diff --git a/debian/changelog b/debian/changelog
index 4385298fc..b8cb18e2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,10 @@ grub2 (2.00-20) UNRELEASED; urgency=low
   * Merge from Ubuntu:
     - Handle probing striped DM-RAID devices (thanks, Robert Collins;
       LP: #803658).
+    - Unconditionally create grub.cfg on our EFI boot partition in Secure
+      Boot mode; GRUB always needs some configuration in this case to find
+      /boot/grub, since we can't modify the signed image at install time
+      (Steve Langasek, LP: #1236625).
 
  -- Colin Watson <cjwatson@debian.org>  Mon, 07 Oct 2013 09:48:53 +0100
 
diff --git a/debian/patches/install_signed.patch b/debian/patches/install_signed.patch
index 2e5fd1c0f..6642b610a 100644
--- a/debian/patches/install_signed.patch
+++ b/debian/patches/install_signed.patch
@@ -1,8 +1,9 @@
 Description: Install signed images if UEFI Secure Boot is enabled
 Author: Colin Watson <cjwatson@ubuntu.com>
 Author: Stéphane Graber <stgraber@ubuntu.com>
+Author: Steve Langasek <steve.langasek@ubuntu.com>
 Forwarded: no
-Last-Update: 2013-08-12
+Last-Update: 2013-11-12
 
 Index: b/util/grub-install.in
 ===================================================================
@@ -94,7 +95,24 @@ Index: b/util/grub-install.in
  	   # TODO: We should also use efibootmgr, if available, to add a Boot
  	   # entry for ourselves.
  	fi
-@@ -653,7 +654,7 @@
+@@ -634,7 +635,15 @@
+     config_opt_file="${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/load.cfg"
+ fi
+ 
+-if [ "x${devabstraction_module}" = "x" ] ; then
++if [ x"$grub_modinfo_platform" = xefi ]; then
++    if [ $removable = yes ]; then
++	efi_signed="${source_dir}-signed/gcd$efi_suffix.efi.signed"
++    else
++	efi_signed="${source_dir}-signed/grub$efi_suffix.efi.signed"
++    fi
++fi
++
++if [ "x${devabstraction_module}" = "x" ] || ([ x"$grub_modinfo_platform" = xefi ] && [ "$uefi_secure_boot" = yes ] && [ -e "$efi_signed" ]); then
+     if [ x"${install_device}" != x ]; then
+       if echo "${install_device}" | grep -qx "(.*)" ; then
+         install_drive="${install_device}"
+@@ -653,7 +662,7 @@
  	install_drive="$grub_drive"
      fi
  
@@ -103,7 +121,7 @@ Index: b/util/grub-install.in
          # generic method (used on coreboot and ata mod)
  	uuid=
  	if [ x"$force_file_id" != xy ]; then
-@@ -828,10 +829,32 @@
+@@ -828,10 +837,25 @@
      gettext "You will have to set \`SystemPartition' and \`OSLoader' manually." 1>&2
      echo 1>&2
  elif [ x"$grub_modinfo_platform" = xefi ]; then
@@ -111,11 +129,6 @@ Index: b/util/grub-install.in
 -    # For old macs. Suggested by Peter Jones.
 -    if [ x$grub_modinfo_target_cpu = xi386 ]; then
 -	cp "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/core.${imgext}" "${efidir}/boot.efi"
-+    if [ $removable = yes ]; then
-+	efi_signed="${source_dir}-signed/gcd$efi_suffix.efi.signed"
-+    else
-+	efi_signed="${source_dir}-signed/grub$efi_suffix.efi.signed"
-+    fi
 +    if [ "$uefi_secure_boot" = yes ] && [ -e "$efi_signed" ]; then
 +	shim_signed=/usr/lib/shim/shim.efi.signed
 +	if [ -e "$shim_signed" ]; then
@@ -127,10 +140,8 @@ Index: b/util/grub-install.in
 +	else
 +	    cp "$efi_signed" "${efidir}/${efi_file}"
 +	fi
-+	if [ x"$config_opt_file" != x ]; then
-+	    cp "${config_opt_file}" "${efidir}/grub.cfg"
-+	    echo 'configfile $prefix/grub.cfg' >> "${efidir}/grub.cfg"
-+	fi
++	cp "${config_opt_file}" "${efidir}/grub.cfg"
++	echo 'configfile $prefix/grub.cfg' >> "${efidir}/grub.cfg"
 +    else
 +	cp "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/core.${imgext}" "${efidir}/${efi_file}"
 +	# For old macs. Suggested by Peter Jones.
diff --git a/util/grub-install.in b/util/grub-install.in
index f40be3614..91e8c0d15 100644
--- a/util/grub-install.in
+++ b/util/grub-install.in
@@ -638,7 +638,15 @@ if [ "x${debug_image}" != x ]; then
     config_opt_file="${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/load.cfg"
 fi
 
-if [ "x${devabstraction_module}" = "x" ] ; then
+if [ x"$grub_modinfo_platform" = xefi ]; then
+    if [ $removable = yes ]; then
+	efi_signed="${source_dir}-signed/gcd$efi_suffix.efi.signed"
+    else
+	efi_signed="${source_dir}-signed/grub$efi_suffix.efi.signed"
+    fi
+fi
+
+if [ "x${devabstraction_module}" = "x" ] || ([ x"$grub_modinfo_platform" = xefi ] && [ "$uefi_secure_boot" = yes ] && [ -e "$efi_signed" ]); then
     if [ x"${install_device}" != x ]; then
       if echo "${install_device}" | grep -qx "(.*)" ; then
         install_drive="${install_device}"
@@ -832,11 +840,6 @@ elif [ x"${grub_modinfo_target_cpu}-${grub_modinfo_platform}" = xmips-arc ]; the
     gettext "You will have to set \`SystemPartition' and \`OSLoader' manually." 1>&2
     echo 1>&2
 elif [ x"$grub_modinfo_platform" = xefi ]; then
-    if [ $removable = yes ]; then
-	efi_signed="${source_dir}-signed/gcd$efi_suffix.efi.signed"
-    else
-	efi_signed="${source_dir}-signed/grub$efi_suffix.efi.signed"
-    fi
     if [ "$uefi_secure_boot" = yes ] && [ -e "$efi_signed" ]; then
 	shim_signed=/usr/lib/shim/shim.efi.signed
 	if [ -e "$shim_signed" ]; then
@@ -848,10 +851,8 @@ elif [ x"$grub_modinfo_platform" = xefi ]; then
 	else
 	    cp "$efi_signed" "${efidir}/${efi_file}"
 	fi
-	if [ x"$config_opt_file" != x ]; then
-	    cp "${config_opt_file}" "${efidir}/grub.cfg"
-	    echo 'configfile $prefix/grub.cfg' >> "${efidir}/grub.cfg"
-	fi
+	cp "${config_opt_file}" "${efidir}/grub.cfg"
+	echo 'configfile $prefix/grub.cfg' >> "${efidir}/grub.cfg"
     else
 	cp "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/core.${imgext}" "${efidir}/${efi_file}"
 	# For old macs. Suggested by Peter Jones.