diff --git a/grub-2.00-no-insmod-on-sb.patch b/grub-2.00-no-insmod-on-sb.patch
new file mode 100644
index 0000000..3949727
--- /dev/null
+++ b/grub-2.00-no-insmod-on-sb.patch
@@ -0,0 +1,84 @@
+commit 032fac327b8db7af06509c730934a5c70bb74122
+Author: Matthew Garrett <mjg@redhat.com>
+Date:   Mon Aug 13 14:46:51 2012 -0400
+
+    Don't permit insmod on secure boot
+
+diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
+index eec575c..3df9dbd 100644
+--- a/grub-core/kern/corecmd.c
++++ b/grub-core/kern/corecmd.c
+@@ -28,6 +28,10 @@
+ #include <grub/command.h>
+ #include <grub/i18n.h>
+ 
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/efi.h>
++#endif
++
+ /* set ENVVAR=VALUE */
+ static grub_err_t
+ grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)),
+@@ -81,6 +85,11 @@ grub_core_cmd_insmod (struct grub_command *cmd __attribute__ ((unused)),
+ {
+   grub_dl_t mod;
+ 
++#ifdef GRUB_MACHINE_EFI
++  if (grub_efi_secure_boot())
++    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("Secure Boot forbids insmod"));
++#endif
++
+   if (argc == 0)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+ 
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 02d2f9a..4bafd16 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -229,6 +229,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+   return NULL;
+ }
+ 
++grub_efi_boolean_t
++grub_efi_secure_boot (void)
++{
++  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++  grub_size_t datasize;
++  char *secure_boot = NULL;
++  char *setup_mode = NULL;
++  grub_efi_boolean_t ret = 0;
++
++  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
++
++  if (datasize != 1 || !secure_boot)
++    goto out;
++
++  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
++
++  if (datasize != 1 || !setup_mode)
++    goto out;
++
++  if (*secure_boot && !*setup_mode)
++    ret = 1;
++
++ out:
++  grub_free (secure_boot);
++  grub_free (setup_mode);
++  return ret;
++}
++
+ #pragma GCC diagnostic ignored "-Wcast-align"
+ 
+ /* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index 1b0e7ae..153ac7a 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -67,6 +67,7 @@ grub_err_t EXPORT_FUNC (grub_efi_set_virtual_address_map) (grub_efi_uintn_t memo
+ void *EXPORT_FUNC (grub_efi_get_variable) (const char *variable,
+ 					   const grub_efi_guid_t *guid,
+ 					   grub_size_t *datasize_out);
++grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
+ int
+ EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
+ 					     const grub_efi_device_path_t *dp2);
diff --git a/grub2.spec b/grub2.spec
index 29b3c76..7877590 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -41,7 +41,7 @@
 Name:           grub2
 Epoch:          1
 Version:        2.00
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Bootloader with support for Linux, Multiboot and more
 
 Group:          System Environment/Base
@@ -64,6 +64,7 @@ Patch20:	grub2-linuxefi.patch
 Patch21:	grub2-cdpath.patch
 Patch22:	grub2-use-linuxefi.patch
 Patch23:	grub-2.00-dont-decrease-mmap-size.patch
+Patch24:	grub-2.00-no-insmod-on-sb.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -81,7 +82,7 @@ BuildRequires:  autoconf automake autogen device-mapper-devel
 BuildRequires:	freetype-devel gettext-devel git
 BuildRequires:	texinfo
 BuildRequires:	dejavu-sans-fonts
-BuildRequires:	pesign >= 0.8-1
+BuildRequires:	pesign >= 0.10-3
 
 Requires:	gettext os-prober which file system-logos
 Requires:	%{name}-tools = %{epoch}:%{version}-%{release}
@@ -174,12 +175,11 @@ CD_MODULES="	all_video boot btrfs cat chain configfile echo efifwsetup \
 		search_fs_file search_label test video"
 ./grub-mkimage -O %{grubefiarch} -o %{grubeficdname}.orig -p /EFI/BOOT \
 		-d grub-core ${CD_MODULES}
-pesign -s -c "Red Hat Test Certificate" -i %{grubeficdname}.orig \
-					-o %{grubeficdname}
+%pesign -s -i %{grubeficdname}.orig -o %{grubeficdname}
 GRUB_MODULES="${CD_MODULES} mdraid09 mdraid1x"
 ./grub-mkimage -O %{grubefiarch} -o %{grubefiname}.orig -p /EFI/%{efidir} \
 		-d grub-core ${GRUB_MODULES}
-pesign -s -c "Red Hat Test Certificate" -i %{grubefiname}.orig -o %{grubefiname}
+%pesign -s -i %{grubefiname}.orig -o %{grubefiname}
 cd ..
 %endif
 
@@ -415,6 +415,10 @@ fi
 %doc grub-%{tarversion}/themes/starfield/COPYING.CC-BY-SA-3.0
 
 %changelog
+* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 2.00-5
+- Move to newer pesign macros
+- Don't allow insmod if we're in secure-boot mode.
+
 * Wed Aug 08 2012 Peter Jones <pjones@redhat.com>
 - Split module lists for UEFI boot vs UEFI cd images.
 - Add raid modules for UEFI image (related: #750794)