grub

Merge ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu-2.06-clean into ~ubuntu-core-dev/grub/+git/ubuntu:debian-unapplied

Proposed by Julian Andres Klode on 2021-11-29

Status:

Work in progress

Proposed branch:

~ubuntu-core-dev/grub/+git/ubuntu:ubuntu-2.06-clean

Merge into:

~ubuntu-core-dev/grub/+git/ubuntu:debian-unapplied

Diff against target:

30150 lines (+20897/-1697)

129 files modified

debian/build-efi-images (+14/-9)
debian/canonical-uefi-ca.crt (+25/-0)
debian/changelog (+1325/-0)
debian/control (+17/-14)
debian/dirs.in (+1/-0)
debian/grub-check-signatures (+129/-0)
debian/grub-common.dirs (+1/-0)
debian/grub-common.install.in (+4/-0)
debian/grub-common.service (+15/-0)
debian/grub-common.templates (+53/-0)
debian/grub-efi-amd64-bin.maintscript.in (+1/-0)
debian/grub-efi-arm64-bin.maintscript.in (+1/-0)
debian/grub-multi-install (+417/-0)
debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch (+117/-0)
debian/patches/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch (+47/-0)
debian/patches/cherrypick-efi-grub_efi_close_protocol.patch (+79/-0)
debian/patches/cherrypick-efinet-correct-closing-snp-protocol.patch (+106/-0)
debian/patches/efi-variable-storage-minimise-writes.patch (+3/-3)
debian/patches/gfxpayload-dynamic.patch (+1/-1)
debian/patches/grub-install-pvxen-paths.patch (+3/-3)
debian/patches/install-efi-adjust-distributor.patch (+1/-1)
debian/patches/install-powerpc-machtypes.patch (+1/-1)
debian/patches/no-insmod-on-sb.patch (+45/-0)
debian/patches/pc-verifiers-module.patch (+1/-1)
debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch (+23/-0)
debian/patches/rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch (+26/-0)
debian/patches/rhboot-f34-make-exit-take-a-return-code.patch (+268/-0)
debian/patches/rhboot-f34-make-pmtimer-tsc-calibration-fast.patch (+213/-0)
debian/patches/series (+47/-5)
debian/patches/suse-AUDIT-0-http-boot-tracker-bug.patch (+68/-0)
debian/patches/suse-add-support-for-UEFI-network-protocols.patch (+4941/-0)
debian/patches/suse-grub.texi-add-net_bootp6-document.patch (+49/-0)
debian/patches/ubuntu-add-devicetree-command-support.patch (+51/-0)
debian/patches/ubuntu-add-initrd-less-boot-fallback.patch (+214/-0)
debian/patches/ubuntu-add-initrd-less-boot-messages.patch (+68/-0)
debian/patches/ubuntu-boot-from-multipath-dependent-symlink.patch (+68/-0)
debian/patches/ubuntu-dont-verify-loopback-images.patch (+36/-0)
debian/patches/ubuntu-efi-allow-loopmount-chainload.patch (+126/-0)
debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch (+29/-0)
debian/patches/ubuntu-fix-reproducible-squashfs-test.patch (+30/-0)
debian/patches/ubuntu-flavour-order.patch (+60/-0)
debian/patches/ubuntu-grub-install-extra-removable.patch (+64/-38)
debian/patches/ubuntu-install-signed.patch (+33/-30)
debian/patches/ubuntu-linuxefi-arm64-set-base-addr.patch (+68/-0)
debian/patches/ubuntu-linuxefi-arm64.patch (+184/-0)
debian/patches/ubuntu-linuxefi.patch (+2579/-0)
debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch (+28/-0)
debian/patches/ubuntu-recovery-dis_ucode_ldr.patch (+83/-0)
debian/patches/ubuntu-resilient-boot-boot-order.patch (+230/-0)
debian/patches/ubuntu-resilient-boot-ignore-alternative-esps.patch (+207/-0)
debian/patches/ubuntu-shorter-version-info.patch (+40/-0)
debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch (+58/-0)
debian/patches/ubuntu-speed-zsys-history.patch (+157/-0)
debian/patches/ubuntu-support-initrd-less-boot.patch (+81/-0)
debian/patches/ubuntu-temp-keep-auto-nvram.patch (+38/-0)
debian/patches/ubuntu-zfs-enhance-support.patch (+1047/-0)
debian/patches/ubuntu-zfs-gfxpayload-dynamic.patch (+95/-0)
debian/patches/ubuntu-zfs-gfxpayload-keep-default.patch (+38/-0)
debian/patches/ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch (+32/-0)
debian/patches/ubuntu-zfs-maybe-quiet.patch (+72/-0)
debian/patches/ubuntu-zfs-mkconfig-recovery-title.patch (+49/-0)
debian/patches/ubuntu-zfs-mkconfig-signed-kernel.patch (+51/-0)
debian/patches/ubuntu-zfs-mkconfig-ubuntu-distributor.patch (+36/-0)
debian/patches/ubuntu-zfs-mkconfig-ubuntu-recovery.patch (+66/-0)
debian/patches/ubuntu-zfs-quick-boot.patch (+50/-0)
debian/patches/ubuntu-zfs-vt-handoff.patch (+77/-0)
debian/patches/uefi-secure-boot-cryptomount.patch (+2/-2)
debian/patches/zstd-require-8-byte-buffer.patch (+63/-0)
debian/po/ar.po (+99/-18)
debian/po/ast.po (+107/-18)
debian/po/be.po (+118/-18)
debian/po/bg.po (+119/-18)
debian/po/ca.po (+120/-18)
debian/po/cs.po (+118/-18)
debian/po/cy.po (+109/-18)
debian/po/da.po (+119/-18)
debian/po/de.po (+122/-18)
debian/po/dz.po (+107/-18)
debian/po/el.po (+120/-18)
debian/po/eo.po (+118/-18)
debian/po/es.po (+119/-18)
debian/po/eu.po (+118/-18)
debian/po/fa.po (+108/-18)
debian/po/fi.po (+118/-18)
debian/po/fr.po (+120/-18)
debian/po/gl.po (+108/-18)
debian/po/gu.po (+106/-18)
debian/po/he.po (+117/-18)
debian/po/hr.po (+118/-18)
debian/po/hu.po (+109/-18)
debian/po/id.po (+107/-18)
debian/po/is.po (+119/-18)
debian/po/it.po (+120/-18)
debian/po/ja.po (+119/-18)
debian/po/ka.po (+87/-18)
debian/po/kk.po (+119/-18)
debian/po/km.po (+106/-18)
debian/po/ko.po (+118/-18)
debian/po/lt.po (+118/-18)
debian/po/lv.po (+118/-18)
debian/po/mr.po (+117/-18)
debian/po/nb.po (+119/-18)
debian/po/nl.po (+120/-18)
debian/po/pl.po (+120/-18)
debian/po/pt.po (+120/-18)
debian/po/pt_BR.po (+120/-18)
debian/po/ro.po (+119/-18)
debian/po/ru.po (+118/-18)
debian/po/si.po (+106/-18)
debian/po/sk.po (+107/-18)
debian/po/sl.po (+118/-18)
debian/po/sq.po (+105/-18)
debian/po/sr.po (+107/-18)
debian/po/sr@latin.po (+107/-18)
debian/po/sv.po (+119/-18)
debian/po/ta.po (+106/-18)
debian/po/templates.pot (+87/-18)
debian/po/th.po (+117/-18)
debian/po/tr.po (+118/-18)
debian/po/ug.po (+119/-18)
debian/po/uk.po (+118/-18)
debian/po/vi.po (+119/-18)
debian/po/zh_CN.po (+105/-18)
debian/po/zh_TW.po (+116/-18)
debian/postinst.in (+96/-12)
debian/rules (+93/-10)
debian/sbat.ubuntu.csv.in (+3/-0)
debian/templates.in (+78/-8)
dev/null (+0/-551)

Undecided

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu Core Development Team		2021-11-29	Pending
Review via email: mp+412515@code.launchpad.net

Description of the change

Rebase of the Ubuntu changes against the Debian branch.

DO NOT MERGE: The target branch is set against the debian branch to review the delta against Debian.

~ubuntu-core-dev/grub/+git/ubuntu:ubuntu-2.06-clean updated on 2021-12-07

652be79... by Julian Andres Klode on 2021-11-29

reconstruct changelog

a7c790c... by Julian Andres Klode on 2021-11-29

UBUNTU: Revert "Add jfs module to signed UEFI images. Closes: #950959"

This reverts commit e24c17ada73c6349be75eb2bfb099f707f7ff7e0.

bf0a542... by Julian Andres Klode on 2021-11-29

UBUNTU: Revert "Add f2fs module to signed UEFI images"

This reverts commit 146d21cc9db01cca6f945e466e4adc31d165782b.

356f550... by Julian Andres Klode on 2021-11-30

Rebase the remaining Ubuntu patchset

186f7ca... by Julian Andres Klode on 2021-11-30

Install grub-initrd-fallback.service again

0ec8089... by Julian Andres Klode on 2021-12-01

UBUNTU: Replace linuxefi.patch with ubuntu one

Ours has arm64 support.

441a61c... by Julian Andres Klode on 2021-12-02

UBUNTU: Replace install-signed.patch by ubuntu one

3f8f647... by Julian Andres Klode on 2021-12-02

Fix zstd build on s390x

9abec3a... by Julian Andres Klode on 2021-12-07

cherrypick efinet SNP closing fixes

Unmerged commits

652be79... by Julian Andres Klode on 2021-11-29

reconstruct changelog

9abec3a... by Julian Andres Klode on 2021-12-07

cherrypick efinet SNP closing fixes

3f8f647... by Julian Andres Klode on 2021-12-02

Fix zstd build on s390x

1bf8752... by Julian Andres Klode on 2021-11-29

merge debian/po/

This is not strictly necessary but cleans the merge up

1fa2a0d... by Julian Andres Klode on 2021-11-29

Merge changelog

186f7ca... by Julian Andres Klode on 2021-11-30

Install grub-initrd-fallback.service again

356f550... by Julian Andres Klode on 2021-11-30

Rebase the remaining Ubuntu patchset

bf0a542... by Julian Andres Klode on 2021-11-29

UBUNTU: Revert "Add f2fs module to signed UEFI images"

This reverts commit 146d21cc9db01cca6f945e466e4adc31d165782b.

a7c790c... by Julian Andres Klode on 2021-11-29

UBUNTU: Revert "Add jfs module to signed UEFI images. Closes: #950959"

This reverts commit e24c17ada73c6349be75eb2bfb099f707f7ff7e0.

443797f... by Dimitri John Ledkov on 2020-10-27

grub-common.service: port init.d script to systemd unit. Add warning message, when initrdless boot fails triggering fallback. LP: #1901553

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Julian Andres Klode

Ubuntu Core Development Team

 diff --git a/debian/build-efi-images b/debian/build-efi-images
 index 5ac6676..3e6efd0 100755
 --- a/debian/build-efi-images
 +++ b/debian/build-efi-images
@@ -71,6 +71,8 @@ EOF
  cat >"$workdir/grub-netboot.cfg" <<EOF
  if [ -e \$prefix/$platform/grub.cfg ]; then
  	source \$prefix/$platform/grub.cfg
++elif [ -e \$prefix/grub.cfg-$deb_arch ]; then
++	source \$prefix/grub.cfg-default-$deb_arch
  else
  	source \$prefix/grub.cfg
  fi
@@ -95,7 +97,6 @@ CD_MODULES="
  	ext2
  	fat
  	font
--	f2fs
  	gettext
  	gfxmenu
  	gfxterm
@@ -105,7 +106,6 @@ CD_MODULES="
  	help
  	hfsplus
  	iso9660
--	jfs
  	jpeg
  	keystatus
  	loadenv
@@ -133,6 +133,7 @@ CD_MODULES="
  	search_fs_file
  	search_label
  	sleep
++	smbios
  	squash4
  	test
  	true
@@ -187,6 +188,7 @@ GRUB_MODULES="$CD_MODULES
  	raid6rec
+ 	"
  NET_MODULES="$CD_MODULES
++	http
  	tftp
+ 	"
@@ -218,12 +220,15 @@ echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name.efi"
  # Special network boot image for d-i to use. Just the same as the
  # normal network boot image, but with a different value baked in for
  # the prefix setting
--echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
--"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
--	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
--	-m "$workdir/memdisk-netboot.fat" \
--	-p "/${efi_vendor}-installer/$deb_arch/grub" \
--	--sbat "$sbat_csv" \
--	$NET_MODULES
++#
++# but not on Ubuntu LP: #1863994
++#
++#echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
++#"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
++#	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
++#	-m "$workdir/memdisk-netboot.fat" \
++#	-p "/${efi_vendor}-installer/$deb_arch/grub" \
++#	--sbat "$sbat_csv" \
++#	$NET_MODULES
  exit 0
 diff --git a/debian/canonical-uefi-ca.crt b/debian/canonical-uefi-ca.crt
 new file mode 100644
 index 0000000..55c06d5
 --- /dev/null
 +++ b/debian/canonical-uefi-ca.crt
@@ -0,0 +1,25 @@
++-----BEGIN CERTIFICATE-----
++MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD
++VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx
++FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk
++LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX
++DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m
++IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x
++NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo
++b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h
++7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7
++v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO
+++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr
++yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk
++YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO
++BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj
++MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB
++Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu
++b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB
++CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd
++B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH
++WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx
++U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd
++7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p
++9JkU284DDgtmxBxtvbgnd8FClL38agq8
++-----END CERTIFICATE-----
 diff --git a/debian/changelog b/debian/changelog
 index 7219e57..7dc537d 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,103 @@
++grub2 (2.06-2ubuntu0~uefi5) jammy; urgency=medium
++
++  * Merge from Debian unstable; remaining changes:
++    - Build without lto
++    - Add Ubuntu sbat data
++    - Make prebuilt netboot image look for MAAS grub.cfg
++    - build-efi-images: add smbios module to the prebuilt signed EFI images
++      (LP: 1856424)
++    - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
++    - build-efi-images: Add http to netboot images
++    - grub-common: Install canonical-uefi-ca.crt
++    - Check signatures
++    - minilzo: built using the distribution's minilzo
++    - Support installing to multiple ESP (LP: 1871821)
++    - Disable various bits on i386
++    - Split out unsigned artefacts into grub2-unsigned
++    - Vcs-Git: Point to ubuntu packaging branch
++    - Relax dependencies on grub-common and grub2-common
++    - grub-pc: Avoid the possibility of breaking grub on SRU update due
++      to ABI change
++    - UBUNTU: Default timeout changes
++    - Disable os-prober for ppc64el on the PowerNV platform (for Petitboot)
++    - dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar)
++    - Link grub-efi-{amd64,arm64}-bin docs directory
++    - grub-common.service: port init.d script to systemd unit. Add warning
++      message, when initrdless boot fails triggering fallback. LP: 1901553
++    - Removed patches:
++      - grub-install-extra-removable.patch
++      - grub-install-removable-shim.patch
++    - Added patches:
++      + ubuntu-grub-install-extra-removable.patch
++      + ubuntu-zfs-enhance-support.patch
++      + ubuntu-zfs-gfxpayload-keep-default.patch
++      + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
++      + ubuntu-zfs-mkconfig-signed-kernel.patch
++      + ubuntu-zfs-maybe-quiet.patch
++      + ubuntu-zfs-quick-boot.patch
++      + ubuntu-zfs-gfxpayload-dynamic.patch
++      + ubuntu-zfs-vt-handoff.patch
++      + ubuntu-zfs-mkconfig-recovery-title.patch
++      + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
++      + ubuntu-support-initrd-less-boot.patch
++      + ubuntu-shorter-version-info.patch
++      + ubuntu-add-initrd-less-boot-fallback.patch
++      + ubuntu-mkconfig-leave-breadcrumbs.patch
++      + ubuntu-fix-lzma-decompressor-objcopy.patch
++      + ubuntu-temp-keep-auto-nvram.patch
++      + ubuntu-add-devicetree-command-support.patch
++      + ubuntu-boot-from-multipath-dependent-symlink.patch
++      + ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
++      + ubuntu-efi-allow-loopmount-chainload.patch
++      + 0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
++      + ubuntu-resilient-boot-ignore-alternative-esps.patch
++      + ubuntu-resilient-boot-boot-order.patch
++      + ubuntu-speed-zsys-history.patch
++      + ubuntu-flavour-order.patch
++      + ubuntu-dont-verify-loopback-images.patch
++      + ubuntu-recovery-dis_ucode_ldr.patch
++      + ubuntu-linuxefi-arm64.patch
++      + ubuntu-add-initrd-less-boot-messages.patch
++      + ubuntu-fix-reproducible-squashfs-test.patch
++      + rhboot-f34-make-exit-take-a-return-code.patch
++      + rhboot-f34-dont-use-int-for-efi-status.patch
++      + rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
++      + suse-add-support-for-UEFI-network-protocols.patch
++      + suse-AUDIT-0-http-boot-tracker-bug.patch
++      + rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
++      + 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
++  * Dropped changes:
++    - Remove obsolete dependencies on dh-autoreconf and automake
++    - Remove explicit --with systemd in debhelper invocation
++    - Remove debian/gettext-patches; they do not seem to be necessary anymore
++    - Remove inadvertent change to debian/signing-template.json.in, we do not
++      use that file anyway.
++    - Merged upstream:
++      + merged: 0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch
++      + merged: 0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch
++      + merged security patches 0081-0105, and 0128-0240
++      + various cherry picks: cherry-* and cherrypick-*.patch
++      + grub-install-backup-and-restore.patch
++      + uefi-firmware-setup.patch
++      + sleep-shift.patch
++      + vsnprintf-upper-case-hex.patch
++      + rhboot-f34-update-info-with-grub.cfg-netboot-selection-order.patch
++      + suse-search-for-specific-config-files-for-netboot.patch
++      + tftp-rollover-block-counter.patch
++      + ubuntu-efi-console-set-text-mode-as-needed.patch
++    - Merged in Debian:
++      + install-efi-ubuntu-flavours.patch
++      + ubuntu-dejavu-font-path.patch
++      + ubuntu-tpm-unknown-error-non-fatal.patch
++    - Not applicable:
++      + 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch: The
++        check has been removed.
++  * Fix zstd build on s390x
++  * Cherry-pick two upstream fixes to fix closing of SNP protocol in EFI
++    networking stack
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 07 Dec 2021 11:34:30 +0100
++
  grub2 (2.06-2) unstable; urgency=medium
    * Update to minilzo-2.10, fixing build failures on armel, mips64el,
@@ -420,6 +520,705 @@ grub2 (2.04-2) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Sat, 03 Aug 2019 13:42:49 +0100
++grub2 (2.04-1ubuntu48) jammy; urgency=medium
++
++  * d/p/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch:
++    Fix "error: can't find command `hwmatch'." on non-i386/pc
++    platforms such as x86_64/efi. (LP: #1840560)
++
++ -- Mauricio Faria de Oliveira <mfo@canonical.com>  Thu, 04 Nov 2021 10:48:06 -0300
++
++grub2 (2.04-1ubuntu47) impish; urgency=medium
++
++  * Drop grub.cfg-400.patch (LP: #1933826)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 02 Sep 2021 14:37:43 +0200
++
++grub2 (2.04-1ubuntu46) impish; urgency=medium
++
++  * debian/grub-common.service: change type to oneshot, add wantedby
++    sleep.target, after sleep.target. The service will now start after
++    resume from hybernation. LP: #1929860
++  * grub-initrd-fallback.service: add wantedby sleep.target, after
++    sleep.target. The service will now start after resume from
++    hybernation. LP: #1929860
++  * cherrypick upstream fix to make armhf efi boot work. LP: #1788940
++  * debian/rules: disable LTO. LP: #1922005
++  * grub-initrd-fallback.service, debian/grub-common.service: only start
++    units when booted with grub. Use presence of /boot/grub/grub.cfg as
++    proxy. LP: #1925507
++  * tests: patch qemu command to use ide-hd instead of the removed
++    ide-drive.
++
++ -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Fri, 16 Jul 2021 14:01:31 +0100
++
++grub2 (2.04-1ubuntu45) hirsute; urgency=medium
++
++  * Unapply all patches.
++  * Stop using git-dpm.
++  * Start using gbp pq import|export --no-patch-numbers, this brings grub2
++    packaging closer to other non-debian distributions.
++  * It would be nice to separate patches into topic subdirs -
++    i.e. reverts, upstream cherry picks, debian, ubuntu, rhel, security,
++    etc.
++  * Drop redundant dh-systemd build-dependency.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 30 Mar 2021 11:55:05 +0100
++
++grub2 (2.04-1ubuntu44) hirsute; urgency=medium
++
++  * Compile grub-efi-amd64 installable i386 platform on hirsute, to make
++    it available in bionic and earlier as part of onegrub builds.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 03 Mar 2021 11:42:28 +0000
++
++grub2 (2.04-1ubuntu42) hirsute; urgency=medium
++
++  * SECURITY UPDATE: acpi command allows privilleged user to load crafted
++    ACPI tables when secure boot is enabled.
++    - 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
++      register the acpi command when secure boot is enabled.
++    - CVE-2020-14372
++  * SECURITY UPDATE: use-after-free in rmmod command
++    - 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
++      allow rmmod to unload modules that are dependencies of other modules.
++    - CVE-2020-25632
++  * SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
++    - 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
++    - CVE-2020-25647
++  * SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
++    - 0206-kern-parser-Introduce-process_char-helper.patch,
++      0207-kern-parser-Introduce-terminate_arg-helper.patch,
++      0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
++      0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
++      0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
++      sized heap buffer type and use this.
++    - CVE-2020-27749
++  * SECURITY UPDATE: cutmem command allows privileged user to remove memory
++    regions when Secure Boot is enabled.
++    - 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
++      Don't register cutmem and badram commands when secure boot is enabled.
++    - CVE-2020-27779
++  * SECURITY UPDATE: heap out-of-bounds write in short form option parser.
++    - 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
++      Block repeated short options that require an argument.
++    - CVE-2021-20225
++  * SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
++    required for quoting.
++    - 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
++      quoting in setparams_prefix()
++    - CVE-2021-20233
++  * Partially backport the lockdown framework to restrict certain features
++    when secure boot is enabled.
++  * Backport various fixes for Coverity defects.
++  * Add SBAT metadata to the grub EFI binary.
++    - Backport patches to support adding SBAT metadata with grub-mkimage:
++      + 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
++      + 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
++      + 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
++      + 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
++      + 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
++      + 0217-util-mkimage-Improve-data_size-value-calculation.patch
++      + 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
++      + 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
++    - Add debian/sbat.csv.in
++    - Update debian/build-efi-image and debian/rules
++
++  [ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
++  * Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
++    src:grub2-unsigned (potentially of a higher version number).
++  * Add debian/rules generate-grub2-unsigned target to quickly build
++    src:grub2-unsigned for binary-copy backports.
++  * postinst: allow postinst to with with or without grub-multi-install
++    binary.
++  * postinst: allow using various grub-install options to achieve
++    --no-extra-removable.
++  * postinst: only call grub-check-signatures if it exists.
++  * control: relax dependency on grub2-common, as maintainer script got
++    fixed up to work with grub2-common/grub-common as far back as trusty.
++  * control: allow higher version depdencies from grub-efi package.
++  * dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
++    postinst script uses that directory, and yet relies on grub-common to
++    create/ship it, which is not true in older releases. Also make sure
++    dh_installdirs runs after the .dirs files are generated.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 23 Feb 2021 16:23:39 +0000
++
++grub2 (2.04-1ubuntu41) hirsute; urgency=medium
++
++  * No-change rebuild to drop the udeb package.
++
++ -- Matthias Klose <doko@ubuntu.com>  Mon, 22 Feb 2021 10:33:38 +0100
++
++grub2 (2.04-1ubuntu40) hirsute; urgency=medium
++
++  * Revert: rhboot-f34-tcp-add-window-scaling-support.patch,
++    rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch: these break MAAS
++    LXD KVM pod deployments. LP: #1915288
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 12 Feb 2021 20:29:16 +0000
++
++grub2 (2.04-1ubuntu39) hirsute; urgency=medium
++
++  * Cherrypick a bunch of patches:
++    - fix crash in http LP: #1915288
++    - add bootp6 documentation
++    - add support for UEFI boot protocols
++    - use UEFI protocols for http & https networking
++    - make netboot search for by-mac/by-uuid/by-ip for grub.cfg
++    - update documentation for netboot search paths of grub.cfg
++  * Make prebuilt netboot image look for MAAS grub.cfg
++  * Fix grub-initrd-fallback.service thanks to JawnSmith LP: #1910815
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 12 Feb 2021 00:42:07 +0000
++
++grub2 (2.04-1ubuntu38) hirsute; urgency=medium
++
++  [ Jean-Baptiste Lallement ]
++  [ Didier Roche ]
++  * Fix warnings during grub menu generation.  Thanks wdoekes for the patch
++    (LP: #1898177)
++    - Fix warnings when bpool doesn't exist.
++    - Fix warnings when snapshot name contains dashes.
++  * Do not fail to generate grub menu when name of the snapshot contains
++    spaces. (LP: #1903524)
++
++ -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com>  Mon, 08 Feb 2021 10:50:21 +0100
++
++grub2 (2.04-1ubuntu37) hirsute; urgency=medium
++
++  * debian/patches/grub-install-backup-and-restore.patch: Fix-up the patch
++    to correctly initialyze the names of the modules to restore. LP:
++    #1907085
++  * 10_linux: emit messages when initrdless boot is configured, attempted
++    and fails triggering fallback. LP: #1901553
++  * grub-common.service: port init.d script to systemd unit. Add warning
++    message, when initrdless boot fails triggering fallback. LP: #1901553
++  * debian/rules: undo po/ directory patching in
++    override_dh_autoreconf_clean.
++  * minilzo: built using the distribution's minilzo
++  * ubuntu-fix-reproducible-squashfs-test.patch: fix squashfs-test with
++    new squashfs-tools in hirsute.
++  * rhboot-f34-make-exit-take-a-return-code.patch,
++    rhboot-f34-dont-use-int-for-efi-status.patch: allow grub to exit
++    non-zero under EFI, this should allow falling back to the next
++    BootOrder BootEntry.
++  * rhboot-f34-tcp-add-window-scaling-support.patch: speed up netboot
++    transfer speed.
++  * rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
++    ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch:
++    add support for link layer addresses of up to 32-bytes.
++  * rhboot-f34-make-pmtimer-tsc-calibration-fast.patch:
++    speed up calibration time, especially when booting VMs.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 12 Dec 2020 00:50:47 +0000
++
++grub2 (2.04-1ubuntu36) hirsute; urgency=medium
++
++  * Avoid "EFI stub: FIRMWARE BUG" message when booting >= 5.7 kernels
++    on arm64 by setting the image base address before jumping to the
++    PE/COFF entry point LP: #1900774
++  * Fix tftp timeouts when fetch large files. LP: #1900773
++
++ -- dann frazier <dannf@ubuntu.com>  Wed, 11 Nov 2020 07:17:49 -0700
++
++grub2 (2.04-1ubuntu35) groovy; urgency=medium
++
++  * postinst.in, grub-multi-install: fix logic of skipping installing onto
++    any device, if one chose to not install bootloader on any device. LP:
++    #1896608
++  * Do not finalize params twice on arm64. LP: #1897819
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 01 Oct 2020 22:59:51 +0800
++
++grub2 (2.04-1ubuntu34) groovy; urgency=medium
++
++  * configure.ac: one more dejavu font search path
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 14 Sep 2020 10:53:07 +0100
++
++grub2 (2.04-1ubuntu33) groovy; urgency=medium
++
++  * Build-depend on fonts-dejavu-core, not obsolete ttf-dejavu-core.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 13 Sep 2020 23:49:08 -0700
++
++grub2 (2.04-1ubuntu32) groovy; urgency=medium
++
++  * ubuntu-linuxefi-arm64.patch: Fix build on armhf
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 11 Sep 2020 20:33:34 +0200
++
++grub2 (2.04-1ubuntu31) groovy; urgency=medium
++
++  * ubuntu-linuxefi-arm64.patch: Restore arm64 parts of ubuntu-linuxefi.patch
++    that got lost in the 2.04 rebase (LP: #1862279)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 11 Sep 2020 17:49:50 +0200
++
++grub2 (2.04-1ubuntu30) groovy; urgency=medium
++
++  * postinst.in: do not attempt to call grub-install upon fresh install of
++    grub-pc because it it a job of installers to do that after fresh
++    install.
++  * grub-multi-install: fix non-interactive failures for grub-efi like it
++    was fixed in postinst for grub-pc.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 03 Sep 2020 14:54:23 +0100
++
++grub2 (2.04-1ubuntu29) groovy; urgency=medium
++
++  * grub-install: cherry-pick patch from grub-devel to make grub-install
++    fault tolerant. Create backup of files in /boot/grub, and restore them
++    on failure to complete grub-install. LP: #1891680
++  * postinst.in: do not exit successfully when failing to show critical
++    grub-pc/install_devices_failed and grub-pc/install_devices_empty
++    prompts in non-interactive mode. This enables surfacing upgrade errors
++    to the users and/or automation. LP: #1891680
++  * postinst.in: Fixup postinst.in, to attempt grub-install upon explicit
++    dpkg-reconfigure grub-pc. LP: #1892526
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 01 Sep 2020 20:04:44 +0100
++
++grub2 (2.04-1ubuntu28) groovy; urgency=medium
++
++  * Ensure that grub-multi-install can always find templates (LP: #1879948)
++  * Fix changelog entries for security update
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 10 Aug 2020 15:07:29 +0200
++
++grub2 (2.04-1ubuntu27) groovy; urgency=medium
++
++  * debian/patches/ubuntu-flavour-order.patch:
++    - Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel
++      flavours as preferred, and specify an order between those preferred
++      flavours (LP: #1882663)
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - Use version_find_latest for ordering kernels, so it also supports
++      the GRUB_FLAVOUR_ORDER setting.
++  * debian/patches/ubuntu-dont-verify-loopback-images.patch:
++    - disk/loopback: Don't verify loopback images (LP: #1878541),
++      Thanks to Chris Coulson for the patch
++  * debian/patches/ubuntu-recovery-dis_ucode_ldr.patch
++    - Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789)
++  * debian/patches/ubuntu-add-initrd-less-boot-fallback.patch:
++    - Merge changes from xnox to fix multiple initrds support (LP: #1878705)
++  * debian/patches/ubuntu-clear-invalid-initrd-spacing.patch:
++    - Remove, no longer needed thanks to xnox's patch
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 06 Aug 2020 14:47:52 +0200
++
++grub2 (2.04-1ubuntu26.2) focal; urgency=medium
++
++  * debian/postinst.in: Avoid calling grub-install on upgrade of the grub-pc
++    package, since we cannot be certain that it will install to the correct
++    disk and a grub-install failure will render the system unbootable.
++    LP: #1889556.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 30 Jul 2020 17:34:25 -0700
++
++grub2 (2.04-1ubuntu26.1) focal; urgency=medium
++
++  [ Julian Andres Klode ]
++  * Move gettext patches out of git-dpm's way, so it does not delete them
++
++  [ Chris Coulson ]
++  * SECURITY UPDATE: Heap buffer overflow when encountering commands that
++    cannot be tokenized to less than 8192 characters.
++    - 0082-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch: Make
++      fatal lexer errors actually be fatal
++    - CVE-2020-10713
++  * SECURITY UPDATE: Multiple integer overflow bugs that could result in
++    heap buffer allocations that were too small and subsequent heap buffer
++    overflows when handling certain filesystems, font files or PNG images.
++    - 0083-safemath-Add-some-arithmetic-primitives-that-check-f.patch: Add
++      arithmetic primitives that allow for overflows to be detected
++    - 0084-calloc-Make-sure-we-always-have-an-overflow-checking.patch:
++      Make sure that there is always an overflow checking implementation
++      of calloc() available
++    - 0085-calloc-Use-calloc-at-most-places.patch: Use calloc where
++      appropriate
++    - 0086-malloc-Use-overflow-checking-primitives-where-we-do-.patch: Use
++      overflow-safe arithmetic primitives when performing allocations
++      based on the results of operations that might overflow
++    - 0094-hfsplus-fix-two-more-overflows.patch: Fix integer overflows in
++      hfsplus
++    - 0095-lvm-fix-two-more-potential-data-dependent-alloc-over.patch: Fix
++      more potential integer overflows in lvm
++    - CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
++  * SECURITY UPDATE: Use-after-free when executing a command that causes
++    a currently executing function to be redefined.
++    - 0092-script-Remove-unused-fields-from-grub_script_functio.patch:
++      Remove unused fields from grub_script_function
++    - 0093-script-Avoid-a-use-after-free-when-redefining-a-func.patch:
++      Avoid a use-after-free when redefining a function during execution
++    - CVE-2020-15706
++  * SECURITY UPDATE: Integer overflows that could result in heap buffer
++    allocations that were too small and subsequent heap buffer overflows
++    during initrd loading.
++    - 0105-linux-Fix-integer-overflows-in-initrd-size-handling.patch: Fix
++      integer overflows in initrd size handling
++    - 0106-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch: Fix
++      integer overflows in linuxefi grub_cmd_initrd
++    - CVE-2020-15707
++  * Various fixes as a result of code review and static analysis:
++    - 0087-iso9660-Don-t-leak-memory-on-realloc-failures.patch: Fix a
++     memory leak on realloc failures when processing symbolic links
++    - 0088-font-Do-not-load-more-than-one-NAME-section.patch: Fix a
++      memory leak when processing font files with more than one NAME
++      section
++    - 0089-gfxmenu-Fix-double-free-in-load_image.patch: Zero self->bitmap
++      after it is freed in order to avoid a potential double free later on
++    - 0090-lzma-Make-sure-we-don-t-dereference-past-array.patch: Fix an
++      out-of-bounds read in LzmaEncode
++    - 0091-tftp-Do-not-use-priority-queue.patch: Refactor tftp to not use
++      priority queues and fix a double free
++    - 0096-efi-fix-some-malformed-device-path-arithmetic-errors.patch: Fix
++      various arithmetic errors with malformed device paths
++    - 0098-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch: Fix
++      a NULL deref in the chainloader command introduced by a previous
++      patch
++    - 0099-efi-Fix-use-after-free-in-halt-reboot-path.patch: Fix a
++      use-after-free in the halt and reboot commands by not freeing
++      allocated memory in these paths
++    - 0100-chainloader-Avoid-a-double-free-when-validation-fail.patch:
++      Avoid a double free in the chainloader command when validation fails
++    - 0101-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch:
++      Protect grub_relocator_alloc_chunk_addr input arguments against
++      integer overflow / underflow
++    - 0102-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch:
++      Protect grub_relocator_alloc_chunk_align max_addr argument against
++      integer underflow
++    - 0103-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch: Fix
++      grub_relocator_alloc_chunk_align top memory allocation
++    - 0104-linux-loader-avoid-overflow-on-initrd-size-calculati.patch:
++      Avoid overflow on initrd size calculation
++
++  [ Dimitri John Ledkov ]
++  * SECURITY UPDATE: Grub does not enforce kernel signature validation
++    when the shim protocol isn't present.
++    - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
++      Fail kernel validation if the shim protocol isn't available
++    - CVE-2020-15705
++
++ -- Chris Coulson <chris.coulson@canonical.com>  Mon, 20 Jul 2020 19:19:08 +0100
++
++grub2 (2.04-1ubuntu26) focal; urgency=medium
++
++  [ Julian Andres Klode ]
++  * Move /boot/efi -> debconf migration into wrapper, so it runs everywhere
++    (LP: #1872077)
++  * Display disk name and size in the ESP selection dialog, instead of ???
++
++  [ Sebastien Bacher ]
++  * debian/patches/gettext,
++    debian/patches/rules:
++    - backport upstream patches to fix the list of translated strings,
++      reported on the ubuntu-translators mailing list. The changes would
++      be overwritten by autoreconf so applying from a rules override.
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 15 Apr 2020 13:31:27 +0200
++
++grub2 (2.04-1ubuntu25) focal; urgency=medium
++
++  [ Jean-Baptiste Lallement ]
++  [ Didier Roche ]
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - fix trailing } when no advanced menu is printed
++    - ensure we unmount all temporary snapshots path before zfs collect them
++      out.
++  * debian/patches/ubuntu-speed-zsys-history.patch:
++    - Speed up navigating zsys history by reducing greatly grub.cfg file size.
++      It used to take eg 80 seconds when loading 100 system snapshots. This is
++      now instantaneous by using a function with parameters that the users can
++      still easily edit.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 13 Apr 2020 15:17:42 +0200
++
++grub2 (2.04-1ubuntu24) focal; urgency=medium
++
++  * Support installing to multiple ESPs (LP: #1871821)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Thu, 09 Apr 2020 12:51:07 +0200
++
++grub2 (2.04-1ubuntu23) focal; urgency=medium
++
++  [ Jean-Baptiste Lallement ]
++  [ Didier Roche ]
++  * Performance improvements for update-grub on ZFS systems (LP: #1869885)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Tue, 31 Mar 2020 15:30:36 +0200
++
++grub2 (2.04-1ubuntu22) focal; urgency=medium
++
++  * smbios: Add a --linux argument to apply linux modalias-like filtering
++  * Make the linux command in EFI grub always try EFI handover; thanks
++    to Chris Coulson for the patches (LP: #1864533)
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 11 Mar 2020 17:46:35 +0100
++
++grub2 (2.04-1ubuntu21) focal; urgency=medium
++
++  * Make ZFS menu generation depending on new zsysd binary instead of eoan
++    zsys compatibility symlink.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Wed, 26 Feb 2020 09:59:49 +0100
++
++grub2 (2.04-1ubuntu20) focal; urgency=medium
++
++  * build-efi-images: do not produce -installer.efi.signed. LP: #1863994
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 25 Feb 2020 01:11:31 +0000
++
++grub2 (2.04-1ubuntu19) focal; urgency=medium
++
++  * uefi-firmware: rename fwsetup menuentry to UEFI Firmware Settings
++    (LP: #1864547)
++  * build-efi-images: add smbios module to the prebuilt signed EFI images
++    (LP: #1856424)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 24 Feb 2020 20:34:13 +0000
++
++grub2 (2.04-1ubuntu18) focal; urgency=medium
++
++  * Cherry-pick fix from Colin W. in debian to build with python3.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Thu, 06 Feb 2020 18:37:44 +0100
++
++grub2 (2.04-1ubuntu17) focal; urgency=medium
++
++  * Fix ZFS menu generation with ZFS 0.8.x where mounted datasets can’t list
++    snapshots due to an upstream change.
++    https://github.com/zfsonlinux/zfs/issues/9958
++
++ -- Didier Roche <didrocks@ubuntu.com>  Thu, 06 Feb 2020 18:20:16 +0100
++
++grub2 (2.04-1ubuntu16) focal; urgency=medium
++
++  * Revert "Add smbios module to build-efi-images script" from previous
++    upload, pending review see https://bugs.launchpad.net/bugs/1856424
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sun, 15 Dec 2019 01:28:49 +0000
++
++grub2 (2.04-1ubuntu15) focal; urgency=medium
++
++  * ubuntu-efi-allow-loopmount-chainload.patch:
++    - Enable chainloading EFI apps from loopmounts
++  * cherrypick-lsefisystab-define-smbios3.patch:
++  * cherrypick-smbios-modules.patch:
++    - Cherrypick from 2.05 module for retrieving SMBIOS information
++  * cherrypick-lsefisystab-show-dtb.patch:
++    - If dtb is provided by the firmware / DtbLoader driver, display it in
++    human form, rather than just UUID
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 13 Dec 2019 11:24:21 +0000
++
++grub2 (2.04-1ubuntu14) focal; urgency=medium
++
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - Handle the case where grub-probe returns several devices for a single
++      pool (LP: #1848856). Thanks jpb for the report and the proposed patch.
++    - Add savedefault to non-recovery entries (LP: #1850202). Thanks Deltik
++      for the patch.
++    - Do not crash on invalid fstab and report the invalid entry.
++      (LP: #1849347) Thanks Deltik for the patch.
++    - When a pool fails to import, catch and display the error message and
++      continue with other pools. Import all the pools in readonly mode so we
++      can import other pools with unsupported features (LP: #1848399) Thanks
++      satmandu for the investigation and the proposed patch
++
++ -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com>  Mon, 18 Nov 2019 11:22:43 +0100
++
++grub2 (2.04-1ubuntu13) focal; urgency=medium
++
++  * debian/patches/ubuntu-tpm-unknown-error-non-fatal.patch: treat "unknown"
++    TPM errors as non-fatal, but still write up the details as debug messages
++    so we can further track what happens with the systems throwing those up.
++    (LP: #1848892)
++  * debian/patches/ubuntu-linuxefi.patch: Drop extra check for Secure Boot
++    status in linuxefi_secure_validate(); it's unnecessary and blocking boot
++    in chainload (like chainloading Windows) when SB is disabled.
++    (LP: #1845289)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 31 Oct 2019 17:58:47 -0400
++
++grub2 (2.04-1ubuntu12) eoan; urgency=medium
++
++  * Move our identifier to com.ubuntu
++    As we are not going to own org.zsys, move our identifier under
++    com.ubuntu.zsys (LP: #1847711)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Fri, 11 Oct 2019 15:57:47 +0200
++
++grub2 (2.04-1ubuntu11) eoan; urgency=medium
++
++  * Load all kernels (even those without .efi.signed) for secure boot mode
++    as those are signed kernels on ubuntu, loaded by the shim. (LP: #1847581)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Thu, 10 Oct 2019 11:40:44 +0200
++
++grub2 (2.04-1ubuntu10) eoan; urgency=medium
++
++  * debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch:
++    skip /dev/disk/by-id/lvm-pvm-uuid entries from device iteration.
++    (LP: #1838525)
++
++ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com>  Mon, 07 Oct 2019 23:23:54 -0300
++
++grub2 (2.04-1ubuntu9) eoan; urgency=medium
++
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    - Handle case of pure zfs only snapshots giving additional "}", and as
++      such, creating invalid grub menu.
++      Spotted by grubzfs-testsuite autopkgtests.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Wed, 02 Oct 2019 09:59:19 +0200
++
++grub2 (2.04-1ubuntu8) eoan; urgency=medium
++
++  * debian/patches/install-signed.patch -> ubuntu-install-signed.patch:
++    Really fix the installation of UEFI artefacts to the distributor path (we
++    only want shim, grub, and MokManager, and shim's boot.csv there), and to
++    the removable /EFI/BOOT path (where we want shim and fallback only).
++    Rename the patch to ubuntu- like others that are Ubuntu-specific or
++    otherwise modified to avoid such confusion at merge time in the future.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 01 Oct 2019 11:29:24 -0400
++
++grub2 (2.04-1ubuntu7) eoan; urgency=medium
++
++  * debian/patches/ubuntu-zfs-enhance-support.patch:
++    Disable history entry under some conditions:
++    - Don't show up if the system is a zsys one and zsys isn't installed
++      (LP: #1845333)
++    - Don't show for pure zfs systems: we identified multiple issues due
++      to the mount generator in upstream zfs which makes it incompatible.
++      Disable for now (LP: #1845913)
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 30 Sep 2019 09:35:03 +0200
++
++grub2 (2.04-1ubuntu6) eoan; urgency=medium
++
++  * debian/patches/install-signed.patch: fix paths for MokManager/fallback;
++    shim no longer ships these with a .signed suffix. (LP: #1845466)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 26 Sep 2019 09:48:07 -0400
++
++grub2 (2.04-1ubuntu5) eoan; urgency=medium
++
++  * d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: fix
++    mis-spelling of helper function in final computation of GRUB_DEVICE in
++    multipath case.
++
++ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 13 Aug 2019 08:56:16 +1200
++
++grub2 (2.04-1ubuntu4) eoan; urgency=medium
++
++  * d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: when / is
++    multipathed there will be multiple paths to the partition, so using
++    root=UUID= exposes the boot process to udev races.  In addition
++    grub-probe --target device / in this case reports /dev/dm-1 or similar --
++    better to use a symlink that depends on the multipath name. (LP: #1429327)
++
++ -- Michael Hudson-Doyle <michael.hudson@ubuntu.com>  Tue, 06 Aug 2019 12:37:18 +1200
++
++grub2 (2.04-1ubuntu3) eoan; urgency=medium
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/ubuntu-add-devicetree-command-support.patch: import patch
++    into git-dpm: drop [PATCH] tag and add Patch-Name.
++
++  [ Didier Roche ]
++  * debian/patches/ubuntu-zfs-enhance-support.patch
++    - Don't patch autoregenerated files.
++    - rewrite generate MenuMeta implementation in shell (LP: #1834095)
++      mawk doesn't support \s and other array features.
++      + Change \s by their space or tab equivalent.
++      + Rewrite the menumeta generation in pure shell, which is easier to
++        debug, keeping globally the same algorithm
++      + Support i18n in entry name generation.
++      Co-authored with Jean-Baptiste.
++    - Resplit all patches in debian/patches/*, so that we have upstreamable
++      and non upstreamable parts separate. Also, any change in 10_linux patch
++      will be reflected in 10_linux_zfs.
++    - Always import pools (using force), as we don't mount them. Ensure also
++      that we don't update the host cache, as we import all pools, and not
++      only those attached to that system.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 29 Jul 2019 08:08:48 +0200
++
++grub2 (2.04-1ubuntu2) eoan; urgency=medium
++
++  * Add device-tree command support as installed by flash-kernel.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 17 Jul 2019 23:47:27 +0100
++
++grub2 (2.04-1ubuntu1) eoan; urgency=medium
++
++  * Merge against Debian; remaining changes:
++    - debian/control: Update Vcs fields for code location on Ubuntu.
++    - debian/control: Breaks shim (<< 13).
++    - debian/patches/linuxefi.patch: Secure Boot support: use newer patchset
++      from rhboot repo, flattened to a single patch.
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Install a BOOT.CSV for fallback to use.
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++    - debian/patches/ubuntu-support-initrd-less-boot.patch: allow non-initrd
++      boot config.
++    - debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: If a kernel
++      fails to boot without initrd, we will fallback to trying to boot the
++      kernel with an initrd.
++    - debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch: make sure
++      grub-mkconfig leaves a trace of what files were sourced to help generate
++      the config we're building.
++    - debian/patches/ubuntu-efi-console-set-text-mode-as-needed.patch: in EFI
++      console, only set text-mode when we're actually going to need it.
++    - debian/patches/ubuntu-zfs-enhance-support.patch: Better ZFS grub support.
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot
++    - debian/patches/ubuntu-shorter-version-info.patch: Only show the upstream
++      version in menu and console, and hide the package one in a
++      package_version variable.
++    - Verify that the current and newer kernels are signed when grub is
++      updated, to make sure people do not accidentally shutdown without a
++      signed kernel.
++    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
++      confusing GRUB_TIMEOUT_STYLE=hidden.
++    - debian/rules: shuffle files around for now to keep build artefacts
++      for signing at the same location as they were expected by Launchpad.
++    - debian/rules, debian/control: enable dh-systemd.
++    - debian/grub-common.install.in: install the systemd unit that's part of
++      initrd fallback handling, missed when the feature landed.
++    - debian/build-efi-images: add http module to NET_MODULES.
++  * debian/patches/linuxefi*.patch: Flatten linuxefi patches into one.
++  * debian/patches: rename patches to use "-" as a separator rather than "_".
++  * debian/patches: rename Ubuntu-specific patches and commits to add "ubuntu"
++    so it's clearer which are new or changed when doing a merge.
++  * debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch: fix FTBFS due
++    to objcopy building an invalid binary padded with zeroes (LP: #1833234)
++  * debian/patches/ubuntu-clear-invalid-initrd-spacing.patch: clear up invalid
++    spacing for the initrd command when not using early initrds.
++  * debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: move the initrd
++    boot success/failure service to start later at boot time. (LP: #1823391)
++  * debian/patches/fix-lockdown.patch: Drop lockdown patch from Debian, which
++    breaks with new linuxefi patchset.
++  * debian/patches/ubuntu-temp-keep-auto-nvram.patch: Temporarily keep the
++    --auto-nvram option we previously had as a supported option in grub-install
++    (with no effect now), to avoid breaking upgrades. "auto-nvram" is default
++    behavior now that we use libefivar instead of calling efibootmgr.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 16 Jul 2019 11:31:29 -0400
++
  grub2 (2.04-1) unstable; urgency=medium
    * New upstream release.
@@ -553,6 +1352,112 @@ grub2 (2.02+dfsg1-13) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Thu, 14 Mar 2019 10:33:24 +0000
++grub2 (2.02+dfsg1-12ubuntu3) eoan; urgency=medium
++
++  * debian/patches/zfs_enhance_support.patch:
++    Enhance ZFS grub support:
++    - Support multiple zfs systems (grouped by machine-id)
++    - Group zfs snapshots and clones with latest dataset for a given
++      installation.
++    - Support "history" entry with one time boot, recovery mode and
++      consecutive reboots.
++    - Pin kernel to particular snapshot, trying to reboot with the exact
++      same kernel and initrd.
++    - Disable in 10_linux zfs support if 10_linux_zfs is installed so that
++      we don't end up with the same installation multiple times.
++  * debian/patches/*:
++    - Apply ubuntu/debian specific changes of 10_linux to 10_linux_zfs.
++
++  Work done with Jean-Baptiste.
++
++ -- Didier Roche <didrocks@ubuntu.com>  Mon, 17 Jun 2019 11:28:48 +0200
++
++grub2 (2.02+dfsg1-12ubuntu2) disco; urgency=medium
++
++  * debian/patches/efi-console-set-text-mode-as-needed.patch: in EFI console,
++    only set text-mode when we're actually going to need it.
++  * debian/build-efi-images: add http module to NET_MODULES. (LP: #1787630)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 11 Mar 2019 17:48:49 -0400
++
++grub2 (2.02+dfsg1-12ubuntu1) disco; urgency=medium
++
++  * Merge against Debian unstable; remaining changes (LP: #564853):
++    - debian/control: Update Vcs fields for code location on Ubuntu.
++    - debian/control: Breaks shim (<< 13).
++    - Secure Boot support: use newer patchset from rhboot repo:
++      - many linuxefi_* patches added and modified
++      - dropped debian/patches/linuxefi_require_shim.patch
++      - renamed: debian/patches/no_insmod_on_sb.patch ->
++        debian/patches/linuxefi_no_insmod_on_sb.patch
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Install a BOOT.CSV for fallback to use.
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++    - debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
++      --auto-nvram option to grub-install for auto-detecting NVRAM availability
++      before attempting NVRAM updates.
++    - debian/build-efi-images: provide a new grub EFI image which enforces that
++      loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++      the same as grub$arch.efi minus the 'linux' module. Without fallback to
++      'linux' for unsigned loading, this makes it effectively enforce having a
++      signed kernel.
++    - Verify that the current and newer kernels are signed when grub is
++      updated, to make sure people do not accidentally shutdown without a
++      signed kernel.
++    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
++      confusing GRUB_TIMEOUT_STYLE=hidden.
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config.
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot
++    - debian/patches/shorter_version_info.patch: Only show the upstream version
++      in menu and console, and hide the package one in a package_version
++      variable.
++    - debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
++      'text' payload if it's not supported but present in gfxpayload, such as
++      on EFI systems.
++    - debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
++      fizes as block sizes in bufio: this avoids potentially seeking back in
++      the files unnecessarily, which may require re-open files that cannot be
++      seeked into, such as via TFTP.
++    - debian/patches/ofnet-init-structs-in-bootpath-parser.patch: initialize
++      structs in bootpath parser.
++    - debian/rules: shuffle files around for now to keep build artefacts
++      for signing at the same location as they were expected by Launchpad.
++    - debian/rules, debian/control: enable dh-systemd.
++    - debian/grub-common.install.in: install the systemd unit that's part of
++      initrd fallback handling, missed when the feature landed.
++    - debian/patches/quick-boot-lvm.patch: If we don't have writable
++      grubenv and we're on EFI, always show the menu.
++    - debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
++      leaves a trace of what files were sourced to help generate the config
++      we're building.
++    - debian/patches/linuxefi_truncate_overlong_reloc_section.patch: Windows
++      7 bootloader has inconsistent headers; truncate to the smaller, correct
++      size to fix chainloading Windows 7.
++    - debian/patches/linuxefi_fix_relocate_coff.patch: fix typo in
++      relocate_coff() causing issues with relocation of code in chainload.
++    - debian/patches/add-initrd-less-boot-fallback.patch: add initrd-less
++      capabilities. If a kernel fails to boot without initrd, we will fallback
++      to trying to boot the kernel with an initrd. Patch by Chris Glass.
++    - debian/patches/grub-reboot-warn.patch: Warn when "for the next
++      boot only" promise cannot be kept.
++  * Refreshed patches and fixed up attribution to the right authors after
++    merge with Debian.
++  * debian/patches/linuxefi_missing_include.patch,
++    debian/patches/linuxefi_fixing_more_errors.patch: Apply some additional
++    small fixes to casts, format strings, includes and Makefile to make sure
++    the newer linuxefi patches apply and build properly.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 05 Mar 2019 17:05:09 -0500
++
  grub2 (2.02+dfsg1-12) unstable; urgency=medium
    [ Colin Watson ]
@@ -697,6 +1602,175 @@ grub2 (2.02+dfsg1-6) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Tue, 28 Aug 2018 16:17:21 +0100
++grub2 (2.02+dfsg1-5ubuntu11) disco; urgency=medium
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/grub-check-signatures: properly account for DB showing as empty on
++    some broken firmwares: Guard against mokutil --export --db failing, and do
++    a better job at finding the DER certs for conversion to PEM format.
++    (LP: #1814575)
++
++  [ Steve Langasek ]
++  * debian/patches/quick-boot-lvm.patch: checking the return value of
++    'lsefi' when the command doesn't exist does not do what's expected, so
++    instead check the value of $grub_platform which is simpler anyway.
++    LP: #1814403.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 04 Feb 2019 17:51:15 -0500
++
++grub2 (2.02+dfsg1-5ubuntu10) disco; urgency=medium
++
++  * debian/grub-check-signatures: check kernel signatures against keys known
++    in firmware, in case a kernel is signed but not using a key that will pass
++    validation, such as when using kernels coming from a PPA. (LP: #1789918)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 21 Jan 2019 09:34:36 -0500
++
++grub2 (2.02+dfsg1-5ubuntu9) disco; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/patches/quick-boot-lvm.patch: If we don't have writable
++    grubenv and we're on EFI, always show the menu.  Closes LP: #1800722.
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
++    leaves a trace of what files were sourced to help generate the config
++    we're building.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 07 Jan 2019 17:32:01 -0500
++
++grub2 (2.02+dfsg1-5ubuntu8) cosmic; urgency=medium
++
++  * debian/patches/grub-install-extra-removable.patch: install mmx64.efi to
++    the EFI removable path to avoid boot failures after install when certs
++    need to be enrolled and the system's firmware is confused. (LP: #1798171)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 17 Oct 2018 14:44:49 -0400
++
++grub2 (2.02+dfsg1-5ubuntu7) cosmic; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/grub-common.install.in: install the systemd unit that's part of
++    initrd fallback handling, missed when the feature landed.
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/rules: set DEFAULT_TIMEOUT to 0 if we've enabled FLICKER_FREE_BOOT,
++    to avoid unnecessary delay at boot time. (LP: #1784363)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 12 Oct 2018 11:10:10 -0400
++
++grub2 (2.02+dfsg1-5ubuntu6) cosmic; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/grub-check-signatures: Handle the case where we have unsigned
++    vmlinuz and signed vmlinuz.efi.signed. (LP: #1788727)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 03 Oct 2018 14:59:05 -0400
++
++grub2 (2.02+dfsg1-5ubuntu5) cosmic; urgency=medium
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/linuxefi_truncate_overlong_reloc_section.patch: The Windows
++    7 bootloader has inconsistent headers; truncate to the smaller, correct
++    size to fix chainloading Windows 7.
++
++  [ Steve Langasek ]
++  * debian/rules, debian/control: enable dh-systemd.
++  * debian/patches/add-initrd-less-boot-fallback.patch: add initrd-less
++    capabilities. If a kernel fails to boot without initrd, grub will fallback
++    to trying to boot the kernel with an initrd. Patch by Chris Glass.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 25 Sep 2018 16:05:13 -0400
++
++grub2 (2.02+dfsg1-5ubuntu4) cosmic; urgency=medium
++
++  * debian/patches/linuxefi_fix_relocate_coff.patch: fix typo in
++    relocate_coff() causing issues with relocation of code in chainload.
++    (LP: #1792575)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 17 Sep 2018 07:45:49 -0400
++
++grub2 (2.02+dfsg1-5ubuntu3) cosmic; urgency=medium
++
++  * debian/patches/grub-reboot-warn.patch: Warn when "for the next
++    boot only" promise cannot be kept. (LP: #788298)
++
++ -- dann frazier <dannf@ubuntu.com>  Thu, 13 Sep 2018 15:28:50 -0600
++
++grub2 (2.02+dfsg1-5ubuntu2) cosmic; urgency=medium
++
++  * debian/patches/add_ext_lfb_base_support.patch: i386/linux: Add support for
++    ext_lfb_base. (LP: #1785033)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 05 Sep 2018 14:29:04 -0400
++
++grub2 (2.02+dfsg1-5ubuntu1) cosmic; urgency=medium
++
++  [ Mathieu Trudel-Lapierre]
++  * Merge against Debian unstable; remaining changes:
++    - debian/control: Update Vcs fields for code location on Ubuntu.
++    - debian/control: Breaks shim (<< 13).
++    - Secure Boot support: use newer patchset from rhboot repo:
++      - many linuxefi_* patches added and modified
++      - dropped debian/patches/linuxefi_require_shim.patch
++      - renamed: debian/patches/no_insmod_on_sb.patch ->
++        debian/patches/linuxefi_no_insmod_on_sb.patch
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Move installing fb$arch.efi to --no-extra-removable; as we don't want
++        fallback to be installed unless we're also installing to /EFI/BOOT.
++        (LP: #1684341)
++      - Install a BOOT.CSV for fallback to use.
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++    - debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
++      --auto-nvram option to grub-install for auto-detecting NVRAM availability
++      before attempting NVRAM updates.
++    - debian/build-efi-images: provide a new grub EFI image which enforces that
++      loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++      the same as grub$arch.efi minus the 'linux' module. Without fallback to
++      'linux' for unsigned loading, this makes it effectively enforce having a
++      signed kernel. (LP: #1401532)
++    - Verify that the current and newer kernels are signed when grub is
++      updated, to make sure people do not accidentally shutdown without a
++      signed kernel.
++    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
++      confusing GRUB_TIMEOUT_STYLE=hidden. (LP: #1258597)
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config. (LP: #1640878)
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot (LP: #1447500)
++    - debian/patches/shorter_version_info.patch: Only show the upstream version
++      in menu and console, and hide the package one in a package_version
++      variable. (LP: #1723434)
++    - debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
++      'text' payload if it's not supported but present in gfxpayload, such as
++      on EFI systems. (LP: #1711452)
++    - debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
++      fizes as block sizes in bufio: this avoids potentially seeking back in
++      the files unnecessarily, which may require re-open files that cannot be
++      seeked into, such as via TFTP. (LP: #1743249)
++    * util/grub-install.c: Drop extra handling for x.efi.signed files for mok
++      and fallback binaries: shim now installs them without the .signed
++      extension. (LP: #1708245)
++    - debian/patches/dont-fail-efi-warnings.patch: handle linuxefi patches and
++      the casting they do on some architectures: we don't want to fail build
++      because of some of the warnings that can show up since we otherwise build
++      with -Werror.
++  * debian/rules: shuffle files around for now to keep putting build artefacts
++    for signing at the same location as they were expected by Launchpad.
++
++  [ Julian Andres Klode ]
++  * debian/patches/ofnet-init-structs-in-bootpath-parser.patch: initialize
++    structs in bootpath parser. Fixes netboot issues on ppc64el. (LP: #1785859)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 23 Aug 2018 15:00:14 -0400
++
  grub2 (2.02+dfsg1-5) unstable; urgency=medium
    [ Colin Watson ]
@@ -793,6 +1867,171 @@ grub2 (2.02-3) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Sat, 10 Feb 2018 03:00:30 +0000
++grub2 (2.02-2ubuntu13) cosmic; urgency=medium
++
++  * debian/patches/tests_update_for_new_qemu.patch: update qemu options to
++    remove deprecated options that fail tests.
++  * debian/patches: fix up busted patches due to git-dpm:
++    - debian/patches/add-an-auto-nvram-option-to-grub-install.patch
++    - debian/patches/grub-shell-test-helper-disable-seabios-sercon.patch
++  * debian/patches/r_x86_64_plt32-is-like-r_x86_64_pc32.patch: For the purpose
++    of grub-mkimage, the R_X86_64_PLT32 relocation is basically the same as
++    R_X86_64_PC32. Make R_X86_64_PLT32 supported.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 19 Jul 2018 09:46:53 -0400
++
++grub2 (2.02-2ubuntu12) cosmic; urgency=medium
++
++  * debian/default/grub: replace GRUB_HIDDEN_* variables with the more concise
++    and less confusing GRUB_TIMEOUT_STYLE=hidden. (LP: #1258597)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 16 Jul 2018 14:18:46 -0400
++
++grub2 (2.02-2ubuntu11) cosmic; urgency=medium
++
++  * Verify that the current and newer kernels are signed when grub is updated, to
++    make sure people do not accidentally shutdown without a signed kernel.
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 13 Jul 2018 15:21:48 +0200
++
++grub2 (2.02-2ubuntu10) cosmic; urgency=medium
++
++  * debian/patches/grub-shell-test-helper-disable-seabios-sercon.patch: In the
++    grub-shell test helper, disable seabios's serial console through fw_cfg
++    runtime configuration as its boot output interferes with testing.
++    (LP: #1775249)
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Wed, 06 Jun 2018 01:03:26 +0200
++
++grub2 (2.02-2ubuntu9) cosmic; urgency=medium
++
++  * debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
++    --auto-nvram option to grub-install for auto-detecting NVRAM availability
++    before attempting NVRAM updates.
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Tue, 05 Jun 2018 00:34:38 +0200
++
++grub2 (2.02-2ubuntu8) bionic; urgency=medium
++
++  * Drop debian/patches/mkconfig_keep_native_term_active.patch, which can
++    lead to flickering between graphical and text mode when traversing the
++    menu. (LP: #1752767)
++  * debian/patches/yylex-explicitly_cast_fprintf_to_void.patch: Fix FTBFS
++    with flex 2.6.4.
++
++ -- dann frazier <dannf@ubuntu.com>  Sun, 04 Mar 2018 06:11:35 -0700
++
++grub2 (2.02-2ubuntu7) bionic; urgency=medium
++
++  [ Julian Andres Klode ]
++  * debian/patches/shorter_version_info.patch: Only show the upstream version
++    in menu and console, and hide the package one in a package_version
++    variable. (LP: #1723434)
++
++  [ Mathieu Trudel-Lapierre ]
++  * debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
++    'text' payload if it's not supported but present in gfxpayload, such as
++    on EFI systems. (LP: #1711452)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 09 Feb 2018 16:30:45 -0500
++
++grub2 (2.02-2ubuntu6) bionic; urgency=medium
++
++  [ Steve Langasek ]
++  * debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
++    fizes as block sizes in bufio: this avoids potentially seeking back in
++    the files unnecessarily, which may require re-open files that cannot be
++    seeked into, such as via TFTP. (LP: #1743249)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 05 Feb 2018 11:58:09 -0500
++
++grub2 (2.02-2ubuntu5) bionic; urgency=medium
++
++  * debian/patches/mkconfig_keep_native_term_active.patch: Keep the
++    default EFI console active while enabling gfxterm. (LP: #1743884)
++
++ -- dann frazier <dannf@ubuntu.com>  Wed, 31 Jan 2018 10:51:11 -0700
++
++grub2 (2.02-2ubuntu4) bionic; urgency=medium
++
++  * debian/patches/vt_handoff.patch: modify the existing patch to set
++    vt.handoff=1 instead of vt.handoff=7 as we now start display managers on
++    vt1 anyway. This also fixes issues with netboot installed server systems
++    not displaying the login prompt on boot. (LP: #1675453)
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 18 Jan 2018 18:32:31 +0100
++
++grub2 (2.02-2ubuntu3) bionic; urgency=medium
++
++  * util/grub-install.c: Drop extra handling for x.efi.signed files for mok
++    and fallback binaries: shim now installs them without the .signed
++    extension. (LP: #1708245)
++  * debian/control: Breaks shim (<< 13).
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 17 Jan 2018 09:25:09 -0500
++
++grub2 (2.02-2ubuntu2) bionic; urgency=medium
++
++  * Cherry-pick upstream patch to change the default TSC calibration method
++    to pmtimer on EFI systems (LP: #1734278)
++  * debian/control: Update Vcs fields for code location on Ubuntu.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 05 Dec 2017 11:47:31 -0500
++
++grub2 (2.02-2ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config. (LP: #1640878)
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot (LP: #1447500)
++    - debian/build-efi-images: provide a new grub EFI image which enforces that
++      loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++      the same as grub$arch.efi minus the 'linux' module. Without fallback to
++      'linux' for unsigned loading, this makes it effectively enforce having a
++      signed kernel. (LP: #1401532)
++    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++      - Make sure if we install shim; it should also be exported as the default
++        bootloader to install later to a removable path, if we do.
++      - Rework grub-install-extra-removable.patch to reverse its logic: in the
++        default case, install the bootloader to /EFI/BOOT, unless we're trying
++        to install on a removable device, or explicitly telling grub *not* to
++        do it.
++      - Move installing fb$arch.efi to --no-extra-removable; as we don't want
++        fallback to be installed unless we're also installing to /EFI/BOOT.
++        (LP: #1684341)
++      - Make sure postinst and templates know about the replacement of
++        --force-extra-removable with --no-extra-removable.
++  * Sync Secure Boot support patches with the upstream patch set from
++    rhboot/grub2:master-sb. Renamed some patches and updated descriptions for
++    the whole thing to make more sense, too:
++    - dropped debian/patches/linuxefi_require_shim.patch
++    - renamed: debian/patches/no_insmod_on_sb.patch ->
++      debian/patches/linuxefi_no_insmod_on_sb.patch
++    - debian/patches/linuxefi.patch
++    - debian/patches/linuxefi_debug.patch
++    - debian/patches/linuxefi_non_sb_fallback.patch
++    - debian/patches/linuxefi_add_sb_to_efi_chainload.patch
++    - debian/patches/linuxefi_cleanup_errors_in_loader.patch
++    - debian/patches/linuxefi_fix_efi_validation_race.patch
++    - debian/patches/linuxefi_handle_multiarch_boot.patch
++    - debian/patches/linuxefi_honor_sb_mode.patch
++    - debian/patches/linuxefi_move_fdt_helper.patch
++    - debian/patches/linuxefi_load_arm_with_sb.patch
++    - debian/patches/linuxefi_minor_cleanups.patch
++    - debian/patches/linuxefi_re-enable_linux_cmd.patch
++    - debian/patches/linuxefi_rework_linux16_cmd.patch
++    - debian/patches/linuxefi_rework_linux_cmd.patch
++    - debian/patches/linuxefi_rework_non-sb_efi_chainload.patch
++    - debian/patches/linuxefi_rework_pe_loading.patch
++    - debian/patches/linuxefi_use_dev_chainloader_target.patch
++  * debian/patches/dont-fail-efi-warnings.patch: handle linuxefi patches and
++    the casting they do on some architectures: we don't want to fail build
++    because of some of the warnings that can show up since we otherwise build
++    with -Werror.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 06 Nov 2017 15:37:12 -0500
++
  grub2 (2.02-2) unstable; urgency=medium
    * Comment out debian/watch lines for betas and pre-releases for now.
@@ -829,6 +2068,92 @@ grub2 (2.02~beta3-5) unstable; urgency=medium
   -- Colin Watson <cjwatson@debian.org>  Sat, 11 Feb 2017 15:09:19 +0000
++grub2 (2.02~beta3-4ubuntu7) artful; urgency=medium
++
++  * debian/patches/headers_for_device_macros.patch,
++    debian/patches/fix_check_for_sys_macros.patch: make sure the right
++    device macro header is included and that the deprecation warning
++    is dealt with. LP: #1722955.
++
++ -- Tiago Stürmer Daitx <tiago.daitx@ubuntu.com>  Thu, 12 Oct 2017 09:41:17 -0400
++
++grub2 (2.02~beta3-4ubuntu6) artful; urgency=medium
++
++  * debian/patches/mount-ext4-fs-with-crypto-enabled.patch: Allow grub to
++    mount an EXT4 partition that has the 'encrypt' feature enabled
++    (closes: 840204)
++
++ -- Tyler Hicks <tyhicks@canonical.com>  Wed, 05 Jul 2017 22:23:03 +0000
++
++grub2 (2.02~beta3-4ubuntu5) artful; urgency=medium
++
++  * debian/patches/linuxefi.patch: fix double-free caused by an extra
++    grub_free() call in this patch (which the previous upload didn't change).
++  * debian/patches/linuxefi_rework_non-sb_cases.patch,
++    debian/patches/linuxefi_non_sb_fallback.patch: refreshed.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Mon, 29 May 2017 16:28:41 -0400
++
++grub2 (2.02~beta3-4ubuntu4) artful; urgency=medium
++
++  * debian/patches: Rework linuxefi/SecureBoot support and sync with upstream
++    SB patch set:
++    - linuxefi_arm_sb_support.patch: add Secure Boot support for arm for its
++      chainloader.
++    - linuxefi_fix_validation_race.patch: Fix a race in validating images.
++    - linuxefi_chainloader_path.patch: honor the starting path for grub, so
++      images do not need to be started from $root.
++    - linuxefi_chainloader_sb.patch: Fix some more issues in chainloader use
++      when Secure Boot is enabled.
++    - linuxefi_loaders_enforce_sb.patch: Enforce Secure Boot policy for all
++      loaders: don't load the commands when Secure Boot is enabled.
++    - linuxefi_re-enable_linux_cmd.patch: Since we rely on the linux and
++      initrd commands to automatically hand-off to linuxefi/initrdefi; re-
++      enable the linux loader.
++    - linuxefi_chainloader_pe_fixes.patch: PE parsing fixes for chainloading
++      "special" PE images, such as Windows'.
++    - linuxefi_rework_non-sb_cases.patch: rework cases where Secure Boot is
++      disabled or shim validation is disabled so loading works as EFI binaries
++      when it is supposed to.
++    - Removed linuxefi_require_shim.patch; superseded by the above.
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 11 May 2017 17:05:04 -0400
++
++grub2 (2.02~beta3-4ubuntu3) artful; urgency=medium
++
++  * debian/patches/install_signed.patch, grub-install-extra-removable.patch:
++    - Make sure if we install shim; it should also be exported as the default
++      bootloader to install later to a removable path, if we do.
++    - Rework grub-install-extra-removable.patch to reverse its logic: in the
++      default case, install the bootloader to /EFI/BOOT, unless we're trying
++      to install on a removable device, or explicitly telling grub *not* to
++      do it.
++    - Move installing fb$arch.efi to --no-extra-removable; as we don't want
++      fallback to be installed unless we're also installing to /EFI/BOOT.
++      (LP: #1684341)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 26 Apr 2017 21:08:22 -0400
++
++grub2 (2.02~beta3-4ubuntu2) zesty; urgency=medium
++
++  * debian/build-efi-images: provide a new grub EFI image which enforces that
++    loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
++    the same as grub$arch.efi minus the 'linux' module. Without fallback to
++    'linux' for unsigned loading, this makes it effectively enforce having a
++    signed kernel. (LP: #1401532)
++
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 30 Mar 2017 17:45:23 -0400
++
++grub2 (2.02~beta3-4ubuntu1) zesty; urgency=medium
++
++  * Merge with Debian; remaining changes:
++    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
++      non-initrd boot config. (LP: #1640878)
++    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
++      number of entries/clutter from other OSes in Petitboot (LP: #1447500)
++
++ -- dann frazier <dannf@ubuntu.com>  Thu, 09 Feb 2017 10:06:57 -0700
++
  grub2 (2.02~beta3-4) unstable; urgency=medium
    [ Colin Watson ]
 diff --git a/debian/control b/debian/control
 index 591394f..1819b2e 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: grub2
  Section: admin
  Priority: optional
--Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
  Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Colin Watson <cjwatson@debian.org>, Steve McIntyre <93sam@debian.org>
  Build-Depends: debhelper-compat (= 10),
   patchutils,
@@ -19,15 +20,16 @@ Build-Depends: debhelper-compat (= 10),
   libdevmapper-dev [linux-any],
   libgeom-dev (>= 8.2+ds1-1~) [kfreebsd-any] | libgeom-dev (<< 8.2) [kfreebsd-any],
   libsdl1.2-dev [!hurd-any],
-- xorriso,
-- qemu-system [i386 kfreebsd-i386 kopensolaris-i386 any-amd64],
++ xorriso [!i386],
++ qemu-system [kfreebsd-i386 kopensolaris-i386 any-amd64],
   cpio [i386 kopensolaris-i386 amd64 x32],
   parted [!hurd-any],
   libfuse-dev (>= 2.8.4-1.4) [linux-any kfreebsd-any],
   fonts-dejavu-core,
   liblzma-dev,
-- dosfstools [any-i386 any-amd64 any-arm64],
-- mtools [any-i386 any-amd64 any-arm64],
++ liblzo2-dev,
++ dosfstools [any-amd64 any-arm64],
++ mtools [any-amd64 any-arm64],
   wamerican,
   libparted-dev [any-powerpc any-ppc64 any-ppc64el],
   pkg-config,
@@ -37,8 +39,8 @@ Build-Depends: debhelper-compat (= 10),
  Build-Conflicts: autoconf2.13, libzfs-dev, libnvpair-dev
  Standards-Version: 3.9.6
  Homepage: https://www.gnu.org/software/grub/
--Vcs-Git: https://salsa.debian.org/grub-team/grub.git
--Vcs-Browser: https://salsa.debian.org/grub-team/grub
++Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu
++Vcs-Browser: https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu
  Rules-Requires-Root: no
  Package: grub2
@@ -63,7 +65,7 @@ Description: GRand Unified Bootloader, version 2 (dummy package)
  Package: grub-efi
  Architecture: any-i386 any-amd64 any-arm64 any-ia64 any-arm
  Pre-Depends: ${misc:Pre-Depends}
--Depends: ${misc:Depends}, grub-efi-ia32 (= ${binary:Version}) [any-i386], grub-efi-amd64 (= ${binary:Version}) [any-amd64], grub-efi-arm64 (= ${binary:Version}) [any-arm64], grub-efi-ia64 (= ${binary:Version}) [any-ia64], grub-efi-arm (= ${binary:Version}) [any-arm]
++Depends: ${misc:Depends}, grub-efi-ia32 (= ${binary:Version}) [any-i386], grub-efi-amd64 (>= ${binary:Version}) [any-amd64], grub-efi-arm64 (>= ${binary:Version}) [any-arm64], grub-efi-ia64 (= ${binary:Version}) [any-ia64], grub-efi-arm (= ${binary:Version}) [any-arm]
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (dummy package)
   This is a dummy package that depends on the grub-efi-$ARCH package most likely
@@ -71,6 +73,7 @@ Description: GRand Unified Bootloader, version 2 (dummy package)
  Package: grub-common
  Architecture: any
++Built-Using: ${Built-Using}
  Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}
  Replaces: grub-pc (<< 2.00-4), grub-ieee1275 (<< 2.00-4), grub-efi (<< 1.99-1), grub-coreboot (<< 2.00-4), grub-linuxbios (<< 1.96+20080831-1), grub-efi-ia32 (<< 2.00-4), grub-efi-amd64 (<< 2.00-4), grub-efi-ia64 (<< 2.00-4), grub-yeeloong (<< 2.00-4), init-select
  Recommends: os-prober (>= 1.33)
@@ -308,7 +311,7 @@ Description: GRand Unified Bootloader, version 2 (EFI-IA32 signing template)
  Package: grub-efi-amd64-bin
  Architecture: i386 kopensolaris-i386 any-amd64
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (>= 2.02~beta2-9)
  Recommends: grub-efi-amd64-signed [amd64], efibootmgr [linux-any]
  Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
  Multi-Arch: foreign
@@ -333,7 +336,7 @@ Description: GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
  Package: grub-efi-amd64-dbg
  Section: debug
  Architecture: i386 kopensolaris-i386 any-amd64
--Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${binary:Version}), grub-common (= ${binary:Version})
++Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${binary:Version})
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (EFI-AMD64 debug files)
   This package contains debugging files for grub-efi-amd64-bin.  You only
@@ -342,7 +345,7 @@ Description: GRand Unified Bootloader, version 2 (EFI-AMD64 debug files)
  Package: grub-efi-amd64
  Architecture: i386 kopensolaris-i386 any-amd64
  Pre-Depends: ${misc:Pre-Depends}
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-efi-amd64-bin (= ${binary:Version}), ucf
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (>= 2.02~beta2-9), grub-efi-amd64-bin (= ${binary:Version}), ucf
  Replaces: grub, grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-pc, grub-efi-ia32, grub-coreboot, grub-ieee1275
  Conflicts: grub, grub-legacy, grub-efi-ia32, grub-pc, grub-coreboot, grub-ieee1275, grub-xen, elilo
  Multi-Arch: foreign
@@ -469,7 +472,7 @@ Description: GRand Unified Bootloader, version 2 (ARM UEFI version)
  Package: grub-efi-arm64-bin
  Architecture: any-arm64
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (>= 2.02~beta2-9)
  Recommends: grub-efi-arm64-signed [arm64], efibootmgr [linux-any]
  Multi-Arch: foreign
  XB-Efi-Vendor: ${efi:Vendor}
@@ -492,7 +495,7 @@ Description: GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
  Package: grub-efi-arm64-dbg
  Section: debug
  Architecture: any-arm64
--Depends: ${misc:Depends}, grub-efi-arm64-bin (= ${binary:Version}), grub-common (= ${binary:Version})
++Depends: ${misc:Depends}, grub-efi-arm64-bin (= ${binary:Version})
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
   This package contains debugging files for grub-efi-arm64-bin.  You only
@@ -501,7 +504,7 @@ Description: GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
  Package: grub-efi-arm64
  Architecture: any-arm64
  Pre-Depends: ${misc:Pre-Depends}
--Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-efi-arm64-bin (= ${binary:Version}), ucf
++Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (>= 2.02~beta2-9), grub-efi-arm64-bin (= ${binary:Version}), ucf
  Multi-Arch: foreign
  Description: GRand Unified Bootloader, version 2 (ARM64 UEFI version)
   GRUB is a portable, powerful bootloader.  This version of GRUB is based on a
 diff --git a/debian/dirs.in b/debian/dirs.in
 index e53f2b0..479afbc 100644
 --- a/debian/dirs.in
 +++ b/debian/dirs.in
@@ -1,3 +1,4 @@
  usr/bin
  usr/sbin
  usr/share/grub
++var/lib/grub/ucf
 diff --git a/debian/grub-check-signatures b/debian/grub-check-signatures
 new file mode 100755
 index 0000000..3d41c3c
 --- /dev/null
 +++ b/debian/grub-check-signatures
@@ -0,0 +1,129 @@
++#!/bin/sh
++
++set -e
++
++. /usr/share/debconf/confmodule
++
++# Check if we are on an EFI system
++efivars=/sys/firmware/efi/efivars
++secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
++moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
++tmpdir=$(mktemp -d)
++
++on_secure_boot() {
++	# Validate any queued actions before we go try to do them.
++	local moksbstatert=0
++
++	if ! [ -d $efivars ]; then
++		return 1
++	fi
++
++	if ! [ -f $efivars/$secureboot_var ] \
++		|| [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
++	then
++		return 1
++	fi
++
++	if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
++		moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
++	elif [ -f $efivars/$moksbstatert_var ]; then
++		# MokSBStateRT set to 1 means validation is disabled
++		moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
++					   awk '{ print $NF; }')
++	fi
++
++	if [ $moksbstatert -eq 1 ]; then
++		return 1
++	fi
++
++	return 0
++}
++
++# Retrieve the keys we do trust from PK, DB, KEK, and MokList.
++extract_known_keys() {
++	# Make the Canonical CA cert available for validation too; in case
++	# MokListRT is empty due to a bug.
++	cp /usr/share/grub/canonical-uefi-ca.crt $tmpdir
++
++	# Extract known UEFI certs from firmware variables
++	( cd $tmpdir; \
++		mokutil --export --db >/dev/null 2>/dev/null; \
++		mokutil --export --mok >/dev/null 2>/dev/null; )
++	find $tmpdir -name "*.der" -exec openssl x509 -inform der -in {} -outform pem -out {}.crt  \;
++}
++
++# Check if a given kernel image is signed
++is_signed() {
++	tmp=$(mktemp)
++	sbattach --detach $tmp $1 >/dev/null 2>/dev/null 	# that's ugly...
++	test "$(wc -c < $tmp)" -ge 16	# Just _some_ minimum size
++	result=$?
++	if [ $result -eq 0 ]; then
++		sig_subject=$(openssl pkcs7 -inform der -in $tmp -print_certs | openssl x509 -noout -text | grep Subject: )
++	fi
++	rm $tmp
++	if [ $result -eq 0 ]; then
++		for crtfile in $tmpdir/*.crt; do
++			sbverify --cert $crtfile $1 >/dev/null 2>/dev/null
++			result=$?
++			if [ $result -eq 0 ]; then
++				return $result;
++			fi
++		done
++		echo "$1 is signed, but using an unknown key:" >&2
++		echo "$sig_subject" >&2
++	else
++		echo "$1 is unsigned." >&2
++	fi
++	return $result
++}
++
++# Check that our current kernel and every newer one is signed
++find_unsigned() {
++	uname_r="$(uname -r)"
++	for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do
++		# no kernels :(
++		if [ "$kernel" = "/boot/vmlinuz-*" ]; then
++			break
++		fi
++		this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')"
++		if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then
++			continue
++		fi
++		if [ -e "$kernel.efi.signed" ]; then
++			continue
++		fi
++		if ! is_signed $kernel; then
++			echo "$this_uname_r"
++		fi
++	done
++}
++
++# Only reached from show_warning
++error() {
++	echo "E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment." >&2
++	exit 1
++}
++
++# Either shows a debconf note or prints an error with error() above if
++# that fails
++show_warning() {
++	# kernels should be an indented list of one version per line
++	escaped="$(printf "%s" "$unsigned" | sed "s#^#     #" | debconf-escape -e )"
++	db_capb escape
++	db_settitle grub2/unsigned_kernels_title || error
++	db_fset grub2/unsigned_kernels seen 0 || error
++	db_subst grub2/unsigned_kernels unsigned_versions "$escaped" || error
++	db_input critical grub2/unsigned_kernels || error
++	db_go || error
++	error
++}
++
++if on_secure_boot; then
++	extract_known_keys
++	unsigned="$(find_unsigned)"
++	if [ -n "$unsigned" ]; then
++		show_warning "$unsigned"
++	fi
++	rm -rf "$tmpdir"
++fi
 diff --git a/debian/grub-common.dirs b/debian/grub-common.dirs
 index 3d70df4..832239c 100644
 --- a/debian/grub-common.dirs
 +++ b/debian/grub-common.dirs
@@ -1,2 +1,3 @@
  usr/sbin
  var/lib/grub/ucf
++var/lib/grub/esp
 diff --git a/debian/grub-common.install.in b/debian/grub-common.install.in
 index 420a61e..6c5c9f0 100644
 --- a/debian/grub-common.install.in
 +++ b/debian/grub-common.install.in
@@ -1,6 +1,9 @@
  ../../debian/apport/source_grub2.py	usr/share/apport/package-hooks/
  ../../debian/grub.d			etc
  ../../debian/init-select.cfg		etc/default/grub.d
++../../debian/grub-check-signatures usr/share/grub/
++../../debian/grub-multi-install usr/lib/grub/
++../../debian/canonical-uefi-ca.crt usr/share/grub/
  etc/grub.d
  usr/bin/grub-editenv
@@ -20,6 +23,7 @@ usr/bin/grub-mkstandalone
  usr/bin/grub-render-label
  usr/bin/grub-script-check
  usr/bin/grub-syslinux2cfg
++usr/lib/systemd/system/grub-initrd-fallback.service lib/systemd/system
  usr/sbin/grub-macbless
  usr/sbin/grub-mkconfig
  usr/sbin/grub-mkdevicemap
 diff --git a/debian/grub-common.service b/debian/grub-common.service
 new file mode 100644
 index 0000000..fcf5474
 --- /dev/null
 +++ b/debian/grub-common.service
@@ -0,0 +1,15 @@
++[Unit]
++Description=Record successful boot for GRUB
++After=sleep.target
++ConditionPathExists=/boot/grub/grub.cfg
++
++[Service]
++Type=oneshot
++Restart=no
++ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub'
++ExecStart=grub-editenv /boot/grub/grubenv unset recordfail
++ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi'
++StandardOutput=kmsg
++
++[Install]
++WantedBy=multi-user.target sleep.target
 diff --git a/debian/grub-common.templates b/debian/grub-common.templates
 new file mode 100644
 index 0000000..c75e5d3
 --- /dev/null
 +++ b/debian/grub-common.templates
@@ -0,0 +1,53 @@
++Template: grub-efi/install_devices
++Type: multiselect
++Choices-C: ${RAW_CHOICES}
++Choices: ${CHOICES}
++_Description: GRUB EFI system partitions:
++ The grub-efi package is being upgraded. This menu allows you to select which
++ EFI system partions you'd like grub-install to be automatically run for, if any.
++ .
++ Running grub-install automatically is recommended in most situations, to
++ prevent the installed GRUB core image from getting out of sync with GRUB
++ modules or grub.cfg.
++
++Template: grub-efi/install_devices_disks_changed
++Type: multiselect
++Choices-C: ${RAW_CHOICES}
++Choices: ${CHOICES}
++_Description: GRUB install devices:
++ The GRUB boot loader was previously installed to a disk that is no longer
++ present, or whose unique identifier has changed for some reason. It is
++ important to make sure that the installed GRUB core image stays in sync
++ with GRUB modules and grub.cfg. Please check again to make sure that GRUB
++ is written to the appropriate boot devices.
++
++Template: grub-efi/partition_description
++Type: text
++_Description: ${DEVICE} (${SIZE} MB; ${PATH}) on ${DISK_SIZE} MB ${DISK_MODEL}
++
++Template: grub-efi/install_devices_failed
++Type: boolean
++Default: false
++#flag:translate!:3
++_Description: Writing GRUB to boot device failed - continue?
++ GRUB failed to install to the following devices:
++ .
++ ${FAILED_DEVICES}
++ .
++ Do you want to continue anyway? If you do, your computer may not start up
++ properly.
++
++Template: grub-efi/install_devices_empty
++Type: boolean
++Default: false
++_Description: Continue without installing GRUB?
++ You chose not to install GRUB to any devices. If you continue, the boot
++ loader may not be properly configured, and when this computer next starts
++ up it will use whatever was previously configured. If there is an
++ earlier version of GRUB 2 in the EFI system partition, it may be unable to load
++ modules or handle the current configuration file.
++ .
++ If you are already using a different boot loader and want to carry on
++ doing so, or if this is a special environment where you do not need a boot
++ loader, then you should continue anyway. Otherwise, you should install
++ GRUB somewhere.
 diff --git a/debian/grub-efi-amd64-bin.maintscript.in b/debian/grub-efi-amd64-bin.maintscript.in
 new file mode 100644
 index 0000000..39184d1
 --- /dev/null
 +++ b/debian/grub-efi-amd64-bin.maintscript.in
@@ -0,0 +1 @@
++symlink_to_dir /usr/share/doc/@PACKAGE@ grub-common 2.04-1ubuntu42~
 diff --git a/debian/grub-efi-arm64-bin.maintscript.in b/debian/grub-efi-arm64-bin.maintscript.in
 new file mode 100644
 index 0000000..39184d1
 --- /dev/null
 +++ b/debian/grub-efi-arm64-bin.maintscript.in
@@ -0,0 +1 @@
++symlink_to_dir /usr/share/doc/@PACKAGE@ grub-common 2.04-1ubuntu42~
 diff --git a/debian/grub-multi-install b/debian/grub-multi-install
 new file mode 100755
 index 0000000..bedc700
 --- /dev/null
 +++ b/debian/grub-multi-install
@@ -0,0 +1,417 @@
++#!/bin/bash
++#
++# Install to multiple ESPs
++
++set -e
++
++# Most of this is copy-paste from grub postinst, sigh.
++
++. /usr/share/debconf/confmodule
++
++# shamelessly stolen from ucf:
++#
++# Load our templates, just in case our template has
++# not been loaded or the Debconf DB lost or corrupted
++# since then.
++db_x_loadtemplatefile "$(dpkg-query --control-path grub-common templates)" grub-common
++
++###############################################################################
++#                       COPY FROM POSTINST
++###############################################################################
++# This only works on a Linux system with udev running.  This is probably the
++# vast majority of systems where we need any of this, though, and we fall
++# back reasonably gracefully if we don't have it.
++cached_available_ids=
++available_ids()
++{
++  local id path
++
++  if [ "$cached_available_ids" ]; then
++    echo "$cached_available_ids"
++    return
++  fi
++
++  [ -d /dev/disk/by-id ] || return
++  cached_available_ids="$(
++    for path in /dev/disk/by-id/*; do
++      [ -e "$path" ] || continue
++      printf '%s %s\n' "$path" "$(readlink -f "$path")"
++    done | sort -k2 -s -u | cut -d' ' -f1
++  )"
++  echo "$cached_available_ids"
++}
++
++# Returns non-zero and no output if no mapping can be found.
++device_to_id()
++{
++  local id
++  for id in $(available_ids); do
++    if [ "$(readlink -f "$id")" = "$(readlink -f "$1")" ]; then
++      echo "$id"
++      return 0
++    fi
++  done
++  # Fall back to the plain device name if there's no by-id link for it.
++  if [ -e "$1" ]; then
++    echo "$1"
++    return 0
++  fi
++  return 1
++}
++
++# for Linux
++sysfs_size()
++{
++  local num_sectors sector_size size
++  # Try to find out the size without relying on a partitioning tool being
++  # installed. This isn't too hard on Linux 2.6 with sysfs, but we have to
++  # try a couple of variants on detection of the sector size.
++  if [ -e "$1/size" ]; then
++    num_sectors="$(cat "$1/size")"
++    sector_size=512
++    if [ -e "$1/queue/logical_block_size" ]; then
++      sector_size="$(cat "$1/queue/logical_block_size")"
++    elif [ -e "$1/queue/hw_sector_size" ]; then
++      sector_size="$(cat "$1/queue/hw_sector_size")"
++    fi
++    size="$(expr "$num_sectors" \* "$sector_size" / 1000 / 1000)"
++  fi
++  [ "$size" ] || size='???'
++  echo "$size"
++}
++
++# for kFreeBSD
++camcontrol_size()
++{
++  local num_sectors sector_size size=
++
++  if num_sectors="$(camcontrol readcap "$1" -q -s -N)"; then
++    sector_size="$(camcontrol readcap "$1" -q -b)"
++    size="$(expr "$num_sectors" \* "$sector_size" / 1000 / 1000)"
++  fi
++
++  [ "$size" ] || size='???'
++  echo "$size"
++}
++
++maybe_udevadm()
++{
++  if which udevadm >/dev/null 2>&1; then
++    udevadm "$@" || true
++  fi
++}
++
++# Parse /proc/mounts and find out the mount for the given device.
++# The device must be a real device in /dev, not a symlink to one.
++get_mounted_device()
++{
++  mountpoint="$1"
++  cat /proc/mounts | while read -r line; do
++    set -f
++    set -- $line
++    set +f
++    if [ "$2" = "$mountpoint" ]; then
++      echo "$1"
++      break
++    fi
++  done
++}
++
++###############################################################################
++#                            New or modified helpers
++###############################################################################
++
++# Fixed: Return nothing if the argument is empty
++get_mountpoint()
++{
++  local relpath boot_mountpoint
++
++  if [ -z "$1" ]; then
++    return
++  fi
++
++  relpath="$(grub-mkrelpath "$1")"
++  boot_mountpoint="${1#$relpath}"
++  echo "${boot_mountpoint:-/}"
++}
++
++
++# Returns value in $RET, like a debconf command.
++#
++# Merged version of describe_disk and describe_partition, as disks can't be
++# valid ESPs on their own, so we can't render them as an entry.
++describe_efi_system_partition()
++{
++  local disk part id path sysfs_path diskbase partbase size
++  local disk_basename disk_size model
++  disk="$1"
++  part="$2"
++  id="$3"
++  path="$4"
++
++  # BEGIN: Stolen from describe_disk
++  model=
++  case $(uname -s) in
++    Linux)
++      sysfs_path="$(maybe_udevadm info -n "$disk" -q path)"
++      if [ -z "$sysfs_path" ]; then
++        sysfs_path="/block/$(printf %s "${disk#/dev/}" | sed 's,/,!,g')"
++      fi
++      disk_size="$(sysfs_size "/sys$sysfs_path")"
++
++      model="$(maybe_udevadm info -n "$disk" -q property | sed -n 's/^ID_MODEL=//p')"
++      if [ -z "$model" ]; then
++        model="$(maybe_udevadm info -n "$disk" -q property | sed -n 's/^DM_NAME=//p')"
++        if [ -z "$model" ]; then
++          model="$(maybe_udevadm info -n "$disk" -q property | sed -n 's/^MD_NAME=//p')"
++          if [ -z "$model" ] && which dmsetup >/dev/null 2>&1; then
++            model="$(dmsetup info -c --noheadings -o name "$disk" 2>/dev/null || true)"
++          fi
++        fi
++      fi
++    ;;
++    GNU/kFreeBSD)
++      disk_basename=$(basename "$disk")
++      disk_size="$(camcontrol_size "$disk_basename")"
++      model="$(camcontrol inquiry "$disk_basename" | sed -ne "s/^pass0: <\([^>]*\)>.*/\1/p")"
++    ;;
++  esac
++
++  [ "$model" ] || model='???'
++
++  # END: Stolen from describe_disk
++
++  sysfs_path="$(maybe_udevadm info -n "$part" -q path)"
++  if [ -z "$sysfs_path" ]; then
++    diskbase="${disk#/dev/}"
++    diskbase="$(printf %s "$diskbase" | sed 's,/,!,g')"
++    partbase="${part#/dev/}"
++    partbase="$(printf %s "$partbase" | sed 's,/,!,g')"
++    sysfs_path="/block/$diskbase/$partbase"
++  fi
++  size="$(sysfs_size "/sys$sysfs_path")"
++
++  db_subst grub-efi/partition_description DEVICE "$part"
++  db_subst grub-efi/partition_description SIZE "$size"
++  db_subst grub-efi/partition_description PATH "$path"
++  db_subst grub-efi/partition_description DISK_MODEL "$model"
++  db_subst grub-efi/partition_description DISK_SIZE "$disk_size"
++  db_metaget grub-efi/partition_description description
++}
++
++
++# Parse /proc/mounts and find out the mount for the given device.
++# The device must be a real device in /dev, not a symlink to one.
++find_mount_point()
++{
++  real_device="$1"
++  cat /proc/mounts | while read -r line; do
++    set -f
++    set -- $line
++    set +f
++    if [ "$1" = "$real_device" -a "$3" = "vfat" ]; then
++      echo "$2"
++      break
++    fi
++  done
++}
++
++# Return all devices that are a valid ESP
++usable_efi_system_partitions()
++{
++  local last_partition path partition partition_id
++  local ID_PART_ENTRY_TYPE ID_PART_ENTRY_SCHEME
++
++  last_partition=
++  (
++  for partition in /dev/disk/by-id/*; do
++    eval "$(udevadm info -q property -n "$partition" | grep -E '^ID_PART_ENTRY_(TYPE|SCHEME)=')"
++    if [ -z "$ID_PART_ENTRY_TYPE" -o -z "$ID_PART_ENTRY_SCHEME" -o \
++    \( "$ID_PART_ENTRY_SCHEME" != gpt -a "$ID_PART_ENTRY_SCHEME" != dos \) -o \
++    \( "$ID_PART_ENTRY_SCHEME" = gpt -a "$ID_PART_ENTRY_TYPE" != c12a7328-f81f-11d2-ba4b-00a0c93ec93b \) -o \
++    \( "$ID_PART_ENTRY_SCHEME" = dos -a "$ID_PART_ENTRY_TYPE" != 0xef \) ]; then
++      continue
++    fi
++    # unify the partition id
++    partition_id="$(device_to_id "$partition" || true)"
++    real_device="$(readlink -f "$partition")"
++    path="$(find_mount_point $real_device)"
++    echo "$path:$partition_id"
++  done
++  ) | sort -t: -k2 -u
++}
++
++###############################################################################
++#                            MAGIC SCRIPT
++###############################################################################
++FALLBACK_MOUNTPOINT=/var/lib/grub/esp
++
++# Initial install/upgrade from /boot/efi?
++db_fget grub-efi/install_devices seen
++seen="$RET"
++
++# Get configured value
++question=grub-efi/install_devices
++priority=high
++db_get grub-efi/install_devices
++valid=1
++
++# We either migrate /boot/efi over, or we check if we have invalid devices
++if [ -z "$RET" ] && [ "$seen" != "true" ]; then
++  echo "Trying to migrate /boot/efi into esp config"
++  esp="$(get_mounted_device /boot/efi)"
++  if [ "$esp" ]; then
++    esp="$(device_to_id "$esp")"
++  fi
++  if [ "$esp" ]; then
++    db_set grub-efi/install_devices "$esp"
++    db_fset grub-efi/install_devices seen true
++    RET="$esp"
++  fi
++else
++  for device in $RET; do
++    if [ ! -e "${device%,}" ]; then
++      valid=0
++      break
++    fi
++  done
++fi
++
++# If /boot/efi points to a device that's not in the list, trigger the
++# install_devices_disks_changed prompt below, but add the device behind
++# /boot/efi to the defaults.
++boot_efi_device=$(get_mounted_device /boot/efi || true)
++if [ "$boot_efi_device" ]; then
++  for device in $RET; do
++    device="${device%,}"
++    real_device="$(readlink -f "$device" || true)"
++    if [ "$real_device" = "$boot_efi_device" ]; then
++      boot_efi_device=""
++      break
++    fi
++  done
++
++  if [ "$boot_efi_device" ]; then
++    boot_efi_device="$(device_to_id "$boot_efi_device" || true)"
++    if [ "$RET" ]; then
++      RET="$RET, $boot_efi_device"
++    else
++      RET="$boot_efi_device"
++    fi
++    valid=0
++  fi
++fi
++
++
++if [ "$valid" = 0 ]; then
++  question=grub-efi/install_devices_disks_changed
++  priority=critical
++  db_set "$question" "$RET"
++  db_fset "$question" seen false
++  db_fset grub-efi/install_devices_empty seen false
++fi
++
++while :; do
++  ids=
++  descriptions=
++  partitions="$(usable_efi_system_partitions)"
++
++  for partition_pair in $partitions; do
++    partition_id="${partition_pair#*:}"
++    device="${partition_id%%-part*}"
++    ids="${ids:+$ids, }$partition_id"
++    describe_efi_system_partition "$(readlink -f "$device")" "$(readlink -f "$partition_id")" "$partition_id" "$(get_mountpoint "${partition_pair%%:*}")"
++    RET="$(printf %s "$RET" | sed 's/,/\\,/g')"
++    descriptions="${descriptions:+$descriptions, }$RET"
++  done
++
++  db_subst "$question" RAW_CHOICES "$ids"
++  db_subst "$question" CHOICES "$descriptions"
++  db_input "$priority" "$question" || true
++  db_go
++  db_get "$question"
++
++
++  # Run the installer
++  failed_devices=
++  for i in `echo $RET | sed -e 's/, / /g'` ; do
++    real_device="$(readlink -f "$i")"
++    mntpoint=$(find_mount_point $real_device)
++    if [ -z "$mntpoint" ]; then
++      mntpoint=$FALLBACK_MOUNTPOINT
++      mount $real_device $mntpoint
++    fi
++    echo "Installing grub to $mntpoint." >&2
++    if _UBUNTU_ALTERNATIVE_ESPS="$RET" grub-install --efi-directory=$mntpoint "$@" ; then
++      # We just installed GRUB 2; then also generate grub.cfg.
++      touch /boot/grub/grub.cfg
++    else
++      failed_devices="$failed_devices $real_device"
++    fi
++
++    if [ "$mntpoint" = "$FALLBACK_MOUNTPOINT" ]; then
++      umount $mntpoint
++    fi
++  done
++
++  if [ "$question" != grub-efi/install_devices ] && [ "$RET" ]; then
++    # XXX cjwatson 2019-02-26: The description of
++    # grub-efi/install_devices_disks_changed ought to explain that
++    # selecting no devices will leave the configuration unchanged
++    # so that you'll be prompted again next time, but it's a bit
++    # close to the Debian 10 release to be introducing new
++    # translatable text.  For now, it should be sufficient to
++    # avoid losing configuration data.
++    db_set grub-efi/install_devices "$RET"
++    db_fset grub-efi/install_devices seen true
++  fi
++
++  if [ "$failed_devices" ]; then
++    db_subst grub-efi/install_devices_failed FAILED_DEVICES "$failed_devices"
++    db_fset grub-efi/install_devices_failed seen false
++    if db_input critical grub-efi/install_devices_failed; then
++      db_go
++      db_get grub-efi/install_devices_failed
++      if [ "$RET" = true ]; then
++        break
++      else
++        db_fset "$question" seen false
++        db_fset grub-efi/install_devices_failed seen false
++        continue
++      fi
++    else
++      exit 1 # noninteractive
++    fi
++  fi
++
++  db_get "$question"
++  if [ -z "$RET" ]; then
++    # Reset the seen flag if the current answer is false, since
++    # otherwise we'll loop with no indication of why.
++    db_get grub-efi/install_devices_empty
++    if [ "$RET" = false ]; then
++      db_fset grub-efi/install_devices_empty seen false
++    fi
++    if db_input critical grub-efi/install_devices_empty; then
++      db_go
++      db_get grub-efi/install_devices_empty
++      if [ "$RET" = true ]; then
++        break
++      else
++        db_fset "$question" seen false
++        db_fset grub-efi/install_devices_empty seen false
++      fi
++    else
++      # if question was seen we are done
++      # Otherwise, abort
++      db_fget grub-efi/install_devices_empty seen
++      if [ "$RET" = true ]; then
++        break
++      else
++        exit 1
++      fi
++    fi
++  else
++    break
++  fi
++done
 diff --git a/debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch b/debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
 new file mode 100644
 index 0000000..ffdb808
 --- /dev/null
 +++ b/debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
@@ -0,0 +1,117 @@
++From: Julian Andres Klode <julian.klode@canonical.com>
++Date: Thu, 2 Dec 2021 12:25:37 +0100
++Subject: ubuntu: Make the linux command in EFI grub always try EFI handover
++
++The previous implementation only boots via the EFI handover protocol when
++secure boot is enabled. This means that disabling secure boot breaks some
++features that depend on the kernel being booted via the EFI handover entry
++point, such as retrieval of the TCG event log.
++
++Update the linux command to always attempt to defer to linuxefi in EFI grub
++builds, regardless of whether secure boot is enabled or not. This also allows
++a fallback to the non-EFI handover path on kernels that don't support it, but
++only if secure boot is disabled.
++---
++ grub-core/loader/i386/efi/linux.c | 14 +++++++-----
++ grub-core/loader/i386/linux.c     | 47 ++++++++++++++++++++++-----------------
++ 2 files changed, 35 insertions(+), 26 deletions(-)
++
++diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
++index 6b6aef8..6ab9975 100644
++--- a/grub-core/loader/i386/efi/linux.c
+++++ b/grub-core/loader/i386/efi/linux.c
++@@ -27,6 +27,7 @@
++ #include <grub/lib/cmdline.h>
++ #include <grub/efi/efi.h>
++ #include <grub/efi/linux.h>
+++#include <grub/efi/sb.h>
++
++ GRUB_MOD_LICENSE ("GPLv3+");
++
++@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
++       goto fail;
++     }
++
++-  rc = grub_linuxefi_secure_validate (kernel, filelen);
++-  if (rc < 0)
+++  if (grub_efi_get_secureboot() == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++     {
++-      grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
++-		  argv[0]);
++-      goto fail;
+++      rc = grub_linuxefi_secure_validate (kernel, filelen);
+++      if (rc < 0)
+++	{
+++	  grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
+++		      argv[0]);
+++	  goto fail;
+++	}
++     }
++
++   params = grub_efi_allocate_pages_max (0x3fffffff,
++diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
++index 912ebb6..0bb47b0 100644
++--- a/grub-core/loader/i386/linux.c
+++++ b/grub-core/loader/i386/linux.c
++@@ -664,35 +664,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
++
++ #ifdef GRUB_MACHINE_EFI
++   using_linuxefi = 0;
++-  if (grub_efi_get_secureboot() == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++-    {
++-      /* linuxefi requires a successful signature check and then hand over
++-	 to the kernel without calling ExitBootServices. */
++-      grub_dl_t mod;
++-      grub_command_t linuxefi_cmd;
++
++-      grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
+++  grub_dl_t mod;
+++  grub_command_t linuxefi_cmd;
+++
+++  grub_dprintf ("linux", "Trying linuxefi\n");
++
++-      mod = grub_dl_load ("linuxefi");
++-      if (mod)
+++  mod = grub_dl_load ("linuxefi");
+++  if (mod)
+++    {
+++      grub_dl_ref (mod);
+++      linuxefi_cmd = grub_command_find ("linuxefi");
+++      initrdefi_cmd = grub_command_find ("initrdefi");
+++      if (linuxefi_cmd && initrdefi_cmd)
++ 	{
++-	  grub_dl_ref (mod);
++-	  linuxefi_cmd = grub_command_find ("linuxefi");
++-	  initrdefi_cmd = grub_command_find ("initrdefi");
++-	  if (linuxefi_cmd && initrdefi_cmd)
+++	  (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
+++	  if (grub_errno == GRUB_ERR_NONE)
+++	    {
+++	      grub_dprintf ("linux", "Handing off to linuxefi\n");
+++	      using_linuxefi = 1;
+++	      return GRUB_ERR_NONE;
+++	    }
+++	  else if (grub_efi_get_secureboot() == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ 	    {
++-	      (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
++-	      if (grub_errno == GRUB_ERR_NONE)
++-		{
++-		  grub_dprintf ("linux", "Handing off to linuxefi\n");
++-		  using_linuxefi = 1;
++-		  return GRUB_ERR_NONE;
++-		}
++-	      grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
+++	      grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
++ 	      goto fail;
++ 	    }
++ 	}
++     }
+++
+++  if (grub_efi_get_secureboot() == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+++    {
+++      grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
+++      goto fail;
+++    }
++ #endif
++
++   if (argc == 0)
 diff --git a/debian/patches/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch b/debian/patches/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
 new file mode 100644
 index 0000000..276706f
 --- /dev/null
 +++ b/debian/patches/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
@@ -0,0 +1,47 @@
++From: Mauricio Faria de Oliveira <mfo@canonical.com>
++Date: Fri, 20 Aug 2021 10:15:06 -0300
++Subject: Call hwmatch only on the grub-pc platform
++
++Call hwmatch only on i386/pc as it is only available there.
++This avoids "error: can't find command `hwmatch'." on e.g., x86_64/efi.
++
++The equivalent behavior is linux_gfx_mode=keep because grub is special:
++the `if hwmatch` clause is true on that error and `$match = 0` is true
++too, as it is undefined (confirmed in grub shell.) A quick fix for now.
++
++Before and After:
++
++    grub> hwmatch
++    error: can't find command `hwmatch'.
++
++    grub> echo $grub_platform
++    efi
++
++    grub> echo $linux_gfx_mode
++    keep
++
++Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
++
++Bug-Ubuntu: https://bugs.launchpad.net/bugs/1840560
++Bug-Debian: https://bugs.debian.org/990836
++Forwarded: no
++Last-Update: 2020-08-20
++---
++ util/grub.d/10_linux.in | 4 +++-
++ 1 file changed, 3 insertions(+), 1 deletion(-)
++
++diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
++index 8f2cf82..6668b21 100644
++--- a/util/grub.d/10_linux.in
+++++ b/util/grub.d/10_linux.in
++@@ -378,7 +378,9 @@ else
++   cat << EOF
++ if [ "\${recordfail}" != 1 ]; then
++   if [ -e \${prefix}/gfxblacklist.txt ]; then
++-    if hwmatch \${prefix}/gfxblacklist.txt 3; then
+++    if [ \${grub_platform} != pc ]; then
+++      set linux_gfx_mode=keep
+++    elif hwmatch \${prefix}/gfxblacklist.txt 3; then
++       if [ \${match} = 0 ]; then
++         set linux_gfx_mode=keep
++       else
 diff --git a/debian/patches/cherrypick-efi-grub_efi_close_protocol.patch b/debian/patches/cherrypick-efi-grub_efi_close_protocol.patch
 new file mode 100644
 index 0000000..898dcc5
 --- /dev/null
 +++ b/debian/patches/cherrypick-efi-grub_efi_close_protocol.patch
@@ -0,0 +1,79 @@
++From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
++Date: Mon, 29 Nov 2021 16:00:29 +0100
++Subject: efi: library function grub_efi_close_protocol()
++
++Create a library function for CloseProtocol() and use it for the SNP
++driver.
++
++Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
++
++Origin: upstream
++---
++ grub-core/kern/efi/efi.c           | 12 ++++++++++++
++ grub-core/net/drivers/efi/efinet.c |  8 ++------
++ include/grub/efi/efi.h             |  3 +++
++ 3 files changed, 17 insertions(+), 6 deletions(-)
++
++diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
++index a3cae1e..69c283d 100644
++--- a/grub-core/kern/efi/efi.c
+++++ b/grub-core/kern/efi/efi.c
++@@ -117,6 +117,18 @@ grub_efi_open_protocol (grub_efi_handle_t handle,
++   return interface;
++ }
++
+++grub_efi_status_t
+++grub_efi_close_protocol (grub_efi_handle_t handle, grub_efi_guid_t *protocol)
+++{
+++  grub_efi_boot_services_t *b = grub_efi_system_table->boot_services;
+++  grub_efi_status_t status;
+++
+++  status = efi_call_4 (b->close_protocol, handle, protocol,
+++		       grub_efi_image_handle, NULL);
+++
+++  return status;
+++}
+++
++ int
++ grub_efi_set_text_mode (int on)
++ {
++diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c
++index 9273bb7..a5d0539 100644
++--- a/grub-core/net/drivers/efi/efinet.c
+++++ b/grub-core/net/drivers/efi/efinet.c
++@@ -160,9 +160,7 @@ open_card (struct grub_net_card *dev)
++
++   if (dev->efi_net != NULL)
++     {
++-      efi_call_4 (grub_efi_system_table->boot_services->close_protocol,
++-		  dev->efi_handle, &net_io_guid,
++-		  grub_efi_image_handle, NULL);
+++      grub_efi_close_protocol (dev->efi_handle, &net_io_guid);
++       dev->efi_net = NULL;
++     }
++   /*
++@@ -224,9 +222,7 @@ close_card (struct grub_net_card *dev)
++ {
++   efi_call_1 (dev->efi_net->shutdown, dev->efi_net);
++   efi_call_1 (dev->efi_net->stop, dev->efi_net);
++-  efi_call_4 (grub_efi_system_table->boot_services->close_protocol,
++-	      dev->efi_handle, &net_io_guid,
++-	      grub_efi_image_handle, 0);
+++  grub_efi_close_protocol (dev->efi_handle, &net_io_guid);
++ }
++
++ static struct grub_net_card_driver efidriver =
++diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
++index 08f6ee0..58ac621 100644
++--- a/include/grub/efi/efi.h
+++++ b/include/grub/efi/efi.h
++@@ -35,6 +35,9 @@ EXPORT_FUNC(grub_efi_locate_handle) (grub_efi_locate_search_type_t search_type,
++ void *EXPORT_FUNC(grub_efi_open_protocol) (grub_efi_handle_t handle,
++ 					   grub_efi_guid_t *protocol,
++ 					   grub_efi_uint32_t attributes);
+++grub_efi_status_t
+++EXPORT_FUNC(grub_efi_close_protocol) (grub_efi_handle_t handle,
+++				      grub_efi_guid_t *protocol);
++ int EXPORT_FUNC(grub_efi_set_text_mode) (int on);
++ void EXPORT_FUNC(grub_efi_stall) (grub_efi_uintn_t microseconds);
++ void *
 diff --git a/debian/patches/cherrypick-efinet-correct-closing-snp-protocol.patch b/debian/patches/cherrypick-efinet-correct-closing-snp-protocol.patch
 new file mode 100644
 index 0000000..c5e8bdf
 --- /dev/null
 +++ b/debian/patches/cherrypick-efinet-correct-closing-snp-protocol.patch
@@ -0,0 +1,106 @@
++From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
++Date: Mon, 29 Nov 2021 16:00:28 +0100
++Subject: efinet: correct closing of SNP protocol
++
++In the context of the implementation of the EFI_LOAD_FILE2_PROTOCOL for
++the initial ramdisk it was observed that opening the SNP protocol failed.
++https://lists.gnu.org/archive/html/grub-devel/2021-10/msg00020.html
++This is due to an incorrect call to CloseProtocol().
++
++The first parameter of CloseProtocol() is the handle, not the interface.
++
++We call OpenProtocol() with ControllerHandle = NULL. Hence we must also
++call CloseProtcol with ControllerHandel = NULL.
++
++Each call of OpenProtocol() for the same network card handle is expected to
++return the same interface pointer. If we want to close the protocol which
++we opened non-exclusively when searching for a card, we have to do this
++before opening the protocol exclusively.
++
++As there is no guarantee that we successfully open the protocol add checks
++in the transmit and receive functions.
++
++Reported-by: Andreas Schwab <schwab@linux-m68k.org>
++Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
++
++Origin: upstream
++---
++ grub-core/net/drivers/efi/efinet.c | 31 ++++++++++++++++++++++---------
++ 1 file changed, 22 insertions(+), 9 deletions(-)
++
++diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c
++index f189209..9273bb7 100644
++--- a/grub-core/net/drivers/efi/efinet.c
+++++ b/grub-core/net/drivers/efi/efinet.c
++@@ -43,6 +43,9 @@ send_card_buffer (struct grub_net_card *dev,
++   grub_uint64_t limit_time = grub_get_time_ms () + 4000;
++   void *txbuf;
++
+++  if (net == NULL)
+++    return grub_error (GRUB_ERR_IO,
+++		       N_("network protocol not available, can't send packet"));
++   if (dev->txbusy)
++     while (1)
++       {
++@@ -105,6 +108,9 @@ get_card_packet (struct grub_net_card *dev)
++   struct grub_net_buff *nb;
++   int i;
++
+++  if (net == NULL)
+++    return NULL;
+++
++   for (i = 0; i < 2; i++)
++     {
++       if (!dev->rcvbuf)
++@@ -152,12 +158,20 @@ open_card (struct grub_net_card *dev)
++ {
++   grub_efi_simple_network_t *net;
++
++-  /* Try to reopen SNP exlusively to close any active MNP protocol instance
++-     that may compete for packet polling
+++  if (dev->efi_net != NULL)
+++    {
+++      efi_call_4 (grub_efi_system_table->boot_services->close_protocol,
+++		  dev->efi_handle, &net_io_guid,
+++		  grub_efi_image_handle, NULL);
+++      dev->efi_net = NULL;
+++    }
+++  /*
+++   * Try to reopen SNP exlusively to close any active MNP protocol instance
+++   * that may compete for packet polling
++    */
++   net = grub_efi_open_protocol (dev->efi_handle, &net_io_guid,
++ 				GRUB_EFI_OPEN_PROTOCOL_BY_EXCLUSIVE);
++-  if (net)
+++  if (net != NULL)
++     {
++       if (net->mode->state == GRUB_EFI_NETWORK_STOPPED
++ 	  && efi_call_1 (net->start, net) != GRUB_EFI_SUCCESS)
++@@ -196,13 +210,12 @@ open_card (struct grub_net_card *dev)
++ 	  efi_call_6 (net->receive_filters, net, filters, 0, 0, 0, NULL);
++ 	}
++
++-      efi_call_4 (grub_efi_system_table->boot_services->close_protocol,
++-		  dev->efi_net, &net_io_guid,
++-		  grub_efi_image_handle, dev->efi_handle);
++       dev->efi_net = net;
+++    } else {
+++      return grub_error (GRUB_ERR_NET_NO_CARD, "%s: can't open protocol",
+++			 dev->name);
++     }
++
++-  /* If it failed we just try to run as best as we can */
++   return GRUB_ERR_NONE;
++ }
++
++@@ -212,8 +225,8 @@ close_card (struct grub_net_card *dev)
++   efi_call_1 (dev->efi_net->shutdown, dev->efi_net);
++   efi_call_1 (dev->efi_net->stop, dev->efi_net);
++   efi_call_4 (grub_efi_system_table->boot_services->close_protocol,
++-	      dev->efi_net, &net_io_guid,
++-	      grub_efi_image_handle, dev->efi_handle);
+++	      dev->efi_handle, &net_io_guid,
+++	      grub_efi_image_handle, 0);
++ }
++
++ static struct grub_net_card_driver efidriver =
 diff --git a/debian/patches/efi-variable-storage-minimise-writes.patch b/debian/patches/efi-variable-storage-minimise-writes.patch
 index 9a39021..4d3d134 100644
 --- a/debian/patches/efi-variable-storage-minimise-writes.patch
 +++ b/debian/patches/efi-variable-storage-minimise-writes.patch
@@ -871,10 +871,10 @@ index 135ba48..134b862 100644
   grub_install_register_efi (grub_device_t efidir_grub_dev,
   			   const char *efifile_path,
  diff --git a/util/grub-install.c b/util/grub-install.c
--index 58f1453..05b6952 100644
++index 3f40163..d482fdc 100644
  --- a/util/grub-install.c
  +++ b/util/grub-install.c
--@@ -2086,7 +2086,7 @@ main (int argc, char *argv[])
++@@ -2111,7 +2111,7 @@ main (int argc, char *argv[])
   					       "\\System\\Library\\CoreServices",
   					       efi_distributor);
   	      if (ret)
@@ -883,7 +883,7 @@ index 58f1453..05b6952 100644
   				 strerror (ret));
+  	    }
--@@ -2203,7 +2203,7 @@ main (int argc, char *argv[])
++@@ -2231,7 +2231,7 @@ main (int argc, char *argv[])
   	  ret = grub_install_register_efi (efidir_grub_dev,
   					   efifile_path, efi_distributor);
   	  if (ret)
 diff --git a/debian/patches/fix-lockdown.patch b/debian/patches/fix-lockdown.patch
 deleted file mode 100644
 index 25cfca6..0000000
 --- a/debian/patches/fix-lockdown.patch
 +++ /dev/null
@@ -1,44 +0,0 @@
--From: Luca Boccassi <bluca@debian.org>
--Date: Tue, 15 May 2018 11:36:46 +0100
--Subject: Do not overwrite sentinel byte in boot_params, breaks lockdown
--
--grub currently copies the entire boot_params, which includes setting
--sentinel byte to 0xff, which triggers sanitize_boot_params in the kernel
--which in turn clears various boot_params variables, including the
--indication that the bootloader chain is verified and thus the kernel
--disables lockdown mode.  According to the information on the Fedora bug
--tracker, only the information from byte 0x1f1 is necessary, so start
--copying from there instead.
--
--Author: Luca Boccassi <bluca@debian.org>
--Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1418360
--Forwarded: no
--
--Patch-Name: fix-lockdown.patch
-----
-- grub-core/loader/i386/efi/linux.c | 5 ++++-
-- 1 file changed, 4 insertions(+), 1 deletion(-)
--
--diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
--index 45b68c0..532e4e5 100644
----- a/grub-core/loader/i386/efi/linux.c
--+++ b/grub-core/loader/i386/efi/linux.c
--@@ -29,6 +29,7 @@
-- #include <grub/linux.h>
-- #include <grub/efi/efi.h>
-- #include <grub/efi/sb.h>
--+#include <stddef.h>
--
-- GRUB_MOD_LICENSE ("GPLv3+");
--
--@@ -336,7 +337,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
--       lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
--     }
--
---  grub_memcpy (params, &lh, 2 * 512);
--+  /* do not overwrite below boot_params->hdr to avoid setting the sentinel byte */
--+  start = offsetof (struct linux_kernel_params, setup_sects);
--+  grub_memcpy ((grub_uint8_t *)params + start, (grub_uint8_t *)&lh + start, 2 * 512 - start);
--
--   params->type_of_loader = 0x21;
--
 diff --git a/debian/patches/gfxpayload-dynamic.patch b/debian/patches/gfxpayload-dynamic.patch
 index 4ebbdc8..0148257 100644
 --- a/debian/patches/gfxpayload-dynamic.patch
 +++ b/debian/patches/gfxpayload-dynamic.patch
@@ -43,7 +43,7 @@ index c42e4c7..947fd52 100644
   AC_SUBST([FONT_SOURCE])
  diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
--index e5b3d27..2ff2668 100644
++index 715d137..10f839b 100644
  --- a/grub-core/Makefile.core.def
  +++ b/grub-core/Makefile.core.def
@@ -964,6 +964,14 @@ module = {
 diff --git a/debian/patches/grub-install-pvxen-paths.patch b/debian/patches/grub-install-pvxen-paths.patch
 index 91b8da7..0171c6a 100644
 --- a/debian/patches/grub-install-pvxen-paths.patch
 +++ b/debian/patches/grub-install-pvxen-paths.patch
@@ -24,10 +24,10 @@ Patch-Name: grub-install-pvxen-paths.patch
 file changed, 22 insertions(+), 2 deletions(-)
  diff --git a/util/grub-install.c b/util/grub-install.c
--index d02bd48..2304cc5 100644
++index 4af831f..65277ea 100644
  --- a/util/grub-install.c
  +++ b/util/grub-install.c
--@@ -2085,6 +2085,28 @@ main (int argc, char *argv[])
++@@ -2088,6 +2088,28 @@ main (int argc, char *argv[])
+  	}
         break;
@@ -56,7 +56,7 @@ index d02bd48..2304cc5 100644
       case GRUB_INSTALL_PLATFORM_MIPSEL_LOONGSON:
       case GRUB_INSTALL_PLATFORM_MIPSEL_QEMU_MIPS:
       case GRUB_INSTALL_PLATFORM_MIPS_QEMU_MIPS:
--@@ -2094,8 +2116,6 @@ main (int argc, char *argv[])
++@@ -2097,8 +2119,6 @@ main (int argc, char *argv[])
       case GRUB_INSTALL_PLATFORM_MIPSEL_ARC:
       case GRUB_INSTALL_PLATFORM_ARM_UBOOT:
       case GRUB_INSTALL_PLATFORM_I386_QEMU:
 diff --git a/debian/patches/grub-install-removable-shim.patch b/debian/patches/grub-install-removable-shim.patch
 deleted file mode 100644
 index 337d32d..0000000
 --- a/debian/patches/grub-install-removable-shim.patch
 +++ /dev/null
@@ -1,194 +0,0 @@
--From: Steve McIntyre <93sam@debian.org>
--Date: Fri, 14 Jun 2019 16:37:11 +0100
--Subject: Deal with --force-extra-removable with signed shim too
--
--In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
--and signed Grub as /EFI/BOOT/grubXXX.efi.
--
--Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
--/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
--NVRAM).
--
--[cjwatson: Refactored also_install_removable somewhat for brevity and so
--that we're using consistent case-insensitive logic.]
--
--Bug-Debian: https://bugs.debian.org/930531
--Last-Update: 2021-09-24
--
--Patch-Name: grub-install-removable-shim.patch
-----
-- util/grub-install.c | 83 ++++++++++++++++++++++++++++++++++++++++++-----------
-- 1 file changed, 66 insertions(+), 17 deletions(-)
--
--diff --git a/util/grub-install.c b/util/grub-install.c
--index 05b6952..43fc27c 100644
----- a/util/grub-install.c
--+++ b/util/grub-install.c
--@@ -891,17 +891,13 @@ check_component_exists(const char *dir,
-- static void
-- also_install_removable(const char *src,
-- 		       const char *base_efidir,
---		       const char *efi_suffix_upper)
--+		       const char *efi_file,
--+		       int is_needed)
-- {
---  char *efi_file = NULL;
--   char *dst = NULL;
--   char *cur = NULL;
--   char *found = NULL;
--
---  if (!efi_suffix_upper)
---    grub_util_error ("%s", _("efi_suffix_upper not set"));
---  efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
---
--   /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
--    * need to cope with case-insensitive stuff here. Build the path one
--    * component at a time, checking for existing matches each time. */
--@@ -935,10 +931,9 @@ also_install_removable(const char *src,
--   cur = xstrdup (dst);
--   free (dst);
--   free (found);
---  grub_install_copy_file (src, cur, 1);
--+  grub_install_copy_file (src, cur, is_needed);
--
--   free (cur);
---  free (efi_file);
-- }
--
-- int
--@@ -2103,11 +2098,14 @@ main (int argc, char *argv[])
--     case GRUB_INSTALL_PLATFORM_IA64_EFI:
--       {
-- 	char *dst = grub_util_path_concat (2, efidir, efi_file);
--+	char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
--+
-- 	if (uefi_secure_boot)
-- 	  {
-- 	    char *shim_signed = NULL;
-- 	    char *mok_signed = NULL, *mok_file = NULL;
-- 	    char *fb_signed = NULL, *fb_file = NULL;
--+	    char *csv_file = NULL;
-- 	    char *config_dst;
-- 	    FILE *config_dst_f;
--
--@@ -2116,11 +2114,15 @@ main (int argc, char *argv[])
-- 	    mok_file = xasprintf ("mm%s.efi", efi_suffix);
-- 	    fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
-- 	    fb_file = xasprintf ("fb%s.efi", efi_suffix);
--+	    csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
--+
--+	    /* If we have a signed shim binary, install that and all
--+	       its helpers in the normal vendor path */
--
-- 	    if (grub_util_is_regular (shim_signed))
-- 	      {
-- 		char *chained_base, *chained_dst;
---		char *mok_src, *mok_dst, *fb_src, *fb_dst;
--+		char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
-- 		if (!removable)
-- 		  {
-- 		    free (efi_file);
--@@ -2132,8 +2134,6 @@ main (int argc, char *argv[])
-- 		chained_base = xasprintf ("grub%s.efi", efi_suffix);
-- 		chained_dst = grub_util_path_concat (2, efidir, chained_base);
-- 		grub_install_copy_file (efi_signed, chained_dst, 1);
---		free (chained_dst);
---		free (chained_base);
--
-- 		/* Not critical, so not an error if they are not present (as it
-- 		   won't be for older releases); but if we have them, make
--@@ -2144,8 +2144,6 @@ main (int argc, char *argv[])
-- 						    mok_file);
-- 		grub_install_copy_file (mok_src,
-- 					mok_dst, 0);
---		free (mok_src);
---		free (mok_dst);
--
-- 		fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
-- 						    fb_signed);
--@@ -2153,30 +2151,81 @@ main (int argc, char *argv[])
-- 						    fb_file);
-- 		grub_install_copy_file (fb_src,
-- 					fb_dst, 0);
--+
--+		csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
--+						    csv_file);
--+		csv_dst = grub_util_path_concat (2, efidir,
--+						    csv_file);
--+		grub_install_copy_file (csv_src,
--+					csv_dst, 0);
--+
--+		/* Install binaries into .../EFI/BOOT too:
--+		   the shim binary
--+		   the grub binary
--+		   the shim fallback binary (not fatal on failure) */
--+		if (force_extra_removable)
--+		  {
--+		    grub_util_info ("Secure boot: installing shim and image into rm path");
--+		    also_install_removable (shim_signed, base_efidir, removable_file, 1);
--+
--+		    also_install_removable (efi_signed, base_efidir, chained_base, 1);
--+
--+		    /* If we're updating the NVRAM, add fallback too - it
--+			will re-update the NVRAM later if things break */
--+		    if (update_nvram)
--+		      also_install_removable (fb_src, base_efidir, fb_file, 0);
--+		  }
--+
--+		free (chained_dst);
--+		free (chained_base);
--+		free (mok_src);
--+		free (mok_dst);
-- 		free (fb_src);
-- 		free (fb_dst);
--+		free (csv_src);
--+		free (csv_dst);
-- 	      }
-- 	    else
---	      grub_install_copy_file (efi_signed, dst, 1);
--+	      {
--+		/* Tried to install for secure boot, but no signed
--+		   shim found. Fall back to just installing the signed
--+		   grub binary */
--+		grub_util_info ("Secure boot (no shim): installing signed grub binary");
--+		grub_install_copy_file (efi_signed, dst, 1);
--+		if (force_extra_removable)
--+		  {
--+		    grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
--+		    also_install_removable (efi_signed, base_efidir, removable_file, 1);
--+		  }
--+	      }
--
--+	    /* In either case, install our grub.cfg */
-- 	    config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
-- 	    grub_install_copy_file (load_cfg, config_dst, 1);
-- 	    config_dst_f = grub_util_fopen (config_dst, "ab");
-- 	    fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
-- 	    fclose (config_dst_f);
-- 	    free (config_dst);
---	    if (force_extra_removable)
---	      also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
--+
--+	    free (csv_file);
--+	    free (fb_file);
--+	    free (fb_signed);
--+	    free (mok_file);
--+	    free (mok_signed);
--+	    free (shim_signed);
-- 	  }
-- 	else
-- 	  {
--+	    /* No secure boot - just install our newly-generated image */
--+	    grub_util_info ("No Secure Boot: installing core image");
-- 	    grub_install_copy_file (imgfile, dst, 1);
-- 	    if (force_extra_removable)
---	      also_install_removable(imgfile, base_efidir, efi_suffix_upper);
--+	      also_install_removable (imgfile, base_efidir, removable_file, 1);
-- 	  }
--
-- 	grub_set_install_backup_ponr ();
--
--+	free (removable_file);
-- 	free (dst);
--       }
--       if (!removable && update_nvram)
 diff --git a/debian/patches/install-efi-adjust-distributor.patch b/debian/patches/install-efi-adjust-distributor.patch
 index 7f1e9c8..4804919 100644
 --- a/debian/patches/install-efi-adjust-distributor.patch
 +++ b/debian/patches/install-efi-adjust-distributor.patch
@@ -17,7 +17,7 @@ Patch-Name: install-efi-adjust-distributor.patch
 file changed, 4 insertions(+)
  diff --git a/util/grub-install.c b/util/grub-install.c
--index f49c78d..48c8c03 100644
++index 5ddd028..3a06718 100644
  --- a/util/grub-install.c
  +++ b/util/grub-install.c
@@ -1123,6 +1123,10 @@ main (int argc, char *argv[])
 diff --git a/debian/patches/install-powerpc-machtypes.patch b/debian/patches/install-powerpc-machtypes.patch
 index 0a976d0..6681371 100644
 --- a/debian/patches/install-powerpc-machtypes.patch
 +++ b/debian/patches/install-powerpc-machtypes.patch
@@ -195,7 +195,7 @@ index 7df3191..135ba48 100644
   grub_install_register_efi (grub_device_t efidir_grub_dev,
   			   const char *efifile_path,
  diff --git a/util/grub-install.c b/util/grub-install.c
--index 48c8c03..d02bd48 100644
++index 3a06718..4af831f 100644
  --- a/util/grub-install.c
  +++ b/util/grub-install.c
@@ -1187,7 +1187,18 @@ main (int argc, char *argv[])
 diff --git a/debian/patches/linuxefi.patch b/debian/patches/linuxefi.patch
 deleted file mode 100644
 index 6c656e7..0000000
 --- a/debian/patches/linuxefi.patch
 +++ /dev/null
@@ -1,551 +0,0 @@
--From: Matthew Garrett <mjg@redhat.com>
--Date: Mon, 13 Jan 2014 12:13:15 +0000
--Subject: Add "linuxefi" loader which avoids ExitBootServices
--
--Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub2-linuxefi.patch
--Author: Colin Watson <cjwatson@ubuntu.com>
--Author: Steve Langasek <steve.langasek@canonical.com>
--Author: Linn Crosetto <linn@hpe.com>
--Forwarded: no
--Last-Update: 2021-09-24
--
--Patch-Name: linuxefi.patch
-----
-- grub-core/Makefile.core.def       |   7 +
-- grub-core/kern/efi/mm.c           |  32 ++++
-- grub-core/loader/i386/efi/linux.c | 383 ++++++++++++++++++++++++++++++++++++++
-- grub-core/loader/i386/linux.c     |  41 ++++
-- include/grub/efi/efi.h            |   3 +
-- 5 files changed, 466 insertions(+)
-- create mode 100644 grub-core/loader/i386/efi/linux.c
--
--diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
--index 8022e1c..e5b3d27 100644
----- a/grub-core/Makefile.core.def
--+++ b/grub-core/Makefile.core.def
--@@ -1874,6 +1874,13 @@ module = {
--   enable = x86_64_efi;
-- };
--
--+module = {
--+  name = linuxefi;
--+  efi = loader/i386/efi/linux.c;
--+  enable = i386_efi;
--+  enable = x86_64_efi;
--+};
--+
-- module = {
--   name = chain;
--   efi = loader/efi/chainloader.c;
--diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
--index 9838fb2..f6aef0e 100644
----- a/grub-core/kern/efi/mm.c
--+++ b/grub-core/kern/efi/mm.c
--@@ -113,6 +113,38 @@ grub_efi_drop_alloc (grub_efi_physical_address_t address,
--     }
-- }
--
--+/* Allocate pages below a specified address */
--+void *
--+grub_efi_allocate_pages_max (grub_efi_physical_address_t max,
--+			     grub_efi_uintn_t pages)
--+{
--+  grub_efi_status_t status;
--+  grub_efi_boot_services_t *b;
--+  grub_efi_physical_address_t address = max;
--+
--+  if (max > 0xffffffff)
--+    return 0;
--+
--+  b = grub_efi_system_table->boot_services;
--+  status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA, pages, &address);
--+
--+  if (status != GRUB_EFI_SUCCESS)
--+    return 0;
--+
--+  if (address == 0)
--+    {
--+      /* Uggh, the address 0 was allocated... This is too annoying,
--+	 so reallocate another one.  */
--+      address = max;
--+      status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA, pages, &address);
--+      grub_efi_free_pages (0, pages);
--+      if (status != GRUB_EFI_SUCCESS)
--+	return 0;
--+    }
--+
--+  return (void *) ((grub_addr_t) address);
--+}
--+
-- /* Allocate pages. Return the pointer to the first of allocated pages.  */
-- void *
-- grub_efi_allocate_pages_real (grub_efi_physical_address_t address,
--diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
--new file mode 100644
--index 0000000..45b68c0
----- /dev/null
--+++ b/grub-core/loader/i386/efi/linux.c
--@@ -0,0 +1,383 @@
--+/*
--+ *  GRUB  --  GRand Unified Bootloader
--+ *  Copyright (C) 2012  Free Software Foundation, Inc.
--+ *
--+ *  GRUB is free software: you can redistribute it and/or modify
--+ *  it under the terms of the GNU General Public License as published by
--+ *  the Free Software Foundation, either version 3 of the License, or
--+ *  (at your option) any later version.
--+ *
--+ *  GRUB is distributed in the hope that it will be useful,
--+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
--+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--+ *  GNU General Public License for more details.
--+ *
--+ *  You should have received a copy of the GNU General Public License
--+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
--+ */
--+
--+#include <grub/loader.h>
--+#include <grub/file.h>
--+#include <grub/err.h>
--+#include <grub/misc.h>
--+#include <grub/types.h>
--+#include <grub/mm.h>
--+#include <grub/cpu/linux.h>
--+#include <grub/command.h>
--+#include <grub/i18n.h>
--+#include <grub/lib/cmdline.h>
--+#include <grub/linux.h>
--+#include <grub/efi/efi.h>
--+#include <grub/efi/sb.h>
--+
--+GRUB_MOD_LICENSE ("GPLv3+");
--+
--+static grub_dl_t my_mod;
--+static int loaded;
--+static void *kernel_mem;
--+static grub_uint64_t kernel_size;
--+static grub_uint8_t *initrd_mem;
--+static grub_uint32_t handover_offset;
--+struct linux_kernel_params *params;
--+static char *linux_cmdline;
--+
--+#define BYTES_TO_PAGES(bytes)   (((bytes) + 0xfff) >> 12)
--+
--+#define SHIM_LOCK_GUID \
--+  { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }
--+
--+struct grub_efi_shim_lock
--+{
--+  grub_efi_status_t (*verify) (void *buffer, grub_uint32_t size);
--+};
--+typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
--+
--+static grub_efi_boolean_t
--+grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
--+{
--+  grub_efi_guid_t guid = SHIM_LOCK_GUID;
--+  grub_efi_shim_lock_t *shim_lock;
--+  grub_efi_status_t status;
--+
--+  if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
--+    {
--+      grub_dprintf ("linuxefi", "secure boot not enabled, not validating");
--+      return 1;
--+    }
--+
--+  grub_dprintf ("linuxefi", "Locating shim protocol\n");
--+  shim_lock = grub_efi_locate_protocol(&guid, NULL);
--+
--+  if (!shim_lock)
--+    {
--+      grub_dprintf ("linuxefi", "shim not available\n");
--+      return 0;
--+    }
--+
--+  grub_dprintf ("linuxefi", "Asking shim to verify kernel signature\n");
--+  status = shim_lock->verify(data, size);
--+  if (status == GRUB_EFI_SUCCESS)
--+    {
--+      grub_dprintf ("linuxefi", "Kernel signature verification passed\n");
--+      return 1;
--+    }
--+
--+  grub_dprintf ("linuxefi", "Kernel signature verification failed (0x%lx)\n",
--+		(unsigned long) status);
--+  return 0;
--+}
--+
--+typedef void(*handover_func)(void *, grub_efi_system_table_t *, struct linux_kernel_params *);
--+
--+static grub_err_t
--+grub_linuxefi_boot (void)
--+{
--+  handover_func hf;
--+  int offset = 0;
--+
--+#ifdef __x86_64__
--+  offset = 512;
--+#endif
--+
--+  hf = (handover_func)((char *)kernel_mem + handover_offset + offset);
--+
--+  asm volatile ("cli");
--+
--+  hf (grub_efi_image_handle, grub_efi_system_table, params);
--+
--+  /* Not reached */
--+  return GRUB_ERR_NONE;
--+}
--+
--+static grub_err_t
--+grub_linuxefi_unload (void)
--+{
--+  grub_dl_unref (my_mod);
--+  loaded = 0;
--+  if (initrd_mem)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)initrd_mem, BYTES_TO_PAGES(params->ramdisk_size));
--+  if (linux_cmdline)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)linux_cmdline, BYTES_TO_PAGES(params->cmdline_size + 1));
--+  if (kernel_mem)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)kernel_mem, BYTES_TO_PAGES(kernel_size));
--+  if (params)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)params, BYTES_TO_PAGES(16384));
--+  return GRUB_ERR_NONE;
--+}
--+
--+static grub_err_t
--+grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
--+                 int argc, char *argv[])
--+{
--+  grub_size_t size = 0;
--+  struct grub_linux_initrd_context initrd_ctx;
--+
--+  if (argc == 0)
--+    {
--+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
--+      goto fail;
--+    }
--+
--+  if (!loaded)
--+    {
--+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("you need to load the kernel first"));
--+      goto fail;
--+    }
--+
--+  if (grub_initrd_init (argc, argv, &initrd_ctx))
--+    goto fail;
--+
--+  size = grub_get_initrd_size (&initrd_ctx);
--+
--+  initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size));
--+
--+  if (!initrd_mem)
--+    {
--+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate initrd"));
--+      goto fail;
--+    }
--+
--+  grub_dprintf ("linuxefi", "initrd_mem = %lx\n", (unsigned long) initrd_mem);
--+
--+  params->ramdisk_size = size;
--+  params->ramdisk_image = (grub_uint32_t)(grub_addr_t) initrd_mem;
--+
--+  if (grub_initrd_load (&initrd_ctx, argv, initrd_mem))
--+    goto fail;
--+
--+  params->ramdisk_size = size;
--+
--+ fail:
--+  grub_initrd_close (&initrd_ctx);
--+
--+  if (initrd_mem && grub_errno)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)initrd_mem, BYTES_TO_PAGES(size));
--+
--+  return grub_errno;
--+}
--+
--+static grub_err_t
--+grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
--+		int argc, char *argv[])
--+{
--+  grub_file_t file = 0;
--+  struct linux_i386_kernel_header lh;
--+  grub_ssize_t len, start, filelen;
--+  void *kernel;
--+
--+  grub_dl_ref (my_mod);
--+
--+  if (argc == 0)
--+    {
--+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
--+      goto fail;
--+    }
--+
--+  file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
--+  if (! file)
--+    goto fail;
--+
--+  filelen = grub_file_size (file);
--+
--+  kernel = grub_malloc(filelen);
--+
--+  if (!kernel)
--+    {
--+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer"));
--+      goto fail;
--+    }
--+
--+  if (grub_file_read (file, kernel, filelen) != filelen)
--+    {
--+      grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"), argv[0]);
--+      goto fail;
--+    }
--+
--+  if (! grub_linuxefi_secure_validate (kernel, filelen))
--+    {
--+      grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"), argv[0]);
--+      grub_free (kernel);
--+      goto fail;
--+    }
--+
--+  grub_file_seek (file, 0);
--+
--+  grub_free(kernel);
--+
--+  params = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(16384));
--+
--+  if (! params)
--+    {
--+      grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters");
--+      goto fail;
--+    }
--+
--+  grub_dprintf ("linuxefi", "params = %lx\n", (unsigned long) params);
--+
--+  grub_memset (params, 0, 16384);
--+
--+  if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
--+    {
--+      if (!grub_errno)
--+	grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
--+		    argv[0]);
--+      goto fail;
--+    }
--+
--+  if (lh.boot_flag != grub_cpu_to_le16 (0xaa55))
--+    {
--+      grub_error (GRUB_ERR_BAD_OS, N_("invalid magic number"));
--+      goto fail;
--+    }
--+
--+  if (lh.setup_sects > GRUB_LINUX_MAX_SETUP_SECTS)
--+    {
--+      grub_error (GRUB_ERR_BAD_OS, N_("too many setup sectors"));
--+      goto fail;
--+    }
--+
--+  if (lh.version < grub_cpu_to_le16 (0x020b))
--+    {
--+      grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
--+      goto fail;
--+    }
--+
--+  if (!lh.handover_offset)
--+    {
--+      grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support EFI handover"));
--+      goto fail;
--+    }
--+
--+  linux_cmdline = grub_efi_allocate_pages_max(0x3fffffff,
--+					 BYTES_TO_PAGES(lh.cmdline_size + 1));
--+
--+  if (!linux_cmdline)
--+    {
--+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate cmdline"));
--+      goto fail;
--+    }
--+
--+  grub_dprintf ("linuxefi", "linux_cmdline = %lx\n",
--+		(unsigned long) linux_cmdline);
--+
--+  grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));
--+  {
--+    grub_err_t err;
--+    err = grub_create_loader_cmdline (argc, argv,
--+				      linux_cmdline
--+				      + sizeof (LINUX_IMAGE) - 1,
--+				      lh.cmdline_size
--+				      - (sizeof (LINUX_IMAGE) - 1),
--+				      GRUB_VERIFY_KERNEL_CMDLINE);
--+    if (err)
--+      goto fail;
--+  }
--+
--+  lh.cmd_line_ptr = (grub_uint32_t)(grub_addr_t)linux_cmdline;
--+
--+  handover_offset = lh.handover_offset;
--+
--+  start = (lh.setup_sects + 1) * 512;
--+  len = grub_file_size(file) - start;
--+
--+  kernel_mem = grub_efi_allocate_fixed(lh.pref_address,
--+				       BYTES_TO_PAGES(lh.init_size));
--+
--+  if (!kernel_mem)
--+    kernel_mem = grub_efi_allocate_pages_max(0x3fffffff,
--+					     BYTES_TO_PAGES(lh.init_size));
--+
--+  if (!kernel_mem)
--+    {
--+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate kernel"));
--+      goto fail;
--+    }
--+  grub_errno = GRUB_ERR_NONE;
--+
--+  grub_dprintf ("linuxefi", "kernel_mem = %lx\n", (unsigned long) kernel_mem);
--+
--+  if (grub_file_seek (file, start) == (grub_off_t) -1)
--+    {
--+      grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
--+		  argv[0]);
--+      goto fail;
--+    }
--+
--+  if (grub_file_read (file, kernel_mem, len) != len && !grub_errno)
--+    {
--+      grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
--+		  argv[0]);
--+    }
--+
--+  if (grub_errno == GRUB_ERR_NONE)
--+    {
--+      grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0);
--+      loaded = 1;
--+      lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
--+    }
--+
--+  grub_memcpy (params, &lh, 2 * 512);
--+
--+  params->type_of_loader = 0x21;
--+
--+ fail:
--+
--+  if (file)
--+    grub_file_close (file);
--+
--+  if (grub_errno != GRUB_ERR_NONE)
--+    {
--+      grub_dl_unref (my_mod);
--+      loaded = 0;
--+    }
--+
--+  if (linux_cmdline && !loaded)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)linux_cmdline, BYTES_TO_PAGES(lh.cmdline_size + 1));
--+
--+  if (kernel_mem && !loaded)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)kernel_mem, BYTES_TO_PAGES(kernel_size));
--+
--+  if (params && !loaded)
--+    grub_efi_free_pages((grub_efi_physical_address_t)(grub_addr_t)params, BYTES_TO_PAGES(16384));
--+
--+  return grub_errno;
--+}
--+
--+static grub_command_t cmd_linux, cmd_initrd;
--+
--+GRUB_MOD_INIT(linuxefi)
--+{
--+  cmd_linux =
--+    grub_register_command ("linuxefi", grub_cmd_linux,
--+                           0, N_("Load Linux."));
--+  cmd_initrd =
--+    grub_register_command ("initrdefi", grub_cmd_initrd,
--+                           0, N_("Load initrd."));
--+  my_mod = mod;
--+}
--+
--+GRUB_MOD_FINI(linuxefi)
--+{
--+  grub_unregister_command (cmd_linux);
--+  grub_unregister_command (cmd_initrd);
--+}
--diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
--index 9f74a96..be37a16 100644
----- a/grub-core/loader/i386/linux.c
--+++ b/grub-core/loader/i386/linux.c
--@@ -78,6 +78,8 @@ static grub_size_t maximal_cmdline_size;
-- static struct linux_kernel_params linux_params;
-- static char *linux_cmdline;
-- #ifdef GRUB_MACHINE_EFI
--+static int using_linuxefi;
--+static grub_command_t initrdefi_cmd;
-- static grub_efi_uintn_t efi_mmap_size;
-- #else
-- static const grub_size_t efi_mmap_size = 0;
--@@ -659,6 +661,39 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
--
--   grub_dl_ref (my_mod);
--
--+#ifdef GRUB_MACHINE_EFI
--+  using_linuxefi = 0;
--+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
--+    {
--+      /* linuxefi requires a successful signature check and then hand over
--+	 to the kernel without calling ExitBootServices. */
--+      grub_dl_t mod;
--+      grub_command_t linuxefi_cmd;
--+
--+      grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
--+
--+      mod = grub_dl_load ("linuxefi");
--+      if (mod)
--+	{
--+	  grub_dl_ref (mod);
--+	  linuxefi_cmd = grub_command_find ("linuxefi");
--+	  initrdefi_cmd = grub_command_find ("initrdefi");
--+	  if (linuxefi_cmd && initrdefi_cmd)
--+	    {
--+	      (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
--+	      if (grub_errno == GRUB_ERR_NONE)
--+		{
--+		  grub_dprintf ("linux", "Handing off to linuxefi\n");
--+		  using_linuxefi = 1;
--+		  return GRUB_ERR_NONE;
--+		}
--+	      grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
--+	      goto fail;
--+	    }
--+	}
--+    }
--+#endif
--+
--   if (argc == 0)
--     {
--       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
--@@ -1042,6 +1077,12 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
--   grub_err_t err;
--   struct grub_linux_initrd_context initrd_ctx = { 0, 0, 0 };
--
--+#ifdef GRUB_MACHINE_EFI
--+  /* If we're using linuxefi, just forward to initrdefi.  */
--+  if (using_linuxefi && initrdefi_cmd)
--+    return (initrdefi_cmd->func) (initrdefi_cmd, argc, argv);
--+#endif
--+
--   if (argc == 0)
--     {
--       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
--diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
--index 83d958f..08f6ee0 100644
----- a/include/grub/efi/efi.h
--+++ b/include/grub/efi/efi.h
--@@ -47,6 +47,9 @@ EXPORT_FUNC(grub_efi_allocate_fixed) (grub_efi_physical_address_t address,
-- 				      grub_efi_uintn_t pages);
-- void *
-- EXPORT_FUNC(grub_efi_allocate_any_pages) (grub_efi_uintn_t pages);
--+void *
--+EXPORT_FUNC(grub_efi_allocate_pages_max) (grub_efi_physical_address_t max,
--+					  grub_efi_uintn_t pages);
-- void EXPORT_FUNC(grub_efi_free_pages) (grub_efi_physical_address_t address,
-- 				       grub_efi_uintn_t pages);
-- grub_efi_uintn_t EXPORT_FUNC(grub_efi_find_mmap_size) (void);
 diff --git a/debian/patches/no-insmod-on-sb.patch b/debian/patches/no-insmod-on-sb.patch
 new file mode 100644
 index 0000000..4b1856d
 --- /dev/null
 +++ b/debian/patches/no-insmod-on-sb.patch
@@ -0,0 +1,45 @@
++From: Matthew Garrett <mjg@redhat.com>
++Date: Mon, 13 Jan 2014 12:13:09 +0000
++Subject: Don't permit loading modules on UEFI secure boot
++
++Author: Colin Watson <cjwatson@ubuntu.com>
++Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
++Forwarded: no
++Last-Update: 2013-12-25
++
++Patch-Name: no-insmod-on-sb.patch
++---
++ grub-core/kern/dl.c | 13 +++++++++++++
++ 1 file changed, 13 insertions(+)
++
++diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
++index 48f8a79..51a800a 100644
++--- a/grub-core/kern/dl.c
+++++ b/grub-core/kern/dl.c
++@@ -38,6 +38,10 @@
++ #define GRUB_MODULES_MACHINE_READONLY
++ #endif
++
+++#ifdef GRUB_MACHINE_EFI
+++#include <grub/efi/efi.h>
+++#endif
+++
++
++
++ #pragma GCC diagnostic ignored "-Wcast-align"
++@@ -695,6 +699,15 @@ grub_dl_load_file (const char *filename)
++   void *core = 0;
++   grub_dl_t mod = 0;
++
+++#ifdef GRUB_MACHINE_EFI
+++  if (grub_efi_get_secureboot() == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+++    {
+++      grub_error (GRUB_ERR_ACCESS_DENIED,
+++		  "Secure Boot forbids loading module from %s", filename);
+++      return 0;
+++    }
+++#endif
+++
++   grub_boot_time ("Loading module %s", filename);
++
++   file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
 diff --git a/debian/patches/pc-verifiers-module.patch b/debian/patches/pc-verifiers-module.patch
 index 22a8e7e..089e9e9 100644
 --- a/debian/patches/pc-verifiers-module.patch
 +++ b/debian/patches/pc-verifiers-module.patch
@@ -52,7 +52,7 @@ index ee88e44..b6872d2 100644
   KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
   KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
  diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
--index 2ff2668..da32698 100644
++index 10f839b..f953817 100644
  --- a/grub-core/Makefile.core.def
  +++ b/grub-core/Makefile.core.def
@@ -141,7 +141,7 @@ kernel = {
 diff --git a/debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch b/debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch
 new file mode 100644
 index 0000000..3baf3e6
 --- /dev/null
 +++ b/debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch
@@ -0,0 +1,23 @@
++From: Peter Jones <pjones@redhat.com>
++Date: Mon, 26 Jun 2017 12:44:59 -0400
++Subject: don't use int for efi status
++
++(cherry picked from commit eee6d2db7e3a392b8fe134fa75a7e28c9ae8cda5)
++Patch-Name: rhboot-f34-dont-use-int-for-efi-status.patch
++---
++ grub-core/kern/efi/efi.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
++index 05d8237..ae9885e 100644
++--- a/grub-core/kern/efi/efi.c
+++++ b/grub-core/kern/efi/efi.c
++@@ -167,7 +167,7 @@ grub_reboot (void)
++ void
++ grub_exit (int retval)
++ {
++-  int rc = GRUB_EFI_LOAD_ERROR;
+++  grub_efi_status_t rc = GRUB_EFI_LOAD_ERROR;
++
++   if (retval == 0)
++     rc = GRUB_EFI_SUCCESS;
 diff --git a/debian/patches/rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch b/debian/patches/rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
 new file mode 100644
 index 0000000..b96a03b
 --- /dev/null
 +++ b/debian/patches/rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
@@ -0,0 +1,26 @@
++From: Peter Jones <pjones@redhat.com>
++Date: Mon, 30 Jul 2018 14:06:42 -0400
++Subject: efinet: also use the firmware acceleration for http
++
++Signed-off-by: Peter Jones <pjones@redhat.com>
++
++Patch-Name: rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
++---
++ grub-core/net/efi/net.c | 4 +++-
++ 1 file changed, 3 insertions(+), 1 deletion(-)
++
++diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
++index 9b7a218..b2fe4db 100644
++--- a/grub-core/net/efi/net.c
+++++ b/grub-core/net/efi/net.c
++@@ -1336,7 +1336,9 @@ grub_efi_net_boot_from_https (void)
++ 	  && (subtype == GRUB_EFI_URI_DEVICE_PATH_SUBTYPE))
++ 	{
++ 	  grub_efi_uri_device_path_t *uri_dp = (grub_efi_uri_device_path_t *) dp;
++-	  return (grub_strncmp ((const char*)uri_dp->uri, "https://", sizeof ("https://") - 1) == 0) ? 1 : 0;
+++	  grub_dprintf ("efinet", "url:%s\n", (const char *)uri_dp->uri);
+++	  return (grub_strncmp ((const char *)uri_dp->uri, "https://", sizeof ("https://") - 1) == 0 ||
+++	          grub_strncmp ((const char *)uri_dp->uri, "http://", sizeof ("http://") - 1) == 0);
++ 	}
++
++       if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
 diff --git a/debian/patches/rhboot-f34-make-exit-take-a-return-code.patch b/debian/patches/rhboot-f34-make-exit-take-a-return-code.patch
 new file mode 100644
 index 0000000..32fa22d
 --- /dev/null
 +++ b/debian/patches/rhboot-f34-make-exit-take-a-return-code.patch
@@ -0,0 +1,268 @@
++From: Peter Jones <pjones@redhat.com>
++Date: Wed, 26 Feb 2014 21:49:12 -0500
++Subject: Make "exit" take a return code.
++
++This adds "exit" with a return code.  With this patch, any "exit"
++command /may/ include a return code, and on platforms that support
++returning with an exit status, we will do so.  By default we return the
++same exit status we did before this patch.
++
++Signed-off-by: Peter Jones <pjones@redhat.com>
++(cherry picked from commit ccce3d69ae3eacc7bdc70217304586bd7e74fe1e)
++Patch-Name: rhboot-f34-make-exit-take-a-return-code.patch
++---
++ grub-core/commands/minicmd.c         | 20 ++++++++++++++++----
++ grub-core/kern/efi/efi.c             |  9 +++++++--
++ grub-core/kern/emu/main.c            |  2 +-
++ grub-core/kern/emu/misc.c            |  5 +++--
++ grub-core/kern/i386/coreboot/init.c  |  2 +-
++ grub-core/kern/i386/qemu/init.c      |  2 +-
++ grub-core/kern/ieee1275/init.c       |  2 +-
++ grub-core/kern/mips/arc/init.c       |  2 +-
++ grub-core/kern/mips/loongson/init.c  |  2 +-
++ grub-core/kern/mips/qemu_mips/init.c |  2 +-
++ grub-core/kern/misc.c                | 11 ++++++++++-
++ grub-core/kern/uboot/init.c          |  6 +++---
++ grub-core/kern/xen/init.c            |  2 +-
++ include/grub/misc.h                  |  2 +-
++ 14 files changed, 48 insertions(+), 21 deletions(-)
++
++diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
++index fa49893..2bd3ac7 100644
++--- a/grub-core/commands/minicmd.c
+++++ b/grub-core/commands/minicmd.c
++@@ -182,12 +182,24 @@ grub_mini_cmd_lsmod (struct grub_command *cmd __attribute__ ((unused)),
++ }
++
++ /* exit */
++-static grub_err_t __attribute__ ((noreturn))
+++static grub_err_t
++ grub_mini_cmd_exit (struct grub_command *cmd __attribute__ ((unused)),
++-		    int argc __attribute__ ((unused)),
++-		    char *argv[] __attribute__ ((unused)))
+++		    int argc, char *argv[])
++ {
++-  grub_exit ();
+++  int retval = -1;
+++  unsigned long n;
+++
+++  if (argc < 0 || argc > 1)
+++    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+++
+++  if (argc == 1)
+++    {
+++      n = grub_strtoul (argv[0], 0, 10);
+++      if (n != ~0UL)
+++	retval = n;
+++    }
+++
+++  grub_exit (retval);
++   /* Not reached.  */
++ }
++
++diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
++index 8cff7be..05d8237 100644
++--- a/grub-core/kern/efi/efi.c
+++++ b/grub-core/kern/efi/efi.c
++@@ -165,11 +165,16 @@ grub_reboot (void)
++ }
++
++ void
++-grub_exit (void)
+++grub_exit (int retval)
++ {
+++  int rc = GRUB_EFI_LOAD_ERROR;
+++
+++  if (retval == 0)
+++    rc = GRUB_EFI_SUCCESS;
+++
++   grub_machine_fini (GRUB_LOADER_FLAG_NORETURN);
++   efi_call_4 (grub_efi_system_table->boot_services->exit,
++-              grub_efi_image_handle, GRUB_EFI_SUCCESS, 0, 0);
+++              grub_efi_image_handle, rc, 0, 0);
++   for (;;) ;
++ }
++
++diff --git a/grub-core/kern/emu/main.c b/grub-core/kern/emu/main.c
++index 425bb96..55ea5a1 100644
++--- a/grub-core/kern/emu/main.c
+++++ b/grub-core/kern/emu/main.c
++@@ -67,7 +67,7 @@ grub_reboot (void)
++ }
++
++ void
++-grub_exit (void)
+++grub_exit (int retval __attribute__((unused)))
++ {
++   grub_reboot ();
++ }
++diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
++index dfd8a8e..0ff13bc 100644
++--- a/grub-core/kern/emu/misc.c
+++++ b/grub-core/kern/emu/misc.c
++@@ -151,9 +151,10 @@ xasprintf (const char *fmt, ...)
++
++ #if !defined (GRUB_MACHINE_EMU) || defined (GRUB_UTIL)
++ void
++-grub_exit (void)
+++__attribute__ ((noreturn))
+++grub_exit (int rc)
++ {
++-  exit (1);
+++  exit (rc < 0 ? 1 : rc);
++ }
++ #endif
++
++diff --git a/grub-core/kern/i386/coreboot/init.c b/grub-core/kern/i386/coreboot/init.c
++index 3314f02..36f9134 100644
++--- a/grub-core/kern/i386/coreboot/init.c
+++++ b/grub-core/kern/i386/coreboot/init.c
++@@ -41,7 +41,7 @@ extern grub_uint8_t _end[];
++ extern grub_uint8_t _edata[];
++
++ void  __attribute__ ((noreturn))
++-grub_exit (void)
+++grub_exit (int rc __attribute__((unused)))
++ {
++   /* We can't use grub_fatal() in this function.  This would create an infinite
++      loop, since grub_fatal() calls grub_abort() which in turn calls grub_exit().  */
++diff --git a/grub-core/kern/i386/qemu/init.c b/grub-core/kern/i386/qemu/init.c
++index 271b6fb..9fafe98 100644
++--- a/grub-core/kern/i386/qemu/init.c
+++++ b/grub-core/kern/i386/qemu/init.c
++@@ -42,7 +42,7 @@ extern grub_uint8_t _end[];
++ extern grub_uint8_t _edata[];
++
++ void  __attribute__ ((noreturn))
++-grub_exit (void)
+++grub_exit (int rc __attribute__((unused)))
++ {
++   /* We can't use grub_fatal() in this function.  This would create an infinite
++      loop, since grub_fatal() calls grub_abort() which in turn calls grub_exit().  */
++diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
++index 8b089b4..085a6a3 100644
++--- a/grub-core/kern/ieee1275/init.c
+++++ b/grub-core/kern/ieee1275/init.c
++@@ -71,7 +71,7 @@ grub_addr_t grub_ieee1275_original_stack;
++ #endif
++
++ void
++-grub_exit (void)
+++grub_exit (int rc __attribute__((unused)))
++ {
++   grub_ieee1275_exit ();
++ }
++diff --git a/grub-core/kern/mips/arc/init.c b/grub-core/kern/mips/arc/init.c
++index 2ed3ff3..5c40c34 100644
++--- a/grub-core/kern/mips/arc/init.c
+++++ b/grub-core/kern/mips/arc/init.c
++@@ -276,7 +276,7 @@ grub_halt (void)
++ }
++
++ void
++-grub_exit (void)
+++grub_exit (int rc __attribute__((unused)))
++ {
++   GRUB_ARC_FIRMWARE_VECTOR->exit ();
++
++diff --git a/grub-core/kern/mips/loongson/init.c b/grub-core/kern/mips/loongson/init.c
++index 7b96531..dff598c 100644
++--- a/grub-core/kern/mips/loongson/init.c
+++++ b/grub-core/kern/mips/loongson/init.c
++@@ -304,7 +304,7 @@ grub_halt (void)
++ }
++
++ void
++-grub_exit (void)
+++grub_exit (int rc __attribute__((unused)))
++ {
++   grub_halt ();
++ }
++diff --git a/grub-core/kern/mips/qemu_mips/init.c b/grub-core/kern/mips/qemu_mips/init.c
++index be88b77..8b6c55f 100644
++--- a/grub-core/kern/mips/qemu_mips/init.c
+++++ b/grub-core/kern/mips/qemu_mips/init.c
++@@ -75,7 +75,7 @@ grub_machine_fini (int flags __attribute__ ((unused)))
++ }
++
++ void
++-grub_exit (void)
+++grub_exit (int rc __attribute__((unused)))
++ {
++   grub_halt ();
++ }
++diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
++index 3af336e..63b586d 100644
++--- a/grub-core/kern/misc.c
+++++ b/grub-core/kern/misc.c
++@@ -1209,9 +1209,18 @@ grub_abort (void)
++       grub_getkey ();
++     }
++
++-  grub_exit ();
+++  grub_exit (1);
++ }
++
+++#if defined (__clang__) && !defined (GRUB_UTIL)
+++/* clang emits references to abort().  */
+++void __attribute__ ((noreturn))
+++abort (void)
+++{
+++  grub_abort ();
+++}
+++#endif
+++
++ void
++ grub_fatal (const char *fmt, ...)
++ {
++diff --git a/grub-core/kern/uboot/init.c b/grub-core/kern/uboot/init.c
++index 3e33864..be2a5be 100644
++--- a/grub-core/kern/uboot/init.c
+++++ b/grub-core/kern/uboot/init.c
++@@ -39,9 +39,9 @@ extern grub_size_t grub_total_module_size;
++ static unsigned long timer_start;
++
++ void
++-grub_exit (void)
+++grub_exit (int rc)
++ {
++-  grub_uboot_return (0);
+++  grub_uboot_return (rc < 0 ? 1 : rc);
++ }
++
++ static grub_uint64_t
++@@ -78,7 +78,7 @@ grub_machine_init (void)
++   if (!ver)
++     {
++       /* Don't even have a console to log errors to... */
++-      grub_exit ();
+++      grub_exit (-1);
++     }
++   else if (ver > API_SIG_VERSION)
++     {
++diff --git a/grub-core/kern/xen/init.c b/grub-core/kern/xen/init.c
++index 782ca72..708b060 100644
++--- a/grub-core/kern/xen/init.c
+++++ b/grub-core/kern/xen/init.c
++@@ -584,7 +584,7 @@ grub_machine_init (void)
++ }
++
++ void
++-grub_exit (void)
+++grub_exit (int rc __attribute__((unused)))
++ {
++   struct sched_shutdown arg;
++
++diff --git a/include/grub/misc.h b/include/grub/misc.h
++index 7d2b551..fd18e63 100644
++--- a/include/grub/misc.h
+++++ b/include/grub/misc.h
++@@ -353,7 +353,7 @@ int EXPORT_FUNC(grub_vsnprintf) (char *str, grub_size_t n, const char *fmt,
++ char *EXPORT_FUNC(grub_xasprintf) (const char *fmt, ...)
++      __attribute__ ((format (GNU_PRINTF, 1, 2))) WARN_UNUSED_RESULT;
++ char *EXPORT_FUNC(grub_xvasprintf) (const char *fmt, va_list args) WARN_UNUSED_RESULT;
++-void EXPORT_FUNC(grub_exit) (void) __attribute__ ((noreturn));
+++void EXPORT_FUNC(grub_exit) (int rc) __attribute__ ((noreturn));
++ grub_uint64_t EXPORT_FUNC(grub_divmod64) (grub_uint64_t n,
++ 					  grub_uint64_t d,
++ 					  grub_uint64_t *r);
 diff --git a/debian/patches/rhboot-f34-make-pmtimer-tsc-calibration-fast.patch b/debian/patches/rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
 new file mode 100644
 index 0000000..6154ced
 --- /dev/null
 +++ b/debian/patches/rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
@@ -0,0 +1,213 @@
++From: Peter Jones <pjones@redhat.com>
++Date: Tue, 7 Nov 2017 17:12:17 -0500
++Subject: Make pmtimer tsc calibration not take 51 seconds to fail.
++
++On my laptop running at 2.4GHz, if I run a VM where tsc calibration
++using pmtimer will fail presuming a broken pmtimer, it takes ~51 seconds
++to do so (as measured with the stopwatch on my phone), with a tsc delta
++of 0x1cd1c85300, or around 125 billion cycles.
++
++If instead of trying to wait for 5-200ms to show up on the pmtimer, we try
++to wait for 5-200us, it decides it's broken in ~0x2626aa0 TSCs, aka ~2.4
++million cycles, or more or less instantly.
++
++Additionally, this reading the pmtimer was returning 0xffffffff anyway,
++and that's obviously an invalid return.  I've added a check for that and
++0 so we don't bother waiting for the test if what we're seeing is dead
++pins with no response at all.
++
++If "debug" is includes "pmtimer", you will see one of the following
++three outcomes.  If pmtimer gives all 0 or all 1 bits, you will see:
++
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 1
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 2
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 3
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 4
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 5
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 6
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 7
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 8
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 9
++kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 10
++kern/i386/tsc_pmtimer.c:78: timer is broken; giving up.
++
++This outcome was tested using qemu+kvm with UEFI (OVMF) firmware and
++these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX
++
++If pmtimer gives any other bit patterns but is not actually marching
++forward fast enough to use for clock calibration, you will see:
++
++kern/i386/tsc_pmtimer.c:121: pmtimer delta is 0x0 (1904 iterations)
++kern/i386/tsc_pmtimer.c:124: tsc delta is implausible: 0x2626aa0
++
++This outcome was tested using grub compiled with GRUB_PMTIMER_IGNORE_BAD_READS
++defined (so as not to trip the bad read test) using qemu+kvm with UEFI
++(OVMF) firmware, and these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX
++
++If pmtimer actually works, you'll see something like:
++
++kern/i386/tsc_pmtimer.c:121: pmtimer delta is 0x0 (1904 iterations)
++kern/i386/tsc_pmtimer.c:124: tsc delta is implausible: 0x2626aa0
++
++This outcome was tested using qemu+kvm with UEFI (OVMF) firmware, and
++these options: -machine pc-i440fx-2.4 -cpu Broadwell-noTSX
++
++I've also tested this outcome on a real Intel Xeon E3-1275v3 on an Intel
++Server Board S1200V3RPS using the SDV.RP.B8 "Release" build here:
++https://firmware.intel.com/sites/default/files/UEFIDevKit_S1200RP_vB8.zip
++
++Signed-off-by: Peter Jones <pjones@redhat.com>
++(cherry picked from commit cf0448d61e00acb548f8f22d57ba6e4f3b37f394)
++
++Patch-Name: rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
++---
++ grub-core/kern/i386/tsc_pmtimer.c | 109 +++++++++++++++++++++++++++++++-------
++ 1 file changed, 89 insertions(+), 20 deletions(-)
++
++diff --git a/grub-core/kern/i386/tsc_pmtimer.c b/grub-core/kern/i386/tsc_pmtimer.c
++index c9c3616..ca15c3a 100644
++--- a/grub-core/kern/i386/tsc_pmtimer.c
+++++ b/grub-core/kern/i386/tsc_pmtimer.c
++@@ -28,40 +28,101 @@
++ #include <grub/acpi.h>
++ #include <grub/cpu/io.h>
++
+++/*
+++ * Define GRUB_PMTIMER_IGNORE_BAD_READS if you're trying to test a timer that's
+++ * present but doesn't keep time well.
+++ */
+++// #define GRUB_PMTIMER_IGNORE_BAD_READS
+++
++ grub_uint64_t
++ grub_pmtimer_wait_count_tsc (grub_port_t pmtimer,
++ 			     grub_uint16_t num_pm_ticks)
++ {
++   grub_uint32_t start;
++-  grub_uint32_t last;
++-  grub_uint32_t cur, end;
+++  grub_uint64_t cur, end;
++   grub_uint64_t start_tsc;
++   grub_uint64_t end_tsc;
++-  int num_iter = 0;
+++  unsigned int num_iter = 0;
+++#ifndef GRUB_PMTIMER_IGNORE_BAD_READS
+++  int bad_reads = 0;
+++#endif
++
++-  start = grub_inl (pmtimer) & 0xffffff;
++-  last = start;
+++  /*
+++   * Some timers are 24-bit and some are 32-bit, but it doesn't make much
+++   * difference to us.  Caring which one we have isn't really worth it since
+++   * the low-order digits will give us enough data to calibrate TSC.  So just
+++   * mask the top-order byte off.
+++   */
+++  cur = start = grub_inl (pmtimer) & 0xffffffUL;
++   end = start + num_pm_ticks;
++   start_tsc = grub_get_tsc ();
++   while (1)
++     {
++-      cur = grub_inl (pmtimer) & 0xffffff;
++-      if (cur < last)
++-	cur |= 0x1000000;
++-      num_iter++;
+++      cur &= 0xffffffffff000000ULL;
+++      cur |= grub_inl (pmtimer) & 0xffffffUL;
+++
+++      end_tsc = grub_get_tsc();
+++
+++#ifndef GRUB_PMTIMER_IGNORE_BAD_READS
+++      /*
+++       * If we get 10 reads in a row that are obviously dead pins, there's no
+++       * reason to do this thousands of times.
+++       */
+++      if (cur == 0xffffffUL || cur == 0)
+++	{
+++	  bad_reads++;
+++	  grub_dprintf ("pmtimer",
+++			"pmtimer: 0x%"PRIxGRUB_UINT64_T" bad_reads: %d\n",
+++			cur, bad_reads);
+++	  grub_dprintf ("pmtimer", "timer is broken; giving up.\n");
+++
+++	  if (bad_reads == 10)
+++	    return 0;
+++	}
+++#endif
+++
+++      if (cur < start)
+++	cur += 0x1000000;
+++
++       if (cur >= end)
++ 	{
++-	  end_tsc = grub_get_tsc ();
+++	  grub_dprintf ("pmtimer", "pmtimer delta is 0x%"PRIxGRUB_UINT64_T"\n",
+++			cur - start);
+++	  grub_dprintf ("pmtimer", "tsc delta is 0x%"PRIxGRUB_UINT64_T"\n",
+++			end_tsc - start_tsc);
++ 	  return end_tsc - start_tsc;
++ 	}
++-      /* Check for broken PM timer.
++-	 50000000 TSCs is between 5 ms (10GHz) and 200 ms (250 MHz)
++-	 if after this time we still don't have 1 ms on pmtimer, then
++-	 pmtimer is broken.
+++
+++      /*
+++       * Check for broken PM timer.  1ms at 10GHz should be 1E+7 TSCs; at
+++       * 250MHz it should be 2.5E6.  So if after 4E+7 TSCs on a 10GHz machine,
+++       * we should have seen pmtimer show 4ms of change (i.e. cur =~
+++       * start+14320); on a 250MHz machine that should be 16ms (start+57280).
+++       * If after this a time we still don't have 1ms on pmtimer, then pmtimer
+++       * is broken.
+++       *
+++       * Likewise, if our code is perfectly efficient and introduces no delays
+++       * whatsoever, on a 10GHz system we should see a TSC delta of 3580 in
+++       * ~3580 iterations.  On a 250MHz machine that should be ~900 iterations.
+++       *
+++       * With those factors in mind, there are two limits here.  There's a hard
+++       * limit here at 8x our desired pm timer delta, picked as an arbitrarily
+++       * large value that's still not a lot of time to humans, because if we
+++       * get that far this is either an implausibly fast machine or the pmtimer
+++       * is not running.  And there's another limit on 4x our 10GHz tsc delta
+++       * without seeing cur converge on our target value.
++        */
++-      if ((num_iter & 0xffffff) == 0 && grub_get_tsc () - start_tsc > 5000000) {
++-	return 0;
++-      }
+++      if ((++num_iter > (grub_uint32_t)num_pm_ticks << 3UL) ||
+++	  end_tsc - start_tsc > 40000000)
+++	{
+++	  grub_dprintf ("pmtimer",
+++			"pmtimer delta is 0x%"PRIxGRUB_UINT64_T" (%u iterations)\n",
+++			cur - start, num_iter);
+++	  grub_dprintf ("pmtimer",
+++			"tsc delta is implausible: 0x%"PRIxGRUB_UINT64_T"\n",
+++			end_tsc - start_tsc);
+++	  return 0;
+++	}
++     }
++ }
++
++@@ -74,12 +135,20 @@ grub_tsc_calibrate_from_pmtimer (void)
++
++   fadt = grub_acpi_find_fadt ();
++   if (!fadt)
++-    return 0;
+++    {
+++      grub_dprintf ("pmtimer", "No FADT found; not using pmtimer.\n");
+++      return 0;
+++    }
++   pmtimer = fadt->pmtimer;
++   if (!pmtimer)
++-    return 0;
+++    {
+++      grub_dprintf ("pmtimer", "FADT does not specify pmtimer; skipping.\n");
+++      return 0;
+++    }
++
++-  /* It's 3.579545 MHz clock. Wait 1 ms.  */
+++  /*
+++   * It's 3.579545 MHz clock. Wait 1 ms.
+++   */
++   tsc_diff = grub_pmtimer_wait_count_tsc (pmtimer, 3580);
++   if (tsc_diff == 0)
++     return 0;
 diff --git a/debian/patches/series b/debian/patches/series
 index acc1c68..1602b13 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -14,12 +14,13 @@ install-efi-fallback.patch
  mkconfig-ubuntu-recovery.patch
  install-locale-langpack.patch
  mkconfig-nonexistent-loopback.patch
++no-insmod-on-sb.patch
  default-grub-d.patch
  blacklist-1440x900x32.patch
  mkconfig-ubuntu-distributor.patch
--linuxefi.patch
++ubuntu-linuxefi.patch
  mkconfig-signed-kernel.patch
--install-signed.patch
++ubuntu-install-signed.patch
  wubi-no-windows.patch
  maybe-quiet.patch
  install-efi-adjust-distributor.patch
@@ -35,7 +36,7 @@ ieee1275-clear-reset.patch
  ppc64el-disable-vsx.patch
  grub-install-pvxen-paths.patch
  insmod-xzio-and-lzopio-on-xen.patch
--grub-install-extra-removable.patch
++ubuntu-grub-install-extra-removable.patch
  mkconfig-other-inits.patch
  zpool-full-device-name.patch
  net-read-bracketed-ipv6-addr.patch
@@ -44,13 +45,11 @@ efinet-uefi-ipv6-pxe-support.patch
  bootp-process-dhcpack-http-boot.patch
  efinet-set-network-from-uefi-devpath.patch
  efinet-set-dns-from-uefi-proto.patch
--fix-lockdown.patch
  skip-grub_cmd_set_date.patch
  bash-completion-drop-have-checks.patch
  at_keyboard-module-init.patch
  uefi-secure-boot-cryptomount.patch
  efi-variable-storage-minimise-writes.patch
--grub-install-removable-shim.patch
  dejavu-font-path.patch
  xen-no-xsm-policy-in-non-xsm-options.patch
  pc-verifiers-module.patch
@@ -60,3 +59,46 @@ tpm-unknown-error-non-fatal.patch
  xfs-fix-v4-superblock.patch
  tests-ahci-update-qemu-device-name.patch
  minilzo-2.10.patch
++zstd-require-8-byte-buffer.patch
++ubuntu-zfs-enhance-support.patch
++ubuntu-zfs-gfxpayload-keep-default.patch
++ubuntu-zfs-mkconfig-ubuntu-recovery.patch
++ubuntu-zfs-mkconfig-ubuntu-distributor.patch
++ubuntu-zfs-mkconfig-signed-kernel.patch
++ubuntu-zfs-maybe-quiet.patch
++ubuntu-zfs-quick-boot.patch
++ubuntu-zfs-gfxpayload-dynamic.patch
++ubuntu-zfs-vt-handoff.patch
++ubuntu-zfs-mkconfig-recovery-title.patch
++ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
++ubuntu-support-initrd-less-boot.patch
++ubuntu-shorter-version-info.patch
++ubuntu-add-initrd-less-boot-fallback.patch
++ubuntu-mkconfig-leave-breadcrumbs.patch
++ubuntu-fix-lzma-decompressor-objcopy.patch
++ubuntu-temp-keep-auto-nvram.patch
++ubuntu-add-devicetree-command-support.patch
++ubuntu-boot-from-multipath-dependent-symlink.patch
++ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
++ubuntu-efi-allow-loopmount-chainload.patch
++0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
++ubuntu-resilient-boot-ignore-alternative-esps.patch
++ubuntu-resilient-boot-boot-order.patch
++ubuntu-speed-zsys-history.patch
++ubuntu-flavour-order.patch
++ubuntu-dont-verify-loopback-images.patch
++ubuntu-recovery-dis_ucode_ldr.patch
++ubuntu-linuxefi-arm64.patch
++ubuntu-linuxefi-arm64-set-base-addr.patch
++ubuntu-add-initrd-less-boot-messages.patch
++ubuntu-fix-reproducible-squashfs-test.patch
++rhboot-f34-make-exit-take-a-return-code.patch
++rhboot-f34-dont-use-int-for-efi-status.patch
++rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
++suse-grub.texi-add-net_bootp6-document.patch
++suse-add-support-for-UEFI-network-protocols.patch
++suse-AUDIT-0-http-boot-tracker-bug.patch
++rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
++0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
++cherrypick-efinet-correct-closing-snp-protocol.patch
++cherrypick-efi-grub_efi_close_protocol.patch
 diff --git a/debian/patches/suse-AUDIT-0-http-boot-tracker-bug.patch b/debian/patches/suse-AUDIT-0-http-boot-tracker-bug.patch
 new file mode 100644
 index 0000000..7647113
 --- /dev/null
 +++ b/debian/patches/suse-AUDIT-0-http-boot-tracker-bug.patch
@@ -0,0 +1,68 @@
++From: Sebastian Krahmer <krahmer@suse.com>
++Date: Tue, 28 Nov 2017 17:24:38 +0800
++Subject: AUDIT-0: http boot tracker bug
++
++Fixing a memory leak in case of error, and a integer overflow, leading to a
++heap overflow due to overly large chunk sizes.
++
++We need to check against some maximum value, otherwise values like 0xffffffff
++will eventually lead in the allocation functions to small sized buffers, since
++the len is rounded up to the next reasonable alignment. The following memcpy
++will then smash the heap, leading to RCE.
++
++This is no big issue for pure http boot, since its going to execute an
++untrusted kernel anyway, but it will break trusted boot scenarios, where only
++signed code is allowed to be executed.
++
++Signed-off-by: Michael Chang <mchang@suse.com>
++
++Origin: SUSE
++UEFI HTTP and related network protocol support (FATE#320130)
++Patch420:       0001-add-support-for-UEFI-network-protocols.patch
++Patch421:       0002-AUDIT-0-http-boot-tracker-bug.patch
++
++Patch-Name: suse-AUDIT-0-http-boot-tracker-bug.patch
++---
++ grub-core/net/efi/net.c | 4 +++-
++ grub-core/net/http.c    | 5 ++++-
++ 2 files changed, 7 insertions(+), 2 deletions(-)
++
++diff --git a/grub-core/net/efi/net.c b/grub-core/net/efi/net.c
++index 3154c55..9b7a218 100644
++--- a/grub-core/net/efi/net.c
+++++ b/grub-core/net/efi/net.c
++@@ -654,8 +654,10 @@ grub_efihttp_chunk_read (grub_file_t file, char *buf,
++
++       rd = efi_net_interface (read, file, chunk, sz);
++
++-      if (rd <= 0)
+++      if (rd <= 0) {
+++	grub_free (chunk);
++ 	return rd;
+++      }
++
++       if (buf)
++ 	{
++diff --git a/grub-core/net/http.c b/grub-core/net/http.c
++index 3fe155f..bf83866 100644
++--- a/grub-core/net/http.c
+++++ b/grub-core/net/http.c
++@@ -31,7 +31,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
++
++ enum
++   {
++-    HTTP_PORT = 80
+++    HTTP_PORT = 80,
+++    HTTP_MAX_CHUNK_SIZE = 0x80000000
++   };
++
++
++@@ -78,6 +79,8 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
++   if (data->in_chunk_len == 2)
++     {
++       data->chunk_rem = grub_strtoul (ptr, 0, 16);
+++      if (data->chunk_rem > HTTP_MAX_CHUNK_SIZE)
+++	  return GRUB_ERR_NET_PACKET_TOO_BIG;
++       grub_errno = GRUB_ERR_NONE;
++       if (data->chunk_rem == 0)
++ 	{
 diff --git a/debian/patches/suse-add-support-for-UEFI-network-protocols.patch b/debian/patches/suse-add-support-for-UEFI-network-protocols.patch
 new file mode 100644
 index 0000000..9724f73
 --- /dev/null
 +++ b/debian/patches/suse-add-support-for-UEFI-network-protocols.patch
@@ -0,0 +1,4941 @@
++From: Michael Chang <mchang@suse.com>
++Date: Wed, 22 Feb 2017 14:27:50 +0800
++Subject: Support UEFI networking protocols
++
++References: fate#320130, bsc#1015589, bsc#1076132
++Patch-Mainline: no
++
++V1:
++  * Add preliminary support of UEFI networking protocols
++  * Support UEFI HTTPS Boot
++
++V2:
++  * Workaround http data access in firmware
++  * Fix DNS device path parsing for efinet device
++  * Relaxed UEFI Protocol requirement
++  * Support Intel OPA (Omni-Path Architecture) PXE Boot
++
++V3:
++  * Fix bufio in calculating address of next_buf
++  * Check HTTP respond code
++  * Use HEAD request method to test before GET
++  * Finish HTTP transaction in one go
++  * Fix bsc#1076132
++
++V4:
++  * Add fs_ prefix with upstream commit
++    ad4bfeec5 Change fs functions to add fs_ prefix
++
++V5:
++  * Use overflow checking primitives where the arithmetic expression for
++    buffer allocations may include unvalidated data
++  * Use grub_calloc for overflow check and return NULL when it would
++    occur.
++
++V6:
++  * Don't force grub_print_error if no best route found as boot process
++    could be interrupted by logged error. The default interface will be
++    used as fallback in this case
++---
++ grub-core/Makefile.core.def        |    6 +
++ grub-core/io/bufio.c               |    2 +-
++ grub-core/kern/efi/efi.c           |   96 ++-
++ grub-core/net/drivers/efi/efinet.c |   27 +
++ grub-core/net/efi/dhcp.c           |  399 ++++++++++
++ grub-core/net/efi/http.c           |  424 +++++++++++
++ grub-core/net/efi/ip4_config.c     |  409 ++++++++++
++ grub-core/net/efi/ip6_config.c     |  430 +++++++++++
++ grub-core/net/efi/net.c            | 1440 ++++++++++++++++++++++++++++++++++++
++ grub-core/net/efi/pxe.c            |  424 +++++++++++
++ grub-core/net/net.c                |   74 ++
++ include/grub/efi/api.h             |  181 ++++-
++ include/grub/efi/dhcp.h            |  343 +++++++++
++ include/grub/efi/http.h            |  215 ++++++
++ include/grub/net/efi.h             |  144 ++++
++ 15 files changed, 4577 insertions(+), 37 deletions(-)
++ create mode 100644 grub-core/net/efi/dhcp.c
++ create mode 100644 grub-core/net/efi/http.c
++ create mode 100644 grub-core/net/efi/ip4_config.c
++ create mode 100644 grub-core/net/efi/ip6_config.c
++ create mode 100644 grub-core/net/efi/net.c
++ create mode 100644 grub-core/net/efi/pxe.c
++ create mode 100644 include/grub/efi/dhcp.h
++ create mode 100644 include/grub/efi/http.h
++ create mode 100644 include/grub/net/efi.h
++
++diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
++index 98cda49..a47c403 100644
++--- a/grub-core/Makefile.core.def
+++++ b/grub-core/Makefile.core.def
++@@ -2322,6 +2322,12 @@ module = {
++   common = net/ethernet.c;
++   common = net/arp.c;
++   common = net/netbuff.c;
+++  efi = net/efi/net.c;
+++  efi = net/efi/http.c;
+++  efi = net/efi/pxe.c;
+++  efi = net/efi/ip4_config.c;
+++  efi = net/efi/ip6_config.c;
+++  efi = net/efi/dhcp.c;
++ };
++
++ module = {
++diff --git a/grub-core/io/bufio.c b/grub-core/io/bufio.c
++index a458c3a..1637731 100644
++--- a/grub-core/io/bufio.c
+++++ b/grub-core/io/bufio.c
++@@ -139,7 +139,7 @@ grub_bufio_read (grub_file_t file, char *buf, grub_size_t len)
++     return res;
++
++   /* Need to read some more.  */
++-  next_buf = (file->offset + res + len - 1) & ~((grub_off_t) bufio->block_size - 1);
+++  next_buf = (grub_divmod64 (file->offset + res + len - 1, bufio->block_size, NULL)) * bufio->block_size;
++   /* Now read between file->offset + res and bufio->buffer_at.  */
++   if (file->offset + res < next_buf)
++     {
++diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
++index ae9885e..a3cae1e 100644
++--- a/grub-core/kern/efi/efi.c
+++++ b/grub-core/kern/efi/efi.c
++@@ -755,7 +755,7 @@ grub_efi_print_device_path (grub_efi_device_path_t *dp)
++ 	      {
++ 		grub_efi_ipv4_device_path_t *ipv4
++ 		  = (grub_efi_ipv4_device_path_t *) dp;
++-		grub_printf ("/IPv4(%u.%u.%u.%u,%u.%u.%u.%u,%u,%u,%x,%x)",
+++		grub_printf ("/IPv4(%u.%u.%u.%u,%u.%u.%u.%u,%u,%u,%x,%x",
++ 			     (unsigned) ipv4->local_ip_address[0],
++ 			     (unsigned) ipv4->local_ip_address[1],
++ 			     (unsigned) ipv4->local_ip_address[2],
++@@ -768,33 +768,60 @@ grub_efi_print_device_path (grub_efi_device_path_t *dp)
++ 			     (unsigned) ipv4->remote_port,
++ 			     (unsigned) ipv4->protocol,
++ 			     (unsigned) ipv4->static_ip_address);
+++		if (len == sizeof (*ipv4))
+++		  {
+++		    grub_printf (",%u.%u.%u.%u,%u.%u.%u.%u",
+++			(unsigned) ipv4->gateway_ip_address[0],
+++			(unsigned) ipv4->gateway_ip_address[1],
+++			(unsigned) ipv4->gateway_ip_address[2],
+++			(unsigned) ipv4->gateway_ip_address[3],
+++			(unsigned) ipv4->subnet_mask[0],
+++			(unsigned) ipv4->subnet_mask[1],
+++			(unsigned) ipv4->subnet_mask[2],
+++			(unsigned) ipv4->subnet_mask[3]);
+++		  }
+++		grub_printf (")");
++ 	      }
++ 	      break;
++ 	    case GRUB_EFI_IPV6_DEVICE_PATH_SUBTYPE:
++ 	      {
++ 		grub_efi_ipv6_device_path_t *ipv6
++ 		  = (grub_efi_ipv6_device_path_t *) dp;
++-		grub_printf ("/IPv6(%x:%x:%x:%x:%x:%x:%x:%x,%x:%x:%x:%x:%x:%x:%x:%x,%u,%u,%x,%x)",
++-			     (unsigned) ipv6->local_ip_address[0],
++-			     (unsigned) ipv6->local_ip_address[1],
++-			     (unsigned) ipv6->local_ip_address[2],
++-			     (unsigned) ipv6->local_ip_address[3],
++-			     (unsigned) ipv6->local_ip_address[4],
++-			     (unsigned) ipv6->local_ip_address[5],
++-			     (unsigned) ipv6->local_ip_address[6],
++-			     (unsigned) ipv6->local_ip_address[7],
++-			     (unsigned) ipv6->remote_ip_address[0],
++-			     (unsigned) ipv6->remote_ip_address[1],
++-			     (unsigned) ipv6->remote_ip_address[2],
++-			     (unsigned) ipv6->remote_ip_address[3],
++-			     (unsigned) ipv6->remote_ip_address[4],
++-			     (unsigned) ipv6->remote_ip_address[5],
++-			     (unsigned) ipv6->remote_ip_address[6],
++-			     (unsigned) ipv6->remote_ip_address[7],
+++		grub_printf ("/IPv6(%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x,%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x,%u,%u,%x,%x",
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[0]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[1]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[2]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[3]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[4]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[5]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[6]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->local_ip_address[7]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[0]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[1]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[2]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[3]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[4]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[5]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[6]),
+++			     (unsigned) grub_be_to_cpu16 (ipv6->remote_ip_address[7]),
++ 			     (unsigned) ipv6->local_port,
++ 			     (unsigned) ipv6->remote_port,
++ 			     (unsigned) ipv6->protocol,
++ 			     (unsigned) ipv6->static_ip_address);
+++		if (len == sizeof (*ipv6))
+++		  {
+++		    grub_printf (",%u,%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x",
+++			(unsigned) ipv6->prefix_length,
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[0]),
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[1]),
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[2]),
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[3]),
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[4]),
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[5]),
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[6]),
+++			(unsigned) grub_be_to_cpu16 (ipv6->gateway_ip_address[7]));
+++		  }
+++		grub_printf (")");
++ 	      }
++ 	      break;
++ 	    case GRUB_EFI_INFINIBAND_DEVICE_PATH_SUBTYPE:
++@@ -834,6 +861,39 @@ grub_efi_print_device_path (grub_efi_device_path_t *dp)
++ 	      dump_vendor_path ("Messaging",
++ 				(grub_efi_vendor_device_path_t *) dp);
++ 	      break;
+++	    case GRUB_EFI_URI_DEVICE_PATH_SUBTYPE:
+++	      {
+++		grub_efi_uri_device_path_t *uri
+++		  = (grub_efi_uri_device_path_t *) dp;
+++		grub_printf ("/URI(%s)", uri->uri);
+++	      }
+++	      break;
+++	    case GRUB_EFI_DNS_DEVICE_PATH_SUBTYPE:
+++	      {
+++		grub_efi_dns_device_path_t *dns
+++		  = (grub_efi_dns_device_path_t *) dp;
+++		if (dns->is_ipv6)
+++		  {
+++		    grub_printf ("/DNS(%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x)",
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[0]) >> 16),
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[0])),
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[1]) >> 16),
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[1])),
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[2]) >> 16),
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[2])),
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[3]) >> 16),
+++			    (grub_uint16_t)(grub_be_to_cpu32(dns->dns_server_ip[0].addr[3])));
+++		  }
+++		else
+++		  {
+++		    grub_printf ("/DNS(%d.%d.%d.%d)",
+++			  dns->dns_server_ip[0].v4.addr[0],
+++			  dns->dns_server_ip[0].v4.addr[1],
+++			  dns->dns_server_ip[0].v4.addr[2],
+++			  dns->dns_server_ip[0].v4.addr[3]);
+++		  }
+++	      }
+++	      break;
++ 	    default:
++ 	      grub_printf ("/UnknownMessaging(%x)", (unsigned) subtype);
++ 	      break;
++diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c
++index 82a28fb..f189209 100644
++--- a/grub-core/net/drivers/efi/efinet.c
+++++ b/grub-core/net/drivers/efi/efinet.c
++@@ -24,6 +24,7 @@
++ #include <grub/efi/efi.h>
++ #include <grub/i18n.h>
++ #include <grub/net/netbuff.h>
+++#include <grub/env.h>
++
++ GRUB_MOD_LICENSE ("GPLv3+");
++
++@@ -481,6 +482,17 @@ grub_efinet_create_dhcp_ack_from_device_path (grub_efi_device_path_t *dp, int *u
++
++   ldp = grub_efi_find_last_device_path (ddp);
++
+++  /* Skip the DNS Device */
+++  if (GRUB_EFI_DEVICE_PATH_TYPE (ldp) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE
+++      && GRUB_EFI_DEVICE_PATH_SUBTYPE (ldp) == GRUB_EFI_DNS_DEVICE_PATH_SUBTYPE)
+++    {
+++      ldp->type = GRUB_EFI_END_DEVICE_PATH_TYPE;
+++      ldp->subtype = GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE;
+++      ldp->length = sizeof (*ldp);
+++
+++      ldp = grub_efi_find_last_device_path (ddp);
+++    }
+++
++   if (GRUB_EFI_DEVICE_PATH_TYPE (ldp) != GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE
++       || (GRUB_EFI_DEVICE_PATH_SUBTYPE (ldp) != GRUB_EFI_IPV4_DEVICE_PATH_SUBTYPE
++           && GRUB_EFI_DEVICE_PATH_SUBTYPE (ldp) != GRUB_EFI_IPV6_DEVICE_PATH_SUBTYPE))
++@@ -744,6 +756,7 @@ grub_efi_net_config_real (grub_efi_handle_t hnd, char **device,
++ 	if (GRUB_EFI_DEVICE_PATH_TYPE (ldp) != GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE
++ 	    || (GRUB_EFI_DEVICE_PATH_SUBTYPE (ldp) != GRUB_EFI_IPV4_DEVICE_PATH_SUBTYPE
++ 		&& GRUB_EFI_DEVICE_PATH_SUBTYPE (ldp) != GRUB_EFI_IPV6_DEVICE_PATH_SUBTYPE
+++		&& GRUB_EFI_DEVICE_PATH_SUBTYPE (ldp) != GRUB_EFI_DNS_DEVICE_PATH_SUBTYPE
++ 		&& GRUB_EFI_DEVICE_PATH_SUBTYPE (ldp) != GRUB_EFI_URI_DEVICE_PATH_SUBTYPE))
++ 	  continue;
++ 	dup_dp = grub_efi_duplicate_device_path (dp);
++@@ -758,6 +771,15 @@ grub_efi_net_config_real (grub_efi_handle_t hnd, char **device,
++ 	    dup_ldp->length = sizeof (*dup_ldp);
++ 	  }
++
+++	dup_ldp = grub_efi_find_last_device_path (dup_dp);
+++	if (GRUB_EFI_DEVICE_PATH_SUBTYPE (dup_ldp) == GRUB_EFI_DNS_DEVICE_PATH_SUBTYPE)
+++	  {
+++	    dup_ldp = grub_efi_find_last_device_path (dup_dp);
+++	    dup_ldp->type = GRUB_EFI_END_DEVICE_PATH_TYPE;
+++	    dup_ldp->subtype = GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE;
+++	    dup_ldp->length = sizeof (*dup_ldp);
+++	  }
+++
++ 	dup_ldp = grub_efi_find_last_device_path (dup_dp);
++ 	dup_ldp->type = GRUB_EFI_END_DEVICE_PATH_TYPE;
++ 	dup_ldp->subtype = GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE;
++@@ -816,6 +838,9 @@ grub_efi_net_config_real (grub_efi_handle_t hnd, char **device,
++
++ GRUB_MOD_INIT(efinet)
++ {
+++  if (grub_efi_net_config)
+++    return;
+++
++   grub_efinet_findcards ();
++   grub_efi_net_config = grub_efi_net_config_real;
++ }
++@@ -827,5 +852,7 @@ GRUB_MOD_FINI(efinet)
++   FOR_NET_CARDS_SAFE (card, next)
++     if (card->driver == &efidriver)
++       grub_net_card_unregister (card);
+++
+++  grub_efi_net_config = NULL;
++ }
++
++diff --git a/grub-core/net/efi/dhcp.c b/grub-core/net/efi/dhcp.c
++new file mode 100644
++index 0000000..4001c04
++--- /dev/null
+++++ b/grub-core/net/efi/dhcp.c
++@@ -0,0 +1,399 @@
+++#include <grub/mm.h>
+++#include <grub/command.h>
+++#include <grub/efi/api.h>
+++#include <grub/efi/efi.h>
+++#include <grub/misc.h>
+++#include <grub/net/efi.h>
+++#include <grub/charset.h>
+++
+++#ifdef GRUB_EFI_NET_DEBUG
+++static void
+++dhcp4_mode_print (grub_efi_dhcp4_mode_data_t *mode)
+++{
+++    switch (mode->state)
+++      {
+++	case GRUB_EFI_DHCP4_STOPPED:
+++	  grub_printf ("STATE: STOPPED\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_INIT:
+++	  grub_printf ("STATE: INIT\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_SELECTING:
+++	  grub_printf ("STATE: SELECTING\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_REQUESTING:
+++	  grub_printf ("STATE: REQUESTING\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_BOUND:
+++	  grub_printf ("STATE: BOUND\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_RENEWING:
+++	  grub_printf ("STATE: RENEWING\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_REBINDING:
+++	  grub_printf ("STATE: REBINDING\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_INIT_REBOOT:
+++	  grub_printf ("STATE: INIT_REBOOT\n");
+++	  break;
+++	case GRUB_EFI_DHCP4_REBOOTING:
+++	  grub_printf ("STATE: REBOOTING\n");
+++	  break;
+++	default:
+++	  grub_printf ("STATE: UNKNOWN\n");
+++	  break;
+++      }
+++
+++    grub_printf ("CLIENT_ADDRESS: %u.%u.%u.%u\n",
+++      mode->client_address[0],
+++      mode->client_address[1],
+++      mode->client_address[2],
+++      mode->client_address[3]);
+++    grub_printf ("SERVER_ADDRESS: %u.%u.%u.%u\n",
+++      mode->server_address[0],
+++      mode->server_address[1],
+++      mode->server_address[2],
+++      mode->server_address[3]);
+++    grub_printf ("SUBNET_MASK: %u.%u.%u.%u\n",
+++      mode->subnet_mask[0],
+++      mode->subnet_mask[1],
+++      mode->subnet_mask[2],
+++      mode->subnet_mask[3]);
+++    grub_printf ("ROUTER_ADDRESS: %u.%u.%u.%u\n",
+++      mode->router_address[0],
+++      mode->router_address[1],
+++      mode->router_address[2],
+++      mode->router_address[3]);
+++}
+++#endif
+++
+++static grub_efi_ipv4_address_t *
+++grub_efi_dhcp4_parse_dns (grub_efi_dhcp4_protocol_t *dhcp4, grub_efi_dhcp4_packet_t *reply_packet)
+++{
+++  grub_efi_dhcp4_packet_option_t **option_list;
+++  grub_efi_status_t status;
+++  grub_efi_uint32_t option_count = 0;
+++  grub_efi_uint32_t i;
+++
+++  status = efi_call_4 (dhcp4->parse, dhcp4, reply_packet, &option_count, NULL);
+++
+++  if (status != GRUB_EFI_BUFFER_TOO_SMALL)
+++    return NULL;
+++
+++  option_list = grub_calloc (option_count, sizeof(*option_list));
+++  if (!option_list)
+++    return NULL;
+++
+++  status = efi_call_4 (dhcp4->parse, dhcp4, reply_packet, &option_count, option_list);
+++  if (status != GRUB_EFI_SUCCESS)
+++    {
+++      grub_free (option_list);
+++      return NULL;
+++    }
+++
+++  for (i = 0; i < option_count; ++i)
+++    {
+++      if (option_list[i]->op_code == 6)
+++	{
+++	  grub_efi_ipv4_address_t *dns_address;
+++
+++	  if (((option_list[i]->length & 0x3) != 0) || (option_list[i]->length == 0))
+++	    continue;
+++
+++	  /* We only contact primary dns */
+++	  dns_address = grub_malloc (sizeof (*dns_address));
+++	  if (!dns_address)
+++	    {
+++	      grub_free (option_list);
+++	      return NULL;
+++	    }
+++	  grub_memcpy (dns_address, option_list[i]->data, sizeof (dns_address));
+++	  grub_free (option_list);
+++	  return dns_address;
+++	}
+++    }
+++
+++  grub_free (option_list);
+++  return NULL;
+++}
+++
+++#if 0
+++/* Somehow this doesn't work ... */
+++static grub_err_t
+++grub_cmd_efi_bootp (struct grub_command *cmd __attribute__ ((unused)),
+++		    int argc __attribute__ ((unused)),
+++		    char **args __attribute__ ((unused)))
+++{
+++  struct grub_efi_net_device *dev;
+++  for (dev = net_devices; dev; dev = dev->next)
+++    {
+++      grub_efi_pxe_t *pxe = dev->ip4_pxe;
+++      grub_efi_pxe_mode_t *mode = pxe->mode;
+++      grub_efi_status_t status;
+++
+++      if (!mode->started)
+++	{
+++	  status = efi_call_2 (pxe->start, pxe, 0);
+++
+++	  if (status != GRUB_EFI_SUCCESS)
+++	      grub_printf ("Couldn't start PXE\n");
+++	}
+++
+++      status = efi_call_2 (pxe->dhcp, pxe, 0);
+++      if (status != GRUB_EFI_SUCCESS)
+++	{
+++	  grub_printf ("dhcp4 configure failed, %d\n", (int)status);
+++	  continue;
+++	}
+++
+++      dev->prefer_ip6 = 0;
+++    }
+++
+++  return GRUB_ERR_NONE;
+++}
+++#endif
+++
+++static grub_err_t
+++grub_cmd_efi_bootp (struct grub_command *cmd __attribute__ ((unused)),
+++		    int argc,
+++		    char **args)
+++{
+++  struct grub_efi_net_device *netdev;
+++
+++  for (netdev = net_devices; netdev; netdev = netdev->next)
+++    {
+++      grub_efi_status_t status;
+++      grub_efi_dhcp4_mode_data_t mode;
+++      grub_efi_dhcp4_config_data_t config;
+++      grub_efi_dhcp4_packet_option_t *options;
+++      grub_efi_ipv4_address_t *dns_address;
+++      grub_efi_net_ip_manual_address_t net_ip;
+++      grub_efi_net_ip_address_t ip_addr;
+++      grub_efi_net_interface_t *inf = NULL;
+++
+++      if (argc > 0 && grub_strcmp (netdev->card_name, args[0]) != 0)
+++	continue;
+++
+++      grub_memset (&config, 0, sizeof(config));
+++
+++      config.option_count = 1;
+++      options = grub_malloc (sizeof(*options) + 2);
+++      /* Parameter request list */
+++      options->op_code = 55;
+++      options->length = 3;
+++      /* subnet mask */
+++      options->data[0] = 1;
+++      /* router */
+++      options->data[1] = 3;
+++      /* DNS */
+++      options->data[2] = 6;
+++      config.option_list = &options;
+++
+++      /* FIXME: What if the dhcp has bounded */
+++      status = efi_call_2 (netdev->dhcp4->configure, netdev->dhcp4, &config);
+++      grub_free (options);
+++      if (status != GRUB_EFI_SUCCESS)
+++	{
+++	  grub_printf ("dhcp4 configure failed, %d\n", (int)status);
+++	  continue;
+++	}
+++
+++      status = efi_call_2 (netdev->dhcp4->start, netdev->dhcp4, NULL);
+++      if (status != GRUB_EFI_SUCCESS)
+++	{
+++	  grub_printf ("dhcp4 start failed, %d\n", (int)status);
+++	  continue;
+++	}
+++
+++      status = efi_call_2 (netdev->dhcp4->get_mode_data, netdev->dhcp4, &mode);
+++      if (status != GRUB_EFI_SUCCESS)
+++	{
+++	  grub_printf ("dhcp4 get mode failed, %d\n", (int)status);
+++	  continue;
+++	}
+++
+++#ifdef GRUB_EFI_NET_DEBUG
+++      dhcp4_mode_print (&mode);
+++#endif
+++
+++      for (inf = netdev->net_interfaces; inf; inf = inf->next)
+++	if (inf->prefer_ip6 == 0)
+++	  break;
+++
+++      grub_memcpy (net_ip.ip4.address, mode.client_address, sizeof (net_ip.ip4.address));
+++      grub_memcpy (net_ip.ip4.subnet_mask, mode.subnet_mask, sizeof (net_ip.ip4.subnet_mask));
+++
+++      if (!inf)
+++	{
+++	  char *name = grub_xasprintf ("%s:dhcp", netdev->card_name);
+++
+++	  net_ip.is_ip6 = 0;
+++	  inf = grub_efi_net_create_interface (netdev,
+++		    name,
+++		    &net_ip,
+++		    1);
+++	  grub_free (name);
+++	}
+++      else
+++	{
+++	  efi_net_interface_set_address (inf, &net_ip, 1);
+++	}
+++
+++      grub_memcpy (ip_addr.ip4, mode.router_address, sizeof (ip_addr.ip4));
+++      efi_net_interface_set_gateway (inf, &ip_addr);
+++
+++      dns_address = grub_efi_dhcp4_parse_dns (netdev->dhcp4, mode.reply_packet);
+++      if (dns_address)
+++	efi_net_interface_set_dns (inf, (grub_efi_net_ip_address_t *)&dns_address);
+++
+++    }
+++
+++  return GRUB_ERR_NONE;
+++}
+++
+++
+++static grub_err_t
+++grub_cmd_efi_bootp6 (struct grub_command *cmd __attribute__ ((unused)),
+++		    int argc,
+++		    char **args)
+++{
+++  struct grub_efi_net_device *dev;
+++  grub_efi_uint32_t ia_id;
+++
+++  for (dev = net_devices, ia_id = 0; dev; dev = dev->next, ia_id++)
+++    {
+++      grub_efi_dhcp6_config_data_t config;
+++      grub_efi_dhcp6_packet_option_t *option_list[1];
+++      grub_efi_dhcp6_packet_option_t *opt;
+++      grub_efi_status_t status;
+++      grub_efi_dhcp6_mode_data_t mode;
+++      grub_efi_dhcp6_retransmission_t retrans;
+++      grub_efi_net_ip_manual_address_t net_ip;
+++      grub_efi_boot_services_t *b = grub_efi_system_table->boot_services;
+++      grub_efi_net_interface_t *inf = NULL;
+++
+++      if (argc > 0 && grub_strcmp (dev->card_name, args[0]) != 0)
+++	continue;
+++
+++      opt = grub_malloc (sizeof(*opt) + 2 * sizeof (grub_efi_uint16_t));
+++
+++#define GRUB_EFI_DHCP6_OPT_ORO 6
+++
+++      opt->op_code = grub_cpu_to_be16_compile_time (GRUB_EFI_DHCP6_OPT_ORO);
+++      opt->op_len = grub_cpu_to_be16_compile_time (2 * sizeof (grub_efi_uint16_t));
+++
+++#define GRUB_EFI_DHCP6_OPT_BOOT_FILE_URL 59
+++#define GRUB_EFI_DHCP6_OPT_DNS_SERVERS 23
+++
+++      grub_set_unaligned16 (opt->data, grub_cpu_to_be16_compile_time(GRUB_EFI_DHCP6_OPT_BOOT_FILE_URL));
+++      grub_set_unaligned16 (opt->data + 1 * sizeof (grub_efi_uint16_t),
+++	      grub_cpu_to_be16_compile_time(GRUB_EFI_DHCP6_OPT_DNS_SERVERS));
+++
+++      option_list[0] = opt;
+++      retrans.irt = 4;
+++      retrans.mrc = 4;
+++      retrans.mrt = 32;
+++      retrans.mrd = 60;
+++
+++      config.dhcp6_callback = NULL;
+++      config.callback_context = NULL;
+++      config.option_count = 1;
+++      config.option_list = option_list;
+++      config.ia_descriptor.ia_id = ia_id;
+++      config.ia_descriptor.type = GRUB_EFI_DHCP6_IA_TYPE_NA;
+++      config.ia_info_event = NULL;
+++      config.reconfigure_accept = 0;
+++      config.rapid_commit = 0;
+++      config.solicit_retransmission = &retrans;
+++
+++      status = efi_call_2 (dev->dhcp6->configure, dev->dhcp6, &config);
+++      grub_free (opt);
+++      if (status != GRUB_EFI_SUCCESS)
+++	{
+++	  grub_printf ("dhcp6 configure failed, %d\n", (int)status);
+++	  continue;
+++	}
+++      status = efi_call_1 (dev->dhcp6->start, dev->dhcp6);
+++      if (status != GRUB_EFI_SUCCESS)
+++	{
+++	  grub_printf ("dhcp6 start failed, %d\n", (int)status);
+++	  continue;
+++	}
+++
+++      status = efi_call_3 (dev->dhcp6->get_mode_data, dev->dhcp6, &mode, NULL);
+++      if (status != GRUB_EFI_SUCCESS)
+++	{
+++	  grub_printf ("dhcp4 get mode failed, %d\n", (int)status);
+++	  continue;
+++	}
+++
+++      for (inf = dev->net_interfaces; inf; inf = inf->next)
+++	if (inf->prefer_ip6 == 1)
+++	  break;
+++
+++      grub_memcpy (net_ip.ip6.address, mode.ia->ia_address[0].ip_address, sizeof (net_ip.ip6.address));
+++      net_ip.ip6.prefix_length = 64;
+++      net_ip.ip6.is_anycast = 0;
+++      net_ip.is_ip6 = 1;
+++
+++      if (!inf)
+++	{
+++	  char *name = grub_xasprintf ("%s:dhcp", dev->card_name);
+++
+++	  inf = grub_efi_net_create_interface (dev,
+++		    name,
+++		    &net_ip,
+++		    1);
+++	  grub_free (name);
+++	}
+++      else
+++	{
+++	  efi_net_interface_set_address (inf, &net_ip, 1);
+++	}
+++
+++      {
+++	grub_efi_uint32_t count = 0;
+++	grub_efi_dhcp6_packet_option_t **options = NULL;
+++	grub_efi_uint32_t i;
+++
+++	status = efi_call_4 (dev->dhcp6->parse, dev->dhcp6, mode.ia->reply_packet, &count, NULL);
+++
+++	if (status == GRUB_EFI_BUFFER_TOO_SMALL && count)