debian/patches/qemu/efi-secure-boot.patch is not a good approach to
enabling secure boot with U-Boot. Variables entered via the command line
containing the security database will be stored on file but will not be
loaded into U-Boot on the next boot.

If you want a version of U-Boot that supports secure boot properly, use
CONFIG_EFI_VARIABLES_PRESEED=y and provide a file with the security
database which will be built into U-Boot. tools/efivar.py can be used to
build that file.

Separate U-Boot binaries for secure and non-secure would have to be
provided.

Existing EDK II packages provide secure boot. Hence I suggest simply
dropping patch debian/patches/qemu/efi-secure-boot.patch.

Best regards
Heinrich