gentoo auto-resync : 08:08:2024 - 12:38:45

6 files changed, 526 insertions, 4 deletions

diff --git a/sys-boot/Manifest.gz b/sys-boot/Manifest.gz
index 96e533c73333..e431b076a64e 100644
--- a/sys-boot/Manifest.gz
+++ b/sys-boot/Manifest.gz
diff --git a/sys-boot/elilo/Manifest b/sys-boot/elilo/Manifest
index d0a1337ea399..e608e0d6e2b2 100644
--- a/sys-boot/elilo/Manifest
+++ b/sys-boot/elilo/Manifest
@@ -6,5 +6,5 @@ AUX elilo-3.16-strncpy-clash.patch 744 BLAKE2B 421530303406aa819e07883d4b80a27da
 AUX elilo.conf.sample 150 BLAKE2B d823113e1fcdaf08398f09b6fe9b4b2284004be2886799a69fd776bfaab194413c51969c65d1d81607c0a46699e84132b88bdd2a82f6f41a65ae6fbb061d9356 SHA512 3f99527724759f5c03a5f244b957bc6d50ca378f2b66cbcb19f73fa721d2fd76119ae90669e4cce045f5bc66a80d46b21e76e8c4895d23b22df23ec69262b0e0
 DIST elilo-3.16-all.tar.gz 485844 BLAKE2B 813762ffef32a640c074973a07d886e0de137be10ff08e9375cd894b0d83dd8bc96cc33f80da1e698db49cc9f105a905abb2fa04048eaca394d3d70e79cb8534 SHA512 4289b45f2e40b2a12167f2efd9a482cf97baedb13fc24813f360f375296d0d3f107d6c980b4b31262816f664a2536353fa124e689cbd65093da9b16fdddaf842
 DIST elilo_3.14-3.debian.tar.gz 32179 BLAKE2B 84f8055d3e33b99ce91079768da80a8800c3c2f569ce5619641a983efb943055dfd9a8fb2fda8e5e6d60009ffefbcc1573098f022f06635d4d5304bc3bfddf1e SHA512 b2d5927bf84d61cc432fc916301ddb3be74db16d3e5ba4f13039e2925606b8870991fbb17f837005d8f2b655b7dcd2b2311dfacd7f02183762caf7081ede638f
-EBUILD elilo-3.16-r5.ebuild 2254 BLAKE2B 48dacfee9a35801dfb6df3cb22d45dce57d42e1cf9a90d6bc4c8e2c6a46cad0ac5adc1df98ad8c5ceda20f4941693b55201bb6848bab4069b05f92dbbb2e051d SHA512 94055cd2b5a03a12742d870d8c5f0d60f112e7e2d770cb9171197f58a66057fdc616524ae4de8bc2c9b1fb34c5ce1bfad051864fb5b6efdc082fc90ba87394c8
+EBUILD elilo-3.16-r6.ebuild 2299 BLAKE2B 91222881c0919f2d01d636084bd0edaa5105f0bd27b9fa3f78b1ebb37959b6b720d5a3a4e9dec95eb711d2a0330f17d53c3fc5433a42fb14eb78eb2b286a978d SHA512 82ba25dc800d55820ba1ced27ba7e413d50c64eccc6a7d52e1c01b5d28619bf7a97aa61dacb3ffce56a599717c6fab1c5b9a1e8acb05157f93d004030523289c
 MISC metadata.xml 243 BLAKE2B 66e62c67d6277e9e807057685d0ee4ad0b2078abcc66b35beeb189c4f049c67c25829a0ec1c6a259888ed559fb2a46e7587c46dd6faebf4689a61d3eb8c08125 SHA512 2d4d88b896e79aa0028444a091a3d4b3b2c8bad11f99b55afc2a849d174ebb3932d9bca6bc56315660a7add8aed7964a5dd86ed8b0c5d730c5a14b1ac0d007bb
diff --git a/sys-boot/elilo/elilo-3.16-r5.ebuild b/sys-boot/elilo/elilo-3.16-r6.ebuild
index 8f067bedb4c0..6d1f82ca9369 100644
--- a/sys-boot/elilo/elilo-3.16-r5.ebuild
+++ b/sys-boot/elilo/elilo-3.16-r6.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=8
 
-inherit toolchain-funcs
+inherit secureboot toolchain-funcs
 
 DESCRIPTION="Linux boot loader for EFI-based systems such as IA-64"
 HOMEPAGE="https://sourceforge.net/projects/elilo/"
@@ -89,4 +89,6 @@ src_install() {
 
 	dodoc docs/* "${FILESDIR}"/elilo.conf.sample
 	doman debian/*.[0-9]
+
+	secureboot_auto_sign --in-place
 }
diff --git a/sys-boot/grub/Manifest b/sys-boot/grub/Manifest
index 4a91bbd0e049..cc2cffac98ce 100644
--- a/sys-boot/grub/Manifest
+++ b/sys-boot/grub/Manifest
@@ -10,5 +10,6 @@ DIST grub-2.12.tar.xz 6675608 BLAKE2B a678f7fafb945d325c8cf47aa086f48357a8f6335b
 DIST grub-2.12.tar.xz.sig 566 BLAKE2B 9b77fe53041b99f1196743aa6d9fc9c727b17c6512129bab2b35005f2c70f371e30521ddd804bf0c666e36cf2667247980f385ca1ac911fa9b8e0311427dc01c SHA512 fbe971d8c382578b49d33902234edd9cbd084b70820a1a56a59df4ec30874c0dd4fe27f8dc44bb380716bb7480ca68a87d120a25b92a6a10ff6c8ec1b60548d3
 DIST unifont-15.0.06.pcf.gz 1358322 BLAKE2B 81811e3de390ca35d1a2dc1f1dee73464e97f44907ba522c218ba9c5e39ca3c9d767552780a257a97c156eb623c17786d9c0d2b67786d61df5ca33a1e10db7ca SHA512 0a28a406629c604f5cbf51f501528239a7ed50d19f93ea505bc5bdc72639e4b926b03f4b8782a5733041f7cdb4aebb9948ac7cfd5a8ad9a0fe309944e595517b
 EBUILD grub-2.12-r4.ebuild 9387 BLAKE2B 391d0e5f4c9cf092420ba5a175683585a794c0318cc24d38bc039d9080d9ff9cb43cb6f9e5b6222d559b68a1cb4f9e8fe5cb1d409e4078a6aa5294f84dc79da2 SHA512 18f50ba5120eb0173aed591e746d43208b2e6233d1e94dce6a18caaaf13b93a349c8cdc14e2a505e758bfc72efcd9d88f15ac5498ea871c4cb178214e38d1254
-EBUILD grub-9999.ebuild 9055 BLAKE2B 7235ab9a787c08ffd684fe5e34f018a109662a3c6883d38660f8462472baa08ebb30cf0e22071ff1ea2ce822b78f3571f0382f27f6983719dc44378fdbfe70f0 SHA512 181a72180d2bf31c3b78077754faa4192c922ca0d1c3a7aae200136fcbc505ff192573c9c71203116e7d500ba680ca59aee8bbd69e114fe93cca87cfac573478
+EBUILD grub-2.12-r5.ebuild 12203 BLAKE2B 484f55ba3ff326ba1f6462dc88b20b66a0bb62772bcaa1acb0bc5484f4ce3dd3a02fc5a5cd833334f191dbbe57dd780f1870c64c1703149381a5407ca7e463b0 SHA512 e6bf3497f6175e5b23df0cd0129717f2d7658097aaecc5ec5d0d32a955c9ff9feb8d5ec6a3d5c569cad4d00731a71f6680cba0ec90e562a09ec48b96545f50fd
+EBUILD grub-9999.ebuild 11864 BLAKE2B 85472b605827f236279740012f16c18fd3a6d6356391828f22fbf353fe26aaa9d656071eb5edf530cbc440f781b14a394c41a4eaacd63a3f0db66fec270f66a4 SHA512 f5c194a90201de73366597b2ce60fd6d3c081f121fe0c8645f4afa55ee27d6bb868024a4efe50bd1f2850fed52a59a45b92807203d3fc15af2a1d3d7b01d0b13
 MISC metadata.xml 986 BLAKE2B 7c03fac1bf235c1d82e435926c5a9079a21eb16e9937c0ac4e6297bc2f129bc9022efa11c099df07fd9e3b6c47a13246e25ae1c4cc390878ead82394c9b9ed11 SHA512 eb62f4b746c87bf2756669d57e76e60f24cea493948b19429a45e52d02fc1a501b4465ba52940757409258f7ad0ceef0e0f473aeb80cbd9b693b866ae015f13c
diff --git a/sys-boot/grub/grub-2.12-r5.ebuild b/sys-boot/grub/grub-2.12-r5.ebuild
new file mode 100644
index 000000000000..1e22477b727a
--- /dev/null
+++ b/sys-boot/grub/grub-2.12-r5.ebuild
@@ -0,0 +1,435 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# This ebuild uses 3 special global variables:
+# GRUB_BOOTSTRAP: Depend on python and invoke bootstrap (gnulib).
+# GRUB_AUTOGEN: Depend on python and invoke autogen.sh.
+# GRUB_AUTORECONF: Inherit autotools and invoke eautoreconf.
+#
+# When applying patches:
+# If gnulib is updated, set GRUB_BOOTSTRAP=1
+# If gentpl.py or *.def is updated, set GRUB_AUTOGEN=1
+# If gnulib, gentpl.py, *.def, or any autotools files are updated, set GRUB_AUTORECONF=1
+#
+# If any of the above applies to a user patch, the user should set the
+# corresponding variable in make.conf or the environment.
+
+GRUB_AUTORECONF=1
+PYTHON_COMPAT=( python3_{10..12} )
+WANT_LIBTOOL=none
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/dkiper.gpg
+
+if [[ -n ${GRUB_AUTORECONF} ]]; then
+	inherit autotools
+fi
+
+inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1
+inherit secureboot toolchain-funcs
+
+DESCRIPTION="GNU GRUB boot loader"
+HOMEPAGE="https://www.gnu.org/software/grub/"
+
+MY_P=${P}
+if [[ ${PV} != 9999 ]]; then
+	inherit verify-sig
+
+	if [[ ${PV} == *_alpha* || ${PV} == *_beta* || ${PV} == *_rc* ]]; then
+		# The quote style is to work with <=bash-4.2 and >=bash-4.3 #503860
+		MY_P=${P/_/'~'}
+		SRC_URI="
+			https://alpha.gnu.org/gnu/${PN}/${MY_P}.tar.xz
+			verify-sig? ( https://alpha.gnu.org/gnu/${PN}/${MY_P}.tar.xz.sig )
+		"
+		S=${WORKDIR}/${MY_P}
+	else
+		SRC_URI="
+			mirror://gnu/${PN}/${P}.tar.xz
+			https://dev.gentoo.org/~floppym/dist/${P}-bash-completion.patch.gz
+			verify-sig? ( mirror://gnu/${PN}/${P}.tar.xz.sig )
+		"
+		S=${WORKDIR}/${P%_*}
+	fi
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-danielkiper )"
+	KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+else
+	inherit git-r3
+	EGIT_REPO_URI="https://git.savannah.gnu.org/git/grub.git"
+fi
+
+DEJAVU=dejavu-sans-ttf-2.37
+UNIFONT=unifont-15.0.06
+SRC_URI+=" fonts? ( mirror://gnu/unifont/${UNIFONT}/${UNIFONT}.pcf.gz )
+	themes? ( https://downloads.sourceforge.net/dejavu/${DEJAVU}.zip )"
+
+# Includes licenses for dejavu and unifont
+LICENSE="GPL-3+ BSD MIT fonts? ( GPL-2-with-font-exception ) themes? ( CC-BY-SA-3.0 BitstreamVera )"
+SLOT="2/${PVR}"
+IUSE="device-mapper doc efiemu +fonts mount nls sdl test +themes truetype libzfs"
+
+GRUB_ALL_PLATFORMS=( coreboot efi-32 efi-64 emu ieee1275 loongson multiboot
+	qemu qemu-mips pc uboot xen xen-32 xen-pvh )
+IUSE+=" ${GRUB_ALL_PLATFORMS[@]/#/grub_platforms_}"
+
+REQUIRED_USE="
+	grub_platforms_coreboot? ( fonts )
+	grub_platforms_qemu? ( fonts )
+	grub_platforms_ieee1275? ( fonts )
+	grub_platforms_loongson? ( fonts )
+"
+
+BDEPEND+="
+	${PYTHON_DEPS}
+	>=sys-devel/flex-2.5.35
+	sys-devel/bison
+	sys-apps/help2man
+	sys-apps/texinfo
+	fonts? (
+		media-libs/freetype:2
+		virtual/pkgconfig
+	)
+	test? (
+		app-admin/genromfs
+		app-alternatives/cpio
+		app-arch/lzop
+		app-emulation/qemu
+		dev-libs/libisoburn
+		sys-apps/miscfiles
+		sys-block/parted
+		sys-fs/squashfs-tools
+	)
+	themes? (
+		app-arch/unzip
+		media-libs/freetype:2
+		virtual/pkgconfig
+	)
+	truetype? ( virtual/pkgconfig )
+"
+DEPEND="
+	app-arch/xz-utils
+	>=sys-libs/ncurses-5.2-r5:0=
+	grub_platforms_emu? (
+		sdl? ( media-libs/libsdl2 )
+	)
+	device-mapper? ( >=sys-fs/lvm2-2.02.45 )
+	libzfs? ( sys-fs/zfs:= )
+	mount? ( sys-fs/fuse:3 )
+	truetype? ( media-libs/freetype:2= )
+	ppc? ( >=sys-apps/ibm-powerpc-utils-1.3.5 )
+	ppc64? ( >=sys-apps/ibm-powerpc-utils-1.3.5 )
+"
+RDEPEND="${DEPEND}
+	kernel_linux? (
+		grub_platforms_efi-32? ( sys-boot/efibootmgr )
+		grub_platforms_efi-64? ( sys-boot/efibootmgr )
+	)
+	!sys-boot/grub:0
+	nls? ( sys-devel/gettext )
+"
+
+RESTRICT="!test? ( test ) test? ( userpriv )"
+
+QA_EXECSTACK="usr/bin/grub-emu* usr/lib/grub/*"
+QA_PRESTRIPPED="usr/lib/grub/.*"
+QA_MULTILIB_PATHS="usr/lib/grub/.*"
+QA_WX_LOAD="usr/lib/grub/*"
+
+pkg_setup() {
+	:
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999 ]]; then
+		git-r3_src_unpack
+		pushd "${P}" >/dev/null || die
+		local GNULIB_URI="https://git.savannah.gnu.org/git/gnulib.git"
+		local GNULIB_REVISION=$(source bootstrap.conf >/dev/null; echo "${GNULIB_REVISION}")
+		git-r3_fetch "${GNULIB_URI}" "${GNULIB_REVISION}"
+		git-r3_checkout "${GNULIB_URI}" gnulib
+		popd >/dev/null || die
+	elif use verify-sig; then
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.sig}
+	fi
+	default
+}
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}"/gfxpayload.patch
+		"${FILESDIR}"/grub-2.02_beta2-KERNEL_GLOBS.patch
+		"${FILESDIR}"/grub-2.06-test-words.patch
+		"${FILESDIR}"/grub-2.12-fwsetup.patch
+		"${WORKDIR}"/grub-2.12-bash-completion.patch
+	)
+
+	default
+
+	python_setup
+
+	if [[ -n ${GRUB_BOOTSTRAP} ]]; then
+		eautopoint --force
+		AUTOPOINT=: AUTORECONF=: ./bootstrap || die
+	elif [[ -n ${GRUB_AUTOGEN} ]]; then
+		FROM_BOOTSTRAP=1 ./autogen.sh || die
+	fi
+
+	if [[ -n ${GRUB_AUTORECONF} ]]; then
+		eautoreconf
+	fi
+
+	# Avoid error due to extra_deps.lst missing from source tarball:
+	#       make[3]: *** No rule to make target 'grub-core/extra_deps.lst', needed by 'syminfo.lst'.  Stop.
+	echo "depends bli part_gpt" > grub-core/extra_deps.lst || die
+}
+
+grub_do() {
+	multibuild_foreach_variant run_in_build_dir "$@"
+}
+
+grub_do_once() {
+	multibuild_for_best_variant run_in_build_dir "$@"
+}
+
+grub_configure() {
+	local platform
+
+	case ${MULTIBUILD_VARIANT} in
+		efi*) platform=efi ;;
+		xen-pvh) platform=xen_pvh ;;
+		xen*) platform=xen ;;
+		guessed) ;;
+		*) platform=${MULTIBUILD_VARIANT} ;;
+	esac
+
+	case ${MULTIBUILD_VARIANT} in
+		*-32)
+			if [[ ${CTARGET:-${CHOST}} == x86_64* ]]; then
+				local CTARGET=i386
+			fi ;;
+		*-64)
+			if [[ ${CTARGET:-${CHOST}} == i?86* ]]; then
+				local CTARGET=x86_64
+				local -x TARGET_CFLAGS="-Os -march=x86-64 ${TARGET_CFLAGS}"
+				local -x TARGET_CPPFLAGS="-march=x86-64 ${TARGET_CPPFLAGS}"
+			fi ;;
+	esac
+
+	local myeconfargs=(
+		--disable-werror
+		--program-prefix=
+		--libdir="${EPREFIX}"/usr/lib
+		$(use_enable device-mapper)
+		$(use_enable mount grub-mount)
+		$(use_enable nls)
+		$(use_enable themes grub-themes)
+		$(use_enable truetype grub-mkfont)
+		$(use_enable libzfs)
+		--enable-grub-emu-sdl=no
+		$(use_enable sdl grub-emu-sdl2)
+		${platform:+--with-platform=}${platform}
+
+		# Let configure detect this where supported
+		$(usex efiemu '' '--disable-efiemu')
+	)
+
+	if use fonts; then
+		ln -rs "${WORKDIR}/${UNIFONT}.pcf" unifont.pcf || die
+	fi
+
+	if use themes; then
+		ln -rs "${WORKDIR}/${DEJAVU}/ttf/DejaVuSans.ttf" DejaVuSans.ttf || die
+	fi
+
+	local ECONF_SOURCE="${S}"
+	econf "${myeconfargs[@]}"
+}
+
+src_configure() {
+	# Bug 508758.
+	replace-flags -O3 -O2
+
+	# Workaround for bug 829165.
+	filter-ldflags -pie
+
+	# We don't want to leak flags onto boot code.
+	export HOST_CCASFLAGS=${CCASFLAGS}
+	export HOST_CFLAGS=${CFLAGS}
+	export HOST_CPPFLAGS=${CPPFLAGS}
+	export HOST_LDFLAGS=${LDFLAGS}
+	unset CCASFLAGS CFLAGS CPPFLAGS LDFLAGS
+
+	tc-ld-disable-gold #439082 #466536 #526348
+	export TARGET_LDFLAGS="${TARGET_LDFLAGS} ${LDFLAGS}"
+	unset LDFLAGS
+
+	tc-export CC NM OBJCOPY RANLIB STRIP
+	tc-export BUILD_CC BUILD_PKG_CONFIG
+
+	# Force configure to use flex & bison, bug 887211.
+	export LEX=flex
+	unset YACC
+
+	MULTIBUILD_VARIANTS=()
+	local p
+	for p in "${GRUB_ALL_PLATFORMS[@]}"; do
+		use "grub_platforms_${p}" && MULTIBUILD_VARIANTS+=( "${p}" )
+	done
+	[[ ${#MULTIBUILD_VARIANTS[@]} -eq 0 ]] && MULTIBUILD_VARIANTS=( guessed )
+	grub_do grub_configure
+}
+
+src_compile() {
+	# Sandbox bug 404013.
+	use libzfs && { addpredict /etc/dfs; addpredict /dev/zfs; }
+
+	grub_do emake
+	use doc && grub_do_once emake -C docs html
+}
+
+src_test() {
+	# The qemu dependency is a bit complex.
+	# You will need to adjust QEMU_SOFTMMU_TARGETS to match the cpu/platform.
+	local SANDBOX_WRITE=${SANDBOX_WRITE}
+	addwrite /dev
+	grub_do emake -j1 check
+}
+
+grub_mkstandalone_secureboot() {
+	use secureboot || return
+
+	if tc-is-cross-compiler; then
+		ewarn "USE=secureboot is not supported when cross-compiling."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local standalone_targets
+
+	case ${CTARGET:-${CHOST}} in
+		i?86* | x86_64*)
+			use grub_platforms_efi-32 && standalone_targets+=( i386-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( x86_64-efi )
+			;;
+		arm* | aarch64*)
+			use grub_platforms_efi-32 && standalone_targets+=( arm-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( arm64-efi )
+			;;
+		riscv*)
+			use grub_platforms_efi-32 && standalone_targets+=( riscv32-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( riscv64-efi )
+			;;
+		ia64*)
+			use grub_platforms_efi-64 && standalone_targets+=( ia64-efi )
+			;;
+		loongarch64*)
+			use grub_platforms_efi-64 && standalone_targets+=( loongarch64-efi )
+			;;
+	esac
+
+	if [[ ${#standalone_targets[@]} -eq 0 ]]; then
+		ewarn "USE=secureboot is enabled, but no suitable EFI target in GRUB_PLATFORMS."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local target mkstandalone_args
+
+	# grub-mkstandalone embeds a config file, make this config file chainload
+	# a config file in the same directory grub is installed in. This requires
+	# pre-loading the part_gpt and part_msdos modules.
+	echo 'configfile ${cmdpath}/grub.cfg' > "${T}/grub.cfg" || die
+	for target in "${standalone_targets[@]}"; do
+		ebegin "Building standalone EFI executable for ${target}"
+		mkstandalone_args=(
+			--verbose
+			--directory="${ED}/usr/lib/grub/${target}"
+			--locale-directory="${ED}/usr/share/locale"
+			--format="${target}"
+			--modules="part_gpt part_msdos"
+			--sbat="${ED}/usr/share/grub/sbat.csv"
+			--output="${ED}/usr/lib/grub/grub-${target%-efi}.efi"
+			"boot/grub/grub.cfg=${T}/grub.cfg"
+		)
+
+		"${ED}/usr/bin/grub-mkstandalone" "${mkstandalone_args[@]}"
+		eend ${?} || die "grub-mkstandalone failed to build EFI executable"
+	done
+
+	secureboot_auto_sign
+}
+
+src_install() {
+	grub_do emake install DESTDIR="${D}" bashcompletiondir="$(get_bashcompdir)"
+	use doc && grub_do_once emake -C docs install-html DESTDIR="${D}"
+
+	einstalldocs
+
+	insinto /etc/default
+	newins "${FILESDIR}"/grub.default-4 grub
+
+	# https://bugs.gentoo.org/231935
+	dostrip -x /usr/lib/grub
+
+	sed -e "s/%PV%/${PV}/" "${FILESDIR}/sbat.csv" > "${T}/sbat.csv" || die
+	insinto /usr/share/grub
+	doins "${T}/sbat.csv"
+
+	if use elibc_musl; then
+		# https://bugs.gentoo.org/900348
+		QA_CONFIG_IMPL_DECL_SKIP=( re_{compile_pattern,match,search,set_syntax} )
+	fi
+
+	grub_mkstandalone_secureboot
+}
+
+pkg_postinst() {
+	elog "For information on how to configure GRUB2 please refer to the guide:"
+	elog "    https://wiki.gentoo.org/wiki/GRUB2_Quick_Start"
+
+	if [[ -n ${REPLACING_VERSIONS} ]]; then
+		local v
+		for v in ${REPLACING_VERSIONS}; do
+			if ver_test -gt ${v}; then
+				ewarn
+				ewarn "Re-run grub-install to update installed boot code!"
+				ewarn "Re-run grub-mkconfig to update grub.cfg!"
+				ewarn
+				break
+			fi
+		done
+	else
+		elog
+		optfeature "detecting other operating systems (grub-mkconfig)" sys-boot/os-prober
+		optfeature "creating rescue media (grub-mkrescue)" dev-libs/libisoburn sys-fs/mtools
+		optfeature "enabling RAID device detection" sys-fs/mdadm
+		optfeature "automatically updating GRUB's configuration on each kernel installation" "sys-kernel/installkernel[grub]"
+	fi
+
+	if has_version 'sys-boot/grub:0'; then
+		elog "A migration guide for GRUB Legacy users is available:"
+		elog "    https://wiki.gentoo.org/wiki/GRUB2_Migration"
+	fi
+
+	if has_version sys-boot/os-prober; then
+		ewarn "Due to security concerns, os-prober is disabled by default."
+		ewarn "Set GRUB_DISABLE_OS_PROBER=false in /etc/default/grub to enable it."
+	fi
+
+	if use secureboot; then
+		elog
+		elog "The signed standalone grub EFI executable(s) are available in:"
+		elog "    /usr/lib/grub/grub-<target>.efi(.signed)"
+		elog "These EFI executables should be copied to the usual location at:"
+		elog "    ESP/EFI/Gentoo/grub<arch>.efi"
+		elog "Note that 'grub-install' does not install these images."
+		elog
+		elog "These standalone grub executables read the grub config file from"
+		elog "the grub.cfg in the same directory instead of the default"
+		elog "/boot/grub/grub.cfg. When sys-kernel/installkernel[grub] is used,"
+		elog "the location of the grub.cfg may be overridden by setting the"
+		elog "GRUB_CFG environment variable:"
+		elog "     GRUB_CFG=ESP/EFI/Gentoo/grub.cfg"
+		elog
+	fi
+}
diff --git a/sys-boot/grub/grub-9999.ebuild b/sys-boot/grub/grub-9999.ebuild
index f007f3aaa884..2b24a0433912 100644
--- a/sys-boot/grub/grub-9999.ebuild
+++ b/sys-boot/grub/grub-9999.ebuild
@@ -29,7 +29,8 @@ if [[ -n ${GRUB_AUTORECONF} ]]; then
 	inherit autotools
 fi
 
-inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1 toolchain-funcs
+inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1
+inherit secureboot toolchain-funcs
 
 DESCRIPTION="GNU GRUB boot loader"
 HOMEPAGE="https://www.gnu.org/software/grub/"
@@ -291,6 +292,70 @@ src_test() {
 	grub_do emake -j1 check
 }
 
+grub_mkstandalone_secureboot() {
+	use secureboot || return
+
+	if tc-is-cross-compiler; then
+		ewarn "USE=secureboot is not supported when cross-compiling."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local standalone_targets
+
+	case ${CTARGET:-${CHOST}} in
+		i?86* | x86_64*)
+			use grub_platforms_efi-32 && standalone_targets+=( i386-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( x86_64-efi )
+			;;
+		arm* | aarch64*)
+			use grub_platforms_efi-32 && standalone_targets+=( arm-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( arm64-efi )
+			;;
+		riscv*)
+			use grub_platforms_efi-32 && standalone_targets+=( riscv32-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( riscv64-efi )
+			;;
+		ia64*)
+			use grub_platforms_efi-64 && standalone_targets+=( ia64-efi )
+			;;
+		loongarch64*)
+			use grub_platforms_efi-64 && standalone_targets+=( loongarch64-efi )
+			;;
+	esac
+
+	if [[ ${#standalone_targets[@]} -eq 0 ]]; then
+		ewarn "USE=secureboot is enabled, but no suitable EFI target in GRUB_PLATFORMS."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local target mkstandalone_args
+
+	# grub-mkstandalone embeds a config file, make this config file chainload
+	# a config file in the same directory grub is installed in. This requires
+	# pre-loading the part_gpt and part_msdos modules.
+	echo 'configfile ${cmdpath}/grub.cfg' > "${T}/grub.cfg" || die
+	for target in "${standalone_targets[@]}"; do
+		ebegin "Building standalone EFI executable for ${target}"
+		mkstandalone_args=(
+			--verbose
+			--directory="${ED}/usr/lib/grub/${target}"
+			--locale-directory="${ED}/usr/share/locale"
+			--format="${target}"
+			--modules="part_gpt part_msdos"
+			--sbat="${ED}/usr/share/grub/sbat.csv"
+			--output="${ED}/usr/lib/grub/grub-${target%-efi}.efi"
+			"boot/grub/grub.cfg=${T}/grub.cfg"
+		)
+
+		"${ED}/usr/bin/grub-mkstandalone" "${mkstandalone_args[@]}"
+		eend ${?} || die "grub-mkstandalone failed to build EFI executable"
+	done
+
+	secureboot_auto_sign
+}
+
 src_install() {
 	grub_do emake install DESTDIR="${D}" bashcompletiondir="$(get_bashcompdir)"
 	use doc && grub_do_once emake -C docs install-html DESTDIR="${D}"
@@ -311,6 +376,8 @@ src_install() {
 		# https://bugs.gentoo.org/900348
 		QA_CONFIG_IMPL_DECL_SKIP=( re_{compile_pattern,match,search,set_syntax} )
 	fi
+
+	grub_mkstandalone_secureboot
 }
 
 pkg_postinst() {
@@ -345,4 +412,21 @@ pkg_postinst() {
 		ewarn "Due to security concerns, os-prober is disabled by default."
 		ewarn "Set GRUB_DISABLE_OS_PROBER=false in /etc/default/grub to enable it."
 	fi
+
+	if use secureboot; then
+		elog
+		elog "The signed standalone grub EFI executable(s) are available in:"
+		elog "    /usr/lib/grub/grub-<target>.efi(.signed)"
+		elog "These EFI executables should be copied to the usual location at:"
+		elog "    ESP/EFI/Gentoo/grub<arch>.efi"
+		elog "Note that 'grub-install' does not install these images."
+		elog
+		elog "These standalone grub executables read the grub config file from"
+		elog "the grub.cfg in the same directory instead of the default"
+		elog "/boot/grub/grub.cfg. When sys-kernel/installkernel[grub] is used,"
+		elog "the location of the grub.cfg may be overridden by setting the"
+		elog "GRUB_CFG environment variable:"
+		elog "     GRUB_CFG=ESP/EFI/Gentoo/grub.cfg"
+		elog
+	fi
 }