grub_install.sh: Only install additional GRUB modules for non-SB targets

Secure Boot prevents you from loading additional modules so remove them
to save space. These modules could be useful for debugging with Secure
Boot disabled, but manually copying the modules with debug symbols is
even more useful and not that difficult.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

build_library/grub_install.sh

@@ -126,11 +126,21 @@ if [[ -z ${MOUNTED} ]]; then
 fi
 sudo mkdir -p "${ESP_DIR}/${GRUB_DIR}" "${ESP_DIR}/${GRUB_IMAGE%/*}"
 
-info "Compressing modules in ${GRUB_DIR}"
-for file in "${GRUB_SRC}"/*{.lst,.mod}; do
-    out="${ESP_DIR}/${GRUB_DIR}/${file##*/}"
-    gzip --best --stdout "${file}" | sudo_clobber "${out}"
-done
+# Additional GRUB modules cannot be loaded with Secure Boot enabled, so only
+# copy and compress these for target that don't support it.
+case "${FLAGS_target}" in
+    x86_64-efi|arm64-efi) : ;;
+    *)
+        info "Compressing modules in ${GRUB_DIR}"
+        for file in "${GRUB_SRC}"/*{.lst,.mod}; do
+            for core_mod in "${CORE_MODULES[@]}"; do
+                [[ ${file} == ${GRUB_SRC}/${core_mod}.mod ]] && continue 2
+            done
+            out="${ESP_DIR}/${GRUB_DIR}/${file##*/}"
+            gzip --best --stdout "${file}" | sudo_clobber "${out}"
+        done
+        ;;
+esac
 
 info "Generating ${GRUB_DIR}/load.cfg"
 # Include a small initial config in the core image to search for the ESP
@@ -177,10 +187,6 @@ sudo grub-mkimage \
     --output "${ESP_DIR}/${GRUB_IMAGE}" \
     "${CORE_MODULES[@]}"
 
-for mod in "${CORE_MODULES[@]}"; do
-    sudo rm "${ESP_DIR}/${GRUB_DIR}/${mod}.mod"
-done
-
 # Now target specific steps to make the system bootable
 case "${FLAGS_target}" in
     x86_64-efi|arm64-efi)

changelog/changes/2024-11-18-grub-modules.md

@@ -0,0 +1 @@
+- Additional GRUB modules are no longer installed for UEFI platforms to save space and also because they cannot be loaded with Secure Boot enabled. This does not affect existing installations.