Create GRUB for secureboot (only builtin modules allowed) for Kali and Parrot OS on usb stick

grub_efi_secure_boot.sh

# GRUB for secureboot (only builtin modules allowed) for Kali and Parrot OS on usb stick
# main part from kali build scripts: http://git.kali.org/gitweb/?p=packages/live-build.git;a=blob;f=scripts/build/efi-image
# parrot os includes already compiled binaries
# generate keys for secureboot: https://habrahabr.ru/post/273497/

# compiled binary can just replaced builded on efi partition on usb stick
mkdir grub-efi-temp-x86_64-efi
mkdir workdir
mkdir -p workdir/boot/grub

# default builtin config
$ cat >"workdir/boot/grub/grub.cfg" <<EOF
search --file --set=root /.disk/info
set prefix=(\$root)/boot/grub
source \$prefix/x86_64-efi/grub.cfg
EOF

# create memdisk
(cd "workdir"; tar -cf - boot) >"memdisk_img"

# generate default efi binary
#grub-mkimage -O "x86_64-efi" -m "memdisk_img" -o "workdir/bootx64.efi" -p '(memdisk)/boot/grub' search iso9660 configfile normal memdisk tar part_msdos part_gpt fat

# generate efi binary with additional modules
grub-mkimage -O "x86_64-efi" -m "memdisk_img" -o "bootx64.efi.unsigned" --compress=xz -p '(memdisk)/boot/grub' search iso9660 configfile normal memdisk tar part_msdos part_gpt fat linux linuxefi png all_video gfxterm crypto cryptodisk gcry_blowfish gcry_camellia gcry_md5 gcry_rijndael gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_twofish gcry_whirlpool password password_pbkdf2 pbkdf2 bitmap bitmap_scale gettext gfxmenu gfxterm_background gfxterm_menu halt sleep reboot ls tga test
# test - for if in configs
# linux linuxefi - for load os

# sign
sbsign --key ISK.key --cert ISK.pem --output "bootx64.efi" "bootx64.efi.unsigned"