diff --git a/shim-install b/shim-install
index 445f561..85d412b 100644
--- a/shim-install
+++ b/shim-install
@@ -17,6 +17,7 @@ source_dir="${datadir}/efi/${arch}"
 efibootmgr="/usr/sbin/efibootmgr"
 grub_probe="/usr/sbin/grub2-probe"
 grub_mkrelpath="/usr/bin/grub2-mkrelpath"
+no_grub_install=no
 grub_install="/usr/sbin/grub2-install"
 grub_install_target=
 self="`basename $0`"
@@ -127,6 +128,7 @@ usage () {
     echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
     echo "--clean remove all installed files and configs."
     echo "--suse-enable-tpm install grub.efi with TPM support."
+    echo "--no-grub-install Do not run grub2-install."
     echo
     echo "INSTALL_DEVICE must be system device filename."
 }
@@ -206,6 +208,9 @@ do
     --clean)
 	clean=yes ;;
 
+    --no-grub-install)
+	no_grub_install=yes ;;
+
     -*)
 	echo "Unrecognized option \`$option'"  1>&2
 	usage
@@ -352,6 +357,39 @@ if test "$update_boot" = "yes"; then
 fi
 
 
+prepare_cryptodisk () {
+  uuid="$1"
+
+  if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
+    echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
+    return
+  fi
+
+  if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
+    echo "cryptomount -u $uuid"
+    return
+  fi
+
+  tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}"
+  tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}"
+  tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
+
+  declare -g TPM_PCR_SNAPSHOT_TAKEN
+
+  if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
+    TPM_PCR_SNAPSHOT_TAKEN=1
+    echo "tpm_record_pcrs 0-9"
+  fi
+
+  cat <<EOF
+tpm2_key_protector_init -b $tpm_pcr_bank -p $tpm_pcr_list -k \$prefix/$tpm_sealed_key
+if ! cryptomount -u $uuid -k tpm2; then
+    cryptomount -u $uuid
+fi
+EOF
+}
+
+
 make_grubcfg () {
 
 grub_cfg_dirname=`dirname $grub_cfg`
@@ -374,7 +412,7 @@ fi
 
 if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
   for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do
-    echo "cryptomount -u $uuid"
+    prepare_cryptodisk "$uuid"
   done
 fi
 
@@ -390,7 +428,9 @@ EOF
 # invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg
 # bsc#1118363 shim-install didn't specify the target for grub2-install
 # set the target explicitly for some special cases 
-${grub_install} --target=${grub_install_target} --no-nvram
+if test "$no_grub_install" != "yes"; then
+  ${grub_install} --target=${grub_install_target} --no-nvram
+fi
 
 # Making sure grub.cfg not overwritten by grub-install above 
 make_grubcfg > "${efidir}/grub.cfg"
diff --git a/shim.changes b/shim.changes
index bde494a..2b1a637 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Dec  9 08:38:14 UTC 2022 - Joey Lee <jlee@suse.com>
+
+- Modified shim-install, add the following Olaf Kirch's patches to support
+  full disk encryption: (jsc#PED-922)
+    a5c57340740c	Introduce --no-grub-install option
+    5c2c3addc51f	Handle different cases of controlling cryptomount volumes during first stage boot
+    26c6bd5df7ae	Have grub take a snapshot of "relevant" TPM PCRs 
+
 -------------------------------------------------------------------
 Wed Nov 23 07:28:57 UTC 2022 - Joey Lee <jlee@suse.com>