grub-glue-efi
Prepare GRUB as an EFI application
SYNOPSIS
grub-glue-efi [-v] [-o FILE] <core.efi> <module.mod> [module.mod ...]
PARAMETERS
-h, --help
display this help and exit
-v, --verbose
enable verbose output
-o, --output=FILE
write output to FILE (default: stdout)
--version
print version information
DESCRIPTION
grub-glue-efi is a utility for embedding GRUB bootloader modules directly into the GRUB EFI core image, producing a single, self-contained EFI executable. This is essential for Secure Boot environments where only a trusted, signed binary can be loaded by the firmware, and dynamic module loading from the EFI System Partition (ESP) is restricted or insecure.
In standard GRUB EFI setups, the signed grubx64.efi (or similar) loads a core image that accesses modules like normal.mod, linux.mod, and filesystem drivers from the ESP. However, if the ESP lacks necessary modules or Secure Boot prevents unsigned loads, grub-glue-efi combines them into one file. The resulting binary contains the core plus specified modules, enabling boot without external dependencies.
It is commonly used by Linux distributions (e.g., Ubuntu, Fedora) during grub-install for Secure Boot compatibility. It preserves GRUB's modularity while creating monolithic images for constrained firmware.
CAVEATS
The resulting EFI image grows large when many modules are embedded. Ensure that the modules match the core image's architecture (e.g., x86_64-efi). The output is not suitable for production Secure Boot use until it has been signed. The command fails if a module is incompatible or corrupted.
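A pre-flight check for the architecture caveat above, as an added example that is not part of grub-glue-efi or GRUB: it compares the PE/COFF Machine field of the core image with the ELF e_machine field of each module. It assumes the modules are ELF relocatable objects; the function names and the sample headers are constructed for illustration.

```python
import struct

# PE/COFF Machine values and ELF e_machine values for the same CPUs.
PE_MACHINE = {0x8664: "x86_64", 0x014C: "i386", 0xAA64: "arm64"}
ELF_MACHINE = {62: "x86_64", 3: "i386", 183: "arm64"}

def pe_arch(data):
    """Return the CPU name from a PE/COFF (EFI application) header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        raise ValueError("corrupted PE image (bad PE signature)")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return PE_MACHINE.get(machine, hex(machine))

def elf_arch(data):
    """Return the CPU name from an ELF relocatable object (assumed .mod format)."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    endian = "<" if data[5] == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    if e_type != 1:  # ET_REL
        raise ValueError("ELF file is not a relocatable object")
    return ELF_MACHINE.get(e_machine, hex(e_machine))

def check(core, modules):
    """Return a list of problems; empty means every module matches the core."""
    want = pe_arch(core)
    problems = []
    for name, blob in modules.items():
        try:
            got = elf_arch(blob)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if got != want:
            problems.append(f"{name}: built for {got}, core is {want}")
    return problems

# Constructed sample headers (not real GRUB files), just enough to parse.
def fake_pe(machine):
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", machine)
def fake_mod(machine):
    return b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HH", 1, machine)

if __name__ == "__main__":
    mods = {"normal.mod": fake_mod(62), "linux.mod": fake_mod(3), "ext2.mod": b"junk"}
    print("\n".join(check(fake_pe(0x8664), mods)))
```

To check real files, pass the bytes read from the core image and from each module to check() in place of the constructed headers.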
EXAMPLE
grub-glue-efi -o /boot/efi/EFI/ubuntu/grubx64.efi \
    /usr/lib/grub/x86_64-efi-signed/grubx64.efi normal.mod linux.mod ext2.mod
HISTORY
grub-glue-efi was developed for GRUB 2.02+ (around 2012) to support EFI and Secure Boot. It was integrated into distros like Debian/Ubuntu by 2013 for signed bootloader packaging, and it evolved with the shim project for Microsoft-signed GRUB images.
SEE ALSO
grub-mkimage(1), grub-mkstandalone(1), grub-install(8), efibootmgr(8)


