Apparently systemd supports building it now somehow (search for UKI, unified kernel image), but I'm too lazy to switch, since my current setup works great. But sooner or later I may be forced to, since my solution is apparently no longer maintained.
I've followed this: https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
Basically, my distro will install the kernel, initrd and CPU microcode normally to /boot. But at the end of it, there's a hook being triggered that calls sbupdate, which stitches together the kernel, command line, initrd, and CPU microcode, signs it and dumps it in the /EFI partition as a single file. /boot is not a separate partition on my system; it lives inside the encrypted /. I also told my UEFI about this specific image using efibootmgr. This allows me to register the image as a bootable OS and use the UEFI's boot manager to choose between Linux and Windows on startup.
If you browse around that Arch Wiki page, they also tell you how to sign your own boot images. I've installed my own keys in the UEFI, since Arch's kernel isn't signed by anybody.
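A sketch of what such a post-install hook does (stitch, sign, verify, register), as an added example and not the commenter's own sbupdate setup: the section addresses follow the classic objcopy recipe from the Arch wiki, while the key paths, output path and disk/partition identifiers are assumptions.

```shell
#!/bin/sh
# Added example: rebuild, sign and register a unified kernel image (UKI).
# Not the commenter's sbupdate config. Section VMAs follow the classic Arch
# wiki objcopy recipe; key paths, output path and disk/partition are assumed.
set -eu

STUB=/usr/lib/systemd/boot/efi/linuxx64.efi.stub   # EFI stub shipped with systemd
DB_KEY=/etc/efi-keys/db.key    # assumed: private Secure Boot db key
DB_CRT=/etc/efi-keys/db.crt    # assumed: matching certificate enrolled in the UEFI db

# run CMD...: execute, or only print the command when DRY_RUN=1, so the recipe
# can be inspected without objcopy/sbsign/efibootmgr and without touching the ESP.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# build_uki KERNEL INITRD UCODE CMDLINE_FILE OUT
# Microcode is concatenated in front of the initrd (the kernel expects the early
# microcode cpio first), then stub, kernel, command line and combined initrd are
# placed in named PE sections at fixed, non-overlapping addresses.
build_uki() {
    kernel=$1 initrd=$2 ucode=$3 cmdline=$4 out=$5
    combined=${out}.initrd.tmp
    run sh -c "cat '$ucode' '$initrd' > '$combined'"
    run objcopy \
        --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
        --add-section .cmdline="$cmdline"     --change-section-vma .cmdline=0x30000 \
        --add-section .linux="$kernel"        --change-section-vma .linux=0x2000000 \
        --add-section .initrd="$combined"     --change-section-vma .initrd=0x3000000 \
        "$STUB" "$out"
    run rm -f "$combined"
}

# sign_uki FILE: sign in place with the db key, then verify against the certificate
# so a broken or wrong-key signature is caught now rather than at the next reboot.
sign_uki() {
    run sbsign --key "$DB_KEY" --cert "$DB_CRT" --output "$1" "$1"
    run sbverify --cert "$DB_CRT" "$1"
}

# register_uki DISK PART LABEL LOADER: add a UEFI boot entry pointing at the UKI,
# which is what lets the firmware's own boot menu offer it next to Windows.
register_uki() {
    run efibootmgr --create --disk "$1" --part "$2" --label "$3" --loader "$4"
}
```

Run it with `DRY_RUN=1` first to see exactly which files end up in which sections before letting it write to the ESP.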