.gitignore

@@ -1,3 +1,9 @@
 SOURCES/grub-2.02.tar.xz
+SOURCES/redhatsecureboot301.cer
+SOURCES/redhatsecureboot502.cer
+SOURCES/redhatsecureboot601.cer
+SOURCES/redhatsecureboot701.cer
+SOURCES/redhatsecurebootca3.cer
+SOURCES/redhatsecurebootca5.cer
 SOURCES/theme.tar.bz2
-SOURCES/unifont-5.1.20080820.pcf.gz
+SOURCES/unifont-5.1.20080820.pcf.gz

.grub2.metadata

@@ -1,3 +1,9 @@
 3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
+4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
+3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer
+039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer
+e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer
+cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
 cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
 87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz

SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch

@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 29 Jul 2022 15:56:00 -0400
+Subject: [PATCH] Make debug=file show which file filters get run.
+
+If one of the file filters breaks things, it's hard to figure out where
+it has happened.
+
+This makes grub log which filter is being run, which makes it easier to
+figure out where you are in the sequence of events.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit d3d6518a13b5440a3be6c66b0ae47447182f2891)
+(cherry picked from commit d197e70761b1383827e9008e21ee41c6c7015776)
+---
+ grub-core/kern/file.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index f062fc21e7..5e1f29d0dd 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -30,6 +30,14 @@ void (*EXPORT_VAR (grub_grubnet_fini)) (void);
+ 
+ grub_file_filter_t grub_file_filters[GRUB_FILE_FILTER_MAX];
+ 
++static char *filter_names[] = {
++    [GRUB_FILE_FILTER_VERIFY] = "GRUB_FILE_FILTER_VERIFY",
++    [GRUB_FILE_FILTER_GZIO] = "GRUB_FILE_FILTER_GZIO",
++    [GRUB_FILE_FILTER_XZIO] = "GRUB_FILE_FILTER_XZIO",
++    [GRUB_FILE_FILTER_LZOPIO] = "GRUB_FILE_FILTER_LZOPIO",
++    [GRUB_FILE_FILTER_MAX] = "GRUB_FILE_FILTER_MAX"
++};
++
+ /* Get the device part of the filename NAME. It is enclosed by parentheses.  */
+ char *
+ grub_file_get_device_name (const char *name)
+@@ -121,6 +129,9 @@ grub_file_open (const char *name, enum grub_file_type type)
+     if (grub_file_filters[filter])
+       {
+ 	last_file = file;
++	if (filter < GRUB_FILE_FILTER_MAX)
++	  grub_dprintf ("file", "Running %s file filter\n",
++			filter_names[filter]);
+ 	file = grub_file_filters[filter] (file, type);
+ 	if (file && file != last_file)
+ 	  {

SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch

@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 1 Aug 2022 14:06:30 -0400
+Subject: [PATCH] efi: use enumerated array positions for our allocation
+ choices
+
+In our kernel allocator on EFI systems, we currently have a growing
+amount of code that references the various allocation policies by
+position in the array, and of course maintenance of this code scales
+very poorly.
+
+This patch changes them to be enumerated, so they're easier to refer to
+farther along in the code without confusion.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 6768026270cca015d7fef0ecc8a4119e9b3d3923)
+(cherry picked from commit 50b2ca3274b6950393a4ffc7edde04a1a3de594e)
+---
+ grub-core/loader/i386/efi/linux.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index d80d6ec312..23b27f6507 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -60,17 +60,26 @@ struct allocation_choice {
+     grub_efi_allocate_type_t alloc_type;
+ };
+ 
+-static struct allocation_choice max_addresses[4] =
++enum {
++    KERNEL_PREF_ADDRESS,
++    KERNEL_4G_LIMIT,
++    KERNEL_NO_LIMIT,
++};
++
++static struct allocation_choice max_addresses[] =
+   {
+     /* the kernel overrides this one with pref_address and
+      * GRUB_EFI_ALLOCATE_ADDRESS */
+-    { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++    [KERNEL_PREF_ADDRESS] =
++      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++    /* If the flag in params is set, this one gets changed to be above 4GB. */
++    [KERNEL_4G_LIMIT] =
++      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+     /* this one is always below 4GB, which we still *prefer* even if the flag
+      * is set. */
+-    { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+-    /* If the flag in params is set, this one gets changed to be above 4GB. */
+-    { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+-    { 0, 0 }
++    [KERNEL_NO_LIMIT] =
++      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++    { NO_MEM, 0, 0 }
+   };
+ static struct allocation_choice saved_addresses[4];
+ 
+@@ -423,7 +432,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   if (lh->xloadflags & LINUX_XLF_CAN_BE_LOADED_ABOVE_4G)
+     {
+       grub_dprintf ("linux", "Loading kernel above 4GB is supported; enabling.\n");
+-      max_addresses[2].addr = GRUB_EFI_MAX_USABLE_ADDRESS;
++      max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_USABLE_ADDRESS;
+     }
+   else
+     {
+@@ -495,11 +504,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   grub_dprintf ("linux", "lh->pref_address: %p\n", (void *)(grub_addr_t)lh->pref_address);
+   if (lh->pref_address < (grub_uint64_t)GRUB_EFI_MAX_ALLOCATION_ADDRESS)
+     {
+-      max_addresses[0].addr = lh->pref_address;
+-      max_addresses[0].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
++      max_addresses[KERNEL_PREF_ADDRESS].addr = lh->pref_address;
++      max_addresses[KERNEL_PREF_ADDRESS].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
+     }
+-  max_addresses[1].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+-  max_addresses[2].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
++  max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
++  max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+   kernel_size = lh->init_size;
+   kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE,
+ 			     N_("can't allocate kernel"));

SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch

@@ -0,0 +1,129 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 1 Aug 2022 14:24:39 -0400
+Subject: [PATCH] efi: split allocation policy for kernel vs initrd memories.
+
+Currently in our kernel allocator, we use the same set of choices for
+all of our various kernel and initramfs allocations, though they do not
+have exactly the same constraints.
+
+This patch adds the concept of an allocation purpose, which currently
+can be KERNEL_MEM or INITRD_MEM, and updates kernel_alloc() calls
+appropriately, but does not change any current policy decision.  It
+also adds a few debug prints.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 36307bed28cd838116fc4af26a30719660d62d4c)
+(cherry picked from commit dc1196350b0cbe89582832f44df0fce67e0c9fb2)
+---
+ grub-core/loader/i386/efi/linux.c | 35 +++++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 23b27f6507..09e7596064 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -55,7 +55,14 @@ struct grub_linuxefi_context {
+ 
+ #define BYTES_TO_PAGES(bytes)   (((bytes) + 0xfff) >> 12)
+ 
++typedef enum {
++    NO_MEM,
++    KERNEL_MEM,
++    INITRD_MEM,
++} kernel_alloc_purpose_t;
++
+ struct allocation_choice {
++    kernel_alloc_purpose_t purpose;
+     grub_efi_physical_address_t addr;
+     grub_efi_allocate_type_t alloc_type;
+ };
+@@ -64,6 +71,7 @@ enum {
+     KERNEL_PREF_ADDRESS,
+     KERNEL_4G_LIMIT,
+     KERNEL_NO_LIMIT,
++    INITRD_MAX_ADDRESS,
+ };
+ 
+ static struct allocation_choice max_addresses[] =
+@@ -71,14 +79,17 @@ static struct allocation_choice max_addresses[] =
+     /* the kernel overrides this one with pref_address and
+      * GRUB_EFI_ALLOCATE_ADDRESS */
+     [KERNEL_PREF_ADDRESS] =
+-      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++      { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+     /* If the flag in params is set, this one gets changed to be above 4GB. */
+     [KERNEL_4G_LIMIT] =
+-      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++      { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+     /* this one is always below 4GB, which we still *prefer* even if the flag
+      * is set. */
+     [KERNEL_NO_LIMIT] =
+-      { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++      { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++    /* this is for the initrd */
++    [INITRD_MAX_ADDRESS] =
++      { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+     { NO_MEM, 0, 0 }
+   };
+ static struct allocation_choice saved_addresses[4];
+@@ -95,7 +106,8 @@ kernel_free(void *addr, grub_efi_uintn_t size)
+ }
+ 
+ static void *
+-kernel_alloc(grub_efi_uintn_t size,
++kernel_alloc(kernel_alloc_purpose_t purpose,
++	     grub_efi_uintn_t size,
+ 	     grub_efi_memory_type_t memtype,
+ 	     const char * const errmsg)
+ {
+@@ -108,6 +120,9 @@ kernel_alloc(grub_efi_uintn_t size,
+       grub_uint64_t max = max_addresses[i].addr;
+       grub_efi_uintn_t pages;
+ 
++      if (purpose != max_addresses[i].purpose)
++	continue;
++
+       /*
+        * When we're *not* loading the kernel, or >4GB allocations aren't
+        * supported, these entries are basically all the same, so don't re-try
+@@ -262,7 +277,8 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[])
+ 	}
+     }
+ 
+-  initrd_mem = kernel_alloc(size, GRUB_EFI_RUNTIME_SERVICES_DATA,
++  grub_dprintf ("linux", "Trying to allocate initrd mem\n");
++  initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA,
+ 			    N_("can't allocate initrd"));
+   if (initrd_mem == NULL)
+     goto fail;
+@@ -440,7 +456,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+     }
+ #endif
+ 
+-  params = kernel_alloc (sizeof(*params), GRUB_EFI_RUNTIME_SERVICES_DATA,
++  params = kernel_alloc (KERNEL_MEM, sizeof(*params),
++			 GRUB_EFI_RUNTIME_SERVICES_DATA,
+ 			 "cannot allocate kernel parameters");
+   if (!params)
+     goto fail;
+@@ -462,7 +479,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   grub_dprintf ("linux", "new lh is at %p\n", lh);
+ 
+   grub_dprintf ("linux", "setting up cmdline\n");
+-  cmdline = kernel_alloc (lh->cmdline_size + 1,
++  cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1,
+ 			  GRUB_EFI_RUNTIME_SERVICES_DATA,
+ 			  N_("can't allocate cmdline"));
+   if (!cmdline)
+@@ -510,7 +527,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+   max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+   kernel_size = lh->init_size;
+-  kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE,
++  grub_dprintf ("linux", "Trying to allocate kernel mem\n");
++  kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size,
++			     GRUB_EFI_RUNTIME_SERVICES_CODE,
+ 			     N_("can't allocate kernel"));
+   restore_addresses();
+   if (!kernel_mem)

SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch

@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 1 Aug 2022 13:04:43 -0400
+Subject: [PATCH] efi: use EFI_LOADER_(CODE|DATA) for kernel and initrd
+ allocations
+
+At some point due to an erroneous kernel warning, we switched kernel and
+initramfs to being loaded in EFI_RUNTIME_SERVICES_CODE and
+EFI_RUNTIME_SERVICES_DATA memory pools.  This doesn't appear to be
+correct according to the spec, and that kernel warning has gone away.
+
+This patch puts them back in EFI_LOADER_CODE and EFI_LOADER_DATA
+allocations, respectively.
+
+Resolves: rhbz#2108456
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 35b5d5fa47bc394c76022e6595b173e68f53225e)
+(cherry picked from commit 66e1c922b40957fca488435e06a2f875a219844b)
+---
+ grub-core/loader/i386/efi/linux.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 09e7596064..4d39023792 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -278,7 +278,7 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[])
+     }
+ 
+   grub_dprintf ("linux", "Trying to allocate initrd mem\n");
+-  initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA,
++  initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_LOADER_DATA,
+ 			    N_("can't allocate initrd"));
+   if (initrd_mem == NULL)
+     goto fail;
+@@ -457,7 +457,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ #endif
+ 
+   params = kernel_alloc (KERNEL_MEM, sizeof(*params),
+-			 GRUB_EFI_RUNTIME_SERVICES_DATA,
++			 GRUB_EFI_LOADER_DATA,
+ 			 "cannot allocate kernel parameters");
+   if (!params)
+     goto fail;
+@@ -480,7 +480,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ 
+   grub_dprintf ("linux", "setting up cmdline\n");
+   cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1,
+-			  GRUB_EFI_RUNTIME_SERVICES_DATA,
++			  GRUB_EFI_LOADER_DATA,
+ 			  N_("can't allocate cmdline"));
+   if (!cmdline)
+     goto fail;
+@@ -529,7 +529,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   kernel_size = lh->init_size;
+   grub_dprintf ("linux", "Trying to allocate kernel mem\n");
+   kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size,
+-			     GRUB_EFI_RUNTIME_SERVICES_CODE,
++			     GRUB_EFI_LOADER_CODE,
+ 			     N_("can't allocate kernel"));
+   restore_addresses();
+   if (!kernel_mem)

SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch

@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Diego Domingos <diegodo@linux.vnet.ibm.com>
+Date: Thu, 25 Aug 2022 11:37:56 -0400
+Subject: [PATCH] ieee1275: implement vec5 for cas negotiation
+
+As a legacy support, if the vector 5 is not implemented, Power
+Hypervisor will consider the max CPUs as 64 instead 256 currently
+supported during client-architecture-support negotiation.
+
+This patch implements the vector 5 and set the MAX CPUs to 256 while
+setting the others values to 0 (default).
+
+Signed-off-by: Diego Domingos <diegodo@linux.vnet.ibm.com>
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit f735c65b6da8a9d4251242b37774e1a517511253)
+(cherry picked from commit 1639f43b2db4ac405ac2a92e50ed4cff351c3baa)
+---
+ grub-core/kern/ieee1275/init.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 1414695cc6..37f3098c39 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -307,6 +307,18 @@ struct option_vector2 {
+   grub_uint8_t max_pft_size;
+ } __attribute__((packed));
+ 
++struct option_vector5 {
++        grub_uint8_t byte1;
++        grub_uint8_t byte2;
++        grub_uint8_t byte3;
++        grub_uint8_t cmo;
++        grub_uint8_t associativity;
++        grub_uint8_t bin_opts;
++        grub_uint8_t micro_checkpoint;
++        grub_uint8_t reserved0;
++        grub_uint32_t max_cpus;
++} __attribute__((packed));
++
+ struct pvr_entry {
+   grub_uint32_t mask;
+   grub_uint32_t entry;
+@@ -325,6 +337,8 @@ struct cas_vector {
+   grub_uint16_t vec3;
+   grub_uint8_t vec4_size;
+   grub_uint16_t vec4;
++  grub_uint8_t vec5_size;
++  struct option_vector5 vec5;
+ } __attribute__((packed));
+ 
+ /* Call ibm,client-architecture-support to try to get more RMA.
+@@ -345,7 +359,7 @@ grub_ieee1275_ibm_cas (void)
+   } args;
+   struct cas_vector vector = {
+     .pvr_list = { { 0x00000000, 0xffffffff } }, /* any processor */
+-    .num_vecs = 4 - 1,
++    .num_vecs = 5 - 1,
+     .vec1_size = 0,
+     .vec1 = 0x80, /* ignore */
+     .vec2_size = 1 + sizeof(struct option_vector2) - 2,
+@@ -356,6 +370,10 @@ grub_ieee1275_ibm_cas (void)
+     .vec3 = 0x00e0, // ask for FP + VMX + DFP but don't halt if unsatisfied
+     .vec4_size = 2 - 1,
+     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
++    .vec5_size = 1 + sizeof(struct option_vector5) - 2,
++    .vec5 = {
++	0, 0, 0, 0, 0, 0, 0, 0, 256
++    }
+   };
+ 
+   INIT_IEEE1275_COMMON (&args.common, "call-method", 3, 2);

SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 11 Oct 2022 17:00:50 -0400
+Subject: [PATCH] x86-efi: Fix an incorrect array size in kernel allocation
+
+In 81a6ebf62bbe166ddc968463df2e8bd481bf697c ("efi: split allocation
+policy for kernel vs initrd memories."), I introduced a split in the
+kernel allocator to allow for different dynamic policies for the kernel
+and the initrd allocations.
+
+Unfortunately, that change increased the size of the policy data used to
+make decisions, but did not change the size of the temporary storage we
+use to back it up and restore.  This results in some of .data getting
+clobbered at runtime, and hilarity ensues.
+
+This patch makes the size of the backup storage be based on the size of
+the initial policy data.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 37747b22342499a798ca3a8895770cd93b6e1258)
+(cherry picked from commit 72713ce761720235c86bbda412480c97b2892e00)
+---
+ grub-core/loader/i386/efi/linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 4d39023792..3d55f8b8d2 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -92,7 +92,7 @@ static struct allocation_choice max_addresses[] =
+       { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+     { NO_MEM, 0, 0 }
+   };
+-static struct allocation_choice saved_addresses[4];
++static struct allocation_choice saved_addresses[sizeof(max_addresses) / sizeof(max_addresses[0])];
+ 
+ #define save_addresses() grub_memcpy(saved_addresses, max_addresses, sizeof(max_addresses))
+ #define restore_addresses() grub_memcpy(max_addresses, saved_addresses, sizeof(max_addresses))

SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch

@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 18 Oct 2022 14:15:28 -0400
+Subject: [PATCH] switch-to-blscfg: don't assume newline at end of cfg
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ util/grub-switch-to-blscfg.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
+index eeea130770..5a97954c39 100644
+--- a/util/grub-switch-to-blscfg.in
++++ b/util/grub-switch-to-blscfg.in
+@@ -277,7 +277,9 @@ if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
+     fi
+     GENERATE=1
+ elif ! grep -q '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" ; then
+-    if ! echo 'GRUB_ENABLE_BLSCFG=true' >> "${etcdefaultgrub}" ; then
++    # prepend in case admins have been bad at newlines
++    sed -i '1iGRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}"
++    if ! grep -q '^GRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}" ; then
+         gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
+         exit 1
+     fi

SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Wed, 3 Aug 2022 19:45:33 +0800
+Subject: [PATCH] font: Reject glyphs exceeds font->max_glyph_width or
+ font->max_glyph_height
+
+Check glyph's width and height against limits specified in font's
+metadata. Reject the glyph (and font) if such limits are exceeded.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 5760fcfd466cc757540ea0d591bad6a08caeaa16)
+(cherry picked from commit 3b410ef4bb95e607cadeba2193fa90ae9bddb98d)
+(cherry picked from commit 8ebe587def61af7893ebcae87d45c883f3cfb713)
+---
+ grub-core/font/font.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index b67507fcc8..8d1a990401 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ 	  || read_be_uint16 (font->file, &height) != 0
+ 	  || read_be_int16 (font->file, &xoff) != 0
+ 	  || read_be_int16 (font->file, &yoff) != 0
+-	  || read_be_int16 (font->file, &dwidth) != 0)
++	  || read_be_int16 (font->file, &dwidth) != 0
++	  || width > font->max_char_width
++	  || height > font->max_char_height)
+ 	{
+ 	  remove_font (font);
+ 	  return 0;

SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch

@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985)
+(cherry picked from commit 6bca9693878bdf61dd62b8c784862a48e75f569a)
+(cherry picked from commit edbbda5486cf8c3dc2b68fbd3dead822ab448022)
+---
+ grub-core/font/font.c   | 17 +++++++++++++----
+ include/grub/bitmap.h   | 18 ++++++++++++++++++
+ include/grub/safemath.h |  2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 8d1a990401..d6df79602d 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+       grub_int16_t xoff;
+       grub_int16_t yoff;
+       grub_int16_t dwidth;
+-      int len;
++      grub_ssize_t len;
++      grub_size_t sz;
+ 
+       if (index_entry->glyph)
+ 	/* Return cached glyph.  */
+@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ 	  return 0;
+ 	}
+ 
+-      len = (width * height + 7) / 8;
+-      glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+-      if (!glyph)
++      /* Calculate real struct size of current glyph. */
++      if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++	  grub_add (sizeof (struct grub_font_glyph), len, &sz))
++	{
++	  remove_font (font);
++	  return 0;
++	}
++
++      /* Allocate and initialize the glyph struct. */
++      glyph = grub_malloc (sz);
++      if (glyph == NULL)
+ 	{
+ 	  remove_font (font);
+ 	  return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8ca3a..0d9603f619 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+ 
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+   return bitmap->mode_info.height;
+ }
+ 
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++  grub_uint64_t _bitmap_pixels; \
++  grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++    grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ 						    struct grub_video_mode_info *mode_info);
+ 
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index 1ccac276b5..30800ad6a1 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res)	__builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res)	__builtin_mul_overflow(a, b, res)
+ 
++#define grub_cast(a, res)	grub_add ((a), 0, (res))
++
+ #else
+ /*
+  * Copyright 2020 Rasmus Villemoes

SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch

@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf)
+(cherry picked from commit b91eb9bd6c724339b7d7bb4765b9d36f1ee88b84)
+(cherry picked from commit 1ebafd82dd19e522f0d753fd9828553fe8bcac78)
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index d6df79602d..129aaa3838 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   struct grub_video_signed_rect bounds;
+   static struct grub_font_glyph *glyph = 0;
+   static grub_size_t max_glyph_size = 0;
++  grub_size_t cur_glyph_size;
+ 
+   ensure_comb_space (glyph_id);
+ 
+@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+   if (!glyph_id->ncomb && !glyph_id->attributes)
+     return main_glyph;
+ 
+-  if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++  if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++      grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++    return main_glyph;
++
++  if (max_glyph_size < cur_glyph_size)
+     {
+       grub_free (glyph);
+-      max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+-      if (max_glyph_size < 8)
+-	max_glyph_size = 8;
+-      glyph = grub_malloc (max_glyph_size);
++      if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++	max_glyph_size = 0;
++      glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+     }
+   if (!glyph)
+     {
++      max_glyph_size = 0;
+       grub_errno = GRUB_ERR_NONE;
+       return main_glyph;
+     }
+ 
+-  grub_memset (glyph, 0, sizeof (*glyph)
+-	       + (bounds.width * bounds.height
+-		  + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++  grub_memset (glyph, 0, cur_glyph_size);
+ 
+   glyph->font = main_glyph->font;
+-  glyph->width = bounds.width;
+-  glyph->height = bounds.height;
+-  glyph->offset_x = bounds.x;
+-  glyph->offset_y = bounds.y;
++  if (bounds.width == 0 || bounds.height == 0 ||
++      grub_cast (bounds.width, &glyph->width) ||
++      grub_cast (bounds.height, &glyph->height) ||
++      grub_cast (bounds.x, &glyph->offset_x) ||
++      grub_cast (bounds.y, &glyph->offset_y))
++    return main_glyph;
+ 
+   if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+     grub_font_blit_glyph_mirror (glyph, main_glyph,

SOURCES/0565-font-Remove-grub_font_dup_glyph.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:13:29 +0800
+Subject: [PATCH] font: Remove grub_font_dup_glyph()
+
+Remove grub_font_dup_glyph() since nobody is using it since 2013, and
+I'm too lazy to fix the integer overflow problem in it.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d)
+(cherry picked from commit ad950e1e033318bb50222ed268a6dcfb97389035)
+(cherry picked from commit 71644fccc1d43309f0a379dcfe9341ec3bd9657d)
+---
+ grub-core/font/font.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 129aaa3838..347e9dfa29 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1055,20 +1055,6 @@ grub_font_get_glyph_with_fallback (grub_font_t font, grub_uint32_t code)
+   return best_glyph;
+ }
+ 
+-#if 0
+-static struct grub_font_glyph *
+-grub_font_dup_glyph (struct grub_font_glyph *glyph)
+-{
+-  static struct grub_font_glyph *ret;
+-  ret = grub_malloc (sizeof (*ret) + (glyph->width * glyph->height + 7) / 8);
+-  if (!ret)
+-    return NULL;
+-  grub_memcpy (ret, glyph, sizeof (*ret)
+-	       + (glyph->width * glyph->height + 7) / 8);
+-  return ret;
+-}
+-#endif
+-
+ /* FIXME: suboptimal.  */
+ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,

SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:27:05 +0800
+Subject: [PATCH] font: Fix integer overflow in ensure_comb_space()
+
+In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
+wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
+in the future. This patch also fixes the inconsistency between
+render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
+returns NULL.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit b2740b7e4a03bb8331d48b54b119afea76bb9d5f)
+(cherry picked from commit f66ea1e60c347408e92b6695d5105c7e0f24d568)
+(cherry picked from commit 0e07159c24cdbb62a9d19fba8199065b049e03c7)
+---
+ grub-core/font/font.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 347e9dfa29..1367e44743 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1468,14 +1468,18 @@ ensure_comb_space (const struct grub_unicode_glyph *glyph_id)
+   if (glyph_id->ncomb <= render_max_comb_glyphs)
+     return;
+ 
+-  render_max_comb_glyphs = 2 * glyph_id->ncomb;
+-  if (render_max_comb_glyphs < 8)
++  if (grub_mul (glyph_id->ncomb, 2, &render_max_comb_glyphs))
++    render_max_comb_glyphs = 0;
++  if (render_max_comb_glyphs > 0 && render_max_comb_glyphs < 8)
+     render_max_comb_glyphs = 8;
+   grub_free (render_combining_glyphs);
+-  render_combining_glyphs = grub_malloc (render_max_comb_glyphs
+-					 * sizeof (render_combining_glyphs[0]));
++  render_combining_glyphs = (render_max_comb_glyphs > 0) ?
++    grub_calloc (render_max_comb_glyphs, sizeof (render_combining_glyphs[0])) : NULL;
+   if (!render_combining_glyphs)
+-    grub_errno = 0;
++    {
++      render_max_comb_glyphs = 0;
++      grub_errno = GRUB_ERR_NONE;
++    }
+ }
+ 
+ int

SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch

@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 15 Aug 2022 02:04:58 +0800
+Subject: [PATCH] font: Fix integer overflow in BMP index
+
+The BMP index (font->bmp_idx) is designed as a reverse lookup table of
+char entries (font->char_index), in order to speed up lookups for BMP
+chars (i.e. code < 0x10000). The values in BMP index are the subscripts
+of the corresponding char entries, stored in grub_uint16_t, while 0xffff
+means not found.
+
+This patch fixes the problem of large subscript truncated to grub_uint16_t,
+leading BMP index to return wrong char entry or report false miss. The
+code now checks for bounds and uses BMP index as a hint, and fallbacks
+to binary-search if necessary.
+
+On the occasion add a comment about BMP index is initialized to 0xffff.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit afda8b60ba0712abe01ae1e64c5f7a067a0e6492)
+(cherry picked from commit 6d90568929e11739b56f09ebbce9185ca9c23519)
+(cherry picked from commit b8c47c3dd6894b3135db861e3e563f661efad5c3)
+---
+ grub-core/font/font.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 1367e44743..059c23dff7 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+   font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
+   if (!font->bmp_idx)
+     return 1;
++
++  /* Init the BMP index array to 0xffff. */
+   grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
+ 
+ 
+@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+ 	  return 1;
+ 	}
+ 
+-      if (entry->code < 0x10000)
++      if (entry->code < 0x10000 && i < 0xffff)
+ 	font->bmp_idx[entry->code] = i;
+ 
+       last_code = entry->code;
+@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+   /* Use BMP index if possible.  */
+   if (code < 0x10000 && font->bmp_idx)
+     {
+-      if (font->bmp_idx[code] == 0xffff)
+-	return 0;
+-      return &table[font->bmp_idx[code]];
++      if (font->bmp_idx[code] < 0xffff)
++	return &table[font->bmp_idx[code]];
++      /*
++       * When we are here then lookup in BMP index result in miss,
++       * fallthough to binary-search.
++       */
+     }
+ 
+   /* Do a binary search in `char_index', which is ordered by code point.  */

SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch

@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Sun, 14 Aug 2022 18:09:38 +0800
+Subject: [PATCH] font: Fix integer underflow in binary search of char index
+
+If search target is less than all entries in font->index then "hi"
+variable is set to -1, which translates to SIZE_MAX and leads to errors.
+
+This patch fixes the problem by replacing the entire binary search code
+with the libstdc++'s std::lower_bound() implementation.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit c140a086838e7c9af87842036f891b8393a8c4bc)
+(cherry picked from commit e110997335b1744464ea232d57a7d86e16ca8dee)
+(cherry picked from commit 403053a5116ae945f9515a82c37ff8cfb927362c)
+---
+ grub-core/font/font.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 059c23dff7..31786ab339 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value)
+ static inline struct char_index_entry *
+ find_glyph (const grub_font_t font, grub_uint32_t code)
+ {
+-  struct char_index_entry *table;
+-  grub_size_t lo;
+-  grub_size_t hi;
+-  grub_size_t mid;
++  struct char_index_entry *table, *first, *end;
++  grub_size_t len;
+ 
+   table = font->char_index;
++  if (table == NULL)
++    return NULL;
+ 
+   /* Use BMP index if possible.  */
+   if (code < 0x10000 && font->bmp_idx)
+@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+        */
+     }
+ 
+-  /* Do a binary search in `char_index', which is ordered by code point.  */
+-  lo = 0;
+-  hi = font->num_chars - 1;
++  /*
++   * Do a binary search in char_index which is ordered by code point.
++   * The code below is the same as libstdc++'s std::lower_bound().
++   */
++  first = table;
++  len = font->num_chars;
++  end = first + len;
+ 
+-  if (!table)
+-    return 0;
+-
+-  while (lo <= hi)
++  while (len > 0)
+     {
+-      mid = lo + (hi - lo) / 2;
+-      if (code < table[mid].code)
+-	hi = mid - 1;
+-      else if (code > table[mid].code)
+-	lo = mid + 1;
++      grub_size_t half = len >> 1;
++      struct char_index_entry *middle = first + half;
++
++      if (middle->code < code)
++	{
++	  first = middle + 1;
++	  len = len - half - 1;
++	}
+       else
+-	return &table[mid];
++	len = half;
+     }
+ 
+-  return 0;
++  return (first < end && first->code == code) ? first : NULL;
+ }
+ 
+ /* Get a glyph for the Unicode character CODE in FONT.  The glyph is loaded

SOURCES/0569-fbutil-Fix-integer-overflow.patch

@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Tue, 6 Sep 2022 03:03:21 +0800
+Subject: [PATCH] fbutil: Fix integer overflow
+
+Expressions like u64 = u32 * u32 are unsafe because their products are
+truncated to u32 even if left hand side is u64. This patch fixes all
+problems like that one in fbutil.
+
+To get right result not only left hand side have to be u64 but it's also
+necessary to cast at least one of the operands of all leaf operators of
+right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
+u64 = (u64)u32 * u32 + (u64)u32 * u32.
+
+For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
+combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
+not overflow grub_uint64_t.
+
+Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
+They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
+
+This patch also adds a comment to grub_video_fb_get_video_ptr() which
+says it's arguments must be valid and no sanity check is performed
+(like its siblings in grub-core/video/fb/fbutil.c).
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 50a11a81bc842c58962244a2dc86bbd31a426e12)
+(cherry picked from commit 8fa75d647362c938c4cc302cf5945b31fb92c078)
+(cherry picked from commit 91005e39b3c8b6ca8dcc84ecb19ac9328966aaea)
+---
+ grub-core/video/fb/fbutil.c |  4 ++--
+ include/grub/fbutil.h       | 13 +++++++++----
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c
+index b98bb51fe8..25ef39f47d 100644
+--- a/grub-core/video/fb/fbutil.c
++++ b/grub-core/video/fb/fbutil.c
+@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source,
+     case 1:
+       if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+         {
+-          int bit_index = y * source->mode_info->width + x;
++          grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+           grub_uint8_t *ptr = source->data + bit_index / 8;
+           int bit_pos = 7 - bit_index % 8;
+           color = (*ptr >> bit_pos) & 0x01;
+@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source,
+     case 1:
+       if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+         {
+-          int bit_index = y * source->mode_info->width + x;
++          grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+           grub_uint8_t *ptr = source->data + bit_index / 8;
+           int bit_pos = 7 - bit_index % 8;
+           *ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos);
+diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h
+index 4205eb917f..78a1ab3b45 100644
+--- a/include/grub/fbutil.h
++++ b/include/grub/fbutil.h
+@@ -31,14 +31,19 @@ struct grub_video_fbblit_info
+   grub_uint8_t *data;
+ };
+ 
+-/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
+-   and it doesn't make sense, in general, to ask for a pointer
+-   to a particular pixel's data.  */
++/*
++ * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
++ * and it doesn't make sense, in general, to ask for a pointer
++ * to a particular pixel's data.
++ *
++ * This function assumes that bounds checking has been done in previous phase
++ * and they are opted out in here.
++ */
+ static inline void *
+ grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source,
+               unsigned int x, unsigned int y)
+ {
+-  return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel;
++  return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel;
+ }
+ 
+ /* Advance pointer by VAL bytes. If there is no unaligned access available,

SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch

@@ -0,0 +1,91 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4)
+(cherry picked from commit 05e532fb707bbf79aa4e1efbde4d208d7da89d6b)
+(cherry picked from commit 0b2592fbb245d53c5c42885d695ece03ddb0eb12)
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 31786ab339..fc9d92fce4 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1203,12 +1203,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+   ctx.bounds.height = main_glyph->height;
+ 
+   above_rightx = main_glyph->offset_x + main_glyph->width;
+-  above_righty = ctx.bounds.y + ctx.bounds.height;
++  above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+   above_leftx = main_glyph->offset_x;
+-  above_lefty = ctx.bounds.y + ctx.bounds.height;
++  above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+ 
+-  below_rightx = ctx.bounds.x + ctx.bounds.width;
++  below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+   below_righty = ctx.bounds.y;
+ 
+   comb = grub_unicode_get_comb (glyph_id);
+@@ -1221,7 +1221,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+       if (!combining_glyphs[i])
+ 	continue;
+-      targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++      targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+       /* CGJ is to avoid diacritics reordering. */
+       if (comb[i].code
+ 	  == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1231,8 +1231,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 	case GRUB_UNICODE_COMB_OVERLAY:
+ 	  do_blit (combining_glyphs[i],
+ 		   targetx,
+-		   (ctx.bounds.height - combining_glyphs[i]->height) / 2
+-		   - (ctx.bounds.height + ctx.bounds.y), &ctx);
++		   ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++		   - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ 	  if (min_devwidth < combining_glyphs[i]->width)
+ 	    min_devwidth = combining_glyphs[i]->width;
+ 	  break;
+@@ -1305,7 +1305,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 	  /* Fallthrough.  */
+ 	case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ 	  do_blit (combining_glyphs[i], targetx,
+-		   -(ctx.bounds.height + ctx.bounds.y + space
++		   -((int) ctx.bounds.height + ctx.bounds.y + space
+ 		     + combining_glyphs[i]->height), &ctx);
+ 	  if (min_devwidth < combining_glyphs[i]->width)
+ 	    min_devwidth = combining_glyphs[i]->width;
+@@ -1313,7 +1313,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ 
+ 	case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ 	  do_blit (combining_glyphs[i], targetx,
+-		   -(ctx.bounds.height / 2 + ctx.bounds.y
++		   -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ 		     + combining_glyphs[i]->height / 2), &ctx);
+ 	  if (min_devwidth < combining_glyphs[i]->width)
+ 	    min_devwidth = combining_glyphs[i]->width;

SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch

@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 07:15:41 +0800
+Subject: [PATCH] font: Harden grub_font_blit_glyph() and
+ grub_font_blit_glyph_mirror()
+
+As a mitigation and hardening measure add sanity checks to
+grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
+makes these two functions do nothing if target blitting area isn't fully
+contained in target bitmap. Therefore, if complex calculations in caller
+overflows and malicious coordinates are given, we are still safe because
+any coordinates which result in out-of-bound-write are rejected. However,
+this patch only checks for invalid coordinates, and doesn't provide any
+protection against invalid source glyph or destination glyph, e.g.
+mismatch between glyph size and buffer size.
+
+This hardening measure is designed to mitigate possible overflows in
+blit_comb(). If overflow occurs, it may return invalid bounding box
+during dry run and call grub_font_blit_glyph() with malicious
+coordinates during actual blitting. However, we are still safe because
+the scratch glyph itself is valid, although its size makes no sense, and
+any invalid coordinates are rejected.
+
+It would be better to call grub_fatal() if illegal parameter is detected.
+However, doing this may end up in a dangerous recursion because grub_fatal()
+would print messages to the screen and we are in the progress of drawing
+characters on the screen.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6)
+(cherry picked from commit 1d37ec63a1c76a14fdf70f548eada92667b42ddb)
+(cherry picked from commit 686c72ea0a841343b7d8ab64e815751aa36e24b5)
+---
+ grub-core/font/font.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index fc9d92fce4..cfa4bd5096 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1069,8 +1069,15 @@ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,
+ 		      struct grub_font_glyph *src, unsigned dx, unsigned dy)
+ {
++  grub_uint16_t max_x, max_y;
+   unsigned src_bit, tgt_bit, src_byte, tgt_byte;
+   unsigned i, j;
++
++  /* Harden against out-of-bound writes. */
++  if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++      (grub_add (dy, src->height, &max_y) || max_y > target->height))
++    return;
++
+   for (i = 0; i < src->height; i++)
+     {
+       src_bit = (src->width * i) % 8;
+@@ -1102,9 +1109,16 @@ grub_font_blit_glyph_mirror (struct grub_font_glyph *target,
+ 			     struct grub_font_glyph *src,
+ 			     unsigned dx, unsigned dy)
+ {
++  grub_uint16_t max_x, max_y;
+   unsigned tgt_bit, src_byte, tgt_byte;
+   signed src_bit;
+   unsigned i, j;
++
++  /* Harden against out-of-bound writes. */
++  if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++      (grub_add (dy, src->height, &max_y) || max_y > target->height))
++    return;
++
+   for (i = 0; i < src->height; i++)
+     {
+       src_bit = (src->width * i + src->width - 1) % 8;

SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 17:29:16 +0800
+Subject: [PATCH] font: Assign null_font to glyphs in ascii_font_glyph[]
+
+The calculations in blit_comb() need information from glyph's font, e.g.
+grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
+NULL if main_glyph comes from ascii_font_glyph[]. Therefore
+grub_font_get_*() crashes because of NULL pointer.
+
+There is already a solution, the null_font. So, assign it to those glyphs
+in ascii_font_glyph[].
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit dd539d695482069d28b40f2d3821f710cdcf6ee6)
+(cherry picked from commit 87526376857eaceae474c9797e3cee5b50597332)
+(cherry picked from commit b4807bbb09d9adf82fe9ae12a3af1c852dc4e32d)
+---
+ grub-core/font/font.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index cfa4bd5096..30cd1fe07f 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -137,7 +137,7 @@ ascii_glyph_lookup (grub_uint32_t code)
+ 	  ascii_font_glyph[current]->offset_x = 0;
+ 	  ascii_font_glyph[current]->offset_y = -2;
+ 	  ascii_font_glyph[current]->device_width = 8;
+-	  ascii_font_glyph[current]->font = NULL;
++	  ascii_font_glyph[current]->font = &null_font;
+ 
+ 	  grub_memcpy (ascii_font_glyph[current]->bitmap,
+ 		       &ascii_bitmaps[current * ASCII_BITMAP_SIZE],

SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch

@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 21:31:39 +0800
+Subject: [PATCH] normal/charset: Fix an integer overflow in
+ grub_unicode_aglomerate_comb()
+
+The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
+However, code in grub_unicode_aglomerate_comb() doesn't check for an
+overflow when incrementing out->ncomb. If out->ncomb is already 255,
+after incrementing it will get 0 instead of 256, and cause illegal
+memory access in subsequent processing.
+
+This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
+acceptable value of ncomb. The code now checks for this limit and
+ignores additional combining characters when limit is reached.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6)
+(cherry picked from commit 26fafec86000b5322837722a115279ef03922ca6)
+(cherry picked from commit 872fba1c44dee2ab5cb36b2c7a883847f91ed907)
+---
+ grub-core/normal/charset.c | 3 +++
+ include/grub/unicode.h     | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index 7b2de12001..4849cf06f7 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ 	  if (!haveout)
+ 	    continue;
+ 
++	  if (out->ncomb == GRUB_UNICODE_NCOMB_MAX)
++	    continue;
++
+ 	  if (comb_type == GRUB_UNICODE_COMB_MC
+ 	      || comb_type == GRUB_UNICODE_COMB_ME
+ 	      || comb_type == GRUB_UNICODE_COMB_MN)
+diff --git a/include/grub/unicode.h b/include/grub/unicode.h
+index 4de986a857..c4f6fca043 100644
+--- a/include/grub/unicode.h
++++ b/include/grub/unicode.h
+@@ -147,7 +147,9 @@ struct grub_unicode_glyph
+   grub_uint8_t bidi_level:6; /* minimum: 6 */
+   enum grub_bidi_type bidi_type:5; /* minimum: :5 */
+ 
++#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1)
+   unsigned ncomb:8;
++
+   /* Hint by unicode subsystem how wide this character usually is.
+      Real width is determined by font. Set only in UTF-8 stream.  */
+   int estimated_width:8;

SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch

@@ -0,0 +1,227 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lu Ken <ken.lu@intel.com>
+Date: Sat, 3 Jul 2021 10:50:37 -0400
+Subject: [PATCH] Enable TDX measurement to RTMR register
+
+Intel Trust Domain Extensions(Intel TDX) refers to an Intel technology
+that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory
+Encryption(MK-TME) with a new kind of virtual machine guest called a
+Trust Domain(TD)[1]. A TD runs in a CPU mode that protects the confidentiality
+of its memory contents and its CPU state from any other software, including
+the hosting Virtual Machine Monitor (VMM).
+
+Trust Domain Virtual Firmware (TDVF) is required to provide TD services to
+the TD guest OS.[2] Its reference code is available at https://github.com/tianocore/edk2-staging/tree/TDVF.
+
+To support TD measurement/attestation, TDs provide 4 RTMR registers like
+TPM/TPM2 PCR as below:
+- RTMR[0] is for TDVF configuration
+- RTMR[1] is for the TD OS loader and kernel
+- RTMR[2] is for the OS application
+- RTMR[3] is reserved for special usage only
+
+This patch adds TD Measurement protocol support along with TPM/TPM2 protocol.
+
+References:
+[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
+[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
+
+Signed-off-by: Lu Ken <ken.lu@intel.com>
+(cherry picked from commit 841a0977397cf12a5498d439b8aaf8bf28ff8544)
+---
+ grub-core/Makefile.core.def |  1 +
+ grub-core/kern/efi/tdx.c    | 70 +++++++++++++++++++++++++++++++++++++++++++++
+ grub-core/kern/tpm.c        |  4 +++
+ include/grub/efi/tdx.h      | 26 +++++++++++++++++
+ include/grub/tdx.h          | 36 +++++++++++++++++++++++
+ 5 files changed, 137 insertions(+)
+ create mode 100644 grub-core/kern/efi/tdx.c
+ create mode 100644 include/grub/efi/tdx.h
+ create mode 100644 include/grub/tdx.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 637d7203e3..2787d59c52 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -200,6 +200,7 @@ kernel = {
+   efi = kern/efi/acpi.c;
+   efi = kern/lockdown.c;
+   efi = lib/envblk.c;
++  efi = kern/efi/tdx.c;
+   efi = kern/efi/tpm.c;
+   i386_coreboot = kern/i386/pc/acpi.c;
+   i386_multiboot = kern/i386/pc/acpi.c;
+diff --git a/grub-core/kern/efi/tdx.c b/grub-core/kern/efi/tdx.c
+new file mode 100644
+index 0000000000..3a49f8d117
+--- /dev/null
++++ b/grub-core/kern/efi/tdx.c
+@@ -0,0 +1,70 @@
++#include <grub/err.h>
++#include <grub/i18n.h>
++#include <grub/efi/api.h>
++#include <grub/efi/efi.h>
++#include <grub/efi/tpm.h>
++#include <grub/efi/tdx.h>
++#include <grub/mm.h>
++#include <grub/tpm.h>
++#include <grub/tdx.h>
++
++static grub_efi_guid_t tdx_guid = EFI_TDX_GUID;
++
++static inline grub_err_t grub_tdx_dprintf(grub_efi_status_t status)
++{
++  switch (status) {
++  case GRUB_EFI_SUCCESS:
++    return 0;
++  case GRUB_EFI_DEVICE_ERROR:
++    grub_dprintf ("tdx", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n",
++                  status);
++    return GRUB_ERR_IO;
++  case GRUB_EFI_INVALID_PARAMETER:
++    grub_dprintf ("tdx", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n",
++                  status);
++    return GRUB_ERR_BAD_ARGUMENT;
++  case GRUB_EFI_VOLUME_FULL:
++    grub_dprintf ("tdx", "Volume is full: 0x%"PRIxGRUB_EFI_STATUS"\n",
++                  status);
++    return GRUB_ERR_BAD_ARGUMENT;
++  case GRUB_EFI_UNSUPPORTED:
++    grub_dprintf ("tdx", "TDX unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n",
++                  status);
++    return GRUB_ERR_UNKNOWN_DEVICE;
++  default:
++    grub_dprintf ("tdx", "Unknown TDX error: 0x%"PRIxGRUB_EFI_STATUS"\n",
++                  status);
++    return GRUB_ERR_UNKNOWN_DEVICE;
++  }
++}
++
++grub_err_t
++grub_tdx_log_event(unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
++		   const char *description)
++{
++  EFI_TCG2_EVENT *event;
++  grub_efi_status_t status;
++  grub_efi_tdx_protocol_t *tdx;
++
++  tdx = grub_efi_locate_protocol (&tdx_guid, NULL);
++
++  if (!tdx)
++    return 0;
++
++  event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 1);
++  if (!event)
++    return grub_error (GRUB_ERR_OUT_OF_MEMORY,
++		       N_("cannot allocate TCG2 event buffer"));
++
++  event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
++  event->Header.HeaderVersion = 1;
++  event->Header.PCRIndex = pcr;
++  event->Header.EventType = EV_IPL;
++  event->Size = sizeof(*event) - sizeof(event->Event) + grub_strlen(description) + 1;
++  grub_memcpy(event->Event, description, grub_strlen(description) + 1);
++
++  status = efi_call_5 (tdx->hash_log_extend_event, tdx, 0, (unsigned long) buf,
++		       (grub_uint64_t) size, event);
++
++  return grub_tdx_dprintf(status);
++}
+\ No newline at end of file
+diff --git a/grub-core/kern/tpm.c b/grub-core/kern/tpm.c
+index e5e8fced62..71cc4252c1 100644
+--- a/grub-core/kern/tpm.c
++++ b/grub-core/kern/tpm.c
+@@ -4,6 +4,7 @@
+ #include <grub/mm.h>
+ #include <grub/tpm.h>
+ #include <grub/term.h>
++#include <grub/tdx.h>
+ 
+ grub_err_t
+ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+@@ -13,6 +14,9 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+   char *desc = grub_xasprintf("%s %s", kind, description);
+   if (!desc)
+     return GRUB_ERR_OUT_OF_MEMORY;
++
++  grub_tdx_log_event(buf, size, pcr, desc);
++
+   ret = grub_tpm_log_event(buf, size, pcr, desc);
+   grub_free(desc);
+   return ret;
+diff --git a/include/grub/efi/tdx.h b/include/grub/efi/tdx.h
+new file mode 100644
+index 0000000000..9bdac2a275
+--- /dev/null
++++ b/include/grub/efi/tdx.h
+@@ -0,0 +1,26 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2015  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_EFI_TDX_HEADER
++#define GRUB_EFI_TDX_HEADER 1
++
++#define EFI_TDX_GUID {0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b}};
++
++typedef grub_efi_tpm2_protocol_t grub_efi_tdx_protocol_t;
++
++#endif
+\ No newline at end of file
+diff --git a/include/grub/tdx.h b/include/grub/tdx.h
+new file mode 100644
+index 0000000000..4a98008e39
+--- /dev/null
++++ b/include/grub/tdx.h
+@@ -0,0 +1,36 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2015  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_TDX_HEADER
++#define GRUB_TDX_HEADER 1
++
++#if defined (GRUB_MACHINE_EFI)
++grub_err_t grub_tdx_log_event(unsigned char *buf, grub_size_t size,
++			      grub_uint8_t pcr, const char *description);
++#else
++static inline grub_err_t grub_tdx_log_event(
++	unsigned char *buf __attribute__ ((unused)),
++	grub_size_t size __attribute__ ((unused)),
++	grub_uint8_t pcr __attribute__ ((unused)),
++	const char *description __attribute__ ((unused)))
++{
++	return 0;
++};
++#endif
++
++#endif

SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+Date: Tue, 24 Jan 2023 08:01:47 -0500
+Subject: [PATCH] Enable shared processor mode in vector 5
+
+This patch is to update the vector 5 which is troubling some
+machines to bootup properly in shared processor mode.
+
+Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+(cherry picked from commit 30d2ee836649386a336f9437c8a149c8e642a46b)
+(cherry picked from commit 7e309d139c5eca1f03659e612a14499213e79c95)
+---
+ grub-core/kern/ieee1275/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 37f3098c39..3ea9b73b2a 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -372,7 +372,7 @@ grub_ieee1275_ibm_cas (void)
+     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
+     .vec5_size = 1 + sizeof(struct option_vector5) - 2,
+     .vec5 = {
+-	0, 0, 0, 0, 0, 0, 0, 0, 256
++	0, 192, 0, 128, 0, 0, 0, 0, 256
+     }
+   };
+ 

SOURCES/0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Matt Hsiao <matt.hsiao@hpe.com>
+Date: Mon, 24 Apr 2023 13:39:05 +0800
+Subject: [PATCH] efi/http: change uint32_t to uintn_t for
+ grub_efi_http_message_t
+
+Modify UINT32 to UINTN in EFI_HTTP_MESSAGE to be UEFI 2.9 compliant.
+
+Signed-off-by: Matt Hsiao <matt.hsiao@hpe.com>
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ include/grub/efi/http.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/grub/efi/http.h b/include/grub/efi/http.h
+index c5e9a89f5050..ad164ba1913d 100644
+--- a/include/grub/efi/http.h
++++ b/include/grub/efi/http.h
+@@ -171,9 +171,9 @@ typedef struct {
+     grub_efi_http_request_data_t *request;
+     grub_efi_http_response_data_t *response;
+   } data;
+-  grub_efi_uint32_t header_count;
++  grub_efi_uintn_t header_count;
+   grub_efi_http_header_t *headers;
+-  grub_efi_uint32_t body_length;
++  grub_efi_uintn_t body_length;
+   void *body;
+ } grub_efi_http_message_t;
+ 

SOURCES/0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2023 08:16:25 -0400
+Subject: [PATCH] ieee1275 : Converting plain numbers to constants in Vec5
+
+This patch converts the plain numbers used in Vec5 properties to
+constants.
+
+1. LPAR : Client program supports logical partitioning and
+   associated hcall()s.
+2. SPLPAR : Client program supports the Shared
+   Processor LPAR Option.
+3. CMO : Enables the Cooperative Memory Over-commitment Option.
+4. MAX_CPU : Defines maximum number of CPUs supported.
+
+Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+---
+ grub-core/kern/ieee1275/init.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 3ea9b73b2a59..2516e02091cb 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -56,6 +56,12 @@ extern char _end[];
+ grub_addr_t grub_ieee1275_original_stack;
+ #endif
+ 
++#define LPAR     0x80
++#define SPLPAR   0x40
++#define BYTE2    (LPAR | SPLPAR)
++#define CMO      0x80
++#define MAX_CPU  256
++
+ void
+ grub_exit (int rc __attribute__((unused)))
+ {
+@@ -372,7 +378,7 @@ grub_ieee1275_ibm_cas (void)
+     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
+     .vec5_size = 1 + sizeof(struct option_vector5) - 2,
+     .vec5 = {
+-	0, 192, 0, 128, 0, 0, 0, 0, 256
++        0, BYTE2, 0, CMO, 0, 0, 0, 0, MAX_CPU	
+     }
+   };
+ 

SOURCES/0578-ieee1275-extended-support-in-options-vector5.patch

@@ -0,0 +1,125 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2023 08:33:12 -0400
+Subject: [PATCH] ieee1275 : extended support in options vector5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch enables the multiple options in Options Vector5 which are
+required and solves the boot issue seen on some machines which are looking for these specific options.
+
+1. LPAR : Client program supports logical partitioning and
+   associated hcall()s.
+2. SPLPAR : Client program supports the Shared
+   Processor LPAR Option.
+3. DYN_RCON_MEM : Client program supports the
+   “ibm,dynamic-reconfiguration-memory” property and it may be
+   presented in the device tree.
+4. LARGE_PAGES : Client supports pages larger than 4 KB.
+5. DONATE_DCPU_CLS : Client supports donating dedicated processor cycles.
+6. PCI_EXP : Client supports PCI Express implementations
+   utilizing Message Signaled Interrupts (MSIs).
+
+7. CMOC : Enables the Cooperative Memory Over-commitment Option.
+8. EXT_CMO : Enables the Extended Cooperative Memory Over-commit
+   Option.
+
+9. ASSOC_REF : Enables “ibm,associativity” and
+   “ibm,associativity-reference-points” properties.
+10. AFFINITY : Enables Platform Resource Reassignment Notification.
+11. NUMA : Supports NUMA Distance Lookup Table Option.
+
+12. HOTPLUG_INTRPT : Supports Hotplug Interrupts.
+13. HPT_RESIZE : Enable Hash Page Table Resize Option.
+
+14. MAX_CPU : Defines maximum number of CPUs supported.
+
+15. PFO_HWRNG : Supports Random Number Generator.
+16. PFO_HW_COMP : Supports Compression Engine.
+17. PFO_ENCRYPT : Supports Encryption Engine.
+
+18. SUB_PROCESSORS : Supports Sub-Processors.
+
+19. DY_MEM_V2 : Client program supports the “ibm,dynamic-memory-v2” property in the
+    “ibm,dynamic-reconfiguration-memory” node and it may be presented in the device tree.
+20. DRC_INFO : Client program supports the “ibm,drc-info” property definition and it may be
+    presented in the device tree.
+
+Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+---
+ grub-core/kern/ieee1275/init.c | 47 ++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 41 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 2516e02091cb..1fae84440403 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -56,11 +56,41 @@ extern char _end[];
+ grub_addr_t grub_ieee1275_original_stack;
+ #endif
+ 
+-#define LPAR     0x80
+-#define SPLPAR   0x40
+-#define BYTE2    (LPAR | SPLPAR)
+-#define CMO      0x80
+-#define MAX_CPU  256
++/* Options vector5 properties */
++
++#define LPAR                0x80
++#define SPLPAR              0x40
++#define DYN_RCON_MEM        0x20
++#define LARGE_PAGES         0x10
++#define DONATE_DCPU_CLS     0x02
++#define PCI_EXP             0x01
++#define BYTE2               (LPAR | SPLPAR | DYN_RCON_MEM | LARGE_PAGES | DONATE_DCPU_CLS | PCI_EXP)
++
++#define CMOC                0x80
++#define EXT_CMO             0x40
++#define CMO                 (CMOC | EXT_CMO)
++
++#define ASSOC_REF           0x80
++#define AFFINITY            0x40
++#define NUMA                0x20
++#define ASSOCIATIVITY       (ASSOC_REF | AFFINITY | NUMA)
++
++#define HOTPLUG_INTRPT      0x04
++#define HPT_RESIZE          0x01
++#define BIN_OPTS            (HOTPLUG_INTRPT | HPT_RESIZE)
++
++#define MAX_CPU             256
++
++#define PFO_HWRNG           0x80000000
++#define PFO_HW_COMP         0x40000000
++#define PFO_ENCRYPT         0x20000000
++#define PLATFORM_FACILITIES (PFO_HWRNG | PFO_HW_COMP | PFO_ENCRYPT)
++
++#define SUB_PROCESSORS      1
++
++#define DY_MEM_V2           0x80
++#define DRC_INFO            0x40
++#define BYTE22              (DY_MEM_V2 | DRC_INFO)
+ 
+ void
+ grub_exit (int rc __attribute__((unused)))
+@@ -323,6 +353,11 @@ struct option_vector5 {
+         grub_uint8_t micro_checkpoint;
+         grub_uint8_t reserved0;
+         grub_uint32_t max_cpus;
++        grub_uint16_t base_PAPR;
++        grub_uint16_t mem_reference;
++        grub_uint32_t platform_facilities;
++        grub_uint8_t sub_processors;
++        grub_uint8_t byte22;
+ } __attribute__((packed));
+ 
+ struct pvr_entry {
+@@ -378,7 +413,7 @@ grub_ieee1275_ibm_cas (void)
+     .vec4 = 0x0001, // set required minimum capacity % to the lowest value
+     .vec5_size = 1 + sizeof(struct option_vector5) - 2,
+     .vec5 = {
+-        0, BYTE2, 0, CMO, 0, 0, 0, 0, MAX_CPU	
++        0, BYTE2, 0, CMO, ASSOCIATIVITY, BIN_OPTS, 0, 0, MAX_CPU, 0, 0, PLATFORM_FACILITIES, SUB_PROCESSORS, BYTE22
+     }
+   };
+ 

SOURCES/0579-Regenerate-kernelopts-if-missing-on-ppc.patch

@@ -0,0 +1,36 @@
+From 8c74431327e0c7d7fe47462b0e69fcbe3bbac56e Mon Sep 17 00:00:00 2001
+From: Marta Lewandowska <mlewando@redhat.com>
+Date: Fri, 24 Mar 2023 09:14:29 -0400
+Subject: [PATCH] Regenerate kernelopts if missing on ppc
+
+Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
+---
+ util/grub.d/10_linux_bls.in | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/util/grub.d/10_linux_bls.in b/util/grub.d/10_linux_bls.in
+index 855dbdd..f2281bc 100644
+--- a/util/grub.d/10_linux_bls.in
++++ b/util/grub.d/10_linux_bls.in
+@@ -117,6 +117,18 @@ cat <<EOF
+ # This section was generated by a script. Do not modify the generated file - all changes
+ # will be lost the next time file is regenerated. Instead edit the BootLoaderSpec files.
+ 
++# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
++# entries populated from BootLoaderSpec files that use this variable work correctly even
++# without a grubenv file, define a fallback kernelopts variable if this has not been set.
++#
++# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
++# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
++# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
++# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
++if [ -z "\${kernelopts}" ]; then
++  set kernelopts="root=${linux_root_device_thisversion} ro ${args}"
++fi
++
+ EOF
+ }
+ 
+-- 
+2.39.1
+

SOURCES/0580-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch

@@ -0,0 +1,210 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 8 Aug 2023 12:21:55 -0400
+Subject: [PATCH] kern/ieee1275/init: ppc64: Restrict high memory in presence
+ of fadump
+
+This is a backport of the patch with the same name to grub 2.02.
+
+When a kernel dump is present then restrict the high memory regions to
+avoid allocating memory where the kernel dump resides. Use the
+ibm,kernel-dump node under /rtas to determine whether a kernel dump exists
+and up to which limit grub can use available memory. Set the
+upper_mem_limit to the size of the kernel dump section of type
+'REAL_MODE_REGION' and therefore only allow grub's memory usage for high
+addresses from 768MB to 'upper_mem_limit'. This means that grub can
+use high memory in the range of 768MB to upper_mem_limit and
+the kernel-dump memory regions above 'upper_mem_limit' remain untouched.
+This change has no effect on memory allocations below 640MB.
+
+Also, fall back to allocating below 640MB in case the chunk of
+memory there would be larger than the chunk of memory above 768MB.
+This can for example occur if a free memory area is found starting at 300MB
+extending up to 1GB but a kernel dump is located at 768MB and therefore
+does not allow the allocation of the high memory area but requiring to use
+the chunk starting at 300MB to avoid an unnecessary out-of-memory
+condition.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Cc: Hari Bathini <hbathini@linux.ibm.com>
+Cc: Pavithra Prakash <pavrampu@in.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
+Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
+---
+ grub-core/kern/ieee1275/init.c | 139 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 139 insertions(+)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 1fae84440403..31843ab70a62 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -17,6 +17,8 @@
+  *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+  */
+ 
++#include <stddef.h> /* offsetof() */
++
+ #include <grub/kernel.h>
+ #include <grub/dl.h>
+ #include <grub/disk.h>
+@@ -180,6 +182,97 @@ grub_claim_heap (void)
+ 				 + GRUB_KERNEL_MACHINE_STACK_SIZE), 0x200000);
+ }
+ #else
++
++/* ibm,kernel-dump data structures */
++struct kd_section
++{
++  grub_uint32_t flags;
++  grub_uint16_t src_datatype;
++#define KD_SRC_DATATYPE_REAL_MODE_REGION  0x0011
++  grub_uint16_t error_flags;
++  grub_uint64_t src_address;
++  grub_uint64_t num_bytes;
++  grub_uint64_t act_bytes;
++  grub_uint64_t dst_address;
++} GRUB_PACKED;
++
++#define MAX_KD_SECTIONS 10
++
++struct kernel_dump
++{
++  grub_uint32_t format;
++  grub_uint16_t num_sections;
++  grub_uint16_t status_flags;
++  grub_uint32_t offset_1st_section;
++  grub_uint32_t num_blocks;
++  grub_uint64_t start_block;
++  grub_uint64_t num_blocks_avail;
++  grub_uint32_t offet_path_string;
++  grub_uint32_t max_time_allowed;
++  struct kd_section kds[MAX_KD_SECTIONS]; /* offset_1st_section should point to kds[0] */
++} GRUB_PACKED;
++
++/*
++ * Determine if a kernel dump exists and if it does, then determine the highest
++ * address that grub can use for memory allocations.
++ * The caller must have initialized *highest to ~0. *highest will not
++ * be modified if no kernel dump is found.
++ */
++static int
++check_kernel_dump (grub_uint64_t *highest)
++{
++  struct kernel_dump kernel_dump;
++  grub_ssize_t kernel_dump_size;
++  grub_ieee1275_phandle_t rtas;
++  struct kd_section *kds;
++  grub_size_t i;
++
++  /* If there's a kernel-dump it must have at least one section */
++  if (grub_ieee1275_finddevice ("/rtas", &rtas) ||
++      grub_ieee1275_get_property (rtas, "ibm,kernel-dump", &kernel_dump,
++                                  sizeof (kernel_dump), &kernel_dump_size) ||
++      kernel_dump_size <= (grub_ssize_t) offsetof (struct kernel_dump, kds[1]))
++    return 0;
++
++  kernel_dump_size = grub_min (kernel_dump_size, (grub_ssize_t) sizeof (kernel_dump));
++
++  if (grub_be_to_cpu32 (kernel_dump.format) != 1)
++    {
++      grub_printf (_("Error: ibm,kernel-dump has an unexpected format version '%u'\n"),
++                   grub_be_to_cpu32 (kernel_dump.format));
++      return 0;
++    }
++
++  if (grub_be_to_cpu16 (kernel_dump.num_sections) > MAX_KD_SECTIONS)
++    {
++      grub_printf (_("Error: Too many kernel dump sections: %d\n"),
++                   grub_be_to_cpu32 (kernel_dump.num_sections));
++      return 0;
++    }
++
++  for (i = 0; i < grub_be_to_cpu16 (kernel_dump.num_sections); i++)
++    {
++      kds = (struct kd_section *) ((grub_addr_t) &kernel_dump +
++                                   grub_be_to_cpu32 (kernel_dump.offset_1st_section) +
++                                   i * sizeof (struct kd_section));
++      /* sanity check the address is within the 'kernel_dump' struct */
++      if ((grub_addr_t) kds > (grub_addr_t) &kernel_dump + kernel_dump_size + sizeof (*kds))
++        {
++          grub_printf (_("Error: 'kds' address beyond last available section\n"));
++          return 0;
++        }
++
++      if ((grub_be_to_cpu16 (kds->src_datatype) == KD_SRC_DATATYPE_REAL_MODE_REGION) &&
++          (grub_be_to_cpu64 (kds->src_address) == 0))
++        {
++          *highest = grub_min (*highest, grub_be_to_cpu64 (kds->num_bytes));
++          break;
++        }
++    }
++
++  return 1;
++}
++
+ /* Helper for grub_claim_heap on powerpc. */
+ static int
+ heap_size (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+@@ -207,7 +300,9 @@ static int
+ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+ 	   void *data)
+ {
++  grub_uint64_t upper_mem_limit = ~0;
+   grub_uint32_t total = *(grub_uint32_t *)data;
++  int has_kernel_dump;
+ 
+   if (type != GRUB_MEMORY_AVAILABLE)
+     return 0;
+@@ -243,6 +338,50 @@ heap_init (grub_uint64_t addr, grub_uint64_t len, grub_memory_type_t type,
+       len = 0;
+     }
+ 
++  has_kernel_dump = check_kernel_dump (&upper_mem_limit);
++  if (has_kernel_dump)
++    {
++      grub_uint64_t lo_len = 0, hi_len = 0;
++
++      if (addr > upper_mem_limit || upper_mem_limit == (grub_uint64_t)~0)
++        return 0;
++
++      /* limit len to stay below upper_mem_limit */
++      if (addr < upper_mem_limit && (addr + len) > upper_mem_limit)
++        {
++           len = grub_min (len, upper_mem_limit - addr);
++        }
++
++      /* We can allocate below 640MB or above 768MB.
++       * Choose the bigger chunk below 640MB or above 768MB.
++       */
++      if (addr < 0x28000000)
++        {
++           lo_len = grub_min (len, 0x28000000 - addr);
++        }
++      if (addr + len > 0x30000000)
++        {
++           if (addr < 0x30000000)
++             hi_len = len - (0x30000000 - addr);
++           else
++             hi_len = len;
++        }
++
++      if (hi_len > lo_len)
++        {
++           len = hi_len;
++           if (addr < 0x30000000)
++             addr = 0x30000000;
++        }
++      else
++        {
++           len = lo_len;
++        }
++
++      if (len == 0)
++        return 0;
++    }
++
+   /* If this block contains 0x30000000 (768MB), do not claim below that.
+      Linux likes to claim memory at min(RMO top, 768MB) and works down
+      without reference to /memory/available. */

SOURCES/0581-util-Enable-default-kernel-for-updates.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Wed, 24 May 2023 11:22:47 +0200
+Subject: [PATCH] util: Enable default kernel for updates
+
+Several kernel variants can be installed on a system in parallel.
+In order to allow the user to choose which kernel will be set to
+default after an update, re-enable grub's usage of DEFAULTKERNEL as
+set in /etc/sysconfig/kernel
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ util/grub-get-kernel-settings.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/util/grub-get-kernel-settings.in b/util/grub-get-kernel-settings.in
+index 7e87dfccc0e4..f71bc64360b0 100644
+--- a/util/grub-get-kernel-settings.in
++++ b/util/grub-get-kernel-settings.in
+@@ -68,6 +68,14 @@ if test -f /etc/sysconfig/kernel ; then
+     . /etc/sysconfig/kernel
+ fi
+ 
++GRUB_DEFAULT_KERNEL_TYPE=${DEFAULTKERNEL/-core/}
++if [ "$GRUB_DEFAULT_KERNEL_TYPE" != "kernel" ]; then
++    echo GRUB_NON_STANDARD_KERNEL=true
++    echo export GRUB_NON_STANDARD_KERNEL
++    GRUB_DEFAULT_KERNEL_TYPE=${GRUB_DEFAULT_KERNEL_TYPE/kernel-/}
++fi
++echo GRUB_DEFAULT_KERNEL_TYPE=$GRUB_DEFAULT_KERNEL_TYPE
++echo export GRUB_DEFAULT_KERNEL_TYPE
+ if [ "$MAKEDEBUG" = "yes" ]; then
+     echo GRUB_LINUX_MAKE_DEBUG=true
+     echo export GRUB_LINUX_MAKE_DEBUG

SOURCES/0582-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch

@@ -0,0 +1,150 @@
+From 9ca4c3fe1c7dbd62e8ad6a23cb1b1fda695fdb44 Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 21:39:41 +0100
+Subject: [PATCH 1/3] grub-set-bootflag: Conservative partial fix for
+ CVE-2024-1048
+
+Following up on CVE-2019-14865 and taking a fresh look at
+grub2-set-bootflag now (through my work at CIQ on Rocky Linux), I saw some
+other ways in which users could still abuse this little program:
+
+1. After CVE-2019-14865 fix, grub2-set-bootflag no longer rewrites the
+grubenv file in-place, but writes into a temporary file and renames it
+over the original, checking for error returns from each call first.
+This prevents the original file truncation vulnerability, but it can
+leave the temporary file around if the program is killed before it can
+rename or remove the file.  There are still many ways to get the program
+killed, such as through RLIMIT_FSIZE triggering SIGXFSZ (tested,
+reliable) or by careful timing (tricky) of signals sent by process group
+leader, pty, pre-scheduled timers, SIGXCPU (probably not an exhaustive
+list).  Invoking the program multiple times fills up /boot (or if /boot
+is not separate, then it can fill up the root filesystem).  Since the
+files are tiny, the filesystem is likely to run out of free inodes
+before it'd run out of blocks, but the effect is similar - can't create
+new files after this point (but still can add data to existing files,
+such as logs).
+
+2. After CVE-2019-14865 fix, grub2-set-bootflag naively tries to protect
+itself from signals by becoming full root.  (This does protect it from
+signals sent by the user directly to the PID, but e.g. "kill -9 -1" by
+the user still works.)  A side effect of such "protection" is that it's
+possible to invoke more concurrent instances of grub2-set-bootflag than
+the user's RLIMIT_NPROC would normally permit (as specified e.g. in
+/etc/security/limits.conf, or say in Apache httpd's RLimitNPROC if
+grub2-set-bootflag would be abused by a website script), thereby
+exhausting system resources (e.g., bypassing RAM usage limit if
+RLIMIT_AS was also set).
+
+3. umask is inherited.  Again, due to how the CVE-2019-14865 fix creates
+a new file, and due to how mkstemp() works, this affects grubenv's new
+file permissions.  Luckily, mkstemp() forces them to be no more relaxed
+than 0600, but the user ends up being able to set them e.g. to 0.
+Luckily, at least in my testing GRUB still works fine even when the file
+has such (lack of) permissions.
+
+This commit deals with the abuses above as follows:
+
+1. RLIMIT_FSIZE is pre-checked, so this specific way to get the process
+killed should no longer work.  However, this isn't a complete fix
+because there are other ways to get the process killed after it has
+created the temporary file.
+
+The commit also fixes bug 1975892 ("RFE: grub2-set-bootflag should not
+write the grubenv when the flag being written is already set") and
+similar for "menu_show_once", which further reduces the abuse potential.
+
+2. RLIMIT_NPROC bypass should be avoided by not becoming full root (aka
+dropping the partial "kill protection").
+
+3. A safe umask is set.
+
+This is a partial fix (temporary files can still accumulate, but this is
+harder to trigger).
+
+While at it, this commit also fixes potential 1- or 2-byte over-read of
+env[] if its content is malformed - this was not a security issue since the
+grubenv file is trusted input, and the fix is just for robustness.
+
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index a85f11fceacb..5b932f76b6f4 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -32,6 +32,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/stat.h>
++#include <sys/resource.h>
+ 
+ #define GRUBENV "/" GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME "/" GRUB_ENVBLK_DEFCFG
+ #define GRUBENV_SIZE 1024
+@@ -54,12 +56,17 @@ static void usage(void)
+ int main(int argc, char *argv[])
+ {
+   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
+-  char env[GRUBENV_SIZE + 1], buf[64], *s;
++  char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
+   /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
+   char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
+   const char *bootflag;
+   int i, fd, len, ret;
+   FILE *f;
++  struct rlimit rlim;
++
++  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
++    return 1;
++  umask(077);
+ 
+   if (argc != 2)
+     {
+@@ -81,20 +88,11 @@ int main(int argc, char *argv[])
+   len = strlen (bootflag);
+ 
+   /*
+-   * Really become root. setuid avoids an user killing us, possibly leaking
+-   * the tmpfile. setgid avoids the new grubenv's gid being that of the user.
++   * setegid avoids the new grubenv's gid being that of the user.
+    */
+-  ret = setuid(0);
+-  if (ret)
+-    {
+-      perror ("Error setuid(0) failed");
+-      return 1;
+-    }
+-
+-  ret = setgid(0);
+-  if (ret)
++  if (setegid(0))
+     {
+-      perror ("Error setgid(0) failed");
++      perror ("Error setegid(0) failed");
+       return 1;
+     }
+ 
+@@ -123,6 +121,9 @@ int main(int argc, char *argv[])
+ 
+   /* 0 terminate env */
+   env[GRUBENV_SIZE] = 0;
++  /* not a valid flag value */
++  env[GRUBENV_SIZE + 1] = 0;
++  env[GRUBENV_SIZE + 2] = 0;
+ 
+   if (strncmp (env, GRUB_ENVBLK_SIGNATURE, strlen (GRUB_ENVBLK_SIGNATURE)))
+     {
+@@ -158,6 +159,8 @@ int main(int argc, char *argv[])
+ 
+   /* The grubenv is not 0 terminated, so memcpy the name + '=' , '1', '\n' */
+   snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
++  if (!memcmp(s, buf, len + 3))
++    return 0; /* nothing to do */
+   memcpy(s, buf, len + 3);
+ 
+ 
+-- 
+2.43.0
+

SOURCES/0583-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch

@@ -0,0 +1,187 @@
+From f4c7783c2b695794938748a6567e86456ed2314a Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 21:56:21 +0100
+Subject: [PATCH 2/3] grub-set-bootflag: More complete fix for CVE-2024-1048
+
+Switch to per-user fixed temporary filenames along with a weird locking
+mechanism, which is explained in source code comments.  This is a more
+complete fix than the previous commit (temporary files can't accumulate).
+Unfortunately, it introduces new risks (by working on a temporary file
+shared between the user's invocations), which are _hopefully_ avoided by
+the patch's elaborate logic.  I actually got it wrong at first, which
+suggests that this logic is hard to reason about, and more errors or
+omissions are possible.  It also relies on the kernel's primitives' exact
+semantics to a greater extent (nothing out of the ordinary, though).
+
+Remaining issues that I think cannot reasonably be fixed without a
+redesign (e.g., having per-flag files with nothing else in them) and
+without introducing new issues:
+
+A. A user can still revert a concurrent user's attempt of setting the
+other flag - or of making other changes to grubenv by means other than
+this program.
+
+B. One leftover temporary file per user is still possible.
+
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 87 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 75 insertions(+), 12 deletions(-)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 5b932f76b6f4..698b55a1ab93 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -32,6 +32,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/file.h>
+ #include <sys/stat.h>
+ #include <sys/resource.h>
+ 
+@@ -57,15 +58,12 @@ int main(int argc, char *argv[])
+ {
+   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
+   char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
+-  /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
+-  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
++  /* +1 for 0 termination, +11 for ".%u" in tmp filename */
++  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 11 + 1];
+   const char *bootflag;
+   int i, fd, len, ret;
+   FILE *f;
+-  struct rlimit rlim;
+ 
+-  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
+-    return 1;
+   umask(077);
+ 
+   if (argc != 2)
+@@ -92,7 +90,7 @@ int main(int argc, char *argv[])
+    */
+   if (setegid(0))
+     {
+-      perror ("Error setegid(0) failed");
++      perror ("setegid(0) failed");
+       return 1;
+     }
+ 
+@@ -163,19 +161,82 @@ int main(int argc, char *argv[])
+     return 0; /* nothing to do */
+   memcpy(s, buf, len + 3);
+ 
++  struct rlimit rlim;
++  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
++    {
++      fprintf (stderr, "Resource limits undetermined or too low\n");
++      return 1;
++    }
++
++  /*
++   * Here we work under the premise that we shouldn't write into the target
++   * file directly because we might not be able to have all of our changes
++   * written completely and atomically.  That was CVE-2019-14865, known to
++   * have been triggerable via RLIMIT_FSIZE.  While we've dealt with that
++   * specific attack via the check above, there may be other possibilities.
++   */
+ 
+   /*
+    * Create a tempfile for writing the new env.  Use the canonicalized filename
+    * for the template so that the tmpfile is in the same dir / on same fs.
++   *
++   * We now use per-user fixed temporary filenames, so that a user cannot cause
++   * multiple files to accumulate.
++   *
++   * We don't use O_EXCL so that a stale temporary file doesn't prevent further
++   * usage of the program by the user.
+    */
+-  snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename);
+-  fd = mkstemp(tmp_filename);
++  snprintf(tmp_filename, sizeof(tmp_filename), "%s.%u", env_filename, getuid());
++  fd = open(tmp_filename, O_CREAT | O_WRONLY, 0600);
+   if (fd == -1)
+     {
+       perror ("Creating tmpfile failed");
+       return 1;
+     }
+ 
++  /*
++   * The lock prevents the same user from reaching further steps ending in
++   * rename() concurrently, in which case the temporary file only partially
++   * written by one invocation could be renamed to the target file by another.
++   *
++   * The lock also guards the slow fsync() from concurrent calls.  After the
++   * first time that and the rename() complete, further invocations for the
++   * same flag become no-ops.
++   *
++   * We lock the temporary file rather than the target file because locking the
++   * latter would allow any user having SIGSTOP'ed their process to make all
++   * other users' invocations fail (or lock up if we'd use blocking mode).
++   *
++   * We use non-blocking mode (LOCK_NB) because the lock having been taken by
++   * another process implies that the other process would normally have already
++   * renamed the file to target by the time it releases the lock (and we could
++   * acquire it), so we'd be working directly on the target if we proceeded,
++   * which is undesirable, and we'd kind of fail on the already-done rename.
++   */
++  if (flock(fd, LOCK_EX | LOCK_NB))
++    {
++      perror ("Locking tmpfile failed");
++      return 1;
++    }
++
++  /*
++   * Deal with the potential that another invocation proceeded all the way to
++   * rename() and process exit while we were between open() and flock().
++   */
++  {
++    struct stat st1, st2;
++    if (fstat(fd, &st1) || stat(tmp_filename, &st2))
++      {
++        perror ("stat of tmpfile failed");
++        return 1;
++      }
++    if (st1.st_dev != st2.st_dev || st1.st_ino != st2.st_ino)
++      {
++        fprintf (stderr, "Another invocation won race\n");
++        return 1;
++      }
++  }
++
+   f = fdopen (fd, "w");
+   if (!f)
+     {
+@@ -200,23 +261,25 @@ int main(int argc, char *argv[])
+       return 1;     
+     }
+ 
+-  ret = fsync (fileno (f));
++  ret = ftruncate (fileno (f), GRUBENV_SIZE);
+   if (ret)
+     {
+-      perror ("Error syncing tmpfile");
++      perror ("Error truncating tmpfile");
+       unlink(tmp_filename);
+       return 1;
+     }
+ 
+-  ret = fclose (f);
++  ret = fsync (fileno (f));
+   if (ret)
+     {
+-      perror ("Error closing tmpfile");
++      perror ("Error syncing tmpfile");
+       unlink(tmp_filename);
+       return 1;
+     }
+ 
+   /*
++   * We must not close the file before rename() as that would remove the lock.
++   *
+    * And finally rename the tmpfile with the new env over the old env, the
+    * linux kernel guarantees that this is atomic (from a syscall pov).
+    */
+-- 
+2.43.0
+

SOURCES/0584-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch

@@ -0,0 +1,39 @@
+From a7192a650c1e94221a86b49f5132fb47a4dda6ea Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 22:05:45 +0100
+Subject: [PATCH 3/3] grub-set-bootflag: Exit calmly when not running as root
+
+Exit calmly when not installed SUID root and invoked by non-root.  This
+allows installing user/grub-boot-success.service unconditionally while
+supporting non-SUID installation of the program for some limited usage.
+
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 698b55a1ab93..a51805fa8cec 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -85,6 +85,17 @@ int main(int argc, char *argv[])
+   bootflag = bootflags[i];
+   len = strlen (bootflag);
+ 
++  /*
++   * Exit calmly when not installed SUID root and invoked by non-root.  This
++   * allows installing user/grub-boot-success.service unconditionally while
++   * supporting non-SUID installation of the program for some limited usage.
++   */
++  if (geteuid())
++    {
++      printf ("grub-set-bootflag not running as root, no action taken\n");
++      return 0;
++    }
++
+   /*
+    * setegid avoids the new grubenv's gid being that of the user.
+    */
+-- 
+2.43.0
+

SOURCES/0585-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch

@@ -0,0 +1,93 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH 1/6] fs/ntfs: Fix an OOB write when parsing the
+ $ATTRIBUTE_LIST attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index bbdbe24ada83..c3c4db117bba 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+     }
+   if (at->attr_end)
+     {
+-      grub_uint8_t *pa;
++      grub_uint8_t *pa, *pa_end;
+ 
+       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+       if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	    }
+ 	  at->attr_nxt = at->edat_buf;
+ 	  at->attr_end = at->edat_buf + u32at (pa, 0x30);
++	  pa_end = at->edat_buf + n;
+ 	}
+       else
+ 	{
+ 	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ 	  at->attr_end = at->attr_end + u32at (pa, 4);
++	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ 	}
+       at->flags |= GRUB_NTFS_AF_ALST;
+       while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	  at->flags |= GRUB_NTFS_AF_GPOS;
+ 	  at->attr_cur = at->attr_nxt;
+ 	  pa = at->attr_cur;
++
++	  if ((pa >= pa_end) || (pa_end - pa < 0x18))
++	    {
++	      grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++	      return NULL;
++	    }
++
+ 	  grub_set_unaligned32 ((char *) pa + 0x10,
+ 				grub_cpu_to_le32 (at->mft->data->mft_start));
+ 	  grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	    {
+ 	      if (*pa != attr)
+ 		break;
++
++              if ((pa >= pa_end) || (pa_end - pa < 0x18))
++                {
++	          grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++	          return NULL;
++	        }
++
+ 	      if (read_attr
+ 		  (at, pa + 0x10,
+ 		   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+-- 
+2.43.0
+

SOURCES/0586-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch

@@ -0,0 +1,58 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH 2/6] fs/ntfs: Fix an OOB read when reading data from the
+ resident $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c3c4db117bba..a68e173d8285 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 
+-- 
+2.43.0
+

SOURCES/0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch

@@ -0,0 +1,73 @@
+From 7e5f031a6a6a3decc2360a7b0c71abbe598e7354 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:33:17 +0300
+Subject: [PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries
+ from resident and non-resident index attributes
+
+This fix introduces checks to ensure that index entries are never read
+beyond the corresponding directory index.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index a68e173d8285..2d78b96e19fb 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
+ }
+ 
+ static int
+-list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
++list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos,
+ 	   grub_fshelp_iterate_dir_hook_t hook, void *hook_data)
+ {
+   grub_uint8_t *np;
+@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+       grub_uint8_t namespace;
+       char *ustr;
+ 
++      if ((pos >= end_pos) || (end_pos - pos < 0x52))
++        break;
++
+       if (pos[0xC] & 2)		/* end signature */
+ 	break;
+ 
+@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+       ns = *(np++);
+       namespace = *(np++);
+ 
++      if (2 * ns > end_pos - pos - 0x52)
++        break;
++
+       /*
+        *  Ignore files in DOS namespace, as they will reappear as Win32
+        *  names.
+@@ -806,7 +812,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+     }
+ 
+   cur_pos += 0x10;		/* Skip index root */
+-  ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data);
++  ret = list_file (mft, cur_pos + u16at (cur_pos, 0),
++                   at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
++                   hook, hook_data);
+   if (ret)
+     goto done;
+ 
+@@ -893,6 +901,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 			     (const grub_uint8_t *) "INDX")))
+ 		goto done;
+ 	      ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)],
++			       indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR),
+ 			       hook, hook_data);
+ 	      if (ret)
+ 		goto done;
+-- 
+2.43.0
+

SOURCES/0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch

@@ -0,0 +1,51 @@
+From 7a5a116739fa6d8a625da7d6b9272c9a2462f967 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:33:44 +0300
+Subject: [PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for index
+ attributes
+
+This fix introduces checks to ensure that bitmaps for directory indices
+are never read beyond their actual sizes.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2d78b96e19fb..bb70c89fb803 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -843,6 +843,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 
+ 	  if (is_resident)
+ 	    {
++              if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large");
++		  goto done;
++		}
++
++              if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++		  goto done;
++		}
++
++              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++		  goto done;
++		}
++
+               grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
+                            bitmap_len);
+ 	    }
+-- 
+2.43.0
+

SOURCES/0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch

@@ -0,0 +1,61 @@
+From 1fe82c41e070385e273d7bb1cfb482627a3c28e8 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:38:19 +0300
+Subject: [PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label
+
+This fix introduces checks to ensure that an NTFS volume label is always
+read from the corresponding file record segment.
+
+The current NTFS code allows the volume label string to be read from an
+arbitrary, attacker-chosen memory location. However, the bytes read are
+always treated as UTF-16LE. So, the final string displayed is mostly
+unreadable and it can't be easily converted back to raw bytes.
+
+The lack of this check is a minor issue, likely not causing a significant
+data leak.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index bb70c89fb803..ff5e3740f0dd 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -1213,13 +1213,29 @@ grub_ntfs_label (grub_device_t device, char **label)
+ 
+   init_attr (&mft->attr, mft);
+   pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME);
++
++  if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++    {
++      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++      goto fail;
++    }
++
++  if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16)
++    {
++      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++      goto fail;
++    }
++
+   if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
+     {
+       int len;
+ 
+       len = u32at (pa, 0x10) / 2;
+       pa += u16at (pa, 0x14);
+-      *label = get_utf8 (pa, len);
++      if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
++        *label = get_utf8 (pa, len);
++      else
++        grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
+     }
+ 
+ fail:
+-- 
+2.43.0
+

SOURCES/0590-fs-ntfs-Make-code-more-readable.patch

@@ -0,0 +1,159 @@
+From e58b870ff926415e23fc386af41ff81b2f588763 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:40:07 +0300
+Subject: [PATCH 6/6] fs/ntfs: Make code more readable
+
+Move some calls used to access NTFS attribute header fields into
+functions with human-readable names.
+
+Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 48 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index ff5e3740f0dd..de435aa14d85 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -52,6 +52,24 @@ u64at (void *ptr, grub_size_t ofs)
+   return grub_le_to_cpu64 (grub_get_unaligned64 ((char *) ptr + ofs));
+ }
+ 
++static grub_uint16_t
++first_attr_off (void *mft_buf_ptr)
++{
++  return u16at (mft_buf_ptr, 0x14);
++}
++
++static grub_uint16_t
++res_attr_data_off (void *res_attr_ptr)
++{
++  return u16at (res_attr_ptr, 0x14);
++}
++
++static grub_uint32_t
++res_attr_data_len (void *res_attr_ptr)
++{
++  return u32at (res_attr_ptr, 0x10);
++}
++
+ grub_ntfscomp_func_t grub_ntfscomp_func;
+ 
+ static grub_err_t
+@@ -106,7 +124,7 @@ init_attr (struct grub_ntfs_attr *at, struct grub_ntfs_file *mft)
+ {
+   at->mft = mft;
+   at->flags = (mft == &mft->data->mmft) ? GRUB_NTFS_AF_MMFT : 0;
+-  at->attr_nxt = mft->buf + u16at (mft->buf, 0x14);
++  at->attr_nxt = mft->buf + first_attr_off (mft->buf);
+   at->attr_end = at->emft_buf = at->edat_buf = at->sbuf = NULL;
+ }
+ 
+@@ -154,7 +172,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 		    return NULL;
+ 		}
+ 
+-	      new_pos = &at->emft_buf[u16at (at->emft_buf, 0x14)];
++	      new_pos = &at->emft_buf[first_attr_off (at->emft_buf)];
+ 	      while (*new_pos != 0xFF)
+ 		{
+ 		  if ((*new_pos == *at->attr_cur)
+@@ -213,7 +231,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	}
+       else
+ 	{
+-	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
++	  at->attr_nxt = at->attr_end + res_attr_data_off (pa);
+ 	  at->attr_end = at->attr_end + u32at (pa, 4);
+ 	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ 	}
+@@ -399,20 +417,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ 
+   if (pa[8] == 0)
+     {
+-      if (ofs + len > u32at (pa, 0x10))
++      if (ofs + len > res_attr_data_len (pa))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+ 
+-      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++      if (res_attr_data_len (pa) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
+ 
+       if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+ 
+-      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++      if (res_attr_data_off (pa) + res_attr_data_len (pa) >
+ 	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+ 
+-      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
++      grub_memcpy (dest, pa + res_attr_data_off (pa) + ofs, len);
+       return 0;
+     }
+ 
+@@ -556,7 +574,7 @@ init_file (struct grub_ntfs_file *mft, grub_uint64_t mftno)
+ 			   (unsigned long long) mftno);
+ 
+       if (!pa[8])
+-	mft->size = u32at (pa, 0x10);
++	mft->size = res_attr_data_len (pa);
+       else
+ 	mft->size = u64at (pa, 0x30);
+ 
+@@ -805,7 +823,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 	  (u32at (cur_pos, 0x18) != 0x490024) ||
+ 	  (u32at (cur_pos, 0x1C) != 0x300033))
+ 	continue;
+-      cur_pos += u16at (cur_pos, 0x14);
++      cur_pos += res_attr_data_off (cur_pos);
+       if (*cur_pos != 0x30)	/* Not filename index */
+ 	continue;
+       break;
+@@ -834,7 +852,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 	{
+           int is_resident = (cur_pos[8] == 0);
+ 
+-          bitmap_len = ((is_resident) ? u32at (cur_pos, 0x10) :
++          bitmap_len = ((is_resident) ? res_attr_data_len (cur_pos) :
+                         u32at (cur_pos, 0x28));
+ 
+           bmp = grub_malloc (bitmap_len);
+@@ -855,14 +873,14 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 		  goto done;
+ 		}
+ 
+-              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++              if (res_attr_data_off (cur_pos) + res_attr_data_len (cur_pos) >
+ 		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
+ 		{
+ 		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+ 		  goto done;
+ 		}
+ 
+-              grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
++              grub_memcpy (bmp, cur_pos + res_attr_data_off (cur_pos),
+                            bitmap_len);
+ 	    }
+           else
+@@ -1226,12 +1244,12 @@ grub_ntfs_label (grub_device_t device, char **label)
+       goto fail;
+     }
+ 
+-  if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
++  if ((pa) && (pa[8] == 0) && (res_attr_data_len (pa)))
+     {
+       int len;
+ 
+-      len = u32at (pa, 0x10) / 2;
+-      pa += u16at (pa, 0x14);
++      len = res_attr_data_len (pa) / 2;
++      pa += res_attr_data_off (pa);
+       if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
+         *label = get_utf8 (pa, len);
+       else
+-- 
+2.43.0
+

SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval <lsandova@redhat.com>
+Date: Thu, 19 Sep 2024 10:15:13 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Signed-off-by: Leo Sandoval <lsandova@redhat.com>
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index a1c00776d..573004915 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+-    oldumask=$(umask); umask 077
++    oldumask=$(umask); umask 177
+     cat ${grub_cfg}.new > ${grub_cfg}
+     umask $oldumask
+     rm -f ${grub_cfg}.new

SOURCES/20-grub.install

@@ -90,13 +90,10 @@ case "$COMMAND" in
             [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
             BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
             BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
-            if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
-                cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
-            else
-                mkbls "${KERNEL_VERSION}" \
-                    "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
-                    >"${BLS_TARGET}"
-            fi
+            mkbls "${KERNEL_VERSION}" \
+                "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
+                >"${BLS_TARGET}"
+            command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"
 
             LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
             INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"
@@ -109,7 +106,11 @@ case "$COMMAND" in
                 sed -i -e "s,^initrd.*,initrd ${BOOTPREFIX}${INITRD},g" "${BLS_TARGET}"
             fi
 
-            if [[ "$KERNEL_VERSION" == *\+* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ]; then
+            if ( [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && \
+                     [ "x$GRUB_NON_STANDARD_KERNEL" == "xtrue" ] ) || \
+                   ( echo "$KERNEL_VERSION" | grep -E -q "64k|auto|rt|uki" && \
+                    	[ "x$GRUB_NON_STANDARD_KERNEL" != "xtrue" ] ) || \
+                   ( [[ "$KERNEL_VERSION" == *debug* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ] ); then
                 GRUB_UPDATE_DEFAULT_KERNEL=false
             fi
 

SOURCES/grub.macros

@@ -589,14 +589,15 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
+touch grub.cfg							\
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/	\
 %{nil}
 
 %define define_legacy_variant_files()				\
 %{expand:%%files %{1}}						\
 %defattr(-,root,root,-)						\
 %config(noreplace) %{_sysconfdir}/%{name}.cfg			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ifarch ppc64le						\
 %dir %{_libdir}/grub/%{2}/					\

SOURCES/grub.patches

@@ -552,3 +552,40 @@ Patch0551: 0551-nx-set-page-permissions-for-loaded-modules.patch
 Patch0552: 0552-nx-set-attrs-in-our-kernel-loaders.patch
 Patch0553: 0553-nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch
 Patch0554: 0554-Fixup-grub_efi_get_variable-type-in-our-loaders.patch
+Patch0555: 0555-Make-debug-file-show-which-file-filters-get-run.patch
+Patch0556: 0556-efi-use-enumerated-array-positions-for-our-allocatio.patch
+Patch0557: 0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch
+Patch0558: 0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch
+Patch0559: 0559-ieee1275-implement-vec5-for-cas-negotiation.patch
+Patch0560: 0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch
+Patch0561: 0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch
+Patch0562: 0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
+Patch0563: 0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
+Patch0564: 0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch
+Patch0565: 0565-font-Remove-grub_font_dup_glyph.patch
+Patch0566: 0566-font-Fix-integer-overflow-in-ensure_comb_space.patch
+Patch0567: 0567-font-Fix-integer-overflow-in-BMP-index.patch
+Patch0568: 0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch
+Patch0569: 0569-fbutil-Fix-integer-overflow.patch
+Patch0570: 0570-font-Fix-an-integer-underflow-in-blit_comb.patch
+Patch0571: 0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
+Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
+Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
+Patch0574: 0574-Enable-TDX-measurement-to-RTMR-register.patch
+Patch0575: 0575-Enable-shared-processor-mode-in-vector-5.patch
+Patch0576: 0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch
+Patch0577: 0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch
+Patch0578: 0578-ieee1275-extended-support-in-options-vector5.patch
+Patch0579: 0579-Regenerate-kernelopts-if-missing-on-ppc.patch
+Patch0580: 0580-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch
+Patch0581: 0581-util-Enable-default-kernel-for-updates.patch
+Patch0582: 0582-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch
+Patch0583: 0583-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch
+Patch0584: 0584-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch
+Patch0585: 0585-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
+Patch0586: 0586-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
+Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
+Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
+Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
+Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
+Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch

SOURCES/sbat.csv.in

@@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,2,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
+grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
 grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com

SPECS/grub2.spec

@@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	138%{?dist}
+Release:	158%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -310,6 +310,19 @@ if [ "$1" = 2 ]; then
 	/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
 fi
 
+%posttrans common
+set -eu
+
+GRUB_HOME=/boot/%{name}
+
+if test  -f ${GRUB_HOME}/grub.cfg; then
+    # make sure GRUB_HOME/grub.cfg has 600 permissions
+    GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
+    if ! test "${GRUB_CFG_MODE}" = "600"; then
+        chmod 0600 ${GRUB_HOME}/grub.cfg
+    fi
+fi
+
 %triggerun -- grub2 < 1:1.99-4
 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
 # from the affected grub2 packages, we first back up the files in triggerun and
@@ -510,48 +523,128 @@ fi
 %endif
 
 %changelog
-* Wed Jul 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-138
+* Thu Sep 19 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-158
+- grub-mkconfig.in: turn off executable owner bit
+- Resolves: #RHEL-58835
+
+* Wed Aug 14 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-157
+- 20-grub-install: fix SELinux security type context for BLS
+- Resolves: #RHEL-4395
+
+* Tue Feb 20 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-156
+- fs/ntfs: OOB write fix
+- (CVE-2023-4692)
+- Resolves: #RHEL-11566
+
+* Thu Feb 8 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-155
+- grub-set-bootflag: Fix for CVE-2024-1048
+- (CVE-2024-1048)
+- Resolves: #RHEL-20746
+
+* Mon Nov 27 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-154
+- Missing install script for previous commit
+- Related: #RHEL-4343
+
+* Fri Nov 24 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-153
+- util: Enable default kernel for updates
+- Resolves: #RHEL-4343
+
+* Fri Oct 20 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-152
+- kern/ieee1275/init: ppc64: Restrict high memory in presence
+  of fadump
+- Resolves: #RHEL-14283
+
+* Mon Aug 28 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-151
+- util: Regenerate kernelopts if missing on ppc
+- Resolves: #2051889
+
+* Fri Jun 16 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-150
+- kern/ieee1275/init: sync vec5 patchset with upstream
+- Resolves: #2172111
+
+* Wed Jun 14 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-149
+- efi/http: change uint32_t to uintn_t for grub_efi_http_message_t
+- Resolves: #2178388
+
+* Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-148
+- ppc64le: cas5, take 3
+- Resolves: #2139508
+
+* Tue Jan 10 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-147
+- Enable TDX measurement to RTMR register
+- Resolves: #1981485
+
+* Wed Dec 14 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-146
+- ppc64le: fix lpar cas5
+- Resolves: #2139508
+
+* Tue Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.02-145
+- Font CVE fixes
+- Resolves: CVE-2022-2601
+
+* Tue Oct 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-144
+- blscfg: don't assume newline at end of cfg
+- Resolves: #2121132
+
+* Wed Oct 12 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-143
+- x86-efi: Fix an incorrect array size in kernel allocation
+- Also merge with 8.7
+- Resolves: #2031288
+
+* Thu Aug 25 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-141
+- Implement vec5 for cas negotiation
+- Resolves: #2117914
+
+* Wed Aug 24 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-140
+- Or two, because I forgot the debug patch
+- Resolves: #2118896
+
+* Thu Aug 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-139
+- Kernel allocator fixups (in one pass)
+- Resolves: #2118896
+
+* Wed Jul 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-138
 - Rotate signing keys on ppc64le
 - Resolves: #2074762
 
-* Fri Jun 03 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-137
+* Fri Jun 03 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-137
 - CVE fixes for 2022-06-07
 - CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
 - CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
 - Resolves: #2070687
 
-* Mon May 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-129
+* Mon May 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-129
 - ppc64le: Slow boot after LPM
 - Resolves: #2070347
 
-* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-127
+* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-127
 - ppc64le: CAS improvements, prefix detection, and vTPM support
 - Resolves: #2076795
 - Resolves: #2026568
 - Resolves: #2051331
 
-* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-126
+* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-126
 - Fix rpm verification error on grub.cfg permissions
 - Resolves: #2071643
 
-* Wed Apr 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-125
+* Wed Apr 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-125
 - RHEL 8.6.0 import; no code changes
 - Resolves: #2062892
 
-* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-123
+* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-123
 - Bump for signing
 
-* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-122
+* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-122
 - Fix initialization on efidisk patch
 
-* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-121
+* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-121
 - Backport support for loading initrd above 4GB
 
-* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-120
+* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-120
 - Bump signing
 - Resolves: #2032294
 
-* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-119
+* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-119
 - Enable connectefi module
 - Resolves: #2032294