You need GRUB's help do do this. There is a 'verify' module you can use that makes GRUB load files that are signed with a given GPG key.
You build a GRUB efi binary that contains your key and only loads signed config files, initrds, and kernels and then sign that binary so that it can be loaded by UEFI.
You build a GRUB efi binary that contains your key and only loads signed config files, initrds, and kernels and then sign that binary so that it can be loaded by UEFI.