50 changed files with 24 additions and 3067 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,9 +1,3 @@
 SOURCES/grub-2.02.tar.xz
 SOURCES/redhatsecureboot301.cer
 SOURCES/redhatsecureboot502.cer
 SOURCES/redhatsecureboot601.cer
 SOURCES/redhatsecureboot701.cer
 SOURCES/redhatsecurebootca3.cer
 SOURCES/redhatsecurebootca5.cer
 SOURCES/theme.tar.bz2
 SOURCES/unifont-5.1.20080820.pcf.gz
--- a/.grub2.metadata
+++ b/.grub2.metadata
@ -1,9 +1,3 @@
 3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
 4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
 3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer
 039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer
 e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer
 cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
 e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
 cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
 87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz
--- a/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch
+++ b/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch
@ -1,47 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 29 Jul 2022 15:56:00 -0400
 Subject: [PATCH] Make debug=file show which file filters get run.
 If one of the file filters breaks things, it's hard to figure out where
 it has happened.
 This makes grub log which filter is being run, which makes it easier to
 figure out where you are in the sequence of events.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 (cherry picked from commit d3d6518a13b5440a3be6c66b0ae47447182f2891)
 (cherry picked from commit d197e70761b1383827e9008e21ee41c6c7015776)
 ---
 grub-core/kern/file.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
 index f062fc21e7..5e1f29d0dd 100644
 --- a/grub-core/kern/file.c
 +++ b/grub-core/kern/file.c
@@ -30,6 +30,14 @@ void (*EXPORT_VAR (grub_grubnet_fini)) (void);
 grub_file_filter_t grub_file_filters[GRUB_FILE_FILTER_MAX];
 +static char *filter_names[] = {
 +    [GRUB_FILE_FILTER_VERIFY] = "GRUB_FILE_FILTER_VERIFY",
 +    [GRUB_FILE_FILTER_GZIO] = "GRUB_FILE_FILTER_GZIO",
 +    [GRUB_FILE_FILTER_XZIO] = "GRUB_FILE_FILTER_XZIO",
 +    [GRUB_FILE_FILTER_LZOPIO] = "GRUB_FILE_FILTER_LZOPIO",
 +    [GRUB_FILE_FILTER_MAX] = "GRUB_FILE_FILTER_MAX"
 +};
 +
 /* Get the device part of the filename NAME. It is enclosed by parentheses.  */
 char *
 grub_file_get_device_name (const char *name)
@@ -121,6 +129,9 @@ grub_file_open (const char *name, enum grub_file_type type)
     if (grub_file_filters[filter])
       {
 	last_file = file;
 +	if (filter < GRUB_FILE_FILTER_MAX)
 +	  grub_dprintf ("file", "Running %s file filter\n",
 +			filter_names[filter]);
 	file = grub_file_filters[filter] (file, type);
 	if (file && file != last_file)
 	  {
--- a/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch
+++ b/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch
@ -1,83 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 1 Aug 2022 14:06:30 -0400
 Subject: [PATCH] efi: use enumerated array positions for our allocation
 choices
 In our kernel allocator on EFI systems, we currently have a growing
 amount of code that references the various allocation policies by
 position in the array, and of course maintenance of this code scales
 very poorly.
 This patch changes them to be enumerated, so they're easier to refer to
 farther along in the code without confusion.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 (cherry picked from commit 6768026270cca015d7fef0ecc8a4119e9b3d3923)
 (cherry picked from commit 50b2ca3274b6950393a4ffc7edde04a1a3de594e)
 ---
 grub-core/loader/i386/efi/linux.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)
 diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
 index d80d6ec312..23b27f6507 100644
 --- a/grub-core/loader/i386/efi/linux.c
 +++ b/grub-core/loader/i386/efi/linux.c
@@ -60,17 +60,26 @@ struct allocation_choice {
     grub_efi_allocate_type_t alloc_type;
 };
 -static struct allocation_choice max_addresses[4] =
 +enum {
 +    KERNEL_PREF_ADDRESS,
 +    KERNEL_4G_LIMIT,
 +    KERNEL_NO_LIMIT,
 +};
 +
 +static struct allocation_choice max_addresses[] =
   {
     /* the kernel overrides this one with pref_address and
      * GRUB_EFI_ALLOCATE_ADDRESS */
 -    { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 +    [KERNEL_PREF_ADDRESS] =
 +      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 +    /* If the flag in params is set, this one gets changed to be above 4GB. */
 +    [KERNEL_4G_LIMIT] =
 +      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
     /* this one is always below 4GB, which we still *prefer* even if the flag
      * is set. */
 -    { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 -    /* If the flag in params is set, this one gets changed to be above 4GB. */
 -    { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 -    { 0, 0 }
 +    [KERNEL_NO_LIMIT] =
 +      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 +    { NO_MEM, 0, 0 }
   };
 static struct allocation_choice saved_addresses[4];
@@ -423,7 +432,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   if (lh->xloadflags & LINUX_XLF_CAN_BE_LOADED_ABOVE_4G)
     {
       grub_dprintf ("linux", "Loading kernel above 4GB is supported; enabling.\n");
 -      max_addresses[2].addr = GRUB_EFI_MAX_USABLE_ADDRESS;
 +      max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_USABLE_ADDRESS;
     }
   else
     {
@@ -495,11 +504,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   grub_dprintf ("linux", "lh->pref_address: %p\n", (void *)(grub_addr_t)lh->pref_address);
   if (lh->pref_address < (grub_uint64_t)GRUB_EFI_MAX_ALLOCATION_ADDRESS)
     {
 -      max_addresses[0].addr = lh->pref_address;
 -      max_addresses[0].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
 +      max_addresses[KERNEL_PREF_ADDRESS].addr = lh->pref_address;
 +      max_addresses[KERNEL_PREF_ADDRESS].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
     }
 -  max_addresses[1].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
 -  max_addresses[2].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
 +  max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
 +  max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
   kernel_size = lh->init_size;
   kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE,
 			     N_("can't allocate kernel"));
--- a/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch
+++ b/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch
@ -1,129 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 1 Aug 2022 14:24:39 -0400
 Subject: [PATCH] efi: split allocation policy for kernel vs initrd memories.
 Currently in our kernel allocator, we use the same set of choices for
 all of our various kernel and initramfs allocations, though they do not
 have exactly the same constraints.
 This patch adds the concept of an allocation purpose, which currently
 can be KERNEL_MEM or INITRD_MEM, and updates kernel_alloc() calls
 appropriately, but does not change any current policy decision.  It
 also adds a few debug prints.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 (cherry picked from commit 36307bed28cd838116fc4af26a30719660d62d4c)
 (cherry picked from commit dc1196350b0cbe89582832f44df0fce67e0c9fb2)
 ---
 grub-core/loader/i386/efi/linux.c | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)
 diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
 index 23b27f6507..09e7596064 100644
 --- a/grub-core/loader/i386/efi/linux.c
 +++ b/grub-core/loader/i386/efi/linux.c
@@ -55,7 +55,14 @@ struct grub_linuxefi_context {
 #define BYTES_TO_PAGES(bytes)   (((bytes) + 0xfff) >> 12)
 +typedef enum {
 +    NO_MEM,
 +    KERNEL_MEM,
 +    INITRD_MEM,
 +} kernel_alloc_purpose_t;
 +
 struct allocation_choice {
 +    kernel_alloc_purpose_t purpose;
     grub_efi_physical_address_t addr;
     grub_efi_allocate_type_t alloc_type;
 };
@@ -64,6 +71,7 @@ enum {
     KERNEL_PREF_ADDRESS,
     KERNEL_4G_LIMIT,
     KERNEL_NO_LIMIT,
 +    INITRD_MAX_ADDRESS,
 };
 static struct allocation_choice max_addresses[] =
@@ -71,14 +79,17 @@ static struct allocation_choice max_addresses[] =
     /* the kernel overrides this one with pref_address and
      * GRUB_EFI_ALLOCATE_ADDRESS */
     [KERNEL_PREF_ADDRESS] =
 -      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 +      { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
     /* If the flag in params is set, this one gets changed to be above 4GB. */
     [KERNEL_4G_LIMIT] =
 -      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 +      { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
     /* this one is always below 4GB, which we still *prefer* even if the flag
      * is set. */
     [KERNEL_NO_LIMIT] =
 -      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 +      { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
 +    /* this is for the initrd */
 +    [INITRD_MAX_ADDRESS] =
 +      { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
     { NO_MEM, 0, 0 }
   };
 static struct allocation_choice saved_addresses[4];
@@ -95,7 +106,8 @@ kernel_free(void *addr, grub_efi_uintn_t size)
 }
 static void *
 -kernel_alloc(grub_efi_uintn_t size,
 +kernel_alloc(kernel_alloc_purpose_t purpose,
 +	     grub_efi_uintn_t size,
 	     grub_efi_memory_type_t memtype,
 	     const char * const errmsg)
 {
@@ -108,6 +120,9 @@ kernel_alloc(grub_efi_uintn_t size,
       grub_uint64_t max = max_addresses[i].addr;
       grub_efi_uintn_t pages;
 +      if (purpose != max_addresses[i].purpose)
 +	continue;
 +
       /*
        * When we're *not* loading the kernel, or >4GB allocations aren't
        * supported, these entries are basically all the same, so don't re-try
@@ -262,7 +277,8 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[])
 	}
     }
 -  initrd_mem = kernel_alloc(size, GRUB_EFI_RUNTIME_SERVICES_DATA,
 +  grub_dprintf ("linux", "Trying to allocate initrd mem\n");
 +  initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA,
 			    N_("can't allocate initrd"));
   if (initrd_mem == NULL)
     goto fail;
@@ -440,7 +456,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
     }
 #endif
 -  params = kernel_alloc (sizeof(*params), GRUB_EFI_RUNTIME_SERVICES_DATA,
 +  params = kernel_alloc (KERNEL_MEM, sizeof(*params),
 +			 GRUB_EFI_RUNTIME_SERVICES_DATA,
 			 "cannot allocate kernel parameters");
   if (!params)
     goto fail;
@@ -462,7 +479,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   grub_dprintf ("linux", "new lh is at %p\n", lh);
   grub_dprintf ("linux", "setting up cmdline\n");
 -  cmdline = kernel_alloc (lh->cmdline_size + 1,
 +  cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1,
 			  GRUB_EFI_RUNTIME_SERVICES_DATA,
 			  N_("can't allocate cmdline"));
   if (!cmdline)
@@ -510,7 +527,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
   max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
   kernel_size = lh->init_size;
 -  kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE,
 +  grub_dprintf ("linux", "Trying to allocate kernel mem\n");
 +  kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size,
 +			     GRUB_EFI_RUNTIME_SERVICES_CODE,
 			     N_("can't allocate kernel"));
   restore_addresses();
   if (!kernel_mem)
--- a/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch
+++ b/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch
@ -1,63 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 1 Aug 2022 13:04:43 -0400
 Subject: [PATCH] efi: use EFI_LOADER_(CODE|DATA) for kernel and initrd
 allocations
 At some point due to an erroneous kernel warning, we switched kernel and
 initramfs to being loaded in EFI_RUNTIME_SERVICES_CODE and
 EFI_RUNTIME_SERVICES_DATA memory pools.  This doesn't appear to be
 correct according to the spec, and that kernel warning has gone away.
 This patch puts them back in EFI_LOADER_CODE and EFI_LOADER_DATA
 allocations, respectively.
 Resolves: rhbz#2108456
 Signed-off-by: Peter Jones <pjones@redhat.com>
 (cherry picked from commit 35b5d5fa47bc394c76022e6595b173e68f53225e)
 (cherry picked from commit 66e1c922b40957fca488435e06a2f875a219844b)
 ---
 grub-core/loader/i386/efi/linux.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
 index 09e7596064..4d39023792 100644
 --- a/grub-core/loader/i386/efi/linux.c
 +++ b/grub-core/loader/i386/efi/linux.c
@@ -278,7 +278,7 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[])
     }
   grub_dprintf ("linux", "Trying to allocate initrd mem\n");
 -  initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA,
 +  initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_LOADER_DATA,
 			    N_("can't allocate initrd"));
   if (initrd_mem == NULL)
     goto fail;
@@ -457,7 +457,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 #endif
   params = kernel_alloc (KERNEL_MEM, sizeof(*params),
 -			 GRUB_EFI_RUNTIME_SERVICES_DATA,
 +			 GRUB_EFI_LOADER_DATA,
 			 "cannot allocate kernel parameters");
   if (!params)
     goto fail;
@@ -480,7 +480,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   grub_dprintf ("linux", "setting up cmdline\n");
   cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1,
 -			  GRUB_EFI_RUNTIME_SERVICES_DATA,
 +			  GRUB_EFI_LOADER_DATA,
 			  N_("can't allocate cmdline"));
   if (!cmdline)
     goto fail;
@@ -529,7 +529,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   kernel_size = lh->init_size;
   grub_dprintf ("linux", "Trying to allocate kernel mem\n");
   kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size,
 -			     GRUB_EFI_RUNTIME_SERVICES_CODE,
 +			     GRUB_EFI_LOADER_CODE,
 			     N_("can't allocate kernel"));
   restore_addresses();
   if (!kernel_mem)
--- a/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch
+++ b/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch
@ -1,72 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Diego Domingos <diegodo@linux.vnet.ibm.com>
 Date: Thu, 25 Aug 2022 11:37:56 -0400
 Subject: [PATCH] ieee1275: implement vec5 for cas negotiation
 As a legacy support, if the vector 5 is not implemented, Power
 Hypervisor will consider the max CPUs as 64 instead 256 currently
 supported during client-architecture-support negotiation.
 This patch implements the vector 5 and set the MAX CPUs to 256 while
 setting the others values to 0 (default).
 Signed-off-by: Diego Domingos <diegodo@linux.vnet.ibm.com>
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 (cherry picked from commit f735c65b6da8a9d4251242b37774e1a517511253)
 (cherry picked from commit 1639f43b2db4ac405ac2a92e50ed4cff351c3baa)
 ---
 grub-core/kern/ieee1275/init.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
 diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
 index 1414695cc6..37f3098c39 100644
 --- a/grub-core/kern/ieee1275/init.c
 +++ b/grub-core/kern/ieee1275/init.c
@@ -307,6 +307,18 @@ struct option_vector2 {
   grub_uint8_t max_pft_size;
 } __attribute__((packed));
 +struct option_vector5 {
 +        grub_uint8_t byte1;
 +        grub_uint8_t byte2;
 +        grub_uint8_t byte3;
 +        grub_uint8_t cmo;
 +        grub_uint8_t associativity;
 +        grub_uint8_t bin_opts;
 +        grub_uint8_t micro_checkpoint;
 +        grub_uint8_t reserved0;
 +        grub_uint32_t max_cpus;
 +} __attribute__((packed));
 +
 struct pvr_entry {
   grub_uint32_t mask;
   grub_uint32_t entry;
@@ -325,6 +337,8 @@ struct cas_vector {
   grub_uint16_t vec3;
   grub_uint8_t vec4_size;
   grub_uint16_t vec4;
 +  grub_uint8_t vec5_size;
 +  struct option_vector5 vec5;
 } __attribute__((packed));
 /* Call ibm,client-architecture-support to try to get more RMA.
@@ -345,7 +359,7 @@ grub_ieee1275_ibm_cas (void)
   } args;
   struct cas_vector vector = {
     .pvr_list = { { 0x00000000, 0xffffffff } }, /* any processor */
 -    .num_vecs = 4 - 1,
 +    .num_vecs = 5 - 1,
     .vec1_size = 0,
     .vec1 = 0x80, /* ignore */
     .vec2_size = 1 + sizeof(struct option_vector2) - 2,
@@ -356,6 +370,10 @@ grub_ieee1275_ibm_cas (void)
     .vec3 = 0x00e0, // ask for FP + VMX + DFP but don't halt if unsatisfied
     .vec4_size = 2 - 1,
     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
 +    .vec5_size = 1 + sizeof(struct option_vector5) - 2,
 +    .vec5 = {
 +	0, 0, 0, 0, 0, 0, 0, 0, 256
 +    }
   };
   INIT_IEEE1275_COMMON (&args.common, "call-method", 3, 2);
--- a/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch
+++ b/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch
@ -1,38 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 11 Oct 2022 17:00:50 -0400
 Subject: [PATCH] x86-efi: Fix an incorrect array size in kernel allocation
 In 81a6ebf62bbe166ddc968463df2e8bd481bf697c ("efi: split allocation
 policy for kernel vs initrd memories."), I introduced a split in the
 kernel allocator to allow for different dynamic policies for the kernel
 and the initrd allocations.
 Unfortunately, that change increased the size of the policy data used to
 make decisions, but did not change the size of the temporary storage we
 use to back it up and restore.  This results in some of .data getting
 clobbered at runtime, and hilarity ensues.
 This patch makes the size of the backup storage be based on the size of
 the initial policy data.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 (cherry picked from commit 37747b22342499a798ca3a8895770cd93b6e1258)
 (cherry picked from commit 72713ce761720235c86bbda412480c97b2892e00)
 ---
 grub-core/loader/i386/efi/linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
 index 4d39023792..3d55f8b8d2 100644
 --- a/grub-core/loader/i386/efi/linux.c
 +++ b/grub-core/loader/i386/efi/linux.c
@@ -92,7 +92,7 @@ static struct allocation_choice max_addresses[] =
       { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
     { NO_MEM, 0, 0 }
   };
 -static struct allocation_choice saved_addresses[4];
 +static struct allocation_choice saved_addresses[sizeof(max_addresses) / sizeof(max_addresses[0])];
 #define save_addresses() grub_memcpy(saved_addresses, max_addresses, sizeof(max_addresses))
 #define restore_addresses() grub_memcpy(max_addresses, saved_addresses, sizeof(max_addresses))
--- a/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch
+++ b/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch
@ -1,25 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 18 Oct 2022 14:15:28 -0400
 Subject: [PATCH] switch-to-blscfg: don't assume newline at end of cfg
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 util/grub-switch-to-blscfg.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
 index eeea130770..5a97954c39 100644
 --- a/util/grub-switch-to-blscfg.in
 +++ b/util/grub-switch-to-blscfg.in
@@ -277,7 +277,9 @@ if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
     fi
     GENERATE=1
 elif ! grep -q '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" ; then
 -    if ! echo 'GRUB_ENABLE_BLSCFG=true' >> "${etcdefaultgrub}" ; then
 +    # prepend in case admins have been bad at newlines
 +    sed -i '1iGRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}"
 +    if ! grep -q '^GRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}" ; then
         gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
         exit 1
     fi
--- a/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
+++ b/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
@ -1,33 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Wed, 3 Aug 2022 19:45:33 +0800
 Subject: [PATCH] font: Reject glyphs exceeds font->max_glyph_width or
 font->max_glyph_height
 Check glyph's width and height against limits specified in font's
 metadata. Reject the glyph (and font) if such limits are exceeded.
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit 5760fcfd466cc757540ea0d591bad6a08caeaa16)
 (cherry picked from commit 3b410ef4bb95e607cadeba2193fa90ae9bddb98d)
 (cherry picked from commit 8ebe587def61af7893ebcae87d45c883f3cfb713)
 ---
 grub-core/font/font.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index b67507fcc8..8d1a990401 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
 	  || read_be_uint16 (font->file, &height) != 0
 	  || read_be_int16 (font->file, &xoff) != 0
 	  || read_be_int16 (font->file, &yoff) != 0
 -	  || read_be_int16 (font->file, &dwidth) != 0)
 +	  || read_be_int16 (font->file, &dwidth) != 0
 +	  || width > font->max_char_width
 +	  || height > font->max_char_height)
 	{
 	  remove_font (font);
 	  return 0;
--- a/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
+++ b/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@ -1,112 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Fri, 5 Aug 2022 00:51:20 +0800
 Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
 The length of memory allocation and file read may overflow. This patch
 fixes the problem by using safemath macros.
 There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
 if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
 It is safe replacement for such code. It has safemath-like prototype.
 This patch also introduces grub_cast(value, pointer), it casts value to
 typeof(*pointer) then store the value to *pointer. It returns true when
 overflow occurs or false if there is no overflow. The semantics of arguments
 and return value are designed to be consistent with other safemath macros.
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985)
 (cherry picked from commit 6bca9693878bdf61dd62b8c784862a48e75f569a)
 (cherry picked from commit edbbda5486cf8c3dc2b68fbd3dead822ab448022)
 ---
 grub-core/font/font.c   | 17 +++++++++++++----
 include/grub/bitmap.h   | 18 ++++++++++++++++++
 include/grub/safemath.h |  2 ++
 3 files changed, 33 insertions(+), 4 deletions(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index 8d1a990401..d6df79602d 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
       grub_int16_t xoff;
       grub_int16_t yoff;
       grub_int16_t dwidth;
 -      int len;
 +      grub_ssize_t len;
 +      grub_size_t sz;
       if (index_entry->glyph)
 	/* Return cached glyph.  */
@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
 	  return 0;
 	}
 -      len = (width * height + 7) / 8;
 -      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
 -      if (!glyph)
 +      /* Calculate real struct size of current glyph. */
 +      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
 +	  grub_add (sizeof (struct grub_font_glyph), len, &sz))
 +	{
 +	  remove_font (font);
 +	  return 0;
 +	}
 +
 +      /* Allocate and initialize the glyph struct. */
 +      glyph = grub_malloc (sz);
 +      if (glyph == NULL)
 	{
 	  remove_font (font);
 	  return 0;
 diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
 index 5728f8ca3a..0d9603f619 100644
 --- a/include/grub/bitmap.h
 +++ b/include/grub/bitmap.h
@@ -23,6 +23,7 @@
 #include <grub/symbol.h>
 #include <grub/types.h>
 #include <grub/video.h>
 +#include <grub/safemath.h>
 struct grub_video_bitmap
 {
@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
   return bitmap->mode_info.height;
 }
 +/*
 + * Calculate and store the size of data buffer of 1bit bitmap in result.
 + * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
 + * Return true when overflow occurs or false if there is no overflow.
 + * This function is intentionally implemented as a macro instead of
 + * an inline function. Although a bit awkward, it preserves data types for
 + * safemath macros and reduces macro side effects as much as possible.
 + *
 + * XXX: Will report false overflow if width * height > UINT64_MAX.
 + */
 +#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
 +({ \
 +  grub_uint64_t _bitmap_pixels; \
 +  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
 +    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
 +})
 +
 void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
 						    struct grub_video_mode_info *mode_info);
 diff --git a/include/grub/safemath.h b/include/grub/safemath.h
 index 1ccac276b5..30800ad6a1 100644
 --- a/include/grub/safemath.h
 +++ b/include/grub/safemath.h
@@ -30,6 +30,8 @@
 #define grub_sub(a, b, res)	__builtin_sub_overflow(a, b, res)
 #define grub_mul(a, b, res)	__builtin_mul_overflow(a, b, res)
 +#define grub_cast(a, res)	grub_add ((a), 0, (res))
 +
 #else
 /*
  * Copyright 2020 Rasmus Villemoes
--- a/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch
+++ b/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch
@ -1,81 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Fri, 5 Aug 2022 01:58:27 +0800
 Subject: [PATCH] font: Fix several integer overflows in
 grub_font_construct_glyph()
 This patch fixes several integer overflows in grub_font_construct_glyph().
 Glyphs of invalid size, zero or leading to an overflow, are rejected.
 The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
 returns NULL is fixed too.
 Fixes: CVE-2022-2601
 Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf)
 (cherry picked from commit b91eb9bd6c724339b7d7bb4765b9d36f1ee88b84)
 (cherry picked from commit 1ebafd82dd19e522f0d753fd9828553fe8bcac78)
 ---
 grub-core/font/font.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index d6df79602d..129aaa3838 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
   struct grub_video_signed_rect bounds;
   static struct grub_font_glyph *glyph = 0;
   static grub_size_t max_glyph_size = 0;
 +  grub_size_t cur_glyph_size;
   ensure_comb_space (glyph_id);
@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
   if (!glyph_id->ncomb && !glyph_id->attributes)
     return main_glyph;
 -  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
 +  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
 +      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
 +    return main_glyph;
 +
 +  if (max_glyph_size < cur_glyph_size)
     {
       grub_free (glyph);
 -      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
 -      if (max_glyph_size < 8)
 -	max_glyph_size = 8;
 -      glyph = grub_malloc (max_glyph_size);
 +      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
 +	max_glyph_size = 0;
 +      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
     }
   if (!glyph)
     {
 +      max_glyph_size = 0;
       grub_errno = GRUB_ERR_NONE;
       return main_glyph;
     }
 -  grub_memset (glyph, 0, sizeof (*glyph)
 -	       + (bounds.width * bounds.height
 -		  + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
 +  grub_memset (glyph, 0, cur_glyph_size);
   glyph->font = main_glyph->font;
 -  glyph->width = bounds.width;
 -  glyph->height = bounds.height;
 -  glyph->offset_x = bounds.x;
 -  glyph->offset_y = bounds.y;
 +  if (bounds.width == 0 || bounds.height == 0 ||
 +      grub_cast (bounds.width, &glyph->width) ||
 +      grub_cast (bounds.height, &glyph->height) ||
 +      grub_cast (bounds.x, &glyph->offset_x) ||
 +      grub_cast (bounds.y, &glyph->offset_y))
 +    return main_glyph;
   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
     grub_font_blit_glyph_mirror (glyph, main_glyph,
--- a/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch
+++ b/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch
@ -1,42 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Fri, 5 Aug 2022 02:13:29 +0800
 Subject: [PATCH] font: Remove grub_font_dup_glyph()
 Remove grub_font_dup_glyph() since nobody is using it since 2013, and
 I'm too lazy to fix the integer overflow problem in it.
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d)
 (cherry picked from commit ad950e1e033318bb50222ed268a6dcfb97389035)
 (cherry picked from commit 71644fccc1d43309f0a379dcfe9341ec3bd9657d)
 ---
 grub-core/font/font.c | 14 --------------
 1 file changed, 14 deletions(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index 129aaa3838..347e9dfa29 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -1055,20 +1055,6 @@ grub_font_get_glyph_with_fallback (grub_font_t font, grub_uint32_t code)
   return best_glyph;
 }
 -#if 0
 -static struct grub_font_glyph *
 -grub_font_dup_glyph (struct grub_font_glyph *glyph)
 -{
 -  static struct grub_font_glyph *ret;
 -  ret = grub_malloc (sizeof (*ret) + (glyph->width * glyph->height + 7) / 8);
 -  if (!ret)
 -    return NULL;
 -  grub_memcpy (ret, glyph, sizeof (*ret)
 -	       + (glyph->width * glyph->height + 7) / 8);
 -  return ret;
 -}
 -#endif
 -
 /* FIXME: suboptimal.  */
 static void
 grub_font_blit_glyph (struct grub_font_glyph *target,
--- a/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch
+++ b/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch
@ -1,48 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Fri, 5 Aug 2022 02:27:05 +0800
 Subject: [PATCH] font: Fix integer overflow in ensure_comb_space()
 In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
 wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
 in the future. This patch also fixes the inconsistency between
 render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
 returns NULL.
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit b2740b7e4a03bb8331d48b54b119afea76bb9d5f)
 (cherry picked from commit f66ea1e60c347408e92b6695d5105c7e0f24d568)
 (cherry picked from commit 0e07159c24cdbb62a9d19fba8199065b049e03c7)
 ---
 grub-core/font/font.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index 347e9dfa29..1367e44743 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -1468,14 +1468,18 @@ ensure_comb_space (const struct grub_unicode_glyph *glyph_id)
   if (glyph_id->ncomb <= render_max_comb_glyphs)
     return;
 -  render_max_comb_glyphs = 2 * glyph_id->ncomb;
 -  if (render_max_comb_glyphs < 8)
 +  if (grub_mul (glyph_id->ncomb, 2, &render_max_comb_glyphs))
 +    render_max_comb_glyphs = 0;
 +  if (render_max_comb_glyphs > 0 && render_max_comb_glyphs < 8)
     render_max_comb_glyphs = 8;
   grub_free (render_combining_glyphs);
 -  render_combining_glyphs = grub_malloc (render_max_comb_glyphs
 -					 * sizeof (render_combining_glyphs[0]));
 +  render_combining_glyphs = (render_max_comb_glyphs > 0) ?
 +    grub_calloc (render_max_comb_glyphs, sizeof (render_combining_glyphs[0])) : NULL;
   if (!render_combining_glyphs)
 -    grub_errno = 0;
 +    {
 +      render_max_comb_glyphs = 0;
 +      grub_errno = GRUB_ERR_NONE;
 +    }
 }
 int
--- a/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch
+++ b/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch
@ -1,65 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Mon, 15 Aug 2022 02:04:58 +0800
 Subject: [PATCH] font: Fix integer overflow in BMP index
 The BMP index (font->bmp_idx) is designed as a reverse lookup table of
 char entries (font->char_index), in order to speed up lookups for BMP
 chars (i.e. code < 0x10000). The values in BMP index are the subscripts
 of the corresponding char entries, stored in grub_uint16_t, while 0xffff
 means not found.
 This patch fixes the problem of large subscript truncated to grub_uint16_t,
 leading BMP index to return wrong char entry or report false miss. The
 code now checks for bounds and uses BMP index as a hint, and fallbacks
 to binary-search if necessary.
 On the occasion add a comment about BMP index is initialized to 0xffff.
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit afda8b60ba0712abe01ae1e64c5f7a067a0e6492)
 (cherry picked from commit 6d90568929e11739b56f09ebbce9185ca9c23519)
 (cherry picked from commit b8c47c3dd6894b3135db861e3e563f661efad5c3)
 ---
 grub-core/font/font.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index 1367e44743..059c23dff7 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
   font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
   if (!font->bmp_idx)
     return 1;
 +
 +  /* Init the BMP index array to 0xffff. */
   grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
 	  return 1;
 	}
 -      if (entry->code < 0x10000)
 +      if (entry->code < 0x10000 && i < 0xffff)
 	font->bmp_idx[entry->code] = i;
       last_code = entry->code;
@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
   /* Use BMP index if possible.  */
   if (code < 0x10000 && font->bmp_idx)
     {
 -      if (font->bmp_idx[code] == 0xffff)
 -	return 0;
 -      return &table[font->bmp_idx[code]];
 +      if (font->bmp_idx[code] < 0xffff)
 +	return &table[font->bmp_idx[code]];
 +      /*
 +       * When we are here then lookup in BMP index result in miss,
 +       * fallthough to binary-search.
 +       */
     }
   /* Do a binary search in `char_index', which is ordered by code point.  */
--- a/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch
+++ b/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch
@ -1,85 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Sun, 14 Aug 2022 18:09:38 +0800
 Subject: [PATCH] font: Fix integer underflow in binary search of char index
 If search target is less than all entries in font->index then "hi"
 variable is set to -1, which translates to SIZE_MAX and leads to errors.
 This patch fixes the problem by replacing the entire binary search code
 with the libstdc++'s std::lower_bound() implementation.
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit c140a086838e7c9af87842036f891b8393a8c4bc)
 (cherry picked from commit e110997335b1744464ea232d57a7d86e16ca8dee)
 (cherry picked from commit 403053a5116ae945f9515a82c37ff8cfb927362c)
 ---
 grub-core/font/font.c | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index 059c23dff7..31786ab339 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value)
 static inline struct char_index_entry *
 find_glyph (const grub_font_t font, grub_uint32_t code)
 {
 -  struct char_index_entry *table;
 -  grub_size_t lo;
 -  grub_size_t hi;
 -  grub_size_t mid;
 +  struct char_index_entry *table, *first, *end;
 +  grub_size_t len;
   table = font->char_index;
 +  if (table == NULL)
 +    return NULL;
   /* Use BMP index if possible.  */
   if (code < 0x10000 && font->bmp_idx)
@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
        */
     }
 -  /* Do a binary search in `char_index', which is ordered by code point.  */
 -  lo = 0;
 -  hi = font->num_chars - 1;
 +  /*
 +   * Do a binary search in char_index which is ordered by code point.
 +   * The code below is the same as libstdc++'s std::lower_bound().
 +   */
 +  first = table;
 +  len = font->num_chars;
 +  end = first + len;
 -  if (!table)
 -    return 0;
 -
 -  while (lo <= hi)
 +  while (len > 0)
     {
 -      mid = lo + (hi - lo) / 2;
 -      if (code < table[mid].code)
 -	hi = mid - 1;
 -      else if (code > table[mid].code)
 -	lo = mid + 1;
 +      grub_size_t half = len >> 1;
 +      struct char_index_entry *middle = first + half;
 +
 +      if (middle->code < code)
 +	{
 +	  first = middle + 1;
 +	  len = len - half - 1;
 +	}
       else
 -	return &table[mid];
 +	len = half;
     }
 -  return 0;
 +  return (first < end && first->code == code) ? first : NULL;
 }
 /* Get a glyph for the Unicode character CODE in FONT.  The glyph is loaded
--- a/SOURCES/0569-fbutil-Fix-integer-overflow.patch
+++ b/SOURCES/0569-fbutil-Fix-integer-overflow.patch
@ -1,85 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Tue, 6 Sep 2022 03:03:21 +0800
 Subject: [PATCH] fbutil: Fix integer overflow
 Expressions like u64 = u32 * u32 are unsafe because their products are
 truncated to u32 even if left hand side is u64. This patch fixes all
 problems like that one in fbutil.
 To get right result not only left hand side have to be u64 but it's also
 necessary to cast at least one of the operands of all leaf operators of
 right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
 u64 = (u64)u32 * u32 + (u64)u32 * u32.
 For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
 combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
 not overflow grub_uint64_t.
 Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
 They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
 This patch also adds a comment to grub_video_fb_get_video_ptr() which
 says it's arguments must be valid and no sanity check is performed
 (like its siblings in grub-core/video/fb/fbutil.c).
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit 50a11a81bc842c58962244a2dc86bbd31a426e12)
 (cherry picked from commit 8fa75d647362c938c4cc302cf5945b31fb92c078)
 (cherry picked from commit 91005e39b3c8b6ca8dcc84ecb19ac9328966aaea)
 ---
 grub-core/video/fb/fbutil.c |  4 ++--
 include/grub/fbutil.h       | 13 +++++++++----
 2 files changed, 11 insertions(+), 6 deletions(-)
 diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c
 index b98bb51fe8..25ef39f47d 100644
 --- a/grub-core/video/fb/fbutil.c
 +++ b/grub-core/video/fb/fbutil.c
@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source,
     case 1:
       if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
         {
 -          int bit_index = y * source->mode_info->width + x;
 +          grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
           grub_uint8_t *ptr = source->data + bit_index / 8;
           int bit_pos = 7 - bit_index % 8;
           color = (*ptr >> bit_pos) & 0x01;
@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source,
     case 1:
       if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
         {
 -          int bit_index = y * source->mode_info->width + x;
 +          grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
           grub_uint8_t *ptr = source->data + bit_index / 8;
           int bit_pos = 7 - bit_index % 8;
           *ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos);
 diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h
 index 4205eb917f..78a1ab3b45 100644
 --- a/include/grub/fbutil.h
 +++ b/include/grub/fbutil.h
@@ -31,14 +31,19 @@ struct grub_video_fbblit_info
   grub_uint8_t *data;
 };
 -/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
 -   and it doesn't make sense, in general, to ask for a pointer
 -   to a particular pixel's data.  */
 +/*
 + * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
 + * and it doesn't make sense, in general, to ask for a pointer
 + * to a particular pixel's data.
 + *
 + * This function assumes that bounds checking has been done in previous phase
 + * and they are opted out in here.
 + */
 static inline void *
 grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source,
               unsigned int x, unsigned int y)
 {
 -  return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel;
 +  return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel;
 }
 /* Advance pointer by VAL bytes. If there is no unaligned access available,
--- a/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch
+++ b/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch
@ -1,91 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Mon, 24 Oct 2022 08:05:35 +0800
 Subject: [PATCH] font: Fix an integer underflow in blit_comb()
 The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
 evaluate to a very big invalid value even if both ctx.bounds.height and
 combining_glyphs[i]->height are small integers. For example, if
 ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
 expression evaluates to 2147483647 (expected -1). This is because
 coordinates are allowed to be negative but ctx.bounds.height is an
 unsigned int. So, the subtraction operates on unsigned ints and
 underflows to a very big value. The division makes things even worse.
 The quotient is still an invalid value even if converted back to int.
 This patch fixes the problem by casting ctx.bounds.height to int. As
 a result the subtraction will operate on int and grub_uint16_t which
 will be promoted to an int. So, the underflow will no longer happen. Other
 uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
 to ensure coordinates are always calculated on signed integers.
 Fixes: CVE-2022-3775
 Reported-by: Daniel Axtens <dja@axtens.net>
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4)
 (cherry picked from commit 05e532fb707bbf79aa4e1efbde4d208d7da89d6b)
 (cherry picked from commit 0b2592fbb245d53c5c42885d695ece03ddb0eb12)
 ---
 grub-core/font/font.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index 31786ab339..fc9d92fce4 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -1203,12 +1203,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
   ctx.bounds.height = main_glyph->height;
   above_rightx = main_glyph->offset_x + main_glyph->width;
 -  above_righty = ctx.bounds.y + ctx.bounds.height;
 +  above_righty = ctx.bounds.y + (int) ctx.bounds.height;
   above_leftx = main_glyph->offset_x;
 -  above_lefty = ctx.bounds.y + ctx.bounds.height;
 +  above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
 -  below_rightx = ctx.bounds.x + ctx.bounds.width;
 +  below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
   below_righty = ctx.bounds.y;
   comb = grub_unicode_get_comb (glyph_id);
@@ -1221,7 +1221,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
       if (!combining_glyphs[i])
 	continue;
 -      targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
 +      targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
       /* CGJ is to avoid diacritics reordering. */
       if (comb[i].code
 	  == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
@@ -1231,8 +1231,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
 	case GRUB_UNICODE_COMB_OVERLAY:
 	  do_blit (combining_glyphs[i],
 		   targetx,
 -		   (ctx.bounds.height - combining_glyphs[i]->height) / 2
 -		   - (ctx.bounds.height + ctx.bounds.y), &ctx);
 +		   ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
 +		   - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
 	  if (min_devwidth < combining_glyphs[i]->width)
 	    min_devwidth = combining_glyphs[i]->width;
 	  break;
@@ -1305,7 +1305,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
 	  /* Fallthrough.  */
 	case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
 	  do_blit (combining_glyphs[i], targetx,
 -		   -(ctx.bounds.height + ctx.bounds.y + space
 +		   -((int) ctx.bounds.height + ctx.bounds.y + space
 		     + combining_glyphs[i]->height), &ctx);
 	  if (min_devwidth < combining_glyphs[i]->width)
 	    min_devwidth = combining_glyphs[i]->width;
@@ -1313,7 +1313,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
 	case GRUB_UNICODE_COMB_HEBREW_DAGESH:
 	  do_blit (combining_glyphs[i], targetx,
 -		   -(ctx.bounds.height / 2 + ctx.bounds.y
 +		   -((int) ctx.bounds.height / 2 + ctx.bounds.y
 		     + combining_glyphs[i]->height / 2), &ctx);
 	  if (min_devwidth < combining_glyphs[i]->width)
 	    min_devwidth = combining_glyphs[i]->width;
--- a/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
+++ b/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
@ -1,75 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Mon, 24 Oct 2022 07:15:41 +0800
 Subject: [PATCH] font: Harden grub_font_blit_glyph() and
 grub_font_blit_glyph_mirror()
 As a mitigation and hardening measure add sanity checks to
 grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
 makes these two functions do nothing if target blitting area isn't fully
 contained in target bitmap. Therefore, if complex calculations in caller
 overflows and malicious coordinates are given, we are still safe because
 any coordinates which result in out-of-bound-write are rejected. However,
 this patch only checks for invalid coordinates, and doesn't provide any
 protection against invalid source glyph or destination glyph, e.g.
 mismatch between glyph size and buffer size.
 This hardening measure is designed to mitigate possible overflows in
 blit_comb(). If overflow occurs, it may return invalid bounding box
 during dry run and call grub_font_blit_glyph() with malicious
 coordinates during actual blitting. However, we are still safe because
 the scratch glyph itself is valid, although its size makes no sense, and
 any invalid coordinates are rejected.
 It would be better to call grub_fatal() if illegal parameter is detected.
 However, doing this may end up in a dangerous recursion because grub_fatal()
 would print messages to the screen and we are in the progress of drawing
 characters on the screen.
 Reported-by: Daniel Axtens <dja@axtens.net>
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6)
 (cherry picked from commit 1d37ec63a1c76a14fdf70f548eada92667b42ddb)
 (cherry picked from commit 686c72ea0a841343b7d8ab64e815751aa36e24b5)
 ---
 grub-core/font/font.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index fc9d92fce4..cfa4bd5096 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -1069,8 +1069,15 @@ static void
 grub_font_blit_glyph (struct grub_font_glyph *target,
 		      struct grub_font_glyph *src, unsigned dx, unsigned dy)
 {
 +  grub_uint16_t max_x, max_y;
   unsigned src_bit, tgt_bit, src_byte, tgt_byte;
   unsigned i, j;
 +
 +  /* Harden against out-of-bound writes. */
 +  if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
 +      (grub_add (dy, src->height, &max_y) || max_y > target->height))
 +    return;
 +
   for (i = 0; i < src->height; i++)
     {
       src_bit = (src->width * i) % 8;
@@ -1102,9 +1109,16 @@ grub_font_blit_glyph_mirror (struct grub_font_glyph *target,
 			     struct grub_font_glyph *src,
 			     unsigned dx, unsigned dy)
 {
 +  grub_uint16_t max_x, max_y;
   unsigned tgt_bit, src_byte, tgt_byte;
   signed src_bit;
   unsigned i, j;
 +
 +  /* Harden against out-of-bound writes. */
 +  if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
 +      (grub_add (dy, src->height, &max_y) || max_y > target->height))
 +    return;
 +
   for (i = 0; i < src->height; i++)
     {
       src_bit = (src->width * i + src->width - 1) % 8;
--- a/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
+++ b/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
@ -1,36 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Fri, 28 Oct 2022 17:29:16 +0800
 Subject: [PATCH] font: Assign null_font to glyphs in ascii_font_glyph[]
 The calculations in blit_comb() need information from glyph's font, e.g.
 grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
 NULL if main_glyph comes from ascii_font_glyph[]. Therefore
 grub_font_get_*() crashes because of NULL pointer.
 There is already a solution, the null_font. So, assign it to those glyphs
 in ascii_font_glyph[].
 Reported-by: Daniel Axtens <dja@axtens.net>
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit dd539d695482069d28b40f2d3821f710cdcf6ee6)
 (cherry picked from commit 87526376857eaceae474c9797e3cee5b50597332)
 (cherry picked from commit b4807bbb09d9adf82fe9ae12a3af1c852dc4e32d)
 ---
 grub-core/font/font.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/grub-core/font/font.c b/grub-core/font/font.c
 index cfa4bd5096..30cd1fe07f 100644
 --- a/grub-core/font/font.c
 +++ b/grub-core/font/font.c
@@ -137,7 +137,7 @@ ascii_glyph_lookup (grub_uint32_t code)
 	  ascii_font_glyph[current]->offset_x = 0;
 	  ascii_font_glyph[current]->offset_y = -2;
 	  ascii_font_glyph[current]->device_width = 8;
 -	  ascii_font_glyph[current]->font = NULL;
 +	  ascii_font_glyph[current]->font = &null_font;
 	  grub_memcpy (ascii_font_glyph[current]->bitmap,
 		       &ascii_bitmaps[current * ASCII_BITMAP_SIZE],
--- a/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
+++ b/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
@ -1,55 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Zhang Boyang <zhangboyang.id@gmail.com>
 Date: Fri, 28 Oct 2022 21:31:39 +0800
 Subject: [PATCH] normal/charset: Fix an integer overflow in
 grub_unicode_aglomerate_comb()
 The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
 However, code in grub_unicode_aglomerate_comb() doesn't check for an
 overflow when incrementing out->ncomb. If out->ncomb is already 255,
 after incrementing it will get 0 instead of 256, and cause illegal
 memory access in subsequent processing.
 This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
 acceptable value of ncomb. The code now checks for this limit and
 ignores additional combining characters when limit is reached.
 Reported-by: Daniel Axtens <dja@axtens.net>
 Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 (cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6)
 (cherry picked from commit 26fafec86000b5322837722a115279ef03922ca6)
 (cherry picked from commit 872fba1c44dee2ab5cb36b2c7a883847f91ed907)
 ---
 grub-core/normal/charset.c | 3 +++
 include/grub/unicode.h     | 2 ++
 2 files changed, 5 insertions(+)
 diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
 index 7b2de12001..4849cf06f7 100644
 --- a/grub-core/normal/charset.c
 +++ b/grub-core/normal/charset.c
@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
 	  if (!haveout)
 	    continue;
 +	  if (out->ncomb == GRUB_UNICODE_NCOMB_MAX)
 +	    continue;
 +
 	  if (comb_type == GRUB_UNICODE_COMB_MC
 	      || comb_type == GRUB_UNICODE_COMB_ME
 	      || comb_type == GRUB_UNICODE_COMB_MN)
 diff --git a/include/grub/unicode.h b/include/grub/unicode.h
 index 4de986a857..c4f6fca043 100644
 --- a/include/grub/unicode.h
 +++ b/include/grub/unicode.h
@@ -147,7 +147,9 @@ struct grub_unicode_glyph
   grub_uint8_t bidi_level:6; /* minimum: 6 */
   enum grub_bidi_type bidi_type:5; /* minimum: :5 */
 +#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1)
   unsigned ncomb:8;
 +
   /* Hint by unicode subsystem how wide this character usually is.
      Real width is determined by font. Set only in UTF-8 stream.  */
   int estimated_width:8;
--- a/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch
+++ b/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch
@ -1,227 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Lu Ken <ken.lu@intel.com>
 Date: Sat, 3 Jul 2021 10:50:37 -0400
 Subject: [PATCH] Enable TDX measurement to RTMR register
 Intel Trust Domain Extensions(Intel TDX) refers to an Intel technology
 that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory
 Encryption(MK-TME) with a new kind of virtual machine guest called a
 Trust Domain(TD)[1]. A TD runs in a CPU mode that protects the confidentiality
 of its memory contents and its CPU state from any other software, including
 the hosting Virtual Machine Monitor (VMM).
 Trust Domain Virtual Firmware (TDVF) is required to provide TD services to
 the TD guest OS.[2] Its reference code is available at https://github.com/tianocore/edk2-staging/tree/TDVF.
 To support TD measurement/attestation, TDs provide 4 RTMR registers like
 TPM/TPM2 PCR as below:
 - RTMR[0] is for TDVF configuration
 - RTMR[1] is for the TD OS loader and kernel
 - RTMR[2] is for the OS application
 - RTMR[3] is reserved for special usage only
 This patch adds TD Measurement protocol support along with TPM/TPM2 protocol.
 References:
 [1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
 [2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
 Signed-off-by: Lu Ken <ken.lu@intel.com>
 (cherry picked from commit 841a0977397cf12a5498d439b8aaf8bf28ff8544)
 ---
 grub-core/Makefile.core.def |  1 +
 grub-core/kern/efi/tdx.c    | 70 +++++++++++++++++++++++++++++++++++++++++++++
 grub-core/kern/tpm.c        |  4 +++
 include/grub/efi/tdx.h      | 26 +++++++++++++++++
 include/grub/tdx.h          | 36 +++++++++++++++++++++++
 5 files changed, 137 insertions(+)
 create mode 100644 grub-core/kern/efi/tdx.c
 create mode 100644 include/grub/efi/tdx.h
 create mode 100644 include/grub/tdx.h
 diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
 index 637d7203e3..2787d59c52 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
@@ -200,6 +200,7 @@ kernel = {
   efi = kern/efi/acpi.c;
   efi = kern/lockdown.c;
   efi = lib/envblk.c;
 +  efi = kern/efi/tdx.c;
   efi = kern/efi/tpm.c;
   i386_coreboot = kern/i386/pc/acpi.c;
   i386_multiboot = kern/i386/pc/acpi.c;
 diff --git a/grub-core/kern/efi/tdx.c b/grub-core/kern/efi/tdx.c
 new file mode 100644
 index 0000000000..3a49f8d117
 --- /dev/null
 +++ b/grub-core/kern/efi/tdx.c
@@ -0,0 +1,70 @@
 +#include <grub/err.h>
 +#include <grub/i18n.h>
 +#include <grub/efi/api.h>
 +#include <grub/efi/efi.h>
 +#include <grub/efi/tpm.h>
 +#include <grub/efi/tdx.h>
 +#include <grub/mm.h>
 +#include <grub/tpm.h>
 +#include <grub/tdx.h>
 +
 +static grub_efi_guid_t tdx_guid = EFI_TDX_GUID;
 +
 +static inline grub_err_t grub_tdx_dprintf(grub_efi_status_t status)
 +{
 +  switch (status) {
 +  case GRUB_EFI_SUCCESS:
 +    return 0;
 +  case GRUB_EFI_DEVICE_ERROR:
 +    grub_dprintf ("tdx", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n",
 +                  status);
 +    return GRUB_ERR_IO;
 +  case GRUB_EFI_INVALID_PARAMETER:
 +    grub_dprintf ("tdx", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n",
 +                  status);
 +    return GRUB_ERR_BAD_ARGUMENT;
 +  case GRUB_EFI_VOLUME_FULL:
 +    grub_dprintf ("tdx", "Volume is full: 0x%"PRIxGRUB_EFI_STATUS"\n",
 +                  status);
 +    return GRUB_ERR_BAD_ARGUMENT;
 +  case GRUB_EFI_UNSUPPORTED:
 +    grub_dprintf ("tdx", "TDX unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n",
 +                  status);
 +    return GRUB_ERR_UNKNOWN_DEVICE;
 +  default:
 +    grub_dprintf ("tdx", "Unknown TDX error: 0x%"PRIxGRUB_EFI_STATUS"\n",
 +                  status);
 +    return GRUB_ERR_UNKNOWN_DEVICE;
 +  }
 +}
 +
 +grub_err_t
 +grub_tdx_log_event(unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
 +		   const char *description)
 +{
 +  EFI_TCG2_EVENT *event;
 +  grub_efi_status_t status;
 +  grub_efi_tdx_protocol_t *tdx;
 +
 +  tdx = grub_efi_locate_protocol (&tdx_guid, NULL);
 +
 +  if (!tdx)
 +    return 0;
 +
 +  event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 1);
 +  if (!event)
 +    return grub_error (GRUB_ERR_OUT_OF_MEMORY,
 +		       N_("cannot allocate TCG2 event buffer"));
 +
 +  event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
 +  event->Header.HeaderVersion = 1;
 +  event->Header.PCRIndex = pcr;
 +  event->Header.EventType = EV_IPL;
 +  event->Size = sizeof(*event) - sizeof(event->Event) + grub_strlen(description) + 1;
 +  grub_memcpy(event->Event, description, grub_strlen(description) + 1);
 +
 +  status = efi_call_5 (tdx->hash_log_extend_event, tdx, 0, (unsigned long) buf,
 +		       (grub_uint64_t) size, event);
 +
 +  return grub_tdx_dprintf(status);
 +}
 \ No newline at end of file
 diff --git a/grub-core/kern/tpm.c b/grub-core/kern/tpm.c
 index e5e8fced62..71cc4252c1 100644
 --- a/grub-core/kern/tpm.c
 +++ b/grub-core/kern/tpm.c
@@ -4,6 +4,7 @@
 #include <grub/mm.h>
 #include <grub/tpm.h>
 #include <grub/term.h>
 +#include <grub/tdx.h>
 grub_err_t
 grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
@@ -13,6 +14,9 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
   char *desc = grub_xasprintf("%s %s", kind, description);
   if (!desc)
     return GRUB_ERR_OUT_OF_MEMORY;
 +
 +  grub_tdx_log_event(buf, size, pcr, desc);
 +
   ret = grub_tpm_log_event(buf, size, pcr, desc);
   grub_free(desc);
   return ret;
 diff --git a/include/grub/efi/tdx.h b/include/grub/efi/tdx.h
 new file mode 100644
 index 0000000000..9bdac2a275
 --- /dev/null
 +++ b/include/grub/efi/tdx.h
@@ -0,0 +1,26 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2015  Free Software Foundation, Inc.
 + *
 + *  GRUB is free software: you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License as published by
 + *  the Free Software Foundation, either version 3 of the License, or
 + *  (at your option) any later version.
 + *
 + *  GRUB is distributed in the hope that it will be useful,
 + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + *  GNU General Public License for more details.
 + *
 + *  You should have received a copy of the GNU General Public License
 + *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#ifndef GRUB_EFI_TDX_HEADER
 +#define GRUB_EFI_TDX_HEADER 1
 +
 +#define EFI_TDX_GUID {0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b}};
 +
 +typedef grub_efi_tpm2_protocol_t grub_efi_tdx_protocol_t;
 +
 +#endif
 \ No newline at end of file
 diff --git a/include/grub/tdx.h b/include/grub/tdx.h
 new file mode 100644
 index 0000000000..4a98008e39
 --- /dev/null
 +++ b/include/grub/tdx.h
@@ -0,0 +1,36 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2015  Free Software Foundation, Inc.
 + *
 + *  GRUB is free software: you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License as published by
 + *  the Free Software Foundation, either version 3 of the License, or
 + *  (at your option) any later version.
 + *
 + *  GRUB is distributed in the hope that it will be useful,
 + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + *  GNU General Public License for more details.
 + *
 + *  You should have received a copy of the GNU General Public License
 + *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#ifndef GRUB_TDX_HEADER
 +#define GRUB_TDX_HEADER 1
 +
 +#if defined (GRUB_MACHINE_EFI)
 +grub_err_t grub_tdx_log_event(unsigned char *buf, grub_size_t size,
 +			      grub_uint8_t pcr, const char *description);
 +#else
 +static inline grub_err_t grub_tdx_log_event(
 +	unsigned char *buf __attribute__ ((unused)),
 +	grub_size_t size __attribute__ ((unused)),
 +	grub_uint8_t pcr __attribute__ ((unused)),
 +	const char *description __attribute__ ((unused)))
 +{
 +	return 0;
 +};
 +#endif
 +
 +#endif
--- a/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch
+++ b/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch
@ -1,28 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
 Date: Tue, 24 Jan 2023 08:01:47 -0500
 Subject: [PATCH] Enable shared processor mode in vector 5
 This patch is to update the vector 5 which is troubling some
 machines to bootup properly in shared processor mode.
 Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
 (cherry picked from commit 30d2ee836649386a336f9437c8a149c8e642a46b)
 (cherry picked from commit 7e309d139c5eca1f03659e612a14499213e79c95)
 ---
 grub-core/kern/ieee1275/init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
 index 37f3098c39..3ea9b73b2a 100644
 --- a/grub-core/kern/ieee1275/init.c
 +++ b/grub-core/kern/ieee1275/init.c
@@ -372,7 +372,7 @@ grub_ieee1275_ibm_cas (void)
     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
     .vec5_size = 1 + sizeof(struct option_vector5) - 2,
     .vec5 = {
 -	0, 0, 0, 0, 0, 0, 0, 0, 256
 +	0, 192, 0, 128, 0, 0, 0, 0, 256
     }
   };
--- a/SOURCES/0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch
+++ b/SOURCES/0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch
@ -1,30 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Matt Hsiao <matt.hsiao@hpe.com>
 Date: Mon, 24 Apr 2023 13:39:05 +0800
 Subject: [PATCH] efi/http: change uint32_t to uintn_t for
 grub_efi_http_message_t
 Modify UINT32 to UINTN in EFI_HTTP_MESSAGE to be UEFI 2.9 compliant.
 Signed-off-by: Matt Hsiao <matt.hsiao@hpe.com>
 Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
 ---
 include/grub/efi/http.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/include/grub/efi/http.h b/include/grub/efi/http.h
 index c5e9a89f5050..ad164ba1913d 100644
 --- a/include/grub/efi/http.h
 +++ b/include/grub/efi/http.h
@@ -171,9 +171,9 @@ typedef struct {
     grub_efi_http_request_data_t *request;
     grub_efi_http_response_data_t *response;
   } data;
 -  grub_efi_uint32_t header_count;
 +  grub_efi_uintn_t header_count;
   grub_efi_http_header_t *headers;
 -  grub_efi_uint32_t body_length;
 +  grub_efi_uintn_t body_length;
   void *body;
 } grub_efi_http_message_t;
--- a/SOURCES/0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch
+++ b/SOURCES/0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch
@ -1,46 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
 Date: Thu, 23 Mar 2023 08:16:25 -0400
 Subject: [PATCH] ieee1275 : Converting plain numbers to constants in Vec5
 This patch converts the plain numbers used in Vec5 properties to
 constants.
 1. LPAR : Client program supports logical partitioning and
   associated hcall()s.
 2. SPLPAR : Client program supports the Shared
   Processor LPAR Option.
 3. CMO : Enables the Cooperative Memory Over-commitment Option.
 4. MAX_CPU : Defines maximum number of CPUs supported.
 Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
 ---
 grub-core/kern/ieee1275/init.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
 index 3ea9b73b2a59..2516e02091cb 100644
 --- a/grub-core/kern/ieee1275/init.c
 +++ b/grub-core/kern/ieee1275/init.c
@@ -56,6 +56,12 @@ extern char _end[];
 grub_addr_t grub_ieee1275_original_stack;
 #endif
 +#define LPAR     0x80
 +#define SPLPAR   0x40
 +#define BYTE2    (LPAR | SPLPAR)
 +#define CMO      0x80
 +#define MAX_CPU  256
 +
 void
 grub_exit (int rc __attribute__((unused)))
 {
@@ -372,7 +378,7 @@ grub_ieee1275_ibm_cas (void)
     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
     .vec5_size = 1 + sizeof(struct option_vector5) - 2,
     .vec5 = {
 -	0, 192, 0, 128, 0, 0, 0, 0, 256
 +        0, BYTE2, 0, CMO, 0, 0, 0, 0, MAX_CPU	
     }
   };
--- a/SOURCES/0578-ieee1275-extended-support-in-options-vector5.patch
+++ b/SOURCES/0578-ieee1275-extended-support-in-options-vector5.patch
@ -1,125 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
 Date: Thu, 23 Mar 2023 08:33:12 -0400
 Subject: [PATCH] ieee1275 : extended support in options vector5
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This patch enables the multiple options in Options Vector5 which are
 required and solves the boot issue seen on some machines which are looking for these specific options.
 1. LPAR : Client program supports logical partitioning and
   associated hcall()s.
 2. SPLPAR : Client program supports the Shared
   Processor LPAR Option.
 3. DYN_RCON_MEM : Client program supports the
   “ibm,dynamic-reconfiguration-memory” property and it may be
   presented in the device tree.
 4. LARGE_PAGES : Client supports pages larger than 4 KB.
 5. DONATE_DCPU_CLS : Client supports donating dedicated processor cycles.
 6. PCI_EXP : Client supports PCI Express implementations
   utilizing Message Signaled Interrupts (MSIs).
 7. CMOC : Enables the Cooperative Memory Over-commitment Option.
 8. EXT_CMO : Enables the Extended Cooperative Memory Over-commit
   Option.
 9. ASSOC_REF : Enables “ibm,associativity” and
   “ibm,associativity-reference-points” properties.
 10. AFFINITY : Enables Platform Resource Reassignment Notification.
 11. NUMA : Supports NUMA Distance Lookup Table Option.
 12. HOTPLUG_INTRPT : Supports Hotplug Interrupts.
 13. HPT_RESIZE : Enable Hash Page Table Resize Option.
 14. MAX_CPU : Defines maximum number of CPUs supported.
 15. PFO_HWRNG : Supports Random Number Generator.
 16. PFO_HW_COMP : Supports Compression Engine.
 17. PFO_ENCRYPT : Supports Encryption Engine.
 18. SUB_PROCESSORS : Supports Sub-Processors.
 19. DY_MEM_V2 : Client program supports the “ibm,dynamic-memory-v2” property in the
    “ibm,dynamic-reconfiguration-memory” node and it may be presented in the device tree.
 20. DRC_INFO : Client program supports the “ibm,drc-info” property definition and it may be
    presented in the device tree.
 Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
 ---
 grub-core/kern/ieee1275/init.c | 47 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 41 insertions(+), 6 deletions(-)
 diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
 index 2516e02091cb..1fae84440403 100644
 --- a/grub-core/kern/ieee1275/init.c
 +++ b/grub-core/kern/ieee1275/init.c
@@ -56,11 +56,41 @@ extern char _end[];
 grub_addr_t grub_ieee1275_original_stack;
 #endif
 -#define LPAR     0x80
 -#define SPLPAR   0x40
 -#define BYTE2    (LPAR | SPLPAR)
 -#define CMO      0x80
 -#define MAX_CPU  256
 +/* Options vector5 properties */
 +
 +#define LPAR                0x80
 +#define SPLPAR              0x40
 +#define DYN_RCON_MEM        0x20
 +#define LARGE_PAGES         0x10
 +#define DONATE_DCPU_CLS     0x02
 +#define PCI_EXP             0x01
 +#define BYTE2               (LPAR | SPLPAR | DYN_RCON_MEM | LARGE_PAGES | DONATE_DCPU_CLS | PCI_EXP)
 +
 +#define CMOC                0x80
 +#define EXT_CMO             0x40
 +#define CMO                 (CMOC | EXT_CMO)
 +
 +#define ASSOC_REF           0x80
 +#define AFFINITY            0x40
 +#define NUMA                0x20
 +#define ASSOCIATIVITY       (ASSOC_REF | AFFINITY | NUMA)
 +
 +#define HOTPLUG_INTRPT      0x04
 +#define HPT_RESIZE          0x01
 +#define BIN_OPTS            (HOTPLUG_INTRPT | HPT_RESIZE)
 +
 +#define MAX_CPU             256
 +
 +#define PFO_HWRNG           0x80000000
 +#define PFO_HW_COMP         0x40000000
 +#define PFO_ENCRYPT         0x20000000
 +#define PLATFORM_FACILITIES (PFO_HWRNG | PFO_HW_COMP | PFO_ENCRYPT)
 +
 +#define SUB_PROCESSORS      1
 +
 +#define DY_MEM_V2           0x80
 +#define DRC_INFO            0x40
 +#define BYTE22              (DY_MEM_V2 | DRC_INFO)
 void
 grub_exit (int rc __attribute__((unused)))
@@ -323,6 +353,11 @@ struct option_vector5 {
         grub_uint8_t micro_checkpoint;
         grub_uint8_t reserved0;
         grub_uint32_t max_cpus;
 +        grub_uint16_t base_PAPR;
 +        grub_uint16_t mem_reference;
 +        grub_uint32_t platform_facilities;
 +        grub_uint8_t sub_processors;
 +        grub_uint8_t byte22;
 } __attribute__((packed));
 struct pvr_entry {
@@ -378,7 +413,7 @@ grub_ieee1275_ibm_cas (void)
     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
     .vec5_size = 1 + sizeof(struct option_vector5) - 2,
     .vec5 = {
 -        0, BYTE2, 0, CMO, 0, 0, 0, 0, MAX_CPU	
 +        0, BYTE2, 0, CMO, ASSOCIATIVITY, BIN_OPTS, 0, 0, MAX_CPU, 0, 0, PLATFORM_FACILITIES, SUB_PROCESSORS, BYTE22
     }
   };
--- a/SOURCES/0579-Regenerate-kernelopts-if-missing-on-ppc.patch
+++ b/SOURCES/0579-Regenerate-kernelopts-if-missing-on-ppc.patch
@ -1,36 +0,0 @@
 From 8c74431327e0c7d7fe47462b0e69fcbe3bbac56e Mon Sep 17 00:00:00 2001
 From: Marta Lewandowska <mlewando@redhat.com>
 Date: Fri, 24 Mar 2023 09:14:29 -0400
 Subject: [PATCH] Regenerate kernelopts if missing on ppc
 Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
 ---
 util/grub.d/10_linux_bls.in | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/util/grub.d/10_linux_bls.in b/util/grub.d/10_linux_bls.in
 index 855dbdd..f2281bc 100644
 --- a/util/grub.d/10_linux_bls.in
 +++ b/util/grub.d/10_linux_bls.in
@@ -117,6 +117,18 @@ cat <<EOF
 # This section was generated by a script. Do not modify the generated file - all changes
 # will be lost the next time file is regenerated. Instead edit the BootLoaderSpec files.
 +# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
 +# entries populated from BootLoaderSpec files that use this variable work correctly even
 +# without a grubenv file, define a fallback kernelopts variable if this has not been set.
 +#
 +# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
 +# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
 +# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
 +# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
 +if [ -z "\${kernelopts}" ]; then
 +  set kernelopts="root=${linux_root_device_thisversion} ro ${args}"
 +fi
 +
 EOF
 }
 -- 
 2.39.1
--- a/SOURCES/0580-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch
+++ b/SOURCES/0580-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch
@ -1,210 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.ibm.com>
 Date: Tue, 8 Aug 2023 12:21:55 -0400
 Subject: [PATCH] kern/ieee1275/init: ppc64: Restrict high memory in presence
 of fadump
 This is a backport of the patch with the same name to grub 2.02.
 When a kernel dump is present then restrict the high memory regions to
 avoid allocating memory where the kernel dump resides. Use the
 ibm,kernel-dump node under /rtas to determine whether a kernel dump exists
 and up to which limit grub can use available memory. Set the
 upper_mem_limit to the size of the kernel dump section of type
 'REAL_MODE_REGION' and therefore only allow grub's memory usage for high
 addresses from 768MB to 'upper_mem_limit'. This means that grub can
 use high memory in the range of 768MB to upper_mem_limit and
 the kernel-dump memory regions above 'upper_mem_limit' remain untouched.
 This change has no effect on memory allocations below 640MB.
 Also, fall back to allocating below 640MB in case the chunk of
 memory there would be larger than the chunk of memory above 768MB.
 This can for example occur if a free memory area is found starting at 300MB
 extending up to 1GB but a kernel dump is located at 768MB and therefore
 does not allow the allocation of the high memory area but requiring to use
 the chunk starting at 300MB to avoid an unnecessary out-of-memory
 condition.
 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
 Cc: Hari Bathini <hbathini@linux.ibm.com>
 Cc: Pavithra Prakash <pavrampu@in.ibm.com>
 Cc: Michael Ellerman <mpe@ellerman.id.au>
 Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
 Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
 Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
 ---
 grub-core/kern/ieee1275/init.c | 139 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
 index 1fae84440403..31843ab70a62 100644
 --- a/grub-core/kern/ieee1275/init.c
 +++ b/grub-core/kern/ieee1275/init.c
@@ -17,6 +17,8 @@
  *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
  */
 +#include <stddef.h> /* offsetof() */
 +
 #include <grub/kernel.h>
 #include <grub/dl.h>
 #include <grub/disk.h>
@@ -180,6 +182,97 @@ grub_claim_heap (void)
 				 + GRUB_KERNEL_MACHINE_STACK_SIZE), 0x200000);
 }
 #else
 +
 +/* ibm,kernel-dump data structures */
 +struct kd_section
 +{
 +  grub_uint32_t flags;
 +  grub_uint16_t src_datatype;
 +#define KD_SRC_DATATYPE_REAL_MODE_REGION  0x0011
 +  grub_uint16_t error_flags;
 +  grub_uint64_t src_address;
 +  grub_uint64_t num_bytes;
 +  grub_uint64_t act_bytes;
 +  grub_uint64_t dst_address;
 +} GRUB_PACKED;
 +
 +#define MAX_KD_SECTIONS 10
 +
 +struct kernel_dump
 +{
 +  grub_uint32_t format;
 +  grub_uint16_t num_sections;
 +  grub_uint16_t status_flags;
 +  grub_uint32_t offset_1st_section;
 +  grub_uint32_t num_blocks;
 +  grub_uint64_t start_block;
 +  grub_uint64_t num_blocks_avail;
 +  grub_uint32_t offet_path_string;
 +  grub_uint32_t max_time_allowed;
 +  struct kd_section kds[MAX_KD_SECTIONS]; /* offset_1st_section should point to kds[0] */
 +} GRUB_PACKED;
 +
 +/*
 + * Determine if a kernel dump exists and if it does, then determine the highest
 + * address that grub can use for memory allocations.
 + * The caller must have initialized *highest to ~0. *highest will not
 + * be modified if no kernel dump is found.
 + */
 +static int
 +check_kernel_dump (grub_uint64_t *highest)
 +{
 +  struct kernel_dump kernel_dump;
 +  grub_ssize_t kernel_dump_size;
 +  grub_ieee1275_phandle_t rtas;
 +  struct kd_section *kds;
 +  grub_size_t i;
 +
 +  /* If there's a kernel-dump it must have at least one section */
 +  if (grub_ieee1275_finddevice ("/rtas", &rtas) ||
 +      grub_ieee1275_get_property (rtas, "ibm,kernel-dump", &kernel_dump,
 +                                  sizeof (kernel_dump), &kernel_dump_size) ||
 +      kernel_dump_size <= (grub_ssize_t) offsetof (struct kernel_dump, kds[1]))
 +    return 0;
 +
 +  kernel_dump_size = grub_min (kernel_dump_size, (grub_ssize_t) sizeof (kernel_dump));
 +
 +  if (grub_be_to_cpu32 (kernel_dump.format) != 1)
 +    {
 +      grub_printf (_("Error: ibm,kernel-dump has an unexpected format version '%u'\n"),
 +                   grub_be_to_cpu32 (kernel_dump.format));
 +      return 0;
 +    }
 +
 +  if (grub_be_to_cpu16 (kernel_dump.num_sections) > MAX_KD_SECTIONS)
 +    {
 +      grub_printf (_("Error: Too many kernel dump sections: %d\n"),
 +                   grub_be_to_cpu32 (kernel_dump.num_sections));
 +      return 0;
 +    }
 +
 +  for (i = 0; i < grub_be_to_cpu16 (kernel_dump.num_sections); i++)
 +    {
 +      kds = (struct kd_section *) ((grub_addr_t) &kernel_dump +
 +                                   grub_be_to_cpu32 (kernel_dump.offset_1st_section) +
 +                                   i * sizeof (struct kd_section));
 +      /* sanity check the address is within the 'kernel_dump' struct */
 +      if ((grub_addr_t) kds > (grub_addr_t) &kernel_dump + kernel_dump_size + sizeof (*kds))
 +        {
 +          grub_printf (_("Error: 'kds' address beyond last available section\n"));
 +          return 0;
 +        }
 +
 +      if ((grub_be_to_cpu16 (kds->src_datatype) == KD_SRC_DATATYPE_REAL_MODE_REGION) &&
 +          (grub_be_to_cpu64 (kds->src_address) == 0))
 +        {
 +          *highest = grub_min (*highest, grub_be_to_cpu64 (kds->num_bytes));
 +          break;
 +        }
 +    }
 +
 +  return 1;
 +}
 +
 /* Helper for grub_claim_heap on powerpc. */
 static int
 heap_size (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
@@ -207,7 +300,9 @@ static int
 heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
 	   void *data)
 {
 +  grub_uint64_t upper_mem_limit = ~0;
   grub_uint32_t total = *(grub_uint32_t *)data;
 +  int has_kernel_dump;
   if (type != GRUB_MEMORY_AVAILABLE)
     return 0;
@@ -243,6 +338,50 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
       len = 0;
     }
 +  has_kernel_dump = check_kernel_dump (&upper_mem_limit);
 +  if (has_kernel_dump)
 +    {
 +      grub_uint64_t lo_len = 0, hi_len = 0;
 +
 +      if (addr > upper_mem_limit || upper_mem_limit == (grub_uint64_t)~0)
 +        return 0;
 +
 +      /* limit len to stay below upper_mem_limit */
 +      if (addr < upper_mem_limit && (addr + len) > upper_mem_limit)
 +        {
 +           len = grub_min (len, upper_mem_limit - addr);
 +        }
 +
 +      /* We can allocate below 640MB or above 768MB.
 +       * Choose the bigger chunk below 640MB or above 768MB.
 +       */
 +      if (addr < 0x28000000)
 +        {
 +           lo_len = grub_min (len, 0x28000000 - addr);
 +        }
 +      if (addr + len > 0x30000000)
 +        {
 +           if (addr < 0x30000000)
 +             hi_len = len - (0x30000000 - addr);
 +           else
 +             hi_len = len;
 +        }
 +
 +      if (hi_len > lo_len)
 +        {
 +           len = hi_len;
 +           if (addr < 0x30000000)
 +             addr = 0x30000000;
 +        }
 +      else
 +        {
 +           len = lo_len;
 +        }
 +
 +      if (len == 0)
 +        return 0;
 +    }
 +
   /* If this block contains 0x30000000 (768MB), do not claim below that.
      Linux likes to claim memory at min(RMO top, 768MB) and works down
      without reference to /memory/available. */
--- a/SOURCES/0581-util-Enable-default-kernel-for-updates.patch
+++ b/SOURCES/0581-util-Enable-default-kernel-for-updates.patch
@ -1,34 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nicolas Frayer <nfrayer@redhat.com>
 Date: Wed, 24 May 2023 11:22:47 +0200
 Subject: [PATCH] util: Enable default kernel for updates
 Several kernel variants can be installed on a system in parallel.
 In order to allow the user to choose which kernel will be set to
 default after an update, re-enable grub's usage of DEFAULTKERNEL as
 set in /etc/sysconfig/kernel
 Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
 ---
 util/grub-get-kernel-settings.in | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/util/grub-get-kernel-settings.in b/util/grub-get-kernel-settings.in
 index 7e87dfccc0e4..f71bc64360b0 100644
 --- a/util/grub-get-kernel-settings.in
 +++ b/util/grub-get-kernel-settings.in
@@ -68,6 +68,14 @@ if test -f /etc/sysconfig/kernel ; then
     . /etc/sysconfig/kernel
 fi
 +GRUB_DEFAULT_KERNEL_TYPE=${DEFAULTKERNEL/-core/}
 +if [ "$GRUB_DEFAULT_KERNEL_TYPE" != "kernel" ]; then
 +    echo GRUB_NON_STANDARD_KERNEL=true
 +    echo export GRUB_NON_STANDARD_KERNEL
 +    GRUB_DEFAULT_KERNEL_TYPE=${GRUB_DEFAULT_KERNEL_TYPE/kernel-/}
 +fi
 +echo GRUB_DEFAULT_KERNEL_TYPE=$GRUB_DEFAULT_KERNEL_TYPE
 +echo export GRUB_DEFAULT_KERNEL_TYPE
 if [ "$MAKEDEBUG" = "yes" ]; then
     echo GRUB_LINUX_MAKE_DEBUG=true
     echo export GRUB_LINUX_MAKE_DEBUG
--- a/SOURCES/0582-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch
+++ b/SOURCES/0582-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch
@ -1,150 +0,0 @@
 From 9ca4c3fe1c7dbd62e8ad6a23cb1b1fda695fdb44 Mon Sep 17 00:00:00 2001
 From: Solar Designer <solar@openwall.com>
 Date: Tue, 6 Feb 2024 21:39:41 +0100
 Subject: [PATCH 1/3] grub-set-bootflag: Conservative partial fix for
 CVE-2024-1048
 Following up on CVE-2019-14865 and taking a fresh look at
 grub2-set-bootflag now (through my work at CIQ on Rocky Linux), I saw some
 other ways in which users could still abuse this little program:
 1. After CVE-2019-14865 fix, grub2-set-bootflag no longer rewrites the
 grubenv file in-place, but writes into a temporary file and renames it
 over the original, checking for error returns from each call first.
 This prevents the original file truncation vulnerability, but it can
 leave the temporary file around if the program is killed before it can
 rename or remove the file.  There are still many ways to get the program
 killed, such as through RLIMIT_FSIZE triggering SIGXFSZ (tested,
 reliable) or by careful timing (tricky) of signals sent by process group
 leader, pty, pre-scheduled timers, SIGXCPU (probably not an exhaustive
 list).  Invoking the program multiple times fills up /boot (or if /boot
 is not separate, then it can fill up the root filesystem).  Since the
 files are tiny, the filesystem is likely to run out of free inodes
 before it'd run out of blocks, but the effect is similar - can't create
 new files after this point (but still can add data to existing files,
 such as logs).
 2. After CVE-2019-14865 fix, grub2-set-bootflag naively tries to protect
 itself from signals by becoming full root.  (This does protect it from
 signals sent by the user directly to the PID, but e.g. "kill -9 -1" by
 the user still works.)  A side effect of such "protection" is that it's
 possible to invoke more concurrent instances of grub2-set-bootflag than
 the user's RLIMIT_NPROC would normally permit (as specified e.g. in
 /etc/security/limits.conf, or say in Apache httpd's RLimitNPROC if
 grub2-set-bootflag would be abused by a website script), thereby
 exhausting system resources (e.g., bypassing RAM usage limit if
 RLIMIT_AS was also set).
 3. umask is inherited.  Again, due to how the CVE-2019-14865 fix creates
 a new file, and due to how mkstemp() works, this affects grubenv's new
 file permissions.  Luckily, mkstemp() forces them to be no more relaxed
 than 0600, but the user ends up being able to set them e.g. to 0.
 Luckily, at least in my testing GRUB still works fine even when the file
 has such (lack of) permissions.
 This commit deals with the abuses above as follows:
 1. RLIMIT_FSIZE is pre-checked, so this specific way to get the process
 killed should no longer work.  However, this isn't a complete fix
 because there are other ways to get the process killed after it has
 created the temporary file.
 The commit also fixes bug 1975892 ("RFE: grub2-set-bootflag should not
 write the grubenv when the flag being written is already set") and
 similar for "menu_show_once", which further reduces the abuse potential.
 2. RLIMIT_NPROC bypass should be avoided by not becoming full root (aka
 dropping the partial "kill protection").
 3. A safe umask is set.
 This is a partial fix (temporary files can still accumulate, but this is
 harder to trigger).
 While at it, this commit also fixes potential 1- or 2-byte over-read of
 env[] if its content is malformed - this was not a security issue since the
 grubenv file is trusted input, and the fix is just for robustness.
 Signed-off-by: Solar Designer <solar@openwall.com>
 ---
 util/grub-set-bootflag.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
 diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
 index a85f11fceacb..5b932f76b6f4 100644
 --- a/util/grub-set-bootflag.c
 +++ b/util/grub-set-bootflag.c
@@ -32,6 +32,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 +#include <sys/stat.h>
 +#include <sys/resource.h>
 #define GRUBENV "/" GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME "/" GRUB_ENVBLK_DEFCFG
 #define GRUBENV_SIZE 1024
@@ -54,12 +56,17 @@ static void usage(void)
 int main(int argc, char *argv[])
 {
   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
 -  char env[GRUBENV_SIZE + 1], buf[64], *s;
 +  char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
   /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
   char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
   const char *bootflag;
   int i, fd, len, ret;
   FILE *f;
 +  struct rlimit rlim;
 +
 +  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
 +    return 1;
 +  umask(077);
   if (argc != 2)
     {
@@ -81,20 +88,11 @@ int main(int argc, char *argv[])
   len = strlen (bootflag);
   /*
 -   * Really become root. setuid avoids an user killing us, possibly leaking
 -   * the tmpfile. setgid avoids the new grubenv's gid being that of the user.
 +   * setegid avoids the new grubenv's gid being that of the user.
    */
 -  ret = setuid(0);
 -  if (ret)
 -    {
 -      perror ("Error setuid(0) failed");
 -      return 1;
 -    }
 -
 -  ret = setgid(0);
 -  if (ret)
 +  if (setegid(0))
     {
 -      perror ("Error setgid(0) failed");
 +      perror ("Error setegid(0) failed");
       return 1;
     }
@@ -123,6 +121,9 @@ int main(int argc, char *argv[])
   /* 0 terminate env */
   env[GRUBENV_SIZE] = 0;
 +  /* not a valid flag value */
 +  env[GRUBENV_SIZE + 1] = 0;
 +  env[GRUBENV_SIZE + 2] = 0;
   if (strncmp (env, GRUB_ENVBLK_SIGNATURE, strlen (GRUB_ENVBLK_SIGNATURE)))
     {
@@ -158,6 +159,8 @@ int main(int argc, char *argv[])
   /* The grubenv is not 0 terminated, so memcpy the name + '=' , '1', '\n' */
   snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
 +  if (!memcmp(s, buf, len + 3))
 +    return 0; /* nothing to do */
   memcpy(s, buf, len + 3);
 -- 
 2.43.0
--- a/SOURCES/0583-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch
+++ b/SOURCES/0583-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch
@ -1,187 +0,0 @@
 From f4c7783c2b695794938748a6567e86456ed2314a Mon Sep 17 00:00:00 2001
 From: Solar Designer <solar@openwall.com>
 Date: Tue, 6 Feb 2024 21:56:21 +0100
 Subject: [PATCH 2/3] grub-set-bootflag: More complete fix for CVE-2024-1048
 Switch to per-user fixed temporary filenames along with a weird locking
 mechanism, which is explained in source code comments.  This is a more
 complete fix than the previous commit (temporary files can't accumulate).
 Unfortunately, it introduces new risks (by working on a temporary file
 shared between the user's invocations), which are _hopefully_ avoided by
 the patch's elaborate logic.  I actually got it wrong at first, which
 suggests that this logic is hard to reason about, and more errors or
 omissions are possible.  It also relies on the kernel's primitives' exact
 semantics to a greater extent (nothing out of the ordinary, though).
 Remaining issues that I think cannot reasonably be fixed without a
 redesign (e.g., having per-flag files with nothing else in them) and
 without introducing new issues:
 A. A user can still revert a concurrent user's attempt of setting the
 other flag - or of making other changes to grubenv by means other than
 this program.
 B. One leftover temporary file per user is still possible.
 Signed-off-by: Solar Designer <solar@openwall.com>
 ---
 util/grub-set-bootflag.c | 87 ++++++++++++++++++++++++++++++++++------
 1 file changed, 75 insertions(+), 12 deletions(-)
 diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
 index 5b932f76b6f4..698b55a1ab93 100644
 --- a/util/grub-set-bootflag.c
 +++ b/util/grub-set-bootflag.c
@@ -32,6 +32,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 +#include <sys/file.h>
 #include <sys/stat.h>
 #include <sys/resource.h>
@@ -57,15 +58,12 @@ int main(int argc, char *argv[])
 {
   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
   char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
 -  /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
 -  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
 +  /* +1 for 0 termination, +11 for ".%u" in tmp filename */
 +  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 11 + 1];
   const char *bootflag;
   int i, fd, len, ret;
   FILE *f;
 -  struct rlimit rlim;
 -  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
 -    return 1;
   umask(077);
   if (argc != 2)
@@ -92,7 +90,7 @@ int main(int argc, char *argv[])
    */
   if (setegid(0))
     {
 -      perror ("Error setegid(0) failed");
 +      perror ("setegid(0) failed");
       return 1;
     }
@@ -163,19 +161,82 @@ int main(int argc, char *argv[])
     return 0; /* nothing to do */
   memcpy(s, buf, len + 3);
 +  struct rlimit rlim;
 +  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
 +    {
 +      fprintf (stderr, "Resource limits undetermined or too low\n");
 +      return 1;
 +    }
 +
 +  /*
 +   * Here we work under the premise that we shouldn't write into the target
 +   * file directly because we might not be able to have all of our changes
 +   * written completely and atomically.  That was CVE-2019-14865, known to
 +   * have been triggerable via RLIMIT_FSIZE.  While we've dealt with that
 +   * specific attack via the check above, there may be other possibilities.
 +   */
   /*
    * Create a tempfile for writing the new env.  Use the canonicalized filename
    * for the template so that the tmpfile is in the same dir / on same fs.
 +   *
 +   * We now use per-user fixed temporary filenames, so that a user cannot cause
 +   * multiple files to accumulate.
 +   *
 +   * We don't use O_EXCL so that a stale temporary file doesn't prevent further
 +   * usage of the program by the user.
    */
 -  snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename);
 -  fd = mkstemp(tmp_filename);
 +  snprintf(tmp_filename, sizeof(tmp_filename), "%s.%u", env_filename, getuid());
 +  fd = open(tmp_filename, O_CREAT | O_WRONLY, 0600);
   if (fd == -1)
     {
       perror ("Creating tmpfile failed");
       return 1;
     }
 +  /*
 +   * The lock prevents the same user from reaching further steps ending in
 +   * rename() concurrently, in which case the temporary file only partially
 +   * written by one invocation could be renamed to the target file by another.
 +   *
 +   * The lock also guards the slow fsync() from concurrent calls.  After the
 +   * first time that and the rename() complete, further invocations for the
 +   * same flag become no-ops.
 +   *
 +   * We lock the temporary file rather than the target file because locking the
 +   * latter would allow any user having SIGSTOP'ed their process to make all
 +   * other users' invocations fail (or lock up if we'd use blocking mode).
 +   *
 +   * We use non-blocking mode (LOCK_NB) because the lock having been taken by
 +   * another process implies that the other process would normally have already
 +   * renamed the file to target by the time it releases the lock (and we could
 +   * acquire it), so we'd be working directly on the target if we proceeded,
 +   * which is undesirable, and we'd kind of fail on the already-done rename.
 +   */
 +  if (flock(fd, LOCK_EX | LOCK_NB))
 +    {
 +      perror ("Locking tmpfile failed");
 +      return 1;
 +    }
 +
 +  /*
 +   * Deal with the potential that another invocation proceeded all the way to
 +   * rename() and process exit while we were between open() and flock().
 +   */
 +  {
 +    struct stat st1, st2;
 +    if (fstat(fd, &st1) || stat(tmp_filename, &st2))
 +      {
 +        perror ("stat of tmpfile failed");
 +        return 1;
 +      }
 +    if (st1.st_dev != st2.st_dev || st1.st_ino != st2.st_ino)
 +      {
 +        fprintf (stderr, "Another invocation won race\n");
 +        return 1;
 +      }
 +  }
 +
   f = fdopen (fd, "w");
   if (!f)
     {
@@ -200,23 +261,25 @@ int main(int argc, char *argv[])
       return 1;     
     }
 -  ret = fsync (fileno (f));
 +  ret = ftruncate (fileno (f), GRUBENV_SIZE);
   if (ret)
     {
 -      perror ("Error syncing tmpfile");
 +      perror ("Error truncating tmpfile");
       unlink(tmp_filename);
       return 1;
     }
 -  ret = fclose (f);
 +  ret = fsync (fileno (f));
   if (ret)
     {
 -      perror ("Error closing tmpfile");
 +      perror ("Error syncing tmpfile");
       unlink(tmp_filename);
       return 1;
     }
   /*
 +   * We must not close the file before rename() as that would remove the lock.
 +   *
    * And finally rename the tmpfile with the new env over the old env, the
    * linux kernel guarantees that this is atomic (from a syscall pov).
    */
 -- 
 2.43.0
--- a/SOURCES/0584-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch
+++ b/SOURCES/0584-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch
@ -1,39 +0,0 @@
 From a7192a650c1e94221a86b49f5132fb47a4dda6ea Mon Sep 17 00:00:00 2001
 From: Solar Designer <solar@openwall.com>
 Date: Tue, 6 Feb 2024 22:05:45 +0100
 Subject: [PATCH 3/3] grub-set-bootflag: Exit calmly when not running as root
 Exit calmly when not installed SUID root and invoked by non-root.  This
 allows installing user/grub-boot-success.service unconditionally while
 supporting non-SUID installation of the program for some limited usage.
 Signed-off-by: Solar Designer <solar@openwall.com>
 ---
 util/grub-set-bootflag.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
 index 698b55a1ab93..a51805fa8cec 100644
 --- a/util/grub-set-bootflag.c
 +++ b/util/grub-set-bootflag.c
@@ -85,6 +85,17 @@ int main(int argc, char *argv[])
   bootflag = bootflags[i];
   len = strlen (bootflag);
 +  /*
 +   * Exit calmly when not installed SUID root and invoked by non-root.  This
 +   * allows installing user/grub-boot-success.service unconditionally while
 +   * supporting non-SUID installation of the program for some limited usage.
 +   */
 +  if (geteuid())
 +    {
 +      printf ("grub-set-bootflag not running as root, no action taken\n");
 +      return 0;
 +    }
 +
   /*
    * setegid avoids the new grubenv's gid being that of the user.
    */
 -- 
 2.43.0
--- a/SOURCES/0585-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
+++ b/SOURCES/0585-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
@ -1,93 +0,0 @@
 From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
 From: Maxim Suhanov <dfirblog@gmail.com>
 Date: Mon, 28 Aug 2023 16:31:57 +0300
 Subject: [PATCH 1/6] fs/ntfs: Fix an OOB write when parsing the
 $ATTRIBUTE_LIST attribute for the $MFT file
 When parsing an extremely fragmented $MFT file, i.e., the file described
 using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
 containing bytes read from the underlying drive to store sector numbers,
 which are consumed later to read data from these sectors into another buffer.
 These sectors numbers, two 32-bit integers, are always stored at predefined
 offsets, 0x10 and 0x14, relative to first byte of the selected entry within
 the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
 However, when parsing a specially-crafted file system image, this may cause
 the NTFS code to write these integers beyond the buffer boundary, likely
 causing the GRUB memory allocator to misbehave or fail. These integers contain
 values which are controlled by on-disk structures of the NTFS file system.
 Such modification and resulting misbehavior may touch a memory range not
 assigned to the GRUB and owned by firmware or another EFI application/driver.
 This fix introduces checks to ensure that these sector numbers are never
 written beyond the boundary.
 Fixes: CVE-2023-4692
 Reported-by: Maxim Suhanov <dfirblog@gmail.com>
 Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
 grub-core/fs/ntfs.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
 diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
 index bbdbe24ada83..c3c4db117bba 100644
 --- a/grub-core/fs/ntfs.c
 +++ b/grub-core/fs/ntfs.c
@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
     }
   if (at->attr_end)
     {
 -      grub_uint8_t *pa;
 +      grub_uint8_t *pa, *pa_end;
       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
       if (at->emft_buf == NULL)
@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 	    }
 	  at->attr_nxt = at->edat_buf;
 	  at->attr_end = at->edat_buf + u32at (pa, 0x30);
 +	  pa_end = at->edat_buf + n;
 	}
       else
 	{
 	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
 	  at->attr_end = at->attr_end + u32at (pa, 4);
 +	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
 	}
       at->flags |= GRUB_NTFS_AF_ALST;
       while (at->attr_nxt < at->attr_end)
@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 	  at->flags |= GRUB_NTFS_AF_GPOS;
 	  at->attr_cur = at->attr_nxt;
 	  pa = at->attr_cur;
 +
 +	  if ((pa >= pa_end) || (pa_end - pa < 0x18))
 +	    {
 +	      grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
 +	      return NULL;
 +	    }
 +
 	  grub_set_unaligned32 ((char *) pa + 0x10,
 				grub_cpu_to_le32 (at->mft->data->mft_start));
 	  grub_set_unaligned32 ((char *) pa + 0x14,
@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 	    {
 	      if (*pa != attr)
 		break;
 +
 +              if ((pa >= pa_end) || (pa_end - pa < 0x18))
 +                {
 +	          grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
 +	          return NULL;
 +	        }
 +
 	      if (read_attr
 		  (at, pa + 0x10,
 		   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
 -- 
 2.43.0
--- a/SOURCES/0586-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
+++ b/SOURCES/0586-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
@ -1,58 +0,0 @@
 From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
 From: Maxim Suhanov <dfirblog@gmail.com>
 Date: Mon, 28 Aug 2023 16:32:33 +0300
 Subject: [PATCH 2/6] fs/ntfs: Fix an OOB read when reading data from the
 resident $DATA attribute
 When reading a file containing resident data, i.e., the file data is stored in
 the $DATA attribute within the NTFS file record, not in external clusters,
 there are no checks that this resident data actually fits the corresponding
 file record segment.
 When parsing a specially-crafted file system image, the current NTFS code will
 read the file data from an arbitrary, attacker-chosen memory offset and of
 arbitrary, attacker-chosen length.
 This allows an attacker to display arbitrary chunks of memory, which could
 contain sensitive information like password hashes or even plain-text,
 obfuscated passwords from BS EFI variables.
 This fix implements a check to ensure that resident data is read from the
 corresponding file record segment only.
 Fixes: CVE-2023-4693
 Reported-by: Maxim Suhanov <dfirblog@gmail.com>
 Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
 grub-core/fs/ntfs.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
 diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
 index c3c4db117bba..a68e173d8285 100644
 --- a/grub-core/fs/ntfs.c
 +++ b/grub-core/fs/ntfs.c
@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
     {
       if (ofs + len > u32at (pa, 0x10))
 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
 -      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
 +
 +      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
 +
 +      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
 +
 +      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
 +	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
 +	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
 +
 +      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
       return 0;
     }
 -- 
 2.43.0
--- a/SOURCES/0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
+++ b/SOURCES/0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
@ -1,73 +0,0 @@
 From 7e5f031a6a6a3decc2360a7b0c71abbe598e7354 Mon Sep 17 00:00:00 2001
 From: Maxim Suhanov <dfirblog@gmail.com>
 Date: Mon, 28 Aug 2023 16:33:17 +0300
 Subject: [PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries
 from resident and non-resident index attributes
 This fix introduces checks to ensure that index entries are never read
 beyond the corresponding directory index.
 The lack of this check is a minor issue, likely not exploitable in any way.
 Reported-by: Maxim Suhanov <dfirblog@gmail.com>
 Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
 grub-core/fs/ntfs.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
 diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
 index a68e173d8285..2d78b96e19fb 100644
 --- a/grub-core/fs/ntfs.c
 +++ b/grub-core/fs/ntfs.c
@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
 }
 static int
 -list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
 +list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos,
 	   grub_fshelp_iterate_dir_hook_t hook, void *hook_data)
 {
   grub_uint8_t *np;
@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
       grub_uint8_t namespace;
       char *ustr;
 +      if ((pos >= end_pos) || (end_pos - pos < 0x52))
 +        break;
 +
       if (pos[0xC] & 2)		/* end signature */
 	break;
@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
       ns = *(np++);
       namespace = *(np++);
 +      if (2 * ns > end_pos - pos - 0x52)
 +        break;
 +
       /*
        *  Ignore files in DOS namespace, as they will reappear as Win32
        *  names.
@@ -806,7 +812,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
     }
   cur_pos += 0x10;		/* Skip index root */
 -  ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data);
 +  ret = list_file (mft, cur_pos + u16at (cur_pos, 0),
 +                   at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
 +                   hook, hook_data);
   if (ret)
     goto done;
@@ -893,6 +901,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 			     (const grub_uint8_t *) "INDX")))
 		goto done;
 	      ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)],
 +			       indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR),
 			       hook, hook_data);
 	      if (ret)
 		goto done;
 -- 
 2.43.0
--- a/SOURCES/0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
+++ b/SOURCES/0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
@ -1,51 +0,0 @@
 From 7a5a116739fa6d8a625da7d6b9272c9a2462f967 Mon Sep 17 00:00:00 2001
 From: Maxim Suhanov <dfirblog@gmail.com>
 Date: Mon, 28 Aug 2023 16:33:44 +0300
 Subject: [PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for index
 attributes
 This fix introduces checks to ensure that bitmaps for directory indices
 are never read beyond their actual sizes.
 The lack of this check is a minor issue, likely not exploitable in any way.
 Reported-by: Maxim Suhanov <dfirblog@gmail.com>
 Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
 grub-core/fs/ntfs.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
 index 2d78b96e19fb..bb70c89fb803 100644
 --- a/grub-core/fs/ntfs.c
 +++ b/grub-core/fs/ntfs.c
@@ -843,6 +843,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 	  if (is_resident)
 	    {
 +              if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +		{
 +		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large");
 +		  goto done;
 +		}
 +
 +              if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +		{
 +		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
 +		  goto done;
 +		}
 +
 +              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
 +		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
 +		{
 +		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
 +		  goto done;
 +		}
 +
               grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
                            bitmap_len);
 	    }
 -- 
 2.43.0
--- a/SOURCES/0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
+++ b/SOURCES/0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
@ -1,61 +0,0 @@
 From 1fe82c41e070385e273d7bb1cfb482627a3c28e8 Mon Sep 17 00:00:00 2001
 From: Maxim Suhanov <dfirblog@gmail.com>
 Date: Mon, 28 Aug 2023 16:38:19 +0300
 Subject: [PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label
 This fix introduces checks to ensure that an NTFS volume label is always
 read from the corresponding file record segment.
 The current NTFS code allows the volume label string to be read from an
 arbitrary, attacker-chosen memory location. However, the bytes read are
 always treated as UTF-16LE. So, the final string displayed is mostly
 unreadable and it can't be easily converted back to raw bytes.
 The lack of this check is a minor issue, likely not causing a significant
 data leak.
 Reported-by: Maxim Suhanov <dfirblog@gmail.com>
 Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
 grub-core/fs/ntfs.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
 diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
 index bb70c89fb803..ff5e3740f0dd 100644
 --- a/grub-core/fs/ntfs.c
 +++ b/grub-core/fs/ntfs.c
@@ -1213,13 +1213,29 @@ grub_ntfs_label (grub_device_t device, char **label)
   init_attr (&mft->attr, mft);
   pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME);
 +
 +  if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +    {
 +      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
 +      goto fail;
 +    }
 +
 +  if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16)
 +    {
 +      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
 +      goto fail;
 +    }
 +
   if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
     {
       int len;
       len = u32at (pa, 0x10) / 2;
       pa += u16at (pa, 0x14);
 -      *label = get_utf8 (pa, len);
 +      if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
 +        *label = get_utf8 (pa, len);
 +      else
 +        grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
     }
 fail:
 -- 
 2.43.0
--- a/SOURCES/0590-fs-ntfs-Make-code-more-readable.patch
+++ b/SOURCES/0590-fs-ntfs-Make-code-more-readable.patch
@ -1,159 +0,0 @@
 From e58b870ff926415e23fc386af41ff81b2f588763 Mon Sep 17 00:00:00 2001
 From: Maxim Suhanov <dfirblog@gmail.com>
 Date: Mon, 28 Aug 2023 16:40:07 +0300
 Subject: [PATCH 6/6] fs/ntfs: Make code more readable
 Move some calls used to access NTFS attribute header fields into
 functions with human-readable names.
 Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
 Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
 grub-core/fs/ntfs.c | 48 +++++++++++++++++++++++++++++++--------------
 1 file changed, 33 insertions(+), 15 deletions(-)
 diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
 index ff5e3740f0dd..de435aa14d85 100644
 --- a/grub-core/fs/ntfs.c
 +++ b/grub-core/fs/ntfs.c
@@ -52,6 +52,24 @@ u64at (void *ptr, grub_size_t ofs)
   return grub_le_to_cpu64 (grub_get_unaligned64 ((char *) ptr + ofs));
 }
 +static grub_uint16_t
 +first_attr_off (void *mft_buf_ptr)
 +{
 +  return u16at (mft_buf_ptr, 0x14);
 +}
 +
 +static grub_uint16_t
 +res_attr_data_off (void *res_attr_ptr)
 +{
 +  return u16at (res_attr_ptr, 0x14);
 +}
 +
 +static grub_uint32_t
 +res_attr_data_len (void *res_attr_ptr)
 +{
 +  return u32at (res_attr_ptr, 0x10);
 +}
 +
 grub_ntfscomp_func_t grub_ntfscomp_func;
 static grub_err_t
@@ -106,7 +124,7 @@ init_attr (struct grub_ntfs_attr *at, struct grub_ntfs_file *mft)
 {
   at->mft = mft;
   at->flags = (mft == &mft->data->mmft) ? GRUB_NTFS_AF_MMFT : 0;
 -  at->attr_nxt = mft->buf + u16at (mft->buf, 0x14);
 +  at->attr_nxt = mft->buf + first_attr_off (mft->buf);
   at->attr_end = at->emft_buf = at->edat_buf = at->sbuf = NULL;
 }
@@ -154,7 +172,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 		    return NULL;
 		}
 -	      new_pos = &at->emft_buf[u16at (at->emft_buf, 0x14)];
 +	      new_pos = &at->emft_buf[first_attr_off (at->emft_buf)];
 	      while (*new_pos != 0xFF)
 		{
 		  if ((*new_pos == *at->attr_cur)
@@ -213,7 +231,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
 	}
       else
 	{
 -	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
 +	  at->attr_nxt = at->attr_end + res_attr_data_off (pa);
 	  at->attr_end = at->attr_end + u32at (pa, 4);
 	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
 	}
@@ -399,20 +417,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
   if (pa[8] == 0)
     {
 -      if (ofs + len > u32at (pa, 0x10))
 +      if (ofs + len > res_attr_data_len (pa))
 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
 -      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 +      if (res_attr_data_len (pa) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
       if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
 -      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
 +      if (res_attr_data_off (pa) + res_attr_data_len (pa) >
 	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
 -      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
 +      grub_memcpy (dest, pa + res_attr_data_off (pa) + ofs, len);
       return 0;
     }
@@ -556,7 +574,7 @@ init_file (struct grub_ntfs_file *mft, grub_uint64_t mftno)
 			   (unsigned long long) mftno);
       if (!pa[8])
 -	mft->size = u32at (pa, 0x10);
 +	mft->size = res_attr_data_len (pa);
       else
 	mft->size = u64at (pa, 0x30);
@@ -805,7 +823,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 	  (u32at (cur_pos, 0x18) != 0x490024) ||
 	  (u32at (cur_pos, 0x1C) != 0x300033))
 	continue;
 -      cur_pos += u16at (cur_pos, 0x14);
 +      cur_pos += res_attr_data_off (cur_pos);
       if (*cur_pos != 0x30)	/* Not filename index */
 	continue;
       break;
@@ -834,7 +852,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 	{
           int is_resident = (cur_pos[8] == 0);
 -          bitmap_len = ((is_resident) ? u32at (cur_pos, 0x10) :
 +          bitmap_len = ((is_resident) ? res_attr_data_len (cur_pos) :
                         u32at (cur_pos, 0x28));
           bmp = grub_malloc (bitmap_len);
@@ -855,14 +873,14 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
 		  goto done;
 		}
 -              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
 +              if (res_attr_data_off (cur_pos) + res_attr_data_len (cur_pos) >
 		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
 		{
 		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
 		  goto done;
 		}
 -              grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
 +              grub_memcpy (bmp, cur_pos + res_attr_data_off (cur_pos),
                            bitmap_len);
 	    }
           else
@@ -1226,12 +1244,12 @@ grub_ntfs_label (grub_device_t device, char **label)
       goto fail;
     }
 -  if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
 +  if ((pa) && (pa[8] == 0) && (res_attr_data_len (pa)))
     {
       int len;
 -      len = u32at (pa, 0x10) / 2;
 -      pa += u16at (pa, 0x14);
 +      len = res_attr_data_len (pa) / 2;
 +      pa += res_attr_data_off (pa);
       if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
         *label = get_utf8 (pa, len);
       else
 -- 
 2.43.0
--- a/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
+++ b/SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
@ -1,27 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Leo Sandoval <lsandova@redhat.com>
 Date: Thu, 19 Sep 2024 10:15:13 -0600
 Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
 Stricker permissions are required on the grub.cfg file, resulting in
 at most 0600 owner's file permissions. This resolves conflicting
 requirement permissions on grub2-pc package's grub2.cfg file.
 Signed-off-by: Leo Sandoval <lsandova@redhat.com>
 ---
 util/grub-mkconfig.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
 index a1c00776d..573004915 100644
 --- a/util/grub-mkconfig.in
 +++ b/util/grub-mkconfig.in
@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
     exit 1
   else
     # none of the children aborted with error, install the new grub.cfg
 -    oldumask=$(umask); umask 077
 +    oldumask=$(umask); umask 177
     cat ${grub_cfg}.new > ${grub_cfg}
     umask $oldumask
     rm -f ${grub_cfg}.new
--- a/SOURCES/20-grub.install
+++ b/SOURCES/20-grub.install
@ -90,10 +90,13 @@ case "$COMMAND" in
            [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
            BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
            BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
-            mkbls "${KERNEL_VERSION}" \
+            if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
-                "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
+                cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
-                >"${BLS_TARGET}"
+            else
-            command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"
+                mkbls "${KERNEL_VERSION}" \
                    "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
                    >"${BLS_TARGET}"
            fi
            LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
            INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"
@ -106,11 +109,7 @@ case "$COMMAND" in
                sed -i -e "s,^initrd.*,initrd ${BOOTPREFIX}${INITRD},g" "${BLS_TARGET}"
            fi
-            if ( [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && \
+            if [[ "$KERNEL_VERSION" == *\+* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ]; then
                     [ "x$GRUB_NON_STANDARD_KERNEL" == "xtrue" ] ) || \
                   ( echo "$KERNEL_VERSION" | grep -E -q "64k|auto|rt|uki" && \
                    	[ "x$GRUB_NON_STANDARD_KERNEL" != "xtrue" ] ) || \
                   ( [[ "$KERNEL_VERSION" == *debug* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ] ); then
                GRUB_UPDATE_DEFAULT_KERNEL=false
            fi
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@ -589,15 +589,14 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch grub.cfg							\
+touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
 install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/	\
 %{nil}
 %define define_legacy_variant_files()				\
 %{expand:%%files %{1}}						\
 %defattr(-,root,root,-)						\
 %config(noreplace) %{_sysconfdir}/%{name}.cfg			\
-%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
+%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ifarch ppc64le						\
 %dir %{_libdir}/grub/%{2}/					\
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@ -552,40 +552,3 @@ Patch0551: 0551-nx-set-page-permissions-for-loaded-modules.patch
 Patch0552: 0552-nx-set-attrs-in-our-kernel-loaders.patch
 Patch0553: 0553-nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch
 Patch0554: 0554-Fixup-grub_efi_get_variable-type-in-our-loaders.patch
 Patch0555: 0555-Make-debug-file-show-which-file-filters-get-run.patch
 Patch0556: 0556-efi-use-enumerated-array-positions-for-our-allocatio.patch
 Patch0557: 0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch
 Patch0558: 0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch
 Patch0559: 0559-ieee1275-implement-vec5-for-cas-negotiation.patch
 Patch0560: 0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch
 Patch0561: 0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch
 Patch0562: 0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
 Patch0563: 0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
 Patch0564: 0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch
 Patch0565: 0565-font-Remove-grub_font_dup_glyph.patch
 Patch0566: 0566-font-Fix-integer-overflow-in-ensure_comb_space.patch
 Patch0567: 0567-font-Fix-integer-overflow-in-BMP-index.patch
 Patch0568: 0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch
 Patch0569: 0569-fbutil-Fix-integer-overflow.patch
 Patch0570: 0570-font-Fix-an-integer-underflow-in-blit_comb.patch
 Patch0571: 0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
 Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
 Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
 Patch0574: 0574-Enable-TDX-measurement-to-RTMR-register.patch
 Patch0575: 0575-Enable-shared-processor-mode-in-vector-5.patch
 Patch0576: 0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch
 Patch0577: 0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch
 Patch0578: 0578-ieee1275-extended-support-in-options-vector5.patch
 Patch0579: 0579-Regenerate-kernelopts-if-missing-on-ppc.patch
 Patch0580: 0580-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch
 Patch0581: 0581-util-Enable-default-kernel-for-updates.patch
 Patch0582: 0582-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch
 Patch0583: 0583-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch
 Patch0584: 0584-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch
 Patch0585: 0585-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
 Patch0586: 0586-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
 Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
 Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
 Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
 Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot502.cer
+++ b/SOURCES/redhatsecureboot502.cer
--- a/SOURCES/redhatsecureboot601.cer
+++ b/SOURCES/redhatsecureboot601.cer
--- a/SOURCES/redhatsecureboot701.cer
+++ b/SOURCES/redhatsecureboot701.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SOURCES/sbat.csv.in
+++ b/SOURCES/sbat.csv.in
@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
+grub,2,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
 grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	158%{?dist}
+Release:	138%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@ -310,19 +310,6 @@ if [ "$1" = 2 ]; then
 	/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
 fi
 %posttrans common
 set -eu
 GRUB_HOME=/boot/%{name}
 if test  -f ${GRUB_HOME}/grub.cfg; then
    # make sure GRUB_HOME/grub.cfg has 600 permissions
    GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
    if ! test "${GRUB_CFG_MODE}" = "600"; then
        chmod 0600 ${GRUB_HOME}/grub.cfg
    fi
 fi
 %triggerun -- grub2 < 1:1.99-4
 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
 # from the affected grub2 packages, we first back up the files in triggerun and
@ -523,128 +510,48 @@ fi
 %endif
 %changelog
-* Thu Sep 19 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-158
+* Wed Jul 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-138
 - grub-mkconfig.in: turn off executable owner bit
 - Resolves: #RHEL-58835
 * Wed Aug 14 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-157
 - 20-grub-install: fix SELinux security type context for BLS
 - Resolves: #RHEL-4395
 * Tue Feb 20 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-156
 - fs/ntfs: OOB write fix
 - (CVE-2023-4692)
 - Resolves: #RHEL-11566
 * Thu Feb 8 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-155
 - grub-set-bootflag: Fix for CVE-2024-1048
 - (CVE-2024-1048)
 - Resolves: #RHEL-20746
 * Mon Nov 27 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-154
 - Missing install script for previous commit
 - Related: #RHEL-4343
 * Fri Nov 24 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-153
 - util: Enable default kernel for updates
 - Resolves: #RHEL-4343
 * Fri Oct 20 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-152
 - kern/ieee1275/init: ppc64: Restrict high memory in presence
  of fadump
 - Resolves: #RHEL-14283
 * Mon Aug 28 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-151
 - util: Regenerate kernelopts if missing on ppc
 - Resolves: #2051889
 * Fri Jun 16 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-150
 - kern/ieee1275/init: sync vec5 patchset with upstream
 - Resolves: #2172111
 * Wed Jun 14 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-149
 - efi/http: change uint32_t to uintn_t for grub_efi_http_message_t
 - Resolves: #2178388
 * Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-148
 - ppc64le: cas5, take 3
 - Resolves: #2139508
 * Tue Jan 10 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-147
 - Enable TDX measurement to RTMR register
 - Resolves: #1981485
 * Wed Dec 14 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-146
 - ppc64le: fix lpar cas5
 - Resolves: #2139508
 * Tue Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.02-145
 - Font CVE fixes
 - Resolves: CVE-2022-2601
 * Tue Oct 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-144
 - blscfg: don't assume newline at end of cfg
 - Resolves: #2121132
 * Wed Oct 12 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-143
 - x86-efi: Fix an incorrect array size in kernel allocation
 - Also merge with 8.7
 - Resolves: #2031288
 * Thu Aug 25 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-141
 - Implement vec5 for cas negotiation
 - Resolves: #2117914
 * Wed Aug 24 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-140
 - Or two, because I forgot the debug patch
 - Resolves: #2118896
 * Thu Aug 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-139
 - Kernel allocator fixups (in one pass)
 - Resolves: #2118896
 * Wed Jul 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-138
 - Rotate signing keys on ppc64le
 - Resolves: #2074762
-* Fri Jun 03 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-137
+* Fri Jun 03 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-137
 - CVE fixes for 2022-06-07
 - CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
 - CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
 - Resolves: #2070687
-* Mon May 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-129
+* Mon May 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-129
 - ppc64le: Slow boot after LPM
 - Resolves: #2070347
-* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-127
+* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-127
 - ppc64le: CAS improvements, prefix detection, and vTPM support
 - Resolves: #2076795
 - Resolves: #2026568
 - Resolves: #2051331
-* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-126
+* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-126
 - Fix rpm verification error on grub.cfg permissions
 - Resolves: #2071643
-* Wed Apr 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-125
+* Wed Apr 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-125
 - RHEL 8.6.0 import; no code changes
 - Resolves: #2062892
-* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-123
+* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-123
 - Bump for signing
-* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-122
+* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-122
 - Fix initialization on efidisk patch
-* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-121
+* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-121
 - Backport support for loading initrd above 4GB
-* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-120
+* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-120
 - Bump signing
 - Resolves: #2032294
-* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-119
+* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-119
 - Enable connectefi module
 - Resolves: #2032294