So after some discussion we just had with Colin and Steve, the conclusion is that we'll change grub2 and the installer to always install shim-signed on UEFI machines and have all machines secureboot or not go through the shim at boot time.
That way we won't need to rely on the state of the machine at grub installation time to know which binary to use.
So after some discussion we just had with Colin and Steve, the conclusion is that we'll change grub2 and the installer to always install shim-signed on UEFI machines and have all machines secureboot or not go through the shim at boot time.
That way we won't need to rely on the state of the machine at grub installation time to know which binary to use.