Open
Description
In the grub-efi.cfg (https://github.com/Wind-River/meta-secure-core/blob/master/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/grub-efi.cfg#L30) there is a test in order to check the file size. This seems to be a flaw: an attacker may defeat the password protection just by removing the file, no? Or am I missing something? I came across this issue when testing with PGP signing.

One good way to do this is by templating the grub file:
```
if [ "@@uefi_sb@@" == "1" ]; then
    source "${prefix}/efi-secure-boot.inc"
fi
```
And in the install part, use sed to replace @@uefi_sb@@ with the value of the UEFI_SB variable:
```sh
cat ${WORKDIR}/grub.cfg.in \
    | sed "s,@@uefi_sb@@,${UEFI_SB},g" \
    > ${D}${EFI_FILES_PATH}/grub.cfg
chmod 600 ${D}${EFI_FILES_PATH}/grub.cfg
```
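
The build-time substitution proposed above, written as a fail-closed shell function. This is an added example, not code from the issue author or from meta-secure-core; the function name `render_grub_cfg` and its argument order are hypothetical, and only the `@@uefi_sb@@` placeholder and the `UEFI_SB` value come from the issue.

```shell
#!/bin/sh
# Added example: render grub.cfg from a template at build time, failing closed.
# render_grub_cfg and its arguments are hypothetical names for illustration.
render_grub_cfg() {
    template=$1 output=$2 uefi_sb=$3

    # Accept only the two expected values, so an empty or mistyped UEFI_SB
    # cannot silently yield a config that skips efi-secure-boot.inc.
    case "$uefi_sb" in
        0|1) ;;
        *) echo "UEFI_SB must be 0 or 1, got '$uefi_sb'" >&2; return 1 ;;
    esac

    # The template must actually contain the placeholder; otherwise the
    # decision was never templated and the substitution would be a no-op.
    grep -q '@@uefi_sb@@' "$template" || {
        echo "placeholder @@uefi_sb@@ not found in $template" >&2
        return 1
    }

    # Write to a private temporary file first so a failed render never
    # leaves a partial or world-readable grub.cfg behind.
    tmp="$output.tmp.$$"
    ( umask 077; sed "s,@@uefi_sb@@,$uefi_sb,g" "$template" > "$tmp" ) || {
        rm -f "$tmp"; return 1
    }

    # No @@name@@ placeholder may survive into the installed config.
    if grep -q '@@[A-Za-z0-9_]*@@' "$tmp"; then
        echo "unsubstituted placeholder left in output" >&2
        rm -f "$tmp"; return 1
    fi

    chmod 600 "$tmp" && mv "$tmp" "$output"
}
```

Because the rendered grub.cfg carries the decision as a literal, it stays fixed in whatever signs or verifies that file, rather than depending on whether a second file is present at boot.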