diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index 0e3b2ce0f0..99433f23c0 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
@@ -27,6 +27,32 @@ if [ "$grub_platform" = "efi" ]; then
 getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode
 if [ "$sb" = "01" -a "$setupmode" = "00" ]; then
 set secure_boot="1"
+ getenv -e NetBootVerificationKey -g b8ade7d5-d400-4213-8d15-d47be0a621bf -b gpgpubkey
+ if [ "$gpgpubkey" != "" ]; then
+ trust_var gpgpubkey
+ fi
+ fi
+fi
+
+if [ "$net_default_server" != "" ]; then
+ smbios --type 1 --get-uuid 8 --set uuid
+ smbios --type 1 --get-string 7 --set serial
+ set mac=$net_default_mac
+ # Re-DHCP as grub to get the API endpoint
+ net_bootp $net_default_interface
+ # This is awful, but grub doesn't support a nice way to do this
+ for i in "$net_efinet0_dhcp_boot_file" "$net_efinet1_dhcp_boot_file" "$net_efinet2_dhcp_boot_file" "$net_efinet3_dhcp_boot_file" "$net_efinet4_dhcp_boot_file" "$net_efinet5_dhcp_boot_file" "$net_efinet6_dhcp_boot_file" "$net_efinet7_dhcp_boot_file" "$net_efinet8_dhcp_boot_file" "$net_efinet9_dhcp_boot_file"; do
+ if [ "$i" != "" ]; then
+ set endpoint="$i"
+ break
+ fi
+ done
+ if [ "$endpoint" != "" ]; then
+ set url="${endpoint}?uuid=$uuid&serial=$serial&mac=$mac"
+ if [ "$gpgpubkey" != "" ]; then
+ set check_signatures="enforce"
+ fi
+ configfile $url
 fi
 fi

@@ -69,11 +95,13 @@ if [ -z "$linux_console" ]; then
 fi
 fi

+set suf=""
+
 # UEFI uses linuxefi/initrdefi instead of linux/initrd except for arm64
-if [ "$grub_platform" = efi ] && [ "$grub_cpu" != arm64 ]; then
+if [ "$grub_platform" = efi ]; then
+ if [ "$grub_cpu" != arm64 ]; then
 set suf="efi"
-else
- set suf=""
+ fi
 fi

 # Assemble the options applicable to all the kernels below
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index b84a35d6c0..a6913108a2 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
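Review bot: Signature enforcement on the fetched config fails open in the first grub.cfg hunk (`@@ -27,6 +27,32 @@`): `check_signatures="enforce"` is set only when `$gpgpubkey` is non-empty, so a Secure Boot machine with no `NetBootVerificationKey` provisioned still runs `configfile` on whatever the DHCP-supplied boot-file URL returns. I would refuse the network config in that state, for example by guarding the call with `if [ "$secure_boot" != "1" -o "$gpgpubkey" != "" ]; then`, and quote the argument as `configfile "$url"`, since an SMBIOS serial containing whitespace would otherwise most likely be split into several arguments. A comment next to `trust_var gpgpubkey` should also state which attributes the EFI variable is expected to carry; the diff does not show whether it can be written from the running OS, and if it can, the key is no stronger a trust anchor than the OS itself.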
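Review bot: The rewritten platform test in the second grub.cfg hunk (`@@ -69,11 +95,13 @@`) does not record why the `[ … ] && [ … ]` form was dropped, so a later cleanup could put it back. If the `&&` form is what misbehaved, a short comment above the outer `if` saying so would prevent that. A single test with `-a`, as the `$sb`/`$setupmode` check earlier in this file already uses, would keep the original one-level shape: `if [ "$grub_platform" = efi -a "$grub_cpu" != arm64 ]; then`.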
@@ -43,7 +43,7 @@ case "${FLAGS_target}" in
 CORE_NAME="core.img"
 ;;
 x86_64-efi)
- CORE_MODULES+=( serial linuxefi efi_gop getenv )
+ CORE_MODULES+=( serial linuxefi efi_gop getenv smbios efinet verify http )
 CORE_NAME="core.efi"
 ;;
 x86_64-xen)
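Review bot: Only the `x86_64-efi` arm gains `smbios efinet verify http`, while the new grub.cfg code that depends on them is gated on `$grub_platform = efi` and `$net_default_server` rather than on the build target. If another EFI target (outside this hunk) ships the same grub.cfg, its Secure Boot branch will reach `trust_var` with an unchanged module list, so either extend the matching arms or state in the commit that the netboot path is x86_64-only. A comment on the line would help whoever trims the core image later, e.g. `# smbios, efinet, http: netboot config fetch in grub.cfg; verify: signature check on that config`. The `case` statement starts and ends outside the hunk.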