5 files changed, 529 insertions, 9 deletions
diff --git a/sys-boot/grub/Manifest b/sys-boot/grub/Manifest
index 9401eb4edc47..cc2cffac98ce 100644
--- a/sys-boot/grub/Manifest
+++ b/sys-boot/grub/Manifest
@@ -2,13 +2,14 @@ AUX gfxpayload.patch 1118 BLAKE2B 4104fc696535b1c3feba5876bccc64f9b2e52319ee992c
 AUX grub-2.02_beta2-KERNEL_GLOBS.patch 2355 BLAKE2B c120f06d3597a2ff9566778afd69d80a814904726e47766b7582626d182a2703e54fd69ecf00b54bcc5541e22a3d93ff8b85c9cf8d0440623454e8e7da3aaa91 SHA512 23416ac17838f101ed73103af6aa7305609667f47288bfa3bd5ae80d1123da664ba6f9b518451b0bd5f528e069893a51444d203953be0b0644790cea0b4b9cf0
 AUX grub-2.06-test-words.patch 2553 BLAKE2B 21d6167945b461be7cc73198451ae0dc15ce0dfe2a301342f1a3bb75d6fcb5d73da9997fb8a93f36dffb43a351f056a1a4db9eed3147b0f3e77c65034b805c64 SHA512 627422377bdad97d0197f178814d6616a0f7ec07357182b00166a455d38ba0c5a60185c5febf4dfb7a11b35f26c7af607508cb5f418acdb7290517240fbd99e4
 AUX grub-2.12-fwsetup.patch 1156 BLAKE2B 0a2097c324351ba00c9cb375401a4e06701572d7b000888ff202ab3a6b701dfd4d89314d190b1992ddbebe8b57701de760cf656b847f39ac70280b87e557f3b0 SHA512 3b2ea63a35fce6d375e1e6ed5979f93acc80e2512d4b4fbee72b4a26f67a1a41c20e18ecab81d5250b61c3f41831e421cb8a29b38cd0a4f40694e7e1a6e565c5
-AUX grub.default-4 2644 BLAKE2B a954461f46df2ea1be2b6a6ae0ba3c023bd72f75d1998ee3f124eadd4bdc05de86fba77b3f693cb567e85daa1cdf39aa1f9f75ec3ad4b0e67cf93608c73e3721 SHA512 4d9004f9d93ca8cf0918c587df29a423d4122c86bc6ae6b08438e094e5276c5a21d30688c99f4b52ce40df78739a72dbddbb2bcefbcdd582374a62f565d057bf
+AUX grub.default-4 2631 BLAKE2B fc81f26d599320776999ccef0c20d5cdac0034ba6cd7f5451c8eee590847008aedab272250a6c9bf9610a7e2d2942713e9fbec73d12ee893d7a304fef8d351fd SHA512 16d2060f75d3d31cd980d3fce330bd10165daf50bde89d962ffdbeb3c2434eff7544f593e42fc38f95c40b579725093514d5344696865fab012ec2855fb3dccf
 AUX sbat.csv 208 BLAKE2B e7d4fa4662344f94225abfb6fd9517663e15e124ddf5df4d3e3cece7cd1594f6805f5c7ef3ff6d5a6adda2a175b7d7a4b7fd8ab773b322c968d43138c74fd5e2 SHA512 e53f552355cc5f07535513d76c0b39d37349fc5662feca9d4193e9379760cad3c6926a9541358b197d97786ab01cfe1e043cb4e86a087e0f37f5039e85ee4bd4
 DIST dejavu-sans-ttf-2.37.zip 417746 BLAKE2B c8904f3cd5a49370a7dc10e456684c88aeae998a99090bf4d0a5baa4f36cc8fb8f70586cf6d610a5ffeee97261d28c80f55bbe9dcfc3ed796d5c2d60e79adb58 SHA512 ede5899daa1984c5aa8cacb1c850eb53f189dddef3d9bb78bf9774d8976b7c0d6eb0bcf86237cd7d11f5b36cf5b5058d42cd94d3bd76f2bd0931c7ceb1271fae
 DIST grub-2.12-bash-completion.patch.gz 3627 BLAKE2B 6ba80fd4fb4b28ae2e5a2387133d815da126a4eaa4b5cb24b13f4ba5a2499ab4099d10ada366ed39f84be2c38774122f48e1a1894768c5bee29149528610d095 SHA512 a9ee6d2253ae48d7f90907a9e975a3a1d01346bc621d8b8cddf7cc815cd91e078f6c61392724d13556ee64f099fa15c94fcb88a49ff02d4a90ebd376252cea5c
 DIST grub-2.12.tar.xz 6675608 BLAKE2B a678f7fafb945d325c8cf47aa086f48357a8f6335b762f77038c30a3896b3b05491598d9931d5335841d224fffcbe4a9a43ca1479057c1f1ce52b8d2a952c431 SHA512 761c060a4c3da9c0e810b0ea967e3ebc66baa4ddd682a503ae3d30a83707626bccaf49359304a16b3a26fc4435fe6bea1ee90be910c84de3c2b5485a31a15be3
 DIST grub-2.12.tar.xz.sig 566 BLAKE2B 9b77fe53041b99f1196743aa6d9fc9c727b17c6512129bab2b35005f2c70f371e30521ddd804bf0c666e36cf2667247980f385ca1ac911fa9b8e0311427dc01c SHA512 fbe971d8c382578b49d33902234edd9cbd084b70820a1a56a59df4ec30874c0dd4fe27f8dc44bb380716bb7480ca68a87d120a25b92a6a10ff6c8ec1b60548d3
 DIST unifont-15.0.06.pcf.gz 1358322 BLAKE2B 81811e3de390ca35d1a2dc1f1dee73464e97f44907ba522c218ba9c5e39ca3c9d767552780a257a97c156eb623c17786d9c0d2b67786d61df5ca33a1e10db7ca SHA512 0a28a406629c604f5cbf51f501528239a7ed50d19f93ea505bc5bdc72639e4b926b03f4b8782a5733041f7cdb4aebb9948ac7cfd5a8ad9a0fe309944e595517b
-EBUILD grub-2.12-r4.ebuild 9373 BLAKE2B 45ea454cac91bfd1316735c41bbb6b4cae4ef5ca3194c7f6f29b456c58bdd571eb3a654e82b086c602b470c98cf3cf0e42a1477f07f6cbb6f6282569468415a0 SHA512 bd507daa4e596b2069988cb2469dc6339ac9f019edc8f82f78e7b1e77da14d62738bcc944e8ddbfc08ada537e55cc97fcf5177c50c114a52b0ba69c5bc0d5c1b
-EBUILD grub-9999.ebuild 9041 BLAKE2B 6d186ada2fc481c4c9a9718a93756860c0ffed8f5dc8d16bcde50e6590d653cf5ade561a582339bf91cce462b71773cacb2b0a849a152b7ce226a4bd32c9187b SHA512 c385e7704c581d789ead0e2beda14993eb0ad8cc5686465df4a40c9240cf9dccf898967648208a336f966c510f07e07ddde7a4d75fcd33b74ed1d024b653af41
+EBUILD grub-2.12-r4.ebuild 9387 BLAKE2B 391d0e5f4c9cf092420ba5a175683585a794c0318cc24d38bc039d9080d9ff9cb43cb6f9e5b6222d559b68a1cb4f9e8fe5cb1d409e4078a6aa5294f84dc79da2 SHA512 18f50ba5120eb0173aed591e746d43208b2e6233d1e94dce6a18caaaf13b93a349c8cdc14e2a505e758bfc72efcd9d88f15ac5498ea871c4cb178214e38d1254
+EBUILD grub-2.12-r5.ebuild 12203 BLAKE2B 484f55ba3ff326ba1f6462dc88b20b66a0bb62772bcaa1acb0bc5484f4ce3dd3a02fc5a5cd833334f191dbbe57dd780f1870c64c1703149381a5407ca7e463b0 SHA512 e6bf3497f6175e5b23df0cd0129717f2d7658097aaecc5ec5d0d32a955c9ff9feb8d5ec6a3d5c569cad4d00731a71f6680cba0ec90e562a09ec48b96545f50fd
+EBUILD grub-9999.ebuild 11864 BLAKE2B 85472b605827f236279740012f16c18fd3a6d6356391828f22fbf353fe26aaa9d656071eb5edf530cbc440f781b14a394c41a4eaacd63a3f0db66fec270f66a4 SHA512 f5c194a90201de73366597b2ce60fd6d3c081f121fe0c8645f4afa55ee27d6bb868024a4efe50bd1f2850fed52a59a45b92807203d3fc15af2a1d3d7b01d0b13
 MISC metadata.xml 986 BLAKE2B 7c03fac1bf235c1d82e435926c5a9079a21eb16e9937c0ac4e6297bc2f129bc9022efa11c099df07fd9e3b6c47a13246e25ae1c4cc390878ead82394c9b9ed11 SHA512 eb62f4b746c87bf2756669d57e76e60f24cea493948b19429a45e52d02fc1a501b4465ba52940757409258f7ad0ceef0e0f473aeb80cbd9b693b866ae015f13c
diff --git a/sys-boot/grub/files/grub.default-4 b/sys-boot/grub/files/grub.default-4
index 35d3060137a9..74f5d10aea3b 100644
--- a/sys-boot/grub/files/grub.default-4
+++ b/sys-boot/grub/files/grub.default-4
@@ -34,9 +34,9 @@ GRUB_DISTRIBUTOR="Gentoo"
 # Uncomment to disable graphical terminal (grub-pc only)
 #GRUB_TERMINAL=console
 
-# The resolution used on graphical terminal.
-# Note that you can use only modes which your graphic card supports via VBE.
-# You can see them in real GRUB with the command `vbeinfo'.
+# Resolution used on graphical terminal.
+# The list of valid modes may be obtained using the 'vbeinfo' (PC BIOS) or
+# 'videoinfo' (EFI) command from a GRUB boot prompt.
 #GRUB_GFXMODE=640x480
 
 # Set to 'text' to force the Linux kernel to boot in normal text
diff --git a/sys-boot/grub/grub-2.12-r4.ebuild b/sys-boot/grub/grub-2.12-r4.ebuild
index 66b37086f92f..5ce4953d88c4 100644
--- a/sys-boot/grub/grub-2.12-r4.ebuild
+++ b/sys-boot/grub/grub-2.12-r4.ebuild
@@ -334,7 +334,7 @@ pkg_postinst() {
 	else
 		elog
 		optfeature "detecting other operating systems (grub-mkconfig)" sys-boot/os-prober
-		optfeature "creating rescue media (grub-mkrescue)" dev-libs/libisoburn
+		optfeature "creating rescue media (grub-mkrescue)" dev-libs/libisoburn sys-fs/mtools
 		optfeature "enabling RAID device detection" sys-fs/mdadm
 		optfeature "automatically updating GRUB's configuration on each kernel installation" "sys-kernel/installkernel[grub]"
 	fi
diff --git a/sys-boot/grub/grub-2.12-r5.ebuild b/sys-boot/grub/grub-2.12-r5.ebuild
new file mode 100644
index 000000000000..1e22477b727a
--- /dev/null
+++ b/sys-boot/grub/grub-2.12-r5.ebuild
@@ -0,0 +1,435 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# This ebuild uses 3 special global variables:
+# GRUB_BOOTSTRAP: Depend on python and invoke bootstrap (gnulib).
+# GRUB_AUTOGEN: Depend on python and invoke autogen.sh.
+# GRUB_AUTORECONF: Inherit autotools and invoke eautoreconf.
+#
+# When applying patches:
+# If gnulib is updated, set GRUB_BOOTSTRAP=1
+# If gentpl.py or *.def is updated, set GRUB_AUTOGEN=1
+# If gnulib, gentpl.py, *.def, or any autotools files are updated, set GRUB_AUTORECONF=1
+#
+# If any of the above applies to a user patch, the user should set the
+# corresponding variable in make.conf or the environment.
+
+GRUB_AUTORECONF=1
+PYTHON_COMPAT=( python3_{10..12} )
+WANT_LIBTOOL=none
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/dkiper.gpg
+
+if [[ -n ${GRUB_AUTORECONF} ]]; then
+	inherit autotools
+fi
+
+inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1
+inherit secureboot toolchain-funcs
+
+DESCRIPTION="GNU GRUB boot loader"
+HOMEPAGE="https://www.gnu.org/software/grub/"
+
+MY_P=${P}
+if [[ ${PV} != 9999 ]]; then
+	inherit verify-sig
+
+	if [[ ${PV} == *_alpha* || ${PV} == *_beta* || ${PV} == *_rc* ]]; then
+		# The quote style is to work with <=bash-4.2 and >=bash-4.3 #503860
+		MY_P=${P/_/'~'}
+		SRC_URI="
+			https://alpha.gnu.org/gnu/${PN}/${MY_P}.tar.xz
+			verify-sig? ( https://alpha.gnu.org/gnu/${PN}/${MY_P}.tar.xz.sig )
+		"
+		S=${WORKDIR}/${MY_P}
+	else
+		SRC_URI="
+			mirror://gnu/${PN}/${P}.tar.xz
+			https://dev.gentoo.org/~floppym/dist/${P}-bash-completion.patch.gz
+			verify-sig? ( mirror://gnu/${PN}/${P}.tar.xz.sig )
+		"
+		S=${WORKDIR}/${P%_*}
+	fi
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-danielkiper )"
+	KEYWORDS="~amd64 ~arm ~arm64 ~ia64 ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+else
+	inherit git-r3
+	EGIT_REPO_URI="https://git.savannah.gnu.org/git/grub.git"
+fi
+
+DEJAVU=dejavu-sans-ttf-2.37
+UNIFONT=unifont-15.0.06
+SRC_URI+=" fonts? ( mirror://gnu/unifont/${UNIFONT}/${UNIFONT}.pcf.gz )
+	themes? ( https://downloads.sourceforge.net/dejavu/${DEJAVU}.zip )"
+
+# Includes licenses for dejavu and unifont
+LICENSE="GPL-3+ BSD MIT fonts? ( GPL-2-with-font-exception ) themes? ( CC-BY-SA-3.0 BitstreamVera )"
+SLOT="2/${PVR}"
+IUSE="device-mapper doc efiemu +fonts mount nls sdl test +themes truetype libzfs"
+
+GRUB_ALL_PLATFORMS=( coreboot efi-32 efi-64 emu ieee1275 loongson multiboot
+	qemu qemu-mips pc uboot xen xen-32 xen-pvh )
+IUSE+=" ${GRUB_ALL_PLATFORMS[@]/#/grub_platforms_}"
+
+REQUIRED_USE="
+	grub_platforms_coreboot? ( fonts )
+	grub_platforms_qemu? ( fonts )
+	grub_platforms_ieee1275? ( fonts )
+	grub_platforms_loongson? ( fonts )
+"
+
+BDEPEND+="
+	${PYTHON_DEPS}
+	>=sys-devel/flex-2.5.35
+	sys-devel/bison
+	sys-apps/help2man
+	sys-apps/texinfo
+	fonts? (
+		media-libs/freetype:2
+		virtual/pkgconfig
+	)
+	test? (
+		app-admin/genromfs
+		app-alternatives/cpio
+		app-arch/lzop
+		app-emulation/qemu
+		dev-libs/libisoburn
+		sys-apps/miscfiles
+		sys-block/parted
+		sys-fs/squashfs-tools
+	)
+	themes? (
+		app-arch/unzip
+		media-libs/freetype:2
+		virtual/pkgconfig
+	)
+	truetype? ( virtual/pkgconfig )
+"
+DEPEND="
+	app-arch/xz-utils
+	>=sys-libs/ncurses-5.2-r5:0=
+	grub_platforms_emu? (
+		sdl? ( media-libs/libsdl2 )
+	)
+	device-mapper? ( >=sys-fs/lvm2-2.02.45 )
+	libzfs? ( sys-fs/zfs:= )
+	mount? ( sys-fs/fuse:3 )
+	truetype? ( media-libs/freetype:2= )
+	ppc? ( >=sys-apps/ibm-powerpc-utils-1.3.5 )
+	ppc64? ( >=sys-apps/ibm-powerpc-utils-1.3.5 )
+"
+RDEPEND="${DEPEND}
+	kernel_linux? (
+		grub_platforms_efi-32? ( sys-boot/efibootmgr )
+		grub_platforms_efi-64? ( sys-boot/efibootmgr )
+	)
+	!sys-boot/grub:0
+	nls? ( sys-devel/gettext )
+"
+
+RESTRICT="!test? ( test ) test? ( userpriv )"
+
+QA_EXECSTACK="usr/bin/grub-emu* usr/lib/grub/*"
+QA_PRESTRIPPED="usr/lib/grub/.*"
+QA_MULTILIB_PATHS="usr/lib/grub/.*"
+QA_WX_LOAD="usr/lib/grub/*"
+
+pkg_setup() {
+	:
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999 ]]; then
+		git-r3_src_unpack
+		pushd "${P}" >/dev/null || die
+		local GNULIB_URI="https://git.savannah.gnu.org/git/gnulib.git"
+		local GNULIB_REVISION=$(source bootstrap.conf >/dev/null; echo "${GNULIB_REVISION}")
+		git-r3_fetch "${GNULIB_URI}" "${GNULIB_REVISION}"
+		git-r3_checkout "${GNULIB_URI}" gnulib
+		popd >/dev/null || die
+	elif use verify-sig; then
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.sig}
+	fi
+	default
+}
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}"/gfxpayload.patch
+		"${FILESDIR}"/grub-2.02_beta2-KERNEL_GLOBS.patch
+		"${FILESDIR}"/grub-2.06-test-words.patch
+		"${FILESDIR}"/grub-2.12-fwsetup.patch
+		"${WORKDIR}"/grub-2.12-bash-completion.patch
+	)
+
+	default
+
+	python_setup
+
+	if [[ -n ${GRUB_BOOTSTRAP} ]]; then
+		eautopoint --force
+		AUTOPOINT=: AUTORECONF=: ./bootstrap || die
+	elif [[ -n ${GRUB_AUTOGEN} ]]; then
+		FROM_BOOTSTRAP=1 ./autogen.sh || die
+	fi
+
+	if [[ -n ${GRUB_AUTORECONF} ]]; then
+		eautoreconf
+	fi
+
+	# Avoid error due to extra_deps.lst missing from source tarball:
+	#       make[3]: *** No rule to make target 'grub-core/extra_deps.lst', needed by 'syminfo.lst'.  Stop.
+	echo "depends bli part_gpt" > grub-core/extra_deps.lst || die
+}
+
+grub_do() {
+	multibuild_foreach_variant run_in_build_dir "$@"
+}
+
+grub_do_once() {
+	multibuild_for_best_variant run_in_build_dir "$@"
+}
+
+grub_configure() {
+	local platform
+
+	case ${MULTIBUILD_VARIANT} in
+		efi*) platform=efi ;;
+		xen-pvh) platform=xen_pvh ;;
+		xen*) platform=xen ;;
+		guessed) ;;
+		*) platform=${MULTIBUILD_VARIANT} ;;
+	esac
+
+	case ${MULTIBUILD_VARIANT} in
+		*-32)
+			if [[ ${CTARGET:-${CHOST}} == x86_64* ]]; then
+				local CTARGET=i386
+			fi ;;
+		*-64)
+			if [[ ${CTARGET:-${CHOST}} == i?86* ]]; then
+				local CTARGET=x86_64
+				local -x TARGET_CFLAGS="-Os -march=x86-64 ${TARGET_CFLAGS}"
+				local -x TARGET_CPPFLAGS="-march=x86-64 ${TARGET_CPPFLAGS}"
+			fi ;;
+	esac
+
+	local myeconfargs=(
+		--disable-werror
+		--program-prefix=
+		--libdir="${EPREFIX}"/usr/lib
+		$(use_enable device-mapper)
+		$(use_enable mount grub-mount)
+		$(use_enable nls)
+		$(use_enable themes grub-themes)
+		$(use_enable truetype grub-mkfont)
+		$(use_enable libzfs)
+		--enable-grub-emu-sdl=no
+		$(use_enable sdl grub-emu-sdl2)
+		${platform:+--with-platform=}${platform}
+
+		# Let configure detect this where supported
+		$(usex efiemu '' '--disable-efiemu')
+	)
+
+	if use fonts; then
+		ln -rs "${WORKDIR}/${UNIFONT}.pcf" unifont.pcf || die
+	fi
+
+	if use themes; then
+		ln -rs "${WORKDIR}/${DEJAVU}/ttf/DejaVuSans.ttf" DejaVuSans.ttf || die
+	fi
+
+	local ECONF_SOURCE="${S}"
+	econf "${myeconfargs[@]}"
+}
+
+src_configure() {
+	# Bug 508758.
+	replace-flags -O3 -O2
+
+	# Workaround for bug 829165.
+	filter-ldflags -pie
+
+	# We don't want to leak flags onto boot code.
+	export HOST_CCASFLAGS=${CCASFLAGS}
+	export HOST_CFLAGS=${CFLAGS}
+	export HOST_CPPFLAGS=${CPPFLAGS}
+	export HOST_LDFLAGS=${LDFLAGS}
+	unset CCASFLAGS CFLAGS CPPFLAGS LDFLAGS
+
+	tc-ld-disable-gold #439082 #466536 #526348
+	export TARGET_LDFLAGS="${TARGET_LDFLAGS} ${LDFLAGS}"
+	unset LDFLAGS
+
+	tc-export CC NM OBJCOPY RANLIB STRIP
+	tc-export BUILD_CC BUILD_PKG_CONFIG
+
+	# Force configure to use flex & bison, bug 887211.
+	export LEX=flex
+	unset YACC
+
+	MULTIBUILD_VARIANTS=()
+	local p
+	for p in "${GRUB_ALL_PLATFORMS[@]}"; do
+		use "grub_platforms_${p}" && MULTIBUILD_VARIANTS+=( "${p}" )
+	done
+	[[ ${#MULTIBUILD_VARIANTS[@]} -eq 0 ]] && MULTIBUILD_VARIANTS=( guessed )
+	grub_do grub_configure
+}
+
+src_compile() {
+	# Sandbox bug 404013.
+	use libzfs && { addpredict /etc/dfs; addpredict /dev/zfs; }
+
+	grub_do emake
+	use doc && grub_do_once emake -C docs html
+}
+
+src_test() {
+	# The qemu dependency is a bit complex.
+	# You will need to adjust QEMU_SOFTMMU_TARGETS to match the cpu/platform.
+	local SANDBOX_WRITE=${SANDBOX_WRITE}
+	addwrite /dev
+	grub_do emake -j1 check
+}
+
+grub_mkstandalone_secureboot() {
+	use secureboot || return
+
+	if tc-is-cross-compiler; then
+		ewarn "USE=secureboot is not supported when cross-compiling."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local standalone_targets
+
+	case ${CTARGET:-${CHOST}} in
+		i?86* | x86_64*)
+			use grub_platforms_efi-32 && standalone_targets+=( i386-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( x86_64-efi )
+			;;
+		arm* | aarch64*)
+			use grub_platforms_efi-32 && standalone_targets+=( arm-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( arm64-efi )
+			;;
+		riscv*)
+			use grub_platforms_efi-32 && standalone_targets+=( riscv32-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( riscv64-efi )
+			;;
+		ia64*)
+			use grub_platforms_efi-64 && standalone_targets+=( ia64-efi )
+			;;
+		loongarch64*)
+			use grub_platforms_efi-64 && standalone_targets+=( loongarch64-efi )
+			;;
+	esac
+
+	if [[ ${#standalone_targets[@]} -eq 0 ]]; then
+		ewarn "USE=secureboot is enabled, but no suitable EFI target in GRUB_PLATFORMS."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local target mkstandalone_args
+
+	# grub-mkstandalone embeds a config file, make this config file chainload
+	# a config file in the same directory grub is installed in. This requires
+	# pre-loading the part_gpt and part_msdos modules.
+	echo 'configfile ${cmdpath}/grub.cfg' > "${T}/grub.cfg" || die
+	for target in "${standalone_targets[@]}"; do
+		ebegin "Building standalone EFI executable for ${target}"
+		mkstandalone_args=(
+			--verbose
+			--directory="${ED}/usr/lib/grub/${target}"
+			--locale-directory="${ED}/usr/share/locale"
+			--format="${target}"
+			--modules="part_gpt part_msdos"
+			--sbat="${ED}/usr/share/grub/sbat.csv"
+			--output="${ED}/usr/lib/grub/grub-${target%-efi}.efi"
+			"boot/grub/grub.cfg=${T}/grub.cfg"
+		)
+
+		"${ED}/usr/bin/grub-mkstandalone" "${mkstandalone_args[@]}"
+		eend ${?} || die "grub-mkstandalone failed to build EFI executable"
+	done
+
+	secureboot_auto_sign
+}
+
+src_install() {
+	grub_do emake install DESTDIR="${D}" bashcompletiondir="$(get_bashcompdir)"
+	use doc && grub_do_once emake -C docs install-html DESTDIR="${D}"
+
+	einstalldocs
+
+	insinto /etc/default
+	newins "${FILESDIR}"/grub.default-4 grub
+
+	# https://bugs.gentoo.org/231935
+	dostrip -x /usr/lib/grub
+
+	sed -e "s/%PV%/${PV}/" "${FILESDIR}/sbat.csv" > "${T}/sbat.csv" || die
+	insinto /usr/share/grub
+	doins "${T}/sbat.csv"
+
+	if use elibc_musl; then
+		# https://bugs.gentoo.org/900348
+		QA_CONFIG_IMPL_DECL_SKIP=( re_{compile_pattern,match,search,set_syntax} )
+	fi
+
+	grub_mkstandalone_secureboot
+}
+
+pkg_postinst() {
+	elog "For information on how to configure GRUB2 please refer to the guide:"
+	elog "    https://wiki.gentoo.org/wiki/GRUB2_Quick_Start"
+
+	if [[ -n ${REPLACING_VERSIONS} ]]; then
+		local v
+		for v in ${REPLACING_VERSIONS}; do
+			if ver_test -gt ${v}; then
+				ewarn
+				ewarn "Re-run grub-install to update installed boot code!"
+				ewarn "Re-run grub-mkconfig to update grub.cfg!"
+				ewarn
+				break
+			fi
+		done
+	else
+		elog
+		optfeature "detecting other operating systems (grub-mkconfig)" sys-boot/os-prober
+		optfeature "creating rescue media (grub-mkrescue)" dev-libs/libisoburn sys-fs/mtools
+		optfeature "enabling RAID device detection" sys-fs/mdadm
+		optfeature "automatically updating GRUB's configuration on each kernel installation" "sys-kernel/installkernel[grub]"
+	fi
+
+	if has_version 'sys-boot/grub:0'; then
+		elog "A migration guide for GRUB Legacy users is available:"
+		elog "    https://wiki.gentoo.org/wiki/GRUB2_Migration"
+	fi
+
+	if has_version sys-boot/os-prober; then
+		ewarn "Due to security concerns, os-prober is disabled by default."
+		ewarn "Set GRUB_DISABLE_OS_PROBER=false in /etc/default/grub to enable it."
+	fi
+
+	if use secureboot; then
+		elog
+		elog "The signed standalone grub EFI executable(s) are available in:"
+		elog "    /usr/lib/grub/grub-<target>.efi(.signed)"
+		elog "These EFI executables should be copied to the usual location at:"
+		elog "    ESP/EFI/Gentoo/grub<arch>.efi"
+		elog "Note that 'grub-install' does not install these images."
+		elog
+		elog "These standalone grub executables read the grub config file from"
+		elog "the grub.cfg in the same directory instead of the default"
+		elog "/boot/grub/grub.cfg. When sys-kernel/installkernel[grub] is used,"
+		elog "the location of the grub.cfg may be overridden by setting the"
+		elog "GRUB_CFG environment variable:"
+		elog "     GRUB_CFG=ESP/EFI/Gentoo/grub.cfg"
+		elog
+	fi
+}
diff --git a/sys-boot/grub/grub-9999.ebuild b/sys-boot/grub/grub-9999.ebuild
index 1061d6ebe58d..2b24a0433912 100644
--- a/sys-boot/grub/grub-9999.ebuild
+++ b/sys-boot/grub/grub-9999.ebuild
@@ -29,7 +29,8 @@ if [[ -n ${GRUB_AUTORECONF} ]]; then
 	inherit autotools
 fi
 
-inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1 toolchain-funcs
+inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1
+inherit secureboot toolchain-funcs
 
 DESCRIPTION="GNU GRUB boot loader"
 HOMEPAGE="https://www.gnu.org/software/grub/"
@@ -291,6 +292,70 @@ src_test() {
 	grub_do emake -j1 check
 }
 
+grub_mkstandalone_secureboot() {
+	use secureboot || return
+
+	if tc-is-cross-compiler; then
+		ewarn "USE=secureboot is not supported when cross-compiling."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local standalone_targets
+
+	case ${CTARGET:-${CHOST}} in
+		i?86* | x86_64*)
+			use grub_platforms_efi-32 && standalone_targets+=( i386-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( x86_64-efi )
+			;;
+		arm* | aarch64*)
+			use grub_platforms_efi-32 && standalone_targets+=( arm-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( arm64-efi )
+			;;
+		riscv*)
+			use grub_platforms_efi-32 && standalone_targets+=( riscv32-efi )
+			use grub_platforms_efi-64 && standalone_targets+=( riscv64-efi )
+			;;
+		ia64*)
+			use grub_platforms_efi-64 && standalone_targets+=( ia64-efi )
+			;;
+		loongarch64*)
+			use grub_platforms_efi-64 && standalone_targets+=( loongarch64-efi )
+			;;
+	esac
+
+	if [[ ${#standalone_targets[@]} -eq 0 ]]; then
+		ewarn "USE=secureboot is enabled, but no suitable EFI target in GRUB_PLATFORMS."
+		ewarn "No standalone EFI executable will be built."
+		return 1
+	fi
+
+	local target mkstandalone_args
+
+	# grub-mkstandalone embeds a config file, make this config file chainload
+	# a config file in the same directory grub is installed in. This requires
+	# pre-loading the part_gpt and part_msdos modules.
+	echo 'configfile ${cmdpath}/grub.cfg' > "${T}/grub.cfg" || die
+	for target in "${standalone_targets[@]}"; do
+		ebegin "Building standalone EFI executable for ${target}"
+		mkstandalone_args=(
+			--verbose
+			--directory="${ED}/usr/lib/grub/${target}"
+			--locale-directory="${ED}/usr/share/locale"
+			--format="${target}"
+			--modules="part_gpt part_msdos"
+			--sbat="${ED}/usr/share/grub/sbat.csv"
+			--output="${ED}/usr/lib/grub/grub-${target%-efi}.efi"
+			"boot/grub/grub.cfg=${T}/grub.cfg"
+		)
+
+		"${ED}/usr/bin/grub-mkstandalone" "${mkstandalone_args[@]}"
+		eend ${?} || die "grub-mkstandalone failed to build EFI executable"
+	done
+
+	secureboot_auto_sign
+}
+
 src_install() {
 	grub_do emake install DESTDIR="${D}" bashcompletiondir="$(get_bashcompdir)"
 	use doc && grub_do_once emake -C docs install-html DESTDIR="${D}"
@@ -311,6 +376,8 @@ src_install() {
 		# https://bugs.gentoo.org/900348
 		QA_CONFIG_IMPL_DECL_SKIP=( re_{compile_pattern,match,search,set_syntax} )
 	fi
+
+	grub_mkstandalone_secureboot
 }
 
 pkg_postinst() {
@@ -331,7 +398,7 @@ pkg_postinst() {
 	else
 		elog
 		optfeature "detecting other operating systems (grub-mkconfig)" sys-boot/os-prober
-		optfeature "creating rescue media (grub-mkrescue)" dev-libs/libisoburn
+		optfeature "creating rescue media (grub-mkrescue)" dev-libs/libisoburn sys-fs/mtools
 		optfeature "enabling RAID device detection" sys-fs/mdadm
 		optfeature "automatically updating GRUB's configuration on each kernel installation" "sys-kernel/installkernel[grub]"
 	fi
@@ -345,4 +412,21 @@ pkg_postinst() {
 		ewarn "Due to security concerns, os-prober is disabled by default."
 		ewarn "Set GRUB_DISABLE_OS_PROBER=false in /etc/default/grub to enable it."
 	fi
+
+	if use secureboot; then
+		elog
+		elog "The signed standalone grub EFI executable(s) are available in:"
+		elog "    /usr/lib/grub/grub-<target>.efi(.signed)"
+		elog "These EFI executables should be copied to the usual location at:"
+		elog "    ESP/EFI/Gentoo/grub<arch>.efi"
+		elog "Note that 'grub-install' does not install these images."
+		elog
+		elog "These standalone grub executables read the grub config file from"
+		elog "the grub.cfg in the same directory instead of the default"
+		elog "/boot/grub/grub.cfg. When sys-kernel/installkernel[grub] is used,"
+		elog "the location of the grub.cfg may be overridden by setting the"
+		elog "GRUB_CFG environment variable:"
+		elog "     GRUB_CFG=ESP/EFI/Gentoo/grub.cfg"
+		elog
+	fi
 }