The EFI system partition is, by definition, either not encrypted or is unlocked by the firmware - your bootloader wouldn't work otherwise. In this setup, you just stick the UKI on the EFI system partition, and unlocking the rest of the drive is performed in the initramfs.