diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 480fc0b5f0..4dc8eabc32 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -315,6 +315,8 @@ finish_image() {
     local image_contents="$4"
     local image_kernel="$5"
     local pcr_policy="$6"
+    local image_grub="$7"
+    local image_shim="$8"
     local install_grub=0
     local disk_img="${BUILD_DIR}/${image_name}"
@@ -430,20 +432,24 @@ finish_image() {
         if [[ ${BOARD} == "arm64-usr" ]]; then
             target_list="arm64-efi"
         fi
+        local grub_args=()
+        if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
+            grub_args+=(--verity)
+        else
+            grub_args+=(--noverity)
+        fi
+        if [[ -n "${image_grub}" && -n "${image_shim}" ]]; then
+            grub_args+=(
+                --copy_efi_grub="${BUILD_DIR}/${image_grub}"
+                --copy_shim="${BUILD_DIR}/${image_shim}"
+            )
+        fi
         for target in ${target_list}; do
-            if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
-                ${BUILD_LIBRARY_DIR}/grub_install.sh \
-                    --board="${BOARD}" \
-                    --target="${target}" \
-                    --disk_image="${disk_img}" \
-                    --verity
-            else
-                ${BUILD_LIBRARY_DIR}/grub_install.sh \
-                    --board="${BOARD}" \
-                    --target="${target}" \
-                    --disk_image="${disk_img}" \
-                    --noverity
-            fi
+            ${BUILD_LIBRARY_DIR}/grub_install.sh \
+                --board="${BOARD}" \
+                --target="${target}" \
+                --disk_image="${disk_img}" \
+                "${grub_args[@]}"
         done
     fi
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 4258e056ee..e70de0f6e7 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -22,6 +22,10 @@ DEFINE_string disk_image "" \
     "The disk image containing the EFI System partition."
 DEFINE_boolean verity ${FLAGS_FALSE} \
     "Indicates that boot commands should enable dm-verity."
+DEFINE_string copy_efi_grub "" \
+    "Copy the EFI GRUB image to the specified path."
+DEFINE_string copy_shim "" \
+    "Copy the shim image to the specified path."
 
 # Parse flags
 FLAGS "$@" || exit 1
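Review bot: `local image_grub="$7"` and `local image_shim="$8"` read positional parameters that existing callers of finish_image may not pass; only the create_prod_image call site is updated in this commit, and if the script runs under `set -u` (not visible in the hunk) an absent seventh argument is an unbound-variable abort rather than the empty string the later `-n` test in this function expects. Writing them as `local image_grub="${7:-}"` and `local image_shim="${8:-}"` makes the optional arguments explicit either way. A one-line comment above them would also help the next reader, e.g. `# Optional: BUILD_DIR-relative names that receive copies of the EFI GRUB and shim images written by grub_install.sh`. finish_image's body starts before this hunk and continues past it.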
@@ -208,6 +212,15 @@ case "${FLAGS_target}" in
             sudo cp "/usr/lib/shim/shim.efi" \
                 "${ESP_DIR}/EFI/boot/bootx64.efi"
         fi
+        # copying from vfat so ignore permissions
+        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \
+                "${FLAGS_copy_efi_grub}"
+        fi
+        if [[ -n "${FLAGS_copy_shim}" ]]; then
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootx64.efi" \
+                "${FLAGS_copy_shim}"
+        fi
         ;;
     x86_64-xen)
         info "Installing default x86_64 Xen bootloader."
@@ -223,6 +236,11 @@ case "${FLAGS_target}" in
         #FIXME(andrejro): shim not ported to aarch64
         sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
             "${ESP_DIR}/EFI/boot/bootaa64.efi"
+        if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
+            # copying from vfat so ignore permissions
+            cp --no-preserve=mode "${ESP_DIR}/EFI/boot/bootaa64.efi" \
+                "${FLAGS_copy_efi_grub}"
+        fi
         ;;
 esac
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index d132ae81f8..f27dec78c0 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -68,6 +68,8 @@ create_prod_image() {
     local image_licenses="${image_name%.bin}_licenses.txt"
     local image_kernel="${image_name%.bin}.vmlinuz"
     local image_pcr_policy="${image_name%.bin}_pcr_policy.zip"
+    local image_grub="${image_name%.bin}.grub"
+    local image_shim="${image_name%.bin}.shim"
     start_image "${image_name}" "${disk_layout}" "${root_fs_dir}" "${update_group}"
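Review bot: The new `cp --no-preserve=mode` calls in the x86_64-efi arm assume `${ESP_DIR}/EFI/boot/grub.efi` and `bootx64.efi` are present, but the `sudo cp` of shim.efi right above them is inside an `if` whose condition begins before the hunk; when that branch is not taken the copies either fail or, for `--copy_shim`, export whatever else ended up at `bootx64.efi` under the shim name. Because these files are uploaded alongside the image in prod_image_util.sh, a wrong binary landing in the shim slot deserves an explicit failure rather than a silent mislabel; guard each source with something like `[[ -f "${ESP_DIR}/EFI/boot/grub.efi" ]] || die "grub.efi not in ESP; cannot honor --copy_efi_grub"` (using whatever error helper this script has next to `info`), and the same check for `bootx64.efi` before the `--copy_shim` copy.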
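Review bot: The arm64-efi arm honors only `--copy_efi_grub`; a `--copy_shim` request is dropped without any message, even though build_image_util.sh always passes the two flags together, so a caller gets no `${FLAGS_copy_shim}` file and has to work out why from the FIXME. Make the omission visible in the build log with `if [[ -n "${FLAGS_copy_shim}" ]]; then warn "shim not available on aarch64; not writing ${FLAGS_copy_shim}"; fi` (or whichever logging helper the script provides besides `info`). As a style point, the `# copying from vfat so ignore permissions` comment sits inside the `if` here but above both `if`s in the x86_64-efi arm; pick one placement for the two arms.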
@@ -122,12 +124,22 @@ EOF
         "${root_fs_dir}" \
         "${image_contents}" \
         "${image_kernel}" \
-        "${image_pcr_policy}"
+        "${image_pcr_policy}" \
+        "${image_grub}" \
+        "${image_shim}"
 
-    upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" \
-        "${BUILD_DIR}/${image_contents}" \
-        "${BUILD_DIR}/${image_packages}" \
-        "${BUILD_DIR}/${image_name}" \
-        "${BUILD_DIR}/${image_kernel}" \
-        "${BUILD_DIR}/${image_pcr_policy}"
+    # Upload
+    local to_upload=(
+        "${BUILD_DIR}/${image_contents}"
+        "${BUILD_DIR}/${image_packages}"
+        "${BUILD_DIR}/${image_name}"
+        "${BUILD_DIR}/${image_kernel}"
+        "${BUILD_DIR}/${image_pcr_policy}"
+        "${BUILD_DIR}/${image_grub}"
+    )
+    # FIXME(bgilbert): no shim on arm64
+    if [[ -f "${BUILD_DIR}/${image_shim}" ]]; then
+        to_upload+=("${BUILD_DIR}/${image_shim}")
+    fi
+    upload_image -d "${BUILD_DIR}/${image_name}.bz2.DIGESTS" "${to_upload[@]}"
 }
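Review bot: `[[ -f "${BUILD_DIR}/${image_shim}" ]]` decides whether a shim is uploaded solely by whether a file of that name exists in BUILD_DIR, so if the directory is reused between runs a leftover `${image_shim}` from an earlier build would be uploaded as though this build had produced it; the published artifact set then depends on directory state rather than on what grub_install.sh wrote. Decide from the board instead, mirroring the existing `arm64-usr` test in build_image_util.sh — `if [[ ${BOARD} != "arm64-usr" ]]; then to_upload+=("${BUILD_DIR}/${image_shim}"); fi` — or have finish_image remove any pre-existing `${image_grub}`/`${image_shim}` before invoking grub_install.sh so that existence really means "produced by this build". Keeping `${image_grub}` unconditional in `to_upload` is fine, since both EFI arms in grub_install.sh write it. create_prod_image's body begins before this hunk.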