diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index c315654e08..e9120b718a 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
@@ -62,19 +62,19 @@ menuentry "CoreOS default" --id=coreos {
 gptprio.next -d usr -u usr_uuid
 if [ "$usr_uuid" = "7130c94a-213a-4e5a-8e26-6cce9662f132" ]; then
 linux$suf /coreos/vmlinuz-a $linux_console $linux_root \
- mount.usr=PARTUUID=$usr_uuid $linux_append
+ @@MOUNTUSR@@=PARTUUID=$usr_uuid $linux_append
 else
 linux$suf /coreos/vmlinuz-b $linux_console $linux_root \
- mount.usr=PARTUUID=$usr_uuid $linux_append
+ @@MOUNTUSR@@=PARTUUID=$usr_uuid $linux_append
 fi
 }
 
 menuentry "CoreOS USR-A" --id=coreos-a {
- linux$suf /coreos/vmlinuz-a $linux_console $linux_root \
- mount.usr=PARTLABEL=USR-A $linux_append
+ linux$suf /coreos/vmlinuz-a $linux_console $linux_root \
+ @@MOUNTUSR@@=PARTLABEL=USR-A $linux_append
 }
 
 menuentry "CoreOS USR-B" --id=coreos-b {
- linux$suf /coreos/vmlinuz-b $linux_console $linux_root \
- mount.usr=PARTLABEL=USR-B $linux_append
+ linux$suf /coreos/vmlinuz-b $linux_console $linux_root \
+ @@MOUNTUSR@@=PARTLABEL=USR-B $linux_append
 }
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 0179bd62a0..dd50e9113f 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -20,6 +20,8 @@ DEFINE_string esp_dir "" \
 "Path to EFI System partition mount point."
 DEFINE_string disk_image "" \
 "The disk image containing the EFI System partition."
+DEFINE_boolean verity ${FLAGS_FALSE} \
+ "Indicates that boot commands should enable dm-verity."
 
 # Parse flags
 FLAGS "$@" || exit 1
@@ -71,6 +73,9 @@ cleanup() {
 if [[ -b "${LOOP_DEV}" ]]; then
 sudo losetup --detach "${LOOP_DEV}"
 fi
+ if [[ -n "${GRUB_TEMP_DIR}" && -e "${GRUB_TEMP_DIR}" ]]; then
+ rm -r "${GRUB_TEMP_DIR}"
+ fi
 }
 trap cleanup EXIT
 
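Review bot: The `@@MOUNTUSR@@` placeholder in the `linux$suf` argument lines turns grub.cfg into a template that no longer produces a bootable command line if it is installed unsubstituted, and nothing in the file says so; a header comment such as `# Template: @@MOUNTUSR@@ is replaced by grub_install.sh with mount.usr, or with "mount.usr=/dev/mapper/usr verity.usr" when --verity is given` would stop a reader from copying it straight onto an ESP. The removed and re-added `linux$suf` lines in the USR-A and USR-B entries appear to differ only in whitespace, which cannot be confirmed from the collapsed diff; if so, keeping that reindent out of this change would make the placeholder substitution easier to review. The "CoreOS default" menuentry that the hunk starts inside opens before the hunk.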
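Review bot: `cleanup()` now reads `${GRUB_TEMP_DIR}`, but the variable is only assigned much later (at the `mktemp -d` call in the last hunk) while `trap cleanup EXIT` is armed immediately after this function; should the script run with `set -u`, any exit between the trap and that assignment would make the new `-n` test itself fail inside the trap handler. Initialising `GRUB_TEMP_DIR=` before `trap cleanup EXIT` removes that window, and `rm -rf -- "${GRUB_TEMP_DIR}"` keeps the handler from stopping on a write-protected file inside the directory. `cleanup()` begins on the line before this hunk.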
@@ -116,10 +121,26 @@ set prefix=(memdisk)
 set
 EOF
 
+# Generate a memdisk containing the appropriately generated grub.cfg. Doing
+# this because we need conflicting default behaviors between verity and
+# non-verity images.
+GRUB_TEMP_DIR=$(mktemp -d)
 if [[ ! -f "${ESP_DIR}/coreos/grub/grub.cfg.tar" ]]; then
 info "Generating grub.cfg memdisk"
+
+ if [[ ${FLAGS_verity} -eq ${FLAGS_TRUE} ]]; then
+ # use dm-verity for /usr
+ cat "${BUILD_LIBRARY_DIR}/grub.cfg" | \
+ sed 's/@@MOUNTUSR@@/mount.usr=\/dev\/mapper\/usr verity.usr/' > \
+ "${GRUB_TEMP_DIR}/grub.cfg"
+ else
+ # uses standard systemd /usr mount
+ cat "${BUILD_LIBRARY_DIR}/grub.cfg" | \
+ sed 's/@@MOUNTUSR@@/mount.usr/' > "${GRUB_TEMP_DIR}/grub.cfg"
+ fi
+
 sudo tar cf "${ESP_DIR}/coreos/grub/grub.cfg.tar" \
- -C "${BUILD_LIBRARY_DIR}" "grub.cfg"
+ -C "${GRUB_TEMP_DIR}" "grub.cfg"
 fi
 
 info "Generating ${GRUB_DIR}/${CORE_NAME}"
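Review bot: The new `--verity` branch sits inside the pre-existing `[[ ! -f ".../grub.cfg.tar" ]]` guard, so a grub.cfg.tar left on the ESP by an earlier run is reused unchanged and the flag silently has no effect whenever the ESP is not fresh; if that reuse is deliberate it deserves a comment, otherwise the tar should be rebuilt whenever the flag could differ from the one it was built with. `GRUB_TEMP_DIR=$(mktemp -d)` is also unchecked: on failure the variable is empty, both redirections then target `/grub.cfg`, and the `-n` guard in cleanup() removes nothing, so `GRUB_TEMP_DIR=$(mktemp -d) || exit 1` in the script's existing `FLAGS "$@" || exit 1` style is warranted. The two `cat ... | sed` pipelines can read the template directly, a `|` delimiter removes the `\/` escaping in the verity replacement, and a `grep -q '@@MOUNTUSR@@'` check on the result catches a placeholder that was not substituted, which would otherwise be passed verbatim on the kernel command line and leave /usr unmounted. The enclosing `if` block is entirely inside the hunk; the heredoc whose `set`/`EOF` lines open it begins before the hunk.
```shell
GRUB_TEMP_DIR=$(mktemp -d) || exit 1
if [[ ! -f "${ESP_DIR}/coreos/grub/grub.cfg.tar" ]]; then
    info "Generating grub.cfg memdisk"

    if [[ ${FLAGS_verity} -eq ${FLAGS_TRUE} ]]; then
        # use dm-verity for /usr
        sed 's|@@MOUNTUSR@@|mount.usr=/dev/mapper/usr verity.usr|' \
            "${BUILD_LIBRARY_DIR}/grub.cfg" > "${GRUB_TEMP_DIR}/grub.cfg"
    else
        # uses standard systemd /usr mount
        sed 's|@@MOUNTUSR@@|mount.usr|' \
            "${BUILD_LIBRARY_DIR}/grub.cfg" > "${GRUB_TEMP_DIR}/grub.cfg"
    fi
    # An unsubstituted placeholder would reach the kernel command line verbatim.
    if grep -q '@@MOUNTUSR@@' "${GRUB_TEMP_DIR}/grub.cfg"; then
        info "grub.cfg still contains @@MOUNTUSR@@ after substitution"
        exit 1
    fi
    # … unchanged: sudo tar cf into the ESP …
fi
```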