grub

Merge ~ubuntu-uefi-team/grub/+git/ubuntu:ubuntu into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu

Proposed by Mate Kukri on 2024-03-05

Status:

Merged

Merge reported by:

Mate Kukri

Merged at revision:

f1625e10dda448f9592c1f2b3142a43cf9b5d46b

Proposed branch:

~ubuntu-uefi-team/grub/+git/ubuntu:ubuntu

Merge into:

~ubuntu-core-dev/grub/+git/ubuntu:ubuntu

Diff against target:

2339 lines (+1674/-237)

24 files modified

debian/build-efi-images (+6/-0)
debian/changelog (+26/-0)
debian/control (+2/-0)
debian/grub-sort-version (+2/-2)
debian/patches/grub-sort-version.patch (+16/-1)
debian/patches/kern-efi-mm-Change-grub_efi_allocate_pages_real-to-call-s.patch (+36/-0)
debian/patches/kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-track-.patch (+69/-0)
debian/patches/kern-efi-mm-Detect-calls-to-grub_efi_drop_alloc-with-wron.patch (+34/-0)
debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch (+116/-0)
debian/patches/nx/modules-Don-t-allocate-space-for-non-allocable-sections.patch (+37/-0)
debian/patches/nx/modules-load-module-sections-at-page-aligned-addresses.patch (+390/-0)
debian/patches/nx/modules-strip-.llvm_addrsig-sections-and-similar.patch (+41/-0)
debian/patches/nx/nx-add-memory-attribute-get-set-API.patch (+252/-0)
debian/patches/nx/nx-set-page-permissions-for-loaded-modules.patch (+222/-0)
debian/patches/nx/nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch (+49/-0)
debian/patches/nx/peimage-Add-memory-attribute-support.patch (+132/-0)
debian/patches/secure-boot/efi-use-peimage-shim.patch (+151/-227)
debian/patches/series (+11/-0)
debian/patches/suse-grub.texi-add-net_bootp6-document.patch (+3/-3)
debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch (+1/-1)
debian/patches/ubuntu-support-initrd-less-boot.patch (+1/-1)
debian/rules (+3/-0)
debian/sbat.ubuntu.csv.in (+2/-2)
debian/test_grub_sort_version.py (+72/-0)

Related bugs:

Bug #2041827: update-grub sorts custom kernel below older/lower package kernels	Low	Fix Released
Bug #2054127: grub-efi crashes upon `exit`	Medium	Fix Released
Bug #2057679: systemd-stub fails to boot when loaded via peimage	Undecided	Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Julian Andres Klode		2024-03-05	Pending
Review via email: mp+461796@code.launchpad.net

~ubuntu-uefi-team/grub/+git/ubuntu:ubuntu updated on 2024-06-12

f8ebfa5... by Mate Kukri on 2024-03-12

Increase SBAT level to "grub.ubuntu,2" and "grub.peimage,2"

4858769... by Mate Kukri on 2024-03-12

Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127)

peimage sometimes has to load things such as systemd-stub that will pass
their ImageHandle to the firmware's LoadImage() as ParentImageHandle.

Such a ParentImageHandle must always come from the firmware itself,
otherwise LoadImage() asserts.

Reverting to the old implementation also fixes LP: #2054127 as systab
hook installation will again be done in StartImage().

0efc7d0... by Mate Kukri on 2024-03-20

d/build-efi-images: Make sure downstream didn't remove peimage SBAT entry

2e09b0d... by Mate Kukri on 2024-03-21

releasing package grub2 version 2.12-1ubuntu5

67b61d4... by Mate Kukri on 2024-04-04

Add 2.12-1ubuntu6 to changelog

4be2e5f... by Mate Kukri on 2024-04-04

releasing package grub2 version 2.12-1ubuntu7

44ab0d1... by Mate Kukri on 2024-06-12

peimage: Ignore empty sections when checking for bounds

These checks were assuming empty sections to overlap, this is wrong, and
was preventing things like Xen from booting.

21fab0b... by Mate Kukri on 2024-06-12

peimage: Make sure partially loaded images are unloaded on error

83485b1... by Mate Kukri on 2024-06-12

Cherry-pick upstream efi mm patches to avoid crashing at exit on Mu

f1625e1... by Mate Kukri on 2024-06-12

Implement support for UEFI NX mitigation

- Cherry-picked relevant upstream NX patches
- Implemented support for NX in peimage

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Development of Ubuntu software for UEFI platforms

Julian Andres Klode

Ubuntu Core Development Team

grub

Merge ~ubuntu-uefi-team/grub/+git/ubuntu:ubuntu into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu

Commit message

Description of the change

Preview Diff

Subscribers

 diff --git a/debian/build-efi-images b/debian/build-efi-images
 index d17e225..2f847f2 100755
 --- a/debian/build-efi-images
 +++ b/debian/build-efi-images
@@ -33,6 +33,12 @@ efi_name="$6"
  sbat_csv="$7"
  efi_vendor="${8:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
++# make sure downstreams didn't mess up sbat.csv
++if ! grep -q ^grub.peimage $sbat_csv; then
++   echo Missing sbat entry for "grub.peimage" >&2
++   exit 1
++fi
++
  # mkfs.msdos may not be on the default PATH.
  export PATH="$PATH:/sbin:/usr/sbin"
 diff --git a/debian/changelog b/debian/changelog
 index bc37a14..b9aae02 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,29 @@
++grub2 (2.12-1ubuntu7) noble; urgency=medium
++
++  * d/p/grub-sort-version.patch: Also patch grub-mkconfig to export GRUB_FLAVOUR_ORDER
++  * d/grub-sort-version: Update regex to correctly match kernel flavour
++  * d/grub-sort-version: Append `-0` to abi strings before passing to python-apt (Fixes LP: #2041827)
++  * debian/: Add tests for grub-sort-version
++  * Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127)
++  * Increase SBAT level to "grub.ubuntu,2" and "grub.peimage,2"
++  * d/build-efi-images: Make sure downstream didn't remove peimage SBAT entry
++  * SECURITY UPDATE: Use-after-free in peimage module [LP: #2054127]
++    - CVE-2024-2312
++
++ -- Mate Kukri <mate.kukri@canonical.com>  Thu, 04 Apr 2024 11:12:35 +0100
++
++grub2 (2.12-1ubuntu6) noble; urgency=medium
++
++  * No-change rebuild for CVE-2024-3094
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 31 Mar 2024 08:54:41 +0000
++
++grub2 (2.12-1ubuntu5) noble; urgency=medium
++
++  * No-change rebuild for libefivar1t64 on riscv64.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 07 Mar 2024 09:18:17 +0000
++
  grub2 (2.12-1ubuntu4) noble; urgency=medium
    * d/grub-multi-install: Treat missing `cloud_style_installation` debconf as
 diff --git a/debian/control b/debian/control
 index efd46e3..3cc18db 100644
 --- a/debian/control
 +++ b/debian/control
@@ -7,6 +7,8 @@ Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, S
  Build-Depends: debhelper-compat (= 13),
   patchutils,
   python3,
++ python3-apt,
++ python3-pytest,
   flex,
   bison,
   gawk,
 diff --git a/debian/grub-sort-version b/debian/grub-sort-version
 index 6e47231..40a6eda 100755
 --- a/debian/grub-sort-version
 +++ b/debian/grub-sort-version
@@ -28,7 +28,7 @@ class KernelABI:
          if self._index != other._index:
              # Ordering is reversed, what should be considered highest comes first.
              return self._index > other._index
--        return apt_pkg.version_compare(self.abi, other.abi) < 0
++        return apt_pkg.version_compare(f"{self.abi}-0", f"{other.abi}-0") < 0
  def main() -> None:
@@ -43,7 +43,7 @@ def main() -> None:
      order = []
      for flavour in os.environ.get("GRUB_FLAVOUR_ORDER", "").split():
--        order.append(re.compile(f"[0-9]*-{flavour}$"))
++        order.append(re.compile(f"[\\s\\S]*-{flavour}(\\s*\\d*)$"))
      versions = [KernelABI(line.rstrip(), order) for line in sys.stdin]
      versions.sort(reverse=args.reverse)
 diff --git a/debian/patches/grub-sort-version.patch b/debian/patches/grub-sort-version.patch
 index d885c50..8e6385c 100644
 --- a/debian/patches/grub-sort-version.patch
 +++ b/debian/patches/grub-sort-version.patch
@@ -6,9 +6,24 @@ We need to have support for GRUB_FLAVOUR_ORDER and it's arguably
  the easiest way to hook this in, although you might be able to
  write this as an awk script or something.
  ---
++ util/grub-mkconfig.in     |  3 ++-
   util/grub-mkconfig_lib.in | 15 +--------------
-- 1 file changed, 1 insertion(+), 14 deletions(-)
++ 2 files changed, 3 insertions(+), 15 deletions(-)
++diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
++index 46b036b..0b1adf5 100644
++--- a/util/grub-mkconfig.in
+++++ b/util/grub-mkconfig.in
++@@ -270,7 +270,8 @@ export GRUB_DEFAULT \
++   GRUB_RECORDFAIL_TIMEOUT \
++   GRUB_RECOVERY_TITLE \
++   GRUB_FORCE_PARTUUID \
++-  GRUB_DISABLE_INITRD
+++  GRUB_DISABLE_INITRD \
+++  GRUB_FLAVOUR_ORDER
++
++ if test "x${grub_cfg}" != "x"; then
++   rm -f "${grub_cfg}.new"
  diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
  index 121df9a..cabac83 100644
  --- a/util/grub-mkconfig_lib.in
 diff --git a/debian/patches/kern-efi-mm-Change-grub_efi_allocate_pages_real-to-call-s.patch b/debian/patches/kern-efi-mm-Change-grub_efi_allocate_pages_real-to-call-s.patch
 new file mode 100644
 index 0000000..0764e5e
 --- /dev/null
 +++ b/debian/patches/kern-efi-mm-Change-grub_efi_allocate_pages_real-to-call-s.patch
@@ -0,0 +1,36 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Tue, 11 Jun 2024 15:21:33 +0100
++Subject: kern/efi/mm: Change grub_efi_allocate_pages_real() to call
++ semantically correct free function
++
++If the firmware happens to return 0 as an address of allocated pages,
++grub_efi_allocate_pages_real() tries to allocate a new set of pages,
++and then free the ones at address 0.
++
++However at that point grub_efi_store_alloc() wasn't yet called, so
++freeing the pages at 0 using grub_efi_free_pages() which calls
++grub_efi_drop_alloc() isn't necessary, so let's call b->free_pages()
++instead.
++
++The call to grub_efi_drop_alloc() doesn't seem particularly harmful,
++because it seems to do nothing if the allocation it is asked to drop
++isn't on the list, but the call to it is obviously unnecessary here.
++
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ grub-core/kern/efi/mm.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
++index 4fec188..6613191 100644
++--- a/grub-core/kern/efi/mm.c
+++++ b/grub-core/kern/efi/mm.c
++@@ -150,7 +150,7 @@ grub_efi_allocate_pages_real (grub_efi_physical_address_t address,
++ 	 so reallocate another one.  */
++       address = GRUB_EFI_MAX_USABLE_ADDRESS;
++       status = b->allocate_pages (alloctype, memtype, pages, &address);
++-      grub_efi_free_pages (0, pages);
+++      b->free_pages (0, pages);
++       if (status != GRUB_EFI_SUCCESS)
++ 	{
++ 	  grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
 diff --git a/debian/patches/kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-track-.patch b/debian/patches/kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-track-.patch
 new file mode 100644
 index 0000000..96bebaf
 --- /dev/null
 +++ b/debian/patches/kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-track-.patch
@@ -0,0 +1,69 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Tue, 11 Jun 2024 15:19:48 +0100
++Subject: kern/efi/mm: Change grub_efi_mm_add_regions() to keep track of map
++ allocation size
++
++If the map was too big for the initial allocation, it was freed and replaced
++with a bigger one, but the free call still used the hard-coded size.
++
++Seems like this wasn't hit for a long time, because most firmware maps
++fit into 12K.
++
++This bug was trigerred on Project Mu firmware with a big memory map, and
++results in the heap getting trashed and the firmware ASSERTING on
++corrupted heap guard values when GRUB exits.
++
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ grub-core/kern/efi/mm.c | 14 +++++++-------
++ 1 file changed, 7 insertions(+), 7 deletions(-)
++
++diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
++index 6a6fba8..4fec188 100644
++--- a/grub-core/kern/efi/mm.c
+++++ b/grub-core/kern/efi/mm.c
++@@ -574,13 +574,15 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
++   grub_efi_memory_descriptor_t *memory_map_end;
++   grub_efi_memory_descriptor_t *filtered_memory_map;
++   grub_efi_memory_descriptor_t *filtered_memory_map_end;
+++  grub_efi_uintn_t alloc_size;
++   grub_efi_uintn_t map_size;
++   grub_efi_uintn_t desc_size;
++   grub_err_t err;
++   int mm_status;
++
++   /* Prepare a memory region to store two memory maps.  */
++-  memory_map = grub_efi_allocate_any_pages (2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE));
+++  alloc_size = 2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE);
+++  memory_map = grub_efi_allocate_any_pages (alloc_size);
++   if (! memory_map)
++     return grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate memory for memory map");
++
++@@ -591,14 +593,13 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
++
++   if (mm_status == 0)
++     {
++-      grub_efi_free_pages
++-	((grub_efi_physical_address_t) ((grub_addr_t) memory_map),
++-	 2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE));
+++      grub_efi_free_pages ((grub_efi_physical_address_t) (grub_addr_t) memory_map, alloc_size);
++
++       /* Freeing/allocating operations may increase memory map size.  */
++       map_size += desc_size * 32;
++
++-      memory_map = grub_efi_allocate_any_pages (2 * BYTES_TO_PAGES (map_size));
+++      alloc_size = 2 * BYTES_TO_PAGES (map_size);
+++      memory_map = grub_efi_allocate_any_pages (alloc_size);
++       if (! memory_map)
++ 	return grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate memory for new memory map");
++
++@@ -642,8 +643,7 @@ grub_efi_mm_add_regions (grub_size_t required_bytes, unsigned int flags)
++ #endif
++
++   /* Release the memory maps.  */
++-  grub_efi_free_pages ((grub_addr_t) memory_map,
++-		       2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE));
+++  grub_efi_free_pages ((grub_efi_physical_address_t) (grub_addr_t) memory_map, alloc_size);
++
++   return GRUB_ERR_NONE;
++ }
 diff --git a/debian/patches/kern-efi-mm-Detect-calls-to-grub_efi_drop_alloc-with-wron.patch b/debian/patches/kern-efi-mm-Detect-calls-to-grub_efi_drop_alloc-with-wron.patch
 new file mode 100644
 index 0000000..9de1acd
 --- /dev/null
 +++ b/debian/patches/kern-efi-mm-Detect-calls-to-grub_efi_drop_alloc-with-wron.patch
@@ -0,0 +1,34 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Wed, 12 Jun 2024 09:29:29 +0100
++Subject: kern/efi/mm: Detect calls to grub_efi_drop_alloc() with wrong page
++ counts
++
++Silently keeping entries in the list if the address matches, but the
++page count doesn't is a bad idea, and can lead to double frees.
++
++grub_efi_free_pages() have already freed parts of this block by this
++point, and thus keeping the whole block in the list and freeing it again
++at exit can lead to double frees.
++
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ grub-core/kern/efi/mm.c | 6 ++++--
++ 1 file changed, 4 insertions(+), 2 deletions(-)
++
++diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
++index 6613191..d45d0e2 100644
++--- a/grub-core/kern/efi/mm.c
+++++ b/grub-core/kern/efi/mm.c
++@@ -95,8 +95,10 @@ grub_efi_drop_alloc (grub_efi_physical_address_t address,
++
++   for (eap = NULL, ea = efi_allocated_memory; ea; eap = ea, ea = ea->next)
++     {
++-      if (ea->address != address || ea->pages != pages)
++-         continue;
+++      if (ea->address != address)
+++	continue;
+++      if (ea->pages != pages)
+++	grub_fatal ("grub_efi_drop_alloc() called with wrong page count");
++
++       /* Remove the current entry from the list. */
++       if (eap)
 diff --git a/debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch b/debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch
 new file mode 100644
 index 0000000..ecb6371
 --- /dev/null
 +++ b/debian/patches/nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch
@@ -0,0 +1,116 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Fri, 31 May 2024 13:00:37 +0100
++Subject: efi: Disallow fallback to legacy Linux loader when shim says NX is
++ required.
++
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ grub-core/kern/efi/sb.c      | 28 ++++++++++++++++++++++++++++
++ grub-core/loader/efi/linux.c | 13 ++++++++-----
++ include/grub/efi/api.h       |  2 ++
++ include/grub/efi/sb.h        |  2 ++
++ 4 files changed, 40 insertions(+), 5 deletions(-)
++
++diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
++index 80cfa08..8eb6bce 100644
++--- a/grub-core/kern/efi/sb.c
+++++ b/grub-core/kern/efi/sb.c
++@@ -218,3 +218,31 @@ grub_shim_lock_verifier_setup (void)
++   grub_env_set ("shim_lock", "y");
++   grub_env_export ("shim_lock");
++ }
+++
+++int
+++grub_efi_check_nx_required (void)
+++{
+++  int nx_required = 1; /* assume required, unless we can prove otherwise */
+++  grub_efi_status_t status;
+++  grub_size_t mok_policy_sz = 0;
+++  char *mok_policy = NULL;
+++  grub_uint32_t mok_policy_attrs = 0;
+++
+++  status = grub_efi_get_variable_with_attributes ("MokPolicy",
+++						  &(grub_guid_t) GRUB_EFI_SHIM_LOCK_GUID,
+++						  &mok_policy_sz,
+++						  (void **)&mok_policy,
+++						  &mok_policy_attrs);
+++  if (status != GRUB_EFI_SUCCESS ||
+++      mok_policy_sz != 1 ||
+++      mok_policy == NULL ||
+++      mok_policy_attrs != GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS)
+++    goto out;
+++
+++  nx_required = !!(mok_policy[0] & GRUB_MOK_POLICY_NX_REQUIRED);
+++
+++ out:
+++  grub_free (mok_policy);
+++
+++  return nx_required;
+++}
++diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
++index 2b891d6..47ef165 100644
++--- a/grub-core/loader/efi/linux.c
+++++ b/grub-core/loader/efi/linux.c
++@@ -29,6 +29,7 @@
++ #include <grub/efi/fdtload.h>
++ #include <grub/efi/memory.h>
++ #include <grub/efi/pe32.h>
+++#include <grub/efi/sb.h>
++ #include <grub/i18n.h>
++ #include <grub/lib/cmdline.h>
++ #include <grub/verify.h>
++@@ -473,21 +474,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
++
++   kernel_size = grub_file_size (file);
++
++-  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
++ #if !defined(__i386__) && !defined(__x86_64__)
+++  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
++     goto fail;
++ #else
++-    goto fallback;
++-
++-  if (!initrd_use_loadfile2)
+++  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE ||
+++      !initrd_use_loadfile2)
++     {
+++      /* We cannot use the legacy loader when NX is required */
+++      if (grub_efi_check_nx_required())
+++        goto fail;
+++
++       /*
++        * This is a EFI stub image but it is too old to implement the LoadFile2
++        * based initrd loading scheme, and Linux/x86 does not support the DT
++        * based method either. So fall back to the x86-specific loader that
++        * enters Linux in EFI mode but without going through its EFI stub.
++        */
++-fallback:
++       grub_file_close (file);
++       return grub_cmd_linux_x86_legacy (cmd, argc, argv);
++     }
++diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
++index 699bccf..343f968 100644
++--- a/include/grub/efi/api.h
+++++ b/include/grub/efi/api.h
++@@ -2023,6 +2023,8 @@ struct grub_efi_dt_fixup
++ };
++ typedef struct grub_efi_dt_fixup grub_efi_dt_fixup_t;
++
+++#define GRUB_MOK_POLICY_NX_REQUIRED	0x1
+++
++ struct grub_efi_shim_lock_protocol
++ {
++   /*
++diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
++index 30c4335..83ba311 100644
++--- a/include/grub/efi/sb.h
+++++ b/include/grub/efi/sb.h
++@@ -33,6 +33,8 @@ EXPORT_FUNC (grub_efi_get_secureboot) (void);
++
++ extern void
++ grub_shim_lock_verifier_setup (void);
+++extern int
+++EXPORT_FUNC (grub_efi_check_nx_required) (void);
++ #else
++ static inline grub_uint8_t
++ grub_efi_get_secureboot (void)
 diff --git a/debian/patches/nx/modules-Don-t-allocate-space-for-non-allocable-sections.patch b/debian/patches/nx/modules-Don-t-allocate-space-for-non-allocable-sections.patch
 new file mode 100644
 index 0000000..4721e2d
 --- /dev/null
 +++ b/debian/patches/nx/modules-Don-t-allocate-space-for-non-allocable-sections.patch
@@ -0,0 +1,37 @@
++From: Peter Jones <pjones@redhat.com>
++Date: Mon, 21 Mar 2022 16:56:10 -0400
++Subject: modules: Don't allocate space for non-allocable sections.
++
++Currently when loading grub modules, we allocate space for all sections,
++including those without SHF_ALLOC set.  We then copy the sections that
++/do/ have SHF_ALLOC set into the allocated memory, leaving some of our
++allocation untouched forever.  Additionally, on platforms with GOT
++fixups and trampolines, we currently compute alignment round-ups for the
++sections and sections with sh_size = 0.
++
++This patch removes the extra space from the allocation computation, and
++makes the allocation computation loop skip empty sections as the loading
++loop does.
++
++Signed-off-by: Peter Jones <pjones@redhat.com>
++Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++Reviewed-By: Vladimir Serbinenko
++---
++ grub-core/kern/dl.c | 3 +++
++ 1 file changed, 3 insertions(+)
++
++diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
++index 0bf40ca..37db9fa 100644
++--- a/grub-core/kern/dl.c
+++++ b/grub-core/kern/dl.c
++@@ -237,6 +237,9 @@ grub_dl_load_segments (grub_dl_t mod, const Elf_Ehdr *e)
++        i < e->e_shnum;
++        i++, s = (const Elf_Shdr *)((const char *) s + e->e_shentsize))
++     {
+++      if (s->sh_size == 0 || !(s->sh_flags & SHF_ALLOC))
+++	continue;
+++
++       tsize = ALIGN_UP (tsize, s->sh_addralign) + s->sh_size;
++       if (talign < s->sh_addralign)
++ 	talign = s->sh_addralign;
 diff --git a/debian/patches/nx/modules-load-module-sections-at-page-aligned-addresses.patch b/debian/patches/nx/modules-load-module-sections-at-page-aligned-addresses.patch
 new file mode 100644
 index 0000000..a652ea3
 --- /dev/null
 +++ b/debian/patches/nx/modules-load-module-sections-at-page-aligned-addresses.patch
@@ -0,0 +1,390 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Mon, 21 Mar 2022 17:45:40 -0400
++Subject: modules: load module sections at page-aligned addresses
++
++Currently we load module sections at whatever alignment gcc+ld happened
++to dump into the ELF section header, which is often less then the page
++size. Since NX protections are page based, this alignment must be
++rounded up to page size on platforms supporting NX protections.
++
++This patch switches most EFI platforms to load module sections at 4kB
++page-aligned addresses.  To do so, it adds an new per-arch function,
++grub_arch_dl_min_alignment(), which returns the alignment needed for
++dynamically loaded sections (in bytes).  Currently it sets it to 4096
++when GRUB_MACHINE_EFI is true on x86_64, i386, arm, arm64, and emu, and
++1-byte alignment on everything else.
++
++It then changes the allocation size computation and the loader code in
++grub_dl_load_segments() to align the locations and sizes up to these
++boundaries, and fills any added padding with zeros.
++
++All of this happens before relocations are applied, so the relocations
++factor that in with no change.
++
++Original-Author: Peter Jones <pjones@redhat.com>
++Original-Author: Laszlo Ersek <lersek@redhat.com>
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ docs/grub-dev.texi          |  6 ++---
++ grub-core/kern/arm/dl.c     | 13 +++++++++++
++ grub-core/kern/arm64/dl.c   | 13 +++++++++++
++ grub-core/kern/dl.c         | 53 +++++++++++++++++++++++++++++++--------------
++ grub-core/kern/emu/full.c   | 13 +++++++++++
++ grub-core/kern/i386/dl.c    | 13 +++++++++++
++ grub-core/kern/ia64/dl.c    |  9 ++++++++
++ grub-core/kern/mips/dl.c    |  8 +++++++
++ grub-core/kern/powerpc/dl.c |  9 ++++++++
++ grub-core/kern/riscv/dl.c   | 13 +++++++++++
++ grub-core/kern/sparc64/dl.c |  9 ++++++++
++ grub-core/kern/x86_64/dl.c  | 13 +++++++++++
++ include/grub/dl.h           |  2 ++
++ 13 files changed, 155 insertions(+), 19 deletions(-)
++
++diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
++index 1276c59..2f782cd 100644
++--- a/docs/grub-dev.texi
+++++ b/docs/grub-dev.texi
++@@ -996,9 +996,9 @@ declare startup asm file ($cpu_$platform_startup) as well as any other files
++ (e.g. init.c and callwrap.S) (e.g. $cpu_$platform = kern/$cpu/$platform/init.c).
++ At this stage you will also need to add dummy dl.c and cache.S with functions
++ grub_err_t grub_arch_dl_check_header (void *ehdr), grub_err_t
++-grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr) (dl.c) and
++-void grub_arch_sync_caches (void *address, grub_size_t len) (cache.S). They
++-won't be used for now.
+++grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr) (dl.c), grub_uint32_t
+++grub_arch_dl_min_alignment (void), and void grub_arch_sync_caches (void
+++*address, grub_size_t len) (cache.S). They won't be used for now.
++
++ You will need to create directory include/$cpu/$platform and a file
++ include/$cpu/types.h. The latter following this template:
++diff --git a/grub-core/kern/arm/dl.c b/grub-core/kern/arm/dl.c
++index eab9d17..9260737 100644
++--- a/grub-core/kern/arm/dl.c
+++++ b/grub-core/kern/arm/dl.c
++@@ -278,3 +278,16 @@ grub_arch_dl_check_header (void *ehdr)
++
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++#ifdef GRUB_MACHINE_EFI
+++  return 4096;
+++#else
+++  return 1;
+++#endif
+++}
++diff --git a/grub-core/kern/arm64/dl.c b/grub-core/kern/arm64/dl.c
++index a2b5789..95c6d5b 100644
++--- a/grub-core/kern/arm64/dl.c
+++++ b/grub-core/kern/arm64/dl.c
++@@ -196,3 +196,16 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++#ifdef GRUB_MACHINE_EFI
+++  return 4096;
+++#else
+++  return 1;
+++#endif
+++}
++diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
++index 37db9fa..8338f74 100644
++--- a/grub-core/kern/dl.c
+++++ b/grub-core/kern/dl.c
++@@ -224,25 +224,35 @@ grub_dl_load_segments (grub_dl_t mod, const Elf_Ehdr *e)
++ {
++   unsigned i;
++   const Elf_Shdr *s;
++-  grub_size_t tsize = 0, talign = 1;
+++  grub_size_t tsize = 0, talign = 1, arch_addralign = 1;
++ #if !defined (__i386__) && !defined (__x86_64__) && !defined(__riscv) && \
++   !defined (__loongarch__)
++   grub_size_t tramp;
+++  grub_size_t tramp_align;
++   grub_size_t got;
+++  grub_size_t got_align;
++   grub_err_t err;
++ #endif
++   char *ptr;
++
+++  arch_addralign = grub_arch_dl_min_alignment ();
+++
++   for (i = 0, s = (const Elf_Shdr *)((const char *) e + e->e_shoff);
++        i < e->e_shnum;
++        i++, s = (const Elf_Shdr *)((const char *) s + e->e_shentsize))
++     {
+++      grub_size_t sh_addralign;
+++      grub_size_t sh_size;
+++
++       if (s->sh_size == 0 || !(s->sh_flags & SHF_ALLOC))
++ 	continue;
++
++-      tsize = ALIGN_UP (tsize, s->sh_addralign) + s->sh_size;
++-      if (talign < s->sh_addralign)
++-	talign = s->sh_addralign;
+++      sh_addralign = ALIGN_UP(s->sh_addralign, arch_addralign);
+++      sh_size = ALIGN_UP(s->sh_size, sh_addralign);
+++
+++      tsize = ALIGN_UP (tsize, sh_addralign) + sh_size;
+++      if (talign < sh_addralign)
+++	talign = sh_addralign;
++     }
++
++ #if !defined (__i386__) && !defined (__x86_64__) && !defined(__riscv) && \
++@@ -250,12 +260,18 @@ grub_dl_load_segments (grub_dl_t mod, const Elf_Ehdr *e)
++   err = grub_arch_dl_get_tramp_got_size (e, &tramp, &got);
++   if (err)
++     return err;
++-  tsize += ALIGN_UP (tramp, GRUB_ARCH_DL_TRAMP_ALIGN);
++-  if (talign < GRUB_ARCH_DL_TRAMP_ALIGN)
++-    talign = GRUB_ARCH_DL_TRAMP_ALIGN;
++-  tsize += ALIGN_UP (got, GRUB_ARCH_DL_GOT_ALIGN);
++-  if (talign < GRUB_ARCH_DL_GOT_ALIGN)
++-    talign = GRUB_ARCH_DL_GOT_ALIGN;
+++  tramp_align = GRUB_ARCH_DL_TRAMP_ALIGN;
+++  if (tramp_align < arch_addralign)
+++    tramp_align = arch_addralign;
+++  tsize += ALIGN_UP (tramp, tramp_align);
+++  if (talign < tramp_align)
+++    talign = tramp_align;
+++  got_align = GRUB_ARCH_DL_GOT_ALIGN;
+++  if (got_align < arch_addralign)
+++    got_align = arch_addralign;
+++  tsize += ALIGN_UP (got, got_align);
+++  if (talign < got_align)
+++    talign = got_align;
++ #endif
++
++ #ifdef GRUB_MACHINE_EMU
++@@ -272,6 +288,9 @@ grub_dl_load_segments (grub_dl_t mod, const Elf_Ehdr *e)
++        i < e->e_shnum;
++        i++, s = (Elf_Shdr *)((char *) s + e->e_shentsize))
++     {
+++      grub_size_t sh_addralign = ALIGN_UP(s->sh_addralign, arch_addralign);
+++      grub_size_t sh_size = ALIGN_UP(s->sh_size, sh_addralign);
+++
++       if (s->sh_flags & SHF_ALLOC)
++ 	{
++ 	  grub_dl_segment_t seg;
++@@ -284,17 +303,19 @@ grub_dl_load_segments (grub_dl_t mod, const Elf_Ehdr *e)
++ 	    {
++ 	      void *addr;
++
++-	      ptr = (char *) ALIGN_UP ((grub_addr_t) ptr, s->sh_addralign);
+++	      ptr = (char *) ALIGN_UP ((grub_addr_t) ptr, sh_addralign);
++ 	      addr = ptr;
++-	      ptr += s->sh_size;
+++	      ptr += sh_size;
++
++ 	      switch (s->sh_type)
++ 		{
++ 		case SHT_PROGBITS:
++ 		  grub_memcpy (addr, (char *) e + s->sh_offset, s->sh_size);
+++		  grub_memset ((char *)addr + s->sh_size, 0,
+++			       sh_size - s->sh_size);
++ 		  break;
++ 		case SHT_NOBITS:
++-		  grub_memset (addr, 0, s->sh_size);
+++		  grub_memset (addr, 0, sh_size);
++ 		  break;
++ 		}
++
++@@ -303,7 +324,7 @@ grub_dl_load_segments (grub_dl_t mod, const Elf_Ehdr *e)
++ 	  else
++ 	    seg->addr = 0;
++
++-	  seg->size = s->sh_size;
+++	  seg->size = sh_size;
++ 	  seg->section = i;
++ 	  seg->next = mod->segment;
++ 	  mod->segment = seg;
++@@ -311,11 +332,11 @@ grub_dl_load_segments (grub_dl_t mod, const Elf_Ehdr *e)
++     }
++ #if !defined (__i386__) && !defined (__x86_64__) && !defined(__riscv) && \
++   !defined (__loongarch__)
++-  ptr = (char *) ALIGN_UP ((grub_addr_t) ptr, GRUB_ARCH_DL_TRAMP_ALIGN);
+++  ptr = (char *) ALIGN_UP ((grub_addr_t) ptr, tramp_align);
++   mod->tramp = ptr;
++   mod->trampptr = ptr;
++   ptr += tramp;
++-  ptr = (char *) ALIGN_UP ((grub_addr_t) ptr, GRUB_ARCH_DL_GOT_ALIGN);
+++  ptr = (char *) ALIGN_UP ((grub_addr_t) ptr, got_align);
++   mod->got = ptr;
++   mod->gotptr = ptr;
++   ptr += got;
++diff --git a/grub-core/kern/emu/full.c b/grub-core/kern/emu/full.c
++index e8d63b1..1de1c28 100644
++--- a/grub-core/kern/emu/full.c
+++++ b/grub-core/kern/emu/full.c
++@@ -67,3 +67,16 @@ grub_arch_dl_init_linker (void)
++ }
++ #endif
++
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++#ifdef GRUB_MACHINE_EFI
+++  return 4096;
+++#else
+++  return 1;
+++#endif
+++}
++diff --git a/grub-core/kern/i386/dl.c b/grub-core/kern/i386/dl.c
++index 1346da5..d6b4681 100644
++--- a/grub-core/kern/i386/dl.c
+++++ b/grub-core/kern/i386/dl.c
++@@ -79,3 +79,16 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++#ifdef GRUB_MACHINE_EFI
+++  return 4096;
+++#else
+++  return 1;
+++#endif
+++}
++diff --git a/grub-core/kern/ia64/dl.c b/grub-core/kern/ia64/dl.c
++index db59300..92d82c5 100644
++--- a/grub-core/kern/ia64/dl.c
+++++ b/grub-core/kern/ia64/dl.c
++@@ -148,3 +148,12 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++     }
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++  return 1;
+++}
++diff --git a/grub-core/kern/mips/dl.c b/grub-core/kern/mips/dl.c
++index 5b02f97..db41189 100644
++--- a/grub-core/kern/mips/dl.c
+++++ b/grub-core/kern/mips/dl.c
++@@ -272,3 +272,11 @@ grub_arch_dl_init_linker (void)
++   grub_dl_register_symbol ("_gp_disp", &_gp_disp_dummy, 0, 0);
++ }
++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++  return 1;
+++}
++diff --git a/grub-core/kern/powerpc/dl.c b/grub-core/kern/powerpc/dl.c
++index 7b6418e..0eb8bc5 100644
++--- a/grub-core/kern/powerpc/dl.c
+++++ b/grub-core/kern/powerpc/dl.c
++@@ -167,3 +167,12 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++  return 1;
+++}
++diff --git a/grub-core/kern/riscv/dl.c b/grub-core/kern/riscv/dl.c
++index 896653b..1fa085b 100644
++--- a/grub-core/kern/riscv/dl.c
+++++ b/grub-core/kern/riscv/dl.c
++@@ -344,3 +344,16 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++#ifdef GRUB_MACHINE_EFI
+++  return 4096;
+++#else
+++  return 1;
+++#endif
+++}
++diff --git a/grub-core/kern/sparc64/dl.c b/grub-core/kern/sparc64/dl.c
++index f3d9601..f054f08 100644
++--- a/grub-core/kern/sparc64/dl.c
+++++ b/grub-core/kern/sparc64/dl.c
++@@ -189,3 +189,12 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++  return 1;
+++}
++diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c
++index e5a8bdc..a105dc5 100644
++--- a/grub-core/kern/x86_64/dl.c
+++++ b/grub-core/kern/x86_64/dl.c
++@@ -119,3 +119,16 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++
++   return GRUB_ERR_NONE;
++ }
+++
+++/*
+++ * Tell the loader what our minimum section alignment is.
+++ */
+++grub_size_t
+++grub_arch_dl_min_alignment (void)
+++{
+++#ifdef GRUB_MACHINE_EFI
+++  return 4096;
+++#else
+++  return 1;
+++#endif
+++}
++diff --git a/include/grub/dl.h b/include/grub/dl.h
++index cd1f46c..e890210 100644
++--- a/include/grub/dl.h
+++++ b/include/grub/dl.h
++@@ -264,6 +264,8 @@ grub_err_t grub_arch_dl_check_header (void *ehdr);
++ grub_err_t
++ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
++ 			       Elf_Shdr *s, grub_dl_segment_t seg);
+++grub_size_t
+++grub_arch_dl_min_alignment (void);
++ #endif
++
++ #if defined (_mips)
 diff --git a/debian/patches/nx/modules-strip-.llvm_addrsig-sections-and-similar.patch b/debian/patches/nx/modules-strip-.llvm_addrsig-sections-and-similar.patch
 new file mode 100644
 index 0000000..a60c07b
 --- /dev/null
 +++ b/debian/patches/nx/modules-strip-.llvm_addrsig-sections-and-similar.patch
@@ -0,0 +1,41 @@
++From: Peter Jones <pjones@redhat.com>
++Date: Thu, 24 Feb 2022 16:40:11 -0500
++Subject: modules: strip .llvm_addrsig sections and similar.
++
++Currently grub modules built with clang or gcc have several sections
++which we don't actually need or support.
++
++We already have a list of section to skip in genmod.sh, and this patch
++adds the following sections to that list (as well as a few newlines):
++
++.note.gnu.property
++.llvm*
++
++Note that the glob there won't work without a new enough linker, but the
++failure is just reversion to the status quo, so that's not a big problem.
++
++Signed-off-by: Peter Jones <pjones@redhat.com>
++Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++Reviewed-By: Vladimir Serbinenko
++---
++ grub-core/genmod.sh.in | 5 ++++-
++ 1 file changed, 4 insertions(+), 1 deletion(-)
++
++diff --git a/grub-core/genmod.sh.in b/grub-core/genmod.sh.in
++index e57c4d9..337753c 100644
++--- a/grub-core/genmod.sh.in
+++++ b/grub-core/genmod.sh.in
++@@ -57,8 +57,11 @@ if test x@TARGET_APPLE_LINKER@ != x1; then
++ 	    @TARGET_STRIP@ --strip-unneeded \
++ 		-K grub_mod_init -K grub_mod_fini \
++ 		-K _grub_mod_init -K _grub_mod_fini \
++-		-R .note.gnu.gold-version -R .note.GNU-stack \
+++		-R .note.GNU-stack \
+++		-R .note.gnu.gold-version \
+++		-R .note.gnu.property \
++ 		-R .gnu.build.attributes \
+++		-R '.llvm*' \
++ 		-R .rel.gnu.build.attributes \
++ 		-R .rela.gnu.build.attributes \
++ 		-R .eh_frame -R .rela.eh_frame -R .rel.eh_frame \
 diff --git a/debian/patches/nx/nx-add-memory-attribute-get-set-API.patch b/debian/patches/nx/nx-add-memory-attribute-get-set-API.patch
 new file mode 100644
 index 0000000..cf58691
 --- /dev/null
 +++ b/debian/patches/nx/nx-add-memory-attribute-get-set-API.patch
@@ -0,0 +1,252 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Tue, 22 Mar 2022 10:56:21 -0400
++Subject: nx: add memory attribute get/set API
++
++For NX, we need to set the page access permission attributes for write
++and execute permissions.
++
++This patch adds two new primitives, grub_set_mem_attrs() and
++grub_clear_mem_attrs(), and associated constant definitions, to be used
++for that purpose.
++
++For most platforms, it adds a dummy implementation that returns
++GRUB_ERR_NONE.
++
++On EFI platforms, it implements the primitives using the EFI
++Memory Attribute Protocol (defined in UEFI 2.10 specification).
++
++Original-Author: Peter Jones <pjones@redhat.com>
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ grub-core/kern/efi/mm.c | 127 ++++++++++++++++++++++++++++++++++++++++++++++++
++ include/grub/efi/api.h  |  25 ++++++++++
++ include/grub/mm.h       |  33 +++++++++++++
++ 3 files changed, 185 insertions(+)
++
++diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
++index d45d0e2..790094c 100644
++--- a/grub-core/kern/efi/mm.c
+++++ b/grub-core/kern/efi/mm.c
++@@ -689,3 +689,130 @@ grub_efi_get_ram_base(grub_addr_t *base_addr)
++   return GRUB_ERR_NONE;
++ }
++ #endif
+++
+++static inline grub_uint64_t
+++grub_mem_attrs_to_uefi_mem_attrs (grub_uint64_t attrs)
+++{
+++  grub_uint64_t ret = GRUB_EFI_MEMORY_RP |
+++		      GRUB_EFI_MEMORY_RO |
+++		      GRUB_EFI_MEMORY_XP;
+++
+++  if (attrs & GRUB_MEM_ATTR_R)
+++    ret &= ~GRUB_EFI_MEMORY_RP;
+++
+++  if (attrs & GRUB_MEM_ATTR_W)
+++    ret &= ~GRUB_EFI_MEMORY_RO;
+++
+++  if (attrs & GRUB_MEM_ATTR_X)
+++    ret &= ~GRUB_EFI_MEMORY_XP;
+++
+++  return ret;
+++}
+++
+++static inline grub_uint64_t
+++uefi_mem_attrs_to_grub_mem_attrs (grub_uint64_t attrs)
+++{
+++  grub_uint64_t ret = GRUB_MEM_ATTR_R |
+++		      GRUB_MEM_ATTR_W |
+++		      GRUB_MEM_ATTR_X;
+++
+++  if (attrs & GRUB_EFI_MEMORY_RP)
+++    ret &= ~GRUB_MEM_ATTR_R;
+++
+++  if (attrs & GRUB_EFI_MEMORY_RO)
+++    ret &= ~GRUB_MEM_ATTR_W;
+++
+++  if (attrs & GRUB_EFI_MEMORY_XP)
+++    ret &= ~GRUB_MEM_ATTR_X;
+++
+++  return ret;
+++}
+++
+++grub_err_t
+++grub_get_mem_attrs (grub_addr_t addr, grub_size_t size, grub_uint64_t *attrs)
+++{
+++  grub_efi_memory_attribute_protocol_t *proto;
+++  grub_efi_physical_address_t physaddr = addr;
+++  grub_guid_t protocol_guid = GRUB_EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID;
+++  grub_efi_status_t efi_status;
+++
+++  if (physaddr & 0xfff || size & 0xfff || size == 0 || attrs == NULL)
+++    {
+++      return grub_error (GRUB_ERR_BAD_ARGUMENT,
+++			 N_("grub_get_mem_attrs() called with invalid arguments"));
+++    }
+++
+++  proto = grub_efi_locate_protocol (&protocol_guid, 0);
+++  if (!proto)
+++    {
+++      /* No protocol -> do nothing, all memory is RWX in boot services */
+++      *attrs = GRUB_MEM_ATTR_R | GRUB_MEM_ATTR_W | GRUB_MEM_ATTR_X;
+++      return GRUB_ERR_NONE;
+++    }
+++
+++  efi_status = proto->get_memory_attributes(proto, physaddr, size, attrs);
+++  if (efi_status != GRUB_EFI_SUCCESS)
+++    {
+++      return grub_error (GRUB_ERR_BAD_ARGUMENT,
+++			 N_("grub_get_mem_attrs() called with invalid arguments"));
+++    }
+++
+++  *attrs = uefi_mem_attrs_to_grub_mem_attrs (*attrs);
+++
+++  grub_dprintf ("nx", "get 0x%"PRIxGRUB_ADDR"-0x%"PRIxGRUB_ADDR":%c%c%c\n",
+++		addr, addr + size - 1,
+++		(*attrs & GRUB_MEM_ATTR_R) ? 'r' : '-',
+++		(*attrs & GRUB_MEM_ATTR_W) ? 'w' : '-',
+++		(*attrs & GRUB_MEM_ATTR_X) ? 'x' : '-');
+++
+++  return GRUB_ERR_NONE;
+++}
+++
+++grub_err_t
+++grub_update_mem_attrs (grub_addr_t addr, grub_size_t size,
+++		       grub_uint64_t set_attrs, grub_uint64_t clear_attrs)
+++{
+++  grub_efi_memory_attribute_protocol_t *proto;
+++  grub_efi_physical_address_t physaddr = addr;
+++  grub_guid_t protocol_guid = GRUB_EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID;
+++  grub_efi_status_t efi_status = GRUB_EFI_SUCCESS;
+++  grub_uint64_t uefi_set_attrs, uefi_clear_attrs;
+++
+++
+++  if (physaddr & 0xfff || size & 0xfff || size == 0)
+++    {
+++      return grub_error (GRUB_ERR_BAD_ARGUMENT,
+++			 N_("grub_update_mem_attrs() called with invalid arguments"));
+++    }
+++
+++  proto = grub_efi_locate_protocol (&protocol_guid, 0);
+++  if (!proto)
+++    {
+++      /* No protocol -> do nothing, all memory is RWX in boot services */
+++      return GRUB_ERR_NONE;
+++    }
+++
+++  uefi_set_attrs = grub_mem_attrs_to_uefi_mem_attrs (set_attrs);
+++  uefi_clear_attrs = grub_mem_attrs_to_uefi_mem_attrs (clear_attrs);
+++  if (uefi_set_attrs)
+++    efi_status = proto->set_memory_attributes(proto, physaddr, size, uefi_set_attrs);
+++  if (efi_status == GRUB_EFI_SUCCESS && uefi_clear_attrs)
+++    efi_status = proto->clear_memory_attributes(proto, physaddr, size, uefi_clear_attrs);
+++
+++  if (efi_status != GRUB_EFI_SUCCESS)
+++    {
+++      return grub_error (GRUB_ERR_BAD_ARGUMENT,
+++			 N_("grub_update_mem_attrs() called with invalid arguments"));
+++    }
+++
+++  grub_dprintf ("nx", "set +%s%s%s -%s%s%s on 0x%"PRIxGRUB_ADDR"-0x%"PRIxGRUB_ADDR"\n",
+++		(set_attrs & GRUB_MEM_ATTR_R) ? "r" : "",
+++		(set_attrs & GRUB_MEM_ATTR_W) ? "w" : "",
+++		(set_attrs & GRUB_MEM_ATTR_X) ? "x" : "",
+++		(clear_attrs & GRUB_MEM_ATTR_R) ? "r" : "",
+++		(clear_attrs & GRUB_MEM_ATTR_W) ? "w" : "",
+++		(clear_attrs & GRUB_MEM_ATTR_X) ? "x" : "",
+++		addr, addr + size - 1);
+++
+++  return GRUB_ERR_NONE;
+++}
++diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
++index a89bf3d..699bccf 100644
++--- a/include/grub/efi/api.h
+++++ b/include/grub/efi/api.h
++@@ -393,6 +393,11 @@
++     {0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f } \
++   }
++
+++#define GRUB_EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID \
+++  { 0xf4560cf6, 0x40ec, 0x4b4a, \
+++    { 0xa1, 0x92, 0xbf, 0x1d, 0x57, 0xd0, 0xb1, 0x89 } \
+++  }
+++
++ struct grub_efi_sal_system_table
++ {
++   grub_uint32_t signature;
++@@ -2214,4 +2219,24 @@ struct initrd_media_device_path {
++ } GRUB_PACKED;
++ typedef struct initrd_media_device_path initrd_media_device_path_t;
++
+++struct grub_efi_memory_attribute_protocol
+++{
+++  grub_efi_status_t (__grub_efi_api *get_memory_attributes) (
+++			    struct grub_efi_memory_attribute_protocol *this,
+++			    grub_efi_physical_address_t base_address,
+++			    grub_efi_uint64_t length,
+++			    grub_efi_uint64_t *attributes);
+++  grub_efi_status_t (__grub_efi_api *set_memory_attributes) (
+++			    struct grub_efi_memory_attribute_protocol *this,
+++			    grub_efi_physical_address_t base_address,
+++			    grub_efi_uint64_t length,
+++			    grub_efi_uint64_t attributes);
+++  grub_efi_status_t (__grub_efi_api *clear_memory_attributes) (
+++			    struct grub_efi_memory_attribute_protocol *this,
+++			    grub_efi_physical_address_t base_address,
+++			    grub_efi_uint64_t length,
+++			    grub_efi_uint64_t attributes);
+++};
+++typedef struct grub_efi_memory_attribute_protocol grub_efi_memory_attribute_protocol_t;
+++
++ #endif /* ! GRUB_EFI_API_HEADER */
++diff --git a/include/grub/mm.h b/include/grub/mm.h
++index f3bf87f..dcccfe3 100644
++--- a/include/grub/mm.h
+++++ b/include/grub/mm.h
++@@ -23,6 +23,7 @@
++ #include <grub/err.h>
++ #include <grub/types.h>
++ #include <grub/symbol.h>
+++#include <grub/err.h>
++ #include <config.h>
++
++ #ifndef NULL
++@@ -56,6 +57,38 @@ void *EXPORT_FUNC(grub_realloc) (void *ptr, grub_size_t size);
++ void *EXPORT_FUNC(grub_memalign) (grub_size_t align, grub_size_t size);
++ #endif
++
+++#define GRUB_MEM_ATTR_R	0x0000000000000004LLU
+++#define GRUB_MEM_ATTR_W	0x0000000000000002LLU
+++#define GRUB_MEM_ATTR_X	0x0000000000000001LLU
+++
+++#ifdef GRUB_MACHINE_EFI
+++grub_err_t EXPORT_FUNC(grub_get_mem_attrs) (grub_addr_t addr,
+++					    grub_size_t size,
+++					    grub_uint64_t *attrs);
+++grub_err_t EXPORT_FUNC(grub_update_mem_attrs) (grub_addr_t addr,
+++					       grub_size_t size,
+++					       grub_uint64_t set_attrs,
+++					       grub_uint64_t clear_attrs);
+++#else /* !GRUB_MACHINE_EFI */
+++static inline grub_err_t
+++grub_get_mem_attrs (grub_addr_t addr __attribute__((__unused__)),
+++		    grub_size_t size __attribute__((__unused__)),
+++		    grub_uint64_t *attrs __attribute__((__unused__)))
+++{
+++  *attrs = GRUB_MEM_ATTR_R | GRUB_MEM_ATTR_W | GRUB_MEM_ATTR_X;
+++  return GRUB_ERR_NONE;
+++}
+++
+++static inline grub_err_t
+++grub_update_mem_attrs (grub_addr_t addr __attribute__((__unused__)),
+++		       grub_size_t size __attribute__((__unused__)),
+++		       grub_uint64_t set_attrs __attribute__((__unused__)),
+++		       grub_uint64_t clear_attrs __attribute__((__unused__)))
+++{
+++  return GRUB_ERR_NONE;
+++}
+++#endif /* GRUB_MACHINE_EFI */
+++
++ void grub_mm_check_real (const char *file, int line);
++ #define grub_mm_check() grub_mm_check_real (GRUB_FILE, __LINE__);
++
 diff --git a/debian/patches/nx/nx-set-page-permissions-for-loaded-modules.patch b/debian/patches/nx/nx-set-page-permissions-for-loaded-modules.patch
 new file mode 100644
 index 0000000..f4eecc9
 --- /dev/null
 +++ b/debian/patches/nx/nx-set-page-permissions-for-loaded-modules.patch
@@ -0,0 +1,222 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Mon, 21 Mar 2022 17:46:35 -0400
++Subject: nx: set page permissions for loaded modules.
++
++For NX, we need to set write and executable permissions on the sections
++of grub modules when we load them.
++
++On sections with SHF_ALLOC set, which is typically everything except
++.modname and the symbol and string tables, this patch clears the Read
++Only flag on sections that have the ELF flag SHF_WRITE set, and clears
++the No eXecute flag on sections with SHF_EXECINSTR set.  In all other
++cases it sets both flags.
++
++Original-Author: Peter Jones <pjones@redhat.com>
++Original-Author: Robbie Harwood <rharwood@redhat.com>
++Original-Author: Laszlo Ersek <lersek@redhat.com>
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ grub-core/kern/dl.c | 104 +++++++++++++++++++++++++++++++++++++++++++++-------
++ include/grub/dl.h   |  46 +++++++++++++++++++++++
++ 2 files changed, 137 insertions(+), 13 deletions(-)
++
++diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
++index 8338f74..3341d78 100644
++--- a/grub-core/kern/dl.c
+++++ b/grub-core/kern/dl.c
++@@ -616,25 +616,97 @@ grub_dl_relocate_symbols (grub_dl_t mod, void *ehdr)
++ 	grub_dl_segment_t seg;
++ 	grub_err_t err;
++
++-	/* Find the target segment.  */
++-	for (seg = mod->segment; seg; seg = seg->next)
++-	  if (seg->section == s->sh_info)
++-	    break;
+++	seg = grub_dl_find_segment(mod, s->sh_info);
+++        if (!seg)
+++	  continue;
++
++-	if (seg)
++-	  {
++-	    if (!mod->symtab)
++-	      return grub_error (GRUB_ERR_BAD_MODULE, "relocation without symbol table");
+++	if (!mod->symtab)
+++	  return grub_error (GRUB_ERR_BAD_MODULE, "relocation without symbol table");
++
++-	    err = grub_arch_dl_relocate_symbols (mod, ehdr, s, seg);
++-	    if (err)
++-	      return err;
++-	  }
+++	err = grub_arch_dl_relocate_symbols (mod, ehdr, s, seg);
+++	if (err)
+++	  return err;
++       }
++
++   return GRUB_ERR_NONE;
++ }
++
+++/* Only define this on EFI to save space in core */
+++#ifdef GRUB_MACHINE_EFI
+++static grub_err_t
+++grub_dl_set_mem_attrs (grub_dl_t mod, void *ehdr)
+++{
+++  unsigned i;
+++  const Elf_Shdr *s;
+++  const Elf_Ehdr *e = ehdr;
+++  grub_err_t err;
+++#if !defined (__i386__) && !defined (__x86_64__) && !defined(__riscv)
+++  grub_size_t arch_addralign = grub_arch_dl_min_alignment ();
+++  grub_addr_t tgaddr;
+++  grub_size_t tgsz;
+++#endif
+++
+++  for (i = 0, s = (const Elf_Shdr *)((const char *) e + e->e_shoff);
+++       i < e->e_shnum;
+++       i++, s = (const Elf_Shdr *)((const char *) s + e->e_shentsize))
+++    {
+++      grub_dl_segment_t seg;
+++      grub_uint64_t set_attrs = GRUB_MEM_ATTR_R;
+++      grub_uint64_t clear_attrs = GRUB_MEM_ATTR_W|GRUB_MEM_ATTR_X;
+++
+++      seg = grub_dl_find_segment(mod, i);
+++      if (!seg)
+++	continue;
+++
+++      if (seg->size == 0 || !(s->sh_flags & SHF_ALLOC))
+++	continue;
+++
+++      if (s->sh_flags & SHF_WRITE)
+++	{
+++	  set_attrs |= GRUB_MEM_ATTR_W;
+++	  clear_attrs &= ~GRUB_MEM_ATTR_W;
+++	}
+++
+++      if (s->sh_flags & SHF_EXECINSTR)
+++	{
+++	  set_attrs |= GRUB_MEM_ATTR_X;
+++	  clear_attrs &= ~GRUB_MEM_ATTR_X;
+++	}
+++
+++      err = grub_update_mem_attrs ((grub_addr_t)(seg->addr), seg->size,
+++				   set_attrs, clear_attrs);
+++      if (err != GRUB_ERR_NONE)
+++	return err;
+++    }
+++
+++#if !defined (__i386__) && !defined (__x86_64__) && !defined(__riscv)
+++  tgaddr = grub_min((grub_addr_t)mod->tramp, (grub_addr_t)mod->got);
+++  tgsz = grub_max((grub_addr_t)mod->trampptr, (grub_addr_t)mod->gotptr) - tgaddr;
+++
+++  if (tgsz)
+++    {
+++      tgsz = ALIGN_UP(tgsz, arch_addralign);
+++
+++      if (tgaddr < (grub_addr_t)mod->base ||
+++          tgsz > (grub_addr_t)-1 - tgaddr ||
+++	  tgaddr + tgsz > (grub_addr_t)mod->base + mod->sz)
+++	return grub_error (GRUB_ERR_BUG,
+++			   "BUG: trying to protect pages outside of module "
+++			   "allocation (\"%s\"): module base %p, size 0x%"
+++			   PRIxGRUB_SIZE "; tramp/GOT base 0x%" PRIxGRUB_ADDR
+++			   ", size 0x%" PRIxGRUB_SIZE,
+++			   mod->name, mod->base, mod->sz, tgaddr, tgsz);
+++      err = grub_update_mem_attrs (tgaddr, tgsz, GRUB_MEM_ATTR_R|GRUB_MEM_ATTR_X,
+++				   GRUB_MEM_ATTR_W);
+++      if (err != GRUB_ERR_NONE)
+++	return err;
+++    }
+++#endif
+++
+++  return GRUB_ERR_NONE;
+++}
+++#endif
+++
++ /* Load a module from core memory.  */
++ grub_dl_t
++ grub_dl_load_core_noinit (void *addr, grub_size_t size)
++@@ -668,6 +740,7 @@ grub_dl_load_core_noinit (void *addr, grub_size_t size)
++   mod->ref_count = 1;
++
++   grub_dprintf ("modules", "relocating to %p\n", mod);
+++
++   /* Me, Vladimir Serbinenko, hereby I add this module check as per new
++      GNU module policy. Note that this license check is informative only.
++      Modules have to be licensed under GPLv3 or GPLv3+ (optionally
++@@ -681,7 +754,12 @@ grub_dl_load_core_noinit (void *addr, grub_size_t size)
++       || grub_dl_resolve_dependencies (mod, e)
++       || grub_dl_load_segments (mod, e)
++       || grub_dl_resolve_symbols (mod, e)
++-      || grub_dl_relocate_symbols (mod, e))
+++      || grub_dl_relocate_symbols (mod, e)
+++#ifdef GRUB_MACHINE_EFI
+++      || grub_dl_set_mem_attrs (mod, e))
+++#else
+++  	)
+++#endif
++     {
++       mod->fini = 0;
++       grub_dl_unload (mod);
++diff --git a/include/grub/dl.h b/include/grub/dl.h
++index e890210..00aaa9c 100644
++--- a/include/grub/dl.h
+++++ b/include/grub/dl.h
++@@ -27,6 +27,7 @@
++ #include <grub/elf.h>
++ #include <grub/list.h>
++ #include <grub/misc.h>
+++#include <grub/mm.h>
++ #endif
++
++ /*
++@@ -254,6 +255,51 @@ grub_dl_is_persistent (grub_dl_t mod)
++   return mod->persistent;
++ }
++
+++#pragma GCC diagnostic ignored "-Wcast-align"
+++
+++static inline const char *
+++grub_dl_get_section_name (const Elf_Ehdr *e, const Elf_Shdr *s)
+++{
+++  Elf_Shdr *str_s;
+++  const char *str;
+++
+++  str_s = (Elf_Shdr *) ((char *) e + e->e_shoff + e->e_shstrndx * e->e_shentsize);
+++  str = (char *) e + str_s->sh_offset;
+++
+++  return str + s->sh_name;
+++}
+++
+++static inline long
+++grub_dl_find_section_index (Elf_Ehdr *e, const char *name)
+++{
+++  Elf_Shdr *s;
+++  const char *str;
+++  unsigned i;
+++
+++  s = (Elf_Shdr *) ((char *) e + e->e_shoff + e->e_shstrndx * e->e_shentsize);
+++  str = (char *) e + s->sh_offset;
+++
+++  for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);
+++       i < e->e_shnum;
+++       i++, s = (Elf_Shdr *) ((char *) s + e->e_shentsize))
+++    if (grub_strcmp (str + s->sh_name, name) == 0)
+++      return (long)i;
+++  return -1;
+++}
+++
+++/* Return the segment for a section of index N */
+++static inline grub_dl_segment_t
+++grub_dl_find_segment (grub_dl_t mod, unsigned n)
+++{
+++  grub_dl_segment_t seg;
+++
+++  for (seg = mod->segment; seg; seg = seg->next)
+++    if (seg->section == n)
+++      return seg;
+++
+++  return NULL;
+++}
+++
++ #endif
++
++ grub_err_t grub_dl_register_symbol (const char *name, void *addr,
 diff --git a/debian/patches/nx/nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch b/debian/patches/nx/nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch
 new file mode 100644
 index 0000000..95f90f0
 --- /dev/null
 +++ b/debian/patches/nx/nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch
@@ -0,0 +1,49 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Tue, 22 Mar 2022 10:57:20 -0400
++Subject: nx: set the nx compatible flag in EFI grub images
++
++For NX, we need the grub binary to announce that it is compatible with
++the NX feature.  This implies that when loading the executable grub
++image, several attributes are true:
++
++- the binary doesn't need an executable stack
++- the binary doesn't need sections to be both executable and writable
++- the binary knows how to use the EFI Memory Attributes protocol on code
++  it is loading.
++
++This patch
++- adds a definition for the PE DLL Characteristics flag GRUB_PE32_NX_COMPAT
++- changes grub-mkimage to set that flag.
++
++Original-Author: Peter Jones <pjones@redhat.com>
++Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
++---
++ include/grub/efi/pe32.h | 2 ++
++ util/mkimage.c          | 1 +
++ 2 files changed, 3 insertions(+)
++
++diff --git a/include/grub/efi/pe32.h b/include/grub/efi/pe32.h
++index 4e6e9d2..9887e14 100644
++--- a/include/grub/efi/pe32.h
+++++ b/include/grub/efi/pe32.h
++@@ -231,6 +231,8 @@ struct grub_pe64_optional_header
++
++ #define GRUB_PE32_SUBSYSTEM_EFI_APPLICATION	10
++
+++#define GRUB_PE32_NX_COMPAT	0x0100
+++
++ #define GRUB_PE32_NUM_DATA_DIRECTORIES	16
++
++ struct grub_pe32_section_table
++diff --git a/util/mkimage.c b/util/mkimage.c
++index ee0e6f6..dfd757a 100644
++--- a/util/mkimage.c
+++++ b/util/mkimage.c
++@@ -1403,6 +1403,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
++ #pragma GCC diagnostic push
++ #pragma GCC diagnostic ignored "-Wdangling-pointer"
++ #endif
+++	PE_OHDR (o32, o64, dll_characteristics) = grub_host_to_target16 (GRUB_PE32_NX_COMPAT);
++ 	PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size);
++ 	PE_OHDR (o32, o64, entry_addr) = grub_host_to_target32 (layout.start_address);
++ 	PE_OHDR (o32, o64, image_base) = 0;
 diff --git a/debian/patches/nx/peimage-Add-memory-attribute-support.patch b/debian/patches/nx/peimage-Add-memory-attribute-support.patch
 new file mode 100644
 index 0000000..8950430
 --- /dev/null
 +++ b/debian/patches/nx/peimage-Add-memory-attribute-support.patch
@@ -0,0 +1,132 @@
++From: Mate Kukri <mate.kukri@canonical.com>
++Date: Wed, 12 Jun 2024 15:08:04 +0100
++Subject: peimage: Add memory attribute support
++
++---
++ grub-core/loader/efi/peimage.c | 68 ++++++++++++++++++++++++++++++++++++++++--
++ 1 file changed, 65 insertions(+), 3 deletions(-)
++
++diff --git a/grub-core/loader/efi/peimage.c b/grub-core/loader/efi/peimage.c
++index e28f020..22d7e1a 100644
++--- a/grub-core/loader/efi/peimage.c
+++++ b/grub-core/loader/efi/peimage.c
++@@ -8,6 +8,7 @@
++ #include <grub/efi/efi.h>
++ #include <grub/efi/pe32.h>
++ #include <grub/efi/peimage.h>
+++#include <grub/efi/sb.h>
++ #include <grub/env.h>
++ #include <grub/misc.h>
++ #include <grub/mm.h>
++@@ -22,6 +23,7 @@ struct image_info
++   void *data;
++   grub_efi_uint32_t data_size;
++   grub_efi_device_path_t *file_path;
+++  grub_efi_uint8_t nx_compat;
++   grub_efi_uint16_t machine;
++   grub_efi_uint16_t num_sections;
++   struct grub_pe32_section_table *section;
++@@ -145,6 +147,8 @@ check_pe_header (struct image_info *info)
++ 	  grub_error (GRUB_ERR_BAD_OS, "expected EFI application");
++ 	  return GRUB_EFI_LOAD_ERROR;
++ 	}
+++      info->nx_compat =
+++	(pe32_header->dll_characteristics & GRUB_PE32_NX_COMPAT) != 0;
++       info->section_alignment = pe32_header->section_alignment;
++       info->image_base = pe32_header->image_base;
++       info->image_size = pe32_header->image_size;
++@@ -171,6 +175,8 @@ check_pe_header (struct image_info *info)
++ 	  grub_error (GRUB_ERR_BAD_OS, "expected EFI application");
++ 	  return GRUB_EFI_LOAD_ERROR;
++ 	}
+++      info->nx_compat =
+++	(pe64_header->dll_characteristics & GRUB_PE32_NX_COMPAT) != 0;
++       info->section_alignment = pe64_header->section_alignment;
++       info->image_base = pe64_header->image_base;
++       info->image_size = pe64_header->image_size;
++@@ -196,6 +202,19 @@ check_pe_header (struct image_info *info)
++       return GRUB_EFI_LOAD_ERROR;
++     }
++
+++  /* NOTE: shim_lock->verify() also enforces this, so this
+++   * check won't be hit when used with shim */
+++  if (grub_efi_check_nx_required() && !info->nx_compat)
+++    {
+++      grub_error (GRUB_ERR_BAD_OS, "NX policy violation");
+++      return GRUB_EFI_SECURITY_VIOLATION;
+++    }
+++  if (info->nx_compat && info->section_alignment < GRUB_EFI_PAGE_SIZE)
+++    {
+++      grub_error (GRUB_ERR_BAD_OS, "NX compatible image with sub-page section alignment");
+++      return GRUB_EFI_LOAD_ERROR;
+++    }
+++
++   if ((unsigned long)info->section
++ 	  + info->num_sections * sizeof (*info->section)
++       > (unsigned long)info->data + info->data_size)
++@@ -221,6 +240,9 @@ load_sections (struct image_info *info)
++ {
++   struct grub_pe32_section_table *section;
++   unsigned long align_mask = 0xfff;
+++  grub_addr_t section_addr;
+++  grub_err_t err;
+++  grub_uint64_t section_set_mem_attr, section_clear_mem_attr;
++
++   /* Section alignment must be a power of two */
++   if (info->section_alignment & (info->section_alignment - 1))
++@@ -264,12 +286,52 @@ load_sections (struct image_info *info)
++ 	  return GRUB_EFI_LOAD_ERROR;
++ 	}
++
++-      grub_memset ((void *)((unsigned long)info->image_addr + section->virtual_address),
++-		   0, section->virtual_size);
+++      section_addr = (grub_addr_t)info->image_addr + section->virtual_address;
+++
+++      grub_memset ((void *) section_addr, 0, section->virtual_size);
++       grub_memcpy (
++-	  (void *)((unsigned long)info->image_addr + section->virtual_address),
+++          (void *) section_addr,
++ 	  (void *)((unsigned long)info->data + section->raw_data_offset),
++ 	  section->raw_data_size);
+++
+++      if (!info->nx_compat)
+++	continue;
+++
+++      if (section_addr & (GRUB_EFI_PAGE_SIZE - 1))
+++        {
+++          grub_error (GRUB_ERR_BAD_OS, "NX compatible image with badly aligned section");
+++	  return GRUB_EFI_LOAD_ERROR;
+++        }
+++
+++      if ((section->characteristics & GRUB_PE32_SCN_MEM_WRITE) && (section->characteristics & GRUB_PE32_SCN_MEM_EXECUTE))
+++	{
+++	  grub_error (GRUB_ERR_BAD_OS, "NX compatible image with W|X section");
+++	  return GRUB_EFI_LOAD_ERROR;
+++	}
+++
+++      section_set_mem_attr = 0;
+++      section_clear_mem_attr = 0;
+++      if (section->characteristics & GRUB_PE32_SCN_MEM_READ)
+++	section_set_mem_attr |= GRUB_MEM_ATTR_R;
+++      else
+++	section_clear_mem_attr |= GRUB_MEM_ATTR_R;
+++      if (section->characteristics & GRUB_PE32_SCN_MEM_WRITE)
+++	section_set_mem_attr |= GRUB_MEM_ATTR_W;
+++      else
+++	section_clear_mem_attr |= GRUB_MEM_ATTR_W;
+++      if (section->characteristics & GRUB_PE32_SCN_MEM_EXECUTE)
+++	section_set_mem_attr |= GRUB_MEM_ATTR_X;
+++      else
+++	section_clear_mem_attr |= GRUB_MEM_ATTR_X;
+++
+++      err = grub_update_mem_attrs (section_addr,
+++				   GRUB_EFI_BYTES_TO_PAGES(section->virtual_size) * GRUB_EFI_PAGE_SIZE,
+++				   section_set_mem_attr, section_clear_mem_attr);
+++      if (err != GRUB_ERR_NONE)
+++	{
+++	  grub_error (GRUB_ERR_BAD_OS, "Failed to set PE section memory attributes");
+++	  return GRUB_EFI_LOAD_ERROR;
+++	}
++     }
++
++   info->entry_point = (void *)((unsigned long)info->entry_point
 diff --git a/debian/patches/secure-boot/efi-use-peimage-shim.patch b/debian/patches/secure-boot/efi-use-peimage-shim.patch
 index 505f92f..c05440e 100644
 --- a/debian/patches/secure-boot/efi-use-peimage-shim.patch
 +++ b/debian/patches/secure-boot/efi-use-peimage-shim.patch
@@ -30,9 +30,9 @@ Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
  Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
  ---
   grub-core/Makefile.core.def    |  12 +
-- grub-core/loader/efi/peimage.c | 902 +++++++++++++++++++++++++++++++++++++++++
++ grub-core/loader/efi/peimage.c | 826 +++++++++++++++++++++++++++++++++++++++++
   include/grub/efi/peimage.h     |  19 +
-- 3 files changed, 933 insertions(+)
++ 3 files changed, 857 insertions(+)
   create mode 100644 grub-core/loader/efi/peimage.c
   create mode 100644 include/grub/efi/peimage.h
@@ -61,10 +61,10 @@ index 333d3fe..c3ad031 100644
     efi = loader/efi/fdt.c;
  diff --git a/grub-core/loader/efi/peimage.c b/grub-core/loader/efi/peimage.c
  new file mode 100644
--index 0000000..0387277
++index 0000000..e28f020
  --- /dev/null
  +++ b/grub-core/loader/efi/peimage.c
--@@ -0,0 +1,902 @@
++@@ -0,0 +1,826 @@
  +/* peimage.c - load EFI PE binaries (for Secure Boot support) */
+ +
  +// SPDX-License-Identifier: GPL-3.0+
@@ -82,33 +82,39 @@ index 0000000..0387277
+ +
  +GRUB_MOD_LICENSE ("GPLv3+");
+ +
--+
  +static grub_dl_t my_mod;
+ +
  +struct image_info
  +{
--+  grub_efi_loaded_image_t loaded_image;
--+
--+  grub_efi_device_path_t *orig_file_path;
--+
  +  void *data;
  +  grub_efi_uint32_t data_size;
+++  grub_efi_device_path_t *file_path;
  +  grub_efi_uint16_t machine;
  +  grub_efi_uint16_t num_sections;
  +  struct grub_pe32_section_table *section;
  +  struct grub_pe32_data_directory *reloc;
  +  grub_uint64_t image_base;
  +  grub_uint32_t section_alignment;
+++  grub_uint32_t image_size;
  +  grub_uint32_t header_size;
  +  void *alloc_addr;
  +  grub_uint32_t alloc_pages;
--+
+++  void *image_addr;
  +  grub_efi_status_t (__grub_efi_api *entry_point) (
--+      grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
+++    grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
+++};
+ +
+++static struct
+++{
  +  grub_jmp_buf jmp;
+++  grub_efi_handle_t image_handle;
  +  grub_efi_status_t exit_status;
--+};
+++  grub_efi_status_t (__grub_efi_api *exit) (grub_efi_handle_t image_handle,
+++					    grub_efi_status_t exit_status,
+++					    grub_efi_uintn_t exit_data_size,
+++					    grub_efi_char16_t *exit_data);
+++} started_image;
+++
+ +
  +static grub_uint16_t machines[] = {
  +#if defined(__x86_64__)
@@ -126,19 +132,6 @@ index 0000000..0387277
  +#endif
  +};
+ +
--+// Forward declare unload_image handler
--+static grub_efi_status_t __grub_efi_api
--+do_unload_image (grub_efi_handle_t image_handle);
--+
--+// Original exit handler
--+static grub_efi_status_t (__grub_efi_api *exit_orig) (
--+    grub_efi_handle_t image_handle, grub_efi_status_t exit_status,
--+    grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data);
--+
--+// Original unload_image handler
--+static grub_efi_status_t (__grub_efi_api *unload_image_orig) (
--+  grub_efi_handle_t image_handle);
--+
  +/**
  + * check_machine_type() - check if the machine type matches the architecture
  + *
@@ -221,7 +214,7 @@ index 0000000..0387277
  +	}
  +      info->section_alignment = pe32_header->section_alignment;
  +      info->image_base = pe32_header->image_base;
--+      info->loaded_image.image_size = pe32_header->image_size;
+++      info->image_size = pe32_header->image_size;
  +      info->entry_point = (void *)(unsigned long)pe32_header->entry_addr;
  +      info->header_size = pe32_header->header_size;
  +      if (info->data_size < info->header_size)
@@ -247,7 +240,7 @@ index 0000000..0387277
  +	}
  +      info->section_alignment = pe64_header->section_alignment;
  +      info->image_base = pe64_header->image_base;
--+      info->loaded_image.image_size = pe64_header->image_size;
+++      info->image_size = pe64_header->image_size;
  +      info->entry_point = (void *)(unsigned long)pe64_header->entry_addr;
  +      info->header_size = pe64_header->header_size;
  +      if (info->data_size < info->header_size)
@@ -306,8 +299,7 @@ index 0000000..0387277
  +  if (info->section_alignment > align_mask)
  +    align_mask = info->section_alignment - 1;
+ +
--+  info->alloc_pages = GRUB_EFI_BYTES_TO_PAGES (info->loaded_image.image_size
--+					       + (align_mask & ~0xfffUL));
+++  info->alloc_pages = GRUB_EFI_BYTES_TO_PAGES (info->image_size + (align_mask & ~0xfffUL));
+ +
  +  info->alloc_addr = grub_efi_allocate_pages_real (
  +      GRUB_EFI_MAX_USABLE_ADDRESS, info->alloc_pages,
@@ -315,44 +307,40 @@ index 0000000..0387277
  +  if (!info->alloc_addr)
  +    return GRUB_EFI_OUT_OF_RESOURCES;
+ +
--+  info->loaded_image.image_base
+++  info->image_addr
  +      = (void *)(((unsigned long)info->alloc_addr + align_mask) & ~align_mask);
+ +
--+  grub_memcpy (info->loaded_image.image_base, info->data, info->header_size);
+++  grub_memcpy (info->image_addr, info->data, info->header_size);
  +  for (section = &info->section[0];
  +       section < &info->section[info->num_sections]; ++section)
  +    {
--+      if (section->virtual_address < info->header_size
--+	  || (section->raw_data_size
--+	      && section->raw_data_offset < info->header_size))
+++      if ((section->raw_data_size && section->raw_data_offset < info->header_size)
+++	  || (section->virtual_size && section->virtual_address < info->header_size))
  +	{
  +	  grub_error (GRUB_ERR_BAD_OS, "section inside header");
  +	  return GRUB_EFI_LOAD_ERROR;
  +	}
--+      if (section->raw_data_offset + section->raw_data_size > info->data_size)
+++      if (section->raw_data_size && section->raw_data_offset + section->raw_data_size > info->data_size)
  +	{
  +	  grub_error (GRUB_ERR_BAD_OS, "truncated image");
  +	  return GRUB_EFI_LOAD_ERROR;
  +	}
--+      if (section->virtual_address + section->virtual_size
--+	  > info->loaded_image.image_size)
+++      if (section->virtual_size && section->virtual_address + section->virtual_size > info->image_size)
  +	{
  +	  grub_error (GRUB_ERR_BAD_OS, "section outside image");
  +	  return GRUB_EFI_LOAD_ERROR;
  +	}
+ +
--+      grub_memset ((void *)((unsigned long)info->loaded_image.image_base
--+			    + section->virtual_address),
+++      grub_memset ((void *)((unsigned long)info->image_addr + section->virtual_address),
  +		   0, section->virtual_size);
  +      grub_memcpy (
--+	  (void *)((unsigned long)info->loaded_image.image_base
--+		   + section->virtual_address),
+++	  (void *)((unsigned long)info->image_addr + section->virtual_address),
  +	  (void *)((unsigned long)info->data + section->raw_data_offset),
  +	  section->raw_data_size);
  +    }
+ +
  +  info->entry_point = (void *)((unsigned long)info->entry_point
--+			       + (unsigned long)info->loaded_image.image_base);
+++			       + (unsigned long)info->image_addr);
+ +
  +  grub_dprintf ("linux", "sections loaded\n");
+ +
@@ -560,7 +548,7 @@ index 0000000..0387277
  +      return GRUB_EFI_SUCCESS;
  +    }
+ +
--+  if (info->reloc->rva + info->reloc->size > info->loaded_image.image_size)
+++  if (info->reloc->rva + info->reloc->size > info->image_size)
  +    {
  +      grub_error (GRUB_ERR_BAD_OS, "relocation block outside image");
  +      return GRUB_EFI_LOAD_ERROR;
@@ -570,10 +558,9 @@ index 0000000..0387277
  +   * The relocations are based on the difference between
  +   * actual load address and the preferred base address.
  +   */
--+  offset = (unsigned long)info->loaded_image.image_base - info->image_base;
+++  offset = (unsigned long)info->image_addr - info->image_base;
+ +
--+  block = (void *)((unsigned long)info->loaded_image.image_base
--+		   + info->reloc->rva);
+++  block = (void *)((unsigned long)info->image_addr + info->reloc->rva);
  +  reloc_end = (void *)((unsigned long)block + info->reloc->size);
+ +
  +  for (; block < reloc_end;
@@ -585,7 +572,7 @@ index 0000000..0387277
+ +
  +      for (; reloc_entry < block_end; ++reloc_entry)
  +	{
--+	  void *addr = (void *)((unsigned long)info->loaded_image.image_base
+++	  void *addr = (void *)((unsigned long)info->image_addr
  +				+ block->page_rva + (*reloc_entry & 0xfff));
+ +
  +	  reloc_type = *reloc_entry >> 12;
@@ -687,254 +674,203 @@ index 0000000..0387277
  +bad_reloc:
  +  grub_error (GRUB_ERR_BAD_OS, "unsupported relocation type %d, rva 0x%08lx\n",
  +	      *reloc_entry >> 12,
--+	      (unsigned long)reloc_entry
--+		  - (unsigned long)info->loaded_image.image_base);
+++	      (unsigned long)reloc_entry - (unsigned long)info->image_addr);
  +  return GRUB_EFI_LOAD_ERROR;
  +}
+ +
  +/**
--+ * exit_hook() - replacement for EFI_BOOT_SERVICES.Exit()
+++ * efi_exit() - replacement for EFI_BOOT_SERVICES.Exit()
  + *
  + * This function is inserted into system table to trap invocations of
  + * EFI_BOOT_SERVICES.Exit(). If Exit() is called with our handle
  + * return to our start routine using a long jump.
  + *
--+ * @image_handle:	handle of the application as passed on entry
--+ * @exit_status:	the images exit code
--+ * @exit_data_size:	size of @exit_data
--+ * @exit_data:		null terminated string followed by optional data
+++ * @image_handle:       handle of the application as passed on entry
+++ * @exit_status:        the images exit code
+++ * @exit_data_size:     size of @exit_data
+++ * @exit_data:          null terminated string followed by optional data
  + */
  +static grub_efi_status_t __grub_efi_api
--+exit_hook (grub_efi_handle_t image_handle, grub_efi_status_t exit_status,
--+	   grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data)
+++efi_exit (grub_efi_handle_t image_handle, grub_efi_status_t exit_status,
+++	  grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data)
  +{
--+  struct image_info *info;
+++  grub_efi_system_table->boot_services->exit = started_image.exit;
+ +
  +  if (!image_handle)
  +    return GRUB_EFI_INVALID_PARAMETER;
+ +
--+  info = grub_efi_open_protocol (image_handle,
--+				 &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID,
--+				 GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
--+  if (!info)
+++  if (image_handle != started_image.image_handle)
  +    {
  +      grub_dprintf ("linux", "delegating Exit()\n");
--+      return exit_orig (image_handle, exit_status, exit_data_size,
--+			(grub_efi_char16_t *)exit_data);
+++      return started_image.exit (image_handle, exit_status, exit_data_size,
+++				(grub_efi_char16_t *)exit_data);
  +    }
+ +
--+  info->exit_status = exit_status;
+++  started_image.exit_status = exit_status;
+ +
  +  if (exit_status != GRUB_EFI_SUCCESS)
  +    {
  +      grub_printf ("Application failed, r = %d\n",
  +		   (int)exit_status & 0x7fffffff);
  +      if (exit_data_size && exit_data)
--+	{
+++        {
  +	  grub_printf ("exit message: ");
  +	  for (grub_efi_uintn_t pos = 0;
  +	       exit_data[pos] && pos < exit_data_size / 2; ++pos)
  +	    grub_printf ("%C", exit_data[pos]);
  +	  grub_printf ("\n");
--+	}
+++        }
  +    }
  +  if (exit_data_size && exit_data)
  +    {
  +      /* exit data must be freed by the caller */
  +      grub_efi_system_table->boot_services->free_pool (exit_data);
  +    }
--+  grub_longjmp (info->jmp, 1);
+++  grub_longjmp (started_image.jmp, 1);
  +}
+ +
+++static grub_efi_status_t __grub_efi_api
+++do_unload_image (grub_efi_handle_t image_handle);
+++
  +/**
--+ * unload_image_hook() - replacement for EFI_BOOT_SERVICES.UnloadImage()
--+ *
--+ * peimage only supports loading EFI Applications, which cannot be correctly
--+ * unloaded while running.
+++ * start_image() - our implementation of StartImage()
  + *
--+ * Installing this hooks prevents that from happening.
+++ * As we do not load the image via LoadImage() we need our own implementation
+++ * of StartImage() to launch the PE-COFF image.
  + */
--+static grub_efi_status_t __grub_efi_api
--+unload_image_hook (grub_efi_handle_t image_handle)
+++static grub_efi_status_t
+++start_image (struct image_info *info)
  +{
--+  if (grub_efi_open_protocol (image_handle,
--+         &(grub_guid_t) GRUB_PEIMAGE_MARKER_GUID,
--+         GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL))
--+    return GRUB_EFI_UNSUPPORTED;
+++  int ret;
+++  grub_efi_status_t status;
+++  grub_efi_loaded_image_t *loaded_image;
+ +
--+  return unload_image_orig(image_handle);
--+}
+++  /*
+++   * NOTE: We cannot easily comply with the UEFI specification and provide the
+++   * child its own handle, otherwise things can go horribly wrong if said custom
+++   * handle is passed to the firmware by child images
+++   */
+++  started_image.image_handle = grub_efi_image_handle;
+ +
--+static grub_efi_status_t __grub_efi_api
--+do_load_image (grub_efi_boolean_t boot_policy __attribute__ ((unused)),
--+	       grub_efi_handle_t parent_image_handle,
--+	       grub_efi_device_path_t *file_path, void *source_buffer,
--+	       grub_efi_uintn_t source_size, grub_efi_handle_t *image_handle)
--+{
--+  grub_efi_status_t status;
--+  struct image_info *info;
+++  loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
+++  if (loaded_image)
+++    {
+++      loaded_image->image_base = info->image_addr;
+++      loaded_image->image_size = info->image_size;
+++
+++      // Pass just the file path portion to the loaded image
+++      loaded_image->file_path = info->file_path;
+++      while (loaded_image->file_path &&
+++	     (loaded_image->file_path->type != GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
+++	      || loaded_image->file_path->subtype != GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE))
+++	loaded_image->file_path = GRUB_EFI_NEXT_DEVICE_PATH (loaded_image->file_path);
+++    }
+++  else
+++    {
+++      grub_dprintf ("linux", "Loaded image protocol missing\n");
+++    }
+ +
--+  info = grub_efi_allocate_pages_real (
--+      GRUB_EFI_MAX_USABLE_ADDRESS, GRUB_EFI_BYTES_TO_PAGES (sizeof *info),
--+      GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA);
--+  if (!info)
--+    return GRUB_EFI_OUT_OF_RESOURCES;
+++  ret = grub_setjmp (started_image.jmp);
+++  if (ret)
+++    {
+++      do_unload_image(started_image.image_handle);
+++      started_image.image_handle = NULL;
+++      return started_image.exit_status;
+++    }
+ +
--+  grub_memset (info, 0, sizeof *info);
+++  started_image.exit = grub_efi_system_table->boot_services->exit;
+++  grub_efi_system_table->boot_services->exit = efi_exit;
+ +
--+  info->data = source_buffer;
--+  info->data_size = source_size;
+++  grub_dprintf (
+++      "linux",
+++      "Executing image loaded at 0x%lx\nEntry point 0x%lx\nSize 0x%08x\n",
+++      (unsigned long)info->image_addr, (unsigned long)info->entry_point,
+++      info->image_size);
+ +
--+  // Save original device path
--+  if (file_path)
--+    info->orig_file_path = grub_efi_duplicate_device_path (file_path);
+++  /* Invalidate the instruction cache */
+++  grub_arch_sync_caches (info->image_addr, info->image_size);
+ +
--+  // Split out file path
--+  while (file_path
--+	 && (file_path->type != GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
--+	     || file_path->subtype != GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE))
--+    file_path = GRUB_EFI_NEXT_DEVICE_PATH (file_path);
--+  if (file_path)
--+    info->loaded_image.file_path = grub_efi_duplicate_device_path (file_path);
+++  status = info->entry_point (started_image.image_handle, grub_efi_system_table);
+ +
--+  // Process PE image
--+  status = check_pe_header (info);
--+  if (status != GRUB_EFI_SUCCESS)
--+    goto err;
+++  grub_dprintf ("linux", "Application returned\n");
+ +
--+  status = load_sections (info);
--+  if (status != GRUB_EFI_SUCCESS)
--+    goto err;
+++  return efi_exit (started_image.image_handle, status, 0, NULL);
+++}
+++
+++static struct image_info info;
+++
+++/* TODO: move the creation of the load options here */
+++static grub_efi_status_t __grub_efi_api
+++do_load_image (grub_efi_boolean_t boot_policy __attribute__ ((unused)),
+++               grub_efi_handle_t parent_image_handle __attribute__ ((unused)),
+++               grub_efi_device_path_t *file_path,
+++               void *source_buffer, grub_efi_uintn_t source_size,
+++               grub_efi_handle_t *image_handle)
+++{
+++  grub_efi_status_t ret = GRUB_EFI_SUCCESS;
+++  if (info.data != NULL)
+++    {
+++      grub_error (GRUB_ERR_BAD_OS, "cannot load multiple images");
+++      return GRUB_EFI_LOAD_ERROR;
+++    }
+++
+++  grub_dl_ref (my_mod);
+++
+++  info = (struct image_info){
+++    .data = source_buffer,
+++    .data_size = source_size,
+++    .file_path = grub_efi_duplicate_device_path(file_path),
+++  };
+ +
--+  status = relocate (info);
--+  if (status != GRUB_EFI_SUCCESS)
+++  ret = check_pe_header (&info);
+++  if (ret != GRUB_EFI_SUCCESS)
  +    goto err;
+ +
--+  // Setup EFI_LOADED_IMAGE_PROTOCOL
--+  info->loaded_image.revision = GRUB_EFI_LOADED_IMAGE_REVISION;
--+  info->loaded_image.parent_handle = parent_image_handle;
--+  info->loaded_image.system_table = grub_efi_system_table;
--+  info->loaded_image.image_code_type = GRUB_EFI_LOADER_CODE;
--+  info->loaded_image.image_data_type = GRUB_EFI_LOADER_DATA;
--+
--+  // Instruct EFI to create a new handle
--+  *image_handle = NULL;
--+  status
--+      = grub_efi_system_table->boot_services
--+	    ->install_multiple_protocol_interfaces (
--+		image_handle, &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID, info,
--+		&(grub_guid_t)GRUB_EFI_LOADED_IMAGE_GUID, &info->loaded_image,
--+		&(grub_guid_t)GRUB_EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID,
--+		info->orig_file_path, NULL);
--+  if (status != GRUB_EFI_SUCCESS)
+++  ret = load_sections (&info);
+++  if (ret != GRUB_EFI_SUCCESS)
  +    goto err;
+ +
--+  // Increment module refcount
--+  grub_dl_ref (my_mod);
+++  ret = relocate (&info);
+++  if (ret != GRUB_EFI_SUCCESS)
+++    goto err;
+ +
--+  return status;
+++  *image_handle = grub_efi_image_handle;
+++  return GRUB_EFI_SUCCESS;
+ +
  +err:
--+  if (info->alloc_addr)
--+    grub_efi_free_pages ((unsigned long)info->alloc_addr, info->alloc_pages);
--+  if (info->loaded_image.file_path)
--+    grub_free (info->loaded_image.file_path);
--+  if (info->orig_file_path)
--+    grub_free (info->orig_file_path);
--+  grub_efi_free_pages ((unsigned long)info,
--+		       GRUB_EFI_BYTES_TO_PAGES (sizeof *info));
--+  return status;
+++   /* NOTE: do_unload_image() doesn't care about image_handle */
+++   do_unload_image (NULL);
+++   return ret;
  +}
+ +
  +static grub_efi_status_t __grub_efi_api
--+do_start_image (grub_efi_handle_t image_handle,
+++do_start_image (grub_efi_handle_t image_handle __attribute__ ((unused)),
  +		grub_efi_uintn_t *exit_data_size __attribute__ ((unused)),
  +		grub_efi_char16_t **exit_data __attribute__ ((unused)))
  +{
--+  grub_efi_status_t status;
--+  struct image_info *info;
--+
--+  info = grub_efi_open_protocol (image_handle,
--+				 &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID,
--+				 GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
--+  if (!info)
+++  if (info.data == NULL)
  +    {
  +      grub_error (GRUB_ERR_BAD_OS, "image not loaded");
  +      return GRUB_EFI_LOAD_ERROR;
  +    }
--+
--+  if (grub_setjmp (info->jmp))
--+    {
--+      status = info->exit_status;
--+      do_unload_image (image_handle);
--+    }
--+  else
--+    {
--+      grub_dprintf ("linux",
--+		    "Executing image loaded at 0x%lx\n"
--+		    "Entry point 0x%lx\n"
--+		    "Size 0x%lx\n",
--+		    (unsigned long)info->loaded_image.image_base,
--+		    (unsigned long)info->entry_point,
--+		    (unsigned long)info->loaded_image.image_size);
--+
--+      /* Invalidate the instruction cache */
--+      grub_arch_sync_caches (info->loaded_image.image_base,
--+			     info->loaded_image.image_size);
--+
--+      status = info->entry_point (image_handle, grub_efi_system_table);
--+
--+      grub_dprintf ("linux", "Application returned\n");
--+
--+      /* converge to the same exit path as if the image called
--+       * boot_services->exit itself */
--+      exit_hook (image_handle, status, 0, NULL);
--+
--+      /* image_handle is always valid above, thus exit_hook cannot
--+       * return to here. if only GRUB had assert :(
--+      grub_assert (false && "entered unreachable code");
--+      */
--+    }
--+
--+  return status;
+++  return start_image (&info);
  +}
+ +
  +static grub_efi_status_t __grub_efi_api
--+do_unload_image (grub_efi_handle_t image_handle)
+++do_unload_image (grub_efi_handle_t image_handle __attribute__ ((unused)))
  +{
--+  grub_efi_status_t status;
--+  struct image_info *info;
--+
--+  info = grub_efi_open_protocol (image_handle,
--+				 &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID,
--+				 GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
--+  if (!info)
+++  if (info.data == NULL)
  +    {
  +      grub_error (GRUB_ERR_BAD_OS, "image not loaded");
  +      return GRUB_EFI_LOAD_ERROR;
  +    }
--+
--+  status
--+      = grub_efi_system_table->boot_services
--+	    ->uninstall_multiple_protocol_interfaces (
--+		image_handle, &(grub_guid_t)GRUB_PEIMAGE_MARKER_GUID, info,
--+		&(grub_guid_t)GRUB_EFI_LOADED_IMAGE_GUID, &info->loaded_image,
--+		&(grub_guid_t)GRUB_EFI_LOADED_IMAGE_DEVICE_PATH_PROTOCOL_GUID,
--+		info->orig_file_path, NULL);
--+  if (status != GRUB_EFI_SUCCESS)
--+    return GRUB_EFI_LOAD_ERROR;
--+
--+  if (info->alloc_addr)
--+    grub_efi_free_pages ((unsigned long)info->alloc_addr, info->alloc_pages);
--+  if (info->loaded_image.file_path)
--+    grub_free (info->loaded_image.file_path);
--+  if (info->orig_file_path)
--+    grub_free (info->orig_file_path);
--+
--+  grub_efi_free_pages ((unsigned long)info,
--+		       GRUB_EFI_BYTES_TO_PAGES (sizeof *info));
+++  if (info.alloc_addr)
+++    grub_efi_free_pages ((unsigned long)info.alloc_addr, info.alloc_pages);
+++  if (info.file_path)
+++    grub_free(info.file_path);
+ +
  +  grub_dl_unref (my_mod);
+++  info = (struct image_info){};
+ +
  +  return GRUB_EFI_SUCCESS;
  +}
@@ -949,22 +885,10 @@ index 0000000..0387277
  +{
  +  grub_efi_register_loader (&peimage_loader);
  +  my_mod = mod;
--+
--+  // Hook exit handler
--+  exit_orig = grub_efi_system_table->boot_services->exit;
--+  grub_efi_system_table->boot_services->exit = exit_hook;
--+  // Hook unload_image handler
--+  unload_image_orig = grub_efi_system_table->boot_services->unload_image;
--+  grub_efi_system_table->boot_services->unload_image = unload_image_hook;
  +}
+ +
  +GRUB_MOD_FINI (peimage)
  +{
--+  // Restore exit handler
--+  grub_efi_system_table->boot_services->exit = exit_orig;
--+  // Restore unload_image handler
--+  grub_efi_system_table->boot_services->unload_image = unload_image_orig;
--+
  +  grub_efi_unregister_loader (&peimage_loader);
  +}
  diff --git a/include/grub/efi/peimage.h b/include/grub/efi/peimage.h
 diff --git a/debian/patches/series b/debian/patches/series
 index 05de63a..ad6da55 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -111,3 +111,14 @@ Revert-kern-ieee1275-init-ppc64-Return-allocated-address-.patch
  Revert-kern-ieee1275-init-ppc64-Decide-by-request-whether.patch
  Revert-kern-ieee1275-init-ppc64-Introduce-a-request-for-r.patch
  grub-install-efi-title.patch
++kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-track-.patch
++kern-efi-mm-Change-grub_efi_allocate_pages_real-to-call-s.patch
++kern-efi-mm-Detect-calls-to-grub_efi_drop_alloc-with-wron.patch
++nx/modules-strip-.llvm_addrsig-sections-and-similar.patch
++nx/modules-Don-t-allocate-space-for-non-allocable-sections.patch
++nx/modules-load-module-sections-at-page-aligned-addresses.patch
++nx/nx-add-memory-attribute-get-set-API.patch
++nx/nx-set-page-permissions-for-loaded-modules.patch
++nx/nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch
++nx/efi-Disallow-fallback-to-legacy-Linux-loader-when-shim-sa.patch
++nx/peimage-Add-memory-attribute-support.patch
 diff --git a/debian/patches/suse-grub.texi-add-net_bootp6-document.patch b/debian/patches/suse-grub.texi-add-net_bootp6-document.patch
 index a8a46b4..a84bdfb 100644
 --- a/debian/patches/suse-grub.texi-add-net_bootp6-document.patch
 +++ b/debian/patches/suse-grub.texi-add-net_bootp6-document.patch
@@ -13,10 +13,10 @@ Patch-Name: suse-grub.texi-add-net_bootp6-document.patch
 file changed, 17 insertions(+)
  diff --git a/docs/grub.texi b/docs/grub.texi
--index 584f6dc..4e6fb8d 100644
++index c2682be..c332de3 100644
  --- a/docs/grub.texi
  +++ b/docs/grub.texi
--@@ -5982,6 +5982,7 @@ Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++@@ -5973,6 +5973,7 @@ Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
   * net_add_dns::                 Add a DNS server
   * net_add_route::               Add routing entry
   * net_bootp::                   Perform a bootp/DHCP autoconfiguration
@@ -24,7 +24,7 @@ index 584f6dc..4e6fb8d 100644
   * net_del_addr::                Remove IP address from interface
   * net_del_dns::                 Remove a DNS server
   * net_del_route::               Remove a route entry
--@@ -6107,6 +6108,22 @@ Sets environment variable @samp{net_}@var{<card>}@samp{_boot_file}
++@@ -6098,6 +6099,22 @@ Sets environment variable @samp{net_}@var{<card>}@samp{_boot_file}
   @end deffn
 diff --git a/debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch b/debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch
 index 311f938..2300117 100644
 --- a/debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch
 +++ b/debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch
@@ -15,7 +15,7 @@ Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
 file changed, 1 insertion(+), 1 deletion(-)
  diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
--index c3ad031..3d98edf 100644
++index 7b49f77..ae5c558 100644
  --- a/grub-core/Makefile.core.def
  +++ b/grub-core/Makefile.core.def
@@ -569,7 +569,7 @@ image = {
 diff --git a/debian/patches/ubuntu-support-initrd-less-boot.patch b/debian/patches/ubuntu-support-initrd-less-boot.patch
 index aac23f6..c883c7c 100644
 --- a/debian/patches/ubuntu-support-initrd-less-boot.patch
 +++ b/debian/patches/ubuntu-support-initrd-less-boot.patch
@@ -16,7 +16,7 @@ Patch-Name: ubuntu-support-initrd-less-boot.patch
 files changed, 25 insertions(+), 4 deletions(-)
  diff --git a/docs/grub.texi b/docs/grub.texi
--index b4825b7..584f6dc 100644
++index 990d8c7..c2682be 100644
  --- a/docs/grub.texi
  +++ b/docs/grub.texi
@@ -1615,6 +1615,19 @@ This option sets the English text of the string that will be displayed in
 diff --git a/debian/rules b/debian/rules
 index f806fec..5e2b379 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -253,6 +253,9 @@ debian/stamps/configure-grub-common: debian/stamps/configure-grub-$(COMMON_PLATF
  	touch $@
  debian/stamps/build-grub-common: debian/stamps/build-grub-$(COMMON_PLATFORM)
++ifeq ($(with_check), yes)
++	pytest -q debian/test_grub_sort_version.py
++endif
  	touch $@
  debian/stamps/configure-grub-none debian/stamps/configure-grub-pc debian/stamps/configure-grub-ieee1275 debian/stamps/configure-grub-coreboot debian/stamps/configure-grub-emu debian/stamps/configure-grub-uboot debian/stamps/configure-grub-yeeloong:
 diff --git a/debian/sbat.ubuntu.csv.in b/debian/sbat.ubuntu.csv.in
 index f33b573..0df0cc2 100644
 --- a/debian/sbat.ubuntu.csv.in
 +++ b/debian/sbat.ubuntu.csv.in
@@ -1,4 +1,4 @@
  sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
  grub,4,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
--grub.ubuntu,1,Ubuntu,grub2,@DEB_VERSION@,https://www.ubuntu.com/
--grub.peimage,1,Canonical,grub2,@DEB_VERSION@,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch
++grub.ubuntu,2,Ubuntu,grub2,@DEB_VERSION@,https://www.ubuntu.com/
++grub.peimage,2,Canonical,grub2,@DEB_VERSION@,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch
 diff --git a/debian/test_grub_sort_version.py b/debian/test_grub_sort_version.py
 new file mode 100755
 index 0000000..8718ff4
 --- /dev/null
 +++ b/debian/test_grub_sort_version.py
@@ -0,0 +1,72 @@
++import os
++import pytest
++import subprocess
++
++GRUB_SORT_VERSION = "debian/grub-sort-version"
++
++def assert_grub_sort_version(input, output, flavour_order=""):
++  env = os.environ.copy()
++  env["LC_ALL"] = "C"
++  env["GRUB_FLAVOUR_ORDER"] = flavour_order
++  # Assert the output is as expected
++  result = subprocess.run([GRUB_SORT_VERSION], env=env,
++                          input=input, encoding="utf-8", capture_output=True)
++  assert result.returncode == 0
++  print(result.stdout)
++  assert result.stdout == output
++  # Then do the same in reverse mode too
++  result = subprocess.run([GRUB_SORT_VERSION, "-r"], env=env,
++                          input=input, encoding="utf-8", capture_output=True)
++  assert result.returncode == 0
++  assert result.stdout == "\n".join(output.rstrip().split("\n")[::-1]) + "\n"
++
++def test_empty_line():
++  INPUT = """/boot/vmlinuz-6.5.0-10-generic 2
++/boot/vmlinuz-6.5.0-9-generic 2
++ 2
++"""
++
++  OUTPUT = """ 2
++/boot/vmlinuz-6.5.0-9-generic 2
++/boot/vmlinuz-6.5.0-10-generic 2
++"""
++
++  assert_grub_sort_version(INPUT, OUTPUT)
++
++def test_custom_kernels():
++  INPUT = """/boot/vmlinuz-6.6.0 2
++/boot/vmlinuz-6.5.0-10-generic 2
++/boot/vmlinuz-6.5.0-9-generic 2
++/boot/vmlinuz-6.5.9 2
++/boot/vmlinuz-6.5.8 2
++"""
++
++  OUTPUT = """/boot/vmlinuz-6.5.0-9-generic 2
++/boot/vmlinuz-6.5.0-10-generic 2
++/boot/vmlinuz-6.5.8 2
++/boot/vmlinuz-6.5.9 2
++/boot/vmlinuz-6.6.0 2
++"""
++
++  assert_grub_sort_version(INPUT, OUTPUT)
++
++def test_flavour_order():
++  INPUT = """/boot/vmlinuz-6.5.0-10-generic 2
++/boot/vmlinuz-6.5.0-9-generic 2
++/boot/vmlinuz-6.5.0-9-aaa 2
++/boot/vmlinuz-6.5.0-9-aaa 1
++/boot/vmlinuz-6.5.8 2
++/boot/vmlinuz-6.5.9 2
++/boot/vmlinuz-6.6.0 2
++"""
++
++  OUTPUT = """/boot/vmlinuz-6.5.8 2
++/boot/vmlinuz-6.5.9 2
++/boot/vmlinuz-6.6.0 2
++/boot/vmlinuz-6.5.0-9-aaa 1
++/boot/vmlinuz-6.5.0-9-aaa 2
++/boot/vmlinuz-6.5.0-9-generic 2
++/boot/vmlinuz-6.5.0-10-generic 2
++"""
++
++  assert_grub_sort_version(INPUT, OUTPUT, flavour_order="generic aaa")