diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 5c5e7a43b3..840dbdd029 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -41,7 +41,7 @@ switch_to_strict_mode
 GRUB_DIR="flatcar/grub/${FLAGS_target}"
 
 # Modules required to boot a standard CoreOS configuration
-CORE_MODULES=( normal search test fat part_gpt search_fs_uuid gzio search_part_label terminal gptprio configfile memdisk tar echo read btrfs )
+CORE_MODULES=( normal search test fat part_gpt search_fs_uuid xzio search_part_label terminal gptprio configfile memdisk tar echo read btrfs )
 
 SBAT_ARG=()
 
@@ -126,11 +126,21 @@ if [[ -z ${MOUNTED} ]]; then
 fi
 sudo mkdir -p "${ESP_DIR}/${GRUB_DIR}" "${ESP_DIR}/${GRUB_IMAGE%/*}"
 
-info "Compressing modules in ${GRUB_DIR}"
-for file in "${GRUB_SRC}"/*{.lst,.mod}; do
-    out="${ESP_DIR}/${GRUB_DIR}/${file##*/}"
-    gzip --best --stdout "${file}" | sudo_clobber "${out}"
-done
+# Additional GRUB modules cannot be loaded with Secure Boot enabled, so only
+# copy and compress these for target that don't support it.
+case "${FLAGS_target}" in
+    x86_64-efi|arm64-efi) : ;;
+    *)
+        info "Compressing modules in ${GRUB_DIR}"
+        for file in "${GRUB_SRC}"/*{.lst,.mod}; do
+            for core_mod in "${CORE_MODULES[@]}"; do
+                [[ ${file} == ${GRUB_SRC}/${core_mod}.mod ]] && continue 2
+            done
+            out="${ESP_DIR}/${GRUB_DIR}/${file##*/}"
+            xz --stdout "${file}" | sudo_clobber "${out}"
+        done
+        ;;
+esac
 
 info "Generating ${GRUB_DIR}/load.cfg"
 # Include a small initial config in the core image to search for the ESP
@@ -168,7 +178,7 @@ fi
 
 info "Generating ${GRUB_IMAGE}"
 sudo grub-mkimage \
-    --compression=auto \
+    --compression=xz \
     --format "${FLAGS_target}" \
     --directory "${GRUB_SRC}" \
     --config "${ESP_DIR}/${GRUB_DIR}/load.cfg" \
@@ -177,10 +187,6 @@ sudo grub-mkimage \
     --output "${ESP_DIR}/${GRUB_IMAGE}" \
     "${CORE_MODULES[@]}"
 
-for mod in "${CORE_MODULES[@]}"; do
-    sudo rm "${ESP_DIR}/${GRUB_DIR}/${mod}.mod"
-done
-
 # Now target specific steps to make the system bootable
 case "${FLAGS_target}" in
     x86_64-efi|arm64-efi)
diff --git a/changelog/changes/2024-11-18-grub-modules.md b/changelog/changes/2024-11-18-grub-modules.md
new file mode 100644
index 0000000000..043c3b7d7e
--- /dev/null
+++ b/changelog/changes/2024-11-18-grub-modules.md
@@ -0,0 +1,2 @@
+- Additional GRUB modules are no longer installed for UEFI platforms to save space and also because they cannot be loaded with Secure Boot enabled. This does not affect existing installations.
+- The GRUB modules on non-UEFI platforms are now compressed with xz rather than gzip to save even more space. This does not affect existing installations.
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub
index 95b5a62285..75bb8c8252 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub
@@ -12,6 +12,32 @@ cros_pre_src_prepare_adjust_version() {
 	sed -i "/AC_INIT/s/\b${PV//./\\.}\b/\0-${FLATCAR_VERSION}/g" configure.ac || die
 }
 
+# Prevent developer test modules from being built. These are normally always
+# installed, even by grub-install, but they have no use outside of testing and
+# take up valuable space in /boot. The best way to identify these is to look for
+# references to the tests/ directory.
+cros_post_src_prepare_drop_tests() {
+	gawk -i inplace '
+		/^module = \{/ {
+			in_mod = 1
+		}
+		in_mod {
+			block = block $0 "\n"
+		}
+		/^\};/ && in_mod {
+			if (block !~ /\<tests\//) {
+				printf "%s", block
+			}
+			in_mod = 0
+			block = ""
+			next
+		}
+		!in_mod {
+			print
+		}
+	' grub-core/Makefile.core.def || die
+}
+
 # Replace Gentoo's SBAT with Flatcar's.
 cros_post_src_install_sbat() {
 	insinto /usr/share/grub