2023-12-20  Daniel Kiper  <daniel.kiper@oracle.com>

	Release 2.12

2023-12-20  Glenn Washburn  <development@efficientek.com>

	efi: Add support for reproducible builds
	Having randomly generated bytes in the binary output breaks reproducible
	builds. Since build timestamps are usually the source of irreproducibility
	there is a standard which defines an environment variable SOURCE_DATE_EPOCH
	to be used when set for build timestamps. According to the standard [1], the
	value of SOURCE_DATE_EPOCH is a base-10 integer of the number of seconds
	since the UNIX epoch. Currently, this is a 10 digit number that fits into
	32-bits, but will not shortly after the year 2100. So to be future-proof
	only use the least significant 32-bits. On 64-bit architectures, where the
	canary is also 64-bits, there is an extra 32-bits that can be filled to
	provide more entropy. The first byte is NUL to filter out string buffer
	overflow attacks and the remaining 24-bits are set to static random bytes.

	[1] https://reproducible-builds.org/specs/source-date-epoch

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-20  Glenn Washburn  <development@efficientek.com>

	efi: Generate stack protector canary at build time if urandom is available
	Generating the canary at build time allows the canary to be different for
	every build which could limit the effectiveness of certain exploits.
	Fallback to the statically generated random bytes if /dev/urandom is not
	readable, e.g. Windows.

	On 32-bit architectures, which use a 32-bit canary, reduce the canary to
	4 bytes with one byte being NUL to filter out string buffer overflow attacks.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-20  Glenn Washburn  <development@efficientek.com>

	efi: Initialize canary to non-zero value
	The canary, __stack_chk_guard, is in the BSS and so will get initialized to
	zero if it is not explicitly initialized. If the UEFI firmware does not
	support the RNG protocol, then the canary will not be randomized and will
	be zero. This seems like a possibly easier value to write by an attacker.
	Initialize canary to static random bytes, so that it is still random when
	there is no RNG protocol. Set at least one byte to NUL to protect against
	string buffer overflow attacks [1]. Code that writes NUL terminated strings
	will terminate when a NUL is encountered in the input byte stream. So the
	attacker will not be able to forge the canary by including it in the input
	stream without terminating the string operation and thus limiting the
	stack corruption.

	[1] https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-14  Alec Brown  <alec.r.brown@oracle.com>

	gfxmenu/gui_image: Fix double free of bitmap
	In grub-core/gfxmenu/gui_image.c, Coverity detected a double free in the
	function load_image(). The function checks if self->bitmap and self->raw_bitmap
	aren't NULL and then frees them. In the case self->bitmap and self->raw_bitmap
	are the same, only self->raw_bitmap is freed which would also free the memory
	used by self->bitmap. However, in this case self->bitmap isn't being set to NULL
	which could lead to a double free later in the code. After self->raw_bitmap is
	freed, it gets set to the variable bitmap. If this variable is NULL, the code
	could have a path that would free self->bitmap a second time in the function
	rescale_image().

	Fixes: CID 292472

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-13  Qiumiao Zhang  <zhangqiumiao1@huawei.com>

	commands/acpi: Fix calculation of ACPI tables addresses when processing RSDT and XSDT
	According to the ACPI specification the XSDT Entry field contains an array
	of 64-bit physical addresses which points to other DESCRIPTION_HEADERs. However,
	the entry_ptr iterator is defined as a 32-bit pointer. It means each 64-bit
	entry in the XSDT table is treated as two separate 32-bit entries then. Fix the
	issue by using correct addresses sizes when processing RSDT and XSDT tables.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>

	libnvpair: Support prefixed nvlist symbol names as found on NetBSD
	NetBSD uses slightly different function names for the same functions.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>

	bootstrap: Don't check gettext version
	NetBSD gettext is older than the check but we don't actually need 0.18.3,
	older one works fine. This is needed to make bootstrap work on NetBSD.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>

	kern/mm: Use %x and cast for displaying sizeof()
	There is some variance in how compiler treats sizeof() especially
	on 32-bit platforms where it can be naturally either int or long.
	Explicit cast solves the issue.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>

	configure: Add RPATH for freetype on NetBSD
	Without this build-time mkfont fails dynamic linking. This is not ideal
	but improves the situation until a better solution is available.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>

	configure: Add *BSD font paths
	*BSD puts fonts in other places. Add them to the list.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-13  Vladimir Serbinenko  <phcoder@gmail.com>

	autogen: Accept python3.10 as a python alternative
	NetBSD doesn't provide python or python3.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	build: Rename HAVE_LIBZFS to USE_LIBZFS
	The HAVE_LIBZFS is defined by libzfs test and hence conflicts with
	manual definition. On NetBSD it ends up detecting zfs but not detecting
	nvpair and creates confusion. Split them.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	gnulib: Tolerate always_inline attribute being ignored
	It's not critical, -Werror on it is inappropriate. We don't want to
	modify gnulib too much. This warning is pretty much irrelevant.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	util/editenv: Don't use %m formatter
	It's not available on NetBSD outside of syslog. Using strerror() is more
	reliable as we retrieve errno immediately rather than down the stack.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	osdep/bsd/hostdisk: Fix NetBSD compilation
	Wrong function and variable name cause a stupid compilation error on
	NetBSD and OpenBSD. Only NetBSD and OpenBSD use this file. No other
	platform is affected.

	Additionally, define RAW_FLOPPY_MAJOR constant if it is missing.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	osdep/generic/blocklist: Fix compilation
	After recent change in blocklist types we have a type mismatch. Fixing it
	requires a wrapper or large changes. I feel like wrapper makes more sense.

	Without this patch we end up with a compilation problem and without wrapping
	callback data is not passed properly anymore.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	disk/diskfilter: Remove unused variable
	Variable e is set but never used. We can just remove it now.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	build: Tolerate unused-but-set in generated lexer/bison files
	We don't really control the small aspects of generated files and NetBSD
	version has an unused variable that is then detected by gcc as warning
	that is then promoted to error.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Vladimir Serbinenko  <phcoder@gmail.com>

	loader/i386/bsdXX: Fix loading after unaligned module
	Current code implicitly assumes that aligning chunk_size + *kern_end is
	the same as aligning on curload which is not the case because
	chunk_size starts at zero even if *kern_end is unaligned and ALIGN_PAGE
	moved curload to an aligned position but not *kern_end + chunk_size.

	This fixes booting of FreeBSD with zfs module.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Mate Kukri  <mate.kukri@canonical.com>

	grub-core/Makefile.am: Make path to extra_deps.lst relative to $(top_srcdir)/grub-core
	The commit 154dcb1ae (build: Allow explicit module dependencies) broke
	out of tree builds by introducing the extra_deps.lst file into the
	source tree but referencing it just by name in grub-core/Makefile.am.
	Fix it by adding $(top_srcdir)/grub-core to the path.

	Fixes: 154dcb1ae (build: Allow explicit module dependencies)

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Mate Kukri  <mate.kukri@canonical.com>

	util/grub-install: Move platdir path canonicalization after files were copied to grubdir
	The commit 3f9eace2d (util/grub-install: Delay copying files to
	{grubdir,platdir} after install_device was validated) delaying
	copying of files caused a regression when installing without an
	existing directory structure.

	This patch ensures that the platform directory actually exists by the
	time the code tries to canonicalize its filename.

	Fixes: 3f9eace2d (util/grub-install: Delay copying files to {grubdir,platdir} after install_device was validated)

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Michael Chang  <mchang@suse.com>

	util/grub-mkstandalone: Ensure deterministic tar file creation by sorting contents
	The add_tar_files() function currently iterates through a directory's
	content using readdir(), which doesn't guarantee a specific order. This
	lack of deterministic behavior impacts reproducibility in the build process.

	This commit resolves the issue by introducing sorting functionality.
	The list retrieved by readdir() is now sorted alphabetically before
	incorporation into the tar archive, ensuring consistent and predictable
	file ordering within the archive.

	On the occasion fix tfp memory leak.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-12  Michael Chang  <mchang@suse.com>

	util/grub-mkstandalone: Ensure stable timestamps for generated images
	This change mirrors a previous fix [1] but is specific to images
	generated by grub-mkstandalone.

	The former fix, commit 85a7be241 (util/mkimage: Use stable timestamp
	when generating binaries.), focused on utilizing a stable timestamp
	during binary generation in the util/mkimage context. This commit
	extends that approach to the images produced by grub-mkstandalone,
	ensuring consistency and stability in timestamps across all generated
	binaries.

	[1] 85a7be241 util/mkimage: Use stable timestamp when generating binaries.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Mate Kukri  <mate.kukri@canonical.com>

	net/http: Fix gcc-13 errors relating to type signedness
	Replace definition of HTTP_PORT with a pre-processor macro that converts
	the constant to the correct grub_uint16_t type.

	Change "port" local variable definition in http_establish() to have the
	same type.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com

2023-12-05  Julian Andres Klode  <julian.klode@canonical.com>

	templates: Reinstate unused version comparison functions with warning
	Revert the commit a79c567f6 (templates: Remove unused version comparison
	functions) and add a warning to the functions that they are deprecated.

	Removing the functions directly caused a lot of upgrade issues
	with custom user scripts that called the functions. In Debian and
	Ubuntu, grub-mkconfig is invoked as a post-installation script
	and would fail, causing upgrades to fail halfway through and
	putting the package manager into an inconsistent state.

	FWIW, we get one bug per 2 weeks basically, for an interim Ubuntu
	release which generally does not receive much usage, that is a high
	number.

	The proposal is to pick this for 2.12 and directly after the release
	remove it again. Then users will have time to fix their scripts without
	systems breaking immediately.

	This reverts commit a79c567f6 (templates: Remove unused version
	comparison functions).

	Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
	Cc: Daniel Kiper <daniel.kiper@oracle.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Mate Kukri  <mate.kukri@canonical.com>

	util/grub-install: Delay copying files to {grubdir,platdir} after install_device was validated
	Previously grub-install copied modules to grubdir before doing any
	validation on the install_device.

	When grub-install was called with an invalid install_device, modules
	were already copied to /boot before it found out and was forced to rely
	on atexit() rollback.

	This patch delays copying the modules after at least some install_device
	validation was done, and thus reduces reliance on successful rollback.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Julian Andres Klode  <julian.klode@canonical.com>

	efi: Set shim_lock_enabled even if validation is disabled
	If validation has been disabled via MokSbState, secure boot on the
	firmware is still enabled, and the kernel fails to boot.

	This is a bit hacky, because shim_lock is not *fully* enabled, but
	it triggers the right code paths.

	Ultimately, all this will be resolved by shim gaining it's own image
	loading and starting protocol, so this is more a temporary workaround.

	Fixes: 6425c12cd (efi: Fallback to legacy mode if shim is loaded on x86 archs)

	Cc: Peter Jones <pjones@redhat.com>
	Cc: Michael Chang <mchang@suse.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Oliver Steffen  <osteffen@redhat.com>

	docs: Improve bli module documentation
	Improve the documentation of the bli module and explain in more detail what
	it does. Make clear that GPT formatted drives are expected and other
	partition formats are ignored. Also reorder and reword this section a bit.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Oliver Steffen  <osteffen@redhat.com>

	bli: Add explicit dependency on the part_gpt module
	The bli module has a "hidden" dependency on the part_gpt module, which
	is not picked up automatically by the build system. One purpose of the
	bli module is to communicate the GPT UUID of the partition GRUB was
	launched from to Linux user-space (systemd-gpt-auto-generator).
	Without the part_gpt module, bli is not able to obtain the UUID. Since
	bli does its work in the module initialization function, the order in
	which the modules are loaded is also important: part_gpt needs to be
	loaded before the bli module.

	To solve this, track this dependency explicitly.

	Note that the Boot Loader Interface specification, which bli aims to
	implement, requires GPT formatted drives. The bli module ignores all
	other partition formats.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Oliver Steffen  <osteffen@redhat.com>

	build: Allow explicit module dependencies
	The build system deduces inter-module dependencies from the symbols
	required and exported by the modules. This works well, except for some
	rare cases where the dependency is indirect or hidden. A module might
	not make use of any function of some other module, but still expect its
	functionality to be available to GRUB.

	To solve this, introduce a new file, currently empty, called extra_deps.lst
	to track these cases manually. This file gets processed in the same way
	as the automatically generated syminfo.lst, making it possible to inject
	data into the dependency resolver.

	Since *.lst files are set to be ignored by git, add an exception for
	extra_deps.lst.

	Additionally, introduce a new keyword for the syminfo.lst syntax:
	"depends" allows specifying a module dependency directly:

	  depends <module> <depdendency>...

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init/ppc64: Display upper_mem_limit when debugging
	Display upper_mem_limit and its rounded-down value in MiB.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init/ppc64: Fix a comment
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/ieee1275: Display successful memory claims when debugging
	Display successful memory claims with exact address and rounded-down
	MiB location and rounded-up size in MiB.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Eric Snowberg <eric.snowberg@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	loader/powerpc/ieee1275: Use new allocation function for kernel and initrd
	On PowerVM and KVM on Power use the new memory allocation function that
	honors restrictions on which memory GRUB can actually use. In the request
	structure indicate the request for a single memory block along with
	address alignment restrictions. Request direct usage of the memory block
	by setting init_region to false (prevent it from being added to GRUB's
	heap). Initialize the found addr to -1, so that -1 will be returned
	to the loader in case no memory could be allocated.

	Report an out-of-memory error in case the initrd could not be loaded.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/cmain/ppc64: Introduce flags to identify KVM and PowerVM
	Introduce flags to identify PowerVM and KVM on Power and set them where
	each type of host has been detected.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init/ppc64: Rename regions_claim() to grub_regions_claim()
	Rename regions_claim() to grub_regions_claim() to make it available for
	memory allocation. The ieee1275 loader will use this function on PowerVM
	and KVM on Power and thus avoid usage of memory that it is not allowed
	to use.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init/ppc64: Add support for alignment requirements
	Add support for memory alignment requirements and adjust a candidate
	address to it before checking whether the block is large enough. This
	must be done in this order since the alignment adjustment can make
	a block smaller than what was requested.

	None of the current callers has memory alignment requirements but the
	ieee1275 loader for kernel and initrd will use it to convey them.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init/ppc64: Return allocated address using context
	Return the allocated address of the memory block in the request structure
	if a memory allocation was actually done. Leave the address untouched
	otherwise. This enables a caller who wants to use the allocated memory
	directly, rather than adding the memory to the heap, to see where memory
	was allocated. None of the current callers need this but the converted
	ieee1275 loader will make use of it.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init/ppc64: Decide by request whether to initialize region
	Let the regions_claim() request structure's init_region determine whether
	to call grub_mm_init_region() on it. This allows for adding memory to
	GRUB's memory heap if init_region is set to true, or direct usage of the
	memory otherwise. Set all current callers' init_region to true since they
	want to add memory regions to GRUB's heap.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-12-05  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init/ppc64: Introduce a request for regions_claim()
	The regions_claim() function limits the allocation of memory regions
	by excluding certain memory areas from being used by GRUB. This for
	example includes a gap between 640MB and 768MB as well as an upper
	limit beyond which no memory may be used when an fadump is present.
	However, the ieee1275 loader for kernel and initrd currently does not
	use regions_claim() for memory allocation on PowerVM and KVM on Power
	and therefore may allocate memory in those areas that it should not use.

	To make the regions_claim() function more flexible and ultimately usable
	for the ieee1275 loader, introduce a request structure to pass various
	parameters to the regions_claim() function that describe the properties
	of requested memory chunks. In a first step, move the total and flags
	variables into this structure.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Cc: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>

2023-11-22  Anthony Iliopoulos  <ailiop@suse.com>

	fs/xfs: Add large extent counters incompat feature support
	XFS introduced 64-bit extent counters for inodes via a series of
	upstream commits and the feature was marked as stable in v6.5 via
	commit 61d7e8274cd8 (xfs: drop EXPERIMENTAL tag for large extent
	counts).

	Further, xfsprogs release v6.5.0 switched this feature on by default
	in mkfs.xfs via commit e5b18d7d1d96 (mkfs: enable large extent counts
	by default).

	Filesystems formatted with large extent count support, nrext64=1, are
	thus currently not recognizable by GRUB, since this is an incompat
	feature. Add the required support so that those filesystems and inodes
	with large extent counters can be read by GRUB.

	Reviewed-by: Andrey Albershteyn <aalbersh@redhat.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Tested-by: Marta Lewandowska <mlewando@redhat.com>
	Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

2023-11-08  Vladimir Serbinenko  <phcoder@gmail.com>

	gpt: Add compile time asserts for guid and gpt_partentry sizes
	With new alignment specification it's easy to screw up. Fortunately if it
	happens the size will be bigger than intended. Compile time assert will catch
	this.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-11-08  Vladimir Serbinenko  <phcoder@gmail.com>

	types: Split aligned and packed guids
	On ia64 alignment requirements are strict. When we pass a pointer to
	UUID it needs to be at least 4-byte aligned or EFI will crash.
	On the other hand in device path there is no padding for UUID, so we
	need 2 types in one formor another. Make 4-byte aligned and unaligned types

	The code is structured in a way to accept unaligned inputs
	in most cases and supply 4-byte aligned outputs.

	Efiemu case is a bit ugly because there inputs and outputs are
	reversed and so we need careful casts to account for this
	inversion.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>

	gpt_partition: Mark grub_gpt_partentry as having natural alignment
	gpt_partition contains grub_guid. We need to decide whether the whole
	structure is unaligned and then we need to use packed_guid. But we never
	have unaligned part entries as we read them in an aligned buffer from disk.
	Hence just make it all aligned.

2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>

	efi: Deduplicate configuration table search function
	We do table search in many places doing exactly the same algorithm.
	The only minor variance in users is which table is used if several entries
	are present. As specification mandates uniqueness and even if it ever isn't,
	first entry is good enough, unify this code and always use the first entry.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>

	lsefi: Add missing static qualifier
	known_protocols isn't used anywhere else and even misses grub_ prefix, so
	let's make it local (static).

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-11-06  Vladimir Serbinenko  <phcoder@gmail.com>

	types: Fix typo
	Just a small grammar mistake.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-30  Qiumiao Zhang  <zhangqiumiao1@huawei.com>

	util/grub-mount: Check file path sanity
	The function argp_parser() in util/grub-mount.c lacks a check on the
	sanity of the file path when parsing parameters. This results in
	a segmentation fault if a partition is mounted to a non-existent path.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-30  Richard Marko  <srk@48.io>

	configure: Make the DJVU_FONT_SOURCE configurable with --with-dejavufont=FILE
	Font might be located in different location, the default font might
	not be available on all systems or other font might be preferred.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-30  Mads Kiilerich  <mads@kiilerich.com>

	configure: Make the Unifont FONT_SOURCE configurable with --with-unifont=FILE
	Font might be located in different location, the default font might
	not be available on all systems or other font might be preferred.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-30  Jon DeVree  <nuxi@vault24.org>

	fs/xfs: Fix XFS directory extent parsing
	The XFS directory entry parsing code has never been completely correct
	for extent based directories. The parser correctly handles the case
	where the directory is contained in a single extent, but then mistakenly
	assumes the data blocks for the multiple extent case are each identical
	to the single extent case. The difference in the format of the data
	blocks between the two cases is tiny enough that its gone unnoticed for
	a very long time.

	A recent change introduced some additional bounds checking into the XFS
	parser. Like GRUB's existing parser, it is correct for the single extent
	case but incorrect for the multiple extent case. When parsing a directory
	with multiple extents, this new bounds checking is sometimes (but not
	always) tripped and triggers an "invalid XFS directory entry" error. This
	probably would have continued to go unnoticed but the /boot/grub/<arch>
	directory is large enough that it often has multiple extents.

	The difference between the two cases is that when there are multiple
	extents, the data blocks do not contain a trailer nor do they contain
	any leaf information. That information is stored in a separate set of
	extents dedicated to just the leaf information. These extents come after
	the directory entry extents and are not included in the inode size. So
	the existing parser already ignores the leaf extents.

	The only reason to read the trailer/leaf information at all is so that
	the parser can avoid misinterpreting that data as directory entries. So
	this updates the parser as follows:

	For the single extent case the parser doesn't change much:
	1. Read the size of the leaf information from the trailer
	2. Set the end pointer for the parser to the start of the leaf
	   information. (The previous bounds checking set the end pointer to the
	   start of the trailer, so this is actually a small improvement.)
	3. Set the entries variable to the expected number of directory entries.

	For the multiple extent case:
	1. Set the end pointer to the end of the block.
	2. Do not set up the entries variable. Figuring out how many entries are
	   in each individual block is complex and does not seem worth it when
	   it appears to be safe to just iterate over the entire block.

	The bounds check itself was also dependent upon the faulty XFS parser
	because it accidentally used "filename + length - 1". Presumably this
	was able to pass the fuzzer because in the old parser there was always
	8 bytes of slack space between the tail pointer and the actual end of
	the block. Since this is no longer the case the bounds check needs to be
	updated to "filename + length + 1" in order to prevent a regression in
	the handling of corrupt fliesystems.

	Notes:
	* When there is only one extent there will only ever be one block. If
	  more than one block is required then XFS will always switch to holding
	  leaf information in a separate extent.
	* B-tree based directories seems to be parsed properly by the same code
	  that handles multiple extents. This is unlikely to ever occur within
	  /boot though because its only used when there are an extremely large
	  number of directory entries.

	Fixes: ef7850c75 (fs/xfs: Fix issues found while fuzzing the XFS filesystem)
	Fixes: b2499b29c (Adds support for the XFS filesystem.)
	Fixes: https://savannah.gnu.org/bugs/?64376

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
	Tested-by: Marta Lewandowska <mlewando@redhat.com>

2023-10-30  Lidong Chen  <lidong.chen@oracle.com>

	fs/xfs: Incorrect short form directory data boundary check
	After parsing of the current entry, the entry pointer is advanced
	to the next entry at the end of the "for" loop. In case where the
	last entry is at the end of the data boundary, the advanced entry
	pointer can point off the data boundary. The subsequent boundary
	check for the advanced entry pointer can cause a failure.

	The fix is to include the boundary check into the "for" loop
	condition.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Tested-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
	Tested-by: Marta Lewandowska <mlewando@redhat.com>

2023-10-12  Vladimir 'phcoder' Serbinenko  <phcoder@gmail.com>

	Revert "zfsinfo: Correct a check for error allocating memory"
	Original commit is wrong because grub_file_get_device_name() may return NULL
	if we use implicit $root. Additionally, the grub_errno is guaranteed to be
	GRUB_ERR_NONE at the beginning of a command. So, everything should work as
	expected and Coverity report, CID 73668, WRT to this code should be treated
	as false positive.

	This reverts commit 7aab03418 (zfsinfo: Correct a check for error allocating memory).

	Fixes: 7aab03418 (zfsinfo: Correct a check for error allocating memory)

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  ValdikSS  <iam@valdikss.org.ru>

	disk/i386/pc/biosdisk: Read up to 63 sectors in LBA mode
	Current code imposes limitations on the amount of sectors read in
	a single call according to CHS layout of the disk even in LBA
	read mode. There's no need to obey CHS layout restrictions for
	LBA reads on LBA disks. It only slows down booting process.

	See: https://lore.kernel.org/grub-devel/d42a11fa-2a59-b5e7-08b1-d2c60444bb99@valdikss.org.ru/

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  ValdikSS  <iam@valdikss.org.ru>

	kern/i386/pc/init: Flush cache only on VIA C3 and earlier
	The code flushes the cache on VIA processors unconditionally which
	is excessive. Check for cpuid family and execute wbinvd only on C3
	and earlier.

	Fixes: https://savannah.gnu.org/bugs/?45149
	Fixes: 25492a0f0 (Add wbinvd around bios call.)

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  Fabian Vogt  <fvogt@suse.de>

	fs/btrfs: Zero file data not backed by extents
	Implicit holes in file data need to be zeroed explicitly, instead of
	just leaving the data in the buffer uninitialized.

	This led to kernels randomly failing to boot in "fun" ways when loaded
	from btrfs with the no_holes feature enabled, because large blocks of
	zeros in the kernel file contained random data instead.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Reviewed-by: Qu Wenruo <wqu@suse.com>

2023-10-12  Stefan Berger  <stefanb@linux.ibm.com>

	kern/ieee1275/init: Restrict high memory in presence of fadump on ppc64
	When a kernel dump is present then restrict the high memory regions to
	avoid allocating memory where the kernel dump resides. Use the
	ibm,kernel-dump node under /rtas to determine whether a kernel dump
	exists and up to which limit GRUB can use available memory. Set the
	upper_mem_limit to the size of the kernel dump section of type
	REAL_MODE_REGION and therefore only allow GRUB's memory usage for high
	addresses from RMO_ADDR_MAX to upper_mem_limit. This means that GRUB can
	use high memory in the range of RMO_ADDR_MAX (768MB) to upper_mem_limit
	and the kernel-dump memory regions above upper_mem_limit remain
	untouched. This change has no effect on memory allocations below
	linux_rmo_save (typically at 640MB).

	Also, fall back to allocating below rmo_linux_save in case the chunk of
	memory there would be larger than the chunk of memory above RMO_ADDR_MAX.
	This can for example occur if a free memory area is found starting at 300MB
	extending up to 1GB but a kernel dump is located at 768MB and therefore
	does not allow the allocation of the high memory area but requiring to use
	the chunk starting at 300MB to avoid an unnecessary out-of-memory condition.

	Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
	Cc: Pavithra Prakash <pavrampu@in.ibm.com>
	Cc: Michael Ellerman <mpe@ellerman.id.au>
	Cc: Carolyn Scherrer <cpscherr@us.ibm.com>
	Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
	Cc: Sourabh Jain <sourabhjain@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  Glenn Washburn  <development@efficientek.com>

	tests/util/grub-shell: Enable RNG device to better test stack smashing
	In certain firmwares, e.g. OVMF, the RNG protocol is not enabled unless
	there is an RNG device. When not enabled, GRUB fails to initialize the
	stack guard with random bytes. For testing, this is not a big issue, but
	there have been bugs found in the initialization. So turn this on for EFI
	platforms to catch any regressions.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  Glenn Washburn  <development@efficientek.com>

	kern/efi/init: Disable stack smashing protection on grub_efi_init()
	GCC is electing to instrument grub_efi_init() to give it stack smashing
	protection when configuring with --enable-stack-protector on the x86_64-efi
	target. In the function prologue, the canary at the top of the stack frame
	is set to the value of the stack guard. And in the epilogue, the canary is
	checked to verify if it is equal to the guard and if not to call the stack
	check fail function. The issue is that grub_efi_init() sets up the guard
	by initializing it with random bytes, if the firmware supports the RNG
	protocol. So in its prologue the canary will be set with the value of the
	uninitialized guard, likely NUL bytes. Then the guard is initialized, and
	finally the epilogue checks the canary against the guard, which will almost
	certainly be different. This causes the code path for a smashed stack to be
	taken, causing the machine to print out a message that stack smashing was
	detected, wait 5 seconds, and then reboot. Disable grub_efi_init()
	instrumentation so there is no stack smashing false positive generated.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  Glenn Washburn  <development@efficientek.com>

	disk/cryptodisk: Add support for LUKS2 in (proc)/luks_script
	The sector size in bytes is added to each line and it is allowed to be
	6 decimal digits long, which covers the most common cases of 512 and 4096
	byte sectors with space for two additional digits as future-proofing. The
	size allocation is updated to reflect this additional field. Also make
	clearer the size allocation calculation.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  Glenn Washburn  <development@efficientek.com>

	disk/cryptodisk: Optimize luks_script_get()
	Use the return value of grub_snprintf() to move the string pointer forward,
	instead of incrementing the string pointer iteratively until a NULL byte is
	reached. Move the space out of the format string argument, a small
	optimization, but also makes the spacing clearer. Also, use the new
	PRIxGRUB_OFFSET instead of PRIuGRUB_UINT64_T to accurately reflect the
	format string for this type.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  Glenn Washburn  <development@efficientek.com>

	term/serial: Ensure proper NULL termination after grub_strncpy()
	A large enough argument to the --port option could cause a string buffer
	to be not NULL terminated because grub_strncpy() does not guarantee NULL
	termination if copied string is longer than max characters to copy.

	Fixes: 712309eaae04 (term/serial: Use grub_strncpy() instead of grub_snprintf() when only copying string)

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-12  Heinrich Schuchardt  <heinrich.schuchardt@canonical.com>

	commands/efi/lsefisystab: Print the UEFI specification revision in human readable form
	E.g. 2.10 instead of 00020064 and 2.3.1 instead of 0002001f.

	See UEFI 2.10 specification, chapter 4.2.1 EFI_TABLE_HEADER.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>

	fs/ntfs: Make code more readable
	Move some calls used to access NTFS attribute header fields into
	functions with human-readable names.

	Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>

	fs/ntfs: Fix an OOB read when parsing a volume label
	This fix introduces checks to ensure that an NTFS volume label is always
	read from the corresponding file record segment.

	The current NTFS code allows the volume label string to be read from an
	arbitrary, attacker-chosen memory location. However, the bytes read are
	always treated as UTF-16LE. So, the final string displayed is mostly
	unreadable and it can't be easily converted back to raw bytes.

	The lack of this check is a minor issue, likely not causing a significant
	data leak.

	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>

	fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
	This fix introduces checks to ensure that bitmaps for directory indices
	are never read beyond their actual sizes.

	The lack of this check is a minor issue, likely not exploitable in any way.

	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>

	fs/ntfs: Fix an OOB read when parsing directory entries from resident and non-resident index attributes
	This fix introduces checks to ensure that index entries are never read
	beyond the corresponding directory index.

	The lack of this check is a minor issue, likely not exploitable in any way.

	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>

	fs/ntfs: Fix an OOB read when reading data from the resident $DATA attribute
	When reading a file containing resident data, i.e., the file data is stored in
	the $DATA attribute within the NTFS file record, not in external clusters,
	there are no checks that this resident data actually fits the corresponding
	file record segment.

	When parsing a specially-crafted file system image, the current NTFS code will
	read the file data from an arbitrary, attacker-chosen memory offset and of
	arbitrary, attacker-chosen length.

	This allows an attacker to display arbitrary chunks of memory, which could
	contain sensitive information like password hashes or even plain-text,
	obfuscated passwords from BS EFI variables.

	This fix implements a check to ensure that resident data is read from the
	corresponding file record segment only.

	Fixes: CVE-2023-4693

	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-03  Maxim Suhanov  <dfirblog@gmail.com>

	fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for the $MFT file
	When parsing an extremely fragmented $MFT file, i.e., the file described
	using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
	containing bytes read from the underlying drive to store sector numbers,
	which are consumed later to read data from these sectors into another buffer.

	These sectors numbers, two 32-bit integers, are always stored at predefined
	offsets, 0x10 and 0x14, relative to first byte of the selected entry within
	the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.

	However, when parsing a specially-crafted file system image, this may cause
	the NTFS code to write these integers beyond the buffer boundary, likely
	causing the GRUB memory allocator to misbehave or fail. These integers contain
	values which are controlled by on-disk structures of the NTFS file system.

	Such modification and resulting misbehavior may touch a memory range not
	assigned to the GRUB and owned by firmware or another EFI application/driver.

	This fix introduces checks to ensure that these sector numbers are never
	written beyond the boundary.

	Fixes: CVE-2023-4692

	Reported-by: Maxim Suhanov <dfirblog@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2023-10-03  Michael Chang  <mchang@suse.com>

	kern/acpi: Skip NULL entries in RSDT and XSDT
	During attempts to configure a serial console, a Page Fault Exception
	and system reset were encountered, specifically on release 2.12~rc1.
	This issue was not present in prior versions and seemed to affect only
	a specific machine, potentially pointing to hardware or firmware flaw.

	After investigation, it was discovered that the invalid page access
