SECURITY: Update security team members names/fingerprints

Daniel has stepped down [1] whereas Marta and Leo are joining the security team.

[1] https://lists.gnu.org/archive/html/grub-devel/2026-02/msg00021.html

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Andrew Hamilton <adhamilt@gmail.com>

.gitignore

@@ -238,7 +238,8 @@ widthspec.bin
 /lzocompress_test
 /luks1_test
 /luks2_test
-/m4/
+/m4/*
+!/m4/ax_check_link_flag.m4
 /minixfs_test
 /missing
 /netboot_test

MAINTAINERS

@@ -2,7 +2,8 @@ List of current GRUB maintainers and some basic information about the project
 =============================================================================
 
 Here is the list of current GRUB maintainers:
-  - Daniel Kiper <daniel.kiper@oracle.com> and <dkiper@net-space.pl>,
+  - Leo Sandoval <lsandova@redhat.com>,
+  - Marta Lewandowska <mlewando@redhat.com>,
   - Alex Burmashev <alexander.burmashev@oracle.com>,
   - Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>.
 
@@ -13,10 +14,9 @@ file to get more information how to properly report this kind of bugs to
 the maintainers.
 
 The GRUB development happens on the grub-devel mailing list [1]. The latest
-GRUB source code is available at Savannah git repository [2].
-
-Users can ask for help on the help-grub mailing list [3].
+GRUB source code is available at freedesktop git repository [2].
 
+Users can also ask for help on the same grub-devel mailing list [1].
 
 List of past GRUB maintainers and people who strongly contributed to the project
 ================================================================================
@@ -25,11 +25,11 @@ Here is the list, sorted alphabetically, of past GRUB maintainers and people who
 strongly contributed to the project:
   - Andrei Borzenkov,
   - Bryan Ford,
+  - Daniel Kiper,
   - Erich Stefan Boleyn,
   - Gordon Matzigkeit,
   - Yoshinori K. Okuji.
 
 
-[1] https://lists.gnu.org/mailman/listinfo/grub-devel
-[2] https://git.savannah.gnu.org/gitweb/?p=grub.git&view=view+git+repository
-[3] https://lists.gnu.org/mailman/listinfo/help-grub
+[1] https://lists.freedesktop.org/postorius/lists/grub-devel.lists.freedesktop.org/
+[2] https://gitlab.freedesktop.org/gnu-grub/grub/

Makefile.util.def

@@ -1294,13 +1294,13 @@ script = {
 };
 
 script = {
-  testcase = native;
+  testcase = nonnative;
   name = asn1_test;
   common = tests/asn1_test.in;
 };
 
 script = {
-  testcase = native;
+  testcase = nonnative;
   name = tpm2_key_protector_test;
   common = tests/tpm2_key_protector_test.in;
 };

NEWS

@@ -1,3 +1,26 @@
+New in 2.14:
+
+* libgcrypt 1.11.
+* LVM LV integrity and cachevol support.
+* EROFS support.
+* GRUB environment block inside the Btrfs header support.
+* NX support for EFI platforms.
+* shim loader protocol support.
+* BLS and UKI support.
+* Argon2 KDF support.
+* TPM2 key protector support.
+* Appended Signature Secure Boot Support for PowerPC.
+* New option to block command line interface.
+* Support dates outside of 1901..2038 range.
+* zstdio decompression support.
+* EFI code improvements and fixes.
+* TPM driver fixes.
+* Filesystems fixes.
+* CVE and Coverity fixes.
+* Tests improvements.
+* Documentation improvements.
+* ... and tons of other fixes and cleanups...
+
 New in 2.12:
 
 * GCC 13 support.

SECURITY

@@ -49,9 +49,11 @@ on each step of the process.
 
 While there's currently no bug bounty program we appreciate every report.
 
-* Contact: Daniel Kiper <daniel.kiper@oracle.com> and
-           Daniel Kiper <dkiper@net-space.pl>
-* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166
+* Contact: Marta Lewandowska <mlewando@redhat.com>
+* PGP Key Fingerprint: 5B21 5739 7348 6620 C0FF  7073 DDF0 92F7 4C8F 619B
+
+* Contact: Leonardo Sandoval Gonzalez <lsandova@redhat.com>
+* PGP Key Fingerprint: DFB6 2CC1 A987 E6C7 6EBF  8143 916E C070 8CDF DDFD
 
 * Contact: Alex Burmashev <alexander.burmashev@oracle.com>
 * PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E

acinclude.m4

@@ -79,11 +79,6 @@ AC_DEFUN([grub_PROG_OBJCOPY_ABSOLUTE],
 [AC_MSG_CHECKING([whether ${TARGET_OBJCOPY} works for absolute addresses])
 AC_CACHE_VAL(grub_cv_prog_objcopy_absolute,
 [cat > conftest.c <<\EOF
-asm (
-    ".globl start, _start, __start\n"
-    ".ifdef cmain; .set start = _start = __start = cmain\n.endif\n"
-    ".ifdef _cmain; .set start = _start = __start = _cmain\n.endif\n"
-);
 void cmain (void);
 void
 cmain (void)
@@ -98,7 +93,18 @@ else
 fi
 grub_cv_prog_objcopy_absolute=yes
 for link_addr in 0x2000 0x8000 0x7C00; do
-  if AC_TRY_COMMAND([${CC-cc} ${TARGET_CFLAGS} ${TARGET_LDFLAGS} -nostdlib ${TARGET_IMG_LDFLAGS_AC} ${TARGET_IMG_BASE_LDOPT},$link_addr conftest.o -o conftest.exec]); then :
+
+  target_img_base_ld="${TARGET_IMG_BASE_LDOPT}"
+  case "$target_img_base_ld" in
+    *_grub_text_base)
+      target_img_base_ld="${target_img_base_ld}=$link_addr"
+    ;;
+    *)
+      target_img_base_ld="${target_img_base_ld},$link_addr"
+    ;;
+  esac
+
+  if AC_TRY_COMMAND([${CC-cc} ${TARGET_CFLAGS} ${TARGET_LDFLAGS} -nostdlib ${TARGET_IMG_LDFLAGS_AC} ${target_img_base_ld} conftest.o -o conftest.exec]); then :
   else
     AC_MSG_ERROR([${CC-cc} cannot link at address $link_addr])
   fi

conf/Makefile.extra-dist

@@ -16,7 +16,8 @@ EXTRA_DIST += docs/autoiso.cfg
 EXTRA_DIST += docs/grub.cfg
 EXTRA_DIST += docs/osdetect.cfg
 
-EXTRA_DIST += conf/i386-cygwin-img-ld.sc
+EXTRA_DIST += conf/i386-cygwin-img.lds
+EXTRA_DIST += conf/i386-pc-kernel.lds
 
 EXTRA_DIST += grub-core/Makefile.core.def
 EXTRA_DIST += grub-core/Makefile.gcry.def
@@ -72,6 +73,7 @@ EXTRA_DIST += grub-core/lib/libtasn1
 EXTRA_DIST += $(shell find $(top_srcdir)/include -name '*.h')
 EXTRA_DIST += $(shell find $(top_srcdir)/grub-core/lib -name '*.h')
 EXTRA_DIST += grub-core/efiemu/runtime/config.h
+EXTRA_DIST += grub-core/tests/crypto_cipher_mode_vectors.h
 EXTRA_DIST += grub-core/tests/asn1/asn1_test.h
 EXTRA_DIST += $(shell find $(top_srcdir)/grub-core/tests/asn1/tests -name '*.h')
 EXTRA_DIST += $(shell find $(top_srcdir)/grub-core/commands/tpm2_key_protector -name '*.h')

conf/i386-cygwin-img.lds

@@ -2,6 +2,7 @@
 
 SECTIONS
 {
+  . = _grub_text_base;
   .text :
   {
     start = . ;

conf/i386-pc-kernel.lds

@@ -0,0 +1,51 @@
+ENTRY(_start)
+
+/*
+ * Align sections to a 16-byte boundary. This guarantees ABI compatibility with
+ * C generated code.
+ */
+SECTION_ALIGN = 0x10;
+
+PHDRS {
+    text PT_LOAD FLAGS(7) /* PF_R | PF_W | PF_X */;
+}
+
+SECTIONS
+{
+    /*
+     * Set section alignment to 1. This allows sections to be aligned without
+     * creating holes in the VMA space or gaps in the file.
+     */
+    . = _grub_text_base;
+    .text ALIGN(0x1) : {
+        _start = .;
+        *(.text .text.*)
+        . = ALIGN(SECTION_ALIGN);
+    } :text
+    .rodata ALIGN(0x1) : {
+        *(.rodata .rodata.*)
+        . = ALIGN(SECTION_ALIGN);
+    } :text
+    .module_license ALIGN(0x1) : {
+        *(.module_license)
+        . = ALIGN(SECTION_ALIGN);
+    } :text
+    .data ALIGN(0x1) : {
+        *(.data .data.*)
+        . = ALIGN(SECTION_ALIGN);
+        _edata = .;
+    } :text
+    .bss ALIGN(0x1) : {
+        __bss_start = .;
+        *(.bss .bss.*)
+        *(COMMON)
+        . = ALIGN(SECTION_ALIGN);
+        _end = .;
+    } :text
+    /DISCARD/ : {
+        *(.interp)
+        *(.note*)
+        *(.comment)
+        *(.build-id)
+    }
+}

configure.ac

@@ -34,7 +34,7 @@ dnl "TARGET_" (such as TARGET_CC, TARGET_CFLAGS, etc.) are used for
 dnl the target type. See INSTALL for full list of variables and
 dnl description of the relationships between them.
 
-AC_INIT([GRUB],[2.14~rc1],[bug-grub@gnu.org])
+AC_INIT([GRUB],[2.15],[bug-grub@gnu.org])
 
 AS_CASE(["$ERROR_PLATFORM_NOT_SUPPORT_SSP"],
   [n | no | nO | N | No | NO], [ERROR_PLATFORM_NOT_SUPPORT_SSP=no],
@@ -1454,13 +1454,16 @@ if test x$grub_cv_target_cc_link_format = x-arch,i386 || test x$grub_cv_target_c
    TARGET_IMG_LDFLAGS='-nostdlib -static -Wl,-preload -Wl,-segalign,20'
    TARGET_IMG_LDFLAGS_AC='-nostdlib -static -Wl,-preload -Wl,-segalign,20'
    TARGET_IMG_BASE_LDOPT="-Wl,-image_base"
+   TARGET_IMG_BASE_LDOPT_ARG_SEP=","
    TARGET_LDFLAGS_OLDMAGIC=""
 elif test x$grub_cv_target_cc_link_format = x-mi386pe || test x$grub_cv_target_cc_link_format = x-mi386pep ; then
   TARGET_APPLE_LINKER=0
   TARGET_LDFLAGS_OLDMAGIC="-Wl,-N"
-  TARGET_IMG_LDSCRIPT='$(top_srcdir)'"/conf/i386-cygwin-img-ld.sc"
+  TARGET_IMG_LDSCRIPT='$(top_srcdir)'"/conf/i386-cygwin-img.lds"
   TARGET_IMG_LDFLAGS="-Wl,-T${TARGET_IMG_LDSCRIPT}"
-  TARGET_IMG_LDFLAGS_AC="-Wl,-T${srcdir}/conf/i386-cygwin-img-ld.sc"
+  TARGET_IMG_LDFLAGS_AC="-Wl,-T${srcdir}/conf/i386-cygwin-img.lds"
+  TARGET_IMG_BASE_LDOPT="-Wl,--defsym=_grub_text_base"
+  TARGET_IMG_BASE_LDOPT_ARG_SEP="="
   TARGET_IMG_CFLAGS=
 else
   TARGET_APPLE_LINKER=0
@@ -1468,6 +1471,27 @@ else
   TARGET_IMG_LDSCRIPT=
   TARGET_IMG_LDFLAGS='-Wl,-N'
   TARGET_IMG_LDFLAGS_AC='-Wl,-N'
+  if test "x$target_cpu-$platform" != "xi386-pc"; then
+    AX_CHECK_LINK_FLAG([-Wl,--image-base,0],
+        [TARGET_IMG_BASE_LDOPT="-Wl,--image-base,0 -Wl,-Ttext"],
+        [TARGET_IMG_BASE_LDOPT="-Wl,-Ttext"],
+        [],
+        [AC_LANG_SOURCE([
+    asm (".globl start; start:");
+    asm (".globl _start; _start:");
+    asm (".globl __start; __start:");
+    void __main (void);
+    void __main (void) {}
+    int main (void);
+        ])])
+    TARGET_IMG_BASE_LDOPT_ARG_SEP=","
+  else
+    TARGET_IMG_BASE_LDOPT="-Wl,--defsym=_grub_text_base"
+    TARGET_IMG_BASE_LDOPT_ARG_SEP="="
+    TARGET_IMG_LDSCRIPT='$(top_srcdir)'"/conf/i386-pc-kernel.lds"
+    TARGET_IMG_LDFLAGS="${TARGET_IMG_LDFLAGS} -Wl,-T${TARGET_IMG_LDSCRIPT}"
+    TARGET_IMG_LDFLAGS_AC="-Wl,-T${srcdir}/conf/i386-pc-kernel.lds"
+  fi
   TARGET_IMG_CFLAGS=
 fi
 
@@ -1543,21 +1567,6 @@ AC_SUBST(TARGET_LDFLAGS_OLDMAGIC)
 
 LDFLAGS="$TARGET_LDFLAGS"
 
-if test "$target_cpu" = x86_64 || test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64 ; then
-  # Use large model to support 4G memory
-  AC_CACHE_CHECK([whether option -mcmodel=large works], grub_cv_cc_mcmodel, [
-    CFLAGS="$TARGET_CFLAGS -mcmodel=large"
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
-		      [grub_cv_cc_mcmodel=yes],
-		      [grub_cv_cc_mcmodel=no])
-  ])
-  if test "x$grub_cv_cc_mcmodel" = xyes; then
-    TARGET_CFLAGS="$TARGET_CFLAGS -mcmodel=large"
-  elif test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64; then
-    TARGET_CFLAGS="$TARGET_CFLAGS -mcmodel=medany"
-  fi
-fi
-
 if test "$target_cpu"-"$platform" = x86_64-efi; then
   # EFI writes to stack below %rsp, we must not use the red zone
   AC_CACHE_CHECK([whether option -mno-red-zone works], grub_cv_cc_no_red_zone, [
@@ -1666,6 +1675,21 @@ fi]
 
 CFLAGS="$TARGET_CFLAGS"
 
+if test "$target_cpu" = x86_64 || test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64 ; then
+  # Use large model to support 4G memory
+  AC_CACHE_CHECK([whether option -mcmodel=large works], grub_cv_cc_mcmodel, [
+    CFLAGS="$TARGET_CFLAGS -mcmodel=large"
+    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+		      [grub_cv_cc_mcmodel=yes],
+		      [grub_cv_cc_mcmodel=no])
+  ])
+  if test "x$grub_cv_cc_mcmodel" = xyes; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -mcmodel=large"
+  elif test "$target_cpu" = sparc64 || test "$target_cpu" = riscv64; then
+    TARGET_CFLAGS="$TARGET_CFLAGS -mcmodel=medany"
+  fi
+fi
+
 # Stack smashing protector.
 grub_CHECK_STACK_PROTECTOR
 AC_ARG_ENABLE([stack-protector],
@@ -1793,18 +1817,6 @@ LIBS=""
 grub_ASM_USCORE
 grub_PROG_TARGET_CC
 if test "x$TARGET_APPLE_LINKER" != x1 ; then
-AX_CHECK_LINK_FLAG([-Wl,--image-base,0x400000],
-    [TARGET_IMG_BASE_LDOPT="-Wl,--image-base"],
-    [TARGET_IMG_BASE_LDOPT="-Wl,-Ttext"],
-    [],
-    [AC_LANG_SOURCE([
-asm (".globl start; start:");
-asm (".globl _start; _start:");
-asm (".globl __start; __start:");
-void __main (void);
-void __main (void) {}
-int main (void);
-    ])])
 grub_PROG_OBJCOPY_ABSOLUTE
 fi
 grub_PROG_LD_BUILD_ID_NONE
@@ -1812,7 +1824,18 @@ if test "x$target_cpu" = xi386; then
   if test "$platform" != emu && test "x$TARGET_APPLE_LINKER" != x1 ; then
     if test ! -z "$TARGET_IMG_LDSCRIPT"; then
       # Check symbols provided by linker script.
-      CFLAGS="$TARGET_CFLAGS -nostdlib ${TARGET_IMG_LDFLAGS_AC} ${TARGET_IMG_BASE_LDOPT},0x8000"
+      target_img_base_ld="${TARGET_IMG_BASE_LDOPT}"
+      case "$target_img_base_ld" in
+        *_grub_text_base)
+          target_img_base_ld="${target_img_base_ld}="
+        ;;
+        *)
+          target_img_base_ld="${target_img_base_ld},"
+        ;;
+      esac
+      target_img_base_ld="${target_img_base_ld}0x8000"
+      CFLAGS="$TARGET_CFLAGS -nostdlib ${TARGET_IMG_LDFLAGS_AC} ${target_img_base_ld}"
+      target_img_base_ld=""
     fi
     grub_CHECK_BSS_START_SYMBOL
     grub_CHECK_END_SYMBOL
@@ -2414,6 +2437,7 @@ AC_SUBST(TARGET_CCASFLAGS)
 AC_SUBST(TARGET_IMG_LDFLAGS)
 AC_SUBST(TARGET_IMG_CFLAGS)
 AC_SUBST(TARGET_IMG_BASE_LDOPT)
+AC_SUBST(TARGET_IMG_BASE_LDOPT_ARG_SEP)
 AC_SUBST(TARGET_APPLE_LINKER)
 
 AC_SUBST(HOST_CFLAGS)

docs/grub.texi

@@ -4078,6 +4078,7 @@ Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.
 * cpio_be_module::
 * cpuid_module::
 * crc64_module::
+* crypto_cipher_mode_test_module::
 * crypto_module::
 * cryptodisk_module::
 * cs5536_module::
@@ -4610,6 +4611,10 @@ various CPU features. @xref{cpuid} for more information.
 @section crc64
 This module provides support for the CRC64 operation.
 
+@node crypto_cipher_mode_test_module
+@section crypto_cipher_mode_test
+This module performs various cipher mode encryption/decryption tests
+
 @node crypto_module
 @section crypto
 This module provides library support for various base cryptography operations

grub-core/Makefile.core.def

@@ -10,6 +10,7 @@ transform_data = {
   installdir = noinst;
   name = genmod.sh;
   common = genmod.sh.in;
+  i386_pc_ldflags = '$(TARGET_IMG_LDFLAGS)';
 };
 
 transform_data = {
@@ -82,21 +83,21 @@ kernel = {
   riscv64_efi_stripflags   = '--strip-unneeded -K start -R .note -R .comment -R .note.gnu.gold-version -R .eh_frame';
 
   i386_pc_ldflags          = '$(TARGET_IMG_LDFLAGS)';
-  i386_pc_ldflags          = '$(TARGET_IMG_BASE_LDOPT),0x9000';
+  i386_pc_ldflags          = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x9000';
   i386_qemu_ldflags        = '$(TARGET_IMG_LDFLAGS)';
-  i386_qemu_ldflags        = '$(TARGET_IMG_BASE_LDOPT),0x9000';
+  i386_qemu_ldflags        = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x9000';
   i386_coreboot_ldflags    = '$(TARGET_IMG_LDFLAGS)';
-  i386_coreboot_ldflags    = '$(TARGET_IMG_BASE_LDOPT),0x9000';
+  i386_coreboot_ldflags    = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x9000';
   i386_multiboot_ldflags   = '$(TARGET_IMG_LDFLAGS)';
-  i386_multiboot_ldflags   = '$(TARGET_IMG_BASE_LDOPT),0x9000';
+  i386_multiboot_ldflags   = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x9000';
   i386_ieee1275_ldflags    = '$(TARGET_IMG_LDFLAGS)';
-  i386_ieee1275_ldflags    = '$(TARGET_IMG_BASE_LDOPT),0x10000';
+  i386_ieee1275_ldflags    = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x10000';
   i386_xen_ldflags         = '$(TARGET_IMG_LDFLAGS)';
-  i386_xen_ldflags         = '$(TARGET_IMG_BASE_LDOPT),0';
+  i386_xen_ldflags         = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0';
   x86_64_xen_ldflags       = '$(TARGET_IMG_LDFLAGS)';
   x86_64_xen_ldflags       = '$(TARGET_IMG_BASE_LDOPT),0';
   i386_xen_pvh_ldflags     = '$(TARGET_IMG_LDFLAGS)';
-  i386_xen_pvh_ldflags     = '$(TARGET_IMG_BASE_LDOPT),0x100000';
+  i386_xen_pvh_ldflags     = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x100000';
 
   mips_loongson_ldflags    = '-Wl,-Ttext,0x80200000';
   powerpc_ieee1275_ldflags = '-Wl,-Ttext,0x200000';
@@ -450,10 +451,10 @@ image = {
   sparc64_ieee1275 = boot/sparc64/ieee1275/boot.S;
 
   i386_pc_ldflags = '$(TARGET_IMG_LDFLAGS)';
-  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x7C00';
+  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x7C00';
 
   i386_qemu_ldflags = '$(TARGET_IMG_LDFLAGS)';
-  i386_qemu_ldflags = '$(TARGET_IMG_BASE_LDOPT),$(GRUB_BOOT_MACHINE_LINK_ADDR)';
+  i386_qemu_ldflags = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)$(GRUB_BOOT_MACHINE_LINK_ADDR)';
   i386_qemu_ccasflags = '-DGRUB_BOOT_MACHINE_LINK_ADDR=$(GRUB_BOOT_MACHINE_LINK_ADDR)';
 
   /* The entry point for a.out binaries on sparc64 starts
@@ -478,7 +479,7 @@ image = {
   cppflags = '-DHYBRID_BOOT=1';
   
   i386_pc_ldflags = '$(TARGET_IMG_LDFLAGS)';
-  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x7C00';
+  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x7C00';
 
   objcopyflags = '-O binary';
   enable = i386_pc;
@@ -489,7 +490,7 @@ image = {
 
   i386_pc = boot/i386/pc/cdboot.S;
   i386_pc_ldflags = '$(TARGET_IMG_LDFLAGS)';
-  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x7C00';
+  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x7C00';
 
   sparc64_ieee1275 = boot/sparc64/ieee1275/boot.S;
 
@@ -509,7 +510,7 @@ image = {
   i386_pc = boot/i386/pc/pxeboot.S;
 
   i386_pc_ldflags = '$(TARGET_IMG_LDFLAGS)';
-  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x7C00';
+  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x7C00';
 
   objcopyflags = '-O binary';
   enable = i386_pc;
@@ -520,7 +521,7 @@ image = {
   i386_pc = boot/i386/pc/diskboot.S;
 
   i386_pc_ldflags = '$(TARGET_IMG_LDFLAGS)';
-  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x8000';
+  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x8000';
 
   sparc64_ieee1275 = boot/sparc64/ieee1275/diskboot.S;
   sparc64_ieee1275_ldflags = '-Wl,-Ttext=0x4200';
@@ -536,7 +537,7 @@ image = {
   i386_pc = boot/i386/pc/lnxboot.S;
 
   i386_pc_ldflags = '$(TARGET_IMG_LDFLAGS)';
-  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x6000';
+  i386_pc_ldflags = '$(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x6000';
 
   objcopyflags = '-O binary';
   enable = i386_pc;
@@ -578,7 +579,7 @@ image = {
   i386_pc_nodist = rs_decoder.h;
 
   objcopyflags = '-O binary';
-  ldflags = '$(TARGET_IMG_LDFLAGS) $(TARGET_IMG_BASE_LDOPT),0x8200';
+  ldflags = '$(TARGET_IMG_LDFLAGS) $(TARGET_IMG_BASE_LDOPT)$(TARGET_IMG_BASE_LDOPT_ARG_SEP)0x8200';
   enable = i386_pc;
 };
 
@@ -2272,6 +2273,11 @@ module = {
   common = tests/argon2_test.c;
 };
 
+module = {
+  name = crypto_cipher_mode_test;
+  common = tests/crypto_cipher_mode_test.c;
+};
+
 module = {
   name = legacy_password_test;
   common = tests/legacy_password_test.c;

grub-core/commands/blsuki.c

@@ -88,7 +88,7 @@ static const struct grub_arg_option uki_opt[] =
     {"enable-fallback", 'f', 0, "Fallback to the default BLS path if --path fails to find UKI entries.", 0, ARG_TYPE_NONE},
     {"show-default", 'd', 0, N_("Allow the default UKI entry to be added to the GRUB menu."), 0, ARG_TYPE_NONE},
     {"show-non-default", 'n', 0, N_("Allow the non-default UKI entries to be added to the GRUB menu."), 0, ARG_TYPE_NONE},
-    {"entry", 'e', 0, N_("Allow specificUKII entries to be added to the GRUB menu."), N_("FILE"), ARG_TYPE_FILE},
+    {"entry", 'e', 0, N_("Allow specific UKI entries to be added to the GRUB menu."), N_("FILE"), ARG_TYPE_FILE},
     {0, 0, 0, 0, 0, 0}
   };
 #endif
@@ -1210,7 +1210,7 @@ blsuki_find_entry (struct find_entry_info *info, bool enable_fallback, enum blsu
 
       /*
        * If we aren't able to find BLS entries in the directory given by info->dirname,
-       * we can fallback to the default location "/boot/loader/entries/" and see if we
+       * we can fallback to the default location of "/loader/entries/" and see if we
        * can find the files there. If we can't find UKI entries, fallback to
        * "/EFI/Linux" on the EFI system partition.
        */
@@ -1231,7 +1231,7 @@ blsuki_find_entry (struct find_entry_info *info, bool enable_fallback, enum blsu
 	  tmp = blsuki_update_boot_device (default_dir);
 	  tmp = grub_stpcpy (tmp, cmd_dir);
 
-	  blsuki_set_find_entry_info (info, default_dir, NULL, cmd_type);
+	  blsuki_set_find_entry_info (info, default_dir, info->devid, cmd_type);
 	  grub_dprintf ("blsuki", "Entries weren't found in %s, fallback to %s\n",
 			read_entry_info.dirname, info->dirname);
 	  fallback = true;
@@ -1458,9 +1458,11 @@ blsuki_cmd (grub_extcmd_context_t ctxt, enum blsuki_cmd_type cmd_type)
 }
 
 static grub_err_t
-grub_cmd_blscfg (grub_extcmd_context_t ctxt, int argc __attribute__ ((unused)),
+grub_cmd_blscfg (grub_extcmd_context_t ctxt, int argc,
 		 char **args __attribute__ ((unused)))
 {
+  if (argc != 0)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("unexpected argument(s) found, see --help"));
   return blsuki_cmd (ctxt, BLSUKI_BLS_CMD);
 }
 
@@ -1468,9 +1470,11 @@ static grub_extcmd_t bls_cmd;
 
 #ifdef GRUB_MACHINE_EFI
 static grub_err_t
-grub_cmd_uki (grub_extcmd_context_t ctxt, int argc __attribute__ ((unused)),
+grub_cmd_uki (grub_extcmd_context_t ctxt, int argc,
 		 char **args __attribute__ ((unused)))
 {
+  if (argc != 0)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("unexpected argument(s) found, see --help"));
   return blsuki_cmd (ctxt, BLSUKI_UKI_CMD);
 }
 
@@ -1480,7 +1484,7 @@ static grub_extcmd_t uki_cmd;
 GRUB_MOD_INIT(blsuki)
 {
   bls_cmd = grub_register_extcmd ("blscfg", grub_cmd_blscfg, 0,
-				  N_("[-p|--path] [-f|--enable-fallback] DIR [-d|--show-default] [-n|--show-non-default] [-e|--entry] FILE"),
+				  N_("[-p|--path] DIR [-f|--enable-fallback] [-d|--show-default] [-n|--show-non-default] [-e|--entry] FILE"),
 				  N_("Import Boot Loader Specification snippets."),
 				  bls_opt);
 #ifdef GRUB_MACHINE_EFI

grub-core/commands/efi/lsefi.c

@@ -129,6 +129,7 @@ grub_cmd_lsefi (grub_command_t cmd __attribute__ ((unused)),
 
     }
 
+  grub_free (handles);
   return 0;
 }
 

grub-core/commands/efi/lsefisystab.c

@@ -47,6 +47,7 @@ static const struct guid_mapping guid_mappings[] =
     { GRUB_EFI_HOB_LIST_GUID, "HOB LIST"},
     { GRUB_EFI_IMAGE_SECURITY_DATABASE_GUID, "IMAGE EXECUTION INFORMATION"},
     { GRUB_EFI_LZMA_CUSTOM_DECOMPRESS_GUID, "LZMA CUSTOM DECOMPRESS"},
+    { GRUB_EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMORY ATTRIBUTES TABLE"},
     { GRUB_EFI_MEMORY_TYPE_INFORMATION_GUID, "MEMORY TYPE INFO"},
     { GRUB_EFI_MPS_TABLE_GUID, "MPS"},
     { GRUB_EFI_RT_PROPERTIES_TABLE_GUID, "RT PROPERTIES"},
@@ -54,6 +55,7 @@ static const struct guid_mapping guid_mappings[] =
     { GRUB_EFI_SMBIOS_TABLE_GUID, "SMBIOS"},
     { GRUB_EFI_SMBIOS3_TABLE_GUID, "SMBIOS3"},
     { GRUB_EFI_SYSTEM_RESOURCE_TABLE_GUID, "SYSTEM RESOURCE TABLE"},
+    { GRUB_EFI_TCG2_FINAL_EVENTS_TABLE_GUID, "TCG2 FINAL EVENTS TABLE"},
     { GRUB_EFI_TIANO_CUSTOM_DECOMPRESS_GUID, "TIANO CUSTOM DECOMPRESS"},
     { GRUB_EFI_TSC_FREQUENCY_GUID, "TSC FREQUENCY"},
   };

grub-core/commands/efi/tpm.c

@@ -39,7 +39,7 @@ static grub_uint8_t grub_tpm_version;
 
 static grub_int8_t tpm1_present = -1;
 static grub_int8_t tpm2_present = -1;
-static grub_int8_t tpm2_pcr_banks_reporting_present = -1;
+static grub_efi_int64_t tpm2_active_pcr_banks = -1;
 
 static grub_efi_boolean_t
 grub_tpm1_present (grub_efi_tpm_protocol_t *tpm)
@@ -90,34 +90,6 @@ grub_tpm2_present (grub_efi_tpm2_protocol_t *tpm)
   return (grub_efi_boolean_t) tpm2_present;
 }
 
-static grub_efi_boolean_t
-grub_tpm2_pcr_banks_reporting_present (grub_efi_tpm2_protocol_t *tpm)
-{
-  grub_efi_status_t status;
-  EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
-
-  caps.Size = (grub_uint8_t) sizeof (caps);
-
-  if (tpm2_pcr_banks_reporting_present != -1)
-    return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
-
-  if (!grub_tpm2_present (tpm))
-    return (grub_efi_boolean_t) (tpm2_pcr_banks_reporting_present = 0);
-
-  status = tpm->get_capability (tpm, &caps);
-
-  if (status != GRUB_EFI_SUCCESS || caps.StructureVersion.Major < 1
-      || (caps.StructureVersion.Major == 1 && caps.StructureVersion.Minor < 1))
-    tpm2_pcr_banks_reporting_present = 0;
-  else
-    tpm2_pcr_banks_reporting_present = 1;
-
-  grub_dprintf ("tpm", "tpm2 PCR banks reporting%s present\n",
-		tpm2_pcr_banks_reporting_present ? "" : " NOT");
-
-  return (grub_efi_boolean_t) tpm2_pcr_banks_reporting_present;
-}
-
 static grub_efi_boolean_t
 grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
 		      grub_efi_uint8_t *protocol_version)
@@ -141,6 +113,7 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
       grub_tpm_version = 1;
       *protocol_version = 1;
       grub_dprintf ("tpm", "TPM handle Found, version: 1\n");
+      grub_free (handles);
       return 1;
     }
 
@@ -153,6 +126,7 @@ grub_tpm_handle_find (grub_efi_handle_t *tpm_handle,
       grub_tpm_version = 2;
       *protocol_version = 2;
       grub_dprintf ("tpm", "TPM handle Found, version: 2\n");
+      grub_free (handles);
       return 1;
     }
 
@@ -365,32 +339,45 @@ grub_tpm_present (void)
 grub_uint32_t
 grub_tpm2_active_pcr_banks (void)
 {
+  EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
   grub_efi_handle_t tpm_handle;
   grub_efi_uint8_t protocol_version;
   grub_efi_tpm2_protocol_t *tpm;
-  grub_efi_uint32_t active_pcr_banks = 0;
+  grub_efi_uint32_t active_pcr_banks;
+  grub_efi_status_t status;
+
+  if (tpm2_active_pcr_banks >= 0)
+    return (grub_uint32_t) tpm2_active_pcr_banks;
 
   if (!grub_tpm_handle_find (&tpm_handle, &protocol_version))
-    return 0;
+    return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
 
   if (protocol_version == 1)
-    return 0; /* We report TPM2 status */
+    return (grub_uint32_t) (tpm2_active_pcr_banks = 0); /* We report TPM2 status. */
 
   tpm = grub_efi_open_protocol (tpm_handle, &tpm2_guid,
 				GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
   if (tpm == NULL)
     {
       grub_dprintf ("tpm", "Cannot open TPM2 protocol\n");
-      return 0;
+      return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
     }
 
-  if (grub_tpm2_pcr_banks_reporting_present (tpm))
-    {
-      grub_efi_status_t status = tpm->get_active_pcr_banks (tpm, &active_pcr_banks);
+  if (!grub_tpm2_present (tpm))
+    return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
 
-      if (status != GRUB_EFI_SUCCESS)
-	return 0; /* Assume none available if the call fails. */
-    }
+  caps.Size = (grub_uint8_t) sizeof (caps);
+  status = tpm->get_capability (tpm, &caps);
+  if (status != GRUB_EFI_SUCCESS)
+    return (grub_uint32_t) (tpm2_active_pcr_banks = 0);
+  if (caps.StructureVersion.Major < 1 ||
+      (caps.StructureVersion.Major == 1 && caps.StructureVersion.Minor < 1))
+    /* There's a working TPM2 but without querying protocol, let userspace figure it out. */
+    return (grub_uint32_t) (tpm2_active_pcr_banks = GRUB_UINT_MAX);
 
-  return active_pcr_banks;
+  status = tpm->get_active_pcr_banks (tpm, &active_pcr_banks);
+  if (status != GRUB_EFI_SUCCESS)
+    return (grub_uint32_t) (tpm2_active_pcr_banks = 0); /* Assume none available if the call fails. */
+
+  return (grub_uint32_t) (tpm2_active_pcr_banks = active_pcr_banks);
 }

grub-core/disk/ieee1275/ofdisk.c

@@ -93,6 +93,7 @@ ofdisk_hash_add_real (char *devpath)
       grub_add (sz, sizeof ("ieee1275/"), &sz))
     {
       grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow detected while obtaining size of device path"));
+      grub_free (p);
       return NULL;
     }
 
@@ -109,6 +110,8 @@ ofdisk_hash_add_real (char *devpath)
       if (grub_add (grub_strlen (p->devpath), 3, &sz))
 	{
 	  grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow detected while obtaining size of an open path"));
+	  grub_free (p->grub_devpath);
+	  grub_free (p);
 	  return NULL;
 	}
 

grub-core/efiemu/loadcore.c

@@ -203,6 +203,9 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e)
   grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *)
     grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym));
 
+  if (grub_efiemu_elfsyms == NULL)
+    return grub_errno;
+
   /* Relocators */
   for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);
        i < e->e_shnum;

grub-core/kern/efi/sb.c

@@ -152,6 +152,8 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
     case GRUB_FILE_TYPE_TESTLOAD:
     case GRUB_FILE_TYPE_GET_SIZE:
     case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
+    case GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY:
+    case GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER:
     case GRUB_FILE_TYPE_CAT:
     case GRUB_FILE_TYPE_HEXCAT:
     case GRUB_FILE_TYPE_CMP:

grub-core/kern/ieee1275/openfw.c

@@ -512,7 +512,20 @@ grub_ieee1275_encode_devname (const char *path)
     }
   if (partition && partition[0])
     {
-      unsigned int partno = grub_strtoul (partition, 0, 0);
+      unsigned long partno;
+      const char *endptr;
+
+      partno = grub_strtoul (partition, &endptr, 0);
+      grub_errno = GRUB_ERR_NONE;
+      if (*endptr != '\0' || partno > 65535 ||
+          (partno == 0 && ! grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_0_BASED_PARTITIONS)))
+        {
+          grub_free (partition);
+          grub_free (device);
+          grub_free (encoding);
+          grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid partition number"));
+          return NULL;
+        }
 
       *optr++ = ',';
 
@@ -520,7 +533,7 @@ grub_ieee1275_encode_devname (const char *path)
 	/* GRUB partition 1 is OF partition 0.  */
 	partno++;
 
-      grub_snprintf (optr, sizeof ("XXXXXXXXXXXX"), "%d", partno);
+      grub_snprintf (optr, sizeof ("XXXXXXXXXXXX"), "%lu", partno);
     }
   else
     *optr = '\0';

grub-core/lib/x86_64/setjmp.S

@@ -36,7 +36,7 @@ GRUB_MOD_LICENSE "GPLv3+"
  */
 FUNCTION(grub_setjmp)
 	pop	%rsi		/* Return address, and adjust the stack */
-	xorq	%rax, %rax
+	xorl	%eax, %eax
 	movq	%rbx, 0(%rdi)	/* RBX */
 	movq	%rsp, 8(%rdi)   /* RSP */
 	push	%rsi

grub-core/mmap/mmap.c

@@ -409,7 +409,7 @@ badram_iter (grub_uint64_t addr, grub_uint64_t size,
       */
       while (high - low > 1)
 	{
-	  cur = (low + high) / 2;
+	  cur = low + (high - low) / 2;
 	  if (fill_mask (entry, cur) >= addr)
 	    high = cur;
 	  else

grub-core/osdep/aros/hostdisk.c

@@ -207,8 +207,8 @@ grub_util_fd_open (const char *dev, int flg)
 						 sizeof(struct IOExtTD));
   if (!ret->ioreq)
     {
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
       return NULL;
     }
 
@@ -225,9 +225,9 @@ grub_util_fd_open (const char *dev, int flg)
   if (OpenDevice ((unsigned char *) tmp, unit,
 		  (struct IORequest *) ret->ioreq, flags))
     {
-      free (tmp);
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
+      free (tmp);
       return NULL;
     }
   free (tmp);

grub-core/osdep/linux/ofpath.c

@@ -488,8 +488,11 @@ check_hba_identifiers (const char *sysfs_path, int *vendor, int *device_id)
 static void
 check_sas (const char *sysfs_path, int *tgt, unsigned long int *sas_address)
 {
-  char *ed = strstr (sysfs_path, "end_device");
-  char *p, *q, *path;
+  const char *ed = strstr (sysfs_path, "end_device");
+  int p_len;
+  int ed_len;
+  const char *q;
+  char *path;
   char phy[21];
   int fd;
   size_t path_size;
@@ -498,20 +501,16 @@ check_sas (const char *sysfs_path, int *tgt, unsigned long int *sas_address)
     return;
 
   /* SAS devices are identified using disk@$PHY_ID */
-  p = xstrdup (sysfs_path);
-  ed = strstr(p, "end_device");
-  if (!ed)
-    return;
-
   q = ed;
   while (*q && *q != '/')
     q++;
-  *q = '\0';
+  p_len = (int) (q - sysfs_path);
+  ed_len = (int) (q - ed);
 
-  path_size = (strlen (p) + strlen (ed)
-	       + sizeof ("%s/sas_device/%s/phy_identifier"));
+  path_size = (p_len + ed_len + sizeof ("/sas_device//phy_identifier"));
   path = xmalloc (path_size);
-  snprintf (path, path_size, "%s/sas_device/%s/phy_identifier", p, ed);
+  snprintf (path, path_size, "%.*s/sas_device/%.*s/phy_identifier", p_len,
+	    sysfs_path, ed_len, ed);
   fd = open (path, O_RDONLY);
   if (fd < 0)
     grub_util_error (_("cannot open `%s': %s"), path, strerror (errno));
@@ -524,7 +523,8 @@ check_sas (const char *sysfs_path, int *tgt, unsigned long int *sas_address)
 
   sscanf (phy, "%d", tgt);
 
-  snprintf (path, path_size, "%s/sas_device/%s/sas_address", p, ed);
+  snprintf (path, path_size, "%.*s/sas_device/%.*s/sas_address", p_len,
+	    sysfs_path, ed_len, ed);
   fd = open (path, O_RDONLY);
   if (fd < 0)
     grub_util_error (_("cannot open `%s': %s"), path, strerror (errno));
@@ -535,7 +535,6 @@ check_sas (const char *sysfs_path, int *tgt, unsigned long int *sas_address)
   sscanf (phy, "%lx", sas_address);
 
   free (path);
-  free (p);
   close (fd);
 }
 

grub-core/script/execute.c

@@ -562,6 +562,8 @@ gettext_append (struct grub_script_argv *result, const char *orig_str)
     if (*iptr == '$')
       dollar_cnt++;
   ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0]));
+  if (ctx.allowed_strings == NULL)
+    goto fail;
 
   if (parse_string (orig_str, gettext_save_allow, &ctx, 0))
     goto fail;

grub-core/term/efi/serial.c

@@ -169,13 +169,13 @@ grub_efiserial_init (void)
 
       port = grub_zalloc (sizeof (*port));
       if (!port)
-	return;
+	break;
 
       port->name = grub_malloc (sizeof ("efiXXXXXXXXXXXXXXXXXXXX"));
       if (!port->name)
 	{
 	  grub_free (port);
-	  return;
+	  break;
 	}
       grub_snprintf (port->name, sizeof ("efiXXXXXXXXXXXXXXXXXXXX"),
 		     "efi%d", num_serial++);

grub-core/tests/crypto_cipher_mode_test.c

@@ -0,0 +1,197 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2025 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/test.h>
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/crypto.h>
+
+#include "crypto_cipher_mode_vectors.h"
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+/* Perform cipher lookup, handle init, and key setting. */
+static grub_crypto_cipher_handle_t
+handle_init (struct vector vec, grub_crypto_cipher_handle_t handle)
+{
+  gcry_err_code_t err;
+
+  const gcry_cipher_spec_t *cipher = grub_crypto_lookup_cipher_by_name (vec.cipher);
+  grub_test_assert (cipher != NULL, "\n%s: cipher lookup failed for %s", vec.mode, vec.cipher);
+  if (cipher == NULL)
+    return NULL;
+
+  handle = grub_crypto_cipher_open (cipher);
+  grub_test_assert (handle != NULL, "\n%s: handle init failed for %s", vec.mode, vec.cipher);
+  if (handle == NULL)
+    return NULL;
+
+  err = grub_crypto_cipher_set_key (handle, (grub_uint8_t *) vec.key, vec.keylen);
+  grub_test_assert (err == GPG_ERR_NO_ERROR, "\n%s: key set of size %d failed for %s with err = %d",
+                    vec.mode, vec.keylen, vec.cipher, err);
+  if (err != GPG_ERR_NO_ERROR)
+    {
+      grub_crypto_cipher_close (handle);
+      return NULL;
+    }
+
+  return handle;
+}
+
+static void
+ecb_test (struct vector vec)
+{
+  gcry_err_code_t gcry_err;
+  grub_crypto_cipher_handle_t handle = NULL;
+  grub_uint8_t *plaintext = NULL, *ciphertext = NULL;
+  grub_int32_t rc;
+
+  handle = handle_init (vec, handle);
+  if (handle == NULL)
+    return;
+
+  /* Test encryption. */
+  ciphertext = grub_zalloc (vec.plen);
+  grub_test_assert (ciphertext != NULL, "\necb: ciphertext buffer allocation failed");
+  if (ciphertext == NULL)
+    goto out_handle;
+
+  gcry_err = grub_crypto_ecb_encrypt (handle, ciphertext, vec.ptext, vec.plen);
+  grub_test_assert (gcry_err == GPG_ERR_NO_ERROR, "\necb: encryption failed with err = %d",
+                    gcry_err);
+  if (gcry_err != GPG_ERR_NO_ERROR)
+    goto out_ct;
+
+  rc = grub_memcmp (ciphertext, vec.ctext, vec.plen);
+  grub_test_assert (rc == 0, "\necb: ciphertext mismatch after encryption");
+  if (rc != 0)
+    goto out_ct;
+
+  /* Test decryption. */
+  plaintext = grub_zalloc (vec.plen);
+  grub_test_assert (plaintext != NULL, "\necb: plaintext buffer allocation failed");
+  if (plaintext == NULL)
+    goto out_ct;
+
+  gcry_err = grub_crypto_ecb_decrypt (handle, plaintext, ciphertext, vec.plen);
+  grub_test_assert (gcry_err == GPG_ERR_NO_ERROR, "\necb: decryption failed failed with err = %d",
+                    gcry_err);
+  if (gcry_err != GPG_ERR_NO_ERROR)
+    goto out_pt;
+
+  rc = grub_memcmp (plaintext, vec.ptext, vec.plen);
+  grub_test_assert (rc == 0, "\necb: plaintext mismatch after decryption");
+
+ out_pt:
+  grub_free(plaintext);
+ out_ct:
+  grub_free(ciphertext);
+ out_handle:
+  grub_crypto_cipher_close(handle);
+}
+
+static void
+cbc_test (struct vector vec)
+{
+  gcry_err_code_t gcry_err;
+  grub_crypto_cipher_handle_t handle = NULL;
+  grub_uint8_t *plaintext = NULL, *ciphertext = NULL;
+  grub_uint32_t *iv = NULL;
+  grub_int32_t rc;
+
+  handle = handle_init (vec, handle);
+  if (handle == NULL)
+    return;
+
+  /* Test Encryption */
+  iv = grub_malloc(vec.ivlen);
+  grub_test_assert (iv != NULL, "\ncbc: IV buffer allocation failed");
+  if (iv == NULL)
+    goto out_handle;
+
+  grub_memcpy (iv, vec.iv_in, vec.ivlen);
+
+  ciphertext = grub_zalloc (vec.plen);
+  grub_test_assert (ciphertext != NULL, "\ncbc: ciphertext buffer allocation failed");
+  if (ciphertext == NULL)
+    goto out_iv;
+
+  gcry_err = grub_crypto_cbc_encrypt (handle, ciphertext, vec.ptext, vec.plen, iv);
+  grub_test_assert (gcry_err == GPG_ERR_NO_ERROR, "\ncbc: encryption failed with err = %d",
+                    gcry_err);
+  if (gcry_err != GPG_ERR_NO_ERROR)
+    goto out_ct;
+
+  rc = grub_memcmp (ciphertext, vec.ctext, vec.plen);
+  grub_test_assert (rc == 0, "\ncbc: ciphertext mismatch after encryption");
+  if (rc != 0)
+    goto out_ct;
+
+  rc = grub_memcmp (iv, vec.iv_out, vec.ivlen);
+  grub_test_assert (rc == 0, "\ncbc: IV out mismatch after encryption");
+  if (rc != 0)
+    goto out_ct;
+
+  /* Test Decryption  */
+  grub_memcpy (iv, vec.iv_in, vec.ivlen);
+
+  plaintext = grub_zalloc (vec.plen);
+  grub_test_assert (plaintext != NULL, "\ncbc: plaintext buffer allocation failed");
+  if (plaintext == NULL)
+    goto out_ct;
+
+  gcry_err = grub_crypto_cbc_decrypt (handle, plaintext, ciphertext, vec.plen, iv);
+  grub_test_assert (gcry_err == GPG_ERR_NO_ERROR, "\ncbc: decryption failed with err = %d",
+                    gcry_err);
+  if (gcry_err != GPG_ERR_NO_ERROR)
+    goto out_pt;
+
+  rc = grub_memcmp (plaintext, vec.ptext, vec.plen);
+  grub_test_assert (rc == 0, "\ncbc: plaintext mismatch after decryption");
+
+ out_pt:
+  grub_free(plaintext);
+ out_ct:
+  grub_free(ciphertext);
+ out_iv:
+  grub_free(iv);
+ out_handle:
+  grub_crypto_cipher_close(handle);
+}
+
+static void
+crypto_cipher_mode_test (void)
+{
+  grub_size_t i;
+
+  for (i = 0; i < ARRAY_SIZE (vecs); i++)
+    {
+      if (grub_strcmp (vecs[i].mode, "ecb") == 0)
+        ecb_test(vecs[i]);
+      else if (grub_strcmp (vecs[i].mode, "cbc") == 0)
+        cbc_test(vecs[i]);
+      else
+        {
+          grub_test_assert(0, "\n%s mode unsupported for testing", vecs[i].mode);
+          return;
+        }
+    }
+}
+
+/* Register example_test method as a functional test.  */
+GRUB_FUNCTIONAL_TEST (crypto_cipher_mode_test, crypto_cipher_mode_test);

grub-core/tests/crypto_cipher_mode_vectors.h

@@ -0,0 +1,135 @@
+struct vector
+{
+  const char *cipher;
+  const char *mode;
+  const char *key;
+  grub_uint32_t keylen;
+  const char *ptext;
+  grub_uint32_t plen;
+  const char *ctext;
+  const char *iv_in;
+  const char *iv_out;
+  grub_uint32_t ivlen;
+} vecs[] = {
+  {
+    .cipher = "aes",
+    .mode   = "ecb",
+    .key    = "\x00\x01\x02\x03\x04\x05\x06\x07"
+              "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+    .keylen = 16,
+    .ptext  = "\x00\x11\x22\x33\x44\x55\x66\x77"
+              "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
+    .plen   = 16,
+    .ctext  = "\x69\xc4\xe0\xd8\x6a\x7b\x04\x30"
+              "\xd8\xcd\xb7\x80\x70\xb4\xc5\x5a",
+  },
+  {
+    .cipher = "aes",
+    .mode   = "ecb",
+    .key    = "\x00\x01\x02\x03\x04\x05\x06\x07"
+              "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+              "\x10\x11\x12\x13\x14\x15\x16\x17",
+    .keylen = 24,
+    .ptext  = "\x00\x11\x22\x33\x44\x55\x66\x77"
+              "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
+    .plen   = 16,
+    .ctext  = "\xdd\xa9\x7c\xa4\x86\x4c\xdf\xe0"
+              "\x6e\xaf\x70\xa0\xec\x0d\x71\x91",
+  },
+  {
+    .cipher = "aes",
+    .mode   = "ecb",
+    .key    = "\x00\x01\x02\x03\x04\x05\x06\x07"
+              "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+              "\x10\x11\x12\x13\x14\x15\x16\x17"
+              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+    .keylen = 32,
+    .ptext  = "\x00\x11\x22\x33\x44\x55\x66\x77"
+              "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
+    .plen   = 16,
+    .ctext  = "\x8e\xa2\xb7\xca\x51\x67\x45\xbf"
+              "\xea\xfc\x49\x90\x4b\x49\x60\x89",
+  },
+  {
+    .cipher = "aes",
+    .mode   = "cbc",
+    .key    = "\xc2\x86\x69\x6d\x88\x7c\x9a\xa0"
+              "\x61\x1b\xbb\x3e\x20\x25\xa4\x5a",
+    .keylen = 16,
+    .ptext  = "\x00\x01\x02\x03\x04\x05\x06\x07"
+              "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+              "\x10\x11\x12\x13\x14\x15\x16\x17"
+              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+    .plen   = 32,
+    .ctext  = "\xd2\x96\xcd\x94\xc2\xcc\xcf\x8a"
+              "\x3a\x86\x30\x28\xb5\xe1\xdc\x0a"
+              "\x75\x86\x60\x2d\x25\x3c\xff\xf9"
+              "\x1b\x82\x66\xbe\xa6\xd6\x1a\xb1",
+    .iv_in  = "\x56\x2e\x17\x99\x6d\x09\x3d\x28"
+              "\xdd\xb3\xba\x69\x5a\x2e\x6f\x58",
+    .iv_out = "\x75\x86\x60\x2d\x25\x3c\xff\xf9"
+              "\x1b\x82\x66\xbe\xa6\xd6\x1a\xb1",
+    .ivlen  = 16,
+  },
+  {
+    .cipher = "aes",
+    .mode   = "cbc",
+    .key    = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52"
+              "\xc8\x10\xf3\x2b\x80\x90\x79\xe5"
+              "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b",
+    .keylen = 24,
+    .ptext  = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
+              "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+              "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
+              "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+              "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
+              "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+              "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
+              "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
+    .plen   = 64,
+    .ctext  = "\x4f\x02\x1d\xb2\x43\xbc\x63\x3d"
+              "\x71\x78\x18\x3a\x9f\xa0\x71\xe8"
+              "\xb4\xd9\xad\xa9\xad\x7d\xed\xf4"
+              "\xe5\xe7\x38\x76\x3f\x69\x14\x5a"
+              "\x57\x1b\x24\x20\x12\xfb\x7a\xe0"
+              "\x7f\xa9\xba\xac\x3d\xf1\x02\xe0"
+              "\x08\xb0\xe2\x79\x88\x59\x88\x81"
+              "\xd9\x20\xa9\xe6\x4f\x56\x15\xcd",
+    .iv_in  = "\x00\x01\x02\x03\x04\x05\x06\x07"
+              "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+    .iv_out = "\x08\xb0\xe2\x79\x88\x59\x88\x81"
+              "\xd9\x20\xa9\xe6\x4f\x56\x15\xcd",
+    .ivlen  = 16,
+  },
+  {
+    .cipher = "aes",
+    .mode   = "cbc",
+    .key    = "\x60\x3d\xeb\x10\x15\xca\x71\xbe"
+              "\x2b\x73\xae\xf0\x85\x7d\x77\x81"
+              "\x1f\x35\x2c\x07\x3b\x61\x08\xd7"
+              "\x2d\x98\x10\xa3\x09\x14\xdf\xf4",
+    .keylen = 32,
+    .ptext  = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
+              "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+              "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
+              "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
+              "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
+              "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
+              "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
+              "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
+    .plen   = 64,
+    .ctext  = "\xf5\x8c\x4c\x04\xd6\xe5\xf1\xba"
+              "\x77\x9e\xab\xfb\x5f\x7b\xfb\xd6"
+              "\x9c\xfc\x4e\x96\x7e\xdb\x80\x8d"
+              "\x67\x9f\x77\x7b\xc6\x70\x2c\x7d"
+              "\x39\xf2\x33\x69\xa9\xd9\xba\xcf"
+              "\xa5\x30\xe2\x63\x04\x23\x14\x61"
+              "\xb2\xeb\x05\xe2\xc3\x9b\xe9\xfc"
+              "\xda\x6c\x19\x07\x8c\x6a\x9d\x1b",
+    .iv_in  = "\x00\x01\x02\x03\x04\x05\x06\x07"
+              "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+    .iv_out = "\xb2\xeb\x05\xe2\xc3\x9b\xe9\xfc"
+              "\xda\x6c\x19\x07\x8c\x6a\x9d\x1b",
+    .ivlen  = 16,
+  },
+};

grub-core/tests/lib/functional_test.c

@@ -82,6 +82,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
   grub_dl_load ("shift_test");
   grub_dl_load ("asn1_test");
   grub_dl_load ("argon2_test");
+  grub_dl_load ("crypto_cipher_mode_test");
 
   FOR_LIST_ELEMENTS (test, grub_test_list)
     ok = !grub_test_run (test) && ok;

grub-core/video/efi_gop.c

@@ -94,7 +94,7 @@ check_protocol (void)
   gop_handle = 0;
 
   grub_dprintf ("video", "GOP: no usable mode\n");
-
+  grub_free (handles);
   return 0;
 }
 

include/grub/efi/api.h

@@ -389,6 +389,16 @@
     { 0xa1, 0x92, 0xbf, 0x1d, 0x57, 0xd0, 0xb1, 0x89 } \
   }
 
+#define GRUB_EFI_MEMORY_ATTRIBUTES_TABLE_GUID \
+  { 0xdcfa911d, 0x26eb, 0x469f, \
+    { 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20 } \
+  }
+
+#define GRUB_EFI_TCG2_FINAL_EVENTS_TABLE_GUID \
+  { 0x1e2ed096, 0x30e2, 0x4254, \
+    { 0xbd, 0x89, 0x86, 0x3b, 0xbe, 0xf8, 0x23, 0x25 } \
+  }
+
 struct grub_efi_sal_system_table
 {
   grub_uint32_t signature;

include/grub/i386/pc/int.h

@@ -22,11 +22,11 @@
 #include <grub/symbol.h>
 #include <grub/i386/pc/int_types.h>
 
+#ifdef GRUB_MACHINE_PCBIOS
 void EXPORT_FUNC (grub_bios_interrupt) (grub_uint8_t intno,
 					struct grub_bios_int_registers *regs)
      __attribute__ ((regparm(3)));
 
-#ifdef GRUB_MACHINE_PCBIOS
 extern struct grub_i386_idt *EXPORT_VAR(grub_realidt);
 #endif
 

m4/ax_check_link_flag.m4

@@ -0,0 +1,53 @@
+# ===========================================================================
+#    https://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the linker or gives an error.
+#   (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the linker's default flags
+#   when the check is done.  The check is thus made with the flags: "LDFLAGS
+#   EXTRA-FLAGS FLAG".  This can for example be used to force the linker to
+#   issue an error when a bad flag is given.
+#
+#   INPUT gives an alternative input source to AC_LINK_IFELSE.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
+
+#serial 6
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+  ax_check_save_flags=$LDFLAGS
+  LDFLAGS="$LDFLAGS $4 $1"
+  AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  LDFLAGS=$ax_check_save_flags])
+AS_VAR_IF(CACHEVAR,yes,
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS

tests/util/grub-fs-tester.in

@@ -743,7 +743,9 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
 		    dd if=/dev/urandom of="${MOUNTDEVICE}" bs=1 seek=$((0x468)) conv=notrunc count=8
 		    MOUNTFS="hfsplus";;
 		x"hfs")
-		    "mkfs.hfs" -b $BLKSIZE -v "`echo $FSLABEL |recode utf8..macroman`" -h "${MOUNTDEVICE}"
+		    # CSMACINTOSH is an alias for MacRoman which is the
+		    # encoding used on HFS.
+		    "mkfs.hfs" -b $BLKSIZE -v "`echo $FSLABEL | recode utf8..CSMACINTOSH`" -h "${MOUNTDEVICE}"
 		    dd if=/dev/urandom of="${MOUNTDEVICE}" bs=1 seek=$((0x474)) conv=notrunc count=8
 		    MOUNTOPTS="iocharset=utf8,codepage=macroman,"
 		    ;;

util/grub-install-common.c

@@ -803,13 +803,20 @@ copy_all (const char *srcd,
 	  || strcmp (de->d_name, "..") == 0)
 	continue;
       srcf = grub_util_path_concat (2, srcd, de->d_name);
-      if (grub_util_is_special_file (srcf)
-	  || grub_util_is_directory (srcf))
+      if (grub_util_is_special_file (srcf))
 	{
 	  free (srcf);
 	  continue;
 	}
       dstf = grub_util_path_concat (2, dstd, de->d_name);
+      if (grub_util_is_directory (srcf))
+	{
+	  grub_install_mkdir_p (dstf);
+	  copy_all (srcf, dstf);
+	  free (srcf);
+	  free (dstf);
+	  continue;
+	}
       grub_install_compress_file (srcf, dstf, 1);
       free (srcf);
       free (dstf);

util/grub-mkimagexx.c

@@ -249,6 +249,7 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
     {
       phnum++;
       footer_size += ALIGN_UP (sizeof (struct grub_appended_signature_note), 4);
+      footer_size += ALIGN_UP_OVERHEAD (appsig_size, 4);
     }
 
   if (image_target->id != IMAGE_LOONGSON_ELF)

util/mkimage.c

@@ -56,6 +56,9 @@
 
 #pragma GCC diagnostic ignored "-Wcast-align"
 
+#define SBAT_HEADER      "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
+#define SBAT_HEADER_SIZE (sizeof (SBAT_HEADER))
+
 #define TARGET_NO_FIELD 0xffffffff
 
 /* use 2015-01-01T00:00:00+0000 as a stock timestamp */
@@ -963,6 +966,12 @@ grub_install_generate_image (const char *dir, const char *prefix,
 
   if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
     grub_util_error (_("SBAT data can be added only to EFI or powerpc-ieee1275 images"));
+  else if (sbat_path != NULL)
+    {
+      sbat_size = grub_util_get_image_size (sbat_path);
+      if (sbat_size < SBAT_HEADER_SIZE)
+        grub_util_error (_("%s file should contain at least an SBAT header"), sbat_path);
+    }
 
   if (appsig_size != 0 && image_target->id != IMAGE_PPC)
     grub_util_error (_("appended signature can be support only to powerpc-ieee1275 images"));
@@ -1396,7 +1405,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
 
 	if (sbat_path != NULL)
 	  {
-	    sbat_size = ALIGN_ADDR (grub_util_get_image_size (sbat_path));
+	    sbat_size = ALIGN_ADDR (sbat_size);
 	    sbat_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT);
 	  }
 
@@ -1857,7 +1866,6 @@ grub_install_generate_image (const char *dir, const char *prefix,
 	char *sbat = NULL;
 	if (sbat_path != NULL)
 	  {
-	    sbat_size = grub_util_get_image_size (sbat_path);
 	    sbat = xmalloc (sbat_size);
 	    grub_util_load_image (sbat_path, sbat);
 	    layout.sbat_size = sbat_size;

util/probe.c

@@ -70,7 +70,7 @@ char *
 grub_util_guess_bios_drive (const char *orig_path)
 {
   char *canon;
-  char *ptr;
+  const char *ptr;
   canon = grub_canonicalize_file_name (orig_path);
   if (!canon)
     return NULL;
@@ -99,7 +99,7 @@ char *
 grub_util_guess_efi_drive (const char *orig_path)
 {
   char *canon;
-  char *ptr;
+  const char *ptr;
   canon = grub_canonicalize_file_name (orig_path);
   if (!canon)
     return NULL;
@@ -128,7 +128,7 @@ char *
 grub_util_guess_baremetal_drive (const char *orig_path)
 {
   char *canon;
-  char *ptr;
+  const char *ptr;
   canon = grub_canonicalize_file_name (orig_path);
   if (!canon)
     return NULL;

util/resolve.c

@@ -138,12 +138,12 @@ read_dep_list (FILE *fp)
 static char *
 get_module_name (const char *str)
 {
-  char *base;
-  char *ext;
+  const char *base;
+  const char *ext;
 
   base = strrchr (str, '/');
   if (! base)
-    base = (char *) str;
+    base = str;
   else
     base++;
 
@@ -164,9 +164,9 @@ get_module_name (const char *str)
 static char *
 get_module_path (const char *prefix, const char *str)
 {
-  char *dir;
+  const char *dir;
   char *base;
-  char *ext;
+  const char *ext;
   char *ret;
 
   ext = strrchr (str, '.');