When the signature for grub.cfg is bad, or the file doesn't exist, GRUB will drop to an unrestricted prompt, allowing someone with physical access to disable check_signatures and load their own config, kernel, etc.
This is of limited utility for unlocking the disk as it would change the TPM PCR values, but still a loophole worth closing as, among other reasons, someone who isn't paying attention could approve the new PCR values when prompted by tpm2_encrypt.
This could possibly be solved by embedding a config file containing the password hash into the image.
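One way to do the embedding suggested above, as an added example that is not part of the original report or the project's code: generate an early config that sets `superusers` and `password_pbkdf2`, so the GRUB command line asks for credentials, and build it into a standalone image. The user name `admin`, the file names, the `x86_64-efi` target, the preloaded module list and the on-disk config path are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Assumed names: user "admin",
# file names, the x86_64-efi target and the preloaded module list.

# Print the config that gets embedded in the image.
#   $1 = superuser name
#   $2 = hash exactly as printed by grub-mkpasswd-pbkdf2
#   $3 = path of the signed on-disk grub.cfg as GRUB sees it
gen_embedded_cfg() {
    user=$1 hash=$2 disk_cfg=$3
    case $hash in
        grub.pbkdf2.sha512.*.*.*) ;;   # <iterations>.<salt>.<digest>
        *) echo "not a grub-mkpasswd-pbkdf2 hash" >&2; return 1 ;;
    esac
    cat <<EOF
set check_signatures=enforce
export check_signatures
set superusers="$user"
export superusers
password_pbkdf2 $user $hash
configfile $disk_cfg
EOF
}

# Build the image with the config in its memdisk and the public key embedded.
#   $1 = embedded config, $2 = public key file, $3 = output image
# The modules are preloaded so they are part of the image itself.
build_image() {
    grub-mkstandalone -O x86_64-efi -o "$3" --pubkey "$2" \
        --modules "part_gpt ext2 pgp gcry_sha512 gcry_rsa password_pbkdf2" \
        "boot/grub/grub.cfg=$1"
}

# Usage: sh this-script --build '<hash>' '<on-disk grub.cfg path>'
if [ "${1:-}" = "--build" ]; then
    gen_embedded_cfg admin "$2" "$3" > embedded.cfg &&
        build_image embedded.cfg boot.pub grubx64.efi
fi
```

Because the hash lives in the image rather than in grub.cfg, it is still in effect when grub.cfg is missing or fails signature verification.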