cryptocheck: Add --quiet option

The option can be used to suppress output if we only want to test the return value of the command. Also, mention this option in the documentation. Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
disk/cryptodisk: Wipe the passphrase from memory
2025-07-06 00:47:45 +00:00 · 2025-05-06 17:14:04 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00 · 2025-05-06 17:14:03 +02:00
778 changed files with 47466 additions and 63417 deletions
--- a/.gitignore
+++ b/.gitignore
@ -16,6 +16,7 @@
 *.o
 *.pf2
 *.pp
+*.pyc
 *.trs
 *~
 .deps-core/
@ -103,6 +104,7 @@ widthspec.bin
 /docs/version-dev.texi
 /docs/version.texi
 /ehci_test
+/erofs_test
 /example_grub_script_test
 /example_scripted_test
 /example_unit_test
@ -139,10 +141,12 @@ widthspec.bin
 /grub-core/kernel.img.bin
 /grub-core/lib/gnulib
 /grub-core/lib/libgcrypt-grub
+/grub-core/lib/libtasn1-grub
 /grub-core/modinfo.sh
 /grub-core/rs_decoder.h
 /grub-core/symlist.c
 /grub-core/symlist.h
+/grub-core/tests/asn1/tests
 /grub-core/trigtables.c
 /grub-core/unidata.c
 /grub-editenv
@ -167,6 +171,8 @@ widthspec.bin
 /grub-ofpathname.exe
 /grub-probe
 /grub-probe.exe
+/grub-protect
+/grub-protect.exe
 /grub-reboot
 /grub-render-label
 /grub-render-label.exe
@ -230,6 +236,8 @@ widthspec.bin
 /lib/libgcrypt-grub
 /libgrub_a_init.c
 /lzocompress_test
+/luks1_test
+/luks2_test
 /m4/
 /minixfs_test
 /missing
--- a/55487
+++ b/55487
--- a/103
+++ b/103
@ -4,6 +4,10 @@ This is the GRUB.  Welcome.

 This file contains instructions for compiling and installing the GRUB.

+Where this document refers to packages names, they are named according to the
+Debian 11 package repositories. These packages can be found by searching
+https://packages.debian.org/.
+
 The Requirements
 ================

@ -12,14 +16,15 @@ you don't have any of them, please obtain and install them before
 configuring the GRUB.

 * GCC 5.1.0 or later
-  Experimental support for clang 3.8.0 or later (results in much bigger binaries)
+  Experimental support for clang 8.0.0 or later (results in much bigger binaries)
  for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
 * GNU Make
 * GNU Bison 2.3 or later
-* GNU gettext 0.17 or later
+* GNU gettext
 * GNU binutils 2.9.1.0.23 or later
 * Flex 2.5.35 or later
 * pkg-config
+* GNU patch
 * Other standard GNU/Unix tools
 * a libc with large file support (e.g. glibc 2.1 or later)

@ -31,24 +36,74 @@ For optional grub-emu features, you need:

 * SDL (recommended)
 * libpciaccess (optional)
-* libusb (optional)

 To build GRUB's graphical terminal (gfxterm), you need:

 * FreeType 2.1.5 or later
 * GNU Unifont

+To build grub-mkfont the unicode fonts are required (xfonts-unifont package
+on Debian).
+
 If you use a development snapshot or want to hack on GRUB you may
 need the following.

-* Python 2.6 or later
-* Autoconf 2.63 or later
-* Automake 1.11 or later
+* Python 3 (NOTE: python 2.6 should still work, but it's not tested)
+* Autoconf 2.64 or later
+* Automake 1.14 or later
+
+Your distro may package cross-compiling toolchains such as the following
+incomplete list on Debian: gcc-aarch64-linux-gnu, gcc-arm-linux-gnueabihf,
+gcc-mips-linux-gnu, gcc-mipsel-linux-gnu, gcc-powerpc64-linux-gnu,
+gcc-riscv64-linux-gnu, gcc-sparc64-linux-gnu, mingw-w64 and mingw-w64-tools.
+
+More cross compiling toolchains can be found at the following trusted sites:
+
+* https://mirrors.kernel.org/pub/tools/crosstool/
+* https://toolchains.bootlin.com/

 Prerequisites for make-check:

-* qemu, specifically the binary 'qemu-system-i386'
+* qemu, specifically the binary "qemu-system-ARCH" where ARCH is the
+  architecture GRUB has been built for; the "qemu-system" package on Debian
+  will install all needed qemu architectures
+* OVMF, for EFI platforms (packages ovmf, ovmf-ia32, qemu-efi-arm, and
+  qemu-efi-aarch64)
+* OpenBIOS, for ieee1275 platforms (packages openbios-ppc and openbios-sparc)
 * xorriso 1.2.9 or later, for grub-mkrescue and grub-shell
+* wamerican, for grub-fs-tester
+* mtools, FAT tools for EFI platforms
+* xfonts-unifont, for the functional tests
+* swtpm-tools and tpm2-tools, for TPM2 key protector tests
+
+* If running a Linux kernel the following modules must be loaded:
+  - fuse, loop
+  - btrfs, erofs, ext4, f2fs, fat, hfs, hfsplus, jfs, mac-roman, minix, nilfs2,
+    reiserfs, udf, xfs
+  - On newer kernels, the exfat kernel modules may be used instead of the
+    exfat FUSE filesystem
+* The following are Debian named packages required mostly for the full
+  suite of filesystem testing (but some are needed by other tests as well):
+  - btrfs-progs, dosfstools, e2fsprogs, erofs-utils, exfatprogs, exfat-fuse,
+    f2fs-tools, genromfs, hfsprogs, jfsutils, nilfs-tools, ntfs-3g,
+    reiserfsprogs, squashfs-tools, reiserfsprogs, udftools, xfsprogs, zfs-fuse
+  - exfat-fuse, if not using the exfat kernel module
+  - gzip, lzop, xz-utils
+  - attr, cpio, g++, gawk, parted, recode, tar, util-linux
+
+Note that `make check' will run and many tests may complete successfully
+with only a subset of these prerequisites. However, some tests may be
+skipped or fail due to missing prerequisites.
+
+To build the documentation you'll need:
+* texinfo, for the info and html documentation
+* texlive, for building the dvi and pdf documentation (optional)
+
+To use the gdb_grub GDB script you'll need:
+* readelf (binutils package)
+* objdump (binutils package)
+* GNU Debugger > 7, built with python support (gdb package)
+* Python >= 3.5 (python3 package)

 Configuring the GRUB
 ====================
@ -86,9 +141,8 @@ The simplest way to compile this package is:
  
  3. Type `./bootstrap'.

-     * autogen.sh (called by bootstrap) uses python. By default the
-       invocation is "python", but it can be overridden by setting the
-       variable $PYTHON.
+     The autogen.sh (called by bootstrap) uses python. By default autodetect
+     it, but it can be overridden by setting the PYTHON variable.

  4. Type `./configure' to configure the package for your system.
     If you're using `csh' on an old version of System V, you might
@ -101,12 +155,16 @@ The simplest way to compile this package is:
  6. Type `make' to compile the package.

  7. Optionally, type `make check' to run any self-tests that come with
-     the package.
+     the package. Note that many of the tests require root privileges in
+     order to run.

  8. Type `make install' to install the programs and any data files and
     documentation.

-  9. You can remove the program binaries and object files from the
+  9. Type `make html' or `make pdf' to generate the html or pdf
+     documentation.  Note, these are not built by default.
+
+ 10. You can remove the program binaries and object files from the
     source code directory by typing `make clean'.  To also remove the
     files that `configure' created (so you can compile the package for
     a different kind of computer), type `make distclean'.  There is
@ -142,8 +200,9 @@ For this example the configure line might look like (more details below)
 (some options are optional and included here for completeness but some rarely
 used options are omitted):

-  ./configure --host=x86_64-linux-gnu --target=arm-linux-gnueabihf \
-    --with-platform=efi BUILD_CC=gcc BUILD_PKG_CONFIG=pkg-config \
+  ./configure --build=sparc64-freebsd --host=x86_64-linux-gnu \
+    --target=arm-linux-gnueabihf --with-platform=efi \
+    BUILD_CC=gcc BUILD_PKG_CONFIG=pkg-config \
    HOST_CC=x86_64-linux-gnu-gcc HOST_CFLAGS='-g -O2' \
    PKG_CONFIG=x86_64-linux-gnu-pkg-config TARGET_CC=arm-linux-gnueabihf-gcc \
    TARGET_CFLAGS='-Os -march=armv8.3-a' TARGET_CCASFLAGS='-march=armv8.3-a' \
@ -151,6 +210,10 @@ used options are omitted):
    TARGET_STRIP=arm-linux-gnueabihf-strip TARGET_NM=arm-linux-gnueabihf-nm \
    TARGET_RANLIB=arm-linux-gnueabihf-ranlib LEX=flex

+Note, that the autoconf 2.65 manual states that when using the --host argument
+to configure, the --build argument should be specified as well. Not sending
+--build, enters a compatibility mode that will be removed in the future.
+
 Normally, for building a GRUB on amd64 with tools to run on amd64 to
 generate images to run on ARM, using your Linux distribution's
 packaged cross compiler, the following would suffice:
@ -162,13 +225,14 @@ version look at prerequisites. All tools not mentioned in this section under
 corresponding platform are not needed for the platform in question.

  - For build
-    1. BUILD_CC= to gcc able to compile for build. This is used, for
+    1. --build= to autoconf name of build.
+    2. BUILD_CC= to gcc able to compile for build. This is used, for
       example, to compile build-gentrigtables which is then run to
       generate sin and cos tables.
-    2. BUILD_CFLAGS= for C options for build.
-    3. BUILD_CPPFLAGS= for C preprocessor options for build.
-    4. BUILD_LDFLAGS= for linker options for build.
-    5. BUILD_PKG_CONFIG= for pkg-config for build (optional).
+    3. BUILD_CFLAGS= for C options for build.
+    4. BUILD_CPPFLAGS= for C preprocessor options for build.
+    5. BUILD_LDFLAGS= for linker options for build.
+    6. BUILD_PKG_CONFIG= for pkg-config for build (optional).

  - For host
    1. --host= to autoconf name of host.
@ -205,7 +269,6 @@ corresponding platform are not needed for the platform in question.
  - Additionally for emu, for host and target.
    1. SDL is looked for in standard linker directories (-lSDL) (optional)
    2. libpciaccess is looked for in standard linker directories (-lpciaccess) (optional)
-    3. libusb is looked for in standard linker directories (-lusb) (optional)

  - Platform-agnostic tools and data.
    1. make is the tool you execute after ./configure.
--- a/Makefile.am
+++ b/Makefile.am
@ -24,6 +24,15 @@ CCASFLAGS_PROGRAM += $(CCASFLAGS_GNULIB)

 include $(srcdir)/Makefile.util.am

+check_SCRIPTS = $(check_SCRIPTS_native) $(check_SCRIPTS_nonnative)
+check_PROGRAMS = $(check_PROGRAMS_native) $(check_PROGRAMS_nonnative)
+TESTS = $(check_SCRIPTS) $(check_PROGRAMS)
+
+check-native:
+	$(MAKE) TESTS="$(check_PROGRAMS_native) $(check_SCRIPTS_native)" check
+check-nonnative:
+	$(MAKE) TESTS="$(check_PROGRAMS_nonnative) $(check_SCRIPTS_nonnative)" check
+
 # XXX Use Automake's LEX & YACC support
 grub_script.tab.h: $(top_srcdir)/grub-core/script/parser.y
 	$(YACC) -d -p grub_script_yy -b grub_script $(top_srcdir)/grub-core/script/parser.y
@ -43,7 +52,7 @@ libgrub.pp: config-util.h grub_script.tab.h grub_script.yy.h $(libgrubmods_a_SOU
 CLEANFILES += libgrub.pp

 libgrub_a_init.lst: libgrub.pp
-	cat $< | grep '@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
+	cat $< | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
 CLEANFILES += libgrub_a_init.lst

 libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
@ -51,13 +60,13 @@ libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
 CLEANFILES += libgrub_a_init.c

 # For grub-fstest
-grub_fstest.pp: $(grub_fstest_SOURCES)
+grub_fstest.pp: config-util.h $(grub_fstest_SOURCES)
 	$(CPP) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(grub_fstest_CPPFLAGS) $(CPPFLAGS) \
 	  -D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
 CLEANFILES += grub_fstest.pp

 grub_fstest_init.lst: libgrub.pp grub_fstest.pp
-	cat $^ | grep '@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
+	cat $^ | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
 CLEANFILES += grub_fstest_init.lst

 grub_fstest_init.c: grub_fstest_init.lst $(top_srcdir)/geninit.sh
@ -473,8 +482,6 @@ ChangeLog: FORCE
 		touch $@; \
 	fi

-EXTRA_DIST += ChangeLog ChangeLog-2015
-
 syslinux_test: $(top_builddir)/config.status tests/syslinux/ubuntu10.04_grub.cfg

 # Mimic simplify_filename from grub-core/lib/syslinux_parse.c, so that we
--- a/Makefile.util.def
+++ b/Makefile.util.def
@ -40,6 +40,7 @@ library = {
  common = grub-core/disk/luks.c;
  common = grub-core/disk/luks2.c;
  common = grub-core/disk/geli.c;
+  common = grub-core/disk/key_protector.c;
  common = grub-core/disk/cryptodisk.c;
  common = grub-core/disk/AFSplitter.c;
  common = grub-core/lib/pbkdf2.c;
@ -55,7 +56,7 @@ library = {

 library = {
  name = libgrubmods.a;
-  cflags = '-fno-builtin -Wno-undef';
+  cflags = '-fno-builtin -Wno-undef -Wno-unused-but-set-variable';
  cppflags = '-I$(srcdir)/grub-core/lib/minilzo -I$(srcdir)/grub-core/lib/xzembed -I$(srcdir)/grub-core/lib/zstd -DMINILZO_HAVE_CONFIG_H';

  common_nodist = grub_script.tab.c;
@ -98,6 +99,7 @@ library = {
  common = grub-core/fs/cpio_be.c;
  common = grub-core/fs/odc.c;
  common = grub-core/fs/newc.c;
+  common = grub-core/fs/erofs.c;
  common = grub-core/fs/ext2.c;
  common = grub-core/fs/fat.c;
  common = grub-core/fs/exfat.c;
@ -163,6 +165,7 @@ library = {
  common = grub-core/kern/ia64/dl_helper.c;
  common = grub-core/kern/arm/dl_helper.c;
  common = grub-core/kern/arm64/dl_helper.c;
+  common = grub-core/kern/loongarch64/dl_helper.c;
  common = grub-core/lib/minilzo/minilzo.c;
  common = grub-core/lib/xzembed/xz_dec_bcj.c;
  common = grub-core/lib/xzembed/xz_dec_lzma2.c;
@ -205,6 +208,32 @@ program = {
  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };

+program = {
+  name = grub-protect;
+  mansection = 1;
+
+  common = grub-core/kern/emu/argp_common.c;
+  common = grub-core/osdep/init.c;
+  common = grub-core/lib/tss2/buffer.c;
+  common = grub-core/lib/tss2/tss2_mu.c;
+  common = grub-core/lib/tss2/tpm2_cmd.c;
+  common = grub-core/commands/tpm2_key_protector/args.c;
+  common = grub-core/commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+  common = util/grub-protect.c;
+  common = util/probe.c;
+
+  cflags = '-I$(srcdir)/grub-core/lib/tss2 -I$(srcdir)/grub-core/commands/tpm2_key_protector';
+
+  ldadd = libgrubmods.a;
+  ldadd = libgrubgcry.a;
+  ldadd = libgrubkern.a;
+  ldadd = grub-core/lib/gnulib/libgnu.a;
+  ldadd = '$(LIBTASN1)';
+  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+
+  condition = COND_GRUB_PROTECT;
+};
+
 program = {
  name = grub-mkrelpath;
  mansection = 1;
@ -309,11 +338,13 @@ program = {
  common = grub-core/disk/host.c;
  common = grub-core/osdep/init.c;

+  cflags = '$(FUSE_CFLAGS)';
+
  ldadd = libgrubmods.a;
  ldadd = libgrubgcry.a;
  ldadd = libgrubkern.a;
  ldadd = grub-core/lib/gnulib/libgnu.a;
-  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) -lfuse';
+  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM) $(FUSE_LIBS)';
  condition = COND_GRUB_MOUNT;
 };

@ -508,6 +539,12 @@ script = {
  condition = COND_HOST_LINUX;
 };

+script = {
+  name = '25_bli';
+  common = util/grub.d/25_bli.in;
+  installdir = grubconf;
+};
+
 script = {
  name = '30_os-prober';
  common = util/grub.d/30_os-prober.in;
@ -741,6 +778,12 @@ script = {
  installdir = noinst;
 };

+script = {
+  name = grub-shell-luks-tester;
+  common = tests/util/grub-shell-luks-tester.in;
+  installdir = noinst;
+};
+
 script = {
  name = grub-fs-tester;
  common = tests/util/grub-fs-tester.in;
@ -749,470 +792,512 @@ script = {
 };

 script = {
-  testcase;
+  testcase = native;
+  name = erofs_test;
+  common = tests/erofs_test.in;
+};
+
+script = {
+  testcase = native;
  name = ext234_test;
  common = tests/ext234_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = squashfs_test;
  common = tests/squashfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = iso9660_test;
  common = tests/iso9660_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = hfsplus_test;
  common = tests/hfsplus_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = ntfs_test;
  common = tests/ntfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = reiserfs_test;
  common = tests/reiserfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = fat_test;
  common = tests/fat_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = minixfs_test;
  common = tests/minixfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = xfs_test;
  common = tests/xfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = f2fs_test;
  common = tests/f2fs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = nilfs2_test;
  common = tests/nilfs2_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = romfs_test;
  common = tests/romfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = exfat_test;
  common = tests/exfat_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = tar_test;
  common = tests/tar_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = udf_test;
  common = tests/udf_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = hfs_test;
  common = tests/hfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = jfs_test;
  common = tests/jfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = btrfs_test;
  common = tests/btrfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = zfs_test;
  common = tests/zfs_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = cpio_test;
  common = tests/cpio_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = example_scripted_test;
  common = tests/example_scripted_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = gettext_strings_test;
  common = tests/gettext_strings_test.in;
  extra_dist = po/exclude.pot;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = pata_test;
  common = tests/pata_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ahci_test;
  common = tests/ahci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = uhci_test;
  common = tests/uhci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ohci_test;
  common = tests/ohci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = ehci_test;
  common = tests/ehci_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = example_grub_script_test;
  common = tests/example_grub_script_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_eval;
  common = tests/grub_script_eval.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_test;
  common = tests/grub_script_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_echo1;
  common = tests/grub_script_echo1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_leading_whitespace;
  common = tests/grub_script_leading_whitespace.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_echo_keywords;
  common = tests/grub_script_echo_keywords.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_vars1;
  common = tests/grub_script_vars1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_for1;
  common = tests/grub_script_for1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_while1;
  common = tests/grub_script_while1.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_if;
  common = tests/grub_script_if.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_blanklines;
  common = tests/grub_script_blanklines.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_final_semicolon;
  common = tests/grub_script_final_semicolon.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_dollar;
  common = tests/grub_script_dollar.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_comments;
  common = tests/grub_script_comments.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_functions;
  common = tests/grub_script_functions.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_break;
  common = tests/grub_script_break.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_continue;
  common = tests/grub_script_continue.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_shift;
  common = tests/grub_script_shift.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_blockarg;
  common = tests/grub_script_blockarg.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_setparams;
  common = tests/grub_script_setparams.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_return;
  common = tests/grub_script_return.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
+  name = grub_cmd_cryptomount;
+  common = tests/grub_cmd_cryptomount.in;
+};
+
+script = {
+  testcase = nonnative;
  name = grub_cmd_regexp;
  common = tests/grub_cmd_regexp.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_date;
  common = tests/grub_cmd_date.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_set_date;
  common = tests/grub_cmd_set_date.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_sleep;
  common = tests/grub_cmd_sleep.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_expansion;
  common = tests/grub_script_expansion.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_not;
  common = tests/grub_script_not.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = grub_script_no_commands;
  common = tests/grub_script_no_commands.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = partmap_test;
  common = tests/partmap_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = hddboot_test;
  common = tests/hddboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = fddboot_test;
  common = tests/fddboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = cdboot_test;
  common = tests/cdboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = netboot_test;
  common = tests/netboot_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
+  name = serial_test;
+  common = tests/serial_test.in;
+};
+
+script = {
+  testcase = nonnative;
  name = pseries_test;
  common = tests/pseries_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = core_compress_test;
  common = tests/core_compress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = xzcompress_test;
  common = tests/xzcompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = gzcompress_test;
  common = tests/gzcompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = lzocompress_test;
  common = tests/lzocompress_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_echo;
  common = tests/grub_cmd_echo.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = help_test;
  common = tests/help_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_gettext;
  common = tests/grub_script_gettext.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_escape_comma;
  common = tests/grub_script_escape_comma.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_script_strcmp;
  common = tests/grub_script_strcmp.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = test_sha512sum;
  common = tests/test_sha512sum.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = test_unset;
  common = tests/test_unset.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_func_test;
  common = tests/grub_func_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_tr;
  common = tests/grub_cmd_tr.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = file_filter_test;
  common = tests/file_filter_test.in;
 };

 script = {
-  testcase;
+  testcase = nonnative;
  name = grub_cmd_test;
  common = tests/grub_cmd_test.in;
 };

 script = {
-  testcase;
+  testcase = native;
  name = syslinux_test;
  common = tests/syslinux_test.in;
 };

+script = {
+  testcase = native;
+  name = luks1_test;
+  common = tests/luks1_test.in;
+};
+
+script = {
+  testcase = native;
+  name = luks2_test;
+  common = tests/luks2_test.in;
+};
+
+script = {
+  testcase = native;
+  name = asn1_test;
+  common = tests/asn1_test.in;
+};
+
+script = {
+  testcase = native;
+  name = tpm2_key_protector_test;
+  common = tests/tpm2_key_protector_test.in;
+};
+
 program = {
-  testcase;
+  testcase = native;
  name = example_unit_test;
  common = tests/example_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1227,7 +1312,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = printf_test;
  common = tests/printf_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1242,7 +1327,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = date_test;
  common = tests/date_unit_test.c;
  common = tests/lib/unit_test.c;
@ -1257,7 +1342,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = priority_queue_unit_test;
  common = tests/priority_queue_unit_test.cc;
  common = tests/lib/unit_test.c;
@ -1274,7 +1359,7 @@ program = {
 };

 program = {
-  testcase;
+  testcase = native;
  name = cmp_test;
  common = tests/cmp_unit_test.c;
  common = tests/lib/unit_test.c;
--- a/20
+++ b/20
@ -1,3 +1,23 @@
+New in 2.12:
+
+* GCC 13 support.
+* clang 14 support.
+* binutils 2.38 support.
+* Unification of EFI Linux kernel loader across architectures.
+* Transition to EFI Linux kernel stub loader for x86 architecture.
+* Initial support for Boot Loader Interface.
+* Support for dynamic GRUB runtime memory addition using firmware calls.
+* PCI and MMIO UARTs support.
+* SDL2 support.
+* LoongArch support.
+* TPM driver fixes.
+* Many filesystems fixes.
+* Many CVE and Coverity fixes.
+* Debugging support improvements.
+* Tests improvements.
+* Documentation improvements.
+* ...and tons of other fixes and cleanups...
+
 New in 2.06:

 * GCC 10 support.
--- a/acinclude.m4
+++ b/acinclude.m4
@ -430,7 +430,7 @@ link_nopie_needed=no]
 AC_MSG_CHECKING([whether linker needs disabling of PIE to work])
 AC_LANG_CONFTEST([AC_LANG_SOURCE([[]])])

-[if eval "$ac_compile -Wl,-r,-d -nostdlib -Werror -o conftest.o" 2> /dev/null; then]
+[if eval "$ac_compile -Wl,-r -nostdlib -Werror -o conftest.o" 2> /dev/null; then]
  AC_MSG_RESULT([no])
  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
  rm -f conftest.o
--- a/autogen.sh
+++ b/autogen.sh
@ -7,8 +7,21 @@ if [ ! -e grub-core/lib/gnulib/stdlib.in.h ]; then
  exit 1
 fi

-# Set ${PYTHON} to plain 'python' if not set already
-: ${PYTHON:=python}
+# Detect python
+if [ -z "$PYTHON" ]; then
+  for i in python3 python3.10 python; do
+    if command -v "$i" > /dev/null 2>&1; then
+      PYTHON="$i"
+      echo "Using $PYTHON..."
+      break
+    fi
+  done
+
+  if [ -z "$PYTHON" ]; then
+    echo "python not found." >&2
+    exit 1
+  fi
+fi

 export LC_COLLATE=C
 unset LC_ALL
@ -38,6 +51,39 @@ for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c mpih-mul1.c mpih-mul2.c mpih-mul
    cp grub-core/lib/libgcrypt-grub/mpi/generic/"$x" grub-core/lib/libgcrypt-grub/mpi/"$x"
 done

+echo "Importing libtasn1..."
+if [ -d grub-core/lib/libtasn1-grub ]; then
+  rm -rf grub-core/lib/libtasn1-grub
+fi
+
+mkdir -p grub-core/lib/libtasn1-grub/lib
+cp grub-core/lib/libtasn1/lib/*.[ch] grub-core/lib/libtasn1-grub/lib
+cp grub-core/lib/libtasn1/libtasn1.h grub-core/lib/libtasn1-grub/
+
+if [ -d grub-core/tests/asn1/tests ]; then
+  rm -rf grub-core/tests/asn1/tests
+fi
+
+mkdir grub-core/tests/asn1/tests
+cp grub-core/lib/libtasn1/tests/*.[ch] grub-core/tests/asn1/tests
+
+for patch in \
+	0001-libtasn1-disable-code-not-needed-in-grub.patch \
+	0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch \
+	0003-libtasn1-replace-strcat-with-_asn1_str_cat.patch \
+	0004-libtasn1-adjust-the-header-paths-in-libtasn1.h.patch \
+	0005-libtasn1-Use-grub_divmod64-for-division.patch \
+	0006-libtasn1-fix-the-potential-buffer-overrun.patch \
+	0007-asn1_test-include-asn1_test.h-only.patch \
+	0008-asn1_test-rename-the-main-functions-to-the-test-name.patch \
+	0009-asn1_test-return-either-0-or-1-to-reflect-the-result.patch \
+	0010-asn1_test-remove-verbose-and-the-unnecessary-printf.patch \
+	0011-asn1_test-print-the-error-messages-with-grub_printf.patch \
+	0012-asn1_test-use-the-grub-specific-functions-and-types.patch \
+	0013-asn1_test-enable-the-testcase-only-when-GRUB_LONG_MA.patch ; do
+  patch -p1 -i grub-core/lib/libtasn1-patches/$patch
+done
+
 echo "Generating Automake input..."

 # Automake doesn't like including files from a path outside the project.
--- a/319
+++ b/319
@ -1,10 +1,10 @@
 #! /bin/sh
 # Print a version string.
-scriptversion=2019-01-04.17; # UTC
+scriptversion=2022-01-26.05; # UTC

 # Bootstrap this package from checked-out sources.

-# Copyright (C) 2003-2019 Free Software Foundation, Inc.
+# Copyright (C) 2003-2022 Free Software Foundation, Inc.

 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -47,7 +47,7 @@ PERL="${PERL-perl}"

 me=$0

-default_gnulib_url=git://git.sv.gnu.org/gnulib
+default_gnulib_url=https://git.savannah.gnu.org/git/gnulib.git

 usage() {
  cat <<EOF
@ -71,7 +71,9 @@ Options:
 --no-git                 do not use git to update gnulib.  Requires that
                          --gnulib-srcdir point to a correct gnulib snapshot
 --skip-po                do not download po files
-
+EOF
+  bootstrap_print_option_usage_hook
+  cat <<EOF
 If the file $me.conf exists in the same directory as this script, its
 contents are read as shell variables to configure the bootstrap.

@ -113,6 +115,12 @@ Running without arguments will suffice in most cases.
 EOF
 }

+copyright_year=`echo "$scriptversion" | sed -e 's/[^0-9].*//'`
+copyright="Copyright (C) ${copyright_year} Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law."
+
 # warnf_ FORMAT-STRING ARG1...
 warnf_ ()
 {
@ -154,6 +162,18 @@ gnulib_files=
 : ${AUTOPOINT=autopoint}
 : ${AUTORECONF=autoreconf}

+# A function to be called for each unrecognized option.  Returns 0 if
+# the option in $1 has been processed by the function.  Returns 1 if
+# the option has not been processed by the function.  Override it via
+# your own definition in bootstrap.conf
+
+bootstrap_option_hook() { return 1; }
+
+# A function to be called in order to print the --help information
+# corresponding to user-defined command-line options.
+
+bootstrap_print_option_usage_hook() { :; }
+
 # A function to be called right after gnulib-tool is run.
 # Override it via your own definition in bootstrap.conf.
 bootstrap_post_import_hook() { :; }
@ -166,11 +186,11 @@ bootstrap_epilogue() { :; }
 # specified directory.  Fill in the first %s with the destination
 # directory and the second with the domain name.
 po_download_command_format=\
-"wget --mirror --level=1 -nd -q -A.po -P '%s' \
+"wget --mirror --level=1 -nd -nv -A.po -P '%s' \
 https://translationproject.org/latest/%s/"

 # Prefer a non-empty tarname (4th argument of AC_INIT if given), else
-# fall back to the package name (1st argument with munging)
+# fall back to the package name (1st argument with munging).
 extract_package_name='
  /^AC_INIT(\[*/{
     s///
@ -187,8 +207,11 @@ extract_package_name='
     p
  }
 '
-package=$(sed -n "$extract_package_name" configure.ac) \
-  || die 'cannot find package name in configure.ac'
+package=$(${AUTOCONF:-autoconf} --trace AC_INIT:\$4 configure.ac 2>/dev/null)
+if test -z "$package"; then
+  package=$(sed -n "$extract_package_name" configure.ac) \
+      || die 'cannot find package name in configure.ac'
+fi
 gnulib_name=lib$package

 build_aux=build-aux
@ -290,62 +313,6 @@ find_tool ()
  eval "export $find_tool_envvar"
 }

-# Override the default configuration, if necessary.
-# Make sure that bootstrap.conf is sourced from the current directory
-# if we were invoked as "sh bootstrap".
-case "$0" in
-  */*) test -r "$0.conf" && . "$0.conf" ;;
-  *) test -r "$0.conf" && . ./"$0.conf" ;;
-esac
-
-if test "$vc_ignore" = auto; then
-  vc_ignore=
-  test -d .git && vc_ignore=.gitignore
-  test -d CVS && vc_ignore="$vc_ignore .cvsignore"
-fi
-
-if test x"$gnulib_modules$gnulib_files$gnulib_extra_files" = x; then
-  use_gnulib=false
-else
-  use_gnulib=true
-fi
-
-# Translate configuration into internal form.
-
-# Parse options.
-
-for option
-do
-  case $option in
-  --help)
-    usage
-    exit;;
-  --gnulib-srcdir=*)
-    GNULIB_SRCDIR=${option#--gnulib-srcdir=};;
-  --skip-po)
-    SKIP_PO=t;;
-  --force)
-    checkout_only_file=;;
-  --copy)
-    copy=true;;
-  --bootstrap-sync)
-    bootstrap_sync=true;;
-  --no-bootstrap-sync)
-    bootstrap_sync=false;;
-  --no-git)
-    use_git=false;;
-  *)
-    die "$option: unknown option";;
-  esac
-done
-
-$use_git || test -d "$GNULIB_SRCDIR" \
-  || die "Error: --no-git requires --gnulib-srcdir"
-
-if test -n "$checkout_only_file" && test ! -r "$checkout_only_file"; then
-  die "Bootstrapping from a non-checked-out distribution is risky."
-fi
-
 # Strip blank and comment lines to leave significant entries.
 gitignore_entries() {
  sed '/^#/d; /^$/d' "$@"
@ -387,6 +354,137 @@ insert_vc_ignore() {
  insert_if_absent "$vc_ignore_file" "$pattern"
 }

+symlink_to_dir()
+{
+  src=$1/$2
+  dst=${3-$2}
+
+  test -f "$src" && {
+
+    # If the destination directory doesn't exist, create it.
+    # This is required at least for "lib/uniwidth/cjk.h".
+    dst_dir=$(dirname "$dst")
+    if ! test -d "$dst_dir"; then
+      mkdir -p "$dst_dir"
+
+      # If we've just created a directory like lib/uniwidth,
+      # tell version control system(s) it's ignorable.
+      # FIXME: for now, this does only one level
+      parent=$(dirname "$dst_dir")
+      for dot_ig in x $vc_ignore; do
+        test $dot_ig = x && continue
+        ig=$parent/$dot_ig
+        insert_vc_ignore $ig "${dst_dir##*/}"
+      done
+    fi
+
+    if $copy; then
+      {
+        test ! -h "$dst" || {
+          echo "$me: rm -f $dst" &&
+          rm -f "$dst"
+        }
+      } &&
+      test -f "$dst" &&
+      cmp -s "$src" "$dst" || {
+        echo "$me: cp -fp $src $dst" &&
+        cp -fp "$src" "$dst"
+      }
+    else
+      # Leave any existing symlink alone, if it already points to the source,
+      # so that broken build tools that care about symlink times
+      # aren't confused into doing unnecessary builds.  Conversely, if the
+      # existing symlink's timestamp is older than the source, make it afresh,
+      # so that broken tools aren't confused into skipping needed builds.  See
+      # <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00326.html>.
+      test -h "$dst" &&
+      src_ls=$(ls -diL "$src" 2>/dev/null) && set $src_ls && src_i=$1 &&
+      dst_ls=$(ls -diL "$dst" 2>/dev/null) && set $dst_ls && dst_i=$1 &&
+      test "$src_i" = "$dst_i" &&
+      both_ls=$(ls -dt "$src" "$dst") &&
+      test "X$both_ls" = "X$dst$nl$src" || {
+        dot_dots=
+        case $src in
+        /*) ;;
+        *)
+          case /$dst/ in
+          *//* | */../* | */./* | /*/*/*/*/*/)
+             die "invalid symlink calculation: $src -> $dst";;
+          /*/*/*/*/)    dot_dots=../../../;;
+          /*/*/*/)      dot_dots=../../;;
+          /*/*/)        dot_dots=../;;
+          esac;;
+        esac
+
+        echo "$me: ln -fs $dot_dots$src $dst" &&
+        ln -fs "$dot_dots$src" "$dst"
+      }
+    fi
+  }
+}
+
+# Override the default configuration, if necessary.
+# Make sure that bootstrap.conf is sourced from the current directory
+# if we were invoked as "sh bootstrap".
+case "$0" in
+  */*) test -r "$0.conf" && . "$0.conf" ;;
+  *) test -r "$0.conf" && . ./"$0.conf" ;;
+esac
+
+if test "$vc_ignore" = auto; then
+  vc_ignore=
+  test -d .git && vc_ignore=.gitignore
+  test -d CVS && vc_ignore="$vc_ignore .cvsignore"
+fi
+
+if test x"$gnulib_modules$gnulib_files$gnulib_extra_files" = x; then
+  use_gnulib=false
+else
+  use_gnulib=true
+fi
+
+# Translate configuration into internal form.
+
+# Parse options.
+
+for option
+do
+  case $option in
+  --help)
+    usage
+    exit;;
+  --version)
+    set -e
+    echo "bootstrap $scriptversion"
+    echo "$copyright"
+    exit 0
+    ;;
+  --gnulib-srcdir=*)
+    GNULIB_SRCDIR=${option#--gnulib-srcdir=};;
+  --skip-po)
+    SKIP_PO=t;;
+  --force)
+    checkout_only_file=;;
+  --copy)
+    copy=true;;
+  --bootstrap-sync)
+    bootstrap_sync=true;;
+  --no-bootstrap-sync)
+    bootstrap_sync=false;;
+  --no-git)
+    use_git=false;;
+  *)
+    bootstrap_option_hook $option || die "$option: unknown option";;
+  esac
+done
+
+$use_git || test -d "$GNULIB_SRCDIR" \
+  || die "Error: --no-git requires --gnulib-srcdir"
+
+if test -n "$checkout_only_file" && test ! -r "$checkout_only_file"; then
+  die "Bootstrapping from a non-checked-out distribution is risky."
+fi
+
 # Die if there is no AC_CONFIG_AUX_DIR($build_aux) line in configure.ac.
 found_aux_dir=no
 grep '^[	 ]*AC_CONFIG_AUX_DIR(\['"$build_aux"'\])' configure.ac \
@ -665,9 +763,25 @@ if $use_gnulib; then
      shallow=
      if test -z "$GNULIB_REVISION"; then
        git clone -h 2>&1 | grep -- --depth > /dev/null && shallow='--depth 2'
+        git clone $shallow ${GNULIB_URL:-$default_gnulib_url} "$gnulib_path" \
+          || cleanup_gnulib
+      else
+        git fetch -h 2>&1 | grep -- --depth > /dev/null && shallow='--depth 2'
+        mkdir -p "$gnulib_path"
+        # Only want a shallow checkout of $GNULIB_REVISION, but git does not
+        # support cloning by commit hash. So attempt a shallow fetch by commit
+        # hash to minimize the amount of data downloaded and changes needed to
+        # be processed, which can drastically reduce download and processing
+        # time for checkout. If the fetch by commit fails, a shallow fetch can
+        # not be performed because we do not know what the depth of the commit
+        # is without fetching all commits. So fallback to fetching all commits.
+        git -C "$gnulib_path" init
+        git -C "$gnulib_path" remote add origin ${GNULIB_URL:-$default_gnulib_url}
+        git -C "$gnulib_path" fetch $shallow origin "$GNULIB_REVISION" \
+          || git -C "$gnulib_path" fetch origin \
+          || cleanup_gnulib
+        git -C "$gnulib_path" reset --hard FETCH_HEAD
      fi
-      git clone $shallow ${GNULIB_URL:-$default_gnulib_url} "$gnulib_path" \
-        || cleanup_gnulib

      trap - 1 2 13 15
    fi
@ -784,75 +898,6 @@ case $SKIP_PO in
  fi;;
 esac

-symlink_to_dir()
-{
-  src=$1/$2
-  dst=${3-$2}
-
-  test -f "$src" && {
-
-    # If the destination directory doesn't exist, create it.
-    # This is required at least for "lib/uniwidth/cjk.h".
-    dst_dir=$(dirname "$dst")
-    if ! test -d "$dst_dir"; then
-      mkdir -p "$dst_dir"
-
-      # If we've just created a directory like lib/uniwidth,
-      # tell version control system(s) it's ignorable.
-      # FIXME: for now, this does only one level
-      parent=$(dirname "$dst_dir")
-      for dot_ig in x $vc_ignore; do
-        test $dot_ig = x && continue
-        ig=$parent/$dot_ig
-        insert_vc_ignore $ig "${dst_dir##*/}"
-      done
-    fi
-
-    if $copy; then
-      {
-        test ! -h "$dst" || {
-          echo "$me: rm -f $dst" &&
-          rm -f "$dst"
-        }
-      } &&
-      test -f "$dst" &&
-      cmp -s "$src" "$dst" || {
-        echo "$me: cp -fp $src $dst" &&
-        cp -fp "$src" "$dst"
-      }
-    else
-      # Leave any existing symlink alone, if it already points to the source,
-      # so that broken build tools that care about symlink times
-      # aren't confused into doing unnecessary builds.  Conversely, if the
-      # existing symlink's timestamp is older than the source, make it afresh,
-      # so that broken tools aren't confused into skipping needed builds.  See
-      # <https://lists.gnu.org/r/bug-gnulib/2011-05/msg00326.html>.
-      test -h "$dst" &&
-      src_ls=$(ls -diL "$src" 2>/dev/null) && set $src_ls && src_i=$1 &&
-      dst_ls=$(ls -diL "$dst" 2>/dev/null) && set $dst_ls && dst_i=$1 &&
-      test "$src_i" = "$dst_i" &&
-      both_ls=$(ls -dt "$src" "$dst") &&
-      test "X$both_ls" = "X$dst$nl$src" || {
-        dot_dots=
-        case $src in
-        /*) ;;
-        *)
-          case /$dst/ in
-          *//* | */../* | */./* | /*/*/*/*/*/)
-             die "invalid symlink calculation: $src -> $dst";;
-          /*/*/*/*/)    dot_dots=../../../;;
-          /*/*/*/)      dot_dots=../../;;
-          /*/*/)        dot_dots=../;;
-          esac;;
-        esac
-
-        echo "$me: ln -fs $dot_dots$src $dst" &&
-        ln -fs "$dot_dots$src" "$dst"
-      }
-    fi
-  }
-}
-
 version_controlled_file() {
  parent=$1
  file=$2
@ -970,7 +1015,7 @@ bootstrap_post_import_hook \
 # Uninitialized submodules are listed with an initial dash.
 if $use_git && git submodule | grep '^-' >/dev/null; then
  die "some git submodules are not initialized. "     \
-      "Run 'git submodule init' and bootstrap again."
+      "Run 'git submodule update --init' and bootstrap again."
 fi

 # Remove any dangling symlink matching "*.m4" or "*.[ch]" in some
@ -1064,7 +1109,7 @@ bootstrap_epilogue

 echo "$0: done.  Now you can run './configure'."

-# Local variables:
+# Local Variables:
 # eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
--- a/bootstrap.conf
+++ b/bootstrap.conf
@ -1,6 +1,6 @@
 # Bootstrap configuration.

-# Copyright (C) 2006-2019 Free Software Foundation, Inc.
+# Copyright (C) 2006-2022 Free Software Foundation, Inc.

 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@ -16,11 +16,10 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.


-GNULIB_REVISION=d271f868a8df9bbec29049d01e056481b7a1a263
+GNULIB_REVISION=9f48fb992a3d7e96610c4ce8be969cff2d61a01b

 # gnulib modules used by this package.
-# mbswidth is used by gnulib-fix-width.diff's changes to argp rather than
-# directly.
+# mbswidth is used by fix-width.diff's changes to argp rather than directly.
 gnulib_modules="
  argp
  base64
@ -35,6 +34,7 @@ gnulib_modules="
  realloc-gnu
  regex
  save-cwd
+  stdbool
 "

 gnulib_tool_option_extras="\
@ -66,10 +66,11 @@ SKIP_PO=t

 # Build prerequisites
 buildreq="\
-autoconf   2.63
-automake   1.11
-gettext    0.18.3
+autoconf   2.64
+automake   1.14
+gettext    -
 git        1.5.5
+patch      -
 tar        -
 "

@ -79,11 +80,12 @@ cp -a INSTALL INSTALL.grub

 bootstrap_post_import_hook () {
  set -e
-  for patchname in fix-base64 fix-null-deref fix-null-state-deref fix-regcomp-uninit-token \
-      fix-regexec-null-deref fix-uninit-structure fix-unused-value fix-width no-abort; do
-    patch -d grub-core/lib/gnulib -p2 \
-      < "grub-core/lib/gnulib-patches/$patchname.patch"
-  done
+
+  # Instead of patching our gnulib and therefore maintaining a fork, submit
+  # changes to gnulib and update the hash above when they've merged.  Do not
+  # add new patches here.
+  patch -d grub-core/lib/gnulib -p2 < grub-core/lib/gnulib-patches/fix-width.patch
+
  for patchname in \
      0001-Support-POTFILES-shell \
      0002-Handle-gettext_printf-shell-function \
--- a/conf/Makefile.common
+++ b/conf/Makefile.common
@ -20,6 +20,9 @@ endif
 if COND_powerpc_ieee1275
  CFLAGS_PLATFORM += -mcpu=powerpc
 endif
+if COND_HAVE_PCI
+  CFLAGS_PLATFORM += -DGRUB_HAS_PCI
+endif

 # Other options

@ -39,9 +42,16 @@ LDFLAGS_KERNEL = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC)
 CPPFLAGS_KERNEL = $(CPPFLAGS_CPU) $(CPPFLAGS_PLATFORM) -DGRUB_KERNEL=1
 CCASFLAGS_KERNEL = $(CCASFLAGS_CPU) $(CCASFLAGS_PLATFORM)
 STRIPFLAGS_KERNEL = -R .rel.dyn -R .reginfo -R .note -R .comment -R .drectve -R .note.gnu.gold-version -R .MIPS.abiflags -R .ARM.exidx
+if !COND_emu
+if COND_HAVE_ASM_USCORE
+  LDFLAGS_KERNEL += -Wl,--defsym=_malloc=_grub_malloc -Wl,--defsym=_free=_grub_free
+else
+  LDFLAGS_KERNEL += -Wl,--defsym=malloc=grub_malloc -Wl,--defsym=free=grub_free
+endif
+endif

 CFLAGS_MODULE = $(CFLAGS_PLATFORM) -ffreestanding
-LDFLAGS_MODULE = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC) -Wl,-r,-d
+LDFLAGS_MODULE = $(LDFLAGS_PLATFORM) -nostdlib $(TARGET_LDFLAGS_OLDMAGIC) -Wl,-r
 CPPFLAGS_MODULE = $(CPPFLAGS_CPU) $(CPPFLAGS_PLATFORM)
 CCASFLAGS_MODULE = $(CCASFLAGS_CPU) $(CCASFLAGS_PLATFORM)

@ -65,7 +75,7 @@ grubconfdir = $(sysconfdir)/grub.d
 platformdir = $(pkglibdir)/$(target_cpu)-$(platform)
 starfielddir = $(pkgdatadir)/themes/starfield

-CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion
+CFLAGS_GNULIB = -Wno-undef -Wno-sign-compare -Wno-unused -Wno-unused-parameter -Wno-redundant-decls -Wno-unreachable-code -Wno-conversion -Wno-error=attributes
 CPPFLAGS_GNULIB = -I$(top_builddir)/grub-core/lib/gnulib -I$(top_srcdir)/grub-core/lib/gnulib

 CFLAGS_POSIX = -fno-builtin
@ -101,27 +111,29 @@ MOD_FILES =
 MODULE_FILES =
 MARKER_FILES =
 KERNEL_HEADER_FILES =
+EXTRA_DEPS =

+bin_SCRIPTS =
+bin_PROGRAMS =
+check_SCRIPTS_native =
+check_SCRIPTS_nonnative =
+check_PROGRAMS_native =
+check_PROGRAMS_nonnative =
+dist_grubconf_DATA =
+dist_noinst_DATA =
+grubconf_SCRIPTS =
 man_MANS =
 noinst_DATA =
-pkgdata_DATA =
-bin_SCRIPTS =
-sbin_SCRIPTS =
-bin_PROGRAMS =
-platform_DATA =
-sbin_PROGRAMS =
-check_SCRIPTS =
-dist_grubconf_DATA =
-check_PROGRAMS =
 noinst_SCRIPTS =
 noinst_PROGRAMS =
-grubconf_SCRIPTS =
 noinst_LIBRARIES =
-dist_noinst_DATA =
+pkgdata_DATA =
+platform_DATA =
 platform_SCRIPTS =
 platform_PROGRAMS =
+sbin_SCRIPTS =
+sbin_PROGRAMS =

-TESTS =
 EXTRA_DIST =
 CLEANFILES =
 BUILT_SOURCES =
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@ -21,6 +21,7 @@ EXTRA_DIST += conf/i386-cygwin-img-ld.sc
 EXTRA_DIST += grub-core/Makefile.core.def
 EXTRA_DIST += grub-core/Makefile.gcry.def

+EXTRA_DIST += grub-core/extra_deps.lst
 EXTRA_DIST += grub-core/genmoddep.awk
 EXTRA_DIST += grub-core/genmod.sh.in
 EXTRA_DIST += grub-core/gensyminfo.sh.in
@ -28,15 +29,7 @@ EXTRA_DIST += grub-core/gensymlist.sh
 EXTRA_DIST += grub-core/genemuinit.sh
 EXTRA_DIST += grub-core/genemuinitheader.sh

-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-base64.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
 EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
-EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch

 EXTRA_DIST += grub-core/lib/libgcrypt
 EXTRA_DIST += grub-core/lib/libgcrypt-grub/mpi/generic
--- a/conf/i386-cygwin-img-ld.sc
+++ b/conf/i386-cygwin-img-ld.sc
@ -14,6 +14,8 @@ SECTIONS
  {
    __data_start__ = . ;
    *(.data)
+    /* Do not discard this section. */
+    . = . ;
    __data_end__ = . ;
    __rdata_start__ = . ;
    *(.rdata)
@ -34,6 +36,8 @@ SECTIONS
  .edata :
  {
    *(.edata)
+    /* Do not discard this section. */
+    . = . ;
    end = . ;
    _end = . ;
    __end = . ;
--- a/config.h.in
+++ b/config.h.in
@ -9,6 +9,10 @@
 #define GCRYPT_NO_DEPRECATED 1
 #define HAVE_MEMMOVE 1

+#if @MM_DEBUG@
+#define MM_DEBUG @MM_DEBUG@
+#endif
+
 /* Define to 1 to enable disk cache statistics.  */
 #define DISK_CACHE_STATS @DISK_CACHE_STATS@
 #define BOOT_TIME_STATS @BOOT_TIME_STATS@
@ -22,46 +26,124 @@
 #define MINILZO_CFG_SKIP_LZO1X_DECOMPRESS 1

 #if defined (GRUB_BUILD)
-#undef ENABLE_NLS
-#define BUILD_SIZEOF_LONG @BUILD_SIZEOF_LONG@
-#define BUILD_SIZEOF_VOID_P @BUILD_SIZEOF_VOID_P@
-#if defined __APPLE__
-# if defined __BIG_ENDIAN__
-#  define BUILD_WORDS_BIGENDIAN 1
-# else
-#  define BUILD_WORDS_BIGENDIAN 0
-# endif
-#else
-#define BUILD_WORDS_BIGENDIAN @BUILD_WORDS_BIGENDIAN@
-#endif
+#  undef ENABLE_NLS
+#  define BUILD_SIZEOF_LONG @BUILD_SIZEOF_LONG@
+#  define BUILD_SIZEOF_VOID_P @BUILD_SIZEOF_VOID_P@
+#  if defined __APPLE__
+#    if defined __BIG_ENDIAN__
+#      define BUILD_WORDS_BIGENDIAN 1
+#    else
+#      define BUILD_WORDS_BIGENDIAN 0
+#    endif
+#  else /* !defined __APPLE__ */
+#    define BUILD_WORDS_BIGENDIAN @BUILD_WORDS_BIGENDIAN@
+#  endif /* !defined __APPLE__ */
 #elif defined (GRUB_UTIL) || !defined (GRUB_MACHINE)
-#include <config-util.h>
-#else
-#define HAVE_FONT_SOURCE @HAVE_FONT_SOURCE@
+#  include <config-util.h>
+#else /* !defined GRUB_UTIL && defined GRUB_MACHINE */
+#  define HAVE_FONT_SOURCE @HAVE_FONT_SOURCE@
 /* Define if C symbols get an underscore after compilation. */
-#define HAVE_ASM_USCORE @HAVE_ASM_USCORE@
+#  define HAVE_ASM_USCORE @HAVE_ASM_USCORE@
 /* Define it to one of __bss_start, edata and _edata.  */
-#define BSS_START_SYMBOL @BSS_START_SYMBOL@
+#  define BSS_START_SYMBOL @BSS_START_SYMBOL@
 /* Define it to either end or _end.  */
-#define END_SYMBOL @END_SYMBOL@
+#  define END_SYMBOL @END_SYMBOL@
 /* Name of package.  */
-#define PACKAGE "@PACKAGE@"
+#  define PACKAGE "@PACKAGE@"
 /* Version number of package.  */
-#define VERSION "@VERSION@"
+#  define VERSION "@VERSION@"
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "@PACKAGE_STRING@"
+#  define PACKAGE_STRING "@PACKAGE_STRING@"
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "@PACKAGE_VERSION@"
+#  define PACKAGE_VERSION "@PACKAGE_VERSION@"
 /* Define to the full name of this package. */
-#define PACKAGE_NAME "@PACKAGE_NAME@"
+#  define PACKAGE_NAME "@PACKAGE_NAME@"
 /* Define to the address where bug reports for this package should be sent. */
-#define PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"
+#  define PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"

-#define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
-#define GRUB_PLATFORM "@GRUB_PLATFORM@"
+#  define GRUB_TARGET_CPU "@GRUB_TARGET_CPU@"
+#  define GRUB_PLATFORM "@GRUB_PLATFORM@"

-#define RE_ENABLE_I18N 1
+#  define GRUB_STACK_PROTECTOR_INIT @GRUB_STACK_PROTECTOR_INIT@

-#define _GNU_SOURCE 1
+#  define RE_ENABLE_I18N 1
+
+#  define _GNU_SOURCE 1
+
+#  ifndef _GL_INLINE_HEADER_BEGIN
+/*
+ * gnulib gets configured against the host, not the target, and the rest of
+ * our buildsystem works around that.  This is difficult to avoid as gnulib's
+ * detection requires a more capable system than our target.  Instead, we
+ * reach in and set values appropriately - intentionally setting more than the
+ * bare minimum.  If, when updating gnulib, something breaks, there's probably
+ * a change needed here or in grub-core/Makefile.core.def.
+ */
+#    define SIZE_MAX ((size_t) -1)
+#    define _GL_ATTRIBUTE_ALLOC_SIZE(args) \
+    __attribute__ ((__alloc_size__ args))
+#    define _GL_ATTRIBUTE_ALWAYS_INLINE __attribute__ ((__always_inline__))
+#    define _GL_ATTRIBUTE_ARTIFICIAL __attribute__ ((__artificial__))
+#    define _GL_ATTRIBUTE_COLD __attribute__ ((cold))
+#    define _GL_ATTRIBUTE_CONST __attribute__ ((const))
+#    define _GL_ATTRIBUTE_DEALLOC(f, i) __attribute ((__malloc__ (f, i)))
+#    define _GL_ATTRIBUTE_DEALLOC_FREE _GL_ATTRIBUTE_DEALLOC (free, 1)
+#    define _GL_ATTRIBUTE_DEPRECATED __attribute__ ((__deprecated__))
+#    define _GL_ATTRIBUTE_ERROR(msg) __attribute__ ((__error__ (msg)))
+#    define _GL_ATTRIBUTE_EXTERNALLY_VISIBLE \
+    __attribute__ ((externally_visible))
+#    define _GL_ATTRIBUTE_FORMAT(spec) __attribute__ ((__format__ spec))
+#    define _GL_ATTRIBUTE_LEAF __attribute__ ((__leaf__))
+#    define _GL_ATTRIBUTE_MALLOC __attribute__ ((malloc))
+#    define _GL_ATTRIBUTE_MAYBE_UNUSED _GL_ATTRIBUTE_UNUSED
+#    define _GL_ATTRIBUTE_MAY_ALIAS __attribute__ ((__may_alias__))
+#    define _GL_ATTRIBUTE_NODISCARD __attribute__ ((__warn_unused_result__))
+#    define _GL_ATTRIBUTE_NOINLINE __attribute__ ((__noinline__))
+#    define _GL_ATTRIBUTE_NONNULL(args) __attribute__ ((__nonnull__ args))
+#    define _GL_ATTRIBUTE_NONSTRING __attribute__ ((__nonstring__))
+#    define _GL_ATTRIBUTE_PACKED __attribute__ ((__packed__))
+#    define _GL_ATTRIBUTE_PURE __attribute__ ((__pure__))
+#    define _GL_ATTRIBUTE_RETURNS_NONNULL \
+    __attribute__ ((__returns_nonnull__))
+#    define _GL_ATTRIBUTE_SENTINEL(pos) __attribute__ ((__sentinel__ pos))
+#    define _GL_ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#    define _GL_ATTRIBUTE_WARNING(msg) __attribute__ ((__warning__ (msg)))
+#    define _GL_CMP(n1, n2) (((n1) > (n2)) - ((n1) < (n2)))
+#    define _GL_GNUC_PREREQ GNUC_PREREQ
+#    define _GL_INLINE inline
+#    define _GL_UNUSED_LABEL _GL_ATTRIBUTE_UNUSED
+
+/* We can't use __has_attribute for these because gcc-5.1 is too old for
+ * that.  Everything above is present in that version, though. */
+#    if __GNUC__ >= 7
+#      define _GL_ATTRIBUTE_FALLTHROUGH __attribute__ ((fallthrough))
+#    else
+#      define _GL_ATTRIBUTE_FALLTHROUGH /* empty */
+#    endif
+
+#    ifndef ASM_FILE
+typedef __INT_FAST32_TYPE__ int_fast32_t;
+typedef __UINT_FAST32_TYPE__ uint_fast32_t;
+#    endif
+
+/* Ensure ialloc nests static/non-static inline properly. */
+#    define IALLOC_INLINE static inline
+
+/*
+ * gnulib uses these for blocking out warnings they can't/won't fix.  gnulib
+ * also makes the decision about whether to provide a declaration for
+ * reallocarray() at compile-time, so this is a convenient place to override -
+ * it's used by the ialloc module, which is used by base64.
+ */
+#    define _GL_INLINE_HEADER_BEGIN _Pragma ("GCC diagnostic push")	\
+    void *								\
+    reallocarray (void *ptr, unsigned int nmemb, unsigned int size);
+#    define _GL_INLINE_HEADER_END   _Pragma ("GCC diagnostic pop")
+#  endif /* !_GL_INLINE_HEADER_BEGIN */
+
+/* gnulib doesn't build cleanly with older compilers. */
+#  if __GNUC__ < 11
+_Pragma ("GCC diagnostic ignored \"-Wtype-limits\"")
+#  endif

 #endif
--- a/configure.ac
+++ b/configure.ac
@ -34,13 +34,18 @@ dnl "TARGET_" (such as TARGET_CC, TARGET_CFLAGS, etc.) are used for
 dnl the target type. See INSTALL for full list of variables and
 dnl description of the relationships between them.

-AC_INIT([GRUB],[2.06],[bug-grub@gnu.org])
+AC_INIT([GRUB],[2.13],[bug-grub@gnu.org])

-AC_CONFIG_AUX_DIR([build-aux])
+AS_CASE(["$ERROR_PLATFORM_NOT_SUPPORT_SSP"],
+  [n | no | nO | N | No | NO], [ERROR_PLATFORM_NOT_SUPPORT_SSP=no],
+  [ERROR_PLATFORM_NOT_SUPPORT_SSP=yes])

 # We don't want -g -O2 by default in CFLAGS
 : ${CFLAGS=""}

+AC_USE_SYSTEM_EXTENSIONS
+AC_CONFIG_AUX_DIR([build-aux])
+
 # Checks for build, host and target systems.
 AC_CANONICAL_BUILD
 AC_CANONICAL_HOST
@ -49,9 +54,9 @@ AC_CANONICAL_TARGET
 program_prefix="${save_program_prefix}"

 AM_INIT_AUTOMAKE([1.11])
-AC_PREREQ(2.63)
+AC_PREREQ(2.64)
 AC_CONFIG_SRCDIR([include/grub/dl.h])
-AC_CONFIG_HEADER([config-util.h])
+AC_CONFIG_HEADERS([config-util.h])

 # Explicitly check for pkg-config early on, since otherwise conditional
 # calls are problematic.
@ -71,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
 grub_TRANSFORM([grub-mkrelpath])
 grub_TRANSFORM([grub-mkrescue])
 grub_TRANSFORM([grub-probe])
+grub_TRANSFORM([grub-protect])
 grub_TRANSFORM([grub-reboot])
 grub_TRANSFORM([grub-script-check])
 grub_TRANSFORM([grub-set-default])
@ -78,6 +84,11 @@ grub_TRANSFORM([grub-sparc64-setup])
 grub_TRANSFORM([grub-render-label])
 grub_TRANSFORM([grub-file])

+# Allow HOST_CC to override CC.
+if test "x$HOST_CC" != x; then
+  CC=$HOST_CC
+fi
+
 # Optimization flag.  Allow user to override.
 if test "x$TARGET_CFLAGS" = x; then
  TARGET_CFLAGS=-Os
@ -85,9 +96,9 @@ fi

 # Enable support for "restrict" keyword and other
 # features from gnu99 C language standard.
-BUILD_CFLAGS="-std=gnu99 $BUILD_CFLAGS"
-HOST_CFLAGS="-std=gnu99 $HOST_CFLAGS"
-TARGET_CFLAGS="-std=gnu99 $TARGET_CFLAGS"
+BUILD_CFLAGS="-std=gnu99 -fno-common $BUILD_CFLAGS"
+HOST_CFLAGS="-std=gnu99 -fno-common $HOST_CFLAGS"
+TARGET_CFLAGS="-std=gnu99 -fno-common $TARGET_CFLAGS"

 # Default HOST_CPPFLAGS
 HOST_CPPFLAGS="$HOST_CPPFLAGS -Wall -W"
@ -107,18 +118,11 @@ case "$target_cpu" in
                target_cpu=mips
 		machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_CPU_MIPS=1"
 		;;
-  arm*)
-		target_cpu=arm
-		;;
-  aarch64*)
-		target_cpu=arm64
-		;;
-  riscv32*)
-		target_cpu=riscv32
-		;;
-  riscv64*)
-		target_cpu=riscv64
-		;;
+  arm*)		target_cpu=arm ;;
+  aarch64*)	target_cpu=arm64 ;;
+  loongarch64)	target_cpu=loongarch64 ;;
+  riscv32*)	target_cpu=riscv32 ;;
+  riscv64*)	target_cpu=riscv64 ;;
 esac

 # Specify the platform (such as firmware).
@ -142,6 +146,7 @@ if test "x$with_platform" = x; then
    ia64-*) platform=efi ;;
    arm-*) platform=uboot ;;
    arm64-*) platform=efi ;;
+    loongarch64-*) platform=efi;;
    riscv32-*) platform=efi ;;
    riscv64-*) platform=efi ;;
    *)
@ -192,6 +197,7 @@ case "$target_cpu"-"$platform" in
  arm-coreboot) ;;
  arm-efi) ;;
  arm64-efi) ;;
+  loongarch64-efi) ;;
  riscv32-efi) ;;
  riscv64-efi) ;;
  *-emu) ;;
@ -247,7 +253,7 @@ case "$platform" in
  emu)		machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_MACHINE_EMU=1" ;;
  loongson)	machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_MACHINE_MIPS_LOONGSON=1" ;;
  qemu_mips)	machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_MACHINE_MIPS_QEMU_MIPS=1" ;;
-  arc)	machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_MACHINE_ARC=1" ;;
+  arc)		machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_MACHINE_ARC=1" ;;
 esac
 if test x${target_cpu} = xmipsel ; then
   machine_CPPFLAGS="$machine_CPPFLAGS -DGRUB_MACHINE=`echo mips_$platform | sed y,abcdefghijklmnopqrstuvwxyz,ABCDEFGHIJKLMNOPQRSTUVWXYZ,`"
@ -333,7 +339,7 @@ fi
 AC_PROG_RANLIB
 AC_PROG_INSTALL
 AC_PROG_AWK
-AC_PROG_LEX
+AC_PROG_LEX([noyywrap])
 AC_PROG_YACC
 AC_PROG_MAKE_SET
 AC_PROG_MKDIR_P
@ -369,11 +375,15 @@ test "x$GCC" = xyes || AC_MSG_ERROR([GCC is required])

 AC_CHECK_PROG(HAVE_CXX, $CXX, yes, no)

-AC_GNU_SOURCE
 AM_GNU_GETTEXT([external])
 AM_GNU_GETTEXT_VERSION([0.18.3])
 AC_SYS_LARGEFILE

+PLATFORMS_PCI=" $(PYTHONPATH="${srcdir}" $PYTHON -c 'import gentpl; print(" ".join(gentpl.GROUPS[["pci"]]))') "
+if test x"${PLATFORMS_PCI##* ${target_cpu}_${platform} *}" = x ; then
+  have_pci=y
+fi
+
 # Identify characteristics of the host architecture.
 unset ac_cv_c_bigendian

@ -424,7 +434,7 @@ AC_CHECK_HEADERS(sys/param.h sys/mount.h sys/mnttab.h limits.h)

 # glibc 2.25 still includes sys/sysmacros.h in sys/types.h but emits deprecation
 # warning which causes compilation failure later with -Werror. So use -Werror here
-# as well to force proper sys/sysmacros.h detection.
+# as well to force proper sys/sysmacros.h detection. Used in include/grub/osdep/major.h.
 SAVED_CFLAGS="$CFLAGS"
 CFLAGS="$HOST_CFLAGS -Werror"
 AC_HEADER_MAJOR
@ -793,11 +803,24 @@ if test "x$target_cpu" = xmips || test "x$target_cpu" = xmipsel ; then
  if test "x$grub_cv_cc_mflush_func" = xyes; then
    TARGET_CFLAGS="$TARGET_CFLAGS -mflush-func=grub_red_herring"
  fi
+
+  AC_CACHE_CHECK([whether -mno-gpopt works], [grub_cv_cc_mno_gpopt], [
+    CFLAGS="$TARGET_CFLAGS -mno-gpopt -Werror"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	[grub_cv_cc_mno_gpopt=yes],
+	[grub_cv_cc_mno_gpopt=no])
+  ])
+
+  if test "x$grub_cv_cc_mno_gpopt" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -mno-gpopt"
+  fi
 fi


 # Force no alignment to save space on i386.
 if test "x$target_cpu" = xi386; then
+  TARGET_CFLAGS="$TARGET_CFLAGS -falign-functions=1"
+
  AC_CACHE_CHECK([whether -falign-loops works], [grub_cv_cc_falign_loop], [
    CFLAGS="$TARGET_CFLAGS -falign-loops=1 -Werror"
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
@ -805,17 +828,19 @@ if test "x$target_cpu" = xi386; then
 	[grub_cv_cc_falign_loop=no])
  ])

-  AC_CACHE_CHECK([whether -malign-loops works], [grub_cv_cc_malign_loop], [
-    CFLAGS="$TARGET_CFLAGS -malign-loops=1 -Werror"
+  if test "x$grub_cv_cc_falign_loop" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -falign-loops=1"
+  fi
+
+  AC_CACHE_CHECK([whether -falign-jumps works], [grub_cv_cc_falign_jumps], [
+    CFLAGS="$TARGET_CFLAGS -falign-jumps=1 -Werror"
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
-        [grub_cv_cc_malign_loop=yes],
-	[grub_cv_cc_malign_loop=no])
+        [grub_cv_cc_falign_jumps=yes],
+        [grub_cv_cc_falign_jumps=no])
  ])

-  if test "x$grub_cv_cc_falign_loop" = xyes; then
-    TARGET_CFLAGS="$TARGET_CFLAGS -falign-jumps=1 -falign-loops=1 -falign-functions=1"
-  elif test "x$grub_cv_cc_malign_loop" = xyes; then
-    TARGET_CFLAGS="$TARGET_CFLAGS -malign-jumps=1 -malign-loops=1 -malign-functions=1"
+  if test "x$grub_cv_cc_falign_jumps" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -falign-jumps=1"
  fi
 fi

@ -836,6 +861,83 @@ if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ) && test "x$p
  TARGET_CFLAGS="$TARGET_CFLAGS -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow"
 fi

+if ( test "x$target_cpu" = xi386 || test "x$target_cpu" = xx86_64 ); then
+  AC_CACHE_CHECK([whether -Wa,-mx86-used-note works], [grub_cv_cc_mx86_used_note], [
+    CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no -Werror"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	[grub_cv_cc_mx86_used_note=yes],
+	[grub_cv_cc_mx86_used_note=no])
+  ])
+
+  if test "x$grub_cv_cc_mx86_used_note" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mx86-used-note=no"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mx86-used-note=no"
+  fi
+fi
+
+if test "x$target_cpu" = xloongarch64; then
+  AC_CACHE_CHECK([whether _mno_explicit_relocs works], [grub_cv_cc_mno_explicit_relocs], [
+    CFLAGS="$TARGET_CFLAGS -mno-explicit-relocs -Werror"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+	[grub_cv_cc_mno_explicit_relocs=yes],
+	[grub_cv_cc_mno_explicit_relocs=no])
+  ])
+  if test "x$grub_cv_cc_mno_explicit_relocs" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -mno-explicit-relocs -fno-plt"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS -mno-explicit-relocs -fno-plt"
+  fi
+
+  AC_CACHE_CHECK([for no-relax options], grub_cv_target_cc_mno_relax, [
+    grub_cv_target_cc_mno_relax=no
+    for cand in "-mno-relax" "-Wa,-mno-relax"; do
+      if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+        break
+      fi
+      CFLAGS="$TARGET_CFLAGS $cand -Werror"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+	    asm (".globl start; start:");
+	    void __main (void);
+	    void __main (void) {}
+	    int main (void);
+	    ]], [[]])], [grub_cv_target_cc_mno_relax="$cand"], [])
+    done
+  ])
+  CFLAGS="$TARGET_CFLAGS"
+
+  if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+    TARGET_CFLAGS="$TARGET_CFLAGS $grub_cv_target_cc_mno_relax"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS $grub_cv_target_cc_mno_relax"
+  fi
+
+  TARGET_CFLAGS="$TARGET_CFLAGS -Wa,-mla-global-with-abs"
+  TARGET_CCASFLAGS="$TARGET_CCASFLAGS -Wa,-mla-global-with-abs"
+fi
+
+if test "x$target_cpu" = xriscv64 || test "x$target_cpu" = xriscv32; then
+  AC_CACHE_CHECK([for no-relax options], grub_cv_target_cc_mno_relax, [
+    grub_cv_target_cc_mno_relax=no
+    for cand in "-mno-relax" "-Wa,-mno-relax"; do
+      if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+        break
+      fi
+      CFLAGS="$TARGET_CFLAGS $cand -Werror"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+	    asm (".globl start; start:");
+	    void __main (void);
+	    void __main (void) {}
+	    int main (void);
+	    ]], [[]])], [grub_cv_target_cc_mno_relax="$cand"], [])
+    done
+  ])
+
+  CFLAGS="$TARGET_CFLAGS"
+
+  if test x"$grub_cv_target_cc_mno_relax" != xno ; then
+    TARGET_CFLAGS="$TARGET_CFLAGS $grub_cv_target_cc_mno_relax"
+    TARGET_CCASFLAGS="$TARGET_CCASFLAGS $grub_cv_target_cc_mno_relax"
+  fi
+fi
+
 # GRUB doesn't use float or doubles at all. Yet some toolchains may decide
 # that floats are a good fit to run instead of what's written in the code.
 # Given that floating point unit is disabled (if present to begin with)
@ -852,11 +954,19 @@ if test x"$platform" != xemu ; then
       CFLAGS="$TARGET_CFLAGS -march=rv32imac -mabi=ilp32 -Werror"
       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
 		         [grub_cv_target_cc_soft_float="-march=rv32imac -mabi=ilp32"], [])
+       # ISA spec version 20191213 factored out extensions Zicsr and Zifencei
+       CFLAGS="$TARGET_CFLAGS -march=rv32imac_zicsr_zifencei -mabi=ilp32 -Werror"
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+		         [grub_cv_target_cc_soft_float="-march=rv32imac_zicsr_zifencei -mabi=ilp32"], [])
    fi
    if test "x$target_cpu" = xriscv64; then
       CFLAGS="$TARGET_CFLAGS -march=rv64imac -mabi=lp64 -Werror"
       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
 		         [grub_cv_target_cc_soft_float="-march=rv64imac -mabi=lp64"], [])
+       # ISA spec version 20191213 factored out extensions Zicsr and Zifencei
+       CFLAGS="$TARGET_CFLAGS -march=rv64imac_zicsr_zifencei -mabi=lp64 -Werror"
+       AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+		         [grub_cv_target_cc_soft_float="-march=rv64imac_zicsr_zifencei -mabi=lp64"], [])
    fi
    if test "x$target_cpu" = xia64; then
       CFLAGS="$TARGET_CFLAGS -mno-inline-float-divide -mno-inline-sqrt -Werror"
@ -947,6 +1057,19 @@ if test x"$target_cpu" = xsparc64 ; then
  TARGET_LDFLAGS="$TARGET_LDFLAGS $grub_cv_target_cc_mno_relax"
 fi

+# The backtrace module relies on frame pointers and the default optimization
+# level, -Os, omits them. Make sure they are enabled.
+AC_CACHE_CHECK([whether -fno-omit-frame-pointer works], [grub_cv_cc_fno_omit_frame_pointer], [
+  CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+      [grub_cv_cc_fno_omit_frame_pointer=yes],
+      [grub_cv_cc_fno_omit_frame_pointer=no])
+])
+
+if test "x$grub_cv_cc_fno_omit_frame_pointer" = xyes; then
+  TARGET_CFLAGS="$TARGET_CFLAGS -fno-omit-frame-pointer"
+fi
+
 # By default, GCC 4.4 generates .eh_frame sections containing unwind
 # information in some cases where it previously did not. GRUB doesn't need
 # these and they just use up vital space. Restore the old compiler
@ -1102,9 +1225,9 @@ if test x$grub_cv_target_cc_link_format = x-arch,i386 || test x$grub_cv_target_c
 elif test x$grub_cv_target_cc_link_format = x-mi386pe || test x$grub_cv_target_cc_link_format = x-mi386pep ; then
  TARGET_APPLE_LINKER=0
  TARGET_LDFLAGS_OLDMAGIC="-Wl,-N"
-  TARGET_IMG_LDSCRIPT='$(top_srcdir)'"/${grub_coredir}/conf/i386-cygwin-img-ld.sc"
+  TARGET_IMG_LDSCRIPT='$(top_srcdir)'"/conf/i386-cygwin-img-ld.sc"
  TARGET_IMG_LDFLAGS="-Wl,-T${TARGET_IMG_LDSCRIPT}"
-  TARGET_IMG_LDFLAGS_AC="-Wl,-T${srcdir}/${grub_coredir}/conf/i386-cygwin-img-ld.sc"
+  TARGET_IMG_LDFLAGS_AC="-Wl,-T${srcdir}/conf/i386-cygwin-img-ld.sc"
  TARGET_IMG_BASE_LDOPT="-Wl,-Ttext"
  TARGET_IMG_CFLAGS=
 else
@ -1326,7 +1449,12 @@ if test "x$enable_stack_protector" = xno; then
    TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
  fi
 elif test "x$platform" != xefi; then
-  AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
+  if test "$ERROR_PLATFORM_NOT_SUPPORT_SSP" = "yes"; then
+    AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
+  else
+    AC_MSG_WARN([--enable-stack-protector is only supported on EFI platforms])
+  fi
+  enable_stack_protector=no
 elif test "x$ssp_global_possible" != xyes; then
  AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)])
 else
@ -1347,6 +1475,28 @@ else
    AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
  fi
  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
+
+  if test -n "$SOURCE_DATE_EPOCH"; then
+     GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2$(printf "%x" "$SOURCE_DATE_EPOCH" | sed 's/.*\(........\)$/\1/')"
+  elif test -r /dev/urandom; then
+     # Generate the 8 byte stack protector canary at build time if /dev/urandom
+     # is able to be read. The first byte should be NUL to filter out string
+     # buffer overflow attacks.
+     GRUB_STACK_PROTECTOR_INIT="$($PYTHON -c 'import codecs; rf=open("/dev/urandom", "rb"); print("0x00"+codecs.encode(rf.read(7), "hex").decode("ascii"))')"
+  else
+    # Some hosts may not have a urandom, e.g. Windows, so use statically
+    # generated random bytes
+    GRUB_STACK_PROTECTOR_INIT="0x00f2b7e2f193b25c"
+  fi
+
+  if test x"$target_m32" = x1 ; then
+    # Make sure that the canary default value is 24-bits by only using the
+    # lower 3 bytes on 32 bit systems. This allows the upper byte to be NUL
+    # to filter out string buffer overflow attacks.
+    GRUB_STACK_PROTECTOR_INIT="0x00$(echo "$GRUB_STACK_PROTECTOR_INIT" | sed 's/.*\(......\)$/\1/')"
+  fi
+
+  AC_SUBST([GRUB_STACK_PROTECTOR_INIT])
 fi

 CFLAGS="$TARGET_CFLAGS"
@ -1393,27 +1543,11 @@ fi

 # Set them to their new values for the tests below.
 CC="$TARGET_CC"
-if test x"$platform" = xemu ; then
-CFLAGS="$TARGET_CFLAGS -Wno-error"
-elif test "x$TARGET_APPLE_LINKER" = x1 ; then
-CFLAGS="$TARGET_CFLAGS -nostdlib -static -Wno-error"
-else
-CFLAGS="$TARGET_CFLAGS -nostdlib -Wno-error"
-fi
 CPPFLAGS="$TARGET_CPPFLAGS"

-grub_ASM_USCORE
-if test "x$TARGET_APPLE_LINKER" = x0 && test x"$platform" != xemu; then
-if test x$grub_cv_asm_uscore = xyes; then
-DEFSYM="-Wl,--defsym,_abort=_main -Wl,--defsym,__main=_main"
-else
-DEFSYM="-Wl,--defsym,abort=main -Wl,--defsym,_main=main -Wl,--defsym,__main=main"
-fi
-CFLAGS="$TARGET_CFLAGS -nostdlib $DEFSYM"
-fi
-
 # Check for libgcc symbols
 if test x"$platform" = xemu; then
+CFLAGS="$TARGET_CFLAGS -Wno-error"
 AC_CHECK_FUNCS(__udivsi3 __umodsi3 __divsi3 __modsi3 __divdi3 __moddi3 __udivdi3 __umoddi3 __ctzdi2 __ctzsi2 __clzdi2 __aeabi_uidiv __aeabi_uidivmod __aeabi_idiv __aeabi_idivmod __aeabi_ulcmp __muldi3 __aeabi_lmul __aeabi_memcpy __aeabi_memcpy4 __aeabi_memcpy8 __aeabi_memclr __aeabi_memclr4 __aeabi_memclr8 __aeabi_memset __aeabi_lasr __aeabi_llsl __aeabi_llsr _restgpr_14_x __ucmpdi2 __ashldi3 __ashrdi3 __lshrdi3 __bswapsi2 __bswapdi2 __bzero __register_frame_info __deregister_frame_info ___chkstk_ms __chkstk_ms)
 fi

@ -1424,7 +1558,8 @@ CFLAGS="$TARGET_CFLAGS -nostdlib"
 fi
 LIBS=""

-# Defined in aclocal.m4.
+# Defined in acinclude.m4.
+grub_ASM_USCORE
 grub_PROG_TARGET_CC
 if test "x$TARGET_APPLE_LINKER" != x1 ; then
 grub_PROG_OBJCOPY_ABSOLUTE
@ -1460,9 +1595,9 @@ int va_arg_func (int fixed, va_list args);]], [[]])],
  CPPFLAGS="$SAVED_CPPFLAGS"
 ])

-if test x"$grub_cv_cc_isystem" = xyes ; then
-  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -nostdinc -isystem `$TARGET_CC -print-file-name=include`"
-fi
+  if test x"$grub_cv_cc_isystem" = xyes ; then
+    TARGET_CPPFLAGS="$TARGET_CPPFLAGS -nostdinc -isystem `$TARGET_CC -print-file-name=include`"
+  fi
 fi

 AC_CACHE_CHECK([whether -Wtrampolines work], [grub_cv_cc_wtrampolines], [
@ -1493,9 +1628,12 @@ AC_ARG_ENABLE([mm-debug],
 	      AS_HELP_STRING([--enable-mm-debug],
                             [include memory manager debugging]))
 if test x$enable_mm_debug = xyes; then
-    AC_DEFINE([MM_DEBUG], [1],
-            [Define to 1 if you enable memory manager debugging.])
+  MM_DEBUG=1
+else
+  MM_DEBUG=0
 fi
+AC_SUBST([MM_DEBUG])
+AM_CONDITIONAL([COND_MM_DEBUG], [test x$MM_DEBUG = x1])

 AC_ARG_ENABLE([cache-stats],
 	      AS_HELP_STRING([--enable-cache-stats],
@ -1519,6 +1657,10 @@ else
 fi
 AC_SUBST([BOOT_TIME_STATS])

+AC_ARG_ENABLE([grub-emu-sdl2],
+	      [AS_HELP_STRING([--enable-grub-emu-sdl2],
+                             [build and install the `grub-emu' debugging utility with SDL2 support (default=guessed)])])
+
 AC_ARG_ENABLE([grub-emu-sdl],
 	      [AS_HELP_STRING([--enable-grub-emu-sdl],
                             [build and install the `grub-emu' debugging utility with SDL support (default=guessed)])])
@ -1528,63 +1670,86 @@ AC_ARG_ENABLE([grub-emu-pci],
                             [build and install the `grub-emu' debugging utility with PCI support (potentially dangerous) (default=no)])])

 if test "$platform" = emu; then
+  if test x"$enable_grub_emu_sdl2" = xno ; then
+    grub_emu_sdl2_excuse="explicitly disabled"
+  fi
+  [if [ x"$grub_emu_sdl2_excuse" = x ]; then
+    # Check for libSDL libraries.]
+    PKG_CHECK_MODULES([SDL2], [sdl2], [
+            AC_DEFINE([HAVE_SDL2], [1], [Define to 1 if you have SDL2 library.])
+            AC_SUBST(HAVE_SDL2)],
+            [grub_emu_sdl2_excuse="libSDL2 libraries are required to build \`grub-emu' with SDL2 support"])
+  [fi]
+  if test x"$enable_grub_emu_sdl2" = xyes && test x"$grub_emu_sdl2_excuse" != x ; then
+    AC_MSG_ERROR([SDL2 support for grub-emu was explicitly requested but can't be compiled ($grub_emu_sdl2_excuse)])
+  fi
+  if test x"$grub_emu_sdl2_excuse" = x ; then
+    enable_grub_emu_sdl2=yes
+  else
+    enable_grub_emu_sdl2=no
+  fi
+  if test x"$enable_grub_emu_sdl2" = xyes ; then
+    grub_emu_sdl_excuse="disabled by sdl2"
+  fi

-if test x"$enable_grub_emu_sdl" = xno ; then
-  grub_emu_sdl_excuse="explicitly disabled"
-fi
-[if [ x"$grub_emu_sdl_excuse" = x ]; then
+
+  if test x"$enable_grub_emu_sdl" = xno ; then
+    grub_emu_sdl_excuse="explicitly disabled"
+  fi
+  [if [ x"$grub_emu_sdl_excuse" = x ]; then
    # Check for libSDL libraries.]
 AC_CHECK_LIB([SDL], [SDL_Init], [LIBSDL="-lSDL"],
    [grub_emu_sdl_excuse=["libSDL libraries are required to build \`grub-emu' with SDL support"]])
    AC_SUBST([LIBSDL])
-[fi]
+  [fi]

-[if [ x"$grub_emu_sdl_excuse" = x ]; then
+  [if [ x"$grub_emu_sdl_excuse" = x ]; then
    # Check for headers.]
    AC_CHECK_HEADERS([SDL/SDL.h], [],
      [grub_emu_sdl_excuse=["libSDL header file is required to build \`grub-emu' with SDL support"]])
-[fi]
+  [fi]

-if test x"enable_grub_emu_sdl" = xyes && test x"$grub_emu_sdl_excuse" != x ; then
-  AC_MSG_ERROR([SDL support for grub-emu was explicitly requested but can't be compiled ($grub_emu_sdl_excuse)])
-fi
-if test x"$grub_emu_sdl_excuse" = x ; then
-enable_grub_emu_sdl=yes
-else
-enable_grub_emu_sdl=no
-fi
+  if test x"$enable_grub_emu_sdl" = xyes && test x"$grub_emu_sdl_excuse" != x ; then
+    AC_MSG_ERROR([SDL support for grub-emu was explicitly requested but can't be compiled ($grub_emu_sdl_excuse)])
+  fi
+  if test x"$grub_emu_sdl_excuse" = x ; then
+    enable_grub_emu_sdl=yes
+  else
+    enable_grub_emu_sdl=no
+  fi

-if test x"$enable_grub_emu_pci" != xyes ; then
-   grub_emu_pci_excuse="not enabled"
-fi
+  if test x"$enable_grub_emu_pci" != xyes ; then
+    grub_emu_pci_excuse="not enabled"
+  fi

-[if [ x"$grub_emu_pci_excuse" = x ]; then
-      # Check for libpci libraries.]
-   AC_CHECK_LIB([pciaccess], [pci_system_init], [LIBPCIACCESS="-lpciaccess"],
+  [if [ x"$grub_emu_pci_excuse" = x ]; then
+    # Check for libpci libraries.]
+    AC_CHECK_LIB([pciaccess], [pci_system_init], [LIBPCIACCESS="-lpciaccess"],
      [grub_emu_pci_excuse=["need libpciaccess library"]])
    AC_SUBST([LIBPCIACCESS])
-[fi]
-[if [ x"$grub_emu_pci_excuse" = x ]; then
+  [fi]
+  [if [ x"$grub_emu_pci_excuse" = x ]; then
    # Check for headers.]
    AC_CHECK_HEADERS([pciaccess.h], [],
      [grub_emu_pci_excuse=["need libpciaccess headers"]])
-[fi]
+  [fi]

-if test x"$grub_emu_pci_excuse" = x ; then
-enable_grub_emu_pci=yes
-else
+  if test x"$grub_emu_pci_excuse" = x ; then
+    enable_grub_emu_pci=yes
+  else
+    enable_grub_emu_pci=no
+  fi

-enable_grub_emu_pci=no
-fi
-
-AC_SUBST([enable_grub_emu_sdl])
-AC_SUBST([enable_grub_emu_pci])
+  AC_SUBST([enable_grub_emu_sdl2])
+  AC_SUBST([enable_grub_emu_sdl])
+  AC_SUBST([enable_grub_emu_pci])

 else

-# Ignore --enable-emu-* if platform is not emu
-enable_grub_emu_sdl=no
-enable_grub_emu_pci=no
+  # Ignore --enable-emu-* if platform is not emu
+  enable_grub_emu_sdl2=no
+  enable_grub_emu_sdl=no
+  enable_grub_emu_pci=no
 fi

 AC_ARG_ENABLE([grub-mkfont],
@ -1610,15 +1775,18 @@ if test x"$grub_mkfont_excuse" = x ; then
    CPPFLAGS="$SAVED_CPPFLAGS"
    LIBS="$SAVED_LIBS"
  ], [grub_mkfont_excuse=["need freetype2 library"]])
+  if test x"$grub_mkfont_excuse" = x && test x"$host_kernel" = xnetbsd ; then
+      FREETYPE_LIBS="$FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;
+  fi
 fi

 if test x"$enable_grub_mkfont" = xyes && test x"$grub_mkfont_excuse" != x ; then
  AC_MSG_ERROR([grub-mkfont was explicitly requested but can't be compiled ($grub_mkfont_excuse)])
 fi
 if test x"$grub_mkfont_excuse" = x ; then
-enable_grub_mkfont=yes
+  enable_grub_mkfont=yes
 else
-enable_grub_mkfont=no
+  enable_grub_mkfont=no
 fi
 AC_SUBST([enable_grub_mkfont])

@ -1631,7 +1799,7 @@ CC="$BUILD_CC"
 CPP="$BUILD_CPP"
 CFLAGS="$BUILD_CFLAGS"
 CPPFLAGS="$BUILD_CPPFLAGS"
-LDFLAGS="$BUILD_LDFAGS"
+LDFLAGS="$BUILD_LDFLAGS"

 unset ac_cv_c_bigendian
 unset ac_cv_header_ft2build_h
@ -1664,6 +1832,11 @@ if test x"$grub_build_mkfont_excuse" = x ; then
    LIBS="$SAVED_LIBS"
    CPPFLAGS="$SAVED_CPPFLAGS_2"
  ], [grub_build_mkfont_excuse=["need freetype2 library"]])
+  if test x"$grub_build_mkfont_excuse" = x ; then
+    case x"$build_os" in
+      xnetbsd*) BUILD_FREETYPE_LIBS="$BUILD_FREETYPE_LIBS -Wl,-R,/usr/pkg/lib" ;;
+    esac
+  fi
  PKG_CONFIG="$SAVED_PKG_CONFIG"
 fi

@ -1690,8 +1863,6 @@ CPPFLAGS="$SAVED_CPPFLAGS"
 LDFLAGS="$SAVED_LDFLAGS"


-DJVU_FONT_SOURCE=
-
 starfield_excuse=

 AC_ARG_ENABLE([grub-themes],
@ -1705,19 +1876,28 @@ if test x"$starfield_excuse" = x && test x"$enable_build_grub_mkfont" = xno ; th
  starfield_excuse="No build-time grub-mkfont"
 fi

-if test x"$starfield_excuse" = x; then
-   for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
-     for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype; do
-        if test -f "$dir/DejaVuSans.$ext"; then
-          DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
-          break 2
-        fi
-     done
-   done
+AC_ARG_WITH([dejavufont],
+            AS_HELP_STRING([--with-dejavufont=FILE],
+                           [set the DejeVu source [[guessed]]]))

-   if test "x$DJVU_FONT_SOURCE" = x; then
-     starfield_excuse="No DejaVu found"
-   fi
+if test "x$with_dejavufont" = x; then
+  # search in well-known directories
+  if test x"$starfield_excuse" = x; then
+     for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
+       for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/truetype/ttf-dejavu /usr/share/fonts/dejavu /usr/share/fonts/truetype /usr/pkg/share/fonts/X11/TTF /usr/local/share/fonts/dejavu /usr/X11R6/lib/X11/fonts/TTF /usr/share/fonts/dejavu-sans-fonts /usr/share/fonts/truetype/dejavu; do
+          if test -f "$dir/DejaVuSans.$ext"; then
+            DJVU_FONT_SOURCE="$dir/DejaVuSans.$ext"
+            break 2
+          fi
+       done
+     done
+
+     if test "x$DJVU_FONT_SOURCE" = x; then
+       starfield_excuse="No DejaVu found"
+     fi
+  fi
+else
+  DJVU_FONT_SOURCE="$with_dejavufont"
 fi

 if test x"$enable_grub_themes" = xyes &&  test x"$starfield_excuse" != x; then
@ -1726,21 +1906,28 @@ fi

 AC_SUBST([DJVU_FONT_SOURCE])

-FONT_SOURCE=
+AC_ARG_WITH([unifont],
+            AS_HELP_STRING([--with-unifont=FILE],
+                           [set the unifont source [[guessed]]]))

-for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz; do
-  for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc; do
-    if test -f "$dir/unifont.$ext"; then
-      md5="$(md5sum "$dir/unifont.$ext"|awk '{ print $1; }')"
-      # PCF and BDF from version 6.3 isn't hanled properly by libfreetype.
-      if test "$md5" = 0a54834d2788c83886a3e1785a6a1e61 || test "$md5" = 28f2565c7a41d8d407e2551159385edb || test "$md5" = dae5e588461b3b92b87b6ffee734f936 || test "$md5" = 4a3d687aa5bb329ed05f4263a1016791 ; then
-        continue
+if test "x$with_unifont" = x; then
+  # search in well-known directories
+  for ext in pcf pcf.gz bdf bdf.gz ttf ttf.gz otf otf.gz; do
+    for dir in . /usr/src /usr/share/fonts/X11/misc /usr/share/fonts/unifont /usr/share/fonts/uni /usr/share/fonts/truetype/unifont /usr/share/fonts/misc /usr/pkg/share/fonts/X11/misc /usr/local/share/fonts/gnu-unifont /usr/local/share/fonts/unifont; do
+      if test -f "$dir/unifont.$ext"; then
+        md5="$(md5sum "$dir/unifont.$ext"|awk '{ print $1; }')"
+        # PCF and BDF from version 6.3 isn't hanled properly by libfreetype.
+        if test "$md5" = 0a54834d2788c83886a3e1785a6a1e61 || test "$md5" = 28f2565c7a41d8d407e2551159385edb || test "$md5" = dae5e588461b3b92b87b6ffee734f936 || test "$md5" = 4a3d687aa5bb329ed05f4263a1016791 ; then
+          continue
+        fi
+        FONT_SOURCE="$dir/unifont.$ext"
+        break 2
      fi
-      FONT_SOURCE="$dir/unifont.$ext"
-      break 2
-    fi
+    done
  done
-done
+else
+  FONT_SOURCE="$with_unifont"
+fi

 if test x"$enable_build_grub_mkfont" = xno ; then
  FONT_SOURCE=
@ -1769,17 +1956,11 @@ if test x"$enable_grub_mount" = xno ; then
 fi

 if test x"$grub_mount_excuse" = x ; then
-  AC_CHECK_LIB([fuse], [fuse_main_real], [],
-               [grub_mount_excuse="need FUSE library"])
-fi
-
-if test x"$grub_mount_excuse" = x ; then
-  # Check for fuse headers.
-  SAVED_CPPFLAGS="$CPPFLAGS"
-  CPPFLAGS="$CPPFLAGS -DFUSE_USE_VERSION=26"
-  AC_CHECK_HEADERS([fuse/fuse.h], [],
-  	[grub_mount_excuse=["need FUSE headers"]])
-  CPPFLAGS="$SAVED_CPPFLAGS"
+  PKG_CHECK_MODULES([FUSE], [fuse3], [FUSE_CFLAGS="$FUSE_CFLAGS -DFUSE_USE_VERSION=32"], [
+    PKG_CHECK_MODULES([FUSE], [fuse], [FUSE_CFLAGS="$FUSE_CFLAGS -DFUSE_USE_VERSION=26"], [
+      grub_mount_excuse="need fuse or fuse3 libraries"
+    ])
+  ])
 fi

 if test x"$enable_grub_mount" = xyes && test x"$grub_mount_excuse" != x ; then
@ -1883,8 +2064,19 @@ fi

 if test x"$libzfs_excuse" = x ; then
  AC_CHECK_LIB([nvpair], [nvlist_lookup_string],
-               [],
-               [libzfs_excuse="need nvpair library"])
+               [have_normal_nvpair=yes],
+               [have_normal_nvpair=no])
+  if test x"$have_normal_nvpair" = xno ; then
+    AC_CHECK_LIB([nvpair], [opensolaris_nvlist_lookup_string],
+                 [have_prefixed_nvpair=yes],
+                 [have_prefixed_nvpair=no])
+    if test x"$have_prefixed_nvpair" = xyes ; then
+      AC_DEFINE([GRUB_UTIL_NVPAIR_IS_PREFIXED], [1],
+            [Define to 1 if libnvpair symbols are prefixed with opensolaris_.])
+    else
+      libzfs_excuse="need nvpair library"
+    fi
+  fi
 fi

 if test x"$enable_libzfs" = xyes && test x"$libzfs_excuse" != x ; then
@ -1894,16 +2086,37 @@ fi
 if test x"$libzfs_excuse" = x ; then
  # We need both libzfs and libnvpair for a successful build.
  LIBZFS="-lzfs"
-  AC_DEFINE([HAVE_LIBZFS], [1],
-            [Define to 1 if you have the ZFS library.])
  LIBNVPAIR="-lnvpair"
-  AC_DEFINE([HAVE_LIBNVPAIR], [1],
-            [Define to 1 if you have the NVPAIR library.])
+  AC_DEFINE([USE_LIBZFS], [1],
+            [Define to 1 if ZFS library should be used.])
 fi

 AC_SUBST([LIBZFS])
 AC_SUBST([LIBNVPAIR])

+AC_ARG_ENABLE([grub-protect],
+	      [AS_HELP_STRING([--enable-grub-protect],
+                             [build and install the `grub-protect' utility (default=guessed)])])
+if test x"$enable_grub_protect" = xno ; then
+  grub_protect_excuse="explicitly disabled"
+fi
+
+LIBTASN1=
+if test x"$grub_protect_excuse" = x ; then
+  AC_CHECK_LIB([tasn1], [asn1_write_value], [LIBTASN1="-ltasn1"], [grub_protect_excuse="need libtasn1 library"])
+fi
+AC_SUBST([LIBTASN1])
+
+if test x"$enable_grub_protect" = xyes && test x"$grub_protect_excuse" != x ; then
+  AC_MSG_ERROR([grub-protect was explicitly requested but can't be compiled ($grub_protect_excuse)])
+fi
+if test x"$grub_protect_excuse" = x ; then
+enable_grub_protect=yes
+else
+enable_grub_protect=no
+fi
+AC_SUBST([enable_grub_protect])
+
 LIBS=""

 AC_SUBST([FONT_SOURCE])
@ -1922,6 +2135,10 @@ AC_ARG_ENABLE([werror],
 if test x"$enable_werror" != xno ; then
  TARGET_CFLAGS="$TARGET_CFLAGS -Werror"
  HOST_CFLAGS="$HOST_CFLAGS -Werror"
+  if test "x$grub_cv_cc_target_clang" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -Wno-error=vla"
+    HOST_CFLAGS="$HOST_CFLAGS -Wno-error=vla"
+  fi
 fi

 TARGET_CPP="$TARGET_CC -E"
@ -1969,36 +2186,38 @@ AC_SUBST(BUILD_LIBM)

 AM_CONDITIONAL([COND_real_platform], [test x$platform != xnone])
 AM_CONDITIONAL([COND_emu], [test x$platform = xemu])
-AM_CONDITIONAL([COND_i386_pc], [test x$target_cpu = xi386 -a x$platform = xpc])
-AM_CONDITIONAL([COND_i386_efi], [test x$target_cpu = xi386 -a x$platform = xefi])
-AM_CONDITIONAL([COND_ia64_efi], [test x$target_cpu = xia64 -a x$platform = xefi])
-AM_CONDITIONAL([COND_i386_qemu], [test x$target_cpu = xi386 -a x$platform = xqemu])
-AM_CONDITIONAL([COND_i386_ieee1275], [test x$target_cpu = xi386 -a x$platform = xieee1275])
-AM_CONDITIONAL([COND_i386_coreboot], [test x$target_cpu = xi386 -a x$platform = xcoreboot])
-AM_CONDITIONAL([COND_i386_multiboot], [test x$target_cpu = xi386 -a x$platform = xmultiboot])
-AM_CONDITIONAL([COND_x86_64_efi], [test x$target_cpu = xx86_64 -a x$platform = xefi])
-AM_CONDITIONAL([COND_i386_xen], [test x$target_cpu = xi386 -a x$platform = xxen])
-AM_CONDITIONAL([COND_i386_xen_pvh], [test x$target_cpu = xi386 -a x$platform = xxen_pvh])
-AM_CONDITIONAL([COND_x86_64_xen], [test x$target_cpu = xx86_64 -a x$platform = xxen])
-AM_CONDITIONAL([COND_mips_loongson], [test x$target_cpu = xmipsel -a x$platform = xloongson])
-AM_CONDITIONAL([COND_mips_qemu_mips], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xqemu_mips])
-AM_CONDITIONAL([COND_mips_arc], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xarc])
-AM_CONDITIONAL([COND_sparc64_ieee1275], [test x$target_cpu = xsparc64 -a x$platform = xieee1275])
-AM_CONDITIONAL([COND_sparc64_emu], [test x$target_cpu = xsparc64 -a x$platform = xemu])
-AM_CONDITIONAL([COND_powerpc_ieee1275], [test x$target_cpu = xpowerpc -a x$platform = xieee1275])
-AM_CONDITIONAL([COND_mips], [test x$target_cpu = xmips -o x$target_cpu = xmipsel])
-AM_CONDITIONAL([COND_mipsel], [test x$target_cpu = xmipsel])
-AM_CONDITIONAL([COND_mipseb], [test x$target_cpu = xmips])
 AM_CONDITIONAL([COND_arm], [test x$target_cpu = xarm ])
 AM_CONDITIONAL([COND_arm_uboot], [test x$target_cpu = xarm -a x$platform = xuboot])
 AM_CONDITIONAL([COND_arm_coreboot], [test x$target_cpu = xarm -a x$platform = xcoreboot])
 AM_CONDITIONAL([COND_arm_efi], [test x$target_cpu = xarm -a x$platform = xefi])
 AM_CONDITIONAL([COND_arm64], [test x$target_cpu = xarm64 ])
 AM_CONDITIONAL([COND_arm64_efi], [test x$target_cpu = xarm64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_ia64_efi], [test x$target_cpu = xia64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_i386_pc], [test x$target_cpu = xi386 -a x$platform = xpc])
+AM_CONDITIONAL([COND_i386_efi], [test x$target_cpu = xi386 -a x$platform = xefi])
+AM_CONDITIONAL([COND_i386_qemu], [test x$target_cpu = xi386 -a x$platform = xqemu])
+AM_CONDITIONAL([COND_i386_ieee1275], [test x$target_cpu = xi386 -a x$platform = xieee1275])
+AM_CONDITIONAL([COND_i386_coreboot], [test x$target_cpu = xi386 -a x$platform = xcoreboot])
+AM_CONDITIONAL([COND_i386_multiboot], [test x$target_cpu = xi386 -a x$platform = xmultiboot])
+AM_CONDITIONAL([COND_i386_xen], [test x$target_cpu = xi386 -a x$platform = xxen])
+AM_CONDITIONAL([COND_i386_xen_pvh], [test x$target_cpu = xi386 -a x$platform = xxen_pvh])
+AM_CONDITIONAL([COND_loongarch64], [test x$target_cpu = xloongarch64])
+AM_CONDITIONAL([COND_loongarch64_efi], [test x$target_cpu = xloongarch64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_mips], [test x$target_cpu = xmips -o x$target_cpu = xmipsel])
+AM_CONDITIONAL([COND_mips_arc], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xarc])
+AM_CONDITIONAL([COND_mips_loongson], [test x$target_cpu = xmipsel -a x$platform = xloongson])
+AM_CONDITIONAL([COND_mips_qemu_mips], [test "(" x$target_cpu = xmips -o x$target_cpu = xmipsel ")"  -a x$platform = xqemu_mips])
+AM_CONDITIONAL([COND_mipsel], [test x$target_cpu = xmipsel])
+AM_CONDITIONAL([COND_mipseb], [test x$target_cpu = xmips])
+AM_CONDITIONAL([COND_powerpc_ieee1275], [test x$target_cpu = xpowerpc -a x$platform = xieee1275])
 AM_CONDITIONAL([COND_riscv32], [test x$target_cpu = xriscv32 ])
 AM_CONDITIONAL([COND_riscv64], [test x$target_cpu = xriscv64 ])
 AM_CONDITIONAL([COND_riscv32_efi], [test x$target_cpu = xriscv32 -a x$platform = xefi])
 AM_CONDITIONAL([COND_riscv64_efi], [test x$target_cpu = xriscv64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_sparc64_ieee1275], [test x$target_cpu = xsparc64 -a x$platform = xieee1275])
+AM_CONDITIONAL([COND_sparc64_emu], [test x$target_cpu = xsparc64 -a x$platform = xemu])
+AM_CONDITIONAL([COND_x86_64_efi], [test x$target_cpu = xx86_64 -a x$platform = xefi])
+AM_CONDITIONAL([COND_x86_64_xen], [test x$target_cpu = xx86_64 -a x$platform = xxen])

 AM_CONDITIONAL([COND_HOST_HURD], [test x$host_kernel = xhurd])
 AM_CONDITIONAL([COND_HOST_LINUX], [test x$host_kernel = xlinux])
@ -2009,10 +2228,12 @@ AM_CONDITIONAL([COND_HOST_XNU], [test x$host_kernel = xxnu])
 AM_CONDITIONAL([COND_HOST_ILLUMOS], [test x$host_kernel = xillumos])

 AM_CONDITIONAL([COND_MAN_PAGES], [test x$cross_compiling = xno -a x$HELP2MAN != x])
+AM_CONDITIONAL([COND_GRUB_EMU_SDL2], [test x$enable_grub_emu_sdl2 = xyes])
 AM_CONDITIONAL([COND_GRUB_EMU_SDL], [test x$enable_grub_emu_sdl = xyes])
 AM_CONDITIONAL([COND_GRUB_EMU_PCI], [test x$enable_grub_emu_pci = xyes])
 AM_CONDITIONAL([COND_GRUB_MKFONT], [test x$enable_grub_mkfont = xyes])
 AM_CONDITIONAL([COND_GRUB_MOUNT], [test x$enable_grub_mount = xyes])
+AM_CONDITIONAL([COND_GRUB_PROTECT], [test x$enable_grub_protect = xyes])
 AM_CONDITIONAL([COND_HAVE_FONT_SOURCE], [test x$FONT_SOURCE != x])
 if test x$FONT_SOURCE != x ; then
   HAVE_FONT_SOURCE=1
@ -2030,6 +2251,7 @@ AM_CONDITIONAL([COND_HAVE_CXX], [test x$HAVE_CXX = xyes])
 AM_CONDITIONAL([COND_HAVE_ASM_USCORE], [test x$HAVE_ASM_USCORE = x1])
 AM_CONDITIONAL([COND_STARFIELD], [test "x$starfield_excuse" = x])
 AM_CONDITIONAL([COND_HAVE_EXEC], [test "x$have_exec" = xy])
+AM_CONDITIONAL([COND_HAVE_PCI], [test "x$have_pci" = xy])

 test "x$prefix" = xNONE && prefix="$ac_default_prefix"
 test "x$exec_prefix" = xNONE && exec_prefix="${prefix}"
@ -2086,6 +2308,11 @@ echo "*******************************************************"
 echo GRUB2 will be compiled with following components:
 echo Platform: "$target_cpu"-"$platform"
 if [ x"$platform" = xemu ]; then
+if [ x"$grub_emu_sdl2_excuse" = x ]; then
+echo SDL2 support for grub-emu: Yes
+else
+echo SDL2 support for grub-emu: No "($grub_emu_sdl2_excuse)"
+fi
 if [ x"$grub_emu_sdl_excuse" = x ]; then
 echo SDL support for grub-emu: Yes
 else
@ -2134,6 +2361,11 @@ echo grub-mount: Yes
 else
 echo grub-mount: No "($grub_mount_excuse)"
 fi
+if [ x"$grub_protect_excuse" = x ]; then
+echo grub-protect: Yes
+else
+echo grub-protect: No "($grub_protect_excuse)"
+fi
 if [ x"$starfield_excuse" = x ]; then
 echo starfield theme: Yes
 echo With DejaVuSans font from $DJVU_FONT_SOURCE
--- a/docs/grub-dev.texi
+++ b/docs/grub-dev.texi
@ -77,7 +77,9 @@ This edition documents version @value{VERSION}.
 * Coding style::
 * Finding your way around::
 * Contributing Changes::
+* Setting up and running test suite::
 * Updating External Code::
+* Debugging::
 * Porting::
 * Error Handling::
 * Stack and heap size::
@ -95,8 +97,8 @@ This edition documents version @value{VERSION}.
@node Getting the source code
@chapter Getting the source code

-GRUB is maintained using the @uref{GIT revision
-control system}.  To fetch:
+GRUB is maintained using the @uref{https://git-scm.com/book/en/v2,
+GIT revision control system}.  To fetch:

@example
 git clone git://git.sv.gnu.org/grub.git
@ -345,8 +347,8 @@ manual and try GRUB 2 out to see what you think is missing from there.

 Here are additional pointers:
@itemize
-@item @url{https://savannah.gnu.org/task/?group=grub GRUB's Task Tracker}
-@item @url{https://savannah.gnu.org/bugs/?group=grub GRUB's Bug Tracker}
+@item @uref{https://savannah.gnu.org/task/?group=grub, GRUB's Task Tracker}
+@item @uref{https://savannah.gnu.org/bugs/?group=grub, GRUB's Bug Tracker}
@end itemize

 If you intended to make changes to GRUB Legacy (<=0.97) those are not accepted
@ -460,7 +462,7 @@ and the FSF clerks have dealt with your copyright assignment.
@section When you are approved for write access to project's files

 As you might know, GRUB is hosted on
-@url{https://savannah.gnu.org/projects/grub Savannah}, thus the membership
+@uref{https://savannah.gnu.org/projects/grub, Savannah}, thus the membership
 is managed by Savannah. This means that, if you want to be a member of this
 project:

@ -483,6 +485,17 @@ If your intention is to just get started, please do not submit a inclusion
 request. Instead, please subscribe to the mailing list, and communicate first
 (e.g. sending a patch, asking a question, commenting on another message...).

+@node Setting up and running test suite
+@chapter Setting up and running test suite
+
+GRUB is basically a tiny operating system with read support for many file
+systems and which has been ported to a variety of architectures. As such, its
+test suite has quite a few dependencies required to fully run the suite.
+These dependencies are currently documented in the
+@uref{https://git.savannah.gnu.org/cgit/grub.git/tree/INSTALL, INSTALL}
+file in the source repository. Once installed, the test suite can be started
+by running the @command{make check} command from the GRUB build directory.
+
@node Updating External Code
@chapter Updating external code

@ -493,6 +506,7 @@ to update it.
 * Gnulib::
 * jsmn::
 * minilzo::
+* libtasn1::
@end menu

@node Gnulib
@ -575,14 +589,276 @@ To upgrade to a new version of the miniLZO library, download the release
 tarball and copy the files into the target directory:

@example
-curl -L -O http://www.oberhumer.com/opensource/lzo/download/minilzo-2.08.tar.gz
-tar -zxf minilzo-2.08.tar.gz
-rm minilzo-2.08/testmini.c
+curl -L -O https://www.oberhumer.com/opensource/lzo/download/minilzo-2.10.tar.gz
+tar -zxf minilzo-2.10.tar.gz
+rm minilzo-2.10/testmini.c
 rm -r grub-core/lib/minilzo/*
-cp minilzo-2.08/*.[hc] grub-core/lib/minilzo
-rm -r minilzo-2.08*
+cp minilzo-2.10/*.[hc] grub-core/lib/minilzo
+rm -r minilzo-2.10*
@end example

+@node libtasn1
+@section libtasn1
+
+libtasn1 is a library providing Abstract Syntax Notation One (ASN.1, as
+specified by the X.680 ITU-T recommendation) parsing and structures management,
+and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding
+functions.
+
+To upgrade to a new version of the libtasn1 library, download the release
+tarball and copy the files into the target directory:
+
+@example
+curl -L -O https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.19.0.tar.gz
+tar xvzf libtasn1-4.19.0.tar.gz
+rm -rf grub-core/lib/libtasn1
+mkdir -p grub-core/lib/libtasn1/lib
+mkdir -p grub-core/lib/libtasn1/tests
+cp libtasn1-4.19.0/@{README.md,COPYING@} grub-core/lib/libtasn1
+cp libtasn1-4.19.0/lib/@{coding.c,decoding.c,element.c,element.h,errors.c,gstr.c,gstr.h,int.h,parser_aux.c,parser_aux.h,structure.c,structure.h@} grub-core/lib/libtasn1/lib
+cp libtasn1-4.19.0/lib/includes/libtasn1.h grub-core/lib/libtasn1
+cp libtasn1-4.19.0/tests/@{CVE-2018-1000654-1_asn1_tab.h,CVE-2018-1000654-2_asn1_tab.h,CVE-2018-1000654.c,object-id-decoding.c,object-id-encoding.c,octet-string.c,reproducers.c,Test_overflow.c,Test_simple.c,Test_strings.c@} grub-core/lib/libtasn1/tests
+rm -rf libtasn1-4.19.0*
+@end example
+
+After upgrading the library, it may be necessary to apply the patches in
+@file{grub-core/lib/libtasn1-patches/} to adjust the code to be compatible with
+GRUB. These patches were needed to use the current version of libtasn1. The
+existing patches may not apply cleanly, apply at all, or even be needed for a
+newer version of the library, and other patches may be needed due to changes in
+the newer version. If existing patches need to be refreshed to apply cleanly,
+please include updated patches as part of the a patch set sent to the list.
+If new patches are needed or existing patches are not needed, also please send
+additions or removals as part of any patch set upgrading libtasn1.
+
+@node Debugging
+@chapter Debugging
+
+GRUB2 can be difficult to debug because it runs on the bare-metal and thus
+does not have the debugging facilities normally provided by an operating
+system. This chapter aims to provide useful information on some ways to
+debug GRUB2 for some architectures. It by no means intends to be exhaustive.
+The focus will be one x86_64 and i386 architectures. Luckily for some issues
+virtual machines have made the ability to debug GRUB2 much easier, and this
+chapter will focus debugging via the QEMU virtual machine. We will not be
+going over debugging of the userland tools (eg. grub-install), there are
+many tutorials on debugging programs in userland.
+
+You will need GDB and the QEMU binaries for your system, on Debian these
+can be installed with the @samp{gdb} and @samp{qemu-system-x86} packages.
+Also it is assumed that you have already successfully compiled GRUB2 from
+source for the target specified in the section below and have some
+familiarity with GDB. When GRUB2 is built it will create many different
+binaries. The ones of concern will be in the @file{grub-core}
+directory of the GRUB2 build dir. To aide in debugging we will want the
+debugging symbols generated during the build because these symbols are not
+kept in the binaries which get installed to the boot location. The build
+process outputs two sets of binaries, one without symbols which gets executed
+at boot, and another set of ELF images with debugging symbols. The built
+images with debugging symbols will have a @file{.image} suffix, and the ones
+without a @file{.img} suffix. Similarly, loadable modules with debugging
+symbols will have a @file{.module} suffix, and ones without a @file{.mod}
+suffix. In the case of the kernel the binary with symbols is named
+@file{kernel.exec}.
+
+In the following sections, information will be provided on debugging on
+various targets using @command{gdb} and the @samp{gdb_grub} GDB script.
+
+@menu
+* i386-pc::
+* x86_64-efi::
+@end menu
+
+@node i386-pc
+@section i386-pc
+
+The i386-pc target is a good place to start when first debugging GRUB2
+because in some respects it's easier than EFI platforms. The reason being
+that the initial load address is always known in advance. To start
+debugging GRUB2 first QEMU must be started in GDB stub mode. The following
+command is a simple illustration:
+
+@example
+qemu-system-i386 -drive file=disk.img,format=raw \
+    -device virtio-scsi-pci,id=scsi0 -S -s
+@end example
+
+This will start a QEMU instance booting from @file{disk.img}. It will pause
+at start waiting for a GDB instance to attach to it. You should change
+@file{disk.img} to something more appropriate. A block device can be used,
+but you may need to run QEMU as a privileged user.
+
+To connect to this QEMU instance with GDB, the @code{target remote} GDB
+command must be used. We also need to load a binary image, preferably with
+symbols. This can be done using the GDB command @code{file kernel.exec}, if
+GDB is started from the @file{grub-core} directory in the GRUB2 build
+directory. GRUB2 developers have made this more simple by including a GDB
+script which does much of the setup. This file is at @file{grub-core/gdb_grub}
+in the build directory and is also installed via @command{make install}.
+When using a pre-built GRUB, the distribution may have a package which installs
+this GDB script along with debug symbol binaries, such as Debian's
+@samp{grub-pc-dbg} package. The GDB script is intended to be used
+like so, assuming that @samp{/path/to/script} is the path to the directory
+containing the gdb_grub script and debug symbol files:
+
+@example
+cd $(dirname /path/to/script/gdb_grub)
+gdb -x gdb_grub
+@end example
+
+Once GDB has been started with the @file{gdb_grub} script it will
+automatically connect to the QEMU instance. You can then do things you
+normally would in GDB like set a break point on @var{grub_main}.
+
+Setting breakpoints in modules is trickier since they haven't been loaded
+yet and are loaded at addresses determined at runtime. The module could be
+loaded to different addresses in different QEMU instances. The debug symbols
+in the modules @file{.module} binary, thus are always wrong, and GDB needs
+to be told where to load the symbols to. But this must happen at runtime
+after GRUB2 has determined where the module will get loaded. Luckily the
+@file{gdb_grub} script takes care of this with the @command{runtime_load_module}
+command, which configures GDB to watch for GRUB2 module loading and when
+it does add the module symbols with the appropriate offset.
+
+@node x86_64-efi
+@section x86_64-efi
+
+Using GDB to debug GRUB2 for the x86_64-efi target has some similarities with
+the i386-pc target. Please read and familiarize yourself with the @ref{i386-pc}
+section when reading this one. Extra care must be used to run QEMU such that it
+boots a UEFI firmware. This usually involves either using the @samp{-bios}
+option with a UEFI firmware blob (eg. @file{OVMF.fd}) or loading the firmware
+via pflash. This document will not go further into how to do this as there are
+ample resource on the web.
+
+Like all EFI implementations, on x86_64-efi the (U)EFI firmware that loads
+the GRUB2 EFI application determines at runtime where the application will
+be loaded. This means that we do not know where to tell GDB to load the
+symbols for the GRUB2 core until the (U)EFI firmware determines it. There are
+two good ways of figuring this out when running in QEMU: use a @ref{OVMF debug log,
+debug build of OVMF} and check the debug log, or have GRUB2 say where it is
+loaded. Neither of these are ideal because they both generally give the
+information after GRUB2 is already running, which makes debugging early boot
+infeasible. Technically, the first method does give the load address before
+GRUB2 is run, but without debugging the EFI firmware with symbols, the author
+currently does not know how to cause the OVMF firmware to pause at that point
+to use the load address before GRUB2 is run.
+
+Even after getting the application load address, the loading of core symbols
+is complicated by the fact that the debugging symbols for the kernel are in
+an ELF binary named @file{kernel.exec} while what is in memory are sections
+for the PE32+ EFI binary. When @command{grub-mkimage} creates the PE32+
+binary it condenses several segments from the ELF kernel binary into one
+.data section in the PE32+ binary. This must be taken into account to
+properly load the other non-text sections. Otherwise, GDB will work as
+expected when breaking on functions, but, for instance, global variables
+will point to the wrong address in memory and thus give incorrect values
+(which can be difficult to debug).
+
+Calculating the correct offsets for sections is taken care of automatically
+when loading the kernel symbols via the user-defined GDB command
+@command{dynamic_load_kernel_exec_symbols}, which takes one argument, the
+address where the text section is loaded as determined by one of the methods
+above. Alternatively, the command @command{dynamic_load_symbols} with the text
+section address as an agrument can be called to load the kernel symbols and set
+up loading the module symbols as they are loaded at runtime.
+
+In the author's experience, when debugging with QEMU and OVMF, to have
+debugging symbols loaded at the start of GRUB2 execution the GRUB2 EFI
+application must be run via QEMU at least once prior in order to get the
+load address. Two methods for obtaining the load address are described in
+two subsections below. Generally speaking, the load address does not change
+between QEMU runs. There are exceptions to this, namely that different
+GRUB2 EFI applications can be run at different addresses. Also, it has been
+observed that after running the EFI application for the first time, the
+second run will sometimes have a different load address, but subsequent
+runs of the same EFI application will have the same load address as the
+second run. And it's a near certainty that if the GRUB EFI binary has changed,
+eg. been recompiled, the load address will also be different.
+
+This ability to predict what the load address will be allows one to assume
+the load address on subsequent runs and thus load the symbols before GRUB2
+starts. The following command illustrates this, assuming that QEMU is
+running and waiting for a debugger connection and the current working
+directory is where @file{gdb_grub} resides:
+
+@example
+gdb -x gdb_grub -ex 'dynamic_load_symbols @var{address of .text section}'
+@end example
+
+If you load the symbols in this manner and, after continuing execution, do
+not see output showing the module symbols loading, then it is very likely
+that the load address was incorrect.
+
+Another thing to be aware of is how the loading of the GRUB image by the
+firmware affects previously set software breakpoints. On x86 platforms,
+software breakpoints are implemented by GDB by writing a special processor
+instruction at the location of the desired breakpoint. This special instruction
+when executed will stop the program execution and hand control to the
+debugger, GDB. GDB will first save the instruction bytes that are
+overwritten at the breakpoint and will put them back when the breakpoint
+is hit. If GRUB is being run for the first time in QEMU, the firmware will
+be loading the GRUB image into memory where every byte is already set to 0.
+This means that if a breakpoint is set before GRUB is loaded, GDB will save
+the 0-byte(s) where the the special instruction will go. Then when the firmware
+loads the GRUB image and because it is unaware of the debugger, it will
+write the GRUB image to memory, overwriting anything that was there previously ---
+notably in this case the instruction that implements the software breakpoint.
+This will be confusing for the person using GDB because GDB will show the
+breakpoint as set, but the brekapoint will never be hit. Furthermore, GDB
+then becomes confused, such that even deleting an recreating the breakpoint
+will not create usable breakpoints. The @file{gdb_grub} script takes care of
+this by saving the breakpoints just before they are overwritten, and then
+restores them at the start of GRUB execution. So breakpoints for GRUB can be
+set before GRUB is loaded, but be mindful of this effect if you are confused
+as to why breakpoints are not getting hit.
+
+Also note, that hardware breakpoints do not suffer this problem. They are
+implemented by having the breakpoint address in special debug registers on
+the CPU. So they can always be set freely without regard to whether GRUB has
+been loaded or not. The reason that hardware breakpoints aren't always used
+is because there are a limited number of them, usually around 4 on various
+CPUs, and specifically exactly 4 for x86 CPUs. The @file{gdb_grub} script goes
+out of its way to avoid using hardware breakpoints internally and uses them as
+briefly as possible when needed, thus allowing the user to have a maximal
+number at their disposal.
+
+@menu
+* OVMF debug log::
+* Using the gdbinfo command::
+@end menu
+
+@node OVMF debug log
+@subsection OVMF debug log
+
+In order to get the GRUB2 load address from OVMF, first, a debug build
+of OVMF must be obtained (@uref{https://github.com/retrage/edk2-nightly/raw/master/bin/DEBUGX64_OVMF.fd,
+here is one} which is not officially recommended). OVMF will output debug
+messages to a special serial device, which we must add to QEMU. The following
+QEMU command will run the debug OVMF and write the debug messages to a
+file named @file{debug.log}. It is assumed that @file{disk.img} is a disk
+image or block device that is set up to boot GRUB2 EFI.
+
+@example
+qemu-system-x86_64 -bios /path/to/debug/OVMF.fd \
+    -drive file=disk.img,format=raw \
+    -device virtio-scsi-pci,id=scsi0 \
+    -debugcon file:debug.log -global isa-debugcon.iobase=0x402
+@end example
+
+If GRUB2 was started by the (U)EFI firmware, then in the @file{debug.log}
+file one of the last lines should be a log message like:
+@samp{Loading driver at 0x00006AEE000 EntryPoint=0x00006AEE756}. This
+means that the GRUB2 EFI application was loaded at @samp{0x00006AEE000} and
+its .text section is at @samp{0x00006AEE756}.
+
+@node Using the gdbinfo command
+@subsection Using the gdbinfo command
+
+On EFI platforms the command @command{gdbinfo} will output a string that
+is to be run in a GDB session running with the @file{gdb_grub} GDB script.
+
+
@node Porting
@chapter Porting

@ -760,7 +1036,7 @@ void grub_arch_sync_caches (void *address, grub_size_t len) (cache.S). They
 won't be used for now.

 You will need to create directory include/$cpu/$platform and a file
-include/$cpu/types.h. The later folowing this template:
+include/$cpu/types.h. The latter following this template:

@example
 #ifndef GRUB_TYPES_CPU_HEADER
@ -806,13 +1082,13 @@ If it works next stage is to have heap, console and timer.

 To have the heap working you need to determine which regions are suitable for
 heap usage, allocate them from firmware and map (if applicable). Then call
-grub_mm_init_region (vois *start, grub_size_t s) for every of this region.
+grub_mm_init_region (void *start, grub_size_t s) for every of this region.
 As a shortcut for early port you can allocate right after _end or have
 a big static array for heap. If you do you'll probably need to come back to
 this later. As for output console you should distinguish between an array of
 text, terminfo or graphics-based console. Many of real-world examples don't
 fit perfectly into any of these categories but one of the models is easier
-to be used as base. In second and third case you should add your platform to 
+to be used as base. In second and third case you should add your platform to
 terminfokernel respectively videoinkernel group. A good example of array of
 text is i386-pc (kern/i386/pc/init.c and term/i386/pc/console.c).
 Of terminfo is ieee1275 (kern/ieee1275/init.c and term/ieee1275/console.c).
@ -1034,20 +1310,23 @@ On emu stack and heap are just normal host OS stack and heap. Stack is typically
 On i386-pc, i386-coreboot, i386-qemu and i386-multiboot the stack is 60KiB.
 All available space between 1MiB and 4GiB marks is part of heap.

-On *-xen stack is 4MiB. If compiled for x86-64 with GCC 4.4 or later adressable
-space is unlimited. When compiled for x86-64 with older GCC version adressable
-space is limited to 2GiB. When compiling for i386 adressable space is limited
-to 4GiB. All adressable pages except the ones for stack, GRUB binary, special
+On *-xen stack is 4MiB. If compiled for x86-64 with GCC 4.4 or later addressable
+space is unlimited. When compiled for x86-64 with older GCC version addressable
+space is limited to 2GiB. When compiling for i386 addressable space is limited
+to 4GiB. All addressable pages except the ones for stack, GRUB binary, special
 pages and page table are in the heap.

 On *-efi GRUB uses same stack as EFI. If compiled for x86-64 with GCC 4.4 or
-later adressable space is unlimited. When compiled for x86-64 with older GCC
-version adressable space is limited to 2GiB. For all other platforms adressable
+later addressable space is unlimited. When compiled for x86-64 with older GCC
+version addressable space is limited to 2GiB. For all other platforms addressable
 space is limited to 4GiB. GRUB allocates pages from EFI for its heap, at most
 1.6 GiB.

 On i386-ieee1275 and powerpc-ieee1275 GRUB uses same stack as IEEE1275.
-It allocates at most 32MiB for its heap.
+
+On i386-ieee1275 and powerpc-ieee1275, GRUB will allocate 32MiB for its heap on
+startup. It may allocate more at runtime, as long as at least 128MiB remain free
+in OpenFirmware.

 On sparc64-ieee1275 stack is 256KiB and heap is 2MiB.

@ -1075,7 +1354,7 @@ In short:
@item i386-qemu               @tab 60 KiB  @tab < 4 GiB
@item *-efi                   @tab ?       @tab < 1.6 GiB
@item i386-ieee1275           @tab ?       @tab < 32 MiB
-@item powerpc-ieee1275        @tab ?       @tab < 32 MiB
+@item powerpc-ieee1275        @tab ?       @tab available memory - 128MiB
@item sparc64-ieee1275        @tab 256KiB  @tab 2 MiB
@item arm-uboot               @tab 256KiB  @tab 2 MiB
@item mips(el)-qemu_mips      @tab 2MiB    @tab 253 MiB
@ -1769,7 +2048,7 @@ use in GRUB at this time:
@item BDF 
 Inefficient storage; uses ASCII to describe properties and 
 hexadecimal numbers in ASCII for the bitmap rows.
-@item PCF  
+@item PCF
 Many format variations such as byte order and bitmap padding (rows
 padded to byte, word, etc.) would result in more complex code to
 handle the font format.
@ -1890,8 +2169,8 @@ bit in the byte.  For the sake of compact storage, rows are not padded
 to byte boundaries (i.e., a single byte may contain bits belonging to
 multiple rows).  The last byte of the bitmap @strong{is} padded with zero
 bits in the bits positions to the right of the last used bit if the
-bitmap data does not fill the last byte.  
-         
+bitmap data does not fill the last byte.
+
 The length of the @strong{bitmap data} field is (@var{width} * @var{height} + 7) / 8
 using integer arithmetic, which is equivalent to ceil(@var{width} *
@var{height} / 8) using real number arithmetic.
@ -2036,7 +2315,7 @@ functions (defined in @file{gfxmenu/gui_util.c}) that are particularly useful:

@item @code{grub_gui_find_by_id (root, id, callback, userdata)}:

-This function ecursively traverses the component tree rooted at @var{root}, and
+This function recursively traverses the component tree rooted at @var{root}, and
 for every component that has an ID equal to @var{id}, calls the function pointed
 to by @var{callback} with the matching component and the void pointer @var{userdata}
 as arguments.  The callback function can do whatever is desired to use the
--- a/docs/grub.texi
+++ b/docs/grub.texi
--- a/docs/man/grub-protect.h2m
+++ b/docs/man/grub-protect.h2m
@ -0,0 +1,4 @@
+[NAME]
+grub-protect \- protect a disk key with a key protector
+[DESCRIPTION]
+grub-protect helps to protect a disk encryption key with a specified key protector.
--- a/gentpl.py
+++ b/gentpl.py
@ -32,27 +32,28 @@ GRUB_PLATFORMS = [ "emu", "i386_pc", "i386_efi", "i386_qemu", "i386_coreboot",
                   "mips_loongson", "sparc64_ieee1275",
                   "powerpc_ieee1275", "mips_arc", "ia64_efi",
                   "mips_qemu_mips", "arm_uboot", "arm_efi", "arm64_efi",
-                   "arm_coreboot", "riscv32_efi", "riscv64_efi" ]
+                   "arm_coreboot", "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]

 GROUPS = {}

 GROUPS["common"]   = GRUB_PLATFORMS[:]

 # Groups based on CPU
-GROUPS["i386"]     = [ "i386_pc", "i386_efi", "i386_qemu", "i386_coreboot", "i386_multiboot", "i386_ieee1275" ]
-GROUPS["x86_64"]   = [ "x86_64_efi" ]
-GROUPS["x86"]      = GROUPS["i386"] + GROUPS["x86_64"]
-GROUPS["mips"]     = [ "mips_loongson", "mips_qemu_mips", "mips_arc" ]
-GROUPS["sparc64"]  = [ "sparc64_ieee1275" ]
-GROUPS["powerpc"]  = [ "powerpc_ieee1275" ]
-GROUPS["arm"]      = [ "arm_uboot", "arm_efi", "arm_coreboot" ]
-GROUPS["arm64"]    = [ "arm64_efi" ]
-GROUPS["riscv32"]  = [ "riscv32_efi" ]
-GROUPS["riscv64"]  = [ "riscv64_efi" ]
+GROUPS["i386"]        = [ "i386_pc", "i386_efi", "i386_qemu", "i386_coreboot", "i386_multiboot", "i386_ieee1275" ]
+GROUPS["x86_64"]      = [ "x86_64_efi" ]
+GROUPS["x86"]         = GROUPS["i386"] + GROUPS["x86_64"]
+GROUPS["mips"]        = [ "mips_loongson", "mips_qemu_mips", "mips_arc" ]
+GROUPS["sparc64"]     = [ "sparc64_ieee1275" ]
+GROUPS["powerpc"]     = [ "powerpc_ieee1275" ]
+GROUPS["arm"]         = [ "arm_uboot", "arm_efi", "arm_coreboot" ]
+GROUPS["arm64"]       = [ "arm64_efi" ]
+GROUPS["loongarch64"] = [ "loongarch64_efi" ]
+GROUPS["riscv32"]     = [ "riscv32_efi" ]
+GROUPS["riscv64"]     = [ "riscv64_efi" ]

 # Groups based on firmware
 GROUPS["efi"]  = [ "i386_efi", "x86_64_efi", "ia64_efi", "arm_efi", "arm64_efi",
-		   "riscv32_efi", "riscv64_efi" ]
+		   "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]
 GROUPS["ieee1275"]   = [ "i386_ieee1275", "sparc64_ieee1275", "powerpc_ieee1275" ]
 GROUPS["uboot"] = [ "arm_uboot" ]
 GROUPS["xen"]  = [ "i386_xen", "x86_64_xen" ]
@ -79,7 +80,7 @@ GROUPS["terminfomodule"]   = GRUB_PLATFORMS[:];
 for i in GROUPS["terminfoinkernel"]: GROUPS["terminfomodule"].remove(i)

 # Flattened Device Trees (FDT)
-GROUPS["fdt"] = [ "arm64_efi", "arm_uboot", "arm_efi", "riscv32_efi", "riscv64_efi" ]
+GROUPS["fdt"] = [ "arm64_efi", "arm_uboot", "arm_efi", "loongarch64_efi", "riscv32_efi", "riscv64_efi" ]

 # Needs software helpers for division
 # Must match GRUB_DIVISION_IN_SOFTWARE in misc.h
@ -568,6 +569,7 @@ def foreach_platform_value(defn, platform, suffix, closure):
    for group in RMAP[platform]:
        for value in defn.find_all(group + suffix):
            r.append(closure(value))
+    r.sort()
    return ''.join(r)

 def platform_conditional(platform, closure):
@ -629,7 +631,10 @@ def platform_values(defn, platform, suffix):
 def extra_dist(defn):
    return foreach_value(defn, "extra_dist", lambda value: value + " ")

-def platform_sources(defn, p): return platform_values(defn, p, "")
+def extra_dep(defn):
+    return foreach_value(defn, "depends", lambda value: value + " ")
+
+def platform_sources(defn, p): return platform_values(defn, p, "_head") + platform_values(defn, p, "")
 def platform_nodist_sources(defn, p): return platform_values(defn, p, "_nodist")

 def platform_startup(defn, p): return platform_specific_values(defn, p, "_startup", "startup")
@ -655,7 +660,7 @@ def first_time(defn, snippet):
 def is_platform_independent(defn):
    if 'enable' in defn:
        return False
-    for suffix in [ "", "_nodist" ]:
+    for suffix in [ "", "_head", "_nodist" ]:
        template = platform_values(defn, GRUB_PLATFORMS[0], suffix)
        for platform in GRUB_PLATFORMS[1:]:
            if template != platform_values(defn, platform, suffix):
@ -697,10 +702,14 @@ def module(defn, platform):
    gvar_add("MOD_FILES", name + ".mod")
    gvar_add("MARKER_FILES", name + ".marker")
    gvar_add("CLEANFILES", name + ".marker")
+
+    for dep in defn.find_all("depends"):
+        gvar_add("EXTRA_DEPS", "depends " + name + " " + dep + ":")
+
    output("""
 """ + name + """.marker: $(""" + cname(defn) + """_SOURCES) $(nodist_""" + cname(defn) + """_SOURCES)
 	$(TARGET_CPP) -DGRUB_LST_GENERATOR $(CPPFLAGS_MARKER) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(""" + cname(defn) + """_CPPFLAGS) $(CPPFLAGS) $^ > $@.new || (rm -f $@; exit 1)
-	grep 'MARKER' $@.new > $@; rm -f $@.new
+	grep 'MARKER' $@.new | grep -v '^#' > $@; rm -f $@.new
 """)

 def kernel(defn, platform):
@ -766,7 +775,7 @@ def image(defn, platform):
 if test x$(TARGET_APPLE_LINKER) = x1; then \
  $(MACHO2IMG) $< $@; \
 else \
-  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx $< $@; \
+  $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx -R .interp $< $@; \
 fi
 """)

@ -817,8 +826,7 @@ def program(defn, platform, test=False):
    set_canonical_name_suffix("")

    if 'testcase' in defn:
-        gvar_add("check_PROGRAMS", name)
-        gvar_add("TESTS", name)
+        gvar_add("check_PROGRAMS_" + defn['testcase'], name)
    else:
        var_add(installdir(defn) + "_PROGRAMS", name)
        if 'mansection' in defn:
@ -859,8 +867,7 @@ def script(defn, platform):
    name = defn['name']

    if 'testcase' in defn:
-        gvar_add("check_SCRIPTS", name)
-        gvar_add ("TESTS", name)
+        gvar_add("check_SCRIPTS_" + defn['testcase'], name)
    else:
        var_add(installdir(defn) + "_SCRIPTS", name)
        if 'mansection' in defn:
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@ -90,6 +90,7 @@ endif
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
@ -153,6 +154,7 @@ endif
 if COND_i386_ieee1275
 KERNEL_HEADER_FILES += $(top_builddir)/include/grub/machine/kernel.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/ieee1275.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/alloc.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/terminfo.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lib/arg.h
@ -240,6 +242,7 @@ endif

 if COND_powerpc_ieee1275
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/ieee1275.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/ieee1275/alloc.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/terminfo.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lib/arg.h
@ -288,6 +291,12 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/acpi.h
 endif

+if COND_loongarch64_efi
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/efi.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/acpi.h
+endif
+
 if COND_riscv32_efi
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/efi.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/disk.h
@ -307,9 +316,13 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/net.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/hostdisk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/hostfile.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/extcmd.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/emu/exec.h
 if COND_GRUB_EMU_SDL
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/sdl.h
 endif
+if COND_GRUB_EMU_SDL2
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/sdl.h
+endif
 if COND_GRUB_EMU_PCI
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/libpciaccess.h
 endif
@ -442,8 +455,11 @@ crypto.lst: $(srcdir)/lib/libgcrypt-grub/cipher/crypto.lst
 platform_DATA += crypto.lst
 CLEANFILES += crypto.lst

-syminfo.lst: gensyminfo.sh kernel_syms.lst $(MODULE_FILES)
-	cat kernel_syms.lst > $@.new
+extra_deps.lst:
+	@echo $(EXTRA_DEPS) | sed "s/\s*:\s*/\n/g" > $@
+
+syminfo.lst: gensyminfo.sh kernel_syms.lst extra_deps.lst $(MODULE_FILES)
+	cat kernel_syms.lst extra_deps.lst > $@.new
 	for m in $(MODULE_FILES); do \
 	  sh $< $$m >> $@.new || exit 1; \
 	done
@ -453,7 +469,7 @@ syminfo.lst: gensyminfo.sh kernel_syms.lst $(MODULE_FILES)
 moddep.lst: syminfo.lst genmoddep.awk video.lst
 	cat $< | sort | $(AWK) -f $(srcdir)/genmoddep.awk > $@ || (rm -f $@; exit 1)
 platform_DATA += moddep.lst
-CLEANFILES += config.log syminfo.lst moddep.lst
+CLEANFILES += config.log syminfo.lst moddep.lst extra_deps.lst

 $(MOD_FILES): %.mod : genmod.sh moddep.lst %.module$(EXEEXT) build-grub-module-verifier$(BUILD_EXEEXT)
 	TARGET_OBJ2ELF=@TARGET_OBJ2ELF@ sh $^ $@
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@ -20,8 +20,8 @@ transform_data = {

 transform_data = {
  installdir = platform;
-  name = gmodule.pl;
-  common = gmodule.pl.in;
+  name = gdb_helper.py;
+  common = gdb_helper.py.in;
 };

 transform_data = {
@ -49,26 +49,36 @@ kernel = {

  nostrip = emu;

-  emu_ldflags              = '-Wl,-r,-d';
-  i386_efi_ldflags         = '-Wl,-r,-d';
+  emu_ldflags              = '-Wl,-r';
+  i386_efi_cflags          = '-fshort-wchar';
+  i386_efi_ldflags         = '-Wl,-r';
  i386_efi_stripflags      = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';
-  x86_64_efi_ldflags       = '-Wl,-r,-d';
+  x86_64_efi_cflags        = '-fshort-wchar';
+  x86_64_efi_ldflags       = '-Wl,-r';
  x86_64_efi_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  ia64_efi_cflags = '-fno-builtin -fpic -minline-int-divide-max-throughput';
-  ia64_efi_ldflags = '-Wl,-r,-d';
+  ia64_efi_cflags = '-fshort-wchar -fno-builtin -fpic -minline-int-divide-max-throughput';
+  ia64_efi_ldflags = '-Wl,-r';
  ia64_efi_stripflags = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  arm_efi_ldflags          = '-Wl,-r,-d';
+  arm_efi_cflags           = '-fshort-wchar';
+  arm_efi_ldflags          = '-Wl,-r';
  arm_efi_stripflags       = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

-  arm64_efi_ldflags          = '-Wl,-r,-d';
+  arm64_efi_cflags           = '-fshort-wchar';
+  arm64_efi_ldflags          = '-Wl,-r';
  arm64_efi_stripflags       = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

-  riscv32_efi_ldflags      = '-Wl,-r,-d';
+  loongarch64_efi_cflags       = '-fshort-wchar';
+  loongarch64_efi_ldflags      = '-Wl,-r';
+  loongarch64_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';
+
+  riscv32_efi_cflags       = '-fshort-wchar';
+  riscv32_efi_ldflags      = '-Wl,-r';
  riscv32_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

-  riscv64_efi_ldflags      = '-Wl,-r,-d';
+  riscv64_efi_cflags       = '-fshort-wchar';
+  riscv64_efi_ldflags      = '-Wl,-r';
  riscv64_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';

  i386_pc_ldflags          = '$(TARGET_IMG_LDFLAGS)';
@ -98,9 +108,9 @@ kernel = {
  i386_qemu_cppflags     = '-DGRUB_BOOT_MACHINE_LINK_ADDR=$(GRUB_BOOT_MACHINE_LINK_ADDR)';
  emu_cflags = '$(CFLAGS_GNULIB)';
  emu_cppflags = '$(CPPFLAGS_GNULIB)';
-  arm_uboot_ldflags       = '-Wl,-r,-d';
+  arm_uboot_ldflags       = '-Wl,-r';
  arm_uboot_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';
-  arm_coreboot_ldflags       = '-Wl,-r,-d';
+  arm_coreboot_ldflags       = '-Wl,-r';
  arm_coreboot_stripflags    = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version';

  i386_pc_startup = kern/i386/pc/startup.S;
@ -120,6 +130,7 @@ kernel = {
  arm_coreboot_startup = kern/arm/startup.S;
  arm_efi_startup = kern/arm/efi/startup.S;
  arm64_efi_startup = kern/arm64/efi/startup.S;
+  loongarch64_efi_startup = kern/loongarch64/efi/startup.S;
  riscv32_efi_startup = kern/riscv/efi/startup.S;
  riscv64_efi_startup = kern/riscv/efi/startup.S;

@ -200,6 +211,7 @@ kernel = {

  efi = disk/efi/efidisk.c;
  efi = kern/efi/efi.c;
+  efi = kern/efi/debug.c;
  efi = kern/efi/init.c;
  efi = kern/efi/mm.c;
  efi = term/efi/console.c;
@ -225,7 +237,6 @@ kernel = {

  x86_64 = kern/x86_64/dl.c;
  x86_64_xen = kern/x86_64/dl.c;
-  x86_64_efi = kern/x86_64/efi/callwrap.S;
  x86_64_efi = kern/i386/efi/init.c;
  x86_64_efi = bus/pci.c;

@ -258,6 +269,9 @@ kernel = {
  arm64_efi = kern/arm64/efi/init.c;
  arm64_efi = kern/efi/fdt.c;

+  loongarch64_efi = kern/loongarch64/efi/init.c;
+  loongarch64_efi = kern/efi/fdt.c;
+
  riscv32_efi = kern/riscv/efi/init.c;
  riscv32_efi = kern/efi/fdt.c;

@ -336,6 +350,11 @@ kernel = {
  arm64 = kern/arm64/dl.c;
  arm64 = kern/arm64/dl_helper.c;

+  loongarch64 = kern/loongarch64/cache.c;
+  loongarch64 = kern/loongarch64/cache_flush.S;
+  loongarch64 = kern/loongarch64/dl.c;
+  loongarch64 = kern/loongarch64/dl_helper.c;
+
  riscv32 = kern/riscv/cache.c;
  riscv32 = kern/riscv/cache_flush.S;
  riscv32 = kern/riscv/dl.c;
@ -399,7 +418,7 @@ program = {

  ldadd = 'kernel.exec$(EXEEXT)';
  ldadd = '$(MODULE_FILES)';
-  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(SDL2_LIBS) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';

  enable = emu;
 };
@ -411,7 +430,7 @@ program = {
  emu_nodist = symlist.c;

  ldadd = 'kernel.exec$(EXEEXT)';
-  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+  ldadd = 'lib/gnulib/libgnu.a $(LIBINTL) $(LIBUTIL) $(LIBSDL) $(SDL2_LIBS) $(LIBUSB) $(LIBPCIACCESS) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';

  enable = emu;
 };
@ -517,7 +536,7 @@ image = {

 image = {
  name = xz_decompress;
-  mips = boot/mips/startup_raw.S;
+  mips_head = boot/mips/startup_raw.S;
  common = boot/decompressor/minilib.c;
  common = boot/decompressor/xz.c;
  common = lib/xzembed/xz_dec_bcj.c;
@ -535,7 +554,7 @@ image = {

 image = {
  name = none_decompress;
-  mips = boot/mips/startup_raw.S;
+  mips_head = boot/mips/startup_raw.S;
  common = boot/decompressor/none.c;

  cppflags = '-DGRUB_EMBED_DECOMPRESSOR=1';
@ -695,12 +714,16 @@ module = {
  name = cmostest;
  common = commands/i386/cmostest.c;
  enable = cmos;
+  enable = i386_efi;
+  enable = x86_64_efi;
 };

 module = {
  name = cmosdump;
  common = commands/i386/cmosdump.c;
  enable = cmos;
+  enable = i386_efi;
+  enable = x86_64_efi;
 };

 module = {
@ -743,6 +766,9 @@ module = {
  name = regexp;
  common = commands/regexp.c;
  common = commands/wildcard.c;
+  common = lib/gnulib/malloc/dynarray_finalize.c;
+  common = lib/gnulib/malloc/dynarray_emplace_enlarge.c;
+  common = lib/gnulib/malloc/dynarray_resize.c;
  common = lib/gnulib/regex.c;
  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB)';
@ -808,6 +834,12 @@ module = {
  enable = efi;
 };

+module = {
+  name = efitextmode;
+  efi = commands/efi/efitextmode.c;
+  enable = efi;
+};
+
 module = {
  name = blocklist;
  common = commands/blocklist.c;
@ -827,6 +859,7 @@ module = {
  enable = arm64_efi;
  enable = arm_uboot;
  enable = arm_coreboot;
+  enable = loongarch64_efi;
  enable = riscv32_efi;
  enable = riscv64_efi;
 };
@ -1118,6 +1151,13 @@ module = {
  enable = powerpc_ieee1275;
 };

+module = {
+  name = tpm;
+  common = commands/tpm.c;
+  ieee1275 = commands/ieee1275/ibmvtpm.c;
+  enable = powerpc_ieee1275;
+};
+
 module = {
  name = terminal;
  common = commands/terminal.c;
@ -1169,6 +1209,11 @@ module = {
  common = disk/cryptodisk.c;
 };

+module = {
+  name = plainmount;
+  common = disk/plainmount.c;
+};
+
 module = {
  name = json;
  common = lib/json/json.c;
@ -1237,6 +1282,11 @@ module = {
  common = disk/raid6_recover.c;
 };

+module = {
+  name = key_protector;
+  common = disk/key_protector.c;
+};
+
 module = {
  name = scsi;
  common = disk/scsi.c;
@ -1397,6 +1447,11 @@ module = {
  common = fs/odc.c;
 };

+module = {
+  name = erofs;
+  common = fs/erofs.c;
+};
+
 module = {
  name = ext2;
  common = fs/ext2.c;
@ -1551,6 +1606,7 @@ module = {
  common = fs/zfs/zfs_lz4.c;
  common = fs/zfs/zfs_sha256.c;
  common = fs/zfs/zfs_fletcher.c;
+  cppflags = '-I$(srcdir)/lib/posix_wrap -I$(srcdir)/lib/zstd';
 };

 module = {
@ -1708,6 +1764,7 @@ module = {
  extra_dist = lib/arm/setjmp.S;
  extra_dist = lib/arm64/setjmp.S;
  extra_dist = lib/riscv/setjmp.S;
+  extra_dist = lib/loongarch64/setjmp.S;
 };

 module = {
@ -1806,14 +1863,17 @@ module = {
  sparc64_ieee1275 = loader/sparc64/ieee1275/linux.c;
  ia64_efi = loader/ia64/efi/linux.c;
  arm_coreboot = loader/arm/linux.c;
-  arm_efi = loader/arm64/linux.c;
+  arm_efi = loader/efi/linux.c;
  arm_uboot = loader/arm/linux.c;
-  arm64 = loader/arm64/linux.c;
-  riscv32 = loader/riscv/linux.c;
-  riscv64 = loader/riscv/linux.c;
+  arm64 = loader/efi/linux.c;
+  loongarch64 = loader/efi/linux.c;
+  riscv32 = loader/efi/linux.c;
+  riscv64 = loader/efi/linux.c;
+  i386_efi = loader/efi/linux.c;
+  x86_64_efi = loader/efi/linux.c;
+  emu = loader/emu/linux.c;
  common = loader/linux.c;
  common = lib/cmdline.c;
-  enable = noemu;
 };

 module = {
@ -1905,6 +1965,7 @@ module = {
  enable = ia64_efi;
  enable = arm_efi;
  enable = arm64_efi;
+  enable = loongarch64_efi;
  enable = riscv32_efi;
  enable = riscv64_efi;
  enable = mips;
@ -1947,7 +2008,7 @@ module = {
  extra_dist = script/yylex.l;
  extra_dist = script/parser.y;

-  cflags = '$(CFLAGS_POSIX) -Wno-redundant-decls';
+  cflags = '$(CFLAGS_POSIX) -Wno-redundant-decls -Wno-unused-but-set-variable';
  cppflags = '$(CPPFLAGS_POSIX)';
 };

@ -2033,9 +2094,11 @@ module = {
  name = serial;
  common = term/serial.c;
  x86 = term/ns8250.c;
+  x86 = term/ns8250-spcr.c;
  ieee1275 = term/ieee1275/serial.c;
  mips_arc = term/arc/serial.c;
  efi = term/efi/serial.c;
+  x86 = term/pci/serial.c;

  enable = terminfomodule;
  enable = ieee1275;
@ -2277,6 +2340,14 @@ module = {
  condition = COND_GRUB_EMU_SDL;
 };

+module = {
+  name = sdl;
+  emu = video/emu/sdl.c;
+  enable = emu;
+  condition = COND_GRUB_EMU_SDL2;
+  cflags = '$(SDL2_CFLAGS)';
+};
+
 module = {
  name = datehook;
  common = hook/datehook.c;
@ -2496,6 +2567,34 @@ module = {
  enable = efi;
 };

+module = {
+  name = tss2;
+  common = lib/tss2/buffer.c;
+  common = lib/tss2/tss2_mu.c;
+  common = lib/tss2/tpm2_cmd.c;
+  common = lib/tss2/tss2.c;
+  efi = lib/efi/tcg2.c;
+  emu = lib/tss2/tcg2_emu.c;
+  powerpc_ieee1275 = lib/ieee1275/tcg2.c;
+  enable = efi;
+  enable = emu;
+  enable = powerpc_ieee1275;
+  cppflags = '-I$(srcdir)/lib/tss2';
+};
+
+module = {
+  name = tpm2_key_protector;
+  common = commands/tpm2_key_protector/args.c;
+  common = commands/tpm2_key_protector/module.c;
+  common = commands/tpm2_key_protector/tpm2key.c;
+  common = commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+  /* The plaform support of tpm2_key_protector depends on the tcg2 implementation in tss2. */
+  enable = efi;
+  enable = emu;
+  enable = powerpc_ieee1275;
+  cppflags = '-I$(srcdir)/lib/tss2 -I$(srcdir)/lib/libtasn1-grub';
+};
+
 module = {
  name = tr;
  common = commands/tr.c;
@ -2527,3 +2626,46 @@ module = {
  common = commands/i386/wrmsr.c;
  enable = x86;
 };
+
+module = {
+  name = memtools;
+  common = commands/memtools.c;
+  condition = COND_MM_DEBUG;
+};
+
+module = {
+  name = bli;
+  efi = commands/bli.c;
+  enable = efi;
+  depends = part_gpt;
+};
+
+module = {
+  name = asn1;
+  common = lib/libtasn1-grub/lib/decoding.c;
+  common = lib/libtasn1-grub/lib/coding.c;
+  common = lib/libtasn1-grub/lib/element.c;
+  common = lib/libtasn1-grub/lib/structure.c;
+  common = lib/libtasn1-grub/lib/parser_aux.c;
+  common = lib/libtasn1-grub/lib/gstr.c;
+  common = lib/libtasn1-grub/lib/errors.c;
+  common = lib/libtasn1_wrap/wrap.c;
+  cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
+  /* -Wno-type-limits comes from configure.ac of libtasn1 */
+  cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/libtasn1-grub -I$(srcdir)/lib/libtasn1-grub/lib -Wno-type-limits';
+};
+
+module = {
+  name = asn1_test;
+  common = tests/asn1/tests/CVE-2018-1000654.c;
+  common = tests/asn1/tests/object-id-decoding.c;
+  common = tests/asn1/tests/object-id-encoding.c;
+  common = tests/asn1/tests/octet-string.c;
+  common = tests/asn1/tests/reproducers.c;
+  common = tests/asn1/tests/Test_overflow.c;
+  common = tests/asn1/tests/Test_simple.c;
+  common = tests/asn1/tests/Test_strings.c;
+  common = tests/asn1/asn1_test.c;
+  cflags = '-Wno-uninitialized';
+  cppflags = '-I$(srcdir)/lib/libtasn1-grub -I$(srcdir)/tests/asn1/';
+};
--- a/grub-core/bus/bonito.c
+++ b/grub-core/bus/bonito.c
@ -21,12 +21,12 @@
 #include <grub/misc.h>

 static grub_uint32_t base_win[GRUB_MACHINE_PCI_NUM_WIN];
-static const grub_size_t sizes_win[GRUB_MACHINE_PCI_NUM_WIN] = 
-  {GRUB_MACHINE_PCI_WIN1_SIZE, GRUB_MACHINE_PCI_WIN_SIZE, 
+static const grub_size_t sizes_win[GRUB_MACHINE_PCI_NUM_WIN] =
+  {GRUB_MACHINE_PCI_WIN1_SIZE, GRUB_MACHINE_PCI_WIN_SIZE,
   GRUB_MACHINE_PCI_WIN_SIZE};
 /* Usage counters.  */
 static int usage_win[GRUB_MACHINE_PCI_NUM_WIN];
-static grub_addr_t addr_win[GRUB_MACHINE_PCI_NUM_WIN] = 
+static grub_addr_t addr_win[GRUB_MACHINE_PCI_NUM_WIN] =
  {GRUB_MACHINE_PCI_WIN1_ADDR, GRUB_MACHINE_PCI_WIN2_ADDR,
   GRUB_MACHINE_PCI_WIN3_ADDR};

@ -93,9 +93,9 @@ write_bases_2f (void)
 {
  int i;
  grub_uint32_t reg = 0;
-  for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++) 
-    reg |= (((base_win[i] >> GRUB_MACHINE_PCI_WIN_SHIFT) 
-	     & GRUB_MACHINE_PCI_WIN_MASK) 
+  for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
+    reg |= (((base_win[i] >> GRUB_MACHINE_PCI_WIN_SHIFT)
+	     & GRUB_MACHINE_PCI_WIN_MASK)
 	    << (i * GRUB_MACHINE_PCI_WIN_MASK_SIZE));
  GRUB_MACHINE_PCI_IO_CTRL_REG_2F = reg;
 }
@ -111,23 +111,23 @@ grub_pci_device_map_range (grub_pci_device_t dev __attribute__ ((unused)),

      /* First try already used registers. */
      for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
-	if (usage_win[i] && base_win[i] <= base 
+	if (usage_win[i] && base_win[i] <= base
 	    && base_win[i] + sizes_win[i] > base + size)
 	  {
 	    usage_win[i]++;
-	    return (void *) 
+	    return (void *)
 	      (addr_win[i] | (base & GRUB_MACHINE_PCI_WIN_OFFSET_MASK));
 	  }
      /* Map new register.  */
      newbase = base & ~GRUB_MACHINE_PCI_WIN_OFFSET_MASK;
      for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
-	if (!usage_win[i] && newbase <= base 
+	if (!usage_win[i] && newbase <= base
 	    && newbase + sizes_win[i] > base + size)
 	  {
 	    usage_win[i]++;
 	    base_win[i] = newbase;
 	    write_bases_2f ();
-	    return (void *) 
+	    return (void *)
 	      (addr_win[i] | (base & GRUB_MACHINE_PCI_WIN_OFFSET_MASK));
 	  }
      grub_fatal ("Out of PCI windows.");
@ -164,7 +164,7 @@ grub_pci_device_unmap_range (grub_pci_device_t dev __attribute__ ((unused)),
    {
      int i;
      for (i = 0; i < GRUB_MACHINE_PCI_NUM_WIN; i++)
-	if (usage_win[i] && addr_win[i] 
+	if (usage_win[i] && addr_win[i]
 	    == (((grub_addr_t) mem | 0x20000000)
 		& ~GRUB_MACHINE_PCI_WIN_OFFSET_MASK))
 	  {
--- a/grub-core/bus/cs5536.c
+++ b/grub-core/bus/cs5536.c
@ -72,7 +72,7 @@ grub_cs5536_read_msr (grub_pci_device_t dev, grub_uint32_t addr)
 		  addr);
  ret = (grub_uint64_t)
    grub_pci_read (grub_pci_make_address (dev, GRUB_CS5536_MSR_MAILBOX_DATA0));
-  ret |= (((grub_uint64_t) 
+  ret |= (((grub_uint64_t)
 	  grub_pci_read (grub_pci_make_address (dev,
 						GRUB_CS5536_MSR_MAILBOX_DATA1)))
 	  << 32);
@ -100,7 +100,7 @@ grub_cs5536_smbus_wait (grub_port_t smbbase)
      grub_uint8_t status;
      status = grub_inb (smbbase + GRUB_CS5536_SMB_REG_STATUS);
      if (status & GRUB_CS5536_SMB_REG_STATUS_SDAST)
-	return GRUB_ERR_NONE;	
+	return GRUB_ERR_NONE;
      if (status & GRUB_CS5536_SMB_REG_STATUS_BER)
 	return grub_error (GRUB_ERR_IO, "SM bus error");
      if (status & GRUB_CS5536_SMB_REG_STATUS_NACK)
@ -122,8 +122,8 @@ grub_cs5536_read_spd_byte (grub_port_t smbbase, grub_uint8_t dev,
 	     smbbase + GRUB_CS5536_SMB_REG_CTRL1);

  /* Send device address.  */
-  err = grub_cs5536_smbus_wait (smbbase); 
-  if (err) 
+  err = grub_cs5536_smbus_wait (smbbase);
+  if (err)
    return err;
  grub_outb (dev << 1, smbbase + GRUB_CS5536_SMB_REG_DATA);

@ -139,8 +139,8 @@ grub_cs5536_read_spd_byte (grub_port_t smbbase, grub_uint8_t dev,
  grub_outb (addr, smbbase + GRUB_CS5536_SMB_REG_DATA);

  /* Send START.  */
-  err = grub_cs5536_smbus_wait (smbbase); 
-  if (err) 
+  err = grub_cs5536_smbus_wait (smbbase);
+  if (err)
    return err;
  grub_outb (grub_inb (smbbase + GRUB_CS5536_SMB_REG_CTRL1)
 	     | GRUB_CS5536_SMB_REG_CTRL1_START,
@ -161,7 +161,7 @@ grub_cs5536_read_spd_byte (grub_port_t smbbase, grub_uint8_t dev,
 	     smbbase + GRUB_CS5536_SMB_REG_CTRL1);

  err = grub_cs5536_smbus_wait (smbbase);
-  if (err) 
+  if (err)
    return err;
  *res = grub_inb (smbbase + GRUB_CS5536_SMB_REG_DATA);

@ -198,8 +198,8 @@ grub_cs5536_init_smbus (grub_pci_device_t dev, grub_uint16_t divisor,
  grub_outb (((divisor >> 7) & 0xff), *smbbase + GRUB_CS5536_SMB_REG_CTRL3);
  grub_outb (((divisor << 1) & 0xfe) | GRUB_CS5536_SMB_REG_CTRL2_ENABLE,
 	     *smbbase + GRUB_CS5536_SMB_REG_CTRL2);
-  
-  return GRUB_ERR_NONE; 
+
+  return GRUB_ERR_NONE;
 }

 grub_err_t
@ -217,7 +217,7 @@ grub_cs5536_read_spd (grub_port_t smbbase, grub_uint8_t dev,
  if (b == 0)
    return grub_error (GRUB_ERR_IO, "no SPD found");
  size = b;
-  
+
  ((grub_uint8_t *) res)[0] = b;
  for (ptr = 1; ptr < size; ptr++)
    {
@ -310,7 +310,7 @@ grub_cs5536_init_geode (grub_pci_device_t dev)

  /* Initialise USB controller.  */
  /* FIXME: assign adresses dynamically.  */
-  grub_cs5536_write_msr (dev, GRUB_CS5536_MSR_USB_OHCI_BASE, 
+  grub_cs5536_write_msr (dev, GRUB_CS5536_MSR_USB_OHCI_BASE,
 			 GRUB_CS5536_MSR_USB_BASE_BUS_MASTER
 			 | GRUB_CS5536_MSR_USB_BASE_MEMORY_ENABLE
 			 | 0x05024000);
@ -331,8 +331,9 @@ grub_cs5536_init_geode (grub_pci_device_t dev)

  {
    volatile grub_uint32_t *oc;
-    oc = grub_pci_device_map_range (dev, 0x05022000,
-				    GRUB_CS5536_USB_OPTION_REGS_SIZE);
+
+    oc = grub_absolute_pointer (grub_pci_device_map_range (dev, 0x05022000,
+				GRUB_CS5536_USB_OPTION_REGS_SIZE));

    oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX] =
      (oc[GRUB_CS5536_USB_OPTION_REG_UOCMUX]
--- a/grub-core/bus/pci.c
+++ b/grub-core/bus/pci.c
@ -159,12 +159,12 @@ grub_pci_find_capability (grub_pci_device_t dev, grub_uint8_t cap)

      pos &= ~3;

-      addr = grub_pci_make_address (dev, pos);      
+      addr = grub_pci_make_address (dev, pos);
      id = grub_pci_read_byte (addr);

      if (id == 0xff)
 	break;
-      
+
      if (id == cap)
 	return pos;
      pos++;
--- a/grub-core/bus/usb/ehci-pci.c
+++ b/grub-core/bus/usb/ehci-pci.c
@ -96,7 +96,7 @@ grub_ehci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 	  return 0;
 	}
      grub_dprintf ("ehci", "EHCI grub_ehci_pci_iter: bus rev. num. OK\n");
-  
+
      /* Determine EHCI EHCC registers base address.  */
      addr = grub_pci_make_address (dev, GRUB_PCI_REG_ADDRESS_REG0);
      base = grub_pci_read (addr);
@ -125,7 +125,7 @@ grub_ehci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 			  GRUB_PCI_COMMAND_MEM_ENABLED
 			  | GRUB_PCI_COMMAND_BUS_MASTER
 			  | grub_pci_read_word(addr));
-      
+
      grub_dprintf ("ehci", "EHCI grub_ehci_pci_iter: 32-bit EHCI OK\n");
    }

@ -142,7 +142,7 @@ grub_ehci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
    /* Determine and change ownership. */
  /* EECP offset valid in HCCPARAMS */
  /* Ownership can be changed via EECP only */
-  if (pciid != GRUB_CS5536_PCIID && eecp_offset >= 0x40)	
+  if (pciid != GRUB_CS5536_PCIID && eecp_offset >= 0x40)
    {
      grub_pci_address_t pciaddr_eecp;
      pciaddr_eecp = grub_pci_make_address (dev, eecp_offset);
--- a/grub-core/bus/usb/ehci.c
+++ b/grub-core/bus/usb/ehci.c
@ -218,7 +218,7 @@ enum

 #define GRUB_EHCI_TERMINATE      (1<<0)

-#define GRUB_EHCI_TOGGLE         (1<<31)
+#define GRUB_EHCI_TOGGLE         ((grub_uint32_t) 1<<31)

 enum
 {
@ -498,8 +498,8 @@ grub_ehci_init_device (volatile void *regs)
    }
  e->iobase = ((volatile grub_uint32_t *) e->iobase_ehcc
 	       + (caplen / sizeof (grub_uint32_t)));
-#else  
-  e->iobase = (volatile grub_uint32_t *) 
+#else
+  e->iobase = (volatile grub_uint32_t *)
    ((grub_uint8_t *) e->iobase_ehcc + caplen);
 #endif

@ -869,7 +869,7 @@ grub_ehci_find_qh (struct grub_ehci *e, grub_usb_transfer_t transfer)
    i++ )
    {
      if (target == (qh_iter->ep_char & mask))
-	{		
+	{
 	  /* Found proper existing (and linked) QH, do setup of QH */
 	  grub_dprintf ("ehci", "find_qh: found, QH=%p\n", qh_iter);
 	  grub_ehci_setup_qh (qh_iter, transfer);
@ -1813,7 +1813,7 @@ static struct grub_usb_controller_dev usb_controller = {
  .portstatus = grub_ehci_portstatus,
  .detect_dev = grub_ehci_detect_dev,
  /* estimated max. count of TDs for one bulk transfer */
-  .max_bulk_tds = GRUB_EHCI_N_TD * 3 / 4 
+  .max_bulk_tds = GRUB_EHCI_N_TD * 3 / 4
 };

 GRUB_MOD_INIT (ehci)
--- a/grub-core/bus/usb/ohci.c
+++ b/grub-core/bus/usb/ohci.c
@ -196,7 +196,7 @@ grub_ohci_td_virt2phys (struct grub_ohci *o,  grub_ohci_td_t x)
  return (grub_uint8_t *)x - (grub_uint8_t *)o->td + o->td_addr;
 }

-  
+
 static grub_uint32_t
 grub_ohci_readreg32 (struct grub_ohci *o, grub_ohci_reg_t reg)
 {
@ -224,7 +224,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
  struct grub_ohci *o;
  grub_uint32_t revision;
  int j;
-  
+
  /* Determine IO base address.  */
  grub_dprintf ("ohci", "pciid = %x\n", pciid);

@ -253,7 +253,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,

      addr = grub_pci_make_address (dev, GRUB_PCI_REG_CLASS);
      class_code = grub_pci_read (addr) >> 8;
-      
+
      interf = class_code & 0xFF;
      subclass = (class_code >> 8) & 0xFF;
      class = class_code >> 16;
@ -315,7 +315,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 	       * GRUB_OHCI_CTRL_EDS);
  for (j=0; j < GRUB_OHCI_CTRL_EDS; j++)
    o->ed_ctrl[j].target = grub_cpu_to_le32_compile_time (1 << 14); /* skip */
-    
+
  grub_dprintf ("ohci", "EDs-C: chunk=%p, virt=%p, phys=0x%02x\n",
                o->ed_ctrl_chunk, o->ed_ctrl, o->ed_ctrl_addr);

@ -385,7 +385,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 	    grub_dprintf("ohci", "Ownership changing timeout, change forced !\n");
 	  }
      }
-    else if (((control & 0x100) == 0) && 
+    else if (((control & 0x100) == 0) &&
 	     ((control & 0xc0) != 0)) /* Not owned by SMM nor reset */
      {
 	grub_dprintf("ohci", "OHCI is owned by BIOS\n");
@ -396,7 +396,7 @@ grub_ohci_pci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
      {
 	grub_dprintf("ohci", "OHCI is not owned by SMM nor BIOS\n");
 	/* We can setup OHCI. */
-      }  
+      }
  }

  /* Suspend the OHCI by issuing a reset.  */
@ -513,7 +513,7 @@ grub_ohci_find_ed (struct grub_ohci *o, int bulk, grub_uint32_t target)

  /* Use proper values and structures. */
  if (bulk)
-    {    
+    {
      count = GRUB_OHCI_BULK_EDS;
      ed = o->ed_bulk;
      ed_next = grub_ohci_ed_phys2virt(o, bulk,
@ -576,7 +576,7 @@ grub_ohci_alloc_td (struct grub_ohci *o)
 static void
 grub_ohci_free_td (struct grub_ohci *o, grub_ohci_td_t td)
 {
-  grub_memset ( (void*)td, 0, sizeof(struct grub_ohci_td) ); 
+  grub_memset ( (void*)td, 0, sizeof(struct grub_ohci_td) );
  td->link_td = o->td_free; /* Cahin new free TD & rest */
  o->td_free = td; /* Change address of first free TD */
 }
@ -586,7 +586,7 @@ grub_ohci_free_tds (struct grub_ohci *o, grub_ohci_td_t td)
 {
  if (!td)
    return;
-    
+
  /* Unchain first TD from previous TD if it is chained */
  if (td->prev_td_phys)
    {
@ -596,12 +596,12 @@ grub_ohci_free_tds (struct grub_ohci *o, grub_ohci_td_t td)
      if (td == (grub_ohci_td_t) td_prev_virt->link_td)
        td_prev_virt->link_td = 0;
    }
-  
+
  /* Free all TDs from td  (chained by link_td) */
  while (td)
    {
      grub_ohci_td_t tdprev;
-      
+
      /* Unlink the queue.  */
      tdprev = td;
      td = (grub_ohci_td_t) td->link_td;
@ -658,7 +658,7 @@ grub_ohci_transaction (grub_ohci_td_t td,
      td->buffer = grub_cpu_to_le32 (buffer);
      td->buffer_end = grub_cpu_to_le32 (buffer_end);
    }
-  else 
+  else
    {
      td->buffer = 0;
      td->buffer_end = 0;
@ -728,7 +728,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,
      grub_free (cdata);
      return GRUB_USB_ERR_INTERNAL;
    }
-  
+
  /* Take pointer to first TD from ED */
  td_head_phys = grub_le_to_cpu32 (cdata->ed_virt->td_head) & ~0xf;
  td_tail_phys = grub_le_to_cpu32 (cdata->ed_virt->td_tail) & ~0xf;
@ -743,7 +743,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,
      grub_free (cdata);
      return GRUB_USB_ERR_INTERNAL;
    }
-  
+
  /* Now we should handle first TD. If ED is newly allocated,
   * we must allocate the first TD. */
  if (!td_head_phys)
@ -762,7 +762,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,
    }
  else
    cdata->td_head_virt = grub_ohci_td_phys2virt ( o, td_head_phys );
-    
+
  /* Set TDs */
  cdata->td_last_phys = td_head_phys; /* initial value to make compiler happy... */
  for (i = 0, cdata->td_current_virt = cdata->td_head_virt;
@ -775,10 +775,10 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,

      /* Set index of TD in transfer */
      cdata->td_current_virt->tr_index = (grub_uint32_t) i;
-      
+
      /* Remember last used (processed) TD phys. addr. */
      cdata->td_last_phys = grub_ohci_td_virt2phys (o, cdata->td_current_virt);
-      
+
      /* Allocate next TD */
      td_next_virt = grub_ohci_alloc_td (o);
      if (!td_next_virt) /* No free TD, cancel transfer and free TDs except head TD */
@ -807,7 +807,7 @@ grub_ohci_setup_transfer (grub_usb_controller_t dev,

  grub_dprintf ("ohci", "Tail TD (not processed) = %p\n",
                cdata->td_current_virt);
-  
+
  /* Setup the Endpoint Descriptor for transfer.  */
  /* First set necessary fields in TARGET but keep (or set) skip bit */
  /* Note: It could be simpler if speed, format and max. packet
@ -923,7 +923,7 @@ finish_transfer (grub_usb_controller_t dev,
  struct grub_ohci_transfer_controller_data *cdata = transfer->controller_data;

  /* Set empty ED - set HEAD = TAIL = last (not processed) TD */
-  cdata->ed_virt->td_head = grub_cpu_to_le32 (grub_le_to_cpu32 (cdata->ed_virt->td_tail) & ~0xf); 
+  cdata->ed_virt->td_head = grub_cpu_to_le32 (grub_le_to_cpu32 (cdata->ed_virt->td_tail) & ~0xf);

  /* At this point always should be:
   * ED has skip bit set and halted or empty or after next SOF,
@ -935,7 +935,7 @@ finish_transfer (grub_usb_controller_t dev,
    {
      grub_ohci_td_t td_prev_virt
 	= grub_ohci_td_phys2virt (o, cdata->td_current_virt->prev_td_phys);
-      
+
      if (cdata->td_current_virt == (grub_ohci_td_t) td_prev_virt->link_td)
        td_prev_virt->link_td = 0;

@ -978,7 +978,7 @@ parse_halt (grub_usb_controller_t dev,
    }
  else
    transfer->last_trans = -1;
-  
+
  /* Evaluation of error code */
  grub_dprintf ("ohci", "OHCI tderr_phys=0x%02x, errcode=0x%02x\n",
 		cdata->tderr_phys, errcode);
@ -1089,7 +1089,7 @@ parse_success (grub_usb_controller_t dev,

  /* Prepare pointer to last processed TD */
  tderr_virt = grub_ohci_td_phys2virt (o, cdata->tderr_phys);
-  
+
  /* Set index of last processed TD */
  if (tderr_virt)
    transfer->last_trans = tderr_virt->tr_index;
@ -1207,7 +1207,7 @@ grub_ohci_cancel_transfer (grub_usb_controller_t dev,
  cdata->tderr_phys
    = grub_ohci_td_phys2virt (o, grub_le_to_cpu32 (cdata->ed_virt->td_head)
                              & ~0xf)->prev_td_phys;
-    
+
  tderr_virt = grub_ohci_td_phys2virt (o,cdata-> tderr_phys);

  grub_dprintf ("ohci", "Cancel: tderr_phys=0x%x, tderr_virt=%p\n",
@ -1249,7 +1249,7 @@ grub_ohci_portstatus (grub_usb_controller_t dev,
         grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port));
       return GRUB_USB_ERR_NONE;
     }
-     
+
   /* OHCI does one reset signal 10ms long but USB spec.
    * requests 50ms for root hub (no need to be continuous).
    * So, we do reset 5 times... */
@ -1276,7 +1276,7 @@ grub_ohci_portstatus (grub_usb_controller_t dev,
   grub_ohci_writereg32 (o, GRUB_OHCI_REG_RHUBPORT + port,
                         GRUB_OHCI_SET_PORT_ENABLE);
   grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port);
-   
+
   /* Wait for signal enabled */
   endtime = grub_get_time_ms () + 1000;
   while (! (grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port)
@ -1290,10 +1290,10 @@ grub_ohci_portstatus (grub_usb_controller_t dev,

   /* "Reset recovery time" (USB spec.) */
   grub_millisleep (10);
-   
+
   grub_dprintf ("ohci", "end of portstatus=0x%02x\n",
 		 grub_ohci_readreg32 (o, GRUB_OHCI_REG_RHUBPORT + port));
- 
+
   return GRUB_USB_ERR_NONE;
 }

--- a/grub-core/bus/usb/serial/common.c
+++ b/grub-core/bus/usb/serial/common.c
@ -93,7 +93,7 @@ grub_usbserial_attach (grub_usb_device_t usbdev, int configno, int interfno,
  /* Configure device */
  if (port->out_endp && port->in_endp)
    err = grub_usb_set_configuration (usbdev, configno + 1);
-  
+
  if (!port->out_endp || !port->in_endp || err)
    {
      grub_free (port->name);
--- a/grub-core/bus/usb/serial/ftdi.c
+++ b/grub-core/bus/usb/serial/ftdi.c
@ -174,7 +174,7 @@ static struct grub_serial_driver grub_ftdi_driver =
    .fini = grub_usbserial_fini
  };

-static const struct 
+static const struct
 {
  grub_uint16_t vendor, product;
 } products[] =
--- a/grub-core/bus/usb/serial/pl2303.c
+++ b/grub-core/bus/usb/serial/pl2303.c
@ -187,7 +187,7 @@ static struct grub_serial_driver grub_pl2303_driver =
    .fini = grub_usbserial_fini
  };

-static const struct 
+static const struct
 {
  grub_uint16_t vendor, product;
 } products[] =
--- a/grub-core/bus/usb/uhci.c
+++ b/grub-core/bus/usb/uhci.c
@ -244,10 +244,10 @@ grub_uhci_pci_iter (grub_pci_device_t dev,
  u->iobase = (base & GRUB_UHCI_IOMASK) + GRUB_MACHINE_PCI_IO_BASE;

  /* Reset PIRQ and SMI */
-  addr = grub_pci_make_address (dev, GRUB_UHCI_REG_USBLEGSUP);       
+  addr = grub_pci_make_address (dev, GRUB_UHCI_REG_USBLEGSUP);
  grub_pci_write_word(addr, GRUB_UHCI_RESET_LEGSUP_SMI);
  /* Reset the HC */
-  grub_uhci_writereg16(u, GRUB_UHCI_REG_USBCMD, GRUB_UHCI_CMD_HCRESET); 
+  grub_uhci_writereg16(u, GRUB_UHCI_REG_USBCMD, GRUB_UHCI_CMD_HCRESET);
  grub_millisleep(5);
  /* Disable interrupts and commands (just to be safe) */
  grub_uhci_writereg16(u, GRUB_UHCI_REG_USBINTR, 0);
@ -399,7 +399,7 @@ grub_free_queue (struct grub_uhci *u, grub_uhci_qh_t qh, grub_uhci_td_t td,
  u->qh_busy[qh - u->qh_virt] = 0;

  *actual = 0;
-  
+
  /* Free the TDs in this queue and set last_trans.  */
  for (i=0; td; i++)
    {
@ -411,7 +411,7 @@ grub_free_queue (struct grub_uhci *u, grub_uhci_qh_t qh, grub_uhci_td_t td,
        transfer->last_trans = i;

      *actual += (td->ctrl_status + 1) & 0x7ff;
-      
+
      /* Unlink the queue.  */
      tdprev = td;
      if (!td->linkptr2)
@ -537,7 +537,7 @@ grub_uhci_setup_transfer (grub_usb_controller_t dev,
    }

  grub_dprintf ("uhci", "transfer, iobase:%08x\n", u->iobase);
-  
+
  for (i = 0; i < transfer->transcnt; i++)
    {
      grub_usb_transaction_t tr = &transfer->transactions[i];
@ -604,7 +604,7 @@ grub_uhci_check_transfer (grub_usb_controller_t dev,
    errtd = grub_dma_phys2virt (cdata->qh->elinkptr & ~0x0f, u->qh_chunk);
  else
    errtd = 0;
-  
+
  if (errtd)
    {
      grub_dprintf ("uhci", ">t status=0x%02x data=0x%02x td=%p, %x\n",
@ -632,27 +632,27 @@ grub_uhci_check_transfer (grub_usb_controller_t dev,
      /* Check if the endpoint is stalled.  */
      if (errtd->ctrl_status & (1 << 22))
 	err = GRUB_USB_ERR_STALL;
-      
+
      /* Check if an error related to the data buffer occurred.  */
      else if (errtd->ctrl_status & (1 << 21))
 	err = GRUB_USB_ERR_DATA;
-      
+
      /* Check if a babble error occurred.  */
      else if (errtd->ctrl_status & (1 << 20))
 	err = GRUB_USB_ERR_BABBLE;
-      
+
      /* Check if a NAK occurred.  */
      else if (errtd->ctrl_status & (1 << 19))
 	err = GRUB_USB_ERR_NAK;
-      
+
      /* Check if a timeout occurred.  */
      else if (errtd->ctrl_status & (1 << 18))
 	err = GRUB_USB_ERR_TIMEOUT;
-      
+
      /* Check if a bitstuff error occurred.  */
      else if (errtd->ctrl_status & (1 << 17))
 	err = GRUB_USB_ERR_BITSTUFF;
-      
+
      if (err)
 	{
 	  grub_dprintf ("uhci", "transaction failed\n");
@ -719,7 +719,7 @@ grub_uhci_portstatus (grub_usb_controller_t dev,
  grub_uint64_t endtime;

  grub_dprintf ("uhci", "portstatus, iobase:%08x\n", u->iobase);
-  
+
  grub_dprintf ("uhci", "enable=%d port=%d\n", enable, port);

  if (port == 0)
@ -746,7 +746,7 @@ grub_uhci_portstatus (grub_usb_controller_t dev,
      grub_dprintf ("uhci", ">3detect=0x%02x\n", status);
      return GRUB_USB_ERR_NONE;
    }
-    
+
  /* Reset the port.  */
  status = grub_uhci_readreg16 (u, reg) & ~GRUB_UHCI_PORTSC_RWC;
  grub_uhci_writereg16 (u, reg, status | (1 << 9));
@ -796,7 +796,7 @@ grub_uhci_detect_dev (grub_usb_controller_t dev, int port, int *changed)
  unsigned int status;

  grub_dprintf ("uhci", "detect_dev, iobase:%08x\n", u->iobase);
-  
+
  if (port == 0)
    reg = GRUB_UHCI_REG_PORTSC1;
  else if (port == 1)
@ -818,7 +818,7 @@ grub_uhci_detect_dev (grub_usb_controller_t dev, int port, int *changed)
    }
  else
    *changed = 0;
-    
+
  if (! (status & GRUB_UHCI_DETECT_HAVE_DEVICE))
    return GRUB_USB_SPEED_NONE;
  else if (status & GRUB_UHCI_DETECT_LOW_SPEED)
--- a/grub-core/bus/usb/usb.c
+++ b/grub-core/bus/usb/usb.c
@ -144,7 +144,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
    {
      err = GRUB_USB_ERR_BADDEVICE;
      goto fail;
-    }    
+    }

  for (i = 0; i < descdev->configcnt; i++)
    {
@ -235,7 +235,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
 void grub_usb_device_attach (grub_usb_device_t dev)
 {
  int i;
-  
+
  /* XXX: Just check configuration 0 for now.  */
  for (i = 0; i < dev->config[0].descconf->numif; i++)
    {
@ -331,7 +331,7 @@ grub_usb_register_attach_hook_class (struct grub_usb_attach_desc *desc)
 void
 grub_usb_unregister_attach_hook_class (struct grub_usb_attach_desc *desc)
 {
-  grub_list_remove (GRUB_AS_LIST (desc));  
+  grub_list_remove (GRUB_AS_LIST (desc));
 }


--- a/grub-core/bus/usb/usbhub.c
+++ b/grub-core/bus/usb/usbhub.c
@ -115,11 +115,11 @@ grub_usb_hub_add_dev (grub_usb_controller_t controller,
  grub_millisleep (2);

  grub_boot_time ("Probing USB device driver");
-  
+
  grub_usb_device_attach (dev);

  grub_boot_time ("Attached USB device");
-  
+
  return dev;
 }

@ -130,7 +130,7 @@ grub_usb_add_hub (grub_usb_device_t dev)
  struct grub_usb_usb_hubdesc hubdesc;
  grub_usb_err_t err;
  int i;
-  
+
  err = grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_IN
 	  		            | GRUB_USB_REQTYPE_CLASS
 			            | GRUB_USB_REQTYPE_TARGET_DEV),
@ -328,7 +328,7 @@ grub_usb_controller_dev_register (grub_usb_controller_dev_t usb)

 		speed = hub->controller->dev->detect_dev (hub->controller, portno,
 							  &changed);
-      
+
 		if (hub->ports[portno].state == PORT_STATE_NORMAL
 		    && speed != GRUB_USB_SPEED_NONE)
 		  {
@ -422,7 +422,7 @@ wait_power_nonroot_hub (grub_usb_device_t dev)
  grub_usb_err_t err;
  int continue_waiting = 0;
  unsigned i;
-  
+
  for (i = 1; i <= dev->nports; i++)
    if (dev->ports[i - 1].state == PORT_STATE_WAITING_FOR_STABLE_POWER)
      {
@ -564,7 +564,7 @@ poll_nonroot_hub (grub_usb_device_t dev)

 	  detach_device (dev->children[i - 1]);
 	  dev->children[i - 1] = NULL;
-      	    
+
 	  /* Connected and status of connection changed ? */
 	  if (status & GRUB_USB_HUB_STATUS_PORT_CONNECTED)
 	    {
@ -642,7 +642,7 @@ poll_nonroot_hub (grub_usb_device_t dev)
 		    split_hubport = dev->split_hubport;
 		    split_hubaddr = dev->split_hubaddr;
 		  }
-		
+
 	      /* Add the device and assign a device address to it.  */
 	      next_dev = grub_usb_hub_add_dev (&dev->controller, speed,
 					       split_hubport, split_hubaddr);
@ -707,12 +707,12 @@ grub_usb_poll_devices (int wait_for_completion)
  while (1)
    {
      rescan = 0;
-      
+
      /* We should check changes of non-root hubs too. */
      for (i = 0; i < GRUB_USBHUB_MAX_DEVICES; i++)
 	{
 	  grub_usb_device_t dev = grub_usb_devs[i];
-	  
+
 	  if (dev && dev->descdev.class == 0x09)
 	    poll_nonroot_hub (dev);
 	}
@ -723,7 +723,7 @@ grub_usb_poll_devices (int wait_for_completion)
 	  for (i = 0; i < GRUB_USBHUB_MAX_DEVICES; i++)
 	    {
 	      grub_usb_device_t dev = grub_usb_devs[i];
-	    
+
 	      if (dev && dev->descdev.class == 0x09)
 		continue_waiting = continue_waiting || wait_power_nonroot_hub (dev);
 	    }
--- a/grub-core/bus/usb/usbtrans.c
+++ b/grub-core/bus/usb/usbtrans.c
@ -40,7 +40,7 @@ grub_usb_bulk_maxpacket (grub_usb_device_t dev,


 static grub_usb_err_t
-grub_usb_execute_and_wait_transfer (grub_usb_device_t dev, 
+grub_usb_execute_and_wait_transfer (grub_usb_device_t dev,
 				    grub_usb_transfer_t transfer,
 				    int timeout, grub_size_t *actual)
 {
@ -205,7 +205,7 @@ grub_usb_control_msg (grub_usb_device_t dev,
  grub_dprintf ("usb", "control: err=%d\n", err);

  grub_free (transfer->transactions);
-  
+
  grub_free (transfer);
  grub_dma_free (setupdata_chunk);

--- a/grub-core/commands/acpi.c
+++ b/grub-core/commands/acpi.c
@ -38,6 +38,20 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+enum
+  {
+    OPTION_EXCLUDE = 0,
+    OPTION_LOAD_ONLY,
+    OPTION_V1,
+    OPTION_V2,
+    OPTION_OEMID,
+    OPTION_OEMTABLE,
+    OPTION_OEMTABLEREV,
+    OPTION_OEMTABLECREATOR,
+    OPTION_OEMTABLECREATORREV,
+    OPTION_NO_EBDA
+  };
+
 static const struct grub_arg_option options[] = {
  {"exclude", 'x', 0,
   N_("Don't load host tables specified by comma-separated list."),
@ -168,7 +182,7 @@ grub_acpi_create_ebda (void)
  struct grub_acpi_rsdp_v10 *v1;
  struct grub_acpi_rsdp_v20 *v2;

-  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *)0x40e)) << 4);
+  ebda = (grub_uint8_t *) (grub_addr_t) ((*((grub_uint16_t *) grub_absolute_pointer (0x40e))) << 4);
  grub_dprintf ("acpi", "EBDA @%p\n", ebda);
  if (ebda)
    ebda_kb_len = *(grub_uint16_t *) ebda;
@ -298,7 +312,7 @@ grub_acpi_create_ebda (void)
      *target = 0;

  grub_dprintf ("acpi", "Switching EBDA\n");
-  (*((grub_uint16_t *) 0x40e)) = ((grub_addr_t) targetebda) >> 4;
+  (*((grub_uint16_t *) grub_absolute_pointer (0x40e))) = ((grub_addr_t) targetebda) >> 4;
  grub_dprintf ("acpi", "EBDA switched\n");

  return GRUB_ERR_NONE;
@ -490,21 +504,21 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)

  if (rsdp)
    {
-      grub_uint32_t *entry_ptr;
+      grub_uint8_t *entry_ptr;
      char *exclude = 0;
      char *load_only = 0;
      char *ptr;
-      /* RSDT consists of header and an array of 32-bit pointers. */
-      struct grub_acpi_table_header *rsdt;
+      grub_size_t tbl_addr_size;
+      struct grub_acpi_table_header *table_head;

-      exclude = state[0].set ? grub_strdup (state[0].arg) : 0;
+      exclude = state[OPTION_EXCLUDE].set ? grub_strdup (state[OPTION_EXCLUDE].arg) : 0;
      if (exclude)
 	{
 	  for (ptr = exclude; *ptr; ptr++)
 	    *ptr = grub_tolower (*ptr);
 	}

-      load_only = state[1].set ? grub_strdup (state[1].arg) : 0;
+      load_only = state[OPTION_LOAD_ONLY].set ? grub_strdup (state[OPTION_LOAD_ONLY].arg) : 0;
      if (load_only)
 	{
 	  for (ptr = load_only; *ptr; ptr++)
@ -514,17 +528,32 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
      /* Set revision variables to replicate the same version as host. */
      rev1 = ! rsdp->revision;
      rev2 = rsdp->revision;
-      rsdt = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
+      if (rev2 && ((struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr) != NULL)
+	{
+	  /* XSDT consists of header and an array of 64-bit pointers. */
+	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) ((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr;
+	  tbl_addr_size = sizeof (((struct grub_acpi_rsdp_v20 *) rsdp)->xsdt_addr);
+	}
+      else
+	{
+	  /* RSDT consists of header and an array of 32-bit pointers. */
+	  table_head = (struct grub_acpi_table_header *) (grub_addr_t) rsdp->rsdt_addr;
+	  tbl_addr_size = sizeof (rsdp->rsdt_addr);
+	}
+
      /* Load host tables. */
-      for (entry_ptr = (grub_uint32_t *) (rsdt + 1);
-	   entry_ptr < (grub_uint32_t *) (((grub_uint8_t *) rsdt)
-					  + rsdt->length);
-	   entry_ptr++)
+      for (entry_ptr = (grub_uint8_t *) (table_head + 1);
+	   entry_ptr < (grub_uint8_t *) (((grub_uint8_t *) table_head) + table_head->length);
+	   entry_ptr += tbl_addr_size)
 	{
 	  char signature[5];
 	  struct efiemu_acpi_table *table;
-	  struct grub_acpi_table_header *curtable
-	    = (struct grub_acpi_table_header *) (grub_addr_t) *entry_ptr;
+	  struct grub_acpi_table_header *curtable;
+	  if (tbl_addr_size == sizeof (rsdp->rsdt_addr))
+	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint32_t *) entry_ptr);
+	  else
+	    curtable = (struct grub_acpi_table_header *) (grub_addr_t) *((grub_uint64_t *) entry_ptr);
+
 	  signature[4] = 0;
 	  for (i = 0; i < 4;i++)
 	    signature[i] = grub_tolower (curtable->signature[i]);
@ -608,26 +637,26 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
    }

  /* Does user specify versions to generate? */
-  if (state[2].set || state[3].set)
+  if (state[OPTION_V1].set || state[OPTION_V2].set)
    {
-      rev1 = state[2].set;
-      if (state[3].set)
+      rev1 = state[OPTION_V1].set;
+      if (state[OPTION_V2].set)
 	rev2 = rev2 ? : 2;
      else
 	rev2 = 0;
    }

  /* Does user override root header information? */
-  if (state[4].set)
-    grub_strncpy (root_oemid, state[4].arg, sizeof (root_oemid));
-  if (state[5].set)
-    grub_strncpy (root_oemtable, state[5].arg, sizeof (root_oemtable));
-  if (state[6].set)
-    root_oemrev = grub_strtoul (state[6].arg, 0, 0);
-  if (state[7].set)
-    grub_strncpy (root_creator_id, state[7].arg, sizeof (root_creator_id));
-  if (state[8].set)
-    root_creator_rev = grub_strtoul (state[8].arg, 0, 0);
+  if (state[OPTION_OEMID].set)
+    grub_strncpy (root_oemid, state[OPTION_OEMID].arg, sizeof (root_oemid));
+  if (state[OPTION_OEMTABLE].set)
+    grub_strncpy (root_oemtable, state[OPTION_OEMTABLE].arg, sizeof (root_oemtable));
+  if (state[OPTION_OEMTABLEREV].set)
+    root_oemrev = grub_strtoul (state[OPTION_OEMTABLEREV].arg, 0, 0);
+  if (state[OPTION_OEMTABLECREATOR].set)
+    grub_strncpy (root_creator_id, state[OPTION_OEMTABLECREATOR].arg, sizeof (root_creator_id));
+  if (state[OPTION_OEMTABLECREATORREV].set)
+    root_creator_rev = grub_strtoul (state[OPTION_OEMTABLECREATORREV].arg, 0, 0);

  /* Load user tables */
  for (i = 0; i < argc; i++)
@ -743,7 +772,7 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)
  acpi_tables = 0;

 #if defined (__i386__) || defined (__x86_64__)
-  if (! state[9].set)
+  if (! state[OPTION_NO_EBDA].set)
    {
      grub_err_t err;
      err = grub_acpi_create_ebda ();
@ -759,13 +788,13 @@ grub_cmd_acpi (struct grub_extcmd_context *ctxt, int argc, char **args)

 #ifdef GRUB_MACHINE_EFI
  {
-    struct grub_efi_guid acpi = GRUB_EFI_ACPI_TABLE_GUID;
-    struct grub_efi_guid acpi20 = GRUB_EFI_ACPI_20_TABLE_GUID;
+    static grub_guid_t acpi = GRUB_EFI_ACPI_TABLE_GUID;
+    static grub_guid_t acpi20 = GRUB_EFI_ACPI_20_TABLE_GUID;

-    efi_call_2 (grub_efi_system_table->boot_services->install_configuration_table,
-      &acpi20, grub_acpi_get_rsdpv2 ());
-    efi_call_2 (grub_efi_system_table->boot_services->install_configuration_table,
-      &acpi, grub_acpi_get_rsdpv1 ());
+    grub_efi_system_table->boot_services->install_configuration_table (&acpi20,
+								       grub_acpi_get_rsdpv2 ());
+    grub_efi_system_table->boot_services->install_configuration_table (&acpi,
+								       grub_acpi_get_rsdpv1 ());
  }
 #endif

--- a/grub-core/commands/acpihalt.c
+++ b/grub-core/commands/acpihalt.c
@ -78,7 +78,7 @@ static inline grub_uint32_t
 skip_name_string (const grub_uint8_t *ptr, const grub_uint8_t *end)
 {
  const grub_uint8_t *ptr0 = ptr;
-  
+
  while (ptr < end && (*ptr == '^' || *ptr == '\\'))
    ptr++;
  switch (*ptr)
@ -231,7 +231,7 @@ get_sleep_type (grub_uint8_t *table, grub_uint8_t *ptr, grub_uint8_t *end,
 		grub_uint8_t *scope, int scope_len)
 {
  grub_uint8_t *prev = table;
-  
+
  if (!ptr)
    ptr = table + sizeof (struct grub_acpi_table_header);
  while (ptr < end && prev < ptr)
@ -337,7 +337,7 @@ get_sleep_type (grub_uint8_t *table, grub_uint8_t *ptr, grub_uint8_t *end,
 	  }
 	default:
 	  grub_printf ("Unknown opcode 0x%x\n", *ptr);
-	  return -1;	  
+	  return -1;
 	}
    }

--- a/grub-core/commands/bli.c
+++ b/grub-core/commands/bli.c
@ -0,0 +1,138 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2023  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  Implementation of the Boot Loader Interface.
+ */
+
+#include <grub/charset.h>
+#include <grub/efi/api.h>
+#include <grub/efi/disk.h>
+#include <grub/efi/efi.h>
+#include <grub/err.h>
+#include <grub/extcmd.h>
+#include <grub/gpt_partition.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/partition.h>
+#include <grub/types.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+#define MODNAME "bli"
+
+static const grub_guid_t bli_vendor_guid = GRUB_EFI_VENDOR_BOOT_LOADER_INTERFACE_GUID;
+
+static grub_err_t
+get_part_uuid (const char *device_name, char **part_uuid)
+{
+  grub_device_t device;
+  grub_err_t status = GRUB_ERR_NONE;
+  grub_disk_t disk = NULL;
+  struct grub_gpt_partentry entry;
+
+  device = grub_device_open (device_name);
+  if (device == NULL)
+    return grub_error (grub_errno, N_("cannot open device: %s"), device_name);
+
+  if (device->disk == NULL)
+    {
+      grub_dprintf ("bli", "%s is not a disk device, partuuid skipped\n", device_name);
+      *part_uuid = NULL;
+      grub_device_close (device);
+      return GRUB_ERR_NONE;
+    }
+
+  if (device->disk->partition == NULL)
+    {
+      grub_dprintf ("bli", "%s has no partition, partuuid skipped\n", device_name);
+      *part_uuid = NULL;
+      grub_device_close (device);
+      return GRUB_ERR_NONE;
+    }
+
+  disk = grub_disk_open (device->disk->name);
+  if (disk == NULL)
+    {
+      status = grub_error (grub_errno, N_("cannot open disk: %s"), device_name);
+      grub_device_close (device);
+      return status;
+    }
+
+  if (grub_strcmp (device->disk->partition->partmap->name, "gpt") != 0)
+    {
+      status = grub_error (GRUB_ERR_BAD_PART_TABLE,
+			   N_("this is not a GPT partition table: %s"), device_name);
+      goto fail;
+    }
+
+  if (grub_disk_read (disk, device->disk->partition->offset,
+		      device->disk->partition->index, sizeof (entry), &entry) != GRUB_ERR_NONE)
+    {
+      status = grub_error (grub_errno, N_("read error: %s"), device_name);
+      goto fail;
+    }
+
+  *part_uuid = grub_xasprintf ("%pG", &entry.guid);
+  if (*part_uuid == NULL)
+    status = grub_errno;
+
+ fail:
+  grub_disk_close (disk);
+  grub_device_close (device);
+
+  return status;
+}
+
+static grub_err_t
+set_loader_device_part_uuid (void)
+{
+  grub_efi_loaded_image_t *image;
+  char *device_name;
+  grub_err_t status = GRUB_ERR_NONE;
+  char *part_uuid = NULL;
+
+  image = grub_efi_get_loaded_image (grub_efi_image_handle);
+  if (image == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("unable to find boot device"));
+
+  device_name = grub_efidisk_get_device_name (image->device_handle);
+  if (device_name == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("unable to find boot device"));
+
+  status = get_part_uuid (device_name, &part_uuid);
+
+  if (status == GRUB_ERR_NONE && part_uuid)
+    status = grub_efi_set_variable_to_string ("LoaderDevicePartUUID", &bli_vendor_guid, part_uuid,
+					      GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+					      GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
+  else
+    grub_error (status, N_("unable to determine partition UUID of boot device"));
+
+  grub_free (part_uuid);
+  grub_free (device_name);
+  return status;
+}
+
+GRUB_MOD_INIT (bli)
+{
+  grub_efi_set_variable_to_string ("LoaderInfo", &bli_vendor_guid, PACKAGE_STRING,
+				   GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				   GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
+  set_loader_device_part_uuid ();
+  /* No error here is critical, other than being logged */
+  grub_print_error ();
+}
--- a/grub-core/commands/blocklist.c
+++ b/grub-core/commands/blocklist.c
@ -53,9 +53,9 @@ print_blocklist (grub_disk_addr_t sector, unsigned num,
 }

 /* Helper for grub_cmd_blocklist.  */
-static void
+static grub_err_t
 read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
-		void *data)
+		char *buf __attribute__ ((unused)), void *data)
 {
  struct blocklist_ctx *ctx = data;

@ -70,7 +70,7 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
 	}

      if (!length)
-	return;
+	return GRUB_ERR_NONE;
      print_blocklist (ctx->start_sector, ctx->num_sectors, 0, 0, ctx);
      ctx->num_sectors = 0;
    }
@ -87,7 +87,7 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
    }

  if (!length)
-    return;
+    return GRUB_ERR_NONE;

  if (length & (GRUB_DISK_SECTOR_SIZE - 1))
    {
@ -103,6 +103,8 @@ read_blocklist (grub_disk_addr_t sector, unsigned offset, unsigned length,
      ctx->start_sector = sector;
      ctx->num_sectors = length >> GRUB_DISK_SECTOR_BITS;
    }
+
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/boot.c
+++ b/grub-core/commands/boot.c
@ -27,10 +27,20 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static grub_err_t (*grub_loader_boot_func) (void);
-static grub_err_t (*grub_loader_unload_func) (void);
+static grub_err_t (*grub_loader_boot_func) (void *context);
+static grub_err_t (*grub_loader_unload_func) (void *context);
+static void *grub_loader_context;
 static int grub_loader_flags;

+struct grub_simple_loader_hooks
+{
+  grub_err_t (*boot) (void);
+  grub_err_t (*unload) (void);
+};
+
+/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
+static struct grub_simple_loader_hooks simple_loader_hooks;
+
 struct grub_preboot
 {
  grub_err_t (*preboot_func) (int);
@ -44,6 +54,29 @@ static int grub_loader_loaded;
 static struct grub_preboot *preboots_head = 0,
  *preboots_tail = 0;

+static grub_err_t
+grub_simple_boot_hook (void *context)
+{
+  struct grub_simple_loader_hooks *hooks;
+
+  hooks = (struct grub_simple_loader_hooks *) context;
+  return hooks->boot ();
+}
+
+static grub_err_t
+grub_simple_unload_hook (void *context)
+{
+  struct grub_simple_loader_hooks *hooks;
+  grub_err_t ret;
+
+  hooks = (struct grub_simple_loader_hooks *) context;
+
+  ret = hooks->unload ();
+  grub_memset (hooks, 0, sizeof (*hooks));
+
+  return ret;
+}
+
 int
 grub_loader_is_loaded (void)
 {
@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
 }

 void
-grub_loader_set (grub_err_t (*boot) (void),
-		 grub_err_t (*unload) (void),
-		 int flags)
+grub_loader_set_ex (grub_err_t (*boot) (void *context),
+		    grub_err_t (*unload) (void *context),
+		    void *context,
+		    int flags)
 {
  if (grub_loader_loaded && grub_loader_unload_func)
-    grub_loader_unload_func ();
+    grub_loader_unload_func (grub_loader_context);

  grub_loader_boot_func = boot;
  grub_loader_unload_func = unload;
+  grub_loader_context = context;
  grub_loader_flags = flags;

  grub_loader_loaded = 1;
 }

+void
+grub_loader_set (grub_err_t (*boot) (void),
+		 grub_err_t (*unload) (void),
+		 int flags)
+{
+  grub_loader_set_ex (grub_simple_boot_hook,
+		      grub_simple_unload_hook,
+		      &simple_loader_hooks,
+		      flags);
+
+  simple_loader_hooks.boot = boot;
+  simple_loader_hooks.unload = unload;
+}
+
 void
 grub_loader_unset(void)
 {
  if (grub_loader_loaded && grub_loader_unload_func)
-    grub_loader_unload_func ();
+    grub_loader_unload_func (grub_loader_context);

  grub_loader_boot_func = 0;
  grub_loader_unload_func = 0;
+  grub_loader_context = 0;

  grub_loader_loaded = 0;
 }
@ -158,7 +208,7 @@ grub_loader_boot (void)
 	  return err;
 	}
    }
-  err = (grub_loader_boot_func) ();
+  err = (grub_loader_boot_func) (grub_loader_context);

  for (cur = preboots_tail; cur; cur = cur->prev)
    if (! err)
--- a/grub-core/commands/boottime.c
+++ b/grub-core/commands/boottime.c
@ -43,7 +43,7 @@ grub_cmd_boottime (struct grub_command *cmd __attribute__ ((unused)),
      grub_uint32_t tmrel = cur->tp - last_time;
      last_time = cur->tp;

-      grub_printf ("%3d.%03ds %2d.%03ds %s:%d %s\n", 
+      grub_printf ("%3d.%03ds %2d.%03ds %s:%d %s\n",
 		   tmabs / 1000, tmabs % 1000, tmrel / 1000, tmrel % 1000, cur->file, cur->line,
 		   cur->msg);
    }
--- a/grub-core/commands/cacheinfo.c
+++ b/grub-core/commands/cacheinfo.c
@ -42,7 +42,7 @@ grub_rescue_cmd_info (struct grub_command *cmd __attribute__ ((unused)),
 		    hits, misses);
    }
  else
-    grub_printf ("%s\n", _("No disk cache statistics available\n"));    
+    grub_printf ("%s\n", _("No disk cache statistics available\n"));

 return 0;
 }
--- a/grub-core/commands/cat.c
+++ b/grub-core/commands/cat.c
@ -104,7 +104,7 @@ grub_cmd_cat (grub_extcmd_context_t ctxt, int argc, char **args)
 	       || grub_isspace (code)) && code != '\r')
 	    {
 	      grub_printf ("%C", code);
-	      count = 0; 
+	      count = 0;
 	      code = 0;
 	      utcount = 0;
 	      continue;
@ -113,7 +113,7 @@ grub_cmd_cat (grub_extcmd_context_t ctxt, int argc, char **args)
 	  if (dos && code == '\r')
 	    {
 	      is_0d = 1;
-	      count = 0; 
+	      count = 0;
 	      code = 0;
 	      utcount = 0;
 	      continue;
@ -123,7 +123,7 @@ grub_cmd_cat (grub_extcmd_context_t ctxt, int argc, char **args)
 	  for (j = 0; j < utcount; j++)
 	    grub_printf ("<%x>", (unsigned int) utbuf[j]);
 	  grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
-	  count = 0; 
+	  count = 0;
 	  code = 0;
 	  utcount = 0;
 	}
--- a/grub-core/commands/cmp.c
+++ b/grub-core/commands/cmp.c
@ -22,14 +22,21 @@
 #include <grub/file.h>
 #include <grub/mm.h>
 #include <grub/command.h>
+#include <grub/extcmd.h>
 #include <grub/i18n.h>

 GRUB_MOD_LICENSE ("GPLv3+");

 #define BUFFER_SIZE 512

+static const struct grub_arg_option options[] =
+  {
+    {0, 'v', 0, N_("Enable verbose output"), 0, 0},
+    {0, 0, 0, 0, 0, 0}
+  };
+
 static grub_err_t
-grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
+grub_cmd_cmp (grub_extcmd_context_t ctxt,
 	      int argc, char **args)
 {
  grub_ssize_t rd1, rd2;
@ -38,19 +45,20 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
  grub_file_t file2 = 0;
  char *buf1 = 0;
  char *buf2 = 0;
+  grub_err_t err = GRUB_ERR_TEST_FAILURE;

  if (argc != 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));

-  grub_printf_ (N_("Compare file `%s' with `%s':\n"), args[0],
-		args[1]);
+  if (ctxt->state[0].set)
+    grub_printf_ (N_("Compare file `%s' with `%s':\n"), args[0], args[1]);

  file1 = grub_file_open (args[0], GRUB_FILE_TYPE_CMP);
  file2 = grub_file_open (args[1], GRUB_FILE_TYPE_CMP);
  if (! file1 || ! file2)
    goto cleanup;

-  if (grub_file_size (file1) != grub_file_size (file2))
+  if (ctxt->state[0].set && (grub_file_size (file1) != grub_file_size (file2)))
    grub_printf_ (N_("Files differ in size: %llu [%s], %llu [%s]\n"),
 		  (unsigned long long) grub_file_size (file1), args[0],
 		  (unsigned long long) grub_file_size (file2), args[1]);
@ -78,9 +86,10 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
 	    {
 	      if (buf1[i] != buf2[i])
 		{
-		  grub_printf_ (N_("Files differ at the offset %llu: 0x%x [%s], 0x%x [%s]\n"),
-				(unsigned long long) (i + pos), buf1[i],
-				args[0], buf2[i], args[1]);
+		  if (ctxt->state[0].set)
+		    grub_printf_ (N_("Files differ at the offset %llu: 0x%x [%s], 0x%x [%s]\n"),
+				  (unsigned long long) (i + pos), buf1[i],
+				  args[0], buf2[i], args[1]);
 		  goto cleanup;
 		}
 	    }
@ -90,7 +99,9 @@ grub_cmd_cmp (grub_command_t cmd __attribute__ ((unused)),
      while (rd2);

      /* TRANSLATORS: it's always exactly 2 files.  */
-      grub_printf_ (N_("The files are identical.\n"));
+      if (ctxt->state[0].set)
+        grub_printf_ (N_("The files are identical.\n"));
+      err = GRUB_ERR_NONE;
    }

 cleanup:
@ -102,18 +113,19 @@ cleanup:
  if (file2)
    grub_file_close (file2);

-  return grub_errno;
+  return err;
 }

-static grub_command_t cmd;
+static grub_extcmd_t cmd;

 GRUB_MOD_INIT(cmp)
 {
-  cmd = grub_register_command ("cmp", grub_cmd_cmp,
-			       N_("FILE1 FILE2"), N_("Compare two files."));
+  cmd = grub_register_extcmd ("cmp", grub_cmd_cmp, 0,
+			      N_("FILE1 FILE2"), N_("Compare two files."),
+			      options);
 }

 GRUB_MOD_FINI(cmp)
 {
-  grub_unregister_command (cmd);
+  grub_unregister_extcmd (cmd);
 }
--- a/grub-core/commands/echo.c
+++ b/grub-core/commands/echo.c
@ -119,7 +119,7 @@ grub_cmd_echo (grub_extcmd_context_t ctxt, int argc, char **args)
  if (newline)
    grub_printf ("\n");

-  grub_refresh ();  
+  grub_refresh ();

  return 0;
 }
--- a/grub-core/commands/efi/efifwsetup.c
+++ b/grub-core/commands/efi/efifwsetup.c
@ -27,6 +27,8 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+static grub_efi_boolean_t efifwsetup_is_supported (void);
+
 static grub_err_t
 grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
 		  int argc __attribute__ ((unused)),
@ -36,7 +38,14 @@ grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
  grub_efi_uint64_t os_indications = GRUB_EFI_OS_INDICATIONS_BOOT_TO_FW_UI;
  grub_err_t status;
  grub_size_t oi_size;
-  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  static grub_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+
+  if (argc >= 1 && grub_strcmp(args[0], "--is-supported") == 0)
+    return !efifwsetup_is_supported ();
+
+  if (!efifwsetup_is_supported ())
+	  return grub_error (GRUB_ERR_INVALID_COMMAND,
+			     N_("reboot to firmware setup is not supported by the current firmware"));

  grub_efi_get_variable ("OsIndications", &global, &oi_size,
 			 (void **) &old_os_indications);
@ -44,6 +53,8 @@ grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
  if (old_os_indications != NULL && oi_size == sizeof (os_indications))
    os_indications |= *old_os_indications;

+  grub_free (old_os_indications);
+
  status = grub_efi_set_variable ("OsIndications", &global, &os_indications,
 				  sizeof (os_indications));
  if (status != GRUB_ERR_NONE)
@ -61,26 +72,27 @@ efifwsetup_is_supported (void)
 {
  grub_efi_uint64_t *os_indications_supported = NULL;
  grub_size_t oi_size = 0;
-  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  static grub_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  grub_efi_boolean_t ret = 0;

  grub_efi_get_variable ("OsIndicationsSupported", &global, &oi_size,
 			 (void **) &os_indications_supported);

  if (!os_indications_supported)
-    return 0;
+    goto done;

  if (*os_indications_supported & GRUB_EFI_OS_INDICATIONS_BOOT_TO_FW_UI)
-    return 1;
+    ret = 1;

-  return 0;
+ done:
+  grub_free (os_indications_supported);
+  return ret;
 }

 GRUB_MOD_INIT (efifwsetup)
 {
-  if (efifwsetup_is_supported ())
-    cmd = grub_register_command ("fwsetup", grub_cmd_fwsetup, NULL,
-				 N_("Reboot into firmware setup menu."));
-
+  cmd = grub_register_command ("fwsetup", grub_cmd_fwsetup, NULL,
+                               N_("Reboot into firmware setup menu."));
 }

 GRUB_MOD_FINI (efifwsetup)
--- a/grub-core/commands/efi/efitextmode.c
+++ b/grub-core/commands/efi/efitextmode.c
@ -0,0 +1,153 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  Set/Get UEFI text output mode resolution.
+ */
+
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/command.h>
+#include <grub/i18n.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/api.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static grub_err_t
+grub_efi_set_mode (grub_efi_simple_text_output_interface_t *o,
+		   grub_efi_int32_t mode)
+{
+  grub_efi_status_t status;
+
+  if (mode != o->mode->mode)
+    {
+      status = o->set_mode (o, mode);
+      if (status == GRUB_EFI_SUCCESS)
+	;
+      else if (status == GRUB_EFI_DEVICE_ERROR)
+	return grub_error (GRUB_ERR_BAD_DEVICE,
+			   N_("device error: could not set requested mode"));
+      else if (status == GRUB_EFI_UNSUPPORTED)
+	return grub_error (GRUB_ERR_OUT_OF_RANGE,
+			   N_("invalid mode: number not valid"));
+      else
+	return grub_error (GRUB_ERR_BAD_FIRMWARE,
+			   N_("unexpected EFI error number: `%u'"),
+			   (unsigned) status);
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_cmd_efitextmode (grub_command_t cmd __attribute__ ((unused)),
+		      int argc, char **args)
+{
+  grub_efi_simple_text_output_interface_t *o = grub_efi_system_table->con_out;
+  unsigned long mode;
+  const char *p = NULL;
+  grub_err_t err;
+  grub_efi_uintn_t columns, rows;
+  grub_efi_int32_t i;
+
+  if (o == NULL)
+    return grub_error (GRUB_ERR_BAD_DEVICE, N_("no UEFI output console interface"));
+
+  if (o->mode == NULL)
+    return grub_error (GRUB_ERR_BUG, N_("no mode struct for UEFI output console"));
+
+  if (argc > 2)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("at most two arguments expected"));
+
+  if (argc == 0)
+    {
+      grub_printf_ (N_("Available modes for console output device.\n"));
+
+      for (i = 0; i < o->mode->max_mode; i++)
+	if (GRUB_EFI_SUCCESS == o->query_mode (o, i, &columns, &rows))
+	  grub_printf_ (N_(" [%" PRIuGRUB_EFI_UINT32_T "]  Col %5"
+			   PRIuGRUB_EFI_UINTN_T " Row %5" PRIuGRUB_EFI_UINTN_T
+			   " %c\n"),
+			i, columns, rows, (i == o->mode->mode) ? '*' : ' ');
+    }
+  else if (argc == 1)
+    {
+      if (grub_strcmp (args[0], "min") == 0)
+	mode = 0;
+      else if (grub_strcmp (args[0], "max") == 0)
+	mode = o->mode->max_mode - 1;
+      else
+	{
+	  mode = grub_strtoul (args[0], &p, 0);
+
+	  if (*args[0] == '\0' || *p != '\0')
+	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			       N_("non-numeric or invalid mode `%s'"), args[0]);
+	}
+
+      if (mode < (unsigned long) o->mode->max_mode)
+	{
+	  err = grub_efi_set_mode (o, (grub_efi_int32_t) mode);
+	  if (err != GRUB_ERR_NONE)
+	    return err;
+	}
+      else
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("invalid mode: `%lu' is greater than maximum mode `%lu'"),
+			   mode, (unsigned long) o->mode->max_mode);
+    }
+  else if (argc == 2)
+    {
+      grub_efi_uintn_t u_columns, u_rows;
+
+      u_columns = (grub_efi_uintn_t) grub_strtoul (args[0], &p, 0);
+
+      if (*args[0] == '\0' || *p != '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("non-numeric or invalid columns number `%s'"), args[0]);
+
+      u_rows = (grub_efi_uintn_t) grub_strtoul (args[1], &p, 0);
+
+      if (*args[1] == '\0' || *p != '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			   N_("non-numeric or invalid rows number `%s'"), args[1]);
+
+      for (i = 0; i < o->mode->max_mode; i++)
+	if (GRUB_EFI_SUCCESS == o->query_mode (o, i, &columns, &rows))
+	  if (u_columns == columns && u_rows == rows)
+	    return grub_efi_set_mode (o, (grub_efi_int32_t) i);
+
+      return grub_error (GRUB_ERR_BAD_ARGUMENT,
+			 N_("no mode found with requested columns and rows"));
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_command_t cmd;
+GRUB_MOD_INIT (efitextmode)
+{
+  cmd = grub_register_command ("efitextmode", grub_cmd_efitextmode,
+			       N_("[min | max | <mode_num> | <cols> <rows>]"),
+			       N_("Get or set EFI text mode."));
+}
+
+GRUB_MOD_FINI (efitextmode)
+{
+  grub_unregister_command (cmd);
+}
--- a/grub-core/commands/efi/loadbios.c
+++ b/grub-core/commands/efi/loadbios.c
@ -27,9 +27,9 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static grub_efi_guid_t acpi_guid = GRUB_EFI_ACPI_TABLE_GUID;
-static grub_efi_guid_t acpi2_guid = GRUB_EFI_ACPI_20_TABLE_GUID;
-static grub_efi_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;
+static grub_guid_t acpi_guid = GRUB_EFI_ACPI_TABLE_GUID;
+static grub_guid_t acpi2_guid = GRUB_EFI_ACPI_20_TABLE_GUID;
+static grub_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;

 #define EBDA_SEG_ADDR	0x40e
 #define LOW_MEM_ADDR	0x413
@ -46,7 +46,7 @@ enable_rom_area (void)
  grub_uint32_t *rom_ptr;
  grub_pci_device_t dev = { .bus = 0, .device = 0, .function = 0};

-  rom_ptr = (grub_uint32_t *) VBIOS_ADDR;
+  rom_ptr = grub_absolute_pointer (VBIOS_ADDR);
  if (*rom_ptr != BLANK_MEM)
    {
      grub_puts_ (N_("ROM image is present."));
@ -92,47 +92,29 @@ lock_rom_area (void)
 static void
 fake_bios_data (int use_rom)
 {
-  unsigned i;
  void *acpi, *smbios;
  grub_uint16_t *ebda_seg_ptr, *low_mem_ptr;

-  ebda_seg_ptr = (grub_uint16_t *) EBDA_SEG_ADDR;
-  low_mem_ptr = (grub_uint16_t *) LOW_MEM_ADDR;
+  ebda_seg_ptr = grub_absolute_pointer (EBDA_SEG_ADDR);
+  low_mem_ptr = grub_absolute_pointer (LOW_MEM_ADDR);
  if ((*ebda_seg_ptr) || (*low_mem_ptr))
    return;

-  acpi = 0;
-  smbios = 0;
-  for (i = 0; i < grub_efi_system_table->num_table_entries; i++)
-    {
-      grub_efi_packed_guid_t *guid =
-	&grub_efi_system_table->configuration_table[i].vendor_guid;
+  acpi = grub_efi_find_configuration_table (&acpi2_guid);
+  grub_dprintf ("efi", "ACPI2: %p\n", acpi);
+  if (!acpi) {
+    acpi = grub_efi_find_configuration_table (&acpi_guid);
+    grub_dprintf ("efi", "ACPI: %p\n", acpi);
+  }

-      if (! grub_memcmp (guid, &acpi2_guid, sizeof (grub_efi_guid_t)))
-	{
-	  acpi = grub_efi_system_table->configuration_table[i].vendor_table;
-	  grub_dprintf ("efi", "ACPI2: %p\n", acpi);
-	}
-      else if (! grub_memcmp (guid, &acpi_guid, sizeof (grub_efi_guid_t)))
-	{
-	  void *t;
-
-	  t = grub_efi_system_table->configuration_table[i].vendor_table;
-	  if (! acpi)
-	    acpi = t;
-	  grub_dprintf ("efi", "ACPI: %p\n", t);
-	}
-      else if (! grub_memcmp (guid, &smbios_guid, sizeof (grub_efi_guid_t)))
-	{
-	  smbios = grub_efi_system_table->configuration_table[i].vendor_table;
-	  grub_dprintf ("efi", "SMBIOS: %p\n", smbios);
-	}
-    }
+  smbios = grub_efi_find_configuration_table (&smbios_guid);
+  grub_dprintf ("efi", "SMBIOS: %p\n", smbios);

  *ebda_seg_ptr = FAKE_EBDA_SEG;
  *low_mem_ptr = (FAKE_EBDA_SEG >> 6);

-  *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr;
+  /* *((grub_uint16_t *) (FAKE_EBDA_SEG << 4)) = 640 - *low_mem_ptr; */
+  *((grub_uint16_t *) (grub_absolute_pointer (FAKE_EBDA_SEG << 4))) = 640 - *low_mem_ptr;

  if (acpi)
    grub_memcpy ((char *) ((FAKE_EBDA_SEG << 4) + 16), acpi, 1024 - 16);
--- a/grub-core/commands/efi/lsefi.c
+++ b/grub-core/commands/efi/lsefi.c
@ -29,11 +29,11 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-struct known_protocol
+static struct known_protocol
 {
-  grub_efi_guid_t guid;
+  grub_guid_t guid;
  const char *name;
-} known_protocols[] = 
+} known_protocols[] =
  {
    { GRUB_EFI_DISK_IO_GUID, "disk" },
    { GRUB_EFI_BLOCK_IO_GUID, "block" },
@ -55,6 +55,7 @@ struct known_protocol
    { GRUB_EFI_ABSOLUTE_POINTER_PROTOCOL_GUID, "absolute pointer" },
    { GRUB_EFI_DRIVER_BINDING_PROTOCOL_GUID, "EFI driver binding" },
    { GRUB_EFI_LOAD_FILE_PROTOCOL_GUID, "load file" },
+    { GRUB_EFI_LOAD_FILE2_PROTOCOL_GUID, "load file2" },
    { GRUB_EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID, "simple FS" },
    { GRUB_EFI_TAPE_IO_PROTOCOL_GUID, "tape I/O" },
    { GRUB_EFI_UNICODE_COLLATION_PROTOCOL_GUID, "unicode collation" },
@ -95,7 +96,7 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
      grub_efi_handle_t handle = handles[i];
      grub_efi_status_t status;
      grub_efi_uintn_t num_protocols;
-      grub_efi_packed_guid_t **protocols;
+      grub_packed_guid_t **protocols;
      grub_efi_device_path_t *dp;

      grub_printf ("Handle %p\n", handle);
@ -107,8 +108,9 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
 	  grub_efi_print_device_path (dp);
 	}

-      status = efi_call_3 (grub_efi_system_table->boot_services->protocols_per_handle,
-			   handle, &protocols, &num_protocols);
+      status = grub_efi_system_table->boot_services->protocols_per_handle (handle,
+									   &protocols,
+									   &num_protocols);
      if (status != GRUB_EFI_SUCCESS) {
 	grub_printf ("Unable to retrieve protocols\n");
 	continue;
@ -122,18 +124,7 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
 	  if (k < ARRAY_SIZE (known_protocols))
 	    grub_printf ("  %s\n", known_protocols[k].name);
 	  else
-	    grub_printf ("  %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x\n",
-			 protocols[j]->data1,
-			 protocols[j]->data2,
-			 protocols[j]->data3,
-			 (unsigned) protocols[j]->data4[0],
-			 (unsigned) protocols[j]->data4[1],
-			 (unsigned) protocols[j]->data4[2],
-			 (unsigned) protocols[j]->data4[3],
-			 (unsigned) protocols[j]->data4[4],
-			 (unsigned) protocols[j]->data4[5],
-			 (unsigned) protocols[j]->data4[6],
-			 (unsigned) protocols[j]->data4[7]);
+	    grub_printf ("  %pG\n", protocols[j]);
 	}

    }
--- a/grub-core/commands/efi/lsefimmap.c
+++ b/grub-core/commands/efi/lsefimmap.c
@ -59,9 +59,9 @@ grub_cmd_lsefimmap (grub_command_t cmd __attribute__ ((unused)),
    {
      grub_efi_uint64_t size;
      grub_efi_uint64_t attr;
-      static const char types_str[][9] = 
+      static const char types_str[][9] =
 	{
-	  "reserved", 
+	  "reserved",
 	  "ldr-code",
 	  "ldr-data",
 	  "BS-code ",
@ -81,7 +81,7 @@ grub_cmd_lsefimmap (grub_command_t cmd __attribute__ ((unused)),
 	grub_printf ("%s ", types_str[desc->type]);
      else
 	grub_printf ("Unk %02x   ", desc->type);
-      
+
      grub_printf (" %016" PRIxGRUB_UINT64_T "-%016" PRIxGRUB_UINT64_T
 		   " %08" PRIxGRUB_UINT64_T,
 		   desc->physical_start,
--- a/grub-core/commands/efi/lsefisystab.c
+++ b/grub-core/commands/efi/lsefisystab.c
@ -29,7 +29,7 @@ GRUB_MOD_LICENSE ("GPLv3+");

 struct guid_mapping
 {
-  grub_efi_guid_t guid;
+  grub_guid_t guid;
  const char *name;
 };

@ -37,6 +37,7 @@ static const struct guid_mapping guid_mappings[] =
  {
    { GRUB_EFI_ACPI_20_TABLE_GUID, "ACPI-2.0"},
    { GRUB_EFI_ACPI_TABLE_GUID, "ACPI-1.0"},
+    { GRUB_EFI_CONFORMANCE_PROFILES_TABLE_GUID, "CONFORMANCE PROFILES"},
    { GRUB_EFI_CRC32_GUIDED_SECTION_EXTRACTION_GUID,
      "CRC32 GUIDED SECTION EXTRACTION"},
    { GRUB_EFI_DEBUG_IMAGE_INFO_TABLE_GUID, "DEBUG IMAGE INFO"},
@ -44,6 +45,7 @@ static const struct guid_mapping guid_mappings[] =
    { GRUB_EFI_DXE_SERVICES_TABLE_GUID, "DXE SERVICES"},
    { GRUB_EFI_HCDP_TABLE_GUID, "HCDP"},
    { GRUB_EFI_HOB_LIST_GUID, "HOB LIST"},
+    { GRUB_EFI_IMAGE_SECURITY_DATABASE_GUID, "IMAGE EXECUTION INFORMATION"},
    { GRUB_EFI_LZMA_CUSTOM_DECOMPRESS_GUID, "LZMA CUSTOM DECOMPRESS"},
    { GRUB_EFI_MEMORY_TYPE_INFORMATION_GUID, "MEMORY TYPE INFO"},
    { GRUB_EFI_MPS_TABLE_GUID, "MPS"},
@ -62,17 +64,23 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
 		      char **args __attribute__ ((unused)))
 {
  const grub_efi_system_table_t *st = grub_efi_system_table;
+  const grub_efi_uint32_t major_rev = st->hdr.revision >> 16;
+  const grub_efi_uint32_t minor_rev_upper = (st->hdr.revision & 0xffff) / 10;
+  const grub_efi_uint32_t minor_rev_lower = (st->hdr.revision & 0xffff) % 10;
  grub_efi_configuration_table_t *t;
  unsigned int i;

  grub_printf ("Address: %p\n", st);
-  grub_printf ("Signature: %016" PRIxGRUB_UINT64_T " revision: %08x\n",
-	       st->hdr.signature, st->hdr.revision);
+  grub_printf ("Signature: %016" PRIxGRUB_UINT64_T " revision: %u.%u",
+	       st->hdr.signature, major_rev, minor_rev_upper);
+  if (minor_rev_lower)
+     grub_printf (".%u", minor_rev_lower);
+  grub_printf ("\n");
  {
    char *vendor;
    grub_uint16_t *vendor_utf16;
    grub_printf ("Vendor: ");
-    
+
    for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
    /* Allocate extra 3 bytes to simplify math. */
    vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
@ -94,15 +102,11 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),

      grub_printf ("%p  ", t->vendor_table);

-      grub_printf ("%08x-%04x-%04x-",
-		   t->vendor_guid.data1, t->vendor_guid.data2,
-		   t->vendor_guid.data3);
-      for (j = 0; j < 8; j++)
-	grub_printf ("%02x", t->vendor_guid.data4[j]);
-      
+      grub_printf ("%pG", &t->vendor_guid);
+
      for (j = 0; j < ARRAY_SIZE (guid_mappings); j++)
 	if (grub_memcmp (&guid_mappings[j].guid, &t->vendor_guid,
-			 sizeof (grub_efi_guid_t)) == 0)
+			 sizeof (grub_guid_t)) == 0)
 	  grub_printf ("   %s", guid_mappings[j].name);

      grub_printf ("\n");
@ -115,7 +119,7 @@ static grub_command_t cmd;

 GRUB_MOD_INIT(lsefisystab)
 {
-  cmd = grub_register_command ("lsefisystab", grub_cmd_lsefisystab, 
+  cmd = grub_register_command ("lsefisystab", grub_cmd_lsefisystab,
 			       "", "Display EFI system tables.");
 }

--- a/grub-core/commands/efi/lssal.c
+++ b/grub-core/commands/efi/lssal.c
@ -136,22 +136,16 @@ grub_cmd_lssal (struct grub_command *cmd __attribute__ ((unused)),
 		int argc __attribute__ ((unused)),
 		char **args __attribute__ ((unused)))
 {
-  const grub_efi_system_table_t *st = grub_efi_system_table;
-  grub_efi_configuration_table_t *t = st->configuration_table;
-  unsigned int i;
-  grub_efi_packed_guid_t guid = GRUB_EFI_SAL_TABLE_GUID;
+  static grub_guid_t guid = GRUB_EFI_SAL_TABLE_GUID;
+  void *table = grub_efi_find_configuration_table (&guid);

-  for (i = 0; i < st->num_table_entries; i++)
+  if (table == NULL)
    {
-      if (grub_memcmp (&guid, &t->vendor_guid,
-		       sizeof (grub_efi_packed_guid_t)) == 0)
-	{
-	  disp_sal (t->vendor_table);
-	  return GRUB_ERR_NONE;
-	}
-      t++;
+      grub_printf ("SAL not found\n");
+      return GRUB_ERR_NONE;
    }
-  grub_printf ("SAL not found\n");
+
+  disp_sal (table);
  return GRUB_ERR_NONE;
 }

--- a/grub-core/commands/efi/smbios.c
+++ b/grub-core/commands/efi/smbios.c
@ -18,44 +18,20 @@
 */

 #include <grub/smbios.h>
-#include <grub/misc.h>
 #include <grub/efi/efi.h>
-#include <grub/efi/api.h>

 struct grub_smbios_eps *
 grub_machine_smbios_get_eps (void)
 {
-  unsigned i;
-  static grub_efi_packed_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;
+  static grub_guid_t smbios_guid = GRUB_EFI_SMBIOS_TABLE_GUID;

-  for (i = 0; i < grub_efi_system_table->num_table_entries; i++)
-    {
-      grub_efi_packed_guid_t *guid =
-	&grub_efi_system_table->configuration_table[i].vendor_guid;
-
-      if (! grub_memcmp (guid, &smbios_guid, sizeof (grub_efi_packed_guid_t)))
-	return (struct grub_smbios_eps *)
-	  grub_efi_system_table->configuration_table[i].vendor_table;
-    }
-
-  return 0;
+  return (struct grub_smbios_eps *) grub_efi_find_configuration_table (&smbios_guid);
 }

 struct grub_smbios_eps3 *
 grub_machine_smbios_get_eps3 (void)
 {
-  unsigned i;
-  static grub_efi_packed_guid_t smbios3_guid = GRUB_EFI_SMBIOS3_TABLE_GUID;
+  static grub_guid_t smbios3_guid = GRUB_EFI_SMBIOS3_TABLE_GUID;

-  for (i = 0; i < grub_efi_system_table->num_table_entries; i++)
-    {
-      grub_efi_packed_guid_t *guid =
-	&grub_efi_system_table->configuration_table[i].vendor_guid;
-
-      if (! grub_memcmp (guid, &smbios3_guid, sizeof (grub_efi_packed_guid_t)))
-	return (struct grub_smbios_eps3 *)
-	  grub_efi_system_table->configuration_table[i].vendor_table;
-    }
-
-  return 0;
+  return (struct grub_smbios_eps3 *) grub_efi_find_configuration_table (&smbios3_guid);
 }
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@ -22,6 +22,7 @@
 #include <grub/i18n.h>
 #include <grub/efi/api.h>
 #include <grub/efi/efi.h>
+#include <grub/efi/cc.h>
 #include <grub/efi/tpm.h>
 #include <grub/mm.h>
 #include <grub/tpm.h>
@ -29,8 +30,9 @@

 typedef TCG_PCR_EVENT grub_tpm_event_t;

-static grub_efi_guid_t tpm_guid = EFI_TPM_GUID;
-static grub_efi_guid_t tpm2_guid = EFI_TPM2_GUID;
+static grub_guid_t tpm_guid = EFI_TPM_GUID;
+static grub_guid_t tpm2_guid = EFI_TPM2_GUID;
+static grub_guid_t cc_measurement_guid = GRUB_EFI_CC_MEASUREMENT_PROTOCOL_GUID;

 static grub_efi_handle_t *grub_tpm_handle;
 static grub_uint8_t grub_tpm_version;
@ -51,8 +53,7 @@ grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)

  caps.Size = (grub_uint8_t) sizeof (caps);

-  status = efi_call_5 (tpm->status_check, tpm, &caps, &flags, &eventlog,
-		       &lastevent);
+  status = tpm->status_check (tpm, &caps, &flags, &eventlog, &lastevent);

  if (status != GRUB_EFI_SUCCESS || caps.TPMDeactivatedFlag
      || !caps.TPMPresentFlag)
@ -76,7 +77,7 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
  if (tpm2_present != -1)
    return (grub_efi_boolean_t) tpm2_present;

-  status = efi_call_2 (tpm->get_capability, tpm, &caps);
+  status = tpm->get_capability (tpm, &caps);

  if (status != GRUB_EFI_SUCCESS || !caps.TPMPresentFlag)
    tpm2_present = 0;
@ -135,17 +136,17 @@ grub_efi_log_event_status (grub_efi_status_t status)
  switch (status)
    {
    case GRUB_EFI_SUCCESS:
-      return 0;
+      return GRUB_ERR_NONE;
    case GRUB_EFI_DEVICE_ERROR:
-      return grub_error (GRUB_ERR_IO, N_("Command failed"));
+      return grub_error (GRUB_ERR_IO, N_("command failed"));
    case GRUB_EFI_INVALID_PARAMETER:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter"));
+      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid parameter"));
    case GRUB_EFI_BUFFER_TOO_SMALL:
-      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Output buffer too small"));
+      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("output buffer too small"));
    case GRUB_EFI_NOT_FOUND:
      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("TPM unavailable"));
    default:
-      return grub_error (GRUB_ERR_UNKNOWN_DEVICE, N_("Unknown TPM error"));
+      return grub_error (grub_is_tpm_fail_fatal () ? GRUB_ERR_UNKNOWN_DEVICE : GRUB_ERR_NONE, N_("unknown TPM error"));
    }
 }

@ -175,11 +176,11 @@ grub_tpm1_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
  event->PCRIndex = pcr;
  event->EventType = EV_IPL;
  event->EventSize = grub_strlen (description) + 1;
-  grub_memcpy (event->Event, description, event->EventSize);
+  grub_strcpy ((char *) event->Event, description);

  algorithm = TCG_ALG_SHA;
-  status = efi_call_7 (tpm->log_extend_event, tpm, (grub_addr_t) buf, (grub_uint64_t) size,
-		       algorithm, event, &eventnum, &lastevent);
+  status = tpm->log_extend_event (tpm, (grub_addr_t) buf, (grub_uint64_t) size,
+				  algorithm, event, &eventnum, &lastevent);
  grub_free (event);

  return grub_efi_log_event_status (status);
@ -212,15 +213,59 @@ grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
  event->Header.EventType = EV_IPL;
  event->Size =
    sizeof (*event) - sizeof (event->Event) + grub_strlen (description) + 1;
-  grub_memcpy (event->Event, description, grub_strlen (description) + 1);
+  grub_strcpy ((char *) event->Event, description);

-  status = efi_call_5 (tpm->hash_log_extend_event, tpm, 0, (grub_addr_t) buf,
-		       (grub_uint64_t) size, event);
+  status = tpm->hash_log_extend_event (tpm, 0, (grub_addr_t) buf,
+				       (grub_uint64_t) size, event);
  grub_free (event);

  return grub_efi_log_event_status (status);
 }

+static void
+grub_cc_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		   const char *description)
+{
+  grub_efi_cc_event_t *event;
+  grub_efi_status_t status;
+  grub_efi_cc_protocol_t *cc;
+  grub_efi_cc_mr_index_t mr;
+
+  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
+  if (cc == NULL)
+    return;
+
+  status = cc->map_pcr_to_mr_index (cc, pcr, &mr);
+  if (status != GRUB_EFI_SUCCESS)
+    {
+      grub_efi_log_event_status (status);
+      return;
+    }
+
+  event = grub_zalloc (sizeof (grub_efi_cc_event_t) +
+		       grub_strlen (description) + 1);
+  if (event == NULL)
+    {
+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate CC event buffer"));
+      return;
+    }
+
+  event->Header.HeaderSize = sizeof (grub_efi_cc_event_header_t);
+  event->Header.HeaderVersion = GRUB_EFI_CC_EVENT_HEADER_VERSION;
+  event->Header.MrIndex = mr;
+  event->Header.EventType = EV_IPL;
+  event->Size = sizeof (*event) + grub_strlen (description) + 1;
+  grub_strcpy ((char *) event->Event, description);
+
+  status = cc->hash_log_extend_event (cc, 0,
+				      (grub_efi_physical_address_t)(grub_addr_t) buf,
+				      (grub_efi_uint64_t) size, event);
+  grub_free (event);
+
+  if (status != GRUB_EFI_SUCCESS)
+    grub_efi_log_event_status (status);
+}
+
 grub_err_t
 grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
 		    const char *description)
@ -228,6 +273,8 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
  grub_efi_handle_t tpm_handle;
  grub_efi_uint8_t protocol_version;

+  grub_cc_log_event(buf, size, pcr, description);
+
  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
    return 0;

@ -239,3 +286,49 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
  else
    return grub_tpm2_log_event (tpm_handle, buf, size, pcr, description);
 }
+
+int
+grub_tpm_present (void)
+{
+  grub_efi_handle_t tpm_handle;
+  grub_efi_uint8_t protocol_version;
+  grub_efi_cc_protocol_t *cc;
+
+  /*
+   * When confidential computing measurement protocol is enabled
+   * we assume the TPM is present.
+   */
+  cc = grub_efi_locate_protocol (&cc_measurement_guid, NULL);
+  if (cc != NULL)
+    return 1;
+
+  if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
+    return 0;
+
+  if (protocol_version == 1)
+    {
+      grub_efi_tpm_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm_guid,
+				    GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+	{
+	  grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+	  return 0;
+	}
+      return grub_tpm1_present (tpm);
+    }
+  else
+    {
+      grub_efi_tpm2_protocol_t *tpm;
+
+      tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
+				    GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (!tpm)
+	{
+	  grub_dprintf ("tpm", "Cannot open TPM protocol\n");
+	  return 0;
+	}
+      return grub_tpm2_present (tpm);
+    }
+}
--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
    }

  state = grub_arg_list_alloc (ext, argc, args);
+  if (state == NULL)
+    return grub_errno;
+
  if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
    {
      context.state = state;
--- a/grub-core/commands/file.c
+++ b/grub-core/commands/file.c
@ -25,10 +25,10 @@
 #include <grub/i18n.h>
 #include <grub/file.h>
 #include <grub/elf.h>
+#include <grub/efi/efi.h>
 #include <grub/xen_file.h>
 #include <grub/efi/pe32.h>
 #include <grub/arm/linux.h>
-#include <grub/arm64/linux.h>
 #include <grub/i386/linux.h>
 #include <grub/xnu.h>
 #include <grub/machoload.h>
@ -306,6 +306,8 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)

 	elf = grub_elf_file (file, file->name);

+	if (elf == NULL)
+	  break;
 	if (elf->ehdr.ehdr32.e_type != grub_cpu_to_le16_compile_time (ET_EXEC)
 	    || elf->ehdr.ehdr32.e_ident[EI_DATA] != ELFDATA2LSB)
 	  break;
@ -391,7 +393,7 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
      }
    case IS_ARM_LINUX:
      {
-	struct linux_arm_kernel_header lh;
+	struct linux_arch_kernel_header lh;

 	if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
 	  break;
@ -412,13 +414,24 @@ grub_cmd_file (grub_extcmd_context_t ctxt, int argc, char **args)
      }
    case IS_ARM64_LINUX:
      {
-	struct linux_arm64_kernel_header lh;
+	struct linux_arch_kernel_header lh;

 	if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
 	  break;

-	if (lh.magic ==
-	    grub_cpu_to_le32_compile_time (GRUB_LINUX_ARM64_MAGIC_SIGNATURE))
+	/*
+	 * The PE/COFF header can be anywhere in the file. Load it from the correct
+	 * offset if it is not where it is expected.
+	 */
+        if ((grub_uint8_t *) &lh + lh.hdr_offset != (grub_uint8_t *) &lh.pe_image_header)
+        {
+          if (grub_file_seek (file, lh.hdr_offset) == (grub_off_t) -1
+              || grub_file_read (file, &lh.pe_image_header, sizeof (struct grub_pe_image_header))
+                 != sizeof (struct grub_pe_image_header))
+            return grub_error (GRUB_ERR_FILE_READ_ERROR, "failed to read COFF image header");
+        }
+
+	if (lh.pe_image_header.coff_header.machine == grub_cpu_to_le16_compile_time (GRUB_PE32_MACHINE_ARM64))
 	  {
 	    ret = 1;
 	    break;
--- a/grub-core/commands/halt.c
+++ b/grub-core/commands/halt.c
@ -37,7 +37,7 @@ static grub_command_t cmd;
 GRUB_MOD_INIT(halt)
 {
  cmd = grub_register_command ("halt", grub_cmd_halt,
-			       0, N_("Halts the computer.  This command does" 
+			       0, N_("Halts the computer.  This command does"
 			       " not work on all firmware implementations."));
 }

--- a/grub-core/commands/hashsum.c
+++ b/grub-core/commands/hashsum.c
@ -39,7 +39,7 @@ static const struct grub_arg_option options[] = {
  {0, 0, 0, 0, 0, 0}
 };

-static struct { const char *name; const char *hashname; } aliases[] = 
+static struct { const char *name; const char *hashname; } aliases[] =
  {
    {"sha256sum", "sha256"},
    {"sha512sum", "sha512"},
@ -116,7 +116,7 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
  hashlist = grub_file_open (hashfilename, GRUB_FILE_TYPE_HASHLIST);
  if (!hashlist)
    return grub_errno;
-  
+
  while (grub_free (buf), (buf = grub_file_getline (hashlist)))
    {
      const char *p = buf;
@ -143,7 +143,7 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
      if (prefix)
 	{
 	  char *filename;
-	  
+
 	  filename = grub_xasprintf ("%s/%s", prefix, p);
 	  if (!filename)
 	    {
@ -192,7 +192,7 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
 				 "hash of '%s' mismatches", p);
 	    }
 	  mismatch++;
-	  continue;	  
+	  continue;
 	}
      grub_printf_ (N_("%s: OK\n"), p);
    }
--- a/grub-core/commands/hdparm.c
+++ b/grub-core/commands/hdparm.c
@ -333,7 +333,7 @@ grub_cmd_hdparm (grub_extcmd_context_t ctxt, int argc, char **args)
      grub_disk_close (disk);
      return grub_error (GRUB_ERR_IO, "not an ATA device");
    }
-    
+

  /* Change settings.  */
  if (aam >= 0)
--- a/grub-core/commands/help.c
+++ b/grub-core/commands/help.c
@ -64,11 +64,11 @@ grub_cmd_help (grub_extcmd_context_t ctxt __attribute__ ((unused)), int argc,

 	      stringwidth = 0;

-	      while (unicode_last_screen_position < unicode_last_position && 
+	      while (unicode_last_screen_position < unicode_last_position &&
 		     stringwidth < ((grub_term_width (term) / 2) - 2))
 		{
 		  struct grub_unicode_glyph glyph;
-		  unicode_last_screen_position 
+		  unicode_last_screen_position
 		    += grub_unicode_aglomerate_comb (unicode_last_screen_position,
 						     unicode_last_position
 						     - unicode_last_screen_position,
@ -88,7 +88,7 @@ grub_cmd_help (grub_extcmd_context_t ctxt __attribute__ ((unused)), int argc,
 	    if (cnt % 2)
 	      grub_printf ("\n");
 	    cnt++;
-	  
+
 	    grub_free (command_help);
 	    grub_free (unicode_command_help);
 	  }
@ -135,6 +135,8 @@ grub_cmd_help (grub_extcmd_context_t ctxt __attribute__ ((unused)), int argc,
 	}
    }

+  grub_printf ("\n\nTo enable less(1)-like paging, \"set pager=1\".\n");
+
  return 0;
 }

--- a/grub-core/commands/hexdump.c
+++ b/grub-core/commands/hexdump.c
@ -24,6 +24,7 @@
 #include <grub/lib/hexdump.h>
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/lockdown.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@ -51,7 +52,11 @@ grub_cmd_hexdump (grub_extcmd_context_t ctxt, int argc, char **args)
  length = (state[1].set) ? grub_strtoul (state[1].arg, 0, 0) : 256;

  if (!grub_strcmp (args[0], "(mem)"))
-    hexdump (skip, (char *) (grub_addr_t) skip, length);
+    {
+      if (grub_is_lockdown() == GRUB_LOCKDOWN_ENABLED)
+        return grub_error (GRUB_ERR_ACCESS_DENIED, N_("memory reading is disabled in lockdown mode"));
+      hexdump (skip, (char *) (grub_addr_t) skip, length);
+    }
  else if ((args[0][0] == '(') && (args[0][namelen - 1] == ')'))
    {
      grub_disk_t disk;
--- a/grub-core/commands/i386/cmostest.c
+++ b/grub-core/commands/i386/cmostest.c
@ -104,13 +104,13 @@ static grub_command_t cmd, cmd_clean, cmd_set;

 GRUB_MOD_INIT(cmostest)
 {
-  cmd = grub_register_command ("cmostest", grub_cmd_cmostest,
+  cmd = grub_register_command_lockdown ("cmostest", grub_cmd_cmostest,
 			       N_("BYTE:BIT"),
 			       N_("Test bit at BYTE:BIT in CMOS."));
-  cmd_clean = grub_register_command ("cmosclean", grub_cmd_cmosclean,
+  cmd_clean = grub_register_command_lockdown ("cmosclean", grub_cmd_cmosclean,
 				     N_("BYTE:BIT"),
 				     N_("Clear bit at BYTE:BIT in CMOS."));
-  cmd_set = grub_register_command ("cmosset", grub_cmd_cmosset,
+  cmd_set = grub_register_command_lockdown ("cmosset", grub_cmd_cmosset,
 				   N_("BYTE:BIT"),
 				   /* TRANSLATORS: A bit may be either set (1) or clear (0).  */
 				   N_("Set bit at BYTE:BIT in CMOS."));
--- a/grub-core/commands/i386/coreboot/cb_timestamps.c
+++ b/grub-core/commands/i386/coreboot/cb_timestamps.c
@ -84,7 +84,7 @@ iterate_linuxbios_table (grub_linuxbios_table_item_t table_item,
      grub_uint32_t tmrel = tsc2ms (ts_table->entries[i].tsc - last_tsc);
      last_tsc = ts_table->entries[i].tsc;

-      grub_printf ("%3d.%03ds %2d.%03ds %02d %s\n", 
+      grub_printf ("%3d.%03ds %2d.%03ds %02d %s\n",
 		   tmabs / 1000, tmabs % 1000, tmrel / 1000, tmrel % 1000,
 		   ts_table->entries[i].id,
 		   (ts_table->entries[i].id < ARRAY_SIZE (descs)
--- a/grub-core/commands/i386/coreboot/cbls.c
+++ b/grub-core/commands/i386/coreboot/cbls.c
@ -84,7 +84,7 @@ iterate_linuxbios_table (grub_linuxbios_table_item_t table_item,

 	grub_printf (": %dx%dx%d pitch=%d lfb=0x%llx %d/%d/%d/%d %d/%d/%d/%d",
 		     fb->width, fb->height,
-		     fb->bpp, fb->pitch, 
+		     fb->bpp, fb->pitch,
 		     (unsigned long long) fb->lfb,
 		     fb->red_mask_size, fb->green_mask_size,
 		     fb->blue_mask_size, fb->reserved_mask_size,
--- a/grub-core/commands/i386/pc/drivemap.c
+++ b/grub-core/commands/i386/pc/drivemap.c
@ -31,9 +31,6 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-/* Real mode IVT slot (seg:off far pointer) for interrupt 0x13.  */
-static grub_uint32_t *const int13slot = (grub_uint32_t *) (4 * 0x13);
-
 /* Remember to update enum opt_idxs accordingly.  */
 static const struct grub_arg_option options[] = {
  /* TRANSLATORS: In this file "mapping" refers to a change GRUB makes so if
@ -185,7 +182,7 @@ list_mappings (void)
      return GRUB_ERR_NONE;
    }

-  /* TRANSLATORS:  This is the header of mapping list. 
+  /* TRANSLATORS:  This is the header of mapping list.
     On the left is how OS will see the disks and
     on the right current GRUB vision.  */
  grub_puts_ (N_("OS disk #num ------> GRUB/BIOS device"));
@ -280,6 +277,8 @@ install_int13_handler (int noret __attribute__ ((unused)))
  grub_uint8_t *handler_base = 0;
  /* Address of the map within the deployed bundle.  */
  int13map_node_t *handler_map;
+  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
+  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);

  int i;
  int entries = 0;
@ -354,6 +353,9 @@ install_int13_handler (int noret __attribute__ ((unused)))
 static grub_err_t
 uninstall_int13_handler (void)
 {
+  /* Real mode IVT slot (seg:off far pointer) for interrupt 0x13. */
+  grub_uint32_t *int13slot = (grub_uint32_t *) grub_absolute_pointer (4 * 0x13);
+
  if (! grub_drivemap_oldhandler)
    return GRUB_ERR_NONE;

--- a/grub-core/commands/i386/pc/halt.c
+++ b/grub-core/commands/i386/pc/halt.c
@ -59,7 +59,7 @@ grub_halt (int no_apm)
  regs.ebx = 0;
  regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
  grub_bios_interrupt (0x15, &regs);
-  
+
  if (regs.flags & GRUB_CPU_INT_FLAGS_CARRY)
    stop ();

--- a/grub-core/commands/i386/pc/lsapm.c
+++ b/grub-core/commands/i386/pc/lsapm.c
@ -34,7 +34,7 @@ grub_apm_get_info (struct grub_apm_info *info)
  regs.ebx = 0;
  regs.flags = GRUB_CPU_INT_FLAGS_DEFAULT;
  grub_bios_interrupt (0x15, &regs);
-  
+
  if (regs.flags & GRUB_CPU_INT_FLAGS_CARRY)
    return 0;
  info->version = regs.eax & 0xffff;
--- a/grub-core/commands/i386/pc/play.c
+++ b/grub-core/commands/i386/pc/play.c
@ -80,7 +80,7 @@ grub_cmd_play (grub_command_t cmd __attribute__ ((unused)),
 {

  if (argc < 1)
-    return grub_error (GRUB_ERR_BAD_ARGUMENT, 
+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
 		       /* TRANSLATORS: It's musical notes, not the notes
 			  you take. Play command expects arguments which can
 			  be either a filename or tempo+notes.
--- a/grub-core/commands/i386/pc/sendkey.c
+++ b/grub-core/commands/i386/pc/sendkey.c
@ -55,12 +55,12 @@ static const struct grub_arg_option options[] =
    {"no-led", 0, 0, N_("don't update LED state"), 0, 0},
    {0, 0, 0, 0, 0, 0}
  };
-static int simple_flag_offsets[] 
+static int simple_flag_offsets[]
 = {5, 6, 4, 7, 11, 1, 0, 10, 13, 14, 12, 15, 9, 3, 8, 2};

 static grub_uint32_t andmask = 0xffffffff, ormask = 0;

-struct 
+struct
 keysym
 {
  const char *unshifted_name;		/* the name in unshifted state */
@ -171,13 +171,13 @@ static struct keysym keysym_table[] =
  {"right",		0,		0xe0,	0,	0x4d}
 };

-/* Set a simple flag in flags variable  
+/* Set a simple flag in flags variable
   OUTOFFSET - offset of flag in FLAGS,
   OP - action id
 */
 static void
 grub_sendkey_set_simple_flag (int outoffset, int op)
-{      
+{
  if (op == 2)
    {
      andmask |= (1 << outoffset);
@ -199,7 +199,7 @@ grub_sendkey_parse_op (struct grub_arg_list state)
  if (! state.set)
    return 2;

-  if (grub_strcmp (state.arg, "off") == 0 || grub_strcmp (state.arg, "0") == 0 
+  if (grub_strcmp (state.arg, "off") == 0 || grub_strcmp (state.arg, "0") == 0
      || grub_strcmp (state.arg, "unpress") == 0)
    return 0;

@ -216,12 +216,12 @@ static grub_err_t
 grub_sendkey_postboot (void)
 {
  /* For convention: pointer to flags.  */
-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
+  grub_uint32_t *flags = grub_absolute_pointer (0x417);

  *flags = oldflags;

-  *((char *) 0x41a) = 0x1e;
-  *((char *) 0x41c) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41c)) = 0x1e;

  return GRUB_ERR_NONE;
 }
@ -231,13 +231,13 @@ static grub_err_t
 grub_sendkey_preboot (int noret __attribute__ ((unused)))
 {
  /* For convention: pointer to flags.  */
-  grub_uint32_t *flags = (grub_uint32_t *) 0x417;
+  grub_uint32_t *flags = grub_absolute_pointer (0x417);

  oldflags = *flags;
-  
+
  /* Set the sendkey.  */
-  *((char *) 0x41a) = 0x1e;
-  *((char *) 0x41c) = keylen + 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41a)) = 0x1e;
+  *((volatile char *) grub_absolute_pointer (0x41c)) = keylen + 0x1e;
  grub_memcpy ((char *) 0x41e, sendkey, 0x20);

  /* Transform "any ctrl" to "right ctrl" flag.  */
@ -247,7 +247,7 @@ grub_sendkey_preboot (int noret __attribute__ ((unused)))
  /* Transform "any alt" to "right alt" flag.  */
  if (*flags & (1 << 9))
    *flags &= ~(1 << 3);
-  
+
  *flags = (*flags & andmask) | ormask;

  /* Transform "right ctrl" to "any ctrl" flag.  */
@ -294,10 +294,10 @@ find_key_code (char *key)

  for (i = 0; i < ARRAY_SIZE(keysym_table); i++)
    {
-      if (keysym_table[i].unshifted_name 
+      if (keysym_table[i].unshifted_name
 	  && grub_strcmp (key, keysym_table[i].unshifted_name) == 0)
 	return keysym_table[i].keycode;
-      else if (keysym_table[i].shifted_name 
+      else if (keysym_table[i].shifted_name
 	       && grub_strcmp (key, keysym_table[i].shifted_name) == 0)
 	return keysym_table[i].keycode;
    }
@ -313,10 +313,10 @@ find_ascii_code (char *key)

  for (i = 0; i < ARRAY_SIZE(keysym_table); i++)
    {
-      if (keysym_table[i].unshifted_name 
+      if (keysym_table[i].unshifted_name
 	  && grub_strcmp (key, keysym_table[i].unshifted_name) == 0)
 	return keysym_table[i].unshifted_ascii;
-      else if (keysym_table[i].shifted_name 
+      else if (keysym_table[i].shifted_name
 	       && grub_strcmp (key, keysym_table[i].shifted_name) == 0)
 	return keysym_table[i].shifted_ascii;
    }
@ -340,7 +340,7 @@ grub_cmd_sendkey (grub_extcmd_context_t ctxt, int argc, char **args)
    for (i = 0; i < argc && keylen < 0x20; i++)
      {
 	int key_code;
-	
+
 	key_code = find_key_code (args[i]);
 	if (key_code)
 	  {
@ -353,7 +353,7 @@ grub_cmd_sendkey (grub_extcmd_context_t ctxt, int argc, char **args)
  {
    unsigned i;
    for (i = 0; i < ARRAY_SIZE(simple_flag_offsets); i++)
-      grub_sendkey_set_simple_flag (simple_flag_offsets[i], 
+      grub_sendkey_set_simple_flag (simple_flag_offsets[i],
 				    grub_sendkey_parse_op(state[i]));
  }

@ -374,8 +374,8 @@ GRUB_MOD_INIT (sendkey)
 				 keypresses.  */
 			      N_("Emulate a keystroke sequence"), options);

-  preboot_hook 
-    = grub_loader_register_preboot_hook (grub_sendkey_preboot, 
+  preboot_hook
+    = grub_loader_register_preboot_hook (grub_sendkey_preboot,
 					 grub_sendkey_postboot,
 					 GRUB_LOADER_PREBOOT_HOOK_PRIO_CONSOLE);
 }
--- a/grub-core/commands/i386/rdmsr.c
+++ b/grub-core/commands/i386/rdmsr.c
@ -26,7 +26,7 @@
 #include <grub/extcmd.h>
 #include <grub/i18n.h>
 #include <grub/i386/cpuid.h>
-#include <grub/i386/rdmsr.h>
+#include <grub/i386/msr.h>

 GRUB_MOD_LICENSE("GPLv3+");

@ -42,27 +42,16 @@ static const struct grub_arg_option options[] =
 static grub_err_t
 grub_cmd_msr_read (grub_extcmd_context_t ctxt, int argc, char **argv)
 {
-  grub_uint32_t manufacturer[3], max_cpuid, a, b, c, features, addr;
+  grub_err_t err;
+  grub_uint32_t addr;
  grub_uint64_t value;
  const char *ptr;
  char buf[sizeof("1122334455667788")];

-  /*
-   * The CPUID instruction should be used to determine whether MSRs
-   * are supported. (CPUID.01H:EDX[5] = 1)
-   */
-  if (! grub_cpu_is_cpuid_supported ())
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  err = grub_cpu_is_msr_supported ();

-  grub_cpuid (0, max_cpuid, manufacturer[0], manufacturer[2], manufacturer[1]);
-
-  if (max_cpuid < 1)
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
-
-  grub_cpuid (1, a, b, c, features);
-
-  if (!(features & (1 << 5)))
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  if (err != GRUB_ERR_NONE)
+    return grub_error (err, N_("RDMSR is unsupported"));

  if (argc != 1)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
@ -76,7 +65,7 @@ grub_cmd_msr_read (grub_extcmd_context_t ctxt, int argc, char **argv)
  if (*ptr != '\0')
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid argument"));

-  value = grub_msr_read (addr);
+  value = grub_rdmsr (addr);

  if (ctxt->state[0].set)
    {
--- a/grub-core/commands/i386/wrmsr.c
+++ b/grub-core/commands/i386/wrmsr.c
@ -27,7 +27,7 @@
 #include <grub/lockdown.h>
 #include <grub/i18n.h>
 #include <grub/i386/cpuid.h>
-#include <grub/i386/wrmsr.h>
+#include <grub/i386/msr.h>

 GRUB_MOD_LICENSE("GPLv3+");

@ -36,26 +36,15 @@ static grub_command_t cmd_write;
 static grub_err_t
 grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char **argv)
 {
-  grub_uint32_t manufacturer[3], max_cpuid, a, b, c, features, addr;
+  grub_err_t err;
+  grub_uint32_t addr;
  grub_uint64_t value;
  const char *ptr;

-  /*
-   * The CPUID instruction should be used to determine whether MSRs
-   * are supported. (CPUID.01H:EDX[5] = 1)
-   */
-  if (!grub_cpu_is_cpuid_supported ())
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  err = grub_cpu_is_msr_supported ();

-  grub_cpuid (0, max_cpuid, manufacturer[0], manufacturer[2], manufacturer[1]);
-
-  if (max_cpuid < 1)
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
-
-  grub_cpuid (1, a, b, c, features);
-
-  if (!(features & (1 << 5)))
-    return grub_error (GRUB_ERR_BUG, N_("unsupported instruction"));
+  if (err != GRUB_ERR_NONE)
+    return grub_error (err, N_("WRMSR is unsupported"));

  if (argc != 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
@ -77,7 +66,7 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
  if (*ptr != '\0')
    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid argument"));

-  grub_msr_write (addr, value);
+  grub_wrmsr (addr, value);

  return GRUB_ERR_NONE;
 }
--- a/grub-core/commands/ieee1275/ibmvtpm.c
+++ b/grub-core/commands/ieee1275/ibmvtpm.c
@ -0,0 +1,117 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022  Free Software Foundation, Inc.
+ *  Copyright (C) 2022  IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ *  IBM vTPM support code.
+ */
+
+#include <grub/err.h>
+#include <grub/types.h>
+#include <grub/tpm.h>
+#include <grub/ieee1275/ieee1275.h>
+#include <grub/ieee1275/tpm.h>
+#include <grub/mm.h>
+#include <grub/misc.h>
+
+static int
+ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
+		       grub_uint32_t eventtype,
+		       const char *description,
+		       grub_size_t description_size,
+		       void *buf, grub_size_t size)
+{
+  struct tpm_2hash_ext_log
+  {
+    struct grub_ieee1275_common_hdr common;
+    grub_ieee1275_cell_t method;
+    grub_ieee1275_cell_t ihandle;
+    grub_ieee1275_cell_t size;
+    grub_ieee1275_cell_t buf;
+    grub_ieee1275_cell_t description_size;
+    grub_ieee1275_cell_t description;
+    grub_ieee1275_cell_t eventtype;
+    grub_ieee1275_cell_t pcrindex;
+    grub_ieee1275_cell_t catch_result;
+    grub_ieee1275_cell_t rc;
+  };
+  struct tpm_2hash_ext_log args;
+
+  INIT_IEEE1275_COMMON (&args.common, "call-method", 8, 2);
+  args.method = (grub_ieee1275_cell_t) "2hash-ext-log";
+  args.ihandle = grub_ieee1275_tpm_ihandle;
+  args.pcrindex = pcrindex;
+  args.eventtype = eventtype;
+  args.description = (grub_ieee1275_cell_t) description;
+  args.description_size = description_size;
+  args.buf = (grub_ieee1275_cell_t) buf;
+  args.size = (grub_ieee1275_cell_t) size;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+    return -1;
+
+  /*
+   * catch_result is set if firmware does not support 2hash-ext-log
+   * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
+   */
+  if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
+    return -1;
+
+  return 0;
+}
+
+static grub_err_t
+tpm2_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		const char *description)
+{
+  static int error_displayed = 0;
+  int rc;
+
+  rc = ibmvtpm_2hash_ext_log (pcr, EV_IPL,
+			      description, grub_strlen(description) + 1,
+			      buf, size);
+  if (rc && !error_displayed)
+    {
+      error_displayed++;
+      return grub_error (GRUB_ERR_BAD_DEVICE,
+			 "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+		  const char *description)
+{
+  grub_dprintf ("tpm", "log_event, pcr = %d, size = 0x%" PRIxGRUB_SIZE ", %s\n",
+		pcr, size, description);
+
+  if (grub_ieee1275_tpm_ihandle != GRUB_IEEE1275_IHANDLE_INVALID)
+    return tpm2_log_event (buf, size, pcr, description);
+
+  return GRUB_ERR_NONE;
+}
+
+int
+grub_tpm_present (void)
+{
+  /*
+   * Call tpm_init() "late" rather than from GRUB_MOD_INIT() so that device nodes
+   * can be found.
+   */
+  return grub_ieee1275_tpm_init() == GRUB_ERR_NONE;
+}
--- a/grub-core/commands/keylayouts.c
+++ b/grub-core/commands/keylayouts.c
@ -35,7 +35,7 @@ static struct grub_keyboard_layout layout_us = {
    /* Keyboard errors. Handled by driver.  */
    /* 0x00 */   0,   0,   0,   0,

-    /* 0x04 */ 'a',  'b',  'c',  'd', 
+    /* 0x04 */ 'a',  'b',  'c',  'd',
    /* 0x08 */ 'e',  'f',  'g',  'h',  'i', 'j', 'k', 'l',
    /* 0x10 */ 'm',  'n',  'o',  'p',  'q', 'r', 's', 't',
    /* 0x18 */ 'u',  'v',  'w',  'x',  'y', 'z', '1', '2',
@ -43,11 +43,11 @@ static struct grub_keyboard_layout layout_us = {
    /* 0x28 */ '\n', GRUB_TERM_ESC, GRUB_TERM_BACKSPACE, GRUB_TERM_TAB, ' ', '-', '=', '[',
    /* According to usage table 0x31 should be mapped to '/'
       but testing with real keyboard shows that 0x32 is remapped to '/'.
-       Map 0x31 to 0. 
+       Map 0x31 to 0.
    */
    /* 0x30 */ ']',   0,   '\\', ';', '\'', '`', ',', '.',
    /* 0x39 is CapsLock. Handled by driver.  */
-    /* 0x38 */ '/',   0,   GRUB_TERM_KEY_F1, GRUB_TERM_KEY_F2, 
+    /* 0x38 */ '/',   0,   GRUB_TERM_KEY_F1, GRUB_TERM_KEY_F2,
    /* 0x3c */ GRUB_TERM_KEY_F3,     GRUB_TERM_KEY_F4,
    /* 0x3e */ GRUB_TERM_KEY_F5,     GRUB_TERM_KEY_F6,
    /* 0x40 */ GRUB_TERM_KEY_F7,     GRUB_TERM_KEY_F8,
@ -56,16 +56,16 @@ static struct grub_keyboard_layout layout_us = {
    /* PrtScr and ScrollLock. Not handled yet.  */
    /* 0x46 */ 0,                    0,
    /* 0x48 is Pause. Not handled yet.  */
-    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT, 
+    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT,
    /* 0x4a */ GRUB_TERM_KEY_HOME,   GRUB_TERM_KEY_PPAGE,
    /* 0x4c */ GRUB_TERM_KEY_DC,     GRUB_TERM_KEY_END,
    /* 0x4e */ GRUB_TERM_KEY_NPAGE,  GRUB_TERM_KEY_RIGHT,
    /* 0x50 */ GRUB_TERM_KEY_LEFT,   GRUB_TERM_KEY_DOWN,
    /* 0x53 is NumLock. Handled by driver.  */
    /* 0x52 */ GRUB_TERM_KEY_UP,     0,
-    /* 0x54 */ '/',                  '*', 
+    /* 0x54 */ '/',                  '*',
    /* 0x56 */ '-',                  '+',
-    /* 0x58 */ '\n',                 GRUB_TERM_KEY_END, 
+    /* 0x58 */ '\n',                 GRUB_TERM_KEY_END,
    /* 0x5a */ GRUB_TERM_KEY_DOWN,   GRUB_TERM_KEY_NPAGE,
    /* 0x5c */ GRUB_TERM_KEY_LEFT,   GRUB_TERM_KEY_CENTER,
    /* 0x5e */ GRUB_TERM_KEY_RIGHT,  GRUB_TERM_KEY_HOME,
@ -77,7 +77,7 @@ static struct grub_keyboard_layout layout_us = {
    /* Keyboard errors. Handled by driver.  */
    /* 0x00 */   0,   0,   0,   0,

-    /* 0x04 */ 'A',  'B',  'C',  'D', 
+    /* 0x04 */ 'A',  'B',  'C',  'D',
    /* 0x08 */ 'E',  'F',  'G',  'H',  'I', 'J', 'K', 'L',
    /* 0x10 */ 'M',  'N',  'O',  'P',  'Q', 'R', 'S', 'T',
    /* 0x18 */ 'U',  'V',  'W',  'X',  'Y', 'Z', '!', '@',
@ -87,27 +87,27 @@ static struct grub_keyboard_layout layout_us = {
    /* 0x2c */ ' '  | GRUB_TERM_SHIFT,  '_', '+', '{',
    /* According to usage table 0x31 should be mapped to '/'
       but testing with real keyboard shows that 0x32 is remapped to '/'.
-       Map 0x31 to 0. 
+       Map 0x31 to 0.
    */
    /* 0x30 */ '}',  0,    '|',  ':',  '"', '~', '<', '>',
    /* 0x39 is CapsLock. Handled by driver.  */
    /* 0x38 */ '?',  0,
    /* 0x3a */ GRUB_TERM_KEY_F1 | GRUB_TERM_SHIFT,
-    /* 0x3b */ GRUB_TERM_KEY_F2 | GRUB_TERM_SHIFT, 
-    /* 0x3c */ GRUB_TERM_KEY_F3 | GRUB_TERM_SHIFT, 
-    /* 0x3d */ GRUB_TERM_KEY_F4 | GRUB_TERM_SHIFT, 
-    /* 0x3e */ GRUB_TERM_KEY_F5 | GRUB_TERM_SHIFT, 
-    /* 0x3f */ GRUB_TERM_KEY_F6 | GRUB_TERM_SHIFT, 
-    /* 0x40 */ GRUB_TERM_KEY_F7 | GRUB_TERM_SHIFT, 
-    /* 0x41 */ GRUB_TERM_KEY_F8 | GRUB_TERM_SHIFT, 
-    /* 0x42 */ GRUB_TERM_KEY_F9 | GRUB_TERM_SHIFT, 
-    /* 0x43 */ GRUB_TERM_KEY_F10 | GRUB_TERM_SHIFT, 
-    /* 0x44 */ GRUB_TERM_KEY_F11 | GRUB_TERM_SHIFT, 
-    /* 0x45 */ GRUB_TERM_KEY_F12 | GRUB_TERM_SHIFT, 
+    /* 0x3b */ GRUB_TERM_KEY_F2 | GRUB_TERM_SHIFT,
+    /* 0x3c */ GRUB_TERM_KEY_F3 | GRUB_TERM_SHIFT,
+    /* 0x3d */ GRUB_TERM_KEY_F4 | GRUB_TERM_SHIFT,
+    /* 0x3e */ GRUB_TERM_KEY_F5 | GRUB_TERM_SHIFT,
+    /* 0x3f */ GRUB_TERM_KEY_F6 | GRUB_TERM_SHIFT,
+    /* 0x40 */ GRUB_TERM_KEY_F7 | GRUB_TERM_SHIFT,
+    /* 0x41 */ GRUB_TERM_KEY_F8 | GRUB_TERM_SHIFT,
+    /* 0x42 */ GRUB_TERM_KEY_F9 | GRUB_TERM_SHIFT,
+    /* 0x43 */ GRUB_TERM_KEY_F10 | GRUB_TERM_SHIFT,
+    /* 0x44 */ GRUB_TERM_KEY_F11 | GRUB_TERM_SHIFT,
+    /* 0x45 */ GRUB_TERM_KEY_F12 | GRUB_TERM_SHIFT,
    /* PrtScr and ScrollLock. Not handled yet.  */
    /* 0x46 */ 0,                    0,
    /* 0x48 is Pause. Not handled yet.  */
-    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT | GRUB_TERM_SHIFT, 
+    /* 0x48 */ 0,                    GRUB_TERM_KEY_INSERT | GRUB_TERM_SHIFT,
    /* 0x4a */ GRUB_TERM_KEY_HOME | GRUB_TERM_SHIFT,
    /* 0x4b */ GRUB_TERM_KEY_PPAGE | GRUB_TERM_SHIFT,
    /* 0x4c */ GRUB_TERM_KEY_DC | GRUB_TERM_SHIFT,
@ -118,7 +118,7 @@ static struct grub_keyboard_layout layout_us = {
    /* 0x51 */ GRUB_TERM_KEY_DOWN | GRUB_TERM_SHIFT,
    /* 0x53 is NumLock. Handled by driver.  */
    /* 0x52 */ GRUB_TERM_KEY_UP | GRUB_TERM_SHIFT,     0,
-    /* 0x54 */ '/',                    '*', 
+    /* 0x54 */ '/',                    '*',
    /* 0x56 */ '-',                    '+',
    /* 0x58 */ '\n' | GRUB_TERM_SHIFT, '1', '2', '3', '4', '5','6', '7',
    /* 0x60 */ '8', '9', '0', '.', '|'
@ -148,7 +148,7 @@ map_key_core (int code, int status, int *alt_gr_consumed)
      else if (grub_current_layout->keyboard_map_l3[code])
 	{
 	  *alt_gr_consumed = 1;
-	  return grub_current_layout->keyboard_map_l3[code];  
+	  return grub_current_layout->keyboard_map_l3[code];
 	}
    }
  if (status & (GRUB_TERM_STATUS_LSHIFT | GRUB_TERM_STATUS_RSHIFT))
@ -172,12 +172,12 @@ grub_term_map_key (grub_keyboard_key_t code, int status)
    }

  key = map_key_core (code, status, &alt_gr_consumed);
-  
+
  if (key == 0 || key == GRUB_TERM_SHIFT) {
    grub_printf ("Unknown key 0x%x detected\n", code);
    return GRUB_TERM_NO_KEY;
  }
-  
+
  if (status & GRUB_TERM_STATUS_CAPS)
    {
      if ((key >= 'a') && (key <= 'z'))
@ -185,8 +185,8 @@ grub_term_map_key (grub_keyboard_key_t code, int status)
      else if ((key >= 'A') && (key <= 'Z'))
 	key += 'a' - 'A';
    }
-  
-  if ((status & GRUB_TERM_STATUS_LALT) || 
+
+  if ((status & GRUB_TERM_STATUS_LALT) ||
      ((status & GRUB_TERM_STATUS_RALT) && !alt_gr_consumed))
    key |= GRUB_TERM_ALT;
  if (status & (GRUB_TERM_STATUS_LCTRL | GRUB_TERM_STATUS_RCTRL))
@ -212,7 +212,7 @@ grub_cmd_keymap (struct grub_command *cmd __attribute__ ((unused)),
    {
      const char *prefix = grub_env_get ("prefix");
      if (!prefix)
-	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("variable `%s' isn't set"), "prefix");	
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("variable `%s' isn't set"), "prefix");
      filename = grub_xasprintf ("%s/layouts/%s.gkb", prefix, argv[0]);
      if (!filename)
 	return grub_errno;
--- a/grub-core/commands/legacycfg.c
+++ b/grub-core/commands/legacycfg.c
@ -198,7 +198,6 @@ legacy_file (const char *filename)
      const char **args = grub_malloc (sizeof (args[0]));
      if (!args)
 	{
-	  grub_file_close (file);
 	  grub_free (suffix);
 	  grub_free (entrysrc);
 	  return grub_errno;
@ -257,8 +256,8 @@ grub_cmd_legacy_source (struct grub_command *cmd,
 }

 static enum
-  { 
-    GUESS_IT, LINUX, MULTIBOOT, KFREEBSD, KNETBSD, KOPENBSD 
+  {
+    GUESS_IT, LINUX, MULTIBOOT, KFREEBSD, KNETBSD, KOPENBSD
  } kernel_type;

 static grub_err_t
@ -273,7 +272,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
  char **cutargs;
  int cutargc;
  grub_err_t err = GRUB_ERR_NONE;
-  
+
  for (i = 0; i < 2; i++)
    {
      /* FIXME: really support this.  */
@ -410,7 +409,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
 	  if (dev)
 	    grub_device_close (dev);
 	}
-	
+
 	/* k*BSD didn't really work well with grub-legacy.  */
 	if (kernel_type == GUESS_IT || kernel_type == KFREEBSD)
 	  {
@ -632,7 +631,7 @@ check_password_md5_real (const char *entered,
  digest = GRUB_MD_MD5->read (ctx);
  GRUB_MD_MD5->final (ctx);
  grub_memcpy (alt_result, digest, MD5_HASHLEN);
-  
+
  GRUB_MD_MD5->init (ctx);
  GRUB_MD_MD5->write (ctx, entered, enteredlen);
  GRUB_MD_MD5->write (ctx, pw->salt, pw->saltlen); /* include the $1$ header */
@ -654,7 +653,7 @@ check_password_md5_real (const char *entered,
 	GRUB_MD_MD5->write (ctx, entered, enteredlen);
      else
 	GRUB_MD_MD5->write (ctx, alt_result, 16);
-      
+
      if (i % 3 != 0)
 	GRUB_MD_MD5->write (ctx, pw->salt + 3, pw->saltlen - 3);

--- a/grub-core/commands/loadenv.c
+++ b/grub-core/commands/loadenv.c
@ -352,16 +352,16 @@ struct grub_cmd_save_env_ctx
 };

 /* Store blocklists in a linked list.  */
-static void
+static grub_err_t
 save_env_read_hook (grub_disk_addr_t sector, unsigned offset, unsigned length,
-		    void *data)
+		    char *buf __attribute__ ((unused)), void *data)
 {
  struct grub_cmd_save_env_ctx *ctx = data;
  struct blocklist *block;

  block = grub_malloc (sizeof (*block));
  if (! block)
-    return;
+    return GRUB_ERR_NONE;

  block->sector = sector;
  block->offset = offset;
@ -374,6 +374,8 @@ save_env_read_hook (grub_disk_addr_t sector, unsigned offset, unsigned length,
  ctx->tail = block;
  if (! ctx->head)
    ctx->head = block;
+
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/ls.c
+++ b/grub-core/commands/ls.c
@ -87,37 +87,44 @@ grub_ls_list_devices (int longlist)
 struct grub_ls_list_files_ctx
 {
  char *dirname;
+  char *filename;
  int all;
  int human;
+  int longlist;
+  int print_dirhdr;
 };

 /* Helper for grub_ls_list_files.  */
 static int
-print_files (const char *filename, const struct grub_dirhook_info *info,
-	     void *data)
-{
-  struct grub_ls_list_files_ctx *ctx = data;
-
-  if (ctx->all || filename[0] != '.')
-    grub_printf ("%s%s ", filename, info->dir ? "/" : "");
-
-  return 0;
-}
-
-/* Helper for grub_ls_list_files.  */
-static int
-print_files_long (const char *filename, const struct grub_dirhook_info *info,
+print_file (const char *filename, const struct grub_dirhook_info *info,
 		  void *data)
 {
+  char *pathname = NULL;
  struct grub_ls_list_files_ctx *ctx = data;

  if ((! ctx->all) && (filename[0] == '.'))
    return 0;

+  if ((ctx->filename != NULL) && (grub_strcmp (filename, ctx->filename) != 0))
+    return 0;
+
+  if (ctx->print_dirhdr)
+    {
+      grub_printf ("%s:\n", ctx->dirname);
+      ctx->print_dirhdr = 0;
+    }
+
+  if (! ctx->longlist)
+    {
+      if (ctx->filename != NULL)
+	grub_xputs (ctx->dirname);
+      grub_printf ("%s%s ", filename, info->dir ? "/" : "");
+      return 0;
+    }
+
  if (! info->dir)
    {
      grub_file_t file;
-      char *pathname;

      if (ctx->dirname[grub_strlen (ctx->dirname) - 1] == '/')
 	pathname = grub_xasprintf ("%s%s", ctx->dirname, filename);
@ -131,20 +138,19 @@ print_files_long (const char *filename, const struct grub_dirhook_info *info,
 	 should be reported as directories.  */
      file = grub_file_open (pathname, GRUB_FILE_TYPE_GET_SIZE
 			     | GRUB_FILE_TYPE_NO_DECOMPRESS);
-      if (! file)
+      if (file)
 	{
-	  grub_errno = 0;
-	  grub_free (pathname);
-	  return 0;
-	}
-
-      if (! ctx->human)
-	grub_printf ("%-12llu", (unsigned long long) file->size);
-      else
-	grub_printf ("%-12s", grub_get_human_size (file->size,
+	  if (! ctx->human)
+	    grub_printf ("%-12llu", (unsigned long long) file->size);
+	  else
+	    grub_printf ("%-12s", grub_get_human_size (file->size,
 						   GRUB_HUMAN_SIZE_SHORT));
-      grub_file_close (file);
-      grub_free (pathname);
+	  grub_file_close (file);
+	}
+      else
+	grub_xputs ("????????????");
+
+      grub_errno = GRUB_ERR_NONE;
    }
  else
    grub_printf ("%-12s", _("DIR"));
@ -165,13 +171,22 @@ print_files_long (const char *filename, const struct grub_dirhook_info *info,
 		     datetime.day, datetime.hour,
 		     datetime.minute, datetime.second);
    }
-  grub_printf ("%s%s\n", filename, info->dir ? "/" : "");
+  /*
+   * Only print the full path when listing a file path given as an argument
+   * to ls, i.e. when ctx->filename != NULL. File listings that are printed
+   * due to showing the contents of a directory do not need a full path because
+   * the full path to the directory will have already been printed.
+   */
+  grub_printf ("%s%s\n", (ctx->filename != NULL) ? pathname : filename,
+			 info->dir ? "/" : "");
+
+  grub_free (pathname);

  return 0;
 }

 static grub_err_t
-grub_ls_list_files (char *dirname, int longlist, int all, int human)
+grub_ls_list_files (char *dirname, int longlist, int all, int human, int dirhdr)
 {
  char *device_name;
  grub_fs_t fs;
@ -216,44 +231,38 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
    {
      struct grub_ls_list_files_ctx ctx = {
 	.dirname = dirname,
+	.filename = NULL,
 	.all = all,
-	.human = human
+	.human = human,
+	.longlist = longlist,
+	.print_dirhdr = dirhdr
      };

-      if (longlist)
-	(fs->fs_dir) (dev, path, print_files_long, &ctx);
-      else
-	(fs->fs_dir) (dev, path, print_files, &ctx);
+      (fs->fs_dir) (dev, path, print_file, &ctx);

      if (grub_errno == GRUB_ERR_BAD_FILE_TYPE
 	  && path[grub_strlen (path) - 1] != '/')
 	{
+	  /*
+	   * Reset errno as it is currently set, but will cause subsequent code
+	   * to think there is an error.
+	   */
+	  grub_errno = GRUB_ERR_NONE;
+
 	  /* PATH might be a regular file.  */
-	  char *p;
-	  grub_file_t file;
-	  struct grub_dirhook_info info;
-	  grub_errno = 0;
+	  ctx.print_dirhdr = 0;
+	  ctx.filename = grub_strrchr (dirname, '/');
+	  if (ctx.filename == NULL)
+	    goto fail;
+	  ++(ctx.filename);

-	  file = grub_file_open (dirname, GRUB_FILE_TYPE_GET_SIZE
-				 | GRUB_FILE_TYPE_NO_DECOMPRESS);
-	  if (! file)
+	  ctx.dirname = grub_strndup (dirname, ctx.filename - dirname);
+	  if (ctx.dirname == NULL)
 	    goto fail;

-	  grub_file_close (file);
+	  (fs->fs_dir) (dev, ctx.dirname + (path - dirname), print_file, &ctx);

-	  p = grub_strrchr (dirname, '/') + 1;
-	  dirname = grub_strndup (dirname, p - dirname);
-	  if (! dirname)
-	    goto fail;
-
-	  all = 1;
-	  grub_memset (&info, 0, sizeof (info));
-	  if (longlist)
-	    print_files_long (p, &info, &ctx);
-	  else
-	    print_files (p, &info, &ctx);
-
-	  grub_free (dirname);
+	  grub_free (ctx.dirname);
 	}

      if (grub_errno == GRUB_ERR_NONE)
@ -268,7 +277,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)

  grub_free (device_name);

-  return 0;
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
@ -281,10 +290,10 @@ grub_cmd_ls (grub_extcmd_context_t ctxt, int argc, char **args)
    grub_ls_list_devices (state[0].set);
  else
    for (i = 0; i < argc; i++)
-      grub_ls_list_files (args[i], state[0].set, state[2].set,
-			  state[1].set);
+      grub_ls_list_files (args[i], state[0].set, state[2].set, state[1].set,
+			  argc > 1);

-  return 0;
+  return GRUB_ERR_NONE;
 }

 static grub_extcmd_t cmd;
--- a/grub-core/commands/lsacpi.c
+++ b/grub-core/commands/lsacpi.c
@ -35,7 +35,7 @@ print_strn (grub_uint8_t *str, grub_size_t len)
  for (; *str && len; str++, len--)
    grub_printf ("%c", *str);
  for (len++; len; len--)
-    grub_printf (" ");  
+    grub_printf (" ");
 }

 #define print_field(x) print_strn(x, sizeof (x))
--- a/grub-core/commands/lspci.c
+++ b/grub-core/commands/lspci.c
@ -171,7 +171,7 @@ grub_lspci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,

 	  if (space == 0)
 	    continue;
-	 
+
 	  switch (space & GRUB_PCI_ADDR_SPACE_MASK)
 	    {
 	    case GRUB_PCI_ADDR_SPACE_IO:
@ -195,13 +195,13 @@ grub_lspci_iter (grub_pci_device_t dev, grub_pci_id_t pciid,
 			       (space & GRUB_PCI_ADDR_MEM_MASK),
 			       space & GRUB_PCI_ADDR_MEM_PREFETCH
 			       ? "prefetchable" : "non-prefetchable");
-		 
+
 		}
 	      else
 		grub_printf ("\t32-bit memory space %d at 0x%016llx [%s]\n",
 			     (unsigned) ((reg - GRUB_PCI_REG_ADDRESSES)
 			      / sizeof (grub_uint32_t)) - 1,
-			     (unsigned long long) 
+			     (unsigned long long)
 			     (space & GRUB_PCI_ADDR_MEM_MASK),
 			     space & GRUB_PCI_ADDR_MEM_PREFETCH
 			     ? "prefetchable" : "non-prefetchable");
--- a/grub-core/commands/macbless.c
+++ b/grub-core/commands/macbless.c
@ -220,12 +220,10 @@ GRUB_MOD_INIT(macbless)
 {
  cmd = grub_register_command ("mactelbless", grub_cmd_macbless,
 			       N_("FILE"),
-			       N_
-			       ("Bless FILE of HFS or HFS+ partition for intel macs."));
+			       N_("Bless FILE of HFS or HFS+ partition for intel macs."));
  cmd_ppc =
    grub_register_command ("macppcbless", grub_cmd_macbless, N_("DIR"),
-			   N_
-			   ("Bless DIR of HFS or HFS+ partition for PPC macs."));
+			   N_("Bless DIR of HFS or HFS+ partition for PPC macs."));
 }

 GRUB_MOD_FINI(macbless)
--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@ -122,17 +122,20 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
 GRUB_MOD_INIT(memrw)
 {
  cmd_read_byte =
-    grub_register_extcmd ("read_byte", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
-			  options);
+    grub_register_extcmd_lockdown ("read_byte", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 8-bit value from ADDR."),
+                                   options);
  cmd_read_word =
-    grub_register_extcmd ("read_word", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 16-bit value from ADDR."),
-			  options);
+    grub_register_extcmd_lockdown ("read_word", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 16-bit value from ADDR."),
+                                   options);
  cmd_read_dword =
-    grub_register_extcmd ("read_dword", grub_cmd_read, 0,
-			  N_("ADDR"), N_("Read 32-bit value from ADDR."),
-			  options);
+    grub_register_extcmd_lockdown ("read_dword", grub_cmd_read, 0,
+                                   N_("ADDR"),
+                                   N_("Read 32-bit value from ADDR."),
+                                   options);
  cmd_write_byte =
    grub_register_command_lockdown ("write_byte", grub_cmd_write,
                                    N_("ADDR VALUE [MASK]"),
--- a/grub-core/commands/memtools.c
+++ b/grub-core/commands/memtools.c
@ -0,0 +1,152 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Free Software Foundation, Inc.
+ *  Copyright (C) 2022 IBM Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/command.h>
+#include <grub/i18n.h>
+#include <grub/memory.h>
+#include <grub/mm.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static grub_err_t
+grub_cmd_lsmem (grub_command_t cmd __attribute__ ((unused)),
+		 int argc __attribute__ ((unused)),
+		 char **args __attribute__ ((unused)))
+
+{
+#ifndef GRUB_MACHINE_EMU
+  grub_mm_dump (0);
+#endif
+
+  return 0;
+}
+
+static grub_err_t
+grub_cmd_lsfreemem (grub_command_t cmd __attribute__ ((unused)),
+		    int argc __attribute__ ((unused)),
+		    char **args __attribute__ ((unused)))
+
+{
+#ifndef GRUB_MACHINE_EMU
+  grub_mm_dump_free ();
+#endif
+
+  return 0;
+}
+
+
+static grub_err_t
+grub_cmd_stress_big_allocs (grub_command_t cmd __attribute__ ((unused)),
+			    int argc __attribute__ ((unused)),
+			    char **args __attribute__ ((unused)))
+{
+  int i, max_mb, blocks_alloced;
+  void *mem;
+  void **blocklist;
+
+  grub_printf ("Test 1: increasingly sized allocs to 1GB block\n");
+  for (i = 1; i < 1024; i++)
+    {
+      grub_printf ("%4d MB . ", i);
+      mem = grub_malloc (i * 1024 * 1024);
+      if (mem == NULL)
+	{
+	  grub_printf ("failed\n");
+	  break;
+	}
+      else
+	grub_free (mem);
+
+      if (i % 7 == 0)
+	grub_printf ("\n");
+    }
+
+  max_mb = i - 1;
+  grub_printf ("\nMax sized allocation we did was %d MB\n", max_mb);
+
+  grub_printf ("\nTest 2: 1MB at a time, max 4GB\n");
+  blocklist = grub_calloc (4096, sizeof (void *));
+  for (i = 0; i < 4096; i++)
+    {
+      blocklist[i] = grub_malloc (1024 * 1024);
+      if (blocklist[i] == NULL)
+	{
+	  grub_printf ("Ran out of memory at iteration %d\n", i);
+	  break;
+	}
+    }
+  blocks_alloced = i;
+  for (i = 0; i < blocks_alloced; i++)
+    grub_free (blocklist[i]);
+
+  grub_printf ("\nTest 3: 1MB aligned 900kB + 100kB\n");
+  /* grub_mm_debug=1;*/
+  for (i = 0; i < 4096; i += 2)
+    {
+      blocklist[i] = grub_memalign (1024 * 1024, 900 * 1024);
+      if (blocklist[i] == NULL)
+	{
+	  grub_printf ("Failed big allocation, iteration %d\n", i);
+	  blocks_alloced = i;
+	  break;
+	}
+
+      blocklist[i + 1] = grub_malloc (100 * 1024);
+      if (blocklist[i + 1] == NULL)
+	{
+	  grub_printf ("Failed small allocation, iteration %d\n", i);
+	  blocks_alloced = i + 1;
+	  break;
+	}
+      grub_printf (".");
+    }
+  for (i = 0; i < blocks_alloced; i++)
+    grub_free (blocklist[i]);
+
+  grub_free (blocklist);
+
+#if defined(__powerpc__)
+  grub_printf ("\nA reboot may now be required.\n");
+#endif
+
+  grub_errno = GRUB_ERR_NONE;
+  return GRUB_ERR_NONE;
+}
+
+static grub_command_t cmd_lsmem, cmd_lsfreemem, cmd_sba;
+
+GRUB_MOD_INIT (memtools)
+{
+  cmd_lsmem = grub_register_command ("lsmem", grub_cmd_lsmem,
+				     0, N_("List free and allocated memory blocks."));
+  cmd_lsfreemem = grub_register_command ("lsfreemem", grub_cmd_lsfreemem,
+					 0, N_("List free memory blocks."));
+  cmd_sba = grub_register_command ("stress_big_allocs", grub_cmd_stress_big_allocs,
+				   0, N_("Stress test large allocations."));
+}
+
+GRUB_MOD_FINI (memtools)
+{
+  grub_unregister_command (cmd_lsmem);
+  grub_unregister_command (cmd_lsfreemem);
+  grub_unregister_command (cmd_sba);
+}
--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
@ -29,6 +29,10 @@
 #include <grub/command.h>
 #include <grub/i18n.h>

+#ifdef GRUB_MACHINE_EFI
+#include <grub/cryptodisk.h>
+#endif
+
 GRUB_MOD_LICENSE ("GPLv3+");

 /* cat FILE */
@ -167,7 +171,7 @@ grub_mini_cmd_lsmod (struct grub_command *cmd __attribute__ ((unused)),
  {
    grub_dl_dep_t dep;

-    grub_printf ("%s\t%d\t\t", mod->name, mod->ref_count);
+    grub_printf ("%s\t%" PRIuGRUB_UINT64_T "\t\t", mod->name, mod->ref_count);
    for (dep = mod->dep; dep; dep = dep->next)
      {
 	if (dep != mod->dep)
@ -187,6 +191,13 @@ grub_mini_cmd_exit (struct grub_command *cmd __attribute__ ((unused)),
 		    int argc __attribute__ ((unused)),
 		    char *argv[] __attribute__ ((unused)))
 {
+#ifdef GRUB_MACHINE_EFI
+  /*
+   * The "exit" command is often used to launch the next boot application.
+   * So, erase the secrets.
+   */
+  grub_cryptodisk_erasesecrets ();
+#endif
  grub_exit ();
  /* Not reached.  */
 }
@ -203,8 +214,8 @@ GRUB_MOD_INIT(minicmd)
    grub_register_command ("help", grub_mini_cmd_help,
 			   0, N_("Show this message."));
  cmd_dump =
-    grub_register_command ("dump", grub_mini_cmd_dump,
-			   N_("ADDR [SIZE]"), N_("Show memory contents."));
+    grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
+				    N_("ADDR [SIZE]"), N_("Show memory contents."));
  cmd_rmmod =
    grub_register_command ("rmmod", grub_mini_cmd_rmmod,
 			   N_("MODULE"), N_("Remove a module."));
--- a/grub-core/commands/mips/loongson/lsspd.c
+++ b/grub-core/commands/mips/loongson/lsspd.c
@ -44,7 +44,7 @@ grub_cmd_lsspd (grub_command_t cmd __attribute__ ((unused)),
    }
  grub_printf_ (N_("CS5536 at %d:%d.%d\n"), grub_pci_get_bus (dev),
 		grub_pci_get_device (dev), grub_pci_get_function (dev));
-  
+
  err = grub_cs5536_init_smbus (dev, 0x7fff, &smbbase);
  if (err)
    return err;
--- a/grub-core/commands/nativedisk.c
+++ b/grub-core/commands/nativedisk.c
@ -31,7 +31,7 @@

 GRUB_MOD_LICENSE ("GPLv3+");

-static const char *modnames_def[] = { 
+static const char *modnames_def[] = {
  /* FIXME: autogenerate this.  */
 #if defined (__i386__) || defined (__x86_64__) || defined (GRUB_MACHINE_MIPS_LOONGSON)
  "pata", "ahci", "usbms", "ohci", "uhci", "ehci"
--- a/grub-core/commands/parttool.c
+++ b/grub-core/commands/parttool.c
@ -315,7 +315,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
 		    switch (curarg->type)
 		      {
 		      case GRUB_PARTTOOL_ARG_BOOL:
-			pargs[curarg - ptool->args].bool
+			pargs[curarg - ptool->args].b
 			  = (args[j][grub_strlen (curarg->name)] != '-');
 			break;

--- a/grub-core/commands/password_pbkdf2.c
+++ b/grub-core/commands/password_pbkdf2.c
@ -162,7 +162,7 @@ grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
      return grub_errno;
    }
  ptr = ptr2 + 1;
-  ptr2 += grub_strlen (ptr2); 
+  ptr2 += grub_strlen (ptr2);
  while (ptr < ptr2)
    {
      int hex1, hex2;
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@ -74,7 +74,7 @@ read_packet_header (grub_file_t sig, grub_uint8_t *out_type, grub_size_t *len)
  if (type == 0)
    {
      *out_type = 0xfe;
-      return 0;      
+      return 0;
    }

  if (!(type & 0x80))
@ -166,7 +166,7 @@ struct
  int (*pad) (gcry_mpi_t *hmpi, grub_uint8_t *hval,
 	      const gcry_md_spec_t *hash, struct grub_public_subkey *sk);
  const char *module;
-} pkalgos[] = 
+} pkalgos[] =
  {
    [1] = { "rsa", 1, 2, &grub_crypto_pk_rsa, rsa_pad, "gcry_rsa" },
    [3] = { "rsa", 1, 2, &grub_crypto_pk_rsa, rsa_pad, "gcry_rsa" },
@ -320,7 +320,7 @@ grub_load_public_key (grub_file_t f)
 	      grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
 	      break;
 	    }
-	  
+
 	  lb = (grub_be_to_cpu16 (l) + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT;
 	  if (lb > READBUF_SIZE - sizeof (grub_uint16_t))
 	    {
@ -335,7 +335,7 @@ grub_load_public_key (grub_file_t f)
 	  grub_memcpy (buffer, &l, sizeof (l));

 	  GRUB_MD_SHA1->write (fingerprint_context, buffer, lb + sizeof (grub_uint16_t));
- 
+
 	  if (gcry_mpi_scan (&sk->mpis[i], GCRYMPI_FMT_PGP,
 			     buffer, lb + sizeof (grub_uint16_t), 0))
 	    {
@ -479,7 +479,7 @@ grub_verify_signature_init (struct grub_pubkey_context *ctxt, grub_file_t sig)
  h = ctxt->v4.hash;
  t = ctxt->v4.type;
  pk = ctxt->v4.pkeyalgo;
-  
+
  if (t != 0)
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));

@ -922,7 +922,7 @@ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
  return grub_strdup (sec ? "enforce" : "no");
 }

-static grub_ssize_t 
+static grub_ssize_t
 pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
 {
  grub_memcpy (buf, (grub_uint8_t *) file->data + file->offset, len);
@ -931,7 +931,7 @@ pseudo_read (struct grub_file *file, char *buf, grub_size_t len)


 /* Filesystem descriptor.  */
-struct grub_fs pseudo_fs = 
+struct grub_fs pseudo_fs =
  {
    .name = "pseudo",
    .fs_read = pseudo_read
@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)

 GRUB_MOD_FINI(pgp)
 {
+  grub_register_variable_hook ("check_signatures", NULL, NULL);
+  grub_env_unset ("check_signatures");
  grub_verifier_unregister (&grub_pubkey_verifier);
  grub_unregister_extcmd (cmd);
  grub_unregister_extcmd (cmd_trust);
--- a/grub-core/commands/probe.c
+++ b/grub-core/commands/probe.c
@ -119,19 +119,21 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
 	  if (grub_strcmp(dev->disk->partition->partmap->name, "gpt") == 0)
 	    {
 	      struct grub_gpt_partentry entry;
-	      grub_gpt_part_guid_t *guid;
+	      grub_guid_t *guid;

 	      if (grub_disk_read(disk, p->offset, p->index, sizeof(entry), &entry))
-		return grub_errno;
+		{
+		  grub_error_push ();
+		  grub_disk_close (disk);
+		  grub_device_close (dev);
+		  grub_error_pop ();
+		  return grub_errno;
+		}
 	      guid = &entry.guid;
-	      grub_snprintf (val, sizeof(val),
-			     "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
-			     grub_le_to_cpu32 (guid->data1),
-			     grub_le_to_cpu16 (guid->data2),
-			     grub_le_to_cpu16 (guid->data3),
-			     guid->data4[0], guid->data4[1], guid->data4[2],
-			     guid->data4[3], guid->data4[4], guid->data4[5],
-			     guid->data4[6], guid->data4[7]);
+	      guid->data1 = grub_le_to_cpu32 (guid->data1);
+	      guid->data2 = grub_le_to_cpu16 (guid->data2);
+	      guid->data3 = grub_le_to_cpu16 (guid->data3);
+	      grub_snprintf (val, sizeof(val), "%pG", guid);
 	    }
 	  else if (grub_strcmp(dev->disk->partition->partmap->name, "msdos") == 0)
 	    {
@ -153,7 +155,12 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
    }
  fs = grub_fs_probe (dev);
  if (! fs)
-    return grub_errno;
+    {
+      grub_error_push ();
+      grub_device_close (dev);
+      grub_error_pop ();
+      return grub_errno;
+    }
  if (state[3].set)
    {
      if (state[0].set)
@ -167,14 +174,23 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
    {
      char *uuid;
      if (! fs->fs_uuid)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("%s does not support UUIDs"), fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("%s does not support UUIDs"), fs->name);
+	}
      err = fs->fs_uuid (dev, &uuid);
      if (err)
-	return err;
+	{
+	  grub_device_close (dev);
+	  return err;
+	}
      if (! uuid)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("%s does not support UUIDs"), fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("%s does not support UUIDs"), fs->name);
+	}

      if (state[0].set)
 	grub_env_set (state[0].arg, uuid);
@ -188,16 +204,25 @@ grub_cmd_probe (grub_extcmd_context_t ctxt, int argc, char **args)
    {
      char *label;
      if (! fs->fs_label)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("filesystem `%s' does not support labels"),
-			   fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("filesystem `%s' does not support labels"),
+			     fs->name);
+	}
      err = fs->fs_label (dev, &label);
      if (err)
-	return err;
+	{
+	  grub_device_close (dev);
+	  return err;
+	}
      if (! label)
-	return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-			   N_("filesystem `%s' does not support labels"),
-			   fs->name);
+	{
+	  grub_device_close (dev);
+	  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
+			     N_("filesystem `%s' does not support labels"),
+			     fs->name);
+	}

      if (state[0].set)
 	grub_env_set (state[0].arg, label);
--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
@ -23,21 +23,29 @@
 #include <grub/env.h>
 #include <grub/term.h>
 #include <grub/types.h>
-#include <grub/command.h>
+#include <grub/extcmd.h>
 #include <grub/i18n.h>
+#include <grub/safemath.h>

 GRUB_MOD_LICENSE ("GPLv3+");

+static const struct grub_arg_option options[] =
+  {
+    {"silent", 's', 0, N_("Do not echo input"), 0, 0},
+    {0, 0, 0, 0, 0, 0}
+  };
+
 static char *
-grub_getline (void)
+grub_getline (int silent)
 {
-  int i;
+  grub_size_t i;
  char *line;
  char *tmp;
-  char c;
+  int c;
+  grub_size_t alloc_size;

  i = 0;
-  line = grub_malloc (1 + i + sizeof('\0'));
+  line = grub_malloc (1 + sizeof('\0'));
  if (! line)
    return NULL;

@ -47,11 +55,23 @@ grub_getline (void)
      if ((c == '\n') || (c == '\r'))
 	break;

-      line[i] = c;
-      if (grub_isprint (c))
+      if (!grub_isprint (c))
+	continue;
+
+      line[i] = (char) c;
+      if (!silent)
 	grub_printf ("%c", c);
-      i++;
-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+      if (grub_add (i, 1, &i))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      tmp = grub_realloc (line, alloc_size);
      if (! tmp)
 	{
 	  grub_free (line);
@ -65,9 +85,11 @@ grub_getline (void)
 }

 static grub_err_t
-grub_cmd_read (grub_command_t cmd __attribute__ ((unused)), int argc, char **args)
+grub_cmd_read (grub_extcmd_context_t ctxt, int argc, char **args)
 {
-  char *line = grub_getline ();
+  struct grub_arg_list *state = ctxt->state;
+  char *line = grub_getline (state[0].set);
+
  if (! line)
    return grub_errno;
  if (argc > 0)
@ -77,16 +99,16 @@ grub_cmd_read (grub_command_t cmd __attribute__ ((unused)), int argc, char **arg
  return 0;
 }

-static grub_command_t cmd;
+static grub_extcmd_t cmd;

 GRUB_MOD_INIT(read)
 {
-  cmd = grub_register_command ("read", grub_cmd_read,
-			       N_("[ENVVAR]"),
-			       N_("Set variable with user input."));
+  cmd = grub_register_extcmd ("read", grub_cmd_read, 0,
+			       N_("[-s] [ENVVAR]"),
+			       N_("Set variable with user input."), options);
 }

 GRUB_MOD_FINI(read)
 {
-  grub_unregister_command (cmd);
+  grub_unregister_extcmd (cmd);
 }
--- a/grub-core/commands/regexp.c
+++ b/grub-core/commands/regexp.c
@ -36,7 +36,7 @@ static const struct grub_arg_option options[] =
 	 groups with parentheses. These groups are
 	 then numbered and you can save some of
 	 them in variables. In other programs
-	 those components aree often referenced with
+	 those components are often referenced with
 	 back slash, e.g. \1. Compare
 	 sed -e 's,\([a-z][a-z]*\),lowercase=\1,g'
 	 The whole matching component is saved in VARNAME, not its number.
--- a/grub-core/commands/search.c
+++ b/grub-core/commands/search.c
@ -47,13 +47,48 @@ struct search_ctx
 {
  const char *key;
  const char *var;
-  int no_floppy;
+  enum search_flags flags;
  char **hints;
  unsigned nhints;
  int count;
  int is_cache;
 };

+static bool
+is_unencrypted_disk (grub_disk_t disk)
+{
+  grub_command_t cmd;
+  char *disk_str;
+  int disk_str_len;
+  int res;
+
+  if (disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID)
+    return false; /* This is (crypto) disk. */
+
+  if (disk->dev->id == GRUB_DISK_DEVICE_DISKFILTER_ID)
+    {
+      char opt[] = "--quiet";
+      char *args[2];
+
+      cmd = grub_command_find ("cryptocheck");
+      if (cmd == NULL) /* No diskfilter module loaded for some reason. */
+        return true;
+
+      disk_str_len = grub_strlen (disk->name) + 2 + 1;
+      disk_str = grub_malloc (disk_str_len);
+      if (disk_str == NULL) /* Something is wrong, better report as unencrypted. */
+        return true;
+
+      grub_snprintf (disk_str, disk_str_len, "(%s)", disk->name);
+      args[0] = opt;
+      args[1] = disk_str;
+      res = cmd->func (cmd, 2, args);
+      grub_free (disk_str);
+      return (res != GRUB_ERR_NONE) ? true : false; /* GRUB_ERR_NONE for encrypted. */
+    }
+  return true;
+}
+
 /* Helper for FUNC_NAME.  */
 static int
 iterate_device (const char *name, void *data)
@ -62,9 +97,49 @@ iterate_device (const char *name, void *data)
  int found = 0;

  /* Skip floppy drives when requested.  */
-  if (ctx->no_floppy &&
+  if (ctx->flags & SEARCH_FLAGS_NO_FLOPPY &&
      name[0] == 'f' && name[1] == 'd' && name[2] >= '0' && name[2] <= '9')
-    return 1;
+    return 0;
+
+  /* Limit to EFI disks when requested.  */
+  if (ctx->flags & SEARCH_FLAGS_EFIDISK_ONLY)
+    {
+      grub_device_t dev;
+
+      dev = grub_device_open (name);
+      if (dev == NULL)
+	{
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      if (dev->disk == NULL || dev->disk->dev->id != GRUB_DISK_DEVICE_EFIDISK_ID)
+	{
+	  grub_device_close (dev);
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      grub_device_close (dev);
+    }
+
+  /* Limit to encrypted disks when requested. */
+  if (ctx->flags & SEARCH_FLAGS_CRYPTODISK_ONLY)
+    {
+      grub_device_t dev;
+
+      dev = grub_device_open (name);
+      if (dev == NULL)
+	{
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      if (dev->disk == NULL || is_unencrypted_disk (dev->disk) == true)
+	{
+	  grub_device_close (dev);
+	  grub_errno = GRUB_ERR_NONE;
+	  return 0;
+	}
+      grub_device_close (dev);
+    }

 #ifdef DO_SEARCH_FS_UUID
 #define compare_fn grub_strcasecmp
@ -181,14 +256,14 @@ part_hook (grub_disk_t disk, const grub_partition_t partition, void *data)
  if (!devname)
    return 1;
  ret = iterate_device (devname, ctx);
-  grub_free (devname);    
+  grub_free (devname);

  return ret;
 }

 /* Helper for FUNC_NAME.  */
 static void
-try (struct search_ctx *ctx)    
+try (struct search_ctx *ctx)
 {
  unsigned i;
  struct cache_entry **prev;
@ -261,13 +336,13 @@ try (struct search_ctx *ctx)
 }

 void
-FUNC_NAME (const char *key, const char *var, int no_floppy,
+FUNC_NAME (const char *key, const char *var, enum search_flags flags,
 	   char **hints, unsigned nhints)
 {
  struct search_ctx ctx = {
    .key = key,
    .var = var,
-    .no_floppy = no_floppy,
+    .flags = flags,
    .hints = hints,
    .nhints = nhints,
    .count = 0,
--- a/grub-core/commands/search_wrap.c
+++ b/grub-core/commands/search_wrap.c
@ -40,6 +40,8 @@ static const struct grub_arg_option options[] =
     N_("Set a variable to the first device found."), N_("VARNAME"),
     ARG_TYPE_STRING},
    {"no-floppy",	'n', 0, N_("Do not probe any floppy drive."), 0, 0},
+    {"efidisk-only",	0, 0, N_("Only probe EFI disks."), 0, 0},
+    {"cryptodisk-only",	0, 0, N_("Only probe encrypted disks."), 0, 0},
    {"hint",	        'h', GRUB_ARG_OPTION_REPEATABLE,
     N_("First try the device HINT. If HINT ends in comma, "
 	"also try subpartitions"), N_("HINT"), ARG_TYPE_STRING},
@ -73,6 +75,8 @@ enum options
    SEARCH_FS_UUID,
    SEARCH_SET,
    SEARCH_NO_FLOPPY,
+    SEARCH_EFIDISK_ONLY,
+    SEARCH_CRYPTODISK_ONLY,
    SEARCH_HINT,
    SEARCH_HINT_IEEE1275,
    SEARCH_HINT_BIOS,
@ -89,6 +93,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
  const char *id = 0;
  int i = 0, j = 0, nhints = 0;
  char **hints = NULL;
+  enum search_flags flags = SEARCH_FLAGS_NONE;

  if (state[SEARCH_HINT].set)
    for (i = 0; state[SEARCH_HINT].args[i]; i++)
@ -180,15 +185,21 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
      goto out;
    }

+  if (state[SEARCH_NO_FLOPPY].set)
+    flags |= SEARCH_FLAGS_NO_FLOPPY;
+
+  if (state[SEARCH_EFIDISK_ONLY].set)
+    flags |= SEARCH_FLAGS_EFIDISK_ONLY;
+
+  if (state[SEARCH_CRYPTODISK_ONLY].set)
+    flags |= SEARCH_FLAGS_CRYPTODISK_ONLY;
+
  if (state[SEARCH_LABEL].set)
-    grub_search_label (id, var, state[SEARCH_NO_FLOPPY].set, 
-		       hints, nhints);
+    grub_search_label (id, var, flags, hints, nhints);
  else if (state[SEARCH_FS_UUID].set)
-    grub_search_fs_uuid (id, var, state[SEARCH_NO_FLOPPY].set,
-			 hints, nhints);
+    grub_search_fs_uuid (id, var, flags, hints, nhints);
  else if (state[SEARCH_FILE].set)
-    grub_search_fs_file (id, var, state[SEARCH_NO_FLOPPY].set, 
-			 hints, nhints);
+    grub_search_fs_file (id, var, flags, hints, nhints);
  else
    grub_error (GRUB_ERR_INVALID_COMMAND, "unspecified search type");

@ -204,7 +215,7 @@ GRUB_MOD_INIT(search)
  cmd =
    grub_register_extcmd ("search", grub_cmd_search,
 			  GRUB_COMMAND_FLAG_EXTRACTOR | GRUB_COMMAND_ACCEPT_DASH,
-			  N_("[-f|-l|-u|-s|-n] [--hint HINT [--hint HINT] ...]"
+			  N_("[-f|-l|-u|-s|-n] [--cryptodisk-only] [--hint HINT [--hint HINT] ...]"
 			     " NAME"),
 			  N_("Search devices by file, filesystem label"
 			     " or filesystem UUID."
--- a/grub-core/commands/setpci.c
+++ b/grub-core/commands/setpci.c
@ -311,7 +311,6 @@ grub_cmd_setpci (grub_extcmd_context_t ctxt, int argc, char **argv)
 	  write_mask = grub_strtoul (ptr, &ptr, 16);
 	  if (grub_errno)
 	    return grub_errno;
-	  write_mask = 0xffffffff;
 	}
      regwrite &= write_mask;
    }
--- a/grub-core/commands/terminal.c
+++ b/grub-core/commands/terminal.c
@ -199,9 +199,9 @@ handle_command (int argc, char **args, struct abstract_terminal **enabled,

         grub_list_remove (GRUB_AS_LIST (term));
         grub_list_push (GRUB_AS_LIST_P (enabled), GRUB_AS_LIST (term));
-       }       
+       }
    }
-  
+
  {
    struct abstract_terminal *next;
    for (term = *enabled; term; term = next)
--- a/grub-core/commands/test.c
+++ b/grub-core/commands/test.c
@ -29,6 +29,9 @@

 GRUB_MOD_LICENSE ("GPLv3+");

+/* Set a limit on recursion to avoid stack overflow. */
+#define MAX_TEST_RECURSION_DEPTH	100
+
 /* A simple implementation for signed numbers. */
 static int
 grub_strtosl (char *arg, const char ** const end, int base)
@ -150,7 +153,7 @@ get_fileinfo (char *path, struct test_parse_ctx *ctx)

 /* Parse a test expression starting from *argn. */
 static int
-test_parse (char **args, int *argn, int argc)
+test_parse (char **args, int *argn, int argc, int *depth)
 {
  struct test_parse_ctx ctx = {
    .and = 1,
@ -387,13 +390,24 @@ test_parse (char **args, int *argn, int argc)
      if (grub_strcmp (args[*argn], ")") == 0)
 	{
 	  (*argn)++;
+	  if (*depth > 0)
+	    (*depth)--;
+
 	  return ctx.or || ctx.and;
 	}
      /* Recursively invoke if parenthesis. */
      if (grub_strcmp (args[*argn], "(") == 0)
 	{
 	  (*argn)++;
-	  update_val (test_parse (args, argn, argc), &ctx);
+
+	  if (++(*depth) > MAX_TEST_RECURSION_DEPTH)
+	    {
+	      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("max recursion depth exceeded"));
+	      depth--;
+	      return ctx.or || ctx.and;
+	    }
+
+	  update_val (test_parse (args, argn, argc, depth), &ctx);
 	  continue;
 	}

@ -428,11 +442,12 @@ grub_cmd_test (grub_command_t cmd __attribute__ ((unused)),
 	       int argc, char **args)
 {
  int argn = 0;
+  int depth = 0;

  if (argc >= 1 && grub_strcmp (args[argc - 1], "]") == 0)
    argc--;

-  return test_parse (args, &argn, argc) ? GRUB_ERR_NONE
+  return test_parse (args, &argn, argc, &depth) ? GRUB_ERR_NONE
    : grub_error (GRUB_ERR_TEST_FAILURE, N_("false"));
 }

--- a/grub-core/commands/testload.c
+++ b/grub-core/commands/testload.c
@ -32,10 +32,11 @@
 GRUB_MOD_LICENSE ("GPLv3+");

 /* Helper for grub_cmd_testload.  */
-static void
+static grub_err_t
 read_progress (grub_disk_addr_t sector __attribute__ ((unused)),
 	       unsigned offset __attribute__ ((unused)),
 	       unsigned len,
+	       char *buf __attribute__ ((unused)),
 	       void *data __attribute__ ((unused)))
 {
  for (; len >= GRUB_DISK_SECTOR_SIZE; len -= GRUB_DISK_SECTOR_SIZE)
@ -43,6 +44,7 @@ read_progress (grub_disk_addr_t sector __attribute__ ((unused)),
  if (len)
    grub_xputs (".");
  grub_refresh ();
+  return GRUB_ERR_NONE;
 }

 static grub_err_t
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@ -36,13 +36,29 @@ grub_tpm_verify_init (grub_file_t io,
 {
  *context = io->name;
  *flags |= GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+  /*
+   * The loopback image is mapped as a disk allowing it to function like
+   * a block device. However, we measure files read from the block device
+   * not the device itself. For example, we don't measure block devices like
+   * hd0 disk directly. This process is crucial to prevent out-of-memory
+   * errors as loopback images are inherently large.
+   */
+  if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_LOOPBACK)
+    *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
  return GRUB_ERR_NONE;
 }

 static grub_err_t
 grub_tpm_verify_write (void *context, void *buf, grub_size_t size)
 {
-  return grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
+  grub_err_t status = grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
+
+  if (status == GRUB_ERR_NONE)
+    return GRUB_ERR_NONE;
+
+  grub_dprintf ("tpm", "Measuring buffer failed: %d\n", status);
+  return grub_is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
 }

 static grub_err_t
@ -74,7 +90,11 @@ grub_tpm_verify_string (char *str, enum grub_verify_string_type type)
    grub_tpm_measure ((unsigned char *) str, grub_strlen (str),
 		      GRUB_STRING_PCR, description);
  grub_free (description);
-  return status;
+  if (status == GRUB_ERR_NONE)
+    return GRUB_ERR_NONE;
+
+  grub_dprintf ("tpm", "Measuring string %s failed: %d\n", str, status);
+  return grub_is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
 }

 struct grub_file_verifier grub_tpm_verifier = {
@ -86,10 +106,20 @@ struct grub_file_verifier grub_tpm_verifier = {

 GRUB_MOD_INIT (tpm)
 {
+  /*
+   * Even though this now calls ibmvtpm's grub_tpm_present() from GRUB_MOD_INIT(),
+   * it does seem to call it late enough in the initialization sequence so
+   * that whatever discovered "device nodes" before this GRUB_MOD_INIT() is
+   * called, enables the ibmvtpm driver to see the device nodes.
+   */
+  if (!grub_tpm_present())
+    return;
  grub_verifier_register (&grub_tpm_verifier);
 }

 GRUB_MOD_FINI (tpm)
 {
+  if (!grub_tpm_present())
+    return;
  grub_verifier_unregister (&grub_tpm_verifier);
 }
--- a/grub-core/commands/tpm2_key_protector/args.c
+++ b/grub-core/commands/tpm2_key_protector/args.c
@ -0,0 +1,127 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/err.h>
+#include <grub/mm.h>
+#include <grub/misc.h>
+
+#include "tpm2_args.h"
+
+grub_err_t
+grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs,
+				grub_uint8_t *pcr_count)
+{
+  char *current_pcr = value;
+  char *next_pcr;
+  const char *pcr_end;
+  grub_uint64_t pcr;
+  grub_uint8_t i;
+
+  if (grub_strlen (value) == 0)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  *pcr_count = 0;
+  for (i = 0; i < TPM_MAX_PCRS; i++)
+    {
+      next_pcr = grub_strchr (current_pcr, ',');
+      if (next_pcr == current_pcr)
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("empty entry in PCR list"));
+      if (next_pcr != NULL)
+	*next_pcr = '\0';
+
+      pcr = grub_strtoul (current_pcr, &pcr_end, 10);
+      if (*current_pcr == '\0' || *pcr_end != '\0')
+	return grub_error (GRUB_ERR_BAD_NUMBER, N_("entry '%s' in PCR list is not a number"), current_pcr);
+
+      if (pcr > TPM_MAX_PCRS - 1)
+	return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("entry %llu in PCR list is too large to be a PCR number, PCR numbers range from 0 to %u"), (unsigned long long)pcr, TPM_MAX_PCRS - 1);
+
+      pcrs[i] = (grub_uint8_t) pcr;
+      ++(*pcr_count);
+
+      if (next_pcr == NULL)
+	break;
+
+      current_pcr = next_pcr + 1;
+      if (*current_pcr == '\0')
+	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("trailing comma at the end of PCR list"));
+    }
+
+  if (i == TPM_MAX_PCRS)
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("too many PCRs in PCR list, the maximum number of PCRs is %u"), TPM_MAX_PCRS);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value,
+				      grub_srk_type_t *srk_type)
+{
+  if (grub_strcasecmp (value, "ECC") == 0 ||
+      grub_strcasecmp (value, "ECC_NIST_P256") == 0)
+    {
+      srk_type->type = TPM_ALG_ECC;
+      srk_type->detail.ecc_curve = TPM_ECC_NIST_P256;
+    }
+  else if (grub_strcasecmp (value, "RSA") == 0 ||
+	   grub_strcasecmp (value, "RSA2048") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 2048;
+    }
+  else
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID_t *bank)
+{
+  if (grub_strcasecmp (value, "SHA1") == 0)
+    *bank = TPM_ALG_SHA1;
+  else if (grub_strcasecmp (value, "SHA256") == 0)
+    *bank = TPM_ALG_SHA256;
+  else if (grub_strcasecmp (value, "SHA384") == 0)
+    *bank = TPM_ALG_SHA384;
+  else if (grub_strcasecmp (value, "SHA512") == 0)
+    *bank = TPM_ALG_SHA512;
+  else
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid PCR bank"), value);
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE_t *handle)
+{
+  grub_uint64_t num;
+  const char *str_end;
+
+  num = grub_strtoul (value, &str_end, 0);
+  if (*value == '\0' || *str_end != '\0')
+    return grub_error (GRUB_ERR_BAD_NUMBER, N_("TPM handle value '%s' is not a number"), value);
+
+  if (num > GRUB_UINT_MAX)
+    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value %llu is too large to be a TPM handle, TPM handles are unsigned 32-bit integers"), (unsigned long long)num);
+
+  *handle = (TPM_HANDLE_t) num;
+
+  return GRUB_ERR_NONE;
+}
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
--- a/grub-core/commands/tpm2_key_protector/tpm2.h
+++ b/grub-core/commands/tpm2_key_protector/tpm2.h
@ -0,0 +1,36 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_TPM2_TPM2_HEADER
+#define GRUB_TPM2_TPM2_HEADER 1
+
+#include <tss2_types.h>
+#include <tss2_structs.h>
+#include <tpm2_cmd.h>
+
+/* Well-Known Windows SRK handle */
+#define TPM2_SRK_HANDLE 0x81000001
+
+struct tpm2_sealed_key {
+  TPM2B_PUBLIC_t  public;
+  TPM2B_PRIVATE_t private;
+};
+typedef struct tpm2_sealed_key tpm2_sealed_key_t;
+
+#endif /* ! GRUB_TPM2_TPM2_HEADER */
--- a/grub-core/commands/tpm2_key_protector/tpm2_args.h
+++ b/grub-core/commands/tpm2_key_protector/tpm2_args.h
@ -0,0 +1,49 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *  Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_TPM2_INTERNAL_ARGS_HEADER
+#define GRUB_TPM2_INTERNAL_ARGS_HEADER 1
+
+#include <grub/err.h>
+
+#include "tpm2.h"
+
+struct grub_srk_type
+{
+  TPMI_ALG_PUBLIC_t type;
+  union {
+    TPM_KEY_BITS_t rsa_bits;
+    TPM_ECC_CURVE_t ecc_curve;
+  } detail;
+};
+typedef struct grub_srk_type grub_srk_type_t;
+
+extern grub_err_t
+grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs, grub_uint8_t *pcr_count);
+
+extern grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value, grub_srk_type_t *srk_type);
+
+extern grub_err_t
+grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID_t *bank);
+
+extern grub_err_t
+grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE_t *handle);
+
+#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */
--- a/Show more
+++ b/Show more