cryptocheck: Add --quiet option

The option can be used to suppress output if we only want to test the return value of the command. Also, mention this option in the documentation. Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
disk/cryptodisk: Wipe the passphrase from memory
2025-07-05 08:36:59 +00:00 · 2025-05-06 17:14:04 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00
862 changed files with 60467 additions and 67387 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+po/exclude.pot binary
--- a/.gitignore
+++ b/.gitignore
@ -1,237 +1,285 @@
-*~
-00_header
-10_*
-20_linux_xen
-30_os-prober
-40_custom
-41_custom
+#
+# Ignore patterns in this directory and all subdirectories.
+#
 *.1
 *.8
-ABOUT-NLS
-aclocal.m4
-ahci_test
-ascii.bitmaps
-ascii.h
-autom4te.cache
-build-aux
-build-grub-gen-asciih
-build-grub-gen-widthspec
-build-grub-mkfont
-cdboot_test
-cmp_test
-config.cache
-config.guess
-config.h
-config-util.h
-config-util.h.in
-config.log
-config.status
-config.sub
-configure
-core_compress_test
-DISTLIST
-docs/*.info
-docs/stamp-vti
-docs/version.texi
-ehci_test
-example_grub_script_test
-example_scripted_test
-example_unit_test
+*.a
 *.exec
 *.exec.exe
-fddboot_test
-genkernsyms.sh
-gensymlist.sh
-gentrigtables
-gentrigtables.exe
-gettext_strings_test
-/gnulib
-grub-bin2h
-/grub-bios-setup
-/grub-bios-setup.exe
-grub_cmd_date
-grub_cmd_echo
-grub_cmd_regexp
-grub_cmd_set_date
-grub_cmd_sleep
-/grub-editenv
-/grub-editenv.exe
-grub-emu
-grub-emu-lite
-grub-emu.exe
-grub-emu-lite.exe
-grub_emu_init.c
-grub_emu_init.h
-/grub-file
-/grub-file.exe
-grub-fstest
-grub-fstest.exe
-grub_fstest_init.c
-grub_fstest_init.h
-grub_func_test
-grub-install
-grub-install.exe
-grub-kbdcomp
-/grub-macbless
-/grub-macbless.exe
-grub-macho2img
-/grub-menulst2cfg
-/grub-menulst2cfg.exe
-/grub-mk*
-grub-mount
-/grub-ofpathname
-/grub-ofpathname.exe
-grub-core/build-grub-pe2elf.exe
-/grub-probe
-/grub-probe.exe
-grub_probe_init.c
-grub_probe_init.h
-/grub-reboot
-grub_script_blanklines
-grub_script_blockarg
-grub_script_break
-grub-script-check
-grub-script-check.exe
-grub_script_check_init.c
-grub_script_check_init.h
-grub_script_comments
-grub_script_continue
-grub_script_dollar
-grub_script_echo1
-grub_script_echo_keywords
-grub_script_escape_comma
-grub_script_eval
-grub_script_expansion
-grub_script_final_semicolon
-grub_script_for1
-grub_script_functions
-grub_script_gettext
-grub_script_if
-grub_script_leading_whitespace
-grub_script_no_commands
-grub_script_not
-grub_script_return
-grub_script_setparams
-grub_script_shift
-grub_script_strcmp
-grub_script_test
-grub_script_vars1
-grub_script_while1
-grub_script.tab.c
-grub_script.tab.h
-grub_script.yy.c
-grub_script.yy.h
-grub-set-default
-grub_setup_init.c
-grub_setup_init.h
-grub-shell
-grub-shell-tester
-grub-sparc64-setup
-grub-sparc64-setup.exe
-/grub-syslinux2cfg
-/grub-syslinux2cfg.exe
-gzcompress_test
-hddboot_test
-help_test
-*.img
 *.image
 *.image.exe
-include/grub/cpu
-include/grub/machine
-INSTALL.grub
-install-sh
-lib/libgcrypt-grub
-libgrub_a_init.c
+*.img
 *.log
 *.lst
-lzocompress_test
 *.marker
-Makefile
-/m4
 *.mod
-mod-*.c
-missing
-netboot_test
 *.o
-*.a
-ohci_test
-partmap_test
-pata_test
 *.pf2
 *.pp
-po/*.mo
-po/grub.pot
-po/Makefile.in.in
-po/Makevars
-po/Makevars.template
-po/POTFILES
-po/Rules-quot
-po/stamp-po
-printf_test
-priority_queue_unit_test
-pseries_test
-stamp-h
-stamp-h1
-stamp-h.in
-symlist.c
-symlist.h
-trigtables.c
+*.pyc
 *.trs
-uhci_test
-update-grub_lib
-unidata.c
-xzcompress_test
-Makefile.in
+*~
+.deps-core/
+.deps-util/
+.deps/
+.dirstamp
+DISTLIST
 GPATH
 GRTAGS
 GSYMS
 GTAGS
-compile
-depcomp
+Makefile
+Makefile.in
+ascii.bitmaps
+genkernsyms.sh
+gensymlist.sh
+grub-bin2h
+grub-emu
+grub-emu-lite
+grub-emu-lite.exe
+grub-emu.exe
+grub-macho2img
+grub_emu_init.c
+grub_emu_init.h
+grub_probe_init.c
+grub_probe_init.h
+grub_script.tab.c
+grub_script.tab.h
+grub_script.yy.c
+grub_script.yy.h
+grub_script_check_init.c
+grub_script_check_init.h
+grub_setup_init.c
+grub_setup_init.h
 mdate-sh
-texinfo.tex
-grub-core/lib/libgcrypt-grub
-.deps
-.deps-util
-.deps-core
-.dirstamp
-Makefile.util.am
-contrib
-grub-core/bootinfo.txt
-grub-core/Makefile.core.am
-grub-core/Makefile.gcry.def
-grub-core/contrib
-grub-core/gdb_grub
-grub-core/genmod.sh
-grub-core/gensyminfo.sh
-grub-core/gmodule.pl
-grub-core/grub.chrp
-grub-core/modinfo.sh
-grub-core/*.module
-grub-core/*.module.exe
-grub-core/*.pp
-grub-core/kernel.img.bin
-util/bash-completion.d/grub
-grub-core/lib/gnulib
-grub-core/rs_decoder.h
+mod-*.c
+update-grub_lib
 widthspec.bin
-widthspec.h
-docs/stamp-1
-docs/version-dev.texi
-Makefile.utilgcry.def
-po/*.po
-po/*.gmo
-po/LINGUAS
-po/remove-potcdate.sed
-include/grub/gcrypt/gcrypt.h
-include/grub/gcrypt/g10lib.h
-po/POTFILES.in
-po/POTFILES-shell.in
-/grub-glue-efi
-/grub-render-label
-/grub-glue-efi.exe
-/grub-render-label.exe
+
+#
+# Ignore patterns relative to this .gitignore file's directory.
+#
+/00_header
+/10_*
+/20_linux_xen
+/30_os-prober
+/30_uefi-firmware
+/40_custom
+/41_custom
+/ABOUT-NLS
+/ChangeLog
+/INSTALL.grub
+/Makefile.util.am
+/Makefile.utilgcry.def
+/aclocal.m4
+/ahci_test
+/ascii.h
+/autom4te.cache/
+/btrfs_test
+/build-aux/
+/build-grub-gen-asciih
+/build-grub-gen-widthspec
+/build-grub-mkfont
+/cdboot_test
+/cmp_test
+/compile
+/config-util.h
+/config-util.h.in
+/config.cache
+/config.guess
+/config.h
+/config.log
+/config.status
+/config.sub
+/configure
+/contrib
+/core_compress_test
+/cpio_test
+/date_test
+/depcomp
+/docs/*.info
+/docs/*.info-[0-9]*
+/docs/stamp-1
+/docs/stamp-vti
+/docs/version-dev.texi
+/docs/version.texi
+/ehci_test
+/erofs_test
+/example_grub_script_test
+/example_scripted_test
+/example_unit_test
+/exfat_test
+/ext234_test
+/f2fs_test
+/fat_test
+/fddboot_test
+/file_filter_test
 /garbage-gen
 /garbage-gen.exe
+/gettext_strings_test
+/gnulib/
+/grub-2.[0-9]*/
+/grub-2.[0-9]*.tar.gz
+/grub-bios-setup
+/grub-bios-setup.exe
+/grub-core/*.module
+/grub-core/*.module.exe
+/grub-core/*.pp
+/grub-core/Makefile.core.am
+/grub-core/Makefile.gcry.def
+/grub-core/bootinfo.txt
+/grub-core/build-grub-module-verifier
+/grub-core/build-grub-pe2elf.exe
+/grub-core/contrib
+/grub-core/gdb_grub
+/grub-core/genmod.sh
+/grub-core/gensyminfo.sh
+/grub-core/gentrigtables
+/grub-core/gentrigtables.exe
+/grub-core/gmodule.pl
+/grub-core/grub.chrp
+/grub-core/kernel.img.bin
+/grub-core/lib/gnulib
+/grub-core/lib/libgcrypt-grub
+/grub-core/lib/libtasn1-grub
+/grub-core/modinfo.sh
+/grub-core/rs_decoder.h
+/grub-core/symlist.c
+/grub-core/symlist.h
+/grub-core/tests/asn1/tests
+/grub-core/trigtables.c
+/grub-core/unidata.c
+/grub-editenv
+/grub-editenv.exe
+/grub-file
+/grub-file.exe
 /grub-fs-tester
-grub-core/build-grub-module-verifier
+/grub-fstest
+/grub-fstest.exe
+/grub-glue-efi
+/grub-glue-efi.exe
+/grub-install
+/grub-install.exe
+/grub-kbdcomp
+/grub-macbless
+/grub-macbless.exe
+/grub-menulst2cfg
+/grub-menulst2cfg.exe
+/grub-mk*
+/grub-mount
+/grub-ofpathname
+/grub-ofpathname.exe
+/grub-probe
+/grub-probe.exe
+/grub-protect
+/grub-protect.exe
+/grub-reboot
+/grub-render-label
+/grub-render-label.exe
+/grub-script-check
+/grub-script-check.exe
+/grub-set-default
+/grub-shell
+/grub-shell-tester
+/grub-sparc64-setup
+/grub-sparc64-setup.exe
+/grub-syslinux2cfg
+/grub-syslinux2cfg.exe
+/grub_cmd_date
+/grub_cmd_echo
+/grub_cmd_regexp
+/grub_cmd_set_date
+/grub_cmd_sleep
+/grub_cmd_test
+/grub_cmd_tr
+/grub_fstest_init.c
+/grub_fstest_init.h
+/grub_func_test
+/grub_script_blanklines
+/grub_script_blockarg
+/grub_script_break
+/grub_script_comments
+/grub_script_continue
+/grub_script_dollar
+/grub_script_echo1
+/grub_script_echo_keywords
+/grub_script_escape_comma
+/grub_script_eval
+/grub_script_expansion
+/grub_script_final_semicolon
+/grub_script_for1
+/grub_script_functions
+/grub_script_gettext
+/grub_script_if
+/grub_script_leading_whitespace
+/grub_script_no_commands
+/grub_script_not
+/grub_script_return
+/grub_script_setparams
+/grub_script_shift
+/grub_script_strcmp
+/grub_script_test
+/grub_script_vars1
+/grub_script_while1
+/gzcompress_test
+/hddboot_test
+/help_test
+/hfs_test
+/hfsplus_test
+/include/grub/cpu
+/include/grub/gcrypt/g10lib.h
+/include/grub/gcrypt/gcrypt.h
+/include/grub/machine
+/install-sh
+/iso9660_test
+/jfs_test
+/lib/libgcrypt-grub
+/libgrub_a_init.c
+/lzocompress_test
+/luks1_test
+/luks2_test
+/m4/
+/minixfs_test
+/missing
+/netboot_test
+/nilfs2_test
+/ntfs_test
+/ohci_test
+/partmap_test
+/pata_test
+/po/*.gmo
+/po/*.mo
+/po/*.po
+/po/LINGUAS
+/po/Makefile.in.in
+/po/Makevars
+/po/Makevars.template
+/po/POTFILES
+/po/POTFILES-shell.in
+/po/POTFILES.in
+/po/Rules-quot
+/po/grub.pot
+/po/remove-potcdate.sed
+/po/stamp-po
+/printf_test
+/priority_queue_unit_test
+/pseries_test
+/reiserfs_test
+/romfs_test
+/squashfs_test
+/stamp-h
+/stamp-h.in
+/stamp-h1
+/syslinux_test
+/tar_test
+/test_sha512sum
+/test_unset
+/tests/syslinux/ubuntu10.04_grub.cfg
+/texinfo.tex
+/udf_test
+/uhci_test
+/util/bash-completion.d/grub
+/widthspec.h
+/xfs_test
+/xzcompress_test
+/zfs_test
--- a/.travis.yml
+++ b/.travis.yml
@ -12,6 +12,7 @@ language: c
 addons:
  apt:
    packages:
+    - autopoint
    - libsdl1.2-dev
    - lzop
    - ovmf
@ -35,7 +36,7 @@ before_script:
 script:
  # Comments must be outside the command strings below, or the Travis parser
  # will get confused.
-  - ./autogen.sh
+  - ./bootstrap

  # Build all selected GRUB targets.
  - for target in $GRUB_TARGETS; do
--- a/55487
+++ b/55487
--- a/166
+++ b/166
@ -4,6 +4,10 @@ This is the GRUB.  Welcome.

 This file contains instructions for compiling and installing the GRUB.

+Where this document refers to packages names, they are named according to the
+Debian 11 package repositories. These packages can be found by searching
+https://packages.debian.org/.
+
 The Requirements
 ================

@ -11,33 +15,16 @@ GRUB depends on some software packages installed into your system. If
 you don't have any of them, please obtain and install them before
 configuring the GRUB.

-* GCC 4.1.3 or later
-  Note: older versions may work but support is limited
-
-  Experimental support for clang 3.3 or later (results in much bigger binaries)
+* GCC 5.1.0 or later
+  Experimental support for clang 8.0.0 or later (results in much bigger binaries)
  for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
-  Note: clang 3.2 or later works for i386 and x86_64 targets but results in
-        much bigger binaries.
-	earlier versions not tested
-  Note: clang 3.2 or later works for arm
-	earlier versions not tested
-  Note: clang on arm64 is not supported due to
-	https://llvm.org/bugs/show_bug.cgi?id=26030
-  Note: clang 3.3 or later works for mips(el)
-	earlier versions fail to generate .reginfo and hence gprel relocations
-	fail.
-  Note: clang 3.2 or later works for powerpc
-	earlier versions not tested
-  Note: clang 3.5 or later works for sparc64
-        earlier versions return "error: unable to interface with target machine"
-  Note: clang has no support for ia64 and hence you can't compile GRUB
-	for ia64 with clang
 * GNU Make
 * GNU Bison 2.3 or later
-* GNU gettext 0.17 or later
+* GNU gettext
 * GNU binutils 2.9.1.0.23 or later
 * Flex 2.5.35 or later
 * pkg-config
+* GNU patch
 * Other standard GNU/Unix tools
 * a libc with large file support (e.g. glibc 2.1 or later)

@ -49,24 +36,74 @@ For optional grub-emu features, you need:

 * SDL (recommended)
 * libpciaccess (optional)
-* libusb (optional)

 To build GRUB's graphical terminal (gfxterm), you need:

 * FreeType 2.1.5 or later
 * GNU Unifont

+To build grub-mkfont the unicode fonts are required (xfonts-unifont package
+on Debian).
+
 If you use a development snapshot or want to hack on GRUB you may
 need the following.

-* Python 2.6 or later
-* Autoconf 2.63 or later
-* Automake 1.11 or later
+* Python 3 (NOTE: python 2.6 should still work, but it's not tested)
+* Autoconf 2.64 or later
+* Automake 1.14 or later
+
+Your distro may package cross-compiling toolchains such as the following
+incomplete list on Debian: gcc-aarch64-linux-gnu, gcc-arm-linux-gnueabihf,
+gcc-mips-linux-gnu, gcc-mipsel-linux-gnu, gcc-powerpc64-linux-gnu,
+gcc-riscv64-linux-gnu, gcc-sparc64-linux-gnu, mingw-w64 and mingw-w64-tools.
+
+More cross compiling toolchains can be found at the following trusted sites:
+
+* https://mirrors.kernel.org/pub/tools/crosstool/
+* https://toolchains.bootlin.com/

 Prerequisites for make-check:

-* qemu, specifically the binary 'qemu-system-i386'
+* qemu, specifically the binary "qemu-system-ARCH" where ARCH is the
+  architecture GRUB has been built for; the "qemu-system" package on Debian
+  will install all needed qemu architectures
+* OVMF, for EFI platforms (packages ovmf, ovmf-ia32, qemu-efi-arm, and
+  qemu-efi-aarch64)
+* OpenBIOS, for ieee1275 platforms (packages openbios-ppc and openbios-sparc)
 * xorriso 1.2.9 or later, for grub-mkrescue and grub-shell
+* wamerican, for grub-fs-tester
+* mtools, FAT tools for EFI platforms
+* xfonts-unifont, for the functional tests
+* swtpm-tools and tpm2-tools, for TPM2 key protector tests
+
+* If running a Linux kernel the following modules must be loaded:
+  - fuse, loop
+  - btrfs, erofs, ext4, f2fs, fat, hfs, hfsplus, jfs, mac-roman, minix, nilfs2,
+    reiserfs, udf, xfs
+  - On newer kernels, the exfat kernel modules may be used instead of the
+    exfat FUSE filesystem
+* The following are Debian named packages required mostly for the full
+  suite of filesystem testing (but some are needed by other tests as well):
+  - btrfs-progs, dosfstools, e2fsprogs, erofs-utils, exfatprogs, exfat-fuse,
+    f2fs-tools, genromfs, hfsprogs, jfsutils, nilfs-tools, ntfs-3g,
+    reiserfsprogs, squashfs-tools, reiserfsprogs, udftools, xfsprogs, zfs-fuse
+  - exfat-fuse, if not using the exfat kernel module
+  - gzip, lzop, xz-utils
+  - attr, cpio, g++, gawk, parted, recode, tar, util-linux
+
+Note that `make check' will run and many tests may complete successfully
+with only a subset of these prerequisites. However, some tests may be
+skipped or fail due to missing prerequisites.
+
+To build the documentation you'll need:
+* texinfo, for the info and html documentation
+* texlive, for building the dvi and pdf documentation (optional)
+
+To use the gdb_grub GDB script you'll need:
+* readelf (binutils package)
+* objdump (binutils package)
+* GNU Debugger > 7, built with python support (gdb package)
+* Python >= 3.5 (python3 package)

 Configuring the GRUB
 ====================
@ -104,9 +141,8 @@ The simplest way to compile this package is:
  
  3. Type `./bootstrap'.

-     * autogen.sh (called by bootstrap) uses python. By default the
-       invocation is "python", but it can be overridden by setting the
-       variable $PYTHON.
+     The autogen.sh (called by bootstrap) uses python. By default autodetect
+     it, but it can be overridden by setting the PYTHON variable.

  4. Type `./configure' to configure the package for your system.
     If you're using `csh' on an old version of System V, you might
@ -119,12 +155,16 @@ The simplest way to compile this package is:
  6. Type `make' to compile the package.

  7. Optionally, type `make check' to run any self-tests that come with
-     the package.
+     the package. Note that many of the tests require root privileges in
+     order to run.

  8. Type `make install' to install the programs and any data files and
     documentation.

-  9. You can remove the program binaries and object files from the
+  9. Type `make html' or `make pdf' to generate the html or pdf
+     documentation.  Note, these are not built by default.
+
+ 10. You can remove the program binaries and object files from the
     source code directory by typing `make clean'.  To also remove the
     files that `configure' created (so you can compile the package for
     a different kind of computer), type `make distclean'.  There is
@ -160,42 +200,59 @@ For this example the configure line might look like (more details below)
 (some options are optional and included here for completeness but some rarely
 used options are omitted):

-./configure BUILD_CC=gcc BUILD_PKG_CONFIG=pkg-config --host=amd64-linux-gnu
-CC=amd64-linux-gnu-gcc CFLAGS="-g -O2" PKG_CONFIG=amd64-linux-gnu-pkg-config
--target=arm --with-platform=uboot TARGET_CC=arm-elf-gcc
-TARGET_CFLAGS="-Os -march=armv6" TARGET_CCASFLAGS="-march=armv6"
-TARGET_OBJCOPY="arm-elf-objcopy" TARGET_STRIP="arm-elf-strip"
-TARGET_NM=arm-elf-nm TARGET_RANLIB=arm-elf-ranlib LEX=gflex
+  ./configure --build=sparc64-freebsd --host=x86_64-linux-gnu \
+    --target=arm-linux-gnueabihf --with-platform=efi \
+    BUILD_CC=gcc BUILD_PKG_CONFIG=pkg-config \
+    HOST_CC=x86_64-linux-gnu-gcc HOST_CFLAGS='-g -O2' \
+    PKG_CONFIG=x86_64-linux-gnu-pkg-config TARGET_CC=arm-linux-gnueabihf-gcc \
+    TARGET_CFLAGS='-Os -march=armv8.3-a' TARGET_CCASFLAGS='-march=armv8.3-a' \
+    TARGET_OBJCOPY=arm-linux-gnueabihf-objcopy \
+    TARGET_STRIP=arm-linux-gnueabihf-strip TARGET_NM=arm-linux-gnueabihf-nm \
+    TARGET_RANLIB=arm-linux-gnueabihf-ranlib LEX=flex
+
+Note, that the autoconf 2.65 manual states that when using the --host argument
+to configure, the --build argument should be specified as well. Not sending
+--build, enters a compatibility mode that will be removed in the future.
+
+Normally, for building a GRUB on amd64 with tools to run on amd64 to
+generate images to run on ARM, using your Linux distribution's
+packaged cross compiler, the following would suffice:
+
+  ./configure --target=arm-linux-gnueabihf --with-platform=efi

 You need to use following options to specify tools and platforms. For minimum
 version look at prerequisites. All tools not mentioned in this section under
 corresponding platform are not needed for the platform in question.

  - For build
-    1. BUILD_CC= to gcc able to compile for build. This is used, for
+    1. --build= to autoconf name of build.
+    2. BUILD_CC= to gcc able to compile for build. This is used, for
       example, to compile build-gentrigtables which is then run to
       generate sin and cos tables.
-    2. BUILD_CFLAGS= for C options for build.
-    3. BUILD_CPPFLAGS= for C preprocessor options for build.
-    4. BUILD_LDFLAGS= for linker options for build.
-    5. BUILD_PKG_CONFIG= for pkg-config for build (optional).
+    3. BUILD_CFLAGS= for C options for build.
+    4. BUILD_CPPFLAGS= for C preprocessor options for build.
+    5. BUILD_LDFLAGS= for linker options for build.
+    6. BUILD_PKG_CONFIG= for pkg-config for build (optional).

  - For host
    1. --host= to autoconf name of host.
-    2. CC= for gcc able to compile for host
-    3. HOST_CFLAGS= for C options for host.
-    4. HOST_CPPFLAGS= for C preprocessor options for host.
-    5. HOST_LDFLAGS= for linker options for host.
-    6. PKG_CONFIG= for pkg-config for host (optional).
-    7. Libdevmapper if any must be in standard linker folders (-ldevmapper) (optional).
-    8. Libfuse if any must be in standard linker folders (-lfuse) (optional).
-    9. Libzfs if any must be in standard linker folders (-lzfs) (optional).
-    10. Liblzma if any must be in standard linker folders (-llzma) (optional).
+    2. CC= for gcc able to compile for host.
+    3. CFLAGS= for C options for host.
+    4. HOST_CC= for gcc able to compile for host.
+    5. HOST_CFLAGS= for C options for host.
+    6. HOST_CPPFLAGS= for C preprocessor options for host.
+    7. HOST_LDFLAGS= for linker options for host.
+    8. PKG_CONFIG= for pkg-config for host (optional).
+    9. Libdevmapper if any must be in standard linker folders (-ldevmapper) (optional).
+    10. Libfuse if any must be in standard linker folders (-lfuse) (optional).
+    11. Libzfs if any must be in standard linker folders (-lzfs) (optional).
+    12. Liblzma if any must be in standard linker folders (-llzma) (optional).
+    Note: The HOST_* variables override not prefixed variables.

  - For target
    1. --target= to autoconf cpu name of target.
    2. --with-platform to choose firmware.
-    3. TARGET_CC= for gcc able to compile for target
+    3. TARGET_CC= for gcc able to compile for target.
    4. TARGET_CFLAGS= for C options for target.
    5. TARGET_CPPFLAGS= for C preprocessor options for target.
    6. TARGET_CCASFLAGS= for assembler options for target.
@ -204,11 +261,14 @@ corresponding platform are not needed for the platform in question.
    9. TARGET_STRIP= for strip for target.
    10. TARGET_NM= for nm for target.
    11. TARGET_RANLIB= for ranlib for target.
+    Note: If the TARGET_* variables are not specified then they will default
+          to be the same as the host variables. If host variables are not
+          specified then the TARGET_* variables will default to be the same
+          as not prefixed variables.

  - Additionally for emu, for host and target.
    1. SDL is looked for in standard linker directories (-lSDL) (optional)
    2. libpciaccess is looked for in standard linker directories (-lpciaccess) (optional)
-    3. libusb is looked for in standard linker directories (-lusb) (optional)

  - Platform-agnostic tools and data.
    1. make is the tool you execute after ./configure.
--- a/35
+++ b/35
@ -0,0 +1,35 @@
+List of current GRUB maintainers and some basic information about the project
+=============================================================================
+
+Here is the list of current GRUB maintainers:
+  - Daniel Kiper <daniel.kiper@oracle.com> and <dkiper@net-space.pl>,
+  - Alex Burmashev <alexander.burmashev@oracle.com>,
+  - Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>.
+
+The maintainers drive and overlook the GRUB development.
+
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
+The GRUB development happens on the grub-devel mailing list [1]. The latest
+GRUB source code is available at Savannah git repository [2].
+
+Users can ask for help on the help-grub mailing list [3].
+
+
+List of past GRUB maintainers and people who strongly contributed to the project
+================================================================================
+
+Here is the list, sorted alphabetically, of past GRUB maintainers and people who
+strongly contributed to the project:
+  - Andrei Borzenkov,
+  - Bryan Ford,
+  - Erich Stefan Boleyn,
+  - Gordon Matzigkeit,
+  - Yoshinori K. Okuji.
+
+
+[1] https://lists.gnu.org/mailman/listinfo/grub-devel
+[2] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
+[3] https://lists.gnu.org/mailman/listinfo/help-grub
--- a/Makefile.am
+++ b/Makefile.am
@ -24,6 +24,15 @@ CCASFLAGS_PROGRAM += $(CCASFLAGS_GNULIB)

 include $(srcdir)/Makefile.util.am

+check_SCRIPTS = $(check_SCRIPTS_native) $(check_SCRIPTS_nonnative)
+check_PROGRAMS = $(check_PROGRAMS_native) $(check_PROGRAMS_nonnative)
+TESTS = $(check_SCRIPTS) $(check_PROGRAMS)
+
+check-native:
+	$(MAKE) TESTS="$(check_PROGRAMS_native) $(check_SCRIPTS_native)" check
+check-nonnative:
+	$(MAKE) TESTS="$(check_PROGRAMS_nonnative) $(check_SCRIPTS_nonnative)" check
+
 # XXX Use Automake's LEX & YACC support
 grub_script.tab.h: $(top_srcdir)/grub-core/script/parser.y
 	$(YACC) -d -p grub_script_yy -b grub_script $(top_srcdir)/grub-core/script/parser.y
@ -37,13 +46,13 @@ grub_script.yy.c: grub_script.yy.h
 CLEANFILES += grub_script.yy.c grub_script.yy.h

 # For libgrub.a
-libgrub.pp: grub_script.tab.h grub_script.yy.h $(libgrubmods_a_SOURCES) $(libgrubkern_a_SOURCES)
+libgrub.pp: config-util.h grub_script.tab.h grub_script.yy.h $(libgrubmods_a_SOURCES) $(libgrubkern_a_SOURCES)
 	$(CPP) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libgrubmods_a_CPPFLAGS) $(libgrubkern_a_CPPFLAGS) $(CPPFLAGS) \
 	  -D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
 CLEANFILES += libgrub.pp

 libgrub_a_init.lst: libgrub.pp
-	cat $< | grep '@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
+	cat $< | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
 CLEANFILES += libgrub_a_init.lst

 libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
@ -51,13 +60,13 @@ libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
 CLEANFILES += libgrub_a_init.c

 # For grub-fstest
-grub_fstest.pp: $(grub_fstest_SOURCES)
+grub_fstest.pp: config-util.h $(grub_fstest_SOURCES)
 	$(CPP) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(grub_fstest_CPPFLAGS) $(CPPFLAGS) \
 	  -D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
 CLEANFILES += grub_fstest.pp

 grub_fstest_init.lst: libgrub.pp grub_fstest.pp
-	cat $^ | grep '@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
+	cat $^ | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
 CLEANFILES += grub_fstest_init.lst

 grub_fstest_init.c: grub_fstest_init.lst $(top_srcdir)/geninit.sh
@ -473,8 +482,6 @@ ChangeLog: FORCE
 		touch $@; \
 	fi

-EXTRA_DIST += ChangeLog ChangeLog-2015
-
 syslinux_test: $(top_builddir)/config.status tests/syslinux/ubuntu10.04_grub.cfg

 # Mimic simplify_filename from grub-core/lib/syslinux_parse.c, so that we
--- a/Makefile.util.def
+++ b/Makefile.util.def
@ -3,7 +3,7 @@ AutoGen definitions Makefile.tpl;
 library = {
  name = libgrubkern.a;
  cflags = '$(CFLAGS_GNULIB)';
-  cppflags = '$(CPPFLAGS_GNULIB)';
+  cppflags = '$(CPPFLAGS_GNULIB) -I$(srcdir)/grub-core/lib/json';

  common = util/misc.c;
  common = grub-core/kern/command.c;
@ -36,8 +36,11 @@ library = {
  common = grub-core/kern/misc.c;
  common = grub-core/kern/partition.c;
  common = grub-core/lib/crypto.c;
+  common = grub-core/lib/json/json.c;
  common = grub-core/disk/luks.c;
+  common = grub-core/disk/luks2.c;
  common = grub-core/disk/geli.c;
+  common = grub-core/disk/key_protector.c;
  common = grub-core/disk/cryptodisk.c;
  common = grub-core/disk/AFSplitter.c;
  common = grub-core/lib/pbkdf2.c;
@ -53,7 +56,7 @@ library = {

 library = {
  name = libgrubmods.a;
-  cflags = '-fno-builtin -Wno-undef';
+  cflags = '-fno-builtin -Wno-undef -Wno-unused-but-set-variable';
  cppflags = '-I$(srcdir)/grub-core/lib/minilzo -I$(srcdir)/grub-core/lib/xzembed -I$(srcdir)/grub-core/lib/zstd -DMINILZO_HAVE_CONFIG_H';

  common_nodist = grub_script.tab.c;
@ -96,6 +99,7 @@ library = {
  common = grub-core/fs/cpio_be.c;
  common = grub-core/fs/odc.c;
  common = grub-core/fs/newc.c;
+  common = grub-core/fs/erofs.c;
  common = grub-core/fs/ext2.c;
  common = grub-core/fs/fat.c;
  common = grub-core/fs/exfat.c;
@ -139,7 +143,7 @@ library = {
  common = grub-core/lib/crc.c;
  common = grub-core/lib/adler32.c;
  common = grub-core/lib/crc64.c;
-  common = grub-core/normal/datetime.c;
+  common = grub-core/lib/datetime.c;
  common = grub-core/normal/misc.c;
  common = grub-core/partmap/acorn.c;
  common = grub-core/partmap/amiga.c;
@ -161,6 +165,7 @@ library = {
  common = grub-core/kern/ia64/dl_helper.c;
  common = grub-core/kern/arm/dl_helper.c;
  common = grub-core/kern/arm64/dl_helper.c;
+  common = grub-core/kern/loongarch64/dl_helper.c;
  common = grub-core/lib/minilzo/minilzo.c;
  common = grub-core/lib/xzembed/xz_dec_bcj.c;
  common = grub-core/lib/xzembed/xz_dec_lzma2.c;
@ -201,7 +206,32 @@ program = {
  ldadd = grub-core/lib/gnulib/libgnu.a;
  ldadd = '$(LIBLZMA)';
  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
-  cppflags = '-DGRUB_PKGLIBDIR=\"$(pkglibdir)\"';
+};
+
+program = {
+  name = grub-protect;
+  mansection = 1;
+
+  common = grub-core/kern/emu/argp_common.c;
+  common = grub-core/osdep/init.c;
+  common = grub-core/lib/tss2/buffer.c;
+  common = grub-core/lib/tss2/tss2_mu.c;
+  common = grub-core/lib/tss2/tpm2_cmd.c;
+  common = grub-core/commands/tpm2_key_protector/args.c;
+  common = grub-core/commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+  common = util/grub-protect.c;
+  common = util/probe.c;
+
+  cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
+
+  ldadd = libgrubmods.a;
+  ldadd = libgrubgcry.a;
+  ldadd = libgrubkern.a;
+  ldadd = grub-core/lib/gnulib/libgnu.a;
+  ldadd = '$(LIBTASN1)';
+  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+
+  condition = COND_GRUB_PROTECT;
 };

 program = {
@ -240,8 +270,19 @@ program = {

  common = util/grub-editenv.c;
  common = util/editenv.c;
+  common = util/grub-install-common.c;
  common = grub-core/osdep/init.c;
+  common = grub-core/osdep/compress.c;
+  extra_dist = grub-core/osdep/unix/compress.c;
+  extra_dist = grub-core/osdep/basic/compress.c;
+  common = util/mkimage.c;
+  common = util/grub-mkimage32.c;
+  common = util/grub-mkimage64.c;
+  common = grub-core/osdep/config.c;
+  common = util/config.c;
+  common = util/resolve.c;

+  ldadd = '$(LIBLZMA)';
  ldadd = libgrubmods.a;
  ldadd = libgrubgcry.a;
  ldadd = libgrubkern.a;
@ -297,11 +338,13 @@ program = {
  common = grub-core/disk/host.c;
  common = grub-core/osdep/init.c;

+  cflags = '$(FUSE_CFLAGS)';
+
  ldadd = libgrubmods.a;
  ldadd = libgrubgcry.a;
  ldadd = libgrubkern.a;
  ldadd = grub-core/lib/gnulib/libgnu.a;
-  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) -lfuse';
+  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
  condition = COND_GRUB_MOUNT;
 };

@ -496,12 +539,24 @@ script = {
  condition = COND_HOST_LINUX;
 };

+script = {
+  name = '25_bli';
+  common = util/grub.d/25_bli.in;
+  installdir = grubconf;
+};
+
 script = {
  name = '30_os-prober';
  common = util/grub.d/30_os-prober.in;
  installdir = grubconf;
 };

+script = {
+  name = '30_uefi-firmware';
+  common = util/grub.d/30_uefi-firmware.in;
+  installdir = grubconf;
+};
+
 script = {
  name = '40_custom';
  common = util/grub.d/40_custom.in;
@ -723,6 +778,12 @@ script = {
  installdir = noinst;
 };

+script = {
+  name = grub-shell-luks-tester;
+  common = tests/util/grub-shell-luks-tester.in;
+  installdir = noinst;
+};
+
 script = {
  name = grub-fs-tester;
  common = tests/util/grub-fs-tester.in;
@ -731,470 +792,512 @@ script = {
 };

 script = {
-  testcase;
+  testcase = native;
+  name = erofs_test;
+  common = tests/erofs_test.in;
+};
+
+script = {
+  testcase = native;
  name = ext234_test;
  common = tests/ext234_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = squashfs_test;
  common = tests/squashfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = iso9660_test;
  common = tests/iso9660_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = hfsplus_test;
  common = tests/hfsplus_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = ntfs_test;
  common = tests/ntfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = reiserfs_test;
  common = tests/reiserfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = fat_test;
  common = tests/fat_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = minixfs_test;
  common = tests/minixfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = xfs_test;
  common = tests/xfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = f2fs_test;
  common = tests/f2fs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = nilfs2_test;
  common = tests/nilfs2_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = romfs_test;
  common = tests/romfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = exfat_test;
  common = tests/exfat_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = tar_test;
  common = tests/tar_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = udf_test;
  common = tests/udf_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = hfs_test;
  common = tests/hfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = jfs_test;
  common = tests/jfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = btrfs_test;
  common = tests/btrfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = zfs_test;
  common = tests/zfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = cpio_test;
  common = tests/cpio_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = example_scripted_test;
  common = tests/example_scripted_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = gettext_strings_test;
  common = tests/gettext_strings_test.in;
  extra_dist = po/exclude.pot;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = pata_test;
  common = tests/pata_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ahci_test;
  common = tests/ahci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = uhci_test;
  common = tests/uhci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ohci_test;
  common = tests/ohci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ehci_test;
  common = tests/ehci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = example_grub_script_test;
  common = tests/example_grub_script_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_eval;
  common = tests/grub_script_eval.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_test;
  common = tests/grub_script_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_echo1;
  common = tests/grub_script_echo1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_leading_whitespace;
  common = tests/grub_script_leading_whitespace.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_echo_keywords;
  common = tests/grub_script_echo_keywords.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_vars1;
  common = tests/grub_script_vars1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_for1;
  common = tests/grub_script_for1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_while1;
  common = tests/grub_script_while1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_if;
  common = tests/grub_script_if.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_blanklines;
  common = tests/grub_script_blanklines.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_final_semicolon;
  common = tests/grub_script_final_semicolon.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_dollar;
  common = tests/grub_script_dollar.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_comments;
  common = tests/grub_script_comments.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_functions;
  common = tests/grub_script_functions.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_break;
  common = tests/grub_script_break.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_continue;
  common = tests/grub_script_continue.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_shift;
  common = tests/grub_script_shift.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_blockarg;
  common = tests/grub_script_blockarg.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_setparams;
  common = tests/grub_script_setparams.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_return;
  common = tests/grub_script_return.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
+  name = grub_cmd_cryptomount;
+  common = tests/grub_cmd_cryptomount.in;
+};
+
+script = {
+  testcase = nonnative;
  name = grub_cmd_regexp;
  common = tests/grub_cmd_regexp.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_date;
  common = tests/grub_cmd_date.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_set_date;
  common = tests/grub_cmd_set_date.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_sleep;
  common = tests/grub_cmd_sleep.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_expansion;
  common = tests/grub_script_expansion.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_not;
  common = tests/grub_script_not.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_no_commands;
  common = tests/grub_script_no_commands.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = partmap_test;
  common = tests/partmap_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = hddboot_test;
  common = tests/hddboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = fddboot_test;
  common = tests/fddboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = cdboot_test;
  common = tests/cdboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = netboot_test;
  common = tests/netboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
+  name = serial_test;
+  common = tests/serial_test.in;
+};
+
+script = {
+  testcase = nonnative;
  name = pseries_test;
  common = tests/pseries_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = core_compress_test;
  common = tests/core_compress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = xzcompress_test;
  common = tests/xzcompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = gzcompress_test;
  common = tests/gzcompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = lzocompress_test;
  common = tests/lzocompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_echo;
  common = tests/grub_cmd_echo.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = help_test;
  common = tests/help_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_gettext;
  common = tests/grub_script_gettext.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_escape_comma;
  common = tests/grub_script_escape_comma.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_strcmp;
  common = tests/grub_script_strcmp.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = test_sha512sum;
  common = tests/test_sha512sum.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = test_unset;
  common = tests/test_unset.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_func_test;
  common = tests/grub_func_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_tr;
  common = tests/grub_cmd_tr.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = file_filter_test;
  common = tests/file_filter_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_test;
  common = tests/grub_cmd_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = syslinux_test;
  common = tests/syslinux_test.in;
 };

+script = {
+  testcase = native;
+  name = luks1_test;
+  common = tests/luks1_test.in;
+};
+
+script = {
+  testcase = native;
+  name = luks2_test;
+  common = tests/luks2_test.in;
+};
+
+script = {
+  testcase = native;
+  name = asn1_test;
+  common = tests/asn1_test.in;
+};
+
+script = {
+  testcase = native;
+  name = tpm2_key_protector_test;
+  common = tests/tpm2_key_protector_test.in;
+};
+
 program = {
-  testcase;
+  testcase = native;
  name = example_unit_test;
  common = tests/example_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1209,7 +1312,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = printf_test;
  common = tests/printf_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1224,7 +1327,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = date_test;
  common = tests/date_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1239,7 +1342,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = priority_queue_unit_test;
  common = tests/priority_queue_unit_test.cc;
  common = tests/lib/unit_test.c;
@ -1256,7 +1359,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = cmp_test;
  common = tests/cmp_unit_test.c;
  common = tests/lib/unit_test.c;
--- a/34
+++ b/34
@ -1,3 +1,37 @@
+New in 2.12:
+
+* GCC 13 support.
+* clang 14 support.
+* binutils 2.38 support.
+* Unification of EFI Linux kernel loader across architectures.
+* Transition to EFI Linux kernel stub loader for x86 architecture.
+* Initial support for Boot Loader Interface.
+* Support for dynamic GRUB runtime memory addition using firmware calls.
+* PCI and MMIO UARTs support.
+* SDL2 support.
+* LoongArch support.
+* TPM driver fixes.
+* Many filesystems fixes.
+* Many CVE and Coverity fixes.
+* Debugging support improvements.
+* Tests improvements.
+* Documentation improvements.
+* ...and tons of other fixes and cleanups...
+
+New in 2.06:
+
+* GCC 10 support.
+* clang 10 support.
+* SBAT support.
+* LUKS2 support.
+* Drop small MBR gap support.
+* Xen Security Modules (XSM/FLASK) support.
+* The lockdown mechanism similar to the Linux kernel one.
+* Disable the os-prober by default.
+* Many backports of GRUB distros specific patches.
+* BootHole and BootHole2 fixes.
+* ...and tons of other fixes and cleanups...
+
 New in 2.04:

 * GCC 8 and 9 support.
--- a/6
+++ b/6
@ -7,6 +7,12 @@ See the file NEWS for a description of recent changes to GRUB 2.
 See the file INSTALL for instructions on how to build and install the
 GRUB 2 data and program files.

+See the file MAINTAINERS for information about the GRUB maintainers, etc.
+
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 Please visit the official web page of GRUB 2, for more information.
 The URL is <http://www.gnu.org/software/grub/grub.html>.

--- a/60
+++ b/60
@ -0,0 +1,60 @@
+Security Policy
+===============
+
+To report a vulnerability see "Reporting a Vulnerability" below.
+
+
+Security Incident Policy
+========================
+
+Security bug reports are treated with special attention and are handled
+differently from normal bugs. In particular, security sensitive bugs are not
+handled in public but in private. Information about the bug and access to it
+is restricted to people in the security group, the individual engineers that
+work on fixing it, and any other person who needs to be involved for organisational
+reasons. The process is handled by the security team, which decides on the people
+involved in order to fix the issue. It is also guaranteed that the person reporting
+the issue has visibility into the process of fixing it. Any security issue gets
+prioritized according to its security rating. The issue is opened up to the public
+in coordination with the release schedule and the reporter.
+
+
+Disclosure Policy
+=================
+
+Everyone involved in the handling of a security issue - including the reporter -
+is required to adhere to the following policy. Any information related to
+a security issue must be treated as confidential and only shared with trusted
+partners if necessary, for example to coordinate a release or manage exposure
+of clients to the issue. No information must be disclosed to the public before
+the embargo ends. The embargo time is agreed upon by all involved parties. It
+should be as short as possible without putting any users at risk.
+
+
+Supported Versions
+==================
+
+Only the most recent version of the GRUB is supported.
+
+
+Reporting a Vulnerability
+=========================
+
+The security report should be encrypted with the PGP keys and sent to ALL email
+addresses listed below. Every vulnerability report will be assessed within
+72 hours of receiving it. If the outcome of the assessment is that the report
+describes a security issue, the report will be transferred into an issue on the
+internal vulnerability project for further processing. The reporter is updated
+on each step of the process.
+
+While there's currently no bug bounty program we appreciate every report.
+
+* Contact: Daniel Kiper <daniel.kiper@oracle.com> and
+           Daniel Kiper <dkiper@net-space.pl>
+* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166
+
+* Contact: Alex Burmashev <alexander.burmashev@oracle.com>
+* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E
+
+* Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
+* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4  D1E8 35A9 3B74 E82E 4209
--- a/acinclude.m4
+++ b/acinclude.m4
@ -305,9 +305,9 @@ fi
 ])


-dnl Check if the C compiler supports `-fstack-protector'.
+dnl Check if the C compiler supports the stack protector
 AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[
-[# Smashing stack protector.
+[# Stack smashing protector.
 ssp_possible=yes]
 AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector'])
 # Is this a reliable test case?
@ -324,6 +324,40 @@ else
  ssp_possible=no]
  AC_MSG_RESULT([no])
 [fi]
+[# Strong stack smashing protector.
+ssp_strong_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then]
+  AC_MSG_RESULT([yes])
+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+  rm -f conftest.s
+else
+  ssp_strong_possible=no]
+  AC_MSG_RESULT([no])
+[fi]
+[# Global stack smashing protector.
+ssp_global_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then]
+  AC_MSG_RESULT([yes])
+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+  rm -f conftest.s
+else
+  ssp_global_possible=no]
+  AC_MSG_RESULT([no])
+[fi]
 ])

 dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin).
@ -396,7 +430,7 @@ link_nopie_needed=no]
 AC_MSG_CHECKING([whether linker needs disabling of PIE to work])
 AC_LANG_CONFTEST([AC_LANG_SOURCE([[]])])

-[if eval "$ac_compile -Wl,-r,-d -nostdlib -Werror -o conftest.o" 2> /dev/null; then]
+[if eval "$ac_compile -Wl,-r -nostdlib -Werror -o conftest.o" 2> /dev/null; then]
  AC_MSG_RESULT([no])
  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
  rm -f conftest.o
--- a/autogen.sh
+++ b/autogen.sh
@ -7,13 +7,26 @@ if [ ! -e grub-core/lib/gnulib/stdlib.in.h ]; then
  exit 1
 fi

-# Set ${PYTHON} to plain 'python' if not set already
-: ${PYTHON:=python}
+# Detect python
+if [ -z "$PYTHON" ]; then
+  for i in python3 python3.10 python; do
+    if command -v "$i" > /dev/null 2>&1; then
+      PYTHON="$i"
+      echo "Using $PYTHON..."
+      break
+    fi
+  done
+
+  if [ -z "$PYTHON" ]; then
+    echo "python not found." >&2
+    exit 1
+  fi
+fi

 export LC_COLLATE=C
 unset LC_ALL

-find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c'  ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -iname './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
+find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c'  ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
 find util -iname '*.in' ! -name Makefile.in  |sort > po/POTFILES-shell.in

 echo "Importing unicode..."
@ -38,6 +51,39 @@ for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c mpih-mul1.c mpih-mul2.c mpih-mul
    cp grub-core/lib/libgcrypt-grub/mpi/generic/"$x" grub-core/lib/libgcrypt-grub/mpi/"$x"
 done

+echo "Importing libtasn1..."
+if [ -d grub-core/lib/libtasn1-grub ]; then
+  rm -rf grub-core/lib/libtasn1-grub
+fi
+
+mkdir -p grub-core/lib/libtasn1-grub/lib
+cp grub-core/lib/libtasn1/lib/*.[ch] grub-core/lib/libtasn1-grub/lib
+cp grub-core/lib/libtasn1/libtasn1.h grub-core/lib/libtasn1-grub/
+
+if [ -d grub-core/tests/asn1/tests ]; then
+  rm -rf grub-core/tests/asn1/tests
+fi
+
+mkdir grub-core/tests/asn1/tests
+cp grub-core/lib/libtasn1/tests/*.[ch] grub-core/tests/asn1/tests
+
+for patch in \
+	0001-libtasn1-disable-code-not-needed-in-grub.patch \
+	0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch \
+	0003-libtasn1-replace-strcat-with-_asn1_str_cat.patch \
+	0004-libtasn1-adjust-the-header-paths-in-libtasn1.h.patch \
+	0005-libtasn1-Use-grub_divmod64-for-division.patch \
+	0006-libtasn1-fix-the-potential-buffer-overrun.patch \
+	0007-asn1_test-include-asn1_test.h-only.patch \
+	0008-asn1_test-rename-the-main-functions-to-the-test-name.patch \
+	0009-asn1_test-return-either-0-or-1-to-reflect-the-result.patch \
+	0010-asn1_test-remove-verbose-and-the-unnecessary-printf.patch \
+	0011-asn1_test-print-the-error-messages-with-grub_printf.patch \
+	0012-asn1_test-use-the-grub-specific-functions-and-types.patch \
+	0013-asn1_test-enable-the-testcase-only-when-GRUB_LONG_MA.patch ; do
+  patch -p1 -i grub-core/lib/libtasn1-patches/$patch
+done
+
 echo "Generating Automake input..."

 # Automake doesn't like including files from a path outside the project.
--- a/319
+++ b/319
@ -1,10 +1,10 @@
 #! /bin/sh
 # Print a version string.
-scriptversion=2019-01-04.17; # UTC
+scriptversion=2022-01-26.05; # UTC

 # Bootstrap this package from checked-out sources.

-# Copyright (C) 2003-2019 Free Software Foundation, Inc.
+# Copyright (C) 2003-2022 Free Software Foundation, Inc.

 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -47,7 +47,7 @@ PERL="${PERL-perl}"

 me=$0

-default_gnulib_url=git://git.sv.gnu.org/gnulib
+default_gnulib_url=https://git.savannah.gnu.org/git/gnulib.git

 usage() {
  cat <<EOF
@ -71,7 +71,9 @@ Options:
 --no-git                 do not use git to update gnulib.  Requires that
                          --gnulib-srcdir point to a correct gnulib snapshot
 --skip-po                do not download po files
-
+EOF
+  bootstrap_print_option_usage_hook
+  cat <<EOF
 If the file $me.conf exists in the same directory as this script, its
 contents are read as shell variables to configure the bootstrap.

@ -113,6 +115,12 @@ Running without arguments will suffice in most cases.
 EOF
 }

+copyright_year=`echo "$scriptversion" | sed -e 's/[^0-9].*//'`
+copyright="Copyright (C) ${copyright_year} Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law."
+
 # warnf_ FORMAT-STRING ARG1...
 warnf_ ()
 {
@ -154,6 +162,18 @@ gnulib_files=
 : ${AUTOPOINT=autopoint}
 : ${AUTORECONF=autoreconf}

+# A function to be called for each unrecognized option.  Returns 0 if
+# the option in $1 has been processed by the function.  Returns 1 if
+# the option has not been processed by the function.  Override it via
+# your own definition in bootstrap.conf
+
+bootstrap_option_hook() { return 1; }
+
+# A function to be called in order to print the --help information
+# corresponding to user-defined command-line options.
+
+bootstrap_print_option_usage_hook() { :; }
+
 # A function to be called right after gnulib-tool is run.
 # Override it via your own definition in bootstrap.conf.
 bootstrap_post_import_hook() { :; }
@ -166,11 +186,11 @@ bootstrap_epilogue() { :; }
 # specified directory.  Fill in the first %s with the destination
 # directory and the second with the domain name.
 po_download_command_format=\
-"wget --mirror --level=1 -nd -q -A.po -P '%s' \
+"wget --mirror --level=1 -nd -nv -A.po -P '%s' \
 https://translationproject.org/latest/%s/"

 # Prefer a non-empty tarname (4th argument of AC_INIT if given), else
-# fall back to the package name (1st argument with munging)
+# fall back to the package name (1st argument with munging).
 extract_package_name='
  /^AC_INIT(\[*/{
     s///
@ -187,8 +207,11 @@ extract_package_name='
     p
  }
 '
-package=$(sed -n "$extract_package_name" configure.ac) \
-  || die 'cannot find package name in configure.ac'
+package=$(${AUTOCONF:-autoconf} --trace AC_INIT:\$4 configure.ac 2>/dev/null)
+if test -z "$package"; then
+  package=$(sed -n "$extract_package_name" configure.ac) \
+      || die 'cannot find package name in configure.ac'
+fi
 gnulib_name=lib$package

 build_aux=build-aux
@ -290,62 +313,6 @@ find_tool ()
  eval "export $find_tool_envvar"
 }

-# Override the default configuration, if necessary.
-# Make sure that bootstrap.conf is sourced from the current directory
-# if we were invoked as "sh bootstrap".
-case "$0" in
-  */*) test -r "$0.conf" && . "$0.conf" ;;
-  *) test -r "$0.conf" && . ./"$0.conf" ;;
-esac
-
-if test "$vc_ignore" = auto; then
-  vc_ignore=
-  test -d .git && vc_ignore=.gitignore
-  test -d CVS && vc_ignore="$vc_ignore .cvsignore"
-fi
-
-if test x"$gnulib_modules$gnulib_files$gnulib_extra_files" = x; then
-  use_gnulib=false
-else
-  use_gnulib=true
-fi
-
-# Translate configuration into internal form.
-
-# Parse options.
-
-for option
-do
-  case $option in
-  --help)
-    usage
-    exit;;
-  --gnulib-srcdir=*)
-    GNULIB_SRCDIR=${option#--gnulib-srcdir=};;
-  --skip-po)
-    SKIP_PO=t;;
-  --force)
-    checkout_only_file=;;
-  --copy)
-    copy=true;;
-  --bootstrap-sync)
-    bootstrap_sync=true;;
-  --no-bootstrap-sync)
-    bootstrap_sync=false;;
-  --no-git)
-    use_git=false;;
-  *)
-    die "$option: unknown option";;
-  esac
-done
-
-$use_git || test -d "$GNULIB_SRCDIR" \
-  || die "Error: --no-git requires --gnulib-srcdir"
-
-if test -n "$checkout_only_file" && test ! -r "$checkout_only_file"; then
-  die "Bootstrapping from a non-checked-out distribution is risky."
-fi
-
 # Strip blank and comment lines to leave significant entries.
 gitignore_entries() {
  sed '/^#/d; /^$/d' "$@"
@ -387,6 +354,137 @@ insert_vc_ignore() {
  insert_if_absent "$vc_ignore_file" "$pattern"
 }

+symlink_to_dir()
+{
+  src=$1/$2
+  dst=${3-$2}
+
+  test -f "$src" && {
+
+    # If the destination directory doesn't exist, create it.
+    # This is required at least for "lib/uniwidth/cjk.h".
+    dst_dir=$(dirname "$dst")
+    if ! test -d "$dst_dir"; then
+      mkdir -p "$dst_dir"
+
+      # If we've just created a directory like lib/uniwidth,
+      # tell version control system(s) it's ignorable.
+      # FIXME: for now, this does only one level
+      parent=$(dirname "$dst_dir")
+      for dot_ig in x $vc_ignore; do
+        test $dot_ig = x && continue
+        ig=$parent/$dot_ig
+        insert_vc_ignore $ig "${dst_dir##*/}"
+      done
+    fi
+
+    if $copy; then
+      {
+        test ! -h "$dst" || {
+          echo "$me: rm -f $dst" &&
+          rm -f "$dst"
+        }
+      } &&
+      test -f "$dst" &&
+      cmp -s "$src" "$dst" || {
+        echo "$me: cp -fp $src $dst" &&
+        cp -fp "$src" "$dst"
+      }
+    else
+      # Leave any existing symlink alone, if it already points to the source,
+      # so that broken build tools that care about symlink times
+      # aren't confused into doing unnecessary builds.  Conversely, if the
+      # existing symlink's timestamp is older than the source, make it afresh,
+      # so that broken tools aren't confused into skipping needed builds.  See
+      # <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00326.html>.
+      test -h "$dst" &&
+      src_ls=$(ls -diL "$src" 2>/dev/null) && set $src_ls && src_i=$1 &&
+      dst_ls=$(ls -diL "$dst" 2>/dev/null) && set $dst_ls && dst_i=$1 &&
+      test "$src_i" = "$dst_i" &&
+      both_ls=$(ls -dt "$src" "$dst") &&
+      test "X$both_ls" = "X$dst$nl$src" || {
+        dot_dots=
+        case $src in
+        /*) ;;
+        *)
+          case /$dst/ in
+          *//* | */../* | */./* | /*/*/*/*/*/)
+             die "invalid symlink calculation: $src -> $dst";;
+          /*/*/*/*/)    dot_dots=../../../;;
+          /*/*/*/)      dot_dots=../../;;
+          /*/*/)        dot_dots=../;;
+          esac;;
+        esac
+
+        echo "$me: ln -fs $dot_dots$src $dst" &&
+        ln -fs "$dot_dots$src" "$dst"
+      }
+    fi
+  }
+}
+
+# Override the default configuration, if necessary.
+# Make sure that bootstrap.conf is sourced from the current directory
+# if we were invoked as "sh bootstrap".
+case "$0" in
+  */*) test -r "$0.conf" && . "$0.conf" ;;
+  *) test -r "$0.conf" && . ./"$0.conf" ;;
+esac
+
+if test "$vc_ignore" = auto; then
+  vc_ignore=
+  test -d .git && vc_ignore=.gitignore
+  test -d CVS && vc_ignore="$vc_ignore .cvsignore"
+fi
+
+if test x"$gnulib_modules$gnulib_files$gnulib_extra_files" = x; then
+  use_gnulib=false
+else
+  use_gnulib=true
+fi
+
+# Translate configuration into internal form.
+
+# Parse options.
+
+for option
+do
+  case $option in
+  --help)
+    usage
+    exit;;
+  --version)
+    set -e
+    echo "bootstrap $scriptversion"
+    echo "$copyright"
+    exit 0
+    ;;
+  --gnulib-srcdir=*)
+    GNULIB_SRCDIR=${option#--gnulib-srcdir=};;
+  --skip-po)
+    SKIP_PO=t;;
+  --force)
+    checkout_only_file=;;
+  --copy)
+    copy=true;;
+  --bootstrap-sync)
+    bootstrap_sync=true;;
+  --no-bootstrap-sync)
+    bootstrap_sync=false;;
+  --no-git)
+    use_git=false;;
+  *)
+    bootstrap_option_hook $option || die "$option: unknown option";;
+  esac
+done
+
+$use_git || test -d "$GNULIB_SRCDIR" \
+  || die "Error: --no-git requires --gnulib-srcdir"
+
+if test -n "$checkout_only_file" && test ! -r "$checkout_only_file"; then
+  die "Bootstrapping from a non-checked-out distribution is risky."
+fi
+
 # Die if there is no AC_CONFIG_AUX_DIR($build_aux) line in configure.ac.
 found_aux_dir=no
 grep '^[	 ]*AC_CONFIG_AUX_DIR(\['"$build_aux"'\])' configure.ac \
@ -665,9 +763,25 @@ if $use_gnulib; then
      shallow=
      if test -z "$GNULIB_REVISION"; then
        git clone -h 2>&1 | grep -- --depth > /dev/null && shallow='--depth 2'
+        git clone $shallow ${GNULIB_URL:-$default_gnulib_url} "$gnulib_path" \
+          || cleanup_gnulib
+      else
+        git fetch -h 2>&1 | grep -- --depth > /dev/null && shallow='--depth 2'
+        mkdir -p "$gnulib_path"
+        # Only want a shallow checkout of $GNULIB_REVISION, but git does not
+        # support cloning by commit hash. So attempt a shallow fetch by commit
+        # hash to minimize the amount of data downloaded and changes needed to
+        # be processed, which can drastically reduce download and processing
+        # time for checkout. If the fetch by commit fails, a shallow fetch can
+        # not be performed because we do not know what the depth of the commit
+        # is without fetching all commits. So fallback to fetching all commits.
+        git -C "$gnulib_path" init
+        git -C "$gnulib_path" remote add origin ${GNULIB_URL:-$default_gnulib_url}
+        git -C "$gnulib_path" fetch $shallow origin "$GNULIB_REVISION" \
+          || git -C "$gnulib_path" fetch origin \
+          || cleanup_gnulib
+        git -C "$gnulib_path" reset --hard FETCH_HEAD
      fi
-      git clone $shallow ${GNULIB_URL:-$default_gnulib_url} "$gnulib_path" \
-        || cleanup_gnulib

      trap - 1 2 13 15
    fi
@ -784,75 +898,6 @@ case $SKIP_PO in
  fi;;
 esac

-symlink_to_dir()
-{
-  src=$1/$2
-  dst=${3-$2}
-
-  test -f "$src" && {
-
-    # If the destination directory doesn't exist, create it.
-    # This is required at least for "lib/uniwidth/cjk.h".
-    dst_dir=$(dirname "$dst")
-    if ! test -d "$dst_dir"; then
-      mkdir -p "$dst_dir"
-
-      # If we've just created a directory like lib/uniwidth,
-      # tell version control system(s) it's ignorable.
-      # FIXME: for now, this does only one level
-      parent=$(dirname "$dst_dir")
-      for dot_ig in x $vc_ignore; do
-        test $dot_ig = x && continue
-        ig=$parent/$dot_ig
-        insert_vc_ignore $ig "${dst_dir##*/}"
-      done
-    fi
-
-    if $copy; then
-      {
-        test ! -h "$dst" || {
-          echo "$me: rm -f $dst" &&
-          rm -f "$dst"
-        }
-      } &&
-      test -f "$dst" &&
-      cmp -s "$src" "$dst" || {
-        echo "$me: cp -fp $src $dst" &&
-        cp -fp "$src" "$dst"
-      }
-    else
-      # Leave any existing symlink alone, if it already points to the source,
-      # so that broken build tools that care about symlink times
-      # aren't confused into doing unnecessary builds.  Conversely, if the
-      # existing symlink's timestamp is older than the source, make it afresh,
-      # so that broken tools aren't confused into skipping needed builds.  See
-      # <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00326.html>.
-      test -h "$dst" &&
-      src_ls=$(ls -diL "$src" 2>/dev/null) && set $src_ls && src_i=$1 &&
-      dst_ls=$(ls -diL "$dst" 2>/dev/null) && set $dst_ls && dst_i=$1 &&
-      test "$src_i" = "$dst_i" &&
-      both_ls=$(ls -dt "$src" "$dst") &&
-      test "X$both_ls" = "X$dst$nl$src" || {
-        dot_dots=
-        case $src in
-        /*) ;;
-        *)
-          case /$dst/ in
-          *//* | */../* | */./* | /*/*/*/*/*/)
-             die "invalid symlink calculation: $src -> $dst";;
-          /*/*/*/*/)    dot_dots=../../../;;
-          /*/*/*/)      dot_dots=../../;;
-          /*/*/)        dot_dots=../;;
-          esac;;
-        esac
-
-        echo "$me: ln -fs $dot_dots$src $dst" &&
-        ln -fs "$dot_dots$src" "$dst"
-      }
-    fi
-  }
-}
-
 version_controlled_file() {
  parent=$1
  file=$2
@ -970,7 +1015,7 @@ bootstrap_post_import_hook \
 # Uninitialized submodules are listed with an initial dash.
 if $use_git && git submodule | grep '^-' >/dev/null; then
  die "some git submodules are not initialized. "     \
-      "Run 'git submodule init' and bootstrap again."
+      "Run 'git submodule update --init' and bootstrap again."
 fi

 # Remove any dangling symlink matching "*.m4" or "*.[ch]" in some
@ -1064,7 +1109,7 @@ bootstrap_epilogue

 echo "$0: done.  Now you can run './configure'."

-# Local variables:
+# Local Variables:
 # eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
--- a/bootstrap.conf
+++ b/bootstrap.conf
@ -1,6 +1,6 @@
 # Bootstrap configuration.

-# Copyright (C) 2006-2019 Free Software Foundation, Inc.
+# Copyright (C) 2006-2022 Free Software Foundation, Inc.

 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -16,13 +16,13 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.


-GNULIB_REVISION=d271f868a8df9bbec29049d01e056481b7a1a263
+GNULIB_REVISION=9f48fb992a3d7e96610c4ce8be969cff2d61a01b

 # gnulib modules used by this package.
-# mbswidth is used by gnulib-fix-width.diff's changes to argp rather than
-# directly.
+# mbswidth is used by fix-width.diff's changes to argp rather than directly.
 gnulib_modules="
  argp
+  base64
  error
  fnmatch
  getdelim
@ -34,6 +34,7 @@ gnulib_modules="
  realloc-gnu
  regex
  save-cwd
+  stdbool
 "

 gnulib_tool_option_extras="\
@ -65,10 +66,11 @@ SKIP_PO=t

 # Build prerequisites
 buildreq="\
-autoconf   2.63
-automake   1.11
-gettext    0.18.3
+autoconf   2.64
+automake   1.14
+gettext    -
 git        1.5.5
+patch      -
 tar        -
 "

@ -78,9 +80,19 @@ cp -a INSTALL INSTALL.grub

 bootstrap_post_import_hook () {
  set -e
-  for patchname in fix-null-deref fix-width no-abort; do
-    patch -d grub-core/lib/gnulib -p2 \
-      < "grub-core/lib/gnulib-patches/$patchname.patch"
+
+  # Instead of patching our gnulib and therefore maintaining a fork, submit
+  # changes to gnulib and update the hash above when they've merged.  Do not
+  # add new patches here.
+  patch -d grub-core/lib/gnulib -p2 < grub-core/lib/gnulib-patches/fix-width.patch
+
+  for patchname in \
+      0001-Support-POTFILES-shell \
+      0002-Handle-gettext_printf-shell-function \
+      0003-Make-msgfmt-output-in-little-endian \
+      0004-Use-SHELL-rather-than-bin-sh; do
+    patch -d po -p3 \
+      < "po/gettext-patches/$patchname.patch"
  done
  FROM_BOOTSTRAP=1 ./autogen.sh
  set +e  # bootstrap expects this
--- a/conf/Makefile.common
+++ b/conf/Makefile.common
@ -20,6 +20,9 @@ endif
 if COND_powerpc_ieee1275
  CFLAGS_PLATFORM += -mcpu=powerpc
 endif
+if COND_HAVE_PCI
+  CFLAGS_PLATFORM += -DGRUB_HAS_PCI
+endif

 # Other options

@ -39,9 +42,16 @@ LDFLAGS_KERNEL = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC)
 CPPFLAGS_KERNEL = $(CPPFLAGS_CPU) $(CPPFLAGS_PLATFORM) -DGRUB_KERNEL=1
 CCASFLAGS_KERNEL = $(CCASFLAGS_CPU) $(CCASFLAGS_PLATFORM)
 STRIPFLAGS_KERNEL = -R .rel.dyn -R .reginfo -R .note -R .comment -R .drectve -R .note.gnu.gold-version -R .MIPS.abiflags -R .ARM.exidx
+if !COND_emu
+if COND_HAVE_ASM_USCORE
+  LDFLAGS_KERNEL += -Wl,--defsym=_malloc=_grub_malloc -Wl,--defsym=_free=_grub_free
+else
+  LDFLAGS_KERNEL += -Wl,--defsym=malloc=grub_malloc -Wl,--defsym=free=grub_free
+endif
+endif

 CFLAGS_MODULE = $(CFLAGS_PLATFORM) -ffreestanding
-LDFLAGS_MODULE = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC) -Wl,-r,-d
+LDFLAGS_MODULE = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC) -Wl,-r
 CPPFLAGS_MODULE = $(CPPFLAGS_CPU) $(CPPFLAGS_PLATFORM)
 CCASFLAGS_MODULE = $(CCASFLAGS_CPU) $(CCASFLAGS_PLATFORM)

@ -65,7 +75,7 @@ grubconfdir = $(sysconfdir)/grub.d
 platformdir = $(pkglibdir)/$(target_cpu)-$(platform)
 starfielddir = $(pkgdatadir)/themes/starfield

-CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion
+CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion -Wno-error=attributes
 CPPFLAGS_GNULIB = -I$(top_builddir)/grub-core/lib/gnulib -I$(top_srcdir)/grub-core/lib/gnulib

 CFLAGS_POSIX = -fno-builtin
@ -84,7 +94,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
 CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
 CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
@ -99,27 +111,29 @@ MOD_FILES =
 MODULE_FILES =
 MARKER_FILES =
 KERNEL_HEADER_FILES =
+EXTRA_DEPS =

+bin_SCRIPTS =
+bin_PROGRAMS =
+check_SCRIPTS_native =
+check_SCRIPTS_nonnative =
+check_PROGRAMS_native =
+check_PROGRAMS_nonnative =
+dist_grubconf_DATA =
+dist_noinst_DATA =
+grubconf_SCRIPTS =
 man_MANS =
 noinst_DATA =
-pkgdata_DATA =
-bin_SCRIPTS =
-sbin_SCRIPTS =
-bin_PROGRAMS =
-platform_DATA =
-sbin_PROGRAMS =
-check_SCRIPTS =
-dist_grubconf_DATA =
-check_PROGRAMS =
 noinst_SCRIPTS =
 noinst_PROGRAMS =
-grubconf_SCRIPTS =
 noinst_LIBRARIES =
-dist_noinst_DATA =
+pkgdata_DATA =
+platform_DATA =
 platform_SCRIPTS =
 platform_PROGRAMS =
+sbin_SCRIPTS =
+sbin_PROGRAMS =

-TESTS =
 EXTRA_DIST =
 CLEANFILES =
 BUILT_SOURCES =
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@ -21,6 +21,7 @@ EXTRA_DIST += conf/i386-cygwin-img-ld.sc
 EXTRA_DIST += grub-core/Makefile.core.def
 EXTRA_DIST += grub-core/Makefile.gcry.def

+EXTRA_DIST += grub-core/extra_deps.lst
 EXTRA_DIST += grub-core/genmoddep.awk
 EXTRA_DIST += grub-core/genmod.sh.in
 EXTRA_DIST += grub-core/gensyminfo.sh.in
@ -28,9 +29,7 @@ EXTRA_DIST += grub-core/gensymlist.sh
 EXTRA_DIST += grub-core/genemuinit.sh
 EXTRA_DIST += grub-core/genemuinitheader.sh

-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
 EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch

 EXTRA_DIST += grub-core/lib/libgcrypt
 EXTRA_DIST += grub-core/lib/libgcrypt-grub/mpi/generic
@ -110,6 +109,21 @@ EXTRA_DIST += grub-core/osdep/windows/password.c
 EXTRA_DIST += grub-core/osdep/windows/random.c
 EXTRA_DIST += grub-core/osdep/windows/sleep.c

+EXTRA_DIST += po/gettext-patches/0001-Support-POTFILES-shell.patch
+EXTRA_DIST += po/gettext-patches/0002-Handle-gettext_printf-shell-function.patch
+EXTRA_DIST += po/gettext-patches/0003-Make-msgfmt-output-in-little-endian.patch
+EXTRA_DIST += po/gettext-patches/0004-Use-SHELL-rather-than-bin-sh.patch
+
+EXTRA_DIST += po/POTFILES-shell.in
+EXTRA_DIST += po/README
+EXTRA_DIST += po/Rules-translit
+EXTRA_DIST += po/Rules-windowsdir
+EXTRA_DIST += po/arabic.sed
+EXTRA_DIST += po/cyrillic.sed
+EXTRA_DIST += po/greek.sed
+EXTRA_DIST += po/grub.d.sed
+EXTRA_DIST += po/hebrew.sed
+
 EXTRA_DIST += tests/dfly-mbr-mbexample.mbr.img.gz
 EXTRA_DIST += tests/dfly-mbr-mbexample.dfly.img.gz

--- a/conf/i386-cygwin-img-ld.sc
+++ b/conf/i386-cygwin-img-ld.sc
@ -14,6 +14,8 @@ SECTIONS
  {
    __data_start__ = . ;
    *(.data)
+    /* Do not discard this section. */
+    . = . ;
    __data_end__ = . ;
    __rdata_start__ = . ;
    *(.rdata)
@ -34,6 +36,8 @@ SECTIONS
  .edata :
  {
    *(.edata)
+    /* Do not discard this section. */
+    . = . ;
    end = . ;
    _end = . ;
    __end = . ;
--- a/config.h.in
+++ b/config.h.in
@ -9,6 +9,10 @@
 #define GCRYPT_NO_DEPRECATED 1
 #define HAVE_MEMMOVE 1

+#if @MM_DEBUG@
+#define MM_DEBUG @MM_DEBUG@
+#endif
+
 /* Define to 1 to enable disk cache statistics.  */
 #define DISK_CACHE_STATS @DISK_CACHE_STATS@
 #define BOOT_TIME_STATS @BOOT_TIME_STATS@
@ -22,46 +26,124 @@
 #define MINILZO_CFG_SKIP_LZO1X_DECOMPRESS 1

 #if defined (GRUB_BUILD)
-#undef ENABLE_NLS
-#define BUILD_SIZEOF_LONG @BUILD_SIZEOF_LONG@
-#define BUILD_SIZEOF_VOID_P @BUILD_SIZEOF_VOID_P@
-#if defined __APPLE__
-# if defined __BIG_ENDIAN__
-#  define BUILD_WORDS_BIGENDIAN 1
-# else
-#  define BUILD_WORDS_BIGENDIAN 0
-# endif
-#else
-#define BUILD_WORDS_BIGENDIAN @BUILD_WORDS_BIGENDIAN@
-#endif
+#  undef ENABLE_NLS
+#  define BUILD_SIZEOF_LONG @BUILD_SIZEOF_LONG@
+#  define BUILD_SIZEOF_VOID_P @BUILD_SIZEOF_VOID_P@
+#  if defined __APPLE__
+#    if defined __BIG_ENDIAN__
+#      define BUILD_WORDS_BIGENDIAN 1
+#    else
+#      define BUILD_WORDS_BIGENDIAN 0
+#    endif
+#  else /* !defined __APPLE__ */
+#    define BUILD_WORDS_BIGENDIAN @BUILD_WORDS_BIGENDIAN@
+#  endif /* !defined __APPLE__ */
 #elif defined (GRUB_UTIL) || !defined (GRUB_MACHINE)
-#include <config-util.h>
-#else
-#define HAVE_FONT_SOURCE @HAVE_FONT_SOURCE@
+#  include <config-util.h>
+#else /* !defined GRUB_UTIL && defined GRUB_MACHINE */
+#  define HAVE_FONT_SOURCE @HAVE_FONT_SOURCE@
 /* Define if C symbols get an underscore after compilation. */
-#define HAVE_ASM_USCORE @HAVE_ASM_USCORE@
+#  define HAVE_ASM_USCORE @HAVE_ASM_USCORE@
 /* Define it to one of __bss_start, edata and _edata.  */
-#define BSS_START_SYMBOL @BSS_START_SYMBOL@
+#  define BSS_START_SYMBOL @BSS_START_SYMBOL@
 /* Define it to either end or _end.  */
-#define END_SYMBOL @END_SYMBOL@
+#  define END_SYMBOL @END_SYMBOL@
 /* Name of package.  */
-#define PACKAGE "@PACKAGE@"
+#  define PACKAGE "@PACKAGE@"
 /* Version number of package.  */
-#define VERSION "@VERSION@"
+#  define VERSION "@VERSION@"
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "@PACKAGE_STRING@"
+#  define PACKAGE_STRING "@PACKAGE_STRING@"
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "@PACKAGE_VERSION@"
+#  define PACKAGE_VERSION "@PACKAGE_VERSION@"
 /* Define to the full name of this package. */
-#define PACKAGE_NAME "@PACKAGE_NAME@"
+#  define PACKAGE_NAME "@PACKAGE_NAME@"
 /* Define to the address where bug reports for this package should be sent. */
-#define PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"
+#  define PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"

-#define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
-#define GRUB_PLATFORM "@GRUB_PLATFORM@"
+#  define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
+#  define GRUB_PLATFORM "@GRUB_PLATFORM@"

-#define RE_ENABLE_I18N 1
+#  define GRUB_STACK_PROTECTOR_INIT @GRUB_STACK_PROTECTOR_INIT@

-#define _GNU_SOURCE 1
+#  define RE_ENABLE_I18N 1
+
+#  define _GNU_SOURCE 1
+
+#  ifndef _GL_INLINE_HEADER_BEGIN
+/*
+ * gnulib gets configured against the host, not the target, and the rest of
+ * our buildsystem works around that.  This is difficult to avoid as gnulib's
+ * detection requires a more capable system than our target.  Instead, we
+ * reach in and set values appropriately - intentionally setting more than the
+ * bare minimum.  If, when updating gnulib, something breaks, there's probably
+ * a change needed here or in grub-core/Makefile.core.def.
+ */
+#    define SIZE_MAX ((size_t) -1)
+#    define _GL_ATTRIBUTE_ALLOC_SIZE(args) \
+    __attribute__ ((__alloc_size__ args))
+#    define _GL_ATTRIBUTE_ALWAYS_INLINE __attribute__ ((__always_inline__))
+#    define _GL_ATTRIBUTE_ARTIFICIAL __attribute__ ((__artificial__))
+#    define _GL_ATTRIBUTE_COLD __attribute__ ((cold))
+#    define _GL_ATTRIBUTE_CONST __attribute__ ((const))
+#    define _GL_ATTRIBUTE_DEALLOC(f, i) __attribute ((__malloc__ (f, i)))
+#    define _GL_ATTRIBUTE_DEALLOC_FREE _GL_ATTRIBUTE_DEALLOC (free, 1)
+#    define _GL_ATTRIBUTE_DEPRECATED __attribute__ ((__deprecated__))
+#    define _GL_ATTRIBUTE_ERROR(msg) __attribute__ ((__error__ (msg)))
+#    define _GL_ATTRIBUTE_EXTERNALLY_VISIBLE \
+    __attribute__ ((externally_visible))
+#    define _GL_ATTRIBUTE_FORMAT(spec) __attribute__ ((__format__ spec))
+#    define _GL_ATTRIBUTE_LEAF __attribute__ ((__leaf__))
+#    define _GL_ATTRIBUTE_MALLOC __attribute__ ((malloc))
+#    define _GL_ATTRIBUTE_MAYBE_UNUSED _GL_ATTRIBUTE_UNUSED
+#    define _GL_ATTRIBUTE_MAY_ALIAS __attribute__ ((__may_alias__))
+#    define _GL_ATTRIBUTE_NODISCARD __attribute__ ((__warn_unused_result__))
+#    define _GL_ATTRIBUTE_NOINLINE __attribute__ ((__noinline__))
+#    define _GL_ATTRIBUTE_NONNULL(args) __attribute__ ((__nonnull__ args))
+#    define _GL_ATTRIBUTE_NONSTRING __attribute__ ((__nonstring__))
+#    define _GL_ATTRIBUTE_PACKED __attribute__ ((__packed__))
+#    define _GL_ATTRIBUTE_PURE __attribute__ ((__pure__))
+#    define _GL_ATTRIBUTE_RETURNS_NONNULL \
+    __attribute__ ((__returns_nonnull__))
+#    define _GL_ATTRIBUTE_SENTINEL(pos) __attribute__ ((__sentinel__ pos))
+#    define _GL_ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#    define _GL_ATTRIBUTE_WARNING(msg) __attribute__ ((__warning__ (msg)))
+#    define _GL_CMP(n1, n2) (((n1) > (n2)) - ((n1) < (n2)))
+#    define _GL_GNUC_PREREQ GNUC_PREREQ
+#    define _GL_INLINE inline
+#    define _GL_UNUSED_LABEL _GL_ATTRIBUTE_UNUSED
+
+/* We can't use __has_attribute for these because gcc-5.1 is too old for
+ * that.  Everything above is present in that version, though. */
+#    if __GNUC__ >= 7
+#      define _GL_ATTRIBUTE_FALLTHROUGH __attribute__ ((fallthrough))
+#    else
+#      define _GL_ATTRIBUTE_FALLTHROUGH /* empty */
+#    endif
+
+#    ifndef ASM_FILE
+typedef __INT_FAST32_TYPE__ int_fast32_t;
+typedef __UINT_FAST32_TYPE__ uint_fast32_t;
+#    endif
+
+/* Ensure ialloc nests static/non-static inline properly. */
+#    define IALLOC_INLINE static inline
+
+/*
+ * gnulib uses these for blocking out warnings they can't/won't fix.  gnulib
+ * also makes the decision about whether to provide a declaration for
+ * reallocarray() at compile-time, so this is a convenient place to override -
+ * it's used by the ialloc module, which is used by base64.
+ */
+#    define _GL_INLINE_HEADER_BEGIN _Pragma ("GCC diagnostic push")	\
+    void *								\
+    reallocarray (void *ptr, unsigned int nmemb, unsigned int size);
+#    define _GL_INLINE_HEADER_END   _Pragma ("GCC diagnostic pop")
+#  endif /* !_GL_INLINE_HEADER_BEGIN */
+
+/* gnulib doesn't build cleanly with older compilers. */
+#  if __GNUC__ < 11
+_Pragma ("GCC diagnostic ignored \"-Wtype-limits\"")
+#  endif

 #endif
--- a/configure.ac
+++ b/configure.ac
--- a/docs/grub-dev.texi
+++ b/docs/grub-dev.texi
@ -77,7 +77,9 @@ This edition documents version @value{VERSION}.
 * Coding style::
 * Finding your way around::
 * Contributing Changes::
+* Setting up and running test suite::
 * Updating External Code::
+* Debugging::
 * Porting::
 * Error Handling::
 * Stack and heap size::
@ -86,6 +88,7 @@ This edition documents version @value{VERSION}.
 * PFF2 Font File Format::
 * Graphical Menu Software Design::
 * Verifiers framework::
+* Lockdown framework::
 * Copying This Manual::         Copying This Manual
 * Index::
@end menu
@ -94,8 +97,8 @@ This edition documents version @value{VERSION}.
@node Getting the source code
@chapter Getting the source code

-GRUB is maintained using the @uref{GIT revision
-control system}.  To fetch:
+GRUB is maintained using the @uref{https://git-scm.com/book/en/v2,
+GIT revision control system}.  To fetch:

@example
 git clone git://git.sv.gnu.org/grub.git
@ -344,8 +347,8 @@ manual and try GRUB 2 out to see what you think is missing from there.

 Here are additional pointers:
@itemize
-@item @url{https://savannah.gnu.org/task/?group=grub GRUB's Task Tracker}
-@item @url{https://savannah.gnu.org/bugs/?group=grub GRUB's Bug Tracker}
+@item @uref{https://savannah.gnu.org/task/?group=grub, GRUB's Task Tracker}
+@item @uref{https://savannah.gnu.org/bugs/?group=grub, GRUB's Bug Tracker}
@end itemize

 If you intended to make changes to GRUB Legacy (<=0.97) those are not accepted
@ -459,7 +462,7 @@ and the FSF clerks have dealt with your copyright assignment.
@section When you are approved for write access to project's files

 As you might know, GRUB is hosted on
-@url{https://savannah.gnu.org/projects/grub Savannah}, thus the membership
+@uref{https://savannah.gnu.org/projects/grub, Savannah}, thus the membership
 is managed by Savannah. This means that, if you want to be a member of this
 project:

@ -482,6 +485,17 @@ If your intention is to just get started, please do not submit a inclusion
 request. Instead, please subscribe to the mailing list, and communicate first
 (e.g. sending a patch, asking a question, commenting on another message...).

+@node Setting up and running test suite
+@chapter Setting up and running test suite
+
+GRUB is basically a tiny operating system with read support for many file
+systems and which has been ported to a variety of architectures. As such, its
+test suite has quite a few dependencies required to fully run the suite.
+These dependencies are currently documented in the
+@uref{https://git.savannah.gnu.org/cgit/grub.git/tree/INSTALL, INSTALL}
+file in the source repository. Once installed, the test suite can be started
+by running the @command{make check} command from the GRUB build directory.
+
@node Updating External Code
@chapter Updating external code

@ -490,6 +504,9 @@ to update it.

@menu
 * Gnulib::
+* jsmn::
+* minilzo::
+* libtasn1::
@end menu

@node Gnulib
@ -545,6 +562,303 @@ AC_SYS_LARGEFILE

@end example

+It will also be necessary to adjust the patches in
+@file{po/gettext-patches/} to apply to an older version of gettext.
+
+@node jsmn
+@section jsmn
+
+jsmn is a minimalistic JSON parser which is implemented in a single header file
+@file{jsmn.h}. To import a different version of the jsmn parser, you may simply
+download the @file{jsmn.h} header from the desired tag or commit to the target
+directory:
+
+@example
+curl -L https://raw.githubusercontent.com/zserge/jsmn/v1.1.0/jsmn.h \
+    -o grub-core/lib/json/jsmn.h
+@end example
+
+@node minilzo
+@section minilzo
+
+miniLZO is a very lightweight subset of the LZO library intended for easy
+inclusion in other projects. It is generated automatically from the LZO
+source code and contains the most important LZO functions.
+
+To upgrade to a new version of the miniLZO library, download the release
+tarball and copy the files into the target directory:
+
+@example
+curl -L -O https://www.oberhumer.com/opensource/lzo/download/minilzo-2.10.tar.gz
+tar -zxf minilzo-2.10.tar.gz
+rm minilzo-2.10/testmini.c
+rm -r grub-core/lib/minilzo/*
+cp minilzo-2.10/*.[hc] grub-core/lib/minilzo
+rm -r minilzo-2.10*
+@end example
+
+@node libtasn1
+@section libtasn1
+
+libtasn1 is a library providing Abstract Syntax Notation One (ASN.1, as
+specified by the X.680 ITU-T recommendation) parsing and structures management,
+and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding
+functions.
+
+To upgrade to a new version of the libtasn1 library, download the release
+tarball and copy the files into the target directory:
+
+@example
+curl -L -O https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.19.0.tar.gz
+tar xvzf libtasn1-4.19.0.tar.gz
+rm -rf grub-core/lib/libtasn1
+mkdir -p grub-core/lib/libtasn1/lib
+mkdir -p grub-core/lib/libtasn1/tests
+cp libtasn1-4.19.0/@{README.md,COPYING@} grub-core/lib/libtasn1
+cp libtasn1-4.19.0/lib/@{coding.c,decoding.c,element.c,element.h,errors.c,gstr.c,gstr.h,int.h,parser_aux.c,parser_aux.h,structure.c,structure.h@} grub-core/lib/libtasn1/lib
+cp libtasn1-4.19.0/lib/includes/libtasn1.h grub-core/lib/libtasn1
+cp libtasn1-4.19.0/tests/@{CVE-2018-1000654-1_asn1_tab.h,CVE-2018-1000654-2_asn1_tab.h,CVE-2018-1000654.c,object-id-decoding.c,object-id-encoding.c,octet-string.c,reproducers.c,Test_overflow.c,Test_simple.c,Test_strings.c@} grub-core/lib/libtasn1/tests
+rm -rf libtasn1-4.19.0*
+@end example
+
+After upgrading the library, it may be necessary to apply the patches in
+@file{grub-core/lib/libtasn1-patches/} to adjust the code to be compatible with
+GRUB. These patches were needed to use the current version of libtasn1. The
+existing patches may not apply cleanly, apply at all, or even be needed for a
+newer version of the library, and other patches may be needed due to changes in
+the newer version. If existing patches need to be refreshed to apply cleanly,
+please include updated patches as part of the a patch set sent to the list.
+If new patches are needed or existing patches are not needed, also please send
+additions or removals as part of any patch set upgrading libtasn1.
+
+@node Debugging
+@chapter Debugging
+
+GRUB2 can be difficult to debug because it runs on the bare-metal and thus
+does not have the debugging facilities normally provided by an operating
+system. This chapter aims to provide useful information on some ways to
+debug GRUB2 for some architectures. It by no means intends to be exhaustive.
+The focus will be one x86_64 and i386 architectures. Luckily for some issues
+virtual machines have made the ability to debug GRUB2 much easier, and this
+chapter will focus debugging via the QEMU virtual machine. We will not be
+going over debugging of the userland tools (eg. grub-install), there are
+many tutorials on debugging programs in userland.
+
+You will need GDB and the QEMU binaries for your system, on Debian these
+can be installed with the @samp{gdb} and @samp{qemu-system-x86} packages.
+Also it is assumed that you have already successfully compiled GRUB2 from
+source for the target specified in the section below and have some
+familiarity with GDB. When GRUB2 is built it will create many different
+binaries. The ones of concern will be in the @file{grub-core}
+directory of the GRUB2 build dir. To aide in debugging we will want the
+debugging symbols generated during the build because these symbols are not
+kept in the binaries which get installed to the boot location. The build
+process outputs two sets of binaries, one without symbols which gets executed
+at boot, and another set of ELF images with debugging symbols. The built
+images with debugging symbols will have a @file{.image} suffix, and the ones
+without a @file{.img} suffix. Similarly, loadable modules with debugging
+symbols will have a @file{.module} suffix, and ones without a @file{.mod}
+suffix. In the case of the kernel the binary with symbols is named
+@file{kernel.exec}.
+
+In the following sections, information will be provided on debugging on
+various targets using @command{gdb} and the @samp{gdb_grub} GDB script.
+
+@menu
+* i386-pc::
+* x86_64-efi::
+@end menu
+
+@node i386-pc
+@section i386-pc
+
+The i386-pc target is a good place to start when first debugging GRUB2
+because in some respects it's easier than EFI platforms. The reason being
+that the initial load address is always known in advance. To start
+debugging GRUB2 first QEMU must be started in GDB stub mode. The following
+command is a simple illustration:
+
+@example
+qemu-system-i386 -drive file=disk.img,format=raw \
+    -device virtio-scsi-pci,id=scsi0 -S -s
+@end example
+
+This will start a QEMU instance booting from @file{disk.img}. It will pause
+at start waiting for a GDB instance to attach to it. You should change
+@file{disk.img} to something more appropriate. A block device can be used,
+but you may need to run QEMU as a privileged user.
+
+To connect to this QEMU instance with GDB, the @code{target remote} GDB
+command must be used. We also need to load a binary image, preferably with
+symbols. This can be done using the GDB command @code{file kernel.exec}, if
+GDB is started from the @file{grub-core} directory in the GRUB2 build
+directory. GRUB2 developers have made this more simple by including a GDB
+script which does much of the setup. This file is at @file{grub-core/gdb_grub}
+in the build directory and is also installed via @command{make install}.
+When using a pre-built GRUB, the distribution may have a package which installs
+this GDB script along with debug symbol binaries, such as Debian's
+@samp{grub-pc-dbg} package. The GDB script is intended to be used
+like so, assuming that @samp{/path/to/script} is the path to the directory
+containing the gdb_grub script and debug symbol files:
+
+@example
+cd $(dirname /path/to/script/gdb_grub)
+gdb -x gdb_grub
+@end example
+
+Once GDB has been started with the @file{gdb_grub} script it will
+automatically connect to the QEMU instance. You can then do things you
+normally would in GDB like set a break point on @var{grub_main}.
+
+Setting breakpoints in modules is trickier since they haven't been loaded
+yet and are loaded at addresses determined at runtime. The module could be
+loaded to different addresses in different QEMU instances. The debug symbols
+in the modules @file{.module} binary, thus are always wrong, and GDB needs
+to be told where to load the symbols to. But this must happen at runtime
+after GRUB2 has determined where the module will get loaded. Luckily the
+@file{gdb_grub} script takes care of this with the @command{runtime_load_module}
+command, which configures GDB to watch for GRUB2 module loading and when
+it does add the module symbols with the appropriate offset.
+
+@node x86_64-efi
+@section x86_64-efi
+
+Using GDB to debug GRUB2 for the x86_64-efi target has some similarities with
+the i386-pc target. Please read and familiarize yourself with the @ref{i386-pc}
+section when reading this one. Extra care must be used to run QEMU such that it
+boots a UEFI firmware. This usually involves either using the @samp{-bios}
+option with a UEFI firmware blob (eg. @file{OVMF.fd}) or loading the firmware
+via pflash. This document will not go further into how to do this as there are
+ample resource on the web.
+
+Like all EFI implementations, on x86_64-efi the (U)EFI firmware that loads
+the GRUB2 EFI application determines at runtime where the application will
+be loaded. This means that we do not know where to tell GDB to load the
+symbols for the GRUB2 core until the (U)EFI firmware determines it. There are
+two good ways of figuring this out when running in QEMU: use a @ref{OVMF debug log,
+debug build of OVMF} and check the debug log, or have GRUB2 say where it is
+loaded. Neither of these are ideal because they both generally give the
+information after GRUB2 is already running, which makes debugging early boot
+infeasible. Technically, the first method does give the load address before
+GRUB2 is run, but without debugging the EFI firmware with symbols, the author
+currently does not know how to cause the OVMF firmware to pause at that point
+to use the load address before GRUB2 is run.
+
+Even after getting the application load address, the loading of core symbols
+is complicated by the fact that the debugging symbols for the kernel are in
+an ELF binary named @file{kernel.exec} while what is in memory are sections
+for the PE32+ EFI binary. When @command{grub-mkimage} creates the PE32+
+binary it condenses several segments from the ELF kernel binary into one
+.data section in the PE32+ binary. This must be taken into account to
+properly load the other non-text sections. Otherwise, GDB will work as
+expected when breaking on functions, but, for instance, global variables
+will point to the wrong address in memory and thus give incorrect values
+(which can be difficult to debug).
+
+Calculating the correct offsets for sections is taken care of automatically
+when loading the kernel symbols via the user-defined GDB command
+@command{dynamic_load_kernel_exec_symbols}, which takes one argument, the
+address where the text section is loaded as determined by one of the methods
+above. Alternatively, the command @command{dynamic_load_symbols} with the text
+section address as an agrument can be called to load the kernel symbols and set
+up loading the module symbols as they are loaded at runtime.
+
+In the author's experience, when debugging with QEMU and OVMF, to have
+debugging symbols loaded at the start of GRUB2 execution the GRUB2 EFI
+application must be run via QEMU at least once prior in order to get the
+load address. Two methods for obtaining the load address are described in
+two subsections below. Generally speaking, the load address does not change
+between QEMU runs. There are exceptions to this, namely that different
+GRUB2 EFI applications can be run at different addresses. Also, it has been
+observed that after running the EFI application for the first time, the
+second run will sometimes have a different load address, but subsequent
+runs of the same EFI application will have the same load address as the
+second run. And it's a near certainty that if the GRUB EFI binary has changed,
+eg. been recompiled, the load address will also be different.
+
+This ability to predict what the load address will be allows one to assume
+the load address on subsequent runs and thus load the symbols before GRUB2
+starts. The following command illustrates this, assuming that QEMU is
+running and waiting for a debugger connection and the current working
+directory is where @file{gdb_grub} resides:
+
+@example
+gdb -x gdb_grub -ex 'dynamic_load_symbols @var{address of .text section}'
+@end example
+
+If you load the symbols in this manner and, after continuing execution, do
+not see output showing the module symbols loading, then it is very likely
+that the load address was incorrect.
+
+Another thing to be aware of is how the loading of the GRUB image by the
+firmware affects previously set software breakpoints. On x86 platforms,
+software breakpoints are implemented by GDB by writing a special processor
+instruction at the location of the desired breakpoint. This special instruction
+when executed will stop the program execution and hand control to the
+debugger, GDB. GDB will first save the instruction bytes that are
+overwritten at the breakpoint and will put them back when the breakpoint
+is hit. If GRUB is being run for the first time in QEMU, the firmware will
+be loading the GRUB image into memory where every byte is already set to 0.
+This means that if a breakpoint is set before GRUB is loaded, GDB will save
+the 0-byte(s) where the the special instruction will go. Then when the firmware
+loads the GRUB image and because it is unaware of the debugger, it will
+write the GRUB image to memory, overwriting anything that was there previously ---
+notably in this case the instruction that implements the software breakpoint.
+This will be confusing for the person using GDB because GDB will show the
+breakpoint as set, but the brekapoint will never be hit. Furthermore, GDB
+then becomes confused, such that even deleting an recreating the breakpoint
+will not create usable breakpoints. The @file{gdb_grub} script takes care of
+this by saving the breakpoints just before they are overwritten, and then
+restores them at the start of GRUB execution. So breakpoints for GRUB can be
+set before GRUB is loaded, but be mindful of this effect if you are confused
+as to why breakpoints are not getting hit.
+
+Also note, that hardware breakpoints do not suffer this problem. They are
+implemented by having the breakpoint address in special debug registers on
+the CPU. So they can always be set freely without regard to whether GRUB has
+been loaded or not. The reason that hardware breakpoints aren't always used
+is because there are a limited number of them, usually around 4 on various
+CPUs, and specifically exactly 4 for x86 CPUs. The @file{gdb_grub} script goes
+out of its way to avoid using hardware breakpoints internally and uses them as
+briefly as possible when needed, thus allowing the user to have a maximal
+number at their disposal.
+
+@menu
+* OVMF debug log::
+* Using the gdbinfo command::
+@end menu
+
+@node OVMF debug log
+@subsection OVMF debug log
+
+In order to get the GRUB2 load address from OVMF, first, a debug build
+of OVMF must be obtained (@uref{https://github.com/retrage/edk2-nightly/raw/master/bin/DEBUGX64_OVMF.fd,
+here is one} which is not officially recommended). OVMF will output debug
+messages to a special serial device, which we must add to QEMU. The following
+QEMU command will run the debug OVMF and write the debug messages to a
+file named @file{debug.log}. It is assumed that @file{disk.img} is a disk
+image or block device that is set up to boot GRUB2 EFI.
+
+@example
+qemu-system-x86_64 -bios /path/to/debug/OVMF.fd \
+    -drive file=disk.img,format=raw \
+    -device virtio-scsi-pci,id=scsi0 \
+    -debugcon file:debug.log -global isa-debugcon.iobase=0x402
+@end example
+
+If GRUB2 was started by the (U)EFI firmware, then in the @file{debug.log}
+file one of the last lines should be a log message like:
+@samp{Loading driver at 0x00006AEE000 EntryPoint=0x00006AEE756}. This
+means that the GRUB2 EFI application was loaded at @samp{0x00006AEE000} and
+its .text section is at @samp{0x00006AEE756}.
+
+@node Using the gdbinfo command
+@subsection Using the gdbinfo command
+
+On EFI platforms the command @command{gdbinfo} will output a string that
+is to be run in a GDB session running with the @file{gdb_grub} GDB script.
+
+
@node Porting
@chapter Porting

@ -722,7 +1036,7 @@ void grub_arch_sync_caches (void *address, grub_size_t len) (cache.S). They
 won't be used for now.

 You will need to create directory include/$cpu/$platform and a file
-include/$cpu/types.h. The later folowing this template:
+include/$cpu/types.h. The latter following this template:

@example
 #ifndef GRUB_TYPES_CPU_HEADER
@ -768,13 +1082,13 @@ If it works next stage is to have heap, console and timer.

 To have the heap working you need to determine which regions are suitable for
 heap usage, allocate them from firmware and map (if applicable). Then call
-grub_mm_init_region (vois *start, grub_size_t s) for every of this region.
+grub_mm_init_region (void *start, grub_size_t s) for every of this region.
 As a shortcut for early port you can allocate right after _end or have
 a big static array for heap. If you do you'll probably need to come back to
 this later. As for output console you should distinguish between an array of
 text, terminfo or graphics-based console. Many of real-world examples don't
 fit perfectly into any of these categories but one of the models is easier
-to be used as base. In second and third case you should add your platform to 
+to be used as base. In second and third case you should add your platform to
 terminfokernel respectively videoinkernel group. A good example of array of
 text is i386-pc (kern/i386/pc/init.c and term/i386/pc/console.c).
 Of terminfo is ieee1275 (kern/ieee1275/init.c and term/ieee1275/console.c).
@ -782,7 +1096,7 @@ Of video is loongson (kern/mips/loongson/init.c). Note that terminfo has
 to be inited in 2 stages: one before (to get at least rudimentary console
 as early as possible) and another after the heap (to get full-featured console).
 For the input there are string of keys, terminfo and direct hardware. For string
-of keys look at i386-pc (same files), for termino ieee1275 (same files) and for
+of keys look at i386-pc (same files), for terminfo ieee1275 (same files) and for
 hardware loongson (kern/mips/loongson/init.c and term/at_keyboard.c).

 For the timer you'll need to call grub_install_get_time_ms (...) with as sole
@ -996,20 +1310,23 @@ On emu stack and heap are just normal host OS stack and heap. Stack is typically
 On i386-pc, i386-coreboot, i386-qemu and i386-multiboot the stack is 60KiB.
 All available space between 1MiB and 4GiB marks is part of heap.

-On *-xen stack is 4MiB. If compiled for x86-64 with GCC 4.4 or later adressable
-space is unlimited. When compiled for x86-64 with older GCC version adressable
-space is limited to 2GiB. When compiling for i386 adressable space is limited
-to 4GiB. All adressable pages except the ones for stack, GRUB binary, special
+On *-xen stack is 4MiB. If compiled for x86-64 with GCC 4.4 or later addressable
+space is unlimited. When compiled for x86-64 with older GCC version addressable
+space is limited to 2GiB. When compiling for i386 addressable space is limited
+to 4GiB. All addressable pages except the ones for stack, GRUB binary, special
 pages and page table are in the heap.

 On *-efi GRUB uses same stack as EFI. If compiled for x86-64 with GCC 4.4 or
-later adressable space is unlimited. When compiled for x86-64 with older GCC
-version adressable space is limited to 2GiB. For all other platforms adressable
+later addressable space is unlimited. When compiled for x86-64 with older GCC
+version addressable space is limited to 2GiB. For all other platforms addressable
 space is limited to 4GiB. GRUB allocates pages from EFI for its heap, at most
 1.6 GiB.

 On i386-ieee1275 and powerpc-ieee1275 GRUB uses same stack as IEEE1275.
-It allocates at most 32MiB for its heap.
+
+On i386-ieee1275 and powerpc-ieee1275, GRUB will allocate 32MiB for its heap on
+startup. It may allocate more at runtime, as long as at least 128MiB remain free
+in OpenFirmware.

 On sparc64-ieee1275 stack is 256KiB and heap is 2MiB.

@ -1037,7 +1354,7 @@ In short:
@item i386-qemu               @tab 60 KiB  @tab < 4 GiB
@item *-efi                   @tab ?       @tab < 1.6 GiB
@item i386-ieee1275           @tab ?       @tab < 32 MiB
-@item powerpc-ieee1275        @tab ?       @tab < 32 MiB
+@item powerpc-ieee1275        @tab ?       @tab available memory - 128MiB
@item sparc64-ieee1275        @tab 256KiB  @tab 2 MiB
@item arm-uboot               @tab 256KiB  @tab 2 MiB
@item mips(el)-qemu_mips      @tab 2MiB    @tab 253 MiB
@ -1731,7 +2048,7 @@ use in GRUB at this time:
@item BDF 
 Inefficient storage; uses ASCII to describe properties and 
 hexadecimal numbers in ASCII for the bitmap rows.
-@item PCF  
+@item PCF
 Many format variations such as byte order and bitmap padding (rows
 padded to byte, word, etc.) would result in more complex code to
 handle the font format.
@ -1852,8 +2169,8 @@ bit in the byte.  For the sake of compact storage, rows are not padded
 to byte boundaries (i.e., a single byte may contain bits belonging to
 multiple rows).  The last byte of the bitmap @strong{is} padded with zero
 bits in the bits positions to the right of the last used bit if the
-bitmap data does not fill the last byte.  
-         
+bitmap data does not fill the last byte.
+
 The length of the @strong{bitmap data} field is (@var{width} * @var{height} + 7) / 8
 using integer arithmetic, which is equivalent to ceil(@var{width} *
@var{height} / 8) using real number arithmetic.
@ -1998,7 +2315,7 @@ functions (defined in @file{gfxmenu/gui_util.c}) that are particularly useful:

@item @code{grub_gui_find_by_id (root, id, callback, userdata)}:

-This function ecursively traverses the component tree rooted at @var{root}, and
+This function recursively traverses the component tree rooted at @var{root}, and
 for every component that has an ID equal to @var{id}, calls the function pointed
 to by @var{callback} with the matching component and the void pointer @var{userdata}
 as arguments.  The callback function can do whatever is desired to use the
@ -2086,6 +2403,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
 the context. If you return no error during any of @samp{init}, @samp{write} and
@samp{fini} then the file is considered as having succeded verification.

+@node Lockdown framework
+@chapter Lockdown framework
+
+The GRUB can be locked down, which is a restricted mode where some operations
+are not allowed. For instance, some commands cannot be used when the GRUB is
+locked down.
+
+The function
+@code{grub_lockdown()} is used to lockdown GRUB and the function
+@code{grub_is_lockdown()} function can be used to check whether lockdown is
+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
+
+The following functions can be used to register the commands that can only be
+used when lockdown is disabled:
+
+@itemize
+
+@item @code{grub_cmd_lockdown()} registers command which should not run when the
+GRUB is in lockdown mode.
+
+@item @code{grub_cmd_lockdown()} registers extended command which should not run
+when the GRUB is in lockdown mode.
+
+@end itemize
+
@node Copying This Manual
@appendix Copying This Manual

--- a/docs/grub.texi
+++ b/docs/grub.texi
--- a/docs/man/grub-protect.h2m
+++ b/docs/man/grub-protect.h2m
@ -0,0 +1,4 @@
+[NAME]
+grub-protect \- protect a disk key with a key protector
+[DESCRIPTION]
+grub-protect helps to protect a disk encryption key with a specified key protector.
--- a/gentpl.py
+++ b/gentpl.py
@ -32,27 +32,28 @@ GRUB_PLATFORMS = [ "emu", "i386_pc", "i386_efi", "i386_qemu", "i386_coreboot",
                   "mips_loongson", "sparc64_ieee1275",
                   "powerpc_ieee1275", "mips_arc", "ia64_efi",
                   "mips_qemu_mips", "arm_uboot", "arm_efi", "arm64_efi",
-                   "arm_coreboot", "riscv32_efi", "riscv64_efi" ]
+                   "arm_coreboot", "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]

 GROUPS = {}

 GROUPS["common"]   = GRUB_PLATFORMS[:]

 # Groups based on CPU
-GROUPS["i386"]     = [ "i386_pc", "i386_efi", "i386_qemu", "i386_coreboot", "i386_multiboot", "i386_ieee1275" ]
-GROUPS["x86_64"]   = [ "x86_64_efi" ]
-GROUPS["x86"]      = GROUPS["i386"] + GROUPS["x86_64"]
-GROUPS["mips"]     = [ "mips_loongson", "mips_qemu_mips", "mips_arc" ]
-GROUPS["sparc64"]  = [ "sparc64_ieee1275" ]
-GROUPS["powerpc"]  = [ "powerpc_ieee1275" ]
-GROUPS["arm"]      = [ "arm_uboot", "arm_efi", "arm_coreboot" ]
-GROUPS["arm64"]    = [ "arm64_efi" ]
-GROUPS["riscv32"]  = [ "riscv32_efi" ]
-GROUPS["riscv64"]  = [ "riscv64_efi" ]
+GROUPS["i386"]        = [ "i386_pc", "i386_efi", "i386_qemu", "i386_coreboot", "i386_multiboot", "i386_ieee1275" ]
+GROUPS["x86_64"]      = [ "x86_64_efi" ]
+GROUPS["x86"]         = GROUPS["i386"] + GROUPS["x86_64"]
+GROUPS["mips"]        = [ "mips_loongson", "mips_qemu_mips", "mips_arc" ]
+GROUPS["sparc64"]     = [ "sparc64_ieee1275" ]
+GROUPS["powerpc"]     = [ "powerpc_ieee1275" ]
+GROUPS["arm"]         = [ "arm_uboot", "arm_efi", "arm_coreboot" ]
+GROUPS["arm64"]       = [ "arm64_efi" ]
+GROUPS["loongarch64"] = [ "loongarch64_efi" ]
+GROUPS["riscv32"]     = [ "riscv32_efi" ]
+GROUPS["riscv64"]     = [ "riscv64_efi" ]

 # Groups based on firmware
 GROUPS["efi"]  = [ "i386_efi", "x86_64_efi", "ia64_efi", "arm_efi", "arm64_efi",
-		   "riscv32_efi", "riscv64_efi" ]
+		   "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]
 GROUPS["ieee1275"]   = [ "i386_ieee1275", "sparc64_ieee1275", "powerpc_ieee1275" ]
 GROUPS["uboot"] = [ "arm_uboot" ]
 GROUPS["xen"]  = [ "i386_xen", "x86_64_xen" ]
@ -79,7 +80,7 @@ GROUPS["terminfomodule"]   = GRUB_PLATFORMS[:];
 for i in GROUPS["terminfoinkernel"]: GROUPS["terminfomodule"].remove(i)

 # Flattened Device Trees (FDT)
-GROUPS["fdt"] = [ "arm64_efi", "arm_uboot", "arm_efi", "riscv32_efi", "riscv64_efi" ]
+GROUPS["fdt"] = [ "arm64_efi", "arm_uboot", "arm_efi", "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]

 # Needs software helpers for division
 # Must match GRUB_DIVISION_IN_SOFTWARE in misc.h
@ -568,6 +569,7 @@ def foreach_platform_value(defn, platform, suffix, closure):
    for group in RMAP[platform]:
        for value in defn.find_all(group + suffix):
            r.append(closure(value))
+    r.sort()
    return ''.join(r)

 def platform_conditional(platform, closure):
@ -629,7 +631,10 @@ def platform_values(defn, platform, suffix):
 def extra_dist(defn):
    return foreach_value(defn, "extra_dist", lambda value: value + " ")

-def platform_sources(defn, p): return platform_values(defn, p, "")
+def extra_dep(defn):
+    return foreach_value(defn, "depends", lambda value: value + " ")
+
+def platform_sources(defn, p): return platform_values(defn, p, "_head") + platform_values(defn, p, "")
 def platform_nodist_sources(defn, p): return platform_values(defn, p, "_nodist")

 def platform_startup(defn, p): return platform_specific_values(defn, p, "_startup", "startup")
@ -655,7 +660,7 @@ def first_time(defn, snippet):
 def is_platform_independent(defn):
    if 'enable' in defn:
        return False
-    for suffix in [ "", "_nodist" ]:
+    for suffix in [ "", "_head", "_nodist" ]:
        template = platform_values(defn, GRUB_PLATFORMS[0], suffix)
        for platform in GRUB_PLATFORMS[1:]:
            if template != platform_values(defn, platform, suffix):
@ -697,10 +702,14 @@ def module(defn, platform):
    gvar_add("MOD_FILES", name + ".mod")
    gvar_add("MARKER_FILES", name + ".marker")
    gvar_add("CLEANFILES", name + ".marker")
+
+    for dep in defn.find_all("depends"):
+        gvar_add("EXTRA_DEPS", "depends " + name + " " + dep + ":")
+
    output("""
 """ + name + """.marker: $(""" + cname(defn) + """_SOURCES) $(nodist_""" + cname(defn) + """_SOURCES)
 	$(TARGET_CPP) -DGRUB_LST_GENERATOR $(CPPFLAGS_MARKER) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(""" + cname(defn) + """_CPPFLAGS) $(CPPFLAGS) $^ > $@.new || (rm -f $@; exit 1)
-	grep 'MARKER' $@.new > $@; rm -f $@.new
+	grep 'MARKER' $@.new | grep -v '^#' > $@; rm -f $@.new
 """)

 def kernel(defn, platform):
@ -766,7 +775,7 @@ def image(defn, platform):
 if test x$(TARGET_APPLE_LINKER) = x1; then \
  $(MACHO2IMG) $< $@; \
 else \
-  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .ARM.exidx $< $@; \
+  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx -R .interp $< $@; \
 fi
 """)

@ -817,8 +826,7 @@ def program(defn, platform, test=False):
    set_canonical_name_suffix("")

    if 'testcase' in defn:
-        gvar_add("check_PROGRAMS", name)
-        gvar_add("TESTS", name)
+        gvar_add("check_PROGRAMS_" + defn['testcase'], name)
    else:
        var_add(installdir(defn) + "_PROGRAMS", name)
        if 'mansection' in defn:
@ -859,8 +867,7 @@ def script(defn, platform):
    name = defn['name']

    if 'testcase' in defn:
-        gvar_add("check_SCRIPTS", name)
-        gvar_add ("TESTS", name)
+        gvar_add("check_SCRIPTS_" + defn['testcase'], name)
    else:
        var_add(installdir(defn) + "_SCRIPTS", name)
        if 'mansection' in defn:
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@ -71,6 +71,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h
@ -79,6 +80,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
 if COND_emu
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
@ -88,8 +90,11 @@ endif
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
@ -149,6 +154,7 @@ endif
 if COND_i386_ieee1275
 KERNEL_HEADER_FILES += $(top_builddir)/include/grub/machine/kernel.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/ieee1275.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/alloc.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/terminfo.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lib/arg.h
@ -236,6 +242,7 @@ endif

 if COND_powerpc_ieee1275
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/ieee1275.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/alloc.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/terminfo.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lib/arg.h
@ -284,6 +291,12 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/acpi.h
 endif

+if COND_loongarch64_efi
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/efi.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/acpi.h
+endif
+
 if COND_riscv32_efi
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/efi.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
@ -303,9 +316,13 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/net.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/hostdisk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/hostfile.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/exec.h
 if COND_GRUB_EMU_SDL
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/sdl.h
 endif
+if COND_GRUB_EMU_SDL2
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/sdl.h
+endif
 if COND_GRUB_EMU_PCI
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/libpciaccess.h
 endif
@ -375,8 +392,10 @@ command.lst: $(MARKER_FILES)
 	  b=`basename $$pp .marker`; \
 	  sed -n \
 	    -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+	    -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
 	    -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
-	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
+	    -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
 	done) | sort -u > $@
 platform_DATA += command.lst
 CLEANFILES += command.lst
@ -436,8 +455,11 @@ crypto.lst: $(srcdir)/lib/libgcrypt-grub/cipher/crypto.lst
 platform_DATA += crypto.lst
 CLEANFILES += crypto.lst

-syminfo.lst: gensyminfo.sh kernel_syms.lst $(MODULE_FILES)
-	cat kernel_syms.lst > $@.new
+extra_deps.lst:
+	@echo $(EXTRA_DEPS) | sed "s/\s*:\s*/\n/g" > $@
+
+syminfo.lst: gensyminfo.sh kernel_syms.lst extra_deps.lst $(MODULE_FILES)
+	cat kernel_syms.lst extra_deps.lst > $@.new
 	for m in $(MODULE_FILES); do \
 	  sh $< $$m >> $@.new || exit 1; \
 	done
@ -447,7 +469,7 @@ syminfo.lst: gensyminfo.sh kernel_syms.lst $(MODULE_FILES)
 moddep.lst: syminfo.lst genmoddep.awk video.lst
 	cat $< | sort | $(AWK) -f $(srcdir)/genmoddep.awk > $@ || (rm -f $@; exit 1)
 platform_DATA += moddep.lst
-CLEANFILES += config.log syminfo.lst moddep.lst
+CLEANFILES += config.log syminfo.lst moddep.lst extra_deps.lst

 $(MOD_FILES): %.mod : genmod.sh moddep.lst %.module$(EXEEXT) build-grub-module-verifier$(BUILD_EXEEXT)
 	TARGET_OBJ2ELF=@TARGET_OBJ2ELF@ sh $^ $@
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@ -20,8 +20,8 @@ transform_data = {

 transform_data = {
  installdir = platform;
-  name = gmodule.pl;
-  common = gmodule.pl.in;
+  name = gdb_helper.py;
+  common = gdb_helper.py.in;
 };

 transform_data = {
@ -49,26 +49,36 @@ kernel = {

  nostrip = emu;

-  emu_ldflags              = '-Wl,-r,-d';
-  i386_efi_ldflags         = '-Wl,-r,-d';
+  emu_ldflags              = '-Wl,-r';
+  i386_efi_cflags          = '-fshort-wchar';
+  i386_efi_ldflags         = '-Wl,-r';
  i386_efi_stripflags      = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';
-  x86_64_efi_ldflags       = '-Wl,-r,-d';
+  x86_64_efi_cflags        = '-fshort-wchar';
+  x86_64_efi_ldflags       = '-Wl,-r';
  x86_64_efi_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  ia64_efi_cflags = '-fno-builtin -fpic -minline-int-divide-max-throughput';
-  ia64_efi_ldflags = '-Wl,-r,-d';
+  ia64_efi_cflags = '-fshort-wchar -fno-builtin -fpic -minline-int-divide-max-throughput';
+  ia64_efi_ldflags = '-Wl,-r';
  ia64_efi_stripflags = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  arm_efi_ldflags          = '-Wl,-r,-d';
+  arm_efi_cflags           = '-fshort-wchar';
+  arm_efi_ldflags          = '-Wl,-r';
  arm_efi_stripflags       = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  arm64_efi_ldflags          = '-Wl,-r,-d';
+  arm64_efi_cflags           = '-fshort-wchar';
+  arm64_efi_ldflags          = '-Wl,-r';
  arm64_efi_stripflags       = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

-  riscv32_efi_ldflags      = '-Wl,-r,-d';
+  loongarch64_efi_cflags       = '-fshort-wchar';
+  loongarch64_efi_ldflags      = '-Wl,-r';
+  loongarch64_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';
+
+  riscv32_efi_cflags       = '-fshort-wchar';
+  riscv32_efi_ldflags      = '-Wl,-r';
  riscv32_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

-  riscv64_efi_ldflags      = '-Wl,-r,-d';
+  riscv64_efi_cflags       = '-fshort-wchar';
+  riscv64_efi_ldflags      = '-Wl,-r';
  riscv64_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

  i386_pc_ldflags          = '$(TARGET_IMG_LDFLAGS)';
@ -98,9 +108,9 @@ kernel = {
  i386_qemu_cppflags     = '-DGRUB_BOOT_MACHINE_LINK_ADDR=$(GRUB_BOOT_MACHINE_LINK_ADDR)';
  emu_cflags = '$(CFLAGS_GNULIB)';
  emu_cppflags = '$(CPPFLAGS_GNULIB)';
-  arm_uboot_ldflags       = '-Wl,-r,-d';
+  arm_uboot_ldflags       = '-Wl,-r';
  arm_uboot_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';
-  arm_coreboot_ldflags       = '-Wl,-r,-d';
+  arm_coreboot_ldflags       = '-Wl,-r';
  arm_coreboot_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

  i386_pc_startup = kern/i386/pc/startup.S;
@ -120,9 +130,11 @@ kernel = {
  arm_coreboot_startup = kern/arm/startup.S;
  arm_efi_startup = kern/arm/efi/startup.S;
  arm64_efi_startup = kern/arm64/efi/startup.S;
+  loongarch64_efi_startup = kern/loongarch64/efi/startup.S;
  riscv32_efi_startup = kern/riscv/efi/startup.S;
  riscv64_efi_startup = kern/riscv/efi/startup.S;

+  common = kern/buffer.c;
  common = kern/command.c;
  common = kern/corecmd.c;
  common = kern/device.c;
@ -140,6 +152,7 @@ kernel = {
  common = kern/rescue_parser.c;
  common = kern/rescue_reader.c;
  common = kern/term.c;
+  common = kern/verifiers.c;

  noemu = kern/compiler-rt.c;
  noemu = kern/mm.c;
@ -198,11 +211,14 @@ kernel = {

  efi = disk/efi/efidisk.c;
  efi = kern/efi/efi.c;
+  efi = kern/efi/debug.c;
  efi = kern/efi/init.c;
  efi = kern/efi/mm.c;
  efi = term/efi/console.c;
  efi = kern/acpi.c;
  efi = kern/efi/acpi.c;
+  efi = kern/efi/sb.c;
+  efi = kern/lockdown.c;
  i386_coreboot = kern/i386/pc/acpi.c;
  i386_multiboot = kern/i386/pc/acpi.c;
  i386_coreboot = kern/acpi.c;
@ -221,7 +237,6 @@ kernel = {

  x86_64 = kern/x86_64/dl.c;
  x86_64_xen = kern/x86_64/dl.c;
-  x86_64_efi = kern/x86_64/efi/callwrap.S;
  x86_64_efi = kern/i386/efi/init.c;
  x86_64_efi = bus/pci.c;

@ -254,6 +269,9 @@ kernel = {
  arm64_efi = kern/arm64/efi/init.c;
  arm64_efi = kern/efi/fdt.c;

+  loongarch64_efi = kern/loongarch64/efi/init.c;
+  loongarch64_efi = kern/efi/fdt.c;
+
  riscv32_efi = kern/riscv/efi/init.c;
  riscv32_efi = kern/efi/fdt.c;

@ -332,6 +350,11 @@ kernel = {
  arm64 = kern/arm64/dl.c;
  arm64 = kern/arm64/dl_helper.c;

+  loongarch64 = kern/loongarch64/cache.c;
+  loongarch64 = kern/loongarch64/cache_flush.S;
+  loongarch64 = kern/loongarch64/dl.c;
+  loongarch64 = kern/loongarch64/dl_helper.c;
+
  riscv32 = kern/riscv/cache.c;
  riscv32 = kern/riscv/cache_flush.S;
  riscv32 = kern/riscv/dl.c;
@ -395,7 +418,7 @@ program = {

  ldadd = 'kernel.exec$(EXEEXT)';
  ldadd = '$(MODULE_FILES)';
-  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(SDL2_LIBS) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';

  enable = emu;
 };
@ -407,7 +430,7 @@ program = {
  emu_nodist = symlist.c;

  ldadd = 'kernel.exec$(EXEEXT)';
-  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(SDL2_LIBS) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';

  enable = emu;
 };
@ -513,7 +536,7 @@ image = {

 image = {
  name = xz_decompress;
-  mips = boot/mips/startup_raw.S;
+  mips_head = boot/mips/startup_raw.S;
  common = boot/decompressor/minilib.c;
  common = boot/decompressor/xz.c;
  common = lib/xzembed/xz_dec_bcj.c;
@ -531,7 +554,7 @@ image = {

 image = {
  name = none_decompress;
-  mips = boot/mips/startup_raw.S;
+  mips_head = boot/mips/startup_raw.S;
  common = boot/decompressor/none.c;

  cppflags = '-DGRUB_EMBED_DECOMPRESSOR=1';
@ -691,12 +714,16 @@ module = {
  name = cmostest;
  common = commands/i386/cmostest.c;
  enable = cmos;
+  enable = i386_efi;
+  enable = x86_64_efi;
 };

 module = {
  name = cmosdump;
  common = commands/i386/cmosdump.c;
  enable = cmos;
+  enable = i386_efi;
+  enable = x86_64_efi;
 };

 module = {
@ -739,6 +766,9 @@ module = {
  name = regexp;
  common = commands/regexp.c;
  common = commands/wildcard.c;
+  common = lib/gnulib/malloc/dynarray_finalize.c;
+  common = lib/gnulib/malloc/dynarray_emplace_enlarge.c;
+  common = lib/gnulib/malloc/dynarray_resize.c;
  common = lib/gnulib/regex.c;
  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB)';
@ -804,6 +834,12 @@ module = {
  enable = efi;
 };

+module = {
+  name = efitextmode;
+  efi = commands/efi/efitextmode.c;
+  enable = efi;
+};
+
 module = {
  name = blocklist;
  common = commands/blocklist.c;
@ -823,6 +859,7 @@ module = {
  enable = arm64_efi;
  enable = arm_uboot;
  enable = arm_coreboot;
+  enable = loongarch64_efi;
  enable = riscv32_efi;
  enable = riscv64_efi;
 };
@ -942,17 +979,6 @@ module = {
  cppflags = '-I$(srcdir)/lib/posix_wrap';
 };

-module = {
-  name = verifiers;
-  common = commands/verifiers.c;
-};
-
-module = {
-  name = shim_lock;
-  common = commands/efi/shim_lock.c;
-  enable = x86_64_efi;
-};
-
 module = {
  name = hdparm;
  common = commands/hdparm.c;
@ -1097,6 +1123,21 @@ module = {
  common = commands/sleep.c;
 };

+module = {
+  name = smbios;
+
+  common = commands/smbios.c;
+  efi = commands/efi/smbios.c;
+  i386_pc = commands/i386/pc/smbios.c;
+  i386_coreboot = commands/i386/pc/smbios.c;
+  i386_multiboot = commands/i386/pc/smbios.c;
+
+  enable = efi;
+  enable = i386_pc;
+  enable = i386_coreboot;
+  enable = i386_multiboot;
+};
+
 module = {
  name = suspend;
  ieee1275 = commands/ieee1275/suspend.c;
@ -1110,6 +1151,13 @@ module = {
  enable = powerpc_ieee1275;
 };

+module = {
+  name = tpm;
+  common = commands/tpm.c;
+  ieee1275 = commands/ieee1275/ibmvtpm.c;
+  enable = powerpc_ieee1275;
+};
+
 module = {
  name = terminal;
  common = commands/terminal.c;
@ -1161,10 +1209,32 @@ module = {
  common = disk/cryptodisk.c;
 };

+module = {
+  name = plainmount;
+  common = disk/plainmount.c;
+};
+
+module = {
+  name = json;
+  common = lib/json/json.c;
+};
+
+module = {
+  name = afsplitter;
+  common = disk/AFSplitter.c;
+};
+
 module = {
  name = luks;
  common = disk/luks.c;
-  common = disk/AFSplitter.c;
+};
+
+module = {
+  name = luks2;
+  common = disk/luks2.c;
+  common = lib/gnulib/base64.c;
+  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
+  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/json';
 };

 module = {
@ -1212,6 +1282,11 @@ module = {
  common = disk/raid6_recover.c;
 };

+module = {
+  name = key_protector;
+  common = disk/key_protector.c;
+};
+
 module = {
  name = scsi;
  common = disk/scsi.c;
@ -1372,6 +1447,11 @@ module = {
  common = fs/odc.c;
 };

+module = {
+  name = erofs;
+  common = fs/erofs.c;
+};
+
 module = {
  name = ext2;
  common = fs/ext2.c;
@ -1526,6 +1606,7 @@ module = {
  common = fs/zfs/zfs_lz4.c;
  common = fs/zfs/zfs_sha256.c;
  common = fs/zfs/zfs_fletcher.c;
+  cppflags = '-I$(srcdir)/lib/posix_wrap -I$(srcdir)/lib/zstd';
 };

 module = {
@ -1655,6 +1736,7 @@ module = {

 module = {
  name = datetime;
+  common = lib/datetime.c;
  cmos = lib/cmos_datetime.c;
  efi = lib/efi/datetime.c;
  uboot = lib/dummy/datetime.c;
@ -1667,7 +1749,6 @@ module = {
  i386_xen_pvh = lib/xen/datetime.c;

  mips_arc = lib/arc/datetime.c;
-  enable = noemu;
 };

 module = {
@ -1683,6 +1764,7 @@ module = {
  extra_dist = lib/arm/setjmp.S;
  extra_dist = lib/arm64/setjmp.S;
  extra_dist = lib/riscv/setjmp.S;
+  extra_dist = lib/loongarch64/setjmp.S;
 };

 module = {
@ -1781,14 +1863,17 @@ module = {
  sparc64_ieee1275 = loader/sparc64/ieee1275/linux.c;
  ia64_efi = loader/ia64/efi/linux.c;
  arm_coreboot = loader/arm/linux.c;
-  arm_efi = loader/arm64/linux.c;
+  arm_efi = loader/efi/linux.c;
  arm_uboot = loader/arm/linux.c;
-  arm64 = loader/arm64/linux.c;
-  riscv32 = loader/riscv/linux.c;
-  riscv64 = loader/riscv/linux.c;
+  arm64 = loader/efi/linux.c;
+  loongarch64 = loader/efi/linux.c;
+  riscv32 = loader/efi/linux.c;
+  riscv64 = loader/efi/linux.c;
+  i386_efi = loader/efi/linux.c;
+  x86_64_efi = loader/efi/linux.c;
+  emu = loader/emu/linux.c;
  common = loader/linux.c;
  common = lib/cmdline.c;
-  enable = noemu;
 };

 module = {
@ -1880,6 +1965,7 @@ module = {
  enable = ia64_efi;
  enable = arm_efi;
  enable = arm64_efi;
+  enable = loongarch64_efi;
  enable = riscv32_efi;
  enable = riscv64_efi;
  enable = mips;
@ -1894,7 +1980,6 @@ module = {
  common = normal/autofs.c;
  common = normal/color.c;
  common = normal/completion.c;
-  common = normal/datetime.c;
  common = normal/menu.c;
  common = normal/menu_entry.c;
  common = normal/menu_text.c;
@ -1923,7 +2008,7 @@ module = {
  extra_dist = script/yylex.l;
  extra_dist = script/parser.y;

-  cflags = '$(CFLAGS_POSIX) -Wno-redundant-decls';
+  cflags = '$(CFLAGS_POSIX) -Wno-redundant-decls -Wno-unused-but-set-variable';
  cppflags = '$(CPPFLAGS_POSIX)';
 };

@ -2009,9 +2094,11 @@ module = {
  name = serial;
  common = term/serial.c;
  x86 = term/ns8250.c;
+  x86 = term/ns8250-spcr.c;
  ieee1275 = term/ieee1275/serial.c;
  mips_arc = term/arc/serial.c;
  efi = term/efi/serial.c;
+  x86 = term/pci/serial.c;

  enable = terminfomodule;
  enable = ieee1275;
@ -2253,6 +2340,14 @@ module = {
  condition = COND_GRUB_EMU_SDL;
 };

+module = {
+  name = sdl;
+  emu = video/emu/sdl.c;
+  enable = emu;
+  condition = COND_GRUB_EMU_SDL2;
+  cflags = '$(SDL2_CFLAGS)';
+};
+
 module = {
  name = datehook;
  common = hook/datehook.c;
@ -2469,7 +2564,35 @@ module = {
  name = tpm;
  common = commands/tpm.c;
  efi = commands/efi/tpm.c;
-  enable = x86_64_efi;
+  enable = efi;
+};
+
+module = {
+  name = tss2;
+  common = lib/tss2/buffer.c;
+  common = lib/tss2/tss2_mu.c;
+  common = lib/tss2/tpm2_cmd.c;
+  common = lib/tss2/tss2.c;
+  efi = lib/efi/tcg2.c;
+  emu = lib/tss2/tcg2_emu.c;
+  powerpc_ieee1275 = lib/ieee1275/tcg2.c;
+  enable = efi;
+  enable = emu;
+  enable = powerpc_ieee1275;
+  cppflags = '-I$(srcdir)/lib/tss2';
+};
+
+module = {
+  name = tpm2_key_protector;
+  common = commands/tpm2_key_protector/args.c;
+  common = commands/tpm2_key_protector/module.c;
+  common = commands/tpm2_key_protector/tpm2key.c;
+  common = commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+  /* The plaform support of tpm2_key_protector depends on the tcg2 implementation in tss2. */
+  enable = efi;
+  enable = emu;
+  enable = powerpc_ieee1275;
+  cppflags = '-I$(srcdir)/lib/tss2 -I$(srcdir)/lib/libtasn1-grub';
 };

 module = {
@ -2503,3 +2626,46 @@ module = {
  common = commands/i386/wrmsr.c;
  enable = x86;
 };
+
+module = {
+  name = memtools;
+  common = commands/memtools.c;
+  condition = COND_MM_DEBUG;
+};
+
+module = {
+  name = bli;
+  efi = commands/bli.c;
+  enable = efi;
+  depends = part_gpt;
+};
+
+module = {
+  name = asn1;
+  common = lib/libtasn1-grub/lib/decoding.c;
+  common = lib/libtasn1-grub/lib/coding.c;
+  common = lib/libtasn1-grub/lib/element.c;
+  common = lib/libtasn1-grub/lib/structure.c;
+  common = lib/libtasn1-grub/lib/parser_aux.c;
+  common = lib/libtasn1-grub/lib/gstr.c;
+  common = lib/libtasn1-grub/lib/errors.c;
+  common = lib/libtasn1_wrap/wrap.c;
+  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
+  /* -Wno-type-limits comes from configure.ac of libtasn1 */
+  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/libtasn1-grub -I$(srcdir)/lib/libtasn1-grub/lib -Wno-type-limits';
+};
+
+module = {
+  name = asn1_test;
+  common = tests/asn1/tests/CVE-2018-1000654.c;
+  common = tests/asn1/tests/object-id-decoding.c;
+  common = tests/asn1/tests/object-id-encoding.c;
+  common = tests/asn1/tests/octet-string.c;
+  common = tests/asn1/tests/reproducers.c;
+  common = tests/asn1/tests/Test_overflow.c;
+  common = tests/asn1/tests/Test_simple.c;
+  common = tests/asn1/tests/Test_strings.c;
+  common = tests/asn1/asn1_test.c;
+  cflags = '-Wno-uninitialized';
+  cppflags = '-I$(srcdir)/lib/libtasn1-grub -I$(srcdir)/tests/asn1/';
+};
--- a/grub-core/bus/bonito.c
+++ b/grub-core/bus/bonito.c
@ -21,12 +21,12 @@
 #include <grub/misc.h>

 static grub_uint32_t base_win[GRUB_MACHINE_PCI_NUM_WIN];
-static const grub_size_t sizes_win[GRUB_MACHINE_PCI_NUM_WIN] = 
-  {GRUB_MACHINE_PCI_WIN1_SIZE, GRUB_MACHINE_PCI_WIN_SIZE, 
+static const grub_size_t sizes_win[GRUB_MACHINE_PCI_NUM_WIN] =
+  {GRUB_MACHINE_PCI_WIN1_SIZE, GRUB_MACHINE_PCI_WIN_SIZE,
   GRUB_MACHINE_PCI_WIN_SIZE};
 /* Usage counters.  */
 static int usage_win[GRUB_MACHINE_PCI_NUM_WIN];
-static grub_addr_t addr_win[GRUB_MACHINE_PCI_NUM_WIN] = 
+static grub_addr_t addr_win[GRUB_MACHINE_PCI_NUM_WIN] =
  {GRUB_MACHINE_PCI_WIN1_ADDR, GRUB_MACHINE_PCI_WIN2_ADDR,
   GRUB_MACHINE_PCI_WIN3_ADDR};

@ -93,9 +93,9 @@ write_bases_2f (void)
 {
  int i;
  grub_uint32_t reg = 0;
-  for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++) 
-    reg |= (((base_win[i] >> GRUB_MACHINE_PCI_WIN_SHIFT) 
-	     & GRUB_MACHINE_PCI_WIN_MASK) 
+  for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
+    reg |= (((base_win[i] >> GRUB_MACHINE_PCI_WIN_SHIFT)
+	     & GRUB_MACHINE_PCI_WIN_MASK)
 	    << (i * GRUB_MACHINE_PCI_WIN_MASK_SIZE));
  GRUB_MACHINE_PCI_IO_CTRL_REG_2F = reg;
 }
@ -111,23 +111,23 @@ grub_pci_device_map_range (grub_pci_device_t dev __attribute__ ((unused)),

      /* First try already used registers. */
      for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
-	if (usage_win[i] && base_win[i] <= base 
+	if (usage_win[i] && base_win[i] <= base
 	    && base_win[i] + sizes_win[i] > base + size)
 	  {
 	    usage_win[i]++;
-	    return (void *) 
+	    return (void *)
 	      (addr_win[i] | (base & GRUB_MACHINE_PCI_WIN_OFFSET_MASK));
 	  }
      /* Map new register.  */
      newbase = base & ~GRUB_MACHINE_PCI_WIN_OFFSET_MASK;
      for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
-	if (!usage_win[i] && newbase <= base 
+	if (!usage_win[i] && newbase <= base
 	    && newbase + sizes_win[i] > base + size)
 	  {
 	    usage_win[i]++;
 	    base_win[i] = newbase;
 	    write_bases_2f ();
-	    return (void *) 
+	    return (void *)
 	      (addr_win[i] | (base & GRUB_MACHINE_PCI_WIN_OFFSET_MASK));
 	  }
      grub_fatal ("Out of PCI windows.");
@ -164,7 +164,7 @@ grub_pci_device_unmap_range (grub_pci_device_t dev __attribute__ ((unused)),
    {
      int i;
      for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
-	if (usage_win[i] && addr_win[i] 
+	if (usage_win[i] && addr_win[i]
 	    == (((grub_addr_t) mem | 0x20000000)
 		& ~GRUB_MACHINE_PCI_WIN_OFFSET_MASK))
 	  {
--- a/grub-core/bus/cs5536.c
+++ b/grub-core/bus/cs5536.c
@ -72,7 +72,7 @@ grub_cs5536_read_msr (grub_pci_device_t dev, grub_uint32_t addr)
 		  addr);
  ret = (grub_uint64_t)
    grub_pci_read (grub_pci_make_address (dev, GRUB_CS5536_MSR_MAILBOX_DATA0));
-  ret |= (((grub_uint64_t) 
+  ret |= (((grub_uint64_t)
 	  grub_pci_read (grub_pci_make_address (dev,
 						GRUB_CS5536_MSR_MAILBOX_DATA1)))
 	  << 32);
@ -100,7 +100,7 @@ grub_cs5536_smbus_wait (grub_port_t smbbase)
      grub_uint8_t status;
      status = grub_inb (smbbase + GRUB_CS5536_SMB_REG_STATUS);
      if (status & GRUB_CS5536_SMB_REG_STATUS_SDAST)
-	return GRUB_ERR_NONE;	
+	return GRUB_ERR_NONE;
      if (status & GRUB_CS5536_SMB_REG_STATUS_BER)
 	return grub_error (GRUB_ERR_IO, "SM bus error");
      if (status & GRUB_CS5536_SMB_REG_STATUS_NACK)
@ -122,8 +122,8 @@ grub_cs5536_read_spd_byte (grub_port_t smbbase, grub_uint8_t dev,
 	     smbbase + GRUB_CS5536_SMB_REG_CTRL1);

  /* Send device address.  */
-  err = grub_cs5536_smbus_wait (smbbase); 
-  if (err) 
+  err = grub_cs5536_smbus_wait (smbbase);
+  if (err)
    return err;
  grub_outb (dev << 1, smbbase + GRUB_CS5536_SMB_REG_DATA);

@ -139,8 +139,8 @@ grub_cs5536_read_spd_byte (grub_port_t smbbase, grub_uint8_t dev,
  grub_outb (addr, smbbase + GRUB_CS5536_SMB_REG_DATA);

  /* Send START.  */
-  err = grub_cs5536_smbus_wait (smbbase); 
-  if (err) 
+  err = grub_cs5536_smbus_wait (smbbase);
+  if (err)
    return err;
  grub_outb (grub_inb (smbbase + GRUB_CS5536_SMB_REG_CTRL1)
 	     | GRUB_CS5536_SMB_REG_CTRL1_START,
@ -161,7 +161,7 @@ grub_cs5536_read_spd_byte (grub_port_t smbbase, grub_uint8_t dev,
 	     smbbase + GRUB_CS5536_SMB_REG_CTRL1);

  err = grub_cs5536_smbus_wait (smbbase);
-  if (err) 
+  if (err)
    return err;
  *res = grub_inb (smbbase + GRUB_CS5536_SMB_REG_DATA);

@ -198,8 +198,8 @@ grub_cs5536_init_smbus (grub_pci_device_t dev, grub_uint16_t divisor,
  grub_outb (((divisor >> 7) & 0xff), *smbbase + GRUB_CS5536_SMB_REG_CTRL3);
  grub_outb (((divisor << 1) & 0xfe) | GRUB_CS5536_SMB_REG_CTRL2_ENABLE,
 	     *smbbase + GRUB_CS5536_SMB_REG_CTRL2);
-  
-  return GRUB_ERR_NONE; 
+
+  return GRUB_ERR_NONE;
 }

 grub_err_t
@ -217,7 +217,7 @@ grub_cs5536_read_spd (grub_port_t smbbase, grub_uint8_t dev,
  if (b == 0)
    return grub_error (GRUB_ERR_IO, "no SPD found");
  size = b;
-  
+
  ((grub_uint8_t *) res)[0] = b;
  for (ptr = 1; ptr < size; ptr++)
    {
@ -310,7 +310,7 @@ grub_cs5536_init_geode (grub_pci_device_t dev)

  /* Initialise USB controller.  */
  /* FIXME: assign adresses dynamically.  */
-  grub_cs5536_write_msr (dev, GRUB_CS5536_MSR_USB_OHCI_BASE, 
+  grub_cs5536_write_msr (dev, GRUB_CS5536_MSR_USB_OHCI_BASE,
 			 GRUB_CS5536_MSR_USB_BASE_BUS_MASTER
 			 | GRUB_CS5536_MSR_USB_BASE_MEMORY_ENABLE
 			 | 0x05024000);
@ -331,8 +331,9 @@ grub_cs5536_init_geode (grub_pci_device_t dev)

  {
    volatile grub_uint32_t *oc;
-    oc = grub_pci_device_map_range (dev, 0x05022000,
-				    GRUB_CS5536_USB_OPTION_REGS_SIZE);
+
+    oc = grub_absolute_pointer (grub_pci_device_map_range (dev, 0x05022000,
+				GRUB_CS5536_USB_OPTION_REGS_SIZE));

    oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX] =
      (oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX]
--- a/grub-core/bus/pci.c
+++ b/grub-core/bus/pci.c
@ -159,12 +159,12 @@ grub_pci_find_capability (grub_pci_device_t dev, grub_uint8_t cap)

      pos &= ~3;

-      addr = grub_pci_make_address (dev, pos);      
+      addr = grub_pci_make_address (dev, pos);
      id = grub_pci_read_byte (addr);

      if (id == 0xff)
 	break;
-      
+
      if (id == cap)
 	return pos;
      pos++;
--- a/grub-core/bus/usb/ehci-pci.c
+++ b/grub-core/bus/usb/ehci-pci.c
@ -96,7 +96,7 @@ grub_ehci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 	  return 0;
 	}
      grub_dprintf ("ehci", "EHCI grub_ehci_pci_iter: bus rev. num. OK\n");
-  
+
      /* Determine EHCI EHCC registers base address.  */
      addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
      base = grub_pci_read (addr);
@ -125,7 +125,7 @@ grub_ehci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 			  GRUB_PCI_COMMAND_MEM_ENABLED
 			  | GRUB_PCI_COMMAND_BUS_MASTER
 			  | grub_pci_read_word(addr));
-      
+
      grub_dprintf ("ehci", "EHCI grub_ehci_pci_iter: 32-bit EHCI OK\n");
    }

@ -142,7 +142,7 @@ grub_ehci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
    /* Determine and change ownership. */
  /* EECP offset valid in HCCPARAMS */
  /* Ownership can be changed via EECP only */
-  if (pciid != GRUB_CS5536_PCIID && eecp_offset >= 0x40)	
+  if (pciid != GRUB_CS5536_PCIID && eecp_offset >= 0x40)
    {
      grub_pci_address_t pciaddr_eecp;
      pciaddr_eecp = grub_pci_make_address (dev, eecp_offset);
--- a/grub-core/bus/usb/ehci.c
+++ b/grub-core/bus/usb/ehci.c
@ -218,7 +218,7 @@ enum

 #define GRUB_EHCI_TERMINATE      (1<<0)

-#define GRUB_EHCI_TOGGLE         (1<<31)
+#define GRUB_EHCI_TOGGLE         ((grub_uint32_t) 1<<31)

 enum
 {
@ -498,8 +498,8 @@ grub_ehci_init_device (volatile void *regs)
    }
  e->iobase = ((volatile grub_uint32_t *) e->iobase_ehcc
 	       + (caplen / sizeof (grub_uint32_t)));
-#else  
-  e->iobase = (volatile grub_uint32_t *) 
+#else
+  e->iobase = (volatile grub_uint32_t *)
    ((grub_uint8_t *) e->iobase_ehcc + caplen);
 #endif

@ -869,7 +869,7 @@ grub_ehci_find_qh (struct grub_ehci *e, grub_usb_transfer_t transfer)
    i++ )
    {
      if (target == (qh_iter->ep_char & mask))
-	{		
+	{
 	  /* Found proper existing (and linked) QH, do setup of QH */
 	  grub_dprintf ("ehci", "find_qh: found, QH=%p\n", qh_iter);
 	  grub_ehci_setup_qh (qh_iter, transfer);
@ -1813,7 +1813,7 @@ static struct grub_usb_controller_dev usb_controller = {
  .portstatus = grub_ehci_portstatus,
  .detect_dev = grub_ehci_detect_dev,
  /* estimated max. count of TDs for one bulk transfer */
-  .max_bulk_tds = GRUB_EHCI_N_TD * 3 / 4 
+  .max_bulk_tds = GRUB_EHCI_N_TD * 3 / 4
 };

 GRUB_MOD_INIT (ehci)
--- a/grub-core/bus/usb/ohci.c
+++ b/grub-core/bus/usb/ohci.c
@ -196,7 +196,7 @@ grub_ohci_td_virt2phys (struct grub_ohci *o,  grub_ohci_td_t x)
  return (grub_uint8_t *)x - (grub_uint8_t *)o->td + o->td_addr;
 }

-  
+
 static grub_uint32_t
 grub_ohci_readreg32 (struct grub_ohci *o, grub_ohci_reg_t reg)
 {
@ -224,7 +224,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
  struct grub_ohci *o;
  grub_uint32_t revision;
  int j;
-  
+
  /* Determine IO base address.  */
  grub_dprintf ("ohci", "pciid = %x\n", pciid);

@ -253,7 +253,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,

      addr = grub_pci_make_address (dev, GRUB_PCI_REG_CLASS);
      class_code = grub_pci_read (addr) >> 8;
-      
+
      interf = class_code & 0xFF;
      subclass = (class_code >> 8) & 0xFF;
      class = class_code >> 16;
@ -315,7 +315,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 	       * GRUB_OHCI_CTRL_EDS);
  for (j=0; j < GRUB_OHCI_CTRL_EDS; j++)
    o->ed_ctrl[j].target = grub_cpu_to_le32_compile_time (1 << 14); /* skip */
-    
+
  grub_dprintf ("ohci", "EDs-C: chunk=%p, virt=%p, phys=0x%02x\n",
                o->ed_ctrl_chunk, o->ed_ctrl, o->ed_ctrl_addr);

@ -385,7 +385,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 	    grub_dprintf("ohci", "Ownership changing timeout, change forced !\n");
 	  }
      }
-    else if (((control & 0x100) == 0) && 
+    else if (((control & 0x100) == 0) &&
 	     ((control & 0xc0) != 0)) /* Not owned by SMM nor reset */
      {
 	grub_dprintf("ohci", "OHCI is owned by BIOS\n");
@ -396,7 +396,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
      {
 	grub_dprintf("ohci", "OHCI is not owned by SMM nor BIOS\n");
 	/* We can setup OHCI. */
-      }  
+      }
  }

  /* Suspend the OHCI by issuing a reset.  */
@ -513,7 +513,7 @@ grub_ohci_find_ed (struct grub_ohci *o, int bulk, grub_uint32_t target)

  /* Use proper values and structures. */
  if (bulk)
-    {    
+    {
      count = GRUB_OHCI_BULK_EDS;
      ed = o->ed_bulk;
      ed_next = grub_ohci_ed_phys2virt(o, bulk,
@ -576,7 +576,7 @@ grub_ohci_alloc_td (struct grub_ohci *o)
 static void
 grub_ohci_free_td (struct grub_ohci *o, grub_ohci_td_t td)
 {
-  grub_memset ( (void*)td, 0, sizeof(struct grub_ohci_td) ); 
+  grub_memset ( (void*)td, 0, sizeof(struct grub_ohci_td) );
  td->link_td = o->td_free; /* Cahin new free TD & rest */
  o->td_free = td; /* Change address of first free TD */
 }
@ -586,7 +586,7 @@ grub_ohci_free_tds (struct grub_ohci *o, grub_ohci_td_t td)
 {
  if (!td)
    return;
-    
+
  /* Unchain first TD from previous TD if it is chained */
  if (td->prev_td_phys)
    {
@ -596,12 +596,12 @@ grub_ohci_free_tds (struct grub_ohci *o, grub_ohci_td_t td)
      if (td == (grub_ohci_td_t) td_prev_virt->link_td)
        td_prev_virt->link_td = 0;
    }
-  
+
  /* Free all TDs from td  (chained by link_td) */
  while (td)
    {
      grub_ohci_td_t tdprev;
-      
+
      /* Unlink the queue.  */
      tdprev = td;
      td = (grub_ohci_td_t) td->link_td;
@ -658,7 +658,7 @@ grub_ohci_transaction (grub_ohci_td_t td,
      td->buffer = grub_cpu_to_le32 (buffer);
      td->buffer_end = grub_cpu_to_le32 (buffer_end);
    }
-  else 
+  else
    {
      td->buffer = 0;
      td->buffer_end = 0;
@ -728,7 +728,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,
      grub_free (cdata);
      return GRUB_USB_ERR_INTERNAL;
    }
-  
+
  /* Take pointer to first TD from ED */
  td_head_phys = grub_le_to_cpu32 (cdata->ed_virt->td_head) & ~0xf;
  td_tail_phys = grub_le_to_cpu32 (cdata->ed_virt->td_tail) & ~0xf;
@ -743,7 +743,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,
      grub_free (cdata);
      return GRUB_USB_ERR_INTERNAL;
    }
-  
+
  /* Now we should handle first TD. If ED is newly allocated,
   * we must allocate the first TD. */
  if (!td_head_phys)
@ -762,7 +762,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,
    }
  else
    cdata->td_head_virt = grub_ohci_td_phys2virt ( o, td_head_phys );
-    
+
  /* Set TDs */
  cdata->td_last_phys = td_head_phys; /* initial value to make compiler happy... */
  for (i = 0, cdata->td_current_virt = cdata->td_head_virt;
@ -775,10 +775,10 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,

      /* Set index of TD in transfer */
      cdata->td_current_virt->tr_index = (grub_uint32_t) i;
-      
+
      /* Remember last used (processed) TD phys. addr. */
      cdata->td_last_phys = grub_ohci_td_virt2phys (o, cdata->td_current_virt);
-      
+
      /* Allocate next TD */
      td_next_virt = grub_ohci_alloc_td (o);
      if (!td_next_virt) /* No free TD, cancel transfer and free TDs except head TD */
@ -807,7 +807,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,

  grub_dprintf ("ohci", "Tail TD (not processed) = %p\n",
                cdata->td_current_virt);
-  
+
  /* Setup the Endpoint Descriptor for transfer.  */
  /* First set necessary fields in TARGET but keep (or set) skip bit */
  /* Note: It could be simpler if speed, format and max. packet
@ -923,7 +923,7 @@ finish_transfer (grub_usb_controller_t dev,
  struct grub_ohci_transfer_controller_data *cdata = transfer->controller_data;

  /* Set empty ED - set HEAD = TAIL = last (not processed) TD */
-  cdata->ed_virt->td_head = grub_cpu_to_le32 (grub_le_to_cpu32 (cdata->ed_virt->td_tail) & ~0xf); 
+  cdata->ed_virt->td_head = grub_cpu_to_le32 (grub_le_to_cpu32 (cdata->ed_virt->td_tail) & ~0xf);

  /* At this point always should be:
   * ED has skip bit set and halted or empty or after next SOF,
@ -935,7 +935,7 @@ finish_transfer (grub_usb_controller_t dev,
    {
      grub_ohci_td_t td_prev_virt
 	= grub_ohci_td_phys2virt (o, cdata->td_current_virt->prev_td_phys);
-      
+
      if (cdata->td_current_virt == (grub_ohci_td_t) td_prev_virt->link_td)
        td_prev_virt->link_td = 0;

@ -978,7 +978,7 @@ parse_halt (grub_usb_controller_t dev,
    }
  else
    transfer->last_trans = -1;
-  
+
  /* Evaluation of error code */
  grub_dprintf ("ohci", "OHCI tderr_phys=0x%02x, errcode=0x%02x\n",
 		cdata->tderr_phys, errcode);
@ -1089,7 +1089,7 @@ parse_success (grub_usb_controller_t dev,

  /* Prepare pointer to last processed TD */
  tderr_virt = grub_ohci_td_phys2virt (o, cdata->tderr_phys);
-  
+
  /* Set index of last processed TD */
  if (tderr_virt)
    transfer->last_trans = tderr_virt->tr_index;
@ -1207,7 +1207,7 @@ grub_ohci_cancel_transfer (grub_usb_controller_t dev,
  cdata->tderr_phys
    = grub_ohci_td_phys2virt (o, grub_le_to_cpu32 (cdata->ed_virt->td_head)
                              & ~0xf)->prev_td_phys;
-    
+
  tderr_virt = grub_ohci_td_phys2virt (o,cdata-> tderr_phys);

  grub_dprintf ("ohci", "Cancel: tderr_phys=0x%x, tderr_virt=%p\n",
@ -1249,7 +1249,7 @@ grub_ohci_portstatus (grub_usb_controller_t dev,
         grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port));
       return GRUB_USB_ERR_NONE;
     }
-     
+
   /* OHCI does one reset signal 10ms long but USB spec.
    * requests 50ms for root hub (no need to be continuous).
    * So, we do reset 5 times... */
@ -1276,7 +1276,7 @@ grub_ohci_portstatus (grub_usb_controller_t dev,
   grub_ohci_writereg32 (o, GRUB_OHCI_REG_RHUBPORT + port,
                         GRUB_OHCI_SET_PORT_ENABLE);
   grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port);
-   
+
   /* Wait for signal enabled */
   endtime = grub_get_time_ms () + 1000;
   while (! (grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port)
@ -1290,10 +1290,10 @@ grub_ohci_portstatus (grub_usb_controller_t dev,

   /* "Reset recovery time" (USB spec.) */
   grub_millisleep (10);
-   
+
   grub_dprintf ("ohci", "end of portstatus=0x%02x\n",
 		 grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port));
- 
+
   return GRUB_USB_ERR_NONE;
 }

--- a/grub-core/bus/usb/serial/common.c
+++ b/grub-core/bus/usb/serial/common.c
@ -93,7 +93,7 @@ grub_usbserial_attach (grub_usb_device_t usbdev, int configno, int interfno,
  /* Configure device */
  if (port->out_endp && port->in_endp)
    err = grub_usb_set_configuration (usbdev, configno + 1);
-  
+
  if (!port->out_endp || !port->in_endp || err)
    {
      grub_free (port->name);
--- a/grub-core/bus/usb/serial/ftdi.c
+++ b/grub-core/bus/usb/serial/ftdi.c
@ -174,7 +174,7 @@ static struct grub_serial_driver grub_ftdi_driver =
    .fini = grub_usbserial_fini
  };

-static const struct 
+static const struct
 {
  grub_uint16_t vendor, product;
 } products[] =
--- a/grub-core/bus/usb/serial/pl2303.c
+++ b/grub-core/bus/usb/serial/pl2303.c
@ -187,7 +187,7 @@ static struct grub_serial_driver grub_pl2303_driver =
    .fini = grub_usbserial_fini
  };

-static const struct 
+static const struct
 {
  grub_uint16_t vendor, product;
 } products[] =
--- a/grub-core/bus/usb/uhci.c
+++ b/grub-core/bus/usb/uhci.c
@ -244,10 +244,10 @@ grub_uhci_pci_iter (grub_pci_device_t dev,
  u->iobase = (base & GRUB_UHCI_IOMASK) + GRUB_MACHINE_PCI_IO_BASE;

  /* Reset PIRQ and SMI */
-  addr = grub_pci_make_address (dev, GRUB_UHCI_REG_USBLEGSUP);       
+  addr = grub_pci_make_address (dev, GRUB_UHCI_REG_USBLEGSUP);
  grub_pci_write_word(addr, GRUB_UHCI_RESET_LEGSUP_SMI);
  /* Reset the HC */
-  grub_uhci_writereg16(u, GRUB_UHCI_REG_USBCMD, GRUB_UHCI_CMD_HCRESET); 
+  grub_uhci_writereg16(u, GRUB_UHCI_REG_USBCMD, GRUB_UHCI_CMD_HCRESET);
  grub_millisleep(5);
  /* Disable interrupts and commands (just to be safe) */
  grub_uhci_writereg16(u, GRUB_UHCI_REG_USBINTR, 0);
@ -399,7 +399,7 @@ grub_free_queue (struct grub_uhci *u, grub_uhci_qh_t qh, grub_uhci_td_t td,
  u->qh_busy[qh - u->qh_virt] = 0;

  *actual = 0;
-  
+
  /* Free the TDs in this queue and set last_trans.  */
  for (i=0; td; i++)
    {
@ -411,7 +411,7 @@ grub_free_queue (struct grub_uhci *u, grub_uhci_qh_t qh, grub_uhci_td_t td,
        transfer->last_trans = i;

      *actual += (td->ctrl_status + 1) & 0x7ff;
-      
+
      /* Unlink the queue.  */
      tdprev = td;
      if (!td->linkptr2)
@ -537,7 +537,7 @@ grub_uhci_setup_transfer (grub_usb_controller_t dev,
    }

  grub_dprintf ("uhci", "transfer, iobase:%08x\n", u->iobase);
-  
+
  for (i = 0; i < transfer->transcnt; i++)
    {
      grub_usb_transaction_t tr = &transfer->transactions[i];
@ -604,7 +604,7 @@ grub_uhci_check_transfer (grub_usb_controller_t dev,
    errtd = grub_dma_phys2virt (cdata->qh->elinkptr & ~0x0f, u->qh_chunk);
  else
    errtd = 0;
-  
+
  if (errtd)
    {
      grub_dprintf ("uhci", ">t status=0x%02x data=0x%02x td=%p, %x\n",
@ -632,27 +632,27 @@ grub_uhci_check_transfer (grub_usb_controller_t dev,
      /* Check if the endpoint is stalled.  */
      if (errtd->ctrl_status & (1 << 22))
 	err = GRUB_USB_ERR_STALL;
-      
+
      /* Check if an error related to the data buffer occurred.  */
      else if (errtd->ctrl_status & (1 << 21))
 	err = GRUB_USB_ERR_DATA;
-      
+
      /* Check if a babble error occurred.  */
      else if (errtd->ctrl_status & (1 << 20))
 	err = GRUB_USB_ERR_BABBLE;
-      
+
      /* Check if a NAK occurred.  */
      else if (errtd->ctrl_status & (1 << 19))
 	err = GRUB_USB_ERR_NAK;
-      
+
      /* Check if a timeout occurred.  */
      else if (errtd->ctrl_status & (1 << 18))
 	err = GRUB_USB_ERR_TIMEOUT;
-      
+
      /* Check if a bitstuff error occurred.  */
      else if (errtd->ctrl_status & (1 << 17))
 	err = GRUB_USB_ERR_BITSTUFF;
-      
+
      if (err)
 	{
 	  grub_dprintf ("uhci", "transaction failed\n");
@ -719,7 +719,7 @@ grub_uhci_portstatus (grub_usb_controller_t dev,
  grub_uint64_t endtime;

  grub_dprintf ("uhci", "portstatus, iobase:%08x\n", u->iobase);
-  
+
  grub_dprintf ("uhci", "enable=%d port=%d\n", enable, port);

  if (port == 0)
@ -746,7 +746,7 @@ grub_uhci_portstatus (grub_usb_controller_t dev,
      grub_dprintf ("uhci", ">3detect=0x%02x\n", status);
      return GRUB_USB_ERR_NONE;
    }
-    
+
  /* Reset the port.  */
  status = grub_uhci_readreg16 (u, reg) & ~GRUB_UHCI_PORTSC_RWC;
  grub_uhci_writereg16 (u, reg, status | (1 << 9));
@ -796,7 +796,7 @@ grub_uhci_detect_dev (grub_usb_controller_t dev, int port, int *changed)
  unsigned int status;

  grub_dprintf ("uhci", "detect_dev, iobase:%08x\n", u->iobase);
-  
+
  if (port == 0)
    reg = GRUB_UHCI_REG_PORTSC1;
  else if (port == 1)
@ -818,7 +818,7 @@ grub_uhci_detect_dev (grub_usb_controller_t dev, int port, int *changed)
    }
  else
    *changed = 0;
-    
+
  if (! (status & GRUB_UHCI_DETECT_HAVE_DEVICE))
    return GRUB_USB_SPEED_NONE;
  else if (status & GRUB_UHCI_DETECT_LOW_SPEED)
--- a/grub-core/bus/usb/usb.c
+++ b/grub-core/bus/usb/usb.c
@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
 grub_usb_err_t
 grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
 {
+  if (endpoint >= GRUB_USB_MAX_TOGGLE)
+    return GRUB_USB_ERR_BADDEVICE;
+
  dev->toggle[endpoint] = 0;
  return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
 				     | GRUB_USB_REQTYPE_STANDARD
@ -134,14 +137,14 @@ grub_usb_device_initialize (grub_usb_device_t dev)
    return err;
  descdev = &dev->descdev;

-  for (i = 0; i < 8; i++)
+  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
    dev->config[i].descconf = NULL;

-  if (descdev->configcnt == 0)
+  if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
    {
      err = GRUB_USB_ERR_BADDEVICE;
      goto fail;
-    }    
+    }

  for (i = 0; i < descdev->configcnt; i++)
    {
@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
      /* Skip the configuration descriptor.  */
      pos = dev->config[i].descconf->length;

+      if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
+        {
+          err = GRUB_USB_ERR_BADDEVICE;
+          goto fail;
+        }
+
      /* Read all interfaces.  */
      for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
 	{
@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)

 fail:

-  for (i = 0; i < 8; i++)
+  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
    grub_free (dev->config[i].descconf);

  return err;
@ -226,7 +235,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
 void grub_usb_device_attach (grub_usb_device_t dev)
 {
  int i;
-  
+
  /* XXX: Just check configuration 0 for now.  */
  for (i = 0; i < dev->config[0].descconf->numif; i++)
    {
@ -322,7 +331,7 @@ grub_usb_register_attach_hook_class (struct grub_usb_attach_desc *desc)
 void
 grub_usb_unregister_attach_hook_class (struct grub_usb_attach_desc *desc)
 {
-  grub_list_remove (GRUB_AS_LIST (desc));  
+  grub_list_remove (GRUB_AS_LIST (desc));
 }


--- a/grub-core/bus/usb/usbhub.c
+++ b/grub-core/bus/usb/usbhub.c
@ -82,7 +82,7 @@ grub_usb_hub_add_dev (grub_usb_controller_t controller,
  if (i == GRUB_USBHUB_MAX_DEVICES)
    {
      grub_error (GRUB_ERR_IO, "can't assign address to USB device");
-      for (i = 0; i < 8; i++)
+      for (i = 0; i < GRUB_USB_MAX_CONF; i++)
        grub_free (dev->config[i].descconf);
      grub_free (dev);
      return NULL;
@ -96,7 +96,7 @@ grub_usb_hub_add_dev (grub_usb_controller_t controller,
 			      i, 0, 0, NULL);
  if (err)
    {
-      for (i = 0; i < 8; i++)
+      for (i = 0; i < GRUB_USB_MAX_CONF; i++)
        grub_free (dev->config[i].descconf);
      grub_free (dev);
      return NULL;
@ -115,11 +115,11 @@ grub_usb_hub_add_dev (grub_usb_controller_t controller,
  grub_millisleep (2);

  grub_boot_time ("Probing USB device driver");
-  
+
  grub_usb_device_attach (dev);

  grub_boot_time ("Attached USB device");
-  
+
  return dev;
 }

@ -130,7 +130,7 @@ grub_usb_add_hub (grub_usb_device_t dev)
  struct grub_usb_usb_hubdesc hubdesc;
  grub_usb_err_t err;
  int i;
-  
+
  err = grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_IN
 	  		            | GRUB_USB_REQTYPE_CLASS
 			            | GRUB_USB_REQTYPE_TARGET_DEV),
@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
  grub_usb_set_configuration (dev, 1);

  dev->nports = hubdesc.portcnt;
-  dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
-  dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
+  dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
+  dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
  if (!dev->children || !dev->ports)
    {
      grub_free (dev->children);
@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d

  /* Query the number of ports the root Hub has.  */
  hub->nports = controller->dev->hubports (controller);
-  hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
-  hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
+  hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
+  hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
  if (!hub->devices || !hub->ports)
    {
      grub_free (hub->devices);
@ -328,7 +328,7 @@ grub_usb_controller_dev_register (grub_usb_controller_dev_t usb)

 		speed = hub->controller->dev->detect_dev (hub->controller, portno,
 							  &changed);
-      
+
 		if (hub->ports[portno].state == PORT_STATE_NORMAL
 		    && speed != GRUB_USB_SPEED_NONE)
 		  {
@ -422,7 +422,7 @@ wait_power_nonroot_hub (grub_usb_device_t dev)
  grub_usb_err_t err;
  int continue_waiting = 0;
  unsigned i;
-  
+
  for (i = 1; i <= dev->nports; i++)
    if (dev->ports[i - 1].state == PORT_STATE_WAITING_FOR_STABLE_POWER)
      {
@ -564,7 +564,7 @@ poll_nonroot_hub (grub_usb_device_t dev)

 	  detach_device (dev->children[i - 1]);
 	  dev->children[i - 1] = NULL;
-      	    
+
 	  /* Connected and status of connection changed ? */
 	  if (status & GRUB_USB_HUB_STATUS_PORT_CONNECTED)
 	    {
@ -642,7 +642,7 @@ poll_nonroot_hub (grub_usb_device_t dev)
 		    split_hubport = dev->split_hubport;
 		    split_hubaddr = dev->split_hubaddr;
 		  }
-		
+
 	      /* Add the device and assign a device address to it.  */
 	      next_dev = grub_usb_hub_add_dev (&dev->controller, speed,
 					       split_hubport, split_hubaddr);
@ -707,12 +707,12 @@ grub_usb_poll_devices (int wait_for_completion)
  while (1)
    {
      rescan = 0;
-      
+
      /* We should check changes of non-root hubs too. */
      for (i = 0; i < GRUB_USBHUB_MAX_DEVICES; i++)
 	{
 	  grub_usb_device_t dev = grub_usb_devs[i];
-	  
+
 	  if (dev && dev->descdev.class == 0x09)
 	    poll_nonroot_hub (dev);
 	}
@ -723,7 +723,7 @@ grub_usb_poll_devices (int wait_for_completion)
 	  for (i = 0; i < GRUB_USBHUB_MAX_DEVICES; i++)
 	    {
 	      grub_usb_device_t dev = grub_usb_devs[i];
-	    
+
 	      if (dev && dev->descdev.class == 0x09)
 		continue_waiting = continue_waiting || wait_power_nonroot_hub (dev);
 	    }
--- a/grub-core/bus/usb/usbtrans.c
+++ b/grub-core/bus/usb/usbtrans.c
@ -40,7 +40,7 @@ grub_usb_bulk_maxpacket (grub_usb_device_t dev,


 static grub_usb_err_t
-grub_usb_execute_and_wait_transfer (grub_usb_device_t dev, 
+grub_usb_execute_and_wait_transfer (grub_usb_device_t dev,
 				    grub_usb_transfer_t transfer,
 				    int timeout, grub_size_t *actual)
 {
@ -205,7 +205,7 @@ grub_usb_control_msg (grub_usb_device_t dev,
  grub_dprintf ("usb", "control: err=%d\n", err);

  grub_free (transfer->transactions);
-  
+
  grub_free (transfer);
  grub_dma_free (setupdata_chunk);

--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@ -27,6 +27,7 @@
 #include <grub/mm.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 #ifdef GRUB_MACHINE_EFI
 #include <grub/efi/efi.h>
@ -37,6 +38,20 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+enum
+  {
+    OPTION_EXCLUDE = 0,
+    OPTION_LOAD_ONLY,
+    OPTION_V1,
+    OPTION_V2,
+    OPTION_OEMID,
+    OPTION_OEMTABLE,
+    OPTION_OEMTABLEREV,
+    OPTION_OEMTABLECREATOR,
+    OPTION_OEMTABLECREATORREV,
+    OPTION_NO_EBDA
+  };
+
 static const struct grub_arg_option options[] = {
  {"exclude", 'x', 0,
   N_("Don't load host tables specified by comma-separated list."),
@ -167,7 +182,7 @@ grub_acpi_create_ebda (void)
  struct grub_acpi_rsdp_v10 *v1;
  struct grub_acpi_rsdp_v20 *v2;

-  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *)0x40e)) << 4);
+  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *) grub_absolute_pointer (0x40e))) << 4);
  grub_dprintf ("acpi", "EBDA @%p\n", ebda);
  if (ebda)
    ebda_kb_len = *(grub_uint16_t *) ebda;
@ -297,7 +312,7 @@ grub_acpi_create_ebda (void)
      *target = 0;

  grub_dprintf ("acpi", "Switching EBDA\n");
-  (*((grub_uint16_t *) 0x40e)) = ((grub_addr_t) targetebda) >> 4;
+  (*((grub_uint16_t *) grub_absolute_pointer (0x40e))) = ((grub_addr_t) targetebda) >> 4;
  grub_dprintf ("acpi", "EBDA switched\n");

  return GRUB_ERR_NONE;
@ -489,21 +504,21 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)

  if (rsdp)
    {
-      grub_uint32_t *entry_ptr;
+      grub_uint8_t *entry_ptr;
      char *exclude = 0;
      char *load_only = 0;
      char *ptr;
-      /* RSDT consists of header and an array of 32-bit pointers. */
-      struct grub_acpi_table_header *rsdt;
+      grub_size_t tbl_addr_size;
+      struct grub_acpi_table_header *table_head;

-      exclude = state[0].set ? grub_strdup (state[0].arg) : 0;
+      exclude = state[OPTION_EXCLUDE].set ? grub_strdup (state[OPTION_EXCLUDE].arg) : 0;
      if (exclude)
 	{
 	  for (ptr = exclude; *ptr; ptr++)
 	    *ptr = grub_tolower (*ptr);
 	}

-      load_only = state[1].set ? grub_strdup (state[1].arg) : 0;
+      load_only = state[OPTION_LOAD_ONLY].set ? grub_strdup (state[OPTION_LOAD_ONLY].arg) : 0;
      if (load_only)
 	{
 	  for (ptr = load_only; *ptr; ptr++)
@ -513,17 +528,32 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
      /* Set revision variables to replicate the same version as host. */
      rev1 = ! rsdp->revision;
      rev2 = rsdp->revision;
-      rsdt = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
+      if (rev2 && ((struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr) != NULL)
+	{
+	  /* XSDT consists of header and an array of 64-bit pointers. */
+	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr;
+	  tbl_addr_size = sizeof (((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr);
+	}
+      else
+	{
+	  /* RSDT consists of header and an array of 32-bit pointers. */
+	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
+	  tbl_addr_size = sizeof (rsdp->rsdt_addr);
+	}
+
      /* Load host tables. */
-      for (entry_ptr = (grub_uint32_t *) (rsdt + 1);
-	   entry_ptr < (grub_uint32_t *) (((grub_uint8_t *) rsdt)
-					  + rsdt->length);
-	   entry_ptr++)
+      for (entry_ptr = (grub_uint8_t *) (table_head + 1);
+	   entry_ptr < (grub_uint8_t *) (((grub_uint8_t *) table_head) + table_head->length);
+	   entry_ptr += tbl_addr_size)
 	{
 	  char signature[5];
 	  struct efiemu_acpi_table *table;
-	  struct grub_acpi_table_header *curtable
-	    = (struct grub_acpi_table_header *) (grub_addr_t) *entry_ptr;
+	  struct grub_acpi_table_header *curtable;
+	  if (tbl_addr_size == sizeof (rsdp->rsdt_addr))
+	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint32_t *) entry_ptr);
+	  else
+	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint64_t *) entry_ptr);
+
 	  signature[4] = 0;
 	  for (i = 0; i < 4;i++)
 	    signature[i] = grub_tolower (curtable->signature[i]);
@ -607,26 +637,26 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
    }

  /* Does user specify versions to generate? */
-  if (state[2].set || state[3].set)
+  if (state[OPTION_V1].set || state[OPTION_V2].set)
    {
-      rev1 = state[2].set;
-      if (state[3].set)
+      rev1 = state[OPTION_V1].set;
+      if (state[OPTION_V2].set)
 	rev2 = rev2 ? : 2;
      else
 	rev2 = 0;
    }

  /* Does user override root header information? */
-  if (state[4].set)
-    grub_strncpy (root_oemid, state[4].arg, sizeof (root_oemid));
-  if (state[5].set)
-    grub_strncpy (root_oemtable, state[5].arg, sizeof (root_oemtable));
-  if (state[6].set)
-    root_oemrev = grub_strtoul (state[6].arg, 0, 0);
-  if (state[7].set)
-    grub_strncpy (root_creator_id, state[7].arg, sizeof (root_creator_id));
-  if (state[8].set)
-    root_creator_rev = grub_strtoul (state[8].arg, 0, 0);
+  if (state[OPTION_OEMID].set)
+    grub_strncpy (root_oemid, state[OPTION_OEMID].arg, sizeof (root_oemid));
+  if (state[OPTION_OEMTABLE].set)
+    grub_strncpy (root_oemtable, state[OPTION_OEMTABLE].arg, sizeof (root_oemtable));
+  if (state[OPTION_OEMTABLEREV].set)
+    root_oemrev = grub_strtoul (state[OPTION_OEMTABLEREV].arg, 0, 0);
+  if (state[OPTION_OEMTABLECREATOR].set)
+    grub_strncpy (root_creator_id, state[OPTION_OEMTABLECREATOR].arg, sizeof (root_creator_id));
+  if (state[OPTION_OEMTABLECREATORREV].set)
+    root_creator_rev = grub_strtoul (state[OPTION_OEMTABLECREATORREV].arg, 0, 0);

  /* Load user tables */
  for (i = 0; i < argc; i++)
@ -742,7 +772,7 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
  acpi_tables = 0;

 #if defined (__i386__) || defined (__x86_64__)
-  if (! state[9].set)
+  if (! state[OPTION_NO_EBDA].set)
    {
      grub_err_t err;
      err = grub_acpi_create_ebda ();
@ -758,13 +788,13 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)

 #ifdef GRUB_MACHINE_EFI
  {
-    struct grub_efi_guid acpi = GRUB_EFI_ACPI_TABLE_GUID;
-    struct grub_efi_guid acpi20 = GRUB_EFI_ACPI_20_TABLE_GUID;
+    static grub_guid_t acpi = GRUB_EFI_ACPI_TABLE_GUID;
+    static grub_guid_t acpi20 = GRUB_EFI_ACPI_20_TABLE_GUID;

-    efi_call_2 (grub_efi_system_table->boot_services->install_configuration_table,
-      &acpi20, grub_acpi_get_rsdpv2 ());
-    efi_call_2 (grub_efi_system_table->boot_services->install_configuration_table,
-      &acpi, grub_acpi_get_rsdpv1 ());
+    grub_efi_system_table->boot_services->install_configuration_table (&acpi20,
+								       grub_acpi_get_rsdpv2 ());
+    grub_efi_system_table->boot_services->install_configuration_table (&acpi,
+								       grub_acpi_get_rsdpv1 ());
  }
 #endif

@ -775,13 +805,13 @@ static grub_extcmd_t cmd;

 GRUB_MOD_INIT(acpi)
 {
-  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
-			      N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
-			      "--load-only=TABLE1,TABLE2] FILE1"
-			      " [FILE2] [...]"),
-			      N_("Load host ACPI tables and tables "
-			      "specified by arguments."),
-			      options);
+  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
+                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+                                          "--load-only=TABLE1,TABLE2] FILE1"
+                                          " [FILE2] [...]"),
+                                       N_("Load host ACPI tables and tables "
+                                          "specified by arguments."),
+                                       options);
 }

 GRUB_MOD_FINI(acpi)
--- a/grub-core/commands/acpihalt.c
+++ b/grub-core/commands/acpihalt.c
@ -78,7 +78,7 @@ static inline grub_uint32_t
 skip_name_string (const grub_uint8_t *ptr, const grub_uint8_t *end)
 {
  const grub_uint8_t *ptr0 = ptr;
-  
+
  while (ptr < end && (*ptr == '^' || *ptr == '\\'))
    ptr++;
  switch (*ptr)
@ -231,7 +231,7 @@ get_sleep_type (grub_uint8_t *table, grub_uint8_t *ptr, grub_uint8_t *end,
 		grub_uint8_t *scope, int scope_len)
 {
  grub_uint8_t *prev = table;
-  
+
  if (!ptr)
    ptr = table + sizeof (struct grub_acpi_table_header);
  while (ptr < end && prev < ptr)
@ -337,7 +337,7 @@ get_sleep_type (grub_uint8_t *table, grub_uint8_t *ptr, grub_uint8_t *end,
 	  }
 	default:
 	  grub_printf ("Unknown opcode 0x%x\n", *ptr);
-	  return -1;	  
+	  return -1;
 	}
    }

--- a/grub-core/commands/bli.c
+++ b/grub-core/commands/bli.c
@ -0,0 +1,138 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2023  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  Implementation of the Boot Loader Interface.
+ */
+
+#include <grub/charset.h>
+#include <grub/efi/api.h>
+#include <grub/efi/disk.h>
+#include <grub/efi/efi.h>
+#include <grub/err.h>
+#include <grub/extcmd.h>
+#include <grub/gpt_partition.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/partition.h>
+#include <grub/types.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define MODNAME "bli"
+
+static const grub_guid_t bli_vendor_guid = GRUB_EFI_VENDOR_BOOT_LOADER_INTERFACE_GUID;
+
+static grub_err_t
+get_part_uuid (const char *device_name, char **part_uuid)
+{
+  grub_device_t device;
+  grub_err_t status = GRUB_ERR_NONE;
+  grub_disk_t disk = NULL;
+  struct grub_gpt_partentry entry;
+
+  device = grub_device_open (device_name);
+  if (device == NULL)
+    return grub_error (grub_errno, N_("cannot open device: %s"), device_name);
+
+  if (device->disk == NULL)
+    {
+      grub_dprintf ("bli", "%s is not a disk device, partuuid skipped\n", device_name);
+      *part_uuid = NULL;
+      grub_device_close (device);
+      return GRUB_ERR_NONE;
+    }
+
+  if (device->disk->partition == NULL)
+    {
+      grub_dprintf ("bli", "%s has no partition, partuuid skipped\n", device_name);
+      *part_uuid = NULL;
+      grub_device_close (device);
+      return GRUB_ERR_NONE;
+    }
+
+  disk = grub_disk_open (device->disk->name);
+  if (disk == NULL)
+    {
+      status = grub_error (grub_errno, N_("cannot open disk: %s"), device_name);
+      grub_device_close (device);
+      return status;
+    }
+
+  if (grub_strcmp (device->disk->partition->partmap->name, "gpt") != 0)
+    {
+      status = grub_error (GRUB_ERR_BAD_PART_TABLE,
+			   N_("this is not a GPT partition table: %s"), device_name);
+      goto fail;
+    }
+
+  if (grub_disk_read (disk, device->disk->partition->offset,
+		      device->disk->partition->index, sizeof (entry), &entry) != GRUB_ERR_NONE)
+    {
+      status = grub_error (grub_errno, N_("read error: %s"), device_name);
+      goto fail;
+    }
+
+  *part_uuid = grub_xasprintf ("%pG", &entry.guid);
+  if (*part_uuid == NULL)
+    status = grub_errno;
+
+ fail:
+  grub_disk_close (disk);
+  grub_device_close (device);
+
+  return status;
+}
+
+static grub_err_t
+set_loader_device_part_uuid (void)
+{
+  grub_efi_loaded_image_t *image;
+  char *device_name;
+  grub_err_t status = GRUB_ERR_NONE;
+  char *part_uuid = NULL;
+
+  image = grub_efi_get_loaded_image (grub_efi_image_handle);
+  if (image == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("unable to find boot device"));
+
+  device_name = grub_efidisk_get_device_name (image->device_handle);
+  if (device_name == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("unable to find boot device"));
+
+  status = get_part_uuid (device_name, &part_uuid);
+
+  if (status == GRUB_ERR_NONE && part_uuid)
+    status = grub_efi_set_variable_to_string ("LoaderDevicePartUUID", &bli_vendor_guid, part_uuid,
+					      GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+					      GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
+  else
+    grub_error (status, N_("unable to determine partition UUID of boot device"));
+
+  grub_free (part_uuid);
+  grub_free (device_name);
+  return status;
+}
+
+GRUB_MOD_INIT (bli)
+{
+  grub_efi_set_variable_to_string ("LoaderInfo", &bli_vendor_guid, PACKAGE_STRING,
+				   GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				   GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
+  set_loader_device_part_uuid ();
+  /* No error here is critical, other than being logged */
+  grub_print_error ();
+}
--- a/grub-core/commands/blocklist.c
+++ b/grub-core/commands/blocklist.c
@ -53,9 +53,9 @@ print_blocklist (grub_disk_addr_t sector, unsigned num,
 }

 /* Helper for grub_cmd_blocklist.  */
-static void
+static grub_err_t
 read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
-		void *data)
+		char *buf __attribute__ ((unused)), void *data)
 {
  struct blocklist_ctx *ctx = data;

@ -70,7 +70,7 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
 	}

      if (!length)
-	return;
+	return GRUB_ERR_NONE;
      print_blocklist (ctx->start_sector, ctx->num_sectors, 0, 0, ctx);
      ctx->num_sectors = 0;
    }
@ -87,7 +87,7 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
    }

  if (!length)
-    return;
+    return GRUB_ERR_NONE;

  if (length & (GRUB_DISK_SECTOR_SIZE - 1))
    {
@ -103,6 +103,8 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
      ctx->start_sector = sector;
      ctx->num_sectors = length >> GRUB_DISK_SECTOR_BITS;
    }
+
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/boot.c
+++ b/grub-core/commands/boot.c
@ -27,10 +27,20 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static grub_err_t (*grub_loader_boot_func) (void);
-static grub_err_t (*grub_loader_unload_func) (void);
+static grub_err_t (*grub_loader_boot_func) (void *context);
+static grub_err_t (*grub_loader_unload_func) (void *context);
+static void *grub_loader_context;
 static int grub_loader_flags;

+struct grub_simple_loader_hooks
+{
+  grub_err_t (*boot) (void);
+  grub_err_t (*unload) (void);
+};
+
+/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
+static struct grub_simple_loader_hooks simple_loader_hooks;
+
 struct grub_preboot
 {
  grub_err_t (*preboot_func) (int);
@ -44,6 +54,29 @@ static int grub_loader_loaded;
 static struct grub_preboot *preboots_head = 0,
  *preboots_tail = 0;

+static grub_err_t
+grub_simple_boot_hook (void *context)
+{
+  struct grub_simple_loader_hooks *hooks;
+
+  hooks = (struct grub_simple_loader_hooks *) context;
+  return hooks->boot ();
+}
+
+static grub_err_t
+grub_simple_unload_hook (void *context)
+{
+  struct grub_simple_loader_hooks *hooks;
+  grub_err_t ret;
+
+  hooks = (struct grub_simple_loader_hooks *) context;
+
+  ret = hooks->unload ();
+  grub_memset (hooks, 0, sizeof (*hooks));
+
+  return ret;
+}
+
 int
 grub_loader_is_loaded (void)
 {
@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
 }

 void
-grub_loader_set (grub_err_t (*boot) (void),
-		 grub_err_t (*unload) (void),
-		 int flags)
+grub_loader_set_ex (grub_err_t (*boot) (void *context),
+		    grub_err_t (*unload) (void *context),
+		    void *context,
+		    int flags)
 {
  if (grub_loader_loaded && grub_loader_unload_func)
-    grub_loader_unload_func ();
+    grub_loader_unload_func (grub_loader_context);

  grub_loader_boot_func = boot;
  grub_loader_unload_func = unload;
+  grub_loader_context = context;
  grub_loader_flags = flags;

  grub_loader_loaded = 1;
 }

+void
+grub_loader_set (grub_err_t (*boot) (void),
+		 grub_err_t (*unload) (void),
+		 int flags)
+{
+  grub_loader_set_ex (grub_simple_boot_hook,
+		      grub_simple_unload_hook,
+		      &simple_loader_hooks,
+		      flags);
+
+  simple_loader_hooks.boot = boot;
+  simple_loader_hooks.unload = unload;
+}
+
 void
 grub_loader_unset(void)
 {
  if (grub_loader_loaded && grub_loader_unload_func)
-    grub_loader_unload_func ();
+    grub_loader_unload_func (grub_loader_context);

  grub_loader_boot_func = 0;
  grub_loader_unload_func = 0;
+  grub_loader_context = 0;

  grub_loader_loaded = 0;
 }
@ -158,7 +208,7 @@ grub_loader_boot (void)
 	  return err;
 	}
    }
-  err = (grub_loader_boot_func) ();
+  err = (grub_loader_boot_func) (grub_loader_context);

  for (cur = preboots_tail; cur; cur = cur->prev)
    if (! err)
--- a/grub-core/commands/boottime.c
+++ b/grub-core/commands/boottime.c
@ -43,7 +43,7 @@ grub_cmd_boottime (struct grub_command *cmd __attribute__ ((unused)),
      grub_uint32_t tmrel = cur->tp - last_time;
      last_time = cur->tp;

-      grub_printf ("%3d.%03ds %2d.%03ds %s:%d %s\n", 
+      grub_printf ("%3d.%03ds %2d.%03ds %s:%d %s\n",
 		   tmabs / 1000, tmabs % 1000, tmrel / 1000, tmrel % 1000, cur->file, cur->line,
 		   cur->msg);
    }
--- a/grub-core/commands/cacheinfo.c
+++ b/grub-core/commands/cacheinfo.c
@ -42,7 +42,7 @@ grub_rescue_cmd_info (struct grub_command *cmd __attribute__ ((unused)),
 		    hits, misses);
    }
  else
-    grub_printf ("%s\n", _("No disk cache statistics available\n"));    
+    grub_printf ("%s\n", _("No disk cache statistics available\n"));

 return 0;
 }
--- a/grub-core/commands/cat.c
+++ b/grub-core/commands/cat.c
@ -104,7 +104,7 @@ grub_cmd_cat (grub_extcmd_context_t ctxt, int argc, char **args)
 	       || grub_isspace (code)) && code != '\r')
 	    {
 	      grub_printf ("%C", code);
-	      count = 0; 
+	      count = 0;
 	      code = 0;
 	      utcount = 0;
 	      continue;
@ -113,7 +113,7 @@ grub_cmd_cat (grub_extcmd_context_t ctxt, int argc, char **args)
 	  if (dos && code == '\r')
 	    {
 	      is_0d = 1;
-	      count = 0; 
+	      count = 0;
 	      code = 0;
 	      utcount = 0;
 	      continue;
@ -123,7 +123,7 @@ grub_cmd_cat (grub_extcmd_context_t ctxt, int argc, char **args)
 	  for (j = 0; j < utcount; j++)
 	    grub_printf ("<%x>", (unsigned int) utbuf[j]);
 	  grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
-	  count = 0; 
+	  count = 0;
 	  code = 0;
 	  utcount = 0;
 	}
--- a/grub-core/commands/cmp.c
+++ b/grub-core/commands/cmp.c
@ -22,14 +22,21 @@
 #include <grub/file.h>
 #include <grub/mm.h>
 #include <grub/command.h>
+#include <grub/extcmd.h>
 #include <grub/i18n.h>

 GRUB_MOD_LICENSE ("GPLv3+");

 #define BUFFER_SIZE 512

+static const struct grub_arg_option options[] =
+  {
+    {0, 'v', 0, N_("Enable verbose output"), 0, 0},
+    {0, 0, 0, 0, 0, 0}
+  };
+
 static grub_err_t
-grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
+grub_cmd_cmp (grub_extcmd_context_t ctxt,
 	      int argc, char **args)
 {
  grub_ssize_t rd1, rd2;
@ -38,19 +45,20 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
  grub_file_t file2 = 0;
  char *buf1 = 0;
  char *buf2 = 0;
+  grub_err_t err = GRUB_ERR_TEST_FAILURE;

  if (argc != 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));

-  grub_printf_ (N_("Compare file `%s' with `%s':\n"), args[0],
-		args[1]);
+  if (ctxt->state[0].set)
+    grub_printf_ (N_("Compare file `%s' with `%s':\n"), args[0], args[1]);

  file1 = grub_file_open (args[0], GRUB_FILE_TYPE_CMP);
  file2 = grub_file_open (args[1], GRUB_FILE_TYPE_CMP);
  if (! file1 || ! file2)
    goto cleanup;

-  if (grub_file_size (file1) != grub_file_size (file2))
+  if (ctxt->state[0].set && (grub_file_size (file1) != grub_file_size (file2)))
    grub_printf_ (N_("Files differ in size: %llu [%s], %llu [%s]\n"),
 		  (unsigned long long) grub_file_size (file1), args[0],
 		  (unsigned long long) grub_file_size (file2), args[1]);
@ -78,9 +86,10 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
 	    {
 	      if (buf1[i] != buf2[i])
 		{
-		  grub_printf_ (N_("Files differ at the offset %llu: 0x%x [%s], 0x%x [%s]\n"),
-				(unsigned long long) (i + pos), buf1[i],
-				args[0], buf2[i], args[1]);
+		  if (ctxt->state[0].set)
+		    grub_printf_ (N_("Files differ at the offset %llu: 0x%x [%s], 0x%x [%s]\n"),
+				  (unsigned long long) (i + pos), buf1[i],
+				  args[0], buf2[i], args[1]);
 		  goto cleanup;
 		}
 	    }
@ -90,7 +99,9 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
      while (rd2);

      /* TRANSLATORS: it's always exactly 2 files.  */
-      grub_printf_ (N_("The files are identical.\n"));
+      if (ctxt->state[0].set)
+        grub_printf_ (N_("The files are identical.\n"));
+      err = GRUB_ERR_NONE;
    }

 cleanup:
@ -102,18 +113,19 @@ cleanup:
  if (file2)
    grub_file_close (file2);

-  return grub_errno;
+  return err;
 }

-static grub_command_t cmd;
+static grub_extcmd_t cmd;

 GRUB_MOD_INIT(cmp)
 {
-  cmd = grub_register_command ("cmp", grub_cmd_cmp,
-			       N_("FILE1 FILE2"), N_("Compare two files."));
+  cmd = grub_register_extcmd ("cmp", grub_cmd_cmp, 0,
+			      N_("FILE1 FILE2"), N_("Compare two files."),
+			      options);
 }

 GRUB_MOD_FINI(cmp)
 {
-  grub_unregister_command (cmd);
+  grub_unregister_extcmd (cmd);
 }
--- a/grub-core/commands/date.c
+++ b/grub-core/commands/date.c
@ -59,7 +59,8 @@ grub_cmd_date (grub_command_t cmd __attribute__ ((unused)),

  for (; argc; argc--, args++)
    {
-      char *p, c;
+      const char *p;
+      char c;
      int m1, ofs, n, cur_mask;

      p = args[0];
--- a/grub-core/commands/echo.c
+++ b/grub-core/commands/echo.c
@ -119,7 +119,7 @@ grub_cmd_echo (grub_extcmd_context_t ctxt, int argc, char **args)
  if (newline)
    grub_printf ("\n");

-  grub_refresh ();  
+  grub_refresh ();

  return 0;
 }
--- a/grub-core/commands/efi/efifwsetup.c
+++ b/grub-core/commands/efi/efifwsetup.c
@ -27,6 +27,8 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+static grub_efi_boolean_t efifwsetup_is_supported (void);
+
 static grub_err_t
 grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
 		  int argc __attribute__ ((unused)),
@ -36,14 +38,23 @@ grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
  grub_efi_uint64_t os_indications = GRUB_EFI_OS_INDICATIONS_BOOT_TO_FW_UI;
  grub_err_t status;
  grub_size_t oi_size;
-  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  static grub_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;

-  old_os_indications = grub_efi_get_variable ("OsIndications", &global,
-					      &oi_size);
+  if (argc >= 1 && grub_strcmp(args[0], "--is-supported") == 0)
+    return !efifwsetup_is_supported ();
+
+  if (!efifwsetup_is_supported ())
+	  return grub_error (GRUB_ERR_INVALID_COMMAND,
+			     N_("reboot to firmware setup is not supported by the current firmware"));
+
+  grub_efi_get_variable ("OsIndications", &global, &oi_size,
+			 (void **) &old_os_indications);

  if (old_os_indications != NULL && oi_size == sizeof (os_indications))
    os_indications |= *old_os_indications;

+  grub_free (old_os_indications);
+
  status = grub_efi_set_variable ("OsIndications", &global, &os_indications,
 				  sizeof (os_indications));
  if (status != GRUB_ERR_NONE)
@ -61,26 +72,27 @@ efifwsetup_is_supported (void)
 {
  grub_efi_uint64_t *os_indications_supported = NULL;
  grub_size_t oi_size = 0;
-  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  static grub_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  grub_efi_boolean_t ret = 0;

-  os_indications_supported = grub_efi_get_variable ("OsIndicationsSupported",
-						    &global, &oi_size);
+  grub_efi_get_variable ("OsIndicationsSupported", &global, &oi_size,
+			 (void **) &os_indications_supported);

  if (!os_indications_supported)
-    return 0;
+    goto done;

  if (*os_indications_supported & GRUB_EFI_OS_INDICATIONS_BOOT_TO_FW_UI)
-    return 1;
+    ret = 1;

-  return 0;
+ done:
+  grub_free (os_indications_supported);
+  return ret;
 }

 GRUB_MOD_INIT (efifwsetup)
 {
-  if (efifwsetup_is_supported ())
-    cmd = grub_register_command ("fwsetup", grub_cmd_fwsetup, NULL,
-				 N_("Reboot into firmware setup menu."));
-
+  cmd = grub_register_command ("fwsetup", grub_cmd_fwsetup, NULL,
+                               N_("Reboot into firmware setup menu."));
 }

 GRUB_MOD_FINI (efifwsetup)
--- a/grub-core/commands/efi/efitextmode.c
+++ b/grub-core/commands/efi/efitextmode.c
@ -0,0 +1,153 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  Set/Get UEFI text output mode resolution.
+ */
+
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/command.h>
+#include <grub/i18n.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/api.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static grub_err_t
+grub_efi_set_mode (grub_efi_simple_text_output_interface_t *o,
+		   grub_efi_int32_t mode)
+{
+  grub_efi_status_t status;
+
+  if (mode != o->mode->mode)
+    {
+      status = o->set_mode (o, mode);
+      if (status == GRUB_EFI_SUCCESS)
+	;
+      else if (status == GRUB_EFI_DEVICE_ERROR)
+	return grub_error (GRUB_ERR_BAD_DEVICE,
+			   N_("device error: could not set requested mode"));
+      else if (status == GRUB_EFI_UNSUPPORTED)
+	return grub_error (GRUB_ERR_OUT_OF_RANGE,
+			   N_("invalid mode: number not valid"));
+      else
+	return grub_error (GRUB_ERR_BAD_FIRMWARE,
+			   N_("unexpected EFI error number: `%u'"),
+			   (unsigned) status);
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_cmd_efitextmode (grub_command_t cmd __attribute__ ((unused)),
+		      int argc, char **args)
+{
+  grub_efi_simple_text_output_interface_t *o = grub_efi_system_table->con_out;
+  unsigned long mode;
+  const char *p = NULL;
+  grub_err_t err;
+  grub_efi_uintn_t columns, rows;
+  grub_efi_int32_t i;
+
+  if (o == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("no UEFI output console interface"));
+
+  if (o->mode == NULL)
+    return grub_error (GRUB_ERR_BUG, N_("no mode struct for UEFI output console"));
+
+  if (argc > 2)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("at most two arguments expected"));
+
+  if (argc == 0)
+    {
+      grub_printf_ (N_("Available modes for console output device.\n"));
+
+      for (i = 0; i < o->mode->max_mode; i++)
+	if (GRUB_EFI_SUCCESS == o->query_mode (o, i, &columns, &rows))
+	  grub_printf_ (N_(" [%" PRIuGRUB_EFI_UINT32_T "]  Col %5"
+			   PRIuGRUB_EFI_UINTN_T " Row %5" PRIuGRUB_EFI_UINTN_T
+			   " %c\n"),
+			i, columns, rows, (i == o->mode->mode) ? '*' : ' ');
+    }
+  else if (argc == 1)
+    {
+      if (grub_strcmp (args[0], "min") == 0)
+	mode = 0;
+      else if (grub_strcmp (args[0], "max") == 0)
+	mode = o->mode->max_mode - 1;
+      else
+	{
+	  mode = grub_strtoul (args[0], &p, 0);
+
+	  if (*args[0] == '\0' || *p != '\0')
+	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			       N_("non-numeric or invalid mode `%s'"), args[0]);
+	}
+
+      if (mode < (unsigned long) o->mode->max_mode)
+	{
+	  err = grub_efi_set_mode (o, (grub_efi_int32_t) mode);
+	  if (err != GRUB_ERR_NONE)
+	    return err;
+	}
+      else
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("invalid mode: `%lu' is greater than maximum mode `%lu'"),
+			   mode, (unsigned long) o->mode->max_mode);
+    }
+  else if (argc == 2)
+    {
+      grub_efi_uintn_t u_columns, u_rows;
+
+      u_columns = (grub_efi_uintn_t) grub_strtoul (args[0], &p, 0);
+
+      if (*args[0] == '\0' || *p != '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("non-numeric or invalid columns number `%s'"), args[0]);
+
+      u_rows = (grub_efi_uintn_t) grub_strtoul (args[1], &p, 0);
+
+      if (*args[1] == '\0' || *p != '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("non-numeric or invalid rows number `%s'"), args[1]);
+
+      for (i = 0; i < o->mode->max_mode; i++)
+	if (GRUB_EFI_SUCCESS == o->query_mode (o, i, &columns, &rows))
+	  if (u_columns == columns && u_rows == rows)
+	    return grub_efi_set_mode (o, (grub_efi_int32_t) i);
+
+      return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			 N_("no mode found with requested columns and rows"));
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_command_t cmd;
+GRUB_MOD_INIT (efitextmode)
+{
+  cmd = grub_register_command ("efitextmode", grub_cmd_efitextmode,
+			       N_("[min | max | <mode_num> | <cols> <rows>]"),
+			       N_("Get or set EFI text mode."));
+}
+
+GRUB_MOD_FINI (efitextmode)
+{
+  grub_unregister_command (cmd);
+}
--- a/grub-core/commands/efi/loadbios.c
+++ b/grub-core/commands/efi/loadbios.c
@ -27,9 +27,9 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static grub_efi_guid_t acpi_guid = GRUB_EFI_ACPI_TABLE_GUID;
-static grub_efi_guid_t acpi2_guid = GRUB_EFI_ACPI_20_TABLE_GUID;
-static grub_efi_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;
+static grub_guid_t acpi_guid = GRUB_EFI_ACPI_TABLE_GUID;
+static grub_guid_t acpi2_guid = GRUB_EFI_ACPI_20_TABLE_GUID;
+static grub_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;

 #define EBDA_SEG_ADDR	0x40e
 #define LOW_MEM_ADDR	0x413
@ -46,7 +46,7 @@ enable_rom_area (void)
  grub_uint32_t *rom_ptr;
  grub_pci_device_t dev = { .bus = 0, .device = 0, .function = 0};

-  rom_ptr = (grub_uint32_t *) VBIOS_ADDR;
+  rom_ptr = grub_absolute_pointer (VBIOS_ADDR);
  if (*rom_ptr != BLANK_MEM)
    {
      grub_puts_ (N_("ROM image is present."));
@ -92,47 +92,29 @@ lock_rom_area (void)
 static void
 fake_bios_data (int use_rom)
 {
-  unsigned i;
  void *acpi, *smbios;
  grub_uint16_t *ebda_seg_ptr, *low_mem_ptr;

-  ebda_seg_ptr = (grub_uint16_t *) EBDA_SEG_ADDR;
-  low_mem_ptr = (grub_uint16_t *) LOW_MEM_ADDR;
+  ebda_seg_ptr = grub_absolute_pointer (EBDA_SEG_ADDR);
+  low_mem_ptr = grub_absolute_pointer (LOW_MEM_ADDR);
  if ((*ebda_seg_ptr) || (*low_mem_ptr))
    return;

-  acpi = 0;
-  smbios = 0;
-  for (i = 0; i < grub_efi_system_table->num_table_entries; i++)
-    {
-      grub_efi_packed_guid_t *guid =
-	&grub_efi_system_table->configuration_table[i].vendor_guid;
+  acpi = grub_efi_find_configuration_table (&acpi2_guid);
+  grub_dprintf ("efi", "ACPI2: %p\n", acpi);
+  if (!acpi) {
+    acpi = grub_efi_find_configuration_table (&acpi_guid);
+    grub_dprintf ("efi", "ACPI: %p\n", acpi);
+  }

-      if (! grub_memcmp (guid, &acpi2_guid, sizeof (grub_efi_guid_t)))
-	{
-	  acpi = grub_efi_system_table->configuration_table[i].vendor_table;
-	  grub_dprintf ("efi", "ACPI2: %p\n", acpi);
-	}
-      else if (! grub_memcmp (guid, &acpi_guid, sizeof (grub_efi_guid_t)))
-	{
-	  void *t;
-
-	  t = grub_efi_system_table->configuration_table[i].vendor_table;
-	  if (! acpi)
-	    acpi = t;
-	  grub_dprintf ("efi", "ACPI: %p\n", t);
-	}
-      else if (! grub_memcmp (guid, &smbios_guid, sizeof (grub_efi_guid_t)))
-	{
-	  smbios = grub_efi_system_table->configuration_table[i].vendor_table;
-	  grub_dprintf ("efi", "SMBIOS: %p\n", smbios);
-	}
-    }
+  smbios = grub_efi_find_configuration_table (&smbios_guid);
+  grub_dprintf ("efi", "SMBIOS: %p\n", smbios);

  *ebda_seg_ptr = FAKE_EBDA_SEG;
  *low_mem_ptr = (FAKE_EBDA_SEG >> 6);

-  *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr;
+  /* *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr; */
+  *((grub_uint16_t *) (grub_absolute_pointer (FAKE_EBDA_SEG << 4))) = 640 - *low_mem_ptr;

  if (acpi)
    grub_memcpy ((char *) ((FAKE_EBDA_SEG << 4) + 16), acpi, 1024 - 16);
@ -205,14 +187,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;

 GRUB_MOD_INIT(loadbios)
 {
-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
-					0, N_("Create BIOS-like structures for"
-					      " backward compatibility with"
-					      " existing OS."));
+  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
+						 0, N_("Create BIOS-like structures for"
+						       " backward compatibility with"
+						       " existing OS."));

-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
-					N_("BIOS_DUMP [INT10_DUMP]"),
-					N_("Load BIOS dump."));
+  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
+						 N_("BIOS_DUMP [INT10_DUMP]"),
+						 N_("Load BIOS dump."));
 }

 GRUB_MOD_FINI(loadbios)
--- a/grub-core/commands/efi/lsefi.c
+++ b/grub-core/commands/efi/lsefi.c
@ -29,11 +29,11 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-struct known_protocol
+static struct known_protocol
 {
-  grub_efi_guid_t guid;
+  grub_guid_t guid;
  const char *name;
-} known_protocols[] = 
+} known_protocols[] =
  {
    { GRUB_EFI_DISK_IO_GUID, "disk" },
    { GRUB_EFI_BLOCK_IO_GUID, "block" },
@ -55,6 +55,7 @@ struct known_protocol
    { GRUB_EFI_ABSOLUTE_POINTER_PROTOCOL_GUID, "absolute pointer" },
    { GRUB_EFI_DRIVER_BINDING_PROTOCOL_GUID, "EFI driver binding" },
    { GRUB_EFI_LOAD_FILE_PROTOCOL_GUID, "load file" },
+    { GRUB_EFI_LOAD_FILE2_PROTOCOL_GUID, "load file2" },
    { GRUB_EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID, "simple FS" },
    { GRUB_EFI_TAPE_IO_PROTOCOL_GUID, "tape I/O" },
    { GRUB_EFI_UNICODE_COLLATION_PROTOCOL_GUID, "unicode collation" },
@ -95,7 +96,7 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
      grub_efi_handle_t handle = handles[i];
      grub_efi_status_t status;
      grub_efi_uintn_t num_protocols;
-      grub_efi_packed_guid_t **protocols;
+      grub_packed_guid_t **protocols;
      grub_efi_device_path_t *dp;

      grub_printf ("Handle %p\n", handle);
@ -107,8 +108,9 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
 	  grub_efi_print_device_path (dp);
 	}

-      status = efi_call_3 (grub_efi_system_table->boot_services->protocols_per_handle,
-			   handle, &protocols, &num_protocols);
+      status = grub_efi_system_table->boot_services->protocols_per_handle (handle,
+									   &protocols,
+									   &num_protocols);
      if (status != GRUB_EFI_SUCCESS) {
 	grub_printf ("Unable to retrieve protocols\n");
 	continue;
@ -122,18 +124,7 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
 	  if (k < ARRAY_SIZE (known_protocols))
 	    grub_printf ("  %s\n", known_protocols[k].name);
 	  else
-	    grub_printf ("  %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x\n",
-			 protocols[j]->data1,
-			 protocols[j]->data2,
-			 protocols[j]->data3,
-			 (unsigned) protocols[j]->data4[0],
-			 (unsigned) protocols[j]->data4[1],
-			 (unsigned) protocols[j]->data4[2],
-			 (unsigned) protocols[j]->data4[3],
-			 (unsigned) protocols[j]->data4[4],
-			 (unsigned) protocols[j]->data4[5],
-			 (unsigned) protocols[j]->data4[6],
-			 (unsigned) protocols[j]->data4[7]);
+	    grub_printf ("  %pG\n", protocols[j]);
 	}

    }
--- a/grub-core/commands/efi/lsefimmap.c
+++ b/grub-core/commands/efi/lsefimmap.c
@ -59,9 +59,9 @@ grub_cmd_lsefimmap (grub_command_t cmd __attribute__ ((unused)),
    {
      grub_efi_uint64_t size;
      grub_efi_uint64_t attr;
-      static const char types_str[][9] = 
+      static const char types_str[][9] =
 	{
-	  "reserved", 
+	  "reserved",
 	  "ldr-code",
 	  "ldr-data",
 	  "BS-code ",
@ -81,7 +81,7 @@ grub_cmd_lsefimmap (grub_command_t cmd __attribute__ ((unused)),
 	grub_printf ("%s ", types_str[desc->type]);
      else
 	grub_printf ("Unk %02x   ", desc->type);
-      
+
      grub_printf (" %016" PRIxGRUB_UINT64_T "-%016" PRIxGRUB_UINT64_T
 		   " %08" PRIxGRUB_UINT64_T,
 		   desc->physical_start,
--- a/grub-core/commands/efi/lsefisystab.c
+++ b/grub-core/commands/efi/lsefisystab.c
@ -29,7 +29,7 @@ GRUB_MOD_LICENSE ("GPLv3+");

 struct guid_mapping
 {
-  grub_efi_guid_t guid;
+  grub_guid_t guid;
  const char *name;
 };

@ -37,17 +37,22 @@ static const struct guid_mapping guid_mappings[] =
  {
    { GRUB_EFI_ACPI_20_TABLE_GUID, "ACPI-2.0"},
    { GRUB_EFI_ACPI_TABLE_GUID, "ACPI-1.0"},
+    { GRUB_EFI_CONFORMANCE_PROFILES_TABLE_GUID, "CONFORMANCE PROFILES"},
    { GRUB_EFI_CRC32_GUIDED_SECTION_EXTRACTION_GUID,
      "CRC32 GUIDED SECTION EXTRACTION"},
    { GRUB_EFI_DEBUG_IMAGE_INFO_TABLE_GUID, "DEBUG IMAGE INFO"},
+    { GRUB_EFI_DEVICE_TREE_GUID, "DEVICE TREE"},
    { GRUB_EFI_DXE_SERVICES_TABLE_GUID, "DXE SERVICES"},
    { GRUB_EFI_HCDP_TABLE_GUID, "HCDP"},
    { GRUB_EFI_HOB_LIST_GUID, "HOB LIST"},
+    { GRUB_EFI_IMAGE_SECURITY_DATABASE_GUID, "IMAGE EXECUTION INFORMATION"},
    { GRUB_EFI_LZMA_CUSTOM_DECOMPRESS_GUID, "LZMA CUSTOM DECOMPRESS"},
    { GRUB_EFI_MEMORY_TYPE_INFORMATION_GUID, "MEMORY TYPE INFO"},
    { GRUB_EFI_MPS_TABLE_GUID, "MPS"},
+    { GRUB_EFI_RT_PROPERTIES_TABLE_GUID, "RT PROPERTIES"},
    { GRUB_EFI_SAL_TABLE_GUID, "SAL"},
    { GRUB_EFI_SMBIOS_TABLE_GUID, "SMBIOS"},
+    { GRUB_EFI_SMBIOS3_TABLE_GUID, "SMBIOS3"},
    { GRUB_EFI_SYSTEM_RESOURCE_TABLE_GUID, "SYSTEM RESOURCE TABLE"},
    { GRUB_EFI_TIANO_CUSTOM_DECOMPRESS_GUID, "TIANO CUSTOM DECOMPRESS"},
    { GRUB_EFI_TSC_FREQUENCY_GUID, "TSC FREQUENCY"},
@ -59,19 +64,26 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
 		      char **args __attribute__ ((unused)))
 {
  const grub_efi_system_table_t *st = grub_efi_system_table;
+  const grub_efi_uint32_t major_rev = st->hdr.revision >> 16;
+  const grub_efi_uint32_t minor_rev_upper = (st->hdr.revision & 0xffff) / 10;
+  const grub_efi_uint32_t minor_rev_lower = (st->hdr.revision & 0xffff) % 10;
  grub_efi_configuration_table_t *t;
  unsigned int i;

  grub_printf ("Address: %p\n", st);
-  grub_printf ("Signature: %016" PRIxGRUB_UINT64_T " revision: %08x\n",
-	       st->hdr.signature, st->hdr.revision);
+  grub_printf ("Signature: %016" PRIxGRUB_UINT64_T " revision: %u.%u",
+	       st->hdr.signature, major_rev, minor_rev_upper);
+  if (minor_rev_lower)
+     grub_printf (".%u", minor_rev_lower);
+  grub_printf ("\n");
  {
    char *vendor;
    grub_uint16_t *vendor_utf16;
    grub_printf ("Vendor: ");
-    
+
    for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
-    vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
+    /* Allocate extra 3 bytes to simplify math. */
+    vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
    if (!vendor)
      return grub_errno;
    *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,
@ -90,15 +102,11 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),

      grub_printf ("%p  ", t->vendor_table);

-      grub_printf ("%08x-%04x-%04x-",
-		   t->vendor_guid.data1, t->vendor_guid.data2,
-		   t->vendor_guid.data3);
-      for (j = 0; j < 8; j++)
-	grub_printf ("%02x", t->vendor_guid.data4[j]);
-      
+      grub_printf ("%pG", &t->vendor_guid);
+
      for (j = 0; j < ARRAY_SIZE (guid_mappings); j++)
 	if (grub_memcmp (&guid_mappings[j].guid, &t->vendor_guid,
-			 sizeof (grub_efi_guid_t)) == 0)
+			 sizeof (grub_guid_t)) == 0)
 	  grub_printf ("   %s", guid_mappings[j].name);

      grub_printf ("\n");
@ -111,7 +119,7 @@ static grub_command_t cmd;

 GRUB_MOD_INIT(lsefisystab)
 {
-  cmd = grub_register_command ("lsefisystab", grub_cmd_lsefisystab, 
+  cmd = grub_register_command ("lsefisystab", grub_cmd_lsefisystab,
 			       "", "Display EFI system tables.");
 }

--- a/grub-core/commands/efi/lssal.c
+++ b/grub-core/commands/efi/lssal.c
@ -136,22 +136,16 @@ grub_cmd_lssal (struct grub_command *cmd __attribute__ ((unused)),
 		int argc __attribute__ ((unused)),
 		char **args __attribute__ ((unused)))
 {
-  const grub_efi_system_table_t *st = grub_efi_system_table;
-  grub_efi_configuration_table_t *t = st->configuration_table;
-  unsigned int i;
-  grub_efi_packed_guid_t guid = GRUB_EFI_SAL_TABLE_GUID;
+  static grub_guid_t guid = GRUB_EFI_SAL_TABLE_GUID;
+  void *table = grub_efi_find_configuration_table (&guid);

-  for (i = 0; i < st->num_table_entries; i++)
+  if (table == NULL)
    {
-      if (grub_memcmp (&guid, &t->vendor_guid,
-		       sizeof (grub_efi_packed_guid_t)) == 0)
-	{
-	  disp_sal (t->vendor_table);
-	  return GRUB_ERR_NONE;
-	}
-      t++;
+      grub_printf ("SAL not found\n");
+      return GRUB_ERR_NONE;
    }
-  grub_printf ("SAL not found\n");
+
+  disp_sal (table);
  return GRUB_ERR_NONE;
 }

--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@ -1,142 +0,0 @@
-/*
- *  GRUB  --  GRand Unified Bootloader
- *  Copyright (C) 2017  Free Software Foundation, Inc.
- *
- *  GRUB is free software: you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation, either version 3 of the License, or
- *  (at your option) any later version.
- *
- *  GRUB is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
- *
- *  EFI shim lock verifier.
- */
-
-#include <grub/dl.h>
-#include <grub/efi/efi.h>
-#include <grub/err.h>
-#include <grub/file.h>
-#include <grub/misc.h>
-#include <grub/verify.h>
-
-GRUB_MOD_LICENSE ("GPLv3+");
-
-#define GRUB_EFI_SHIM_LOCK_GUID \
-  { 0x605dab50, 0xe046, 0x4300, \
-    { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
-  }
-
-struct grub_efi_shim_lock_protocol
-{
-  grub_efi_status_t
-  (*verify) (void *buffer, grub_uint32_t size);
-};
-typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
-
-static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
-static grub_efi_shim_lock_protocol_t *sl;
-
-/* List of modules which cannot be loaded if UEFI secure boot mode is enabled. */
-static const char * const disabled_mods[] = {"iorw", "memrw", "wrmsr", NULL};
-
-static grub_err_t
-shim_lock_init (grub_file_t io, enum grub_file_type type,
-		void **context __attribute__ ((unused)),
-		enum grub_verify_flags *flags)
-{
-  const char *b, *e;
-  int i;
-
-  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
-
-  if (!sl)
-    return GRUB_ERR_NONE;
-
-  switch (type & GRUB_FILE_TYPE_MASK)
-    {
-    case GRUB_FILE_TYPE_GRUB_MODULE:
-      /* Establish GRUB module name. */
-      b = grub_strrchr (io->name, '/');
-      e = grub_strrchr (io->name, '.');
-
-      b = b ? (b + 1) : io->name;
-      e = e ? e : io->name + grub_strlen (io->name);
-      e = (e > b) ? e : io->name + grub_strlen (io->name);
-
-      for (i = 0; disabled_mods[i]; i++)
-	if (!grub_strncmp (b, disabled_mods[i], grub_strlen (b) - grub_strlen (e)))
-	  {
-	    grub_error (GRUB_ERR_ACCESS_DENIED,
-			N_("module cannot be loaded in UEFI secure boot mode: %s"),
-			io->name);
-	    return GRUB_ERR_ACCESS_DENIED;
-	  }
-
-      /* Fall through. */
-
-    case GRUB_FILE_TYPE_ACPI_TABLE:
-    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
-
-      return GRUB_ERR_NONE;
-
-    case GRUB_FILE_TYPE_LINUX_KERNEL:
-    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
-    case GRUB_FILE_TYPE_BSD_KERNEL:
-    case GRUB_FILE_TYPE_XNU_KERNEL:
-    case GRUB_FILE_TYPE_PLAN9_KERNEL:
-      for (i = 0; disabled_mods[i]; i++)
-	if (grub_dl_get (disabled_mods[i]))
-	  {
-	    grub_error (GRUB_ERR_ACCESS_DENIED,
-			N_("cannot boot due to dangerous module in memory: %s"),
-			disabled_mods[i]);
-	    return GRUB_ERR_ACCESS_DENIED;
-	  }
-
-      *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
-
-      /* Fall through. */
-
-    default:
-      return GRUB_ERR_NONE;
-    }
-}
-
-static grub_err_t
-shim_lock_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
-{
-  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
-    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
-
-  return GRUB_ERR_NONE;
-}
-
-struct grub_file_verifier shim_lock =
-  {
-    .name = "shim_lock",
-    .init = shim_lock_init,
-    .write = shim_lock_write
-  };
-
-GRUB_MOD_INIT(shim_lock)
-{
-  sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
-  grub_verifier_register (&shim_lock);
-
-  if (!sl)
-    return;
-
-  grub_dl_set_persistent (mod);
-}
-
-GRUB_MOD_FINI(shim_lock)
-{
-  grub_verifier_unregister (&shim_lock);
-}
--- a/grub-core/commands/efi/smbios.c
+++ b/grub-core/commands/efi/smbios.c
@ -0,0 +1,37 @@
+/* smbios.c - get smbios tables. */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2019  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/smbios.h>
+#include <grub/efi/efi.h>
+
+struct grub_smbios_eps *
+grub_machine_smbios_get_eps (void)
+{
+  static grub_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;
+
+  return (struct grub_smbios_eps *) grub_efi_find_configuration_table (&smbios_guid);
+}
+
+struct grub_smbios_eps3 *
+grub_machine_smbios_get_eps3 (void)
+{
+  static grub_guid_t smbios3_guid = GRUB_EFI_SMBIOS3_TABLE_GUID;
+
+  return (struct grub_smbios_eps3 *) grub_efi_find_configuration_table (&smbios3_guid);
+}
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@ -22,6 +22,7 @@
 #include <grub/i18n.h>
 #include <grub/efi/api.h>
 #include <grub/efi/efi.h>
+#include <grub/efi/cc.h>
 #include <grub/efi/tpm.h>
 #include <grub/mm.h>
 #include <grub/tpm.h>
@ -29,8 +30,9 @@

 typedef TCG_PCR_EVENT grub_tpm_event_t;

-static grub_efi_guid_t tpm_guid = EFI_TPM_GUID;
-static grub_efi_guid_t tpm2_guid = EFI_TPM2_GUID;
+static grub_guid_t tpm_guid = EFI_TPM_GUID;
+static grub_guid_t tpm2_guid = EFI_TPM2_GUID;
+static grub_guid_t cc_measurement_guid = GRUB_EFI_CC_MEASUREMENT_PROTOCOL_GUID;

 static grub_efi_handle_t *grub_tpm_handle;
 static grub_uint8_t grub_tpm_version;
@ -51,14 +53,17 @@ grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)

  caps.Size = (grub_uint8_t) sizeof (caps);

-  status = efi_call_5 (tpm->status_check, tpm, &caps, &flags, &eventlog,
-		       &lastevent);
+  status = tpm->status_check (tpm, &caps, &flags, &eventlog, &lastevent);

  if (status != GRUB_EFI_SUCCESS || caps.TPMDeactivatedFlag
      || !caps.TPMPresentFlag)
-    return tpm1_present = 0;
+    tpm1_present = 0;
+  else
+    tpm1_present = 1;

-  return tpm1_present = 1;
+  grub_dprintf ("tpm", "tpm1%s present\n", tpm1_present ? "" : " NOT");
+
+  return (grub_efi_boolean_t) tpm1_present;
 }

 static grub_efi_boolean_t
@ -72,12 +77,16 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
  if (tpm2_present != -1)
    return (grub_efi_boolean_t) tpm2_present;

-  status = efi_call_2 (tpm->get_capability, tpm, &caps);
+  status = tpm->get_capability (tpm, &caps);

  if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
-    return tpm2_present = 0;
+    tpm2_present = 0;
+  else
+    tpm2_present = 1;

-  return tpm2_present = 1;
+  grub_dprintf ("tpm", "tpm2%s present\n", tpm2_present ? "" : " NOT");
+
+  return (grub_efi_boolean_t) tpm2_present;
 }

 static grub_efi_boolean_t
@ -102,6 +111,7 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
      *tpm_handle = handles[0];
      grub_tpm_version = 1;
      *protocol_version = 1;
+      grub_dprintf ("tpm", "TPM handle Found, version: 1\n");
      return 1;
    }

@ -113,6 +123,7 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
      *tpm_handle = handles[0];
      grub_tpm_version = 2;
      *protocol_version = 2;
+      grub_dprintf ("tpm", "TPM handle Found, version: 2\n");
      return 1;
    }

@ -120,102 +131,25 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
 }

 static grub_err_t
-grub_tpm1_execute (grub_efi_handle_t tpm_handle,
-                   PassThroughToTPM_InputParamBlock *inbuf,
-                   PassThroughToTPM_OutputParamBlock *outbuf)
+grub_efi_log_event_status (grub_efi_status_t status)
 {
-  grub_efi_status_t status;
-  grub_efi_tpm_protocol_t *tpm;
-  grub_uint32_t inhdrsize = sizeof (*inbuf) - sizeof (inbuf->TPMOperandIn);
-  grub_uint32_t outhdrsize =
-    sizeof (*outbuf) - sizeof (outbuf->TPMOperandOut);
-
-  tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
-				GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
-
-  if (!grub_tpm1_present (tpm))
-    return 0;
-
-  /* UEFI TPM protocol takes the raw operand block, no param block header. */
-  status = efi_call_5 (tpm->pass_through_to_tpm, tpm,
-		       inbuf->IPBLength - inhdrsize, inbuf->TPMOperandIn,
-		       outbuf->OPBLength - outhdrsize, outbuf->TPMOperandOut);
-
  switch (status)
    {
    case GRUB_EFI_SUCCESS:
-      return 0;
+      return GRUB_ERR_NONE;
    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
+      return grub_error (GRUB_ERR_IO, N_("command failed"));
    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
+      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid parameter"));
    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
+      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("output buffer too small"));
    case GRUB_EFI_NOT_FOUND:
      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
+      return grub_error (grub_is_tpm_fail_fatal () ? GRUB_ERR_UNKNOWN_DEVICE : GRUB_ERR_NONE, N_("unknown TPM error"));
    }
 }

-static grub_err_t
-grub_tpm2_execute (grub_efi_handle_t tpm_handle,
-                   PassThroughToTPM_InputParamBlock *inbuf,
-                   PassThroughToTPM_OutputParamBlock *outbuf)
-{
-  grub_efi_status_t status;
-  grub_efi_tpm2_protocol_t *tpm;
-  grub_uint32_t inhdrsize = sizeof (*inbuf) - sizeof (inbuf->TPMOperandIn);
-  grub_uint32_t outhdrsize =
-    sizeof (*outbuf) - sizeof (outbuf->TPMOperandOut);
-
-  tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
-				GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
-
-  if (!grub_tpm2_present (tpm))
-    return 0;
-
-  /* UEFI TPM protocol takes the raw operand block, no param block header. */
-  status = efi_call_5 (tpm->submit_command, tpm,
-		       inbuf->IPBLength - inhdrsize, inbuf->TPMOperandIn,
-		       outbuf->OPBLength - outhdrsize, outbuf->TPMOperandOut);
-
-  switch (status)
-    {
-    case GRUB_EFI_SUCCESS:
-      return 0;
-    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
-    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
-    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
-    case GRUB_EFI_NOT_FOUND:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
-    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
-    }
-}
-
-grub_err_t
-grub_tpm_execute (PassThroughToTPM_InputParamBlock *inbuf,
-		  PassThroughToTPM_OutputParamBlock *outbuf)
-{
-  grub_efi_handle_t tpm_handle;
-  grub_uint8_t protocol_version;
-
-  /* Absence of a TPM isn't a failure. */
-  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
-    return 0;
-
-  if (protocol_version == 1)
-    return grub_tpm1_execute (tpm_handle, inbuf, outbuf);
-  else
-    return grub_tpm2_execute (tpm_handle, inbuf, outbuf);
-}
-
 static grub_err_t
 grub_tpm1_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
 		     grub_size_t size, grub_uint8_t pcr,
@ -242,28 +176,14 @@ grub_tpm1_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
  event->PCRIndex = pcr;
  event->EventType = EV_IPL;
  event->EventSize = grub_strlen (description) + 1;
-  grub_memcpy (event->Event, description, event->EventSize);
+  grub_strcpy ((char *) event->Event, description);

  algorithm = TCG_ALG_SHA;
-  status = efi_call_7 (tpm->log_extend_event, tpm, (grub_addr_t) buf, (grub_uint64_t) size,
-		       algorithm, event, &eventnum, &lastevent);
+  status = tpm->log_extend_event (tpm, (grub_addr_t) buf, (grub_uint64_t) size,
+				  algorithm, event, &eventnum, &lastevent);
+  grub_free (event);

-  switch (status)
-    {
-    case GRUB_EFI_SUCCESS:
-      return 0;
-    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
-    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
-    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
-    case GRUB_EFI_NOT_FOUND:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
-    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
-    }
+  return grub_efi_log_event_status (status);
 }

 static grub_err_t
@ -293,41 +213,122 @@ grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
  event->Header.EventType = EV_IPL;
  event->Size =
    sizeof (*event) - sizeof (event->Event) + grub_strlen (description) + 1;
-  grub_memcpy (event->Event, description, grub_strlen (description) + 1);
+  grub_strcpy ((char *) event->Event, description);

-  status = efi_call_5 (tpm->hash_log_extend_event, tpm, 0, (grub_addr_t) buf,
-		       (grub_uint64_t) size, event);
+  status = tpm->hash_log_extend_event (tpm, 0, (grub_addr_t) buf,
+				       (grub_uint64_t) size, event);
+  grub_free (event);

-  switch (status)
+  return grub_efi_log_event_status (status);
+}
+
+static void
+grub_cc_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		   const char *description)
+{
+  grub_efi_cc_event_t *event;
+  grub_efi_status_t status;
+  grub_efi_cc_protocol_t *cc;
+  grub_efi_cc_mr_index_t mr;
+
+  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
+  if (cc == NULL)
+    return;
+
+  status = cc->map_pcr_to_mr_index (cc, pcr, &mr);
+  if (status != GRUB_EFI_SUCCESS)
    {
-    case GRUB_EFI_SUCCESS:
-      return 0;
-    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
-    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
-    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT,
-			 N_("Output buffer too small"));
-    case GRUB_EFI_NOT_FOUND:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
-    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
+      grub_efi_log_event_status (status);
+      return;
    }
+
+  event = grub_zalloc (sizeof (grub_efi_cc_event_t) +
+		       grub_strlen (description) + 1);
+  if (event == NULL)
+    {
+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate CC event buffer"));
+      return;
+    }
+
+  event->Header.HeaderSize = sizeof (grub_efi_cc_event_header_t);
+  event->Header.HeaderVersion = GRUB_EFI_CC_EVENT_HEADER_VERSION;
+  event->Header.MrIndex = mr;
+  event->Header.EventType = EV_IPL;
+  event->Size = sizeof (*event) + grub_strlen (description) + 1;
+  grub_strcpy ((char *) event->Event, description);
+
+  status = cc->hash_log_extend_event (cc, 0,
+				      (grub_efi_physical_address_t)(grub_addr_t) buf,
+				      (grub_efi_uint64_t) size, event);
+  grub_free (event);
+
+  if (status != GRUB_EFI_SUCCESS)
+    grub_efi_log_event_status (status);
 }

 grub_err_t
-grub_tpm_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
 		    const char *description)
 {
  grub_efi_handle_t tpm_handle;
  grub_efi_uint8_t protocol_version;

+  grub_cc_log_event(buf, size, pcr, description);
+
  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
    return 0;

+  grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", %s\n",
+                pcr, size, description);
+
  if (protocol_version == 1)
    return grub_tpm1_log_event (tpm_handle, buf, size, pcr, description);
  else
    return grub_tpm2_log_event (tpm_handle, buf, size, pcr, description);
 }
+
+int
+grub_tpm_present (void)
+{
+  grub_efi_handle_t tpm_handle;
+  grub_efi_uint8_t protocol_version;
+  grub_efi_cc_protocol_t *cc;
+
+  /*
+   * When confidential computing measurement protocol is enabled
+   * we assume the TPM is present.
+   */
+  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
+  if (cc != NULL)
+    return 1;
+
+  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
+    return 0;
+
+  if (protocol_version == 1)
+    {
+      grub_efi_tpm_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
+				    GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+	{
+	  grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+	  return 0;
+	}
+      return grub_tpm1_present (tpm);
+    }
+  else
+    {
+      grub_efi_tpm2_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
+				    GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+	{
+	  grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+	  return 0;
+	}
+      return grub_tpm2_present (tpm);
+    }
+}
--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
@ -19,6 +19,7 @@

 #include <grub/mm.h>
 #include <grub/list.h>
+#include <grub/lockdown.h>
 #include <grub/misc.h>
 #include <grub/extcmd.h>
 #include <grub/script_sh.h>
@ -48,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
    }

  state = grub_arg_list_alloc (ext, argc, args);
+  if (state == NULL)
+    return grub_errno;
+
  if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
    {
      context.state = state;
@ -110,6 +114,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
 				    summary, description, parser, 1);
 }

+static grub_err_t
+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+                      int argc __attribute__ ((unused)),
+                      char **argv __attribute__ ((unused)))
+{
+  return grub_error (GRUB_ERR_ACCESS_DENIED,
+                     N_("%s: the command is not allowed when lockdown is enforced"),
+                     ctxt->extcmd->cmd->name);
+}
+
+grub_extcmd_t
+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
+                               grub_command_flags_t flags, const char *summary,
+                               const char *description,
+                               const struct grub_arg_option *parser)
+{
+  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+    func = grub_extcmd_lockdown;
+
+  return grub_register_extcmd (name, func, flags, summary, description, parser);
+}
+
 void
 grub_unregister_extcmd (grub_extcmd_t ext)
 {
--- a/grub-core/commands/file.c
+++ b/grub-core/commands/file.c
@ -25,10 +25,10 @@
 #include <grub/i18n.h>
 #include <grub/file.h>
 #include <grub/elf.h>
+#include <grub/efi/efi.h>
 #include <grub/xen_file.h>
 #include <grub/efi/pe32.h>
 #include <grub/arm/linux.h>
-#include <grub/arm64/linux.h>
 #include <grub/i386/linux.h>
 #include <grub/xnu.h>
 #include <grub/machoload.h>
@ -134,7 +134,8 @@ enum
  IS_IA_EFI,
  IS_ARM64_EFI,
  IS_ARM_EFI,
-  IS_RISCV_EFI,
+  IS_RISCV32_EFI,
+  IS_RISCV64_EFI,
  IS_HIBERNATED,
  IS_XNU64,
  IS_XNU32,
@ -305,6 +306,8 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)

 	elf = grub_elf_file (file, file->name);

+	if (elf == NULL)
+	  break;
 	if (elf->ehdr.ehdr32.e_type != grub_cpu_to_le16_compile_time (ET_EXEC)
 	    || elf->ehdr.ehdr32.e_ident[EI_DATA] != ELFDATA2LSB)
 	  break;
@ -390,7 +393,7 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
      }
    case IS_ARM_LINUX:
      {
-	struct linux_arm_kernel_header lh;
+	struct linux_arch_kernel_header lh;

 	if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
 	  break;
@ -411,13 +414,24 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
      }
    case IS_ARM64_LINUX:
      {
-	struct linux_arm64_kernel_header lh;
+	struct linux_arch_kernel_header lh;

 	if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
 	  break;

-	if (lh.magic ==
-	    grub_cpu_to_le32_compile_time (GRUB_LINUX_ARM64_MAGIC_SIGNATURE))
+	/*
+	 * The PE/COFF header can be anywhere in the file. Load it from the correct
+	 * offset if it is not where it is expected.
+	 */
+        if ((grub_uint8_t *) &lh + lh.hdr_offset != (grub_uint8_t *) &lh.pe_image_header)
+        {
+          if (grub_file_seek (file, lh.hdr_offset) == (grub_off_t) -1
+              || grub_file_read (file, &lh.pe_image_header, sizeof (struct grub_pe_image_header))
+                 != sizeof (struct grub_pe_image_header))
+            return grub_error (GRUB_ERR_FILE_READ_ERROR, "failed to read COFF image header");
+        }
+
+	if (lh.pe_image_header.coff_header.machine == grub_cpu_to_le16_compile_time (GRUB_PE32_MACHINE_ARM64))
 	  {
 	    ret = 1;
 	    break;
@ -576,7 +590,8 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
    case IS_IA_EFI:
    case IS_ARM64_EFI:
    case IS_ARM_EFI:
-    case IS_RISCV_EFI:
+    case IS_RISCV32_EFI:
+    case IS_RISCV64_EFI:
      {
 	char signature[4];
 	grub_uint32_t pe_offset;
@ -622,13 +637,13 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
 	    && coff_head.machine !=
 	    grub_cpu_to_le16_compile_time (GRUB_PE32_MACHINE_ARMTHUMB_MIXED))
 	  break;
-	if (type == IS_RISCV_EFI
+	if ((type == IS_RISCV32_EFI || type == IS_RISCV64_EFI)
 	    && coff_head.machine !=
 	    grub_cpu_to_le16_compile_time (GRUB_PE32_MACHINE_RISCV64))
          /* TODO: Determine bitness dynamically */
 	  break;
 	if (type == IS_IA_EFI || type == IS_64_EFI || type == IS_ARM64_EFI ||
-	    type == IS_RISCV_EFI)
+	    type == IS_RISCV32_EFI || type == IS_RISCV64_EFI)
 	  {
 	    struct grub_pe64_optional_header o64;
 	    if (grub_file_read (file, &o64, sizeof (o64)) != sizeof (o64))
--- a/grub-core/commands/halt.c
+++ b/grub-core/commands/halt.c
@ -37,7 +37,7 @@ static grub_command_t cmd;
 GRUB_MOD_INIT(halt)
 {
  cmd = grub_register_command ("halt", grub_cmd_halt,
-			       0, N_("Halts the computer.  This command does" 
+			       0, N_("Halts the computer.  This command does"
 			       " not work on all firmware implementations."));
 }

--- a/grub-core/commands/hashsum.c
+++ b/grub-core/commands/hashsum.c
@ -39,7 +39,7 @@ static const struct grub_arg_option options[] = {
  {0, 0, 0, 0, 0, 0}
 };

-static struct { const char *name; const char *hashname; } aliases[] = 
+static struct { const char *name; const char *hashname; } aliases[] =
  {
    {"sha256sum", "sha256"},
    {"sha512sum", "sha512"},
@ -116,7 +116,7 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
  hashlist = grub_file_open (hashfilename, GRUB_FILE_TYPE_HASHLIST);
  if (!hashlist)
    return grub_errno;
-  
+
  while (grub_free (buf), (buf = grub_file_getline (hashlist)))
    {
      const char *p = buf;
@ -128,19 +128,28 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
 	  high = hextoval (*p++);
 	  low = hextoval (*p++);
 	  if (high < 0 || low < 0)
-	    return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+	    {
+	      grub_free (buf);
+	      return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+	    }
 	  expected[i] = (high << 4) | low;
 	}
      if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
-	return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+	{
+	  grub_free (buf);
+	  return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
+	}
      p += 2;
      if (prefix)
 	{
 	  char *filename;
-	  
+
 	  filename = grub_xasprintf ("%s/%s", prefix, p);
 	  if (!filename)
-	    return grub_errno;
+	    {
+	      grub_free (buf);
+	      return grub_errno;
+	    }
 	  file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
 				 | (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
 				    : GRUB_FILE_TYPE_NONE));
@ -183,7 +192,7 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
 				 "hash of '%s' mismatches", p);
 	    }
 	  mismatch++;
-	  continue;	  
+	  continue;
 	}
      grub_printf_ (N_("%s: OK\n"), p);
    }
--- a/grub-core/commands/hdparm.c
+++ b/grub-core/commands/hdparm.c
@ -333,7 +333,7 @@ grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args)
      grub_disk_close (disk);
      return grub_error (GRUB_ERR_IO, "not an ATA device");
    }
-    
+

  /* Change settings.  */
  if (aam >= 0)
@ -436,9 +436,9 @@ static grub_extcmd_t cmd;

 GRUB_MOD_INIT(hdparm)
 {
-  cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
-			      N_("[OPTIONS] DISK"),
-			      N_("Get/set ATA disk parameters."), options);
+  cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
+				       N_("[OPTIONS] DISK"),
+				       N_("Get/set ATA disk parameters."), options);
 }

 GRUB_MOD_FINI(hdparm)
--- a/grub-core/commands/help.c
+++ b/grub-core/commands/help.c
@ -64,11 +64,11 @@ grub_cmd_help (grub_extcmd_context_t ctxt __attribute__ ((unused)), int argc,

 	      stringwidth = 0;

-	      while (unicode_last_screen_position < unicode_last_position && 
+	      while (unicode_last_screen_position < unicode_last_position &&
 		     stringwidth < ((grub_term_width (term) / 2) - 2))
 		{
 		  struct grub_unicode_glyph glyph;
-		  unicode_last_screen_position 
+		  unicode_last_screen_position
 		    += grub_unicode_aglomerate_comb (unicode_last_screen_position,
 						     unicode_last_position
 						     - unicode_last_screen_position,
@ -88,7 +88,7 @@ grub_cmd_help (grub_extcmd_context_t ctxt __attribute__ ((unused)), int argc,
 	    if (cnt % 2)
 	      grub_printf ("\n");
 	    cnt++;
-	  
+
 	    grub_free (command_help);
 	    grub_free (unicode_command_help);
 	  }
@ -135,6 +135,8 @@ grub_cmd_help (grub_extcmd_context_t ctxt __attribute__ ((unused)), int argc,
 	}
    }

+  grub_printf ("\n\nTo enable less(1)-like paging, \"set pager=1\".\n");
+
  return 0;
 }

--- a/grub-core/commands/hexdump.c
+++ b/grub-core/commands/hexdump.c
@ -24,6 +24,7 @@
 #include <grub/lib/hexdump.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -51,7 +52,11 @@ grub_cmd_hexdump (grub_extcmd_context_t ctxt, int argc, char **args)
  length = (state[1].set) ? grub_strtoul (state[1].arg, 0, 0) : 256;

  if (!grub_strcmp (args[0], "(mem)"))
-    hexdump (skip, (char *) (grub_addr_t) skip, length);
+    {
+      if (grub_is_lockdown() == GRUB_LOCKDOWN_ENABLED)
+        return grub_error (GRUB_ERR_ACCESS_DENIED, N_("memory reading is disabled in lockdown mode"));
+      hexdump (skip, (char *) (grub_addr_t) skip, length);
+    }
  else if ((args[0][0] == '(') && (args[0][namelen - 1] == ')'))
    {
      grub_disk_t disk;
--- a/grub-core/commands/i386/cmostest.c
+++ b/grub-core/commands/i386/cmostest.c
@ -27,7 +27,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
 static grub_err_t
 parse_args (int argc, char *argv[], int *byte, int *bit)
 {
-  char *rest;
+  const char *rest;

  if (argc != 1)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, "address required");
@ -104,13 +104,13 @@ static grub_command_t cmd, cmd_clean, cmd_set;

 GRUB_MOD_INIT(cmostest)
 {
-  cmd = grub_register_command ("cmostest", grub_cmd_cmostest,
+  cmd = grub_register_command_lockdown ("cmostest", grub_cmd_cmostest,
 			       N_("BYTE:BIT"),
 			       N_("Test bit at BYTE:BIT in CMOS."));
-  cmd_clean = grub_register_command ("cmosclean", grub_cmd_cmosclean,
+  cmd_clean = grub_register_command_lockdown ("cmosclean", grub_cmd_cmosclean,
 				     N_("BYTE:BIT"),
 				     N_("Clear bit at BYTE:BIT in CMOS."));
-  cmd_set = grub_register_command ("cmosset", grub_cmd_cmosset,
+  cmd_set = grub_register_command_lockdown ("cmosset", grub_cmd_cmosset,
 				   N_("BYTE:BIT"),
 				   /* TRANSLATORS: A bit may be either set (1) or clear (0).  */
 				   N_("Set bit at BYTE:BIT in CMOS."));
--- a/grub-core/commands/i386/coreboot/cb_timestamps.c
+++ b/grub-core/commands/i386/coreboot/cb_timestamps.c
@ -84,7 +84,7 @@ iterate_linuxbios_table (grub_linuxbios_table_item_t table_item,
      grub_uint32_t tmrel = tsc2ms (ts_table->entries[i].tsc - last_tsc);
      last_tsc = ts_table->entries[i].tsc;

-      grub_printf ("%3d.%03ds %2d.%03ds %02d %s\n", 
+      grub_printf ("%3d.%03ds %2d.%03ds %02d %s\n",
 		   tmabs / 1000, tmabs % 1000, tmrel / 1000, tmrel % 1000,
 		   ts_table->entries[i].id,
 		   (ts_table->entries[i].id < ARRAY_SIZE (descs)
--- a/grub-core/commands/i386/coreboot/cbls.c
+++ b/grub-core/commands/i386/coreboot/cbls.c
@ -84,7 +84,7 @@ iterate_linuxbios_table (grub_linuxbios_table_item_t table_item,

 	grub_printf (": %dx%dx%d pitch=%d lfb=0x%llx %d/%d/%d/%d %d/%d/%d/%d",
 		     fb->width, fb->height,
-		     fb->bpp, fb->pitch, 
+		     fb->bpp, fb->pitch,
 		     (unsigned long long) fb->lfb,
 		     fb->red_mask_size, fb->green_mask_size,
 		     fb->blue_mask_size, fb->reserved_mask_size,
--- a/grub-core/commands/i386/pc/drivemap.c
+++ b/grub-core/commands/i386/pc/drivemap.c
@ -31,9 +31,6 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-/* Real mode IVT slot (seg:off far pointer) for interrupt 0x13.  */
-static grub_uint32_t *const int13slot = (grub_uint32_t *) (4 * 0x13);
-
 /* Remember to update enum opt_idxs accordingly.  */
 static const struct grub_arg_option options[] = {
  /* TRANSLATORS: In this file "mapping" refers to a change GRUB makes so if
@ -185,7 +182,7 @@ list_mappings (void)
      return GRUB_ERR_NONE;
    }

-  /* TRANSLATORS:  This is the header of mapping list. 
+  /* TRANSLATORS:  This is the header of mapping list.
     On the left is how OS will see the disks and
     on the right current GRUB vision.  */
  grub_puts_ (N_("OS disk #num ------> GRUB/BIOS device"));
@ -280,6 +277,8 @@ install_int13_handler (int noret __attribute__ ((unused)))
  grub_uint8_t *handler_base = 0;
  /* Address of the map within the deployed bundle.  */
  int13map_node_t *handler_map;
+  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
+  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);

  int i;
  int entries = 0;
@ -354,6 +353,9 @@ install_int13_handler (int noret __attribute__ ((unused)))
 static grub_err_t
 uninstall_int13_handler (void)
 {
+  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
+  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);
+
  if (! grub_drivemap_oldhandler)
    return GRUB_ERR_NONE;

--- a/grub-core/commands/i386/pc/halt.c
+++ b/grub-core/commands/i386/pc/halt.c
@ -59,7 +59,7 @@ grub_halt (int no_apm)
  regs.ebx = 0;
  regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
  grub_bios_interrupt (0x15, &regs);
-  
+
  if (regs.flags & GRUB_CPU_INT_FLAGS_CARRY)
    stop ();

--- a/grub-core/commands/i386/pc/lsapm.c
+++ b/grub-core/commands/i386/pc/lsapm.c
@ -34,7 +34,7 @@ grub_apm_get_info (struct grub_apm_info *info)
  regs.ebx = 0;
  regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
  grub_bios_interrupt (0x15, &regs);
-  
+
  if (regs.flags & GRUB_CPU_INT_FLAGS_CARRY)
    return 0;
  info->version = regs.eax & 0xffff;
--- a/grub-core/commands/i386/pc/play.c
+++ b/grub-core/commands/i386/pc/play.c
@ -80,7 +80,7 @@ grub_cmd_play (grub_command_t cmd __attribute__ ((unused)),
 {

  if (argc < 1)
-    return grub_error (GRUB_ERR_BAD_ARGUMENT, 
+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
 		       /* TRANSLATORS: It's musical notes, not the notes
 			  you take. Play command expects arguments which can
 			  be either a filename or tempo+notes.
@ -132,7 +132,7 @@ grub_cmd_play (grub_command_t cmd __attribute__ ((unused)),
    }
  else
    {
-      char *end;
+      const char *end;
      unsigned tempo;
      struct note note;
      int i;
--- a/grub-core/commands/i386/pc/sendkey.c
+++ b/grub-core/commands/i386/pc/sendkey.c
@ -55,12 +55,12 @@ static const struct grub_arg_option options[] =
    {"no-led", 0, 0, N_("don't update LED state"), 0, 0},
    {0, 0, 0, 0, 0, 0}
  };
-static int simple_flag_offsets[] 
+static int simple_flag_offsets[]
 = {5, 6, 4, 7, 11, 1, 0, 10, 13, 14, 12, 15, 9, 3, 8, 2};

 static grub_uint32_t andmask = 0xffffffff, ormask = 0;

-struct 
+struct
 keysym
 {
  const char *unshifted_name;		/* the name in unshifted state */
@ -171,13 +171,13 @@ static struct keysym keysym_table[] =
  {"right",		0,		0xe0,	0,	0x4d}
 };

-/* Set a simple flag in flags variable  
+/* Set a simple flag in flags variable
   OUTOFFSET - offset of flag in FLAGS,
   OP - action id
 */
 static void
 grub_sendkey_set_simple_flag (int outoffset, int op)
-{      
+{
  if (op == 2)
    {
      andmask |= (1 << outoffset);
@ -199,7 +199,7 @@ grub_sendkey_parse_op (struct grub_arg_list state)
  if (! state.set)
    return 2;

-  if (grub_strcmp (state.arg, "off") == 0 || grub_strcmp (state.arg, "0") == 0 
+  if (grub_strcmp (state.arg, "off") == 0 || grub_strcmp (state.arg, "0") == 0
      || grub_strcmp (state.arg, "unpress") == 0)
    return 0;

@ -216,12 +216,12 @@ static grub_err_t
 grub_sendkey_postboot (void)
 {
  /* For convention: pointer to flags.  */
-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
+  grub_uint32_t *flags = grub_absolute_pointer (0x417);

  *flags = oldflags;

-  *((char *) 0x41a) = 0x1e;
-  *((char *) 0x41c) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41c)) = 0x1e;

  return GRUB_ERR_NONE;
 }
@ -231,13 +231,13 @@ static grub_err_t
 grub_sendkey_preboot (int noret __attribute__ ((unused)))
 {
  /* For convention: pointer to flags.  */
-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
+  grub_uint32_t *flags = grub_absolute_pointer (0x417);

  oldflags = *flags;
-  
+
  /* Set the sendkey.  */
-  *((char *) 0x41a) = 0x1e;
-  *((char *) 0x41c) = keylen + 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41c)) = keylen + 0x1e;
  grub_memcpy ((char *) 0x41e, sendkey, 0x20);

  /* Transform "any ctrl" to "right ctrl" flag.  */
@ -247,7 +247,7 @@ grub_sendkey_preboot (int noret __attribute__ ((unused)))
  /* Transform "any alt" to "right alt" flag.  */
  if (*flags & (1 << 9))
    *flags &= ~(1 << 3);
-  
+
  *flags = (*flags & andmask) | ormask;

  /* Transform "right ctrl" to "any ctrl" flag.  */
@ -294,10 +294,10 @@ find_key_code (char *key)

  for (i = 0; i < ARRAY_SIZE(keysym_table); i++)
    {
-      if (keysym_table[i].unshifted_name 
+      if (keysym_table[i].unshifted_name
 	  && grub_strcmp (key, keysym_table[i].unshifted_name) == 0)
 	return keysym_table[i].keycode;
-      else if (keysym_table[i].shifted_name 
+      else if (keysym_table[i].shifted_name
 	       && grub_strcmp (key, keysym_table[i].shifted_name) == 0)
 	return keysym_table[i].keycode;
    }
@ -313,10 +313,10 @@ find_ascii_code (char *key)

  for (i = 0; i < ARRAY_SIZE(keysym_table); i++)
    {
-      if (keysym_table[i].unshifted_name 
+      if (keysym_table[i].unshifted_name
 	  && grub_strcmp (key, keysym_table[i].unshifted_name) == 0)
 	return keysym_table[i].unshifted_ascii;
-      else if (keysym_table[i].shifted_name 
+      else if (keysym_table[i].shifted_name
 	       && grub_strcmp (key, keysym_table[i].shifted_name) == 0)
 	return keysym_table[i].shifted_ascii;
    }
@ -340,7 +340,7 @@ grub_cmd_sendkey (grub_extcmd_context_t ctxt, int argc, char **args)
    for (i = 0; i < argc && keylen < 0x20; i++)
      {
 	int key_code;
-	
+
 	key_code = find_key_code (args[i]);
 	if (key_code)
 	  {
@ -353,7 +353,7 @@ grub_cmd_sendkey (grub_extcmd_context_t ctxt, int argc, char **args)
  {
    unsigned i;
    for (i = 0; i < ARRAY_SIZE(simple_flag_offsets); i++)
-      grub_sendkey_set_simple_flag (simple_flag_offsets[i], 
+      grub_sendkey_set_simple_flag (simple_flag_offsets[i],
 				    grub_sendkey_parse_op(state[i]));
  }

@ -374,8 +374,8 @@ GRUB_MOD_INIT (sendkey)
 				 keypresses.  */
 			      N_("Emulate a keystroke sequence"), options);

-  preboot_hook 
-    = grub_loader_register_preboot_hook (grub_sendkey_preboot, 
+  preboot_hook
+    = grub_loader_register_preboot_hook (grub_sendkey_preboot,
 					 grub_sendkey_postboot,
 					 GRUB_LOADER_PREBOOT_HOOK_PRIO_CONSOLE);
 }
--- a/grub-core/commands/i386/pc/smbios.c
+++ b/grub-core/commands/i386/pc/smbios.c
@ -0,0 +1,52 @@
+/* smbios.c - get smbios tables. */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2019  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/acpi.h>
+#include <grub/smbios.h>
+#include <grub/misc.h>
+
+struct grub_smbios_eps *
+grub_machine_smbios_get_eps (void)
+{
+  grub_uint8_t *ptr;
+
+  grub_dprintf ("smbios", "Looking for SMBIOS EPS. Scanning BIOS\n");
+
+  for (ptr = (grub_uint8_t *) 0xf0000; ptr < (grub_uint8_t *) 0x100000; ptr += 16)
+    if (grub_memcmp (ptr, "_SM_", 4) == 0
+	&& grub_byte_checksum (ptr, sizeof (struct grub_smbios_eps)) == 0)
+      return (struct grub_smbios_eps *) ptr;
+
+  return 0;
+}
+
+struct grub_smbios_eps3 *
+grub_machine_smbios_get_eps3 (void)
+{
+  grub_uint8_t *ptr;
+
+  grub_dprintf ("smbios", "Looking for SMBIOS3 EPS. Scanning BIOS\n");
+
+  for (ptr = (grub_uint8_t *) 0xf0000; ptr < (grub_uint8_t *) 0x100000; ptr += 16)
+    if (grub_memcmp (ptr, "_SM3_", 5) == 0
+	&& grub_byte_checksum (ptr, sizeof (struct grub_smbios_eps3)) == 0)
+      return (struct grub_smbios_eps3 *) ptr;
+
+  return 0;
+}
--- a/grub-core/commands/i386/rdmsr.c
+++ b/grub-core/commands/i386/rdmsr.c
@ -26,7 +26,7 @@
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
 #include <grub/i386/cpuid.h>
-#include <grub/i386/rdmsr.h>
+#include <grub/i386/msr.h>

 GRUB_MOD_LICENSE("GPLv3+");

@ -42,27 +42,16 @@ static const struct grub_arg_option options[] =
 static grub_err_t
 grub_cmd_msr_read (grub_extcmd_context_t ctxt, int argc, char **argv)
 {
-  grub_uint32_t manufacturer[3], max_cpuid, a, b, c, features, addr;
+  grub_err_t err;
+  grub_uint32_t addr;
  grub_uint64_t value;
-  char *ptr;
+  const char *ptr;
  char buf[sizeof("1122334455667788")];

-  /*
-   * The CPUID instruction should be used to determine whether MSRs
-   * are supported. (CPUID.01H:EDX[5] = 1)
-   */
-  if (! grub_cpu_is_cpuid_supported ())
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  err = grub_cpu_is_msr_supported ();

-  grub_cpuid (0, max_cpuid, manufacturer[0], manufacturer[2], manufacturer[1]);
-
-  if (max_cpuid < 1)
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
-
-  grub_cpuid (1, a, b, c, features);
-
-  if (!(features & (1 << 5)))
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  if (err != GRUB_ERR_NONE)
+    return grub_error (err, N_("RDMSR is unsupported"));

  if (argc != 1)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
@ -76,7 +65,7 @@ grub_cmd_msr_read (grub_extcmd_context_t ctxt, int argc, char **argv)
  if (*ptr != '\0')
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid argument"));

-  value = grub_msr_read (addr);
+  value = grub_rdmsr (addr);

  if (ctxt->state[0].set)
    {
--- a/grub-core/commands/i386/wrmsr.c
+++ b/grub-core/commands/i386/wrmsr.c
@ -24,9 +24,10 @@
 #include <grub/env.h>
 #include <grub/command.h>
 #include <grub/extcmd.h>
+#include <grub/lockdown.h>
 #include <grub/i18n.h>
 #include <grub/i386/cpuid.h>
-#include <grub/i386/wrmsr.h>
+#include <grub/i386/msr.h>

 GRUB_MOD_LICENSE("GPLv3+");

@ -35,26 +36,15 @@ static grub_command_t cmd_write;
 static grub_err_t
 grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char **argv)
 {
-  grub_uint32_t manufacturer[3], max_cpuid, a, b, c, features, addr;
+  grub_err_t err;
+  grub_uint32_t addr;
  grub_uint64_t value;
-  char *ptr;
+  const char *ptr;

-  /*
-   * The CPUID instruction should be used to determine whether MSRs
-   * are supported. (CPUID.01H:EDX[5] = 1)
-   */
-  if (!grub_cpu_is_cpuid_supported ())
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  err = grub_cpu_is_msr_supported ();

-  grub_cpuid (0, max_cpuid, manufacturer[0], manufacturer[2], manufacturer[1]);
-
-  if (max_cpuid < 1)
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
-
-  grub_cpuid (1, a, b, c, features);
-
-  if (!(features & (1 << 5)))
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  if (err != GRUB_ERR_NONE)
+    return grub_error (err, N_("WRMSR is unsupported"));

  if (argc != 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
@ -76,15 +66,15 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
  if (*ptr != '\0')
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid argument"));

-  grub_msr_write (addr, value);
+  grub_wrmsr (addr, value);

  return GRUB_ERR_NONE;
 }

 GRUB_MOD_INIT(wrmsr)
 {
-  cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
-				     N_("Write a value to a CPU model specific register."));
+  cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+                                              N_("Write a value to a CPU model specific register."));
 }

 GRUB_MOD_FINI(wrmsr)
--- a/grub-core/commands/ieee1275/ibmvtpm.c
+++ b/grub-core/commands/ieee1275/ibmvtpm.c
@ -0,0 +1,117 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022  Free Software Foundation, Inc.
+ *  Copyright (C) 2022  IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  IBM vTPM support code.
+ */
+
+#include <grub/err.h>
+#include <grub/types.h>
+#include <grub/tpm.h>
+#include <grub/ieee1275/ieee1275.h>
+#include <grub/ieee1275/tpm.h>
+#include <grub/mm.h>
+#include <grub/misc.h>
+
+static int
+ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
+		       grub_uint32_t eventtype,
+		       const char *description,
+		       grub_size_t description_size,
+		       void *buf, grub_size_t size)
+{
+  struct tpm_2hash_ext_log
+  {
+    struct grub_ieee1275_common_hdr common;
+    grub_ieee1275_cell_t method;
+    grub_ieee1275_cell_t ihandle;
+    grub_ieee1275_cell_t size;
+    grub_ieee1275_cell_t buf;
+    grub_ieee1275_cell_t description_size;
+    grub_ieee1275_cell_t description;
+    grub_ieee1275_cell_t eventtype;
+    grub_ieee1275_cell_t pcrindex;
+    grub_ieee1275_cell_t catch_result;
+    grub_ieee1275_cell_t rc;
+  };
+  struct tpm_2hash_ext_log args;
+
+  INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
+  args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
+  args.ihandle = grub_ieee1275_tpm_ihandle;
+  args.pcrindex = pcrindex;
+  args.eventtype = eventtype;
+  args.description = (grub_ieee1275_cell_t) description;
+  args.description_size = description_size;
+  args.buf = (grub_ieee1275_cell_t) buf;
+  args.size = (grub_ieee1275_cell_t) size;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+    return -1;
+
+  /*
+   * catch_result is set if firmware does not support 2hash-ext-log
+   * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
+   */
+  if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
+    return -1;
+
+  return 0;
+}
+
+static grub_err_t
+tpm2_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		const char *description)
+{
+  static int error_displayed = 0;
+  int rc;
+
+  rc = ibmvtpm_2hash_ext_log (pcr, EV_IPL,
+			      description, grub_strlen(description) + 1,
+			      buf, size);
+  if (rc && !error_displayed)
+    {
+      error_displayed++;
+      return grub_error (GRUB_ERR_BAD_DEVICE,
+			 "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		  const char *description)
+{
+  grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", %s\n",
+		pcr, size, description);
+
+  if (grub_ieee1275_tpm_ihandle != GRUB_IEEE1275_IHANDLE_INVALID)
+    return tpm2_log_event (buf, size, pcr, description);
+
+  return GRUB_ERR_NONE;
+}
+
+int
+grub_tpm_present (void)
+{
+  /*
+   * Call tpm_init() "late" rather than from GRUB_MOD_INIT() so that device nodes
+   * can be found.
+   */
+  return grub_ieee1275_tpm_init() == GRUB_ERR_NONE;
+}
--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
@ -23,6 +23,7 @@
 #include <grub/env.h>
 #include <grub/cpu/io.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
 			  N_("PORT"), N_("Read 32-bit value from PORT."),
 			  options);
  cmd_write_byte =
-    grub_register_command ("outb", grub_cmd_write,
-			   N_("PORT VALUE [MASK]"),
-			   N_("Write 8-bit VALUE to PORT."));
+    grub_register_command_lockdown ("outb", grub_cmd_write,
+                                    N_("PORT VALUE [MASK]"),
+                                    N_("Write 8-bit VALUE to PORT."));
  cmd_write_word =
-    grub_register_command ("outw", grub_cmd_write,
-			   N_("PORT VALUE [MASK]"),
-			   N_("Write 16-bit VALUE to PORT."));
+    grub_register_command_lockdown ("outw", grub_cmd_write,
+                                    N_("PORT VALUE [MASK]"),
+                                    N_("Write 16-bit VALUE to PORT."));
  cmd_write_dword =
-    grub_register_command ("outl", grub_cmd_write,
-			   N_("ADDR VALUE [MASK]"),
-			   N_("Write 32-bit VALUE to PORT."));
+    grub_register_command_lockdown ("outl", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 32-bit VALUE to PORT."));
 }

 GRUB_MOD_FINI(memrw)
--- a/grub-core/commands/keylayouts.c
+++ b/grub-core/commands/keylayouts.c
@ -35,7 +35,7 @@ static struct grub_keyboard_layout layout_us = {
    /* Keyboard errors. Handled by driver.  */
    /* 0x00 */   0,   0,   0,   0,

-    /* 0x04 */ 'a',  'b',  'c',  'd', 
+    /* 0x04 */ 'a',  'b',  'c',  'd',
    /* 0x08 */ 'e',  'f',  'g',  'h',  'i', 'j', 'k', 'l',
    /* 0x10 */ 'm',  'n',  'o',  'p',  'q', 'r', 's', 't',
    /* 0x18 */ 'u',  'v',  'w',  'x',  'y', 'z', '1', '2',
@ -43,11 +43,11 @@ static struct grub_keyboard_layout layout_us = {
    /* 0x28 */ '\n', GRUB_TERM_ESC, GRUB_TERM_BACKSPACE, GRUB_TERM_TAB, ' ', '-', '=', '[',
    /* According to usage table 0x31 should be mapped to '/'
       but testing with real keyboard shows that 0x32 is remapped to '/'.
-       Map 0x31 to 0. 
+       Map 0x31 to 0.
    */
    /* 0x30 */ ']',   0,   '\\', ';', '\'', '`', ',', '.',
    /* 0x39 is CapsLock. Handled by driver.  */
-    /* 0x38 */ '/',   0,   GRUB_TERM_KEY_F1, GRUB_TERM_KEY_F2, 
+    /* 0x38 */ '/',   0,   GRUB_TERM_KEY_F1, GRUB_TERM_KEY_F2,
    /* 0x3c */ GRUB_TERM_KEY_F3,     GRUB_TERM_KEY_F4,
    /* 0x3e */ GRUB_TERM_KEY_F5,     GRUB_TERM_KEY_F6,
    /* 0x40 */ GRUB_TERM_KEY_F7,     GRUB_TERM_KEY_F8,
@ -56,16 +56,16 @@ static struct grub_keyboard_layout layout_us = {
    /* PrtScr and ScrollLock. Not handled yet.  */
    /* 0x46 */ 0,                    0,
    /* 0x48 is Pause. Not handled yet.  */
-    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT, 
+    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT,
    /* 0x4a */ GRUB_TERM_KEY_HOME,   GRUB_TERM_KEY_PPAGE,
    /* 0x4c */ GRUB_TERM_KEY_DC,     GRUB_TERM_KEY_END,
    /* 0x4e */ GRUB_TERM_KEY_NPAGE,  GRUB_TERM_KEY_RIGHT,
    /* 0x50 */ GRUB_TERM_KEY_LEFT,   GRUB_TERM_KEY_DOWN,
    /* 0x53 is NumLock. Handled by driver.  */
    /* 0x52 */ GRUB_TERM_KEY_UP,     0,
-    /* 0x54 */ '/',                  '*', 
+    /* 0x54 */ '/',                  '*',
    /* 0x56 */ '-',                  '+',
-    /* 0x58 */ '\n',                 GRUB_TERM_KEY_END, 
+    /* 0x58 */ '\n',                 GRUB_TERM_KEY_END,
    /* 0x5a */ GRUB_TERM_KEY_DOWN,   GRUB_TERM_KEY_NPAGE,
    /* 0x5c */ GRUB_TERM_KEY_LEFT,   GRUB_TERM_KEY_CENTER,
    /* 0x5e */ GRUB_TERM_KEY_RIGHT,  GRUB_TERM_KEY_HOME,
@ -77,7 +77,7 @@ static struct grub_keyboard_layout layout_us = {
    /* Keyboard errors. Handled by driver.  */
    /* 0x00 */   0,   0,   0,   0,

-    /* 0x04 */ 'A',  'B',  'C',  'D', 
+    /* 0x04 */ 'A',  'B',  'C',  'D',
    /* 0x08 */ 'E',  'F',  'G',  'H',  'I', 'J', 'K', 'L',
    /* 0x10 */ 'M',  'N',  'O',  'P',  'Q', 'R', 'S', 'T',
    /* 0x18 */ 'U',  'V',  'W',  'X',  'Y', 'Z', '!', '@',
@ -87,27 +87,27 @@ static struct grub_keyboard_layout layout_us = {
    /* 0x2c */ ' '  | GRUB_TERM_SHIFT,  '_', '+', '{',
    /* According to usage table 0x31 should be mapped to '/'
       but testing with real keyboard shows that 0x32 is remapped to '/'.
-       Map 0x31 to 0. 
+       Map 0x31 to 0.
    */
    /* 0x30 */ '}',  0,    '|',  ':',  '"', '~', '<', '>',
    /* 0x39 is CapsLock. Handled by driver.  */
    /* 0x38 */ '?',  0,
    /* 0x3a */ GRUB_TERM_KEY_F1 | GRUB_TERM_SHIFT,
-    /* 0x3b */ GRUB_TERM_KEY_F2 | GRUB_TERM_SHIFT, 
-    /* 0x3c */ GRUB_TERM_KEY_F3 | GRUB_TERM_SHIFT, 
-    /* 0x3d */ GRUB_TERM_KEY_F4 | GRUB_TERM_SHIFT, 
-    /* 0x3e */ GRUB_TERM_KEY_F5 | GRUB_TERM_SHIFT, 
-    /* 0x3f */ GRUB_TERM_KEY_F6 | GRUB_TERM_SHIFT, 
-    /* 0x40 */ GRUB_TERM_KEY_F7 | GRUB_TERM_SHIFT, 
-    /* 0x41 */ GRUB_TERM_KEY_F8 | GRUB_TERM_SHIFT, 
-    /* 0x42 */ GRUB_TERM_KEY_F9 | GRUB_TERM_SHIFT, 
-    /* 0x43 */ GRUB_TERM_KEY_F10 | GRUB_TERM_SHIFT, 
-    /* 0x44 */ GRUB_TERM_KEY_F11 | GRUB_TERM_SHIFT, 
-    /* 0x45 */ GRUB_TERM_KEY_F12 | GRUB_TERM_SHIFT, 
+    /* 0x3b */ GRUB_TERM_KEY_F2 | GRUB_TERM_SHIFT,
+    /* 0x3c */ GRUB_TERM_KEY_F3 | GRUB_TERM_SHIFT,
+    /* 0x3d */ GRUB_TERM_KEY_F4 | GRUB_TERM_SHIFT,
+    /* 0x3e */ GRUB_TERM_KEY_F5 | GRUB_TERM_SHIFT,
+    /* 0x3f */ GRUB_TERM_KEY_F6 | GRUB_TERM_SHIFT,
+    /* 0x40 */ GRUB_TERM_KEY_F7 | GRUB_TERM_SHIFT,
+    /* 0x41 */ GRUB_TERM_KEY_F8 | GRUB_TERM_SHIFT,
+    /* 0x42 */ GRUB_TERM_KEY_F9 | GRUB_TERM_SHIFT,
+    /* 0x43 */ GRUB_TERM_KEY_F10 | GRUB_TERM_SHIFT,
+    /* 0x44 */ GRUB_TERM_KEY_F11 | GRUB_TERM_SHIFT,
+    /* 0x45 */ GRUB_TERM_KEY_F12 | GRUB_TERM_SHIFT,
    /* PrtScr and ScrollLock. Not handled yet.  */
    /* 0x46 */ 0,                    0,
    /* 0x48 is Pause. Not handled yet.  */
-    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT | GRUB_TERM_SHIFT, 
+    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT | GRUB_TERM_SHIFT,
    /* 0x4a */ GRUB_TERM_KEY_HOME | GRUB_TERM_SHIFT,
    /* 0x4b */ GRUB_TERM_KEY_PPAGE | GRUB_TERM_SHIFT,
    /* 0x4c */ GRUB_TERM_KEY_DC | GRUB_TERM_SHIFT,
@ -118,7 +118,7 @@ static struct grub_keyboard_layout layout_us = {
    /* 0x51 */ GRUB_TERM_KEY_DOWN | GRUB_TERM_SHIFT,
    /* 0x53 is NumLock. Handled by driver.  */
    /* 0x52 */ GRUB_TERM_KEY_UP | GRUB_TERM_SHIFT,     0,
-    /* 0x54 */ '/',                    '*', 
+    /* 0x54 */ '/',                    '*',
    /* 0x56 */ '-',                    '+',
    /* 0x58 */ '\n' | GRUB_TERM_SHIFT, '1', '2', '3', '4', '5','6', '7',
    /* 0x60 */ '8', '9', '0', '.', '|'
@ -148,7 +148,7 @@ map_key_core (int code, int status, int *alt_gr_consumed)
      else if (grub_current_layout->keyboard_map_l3[code])
 	{
 	  *alt_gr_consumed = 1;
-	  return grub_current_layout->keyboard_map_l3[code];  
+	  return grub_current_layout->keyboard_map_l3[code];
 	}
    }
  if (status & (GRUB_TERM_STATUS_LSHIFT | GRUB_TERM_STATUS_RSHIFT))
@ -172,12 +172,12 @@ grub_term_map_key (grub_keyboard_key_t code, int status)
    }

  key = map_key_core (code, status, &alt_gr_consumed);
-  
+
  if (key == 0 || key == GRUB_TERM_SHIFT) {
    grub_printf ("Unknown key 0x%x detected\n", code);
    return GRUB_TERM_NO_KEY;
  }
-  
+
  if (status & GRUB_TERM_STATUS_CAPS)
    {
      if ((key >= 'a') && (key <= 'z'))
@ -185,8 +185,8 @@ grub_term_map_key (grub_keyboard_key_t code, int status)
      else if ((key >= 'A') && (key <= 'Z'))
 	key += 'a' - 'A';
    }
-  
-  if ((status & GRUB_TERM_STATUS_LALT) || 
+
+  if ((status & GRUB_TERM_STATUS_LALT) ||
      ((status & GRUB_TERM_STATUS_RALT) && !alt_gr_consumed))
    key |= GRUB_TERM_ALT;
  if (status & (GRUB_TERM_STATUS_LCTRL | GRUB_TERM_STATUS_RCTRL))
@ -212,7 +212,7 @@ grub_cmd_keymap (struct grub_command *cmd __attribute__ ((unused)),
    {
      const char *prefix = grub_env_get ("prefix");
      if (!prefix)
-	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("variable `%s' isn't set"), "prefix");	
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("variable `%s' isn't set"), "prefix");
      filename = grub_xasprintf ("%s/layouts/%s.gkb", prefix, argv[0]);
      if (!filename)
 	return grub_errno;
--- a/grub-core/commands/keystatus.c
+++ b/grub-core/commands/keystatus.c
@ -35,24 +35,6 @@ static const struct grub_arg_option options[] =
    {0, 0, 0, 0, 0, 0}
  };

-static int
-grub_getkeystatus (void)
-{
-  int status = 0;
-  grub_term_input_t term;
-
-  if (grub_term_poll_usb)
-    grub_term_poll_usb (0);
-
-  FOR_ACTIVE_TERM_INPUTS(term)
-  {
-    if (term->getkeystatus)
-      status |= term->getkeystatus (term);
-  }
-
-  return status;
-}
-
 static grub_err_t
 grub_cmd_keystatus (grub_extcmd_context_t ctxt,
 		    int argc __attribute__ ((unused)),
--- a/grub-core/commands/legacycfg.c
+++ b/grub-core/commands/legacycfg.c
@ -32,6 +32,7 @@
 #include <grub/auth.h>
 #include <grub/disk.h>
 #include <grub/partition.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -104,13 +105,22 @@ legacy_file (const char *filename)
 	if (newsuffix)
 	  {
 	    char *t;
-	    
+	    grub_size_t sz;
+
+	    if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
+		grub_add (sz, 1, &sz))
+	      {
+		grub_errno = GRUB_ERR_OUT_OF_RANGE;
+		goto fail_0;
+	      }
+
 	    t = suffix;
-	    suffix = grub_realloc (suffix, grub_strlen (suffix)
-				   + grub_strlen (newsuffix) + 1);
+	    suffix = grub_realloc (suffix, sz);
 	    if (!suffix)
 	      {
 		grub_free (t);
+
+ fail_0:
 		grub_free (entrysrc);
 		grub_free (parsed);
 		grub_free (newsuffix);
@ -154,13 +164,22 @@ legacy_file (const char *filename)
 	  else
 	    {
 	      char *t;
+	      grub_size_t sz;
+
+	      if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
+		  grub_add (sz, 1, &sz))
+		{
+		  grub_errno = GRUB_ERR_OUT_OF_RANGE;
+		  goto fail_1;
+		}

 	      t = entrysrc;
-	      entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
-				       + grub_strlen (parsed) + 1);
+	      entrysrc = grub_realloc (entrysrc, sz);
 	      if (!entrysrc)
 		{
 		  grub_free (t);
+
+ fail_1:
 		  grub_free (parsed);
 		  grub_free (suffix);
 		  return grub_errno;
@ -179,7 +198,6 @@ legacy_file (const char *filename)
      const char **args = grub_malloc (sizeof (args[0]));
      if (!args)
 	{
-	  grub_file_close (file);
 	  grub_free (suffix);
 	  grub_free (entrysrc);
 	  return grub_errno;
@ -238,8 +256,8 @@ grub_cmd_legacy_source (struct grub_command *cmd,
 }

 static enum
-  { 
-    GUESS_IT, LINUX, MULTIBOOT, KFREEBSD, KNETBSD, KOPENBSD 
+  {
+    GUESS_IT, LINUX, MULTIBOOT, KFREEBSD, KNETBSD, KOPENBSD
  } kernel_type;

 static grub_err_t
@ -254,7 +272,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
  char **cutargs;
  int cutargc;
  grub_err_t err = GRUB_ERR_NONE;
-  
+
  for (i = 0; i < 2; i++)
    {
      /* FIXME: really support this.  */
@ -314,7 +332,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
  if (argc < 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

-  cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
+  cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
  if (!cutargs)
    return grub_errno;
  cutargc = argc - 1;
@ -391,7 +409,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
 	  if (dev)
 	    grub_device_close (dev);
 	}
-	
+
 	/* k*BSD didn't really work well with grub-legacy.  */
 	if (kernel_type == GUESS_IT || kernel_type == KFREEBSD)
 	  {
@ -436,7 +454,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
 	    {
 	      char rbuf[3] = "-r";
 	      bsdargc = cutargc + 2;
-	      bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
+	      bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
 	      if (!bsdargs)
 		{
 		  err = grub_errno;
@ -559,7 +577,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
 			   "module");

-      newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
+      newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
      if (!newargs)
 	return grub_errno;
      grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));
@ -613,7 +631,7 @@ check_password_md5_real (const char *entered,
  digest = GRUB_MD_MD5->read (ctx);
  GRUB_MD_MD5->final (ctx);
  grub_memcpy (alt_result, digest, MD5_HASHLEN);
-  
+
  GRUB_MD_MD5->init (ctx);
  GRUB_MD_MD5->write (ctx, entered, enteredlen);
  GRUB_MD_MD5->write (ctx, pw->salt, pw->saltlen); /* include the $1$ header */
@ -635,7 +653,7 @@ check_password_md5_real (const char *entered,
 	GRUB_MD_MD5->write (ctx, entered, enteredlen);
      else
 	GRUB_MD_MD5->write (ctx, alt_result, 16);
-      
+
      if (i % 3 != 0)
 	GRUB_MD_MD5->write (ctx, pw->salt + 3, pw->saltlen - 3);

--- a/grub-core/commands/loadenv.c
+++ b/grub-core/commands/loadenv.c
@ -352,16 +352,16 @@ struct grub_cmd_save_env_ctx
 };

 /* Store blocklists in a linked list.  */
-static void
+static grub_err_t
 save_env_read_hook (grub_disk_addr_t sector, unsigned offset, unsigned length,
-		    void *data)
+		    char *buf __attribute__ ((unused)), void *data)
 {
  struct grub_cmd_save_env_ctx *ctx = data;
  struct blocklist *block;

  block = grub_malloc (sizeof (*block));
  if (! block)
-    return;
+    return GRUB_ERR_NONE;

  block->sector = sector;
  block->offset = offset;
@ -374,6 +374,8 @@ save_env_read_hook (grub_disk_addr_t sector, unsigned offset, unsigned length,
  ctx->tail = block;
  if (! ctx->head)
    ctx->head = block;
+
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/ls.c
+++ b/grub-core/commands/ls.c
@ -70,7 +70,7 @@ grub_ls_list_devices (int longlist)
    FOR_NET_APP_LEVEL (proto)
    {
      if (first)
-	grub_puts_ (N_ ("Network protocols:"));
+	grub_puts_ (N_("Network protocols:"));
      first = 0;
      grub_printf ("%s ", proto->name);
    }
@ -87,37 +87,44 @@ grub_ls_list_devices (int longlist)
 struct grub_ls_list_files_ctx
 {
  char *dirname;
+  char *filename;
  int all;
  int human;
+  int longlist;
+  int print_dirhdr;
 };

 /* Helper for grub_ls_list_files.  */
 static int
-print_files (const char *filename, const struct grub_dirhook_info *info,
-	     void *data)
-{
-  struct grub_ls_list_files_ctx *ctx = data;
-
-  if (ctx->all || filename[0] != '.')
-    grub_printf ("%s%s ", filename, info->dir ? "/" : "");
-
-  return 0;
-}
-
-/* Helper for grub_ls_list_files.  */
-static int
-print_files_long (const char *filename, const struct grub_dirhook_info *info,
+print_file (const char *filename, const struct grub_dirhook_info *info,
 		  void *data)
 {
+  char *pathname = NULL;
  struct grub_ls_list_files_ctx *ctx = data;

  if ((! ctx->all) && (filename[0] == '.'))
    return 0;

+  if ((ctx->filename != NULL) && (grub_strcmp (filename, ctx->filename) != 0))
+    return 0;
+
+  if (ctx->print_dirhdr)
+    {
+      grub_printf ("%s:\n", ctx->dirname);
+      ctx->print_dirhdr = 0;
+    }
+
+  if (! ctx->longlist)
+    {
+      if (ctx->filename != NULL)
+	grub_xputs (ctx->dirname);
+      grub_printf ("%s%s ", filename, info->dir ? "/" : "");
+      return 0;
+    }
+
  if (! info->dir)
    {
      grub_file_t file;
-      char *pathname;

      if (ctx->dirname[grub_strlen (ctx->dirname) - 1] == '/')
 	pathname = grub_xasprintf ("%s%s", ctx->dirname, filename);
@ -131,20 +138,19 @@ print_files_long (const char *filename, const struct grub_dirhook_info *info,
 	 should be reported as directories.  */
      file = grub_file_open (pathname, GRUB_FILE_TYPE_GET_SIZE
 			     | GRUB_FILE_TYPE_NO_DECOMPRESS);
-      if (! file)
+      if (file)
 	{
-	  grub_errno = 0;
-	  grub_free (pathname);
-	  return 0;
-	}
-
-      if (! ctx->human)
-	grub_printf ("%-12llu", (unsigned long long) file->size);
-      else
-	grub_printf ("%-12s", grub_get_human_size (file->size,
+	  if (! ctx->human)
+	    grub_printf ("%-12llu", (unsigned long long) file->size);
+	  else
+	    grub_printf ("%-12s", grub_get_human_size (file->size,
 						   GRUB_HUMAN_SIZE_SHORT));
-      grub_file_close (file);
-      grub_free (pathname);
+	  grub_file_close (file);
+	}
+      else
+	grub_xputs ("????????????");
+
+      grub_errno = GRUB_ERR_NONE;
    }
  else
    grub_printf ("%-12s", _("DIR"));
@ -165,13 +171,22 @@ print_files_long (const char *filename, const struct grub_dirhook_info *info,
 		     datetime.day, datetime.hour,
 		     datetime.minute, datetime.second);
    }
-  grub_printf ("%s%s\n", filename, info->dir ? "/" : "");
+  /*
+   * Only print the full path when listing a file path given as an argument
+   * to ls, i.e. when ctx->filename != NULL. File listings that are printed
+   * due to showing the contents of a directory do not need a full path because
+   * the full path to the directory will have already been printed.
+   */
+  grub_printf ("%s%s\n", (ctx->filename != NULL) ? pathname : filename,
+			 info->dir ? "/" : "");
+
+  grub_free (pathname);

  return 0;
 }

 static grub_err_t
-grub_ls_list_files (char *dirname, int longlist, int all, int human)
+grub_ls_list_files (char *dirname, int longlist, int all, int human, int dirhdr)
 {
  char *device_name;
  grub_fs_t fs;
@ -196,7 +211,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
      goto fail;
    }

-  if (! *path)
+  if (! *path && device_name)
    {
      if (grub_errno == GRUB_ERR_UNKNOWN_FS)
 	grub_errno = GRUB_ERR_NONE;
@ -216,44 +231,38 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
    {
      struct grub_ls_list_files_ctx ctx = {
 	.dirname = dirname,
+	.filename = NULL,
 	.all = all,
-	.human = human
+	.human = human,
+	.longlist = longlist,
+	.print_dirhdr = dirhdr
      };

-      if (longlist)
-	(fs->fs_dir) (dev, path, print_files_long, &ctx);
-      else
-	(fs->fs_dir) (dev, path, print_files, &ctx);
+      (fs->fs_dir) (dev, path, print_file, &ctx);

      if (grub_errno == GRUB_ERR_BAD_FILE_TYPE
 	  && path[grub_strlen (path) - 1] != '/')
 	{
+	  /*
+	   * Reset errno as it is currently set, but will cause subsequent code
+	   * to think there is an error.
+	   */
+	  grub_errno = GRUB_ERR_NONE;
+
 	  /* PATH might be a regular file.  */
-	  char *p;
-	  grub_file_t file;
-	  struct grub_dirhook_info info;
-	  grub_errno = 0;
+	  ctx.print_dirhdr = 0;
+	  ctx.filename = grub_strrchr (dirname, '/');
+	  if (ctx.filename == NULL)
+	    goto fail;
+	  ++(ctx.filename);

-	  file = grub_file_open (dirname, GRUB_FILE_TYPE_GET_SIZE
-				 | GRUB_FILE_TYPE_NO_DECOMPRESS);
-	  if (! file)
+	  ctx.dirname = grub_strndup (dirname, ctx.filename - dirname);
+	  if (ctx.dirname == NULL)
 	    goto fail;

-	  grub_file_close (file);
+	  (fs->fs_dir) (dev, ctx.dirname + (path - dirname), print_file, &ctx);

-	  p = grub_strrchr (dirname, '/') + 1;
-	  dirname = grub_strndup (dirname, p - dirname);
-	  if (! dirname)
-	    goto fail;
-
-	  all = 1;
-	  grub_memset (&info, 0, sizeof (info));
-	  if (longlist)
-	    print_files_long (p, &info, &ctx);
-	  else
-	    print_files (p, &info, &ctx);
-
-	  grub_free (dirname);
+	  grub_free (ctx.dirname);
 	}

      if (grub_errno == GRUB_ERR_NONE)
@ -268,7 +277,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)

  grub_free (device_name);

-  return 0;
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
@ -281,10 +290,10 @@ grub_cmd_ls (grub_extcmd_context_t ctxt, int argc, char **args)
    grub_ls_list_devices (state[0].set);
  else
    for (i = 0; i < argc; i++)
-      grub_ls_list_files (args[i], state[0].set, state[2].set,
-			  state[1].set);
+      grub_ls_list_files (args[i], state[0].set, state[2].set, state[1].set,
+			  argc > 1);

-  return 0;
+  return GRUB_ERR_NONE;
 }

 static grub_extcmd_t cmd;
--- a/grub-core/commands/lsacpi.c
+++ b/grub-core/commands/lsacpi.c
@ -35,7 +35,7 @@ print_strn (grub_uint8_t *str, grub_size_t len)
  for (; *str && len; str++, len--)
    grub_printf ("%c", *str);
  for (len++; len; len--)
-    grub_printf (" ");  
+    grub_printf (" ");
 }

 #define print_field(x) print_strn(x, sizeof (x))
--- a/grub-core/commands/lspci.c
+++ b/grub-core/commands/lspci.c
@ -171,7 +171,7 @@ grub_lspci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,

 	  if (space == 0)
 	    continue;
-	 
+
 	  switch (space & GRUB_PCI_ADDR_SPACE_MASK)
 	    {
 	    case GRUB_PCI_ADDR_SPACE_IO:
@ -195,13 +195,13 @@ grub_lspci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 			       (space & GRUB_PCI_ADDR_MEM_MASK),
 			       space & GRUB_PCI_ADDR_MEM_PREFETCH
 			       ? "prefetchable" : "non-prefetchable");
-		 
+
 		}
 	      else
 		grub_printf ("\t32-bit memory space %d at 0x%016llx [%s]\n",
 			     (unsigned) ((reg - GRUB_PCI_REG_ADDRESSES)
 			      / sizeof (grub_uint32_t)) - 1,
-			     (unsigned long long) 
+			     (unsigned long long)
 			     (space & GRUB_PCI_ADDR_MEM_MASK),
 			     space & GRUB_PCI_ADDR_MEM_PREFETCH
 			     ? "prefetchable" : "non-prefetchable");
--- a/grub-core/commands/macbless.c
+++ b/grub-core/commands/macbless.c
@ -220,12 +220,10 @@ GRUB_MOD_INIT(macbless)
 {
  cmd = grub_register_command ("mactelbless", grub_cmd_macbless,
 			       N_("FILE"),
-			       N_
-			       ("Bless FILE of HFS or HFS+ partition for intel macs."));
+			       N_("Bless FILE of HFS or HFS+ partition for intel macs."));
  cmd_ppc =
    grub_register_command ("macppcbless", grub_cmd_macbless, N_("DIR"),
-			   N_
-			   ("Bless DIR of HFS or HFS+ partition for PPC macs."));
+			   N_("Bless DIR of HFS or HFS+ partition for PPC macs."));
 }

 GRUB_MOD_FINI(macbless)
--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@ -22,6 +22,7 @@
 #include <grub/extcmd.h>
 #include <grub/env.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -121,29 +122,32 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
 GRUB_MOD_INIT(memrw)
 {
  cmd_read_byte =
-    grub_register_extcmd ("read_byte", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
-			  options);
+    grub_register_extcmd_lockdown ("read_byte", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 8-bit value from ADDR."),
+                                   options);
  cmd_read_word =
-    grub_register_extcmd ("read_word", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 16-bit value from ADDR."),
-			  options);
+    grub_register_extcmd_lockdown ("read_word", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 16-bit value from ADDR."),
+                                   options);
  cmd_read_dword =
-    grub_register_extcmd ("read_dword", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 32-bit value from ADDR."),
-			  options);
+    grub_register_extcmd_lockdown ("read_dword", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 32-bit value from ADDR."),
+                                   options);
  cmd_write_byte =
-    grub_register_command ("write_byte", grub_cmd_write,
-			   N_("ADDR VALUE [MASK]"),
-			   N_("Write 8-bit VALUE to ADDR."));
+    grub_register_command_lockdown ("write_byte", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 8-bit VALUE to ADDR."));
  cmd_write_word =
-    grub_register_command ("write_word", grub_cmd_write,
-			   N_("ADDR VALUE [MASK]"),
-			   N_("Write 16-bit VALUE to ADDR."));
+    grub_register_command_lockdown ("write_word", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 16-bit VALUE to ADDR."));
  cmd_write_dword =
-    grub_register_command ("write_dword", grub_cmd_write,
-			   N_("ADDR VALUE [MASK]"),
-			   N_("Write 32-bit VALUE to ADDR."));
+    grub_register_command_lockdown ("write_dword", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 32-bit VALUE to ADDR."));
 }

 GRUB_MOD_FINI(memrw)
--- a/grub-core/commands/memtools.c
+++ b/grub-core/commands/memtools.c
@ -0,0 +1,152 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Free Software Foundation, Inc.
+ *  Copyright (C) 2022 IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/command.h>
+#include <grub/i18n.h>
+#include <grub/memory.h>
+#include <grub/mm.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static grub_err_t
+grub_cmd_lsmem (grub_command_t cmd __attribute__ ((unused)),
+		 int argc __attribute__ ((unused)),
+		 char **args __attribute__ ((unused)))
+
+{
+#ifndef GRUB_MACHINE_EMU
+  grub_mm_dump (0);
+#endif
+
+  return 0;
+}
+
+static grub_err_t
+grub_cmd_lsfreemem (grub_command_t cmd __attribute__ ((unused)),
+		    int argc __attribute__ ((unused)),
+		    char **args __attribute__ ((unused)))
+
+{
+#ifndef GRUB_MACHINE_EMU
+  grub_mm_dump_free ();
+#endif
+
+  return 0;
+}
+
+
+static grub_err_t
+grub_cmd_stress_big_allocs (grub_command_t cmd __attribute__ ((unused)),
+			    int argc __attribute__ ((unused)),
+			    char **args __attribute__ ((unused)))
+{
+  int i, max_mb, blocks_alloced;
+  void *mem;
+  void **blocklist;
+
+  grub_printf ("Test 1: increasingly sized allocs to 1GB block\n");
+  for (i = 1; i < 1024; i++)
+    {
+      grub_printf ("%4d MB . ", i);
+      mem = grub_malloc (i * 1024 * 1024);
+      if (mem == NULL)
+	{
+	  grub_printf ("failed\n");
+	  break;
+	}
+      else
+	grub_free (mem);
+
+      if (i % 7 == 0)
+	grub_printf ("\n");
+    }
+
+  max_mb = i - 1;
+  grub_printf ("\nMax sized allocation we did was %d MB\n", max_mb);
+
+  grub_printf ("\nTest 2: 1MB at a time, max 4GB\n");
+  blocklist = grub_calloc (4096, sizeof (void *));
+  for (i = 0; i < 4096; i++)
+    {
+      blocklist[i] = grub_malloc (1024 * 1024);
+      if (blocklist[i] == NULL)
+	{
+	  grub_printf ("Ran out of memory at iteration %d\n", i);
+	  break;
+	}
+    }
+  blocks_alloced = i;
+  for (i = 0; i < blocks_alloced; i++)
+    grub_free (blocklist[i]);
+
+  grub_printf ("\nTest 3: 1MB aligned 900kB + 100kB\n");
+  /* grub_mm_debug=1;*/
+  for (i = 0; i < 4096; i += 2)
+    {
+      blocklist[i] = grub_memalign (1024 * 1024, 900 * 1024);
+      if (blocklist[i] == NULL)
+	{
+	  grub_printf ("Failed big allocation, iteration %d\n", i);
+	  blocks_alloced = i;
+	  break;
+	}
+
+      blocklist[i + 1] = grub_malloc (100 * 1024);
+      if (blocklist[i + 1] == NULL)
+	{
+	  grub_printf ("Failed small allocation, iteration %d\n", i);
+	  blocks_alloced = i + 1;
+	  break;
+	}
+      grub_printf (".");
+    }
+  for (i = 0; i < blocks_alloced; i++)
+    grub_free (blocklist[i]);
+
+  grub_free (blocklist);
+
+#if defined(__powerpc__)
+  grub_printf ("\nA reboot may now be required.\n");
+#endif
+
+  grub_errno = GRUB_ERR_NONE;
+  return GRUB_ERR_NONE;
+}
+
+static grub_command_t cmd_lsmem, cmd_lsfreemem, cmd_sba;
+
+GRUB_MOD_INIT (memtools)
+{
+  cmd_lsmem = grub_register_command ("lsmem", grub_cmd_lsmem,
+				     0, N_("List free and allocated memory blocks."));
+  cmd_lsfreemem = grub_register_command ("lsfreemem", grub_cmd_lsfreemem,
+					 0, N_("List free memory blocks."));
+  cmd_sba = grub_register_command ("stress_big_allocs", grub_cmd_stress_big_allocs,
+				   0, N_("Stress test large allocations."));
+}
+
+GRUB_MOD_FINI (memtools)
+{
+  grub_unregister_command (cmd_lsmem);
+  grub_unregister_command (cmd_lsfreemem);
+  grub_unregister_command (cmd_sba);
+}
--- a/grub-core/commands/menuentry.c
+++ b/grub-core/commands/menuentry.c
@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
    goto fail;

  /* Save argc, args to pass as parameters to block arg later. */
-  menu_args = grub_malloc (sizeof (char*) * (argc + 1));
+  menu_args = grub_calloc (argc + 1, sizeof (char *));
  if (! menu_args)
    goto fail;

@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
      len += 3; /* 3 = 1 space + 2 quotes */
      p = args[i];
      while (*p)
-	len += (*p++ == '\'' ? 3 : 1);
+	len += (*p++ == '\'' ? 4 : 1);
    }

  result = grub_malloc (len + 2);
--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
@ -29,6 +29,10 @@
 #include <grub/command.h>
 #include <grub/i18n.h>

+#ifdef GRUB_MACHINE_EFI
+#include <grub/cryptodisk.h>
+#endif
+
 GRUB_MOD_LICENSE ("GPLv3+");

 /* cat FILE */
@ -140,8 +144,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
  if (grub_dl_is_persistent (mod))
    return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");

-  if (grub_dl_unref (mod) <= 0)
-    grub_dl_unload (mod);
+  if (grub_dl_ref_count (mod) > 1)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
+
+  grub_dl_unref (mod);
+  grub_dl_unload (mod);

  return 0;
 }
@ -164,7 +171,7 @@ grub_mini_cmd_lsmod (struct grub_command *cmd __attribute__ ((unused)),
  {
    grub_dl_dep_t dep;

-    grub_printf ("%s\t%d\t\t", mod->name, mod->ref_count);
+    grub_printf ("%s\t%" PRIuGRUB_UINT64_T "\t\t", mod->name, mod->ref_count);
    for (dep = mod->dep; dep; dep = dep->next)
      {
 	if (dep != mod->dep)
@ -184,6 +191,13 @@ grub_mini_cmd_exit (struct grub_command *cmd __attribute__ ((unused)),
 		    int argc __attribute__ ((unused)),
 		    char *argv[] __attribute__ ((unused)))
 {
+#ifdef GRUB_MACHINE_EFI
+  /*
+   * The "exit" command is often used to launch the next boot application.
+   * So, erase the secrets.
+   */
+  grub_cryptodisk_erasesecrets ();
+#endif
  grub_exit ();
  /* Not reached.  */
 }
@ -200,8 +214,8 @@ GRUB_MOD_INIT(minicmd)
    grub_register_command ("help", grub_mini_cmd_help,
 			   0, N_("Show this message."));
  cmd_dump =
-    grub_register_command ("dump", grub_mini_cmd_dump,
-			   N_("ADDR [SIZE]"), N_("Show memory contents."));
+    grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
+				    N_("ADDR [SIZE]"), N_("Show memory contents."));
  cmd_rmmod =
    grub_register_command ("rmmod", grub_mini_cmd_rmmod,
 			   N_("MODULE"), N_("Remove a module."));
--- a/grub-core/commands/mips/loongson/lsspd.c
+++ b/grub-core/commands/mips/loongson/lsspd.c
@ -44,7 +44,7 @@ grub_cmd_lsspd (grub_command_t cmd __attribute__ ((unused)),
    }
  grub_printf_ (N_("CS5536 at %d:%d.%d\n"), grub_pci_get_bus (dev),
 		grub_pci_get_device (dev), grub_pci_get_function (dev));
-  
+
  err = grub_cs5536_init_smbus (dev, 0x7fff, &smbbase);
  if (err)
    return err;
--- a/grub-core/commands/nativedisk.c
+++ b/grub-core/commands/nativedisk.c
@ -31,7 +31,7 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static const char *modnames_def[] = { 
+static const char *modnames_def[] = {
  /* FIXME: autogenerate this.  */
 #if defined (__i386__) || defined (__x86_64__) || defined (GRUB_MACHINE_MIPS_LOONGSON)
  "pata", "ahci", "usbms", "ohci", "uhci", "ehci"
@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
  else
    path_prefix = prefix;

-  mods = grub_malloc (argc * sizeof (mods[0]));
+  mods = grub_calloc (argc, sizeof (mods[0]));
  if (!mods)
    return grub_errno;

--- a/grub-core/commands/parttool.c
+++ b/grub-core/commands/parttool.c
@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
  for (nargs = 0; args[nargs].name != 0; nargs++);
  cur->nargs = nargs;
  cur->args = (struct grub_parttool_argdesc *)
-    grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
+    grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
+  if (!cur->args)
+    {
+      grub_free (cur);
+      curhandle--;
+      return -1;
+    }
  grub_memcpy (cur->args, args,
 	       (nargs + 1) * sizeof (struct grub_parttool_argdesc));

@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 	return err;
      }

-  parsed = (int *) grub_zalloc (argc * sizeof (int));
+  parsed = (int *) grub_calloc (argc, sizeof (int));

  for (i = 1; i < argc; i++)
    if (! parsed[i])
@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 	  }
 	ptool = cur;
 	pargs = (struct grub_parttool_args *)
-	  grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
+	  grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
 	for (j = i; j < argc; j++)
 	  if (! parsed[j])
 	    {
@ -309,7 +315,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 		    switch (curarg->type)
 		      {
 		      case GRUB_PARTTOOL_ARG_BOOL:
-			pargs[curarg - ptool->args].bool
+			pargs[curarg - ptool->args].b
 			  = (args[j][grub_strlen (curarg->name)] != '-');
 			break;

--- a/grub-core/commands/password_pbkdf2.c
+++ b/grub-core/commands/password_pbkdf2.c
@ -86,7 +86,7 @@ grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
 		   int argc, char **args)
 {
  grub_err_t err;
-  char *ptr, *ptr2;
+  const char *ptr, *ptr2;
  grub_uint8_t *ptro;
  struct pbkdf2_password *pass;

@ -162,7 +162,7 @@ grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
      return grub_errno;
    }
  ptr = ptr2 + 1;
-  ptr2 += grub_strlen (ptr2); 
+  ptr2 += grub_strlen (ptr2);
  while (ptr < ptr2)
    {
      int hex1, hex2;
--- a/grub-core/commands/pcidump.c
+++ b/grub-core/commands/pcidump.c
@ -95,7 +95,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
  if (ctxt->state[0].set)
    {
      ptr = ctxt->state[0].arg;
-      ctx.pciid_check_value |= (grub_strtoul (ptr, (char **) &ptr, 16) & 0xffff);
+      ctx.pciid_check_value |= (grub_strtoul (ptr, &ptr, 16) & 0xffff);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -108,8 +108,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
      if (*ptr != ':')
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("missing `%c' symbol"), ':');
      ptr++;
-      ctx.pciid_check_value |= (grub_strtoul (ptr, (char **) &ptr, 16) & 0xffff)
-	<< 16;
+      ctx.pciid_check_value |= (grub_strtoul (ptr, &ptr, 16) & 0xffff) << 16;
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	grub_errno = GRUB_ERR_NONE;
      else
@ -121,10 +120,10 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
  if (ctxt->state[1].set)
    {
      const char *optr;
-      
+
      ptr = ctxt->state[1].arg;
      optr = ptr;
-      ctx.bus = grub_strtoul (ptr, (char **) &ptr, 16);
+      ctx.bus = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -138,7 +137,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("missing `%c' symbol"), ':');
      ptr++;
      optr = ptr;
-      ctx.device = grub_strtoul (ptr, (char **) &ptr, 16);
+      ctx.device = grub_strtoul (ptr, &ptr, 16);
      if (grub_errno == GRUB_ERR_BAD_NUMBER)
 	{
 	  grub_errno = GRUB_ERR_NONE;
@ -149,7 +148,7 @@ grub_cmd_pcidump (grub_extcmd_context_t ctxt,
      if (*ptr == '.')
 	{
 	  ptr++;
-	  ctx.function = grub_strtoul (ptr, (char **) &ptr, 16);
+	  ctx.function = grub_strtoul (ptr, &ptr, 16);
 	  if (grub_errno)
 	    return grub_errno;
 	  ctx.check_function = 1;
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@ -74,7 +74,7 @@ read_packet_header (grub_file_t sig, grub_uint8_t *out_type, grub_size_t *len)
  if (type == 0)
    {
      *out_type = 0xfe;
-      return 0;      
+      return 0;
    }

  if (!(type & 0x80))
@ -166,7 +166,7 @@ struct
  int (*pad) (gcry_mpi_t *hmpi, grub_uint8_t *hval,
 	      const gcry_md_spec_t *hash, struct grub_public_subkey *sk);
  const char *module;
-} pkalgos[] = 
+} pkalgos[] =
  {
    [1] = { "rsa", 1, 2, &grub_crypto_pk_rsa, rsa_pad, "gcry_rsa" },
    [3] = { "rsa", 1, 2, &grub_crypto_pk_rsa, rsa_pad, "gcry_rsa" },
@ -320,7 +320,7 @@ grub_load_public_key (grub_file_t f)
 	      grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
 	      break;
 	    }
-	  
+
 	  lb = (grub_be_to_cpu16 (l) + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT;
 	  if (lb > READBUF_SIZE - sizeof (grub_uint16_t))
 	    {
@ -335,7 +335,7 @@ grub_load_public_key (grub_file_t f)
 	  grub_memcpy (buffer, &l, sizeof (l));

 	  GRUB_MD_SHA1->write (fingerprint_context, buffer, lb + sizeof (grub_uint16_t));
- 
+
 	  if (gcry_mpi_scan (&sk->mpis[i], GCRYMPI_FMT_PGP,
 			     buffer, lb + sizeof (grub_uint16_t), 0))
 	    {
@ -479,7 +479,7 @@ grub_verify_signature_init (struct grub_pubkey_context *ctxt, grub_file_t sig)
  h = ctxt->v4.hash;
  t = ctxt->v4.type;
  pk = ctxt->v4.pkeyalgo;
-  
+
  if (t != 0)
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));

@ -633,8 +633,8 @@ grub_verify_signature_real (struct grub_pubkey_context *ctxt,
  if (!sk)
    {
      /* TRANSLATORS: %08x is 32-bit key id.  */
-      grub_error (GRUB_ERR_BAD_SIGNATURE, N_("public key %08x not found"),
-		  keyid);
+      grub_error (GRUB_ERR_BAD_SIGNATURE,
+		  N_("public key %08" PRIxGRUB_UINT64_T " not found"), keyid);
      goto fail;
    }

@ -922,7 +922,7 @@ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
  return grub_strdup (sec ? "enforce" : "no");
 }

-static grub_ssize_t 
+static grub_ssize_t
 pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
 {
  grub_memcpy (buf, (grub_uint8_t *) file->data + file->offset, len);
@ -931,7 +931,7 @@ pseudo_read (struct grub_file *file, char *buf, grub_size_t len)


 /* Filesystem descriptor.  */
-struct grub_fs pseudo_fs = 
+struct grub_fs pseudo_fs =
  {
    .name = "pseudo",
    .fs_read = pseudo_read
@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)

 GRUB_MOD_FINI(pgp)
 {
+  grub_register_variable_hook ("check_signatures", NULL, NULL);
+  grub_env_unset ("check_signatures");
  grub_verifier_unregister (&grub_pubkey_verifier);
  grub_unregister_extcmd (cmd);
  grub_unregister_extcmd (cmd_trust);
--- a/grub-core/commands/probe.c
+++ b/grub-core/commands/probe.c
@ -24,6 +24,7 @@
 #include <grub/device.h>
 #include <grub/disk.h>
 #include <grub/partition.h>
+#include <grub/gpt_partition.h>
 #include <grub/net.h>
 #include <grub/fs.h>
 #include <grub/file.h>
@ -31,6 +32,7 @@
 #include <grub/env.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/i386/pc/boot.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -45,6 +47,7 @@ static const struct grub_arg_option options[] =
    {"fs",		'f', 0, N_("Determine filesystem type."), 0, 0},
    {"fs-uuid",		'u', 0, N_("Determine filesystem UUID."), 0, 0},
    {"label",		'l', 0, N_("Determine filesystem label."), 0, 0},
+    {"part-uuid",	0,   0, N_("Determine partition UUID."), 0, 0},
    {0, 0, 0, 0, 0, 0}
  };

@ -98,9 +101,66 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
      grub_device_close (dev);
      return GRUB_ERR_NONE;
    }
+  if (state[6].set)
+    {
+      /* AAAABBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF + null terminator */
+      char val[37] = "none";
+      if (dev->disk && dev->disk->partition)
+	{
+	  struct grub_partition *p = dev->disk->partition;
+	  grub_disk_t disk = grub_disk_open(dev->disk->name);
+
+	  if (!disk)
+	    {
+	      grub_device_close (dev);
+	      return grub_errno;
+	    }
+
+	  if (grub_strcmp(dev->disk->partition->partmap->name, "gpt") == 0)
+	    {
+	      struct grub_gpt_partentry entry;
+	      grub_guid_t *guid;
+
+	      if (grub_disk_read(disk, p->offset, p->index, sizeof(entry), &entry))
+		{
+		  grub_error_push ();
+		  grub_disk_close (disk);
+		  grub_device_close (dev);
+		  grub_error_pop ();
+		  return grub_errno;
+		}
+	      guid = &entry.guid;
+	      guid->data1 = grub_le_to_cpu32 (guid->data1);
+	      guid->data2 = grub_le_to_cpu16 (guid->data2);
+	      guid->data3 = grub_le_to_cpu16 (guid->data3);
+	      grub_snprintf (val, sizeof(val), "%pG", guid);
+	    }
+	  else if (grub_strcmp(dev->disk->partition->partmap->name, "msdos") == 0)
+	    {
+	      grub_uint32_t nt_disk_sig;
+
+	      if (grub_disk_read(disk, 0, GRUB_BOOT_MACHINE_WINDOWS_NT_MAGIC,
+				 sizeof(nt_disk_sig), &nt_disk_sig) == 0)
+		grub_snprintf (val, sizeof(val), "%08x-%02x",
+			       grub_le_to_cpu32(nt_disk_sig), 1 + p->number);
+	    }
+	  grub_disk_close(disk);
+	}
+      if (state[0].set)
+	grub_env_set (state[0].arg, val);
+      else
+	grub_printf ("%s", val);
+      grub_device_close (dev);
+      return GRUB_ERR_NONE;
+    }
  fs = grub_fs_probe (dev);
  if (! fs)
-    return grub_errno;
+    {
+      grub_error_push ();
+      grub_device_close (dev);
+      grub_error_pop ();
+      return grub_errno;
+    }
  if (state[3].set)
    {
      if (state[0].set)
@ -114,14 +174,23 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
    {
      char *uuid;
      if (! fs->fs_uuid)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("%s does not support UUIDs"), fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("%s does not support UUIDs"), fs->name);
+	}
      err = fs->fs_uuid (dev, &uuid);
      if (err)
-	return err;
+	{
+	  grub_device_close (dev);
+	  return err;
+	}
      if (! uuid)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("%s does not support UUIDs"), fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("%s does not support UUIDs"), fs->name);
+	}

      if (state[0].set)
 	grub_env_set (state[0].arg, uuid);
@ -135,16 +204,25 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
    {
      char *label;
      if (! fs->fs_label)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("filesystem `%s' does not support labels"),
-			   fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("filesystem `%s' does not support labels"),
+			     fs->name);
+	}
      err = fs->fs_label (dev, &label);
      if (err)
-	return err;
+	{
+	  grub_device_close (dev);
+	  return err;
+	}
      if (! label)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("filesystem `%s' does not support labels"),
-			   fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("filesystem `%s' does not support labels"),
+			     fs->name);
+	}

      if (state[0].set)
 	grub_env_set (state[0].arg, label);
--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
@ -23,21 +23,29 @@
 #include <grub/env.h>
 #include <grub/term.h>
 #include <grub/types.h>
-#include <grub/command.h>
+#include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

+static const struct grub_arg_option options[] =
+  {
+    {"silent", 's', 0, N_("Do not echo input"), 0, 0},
+    {0, 0, 0, 0, 0, 0}
+  };
+
 static char *
-grub_getline (void)
+grub_getline (int silent)
 {
-  int i;
+  grub_size_t i;
  char *line;
  char *tmp;
-  char c;
+  int c;
+  grub_size_t alloc_size;

  i = 0;
-  line = grub_malloc (1 + i + sizeof('\0'));
+  line = grub_malloc (1 + sizeof('\0'));
  if (! line)
    return NULL;

@ -47,11 +55,23 @@ grub_getline (void)
      if ((c == '\n') || (c == '\r'))
 	break;

-      line[i] = c;
-      if (grub_isprint (c))
+      if (!grub_isprint (c))
+	continue;
+
+      line[i] = (char) c;
+      if (!silent)
 	grub_printf ("%c", c);
-      i++;
-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+      if (grub_add (i, 1, &i))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      tmp = grub_realloc (line, alloc_size);
      if (! tmp)
 	{
 	  grub_free (line);
@ -65,9 +85,11 @@ grub_getline (void)
 }

 static grub_err_t
-grub_cmd_read (grub_command_t cmd __attribute__ ((unused)), int argc, char **args)
+grub_cmd_read (grub_extcmd_context_t ctxt, int argc, char **args)
 {
-  char *line = grub_getline ();
+  struct grub_arg_list *state = ctxt->state;
+  char *line = grub_getline (state[0].set);
+
  if (! line)
    return grub_errno;
  if (argc > 0)
@ -77,16 +99,16 @@ grub_cmd_read (grub_command_t cmd __attribute__ ((unused)), int argc, char **arg
  return 0;
 }

-static grub_command_t cmd;
+static grub_extcmd_t cmd;

 GRUB_MOD_INIT(read)
 {
-  cmd = grub_register_command ("read", grub_cmd_read,
-			       N_("[ENVVAR]"),
-			       N_("Set variable with user input."));
+  cmd = grub_register_extcmd ("read", grub_cmd_read, 0,
+			       N_("[-s] [ENVVAR]"),
+			       N_("Set variable with user input."), options);
 }

 GRUB_MOD_FINI(read)
 {
-  grub_unregister_command (cmd);
+  grub_unregister_extcmd (cmd);
 }
--- a/Show more
+++ b/Show more