cryptocheck: Add --quiet option

The option can be used to suppress output if we only want to test the return value of the command. Also, mention this option in the documentation. Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
disk/cryptodisk: Wipe the passphrase from memory
2025-07-05 08:36:59 +00:00 · 2025-05-06 17:14:04 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00
862 changed files with 60467 additions and 67387 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+po/exclude.pot binary
--- a/.gitignore
+++ b/.gitignore
@ -1,237 +1,285 @@
-*~
-00_header
-10_*
-20_linux_xen
-30_os-prober
-40_custom
-41_custom
+#
+# Ignore patterns in this directory and all subdirectories.
+#
 *.1
 *.8
-ABOUT-NLS
-aclocal.m4
-ahci_test
-ascii.bitmaps
-ascii.h
-autom4te.cache
-build-aux
-build-grub-gen-asciih
-build-grub-gen-widthspec
-build-grub-mkfont
-cdboot_test
-cmp_test
-config.cache
-config.guess
-config.h
-config-util.h
-config-util.h.in
-config.log
-config.status
-config.sub
-configure
-core_compress_test
-DISTLIST
-docs/*.info
-docs/stamp-vti
-docs/version.texi
-ehci_test
-example_grub_script_test
-example_scripted_test
-example_unit_test
+*.a
 *.exec
 *.exec.exe
-fddboot_test
-genkernsyms.sh
-gensymlist.sh
-gentrigtables
-gentrigtables.exe
-gettext_strings_test
-/gnulib
-grub-bin2h
-/grub-bios-setup
-/grub-bios-setup.exe
-grub_cmd_date
-grub_cmd_echo
-grub_cmd_regexp
-grub_cmd_set_date
-grub_cmd_sleep
-/grub-editenv
-/grub-editenv.exe
-grub-emu
-grub-emu-lite
-grub-emu.exe
-grub-emu-lite.exe
-grub_emu_init.c
-grub_emu_init.h
-/grub-file
-/grub-file.exe
-grub-fstest
-grub-fstest.exe
-grub_fstest_init.c
-grub_fstest_init.h
-grub_func_test
-grub-install
-grub-install.exe
-grub-kbdcomp
-/grub-macbless
-/grub-macbless.exe
-grub-macho2img
-/grub-menulst2cfg
-/grub-menulst2cfg.exe
-/grub-mk*
-grub-mount
-/grub-ofpathname
-/grub-ofpathname.exe
-grub-core/build-grub-pe2elf.exe
-/grub-probe
-/grub-probe.exe
-grub_probe_init.c
-grub_probe_init.h
-/grub-reboot
-grub_script_blanklines
-grub_script_blockarg
-grub_script_break
-grub-script-check
-grub-script-check.exe
-grub_script_check_init.c
-grub_script_check_init.h
-grub_script_comments
-grub_script_continue
-grub_script_dollar
-grub_script_echo1
-grub_script_echo_keywords
-grub_script_escape_comma
-grub_script_eval
-grub_script_expansion
-grub_script_final_semicolon
-grub_script_for1
-grub_script_functions
-grub_script_gettext
-grub_script_if
-grub_script_leading_whitespace
-grub_script_no_commands
-grub_script_not
-grub_script_return
-grub_script_setparams
-grub_script_shift
-grub_script_strcmp
-grub_script_test
-grub_script_vars1
-grub_script_while1
-grub_script.tab.c
-grub_script.tab.h
-grub_script.yy.c
-grub_script.yy.h
-grub-set-default
-grub_setup_init.c
-grub_setup_init.h
-grub-shell
-grub-shell-tester
-grub-sparc64-setup
-grub-sparc64-setup.exe
-/grub-syslinux2cfg
-/grub-syslinux2cfg.exe
-gzcompress_test
-hddboot_test
-help_test
-*.img
 *.image
 *.image.exe
-include/grub/cpu
-include/grub/machine
-INSTALL.grub
-install-sh
-lib/libgcrypt-grub
-libgrub_a_init.c
+*.img
 *.log
 *.lst
-lzocompress_test
 *.marker
-Makefile
-/m4
 *.mod
-mod-*.c
-missing
-netboot_test
 *.o
-*.a
-ohci_test
-partmap_test
-pata_test
 *.pf2
 *.pp
-po/*.mo
-po/grub.pot
-po/Makefile.in.in
-po/Makevars
-po/Makevars.template
-po/POTFILES
-po/Rules-quot
-po/stamp-po
-printf_test
-priority_queue_unit_test
-pseries_test
-stamp-h
-stamp-h1
-stamp-h.in
-symlist.c
-symlist.h
-trigtables.c
+*.pyc
 *.trs
-uhci_test
-update-grub_lib
-unidata.c
-xzcompress_test
-Makefile.in
+*~
+.deps-core/
+.deps-util/
+.deps/
+.dirstamp
+DISTLIST
 GPATH
 GRTAGS
 GSYMS
 GTAGS
-compile
-depcomp
+Makefile
+Makefile.in
+ascii.bitmaps
+genkernsyms.sh
+gensymlist.sh
+grub-bin2h
+grub-emu
+grub-emu-lite
+grub-emu-lite.exe
+grub-emu.exe
+grub-macho2img
+grub_emu_init.c
+grub_emu_init.h
+grub_probe_init.c
+grub_probe_init.h
+grub_script.tab.c
+grub_script.tab.h
+grub_script.yy.c
+grub_script.yy.h
+grub_script_check_init.c
+grub_script_check_init.h
+grub_setup_init.c
+grub_setup_init.h
 mdate-sh
-texinfo.tex
-grub-core/lib/libgcrypt-grub
-.deps
-.deps-util
-.deps-core
-.dirstamp
-Makefile.util.am
-contrib
-grub-core/bootinfo.txt
-grub-core/Makefile.core.am
-grub-core/Makefile.gcry.def
-grub-core/contrib
-grub-core/gdb_grub
-grub-core/genmod.sh
-grub-core/gensyminfo.sh
-grub-core/gmodule.pl
-grub-core/grub.chrp
-grub-core/modinfo.sh
-grub-core/*.module
-grub-core/*.module.exe
-grub-core/*.pp
-grub-core/kernel.img.bin
-util/bash-completion.d/grub
-grub-core/lib/gnulib
-grub-core/rs_decoder.h
+mod-*.c
+update-grub_lib
 widthspec.bin
-widthspec.h
-docs/stamp-1
-docs/version-dev.texi
-Makefile.utilgcry.def
-po/*.po
-po/*.gmo
-po/LINGUAS
-po/remove-potcdate.sed
-include/grub/gcrypt/gcrypt.h
-include/grub/gcrypt/g10lib.h
-po/POTFILES.in
-po/POTFILES-shell.in
-/grub-glue-efi
-/grub-render-label
-/grub-glue-efi.exe
-/grub-render-label.exe
+
+#
+# Ignore patterns relative to this .gitignore file's directory.
+#
+/00_header
+/10_*
+/20_linux_xen
+/30_os-prober
+/30_uefi-firmware
+/40_custom
+/41_custom
+/ABOUT-NLS
+/ChangeLog
+/INSTALL.grub
+/Makefile.util.am
+/Makefile.utilgcry.def
+/aclocal.m4
+/ahci_test
+/ascii.h
+/autom4te.cache/
+/btrfs_test
+/build-aux/
+/build-grub-gen-asciih
+/build-grub-gen-widthspec
+/build-grub-mkfont
+/cdboot_test
+/cmp_test
+/compile
+/config-util.h
+/config-util.h.in
+/config.cache
+/config.guess
+/config.h
+/config.log
+/config.status
+/config.sub
+/configure
+/contrib
+/core_compress_test
+/cpio_test
+/date_test
+/depcomp
+/docs/*.info
+/docs/*.info-[0-9]*
+/docs/stamp-1
+/docs/stamp-vti
+/docs/version-dev.texi
+/docs/version.texi
+/ehci_test
+/erofs_test
+/example_grub_script_test
+/example_scripted_test
+/example_unit_test
+/exfat_test
+/ext234_test
+/f2fs_test
+/fat_test
+/fddboot_test
+/file_filter_test
 /garbage-gen
 /garbage-gen.exe
+/gettext_strings_test
+/gnulib/
+/grub-2.[0-9]*/
+/grub-2.[0-9]*.tar.gz
+/grub-bios-setup
+/grub-bios-setup.exe
+/grub-core/*.module
+/grub-core/*.module.exe
+/grub-core/*.pp
+/grub-core/Makefile.core.am
+/grub-core/Makefile.gcry.def
+/grub-core/bootinfo.txt
+/grub-core/build-grub-module-verifier
+/grub-core/build-grub-pe2elf.exe
+/grub-core/contrib
+/grub-core/gdb_grub
+/grub-core/genmod.sh
+/grub-core/gensyminfo.sh
+/grub-core/gentrigtables
+/grub-core/gentrigtables.exe
+/grub-core/gmodule.pl
+/grub-core/grub.chrp
+/grub-core/kernel.img.bin
+/grub-core/lib/gnulib
+/grub-core/lib/libgcrypt-grub
+/grub-core/lib/libtasn1-grub
+/grub-core/modinfo.sh
+/grub-core/rs_decoder.h
+/grub-core/symlist.c
+/grub-core/symlist.h
+/grub-core/tests/asn1/tests
+/grub-core/trigtables.c
+/grub-core/unidata.c
+/grub-editenv
+/grub-editenv.exe
+/grub-file
+/grub-file.exe
 /grub-fs-tester
-grub-core/build-grub-module-verifier
+/grub-fstest
+/grub-fstest.exe
+/grub-glue-efi
+/grub-glue-efi.exe
+/grub-install
+/grub-install.exe
+/grub-kbdcomp
+/grub-macbless
+/grub-macbless.exe
+/grub-menulst2cfg
+/grub-menulst2cfg.exe
+/grub-mk*
+/grub-mount
+/grub-ofpathname
+/grub-ofpathname.exe
+/grub-probe
+/grub-probe.exe
+/grub-protect
+/grub-protect.exe
+/grub-reboot
+/grub-render-label
+/grub-render-label.exe
+/grub-script-check
+/grub-script-check.exe
+/grub-set-default
+/grub-shell
+/grub-shell-tester
+/grub-sparc64-setup
+/grub-sparc64-setup.exe
+/grub-syslinux2cfg
+/grub-syslinux2cfg.exe
+/grub_cmd_date
+/grub_cmd_echo
+/grub_cmd_regexp
+/grub_cmd_set_date
+/grub_cmd_sleep
+/grub_cmd_test
+/grub_cmd_tr
+/grub_fstest_init.c
+/grub_fstest_init.h
+/grub_func_test
+/grub_script_blanklines
+/grub_script_blockarg
+/grub_script_break
+/grub_script_comments
+/grub_script_continue
+/grub_script_dollar
+/grub_script_echo1
+/grub_script_echo_keywords
+/grub_script_escape_comma
+/grub_script_eval
+/grub_script_expansion
+/grub_script_final_semicolon
+/grub_script_for1
+/grub_script_functions
+/grub_script_gettext
+/grub_script_if
+/grub_script_leading_whitespace
+/grub_script_no_commands
+/grub_script_not
+/grub_script_return
+/grub_script_setparams
+/grub_script_shift
+/grub_script_strcmp
+/grub_script_test
+/grub_script_vars1
+/grub_script_while1
+/gzcompress_test
+/hddboot_test
+/help_test
+/hfs_test
+/hfsplus_test
+/include/grub/cpu
+/include/grub/gcrypt/g10lib.h
+/include/grub/gcrypt/gcrypt.h
+/include/grub/machine
+/install-sh
+/iso9660_test
+/jfs_test
+/lib/libgcrypt-grub
+/libgrub_a_init.c
+/lzocompress_test
+/luks1_test
+/luks2_test
+/m4/
+/minixfs_test
+/missing
+/netboot_test
+/nilfs2_test
+/ntfs_test
+/ohci_test
+/partmap_test
+/pata_test
+/po/*.gmo
+/po/*.mo
+/po/*.po
+/po/LINGUAS
+/po/Makefile.in.in
+/po/Makevars
+/po/Makevars.template
+/po/POTFILES
+/po/POTFILES-shell.in
+/po/POTFILES.in
+/po/Rules-quot
+/po/grub.pot
+/po/remove-potcdate.sed
+/po/stamp-po
+/printf_test
+/priority_queue_unit_test
+/pseries_test
+/reiserfs_test
+/romfs_test
+/squashfs_test
+/stamp-h
+/stamp-h.in
+/stamp-h1
+/syslinux_test
+/tar_test
+/test_sha512sum
+/test_unset
+/tests/syslinux/ubuntu10.04_grub.cfg
+/texinfo.tex
+/udf_test
+/uhci_test
+/util/bash-completion.d/grub
+/widthspec.h
+/xfs_test
+/xzcompress_test
+/zfs_test
--- a/.travis.yml
+++ b/.travis.yml
@ -12,6 +12,7 @@ language: c
 addons:
  apt:
    packages:
+    - autopoint
    - libsdl1.2-dev
    - lzop
    - ovmf
@ -35,7 +36,7 @@ before_script:
 script:
  # Comments must be outside the command strings below, or the Travis parser
  # will get confused.
-  - ./autogen.sh
+  - ./bootstrap

  # Build all selected GRUB targets.
  - for target in $GRUB_TARGETS; do
--- a/55487
+++ b/55487
--- a/166
+++ b/166
@ -4,6 +4,10 @@ This is the GRUB.  Welcome.

 This file contains instructions for compiling and installing the GRUB.

+Where this document refers to packages names, they are named according to the
+Debian 11 package repositories. These packages can be found by searching
+https://packages.debian.org/.
+
 The Requirements
 ================

@ -11,33 +15,16 @@ GRUB depends on some software packages installed into your system. If
 you don't have any of them, please obtain and install them before
 configuring the GRUB.

-* GCC 4.1.3 or later
-  Note: older versions may work but support is limited
-
-  Experimental support for clang 3.3 or later (results in much bigger binaries)
+* GCC 5.1.0 or later
+  Experimental support for clang 8.0.0 or later (results in much bigger binaries)
  for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
-  Note: clang 3.2 or later works for i386 and x86_64 targets but results in
-        much bigger binaries.
-	earlier versions not tested
-  Note: clang 3.2 or later works for arm
-	earlier versions not tested
-  Note: clang on arm64 is not supported due to
-	https://llvm.org/bugs/show_bug.cgi?id=26030
-  Note: clang 3.3 or later works for mips(el)
-	earlier versions fail to generate .reginfo and hence gprel relocations
-	fail.
-  Note: clang 3.2 or later works for powerpc
-	earlier versions not tested
-  Note: clang 3.5 or later works for sparc64
-        earlier versions return "error: unable to interface with target machine"
-  Note: clang has no support for ia64 and hence you can't compile GRUB
-	for ia64 with clang
 * GNU Make
 * GNU Bison 2.3 or later
-* GNU gettext 0.17 or later
+* GNU gettext
 * GNU binutils 2.9.1.0.23 or later
 * Flex 2.5.35 or later
 * pkg-config
+* GNU patch
 * Other standard GNU/Unix tools
 * a libc with large file support (e.g. glibc 2.1 or later)

@ -49,24 +36,74 @@ For optional grub-emu features, you need:

 * SDL (recommended)
 * libpciaccess (optional)
-* libusb (optional)

 To build GRUB's graphical terminal (gfxterm), you need:

 * FreeType 2.1.5 or later
 * GNU Unifont

+To build grub-mkfont the unicode fonts are required (xfonts-unifont package
+on Debian).
+
 If you use a development snapshot or want to hack on GRUB you may
 need the following.

-* Python 2.6 or later
-* Autoconf 2.63 or later
-* Automake 1.11 or later
+* Python 3 (NOTE: python 2.6 should still work, but it's not tested)
+* Autoconf 2.64 or later
+* Automake 1.14 or later
+
+Your distro may package cross-compiling toolchains such as the following
+incomplete list on Debian: gcc-aarch64-linux-gnu, gcc-arm-linux-gnueabihf,
+gcc-mips-linux-gnu, gcc-mipsel-linux-gnu, gcc-powerpc64-linux-gnu,
+gcc-riscv64-linux-gnu, gcc-sparc64-linux-gnu, mingw-w64 and mingw-w64-tools.
+
+More cross compiling toolchains can be found at the following trusted sites:
+
+* https://mirrors.kernel.org/pub/tools/crosstool/
+* https://toolchains.bootlin.com/

 Prerequisites for make-check:

-* qemu, specifically the binary 'qemu-system-i386'
+* qemu, specifically the binary "qemu-system-ARCH" where ARCH is the
+  architecture GRUB has been built for; the "qemu-system" package on Debian
+  will install all needed qemu architectures
+* OVMF, for EFI platforms (packages ovmf, ovmf-ia32, qemu-efi-arm, and
+  qemu-efi-aarch64)
+* OpenBIOS, for ieee1275 platforms (packages openbios-ppc and openbios-sparc)
 * xorriso 1.2.9 or later, for grub-mkrescue and grub-shell
+* wamerican, for grub-fs-tester
+* mtools, FAT tools for EFI platforms
+* xfonts-unifont, for the functional tests
+* swtpm-tools and tpm2-tools, for TPM2 key protector tests
+
+* If running a Linux kernel the following modules must be loaded:
+  - fuse, loop
+  - btrfs, erofs, ext4, f2fs, fat, hfs, hfsplus, jfs, mac-roman, minix, nilfs2,
+    reiserfs, udf, xfs
+  - On newer kernels, the exfat kernel modules may be used instead of the
+    exfat FUSE filesystem
+* The following are Debian named packages required mostly for the full
+  suite of filesystem testing (but some are needed by other tests as well):
+  - btrfs-progs, dosfstools, e2fsprogs, erofs-utils, exfatprogs, exfat-fuse,
+    f2fs-tools, genromfs, hfsprogs, jfsutils, nilfs-tools, ntfs-3g,
+    reiserfsprogs, squashfs-tools, reiserfsprogs, udftools, xfsprogs, zfs-fuse
+  - exfat-fuse, if not using the exfat kernel module
+  - gzip, lzop, xz-utils
+  - attr, cpio, g++, gawk, parted, recode, tar, util-linux
+
+Note that `make check' will run and many tests may complete successfully
+with only a subset of these prerequisites. However, some tests may be
+skipped or fail due to missing prerequisites.
+
+To build the documentation you'll need:
+* texinfo, for the info and html documentation
+* texlive, for building the dvi and pdf documentation (optional)
+
+To use the gdb_grub GDB script you'll need:
+* readelf (binutils package)
+* objdump (binutils package)
+* GNU Debugger > 7, built with python support (gdb package)
+* Python >= 3.5 (python3 package)

 Configuring the GRUB
 ====================
@ -104,9 +141,8 @@ The simplest way to compile this package is:
  
  3. Type `./bootstrap'.

-     * autogen.sh (called by bootstrap) uses python. By default the
-       invocation is "python", but it can be overridden by setting the
-       variable $PYTHON.
+     The autogen.sh (called by bootstrap) uses python. By default autodetect
+     it, but it can be overridden by setting the PYTHON variable.

  4. Type `./configure' to configure the package for your system.
     If you're using `csh' on an old version of System V, you might
@ -119,12 +155,16 @@ The simplest way to compile this package is:
  6. Type `make' to compile the package.

  7. Optionally, type `make check' to run any self-tests that come with
-     the package.
+     the package. Note that many of the tests require root privileges in
+     order to run.

  8. Type `make install' to install the programs and any data files and
     documentation.

-  9. You can remove the program binaries and object files from the
+  9. Type `make html' or `make pdf' to generate the html or pdf
+     documentation.  Note, these are not built by default.
+
+ 10. You can remove the program binaries and object files from the
     source code directory by typing `make clean'.  To also remove the
     files that `configure' created (so you can compile the package for
     a different kind of computer), type `make distclean'.  There is
@ -160,42 +200,59 @@ For this example the configure line might look like (more details below)
 (some options are optional and included here for completeness but some rarely
 used options are omitted):

-./configure BUILD_CC=gcc BUILD_PKG_CONFIG=pkg-config --host=amd64-linux-gnu
-CC=amd64-linux-gnu-gcc CFLAGS="-g -O2" PKG_CONFIG=amd64-linux-gnu-pkg-config
--target=arm --with-platform=uboot TARGET_CC=arm-elf-gcc
-TARGET_CFLAGS="-Os -march=armv6" TARGET_CCASFLAGS="-march=armv6"
-TARGET_OBJCOPY="arm-elf-objcopy" TARGET_STRIP="arm-elf-strip"
-TARGET_NM=arm-elf-nm TARGET_RANLIB=arm-elf-ranlib LEX=gflex
+  ./configure --build=sparc64-freebsd --host=x86_64-linux-gnu \
+    --target=arm-linux-gnueabihf --with-platform=efi \
+    BUILD_CC=gcc BUILD_PKG_CONFIG=pkg-config \
+    HOST_CC=x86_64-linux-gnu-gcc HOST_CFLAGS='-g -O2' \
+    PKG_CONFIG=x86_64-linux-gnu-pkg-config TARGET_CC=arm-linux-gnueabihf-gcc \
+    TARGET_CFLAGS='-Os -march=armv8.3-a' TARGET_CCASFLAGS='-march=armv8.3-a' \
+    TARGET_OBJCOPY=arm-linux-gnueabihf-objcopy \
+    TARGET_STRIP=arm-linux-gnueabihf-strip TARGET_NM=arm-linux-gnueabihf-nm \
+    TARGET_RANLIB=arm-linux-gnueabihf-ranlib LEX=flex
+
+Note, that the autoconf 2.65 manual states that when using the --host argument
+to configure, the --build argument should be specified as well. Not sending
+--build, enters a compatibility mode that will be removed in the future.
+
+Normally, for building a GRUB on amd64 with tools to run on amd64 to
+generate images to run on ARM, using your Linux distribution's
+packaged cross compiler, the following would suffice:
+
+  ./configure --target=arm-linux-gnueabihf --with-platform=efi

 You need to use following options to specify tools and platforms. For minimum
 version look at prerequisites. All tools not mentioned in this section under
 corresponding platform are not needed for the platform in question.

  - For build
-    1. BUILD_CC= to gcc able to compile for build. This is used, for
+    1. --build= to autoconf name of build.
+    2. BUILD_CC= to gcc able to compile for build. This is used, for
       example, to compile build-gentrigtables which is then run to
       generate sin and cos tables.
-    2. BUILD_CFLAGS= for C options for build.
-    3. BUILD_CPPFLAGS= for C preprocessor options for build.
-    4. BUILD_LDFLAGS= for linker options for build.
-    5. BUILD_PKG_CONFIG= for pkg-config for build (optional).
+    3. BUILD_CFLAGS= for C options for build.
+    4. BUILD_CPPFLAGS= for C preprocessor options for build.
+    5. BUILD_LDFLAGS= for linker options for build.
+    6. BUILD_PKG_CONFIG= for pkg-config for build (optional).

  - For host
    1. --host= to autoconf name of host.
-    2. CC= for gcc able to compile for host
-    3. HOST_CFLAGS= for C options for host.
-    4. HOST_CPPFLAGS= for C preprocessor options for host.
-    5. HOST_LDFLAGS= for linker options for host.
-    6. PKG_CONFIG= for pkg-config for host (optional).
-    7. Libdevmapper if any must be in standard linker folders (-ldevmapper) (optional).
-    8. Libfuse if any must be in standard linker folders (-lfuse) (optional).
-    9. Libzfs if any must be in standard linker folders (-lzfs) (optional).
-    10. Liblzma if any must be in standard linker folders (-llzma) (optional).
+    2. CC= for gcc able to compile for host.
+    3. CFLAGS= for C options for host.
+    4. HOST_CC= for gcc able to compile for host.
+    5. HOST_CFLAGS= for C options for host.
+    6. HOST_CPPFLAGS= for C preprocessor options for host.
+    7. HOST_LDFLAGS= for linker options for host.
+    8. PKG_CONFIG= for pkg-config for host (optional).
+    9. Libdevmapper if any must be in standard linker folders (-ldevmapper) (optional).
+    10. Libfuse if any must be in standard linker folders (-lfuse) (optional).
+    11. Libzfs if any must be in standard linker folders (-lzfs) (optional).
+    12. Liblzma if any must be in standard linker folders (-llzma) (optional).
+    Note: The HOST_* variables override not prefixed variables.

  - For target
    1. --target= to autoconf cpu name of target.
    2. --with-platform to choose firmware.
-    3. TARGET_CC= for gcc able to compile for target
+    3. TARGET_CC= for gcc able to compile for target.
    4. TARGET_CFLAGS= for C options for target.
    5. TARGET_CPPFLAGS= for C preprocessor options for target.
    6. TARGET_CCASFLAGS= for assembler options for target.
@ -204,11 +261,14 @@ corresponding platform are not needed for the platform in question.
    9. TARGET_STRIP= for strip for target.
    10. TARGET_NM= for nm for target.
    11. TARGET_RANLIB= for ranlib for target.
+    Note: If the TARGET_* variables are not specified then they will default
+          to be the same as the host variables. If host variables are not
+          specified then the TARGET_* variables will default to be the same
+          as not prefixed variables.

  - Additionally for emu, for host and target.
    1. SDL is looked for in standard linker directories (-lSDL) (optional)
    2. libpciaccess is looked for in standard linker directories (-lpciaccess) (optional)
-    3. libusb is looked for in standard linker directories (-lusb) (optional)

  - Platform-agnostic tools and data.
    1. make is the tool you execute after ./configure.
--- a/35
+++ b/35
@ -0,0 +1,35 @@
+List of current GRUB maintainers and some basic information about the project
+=============================================================================
+
+Here is the list of current GRUB maintainers:
+  - Daniel Kiper <daniel.kiper@oracle.com> and <dkiper@net-space.pl>,
+  - Alex Burmashev <alexander.burmashev@oracle.com>,
+  - Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>.
+
+The maintainers drive and overlook the GRUB development.
+
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
+The GRUB development happens on the grub-devel mailing list [1]. The latest
+GRUB source code is available at Savannah git repository [2].
+
+Users can ask for help on the help-grub mailing list [3].
+
+
+List of past GRUB maintainers and people who strongly contributed to the project
+================================================================================
+
+Here is the list, sorted alphabetically, of past GRUB maintainers and people who
+strongly contributed to the project:
+  - Andrei Borzenkov,
+  - Bryan Ford,
+  - Erich Stefan Boleyn,
+  - Gordon Matzigkeit,
+  - Yoshinori K. Okuji.
+
+
+[1] https://lists.gnu.org/mailman/listinfo/grub-devel
+[2] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
+[3] https://lists.gnu.org/mailman/listinfo/help-grub
--- a/Makefile.am
+++ b/Makefile.am
@ -24,6 +24,15 @@ CCASFLAGS_PROGRAM += $(CCASFLAGS_GNULIB)

 include $(srcdir)/Makefile.util.am

+check_SCRIPTS = $(check_SCRIPTS_native) $(check_SCRIPTS_nonnative)
+check_PROGRAMS = $(check_PROGRAMS_native) $(check_PROGRAMS_nonnative)
+TESTS = $(check_SCRIPTS) $(check_PROGRAMS)
+
+check-native:
+	$(MAKE) TESTS="$(check_PROGRAMS_native) $(check_SCRIPTS_native)" check
+check-nonnative:
+	$(MAKE) TESTS="$(check_PROGRAMS_nonnative) $(check_SCRIPTS_nonnative)" check
+
 # XXX Use Automake's LEX & YACC support
 grub_script.tab.h: $(top_srcdir)/grub-core/script/parser.y
 	$(YACC) -d -p grub_script_yy -b grub_script $(top_srcdir)/grub-core/script/parser.y
@ -37,13 +46,13 @@ grub_script.yy.c: grub_script.yy.h
 CLEANFILES += grub_script.yy.c grub_script.yy.h

 # For libgrub.a
-libgrub.pp: grub_script.tab.h grub_script.yy.h $(libgrubmods_a_SOURCES) $(libgrubkern_a_SOURCES)
+libgrub.pp: config-util.h grub_script.tab.h grub_script.yy.h $(libgrubmods_a_SOURCES) $(libgrubkern_a_SOURCES)
 	$(CPP) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libgrubmods_a_CPPFLAGS) $(libgrubkern_a_CPPFLAGS) $(CPPFLAGS) \
 	  -D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
 CLEANFILES += libgrub.pp

 libgrub_a_init.lst: libgrub.pp
-	cat $< | grep '@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
+	cat $< | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
 CLEANFILES += libgrub_a_init.lst

 libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
@ -51,13 +60,13 @@ libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
 CLEANFILES += libgrub_a_init.c

 # For grub-fstest
-grub_fstest.pp: $(grub_fstest_SOURCES)
+grub_fstest.pp: config-util.h $(grub_fstest_SOURCES)
 	$(CPP) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(grub_fstest_CPPFLAGS) $(CPPFLAGS) \
 	  -D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
 CLEANFILES += grub_fstest.pp

 grub_fstest_init.lst: libgrub.pp grub_fstest.pp
-	cat $^ | grep '@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
+	cat $^ | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
 CLEANFILES += grub_fstest_init.lst

 grub_fstest_init.c: grub_fstest_init.lst $(top_srcdir)/geninit.sh
@ -473,8 +482,6 @@ ChangeLog: FORCE
 		touch $@; \
 	fi

-EXTRA_DIST += ChangeLog ChangeLog-2015
-
 syslinux_test: $(top_builddir)/config.status tests/syslinux/ubuntu10.04_grub.cfg

 # Mimic simplify_filename from grub-core/lib/syslinux_parse.c, so that we
--- a/Makefile.util.def
+++ b/Makefile.util.def
@ -3,7 +3,7 @@ AutoGen definitions Makefile.tpl;
 library = {
  name = libgrubkern.a;
  cflags = '$(CFLAGS_GNULIB)';
-  cppflags = '$(CPPFLAGS_GNULIB)';
+  cppflags = '$(CPPFLAGS_GNULIB) -I$(srcdir)/grub-core/lib/json';

  common = util/misc.c;
  common = grub-core/kern/command.c;
@ -36,8 +36,11 @@ library = {
  common = grub-core/kern/misc.c;
  common = grub-core/kern/partition.c;
  common = grub-core/lib/crypto.c;
+  common = grub-core/lib/json/json.c;
  common = grub-core/disk/luks.c;
+  common = grub-core/disk/luks2.c;
  common = grub-core/disk/geli.c;
+  common = grub-core/disk/key_protector.c;
  common = grub-core/disk/cryptodisk.c;
  common = grub-core/disk/AFSplitter.c;
  common = grub-core/lib/pbkdf2.c;
@ -53,7 +56,7 @@ library = {

 library = {
  name = libgrubmods.a;
-  cflags = '-fno-builtin -Wno-undef';
+  cflags = '-fno-builtin -Wno-undef -Wno-unused-but-set-variable';
  cppflags = '-I$(srcdir)/grub-core/lib/minilzo -I$(srcdir)/grub-core/lib/xzembed -I$(srcdir)/grub-core/lib/zstd -DMINILZO_HAVE_CONFIG_H';

  common_nodist = grub_script.tab.c;
@ -96,6 +99,7 @@ library = {
  common = grub-core/fs/cpio_be.c;
  common = grub-core/fs/odc.c;
  common = grub-core/fs/newc.c;
+  common = grub-core/fs/erofs.c;
  common = grub-core/fs/ext2.c;
  common = grub-core/fs/fat.c;
  common = grub-core/fs/exfat.c;
@ -139,7 +143,7 @@ library = {
  common = grub-core/lib/crc.c;
  common = grub-core/lib/adler32.c;
  common = grub-core/lib/crc64.c;
-  common = grub-core/normal/datetime.c;
+  common = grub-core/lib/datetime.c;
  common = grub-core/normal/misc.c;
  common = grub-core/partmap/acorn.c;
  common = grub-core/partmap/amiga.c;
@ -161,6 +165,7 @@ library = {
  common = grub-core/kern/ia64/dl_helper.c;
  common = grub-core/kern/arm/dl_helper.c;
  common = grub-core/kern/arm64/dl_helper.c;
+  common = grub-core/kern/loongarch64/dl_helper.c;
  common = grub-core/lib/minilzo/minilzo.c;
  common = grub-core/lib/xzembed/xz_dec_bcj.c;
  common = grub-core/lib/xzembed/xz_dec_lzma2.c;
@ -201,7 +206,32 @@ program = {
  ldadd = grub-core/lib/gnulib/libgnu.a;
  ldadd = '$(LIBLZMA)';
  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
-  cppflags = '-DGRUB_PKGLIBDIR=\"$(pkglibdir)\"';
+};
+
+program = {
+  name = grub-protect;
+  mansection = 1;
+
+  common = grub-core/kern/emu/argp_common.c;
+  common = grub-core/osdep/init.c;
+  common = grub-core/lib/tss2/buffer.c;
+  common = grub-core/lib/tss2/tss2_mu.c;
+  common = grub-core/lib/tss2/tpm2_cmd.c;
+  common = grub-core/commands/tpm2_key_protector/args.c;
+  common = grub-core/commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+  common = util/grub-protect.c;
+  common = util/probe.c;
+
+  cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
+
+  ldadd = libgrubmods.a;
+  ldadd = libgrubgcry.a;
+  ldadd = libgrubkern.a;
+  ldadd = grub-core/lib/gnulib/libgnu.a;
+  ldadd = '$(LIBTASN1)';
+  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+
+  condition = COND_GRUB_PROTECT;
 };

 program = {
@ -240,8 +270,19 @@ program = {

  common = util/grub-editenv.c;
  common = util/editenv.c;
+  common = util/grub-install-common.c;
  common = grub-core/osdep/init.c;
+  common = grub-core/osdep/compress.c;
+  extra_dist = grub-core/osdep/unix/compress.c;
+  extra_dist = grub-core/osdep/basic/compress.c;
+  common = util/mkimage.c;
+  common = util/grub-mkimage32.c;
+  common = util/grub-mkimage64.c;
+  common = grub-core/osdep/config.c;
+  common = util/config.c;
+  common = util/resolve.c;

+  ldadd = '$(LIBLZMA)';
  ldadd = libgrubmods.a;
  ldadd = libgrubgcry.a;
  ldadd = libgrubkern.a;
@ -297,11 +338,13 @@ program = {
  common = grub-core/disk/host.c;
  common = grub-core/osdep/init.c;

+  cflags = '$(FUSE_CFLAGS)';
+
  ldadd = libgrubmods.a;
  ldadd = libgrubgcry.a;
  ldadd = libgrubkern.a;
  ldadd = grub-core/lib/gnulib/libgnu.a;
-  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) -lfuse';
+  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
  condition = COND_GRUB_MOUNT;
 };

@ -496,12 +539,24 @@ script = {
  condition = COND_HOST_LINUX;
 };

+script = {
+  name = '25_bli';
+  common = util/grub.d/25_bli.in;
+  installdir = grubconf;
+};
+
 script = {
  name = '30_os-prober';
  common = util/grub.d/30_os-prober.in;
  installdir = grubconf;
 };

+script = {
+  name = '30_uefi-firmware';
+  common = util/grub.d/30_uefi-firmware.in;
+  installdir = grubconf;
+};
+
 script = {
  name = '40_custom';
  common = util/grub.d/40_custom.in;
@ -723,6 +778,12 @@ script = {
  installdir = noinst;
 };

+script = {
+  name = grub-shell-luks-tester;
+  common = tests/util/grub-shell-luks-tester.in;
+  installdir = noinst;
+};
+
 script = {
  name = grub-fs-tester;
  common = tests/util/grub-fs-tester.in;
@ -731,470 +792,512 @@ script = {
 };

 script = {
-  testcase;
+  testcase = native;
+  name = erofs_test;
+  common = tests/erofs_test.in;
+};
+
+script = {
+  testcase = native;
  name = ext234_test;
  common = tests/ext234_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = squashfs_test;
  common = tests/squashfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = iso9660_test;
  common = tests/iso9660_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = hfsplus_test;
  common = tests/hfsplus_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = ntfs_test;
  common = tests/ntfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = reiserfs_test;
  common = tests/reiserfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = fat_test;
  common = tests/fat_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = minixfs_test;
  common = tests/minixfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = xfs_test;
  common = tests/xfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = f2fs_test;
  common = tests/f2fs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = nilfs2_test;
  common = tests/nilfs2_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = romfs_test;
  common = tests/romfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = exfat_test;
  common = tests/exfat_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = tar_test;
  common = tests/tar_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = udf_test;
  common = tests/udf_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = hfs_test;
  common = tests/hfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = jfs_test;
  common = tests/jfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = btrfs_test;
  common = tests/btrfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = zfs_test;
  common = tests/zfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = cpio_test;
  common = tests/cpio_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = example_scripted_test;
  common = tests/example_scripted_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = gettext_strings_test;
  common = tests/gettext_strings_test.in;
  extra_dist = po/exclude.pot;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = pata_test;
  common = tests/pata_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ahci_test;
  common = tests/ahci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = uhci_test;
  common = tests/uhci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ohci_test;
  common = tests/ohci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ehci_test;
  common = tests/ehci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = example_grub_script_test;
  common = tests/example_grub_script_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_eval;
  common = tests/grub_script_eval.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_test;
  common = tests/grub_script_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_echo1;
  common = tests/grub_script_echo1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_leading_whitespace;
  common = tests/grub_script_leading_whitespace.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_echo_keywords;
  common = tests/grub_script_echo_keywords.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_vars1;
  common = tests/grub_script_vars1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_for1;
  common = tests/grub_script_for1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_while1;
  common = tests/grub_script_while1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_if;
  common = tests/grub_script_if.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_blanklines;
  common = tests/grub_script_blanklines.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_final_semicolon;
  common = tests/grub_script_final_semicolon.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_dollar;
  common = tests/grub_script_dollar.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_comments;
  common = tests/grub_script_comments.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_functions;
  common = tests/grub_script_functions.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_break;
  common = tests/grub_script_break.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_continue;
  common = tests/grub_script_continue.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_shift;
  common = tests/grub_script_shift.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_blockarg;
  common = tests/grub_script_blockarg.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_setparams;
  common = tests/grub_script_setparams.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_return;
  common = tests/grub_script_return.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
+  name = grub_cmd_cryptomount;
+  common = tests/grub_cmd_cryptomount.in;
+};
+
+script = {
+  testcase = nonnative;
  name = grub_cmd_regexp;
  common = tests/grub_cmd_regexp.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_date;
  common = tests/grub_cmd_date.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_set_date;
  common = tests/grub_cmd_set_date.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_sleep;
  common = tests/grub_cmd_sleep.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_expansion;
  common = tests/grub_script_expansion.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_not;
  common = tests/grub_script_not.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_no_commands;
  common = tests/grub_script_no_commands.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = partmap_test;
  common = tests/partmap_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = hddboot_test;
  common = tests/hddboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = fddboot_test;
  common = tests/fddboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = cdboot_test;
  common = tests/cdboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = netboot_test;
  common = tests/netboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
+  name = serial_test;
+  common = tests/serial_test.in;
+};
+
+script = {
+  testcase = nonnative;
  name = pseries_test;
  common = tests/pseries_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = core_compress_test;
  common = tests/core_compress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = xzcompress_test;
  common = tests/xzcompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = gzcompress_test;
  common = tests/gzcompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = lzocompress_test;
  common = tests/lzocompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_echo;
  common = tests/grub_cmd_echo.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = help_test;
  common = tests/help_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_gettext;
  common = tests/grub_script_gettext.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_escape_comma;
  common = tests/grub_script_escape_comma.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_strcmp;
  common = tests/grub_script_strcmp.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = test_sha512sum;
  common = tests/test_sha512sum.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = test_unset;
  common = tests/test_unset.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_func_test;
  common = tests/grub_func_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_tr;
  common = tests/grub_cmd_tr.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = file_filter_test;
  common = tests/file_filter_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_test;
  common = tests/grub_cmd_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = syslinux_test;
  common = tests/syslinux_test.in;
 };

+script = {
+  testcase = native;
+  name = luks1_test;
+  common = tests/luks1_test.in;
+};
+
+script = {
+  testcase = native;
+  name = luks2_test;
+  common = tests/luks2_test.in;
+};
+
+script = {
+  testcase = native;
+  name = asn1_test;
+  common = tests/asn1_test.in;
+};
+
+script = {
+  testcase = native;
+  name = tpm2_key_protector_test;
+  common = tests/tpm2_key_protector_test.in;
+};
+
 program = {
-  testcase;
+  testcase = native;
  name = example_unit_test;
  common = tests/example_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1209,7 +1312,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = printf_test;
  common = tests/printf_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1224,7 +1327,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = date_test;
  common = tests/date_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1239,7 +1342,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = priority_queue_unit_test;
  common = tests/priority_queue_unit_test.cc;
  common = tests/lib/unit_test.c;
@ -1256,7 +1359,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = cmp_test;
  common = tests/cmp_unit_test.c;
  common = tests/lib/unit_test.c;
--- a/34
+++ b/34
@ -1,3 +1,37 @@
+New in 2.12:
+
+* GCC 13 support.
+* clang 14 support.
+* binutils 2.38 support.
+* Unification of EFI Linux kernel loader across architectures.
+* Transition to EFI Linux kernel stub loader for x86 architecture.
+* Initial support for Boot Loader Interface.
+* Support for dynamic GRUB runtime memory addition using firmware calls.
+* PCI and MMIO UARTs support.
+* SDL2 support.
+* LoongArch support.
+* TPM driver fixes.
+* Many filesystems fixes.
+* Many CVE and Coverity fixes.
+* Debugging support improvements.
+* Tests improvements.
+* Documentation improvements.
+* ...and tons of other fixes and cleanups...
+
+New in 2.06:
+
+* GCC 10 support.
+* clang 10 support.
+* SBAT support.
+* LUKS2 support.
+* Drop small MBR gap support.
+* Xen Security Modules (XSM/FLASK) support.
+* The lockdown mechanism similar to the Linux kernel one.
+* Disable the os-prober by default.
+* Many backports of GRUB distros specific patches.
+* BootHole and BootHole2 fixes.
+* ...and tons of other fixes and cleanups...
+
 New in 2.04:

 * GCC 8 and 9 support.
--- a/6
+++ b/6
@ -7,6 +7,12 @@ See the file NEWS for a description of recent changes to GRUB 2.
 See the file INSTALL for instructions on how to build and install the
 GRUB 2 data and program files.

+See the file MAINTAINERS for information about the GRUB maintainers, etc.
+
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 Please visit the official web page of GRUB 2, for more information.
 The URL is <http://www.gnu.org/software/grub/grub.html>.

--- a/60
+++ b/60
@ -0,0 +1,60 @@
+Security Policy
+===============
+
+To report a vulnerability see "Reporting a Vulnerability" below.
+
+
+Security Incident Policy
+========================
+
+Security bug reports are treated with special attention and are handled
+differently from normal bugs. In particular, security sensitive bugs are not
+handled in public but in private. Information about the bug and access to it
+is restricted to people in the security group, the individual engineers that
+work on fixing it, and any other person who needs to be involved for organisational
+reasons. The process is handled by the security team, which decides on the people
+involved in order to fix the issue. It is also guaranteed that the person reporting
+the issue has visibility into the process of fixing it. Any security issue gets
+prioritized according to its security rating. The issue is opened up to the public
+in coordination with the release schedule and the reporter.
+
+
+Disclosure Policy
+=================
+
+Everyone involved in the handling of a security issue - including the reporter -
+is required to adhere to the following policy. Any information related to
+a security issue must be treated as confidential and only shared with trusted
+partners if necessary, for example to coordinate a release or manage exposure
+of clients to the issue. No information must be disclosed to the public before
+the embargo ends. The embargo time is agreed upon by all involved parties. It
+should be as short as possible without putting any users at risk.
+
+
+Supported Versions
+==================
+
+Only the most recent version of the GRUB is supported.
+
+
+Reporting a Vulnerability
+=========================
+
+The security report should be encrypted with the PGP keys and sent to ALL email
+addresses listed below. Every vulnerability report will be assessed within
+72 hours of receiving it. If the outcome of the assessment is that the report
+describes a security issue, the report will be transferred into an issue on the
+internal vulnerability project for further processing. The reporter is updated
+on each step of the process.
+
+While there's currently no bug bounty program we appreciate every report.
+
+* Contact: Daniel Kiper <daniel.kiper@oracle.com> and
+           Daniel Kiper <dkiper@net-space.pl>
+* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166
+
+* Contact: Alex Burmashev <alexander.burmashev@oracle.com>
+* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E
+
+* Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
+* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4  D1E8 35A9 3B74 E82E 4209
--- a/acinclude.m4
+++ b/acinclude.m4
@ -305,9 +305,9 @@ fi
 ])


-dnl Check if the C compiler supports `-fstack-protector'.
+dnl Check if the C compiler supports the stack protector
 AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[
-[# Smashing stack protector.
+[# Stack smashing protector.
 ssp_possible=yes]
 AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector'])
 # Is this a reliable test case?
@ -324,6 +324,40 @@ else
  ssp_possible=no]
  AC_MSG_RESULT([no])
 [fi]
+[# Strong stack smashing protector.
+ssp_strong_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then]
+  AC_MSG_RESULT([yes])
+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+  rm -f conftest.s
+else
+  ssp_strong_possible=no]
+  AC_MSG_RESULT([no])
+[fi]
+[# Global stack smashing protector.
+ssp_global_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then]
+  AC_MSG_RESULT([yes])
+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+  rm -f conftest.s
+else
+  ssp_global_possible=no]
+  AC_MSG_RESULT([no])
+[fi]
 ])

 dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin).
@ -396,7 +430,7 @@ link_nopie_needed=no]
 AC_MSG_CHECKING([whether linker needs disabling of PIE to work])
 AC_LANG_CONFTEST([AC_LANG_SOURCE([[]])])

-[if eval "$ac_compile -Wl,-r,-d -nostdlib -Werror -o conftest.o" 2> /dev/null; then]
+[if eval "$ac_compile -Wl,-r -nostdlib -Werror -o conftest.o" 2> /dev/null; then]
  AC_MSG_RESULT([no])
  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
  rm -f conftest.o
--- a/autogen.sh
+++ b/autogen.sh
@ -7,13 +7,26 @@ if [ ! -e grub-core/lib/gnulib/stdlib.in.h ]; then
  exit 1
 fi

-# Set ${PYTHON} to plain 'python' if not set already
-: ${PYTHON:=python}
+# Detect python
+if [ -z "$PYTHON" ]; then
+  for i in python3 python3.10 python; do
+    if command -v "$i" > /dev/null 2>&1; then
+      PYTHON="$i"
+      echo "Using $PYTHON..."
+      break
+    fi
+  done
+
+  if [ -z "$PYTHON" ]; then
+    echo "python not found." >&2
+    exit 1
+  fi
+fi

 export LC_COLLATE=C
 unset LC_ALL

-find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c'  ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -iname './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
+find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c'  ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
 find util -iname '*.in' ! -name Makefile.in  |sort > po/POTFILES-shell.in

 echo "Importing unicode..."
@ -38,6 +51,39 @@ for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c mpih-mul1.c mpih-mul2.c mpih-mul
    cp grub-core/lib/libgcrypt-grub/mpi/generic/"$x" grub-core/lib/libgcrypt-grub/mpi/"$x"
 done

+echo "Importing libtasn1..."
+if [ -d grub-core/lib/libtasn1-grub ]; then
+  rm -rf grub-core/lib/libtasn1-grub
+fi
+
+mkdir -p grub-core/lib/libtasn1-grub/lib
+cp grub-core/lib/libtasn1/lib/*.[ch] grub-core/lib/libtasn1-grub/lib
+cp grub-core/lib/libtasn1/libtasn1.h grub-core/lib/libtasn1-grub/
+
+if [ -d grub-core/tests/asn1/tests ]; then
+  rm -rf grub-core/tests/asn1/tests
+fi
+
+mkdir grub-core/tests/asn1/tests
+cp grub-core/lib/libtasn1/tests/*.[ch] grub-core/tests/asn1/tests
+
+for patch in \
+	0001-libtasn1-disable-code-not-needed-in-grub.patch \
+	0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch \
+	0003-libtasn1-replace-strcat-with-_asn1_str_cat.patch \
+	0004-libtasn1-adjust-the-header-paths-in-libtasn1.h.patch \
+	0005-libtasn1-Use-grub_divmod64-for-division.patch \
+	0006-libtasn1-fix-the-potential-buffer-overrun.patch \
+	0007-asn1_test-include-asn1_test.h-only.patch \
+	0008-asn1_test-rename-the-main-functions-to-the-test-name.patch \
+	0009-asn1_test-return-either-0-or-1-to-reflect-the-result.patch \
+	0010-asn1_test-remove-verbose-and-the-unnecessary-printf.patch \
+	0011-asn1_test-print-the-error-messages-with-grub_printf.patch \
+	0012-asn1_test-use-the-grub-specific-functions-and-types.patch \
+	0013-asn1_test-enable-the-testcase-only-when-GRUB_LONG_MA.patch ; do
+  patch -p1 -i grub-core/lib/libtasn1-patches/$patch
+done
+
 echo "Generating Automake input..."

 # Automake doesn't like including files from a path outside the project.
--- a/313
+++ b/313
@ -1,10 +1,10 @@
 #! /bin/sh
 # Print a version string.
-scriptversion=2019-01-04.17; # UTC
+scriptversion=2022-01-26.05; # UTC

 # Bootstrap this package from checked-out sources.

-# Copyright (C) 2003-2019 Free Software Foundation, Inc.
+# Copyright (C) 2003-2022 Free Software Foundation, Inc.

 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -47,7 +47,7 @@ PERL="${PERL-perl}"

 me=$0

-default_gnulib_url=git://git.sv.gnu.org/gnulib
+default_gnulib_url=https://git.savannah.gnu.org/git/gnulib.git

 usage() {
  cat <<EOF
@ -71,7 +71,9 @@ Options:
 --no-git                 do not use git to update gnulib.  Requires that
                          --gnulib-srcdir point to a correct gnulib snapshot
 --skip-po                do not download po files
-
+EOF
+  bootstrap_print_option_usage_hook
+  cat <<EOF
 If the file $me.conf exists in the same directory as this script, its
 contents are read as shell variables to configure the bootstrap.

@ -113,6 +115,12 @@ Running without arguments will suffice in most cases.
 EOF
 }

+copyright_year=`echo "$scriptversion" | sed -e 's/[^0-9].*//'`
+copyright="Copyright (C) ${copyright_year} Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law."
+
 # warnf_ FORMAT-STRING ARG1...
 warnf_ ()
 {
@ -154,6 +162,18 @@ gnulib_files=
 : ${AUTOPOINT=autopoint}
 : ${AUTORECONF=autoreconf}

+# A function to be called for each unrecognized option.  Returns 0 if
+# the option in $1 has been processed by the function.  Returns 1 if
+# the option has not been processed by the function.  Override it via
+# your own definition in bootstrap.conf
+
+bootstrap_option_hook() { return 1; }
+
+# A function to be called in order to print the --help information
+# corresponding to user-defined command-line options.
+
+bootstrap_print_option_usage_hook() { :; }
+
 # A function to be called right after gnulib-tool is run.
 # Override it via your own definition in bootstrap.conf.
 bootstrap_post_import_hook() { :; }
@ -166,11 +186,11 @@ bootstrap_epilogue() { :; }
 # specified directory.  Fill in the first %s with the destination
 # directory and the second with the domain name.
 po_download_command_format=\
-"wget --mirror --level=1 -nd -q -A.po -P '%s' \
+"wget --mirror --level=1 -nd -nv -A.po -P '%s' \
 https://translationproject.org/latest/%s/"

 # Prefer a non-empty tarname (4th argument of AC_INIT if given), else
-# fall back to the package name (1st argument with munging)
+# fall back to the package name (1st argument with munging).
 extract_package_name='
  /^AC_INIT(\[*/{
     s///
@ -187,8 +207,11 @@ extract_package_name='
     p
  }
 '
+package=$(${AUTOCONF:-autoconf} --trace AC_INIT:\$4 configure.ac 2>/dev/null)
+if test -z "$package"; then
  package=$(sed -n "$extract_package_name" configure.ac) \
      || die 'cannot find package name in configure.ac'
+fi
 gnulib_name=lib$package

 build_aux=build-aux
@ -290,62 +313,6 @@ find_tool ()
  eval "export $find_tool_envvar"
 }

-# Override the default configuration, if necessary.
-# Make sure that bootstrap.conf is sourced from the current directory
-# if we were invoked as "sh bootstrap".
-case "$0" in
-  */*) test -r "$0.conf" && . "$0.conf" ;;
-  *) test -r "$0.conf" && . ./"$0.conf" ;;
-esac
-
-if test "$vc_ignore" = auto; then
-  vc_ignore=
-  test -d .git && vc_ignore=.gitignore
-  test -d CVS && vc_ignore="$vc_ignore .cvsignore"
-fi
-
-if test x"$gnulib_modules$gnulib_files$gnulib_extra_files" = x; then
-  use_gnulib=false
-else
-  use_gnulib=true
-fi
-
-# Translate configuration into internal form.
-
-# Parse options.
-
-for option
-do
-  case $option in
-  --help)
-    usage
-    exit;;
-  --gnulib-srcdir=*)
-    GNULIB_SRCDIR=${option#--gnulib-srcdir=};;
-  --skip-po)
-    SKIP_PO=t;;
-  --force)
-    checkout_only_file=;;
-  --copy)
-    copy=true;;
-  --bootstrap-sync)
-    bootstrap_sync=true;;
-  --no-bootstrap-sync)
-    bootstrap_sync=false;;
-  --no-git)
-    use_git=false;;
-  *)
-    die "$option: unknown option";;
-  esac
-done
-
-$use_git || test -d "$GNULIB_SRCDIR" \
-  || die "Error: --no-git requires --gnulib-srcdir"
-
-if test -n "$checkout_only_file" && test ! -r "$checkout_only_file"; then
-  die "Bootstrapping from a non-checked-out distribution is risky."
-fi
-
 # Strip blank and comment lines to leave significant entries.
 gitignore_entries() {
  sed '/^#/d; /^$/d' "$@"
@ -387,6 +354,137 @@ insert_vc_ignore() {
  insert_if_absent "$vc_ignore_file" "$pattern"
 }

+symlink_to_dir()
+{
+  src=$1/$2
+  dst=${3-$2}
+
+  test -f "$src" && {
+
+    # If the destination directory doesn't exist, create it.
+    # This is required at least for "lib/uniwidth/cjk.h".
+    dst_dir=$(dirname "$dst")
+    if ! test -d "$dst_dir"; then
+      mkdir -p "$dst_dir"
+
+      # If we've just created a directory like lib/uniwidth,
+      # tell version control system(s) it's ignorable.
+      # FIXME: for now, this does only one level
+      parent=$(dirname "$dst_dir")
+      for dot_ig in x $vc_ignore; do
+        test $dot_ig = x && continue
+        ig=$parent/$dot_ig
+        insert_vc_ignore $ig "${dst_dir##*/}"
+      done
+    fi
+
+    if $copy; then
+      {
+        test ! -h "$dst" || {
+          echo "$me: rm -f $dst" &&
+          rm -f "$dst"
+        }
+      } &&
+      test -f "$dst" &&
+      cmp -s "$src" "$dst" || {
+        echo "$me: cp -fp $src $dst" &&
+        cp -fp "$src" "$dst"
+      }
+    else
+      # Leave any existing symlink alone, if it already points to the source,
+      # so that broken build tools that care about symlink times
+      # aren't confused into doing unnecessary builds.  Conversely, if the
+      # existing symlink's timestamp is older than the source, make it afresh,
+      # so that broken tools aren't confused into skipping needed builds.  See
+      # <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00326.html>.
+      test -h "$dst" &&
+      src_ls=$(ls -diL "$src" 2>/dev/null) && set $src_ls && src_i=$1 &&
+      dst_ls=$(ls -diL "$dst" 2>/dev/null) && set $dst_ls && dst_i=$1 &&
+      test "$src_i" = "$dst_i" &&
+      both_ls=$(ls -dt "$src" "$dst") &&
+      test "X$both_ls" = "X$dst$nl$src" || {
+        dot_dots=
+        case $src in
+        /*) ;;
+        *)
+          case /$dst/ in
+          *//* | */../* | */./* | /*/*/*/*/*/)
+             die "invalid symlink calculation: $src -> $dst";;
+          /*/*/*/*/)    dot_dots=../../../;;
+          /*/*/*/)      dot_dots=../../;;
+          /*/*/)        dot_dots=../;;
+          esac;;
+        esac
+
+        echo "$me: ln -fs $dot_dots$src $dst" &&
+        ln -fs "$dot_dots$src" "$dst"
+      }
+    fi
+  }
+}
+
+# Override the default configuration, if necessary.
+# Make sure that bootstrap.conf is sourced from the current directory
+# if we were invoked as "sh bootstrap".
+case "$0" in
+  */*) test -r "$0.conf" && . "$0.conf" ;;
+  *) test -r "$0.conf" && . ./"$0.conf" ;;
+esac
+
+if test "$vc_ignore" = auto; then
+  vc_ignore=
+  test -d .git && vc_ignore=.gitignore
+  test -d CVS && vc_ignore="$vc_ignore .cvsignore"
+fi
+
+if test x"$gnulib_modules$gnulib_files$gnulib_extra_files" = x; then
+  use_gnulib=false
+else
+  use_gnulib=true
+fi
+
+# Translate configuration into internal form.
+
+# Parse options.
+
+for option
+do
+  case $option in
+  --help)
+    usage
+    exit;;
+  --version)
+    set -e
+    echo "bootstrap $scriptversion"
+    echo "$copyright"
+    exit 0
+    ;;
+  --gnulib-srcdir=*)
+    GNULIB_SRCDIR=${option#--gnulib-srcdir=};;
+  --skip-po)
+    SKIP_PO=t;;
+  --force)
+    checkout_only_file=;;
+  --copy)
+    copy=true;;
+  --bootstrap-sync)
+    bootstrap_sync=true;;
+  --no-bootstrap-sync)
+    bootstrap_sync=false;;
+  --no-git)
+    use_git=false;;
+  *)
+    bootstrap_option_hook $option || die "$option: unknown option";;
+  esac
+done
+
+$use_git || test -d "$GNULIB_SRCDIR" \
+  || die "Error: --no-git requires --gnulib-srcdir"
+
+if test -n "$checkout_only_file" && test ! -r "$checkout_only_file"; then
+  die "Bootstrapping from a non-checked-out distribution is risky."
+fi
+
 # Die if there is no AC_CONFIG_AUX_DIR($build_aux) line in configure.ac.
 found_aux_dir=no
 grep '^[	 ]*AC_CONFIG_AUX_DIR(\['"$build_aux"'\])' configure.ac \
@ -665,9 +763,25 @@ if $use_gnulib; then
      shallow=
      if test -z "$GNULIB_REVISION"; then
        git clone -h 2>&1 | grep -- --depth > /dev/null && shallow='--depth 2'
-      fi
        git clone $shallow ${GNULIB_URL:-$default_gnulib_url} "$gnulib_path" \
          || cleanup_gnulib
+      else
+        git fetch -h 2>&1 | grep -- --depth > /dev/null && shallow='--depth 2'
+        mkdir -p "$gnulib_path"
+        # Only want a shallow checkout of $GNULIB_REVISION, but git does not
+        # support cloning by commit hash. So attempt a shallow fetch by commit
+        # hash to minimize the amount of data downloaded and changes needed to
+        # be processed, which can drastically reduce download and processing
+        # time for checkout. If the fetch by commit fails, a shallow fetch can
+        # not be performed because we do not know what the depth of the commit
+        # is without fetching all commits. So fallback to fetching all commits.
+        git -C "$gnulib_path" init
+        git -C "$gnulib_path" remote add origin ${GNULIB_URL:-$default_gnulib_url}
+        git -C "$gnulib_path" fetch $shallow origin "$GNULIB_REVISION" \
+          || git -C "$gnulib_path" fetch origin \
+          || cleanup_gnulib
+        git -C "$gnulib_path" reset --hard FETCH_HEAD
+      fi

      trap - 1 2 13 15
    fi
@ -784,75 +898,6 @@ case $SKIP_PO in
  fi;;
 esac

-symlink_to_dir()
-{
-  src=$1/$2
-  dst=${3-$2}
-
-  test -f "$src" && {
-
-    # If the destination directory doesn't exist, create it.
-    # This is required at least for "lib/uniwidth/cjk.h".
-    dst_dir=$(dirname "$dst")
-    if ! test -d "$dst_dir"; then
-      mkdir -p "$dst_dir"
-
-      # If we've just created a directory like lib/uniwidth,
-      # tell version control system(s) it's ignorable.
-      # FIXME: for now, this does only one level
-      parent=$(dirname "$dst_dir")
-      for dot_ig in x $vc_ignore; do
-        test $dot_ig = x && continue
-        ig=$parent/$dot_ig
-        insert_vc_ignore $ig "${dst_dir##*/}"
-      done
-    fi
-
-    if $copy; then
-      {
-        test ! -h "$dst" || {
-          echo "$me: rm -f $dst" &&
-          rm -f "$dst"
-        }
-      } &&
-      test -f "$dst" &&
-      cmp -s "$src" "$dst" || {
-        echo "$me: cp -fp $src $dst" &&
-        cp -fp "$src" "$dst"
-      }
-    else
-      # Leave any existing symlink alone, if it already points to the source,
-      # so that broken build tools that care about symlink times
-      # aren't confused into doing unnecessary builds.  Conversely, if the
-      # existing symlink's timestamp is older than the source, make it afresh,
-      # so that broken tools aren't confused into skipping needed builds.  See
-      # <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00326.html>.
-      test -h "$dst" &&
-      src_ls=$(ls -diL "$src" 2>/dev/null) && set $src_ls && src_i=$1 &&
-      dst_ls=$(ls -diL "$dst" 2>/dev/null) && set $dst_ls && dst_i=$1 &&
-      test "$src_i" = "$dst_i" &&
-      both_ls=$(ls -dt "$src" "$dst") &&
-      test "X$both_ls" = "X$dst$nl$src" || {
-        dot_dots=
-        case $src in
-        /*) ;;
-        *)
-          case /$dst/ in
-          *//* | */../* | */./* | /*/*/*/*/*/)
-             die "invalid symlink calculation: $src -> $dst";;
-          /*/*/*/*/)    dot_dots=../../../;;
-          /*/*/*/)      dot_dots=../../;;
-          /*/*/)        dot_dots=../;;
-          esac;;
-        esac
-
-        echo "$me: ln -fs $dot_dots$src $dst" &&
-        ln -fs "$dot_dots$src" "$dst"
-      }
-    fi
-  }
-}
-
 version_controlled_file() {
  parent=$1
  file=$2
@ -970,7 +1015,7 @@ bootstrap_post_import_hook \
 # Uninitialized submodules are listed with an initial dash.
 if $use_git && git submodule | grep '^-' >/dev/null; then
  die "some git submodules are not initialized. "     \
-      "Run 'git submodule init' and bootstrap again."
+      "Run 'git submodule update --init' and bootstrap again."
 fi

 # Remove any dangling symlink matching "*.m4" or "*.[ch]" in some
@ -1064,7 +1109,7 @@ bootstrap_epilogue

 echo "$0: done.  Now you can run './configure'."

-# Local variables:
+# Local Variables:
 # eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
--- a/bootstrap.conf
+++ b/bootstrap.conf
@ -1,6 +1,6 @@
 # Bootstrap configuration.

-# Copyright (C) 2006-2019 Free Software Foundation, Inc.
+# Copyright (C) 2006-2022 Free Software Foundation, Inc.

 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -16,13 +16,13 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.


-GNULIB_REVISION=d271f868a8df9bbec29049d01e056481b7a1a263
+GNULIB_REVISION=9f48fb992a3d7e96610c4ce8be969cff2d61a01b

 # gnulib modules used by this package.
-# mbswidth is used by gnulib-fix-width.diff's changes to argp rather than
-# directly.
+# mbswidth is used by fix-width.diff's changes to argp rather than directly.
 gnulib_modules="
  argp
+  base64
  error
  fnmatch
  getdelim
@ -34,6 +34,7 @@ gnulib_modules="
  realloc-gnu
  regex
  save-cwd
+  stdbool
 "

 gnulib_tool_option_extras="\
@ -65,10 +66,11 @@ SKIP_PO=t

 # Build prerequisites
 buildreq="\
-autoconf   2.63
-automake   1.11
-gettext    0.18.3
+autoconf   2.64
+automake   1.14
+gettext    -
 git        1.5.5
+patch      -
 tar        -
 "

@ -78,9 +80,19 @@ cp -a INSTALL INSTALL.grub

 bootstrap_post_import_hook () {
  set -e
-  for patchname in fix-null-deref fix-width no-abort; do
-    patch -d grub-core/lib/gnulib -p2 \
-      < "grub-core/lib/gnulib-patches/$patchname.patch"
+
+  # Instead of patching our gnulib and therefore maintaining a fork, submit
+  # changes to gnulib and update the hash above when they've merged.  Do not
+  # add new patches here.
+  patch -d grub-core/lib/gnulib -p2 < grub-core/lib/gnulib-patches/fix-width.patch
+
+  for patchname in \
+      0001-Support-POTFILES-shell \
+      0002-Handle-gettext_printf-shell-function \
+      0003-Make-msgfmt-output-in-little-endian \
+      0004-Use-SHELL-rather-than-bin-sh; do
+    patch -d po -p3 \
+      < "po/gettext-patches/$patchname.patch"
  done
  FROM_BOOTSTRAP=1 ./autogen.sh
  set +e  # bootstrap expects this
--- a/conf/Makefile.common
+++ b/conf/Makefile.common
@ -20,6 +20,9 @@ endif
 if COND_powerpc_ieee1275
  CFLAGS_PLATFORM += -mcpu=powerpc
 endif
+if COND_HAVE_PCI
+  CFLAGS_PLATFORM += -DGRUB_HAS_PCI
+endif

 # Other options

@ -39,9 +42,16 @@ LDFLAGS_KERNEL = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC)
 CPPFLAGS_KERNEL = $(CPPFLAGS_CPU) $(CPPFLAGS_PLATFORM) -DGRUB_KERNEL=1
 CCASFLAGS_KERNEL = $(CCASFLAGS_CPU) $(CCASFLAGS_PLATFORM)
 STRIPFLAGS_KERNEL = -R .rel.dyn -R .reginfo -R .note -R .comment -R .drectve -R .note.gnu.gold-version -R .MIPS.abiflags -R .ARM.exidx
+if !COND_emu
+if COND_HAVE_ASM_USCORE
+  LDFLAGS_KERNEL += -Wl,--defsym=_malloc=_grub_malloc -Wl,--defsym=_free=_grub_free
+else
+  LDFLAGS_KERNEL += -Wl,--defsym=malloc=grub_malloc -Wl,--defsym=free=grub_free
+endif
+endif

 CFLAGS_MODULE = $(CFLAGS_PLATFORM) -ffreestanding
-LDFLAGS_MODULE = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC) -Wl,-r,-d
+LDFLAGS_MODULE = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC) -Wl,-r
 CPPFLAGS_MODULE = $(CPPFLAGS_CPU) $(CPPFLAGS_PLATFORM)
 CCASFLAGS_MODULE = $(CCASFLAGS_CPU) $(CCASFLAGS_PLATFORM)

@ -65,7 +75,7 @@ grubconfdir = $(sysconfdir)/grub.d
 platformdir = $(pkglibdir)/$(target_cpu)-$(platform)
 starfielddir = $(pkgdatadir)/themes/starfield

-CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion
+CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion -Wno-error=attributes
 CPPFLAGS_GNULIB = -I$(top_builddir)/grub-core/lib/gnulib -I$(top_srcdir)/grub-core/lib/gnulib

 CFLAGS_POSIX = -fno-builtin
@ -84,7 +94,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
 CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
@ -99,27 +111,29 @@ MOD_FILES =
 MODULE_FILES =
 MARKER_FILES =
 KERNEL_HEADER_FILES =
+EXTRA_DEPS =

+bin_SCRIPTS =
+bin_PROGRAMS =
+check_SCRIPTS_native =
+check_SCRIPTS_nonnative =
+check_PROGRAMS_native =
+check_PROGRAMS_nonnative =
+dist_grubconf_DATA =
+dist_noinst_DATA =
+grubconf_SCRIPTS =
 man_MANS =
 noinst_DATA =
-pkgdata_DATA =
-bin_SCRIPTS =
-sbin_SCRIPTS =
-bin_PROGRAMS =
-platform_DATA =
-sbin_PROGRAMS =
-check_SCRIPTS =
-dist_grubconf_DATA =
-check_PROGRAMS =
 noinst_SCRIPTS =
 noinst_PROGRAMS =
-grubconf_SCRIPTS =
 noinst_LIBRARIES =
-dist_noinst_DATA =
+pkgdata_DATA =
+platform_DATA =
 platform_SCRIPTS =
 platform_PROGRAMS =
+sbin_SCRIPTS =
+sbin_PROGRAMS =

-TESTS =
 EXTRA_DIST =
 CLEANFILES =
 BUILT_SOURCES =
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@ -21,6 +21,7 @@ EXTRA_DIST += conf/i386-cygwin-img-ld.sc
 EXTRA_DIST += grub-core/Makefile.core.def
 EXTRA_DIST += grub-core/Makefile.gcry.def

+EXTRA_DIST += grub-core/extra_deps.lst
 EXTRA_DIST += grub-core/genmoddep.awk
 EXTRA_DIST += grub-core/genmod.sh.in
 EXTRA_DIST += grub-core/gensyminfo.sh.in
@ -28,9 +29,7 @@ EXTRA_DIST += grub-core/gensymlist.sh
 EXTRA_DIST += grub-core/genemuinit.sh
 EXTRA_DIST += grub-core/genemuinitheader.sh

-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
 EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch

 EXTRA_DIST += grub-core/lib/libgcrypt
 EXTRA_DIST += grub-core/lib/libgcrypt-grub/mpi/generic
@ -110,6 +109,21 @@ EXTRA_DIST += grub-core/osdep/windows/password.c
 EXTRA_DIST += grub-core/osdep/windows/random.c
 EXTRA_DIST += grub-core/osdep/windows/sleep.c

+EXTRA_DIST += po/gettext-patches/0001-Support-POTFILES-shell.patch
+EXTRA_DIST += po/gettext-patches/0002-Handle-gettext_printf-shell-function.patch
+EXTRA_DIST += po/gettext-patches/0003-Make-msgfmt-output-in-little-endian.patch
+EXTRA_DIST += po/gettext-patches/0004-Use-SHELL-rather-than-bin-sh.patch
+
+EXTRA_DIST += po/POTFILES-shell.in
+EXTRA_DIST += po/README
+EXTRA_DIST += po/Rules-translit
+EXTRA_DIST += po/Rules-windowsdir
+EXTRA_DIST += po/arabic.sed
+EXTRA_DIST += po/cyrillic.sed
+EXTRA_DIST += po/greek.sed
+EXTRA_DIST += po/grub.d.sed
+EXTRA_DIST += po/hebrew.sed
+
 EXTRA_DIST += tests/dfly-mbr-mbexample.mbr.img.gz
 EXTRA_DIST += tests/dfly-mbr-mbexample.dfly.img.gz

--- a/conf/i386-cygwin-img-ld.sc
+++ b/conf/i386-cygwin-img-ld.sc
@ -14,6 +14,8 @@ SECTIONS
  {
    __data_start__ = . ;
    *(.data)
+    /* Do not discard this section. */
+    . = . ;
    __data_end__ = . ;
    __rdata_start__ = . ;
    *(.rdata)
@ -34,6 +36,8 @@ SECTIONS
  .edata :
  {
    *(.edata)
+    /* Do not discard this section. */
+    . = . ;
    end = . ;
    _end = . ;
    __end = . ;
--- a/config.h.in
+++ b/config.h.in
@ -9,6 +9,10 @@
 #define GCRYPT_NO_DEPRECATED 1
 #define HAVE_MEMMOVE 1

+#if @MM_DEBUG@
+#define MM_DEBUG @MM_DEBUG@
+#endif
+
 /* Define to 1 to enable disk cache statistics.  */
 #define DISK_CACHE_STATS @DISK_CACHE_STATS@
 #define BOOT_TIME_STATS @BOOT_TIME_STATS@
@ -31,12 +35,12 @@
 #    else
 #      define BUILD_WORDS_BIGENDIAN 0
 #    endif
-#else
+#  else /* !defined __APPLE__ */
 #    define BUILD_WORDS_BIGENDIAN @BUILD_WORDS_BIGENDIAN@
-#endif
+#  endif /* !defined __APPLE__ */
 #elif defined (GRUB_UTIL) || !defined (GRUB_MACHINE)
 #  include <config-util.h>
-#else
+#else /* !defined GRUB_UTIL && defined GRUB_MACHINE */
 #  define HAVE_FONT_SOURCE @HAVE_FONT_SOURCE@
 /* Define if C symbols get an underscore after compilation. */
 #  define HAVE_ASM_USCORE @HAVE_ASM_USCORE@
@ -60,8 +64,86 @@
 #  define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
 #  define GRUB_PLATFORM "@GRUB_PLATFORM@"

+#  define GRUB_STACK_PROTECTOR_INIT @GRUB_STACK_PROTECTOR_INIT@
+
 #  define RE_ENABLE_I18N 1

 #  define _GNU_SOURCE 1

+#  ifndef _GL_INLINE_HEADER_BEGIN
+/*
+ * gnulib gets configured against the host, not the target, and the rest of
+ * our buildsystem works around that.  This is difficult to avoid as gnulib's
+ * detection requires a more capable system than our target.  Instead, we
+ * reach in and set values appropriately - intentionally setting more than the
+ * bare minimum.  If, when updating gnulib, something breaks, there's probably
+ * a change needed here or in grub-core/Makefile.core.def.
+ */
+#    define SIZE_MAX ((size_t) -1)
+#    define _GL_ATTRIBUTE_ALLOC_SIZE(args) \
+    __attribute__ ((__alloc_size__ args))
+#    define _GL_ATTRIBUTE_ALWAYS_INLINE __attribute__ ((__always_inline__))
+#    define _GL_ATTRIBUTE_ARTIFICIAL __attribute__ ((__artificial__))
+#    define _GL_ATTRIBUTE_COLD __attribute__ ((cold))
+#    define _GL_ATTRIBUTE_CONST __attribute__ ((const))
+#    define _GL_ATTRIBUTE_DEALLOC(f, i) __attribute ((__malloc__ (f, i)))
+#    define _GL_ATTRIBUTE_DEALLOC_FREE _GL_ATTRIBUTE_DEALLOC (free, 1)
+#    define _GL_ATTRIBUTE_DEPRECATED __attribute__ ((__deprecated__))
+#    define _GL_ATTRIBUTE_ERROR(msg) __attribute__ ((__error__ (msg)))
+#    define _GL_ATTRIBUTE_EXTERNALLY_VISIBLE \
+    __attribute__ ((externally_visible))
+#    define _GL_ATTRIBUTE_FORMAT(spec) __attribute__ ((__format__ spec))
+#    define _GL_ATTRIBUTE_LEAF __attribute__ ((__leaf__))
+#    define _GL_ATTRIBUTE_MALLOC __attribute__ ((malloc))
+#    define _GL_ATTRIBUTE_MAYBE_UNUSED _GL_ATTRIBUTE_UNUSED
+#    define _GL_ATTRIBUTE_MAY_ALIAS __attribute__ ((__may_alias__))
+#    define _GL_ATTRIBUTE_NODISCARD __attribute__ ((__warn_unused_result__))
+#    define _GL_ATTRIBUTE_NOINLINE __attribute__ ((__noinline__))
+#    define _GL_ATTRIBUTE_NONNULL(args) __attribute__ ((__nonnull__ args))
+#    define _GL_ATTRIBUTE_NONSTRING __attribute__ ((__nonstring__))
+#    define _GL_ATTRIBUTE_PACKED __attribute__ ((__packed__))
+#    define _GL_ATTRIBUTE_PURE __attribute__ ((__pure__))
+#    define _GL_ATTRIBUTE_RETURNS_NONNULL \
+    __attribute__ ((__returns_nonnull__))
+#    define _GL_ATTRIBUTE_SENTINEL(pos) __attribute__ ((__sentinel__ pos))
+#    define _GL_ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#    define _GL_ATTRIBUTE_WARNING(msg) __attribute__ ((__warning__ (msg)))
+#    define _GL_CMP(n1, n2) (((n1) > (n2)) - ((n1) < (n2)))
+#    define _GL_GNUC_PREREQ GNUC_PREREQ
+#    define _GL_INLINE inline
+#    define _GL_UNUSED_LABEL _GL_ATTRIBUTE_UNUSED
+
+/* We can't use __has_attribute for these because gcc-5.1 is too old for
+ * that.  Everything above is present in that version, though. */
+#    if __GNUC__ >= 7
+#      define _GL_ATTRIBUTE_FALLTHROUGH __attribute__ ((fallthrough))
+#    else
+#      define _GL_ATTRIBUTE_FALLTHROUGH /* empty */
+#    endif
+
+#    ifndef ASM_FILE
+typedef __INT_FAST32_TYPE__ int_fast32_t;
+typedef __UINT_FAST32_TYPE__ uint_fast32_t;
+#    endif
+
+/* Ensure ialloc nests static/non-static inline properly. */
+#    define IALLOC_INLINE static inline
+
+/*
+ * gnulib uses these for blocking out warnings they can't/won't fix.  gnulib
+ * also makes the decision about whether to provide a declaration for
+ * reallocarray() at compile-time, so this is a convenient place to override -
+ * it's used by the ialloc module, which is used by base64.
+ */
+#    define _GL_INLINE_HEADER_BEGIN _Pragma ("GCC diagnostic push")	\
+    void *								\
+    reallocarray (void *ptr, unsigned int nmemb, unsigned int size);
+#    define _GL_INLINE_HEADER_END   _Pragma ("GCC diagnostic pop")
+#  endif /* !_GL_INLINE_HEADER_BEGIN */
+
+/* gnulib doesn't build cleanly with older compilers. */
+#  if __GNUC__ < 11
+_Pragma ("GCC diagnostic ignored \"-Wtype-limits\"")
+#  endif
+
 #endif
--- a/configure.ac
+++ b/configure.ac
@ -26,18 +26,26 @@ dnl This is necessary because the target type in autoconf does not
 dnl describe such a system very well.
 dnl
 dnl The current strategy is to use variables with no prefix (such as
-dnl CC, CFLAGS, etc.) for the host type, variables with prefix "BUILD_"
-dnl (such as BUILD_CC, BUILD_CFLAGS, etc.) for the build type and variables
-dnl with the prefix "TARGET_" (such as TARGET_CC, TARGET_CFLAGS, etc.) are
-dnl used for the target type. See INSTALL for full list of variables.
+dnl CC, CFLAGS, etc.) for the host and target type, variables with
+dnl prefix "BUILD_" (such as BUILD_CC, BUILD_CFLAGS, etc.) for the
+dnl build type, variables with prefix "HOST_" (such as HOST_CC,
+dnl HOST_CFLAGS, etc.) for the host type and variables with the prefix
+dnl "TARGET_" (such as TARGET_CC, TARGET_CFLAGS, etc.) are used for
+dnl the target type. See INSTALL for full list of variables and
+dnl description of the relationships between them.

-AC_INIT([GRUB],[2.04],[bug-grub@gnu.org])
+AC_INIT([GRUB],[2.13],[bug-grub@gnu.org])

-AC_CONFIG_AUX_DIR([build-aux])
+AS_CASE(["$ERROR_PLATFORM_NOT_SUPPORT_SSP"],
+  [n | no | nO | N | No | NO], [ERROR_PLATFORM_NOT_SUPPORT_SSP=no],
+  [ERROR_PLATFORM_NOT_SUPPORT_SSP=yes])

 # We don't want -g -O2 by default in CFLAGS
 : ${CFLAGS=""}

+AC_USE_SYSTEM_EXTENSIONS
+AC_CONFIG_AUX_DIR([build-aux])
+
 # Checks for build, host and target systems.
 AC_CANONICAL_BUILD
 AC_CANONICAL_HOST
@ -46,9 +54,9 @@ AC_CANONICAL_TARGET
 program_prefix="${save_program_prefix}"

 AM_INIT_AUTOMAKE([1.11])
-AC_PREREQ(2.63)
+AC_PREREQ(2.64)
 AC_CONFIG_SRCDIR([include/grub/dl.h])
-AC_CONFIG_HEADER([config-util.h])
+AC_CONFIG_HEADERS([config-util.h])

 # Explicitly check for pkg-config early on, since otherwise conditional
 # calls are problematic.
@ -68,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
 grub_TRANSFORM([grub-mkrelpath])
 grub_TRANSFORM([grub-mkrescue])
 grub_TRANSFORM([grub-probe])
+grub_TRANSFORM([grub-protect])
 grub_TRANSFORM([grub-reboot])
 grub_TRANSFORM([grub-script-check])
 grub_TRANSFORM([grub-set-default])
@ -75,11 +84,22 @@ grub_TRANSFORM([grub-sparc64-setup])
 grub_TRANSFORM([grub-render-label])
 grub_TRANSFORM([grub-file])

+# Allow HOST_CC to override CC.
+if test "x$HOST_CC" != x; then
+  CC=$HOST_CC
+fi
+
 # Optimization flag.  Allow user to override.
 if test "x$TARGET_CFLAGS" = x; then
-  TARGET_CFLAGS="$TARGET_CFLAGS -Os"
+  TARGET_CFLAGS=-Os
 fi

+# Enable support for "restrict" keyword and other
+# features from gnu99 C language standard.
+BUILD_CFLAGS="-std=gnu99 -fno-common $BUILD_CFLAGS"
+HOST_CFLAGS="-std=gnu99 -fno-common $HOST_CFLAGS"
+TARGET_CFLAGS="-std=gnu99 -fno-common $TARGET_CFLAGS"
+
 # Default HOST_CPPFLAGS
 HOST_CPPFLAGS="$HOST_CPPFLAGS -Wall -W"
 HOST_CPPFLAGS="$HOST_CPPFLAGS -DGRUB_UTIL=1"
@ -98,18 +118,11 @@ case "$target_cpu" in
                target_cpu=mips
 		machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_CPU_MIPS=1"
 		;;
-  arm*)
-		target_cpu=arm
-		;;
-  aarch64*)
-		target_cpu=arm64
-		;;
-  riscv32*)
-		target_cpu=riscv32
-		;;
-  riscv64*)
-		target_cpu=riscv64
-		;;
+  arm*)		target_cpu=arm ;;
+  aarch64*)	target_cpu=arm64 ;;
+  loongarch64)	target_cpu=loongarch64 ;;
+  riscv32*)	target_cpu=riscv32 ;;
+  riscv64*)	target_cpu=riscv64 ;;
 esac

 # Specify the platform (such as firmware).
@ -133,6 +146,7 @@ if test "x$with_platform" = x; then
    ia64-*) platform=efi ;;
    arm-*) platform=uboot ;;
    arm64-*) platform=efi ;;
+    loongarch64-*) platform=efi;;
    riscv32-*) platform=efi ;;
    riscv64-*) platform=efi ;;
    *)
@ -183,6 +197,7 @@ case "$target_cpu"-"$platform" in
  arm-coreboot) ;;
  arm-efi) ;;
  arm64-efi) ;;
+  loongarch64-efi) ;;
  riscv32-efi) ;;
  riscv64-efi) ;;
  *-emu) ;;
@ -324,7 +339,7 @@ fi
 AC_PROG_RANLIB
 AC_PROG_INSTALL
 AC_PROG_AWK
-AC_PROG_LEX
+AC_PROG_LEX([noyywrap])
 AC_PROG_YACC
 AC_PROG_MAKE_SET
 AC_PROG_MKDIR_P
@ -360,11 +375,15 @@ test "x$GCC" = xyes || AC_MSG_ERROR([GCC is required])

 AC_CHECK_PROG(HAVE_CXX, $CXX, yes, no)

-AC_GNU_SOURCE
 AM_GNU_GETTEXT([external])
 AM_GNU_GETTEXT_VERSION([0.18.3])
 AC_SYS_LARGEFILE

+PLATFORMS_PCI=" $(PYTHONPATH="${srcdir}" $PYTHON -c 'import gentpl; print(" ".join(gentpl.GROUPS[["pci"]]))') "
+if test x"${PLATFORMS_PCI##* ${target_cpu}_${platform} *}" = x ; then
+  have_pci=y
+fi
+
 # Identify characteristics of the host architecture.
 unset ac_cv_c_bigendian

@ -410,12 +429,12 @@ else
 fi

 # Check for functions and headers.
-AC_CHECK_FUNCS(posix_memalign memalign getextmntent)
+AC_CHECK_FUNCS(posix_memalign memalign getextmntent atexit)
 AC_CHECK_HEADERS(sys/param.h sys/mount.h sys/mnttab.h limits.h)

 # glibc 2.25 still includes sys/sysmacros.h in sys/types.h but emits deprecation
 # warning which causes compilation failure later with -Werror. So use -Werror here
-# as well to force proper sys/sysmacros.h detection.
+# as well to force proper sys/sysmacros.h detection. Used in include/grub/osdep/major.h.
 SAVED_CFLAGS="$CFLAGS"
 CFLAGS="$HOST_CFLAGS -Werror"
 AC_HEADER_MAJOR
@ -562,6 +581,24 @@ CPPFLAGS="$TARGET_CPPFLAGS"
 LDFLAGS="$TARGET_LDFLAGS"
 LIBS=""

+if test "x$target_m32" = x1; then
+  # Force 32-bit mode.
+  TARGET_CFLAGS="$TARGET_CFLAGS -m32"
+  TARGET_CCASFLAGS="$TARGET_CCASFLAGS -m32"
+  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -m32"
+  TARGET_LDFLAGS="$TARGET_LDFLAGS -m32"
+  TARGET_MODULE_FORMAT="elf32"
+fi
+
+if test "x$target_m64" = x1; then
+  # Force 64-bit mode.
+  TARGET_CFLAGS="$TARGET_CFLAGS -m64"
+  TARGET_CCASFLAGS="$TARGET_CCASFLAGS -m64"
+  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -m64"
+  TARGET_LDFLAGS="$TARGET_LDFLAGS -m64"
+  TARGET_MODULE_FORMAT="elf64"
+fi
+
 # debug flags.
 TARGET_CFLAGS="$TARGET_CFLAGS $WARN_FLAGS -g -Wredundant-decls -Wmissing-prototypes -Wmissing-declarations"
 TARGET_CCASFLAGS="$TARGET_CCASFLAGS -g"
@ -750,24 +787,6 @@ if test "x$target_cpu" = xi386 && test "x$platform" != xemu; then
  TARGET_CFLAGS="$TARGET_CFLAGS -march=i386"
 fi

-if test "x$target_m32" = x1; then
-  # Force 32-bit mode.
-  TARGET_CFLAGS="$TARGET_CFLAGS -m32"
-  TARGET_CCASFLAGS="$TARGET_CCASFLAGS -m32"
-  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -m32"
-  TARGET_LDFLAGS="$TARGET_LDFLAGS -m32"
-  TARGET_MODULE_FORMAT="elf32"
-fi
-
-if test "x$target_m64" = x1; then
-  # Force 64-bit mode.
-  TARGET_CFLAGS="$TARGET_CFLAGS -m64"
-  TARGET_CCASFLAGS="$TARGET_CCASFLAGS -m64"
-  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -m64"
-  TARGET_LDFLAGS="$TARGET_LDFLAGS -m64"
-  TARGET_MODULE_FORMAT="elf64"
-fi
-
 if test "x$grub_cv_cc_target_clang" = xno && test "x$target_cpu" = xi386 && test "x$platform" != xemu && test "x$platform" != xefi; then
   TARGET_CFLAGS="$TARGET_CFLAGS -mrtd -mregparm=3"
 fi
@ -784,11 +803,24 @@ if test "x$target_cpu" = xmips || test "x$target_cpu" = xmipsel ; then
  if test "x$grub_cv_cc_mflush_func" = xyes; then
    TARGET_CFLAGS="$TARGET_CFLAGS -mflush-func=grub_red_herring"
  fi
+
+  AC_CACHE_CHECK([whether -mno-gpopt works], [grub_cv_cc_mno_gpopt], [
+    CFLAGS="$TARGET_CFLAGS -mno-gpopt -Werror"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	[grub_cv_cc_mno_gpopt=yes],
+	[grub_cv_cc_mno_gpopt=no])
+  ])
+
+  if test "x$grub_cv_cc_mno_gpopt" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -mno-gpopt"
+  fi
 fi


 # Force no alignment to save space on i386.
 if test "x$target_cpu" = xi386; then
+  TARGET_CFLAGS="$TARGET_CFLAGS -falign-functions=1"
+
  AC_CACHE_CHECK([whether -falign-loops works], [grub_cv_cc_falign_loop], [
    CFLAGS="$TARGET_CFLAGS -falign-loops=1 -Werror"
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
@ -796,17 +828,19 @@ if test "x$target_cpu" = xi386; then
 	[grub_cv_cc_falign_loop=no])
  ])

-  AC_CACHE_CHECK([whether -malign-loops works], [grub_cv_cc_malign_loop], [
-    CFLAGS="$TARGET_CFLAGS -malign-loops=1 -Werror"
+  if test "x$grub_cv_cc_falign_loop" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -falign-loops=1"
+  fi
+
+  AC_CACHE_CHECK([whether -falign-jumps works], [grub_cv_cc_falign_jumps], [
+    CFLAGS="$TARGET_CFLAGS -falign-jumps=1 -Werror"
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
-        [grub_cv_cc_malign_loop=yes],
-	[grub_cv_cc_malign_loop=no])
+        [grub_cv_cc_falign_jumps=yes],
+        [grub_cv_cc_falign_jumps=no])
  ])

-  if test "x$grub_cv_cc_falign_loop" = xyes; then
-    TARGET_CFLAGS="$TARGET_CFLAGS -falign-jumps=1 -falign-loops=1 -falign-functions=1"
-  elif test "x$grub_cv_cc_malign_loop" = xyes; then
-    TARGET_CFLAGS="$TARGET_CFLAGS -malign-jumps=1 -malign-loops=1 -malign-functions=1"
+  if test "x$grub_cv_cc_falign_jumps" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -falign-jumps=1"
  fi
 fi

@ -827,6 +861,83 @@ if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ) && test "x$p
  TARGET_CFLAGS="$TARGET_CFLAGS -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow"
 fi

+if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ); then
+  AC_CACHE_CHECK([whether -Wa,-mx86-used-note works], [grub_cv_cc_mx86_used_note], [
+    CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no -Werror"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	[grub_cv_cc_mx86_used_note=yes],
+	[grub_cv_cc_mx86_used_note=no])
+  ])
+
+  if test "x$grub_cv_cc_mx86_used_note" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mx86-used-note=no"
+  fi
+fi
+
+if test "x$target_cpu" = xloongarch64; then
+  AC_CACHE_CHECK([whether _mno_explicit_relocs works], [grub_cv_cc_mno_explicit_relocs], [
+    CFLAGS="$TARGET_CFLAGS -mno-explicit-relocs -Werror"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	[grub_cv_cc_mno_explicit_relocs=yes],
+	[grub_cv_cc_mno_explicit_relocs=no])
+  ])
+  if test "x$grub_cv_cc_mno_explicit_relocs" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -mno-explicit-relocs -fno-plt"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS -mno-explicit-relocs -fno-plt"
+  fi
+
+  AC_CACHE_CHECK([for no-relax options], grub_cv_target_cc_mno_relax, [
+    grub_cv_target_cc_mno_relax=no
+    for cand in "-mno-relax" "-Wa,-mno-relax"; do
+      if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+        break
+      fi
+      CFLAGS="$TARGET_CFLAGS $cand -Werror"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+	    asm (".globl start; start:");
+	    void __main (void);
+	    void __main (void) {}
+	    int main (void);
+	    ]], [[]])], [grub_cv_target_cc_mno_relax="$cand"], [])
+    done
+  ])
+  CFLAGS="$TARGET_CFLAGS"
+
+  if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+    TARGET_CFLAGS="$TARGET_CFLAGS $grub_cv_target_cc_mno_relax"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS $grub_cv_target_cc_mno_relax"
+  fi
+
+  TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mla-global-with-abs"
+  TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mla-global-with-abs"
+fi
+
+if test "x$target_cpu" = xriscv64 || test "x$target_cpu" = xriscv32; then
+  AC_CACHE_CHECK([for no-relax options], grub_cv_target_cc_mno_relax, [
+    grub_cv_target_cc_mno_relax=no
+    for cand in "-mno-relax" "-Wa,-mno-relax"; do
+      if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+        break
+      fi
+      CFLAGS="$TARGET_CFLAGS $cand -Werror"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+	    asm (".globl start; start:");
+	    void __main (void);
+	    void __main (void) {}
+	    int main (void);
+	    ]], [[]])], [grub_cv_target_cc_mno_relax="$cand"], [])
+    done
+  ])
+
+  CFLAGS="$TARGET_CFLAGS"
+
+  if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+    TARGET_CFLAGS="$TARGET_CFLAGS $grub_cv_target_cc_mno_relax"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS $grub_cv_target_cc_mno_relax"
+  fi
+fi
+
 # GRUB doesn't use float or doubles at all. Yet some toolchains may decide
 # that floats are a good fit to run instead of what's written in the code.
 # Given that floating point unit is disabled (if present to begin with)
@ -843,17 +954,30 @@ if test x"$platform" != xemu ; then
       CFLAGS="$TARGET_CFLAGS -march=rv32imac -mabi=ilp32 -Werror"
       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
 		         [grub_cv_target_cc_soft_float="-march=rv32imac -mabi=ilp32"], [])
+       # ISA spec version 20191213 factored out extensions Zicsr and Zifencei
+       CFLAGS="$TARGET_CFLAGS -march=rv32imac_zicsr_zifencei -mabi=ilp32 -Werror"
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+		         [grub_cv_target_cc_soft_float="-march=rv32imac_zicsr_zifencei -mabi=ilp32"], [])
    fi
    if test "x$target_cpu" = xriscv64; then
       CFLAGS="$TARGET_CFLAGS -march=rv64imac -mabi=lp64 -Werror"
       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
 		         [grub_cv_target_cc_soft_float="-march=rv64imac -mabi=lp64"], [])
+       # ISA spec version 20191213 factored out extensions Zicsr and Zifencei
+       CFLAGS="$TARGET_CFLAGS -march=rv64imac_zicsr_zifencei -mabi=lp64 -Werror"
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+		         [grub_cv_target_cc_soft_float="-march=rv64imac_zicsr_zifencei -mabi=lp64"], [])
    fi
    if test "x$target_cpu" = xia64; then
       CFLAGS="$TARGET_CFLAGS -mno-inline-float-divide -mno-inline-sqrt -Werror"
       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
 		         [grub_cv_target_cc_soft_float="-mno-inline-float-divide -mno-inline-sqrt"], [])
    fi
+    if test "x$target_cpu" = xsh4; then
+       CFLAGS="$TARGET_CFLAGS -m4-nofpu -Werror"
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+		         [grub_cv_target_cc_soft_float="-m4-nofpu"], [])
+    fi
    for cand in "-msoft-float -Xclang -msoft-float -Xclang -no-implicit-float" \
 		"-Xclang -msoft-float -Xclang -no-implicit-float" \
 		"-Xclang -msoft-float" "-msoft-float"; do
@ -933,6 +1057,19 @@ if test x"$target_cpu" = xsparc64 ; then
  TARGET_LDFLAGS="$TARGET_LDFLAGS $grub_cv_target_cc_mno_relax"
 fi

+# The backtrace module relies on frame pointers and the default optimization
+# level, -Os, omits them. Make sure they are enabled.
+AC_CACHE_CHECK([whether -fno-omit-frame-pointer works], [grub_cv_cc_fno_omit_frame_pointer], [
+  CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+      [grub_cv_cc_fno_omit_frame_pointer=yes],
+      [grub_cv_cc_fno_omit_frame_pointer=no])
+])
+
+if test "x$grub_cv_cc_fno_omit_frame_pointer" = xyes; then
+  TARGET_CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
+fi
+
 # By default, GCC 4.4 generates .eh_frame sections containing unwind
 # information in some cases where it previously did not. GRUB doesn't need
 # these and they just use up vital space. Restore the old compiler
@ -999,6 +1136,17 @@ if test "x$grub_cv_cc_fno_unwind_tables" = xyes; then
  TARGET_CFLAGS="$TARGET_CFLAGS -fno-unwind-tables"
 fi

+# Do not generate .ident sections.
+AC_CACHE_CHECK([whether -fno-ident works], [grub_cv_cc_fno_ident], [
+  CFLAGS="$TARGET_CFLAGS -fno-ident"
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+      [grub_cv_cc_fno_ident=yes],
+      [grub_cv_cc_fno_ident=no])
+])
+
+if test "x$grub_cv_cc_fno_ident" = xyes; then
+  TARGET_CFLAGS="$TARGET_CFLAGS -fno-ident"
+fi

 CFLAGS="$TARGET_CFLAGS"

@ -1077,9 +1225,9 @@ if test x$grub_cv_target_cc_link_format = x-arch,i386 || test x$grub_cv_target_c
 elif test x$grub_cv_target_cc_link_format = x-mi386pe || test x$grub_cv_target_cc_link_format = x-mi386pep ; then
  TARGET_APPLE_LINKER=0
  TARGET_LDFLAGS_OLDMAGIC="-Wl,-N"
-  TARGET_IMG_LDSCRIPT='$(top_srcdir)'"/${grub_coredir}/conf/i386-cygwin-img-ld.sc"
+  TARGET_IMG_LDSCRIPT='$(top_srcdir)'"/conf/i386-cygwin-img-ld.sc"
  TARGET_IMG_LDFLAGS="-Wl,-T${TARGET_IMG_LDSCRIPT}"
-  TARGET_IMG_LDFLAGS_AC="-Wl,-T${srcdir}/${grub_coredir}/conf/i386-cygwin-img-ld.sc"
+  TARGET_IMG_LDFLAGS_AC="-Wl,-T${srcdir}/conf/i386-cygwin-img-ld.sc"
  TARGET_IMG_BASE_LDOPT="-Wl,-Ttext"
  TARGET_IMG_CFLAGS=
 else
@ -1198,7 +1346,8 @@ if test "x$target_cpu" = xarm; then
  AC_CACHE_CHECK([for options to disable movt and movw], grub_cv_target_cc_mno_movt, [
    grub_cv_target_cc_mno_movt=no
    for cand in "-mno-movt" \
-		"-mllvm -arm-use-movt=0"; do
+		"-mllvm -arm-use-movt=0" \
+		"-mword-relocations"; do
      if test x"$grub_cv_target_cc_mno_movt" != xno ; then
        break
      fi
@ -1251,6 +1400,7 @@ grub_CHECK_LINK_PIE
 # `-fPIE' or '-fpie' and '-pie' in the default specs.
 if [ x"$pie_possible" = xyes ]; then
  TARGET_CFLAGS="$TARGET_CFLAGS -fno-PIE -fno-pie"
+  TARGET_CCASFLAGS="$TARGET_CCASFLAGS -fno-PIE -fno-pie"
 fi

 if [ x"$link_nopie_needed" = xyes ] || [ x"$pie_possible" = xyes ]; then
@ -1285,13 +1435,69 @@ fi]

 CFLAGS="$TARGET_CFLAGS"

-# Smashing stack protector.
+# Stack smashing protector.
 grub_CHECK_STACK_PROTECTOR
+AC_ARG_ENABLE([stack-protector],
+	      AS_HELP_STRING([--enable-stack-protector],
+			     [enable the stack protector]),
+	      [],
+	      [enable_stack_protector=no])
+if test "x$enable_stack_protector" = xno; then
+  if test "x$ssp_possible" = xyes; then
    # Need that, because some distributions ship compilers that include
    # `-fstack-protector' in the default specs.
-if test "x$ssp_possible" = xyes; then
    TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
  fi
+elif test "x$platform" != xefi; then
+  if test "$ERROR_PLATFORM_NOT_SUPPORT_SSP" = "yes"; then
+    AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
+  else
+    AC_MSG_WARN([--enable-stack-protector is only supported on EFI platforms])
+  fi
+  enable_stack_protector=no
+elif test "x$ssp_global_possible" != xyes; then
+  AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)])
+else
+  TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
+  if test "x$enable_stack_protector" = xyes; then
+    if test "x$ssp_possible" != xyes; then
+      AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)])
+    fi
+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
+  elif test "x$enable_stack_protector" = xstrong; then
+    if test "x$ssp_strong_possible" != xyes; then
+      AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)])
+    fi
+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
+  else
+    # Note, -fstack-protector-all requires that the protector is disabled for
+    # functions that appear in the call stack when the canary is initialized.
+    AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
+  fi
+  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
+
+  if test -n "$SOURCE_DATE_EPOCH"; then
+     GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2$(printf "%x" "$SOURCE_DATE_EPOCH" | sed 's/.*\(........\)$/\1/')"
+  elif test -r /dev/urandom; then
+     # Generate the 8 byte stack protector canary at build time if /dev/urandom
+     # is able to be read. The first byte should be NUL to filter out string
+     # buffer overflow attacks.
+     GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), "hex").decode("ascii"))')"
+  else
+    # Some hosts may not have a urandom, e.g. Windows, so use statically
+    # generated random bytes
+    GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
+  fi
+
+  if test x"$target_m32" = x1 ; then
+    # Make sure that the canary default value is 24-bits by only using the
+    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
+    # to filter out string buffer overflow attacks.
+    GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 's/.*\(......\)$/\1/')"
+  fi
+
+  AC_SUBST([GRUB_STACK_PROTECTOR_INIT])
+fi

 CFLAGS="$TARGET_CFLAGS"

@ -1337,28 +1543,12 @@ fi

 # Set them to their new values for the tests below.
 CC="$TARGET_CC"
-if test x"$platform" = xemu ; then
-CFLAGS="$TARGET_CFLAGS -Wno-error"
-elif test "x$TARGET_APPLE_LINKER" = x1 ; then
-CFLAGS="$TARGET_CFLAGS -nostdlib -static -Wno-error"
-else
-CFLAGS="$TARGET_CFLAGS -nostdlib -Wno-error"
-fi
 CPPFLAGS="$TARGET_CPPFLAGS"

-grub_ASM_USCORE
-if test "x$TARGET_APPLE_LINKER" = x0 && test x"$platform" != xemu; then
-if test x$grub_cv_asm_uscore = xyes; then
-DEFSYM="-Wl,--defsym,_abort=_main -Wl,--defsym,__main=_main"
-else
-DEFSYM="-Wl,--defsym,abort=main -Wl,--defsym,_main=main -Wl,--defsym,__main=main"
-fi
-CFLAGS="$TARGET_CFLAGS -nostdlib $DEFSYM"
-fi
-
 # Check for libgcc symbols
 if test x"$platform" = xemu; then
-AC_CHECK_FUNCS(__udivsi3 __umodsi3 __divsi3 __modsi3 __divdi3 __moddi3 __udivdi3 __umoddi3 __ctzdi2 __ctzsi2 __aeabi_uidiv __aeabi_uidivmod __aeabi_idiv __aeabi_idivmod __aeabi_ulcmp __muldi3 __aeabi_lmul __aeabi_memcpy __aeabi_memcpy4 __aeabi_memcpy8 __aeabi_memclr __aeabi_memclr4 __aeabi_memclr8 __aeabi_memset __aeabi_lasr __aeabi_llsl __aeabi_llsr _restgpr_14_x __ucmpdi2 __ashldi3 __ashrdi3 __lshrdi3 __bswapsi2 __bswapdi2 __bzero __register_frame_info __deregister_frame_info ___chkstk_ms __chkstk_ms)
+CFLAGS="$TARGET_CFLAGS -Wno-error"
+AC_CHECK_FUNCS(__udivsi3 __umodsi3 __divsi3 __modsi3 __divdi3 __moddi3 __udivdi3 __umoddi3 __ctzdi2 __ctzsi2 __clzdi2 __aeabi_uidiv __aeabi_uidivmod __aeabi_idiv __aeabi_idivmod __aeabi_ulcmp __muldi3 __aeabi_lmul __aeabi_memcpy __aeabi_memcpy4 __aeabi_memcpy8 __aeabi_memclr __aeabi_memclr4 __aeabi_memclr8 __aeabi_memset __aeabi_lasr __aeabi_llsl __aeabi_llsr _restgpr_14_x __ucmpdi2 __ashldi3 __ashrdi3 __lshrdi3 __bswapsi2 __bswapdi2 __bzero __register_frame_info __deregister_frame_info ___chkstk_ms __chkstk_ms)
 fi

 if test "x$TARGET_APPLE_LINKER" = x1 ; then
@ -1368,7 +1558,8 @@ CFLAGS="$TARGET_CFLAGS -nostdlib"
 fi
 LIBS=""

-# Defined in aclocal.m4.
+# Defined in acinclude.m4.
+grub_ASM_USCORE
 grub_PROG_TARGET_CC
 if test "x$TARGET_APPLE_LINKER" != x1 ; then
 grub_PROG_OBJCOPY_ABSOLUTE
@ -1435,9 +1626,14 @@ LIBS="$tmp_LIBS"
 # Memory manager debugging.
 AC_ARG_ENABLE([mm-debug],
 	      AS_HELP_STRING([--enable-mm-debug],
-                             [include memory manager debugging]),
-              [AC_DEFINE([MM_DEBUG], [1],
-                         [Define to 1 if you enable memory manager debugging.])])
+                             [include memory manager debugging]))
+if test x$enable_mm_debug = xyes; then
+  MM_DEBUG=1
+else
+  MM_DEBUG=0
+fi
+AC_SUBST([MM_DEBUG])
+AM_CONDITIONAL([COND_MM_DEBUG], [test x$MM_DEBUG = x1])

 AC_ARG_ENABLE([cache-stats],
 	      AS_HELP_STRING([--enable-cache-stats],
@ -1461,6 +1657,10 @@ else
 fi
 AC_SUBST([BOOT_TIME_STATS])

+AC_ARG_ENABLE([grub-emu-sdl2],
+	      [AS_HELP_STRING([--enable-grub-emu-sdl2],
+                             [build and install the `grub-emu' debugging utility with SDL2 support (default=guessed)])])
+
 AC_ARG_ENABLE([grub-emu-sdl],
 	      [AS_HELP_STRING([--enable-grub-emu-sdl],
                             [build and install the `grub-emu' debugging utility with SDL support (default=guessed)])])
@ -1470,6 +1670,28 @@ AC_ARG_ENABLE([grub-emu-pci],
                             [build and install the `grub-emu' debugging utility with PCI support (potentially dangerous) (default=no)])])

 if test "$platform" = emu; then
+  if test x"$enable_grub_emu_sdl2" = xno ; then
+    grub_emu_sdl2_excuse="explicitly disabled"
+  fi
+  [if [ x"$grub_emu_sdl2_excuse" = x ]; then
+    # Check for libSDL libraries.]
+    PKG_CHECK_MODULES([SDL2], [sdl2], [
+            AC_DEFINE([HAVE_SDL2], [1], [Define to 1 if you have SDL2 library.])
+            AC_SUBST(HAVE_SDL2)],
+            [grub_emu_sdl2_excuse="libSDL2 libraries are required to build \`grub-emu' with SDL2 support"])
+  [fi]
+  if test x"$enable_grub_emu_sdl2" = xyes && test x"$grub_emu_sdl2_excuse" != x ; then
+    AC_MSG_ERROR([SDL2 support for grub-emu was explicitly requested but can't be compiled ($grub_emu_sdl2_excuse)])
+  fi
+  if test x"$grub_emu_sdl2_excuse" = x ; then
+    enable_grub_emu_sdl2=yes
+  else
+    enable_grub_emu_sdl2=no
+  fi
+  if test x"$enable_grub_emu_sdl2" = xyes ; then
+    grub_emu_sdl_excuse="disabled by sdl2"
+  fi
+

  if test x"$enable_grub_emu_sdl" = xno ; then
    grub_emu_sdl_excuse="explicitly disabled"
@ -1487,7 +1709,7 @@ AC_CHECK_LIB([SDL], [SDL_Init], [LIBSDL="-lSDL"],
      [grub_emu_sdl_excuse=["libSDL header file is required to build \`grub-emu' with SDL support"]])
  [fi]

-if test x"enable_grub_emu_sdl" = xyes && test x"$grub_emu_sdl_excuse" != x ; then
+  if test x"$enable_grub_emu_sdl" = xyes && test x"$grub_emu_sdl_excuse" != x ; then
    AC_MSG_ERROR([SDL support for grub-emu was explicitly requested but can't be compiled ($grub_emu_sdl_excuse)])
  fi
  if test x"$grub_emu_sdl_excuse" = x ; then
@ -1515,16 +1737,17 @@ fi
  if test x"$grub_emu_pci_excuse" = x ; then
    enable_grub_emu_pci=yes
  else
-
    enable_grub_emu_pci=no
  fi

+  AC_SUBST([enable_grub_emu_sdl2])
  AC_SUBST([enable_grub_emu_sdl])
  AC_SUBST([enable_grub_emu_pci])

 else

  # Ignore --enable-emu-* if platform is not emu
+  enable_grub_emu_sdl2=no
  enable_grub_emu_sdl=no
  enable_grub_emu_pci=no
 fi
@ -1552,6 +1775,9 @@ if test x"$grub_mkfont_excuse" = x ; then
    CPPFLAGS="$SAVED_CPPFLAGS"
    LIBS="$SAVED_LIBS"
  ], [grub_mkfont_excuse=["need freetype2 library"]])
+  if test x"$grub_mkfont_excuse" = x && test x"$host_kernel" = xnetbsd ; then
+      FREETYPE_LIBS="$FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;
+  fi
 fi

 if test x"$enable_grub_mkfont" = xyes && test x"$grub_mkfont_excuse" != x ; then
@ -1573,7 +1799,7 @@ CC="$BUILD_CC"
 CPP="$BUILD_CPP"
 CFLAGS="$BUILD_CFLAGS"
 CPPFLAGS="$BUILD_CPPFLAGS"
-LDFLAGS="$BUILD_LDFAGS"
+LDFLAGS="$BUILD_LDFLAGS"

 unset ac_cv_c_bigendian
 unset ac_cv_header_ft2build_h
@ -1606,6 +1832,11 @@ if test x"$grub_build_mkfont_excuse" = x ; then
    LIBS="$SAVED_LIBS"
    CPPFLAGS="$SAVED_CPPFLAGS_2"
  ], [grub_build_mkfont_excuse=["need freetype2 library"]])
+  if test x"$grub_build_mkfont_excuse" = x ; then
+    case x"$build_os" in
+      xnetbsd*) BUILD_FREETYPE_LIBS="$BUILD_FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;;
+    esac
+  fi
  PKG_CONFIG="$SAVED_PKG_CONFIG"
 fi

@ -1632,8 +1863,6 @@ CPPFLAGS="$SAVED_CPPFLAGS"
 LDFLAGS="$SAVED_LDFLAGS"


-DJVU_FONT_SOURCE=
-
 starfield_excuse=

 AC_ARG_ENABLE([grub-themes],
@ -1647,9 +1876,15 @@ if test x"$starfield_excuse" = x && test x"$enable_build_grub_mkfont" = xno ; th
  starfield_excuse="No build-time grub-mkfont"
 fi

+AC_ARG_WITH([dejavufont],
+            AS_HELP_STRING([--with-dejavufont=FILE],
+                           [set the DejeVu source [[guessed]]]))
+
+if test "x$with_dejavufont" = x; then
+  # search in well-known directories
  if test x"$starfield_excuse" = x; then
     for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
-     for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype; do
+       for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype /usr/pkg/share/fonts/X11/TTF /usr/local/share/fonts/dejavu /usr/X11R6/lib/X11/fonts/TTF /usr/share/fonts/dejavu-sans-fonts /usr/share/fonts/truetype/dejavu; do
          if test -f "$dir/DejaVuSans.$ext"; then
            DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
            break 2
@ -1661,6 +1896,9 @@ if test x"$starfield_excuse" = x; then
       starfield_excuse="No DejaVu found"
     fi
  fi
+else
+  DJVU_FONT_SOURCE="$with_dejavufont"
+fi

 if test x"$enable_grub_themes" = xyes &&  test x"$starfield_excuse" != x; then
   AC_MSG_ERROR([themes were explicitly requested but requirements are not satisfied ($starfield_excuse)])
@ -1668,10 +1906,14 @@ fi

 AC_SUBST([DJVU_FONT_SOURCE])

-FONT_SOURCE=
+AC_ARG_WITH([unifont],
+            AS_HELP_STRING([--with-unifont=FILE],
+                           [set the unifont source [[guessed]]]))

-for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
-  for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc; do
+if test "x$with_unifont" = x; then
+  # search in well-known directories
+  for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz otf otf.gz; do
+    for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc /usr/pkg/share/fonts/X11/misc /usr/local/share/fonts/gnu-unifont /usr/local/share/fonts/unifont; do
      if test -f "$dir/unifont.$ext"; then
        md5="$(md5sum "$dir/unifont.$ext"|awk '{ print $1; }')"
        # PCF and BDF from version 6.3 isn't hanled properly by libfreetype.
@ -1683,6 +1925,9 @@ for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
      fi
    done
  done
+else
+  FONT_SOURCE="$with_unifont"
+fi

 if test x"$enable_build_grub_mkfont" = xno ; then
  FONT_SOURCE=
@ -1711,17 +1956,11 @@ if test x"$enable_grub_mount" = xno ; then
 fi

 if test x"$grub_mount_excuse" = x ; then
-  AC_CHECK_LIB([fuse], [fuse_main_real], [],
-               [grub_mount_excuse="need FUSE library"])
-fi
-
-if test x"$grub_mount_excuse" = x ; then
-  # Check for fuse headers.
-  SAVED_CPPFLAGS="$CPPFLAGS"
-  CPPFLAGS="$CPPFLAGS -DFUSE_USE_VERSION=26"
-  AC_CHECK_HEADERS([fuse/fuse.h], [],
-  	[grub_mount_excuse=["need FUSE headers"]])
-  CPPFLAGS="$SAVED_CPPFLAGS"
+  PKG_CHECK_MODULES([FUSE], [fuse3], [FUSE_CFLAGS="$FUSE_CFLAGS -DFUSE_USE_VERSION=32"], [
+    PKG_CHECK_MODULES([FUSE], [fuse], [FUSE_CFLAGS="$FUSE_CFLAGS -DFUSE_USE_VERSION=26"], [
+      grub_mount_excuse="need fuse or fuse3 libraries"
+    ])
+  ])
 fi

 if test x"$enable_grub_mount" = xyes && test x"$grub_mount_excuse" != x ; then
@ -1825,8 +2064,19 @@ fi

 if test x"$libzfs_excuse" = x ; then
  AC_CHECK_LIB([nvpair], [nvlist_lookup_string],
-               [],
-               [libzfs_excuse="need nvpair library"])
+               [have_normal_nvpair=yes],
+               [have_normal_nvpair=no])
+  if test x"$have_normal_nvpair" = xno ; then
+    AC_CHECK_LIB([nvpair], [opensolaris_nvlist_lookup_string],
+                 [have_prefixed_nvpair=yes],
+                 [have_prefixed_nvpair=no])
+    if test x"$have_prefixed_nvpair" = xyes ; then
+      AC_DEFINE([GRUB_UTIL_NVPAIR_IS_PREFIXED], [1],
+            [Define to 1 if libnvpair symbols are prefixed with opensolaris_.])
+    else
+      libzfs_excuse="need nvpair library"
+    fi
+  fi
 fi

 if test x"$enable_libzfs" = xyes && test x"$libzfs_excuse" != x ; then
@ -1836,16 +2086,37 @@ fi
 if test x"$libzfs_excuse" = x ; then
  # We need both libzfs and libnvpair for a successful build.
  LIBZFS="-lzfs"
-  AC_DEFINE([HAVE_LIBZFS], [1],
-            [Define to 1 if you have the ZFS library.])
  LIBNVPAIR="-lnvpair"
-  AC_DEFINE([HAVE_LIBNVPAIR], [1],
-            [Define to 1 if you have the NVPAIR library.])
+  AC_DEFINE([USE_LIBZFS], [1],
+            [Define to 1 if ZFS library should be used.])
 fi

 AC_SUBST([LIBZFS])
 AC_SUBST([LIBNVPAIR])

+AC_ARG_ENABLE([grub-protect],
+	      [AS_HELP_STRING([--enable-grub-protect],
+                             [build and install the `grub-protect' utility (default=guessed)])])
+if test x"$enable_grub_protect" = xno ; then
+  grub_protect_excuse="explicitly disabled"
+fi
+
+LIBTASN1=
+if test x"$grub_protect_excuse" = x ; then
+  AC_CHECK_LIB([tasn1], [asn1_write_value], [LIBTASN1="-ltasn1"], [grub_protect_excuse="need libtasn1 library"])
+fi
+AC_SUBST([LIBTASN1])
+
+if test x"$enable_grub_protect" = xyes && test x"$grub_protect_excuse" != x ; then
+  AC_MSG_ERROR([grub-protect was explicitly requested but can't be compiled ($grub_protect_excuse)])
+fi
+if test x"$grub_protect_excuse" = x ; then
+enable_grub_protect=yes
+else
+enable_grub_protect=no
+fi
+AC_SUBST([enable_grub_protect])
+
 LIBS=""

 AC_SUBST([FONT_SOURCE])
@ -1864,6 +2135,10 @@ AC_ARG_ENABLE([werror],
 if test x"$enable_werror" != xno ; then
  TARGET_CFLAGS="$TARGET_CFLAGS -Werror"
  HOST_CFLAGS="$HOST_CFLAGS -Werror"
+  if test "x$grub_cv_cc_target_clang" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -Wno-error=vla"
+    HOST_CFLAGS="$HOST_CFLAGS -Wno-error=vla"
+  fi
 fi

 TARGET_CPP="$TARGET_CC -E"
@ -1911,36 +2186,38 @@ AC_SUBST(BUILD_LIBM)

 AM_CONDITIONAL([COND_real_platform], [test x$platform != xnone])
 AM_CONDITIONAL([COND_emu], [test x$platform = xemu])
-AM_CONDITIONAL([COND_i386_pc], [test x$target_cpu = xi386 -a x$platform = xpc])
-AM_CONDITIONAL([COND_i386_efi], [test x$target_cpu = xi386 -a x$platform = xefi])
-AM_CONDITIONAL([COND_ia64_efi], [test x$target_cpu = xia64 -a x$platform = xefi])
-AM_CONDITIONAL([COND_i386_qemu], [test x$target_cpu = xi386 -a x$platform = xqemu])
-AM_CONDITIONAL([COND_i386_ieee1275], [test x$target_cpu = xi386 -a x$platform = xieee1275])
-AM_CONDITIONAL([COND_i386_coreboot], [test x$target_cpu = xi386 -a x$platform = xcoreboot])
-AM_CONDITIONAL([COND_i386_multiboot], [test x$target_cpu = xi386 -a x$platform = xmultiboot])
-AM_CONDITIONAL([COND_x86_64_efi], [test x$target_cpu = xx86_64 -a x$platform = xefi])
-AM_CONDITIONAL([COND_i386_xen], [test x$target_cpu = xi386 -a x$platform = xxen])
-AM_CONDITIONAL([COND_i386_xen_pvh], [test x$target_cpu = xi386 -a x$platform = xxen_pvh])
-AM_CONDITIONAL([COND_x86_64_xen], [test x$target_cpu = xx86_64 -a x$platform = xxen])
-AM_CONDITIONAL([COND_mips_loongson], [test x$target_cpu = xmipsel -a x$platform = xloongson])
-AM_CONDITIONAL([COND_mips_qemu_mips], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xqemu_mips])
-AM_CONDITIONAL([COND_mips_arc], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xarc])
-AM_CONDITIONAL([COND_sparc64_ieee1275], [test x$target_cpu = xsparc64 -a x$platform = xieee1275])
-AM_CONDITIONAL([COND_sparc64_emu], [test x$target_cpu = xsparc64 -a x$platform = xemu])
-AM_CONDITIONAL([COND_powerpc_ieee1275], [test x$target_cpu = xpowerpc -a x$platform = xieee1275])
-AM_CONDITIONAL([COND_mips], [test x$target_cpu = xmips -o x$target_cpu = xmipsel])
-AM_CONDITIONAL([COND_mipsel], [test x$target_cpu = xmipsel])
-AM_CONDITIONAL([COND_mipseb], [test x$target_cpu = xmips])
 AM_CONDITIONAL([COND_arm], [test x$target_cpu = xarm ])
 AM_CONDITIONAL([COND_arm_uboot], [test x$target_cpu = xarm -a x$platform = xuboot])
 AM_CONDITIONAL([COND_arm_coreboot], [test x$target_cpu = xarm -a x$platform = xcoreboot])
 AM_CONDITIONAL([COND_arm_efi], [test x$target_cpu = xarm -a x$platform = xefi])
 AM_CONDITIONAL([COND_arm64], [test x$target_cpu = xarm64 ])
 AM_CONDITIONAL([COND_arm64_efi], [test x$target_cpu = xarm64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_ia64_efi], [test x$target_cpu = xia64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_i386_pc], [test x$target_cpu = xi386 -a x$platform = xpc])
+AM_CONDITIONAL([COND_i386_efi], [test x$target_cpu = xi386 -a x$platform = xefi])
+AM_CONDITIONAL([COND_i386_qemu], [test x$target_cpu = xi386 -a x$platform = xqemu])
+AM_CONDITIONAL([COND_i386_ieee1275], [test x$target_cpu = xi386 -a x$platform = xieee1275])
+AM_CONDITIONAL([COND_i386_coreboot], [test x$target_cpu = xi386 -a x$platform = xcoreboot])
+AM_CONDITIONAL([COND_i386_multiboot], [test x$target_cpu = xi386 -a x$platform = xmultiboot])
+AM_CONDITIONAL([COND_i386_xen], [test x$target_cpu = xi386 -a x$platform = xxen])
+AM_CONDITIONAL([COND_i386_xen_pvh], [test x$target_cpu = xi386 -a x$platform = xxen_pvh])
+AM_CONDITIONAL([COND_loongarch64], [test x$target_cpu = xloongarch64])
+AM_CONDITIONAL([COND_loongarch64_efi], [test x$target_cpu = xloongarch64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_mips], [test x$target_cpu = xmips -o x$target_cpu = xmipsel])
+AM_CONDITIONAL([COND_mips_arc], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xarc])
+AM_CONDITIONAL([COND_mips_loongson], [test x$target_cpu = xmipsel -a x$platform = xloongson])
+AM_CONDITIONAL([COND_mips_qemu_mips], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xqemu_mips])
+AM_CONDITIONAL([COND_mipsel], [test x$target_cpu = xmipsel])
+AM_CONDITIONAL([COND_mipseb], [test x$target_cpu = xmips])
+AM_CONDITIONAL([COND_powerpc_ieee1275], [test x$target_cpu = xpowerpc -a x$platform = xieee1275])
 AM_CONDITIONAL([COND_riscv32], [test x$target_cpu = xriscv32 ])
 AM_CONDITIONAL([COND_riscv64], [test x$target_cpu = xriscv64 ])
 AM_CONDITIONAL([COND_riscv32_efi], [test x$target_cpu = xriscv32 -a x$platform = xefi])
 AM_CONDITIONAL([COND_riscv64_efi], [test x$target_cpu = xriscv64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_sparc64_ieee1275], [test x$target_cpu = xsparc64 -a x$platform = xieee1275])
+AM_CONDITIONAL([COND_sparc64_emu], [test x$target_cpu = xsparc64 -a x$platform = xemu])
+AM_CONDITIONAL([COND_x86_64_efi], [test x$target_cpu = xx86_64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_x86_64_xen], [test x$target_cpu = xx86_64 -a x$platform = xxen])

 AM_CONDITIONAL([COND_HOST_HURD], [test x$host_kernel = xhurd])
 AM_CONDITIONAL([COND_HOST_LINUX], [test x$host_kernel = xlinux])
@ -1951,10 +2228,12 @@ AM_CONDITIONAL([COND_HOST_XNU], [test x$host_kernel = xxnu])
 AM_CONDITIONAL([COND_HOST_ILLUMOS], [test x$host_kernel = xillumos])

 AM_CONDITIONAL([COND_MAN_PAGES], [test x$cross_compiling = xno -a x$HELP2MAN != x])
+AM_CONDITIONAL([COND_GRUB_EMU_SDL2], [test x$enable_grub_emu_sdl2 = xyes])
 AM_CONDITIONAL([COND_GRUB_EMU_SDL], [test x$enable_grub_emu_sdl = xyes])
 AM_CONDITIONAL([COND_GRUB_EMU_PCI], [test x$enable_grub_emu_pci = xyes])
 AM_CONDITIONAL([COND_GRUB_MKFONT], [test x$enable_grub_mkfont = xyes])
 AM_CONDITIONAL([COND_GRUB_MOUNT], [test x$enable_grub_mount = xyes])
+AM_CONDITIONAL([COND_GRUB_PROTECT], [test x$enable_grub_protect = xyes])
 AM_CONDITIONAL([COND_HAVE_FONT_SOURCE], [test x$FONT_SOURCE != x])
 if test x$FONT_SOURCE != x ; then
   HAVE_FONT_SOURCE=1
@ -1972,6 +2251,7 @@ AM_CONDITIONAL([COND_HAVE_CXX], [test x$HAVE_CXX = xyes])
 AM_CONDITIONAL([COND_HAVE_ASM_USCORE], [test x$HAVE_ASM_USCORE = x1])
 AM_CONDITIONAL([COND_STARFIELD], [test "x$starfield_excuse" = x])
 AM_CONDITIONAL([COND_HAVE_EXEC], [test "x$have_exec" = xy])
+AM_CONDITIONAL([COND_HAVE_PCI], [test "x$have_pci" = xy])

 test "x$prefix" = xNONE && prefix="$ac_default_prefix"
 test "x$exec_prefix" = xNONE && exec_prefix="${prefix}"
@ -2028,6 +2308,11 @@ echo "*******************************************************"
 echo GRUB2 will be compiled with following components:
 echo Platform: "$target_cpu"-"$platform"
 if [ x"$platform" = xemu ]; then
+if [ x"$grub_emu_sdl2_excuse" = x ]; then
+echo SDL2 support for grub-emu: Yes
+else
+echo SDL2 support for grub-emu: No "($grub_emu_sdl2_excuse)"
+fi
 if [ x"$grub_emu_sdl_excuse" = x ]; then
 echo SDL support for grub-emu: Yes
 else
@ -2076,6 +2361,11 @@ echo grub-mount: Yes
 else
 echo grub-mount: No "($grub_mount_excuse)"
 fi
+if [ x"$grub_protect_excuse" = x ]; then
+echo grub-protect: Yes
+else
+echo grub-protect: No "($grub_protect_excuse)"
+fi
 if [ x"$starfield_excuse" = x ]; then
 echo starfield theme: Yes
 echo With DejaVuSans font from $DJVU_FONT_SOURCE
@ -2103,5 +2393,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
 else
 echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
 fi
+if test "x$enable_stack_protector" != xno; then
+echo "With stack smashing protector: Yes"
+else
+echo "With stack smashing protector: No"
+fi
 echo "*******************************************************"
 ]
--- a/docs/grub-dev.texi
+++ b/docs/grub-dev.texi
@ -77,7 +77,9 @@ This edition documents version @value{VERSION}.
 * Coding style::
 * Finding your way around::
 * Contributing Changes::
+* Setting up and running test suite::
 * Updating External Code::
+* Debugging::
 * Porting::
 * Error Handling::
 * Stack and heap size::
@ -86,6 +88,7 @@ This edition documents version @value{VERSION}.
 * PFF2 Font File Format::
 * Graphical Menu Software Design::
 * Verifiers framework::
+* Lockdown framework::
 * Copying This Manual::         Copying This Manual
 * Index::
@end menu
@ -94,8 +97,8 @@ This edition documents version @value{VERSION}.
@node Getting the source code
@chapter Getting the source code

-GRUB is maintained using the @uref{GIT revision
-control system}.  To fetch:
+GRUB is maintained using the @uref{https://git-scm.com/book/en/v2,
+GIT revision control system}.  To fetch:

@example
 git clone git://git.sv.gnu.org/grub.git
@ -344,8 +347,8 @@ manual and try GRUB 2 out to see what you think is missing from there.

 Here are additional pointers:
@itemize
-@item @url{https://savannah.gnu.org/task/?group=grub GRUB's Task Tracker}
-@item @url{https://savannah.gnu.org/bugs/?group=grub GRUB's Bug Tracker}
+@item @uref{https://savannah.gnu.org/task/?group=grub, GRUB's Task Tracker}
+@item @uref{https://savannah.gnu.org/bugs/?group=grub, GRUB's Bug Tracker}
@end itemize

 If you intended to make changes to GRUB Legacy (<=0.97) those are not accepted
@ -459,7 +462,7 @@ and the FSF clerks have dealt with your copyright assignment.
@section When you are approved for write access to project's files

 As you might know, GRUB is hosted on
-@url{https://savannah.gnu.org/projects/grub Savannah}, thus the membership
+@uref{https://savannah.gnu.org/projects/grub, Savannah}, thus the membership
 is managed by Savannah. This means that, if you want to be a member of this
 project:

@ -482,6 +485,17 @@ If your intention is to just get started, please do not submit a inclusion
 request. Instead, please subscribe to the mailing list, and communicate first
 (e.g. sending a patch, asking a question, commenting on another message...).

+@node Setting up and running test suite
+@chapter Setting up and running test suite
+
+GRUB is basically a tiny operating system with read support for many file
+systems and which has been ported to a variety of architectures. As such, its
+test suite has quite a few dependencies required to fully run the suite.
+These dependencies are currently documented in the
+@uref{https://git.savannah.gnu.org/cgit/grub.git/tree/INSTALL, INSTALL}
+file in the source repository. Once installed, the test suite can be started
+by running the @command{make check} command from the GRUB build directory.
+
@node Updating External Code
@chapter Updating external code

@ -490,6 +504,9 @@ to update it.

@menu
 * Gnulib::
+* jsmn::
+* minilzo::
+* libtasn1::
@end menu

@node Gnulib
@ -545,6 +562,303 @@ AC_SYS_LARGEFILE

@end example

+It will also be necessary to adjust the patches in
+@file{po/gettext-patches/} to apply to an older version of gettext.
+
+@node jsmn
+@section jsmn
+
+jsmn is a minimalistic JSON parser which is implemented in a single header file
+@file{jsmn.h}. To import a different version of the jsmn parser, you may simply
+download the @file{jsmn.h} header from the desired tag or commit to the target
+directory:
+
+@example
+curl -L https://raw.githubusercontent.com/zserge/jsmn/v1.1.0/jsmn.h \
+    -o grub-core/lib/json/jsmn.h
+@end example
+
+@node minilzo
+@section minilzo
+
+miniLZO is a very lightweight subset of the LZO library intended for easy
+inclusion in other projects. It is generated automatically from the LZO
+source code and contains the most important LZO functions.
+
+To upgrade to a new version of the miniLZO library, download the release
+tarball and copy the files into the target directory:
+
+@example
+curl -L -O https://www.oberhumer.com/opensource/lzo/download/minilzo-2.10.tar.gz
+tar -zxf minilzo-2.10.tar.gz
+rm minilzo-2.10/testmini.c
+rm -r grub-core/lib/minilzo/*
+cp minilzo-2.10/*.[hc] grub-core/lib/minilzo
+rm -r minilzo-2.10*
+@end example
+
+@node libtasn1
+@section libtasn1
+
+libtasn1 is a library providing Abstract Syntax Notation One (ASN.1, as
+specified by the X.680 ITU-T recommendation) parsing and structures management,
+and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding
+functions.
+
+To upgrade to a new version of the libtasn1 library, download the release
+tarball and copy the files into the target directory:
+
+@example
+curl -L -O https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.19.0.tar.gz
+tar xvzf libtasn1-4.19.0.tar.gz
+rm -rf grub-core/lib/libtasn1
+mkdir -p grub-core/lib/libtasn1/lib
+mkdir -p grub-core/lib/libtasn1/tests
+cp libtasn1-4.19.0/@{README.md,COPYING@} grub-core/lib/libtasn1
+cp libtasn1-4.19.0/lib/@{coding.c,decoding.c,element.c,element.h,errors.c,gstr.c,gstr.h,int.h,parser_aux.c,parser_aux.h,structure.c,structure.h@} grub-core/lib/libtasn1/lib
+cp libtasn1-4.19.0/lib/includes/libtasn1.h grub-core/lib/libtasn1
+cp libtasn1-4.19.0/tests/@{CVE-2018-1000654-1_asn1_tab.h,CVE-2018-1000654-2_asn1_tab.h,CVE-2018-1000654.c,object-id-decoding.c,object-id-encoding.c,octet-string.c,reproducers.c,Test_overflow.c,Test_simple.c,Test_strings.c@} grub-core/lib/libtasn1/tests
+rm -rf libtasn1-4.19.0*
+@end example
+
+After upgrading the library, it may be necessary to apply the patches in
+@file{grub-core/lib/libtasn1-patches/} to adjust the code to be compatible with
+GRUB. These patches were needed to use the current version of libtasn1. The
+existing patches may not apply cleanly, apply at all, or even be needed for a
+newer version of the library, and other patches may be needed due to changes in
+the newer version. If existing patches need to be refreshed to apply cleanly,
+please include updated patches as part of the a patch set sent to the list.
+If new patches are needed or existing patches are not needed, also please send
+additions or removals as part of any patch set upgrading libtasn1.
+
+@node Debugging
+@chapter Debugging
+
+GRUB2 can be difficult to debug because it runs on the bare-metal and thus
+does not have the debugging facilities normally provided by an operating
+system. This chapter aims to provide useful information on some ways to
+debug GRUB2 for some architectures. It by no means intends to be exhaustive.
+The focus will be one x86_64 and i386 architectures. Luckily for some issues
+virtual machines have made the ability to debug GRUB2 much easier, and this
+chapter will focus debugging via the QEMU virtual machine. We will not be
+going over debugging of the userland tools (eg. grub-install), there are
+many tutorials on debugging programs in userland.
+
+You will need GDB and the QEMU binaries for your system, on Debian these
+can be installed with the @samp{gdb} and @samp{qemu-system-x86} packages.
+Also it is assumed that you have already successfully compiled GRUB2 from
+source for the target specified in the section below and have some
+familiarity with GDB. When GRUB2 is built it will create many different
+binaries. The ones of concern will be in the @file{grub-core}
+directory of the GRUB2 build dir. To aide in debugging we will want the
+debugging symbols generated during the build because these symbols are not
+kept in the binaries which get installed to the boot location. The build
+process outputs two sets of binaries, one without symbols which gets executed
+at boot, and another set of ELF images with debugging symbols. The built
+images with debugging symbols will have a @file{.image} suffix, and the ones
+without a @file{.img} suffix. Similarly, loadable modules with debugging
+symbols will have a @file{.module} suffix, and ones without a @file{.mod}
+suffix. In the case of the kernel the binary with symbols is named
+@file{kernel.exec}.
+
+In the following sections, information will be provided on debugging on
+various targets using @command{gdb} and the @samp{gdb_grub} GDB script.
+
+@menu
+* i386-pc::
+* x86_64-efi::
+@end menu
+
+@node i386-pc
+@section i386-pc
+
+The i386-pc target is a good place to start when first debugging GRUB2
+because in some respects it's easier than EFI platforms. The reason being
+that the initial load address is always known in advance. To start
+debugging GRUB2 first QEMU must be started in GDB stub mode. The following
+command is a simple illustration:
+
+@example
+qemu-system-i386 -drive file=disk.img,format=raw \
+    -device virtio-scsi-pci,id=scsi0 -S -s
+@end example
+
+This will start a QEMU instance booting from @file{disk.img}. It will pause
+at start waiting for a GDB instance to attach to it. You should change
+@file{disk.img} to something more appropriate. A block device can be used,
+but you may need to run QEMU as a privileged user.
+
+To connect to this QEMU instance with GDB, the @code{target remote} GDB
+command must be used. We also need to load a binary image, preferably with
+symbols. This can be done using the GDB command @code{file kernel.exec}, if
+GDB is started from the @file{grub-core} directory in the GRUB2 build
+directory. GRUB2 developers have made this more simple by including a GDB
+script which does much of the setup. This file is at @file{grub-core/gdb_grub}
+in the build directory and is also installed via @command{make install}.
+When using a pre-built GRUB, the distribution may have a package which installs
+this GDB script along with debug symbol binaries, such as Debian's
+@samp{grub-pc-dbg} package. The GDB script is intended to be used
+like so, assuming that @samp{/path/to/script} is the path to the directory
+containing the gdb_grub script and debug symbol files:
+
+@example
+cd $(dirname /path/to/script/gdb_grub)
+gdb -x gdb_grub
+@end example
+
+Once GDB has been started with the @file{gdb_grub} script it will
+automatically connect to the QEMU instance. You can then do things you
+normally would in GDB like set a break point on @var{grub_main}.
+
+Setting breakpoints in modules is trickier since they haven't been loaded
+yet and are loaded at addresses determined at runtime. The module could be
+loaded to different addresses in different QEMU instances. The debug symbols
+in the modules @file{.module} binary, thus are always wrong, and GDB needs
+to be told where to load the symbols to. But this must happen at runtime
+after GRUB2 has determined where the module will get loaded. Luckily the
+@file{gdb_grub} script takes care of this with the @command{runtime_load_module}
+command, which configures GDB to watch for GRUB2 module loading and when
+it does add the module symbols with the appropriate offset.
+
+@node x86_64-efi
+@section x86_64-efi
+
+Using GDB to debug GRUB2 for the x86_64-efi target has some similarities with
+the i386-pc target. Please read and familiarize yourself with the @ref{i386-pc}
+section when reading this one. Extra care must be used to run QEMU such that it
+boots a UEFI firmware. This usually involves either using the @samp{-bios}
+option with a UEFI firmware blob (eg. @file{OVMF.fd}) or loading the firmware
+via pflash. This document will not go further into how to do this as there are
+ample resource on the web.
+
+Like all EFI implementations, on x86_64-efi the (U)EFI firmware that loads
+the GRUB2 EFI application determines at runtime where the application will
+be loaded. This means that we do not know where to tell GDB to load the
+symbols for the GRUB2 core until the (U)EFI firmware determines it. There are
+two good ways of figuring this out when running in QEMU: use a @ref{OVMF debug log,
+debug build of OVMF} and check the debug log, or have GRUB2 say where it is
+loaded. Neither of these are ideal because they both generally give the
+information after GRUB2 is already running, which makes debugging early boot
+infeasible. Technically, the first method does give the load address before
+GRUB2 is run, but without debugging the EFI firmware with symbols, the author
+currently does not know how to cause the OVMF firmware to pause at that point
+to use the load address before GRUB2 is run.
+
+Even after getting the application load address, the loading of core symbols
+is complicated by the fact that the debugging symbols for the kernel are in
+an ELF binary named @file{kernel.exec} while what is in memory are sections
+for the PE32+ EFI binary. When @command{grub-mkimage} creates the PE32+
+binary it condenses several segments from the ELF kernel binary into one
+.data section in the PE32+ binary. This must be taken into account to
+properly load the other non-text sections. Otherwise, GDB will work as
+expected when breaking on functions, but, for instance, global variables
+will point to the wrong address in memory and thus give incorrect values
+(which can be difficult to debug).
+
+Calculating the correct offsets for sections is taken care of automatically
+when loading the kernel symbols via the user-defined GDB command
+@command{dynamic_load_kernel_exec_symbols}, which takes one argument, the
+address where the text section is loaded as determined by one of the methods
+above. Alternatively, the command @command{dynamic_load_symbols} with the text
+section address as an agrument can be called to load the kernel symbols and set
+up loading the module symbols as they are loaded at runtime.
+
+In the author's experience, when debugging with QEMU and OVMF, to have
+debugging symbols loaded at the start of GRUB2 execution the GRUB2 EFI
+application must be run via QEMU at least once prior in order to get the
+load address. Two methods for obtaining the load address are described in
+two subsections below. Generally speaking, the load address does not change
+between QEMU runs. There are exceptions to this, namely that different
+GRUB2 EFI applications can be run at different addresses. Also, it has been
+observed that after running the EFI application for the first time, the
+second run will sometimes have a different load address, but subsequent
+runs of the same EFI application will have the same load address as the
+second run. And it's a near certainty that if the GRUB EFI binary has changed,
+eg. been recompiled, the load address will also be different.
+
+This ability to predict what the load address will be allows one to assume
+the load address on subsequent runs and thus load the symbols before GRUB2
+starts. The following command illustrates this, assuming that QEMU is
+running and waiting for a debugger connection and the current working
+directory is where @file{gdb_grub} resides:
+
+@example
+gdb -x gdb_grub -ex 'dynamic_load_symbols @var{address of .text section}'
+@end example
+
+If you load the symbols in this manner and, after continuing execution, do
+not see output showing the module symbols loading, then it is very likely
+that the load address was incorrect.
+
+Another thing to be aware of is how the loading of the GRUB image by the
+firmware affects previously set software breakpoints. On x86 platforms,
+software breakpoints are implemented by GDB by writing a special processor
+instruction at the location of the desired breakpoint. This special instruction
+when executed will stop the program execution and hand control to the
+debugger, GDB. GDB will first save the instruction bytes that are
+overwritten at the breakpoint and will put them back when the breakpoint
+is hit. If GRUB is being run for the first time in QEMU, the firmware will
+be loading the GRUB image into memory where every byte is already set to 0.
+This means that if a breakpoint is set before GRUB is loaded, GDB will save
+the 0-byte(s) where the the special instruction will go. Then when the firmware
+loads the GRUB image and because it is unaware of the debugger, it will
+write the GRUB image to memory, overwriting anything that was there previously ---
+notably in this case the instruction that implements the software breakpoint.
+This will be confusing for the person using GDB because GDB will show the
+breakpoint as set, but the brekapoint will never be hit. Furthermore, GDB
+then becomes confused, such that even deleting an recreating the breakpoint
+will not create usable breakpoints. The @file{gdb_grub} script takes care of
+this by saving the breakpoints just before they are overwritten, and then
+restores them at the start of GRUB execution. So breakpoints for GRUB can be
+set before GRUB is loaded, but be mindful of this effect if you are confused
+as to why breakpoints are not getting hit.
+
+Also note, that hardware breakpoints do not suffer this problem. They are
+implemented by having the breakpoint address in special debug registers on
+the CPU. So they can always be set freely without regard to whether GRUB has
+been loaded or not. The reason that hardware breakpoints aren't always used
+is because there are a limited number of them, usually around 4 on various
+CPUs, and specifically exactly 4 for x86 CPUs. The @file{gdb_grub} script goes
+out of its way to avoid using hardware breakpoints internally and uses them as
+briefly as possible when needed, thus allowing the user to have a maximal
+number at their disposal.
+
+@menu
+* OVMF debug log::
+* Using the gdbinfo command::
+@end menu
+
+@node OVMF debug log
+@subsection OVMF debug log
+
+In order to get the GRUB2 load address from OVMF, first, a debug build
+of OVMF must be obtained (@uref{https://github.com/retrage/edk2-nightly/raw/master/bin/DEBUGX64_OVMF.fd,
+here is one} which is not officially recommended). OVMF will output debug
+messages to a special serial device, which we must add to QEMU. The following
+QEMU command will run the debug OVMF and write the debug messages to a
+file named @file{debug.log}. It is assumed that @file{disk.img} is a disk
+image or block device that is set up to boot GRUB2 EFI.
+
+@example
+qemu-system-x86_64 -bios /path/to/debug/OVMF.fd \
+    -drive file=disk.img,format=raw \
+    -device virtio-scsi-pci,id=scsi0 \
+    -debugcon file:debug.log -global isa-debugcon.iobase=0x402
+@end example
+
+If GRUB2 was started by the (U)EFI firmware, then in the @file{debug.log}
+file one of the last lines should be a log message like:
+@samp{Loading driver at 0x00006AEE000 EntryPoint=0x00006AEE756}. This
+means that the GRUB2 EFI application was loaded at @samp{0x00006AEE000} and
+its .text section is at @samp{0x00006AEE756}.
+
+@node Using the gdbinfo command
+@subsection Using the gdbinfo command
+
+On EFI platforms the command @command{gdbinfo} will output a string that
+is to be run in a GDB session running with the @file{gdb_grub} GDB script.
+
+
@node Porting
@chapter Porting

@ -722,7 +1036,7 @@ void grub_arch_sync_caches (void *address, grub_size_t len) (cache.S). They
 won't be used for now.

 You will need to create directory include/$cpu/$platform and a file
-include/$cpu/types.h. The later folowing this template:
+include/$cpu/types.h. The latter following this template:

@example
 #ifndef GRUB_TYPES_CPU_HEADER
@ -768,7 +1082,7 @@ If it works next stage is to have heap, console and timer.

 To have the heap working you need to determine which regions are suitable for
 heap usage, allocate them from firmware and map (if applicable). Then call
-grub_mm_init_region (vois *start, grub_size_t s) for every of this region.
+grub_mm_init_region (void *start, grub_size_t s) for every of this region.
 As a shortcut for early port you can allocate right after _end or have
 a big static array for heap. If you do you'll probably need to come back to
 this later. As for output console you should distinguish between an array of
@ -782,7 +1096,7 @@ Of video is loongson (kern/mips/loongson/init.c). Note that terminfo has
 to be inited in 2 stages: one before (to get at least rudimentary console
 as early as possible) and another after the heap (to get full-featured console).
 For the input there are string of keys, terminfo and direct hardware. For string
-of keys look at i386-pc (same files), for termino ieee1275 (same files) and for
+of keys look at i386-pc (same files), for terminfo ieee1275 (same files) and for
 hardware loongson (kern/mips/loongson/init.c and term/at_keyboard.c).

 For the timer you'll need to call grub_install_get_time_ms (...) with as sole
@ -996,20 +1310,23 @@ On emu stack and heap are just normal host OS stack and heap. Stack is typically
 On i386-pc, i386-coreboot, i386-qemu and i386-multiboot the stack is 60KiB.
 All available space between 1MiB and 4GiB marks is part of heap.

-On *-xen stack is 4MiB. If compiled for x86-64 with GCC 4.4 or later adressable
-space is unlimited. When compiled for x86-64 with older GCC version adressable
-space is limited to 2GiB. When compiling for i386 adressable space is limited
-to 4GiB. All adressable pages except the ones for stack, GRUB binary, special
+On *-xen stack is 4MiB. If compiled for x86-64 with GCC 4.4 or later addressable
+space is unlimited. When compiled for x86-64 with older GCC version addressable
+space is limited to 2GiB. When compiling for i386 addressable space is limited
+to 4GiB. All addressable pages except the ones for stack, GRUB binary, special
 pages and page table are in the heap.

 On *-efi GRUB uses same stack as EFI. If compiled for x86-64 with GCC 4.4 or
-later adressable space is unlimited. When compiled for x86-64 with older GCC
-version adressable space is limited to 2GiB. For all other platforms adressable
+later addressable space is unlimited. When compiled for x86-64 with older GCC
+version addressable space is limited to 2GiB. For all other platforms addressable
 space is limited to 4GiB. GRUB allocates pages from EFI for its heap, at most
 1.6 GiB.

 On i386-ieee1275 and powerpc-ieee1275 GRUB uses same stack as IEEE1275.
-It allocates at most 32MiB for its heap.
+
+On i386-ieee1275 and powerpc-ieee1275, GRUB will allocate 32MiB for its heap on
+startup. It may allocate more at runtime, as long as at least 128MiB remain free
+in OpenFirmware.

 On sparc64-ieee1275 stack is 256KiB and heap is 2MiB.

@ -1037,7 +1354,7 @@ In short:
@item i386-qemu               @tab 60 KiB  @tab < 4 GiB
@item *-efi                   @tab ?       @tab < 1.6 GiB
@item i386-ieee1275           @tab ?       @tab < 32 MiB
-@item powerpc-ieee1275        @tab ?       @tab < 32 MiB
+@item powerpc-ieee1275        @tab ?       @tab available memory - 128MiB
@item sparc64-ieee1275        @tab 256KiB  @tab 2 MiB
@item arm-uboot               @tab 256KiB  @tab 2 MiB
@item mips(el)-qemu_mips      @tab 2MiB    @tab 253 MiB
@ -1998,7 +2315,7 @@ functions (defined in @file{gfxmenu/gui_util.c}) that are particularly useful:

@item @code{grub_gui_find_by_id (root, id, callback, userdata)}:

-This function ecursively traverses the component tree rooted at @var{root}, and
+This function recursively traverses the component tree rooted at @var{root}, and
 for every component that has an ID equal to @var{id}, calls the function pointed
 to by @var{callback} with the matching component and the void pointer @var{userdata}
 as arguments.  The callback function can do whatever is desired to use the
@ -2086,6 +2403,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
 the context. If you return no error during any of @samp{init}, @samp{write} and
@samp{fini} then the file is considered as having succeded verification.

+@node Lockdown framework
+@chapter Lockdown framework
+
+The GRUB can be locked down, which is a restricted mode where some operations
+are not allowed. For instance, some commands cannot be used when the GRUB is
+locked down.
+
+The function
+@code{grub_lockdown()} is used to lockdown GRUB and the function
+@code{grub_is_lockdown()} function can be used to check whether lockdown is
+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
+
+The following functions can be used to register the commands that can only be
+used when lockdown is disabled:
+
+@itemize
+
+@item @code{grub_cmd_lockdown()} registers command which should not run when the
+GRUB is in lockdown mode.
+
+@item @code{grub_cmd_lockdown()} registers extended command which should not run
+when the GRUB is in lockdown mode.
+
+@end itemize
+
@node Copying This Manual
@appendix Copying This Manual

--- a/docs/grub.texi
+++ b/docs/grub.texi
--- a/docs/man/grub-protect.h2m
+++ b/docs/man/grub-protect.h2m
@ -0,0 +1,4 @@
+[NAME]
+grub-protect \- protect a disk key with a key protector
+[DESCRIPTION]
+grub-protect helps to protect a disk encryption key with a specified key protector.
--- a/gentpl.py
+++ b/gentpl.py
@ -32,7 +32,7 @@ GRUB_PLATFORMS = [ "emu", "i386_pc", "i386_efi", "i386_qemu", "i386_coreboot",
                   "mips_loongson", "sparc64_ieee1275",
                   "powerpc_ieee1275", "mips_arc", "ia64_efi",
                   "mips_qemu_mips", "arm_uboot", "arm_efi", "arm64_efi",
-                   "arm_coreboot", "riscv32_efi", "riscv64_efi" ]
+                   "arm_coreboot", "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]

 GROUPS = {}

@ -47,12 +47,13 @@ GROUPS["sparc64"]  = [ "sparc64_ieee1275" ]
 GROUPS["powerpc"]     = [ "powerpc_ieee1275" ]
 GROUPS["arm"]         = [ "arm_uboot", "arm_efi", "arm_coreboot" ]
 GROUPS["arm64"]       = [ "arm64_efi" ]
+GROUPS["loongarch64"] = [ "loongarch64_efi" ]
 GROUPS["riscv32"]     = [ "riscv32_efi" ]
 GROUPS["riscv64"]     = [ "riscv64_efi" ]

 # Groups based on firmware
 GROUPS["efi"]  = [ "i386_efi", "x86_64_efi", "ia64_efi", "arm_efi", "arm64_efi",
-		   "riscv32_efi", "riscv64_efi" ]
+		   "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]
 GROUPS["ieee1275"]   = [ "i386_ieee1275", "sparc64_ieee1275", "powerpc_ieee1275" ]
 GROUPS["uboot"] = [ "arm_uboot" ]
 GROUPS["xen"]  = [ "i386_xen", "x86_64_xen" ]
@ -79,7 +80,7 @@ GROUPS["terminfomodule"]   = GRUB_PLATFORMS[:];
 for i in GROUPS["terminfoinkernel"]: GROUPS["terminfomodule"].remove(i)

 # Flattened Device Trees (FDT)
-GROUPS["fdt"] = [ "arm64_efi", "arm_uboot", "arm_efi", "riscv32_efi", "riscv64_efi" ]
+GROUPS["fdt"] = [ "arm64_efi", "arm_uboot", "arm_efi", "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]

 # Needs software helpers for division
 # Must match GRUB_DIVISION_IN_SOFTWARE in misc.h
@ -568,6 +569,7 @@ def foreach_platform_value(defn, platform, suffix, closure):
    for group in RMAP[platform]:
        for value in defn.find_all(group + suffix):
            r.append(closure(value))
+    r.sort()
    return ''.join(r)

 def platform_conditional(platform, closure):
@ -629,7 +631,10 @@ def platform_values(defn, platform, suffix):
 def extra_dist(defn):
    return foreach_value(defn, "extra_dist", lambda value: value + " ")

-def platform_sources(defn, p): return platform_values(defn, p, "")
+def extra_dep(defn):
+    return foreach_value(defn, "depends", lambda value: value + " ")
+
+def platform_sources(defn, p): return platform_values(defn, p, "_head") + platform_values(defn, p, "")
 def platform_nodist_sources(defn, p): return platform_values(defn, p, "_nodist")

 def platform_startup(defn, p): return platform_specific_values(defn, p, "_startup", "startup")
@ -655,7 +660,7 @@ def first_time(defn, snippet):
 def is_platform_independent(defn):
    if 'enable' in defn:
        return False
-    for suffix in [ "", "_nodist" ]:
+    for suffix in [ "", "_head", "_nodist" ]:
        template = platform_values(defn, GRUB_PLATFORMS[0], suffix)
        for platform in GRUB_PLATFORMS[1:]:
            if template != platform_values(defn, platform, suffix):
@ -697,10 +702,14 @@ def module(defn, platform):
    gvar_add("MOD_FILES", name + ".mod")
    gvar_add("MARKER_FILES", name + ".marker")
    gvar_add("CLEANFILES", name + ".marker")
+
+    for dep in defn.find_all("depends"):
+        gvar_add("EXTRA_DEPS", "depends " + name + " " + dep + ":")
+
    output("""
 """ + name + """.marker: $(""" + cname(defn) + """_SOURCES) $(nodist_""" + cname(defn) + """_SOURCES)
 	$(TARGET_CPP) -DGRUB_LST_GENERATOR $(CPPFLAGS_MARKER) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(""" + cname(defn) + """_CPPFLAGS) $(CPPFLAGS) $^ > $@.new || (rm -f $@; exit 1)
-	grep 'MARKER' $@.new > $@; rm -f $@.new
+	grep 'MARKER' $@.new | grep -v '^#' > $@; rm -f $@.new
 """)

 def kernel(defn, platform):
@ -766,7 +775,7 @@ def image(defn, platform):
 if test x$(TARGET_APPLE_LINKER) = x1; then \
  $(MACHO2IMG) $< $@; \
 else \
-  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .ARM.exidx $< $@; \
+  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx -R .interp $< $@; \
 fi
 """)

@ -817,8 +826,7 @@ def program(defn, platform, test=False):
    set_canonical_name_suffix("")

    if 'testcase' in defn:
-        gvar_add("check_PROGRAMS", name)
-        gvar_add("TESTS", name)
+        gvar_add("check_PROGRAMS_" + defn['testcase'], name)
    else:
        var_add(installdir(defn) + "_PROGRAMS", name)
        if 'mansection' in defn:
@ -859,8 +867,7 @@ def script(defn, platform):
    name = defn['name']

    if 'testcase' in defn:
-        gvar_add("check_SCRIPTS", name)
-        gvar_add ("TESTS", name)
+        gvar_add("check_SCRIPTS_" + defn['testcase'], name)
    else:
        var_add(installdir(defn) + "_SCRIPTS", name)
        if 'mansection' in defn:
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@ -71,6 +71,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h
@ -79,6 +80,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
 if COND_emu
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
@ -88,8 +90,11 @@ endif
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
@ -149,6 +154,7 @@ endif
 if COND_i386_ieee1275
 KERNEL_HEADER_FILES += $(top_builddir)/include/grub/machine/kernel.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/ieee1275.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/alloc.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/terminfo.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lib/arg.h
@ -236,6 +242,7 @@ endif

 if COND_powerpc_ieee1275
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/ieee1275.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/alloc.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/terminfo.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lib/arg.h
@ -284,6 +291,12 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/acpi.h
 endif

+if COND_loongarch64_efi
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/efi.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/acpi.h
+endif
+
 if COND_riscv32_efi
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/efi.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
@ -303,9 +316,13 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/net.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/hostdisk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/hostfile.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/exec.h
 if COND_GRUB_EMU_SDL
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/sdl.h
 endif
+if COND_GRUB_EMU_SDL2
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/sdl.h
+endif
 if COND_GRUB_EMU_PCI
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/libpciaccess.h
 endif
@ -375,8 +392,10 @@ command.lst: $(MARKER_FILES)
 	  b=`basename $$pp .marker`; \
 	  sed -n \
 	    -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+	    -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
 	    -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
-	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
+	    -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
 	done) | sort -u > $@
 platform_DATA += command.lst
 CLEANFILES += command.lst
@ -436,8 +455,11 @@ crypto.lst: $(srcdir)/lib/libgcrypt-grub/cipher/crypto.lst
 platform_DATA += crypto.lst
 CLEANFILES += crypto.lst

-syminfo.lst: gensyminfo.sh kernel_syms.lst $(MODULE_FILES)
-	cat kernel_syms.lst > $@.new
+extra_deps.lst:
+	@echo $(EXTRA_DEPS) | sed "s/\s*:\s*/\n/g" > $@
+
+syminfo.lst: gensyminfo.sh kernel_syms.lst extra_deps.lst $(MODULE_FILES)
+	cat kernel_syms.lst extra_deps.lst > $@.new
 	for m in $(MODULE_FILES); do \
 	  sh $< $$m >> $@.new || exit 1; \
 	done
@ -447,7 +469,7 @@ syminfo.lst: gensyminfo.sh kernel_syms.lst $(MODULE_FILES)
 moddep.lst: syminfo.lst genmoddep.awk video.lst
 	cat $< | sort | $(AWK) -f $(srcdir)/genmoddep.awk > $@ || (rm -f $@; exit 1)
 platform_DATA += moddep.lst
-CLEANFILES += config.log syminfo.lst moddep.lst
+CLEANFILES += config.log syminfo.lst moddep.lst extra_deps.lst

 $(MOD_FILES): %.mod : genmod.sh moddep.lst %.module$(EXEEXT) build-grub-module-verifier$(BUILD_EXEEXT)
 	TARGET_OBJ2ELF=@TARGET_OBJ2ELF@ sh $^ $@
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@ -20,8 +20,8 @@ transform_data = {

 transform_data = {
  installdir = platform;
-  name = gmodule.pl;
-  common = gmodule.pl.in;
+  name = gdb_helper.py;
+  common = gdb_helper.py.in;
 };

 transform_data = {
@ -49,26 +49,36 @@ kernel = {

  nostrip = emu;

-  emu_ldflags              = '-Wl,-r,-d';
-  i386_efi_ldflags         = '-Wl,-r,-d';
+  emu_ldflags              = '-Wl,-r';
+  i386_efi_cflags          = '-fshort-wchar';
+  i386_efi_ldflags         = '-Wl,-r';
  i386_efi_stripflags      = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';
-  x86_64_efi_ldflags       = '-Wl,-r,-d';
+  x86_64_efi_cflags        = '-fshort-wchar';
+  x86_64_efi_ldflags       = '-Wl,-r';
  x86_64_efi_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  ia64_efi_cflags = '-fno-builtin -fpic -minline-int-divide-max-throughput';
-  ia64_efi_ldflags = '-Wl,-r,-d';
+  ia64_efi_cflags = '-fshort-wchar -fno-builtin -fpic -minline-int-divide-max-throughput';
+  ia64_efi_ldflags = '-Wl,-r';
  ia64_efi_stripflags = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  arm_efi_ldflags          = '-Wl,-r,-d';
+  arm_efi_cflags           = '-fshort-wchar';
+  arm_efi_ldflags          = '-Wl,-r';
  arm_efi_stripflags       = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  arm64_efi_ldflags          = '-Wl,-r,-d';
+  arm64_efi_cflags           = '-fshort-wchar';
+  arm64_efi_ldflags          = '-Wl,-r';
  arm64_efi_stripflags       = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

-  riscv32_efi_ldflags      = '-Wl,-r,-d';
+  loongarch64_efi_cflags       = '-fshort-wchar';
+  loongarch64_efi_ldflags      = '-Wl,-r';
+  loongarch64_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';
+
+  riscv32_efi_cflags       = '-fshort-wchar';
+  riscv32_efi_ldflags      = '-Wl,-r';
  riscv32_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

-  riscv64_efi_ldflags      = '-Wl,-r,-d';
+  riscv64_efi_cflags       = '-fshort-wchar';
+  riscv64_efi_ldflags      = '-Wl,-r';
  riscv64_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

  i386_pc_ldflags          = '$(TARGET_IMG_LDFLAGS)';
@ -98,9 +108,9 @@ kernel = {
  i386_qemu_cppflags     = '-DGRUB_BOOT_MACHINE_LINK_ADDR=$(GRUB_BOOT_MACHINE_LINK_ADDR)';
  emu_cflags = '$(CFLAGS_GNULIB)';
  emu_cppflags = '$(CPPFLAGS_GNULIB)';
-  arm_uboot_ldflags       = '-Wl,-r,-d';
+  arm_uboot_ldflags       = '-Wl,-r';
  arm_uboot_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';
-  arm_coreboot_ldflags       = '-Wl,-r,-d';
+  arm_coreboot_ldflags       = '-Wl,-r';
  arm_coreboot_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

  i386_pc_startup = kern/i386/pc/startup.S;
@ -120,9 +130,11 @@ kernel = {
  arm_coreboot_startup = kern/arm/startup.S;
  arm_efi_startup = kern/arm/efi/startup.S;
  arm64_efi_startup = kern/arm64/efi/startup.S;
+  loongarch64_efi_startup = kern/loongarch64/efi/startup.S;
  riscv32_efi_startup = kern/riscv/efi/startup.S;
  riscv64_efi_startup = kern/riscv/efi/startup.S;

+  common = kern/buffer.c;
  common = kern/command.c;
  common = kern/corecmd.c;
  common = kern/device.c;
@ -140,6 +152,7 @@ kernel = {
  common = kern/rescue_parser.c;
  common = kern/rescue_reader.c;
  common = kern/term.c;
+  common = kern/verifiers.c;

  noemu = kern/compiler-rt.c;
  noemu = kern/mm.c;
@ -198,11 +211,14 @@ kernel = {

  efi = disk/efi/efidisk.c;
  efi = kern/efi/efi.c;
+  efi = kern/efi/debug.c;
  efi = kern/efi/init.c;
  efi = kern/efi/mm.c;
  efi = term/efi/console.c;
  efi = kern/acpi.c;
  efi = kern/efi/acpi.c;
+  efi = kern/efi/sb.c;
+  efi = kern/lockdown.c;
  i386_coreboot = kern/i386/pc/acpi.c;
  i386_multiboot = kern/i386/pc/acpi.c;
  i386_coreboot = kern/acpi.c;
@ -221,7 +237,6 @@ kernel = {

  x86_64 = kern/x86_64/dl.c;
  x86_64_xen = kern/x86_64/dl.c;
-  x86_64_efi = kern/x86_64/efi/callwrap.S;
  x86_64_efi = kern/i386/efi/init.c;
  x86_64_efi = bus/pci.c;

@ -254,6 +269,9 @@ kernel = {
  arm64_efi = kern/arm64/efi/init.c;
  arm64_efi = kern/efi/fdt.c;

+  loongarch64_efi = kern/loongarch64/efi/init.c;
+  loongarch64_efi = kern/efi/fdt.c;
+
  riscv32_efi = kern/riscv/efi/init.c;
  riscv32_efi = kern/efi/fdt.c;

@ -332,6 +350,11 @@ kernel = {
  arm64 = kern/arm64/dl.c;
  arm64 = kern/arm64/dl_helper.c;

+  loongarch64 = kern/loongarch64/cache.c;
+  loongarch64 = kern/loongarch64/cache_flush.S;
+  loongarch64 = kern/loongarch64/dl.c;
+  loongarch64 = kern/loongarch64/dl_helper.c;
+
  riscv32 = kern/riscv/cache.c;
  riscv32 = kern/riscv/cache_flush.S;
  riscv32 = kern/riscv/dl.c;
@ -395,7 +418,7 @@ program = {

  ldadd = 'kernel.exec$(EXEEXT)';
  ldadd = '$(MODULE_FILES)';
-  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(SDL2_LIBS) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';

  enable = emu;
 };
@ -407,7 +430,7 @@ program = {
  emu_nodist = symlist.c;

  ldadd = 'kernel.exec$(EXEEXT)';
-  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(SDL2_LIBS) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';

  enable = emu;
 };
@ -513,7 +536,7 @@ image = {

 image = {
  name = xz_decompress;
-  mips = boot/mips/startup_raw.S;
+  mips_head = boot/mips/startup_raw.S;
  common = boot/decompressor/minilib.c;
  common = boot/decompressor/xz.c;
  common = lib/xzembed/xz_dec_bcj.c;
@ -531,7 +554,7 @@ image = {

 image = {
  name = none_decompress;
-  mips = boot/mips/startup_raw.S;
+  mips_head = boot/mips/startup_raw.S;
  common = boot/decompressor/none.c;

  cppflags = '-DGRUB_EMBED_DECOMPRESSOR=1';
@ -691,12 +714,16 @@ module = {
  name = cmostest;
  common = commands/i386/cmostest.c;
  enable = cmos;
+  enable = i386_efi;
+  enable = x86_64_efi;
 };

 module = {
  name = cmosdump;
  common = commands/i386/cmosdump.c;
  enable = cmos;
+  enable = i386_efi;
+  enable = x86_64_efi;
 };

 module = {
@ -739,6 +766,9 @@ module = {
  name = regexp;
  common = commands/regexp.c;
  common = commands/wildcard.c;
+  common = lib/gnulib/malloc/dynarray_finalize.c;
+  common = lib/gnulib/malloc/dynarray_emplace_enlarge.c;
+  common = lib/gnulib/malloc/dynarray_resize.c;
  common = lib/gnulib/regex.c;
  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB)';
@ -804,6 +834,12 @@ module = {
  enable = efi;
 };

+module = {
+  name = efitextmode;
+  efi = commands/efi/efitextmode.c;
+  enable = efi;
+};
+
 module = {
  name = blocklist;
  common = commands/blocklist.c;
@ -823,6 +859,7 @@ module = {
  enable = arm64_efi;
  enable = arm_uboot;
  enable = arm_coreboot;
+  enable = loongarch64_efi;
  enable = riscv32_efi;
  enable = riscv64_efi;
 };
@ -942,17 +979,6 @@ module = {
  cppflags = '-I$(srcdir)/lib/posix_wrap';
 };

-module = {
-  name = verifiers;
-  common = commands/verifiers.c;
-};
-
-module = {
-  name = shim_lock;
-  common = commands/efi/shim_lock.c;
-  enable = x86_64_efi;
-};
-
 module = {
  name = hdparm;
  common = commands/hdparm.c;
@ -1097,6 +1123,21 @@ module = {
  common = commands/sleep.c;
 };

+module = {
+  name = smbios;
+
+  common = commands/smbios.c;
+  efi = commands/efi/smbios.c;
+  i386_pc = commands/i386/pc/smbios.c;
+  i386_coreboot = commands/i386/pc/smbios.c;
+  i386_multiboot = commands/i386/pc/smbios.c;
+
+  enable = efi;
+  enable = i386_pc;
+  enable = i386_coreboot;
+  enable = i386_multiboot;
+};
+
 module = {
  name = suspend;
  ieee1275 = commands/ieee1275/suspend.c;
@ -1110,6 +1151,13 @@ module = {
  enable = powerpc_ieee1275;
 };

+module = {
+  name = tpm;
+  common = commands/tpm.c;
+  ieee1275 = commands/ieee1275/ibmvtpm.c;
+  enable = powerpc_ieee1275;
+};
+
 module = {
  name = terminal;
  common = commands/terminal.c;
@ -1161,10 +1209,32 @@ module = {
  common = disk/cryptodisk.c;
 };

+module = {
+  name = plainmount;
+  common = disk/plainmount.c;
+};
+
+module = {
+  name = json;
+  common = lib/json/json.c;
+};
+
+module = {
+  name = afsplitter;
+  common = disk/AFSplitter.c;
+};
+
 module = {
  name = luks;
  common = disk/luks.c;
-  common = disk/AFSplitter.c;
+};
+
+module = {
+  name = luks2;
+  common = disk/luks2.c;
+  common = lib/gnulib/base64.c;
+  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
+  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/json';
 };

 module = {
@ -1212,6 +1282,11 @@ module = {
  common = disk/raid6_recover.c;
 };

+module = {
+  name = key_protector;
+  common = disk/key_protector.c;
+};
+
 module = {
  name = scsi;
  common = disk/scsi.c;
@ -1372,6 +1447,11 @@ module = {
  common = fs/odc.c;
 };

+module = {
+  name = erofs;
+  common = fs/erofs.c;
+};
+
 module = {
  name = ext2;
  common = fs/ext2.c;
@ -1526,6 +1606,7 @@ module = {
  common = fs/zfs/zfs_lz4.c;
  common = fs/zfs/zfs_sha256.c;
  common = fs/zfs/zfs_fletcher.c;
+  cppflags = '-I$(srcdir)/lib/posix_wrap -I$(srcdir)/lib/zstd';
 };

 module = {
@ -1655,6 +1736,7 @@ module = {

 module = {
  name = datetime;
+  common = lib/datetime.c;
  cmos = lib/cmos_datetime.c;
  efi = lib/efi/datetime.c;
  uboot = lib/dummy/datetime.c;
@ -1667,7 +1749,6 @@ module = {
  i386_xen_pvh = lib/xen/datetime.c;

  mips_arc = lib/arc/datetime.c;
-  enable = noemu;
 };

 module = {
@ -1683,6 +1764,7 @@ module = {
  extra_dist = lib/arm/setjmp.S;
  extra_dist = lib/arm64/setjmp.S;
  extra_dist = lib/riscv/setjmp.S;
+  extra_dist = lib/loongarch64/setjmp.S;
 };

 module = {
@ -1781,14 +1863,17 @@ module = {
  sparc64_ieee1275 = loader/sparc64/ieee1275/linux.c;
  ia64_efi = loader/ia64/efi/linux.c;
  arm_coreboot = loader/arm/linux.c;
-  arm_efi = loader/arm64/linux.c;
+  arm_efi = loader/efi/linux.c;
  arm_uboot = loader/arm/linux.c;
-  arm64 = loader/arm64/linux.c;
-  riscv32 = loader/riscv/linux.c;
-  riscv64 = loader/riscv/linux.c;
+  arm64 = loader/efi/linux.c;
+  loongarch64 = loader/efi/linux.c;
+  riscv32 = loader/efi/linux.c;
+  riscv64 = loader/efi/linux.c;
+  i386_efi = loader/efi/linux.c;
+  x86_64_efi = loader/efi/linux.c;
+  emu = loader/emu/linux.c;
  common = loader/linux.c;
  common = lib/cmdline.c;
-  enable = noemu;
 };

 module = {
@ -1880,6 +1965,7 @@ module = {
  enable = ia64_efi;
  enable = arm_efi;
  enable = arm64_efi;
+  enable = loongarch64_efi;
  enable = riscv32_efi;
  enable = riscv64_efi;
  enable = mips;
@ -1894,7 +1980,6 @@ module = {
  common = normal/autofs.c;
  common = normal/color.c;
  common = normal/completion.c;
-  common = normal/datetime.c;
  common = normal/menu.c;
  common = normal/menu_entry.c;
  common = normal/menu_text.c;
@ -1923,7 +2008,7 @@ module = {
  extra_dist = script/yylex.l;
  extra_dist = script/parser.y;

-  cflags = '$(CFLAGS_POSIX) -Wno-redundant-decls';
+  cflags = '$(CFLAGS_POSIX) -Wno-redundant-decls -Wno-unused-but-set-variable';
  cppflags = '$(CPPFLAGS_POSIX)';
 };

@ -2009,9 +2094,11 @@ module = {
  name = serial;
  common = term/serial.c;
  x86 = term/ns8250.c;
+  x86 = term/ns8250-spcr.c;
  ieee1275 = term/ieee1275/serial.c;
  mips_arc = term/arc/serial.c;
  efi = term/efi/serial.c;
+  x86 = term/pci/serial.c;

  enable = terminfomodule;
  enable = ieee1275;
@ -2253,6 +2340,14 @@ module = {
  condition = COND_GRUB_EMU_SDL;
 };

+module = {
+  name = sdl;
+  emu = video/emu/sdl.c;
+  enable = emu;
+  condition = COND_GRUB_EMU_SDL2;
+  cflags = '$(SDL2_CFLAGS)';
+};
+
 module = {
  name = datehook;
  common = hook/datehook.c;
@ -2469,7 +2564,35 @@ module = {
  name = tpm;
  common = commands/tpm.c;
  efi = commands/efi/tpm.c;
-  enable = x86_64_efi;
+  enable = efi;
+};
+
+module = {
+  name = tss2;
+  common = lib/tss2/buffer.c;
+  common = lib/tss2/tss2_mu.c;
+  common = lib/tss2/tpm2_cmd.c;
+  common = lib/tss2/tss2.c;
+  efi = lib/efi/tcg2.c;
+  emu = lib/tss2/tcg2_emu.c;
+  powerpc_ieee1275 = lib/ieee1275/tcg2.c;
+  enable = efi;
+  enable = emu;
+  enable = powerpc_ieee1275;
+  cppflags = '-I$(srcdir)/lib/tss2';
+};
+
+module = {
+  name = tpm2_key_protector;
+  common = commands/tpm2_key_protector/args.c;
+  common = commands/tpm2_key_protector/module.c;
+  common = commands/tpm2_key_protector/tpm2key.c;
+  common = commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+  /* The plaform support of tpm2_key_protector depends on the tcg2 implementation in tss2. */
+  enable = efi;
+  enable = emu;
+  enable = powerpc_ieee1275;
+  cppflags = '-I$(srcdir)/lib/tss2 -I$(srcdir)/lib/libtasn1-grub';
 };

 module = {
@ -2503,3 +2626,46 @@ module = {
  common = commands/i386/wrmsr.c;
  enable = x86;
 };
+
+module = {
+  name = memtools;
+  common = commands/memtools.c;
+  condition = COND_MM_DEBUG;
+};
+
+module = {
+  name = bli;
+  efi = commands/bli.c;
+  enable = efi;
+  depends = part_gpt;
+};
+
+module = {
+  name = asn1;
+  common = lib/libtasn1-grub/lib/decoding.c;
+  common = lib/libtasn1-grub/lib/coding.c;
+  common = lib/libtasn1-grub/lib/element.c;
+  common = lib/libtasn1-grub/lib/structure.c;
+  common = lib/libtasn1-grub/lib/parser_aux.c;
+  common = lib/libtasn1-grub/lib/gstr.c;
+  common = lib/libtasn1-grub/lib/errors.c;
+  common = lib/libtasn1_wrap/wrap.c;
+  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
+  /* -Wno-type-limits comes from configure.ac of libtasn1 */
+  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/libtasn1-grub -I$(srcdir)/lib/libtasn1-grub/lib -Wno-type-limits';
+};
+
+module = {
+  name = asn1_test;
+  common = tests/asn1/tests/CVE-2018-1000654.c;
+  common = tests/asn1/tests/object-id-decoding.c;
+  common = tests/asn1/tests/object-id-encoding.c;
+  common = tests/asn1/tests/octet-string.c;
+  common = tests/asn1/tests/reproducers.c;
+  common = tests/asn1/tests/Test_overflow.c;
+  common = tests/asn1/tests/Test_simple.c;
+  common = tests/asn1/tests/Test_strings.c;
+  common = tests/asn1/asn1_test.c;
+  cflags = '-Wno-uninitialized';
+  cppflags = '-I$(srcdir)/lib/libtasn1-grub -I$(srcdir)/tests/asn1/';
+};
--- a/grub-core/bus/cs5536.c
+++ b/grub-core/bus/cs5536.c
@ -331,8 +331,9 @@ grub_cs5536_init_geode (grub_pci_device_t dev)

  {
    volatile grub_uint32_t *oc;
-    oc = grub_pci_device_map_range (dev, 0x05022000,
-				    GRUB_CS5536_USB_OPTION_REGS_SIZE);
+
+    oc = grub_absolute_pointer (grub_pci_device_map_range (dev, 0x05022000,
+				GRUB_CS5536_USB_OPTION_REGS_SIZE));

    oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX] =
      (oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX]
--- a/grub-core/bus/usb/ehci.c
+++ b/grub-core/bus/usb/ehci.c
@ -218,7 +218,7 @@ enum

 #define GRUB_EHCI_TERMINATE      (1<<0)

-#define GRUB_EHCI_TOGGLE         (1<<31)
+#define GRUB_EHCI_TOGGLE         ((grub_uint32_t) 1<<31)

 enum
 {
--- a/grub-core/bus/usb/usb.c
+++ b/grub-core/bus/usb/usb.c
@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
 grub_usb_err_t
 grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
 {
+  if (endpoint >= GRUB_USB_MAX_TOGGLE)
+    return GRUB_USB_ERR_BADDEVICE;
+
  dev->toggle[endpoint] = 0;
  return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
 				     | GRUB_USB_REQTYPE_STANDARD
@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
    return err;
  descdev = &dev->descdev;

-  for (i = 0; i < 8; i++)
+  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
    dev->config[i].descconf = NULL;

-  if (descdev->configcnt == 0)
+  if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
    {
      err = GRUB_USB_ERR_BADDEVICE;
      goto fail;
@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
      /* Skip the configuration descriptor.  */
      pos = dev->config[i].descconf->length;

+      if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
+        {
+          err = GRUB_USB_ERR_BADDEVICE;
+          goto fail;
+        }
+
      /* Read all interfaces.  */
      for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
 	{
@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)

 fail:

-  for (i = 0; i < 8; i++)
+  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
    grub_free (dev->config[i].descconf);

  return err;
--- a/grub-core/bus/usb/usbhub.c
+++ b/grub-core/bus/usb/usbhub.c
@ -82,7 +82,7 @@ grub_usb_hub_add_dev (grub_usb_controller_t controller,
  if (i == GRUB_USBHUB_MAX_DEVICES)
    {
      grub_error (GRUB_ERR_IO, "can't assign address to USB device");
-      for (i = 0; i < 8; i++)
+      for (i = 0; i < GRUB_USB_MAX_CONF; i++)
        grub_free (dev->config[i].descconf);
      grub_free (dev);
      return NULL;
@ -96,7 +96,7 @@ grub_usb_hub_add_dev (grub_usb_controller_t controller,
 			      i, 0, 0, NULL);
  if (err)
    {
-      for (i = 0; i < 8; i++)
+      for (i = 0; i < GRUB_USB_MAX_CONF; i++)
        grub_free (dev->config[i].descconf);
      grub_free (dev);
      return NULL;
@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
  grub_usb_set_configuration (dev, 1);

  dev->nports = hubdesc.portcnt;
-  dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
-  dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
+  dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
+  dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
  if (!dev->children || !dev->ports)
    {
      grub_free (dev->children);
@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d

  /* Query the number of ports the root Hub has.  */
  hub->nports = controller->dev->hubports (controller);
-  hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
-  hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
+  hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
+  hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
  if (!hub->devices || !hub->ports)
    {
      grub_free (hub->devices);
--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@ -27,6 +27,7 @@
 #include <grub/mm.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 #ifdef GRUB_MACHINE_EFI
 #include <grub/efi/efi.h>
@ -37,6 +38,20 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+enum
+  {
+    OPTION_EXCLUDE = 0,
+    OPTION_LOAD_ONLY,
+    OPTION_V1,
+    OPTION_V2,
+    OPTION_OEMID,
+    OPTION_OEMTABLE,
+    OPTION_OEMTABLEREV,
+    OPTION_OEMTABLECREATOR,
+    OPTION_OEMTABLECREATORREV,
+    OPTION_NO_EBDA
+  };
+
 static const struct grub_arg_option options[] = {
  {"exclude", 'x', 0,
   N_("Don't load host tables specified by comma-separated list."),
@ -167,7 +182,7 @@ grub_acpi_create_ebda (void)
  struct grub_acpi_rsdp_v10 *v1;
  struct grub_acpi_rsdp_v20 *v2;

-  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *)0x40e)) << 4);
+  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *) grub_absolute_pointer (0x40e))) << 4);
  grub_dprintf ("acpi", "EBDA @%p\n", ebda);
  if (ebda)
    ebda_kb_len = *(grub_uint16_t *) ebda;
@ -297,7 +312,7 @@ grub_acpi_create_ebda (void)
      *target = 0;

  grub_dprintf ("acpi", "Switching EBDA\n");
-  (*((grub_uint16_t *) 0x40e)) = ((grub_addr_t) targetebda) >> 4;
+  (*((grub_uint16_t *) grub_absolute_pointer (0x40e))) = ((grub_addr_t) targetebda) >> 4;
  grub_dprintf ("acpi", "EBDA switched\n");

  return GRUB_ERR_NONE;
@ -489,21 +504,21 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)

  if (rsdp)
    {
-      grub_uint32_t *entry_ptr;
+      grub_uint8_t *entry_ptr;
      char *exclude = 0;
      char *load_only = 0;
      char *ptr;
-      /* RSDT consists of header and an array of 32-bit pointers. */
-      struct grub_acpi_table_header *rsdt;
+      grub_size_t tbl_addr_size;
+      struct grub_acpi_table_header *table_head;

-      exclude = state[0].set ? grub_strdup (state[0].arg) : 0;
+      exclude = state[OPTION_EXCLUDE].set ? grub_strdup (state[OPTION_EXCLUDE].arg) : 0;
      if (exclude)
 	{
 	  for (ptr = exclude; *ptr; ptr++)
 	    *ptr = grub_tolower (*ptr);
 	}

-      load_only = state[1].set ? grub_strdup (state[1].arg) : 0;
+      load_only = state[OPTION_LOAD_ONLY].set ? grub_strdup (state[OPTION_LOAD_ONLY].arg) : 0;
      if (load_only)
 	{
 	  for (ptr = load_only; *ptr; ptr++)
@ -513,17 +528,32 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
      /* Set revision variables to replicate the same version as host. */
      rev1 = ! rsdp->revision;
      rev2 = rsdp->revision;
-      rsdt = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
+      if (rev2 && ((struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr) != NULL)
+	{
+	  /* XSDT consists of header and an array of 64-bit pointers. */
+	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr;
+	  tbl_addr_size = sizeof (((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr);
+	}
+      else
+	{
+	  /* RSDT consists of header and an array of 32-bit pointers. */
+	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
+	  tbl_addr_size = sizeof (rsdp->rsdt_addr);
+	}
+
      /* Load host tables. */
-      for (entry_ptr = (grub_uint32_t *) (rsdt + 1);
-	   entry_ptr < (grub_uint32_t *) (((grub_uint8_t *) rsdt)
-					  + rsdt->length);
-	   entry_ptr++)
+      for (entry_ptr = (grub_uint8_t *) (table_head + 1);
+	   entry_ptr < (grub_uint8_t *) (((grub_uint8_t *) table_head) + table_head->length);
+	   entry_ptr += tbl_addr_size)
 	{
 	  char signature[5];
 	  struct efiemu_acpi_table *table;
-	  struct grub_acpi_table_header *curtable
-	    = (struct grub_acpi_table_header *) (grub_addr_t) *entry_ptr;
+	  struct grub_acpi_table_header *curtable;
+	  if (tbl_addr_size == sizeof (rsdp->rsdt_addr))
+	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint32_t *) entry_ptr);
+	  else
+	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint64_t *) entry_ptr);
+
 	  signature[4] = 0;
 	  for (i = 0; i < 4;i++)
 	    signature[i] = grub_tolower (curtable->signature[i]);
@ -607,26 +637,26 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
    }

  /* Does user specify versions to generate? */
-  if (state[2].set || state[3].set)
+  if (state[OPTION_V1].set || state[OPTION_V2].set)
    {
-      rev1 = state[2].set;
-      if (state[3].set)
+      rev1 = state[OPTION_V1].set;
+      if (state[OPTION_V2].set)
 	rev2 = rev2 ? : 2;
      else
 	rev2 = 0;
    }

  /* Does user override root header information? */
-  if (state[4].set)
-    grub_strncpy (root_oemid, state[4].arg, sizeof (root_oemid));
-  if (state[5].set)
-    grub_strncpy (root_oemtable, state[5].arg, sizeof (root_oemtable));
-  if (state[6].set)
-    root_oemrev = grub_strtoul (state[6].arg, 0, 0);
-  if (state[7].set)
-    grub_strncpy (root_creator_id, state[7].arg, sizeof (root_creator_id));
-  if (state[8].set)
-    root_creator_rev = grub_strtoul (state[8].arg, 0, 0);
+  if (state[OPTION_OEMID].set)
+    grub_strncpy (root_oemid, state[OPTION_OEMID].arg, sizeof (root_oemid));
+  if (state[OPTION_OEMTABLE].set)
+    grub_strncpy (root_oemtable, state[OPTION_OEMTABLE].arg, sizeof (root_oemtable));
+  if (state[OPTION_OEMTABLEREV].set)
+    root_oemrev = grub_strtoul (state[OPTION_OEMTABLEREV].arg, 0, 0);
+  if (state[OPTION_OEMTABLECREATOR].set)
+    grub_strncpy (root_creator_id, state[OPTION_OEMTABLECREATOR].arg, sizeof (root_creator_id));
+  if (state[OPTION_OEMTABLECREATORREV].set)
+    root_creator_rev = grub_strtoul (state[OPTION_OEMTABLECREATORREV].arg, 0, 0);

  /* Load user tables */
  for (i = 0; i < argc; i++)
@ -742,7 +772,7 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
  acpi_tables = 0;

 #if defined (__i386__) || defined (__x86_64__)
-  if (! state[9].set)
+  if (! state[OPTION_NO_EBDA].set)
    {
      grub_err_t err;
      err = grub_acpi_create_ebda ();
@ -758,13 +788,13 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)

 #ifdef GRUB_MACHINE_EFI
  {
-    struct grub_efi_guid acpi = GRUB_EFI_ACPI_TABLE_GUID;
-    struct grub_efi_guid acpi20 = GRUB_EFI_ACPI_20_TABLE_GUID;
+    static grub_guid_t acpi = GRUB_EFI_ACPI_TABLE_GUID;
+    static grub_guid_t acpi20 = GRUB_EFI_ACPI_20_TABLE_GUID;

-    efi_call_2 (grub_efi_system_table->boot_services->install_configuration_table,
-      &acpi20, grub_acpi_get_rsdpv2 ());
-    efi_call_2 (grub_efi_system_table->boot_services->install_configuration_table,
-      &acpi, grub_acpi_get_rsdpv1 ());
+    grub_efi_system_table->boot_services->install_configuration_table (&acpi20,
+								       grub_acpi_get_rsdpv2 ());
+    grub_efi_system_table->boot_services->install_configuration_table (&acpi,
+								       grub_acpi_get_rsdpv1 ());
  }
 #endif

@ -775,7 +805,7 @@ static grub_extcmd_t cmd;

 GRUB_MOD_INIT(acpi)
 {
-  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
+  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
                                          "--load-only=TABLE1,TABLE2] FILE1"
                                          " [FILE2] [...]"),
--- a/grub-core/commands/bli.c
+++ b/grub-core/commands/bli.c
@ -0,0 +1,138 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2023  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  Implementation of the Boot Loader Interface.
+ */
+
+#include <grub/charset.h>
+#include <grub/efi/api.h>
+#include <grub/efi/disk.h>
+#include <grub/efi/efi.h>
+#include <grub/err.h>
+#include <grub/extcmd.h>
+#include <grub/gpt_partition.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/partition.h>
+#include <grub/types.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define MODNAME "bli"
+
+static const grub_guid_t bli_vendor_guid = GRUB_EFI_VENDOR_BOOT_LOADER_INTERFACE_GUID;
+
+static grub_err_t
+get_part_uuid (const char *device_name, char **part_uuid)
+{
+  grub_device_t device;
+  grub_err_t status = GRUB_ERR_NONE;
+  grub_disk_t disk = NULL;
+  struct grub_gpt_partentry entry;
+
+  device = grub_device_open (device_name);
+  if (device == NULL)
+    return grub_error (grub_errno, N_("cannot open device: %s"), device_name);
+
+  if (device->disk == NULL)
+    {
+      grub_dprintf ("bli", "%s is not a disk device, partuuid skipped\n", device_name);
+      *part_uuid = NULL;
+      grub_device_close (device);
+      return GRUB_ERR_NONE;
+    }
+
+  if (device->disk->partition == NULL)
+    {
+      grub_dprintf ("bli", "%s has no partition, partuuid skipped\n", device_name);
+      *part_uuid = NULL;
+      grub_device_close (device);
+      return GRUB_ERR_NONE;
+    }
+
+  disk = grub_disk_open (device->disk->name);
+  if (disk == NULL)
+    {
+      status = grub_error (grub_errno, N_("cannot open disk: %s"), device_name);
+      grub_device_close (device);
+      return status;
+    }
+
+  if (grub_strcmp (device->disk->partition->partmap->name, "gpt") != 0)
+    {
+      status = grub_error (GRUB_ERR_BAD_PART_TABLE,
+			   N_("this is not a GPT partition table: %s"), device_name);
+      goto fail;
+    }
+
+  if (grub_disk_read (disk, device->disk->partition->offset,
+		      device->disk->partition->index, sizeof (entry), &entry) != GRUB_ERR_NONE)
+    {
+      status = grub_error (grub_errno, N_("read error: %s"), device_name);
+      goto fail;
+    }
+
+  *part_uuid = grub_xasprintf ("%pG", &entry.guid);
+  if (*part_uuid == NULL)
+    status = grub_errno;
+
+ fail:
+  grub_disk_close (disk);
+  grub_device_close (device);
+
+  return status;
+}
+
+static grub_err_t
+set_loader_device_part_uuid (void)
+{
+  grub_efi_loaded_image_t *image;
+  char *device_name;
+  grub_err_t status = GRUB_ERR_NONE;
+  char *part_uuid = NULL;
+
+  image = grub_efi_get_loaded_image (grub_efi_image_handle);
+  if (image == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("unable to find boot device"));
+
+  device_name = grub_efidisk_get_device_name (image->device_handle);
+  if (device_name == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("unable to find boot device"));
+
+  status = get_part_uuid (device_name, &part_uuid);
+
+  if (status == GRUB_ERR_NONE && part_uuid)
+    status = grub_efi_set_variable_to_string ("LoaderDevicePartUUID", &bli_vendor_guid, part_uuid,
+					      GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+					      GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
+  else
+    grub_error (status, N_("unable to determine partition UUID of boot device"));
+
+  grub_free (part_uuid);
+  grub_free (device_name);
+  return status;
+}
+
+GRUB_MOD_INIT (bli)
+{
+  grub_efi_set_variable_to_string ("LoaderInfo", &bli_vendor_guid, PACKAGE_STRING,
+				   GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				   GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
+  set_loader_device_part_uuid ();
+  /* No error here is critical, other than being logged */
+  grub_print_error ();
+}
--- a/grub-core/commands/blocklist.c
+++ b/grub-core/commands/blocklist.c
@ -53,9 +53,9 @@ print_blocklist (grub_disk_addr_t sector, unsigned num,
 }

 /* Helper for grub_cmd_blocklist.  */
-static void
+static grub_err_t
 read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
-		void *data)
+		char *buf __attribute__ ((unused)), void *data)
 {
  struct blocklist_ctx *ctx = data;

@ -70,7 +70,7 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
 	}

      if (!length)
-	return;
+	return GRUB_ERR_NONE;
      print_blocklist (ctx->start_sector, ctx->num_sectors, 0, 0, ctx);
      ctx->num_sectors = 0;
    }
@ -87,7 +87,7 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
    }

  if (!length)
-    return;
+    return GRUB_ERR_NONE;

  if (length & (GRUB_DISK_SECTOR_SIZE - 1))
    {
@ -103,6 +103,8 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
      ctx->start_sector = sector;
      ctx->num_sectors = length >> GRUB_DISK_SECTOR_BITS;
    }
+
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/boot.c
+++ b/grub-core/commands/boot.c
@ -27,10 +27,20 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static grub_err_t (*grub_loader_boot_func) (void);
-static grub_err_t (*grub_loader_unload_func) (void);
+static grub_err_t (*grub_loader_boot_func) (void *context);
+static grub_err_t (*grub_loader_unload_func) (void *context);
+static void *grub_loader_context;
 static int grub_loader_flags;

+struct grub_simple_loader_hooks
+{
+  grub_err_t (*boot) (void);
+  grub_err_t (*unload) (void);
+};
+
+/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
+static struct grub_simple_loader_hooks simple_loader_hooks;
+
 struct grub_preboot
 {
  grub_err_t (*preboot_func) (int);
@ -44,6 +54,29 @@ static int grub_loader_loaded;
 static struct grub_preboot *preboots_head = 0,
  *preboots_tail = 0;

+static grub_err_t
+grub_simple_boot_hook (void *context)
+{
+  struct grub_simple_loader_hooks *hooks;
+
+  hooks = (struct grub_simple_loader_hooks *) context;
+  return hooks->boot ();
+}
+
+static grub_err_t
+grub_simple_unload_hook (void *context)
+{
+  struct grub_simple_loader_hooks *hooks;
+  grub_err_t ret;
+
+  hooks = (struct grub_simple_loader_hooks *) context;
+
+  ret = hooks->unload ();
+  grub_memset (hooks, 0, sizeof (*hooks));
+
+  return ret;
+}
+
 int
 grub_loader_is_loaded (void)
 {
@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
 }

 void
-grub_loader_set (grub_err_t (*boot) (void),
-		 grub_err_t (*unload) (void),
+grub_loader_set_ex (grub_err_t (*boot) (void *context),
+		    grub_err_t (*unload) (void *context),
+		    void *context,
 		    int flags)
 {
  if (grub_loader_loaded && grub_loader_unload_func)
-    grub_loader_unload_func ();
+    grub_loader_unload_func (grub_loader_context);

  grub_loader_boot_func = boot;
  grub_loader_unload_func = unload;
+  grub_loader_context = context;
  grub_loader_flags = flags;

  grub_loader_loaded = 1;
 }

+void
+grub_loader_set (grub_err_t (*boot) (void),
+		 grub_err_t (*unload) (void),
+		 int flags)
+{
+  grub_loader_set_ex (grub_simple_boot_hook,
+		      grub_simple_unload_hook,
+		      &simple_loader_hooks,
+		      flags);
+
+  simple_loader_hooks.boot = boot;
+  simple_loader_hooks.unload = unload;
+}
+
 void
 grub_loader_unset(void)
 {
  if (grub_loader_loaded && grub_loader_unload_func)
-    grub_loader_unload_func ();
+    grub_loader_unload_func (grub_loader_context);

  grub_loader_boot_func = 0;
  grub_loader_unload_func = 0;
+  grub_loader_context = 0;

  grub_loader_loaded = 0;
 }
@ -158,7 +208,7 @@ grub_loader_boot (void)
 	  return err;
 	}
    }
-  err = (grub_loader_boot_func) ();
+  err = (grub_loader_boot_func) (grub_loader_context);

  for (cur = preboots_tail; cur; cur = cur->prev)
    if (! err)
--- a/grub-core/commands/cmp.c
+++ b/grub-core/commands/cmp.c
@ -22,14 +22,21 @@
 #include <grub/file.h>
 #include <grub/mm.h>
 #include <grub/command.h>
+#include <grub/extcmd.h>
 #include <grub/i18n.h>

 GRUB_MOD_LICENSE ("GPLv3+");

 #define BUFFER_SIZE 512

+static const struct grub_arg_option options[] =
+  {
+    {0, 'v', 0, N_("Enable verbose output"), 0, 0},
+    {0, 0, 0, 0, 0, 0}
+  };
+
 static grub_err_t
-grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
+grub_cmd_cmp (grub_extcmd_context_t ctxt,
 	      int argc, char **args)
 {
  grub_ssize_t rd1, rd2;
@ -38,19 +45,20 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
  grub_file_t file2 = 0;
  char *buf1 = 0;
  char *buf2 = 0;
+  grub_err_t err = GRUB_ERR_TEST_FAILURE;

  if (argc != 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));

-  grub_printf_ (N_("Compare file `%s' with `%s':\n"), args[0],
-		args[1]);
+  if (ctxt->state[0].set)
+    grub_printf_ (N_("Compare file `%s' with `%s':\n"), args[0], args[1]);

  file1 = grub_file_open (args[0], GRUB_FILE_TYPE_CMP);
  file2 = grub_file_open (args[1], GRUB_FILE_TYPE_CMP);
  if (! file1 || ! file2)
    goto cleanup;

-  if (grub_file_size (file1) != grub_file_size (file2))
+  if (ctxt->state[0].set && (grub_file_size (file1) != grub_file_size (file2)))
    grub_printf_ (N_("Files differ in size: %llu [%s], %llu [%s]\n"),
 		  (unsigned long long) grub_file_size (file1), args[0],
 		  (unsigned long long) grub_file_size (file2), args[1]);
@ -78,6 +86,7 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
 	    {
 	      if (buf1[i] != buf2[i])
 		{
+		  if (ctxt->state[0].set)
 		    grub_printf_ (N_("Files differ at the offset %llu: 0x%x [%s], 0x%x [%s]\n"),
 				  (unsigned long long) (i + pos), buf1[i],
 				  args[0], buf2[i], args[1]);
@ -90,7 +99,9 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
      while (rd2);

      /* TRANSLATORS: it's always exactly 2 files.  */
+      if (ctxt->state[0].set)
        grub_printf_ (N_("The files are identical.\n"));
+      err = GRUB_ERR_NONE;
    }

 cleanup:
@ -102,18 +113,19 @@ cleanup:
  if (file2)
    grub_file_close (file2);

-  return grub_errno;
+  return err;
 }

-static grub_command_t cmd;
+static grub_extcmd_t cmd;

 GRUB_MOD_INIT(cmp)
 {
-  cmd = grub_register_command ("cmp", grub_cmd_cmp,
-			       N_("FILE1 FILE2"), N_("Compare two files."));
+  cmd = grub_register_extcmd ("cmp", grub_cmd_cmp, 0,
+			      N_("FILE1 FILE2"), N_("Compare two files."),
+			      options);
 }

 GRUB_MOD_FINI(cmp)
 {
-  grub_unregister_command (cmd);
+  grub_unregister_extcmd (cmd);
 }
--- a/grub-core/commands/date.c
+++ b/grub-core/commands/date.c
@ -59,7 +59,8 @@ grub_cmd_date (grub_command_t cmd __attribute__ ((unused)),

  for (; argc; argc--, args++)
    {
-      char *p, c;
+      const char *p;
+      char c;
      int m1, ofs, n, cur_mask;

      p = args[0];
--- a/grub-core/commands/efi/efifwsetup.c
+++ b/grub-core/commands/efi/efifwsetup.c
@ -27,6 +27,8 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+static grub_efi_boolean_t efifwsetup_is_supported (void);
+
 static grub_err_t
 grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
 		  int argc __attribute__ ((unused)),
@ -36,14 +38,23 @@ grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
  grub_efi_uint64_t os_indications = GRUB_EFI_OS_INDICATIONS_BOOT_TO_FW_UI;
  grub_err_t status;
  grub_size_t oi_size;
-  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  static grub_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;

-  old_os_indications = grub_efi_get_variable ("OsIndications", &global,
-					      &oi_size);
+  if (argc >= 1 && grub_strcmp(args[0], "--is-supported") == 0)
+    return !efifwsetup_is_supported ();
+
+  if (!efifwsetup_is_supported ())
+	  return grub_error (GRUB_ERR_INVALID_COMMAND,
+			     N_("reboot to firmware setup is not supported by the current firmware"));
+
+  grub_efi_get_variable ("OsIndications", &global, &oi_size,
+			 (void **) &old_os_indications);

  if (old_os_indications != NULL && oi_size == sizeof (os_indications))
    os_indications |= *old_os_indications;

+  grub_free (old_os_indications);
+
  status = grub_efi_set_variable ("OsIndications", &global, &os_indications,
 				  sizeof (os_indications));
  if (status != GRUB_ERR_NONE)
@ -61,26 +72,27 @@ efifwsetup_is_supported (void)
 {
  grub_efi_uint64_t *os_indications_supported = NULL;
  grub_size_t oi_size = 0;
-  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  static grub_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  grub_efi_boolean_t ret = 0;

-  os_indications_supported = grub_efi_get_variable ("OsIndicationsSupported",
-						    &global, &oi_size);
+  grub_efi_get_variable ("OsIndicationsSupported", &global, &oi_size,
+			 (void **) &os_indications_supported);

  if (!os_indications_supported)
-    return 0;
+    goto done;

  if (*os_indications_supported & GRUB_EFI_OS_INDICATIONS_BOOT_TO_FW_UI)
-    return 1;
+    ret = 1;

-  return 0;
+ done:
+  grub_free (os_indications_supported);
+  return ret;
 }

 GRUB_MOD_INIT (efifwsetup)
 {
-  if (efifwsetup_is_supported ())
  cmd = grub_register_command ("fwsetup", grub_cmd_fwsetup, NULL,
                               N_("Reboot into firmware setup menu."));
-
 }

 GRUB_MOD_FINI (efifwsetup)
--- a/grub-core/commands/efi/efitextmode.c
+++ b/grub-core/commands/efi/efitextmode.c
@ -0,0 +1,153 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  Set/Get UEFI text output mode resolution.
+ */
+
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/command.h>
+#include <grub/i18n.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/api.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static grub_err_t
+grub_efi_set_mode (grub_efi_simple_text_output_interface_t *o,
+		   grub_efi_int32_t mode)
+{
+  grub_efi_status_t status;
+
+  if (mode != o->mode->mode)
+    {
+      status = o->set_mode (o, mode);
+      if (status == GRUB_EFI_SUCCESS)
+	;
+      else if (status == GRUB_EFI_DEVICE_ERROR)
+	return grub_error (GRUB_ERR_BAD_DEVICE,
+			   N_("device error: could not set requested mode"));
+      else if (status == GRUB_EFI_UNSUPPORTED)
+	return grub_error (GRUB_ERR_OUT_OF_RANGE,
+			   N_("invalid mode: number not valid"));
+      else
+	return grub_error (GRUB_ERR_BAD_FIRMWARE,
+			   N_("unexpected EFI error number: `%u'"),
+			   (unsigned) status);
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_cmd_efitextmode (grub_command_t cmd __attribute__ ((unused)),
+		      int argc, char **args)
+{
+  grub_efi_simple_text_output_interface_t *o = grub_efi_system_table->con_out;
+  unsigned long mode;
+  const char *p = NULL;
+  grub_err_t err;
+  grub_efi_uintn_t columns, rows;
+  grub_efi_int32_t i;
+
+  if (o == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("no UEFI output console interface"));
+
+  if (o->mode == NULL)
+    return grub_error (GRUB_ERR_BUG, N_("no mode struct for UEFI output console"));
+
+  if (argc > 2)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("at most two arguments expected"));
+
+  if (argc == 0)
+    {
+      grub_printf_ (N_("Available modes for console output device.\n"));
+
+      for (i = 0; i < o->mode->max_mode; i++)
+	if (GRUB_EFI_SUCCESS == o->query_mode (o, i, &columns, &rows))
+	  grub_printf_ (N_(" [%" PRIuGRUB_EFI_UINT32_T "]  Col %5"
+			   PRIuGRUB_EFI_UINTN_T " Row %5" PRIuGRUB_EFI_UINTN_T
+			   " %c\n"),
+			i, columns, rows, (i == o->mode->mode) ? '*' : ' ');
+    }
+  else if (argc == 1)
+    {
+      if (grub_strcmp (args[0], "min") == 0)
+	mode = 0;
+      else if (grub_strcmp (args[0], "max") == 0)
+	mode = o->mode->max_mode - 1;
+      else
+	{
+	  mode = grub_strtoul (args[0], &p, 0);
+
+	  if (*args[0] == '\0' || *p != '\0')
+	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			       N_("non-numeric or invalid mode `%s'"), args[0]);
+	}
+
+      if (mode < (unsigned long) o->mode->max_mode)
+	{
+	  err = grub_efi_set_mode (o, (grub_efi_int32_t) mode);
+	  if (err != GRUB_ERR_NONE)
+	    return err;
+	}
+      else
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("invalid mode: `%lu' is greater than maximum mode `%lu'"),
+			   mode, (unsigned long) o->mode->max_mode);
+    }
+  else if (argc == 2)
+    {
+      grub_efi_uintn_t u_columns, u_rows;
+
+      u_columns = (grub_efi_uintn_t) grub_strtoul (args[0], &p, 0);
+
+      if (*args[0] == '\0' || *p != '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("non-numeric or invalid columns number `%s'"), args[0]);
+
+      u_rows = (grub_efi_uintn_t) grub_strtoul (args[1], &p, 0);
+
+      if (*args[1] == '\0' || *p != '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("non-numeric or invalid rows number `%s'"), args[1]);
+
+      for (i = 0; i < o->mode->max_mode; i++)
+	if (GRUB_EFI_SUCCESS == o->query_mode (o, i, &columns, &rows))
+	  if (u_columns == columns && u_rows == rows)
+	    return grub_efi_set_mode (o, (grub_efi_int32_t) i);
+
+      return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			 N_("no mode found with requested columns and rows"));
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_command_t cmd;
+GRUB_MOD_INIT (efitextmode)
+{
+  cmd = grub_register_command ("efitextmode", grub_cmd_efitextmode,
+			       N_("[min | max | <mode_num> | <cols> <rows>]"),
+			       N_("Get or set EFI text mode."));
+}
+
+GRUB_MOD_FINI (efitextmode)
+{
+  grub_unregister_command (cmd);
+}
--- a/grub-core/commands/efi/loadbios.c
+++ b/grub-core/commands/efi/loadbios.c
@ -27,9 +27,9 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static grub_efi_guid_t acpi_guid = GRUB_EFI_ACPI_TABLE_GUID;
-static grub_efi_guid_t acpi2_guid = GRUB_EFI_ACPI_20_TABLE_GUID;
-static grub_efi_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;
+static grub_guid_t acpi_guid = GRUB_EFI_ACPI_TABLE_GUID;
+static grub_guid_t acpi2_guid = GRUB_EFI_ACPI_20_TABLE_GUID;
+static grub_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;

 #define EBDA_SEG_ADDR	0x40e
 #define LOW_MEM_ADDR	0x413
@ -46,7 +46,7 @@ enable_rom_area (void)
  grub_uint32_t *rom_ptr;
  grub_pci_device_t dev = { .bus = 0, .device = 0, .function = 0};

-  rom_ptr = (grub_uint32_t *) VBIOS_ADDR;
+  rom_ptr = grub_absolute_pointer (VBIOS_ADDR);
  if (*rom_ptr != BLANK_MEM)
    {
      grub_puts_ (N_("ROM image is present."));
@ -92,47 +92,29 @@ lock_rom_area (void)
 static void
 fake_bios_data (int use_rom)
 {
-  unsigned i;
  void *acpi, *smbios;
  grub_uint16_t *ebda_seg_ptr, *low_mem_ptr;

-  ebda_seg_ptr = (grub_uint16_t *) EBDA_SEG_ADDR;
-  low_mem_ptr = (grub_uint16_t *) LOW_MEM_ADDR;
+  ebda_seg_ptr = grub_absolute_pointer (EBDA_SEG_ADDR);
+  low_mem_ptr = grub_absolute_pointer (LOW_MEM_ADDR);
  if ((*ebda_seg_ptr) || (*low_mem_ptr))
    return;

-  acpi = 0;
-  smbios = 0;
-  for (i = 0; i < grub_efi_system_table->num_table_entries; i++)
-    {
-      grub_efi_packed_guid_t *guid =
-	&grub_efi_system_table->configuration_table[i].vendor_guid;
-
-      if (! grub_memcmp (guid, &acpi2_guid, sizeof (grub_efi_guid_t)))
-	{
-	  acpi = grub_efi_system_table->configuration_table[i].vendor_table;
+  acpi = grub_efi_find_configuration_table (&acpi2_guid);
  grub_dprintf ("efi", "ACPI2: %p\n", acpi);
+  if (!acpi) {
+    acpi = grub_efi_find_configuration_table (&acpi_guid);
+    grub_dprintf ("efi", "ACPI: %p\n", acpi);
  }
-      else if (! grub_memcmp (guid, &acpi_guid, sizeof (grub_efi_guid_t)))
-	{
-	  void *t;

-	  t = grub_efi_system_table->configuration_table[i].vendor_table;
-	  if (! acpi)
-	    acpi = t;
-	  grub_dprintf ("efi", "ACPI: %p\n", t);
-	}
-      else if (! grub_memcmp (guid, &smbios_guid, sizeof (grub_efi_guid_t)))
-	{
-	  smbios = grub_efi_system_table->configuration_table[i].vendor_table;
+  smbios = grub_efi_find_configuration_table (&smbios_guid);
  grub_dprintf ("efi", "SMBIOS: %p\n", smbios);
-	}
-    }

  *ebda_seg_ptr = FAKE_EBDA_SEG;
  *low_mem_ptr = (FAKE_EBDA_SEG >> 6);

-  *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr;
+  /* *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr; */
+  *((grub_uint16_t *) (grub_absolute_pointer (FAKE_EBDA_SEG << 4))) = 640 - *low_mem_ptr;

  if (acpi)
    grub_memcpy ((char *) ((FAKE_EBDA_SEG << 4) + 16), acpi, 1024 - 16);
@ -205,12 +187,12 @@ static grub_command_t cmd_fakebios, cmd_loadbios;

 GRUB_MOD_INIT(loadbios)
 {
-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
 						 0, N_("Create BIOS-like structures for"
 						       " backward compatibility with"
 						       " existing OS."));

-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
 						 N_("BIOS_DUMP [INT10_DUMP]"),
 						 N_("Load BIOS dump."));
 }
--- a/grub-core/commands/efi/lsefi.c
+++ b/grub-core/commands/efi/lsefi.c
@ -29,9 +29,9 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-struct known_protocol
+static struct known_protocol
 {
-  grub_efi_guid_t guid;
+  grub_guid_t guid;
  const char *name;
 } known_protocols[] =
  {
@ -55,6 +55,7 @@ struct known_protocol
    { GRUB_EFI_ABSOLUTE_POINTER_PROTOCOL_GUID, "absolute pointer" },
    { GRUB_EFI_DRIVER_BINDING_PROTOCOL_GUID, "EFI driver binding" },
    { GRUB_EFI_LOAD_FILE_PROTOCOL_GUID, "load file" },
+    { GRUB_EFI_LOAD_FILE2_PROTOCOL_GUID, "load file2" },
    { GRUB_EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID, "simple FS" },
    { GRUB_EFI_TAPE_IO_PROTOCOL_GUID, "tape I/O" },
    { GRUB_EFI_UNICODE_COLLATION_PROTOCOL_GUID, "unicode collation" },
@ -95,7 +96,7 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
      grub_efi_handle_t handle = handles[i];
      grub_efi_status_t status;
      grub_efi_uintn_t num_protocols;
-      grub_efi_packed_guid_t **protocols;
+      grub_packed_guid_t **protocols;
      grub_efi_device_path_t *dp;

      grub_printf ("Handle %p\n", handle);
@ -107,8 +108,9 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
 	  grub_efi_print_device_path (dp);
 	}

-      status = efi_call_3 (grub_efi_system_table->boot_services->protocols_per_handle,
-			   handle, &protocols, &num_protocols);
+      status = grub_efi_system_table->boot_services->protocols_per_handle (handle,
+									   &protocols,
+									   &num_protocols);
      if (status != GRUB_EFI_SUCCESS) {
 	grub_printf ("Unable to retrieve protocols\n");
 	continue;
@ -122,18 +124,7 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
 	  if (k < ARRAY_SIZE (known_protocols))
 	    grub_printf ("  %s\n", known_protocols[k].name);
 	  else
-	    grub_printf ("  %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x\n",
-			 protocols[j]->data1,
-			 protocols[j]->data2,
-			 protocols[j]->data3,
-			 (unsigned) protocols[j]->data4[0],
-			 (unsigned) protocols[j]->data4[1],
-			 (unsigned) protocols[j]->data4[2],
-			 (unsigned) protocols[j]->data4[3],
-			 (unsigned) protocols[j]->data4[4],
-			 (unsigned) protocols[j]->data4[5],
-			 (unsigned) protocols[j]->data4[6],
-			 (unsigned) protocols[j]->data4[7]);
+	    grub_printf ("  %pG\n", protocols[j]);
 	}

    }
--- a/grub-core/commands/efi/lsefisystab.c
+++ b/grub-core/commands/efi/lsefisystab.c
@ -29,7 +29,7 @@ GRUB_MOD_LICENSE ("GPLv3+");

 struct guid_mapping
 {
-  grub_efi_guid_t guid;
+  grub_guid_t guid;
  const char *name;
 };

@ -37,17 +37,22 @@ static const struct guid_mapping guid_mappings[] =
  {
    { GRUB_EFI_ACPI_20_TABLE_GUID, "ACPI-2.0"},
    { GRUB_EFI_ACPI_TABLE_GUID, "ACPI-1.0"},
+    { GRUB_EFI_CONFORMANCE_PROFILES_TABLE_GUID, "CONFORMANCE PROFILES"},
    { GRUB_EFI_CRC32_GUIDED_SECTION_EXTRACTION_GUID,
      "CRC32 GUIDED SECTION EXTRACTION"},
    { GRUB_EFI_DEBUG_IMAGE_INFO_TABLE_GUID, "DEBUG IMAGE INFO"},
+    { GRUB_EFI_DEVICE_TREE_GUID, "DEVICE TREE"},
    { GRUB_EFI_DXE_SERVICES_TABLE_GUID, "DXE SERVICES"},
    { GRUB_EFI_HCDP_TABLE_GUID, "HCDP"},
    { GRUB_EFI_HOB_LIST_GUID, "HOB LIST"},
+    { GRUB_EFI_IMAGE_SECURITY_DATABASE_GUID, "IMAGE EXECUTION INFORMATION"},
    { GRUB_EFI_LZMA_CUSTOM_DECOMPRESS_GUID, "LZMA CUSTOM DECOMPRESS"},
    { GRUB_EFI_MEMORY_TYPE_INFORMATION_GUID, "MEMORY TYPE INFO"},
    { GRUB_EFI_MPS_TABLE_GUID, "MPS"},
+    { GRUB_EFI_RT_PROPERTIES_TABLE_GUID, "RT PROPERTIES"},
    { GRUB_EFI_SAL_TABLE_GUID, "SAL"},
    { GRUB_EFI_SMBIOS_TABLE_GUID, "SMBIOS"},
+    { GRUB_EFI_SMBIOS3_TABLE_GUID, "SMBIOS3"},
    { GRUB_EFI_SYSTEM_RESOURCE_TABLE_GUID, "SYSTEM RESOURCE TABLE"},
    { GRUB_EFI_TIANO_CUSTOM_DECOMPRESS_GUID, "TIANO CUSTOM DECOMPRESS"},
    { GRUB_EFI_TSC_FREQUENCY_GUID, "TSC FREQUENCY"},
@ -59,19 +64,26 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
 		      char **args __attribute__ ((unused)))
 {
  const grub_efi_system_table_t *st = grub_efi_system_table;
+  const grub_efi_uint32_t major_rev = st->hdr.revision >> 16;
+  const grub_efi_uint32_t minor_rev_upper = (st->hdr.revision & 0xffff) / 10;
+  const grub_efi_uint32_t minor_rev_lower = (st->hdr.revision & 0xffff) % 10;
  grub_efi_configuration_table_t *t;
  unsigned int i;

  grub_printf ("Address: %p\n", st);
-  grub_printf ("Signature: %016" PRIxGRUB_UINT64_T " revision: %08x\n",
-	       st->hdr.signature, st->hdr.revision);
+  grub_printf ("Signature: %016" PRIxGRUB_UINT64_T " revision: %u.%u",
+	       st->hdr.signature, major_rev, minor_rev_upper);
+  if (minor_rev_lower)
+     grub_printf (".%u", minor_rev_lower);
+  grub_printf ("\n");
  {
    char *vendor;
    grub_uint16_t *vendor_utf16;
    grub_printf ("Vendor: ");

    for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
-    vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
+    /* Allocate extra 3 bytes to simplify math. */
+    vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
    if (!vendor)
      return grub_errno;
    *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,
@ -90,15 +102,11 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),

      grub_printf ("%p  ", t->vendor_table);

-      grub_printf ("%08x-%04x-%04x-",
-		   t->vendor_guid.data1, t->vendor_guid.data2,
-		   t->vendor_guid.data3);
-      for (j = 0; j < 8; j++)
-	grub_printf ("%02x", t->vendor_guid.data4[j]);
+      grub_printf ("%pG", &t->vendor_guid);

      for (j = 0; j < ARRAY_SIZE (guid_mappings); j++)
 	if (grub_memcmp (&guid_mappings[j].guid, &t->vendor_guid,
-			 sizeof (grub_efi_guid_t)) == 0)
+			 sizeof (grub_guid_t)) == 0)
 	  grub_printf ("   %s", guid_mappings[j].name);

      grub_printf ("\n");
--- a/grub-core/commands/efi/lssal.c
+++ b/grub-core/commands/efi/lssal.c
@ -136,22 +136,16 @@ grub_cmd_lssal (struct grub_command *cmd __attribute__ ((unused)),
 		int argc __attribute__ ((unused)),
 		char **args __attribute__ ((unused)))
 {
-  const grub_efi_system_table_t *st = grub_efi_system_table;
-  grub_efi_configuration_table_t *t = st->configuration_table;
-  unsigned int i;
-  grub_efi_packed_guid_t guid = GRUB_EFI_SAL_TABLE_GUID;
+  static grub_guid_t guid = GRUB_EFI_SAL_TABLE_GUID;
+  void *table = grub_efi_find_configuration_table (&guid);

-  for (i = 0; i < st->num_table_entries; i++)
+  if (table == NULL)
    {
-      if (grub_memcmp (&guid, &t->vendor_guid,
-		       sizeof (grub_efi_packed_guid_t)) == 0)
-	{
-	  disp_sal (t->vendor_table);
+      grub_printf ("SAL not found\n");
      return GRUB_ERR_NONE;
    }
-      t++;
-    }
-  grub_printf ("SAL not found\n");
+
+  disp_sal (table);
  return GRUB_ERR_NONE;
 }

--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@ -1,142 +0,0 @@
-/*
- *  GRUB  --  GRand Unified Bootloader
- *  Copyright (C) 2017  Free Software Foundation, Inc.
- *
- *  GRUB is free software: you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation, either version 3 of the License, or
- *  (at your option) any later version.
- *
- *  GRUB is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
- *
- *  EFI shim lock verifier.
- */
-
-#include <grub/dl.h>
-#include <grub/efi/efi.h>
-#include <grub/err.h>
-#include <grub/file.h>
-#include <grub/misc.h>
-#include <grub/verify.h>
-
-GRUB_MOD_LICENSE ("GPLv3+");
-
-#define GRUB_EFI_SHIM_LOCK_GUID \
-  { 0x605dab50, 0xe046, 0x4300, \
-    { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
-  }
-
-struct grub_efi_shim_lock_protocol
-{
-  grub_efi_status_t
-  (*verify) (void *buffer, grub_uint32_t size);
-};
-typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
-
-static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
-static grub_efi_shim_lock_protocol_t *sl;
-
-/* List of modules which cannot be loaded if UEFI secure boot mode is enabled. */
-static const char * const disabled_mods[] = {"iorw", "memrw", "wrmsr", NULL};
-
-static grub_err_t
-shim_lock_init (grub_file_t io, enum grub_file_type type,
-		void **context __attribute__ ((unused)),
-		enum grub_verify_flags *flags)
-{
-  const char *b, *e;
-  int i;
-
-  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
-
-  if (!sl)
-    return GRUB_ERR_NONE;
-
-  switch (type & GRUB_FILE_TYPE_MASK)
-    {
-    case GRUB_FILE_TYPE_GRUB_MODULE:
-      /* Establish GRUB module name. */
-      b = grub_strrchr (io->name, '/');
-      e = grub_strrchr (io->name, '.');
-
-      b = b ? (b + 1) : io->name;
-      e = e ? e : io->name + grub_strlen (io->name);
-      e = (e > b) ? e : io->name + grub_strlen (io->name);
-
-      for (i = 0; disabled_mods[i]; i++)
-	if (!grub_strncmp (b, disabled_mods[i], grub_strlen (b) - grub_strlen (e)))
-	  {
-	    grub_error (GRUB_ERR_ACCESS_DENIED,
-			N_("module cannot be loaded in UEFI secure boot mode: %s"),
-			io->name);
-	    return GRUB_ERR_ACCESS_DENIED;
-	  }
-
-      /* Fall through. */
-
-    case GRUB_FILE_TYPE_ACPI_TABLE:
-    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
-
-      return GRUB_ERR_NONE;
-
-    case GRUB_FILE_TYPE_LINUX_KERNEL:
-    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
-    case GRUB_FILE_TYPE_BSD_KERNEL:
-    case GRUB_FILE_TYPE_XNU_KERNEL:
-    case GRUB_FILE_TYPE_PLAN9_KERNEL:
-      for (i = 0; disabled_mods[i]; i++)
-	if (grub_dl_get (disabled_mods[i]))
-	  {
-	    grub_error (GRUB_ERR_ACCESS_DENIED,
-			N_("cannot boot due to dangerous module in memory: %s"),
-			disabled_mods[i]);
-	    return GRUB_ERR_ACCESS_DENIED;
-	  }
-
-      *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
-
-      /* Fall through. */
-
-    default:
-      return GRUB_ERR_NONE;
-    }
-}
-
-static grub_err_t
-shim_lock_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
-{
-  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
-    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
-
-  return GRUB_ERR_NONE;
-}
-
-struct grub_file_verifier shim_lock =
-  {
-    .name = "shim_lock",
-    .init = shim_lock_init,
-    .write = shim_lock_write
-  };
-
-GRUB_MOD_INIT(shim_lock)
-{
-  sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
-  grub_verifier_register (&shim_lock);
-
-  if (!sl)
-    return;
-
-  grub_dl_set_persistent (mod);
-}
-
-GRUB_MOD_FINI(shim_lock)
-{
-  grub_verifier_unregister (&shim_lock);
-}
--- a/grub-core/commands/efi/smbios.c
+++ b/grub-core/commands/efi/smbios.c
@ -0,0 +1,37 @@
+/* smbios.c - get smbios tables. */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2019  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/smbios.h>
+#include <grub/efi/efi.h>
+
+struct grub_smbios_eps *
+grub_machine_smbios_get_eps (void)
+{
+  static grub_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;
+
+  return (struct grub_smbios_eps *) grub_efi_find_configuration_table (&smbios_guid);
+}
+
+struct grub_smbios_eps3 *
+grub_machine_smbios_get_eps3 (void)
+{
+  static grub_guid_t smbios3_guid = GRUB_EFI_SMBIOS3_TABLE_GUID;
+
+  return (struct grub_smbios_eps3 *) grub_efi_find_configuration_table (&smbios3_guid);
+}
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@ -22,6 +22,7 @@
 #include <grub/i18n.h>
 #include <grub/efi/api.h>
 #include <grub/efi/efi.h>
+#include <grub/efi/cc.h>
 #include <grub/efi/tpm.h>
 #include <grub/mm.h>
 #include <grub/tpm.h>
@ -29,8 +30,9 @@

 typedef TCG_PCR_EVENT grub_tpm_event_t;

-static grub_efi_guid_t tpm_guid = EFI_TPM_GUID;
-static grub_efi_guid_t tpm2_guid = EFI_TPM2_GUID;
+static grub_guid_t tpm_guid = EFI_TPM_GUID;
+static grub_guid_t tpm2_guid = EFI_TPM2_GUID;
+static grub_guid_t cc_measurement_guid = GRUB_EFI_CC_MEASUREMENT_PROTOCOL_GUID;

 static grub_efi_handle_t *grub_tpm_handle;
 static grub_uint8_t grub_tpm_version;
@ -51,14 +53,17 @@ grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)

  caps.Size = (grub_uint8_t) sizeof (caps);

-  status = efi_call_5 (tpm->status_check, tpm, &caps, &flags, &eventlog,
-		       &lastevent);
+  status = tpm->status_check (tpm, &caps, &flags, &eventlog, &lastevent);

  if (status != GRUB_EFI_SUCCESS || caps.TPMDeactivatedFlag
      || !caps.TPMPresentFlag)
-    return tpm1_present = 0;
+    tpm1_present = 0;
+  else
+    tpm1_present = 1;

-  return tpm1_present = 1;
+  grub_dprintf ("tpm", "tpm1%s present\n", tpm1_present ? "" : " NOT");
+
+  return (grub_efi_boolean_t) tpm1_present;
 }

 static grub_efi_boolean_t
@ -72,12 +77,16 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
  if (tpm2_present != -1)
    return (grub_efi_boolean_t) tpm2_present;

-  status = efi_call_2 (tpm->get_capability, tpm, &caps);
+  status = tpm->get_capability (tpm, &caps);

  if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
-    return tpm2_present = 0;
+    tpm2_present = 0;
+  else
+    tpm2_present = 1;

-  return tpm2_present = 1;
+  grub_dprintf ("tpm", "tpm2%s present\n", tpm2_present ? "" : " NOT");
+
+  return (grub_efi_boolean_t) tpm2_present;
 }

 static grub_efi_boolean_t
@ -102,6 +111,7 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
      *tpm_handle = handles[0];
      grub_tpm_version = 1;
      *protocol_version = 1;
+      grub_dprintf ("tpm", "TPM handle Found, version: 1\n");
      return 1;
    }

@ -113,6 +123,7 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
      *tpm_handle = handles[0];
      grub_tpm_version = 2;
      *protocol_version = 2;
+      grub_dprintf ("tpm", "TPM handle Found, version: 2\n");
      return 1;
    }

@ -120,102 +131,25 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
 }

 static grub_err_t
-grub_tpm1_execute (grub_efi_handle_t tpm_handle,
-                   PassThroughToTPM_InputParamBlock *inbuf,
-                   PassThroughToTPM_OutputParamBlock *outbuf)
+grub_efi_log_event_status (grub_efi_status_t status)
 {
-  grub_efi_status_t status;
-  grub_efi_tpm_protocol_t *tpm;
-  grub_uint32_t inhdrsize = sizeof (*inbuf) - sizeof (inbuf->TPMOperandIn);
-  grub_uint32_t outhdrsize =
-    sizeof (*outbuf) - sizeof (outbuf->TPMOperandOut);
-
-  tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
-				GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
-
-  if (!grub_tpm1_present (tpm))
-    return 0;
-
-  /* UEFI TPM protocol takes the raw operand block, no param block header. */
-  status = efi_call_5 (tpm->pass_through_to_tpm, tpm,
-		       inbuf->IPBLength - inhdrsize, inbuf->TPMOperandIn,
-		       outbuf->OPBLength - outhdrsize, outbuf->TPMOperandOut);
-
  switch (status)
    {
    case GRUB_EFI_SUCCESS:
-      return 0;
+      return GRUB_ERR_NONE;
    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
+      return grub_error (GRUB_ERR_IO, N_("command failed"));
    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
+      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid parameter"));
    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
+      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("output buffer too small"));
    case GRUB_EFI_NOT_FOUND:
      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
+      return grub_error (grub_is_tpm_fail_fatal () ? GRUB_ERR_UNKNOWN_DEVICE : GRUB_ERR_NONE, N_("unknown TPM error"));
    }
 }

-static grub_err_t
-grub_tpm2_execute (grub_efi_handle_t tpm_handle,
-                   PassThroughToTPM_InputParamBlock *inbuf,
-                   PassThroughToTPM_OutputParamBlock *outbuf)
-{
-  grub_efi_status_t status;
-  grub_efi_tpm2_protocol_t *tpm;
-  grub_uint32_t inhdrsize = sizeof (*inbuf) - sizeof (inbuf->TPMOperandIn);
-  grub_uint32_t outhdrsize =
-    sizeof (*outbuf) - sizeof (outbuf->TPMOperandOut);
-
-  tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
-				GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
-
-  if (!grub_tpm2_present (tpm))
-    return 0;
-
-  /* UEFI TPM protocol takes the raw operand block, no param block header. */
-  status = efi_call_5 (tpm->submit_command, tpm,
-		       inbuf->IPBLength - inhdrsize, inbuf->TPMOperandIn,
-		       outbuf->OPBLength - outhdrsize, outbuf->TPMOperandOut);
-
-  switch (status)
-    {
-    case GRUB_EFI_SUCCESS:
-      return 0;
-    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
-    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
-    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
-    case GRUB_EFI_NOT_FOUND:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
-    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
-    }
-}
-
-grub_err_t
-grub_tpm_execute (PassThroughToTPM_InputParamBlock *inbuf,
-		  PassThroughToTPM_OutputParamBlock *outbuf)
-{
-  grub_efi_handle_t tpm_handle;
-  grub_uint8_t protocol_version;
-
-  /* Absence of a TPM isn't a failure. */
-  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
-    return 0;
-
-  if (protocol_version == 1)
-    return grub_tpm1_execute (tpm_handle, inbuf, outbuf);
-  else
-    return grub_tpm2_execute (tpm_handle, inbuf, outbuf);
-}
-
 static grub_err_t
 grub_tpm1_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
 		     grub_size_t size, grub_uint8_t pcr,
@ -242,28 +176,14 @@ grub_tpm1_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
  event->PCRIndex = pcr;
  event->EventType = EV_IPL;
  event->EventSize = grub_strlen (description) + 1;
-  grub_memcpy (event->Event, description, event->EventSize);
+  grub_strcpy ((char *) event->Event, description);

  algorithm = TCG_ALG_SHA;
-  status = efi_call_7 (tpm->log_extend_event, tpm, (grub_addr_t) buf, (grub_uint64_t) size,
+  status = tpm->log_extend_event (tpm, (grub_addr_t) buf, (grub_uint64_t) size,
 				  algorithm, event, &eventnum, &lastevent);
+  grub_free (event);

-  switch (status)
-    {
-    case GRUB_EFI_SUCCESS:
-      return 0;
-    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
-    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
-    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
-    case GRUB_EFI_NOT_FOUND:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
-    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
-    }
+  return grub_efi_log_event_status (status);
 }

 static grub_err_t
@ -293,41 +213,122 @@ grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
  event->Header.EventType = EV_IPL;
  event->Size =
    sizeof (*event) - sizeof (event->Event) + grub_strlen (description) + 1;
-  grub_memcpy (event->Event, description, grub_strlen (description) + 1);
+  grub_strcpy ((char *) event->Event, description);

-  status = efi_call_5 (tpm->hash_log_extend_event, tpm, 0, (grub_addr_t) buf,
+  status = tpm->hash_log_extend_event (tpm, 0, (grub_addr_t) buf,
 				       (grub_uint64_t) size, event);
+  grub_free (event);

-  switch (status)
-    {
-    case GRUB_EFI_SUCCESS:
-      return 0;
-    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
-    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
-    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
-    case GRUB_EFI_NOT_FOUND:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
-    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
+  return grub_efi_log_event_status (status);
 }
+
+static void
+grub_cc_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		   const char *description)
+{
+  grub_efi_cc_event_t *event;
+  grub_efi_status_t status;
+  grub_efi_cc_protocol_t *cc;
+  grub_efi_cc_mr_index_t mr;
+
+  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
+  if (cc == NULL)
+    return;
+
+  status = cc->map_pcr_to_mr_index (cc, pcr, &mr);
+  if (status != GRUB_EFI_SUCCESS)
+    {
+      grub_efi_log_event_status (status);
+      return;
+    }
+
+  event = grub_zalloc (sizeof (grub_efi_cc_event_t) +
+		       grub_strlen (description) + 1);
+  if (event == NULL)
+    {
+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate CC event buffer"));
+      return;
+    }
+
+  event->Header.HeaderSize = sizeof (grub_efi_cc_event_header_t);
+  event->Header.HeaderVersion = GRUB_EFI_CC_EVENT_HEADER_VERSION;
+  event->Header.MrIndex = mr;
+  event->Header.EventType = EV_IPL;
+  event->Size = sizeof (*event) + grub_strlen (description) + 1;
+  grub_strcpy ((char *) event->Event, description);
+
+  status = cc->hash_log_extend_event (cc, 0,
+				      (grub_efi_physical_address_t)(grub_addr_t) buf,
+				      (grub_efi_uint64_t) size, event);
+  grub_free (event);
+
+  if (status != GRUB_EFI_SUCCESS)
+    grub_efi_log_event_status (status);
 }

 grub_err_t
-grub_tpm_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
 		    const char *description)
 {
  grub_efi_handle_t tpm_handle;
  grub_efi_uint8_t protocol_version;

+  grub_cc_log_event(buf, size, pcr, description);
+
  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
    return 0;

+  grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", %s\n",
+                pcr, size, description);
+
  if (protocol_version == 1)
    return grub_tpm1_log_event (tpm_handle, buf, size, pcr, description);
  else
    return grub_tpm2_log_event (tpm_handle, buf, size, pcr, description);
 }
+
+int
+grub_tpm_present (void)
+{
+  grub_efi_handle_t tpm_handle;
+  grub_efi_uint8_t protocol_version;
+  grub_efi_cc_protocol_t *cc;
+
+  /*
+   * When confidential computing measurement protocol is enabled
+   * we assume the TPM is present.
+   */
+  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
+  if (cc != NULL)
+    return 1;
+
+  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
+    return 0;
+
+  if (protocol_version == 1)
+    {
+      grub_efi_tpm_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
+				    GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+	{
+	  grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+	  return 0;
+	}
+      return grub_tpm1_present (tpm);
+    }
+  else
+    {
+      grub_efi_tpm2_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
+				    GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+	{
+	  grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+	  return 0;
+	}
+      return grub_tpm2_present (tpm);
+    }
+}
--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
@ -19,6 +19,7 @@

 #include <grub/mm.h>
 #include <grub/list.h>
+#include <grub/lockdown.h>
 #include <grub/misc.h>
 #include <grub/extcmd.h>
 #include <grub/script_sh.h>
@ -48,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
    }

  state = grub_arg_list_alloc (ext, argc, args);
+  if (state == NULL)
+    return grub_errno;
+
  if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
    {
      context.state = state;
@ -110,6 +114,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
 				    summary, description, parser, 1);
 }

+static grub_err_t
+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+                      int argc __attribute__ ((unused)),
+                      char **argv __attribute__ ((unused)))
+{
+  return grub_error (GRUB_ERR_ACCESS_DENIED,
+                     N_("%s: the command is not allowed when lockdown is enforced"),
+                     ctxt->extcmd->cmd->name);
+}
+
+grub_extcmd_t
+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
+                               grub_command_flags_t flags, const char *summary,
+                               const char *description,
+                               const struct grub_arg_option *parser)
+{
+  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+    func = grub_extcmd_lockdown;
+
+  return grub_register_extcmd (name, func, flags, summary, description, parser);
+}
+
 void
 grub_unregister_extcmd (grub_extcmd_t ext)
 {
--- a/grub-core/commands/file.c
+++ b/grub-core/commands/file.c
@ -25,10 +25,10 @@
 #include <grub/i18n.h>
 #include <grub/file.h>
 #include <grub/elf.h>
+#include <grub/efi/efi.h>
 #include <grub/xen_file.h>
 #include <grub/efi/pe32.h>
 #include <grub/arm/linux.h>
-#include <grub/arm64/linux.h>
 #include <grub/i386/linux.h>
 #include <grub/xnu.h>
 #include <grub/machoload.h>
@ -134,7 +134,8 @@ enum
  IS_IA_EFI,
  IS_ARM64_EFI,
  IS_ARM_EFI,
-  IS_RISCV_EFI,
+  IS_RISCV32_EFI,
+  IS_RISCV64_EFI,
  IS_HIBERNATED,
  IS_XNU64,
  IS_XNU32,
@ -305,6 +306,8 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)

 	elf = grub_elf_file (file, file->name);

+	if (elf == NULL)
+	  break;
 	if (elf->ehdr.ehdr32.e_type != grub_cpu_to_le16_compile_time (ET_EXEC)
 	    || elf->ehdr.ehdr32.e_ident[EI_DATA] != ELFDATA2LSB)
 	  break;
@ -390,7 +393,7 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
      }
    case IS_ARM_LINUX:
      {
-	struct linux_arm_kernel_header lh;
+	struct linux_arch_kernel_header lh;

 	if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
 	  break;
@ -411,13 +414,24 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
      }
    case IS_ARM64_LINUX:
      {
-	struct linux_arm64_kernel_header lh;
+	struct linux_arch_kernel_header lh;

 	if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
 	  break;

-	if (lh.magic ==
-	    grub_cpu_to_le32_compile_time (GRUB_LINUX_ARM64_MAGIC_SIGNATURE))
+	/*
+	 * The PE/COFF header can be anywhere in the file. Load it from the correct
+	 * offset if it is not where it is expected.
+	 */
+        if ((grub_uint8_t *) &lh + lh.hdr_offset != (grub_uint8_t *) &lh.pe_image_header)
+        {
+          if (grub_file_seek (file, lh.hdr_offset) == (grub_off_t) -1
+              || grub_file_read (file, &lh.pe_image_header, sizeof (struct grub_pe_image_header))
+                 != sizeof (struct grub_pe_image_header))
+            return grub_error (GRUB_ERR_FILE_READ_ERROR, "failed to read COFF image header");
+        }
+
+	if (lh.pe_image_header.coff_header.machine == grub_cpu_to_le16_compile_time (GRUB_PE32_MACHINE_ARM64))
 	  {
 	    ret = 1;
 	    break;
@ -576,7 +590,8 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
    case IS_IA_EFI:
    case IS_ARM64_EFI:
    case IS_ARM_EFI:
-    case IS_RISCV_EFI:
+    case IS_RISCV32_EFI:
+    case IS_RISCV64_EFI:
      {
 	char signature[4];
 	grub_uint32_t pe_offset;
@ -622,13 +637,13 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
 	    && coff_head.machine !=
 	    grub_cpu_to_le16_compile_time (GRUB_PE32_MACHINE_ARMTHUMB_MIXED))
 	  break;
-	if (type == IS_RISCV_EFI
+	if ((type == IS_RISCV32_EFI || type == IS_RISCV64_EFI)
 	    && coff_head.machine !=
 	    grub_cpu_to_le16_compile_time (GRUB_PE32_MACHINE_RISCV64))
          /* TODO: Determine bitness dynamically */
 	  break;
 	if (type == IS_IA_EFI || type == IS_64_EFI || type == IS_ARM64_EFI ||
-	    type == IS_RISCV_EFI)
+	    type == IS_RISCV32_EFI || type == IS_RISCV64_EFI)
 	  {
 	    struct grub_pe64_optional_header o64;
 	    if (grub_file_read (file, &o64, sizeof (o64)) != sizeof (o64))
--- a/grub-core/commands/hashsum.c
+++ b/grub-core/commands/hashsum.c
@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
 	  high = hextoval (*p++);
 	  low = hextoval (*p++);
 	  if (high < 0 || low < 0)
+	    {
+	      grub_free (buf);
 	      return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+	    }
 	  expected[i] = (high << 4) | low;
 	}
      if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
+	{
+	  grub_free (buf);
 	  return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+	}
      p += 2;
      if (prefix)
 	{
@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,

 	  filename = grub_xasprintf ("%s/%s", prefix, p);
 	  if (!filename)
+	    {
+	      grub_free (buf);
 	      return grub_errno;
+	    }
 	  file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
 				 | (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
 				    : GRUB_FILE_TYPE_NONE));
--- a/grub-core/commands/hdparm.c
+++ b/grub-core/commands/hdparm.c
@ -436,7 +436,7 @@ static grub_extcmd_t cmd;

 GRUB_MOD_INIT(hdparm)
 {
-  cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
+  cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
 				       N_("[OPTIONS] DISK"),
 				       N_("Get/set ATA disk parameters."), options);
 }
--- a/grub-core/commands/help.c
+++ b/grub-core/commands/help.c
@ -135,6 +135,8 @@ grub_cmd_help (grub_extcmd_context_t ctxt __attribute__ ((unused)), int argc,
 	}
    }

+  grub_printf ("\n\nTo enable less(1)-like paging, \"set pager=1\".\n");
+
  return 0;
 }

--- a/grub-core/commands/hexdump.c
+++ b/grub-core/commands/hexdump.c
@ -24,6 +24,7 @@
 #include <grub/lib/hexdump.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -51,7 +52,11 @@ grub_cmd_hexdump (grub_extcmd_context_t ctxt, int argc, char **args)
  length = (state[1].set) ? grub_strtoul (state[1].arg, 0, 0) : 256;

  if (!grub_strcmp (args[0], "(mem)"))
+    {
+      if (grub_is_lockdown() == GRUB_LOCKDOWN_ENABLED)
+        return grub_error (GRUB_ERR_ACCESS_DENIED, N_("memory reading is disabled in lockdown mode"));
      hexdump (skip, (char *) (grub_addr_t) skip, length);
+    }
  else if ((args[0][0] == '(') && (args[0][namelen - 1] == ')'))
    {
      grub_disk_t disk;
--- a/grub-core/commands/i386/cmostest.c
+++ b/grub-core/commands/i386/cmostest.c
@ -27,7 +27,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
 static grub_err_t
 parse_args (int argc, char *argv[], int *byte, int *bit)
 {
-  char *rest;
+  const char *rest;

  if (argc != 1)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, "address required");
@ -104,13 +104,13 @@ static grub_command_t cmd, cmd_clean, cmd_set;

 GRUB_MOD_INIT(cmostest)
 {
-  cmd = grub_register_command ("cmostest", grub_cmd_cmostest,
+  cmd = grub_register_command_lockdown ("cmostest", grub_cmd_cmostest,
 			       N_("BYTE:BIT"),
 			       N_("Test bit at BYTE:BIT in CMOS."));
-  cmd_clean = grub_register_command ("cmosclean", grub_cmd_cmosclean,
+  cmd_clean = grub_register_command_lockdown ("cmosclean", grub_cmd_cmosclean,
 				     N_("BYTE:BIT"),
 				     N_("Clear bit at BYTE:BIT in CMOS."));
-  cmd_set = grub_register_command ("cmosset", grub_cmd_cmosset,
+  cmd_set = grub_register_command_lockdown ("cmosset", grub_cmd_cmosset,
 				   N_("BYTE:BIT"),
 				   /* TRANSLATORS: A bit may be either set (1) or clear (0).  */
 				   N_("Set bit at BYTE:BIT in CMOS."));
--- a/grub-core/commands/i386/pc/drivemap.c
+++ b/grub-core/commands/i386/pc/drivemap.c
@ -31,9 +31,6 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-/* Real mode IVT slot (seg:off far pointer) for interrupt 0x13.  */
-static grub_uint32_t *const int13slot = (grub_uint32_t *) (4 * 0x13);
-
 /* Remember to update enum opt_idxs accordingly.  */
 static const struct grub_arg_option options[] = {
  /* TRANSLATORS: In this file "mapping" refers to a change GRUB makes so if
@ -280,6 +277,8 @@ install_int13_handler (int noret __attribute__ ((unused)))
  grub_uint8_t *handler_base = 0;
  /* Address of the map within the deployed bundle.  */
  int13map_node_t *handler_map;
+  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
+  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);

  int i;
  int entries = 0;
@ -354,6 +353,9 @@ install_int13_handler (int noret __attribute__ ((unused)))
 static grub_err_t
 uninstall_int13_handler (void)
 {
+  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
+  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);
+
  if (! grub_drivemap_oldhandler)
    return GRUB_ERR_NONE;

--- a/grub-core/commands/i386/pc/play.c
+++ b/grub-core/commands/i386/pc/play.c
@ -132,7 +132,7 @@ grub_cmd_play (grub_command_t cmd __attribute__ ((unused)),
    }
  else
    {
-      char *end;
+      const char *end;
      unsigned tempo;
      struct note note;
      int i;
--- a/grub-core/commands/i386/pc/sendkey.c
+++ b/grub-core/commands/i386/pc/sendkey.c
@ -216,12 +216,12 @@ static grub_err_t
 grub_sendkey_postboot (void)
 {
  /* For convention: pointer to flags.  */
-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
+  grub_uint32_t *flags = grub_absolute_pointer (0x417);

  *flags = oldflags;

-  *((char *) 0x41a) = 0x1e;
-  *((char *) 0x41c) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41c)) = 0x1e;

  return GRUB_ERR_NONE;
 }
@ -231,13 +231,13 @@ static grub_err_t
 grub_sendkey_preboot (int noret __attribute__ ((unused)))
 {
  /* For convention: pointer to flags.  */
-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
+  grub_uint32_t *flags = grub_absolute_pointer (0x417);

  oldflags = *flags;

  /* Set the sendkey.  */
-  *((char *) 0x41a) = 0x1e;
-  *((char *) 0x41c) = keylen + 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41c)) = keylen + 0x1e;
  grub_memcpy ((char *) 0x41e, sendkey, 0x20);

  /* Transform "any ctrl" to "right ctrl" flag.  */
--- a/grub-core/commands/i386/pc/smbios.c
+++ b/grub-core/commands/i386/pc/smbios.c
@ -0,0 +1,52 @@
+/* smbios.c - get smbios tables. */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2019  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/acpi.h>
+#include <grub/smbios.h>
+#include <grub/misc.h>
+
+struct grub_smbios_eps *
+grub_machine_smbios_get_eps (void)
+{
+  grub_uint8_t *ptr;
+
+  grub_dprintf ("smbios", "Looking for SMBIOS EPS. Scanning BIOS\n");
+
+  for (ptr = (grub_uint8_t *) 0xf0000; ptr < (grub_uint8_t *) 0x100000; ptr += 16)
+    if (grub_memcmp (ptr, "_SM_", 4) == 0
+	&& grub_byte_checksum (ptr, sizeof (struct grub_smbios_eps)) == 0)
+      return (struct grub_smbios_eps *) ptr;
+
+  return 0;
+}
+
+struct grub_smbios_eps3 *
+grub_machine_smbios_get_eps3 (void)
+{
+  grub_uint8_t *ptr;
+
+  grub_dprintf ("smbios", "Looking for SMBIOS3 EPS. Scanning BIOS\n");
+
+  for (ptr = (grub_uint8_t *) 0xf0000; ptr < (grub_uint8_t *) 0x100000; ptr += 16)
+    if (grub_memcmp (ptr, "_SM3_", 5) == 0
+	&& grub_byte_checksum (ptr, sizeof (struct grub_smbios_eps3)) == 0)
+      return (struct grub_smbios_eps3 *) ptr;
+
+  return 0;
+}
--- a/grub-core/commands/i386/rdmsr.c
+++ b/grub-core/commands/i386/rdmsr.c
@ -26,7 +26,7 @@
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
 #include <grub/i386/cpuid.h>
-#include <grub/i386/rdmsr.h>
+#include <grub/i386/msr.h>

 GRUB_MOD_LICENSE("GPLv3+");

@ -42,27 +42,16 @@ static const struct grub_arg_option options[] =
 static grub_err_t
 grub_cmd_msr_read (grub_extcmd_context_t ctxt, int argc, char **argv)
 {
-  grub_uint32_t manufacturer[3], max_cpuid, a, b, c, features, addr;
+  grub_err_t err;
+  grub_uint32_t addr;
  grub_uint64_t value;
-  char *ptr;
+  const char *ptr;
  char buf[sizeof("1122334455667788")];

-  /*
-   * The CPUID instruction should be used to determine whether MSRs
-   * are supported. (CPUID.01H:EDX[5] = 1)
-   */
-  if (! grub_cpu_is_cpuid_supported ())
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  err = grub_cpu_is_msr_supported ();

-  grub_cpuid (0, max_cpuid, manufacturer[0], manufacturer[2], manufacturer[1]);
-
-  if (max_cpuid < 1)
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
-
-  grub_cpuid (1, a, b, c, features);
-
-  if (!(features & (1 << 5)))
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  if (err != GRUB_ERR_NONE)
+    return grub_error (err, N_("RDMSR is unsupported"));

  if (argc != 1)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
@ -76,7 +65,7 @@ grub_cmd_msr_read (grub_extcmd_context_t ctxt, int argc, char **argv)
  if (*ptr != '\0')
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid argument"));

-  value = grub_msr_read (addr);
+  value = grub_rdmsr (addr);

  if (ctxt->state[0].set)
    {
--- a/grub-core/commands/i386/wrmsr.c
+++ b/grub-core/commands/i386/wrmsr.c
@ -24,9 +24,10 @@
 #include <grub/env.h>
 #include <grub/command.h>
 #include <grub/extcmd.h>
+#include <grub/lockdown.h>
 #include <grub/i18n.h>
 #include <grub/i386/cpuid.h>
-#include <grub/i386/wrmsr.h>
+#include <grub/i386/msr.h>

 GRUB_MOD_LICENSE("GPLv3+");

@ -35,26 +36,15 @@ static grub_command_t cmd_write;
 static grub_err_t
 grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char **argv)
 {
-  grub_uint32_t manufacturer[3], max_cpuid, a, b, c, features, addr;
+  grub_err_t err;
+  grub_uint32_t addr;
  grub_uint64_t value;
-  char *ptr;
+  const char *ptr;

-  /*
-   * The CPUID instruction should be used to determine whether MSRs
-   * are supported. (CPUID.01H:EDX[5] = 1)
-   */
-  if (!grub_cpu_is_cpuid_supported ())
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  err = grub_cpu_is_msr_supported ();

-  grub_cpuid (0, max_cpuid, manufacturer[0], manufacturer[2], manufacturer[1]);
-
-  if (max_cpuid < 1)
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
-
-  grub_cpuid (1, a, b, c, features);
-
-  if (!(features & (1 << 5)))
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  if (err != GRUB_ERR_NONE)
+    return grub_error (err, N_("WRMSR is unsupported"));

  if (argc != 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
@ -76,14 +66,14 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
  if (*ptr != '\0')
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid argument"));

-  grub_msr_write (addr, value);
+  grub_wrmsr (addr, value);

  return GRUB_ERR_NONE;
 }

 GRUB_MOD_INIT(wrmsr)
 {
-  cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+  cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
                                              N_("Write a value to a CPU model specific register."));
 }

--- a/grub-core/commands/ieee1275/ibmvtpm.c
+++ b/grub-core/commands/ieee1275/ibmvtpm.c
@ -0,0 +1,117 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022  Free Software Foundation, Inc.
+ *  Copyright (C) 2022  IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  IBM vTPM support code.
+ */
+
+#include <grub/err.h>
+#include <grub/types.h>
+#include <grub/tpm.h>
+#include <grub/ieee1275/ieee1275.h>
+#include <grub/ieee1275/tpm.h>
+#include <grub/mm.h>
+#include <grub/misc.h>
+
+static int
+ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
+		       grub_uint32_t eventtype,
+		       const char *description,
+		       grub_size_t description_size,
+		       void *buf, grub_size_t size)
+{
+  struct tpm_2hash_ext_log
+  {
+    struct grub_ieee1275_common_hdr common;
+    grub_ieee1275_cell_t method;
+    grub_ieee1275_cell_t ihandle;
+    grub_ieee1275_cell_t size;
+    grub_ieee1275_cell_t buf;
+    grub_ieee1275_cell_t description_size;
+    grub_ieee1275_cell_t description;
+    grub_ieee1275_cell_t eventtype;
+    grub_ieee1275_cell_t pcrindex;
+    grub_ieee1275_cell_t catch_result;
+    grub_ieee1275_cell_t rc;
+  };
+  struct tpm_2hash_ext_log args;
+
+  INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
+  args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
+  args.ihandle = grub_ieee1275_tpm_ihandle;
+  args.pcrindex = pcrindex;
+  args.eventtype = eventtype;
+  args.description = (grub_ieee1275_cell_t) description;
+  args.description_size = description_size;
+  args.buf = (grub_ieee1275_cell_t) buf;
+  args.size = (grub_ieee1275_cell_t) size;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+    return -1;
+
+  /*
+   * catch_result is set if firmware does not support 2hash-ext-log
+   * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
+   */
+  if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
+    return -1;
+
+  return 0;
+}
+
+static grub_err_t
+tpm2_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		const char *description)
+{
+  static int error_displayed = 0;
+  int rc;
+
+  rc = ibmvtpm_2hash_ext_log (pcr, EV_IPL,
+			      description, grub_strlen(description) + 1,
+			      buf, size);
+  if (rc && !error_displayed)
+    {
+      error_displayed++;
+      return grub_error (GRUB_ERR_BAD_DEVICE,
+			 "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		  const char *description)
+{
+  grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", %s\n",
+		pcr, size, description);
+
+  if (grub_ieee1275_tpm_ihandle != GRUB_IEEE1275_IHANDLE_INVALID)
+    return tpm2_log_event (buf, size, pcr, description);
+
+  return GRUB_ERR_NONE;
+}
+
+int
+grub_tpm_present (void)
+{
+  /*
+   * Call tpm_init() "late" rather than from GRUB_MOD_INIT() so that device nodes
+   * can be found.
+   */
+  return grub_ieee1275_tpm_init() == GRUB_ERR_NONE;
+}
--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
@ -23,6 +23,7 @@
 #include <grub/env.h>
 #include <grub/cpu/io.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -131,15 +132,15 @@ GRUB_MOD_INIT(memrw)
 			  N_("PORT"), N_("Read 32-bit value from PORT."),
 			  options);
  cmd_write_byte =
-    grub_register_command ("outb", grub_cmd_write,
+    grub_register_command_lockdown ("outb", grub_cmd_write,
                                    N_("PORT VALUE [MASK]"),
                                    N_("Write 8-bit VALUE to PORT."));
  cmd_write_word =
-    grub_register_command ("outw", grub_cmd_write,
+    grub_register_command_lockdown ("outw", grub_cmd_write,
                                    N_("PORT VALUE [MASK]"),
                                    N_("Write 16-bit VALUE to PORT."));
  cmd_write_dword =
-    grub_register_command ("outl", grub_cmd_write,
+    grub_register_command_lockdown ("outl", grub_cmd_write,
                                    N_("ADDR VALUE [MASK]"),
                                    N_("Write 32-bit VALUE to PORT."));
 }
--- a/grub-core/commands/keystatus.c
+++ b/grub-core/commands/keystatus.c
@ -35,24 +35,6 @@ static const struct grub_arg_option options[] =
    {0, 0, 0, 0, 0, 0}
  };

-static int
-grub_getkeystatus (void)
-{
-  int status = 0;
-  grub_term_input_t term;
-
-  if (grub_term_poll_usb)
-    grub_term_poll_usb (0);
-
-  FOR_ACTIVE_TERM_INPUTS(term)
-  {
-    if (term->getkeystatus)
-      status |= term->getkeystatus (term);
-  }
-
-  return status;
-}
-
 static grub_err_t
 grub_cmd_keystatus (grub_extcmd_context_t ctxt,
 		    int argc __attribute__ ((unused)),
--- a/grub-core/commands/legacycfg.c
+++ b/grub-core/commands/legacycfg.c
@ -32,6 +32,7 @@
 #include <grub/auth.h>
 #include <grub/disk.h>
 #include <grub/partition.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -104,13 +105,22 @@ legacy_file (const char *filename)
 	if (newsuffix)
 	  {
 	    char *t;
+	    grub_size_t sz;
+
+	    if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
+		grub_add (sz, 1, &sz))
+	      {
+		grub_errno = GRUB_ERR_OUT_OF_RANGE;
+		goto fail_0;
+	      }

 	    t = suffix;
-	    suffix = grub_realloc (suffix, grub_strlen (suffix)
-				   + grub_strlen (newsuffix) + 1);
+	    suffix = grub_realloc (suffix, sz);
 	    if (!suffix)
 	      {
 		grub_free (t);
+
+ fail_0:
 		grub_free (entrysrc);
 		grub_free (parsed);
 		grub_free (newsuffix);
@ -154,13 +164,22 @@ legacy_file (const char *filename)
 	  else
 	    {
 	      char *t;
+	      grub_size_t sz;
+
+	      if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
+		  grub_add (sz, 1, &sz))
+		{
+		  grub_errno = GRUB_ERR_OUT_OF_RANGE;
+		  goto fail_1;
+		}

 	      t = entrysrc;
-	      entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
-				       + grub_strlen (parsed) + 1);
+	      entrysrc = grub_realloc (entrysrc, sz);
 	      if (!entrysrc)
 		{
 		  grub_free (t);
+
+ fail_1:
 		  grub_free (parsed);
 		  grub_free (suffix);
 		  return grub_errno;
@ -179,7 +198,6 @@ legacy_file (const char *filename)
      const char **args = grub_malloc (sizeof (args[0]));
      if (!args)
 	{
-	  grub_file_close (file);
 	  grub_free (suffix);
 	  grub_free (entrysrc);
 	  return grub_errno;
@ -314,7 +332,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
  if (argc < 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

-  cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
+  cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
  if (!cutargs)
    return grub_errno;
  cutargc = argc - 1;
@ -436,7 +454,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
 	    {
 	      char rbuf[3] = "-r";
 	      bsdargc = cutargc + 2;
-	      bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
+	      bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
 	      if (!bsdargs)
 		{
 		  err = grub_errno;
@ -559,7 +577,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
 			   "module");

-      newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
+      newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
      if (!newargs)
 	return grub_errno;
      grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));
--- a/grub-core/commands/loadenv.c
+++ b/grub-core/commands/loadenv.c
@ -352,16 +352,16 @@ struct grub_cmd_save_env_ctx
 };

 /* Store blocklists in a linked list.  */
-static void
+static grub_err_t
 save_env_read_hook (grub_disk_addr_t sector, unsigned offset, unsigned length,
-		    void *data)
+		    char *buf __attribute__ ((unused)), void *data)
 {
  struct grub_cmd_save_env_ctx *ctx = data;
  struct blocklist *block;

  block = grub_malloc (sizeof (*block));
  if (! block)
-    return;
+    return GRUB_ERR_NONE;

  block->sector = sector;
  block->offset = offset;
@ -374,6 +374,8 @@ save_env_read_hook (grub_disk_addr_t sector, unsigned offset, unsigned length,
  ctx->tail = block;
  if (! ctx->head)
    ctx->head = block;
+
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/ls.c
+++ b/grub-core/commands/ls.c
@ -87,37 +87,44 @@ grub_ls_list_devices (int longlist)
 struct grub_ls_list_files_ctx
 {
  char *dirname;
+  char *filename;
  int all;
  int human;
+  int longlist;
+  int print_dirhdr;
 };

 /* Helper for grub_ls_list_files.  */
 static int
-print_files (const char *filename, const struct grub_dirhook_info *info,
-	     void *data)
-{
-  struct grub_ls_list_files_ctx *ctx = data;
-
-  if (ctx->all || filename[0] != '.')
-    grub_printf ("%s%s ", filename, info->dir ? "/" : "");
-
-  return 0;
-}
-
-/* Helper for grub_ls_list_files.  */
-static int
-print_files_long (const char *filename, const struct grub_dirhook_info *info,
+print_file (const char *filename, const struct grub_dirhook_info *info,
 		  void *data)
 {
+  char *pathname = NULL;
  struct grub_ls_list_files_ctx *ctx = data;

  if ((! ctx->all) && (filename[0] == '.'))
    return 0;

+  if ((ctx->filename != NULL) && (grub_strcmp (filename, ctx->filename) != 0))
+    return 0;
+
+  if (ctx->print_dirhdr)
+    {
+      grub_printf ("%s:\n", ctx->dirname);
+      ctx->print_dirhdr = 0;
+    }
+
+  if (! ctx->longlist)
+    {
+      if (ctx->filename != NULL)
+	grub_xputs (ctx->dirname);
+      grub_printf ("%s%s ", filename, info->dir ? "/" : "");
+      return 0;
+    }
+
  if (! info->dir)
    {
      grub_file_t file;
-      char *pathname;

      if (ctx->dirname[grub_strlen (ctx->dirname) - 1] == '/')
 	pathname = grub_xasprintf ("%s%s", ctx->dirname, filename);
@ -131,20 +138,19 @@ print_files_long (const char *filename, const struct grub_dirhook_info *info,
 	 should be reported as directories.  */
      file = grub_file_open (pathname, GRUB_FILE_TYPE_GET_SIZE
 			     | GRUB_FILE_TYPE_NO_DECOMPRESS);
-      if (! file)
+      if (file)
 	{
-	  grub_errno = 0;
-	  grub_free (pathname);
-	  return 0;
-	}
-
 	  if (! ctx->human)
 	    grub_printf ("%-12llu", (unsigned long long) file->size);
 	  else
 	    grub_printf ("%-12s", grub_get_human_size (file->size,
 						   GRUB_HUMAN_SIZE_SHORT));
 	  grub_file_close (file);
-      grub_free (pathname);
+	}
+      else
+	grub_xputs ("????????????");
+
+      grub_errno = GRUB_ERR_NONE;
    }
  else
    grub_printf ("%-12s", _("DIR"));
@ -165,13 +171,22 @@ print_files_long (const char *filename, const struct grub_dirhook_info *info,
 		     datetime.day, datetime.hour,
 		     datetime.minute, datetime.second);
    }
-  grub_printf ("%s%s\n", filename, info->dir ? "/" : "");
+  /*
+   * Only print the full path when listing a file path given as an argument
+   * to ls, i.e. when ctx->filename != NULL. File listings that are printed
+   * due to showing the contents of a directory do not need a full path because
+   * the full path to the directory will have already been printed.
+   */
+  grub_printf ("%s%s\n", (ctx->filename != NULL) ? pathname : filename,
+			 info->dir ? "/" : "");
+
+  grub_free (pathname);

  return 0;
 }

 static grub_err_t
-grub_ls_list_files (char *dirname, int longlist, int all, int human)
+grub_ls_list_files (char *dirname, int longlist, int all, int human, int dirhdr)
 {
  char *device_name;
  grub_fs_t fs;
@ -196,7 +211,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
      goto fail;
    }

-  if (! *path)
+  if (! *path && device_name)
    {
      if (grub_errno == GRUB_ERR_UNKNOWN_FS)
 	grub_errno = GRUB_ERR_NONE;
@ -216,44 +231,38 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
    {
      struct grub_ls_list_files_ctx ctx = {
 	.dirname = dirname,
+	.filename = NULL,
 	.all = all,
-	.human = human
+	.human = human,
+	.longlist = longlist,
+	.print_dirhdr = dirhdr
      };

-      if (longlist)
-	(fs->fs_dir) (dev, path, print_files_long, &ctx);
-      else
-	(fs->fs_dir) (dev, path, print_files, &ctx);
+      (fs->fs_dir) (dev, path, print_file, &ctx);

      if (grub_errno == GRUB_ERR_BAD_FILE_TYPE
 	  && path[grub_strlen (path) - 1] != '/')
 	{
+	  /*
+	   * Reset errno as it is currently set, but will cause subsequent code
+	   * to think there is an error.
+	   */
+	  grub_errno = GRUB_ERR_NONE;
+
 	  /* PATH might be a regular file.  */
-	  char *p;
-	  grub_file_t file;
-	  struct grub_dirhook_info info;
-	  grub_errno = 0;
+	  ctx.print_dirhdr = 0;
+	  ctx.filename = grub_strrchr (dirname, '/');
+	  if (ctx.filename == NULL)
+	    goto fail;
+	  ++(ctx.filename);

-	  file = grub_file_open (dirname, GRUB_FILE_TYPE_GET_SIZE
-				 | GRUB_FILE_TYPE_NO_DECOMPRESS);
-	  if (! file)
+	  ctx.dirname = grub_strndup (dirname, ctx.filename - dirname);
+	  if (ctx.dirname == NULL)
 	    goto fail;

-	  grub_file_close (file);
+	  (fs->fs_dir) (dev, ctx.dirname + (path - dirname), print_file, &ctx);

-	  p = grub_strrchr (dirname, '/') + 1;
-	  dirname = grub_strndup (dirname, p - dirname);
-	  if (! dirname)
-	    goto fail;
-
-	  all = 1;
-	  grub_memset (&info, 0, sizeof (info));
-	  if (longlist)
-	    print_files_long (p, &info, &ctx);
-	  else
-	    print_files (p, &info, &ctx);
-
-	  grub_free (dirname);
+	  grub_free (ctx.dirname);
 	}

      if (grub_errno == GRUB_ERR_NONE)
@ -268,7 +277,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)

  grub_free (device_name);

-  return 0;
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
@ -281,10 +290,10 @@ grub_cmd_ls (grub_extcmd_context_t ctxt, int argc, char **args)
    grub_ls_list_devices (state[0].set);
  else
    for (i = 0; i < argc; i++)
-      grub_ls_list_files (args[i], state[0].set, state[2].set,
-			  state[1].set);
+      grub_ls_list_files (args[i], state[0].set, state[2].set, state[1].set,
+			  argc > 1);

-  return 0;
+  return GRUB_ERR_NONE;
 }

 static grub_extcmd_t cmd;
--- a/grub-core/commands/macbless.c
+++ b/grub-core/commands/macbless.c
@ -220,12 +220,10 @@ GRUB_MOD_INIT(macbless)
 {
  cmd = grub_register_command ("mactelbless", grub_cmd_macbless,
 			       N_("FILE"),
-			       N_
-			       ("Bless FILE of HFS or HFS+ partition for intel macs."));
+			       N_("Bless FILE of HFS or HFS+ partition for intel macs."));
  cmd_ppc =
    grub_register_command ("macppcbless", grub_cmd_macbless, N_("DIR"),
-			   N_
-			   ("Bless DIR of HFS or HFS+ partition for PPC macs."));
+			   N_("Bless DIR of HFS or HFS+ partition for PPC macs."));
 }

 GRUB_MOD_FINI(macbless)
--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@ -22,6 +22,7 @@
 #include <grub/extcmd.h>
 #include <grub/env.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -121,27 +122,30 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
 GRUB_MOD_INIT(memrw)
 {
  cmd_read_byte =
-    grub_register_extcmd ("read_byte", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
+    grub_register_extcmd_lockdown ("read_byte", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 8-bit value from ADDR."),
                                   options);
  cmd_read_word =
-    grub_register_extcmd ("read_word", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 16-bit value from ADDR."),
+    grub_register_extcmd_lockdown ("read_word", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 16-bit value from ADDR."),
                                   options);
  cmd_read_dword =
-    grub_register_extcmd ("read_dword", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 32-bit value from ADDR."),
+    grub_register_extcmd_lockdown ("read_dword", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 32-bit value from ADDR."),
                                   options);
  cmd_write_byte =
-    grub_register_command ("write_byte", grub_cmd_write,
+    grub_register_command_lockdown ("write_byte", grub_cmd_write,
                                    N_("ADDR VALUE [MASK]"),
                                    N_("Write 8-bit VALUE to ADDR."));
  cmd_write_word =
-    grub_register_command ("write_word", grub_cmd_write,
+    grub_register_command_lockdown ("write_word", grub_cmd_write,
                                    N_("ADDR VALUE [MASK]"),
                                    N_("Write 16-bit VALUE to ADDR."));
  cmd_write_dword =
-    grub_register_command ("write_dword", grub_cmd_write,
+    grub_register_command_lockdown ("write_dword", grub_cmd_write,
                                    N_("ADDR VALUE [MASK]"),
                                    N_("Write 32-bit VALUE to ADDR."));
 }
--- a/grub-core/commands/memtools.c
+++ b/grub-core/commands/memtools.c
@ -0,0 +1,152 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Free Software Foundation, Inc.
+ *  Copyright (C) 2022 IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/command.h>
+#include <grub/i18n.h>
+#include <grub/memory.h>
+#include <grub/mm.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static grub_err_t
+grub_cmd_lsmem (grub_command_t cmd __attribute__ ((unused)),
+		 int argc __attribute__ ((unused)),
+		 char **args __attribute__ ((unused)))
+
+{
+#ifndef GRUB_MACHINE_EMU
+  grub_mm_dump (0);
+#endif
+
+  return 0;
+}
+
+static grub_err_t
+grub_cmd_lsfreemem (grub_command_t cmd __attribute__ ((unused)),
+		    int argc __attribute__ ((unused)),
+		    char **args __attribute__ ((unused)))
+
+{
+#ifndef GRUB_MACHINE_EMU
+  grub_mm_dump_free ();
+#endif
+
+  return 0;
+}
+
+
+static grub_err_t
+grub_cmd_stress_big_allocs (grub_command_t cmd __attribute__ ((unused)),
+			    int argc __attribute__ ((unused)),
+			    char **args __attribute__ ((unused)))
+{
+  int i, max_mb, blocks_alloced;
+  void *mem;
+  void **blocklist;
+
+  grub_printf ("Test 1: increasingly sized allocs to 1GB block\n");
+  for (i = 1; i < 1024; i++)
+    {
+      grub_printf ("%4d MB . ", i);
+      mem = grub_malloc (i * 1024 * 1024);
+      if (mem == NULL)
+	{
+	  grub_printf ("failed\n");
+	  break;
+	}
+      else
+	grub_free (mem);
+
+      if (i % 7 == 0)
+	grub_printf ("\n");
+    }
+
+  max_mb = i - 1;
+  grub_printf ("\nMax sized allocation we did was %d MB\n", max_mb);
+
+  grub_printf ("\nTest 2: 1MB at a time, max 4GB\n");
+  blocklist = grub_calloc (4096, sizeof (void *));
+  for (i = 0; i < 4096; i++)
+    {
+      blocklist[i] = grub_malloc (1024 * 1024);
+      if (blocklist[i] == NULL)
+	{
+	  grub_printf ("Ran out of memory at iteration %d\n", i);
+	  break;
+	}
+    }
+  blocks_alloced = i;
+  for (i = 0; i < blocks_alloced; i++)
+    grub_free (blocklist[i]);
+
+  grub_printf ("\nTest 3: 1MB aligned 900kB + 100kB\n");
+  /* grub_mm_debug=1;*/
+  for (i = 0; i < 4096; i += 2)
+    {
+      blocklist[i] = grub_memalign (1024 * 1024, 900 * 1024);
+      if (blocklist[i] == NULL)
+	{
+	  grub_printf ("Failed big allocation, iteration %d\n", i);
+	  blocks_alloced = i;
+	  break;
+	}
+
+      blocklist[i + 1] = grub_malloc (100 * 1024);
+      if (blocklist[i + 1] == NULL)
+	{
+	  grub_printf ("Failed small allocation, iteration %d\n", i);
+	  blocks_alloced = i + 1;
+	  break;
+	}
+      grub_printf (".");
+    }
+  for (i = 0; i < blocks_alloced; i++)
+    grub_free (blocklist[i]);
+
+  grub_free (blocklist);
+
+#if defined(__powerpc__)
+  grub_printf ("\nA reboot may now be required.\n");
+#endif
+
+  grub_errno = GRUB_ERR_NONE;
+  return GRUB_ERR_NONE;
+}
+
+static grub_command_t cmd_lsmem, cmd_lsfreemem, cmd_sba;
+
+GRUB_MOD_INIT (memtools)
+{
+  cmd_lsmem = grub_register_command ("lsmem", grub_cmd_lsmem,
+				     0, N_("List free and allocated memory blocks."));
+  cmd_lsfreemem = grub_register_command ("lsfreemem", grub_cmd_lsfreemem,
+					 0, N_("List free memory blocks."));
+  cmd_sba = grub_register_command ("stress_big_allocs", grub_cmd_stress_big_allocs,
+				   0, N_("Stress test large allocations."));
+}
+
+GRUB_MOD_FINI (memtools)
+{
+  grub_unregister_command (cmd_lsmem);
+  grub_unregister_command (cmd_lsfreemem);
+  grub_unregister_command (cmd_sba);
+}
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
    goto fail;

  /* Save argc, args to pass as parameters to block arg later. */
-  menu_args = grub_malloc (sizeof (char*) * (argc + 1));
+  menu_args = grub_calloc (argc + 1, sizeof (char *));
  if (! menu_args)
    goto fail;

@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
      len += 3; /* 3 = 1 space + 2 quotes */
      p = args[i];
      while (*p)
-	len += (*p++ == '\'' ? 3 : 1);
+	len += (*p++ == '\'' ? 4 : 1);
    }

  result = grub_malloc (len + 2);
--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
@ -29,6 +29,10 @@
 #include <grub/command.h>
 #include <grub/i18n.h>

+#ifdef GRUB_MACHINE_EFI
+#include <grub/cryptodisk.h>
+#endif
+
 GRUB_MOD_LICENSE ("GPLv3+");

 /* cat FILE */
@ -140,7 +144,10 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
  if (grub_dl_is_persistent (mod))
    return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");

-  if (grub_dl_unref (mod) <= 0)
+  if (grub_dl_ref_count (mod) > 1)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
+
+  grub_dl_unref (mod);
  grub_dl_unload (mod);

  return 0;
@ -164,7 +171,7 @@ grub_mini_cmd_lsmod (struct grub_command *cmd __attribute__ ((unused)),
  {
    grub_dl_dep_t dep;

-    grub_printf ("%s\t%d\t\t", mod->name, mod->ref_count);
+    grub_printf ("%s\t%" PRIuGRUB_UINT64_T "\t\t", mod->name, mod->ref_count);
    for (dep = mod->dep; dep; dep = dep->next)
      {
 	if (dep != mod->dep)
@ -184,6 +191,13 @@ grub_mini_cmd_exit (struct grub_command *cmd __attribute__ ((unused)),
 		    int argc __attribute__ ((unused)),
 		    char *argv[] __attribute__ ((unused)))
 {
+#ifdef GRUB_MACHINE_EFI
+  /*
+   * The "exit" command is often used to launch the next boot application.
+   * So, erase the secrets.
+   */
+  grub_cryptodisk_erasesecrets ();
+#endif
  grub_exit ();
  /* Not reached.  */
 }
@ -200,7 +214,7 @@ GRUB_MOD_INIT(minicmd)
    grub_register_command ("help", grub_mini_cmd_help,
 			   0, N_("Show this message."));
  cmd_dump =
-    grub_register_command ("dump", grub_mini_cmd_dump,
+    grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
 				    N_("ADDR [SIZE]"), N_("Show memory contents."));
  cmd_rmmod =
    grub_register_command ("rmmod", grub_mini_cmd_rmmod,
--- a/grub-core/commands/nativedisk.c
+++ b/grub-core/commands/nativedisk.c
@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
  else
    path_prefix = prefix;

-  mods = grub_malloc (argc * sizeof (mods[0]));
+  mods = grub_calloc (argc, sizeof (mods[0]));
  if (!mods)
    return grub_errno;

--- a/grub-core/commands/parttool.c
+++ b/grub-core/commands/parttool.c
@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
  for (nargs = 0; args[nargs].name != 0; nargs++);
  cur->nargs = nargs;
  cur->args = (struct grub_parttool_argdesc *)
-    grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
+    grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
+  if (!cur->args)
+    {
+      grub_free (cur);
+      curhandle--;
+      return -1;
+    }
  grub_memcpy (cur->args, args,
 	       (nargs + 1) * sizeof (struct grub_parttool_argdesc));

@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 	return err;
      }

-  parsed = (int *) grub_zalloc (argc * sizeof (int));
+  parsed = (int *) grub_calloc (argc, sizeof (int));

  for (i = 1; i < argc; i++)
    if (! parsed[i])
@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 	  }
 	ptool = cur;
 	pargs = (struct grub_parttool_args *)
-	  grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
+	  grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
 	for (j = i; j < argc; j++)
 	  if (! parsed[j])
 	    {
@ -309,7 +315,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 		    switch (curarg->type)
 		      {
 		      case GRUB_PARTTOOL_ARG_BOOL:
-			pargs[curarg - ptool->args].bool
+			pargs[curarg - ptool->args].b
 			  = (args[j][grub_strlen (curarg->name)] != '-');
 			break;

--- a/grub-core/commands/password_pbkdf2.c
+++ b/grub-core/commands/password_pbkdf2.c
@ -86,7 +86,7 @@ grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
 		   int argc, char **args)
 {
  grub_err_t err;
-  char *ptr, *ptr2;
+  const char *ptr, *ptr2;
  grub_uint8_t *ptro;
  struct pbkdf2_password *pass;

--- a/grub-core/commands/pcidump.c
+++ b/grub-core/commands/pcidump.c
@ -95,7 +95,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
  if (ctxt->state[0].set)
    {
      ptr = ctxt->state[0].arg;
-      ctx.pciid_check_value |= (grub_strtoul (ptr, (char **) &ptr, 16) & 0xffff);
+      ctx.pciid_check_value |= (grub_strtoul (ptr, &ptr, 16) & 0xffff);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -108,8 +108,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
      if (*ptr != ':')
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("missing `%c' symbol"), ':');
      ptr++;
-      ctx.pciid_check_value |= (grub_strtoul (ptr, (char **) &ptr, 16) & 0xffff)
-	<< 16;
+      ctx.pciid_check_value |= (grub_strtoul (ptr, &ptr, 16) & 0xffff) << 16;
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	grub_errno = GRUB_ERR_NONE;
      else
@ -124,7 +123,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,

      ptr = ctxt->state[1].arg;
      optr = ptr;
-      ctx.bus = grub_strtoul (ptr, (char **) &ptr, 16);
+      ctx.bus = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -138,7 +137,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("missing `%c' symbol"), ':');
      ptr++;
      optr = ptr;
-      ctx.device = grub_strtoul (ptr, (char **) &ptr, 16);
+      ctx.device = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -149,7 +148,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
      if (*ptr == '.')
 	{
 	  ptr++;
-	  ctx.function = grub_strtoul (ptr, (char **) &ptr, 16);
+	  ctx.function = grub_strtoul (ptr, &ptr, 16);
 	  if (grub_errno)
 	    return grub_errno;
 	  ctx.check_function = 1;
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@ -633,8 +633,8 @@ grub_verify_signature_real (struct grub_pubkey_context *ctxt,
  if (!sk)
    {
      /* TRANSLATORS: %08x is 32-bit key id.  */
-      grub_error (GRUB_ERR_BAD_SIGNATURE, N_("public key %08x not found"),
-		  keyid);
+      grub_error (GRUB_ERR_BAD_SIGNATURE,
+		  N_("public key %08" PRIxGRUB_UINT64_T " not found"), keyid);
      goto fail;
    }

@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)

 GRUB_MOD_FINI(pgp)
 {
+  grub_register_variable_hook ("check_signatures", NULL, NULL);
+  grub_env_unset ("check_signatures");
  grub_verifier_unregister (&grub_pubkey_verifier);
  grub_unregister_extcmd (cmd);
  grub_unregister_extcmd (cmd_trust);
--- a/grub-core/commands/probe.c
+++ b/grub-core/commands/probe.c
@ -24,6 +24,7 @@
 #include <grub/device.h>
 #include <grub/disk.h>
 #include <grub/partition.h>
+#include <grub/gpt_partition.h>
 #include <grub/net.h>
 #include <grub/fs.h>
 #include <grub/file.h>
@ -31,6 +32,7 @@
 #include <grub/env.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/i386/pc/boot.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -45,6 +47,7 @@ static const struct grub_arg_option options[] =
    {"fs",		'f', 0, N_("Determine filesystem type."), 0, 0},
    {"fs-uuid",		'u', 0, N_("Determine filesystem UUID."), 0, 0},
    {"label",		'l', 0, N_("Determine filesystem label."), 0, 0},
+    {"part-uuid",	0,   0, N_("Determine partition UUID."), 0, 0},
    {0, 0, 0, 0, 0, 0}
  };

@ -98,9 +101,66 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
      grub_device_close (dev);
      return GRUB_ERR_NONE;
    }
+  if (state[6].set)
+    {
+      /* AAAABBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF + null terminator */
+      char val[37] = "none";
+      if (dev->disk && dev->disk->partition)
+	{
+	  struct grub_partition *p = dev->disk->partition;
+	  grub_disk_t disk = grub_disk_open(dev->disk->name);
+
+	  if (!disk)
+	    {
+	      grub_device_close (dev);
+	      return grub_errno;
+	    }
+
+	  if (grub_strcmp(dev->disk->partition->partmap->name, "gpt") == 0)
+	    {
+	      struct grub_gpt_partentry entry;
+	      grub_guid_t *guid;
+
+	      if (grub_disk_read(disk, p->offset, p->index, sizeof(entry), &entry))
+		{
+		  grub_error_push ();
+		  grub_disk_close (disk);
+		  grub_device_close (dev);
+		  grub_error_pop ();
+		  return grub_errno;
+		}
+	      guid = &entry.guid;
+	      guid->data1 = grub_le_to_cpu32 (guid->data1);
+	      guid->data2 = grub_le_to_cpu16 (guid->data2);
+	      guid->data3 = grub_le_to_cpu16 (guid->data3);
+	      grub_snprintf (val, sizeof(val), "%pG", guid);
+	    }
+	  else if (grub_strcmp(dev->disk->partition->partmap->name, "msdos") == 0)
+	    {
+	      grub_uint32_t nt_disk_sig;
+
+	      if (grub_disk_read(disk, 0, GRUB_BOOT_MACHINE_WINDOWS_NT_MAGIC,
+				 sizeof(nt_disk_sig), &nt_disk_sig) == 0)
+		grub_snprintf (val, sizeof(val), "%08x-%02x",
+			       grub_le_to_cpu32(nt_disk_sig), 1 + p->number);
+	    }
+	  grub_disk_close(disk);
+	}
+      if (state[0].set)
+	grub_env_set (state[0].arg, val);
+      else
+	grub_printf ("%s", val);
+      grub_device_close (dev);
+      return GRUB_ERR_NONE;
+    }
  fs = grub_fs_probe (dev);
  if (! fs)
+    {
+      grub_error_push ();
+      grub_device_close (dev);
+      grub_error_pop ();
      return grub_errno;
+    }
  if (state[3].set)
    {
      if (state[0].set)
@ -114,14 +174,23 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
    {
      char *uuid;
      if (! fs->fs_uuid)
+	{
+	  grub_device_close (dev);
 	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
 			     N_("%s does not support UUIDs"), fs->name);
+	}
      err = fs->fs_uuid (dev, &uuid);
      if (err)
+	{
+	  grub_device_close (dev);
 	  return err;
+	}
      if (! uuid)
+	{
+	  grub_device_close (dev);
 	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
 			     N_("%s does not support UUIDs"), fs->name);
+	}

      if (state[0].set)
 	grub_env_set (state[0].arg, uuid);
@ -135,16 +204,25 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
    {
      char *label;
      if (! fs->fs_label)
+	{
+	  grub_device_close (dev);
 	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
 			     N_("filesystem `%s' does not support labels"),
 			     fs->name);
+	}
      err = fs->fs_label (dev, &label);
      if (err)
+	{
+	  grub_device_close (dev);
 	  return err;
+	}
      if (! label)
+	{
+	  grub_device_close (dev);
 	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
 			     N_("filesystem `%s' does not support labels"),
 			     fs->name);
+	}

      if (state[0].set)
 	grub_env_set (state[0].arg, label);
--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
@ -23,21 +23,29 @@
 #include <grub/env.h>
 #include <grub/term.h>
 #include <grub/types.h>
-#include <grub/command.h>
+#include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

-static char *
-grub_getline (void)
+static const struct grub_arg_option options[] =
  {
-  int i;
+    {"silent", 's', 0, N_("Do not echo input"), 0, 0},
+    {0, 0, 0, 0, 0, 0}
+  };
+
+static char *
+grub_getline (int silent)
+{
+  grub_size_t i;
  char *line;
  char *tmp;
-  char c;
+  int c;
+  grub_size_t alloc_size;

  i = 0;
-  line = grub_malloc (1 + i + sizeof('\0'));
+  line = grub_malloc (1 + sizeof('\0'));
  if (! line)
    return NULL;

@ -47,11 +55,23 @@ grub_getline (void)
      if ((c == '\n') || (c == '\r'))
 	break;

-      line[i] = c;
-      if (grub_isprint (c))
+      if (!grub_isprint (c))
+	continue;
+
+      line[i] = (char) c;
+      if (!silent)
 	grub_printf ("%c", c);
-      i++;
-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+      if (grub_add (i, 1, &i))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      tmp = grub_realloc (line, alloc_size);
      if (! tmp)
 	{
 	  grub_free (line);
@ -65,9 +85,11 @@ grub_getline (void)
 }

 static grub_err_t
-grub_cmd_read (grub_command_t cmd __attribute__ ((unused)), int argc, char **args)
+grub_cmd_read (grub_extcmd_context_t ctxt, int argc, char **args)
 {
-  char *line = grub_getline ();
+  struct grub_arg_list *state = ctxt->state;
+  char *line = grub_getline (state[0].set);
+
  if (! line)
    return grub_errno;
  if (argc > 0)
@ -77,16 +99,16 @@ grub_cmd_read (grub_command_t cmd __attribute__ ((unused)), int argc, char **arg
  return 0;
 }

-static grub_command_t cmd;
+static grub_extcmd_t cmd;

 GRUB_MOD_INIT(read)
 {
-  cmd = grub_register_command ("read", grub_cmd_read,
-			       N_("[ENVVAR]"),
-			       N_("Set variable with user input."));
+  cmd = grub_register_extcmd ("read", grub_cmd_read, 0,
+			       N_("[-s] [ENVVAR]"),
+			       N_("Set variable with user input."), options);
 }

 GRUB_MOD_FINI(read)
 {
-  grub_unregister_command (cmd);
+  grub_unregister_extcmd (cmd);
 }
--- a/grub-core/commands/regexp.c
+++ b/grub-core/commands/regexp.c
@ -36,7 +36,7 @@ static const struct grub_arg_option options[] =
 	 groups with parentheses. These groups are
 	 then numbered and you can save some of
 	 them in variables. In other programs
-	 those components aree often referenced with
+	 those components are often referenced with
 	 back slash, e.g. \1. Compare
 	 sed -e 's,\([a-z][a-z]*\),lowercase=\1,g'
 	 The whole matching component is saved in VARNAME, not its number.
@ -64,7 +64,7 @@ set_matches (char **varnames, char *str, grub_size_t nmatches,
 {
  int i;
  char *p;
-  char *q;
+  const char * q;
  grub_err_t err;
  unsigned long j;

@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args)
  if (ret)
    goto fail;

-  matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1));
+  matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches));
  if (! matches)
    goto fail;

--- a/grub-core/commands/search.c
+++ b/grub-core/commands/search.c
@ -47,13 +47,48 @@ struct search_ctx
 {
  const char *key;
  const char *var;
-  int no_floppy;
+  enum search_flags flags;
  char **hints;
  unsigned nhints;
  int count;
  int is_cache;
 };

+static bool
+is_unencrypted_disk (grub_disk_t disk)
+{
+  grub_command_t cmd;
+  char *disk_str;
+  int disk_str_len;
+  int res;
+
+  if (disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID)
+    return false; /* This is (crypto) disk. */
+
+  if (disk->dev->id == GRUB_DISK_DEVICE_DISKFILTER_ID)
+    {
+      char opt[] = "--quiet";
+      char *args[2];
+
+      cmd = grub_command_find ("cryptocheck");
+      if (cmd == NULL) /* No diskfilter module loaded for some reason. */
+        return true;
+
+      disk_str_len = grub_strlen (disk->name) + 2 + 1;
+      disk_str = grub_malloc (disk_str_len);
+      if (disk_str == NULL) /* Something is wrong, better report as unencrypted. */
+        return true;
+
+      grub_snprintf (disk_str, disk_str_len, "(%s)", disk->name);
+      args[0] = opt;
+      args[1] = disk_str;
+      res = cmd->func (cmd, 2, args);
+      grub_free (disk_str);
+      return (res != GRUB_ERR_NONE) ? true : false; /* GRUB_ERR_NONE for encrypted. */
+    }
+  return true;
+}
+
 /* Helper for FUNC_NAME.  */
 static int
 iterate_device (const char *name, void *data)
@ -62,9 +97,49 @@ iterate_device (const char *name, void *data)
  int found = 0;

  /* Skip floppy drives when requested.  */
-  if (ctx->no_floppy &&
+  if (ctx->flags & SEARCH_FLAGS_NO_FLOPPY &&
      name[0] == 'f' && name[1] == 'd' && name[2] >= '0' && name[2] <= '9')
-    return 1;
+    return 0;
+
+  /* Limit to EFI disks when requested.  */
+  if (ctx->flags & SEARCH_FLAGS_EFIDISK_ONLY)
+    {
+      grub_device_t dev;
+
+      dev = grub_device_open (name);
+      if (dev == NULL)
+	{
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      if (dev->disk == NULL || dev->disk->dev->id != GRUB_DISK_DEVICE_EFIDISK_ID)
+	{
+	  grub_device_close (dev);
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      grub_device_close (dev);
+    }
+
+  /* Limit to encrypted disks when requested. */
+  if (ctx->flags & SEARCH_FLAGS_CRYPTODISK_ONLY)
+    {
+      grub_device_t dev;
+
+      dev = grub_device_open (name);
+      if (dev == NULL)
+	{
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      if (dev->disk == NULL || is_unencrypted_disk (dev->disk) == true)
+	{
+	  grub_device_close (dev);
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      grub_device_close (dev);
+    }

 #ifdef DO_SEARCH_FS_UUID
 #define compare_fn grub_strcasecmp
@ -261,13 +336,13 @@ try (struct search_ctx *ctx)
 }

 void
-FUNC_NAME (const char *key, const char *var, int no_floppy,
+FUNC_NAME (const char *key, const char *var, enum search_flags flags,
 	   char **hints, unsigned nhints)
 {
  struct search_ctx ctx = {
    .key = key,
    .var = var,
-    .no_floppy = no_floppy,
+    .flags = flags,
    .hints = hints,
    .nhints = nhints,
    .count = 0,
--- a/grub-core/commands/search_wrap.c
+++ b/grub-core/commands/search_wrap.c
@ -40,6 +40,8 @@ static const struct grub_arg_option options[] =
     N_("Set a variable to the first device found."), N_("VARNAME"),
     ARG_TYPE_STRING},
    {"no-floppy",	'n', 0, N_("Do not probe any floppy drive."), 0, 0},
+    {"efidisk-only",	0, 0, N_("Only probe EFI disks."), 0, 0},
+    {"cryptodisk-only",	0, 0, N_("Only probe encrypted disks."), 0, 0},
    {"hint",	        'h', GRUB_ARG_OPTION_REPEATABLE,
     N_("First try the device HINT. If HINT ends in comma, "
 	"also try subpartitions"), N_("HINT"), ARG_TYPE_STRING},
@ -73,6 +75,8 @@ enum options
    SEARCH_FS_UUID,
    SEARCH_SET,
    SEARCH_NO_FLOPPY,
+    SEARCH_EFIDISK_ONLY,
+    SEARCH_CRYPTODISK_ONLY,
    SEARCH_HINT,
    SEARCH_HINT_IEEE1275,
    SEARCH_HINT_BIOS,
@ -89,6 +93,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
  const char *id = 0;
  int i = 0, j = 0, nhints = 0;
  char **hints = NULL;
+  enum search_flags flags = SEARCH_FLAGS_NONE;

  if (state[SEARCH_HINT].set)
    for (i = 0; state[SEARCH_HINT].args[i]; i++)
@ -122,7 +127,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
    for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++)
      nhints++;

-  hints = grub_malloc (sizeof (hints[0]) * nhints);
+  hints = grub_calloc (nhints, sizeof (hints[0]));
  if (!hints)
    return grub_errno;
  j = 0;
@ -180,15 +185,21 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
      goto out;
    }

+  if (state[SEARCH_NO_FLOPPY].set)
+    flags |= SEARCH_FLAGS_NO_FLOPPY;
+
+  if (state[SEARCH_EFIDISK_ONLY].set)
+    flags |= SEARCH_FLAGS_EFIDISK_ONLY;
+
+  if (state[SEARCH_CRYPTODISK_ONLY].set)
+    flags |= SEARCH_FLAGS_CRYPTODISK_ONLY;
+
  if (state[SEARCH_LABEL].set)
-    grub_search_label (id, var, state[SEARCH_NO_FLOPPY].set, 
-		       hints, nhints);
+    grub_search_label (id, var, flags, hints, nhints);
  else if (state[SEARCH_FS_UUID].set)
-    grub_search_fs_uuid (id, var, state[SEARCH_NO_FLOPPY].set,
-			 hints, nhints);
+    grub_search_fs_uuid (id, var, flags, hints, nhints);
  else if (state[SEARCH_FILE].set)
-    grub_search_fs_file (id, var, state[SEARCH_NO_FLOPPY].set, 
-			 hints, nhints);
+    grub_search_fs_file (id, var, flags, hints, nhints);
  else
    grub_error (GRUB_ERR_INVALID_COMMAND, "unspecified search type");

@ -204,7 +215,7 @@ GRUB_MOD_INIT(search)
  cmd =
    grub_register_extcmd ("search", grub_cmd_search,
 			  GRUB_COMMAND_FLAG_EXTRACTOR | GRUB_COMMAND_ACCEPT_DASH,
-			  N_("[-f|-l|-u|-s|-n] [--hint HINT [--hint HINT] ...]"
+			  N_("[-f|-l|-u|-s|-n] [--cryptodisk-only] [--hint HINT [--hint HINT] ...]"
 			     " NAME"),
 			  N_("Search devices by file, filesystem label"
 			     " or filesystem UUID."
--- a/grub-core/commands/setpci.c
+++ b/grub-core/commands/setpci.c
@ -169,7 +169,7 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
  if (ctxt->state[0].set)
    {
      ptr = ctxt->state[0].arg;
-      pciid_check_value |= (grub_strtoul (ptr, (char **) &ptr, 16) & 0xffff);
+      pciid_check_value |= (grub_strtoul (ptr, &ptr, 16) & 0xffff);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -182,8 +182,7 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
      if (*ptr != ':')
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("missing `%c' symbol"), ':');
      ptr++;
-      pciid_check_value |= (grub_strtoul (ptr, (char **) &ptr, 16) & 0xffff)
-	<< 16;
+      pciid_check_value |= (grub_strtoul (ptr, &ptr, 16) & 0xffff) << 16;
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	grub_errno = GRUB_ERR_NONE;
      else
@ -200,7 +199,7 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)

      ptr = ctxt->state[1].arg;
      optr = ptr;
-      bus = grub_strtoul (ptr, (char **) &ptr, 16);
+      bus = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -214,7 +213,7 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("missing `%c' symbol"), ':');
      ptr++;
      optr = ptr;
-      device = grub_strtoul (ptr, (char **) &ptr, 16);
+      device = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -225,7 +224,7 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
      if (*ptr == '.')
 	{
 	  ptr++;
-	  function = grub_strtoul (ptr, (char **) &ptr, 16);
+	  function = grub_strtoul (ptr, &ptr, 16);
 	  if (grub_errno)
 	    return grub_errno;
 	  check_function = 1;
@ -253,7 +252,7 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
  if (i == ARRAY_SIZE (pci_registers))
    {
      regsize = 0;
-      regaddr = grub_strtoul (ptr, (char **) &ptr, 16);
+      regaddr = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno)
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown register");
    }
@ -270,7 +269,7 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
  if (*ptr == '+')
    {
      ptr++;
-      regaddr += grub_strtoul (ptr, (char **) &ptr, 16);
+      regaddr += grub_strtoul (ptr, &ptr, 16);
      if (grub_errno)
 	return grub_errno;
    }
@ -302,17 +301,16 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
  if (*ptr == '=')
    {
      ptr++;
-      regwrite = grub_strtoul (ptr, (char **) &ptr, 16);
+      regwrite = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno)
 	return grub_errno;
      write_mask = 0xffffffff;
      if (*ptr == ':')
 	{
 	  ptr++;
-	  write_mask = grub_strtoul (ptr, (char **) &ptr, 16);
+	  write_mask = grub_strtoul (ptr, &ptr, 16);
 	  if (grub_errno)
 	    return grub_errno;
-	  write_mask = 0xffffffff;
 	}
      regwrite &= write_mask;
    }
@ -329,7 +327,7 @@ static grub_extcmd_t cmd;

 GRUB_MOD_INIT(setpci)
 {
-  cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
+  cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
 				       N_("[-s POSITION] [-d DEVICE] [-v VAR] "
 					  "REGISTER[=VALUE[:MASK]]"),
 				       N_("Manipulate PCI devices."), options);
--- a/grub-core/commands/sleep.c
+++ b/grub-core/commands/sleep.c
@ -55,7 +55,7 @@ grub_interruptible_millisleep (grub_uint32_t ms)
  start = grub_get_time_ms ();

  while (grub_get_time_ms () - start < ms)
-    if (grub_getkey_noblock () == GRUB_TERM_ESC)
+    if (grub_key_is_interrupt (grub_getkey_noblock ()))
      return 1;

  return 0;
--- a/grub-core/commands/smbios.c
+++ b/grub-core/commands/smbios.c
@ -0,0 +1,398 @@
+/* smbios.c - retrieve smbios information. */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2019  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/dl.h>
+#include <grub/env.h>
+#include <grub/extcmd.h>
+#include <grub/i18n.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/smbios.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+/* Abstract useful values found in either the SMBIOS3 or SMBIOS EPS. */
+static struct {
+  grub_addr_t start;
+  grub_addr_t end;
+  grub_uint16_t structures;
+} table_desc;
+
+static grub_extcmd_t cmd;
+
+/* Locate the SMBIOS entry point structure depending on the hardware. */
+struct grub_smbios_eps *
+grub_smbios_get_eps (void)
+{
+  static struct grub_smbios_eps *eps = NULL;
+
+  if (eps != NULL)
+    return eps;
+
+  eps = grub_machine_smbios_get_eps ();
+
+  return eps;
+}
+
+/* Locate the SMBIOS3 entry point structure depending on the hardware. */
+static struct grub_smbios_eps3 *
+grub_smbios_get_eps3 (void)
+{
+  static struct grub_smbios_eps3 *eps = NULL;
+
+  if (eps != NULL)
+    return eps;
+
+  eps = grub_machine_smbios_get_eps3 ();
+
+  return eps;
+}
+
+static char *
+linux_string (const char *value)
+{
+  char *out = grub_malloc( grub_strlen (value) + 1);
+  const char *src = value;
+  char *dst = out;
+
+  for (; *src; src++)
+    if (*src > ' ' && *src < 127 && *src != ':')
+      *dst++ = *src;
+
+  *dst = 0;
+  return out;
+}
+
+/*
+ * These functions convert values from the various SMBIOS structure field types
+ * into a string formatted to be returned to the user.  They expect that the
+ * structure and offset were already validated.  When the requested data is
+ * successfully retrieved and formatted, the pointer to the string is returned;
+ * otherwise, NULL is returned on failure.  Don't free the result.
+ */
+
+static const char *
+grub_smbios_format_byte (const grub_uint8_t *structure, grub_uint8_t offset)
+{
+  static char buffer[sizeof ("255")];
+
+  grub_snprintf (buffer, sizeof (buffer), "%u", structure[offset]);
+
+  return (const char *)buffer;
+}
+
+static const char *
+grub_smbios_format_word (const grub_uint8_t *structure, grub_uint8_t offset)
+{
+  static char buffer[sizeof ("65535")];
+
+  grub_uint16_t value = grub_get_unaligned16 (structure + offset);
+  grub_snprintf (buffer, sizeof (buffer), "%u", value);
+
+  return (const char *)buffer;
+}
+
+static const char *
+grub_smbios_format_dword (const grub_uint8_t *structure, grub_uint8_t offset)
+{
+  static char buffer[sizeof ("4294967295")];
+
+  grub_uint32_t value = grub_get_unaligned32 (structure + offset);
+  grub_snprintf (buffer, sizeof (buffer), "%" PRIuGRUB_UINT32_T, value);
+
+  return (const char *)buffer;
+}
+
+static const char *
+grub_smbios_format_qword (const grub_uint8_t *structure, grub_uint8_t offset)
+{
+  static char buffer[sizeof ("18446744073709551615")];
+
+  grub_uint64_t value = grub_get_unaligned64 (structure + offset);
+  grub_snprintf (buffer, sizeof (buffer), "%" PRIuGRUB_UINT64_T, value);
+
+  return (const char *)buffer;
+}
+
+static const char *
+grub_smbios_get_string (const grub_uint8_t *structure, grub_uint8_t offset)
+{
+  const grub_uint8_t *ptr = structure + structure[1];
+  const grub_uint8_t *table_end = (const grub_uint8_t *)table_desc.end;
+  const grub_uint8_t referenced_string_number = structure[offset];
+  grub_uint8_t i;
+
+  /* A string referenced with zero is interpreted as unset. */
+  if (referenced_string_number == 0)
+    return NULL;
+
+  /* Search the string set. */
+  for (i = 1; *ptr != 0 && ptr < table_end; i++)
+    if (i == referenced_string_number)
+      {
+        const char *str = (const char *)ptr;
+        while (*ptr++ != 0)
+          if (ptr >= table_end)
+            return NULL; /* The string isn't terminated. */
+        return str;
+      }
+    else
+      while (*ptr++ != 0 && ptr < table_end);
+
+  /* The string number is greater than the number of strings in the set. */
+  return NULL;
+}
+
+static const char *
+grub_smbios_format_uuid (const grub_uint8_t *structure, grub_uint8_t offset)
+{
+  static char buffer[sizeof ("ffffffff-ffff-ffff-ffff-ffffffffffff")];
+  const grub_uint8_t *f = structure + offset; /* little-endian fields */
+  const grub_uint8_t *g = f + 8; /* byte-by-byte fields */
+
+  grub_snprintf (buffer, sizeof (buffer),
+                 "%02x%02x%02x%02x-%02x%02x-%02x%02x-"
+                 "%02x%02x-%02x%02x%02x%02x%02x%02x",
+                 f[3], f[2], f[1], f[0], f[5], f[4], f[7], f[6],
+                 g[0], g[1], g[2], g[3], g[4], g[5], g[6], g[7]);
+
+  return (const char *)buffer;
+}
+
+/* List the field formatting functions and the number of bytes they need. */
+static const struct {
+  const char *(*format) (const grub_uint8_t *structure, grub_uint8_t offset);
+  grub_uint8_t field_length;
+} field_extractors[] = {
+  {grub_smbios_format_byte, 1},
+  {grub_smbios_format_word, 2},
+  {grub_smbios_format_dword, 4},
+  {grub_smbios_format_qword, 8},
+  {grub_smbios_get_string, 1},
+  {grub_smbios_format_uuid, 16}
+};
+
+/* List command options, with structure field getters ordered as above. */
+#define FIRST_GETTER_OPT (3)
+#define SETTER_OPT (FIRST_GETTER_OPT + ARRAY_SIZE(field_extractors))
+#define LINUX_OPT (FIRST_GETTER_OPT + ARRAY_SIZE(field_extractors) + 1)
+
+static const struct grub_arg_option options[] = {
+  {"type",       't', 0, N_("Match structures with the given type."),
+                         N_("type"), ARG_TYPE_INT},
+  {"handle",     'h', 0, N_("Match structures with the given handle."),
+                         N_("handle"), ARG_TYPE_INT},
+  {"match",      'm', 0, N_("Select a structure when several match."),
+                         N_("match"), ARG_TYPE_INT},
+  {"get-byte",   'b', 0, N_("Get the byte's value at the given offset."),
+                         N_("offset"), ARG_TYPE_INT},
+  {"get-word",   'w', 0, N_("Get two bytes' value at the given offset."),
+                         N_("offset"), ARG_TYPE_INT},
+  {"get-dword",  'd', 0, N_("Get four bytes' value at the given offset."),
+                         N_("offset"), ARG_TYPE_INT},
+  {"get-qword",  'q', 0, N_("Get eight bytes' value at the given offset."),
+                         N_("offset"), ARG_TYPE_INT},
+  {"get-string", 's', 0, N_("Get the string specified at the given offset."),
+                         N_("offset"), ARG_TYPE_INT},
+  {"get-uuid",   'u', 0, N_("Get the UUID's value at the given offset."),
+                         N_("offset"), ARG_TYPE_INT},
+  {"set",       '\0', 0, N_("Store the value in the given variable name."),
+                         N_("variable"), ARG_TYPE_STRING},
+  {"linux",     '\0', 0, N_("Filter the result like linux does."),
+                         N_("variable"), ARG_TYPE_NONE},
+  {0, 0, 0, 0, 0, 0}
+};
+
+/*
+ * Return a matching SMBIOS structure.
+ *
+ * This method can use up to three criteria for selecting a structure:
+ *   - The "type" field                  (use -1 to ignore)
+ *   - The "handle" field                (use -1 to ignore)
+ *   - Which to return if several match  (use  0 to ignore)
+ *
+ * The return value is a pointer to the first matching structure.  If no
+ * structures match the given parameters, NULL is returned.
+ */
+static const grub_uint8_t *
+grub_smbios_match_structure (const grub_int16_t type,
+                             const grub_int32_t handle,
+                             const grub_uint16_t match)
+{
+  const grub_uint8_t *ptr = (const grub_uint8_t *)table_desc.start;
+  const grub_uint8_t *table_end = (const grub_uint8_t *)table_desc.end;
+  grub_uint16_t structures = table_desc.structures;
+  grub_uint16_t structure_count = 0;
+  grub_uint16_t matches = 0;
+
+  while (ptr < table_end
+         && ptr[1] >= 4 /* Valid structures include the 4-byte header. */
+         && (structure_count++ < structures || structures == 0))
+    {
+      grub_uint16_t structure_handle = grub_get_unaligned16 (ptr + 2);
+      grub_uint8_t structure_type = ptr[0];
+
+      if ((handle < 0 || handle == structure_handle)
+          && (type < 0 || type == structure_type)
+          && (match == 0 || match == ++matches))
+        return ptr;
+      else
+        {
+          ptr += ptr[1];
+          while ((*ptr++ != 0 || *ptr++ != 0) && ptr < table_end);
+        }
+
+      if (structure_type == GRUB_SMBIOS_TYPE_END_OF_TABLE)
+        break;
+    }
+
+  return NULL;
+}
+
+static grub_err_t
+grub_cmd_smbios (grub_extcmd_context_t ctxt,
+                 int argc __attribute__ ((unused)),
+                 char **argv __attribute__ ((unused)))
+{
+  struct grub_arg_list *state = ctxt->state;
+
+  grub_int16_t type = -1;
+  grub_int32_t handle = -1;
+  grub_uint16_t match = 0;
+  grub_uint8_t offset = 0;
+
+  const grub_uint8_t *structure;
+  const char *value;
+  char *modified_value = NULL;
+  grub_int32_t option;
+  grub_int8_t field_type = -1;
+  grub_uint8_t i;
+
+  if (table_desc.start == 0)
+    return grub_error (GRUB_ERR_IO,
+                       N_("the SMBIOS entry point structure was not found"));
+
+  /* Read the given filtering options. */
+  if (state[0].set)
+    {
+      option = grub_strtol (state[0].arg, NULL, 0);
+      if (option < 0 || option > 255)
+        return grub_error (GRUB_ERR_BAD_ARGUMENT,
+                           N_("the type must be between 0 and 255"));
+      type = (grub_int16_t)option;
+    }
+  if (state[1].set)
+    {
+      option = grub_strtol (state[1].arg, NULL, 0);
+      if (option < 0 || option > 65535)
+        return grub_error (GRUB_ERR_BAD_ARGUMENT,
+                           N_("the handle must be between 0 and 65535"));
+      handle = (grub_int32_t)option;
+    }
+  if (state[2].set)
+    {
+      option = grub_strtol (state[2].arg, NULL, 0);
+      if (option <= 0 || option > 65535)
+        return grub_error (GRUB_ERR_BAD_ARGUMENT,
+                           N_("the match must be a positive integer"));
+      match = (grub_uint16_t)option;
+    }
+
+  /* Determine the data type of the structure field to retrieve. */
+  for (i = 0; i < ARRAY_SIZE(field_extractors); i++)
+    if (state[FIRST_GETTER_OPT + i].set)
+      {
+        if (field_type >= 0)
+          return grub_error (GRUB_ERR_BAD_ARGUMENT,
+                             N_("only one --get option is usable at a time"));
+        field_type = i;
+      }
+
+  /* Require a choice of a structure field to return. */
+  if (field_type < 0)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
+                       N_("one of the --get options is required"));
+
+  /* Locate a matching SMBIOS structure. */
+  structure = grub_smbios_match_structure (type, handle, match);
+  if (structure == NULL)
+    return grub_error (GRUB_ERR_IO,
+                       N_("no structure matched the given options"));
+
+  /* Ensure the requested byte offset is inside the structure. */
+  option = grub_strtol (state[FIRST_GETTER_OPT + field_type].arg, NULL, 0);
+  if (option < 0 || option >= structure[1])
+    return grub_error (GRUB_ERR_OUT_OF_RANGE,
+                       N_("the given offset is outside the structure"));
+
+  /* Ensure the requested data type at the offset is inside the structure. */
+  offset = (grub_uint8_t)option;
+  if (offset + field_extractors[field_type].field_length > structure[1])
+    return grub_error (GRUB_ERR_OUT_OF_RANGE,
+                       N_("the field ends outside the structure"));
+
+  /* Format the requested structure field into a readable string. */
+  value = field_extractors[field_type].format (structure, offset);
+  if (value == NULL)
+    return grub_error (GRUB_ERR_IO,
+                       N_("failed to retrieve the structure field"));
+
+  if (state[LINUX_OPT].set)
+    value = modified_value = linux_string (value);
+
+  /* Store or print the formatted value. */
+  if (state[SETTER_OPT].set)
+    grub_env_set (state[SETTER_OPT].arg, value);
+  else
+    grub_printf ("%s\n", value);
+
+  grub_free(modified_value);
+
+  return GRUB_ERR_NONE;
+}
+
+GRUB_MOD_INIT(smbios)
+{
+  struct grub_smbios_eps3 *eps3;
+  struct grub_smbios_eps *eps;
+
+  if ((eps3 = grub_smbios_get_eps3 ()))
+    {
+      table_desc.start = (grub_addr_t)eps3->table_address;
+      table_desc.end = table_desc.start + eps3->maximum_table_length;
+      table_desc.structures = 0; /* SMBIOS3 drops the structure count. */
+    }
+  else if ((eps = grub_smbios_get_eps ()))
+    {
+      table_desc.start = (grub_addr_t)eps->intermediate.table_address;
+      table_desc.end = table_desc.start + eps->intermediate.table_length;
+      table_desc.structures = eps->intermediate.structures;
+    }
+
+  cmd = grub_register_extcmd ("smbios", grub_cmd_smbios, 0,
+                              N_("[-t type] [-h handle] [-m match] "
+                                 "(-b|-w|-d|-q|-s|-u) offset "
+                                 "[--set variable]"),
+                              N_("Retrieve SMBIOS information."), options);
+}
+
+GRUB_MOD_FINI(smbios)
+{
+  grub_unregister_extcmd (cmd);
+}
--- a/grub-core/commands/test.c
+++ b/grub-core/commands/test.c
@ -29,9 +29,12 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+/* Set a limit on recursion to avoid stack overflow. */
+#define MAX_TEST_RECURSION_DEPTH	100
+
 /* A simple implementation for signed numbers. */
 static int
-grub_strtosl (char *arg, char **end, int base)
+grub_strtosl (char *arg, const char ** const end, int base)
 {
  if (arg[0] == '-')
    return -grub_strtoul (arg + 1, end, base);
@ -150,7 +153,7 @@ get_fileinfo (char *path, struct test_parse_ctx *ctx)

 /* Parse a test expression starting from *argn. */
 static int
-test_parse (char **args, int *argn, int argc)
+test_parse (char **args, int *argn, int argc, int *depth)
 {
  struct test_parse_ctx ctx = {
    .and = 1,
@ -387,13 +390,24 @@ test_parse (char **args, int *argn, int argc)
      if (grub_strcmp (args[*argn], ")") == 0)
 	{
 	  (*argn)++;
+	  if (*depth > 0)
+	    (*depth)--;
+
 	  return ctx.or || ctx.and;
 	}
      /* Recursively invoke if parenthesis. */
      if (grub_strcmp (args[*argn], "(") == 0)
 	{
 	  (*argn)++;
-	  update_val (test_parse (args, argn, argc), &ctx);
+
+	  if (++(*depth) > MAX_TEST_RECURSION_DEPTH)
+	    {
+	      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("max recursion depth exceeded"));
+	      depth--;
+	      return ctx.or || ctx.and;
+	    }
+
+	  update_val (test_parse (args, argn, argc, depth), &ctx);
 	  continue;
 	}

@ -428,11 +442,12 @@ grub_cmd_test (grub_command_t cmd __attribute__ ((unused)),
 	       int argc, char **args)
 {
  int argn = 0;
+  int depth = 0;

  if (argc >= 1 && grub_strcmp (args[argc - 1], "]") == 0)
    argc--;

-  return test_parse (args, &argn, argc) ? GRUB_ERR_NONE
+  return test_parse (args, &argn, argc, &depth) ? GRUB_ERR_NONE
    : grub_error (GRUB_ERR_TEST_FAILURE, N_("false"));
 }

--- a/grub-core/commands/testload.c
+++ b/grub-core/commands/testload.c
@ -32,10 +32,11 @@
 GRUB_MOD_LICENSE ("GPLv3+");

 /* Helper for grub_cmd_testload.  */
-static void
+static grub_err_t
 read_progress (grub_disk_addr_t sector __attribute__ ((unused)),
 	       unsigned offset __attribute__ ((unused)),
 	       unsigned len,
+	       char *buf __attribute__ ((unused)),
 	       void *data __attribute__ ((unused)))
 {
  for (; len >= GRUB_DISK_SECTOR_SIZE; len -= GRUB_DISK_SECTOR_SIZE)
@ -43,6 +44,7 @@ read_progress (grub_disk_addr_t sector __attribute__ ((unused)),
  if (len)
    grub_xputs (".");
  grub_refresh ();
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@ -29,13 +29,6 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-grub_err_t
-grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
-		  const char *description)
-{
-  return grub_tpm_log_event (buf, size, pcr, description);
-}
-
 static grub_err_t
 grub_tpm_verify_init (grub_file_t io,
 		      enum grub_file_type type __attribute__ ((unused)),
@ -43,13 +36,29 @@ grub_tpm_verify_init (grub_file_t io,
 {
  *context = io->name;
  *flags |= GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+  /*
+   * The loopback image is mapped as a disk allowing it to function like
+   * a block device. However, we measure files read from the block device
+   * not the device itself. For example, we don't measure block devices like
+   * hd0 disk directly. This process is crucial to prevent out-of-memory
+   * errors as loopback images are inherently large.
+   */
+  if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_LOOPBACK)
+    *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
  return GRUB_ERR_NONE;
 }

 static grub_err_t
 grub_tpm_verify_write (void *context, void *buf, grub_size_t size)
 {
-  return grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
+  grub_err_t status = grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
+
+  if (status == GRUB_ERR_NONE)
+    return GRUB_ERR_NONE;
+
+  grub_dprintf ("tpm", "Measuring buffer failed: %d\n", status);
+  return grub_is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
 }

 static grub_err_t
@ -81,7 +90,11 @@ grub_tpm_verify_string (char *str, enum grub_verify_string_type type)
    grub_tpm_measure ((unsigned char *) str, grub_strlen (str),
 		      GRUB_STRING_PCR, description);
  grub_free (description);
-  return status;
+  if (status == GRUB_ERR_NONE)
+    return GRUB_ERR_NONE;
+
+  grub_dprintf ("tpm", "Measuring string %s failed: %d\n", str, status);
+  return grub_is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
 }

 struct grub_file_verifier grub_tpm_verifier = {
@ -93,10 +106,20 @@ struct grub_file_verifier grub_tpm_verifier = {

 GRUB_MOD_INIT (tpm)
 {
+  /*
+   * Even though this now calls ibmvtpm's grub_tpm_present() from GRUB_MOD_INIT(),
+   * it does seem to call it late enough in the initialization sequence so
+   * that whatever discovered "device nodes" before this GRUB_MOD_INIT() is
+   * called, enables the ibmvtpm driver to see the device nodes.
+   */
+  if (!grub_tpm_present())
+    return;
  grub_verifier_register (&grub_tpm_verifier);
 }

 GRUB_MOD_FINI (tpm)
 {
+  if (!grub_tpm_present())
+    return;
  grub_verifier_unregister (&grub_tpm_verifier);
 }
--- a/grub-core/commands/tpm2_key_protector/args.c
+++ b/grub-core/commands/tpm2_key_protector/args.c
@ -0,0 +1,127 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/err.h>
+#include <grub/mm.h>
+#include <grub/misc.h>
+
+#include "tpm2_args.h"
+
+grub_err_t
+grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs,
+				grub_uint8_t *pcr_count)
+{
+  char *current_pcr = value;
+  char *next_pcr;
+  const char *pcr_end;
+  grub_uint64_t pcr;
+  grub_uint8_t i;
+
+  if (grub_strlen (value) == 0)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  *pcr_count = 0;
+  for (i = 0; i < TPM_MAX_PCRS; i++)
+    {
+      next_pcr = grub_strchr (current_pcr, ',');
+      if (next_pcr == current_pcr)
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("empty entry in PCR list"));
+      if (next_pcr != NULL)
+	*next_pcr = '\0';
+
+      pcr = grub_strtoul (current_pcr, &pcr_end, 10);
+      if (*current_pcr == '\0' || *pcr_end != '\0')
+	return grub_error (GRUB_ERR_BAD_NUMBER, N_("entry '%s' in PCR list is not a number"), current_pcr);
+
+      if (pcr > TPM_MAX_PCRS - 1)
+	return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("entry %llu in PCR list is too large to be a PCR number, PCR numbers range from 0 to %u"), (unsigned long long)pcr, TPM_MAX_PCRS - 1);
+
+      pcrs[i] = (grub_uint8_t) pcr;
+      ++(*pcr_count);
+
+      if (next_pcr == NULL)
+	break;
+
+      current_pcr = next_pcr + 1;
+      if (*current_pcr == '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("trailing comma at the end of PCR list"));
+    }
+
+  if (i == TPM_MAX_PCRS)
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("too many PCRs in PCR list, the maximum number of PCRs is %u"), TPM_MAX_PCRS);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value,
+				      grub_srk_type_t *srk_type)
+{
+  if (grub_strcasecmp (value, "ECC") == 0 ||
+      grub_strcasecmp (value, "ECC_NIST_P256") == 0)
+    {
+      srk_type->type = TPM_ALG_ECC;
+      srk_type->detail.ecc_curve = TPM_ECC_NIST_P256;
+    }
+  else if (grub_strcasecmp (value, "RSA") == 0 ||
+	   grub_strcasecmp (value, "RSA2048") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 2048;
+    }
+  else
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID_t *bank)
+{
+  if (grub_strcasecmp (value, "SHA1") == 0)
+    *bank = TPM_ALG_SHA1;
+  else if (grub_strcasecmp (value, "SHA256") == 0)
+    *bank = TPM_ALG_SHA256;
+  else if (grub_strcasecmp (value, "SHA384") == 0)
+    *bank = TPM_ALG_SHA384;
+  else if (grub_strcasecmp (value, "SHA512") == 0)
+    *bank = TPM_ALG_SHA512;
+  else
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid PCR bank"), value);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE_t *handle)
+{
+  grub_uint64_t num;
+  const char *str_end;
+
+  num = grub_strtoul (value, &str_end, 0);
+  if (*value == '\0' || *str_end != '\0')
+    return grub_error (GRUB_ERR_BAD_NUMBER, N_("TPM handle value '%s' is not a number"), value);
+
+  if (num > GRUB_UINT_MAX)
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value %llu is too large to be a TPM handle, TPM handles are unsigned 32-bit integers"), (unsigned long long)num);
+
+  *handle = (TPM_HANDLE_t) num;
+
+  return GRUB_ERR_NONE;
+}
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
--- a/grub-core/commands/tpm2_key_protector/tpm2.h
+++ b/grub-core/commands/tpm2_key_protector/tpm2.h
@ -0,0 +1,36 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_TPM2_TPM2_HEADER
+#define GRUB_TPM2_TPM2_HEADER 1
+
+#include <tss2_types.h>
+#include <tss2_structs.h>
+#include <tpm2_cmd.h>
+
+/* Well-Known Windows SRK handle */
+#define TPM2_SRK_HANDLE 0x81000001
+
+struct tpm2_sealed_key {
+  TPM2B_PUBLIC_t  public;
+  TPM2B_PRIVATE_t private;
+};
+typedef struct tpm2_sealed_key tpm2_sealed_key_t;
+
+#endif /* ! GRUB_TPM2_TPM2_HEADER */
--- a/grub-core/commands/tpm2_key_protector/tpm2_args.h
+++ b/grub-core/commands/tpm2_key_protector/tpm2_args.h
@ -0,0 +1,49 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_TPM2_INTERNAL_ARGS_HEADER
+#define GRUB_TPM2_INTERNAL_ARGS_HEADER 1
+
+#include <grub/err.h>
+
+#include "tpm2.h"
+
+struct grub_srk_type
+{
+  TPMI_ALG_PUBLIC_t type;
+  union {
+    TPM_KEY_BITS_t rsa_bits;
+    TPM_ECC_CURVE_t ecc_curve;
+  } detail;
+};
+typedef struct grub_srk_type grub_srk_type_t;
+
+extern grub_err_t
+grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs, grub_uint8_t *pcr_count);
+
+extern grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value, grub_srk_type_t *srk_type);
+
+extern grub_err_t
+grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID_t *bank);
+
+extern grub_err_t
+grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE_t *handle);
+
+#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */
--- a/grub-core/commands/tpm2_key_protector/tpm2key.asn
+++ b/grub-core/commands/tpm2_key_protector/tpm2key.asn
@ -0,0 +1,49 @@
+--
+-- GRUB: GRand Unified Bootloader
+-- Copyright (C) 2024 Free Software Foundation, Inc.
+--
+-- GRUB is free software: you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation, either version 3 of the License, or
+-- (at your option) any later version.
+--
+-- GRUB is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+--
+-- This file describes TPM 2.0 Key File format for libtasn1.
+--  To generate tpm2key_asn1_tab.c: asn1Parser tpm2key.asn
+--
+TPM2KEY {}
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
+
+TPMPolicy ::= SEQUENCE {
+    CommandCode   [0] EXPLICIT INTEGER,
+    CommandPolicy [1] EXPLICIT OCTET STRING
+}
+
+TPMAuthPolicy ::= SEQUENCE {
+    Name    [0] EXPLICIT UTF8String OPTIONAL,
+    Policy  [1] EXPLICIT SEQUENCE OF TPMPolicy
+}
+
+TPMKey ::= SEQUENCE {
+    type        OBJECT IDENTIFIER,
+    emptyAuth   [0] EXPLICIT BOOLEAN OPTIONAL,
+    policy      [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+    secret      [2] EXPLICIT OCTET STRING OPTIONAL,
+    authPolicy  [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+    description [4] EXPLICIT UTF8String OPTIONAL,
+    rsaParent   [5] EXPLICIT BOOLEAN OPTIONAL,
+    parent      INTEGER,
+    pubkey      OCTET STRING,
+    privkey     OCTET STRING
+}
+
+END
--- a/grub-core/commands/tpm2_key_protector/tpm2key.c
+++ b/grub-core/commands/tpm2_key_protector/tpm2key.c
@ -0,0 +1,499 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2023 SUSE LLC
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/list.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+
+#include <tss2_buffer.h>
+
+#include "tpm2key.h"
+
+extern asn1_static_node tpm2key_asn1_tab[];
+const char *sealed_key_oid = "2.23.133.10.1.5";
+
+static int
+asn1_allocate_and_read (asn1_node node, const char *name, void **content, grub_size_t *content_size)
+{
+  grub_uint8_t *tmpstr = NULL;
+  int tmpstr_size = 0;
+  int ret;
+
+  if (content == NULL)
+    return ASN1_MEM_ERROR;
+
+  ret = asn1_read_value (node, name, NULL, &tmpstr_size);
+  if (ret != ASN1_MEM_ERROR)
+    return ret;
+
+  tmpstr = grub_malloc (tmpstr_size);
+  if (tmpstr == NULL)
+    return ASN1_MEM_ERROR;
+
+  ret = asn1_read_value (node, name, tmpstr, &tmpstr_size);
+  if (ret != ASN1_SUCCESS)
+    return ret;
+
+  *content = tmpstr;
+  *content_size = tmpstr_size;
+
+  return ASN1_SUCCESS;
+}
+
+static int
+asn1_read_uint32 (asn1_node node, const char *name, grub_uint32_t *out)
+{
+  grub_uint32_t tmp = 0;
+  grub_uint8_t *ptr;
+  void *data = NULL;
+  grub_size_t data_size;
+  int ret;
+
+  ret = asn1_allocate_and_read (node, name, &data, &data_size);
+  if (ret != ASN1_SUCCESS)
+    return ret;
+
+  /*
+   * ASN.1 INTEGER is encoded in the following format:
+   *
+   * TAG LENGTH OCTECTS
+   *
+   * The integer TAG is 02 and LENGTH is the number of followed OCTECTS in
+   * big endian. For example:
+   *
+   *    0x1: 02 01 01
+   * 0xabcd: 02 02 ab cd
+   *
+   * To decribe 0x1, it only takes 1 octect, so LENGTH is 0x01 and the
+   * octect is 0x01. On the other hand, 0xabcd requires 2 octects: 'ab" and
+   * 'cd', so LENGTH is 0x02.
+   *
+   * This function only expects a uint32 integer, so it rejects any integer
+   * containing more than 4 octects.
+   */
+  if (data_size > 4)
+    {
+      ret = ASN1_MEM_ERROR;
+      goto error;
+    }
+
+  /* Copy the octects into 'tmp' to make it a big-endian uint32 */
+  ptr = (grub_uint8_t *) &tmp + (4 - data_size);
+  grub_memcpy (ptr, data, data_size);
+
+  /* Convert the big-endian integer to host uint32 */
+  tmp = grub_be_to_cpu32 (tmp);
+
+  *out = tmp;
+ error:
+  if (data)
+    grub_free (data);
+  return ret;
+}
+
+grub_err_t
+grub_tpm2key_start_parsing (asn1_node *parsed_tpm2key, void *data, grub_size_t size)
+{
+  asn1_node tpm2key;
+  asn1_node tpm2key_asn1 = NULL;
+  void *type_oid = NULL;
+  grub_size_t type_oid_size = 0;
+  void *empty_auth = NULL;
+  grub_size_t empty_auth_size = 0;
+  int tmp_size = 0;
+  int ret;
+  grub_err_t err;
+
+  /*
+   * TPMKey ::= SEQUENCE {
+   *    type        OBJECT IDENTIFIER,
+   *    emptyAuth   [0] EXPLICIT BOOLEAN OPTIONAL,
+   *    policy      [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+   *    secret      [2] EXPLICIT OCTET STRING OPTIONAL,
+   *    authPolicy  [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+   *    description [4] EXPLICIT UTF8String OPTIONAL,
+   *    rsaParent   [5] EXPLICIT BOOLEAN OPTIONAL,
+   *    parent      INTEGER,
+   *    pubkey      OCTET STRING,
+   *    privkey     OCTET STRING
+   * }
+   */
+  ret = asn1_array2tree (tpm2key_asn1_tab, &tpm2key_asn1, NULL);
+  if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to parse TPM2KEY ASN.1 array");
+
+  ret = asn1_create_element (tpm2key_asn1, "TPM2KEY.TPMKey", &tpm2key);
+  if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to create TPM2KEY.TPMKey");
+
+  ret = asn1_der_decoding (&tpm2key, data, size, NULL);
+  if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to decode TPM2KEY DER");
+
+  /* Check if 'type' is Sealed Key or not */
+  ret = asn1_allocate_and_read (tpm2key, "type", &type_oid, &type_oid_size);
+  if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "not a valid TPM2KEY file");
+
+  if (grub_memcmp (sealed_key_oid, type_oid, type_oid_size) != 0)
+    {
+      err = grub_error (GRUB_ERR_BAD_FILE_TYPE, "not a valid TPM2KEY file");
+      goto error;
+    }
+
+  /* 'emptyAuth' must be 'TRUE' since we don't support password authorization */
+  ret = asn1_allocate_and_read (tpm2key, "emptyAuth", &empty_auth, &empty_auth_size);
+  if (ret != ASN1_SUCCESS || grub_strncmp ("TRUE", empty_auth, empty_auth_size) != 0)
+    {
+      err = grub_error (GRUB_ERR_BAD_ARGUMENT, "emptyAuth not TRUE");
+      goto error;
+    }
+
+  /* 'secret' should not be in a sealed key */
+  ret = asn1_read_value (tpm2key, "secret", NULL, &tmp_size);
+  if (ret != ASN1_ELEMENT_NOT_FOUND)
+    {
+      err = grub_error (GRUB_ERR_BAD_ARGUMENT, "\"secret\" not allowed for Sealed Key");
+      goto error;
+    }
+
+  *parsed_tpm2key = tpm2key;
+
+  err = GRUB_ERR_NONE;
+
+ error:
+  grub_free (type_oid);
+  grub_free (empty_auth);
+
+  return err;
+}
+
+void
+grub_tpm2key_end_parsing (asn1_node tpm2key)
+{
+  asn1_delete_structure (&tpm2key);
+  tpm2key = NULL;
+}
+
+grub_err_t
+grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent)
+{
+  void *bool_str = NULL;
+  grub_size_t bool_str_size = 0;
+  int ret;
+
+  if (rsaparent == NULL)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "NULL pointer detected");
+
+  if (tpm2key == NULL)
+    return grub_error (GRUB_ERR_READ_ERROR, "invalid parent node");
+
+  ret = asn1_allocate_and_read (tpm2key, "rsaParent", &bool_str, &bool_str_size);
+  if (ret == ASN1_SUCCESS)
+    {
+      if (grub_strncmp ("TRUE", bool_str, bool_str_size) == 0)
+	*rsaparent = 1;
+      else
+	*rsaparent = 0;
+    }
+  else if (ret == ASN1_ELEMENT_NOT_FOUND)
+    *rsaparent = 0;
+  else
+    return grub_error (GRUB_ERR_READ_ERROR, "failed to retrieve rsaParent");
+
+  grub_free (bool_str);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent)
+{
+  int ret;
+
+  if (parent == NULL)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "NULL pointer detected");
+
+  if (tpm2key == NULL)
+    return grub_error (GRUB_ERR_READ_ERROR, "invalid parent node");
+
+  ret = asn1_read_uint32 (tpm2key, "parent", parent);
+  if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_READ_ERROR, "failed to retrieve parent");
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+tpm2key_get_octstring (asn1_node tpm2key, const char *name, void **data, grub_size_t *size)
+{
+  int ret;
+
+  if (name == NULL || data == NULL || size == NULL)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid parameter(s)");
+
+  if (tpm2key == NULL)
+    return grub_error (GRUB_ERR_READ_ERROR, "invalid %s node", name);
+
+  ret = asn1_allocate_and_read (tpm2key, name, data, size);
+  if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_READ_ERROR, "failed to retrieve %s", name);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2key_get_pubkey (asn1_node tpm2key, void **data, grub_size_t *size)
+{
+  return tpm2key_get_octstring (tpm2key, "pubkey", data, size);
+}
+
+grub_err_t
+grub_tpm2key_get_privkey (asn1_node tpm2key, void **data, grub_size_t *size)
+{
+  return tpm2key_get_octstring (tpm2key, "privkey", data, size);
+}
+
+/*
+ * The maximum and minimum number of elements for 'policy' and 'authPolicy' sequences
+ *
+ * Although there is no limit for the number of sequences elements, we set the upper
+ * bound to 99 to make it easier to implement the code.
+ *
+ * Any 'policy' or 'authPolicy' contains more than 99 commands/policies would become
+ * extremely complex to manage so it is impractical to support such use case.
+ */
+#define TPM2KEY_ELEMENTS_MAX 99
+#define TPM2KEY_ELEMENTS_MIN 1
+
+/*
+ * The string to fetch 'Policy' from 'authPolicy':
+ *   authPolicy.?XX.Policy
+ */
+#define AUTHPOLICY_POL_MAX_STR "authPolicy.?XX.Policy"
+#define AUTHPOLICY_POL_MAX (sizeof (AUTHPOLICY_POL_MAX_STR))
+
+/*
+ * Expected strings for CommandCode and CommandPolicy:
+ *   policy.?XX.CommandCode
+ *   policy.?XX.CommandPolicy
+ *   authPolicy.?XX.Policy.?YY.CommandCode
+ *   authPolicy.?XX.Policy.?YY.CommandPolicy
+ */
+#define CMD_CODE_MAX_STR AUTHPOLICY_POL_MAX_STR".?YY.CommandCode"
+#define CMD_POL_MAX_STR  AUTHPOLICY_POL_MAX_STR".?YY.CommandPolicy"
+#define CMD_CODE_MAX (sizeof (CMD_CODE_MAX_STR))
+#define CMD_POL_MAX  (sizeof (CMD_POL_MAX_STR))
+
+static int
+tpm2key_get_policy_seq (asn1_node tpm2key, const char *prefix,
+			tpm2key_policy_t *policy_seq)
+{
+  tpm2key_policy_t tmp_seq = NULL;
+  tpm2key_policy_t policy = NULL;
+  int policy_n;
+  char cmd_code[CMD_CODE_MAX];
+  char cmd_pol[CMD_POL_MAX];
+  grub_size_t cmd_policy_len;
+  int i;
+  int ret;
+
+  ret = asn1_number_of_elements (tpm2key, prefix, &policy_n);
+  if (ret != ASN1_SUCCESS)
+    return ret;
+
+  /*
+   * Limit the number of policy commands to two digits (99)
+   * Although there is no upper bound for the number of policy commands,
+   * in practice, it takes one or two policy commands to unseal the key,
+   * so the 99 commands limit is more than enough.
+   */
+  if (policy_n > TPM2KEY_ELEMENTS_MAX || policy_n < TPM2KEY_ELEMENTS_MIN)
+    return ASN1_VALUE_NOT_VALID;
+
+  /*
+   * Iterate the policy commands backwards since grub_list_push() prepends
+   * the item into the list.
+   */
+  for (i = policy_n; i >= 1; i--) {
+    policy = grub_zalloc (sizeof (struct tpm2key_policy));
+    if (policy == NULL)
+      {
+	ret = ASN1_MEM_ALLOC_ERROR;
+	goto error;
+      }
+    grub_snprintf (cmd_code, CMD_CODE_MAX, "%s.?%d.CommandCode", prefix, i);
+    grub_snprintf (cmd_pol, CMD_POL_MAX, "%s.?%d.CommandPolicy", prefix, i);
+
+    /* CommandCode   [0] EXPLICIT INTEGER */
+    ret = asn1_read_uint32 (tpm2key, cmd_code, &policy->cmd_code);
+    if (ret != ASN1_SUCCESS)
+      return ret;
+
+    /* CommandPolicy [1] EXPLICIT OCTET STRING */
+    ret = tpm2key_get_octstring (tpm2key, cmd_pol, &policy->cmd_policy,
+				 &cmd_policy_len);
+    if (ret != ASN1_SUCCESS)
+      {
+	goto error;
+      }
+    else if (cmd_policy_len > GRUB_TPM2_BUFFER_CAPACITY)
+      {
+	/*
+	 * CommandPolicy is the marshalled parameters for the TPM command so
+	 * it should not be larger than the maximum TPM2 buffer.
+	 */
+	ret = ASN1_VALUE_NOT_VALID;
+	goto error;
+      }
+    policy->cmd_policy_len = (grub_uint16_t)cmd_policy_len;
+
+    /* Prepend the policy command into the sequence */
+    grub_list_push (GRUB_AS_LIST_P (&tmp_seq), GRUB_AS_LIST (policy));
+  }
+
+  *policy_seq = tmp_seq;
+
+  return ASN1_SUCCESS;
+
+ error:
+  if (policy != NULL)
+    {
+      grub_free (policy->cmd_policy);
+      grub_free (policy);
+    }
+  grub_tpm2key_free_policy_seq (tmp_seq);
+
+  return ret;
+}
+
+grub_err_t
+grub_tpm2key_get_policy_seq (asn1_node tpm2key, tpm2key_policy_t *policy_seq)
+{
+  int ret;
+
+  ret = tpm2key_get_policy_seq (tpm2key, "policy", policy_seq);
+  if (ret == ASN1_ELEMENT_NOT_FOUND)
+    {
+      /* "policy" is optional, so it may not be available */
+      *policy_seq = NULL;
+      return GRUB_ERR_NONE;
+    }
+  else if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_READ_ERROR, "failed to retrieve policy");
+
+  return GRUB_ERR_NONE;
+}
+
+void
+grub_tpm2key_free_policy_seq (tpm2key_policy_t policy_seq)
+{
+  tpm2key_policy_t policy;
+  tpm2key_policy_t next;
+
+  if (policy_seq == NULL)
+    return;
+
+  FOR_LIST_ELEMENTS_SAFE (policy, next, policy_seq)
+    {
+      grub_free (policy->cmd_policy);
+      grub_free (policy);
+    }
+}
+
+grub_err_t
+grub_tpm2key_get_authpolicy_seq (asn1_node tpm2key, tpm2key_authpolicy_t *authpol_seq)
+{
+  tpm2key_authpolicy_t tmp_seq = NULL;
+  tpm2key_authpolicy_t authpol = NULL;
+  int authpol_n;
+  char authpol_pol[AUTHPOLICY_POL_MAX];
+  int i;
+  int ret;
+  grub_err_t err;
+
+  ret = asn1_number_of_elements (tpm2key, "authPolicy", &authpol_n);
+  if (ret == ASN1_ELEMENT_NOT_FOUND)
+    {
+      /* "authPolicy" is optional, so it may not be available */
+      *authpol_seq = NULL;
+      return GRUB_ERR_NONE;
+    }
+  else if (ret != ASN1_SUCCESS)
+    return grub_error (GRUB_ERR_READ_ERROR, "failed to retrieve authPolicy");
+
+  /* Limit the number of authPolicy elements to two digits (99) */
+  if (authpol_n > TPM2KEY_ELEMENTS_MAX || authpol_n < TPM2KEY_ELEMENTS_MIN)
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, "invalid number of authPolicy elements");
+
+  /*
+   * Iterate the authPolicy elements backwards since grub_list_push() prepends
+   * the item into the list.
+   */
+  for (i = authpol_n; i >= 1; i--) {
+    authpol = grub_zalloc (sizeof (struct tpm2key_authpolicy));
+    if (authpol == NULL)
+      {
+	err = grub_error (GRUB_ERR_OUT_OF_MEMORY, "failed to allocate memory for authPolicy");
+	goto error;
+      }
+    grub_snprintf (authpol_pol, AUTHPOLICY_POL_MAX, "authPolicy.?%d.Policy", i);
+
+    ret = tpm2key_get_policy_seq (tpm2key, authpol_pol, &authpol->policy_seq);
+    if (ret != ASN1_SUCCESS)
+      {
+        err = grub_error (GRUB_ERR_READ_ERROR, "failed to retrieve policy from authPolicy");
+        goto error;
+      }
+
+    /* Prepend the authPolicy element into the sequence */
+    grub_list_push (GRUB_AS_LIST_P (&tmp_seq), GRUB_AS_LIST (authpol));
+  }
+
+  *authpol_seq = tmp_seq;
+
+  return GRUB_ERR_NONE;
+
+ error:
+  if (authpol != NULL)
+    {
+      grub_tpm2key_free_policy_seq (authpol->policy_seq);
+      grub_free (authpol);
+    }
+
+  grub_tpm2key_free_authpolicy_seq (tmp_seq);
+
+  return err;
+}
+
+void
+grub_tpm2key_free_authpolicy_seq (tpm2key_authpolicy_t authpol_seq)
+{
+  tpm2key_authpolicy_t authpol;
+  tpm2key_authpolicy_t next;
+
+  if (authpol_seq == NULL)
+    return;
+
+  FOR_LIST_ELEMENTS_SAFE (authpol, next, authpol_seq)
+    {
+      grub_tpm2key_free_policy_seq (authpol->policy_seq);
+      grub_free (authpol);
+    }
+}
--- a/grub-core/commands/tpm2_key_protector/tpm2key.h
+++ b/grub-core/commands/tpm2_key_protector/tpm2key.h
@ -0,0 +1,87 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2023 SUSE LLC
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_TPM2_TPM2KEY_HEADER
+#define GRUB_TPM2_TPM2KEY_HEADER 1
+
+#include <grub/types.h>
+#include <libtasn1.h>
+
+/*
+ * TPMPolicy ::= SEQUENCE {
+ *   CommandCode   [0] EXPLICIT INTEGER,
+ *   CommandPolicy [1] EXPLICIT OCTET STRING
+ * }
+ */
+struct tpm2key_policy {
+  struct tpm2key_policy *next;
+  struct tpm2key_policy **prev;
+  grub_uint32_t cmd_code;
+  void *cmd_policy;
+  grub_uint16_t cmd_policy_len;
+};
+typedef struct tpm2key_policy *tpm2key_policy_t;
+
+/*
+ * TPMAuthPolicy ::= SEQUENCE {
+ *   Name    [0] EXPLICIT UTF8String OPTIONAL,
+ *   Policy  [1] EXPLICIT SEQUENCE OF TPMPolicy
+ * }
+ *
+ * Name is not a necessary part to unseal the key. Ignore it.
+ */
+struct tpm2key_authpolicy {
+  struct tpm2key_authpolicy *next;
+  struct tpm2key_authpolicy **prev;
+  /* char *name; */
+  tpm2key_policy_t policy_seq;
+};
+typedef struct tpm2key_authpolicy *tpm2key_authpolicy_t;
+
+extern grub_err_t
+grub_tpm2key_start_parsing (asn1_node *parsed_tpm2key, void *data, grub_size_t size);
+
+extern void
+grub_tpm2key_end_parsing (asn1_node tpm2key);
+
+extern grub_err_t
+grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent);
+
+extern grub_err_t
+grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent);
+
+extern grub_err_t
+grub_tpm2key_get_pubkey (asn1_node tpm2key, void **data, grub_size_t *size);
+
+extern grub_err_t
+grub_tpm2key_get_privkey (asn1_node tpm2key, void **data, grub_size_t *size);
+
+extern grub_err_t
+grub_tpm2key_get_policy_seq (asn1_node tpm2key, tpm2key_policy_t *policy_seq);
+
+extern void
+grub_tpm2key_free_policy_seq (tpm2key_policy_t policy_seq);
+
+extern grub_err_t
+grub_tpm2key_get_authpolicy_seq (asn1_node tpm2key, tpm2key_authpolicy_t *authpol_seq);
+
+extern void
+grub_tpm2key_free_authpolicy_seq (tpm2key_authpolicy_t authpol_seq);
+
+#endif /* GRUB_TPM2_TPM2KEY_HEADER */
--- a/grub-core/commands/tpm2_key_protector/tpm2key_asn1_tab.c
+++ b/grub-core/commands/tpm2_key_protector/tpm2key_asn1_tab.c
@ -0,0 +1,63 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ *  This file is generated by 'asn1Parser tpm2key.asn' and the '#include'
+ *  headers are replaced with the ones in grub2.
+ *  - 'grub/mm.h' for the definition of 'NULL'
+ *  - 'libtasn1.h' for the definition of 'asn1_static_node'
+ */
+
+#include <grub/mm.h>
+#include <libtasn1.h>
+
+const asn1_static_node tpm2key_asn1_tab[] = {
+  { "TPM2KEY", 536875024, NULL },
+  { NULL, 1073741836, NULL },
+  { "TPMPolicy", 1610612741, NULL },
+  { "CommandCode", 1610620931, NULL },
+  { NULL, 2056, "0"},
+  { "CommandPolicy", 536879111, NULL },
+  { NULL, 2056, "1"},
+  { "TPMAuthPolicy", 1610612741, NULL },
+  { "Name", 1610637346, NULL },
+  { NULL, 2056, "0"},
+  { "Policy", 536879115, NULL },
+  { NULL, 1073743880, "1"},
+  { NULL, 2, "TPMPolicy"},
+  { "TPMKey", 536870917, NULL },
+  { "type", 1073741836, NULL },
+  { "emptyAuth", 1610637316, NULL },
+  { NULL, 2056, "0"},
+  { "policy", 1610637323, NULL },
+  { NULL, 1073743880, "1"},
+  { NULL, 2, "TPMPolicy"},
+  { "secret", 1610637319, NULL },
+  { NULL, 2056, "2"},
+  { "authPolicy", 1610637323, NULL },
+  { NULL, 1073743880, "3"},
+  { NULL, 2, "TPMAuthPolicy"},
+  { "description", 1610637346, NULL },
+  { NULL, 2056, "4"},
+  { "rsaParent", 1610637316, NULL },
+  { NULL, 2056, "5"},
+  { "parent", 1073741827, NULL },
+  { "pubkey", 1073741831, NULL },
+  { "privkey", 7, NULL },
+  { NULL, 0, NULL }
+};
--- a/grub-core/commands/videoinfo.c
+++ b/grub-core/commands/videoinfo.c
@ -136,7 +136,7 @@ grub_cmd_videoinfo (grub_command_t cmd __attribute__ ((unused)),
  ctx.height = ctx.width = ctx.depth = 0;
  if (argc)
    {
-      char *ptr;
+      const char *ptr;
      ptr = args[0];
      ctx.width = grub_strtoul (ptr, &ptr, 0);
      if (grub_errno)
@ -191,6 +191,11 @@ grub_cmd_videoinfo (grub_command_t cmd __attribute__ ((unused)),
 	  /* Don't worry about errors.  */
 	  grub_errno = GRUB_ERR_NONE;
      }
+    else if (id != GRUB_VIDEO_DRIVER_NONE)
+      {
+	grub_puts_ (N_("  A video driver is active, cannot initialize this driver until it is deactivated\n"));
+	continue;
+      }
    else
      {
 	if (adapter->init ())
--- a/grub-core/commands/wildcard.c
+++ b/grub-core/commands/wildcard.c
@ -23,6 +23,7 @@
 #include <grub/file.h>
 #include <grub/device.h>
 #include <grub/script_sh.h>
+#include <grub/safemath.h>

 #include <regex.h>

@ -48,6 +49,7 @@ merge (char **dest, char **ps)
  int i;
  int j;
  char **p;
+  grub_size_t sz;

  if (! dest)
    return ps;
@ -60,7 +62,12 @@ merge (char **dest, char **ps)
  for (j = 0; ps[j]; j++)
    ;

-  p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
+  if (grub_add (i, j, &sz) ||
+      grub_add (sz, 1, &sz) ||
+      grub_mul (sz, sizeof (char *), &sz))
+    return dest;
+
+  p = grub_realloc (dest, sz);
  if (! p)
    {
      grub_free (dest);
@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
  char ch;
  int i = 0;
  unsigned len = end - start;
-  char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
+  char *buffer;
+  grub_size_t sz;

+  /* Worst case size is (len * 2 + 2 + 1). */
+  if (grub_mul (len, 2, &sz) ||
+      grub_add (sz, 3, &sz))
+    return 1;
+
+  buffer = grub_malloc (sz);
  if (! buffer)
    return 1;

@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
  struct match_devices_ctx *ctx = data;
  char **t;
  char *buffer;
+  grub_size_t sz;

  /* skip partitions if asked to. */
  if (ctx->noparts && grub_strchr (name, ','))
@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
  if (regexec (ctx->regexp, buffer, 0, 0, 0))
    {
      grub_dprintf ("expand", "not matched\n");
+ fail:
      grub_free (buffer);
      return 0;
    }

-  t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
+  if (grub_add (ctx->ndev, 2, &sz) ||
+      grub_mul (sz, sizeof (char *), &sz))
+    goto fail;
+
+  t = grub_realloc (ctx->devs, sz);
  if (! t)
    {
      grub_free (buffer);
@ -300,6 +320,7 @@ match_files_iter (const char *name,
  struct match_files_ctx *ctx = data;
  char **t;
  char *buffer;
+  grub_size_t sz;

  /* skip . and .. names */
  if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
@ -315,9 +336,14 @@ match_files_iter (const char *name,
  if (! buffer)
    return 1;

-  t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
+  if (grub_add (ctx->nfile, 2, &sz) ||
+      grub_mul (sz, sizeof (char *), &sz))
+    goto fail;
+
+  t = grub_realloc (ctx->files, sz);
  if (!t)
    {
+ fail:
      grub_free (buffer);
      return 1;
    }
--- a/grub-core/disk/AFSplitter.c
+++ b/grub-core/disk/AFSplitter.c
@ -21,9 +21,12 @@
 */

 #include <grub/crypto.h>
+#include <grub/dl.h>
 #include <grub/mm.h>
 #include <grub/misc.h>

+GRUB_MOD_LICENSE ("GPLv2+");
+
 gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
 			  grub_uint8_t * dst, grub_size_t blocksize,
 			  grub_size_t blocknumbers);
--- a/grub-core/disk/ahci.c
+++ b/grub-core/disk/ahci.c
@ -152,8 +152,7 @@ struct grub_ahci_device

 static grub_err_t
 grub_ahci_readwrite_real (struct grub_ahci_device *dev,
-			  struct grub_disk_ata_pass_through_parms *parms,
-			  int spinup, int reset);
+			  struct grub_disk_ata_pass_through_parms *parms, int reset);


 enum
@ -573,7 +572,7 @@ grub_ahci_pciinit (grub_pci_device_t dev,
 	/*  struct grub_disk_ata_pass_through_parms parms2;
 	    grub_memset (&parms2, 0, sizeof (parms2));
 	    parms2.taskfile.cmd = 8;
-	    grub_ahci_readwrite_real (dev, &parms2, 1, 1);*/
+	    grub_ahci_readwrite_real (dev, &parms2, 1);*/
      }

  endtime = grub_get_time_ms () + 32000;
@ -908,15 +907,14 @@ grub_ahci_reset_port (struct grub_ahci_device *dev, int force)
      dev->hba->ports[dev->port].sata_error = dev->hba->ports[dev->port].sata_error;
      grub_memset (&parms2, 0, sizeof (parms2));
      parms2.taskfile.cmd = 8;
-      return grub_ahci_readwrite_real (dev, &parms2, 1, 1);
+      return grub_ahci_readwrite_real (dev, &parms2, 1);
    }
  return GRUB_ERR_NONE;
 }

 static grub_err_t
 grub_ahci_readwrite_real (struct grub_ahci_device *dev,
-			  struct grub_disk_ata_pass_through_parms *parms,
-			  int spinup, int reset)
+			  struct grub_disk_ata_pass_through_parms *parms, int reset)
 {
  struct grub_pci_dma_chunk *bufc;
  grub_uint64_t endtime;
@ -1038,7 +1036,7 @@ grub_ahci_readwrite_real (struct grub_ahci_device *dev,
  grub_dprintf ("ahci", "AHCI tfd = %x\n",
 		dev->hba->ports[dev->port].task_file_data);

-  endtime = grub_get_time_ms () + (spinup ? 20000 : 20000);
+  endtime = grub_get_time_ms () + 20000;
  while ((dev->hba->ports[dev->port].command_issue & 1))
    if (grub_get_time_ms () > endtime ||
 	(dev->hba->ports[dev->port].intstatus & GRUB_AHCI_HBA_PORT_IS_FATAL_MASK))
@ -1097,9 +1095,9 @@ grub_ahci_readwrite_real (struct grub_ahci_device *dev,
 static grub_err_t
 grub_ahci_readwrite (grub_ata_t disk,
 		     struct grub_disk_ata_pass_through_parms *parms,
-		     int spinup)
+		     int spinup __attribute__((__unused__)))
 {
-  return grub_ahci_readwrite_real (disk->data, parms, spinup, 0);
+  return grub_ahci_readwrite_real (disk->data, parms, 0);
 }

 static grub_err_t
--- a/grub-core/disk/ata.c
+++ b/grub-core/disk/ata.c
@ -112,10 +112,10 @@ grub_ata_identify (struct grub_ata *dev)
    return grub_atapi_identify (dev);

  info64 = grub_malloc (GRUB_DISK_SECTOR_SIZE);
+  if (info64 == NULL)
+    return grub_errno;
  info32 = (grub_uint32_t *) info64;
  info16 = (grub_uint16_t *) info64;
-  if (! info16)
-    return grub_errno;

  grub_memset (&parms, 0, sizeof (parms));
  parms.buffer = info16;
@ -181,10 +181,7 @@ grub_ata_identify (struct grub_ata *dev)
      if (secsize & (secsize - 1) || !secsize
 	  || secsize > 1048576)
 	secsize = 256;
-      for (dev->log_sector_size = 0;
-	   (1U << dev->log_sector_size) < secsize;
-	   dev->log_sector_size++);
-      dev->log_sector_size++;
+      dev->log_sector_size = grub_log2ull (secsize) + 1;
    }
  else
    dev->log_sector_size = 9;
@ -219,8 +216,9 @@ grub_ata_setaddress (struct grub_ata *dev,
 	if (dev->sectors_per_track == 0
 	    || dev->heads == 0)
 	  return grub_error (GRUB_ERR_OUT_OF_RANGE,
-			     "sector %d cannot be addressed "
-			     "using CHS addressing", sector);
+			     "sector %" PRIxGRUB_UINT64_T " cannot be "
+			     "addressed using CHS addressing",
+			     sector);

 	/* Calculate the sector, cylinder and head to use.  */
 	sect = ((grub_uint32_t) sector % dev->sectors_per_track) + 1;
@ -232,8 +230,9 @@ grub_ata_setaddress (struct grub_ata *dev,
 	    || cylinder > dev->cylinders
 	    || head > dev->heads)
 	  return grub_error (GRUB_ERR_OUT_OF_RANGE,
-			     "sector %d cannot be addressed "
-			     "using CHS addressing", sector);
+			     "sector %" PRIxGRUB_UINT64_T " cannot be "
+			     "addressed using CHS addressing",
+			     sector);

 	parms->taskfile.disk = 0xE0 | head;
 	parms->taskfile.sectnum = sect;
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@ -20,10 +20,12 @@
 #include <grub/dl.h>
 #include <grub/disk.h>
 #include <grub/mm.h>
+#include <grub/command.h>
 #include <grub/err.h>
 #include <grub/misc.h>
 #include <grub/diskfilter.h>
 #include <grub/partition.h>
+#include <grub/safemath.h>
 #ifdef GRUB_UTIL
 #include <grub/i18n.h>
 #include <grub/util/misc.h>
@ -148,7 +150,7 @@ scan_disk_partition_iter (grub_disk_t disk, grub_partition_t p, void *data)
 	if (m->disk && m->disk->id == disk->id
 	    && m->disk->dev->id == disk->dev->id
 	    && m->part_start == grub_partition_get_start (disk->partition)
-	    && m->part_size == grub_disk_get_size (disk))
+	    && m->part_size == grub_disk_native_sectors (disk))
 	  return 0;
    }

@ -226,14 +228,27 @@ scan_devices (const char *arname)
  int need_rescan;

  for (pull = 0; pull < GRUB_DISK_PULL_MAX; pull++)
+    {
+      /* look up the crytodisk devices first */
      for (p = grub_disk_dev_list; p; p = p->next)
-      if (p->id != GRUB_DISK_DEVICE_DISKFILTER_ID
-	  && p->disk_iterate)
+	if (p->id == GRUB_DISK_DEVICE_CRYPTODISK_ID && p->disk_iterate)
 	  {
 	    if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
 	      return;
 	    if (arname && is_lv_readable (find_lv (arname), 1))
 	      return;
+	    break;
+	  }
+
+      /* check the devices other than crytodisk */
+      for (p = grub_disk_dev_list; p; p = p->next)
+	if (p->id != GRUB_DISK_DEVICE_DISKFILTER_ID && p->disk_iterate)
+	  {
+	    if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
+	      return;
+	    if (arname && is_lv_readable (find_lv (arname), 1))
+	      return;
+	  }
    }

  scan_depth = 0;
@ -300,6 +315,8 @@ grub_diskfilter_memberlist (grub_disk_t disk)
  grub_disk_dev_t p;
  struct grub_diskfilter_vg *vg;
  struct grub_diskfilter_lv *lv2 = NULL;
+  struct grub_diskfilter_segment *seg;
+  unsigned int i, j;

  if (!lv->vg->pvs)
    return NULL;
@ -331,27 +348,52 @@ grub_diskfilter_memberlist (grub_disk_t disk)
 	    }
    }

-  for (pv = lv->vg->pvs; pv; pv = pv->next)
+  for (i = 0, seg = lv->segments; i < lv->segment_count; i++, seg++)
+    for (j = 0; j < seg->node_count; ++j)
+      if (seg->nodes[j].pv != NULL)
 	{
-      if (!pv->disk)
+	  pv = seg->nodes[j].pv;
+
+	  if (pv->disk == NULL)
 	    {
-	  /* TRANSLATORS: This message kicks in during the detection of
-	     which modules needs to be included in core image. This happens
-	     in the case of degraded RAID and means that autodetection may
-	     fail to include some of modules. It's an installation time
-	     message, not runtime message.  */
+	      /*
+	       * TRANSLATORS: This message kicks in during the detection of
+	       * which modules needs to be included in core image. This happens
+	       * in the case of degraded RAID and means that autodetection may
+	       * fail to include some of modules. It's an installation time
+	       * message, not runtime message.
+	       */
 	      grub_util_warn (_("Couldn't find physical volume `%s'."
 				" Some modules may be missing from core image."),
 			      pv->name);
 	      continue;
 	    }
+
+	  for (tmp = list; tmp != NULL; tmp = tmp->next)
+	    if (!grub_strcmp (tmp->disk->name, pv->disk->name))
+	      break;
+	  if (tmp != NULL)
+	    continue;
+
 	  tmp = grub_malloc (sizeof (*tmp));
+	  if (tmp == NULL)
+	    goto fail;
 	  tmp->disk = pv->disk;
 	  tmp->next = list;
 	  list = tmp;
 	}

  return list;
+
+ fail:
+  while (list != NULL)
+    {
+      tmp = list;
+      list = list->next;
+      grub_free (tmp);
+    }
+
+  return NULL;
 }

 void
@ -693,7 +735,7 @@ read_segment (struct grub_diskfilter_segment *seg, grub_disk_addr_t sector,
    case GRUB_DISKFILTER_RAID6:
      {
 	grub_disk_addr_t read_sector;
-	grub_uint64_t b, p, n, disknr, e;
+	grub_uint64_t b, p, n, disknr;

 	/* n = 1 for level 4 and 5, 2 for level 6.  */
 	n = seg->type / 3;
@ -743,7 +785,6 @@ read_segment (struct grub_diskfilter_segment *seg, grub_disk_addr_t sector,
 	    if (read_size > size)
 	      read_size = size;

-	    e = 0;
 	    /* Reset read error.  */
 	    if (grub_errno == GRUB_ERR_READ_ERROR
 		|| grub_errno == GRUB_ERR_UNKNOWN_DEVICE)
@ -757,7 +798,6 @@ read_segment (struct grub_diskfilter_segment *seg, grub_disk_addr_t sector,
 	    if ((err) && (err != GRUB_ERR_READ_ERROR
 			  && err != GRUB_ERR_UNKNOWN_DEVICE))
 	      return err;
-	    e++;

 	    if (err)
 	      {
@ -941,8 +981,6 @@ grub_diskfilter_vg_register (struct grub_diskfilter_vg *vg)

  for (lv = vg->lvs; lv; lv = lv->next)
    {
-      grub_err_t err;
-
      /* RAID 1 and single-disk RAID 0 don't use a chunksize but code
         assumes one so set one. */
      for (i = 0; i < lv->segment_count; i++)
@ -954,6 +992,10 @@ grub_diskfilter_vg_register (struct grub_diskfilter_vg *vg)
 	      && lv->segments[i].stripe_size == 0)
 	    lv->segments[i].stripe_size = 64;
 	}
+    }
+  for (lv = vg->lvs; lv; lv = lv->next)
+    {
+      grub_err_t err;

      err = validate_lv(lv);
      if (err)
@ -969,7 +1011,8 @@ grub_diskfilter_vg_register (struct grub_diskfilter_vg *vg)
 	    for (p = vgp->lvs; p; p = p->next)
 	      {
 		int cur_num;
-		char *num, *end;
+		char *num;
+		const char *end;
 		if (!p->fullname)
 		  continue;
 		if (grub_strncmp (p->fullname, lv->fullname, len) != 0)
@ -1013,11 +1056,18 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
 {
  struct grub_diskfilter_vg *array;
  int i;
-  grub_size_t j;
+  grub_size_t j, sz;
  grub_uint64_t totsize;
  struct grub_diskfilter_pv *pv;
  grub_err_t err;

+  /* We choose not to support more than the specified number of disks. */
+  if (nmemb < 1 || nmemb > GRUB_MDRAID_MAX_DISKS)
+    {
+      grub_free (uuid);
+      return NULL;
+    }
+
  switch (level)
    {
    case 1:
@ -1107,7 +1157,11 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
    }
  array->lvs->vg = array;

-  array->lvs->idname = grub_malloc (sizeof ("mduuid/") + 2 * uuidlen);
+  if (grub_mul (uuidlen, 2, &sz) ||
+      grub_add (sz, sizeof ("mduuid/"), &sz))
+    goto fail;
+
+  array->lvs->idname = grub_malloc (sz);
  if (!array->lvs->idname)
    goto fail;

@ -1134,7 +1188,10 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
  array->lvs->segments->node_count = nmemb;
  array->lvs->segments->raid_member_size = disk_size;
  array->lvs->segments->nodes
-    = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0]));
+    = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
+  if (array->lvs->segments->nodes == NULL)
+    goto fail;
+
  array->lvs->segments->stripe_size = stripe_size;
  for (i = 0; i < nmemb; i++)
    {
@ -1189,13 +1246,13 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,

  grub_dprintf ("diskfilter", "Inserting %s (+%lld,%lld) into %s (%s)\n", disk->name,
 		(unsigned long long) grub_partition_get_start (disk->partition),
-		(unsigned long long) grub_disk_get_size (disk),
+		(unsigned long long) grub_disk_native_sectors (disk),
 		array->name, diskfilter->name);
 #ifdef GRUB_UTIL
  grub_util_info ("Inserting %s (+%" GRUB_HOST_PRIuLONG_LONG ",%"
 		  GRUB_HOST_PRIuLONG_LONG ") into %s (%s)\n", disk->name,
 		  (unsigned long long) grub_partition_get_start (disk->partition),
-		  (unsigned long long) grub_disk_get_size (disk),
+		  (unsigned long long) grub_disk_native_sectors (disk),
 		  array->name, diskfilter->name);
  array->driver = diskfilter;
 #endif
@ -1209,7 +1266,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
 	struct grub_diskfilter_lv *lv;
 	/* FIXME: Check whether the update time of the superblocks are
 	   the same.  */
-	if (pv->disk && grub_disk_get_size (disk) >= pv->part_size)
+	if (pv->disk && grub_disk_native_sectors (disk) >= pv->part_size)
 	  return GRUB_ERR_NONE;
 	pv->disk = grub_disk_open (disk->name);
 	if (!pv->disk)
@ -1218,7 +1275,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
 	   raid device, we shouldn't change it.  */
 	pv->start_sector -= pv->part_start;
 	pv->part_start = grub_partition_get_start (disk->partition);
-	pv->part_size = grub_disk_get_size (disk);
+	pv->part_size = grub_disk_native_sectors (disk);

 #ifdef GRUB_UTIL
 	{
@ -1226,7 +1283,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
 	  grub_partition_t p;
 	  for (p = disk->partition; p; p = p->parent)
 	    s++;
-	  pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0]));
+	  pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0]));
 	  s = 0;
 	  for (p = disk->partition; p; p = p->parent)
 	    pv->partmaps[s++] = xstrdup (p->partmap->name);
@ -1310,7 +1367,7 @@ grub_diskfilter_get_pv_from_disk (grub_disk_t disk,
 	if (pv->disk && pv->disk->id == disk->id
 	    && pv->disk->dev->id == disk->dev->id
 	    && pv->part_start == grub_partition_get_start (disk->partition)
-	    && pv->part_size == grub_disk_get_size (disk))
+	    && pv->part_size == grub_disk_native_sectors (disk))
 	  {
 	    if (vg_out)
 	      *vg_out = vg;
@ -1321,6 +1378,86 @@ grub_diskfilter_get_pv_from_disk (grub_disk_t disk,
 }
 #endif

+static int
+grub_diskfilter_check_pvs_encrypted (grub_disk_t disk, int *pvs_cnt)
+{
+  struct grub_diskfilter_lv *lv = disk->data;
+  struct grub_diskfilter_pv *pv;
+
+  *pvs_cnt = 0;
+
+  if (lv->vg->pvs)
+    for (pv = lv->vg->pvs; pv; pv = pv->next)
+      {
+        (*pvs_cnt)++;
+
+        if (pv->disk == NULL)
+          {
+            /* Can be a partially activated VG, bail out. */
+            return GRUB_ERR_TEST_FAILURE;
+          }
+
+        if (pv->disk->dev->id != GRUB_DISK_DEVICE_CRYPTODISK_ID)
+          {
+            /* All backing devices must be cryptodisks, stop. */
+            return GRUB_ERR_TEST_FAILURE;
+          }
+      }
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_cmd_cryptocheck (grub_command_t cmd __attribute__ ((unused)),
+               int argc, char **args)
+{
+  grub_disk_t disk;
+  int check_pvs_res;
+  int namelen;
+  int pvs_cnt;
+  int opt_quiet = 0;
+
+  if (argc == 2)
+    {
+      if (grub_strcmp (args[0], "--quiet") == 0)
+	{
+	  opt_quiet = 1;
+	  argc--;
+	  args++;
+	}
+      else
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("unrecognized option: %s"), args[0]);
+    }
+
+  if (argc != 1)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("disk name expected"));
+
+  namelen = grub_strlen (args[0]);
+  if (namelen > 2 && (args[0][0] == '(') && (args[0][namelen - 1] == ')'))
+    args[0][namelen - 1] = 0;
+  else
+    return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("invalid disk: %s"),
+                       args[0]);
+
+  if (!is_valid_diskfilter_name (&args[0][1]))
+    return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("unrecognized disk: %s"),
+                       &args[0][1]);
+
+  disk = grub_disk_open (&args[0][1]);
+  if (disk == NULL)
+    return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("no such disk: %s"),
+                       &args[0][1]);
+
+  check_pvs_res = grub_diskfilter_check_pvs_encrypted (disk, &pvs_cnt);
+  grub_disk_close (disk);
+  if (!opt_quiet)
+    grub_printf ("%s is %sencrypted (%d pv%s examined)\n", &args[0][1],
+		 (check_pvs_res == GRUB_ERR_NONE) ? "" : "un",
+		 pvs_cnt,
+		 (pvs_cnt > 1) ? "s" : "");
+
+  return check_pvs_res;
+}
+
 static struct grub_disk_dev grub_diskfilter_dev =
  {
    .name = "diskfilter",
@ -1337,14 +1474,21 @@ static struct grub_disk_dev grub_diskfilter_dev =
    .next = 0
  };

+static grub_command_t cmd;
+

 GRUB_MOD_INIT(diskfilter)
 {
  grub_disk_dev_register (&grub_diskfilter_dev);
+  cmd = grub_register_command ("cryptocheck", grub_cmd_cryptocheck,
+                                N_("[--quiet] DEVICE"),
+                                N_("Check if a logical volume resides on encrypted disks."));
 }

 GRUB_MOD_FINI(diskfilter)
 {
  grub_disk_dev_unregister (&grub_diskfilter_dev);
+  if (cmd != NULL)
+    grub_unregister_command (cmd);
  free_array ();
 }
--- a/Show more
+++ b/Show more