This doesn't work with secure boot and UKIs, since the entire "pre-rootfs switch" is signed in a single binary. If your threat model is what you have, that is the least you should have.
Can't I just extract the key from uefi/tmp in this case?
Not that it's easy, but with the right tools you can do it offline with all the time in the world.