diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch b/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch
new file mode 100644
index 0000000..b614ef3
--- /dev/null
+++ b/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 29 Jul 2022 15:56:00 -0400
+Subject: [PATCH] Make debug=file show which file filters get run.
+
+If one of the file filters breaks things, it's hard to figure out where
+it has happened.
+
+This makes grub log which filter is being run, which makes it easier to
+figure out where you are in the sequence of events.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit d3d6518a13b5440a3be6c66b0ae47447182f2891)
+(cherry picked from commit d197e70761b1383827e9008e21ee41c6c7015776)
+---
+ grub-core/kern/file.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index f062fc21e7..5e1f29d0dd 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -30,6 +30,14 @@ void (*EXPORT_VAR (grub_grubnet_fini)) (void);
+
+ grub_file_filter_t grub_file_filters[GRUB_FILE_FILTER_MAX];
+
++static char *filter_names[] = {
++ [GRUB_FILE_FILTER_VERIFY] = "GRUB_FILE_FILTER_VERIFY",
++ [GRUB_FILE_FILTER_GZIO] = "GRUB_FILE_FILTER_GZIO",
++ [GRUB_FILE_FILTER_XZIO] = "GRUB_FILE_FILTER_XZIO",
++ [GRUB_FILE_FILTER_LZOPIO] = "GRUB_FILE_FILTER_LZOPIO",
++ [GRUB_FILE_FILTER_MAX] = "GRUB_FILE_FILTER_MAX"
++};
++
+ /* Get the device part of the filename NAME. It is enclosed by parentheses. */
+ char *
+ grub_file_get_device_name (const char *name)
+@@ -121,6 +129,9 @@ grub_file_open (const char *name, enum grub_file_type type)
+ if (grub_file_filters[filter])
+ {
+ last_file = file;
++ if (filter < GRUB_FILE_FILTER_MAX)
++ grub_dprintf ("file", "Running %s file filter\n",
++ filter_names[filter]);
+ file = grub_file_filters[filter] (file, type);
+ if (file && file != last_file)
+ {
diff --git a/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch b/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch
new file mode 100644
index 0000000..6f1bfc7
--- /dev/null
+++ b/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch
@@ -0,0 +1,83 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 1 Aug 2022 14:06:30 -0400
+Subject: [PATCH] efi: use enumerated array positions for our allocation
+ choices
+
+In our kernel allocator on EFI systems, we currently have a growing
+amount of code that references the various allocation policies by
+position in the array, and of course maintenance of this code scales
+very poorly.
+
+This patch changes them to be enumerated, so they're easier to refer to
+farther along in the code without confusion.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 6768026270cca015d7fef0ecc8a4119e9b3d3923)
+(cherry picked from commit 50b2ca3274b6950393a4ffc7edde04a1a3de594e)
+---
+ grub-core/loader/i386/efi/linux.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index d80d6ec312..23b27f6507 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -60,17 +60,26 @@ struct allocation_choice {
+ grub_efi_allocate_type_t alloc_type;
+ };
+
+-static struct allocation_choice max_addresses[4] =
++enum {
++ KERNEL_PREF_ADDRESS,
++ KERNEL_4G_LIMIT,
++ KERNEL_NO_LIMIT,
++};
++
++static struct allocation_choice max_addresses[] =
+ {
+ /* the kernel overrides this one with pref_address and
+ * GRUB_EFI_ALLOCATE_ADDRESS */
+- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++ [KERNEL_PREF_ADDRESS] =
++ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++ /* If the flag in params is set, this one gets changed to be above 4GB. */
++ [KERNEL_4G_LIMIT] =
++ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+ /* this one is always below 4GB, which we still *prefer* even if the flag
+ * is set. */
+- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+- /* If the flag in params is set, this one gets changed to be above 4GB. */
+- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+- { 0, 0 }
++ [KERNEL_NO_LIMIT] =
++ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++ { NO_MEM, 0, 0 }
+ };
+ static struct allocation_choice saved_addresses[4];
+
+@@ -423,7 +432,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ if (lh->xloadflags & LINUX_XLF_CAN_BE_LOADED_ABOVE_4G)
+ {
+ grub_dprintf ("linux", "Loading kernel above 4GB is supported; enabling.\n");
+- max_addresses[2].addr = GRUB_EFI_MAX_USABLE_ADDRESS;
++ max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_USABLE_ADDRESS;
+ }
+ else
+ {
+@@ -495,11 +504,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ grub_dprintf ("linux", "lh->pref_address: %p\n", (void *)(grub_addr_t)lh->pref_address);
+ if (lh->pref_address < (grub_uint64_t)GRUB_EFI_MAX_ALLOCATION_ADDRESS)
+ {
+- max_addresses[0].addr = lh->pref_address;
+- max_addresses[0].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
++ max_addresses[KERNEL_PREF_ADDRESS].addr = lh->pref_address;
++ max_addresses[KERNEL_PREF_ADDRESS].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
+ }
+- max_addresses[1].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+- max_addresses[2].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
++ max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
++ max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+ kernel_size = lh->init_size;
+ kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE,
+ N_("can't allocate kernel"));
diff --git a/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch b/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch
new file mode 100644
index 0000000..08d2765
--- /dev/null
+++ b/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch
@@ -0,0 +1,129 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 1 Aug 2022 14:24:39 -0400
+Subject: [PATCH] efi: split allocation policy for kernel vs initrd memories.
+
+Currently in our kernel allocator, we use the same set of choices for
+all of our various kernel and initramfs allocations, though they do not
+have exactly the same constraints.
+
+This patch adds the concept of an allocation purpose, which currently
+can be KERNEL_MEM or INITRD_MEM, and updates kernel_alloc() calls
+appropriately, but does not change any current policy decision. It
+also adds a few debug prints.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 36307bed28cd838116fc4af26a30719660d62d4c)
+(cherry picked from commit dc1196350b0cbe89582832f44df0fce67e0c9fb2)
+---
+ grub-core/loader/i386/efi/linux.c | 35 +++++++++++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 23b27f6507..09e7596064 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -55,7 +55,14 @@ struct grub_linuxefi_context {
+
+ #define BYTES_TO_PAGES(bytes) (((bytes) + 0xfff) >> 12)
+
++typedef enum {
++ NO_MEM,
++ KERNEL_MEM,
++ INITRD_MEM,
++} kernel_alloc_purpose_t;
++
+ struct allocation_choice {
++ kernel_alloc_purpose_t purpose;
+ grub_efi_physical_address_t addr;
+ grub_efi_allocate_type_t alloc_type;
+ };
+@@ -64,6 +71,7 @@ enum {
+ KERNEL_PREF_ADDRESS,
+ KERNEL_4G_LIMIT,
+ KERNEL_NO_LIMIT,
++ INITRD_MAX_ADDRESS,
+ };
+
+ static struct allocation_choice max_addresses[] =
+@@ -71,14 +79,17 @@ static struct allocation_choice max_addresses[] =
+ /* the kernel overrides this one with pref_address and
+ * GRUB_EFI_ALLOCATE_ADDRESS */
+ [KERNEL_PREF_ADDRESS] =
+- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++ { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+ /* If the flag in params is set, this one gets changed to be above 4GB. */
+ [KERNEL_4G_LIMIT] =
+- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++ { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+ /* this one is always below 4GB, which we still *prefer* even if the flag
+ * is set. */
+ [KERNEL_NO_LIMIT] =
+- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++ { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
++ /* this is for the initrd */
++ [INITRD_MAX_ADDRESS] =
++ { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+ { NO_MEM, 0, 0 }
+ };
+ static struct allocation_choice saved_addresses[4];
+@@ -95,7 +106,8 @@ kernel_free(void *addr, grub_efi_uintn_t size)
+ }
+
+ static void *
+-kernel_alloc(grub_efi_uintn_t size,
++kernel_alloc(kernel_alloc_purpose_t purpose,
++ grub_efi_uintn_t size,
+ grub_efi_memory_type_t memtype,
+ const char * const errmsg)
+ {
+@@ -108,6 +120,9 @@ kernel_alloc(grub_efi_uintn_t size,
+ grub_uint64_t max = max_addresses[i].addr;
+ grub_efi_uintn_t pages;
+
++ if (purpose != max_addresses[i].purpose)
++ continue;
++
+ /*
+ * When we're *not* loading the kernel, or >4GB allocations aren't
+ * supported, these entries are basically all the same, so don't re-try
+@@ -262,7 +277,8 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[])
+ }
+ }
+
+- initrd_mem = kernel_alloc(size, GRUB_EFI_RUNTIME_SERVICES_DATA,
++ grub_dprintf ("linux", "Trying to allocate initrd mem\n");
++ initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA,
+ N_("can't allocate initrd"));
+ if (initrd_mem == NULL)
+ goto fail;
+@@ -440,7 +456,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ }
+ #endif
+
+- params = kernel_alloc (sizeof(*params), GRUB_EFI_RUNTIME_SERVICES_DATA,
++ params = kernel_alloc (KERNEL_MEM, sizeof(*params),
++ GRUB_EFI_RUNTIME_SERVICES_DATA,
+ "cannot allocate kernel parameters");
+ if (!params)
+ goto fail;
+@@ -462,7 +479,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ grub_dprintf ("linux", "new lh is at %p\n", lh);
+
+ grub_dprintf ("linux", "setting up cmdline\n");
+- cmdline = kernel_alloc (lh->cmdline_size + 1,
++ cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1,
+ GRUB_EFI_RUNTIME_SERVICES_DATA,
+ N_("can't allocate cmdline"));
+ if (!cmdline)
+@@ -510,7 +527,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+ max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
+ kernel_size = lh->init_size;
+- kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE,
++ grub_dprintf ("linux", "Trying to allocate kernel mem\n");
++ kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size,
++ GRUB_EFI_RUNTIME_SERVICES_CODE,
+ N_("can't allocate kernel"));
+ restore_addresses();
+ if (!kernel_mem)
diff --git a/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch b/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch
new file mode 100644
index 0000000..28f603e
--- /dev/null
+++ b/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 1 Aug 2022 13:04:43 -0400
+Subject: [PATCH] efi: use EFI_LOADER_(CODE|DATA) for kernel and initrd
+ allocations
+
+At some point due to an erroneous kernel warning, we switched kernel and
+initramfs to being loaded in EFI_RUNTIME_SERVICES_CODE and
+EFI_RUNTIME_SERVICES_DATA memory pools. This doesn't appear to be
+correct according to the spec, and that kernel warning has gone away.
+
+This patch puts them back in EFI_LOADER_CODE and EFI_LOADER_DATA
+allocations, respectively.
+
+Resolves: rhbz#2108456
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 35b5d5fa47bc394c76022e6595b173e68f53225e)
+(cherry picked from commit 66e1c922b40957fca488435e06a2f875a219844b)
+---
+ grub-core/loader/i386/efi/linux.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 09e7596064..4d39023792 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -278,7 +278,7 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[])
+ }
+
+ grub_dprintf ("linux", "Trying to allocate initrd mem\n");
+- initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA,
++ initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_LOADER_DATA,
+ N_("can't allocate initrd"));
+ if (initrd_mem == NULL)
+ goto fail;
+@@ -457,7 +457,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ #endif
+
+ params = kernel_alloc (KERNEL_MEM, sizeof(*params),
+- GRUB_EFI_RUNTIME_SERVICES_DATA,
++ GRUB_EFI_LOADER_DATA,
+ "cannot allocate kernel parameters");
+ if (!params)
+ goto fail;
+@@ -480,7 +480,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+
+ grub_dprintf ("linux", "setting up cmdline\n");
+ cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1,
+- GRUB_EFI_RUNTIME_SERVICES_DATA,
++ GRUB_EFI_LOADER_DATA,
+ N_("can't allocate cmdline"));
+ if (!cmdline)
+ goto fail;
+@@ -529,7 +529,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ kernel_size = lh->init_size;
+ grub_dprintf ("linux", "Trying to allocate kernel mem\n");
+ kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size,
+- GRUB_EFI_RUNTIME_SERVICES_CODE,
++ GRUB_EFI_LOADER_CODE,
+ N_("can't allocate kernel"));
+ restore_addresses();
+ if (!kernel_mem)
diff --git a/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch b/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch
new file mode 100644
index 0000000..ff614f8
--- /dev/null
+++ b/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch
@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Diego Domingos <diegodo@linux.vnet.ibm.com>
+Date: Thu, 25 Aug 2022 11:37:56 -0400
+Subject: [PATCH] ieee1275: implement vec5 for cas negotiation
+
+As a legacy support, if the vector 5 is not implemented, Power
+Hypervisor will consider the max CPUs as 64 instead 256 currently
+supported during client-architecture-support negotiation.
+
+This patch implements the vector 5 and set the MAX CPUs to 256 while
+setting the others values to 0 (default).
+
+Signed-off-by: Diego Domingos <diegodo@linux.vnet.ibm.com>
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit f735c65b6da8a9d4251242b37774e1a517511253)
+(cherry picked from commit 1639f43b2db4ac405ac2a92e50ed4cff351c3baa)
+---
+ grub-core/kern/ieee1275/init.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 1414695cc6..37f3098c39 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -307,6 +307,18 @@ struct option_vector2 {
+ grub_uint8_t max_pft_size;
+ } __attribute__((packed));
+
++struct option_vector5 {
++ grub_uint8_t byte1;
++ grub_uint8_t byte2;
++ grub_uint8_t byte3;
++ grub_uint8_t cmo;
++ grub_uint8_t associativity;
++ grub_uint8_t bin_opts;
++ grub_uint8_t micro_checkpoint;
++ grub_uint8_t reserved0;
++ grub_uint32_t max_cpus;
++} __attribute__((packed));
++
+ struct pvr_entry {
+ grub_uint32_t mask;
+ grub_uint32_t entry;
+@@ -325,6 +337,8 @@ struct cas_vector {
+ grub_uint16_t vec3;
+ grub_uint8_t vec4_size;
+ grub_uint16_t vec4;
++ grub_uint8_t vec5_size;
++ struct option_vector5 vec5;
+ } __attribute__((packed));
+
+ /* Call ibm,client-architecture-support to try to get more RMA.
+@@ -345,7 +359,7 @@ grub_ieee1275_ibm_cas (void)
+ } args;
+ struct cas_vector vector = {
+ .pvr_list = { { 0x00000000, 0xffffffff } }, /* any processor */
+- .num_vecs = 4 - 1,
++ .num_vecs = 5 - 1,
+ .vec1_size = 0,
+ .vec1 = 0x80, /* ignore */
+ .vec2_size = 1 + sizeof(struct option_vector2) - 2,
+@@ -356,6 +370,10 @@ grub_ieee1275_ibm_cas (void)
+ .vec3 = 0x00e0, // ask for FP + VMX + DFP but don't halt if unsatisfied
+ .vec4_size = 2 - 1,
+ .vec4 = 0x0001, // set required minimum capacity % to the lowest value
++ .vec5_size = 1 + sizeof(struct option_vector5) - 2,
++ .vec5 = {
++ 0, 0, 0, 0, 0, 0, 0, 0, 256
++ }
+ };
+
+ INIT_IEEE1275_COMMON (&args.common, "call-method", 3, 2);
diff --git a/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch b/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch
new file mode 100644
index 0000000..a422b99
--- /dev/null
+++ b/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 11 Oct 2022 17:00:50 -0400
+Subject: [PATCH] x86-efi: Fix an incorrect array size in kernel allocation
+
+In 81a6ebf62bbe166ddc968463df2e8bd481bf697c ("efi: split allocation
+policy for kernel vs initrd memories."), I introduced a split in the
+kernel allocator to allow for different dynamic policies for the kernel
+and the initrd allocations.
+
+Unfortunately, that change increased the size of the policy data used to
+make decisions, but did not change the size of the temporary storage we
+use to back it up and restore. This results in some of .data getting
+clobbered at runtime, and hilarity ensues.
+
+This patch makes the size of the backup storage be based on the size of
+the initial policy data.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 37747b22342499a798ca3a8895770cd93b6e1258)
+(cherry picked from commit 72713ce761720235c86bbda412480c97b2892e00)
+---
+ grub-core/loader/i386/efi/linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 4d39023792..3d55f8b8d2 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -92,7 +92,7 @@ static struct allocation_choice max_addresses[] =
+ { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
+ { NO_MEM, 0, 0 }
+ };
+-static struct allocation_choice saved_addresses[4];
++static struct allocation_choice saved_addresses[sizeof(max_addresses) / sizeof(max_addresses[0])];
+
+ #define save_addresses() grub_memcpy(saved_addresses, max_addresses, sizeof(max_addresses))
+ #define restore_addresses() grub_memcpy(max_addresses, saved_addresses, sizeof(max_addresses))
diff --git a/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch b/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch
new file mode 100644
index 0000000..fee71eb
--- /dev/null
+++ b/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch
@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 18 Oct 2022 14:15:28 -0400
+Subject: [PATCH] switch-to-blscfg: don't assume newline at end of cfg
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ util/grub-switch-to-blscfg.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
+index eeea130770..5a97954c39 100644
+--- a/util/grub-switch-to-blscfg.in
++++ b/util/grub-switch-to-blscfg.in
+@@ -277,7 +277,9 @@ if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
+ fi
+ GENERATE=1
+ elif ! grep -q '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" ; then
+- if ! echo 'GRUB_ENABLE_BLSCFG=true' >> "${etcdefaultgrub}" ; then
++ # prepend in case admins have been bad at newlines
++ sed -i '1iGRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}"
++ if ! grep -q '^GRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}" ; then
+ gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
+ exit 1
+ fi
diff --git a/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch b/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
new file mode 100644
index 0000000..e7f7a0c
--- /dev/null
+++ b/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Wed, 3 Aug 2022 19:45:33 +0800
+Subject: [PATCH] font: Reject glyphs exceeds font->max_glyph_width or
+ font->max_glyph_height
+
+Check glyph's width and height against limits specified in font's
+metadata. Reject the glyph (and font) if such limits are exceeded.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 5760fcfd466cc757540ea0d591bad6a08caeaa16)
+(cherry picked from commit 3b410ef4bb95e607cadeba2193fa90ae9bddb98d)
+(cherry picked from commit 8ebe587def61af7893ebcae87d45c883f3cfb713)
+---
+ grub-core/font/font.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index b67507fcc8..8d1a990401 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ || read_be_uint16 (font->file, &height) != 0
+ || read_be_int16 (font->file, &xoff) != 0
+ || read_be_int16 (font->file, &yoff) != 0
+- || read_be_int16 (font->file, &dwidth) != 0)
++ || read_be_int16 (font->file, &dwidth) != 0
++ || width > font->max_char_width
++ || height > font->max_char_height)
+ {
+ remove_font (font);
+ return 0;
diff --git a/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000..df3a705
--- /dev/null
+++ b/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985)
+(cherry picked from commit 6bca9693878bdf61dd62b8c784862a48e75f569a)
+(cherry picked from commit edbbda5486cf8c3dc2b68fbd3dead822ab448022)
+---
+ grub-core/font/font.c | 17 +++++++++++++----
+ include/grub/bitmap.h | 18 ++++++++++++++++++
+ include/grub/safemath.h | 2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 8d1a990401..d6df79602d 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ grub_int16_t xoff;
+ grub_int16_t yoff;
+ grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+ if (index_entry->glyph)
+ /* Return cached glyph. */
+@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ return 0;
+ }
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+ {
+ remove_font (font);
+ return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8ca3a..0d9603f619 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+ return bitmap->mode_info.height;
+ }
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index 1ccac276b5..30800ad6a1 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #else
+ /*
+ * Copyright 2020 Rasmus Villemoes
diff --git a/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch b/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch
new file mode 100644
index 0000000..0afdf93
--- /dev/null
+++ b/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch
@@ -0,0 +1,81 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf)
+(cherry picked from commit b91eb9bd6c724339b7d7bb4765b9d36f1ee88b84)
+(cherry picked from commit 1ebafd82dd19e522f0d753fd9828553fe8bcac78)
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index d6df79602d..129aaa3838 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ struct grub_video_signed_rect bounds;
+ static struct grub_font_glyph *glyph = 0;
+ static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ ensure_comb_space (glyph_id);
+
+@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ if (!glyph_id->ncomb && !glyph_id->attributes)
+ return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+ {
+ grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+ }
+ if (!glyph)
+ {
++ max_glyph_size = 0;
+ grub_errno = GRUB_ERR_NONE;
+ return main_glyph;
+ }
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+ glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+ if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+ grub_font_blit_glyph_mirror (glyph, main_glyph,
diff --git a/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch b/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch
new file mode 100644
index 0000000..2f9a33e
--- /dev/null
+++ b/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch
@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:13:29 +0800
+Subject: [PATCH] font: Remove grub_font_dup_glyph()
+
+Remove grub_font_dup_glyph() since nobody is using it since 2013, and
+I'm too lazy to fix the integer overflow problem in it.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d)
+(cherry picked from commit ad950e1e033318bb50222ed268a6dcfb97389035)
+(cherry picked from commit 71644fccc1d43309f0a379dcfe9341ec3bd9657d)
+---
+ grub-core/font/font.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 129aaa3838..347e9dfa29 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1055,20 +1055,6 @@ grub_font_get_glyph_with_fallback (grub_font_t font, grub_uint32_t code)
+ return best_glyph;
+ }
+
+-#if 0
+-static struct grub_font_glyph *
+-grub_font_dup_glyph (struct grub_font_glyph *glyph)
+-{
+- static struct grub_font_glyph *ret;
+- ret = grub_malloc (sizeof (*ret) + (glyph->width * glyph->height + 7) / 8);
+- if (!ret)
+- return NULL;
+- grub_memcpy (ret, glyph, sizeof (*ret)
+- + (glyph->width * glyph->height + 7) / 8);
+- return ret;
+-}
+-#endif
+-
+ /* FIXME: suboptimal. */
+ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,
diff --git a/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch b/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch
new file mode 100644
index 0000000..baa2d74
--- /dev/null
+++ b/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch
@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 02:27:05 +0800
+Subject: [PATCH] font: Fix integer overflow in ensure_comb_space()
+
+In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
+wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
+in the future. This patch also fixes the inconsistency between
+render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
+returns NULL.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit b2740b7e4a03bb8331d48b54b119afea76bb9d5f)
+(cherry picked from commit f66ea1e60c347408e92b6695d5105c7e0f24d568)
+(cherry picked from commit 0e07159c24cdbb62a9d19fba8199065b049e03c7)
+---
+ grub-core/font/font.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 347e9dfa29..1367e44743 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1468,14 +1468,18 @@ ensure_comb_space (const struct grub_unicode_glyph *glyph_id)
+ if (glyph_id->ncomb <= render_max_comb_glyphs)
+ return;
+
+- render_max_comb_glyphs = 2 * glyph_id->ncomb;
+- if (render_max_comb_glyphs < 8)
++ if (grub_mul (glyph_id->ncomb, 2, &render_max_comb_glyphs))
++ render_max_comb_glyphs = 0;
++ if (render_max_comb_glyphs > 0 && render_max_comb_glyphs < 8)
+ render_max_comb_glyphs = 8;
+ grub_free (render_combining_glyphs);
+- render_combining_glyphs = grub_malloc (render_max_comb_glyphs
+- * sizeof (render_combining_glyphs[0]));
++ render_combining_glyphs = (render_max_comb_glyphs > 0) ?
++ grub_calloc (render_max_comb_glyphs, sizeof (render_combining_glyphs[0])) : NULL;
+ if (!render_combining_glyphs)
+- grub_errno = 0;
++ {
++ render_max_comb_glyphs = 0;
++ grub_errno = GRUB_ERR_NONE;
++ }
+ }
+
+ int
diff --git a/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch b/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch
new file mode 100644
index 0000000..c28337d
--- /dev/null
+++ b/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 15 Aug 2022 02:04:58 +0800
+Subject: [PATCH] font: Fix integer overflow in BMP index
+
+The BMP index (font->bmp_idx) is designed as a reverse lookup table of
+char entries (font->char_index), in order to speed up lookups for BMP
+chars (i.e. code < 0x10000). The values in BMP index are the subscripts
+of the corresponding char entries, stored in grub_uint16_t, while 0xffff
+means not found.
+
+This patch fixes the problem of large subscript truncated to grub_uint16_t,
+leading BMP index to return wrong char entry or report false miss. The
+code now checks for bounds and uses BMP index as a hint, and fallbacks
+to binary-search if necessary.
+
+On the occasion add a comment about BMP index is initialized to 0xffff.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit afda8b60ba0712abe01ae1e64c5f7a067a0e6492)
+(cherry picked from commit 6d90568929e11739b56f09ebbce9185ca9c23519)
+(cherry picked from commit b8c47c3dd6894b3135db861e3e563f661efad5c3)
+---
+ grub-core/font/font.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 1367e44743..059c23dff7 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+ font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
+ if (!font->bmp_idx)
+ return 1;
++
++ /* Init the BMP index array to 0xffff. */
+ grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t));
+
+
+@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+ return 1;
+ }
+
+- if (entry->code < 0x10000)
++ if (entry->code < 0x10000 && i < 0xffff)
+ font->bmp_idx[entry->code] = i;
+
+ last_code = entry->code;
+@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+ /* Use BMP index if possible. */
+ if (code < 0x10000 && font->bmp_idx)
+ {
+- if (font->bmp_idx[code] == 0xffff)
+- return 0;
+- return &table[font->bmp_idx[code]];
++ if (font->bmp_idx[code] < 0xffff)
++ return &table[font->bmp_idx[code]];
++ /*
++ * When we are here then lookup in BMP index result in miss,
++ * fallthough to binary-search.
++ */
+ }
+
+ /* Do a binary search in `char_index', which is ordered by code point. */
diff --git a/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch b/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch
new file mode 100644
index 0000000..31b66af
--- /dev/null
+++ b/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch
@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Sun, 14 Aug 2022 18:09:38 +0800
+Subject: [PATCH] font: Fix integer underflow in binary search of char index
+
+If search target is less than all entries in font->index then "hi"
+variable is set to -1, which translates to SIZE_MAX and leads to errors.
+
+This patch fixes the problem by replacing the entire binary search code
+with the libstdc++'s std::lower_bound() implementation.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit c140a086838e7c9af87842036f891b8393a8c4bc)
+(cherry picked from commit e110997335b1744464ea232d57a7d86e16ca8dee)
+(cherry picked from commit 403053a5116ae945f9515a82c37ff8cfb927362c)
+---
+ grub-core/font/font.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 059c23dff7..31786ab339 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value)
+ static inline struct char_index_entry *
+ find_glyph (const grub_font_t font, grub_uint32_t code)
+ {
+- struct char_index_entry *table;
+- grub_size_t lo;
+- grub_size_t hi;
+- grub_size_t mid;
++ struct char_index_entry *table, *first, *end;
++ grub_size_t len;
+
+ table = font->char_index;
++ if (table == NULL)
++ return NULL;
+
+ /* Use BMP index if possible. */
+ if (code < 0x10000 && font->bmp_idx)
+@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code)
+ */
+ }
+
+- /* Do a binary search in `char_index', which is ordered by code point. */
+- lo = 0;
+- hi = font->num_chars - 1;
++ /*
++ * Do a binary search in char_index which is ordered by code point.
++ * The code below is the same as libstdc++'s std::lower_bound().
++ */
++ first = table;
++ len = font->num_chars;
++ end = first + len;
+
+- if (!table)
+- return 0;
+-
+- while (lo <= hi)
++ while (len > 0)
+ {
+- mid = lo + (hi - lo) / 2;
+- if (code < table[mid].code)
+- hi = mid - 1;
+- else if (code > table[mid].code)
+- lo = mid + 1;
++ grub_size_t half = len >> 1;
++ struct char_index_entry *middle = first + half;
++
++ if (middle->code < code)
++ {
++ first = middle + 1;
++ len = len - half - 1;
++ }
+ else
+- return &table[mid];
++ len = half;
+ }
+
+- return 0;
++ return (first < end && first->code == code) ? first : NULL;
+ }
+
+ /* Get a glyph for the Unicode character CODE in FONT. The glyph is loaded
diff --git a/SOURCES/0569-fbutil-Fix-integer-overflow.patch b/SOURCES/0569-fbutil-Fix-integer-overflow.patch
new file mode 100644
index 0000000..8854410
--- /dev/null
+++ b/SOURCES/0569-fbutil-Fix-integer-overflow.patch
@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Tue, 6 Sep 2022 03:03:21 +0800
+Subject: [PATCH] fbutil: Fix integer overflow
+
+Expressions like u64 = u32 * u32 are unsafe because their products are
+truncated to u32 even if left hand side is u64. This patch fixes all
+problems like that one in fbutil.
+
+To get right result not only left hand side have to be u64 but it's also
+necessary to cast at least one of the operands of all leaf operators of
+right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
+u64 = (u64)u32 * u32 + (u64)u32 * u32.
+
+For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
+combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
+not overflow grub_uint64_t.
+
+Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
+They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
+
+This patch also adds a comment to grub_video_fb_get_video_ptr() which
+says it's arguments must be valid and no sanity check is performed
+(like its siblings in grub-core/video/fb/fbutil.c).
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 50a11a81bc842c58962244a2dc86bbd31a426e12)
+(cherry picked from commit 8fa75d647362c938c4cc302cf5945b31fb92c078)
+(cherry picked from commit 91005e39b3c8b6ca8dcc84ecb19ac9328966aaea)
+---
+ grub-core/video/fb/fbutil.c | 4 ++--
+ include/grub/fbutil.h | 13 +++++++++----
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c
+index b98bb51fe8..25ef39f47d 100644
+--- a/grub-core/video/fb/fbutil.c
++++ b/grub-core/video/fb/fbutil.c
+@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source,
+ case 1:
+ if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+ {
+- int bit_index = y * source->mode_info->width + x;
++ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+ grub_uint8_t *ptr = source->data + bit_index / 8;
+ int bit_pos = 7 - bit_index % 8;
+ color = (*ptr >> bit_pos) & 0x01;
+@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source,
+ case 1:
+ if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED)
+ {
+- int bit_index = y * source->mode_info->width + x;
++ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x;
+ grub_uint8_t *ptr = source->data + bit_index / 8;
+ int bit_pos = 7 - bit_index % 8;
+ *ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos);
+diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h
+index 4205eb917f..78a1ab3b45 100644
+--- a/include/grub/fbutil.h
++++ b/include/grub/fbutil.h
+@@ -31,14 +31,19 @@ struct grub_video_fbblit_info
+ grub_uint8_t *data;
+ };
+
+-/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
+- and it doesn't make sense, in general, to ask for a pointer
+- to a particular pixel's data. */
++/*
++ * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level
++ * and it doesn't make sense, in general, to ask for a pointer
++ * to a particular pixel's data.
++ *
++ * This function assumes that bounds checking has been done in previous phase
++ * and they are opted out in here.
++ */
+ static inline void *
+ grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source,
+ unsigned int x, unsigned int y)
+ {
+- return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel;
++ return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel;
+ }
+
+ /* Advance pointer by VAL bytes. If there is no unaligned access available,
diff --git a/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch b/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch
new file mode 100644
index 0000000..8da101f
--- /dev/null
+++ b/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch
@@ -0,0 +1,91 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4)
+(cherry picked from commit 05e532fb707bbf79aa4e1efbde4d208d7da89d6b)
+(cherry picked from commit 0b2592fbb245d53c5c42885d695ece03ddb0eb12)
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 31786ab339..fc9d92fce4 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1203,12 +1203,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ ctx.bounds.height = main_glyph->height;
+
+ above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+ above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+ below_righty = ctx.bounds.y;
+
+ comb = grub_unicode_get_comb (glyph_id);
+@@ -1221,7 +1221,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ if (!combining_glyphs[i])
+ continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ /* CGJ is to avoid diacritics reordering. */
+ if (comb[i].code
+ == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1231,8 +1231,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ case GRUB_UNICODE_COMB_OVERLAY:
+ do_blit (combining_glyphs[i],
+ targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+ break;
+@@ -1305,7 +1305,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ /* Fallthrough. */
+ case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
+ + combining_glyphs[i]->height), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+@@ -1313,7 +1313,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ + combining_glyphs[i]->height / 2), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
diff --git a/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch b/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
new file mode 100644
index 0000000..87b8e33
--- /dev/null
+++ b/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 07:15:41 +0800
+Subject: [PATCH] font: Harden grub_font_blit_glyph() and
+ grub_font_blit_glyph_mirror()
+
+As a mitigation and hardening measure add sanity checks to
+grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
+makes these two functions do nothing if target blitting area isn't fully
+contained in target bitmap. Therefore, if complex calculations in caller
+overflows and malicious coordinates are given, we are still safe because
+any coordinates which result in out-of-bound-write are rejected. However,
+this patch only checks for invalid coordinates, and doesn't provide any
+protection against invalid source glyph or destination glyph, e.g.
+mismatch between glyph size and buffer size.
+
+This hardening measure is designed to mitigate possible overflows in
+blit_comb(). If overflow occurs, it may return invalid bounding box
+during dry run and call grub_font_blit_glyph() with malicious
+coordinates during actual blitting. However, we are still safe because
+the scratch glyph itself is valid, although its size makes no sense, and
+any invalid coordinates are rejected.
+
+It would be better to call grub_fatal() if illegal parameter is detected.
+However, doing this may end up in a dangerous recursion because grub_fatal()
+would print messages to the screen and we are in the progress of drawing
+characters on the screen.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6)
+(cherry picked from commit 1d37ec63a1c76a14fdf70f548eada92667b42ddb)
+(cherry picked from commit 686c72ea0a841343b7d8ab64e815751aa36e24b5)
+---
+ grub-core/font/font.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index fc9d92fce4..cfa4bd5096 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1069,8 +1069,15 @@ static void
+ grub_font_blit_glyph (struct grub_font_glyph *target,
+ struct grub_font_glyph *src, unsigned dx, unsigned dy)
+ {
++ grub_uint16_t max_x, max_y;
+ unsigned src_bit, tgt_bit, src_byte, tgt_byte;
+ unsigned i, j;
++
++ /* Harden against out-of-bound writes. */
++ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++ (grub_add (dy, src->height, &max_y) || max_y > target->height))
++ return;
++
+ for (i = 0; i < src->height; i++)
+ {
+ src_bit = (src->width * i) % 8;
+@@ -1102,9 +1109,16 @@ grub_font_blit_glyph_mirror (struct grub_font_glyph *target,
+ struct grub_font_glyph *src,
+ unsigned dx, unsigned dy)
+ {
++ grub_uint16_t max_x, max_y;
+ unsigned tgt_bit, src_byte, tgt_byte;
+ signed src_bit;
+ unsigned i, j;
++
++ /* Harden against out-of-bound writes. */
++ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) ||
++ (grub_add (dy, src->height, &max_y) || max_y > target->height))
++ return;
++
+ for (i = 0; i < src->height; i++)
+ {
+ src_bit = (src->width * i + src->width - 1) % 8;
diff --git a/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch b/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
new file mode 100644
index 0000000..981d5df
--- /dev/null
+++ b/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 17:29:16 +0800
+Subject: [PATCH] font: Assign null_font to glyphs in ascii_font_glyph[]
+
+The calculations in blit_comb() need information from glyph's font, e.g.
+grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
+NULL if main_glyph comes from ascii_font_glyph[]. Therefore
+grub_font_get_*() crashes because of NULL pointer.
+
+There is already a solution, the null_font. So, assign it to those glyphs
+in ascii_font_glyph[].
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit dd539d695482069d28b40f2d3821f710cdcf6ee6)
+(cherry picked from commit 87526376857eaceae474c9797e3cee5b50597332)
+(cherry picked from commit b4807bbb09d9adf82fe9ae12a3af1c852dc4e32d)
+---
+ grub-core/font/font.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index cfa4bd5096..30cd1fe07f 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -137,7 +137,7 @@ ascii_glyph_lookup (grub_uint32_t code)
+ ascii_font_glyph[current]->offset_x = 0;
+ ascii_font_glyph[current]->offset_y = -2;
+ ascii_font_glyph[current]->device_width = 8;
+- ascii_font_glyph[current]->font = NULL;
++ ascii_font_glyph[current]->font = &null_font;
+
+ grub_memcpy (ascii_font_glyph[current]->bitmap,
+ &ascii_bitmaps[current * ASCII_BITMAP_SIZE],
diff --git a/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch b/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
new file mode 100644
index 0000000..283d560
--- /dev/null
+++ b/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 28 Oct 2022 21:31:39 +0800
+Subject: [PATCH] normal/charset: Fix an integer overflow in
+ grub_unicode_aglomerate_comb()
+
+The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
+However, code in grub_unicode_aglomerate_comb() doesn't check for an
+overflow when incrementing out->ncomb. If out->ncomb is already 255,
+after incrementing it will get 0 instead of 256, and cause illegal
+memory access in subsequent processing.
+
+This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
+acceptable value of ncomb. The code now checks for this limit and
+ignores additional combining characters when limit is reached.
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+(cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6)
+(cherry picked from commit 26fafec86000b5322837722a115279ef03922ca6)
+(cherry picked from commit 872fba1c44dee2ab5cb36b2c7a883847f91ed907)
+---
+ grub-core/normal/charset.c | 3 +++
+ include/grub/unicode.h | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index 7b2de12001..4849cf06f7 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ if (!haveout)
+ continue;
+
++ if (out->ncomb == GRUB_UNICODE_NCOMB_MAX)
++ continue;
++
+ if (comb_type == GRUB_UNICODE_COMB_MC
+ || comb_type == GRUB_UNICODE_COMB_ME
+ || comb_type == GRUB_UNICODE_COMB_MN)
+diff --git a/include/grub/unicode.h b/include/grub/unicode.h
+index 4de986a857..c4f6fca043 100644
+--- a/include/grub/unicode.h
++++ b/include/grub/unicode.h
+@@ -147,7 +147,9 @@ struct grub_unicode_glyph
+ grub_uint8_t bidi_level:6; /* minimum: 6 */
+ enum grub_bidi_type bidi_type:5; /* minimum: :5 */
+
++#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1)
+ unsigned ncomb:8;
++
+ /* Hint by unicode subsystem how wide this character usually is.
+ Real width is determined by font. Set only in UTF-8 stream. */
+ int estimated_width:8;
diff --git a/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch b/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch
new file mode 100644
index 0000000..3fd5d5a
--- /dev/null
+++ b/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch
@@ -0,0 +1,227 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lu Ken <ken.lu@intel.com>
+Date: Sat, 3 Jul 2021 10:50:37 -0400
+Subject: [PATCH] Enable TDX measurement to RTMR register
+
+Intel Trust Domain Extensions(Intel TDX) refers to an Intel technology
+that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory
+Encryption(MK-TME) with a new kind of virtual machine guest called a
+Trust Domain(TD)[1]. A TD runs in a CPU mode that protects the confidentiality
+of its memory contents and its CPU state from any other software, including
+the hosting Virtual Machine Monitor (VMM).
+
+Trust Domain Virtual Firmware (TDVF) is required to provide TD services to
+the TD guest OS.[2] Its reference code is available at https://github.com/tianocore/edk2-staging/tree/TDVF.
+
+To support TD measurement/attestation, TDs provide 4 RTMR registers like
+TPM/TPM2 PCR as below:
+- RTMR[0] is for TDVF configuration
+- RTMR[1] is for the TD OS loader and kernel
+- RTMR[2] is for the OS application
+- RTMR[3] is reserved for special usage only
+
+This patch adds TD Measurement protocol support along with TPM/TPM2 protocol.
+
+References:
+[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
+[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
+
+Signed-off-by: Lu Ken <ken.lu@intel.com>
+(cherry picked from commit 841a0977397cf12a5498d439b8aaf8bf28ff8544)
+---
+ grub-core/Makefile.core.def | 1 +
+ grub-core/kern/efi/tdx.c | 70 +++++++++++++++++++++++++++++++++++++++++++++
+ grub-core/kern/tpm.c | 4 +++
+ include/grub/efi/tdx.h | 26 +++++++++++++++++
+ include/grub/tdx.h | 36 +++++++++++++++++++++++
+ 5 files changed, 137 insertions(+)
+ create mode 100644 grub-core/kern/efi/tdx.c
+ create mode 100644 include/grub/efi/tdx.h
+ create mode 100644 include/grub/tdx.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 637d7203e3..2787d59c52 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -200,6 +200,7 @@ kernel = {
+ efi = kern/efi/acpi.c;
+ efi = kern/lockdown.c;
+ efi = lib/envblk.c;
++ efi = kern/efi/tdx.c;
+ efi = kern/efi/tpm.c;
+ i386_coreboot = kern/i386/pc/acpi.c;
+ i386_multiboot = kern/i386/pc/acpi.c;
+diff --git a/grub-core/kern/efi/tdx.c b/grub-core/kern/efi/tdx.c
+new file mode 100644
+index 0000000000..3a49f8d117
+--- /dev/null
++++ b/grub-core/kern/efi/tdx.c
+@@ -0,0 +1,70 @@
++#include <grub/err.h>
++#include <grub/i18n.h>
++#include <grub/efi/api.h>
++#include <grub/efi/efi.h>
++#include <grub/efi/tpm.h>
++#include <grub/efi/tdx.h>
++#include <grub/mm.h>
++#include <grub/tpm.h>
++#include <grub/tdx.h>
++
++static grub_efi_guid_t tdx_guid = EFI_TDX_GUID;
++
++static inline grub_err_t grub_tdx_dprintf(grub_efi_status_t status)
++{
++ switch (status) {
++ case GRUB_EFI_SUCCESS:
++ return 0;
++ case GRUB_EFI_DEVICE_ERROR:
++ grub_dprintf ("tdx", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_IO;
++ case GRUB_EFI_INVALID_PARAMETER:
++ grub_dprintf ("tdx", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_BAD_ARGUMENT;
++ case GRUB_EFI_VOLUME_FULL:
++ grub_dprintf ("tdx", "Volume is full: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_BAD_ARGUMENT;
++ case GRUB_EFI_UNSUPPORTED:
++ grub_dprintf ("tdx", "TDX unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_UNKNOWN_DEVICE;
++ default:
++ grub_dprintf ("tdx", "Unknown TDX error: 0x%"PRIxGRUB_EFI_STATUS"\n",
++ status);
++ return GRUB_ERR_UNKNOWN_DEVICE;
++ }
++}
++
++grub_err_t
++grub_tdx_log_event(unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
++ const char *description)
++{
++ EFI_TCG2_EVENT *event;
++ grub_efi_status_t status;
++ grub_efi_tdx_protocol_t *tdx;
++
++ tdx = grub_efi_locate_protocol (&tdx_guid, NULL);
++
++ if (!tdx)
++ return 0;
++
++ event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 1);
++ if (!event)
++ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
++ N_("cannot allocate TCG2 event buffer"));
++
++ event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER);
++ event->Header.HeaderVersion = 1;
++ event->Header.PCRIndex = pcr;
++ event->Header.EventType = EV_IPL;
++ event->Size = sizeof(*event) - sizeof(event->Event) + grub_strlen(description) + 1;
++ grub_memcpy(event->Event, description, grub_strlen(description) + 1);
++
++ status = efi_call_5 (tdx->hash_log_extend_event, tdx, 0, (unsigned long) buf,
++ (grub_uint64_t) size, event);
++
++ return grub_tdx_dprintf(status);
++}
+\ No newline at end of file
+diff --git a/grub-core/kern/tpm.c b/grub-core/kern/tpm.c
+index e5e8fced62..71cc4252c1 100644
+--- a/grub-core/kern/tpm.c
++++ b/grub-core/kern/tpm.c
+@@ -4,6 +4,7 @@
+ #include <grub/mm.h>
+ #include <grub/tpm.h>
+ #include <grub/term.h>
++#include <grub/tdx.h>
+
+ grub_err_t
+ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+@@ -13,6 +14,9 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+ char *desc = grub_xasprintf("%s %s", kind, description);
+ if (!desc)
+ return GRUB_ERR_OUT_OF_MEMORY;
++
++ grub_tdx_log_event(buf, size, pcr, desc);
++
+ ret = grub_tpm_log_event(buf, size, pcr, desc);
+ grub_free(desc);
+ return ret;
+diff --git a/include/grub/efi/tdx.h b/include/grub/efi/tdx.h
+new file mode 100644
+index 0000000000..9bdac2a275
+--- /dev/null
++++ b/include/grub/efi/tdx.h
+@@ -0,0 +1,26 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2015 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_EFI_TDX_HEADER
++#define GRUB_EFI_TDX_HEADER 1
++
++#define EFI_TDX_GUID {0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b}};
++
++typedef grub_efi_tpm2_protocol_t grub_efi_tdx_protocol_t;
++
++#endif
+\ No newline at end of file
+diff --git a/include/grub/tdx.h b/include/grub/tdx.h
+new file mode 100644
+index 0000000000..4a98008e39
+--- /dev/null
++++ b/include/grub/tdx.h
+@@ -0,0 +1,36 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2015 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_TDX_HEADER
++#define GRUB_TDX_HEADER 1
++
++#if defined (GRUB_MACHINE_EFI)
++grub_err_t grub_tdx_log_event(unsigned char *buf, grub_size_t size,
++ grub_uint8_t pcr, const char *description);
++#else
++static inline grub_err_t grub_tdx_log_event(
++ unsigned char *buf __attribute__ ((unused)),
++ grub_size_t size __attribute__ ((unused)),
++ grub_uint8_t pcr __attribute__ ((unused)),
++ const char *description __attribute__ ((unused)))
++{
++ return 0;
++};
++#endif
++
++#endif
diff --git a/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch b/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch
new file mode 100644
index 0000000..b7563d7
--- /dev/null
+++ b/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+Date: Tue, 24 Jan 2023 08:01:47 -0500
+Subject: [PATCH] Enable shared processor mode in vector 5
+
+This patch is to update the vector 5 which is troubling some
+machines to bootup properly in shared processor mode.
+
+Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+(cherry picked from commit 30d2ee836649386a336f9437c8a149c8e642a46b)
+(cherry picked from commit 7e309d139c5eca1f03659e612a14499213e79c95)
+---
+ grub-core/kern/ieee1275/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 37f3098c39..3ea9b73b2a 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -372,7 +372,7 @@ grub_ieee1275_ibm_cas (void)
+ .vec4 = 0x0001, // set required minimum capacity % to the lowest value
+ .vec5_size = 1 + sizeof(struct option_vector5) - 2,
+ .vec5 = {
+- 0, 0, 0, 0, 0, 0, 0, 0, 256
++ 0, 192, 0, 128, 0, 0, 0, 0, 256
+ }
+ };
+
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 9ea738a..3eacbac 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -552,3 +552,24 @@ Patch0551: 0551-nx-set-page-permissions-for-loaded-modules.patch
Patch0552: 0552-nx-set-attrs-in-our-kernel-loaders.patch
Patch0553: 0553-nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch
Patch0554: 0554-Fixup-grub_efi_get_variable-type-in-our-loaders.patch
+Patch0555: 0555-Make-debug-file-show-which-file-filters-get-run.patch
+Patch0556: 0556-efi-use-enumerated-array-positions-for-our-allocatio.patch
+Patch0557: 0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch
+Patch0558: 0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch
+Patch0559: 0559-ieee1275-implement-vec5-for-cas-negotiation.patch
+Patch0560: 0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch
+Patch0561: 0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch
+Patch0562: 0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
+Patch0563: 0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
+Patch0564: 0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch
+Patch0565: 0565-font-Remove-grub_font_dup_glyph.patch
+Patch0566: 0566-font-Fix-integer-overflow-in-ensure_comb_space.patch
+Patch0567: 0567-font-Fix-integer-overflow-in-BMP-index.patch
+Patch0568: 0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch
+Patch0569: 0569-fbutil-Fix-integer-overflow.patch
+Patch0570: 0570-font-Fix-an-integer-underflow-in-blit_comb.patch
+Patch0571: 0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
+Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
+Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
+Patch0574: 0574-Enable-TDX-measurement-to-RTMR-register.patch
+Patch0575: 0575-Enable-shared-processor-mode-in-vector-5.patch
diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in
index 55b3d10..b338b5f 100755
--- a/SOURCES/sbat.csv.in
+++ b/SOURCES/sbat.csv.in
@@ -1,3 +1,3 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,2,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
+grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index c61f8d5..64bb124 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
-Release: 138%{?dist}
+Release: 148%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -510,51 +510,85 @@ fi
%endif
%changelog
-* Tue Sep 27 2022 CentOS Sources <bugs@centos.org> - 2.02-138.el8.centos
-- Apply debranding changes
+* Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-148
+- ppc64le: cas5, take 3
+- Resolves: #2139508
-* Wed Jul 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-138
+* Tue Jan 10 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-147
+- Enable TDX measurement to RTMR register
+- Resolves: #1981485
+
+* Wed Dec 14 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-146
+- ppc64le: fix lpar cas5
+- Resolves: #2139508
+
+* Tue Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.02-145
+- Font CVE fixes
+- Resolves: CVE-2022-2601
+
+* Tue Oct 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-144
+- blscfg: don't assume newline at end of cfg
+- Resolves: #2121132
+
+* Wed Oct 12 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-143
+- x86-efi: Fix an incorrect array size in kernel allocation
+- Also merge with 8.7
+- Resolves: #2031288
+
+* Thu Aug 25 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-141
+- Implement vec5 for cas negotiation
+- Resolves: #2117914
+
+* Wed Aug 24 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-140
+- Or two, because I forgot the debug patch
+- Resolves: #2118896
+
+* Thu Aug 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-139
+- Kernel allocator fixups (in one pass)
+- Resolves: #2118896
+
+* Wed Jul 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-138
- Rotate signing keys on ppc64le
- Resolves: #2074762
-* Fri Jun 03 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-137
+* Fri Jun 03 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-137
- CVE fixes for 2022-06-07
- CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
- CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
- Resolves: #2070687
-* Mon May 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-129
+* Mon May 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-129
- ppc64le: Slow boot after LPM
- Resolves: #2070347
-* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-127
+* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-127
- ppc64le: CAS improvements, prefix detection, and vTPM support
- Resolves: #2076795
- Resolves: #2026568
- Resolves: #2051331
-* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-126
+* Wed May 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-126
- Fix rpm verification error on grub.cfg permissions
- Resolves: #2071643
-* Wed Apr 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-125
+* Wed Apr 20 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-125
- RHEL 8.6.0 import; no code changes
- Resolves: #2062892
-* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-123
+* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-123
- Bump for signing
-* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-122
+* Wed Mar 09 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-122
- Fix initialization on efidisk patch
-* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-121
+* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-121
- Backport support for loading initrd above 4GB
-* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-120
+* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-120
- Bump signing
- Resolves: #2032294
-* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-119
+* Mon Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-119
- Enable connectefi module
- Resolves: #2032294