grub

Merge ~mkukri/grub:ubuntu into ~ubuntu-core-dev/grub/+git/ubuntu:master

Git
lp:~mkukri/grub
ubuntu
Merge into master

Proposed by Mate Kukri on 2024-01-31

Status:

Merged

Merge reported by:

Julian Andres Klode

Merged at revision:

b64aac60df87dbd18ae956dc51bb0430f7d978a1

Proposed branch:

~mkukri/grub:ubuntu

Merge into:

~ubuntu-core-dev/grub/+git/ubuntu:master

Diff against target:

95559 lines (+35434/-11890)

299 files modified

ChangeLog (+1496/-0)
INSTALL (+1/-1)
Makefile.in (+43/-28)
Makefile.util.am (+10/-1)
Makefile.util.def (+7/-1)
NEWS (+20/-0)
autogen.sh (+1/-1)
conf/Makefile.common (+1/-1)
config-util.h.in (+7/-4)
config.h.in (+2/-0)
configure (+191/-59)
configure.ac (+101/-36)
debian/build-efi-images (+13/-13)
debian/canonical-uefi-ca.crt (+25/-0)
debian/changelog (+2069/-0)
debian/control (+17/-20)
debian/grub-check-signatures (+136/-0)
debian/grub-common.dirs (+1/-0)
debian/grub-common.install.in (+5/-0)
debian/grub-common.templates (+53/-0)
debian/grub-multi-install (+419/-0)
debian/grub-sort-version (+56/-0)
debian/patches/Revert-kern-ieee1275-cmain-ppc64-Introduce-flags-to-ident.patch (+52/-0)
debian/patches/Revert-kern-ieee1275-ieee1275-Display-successful-memory-c.patch (+52/-0)
debian/patches/Revert-kern-ieee1275-init-ppc64-Add-support-for-alignment.patch (+48/-0)
debian/patches/Revert-kern-ieee1275-init-ppc64-Decide-by-request-whether.patch (+60/-0)
debian/patches/Revert-kern-ieee1275-init-ppc64-Display-upper_mem_limit-w.patch (+24/-0)
debian/patches/Revert-kern-ieee1275-init-ppc64-Fix-a-comment.patch (+22/-0)
debian/patches/Revert-kern-ieee1275-init-ppc64-Introduce-a-request-for-r.patch (+164/-0)
debian/patches/Revert-kern-ieee1275-init-ppc64-Rename-regions_claim-to-g.patch (+58/-0)
debian/patches/Revert-kern-ieee1275-init-ppc64-Return-allocated-address-.patch (+36/-0)
debian/patches/Revert-loader-powerpc-ieee1275-Use-new-allocation-functio.patch (+99/-0)
debian/patches/efi-variable-storage-minimise-writes.patch (+6/-6)
debian/patches/extra_deps_lst.patch (+17/-0)
debian/patches/fdt-device-tree-fixup-protocol.patch (+1/-1)
debian/patches/gfxpayload-dynamic.patch (+6/-6)
debian/patches/grub-install-pvxen-paths.patch (+3/-3)
debian/patches/grub-legacy-0-based-partitions.patch (+1/-1)
debian/patches/grub-sort-version.patch (+37/-0)
debian/patches/hwmatch-only-on-grub-pc-platform.patch (+2/-2)
debian/patches/insmod-xzio-and-lzopio-on-xen.patch (+2/-2)
debian/patches/install-efi-adjust-distributor.patch (+1/-1)
debian/patches/install-locale-langpack.patch (+7/-7)
debian/patches/install-powerpc-machtypes.patch (+1/-1)
debian/patches/install-stage2-confusion.patch (+2/-2)
debian/patches/maybe-quiet.patch (+6/-6)
debian/patches/mkconfig-loopback.patch (+2/-2)
debian/patches/mkconfig-nonexistent-loopback.patch (+1/-1)
debian/patches/mkconfig-recovery-title.patch (+8/-8)
debian/patches/mkconfig-ubuntu-distributor.patch (+1/-1)
debian/patches/mkconfig-ubuntu-recovery.patch (+19/-11)
debian/patches/network/bootp-new-net_bootp6-command.patch (+1/-1)
debian/patches/network/efinet-Configure-network-from-UEFI-device-path.patch (+1/-1)
debian/patches/network/efinet-add-structures-for-PXE-messages.patch (+1/-1)
debian/patches/network/efinet-set-dns-from-uefi-proto.patch (+1/-1)
debian/patches/network/http-prepend-prefix-when-the-http-path-is-relative.patch (+2/-2)
debian/patches/network/net-http-check-result-of-grub_netbuff_put-in-http_receive.patch (+2/-2)
debian/patches/network/support-uefi-networking-protocols.patch (+13/-15)
debian/patches/network/try-prefixes-for-tftp-config-file.patch (+2/-2)
debian/patches/olpc-prefix-hack.patch (+4/-4)
debian/patches/pc-verifiers-module.patch (+2/-2)
debian/patches/quick-boot.patch (+6/-6)
debian/patches/recovery-dis_ucode_ldr.patch (+2/-2)
debian/patches/restore-mkdevicemap.patch (+1/-1)
debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch (+23/-0)
debian/patches/rhboot-f34-make-exit-take-a-return-code.patch (+280/-0)
debian/patches/secure-boot/efi-use-peimage-shim.patch (+1/-1)
debian/patches/secure-boot/loader-framework.patch (+7/-7)
debian/patches/secure-boot/revert-efi-fallback-to-legacy.patch (+27/-8)
debian/patches/series (+42/-14)
debian/patches/suse-grub.texi-add-net_bootp6-document.patch (+49/-0)
debian/patches/ubuntu-add-devicetree-command-support.patch (+51/-0)
debian/patches/ubuntu-add-initrd-less-boot-fallback.patch (+212/-0)
debian/patches/ubuntu-add-initrd-less-boot-messages.patch (+68/-0)
debian/patches/ubuntu-boot-from-multipath-dependent-symlink.patch (+68/-0)
debian/patches/ubuntu-dont-verify-loopback-images.patch (+35/-0)
debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch (+29/-0)
debian/patches/ubuntu-grub-install-extra-removable.patch (+65/-39)
debian/patches/ubuntu-install-signed.patch (+43/-42)
debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch (+28/-0)
debian/patches/ubuntu-os-prober-auto.patch (+51/-0)
debian/patches/ubuntu-recovery-dis_ucode_ldr.patch (+67/-0)
debian/patches/ubuntu-resilient-boot-boot-order.patch (+236/-0)
debian/patches/ubuntu-resilient-boot-ignore-alternative-esps.patch (+212/-0)
debian/patches/ubuntu-shorter-version-info.patch (+40/-0)
debian/patches/ubuntu-speed-zsys-history.patch (+157/-0)
debian/patches/ubuntu-support-initrd-less-boot.patch (+80/-0)
debian/patches/ubuntu-verifiers-last.patch (+59/-0)
debian/patches/ubuntu-zfs-enhance-support.patch (+1048/-0)
debian/patches/ubuntu-zfs-gfxpayload-dynamic.patch (+95/-0)
debian/patches/ubuntu-zfs-gfxpayload-keep-default.patch (+38/-0)
debian/patches/ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch (+32/-0)
debian/patches/ubuntu-zfs-mkconfig-recovery-title.patch (+49/-0)
debian/patches/ubuntu-zfs-mkconfig-signed-kernel.patch (+93/-0)
debian/patches/ubuntu-zfs-mkconfig-ubuntu-distributor.patch (+36/-0)
debian/patches/ubuntu-zfs-mkconfig-ubuntu-recovery.patch (+66/-0)
debian/patches/ubuntu-zfs-vt-handoff.patch (+77/-0)
debian/patches/uefi-secure-boot-cryptomount.patch (+2/-2)
debian/patches/vt-handoff.patch (+6/-6)
debian/patches/xen-no-xsm-policy-in-non-xsm-options.patch (+1/-1)
debian/patches/zpool-full-device-name.patch (+1/-1)
debian/po/ar.po (+99/-18)
debian/po/ast.po (+107/-18)
debian/po/be.po (+118/-18)
debian/po/bg.po (+119/-18)
debian/po/ca.po (+120/-18)
debian/po/cs.po (+118/-18)
debian/po/cy.po (+120/-18)
debian/po/da.po (+119/-18)
debian/po/de.po (+122/-18)
debian/po/dz.po (+107/-18)
debian/po/el.po (+134/-33)
debian/po/eo.po (+118/-18)
debian/po/es.po (+119/-18)
debian/po/eu.po (+118/-18)
debian/po/fa.po (+108/-18)
debian/po/fi.po (+118/-18)
debian/po/fr.po (+136/-33)
debian/po/gl.po (+108/-18)
debian/po/gu.po (+106/-18)
debian/po/he.po (+117/-18)
debian/po/hr.po (+118/-18)
debian/po/hu.po (+109/-18)
debian/po/id.po (+119/-18)
debian/po/is.po (+119/-18)
debian/po/it.po (+120/-18)
debian/po/ja.po (+119/-18)
debian/po/ka.po (+87/-18)
debian/po/kk.po (+119/-18)
debian/po/km.po (+106/-18)
debian/po/ko.po (+118/-18)
debian/po/lt.po (+118/-18)
debian/po/lv.po (+118/-18)
debian/po/mr.po (+117/-18)
debian/po/nb.po (+129/-31)
debian/po/nl.po (+120/-18)
debian/po/pl.po (+120/-18)
debian/po/pt.po (+120/-18)
debian/po/pt_BR.po (+120/-18)
debian/po/ro.po (+265/-157)
debian/po/ru.po (+127/-27)
debian/po/si.po (+106/-18)
debian/po/sk.po (+107/-18)
debian/po/sl.po (+118/-18)
debian/po/sq.po (+105/-18)
debian/po/sr.po (+107/-18)
debian/po/sr@latin.po (+107/-18)
debian/po/sv.po (+119/-18)
debian/po/ta.po (+106/-18)
debian/po/templates.pot (+87/-18)
debian/po/th.po (+117/-18)
debian/po/tr.po (+118/-18)
debian/po/ug.po (+119/-18)
debian/po/uk.po (+118/-18)
debian/po/vi.po (+119/-18)
debian/po/zh_CN.po (+105/-18)
debian/po/zh_TW.po (+116/-18)
debian/postinst.in (+74/-4)
debian/rules (+81/-11)
debian/sbat.ubuntu.csv.in (+4/-0)
debian/signing-template/control.in (+1/-1)
debian/templates.in (+78/-8)
dev/null (+0/-48)
docs/Makefile.in (+1/-0)
docs/grub-dev.info (+55/-55)
docs/grub-dev.texi (+8/-2)
docs/grub.info (+265/-263)
docs/grub.info-1 (+155/-186)
docs/grub.info-2 (+123/-17)
docs/grub.texi (+101/-30)
docs/stamp-1 (+4/-4)
docs/stamp-vti (+4/-4)
docs/version-dev.texi (+4/-4)
docs/version.texi (+4/-4)
grub-core/Makefile.am (+4/-2)
grub-core/Makefile.core.am (+1/-1)
grub-core/Makefile.core.def (+1/-1)
grub-core/Makefile.in (+7/-4)
grub-core/commands/acpi.c (+22/-11)
grub-core/commands/efi/loadbios.c (+9/-28)
grub-core/commands/efi/lsefi.c (+2/-2)
grub-core/commands/efi/lsefisystab.c (+8/-2)
grub-core/commands/efi/lssal.c (+6/-12)
grub-core/commands/efi/smbios.c (+2/-26)
grub-core/commands/ls.c (+13/-13)
grub-core/commands/videoinfo.c (+5/-0)
grub-core/disk/cryptodisk.c (+23/-9)
grub-core/disk/diskfilter.c (+1/-3)
grub-core/disk/i386/pc/biosdisk.c (+4/-1)
grub-core/efiemu/runtime/efiemu.c (+31/-10)
grub-core/fs/archelp.c (+8/-0)
grub-core/fs/btrfs.c (+2/-0)
grub-core/fs/ntfs.c (+105/-16)
grub-core/fs/xfs.c (+65/-24)
grub-core/fs/zfs/zfs.c (+22/-7)
grub-core/fs/zfs/zfsinfo.c (+2/-2)
grub-core/genmoddep.awk (+4/-0)
grub-core/gfxmenu/gui_image.c (+7/-4)
grub-core/kern/acpi.c (+8/-0)
grub-core/kern/efi/acpi.c (+2/-24)
grub-core/kern/efi/efi.c (+18/-0)
grub-core/kern/efi/fdt.c (+6/-14)
grub-core/kern/efi/init.c (+3/-2)
grub-core/kern/efi/sb.c (+8/-0)
grub-core/kern/i386/pc/init.c (+10/-1)
grub-core/kern/ieee1275/cmain.c (+7/-1)
grub-core/kern/ieee1275/ieee1275.c (+3/-0)
grub-core/kern/ieee1275/init.c (+200/-15)
grub-core/kern/misc.c (+2/-2)
grub-core/kern/mm.c (+2/-2)
grub-core/lib/gnulib/Makefile.in (+1/-0)
grub-core/lib/i386/relocator64.S (+1/-1)
grub-core/lib/libgcrypt-grub/cipher/ChangeLog (+1/-1)
grub-core/loader/efi/linux.c (+3/-0)
grub-core/loader/i386/bsdXX.c (+12/-8)
grub-core/loader/i386/linux.c (+12/-0)
grub-core/loader/i386/xnu.c (+1/-1)
grub-core/loader/powerpc/ieee1275/linux.c (+46/-9)
grub-core/net/http.c (+2/-6)
grub-core/osdep/bsd/hostdisk.c (+6/-2)
grub-core/osdep/generic/blocklist.c (+26/-2)
grub-core/osdep/unix/getroot.c (+6/-6)
grub-core/partmap/gpt.c (+3/-0)
grub-core/term/ns8250-spcr.c (+3/-1)
grub-core/term/serial.c (+4/-1)
grub-core/video/efi_gop.c (+4/-0)
include/grub/disk.h (+3/-0)
include/grub/efi/api.h (+6/-6)
include/grub/efi/efi.h (+3/-0)
include/grub/efi/pe32.h (+6/-0)
include/grub/efiemu/efiemu.h (+2/-2)
include/grub/efiemu/runtime.h (+1/-1)
include/grub/gpt_partition.h (+1/-1)
include/grub/i386/linux.h (+13/-2)
include/grub/ieee1275/alloc.h (+39/-0)
include/grub/ieee1275/ieee1275.h (+4/-0)
include/grub/powerpc/ieee1275/ieee1275.h (+3/-0)
include/grub/sparc64/ieee1275/ieee1275.h (+3/-0)
include/grub/types.h (+11/-2)
include/grub/util/libnvpair.h (+9/-3)
po/LINGUAS (+1/-1)
po/POTFILES.in (+1/-0)
po/ast.po (+180/-153)
po/ca.po (+180/-153)
po/da.po (+180/-153)
po/de.po (+418/-394)
po/de@hebrew.po (+410/-386)
po/de_CH.po (+419/-394)
po/en@arabic.po (+185/-156)
po/en@cyrillic.po (+185/-156)
po/en@greek.po (+185/-156)
po/en@hebrew.po (+185/-156)
po/en@piglatin.po (+187/-156)
po/en@quot.po (+185/-156)
po/eo.po (+180/-153)
po/es.po (+180/-153)
po/fi.po (+181/-154)
po/fr.po (+393/-358)
po/gl.po (+180/-153)
po/grub.pot (+181/-154)
po/he.po (+7539/-0)
po/hr.po (+181/-154)
po/hu.po (+181/-154)
po/id.po (+181/-154)
po/it.po (+180/-153)
po/ja.po (+180/-153)
po/ka.po (+324/-326)
po/ko.po (+378/-369)
po/lg.po (+180/-153)
po/lt.po (+180/-153)
po/nb.po (+181/-154)
po/nl.po (+181/-154)
po/pa.po (+180/-153)
po/pl.po (+383/-382)
po/pt.po (+181/-154)
po/pt_BR.po (+180/-153)
po/ro.po (+432/-413)
po/ru.po (+181/-154)
po/sl.po (+180/-153)
po/sr.po (+383/-369)
po/sv.po (+181/-154)
po/tr.po (+180/-153)
po/uk.po (+382/-369)
po/vi.po (+385/-377)
po/zh_CN.po (+374/-374)
po/zh_TW.po (+180/-153)
tests/serial_test.in (+55/-0)
tests/util/grub-shell-luks-tester.in (+8/-3)
tests/util/grub-shell.in (+26/-13)
util/bash-completion.d/Makefile.in (+1/-0)
util/editenv.c (+2/-2)
util/getroot.c (+3/-3)
util/grub-install-common.c (+31/-18)
util/grub-install.c (+32/-30)
util/grub-mkconfig_lib.in (+54/-0)
util/grub-mkstandalone.c (+29/-8)
util/grub-mount.c (+3/-0)
util/grub.d/20_linux_xen.in (+8/-8)
util/grub.d/25_bli.in (+1/-1)

Related bugs:

Bug #2048953: grub fails to add boot entries if python3-apt is missing	Medium	Fix Released
Bug #2053117: ppc64el boot regression	Undecided	Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Julian Andres Klode		2024-01-31	Pending
Review via email: mp+459698@code.launchpad.net

Commit message

Rebase on top of grub2 2.12-1 from Debian sid.

Passed all automated, and some manual testing.

Also fixes the 'single recovery' issue.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Julian Andres Klode

Mate Kukri

Ubuntu Core Development Team

 diff --git a/ChangeLog b/ChangeLog
 index 2f75a1d..f33a8db 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,3 +1,1499 @@
++2023-12-20  Daniel Kiper  <daniel.kiper@oracle.com>
++
++	Release 2.12
++
++2023-12-20  Glenn Washburn  <development@efficientek.com>
++
++	efi: Add support for reproducible builds
++	Having randomly generated bytes in the binary output breaks reproducible
++	builds. Since build timestamps are usually the source of irreproducibility
++	there is a standard which defines an environment variable SOURCE_DATE_EPOCH
++	to be used when set for build timestamps. According to the standard [1], the
++	value of SOURCE_DATE_EPOCH is a base-10 integer of the number of seconds
++	since the UNIX epoch. Currently, this is a 10 digit number that fits into
++	32-bits, but will not shortly after the year 2100. So to be future-proof
++	only use the least significant 32-bits. On 64-bit architectures, where the
++	canary is also 64-bits, there is an extra 32-bits that can be filled to
++	provide more entropy. The first byte is NUL to filter out string buffer
++	overflow attacks and the remaining 24-bits are set to static random bytes.
++
++	[1] https://reproducible-builds.org/specs/source-date-epoch
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-20  Glenn Washburn  <development@efficientek.com>
++
++	efi: Generate stack protector canary at build time if urandom is available
++	Generating the canary at build time allows the canary to be different for
++	every build which could limit the effectiveness of certain exploits.
++	Fallback to the statically generated random bytes if /dev/urandom is not
++	readable, e.g. Windows.
++
++	On 32-bit architectures, which use a 32-bit canary, reduce the canary to
++	4 bytes with one byte being NUL to filter out string buffer overflow attacks.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-20  Glenn Washburn  <development@efficientek.com>
++
++	efi: Initialize canary to non-zero value
++	The canary, __stack_chk_guard, is in the BSS and so will get initialized to
++	zero if it is not explicitly initialized. If the UEFI firmware does not
++	support the RNG protocol, then the canary will not be randomized and will
++	be zero. This seems like a possibly easier value to write by an attacker.
++	Initialize canary to static random bytes, so that it is still random when
++	there is no RNG protocol. Set at least one byte to NUL to protect against
++	string buffer overflow attacks [1]. Code that writes NUL terminated strings
++	will terminate when a NUL is encountered in the input byte stream. So the
++	attacker will not be able to forge the canary by including it in the input
++	stream without terminating the string operation and thus limiting the
++	stack corruption.
++
++	[1] https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-14  Alec Brown  <alec.r.brown@oracle.com>
++
++	gfxmenu/gui_image: Fix double free of bitmap
++	In grub-core/gfxmenu/gui_image.c, Coverity detected a double free in the
++	function load_image(). The function checks if self->bitmap and self->raw_bitmap
++	aren't NULL and then frees them. In the case self->bitmap and self->raw_bitmap
++	are the same, only self->raw_bitmap is freed which would also free the memory
++	used by self->bitmap. However, in this case self->bitmap isn't being set to NULL
++	which could lead to a double free later in the code. After self->raw_bitmap is
++	freed, it gets set to the variable bitmap. If this variable is NULL, the code
++	could have a path that would free self->bitmap a second time in the function
++	rescale_image().
++
++	Fixes: CID 292472
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-13  Qiumiao Zhang  <zhangqiumiao1@huawei.com>
++
++	commands/acpi: Fix calculation of ACPI tables addresses when processing RSDT and XSDT
++	According to the ACPI specification the XSDT Entry field contains an array
++	of 64-bit physical addresses which points to other DESCRIPTION_HEADERs. However,
++	the entry_ptr iterator is defined as a 32-bit pointer. It means each 64-bit
++	entry in the XSDT table is treated as two separate 32-bit entries then. Fix the
++	issue by using correct addresses sizes when processing RSDT and XSDT tables.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	libnvpair: Support prefixed nvlist symbol names as found on NetBSD
++	NetBSD uses slightly different function names for the same functions.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	bootstrap: Don't check gettext version
++	NetBSD gettext is older than the check but we don't actually need 0.18.3,
++	older one works fine. This is needed to make bootstrap work on NetBSD.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	kern/mm: Use %x and cast for displaying sizeof()
++	There is some variance in how compiler treats sizeof() especially
++	on 32-bit platforms where it can be naturally either int or long.
++	Explicit cast solves the issue.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	configure: Add RPATH for freetype on NetBSD
++	Without this build-time mkfont fails dynamic linking. This is not ideal
++	but improves the situation until a better solution is available.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	configure: Add *BSD font paths
++	*BSD puts fonts in other places. Add them to the list.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	autogen: Accept python3.10 as a python alternative
++	NetBSD doesn't provide python or python3.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	build: Rename HAVE_LIBZFS to USE_LIBZFS
++	The HAVE_LIBZFS is defined by libzfs test and hence conflicts with
++	manual definition. On NetBSD it ends up detecting zfs but not detecting
++	nvpair and creates confusion. Split them.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	gnulib: Tolerate always_inline attribute being ignored
++	It's not critical, -Werror on it is inappropriate. We don't want to
++	modify gnulib too much. This warning is pretty much irrelevant.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	util/editenv: Don't use %m formatter
++	It's not available on NetBSD outside of syslog. Using strerror() is more
++	reliable as we retrieve errno immediately rather than down the stack.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	osdep/bsd/hostdisk: Fix NetBSD compilation
++	Wrong function and variable name cause a stupid compilation error on
++	NetBSD and OpenBSD. Only NetBSD and OpenBSD use this file. No other
++	platform is affected.
++
++	Additionally, define RAW_FLOPPY_MAJOR constant if it is missing.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	osdep/generic/blocklist: Fix compilation
++	After recent change in blocklist types we have a type mismatch. Fixing it
++	requires a wrapper or large changes. I feel like wrapper makes more sense.
++
++	Without this patch we end up with a compilation problem and without wrapping
++	callback data is not passed properly anymore.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	disk/diskfilter: Remove unused variable
++	Variable e is set but never used. We can just remove it now.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	build: Tolerate unused-but-set in generated lexer/bison files
++	We don't really control the small aspects of generated files and NetBSD
++	version has an unused variable that is then detected by gcc as warning
++	that is then promoted to error.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	loader/i386/bsdXX: Fix loading after unaligned module
++	Current code implicitly assumes that aligning chunk_size + *kern_end is
++	the same as aligning on curload which is not the case because
++	chunk_size starts at zero even if *kern_end is unaligned and ALIGN_PAGE
++	moved curload to an aligned position but not *kern_end + chunk_size.
++
++	This fixes booting of FreeBSD with zfs module.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Mate Kukri  <mate.kukri@canonical.com>
++
++	grub-core/Makefile.am: Make path to extra_deps.lst relative to $(top_srcdir)/grub-core
++	The commit 154dcb1ae (build: Allow explicit module dependencies) broke
++	out of tree builds by introducing the extra_deps.lst file into the
++	source tree but referencing it just by name in grub-core/Makefile.am.
++	Fix it by adding $(top_srcdir)/grub-core to the path.
++
++	Fixes: 154dcb1ae (build: Allow explicit module dependencies)
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Mate Kukri  <mate.kukri@canonical.com>
++
++	util/grub-install: Move platdir path canonicalization after files were copied to grubdir
++	The commit 3f9eace2d (util/grub-install: Delay copying files to
++	{grubdir,platdir} after install_device was validated) delaying
++	copying of files caused a regression when installing without an
++	existing directory structure.
++
++	This patch ensures that the platform directory actually exists by the
++	time the code tries to canonicalize its filename.
++
++	Fixes: 3f9eace2d (util/grub-install: Delay copying files to {grubdir,platdir} after install_device was validated)
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Michael Chang  <mchang@suse.com>
++
++	util/grub-mkstandalone: Ensure deterministic tar file creation by sorting contents
++	The add_tar_files() function currently iterates through a directory's
++	content using readdir(), which doesn't guarantee a specific order. This
++	lack of deterministic behavior impacts reproducibility in the build process.
++
++	This commit resolves the issue by introducing sorting functionality.
++	The list retrieved by readdir() is now sorted alphabetically before
++	incorporation into the tar archive, ensuring consistent and predictable
++	file ordering within the archive.
++
++	On the occasion fix tfp memory leak.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-12  Michael Chang  <mchang@suse.com>
++
++	util/grub-mkstandalone: Ensure stable timestamps for generated images
++	This change mirrors a previous fix [1] but is specific to images
++	generated by grub-mkstandalone.
++
++	The former fix, commit 85a7be241 (util/mkimage: Use stable timestamp
++	when generating binaries.), focused on utilizing a stable timestamp
++	during binary generation in the util/mkimage context. This commit
++	extends that approach to the images produced by grub-mkstandalone,
++	ensuring consistency and stability in timestamps across all generated
++	binaries.
++
++	[1] 85a7be241 util/mkimage: Use stable timestamp when generating binaries.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Mate Kukri  <mate.kukri@canonical.com>
++
++	net/http: Fix gcc-13 errors relating to type signedness
++	Replace definition of HTTP_PORT with a pre-processor macro that converts
++	the constant to the correct grub_uint16_t type.
++
++	Change "port" local variable definition in http_establish() to have the
++	same type.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com
++
++2023-12-05  Julian Andres Klode  <julian.klode@canonical.com>
++
++	templates: Reinstate unused version comparison functions with warning
++	Revert the commit a79c567f6 (templates: Remove unused version comparison
++	functions) and add a warning to the functions that they are deprecated.
++
++	Removing the functions directly caused a lot of upgrade issues
++	with custom user scripts that called the functions. In Debian and
++	Ubuntu, grub-mkconfig is invoked as a post-installation script
++	and would fail, causing upgrades to fail halfway through and
++	putting the package manager into an inconsistent state.
++
++	FWIW, we get one bug per 2 weeks basically, for an interim Ubuntu
++	release which generally does not receive much usage, that is a high
++	number.
++
++	The proposal is to pick this for 2.12 and directly after the release
++	remove it again. Then users will have time to fix their scripts without
++	systems breaking immediately.
++
++	This reverts commit a79c567f6 (templates: Remove unused version
++	comparison functions).
++
++	Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
++	Cc: Daniel Kiper <daniel.kiper@oracle.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Mate Kukri  <mate.kukri@canonical.com>
++
++	util/grub-install: Delay copying files to {grubdir,platdir} after install_device was validated
++	Previously grub-install copied modules to grubdir before doing any
++	validation on the install_device.
++
++	When grub-install was called with an invalid install_device, modules
++	were already copied to /boot before it found out and was forced to rely
++	on atexit() rollback.
++
++	This patch delays copying the modules after at least some install_device
++	validation was done, and thus reduces reliance on successful rollback.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Julian Andres Klode  <julian.klode@canonical.com>
++
++	efi: Set shim_lock_enabled even if validation is disabled
++	If validation has been disabled via MokSbState, secure boot on the
++	firmware is still enabled, and the kernel fails to boot.
++
++	This is a bit hacky, because shim_lock is not *fully* enabled, but
++	it triggers the right code paths.
++
++	Ultimately, all this will be resolved by shim gaining it's own image
++	loading and starting protocol, so this is more a temporary workaround.
++
++	Fixes: 6425c12cd (efi: Fallback to legacy mode if shim is loaded on x86 archs)
++
++	Cc: Peter Jones <pjones@redhat.com>
++	Cc: Michael Chang <mchang@suse.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Oliver Steffen  <osteffen@redhat.com>
++
++	docs: Improve bli module documentation
++	Improve the documentation of the bli module and explain in more detail what
++	it does. Make clear that GPT formatted drives are expected and other
++	partition formats are ignored. Also reorder and reword this section a bit.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Oliver Steffen  <osteffen@redhat.com>
++
++	bli: Add explicit dependency on the part_gpt module
++	The bli module has a "hidden" dependency on the part_gpt module, which
++	is not picked up automatically by the build system. One purpose of the
++	bli module is to communicate the GPT UUID of the partition GRUB was
++	launched from to Linux user-space (systemd-gpt-auto-generator).
++	Without the part_gpt module, bli is not able to obtain the UUID. Since
++	bli does its work in the module initialization function, the order in
++	which the modules are loaded is also important: part_gpt needs to be
++	loaded before the bli module.
++
++	To solve this, track this dependency explicitly.
++
++	Note that the Boot Loader Interface specification, which bli aims to
++	implement, requires GPT formatted drives. The bli module ignores all
++	other partition formats.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Oliver Steffen  <osteffen@redhat.com>
++
++	build: Allow explicit module dependencies
++	The build system deduces inter-module dependencies from the symbols
++	required and exported by the modules. This works well, except for some
++	rare cases where the dependency is indirect or hidden. A module might
++	not make use of any function of some other module, but still expect its
++	functionality to be available to GRUB.
++
++	To solve this, introduce a new file, currently empty, called extra_deps.lst
++	to track these cases manually. This file gets processed in the same way
++	as the automatically generated syminfo.lst, making it possible to inject
++	data into the dependency resolver.
++
++	Since *.lst files are set to be ignored by git, add an exception for
++	extra_deps.lst.
++
++	Additionally, introduce a new keyword for the syminfo.lst syntax:
++	"depends" allows specifying a module dependency directly:
++
++	  depends <module> <depdendency>...
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init/ppc64: Display upper_mem_limit when debugging
++	Display upper_mem_limit and its rounded-down value in MiB.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init/ppc64: Fix a comment
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/ieee1275: Display successful memory claims when debugging
++	Display successful memory claims with exact address and rounded-down
++	MiB location and rounded-up size in MiB.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Eric Snowberg <eric.snowberg@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	loader/powerpc/ieee1275: Use new allocation function for kernel and initrd
++	On PowerVM and KVM on Power use the new memory allocation function that
++	honors restrictions on which memory GRUB can actually use. In the request
++	structure indicate the request for a single memory block along with
++	address alignment restrictions. Request direct usage of the memory block
++	by setting init_region to false (prevent it from being added to GRUB's
++	heap). Initialize the found addr to -1, so that -1 will be returned
++	to the loader in case no memory could be allocated.
++
++	Report an out-of-memory error in case the initrd could not be loaded.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/cmain/ppc64: Introduce flags to identify KVM and PowerVM
++	Introduce flags to identify PowerVM and KVM on Power and set them where
++	each type of host has been detected.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init/ppc64: Rename regions_claim() to grub_regions_claim()
++	Rename regions_claim() to grub_regions_claim() to make it available for
++	memory allocation. The ieee1275 loader will use this function on PowerVM
++	and KVM on Power and thus avoid usage of memory that it is not allowed
++	to use.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init/ppc64: Add support for alignment requirements
++	Add support for memory alignment requirements and adjust a candidate
++	address to it before checking whether the block is large enough. This
++	must be done in this order since the alignment adjustment can make
++	a block smaller than what was requested.
++
++	None of the current callers has memory alignment requirements but the
++	ieee1275 loader for kernel and initrd will use it to convey them.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init/ppc64: Return allocated address using context
++	Return the allocated address of the memory block in the request structure
++	if a memory allocation was actually done. Leave the address untouched
++	otherwise. This enables a caller who wants to use the allocated memory
++	directly, rather than adding the memory to the heap, to see where memory
++	was allocated. None of the current callers need this but the converted
++	ieee1275 loader will make use of it.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init/ppc64: Decide by request whether to initialize region
++	Let the regions_claim() request structure's init_region determine whether
++	to call grub_mm_init_region() on it. This allows for adding memory to
++	GRUB's memory heap if init_region is set to true, or direct usage of the
++	memory otherwise. Set all current callers' init_region to true since they
++	want to add memory regions to GRUB's heap.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init/ppc64: Introduce a request for regions_claim()
++	The regions_claim() function limits the allocation of memory regions
++	by excluding certain memory areas from being used by GRUB. This for
++	example includes a gap between 640MB and 768MB as well as an upper
++	limit beyond which no memory may be used when an fadump is present.
++	However, the ieee1275 loader for kernel and initrd currently does not
++	use regions_claim() for memory allocation on PowerVM and KVM on Power
++	and therefore may allocate memory in those areas that it should not use.
++
++	To make the regions_claim() function more flexible and ultimately usable
++	for the ieee1275 loader, introduce a request structure to pass various
++	parameters to the regions_claim() function that describe the properties
++	of requested memory chunks. In a first step, move the total and flags
++	variables into this structure.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++
++2023-11-22  Anthony Iliopoulos  <ailiop@suse.com>
++
++	fs/xfs: Add large extent counters incompat feature support
++	XFS introduced 64-bit extent counters for inodes via a series of
++	upstream commits and the feature was marked as stable in v6.5 via
++	commit 61d7e8274cd8 (xfs: drop EXPERIMENTAL tag for large extent
++	counts).
++
++	Further, xfsprogs release v6.5.0 switched this feature on by default
++	in mkfs.xfs via commit e5b18d7d1d96 (mkfs: enable large extent counts
++	by default).
++
++	Filesystems formatted with large extent count support, nrext64=1, are
++	thus currently not recognizable by GRUB, since this is an incompat
++	feature. Add the required support so that those filesystems and inodes
++	with large extent counters can be read by GRUB.
++
++	Reviewed-by: Andrey Albershteyn <aalbersh@redhat.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Tested-by: Marta Lewandowska <mlewando@redhat.com>
++	Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
++
++2023-11-08  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	gpt: Add compile time asserts for guid and gpt_partentry sizes
++	With new alignment specification it's easy to screw up. Fortunately if it
++	happens the size will be bigger than intended. Compile time assert will catch
++	this.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-11-08  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	types: Split aligned and packed guids
++	On ia64 alignment requirements are strict. When we pass a pointer to
++	UUID it needs to be at least 4-byte aligned or EFI will crash.
++	On the other hand in device path there is no padding for UUID, so we
++	need 2 types in one formor another. Make 4-byte aligned and unaligned types
++
++	The code is structured in a way to accept unaligned inputs
++	in most cases and supply 4-byte aligned outputs.
++
++	Efiemu case is a bit ugly because there inputs and outputs are
++	reversed and so we need careful casts to account for this
++	inversion.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	gpt_partition: Mark grub_gpt_partentry as having natural alignment
++	gpt_partition contains grub_guid. We need to decide whether the whole
++	structure is unaligned and then we need to use packed_guid. But we never
++	have unaligned part entries as we read them in an aligned buffer from disk.
++	Hence just make it all aligned.
++
++2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	efi: Deduplicate configuration table search function
++	We do table search in many places doing exactly the same algorithm.
++	The only minor variance in users is which table is used if several entries
++	are present. As specification mandates uniqueness and even if it ever isn't,
++	first entry is good enough, unify this code and always use the first entry.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	lsefi: Add missing static qualifier
++	known_protocols isn't used anywhere else and even misses grub_ prefix, so
++	let's make it local (static).
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	types: Fix typo
++	Just a small grammar mistake.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-30  Qiumiao Zhang  <zhangqiumiao1@huawei.com>
++
++	util/grub-mount: Check file path sanity
++	The function argp_parser() in util/grub-mount.c lacks a check on the
++	sanity of the file path when parsing parameters. This results in
++	a segmentation fault if a partition is mounted to a non-existent path.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-30  Richard Marko  <srk@48.io>
++
++	configure: Make the DJVU_FONT_SOURCE configurable with --with-dejavufont=FILE
++	Font might be located in different location, the default font might
++	not be available on all systems or other font might be preferred.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-30  Mads Kiilerich  <mads@kiilerich.com>
++
++	configure: Make the Unifont FONT_SOURCE configurable with --with-unifont=FILE
++	Font might be located in different location, the default font might
++	not be available on all systems or other font might be preferred.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-30  Jon DeVree  <nuxi@vault24.org>
++
++	fs/xfs: Fix XFS directory extent parsing
++	The XFS directory entry parsing code has never been completely correct
++	for extent based directories. The parser correctly handles the case
++	where the directory is contained in a single extent, but then mistakenly
++	assumes the data blocks for the multiple extent case are each identical
++	to the single extent case. The difference in the format of the data
++	blocks between the two cases is tiny enough that its gone unnoticed for
++	a very long time.
++
++	A recent change introduced some additional bounds checking into the XFS
++	parser. Like GRUB's existing parser, it is correct for the single extent
++	case but incorrect for the multiple extent case. When parsing a directory
++	with multiple extents, this new bounds checking is sometimes (but not
++	always) tripped and triggers an "invalid XFS directory entry" error. This
++	probably would have continued to go unnoticed but the /boot/grub/<arch>
++	directory is large enough that it often has multiple extents.
++
++	The difference between the two cases is that when there are multiple
++	extents, the data blocks do not contain a trailer nor do they contain
++	any leaf information. That information is stored in a separate set of
++	extents dedicated to just the leaf information. These extents come after
++	the directory entry extents and are not included in the inode size. So
++	the existing parser already ignores the leaf extents.
++
++	The only reason to read the trailer/leaf information at all is so that
++	the parser can avoid misinterpreting that data as directory entries. So
++	this updates the parser as follows:
++
++	For the single extent case the parser doesn't change much:
++	1. Read the size of the leaf information from the trailer
++	2. Set the end pointer for the parser to the start of the leaf
++	   information. (The previous bounds checking set the end pointer to the
++	   start of the trailer, so this is actually a small improvement.)
++	3. Set the entries variable to the expected number of directory entries.
++
++	For the multiple extent case:
++	1. Set the end pointer to the end of the block.
++	2. Do not set up the entries variable. Figuring out how many entries are
++	   in each individual block is complex and does not seem worth it when
++	   it appears to be safe to just iterate over the entire block.
++
++	The bounds check itself was also dependent upon the faulty XFS parser
++	because it accidentally used "filename + length - 1". Presumably this
++	was able to pass the fuzzer because in the old parser there was always
++	8 bytes of slack space between the tail pointer and the actual end of
++	the block. Since this is no longer the case the bounds check needs to be
++	updated to "filename + length + 1" in order to prevent a regression in
++	the handling of corrupt fliesystems.
++
++	Notes:
++	* When there is only one extent there will only ever be one block. If
++	  more than one block is required then XFS will always switch to holding
++	  leaf information in a separate extent.
++	* B-tree based directories seems to be parsed properly by the same code
++	  that handles multiple extents. This is unlikely to ever occur within
++	  /boot though because its only used when there are an extremely large
++	  number of directory entries.
++
++	Fixes: ef7850c75 (fs/xfs: Fix issues found while fuzzing the XFS filesystem)
++	Fixes: b2499b29c (Adds support for the XFS filesystem.)
++	Fixes: https://savannah.gnu.org/bugs/?64376
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
++	Tested-by: Marta Lewandowska <mlewando@redhat.com>
++
++2023-10-30  Lidong Chen  <lidong.chen@oracle.com>
++
++	fs/xfs: Incorrect short form directory data boundary check
++	After parsing of the current entry, the entry pointer is advanced
++	to the next entry at the end of the "for" loop. In case where the
++	last entry is at the end of the data boundary, the advanced entry
++	pointer can point off the data boundary. The subsequent boundary
++	check for the advanced entry pointer can cause a failure.
++
++	The fix is to include the boundary check into the "for" loop
++	condition.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
++	Tested-by: Marta Lewandowska <mlewando@redhat.com>
++
++2023-10-12  Vladimir 'phcoder' Serbinenko  <phcoder@gmail.com>
++
++	Revert "zfsinfo: Correct a check for error allocating memory"
++	Original commit is wrong because grub_file_get_device_name() may return NULL
++	if we use implicit $root. Additionally, the grub_errno is guaranteed to be
++	GRUB_ERR_NONE at the beginning of a command. So, everything should work as
++	expected and Coverity report, CID 73668, WRT to this code should be treated
++	as false positive.
++
++	This reverts commit 7aab03418 (zfsinfo: Correct a check for error allocating memory).
++
++	Fixes: 7aab03418 (zfsinfo: Correct a check for error allocating memory)
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  ValdikSS  <iam@valdikss.org.ru>
++
++	disk/i386/pc/biosdisk: Read up to 63 sectors in LBA mode
++	Current code imposes limitations on the amount of sectors read in
++	a single call according to CHS layout of the disk even in LBA
++	read mode. There's no need to obey CHS layout restrictions for
++	LBA reads on LBA disks. It only slows down booting process.
++
++	See: https://lore.kernel.org/grub-devel/d42a11fa-2a59-b5e7-08b1-d2c60444bb99@valdikss.org.ru/
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  ValdikSS  <iam@valdikss.org.ru>
++
++	kern/i386/pc/init: Flush cache only on VIA C3 and earlier
++	The code flushes the cache on VIA processors unconditionally which
++	is excessive. Check for cpuid family and execute wbinvd only on C3
++	and earlier.
++
++	Fixes: https://savannah.gnu.org/bugs/?45149
++	Fixes: 25492a0f0 (Add wbinvd around bios call.)
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  Fabian Vogt  <fvogt@suse.de>
++
++	fs/btrfs: Zero file data not backed by extents
++	Implicit holes in file data need to be zeroed explicitly, instead of
++	just leaving the data in the buffer uninitialized.
++
++	This led to kernels randomly failing to boot in "fun" ways when loaded
++	from btrfs with the no_holes feature enabled, because large blocks of
++	zeros in the kernel file contained random data instead.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Reviewed-by: Qu Wenruo <wqu@suse.com>
++
++2023-10-12  Stefan Berger  <stefanb@linux.ibm.com>
++
++	kern/ieee1275/init: Restrict high memory in presence of fadump on ppc64
++	When a kernel dump is present then restrict the high memory regions to
++	avoid allocating memory where the kernel dump resides. Use the
++	ibm,kernel-dump node under /rtas to determine whether a kernel dump
++	exists and up to which limit GRUB can use available memory. Set the
++	upper_mem_limit to the size of the kernel dump section of type
++	REAL_MODE_REGION and therefore only allow GRUB's memory usage for high
++	addresses from RMO_ADDR_MAX to upper_mem_limit. This means that GRUB can
++	use high memory in the range of RMO_ADDR_MAX (768MB) to upper_mem_limit
++	and the kernel-dump memory regions above upper_mem_limit remain
++	untouched. This change has no effect on memory allocations below
++	linux_rmo_save (typically at 640MB).
++
++	Also, fall back to allocating below rmo_linux_save in case the chunk of
++	memory there would be larger than the chunk of memory above RMO_ADDR_MAX.
++	This can for example occur if a free memory area is found starting at 300MB
++	extending up to 1GB but a kernel dump is located at 768MB and therefore
++	does not allow the allocation of the high memory area but requiring to use
++	the chunk starting at 300MB to avoid an unnecessary out-of-memory condition.
++
++	Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
++	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
++	Cc: Michael Ellerman <mpe@ellerman.id.au>
++	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
++	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
++	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell: Enable RNG device to better test stack smashing
++	In certain firmwares, e.g. OVMF, the RNG protocol is not enabled unless
++	there is an RNG device. When not enabled, GRUB fails to initialize the
++	stack guard with random bytes. For testing, this is not a big issue, but
++	there have been bugs found in the initialization. So turn this on for EFI
++	platforms to catch any regressions.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  Glenn Washburn  <development@efficientek.com>
++
++	kern/efi/init: Disable stack smashing protection on grub_efi_init()
++	GCC is electing to instrument grub_efi_init() to give it stack smashing
++	protection when configuring with --enable-stack-protector on the x86_64-efi
++	target. In the function prologue, the canary at the top of the stack frame
++	is set to the value of the stack guard. And in the epilogue, the canary is
++	checked to verify if it is equal to the guard and if not to call the stack
++	check fail function. The issue is that grub_efi_init() sets up the guard
++	by initializing it with random bytes, if the firmware supports the RNG
++	protocol. So in its prologue the canary will be set with the value of the
++	uninitialized guard, likely NUL bytes. Then the guard is initialized, and
++	finally the epilogue checks the canary against the guard, which will almost
++	certainly be different. This causes the code path for a smashed stack to be
++	taken, causing the machine to print out a message that stack smashing was
++	detected, wait 5 seconds, and then reboot. Disable grub_efi_init()
++	instrumentation so there is no stack smashing false positive generated.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  Glenn Washburn  <development@efficientek.com>
++
++	disk/cryptodisk: Add support for LUKS2 in (proc)/luks_script
++	The sector size in bytes is added to each line and it is allowed to be
++	6 decimal digits long, which covers the most common cases of 512 and 4096
++	byte sectors with space for two additional digits as future-proofing. The
++	size allocation is updated to reflect this additional field. Also make
++	clearer the size allocation calculation.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  Glenn Washburn  <development@efficientek.com>
++
++	disk/cryptodisk: Optimize luks_script_get()
++	Use the return value of grub_snprintf() to move the string pointer forward,
++	instead of incrementing the string pointer iteratively until a NULL byte is
++	reached. Move the space out of the format string argument, a small
++	optimization, but also makes the spacing clearer. Also, use the new
++	PRIxGRUB_OFFSET instead of PRIuGRUB_UINT64_T to accurately reflect the
++	format string for this type.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  Glenn Washburn  <development@efficientek.com>
++
++	term/serial: Ensure proper NULL termination after grub_strncpy()
++	A large enough argument to the --port option could cause a string buffer
++	to be not NULL terminated because grub_strncpy() does not guarantee NULL
++	termination if copied string is longer than max characters to copy.
++
++	Fixes: 712309eaae04 (term/serial: Use grub_strncpy() instead of grub_snprintf() when only copying string)
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-12  Heinrich Schuchardt  <heinrich.schuchardt@canonical.com>
++
++	commands/efi/lsefisystab: Print the UEFI specification revision in human readable form
++	E.g. 2.10 instead of 00020064 and 2.3.1 instead of 0002001f.
++
++	See UEFI 2.10 specification, chapter 4.2.1 EFI_TABLE_HEADER.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>
++
++	fs/ntfs: Make code more readable
++	Move some calls used to access NTFS attribute header fields into
++	functions with human-readable names.
++
++	Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>
++
++	fs/ntfs: Fix an OOB read when parsing a volume label
++	This fix introduces checks to ensure that an NTFS volume label is always
++	read from the corresponding file record segment.
++
++	The current NTFS code allows the volume label string to be read from an
++	arbitrary, attacker-chosen memory location. However, the bytes read are
++	always treated as UTF-16LE. So, the final string displayed is mostly
++	unreadable and it can't be easily converted back to raw bytes.
++
++	The lack of this check is a minor issue, likely not causing a significant
++	data leak.
++
++	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>
++
++	fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
++	This fix introduces checks to ensure that bitmaps for directory indices
++	are never read beyond their actual sizes.
++
++	The lack of this check is a minor issue, likely not exploitable in any way.
++
++	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>
++
++	fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes
++	This fix introduces checks to ensure that index entries are never read
++	beyond the corresponding directory index.
++
++	The lack of this check is a minor issue, likely not exploitable in any way.
++
++	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>
++
++	fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute
++	When reading a file containing resident data, i.e., the file data is stored in
++	the $DATA attribute within the NTFS file record, not in external clusters,
++	there are no checks that this resident data actually fits the corresponding
++	file record segment.
++
++	When parsing a specially-crafted file system image, the current NTFS code will
++	read the file data from an arbitrary, attacker-chosen memory offset and of
++	arbitrary, attacker-chosen length.
++
++	This allows an attacker to display arbitrary chunks of memory, which could
++	contain sensitive information like password hashes or even plain-text,
++	obfuscated passwords from BS EFI variables.
++
++	This fix implements a check to ensure that resident data is read from the
++	corresponding file record segment only.
++
++	Fixes: CVE-2023-4693
++
++	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>
++
++	fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
++	When parsing an extremely fragmented $MFT file, i.e., the file described
++	using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
++	containing bytes read from the underlying drive to store sector numbers,
++	which are consumed later to read data from these sectors into another buffer.
++
++	These sectors numbers, two 32-bit integers, are always stored at predefined
++	offsets, 0x10 and 0x14, relative to first byte of the selected entry within
++	the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
++
++	However, when parsing a specially-crafted file system image, this may cause
++	the NTFS code to write these integers beyond the buffer boundary, likely
++	causing the GRUB memory allocator to misbehave or fail. These integers contain
++	values which are controlled by on-disk structures of the NTFS file system.
++
++	Such modification and resulting misbehavior may touch a memory range not
++	assigned to the GRUB and owned by firmware or another EFI application/driver.
++
++	This fix introduces checks to ensure that these sector numbers are never
++	written beyond the boundary.
++
++	Fixes: CVE-2023-4692
++
++	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Michael Chang  <mchang@suse.com>
++
++	kern/acpi: Skip NULL entries in RSDT and XSDT
++	During attempts to configure a serial console, a Page Fault Exception
++	and system reset were encountered, specifically on release 2.12~rc1.
++	This issue was not present in prior versions and seemed to affect only
++	a specific machine, potentially pointing to hardware or firmware flaw.
++
++	After investigation, it was discovered that the invalid page access
++	occurred during the discovery of serial MMIO ports as specified by
++	ACPI's SPCR table [1]. The recent change uncovered an issue in GRUB's
++	ACPI driver.
++
++	In certain cases, the XSDT/RSDT root table might contain a NULL entry as
++	a terminator, depending on how the tables are assembled. GRUB cannot
++	blindly trust the address in the root table to be valid and should
++	perform a sanity check for NULL entries. This patch introduces this
++	simple check.
++
++	This fix is also inspired by a related Linux kernel fix [2].
++
++	[1] 7b192ec4c term/ns8250: Use ACPI SPCR table when available to configure serial
++	[2] 0f929fbf0 ACPICA: Tables: Add new mechanism to skip NULL entries in RSDT and XSDT.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Glenn Washburn  <development@efficientek.com>
++
++	util/grub-install-common: Print usable grub-mkimage command
++	When grub-install is run with the verbose option, it will print a log
++	message indicating the grub-mkimage command and arguments used.
++	GRUB no longer calls the grub-mkimage binary internally, however the
++	command logged is a command that if run should effectively be what
++	grub-install used. However, as this has changed some of the newer
++	options have been incorrectly added so that the printed command fails
++	when run separately. This change makes the displayed command run as
++	intended.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Glenn Washburn  <development@efficientek.com>
++
++	util/grub-install-common: Minor improvements to printing of grub-mkimage command
++	This is a preparatory patch to make the following patch less cluttered. The
++	only visible change made here is to not print extra spaces when either or
++	both --note or --disable-shim-lock are not given and to not print an extra
++	space at the end of the command. The latter is done by constructing the
++	trailing argument string with spaces in front of each argument rather than
++	trailing. The allocation of the argument string is made precise, which has
++	the benefit of saving a few bytes, but more importantly self-documenting
++	what the needed allocated bytes are. Also, unneeded braces are removed from
++	an if block.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-10-03  Vladimir 'phcoder' Serbinenko  <phcoder@gmail.com>
++
++	lib/i386/relocator64: Fix 64-bit FreeBSD boot on BIOS
++	The commit 80948f532d (lib/i386/relocator64: Build fixes for i386) has
++	broken 64-bit FreeBSD boot on BIOS. This patch fixes the issue.
++
++	Fixes: 80948f532d (lib/i386/relocator64: Build fixes for i386)
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-22  Anthony PERARD  <anthony.perard@citrix.com>
++
++	templates/linux_xen: Fix XSM entries generation
++	It turns out that setting $xen_version in linux_entry_xsm() override
++	$xen_version in the loop over $reverse_sorted_xen_list. This means
++	that only one entry per Xen version is going to enable XSM, but all
++	further entries are going to have "(XSM enabled)" in their titles
++	without enabling XSM.
++
++	When a "xenpolicy-$xen_version" file was found for the current
++	$xen_version, it would overwrite $xen_version to add "(XSM enabled)" to
++	the menu entry title. Once updated, the next call to linux_entry_xsm()
++	would also have this modified $xen_version and would look for the file
++	"xenpolicy-*(XSM enabled)" and fail.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-22  Xiaotian Wu  <wuxiaotian@loongson.cn>
++
++	loongarch: Eliminate cmodel compilation warnings
++	In the configure phase, the "-mcmodel=large" CFLAGS passed the test, but
++	because it has not been implemented in gcc, the following warning will
++	appear when compiling:
++
++	  gcc: warning: 'large' is not supported, now cmodel is set to 'normal'
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-22  Glenn Washburn  <development@efficientek.com>
++
++	configure: Enable -fno-omit-frame-pointer for backtrace module
++	The backtrace module is written assuming that the frame pointer is in %ebp.
++	By default, -Os optimization level is used, which enables the gcc option
++	-fomit-frame-pointer. This breaks the backtrace functionality. Enabling
++	this may cause an unnoticeable performance cost and virtually no size increase.
++
++	The backtrace command on x86_64 and probably i386 is broken due to the
++	above rationale. I've not verified, but presumably the backtrace that used
++	to be printed for an unhandled CPU exception is also broken. Do any distros
++	handle this?
++
++	Considering that, to my knowledge, no one has complained about this in the
++	over 13 years that -Os has been used, has this code actually been useful?
++	Is it worth disabling -fomit-frame-pointer? Though, I don't see much downside
++	right now in disabling it. Alternatively, we could disable/remove the
++	backtrace code. I think it would be nice to keep it and have it working.
++
++	Nowadays, presumably QEMU makes the GDB stub rarely used as I imagine most
++	are developing in a virtual machines. Also, the GDB stub does not work in UEFI.
++	So, if anyone is using it on real hardware, they are doing so on pretty old
++	machines. The lack of a GDB stub does not seem to be a pain point because
++	no one has got it working on UEFI.
++
++	This patch gets the backtrace command working on x86_64-efi in QEMU for me.
++	However, it hangs when run on my laptop. Not sure what's going on there.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-22  Ard Biesheuvel  <ardb@kernel.org>
++
++	loader/efi/linux: Implement x86 mixed mode using legacy boot
++	Recent mixed-mode Linux kernels, i.e., v4.0 or newer, can access EFI
++	runtime services at OS runtime even when the OS was not entered via the
++	EFI stub. This is because, instead of reverting back to the firmware's
++	segment selectors, GDTs and IDTs, the 64-bit kernel simply calls 32-bit
++	runtime services using compatibility mode, i.e., the same mode used for
++	32-bit user space, without taking down all interrupt handling, exception
++	handling, etc.
++
++	This means that GRUB's legacy x86 boot mode is sufficient to make use of
++	this: 32-bit i686 builds of GRUB can already boot 64-bit kernels in EFI
++	enlightened mode, but without going via the EFI stub, and provide all
++	the metadata that the OS needs to map the EFI runtime regions and call
++	EFI runtime services successfully.
++
++	It does mean that GRUB should not attempt to invoke the firmware's
++	LoadImage()/StartImage() methods on kernel builds that it knows cannot
++	be started natively. So, add a check for this in the native EFI boot
++	path and fall back to legacy x86 mode in such cases.
++
++	Note that in the general case, booting non-native images of the same
++	native word size, e.g., x64 EFI apps on arm64 firmware, might be
++	supported by means of emulation. So, let's only disallow images that use
++	a non-native word size. This will also permit booting i686 kernels on
++	x86_64 builds, although without access to runtime services, as this is
++	not supported by Linux.
++
++	This change on top of 2.12-rc1 is sufficient to boot ordinary Linux
++	mixed mode builds and get full access to the EFI runtime services.
++
++	Cc: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Steve McIntyre <steve@einval.com>
++	Cc: Julian Andres Klode <julian.klode@canonical.com>
++	Acked-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-22  Ard Biesheuvel  <ardb@kernel.org>
++
++	loader/i386/linux: Prefer entry in long mode when booting via EFI
++	The x86_64 Linux kernel can be booted in 32-bit mode, in which case the
++	startup code creates a set of preliminary page tables that map the first
++	4 GiB of physical memory 1:1 and enables paging. This is a prerequisite
++	for 64-bit execution and can therefore only be implemented in 32-bit code.
++
++	The x86_64 Linux kernel can also be booted in 64-bit mode directly: this
++	implies that paging is already enabled and it is the responsibility of
++	the bootloader to ensure that the active page tables cover the entire
++	loaded image, including its BSS space, the size of which is described in
++	the image's setup header.
++
++	Given that the EFI spec mandates execution in long mode for x86_64 and
++	stipulates that all system memory is mapped 1:1, the Linux/x86
++	requirements for 64-bit entry can be met trivially when booting on
++	x86_64 via EFI. So, enter via the 64-bit entry point in this case.
++
++	This involves inspecting the xloadflags field in the setup header to
++	check whether the 64-bit entry point is supported. This field was
++	introduced in Linux version v3.8 (early 2013).
++
++	This change ensures that all EFI firmware tables and other assets passed
++	by the firmware or bootloader in memory remain mapped and accessible
++	throughout the early startup code.
++
++	Avoiding the drop out of long mode will also be needed to support
++	upcoming CPU designs that no longer implement 32-bit mode at all
++	(as recently announced by Intel [0]).
++
++	[0] https://www.intel.com/content/www/us/en/developer/articles/technical/envisioning-future-simplified-architecture.html
++
++	Cc: Daniel Kiper <daniel.kiper@oracle.com>
++	Cc: Julian Andres Klode <julian.klode@canonical.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-18  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	ZFS: Check bonustype in addition to dnode type
++	Some dnodes are shared with properties zap. This is used
++	e.g. for quotas. Then dnode type is 0xc4 and GRUB stumbles on
++	this. Check bonus type and if it's ok then ignore dnode type mismatch
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-18  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	ZFS: Don't iterate over null objsets
++	Reading them is harmless but useless as they are empty by definition
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-18  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	ZFS: Fix invalid memcmp
++	We ended up comparing over unset values as we had dnode_phys on one side
++	and dnode on another
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-09-18  Vladimir Serbinenko  <phcoder@gmail.com>
++
++	ZFS: support inode type embed into its ID
++	This is a speedup used in some ZFS version. This trips GRUB and makes it
++	unable to access directories. Just skip it for now and revisit
++	if we ever need this speedup.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-31  Heinrich Schuchardt  <heinrich.schuchardt@canonical.com>
++
++	video/efi_gop: Require shadow if PixelBltOnly
++	If the EFI graphics pixel format is PixelBltOnly, we cannot write directly
++	to the frame buffer. We need the shadow frame buffer which we copy via
++	the BitBlt operation to the hardware.
++
++	If the pixel format is PixelBltOnly and allocation of the shadow frame
++	buffer fails, we must raise an error to signal that the EFI GOP protocol
++	is not usable.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	docs: Add menu to prevent older makeinfo versions from failing
++	It has been reported that makeinfo version 4.13a complains and returns
++	error when menus for chapter structuring commands are not present. It
++	is also known that newer makeinfos, such as version 6.7, will create
++	default menus when needed. Since the menu will be created regardless,
++	explicitly create it to support older makeinfo versions. This also
++	enables building to be successful when an older makeinfo is installed
++	because in that case info files are attempted to be generated with the
++	"all" target.
++
++	Reported-by: Olaf Hering <olaf@aepfle.de>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Tested-by: Olaf Hering <olaf@aepfle.de>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	docs: Use @ref instead of @xref
++	The @xref command is meant to be used at the beginning of a sentence
++	because its expansion creates a "See " prefix on all output formats, and
++	on older makeinfo versions is strict about enforcing a "." or "," after
++	the command. The @ref command has no such restriction and is just the
++	link, which allows more control over output. This also fixes an issue
++	where there was a repeated "see" in the output.
++
++	Reported-by: Olaf Hering <olaf@aepfle.de>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Tested-by: Olaf Hering <olaf@aepfle.de>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell-luks-tester: Allow setting timeout
++	Allow using the envvar GRUB_SHELL_LUKS_TIMEOUT to change the default
++	timeout. If not specified, use value of GRUB_SHELL_DEFAULT_TIMEOUT. And
++	if that is not specified, fallback to original 600s timeout.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	disk/cryptodisk: Fix missing change when updating to use grub_uuidcasecmp()
++	This was causing the cryptomount command to return failure even though
++	the crypto device was successfully added. Of course, this meant that any
++	script using the return code would behave unexpectedly.
++
++	Fixes: 3cf2e848bc03 (disk/cryptodisk: Allows UUIDs to be compared in a dash-insensitive manner)
++
++	Suggested-by: Olaf Hering <olaf@aepfle.de>
++	Reviewed-by: Patrich Steinhardt <ps@pks.im>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	kern/misc: Make grub_vsnprintf() C99/POSIX conformant
++	To comply with C99 and POSIX standards, snprintf() should return the
++	number of bytes that would be written to the string (excluding the
++	terminating NUL byte) if the buffer size was big enough. Before this
++	change, the return value was the minimum of the standard return and the
++	length of the buffer. Rarely is the return value of grub_snprintf() or
++	grub_vsnprintf() used with current code, and the few places where it is
++	used do not need to be changed.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	tests: Add serial_test
++	This test is meant to test output via various serial devices. Currently,
++	only the PCI serial device is tested.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell: Allow explicitly using other serial ports for output
++	While here, move "-qemu=*" case to be next to the "--qemu-opts=*" case.
++	This causes no change in logic, but is more logically located.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-31  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell-luks-tester: Do not remove generated files when test fails to allow debugging
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++	tests/util/grub-shell: Convert spaces to TABs
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	commands/ls: Print "????????????" if unable to get file size
++	In long list mode, if the file can not be opened, the file is not printed.
++	Instead, print the file but print the size as "????????????".
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	commands/ls: Send correct dirname to print functions
++	For each non-directory path argument to the ls command, the full path was
++	being sent to the print functions, instead of the dirname. The long output
++	print function expected dirname to be the directory containing the file
++	and so could not open the file to get the file size because the generated
++	path was incorrect. This caused the output to be a blank line.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	fs/archelp: If path given to grub_archelp_dir() is not a directory return error
++	Specifically, return GRUB_ERR_BAD_FILE_TYPE because this is what is
++	expected by the ls command when it is given a path to a non-directory.
++	This fixes a bug where calling ls with a list of non-directory paths
++	outputs a blank line for each such argument.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	commands/videoinfo: Prevent crash when run while video driver already active
++	The videoinfo command will initialize all non-active video adapters. Video
++	drivers tend to zero out the global framebuffer object on initialization.
++	This is not a problem when there is no active video adapter. However, when
++	there is, then outputting to the video adapter will cause a crash because
++	methods in the framebuffer object are reinitialized. For example, this
++	command sequence will cause a crash.
++
++	  terminal_output --append gfxterm; videoinfo
++
++	When running in a QEMU headless with GRUB built for the x86_64-efi target,
++	the first command initializes the Bochs video adapter, which, among
++	other things, sets the set_page() member function. Then when videoinfo is
++	run, all non-Bochs video adapters will be initialized, each one wiping
++	the framebuffer and thus setting set_page to NULL. Soon after the videoinfo
++	command finishes there will be a call to grub_refresh(), which will
++	ultimately call the framebuffer's set_page which will be NULL and cause
++	a crash when called.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	docs: Improve initrd documentation
++	A list of improvements:
++	  * Remove reference to "initial ramdisk" and replace with "initrd". This
++	    then covers the case of ramdisk and ramfs, which is the usual method
++	    with kernels 2.6 and newer.
++	  * Add sentence with URL to initrd documentation Linux kernel.
++	  * Add a section documenting how to have the initrd command generate
++	    a new-style initrd via a specially crafted argument and include an example.
++	  * Update initrd16 to refer to the initrd section and make note that
++	    initrd16 is only on the pc platform.
++
++	Reviewed-by: Oskari Pirhonen <xxc3ncoredxx@gmail.com>
++	Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	term/ns8250-spcr: Continue processing SPCR table even if revision is < 2
++	According to commit 0231d00082 (ACPI: SPCR: Make SPCR available to x86)
++	to the Linux kernel, "On x86, many systems have a valid SPCR table but the
++	table version is not 2 so the table version check must be a warning."
++
++	Reviewed-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	docs: A note to cat that hexdump should be used for binary data
++	The cat command should not be used to print binary data because it can
++	show bytes not in the binary data and not show bytes that are in the data,
++	which can lead to confusion. This happens because cat does some processing
++	of the data stream, namely trying to decode substrings as UTF-8.
++
++	Reviewed-by: Oskari Pirhonen <xxc3ncoredxx@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	docs: Document hexdump command
++	Reviewed-by: Oskari Pirhonen <xxc3ncoredxx@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++	docs: Group usage of user-space utilities into single chapter
++	Reviewed-by: Oskari Pirhonen <xxc3ncoredxx@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Qiumiao Zhang  <zhangqiumiao1@huawei.com>
++
++	util/grub-mount: Fix memory leak in fuse_getattr()
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Michał Grzelak  <mchl.grzlk@gmail.com>
++
++	configure: Fix SDL2 typo by referencing value
++	During configuration of SDL2, variable enable_grub_emu_sdl2 is checked
++	whether to throw an error message. However, error could not happen
++	because two unequal strings were compared. Fix this by referencing
++	value of enable_grub_emu_sdl2, not name.
++
++	Fixes: 17d6ac1a7 (emu: Add SDL2 support)
++
++	Reviewed-by: Julian Andres Klode <julian.klode@canonical.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	docs: Add missing assumption
++	Also reword a prior sentence to be more clear.
++
++	Fixes: 5a3d2b4742df (docs: Add debugging chapter to development documentation)
++
++	Reviewed-by: Oskari Pirhonen <xxc3ncoredxx@gmail.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Oskari Pirhonen  <xxc3ncoredxx@gmail.com>
++
++	util/grub.d/25_bli.in: Fix shebang on unmerged-usr
++	On an unmerged-usr system, grub-mkconfig errors out with the following
++	error due to /usr/bin/sh not existing:
++
++	  /usr/sbin/grub-mkconfig: /etc/grub.d/25_bli: /usr/bin/sh: bad interpreter: No such file or directory
++
++	Use a /bin/sh shebang to fix the error as well as match the other
++	existing files.
++
++	Fixes: 158a6583e (util/grub.d/25_bli.in: Activate bli module on EFI)
++
++	Reviewed-by: Glenn Washburn <development@efficientek.com>
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++	Reviewed-by: Oliver Steffen <osteffen@redhat.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell-luks-tester: Allow GRUB_SHELL_LUKS_DEFAULT_DEBUG and GRUB_TEST_DEFAULT_DEBUG to specify the debug level to grub-shell
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell: Allow setting the value of debug regardless of its previous state
++	This allows an invocation of grub-shell to set the value of debug regardless
++	of the global default environment variable GRUB_SHELL_DEFAULT_DEBUG.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell: Allow setting default timeout via GRUB_SHELL_DEFAULT_TIMEOUT envvar
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
++2023-08-14  Glenn Washburn  <development@efficientek.com>
++
++	tests/util/grub-shell: Add --verbose to grub-mkrescue when $debug is greater than 2
++	Since this is fairly verbose output, do not enable first level of debug
++	is turned on.
++
++	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
++
 -07-10  Daniel Kiper  <daniel.kiper@oracle.com>
  	Release 2.12~rc1
 diff --git a/INSTALL b/INSTALL
 index b93fe9c..8d9207c 100644
 --- a/INSTALL
 +++ b/INSTALL
@@ -20,7 +20,7 @@ configuring the GRUB.
    for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
  * GNU Make
  * GNU Bison 2.3 or later
--* GNU gettext 0.17 or later
++* GNU gettext
  * GNU binutils 2.9.1.0.23 or later
  * Flex 2.5.35 or later
  * pkg-config
 diff --git a/Makefile.in b/Makefile.in
 index 0e7be5f..6c8dfcf 100644
 --- a/Makefile.in
 +++ b/Makefile.in
@@ -1296,15 +1296,16 @@ am__dist_noinst_DATA_DIST = grub-core/kern/disk_common.c \
  	tests/grub_script_no_commands.in tests/partmap_test.in \
  	tests/hddboot_test.in tests/fddboot_test.in \
  	tests/cdboot_test.in tests/netboot_test.in \
--	tests/pseries_test.in tests/core_compress_test.in \
--	tests/xzcompress_test.in tests/gzcompress_test.in \
--	tests/lzocompress_test.in tests/grub_cmd_echo.in \
--	tests/help_test.in tests/grub_script_gettext.in \
--	tests/grub_script_escape_comma.in tests/grub_script_strcmp.in \
--	tests/test_sha512sum.in tests/test_unset.in \
--	tests/grub_func_test.in tests/grub_cmd_tr.in \
--	tests/file_filter_test.in tests/grub_cmd_test.in \
--	tests/syslinux_test.in tests/luks1_test.in tests/luks2_test.in
++	tests/serial_test.in tests/pseries_test.in \
++	tests/core_compress_test.in tests/xzcompress_test.in \
++	tests/gzcompress_test.in tests/lzocompress_test.in \
++	tests/grub_cmd_echo.in tests/help_test.in \
++	tests/grub_script_gettext.in tests/grub_script_escape_comma.in \
++	tests/grub_script_strcmp.in tests/test_sha512sum.in \
++	tests/test_unset.in tests/grub_func_test.in \
++	tests/grub_cmd_tr.in tests/file_filter_test.in \
++	tests/grub_cmd_test.in tests/syslinux_test.in \
++	tests/luks1_test.in tests/luks2_test.in
  DATA = $(dist_grubconf_DATA) $(dist_noinst_DATA) $(noinst_DATA) \
  	$(pkgdata_DATA) $(platform_DATA) $(starfield_DATA)
  HEADERS = $(nodist_platform_HEADERS)
@@ -1998,6 +1999,7 @@ GNULIB_GETTIMEOFDAY = @GNULIB_GETTIMEOFDAY@
  GREP = @GREP@
  GRUB_BOOT_MACHINE_LINK_ADDR = @GRUB_BOOT_MACHINE_LINK_ADDR@
  GRUB_PLATFORM = @GRUB_PLATFORM@
++GRUB_STACK_PROTECTOR_INIT = @GRUB_STACK_PROTECTOR_INIT@
  GRUB_TARGET_CPU = @GRUB_TARGET_CPU@
  HAVE_ALIGNED_ALLOC = @HAVE_ALIGNED_ALLOC@
  HAVE_ALLOCA_H = @HAVE_ALLOCA_H@
@@ -2781,7 +2783,7 @@ CCASFLAGS_LIBRARY =
  grubconfdir = $(sysconfdir)/grub.d
  platformdir = $(pkglibdir)/$(target_cpu)-$(platform)
  starfielddir = $(pkgdatadir)/themes/starfield
--CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion
++CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion -Wno-error=attributes
  CPPFLAGS_GNULIB = -I$(top_builddir)/grub-core/lib/gnulib -I$(top_srcdir)/grub-core/lib/gnulib
  CFLAGS_POSIX = -fno-builtin
  CPPFLAGS_POSIX = -I$(top_srcdir)/grub-core/lib/posix_wrap
@@ -2834,11 +2836,12 @@ check_SCRIPTS_nonnative = pata_test ahci_test uhci_test ohci_test \
  	grub_cmd_cryptomount grub_cmd_regexp grub_cmd_date \
  	grub_cmd_set_date grub_cmd_sleep grub_script_expansion \
  	grub_script_not partmap_test hddboot_test fddboot_test \
--	cdboot_test netboot_test pseries_test core_compress_test \
--	xzcompress_test gzcompress_test lzocompress_test grub_cmd_echo \
--	help_test grub_script_gettext grub_script_escape_comma \
--	grub_script_strcmp test_sha512sum test_unset grub_func_test \
--	grub_cmd_tr file_filter_test grub_cmd_test
++	cdboot_test netboot_test serial_test pseries_test \
++	core_compress_test xzcompress_test gzcompress_test \
++	lzocompress_test grub_cmd_echo help_test grub_script_gettext \
++	grub_script_escape_comma grub_script_strcmp test_sha512sum \
++	test_unset grub_func_test grub_cmd_tr file_filter_test \
++	grub_cmd_test
  check_PROGRAMS_native = example_unit_test printf_test date_test \
  	$(am__append_50) cmp_test
  check_PROGRAMS_nonnative =
@@ -2899,15 +2902,16 @@ dist_noinst_DATA = grub-core/kern/disk_common.c \
  	tests/grub_script_no_commands.in tests/partmap_test.in \
  	tests/hddboot_test.in tests/fddboot_test.in \
  	tests/cdboot_test.in tests/netboot_test.in \
--	tests/pseries_test.in tests/core_compress_test.in \
--	tests/xzcompress_test.in tests/gzcompress_test.in \
--	tests/lzocompress_test.in tests/grub_cmd_echo.in \
--	tests/help_test.in tests/grub_script_gettext.in \
--	tests/grub_script_escape_comma.in tests/grub_script_strcmp.in \
--	tests/test_sha512sum.in tests/test_unset.in \
--	tests/grub_func_test.in tests/grub_cmd_tr.in \
--	tests/file_filter_test.in tests/grub_cmd_test.in \
--	tests/syslinux_test.in tests/luks1_test.in tests/luks2_test.in
++	tests/serial_test.in tests/pseries_test.in \
++	tests/core_compress_test.in tests/xzcompress_test.in \
++	tests/gzcompress_test.in tests/lzocompress_test.in \
++	tests/grub_cmd_echo.in tests/help_test.in \
++	tests/grub_script_gettext.in tests/grub_script_escape_comma.in \
++	tests/grub_script_strcmp.in tests/test_sha512sum.in \
++	tests/test_unset.in tests/grub_func_test.in \
++	tests/grub_cmd_tr.in tests/file_filter_test.in \
++	tests/grub_cmd_test.in tests/syslinux_test.in \
++	tests/luks1_test.in tests/luks2_test.in
  grubconf_SCRIPTS = 00_header $(am__append_59) $(am__append_63) \
  	$(am__append_67) $(am__append_71) $(am__append_75) \
  	$(am__append_79) $(am__append_83) $(am__append_87) 25_bli \
@@ -3086,9 +3090,9 @@ CLEANFILES = $(nodist_libgrubkern_a_SOURCES) \
  	grub_cmd_regexp grub_cmd_date grub_cmd_set_date grub_cmd_sleep \
  	grub_script_expansion grub_script_not grub_script_no_commands \
  	partmap_test hddboot_test fddboot_test cdboot_test \
--	netboot_test pseries_test core_compress_test xzcompress_test \
--	gzcompress_test lzocompress_test grub_cmd_echo help_test \
--	grub_script_gettext grub_script_escape_comma \
++	netboot_test serial_test pseries_test core_compress_test \
++	xzcompress_test gzcompress_test lzocompress_test grub_cmd_echo \
++	help_test grub_script_gettext grub_script_escape_comma \
  	grub_script_strcmp test_sha512sum test_unset grub_func_test \
  	grub_cmd_tr file_filter_test grub_cmd_test syslinux_test \
  	luks1_test luks2_test grub_script.tab.c grub_script.tab.h \
@@ -3216,7 +3220,7 @@ libgrubmods_a_SOURCES = grub-core/commands/blocklist.c \
  nodist_libgrubmods_a_SOURCES = grub_script.tab.c grub_script.tab.h \
  	grub_script.yy.c grub_script.yy.h libgrub_a_init.c
  libgrubmods_a_CFLAGS = $(AM_CFLAGS) $(CFLAGS_LIBRARY) -fno-builtin \
--	-Wno-undef
++	-Wno-undef -Wno-unused-but-set-variable
  libgrubmods_a_CPPFLAGS = $(AM_CPPFLAGS) $(CPPFLAGS_LIBRARY) \
  	-I$(srcdir)/grub-core/lib/minilzo \
  	-I$(srcdir)/grub-core/lib/xzembed \
@@ -12395,6 +12399,13 @@ netboot_test.log: netboot_test
  	--log-file $$b.log --trs-file $$b.trs \
  	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
  	"$$tst" $(AM_TESTS_FD_REDIRECT)
++serial_test.log: serial_test
++	@p='serial_test'; \
++	b='serial_test'; \
++	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
++	--log-file $$b.log --trs-file $$b.trs \
++	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
++	"$$tst" $(AM_TESTS_FD_REDIRECT)
  pseries_test.log: pseries_test
  	@p='pseries_test'; \
  	b='pseries_test'; \
@@ -13453,6 +13464,10 @@ netboot_test: $(top_builddir)/config.status tests/netboot_test.in
  	(for x in tests/netboot_test.in ; do cat $(srcdir)/"$$x"; done) | $(top_builddir)/config.status --file=$@:-
  	chmod a+x netboot_test
++serial_test: $(top_builddir)/config.status tests/serial_test.in
++	(for x in tests/serial_test.in ; do cat $(srcdir)/"$$x"; done) | $(top_builddir)/config.status --file=$@:-
++	chmod a+x serial_test
++
  pseries_test: $(top_builddir)/config.status tests/pseries_test.in
  	(for x in tests/pseries_test.in ; do cat $(srcdir)/"$$x"; done) | $(top_builddir)/config.status --file=$@:-
  	chmod a+x pseries_test
 diff --git a/Makefile.util.am b/Makefile.util.am
 index fd6243d..87eead8 100644
 --- a/Makefile.util.am
 +++ b/Makefile.util.am
@@ -25,7 +25,7 @@ CLEANFILES += $(nodist_libgrubkern_a_SOURCES)
  noinst_LIBRARIES += libgrubmods.a
  libgrubmods_a_SOURCES += grub-core/commands/blocklist.c grub-core/commands/ls.c grub-core/commands/macbless.c grub-core/commands/testload.c grub-core/commands/xnu_uuid.c grub-core/disk/dmraid_nvidia.c grub-core/disk/loopback.c grub-core/disk/lvm.c grub-core/disk/mdraid1x_linux.c grub-core/disk/mdraid_linux.c grub-core/disk/mdraid_linux_be.c grub-core/disk/raid5_recover.c grub-core/disk/raid6_recover.c grub-core/font/font.c grub-core/fs/affs.c grub-core/fs/afs.c grub-core/fs/bfs.c grub-core/fs/btrfs.c grub-core/fs/cbfs.c grub-core/fs/cpio.c grub-core/fs/cpio_be.c grub-core/fs/exfat.c grub-core/fs/ext2.c grub-core/fs/f2fs.c grub-core/fs/fat.c grub-core/fs/fshelp.c grub-core/fs/hfs.c grub-core/fs/hfsplus.c grub-core/fs/hfspluscomp.c grub-core/fs/iso9660.c grub-core/fs/jfs.c grub-core/fs/minix.c grub-core/fs/minix2.c grub-core/fs/minix2_be.c grub-core/fs/minix3.c grub-core/fs/minix3_be.c grub-core/fs/minix_be.c grub-core/fs/newc.c grub-core/fs/nilfs2.c grub-core/fs/ntfs.c grub-core/fs/ntfscomp.c grub-core/fs/odc.c grub-core/fs/reiserfs.c grub-core/fs/romfs.c grub-core/fs/sfs.c grub-core/fs/squash4.c grub-core/fs/tar.c grub-core/fs/udf.c grub-core/fs/ufs.c grub-core/fs/ufs2.c grub-core/fs/ufs_be.c grub-core/fs/xfs.c grub-core/fs/zfs/zfs.c grub-core/fs/zfs/zfs_fletcher.c grub-core/fs/zfs/zfs_lz4.c grub-core/fs/zfs/zfs_lzjb.c grub-core/fs/zfs/zfs_sha256.c grub-core/fs/zfs/zfscrypt.c grub-core/fs/zfs/zfsinfo.c grub-core/gfxmenu/font.c grub-core/io/bufio.c grub-core/io/gzio.c grub-core/io/lzopio.c grub-core/io/xzio.c grub-core/kern/arm/dl_helper.c grub-core/kern/arm64/dl_helper.c grub-core/kern/ia64/dl_helper.c grub-core/kern/loongarch64/dl_helper.c grub-core/lib/LzFind.c grub-core/lib/LzmaEnc.c grub-core/lib/adler32.c grub-core/lib/crc.c grub-core/lib/crc64.c grub-core/lib/datetime.c grub-core/lib/envblk.c grub-core/lib/hexdump.c grub-core/lib/minilzo/minilzo.c grub-core/lib/xzembed/xz_dec_bcj.c grub-core/lib/xzembed/xz_dec_lzma2.c grub-core/lib/xzembed/xz_dec_stream.c grub-core/lib/zstd/debug.c grub-core/lib/zstd/entropy_common.c grub-core/lib/zstd/error_private.c grub-core/lib/zstd/fse_decompress.c grub-core/lib/zstd/huf_decompress.c grub-core/lib/zstd/module.c grub-core/lib/zstd/xxhash.c grub-core/lib/zstd/zstd_common.c grub-core/lib/zstd/zstd_decompress.c grub-core/normal/charset.c grub-core/normal/misc.c grub-core/partmap/acorn.c grub-core/partmap/amiga.c grub-core/partmap/apple.c grub-core/partmap/bsdlabel.c grub-core/partmap/dfly.c grub-core/partmap/dvh.c grub-core/partmap/plan.c grub-core/partmap/sun.c grub-core/partmap/sunpc.c grub-core/script/argv.c grub-core/script/function.c grub-core/script/lexer.c grub-core/script/main.c grub-core/script/script.c grub-core/unidata.c grub-core/video/capture.c grub-core/video/colors.c grub-core/video/fb/fbblit.c grub-core/video/fb/fbfill.c grub-core/video/fb/fbutil.c grub-core/video/fb/video_fb.c grub-core/video/video.c
  nodist_libgrubmods_a_SOURCES += grub_script.tab.c grub_script.tab.h grub_script.yy.c grub_script.yy.h libgrub_a_init.c
--libgrubmods_a_CFLAGS += $(AM_CFLAGS) $(CFLAGS_LIBRARY) -fno-builtin -Wno-undef
++libgrubmods_a_CFLAGS += $(AM_CFLAGS) $(CFLAGS_LIBRARY) -fno-builtin -Wno-undef -Wno-unused-but-set-variable
  libgrubmods_a_CPPFLAGS += $(AM_CPPFLAGS) $(CPPFLAGS_LIBRARY) -I$(srcdir)/grub-core/lib/minilzo -I$(srcdir)/grub-core/lib/xzembed -I$(srcdir)/grub-core/lib/zstd -DMINILZO_HAVE_CONFIG_H
  libgrubmods_a_CCASFLAGS += $(AM_CCASFLAGS) $(CCASFLAGS_LIBRARY)
  dist_noinst_DATA +=
@@ -1393,6 +1393,15 @@ netboot_test: $(top_builddir)/config.status tests/netboot_test.in
  CLEANFILES += netboot_test
  EXTRA_DIST +=
  dist_noinst_DATA += tests/netboot_test.in
++check_SCRIPTS_nonnative += serial_test
++
++serial_test: $(top_builddir)/config.status tests/serial_test.in
++	(for x in tests/serial_test.in ; do cat $(srcdir)/"$$x"; done) | $(top_builddir)/config.status --file=$@:-
++	chmod a+x serial_test
++
++CLEANFILES += serial_test
++EXTRA_DIST +=
++dist_noinst_DATA += tests/serial_test.in
  check_SCRIPTS_nonnative += pseries_test
  pseries_test: $(top_builddir)/config.status tests/pseries_test.in
 diff --git a/Makefile.util.def b/Makefile.util.def
 index 1e9a13d..9432365 100644
 --- a/Makefile.util.def
 +++ b/Makefile.util.def
@@ -55,7 +55,7 @@ library = {
  library = {
    name = libgrubmods.a;
--  cflags = '-fno-builtin -Wno-undef';
++  cflags = '-fno-builtin -Wno-undef -Wno-unused-but-set-variable';
    cppflags = '-I$(srcdir)/grub-core/lib/minilzo -I$(srcdir)/grub-core/lib/xzembed -I$(srcdir)/grub-core/lib/zstd -DMINILZO_HAVE_CONFIG_H';
    common_nodist = grub_script.tab.c;
@@ -1132,6 +1132,12 @@ script = {
  script = {
    testcase = nonnative;
++  name = serial_test;
++  common = tests/serial_test.in;
++};
++
++script = {
++  testcase = nonnative;
    name = pseries_test;
    common = tests/pseries_test.in;
  };
 diff --git a/NEWS b/NEWS
 index 73b8492..3101309 100644
 --- a/NEWS
 +++ b/NEWS
@@ -1,3 +1,23 @@
++New in 2.12:
++
++* GCC 13 support.
++* clang 14 support.
++* binutils 2.38 support.
++* Unification of EFI Linux kernel loader across architectures.
++* Transition to EFI Linux kernel stub loader for x86 architecture.
++* Initial support for Boot Loader Interface.
++* Support for dynamic GRUB runtime memory addition using firmware calls.
++* PCI and MMIO UARTs support.
++* SDL2 support.
++* LoongArch support.
++* TPM driver fixes.
++* Many filesystems fixes.
++* Many CVE and Coverity fixes.
++* Debugging support improvements.
++* Tests improvements.
++* Documentation improvements.
++* ...and tons of other fixes and cleanups...
++
  New in 2.06:
  * GCC 10 support.
 diff --git a/autogen.sh b/autogen.sh
 index 5a5c356..195daa5 100755
 --- a/autogen.sh
 +++ b/autogen.sh
@@ -9,7 +9,7 @@ fi
  # Detect python
  if [ -z "$PYTHON" ]; then
--  for i in python3 python; do
++  for i in python3 python3.10 python; do
      if command -v "$i" > /dev/null 2>&1; then
        PYTHON="$i"
        echo "Using $PYTHON..."
 diff --git a/conf/Makefile.common b/conf/Makefile.common
 index f8faa92..b8f216f 100644
 --- a/conf/Makefile.common
 +++ b/conf/Makefile.common
@@ -75,7 +75,7 @@ grubconfdir = $(sysconfdir)/grub.d
  platformdir = $(pkglibdir)/$(target_cpu)-$(platform)
  starfielddir = $(pkgdatadir)/themes/starfield
--CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion
++CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion -Wno-error=attributes
  CPPFLAGS_GNULIB = -I$(top_builddir)/grub-core/lib/gnulib -I$(top_srcdir)/grub-core/lib/gnulib
  CFLAGS_POSIX = -fno-builtin
 diff --git a/config-util.h.in b/config-util.h.in
 index 7d48348..fc4530f 100644
 --- a/config-util.h.in
 +++ b/config-util.h.in
@@ -319,6 +319,9 @@
  /* Configuration dir */
  #undef GRUB_SYSCONFDIR
++/* Define to 1 if libnvpair symbols are prefixed with opensolaris_. */
++#undef GRUB_UTIL_NVPAIR_IS_PREFIXED
++
  /* Define to 1 if you have 'alloca' after including <alloca.h>, a header that
     may be supplied by this distribution. */
  #undef HAVE_ALLOCA
@@ -640,13 +643,10 @@
  /* Define to 1 if you have the `lzma' library (-llzma). */
  #undef HAVE_LIBLZMA
--/* Define to 1 if you have the NVPAIR library. */
--#undef HAVE_LIBNVPAIR
--
  /* Define to 1 if you have the <libnvpair.h> header file. */
  #undef HAVE_LIBNVPAIR_H
--/* Define to 1 if you have the ZFS library. */
++/* Define to 1 if you have the `zfs' library (-lzfs). */
  #undef HAVE_LIBZFS
  /* Define to 1 if you have the <libzfs.h> header file. */
@@ -1389,6 +1389,9 @@
  /* Define to 1 if you have the LZMA library. */
  #undef USE_LIBLZMA
++/* Define to 1 if ZFS library should be used. */
++#undef USE_LIBZFS
++
  /* Define if the POSIX multithreading library can be used. */
  #undef USE_POSIX_THREADS
 diff --git a/config.h.in b/config.h.in
 index 4d1e50e..9b1d399 100644
 --- a/config.h.in
 +++ b/config.h.in
@@ -64,6 +64,8 @@
  #  define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
  #  define GRUB_PLATFORM "@GRUB_PLATFORM@"
++#  define GRUB_STACK_PROTECTOR_INIT @GRUB_STACK_PROTECTOR_INIT@
++
  #  define RE_ENABLE_I18N 1
  #  define _GNU_SOURCE 1
 diff --git a/configure b/configure
 index 2eba5f1..d1a9432 100755
 --- a/configure
 +++ b/configure
@@ -1,6 +1,6 @@
  #! /bin/sh
  # Guess values for system-dependent variables and create Makefiles.
--# Generated by GNU Autoconf 2.69 for GRUB 2.12~rc1.
++# Generated by GNU Autoconf 2.69 for GRUB 2.12.
+ #
  # Report bugs to <bug-grub@gnu.org>.
+ #
@@ -580,8 +580,8 @@ MAKEFLAGS=
  # Identity of this package.
  PACKAGE_NAME='GRUB'
  PACKAGE_TARNAME='grub'
--PACKAGE_VERSION='2.12~rc1'
--PACKAGE_STRING='GRUB 2.12~rc1'
++PACKAGE_VERSION='2.12'
++PACKAGE_STRING='GRUB 2.12'
  PACKAGE_BUGREPORT='bug-grub@gnu.org'
  PACKAGE_URL=''
@@ -812,6 +812,7 @@ COND_MM_DEBUG_TRUE
  MM_DEBUG
  TARGET_NMFLAGS_DEFINED_ONLY
  TARGET_NMFLAGS_MINUS_P
++GRUB_STACK_PROTECTOR_INIT
  TARGET_LDFLAGS_OLDMAGIC
  EFIEMU64_LINK_FORMAT
  enable_efiemu
@@ -2090,6 +2091,8 @@ enable_grub_emu_sdl
  enable_grub_emu_pci
  enable_grub_mkfont
  enable_grub_themes
++with_dejavufont
++with_unifont
  enable_grub_mount
  enable_device_mapper
  enable_liblzma
@@ -2674,7 +2677,7 @@ if test "$ac_init_help" = "long"; then
    # Omit some internal or obsolete options to make the list less imposing.
    # This message is too long to be a string in the A/UX 3.1 sh.
    cat <<_ACEOF
--\`configure' configures GRUB 2.12~rc1 to adapt to many kinds of systems.
++\`configure' configures GRUB 2.12 to adapt to many kinds of systems.
  Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -2746,7 +2749,7 @@ fi
  if test -n "$ac_init_help"; then
    case $ac_init_help in
--     short | recursive ) echo "Configuration of GRUB 2.12~rc1:";;
++     short | recursive ) echo "Configuration of GRUB 2.12:";;
     esac
    cat <<\_ACEOF
@@ -2809,6 +2812,8 @@ Optional Packages:
                            don't compile regex; this is the default on systems
                            with recent-enough versions of the GNU C Library
                            (use with caution on other systems).
++  --with-dejavufont=FILE  set the DejeVu source [[guessed]]
++  --with-unifont=FILE     set the unifont source [[guessed]]
  Some influential environment variables:
    CC          C compiler command
@@ -2914,7 +2919,7 @@ fi
  test -n "$ac_init_help" && exit $ac_status
  if $ac_init_version; then
    cat <<\_ACEOF
--GRUB configure 2.12~rc1
++GRUB configure 2.12
  generated by GNU Autoconf 2.69
  Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3666,7 +3671,7 @@ cat >config.log <<_ACEOF
  This file contains any messages produced by compilers while
  running configure, to aid debugging if configure makes a mistake.
--It was created by GRUB $as_me 2.12~rc1, which was
++It was created by GRUB $as_me 2.12, which was
  generated by GNU Autoconf 2.69.  Invocation command line was
    $ $0 $@
@@ -6707,7 +6712,7 @@ fi
  # Define the identity of the package.
   PACKAGE='grub'
-- VERSION='2.12~rc1'
++ VERSION='2.12'
  cat >>confdefs.h <<_ACEOF
@@ -17782,8 +17787,8 @@ rm -f core conftest.err conftest.$ac_objext \
          LIBS=$save_LIBS
          test $gl_pthread_api = yes && break
        done
--      echo "$as_me:17785: gl_pthread_api=$gl_pthread_api" >&5
--      echo "$as_me:17786: LIBPTHREAD=$LIBPTHREAD" >&5
++      echo "$as_me:17790: gl_pthread_api=$gl_pthread_api" >&5
++      echo "$as_me:17791: LIBPTHREAD=$LIBPTHREAD" >&5
        gl_pthread_in_glibc=no
        # On Linux with glibc >= 2.34, libc contains the fully functional
@@ -17808,7 +17813,7 @@ rm -f conftest*
            ;;
        esac
--      echo "$as_me:17811: gl_pthread_in_glibc=$gl_pthread_in_glibc" >&5
++      echo "$as_me:17816: gl_pthread_in_glibc=$gl_pthread_in_glibc" >&5
        # Test for libpthread by looking for pthread_kill. (Not pthread_self,
        # since it is defined as a macro on OSF/1.)
@@ -17962,7 +17967,7 @@ fi
          fi
        fi
--      echo "$as_me:17965: LIBPMULTITHREAD=$LIBPMULTITHREAD" >&5
++      echo "$as_me:17970: LIBPMULTITHREAD=$LIBPMULTITHREAD" >&5
      fi
      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether POSIX threads API is available" >&5
  $as_echo_n "checking whether POSIX threads API is available... " >&6; }
@@ -20382,8 +20387,8 @@ rm -f core conftest.err conftest.$ac_objext \
          LIBS=$save_LIBS
          test $gl_pthread_api = yes && break
        done
--      echo "$as_me:20385: gl_pthread_api=$gl_pthread_api" >&5
--      echo "$as_me:20386: LIBPTHREAD=$LIBPTHREAD" >&5
++      echo "$as_me:20390: gl_pthread_api=$gl_pthread_api" >&5
++      echo "$as_me:20391: LIBPTHREAD=$LIBPTHREAD" >&5
        gl_pthread_in_glibc=no
        # On Linux with glibc >= 2.34, libc contains the fully functional
@@ -20408,7 +20413,7 @@ rm -f conftest*
            ;;
        esac
--      echo "$as_me:20411: gl_pthread_in_glibc=$gl_pthread_in_glibc" >&5
++      echo "$as_me:20416: gl_pthread_in_glibc=$gl_pthread_in_glibc" >&5
        # Test for libpthread by looking for pthread_kill. (Not pthread_self,
        # since it is defined as a macro on OSF/1.)
@@ -20562,7 +20567,7 @@ fi
          fi
        fi
--      echo "$as_me:20565: LIBPMULTITHREAD=$LIBPMULTITHREAD" >&5
++      echo "$as_me:20570: LIBPMULTITHREAD=$LIBPMULTITHREAD" >&5
      fi
      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether POSIX threads API is available" >&5
  $as_echo_n "checking whether POSIX threads API is available... " >&6; }
@@ -20788,8 +20793,8 @@ rm -f core conftest.err conftest.$ac_objext \
          LIBS=$save_LIBS
          test $gl_pthread_api = yes && break
        done
--      echo "$as_me:20791: gl_pthread_api=$gl_pthread_api" >&5
--      echo "$as_me:20792: LIBPTHREAD=$LIBPTHREAD" >&5
++      echo "$as_me:20796: gl_pthread_api=$gl_pthread_api" >&5
++      echo "$as_me:20797: LIBPTHREAD=$LIBPTHREAD" >&5
        gl_pthread_in_glibc=no
        # On Linux with glibc >= 2.34, libc contains the fully functional
@@ -20814,7 +20819,7 @@ rm -f conftest*
            ;;
        esac
--      echo "$as_me:20817: gl_pthread_in_glibc=$gl_pthread_in_glibc" >&5
++      echo "$as_me:20822: gl_pthread_in_glibc=$gl_pthread_in_glibc" >&5
        # Test for libpthread by looking for pthread_kill. (Not pthread_self,
        # since it is defined as a macro on OSF/1.)
@@ -20968,7 +20973,7 @@ fi
          fi
        fi
--      echo "$as_me:20971: LIBPMULTITHREAD=$LIBPMULTITHREAD" >&5
++      echo "$as_me:20976: LIBPMULTITHREAD=$LIBPMULTITHREAD" >&5
      fi
      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether POSIX threads API is available" >&5
  $as_echo_n "checking whether POSIX threads API is available... " >&6; }
@@ -37117,6 +37122,41 @@ $as_echo "$grub_cv_target_cc_mno_relax" >&6; }
    TARGET_LDFLAGS="$TARGET_LDFLAGS $grub_cv_target_cc_mno_relax"
  fi
++# The backtrace module relies on frame pointers and the default optimization
++# level, -Os, omits them. Make sure they are enabled.
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -fno-omit-frame-pointer works" >&5
++$as_echo_n "checking whether -fno-omit-frame-pointer works... " >&6; }
++if ${grub_cv_cc_fno_omit_frame_pointer+:} false; then :
++  $as_echo_n "(cached) " >&6
++else
++
++  CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++
++int
++main (void)
++{
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"; then :
++  grub_cv_cc_fno_omit_frame_pointer=yes
++else
++  grub_cv_cc_fno_omit_frame_pointer=no
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
++
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $grub_cv_cc_fno_omit_frame_pointer" >&5
++$as_echo "$grub_cv_cc_fno_omit_frame_pointer" >&6; }
++
++if test "x$grub_cv_cc_fno_omit_frame_pointer" = xyes; then
++  TARGET_CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
++fi
++
  # By default, GCC 4.4 generates .eh_frame sections containing unwind
  # information in some cases where it previously did not. GRUB doesn't need
  # these and they just use up vital space. Restore the old compiler
@@ -37637,8 +37677,7 @@ CFLAGS="$TARGET_CFLAGS"
  LDFLAGS="$TARGET_LDFLAGS"
--if test "$target_cpu" = x86_64 || test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64 \
--  || test "$target_cpu" = loongarch64 ; then
++if test "$target_cpu" = x86_64 || test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64 ; then
    # Use large model to support 4G memory
    { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether option -mcmodel=large works" >&5
  $as_echo_n "checking whether option -mcmodel=large works... " >&6; }
@@ -38135,6 +38174,28 @@ else
      as_fn_error $? "invalid value $enable_stack_protector for --enable-stack-protector" "$LINENO" 5
    fi
    TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
++
++  if test -n "$SOURCE_DATE_EPOCH"; then
++     GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2$(printf "%x" "$SOURCE_DATE_EPOCH" | sed 's/.*\(........\)$/\1/')"
++  elif test -r /dev/urandom; then
++     # Generate the 8 byte stack protector canary at build time if /dev/urandom
++     # is able to be read. The first byte should be NUL to filter out string
++     # buffer overflow attacks.
++     GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), "hex").decode("ascii"))')"
++  else
++    # Some hosts may not have a urandom, e.g. Windows, so use statically
++    # generated random bytes
++    GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
++  fi
++
++  if test x"$target_m32" = x1 ; then
++    # Make sure that the canary default value is 24-bits by only using the
++    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
++    # to filter out string buffer overflow attacks.
++    GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 's/.*\(......\)$/\1/')"
++  fi
++
++
  fi
  CFLAGS="$TARGET_CFLAGS"
@@ -39000,7 +39061,7 @@ $as_echo "#define HAVE_SDL2 1" >>confdefs.h
  fi
    fi
--  if test x"enable_grub_emu_sdl2" = xyes && test x"$grub_emu_sdl2_excuse" != x ; then
++  if test x"$enable_grub_emu_sdl2" = xyes && test x"$grub_emu_sdl2_excuse" != x ; then
      as_fn_error $? "SDL2 support for grub-emu was explicitly requested but can't be compiled ($grub_emu_sdl2_excuse)" "$LINENO" 5
    fi
    if test x"$grub_emu_sdl2_excuse" = x ; then
@@ -39306,6 +39367,9 @@ rm -f core conftest.err conftest.$ac_objext \
      LIBS="$SAVED_LIBS"
  fi
++  if test x"$grub_mkfont_excuse" = x && test x"$host_kernel" = xnetbsd ; then
++      FREETYPE_LIBS="$FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;
++  fi
  fi
  if test x"$enable_grub_mkfont" = xyes && test x"$grub_mkfont_excuse" != x ; then
@@ -39690,6 +39754,11 @@ rm -f core conftest.err conftest.$ac_objext \
      CPPFLAGS="$SAVED_CPPFLAGS_2"
  fi
++  if test x"$grub_build_mkfont_excuse" = x ; then
++    case x"$build_os" in
++      xnetbsd*) BUILD_FREETYPE_LIBS="$BUILD_FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;;
++    esac
++  fi
    PKG_CONFIG="$SAVED_PKG_CONFIG"
  fi
@@ -39716,8 +39785,6 @@ CPPFLAGS="$SAVED_CPPFLAGS"
  LDFLAGS="$SAVED_LDFLAGS"
--DJVU_FONT_SOURCE=
--
  starfield_excuse=
  # Check whether --enable-grub-themes was given.
@@ -39733,19 +39800,31 @@ if test x"$starfield_excuse" = x && test x"$enable_build_grub_mkfont" = xno ; th
    starfield_excuse="No build-time grub-mkfont"
  fi
--if test x"$starfield_excuse" = x; then
--   for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
--     for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype; do
--        if test -f "$dir/DejaVuSans.$ext"; then
--          DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
--          break 2
--        fi
++
++# Check whether --with-dejavufont was given.
++if test "${with_dejavufont+set}" = set; then :
++  withval=$with_dejavufont;
++fi
++
++
++if test "x$with_dejavufont" = x; then
++  # search in well-known directories
++  if test x"$starfield_excuse" = x; then
++     for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
++       for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype /usr/pkg/share/fonts/X11/TTF /usr/local/share/fonts/dejavu /usr/X11R6/lib/X11/fonts/TTF; do
++          if test -f "$dir/DejaVuSans.$ext"; then
++            DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
++            break 2
++          fi
++       done
       done
--   done
--   if test "x$DJVU_FONT_SOURCE" = x; then
--     starfield_excuse="No DejaVu found"
--   fi
++     if test "x$DJVU_FONT_SOURCE" = x; then
++       starfield_excuse="No DejaVu found"
++     fi
++  fi
++else
++  DJVU_FONT_SOURCE="$with_dejavufont"
  fi
  if test x"$enable_grub_themes" = xyes &&  test x"$starfield_excuse" != x; then
@@ -39754,21 +39833,31 @@ fi
--FONT_SOURCE=
--for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
--  for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc; do
--    if test -f "$dir/unifont.$ext"; then
--      md5="$(md5sum "$dir/unifont.$ext"|awk '{ print $1; }')"
--      # PCF and BDF from version 6.3 isn't hanled properly by libfreetype.
--      if test "$md5" = 0a54834d2788c83886a3e1785a6a1e61 || test "$md5" = 28f2565c7a41d8d407e2551159385edb || test "$md5" = dae5e588461b3b92b87b6ffee734f936 || test "$md5" = 4a3d687aa5bb329ed05f4263a1016791 ; then
--        continue
++# Check whether --with-unifont was given.
++if test "${with_unifont+set}" = set; then :
++  withval=$with_unifont;
++fi
++
++
++if test "x$with_unifont" = x; then
++  # search in well-known directories
++  for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
++    for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc /usr/pkg/share/fonts/X11/misc /usr/local/share/fonts/gnu-unifont /usr/local/share/fonts/unifont; do
++      if test -f "$dir/unifont.$ext"; then
++        md5="$(md5sum "$dir/unifont.$ext"|awk '{ print $1; }')"
++        # PCF and BDF from version 6.3 isn't hanled properly by libfreetype.
++        if test "$md5" = 0a54834d2788c83886a3e1785a6a1e61 || test "$md5" = 28f2565c7a41d8d407e2551159385edb || test "$md5" = dae5e588461b3b92b87b6ffee734f936 || test "$md5" = 4a3d687aa5bb329ed05f4263a1016791 ; then
++          continue
++        fi
++        FONT_SOURCE="$dir/unifont.$ext"
++        break 2
        fi
--      FONT_SOURCE="$dir/unifont.$ext"
--      break 2
--    fi
++    done
    done
--done
++else
++  FONT_SOURCE="$with_unifont"
++fi
  if test x"$enable_build_grub_mkfont" = xno ; then
    FONT_SOURCE=
@@ -40417,16 +40506,62 @@ fi
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nvpair_nvlist_lookup_string" >&5
  $as_echo "$ac_cv_lib_nvpair_nvlist_lookup_string" >&6; }
  if test "x$ac_cv_lib_nvpair_nvlist_lookup_string" = xyes; then :
--  cat >>confdefs.h <<_ACEOF
--#define HAVE_LIBNVPAIR 1
--_ACEOF
++  have_normal_nvpair=yes
++else
++  have_normal_nvpair=no
++fi
--  LIBS="-lnvpair $LIBS"
++  if test x"$have_normal_nvpair" = xno ; then
++    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for opensolaris_nvlist_lookup_string in -lnvpair" >&5
++$as_echo_n "checking for opensolaris_nvlist_lookup_string in -lnvpair... " >&6; }
++if ${ac_cv_lib_nvpair_opensolaris_nvlist_lookup_string+:} false; then :
++  $as_echo_n "(cached) " >&6
++else
++  ac_check_lib_save_LIBS=$LIBS
++LIBS="-lnvpair  $LIBS"
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++/* Override any GCC internal prototype to avoid an error.
++   Use char because int might match the return type of a GCC
++   builtin and then its argument prototype would still apply.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++char opensolaris_nvlist_lookup_string ();
++int
++main (void)
++{
++return opensolaris_nvlist_lookup_string ();
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"; then :
++  ac_cv_lib_nvpair_opensolaris_nvlist_lookup_string=yes
  else
--  libzfs_excuse="need nvpair library"
++  ac_cv_lib_nvpair_opensolaris_nvlist_lookup_string=no
  fi
++rm -f core conftest.err conftest.$ac_objext \
++    conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nvpair_opensolaris_nvlist_lookup_string" >&5
++$as_echo "$ac_cv_lib_nvpair_opensolaris_nvlist_lookup_string" >&6; }
++if test "x$ac_cv_lib_nvpair_opensolaris_nvlist_lookup_string" = xyes; then :
++  have_prefixed_nvpair=yes
++else
++  have_prefixed_nvpair=no
++fi
++
++    if test x"$have_prefixed_nvpair" = xyes ; then
++
++$as_echo "#define GRUB_UTIL_NVPAIR_IS_PREFIXED 1" >>confdefs.h
++    else
++      libzfs_excuse="need nvpair library"
++    fi
++  fi
  fi
  if test x"$enable_libzfs" = xyes && test x"$libzfs_excuse" != x ; then
@@ -40436,12 +40571,9 @@ fi
  if test x"$libzfs_excuse" = x ; then
    # We need both libzfs and libnvpair for a successful build.
    LIBZFS="-lzfs"
--
--$as_echo "#define HAVE_LIBZFS 1" >>confdefs.h
--
    LIBNVPAIR="-lnvpair"
--$as_echo "#define HAVE_LIBNVPAIR 1" >>confdefs.h
++$as_echo "#define USE_LIBZFS 1" >>confdefs.h
  fi
@@ -41909,7 +42041,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
  # report actual input values of CONFIG_FILES etc. instead of their
  # values after options handling.
  ac_log="
--This file was extended by GRUB $as_me 2.12~rc1, which was
++This file was extended by GRUB $as_me 2.12, which was
  generated by GNU Autoconf 2.69.  Invocation command line was
    CONFIG_FILES    = $CONFIG_FILES
@@ -41979,7 +42111,7 @@ _ACEOF
  cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
  ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
  ac_cs_version="\\
--GRUB config.status 2.12~rc1
++GRUB config.status 2.12
  configured by $0, generated by GNU Autoconf 2.69,
    with options \\"\$ac_cs_config\\"
 diff --git a/configure.ac b/configure.ac
 index 01500ff..cd667a2 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -34,7 +34,7 @@ dnl "TARGET_" (such as TARGET_CC, TARGET_CFLAGS, etc.) are used for
  dnl the target type. See INSTALL for full list of variables and
  dnl description of the relationships between them.
--AC_INIT([GRUB],[2.12~rc1],[bug-grub@gnu.org])
++AC_INIT([GRUB],[2.12],[bug-grub@gnu.org])
  AS_CASE(["$ERROR_PLATFORM_NOT_SUPPORT_SSP"],
    [n | no | nO | N | No | NO], [ERROR_PLATFORM_NOT_SUPPORT_SSP=no],
@@ -1020,6 +1020,19 @@ if test x"$target_cpu" = xsparc64 ; then
    TARGET_LDFLAGS="$TARGET_LDFLAGS $grub_cv_target_cc_mno_relax"
  fi
++# The backtrace module relies on frame pointers and the default optimization
++# level, -Os, omits them. Make sure they are enabled.
++AC_CACHE_CHECK([whether -fno-omit-frame-pointer works], [grub_cv_cc_fno_omit_frame_pointer], [
++  CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
++  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
++      [grub_cv_cc_fno_omit_frame_pointer=yes],
++      [grub_cv_cc_fno_omit_frame_pointer=no])
++])
++
++if test "x$grub_cv_cc_fno_omit_frame_pointer" = xyes; then
++  TARGET_CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
++fi
++
  # By default, GCC 4.4 generates .eh_frame sections containing unwind
  # information in some cases where it previously did not. GRUB doesn't need
  # these and they just use up vital space. Restore the old compiler
@@ -1262,8 +1275,7 @@ AC_SUBST(TARGET_LDFLAGS_OLDMAGIC)
  LDFLAGS="$TARGET_LDFLAGS"
--if test "$target_cpu" = x86_64 || test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64 \
--  || test "$target_cpu" = loongarch64 ; then
++if test "$target_cpu" = x86_64 || test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64 ; then
    # Use large model to support 4G memory
    AC_CACHE_CHECK([whether option -mcmodel=large works], grub_cv_cc_mcmodel, [
      CFLAGS="$TARGET_CFLAGS -mcmodel=large"
@@ -1426,6 +1438,28 @@ else
      AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
    fi
    TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
++
++  if test -n "$SOURCE_DATE_EPOCH"; then
++     GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2$(printf "%x" "$SOURCE_DATE_EPOCH" | sed 's/.*\(........\)$/\1/')"
++  elif test -r /dev/urandom; then
++     # Generate the 8 byte stack protector canary at build time if /dev/urandom
++     # is able to be read. The first byte should be NUL to filter out string
++     # buffer overflow attacks.
++     GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), "hex").decode("ascii"))')"
++  else
++    # Some hosts may not have a urandom, e.g. Windows, so use statically
++    # generated random bytes
++    GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
++  fi
++
++  if test x"$target_m32" = x1 ; then
++    # Make sure that the canary default value is 24-bits by only using the
++    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
++    # to filter out string buffer overflow attacks.
++    GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 's/.*\(......\)$/\1/')"
++  fi
++
++  AC_SUBST([GRUB_STACK_PROTECTOR_INIT])
  fi
  CFLAGS="$TARGET_CFLAGS"
@@ -1609,7 +1643,7 @@ if test "$platform" = emu; then
              AC_SUBST(HAVE_SDL2)],
              [grub_emu_sdl2_excuse="libSDL2 libraries are required to build \`grub-emu' with SDL2 support"])
    [fi]
--  if test x"enable_grub_emu_sdl2" = xyes && test x"$grub_emu_sdl2_excuse" != x ; then
++  if test x"$enable_grub_emu_sdl2" = xyes && test x"$grub_emu_sdl2_excuse" != x ; then
      AC_MSG_ERROR([SDL2 support for grub-emu was explicitly requested but can't be compiled ($grub_emu_sdl2_excuse)])
    fi
    if test x"$grub_emu_sdl2_excuse" = x ; then
@@ -1704,6 +1738,9 @@ if test x"$grub_mkfont_excuse" = x ; then
      CPPFLAGS="$SAVED_CPPFLAGS"
      LIBS="$SAVED_LIBS"
    ], [grub_mkfont_excuse=["need freetype2 library"]])
++  if test x"$grub_mkfont_excuse" = x && test x"$host_kernel" = xnetbsd ; then
++      FREETYPE_LIBS="$FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;
++  fi
  fi
  if test x"$enable_grub_mkfont" = xyes && test x"$grub_mkfont_excuse" != x ; then
@@ -1758,6 +1795,11 @@ if test x"$grub_build_mkfont_excuse" = x ; then
      LIBS="$SAVED_LIBS"
      CPPFLAGS="$SAVED_CPPFLAGS_2"
    ], [grub_build_mkfont_excuse=["need freetype2 library"]])
++  if test x"$grub_build_mkfont_excuse" = x ; then
++    case x"$build_os" in
++      xnetbsd*) BUILD_FREETYPE_LIBS="$BUILD_FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;;
++    esac
++  fi
    PKG_CONFIG="$SAVED_PKG_CONFIG"
  fi
@@ -1784,8 +1826,6 @@ CPPFLAGS="$SAVED_CPPFLAGS"
  LDFLAGS="$SAVED_LDFLAGS"
--DJVU_FONT_SOURCE=
--
  starfield_excuse=
  AC_ARG_ENABLE([grub-themes],
@@ -1799,19 +1839,28 @@ if test x"$starfield_excuse" = x && test x"$enable_build_grub_mkfont" = xno ; th
    starfield_excuse="No build-time grub-mkfont"
  fi
--if test x"$starfield_excuse" = x; then
--   for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
--     for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype; do
--        if test -f "$dir/DejaVuSans.$ext"; then
--          DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
--          break 2
--        fi
++AC_ARG_WITH([dejavufont],
++            AS_HELP_STRING([--with-dejavufont=FILE],
++                           [set the DejeVu source [[guessed]]]))
++
++if test "x$with_dejavufont" = x; then
++  # search in well-known directories
++  if test x"$starfield_excuse" = x; then
++     for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
++       for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype /usr/pkg/share/fonts/X11/TTF /usr/local/share/fonts/dejavu /usr/X11R6/lib/X11/fonts/TTF; do
++          if test -f "$dir/DejaVuSans.$ext"; then
++            DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
++            break 2
++          fi
++       done
       done
--   done
--   if test "x$DJVU_FONT_SOURCE" = x; then
--     starfield_excuse="No DejaVu found"
--   fi
++     if test "x$DJVU_FONT_SOURCE" = x; then
++       starfield_excuse="No DejaVu found"
++     fi
++  fi
++else
++  DJVU_FONT_SOURCE="$with_dejavufont"
  fi
  if test x"$enable_grub_themes" = xyes &&  test x"$starfield_excuse" != x; then
@@ -1820,21 +1869,28 @@ fi
  AC_SUBST([DJVU_FONT_SOURCE])
--FONT_SOURCE=
--
--for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
--  for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc; do
--    if test -f "$dir/unifont.$ext"; then
--      md5="$(md5sum "$dir/unifont.$ext"|awk '{ print $1; }')"
--      # PCF and BDF from version 6.3 isn't hanled properly by libfreetype.
--      if test "$md5" = 0a54834d2788c83886a3e1785a6a1e61 || test "$md5" = 28f2565c7a41d8d407e2551159385edb || test "$md5" = dae5e588461b3b92b87b6ffee734f936 || test "$md5" = 4a3d687aa5bb329ed05f4263a1016791 ; then
--        continue
++AC_ARG_WITH([unifont],
++            AS_HELP_STRING([--with-unifont=FILE],
++                           [set the unifont source [[guessed]]]))
++
++if test "x$with_unifont" = x; then
++  # search in well-known directories
++  for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
++    for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc /usr/pkg/share/fonts/X11/misc /usr/local/share/fonts/gnu-unifont /usr/local/share/fonts/unifont; do
++      if test -f "$dir/unifont.$ext"; then
++        md5="$(md5sum "$dir/unifont.$ext"|awk '{ print $1; }')"
++        # PCF and BDF from version 6.3 isn't hanled properly by libfreetype.
++        if test "$md5" = 0a54834d2788c83886a3e1785a6a1e61 || test "$md5" = 28f2565c7a41d8d407e2551159385edb || test "$md5" = dae5e588461b3b92b87b6ffee734f936 || test "$md5" = 4a3d687aa5bb329ed05f4263a1016791 ; then
++          continue
++        fi
++        FONT_SOURCE="$dir/unifont.$ext"
++        break 2
        fi
--      FONT_SOURCE="$dir/unifont.$ext"
--      break 2
--    fi
++    done
    done
--done
++else
++  FONT_SOURCE="$with_unifont"
++fi
  if test x"$enable_build_grub_mkfont" = xno ; then
    FONT_SOURCE=
@@ -1971,8 +2027,19 @@ fi
  if test x"$libzfs_excuse" = x ; then
    AC_CHECK_LIB([nvpair], [nvlist_lookup_string],
--               [],
--               [libzfs_excuse="need nvpair library"])
++               [have_normal_nvpair=yes],
++               [have_normal_nvpair=no])
++  if test x"$have_normal_nvpair" = xno ; then
++    AC_CHECK_LIB([nvpair], [opensolaris_nvlist_lookup_string],
++                 [have_prefixed_nvpair=yes],
++                 [have_prefixed_nvpair=no])
++    if test x"$have_prefixed_nvpair" = xyes ; then
++      AC_DEFINE([GRUB_UTIL_NVPAIR_IS_PREFIXED], [1],
++            [Define to 1 if libnvpair symbols are prefixed with opensolaris_.])
++    else
++      libzfs_excuse="need nvpair library"
++    fi
++  fi
  fi
  if test x"$enable_libzfs" = xyes && test x"$libzfs_excuse" != x ; then
@@ -1982,11 +2049,9 @@ fi
  if test x"$libzfs_excuse" = x ; then
    # We need both libzfs and libnvpair for a successful build.
    LIBZFS="-lzfs"
--  AC_DEFINE([HAVE_LIBZFS], [1],
--            [Define to 1 if you have the ZFS library.])
    LIBNVPAIR="-lnvpair"
--  AC_DEFINE([HAVE_LIBNVPAIR], [1],
--            [Define to 1 if you have the NVPAIR library.])
++  AC_DEFINE([USE_LIBZFS], [1],
++            [Define to 1 if ZFS library should be used.])
  fi
  AC_SUBST([LIBZFS])
 diff --git a/debian/build-efi-images b/debian/build-efi-images
 index d3f6cc5..d17e225 100755
 --- a/debian/build-efi-images
 +++ b/debian/build-efi-images
@@ -104,7 +104,6 @@ CD_MODULES="
  	ext2
  	fat
  	font
--	f2fs
  	gettext
  	gfxmenu
  	gfxterm
@@ -114,7 +113,6 @@ CD_MODULES="
  	help
  	hfsplus
  	iso9660
--	jfs
  	jpeg
  	keystatus
  	loadenv
@@ -196,7 +194,6 @@ GRUB_MODULES="$CD_MODULES
  	gcry_twofish
  	gcry_whirlpool
  	luks
--	luks2
  	lvm
  	mdraid09
  	mdraid1x
@@ -246,15 +243,18 @@ echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name.efi"
  # Special network boot image for d-i to use. Just the same as the
  # normal network boot image, but with a different value baked in for
  # the prefix setting
--echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
--"$grub_mkimage" \
--    -O "$platform" \
--    -o "$outdir/grubnet$efi_name-installer.efi" \
--    -c "$workdir/grub-bootstrap.cfg" \
--    -d "$grub_core" \
--    -m "$workdir/memdisk-netboot.squashfs" \
--    -p "/${efi_vendor}-installer/$deb_arch/grub" \
--    --sbat "$sbat_csv" \
--    $NET_MODULES
++#
++# but not on Ubuntu LP: #1863994
++#
++#echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
++#"$grub_mkimage" \
++#    -O "$platform" \
++#    -o "$outdir/grubnet$efi_name-installer.efi" \
++#    -c "$workdir/grub-bootstrap.cfg" \
++#    -d "$grub_core" \
++#    -m "$workdir/memdisk-netboot.squashfs" \
++#    -p "/${efi_vendor}-installer/$deb_arch/grub" \
++#    --sbat "$sbat_csv" \
++#    $NET_MODULES
  exit 0
 diff --git a/debian/canonical-uefi-ca.crt b/debian/canonical-uefi-ca.crt
 new file mode 100644
 index 0000000..55c06d5
 --- /dev/null
 +++ b/debian/canonical-uefi-ca.crt
@@ -0,0 +1,25 @@
++-----BEGIN CERTIFICATE-----
++MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD
++VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx
++FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk
++LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX
++DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m
++IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x
++NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo
++b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h
++7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7
++v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO
+++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr
++yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk
++YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO
++BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj
++MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB
++Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu
++b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB
++CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd
++B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH
++WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx
++U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd
++7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p
++9JkU284DDgtmxBxtvbgnd8FClL38agq8
++-----END CERTIFICATE-----
 diff --git a/debian/changelog b/debian/changelog
 index da31470..17299bf 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,207 @@
++grub2 (2.12-1ubuntu2) noble; urgency=medium
++
++  * Revert patchset "ppc64: Restrict memory allocations" (LP: #2053117)
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Wed, 14 Feb 2024 09:19:35 +0000
++
++grub2 (2.12-1ubuntu1) noble; urgency=medium
++
++  * Merge from Debian unstable; remaining changes:
++    - Add Ubuntu sbat data
++    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
++    - grub-common: Install canonical-uefi-ca.crt
++    - Check signatures
++    - Support installing to multiple ESP (LP: 1871821)
++    - Disable various bits on i386
++    - Split out unsigned artefacts into grub2-unsigned
++    - Vcs-Git: Point to ubuntu packaging branch
++    - Relax dependencies on grub-common and grub2-common
++    - grub-pc: Avoid the possibility of breaking grub on SRU update due
++      to ABI change
++    - UBUNTU: Default timeout changes
++    - Revert "Add jfs module to signed UEFI images. Closes: #950959"
++    - Revert "Add f2fs module to signed UEFI images"
++    - Install grub-initrd-fallback.service again
++    - Build using -O1 on s390x to avoid misoptimization
++    - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
++    - grub-multi-install: Reset partition type between partitions (LP: #1997795)
++    - Drop i386 from grub-efi-amd64* (LP: #2020907)
++    - Turn depends on grub-efi-amd64/arm64 unversioned
++    - forward port fix for LP: #1926748
++    - Make the grub2/no_efi_extra_removable setting work correctly
++    - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
++    - Build grub2-unsigned packages with xz compression
++    - Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
++      compatible with our versioning schemes.
++    - Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
++      it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
++    - rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
++    - Drop luks2
++    - d/control: Add python3-apt to Depends of grub-common (LP: #2048953)
++    - Replaced patches:
++      - install-signed.patche
++      - grub-install-extra-removable.patch
++      - grub-install-removable-shim.patch
++    - Added patches:
++      + rhboot-f34-dont-use-int-for-efi-status.patch
++      + rhboot-f34-make-exit-take-a-return-code.patch
++      + suse-grub.texi-add-net_bootp6-document.patch
++      + ubuntu-add-devicetree-command-support.patch
++      + ubuntu-add-initrd-less-boot-fallback.patch
++      + ubuntu-add-initrd-less-boot-messages.patch
++      + ubuntu-boot-from-multipath-dependent-symlink.patch
++      + ubuntu-dont-verify-loopback-images.patch
++      + ubuntu-fix-lzma-decompressor-objcopy.patch
++      + ubuntu-grub-install-extra-removable.patch
++      + ubuntu-install-signed.patch
++      + ubuntu-mkconfig-leave-breadcrumbs.patch
++      + ubuntu-os-prober-auto.patch
++      + ubuntu-recovery-dis_ucode_ldr.patch
++      + ubuntu-resilient-boot-boot-order.patch
++      + ubuntu-resilient-boot-ignore-alternative-esps.patch
++      + ubuntu-shorter-version-info.patch
++      + ubuntu-speed-zsys-history.patch
++      + ubuntu-support-initrd-less-boot.patch
++      + ubuntu-verifiers-last.patch
++      + ubuntu-zfs-enhance-support.patch
++      + ubuntu-zfs-gfxpayload-dynamic.patch
++      + ubuntu-zfs-gfxpayload-keep-default.patch
++      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
++      + ubuntu-zfs-mkconfig-recovery-title.patch
++      + ubuntu-zfs-mkconfig-signed-kernel.patch
++      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
++      + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
++      + ubuntu-zfs-vt-handoff.patch
++  * Unreleased changes from Debian:
++    - Update signing-template Uploaders to match main package.
++    - d/p/mkconfig-ubuntu-recovery.patch: Use "recovery" instead of "single recovery"
++      for recovery mode bootparams (LP: #2041245)
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Mon, 29 Jan 2024 11:06:12 +0000
++
++grub2 (2.12-1) unstable; urgency=medium
++
++  [ Mate Kukri ]
++  * New upstream version, 2.12
++  * d/patches: Rebase on `upstream/2.12` and drop superseded patches:
++    - Dropping patches now included upstream:
++      + d/p/ntfs-cve-fixes/*: Fixes for NTFS OOB CVE
++      + d/p/upstream/xfs-*: XFS parsing fixes
++      + d/p/upstream/unmerged-usr-shebang.patch
++    - Dropping patch replaced with configure option:
++      + d/p/dejavu-font-path.patch
++  * d/rules: Pass configure option '--enable-grub-themes'
++  * d/rules: Provide Debian specific DejaVu path via configure
++  * d/{control,rules}: Use default gcc version
++  * d/p/extra_deps_lst.patch:
++    Checkout "extra_deps.lst" from upstream/master
++  * d/p/sb/revert-efi-fallback-to-legacy.patch:
++    Also revert newer fallback patch
++
++  [ Julian Andres Klode ]
++  * Add Mate to Uploaders
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Mon, 15 Jan 2024 09:54:55 +0000
++
++grub2 (2.12~rc1-13) unstable; urgency=medium
++
++  * No-change rebuild to retrigger signing following binNMU breakage
++
++ -- Julian Andres Klode <jak@debian.org>  Fri, 12 Jan 2024 19:00:41 +0100
++
++grub2 (2.12~rc1-12ubuntu5) noble; urgency=medium
++
++  * d/control: Add python3-apt to Depends of grub-common (LP: #2048953)
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Fri, 09 Feb 2024 13:23:36 +0000
++
++grub2 (2.12~rc1-12ubuntu4) noble; urgency=medium
++
++  * d/p/delay-copying-to-grubdir.patch: Move platdir path canonicalisation
++    after files were copied to grubdir. (LP: #2045944)
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Fri, 08 Dec 2023 09:22:22 +0000
++
++grub2 (2.12~rc1-12ubuntu3) noble; urgency=medium
++
++  * d/p/delay-copying-to-grubdir.patch: Improve grub-install robustness by
++    delaying the update of /boot after install device validation
++  * Remove workaround for LP: 1889556 (LP: #2043995)
++    - Was not needed since /boot rollback was introduced upstream
++    - Patch above ensures that this will not reoccur even if rollback fails
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Tue, 21 Nov 2023 15:35:55 +0000
++
++grub2 (2.12~rc1-12ubuntu2) noble; urgency=medium
++
++  * Merge from Debian unstable; remaining changes:
++    - Add Ubuntu sbat data
++    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
++    - grub-common: Install canonical-uefi-ca.crt
++    - Check signatures
++    - Support installing to multiple ESP (LP: 1871821)
++    - Disable various bits on i386
++    - Split out unsigned artefacts into grub2-unsigned
++    - Vcs-Git: Point to ubuntu packaging branch
++    - Relax dependencies on grub-common and grub2-common
++    - grub-pc: Avoid the possibility of breaking grub on SRU update due
++      to ABI change
++    - UBUNTU: Default timeout changes
++    - Revert "Add jfs module to signed UEFI images. Closes: #950959"
++    - Revert "Add f2fs module to signed UEFI images"
++    - Install grub-initrd-fallback.service again
++    - Build using -O1 on s390x to avoid misoptimization
++    - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
++    - grub-multi-install: Reset partition type between partitions (LP: #1997795)
++    - Drop i386 from grub-efi-amd64* (LP: #2020907)
++    - Turn depends on grub-efi-amd64/arm64 unversioned
++    - forward port fix for LP: #1926748
++    - Make the grub2/no_efi_extra_removable setting work correctly
++    - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
++    - Build grub2-unsigned packages with xz compression
++    - Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
++      compatible with our versioning schemes.
++    - Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
++      it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
++    - rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
++    - Replaced patches:
++      - installe-signed.patched
++      - grub-install-extra-removable.patch
++      - grub-install-removable-shim.patch
++    - Added patches:
++      + rhboot-f34-dont-use-int-for-efi-status.patch
++      + rhboot-f34-make-exit-take-a-return-code.patch
++      + suse-grub.texi-add-net_bootp6-document.patch
++      + ubuntu-add-devicetree-command-support.patch
++      + ubuntu-add-initrd-less-boot-fallback.patch
++      + ubuntu-add-initrd-less-boot-messages.patch
++      + ubuntu-boot-from-multipath-dependent-symlink.patch
++      + ubuntu-dont-verify-loopback-images.patch
++      + ubuntu-fix-lzma-decompressor-objcopy.patch
++      + ubuntu-grub-install-extra-removable.patch
++      + ubuntu-install-signed.patch
++      + ubuntu-mkconfig-leave-breadcrumbs.patch
++      + ubuntu-os-prober-auto.patch
++      + ubuntu-recovery-dis_ucode_ldr.patch
++      + ubuntu-resilient-boot-boot-order.patch
++      + ubuntu-resilient-boot-ignore-alternative-esps.patch
++      + ubuntu-shorter-version-info.patch
++      + ubuntu-speed-zsys-history.patch
++      + ubuntu-support-initrd-less-boot.patch
++      + ubuntu-verifiers-last.patch
++      + ubuntu-zfs-enhance-support.patch
++      + ubuntu-zfs-gfxpayload-dynamic.patch
++      + ubuntu-zfs-gfxpayload-keep-default.patch
++      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
++      + ubuntu-zfs-mkconfig-recovery-title.patch
++      + ubuntu-zfs-mkconfig-signed-kernel.patch
++      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
++      + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
++      + ubuntu-zfs-vt-handoff.patch
++  * Removed luks2 from signed EFI binaries (LP: #2043101)
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Thu, 09 Nov 2023 16:16:56 +0200
++
  grub2 (2.12~rc1-12) unstable; urgency=medium
    [ Mate Kukri ]
@@ -51,6 +255,108 @@ grub2 (2.12~rc1-11) unstable; urgency=medium
   -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 02 Oct 2023 15:55:25 +0200
++grub2 (2.12~rc1-10ubuntu4) mantic; urgency=high
++
++  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
++    and may leak sensitive information into the GRUB pager.
++    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
++      label.patch:
++      fs/ntfs: Fix an OOB read when parsing a volume label
++    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
++      index-at.patch:
++      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
++    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
++      entries-fr.patch:
++      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
++      non-resident index attributes
++    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
++      reside.patch:
++      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
++      attribute
++    - CVE-2023-4693
++  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
++    overflow and may allow arbitrary code execution and secure boot bypass.
++    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
++      ATTRIBUTE_LIST-.patch:
++      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
++      the $MFT file
++    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
++      fs/ntfs: Make code more readable
++    - CVE-2023-4692
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Mon, 02 Oct 2023 15:23:58 +0100
++
++grub2 (2.12~rc1-10ubuntu2) mantic; urgency=medium
++
++  * Merge from Debian unstable to pick up fixes (LP: #2028947); remaining changes:
++    - Add Ubuntu sbat data
++    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
++    - grub-common: Install canonical-uefi-ca.crt
++    - Check signatures
++    - Support installing to multiple ESP (LP: 1871821)
++    - Disable various bits on i386
++    - Split out unsigned artefacts into grub2-unsigned
++    - Vcs-Git: Point to ubuntu packaging branch
++    - Relax dependencies on grub-common and grub2-common
++    - grub-pc: Avoid the possibility of breaking grub on SRU update due
++      to ABI change
++    - UBUNTU: Default timeout changes
++    - Revert "Add jfs module to signed UEFI images. Closes: #950959"
++    - Revert "Add f2fs module to signed UEFI images"
++    - Install grub-initrd-fallback.service again
++    - Build using -O1 on s390x to avoid misoptimization
++    - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
++    - grub-multi-install: Reset partition type between partitions (LP: #1997795)
++    - Drop i386 from grub-efi-amd64* (LP: #2020907)
++    - Turn depends on grub-efi-amd64/arm64 unversioned
++    - forward port fix for LP: #1926748
++    - Make the grub2/no_efi_extra_removable setting work correctly
++    - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
++    - Build grub2-unsigned packages with xz compression
++    - Replaced patches:
++      - installe-signed.patched
++      - grub-install-extra-removable.patch
++      - grub-install-removable-shim.patch
++    - Added patches:
++      + rhboot-f34-dont-use-int-for-efi-status.patch
++      + rhboot-f34-make-exit-take-a-return-code.patch
++      + suse-grub.texi-add-net_bootp6-document.patch
++      + ubuntu-add-devicetree-command-support.patch
++      + ubuntu-add-initrd-less-boot-fallback.patch
++      + ubuntu-add-initrd-less-boot-messages.patch
++      + ubuntu-boot-from-multipath-dependent-symlink.patch
++      + ubuntu-dont-verify-loopback-images.patch
++      + ubuntu-fix-lzma-decompressor-objcopy.patch
++      + ubuntu-grub-install-extra-removable.patch
++      + ubuntu-install-signed.patch
++      + ubuntu-mkconfig-leave-breadcrumbs.patch
++      + ubuntu-os-prober-auto.patch
++      + ubuntu-recovery-dis_ucode_ldr.patch
++      + ubuntu-resilient-boot-boot-order.patch
++      + ubuntu-resilient-boot-ignore-alternative-esps.patch
++      + ubuntu-shorter-version-info.patch
++      + ubuntu-speed-zsys-history.patch
++      + ubuntu-support-initrd-less-boot.patch
++      + ubuntu-verifiers-last.patch
++      + ubuntu-zfs-enhance-support.patch
++      + ubuntu-zfs-gfxpayload-dynamic.patch
++      + ubuntu-zfs-gfxpayload-keep-default.patch
++      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
++      + ubuntu-zfs-mkconfig-recovery-title.patch
++      + ubuntu-zfs-mkconfig-signed-kernel.patch
++      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
++      + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
++      + ubuntu-zfs-vt-handoff.patch
++  * Dropped Ubuntu changes:
++    - Temporarily rmmod peimage for os-prober chainloader entries (LP: #2030810)
++  * Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
++    compatible with our versioning schemes.
++  * Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
++    it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
++  * rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 25 Sep 2023 17:31:09 +0200
++
  grub2 (2.12~rc1-10) unstable; urgency=medium
    [ Julian Andres Klode ]
@@ -111,6 +417,165 @@ grub2 (2.12~rc1-5) experimental; urgency=medium
   -- Julian Andres Klode <jak@debian.org>  Mon, 04 Sep 2023 14:16:12 +0200
++grub2 (2.12~rc1-4ubuntu3) mantic; urgency=medium
++
++  * zfs: Drop `set -u`, incompatible with undefined variables in library
++    (LP: #2033256)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 29 Aug 2023 16:03:49 +0200
++
++grub2 (2.12~rc1-4ubuntu2) mantic; urgency=medium
++
++  * ubuntu-zfs-enhance-support.patch: Adjustments for 2.12 library
++    (LP: #2029260)
++  * zfs: on_exit: Unmount ${MNTDIR}/boot before ${MNTDIR} (LP: #2031042)
++  * Temporarily rmmod peimage for os-prober chainloader entries (LP: #2030810)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 21 Aug 2023 14:26:07 +0200
++
++grub2 (2.12~rc1-4ubuntu1) mantic; urgency=medium
++
++  * Merge from Debian unstable (LP: #2028947); remaining changes:
++    - Add Ubuntu sbat data
++    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
++    - grub-common: Install canonical-uefi-ca.crt
++    - Check signatures
++    - Support installing to multiple ESP (LP: 1871821)
++    - Disable various bits on i386
++    - Split out unsigned artefacts into grub2-unsigned
++    - Vcs-Git: Point to ubuntu packaging branch
++    - Relax dependencies on grub-common and grub2-common
++    - grub-pc: Avoid the possibility of breaking grub on SRU update due
++      to ABI change
++    - UBUNTU: Default timeout changes
++    - Revert "Add jfs module to signed UEFI images. Closes: #950959"
++    - Revert "Add f2fs module to signed UEFI images"
++    - Install grub-initrd-fallback.service again
++    - Build using -O1 on s390x to avoid misoptimization
++    - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
++    - grub-multi-install: Reset partition type between partitions (LP: #1997795)
++    - Drop i386 from grub-efi-amd64* (LP: #2020907)
++    - Turn depends on grub-efi-amd64/arm64 unversioned
++    - forward port fix for LP: #1926748
++    - Make the grub2/no_efi_extra_removable setting work correctly
++    - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
++    - Build grub2-unsigned packages with xz compression
++    - Replaced patches:
++      - installe-signed.patched
++      - grub-install-extra-removable.patch
++      - grub-install-removable-shim.patch
++    - Added patches:
++      + rhboot-f34-dont-use-int-for-efi-status.patch
++      + rhboot-f34-make-exit-take-a-return-code.patch
++      + suse-grub.texi-add-net_bootp6-document.patch
++      + ubuntu-add-devicetree-command-support.patch
++      + ubuntu-add-initrd-less-boot-fallback.patch
++      + ubuntu-add-initrd-less-boot-messages.patch
++      + ubuntu-boot-from-multipath-dependent-symlink.patch
++      + ubuntu-dont-verify-loopback-images.patch
++      + ubuntu-fix-lzma-decompressor-objcopy.patch
++      + ubuntu-grub-install-extra-removable.patch
++      + ubuntu-install-signed.patch
++      + ubuntu-mkconfig-leave-breadcrumbs.patch
++      + ubuntu-os-prober-auto.patch
++      + ubuntu-recovery-dis_ucode_ldr.patch
++      + ubuntu-resilient-boot-boot-order.patch
++      + ubuntu-resilient-boot-ignore-alternative-esps.patch
++      + ubuntu-shorter-version-info.patch
++      + ubuntu-speed-zsys-history.patch
++      + ubuntu-support-initrd-less-boot.patch
++      + ubuntu-verifiers-last.patch
++      + ubuntu-zfs-enhance-support.patch
++      + ubuntu-zfs-gfxpayload-dynamic.patch
++      + ubuntu-zfs-gfxpayload-keep-default.patch
++      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
++      + ubuntu-zfs-mkconfig-recovery-title.patch
++      + ubuntu-zfs-mkconfig-signed-kernel.patch
++      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
++      + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
++      + ubuntu-zfs-vt-handoff.patch
++  * Dropped Ubuntu changes:
++    - All the rhboot loader patches
++    - Temporarily, support for GRUB_FLAVOUR_ORDER
++    - RISC-V patches, applied upstream:
++      + efi-add-definition-of-LoadFile2-protocol.patch
++      + efi-correct-struct-grub_efi_boot_services.patch
++      + efi-implemented-LoadFile2-initrd-loading-protocol-fo.patch
++      + efi-implement-grub_efi_run_image.patch
++      + RISC-V-Update-image-header.patch
++      + RISC-V-Use-common-linux-loader.patch
++      + riscv-adjust-march-flags-for-binutils-2.38.patch
++      + upstream/riscv-handle-r-riscv-call-plt-reloc.patch
++      + loader-drop-argv-argument-in-grub_initrd_load.patch
++      + loader-Move-arm64-linux-loader-to-common-code.patch
++    - Networking patches (rebasing still WIP):
++      + cherrypick-efi-grub_efi_close_protocol.patch
++      + cherrypick-efinet-correct-closing-snp-protocol.patch
++      + efinet-uefi-ipv6-pxe-support.patch
++      + suse-add-support-for-UEFI-network-protocols.patch
++      + suse-AUDIT-0-http-boot-tracker-bug.patch
++    - Red Hat boot loader, replaced by upstream:
++      + linuxefi-do-not-validate-kernels-twice.patch
++      + linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
++      + rhboot-bounce-buffers.patch
++      + rhboot-efi-allocate-in-kernel-bounds.patch
++      + rhboot-efi-allocate-kernel-as-code-for-real.patch
++      + rhboot-efi-allocate-kernel-as-code.patch
++      + rhboot-efi-enumerated-array-for-allocation-choice.patch
++      + rhboot-efi-fix-incorrect-array-size.patch
++      + rhboot-efi-initrd-above-4gb.patch
++      + rhboot-efi-kernel-allocator.patch
++      + rhboot-efi-rearrange-grub-cmd-linux.patch
++      + rhboot-efi-split-allocation-policy.patch
++      + rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
++      + rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
++      + rhboot-try-to-pick-better-locations-for-kernel-and-initrd.patch
++      + ubuntu-linuxefi-arm64.patch
++      + ubuntu-linuxefi-arm64-set-base-addr.patch
++      + ubuntu-linuxefi.patch
++      + ubuntu-rhboot-cast-fixups.patch
++      + ubuntu-efi-allow-loopmount-chainload.patch
++      + ubuntu-efi-loader-code.patch
++    - Security patches, applied upstream:
++      + {0076...0161} security patches, applied upstream
++      + font-*.patchi - security patches applied upstream
++      + commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
++      + fbutil-Fix-integer-overflow.patch
++      + kern-efi-sb-Enforce-verification-of-font-files.patch
++      + normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
++    - Misc patches, merged in Debian:
++      + efi-EFI-Device-Tree-Fixup-Protocol.patch
++      + efivar-check-that-efivarfs-is-writeable.patch
++      + fat-fix-listing-the-root-directory.patch
++      + fdt-add-debug-output-to-devicetree-command.patch
++      + zstd-require-8-byte-buffer.patch
++      + 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
++    - Misc patches applied upstream:
++      + 2.12-mm/* - applied upstream
++      + ubuntu-fuse3.patch
++      + xfs-fix-v4-superblock.patch
++      + tpm-unknown-error-non-fatal.patch
++      + commands-efi-tpm-Refine-the-status-of-log-event.patch
++      + efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
++      + linux_xen-Properly-load-multiple-initrd-files.patch
++      + linux_xen-Properly-order-multiple-initrd-files.patch
++      + linux-ignore-FDT-unless-we-need-to-modify-it.patch
++      + mkrescue-efi-modules.patch
++      + tests-ahci-update-qemu-device-name.patch
++    - No longer relevant:
++      + ubuntu-disable-LOAD-FILE2-protocol-for-initrd-on-ARM.patch
++      + ubuntu-temp-keep-auto-nvram.patch: was temporary in 2019 lol
++      + ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
++      + no-devicetree-if-secure-boot.patch
++      + no-insmod-on-sb.patch
++    - To be rewritten later in this cycle:
++      + ubuntu-flavour-order.patch
++    - Coalesced into some other patches:
++      + ubuntu-zfs-maybe-quiet.patch
++      + ubuntu-zfs-quick-boot.patch
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 28 Jul 2023 15:34:32 +0200
++
  grub2 (2.12~rc1-4) experimental; urgency=medium
    [ Julian Andres Klode ]
@@ -485,6 +950,385 @@ grub2 (2.06-3) unstable; urgency=medium
   -- Julian Andres Klode <jak@debian.org>  Fri, 10 Jun 2022 11:15:11 +0200
++grub2 (2.06-2ubuntu18) mantic; urgency=medium
++
++  * Cherry-pick "RISC-V: Handle R_RISCV_CALL_PLT reloc" (LP: #2022379)
++  * Drop i386 from grub-efi-amd64* (LP: #2020907)
++  * Turn depends on grub-efi-amd64/arm64 unversioned
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 05 Jun 2023 18:55:05 +0200
++
++grub2 (2.06-2ubuntu17) lunar; urgency=medium
++
++  * Cherry-pick more upstream memory patches (LP: #2004643)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 20 Feb 2023 17:24:10 +0100
++
++grub2 (2.06-2ubuntu16) lunar; urgency=medium
++
++  * Cherry-pick all memory patches from rhboot
++    - Allocate initrd > 4 GB (LP: #1842320)
++    - Allocate kernels as code, not data (needed for newer firmware)
++  * ubuntu: Fix casts on i386-efi target
++  * Cherry-pick all the 2.12 memory management changes (LP: #1842320)
++  * Allocate executables as CODE, not DATA in chainloader and arm64
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 09 Dec 2022 17:11:44 +0100
++
++grub2 (2.06-2ubuntu15) lunar; urgency=medium
++
++  * grub-multi-install: Reset partition type between partitions (LP: #1997795)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 01 Dec 2022 16:30:53 +0100
++
++grub2 (2.06-2ubuntu14) kinetic; urgency=medium
++
++  * SECURITY UPDATE: Fix out of bounds writes due specially crafted fonts.
++    - add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
++    - add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
++    - CVE-2022-2601, CVE-2022-3775
++    - LP: #1996950
++  * Fix various issues as a result of fuzzing, static analysis and code
++    review:
++    - add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
++    - add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
++    - add debian/patchces/font-Remove-grub_font_dup_glyph.patch
++    - add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
++    - add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
++    - add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
++    - add debian/patches/fbutil-Fix-integer-overflow.patch
++    - add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
++    - add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
++    - add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
++  * Enforce verification of fonts when secure boot is enabled:
++    - add debian/patches/kern-efi-sb-Enforce-verification-of-font-files.patch
++  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
++    - update debian/control
++    - update debian/build-efi-image
++    - add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
++  * Fix LP: #1997006 - add support for performing measurements to RTMRs
++    - add debian/patches/commands-efi-tpm-Refine-the-status-of-log-event.patch
++    - add debian/patches/commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
++    - add debian/patches/efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
++  * Fix the squashfs tests during the build
++    - remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
++    - add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
++  * Bump SBAT generation:
++    - update debian/sbat.ubuntu.csv.in
++
++ -- Chris Coulson <chris.coulson@canonical.com>  Wed, 16 Nov 2022 14:40:42 +0000
++
++grub2 (2.06-2ubuntu13) kinetic; urgency=medium
++
++  * Try to pick better locations for kernel and initrd (LP: #1989446)
++  * x86-efi: Use bounce buffers for reading to addresses > 4GB (enhances
++    firmware compatibility of previous change)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 20 Oct 2022 21:18:25 +0200
++
++grub2 (2.06-2ubuntu12) kinetic; urgency=medium
++
++  * ubuntu-zfs-enhance-support.patch: Fix missing lines (LP: #1990143)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 19 Sep 2022 16:00:47 +0200
++
++grub2 (2.06-2ubuntu11) kinetic; urgency=medium
++
++  [ Mauricio Faria de Oliveira ]
++  * linux_xen: Properly handle multiple initrd files (LP: #1987567)
++    - d/p/linux_xen-Properly-load-multiple-initrd-files.patch
++    - d/p/linux_xen-Properly-order-multiple-initrd-files.patch
++  * Fix for ZFS snapshots without etc directory.
++    Thanks to Adam R Bell <a_0x07@protonmail.ch> (LP: #1965983)
++
++  [ Heinrich Schuchardt ]
++  * efi/peimage: fix typos in code comments
++
++  [ dann frazier ]
++  * linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
++    - d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
++
++ -- dann frazier <dannf@ubuntu.com>  Wed, 14 Sep 2022 12:35:29 -0600
++
++grub2 (2.06-2ubuntu10) kinetic; urgency=medium
++
++  [ Chris Coulson ]
++  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
++    write in heap.
++    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
++      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
++    - CVE-2021-3695
++  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
++    huffman table handling.
++    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
++      video/readers/png: Avoid heap OOB R/W inserting huff table items
++    - CVE-2021-3696
++  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
++    the heap.
++    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
++      video/readers/jpeg: Block int underflow -> wild pointer write
++    - CVE-2021-3697
++  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
++    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
++      maths safely
++    - CVE-2022-28733
++  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
++    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
++      OOB write for split http headers
++    - CVE-2022-28734
++  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
++    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
++      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
++    - CVE-2022-28735
++  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
++    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
++      loader/efi/chainloader: simplify the loader state
++    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
++      Add API to pass context to loader
++    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
++      loader/efi/chainloader: Use grub_loader_set_ex
++    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
++      loader/i386/efi/linux: Use grub_loader_set_ex
++  * Various fixes as a result of fuzzing and static analysis:
++    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
++      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
++    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
++      loader/i386/efi/linux: Fix a memory leak in the initrd command
++    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
++      kern/file: Do not leak device_name on error in grub_file_open()
++    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
++      video/readers/png: Abort sooner if a read operation fails
++    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
++      video/readers/png: Refuse to handle multiple image headers
++    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
++      video/readers/png: Sanity check some huffman codes
++    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
++      video/readers/jpeg: Abort sooner if a read operation fails
++    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
++      video/readers/jpeg: Do not reallocate a given huff table
++    - 0144-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
++      video/readers/jpeg: Refuse to handle multiple start of streams
++    - 0146-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
++      normal/charset: Fix array out-of-bounds formatting unicode for display
++    - 0147-net-netbuff-Block-overly-large-netbuff-allocs.patch:
++      net/netbuff: Block overly large netbuff allocs
++    - 0149-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
++      net/dns: Fix double-free addresses on corrupt DNS response
++    - 0150-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
++      net/dns: Don't read past the end of the string we're checking against
++    - 0151-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
++      net/tftp: Prevent a UAF and double-free from a failed seek
++    - 0152-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
++    - 0153-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
++      net/http: Do not tear down socket if it's already been torn down
++    - 0155-net-http-Error-out-on-headers-with-LF-without-CR.patch:
++      net/http: Error out on headers with LF without CR
++    - 0156-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
++      fs/f2fs: Do not read past the end of nat journal entries
++    - 0157-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
++      fs/f2fs: Do not read past the end of nat bitmap
++    - 0158-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
++      fs/f2fs: Do not copy file names that are too long
++    - 0159-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
++      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
++    - 0160-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
++      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
++    - 0161-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
++      fs/btrfs: Fix more fuzz issues related to chunks
++  * Bump SBAT generation:
++    - update debian/sbat.ubuntu.csv.in
++  * Make the grub2/no_efi_extra_removable setting work correctly
++    - update debian/postinst.in
++  * Build grub2-unsigned packages with xz compression for compatibility
++    with xenial dpkg
++    - update debian/rules
++
++  [ Steve Langasek ]
++  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
++    necessary arm relocation support.  LP: #1926748.
++  * debian/postinst.in: Unconditionally call grub-install with
++    --force-extra-removable on xenial and bionic, so that the \EFI\BOOT
++    removable path as used in cloud images receives the updates.  LP: #1930742.
++
++ -- Chris Coulson <chris.coulson@canonical.com>  Tue, 07 Jun 2022 17:36:27 +0100
++
++grub2 (2.06-2ubuntu7) jammy; urgency=medium
++
++  [ Heinrich Schuchardt ]
++  * Disable LOAD FILE2 protocol for initrd on ARM (LP: #1967562)
++
++ -- dann frazier <dannf@ubuntu.com>  Fri, 15 Apr 2022 15:50:11 -0600
++
++grub2 (2.06-2ubuntu6) jammy; urgency=medium
++
++  [ Heinrich Schuchardt ]
++  * efivar: check that efivarfs is writeable (LP: #1965288)
++
++  [ Dimitri John Ledkov ]
++  * Do not validate kernels twice. (LP: #1964943)
++
++  [ Heinrich Schuchardt ]
++  * efi: EFI Device Tree Fixup Protocol (LP: #1965796)
++  * fdt: add debug output to devicetree command
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 25 Mar 2022 16:03:11 +0100
++
++grub2 (2.06-2ubuntu5) jammy; urgency=medium
++
++  [ Julian Andres Klode ]
++  * Free correct size when freeing params, rather than 16 Ki (LP: #1958623)
++  * Build with FUSE3 (LP: #1935659)
++  * Only run os-prober on first run and if it previously found other OS
++    (LP: #1955109)
++
++  [ Heinrich Schuchardt ]
++  * Rename grub-core/loader/efi/linux.c
++  * Add patches for GRUB on RISC-V
++  * fat: fix listing the root directory
++  * Enable building for RISC-V (LP: #1876620)
++
++  [ Julian Andres Klode ]
++  * Re-enable peimage code on other archs outside secure boot; this
++    fixes LP: #1947046 when not booting in secure boot mode (secure
++    boot pending security review of the code)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 18 Feb 2022 17:21:16 +0100
++
++grub2 (2.06-2ubuntu4) jammy; urgency=medium
++
++  * UBUNTU: Move verifiers after decompressors (LP: #1954683)
++  * grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 10 Jan 2022 14:52:04 +0100
++
++grub2 (2.06-2ubuntu3) jammy; urgency=medium
++
++  * Cherry-pick the missing hunk back that changes parameter loading
++    in grub-core/loader/i386/linux.c, this should fix booting on
++    BIOS systems.
++  * Fix the fallback for kernel addresses on amd64 EFI, if the kernel
++    could not be allocated at the preferred address, reset errno such
++    that if the 2nd allocation succeeds, we do not fail erroneously.
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 13 Dec 2021 14:27:53 +0100
++
++grub2 (2.06-2ubuntu2) jammy; urgency=medium
++
++  * Restore still relevant patches lost in rebase.
++    They got lost in a first rebase, when we did not include
++    ubuntu-linuxefi.patch as they modify code in there.
++    - no-devicetree-if-secure-boot.patch
++    - 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch
++    - 0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch
++    - 0099-chainloader-Avoid-a-double-free-when-validation-fail.patch
++    - 0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 08 Dec 2021 17:14:50 +0100
++
++grub2 (2.06-2ubuntu1) jammy; urgency=medium
++
++  * Merge from Debian unstable; remaining changes:
++    - Build without lto
++    - Add Ubuntu sbat data
++    - Make prebuilt netboot image look for MAAS grub.cfg
++    - build-efi-images: add smbios module to the prebuilt signed EFI images
++      (LP: 1856424)
++    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
++    - build-efi-images: Add http to netboot images
++    - grub-common: Install canonical-uefi-ca.crt
++    - Check signatures
++    - minilzo: built using the distribution's minilzo
++    - Support installing to multiple ESP (LP: 1871821)
++    - Disable various bits on i386
++    - Split out unsigned artefacts into grub2-unsigned
++    - Vcs-Git: Point to ubuntu packaging branch
++    - Relax dependencies on grub-common and grub2-common
++    - grub-pc: Avoid the possibility of breaking grub on SRU update due
++      to ABI change
++    - UBUNTU: Default timeout changes
++    - Disable os-prober for ppc64el on the PowerNV platform (for Petitboot)
++    - dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar)
++    - Link grub-efi-{amd64,arm64}-bin docs directory
++    - grub-common.service: port init.d script to systemd unit. Add warning
++      message, when initrdless boot fails triggering fallback. LP: 1901553
++    - Removed patches:
++      - grub-install-extra-removable.patch
++      - grub-install-removable-shim.patch
++    - Added patches:
++      + ubuntu-grub-install-extra-removable.patch
++      + ubuntu-zfs-enhance-support.patch
++      + ubuntu-zfs-gfxpayload-keep-default.patch
++      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
++      + ubuntu-zfs-mkconfig-signed-kernel.patch
++      + ubuntu-zfs-maybe-quiet.patch
++      + ubuntu-zfs-quick-boot.patch
++      + ubuntu-zfs-gfxpayload-dynamic.patch
++      + ubuntu-zfs-vt-handoff.patch
++      + ubuntu-zfs-mkconfig-recovery-title.patch
++      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
++      + ubuntu-support-initrd-less-boot.patch
++      + ubuntu-shorter-version-info.patch
++      + ubuntu-add-initrd-less-boot-fallback.patch
++      + ubuntu-mkconfig-leave-breadcrumbs.patch
++      + ubuntu-fix-lzma-decompressor-objcopy.patch
++      + ubuntu-temp-keep-auto-nvram.patch
++      + ubuntu-add-devicetree-command-support.patch
++      + ubuntu-boot-from-multipath-dependent-symlink.patch
++      + ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
++      + ubuntu-efi-allow-loopmount-chainload.patch
++      + 0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
++      + ubuntu-resilient-boot-ignore-alternative-esps.patch
++      + ubuntu-resilient-boot-boot-order.patch
++      + ubuntu-speed-zsys-history.patch
++      + ubuntu-flavour-order.patch
++      + ubuntu-dont-verify-loopback-images.patch
++      + ubuntu-recovery-dis_ucode_ldr.patch
++      + ubuntu-linuxefi-arm64.patch
++      + ubuntu-add-initrd-less-boot-messages.patch
++      + ubuntu-fix-reproducible-squashfs-test.patch
++      + rhboot-f34-make-exit-take-a-return-code.patch
++      + rhboot-f34-dont-use-int-for-efi-status.patch
++      + rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
++      + suse-add-support-for-UEFI-network-protocols.patch
++      + suse-AUDIT-0-http-boot-tracker-bug.patch
++      + rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
++      + 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
++  * Dropped changes:
++    - Remove obsolete dependencies on dh-autoreconf and automake
++    - Remove explicit --with systemd in debhelper invocation
++    - Remove debian/gettext-patches; they do not seem to be necessary anymore
++    - Remove inadvertent change to debian/signing-template.json.in, we do not
++      use that file anyway.
++    - Merged upstream:
++      + merged: 0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch
++      + merged: 0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch
++      + merged security patches 0081-0105, and 0128-0240
++      + various cherry picks: cherry-* and cherrypick-*.patch
++      + grub-install-backup-and-restore.patch
++      + uefi-firmware-setup.patch
++      + sleep-shift.patch
++      + vsnprintf-upper-case-hex.patch
++      + rhboot-f34-update-info-with-grub.cfg-netboot-selection-order.patch
++      + suse-search-for-specific-config-files-for-netboot.patch
++      + tftp-rollover-block-counter.patch
++      + ubuntu-efi-console-set-text-mode-as-needed.patch
++    - Merged in Debian:
++      + install-efi-ubuntu-flavours.patch
++      + ubuntu-dejavu-font-path.patch
++      + ubuntu-tpm-unknown-error-non-fatal.patch
++    - Not applicable:
++      + 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch: The
++        check has been removed.
++  * Fix zstd build on s390x
++  * Cherry-pick two upstream fixes to fix closing of SNP protocol in EFI
++    networking stack
++  * Build with -O1 on s390x to avoid build failure due to gcc optimization
++    failure causing it to wrongly assume variables as uninitialized.
++  * Revert integration of jfs and f2fs modules into signed images, we do not
++    support these file systems on /boot.
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 07 Dec 2021 13:40:32 +0100
++
  grub2 (2.06-2) unstable; urgency=medium
    * Update to minilzo-2.10, fixing build failures on armel, mips64el,
@@ -907,6 +1751,705 @@ grub2 (2.04-2) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Sat, 03 Aug 2019 13:42:49 +0100
++grub2 (2.04-1ubuntu48) jammy; urgency=medium
++
++  * d/p/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch:
++    Fix "error: can't find command `hwmatch'." on non-i386/pc
++    platforms such as x86_64/efi. (LP: #1840560)
++
++ -- Mauricio Faria de Oliveira <mfo@canonical.com>  Thu, 04 Nov 2021 10:48:06 -0300
++
++grub2 (2.04-1ubuntu47) impish; urgency=medium
++
++  * Drop grub.cfg-400.patch (LP: #1933826)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 02 Sep 2021 14:37:43 +0200
++
++grub2 (2.04-1ubuntu46) impish; urgency=medium
++
++  * debian/grub-common.service: change type to oneshot, add wantedby
++    sleep.target, after sleep.target. The service will now start after
++    resume from hybernation. LP: #1929860
++  * grub-initrd-fallback.service: add wantedby sleep.target, after
++    sleep.target. The service will now start after resume from
++    hybernation. LP: #1929860
++  * cherrypick upstream fix to make armhf efi boot work. LP: #1788940
++  * debian/rules: disable LTO. LP: #1922005
++  * grub-initrd-fallback.service, debian/grub-common.service: only start
++    units when booted with grub. Use presence of /boot/grub/grub.cfg as
++    proxy. LP: #1925507
++  * tests: patch qemu command to use ide-hd instead of the removed
++    ide-drive.
++
++ -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Fri, 16 Jul 2021 14:01:31 +0100
++
++grub2 (2.04-1ubuntu45) hirsute; urgency=medium
++
++  * Unapply all patches.
++  * Stop using git-dpm.
++  * Start using gbp pq import|export --no-patch-numbers, this brings grub2
++    packaging closer to other non-debian distributions.
++  * It would be nice to separate patches into topic subdirs -
++    i.e. reverts, upstream cherry picks, debian, ubuntu, rhel, security,
++    etc.
++  * Drop redundant dh-systemd build-dependency.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 30 Mar 2021 11:55:05 +0100
++
++grub2 (2.04-1ubuntu44) hirsute; urgency=medium
++
++  * Compile grub-efi-amd64 installable i386 platform on hirsute, to make
++    it available in bionic and earlier as part of onegrub builds.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 03 Mar 2021 11:42:28 +0000
++
++grub2 (2.04-1ubuntu42) hirsute; urgency=medium
++
++  * SECURITY UPDATE: acpi command allows privilleged user to load crafted
++    ACPI tables when secure boot is enabled.
++    - 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
++      register the acpi command when secure boot is enabled.
++    - CVE-2020-14372
++  * SECURITY UPDATE: use-after-free in rmmod command
++    - 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
++      allow rmmod to unload modules that are dependencies of other modules.
++    - CVE-2020-25632
++  * SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
++    - 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
++    - CVE-2020-25647
++  * SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
++    - 0206-kern-parser-Introduce-process_char-helper.patch,
++      0207-kern-parser-Introduce-terminate_arg-helper.patch,
++      0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
++      0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
++      0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
++      sized heap buffer type and use this.
++    - CVE-2020-27749
++  * SECURITY UPDATE: cutmem command allows privileged user to remove memory
++    regions when Secure Boot is enabled.
++    - 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
++      Don't register cutmem and badram commands when secure boot is enabled.
++    - CVE-2020-27779
++  * SECURITY UPDATE: heap out-of-bounds write in short form option parser.
++    - 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
++      Block repeated short options that require an argument.
++    - CVE-2021-20225
++  * SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
++    required for quoting.
++    - 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
++      quoting in setparams_prefix()
++    - CVE-2021-20233
++  * Partially backport the lockdown framework to restrict certain features
++    when secure boot is enabled.
++  * Backport various fixes for Coverity defects.
++  * Add SBAT metadata to the grub EFI binary.
++    - Backport patches to support adding SBAT metadata with grub-mkimage:
++      + 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
++      + 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
++      + 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
++      + 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
++      + 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
++      + 0217-util-mkimage-Improve-data_size-value-calculation.patch
++      + 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
++      + 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
++    - Add debian/sbat.csv.in
++    - Update debian/build-efi-image and debian/rules
++
++  [ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
++  * Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
++    src:grub2-unsigned (potentially of a higher version number).
++  * Add debian/rules generate-grub2-unsigned target to quickly build
++    src:grub2-unsigned for binary-copy backports.
++  * postinst: allow postinst to with with or without grub-multi-install
++    binary.
++  * postinst: allow using various grub-install options to achieve
++    --no-extra-removable.
++  * postinst: only call grub-check-signatures if it exists.
++  * control: relax dependency on grub2-common, as maintainer script got
++    fixed up to work with grub2-common/grub-common as far back as trusty.
++  * control: allow higher version depdencies from grub-efi package.
++  * dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
++    postinst script uses that directory, and yet relies on grub-common to
++    create/ship it, which is not true in older releases. Also make sure
++    dh_installdirs runs after the .dirs files are generated.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 23 Feb 2021 16:23:39 +0000
++
++grub2 (2.04-1ubuntu41) hirsute; urgency=medium
++
++  * No-change rebuild to drop the udeb package.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 22 Feb 2021 10:33:38 +0100
++
++grub2 (2.04-1ubuntu40) hirsute; urgency=medium
++
++  * Revert: rhboot-f34-tcp-add-window-scaling-support.patch,
++    rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch: these break MAAS
++    LXD KVM pod deployments. LP: #1915288
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 12 Feb 2021 20:29:16 +0000
++
++grub2 (2.04-1ubuntu39) hirsute; urgency=medium
++
++  * Cherrypick a bunch of patches:
++    - fix crash in http LP: #1915288
++    - add bootp6 documentation
++    - add support for UEFI boot protocols
++    - use UEFI protocols for http & https networking
++    - make netboot search for by-mac/by-uuid/by-ip for grub.cfg
++    - update documentation for netboot search paths of grub.cfg
++  * Make prebuilt netboot image look for MAAS grub.cfg
++  * Fix grub-initrd-fallback.service thanks to JawnSmith LP: #1910815
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 12 Feb 2021 00:42:07 +0000
++
++grub2 (2.04-1ubuntu38) hirsute; urgency=medium
++
++  [ Jean-Baptiste Lallement ]
++  [ Didier Roche ]
++  * Fix warnings during grub menu generation.  Thanks wdoekes for the patch
++    (LP: #1898177)
++    - Fix warnings when bpool doesn't exist.
++    - Fix warnings when snapshot name contains dashes.
++  * Do not fail to generate grub menu when name of the snapshot contains
++    spaces. (LP: #1903524)
++
++ -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com>  Mon, 08 Feb 2021 10:50:21 +0100
++
++grub2 (2.04-1ubuntu37) hirsute; urgency=medium
++
++  * debian/patches/grub-install-backup-and-restore.patch: Fix-up the patch
++    to correctly initialyze the names of the modules to restore. LP:
++    #1907085
++  * 10_linux: emit messages when initrdless boot is configured, attempted
++    and fails triggering fallback. LP: #1901553
++  * grub-common.service: port init.d script to systemd unit. Add warning
++    message, when initrdless boot fails triggering fallback. LP: #1901553
++  * debian/rules: undo po/ directory patching in
++    override_dh_autoreconf_clean.
++  * minilzo: built using the distribution's minilzo
++  * ubuntu-fix-reproducible-squashfs-test.patch: fix squashfs-test with
++    new squashfs-tools in hirsute.
++  * rhboot-f34-make-exit-take-a-return-code.patch,
++    rhboot-f34-dont-use-int-for-efi-status.patch: allow grub to exit
++    non-zero under EFI, this should allow falling back to the next
++    BootOrder BootEntry.
++  * rhboot-f34-tcp-add-window-scaling-support.patch: speed up netboot
++    transfer speed.
++  * rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch:
++    add support for link layer addresses of up to 32-bytes.
++  * rhboot-f34-make-pmtimer-tsc-calibration-fast.patch:
++    speed up calibration time, especially when booting VMs.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 12 Dec 2020 00:50:47 +0000
++
++grub2 (2.04-1ubuntu36) hirsute; urgency=medium
++
++  * Avoid "EFI stub: FIRMWARE BUG" message when booting >= 5.7 kernels
++    on arm64 by setting the image base address before jumping to the
++    PE/COFF entry point LP: #1900774
++  * Fix tftp timeouts when fetch large files. LP: #1900773
++
++ -- dann frazier <dannf@ubuntu.com>  Wed, 11 Nov 2020 07:17:49 -0700
++
++grub2 (2.04-1ubuntu35) groovy; urgency=medium
++
++  * postinst.in, grub-multi-install: fix logic of skipping installing onto
++    any device, if one chose to not install bootloader on any device. LP:
++    #1896608
++  * Do not finalize params twice on arm64. LP: #1897819
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 01 Oct 2020 22:59:51 +0800
++
++grub2 (2.04-1ubuntu34) groovy; urgency=medium
++
++  * configure.ac: one more dejavu font search path
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 14 Sep 2020 10:53:07 +0100
++
++grub2 (2.04-1ubuntu33) groovy; urgency=medium
++
++  * Build-depend on fonts-dejavu-core, not obsolete ttf-dejavu-core.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 13 Sep 2020 23:49:08 -0700
++
++grub2 (2.04-1ubuntu32) groovy; urgency=medium
++
++  * ubuntu-linuxefi-arm64.patch: Fix build on armhf
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 11 Sep 2020 20:33:34 +0200
++
++grub2 (2.04-1ubuntu31) groovy; urgency=medium
++
++  * ubuntu-linuxefi-arm64.patch: Restore arm64 parts of ubuntu-linuxefi.patch
++    that got lost in the 2.04 rebase (LP: #1862279)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 11 Sep 2020 17:49:50 +0200
++
++grub2 (2.04-1ubuntu30) groovy; urgency=medium
++
++  * postinst.in: do not attempt to call grub-install upon fresh install of
++    grub-pc because it it a job of installers to do that after fresh
++    install.
++  * grub-multi-install: fix non-interactive failures for grub-efi like it
++    was fixed in postinst for grub-pc.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 03 Sep 2020 14:54:23 +0100
++
++grub2 (2.04-1ubuntu29) groovy; urgency=medium
++
++  * grub-install: cherry-pick patch from grub-devel to make grub-install
++    fault tolerant. Create backup of files in /boot/grub, and restore them
++    on failure to complete grub-install. LP: #1891680
++  * postinst.in: do not exit successfully when failing to show critical
++    grub-pc/install_devices_failed and grub-pc/install_devices_empty
++    prompts in non-interactive mode. This enables surfacing upgrade errors
++    to the users and/or automation. LP: #1891680
++  * postinst.in: Fixup postinst.in, to attempt grub-install upon explicit
++    dpkg-reconfigure grub-pc. LP: #1892526
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 01 Sep 2020 20:04:44 +0100
++
++grub2 (2.04-1ubuntu28) groovy; urgency=medium
++
++  * Ensure that grub-multi-install can always find templates (LP: #1879948)
++  * Fix changelog entries for security update
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 10 Aug 2020 15:07:29 +0200
++
++grub2 (2.04-1ubuntu27) groovy; urgency=medium
++
++  * debian/patches/ubuntu-flavour-order.patch:
++    - Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel
++      flavours as preferred, and specify an order between those preferred
++      flavours (LP: #1882663)
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - Use version_find_latest for ordering kernels, so it also supports
++      the GRUB_FLAVOUR_ORDER setting.
++  * debian/patches/ubuntu-dont-verify-loopback-images.patch:
++    - disk/loopback: Don't verify loopback images (LP: #1878541),
++      Thanks to Chris Coulson for the patch
++  * debian/patches/ubuntu-recovery-dis_ucode_ldr.patch
++    - Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789)
++  * debian/patches/ubuntu-add-initrd-less-boot-fallback.patch:
++    - Merge changes from xnox to fix multiple initrds support (LP: #1878705)
++  * debian/patches/ubuntu-clear-invalid-initrd-spacing.patch:
++    - Remove, no longer needed thanks to xnox's patch
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 06 Aug 2020 14:47:52 +0200
++
++grub2 (2.04-1ubuntu26.2) focal; urgency=medium
++
++  * debian/postinst.in: Avoid calling grub-install on upgrade of the grub-pc
++    package, since we cannot be certain that it will install to the correct
++    disk and a grub-install failure will render the system unbootable.
++    LP: #1889556.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 30 Jul 2020 17:34:25 -0700
++
++grub2 (2.04-1ubuntu26.1) focal; urgency=medium
++
++  [ Julian Andres Klode ]
++  * Move gettext patches out of git-dpm's way, so it does not delete them
++
++  [ Chris Coulson ]
++  * SECURITY UPDATE: Heap buffer overflow when encountering commands that
++    cannot be tokenized to less than 8192 characters.
++    - 0082-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch: Make
++      fatal lexer errors actually be fatal
++    - CVE-2020-10713
++  * SECURITY UPDATE: Multiple integer overflow bugs that could result in
++    heap buffer allocations that were too small and subsequent heap buffer
++    overflows when handling certain filesystems, font files or PNG images.
++    - 0083-safemath-Add-some-arithmetic-primitives-that-check-f.patch: Add
++      arithmetic primitives that allow for overflows to be detected
++    - 0084-calloc-Make-sure-we-always-have-an-overflow-checking.patch:
++      Make sure that there is always an overflow checking implementation
++      of calloc() available
++    - 0085-calloc-Use-calloc-at-most-places.patch: Use calloc where
++      appropriate
++    - 0086-malloc-Use-overflow-checking-primitives-where-we-do-.patch: Use
++      overflow-safe arithmetic primitives when performing allocations
++      based on the results of operations that might overflow
++    - 0094-hfsplus-fix-two-more-overflows.patch: Fix integer overflows in
++      hfsplus
++    - 0095-lvm-fix-two-more-potential-data-dependent-alloc-over.patch: Fix
++      more potential integer overflows in lvm
++    - CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
++  * SECURITY UPDATE: Use-after-free when executing a command that causes
++    a currently executing function to be redefined.
++    - 0092-script-Remove-unused-fields-from-grub_script_functio.patch:
++      Remove unused fields from grub_script_function
++    - 0093-script-Avoid-a-use-after-free-when-redefining-a-func.patch:
++      Avoid a use-after-free when redefining a function during execution
++    - CVE-2020-15706
++  * SECURITY UPDATE: Integer overflows that could result in heap buffer
++    allocations that were too small and subsequent heap buffer overflows
++    during initrd loading.
++    - 0105-linux-Fix-integer-overflows-in-initrd-size-handling.patch: Fix
++      integer overflows in initrd size handling
++    - 0106-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch: Fix
++      integer overflows in linuxefi grub_cmd_initrd
++    - CVE-2020-15707
++  * Various fixes as a result of code review and static analysis:
++    - 0087-iso9660-Don-t-leak-memory-on-realloc-failures.patch: Fix a
++     memory leak on realloc failures when processing symbolic links
++    - 0088-font-Do-not-load-more-than-one-NAME-section.patch: Fix a
++      memory leak when processing font files with more than one NAME
++      section
++    - 0089-gfxmenu-Fix-double-free-in-load_image.patch: Zero self->bitmap
++      after it is freed in order to avoid a potential double free later on
++    - 0090-lzma-Make-sure-we-don-t-dereference-past-array.patch: Fix an
++      out-of-bounds read in LzmaEncode
++    - 0091-tftp-Do-not-use-priority-queue.patch: Refactor tftp to not use
++      priority queues and fix a double free
++    - 0096-efi-fix-some-malformed-device-path-arithmetic-errors.patch: Fix
++      various arithmetic errors with malformed device paths
++    - 0098-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch: Fix
++      a NULL deref in the chainloader command introduced by a previous
++      patch
++    - 0099-efi-Fix-use-after-free-in-halt-reboot-path.patch: Fix a
++      use-after-free in the halt and reboot commands by not freeing
++      allocated memory in these paths
++    - 0100-chainloader-Avoid-a-double-free-when-validation-fail.patch:
++      Avoid a double free in the chainloader command when validation fails
++    - 0101-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch:
++      Protect grub_relocator_alloc_chunk_addr input arguments against
++      integer overflow / underflow
++    - 0102-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch:
++      Protect grub_relocator_alloc_chunk_align max_addr argument against
++      integer underflow
++    - 0103-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch: Fix
++      grub_relocator_alloc_chunk_align top memory allocation
++    - 0104-linux-loader-avoid-overflow-on-initrd-size-calculati.patch:
++      Avoid overflow on initrd size calculation
++
++  [ Dimitri John Ledkov ]
++  * SECURITY UPDATE: Grub does not enforce kernel signature validation
++    when the shim protocol isn't present.
++    - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
++      Fail kernel validation if the shim protocol isn't available
++    - CVE-2020-15705
++
++ -- Chris Coulson <chris.coulson@canonical.com>  Mon, 20 Jul 2020 19:19:08 +0100
++
++grub2 (2.04-1ubuntu26) focal; urgency=medium
++
++  [ Julian Andres Klode ]
++  * Move /boot/efi -> debconf migration into wrapper, so it runs everywhere
++    (LP: #1872077)
++  * Display disk name and size in the ESP selection dialog, instead of ???
++
++  [ Sebastien Bacher ]
++  * debian/patches/gettext,
++    debian/patches/rules:
++    - backport upstream patches to fix the list of translated strings,
++      reported on the ubuntu-translators mailing list. The changes would
++      be overwritten by autoreconf so applying from a rules override.
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 15 Apr 2020 13:31:27 +0200
++
++grub2 (2.04-1ubuntu25) focal; urgency=medium
++
++  [ Jean-Baptiste Lallement ]
++  [ Didier Roche ]
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - fix trailing } when no advanced menu is printed
++    - ensure we unmount all temporary snapshots path before zfs collect them
++      out.
++  * debian/patches/ubuntu-speed-zsys-history.patch:
++    - Speed up navigating zsys history by reducing greatly grub.cfg file size.
++      It used to take eg 80 seconds when loading 100 system snapshots. This is
++      now instantaneous by using a function with parameters that the users can
++      still easily edit.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 13 Apr 2020 15:17:42 +0200
++
++grub2 (2.04-1ubuntu24) focal; urgency=medium
++
++  * Support installing to multiple ESPs (LP: #1871821)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 09 Apr 2020 12:51:07 +0200
++
++grub2 (2.04-1ubuntu23) focal; urgency=medium
++
++  [ Jean-Baptiste Lallement ]
++  [ Didier Roche ]
++  * Performance improvements for update-grub on ZFS systems (LP: #1869885)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Tue, 31 Mar 2020 15:30:36 +0200
++
++grub2 (2.04-1ubuntu22) focal; urgency=medium
++
++  * smbios: Add a --linux argument to apply linux modalias-like filtering
++  * Make the linux command in EFI grub always try EFI handover; thanks
++    to Chris Coulson for the patches (LP: #1864533)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 11 Mar 2020 17:46:35 +0100
++
++grub2 (2.04-1ubuntu21) focal; urgency=medium
++
++  * Make ZFS menu generation depending on new zsysd binary instead of eoan
++    zsys compatibility symlink.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Wed, 26 Feb 2020 09:59:49 +0100
++
++grub2 (2.04-1ubuntu20) focal; urgency=medium
++
++  * build-efi-images: do not produce -installer.efi.signed. LP: #1863994
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 25 Feb 2020 01:11:31 +0000
++
++grub2 (2.04-1ubuntu19) focal; urgency=medium
++
++  * uefi-firmware: rename fwsetup menuentry to UEFI Firmware Settings
++    (LP: #1864547)
++  * build-efi-images: add smbios module to the prebuilt signed EFI images
++    (LP: #1856424)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 24 Feb 2020 20:34:13 +0000
++
++grub2 (2.04-1ubuntu18) focal; urgency=medium
++
++  * Cherry-pick fix from Colin W. in debian to build with python3.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Thu, 06 Feb 2020 18:37:44 +0100
++
++grub2 (2.04-1ubuntu17) focal; urgency=medium
++
++  * Fix ZFS menu generation with ZFS 0.8.x where mounted datasets can’t list
++    snapshots due to an upstream change.
++    https://github.com/zfsonlinux/zfs/issues/9958
++
++ -- Didier Roche <didrocks@ubuntu.com>  Thu, 06 Feb 2020 18:20:16 +0100
++
++grub2 (2.04-1ubuntu16) focal; urgency=medium
++
++  * Revert "Add smbios module to build-efi-images script" from previous
++    upload, pending review see https://bugs.launchpad.net/bugs/1856424
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sun, 15 Dec 2019 01:28:49 +0000
++
++grub2 (2.04-1ubuntu15) focal; urgency=medium
++
++  * ubuntu-efi-allow-loopmount-chainload.patch:
++    - Enable chainloading EFI apps from loopmounts
++  * cherrypick-lsefisystab-define-smbios3.patch:
++  * cherrypick-smbios-modules.patch:
++    - Cherrypick from 2.05 module for retrieving SMBIOS information
++  * cherrypick-lsefisystab-show-dtb.patch:
++    - If dtb is provided by the firmware / DtbLoader driver, display it in
++    human form, rather than just UUID
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 13 Dec 2019 11:24:21 +0000
++
++grub2 (2.04-1ubuntu14) focal; urgency=medium
++
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - Handle the case where grub-probe returns several devices for a single
++      pool (LP: #1848856). Thanks jpb for the report and the proposed patch.
++    - Add savedefault to non-recovery entries (LP: #1850202). Thanks Deltik
++      for the patch.
++    - Do not crash on invalid fstab and report the invalid entry.
++      (LP: #1849347) Thanks Deltik for the patch.
++    - When a pool fails to import, catch and display the error message and
++      continue with other pools. Import all the pools in readonly mode so we
++      can import other pools with unsupported features (LP: #1848399) Thanks
++      satmandu for the investigation and the proposed patch
++
++ -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com>  Mon, 18 Nov 2019 11:22:43 +0100
++
++grub2 (2.04-1ubuntu13) focal; urgency=medium
++
++  * debian/patches/ubuntu-tpm-unknown-error-non-fatal.patch: treat "unknown"
++    TPM errors as non-fatal, but still write up the details as debug messages
++    so we can further track what happens with the systems throwing those up.
++    (LP: #1848892)
++  * debian/patches/ubuntu-linuxefi.patch: Drop extra check for Secure Boot
++    status in linuxefi_secure_validate(); it's unnecessary and blocking boot
++    in chainload (like chainloading Windows) when SB is disabled.
++    (LP: #1845289)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 31 Oct 2019 17:58:47 -0400
++
++grub2 (2.04-1ubuntu12) eoan; urgency=medium
++
++  * Move our identifier to com.ubuntu
++    As we are not going to own org.zsys, move our identifier under
++    com.ubuntu.zsys (LP: #1847711)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Fri, 11 Oct 2019 15:57:47 +0200
++
++grub2 (2.04-1ubuntu11) eoan; urgency=medium
++
++  * Load all kernels (even those without .efi.signed) for secure boot mode
++    as those are signed kernels on ubuntu, loaded by the shim. (LP: #1847581)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Thu, 10 Oct 2019 11:40:44 +0200
++
++grub2 (2.04-1ubuntu10) eoan; urgency=medium
++
++  * debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch:
++    skip /dev/disk/by-id/lvm-pvm-uuid entries from device iteration.
++    (LP: #1838525)
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Mon, 07 Oct 2019 23:23:54 -0300
++
++grub2 (2.04-1ubuntu9) eoan; urgency=medium
++
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - Handle case of pure zfs only snapshots giving additional "}", and as
++      such, creating invalid grub menu.
++      Spotted by grubzfs-testsuite autopkgtests.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Wed, 02 Oct 2019 09:59:19 +0200
++
++grub2 (2.04-1ubuntu8) eoan; urgency=medium
++
++  * debian/patches/install-signed.patch -> ubuntu-install-signed.patch:
++    Really fix the installation of UEFI artefacts to the distributor path (we
++    only want shim, grub, and MokManager, and shim's boot.csv there), and to
++    the removable /EFI/BOOT path (where we want shim and fallback only).
++    Rename the patch to ubuntu- like others that are Ubuntu-specific or
++    otherwise modified to avoid such confusion at merge time in the future.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 01 Oct 2019 11:29:24 -0400
++
++grub2 (2.04-1ubuntu7) eoan; urgency=medium
++
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    Disable history entry under some conditions:
++    - Don't show up if the system is a zsys one and zsys isn't installed
++      (LP: #1845333)
++    - Don't show for pure zfs systems: we identified multiple issues due
++      to the mount generator in upstream zfs which makes it incompatible.
++      Disable for now (LP: #1845913)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 30 Sep 2019 09:35:03 +0200
++
++grub2 (2.04-1ubuntu6) eoan; urgency=medium
++
++  * debian/patches/install-signed.patch: fix paths for MokManager/fallback;
++    shim no longer ships these with a .signed suffix. (LP: #1845466)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 26 Sep 2019 09:48:07 -0400
++
++grub2 (2.04-1ubuntu5) eoan; urgency=medium
++
++  * d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: fix
++    mis-spelling of helper function in final computation of GRUB_DEVICE in
++    multipath case.
++
++ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 13 Aug 2019 08:56:16 +1200
++
++grub2 (2.04-1ubuntu4) eoan; urgency=medium
++
++  * d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: when / is
++    multipathed there will be multiple paths to the partition, so using
++    root=UUID= exposes the boot process to udev races.  In addition
++    grub-probe --target device / in this case reports /dev/dm-1 or similar --
++    better to use a symlink that depends on the multipath name. (LP: #1429327)
++
++ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 06 Aug 2019 12:37:18 +1200
++
++grub2 (2.04-1ubuntu3) eoan; urgency=medium
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/ubuntu-add-devicetree-command-support.patch: import patch
++    into git-dpm: drop [PATCH] tag and add Patch-Name.
++
++  [ Didier Roche ]
++  * debian/patches/ubuntu-zfs-enhance-support.patch
++    - Don't patch autoregenerated files.
++    - rewrite generate MenuMeta implementation in shell (LP: #1834095)
++      mawk doesn't support \s and other array features.
++      + Change \s by their space or tab equivalent.
++      + Rewrite the menumeta generation in pure shell, which is easier to
++        debug, keeping globally the same algorithm
++      + Support i18n in entry name generation.
++      Co-authored with Jean-Baptiste.
++    - Resplit all patches in debian/patches/*, so that we have upstreamable
++      and non upstreamable parts separate. Also, any change in 10_linux patch
++      will be reflected in 10_linux_zfs.
++    - Always import pools (using force), as we don't mount them. Ensure also
++      that we don't update the host cache, as we import all pools, and not
++      only those attached to that system.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 29 Jul 2019 08:08:48 +0200
++
++grub2 (2.04-1ubuntu2) eoan; urgency=medium
++
++  * Add device-tree command support as installed by flash-kernel.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 17 Jul 2019 23:47:27 +0100
++
++grub2 (2.04-1ubuntu1) eoan; urgency=medium
++
++  * Merge against Debian; remaining changes:
++    - debian/control: Update Vcs fields for code location on Ubuntu.
++    - debian/control: Breaks shim (<< 13).
++    - debian/patches/linuxefi.patch: Secure Boot support: use newer patchset
++      from rhboot repo, flattened to a single patch.
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Install a BOOT.CSV for fallback to use.
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++    - debian/patches/ubuntu-support-initrd-less-boot.patch: allow non-initrd
++      boot config.
++    - debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: If a kernel
++      fails to boot without initrd, we will fallback to trying to boot the
++      kernel with an initrd.
++    - debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch: make sure
++      grub-mkconfig leaves a trace of what files were sourced to help generate
++      the config we're building.
++    - debian/patches/ubuntu-efi-console-set-text-mode-as-needed.patch: in EFI
++      console, only set text-mode when we're actually going to need it.
++    - debian/patches/ubuntu-zfs-enhance-support.patch: Better ZFS grub support.
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot
++    - debian/patches/ubuntu-shorter-version-info.patch: Only show the upstream
++      version in menu and console, and hide the package one in a
++      package_version variable.
++    - Verify that the current and newer kernels are signed when grub is
++      updated, to make sure people do not accidentally shutdown without a
++      signed kernel.
++    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
++      confusing GRUB_TIMEOUT_STYLE=hidden.
++    - debian/rules: shuffle files around for now to keep build artefacts
++      for signing at the same location as they were expected by Launchpad.
++    - debian/rules, debian/control: enable dh-systemd.
++    - debian/grub-common.install.in: install the systemd unit that's part of
++      initrd fallback handling, missed when the feature landed.
++    - debian/build-efi-images: add http module to NET_MODULES.
++  * debian/patches/linuxefi*.patch: Flatten linuxefi patches into one.
++  * debian/patches: rename patches to use "-" as a separator rather than "_".
++  * debian/patches: rename Ubuntu-specific patches and commits to add "ubuntu"
++    so it's clearer which are new or changed when doing a merge.
++  * debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch: fix FTBFS due
++    to objcopy building an invalid binary padded with zeroes (LP: #1833234)
++  * debian/patches/ubuntu-clear-invalid-initrd-spacing.patch: clear up invalid
++    spacing for the initrd command when not using early initrds.
++  * debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: move the initrd
++    boot success/failure service to start later at boot time. (LP: #1823391)
++  * debian/patches/fix-lockdown.patch: Drop lockdown patch from Debian, which
++    breaks with new linuxefi patchset.
++  * debian/patches/ubuntu-temp-keep-auto-nvram.patch: Temporarily keep the
++    --auto-nvram option we previously had as a supported option in grub-install
++    (with no effect now), to avoid breaking upgrades. "auto-nvram" is default
++    behavior now that we use libefivar instead of calling efibootmgr.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 16 Jul 2019 11:31:29 -0400
++
  grub2 (2.04-1) unstable; urgency=medium
    * New upstream release.
@@ -1040,6 +2583,112 @@ grub2 (2.02+dfsg1-13) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Thu, 14 Mar 2019 10:33:24 +0000
++grub2 (2.02+dfsg1-12ubuntu3) eoan; urgency=medium
++
++  * debian/patches/zfs_enhance_support.patch:
++    Enhance ZFS grub support:
++    - Support multiple zfs systems (grouped by machine-id)
++    - Group zfs snapshots and clones with latest dataset for a given
++      installation.
++    - Support "history" entry with one time boot, recovery mode and
++      consecutive reboots.
++    - Pin kernel to particular snapshot, trying to reboot with the exact
++      same kernel and initrd.
++    - Disable in 10_linux zfs support if 10_linux_zfs is installed so that
++      we don't end up with the same installation multiple times.
++  * debian/patches/*:
++    - Apply ubuntu/debian specific changes of 10_linux to 10_linux_zfs.
++
++  Work done with Jean-Baptiste.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 17 Jun 2019 11:28:48 +0200
++
++grub2 (2.02+dfsg1-12ubuntu2) disco; urgency=medium
++
++  * debian/patches/efi-console-set-text-mode-as-needed.patch: in EFI console,
++    only set text-mode when we're actually going to need it.
++  * debian/build-efi-images: add http module to NET_MODULES. (LP: #1787630)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 11 Mar 2019 17:48:49 -0400
++
++grub2 (2.02+dfsg1-12ubuntu1) disco; urgency=medium
++
++  * Merge against Debian unstable; remaining changes (LP: #564853):
++    - debian/control: Update Vcs fields for code location on Ubuntu.
++    - debian/control: Breaks shim (<< 13).
++    - Secure Boot support: use newer patchset from rhboot repo:
++      - many linuxefi_* patches added and modified
++      - dropped debian/patches/linuxefi_require_shim.patch
++      - renamed: debian/patches/no_insmod_on_sb.patch ->
++        debian/patches/linuxefi_no_insmod_on_sb.patch
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Install a BOOT.CSV for fallback to use.
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++    - debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
++      --auto-nvram option to grub-install for auto-detecting NVRAM availability
++      before attempting NVRAM updates.
++    - debian/build-efi-images: provide a new grub EFI image which enforces that
++      loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++      the same as grub$arch.efi minus the 'linux' module. Without fallback to
++      'linux' for unsigned loading, this makes it effectively enforce having a
++      signed kernel.
++    - Verify that the current and newer kernels are signed when grub is
++      updated, to make sure people do not accidentally shutdown without a
++      signed kernel.
++    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
++      confusing GRUB_TIMEOUT_STYLE=hidden.
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config.
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot
++    - debian/patches/shorter_version_info.patch: Only show the upstream version
++      in menu and console, and hide the package one in a package_version
++      variable.
++    - debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
++      'text' payload if it's not supported but present in gfxpayload, such as
++      on EFI systems.
++    - debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
++      fizes as block sizes in bufio: this avoids potentially seeking back in
++      the files unnecessarily, which may require re-open files that cannot be
++      seeked into, such as via TFTP.
++    - debian/patches/ofnet-init-structs-in-bootpath-parser.patch: initialize
++      structs in bootpath parser.
++    - debian/rules: shuffle files around for now to keep build artefacts
++      for signing at the same location as they were expected by Launchpad.
++    - debian/rules, debian/control: enable dh-systemd.
++    - debian/grub-common.install.in: install the systemd unit that's part of
++      initrd fallback handling, missed when the feature landed.
++    - debian/patches/quick-boot-lvm.patch: If we don't have writable
++      grubenv and we're on EFI, always show the menu.
++    - debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
++      leaves a trace of what files were sourced to help generate the config
++      we're building.
++    - debian/patches/linuxefi_truncate_overlong_reloc_section.patch: Windows
++      7 bootloader has inconsistent headers; truncate to the smaller, correct
++      size to fix chainloading Windows 7.
++    - debian/patches/linuxefi_fix_relocate_coff.patch: fix typo in
++      relocate_coff() causing issues with relocation of code in chainload.
++    - debian/patches/add-initrd-less-boot-fallback.patch: add initrd-less
++      capabilities. If a kernel fails to boot without initrd, we will fallback
++      to trying to boot the kernel with an initrd. Patch by Chris Glass.
++    - debian/patches/grub-reboot-warn.patch: Warn when "for the next
++      boot only" promise cannot be kept.
++  * Refreshed patches and fixed up attribution to the right authors after
++    merge with Debian.
++  * debian/patches/linuxefi_missing_include.patch,
++    debian/patches/linuxefi_fixing_more_errors.patch: Apply some additional
++    small fixes to casts, format strings, includes and Makefile to make sure
++    the newer linuxefi patches apply and build properly.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 05 Mar 2019 17:05:09 -0500
++
  grub2 (2.02+dfsg1-12) unstable; urgency=medium
    [ Colin Watson ]
@@ -1184,6 +2833,175 @@ grub2 (2.02+dfsg1-6) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Tue, 28 Aug 2018 16:17:21 +0100
++grub2 (2.02+dfsg1-5ubuntu11) disco; urgency=medium
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/grub-check-signatures: properly account for DB showing as empty on
++    some broken firmwares: Guard against mokutil --export --db failing, and do
++    a better job at finding the DER certs for conversion to PEM format.
++    (LP: #1814575)
++
++  [ Steve Langasek ]
++  * debian/patches/quick-boot-lvm.patch: checking the return value of
++    'lsefi' when the command doesn't exist does not do what's expected, so
++    instead check the value of $grub_platform which is simpler anyway.
++    LP: #1814403.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 04 Feb 2019 17:51:15 -0500
++
++grub2 (2.02+dfsg1-5ubuntu10) disco; urgency=medium
++
++  * debian/grub-check-signatures: check kernel signatures against keys known
++    in firmware, in case a kernel is signed but not using a key that will pass
++    validation, such as when using kernels coming from a PPA. (LP: #1789918)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 21 Jan 2019 09:34:36 -0500
++
++grub2 (2.02+dfsg1-5ubuntu9) disco; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/patches/quick-boot-lvm.patch: If we don't have writable
++    grubenv and we're on EFI, always show the menu.  Closes LP: #1800722.
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
++    leaves a trace of what files were sourced to help generate the config
++    we're building.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 07 Jan 2019 17:32:01 -0500
++
++grub2 (2.02+dfsg1-5ubuntu8) cosmic; urgency=medium
++
++  * debian/patches/grub-install-extra-removable.patch: install mmx64.efi to
++    the EFI removable path to avoid boot failures after install when certs
++    need to be enrolled and the system's firmware is confused. (LP: #1798171)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 17 Oct 2018 14:44:49 -0400
++
++grub2 (2.02+dfsg1-5ubuntu7) cosmic; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/grub-common.install.in: install the systemd unit that's part of
++    initrd fallback handling, missed when the feature landed.
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/rules: set DEFAULT_TIMEOUT to 0 if we've enabled FLICKER_FREE_BOOT,
++    to avoid unnecessary delay at boot time. (LP: #1784363)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 12 Oct 2018 11:10:10 -0400
++
++grub2 (2.02+dfsg1-5ubuntu6) cosmic; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/grub-check-signatures: Handle the case where we have unsigned
++    vmlinuz and signed vmlinuz.efi.signed. (LP: #1788727)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 03 Oct 2018 14:59:05 -0400
++
++grub2 (2.02+dfsg1-5ubuntu5) cosmic; urgency=medium
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/linuxefi_truncate_overlong_reloc_section.patch: The Windows
++    7 bootloader has inconsistent headers; truncate to the smaller, correct
++    size to fix chainloading Windows 7.
++
++  [ Steve Langasek ]
++  * debian/rules, debian/control: enable dh-systemd.
++  * debian/patches/add-initrd-less-boot-fallback.patch: add initrd-less
++    capabilities. If a kernel fails to boot without initrd, grub will fallback
++    to trying to boot the kernel with an initrd. Patch by Chris Glass.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 25 Sep 2018 16:05:13 -0400
++
++grub2 (2.02+dfsg1-5ubuntu4) cosmic; urgency=medium
++
++  * debian/patches/linuxefi_fix_relocate_coff.patch: fix typo in
++    relocate_coff() causing issues with relocation of code in chainload.
++    (LP: #1792575)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 17 Sep 2018 07:45:49 -0400
++
++grub2 (2.02+dfsg1-5ubuntu3) cosmic; urgency=medium
++
++  * debian/patches/grub-reboot-warn.patch: Warn when "for the next
++    boot only" promise cannot be kept. (LP: #788298)
++
++ -- dann frazier <dannf@ubuntu.com>  Thu, 13 Sep 2018 15:28:50 -0600
++
++grub2 (2.02+dfsg1-5ubuntu2) cosmic; urgency=medium
++
++  * debian/patches/add_ext_lfb_base_support.patch: i386/linux: Add support for
++    ext_lfb_base. (LP: #1785033)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 05 Sep 2018 14:29:04 -0400
++
++grub2 (2.02+dfsg1-5ubuntu1) cosmic; urgency=medium
++
++  [ Mathieu Trudel-Lapierre]
++  * Merge against Debian unstable; remaining changes:
++    - debian/control: Update Vcs fields for code location on Ubuntu.
++    - debian/control: Breaks shim (<< 13).
++    - Secure Boot support: use newer patchset from rhboot repo:
++      - many linuxefi_* patches added and modified
++      - dropped debian/patches/linuxefi_require_shim.patch
++      - renamed: debian/patches/no_insmod_on_sb.patch ->
++        debian/patches/linuxefi_no_insmod_on_sb.patch
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Move installing fb$arch.efi to --no-extra-removable; as we don't want
++        fallback to be installed unless we're also installing to /EFI/BOOT.
++        (LP: #1684341)
++      - Install a BOOT.CSV for fallback to use.
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++    - debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
++      --auto-nvram option to grub-install for auto-detecting NVRAM availability
++      before attempting NVRAM updates.
++    - debian/build-efi-images: provide a new grub EFI image which enforces that
++      loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++      the same as grub$arch.efi minus the 'linux' module. Without fallback to
++      'linux' for unsigned loading, this makes it effectively enforce having a
++      signed kernel. (LP: #1401532)
++    - Verify that the current and newer kernels are signed when grub is
++      updated, to make sure people do not accidentally shutdown without a
++      signed kernel.
++    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
++      confusing GRUB_TIMEOUT_STYLE=hidden. (LP: #1258597)
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config. (LP: #1640878)
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot (LP: #1447500)
++    - debian/patches/shorter_version_info.patch: Only show the upstream version
++      in menu and console, and hide the package one in a package_version
++      variable. (LP: #1723434)
++    - debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
++      'text' payload if it's not supported but present in gfxpayload, such as
++      on EFI systems. (LP: #1711452)
++    - debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
++      fizes as block sizes in bufio: this avoids potentially seeking back in
++      the files unnecessarily, which may require re-open files that cannot be
++      seeked into, such as via TFTP. (LP: #1743249)
++    * util/grub-install.c: Drop extra handling for x.efi.signed files for mok
++      and fallback binaries: shim now installs them without the .signed
++      extension. (LP: #1708245)
++    - debian/patches/dont-fail-efi-warnings.patch: handle linuxefi patches and
++      the casting they do on some architectures: we don't want to fail build
++      because of some of the warnings that can show up since we otherwise build
++      with -Werror.
++  * debian/rules: shuffle files around for now to keep putting build artefacts
++    for signing at the same location as they were expected by Launchpad.
++
++  [ Julian Andres Klode ]
++  * debian/patches/ofnet-init-structs-in-bootpath-parser.patch: initialize
++    structs in bootpath parser. Fixes netboot issues on ppc64el. (LP: #1785859)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 23 Aug 2018 15:00:14 -0400
++
  grub2 (2.02+dfsg1-5) unstable; urgency=medium
    [ Colin Watson ]
@@ -1280,6 +3098,171 @@ grub2 (2.02-3) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Sat, 10 Feb 2018 03:00:30 +0000
++grub2 (2.02-2ubuntu13) cosmic; urgency=medium
++
++  * debian/patches/tests_update_for_new_qemu.patch: update qemu options to
++    remove deprecated options that fail tests.
++  * debian/patches: fix up busted patches due to git-dpm:
++    - debian/patches/add-an-auto-nvram-option-to-grub-install.patch
++    - debian/patches/grub-shell-test-helper-disable-seabios-sercon.patch
++  * debian/patches/r_x86_64_plt32-is-like-r_x86_64_pc32.patch: For the purpose
++    of grub-mkimage, the R_X86_64_PLT32 relocation is basically the same as
++    R_X86_64_PC32. Make R_X86_64_PLT32 supported.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 19 Jul 2018 09:46:53 -0400
++
++grub2 (2.02-2ubuntu12) cosmic; urgency=medium
++
++  * debian/default/grub: replace GRUB_HIDDEN_* variables with the more concise
++    and less confusing GRUB_TIMEOUT_STYLE=hidden. (LP: #1258597)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 16 Jul 2018 14:18:46 -0400
++
++grub2 (2.02-2ubuntu11) cosmic; urgency=medium
++
++  * Verify that the current and newer kernels are signed when grub is updated, to
++    make sure people do not accidentally shutdown without a signed kernel.
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 13 Jul 2018 15:21:48 +0200
++
++grub2 (2.02-2ubuntu10) cosmic; urgency=medium
++
++  * debian/patches/grub-shell-test-helper-disable-seabios-sercon.patch: In the
++    grub-shell test helper, disable seabios's serial console through fw_cfg
++    runtime configuration as its boot output interferes with testing.
++    (LP: #1775249)
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Wed, 06 Jun 2018 01:03:26 +0200
++
++grub2 (2.02-2ubuntu9) cosmic; urgency=medium
++
++  * debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
++    --auto-nvram option to grub-install for auto-detecting NVRAM availability
++    before attempting NVRAM updates.
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Tue, 05 Jun 2018 00:34:38 +0200
++
++grub2 (2.02-2ubuntu8) bionic; urgency=medium
++
++  * Drop debian/patches/mkconfig_keep_native_term_active.patch, which can
++    lead to flickering between graphical and text mode when traversing the
++    menu. (LP: #1752767)
++  * debian/patches/yylex-explicitly_cast_fprintf_to_void.patch: Fix FTBFS
++    with flex 2.6.4.
++
++ -- dann frazier <dannf@ubuntu.com>  Sun, 04 Mar 2018 06:11:35 -0700
++
++grub2 (2.02-2ubuntu7) bionic; urgency=medium
++
++  [ Julian Andres Klode ]
++  * debian/patches/shorter_version_info.patch: Only show the upstream version
++    in menu and console, and hide the package one in a package_version
++    variable. (LP: #1723434)
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
++    'text' payload if it's not supported but present in gfxpayload, such as
++    on EFI systems. (LP: #1711452)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 09 Feb 2018 16:30:45 -0500
++
++grub2 (2.02-2ubuntu6) bionic; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
++    fizes as block sizes in bufio: this avoids potentially seeking back in
++    the files unnecessarily, which may require re-open files that cannot be
++    seeked into, such as via TFTP. (LP: #1743249)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 05 Feb 2018 11:58:09 -0500
++
++grub2 (2.02-2ubuntu5) bionic; urgency=medium
++
++  * debian/patches/mkconfig_keep_native_term_active.patch: Keep the
++    default EFI console active while enabling gfxterm. (LP: #1743884)
++
++ -- dann frazier <dannf@ubuntu.com>  Wed, 31 Jan 2018 10:51:11 -0700
++
++grub2 (2.02-2ubuntu4) bionic; urgency=medium
++
++  * debian/patches/vt_handoff.patch: modify the existing patch to set
++    vt.handoff=1 instead of vt.handoff=7 as we now start display managers on
++    vt1 anyway. This also fixes issues with netboot installed server systems
++    not displaying the login prompt on boot. (LP: #1675453)
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 18 Jan 2018 18:32:31 +0100
++
++grub2 (2.02-2ubuntu3) bionic; urgency=medium
++
++  * util/grub-install.c: Drop extra handling for x.efi.signed files for mok
++    and fallback binaries: shim now installs them without the .signed
++    extension. (LP: #1708245)
++  * debian/control: Breaks shim (<< 13).
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 17 Jan 2018 09:25:09 -0500
++
++grub2 (2.02-2ubuntu2) bionic; urgency=medium
++
++  * Cherry-pick upstream patch to change the default TSC calibration method
++    to pmtimer on EFI systems (LP: #1734278)
++  * debian/control: Update Vcs fields for code location on Ubuntu.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 05 Dec 2017 11:47:31 -0500
++
++grub2 (2.02-2ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config. (LP: #1640878)
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot (LP: #1447500)
++    - debian/build-efi-images: provide a new grub EFI image which enforces that
++      loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++      the same as grub$arch.efi minus the 'linux' module. Without fallback to
++      'linux' for unsigned loading, this makes it effectively enforce having a
++      signed kernel. (LP: #1401532)
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Move installing fb$arch.efi to --no-extra-removable; as we don't want
++        fallback to be installed unless we're also installing to /EFI/BOOT.
++        (LP: #1684341)
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++  * Sync Secure Boot support patches with the upstream patch set from
++    rhboot/grub2:master-sb. Renamed some patches and updated descriptions for
++    the whole thing to make more sense, too:
++    - dropped debian/patches/linuxefi_require_shim.patch
++    - renamed: debian/patches/no_insmod_on_sb.patch ->
++      debian/patches/linuxefi_no_insmod_on_sb.patch
++    - debian/patches/linuxefi.patch
++    - debian/patches/linuxefi_debug.patch
++    - debian/patches/linuxefi_non_sb_fallback.patch
++    - debian/patches/linuxefi_add_sb_to_efi_chainload.patch
++    - debian/patches/linuxefi_cleanup_errors_in_loader.patch
++    - debian/patches/linuxefi_fix_efi_validation_race.patch
++    - debian/patches/linuxefi_handle_multiarch_boot.patch
++    - debian/patches/linuxefi_honor_sb_mode.patch
++    - debian/patches/linuxefi_move_fdt_helper.patch
++    - debian/patches/linuxefi_load_arm_with_sb.patch
++    - debian/patches/linuxefi_minor_cleanups.patch
++    - debian/patches/linuxefi_re-enable_linux_cmd.patch
++    - debian/patches/linuxefi_rework_linux16_cmd.patch
++    - debian/patches/linuxefi_rework_linux_cmd.patch
++    - debian/patches/linuxefi_rework_non-sb_efi_chainload.patch
++    - debian/patches/linuxefi_rework_pe_loading.patch
++    - debian/patches/linuxefi_use_dev_chainloader_target.patch
++  * debian/patches/dont-fail-efi-warnings.patch: handle linuxefi patches and
++    the casting they do on some architectures: we don't want to fail build
++    because of some of the warnings that can show up since we otherwise build
++    with -Werror.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 06 Nov 2017 15:37:12 -0500
++
  grub2 (2.02-2) unstable; urgency=medium
    * Comment out debian/watch lines for betas and pre-releases for now.
@@ -1316,6 +3299,92 @@ grub2 (2.02~beta3-5) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Sat, 11 Feb 2017 15:09:19 +0000
++grub2 (2.02~beta3-4ubuntu7) artful; urgency=medium
++
++  * debian/patches/headers_for_device_macros.patch,
++    debian/patches/fix_check_for_sys_macros.patch: make sure the right
++    device macro header is included and that the deprecation warning
++    is dealt with. LP: #1722955.
++
++ -- Tiago Stürmer Daitx <tiago.daitx@ubuntu.com>  Thu, 12 Oct 2017 09:41:17 -0400
++
++grub2 (2.02~beta3-4ubuntu6) artful; urgency=medium
++
++  * debian/patches/mount-ext4-fs-with-crypto-enabled.patch: Allow grub to
++    mount an EXT4 partition that has the 'encrypt' feature enabled
++    (closes: 840204)
++
++ -- Tyler Hicks <tyhicks@canonical.com>  Wed, 05 Jul 2017 22:23:03 +0000
++
++grub2 (2.02~beta3-4ubuntu5) artful; urgency=medium
++
++  * debian/patches/linuxefi.patch: fix double-free caused by an extra
++    grub_free() call in this patch (which the previous upload didn't change).
++  * debian/patches/linuxefi_rework_non-sb_cases.patch,
++    debian/patches/linuxefi_non_sb_fallback.patch: refreshed.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 29 May 2017 16:28:41 -0400
++
++grub2 (2.02~beta3-4ubuntu4) artful; urgency=medium
++
++  * debian/patches: Rework linuxefi/SecureBoot support and sync with upstream
++    SB patch set:
++    - linuxefi_arm_sb_support.patch: add Secure Boot support for arm for its
++      chainloader.
++    - linuxefi_fix_validation_race.patch: Fix a race in validating images.
++    - linuxefi_chainloader_path.patch: honor the starting path for grub, so
++      images do not need to be started from $root.
++    - linuxefi_chainloader_sb.patch: Fix some more issues in chainloader use
++      when Secure Boot is enabled.
++    - linuxefi_loaders_enforce_sb.patch: Enforce Secure Boot policy for all
++      loaders: don't load the commands when Secure Boot is enabled.
++    - linuxefi_re-enable_linux_cmd.patch: Since we rely on the linux and
++      initrd commands to automatically hand-off to linuxefi/initrdefi; re-
++      enable the linux loader.
++    - linuxefi_chainloader_pe_fixes.patch: PE parsing fixes for chainloading
++      "special" PE images, such as Windows'.
++    - linuxefi_rework_non-sb_cases.patch: rework cases where Secure Boot is
++      disabled or shim validation is disabled so loading works as EFI binaries
++      when it is supposed to.
++    - Removed linuxefi_require_shim.patch; superseded by the above.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 11 May 2017 17:05:04 -0400
++
++grub2 (2.02~beta3-4ubuntu3) artful; urgency=medium
++
++  * debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++    - Make sure if we install shim; it should also be exported as the default
++      bootloader to install later to a removable path, if we do.
++    - Rework grub-install-extra-removable.patch to reverse its logic: in the
++      default case, install the bootloader to /EFI/BOOT, unless we're trying
++      to install on a removable device, or explicitly telling grub *not* to
++      do it.
++    - Move installing fb$arch.efi to --no-extra-removable; as we don't want
++      fallback to be installed unless we're also installing to /EFI/BOOT.
++      (LP: #1684341)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 26 Apr 2017 21:08:22 -0400
++
++grub2 (2.02~beta3-4ubuntu2) zesty; urgency=medium
++
++  * debian/build-efi-images: provide a new grub EFI image which enforces that
++    loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++    the same as grub$arch.efi minus the 'linux' module. Without fallback to
++    'linux' for unsigned loading, this makes it effectively enforce having a
++    signed kernel. (LP: #1401532)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 30 Mar 2017 17:45:23 -0400
++
++grub2 (2.02~beta3-4ubuntu1) zesty; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config. (LP: #1640878)
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot (LP: #1447500)
++
++ -- dann frazier <dannf@ubuntu.com>  Thu, 09 Feb 2017 10:06:57 -0700
++
  grub2 (2.02~beta3-4) unstable; urgency=medium
    [ Colin Watson ]
 diff --git a/debian/control b/debian/control
 index b9d79ec..efd46e3 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,8 +1,9 @@
  Source: grub2
  Section: admin
  Priority: optional
--Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
--Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Steve McIntyre <93sam@debian.org>, Julian Andres Klode <jak@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
++Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Steve McIntyre <93sam@debian.org>, Julian Andres Klode <jak@debian.org>, Mate Kukri <mate.kukri@canonical.com>
  Build-Depends: debhelper-compat (= 13),
   patchutils,
   python3,
@@ -12,8 +13,7 @@ Build-Depends: debhelper-compat (= 13),
   po-debconf,
   help2man,
   texinfo,
-- gcc-12,
-- gcc-12-multilib [i386 kopensolaris-i386 any-amd64 any-ppc64 any-sparc],
++ gcc-multilib [i386 kopensolaris-i386 any-amd64 any-ppc64 any-sparc],
   xfonts-unifont,
   libfreetype6-dev,
   gettext,
@@ -40,8 +40,8 @@ Build-Depends: debhelper-compat (= 13),
  Build-Conflicts: autoconf2.13, libzfs-dev, libnvpair-dev
  Standards-Version: 3.9.6
  Homepage: https://www.gnu.org/software/grub/
--Vcs-Git: https://salsa.debian.org/grub-team/grub.git
--Vcs-Browser: https://salsa.debian.org/grub-team/grub
++Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu
++Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu
  Rules-Requires-Root: no
  Package: grub2
@@ -66,7 +66,7 @@ Description: GRand Unified Bootloader, version 2 (dummy package)
  Package: grub-efi
  Architecture: any-i386 any-amd64 any-arm64 any-ia64 any-arm any-riscv64
  Pre-Depends: ${misc:Pre-Depends}
--Depends: ${misc:Depends}, grub-efi-ia32 (= ${binary:Version}) [any-i386], grub-efi-amd64 (= ${binary:Version}) [any-amd64], grub-efi-arm64 (= ${binary:Version}) [any-arm64], grub-efi-ia64 (= ${binary:Version}) [any-ia64], grub-efi-arm (= ${binary:Version}) [any-arm], grub-efi-riscv64 (= ${binary:Version}) [any-riscv64]
++Depends: ${misc:Depends}, grub-efi-ia32 (>= ${binary:Version}) [any-i386], grub-efi-amd64 [any-amd64], grub-efi-arm64 [any-arm64], grub-efi-ia64 (>= ${binary:Version}) [any-ia64], grub-efi-arm (>= ${binary:Version}) [any-arm], grub-efi-riscv64 (>= ${binary:Version}) [any-riscv64]
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (dummy package)
   This is a dummy package that depends on the grub-efi-$ARCH package most likely
@@ -75,7 +75,7 @@ Description: GRand Unified Bootloader, version 2 (dummy package)
  Package: grub-common
  Architecture: any
  Built-Using: ${Built-Using}
--Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}
++Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}, python3, python3-apt
  Replaces: grub-pc (<< 2.00-4), grub-ieee1275 (<< 2.00-4), grub-efi (<< 1.99-1), grub-coreboot (<< 2.00-4), grub-linuxbios (<< 1.96+20080831-1), grub-efi-ia32 (<< 2.00-4), grub-efi-amd64 (<< 2.00-4), grub-efi-ia64 (<< 2.00-4), grub-yeeloong (<< 2.00-4), init-select
  Recommends: os-prober (>= 1.33)
  Suggests: multiboot-doc, grub-emu [any-i386 any-amd64 any-powerpc], mtools [any-i386 any-amd64 any-ia64 any-arm any-arm64 riscv64], xorriso (>= 0.5.6.pl00), desktop-base (>= 4.0.6), console-setup
@@ -252,7 +252,6 @@ Description: GRand Unified Bootloader, version 2 (Coreboot version)
  Package: grub-efi-ia32-bin
  Architecture: any-i386 any-amd64
  Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
--Breaks: grub-efi-ia32-signed (<< 1+2.12~rc1)
  Recommends: grub-efi-ia32-signed [i386], efibootmgr [linux-any]
  Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi, grub-efi-ia32 (<< 1.99-1)
  Multi-Arch: foreign
@@ -313,11 +312,10 @@ Description: GRand Unified Bootloader, version 2 (EFI-IA32 signing template)
   This is only needed for Secure Boot signing.
  Package: grub-efi-amd64-bin
--Architecture: i386 kopensolaris-i386 any-amd64
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
++Architecture: kopensolaris-i386 any-amd64
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (>= 2.02~beta2-9)
  Recommends: grub-efi-amd64-signed [amd64], efibootmgr [linux-any]
  Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
--Breaks: grub-efi-amd64-signed (<< 1+2.12~rc1)
  Multi-Arch: foreign
  XB-Efi-Vendor: ${efi:Vendor}
  Description: GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
@@ -339,17 +337,17 @@ Description: GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
  Package: grub-efi-amd64-dbg
  Section: debug
--Architecture: i386 kopensolaris-i386 any-amd64
--Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${binary:Version}), grub-common (= ${binary:Version})
++Architecture: kopensolaris-i386 any-amd64
++Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${binary:Version})
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (EFI-AMD64 debug files)
   This package contains debugging files for grub-efi-amd64-bin.  You only
   need these if you are trying to debug GRUB using its GDB stub.
  Package: grub-efi-amd64
--Architecture: i386 kopensolaris-i386 any-amd64
++Architecture: kopensolaris-i386 any-amd64
  Pre-Depends: ${misc:Pre-Depends}
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-efi-amd64-bin (= ${binary:Version}), ucf
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (>= 2.02~beta2-9), grub-efi-amd64-bin (= ${binary:Version}), ucf
  Replaces: grub, grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-pc, grub-efi-ia32, grub-coreboot, grub-ieee1275
  Conflicts: grub, grub-legacy, grub-efi-ia32, grub-pc, grub-coreboot, grub-ieee1275, grub-xen, elilo
  Multi-Arch: foreign
@@ -477,8 +475,7 @@ Description: GRand Unified Bootloader, version 2 (ARM UEFI version)
  Package: grub-efi-arm64-bin
  Architecture: any-arm64
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
--Breaks: grub-efi-arm64-signed (<< 1+2.12~rc1)
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (>= 2.02~beta2-9)
  Recommends: grub-efi-arm64-signed [arm64], efibootmgr [linux-any]
  Multi-Arch: foreign
  XB-Efi-Vendor: ${efi:Vendor}
@@ -501,7 +498,7 @@ Description: GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
  Package: grub-efi-arm64-dbg
  Section: debug
  Architecture: any-arm64
--Depends: ${misc:Depends}, grub-efi-arm64-bin (= ${binary:Version}), grub-common (= ${binary:Version})
++Depends: ${misc:Depends}, grub-efi-arm64-bin (= ${binary:Version})
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
   This package contains debugging files for grub-efi-arm64-bin.  You only
@@ -510,7 +507,7 @@ Description: GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
  Package: grub-efi-arm64
  Architecture: any-arm64
  Pre-Depends: ${misc:Pre-Depends}
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-efi-arm64-bin (= ${binary:Version}), ucf
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (>= 2.02~beta2-36ubuntu3.32), grub-efi-arm64-bin (= ${binary:Version}), ucf
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (ARM64 UEFI version)
   GRUB is a portable, powerful bootloader.  This version of GRUB is based on a
 diff --git a/debian/grub-check-signatures b/debian/grub-check-signatures
 new file mode 100755
 index 0000000..edc171e
 --- /dev/null
 +++ b/debian/grub-check-signatures
@@ -0,0 +1,136 @@
++#!/bin/sh
++
++set -e
++
++. /usr/share/debconf/confmodule
++
++# Check if we are on an EFI system
++efivars=/sys/firmware/efi/efivars
++secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
++moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
++tmpdir=$(mktemp -d)
++
++on_secure_boot() {
++	# Validate any queued actions before we go try to do them.
++	local moksbstatert=0
++
++	if ! [ -d $efivars ]; then
++		return 1
++	fi
++
++	if ! [ -f $efivars/$secureboot_var ] \
++		|| [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
++	then
++		return 1
++	fi
++
++	if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
++		moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
++	elif [ -f $efivars/$moksbstatert_var ]; then
++		# MokSBStateRT set to 1 means validation is disabled
++		moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
++					   awk '{ print $NF; }')
++	fi
++
++	if [ $moksbstatert -eq 1 ]; then
++		return 1
++	fi
++
++	return 0
++}
++
++# Retrieve the keys we do trust from PK, DB, KEK, and MokList.
++extract_known_keys() {
++	# Make the Canonical CA cert available for validation too; in case
++	# MokListRT is empty due to a bug.
++	cp /usr/share/grub/canonical-uefi-ca.crt $tmpdir
++
++	# Extract known UEFI certs from firmware variables
++	( cd $tmpdir; \
++		mokutil --export --db >/dev/null 2>/dev/null; \
++		mokutil --export --mok >/dev/null 2>/dev/null; )
++	find $tmpdir -name "*.der" -exec openssl x509 -inform der -in {} -outform pem -out {}.crt  \;
++}
++
++# Check if a given kernel image is signed
++is_signed() {
++	kernel=$1
++	tmp=$(mktemp)
++	kernel_tmp=$(mktemp)
++	if zcat $kernel > $kernel_tmp 2>/dev/null; then
++		kernel=$kernel_tmp
++	fi
++	sbattach --detach $tmp $kernel >/dev/null 2>/dev/null 	# that's ugly...
++	test "$(wc -c < $tmp)" -ge 16	# Just _some_ minimum size
++	result=$?
++	if [ $result -eq 0 ]; then
++		sig_subject=$(openssl pkcs7 -inform der -in $tmp -print_certs | openssl x509 -noout -text | grep Subject: )
++	fi
++	rm $tmp
++	if [ $result -eq 0 ]; then
++		for crtfile in $tmpdir/*.crt; do
++			sbverify --cert $crtfile $kernel >/dev/null 2>/dev/null
++			result=$?
++			if [ $result -eq 0 ]; then
++				rm "$kernel_tmp"
++				return $result;
++			fi
++		done
++		echo "$1 is signed, but using an unknown key:" >&2
++		echo "$sig_subject" >&2
++	else
++		echo "$1 is unsigned." >&2
++	fi
++	rm "$kernel_tmp"
++	return $result
++}
++
++# Check that our current kernel and every newer one is signed
++find_unsigned() {
++	uname_r="$(uname -r)"
++	for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do
++		# no kernels :(
++		if [ "$kernel" = "/boot/vmlinuz-*" ]; then
++			break
++		fi
++		this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')"
++		if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then
++			continue
++		fi
++		if [ -e "$kernel.efi.signed" ]; then
++			continue
++		fi
++		if ! is_signed $kernel; then
++			echo "$this_uname_r"
++		fi
++	done
++}
++
++# Only reached from show_warning
++error() {
++	echo "E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment." >&2

grub

Merge ~mkukri/grub:ubuntu into ~ubuntu-core-dev/grub/+git/ubuntu:master

Commit message

Description of the change

Preview Diff

Subscribers