Hi @adrian and @TheYoctoJester,
I’m still not sure on your actual approach, but I think it went on a hard to solve track right from the beginning.
May you can use Mender and efi-secure-boot on intel-corei7-64 - #12 by esscrb as an inspiration, this is where I oriented myself while implementing and added the parts missing for me to get it on the road.
I think you mixed up several issues here, so it is hard to see where the root cause came in. I had to patch grub-mender-grubenv, too, but in another context - I needed to patch the grub entry in order to load the kernel from the correct, signed location - and could not remember issues with getting it signed (working on kirkstone branches). If it is not crucial for your use-case, I would suggest following the approach in the mentioned thread with no initramfs used, as I think Mender would also need some additional love for proper handling. And I would not try to change the MENDER_BOOT_PART_MOUNT_LOCATION, keep the Mender parts within the root partition and EFI seperated on boot. For updating the signed kernel are Mender state scripts a really good solution.
I hope this helps.
Secure Boot and meta-secure-core is not that well documented and you’re completely on your own with everything besides exactly that use-case the original authors had in mind.
Best,
Anna