From 93cbba765dbd23acd3486d12af2a381c22c14aea Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Thu, 14 Nov 2024 16:08:04 +0000 Subject: [PATCH 1/3] grub_install.sh: Only install additional GRUB modules for non-SB targets Secure Boot prevents you from loading additional modules so remove them to save space. These modules could be useful for debugging with Secure Boot disabled, but manually copying the modules with debug symbols is even more useful and not that difficult. Signed-off-by: James Le Cuirot --- build_library/grub_install.sh | 24 ++++++++++++-------- changelog/changes/2024-11-18-grub-modules.md | 1 + 2 files changed, 16 insertions(+), 9 deletions(-) create mode 100644 changelog/changes/2024-11-18-grub-modules.md diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index 5c5e7a43b3..cbe2958b96 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -126,11 +126,21 @@ if [[ -z ${MOUNTED} ]]; then fi sudo mkdir -p "${ESP_DIR}/${GRUB_DIR}" "${ESP_DIR}/${GRUB_IMAGE%/*}" -info "Compressing modules in ${GRUB_DIR}" -for file in "${GRUB_SRC}"/*{.lst,.mod}; do - out="${ESP_DIR}/${GRUB_DIR}/${file##*/}" - gzip --best --stdout "${file}" | sudo_clobber "${out}" -done +# Additional GRUB modules cannot be loaded with Secure Boot enabled, so only +# copy and compress these for target that don't support it. +case "${FLAGS_target}" in + x86_64-efi|arm64-efi) : ;; + *) + info "Compressing modules in ${GRUB_DIR}" + for file in "${GRUB_SRC}"/*{.lst,.mod}; do + for core_mod in "${CORE_MODULES[@]}"; do + [[ ${file} == ${GRUB_SRC}/${core_mod}.mod ]] && continue 2 + done + out="${ESP_DIR}/${GRUB_DIR}/${file##*/}" + gzip --best --stdout "${file}" | sudo_clobber "${out}" + done + ;; +esac info "Generating ${GRUB_DIR}/load.cfg" # Include a small initial config in the core image to search for the ESP 
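Review bot: In the inner `for core_mod` loop the right-hand side of `==` is unquoted, so `[[ ]]` treats `${GRUB_SRC}/${core_mod}.mod` as a glob pattern, and a source path containing `*`, `?` or `[` would skip the wrong files or none; quote it as `[[ ${file} == "${GRUB_SRC}/${core_mod}.mod" ]] && continue 2`. The Secure Boot decision is keyed on the literal target list `x86_64-efi|arm64-efi`, which is repeated in the target-specific `case` visible as context in the next hunk, so a new EFI target added in one place but not the other would silently get loadable modules installed again. A shared variable, or a comment such as `# keep in sync with the Secure Boot targets in the case below`, would make that coupling explicit. The comment above the `case` should read "for targets that don't support it".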
@@ -177,10 +187,6 @@ sudo grub-mkimage \ --output "${ESP_DIR}/${GRUB_IMAGE}" \ "${CORE_MODULES[@]}" -for mod in "${CORE_MODULES[@]}"; do - sudo rm "${ESP_DIR}/${GRUB_DIR}/${mod}.mod" -done - # Now target specific steps to make the system bootable case "${FLAGS_target}" in x86_64-efi|arm64-efi) diff --git a/changelog/changes/2024-11-18-grub-modules.md b/changelog/changes/2024-11-18-grub-modules.md new file mode 100644 index 0000000000..ed8f3d096b --- /dev/null +++ b/changelog/changes/2024-11-18-grub-modules.md @@ -0,0 +1 @@ +- Additional GRUB modules are no longer installed for UEFI platforms to save space and also because they cannot be loaded with Secure Boot enabled. This does not affect existing installations. From 945014691b11c08c9455e19c46b72a151cb5063c Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Thu, 14 Nov 2024 16:14:42 +0000 Subject: [PATCH 2/3] grub_install.sh: Compress modules with xz instead of gzip to save space Giving the --best or -9 option results in a heavier decompression cost with no gain on such small files. Signed-off-by: James Le Cuirot --- build_library/grub_install.sh | 6 +++--- changelog/changes/2024-11-18-grub-modules.md | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh index cbe2958b96..840dbdd029 100755 --- a/build_library/grub_install.sh +++ b/build_library/grub_install.sh @@ -41,7 +41,7 @@ switch_to_strict_mode GRUB_DIR="flatcar/grub/${FLAGS_target}" # Modules required to boot a standard CoreOS configuration -CORE_MODULES=( normal search test fat part_gpt search_fs_uuid gzio search_part_label terminal gptprio configfile memdisk tar echo read btrfs ) +CORE_MODULES=( normal search test fat part_gpt search_fs_uuid xzio search_part_label terminal gptprio configfile memdisk tar echo read btrfs ) SBAT_ARG=() 
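Review bot: Swapping `gzio` for `xzio` in `CORE_MODULES` applies to every target, yet patch 1 of this series stops installing compressed modules on `x86_64-efi` and `arm64-efi`, so on those targets the xz reader is built into the core image with nothing in this series left for it to decompress. Because extra modules cannot be loaded under Secure Boot, `gzio` also becomes unavailable there, so anything GRUB still reads in gzip form on those targets would fail; this hunk does not show whether such files exist, and it is worth confirming. The comment above the array could say why the decompression module is listed, e.g. `# xzio: needed to load the xz-compressed modules installed on non-Secure-Boot targets`.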
@@ -137,7 +137,7 @@ case "${FLAGS_target}" in [[ ${file} == ${GRUB_SRC}/${core_mod}.mod ]] && continue 2 done out="${ESP_DIR}/${GRUB_DIR}/${file##*/}" - gzip --best --stdout "${file}" | sudo_clobber "${out}" + xz --stdout "${file}" | sudo_clobber "${out}" done ;; esac @@ -178,7 +178,7 @@ fi info "Generating ${GRUB_IMAGE}" sudo grub-mkimage \ - --compression=auto \ + --compression=xz \ --format "${FLAGS_target}" \ --directory "${GRUB_SRC}" \ --config "${ESP_DIR}/${GRUB_DIR}/load.cfg" \ diff --git a/changelog/changes/2024-11-18-grub-modules.md b/changelog/changes/2024-11-18-grub-modules.md index ed8f3d096b..043c3b7d7e 100644 --- a/changelog/changes/2024-11-18-grub-modules.md +++ b/changelog/changes/2024-11-18-grub-modules.md @@ -1 +1,2 @@ - Additional GRUB modules are no longer installed for UEFI platforms to save space and also because they cannot be loaded with Secure Boot enabled. This does not affect existing installations. +- The GRUB modules on non-UEFI platforms are now compressed with xz rather than gzip to save even more space. This does not affect existing installations. From ed59dd9fc79f14645d63479db4cdce118c601579 Mon Sep 17 00:00:00 2001 From: James Le Cuirot Date: Thu, 14 Nov 2024 16:19:39 +0000 Subject: [PATCH 3/3] sys-boot/grub: Prevent developer test modules from being built These are normally always installed, even by grub-install, but they have no use outside of testing and take up valuable space in /boot. Signed-off-by: James Le Cuirot --- .../coreos/config/env/sys-boot/grub | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub index 95b5a62285..75bb8c8252 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub +++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sys-boot/grub 
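Review bot: The `xz --stdout "${file}"` call relies on xz's defaults for the integrity check and dictionary size, and nothing in this patch establishes that GRUB's `xzio` reader accepts those defaults. Pinning the stream parameters explicitly, for example `xz --check=crc32 --stdout "${file}" | sudo_clobber "${out}"`, would make the format contract with the boot loader visible once the accepted settings are confirmed. A module that fails to decompress would presumably only surface at boot on the non-EFI targets, so a short comment naming the GRUB-side constraint is worth adding above this line. The enclosing loop and `case` start outside the hunk.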
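Review bot: Changing `--compression=auto` to `--compression=xz` forces xz for every value of `FLAGS_target`, including the EFI images, while the commit description only mentions compressing modules. The hunk does not show whether every target format this script builds supports an xz-compressed core image. The option should either be limited to the targets that need it or be explained in a comment above the call, e.g. `# xz core-image compression: verified on <targets tested>`. The `grub-mkimage` invocation continues past the end of the hunk.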
@@ -12,6 +12,32 @@ cros_pre_src_prepare_adjust_version() { sed -i "/AC_INIT/s/\b${PV//./\\.}\b/\0-${FLATCAR_VERSION}/g" configure.ac || die } +# Prevent developer test modules from being built. These are normally always +# installed, even by grub-install, but they have no use outside of testing and +# take up valuable space in /boot. The best way to identify these is to look for +# references to the tests/ directory. +cros_post_src_prepare_drop_tests() { + gawk -i inplace ' + /^module = \{/ { + in_mod = 1 + } + in_mod { + block = block $0 "\n" + } + /^\};/ && in_mod { + if (block !~ /\