Encrypted media

mklibrebootgrub allows you to boot from full disk encryption (FDE) media such as LUKS volumes. Remember that you need to specify the names of the encrypted volumes that will be searched for LVM media.

For example:

/dev/mapper/grubcrypt-bootvol

Here “grubcrypt” is the encrypted volume and “bootvol” is the LVM volume. In this case the name comes from a Devuan GNU/Linux installation where the Linux kernel is started by the GRUB inside the encrypted boot partition rather than directly by the GRUB inside Libreboot.

Configuration values can be found and set in “Media support” -> “LVM support” -> “List of encrypted and LVM volumes”.
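To work out the two names that the “List of encrypted and LVM volumes” entry expects from a path found under /dev/mapper, the following shell helper (an added example, not part of mklibrebootgrub or Libreboot) splits such a name into its encrypted-volume and LVM-volume parts and rebuilds the path for checking. It assumes the device-mapper convention for LVM names, where a literal hyphen inside a name is written as two hyphens; the function names `split_mapper_name`, `mapper_path` and `volume_exists` are chosen here.

```sh
#!/bin/sh
# Split "/dev/mapper/<encrypted>-<lvm>" into the two names mklibrebootgrub
# asks for. device-mapper writes a literal '-' inside an LVM name as '--',
# so the only single '-' is the separator between the two names.
split_mapper_name() {
    name=${1#/dev/mapper/}
    printf '%s\n' "$name" | awk '{
        # Hide escaped hyphens, split on the real separator, then restore them.
        gsub(/--/, "\t")
        if (split($0, part, "-") != 2) exit 1
        if (part[1] == "" || part[2] == "") exit 1
        gsub(/\t/, "-", part[1])
        gsub(/\t/, "-", part[2])
        print part[1], part[2]
    }'
}

# Reverse operation: build the /dev/mapper path from the two configured
# names, doubling any hyphen inside either name.
mapper_path() {
    enc=$(printf '%s' "$1" | sed 's/-/--/g')
    lvm=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$enc" "$lvm"
}

# Check that a configured pair really names a block device on this system.
volume_exists() {
    [ -b "$(mapper_path "$1" "$2")" ]
}

# Constructed example using the name from this page:
#   split_mapper_name /dev/mapper/grubcrypt-bootvol   -> grubcrypt bootvol
```

Run `split_mapper_name` on each entry shown by `ls /dev/mapper` on the installed system to get the values to enter, and `volume_exists` to confirm a pair before writing it into the configuration.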

Some considerations

Booting

A fully encrypted medium is unbootable until a bootloader from an unencrypted medium is running (and is capable of decryption, of course).

The SeaBIOS payload cannot load from it, but it can be used to boot an external medium carrying a bootloader (an external GRUB, for example) that is able to boot from the encrypted media.

Currently mklibrebootgrub is not capable of loading the Linux kernel directly, so it relies on the distribution’s GRUB bootloader, which also needs to be encrypted.

It can be on a separate partition or in the /boot directory of the root medium; it doesn’t matter. In either case there will be another decryption password prompt.

Keep in mind that you don’t need to decrypt the root partition if the bootloader is on another partition or medium. You can skip that password prompt by pressing ENTER.

Security

The bootloader still requires some hardening to prevent tampering, such as passwords, checksums or signed files. mklibrebootgrub alone can hardly provide effective security for the system without considering everything else related to its operation.