Optimize PBKDF2 to reduce the decryption time (bsc#1248516)

- 0001-lib-crypto-Introduce-new-HMAC-functions-to-reuse-buf.patch
- 0002-lib-pbkdf2-Optimize-PBKDF2-by-reusing-HMAC-handle.patch
- 0001-kern-misc-Implement-faster-grub_memcpy-for-aligned-b.patch

0001-disk-cryptodisk-Allow-user-to-retry-failed-passphras.patch

@@ -0,0 +1,153 @@
+From 386b59ddb42fa3f86ddfe557113b25c8fa16f88c Mon Sep 17 00:00:00 2001
+From: Forest <forestix@nom.one>
+Date: Mon, 6 May 2024 17:07:30 -0700
+Subject: [PATCH] disk/cryptodisk: Allow user to retry failed passphrase
+
+Give the user a chance to re-enter their cryptodisk passphrase after a typo,
+rather than immediately failing (and likely dumping them into a GRUB shell).
+
+By default, we allow 3 tries before giving up. A value in the
+cryptodisk_passphrase_tries environment variable will override this default.
+
+The user can give up early by entering an empty passphrase, just as they
+could before this patch.
+
+Signed-off-by: Forest <forestix@nom.one>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ docs/grub.texi              |  9 +++++
+ grub-core/disk/cryptodisk.c | 71 ++++++++++++++++++++++++++++---------
+ 2 files changed, 64 insertions(+), 16 deletions(-)
+
+Index: grub-2.12/docs/grub.texi
+===================================================================
+--- grub-2.12.orig/docs/grub.texi
++++ grub-2.12/docs/grub.texi
+@@ -3278,6 +3278,7 @@ These variables have special meaning to
+ * color_normal::
+ * config_directory::
+ * config_file::
++* cryptodisk_passphrase_tries::
+ * debug::
+ * default::
+ * fallback::
+@@ -3450,6 +3451,14 @@ processed by commands @command{configfil
+ (@pxref{normal}).  It is restored to the previous value when command completes.
+ 
+ 
++@node cryptodisk_passphrase_tries
++@subsection cryptodisk_passphrase_tries
++
++When prompting the user for a cryptodisk passphrase, allow this many attempts
++before giving up. Defaults to @samp{3} if unset or set to an invalid value.
++(The user can give up early by entering an empty passphrase.)
++
++
+ @node debug
+ @subsection debug
+ 
+Index: grub-2.12/grub-core/disk/cryptodisk.c
+===================================================================
+--- grub-2.12.orig/grub-core/disk/cryptodisk.c
++++ grub-2.12/grub-core/disk/cryptodisk.c
+@@ -17,6 +17,7 @@
+  */
+ 
+ #include <grub/cryptodisk.h>
++#include <grub/env.h>
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/dl.h>
+@@ -1202,37 +1203,76 @@ grub_cryptodisk_scan_device_real (const
+       grub_free (part);
+     }
+ 
+-  if (!cargs->key_len)
++  if (cargs->key_len)
+     {
++      ret = cr->recover_key (source, dev, cargs);
++      if (ret != GRUB_ERR_NONE)
++	goto error;
++    }
++  else
++    {
++      /* Get the passphrase from the user, if no key data. */
++      unsigned long tries = 3;
++      const char *tries_env;
++
+       if (grub_errno)
+ 	{
+ 	  grub_print_error ();
+ 	  grub_errno = GRUB_ERR_NONE;
+ 	}
+ 
+-      /* Get the passphrase from the user, if no key data. */
+       askpass = 1;
+-      part = grub_partition_get_name (source->partition);
+-      grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+-		    source->partition != NULL ? "," : "",
+-		    part != NULL ? part : N_("UNKNOWN"), dev->uuid);
+-      grub_free (part);
+-
+       cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
+       if (cargs->key_data == NULL)
+ 	goto error;
+ 
+-      if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
++      tries_env = grub_env_get ("cryptodisk_passphrase_tries");
++      if (tries_env != NULL && tries_env[0] != '\0')
+ 	{
+-	  grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
+-	  goto error;
++	  unsigned long tries_env_val;
++	  const char *p;
++
++	  tries_env_val = grub_strtoul (tries_env, &p, 0);
++	  if (*p == '\0' && tries_env_val != ~0UL)
++	    tries = tries_env_val;
++	  else
++	    grub_printf_ (N_("Invalid cryptodisk_passphrase_tries value `%s'. Defaulting to %lu.\n"),
++			  tries_env,
++			  tries);
+ 	}
+-      cargs->key_len = grub_strlen ((char *) cargs->key_data);
+-    }
+ 
+-  ret = cr->recover_key (source, dev, cargs);
+-  if (ret != GRUB_ERR_NONE)
+-    goto error;
++      for (; tries > 0; tries--)
++	{
++	  part = grub_partition_get_name (source->partition);
++	  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++			source->partition != NULL ? "," : "",
++			part != NULL ? part : N_("UNKNOWN"),
++			dev->uuid);
++	  grub_free (part);
++
++	  if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
++	    {
++	      grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
++	      goto error;
++	    }
++	  cargs->key_len = grub_strlen ((char *) cargs->key_data);
++
++	  ret = cr->recover_key (source, dev, cargs);
++	  if (ret == GRUB_ERR_NONE)
++	    break;
++	  if (ret != GRUB_ERR_ACCESS_DENIED || tries == 1)
++	    goto error;
++	  grub_puts_ (N_("Invalid passphrase."));
++
++	  /*
++	   * Since recover_key() calls a function that returns grub_errno,
++	   * a leftover error value from a previously rejected passphrase
++	   * will trigger a phantom failure. We therefore clear it before
++	   * trying a new passphrase.
++	   */
++	  grub_errno = GRUB_ERR_NONE;
++	}
++    }
+ 
+   ret = grub_cryptodisk_insert (dev, name, source);
+   if (ret != GRUB_ERR_NONE)

0001-getroot-Skip-mount-points-in-grub_find_device.patch

@@ -0,0 +1,66 @@
+From ff3165a3e519892ec4bf9a31f4f1132668f83394 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Tue, 15 Jul 2025 14:15:22 +0800
+Subject: [PATCH] getroot: Skip mount points in grub_find_device
+
+The grub_find_device function scans a starting directory, typically
+/dev, for device files with matching major and minor numbers. During
+this process, it recursively descends into subdirectories.
+
+However, this can significantly slow down the scan if a subdirectory is
+a mount point not related to devtmpfs, especially if it contains a large
+number of files.
+
+This patch modifies grub_find_device() to skip subdirectories that are
+mount points. A mount point is detected by comparing the st_dev of the
+subdirectory against that of the parent or starting directory. While
+this method does not catch all types of mounts, for eg bind mounts, it
+is a practical solution that avoids the need to parse /proc/self/mounts.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/osdep/unix/getroot.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/grub-core/osdep/unix/getroot.c b/grub-core/osdep/unix/getroot.c
+index dce94b52e..9759cc59b 100644
+--- a/grub-core/osdep/unix/getroot.c
++++ b/grub-core/osdep/unix/getroot.c
+@@ -353,6 +353,7 @@ grub_find_device (const char *dir, dev_t dev)
+   DIR *dp;
+   struct saved_cwd saved_cwd;
+   struct dirent *ent;
++  struct stat st_dir;
+ 
+   if (! dir)
+     dir = "/dev";
+@@ -361,6 +362,12 @@ grub_find_device (const char *dir, dev_t dev)
+   if (! dp)
+     return 0;
+ 
++  if (stat (dir, &st_dir) < 0)
++    {
++      closedir (dp);
++      return 0;
++    }
++
+   if (save_cwd (&saved_cwd) < 0)
+     {
+       grub_util_error ("%s", _("cannot save the original directory"));
+@@ -410,6 +417,13 @@ grub_find_device (const char *dir, dev_t dev)
+ 	  /* Find it recursively.  */
+ 	  char *res;
+ 
++	  /* Skip mount point */
++	  if (st.st_dev != st_dir.st_dev)
++	    {
++	      grub_util_info ("skip mount point %s/%s", dir, ent->d_name);
++	      continue;
++	    }
++
+ 	  res = grub_find_device (ent->d_name, dev);
+ 
+ 	  if (res)
+-- 
+2.50.0
+

0001-ieee1275-Use-net-config-for-boot-location-instead-of.patch

@@ -0,0 +1,113 @@
+From eae4fc64a16cb58733afca09e70a09e51d405a9d Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Tue, 30 Sep 2025 14:44:02 +0800
+Subject: [PATCH] ieee1275: Use net config for boot location instead of
+ firmware bootpath
+
+On network boots, grub_ieee1275_net_config() is used to determine the
+boot device, but the path continues to be taken from the Open Firmware
+/chosen/bootpath property. This assumes the device node follows the
+generic IEEE-1275 syntax, which is not always the case. Different
+drivers may extend or redefine the format, and GRUB may then
+misinterpret the argument as a filename and set $prefix incorrectly.
+
+The generic Open Firmware device path format is:
+
+  device-name[:device-argument]
+  device-argument := [partition][,[filename]]
+
+For example, a bootpath such as:
+
+  /vdevice/l-lan@30000002:speed=auto,duplex=auto,1.2.243.345,,9.8.76.543,1.2.34.5,5,5,255.255.255.0,512
+
+does not follow this form. The section after the colon (the
+device-argument) contains driver-specific options and network
+parameters, not a valid filename. GRUB interprets this string as a
+filename, which results in $prefix being set to "/", effectively losing
+the intended boot directory.
+
+The firmware is not at fault here, since interpretation of device nodes
+is driver-specific. Instead, GRUB should use the filename provided in
+the cached DHCP packet, which is consistent and reliable. This is also
+the same mechanism already used on UEFI and legacy BIOS platforms.
+
+This patch updates grub_machine_get_bootlocation() to prefer the result
+from grub_ieee1275_net_config() when complete, and only fall back to the
+firmware bootpath otherwise.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/kern/ieee1275/init.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 45f787eff..802a34f07 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -153,9 +153,11 @@ void (*grub_ieee1275_net_config) (const char *dev, char **device, char **path,
+ void
+ grub_machine_get_bootlocation (char **device, char **path)
+ {
+-  char *bootpath;
++  char *bootpath = NULL;
+   char *filename;
+-  char *type;
++  char *type = NULL;
++  char *ret_device = NULL;
++  char *ret_path = NULL;
+ 
+   bootpath = grub_ieee1275_get_boot_dev ();
+   if (! bootpath)
+@@ -171,7 +173,7 @@ grub_machine_get_bootlocation (char **device, char **path)
+       dev = grub_ieee1275_get_aliasdevname (bootpath);
+       canon = grub_ieee1275_canonicalise_devname (dev);
+       if (! canon)
+-        return;
++	goto done;
+       ptr = canon + grub_strlen (canon) - 1;
+       while (ptr > canon && (*ptr == ',' || *ptr == ':'))
+ 	ptr--;
+@@ -179,13 +181,17 @@ grub_machine_get_bootlocation (char **device, char **path)
+       *ptr = 0;
+ 
+       if (grub_ieee1275_net_config)
+-	grub_ieee1275_net_config (canon, device, path, bootpath);
++	grub_ieee1275_net_config (canon, &ret_device, &ret_path, bootpath);
+       grub_free (dev);
+       grub_free (canon);
++
++      /* Use path from net config if it is provided by cached DHCP info */
++      if (ret_path != NULL)
++	goto done;
++      /* Fall through to use firmware bootpath */
+     }
+   else
+-    *device = grub_ieee1275_encode_devname (bootpath);
+-  grub_free (type);
++    ret_device = grub_ieee1275_encode_devname (bootpath);
+ 
+   filename = grub_ieee1275_get_filename (bootpath);
+   if (filename)
+@@ -198,10 +204,18 @@ grub_machine_get_bootlocation (char **device, char **path)
+ 	  *lastslash = '\0';
+ 	  grub_translate_ieee1275_path (filename);
+ 
+-	  *path = filename;
++	  ret_path = filename;
+ 	}
+     }
++
++ done:
++  grub_free (type);
+   grub_free (bootpath);
++
++  if (device != NULL)
++    *device = ret_device;
++  if (path != NULL)
++    *path = ret_path;
+ }
+ 
+ /* Claim some available memory in the first /memory node. */
+-- 
+2.51.0
+

0001-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch

@@ -0,0 +1,45 @@
+From 12d518fd50ed4787d3cc4bafcc11e14139dc5d76 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Wed, 7 May 2025 16:15:22 +0200
+Subject: [PATCH 1/7] kern/file: Call grub_dl_unref() after fs->fs_close()
+
+With commit 16f196874 (kern/file: Implement filesystem reference
+counting) files hold a reference to their file systems.
+
+When closing a file in grub_file_close() we should not expect
+file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
+So, grub_dl_unref() should be called after file->fs->fs_close().
+
+Fixes: CVE-2025-54771
+Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
+
+Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 7217a6ea7..dce29bedd 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -201,12 +201,12 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
+ grub_err_t
+ grub_file_close (grub_file_t file)
+ {
+-  if (file->fs->mod)
+-    grub_dl_unref (file->fs->mod);
+-
+   if (file->fs->fs_close)
+     (file->fs->fs_close) (file);
+ 
++  if (file->fs->mod)
++    grub_dl_unref (file->fs->mod);
++
+   if (file->device)
+     grub_device_close (file->device);
+   grub_free (file->name);
+-- 
+2.51.1
+

0001-kern-misc-Implement-faster-grub_memcpy-for-aligned-b.patch

@@ -0,0 +1,116 @@
+From 1fbd2a278cfc645adc45c0e1357e58bcd1909f8d Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 28 Aug 2025 15:03:35 +0800
+Subject: [PATCH] kern/misc: Implement faster grub_memcpy() for aligned buffers
+
+When both "dest" and "src" are aligned, copying the data in chunks
+(unsigned long) is more efficient than a byte-by-byte copy.
+
+Also tweak '__aeabi_memcpy()', '__aeabi_memcpy4()', and
+'__aeabi_memcpy8()', since 'grub_memcpy()' is not inline anymore.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/kern/compiler-rt.c |  8 ++++----
+ grub-core/kern/misc.c        | 30 ++++++++++++++++++++++++++++++
+ include/grub/misc.h          |  8 +-------
+ 3 files changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/grub-core/kern/compiler-rt.c b/grub-core/kern/compiler-rt.c
+index eda689a0c..8f3865e95 100644
+--- a/grub-core/kern/compiler-rt.c
++++ b/grub-core/kern/compiler-rt.c
+@@ -24,7 +24,7 @@
+ void * GRUB_BUILTIN_ATTR
+ memcpy (void *dest, const void *src, grub_size_t n)
+ {
+-	return grub_memmove (dest, src, n);
++	return grub_memcpy (dest, src, n);
+ }
+ void * GRUB_BUILTIN_ATTR
+ memmove (void *dest, const void *src, grub_size_t n)
+@@ -372,11 +372,11 @@ grub_int32_t
+ __aeabi_idiv (grub_int32_t a, grub_int32_t b)
+   __attribute__ ((alias ("__divsi3")));
+ void *__aeabi_memcpy (void *dest, const void *src, grub_size_t n)
+-  __attribute__ ((alias ("grub_memcpy")));
++  __attribute__ ((alias ("memcpy")));
+ void *__aeabi_memcpy4 (void *dest, const void *src, grub_size_t n)
+-  __attribute__ ((alias ("grub_memcpy")));
++  __attribute__ ((alias ("memcpy")));
+ void *__aeabi_memcpy8 (void *dest, const void *src, grub_size_t n)
+-  __attribute__ ((alias ("grub_memcpy")));
++  __attribute__ ((alias ("memcpy")));
+ void *__aeabi_memset (void *s, int c, grub_size_t n)
+   __attribute__ ((alias ("memset")));
+ 
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index 2b7922393..016932583 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -99,6 +99,36 @@ grub_memmove (void *dest, const void *src, grub_size_t n)
+   return dest;
+ }
+ 
++static void *
++__memcpy_aligned (void *dest, const void *src, grub_size_t n)
++{
++  unsigned long *dw = (unsigned long *) dest;
++  const unsigned long *sw = (const unsigned long *) src;
++  grub_uint8_t *d;
++  const grub_uint8_t *s;
++
++  for (; n >= sizeof (unsigned long); n -= sizeof (unsigned long))
++    *dw++ = *sw++;
++
++  d = (grub_uint8_t *) dw;
++  s = (const grub_uint8_t *) sw;
++  for (; n > 0; n--)
++    *d++ = *s++;
++
++  return dest;
++}
++
++void *
++grub_memcpy (void *dest, const void *src, grub_size_t n)
++{
++  /* Check if 'dest' and 'src' are aligned */
++  if (((grub_addr_t) dest & (sizeof (unsigned long) - 1)) == 0 &&
++      ((grub_addr_t) src & (sizeof (unsigned long) - 1)) == 0)
++    return __memcpy_aligned (dest, src, n);
++
++  return grub_memmove (dest, src, n);
++}
++
+ char *
+ grub_strcpy (char *dest, const char *src)
+ {
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index e087e7b3e..b6b14ca55 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -38,6 +38,7 @@
+ #define grub_dprintf(condition, ...) grub_real_dprintf(GRUB_FILE, __LINE__, condition, __VA_ARGS__)
+ 
+ void *EXPORT_FUNC(grub_memmove) (void *dest, const void *src, grub_size_t n);
++void *EXPORT_FUNC(grub_memcpy) (void *dest, const void *src, grub_size_t n);
+ char *EXPORT_FUNC(grub_strcpy) (char *dest, const char *src);
+ 
+ static inline char *
+@@ -103,13 +104,6 @@ grub_strlcpy (char *dest, const char *src, grub_size_t size)
+   return res;
+ }
+ 
+-/* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
+-static inline void *
+-grub_memcpy (void *dest, const void *src, grub_size_t n)
+-{
+-  return grub_memmove (dest, src, n);
+-}
+-
+ #if defined(__x86_64__) && !defined (GRUB_UTIL)
+ #if defined (__MINGW32__) || defined (__CYGWIN__) || defined (__MINGW64__)
+ #define GRUB_ASM_ATTR __attribute__ ((sysv_abi))
+-- 
+2.51.0
+

0001-lib-crypto-Introduce-new-HMAC-functions-to-reuse-buf.patch

@@ -0,0 +1,234 @@
+From e98e880b67be178f3a5951fb345ded8c002eb6e5 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 13 Aug 2025 11:43:40 +0800
+Subject: [PATCH 1/2] lib/crypto: Introduce new HMAC functions to reuse buffers
+
+To enable more efficient buffer reuse for HMAC operations, three new
+functions have been introduced. This change prevents the need to
+reallocate memory for each HMAC operation.
+
+* grub_crypto_hmac_reset(): Reinitializes the hash contexts in the HMAC
+  handle.
+
+* grub_crypto_hmac_final(): Provides the final HMAC result without
+  freeing the handle, allowing it to be reused immediately.
+
+* grub_crypto_hmac_free(): Deallocates the HMAC handle and its
+  associated memory.
+
+To further facilitate buffer reuse, 'ctx2' is now included within the HMAC
+handle struct, and the initialization of 'ctx2' is moved to
+grub_crypto_hmac_init().
+
+The intermediate hash states ('ctx' and 'ctx2') for the inner and outer
+padded keys are now cached. grub_crypto_hmac_reset() restores these cached
+states for new operations, which avoids redundant hashing of the keys.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/disk/geli.c  |  4 +-
+ grub-core/lib/crypto.c | 91 ++++++++++++++++++++++++++++++------------
+ include/grub/crypto.h  |  8 +++-
+ 3 files changed, 74 insertions(+), 29 deletions(-)
+
+Index: grub-2.12/grub-core/disk/geli.c
+===================================================================
+--- grub-2.12.orig/grub-core/disk/geli.c
++++ grub-2.12/grub-core/disk/geli.c
+@@ -464,9 +464,7 @@ geli_recover_key (grub_disk_t source, gr
+       grub_crypto_hmac_write (hnd, header.salt, sizeof (header.salt));
+       grub_crypto_hmac_write (hnd, cargs->key_data, cargs->key_len);
+ 
+-      gcry_err = grub_crypto_hmac_fini (hnd, geomkey);
+-      if (gcry_err)
+-	return grub_crypto_gcry_error (gcry_err);
++      grub_crypto_hmac_fini (hnd, geomkey);
+     }
+ 
+   gcry_err = grub_crypto_hmac_buffer (dev->hash, geomkey,
+Index: grub-2.12/grub-core/lib/crypto.c
+===================================================================
+--- grub-2.12.orig/grub-core/lib/crypto.c
++++ grub-2.12/grub-core/lib/crypto.c
+@@ -31,7 +31,9 @@ struct grub_crypto_hmac_handle
+ {
+   const struct gcry_md_spec *md;
+   void *ctx;
+-  void *opad;
++  void *ctx2;
++  void *ctx_cache;
++  void *ctx2_cache;
+ };
+ 
+ static gcry_cipher_spec_t *grub_ciphers = NULL;
+@@ -307,7 +309,8 @@ grub_crypto_hmac_init (const struct gcry
+ {
+   grub_uint8_t *helpkey = NULL;
+   grub_uint8_t *ipad = NULL, *opad = NULL;
+-  void *ctx = NULL;
++  void *ctx = NULL, *ctx2 = NULL;
++  void *ctx_cache = NULL, *ctx2_cache = NULL;
+   struct grub_crypto_hmac_handle *ret = NULL;
+   unsigned i;
+ 
+@@ -318,6 +321,18 @@ grub_crypto_hmac_init (const struct gcry
+   if (!ctx)
+     goto err;
+ 
++  ctx2 = grub_malloc (md->contextsize);
++  if (!ctx2)
++    goto err;
++
++  ctx_cache = grub_malloc (md->contextsize);
++  if (!ctx_cache)
++    goto err;
++
++  ctx2_cache = grub_malloc (md->contextsize);
++  if (!ctx2_cache)
++    goto err;
++
+   if ( keylen > md->blocksize )
+     {
+       helpkey = grub_malloc (md->mdlen);
+@@ -347,26 +362,40 @@ grub_crypto_hmac_init (const struct gcry
+   grub_free (helpkey);
+   helpkey = NULL;
+ 
++  /* inner pad */
+   md->init (ctx);
+-
+-  md->write (ctx, ipad, md->blocksize); /* inner pad */
++  md->write (ctx, ipad, md->blocksize);
++  grub_memcpy (ctx_cache, ctx, md->contextsize);
+   grub_memset (ipad, 0, md->blocksize);
+   grub_free (ipad);
+   ipad = NULL;
+ 
++  /* outer pad */
++  md->init (ctx2);
++  md->write (ctx2, opad, md->blocksize);
++  grub_memcpy (ctx2_cache, ctx2, md->contextsize);
++  grub_memset (opad, 0, md->blocksize);
++  grub_free (opad);
++  opad = NULL;
++
+   ret = grub_malloc (sizeof (*ret));
+   if (!ret)
+     goto err;
+ 
+   ret->md = md;
+   ret->ctx = ctx;
+-  ret->opad = opad;
++  ret->ctx2 = ctx2;
++  ret->ctx_cache = ctx_cache;
++  ret->ctx2_cache = ctx2_cache;
+ 
+   return ret;
+ 
+  err:
+   grub_free (helpkey);
+   grub_free (ctx);
++  grub_free (ctx2);
++  grub_free (ctx_cache);
++  grub_free (ctx2_cache);
+   grub_free (ipad);
+   grub_free (opad);
+   return NULL;
+@@ -380,37 +409,48 @@ grub_crypto_hmac_write (struct grub_cryp
+   hnd->md->write (hnd->ctx, data, datalen);
+ }
+ 
+-gcry_err_code_t
++void
+ grub_crypto_hmac_fini (struct grub_crypto_hmac_handle *hnd, void *out)
+ {
+-  grub_uint8_t *p;
+-  grub_uint8_t *ctx2;
++  grub_crypto_hmac_final (hnd, out);
++  grub_crypto_hmac_free (hnd);
++}
+ 
+-  ctx2 = grub_malloc (hnd->md->contextsize);
+-  if (!ctx2)
+-    return GPG_ERR_OUT_OF_MEMORY;
++void
++grub_crypto_hmac_reset (struct grub_crypto_hmac_handle *hnd)
++{
++  grub_memcpy (hnd->ctx, hnd->ctx_cache, hnd->md->contextsize);
++  grub_memcpy (hnd->ctx2, hnd->ctx2_cache, hnd->md->contextsize);
++}
++
++void
++grub_crypto_hmac_final (struct grub_crypto_hmac_handle *hnd, void *out)
++{
++  grub_uint8_t *p;
+ 
+   hnd->md->final (hnd->ctx);
+   hnd->md->read (hnd->ctx);
+   p = hnd->md->read (hnd->ctx);
+ 
+-  hnd->md->init (ctx2);
+-  hnd->md->write (ctx2, hnd->opad, hnd->md->blocksize);
+-  hnd->md->write (ctx2, p, hnd->md->mdlen);
+-  hnd->md->final (ctx2);
+-  grub_memset (hnd->opad, 0, hnd->md->blocksize);
+-  grub_free (hnd->opad);
+-  grub_memset (hnd->ctx, 0, hnd->md->contextsize);
+-  grub_free (hnd->ctx);
++  hnd->md->write (hnd->ctx2, p, hnd->md->mdlen);
++  hnd->md->final (hnd->ctx2);
+ 
+-  grub_memcpy (out, hnd->md->read (ctx2), hnd->md->mdlen);
+-  grub_memset (ctx2, 0, hnd->md->contextsize);
+-  grub_free (ctx2);
++  grub_memcpy (out, hnd->md->read (hnd->ctx2), hnd->md->mdlen);
++}
+ 
++void
++grub_crypto_hmac_free (struct grub_crypto_hmac_handle *hnd)
++{
++  grub_memset (hnd->ctx, 0, hnd->md->contextsize);
++  grub_free (hnd->ctx);
++  grub_memset (hnd->ctx2, 0, hnd->md->contextsize);
++  grub_free (hnd->ctx2);
++  grub_memset (hnd->ctx_cache, 0, hnd->md->contextsize);
++  grub_free (hnd->ctx_cache);
++  grub_memset (hnd->ctx2_cache, 0, hnd->md->contextsize);
++  grub_free (hnd->ctx2_cache);
+   grub_memset (hnd, 0, sizeof (*hnd));
+   grub_free (hnd);
+-
+-  return GPG_ERR_NO_ERROR;
+ }
+ 
+ gcry_err_code_t
+@@ -425,7 +465,8 @@ grub_crypto_hmac_buffer (const struct gc
+     return GPG_ERR_OUT_OF_MEMORY;
+ 
+   grub_crypto_hmac_write (hnd, data, datalen);
+-  return grub_crypto_hmac_fini (hnd, out);
++  grub_crypto_hmac_fini (hnd, out);
++  return GPG_ERR_NO_ERROR;
+ }
+ 
+ 
+Index: grub-2.12/include/grub/crypto.h
+===================================================================
+--- grub-2.12.orig/include/grub/crypto.h
++++ grub-2.12/include/grub/crypto.h
+@@ -358,8 +358,14 @@ void
+ grub_crypto_hmac_write (struct grub_crypto_hmac_handle *hnd,
+ 			const void *data,
+ 			grub_size_t datalen);
+-gcry_err_code_t
++void
+ grub_crypto_hmac_fini (struct grub_crypto_hmac_handle *hnd, void *out);
++void
++grub_crypto_hmac_reset (struct grub_crypto_hmac_handle *hnd);
++void
++grub_crypto_hmac_final (struct grub_crypto_hmac_handle *hnd, void *out);
++void
++grub_crypto_hmac_free (struct grub_crypto_hmac_handle *hnd);
+ 
+ gcry_err_code_t
+ grub_crypto_hmac_buffer (const struct gcry_md_spec *md,

0001-tcp-Fix-TCP-port-number-reused-on-reboot.patch

@@ -0,0 +1,116 @@
+From 468a37601083ef3352ff6e5d4f40ec8b1cebc4ef Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Tue, 8 Jul 2025 11:57:42 +0800
+Subject: [PATCH] tcp: Fix TCP port number reused on reboot
+
+GRUB's TCP stack assigns source ports for outgoing connections starting
+at 21550 and increments sequentially by 1 (e.g., 21550, 21551, ...).
+While this generally works, it can lead to failures if the system
+reboots rapidly and reuses the same source port too soon.
+
+This issue was observed on powerpc-ieee1275 platforms using CAS (Client
+Architecture Support) reboot. In such cases, loading the initrd over
+HTTP may fail with connection timeouts. Packet captures show the failed
+connections are flagged as "TCP Port Number Reused" by Wireshark.
+
+The root cause is that GRUB reuses the same port shortly after reboot,
+while the server may still be tracking the previous connection in
+TIME_WAIT. This can result in the server rejecting the connection
+attempt or responding with a stale ACK or RST, leading to handshake
+failure.
+
+This patch fixes the issue by introducing a time based source port
+selection strategy. Instead of always starting from port 21550, GRUB now
+computes an initial base port based on the current RTC time, divided
+into 5 minute windows. The purpose of this time based strategy is to
+ensure that GRUB avoids reusing the same source port within a 5 minute
+window, thereby preventing collisions with stale server side connection
+tracking that could interfere with a new TCP handshake.
+
+A step size of 8 ensures that the same port will not be reused across
+reboots unless GRUB opens more than 8 TCP connections per second on
+average, something that is highly unlikely. In typical usage, a GRUB
+boot cycle lasts about 15 seconds and may open fewer than 100
+connections total, well below the reuse threshold. This makes the
+approach robust against short reboot intervals while keeping the logic
+simple and deterministic.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
+---
+ grub-core/net/tcp.c | 39 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/tcp.c b/grub-core/net/tcp.c
+index 93dee0caa..d0cc602dc 100644
+--- a/grub-core/net/tcp.c
++++ b/grub-core/net/tcp.c
+@@ -22,6 +22,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/time.h>
+ #include <grub/priority_queue.h>
++#include <grub/datetime.h>
+ 
+ #define TCP_SYN_RETRANSMISSION_TIMEOUT GRUB_NET_INTERVAL
+ #define TCP_SYN_RETRANSMISSION_COUNT GRUB_NET_TRIES
+@@ -552,6 +553,36 @@ grub_net_tcp_accept (grub_net_tcp_socket_t sock,
+   return GRUB_ERR_NONE;
+ }
+ 
++/*
++ * Derive a time-based source port to avoid reusing the same port across
++ * reboots. This helps prevent failures caused by server side TCP state (e.g.
++ * TIME_WAIT) from interfering with new connections using the same socket.
++ *
++ * The base port starts at 21550 and increments every second by 8 across a 5
++ * minute window (300 seconds), giving 2400 possible distinct base ports per
++ * window. In typical GRUB usage, the number of connections per boot is small,
++ * so reuse is effectively avoided.
++ */
++static grub_uint16_t
++get_initial_base_port (void)
++{
++  grub_err_t err;
++  struct grub_datetime date;
++  grub_int64_t t = 0;
++  grub_uint64_t r = 0;
++
++  err = grub_get_datetime (&date);
++  if (err != GRUB_ERR_NONE || !grub_datetime2unixtime (&date, &t))
++    {
++      grub_errno = GRUB_ERR_NONE;
++      return 21550;
++    }
++
++  grub_divmod64 (t, 300, &r);
++
++  return 21550 + (r << 3);
++}
++
+ grub_net_tcp_socket_t
+ grub_net_tcp_open (char *server,
+ 		   grub_uint16_t out_port,
+@@ -569,13 +600,19 @@ grub_net_tcp_open (char *server,
+   struct grub_net_network_level_interface *inf;
+   grub_net_network_level_address_t gateway;
+   grub_net_tcp_socket_t socket;
+-  static grub_uint16_t in_port = 21550;
++  static grub_uint16_t in_port;
+   struct grub_net_buff *nb;
+   struct tcphdr *tcph;
+   int i;
+   grub_uint8_t *nbd;
+   grub_net_link_level_address_t ll_target_addr;
+ 
++  if (!in_port)
++    {
++      in_port = get_initial_base_port ();
++      grub_dprintf ("net", "base port: %d\n", in_port);
++    }
++
+   err = grub_net_resolve_address (server, &addr);
+   if (err)
+     return NULL;
+-- 
+2.50.1
+

0001-term-ns8250-spcr-Return-if-redirection-is-disabled.patch

@@ -0,0 +1,38 @@
+From f0a08324d0f923527ba611887a3780c1f2cb1578 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Tue, 21 Jan 2025 11:01:26 -0600
+Subject: [PATCH] term/ns8250-spcr: Return if redirection is disabled
+
+The Microsoft spec for SPCR says "The base address of the Serial Port
+register set described using the ACPI Generic Address Structure, or
+0 if console redirection is disabled". So, return early if redirection
+is disabled (base address = 0). If this check is not done we may get
+invalid ports on machines with redirection disabled and boot may hang
+when reading the grub.cfg file.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Reviewed-by: Leo Sandoval <lsandova@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/term/ns8250-spcr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/term/ns8250-spcr.c b/grub-core/term/ns8250-spcr.c
+index 4efaaf768..428b2d59a 100644
+--- a/grub-core/term/ns8250-spcr.c
++++ b/grub-core/term/ns8250-spcr.c
+@@ -76,6 +76,11 @@ grub_ns8250_spcr_init (void)
+         config.speed = 115200;
+         break;
+     };
++
++  /* If base address is 0 it means redirection is disabled. */
++  if (spcr->base_addr.addr == 0)
++    return NULL;
++
+   switch (spcr->base_addr.space_id)
+     {
+       case GRUB_ACPI_GENADDR_MEM_SPACE:
+-- 
+2.51.0
+

0001-test-Fix-f-test-on-files-over-network.patch

@@ -0,0 +1,67 @@
+From 0a8f0e75151067a8b7c09a6ffdfa9558aa040d3b Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 14 Jul 2025 17:59:20 +0800
+Subject: [PATCH 1/4] test: Fix -f test on files over network
+
+The "test -f ..." aka "if [ -f ... ]; " does not work for files over
+network in both TFTP and HTTP and always evaluates to false.
+
+It is caused by network protocols like TFTP and HTTP are designed for
+transferring files and not a file system over network. In that way they
+do not have a way to list files in a directory and test their properties
+individually. The current logic in grub assumes that directory and file
+listing must be implemented, which applies to local file systems but not
+to file reading over the network. This logic should be adjusted to test
+network files.
+
+This patch updates the logic to detect when the underlying device is a
+network device. If so, it attempts to test the file using
+grub_file_open. If the file opens successfully, the ctx->file_exists
+flag is set accordingly to true. Other properties that cannot be
+determined over the network, such as whether the file is a directory or
+whether the modification time is set, are conservatively set to false.
+
+This means that -d cannot reliably detect directories on network
+devices, and -e may not work as expected if the target is a directory.
+In addition, comparisons such as -nt and -ot will not function
+correctly, since file timestamps are not available. Despite these
+limitations, this patch ensures that the -f test behaves correctly in
+the most common case: checking whether a "file" exists on a network
+device.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/commands/test.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/grub-core/commands/test.c b/grub-core/commands/test.c
+index 62d3fb398..541f36daf 100644
+--- a/grub-core/commands/test.c
++++ b/grub-core/commands/test.c
+@@ -91,6 +91,23 @@ get_fileinfo (char *path, struct test_parse_ctx *ctx)
+       return;
+     }
+ 
++  if (! dev->disk && dev->net)
++    {
++      grub_file_t file;
++
++      file = grub_file_open (path , GRUB_FILE_TYPE_GET_SIZE
++			     | GRUB_FILE_TYPE_NO_DECOMPRESS);
++      ctx->file_exists = file ? 1 : 0;
++      ctx->file_info.dir = 0;
++      ctx->file_info.mtimeset = 0;
++      grub_errno = GRUB_ERR_NONE;
++      if (file)
++	grub_file_close (file);
++      grub_free (device_name);
++      grub_device_close (dev);
++      return;
++    }
++
+   fs = grub_fs_probe (dev);
+   if (! fs)
+     {
+-- 
+2.50.0
+

0002-http-Return-HTTP-status-code-in-http_establish.patch

@@ -0,0 +1,65 @@
+From 6704d7715b6303f4b7e2cb9da7c6dcc3bfdd5726 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 14 Jul 2025 22:10:18 +0800
+Subject: [PATCH 2/4] http: Return HTTP status code in http_establish
+
+Previously, using "test -s ..." or "test -f ..." on files served via
+HTTP would always return true, regardless of whether the target file
+actually existed. This is incorrect behavior, whereas the same tests
+work as expected with TFTP.
+
+The issue stems from http_establish returning success (GRUB_ERR_NONE) as
+long as the HTTP connection was established, without considering the
+HTTP status code returned in the response. As a result, http_open would
+always report success, discarding error responses such as 404 Not Found.
+
+The patch makes http_establish to return the HTTP status code as its
+return value when an error or unknown status code is encountered. It
+also sets data->first_line_recv = 1 in the parse_line()'s error code
+path to correctly reflect the parsing state and prevent reprocessing.
+
+With this change, both -s and -f tests now behave correctly when used
+with the HTTP protocol, as http_establish returns error for failed HTTP
+status codes as well. As a result, http_open is no longer considered
+successful solely based on establishing the connection, it now also
+takes the HTTP status code into account.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/net/http.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 686949c17..c5509dc45 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -125,6 +125,7 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ 	case 404:
+ 	  data->err = GRUB_ERR_FILE_NOT_FOUND;
+ 	  data->errmsg = grub_xasprintf (_("file `%s' not found"), data->filename);
++	  data->first_line_recv = 1;
+ 	  return GRUB_ERR_NONE;
+ 	default:
+ 	  data->err = GRUB_ERR_NET_UNKNOWN_ERROR;
+@@ -132,6 +133,7 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ 	     valid answers like 403 will trigger this very generic message.  */
+ 	  data->errmsg = grub_xasprintf (_("unsupported HTTP error %d: %s"),
+ 					 code, ptr);
++	  data->first_line_recv = 1;
+ 	  return GRUB_ERR_NONE;
+ 	}
+       data->first_line_recv = 1;
+@@ -444,6 +446,10 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
+ 	}
+       return grub_error (GRUB_ERR_TIMEOUT, N_("time out opening `%s'"), data->filename);
+     }
++
++  if (data->err)
++    return grub_error (data->err, N_("%s"), data->errmsg);
++
+   return GRUB_ERR_NONE;
+ }
+ 
+-- 
+2.50.0
+

0002-lib-pbkdf2-Optimize-PBKDF2-by-reusing-HMAC-handle.patch

@@ -0,0 +1,91 @@
+From 7126da87f17ff41334b9fa6969ad032ff9940979 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 13 Aug 2025 09:57:04 +0800
+Subject: [PATCH 2/2] lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle
+
+The previous PBKDF2 implementation used grub_crypto_hmac_buffer(), which
+allocates and frees an HMAC handle on every call. This approach caused
+significant performance overhead, slowing down the boot process
+considerably.
+
+This commit refactors the PBKDF2 code to use the new HMAC functions,
+allowing the HMAC handle and its buffers to be allocated once and reused
+across multiple operations. This change significantly reduces disk
+unlocking time.
+
+In a QEMU/OVMF test environment, this patch reduced the time to unlock a
+LUKS2(*) partition from approximately 15 seconds to 4 seconds.
+
+(*) PBKDF2 SHA256 with 3454944 iterations
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/pbkdf2.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/lib/pbkdf2.c b/grub-core/lib/pbkdf2.c
+index 28aa96c46..410eff580 100644
+--- a/grub-core/lib/pbkdf2.c
++++ b/grub-core/lib/pbkdf2.c
+@@ -39,6 +39,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+ 		    unsigned int c,
+ 		    grub_uint8_t *DK, grub_size_t dkLen)
+ {
++  struct grub_crypto_hmac_handle *hnd = NULL;
+   unsigned int hLen = md->mdlen;
+   grub_uint8_t U[GRUB_CRYPTO_MAX_MDLEN];
+   grub_uint8_t T[GRUB_CRYPTO_MAX_MDLEN];
+@@ -47,7 +48,6 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+   unsigned int r;
+   unsigned int i;
+   unsigned int k;
+-  gcry_err_code_t rc;
+   grub_uint8_t *tmp;
+   grub_size_t tmplen = Slen + 4;
+ 
+@@ -72,6 +72,13 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+ 
+   grub_memcpy (tmp, S, Slen);
+ 
++  hnd = grub_crypto_hmac_init (md, P, Plen);
++  if (hnd == NULL)
++    {
++      grub_free (tmp);
++      return GPG_ERR_OUT_OF_MEMORY;
++    }
++
+   for (i = 1; i - 1 < l; i++)
+     {
+       grub_memset (T, 0, hLen);
+@@ -85,16 +92,13 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+ 	      tmp[Slen + 2] = (i & 0x0000ff00) >> 8;
+ 	      tmp[Slen + 3] = (i & 0x000000ff) >> 0;
+ 
+-	      rc = grub_crypto_hmac_buffer (md, P, Plen, tmp, tmplen, U);
++	      grub_crypto_hmac_write (hnd, tmp, tmplen);
+ 	    }
+ 	  else
+-	    rc = grub_crypto_hmac_buffer (md, P, Plen, U, hLen, U);
++	    grub_crypto_hmac_write (hnd, U, hLen);
+ 
+-	  if (rc != GPG_ERR_NO_ERROR)
+-	    {
+-	      grub_free (tmp);
+-	      return rc;
+-	    }
++	  grub_crypto_hmac_final (hnd, U);
++	  grub_crypto_hmac_reset (hnd);
+ 
+ 	  for (k = 0; k < hLen; k++)
+ 	    T[k] ^= U[k];
+@@ -103,6 +107,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+       grub_memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen);
+     }
+ 
++  grub_crypto_hmac_free (hnd);
+   grub_free (tmp);
+ 
+   return GPG_ERR_NO_ERROR;
+-- 
+2.51.0
+

0002-net-net-Unregister-net_set_vlan-command-on-unload.patch

@@ -0,0 +1,35 @@
+From c9af7dfdd068beb1f47b1837bcc143118a87fbb1 Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Fri, 9 May 2025 14:20:47 +0200
+Subject: [PATCH 2/7] net/net: Unregister net_set_vlan command on unload
+
+The commit 954c48b9c (net/net: Add net_set_vlan command) added command
+net_set_vlan to the net module. Unfortunately the commit only added the
+grub_register_command() call on module load but missed the
+grub_unregister_command() on unload. Let's fix this.
+
+Fixes: CVE-2025-54770
+Fixes: 954c48b9c (net/net: Add net_set_vlan command)
+
+Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index df13c3aaa..7bd8f1bf7 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -2151,6 +2151,7 @@ GRUB_MOD_FINI(net)
+   grub_unregister_command (cmd_deladdr);
+   grub_unregister_command (cmd_addroute);
+   grub_unregister_command (cmd_delroute);
++  grub_unregister_command (cmd_setvlan);
+   grub_unregister_command (cmd_lsroutes);
+   grub_unregister_command (cmd_lscards);
+   grub_unregister_command (cmd_lsaddr);
+-- 
+2.51.1
+

0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch

@@ -0,0 +1,34 @@
+From a0bcce49bc285fb71c572963e662db3d88bcd563 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Wed, 16 Jul 2025 17:52:03 +0800
+Subject: [PATCH 3/4] docs: Clarify test for files on TFTP and HTTP
+
+---
+ docs/grub.texi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 9aaea7282..4b947e942 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5887,13 +5887,13 @@ the strings are not equal
+ @item @var{prefix}@var{integer1} @code{-plt} @var{prefix}@var{integer2}
+ @var{integer1} is less than @var{integer2} after stripping off common non-numeric @var{prefix}.
+ @item @var{file1} @code{-nt} @var{file2}
+-@var{file1} is newer than @var{file2} (modification time). Optionally numeric @var{bias} may be directly appended to @code{-nt} in which case it is added to the first file modification time.
++@var{file1} is newer than @var{file2} (modification time). Optionally numeric @var{bias} may be directly appended to @code{-nt} in which case it is added to the first file modification time. For @var{file} on TFTP or HTTP servers, this operation may not work as expected.
+ @item @var{file1} @code{-ot} @var{file2}
+-@var{file1} is older than @var{file2} (modification time). Optionally numeric @var{bias} may be directly appended to @code{-ot} in which case it is added to the first file modification time.
++@var{file1} is older than @var{file2} (modification time). Optionally numeric @var{bias} may be directly appended to @code{-ot} in which case it is added to the first file modification time. For @var{file} on TFTP or HTTP servers, this operation may not work as expected.
+ @item @code{-d} @var{file}
+-@var{file} exists and is a directory
++@var{file} exists and is a directory. For @var{file} on TFTP or HTTP servers, the test is unreliable because these protocols are designed for file transport, and GRUB’s netfs does not implement directory listing for them.
+ @item @code{-e} @var{file}
+-@var{file} exists
++@var{file} exists. For @var{file} on TFTP or HTTP servers, the result is the same as @code{-f} because these protocols are designed for file transport, and GRUB’s netfs lacks directory support to distinguish between files and directories.
+ @item @code{-f} @var{file}
+ @var{file} exists and is not a directory
+ @item @code{-s} @var{file}
+-- 
+2.50.0
+

0003-gettext-gettext-Unregister-gettext-command-on-module.patch

@@ -0,0 +1,66 @@
+From 04f3a7beebd029c10e80e9cbea5c1d8452b066ce Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:06 +0000
+Subject: [PATCH 3/7] gettext/gettext: Unregister gettext command on module
+ unload
+
+When the gettext module is loaded, the gettext command is registered but
+isn't unregistered when the module is unloaded. We need to add a call to
+grub_unregister_command() when unloading the module.
+
+Fixes: CVE-2025-61662
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/gettext/gettext.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 9ffc73428..edebed998 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -502,6 +502,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
++static grub_command_t cmd;
++
+ GRUB_MOD_INIT (gettext)
+ {
+   const char *lang;
+@@ -521,13 +523,14 @@ GRUB_MOD_INIT (gettext)
+   grub_register_variable_hook ("locale_dir", NULL, read_main);
+   grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+ 
+-  grub_register_command_p1 ("gettext", grub_cmd_translate,
+-			    N_("STRING"),
+-			    /* TRANSLATORS: It refers to passing the string through gettext.
+-			       So it's "translate" in the same meaning as in what you're
+-			       doing now.
+-			     */
+-			    N_("Translates the string with the current settings."));
++  cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
++				  N_("STRING"),
++				  /*
++				   * TRANSLATORS: It refers to passing the string through gettext.
++				   * So it's "translate" in the same meaning as in what you're
++				   * doing now.
++				   */
++				  N_("Translates the string with the current settings."));
+ 
+   /* Reload .mo file information if lang changes.  */
+   grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+@@ -544,6 +547,8 @@ GRUB_MOD_FINI (gettext)
+   grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+   grub_register_variable_hook ("lang", NULL, NULL);
+ 
++  grub_unregister_command (cmd);
++
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 
+-- 
+2.51.1
+

0004-normal-main-Unregister-commands-on-module-unload.patch

@@ -0,0 +1,58 @@
+From 41330d7fafe122d79d7a9ec28884c0771eb4fdf3 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:07 +0000
+Subject: [PATCH 4/7] normal/main: Unregister commands on module unload
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/normal/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 398169299..b77d55eb3 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -639,7 +639,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
+-static grub_command_t cmd_clear;
++static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+ 
+ static void (*grub_xputs_saved) (const char *str);
+ static const char *features[] = {
+@@ -682,10 +682,10 @@ GRUB_MOD_INIT(normal)
+   grub_env_export ("pager");
+ 
+   /* Register a command "normal" for the rescue mode.  */
+-  grub_register_command ("normal", grub_cmd_normal,
+-			 0, N_("Enter normal mode."));
+-  grub_register_command ("normal_exit", grub_cmd_normal_exit,
+-			 0, N_("Exit from normal mode."));
++  cmd_normal = grub_register_command ("normal", grub_cmd_normal,
++				      0, N_("Enter normal mode."));
++  cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
++					   0, N_("Exit from normal mode."));
+ 
+   /* Reload terminal colors when these variables are written to.  */
+   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+@@ -727,4 +727,6 @@ GRUB_MOD_FINI(normal)
+   grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
++  grub_unregister_command (cmd_normal);
++  grub_unregister_command (cmd_normal_exit);
+ }
+-- 
+2.51.1
+

0004-tftp-Fix-hang-when-file-is-a-directory.patch

@@ -0,0 +1,59 @@
+From 9f8f5e0d45165b99d0f3ce9bf37382738e0bddb7 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Thu, 17 Jul 2025 13:29:48 +0800
+Subject: [PATCH 4/4] tftp: Fix hang when file is a directory
+
+We observed an issue when accessing a remote directory via TFTP: GRUB
+hangs indefinitely instead of returning an error immediately.
+
+The packet capture [1] shows that the server doesn't send an error
+packet right after the RRQ. Instead, it first replies with an OACK
+indicating tsize=22, as if the target were a regular file. After GRUB
+sends its ACK, the server then sends an error "Is a directory". GRUB
+ignores this delayed error and hangs while waiting for data that never
+arrives.
+
+This happens because GRUB currently assumes any error must follow the
+RRQ immediately, before data transfer begins. Once it receives an OACK,
+it switches to expecting data packets and neglects any error that
+arrives afterward.
+
+To work around this, we detect an error on block 0 immediately after
+OACK, set the eof and stall flags to break out of the receive loop, and
+close the socket (so that tftp_close() won't send another error). GRUB
+will then report the error and exit properly.
+
+[1]
+Source          Destination     Info
+192.168.100.122	192.168.100.2	Read Request, File: /grub/i386-pc, Transfer type: octet, blksize=1024, tsize=0
+192.168.100.2	192.168.100.122	Option Acknowledgement, blksize=1024, tsize=22
+192.168.100.122	192.168.100.2	Acknowledgement, Block: 0
+192.168.100.2	192.168.100.122	Error Code, Code: Not defined, Message: Is a directory
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/net/tftp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 409b1d09b..93452fe3b 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -250,6 +250,14 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+       grub_netbuff_free (nb);
+       return GRUB_ERR_NONE;
+     case TFTP_ERROR:
++      if (data->have_oack == 1 && data->block == 0)
++	{
++	  file->device->net->eof = 1;
++	  file->device->net->stall = 1;
++	  /* Do not send closed error code back to server in tftp_close() */
++	  grub_net_udp_close (data->sock);
++	  data->sock = NULL;
++	}
+       data->have_oack = 1;
+       grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg);
+       grub_error_save (&data->save_err);
+-- 
+2.50.0
+

0005-tests-lib-functional_test-Unregister-commands-on-mod.patch

@@ -0,0 +1,47 @@
+From 0289adccc2127a1179fea9da0c787fab04a831f7 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:08 +0000
+Subject: [PATCH 5/7] tests/lib/functional_test: Unregister commands on module
+ unload
+
+When the functional_test module is loaded, both the functional_test and
+all_functional_test commands are registered but only the all_functional_test
+command is being unregistered since it was the last to set the cmd variable
+that gets unregistered when the module is unloaded. To unregister both
+commands, we need to create an additional grub_extcmd_t variable.
+
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/tests/lib/functional_test.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
+index 403fa5c78..31b6b5dab 100644
+--- a/grub-core/tests/lib/functional_test.c
++++ b/grub-core/tests/lib/functional_test.c
+@@ -90,17 +90,18 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+   return GRUB_ERR_NONE;
+ }
+ 
+-static grub_extcmd_t cmd;
++static grub_extcmd_t cmd, cmd_all;
+ 
+ GRUB_MOD_INIT (functional_test)
+ {
+   cmd = grub_register_extcmd ("functional_test", grub_functional_test, 0, 0,
+ 			      "Run all loaded functional tests.", 0);
+-  cmd = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
+-			      "Run all functional tests.", 0);
++  cmd_all = grub_register_extcmd ("all_functional_test", grub_functional_all_tests, 0, 0,
++				  "Run all functional tests.", 0);
+ }
+ 
+ GRUB_MOD_FINI (functional_test)
+ {
+   grub_unregister_extcmd (cmd);
++  grub_unregister_extcmd (cmd_all);
+ }
+-- 
+2.51.1
+

0006-commands-usbtest-Use-correct-string-length-field.patch

@@ -0,0 +1,34 @@
+From 8dd7026738fb445abd811bb6bd98ff297676329e Mon Sep 17 00:00:00 2001
+From: Jamie <volticks@gmail.com>
+Date: Mon, 14 Jul 2025 09:52:59 +0100
+Subject: [PATCH 6/7] commands/usbtest: Use correct string length field
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+
+Reported-by: Jamie <volticks@gmail.com>
+Signed-off-by: Jamie <volticks@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 2c6d93fe6..8ef187a9a 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+       return GRUB_USB_ERR_NONE;
+     }
+ 
+-  *string = grub_malloc (descstr.length * 2 + 1);
++  *string = grub_malloc (descstrp->length * 2 + 1);
+   if (! *string)
+     {
+       grub_free (descstrp);
+-- 
+2.51.1
+

0007-commands-usbtest-Ensure-string-length-is-sufficient-.patch

@@ -0,0 +1,32 @@
+From 5b375fcf38550c59f869dca8356ce71c92c8cf6a Mon Sep 17 00:00:00 2001
+From: Jamie <volticks@gmail.com>
+Date: Mon, 14 Jul 2025 10:07:47 +0100
+Subject: [PATCH 7/7] commands/usbtest: Ensure string length is sufficient in
+ usb string processing
+
+If descstrp->length is less than 2 this will result in underflow in
+"descstrp->length / 2 - 1" math. Let's fix the check to make sure the
+value is sufficient.
+
+Signed-off-by: Jamie <volticks@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 8ef187a9a..3184ac9af 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -90,7 +90,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+ 			      0x06, (3 << 8) | index,
+ 			      langid, descstr.length, (char *) descstrp);
+ 
+-  if (descstrp->length == 0)
++  if (descstrp->length < 2)
+     {
+       grub_free (descstrp);
+       *string = grub_strdup ("");
+-- 
+2.51.1
+

grub2-blsbumpcounter-menu.patch

@@ -0,0 +1,88 @@
+Call the command bls_bumpcounter when an entry is executed. Adding the
+bls_bumpcounter command in the list of commands generated by blscfg breaks FDE,
+as each command is logged in the PCR. Do not unset `enable_blscfg` grub env var,
+otherwise bls_bumpcounter would not be called.
+
+Index: grub-2.12/grub-core/commands/blscfg.c
+===================================================================
+--- grub-2.12.orig/grub-core/commands/blscfg.c
++++ grub-2.12/grub-core/commands/blscfg.c
+@@ -1049,19 +1049,6 @@ static void create_entry (struct bls_ent
+       grub_free(prefix);
+     }
+ 
+-  /* "bls_bumpcounter " + id + "\n" */
+-  int bumpcounter_size = sizeof("bls_bumpcounter ") + grub_strlen(id) + 1;
+-  bumpcounter = grub_malloc(bumpcounter_size);
+-  if (!bumpcounter)
+-  {
+-    grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
+-    goto finish;
+-  }
+-  char *tmp = bumpcounter;
+-  tmp = grub_stpcpy(tmp, "bls_bumpcounter ");
+-  tmp = grub_stpcpy(tmp, id);
+-  tmp = grub_stpcpy(tmp, "\n");
+-
+   grub_dprintf ("blscfg2", "devicetree %s for id:\"%s\"\n", dt, id);
+ 
+   const char *sdval = grub_env_get("save_default");
+@@ -1074,7 +1061,7 @@ static void create_entry (struct bls_ent
+ 			"insmod gzio\n"
+ 			"linux %s%s%s%s\n"
+ #endif
+-			"%s%s%s",
++			"%s%s",
+ 			savedefault ? "savedefault\n" : "",
+ #ifdef GRUB_MACHINE_EMU
+ 			separate_boot ? GRUB_BOOT_DEVICE : "",
+@@ -1082,8 +1069,7 @@ static void create_entry (struct bls_ent
+ 			bootdev,
+ #endif
+ 			clinux, options ? " " : "", options ? options : "",
+-			bumpcounter ? bumpcounter : "", initrd ? initrd : "",
+-			dt ? dt : "");
++			initrd ? initrd : "", dt ? dt : "");
+ 
+   grub_normal_add_menu_entry (argc, argv, classes, id, users, hotkey, NULL, src, 0, 0, &index, entry);
+   grub_dprintf ("blscfg", "Added entry %d id:\"%s\"\n", index, id);
+Index: grub-2.12/grub-core/normal/menu.c
+===================================================================
+--- grub-2.12.orig/grub-core/normal/menu.c
++++ grub-2.12/grub-core/normal/menu.c
+@@ -331,6 +331,23 @@ grub_menu_execute_entry(grub_menu_entry_
+     grub_env_set ("default", ptr + 1);
+   else
+     grub_env_unset ("default");
++
++#ifdef GRUB_MACHINE_EFI
++  const char* val = grub_env_get ("enable_blscfg");
++  if (val && (val[0] == '1' || val[0] == 'y') && entry->bls != NULL)
++    {
++      char* id = grub_strdup (entry->bls->filename);
++      if (id == NULL)
++        {
++          grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
++        } else {
++          char* args[] = { id };
++          grub_command_execute ("bls_bumpcounter", 1, args);
++        }
++    }
++  grub_env_unset ("enable_blscfg");
++#endif
++
+ #ifdef GRUB_MACHINE_IEEE1275
+   char *cas_entry_id = NULL;
+   char *cas_entry_source;
+Index: grub-2.12/grub-core/normal/main.c
+===================================================================
+--- grub-2.12.orig/grub-core/normal/main.c
++++ grub-2.12/grub-core/normal/main.c
+@@ -356,7 +356,6 @@ grub_normal_execute (const char *config,
+       /* Ignore any error.  */
+       grub_errno = GRUB_ERR_NONE;
+       /* unset to let configfile and source commands continue to work */
+-      grub_env_unset ("enable_blscfg");
+       goto check_batch;
+     }
+ #endif

grub2-constant-time-grub_crypto_memcmp.patch

@@ -0,0 +1,59 @@
+From be4670936bc86a14f20a8c9c40d34c45aad0d0b2 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 25 Jul 2025 13:50:23 +0800
+Subject: [PATCH] Constant-time grub_crypto_memcmp()
+
+Use the constant-time algorithm to compare the given memory blocks.
+The code is extracted from the upstream commit:
+0739d24cd1648531d0708d1079ff6bbfa6140268
+
+Fix: bsc#1234959
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/crypto.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
+index 396f764..19db787 100644
+--- a/grub-core/lib/crypto.c
++++ b/grub-core/lib/crypto.c
+@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in)
+   return GRUB_ACCESS_DENIED;
+ }
+ 
++/*
++ * Compare byte arrays of length LEN, return 1 if it's not same,
++ * 0, otherwise.
++ */
+ int
+-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
++grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len)
+ {
+-  register grub_size_t counter = 0;
+-  const grub_uint8_t *pa, *pb;
++  const grub_uint8_t *a = b1;
++  const grub_uint8_t *b = b2;
++  int ab, ba;
++  grub_size_t i;
+ 
+-  for (pa = a, pb = b; n; pa++, pb++, n--)
++  /* Constant-time compare. */
++  for (i = 0, ab = 0, ba = 0; i < len; i++)
+     {
+-      if (*pa != *pb)
+-	counter++;
++      /* If a[i] != b[i], either ab or ba will be negative. */
++      ab |= a[i] - b[i];
++      ba |= b[i] - a[i];
+     }
+ 
+-  return !!counter;
++  /* 'ab | ba' is negative when buffers are not equal, extract sign bit.  */
++  return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;
+ }
+ 
+ #ifndef GRUB_UTIL
+-- 
+2.43.0
+

grub2-grubenv-in-btrfs-header.patch

@@ -475,27 +475,33 @@ v4:
  EOF
  if [ "x$GRUB_BUTTON_CMOS_ADDRESS" != "x" ]; then
      cat <<EOF
-@@ -55,6 +62,9 @@
+@@ -54,7 +61,11 @@
+ elif [ "\${next_entry}" ] ; then
     set default="\${next_entry}"
     set next_entry=
-    save_env next_entry
+-   save_env next_entry
 +   if [ "\${env_block}" ] ; then
 +     save_env -f "\${env_block}" next_entry
++   else
++     save_env next_entry
 +   fi
     set boot_once=true
  else
     set default="${GRUB_DEFAULT}"
-@@ -66,6 +76,9 @@
+@@ -65,7 +76,11 @@
+ if [ "\${next_entry}" ] ; then
     set default="\${next_entry}"
     set next_entry=
-    save_env next_entry
+-   save_env next_entry
 +   if [ "\${env_block}" ] ; then
 +     save_env -f "\${env_block}" next_entry
++   else
++     save_env next_entry
 +   fi
     set boot_once=true
  else
     set default="${GRUB_DEFAULT}"
-@@ -93,7 +106,12 @@
+@@ -93,7 +108,12 @@
  function savedefault {
    if [ -z "\${boot_once}" ]; then
      saved_entry="\${chosen}"

grub2-i386-pc-no-pageflipping.patch

@@ -0,0 +1,20 @@
+In x86 Legacy BIOS mode, on some Lenovo machines, the grub menu is not
+visible, although it demonstrably has been drawn (bsc#1245636).
+
+A workaround to avoid this is to not use page flipping mode.
+
+This patch enforces that no page flipping is used in the VBE framebuffer
+backend for i386-pc.
+
+--- a/grub-core/video/i386/pc/vbe.c
++++ b/grub-core/video/i386/pc/vbe.c
+@@ -1137,7 +1137,8 @@ grub_video_vbe_setup (unsigned int width, unsigned int height,
+ 
+ 	page_size = framebuffer.mode_info.pitch * framebuffer.mode_info.height;
+ 
+-	if (vram_size >= 2 * page_size)
++	/* avoid page flipping mode (bsc#1245636) */
++	if (0 && vram_size >= 2 * page_size)
+ 	  err = grub_video_fb_setup (mode_type, mode_mask,
+ 				     &framebuffer.mode_info,
+ 				     framebuffer.ptr,

grub2.changes

@@ -1,3 +1,100 @@
+-------------------------------------------------------------------
+Tue Jan 20 02:25:34 UTC 2026 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Optimize PBKDF2 to reduce the decryption time (bsc#1248516)
+  * 0001-lib-crypto-Introduce-new-HMAC-functions-to-reuse-buf.patch
+  * 0002-lib-pbkdf2-Optimize-PBKDF2-by-reusing-HMAC-handle.patch
+  * 0001-kern-misc-Implement-faster-grub_memcpy-for-aligned-b.patch
+
+-------------------------------------------------------------------
+Wed Nov 12 08:24:35 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Fix CVE-2025-54771 (bsc#1252931)
+  * 0001-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
+- Fix CVE-2025-54770 (bsc#1252930)
+  * 0002-net-net-Unregister-net_set_vlan-command-on-unload.patch
+- Fix CVE-2025-61662 (bsc#1252933)
+  * 0003-gettext-gettext-Unregister-gettext-command-on-module.patch
+- Fix CVE-2025-61663 (bsc#1252934)
+- Fix CVE-2025-61664 (bsc#1252935)
+  * 0004-normal-main-Unregister-commands-on-module-unload.patch
+  * 0005-tests-lib-functional_test-Unregister-commands-on-mod.patch
+- Fix CVE-2025-61661 (bsc#1252932)
+  * 0006-commands-usbtest-Use-correct-string-length-field.patch
+  * 0007-commands-usbtest-Ensure-string-length-is-sufficient-.patch
+- Bump upstream SBAT generation to 6
+
+-------------------------------------------------------------------
+Mon Oct 13 09:45:07 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Fix "sparse file not allowed" error after grub2-reboot (bsc#1245738)
+  * grub2-grubenv-in-btrfs-header.patch
+
+-------------------------------------------------------------------
+Mon Oct 13 09:36:02 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385)
+  * 0001-ieee1275-Use-net-config-for-boot-location-instead-of.patch
+
+-------------------------------------------------------------------
+Tue Sep 23 08:47:49 UTC 2025 - Steffen Winterfeldt <snwint@suse.com>
+
+- turn off page flipping for i386-pc using VBE video backend (bsc#1245636)
+  * grub2-i386-pc-no-pageflipping.patch
+
+-------------------------------------------------------------------
+Mon Sep 22 07:15:00 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Fix boot hangs in setting up serial console when ACPI SPCR table is present
+  and redirection is disabled (bsc#1249088)
+  * 0001-term-ns8250-spcr-Return-if-redirection-is-disabled.patch
+
+-------------------------------------------------------------------
+Thu Aug  7 06:19:53 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Fix timeout when loading initrd via http after PPC CAS reboot (bsc#1245953)
+  * 0001-tcp-Fix-TCP-port-number-reused-on-reboot.patch
+
+-------------------------------------------------------------------
+Mon Aug  4 06:44:01 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Skip mount point in grub_find_device function (bsc#1246231)
+  * 0001-getroot-Skip-mount-points-in-grub_find_device.patch
+
+-------------------------------------------------------------------
+Fri Jul 25 05:56:26 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Fix CVE-2024-56738: side-channel attack due to not constant-time
+  algorithm in grub_crypto_memcmp (bsc#1234959)
+  * grub2-constant-time-grub_crypto_memcmp.patch
+
+-------------------------------------------------------------------
+Wed Jul 16 11:19:21 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Fix test -f and -s do not work properly over the network files served via
+  tftp and http (bsc#1246157) (bsc#1246237)
+  * 0001-test-Fix-f-test-on-files-over-network.patch
+  * 0002-http-Return-HTTP-status-code-in-http_establish.patch
+  * 0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch
+  * 0004-tftp-Fix-hang-when-file-is-a-directory.patch
+
+-------------------------------------------------------------------
+Fri Jul 11 05:34:39 UTC 2025 - Michael Chang <mchang@suse.com>
+
+- Enable loongarch64 build (bsc#1234248)
+
+-------------------------------------------------------------------
+Tue Jul  8 07:14:12 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Backport upstream disk password retry (bsc#1245545)
+  * 0001-disk-cryptodisk-Allow-user-to-retry-failed-passphras.patch
+
+-------------------------------------------------------------------
+Fri Jun  6 09:46:55 UTC 2025 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix bls_bumpcounter breaking FDE (bsc#1243842)
+  * grub2-blsbumpcounter-menu.patch
+
 -------------------------------------------------------------------
 Thu May 29 04:06:14 UTC 2025 - Michael Chang <mchang@suse.com>
 
@@ -141,7 +238,7 @@ Mon Mar 17 08:27:29 UTC 2025 - Michael Chang <mchang@suse.com>
 Thu Mar 13 06:50:37 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
 
 - Update the patch to fix "SRK not matched" errors when unsealing
-  the key (bsc#1232411)
+  the key (bsc#1232411) (bsc#1247242)
   * 0001-tpm2-Add-extra-RSA-SRK-types.patch
 
 -------------------------------------------------------------------

grub2.spec

@@ -22,7 +22,7 @@
 %if %{defined sbat_distro}
 # SBAT metadata
 %define sbat_generation 1
-%define sbat_generation_grub 5
+%define sbat_generation_grub 6
 %else
 %{error please define sbat_distro, sbat_distro_summary and sbat_distro_url}
 %endif
@@ -109,11 +109,17 @@ BuildRequires:  update-bootloader-rpm-macros
 %define only_efi 1
 %endif
 
+%ifarch loongarch64
+%define grubcpu loongarch64
+%define platform efi
+%define only_efi 1
+%endif
+
 %define grubarch %{grubcpu}-%{platform}
 
 # build efi bootloader on some platforms only:
 %if ! 0%{?efi:1}
-%global efi %{ix86} x86_64 ia64 aarch64 %{arm} riscv64
+%global efi %{ix86} x86_64 ia64 aarch64 %{arm} riscv64 loongarch64
 %endif
 
 %ifarch %{efi}
@@ -161,7 +167,7 @@ BuildRequires:  squashfs
 # For ALP and Tumbleweed
 %if 0%{?suse_version} >= 1600
 # Only include the macros for the architectures with the newer UEFI and TCG protocol
-%ifarch x86_64 aarch64 riscv64
+%ifarch x86_64 aarch64 riscv64 loongarch64
 BuildRequires:  fde-tpm-helper-rpm-macros
 %endif
 %endif
@@ -481,6 +487,28 @@ Patch309:       0001-Improve-TPM-key-protection-on-boot-interruptions.patch
 Patch310:       0004-Key-revocation-on-out-of-bound-file-access.patch
 Patch311:       grub2-bls-loader-entry-oneshot.patch
 Patch312:       0001-mkconfig-Determine-GRUB_DISTRIBUTOR-from-etc-SUSE-br.patch
+Patch313:       grub2-blsbumpcounter-menu.patch
+Patch314:       0001-disk-cryptodisk-Allow-user-to-retry-failed-passphras.patch
+Patch315:       0001-test-Fix-f-test-on-files-over-network.patch
+Patch316:       0002-http-Return-HTTP-status-code-in-http_establish.patch
+Patch317:       0003-docs-Clarify-test-for-files-on-TFTP-and-HTTP.patch
+Patch318:       0004-tftp-Fix-hang-when-file-is-a-directory.patch
+Patch319:       grub2-constant-time-grub_crypto_memcmp.patch
+Patch320:       0001-getroot-Skip-mount-points-in-grub_find_device.patch
+Patch321:       0001-tcp-Fix-TCP-port-number-reused-on-reboot.patch
+Patch343:       0001-term-ns8250-spcr-Return-if-redirection-is-disabled.patch
+Patch344:       grub2-i386-pc-no-pageflipping.patch
+Patch345:       0001-ieee1275-Use-net-config-for-boot-location-instead-of.patch
+Patch346:       0001-kern-file-Call-grub_dl_unref-after-fs-fs_close.patch
+Patch347:       0002-net-net-Unregister-net_set_vlan-command-on-unload.patch
+Patch348:       0003-gettext-gettext-Unregister-gettext-command-on-module.patch
+Patch349:       0004-normal-main-Unregister-commands-on-module-unload.patch
+Patch350:       0005-tests-lib-functional_test-Unregister-commands-on-mod.patch
+Patch351:       0006-commands-usbtest-Use-correct-string-length-field.patch
+Patch352:       0007-commands-usbtest-Ensure-string-length-is-sufficient-.patch
+Patch353:       0001-lib-crypto-Introduce-new-HMAC-functions-to-reuse-buf.patch
+Patch354:       0002-lib-pbkdf2-Optimize-PBKDF2-by-reusing-HMAC-handle.patch
+Patch355:       0001-kern-misc-Implement-faster-grub_memcpy-for-aligned-b.patch
 
 %if 0%{?suse_version} < 1600
 Requires:       gettext-runtime
@@ -522,7 +550,7 @@ Requires:       grub2-%{grubarch} = %{version}-%{release}
 %if 0%{?only_x86_64:1}
 ExclusiveArch:  x86_64
 %else
-ExclusiveArch:  %{ix86} x86_64 ppc ppc64 ppc64le s390x aarch64 %{arm} riscv64
+ExclusiveArch:  %{ix86} x86_64 ppc ppc64 ppc64le s390x aarch64 %{arm} riscv64 loongarch64
 %endif
 
 %description