diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
--- grub2-2.04/debian/changelog	2021-02-12 20:29:16.000000000 +0000
+++ grub2-2.04/debian/changelog	2021-02-18 00:50:30.000000000 +0000
@@ -1,3 +1,12 @@
+grub2 (2.04-1ubuntu41) hirsute; urgency=medium
+
+  * In grub-efi-*-{bin,dbg} packages ship modules & kernel.img in the
+    -unsigned platform directory, and instead depend on
+    grub-efi-*-signed-{bin,dbg} packages that will provide both modules
+    and images. LP: #1915536
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 18 Feb 2021 00:50:30 +0000
+
 grub2 (2.04-1ubuntu40) hirsute; urgency=medium
 
   * Revert: rhboot-f34-tcp-add-window-scaling-support.patch,
diff -Nru grub2-2.04/debian/control grub2-2.04/debian/control
--- grub2-2.04/debian/control	2021-02-12 20:29:16.000000000 +0000
+++ grub2-2.04/debian/control	2021-02-18 00:50:30.000000000 +0000
@@ -313,7 +313,7 @@
 
 Package: grub-efi-amd64-bin
 Architecture: i386 kopensolaris-i386 any-amd64
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
+Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version}), grub-efi-amd64-signed-bin
 Recommends: grub-efi-amd64-signed, efibootmgr [linux-any]
 Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
 Multi-Arch: foreign
@@ -338,7 +338,7 @@
 Package: grub-efi-amd64-dbg
 Section: debug
 Architecture: i386 kopensolaris-i386 any-amd64
-Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${binary:Version}), grub-common (= ${binary:Version})
+Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${binary:Version}), grub-common (= ${binary:Version}), grub-efi-amd64-signed-dbg
 Multi-Arch: foreign
 Description: GRand Unified Bootloader, version 2 (EFI-AMD64 debug files)
  This package contains debugging files for grub-efi-amd64-bin.  You only
@@ -474,7 +474,7 @@
 
 Package: grub-efi-arm64-bin
 Architecture: any-arm64
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
+Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version}), grub-efi-arm64-signed-bin
 Recommends: grub-efi-arm64-signed, efibootmgr [linux-any]
 Multi-Arch: foreign
 XB-Efi-Vendor: ${efi:Vendor}
@@ -497,7 +497,7 @@
 Package: grub-efi-arm64-dbg
 Section: debug
 Architecture: any-arm64
-Depends: ${misc:Depends}, grub-efi-arm64-bin (= ${binary:Version}), grub-common (= ${binary:Version})
+Depends: ${misc:Depends}, grub-efi-arm64-bin (= ${binary:Version}), grub-common (= ${binary:Version}), grub-efi-arm64-signed-dbg
 Multi-Arch: foreign
 Description: GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
  This package contains debugging files for grub-efi-arm64-bin.  You only
diff -Nru grub2-2.04/debian/rules grub2-2.04/debian/rules
--- grub2-2.04/debian/rules	2021-02-12 20:29:16.000000000 +0000
+++ grub2-2.04/debian/rules	2021-02-18 00:50:30.000000000 +0000
@@ -120,14 +120,22 @@
 debian/stamps/build-grub-efi-arm64 install/grub-efi-arm64: export SB_PLATFORM := arm64-efi
 debian/stamps/build-grub-efi-arm64 install/grub-efi-arm64: export SB_EFI_NAME := aa64
 SB_PACKAGE :=
+SB_SUBMIT := 
 ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
 ifeq ($(DEB_HOST_ARCH),amd64)
 SB_PACKAGE := grub-efi-amd64
+override_dh_install override_dh_builddeb: SB_PLATFORM := x86_64-efi
 endif
 ifeq ($(DEB_HOST_ARCH),arm64)
 SB_PACKAGE := grub-efi-arm64
+override_dh_install override_dh_builddeb: SB_PLATFORM := arm64-efi
 endif
 endif
+# Submit raw-uefi tarball for signing
+ifneq (,$(SB_PACKAGE))
+SB_SUBMIT := yes
+endif
+
 
 # Downstream distributions that want to support SB and build images, but do not
 # rebuild grub, need a programmatic way to get the vendor, as it's used by build-efi-images
@@ -546,6 +554,11 @@
 	patch debian/grub-pc/usr/lib/grub-legacy/update-grub \
 		< debian/legacy/update-grub.ubuntu.patch
 endif
+ifneq (,$(SB_PACKAGE))
+	mv debian/$(SB_PACKAGE)-bin/usr/lib/grub/$(SB_PLATFORM) debian/$(SB_PACKAGE)-bin/usr/lib/grub/$(SB_PLATFORM)-unsigned
+	mv debian/$(SB_PACKAGE)-dbg/usr/lib/grub/$(SB_PLATFORM) debian/$(SB_PACKAGE)-dbg/usr/lib/grub/$(SB_PLATFORM)-unsigned
+	sed -i 's/$(SB_PLATFORM)/$(SB_PLATFORM)-unsigned/g' debian/$(SB_PACKAGE)-bin/usr/share/lintian/overrides/$(SB_PACKAGE)-bin
+endif
 endif
 
 override_dh_installdocs:
@@ -589,11 +602,23 @@
 	if [ -d obj/monolithic/$(SB_PACKAGE)/$(deb_version) ]; then \
 		rm -rf obj/monolithic/$(SB_PACKAGE)/$(deb_version); \
 	fi
-	mkdir -v obj/monolithic/$(SB_PACKAGE)/$(deb_version)
-	ln -v obj/monolithic/$(SB_PACKAGE)/* obj/monolithic/$(SB_PACKAGE)/$(deb_version) || :
+	mkdir -vp obj/monolithic/$(SB_PACKAGE)/$(deb_version)/control
+	echo 'tarball' > obj/monolithic/$(SB_PACKAGE)/$(deb_version)/control/options
+	mkdir -p obj/monolithic/$(SB_PACKAGE)/$(deb_version)/$(SB_PLATFORM)/ obj/monolithic/$(SB_PACKAGE)/$(deb_version)/$(SB_PLATFORM)-signed
+	# move version
+	cp obj/monolithic/$(SB_PACKAGE)/version obj/monolithic/$(SB_PACKAGE)/$(deb_version)/$(SB_PLATFORM)-signed
+	# copy in modules
+	cp -r debian/$(SB_PACKAGE)-bin/usr/lib/grub/$(SB_PLATFORM)-unsigned/* obj/monolithic/$(SB_PACKAGE)/$(deb_version)/$(SB_PLATFORM)/
+	# copy in dbg modules
+	cp -r debian/$(SB_PACKAGE)-dbg/usr/lib/grub/$(SB_PLATFORM)-unsigned/* obj/monolithic/$(SB_PACKAGE)/$(deb_version)/$(SB_PLATFORM)/
+	# move .efi apps where they are expected as signed
+	mv obj/monolithic/$(SB_PACKAGE)/$(deb_version)/$(SB_PLATFORM)/monolithic/* obj/monolithic/$(SB_PACKAGE)/$(deb_version)/$(SB_PLATFORM)-signed
+	# this way signed tarball more-or-less will look like how everything needs to be in /usr/lib/grub/
 endif
 	tar -c -f ../$(TARNAME) -a -C obj/monolithic/$(SB_PACKAGE) -v $(deb_version)
-	dpkg-distaddfile $(TARNAME) raw-uefi -
+ifneq (,$(SB_SUBMIT))
+	dpkg-distaddfile $(TARNAME) raw-signing -
+endif
 endif
 
 override_dh_auto_clean: