buildroot: bump to buildroot 2022, add arch and boot

.gitignore

@@ -1,2 +1,4 @@
 linux-src/
-uboot-src/
+uboot-src/
+buildroot-2022.02/
+buildroot/**/*.d

buildroot/arch/Config.in

@@ -77,9 +77,8 @@ config BR2_aarch64_be
 
 config BR2_csky
 	bool "csky"
+	select BR2_ARCH_HAS_NO_TOOLCHAIN_BUILDROOT
 	select BR2_ARCH_HAS_MMU_MANDATORY
-	# Most variants are supported by gcc-9+, except one that is
-	# handled as a special exception in package/gcc/Config.in.host
 	select BR2_ARCH_NEEDS_GCC_AT_LEAST_9
 	help
 	  csky is processor IP from china.
@@ -210,7 +209,6 @@ config BR2_powerpc64le
 
 config BR2_riscv
 	bool "RISCV"
-	select BR2_ARCH_HAS_MMU_MANDATORY
 	select BR2_ARCH_NEEDS_GCC_AT_LEAST_7
 	help
 	  RISC-V is an open, free Instruction Set Architecture created
@@ -219,6 +217,15 @@ config BR2_riscv
 	  https://riscv.org/
 	  https://en.wikipedia.org/wiki/RISC-V
 
+config BR2_s390x
+	bool "s390x"
+	select BR2_ARCH_IS_64
+	select BR2_ARCH_HAS_MMU_MANDATORY
+	help
+	  s390x is a big-endian architecture made by IBM.
+	  http://www.ibm.com/
+	  http://en.wikipedia.org/wiki/IBM_System/390
+
 config BR2_sh
 	bool "SuperH"
 	select BR2_ARCH_HAS_MMU_OPTIONAL
@@ -308,11 +315,22 @@ config BR2_ARCH_NEEDS_GCC_AT_LEAST_9
 	bool
 	select BR2_ARCH_NEEDS_GCC_AT_LEAST_8
 
+config BR2_ARCH_NEEDS_GCC_AT_LEAST_10
+	bool
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_9
+
+config BR2_ARCH_NEEDS_GCC_AT_LEAST_11
+	bool
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_10
+
 # The following string values are defined by the individual
 # Config.in.$ARCH files
 config BR2_ARCH
 	string
 
+config BR2_NORMALIZED_ARCH
+	string
+
 config BR2_ENDIAN
 	string
 
@@ -453,6 +471,10 @@ if BR2_riscv
 source "arch/Config.in.riscv"
 endif
 
+if BR2_s390x
+source "arch/Config.in.s390x"
+endif
+
 if BR2_sh
 source "arch/Config.in.sh"
 endif

buildroot/arch/Config.in.arc

@@ -39,9 +39,14 @@ config BR2_archs38_full
 
 config BR2_archs4x_rel31
 	bool "ARC HS48 rel 31"
+	help
+	   Build for HS48 release 3.1
+
+config BR2_archs4x
+	bool "ARC HS48"
 	help
 	   Latest release of HS48 processor
-	   - Dual- and quad multiply and MC oprations
+	   - Dual and Quad multiply and MAC operations
 	   - Double-precision FPU
 
 endchoice
@@ -49,12 +54,17 @@ endchoice
 # Choice of atomic instructions presence
 config BR2_ARC_ATOMIC_EXT
 	bool "Atomic extension (LLOCK/SCOND instructions)"
-	default y if BR2_arc770d || BR2_archs38 || BR2_archs38_64mpy || BR2_archs38_full || BR2_archs4x_rel31
+	default y if BR2_arc770d
+	default y if BR2_archs38 || BR2_archs38_64mpy || BR2_archs38_full
+	default y if BR2_archs4x_rel31 || BR2_archs4x
 
 config BR2_ARCH
 	default "arc"	if BR2_arcle
 	default "arceb"	if BR2_arceb
 
+config BR2_NORMALIZED_ARCH
+	default "arc"
+
 config BR2_arc
 	bool
 	default y if BR2_arcle || BR2_arceb
@@ -70,10 +80,12 @@ config BR2_GCC_TARGET_CPU
 	default "hs38"	 if BR2_archs38_64mpy
 	default "hs38_linux"	 if BR2_archs38_full
 	default "hs4x_rel31"	 if BR2_archs4x_rel31
+	default "hs4x"	 if BR2_archs4x
 
 config BR2_READELF_ARCH_NAME
 	default "ARCompact"	if BR2_arc750d || BR2_arc770d
-	default "ARCv2"		if BR2_archs38 || BR2_archs38_64mpy || BR2_archs38_full || BR2_archs4x_rel31
+	default "ARCv2"		if BR2_archs38 || BR2_archs38_64mpy || BR2_archs38_full
+	default "ARCv2"		if BR2_archs4x_rel31 || BR2_archs4x
 
 choice
 	prompt "MMU Page Size"
@@ -93,7 +105,7 @@ choice
 
 config BR2_ARC_PAGE_SIZE_4K
 	bool "4KB"
-	depends on BR2_arc770d || BR2_archs38 || BR2_archs38_64mpy || BR2_archs38_full || BR2_archs4x_rel31
+	depends on !BR2_arc750d
 
 config BR2_ARC_PAGE_SIZE_8K
 	bool "8KB"
@@ -103,7 +115,7 @@ config BR2_ARC_PAGE_SIZE_8K
 
 config BR2_ARC_PAGE_SIZE_16K
 	bool "16KB"
-	depends on BR2_arc770d || BR2_archs38 || BR2_archs38_64mpy || BR2_archs38_full || BR2_archs4x_rel31
+	depends on !BR2_arc750d
 
 endchoice
 

buildroot/arch/Config.in.arm

@@ -822,6 +822,10 @@ config BR2_ARCH
 	default "aarch64"	if BR2_aarch64
 	default "aarch64_be"	if BR2_aarch64_be
 
+config BR2_NORMALIZED_ARCH
+	default "arm"		if BR2_arm || BR2_armeb
+	default "arm64"		if BR2_aarch64 || BR2_aarch64_be
+
 config BR2_ENDIAN
 	default "LITTLE" if (BR2_arm || BR2_aarch64)
 	default "BIG"	 if (BR2_armeb || BR2_aarch64_be)

buildroot/arch/Config.in.csky

@@ -39,6 +39,9 @@ config BR2_GCC_TARGET_FLOAT_ABI
 config BR2_ARCH
 	default "csky"
 
+config BR2_NORMALIZED_ARCH
+	default "csky"
+
 config BR2_ENDIAN
 	default "LITTLE"
 

buildroot/arch/Config.in.m68k

@@ -1,6 +1,9 @@
 config BR2_ARCH
 	default "m68k"		if BR2_m68k
 
+config BR2_NORMALIZED_ARCH
+	default "m68k"
+
 config BR2_ENDIAN
 	default "BIG"
 

buildroot/arch/Config.in.microblaze

@@ -2,6 +2,9 @@ config BR2_ARCH
 	default "microblazeel"  if BR2_microblazeel
 	default "microblaze"    if BR2_microblazebe
 
+config BR2_NORMALIZED_ARCH
+	default "microblaze"
+
 config BR2_ENDIAN
 	default "LITTLE" if BR2_microblazeel
 	default "BIG"	 if BR2_microblazebe

buildroot/arch/Config.in.mips

@@ -235,6 +235,9 @@ config BR2_ARCH
 	default "mips64"	if BR2_mips64
 	default "mips64el"	if BR2_mips64el
 
+config BR2_NORMALIZED_ARCH
+	default "mips"
+
 config BR2_ENDIAN
 	default "LITTLE"	if BR2_mipsel || BR2_mips64el
 	default "BIG"		if BR2_mips || BR2_mips64

buildroot/arch/Config.in.nds32

@@ -1,6 +1,9 @@
 config BR2_ARCH
 	default "nds32le"
 
+config BR2_NORMALIZED_ARCH
+	default "nds32"
+
 config BR2_GCC_TARGET_ARCH
 	default "v3"
 

buildroot/arch/Config.in.nios2

@@ -1,6 +1,9 @@
 config BR2_ARCH
 	default "nios2"
 
+config BR2_NORMALIZED_ARCH
+	default "nios2"
+
 config BR2_ENDIAN
 	default "LITTLE"
 

buildroot/arch/Config.in.or1k

@@ -1,6 +1,9 @@
 config BR2_ARCH
 	default "or1k"
 
+config BR2_NORMALIZED_ARCH
+	default "openrisc"
+
 config BR2_ENDIAN
 	default "BIG"
 

buildroot/arch/Config.in.powerpc

@@ -44,9 +44,6 @@ config BR2_powerpc_476fp
 config BR2_powerpc_505
 	bool "505"
 	depends on !BR2_ARCH_IS_64
-config BR2_powerpc_601
-	bool "601"
-	depends on !BR2_ARCH_IS_64
 config BR2_powerpc_602
 	bool "602"
 	depends on !BR2_ARCH_IS_64
@@ -160,6 +157,9 @@ config BR2_ARCH
 	default "powerpc64"	if BR2_powerpc64
 	default "powerpc64le"	if BR2_powerpc64le
 
+config BR2_NORMALIZED_ARCH
+	default "powerpc"
+
 config BR2_ENDIAN
 	default "BIG"    if BR2_powerpc || BR2_powerpc64
 	default "LITTLE" if BR2_powerpc64le
@@ -176,7 +176,6 @@ config BR2_GCC_TARGET_CPU
 	default "476"		if BR2_powerpc_476
 	default "476fp"		if BR2_powerpc_476fp
 	default "505"		if BR2_powerpc_505
-	default "601"		if BR2_powerpc_601
 	default "602"		if BR2_powerpc_602
 	default "603"		if BR2_powerpc_603
 	default "603e"		if BR2_powerpc_603e

buildroot/arch/Config.in.riscv

@@ -71,10 +71,12 @@ choice
 
 config BR2_RISCV_32
 	bool "32-bit"
+	select BR2_ARCH_HAS_MMU_MANDATORY
 
 config BR2_RISCV_64
 	bool "64-bit"
 	select BR2_ARCH_IS_64
+	select BR2_ARCH_HAS_MMU_OPTIONAL
 
 endchoice
 
@@ -116,6 +118,9 @@ config BR2_ARCH
 	default "riscv32" if !BR2_ARCH_IS_64
 	default "riscv64" if BR2_ARCH_IS_64
 
+config BR2_NORMALIZED_ARCH
+	default "riscv"
+
 config BR2_ENDIAN
 	default "LITTLE"
 

buildroot/arch/Config.in.s390x

@@ -0,0 +1,32 @@
+choice
+	prompt "Target Architecture Variant"
+	help
+	  Specific CPU variant to use
+
+config BR2_s390x_z13
+	bool "z13"
+
+config BR2_s390x_z14
+	bool "z14"
+
+config BR2_s390x_z15
+	bool "z15"
+
+endchoice
+
+config BR2_ARCH
+	default "s390x"	if BR2_s390x
+
+config BR2_NORMALIZED_ARCH
+	default "s390"
+
+config BR2_ENDIAN
+	default "BIG"
+
+config BR2_GCC_TARGET_ARCH
+	default "arch11" if BR2_s390x_z13
+	default "arch12" if BR2_s390x_z14
+	default "arch13" if BR2_s390x_z15
+
+config BR2_READELF_ARCH_NAME
+	default "IBM S/390"	if BR2_s390x

buildroot/arch/Config.in.sh

@@ -24,6 +24,9 @@ config BR2_ARCH
 	default "sh4a"		if BR2_sh4a
 	default "sh4aeb"	if BR2_sh4aeb
 
+config BR2_NORMALIZED_ARCH
+	default "sh"
+
 config BR2_ENDIAN
 	default "LITTLE"	if BR2_sh4 || BR2_sh4a
 	default "BIG"		if BR2_sh2a || BR2_sh4eb || BR2_sh4aeb

buildroot/arch/Config.in.sparc

@@ -21,6 +21,10 @@ config BR2_ARCH
 	default "sparc"	if BR2_sparc
 	default "sparc64" if BR2_sparc64
 
+config BR2_NORMALIZED_ARCH
+	default "sparc"	if BR2_sparc
+	default "sparc64" if BR2_sparc64
+
 config BR2_ENDIAN
 	default "BIG"
 

buildroot/arch/Config.in.x86

@@ -19,7 +19,12 @@ config BR2_X86_CPU_HAS_AVX
 	bool
 config BR2_X86_CPU_HAS_AVX2
 	bool
+config BR2_X86_CPU_HAS_AVX512
+	bool
 
+# This list of CPU architecture variant is (loosely) ordered according
+# to the gcc documentation at
+# https://gcc.gnu.org/onlinedocs/gcc-11.2.0/gcc/x86-Options.html
 choice
 	prompt "Target Architecture Variant"
 	default BR2_x86_i586 if BR2_i386
@@ -81,6 +86,78 @@ config BR2_x86_prescott
 	select BR2_X86_CPU_HAS_SSE
 	select BR2_X86_CPU_HAS_SSE2
 	select BR2_X86_CPU_HAS_SSE3
+config BR2_x86_x86_64
+	bool "x86-64"
+	depends on BR2_x86_64
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	help
+	  This option corresponds to -march=x86-64, documented as a
+	  "Generic CPU with 64-bit extensions" by the GCC
+	  documentation. It is a 64-bit CPU with MMX, SSE and SSE2
+	  support.
+config BR2_x86_x86_64_v2
+	bool "x86-64-v2"
+	depends on BR2_x86_64
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_11
+	help
+	  This option corresponds to the x86-64-v2 micro-architecture
+	  level, as defined by the x86-64 psABI document, see
+	  https://gitlab.com/x86-psABIs/x86-64-ABI/-/blob/master/x86-64-ABI/low-level-sys-info.tex.
+
+	  It is close to the Nehalem CPU architecture, and is
+	  applicable for CPUs that support CMPXCHG16B, LAHF-SAHF,
+	  POPCNT, SSE3, SSE4.1, SSE4.2, SSSE3.
+config BR2_x86_x86_64_v3
+	bool "x86-64-v3"
+	depends on BR2_x86_64
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_11
+	help
+	  This option corresponds to the x86-64-v3 micro-architecture
+	  level, as defined by the x86-64 psABI document, see
+	  https://gitlab.com/x86-psABIs/x86-64-ABI/-/blob/master/x86-64-ABI/low-level-sys-info.tex.
+
+	  It is close to the Haswell CPU architecture, and is
+	  applicable for CPUs that support all of x86-64-v2 plus AVX,
+	  AVX2, BMI1, BMI2, F16C, FMA, LZCNT, MOVBE, XSAVE.
+config BR2_x86_x86_64_v4
+	bool "x86-64-v4"
+	depends on BR2_x86_64
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_11
+	help
+	  This option corresponds to the x86-64-v4 micro-architecture
+	  level, as defined by the x86-64 psABI document, see
+	  https://gitlab.com/x86-psABIs/x86-64-ABI/-/blob/master/x86-64-ABI/low-level-sys-info.tex.
+
+	  It is applicable for CPUs that support all of x86-64-v3 plus
+	  AVX512F, AVX512BW, AVX512CD, AVX512DQ, AVX512VL.
 config BR2_x86_nocona
 	bool "nocona"
 	select BR2_X86_CPU_HAS_MMX
@@ -103,6 +180,19 @@ config BR2_x86_corei7
 	select BR2_X86_CPU_HAS_SSSE3
 	select BR2_X86_CPU_HAS_SSE4
 	select BR2_X86_CPU_HAS_SSE42
+	help
+	  This option is deprecated. Since gcc 4.9, the gcc option
+	  "nehalem" is preferred. Use BR2_x86_nehalem instead.
+config BR2_x86_nehalem
+	bool "nehalem"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_4_9
 config BR2_x86_westmere
 	bool "westmere"
 	select BR2_X86_CPU_HAS_MMX
@@ -112,6 +202,7 @@ config BR2_x86_westmere
 	select BR2_X86_CPU_HAS_SSSE3
 	select BR2_X86_CPU_HAS_SSE4
 	select BR2_X86_CPU_HAS_SSE42
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_4_9
 config BR2_x86_corei7_avx
 	bool "corei7-avx"
 	select BR2_X86_CPU_HAS_MMX
@@ -122,6 +213,20 @@ config BR2_x86_corei7_avx
 	select BR2_X86_CPU_HAS_SSE4
 	select BR2_X86_CPU_HAS_SSE42
 	select BR2_X86_CPU_HAS_AVX
+	help
+	  This option is deprecated. Since gcc 4.9, the gcc option
+	  "sandybridge" is preferred. Use BR2_x86_sandybridge instead.
+config BR2_x86_sandybridge
+	bool "sandybridge"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_4_9
 config BR2_x86_core_avx2
 	bool "core-avx2"
 	select BR2_X86_CPU_HAS_MMX
@@ -133,6 +238,45 @@ config BR2_x86_core_avx2
 	select BR2_X86_CPU_HAS_SSE42
 	select BR2_X86_CPU_HAS_AVX
 	select BR2_X86_CPU_HAS_AVX2
+	help
+	  This option is deprecated. Since gcc 4.9, the gcc option
+	  "haswell" is preferred. Use BR2_x86_haswell instead.
+config BR2_x86_haswell
+	bool "haswell"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_4_9
+config BR2_x86_broadwell
+	bool "broadwell"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_4_9
+config BR2_x86_skylake
+	bool "skylake"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_6
 config BR2_x86_atom
 	bool "atom"
 	select BR2_X86_CPU_HAS_MMX
@@ -140,6 +284,17 @@ config BR2_x86_atom
 	select BR2_X86_CPU_HAS_SSE2
 	select BR2_X86_CPU_HAS_SSE3
 	select BR2_X86_CPU_HAS_SSSE3
+	help
+	  This option is deprecated. Since gcc 4.9, the gcc option
+	  "bonnel" is preferred. Use BR2_x86_bonnel instead.
+config BR2_x86_bonnel
+	bool "bonnel"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_4_9
 config BR2_x86_silvermont
 	bool "silvermont"
 	select BR2_X86_CPU_HAS_MMX
@@ -149,6 +304,167 @@ config BR2_x86_silvermont
 	select BR2_X86_CPU_HAS_SSSE3
 	select BR2_X86_CPU_HAS_SSE4
 	select BR2_X86_CPU_HAS_SSE42
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_4_9
+config BR2_x86_goldmont
+	bool "goldmont"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_9
+config BR2_x86_goldmont_plus
+	bool "goldmont-plus"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_9
+config BR2_x86_tremont
+	bool "tremont"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_9
+config BR2_x86_skylake_avx512
+	bool "skylake-avx512"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_6
+config BR2_x86_cannonlake
+	bool "cannonlake"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_8
+config BR2_x86_icelake_client
+	bool "icelake-client"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_8
+config BR2_x86_icelake_server
+	bool "icelake-server"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_8
+config BR2_x86_cascadelake
+	bool "cascadelake"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_9
+config BR2_x86_cooperlake
+	bool "cooperlake"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_10
+config BR2_x86_tigerlake
+	bool "tigerlake"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_9
+config BR2_x86_sapphirerapids
+	bool "sapphirerapids"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_11
+config BR2_x86_alderlake
+	bool "alderlake"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_11
+config BR2_x86_rocketlake
+	bool "rocketlake"
+	select BR2_X86_CPU_HAS_MMX
+	select BR2_X86_CPU_HAS_SSE
+	select BR2_X86_CPU_HAS_SSE2
+	select BR2_X86_CPU_HAS_SSE3
+	select BR2_X86_CPU_HAS_SSSE3
+	select BR2_X86_CPU_HAS_SSE4
+	select BR2_X86_CPU_HAS_SSE42
+	select BR2_X86_CPU_HAS_AVX
+	select BR2_X86_CPU_HAS_AVX2
+	select BR2_X86_CPU_HAS_AVX512
+	select BR2_ARCH_NEEDS_GCC_AT_LEAST_11
 config BR2_x86_k6
 	bool "k6"
 	depends on !BR2_x86_64
@@ -240,30 +556,16 @@ config BR2_ARCH
 	default "i686"		if BR2_x86_c32
 	default "i586"		if BR2_x86_winchip_c6
 	default "i586"		if BR2_x86_winchip2
-	default "i686"		if BR2_x86_i686
-	default "i686"		if BR2_x86_pentium2
-	default "i686"		if BR2_x86_pentium3
-	default "i686"		if BR2_x86_pentium4
-	default "i686"		if BR2_x86_pentium_m
-	default "i686"		if BR2_x86_pentiumpro
-	default "i686"		if BR2_x86_prescott
-	default "i686"		if BR2_x86_nocona && BR2_i386
-	default "i686"		if BR2_x86_core2 && BR2_i386
-	default "i686"		if BR2_x86_corei7 && BR2_i386
-	default "i686"		if BR2_x86_westmere && BR2_i386
-	default "i686"		if BR2_x86_corei7_avx && BR2_i386
-	default "i686"		if BR2_x86_core_avx2 && BR2_i386
-	default "i686"		if BR2_x86_atom && BR2_i386
-	default "i686"		if BR2_x86_silvermont && BR2_i386
-	default "i686"		if BR2_x86_opteron && BR2_i386
-	default "i686"		if BR2_x86_opteron_sse3 && BR2_i386
-	default "i686"		if BR2_x86_barcelona && BR2_i386
-	default "i686"		if BR2_x86_jaguar && BR2_i386
-	default "i686"		if BR2_x86_steamroller && BR2_i386
-	default "i686"		if BR2_x86_k6
-	default "i686"		if BR2_x86_k6_2
-	default "i686"		if BR2_x86_athlon
-	default "i686"		if BR2_x86_athlon_4
+	# We use the property of Kconfig that the first match of a
+	# list of default will be chosen. So the following entry will
+	# not match for all BR2_i386=y configurations, but only the
+	# ones that didn't match any of the previous cases (i486,
+	# i586).
+	default "i686"		if BR2_i386
+	default "x86_64"	if BR2_x86_64
+
+config BR2_NORMALIZED_ARCH
+	default "i386"		if !BR2_x86_64
 	default "x86_64"	if BR2_x86_64
 
 config BR2_ENDIAN
@@ -281,14 +583,37 @@ config BR2_GCC_TARGET_ARCH
 	default "pentium3"	if BR2_x86_pentium3
 	default "pentium4"	if BR2_x86_pentium4
 	default "prescott"	if BR2_x86_prescott
+	default "x86-64"	if BR2_x86_x86_64
+	default "x86-64-v2"	if BR2_x86_x86_64_v2
+	default "x86-64-v3"	if BR2_x86_x86_64_v3
+	default "x86-64-v4"	if BR2_x86_x86_64_v4
 	default "nocona"	if BR2_x86_nocona
 	default "core2"		if BR2_x86_core2
 	default "corei7"	if BR2_x86_corei7
+	default "nehalem"	if BR2_x86_nehalem
 	default "corei7-avx"	if BR2_x86_corei7_avx
+	default "sandybridge"	if BR2_x86_sandybridge
 	default "core-avx2"	if BR2_x86_core_avx2
+	default "haswell"	if BR2_x86_haswell
+	default "broadwell"	if BR2_x86_broadwell
+	default "skylake"	if BR2_x86_skylake
 	default "atom"		if BR2_x86_atom
+	default "bonnel"	if BR2_x86_bonnel
 	default "westmere"	if BR2_x86_westmere
 	default "silvermont"	if BR2_x86_silvermont
+	default "goldmont"	if BR2_x86_goldmont
+	default "goldmont-plus"	if BR2_x86_goldmont_plus
+	default "tremont"	if BR2_x86_tremont
+	default "skylake-avx512" if BR2_x86_skylake_avx512
+	default "cannonlake"	if BR2_x86_cannonlake
+	default "icelake-client" if BR2_x86_icelake_client
+	default "icelake-server" if BR2_x86_icelake_server
+	default "cascadelake"	if BR2_x86_cascadelake
+	default "cooperlake"	if BR2_x86_cooperlake
+	default "tigerlake"	if BR2_x86_tigerlake
+	default "sapphirerapids" if BR2_x86_sapphirerapids
+	default "alderlake"	if BR2_x86_alderlake
+	default "rocketlake"	if BR2_x86_rocketlake
 	default "k8"		if BR2_x86_opteron
 	default "k8-sse3"	if BR2_x86_opteron_sse3
 	default "barcelona"	if BR2_x86_barcelona

buildroot/arch/Config.in.xtensa

@@ -48,6 +48,9 @@ config BR2_ENDIAN
 config BR2_ARCH
 	default "xtensa"	if BR2_xtensa
 
+config BR2_NORMALIZED_ARCH
+	default "xtensa"
+
 config BR2_READELF_ARCH_NAME
 	default "Tensilica Xtensa Processor"
 

buildroot/board/allwinner-generic/suniv-f1c200s

@@ -0,0 +1 @@
+/home/yuzuki/WorkSpace/buildroot-YuzukiSBC/buildroot/board/allwinner-generic/suniv-f1c100s

buildroot/boot/Config.in

@@ -6,8 +6,11 @@ source "boot/at91bootstrap3/Config.in"
 source "boot/at91dataflashboot/Config.in"
 source "boot/arm-trusted-firmware/Config.in"
 source "boot/barebox/Config.in"
+source "boot/beaglev-ddrinit/Config.in"
+source "boot/beaglev-secondboot/Config.in"
 source "boot/binaries-marvell/Config.in"
 source "boot/boot-wrapper-aarch64/Config.in"
+source "boot/edk2/Config.in"
 source "boot/grub2/Config.in"
 source "boot/gummiboot/Config.in"
 source "boot/lpc32xxcdl/Config.in"
@@ -17,6 +20,7 @@ source "boot/optee-os/Config.in"
 source "boot/opensbi/Config.in"
 source "boot/s500-bootloader/Config.in"
 source "boot/shim/Config.in"
+source "boot/sun20i-d1-spl/Config.in"
 source "boot/syslinux/Config.in"
 source "boot/uboot/Config.in"
 source "boot/vexpress-firmware/Config.in"

buildroot/boot/afboot-stm32/0001-Pass-fno-builtin-to-fix-build-with-gcc-10.patch

@@ -0,0 +1,46 @@
+From 5448f328ff63a6ca4a64519c2f1dfc63a33df4b7 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Thu, 10 Sep 2020 11:37:33 +0200
+Subject: [PATCH] Pass -fno-builtin to fix build with gcc 10
+
+gcc 10, if it recognizes some hand-written code that looks like
+memcpy, will generate a call to memcpy().
+
+For example:
+
+        while (dst < &_end_data) {
+                *dst++ = *src++;
+        }
+
+gets recognized as such. However, in the context of bare-metal code,
+having a call to memcpy() in the C library doesn't work. So we fix
+that by disabling builtins.
+
+Fixes:
+
+/home/thomas/projets/buildroot/output/host/opt/ext-toolchain/bin/../arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: stm32f429i-disco.o: in function `reset':
+stm32f429i-disco.c:(.text.reset+0x1a): undefined reference to `memcpy'
+/home/thomas/projets/buildroot/output/host/opt/ext-toolchain/bin/../arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: stm32f429i-disco.c:(.text.reset+0x34): undefined reference to `memset'
+make[1]: *** [Makefile:26: stm32f429i-disco] Error 1
+
+Upstream: https://github.com/mcoquelin-stm32/afboot-stm32/pull/9
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Makefile b/Makefile
+index f699176..1e8557d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -13,6 +13,7 @@ DTB_ADDR?=0x08004000
+ CFLAGS := -mthumb -mcpu=cortex-m4
+ CFLAGS += -ffunction-sections -fdata-sections
+ CFLAGS += -Os -std=gnu99 -Wall
++CFLAGS += -fno-builtin
+ LINKERFLAGS := -nostartfiles --gc-sections
+ 
+ obj-y += gpio.o mpu.o qspi.o start_kernel.o
+-- 
+2.26.2
+

buildroot/boot/afboot-stm32/Config.in

@@ -5,3 +5,23 @@ config BR2_TARGET_AFBOOT_STM32
 	  afboot-stm32 is a very small bootloader for STM32 platforms
 
 	  https://github.com/mcoquelin-stm32/afboot-stm32
+
+if BR2_TARGET_AFBOOT_STM32
+
+config BR2_TARGET_AFBOOT_STM32_KERNEL_ADDR
+	hex "Kernel load address"
+	default "0x08008000"
+	help
+	  This is the physical address in your flash memory the kernel
+	  will be linked for and stored to. This address is dependent on
+	  your own flash usage.
+
+config BR2_TARGET_AFBOOT_STM32_DTB_ADDR
+	hex "Device-tree load address"
+	default "0x08004000"
+	help
+	  This is the physical address in your flash memory the
+	  device-tree will be stored to. This address is dependent on
+	  your own flash usage.
+
+endif

buildroot/boot/afboot-stm32/afboot-stm32.hash

@@ -1,2 +1,2 @@
 # Locally calculated
-sha256 9b37b661bd3091ceb5d8dc5a56a2dfc02ae9ebc0c63dad3c4289c9d6b3d3ec89  afboot-stm32-0.2.tar.gz
+sha256  2caacd302ab3ed5b70b3b93a6aef04162abf779c758a5be547be3ab01b68ca10  afboot-stm32-3566acd582e5536fb60864281788a30f5527df2d.tar.gz

buildroot/boot/afboot-stm32/afboot-stm32.mk

@@ -4,13 +4,15 @@
 #
 ################################################################################
 
-AFBOOT_STM32_VERSION = 0.2
-AFBOOT_STM32_SITE = $(call github,mcoquelin-stm32,afboot-stm32,v$(AFBOOT_STM32_VERSION))
+AFBOOT_STM32_VERSION = 3566acd582e5536fb60864281788a30f5527df2d
+AFBOOT_STM32_SITE = $(call github,mcoquelin-stm32,afboot-stm32,$(AFBOOT_STM32_VERSION))
 AFBOOT_STM32_INSTALL_IMAGES = YES
 AFBOOT_STM32_INSTALL_TARGET = NO
 
 define AFBOOT_STM32_BUILD_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) CROSS_COMPILE=$(TARGET_CROSS) all
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) CROSS_COMPILE=$(TARGET_CROSS) all \
+		KERNEL_ADDR=$(BR2_TARGET_AFBOOT_STM32_KERNEL_ADDR) \
+		DTB_ADDR=$(BR2_TARGET_AFBOOT_STM32_DTB_ADDR)
 endef
 
 define AFBOOT_STM32_INSTALL_IMAGES_CMDS

buildroot/boot/arm-trusted-firmware/Config.in

@@ -1,7 +1,7 @@
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE
 	bool "ARM Trusted Firmware (ATF)"
 	depends on (BR2_ARM_CPU_ARMV8A || BR2_ARM_CPU_ARMV7A) && \
-		   BR2_TARGET_UBOOT
+		   (BR2_TARGET_UBOOT || BR2_TARGET_EDK2)
 	help
 	  Enable this option if you want to build the ATF for your ARM
 	  based embedded device.
@@ -15,7 +15,7 @@ choice
 	  Select the specific ATF version you want to use
 
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION
-	bool "v1.4"
+	bool "v2.5"
 
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION
 	bool "Custom version"
@@ -43,7 +43,7 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE
 
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_VERSION
 	string
-	default "v1.4"		if BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION
+	default "v2.5"		if BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION
 	default "custom"	if BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_TARBALL
 	default BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_REPO_VERSION \
 				if BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_GIT
@@ -68,6 +68,15 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM
 	help
 	  Target plaform to build for.
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH
+	string "Device Tree Source file paths"
+	help
+	  Space-separated list of paths to device tree source files
+	  that will be copied to fdts/ before starting the build.
+
+	  To use this device tree source file, the ATF configuration
+	  file must refer to it.
+
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP
 	bool "Build FIP image"
 	help
@@ -135,6 +144,19 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_BL33_IMAGE
 
 endif
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
+	bool "Use EDK2 as BL33"
+	depends on BR2_TARGET_EDK2
+	help
+	  This option allows to embed EDK2 as the BL33 part of
+	  the ARM Trusted Firmware. It ensures that the EDK2 package
+	  gets built before ATF, and that the appropriate BL33
+	  variable pointing to the EDK2 is passed when building ATF.
+
+	  Do not choose this option if you intend to build ATF and EDK2
+	  for the 'qemu_sbsa' platform. In this case, due to the EDK2
+	  build system, the dependency between ATF and EDK is reversed.
+
 config BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_TARGETS
 	string "Additional ATF make targets"
 	help
@@ -167,4 +189,36 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_DTC
 	  Select this option if your ATF board configuration
 	  requires the Device Tree compiler to be available.
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_ARM32_TOOLCHAIN
+	bool "Needs arm-none-eabi toolchain"
+	depends on BR2_aarch64
+	depends on BR2_HOSTARCH = "x86_64"
+	help
+	  Select this option if your ATF board configuration requires
+	  an ARM32 bare metal toolchain to be available.
+
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP
+	bool "Build with SSP"
+	default y
+	depends on BR2_TOOLCHAIN_HAS_SSP
+	depends on !BR2_SSP_NONE
+	help
+	  Say 'y' here if you want to build ATF with SSP.
+
+	  Your board must have SSP support in ATF: it must have an
+	  implementation for plat_get_stack_protector_canary().
+
+	  If you say 'y', the SSP level will be the level selected
+	  by the global SSP setting.
+
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_LEVEL
+	string
+	# While newer versions of TF-A support "none" as
+	# ENABLE_STACK_PROTECTOR value, older versions (e.g 2.0) only
+	# supported "0" to disable SSP.
+	default "0"    	  if !BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP
+	default "default" if BR2_SSP_REGULAR
+	default "strong"  if BR2_SSP_STRONG
+	default "all"     if BR2_SSP_ALL
+
 endif

buildroot/boot/arm-trusted-firmware/arm-trusted-firmware.hash

@@ -1,3 +1,3 @@
 # Locally calculated
-sha256 6dae02acd85278394bfad6e2683e186e5332a711e4491ac4632ad6480f6e5494 arm-trusted-firmware-v1.4.tar.gz
-sha256 487795b8023df866259fa159bab94706b747fb0d623b7913f1c4955c0ab5f164  license.rst
+sha256  d12a824afcc5cb90d005f9820f3274f1319cef1bb282e40a6a190b75900206d3  arm-trusted-firmware-v2.5.tar.gz
+sha256  0171b0795501ee90634fbc4a7835e2fb215d9423daf1cf5b0d0682adde12c597  docs/license.rst

buildroot/boot/arm-trusted-firmware/arm-trusted-firmware.mk

@@ -18,10 +18,10 @@ else
 # Handle stable official ATF versions
 ARM_TRUSTED_FIRMWARE_SITE = $(call github,ARM-software,arm-trusted-firmware,$(ARM_TRUSTED_FIRMWARE_VERSION))
 # The licensing of custom or from-git versions is unknown.
-# This is valid only for the official v1.4.
+# This is valid only for the latest (i.e. known) version.
 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LATEST_VERSION),y)
 ARM_TRUSTED_FIRMWARE_LICENSE = BSD-3-Clause
-ARM_TRUSTED_FIRMWARE_LICENSE_FILES = license.rst
+ARM_TRUSTED_FIRMWARE_LICENSE_FILES = docs/license.rst
 endif
 endif
 
@@ -35,6 +35,10 @@ ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_DTC),y)
 ARM_TRUSTED_FIRMWARE_DEPENDENCIES += host-dtc
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_ARM32_TOOLCHAIN),y)
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += host-arm-gnu-a-toolchain
+endif
+
 ARM_TRUSTED_FIRMWARE_PLATFORM = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM))
 
 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_DEBUG),y)
@@ -49,6 +53,10 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
 	$(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES)) \
 	PLAT=$(ARM_TRUSTED_FIRMWARE_PLATFORM)
 
+ARM_TRUSTED_FIRMWARE_MAKE_ENV += \
+	$(TARGET_MAKE_ENV) \
+	ENABLE_STACK_PROTECTOR=$(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP_LEVEL))
+
 ifeq ($(BR2_ARM_CPU_ARMV7A),y)
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ARM_ARCH_MAJOR=7
 else ifeq ($(BR2_ARM_CPU_ARMV8A),y)
@@ -75,6 +83,15 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += AARCH32_SP=optee
 endif
 endif # BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33),y)
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += edk2
+# Since the flash device name vary between platforms, we use the variable
+# provided by the EDK2 package for this. Using this variable here is OK
+# as it will expand after all dependencies are resolved, inside _BUILD_CMDS.
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += \
+	BL33=$(BINARIES_DIR)/$(call qstrip,$(BR2_TARGET_EDK2_FD_NAME).fd)
+endif
+
 ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_AS_BL33),y)
 ARM_TRUSTED_FIRMWARE_UBOOT_BIN = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_UBOOT_BL33_IMAGE))
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/$(ARM_TRUSTED_FIRMWARE_UBOOT_BIN)
@@ -148,9 +165,15 @@ endif
 ARM_TRUSTED_FIRMWARE_MAKE_TARGETS += \
 	$(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_TARGETS))
 
+ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH = $(call qstrip,$(BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH))
+
 define ARM_TRUSTED_FIRMWARE_BUILD_CMDS
+	$(if $(ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH),
+		cp -f $(ARM_TRUSTED_FIRMWARE_CUSTOM_DTS_PATH) $(@D)/fdts/
+	)
 	$(ARM_TRUSTED_FIRMWARE_BUILD_FIPTOOL)
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(ARM_TRUSTED_FIRMWARE_MAKE_OPTS) \
+	$(ARM_TRUSTED_FIRMWARE_MAKE_ENV) $(MAKE) -C $(@D) \
+		$(ARM_TRUSTED_FIRMWARE_MAKE_OPTS) \
 		$(ARM_TRUSTED_FIRMWARE_MAKE_TARGETS)
 	$(ARM_TRUSTED_FIRMWARE_BL31_UBOOT_BUILD)
 endef

buildroot/boot/at91bootstrap/at91bootstrap.hash

@@ -1,2 +1,3 @@
 # locally computed
 sha256  d66192a274247f4baa39fa932eadf903d7add55641d89d30402f967c4f2282a5  AT91Bootstrap1.16.zip
+sha256  6a3ac5dfcf19e6bac1b1109d30d72818768a3855e2594b84fe2b012b5fe0e77b  include/sdramc.h

buildroot/boot/at91bootstrap/at91bootstrap.mk

@@ -7,6 +7,8 @@
 AT91BOOTSTRAP_VERSION = 1.16
 AT91BOOTSTRAP_SITE = ftp://www.at91.com/pub/at91bootstrap
 AT91BOOTSTRAP_SOURCE = AT91Bootstrap$(AT91BOOTSTRAP_VERSION).zip
+AT91BOOTSTRAP_LICENSE = BSD-Source-Code
+AT91BOOTSTRAP_LICENSE_FILES = include/sdramc.h
 
 AT91BOOTSTRAP_BOARD = $(call qstrip,$(BR2_TARGET_AT91BOOTSTRAP_BOARD))
 AT91BOOTSTRAP_MEMORY = $(call qstrip,$(BR2_TARGET_AT91BOOTSTRAP_MEMORY))

buildroot/boot/at91bootstrap3/Config.in

@@ -1,5 +1,5 @@
 config BR2_TARGET_AT91BOOTSTRAP3
-	bool "AT91 Bootstrap 3"
+	bool "AT91 Bootstrap 3+"
 	depends on BR2_arm926t || BR2_cortex_a5 || BR2_cortex_a7
 	help
 	  AT91Bootstrap is a first level bootloader for the Atmel AT91
@@ -16,10 +16,13 @@ if BR2_TARGET_AT91BOOTSTRAP3
 
 choice
 
-	prompt "AT91 Bootstrap 3 version"
+	prompt "AT91 Bootstrap 3+ version"
 
 config BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION
-	bool "3.9.0"
+	bool "4.0.0"
+
+config BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION_3X
+	bool "3.10.3"
 
 config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT
 	bool "Custom Git repository"
@@ -27,6 +30,12 @@ config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT
 	  This option allows Buildroot to get the AT91 Bootstrap 3
 	  source code from a Git repository.
 
+config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_SVN
+	bool "Custom SVN repository"
+	help
+	  This option allows Buildroot to get the AT91 Bootstrap 3
+	  source code from a Subversion repository
+
 config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_TARBALL
 	bool "Custom tarball"
 
@@ -36,7 +45,7 @@ config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_TARBALL_LOCATION
 	string "URL of custom AT91Bootstrap tarball"
 	depends on BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_TARBALL
 
-if BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT
+if BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT || BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_SVN
 
 config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_URL
 	string "URL of custom repository"
@@ -44,16 +53,17 @@ config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_URL
 config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_VERSION
 	string "Custom repository version"
 	help
-	  Revision to use in the typical format used by Git
+	  Revision to use in the typical format used by Git or SVN
 	  E.G. a sha id, a tag, branch, ..
 
 endif
 
 config BR2_TARGET_AT91BOOTSTRAP3_VERSION
 	string
-	default "v3.9.0" if BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION
+	default "v4.0.0" if BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION
+	default "v3.10.3" if BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION_3X
 	default BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_VERSION \
-		if BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT
+		if BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT || BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_SVN
 	default "custom"	if BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_TARBALL
 
 config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_PATCH_DIR
@@ -96,4 +106,12 @@ config BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_CONFIG_FILE
 	help
 	  Path to the at91bootstrap3 configuration file
 
+config BR2_TARGET_AT91BOOTSTRAP3_NEEDS_PYTHON3
+	bool "needs host-python3"
+	help
+	  Enable this option if the at91bootstrap build process needs
+	  Python 3.x to be available on the host. This is needed in
+	  some at91bootstrap configurations to use NAND/PMECC Python
+	  scripts.
+
 endif # BR2_TARGET_AT91BOOTSTRAP3

buildroot/boot/at91bootstrap3/at91bootstrap3.hash

@@ -1,3 +1,4 @@
 # Locally calculated
-sha256	e23e6df23b79ca81e412cb73a1f48bd95df8d46c7d52a1d073c2ed9d4f3a1a71  at91bootstrap3-v3.9.0.tar.gz
-sha256  732b2a55b5905031d8ae420136ffb5f8889214865784386bf754cffab8d2bc6e  main.c
+sha256  b6ae5bcaacc5a949f400182e036ae053049638444a3ba8b1dd154ec5f7898d8e  at91bootstrap3-v3.10.3.tar.gz
+sha256  08c5b95df28be7f2e0439fb2b77fe27524f97c499850641e4540c07ea0b2c25d  at91bootstrap3-v4.0.0.tar.gz
+sha256  5a3809b1c2ba13b7242572322951311c584419f1f8516f665d6c06f0668d78de  LICENSES/MIT.txt

buildroot/boot/at91bootstrap3/at91bootstrap3.mk

@@ -15,18 +15,31 @@ else ifeq ($(BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_GIT),y)
 AT91BOOTSTRAP3_SITE = $(call qstrip,$(BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_URL))
 AT91BOOTSTRAP3_SITE_METHOD = git
 BR_NO_CHECK_HASH_FOR += $(AT91BOOTSTRAP3_SOURCE)
+else ifeq ($(BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_SVN),y)
+AT91BOOTSTRAP3_SITE = $(call qstrip,$(BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_REPO_URL))
+AT91BOOTSTRAP3_SITE_METHOD = svn
+BR_NO_CHECK_HASH_FOR += $(AT91BOOTSTRAP3_SOURCE)
 else
 AT91BOOTSTRAP3_SITE = $(call github,linux4sam,at91bootstrap,$(AT91BOOTSTRAP3_VERSION))
 endif
 
-AT91BOOTSTRAP3_LICENSE = Atmel License
 ifeq ($(BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION),y)
-AT91BOOTSTRAP3_LICENSE_FILES = main.c
+AT91BOOTSTRAP3_LICENSE = MIT
+AT91BOOTSTRAP3_LICENSE_FILES = LICENSES/MIT.txt
+else ifeq ($(BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION_3X),y)
+AT91BOOTSTRAP3_LICENSE = Atmel License
 endif
 
+AT91BOOTSTRAP3_CPE_ID_VENDOR = linux4sam
+AT91BOOTSTRAP3_CPE_ID_PRODUCT = at91bootstrap
+
 AT91BOOTSTRAP3_INSTALL_IMAGES = YES
 AT91BOOTSTRAP3_INSTALL_TARGET = NO
 
+ifeq ($(BR2_TARGET_AT91BOOTSTRAP3_NEEDS_PYTHON3),y)
+AT91BOOTSTRAP3_DEPENDENCIES += host-python3
+endif
+
 AT91BOOTSTRAP3_CUSTOM_PATCH_DIR = \
 	$(call qstrip,$(BR2_TARGET_AT91BOOTSTRAP3_CUSTOM_PATCH_DIR))
 
@@ -45,7 +58,7 @@ define AT91BOOTSTRAP3_BUILD_CMDS
 endef
 
 define AT91BOOTSTRAP3_INSTALL_IMAGES_CMDS
-	cp $(@D)/binaries/*.bin $(BINARIES_DIR)
+	cp $(wildcard $(@D)/build/binaries/*.bin $(@D)/binaries/*.bin) $(BINARIES_DIR)
 endef
 
 ifeq ($(BR2_TARGET_AT91BOOTSTRAP3_USE_DEFCONFIG),y)

buildroot/boot/barebox/Config.in

@@ -12,7 +12,7 @@ choice
 	  Select the specific Barebox version you want to use
 
 config BR2_TARGET_BAREBOX_LATEST_VERSION
-	bool "2020.01.0"
+	bool "2021.12.0"
 
 config BR2_TARGET_BAREBOX_CUSTOM_VERSION
 	bool "Custom version"
@@ -40,7 +40,7 @@ endif
 
 config BR2_TARGET_BAREBOX_VERSION
 	string
-	default "2020.01.0"	if BR2_TARGET_BAREBOX_LATEST_VERSION
+	default "2021.12.0"	if BR2_TARGET_BAREBOX_LATEST_VERSION
 	default BR2_TARGET_BAREBOX_CUSTOM_VERSION_VALUE if BR2_TARGET_BAREBOX_CUSTOM_VERSION
 	default "custom"	if BR2_TARGET_BAREBOX_CUSTOM_TARBALL
 	default BR2_TARGET_BAREBOX_CUSTOM_GIT_VERSION if BR2_TARGET_BAREBOX_CUSTOM_GIT

buildroot/boot/barebox/barebox.hash

@@ -1,8 +1,8 @@
-# From https://www.barebox.org/download/barebox-2020.01.0.tar.bz2.md5
-md5  05038e0b61b68ce40e038295b809c548  barebox-2020.01.0.tar.bz2
+# From https://www.barebox.org/download/barebox-2021.12.0.tar.bz2.md5
+md5  199b6d7ff3441cec2062ab18a52454dc  barebox-2021.12.0.tar.bz2
 
 # Locally calculated
-sha256  8968e6b0d72d79eba636917b067b925e3bbb54d38c6c2acfc4e1e49909b42f33  barebox-2020.01.0.tar.bz2
+sha256  555569fe9e71524e0bf927eaa2c1aa2e81ee2c34dd71e39fe21620db6ccc8aa6  barebox-2021.12.0.tar.bz2
 
 # License files, locally computed
 sha256  ab1122aa9f9073ad1ec824edcd970b16a6a7881a34a18fd56c080debb2dca5d4  COPYING

buildroot/boot/barebox/barebox.mk

@@ -28,7 +28,7 @@ $(1)_SITE_METHOD = git
 # Override the default value of _SOURCE to 'barebox-*' so that it is not
 # downloaded a second time for barebox-aux; also alows avoiding the hash
 # check:
-$(1)_SOURCE = barebox-$$($(1)_VERSION).tar.gz
+$(1)_SOURCE = barebox-$$($(1)_VERSION)$$(BR_FMT_VERSION_git).tar.gz
 else
 # Handle stable official Barebox versions
 $(1)_SOURCE = barebox-$$($(1)_VERSION).tar.bz2
@@ -59,16 +59,16 @@ ifneq ($$(BR2_TARGET_$(1)_BAREBOXENV),y)
 $(1)_INSTALL_TARGET = NO
 endif
 
-ifeq ($$(KERNEL_ARCH),i386)
+ifeq ($$(NORMALIZED_ARCH),i386)
 $(1)_ARCH = x86
-else ifeq ($$(KERNEL_ARCH),x86_64)
+else ifeq ($$(NORMALIZED_ARCH),x86_64)
 $(1)_ARCH = x86
-else ifeq ($$(KERNEL_ARCH),powerpc)
+else ifeq ($$(NORMALIZED_ARCH),powerpc)
 $(1)_ARCH = ppc
-else ifeq ($$(KERNEL_ARCH),arm64)
+else ifeq ($$(NORMALIZED_ARCH),arm64)
 $(1)_ARCH = arm
 else
-$(1)_ARCH = $$(KERNEL_ARCH)
+$(1)_ARCH = $$(NORMALIZED_ARCH)
 endif
 
 $(1)_MAKE_FLAGS = ARCH=$$($(1)_ARCH) CROSS_COMPILE="$$(TARGET_CROSS)"
@@ -138,6 +138,11 @@ define $(1)_INSTALL_IMAGES_CMDS
 	$$($(1)_INSTALL_CUSTOM_ENV)
 endef
 
+# Starting with barebox v2020.09.0, the kconfig used calls the
+# cross-compiler to check its capabilities. So we need the
+# toolchain before we can call the configurators.
+$(1)_KCONFIG_DEPENDENCIES += toolchain
+
 ifeq ($$(BR2_TARGET_$(1)_BAREBOXENV),y)
 define $(1)_INSTALL_TARGET_CMDS
 	cp $$(@D)/scripts/bareboxenv-target $$(TARGET_DIR)/usr/bin/bareboxenv

buildroot/boot/barebox/barebox/barebox.mk

@@ -4,10 +4,5 @@
 #
 ################################################################################
 
-define BAREBOX_HELP_CMDS
-	@echo '  barebox-menuconfig     - Run barebox menuconfig'
-	@echo '  barebox-savedefconfig  - Run barebox savedefconfig'
-endef
-
 # Instantiate the barebox package
 $(eval $(barebox-package))

buildroot/boot/beaglev-ddrinit/Config.in

@@ -0,0 +1,9 @@
+config BR2_TARGET_BEAGLEV_DDRINIT
+	bool "beaglev-ddrinit"
+	depends on BR2_riscv
+	depends on BR2_HOSTARCH = "x86_64" # host-riscv64-elf-toolchain
+	help
+	  This package builds the DDRinit firmware used on the BeagleV
+	  platform.
+
+	  https://github.com/starfive-tech/beagle_ddrinit

buildroot/boot/beaglev-ddrinit/beaglev-ddrinit.hash

@@ -0,0 +1,3 @@
+# Locally computed
+sha256  2d491f64bd77de9dfd4b8ae6c00e83670e80c205cc20917fefa6194b1dc1fe4e  beaglev-ddrinit-c0839f25246d9e308c23498d344ca13d8a7ad6ed.tar.gz
+sha256  284d26192537710910ec1f112ec5f4c981601ae23702391986d6ce0b8ba90813  LICENSE

buildroot/boot/beaglev-ddrinit/beaglev-ddrinit.mk

@@ -0,0 +1,28 @@
+################################################################################
+#
+# beaglev-ddrinit
+#
+################################################################################
+
+# Commit on the 'starfive' branch
+BEAGLEV_DDRINIT_VERSION = c0839f25246d9e308c23498d344ca13d8a7ad6ed
+BEAGLEV_DDRINIT_SITE = $(call github,starfive-tech,beagle_ddrinit,$(BEAGLEV_DDRINIT_VERSION))
+BEAGLEV_DDRINIT_INSTALL_TARGET = NO
+BEAGLEV_DDRINIT_INSTALL_IMAGES = YES
+BEAGLEV_DDRINIT_DEPENDENCIES = host-riscv64-elf-toolchain
+BEAGLEV_DDRINIT_LICENSE = GPL-2.0+
+BEAGLEV_DDRINIT_LICENSE_FILES = LICENSE
+
+define BEAGLEV_DDRINIT_BUILD_CMDS
+	$(MAKE) -C $(@D)/build \
+		CROSSCOMPILE=$(HOST_DIR)/bin/riscv64-unknown-elf- \
+		SUFFIX=buildroot \
+		GIT_VERSION=$(BEAGLEV_DDRINIT_VERSION)
+endef
+
+define BEAGLEV_DDRINIT_INSTALL_IMAGES_CMDS
+	$(INSTALL) -D -m 0644 $(@D)/build/ddrinit-2133-buildroot.bin.out \
+		$(BINARIES_DIR)/ddrinit-2133-buildroot.bin.out
+endef
+
+$(eval $(generic-package))

buildroot/boot/beaglev-secondboot/Config.in

@@ -0,0 +1,9 @@
+config BR2_TARGET_BEAGLEV_SECONDBOOT
+	bool "beaglev-secondboot"
+	depends on BR2_riscv
+	depends on BR2_HOSTARCH = "x86_64" # host-riscv64-elf-toolchain
+	help
+	  This package builds the SecondBoot firmware used on the
+	  BeagleV platform.
+
+	  https://github.com/starfive-tech/beagle_secondBoot

buildroot/boot/beaglev-secondboot/beaglev-secondboot.hash

@@ -0,0 +1,3 @@
+# Locally computed
+sha256  fe4d37f3ff38e7f2da70a08f9cb1668c0b928e85d2e0935bd985f910b3ce30e9  beaglev-secondboot-2d20047960044308126117ad56bc08a1164e82b2.tar.gz
+sha256  284d26192537710910ec1f112ec5f4c981601ae23702391986d6ce0b8ba90813  LICENSE

buildroot/boot/beaglev-secondboot/beaglev-secondboot.mk

@@ -0,0 +1,28 @@
+################################################################################
+#
+# beaglev-secondboot
+#
+################################################################################
+
+# Commit on the 'starfive' branch
+BEAGLEV_SECONDBOOT_VERSION = 2d20047960044308126117ad56bc08a1164e82b2
+BEAGLEV_SECONDBOOT_SITE = $(call github,starfive-tech,beagle_secondBoot,$(BEAGLEV_SECONDBOOT_VERSION))
+BEAGLEV_SECONDBOOT_INSTALL_TARGET = NO
+BEAGLEV_SECONDBOOT_INSTALL_IMAGES = YES
+BEAGLEV_SECONDBOOT_DEPENDENCIES = host-riscv64-elf-toolchain
+BEAGLEV_SECONDBOOT_LICENSE = GPL-2.0+
+BEAGLEV_SECONDBOOT_LICENSE_FILES = LICENSE
+
+define BEAGLEV_SECONDBOOT_BUILD_CMDS
+	$(MAKE) -C $(@D)/build \
+		CROSSCOMPILE=$(HOST_DIR)/bin/riscv64-unknown-elf- \
+		SUFFIX=buildroot \
+		GIT_VERSION=$(BEAGLEV_SECONDBOOT_VERSION)
+endef
+
+define BEAGLEV_SECONDBOOT_INSTALL_IMAGES_CMDS
+	$(INSTALL) -D -m 0644 $(@D)/build/bootloader-BEAGLEV-buildroot.bin.out \
+		$(BINARIES_DIR)/bootloader-BEAGLEV-buildroot.bin.out
+endef
+
+$(eval $(generic-package))

buildroot/boot/boot-wrapper-aarch64/boot-wrapper-aarch64.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BOOT_WRAPPER_AARCH64_VERSION = fd74c8cbd0e17483d2299208cad9742bee605ca7
+BOOT_WRAPPER_AARCH64_VERSION = 8d5a765251d9113c3c0f9fa14de42a9e7486fe8a
 BOOT_WRAPPER_AARCH64_SITE = git://git.kernel.org/pub/scm/linux/kernel/git/mark/boot-wrapper-aarch64.git
 BOOT_WRAPPER_AARCH64_LICENSE = BSD-3-Clause
 BOOT_WRAPPER_AARCH64_LICENSE_FILES = LICENSE.txt

buildroot/boot/edk2/Config.in

@@ -0,0 +1,124 @@
+config BR2_TARGET_EDK2_ARCH_SUPPORTS
+	bool
+	default y if BR2_aarch64
+	default y if BR2_i386
+	default y if BR2_x86_64
+
+config BR2_TARGET_EDK2
+	bool "EDK2"
+	depends on BR2_TARGET_EDK2_ARCH_SUPPORTS
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_5
+	select BR2_PACKAGE_EDK2_PLATFORMS
+	help
+	  EDK II is a modern, feature-rich, cross-platform firmware
+	  development environment for the UEFI and PI specifications.
+
+	  https://github.com/tianocore/tianocore.github.io/wiki/EDK-II
+
+if BR2_TARGET_EDK2
+
+choice
+	prompt "Platform"
+	default BR2_TARGET_EDK2_PLATFORM_OVMF_I386 if BR2_i386
+	default BR2_TARGET_EDK2_PLATFORM_OVMF_X64 if BR2_x86_64
+	default BR2_TARGET_EDK2_PLATFORM_ARM_VIRT_QEMU if BR2_aarch64
+
+config BR2_TARGET_EDK2_PLATFORM_OVMF_I386
+	bool "i386"
+	depends on BR2_i386 || BR2_x86_64
+	help
+	  Platform configuration for a generic i386 target.
+	  This platform will boot from flash address 0x0.
+	  It should therefore be used as the first bootloader.
+
+config BR2_TARGET_EDK2_PLATFORM_OVMF_X64
+	bool "x86-64"
+	depends on BR2_x86_64
+	help
+	  Platform configuration for a generic x86-64 target.
+	  This platform will boot from flash address 0x0.
+	  It should therefore be used as the first bootloader.
+
+config BR2_TARGET_EDK2_PLATFORM_ARM_VIRT_QEMU
+	bool "ARM Virt Qemu (flash)"
+	depends on BR2_aarch64
+	help
+	  Platform configuration for QEMU targeting the Virt machine.
+	  This platform will only boot from flash address 0x0.
+	  It should therefore be used as the first bootloader.
+
+config BR2_TARGET_EDK2_PLATFORM_ARM_VIRT_QEMU_KERNEL
+	bool "ARM Virt Qemu (kernel)"
+	depends on BR2_aarch64
+	help
+	  Platform configuration for QEMU targeting the Virt machine.
+	  This platform can boot from either flash address 0x0 or via
+	  the Linux boot protocol. It can therefore be loaded by a
+	  previous bootloader like ARM Trusted Firmware or OP-TEE.
+
+config BR2_TARGET_EDK2_PLATFORM_ARM_SGI575
+	bool "ARM SGI-575"
+	depends on BR2_aarch64
+	help
+	  Platform configuration for ARM SGI-575 on ARM's
+	  Fixed Virtual Platform (FVP).
+
+config BR2_TARGET_EDK2_PLATFORM_ARM_VEXPRESS_FVP_AARCH64
+	bool "ARM VExpress FVP Aarch64"
+	depends on BR2_aarch64
+	help
+	  Platform configuration for ARM Versatile Express targeting
+	  the Aarch64 Fixed Virtual Platform (FVP).
+
+config BR2_TARGET_EDK2_PLATFORM_SOCIONEXT_DEVELOPERBOX
+	bool "Socionext DeveloperBox"
+	depends on BR2_aarch64
+	depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE
+	depends on !BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
+	select BR2_PACKAGE_HOST_DTC
+	select BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP
+	help
+	  Platform configuration for Socionext SynQuacer DeveloperBox
+	  (SC2A11).
+
+comment "Socionext DeveloperBox depends on ATF not using EDK2 as BL33"
+	depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
+
+config BR2_TARGET_EDK2_PLATFORM_SOLIDRUN_ARMADA80X0MCBIN
+	bool "SolidRun MacchiatoBin"
+	depends on BR2_aarch64
+	depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE
+	select BR2_PACKAGE_HOST_DTC
+	select BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP
+	help
+	  Platform configuration for the SolidRun MacchiatoBin.
+
+config BR2_TARGET_EDK2_PLATFORM_QEMU_SBSA
+	bool "QEMU SBSA"
+	depends on BR2_aarch64
+	depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE
+	depends on !BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
+	help
+	  Platform configuration for QEMU targeting the SBSA reference
+	  machine.
+
+comment "QEMU SBSA depends on ATF not using EDK2 as BL33"
+	depends on BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
+
+endchoice
+
+config BR2_TARGET_EDK2_FD_NAME
+	string
+	default "OVMF" if BR2_TARGET_EDK2_PLATFORM_OVMF_I386
+	default "OVMF" if BR2_TARGET_EDK2_PLATFORM_OVMF_X64
+	default "QEMU_EFI" if BR2_TARGET_EDK2_PLATFORM_ARM_VIRT_QEMU
+	default "QEMU_EFI" if BR2_TARGET_EDK2_PLATFORM_ARM_VIRT_QEMU_KERNEL
+	default "BL33_AP_UEFI" if BR2_TARGET_EDK2_PLATFORM_ARM_SGI575
+	default "FVP_AARCH64_EFI" if BR2_TARGET_EDK2_PLATFORM_ARM_VEXPRESS_FVP_AARCH64
+	default "FVP_AARCH64_EFI" if BR2_TARGET_EDK2_PLATFORM_SOCIONEXT_DEVELOPERBOX
+	default "ARMADA_EFI" if BR2_TARGET_EDK2_PLATFORM_SOLIDRUN_ARMADA80X0MCBIN
+
+endif
+
+comment "EDK2 needs a toolchain w/ gcc >= 5"
+	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_5

buildroot/boot/edk2/edk2.hash

@@ -0,0 +1,3 @@
+# Locally calculated
+sha256  04791c13b414a6d1877182a6d565cb762c30aa63e49bb4d495fca68ef4dd209d  edk2-edk2-stable202102-br1.tar.gz
+sha256  50ce20c9cfdb0e19ee34fe0a51fc0afe961f743697b068359ab2f862b494df80  License.txt

buildroot/boot/edk2/edk2.mk

@@ -0,0 +1,159 @@
+################################################################################
+#
+# edk2
+#
+################################################################################
+
+EDK2_VERSION = edk2-stable202102
+EDK2_SITE = https://github.com/tianocore/edk2
+EDK2_SITE_METHOD = git
+EDK2_LICENSE = BSD-2-Clause
+EDK2_LICENSE_FILE = License.txt
+EDK2_CPE_ID_VENDOR = tianocore
+EDK2_DEPENDENCIES = edk2-platforms host-python3 host-acpica host-util-linux
+EDK2_INSTALL_TARGET = NO
+EDK2_INSTALL_IMAGES = YES
+
+ifeq ($(BR2_ENABLE_DEBUG),y)
+EDK2_BUILD_TYPE = DEBUG
+else
+EDK2_BUILD_TYPE = RELEASE
+endif
+
+# Build system notes.
+#
+# The EDK2 build system is rather unique, so here are a few useful notes.
+#
+# First, builds rely heavily on Git submodules to fetch various dependencies
+# into specific directory structures. It might be possible to work around this
+# and rely on Buildroot's infrastructure, but using Git submodules greatly
+# simplifies this already complicated build system.
+#
+# Second, the build system is spread across various commands and stages.
+# Therefore, all build variables needs to be exported to be available
+# accordingly. The first stage will build $(@D)/BaseTools which contains
+# various tools and scripts for the host.
+#
+# Third, where applicable, the dependency direction between EDK2 and
+# ARM Trusted Firmware (ATF) will go in different direction for different
+# platforms. Most commonly, ATF will depend on EDK2 via the BL33 payload.
+# But for some platforms (e.g. QEMU SBSA or DeveloperBox) EDK2 will package
+# the ATF images within its own build system. In such cases, intermediary
+# "EDK2 packages" will be built in $(EDK2_BUILD_PACKAGES) in order for EDK2
+# to be able to use them in subsequent build stages.
+#
+# For more information about the build setup:
+# https://edk2-docs.gitbook.io/edk-ii-build-specification/4_edk_ii_build_process_overview
+
+EDK2_GIT_SUBMODULES = YES
+EDK2_BUILD_PACKAGES = $(@D)/Build/Buildroot
+EDK2_PACKAGES_PATH = $(@D):$(EDK2_BUILD_PACKAGES):$(STAGING_DIR)/usr/share/edk2-platforms
+
+ifeq ($(BR2_TARGET_EDK2_PLATFORM_OVMF_I386),y)
+EDK2_ARCH = IA32
+EDK2_DEPENDENCIES += host-nasm
+EDK2_PACKAGE_NAME = OvmfPkg
+EDK2_PLATFORM_NAME = OvmfPkgIa32
+EDK2_BUILD_DIR = OvmfIa32
+
+else ifeq ($(BR2_TARGET_EDK2_PLATFORM_OVMF_X64),y)
+EDK2_ARCH = X64
+EDK2_DEPENDENCIES += host-nasm
+EDK2_PACKAGE_NAME = OvmfPkg
+EDK2_PLATFORM_NAME = OvmfPkgX64
+EDK2_BUILD_DIR = OvmfX64
+
+else ifeq ($(BR2_TARGET_EDK2_PLATFORM_ARM_VIRT_QEMU),y)
+EDK2_ARCH = AARCH64
+EDK2_PACKAGE_NAME = ArmVirtPkg
+EDK2_PLATFORM_NAME = ArmVirtQemu
+EDK2_BUILD_DIR = $(EDK2_PLATFORM_NAME)-$(EDK2_ARCH)
+
+else ifeq ($(BR2_TARGET_EDK2_PLATFORM_ARM_VIRT_QEMU_KERNEL),y)
+EDK2_ARCH = AARCH64
+EDK2_PACKAGE_NAME = ArmVirtPkg
+EDK2_PLATFORM_NAME = ArmVirtQemuKernel
+EDK2_BUILD_DIR = $(EDK2_PLATFORM_NAME)-$(EDK2_ARCH)
+
+else ifeq ($(BR2_TARGET_EDK2_PLATFORM_ARM_VEXPRESS_FVP_AARCH64),y)
+EDK2_ARCH = AARCH64
+EDK2_PACKAGE_NAME = Platform/ARM/VExpressPkg
+EDK2_PLATFORM_NAME = ArmVExpress-FVP-AArch64
+EDK2_BUILD_DIR = $(EDK2_PLATFORM_NAME)
+
+else ifeq ($(BR2_TARGET_EDK2_PLATFORM_SOCIONEXT_DEVELOPERBOX),y)
+EDK2_ARCH = AARCH64
+EDK2_DEPENDENCIES += host-dtc arm-trusted-firmware
+EDK2_PACKAGE_NAME = Platform/Socionext/DeveloperBox
+EDK2_PLATFORM_NAME = DeveloperBox
+EDK2_BUILD_DIR = $(EDK2_PLATFORM_NAME)
+EDK2_BUILD_ENV += DTC_PREFIX=$(HOST_DIR)/bin/
+EDK2_BUILD_OPTS += -D DO_X86EMU=TRUE
+EDK2_PRE_BUILD_HOOKS += EDK2_PRE_BUILD_SOCIONEXT_DEVELOPERBOX
+
+define EDK2_PRE_BUILD_SOCIONEXT_DEVELOPERBOX
+	mkdir -p $(EDK2_BUILD_PACKAGES)/Platform/Socionext/DeveloperBox
+	$(ARM_TRUSTED_FIRMWARE_DIR)/tools/fiptool/fiptool create \
+		--tb-fw $(BINARIES_DIR)/bl31.bin \
+		--soc-fw $(BINARIES_DIR)/bl31.bin \
+		--scp-fw $(BINARIES_DIR)/bl31.bin \
+		$(EDK2_BUILD_PACKAGES)/Platform/Socionext/DeveloperBox/fip_all_arm_tf.bin
+endef
+
+else ifeq ($(BR2_TARGET_EDK2_PLATFORM_SOLIDRUN_ARMADA80X0MCBIN),y)
+EDK2_ARCH = AARCH64
+EDK2_DEPENDENCIES += host-dtc arm-trusted-firmware
+EDK2_PACKAGE_NAME = Platform/SolidRun/Armada80x0McBin
+EDK2_PLATFORM_NAME = Armada80x0McBin
+EDK2_BUILD_DIR = $(EDK2_PLATFORM_NAME)-$(EDK2_ARCH)
+EDK2_BUILD_ENV += DTC_PREFIX=$(HOST_DIR)/bin/
+EDK2_BUILD_OPTS += -D INCLUDE_TFTP_COMMAND
+
+else ifeq ($(BR2_TARGET_EDK2_PLATFORM_QEMU_SBSA),y)
+EDK2_ARCH = AARCH64
+EDK2_DEPENDENCIES += arm-trusted-firmware
+EDK2_PACKAGE_NAME = Platform/Qemu/SbsaQemu
+EDK2_PLATFORM_NAME = SbsaQemu
+EDK2_BUILD_DIR = $(EDK2_PLATFORM_NAME)
+EDK2_PRE_BUILD_HOOKS += EDK2_PRE_BUILD_QEMU_SBSA
+
+define EDK2_PRE_BUILD_QEMU_SBSA
+	mkdir -p $(EDK2_BUILD_PACKAGES)/Platform/Qemu/Sbsa
+	ln -srf $(BINARIES_DIR)/{bl1.bin,fip.bin} $(EDK2_BUILD_PACKAGES)/Platform/Qemu/Sbsa/
+endef
+
+endif
+
+EDK2_BASETOOLS_OPTS = \
+	EXTRA_LDFLAGS="$(HOST_LDFLAGS)" \
+	EXTRA_OPTFLAGS="$(HOST_CPPFLAGS)"
+
+EDK2_BUILD_ENV += \
+	WORKSPACE=$(@D) \
+	PACKAGES_PATH=$(EDK2_PACKAGES_PATH) \
+	PYTHON_COMMAND=$(HOST_DIR)/bin/python3 \
+	IASL_PREFIX=$(HOST_DIR)/bin/ \
+	NASM_PREFIX=$(HOST_DIR)/bin/ \
+	GCC5_$(EDK2_ARCH)_PREFIX=$(TARGET_CROSS)
+
+EDK2_BUILD_OPTS += \
+	-t GCC5 \
+	-n $(BR2_JLEVEL) \
+	-a $(EDK2_ARCH) \
+	-b $(EDK2_BUILD_TYPE) \
+	-p $(EDK2_PACKAGE_NAME)/$(EDK2_PLATFORM_NAME).dsc
+
+define EDK2_BUILD_CMDS
+	mkdir -p $(EDK2_BUILD_PACKAGES)
+	export $(EDK2_BUILD_ENV) && \
+	unset ARCH && \
+	source $(@D)/edksetup.sh && \
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)/BaseTools $(EDK2_BASETOOLS_OPTS) && \
+	build $(EDK2_BUILD_OPTS) all
+endef
+
+define EDK2_INSTALL_IMAGES_CMDS
+	cp -f $(@D)/Build/$(EDK2_BUILD_DIR)/$(EDK2_BUILD_TYPE)_GCC5/FV/*.fd $(BINARIES_DIR)
+endef
+
+$(eval $(generic-package))

buildroot/boot/grub2/0029-efi-Make-shim_lock-GUID-and-protocol-type-public.patch

@@ -0,0 +1,97 @@
+From f76a27996c34900f2c369a8a0d6ac72ae2faa988 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 3 Dec 2020 16:01:45 +0100
+Subject: [PATCH] efi: Make shim_lock GUID and protocol type public
+
+The GUID will be used to properly detect and report UEFI Secure Boot
+status to the x86 Linux kernel. The functionality will be added by
+subsequent patches. The shim_lock protocol type is made public for
+completeness.
+
+Additionally, fix formatting of four preceding GUIDs.
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/commands/efi/shim_lock.c | 12 ------------
+ include/grub/efi/api.h             | 19 +++++++++++++++----
+ 2 files changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
+index 764098c..d8f52d7 100644
+--- a/grub-core/commands/efi/shim_lock.c
++++ b/grub-core/commands/efi/shim_lock.c
+@@ -27,18 +27,6 @@
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+-#define GRUB_EFI_SHIM_LOCK_GUID \
+-  { 0x605dab50, 0xe046, 0x4300, \
+-    { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
+-  }
+-
+-struct grub_efi_shim_lock_protocol
+-{
+-  grub_efi_status_t
+-  (*verify) (void *buffer, grub_uint32_t size);
+-};
+-typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
+-
+ static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+ static grub_efi_shim_lock_protocol_t *sl;
+ 
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index cf1355a..13e5715 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -316,22 +316,27 @@
+ 
+ #define GRUB_EFI_SAL_TABLE_GUID \
+   { 0xeb9d2d32, 0x2d88, 0x11d3, \
+-      { 0x9a, 0x16, 0x0, 0x90, 0x27, 0x3f, 0xc1, 0x4d } \
++    { 0x9a, 0x16, 0x0, 0x90, 0x27, 0x3f, 0xc1, 0x4d } \
+   }
+ 
+ #define GRUB_EFI_HCDP_TABLE_GUID \
+   { 0xf951938d, 0x620b, 0x42ef, \
+-      { 0x82, 0x79, 0xa8, 0x4b, 0x79, 0x61, 0x78, 0x98 } \
++    { 0x82, 0x79, 0xa8, 0x4b, 0x79, 0x61, 0x78, 0x98 } \
+   }
+ 
+ #define GRUB_EFI_DEVICE_TREE_GUID \
+   { 0xb1b621d5, 0xf19c, 0x41a5, \
+-      { 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0 } \
++    { 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0 } \
+   }
+ 
+ #define GRUB_EFI_VENDOR_APPLE_GUID \
+   { 0x2B0585EB, 0xD8B8, 0x49A9,	\
+-      { 0x8B, 0x8C, 0xE2, 0x1B, 0x01, 0xAE, 0xF2, 0xB7 } \
++    { 0x8B, 0x8C, 0xE2, 0x1B, 0x01, 0xAE, 0xF2, 0xB7 } \
++  }
++
++#define GRUB_EFI_SHIM_LOCK_GUID \
++  { 0x605dab50, 0xe046, 0x4300, \
++    { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
+   }
+ 
+ struct grub_efi_sal_system_table
+@@ -1689,6 +1694,12 @@ struct grub_efi_block_io
+ };
+ typedef struct grub_efi_block_io grub_efi_block_io_t;
+ 
++struct grub_efi_shim_lock_protocol
++{
++  grub_efi_status_t (*verify) (void *buffer, grub_uint32_t size);
++};
++typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
++
+ #if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
+   || defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) \
+   || defined(__riscv)
+-- 
+2.14.2
+

buildroot/boot/grub2/0030-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch

@@ -0,0 +1,149 @@
+From 04ae030d0eea8668d4417702d88bf2cf04713d80 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 3 Dec 2020 16:01:46 +0100
+Subject: [PATCH] efi: Return grub_efi_status_t from grub_efi_get_variable()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is needed to properly detect and report UEFI Secure Boot status
+to the x86 Linux kernel. The functionality will be added by subsequent
+patches.
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/commands/efi/efifwsetup.c |  8 ++++----
+ grub-core/kern/efi/efi.c            | 16 +++++++++-------
+ grub-core/video/efi_gop.c           |  2 +-
+ include/grub/efi/efi.h              |  7 ++++---
+ 4 files changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/commands/efi/efifwsetup.c b/grub-core/commands/efi/efifwsetup.c
+index 7a137a72a..eaca03283 100644
+--- a/grub-core/commands/efi/efifwsetup.c
++++ b/grub-core/commands/efi/efifwsetup.c
+@@ -38,8 +38,8 @@ grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
+   grub_size_t oi_size;
+   grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ 
+-  old_os_indications = grub_efi_get_variable ("OsIndications", &global,
+-					      &oi_size);
++  grub_efi_get_variable ("OsIndications", &global, &oi_size,
++			 (void **) &old_os_indications);
+ 
+   if (old_os_indications != NULL && oi_size == sizeof (os_indications))
+     os_indications |= *old_os_indications;
+@@ -63,8 +63,8 @@ efifwsetup_is_supported (void)
+   grub_size_t oi_size = 0;
+   grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ 
+-  os_indications_supported = grub_efi_get_variable ("OsIndicationsSupported",
+-						    &global, &oi_size);
++  grub_efi_get_variable ("OsIndicationsSupported", &global, &oi_size,
++			 (void **) &os_indications_supported);
+ 
+   if (!os_indications_supported)
+     return 0;
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index e0165e74c..9403b12cd 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -223,9 +223,9 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid,
+   return grub_error (GRUB_ERR_IO, "could not set EFI variable `%s'", var);
+ }
+ 
+-void *
++grub_efi_status_t
+ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+-		       grub_size_t *datasize_out)
++		       grub_size_t *datasize_out, void **data_out)
+ {
+   grub_efi_status_t status;
+   grub_efi_uintn_t datasize = 0;
+@@ -234,13 +234,14 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+   void *data;
+   grub_size_t len, len16;
+ 
++  *data_out = NULL;
+   *datasize_out = 0;
+ 
+   len = grub_strlen (var);
+   len16 = len * GRUB_MAX_UTF16_PER_UTF8;
+   var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
+   if (!var16)
+-    return NULL;
++    return GRUB_EFI_OUT_OF_RESOURCES;
+   len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
+   var16[len16] = 0;
+ 
+@@ -251,14 +252,14 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+   if (status != GRUB_EFI_BUFFER_TOO_SMALL || !datasize)
+     {
+       grub_free (var16);
+-      return NULL;
++      return status;
+     }
+ 
+   data = grub_malloc (datasize);
+   if (!data)
+     {
+       grub_free (var16);
+-      return NULL;
++      return GRUB_EFI_OUT_OF_RESOURCES;
+     }
+ 
+   status = efi_call_5 (r->get_variable, var16, guid, NULL, &datasize, data);
+@@ -266,12 +267,13 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+ 
+   if (status == GRUB_EFI_SUCCESS)
+     {
++      *data_out = data;
+       *datasize_out = datasize;
+-      return data;
++      return status;
+     }
+ 
+   grub_free (data);
+-  return NULL;
++  return status;
+ }
+ 
+ #pragma GCC diagnostic ignored "-Wcast-align"
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index be446f8d2..7fe0cdabf 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -316,7 +316,7 @@ grub_video_gop_get_edid (struct grub_video_edid_info *edid_info)
+       char edidname[] = "agp-internal-edid";
+       grub_size_t datasize;
+       grub_uint8_t *data;
+-      data = grub_efi_get_variable (edidname, &efi_var_guid, &datasize);
++      grub_efi_get_variable (edidname, &efi_var_guid, &datasize, (void **) &data);
+       if (data && datasize > 16)
+ 	{
+ 	  copy_size = datasize - 16;
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index e90e00dc4..8b2a0f1f5 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -74,9 +74,10 @@ grub_err_t EXPORT_FUNC (grub_efi_set_virtual_address_map) (grub_efi_uintn_t memo
+ 							   grub_efi_uintn_t descriptor_size,
+ 							   grub_efi_uint32_t descriptor_version,
+ 							   grub_efi_memory_descriptor_t *virtual_map);
+-void *EXPORT_FUNC (grub_efi_get_variable) (const char *variable,
+-					   const grub_efi_guid_t *guid,
+-					   grub_size_t *datasize_out);
++grub_efi_status_t EXPORT_FUNC (grub_efi_get_variable) (const char *variable,
++						       const grub_efi_guid_t *guid,
++						       grub_size_t *datasize_out,
++						       void **data_out);
+ grub_err_t
+ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
+ 				     const grub_efi_guid_t *guid,
+-- 
+2.29.2
+

buildroot/boot/grub2/0031-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch

@@ -0,0 +1,78 @@
+From ac5c9367548750e75ed1e7fc4354a3d20186d733 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 3 Dec 2020 16:01:47 +0100
+Subject: [PATCH] efi: Add a function to read EFI variables with attributes
+
+It will be used to properly detect and report UEFI Secure Boot status to
+the x86 Linux kernel. The functionality will be added by subsequent patches.
+
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/efi.c | 16 +++++++++++++---
+ include/grub/efi/efi.h   |  5 +++++
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 9403b12cd..2942b8e35 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -224,8 +224,11 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid,
+ }
+ 
+ grub_efi_status_t
+-grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+-		       grub_size_t *datasize_out, void **data_out)
++grub_efi_get_variable_with_attributes (const char *var,
++				       const grub_efi_guid_t *guid,
++				       grub_size_t *datasize_out,
++				       void **data_out,
++				       grub_efi_uint32_t *attributes)
+ {
+   grub_efi_status_t status;
+   grub_efi_uintn_t datasize = 0;
+@@ -262,7 +265,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+       return GRUB_EFI_OUT_OF_RESOURCES;
+     }
+ 
+-  status = efi_call_5 (r->get_variable, var16, guid, NULL, &datasize, data);
++  status = efi_call_5 (r->get_variable, var16, guid, attributes, &datasize, data);
+   grub_free (var16);
+ 
+   if (status == GRUB_EFI_SUCCESS)
+@@ -276,6 +279,13 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+   return status;
+ }
+ 
++grub_efi_status_t
++grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
++		       grub_size_t *datasize_out, void **data_out)
++{
++  return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL);
++}
++
+ #pragma GCC diagnostic ignored "-Wcast-align"
+ 
+ /* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index 8b2a0f1f5..83d958f99 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -74,6 +74,11 @@ grub_err_t EXPORT_FUNC (grub_efi_set_virtual_address_map) (grub_efi_uintn_t memo
+ 							   grub_efi_uintn_t descriptor_size,
+ 							   grub_efi_uint32_t descriptor_version,
+ 							   grub_efi_memory_descriptor_t *virtual_map);
++grub_efi_status_t EXPORT_FUNC (grub_efi_get_variable_with_attributes) (const char *variable,
++								       const grub_efi_guid_t *guid,
++								       grub_size_t *datasize_out,
++								       void **data_out,
++								       grub_efi_uint32_t *attributes);
+ grub_efi_status_t EXPORT_FUNC (grub_efi_get_variable) (const char *variable,
+ 						       const grub_efi_guid_t *guid,
+ 						       grub_size_t *datasize_out,
+-- 
+2.29.2
+

buildroot/boot/grub2/0032-efi-Add-secure-boot-detection.patch

@@ -0,0 +1,541 @@
+From d7e54b2e5feee95d2f83058ed30d883c450d1473 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 3 Dec 2020 16:01:48 +0100
+Subject: [PATCH] efi: Add secure boot detection
+
+Introduce grub_efi_get_secureboot() function which returns whether
+UEFI Secure Boot is enabled or not on UEFI systems.
+
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Add changes to generated files]
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/Makefile.am       |   1 +
+ grub-core/Makefile.core.am  |  14 +++---
+ grub-core/Makefile.core.def |   1 +
+ grub-core/Makefile.in       | 102 ++++++++++++++++++++++++++---------------
+ grub-core/kern/efi/sb.c     | 109 ++++++++++++++++++++++++++++++++++++++++++++
+ include/grub/efi/sb.h       |  40 ++++++++++++++++
+ po/POTFILES.in              |   2 +
+ 7 files changed, 225 insertions(+), 44 deletions(-)
+ create mode 100644 grub-core/kern/efi/sb.c
+ create mode 100644 include/grub/efi/sb.h
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 3ea8e7f..c6ba5b2 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -71,6 +71,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h
+diff --git a/grub-core/Makefile.core.am b/grub-core/Makefile.core.am
+index a217716..f28b753 100644
+--- a/grub-core/Makefile.core.am
++++ b/grub-core/Makefile.core.am
+@@ -22421,7 +22421,7 @@ endif
+ if COND_i386_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/i386/efi/startup.S 
+-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
++kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22531,7 +22531,7 @@ endif
+ if COND_x86_64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/x86_64/efi/startup.S 
+-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
++kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22707,7 +22707,7 @@ endif
+ if COND_ia64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = 
+-kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
++kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) -fno-builtin -fpic -minline-int-divide-max-throughput 
+@@ -22773,7 +22773,7 @@ endif
+ if COND_arm_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/arm/efi/startup.S 
+-kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
++kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22795,7 +22795,7 @@ endif
+ if COND_arm64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/arm64/efi/startup.S 
+-kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
++kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22839,7 +22839,7 @@ endif
+ if COND_riscv32_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/riscv/efi/startup.S 
+-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
++kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22861,7 +22861,7 @@ endif
+ if COND_riscv64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/riscv/efi/startup.S 
+-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
++kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 474a63e..abd26cf 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -203,6 +203,7 @@ kernel = {
+   efi = term/efi/console.c;
+   efi = kern/acpi.c;
+   efi = kern/efi/acpi.c;
++  efi = kern/efi/sb.c;
+   i386_coreboot = kern/i386/pc/acpi.c;
+   i386_multiboot = kern/i386/pc/acpi.c;
+   i386_coreboot = kern/acpi.c;
+diff --git a/grub-core/Makefile.in b/grub-core/Makefile.in
+index d287607..8fb81ee 100644
+--- a/grub-core/Makefile.in
++++ b/grub-core/Makefile.in
+@@ -10468,32 +10468,33 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ 	kern/arm64/cache_flush.S kern/arm64/dl.c \
+ 	kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c \
+ 	kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c \
+-	kern/efi/acpi.c kern/compiler-rt.c kern/mm.c kern/time.c \
+-	kern/generic/millisleep.c kern/command.c kern/corecmd.c \
+-	kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c \
+-	kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c \
+-	kern/parser.c kern/partition.c kern/rescue_parser.c \
+-	kern/rescue_reader.c kern/term.c kern/arm/startup.S \
+-	kern/arm/coreboot/init.c kern/arm/coreboot/timer.c \
+-	kern/arm/coreboot/coreboot.S lib/fdt.c bus/fdt.c term/ps2.c \
+-	term/arm/pl050.c term/arm/cros.c term/arm/cros_ec.c \
+-	bus/spi/rk3288_spi.c commands/keylayouts.c \
+-	kern/arm/coreboot/dma.c kern/arm/coreboot/cbtable.c \
+-	video/coreboot/cbfb.c kern/coreboot/mmap.c \
+-	kern/coreboot/cbtable.c term/gfxterm.c font/font.c \
+-	font/font_cmd.c io/bufio.c video/fb/fbblit.c video/fb/fbfill.c \
+-	video/fb/fbutil.c video/fb/video_fb.c video/video.c \
+-	kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S \
+-	kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S \
+-	lib/division.c kern/arm/efi/startup.S kern/arm/efi/init.c \
+-	kern/arm/uboot/init.c kern/arm/uboot/uboot.S \
+-	disk/uboot/ubootdisk.c kern/uboot/uboot.c kern/uboot/init.c \
+-	kern/uboot/hw.c term/uboot/console.c term/terminfo.c \
+-	term/tparm.c commands/extcmd.c lib/arg.c disk/host.c \
+-	kern/emu/cache_s.S kern/emu/hostdisk.c osdep/unix/hostdisk.c \
+-	osdep/exec.c osdep/devmapper/hostdisk.c osdep/hostdisk.c \
+-	kern/emu/hostfs.c kern/emu/main.c kern/emu/argp_common.c \
+-	kern/emu/misc.c kern/emu/mm.c kern/emu/time.c kern/emu/cache.c \
++	kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c \
++	kern/time.c kern/generic/millisleep.c kern/command.c \
++	kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c \
++	kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c \
++	kern/misc.c kern/parser.c kern/partition.c \
++	kern/rescue_parser.c kern/rescue_reader.c kern/term.c \
++	kern/arm/startup.S kern/arm/coreboot/init.c \
++	kern/arm/coreboot/timer.c kern/arm/coreboot/coreboot.S \
++	lib/fdt.c bus/fdt.c term/ps2.c term/arm/pl050.c \
++	term/arm/cros.c term/arm/cros_ec.c bus/spi/rk3288_spi.c \
++	commands/keylayouts.c kern/arm/coreboot/dma.c \
++	kern/arm/coreboot/cbtable.c video/coreboot/cbfb.c \
++	kern/coreboot/mmap.c kern/coreboot/cbtable.c term/gfxterm.c \
++	font/font.c font/font_cmd.c io/bufio.c video/fb/fbblit.c \
++	video/fb/fbfill.c video/fb/fbutil.c video/fb/video_fb.c \
++	video/video.c kern/arm/dl.c kern/arm/dl_helper.c \
++	kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c \
++	kern/arm/compiler-rt.S lib/division.c kern/arm/efi/startup.S \
++	kern/arm/efi/init.c kern/arm/uboot/init.c \
++	kern/arm/uboot/uboot.S disk/uboot/ubootdisk.c \
++	kern/uboot/uboot.c kern/uboot/init.c kern/uboot/hw.c \
++	term/uboot/console.c term/terminfo.c term/tparm.c \
++	commands/extcmd.c lib/arg.c disk/host.c kern/emu/cache_s.S \
++	kern/emu/hostdisk.c osdep/unix/hostdisk.c osdep/exec.c \
++	osdep/devmapper/hostdisk.c osdep/hostdisk.c kern/emu/hostfs.c \
++	kern/emu/main.c kern/emu/argp_common.c kern/emu/misc.c \
++	kern/emu/mm.c kern/emu/time.c kern/emu/cache.c \
+ 	osdep/emuconsole.c osdep/dl.c osdep/sleep.c osdep/init.c \
+ 	osdep/emunet.c osdep/cputime.c kern/i386/coreboot/startup.S \
+ 	kern/i386/coreboot/init.c kern/i386/pc/acpi.c \
+@@ -10580,6 +10581,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	term/efi/kernel_exec-console.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -10651,6 +10653,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	term/efi/kernel_exec-console.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -10686,6 +10689,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	term/efi/kernel_exec-console.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -10881,6 +10885,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	term/efi/kernel_exec-console.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -11109,6 +11114,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	term/efi/kernel_exec-console.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -11271,6 +11277,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	term/efi/kernel_exec-console.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -11360,6 +11367,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_TRUE@	term/efi/kernel_exec-console.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
++@COND_arm64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -16380,6 +16388,7 @@ KERNEL_HEADER_FILES = $(top_srcdir)/include/grub/cache.h \
+ 	$(top_srcdir)/include/grub/device.h \
+ 	$(top_srcdir)/include/grub/disk.h \
+ 	$(top_srcdir)/include/grub/dl.h \
++	$(top_srcdir)/include/grub/efi/sb.h \
+ 	$(top_srcdir)/include/grub/env.h \
+ 	$(top_srcdir)/include/grub/env_private.h \
+ 	$(top_srcdir)/include/grub/err.h \
+@@ -25612,7 +25621,7 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_arm64_efi_TRUE@	kern/arm64/dl_helper.c disk/efi/efidisk.c \
+ @COND_arm64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_arm64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+-@COND_arm64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
++@COND_arm64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
+ @COND_arm64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
+ @COND_arm64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_arm64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+@@ -25661,8 +25670,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_arm_efi_TRUE@	disk/efi/efidisk.c kern/efi/efi.c \
+ @COND_arm_efi_TRUE@	kern/efi/init.c kern/efi/mm.c \
+ @COND_arm_efi_TRUE@	term/efi/console.c kern/acpi.c \
+-@COND_arm_efi_TRUE@	kern/efi/acpi.c kern/compiler-rt.c \
+-@COND_arm_efi_TRUE@	kern/mm.c kern/time.c \
++@COND_arm_efi_TRUE@	kern/efi/acpi.c kern/efi/sb.c \
++@COND_arm_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
+ @COND_arm_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_arm_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+ @COND_arm_efi_TRUE@	kern/dl.c kern/env.c kern/err.c kern/file.c \
+@@ -25739,7 +25748,7 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_i386_efi_TRUE@	kern/i386/tsc_pit.c disk/efi/efidisk.c \
+ @COND_i386_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_i386_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+-@COND_i386_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
++@COND_i386_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
+ @COND_i386_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
+ @COND_i386_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_i386_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+@@ -25851,7 +25860,7 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_ia64_efi_TRUE@	lib/division.c disk/efi/efidisk.c \
+ @COND_ia64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_ia64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+-@COND_ia64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
++@COND_ia64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
+ @COND_ia64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
+ @COND_ia64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_ia64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+@@ -25959,9 +25968,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_riscv32_efi_TRUE@	disk/efi/efidisk.c kern/efi/efi.c \
+ @COND_riscv32_efi_TRUE@	kern/efi/init.c kern/efi/mm.c \
+ @COND_riscv32_efi_TRUE@	term/efi/console.c kern/acpi.c \
+-@COND_riscv32_efi_TRUE@	kern/efi/acpi.c kern/compiler-rt.c \
+-@COND_riscv32_efi_TRUE@	kern/mm.c kern/time.c \
+-@COND_riscv32_efi_TRUE@	kern/generic/millisleep.c \
++@COND_riscv32_efi_TRUE@	kern/efi/acpi.c kern/efi/sb.c \
++@COND_riscv32_efi_TRUE@	kern/compiler-rt.c kern/mm.c \
++@COND_riscv32_efi_TRUE@	kern/time.c kern/generic/millisleep.c \
+ @COND_riscv32_efi_TRUE@	kern/command.c kern/corecmd.c \
+ @COND_riscv32_efi_TRUE@	kern/device.c kern/disk.c kern/dl.c \
+ @COND_riscv32_efi_TRUE@	kern/env.c kern/err.c kern/file.c \
+@@ -25977,8 +25986,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_riscv64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_riscv64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+ @COND_riscv64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
+-@COND_riscv64_efi_TRUE@	kern/compiler-rt.c kern/mm.c \
+-@COND_riscv64_efi_TRUE@	kern/time.c kern/generic/millisleep.c \
++@COND_riscv64_efi_TRUE@	kern/efi/sb.c kern/compiler-rt.c \
++@COND_riscv64_efi_TRUE@	kern/mm.c kern/time.c \
++@COND_riscv64_efi_TRUE@	kern/generic/millisleep.c \
+ @COND_riscv64_efi_TRUE@	kern/command.c kern/corecmd.c \
+ @COND_riscv64_efi_TRUE@	kern/device.c kern/disk.c kern/dl.c \
+ @COND_riscv64_efi_TRUE@	kern/env.c kern/err.c kern/file.c \
+@@ -26022,7 +26032,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_x86_64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_x86_64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+ @COND_x86_64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
+-@COND_x86_64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
++@COND_x86_64_efi_TRUE@	kern/efi/sb.c kern/compiler-rt.c \
++@COND_x86_64_efi_TRUE@	kern/mm.c kern/time.c \
+ @COND_x86_64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_x86_64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+ @COND_x86_64_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
+@@ -27989,6 +28000,8 @@ kern/kernel_exec-acpi.$(OBJEXT): kern/$(am__dirstamp) \
+ 	kern/$(DEPDIR)/$(am__dirstamp)
+ kern/efi/kernel_exec-acpi.$(OBJEXT): kern/efi/$(am__dirstamp) \
+ 	kern/efi/$(DEPDIR)/$(am__dirstamp)
++kern/efi/kernel_exec-sb.$(OBJEXT): kern/efi/$(am__dirstamp) \
++	kern/efi/$(DEPDIR)/$(am__dirstamp)
+ kern/kernel_exec-compiler-rt.$(OBJEXT): kern/$(am__dirstamp) \
+ 	kern/$(DEPDIR)/$(am__dirstamp)
+ kern/kernel_exec-mm.$(OBJEXT): kern/$(am__dirstamp) \
+@@ -30994,6 +31007,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/efi/$(DEPDIR)/kernel_exec-fdt.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/efi/$(DEPDIR)/kernel_exec-init.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/efi/$(DEPDIR)/kernel_exec-mm.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@kern/efi/$(DEPDIR)/kernel_exec-sb.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/emu/$(DEPDIR)/grub_emu-full.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/emu/$(DEPDIR)/grub_emu_lite-lite.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/emu/$(DEPDIR)/kernel_exec-argp_common.Po@am__quote@
+@@ -35285,6 +35299,20 @@ kern/efi/kernel_exec-acpi.obj: kern/efi/acpi.c
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/efi/kernel_exec-acpi.obj `if test -f 'kern/efi/acpi.c'; then $(CYGPATH_W) 'kern/efi/acpi.c'; else $(CYGPATH_W) '$(srcdir)/kern/efi/acpi.c'; fi`
+ 
++kern/efi/kernel_exec-sb.o: kern/efi/sb.c
++@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/efi/kernel_exec-sb.o -MD -MP -MF kern/efi/$(DEPDIR)/kernel_exec-sb.Tpo -c -o kern/efi/kernel_exec-sb.o `test -f 'kern/efi/sb.c' || echo '$(srcdir)/'`kern/efi/sb.c
++@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/efi/$(DEPDIR)/kernel_exec-sb.Tpo kern/efi/$(DEPDIR)/kernel_exec-sb.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/efi/sb.c' object='kern/efi/kernel_exec-sb.o' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/efi/kernel_exec-sb.o `test -f 'kern/efi/sb.c' || echo '$(srcdir)/'`kern/efi/sb.c
++
++kern/efi/kernel_exec-sb.obj: kern/efi/sb.c
++@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/efi/kernel_exec-sb.obj -MD -MP -MF kern/efi/$(DEPDIR)/kernel_exec-sb.Tpo -c -o kern/efi/kernel_exec-sb.obj `if test -f 'kern/efi/sb.c'; then $(CYGPATH_W) 'kern/efi/sb.c'; else $(CYGPATH_W) '$(srcdir)/kern/efi/sb.c'; fi`
++@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/efi/$(DEPDIR)/kernel_exec-sb.Tpo kern/efi/$(DEPDIR)/kernel_exec-sb.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/efi/sb.c' object='kern/efi/kernel_exec-sb.obj' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/efi/kernel_exec-sb.obj `if test -f 'kern/efi/sb.c'; then $(CYGPATH_W) 'kern/efi/sb.c'; else $(CYGPATH_W) '$(srcdir)/kern/efi/sb.c'; fi`
++
+ kern/kernel_exec-compiler-rt.o: kern/compiler-rt.c
+ @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-compiler-rt.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo -c -o kern/kernel_exec-compiler-rt.o `test -f 'kern/compiler-rt.c' || echo '$(srcdir)/'`kern/compiler-rt.c
+ @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo kern/$(DEPDIR)/kernel_exec-compiler-rt.Po
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+new file mode 100644
+index 0000000..19658d9
+--- /dev/null
++++ b/grub-core/kern/efi/sb.c
+@@ -0,0 +1,109 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2020  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ *  UEFI Secure Boot related checkings.
++ */
++
++#include <grub/efi/efi.h>
++#include <grub/efi/pe32.h>
++#include <grub/efi/sb.h>
++#include <grub/err.h>
++#include <grub/i386/linux.h>
++#include <grub/mm.h>
++#include <grub/types.h>
++
++/*
++ * Determine whether we're in secure boot mode.
++ *
++ * Please keep the logic in sync with the Linux kernel,
++ * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
++ */
++grub_uint8_t
++grub_efi_get_secureboot (void)
++{
++  static grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++  static grub_efi_guid_t efi_shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
++  grub_efi_status_t status;
++  grub_efi_uint32_t attr = 0;
++  grub_size_t size = 0;
++  grub_uint8_t *secboot = NULL;
++  grub_uint8_t *setupmode = NULL;
++  grub_uint8_t *moksbstate = NULL;
++  grub_uint8_t secureboot = GRUB_EFI_SECUREBOOT_MODE_UNKNOWN;
++  const char *secureboot_str = "UNKNOWN";
++
++  status = grub_efi_get_variable ("SecureBoot", &efi_variable_guid,
++				  &size, (void **) &secboot);
++
++  if (status == GRUB_EFI_NOT_FOUND)
++    {
++      secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++      goto out;
++    }
++
++  if (status != GRUB_EFI_SUCCESS)
++    goto out;
++
++  status = grub_efi_get_variable ("SetupMode", &efi_variable_guid,
++				  &size, (void **) &setupmode);
++
++  if (status != GRUB_EFI_SUCCESS)
++    goto out;
++
++  if ((*secboot == 0) || (*setupmode == 1))
++    {
++      secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++      goto out;
++    }
++
++  /*
++   * See if a user has put the shim into insecure mode. If so, and if the
++   * variable doesn't have the runtime attribute set, we might as well
++   * honor that.
++   */
++  status = grub_efi_get_variable_with_attributes ("MokSBState", &efi_shim_lock_guid,
++						  &size, (void **) &moksbstate, &attr);
++
++  /* If it fails, we don't care why. Default to secure. */
++  if (status != GRUB_EFI_SUCCESS)
++    {
++      secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++      goto out;
++    }
++
++  if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
++    {
++      secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++      goto out;
++    }
++
++  secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++
++ out:
++  grub_free (moksbstate);
++  grub_free (setupmode);
++  grub_free (secboot);
++
++  if (secureboot == GRUB_EFI_SECUREBOOT_MODE_DISABLED)
++    secureboot_str = "Disabled";
++  else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++    secureboot_str = "Enabled";
++
++  grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str);
++
++  return secureboot;
++}
+diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
+new file mode 100644
+index 0000000..a33d985
+--- /dev/null
++++ b/include/grub/efi/sb.h
+@@ -0,0 +1,40 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2020  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_EFI_SB_H
++#define GRUB_EFI_SB_H     1
++
++#include <grub/types.h>
++#include <grub/dl.h>
++
++#define GRUB_EFI_SECUREBOOT_MODE_UNSET	0
++#define GRUB_EFI_SECUREBOOT_MODE_UNKNOWN	1
++#define GRUB_EFI_SECUREBOOT_MODE_DISABLED	2
++#define GRUB_EFI_SECUREBOOT_MODE_ENABLED	3
++
++#ifdef GRUB_MACHINE_EFI
++extern grub_uint8_t
++EXPORT_FUNC (grub_efi_get_secureboot) (void);
++#else
++static inline grub_uint8_t
++grub_efi_get_secureboot (void)
++{
++  return GRUB_EFI_SECUREBOOT_MODE_UNSET;
++}
++#endif
++#endif /* GRUB_EFI_SB_H */
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 5574cbe..22543be 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -266,6 +266,7 @@
+ ./grub-core/kern/efi/fdt.c
+ ./grub-core/kern/efi/init.c
+ ./grub-core/kern/efi/mm.c
++./grub-core/kern/efi/sb.c
+ ./grub-core/kern/elf.c
+ ./grub-core/kern/elfXX.c
+ ./grub-core/kern/emu/argp_common.c
+@@ -1053,6 +1054,7 @@
+ ./include/grub/efi/memory.h
+ ./include/grub/efi/pci.h
+ ./include/grub/efi/pe32.h
++./include/grub/efi/sb.h
+ ./include/grub/efi/tpm.h
+ ./include/grub/efi/uga_draw.h
+ ./include/grub/efiemu/efiemu.h
+-- 
+2.14.2
+

buildroot/boot/grub2/0035-kern-Add-lockdown-support.patch

@@ -0,0 +1,763 @@
+From 578c95298bcc46e0296f4c786db64c2ff26ce2cc Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:02 +0200
+Subject: [PATCH] kern: Add lockdown support
+
+When the GRUB starts on a secure boot platform, some commands can be
+used to subvert the protections provided by the verification mechanism and
+could lead to booting untrusted system.
+
+To prevent that situation, allow GRUB to be locked down. That way the code
+may check if GRUB has been locked down and further restrict the commands
+that are registered or what subset of their functionality could be used.
+
+The lockdown support adds the following components:
+
+* The grub_lockdown() function which can be used to lockdown GRUB if,
+  e.g., UEFI Secure Boot is enabled.
+
+* The grub_is_lockdown() function which can be used to check if the GRUB
+  was locked down.
+
+* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
+  tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
+  verifiers. These files are only successfully verified if another registered
+  verifier returns success. Otherwise, the whole verification process fails.
+
+  For example, PE/COFF binaries verification can be done by the shim_lock
+  verifier which validates the signatures using the shim_lock protocol.
+  However, the verification is not deferred directly to the shim_lock verifier.
+  The shim_lock verifier is hooked into the verification process instead.
+
+* A set of grub_{command,extcmd}_lockdown functions that can be used by
+  code registering command handlers, to only register unsafe commands if
+  the GRUB has not been locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Add changes to generated files]
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ Makefile.in                 |  2 ++
+ conf/Makefile.common        |  2 ++
+ docs/grub-dev.texi          | 27 +++++++++++++++
+ docs/grub.texi              |  8 +++++
+ grub-core/Makefile.am       |  5 ++-
+ grub-core/Makefile.core.am  | 14 ++++----
+ grub-core/Makefile.core.def |  1 +
+ grub-core/Makefile.in       | 73 ++++++++++++++++++++++++++++++-----------
+ grub-core/commands/extcmd.c | 23 +++++++++++++
+ grub-core/kern/command.c    | 24 ++++++++++++++
+ grub-core/kern/lockdown.c   | 80 +++++++++++++++++++++++++++++++++++++++++++++
+ include/grub/command.h      |  5 +++
+ include/grub/extcmd.h       |  7 ++++
+ include/grub/lockdown.h     | 44 +++++++++++++++++++++++++
+ po/POTFILES.in              |  2 ++
+ 15 files changed, 290 insertions(+), 27 deletions(-)
+ create mode 100644 grub-core/kern/lockdown.c
+ create mode 100644 include/grub/lockdown.h
+
+diff --git a/Makefile.in b/Makefile.in
+index e6a185b..ecb3278 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -2617,7 +2617,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
+ CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' \
+ 	'-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' \
++	'-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
+ 	'-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' \
++	'-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
+ 	'-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
+diff --git a/conf/Makefile.common b/conf/Makefile.common
+index 6cd71cb..2a1a886 100644
+--- a/conf/Makefile.common
++++ b/conf/Makefile.common
+@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
+ CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index ee389fd..635ec72 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
+ * PFF2 Font File Format::
+ * Graphical Menu Software Design::
+ * Verifiers framework::
++* Lockdown framework::
+ * Copying This Manual::         Copying This Manual
+ * Index::
+ @end menu
+@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
+ the context. If you return no error during any of @samp{init}, @samp{write} and
+ @samp{fini} then the file is considered as having succeded verification.
+ 
++@node Lockdown framework
++@chapter Lockdown framework
++
++The GRUB can be locked down, which is a restricted mode where some operations
++are not allowed. For instance, some commands cannot be used when the GRUB is
++locked down.
++
++The function
++@code{grub_lockdown()} is used to lockdown GRUB and the function
++@code{grub_is_lockdown()} function can be used to check whether lockdown is
++enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
++and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
++
++The following functions can be used to register the commands that can only be
++used when lockdown is disabled:
++
++@itemize
++
++@item @code{grub_cmd_lockdown()} registers command which should not run when the
++GRUB is in lockdown mode.
++
++@item @code{grub_cmd_lockdown()} registers extended command which should not run
++when the GRUB is in lockdown mode.
++
++@end itemize
++
+ @node Copying This Manual
+ @appendix Copying This Manual
+ 
+diff --git a/docs/grub.texi b/docs/grub.texi
+index aefe032..a25459f 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
+ * Using digital signatures::         Booting digitally signed code
+ * UEFI secure boot and shim::        Booting digitally signed PE files
+ * Measured Boot::                    Measuring boot components
++* Lockdown::                         Lockdown when booting on a secure setup
+ @end menu
+ 
+ @node Authentication and authorisation
+@@ -5795,6 +5796,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
+ 
+ Measured boot is currently only supported on EFI platforms.
+ 
++@node Lockdown
++@section Lockdown when booting on a secure setup
++
++The GRUB can be locked down when booted on a secure boot environment, for example
++if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
++be restricted and some operations/commands cannot be executed.
++
+ @node Platform limitations
+ @chapter Platform limitations
+ 
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index cc6fc7d..30e23ad 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -80,6 +80,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
+ if COND_emu
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
+@@ -377,8 +378,10 @@ command.lst: $(MARKER_FILES)
+ 	  b=`basename $$pp .marker`; \
+ 	  sed -n \
+ 	    -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
++	    -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+ 	    -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+-	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
++	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
++	    -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+ 	done) | sort -u > $@
+ platform_DATA += command.lst
+ CLEANFILES += command.lst
+diff --git a/grub-core/Makefile.core.am b/grub-core/Makefile.core.am
+index 5623a5e..fbfb627 100644
+--- a/grub-core/Makefile.core.am
++++ b/grub-core/Makefile.core.am
+@@ -22378,7 +22378,7 @@ endif
+ if COND_i386_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/i386/efi/startup.S 
+-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
++kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22488,7 +22488,7 @@ endif
+ if COND_x86_64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/x86_64/efi/startup.S 
+-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
++kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22664,7 +22664,7 @@ endif
+ if COND_ia64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = 
+-kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
++kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) -fno-builtin -fpic -minline-int-divide-max-throughput 
+@@ -22730,7 +22730,7 @@ endif
+ if COND_arm_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/arm/efi/startup.S 
+-kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
++kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22752,7 +22752,7 @@ endif
+ if COND_arm64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/arm64/efi/startup.S 
+-kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
++kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22796,7 +22796,7 @@ endif
+ if COND_riscv32_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/riscv/efi/startup.S 
+-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
++kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+@@ -22818,7 +22818,7 @@ endif
+ if COND_riscv64_efi
+ platform_PROGRAMS += kernel.exec
+ kernel_exec_SOURCES  = kern/riscv/efi/startup.S 
+-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
++kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 
+ nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
+ kernel_exec_LDADD  = 
+ kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) 
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 4d380ed..ee8dc55 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -205,6 +205,7 @@ kernel = {
+   efi = kern/acpi.c;
+   efi = kern/efi/acpi.c;
+   efi = kern/efi/sb.c;
++  efi = kern/lockdown.c;
+   i386_coreboot = kern/i386/pc/acpi.c;
+   i386_multiboot = kern/i386/pc/acpi.c;
+   i386_coreboot = kern/acpi.c;
+diff --git a/grub-core/Makefile.in b/grub-core/Makefile.in
+index 09dc802..ac400ea 100644
+--- a/grub-core/Makefile.in
++++ b/grub-core/Makefile.in
+@@ -10457,13 +10457,14 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ 	kern/arm64/cache_flush.S kern/arm64/dl.c \
+ 	kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c \
+ 	kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c \
+-	kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c \
+-	kern/time.c kern/generic/millisleep.c kern/command.c \
+-	kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c \
+-	kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c \
+-	kern/misc.c kern/parser.c kern/partition.c \
+-	kern/rescue_parser.c kern/rescue_reader.c kern/term.c \
+-	kern/verifiers.c kern/arm/startup.S kern/arm/coreboot/init.c \
++	kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c \
++	kern/compiler-rt.c kern/mm.c kern/time.c \
++	kern/generic/millisleep.c kern/command.c kern/corecmd.c \
++	kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c \
++	kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c \
++	kern/parser.c kern/partition.c kern/rescue_parser.c \
++	kern/rescue_reader.c kern/term.c kern/verifiers.c \
++	kern/arm/startup.S kern/arm/coreboot/init.c \
+ 	kern/arm/coreboot/timer.c kern/arm/coreboot/coreboot.S \
+ 	lib/fdt.c bus/fdt.c term/ps2.c term/arm/pl050.c \
+ 	term/arm/cros.c term/arm/cros_ec.c bus/spi/rk3288_spi.c \
+@@ -10572,6 +10573,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -10646,6 +10648,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -10683,6 +10686,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -10884,6 +10888,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -11120,6 +11125,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -11287,6 +11293,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
++@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -11379,6 +11386,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
++@COND_arm64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
+ @COND_arm64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
+@@ -15379,7 +15387,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
+ CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' \
+ 	'-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' \
++	'-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
+ 	'-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' \
++	'-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
+ 	'-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
+@@ -16387,6 +16397,7 @@ KERNEL_HEADER_FILES = $(top_srcdir)/include/grub/cache.h \
+ 	$(top_srcdir)/include/grub/i18n.h \
+ 	$(top_srcdir)/include/grub/kernel.h \
+ 	$(top_srcdir)/include/grub/list.h \
++	$(top_srcdir)/include/grub/lockdown.h \
+ 	$(top_srcdir)/include/grub/misc.h $(am__append_5794) \
+ 	$(am__append_5795) $(top_srcdir)/include/grub/mm.h \
+ 	$(top_srcdir)/include/grub/parser.h \
+@@ -25594,7 +25605,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_arm64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_arm64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+ @COND_arm64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
+-@COND_arm64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
++@COND_arm64_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
++@COND_arm64_efi_TRUE@	kern/mm.c kern/time.c \
+ @COND_arm64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_arm64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+ @COND_arm64_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
+@@ -25645,7 +25657,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_arm_efi_TRUE@	kern/efi/init.c kern/efi/mm.c \
+ @COND_arm_efi_TRUE@	term/efi/console.c kern/acpi.c \
+ @COND_arm_efi_TRUE@	kern/efi/acpi.c kern/efi/sb.c \
+-@COND_arm_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
++@COND_arm_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
++@COND_arm_efi_TRUE@	kern/mm.c kern/time.c \
+ @COND_arm_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_arm_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+ @COND_arm_efi_TRUE@	kern/dl.c kern/env.c kern/err.c kern/file.c \
+@@ -25725,7 +25738,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_i386_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_i386_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+ @COND_i386_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
+-@COND_i386_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
++@COND_i386_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
++@COND_i386_efi_TRUE@	kern/mm.c kern/time.c \
+ @COND_i386_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_i386_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+ @COND_i386_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
+@@ -25843,7 +25857,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_ia64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_ia64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+ @COND_ia64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
+-@COND_ia64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
++@COND_ia64_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
++@COND_ia64_efi_TRUE@	kern/mm.c kern/time.c \
+ @COND_ia64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_ia64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+ @COND_ia64_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
+@@ -25956,8 +25971,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_riscv32_efi_TRUE@	kern/efi/init.c kern/efi/mm.c \
+ @COND_riscv32_efi_TRUE@	term/efi/console.c kern/acpi.c \
+ @COND_riscv32_efi_TRUE@	kern/efi/acpi.c kern/efi/sb.c \
+-@COND_riscv32_efi_TRUE@	kern/compiler-rt.c kern/mm.c \
+-@COND_riscv32_efi_TRUE@	kern/time.c kern/generic/millisleep.c \
++@COND_riscv32_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
++@COND_riscv32_efi_TRUE@	kern/mm.c kern/time.c \
++@COND_riscv32_efi_TRUE@	kern/generic/millisleep.c \
+ @COND_riscv32_efi_TRUE@	kern/command.c kern/corecmd.c \
+ @COND_riscv32_efi_TRUE@	kern/device.c kern/disk.c kern/dl.c \
+ @COND_riscv32_efi_TRUE@	kern/env.c kern/err.c kern/file.c \
+@@ -25974,9 +25990,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_riscv64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_riscv64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+ @COND_riscv64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
+-@COND_riscv64_efi_TRUE@	kern/efi/sb.c kern/compiler-rt.c \
+-@COND_riscv64_efi_TRUE@	kern/mm.c kern/time.c \
+-@COND_riscv64_efi_TRUE@	kern/generic/millisleep.c \
++@COND_riscv64_efi_TRUE@	kern/efi/sb.c kern/lockdown.c \
++@COND_riscv64_efi_TRUE@	kern/compiler-rt.c kern/mm.c \
++@COND_riscv64_efi_TRUE@	kern/time.c kern/generic/millisleep.c \
+ @COND_riscv64_efi_TRUE@	kern/command.c kern/corecmd.c \
+ @COND_riscv64_efi_TRUE@	kern/device.c kern/disk.c kern/dl.c \
+ @COND_riscv64_efi_TRUE@	kern/env.c kern/err.c kern/file.c \
+@@ -26022,8 +26038,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
+ @COND_x86_64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
+ @COND_x86_64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
+ @COND_x86_64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
+-@COND_x86_64_efi_TRUE@	kern/efi/sb.c kern/compiler-rt.c \
+-@COND_x86_64_efi_TRUE@	kern/mm.c kern/time.c \
++@COND_x86_64_efi_TRUE@	kern/efi/sb.c kern/lockdown.c \
++@COND_x86_64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
+ @COND_x86_64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
+ @COND_x86_64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
+ @COND_x86_64_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
+@@ -27994,6 +28010,8 @@ kern/efi/kernel_exec-acpi.$(OBJEXT): kern/efi/$(am__dirstamp) \
+ 	kern/efi/$(DEPDIR)/$(am__dirstamp)
+ kern/efi/kernel_exec-sb.$(OBJEXT): kern/efi/$(am__dirstamp) \
+ 	kern/efi/$(DEPDIR)/$(am__dirstamp)
++kern/kernel_exec-lockdown.$(OBJEXT): kern/$(am__dirstamp) \
++	kern/$(DEPDIR)/$(am__dirstamp)
+ kern/kernel_exec-compiler-rt.$(OBJEXT): kern/$(am__dirstamp) \
+ 	kern/$(DEPDIR)/$(am__dirstamp)
+ kern/kernel_exec-mm.$(OBJEXT): kern/$(am__dirstamp) \
+@@ -30945,6 +30963,7 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-file.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-fs.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-list.Po@am__quote@
++@AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-lockdown.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-main.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-misc.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-mm.Po@am__quote@
+@@ -35293,6 +35312,20 @@ kern/efi/kernel_exec-sb.obj: kern/efi/sb.c
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/efi/kernel_exec-sb.obj `if test -f 'kern/efi/sb.c'; then $(CYGPATH_W) 'kern/efi/sb.c'; else $(CYGPATH_W) '$(srcdir)/kern/efi/sb.c'; fi`
+ 
++kern/kernel_exec-lockdown.o: kern/lockdown.c
++@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-lockdown.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.o `test -f 'kern/lockdown.c' || echo '$(srcdir)/'`kern/lockdown.c
++@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo kern/$(DEPDIR)/kernel_exec-lockdown.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdown.o' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/kernel_exec-lockdown.o `test -f 'kern/lockdown.c' || echo '$(srcdir)/'`kern/lockdown.c
++
++kern/kernel_exec-lockdown.obj: kern/lockdown.c
++@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-lockdown.obj -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.obj `if test -f 'kern/lockdown.c'; then $(CYGPATH_W) 'kern/lockdown.c'; else $(CYGPATH_W) '$(srcdir)/kern/lockdown.c'; fi`
++@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo kern/$(DEPDIR)/kernel_exec-lockdown.Po
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdown.obj' libtool=no @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/kernel_exec-lockdown.obj `if test -f 'kern/lockdown.c'; then $(CYGPATH_W) 'kern/lockdown.c'; else $(CYGPATH_W) '$(srcdir)/kern/lockdown.c'; fi`
++
+ kern/kernel_exec-compiler-rt.o: kern/compiler-rt.c
+ @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-compiler-rt.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo -c -o kern/kernel_exec-compiler-rt.o `test -f 'kern/compiler-rt.c' || echo '$(srcdir)/'`kern/compiler-rt.c
+ @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo kern/$(DEPDIR)/kernel_exec-compiler-rt.Po
+@@ -46650,8 +46683,10 @@ command.lst: $(MARKER_FILES)
+ 	  b=`basename $$pp .marker`; \
+ 	  sed -n \
+ 	    -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
++	    -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+ 	    -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+-	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
++	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
++	    -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+ 	done) | sort -u > $@
+ 
+ partmap.lst: $(MARKER_FILES)
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 69574e2..90a5ca2 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -19,6 +19,7 @@
+ 
+ #include <grub/mm.h>
+ #include <grub/list.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/extcmd.h>
+ #include <grub/script_sh.h>
+@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
+ 				    summary, description, parser, 1);
+ }
+ 
++static grub_err_t
++grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
++                      int argc __attribute__ ((unused)),
++                      char **argv __attribute__ ((unused)))
++{
++  return grub_error (GRUB_ERR_ACCESS_DENIED,
++                     N_("%s: the command is not allowed when lockdown is enforced"),
++                     ctxt->extcmd->cmd->name);
++}
++
++grub_extcmd_t
++grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
++                               grub_command_flags_t flags, const char *summary,
++                               const char *description,
++                               const struct grub_arg_option *parser)
++{
++  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++    func = grub_extcmd_lockdown;
++
++  return grub_register_extcmd (name, func, flags, summary, description, parser);
++}
++
+ void
+ grub_unregister_extcmd (grub_extcmd_t ext)
+ {
+diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
+index acd7218..4aabcd4 100644
+--- a/grub-core/kern/command.c
++++ b/grub-core/kern/command.c
+@@ -17,6 +17,7 @@
+  *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+  */
+ 
++#include <grub/lockdown.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+ 
+@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
+   return cmd;
+ }
+ 
++static grub_err_t
++grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
++                   int argc __attribute__ ((unused)),
++                   char **argv __attribute__ ((unused)))
++
++{
++  return grub_error (GRUB_ERR_ACCESS_DENIED,
++                     N_("%s: the command is not allowed when lockdown is enforced"),
++                     cmd->name);
++}
++
++grub_command_t
++grub_register_command_lockdown (const char *name,
++                                grub_command_func_t func,
++                                const char *summary,
++                                const char *description)
++{
++  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++    func = grub_cmd_lockdown;
++
++  return grub_register_command_prio (name, func, summary, description, 0);
++}
++
+ void
+ grub_unregister_command (grub_command_t cmd)
+ {
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+new file mode 100644
+index 0000000..1e56c0b
+--- /dev/null
++++ b/grub-core/kern/lockdown.c
+@@ -0,0 +1,80 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2020  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include <grub/dl.h>
++#include <grub/file.h>
++#include <grub/lockdown.h>
++#include <grub/verify.h>
++
++static int lockdown = GRUB_LOCKDOWN_DISABLED;
++
++static grub_err_t
++lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
++                    enum grub_file_type type,
++                    void **context __attribute__ ((unused)),
++                    enum grub_verify_flags *flags)
++{
++  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++
++  switch (type & GRUB_FILE_TYPE_MASK)
++    {
++    case GRUB_FILE_TYPE_GRUB_MODULE:
++    case GRUB_FILE_TYPE_LINUX_KERNEL:
++    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++    case GRUB_FILE_TYPE_XEN_HYPERVISOR:
++    case GRUB_FILE_TYPE_BSD_KERNEL:
++    case GRUB_FILE_TYPE_XNU_KERNEL:
++    case GRUB_FILE_TYPE_PLAN9_KERNEL:
++    case GRUB_FILE_TYPE_NTLDR:
++    case GRUB_FILE_TYPE_TRUECRYPT:
++    case GRUB_FILE_TYPE_FREEDOS:
++    case GRUB_FILE_TYPE_PXECHAINLOADER:
++    case GRUB_FILE_TYPE_PCCHAINLOADER:
++    case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
++    case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++    case GRUB_FILE_TYPE_ACPI_TABLE:
++    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
++      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
++
++      /* Fall through. */
++
++    default:
++      return GRUB_ERR_NONE;
++    }
++}
++
++struct grub_file_verifier lockdown_verifier =
++  {
++    .name = "lockdown_verifier",
++    .init = lockdown_verifier_init,
++  };
++
++void
++grub_lockdown (void)
++{
++  lockdown = GRUB_LOCKDOWN_ENABLED;
++
++  grub_verifier_register (&lockdown_verifier);
++}
++
++int
++grub_is_lockdown (void)
++{
++  return lockdown;
++}
+diff --git a/include/grub/command.h b/include/grub/command.h
+index eee4e84..2a6f7f8 100644
+--- a/include/grub/command.h
++++ b/include/grub/command.h
+@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
+ 					 const char *summary,
+ 					 const char *description,
+ 					 int prio);
++grub_command_t
++EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
++                                             grub_command_func_t func,
++                                             const char *summary,
++                                             const char *description);
+ void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
+ 
+ static inline grub_command_t
+diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
+index 19fe592..fe9248b 100644
+--- a/include/grub/extcmd.h
++++ b/include/grub/extcmd.h
+@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
+ 						 const char *description,
+ 						 const struct grub_arg_option *parser);
+ 
++grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
++                                                          grub_extcmd_func_t func,
++                                                          grub_command_flags_t flags,
++                                                          const char *summary,
++                                                          const char *description,
++                                                          const struct grub_arg_option *parser);
++
+ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
+ 						      grub_extcmd_func_t func,
+ 						      grub_command_flags_t flags,
+diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
+new file mode 100644
+index 0000000..40531fa
+--- /dev/null
++++ b/include/grub/lockdown.h
+@@ -0,0 +1,44 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2020  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_LOCKDOWN_H
++#define GRUB_LOCKDOWN_H 1
++
++#include <grub/symbol.h>
++
++#define GRUB_LOCKDOWN_DISABLED       0
++#define GRUB_LOCKDOWN_ENABLED        1
++
++#ifdef GRUB_MACHINE_EFI
++extern void
++EXPORT_FUNC (grub_lockdown) (void);
++extern int
++EXPORT_FUNC (grub_is_lockdown) (void);
++#else
++static inline void
++grub_lockdown (void)
++{
++}
++
++static inline int
++grub_is_lockdown (void)
++{
++  return GRUB_LOCKDOWN_DISABLED;
++}
++#endif
++#endif /* ! GRUB_LOCKDOWN_H */
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 49755d3..5e26845 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -309,6 +309,7 @@
+ ./grub-core/kern/ieee1275/mmap.c
+ ./grub-core/kern/ieee1275/openfw.c
+ ./grub-core/kern/list.c
++./grub-core/kern/lockdown.c
+ ./grub-core/kern/main.c
+ ./grub-core/kern/mips/arc/init.c
+ ./grub-core/kern/mips/dl.c
+@@ -1207,6 +1208,7 @@
+ ./include/grub/linux.h
+ ./include/grub/list.h
+ ./include/grub/loader.h
++./include/grub/lockdown.h
+ ./include/grub/lvm.h
+ ./include/grub/macho.h
+ ./include/grub/machoload.h
+-- 
+2.14.2
+

buildroot/boot/grub2/0036-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch

@@ -0,0 +1,57 @@
+From d90367471779c240e002e62edfb6b31fc85b4908 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 2 Feb 2021 19:59:48 +0100
+Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
+
+It may be useful for scripts to determine whether the GRUB is locked
+down or not. Add the lockdown variable which is set to "y" when the GRUB
+is locked down.
+
+Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ docs/grub.texi            | 3 +++
+ grub-core/kern/lockdown.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index a25459f..bdbb329 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5803,6 +5803,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
+ if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+ be restricted and some operations/commands cannot be executed.
+ 
++The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
++Otherwise it does not exit.
++
+ @node Platform limitations
+ @chapter Platform limitations
+ 
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+index 1e56c0b..0bc70fd 100644
+--- a/grub-core/kern/lockdown.c
++++ b/grub-core/kern/lockdown.c
+@@ -18,6 +18,7 @@
+  */
+ 
+ #include <grub/dl.h>
++#include <grub/env.h>
+ #include <grub/file.h>
+ #include <grub/lockdown.h>
+ #include <grub/verify.h>
+@@ -71,6 +72,9 @@ grub_lockdown (void)
+   lockdown = GRUB_LOCKDOWN_ENABLED;
+ 
+   grub_verifier_register (&lockdown_verifier);
++
++  grub_env_set ("lockdown", "y");
++  grub_env_export ("lockdown");
+ }
+ 
+ int
+-- 
+2.14.2
+

buildroot/boot/grub2/0037-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch

@@ -0,0 +1,49 @@
+From 98b00a403cbf2ba6833d1ac0499871b27a08eb77 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:29 +0200
+Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
+
+If the UEFI Secure Boot is enabled then the GRUB must be locked down
+to prevent executing code that can potentially be used to subvert its
+verification mechanisms.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/efi/init.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index b683bec..1333465 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -21,6 +21,7 @@
+ #include <grub/efi/console.h>
+ #include <grub/efi/disk.h>
+ #include <grub/efi/sb.h>
++#include <grub/lockdown.h>
+ #include <grub/term.h>
+ #include <grub/misc.h>
+ #include <grub/env.h>
+@@ -40,8 +41,15 @@ grub_efi_init (void)
+   /* Initialize the memory management system.  */
+   grub_efi_mm_init ();
+ 
+-  /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */
+-  grub_shim_lock_verifier_setup ();
++  /*
++   * Lockdown the GRUB and register the shim_lock verifier
++   * if the UEFI Secure Boot is enabled.
++   */
++  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++    {
++      grub_lockdown ();
++      grub_shim_lock_verifier_setup ();
++    }
+ 
+   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+ 	      0, 0, 0, NULL);
+-- 
+2.14.2
+

buildroot/boot/grub2/0038-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch

@@ -0,0 +1,232 @@
+From 8f73052885892bc0dbc01e297f79d7cf4925e491 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:33 +0200
+Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
+ modules list
+
+Now the GRUB can check if it has been locked down and this can be used to
+prevent executing commands that can be utilized to circumvent the UEFI
+Secure Boot mechanisms. So, instead of hardcoding a list of modules that
+have to be disabled, prevent the usage of commands that can be dangerous.
+
+This not only allows the commands to be disabled on other platforms, but
+also properly separate the concerns. Since the shim_lock verifier logic
+should be only about preventing to run untrusted binaries and not about
+defining these kind of policies.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ docs/grub.texi                  | 15 +++++++++------
+ grub-core/commands/i386/wrmsr.c |  5 +++--
+ grub-core/commands/iorw.c       | 19 ++++++++++---------
+ grub-core/commands/memrw.c      | 19 ++++++++++---------
+ grub-core/kern/efi/sb.c         | 41 -----------------------------------------
+ 5 files changed, 32 insertions(+), 67 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index bdbb329..bbe60a4 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
+ Also, if you specify a reserved or unimplemented MSR address, it will
+ cause a general protection exception (which is not currently being handled)
+ and the system will reboot.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++      This is done to prevent subverting various security mechanisms.
+ @end deffn
+ 
+ @node xen_hypervisor
+@@ -5752,12 +5755,12 @@ boot and the shim. This functionality is provided by the shim_lock verifier. It
+ is built into the @file{core.img} and is registered if the UEFI secure boot is
+ enabled.
+ 
+-All modules not stored in the @file{core.img} and the ACPI tables for the
+-@command{acpi} command have to be signed, e.g. using PGP. Additionally, the
+-@command{iorw}, the @command{memrw} and the @command{wrmsr} commands are
+-prohibited if the UEFI secure boot is enabled. This is done due to
+-security reasons. All above mentioned requirements are enforced by the
+-shim_lock verifier logic.
++All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
++Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
++that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
++and @command{memrw} will not be available when the UEFI secure boot is enabled.
++This is done for security reasons and are enforced by the GRUB Lockdown mechanism
++(@pxref{Lockdown}).
+ 
+ @node Measured Boot
+ @section Measuring boot components
+diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
+index 9c5e510..56a29c2 100644
+--- a/grub-core/commands/i386/wrmsr.c
++++ b/grub-core/commands/i386/wrmsr.c
+@@ -24,6 +24,7 @@
+ #include <grub/env.h>
+ #include <grub/command.h>
+ #include <grub/extcmd.h>
++#include <grub/lockdown.h>
+ #include <grub/i18n.h>
+ #include <grub/i386/cpuid.h>
+ #include <grub/i386/wrmsr.h>
+@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
+ 
+ GRUB_MOD_INIT(wrmsr)
+ {
+-  cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+-				     N_("Write a value to a CPU model specific register."));
++  cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
++                                              N_("Write a value to a CPU model specific register."));
+ }
+ 
+ GRUB_MOD_FINI(wrmsr)
+diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
+index a0c164e..584baec 100644
+--- a/grub-core/commands/iorw.c
++++ b/grub-core/commands/iorw.c
+@@ -23,6 +23,7 @@
+ #include <grub/env.h>
+ #include <grub/cpu/io.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
+ 			  N_("PORT"), N_("Read 32-bit value from PORT."),
+ 			  options);
+   cmd_write_byte =
+-    grub_register_command ("outb", grub_cmd_write,
+-			   N_("PORT VALUE [MASK]"),
+-			   N_("Write 8-bit VALUE to PORT."));
++    grub_register_command_lockdown ("outb", grub_cmd_write,
++                                    N_("PORT VALUE [MASK]"),
++                                    N_("Write 8-bit VALUE to PORT."));
+   cmd_write_word =
+-    grub_register_command ("outw", grub_cmd_write,
+-			   N_("PORT VALUE [MASK]"),
+-			   N_("Write 16-bit VALUE to PORT."));
++    grub_register_command_lockdown ("outw", grub_cmd_write,
++                                    N_("PORT VALUE [MASK]"),
++                                    N_("Write 16-bit VALUE to PORT."));
+   cmd_write_dword =
+-    grub_register_command ("outl", grub_cmd_write,
+-			   N_("ADDR VALUE [MASK]"),
+-			   N_("Write 32-bit VALUE to PORT."));
++    grub_register_command_lockdown ("outl", grub_cmd_write,
++                                    N_("ADDR VALUE [MASK]"),
++                                    N_("Write 32-bit VALUE to PORT."));
+ }
+ 
+ GRUB_MOD_FINI(memrw)
+diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
+index 98769ea..d401a6d 100644
+--- a/grub-core/commands/memrw.c
++++ b/grub-core/commands/memrw.c
+@@ -22,6 +22,7 @@
+ #include <grub/extcmd.h>
+ #include <grub/env.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
+ 			  N_("ADDR"), N_("Read 32-bit value from ADDR."),
+ 			  options);
+   cmd_write_byte =
+-    grub_register_command ("write_byte", grub_cmd_write,
+-			   N_("ADDR VALUE [MASK]"),
+-			   N_("Write 8-bit VALUE to ADDR."));
++    grub_register_command_lockdown ("write_byte", grub_cmd_write,
++                                    N_("ADDR VALUE [MASK]"),
++                                    N_("Write 8-bit VALUE to ADDR."));
+   cmd_write_word =
+-    grub_register_command ("write_word", grub_cmd_write,
+-			   N_("ADDR VALUE [MASK]"),
+-			   N_("Write 16-bit VALUE to ADDR."));
++    grub_register_command_lockdown ("write_word", grub_cmd_write,
++                                    N_("ADDR VALUE [MASK]"),
++                                    N_("Write 16-bit VALUE to ADDR."));
+   cmd_write_dword =
+-    grub_register_command ("write_dword", grub_cmd_write,
+-			   N_("ADDR VALUE [MASK]"),
+-			   N_("Write 32-bit VALUE to ADDR."));
++    grub_register_command_lockdown ("write_dword", grub_cmd_write,
++                                    N_("ADDR VALUE [MASK]"),
++                                    N_("Write 32-bit VALUE to ADDR."));
+ }
+ 
+ GRUB_MOD_FINI(memrw)
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+index ce3b7f6..5d7210a 100644
+--- a/grub-core/kern/efi/sb.c
++++ b/grub-core/kern/efi/sb.c
+@@ -30,9 +30,6 @@
+ 
+ static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+ 
+-/* List of modules which cannot be loaded if UEFI secure boot mode is enabled. */
+-static const char * const disabled_mods[] = {"iorw", "memrw", NULL};
+-
+ /*
+  * Determine whether we're in secure boot mode.
+  *
+@@ -121,53 +118,15 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+ 			 void **context __attribute__ ((unused)),
+ 			 enum grub_verify_flags *flags)
+ {
+-  const char *b, *e;
+-  int i;
+-
+   *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
+ 
+   switch (type & GRUB_FILE_TYPE_MASK)
+     {
+-    case GRUB_FILE_TYPE_GRUB_MODULE:
+-      /* Establish GRUB module name. */
+-      b = grub_strrchr (io->name, '/');
+-      e = grub_strrchr (io->name, '.');
+-
+-      b = b ? (b + 1) : io->name;
+-      e = e ? e : io->name + grub_strlen (io->name);
+-      e = (e > b) ? e : io->name + grub_strlen (io->name);
+-
+-      for (i = 0; disabled_mods[i]; i++)
+-	if (!grub_strncmp (b, disabled_mods[i], grub_strlen (b) - grub_strlen (e)))
+-	  {
+-	    grub_error (GRUB_ERR_ACCESS_DENIED,
+-			N_("module cannot be loaded in UEFI secure boot mode: %s"),
+-			io->name);
+-	    return GRUB_ERR_ACCESS_DENIED;
+-	  }
+-
+-      /* Fall through. */
+-
+-    case GRUB_FILE_TYPE_ACPI_TABLE:
+-    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+-
+-      return GRUB_ERR_NONE;
+-
+     case GRUB_FILE_TYPE_LINUX_KERNEL:
+     case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
+     case GRUB_FILE_TYPE_BSD_KERNEL:
+     case GRUB_FILE_TYPE_XNU_KERNEL:
+     case GRUB_FILE_TYPE_PLAN9_KERNEL:
+-      for (i = 0; disabled_mods[i]; i++)
+-	if (grub_dl_get (disabled_mods[i]))
+-	  {
+-	    grub_error (GRUB_ERR_ACCESS_DENIED,
+-			N_("cannot boot due to dangerous module in memory: %s"),
+-			disabled_mods[i]);
+-	    return GRUB_ERR_ACCESS_DENIED;
+-	  }
+-
+       *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+ 
+       /* Fall through. */
+-- 
+2.14.2
+

buildroot/boot/grub2/0039-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch

@@ -0,0 +1,76 @@
+From 3e8e4c0549240fa209acffceb473e1e509b50c95 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:41 +0200
+Subject: [PATCH] acpi: Don't register the acpi command when locked down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The command is not allowed when lockdown is enforced. Otherwise an
+attacker can instruct the GRUB to load an SSDT table to overwrite
+the kernel lockdown configuration and later load and execute
+unsigned code.
+
+Fixes: CVE-2020-14372
+
+Reported-by: Máté Kukri <km@mkukri.xyz>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ docs/grub.texi            |  5 +++++
+ grub-core/commands/acpi.c | 15 ++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index bbe60a4..98592d3 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
+ (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
+ @option{--no-ebda} option is used, the new tables will be known only to
+ GRUB, but may be used by GRUB's EFI emulation.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++      Otherwise an attacker can instruct the GRUB to load an SSDT table to
++      overwrite the kernel lockdown configuration and later load and execute
++      unsigned code.
+ @end deffn
+ 
+ 
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 5a1499a..1215f2a 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -27,6 +27,7 @@
+ #include <grub/mm.h>
+ #include <grub/memory.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ #ifdef GRUB_MACHINE_EFI
+ #include <grub/efi/efi.h>
+@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
+ 
+ GRUB_MOD_INIT(acpi)
+ {
+-  cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
+-			      N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+-			      "--load-only=TABLE1,TABLE2] FILE1"
+-			      " [FILE2] [...]"),
+-			      N_("Load host ACPI tables and tables "
+-			      "specified by arguments."),
+-			      options);
++  cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
++                                       N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
++                                          "--load-only=TABLE1,TABLE2] FILE1"
++                                          " [FILE2] [...]"),
++                                       N_("Load host ACPI tables and tables "
++                                          "specified by arguments."),
++                                       options);
+ }
+ 
+ GRUB_MOD_FINI(acpi)
+-- 
+2.14.2
+

buildroot/boot/grub2/0040-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch

@@ -0,0 +1,70 @@
+From d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 14 Oct 2020 16:33:42 +0200
+Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
+ is enforced
+
+The cutmem and badram commands can be used to remove EFI memory regions
+and potentially disable the UEFI Secure Boot. Prevent the commands to be
+registered if the GRUB is locked down.
+
+Fixes: CVE-2020-27779
+
+Reported-by: Teddy Reed <teddy.reed@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ docs/grub.texi        |  4 ++++
+ grub-core/mmap/mmap.c | 13 +++++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 98592d3..f2fe149 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4051,6 +4051,10 @@ this page is to be filtered.  This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+ 
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++      This prevents removing EFI memory regions to potentially subvert the
++      security mechanisms provided by the UEFI secure boot.
++
+ @node blocklist
+ @subsection blocklist
+ 
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 57b4e9a..7ebf32e 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -20,6 +20,7 @@
+ #include <grub/memory.h>
+ #include <grub/machine/memory.h>
+ #include <grub/err.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
+ 
+ GRUB_MOD_INIT(mmap)
+ {
+-  cmd = grub_register_command ("badram", grub_cmd_badram,
+-			       N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+-			       N_("Declare memory regions as faulty (badram)."));
+-  cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
+-				   N_("FROM[K|M|G] TO[K|M|G]"),
+-				   N_("Remove any memory regions in specified range."));
++  cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
++                                        N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
++                                        N_("Declare memory regions as faulty (badram)."));
++  cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
++                                            N_("FROM[K|M|G] TO[K|M|G]"),
++                                            N_("Remove any memory regions in specified range."));
+ 
+ }
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0041-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch

@@ -0,0 +1,105 @@
+From 468a5699b249fe6816b4e7e86c5dc9d325c9b09e Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+ when locked down
+
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+
+  * fakebios:   creates BIOS-like structures for backward compatibility with
+                existing OSes. This should not be allowed when locked down.
+
+  * loadbios:   reads a BIOS dump from storage and loads it. This action
+                should not be allowed when locked down.
+
+  * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+                any Device Tree provided by the firmware. This also should
+                not be allowed when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ docs/grub.texi                    |  3 +++
+ grub-core/commands/efi/loadbios.c | 16 ++++++++--------
+ grub-core/loader/arm/linux.c      |  6 +++---
+ grub-core/loader/efi/fdt.c        |  4 ++--
+ 4 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index f2fe149..79f58c5 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4235,6 +4235,9 @@ hour, minute, and second unchanged.
+ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+ kernel. Does not perform merging with any device tree supplied by firmware,
+ but rather replaces it completely.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++      This is done to prevent subverting various security mechanisms.
+ @ref{GNU/Linux}.
+ @end deffn
+ 
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521..5c7725f 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+ 
+ GRUB_MOD_INIT(loadbios)
+ {
+-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+-					0, N_("Create BIOS-like structures for"
+-					      " backward compatibility with"
+-					      " existing OS."));
+-
+-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+-					N_("BIOS_DUMP [INT10_DUMP]"),
+-					N_("Load BIOS dump."));
++  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
++						 0, N_("Create BIOS-like structures for"
++						       " backward compatibility with"
++						       " existing OS."));
++
++  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
++						 N_("BIOS_DUMP [INT10_DUMP]"),
++						 N_("Load BIOS dump."));
+ }
+ 
+ GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index d70c174..ed23dc7 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+ 				     0, N_("Load Linux."));
+   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+ 				      0, N_("Load initrd."));
+-  cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+-					  /* TRANSLATORS: DTB stands for device tree blob.  */
+-					  0, N_("Load DTB file."));
++  cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
++						   /* TRANSLATORS: DTB stands for device tree blob. */
++						   0, N_("Load DTB file."));
+   my_mod = mod;
+   current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+   machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index ee9c559..003d07c 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
+ GRUB_MOD_INIT (fdt)
+ {
+   cmd_devicetree =
+-    grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+-			   N_("Load DTB file."));
++    grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
++				    N_("Load DTB file."));
+ }
+ 
+ GRUB_MOD_FINI (fdt)
+-- 
+2.14.2
+

buildroot/boot/grub2/0042-commands-setpci-Restrict-setpci-command-when-locked-.patch

@@ -0,0 +1,37 @@
+From 58b77d4069823b44c5fa916fa8ddfc9c4cd51e02 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 22:59:59 +0100
+Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
+
+This command can set PCI devices register values, which makes it dangerous
+in a locked down configuration. Restrict it so can't be used on this setup.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/commands/setpci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
+index d5bc97d..fa2ba7d 100644
+--- a/grub-core/commands/setpci.c
++++ b/grub-core/commands/setpci.c
+@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
+ 
+ GRUB_MOD_INIT(setpci)
+ {
+-  cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
+-			      N_("[-s POSITION] [-d DEVICE] [-v VAR] "
+-				 "REGISTER[=VALUE[:MASK]]"),
+-			      N_("Manipulate PCI devices."), options);
++  cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
++				       N_("[-s POSITION] [-d DEVICE] [-v VAR] "
++					  "REGISTER[=VALUE[:MASK]]"),
++				       N_("Manipulate PCI devices."), options);
+ }
+ 
+ GRUB_MOD_FINI(setpci)
+-- 
+2.14.2
+

buildroot/boot/grub2/0043-commands-hdparm-Restrict-hdparm-command-when-locked-.patch

@@ -0,0 +1,35 @@
+From 5c97492a29c6063567b65ed1a069f5e6f4e211f0 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 12:59:29 +0100
+Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
+
+The command can be used to get/set ATA disk parameters. Some of these can
+be dangerous since change the disk behavior. Restrict it when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/commands/hdparm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
+index d3fa966..2e2319e 100644
+--- a/grub-core/commands/hdparm.c
++++ b/grub-core/commands/hdparm.c
+@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
+ 
+ GRUB_MOD_INIT(hdparm)
+ {
+-  cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
+-			      N_("[OPTIONS] DISK"),
+-			      N_("Get/set ATA disk parameters."), options);
++  cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
++				       N_("[OPTIONS] DISK"),
++				       N_("Get/set ATA disk parameters."), options);
+ }
+ 
+ GRUB_MOD_FINI(hdparm)
+-- 
+2.14.2
+

buildroot/boot/grub2/0044-gdb-Restrict-GDB-access-when-locked-down.patch

@@ -0,0 +1,62 @@
+From 508270838998f151a82e9c13e7cb8a470a2dc23d Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 15:03:26 +0100
+Subject: [PATCH] gdb: Restrict GDB access when locked down
+
+The gdbstub* commands allow to start and control a GDB stub running on
+local host that can be used to connect from a remote debugger. Restrict
+this functionality when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
+index 847a1e1..1818cb6 100644
+--- a/grub-core/gdb/gdb.c
++++ b/grub-core/gdb/gdb.c
+@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
+ GRUB_MOD_INIT (gdb)
+ {
+   grub_gdb_idtinit ();
+-  cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
+-			       N_("PORT"), 
+-			       /* TRANSLATORS: GDB stub is a small part of
+-				  GDB functionality running on local host
+-				  which allows remote debugger to
+-				  connect to it.  */
+-			       N_("Start GDB stub on given port"));
+-  cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
+-				     /* TRANSLATORS: this refers to triggering
+-					a breakpoint so that the user will land
+-					into GDB.  */
+-				     0, N_("Break into GDB"));
+-  cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
+-				    0, N_("Stop GDB stub"));
++  cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
++					N_("PORT"),
++					/*
++					 * TRANSLATORS: GDB stub is a small part of
++					 * GDB functionality running on local host
++					 * which allows remote debugger to
++					 * connect to it.
++					 */
++					N_("Start GDB stub on given port"));
++  cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
++					      /*
++					       * TRANSLATORS: this refers to triggering
++					       * a breakpoint so that the user will land
++					       * into GDB.
++					       */
++					      0, N_("Break into GDB"));
++  cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
++					     0, N_("Stop GDB stub"));
+ }
+ 
+ GRUB_MOD_FINI (gdb)
+-- 
+2.14.2
+

buildroot/boot/grub2/0045-loader-xnu-Don-t-allow-loading-extension-and-package.patch

@@ -0,0 +1,61 @@
+From 9c5565135f12400a925ee901b25984e7af4442f5 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+ locked down
+
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 9ae4ceb..44fd5a9 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1485,20 +1485,23 @@ GRUB_MOD_INIT(xnu)
+ 				      N_("Load XNU image."));
+   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+ 					0, N_("Load 64-bit XNU image."));
+-  cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+-				     N_("Load XNU extension package."));
+-  cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+-				    N_("Load XNU extension."));
+-  cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+-				       /* TRANSLATORS: OSBundleRequired is a
+-					  variable name in xnu extensions
+-					  manifests. It behaves mostly like
+-					  GNU/Linux runlevels.
+-				       */
+-				       N_("DIRECTORY [OSBundleRequired]"),
+-				       /* TRANSLATORS: There are many extensions
+-					  in extension directory.  */
+-				       N_("Load XNU extension directory."));
++  cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
++					      N_("Load XNU extension package."));
++  cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
++					     N_("Load XNU extension."));
++  cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
++						/*
++						 * TRANSLATORS: OSBundleRequired is
++						 * a variable name in xnu extensions
++						 * manifests. It behaves mostly like
++						 * GNU/Linux runlevels.
++						 */
++						N_("DIRECTORY [OSBundleRequired]"),
++						/*
++						 * TRANSLATORS: There are many extensions
++						 * in extension directory.
++						 */
++						N_("Load XNU extension directory."));
+   cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+    /* TRANSLATORS: ramdisk here isn't identifier. It can be translated.  */
+ 				       N_("Load XNU ramdisk. "
+-- 
+2.14.2
+

buildroot/boot/grub2/0046-docs-Document-the-cutmem-command.patch

@@ -0,0 +1,65 @@
+From f05e79a0143beb2d9a482a3ebf4fe0ce76778122 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 7 Nov 2020 01:03:18 +0100
+Subject: [PATCH] docs: Document the cutmem command
+
+The command is not present in the docs/grub.texi user documentation.
+
+Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ docs/grub.texi | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 79f58c5..8518cc0 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3892,6 +3892,7 @@ you forget a command, you can run the command @command{help}
+ * cpuid::                       Check for CPU features
+ * crc::                         Compute or check CRC32 checksums
+ * cryptomount::                 Mount a crypto device
++* cutmem::                      Remove memory regions
+ * date::                        Display or set current date and time
+ * devicetree::                  Load a device tree blob
+ * distrust::                    Remove a pubkey from trusted keys
+@@ -4051,6 +4052,8 @@ this page is to be filtered.  This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+ 
++The command is similar to @command{cutmem} command.
++
+ Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+       This prevents removing EFI memory regions to potentially subvert the
+       security mechanisms provided by the UEFI secure boot.
+@@ -4214,6 +4217,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
+ be used.
+ @end deffn
+ 
++@node cutmem
++@subsection cutmem
++
++@deffn Command cutmem from[K|M|G] to[K|M|G]
++Remove any memory regions in specified range.
++@end deffn
++
++This command notifies the memory manager that specified regions of RAM ought to
++be filtered out. This remains in effect after a payload kernel has been loaded
++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
++kernels in general.
++
++The command is similar to @command{badram} command.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++      This prevents removing EFI memory regions to potentially subvert the
++      security mechanisms provided by the UEFI secure boot.
+ 
+ @node date
+ @subsection date
+-- 
+2.14.2
+

buildroot/boot/grub2/0047-dl-Only-allow-unloading-modules-that-are-not-depende.patch

@@ -0,0 +1,87 @@
+From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+
+While being there, add the extern keyword to some function declarations in
+that header file.
+
+Fixes: CVE-2020-25632
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/commands/minicmd.c | 7 +++++--
+ grub-core/kern/dl.c          | 9 +++++++++
+ include/grub/dl.h            | 8 +++++---
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6bbce31..fa49893 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+   if (grub_dl_is_persistent (mod))
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+ 
+-  if (grub_dl_unref (mod) <= 0)
+-    grub_dl_unload (mod);
++  if (grub_dl_ref_count (mod) > 1)
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
++
++  grub_dl_unref (mod);
++  grub_dl_unload (mod);
+ 
+   return 0;
+ }
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7..48f8a79 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
+   return --mod->ref_count;
+ }
+ 
++int
++grub_dl_ref_count (grub_dl_t mod)
++{
++  if (mod == NULL)
++    return 0;
++
++  return mod->ref_count;
++}
++
+ static void
+ grub_dl_flush_cache (grub_dl_t mod)
+ {
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index f03c035..b3753c9 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+ grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+ grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+ int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern void grub_dl_unload_unneeded (void);
++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++
+ extern grub_dl_t EXPORT_VAR(grub_dl_head);
+ 
+ #ifndef GRUB_UTIL
+-- 
+2.14.2
+

buildroot/boot/grub2/0048-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch

@@ -0,0 +1,116 @@
+From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 11 Dec 2020 19:19:21 +0100
+Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
+ devices
+
+The maximum number of configurations and interfaces are fixed but there is
+no out-of-bound checking to prevent a malicious USB device to report large
+values for these and cause accesses outside the arrays' memory.
+
+Fixes: CVE-2020-25647
+
+Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/bus/usb/usb.c | 15 ++++++++++++---
+ include/grub/usb.h      | 10 +++++++---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
+index 8da5e4c..7cb3cc2 100644
+--- a/grub-core/bus/usb/usb.c
++++ b/grub-core/bus/usb/usb.c
+@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
+ grub_usb_err_t
+ grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
+ {
++  if (endpoint >= GRUB_USB_MAX_TOGGLE)
++    return GRUB_USB_ERR_BADDEVICE;
++
+   dev->toggle[endpoint] = 0;
+   return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
+ 				     | GRUB_USB_REQTYPE_STANDARD
+@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+     return err;
+   descdev = &dev->descdev;
+ 
+-  for (i = 0; i < 8; i++)
++  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+     dev->config[i].descconf = NULL;
+ 
+-  if (descdev->configcnt == 0)
++  if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
+     {
+       err = GRUB_USB_ERR_BADDEVICE;
+       goto fail;
+@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+       /* Skip the configuration descriptor.  */
+       pos = dev->config[i].descconf->length;
+ 
++      if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
++        {
++          err = GRUB_USB_ERR_BADDEVICE;
++          goto fail;
++        }
++
+       /* Read all interfaces.  */
+       for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
+ 	{
+@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ 
+  fail:
+ 
+-  for (i = 0; i < 8; i++)
++  for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+     grub_free (dev->config[i].descconf);
+ 
+   return err;
+diff --git a/include/grub/usb.h b/include/grub/usb.h
+index 512ae1d..6475c55 100644
+--- a/include/grub/usb.h
++++ b/include/grub/usb.h
+@@ -23,6 +23,10 @@
+ #include <grub/usbdesc.h>
+ #include <grub/usbtrans.h>
+ 
++#define GRUB_USB_MAX_CONF    8
++#define GRUB_USB_MAX_IF      32
++#define GRUB_USB_MAX_TOGGLE  256
++
+ typedef struct grub_usb_device *grub_usb_device_t;
+ typedef struct grub_usb_controller *grub_usb_controller_t;
+ typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
+@@ -167,7 +171,7 @@ struct grub_usb_configuration
+   struct grub_usb_desc_config *descconf;
+ 
+   /* Interfaces associated to this configuration.  */
+-  struct grub_usb_interface interf[32];
++  struct grub_usb_interface interf[GRUB_USB_MAX_IF];
+ };
+ 
+ struct grub_usb_hub_port
+@@ -191,7 +195,7 @@ struct grub_usb_device
+   struct grub_usb_controller controller;
+ 
+   /* Device configurations (after opening the device).  */
+-  struct grub_usb_configuration config[8];
++  struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
+ 
+   /* Device address.  */
+   int addr;
+@@ -203,7 +207,7 @@ struct grub_usb_device
+   int initialized;
+ 
+   /* Data toggle values (used for bulk transfers only).  */
+-  int toggle[256];
++  int toggle[GRUB_USB_MAX_TOGGLE];
+ 
+   /* Used by libusb wrapper.  Schedulded for removal. */
+   void *data;
+-- 
+2.14.2
+

buildroot/boot/grub2/0049-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch

@@ -0,0 +1,40 @@
+From 8cb2848f9699642a698af84b12ba187cab722031 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 3 Dec 2020 14:39:45 +0000
+Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
+
+When returning from grub_mmap_iterate() the memory allocated to present
+is not being released causing it to leak.
+
+Fixes: CID 96655
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/mmap/mmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 7ebf32e..8bf235f 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ 		   hook_data))
+ 	{
+ 	  grub_free (ctx.scanline_events);
++	  grub_free (present);
+ 	  return GRUB_ERR_NONE;
+ 	}
+ 
+@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+     }
+ 
+   grub_free (ctx.scanline_events);
++  grub_free (present);
+   return GRUB_ERR_NONE;
+ }
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0050-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch

@@ -0,0 +1,40 @@
+From 03f2515ae0c503406f1a99a2178405049c6555db Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 27 Nov 2020 15:10:26 +0000
+Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
+
+It is always possible that grub_zalloc() could fail, so we should check for
+a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
+
+Fixes: CID 296221
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/net/net.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 38f19df..7c2cdf2 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -86,8 +86,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
+ 
+   /* Add sender to cache table.  */
+   if (card->link_layer_table == NULL)
+-    card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
+-					  * sizeof (card->link_layer_table[0]));
++    {
++      card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
++					    * sizeof (card->link_layer_table[0]));
++      if (card->link_layer_table == NULL)
++	return;
++    }
++
+   entry = &(card->link_layer_table[card->new_ll_entry]);
+   entry->avail = 1;
+   grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));
+-- 
+2.14.2
+

buildroot/boot/grub2/0051-net-tftp-Fix-dangling-memory-pointer.patch

@@ -0,0 +1,34 @@
+From 0cb838b281a68b536a09681f9557ea6a7ac5da7a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 19 Feb 2021 17:12:23 +0000
+Subject: [PATCH] net/tftp: Fix dangling memory pointer
+
+The static code analysis tool, Parfait, reported that the valid of
+file->data was left referencing memory that was freed by the call to
+grub_free(data) where data was initialized from file->data.
+
+To ensure that there is no unintentional access to this memory
+referenced by file->data we should set the pointer to NULL.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/net/tftp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index b4297bc..c106704 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -406,6 +406,7 @@ tftp_close (struct grub_file *file)
+       grub_net_udp_close (data->sock);
+     }
+   grub_free (data);
++  file->data = NULL;
+   return GRUB_ERR_NONE;
+ }
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0052-kern-parser-Fix-resource-leak-if-argc-0.patch

@@ -0,0 +1,51 @@
+From d06161b035dde4769199ad65aa0a587a5920012b Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 22 Jan 2021 12:32:41 +0000
+Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
+
+After processing the command-line yet arriving at the point where we are
+setting argv, we are allocating memory, even if argc == 0, which makes
+no sense since we never put anything into the allocated argv.
+
+The solution is to simply return that we've successfully processed the
+arguments but that argc == 0, and also ensure that argv is NULL when
+we're not allocating anything in it.
+
+There are only 2 callers of this function, and both are handling a zero
+value in argc assuming nothing is allocated in argv.
+
+Fixes: CID 96680
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/parser.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 619db31..d1cf061 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
+   int i;
+ 
+   *argc = 0;
++  *argv = NULL;
+   do
+     {
+       if (!rd || !*rd)
+@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
+       (*argc)++;
+     }
+ 
++  /* If there are no args, then we're done. */
++  if (!*argc)
++    return 0;
++
+   /* Reserve memory for the return values.  */
+   args = grub_malloc (bp - buffer);
+   if (!args)
+-- 
+2.14.2
+

buildroot/boot/grub2/0053-kern-efi-Fix-memory-leak-on-failure.patch

@@ -0,0 +1,31 @@
+From ed286ceba6015d37a9304f04602451c47bf195d7 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:15:25 +0000
+Subject: [PATCH] kern/efi: Fix memory leak on failure
+
+Free the memory allocated to name before returning on failure.
+
+Fixes: CID 296222
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/efi/efi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 9cfd88d..4fc14d6 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -388,6 +388,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ 	    {
+ 	      grub_error (GRUB_ERR_OUT_OF_RANGE,
+ 			  "malformed EFI Device Path node has length=%d", len);
++	      grub_free (name);
+ 	      return NULL;
+ 	    }
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0054-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch

@@ -0,0 +1,66 @@
+From 6aee4bfd6973c714056fb7b56890b8d524e94ee1 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 11 Dec 2020 15:03:13 +0000
+Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
+
+The model of grub_efi_get_memory_map() is that if memory_map is NULL,
+then the purpose is to discover how much memory should be allocated to
+it for the subsequent call.
+
+The problem here is that with grub_efi_is_finished set to 1, there is no
+check at all that the function is being called with a non-NULL memory_map.
+
+While this MAY be true, we shouldn't assume it.
+
+The solution to this is to behave as expected, and if memory_map is NULL,
+then don't try to use it and allow memory_map_size to be filled in, and
+return 0 as is done later in the code if the buffer is too small (or NULL).
+
+Additionally, drop unneeded ret = 1.
+
+Fixes: CID 96632
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/efi/mm.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index b02fab1..5afcef7 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
+   if (grub_efi_is_finished)
+     {
+       int ret = 1;
+-      if (*memory_map_size < finish_mmap_size)
++
++      if (memory_map != NULL)
+ 	{
+-	  grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+-	  ret = 0;
++	  if (*memory_map_size < finish_mmap_size)
++	    {
++	      grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
++	      ret = 0;
++	    }
++          else
++	    grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+ 	}
+       else
+ 	{
+-	  grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+-	  ret = 1;
++	  /*
++	   * Incomplete, no buffer to copy into, same as
++	   * GRUB_EFI_BUFFER_TOO_SMALL below.
++	   */
++	  ret = 0;
+ 	}
+       *memory_map_size = finish_mmap_size;
+       if (map_key)
+-- 
+2.14.2
+

buildroot/boot/grub2/0055-gnulib-regexec-Resolve-unused-variable.patch

@@ -0,0 +1,90 @@
+From a983d36bd9178d377d2072fd4b11c635fdc404b4 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:41:27 +0000
+Subject: [PATCH] gnulib/regexec: Resolve unused variable
+
+This is a really minor issue where a variable is being assigned to but
+not checked before it is overwritten again.
+
+The reason for this issue is that we are not building with DEBUG set and
+this in turn means that the assert() that reads the value of the
+variable match_last is being processed out.
+
+The solution, move the assignment to match_last in to an ifdef DEBUG too.
+
+Fixes: CID 292459
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Add changes to generated files]
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ Makefile.in                                         |  1 +
+ conf/Makefile.extra-dist                            |  1 +
+ grub-core/lib/gnulib-patches/fix-unused-value.patch | 14 ++++++++++++++
+ grub-core/lib/gnulib/regexec.c                      |  4 ++++
+ 4 files changed, 20 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-unused-value.patch
+
+diff --git a/Makefile.in b/Makefile.in
+index ecb3278..e6b287b 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -2742,6 +2742,7 @@ EXTRA_DIST = autogen.sh geninit.sh gentpl.py Makefile.util.def \
+ 	grub-core/gensyminfo.sh.in grub-core/gensymlist.sh \
+ 	grub-core/genemuinit.sh grub-core/genemuinitheader.sh \
+ 	grub-core/lib/gnulib-patches/fix-null-deref.patch \
++	grub-core/lib/gnulib-patches/fix-unused-value.patch \
+ 	grub-core/lib/gnulib-patches/fix-width.patch \
+ 	grub-core/lib/gnulib-patches/no-abort.patch \
+ 	grub-core/lib/libgcrypt \
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 46c4e95..9b01152 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+ 
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+ 
+diff --git a/grub-core/lib/gnulib-patches/fix-unused-value.patch b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+new file mode 100644
+index 0000000..ba51f1b
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+@@ -0,0 +1,14 @@
++--- a/lib/regexec.c	2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c	2020-10-21 14:32:07.961765604 +0000
++@@ -828,7 +828,11 @@
++ 		    break;
++ 		  if (__glibc_unlikely (err != REG_NOMATCH))
++ 		    goto free_return;
+++#ifdef DEBUG
+++		  /* Only used for assertion below when DEBUG is set, otherwise
+++		     it will be over-written when we loop around.  */
++ 		  match_last = -1;
+++#endif
++ 		}
++ 	      else
++ 		break; /* We found a match.  */
+diff --git a/grub-core/lib/gnulib/regexec.c b/grub-core/lib/gnulib/regexec.c
+index 21cf791..98a25f5 100644
+--- a/grub-core/lib/gnulib/regexec.c
++++ b/grub-core/lib/gnulib/regexec.c
+@@ -828,6 +828,10 @@ re_search_internal (const regex_t *preg, const char *string, Idx length,
+ 		    break;
+ 		  if (__glibc_unlikely (err != REG_NOMATCH))
+ 		    goto free_return;
++#ifdef DEBUG
++		  /* Only used for assertion below when DEBUG is set, otherwise
++		     it will be over-written when we loop around.  */
++#endif
+ 		  match_last = -1;
+ 		}
+ 	      else
+-- 
+2.14.2
+

buildroot/boot/grub2/0056-gnulib-regcomp-Fix-uninitialized-token-structure.patch

@@ -0,0 +1,82 @@
+From 75c3d3cec4f408848f575d6d5e30a95bd6313db0 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 22 Oct 2020 13:54:06 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
+
+The code is assuming that the value of br_token.constraint was
+initialized to zero when it wasn't.
+
+While some compilers will ensure that, not all do, so it is better to
+fix this explicitly than leave it to chance.
+
+Fixes: CID 73749
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Add changes to generated files]
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ Makefile.in                                             |  1 +
+ conf/Makefile.extra-dist                                |  1 +
+ grub-core/lib/gnulib-patches/fix-uninit-structure.patch | 11 +++++++++++
+ grub-core/lib/gnulib/regcomp.c                          |  2 +-
+ 4 files changed, 14 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+
+diff --git a/Makefile.in b/Makefile.in
+index e6b287b..d58a7d7 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -2742,6 +2742,7 @@ EXTRA_DIST = autogen.sh geninit.sh gentpl.py Makefile.util.def \
+ 	grub-core/gensyminfo.sh.in grub-core/gensymlist.sh \
+ 	grub-core/genemuinit.sh grub-core/genemuinitheader.sh \
+ 	grub-core/lib/gnulib-patches/fix-null-deref.patch \
++	grub-core/lib/gnulib-patches/fix-uninit-structure.patch \
+ 	grub-core/lib/gnulib-patches/fix-unused-value.patch \
+ 	grub-core/lib/gnulib-patches/fix-width.patch \
+ 	grub-core/lib/gnulib-patches/no-abort.patch \
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9b01152..9e55458 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+ 
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-uninit-structure.patch b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+new file mode 100644
+index 0000000..7b4d9f6
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+@@ -0,0 +1,11 @@
++--- a/lib/regcomp.c	2020-10-22 13:49:06.770168928 +0000
+++++ b/lib/regcomp.c	2020-10-22 13:50:37.026528298 +0000
++@@ -3662,7 +3662,7 @@
++   Idx alloc = 0;
++ #endif /* not RE_ENABLE_I18N */
++   reg_errcode_t ret;
++-  re_token_t br_token;
+++  re_token_t br_token = {0};
++   bin_tree_t *tree;
++ 
++   sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
+diff --git a/grub-core/lib/gnulib/regcomp.c b/grub-core/lib/gnulib/regcomp.c
+index fe7dfcb..2545d3e 100644
+--- a/grub-core/lib/gnulib/regcomp.c
++++ b/grub-core/lib/gnulib/regcomp.c
+@@ -3662,7 +3662,7 @@ build_charclass_op (re_dfa_t *dfa, RE_TRANSLATE_TYPE trans,
+   Idx alloc = 0;
+ #endif /* not RE_ENABLE_I18N */
+   reg_errcode_t ret;
+-  re_token_t br_token;
++  re_token_t br_token = {0};
+   bin_tree_t *tree;
+ 
+   sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
+-- 
+2.14.2
+

buildroot/boot/grub2/0057-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch

@@ -0,0 +1,82 @@
+From 3a37bf120a9194c373257c70175cdb5b337bc107 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 28 Oct 2020 14:43:01 +0000
+Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
+
+All other instances of call to __argp_failure() where there is
+a dgettext() call is first checking whether state is NULL before
+attempting to dereference it to get the root_argp->argp_domain.
+
+Fixes: CID 292436
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Add changes to generated files]
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ Makefile.in                                             |  1 +
+ conf/Makefile.extra-dist                                |  1 +
+ grub-core/lib/gnulib-patches/fix-null-state-deref.patch | 12 ++++++++++++
+ grub-core/lib/gnulib/argp-help.c                        |  3 ++-
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+
+diff --git a/Makefile.in b/Makefile.in
+index d58a7d7..812b7c2 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -2742,6 +2742,7 @@ EXTRA_DIST = autogen.sh geninit.sh gentpl.py Makefile.util.def \
+ 	grub-core/gensyminfo.sh.in grub-core/gensymlist.sh \
+ 	grub-core/genemuinit.sh grub-core/genemuinitheader.sh \
+ 	grub-core/lib/gnulib-patches/fix-null-deref.patch \
++	grub-core/lib/gnulib-patches/fix-null-state-deref.patch \
+ 	grub-core/lib/gnulib-patches/fix-uninit-structure.patch \
+ 	grub-core/lib/gnulib-patches/fix-unused-value.patch \
+ 	grub-core/lib/gnulib-patches/fix-width.patch \
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9e55458..96d7e69 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+ 
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-null-state-deref.patch b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+new file mode 100644
+index 0000000..813ec09
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/argp-help.c	2020-10-28 14:32:19.189215988 +0000
+++++ b/lib/argp-help.c	2020-10-28 14:38:21.204673940 +0000
++@@ -145,7 +145,8 @@
++       if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
++         {
++           __argp_failure (state, 0, 0,
++-                          dgettext (state->root_argp->argp_domain,
+++                          dgettext (state == NULL ? NULL
+++                                    : state->root_argp->argp_domain,
++                                     "\
++ ARGP_HELP_FMT: %s value is less than or equal to %s"),
++                           "rmargin", up->name);
+diff --git a/grub-core/lib/gnulib/argp-help.c b/grub-core/lib/gnulib/argp-help.c
+index 5d8f451..c75568c 100644
+--- a/grub-core/lib/gnulib/argp-help.c
++++ b/grub-core/lib/gnulib/argp-help.c
+@@ -145,7 +145,8 @@ validate_uparams (const struct argp_state *state, struct uparams *upptr)
+       if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
+         {
+           __argp_failure (state, 0, 0,
+-                          dgettext (state->root_argp->argp_domain,
++                          dgettext (state == NULL ? NULL
++                                    : state->root_argp->argp_domain,
+                                     "\
+ ARGP_HELP_FMT: %s value is less than or equal to %s"),
+                           "rmargin", up->name);
+-- 
+2.14.2
+

buildroot/boot/grub2/0058-gnulib-regexec-Fix-possible-null-dereference.patch

@@ -0,0 +1,83 @@
+From 0b7f347638153e403ee2dd518af3ce26f4f99647 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:57:14 +0000
+Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
+
+It appears to be possible that the mctx->state_log field may be NULL,
+and the name of this function, clean_state_log_if_needed(), suggests
+that it should be checking that it is valid to be cleaned before
+assuming that it does.
+
+Fixes: CID 86720
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Add changes to generated files]
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ Makefile.in                                               |  1 +
+ conf/Makefile.extra-dist                                  |  1 +
+ grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch | 12 ++++++++++++
+ grub-core/lib/gnulib/regexec.c                            |  3 +++
+ 4 files changed, 17 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+
+diff --git a/Makefile.in b/Makefile.in
+index 812b7c2..d9da6e9 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -2743,6 +2743,7 @@ EXTRA_DIST = autogen.sh geninit.sh gentpl.py Makefile.util.def \
+ 	grub-core/genemuinit.sh grub-core/genemuinitheader.sh \
+ 	grub-core/lib/gnulib-patches/fix-null-deref.patch \
+ 	grub-core/lib/gnulib-patches/fix-null-state-deref.patch \
++	grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch \
+ 	grub-core/lib/gnulib-patches/fix-uninit-structure.patch \
+ 	grub-core/lib/gnulib-patches/fix-unused-value.patch \
+ 	grub-core/lib/gnulib-patches/fix-width.patch \
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 96d7e69..d27d3a9 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+ 
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+new file mode 100644
+index 0000000..db6dac9
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/regexec.c	2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c	2020-11-05 10:55:09.621542984 +0000
++@@ -1692,6 +1692,9 @@
++ {
++   Idx top = mctx->state_log_top;
++
+++  if (mctx->state_log == NULL)
+++    return REG_NOERROR;
+++
++   if ((next_state_log_idx >= mctx->input.bufs_len
++        && mctx->input.bufs_len < mctx->input.len)
++       || (next_state_log_idx >= mctx->input.valid_len
+diff --git a/grub-core/lib/gnulib/regexec.c b/grub-core/lib/gnulib/regexec.c
+index 98a25f5..df97667 100644
+--- a/grub-core/lib/gnulib/regexec.c
++++ b/grub-core/lib/gnulib/regexec.c
+@@ -1696,6 +1696,9 @@ clean_state_log_if_needed (re_match_context_t *mctx, Idx next_state_log_idx)
+ {
+   Idx top = mctx->state_log_top;
+ 
++  if (mctx->state_log == NULL)
++    return REG_NOERROR;
++
+   if ((next_state_log_idx >= mctx->input.bufs_len
+        && mctx->input.bufs_len < mctx->input.len)
+       || (next_state_log_idx >= mctx->input.valid_len
+-- 
+2.14.2
+

buildroot/boot/grub2/0059-gnulib-regcomp-Fix-uninitialized-re_token.patch

@@ -0,0 +1,88 @@
+From 03477085f9a33789ba6cca7cd49ab9326a1baa0e Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 18:04:22 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
+
+This issue has been fixed in the latest version of gnulib, so to
+maintain consistency, I've backported that change rather than doing
+something different.
+
+Fixes: CID 73828
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[Add changes to generated files]
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ Makefile.in                                               |  1 +
+ conf/Makefile.extra-dist                                  |  1 +
+ .../lib/gnulib-patches/fix-regcomp-uninit-token.patch     | 15 +++++++++++++++
+ grub-core/lib/gnulib/regcomp.c                            |  6 +-----
+ 4 files changed, 18 insertions(+), 5 deletions(-)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+
+diff --git a/Makefile.in b/Makefile.in
+index d9da6e9..9442504 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -2743,6 +2743,7 @@ EXTRA_DIST = autogen.sh geninit.sh gentpl.py Makefile.util.def \
+ 	grub-core/genemuinit.sh grub-core/genemuinitheader.sh \
+ 	grub-core/lib/gnulib-patches/fix-null-deref.patch \
+ 	grub-core/lib/gnulib-patches/fix-null-state-deref.patch \
++	grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch \
+ 	grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch \
+ 	grub-core/lib/gnulib-patches/fix-uninit-structure.patch \
+ 	grub-core/lib/gnulib-patches/fix-unused-value.patch \
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index d27d3a9..ffe6829 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+ 
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+new file mode 100644
+index 0000000..02e0631
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+@@ -0,0 +1,15 @@
++--- a/lib/regcomp.c	2020-11-24 17:06:08.159223858 +0000
+++++ b/lib/regcomp.c	2020-11-24 17:06:15.630253923 +0000
++@@ -3808,11 +3808,7 @@
++ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
++ 	     re_token_type_t type)
++ {
++-  re_token_t t;
++-#if defined GCC_LINT || defined lint
++-  memset (&t, 0, sizeof t);
++-#endif
++-  t.type = type;
+++  re_token_t t = { .type = type };
++   return create_token_tree (dfa, left, right, &t);
++ }
++ 
+diff --git a/grub-core/lib/gnulib/regcomp.c b/grub-core/lib/gnulib/regcomp.c
+index 2545d3e..64a4fa7 100644
+--- a/grub-core/lib/gnulib/regcomp.c
++++ b/grub-core/lib/gnulib/regcomp.c
+@@ -3808,11 +3808,7 @@ static bin_tree_t *
+ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
+ 	     re_token_type_t type)
+ {
+-  re_token_t t;
+-#if defined GCC_LINT || defined lint
+-  memset (&t, 0, sizeof t);
+-#endif
+-  t.type = type;
++  re_token_t t = { .type = type };
+   return create_token_tree (dfa, left, right, &t);
+ }
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0060-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch

@@ -0,0 +1,42 @@
+From 59666e520f44177c97b82a44c169b3b315d63b42 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:44:10 +0000
+Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
+
+These 2 assignments are unnecessary since they are just assigning
+to themselves.
+
+Fixes: CID 73643
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/io/lzopio.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
+index 3014485..a7d4425 100644
+--- a/grub-core/io/lzopio.c
++++ b/grub-core/io/lzopio.c
+@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ 			  sizeof (lzopio->block.ucheck)) !=
+ 	  sizeof (lzopio->block.ucheck))
+ 	return -1;
+-
+-      lzopio->block.ucheck = lzopio->block.ucheck;
+     }
+ 
+   /* Read checksum of compressed data.  */
+@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ 			      sizeof (lzopio->block.ccheck)) !=
+ 	      sizeof (lzopio->block.ccheck))
+ 	    return -1;
+-
+-	  lzopio->block.ccheck = lzopio->block.ccheck;
+ 	}
+     }
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0061-zstd-Initialize-seq_t-structure-fully.patch

@@ -0,0 +1,35 @@
+From 2777cf4466719921dbe4b30af358a75e7d76f217 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:29:59 +0000
+Subject: [PATCH] zstd: Initialize seq_t structure fully
+
+While many compilers will initialize this to zero, not all will, so it
+is better to be sure that fields not being explicitly set are at known
+values, and there is code that checks this fields value elsewhere in the
+code.
+
+Fixes: CID 292440
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/lib/zstd/zstd_decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/zstd/zstd_decompress.c b/grub-core/lib/zstd/zstd_decompress.c
+index 711b5b6..e4b5670 100644
+--- a/grub-core/lib/zstd/zstd_decompress.c
++++ b/grub-core/lib/zstd/zstd_decompress.c
+@@ -1325,7 +1325,7 @@ typedef enum { ZSTD_lo_isRegularOffset, ZSTD_lo_isLongOffset=1 } ZSTD_longOffset
+ FORCE_INLINE_TEMPLATE seq_t
+ ZSTD_decodeSequence(seqState_t* seqState, const ZSTD_longOffset_e longOffsets)
+ {
+-    seq_t seq;
++    seq_t seq = {0};
+     U32 const llBits = seqState->stateLL.table[seqState->stateLL.state].nbAdditionalBits;
+     U32 const mlBits = seqState->stateML.table[seqState->stateML.state].nbAdditionalBits;
+     U32 const ofBits = seqState->stateOffb.table[seqState->stateOffb.state].nbAdditionalBits;
+-- 
+2.14.2
+

buildroot/boot/grub2/0062-kern-partition-Check-for-NULL-before-dereferencing-i.patch

@@ -0,0 +1,44 @@
+From bc9c468a2ce84bc767234eec888b71f1bc744fff Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 09:49:59 +0000
+Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
+ string
+
+There is the possibility that the value of str comes from an external
+source and continuing to use it before ever checking its validity is
+wrong. So, needs fixing.
+
+Additionally, drop unneeded part initialization.
+
+Fixes: CID 292444
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/partition.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
+index e499147..b10a184 100644
+--- a/grub-core/kern/partition.c
++++ b/grub-core/kern/partition.c
+@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
+ grub_partition_t
+ grub_partition_probe (struct grub_disk *disk, const char *str)
+ {
+-  grub_partition_t part = 0;
++  grub_partition_t part;
+   grub_partition_t curpart = 0;
+   grub_partition_t tail;
+   const char *ptr;
+ 
++  if (str == NULL)
++    return 0;
++
+   part = tail = disk->partition;
+ 
+   for (ptr = str; *ptr;)
+-- 
+2.14.2
+

buildroot/boot/grub2/0063-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch

@@ -0,0 +1,129 @@
+From 23e39f50ca7a107f6b66396ed4d177a914dee035 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 7 Dec 2020 11:53:03 -0300
+Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
+ make_vg()
+
+Several error handling paths in make_vg() do not free comp data before
+jumping to fail2 label and returning from the function. This will leak
+memory. So, let's fix all issues of that kind.
+
+Fixes: CID 73804
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 58f8a53..428415f 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
+ 	      comp->segments = grub_calloc (comp->segment_alloc,
+ 					    sizeof (*comp->segments));
+ 	      if (!comp->segments)
+-		goto fail2;
++		{
++		  grub_free (comp->internal_id);
++		  grub_free (comp);
++		  goto fail2;
++		}
+ 	    }
+ 	  else
+ 	    {
+@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
+ 	      comp->segment_count = 1;
+ 	      comp->segments = grub_malloc (sizeof (*comp->segments));
+ 	      if (!comp->segments)
+-		goto fail2;
++		{
++		  grub_free (comp->internal_id);
++		  grub_free (comp);
++		  goto fail2;
++		}
+ 	      comp->segments->start_extent = 0;
+ 	      comp->segments->extent_count = lv->size;
+ 	      comp->segments->layout = 0;
+@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
+ 		  comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
+ 		}
+ 	      else
+-		goto fail2;
++		{
++		  grub_free (comp->segments);
++		  grub_free (comp->internal_id);
++		  grub_free (comp);
++		  goto fail2;
++		}
+ 	      ptr += *ptr + 1;
+ 	      ptr++;
+ 	      if (!(vblk[i].flags & 0x10))
+-		goto fail2;
++		{
++		  grub_free (comp->segments);
++		  grub_free (comp->internal_id);
++		  grub_free (comp);
++		  goto fail2;
++		}
+ 	      if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
+ 		  || ptr + *ptr + 1 >= vblk[i].dynamic
+ 		  + sizeof (vblk[i].dynamic))
+ 		{
++		  grub_free (comp->segments);
+ 		  grub_free (comp->internal_id);
+ 		  grub_free (comp);
+ 		  goto fail2;
+@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
+ 	      if (ptr + *ptr + 1 >= vblk[i].dynamic
+ 		  + sizeof (vblk[i].dynamic))
+ 		{
++		  grub_free (comp->segments);
+ 		  grub_free (comp->internal_id);
+ 		  grub_free (comp);
+ 		  goto fail2;
+@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
+ 	      comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+ 						   sizeof (*comp->segments->nodes));
+ 	      if (!lv->segments->nodes)
+-		goto fail2;
++		{
++		  grub_free (comp->segments);
++		  grub_free (comp->internal_id);
++		  grub_free (comp);
++		  goto fail2;
++		}
+ 	    }
+ 
+ 	  if (lv->segments->node_alloc == lv->segments->node_count)
+@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
+ 
+ 	      if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
+ 		  grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
+-		goto fail2;
++		{
++		  grub_free (comp->segments->nodes);
++		  grub_free (comp->segments);
++		  grub_free (comp->internal_id);
++		  grub_free (comp);
++		  goto fail2;
++		}
+ 
+ 	      t = grub_realloc (lv->segments->nodes, sz);
+ 	      if (!t)
+-		goto fail2;
++		{
++		  grub_free (comp->segments->nodes);
++		  grub_free (comp->segments);
++		  grub_free (comp->internal_id);
++		  grub_free (comp);
++		  goto fail2;
++		}
+ 	      lv->segments->nodes = t;
+ 	    }
+ 	  lv->segments->nodes[lv->segments->node_count].pv = 0;
+-- 
+2.14.2
+

buildroot/boot/grub2/0064-disk-ldm-If-failed-then-free-vg-variable-too.patch

@@ -0,0 +1,29 @@
+From e0b83df5da538d2a38f770e60817b3a4b9d5b4d7 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 7 Dec 2020 10:07:47 -0300
+Subject: [PATCH] disk/ldm: If failed then free vg variable too
+
+Fixes: CID 73809
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/disk/ldm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 428415f..54713f4 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
+     {
+       grub_free (vg->uuid);
+       grub_free (vg->name);
++      grub_free (vg);
+       return NULL;
+     }
+   grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);
+-- 
+2.14.2
+

buildroot/boot/grub2/0065-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch

@@ -0,0 +1,51 @@
+From 156c281a1625dc73fd350530630c6f2d5673d4f6 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 10:00:51 +0000
+Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
+
+The problem here is that the memory allocated to the variable lv is not
+yet inserted into the list that is being processed at the label fail2.
+
+As we can already see at line 342, which correctly frees lv before going
+to fail2, we should also be doing that at these earlier jumps to fail2.
+
+Fixes: CID 73824
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/disk/ldm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 54713f4..e82e989 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
+ 	  lv->visible = 1;
+ 	  lv->segments = grub_zalloc (sizeof (*lv->segments));
+ 	  if (!lv->segments)
+-	    goto fail2;
++	    {
++	      grub_free (lv);
++	      goto fail2;
++	    }
+ 	  lv->segments->start_extent = 0;
+ 	  lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ 	  lv->segments->node_count = 0;
+@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
+ 	  lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+ 					     sizeof (*lv->segments->nodes));
+ 	  if (!lv->segments->nodes)
+-	    goto fail2;
++	    {
++	      grub_free (lv);
++	      goto fail2;
++	    }
+ 	  ptr = vblk[i].dynamic;
+ 	  if (ptr + *ptr + 1 >= vblk[i].dynamic
+ 	      + sizeof (vblk[i].dynamic))
+-- 
+2.14.2
+

buildroot/boot/grub2/0066-disk-cryptodisk-Fix-potential-integer-overflow.patch

@@ -0,0 +1,51 @@
+From a201ad17caa430aa710654fdf2e6ab4c8166f031 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 21 Jan 2021 11:38:31 +0000
+Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
+
+The encrypt and decrypt functions expect a grub_size_t. So, we need to
+ensure that the constant bit shift is using grub_size_t rather than
+unsigned int when it is performing the shift.
+
+Fixes: CID 307788
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/disk/cryptodisk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5037768..6883f48 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ 	case GRUB_CRYPTODISK_MODE_CBC:
+ 	  if (do_encrypt)
+ 	    err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
+-					   (1U << dev->log_sector_size), iv);
++					   ((grub_size_t) 1 << dev->log_sector_size), iv);
+ 	  else
+ 	    err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
+-					   (1U << dev->log_sector_size), iv);
++					   ((grub_size_t) 1 << dev->log_sector_size), iv);
+ 	  if (err)
+ 	    return err;
+ 	  break;
+@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ 	case GRUB_CRYPTODISK_MODE_PCBC:
+ 	  if (do_encrypt)
+ 	    err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
+-					    (1U << dev->log_sector_size), iv);
++					    ((grub_size_t) 1 << dev->log_sector_size), iv);
+ 	  else
+ 	    err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
+-					    (1U << dev->log_sector_size), iv);
++					    ((grub_size_t) 1 << dev->log_sector_size), iv);
+ 	  if (err)
+ 	    return err;
+ 	  break;
+-- 
+2.14.2
+

buildroot/boot/grub2/0067-hfsplus-Check-that-the-volume-name-length-is-valid.patch

@@ -0,0 +1,44 @@
+From 2298f6e0d951251bb9ca97d891d1bc8b74515f8c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 17:09:31 +0000
+Subject: [PATCH] hfsplus: Check that the volume name length is valid
+
+HFS+ documentation suggests that the maximum filename and volume name is
+255 Unicode characters in length.
+
+So, when converting from big-endian to little-endian, we should ensure
+that the name of the volume has a length that is between 0 and 255,
+inclusive.
+
+Fixes: CID 73641
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/hfsplus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 9c4e4c8..8fe7c12 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1012,6 +1012,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
+     grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+ 
+   label_len = grub_be_to_cpu16 (catkey->namelen);
++
++  /* Ensure that the length is >= 0. */
++  if (label_len < 0)
++    label_len = 0;
++
++  /* Ensure label length is at most 255 Unicode characters. */
++  if (label_len > 255)
++    label_len = 255;
++
+   label_name = grub_calloc (label_len, sizeof (*label_name));
+   if (!label_name)
+     {
+-- 
+2.14.2
+

buildroot/boot/grub2/0068-zfs-Fix-possible-negative-shift-operation.patch

@@ -0,0 +1,43 @@
+From a02091834d3e167320d8a262ff04b8e83c5e616d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 16:41:49 +0000
+Subject: [PATCH] zfs: Fix possible negative shift operation
+
+While it is possible for the return value from zfs_log2() to be zero
+(0), it is quite unlikely, given that the previous assignment to blksz
+is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
+assignment to epbs.
+
+But, while unlikely during a normal operation, it may be that a carefully
+crafted ZFS filesystem could result in a zero (0) value to the
+dn_datalbkszsec field, which means that the shift left does nothing
+and assigns zero (0) to blksz, resulting in a negative epbs value.
+
+Fixes: CID 73608
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/zfs/zfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 36d0373..0c42cba 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
+   blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec, 
+ 			     mdn->endian) << SPA_MINBLOCKSHIFT;
+   epbs = zfs_log2 (blksz) - DNODE_SHIFT;
++
++  /* While this should never happen, we should check that epbs is not negative. */
++  if (epbs < 0)
++    epbs = 0;
++
+   blkid = objnum >> epbs;
+   idx = objnum & ((1 << epbs) - 1);
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0069-zfs-Fix-resource-leaks-while-constructing-path.patch

@@ -0,0 +1,122 @@
+From 89bdab965805e8d54d7f75349024e1a11cbe2eb8 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+
+Fixes: CID 73741
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0c42cba..9087a72 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 
+       if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+ 	{
+-	  grub_free (path_buf);
+-	  return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++	  err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++	  break;
+ 	}
+       err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+ 			data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 		       << SPA_MINBLOCKSHIFT);
+ 
+ 	      if (blksz == 0)
+-		return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
++                {
++                  err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
++                  break;
++                }
+ 
+ 	      sym_value = grub_malloc (sym_sz);
+ 	      if (!sym_value)
+-		return grub_errno;
++		{
++		  err = grub_errno;
++		  break;
++		}
++
+ 	      for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+ 		{
+ 		  void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 		  if (err)
+ 		    {
+ 		      grub_free (sym_value);
+-		      return err;
++		      break;
+ 		    }
+ 
+ 		  movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 		  grub_memcpy (sym_value + block * blksz, t, movesize);
+ 		  grub_free (t);
+ 		}
++		if (err)
++		  break;
+ 	      free_symval = 1;
+ 	    }	    
+ 	  path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 	      grub_free (oldpathbuf);
+ 	      if (free_symval)
+ 		grub_free (sym_value);
+-	      return grub_errno;
++	      err = grub_errno;
++	      break;
+ 	    }
+ 	  grub_memcpy (path, sym_value, sym_sz);
+ 	  if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 	      
+ 	      err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+ 	      if (err)
+-		return err;
++	        break;
+ 	    }
+ 	  else
+ 	    {
+-	      return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++	      err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++	      break;
+ 	    }
+ 
+ 	  hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 	      if (!path_buf)
+ 		{
+ 		  grub_free (oldpathbuf);
+-		  return grub_errno;
++		  err = grub_errno;
++		  break;
+ 		}
+ 	      grub_memcpy (path, sym_value, sym_sz);
+ 	      path [sym_sz] = 0;
+-- 
+2.14.2
+

buildroot/boot/grub2/0070-zfs-Fix-possible-integer-overflows.patch

@@ -0,0 +1,57 @@
+From 302c12ff5714bc455949117c1c9548ccb324d55b Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 22:17:04 +0000
+Subject: [PATCH] zfs: Fix possible integer overflows
+
+In all cases the problem is that the value being acted upon by
+a left-shift is a 32-bit number which is then being used in the
+context of a 64-bit number.
+
+To avoid overflow we ensure that the number being shifted is 64-bit
+before the shift is done.
+
+Fixes: CID 73684, CID 73695, CID 73764
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/zfs/zfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 9087a72..b078ccc 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
+       ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
+ 				    + ((i << ub_shift)
+ 				       / sizeof (grub_properly_aligned_t)));
+-      err = uberblock_verify (ubptr, offset, 1 << ub_shift);
++      err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
+       if (err)
+ 	{
+ 	  grub_errno = GRUB_ERR_NONE;
+@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+ 
+ 	    high = grub_divmod64 ((offset >> desc->ashift) + c,
+ 				  desc->n_children, &devn);
+-	    csize = bsize << desc->ashift;
++	    csize = (grub_size_t) bsize << desc->ashift;
+ 	    if (csize > len)
+ 	      csize = len;
+ 
+@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+ 
+ 	    while (len > 0)
+ 	      {
+-		grub_size_t csize;
+-		csize = ((s / (desc->n_children - desc->nparity))
++		grub_size_t csize = s;
++		csize = ((csize / (desc->n_children - desc->nparity))
+ 			 << desc->ashift);
+ 		if (csize > len)
+ 		  csize = len;
+-- 
+2.14.2
+

buildroot/boot/grub2/0071-zfsinfo-Correct-a-check-for-error-allocating-memory.patch

@@ -0,0 +1,36 @@
+From 7aab03418ec6a9b991aa44416cb2585aff4e7972 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:56:45 +0000
+Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
+
+While arguably the check for grub_errno is correct, we should really be
+checking the return value from the function since it is always possible
+that grub_errno was set elsewhere, making this code behave incorrectly.
+
+Fixes: CID 73668
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/zfs/zfsinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
+index c8a28ac..bf29180 100644
+--- a/grub-core/fs/zfs/zfsinfo.c
++++ b/grub-core/fs/zfs/zfsinfo.c
+@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+ 
+   devname = grub_file_get_device_name (args[0]);
+-  if (grub_errno)
+-    return grub_errno;
++  if (devname == NULL)
++    return GRUB_ERR_OUT_OF_MEMORY;
+ 
+   dev = grub_device_open (devname);
+   grub_free (devname);
+-- 
+2.14.2
+

buildroot/boot/grub2/0072-affs-Fix-memory-leaks.patch

@@ -0,0 +1,83 @@
+From 178ac5107389f8e5b32489d743d6824a5ebf342a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+
+Fixes: CID 73759
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/affs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 220b371..230e26a 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ {
+   unsigned int i;
+   struct grub_affs_file file;
+-  struct grub_fshelp_node *node = 0;
++  struct grub_fshelp_node *node, *orig_node;
+   struct grub_affs_data *data = dir->data;
+   grub_uint32_t *hashtable;
+ 
+   /* Create the directory entries for `.' and `..'.  */
+-  node = grub_zalloc (sizeof (*node));
++  node = orig_node = grub_zalloc (sizeof (*node));
+   if (!node)
+     return 1;
+     
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+     return 1;
+   if (dir->parent)
+     {
+-      node = grub_zalloc (sizeof (*node));
+-      if (!node)
+-	return 1;
+       *node = *dir->parent;
+       if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ 	return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ 
+ 	  if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+ 				     next, &file))
+-	    return 1;
++	    {
++	      /* Node has been replaced in function. */
++	      grub_free (orig_node);
++	      return 1;
++	    }
+ 
+ 	  next = grub_be_to_cpu32 (file.next);
+ 	}
+     }
+ 
+-  grub_free (hashtable);
+-  return 0;
+-
+  fail:
+-  grub_free (node);
++  grub_free (orig_node);
+   grub_free (hashtable);
+   return 0;
+ }
+-- 
+2.14.2
+

buildroot/boot/grub2/0073-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch

@@ -0,0 +1,50 @@
+From e8814c811132a70f9b55418f7567378a34ad3883 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 3 Nov 2020 16:43:37 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
+
+The array of unsigned char gets promoted to a signed 32-bit int before
+it is finally promoted to a size_t. There is the possibility that this
+may result in the signed-bit being set for the intermediate signed
+32-bit int. We should ensure that the promotion is to the correct type
+before we bitwise-OR the values.
+
+Fixes: CID 96697
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/lib/libgcrypt-grub/mpi/mpicoder.c | 2 +-
+ grub-core/lib/libgcrypt/mpi/mpicoder.c      | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c b/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c
+index 3d55dfc..faf1cd6 100644
+--- a/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c
+@@ -460,7 +460,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+       if (len && len < 4)
+         return gcry_error (GPG_ERR_TOO_SHORT);
+ 
+-      n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++      n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+       s += 4;
+       if (len)
+         len -= 4;
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index a3435ed..7ecad27 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+       if (len && len < 4)
+         return gcry_error (GPG_ERR_TOO_SHORT);
+ 
+-      n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++      n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+       s += 4;
+       if (len)
+         len -= 4;
+-- 
+2.14.2
+

buildroot/boot/grub2/0074-libgcrypt-mpi-Fix-possible-NULL-dereference.patch

@@ -0,0 +1,49 @@
+From ae0f3fabeba7b393113d5dc185b6aff9b728136d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:41:54 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
+
+The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
+is no explicit check for that, so we add one.
+
+Fixes: CID 73757
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/lib/libgcrypt-grub/mpi/mpicoder.c | 3 +++
+ grub-core/lib/libgcrypt/mpi/mpicoder.c      | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c b/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c
+index faf1cd6..e734dcf 100644
+--- a/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt-grub/mpi/mpicoder.c
+@@ -381,6 +381,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+   unsigned int len;
+   int secure = (buffer && gcry_is_secure (buffer));
+ 
++  if (!buffer)
++    return gcry_error (GPG_ERR_INV_ARG);
++
+   if (format == GCRYMPI_FMT_SSH)
+     len = 0;
+   else
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index 7ecad27..6fe3891 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+   unsigned int len;
+   int secure = (buffer && gcry_is_secure (buffer));
+ 
++  if (!buffer)
++    return gcry_error (GPG_ERR_INV_ARG);
++
+   if (format == GCRYMPI_FMT_SSH)
+     len = 0;
+   else
+-- 
+2.14.2
+

buildroot/boot/grub2/0075-syslinux-Fix-memory-leak-while-parsing.patch

@@ -0,0 +1,44 @@
+From 95bc016dba94cab3d398dd74160665915cd08ad6 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 15:31:53 +0000
+Subject: [PATCH] syslinux: Fix memory leak while parsing
+
+In syslinux_parse_real() the 2 points where return is being called
+didn't release the memory stored in buf which is no longer required.
+
+Fixes: CID 176634
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/lib/syslinux_parse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
+index 4afa992..3acc6b4 100644
+--- a/grub-core/lib/syslinux_parse.c
++++ b/grub-core/lib/syslinux_parse.c
+@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ 		  && grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
+ 	    {
+ 	      if (helptext (ptr5, file, menu))
+-		return 1;
++		{
++		  grub_free (buf);
++		  return 1;
++		}
+ 	      continue;
+ 	    }
+ 
+@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
+     }
+  fail:
+   grub_file_close (file);
++  grub_free (buf);
+   return err;
+ }
+ 
+-- 
+2.14.2
+

buildroot/boot/grub2/0076-normal-completion-Fix-leaking-of-memory-when-process.patch

@@ -0,0 +1,53 @@
+From 9213575b7a95b514bce80be5964a28d407d7d56d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 18:56:48 +0000
+Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
+ completion
+
+It is possible for the code to reach the end of the function without
+freeing the memory allocated to argv and argc still to be 0.
+
+We should always call grub_free(argv). The grub_free() will handle
+a NULL argument correctly if it reaches that code without the memory
+being allocated.
+
+Fixes: CID 96672
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/normal/completion.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
+index 5961028..46e473c 100644
+--- a/grub-core/normal/completion.c
++++ b/grub-core/normal/completion.c
+@@ -400,8 +400,8 @@ char *
+ grub_normal_do_completion (char *buf, int *restore,
+ 			   void (*hook) (const char *, grub_completion_type_t, int))
+ {
+-  int argc;
+-  char **argv;
++  int argc = 0;
++  char **argv = NULL;
+ 
+   /* Initialize variables.  */
+   match = 0;
+@@ -516,10 +516,8 @@ grub_normal_do_completion (char *buf, int *restore,
+ 
+  fail:
+   if (argc != 0)
+-    {
+-      grub_free (argv[0]);
+-      grub_free (argv);
+-    }
++    grub_free (argv[0]);
++  grub_free (argv);
+   grub_free (match);
+   grub_errno = GRUB_ERR_NONE;
+ 
+-- 
+2.14.2
+