Comment 28 for bug 1773457

What you are talking about is signature verification. You need the firmware to verify the signature on the kernel and initrd, using a custom self signing key only. That is unrelated to whether /boot is encrypted or not.