diff --git a/playbooks/ci/run.yaml b/playbooks/ci/run.yaml
index 4cbe08664..327e2c1fa 100644
--- a/playbooks/ci/run.yaml
+++ b/playbooks/ci/run.yaml
@@ -17,6 +17,7 @@
         USE_DHCP: "{{ use_dhcp | default(false) | bool | lower }}"
         ZUUL_BRANCH: "{{ zuul.branch }}"
         BOOT_MODE: "{{ boot_mode | default('') }}"
+        ENABLE_GRUB_NETWORK_BOOT: "{{ enable_grub_network_boot | default(false) | bool | lower }}"
         TEST_VM_NODE_DRIVER: "{{ test_driver | default('ipmi') }}"
         NOAUTH_MODE: "{{ noauth_mode | default(false) | bool | lower }}"
         ENABLE_TLS: "{{ enable_tls | default(false) | bool | lower }}"
diff --git a/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2
index fe336cb99..0eb908525 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/dnsmasq.conf.j2
@@ -88,6 +88,9 @@ dhcp-option=42,{{dnsmasq_ntp_servers}}
 {% endif %}
 
 dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
+dhcp-match=set:efi,option:client-arch,7
+dhcp-match=set:efi,option:client-arch,9
+dhcp-match=set:efi,option:client-arch,11
 
 dhcp-optsdir={{ dnsmasq_dhcp_optsdir }}
 {% if dhcp_provider == 'none' %}
@@ -97,10 +100,10 @@ dhcp-optsdir={{ dnsmasq_dhcp_optsdir }}
 dhcp-userclass=set:gpxe,"gPXE"
 dhcp-boot=tag:gpxe,/ipxe.pxe
 
-{% if 'ipxe' in enabled_boot_interfaces.split(',') %}
-dhcp-match=set:efi,option:client-arch,7
-dhcp-match=set:efi,option:client-arch,9
-dhcp-match=set:efi,option:client-arch,11
+{% if default_boot_interface is defined and default_boot_interface == 'pxe' %}
+# Client is PXE booting over EFI, boot with the grub shim
+dhcp-boot=tag:efi,/bootx64.efi
+{% elif 'ipxe' in enabled_boot_interfaces.split(',') %}
 # Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader
 dhcp-boot=tag:efi,tag:!ipxe,/{{ ipxe_efi_binary }}
 {% endif %}
diff --git a/releasenotes/notes/grub-network-boot-a27beef089e041ef.yaml b/releasenotes/notes/grub-network-boot-a27beef089e041ef.yaml
new file mode 100644
index 000000000..69d88b1e7
--- /dev/null
+++ b/releasenotes/notes/grub-network-boot-a27beef089e041ef.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    It is now possible to do a PXE network boot with grub as an alternative to
+    iPXE. Grub is loaded via the signed shim, so it may allow end-to-end
+    automated deployments with secure-boot enabled.
+
+    To use grub network boot, deploy bifrost with variable
+    ``default_boot_interface`` set to ``pxe`` and use the ``pxe`` boot interface
+    when deploying nodes.
\ No newline at end of file
diff --git a/scripts/test-bifrost.sh b/scripts/test-bifrost.sh
index cea320657..32e089104 100755
--- a/scripts/test-bifrost.sh
+++ b/scripts/test-bifrost.sh
@@ -12,6 +12,7 @@ ENABLE_KEYSTONE="${ENABLE_KEYSTONE:-false}"
 ZUUL_BRANCH=${ZUUL_BRANCH:-}
 CLI_TEST=${CLI_TEST:-false}
 BOOT_MODE=${BOOT_MODE:-}
+ENABLE_GRUB_NETWORK_BOOT=${ENABLE_GRUB_NETWORK_BOOT:-false}
 ENABLE_TLS=${ENABLE_TLS:-false}
 ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false}
 USE_VMEDIA=${USE_VMEDIA:-false}
@@ -45,6 +46,7 @@ PROVISION_WAIT_TIMEOUT=${PROVISION_WAIT_TIMEOUT:-900}
 NOAUTH_MODE=${NOAUTH_MODE:-false}
 CLOUD_CONFIG=""
 WAIT_FOR_DEPLOY=true
+TEST_VM_NODE_DRIVER=${TEST_VM_NODE_DRIVER:-}
 
 # Get OS information
 source /etc/os-release || source /usr/lib/os-release
@@ -119,8 +121,13 @@ fi
 if [ ${USE_VMEDIA} = "true" ]; then
     TEST_VM_NODE_DRIVER=redfish
     CLOUD_CONFIG+=" -e default_boot_interface=redfish-virtual-media"
-    # The default won't work for other hardware types
-    CLOUD_CONFIG+=" -e enabled_hardware_types=redfish"
+elif [ ${ENABLE_GRUB_NETWORK_BOOT} = "true" ]; then
+    CLOUD_CONFIG+=" -e default_boot_interface=pxe"
+fi
+
+if [[ -n "$TEST_VM_NODE_DRIVER" ]]; then
+    VM_SETUP_EXTRA+=" --driver $TEST_VM_NODE_DRIVER"
+    CLOUD_CONFIG+=" -e enabled_hardware_types=$TEST_VM_NODE_DRIVER"
 fi
 
 on_exit() {
@@ -150,7 +157,6 @@ done
     --memory ${VM_MEMORY_SIZE:-1024} \
     --disk ${VM_DISK:-5} \
     --inventory "${BAREMETAL_DATA_FILE}" \
-    --driver ${TEST_VM_NODE_DRIVER:-ipmi} \
     --extra-vars git_url_root="${WORKSPACE:-https://opendev.org}" \
     ${VM_SETUP_EXTRA:-} \
     ${BIFROST_CLI_EXTRA:-}
diff --git a/zuul.d/bifrost-jobs.yaml b/zuul.d/bifrost-jobs.yaml
index 619fc6f5c..e82ba72a8 100644
--- a/zuul.d/bifrost-jobs.yaml
+++ b/zuul.d/bifrost-jobs.yaml
@@ -175,6 +175,7 @@
     name: bifrost-integration-redfish-uefi-fedora-latest
     parent: bifrost-integration-tinyipa-fedora-latest
     vars:
+      enable_grub_network_boot: true
       test_driver: redfish
 
 - job: