Booting in SecureBoot environment

hello JulienMoinard,

regarding your questions,

Q1 >
yes

Q2 >
you may delete the LINUX entry to make kernel images load from the kernel partition.
however, you may check the r32.5 developer guide, [To sign kernel, kernel-dtb, and initrd files].

Q3 >
you may move to JetPack-4.5, which includes a new feature to enhance SecureBoot.

Q4 >
that’s signed and encrypted by flash script within the flashing process.
you may also include --no-flash commands to generate those files locally.
furthermore, please combine the -k option to specify the partition you would like to perform.
for example,
$ sudo ./flash.sh --no-flash -r -k kernel-dtb jetson-xavier-nx-devkit mmcblk0p1
this sample command will generate a signed and encrypted device tree blob locally on your local host machine.

...
[   0.0261 ] Signed file: $OUT/Linux_for_Tegra/bootloader/tegra194-p3668-all-p3509-0000_sigheader.dtb.encrypt
*** tegra194-p3668-all-p3509-0000.dtb has been signed successfully. ***