2025-10-28  Daniel Kiper  <daniel.kiper@oracle.com>

	Release 2.14~rc1

2025-10-28  Daniel Kiper  <daniel.kiper@oracle.com>

	windows: Fix symbol table generation during module conversion from PE to ELF
	According to the System V Application Binary Interface specification [1]
	the sections holding a symbol table, SHT_SYMTAB and SHT_DYNSYM, have to
	have sh_info set to "One greater than the symbol table index of the last
	local symbol (binding STB_LOCAL)". Current code converting PE images to
	ELF files does not do that and readelf complains in following way:

	  ...

	  Section Headers:
	    [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
	    [ 0]                   NULL            00000000 000000 000000 00      0   0  0
	    [ 1] .text             PROGBITS        00000000 000034 0014d4 00  AX  0   0  4
	    [ 2] .data             PROGBITS        00000000 001508 000040 00  WA  0   0 32
	    [ 3] .rdata            PROGBITS        00000000 001548 0006b8 00   A  0   0  4
	    [ 4] .module_license   PROGBITS        00000000 001c00 000010 00      0   0  4
	    [ 5] .bss              NOBITS          00000000 000000 000008 00  WA  0   0  4
	    [ 6] .moddeps          PROGBITS        00000000 001c10 000010 00      0   0  4
	    [ 7] .modname          PROGBITS        00000000 001c20 000008 00      0   0  4
	    [ 8] .rel.text         REL             00000000 001c28 0008c8 08     11   1  4
	    [ 9] .rel.data         REL             00000000 0024f0 000040 08     11   2  4
	    [10] .rel.rdata        REL             00000000 002530 000070 08     11   3  4
	    [11] .symtab           SYMTAB          00000000 0025a0 0001d0 10     12   0  4
	    [12] .strtab           STRTAB          00000000 002770 000237 00      0   0  1

	  ...

	  Symbol table '.symtab' contains 29 entries:
	     Num:    Value  Size Type    Bind   Vis      Ndx Name
	       0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
	  readelf: Warning: local symbol 0 found at index >= .symtab's sh_info value of 0
	       1: 0000144a     0 FUNC    LOCAL  DEFAULT    1 grub_mod_init
	  readelf: Warning: local symbol 1 found at index >= .symtab's sh_info value of 0
	       2: 000014aa     0 FUNC    LOCAL  DEFAULT    1 grub_mod_fini
	  readelf: Warning: local symbol 2 found at index >= .symtab's sh_info value of 0
	       3: 00000000     0 SECTION LOCAL  DEFAULT    1 .text
	  readelf: Warning: local symbol 3 found at index >= .symtab's sh_info value of 0
	       4: 00000000     0 SECTION LOCAL  DEFAULT    2 .data
	  readelf: Warning: local symbol 4 found at index >= .symtab's sh_info value of 0
	       5: 00000000     0 SECTION LOCAL  DEFAULT    5 .bss
	  readelf: Warning: local symbol 5 found at index >= .symtab's sh_info value of 0
	       6: 00000000     0 SECTION LOCAL  DEFAULT    3 .rdata
	  readelf: Warning: local symbol 6 found at index >= .symtab's sh_info value of 0
	       7: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND grub_dma_get_phys
	       8: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND grub_cs5536_write_msr
	       9: 00000000     0 NOTYPE  GLOBAL DEFAULT  UND grub_dma_free

	  ...

	Let's fix it...

	[1] https://www.sco.com/developers/gabi/2012-12-31/contents.html

	Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
	Reviewed-by: Alec Brown <alec.r.brown@oracle.com>

2025-10-28  Daniel Kiper  <daniel.kiper@oracle.com>

	windows: Fix relocation sections generation during module conversion from PE to ELF
	The commit 98ad84328 (kern/dl: Check for the SHF_INFO_LINK flag in
	grub_dl_relocate_symbols()) revealed a bug in the code converting PE
	module images to ELF files. The missing SHF_INFO_LINK flag for SHT_REL
	and SHT_RELA sections lead to hangs during GRUB load. This only happens
	for the GRUB images generated on Windows platforms. The *NIX platforms
	are not affected due to lack of PE to ELF conversion step.

	This patch fixes the issue...

	Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
	Reviewed-by: Alec Brown <alec.r.brown@oracle.com>

2025-10-28  Andrew Hamilton  <adhamilt@gmail.com>

	loader/efi/linux: Fix compile error with Clang
	Clang will produce a warning, which is treated as an error, that
	"vendor_defined_data" is uninitialized. This is a "zero length" array
	member of this struct. Add conditional compile pragma to allow this to
	compile with Clang.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-28  Andrew Hamilton  <adhamilt@gmail.com>

	build: Add tpm2key.asn file for reference to dist archive
	Add the tpm2key.asn file to the dist archive for reference by end users.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-28  Andrew Hamilton  <adhamilt@gmail.com>

	build: Include new zstd test support files in dist archive
	Include the two new zstd test support files in the dist archive
	so end users can successfully run this test.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-28  Andrew Hamilton  <adhamilt@gmail.com>

	build: Include MAINTAINERS and SECURITY files in dist archive
	Include the MAINTAINERS and SECURITY files in the dist archive
	for reference in distributed archives by end users.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Daniel Kiper  <daniel.kiper@oracle.com>

	build: Add appended signatures header file to EXTRA_DIST
	This file was not added to EXTRA_DIST during the appended signatures merge.

	Fixes: 3e4ff6ffb (appended signatures: Parse ASN1 node)

	Reviewed-by: Alec Brown <alec.r.brown@oracle.com>

2025-10-24  Daniel Kiper  <daniel.kiper@oracle.com>

	lib/xzembed/xz_dec_stream: Replace grub_memcpy() call with memcpy()
	Make the code consistent.

	Reviewed-by: Alec Brown <alec.r.brown@oracle.com>

2025-10-24  Daniel Kiper  <daniel.kiper@oracle.com>

	bootstrap: Fix patching warnings
	Currently bootstrap complains in the following way when
	patching gnulib files:

	  patching file regcomp.c
	  Hunk #2 succeeded at 1029 with fuzz 2.
	  Hunk #5 succeeded at 1716 with fuzz 2.
	  patching file regexec.c
	  patching file base64.c
	  patching file regexec.c
	  Hunk #1 succeeded at 807 (offset -21 lines).

	Let's fix it by adding missing "\f" and amending line
	numbers in the patches.

	Reviewed-by: Alec Brown <alec.r.brown@oracle.com>

2025-10-24  Yann Diorcet  <diorcet.yann@gmail.com>

	tss2: Always init out buffer before calling tpm2_submit_command_real()
	When tpm2_submit_command_real() is called for a retry, the content of
	out buffer can already be set with previous tpm2_submit_command_real()
	call's reply. Add a call to grub_tpm2_buffer_init() before tpm2_submit_command_real().

	This solves the issues occurring during TPM_CC_Load command on the
	integrated TPM 2.0 in Intel Elkhart Lake chip.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Andrew Hamilton  <adhamilt@gmail.com>

	fs/ntfs: Correct next_attribute validation
	Improved ad-hoc fuzzing coverage revealed a possible access violation
	around line 342 of grub-core/fs/ntfs.c when accessing the attr_cur
	pointer due to possibility of moving pointer "next" beyond of the end of
	the valid buffer inside next_attribute. Prevent this for cases where
	full attribute validation is not performed (such as on attribute lists)
	by performing a sanity check on the newly calculated next pointer.

	Fixes: 06914b614 (fs/ntfs: Correct attribute vs attribute list validation)

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Michael Chang  <mchang@suse.com>

	kern/ieee1275/init: Use net config for boot location instead of firmware bootpath
	On network boots grub_ieee1275_net_config() is used to determine the
	boot device but the path continues to be taken from the Open Firmware
	/chosen/bootpath property. This assumes the device node follows the
	generic IEEE 1275 syntax which is not always the case. Different drivers
	may extend or redefine the format and GRUB may then misinterpret the
	argument as a filename and set $prefix incorrectly.

	The generic Open Firmware device path format is:

	  device-name[:device-argument]
	  device-argument := [partition][,[filename]]

	For example, a bootpath such as:

	  /vdevice/l-lan@30000002:speed=auto,duplex=auto,1.2.243.345,,9.8.76.543,1.2.34.5,5,5,255.255.255.0,512

	does not follow this form. The section after the colon (the device-argument)
	contains driver-specific options and network parameters, not a valid filename.
	The GRUB interprets this string as a filename which results in $prefix being
	set to "/", effectively losing the intended boot directory.

	The firmware is not at fault here since interpretation of device nodes
	is driver-specific. Instead, GRUB should use the filename provided in
	the cached DHCP packet which is consistent and reliable. This is also
	the same mechanism already used on UEFI and legacy BIOS platforms.

	This patch updates grub_machine_get_bootlocation() to prefer the result
	from grub_ieee1275_net_config() when complete and only fall back to the
	firmware bootpath otherwise.

	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Lidong Chen  <lidong.chen@oracle.com>

	net/tftp: Fix NULL pointer dereference in grub_net_udp_close()
	A NULL pointer dereference can occur in grub_net_udp_close(data->sock)
	when handling a malformed TFTP OACK packet.

	This issue was discovered via fuzzing. When a malformed OACK packet
	contains an invalid file size, "tsize", value tftp_receive() detects
	the error and saves it via grub_error_save(&data->save_err). Later,
	tftp_open() restores this error and calls grub_net_udp_close(data->sock)
	assuming the socket is still valid.

	However, the socket may have already been closed and set to NULL after
	processing the final data block in tftp_receive() leading to a NULL
	pointer dereference when attempting to close it again.

	Fix it by checking if the socket is non-NULL before closing.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>

2025-10-24  Lidong Chen  <lidong.chen@oracle.com>

	net/dns: Prevent UAF and double free
	In recv_hook(), *data->addresses is freed without being set to NULL.
	Since *data->addresses can be cached in dns_cache[h].addresses, this
	can lead to UAF or double free if dns_cache[h].addresses is accessed
	or cleared later.

	The fix sets *data->addresses to NULL after freeing to avoid dangling
	pointer.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Lidong Chen  <lidong.chen@oracle.com>

	net/bootp: Prevent a UAF in network interface unregister
	A UAF occurs in grub_net_network_level_interface_unregister()
	when inter->name is accessed after being freed in grub_cmd_bootp().
	Fix it by deferring grub_free(ifaces[j].name) until after
	grub_net_network_level_interface_unregister() completes.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Andrew Hamilton  <adhamilt@gmail.com>

	docs: Document lsmemregions and memtools commands
	Add documentation of the new lsmemregions command as well as
	documenting the existing memtools module commands.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Leo Sandoval  <lsandova@redhat.com>

	commands/memtools: Add lsmemregions command
	Prints memory regions general information including size, number of
	blocks, total free and total allocated memory per region. The reason
	behind is to have a tool that shows general information about regions
	and how fragmented the memory is at some particular time.

	Below is an example showing how this tool before and after memory stress.

	    grub> lsmemregions

	    Region 0x78f6e000 (size 33554368 blocks 1048574 free 27325472 alloc 6232768)

	    > stress_big_allocations
	    ...

	    grub> lsmemregions

	    Region 0x7af8e000 (size 4032 blocks 126 free 2720 alloc 1312)
	    Region 0x80c000 (size 81856 blocks 2558 free 81856 alloc 0)
	    Region 0x7d165000 (size 167872 blocks 5246 free 167872 alloc 0)
	    Region 0x7d0bf000 (size 655296 blocks 20478 free 655296 alloc 0)
	    Region 0x7ee00000 (size 1331136 blocks 41598 free 1331136 alloc 0)
	    Region 0x100000 (size 7385024 blocks 230782 free 7385024 alloc 0)
	    Region 0x7af95000 (size 25382848 blocks 793214 free 25382848 alloc 0)
	    Region 0x1780000 (size 2038357952 blocks 63698686 free 2077517536 alloc 5445568)

	Reviewed-by: Andrew Hamilton <adhamilt@gmail.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Logan Gunthorpe  <logang@deltatee.com>

	tests/file_filter: Add zstd tests
	Test zstd decompression in the same way that other decompressors are tested.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Logan Gunthorpe  <logang@deltatee.com>

	tests/file_filter: Add zstd test file
	Add a file.zstd similar to the other compression methods and generate
	a gpg signature with "gpg --detach-sign".

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Logan Gunthorpe  <logang@deltatee.com>

	tests/file_filter: Regenerate gpg keys
	The "keys" file is not a valid GPG secret key so it is not possible to
	generate new signatures.

	Create a new key and use "gpg --export-secret-key" to export the key
	and "gpg --export" to export the public key. Then resign all the
	signatures with "gpg --detach-sign".

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-24  Logan Gunthorpe  <logang@deltatee.com>

	io/zstdio: Implement zstdio decompression
	Add zstd based io decompression.

	Based largely on the existing xzio, implement the same features using
	the zstd library already included in the project.

	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	fs/btrfs: Update doc link for bootloader support
	The old wiki link is obsolete and no longer updated. Change it to the
	current documentation.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	docs: Add Btrfs env block and special env vars
	Update grub.texi to describe the external environment block in the
	reserved area of Btrfs header used for grub-reboot and savedefault, and
	add a section documenting the saved_entry, next_entry, and env_block
	variables.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	util/grub.d/00_header.in: Wire grub.cfg to use env_block when present
	This patch extends the generated grub.cfg so that it can use the
	external environment block when the variable env_block is defined.
	During boot, if env_block is set, grub.cfg builds a device path for it,
	exports the variable, and then loads its contents in addition to the
	normal grubenv file.

	When GRUB writes variables such as next_entry or saved_entry, the save
	commands are changed to write into env_block if it is set, and to fall
	back to the grubenv file otherwise. In this way the external environment
	block is used automatically, and existing commands like savedefault or
	save_env do not need to change.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	fs/btrfs: Add environment block to reserved header area
	This patch reserves space for the GRUB environment block inside the
	Btrfs header. The block is placed at an offset of GRUB_ENV_BTRFS_OFFSET,
	256 KiB from the start of the device, and occupies one sector. To
	protect the space, overflow guard sectors are placed before and after
	the reserved block.

	The Btrfs header already defines regions for bootloader use. By adding
	this entry, GRUB gains a fixed and safe location to store the environment
	block without conflicting with other structures in the header.

	Add Btrfs and its reserved area information to the fs_envblk_spec table.
	With the groundworks done in previous patches, the function is now
	complete and working in grub-editenv.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	util/grub-editenv: Add probe call for external envblk
	This patch adds the probe_fs_envblk() function to identify the root
	filesystem and invoke fs_envblk_init() with the probed filesystem type
	and device. This checks if the feature is available and initializes the
	handle, fs_envblk, to access the external environment block. It avoids
	configurations with diskfilter or cryptodisk where filesystem blocks may
	be remapped or encrypted.

	The probe is only invoked when grub-editenv is working on the default
	environment file path. This restriction ensures that probing and
	possible raw device access are not triggered for arbitrary user supplied
	paths, but only for the standard grubenv file. In that case the code
	checks if the filename equals DEFAULT_ENVBLK_PATH and then calls
	probe_fs_envblk with fs_envblk_spec. The result is stored in the global
	fs_envblk handle. At this stage the external environment block is only
	detected and recorded, and the behavior of grub-editenv is unchanged.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	util/grub-editenv: Wire list_variables() to optional fs_envblk
	This patch updates list_variables() so that it also prints entries from
	the external environment block when one is present. The function first
	lists all variables from the file based envblk, then iterates over the
	external envblk and prints those as well.

	The output format remains the same as before. The change makes it
	possible to inspect variables regardless of whether they are stored in
	the file envblk or in the reserved block.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	util/grub-editenv: Wire unset_variables() to optional fs_envblk
	This patch updates unset_variables() so that removals are also applied
	to the external environment block when it is present. The code opens the
	external block, deletes the same named keys there, and then writes the
	external block back using fs_envblk_write(). The file based envblk is
	still updated and written as before.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	util/grub-editenv: Wire set_variables() to optional fs_envblk
	This patch changes set_variables() so that it can use an external
	environment block when one is present. The variable next_entry is
	written into the external block, env_block is treated as read only, and
	all other variables are written into the normal file based envblk.

	A cleanup step is added to handle cases where GRUB at runtime writes
	variables into the external block because file based updates are not
	safe on a copy on write filesystem such as Btrfs. For example, the
	savedefault command can update saved_entry, and on Btrfs GRUB will place
	that update in the external block instead of the file envblk. If an
	older copy remains in the external block, it would override the newer
	value from the file envblk when GRUB first loads the file and then
	applies the external block on top of it. To avoid this, whenever
	a variable is updated in the file envblk, any same named key in
	the external block is deleted.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	util/grub-editenv: Add fs_envblk write helper
	This patch adds the function fs_envblk_write to update the reserved
	environment block on disk. The helper takes an in memory envblk buffer
	and writes it back to the device at the location defined by the
	fs_envblk specification. It performs size checks and uses file sync to
	ensure that the updated data is flushed.

	The helper is also added into the fs_envblk ops table, together with the
	open helper from the previous patch. With this change the basic input
	and output path for an external environment block is complete. The
	choice of which variables should be written externally will be handled
	by later patches.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	util/grub-editenv: Add fs_envblk open helper
	This patch adds the logic to locate and open an environment block that
	is stored in a reserved area on the device. It introduces the function
	fs_envblk_open() together with helper routines to read the block pointed
	to by the env_block variable, and to create the block on disk when it
	does not exist yet. When a block is created, the code records its
	location inside the file based envblk by setting env_block in block list
	syntax of offset plus size in sectors.

	The env_block variable acts as a link from the file envblk to the raw
	disk region so that later runs of grub-editenv can follow it and access
	the external block. The helper is exposed through a small ops table
	attached to fs_envblk so that later patches can call
	fs_envblk->ops->open() without touching core code again. At this stage
	variables are still stored in the file envblk and no redirection has
	been applied.

	In relation to this, the fs_envblk_spec table defines the file-system
	specific layout of the reserved raw blocks used for environment storage.
	It is prepared to facilitate integration in grub-editenv, with Btrfs to
	be added in the future once its reserved area is defined.

	An fs_envblk_init() helper is added to prepare it for using the ops with
	its associated data context if the feature is available. It is not used
	yet, but will be used later when a filesystem and its device are probed
	to initialize the fs_envblk handle and enable access to the feature.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	tests: Add "z" length modifier printf tests
	Add unit tests for %zd, %zu and %zx to verify size_t and ssize_t
	formatting matches system snprintf().

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Michael Chang  <mchang@suse.com>

	kern/misc: Add the "z" length modifier support
	Add support for the "z" length modifier in the printf code. This allows
	printing of size_t and ssize_t values using %zu, %zd and related
	formats. The parser maps "z" to the correct integer width based on
	sizeof(size_t).

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	disk/cryptodisk: Add --hw-accel to enable hardware acceleration
	The --hw-accel option has been added to cryptomount to speed up
	decryption by temporarily enabling hardware-specific instruction
	sets (e.g., AVX, SSE) in libgcrypt.

	A new feature, "feature_gcry_hw_accel", is also introduced to mark the
	availability of the new option.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	libgcrypt: Add hardware acceleration for gcry_sha512
	Enable hardware acceleration for the gcry_sha512 module when building
	for the x86_64 EFI target.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	libgcrypt: Add hardware acceleration for gcry_sha256
	Enable hardware acceleration for the gcry_sha256 module when building
	for the x86_64 EFI target.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	libgcrypt: Declare the sha256 shaext function
	There is no prototype of _gcry_sha256_transform_intel_shaext() defined
	in the header or libgcrypt-grub/cipher/sha256.c, and gcc may complain
	the missing-prototypes error when compiling sha256-intel-shaext.c.

	Declare the prototype in sha256-intel-shaext.c to avoid the error.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	libgcrypt: Implement _gcry_get_hw_features()
	Implement _gcry_get_hw_features() and enable hardware feature detection
	for x86_64.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	libgcrypt: Copy sha512 x86_64 assembly files
	Copy the selected x86_64 assembly files to support hardware
	acceleration for sha512.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	libgcrypt: Copy sha256 x86_64 assembly files
	Copy the selected x86_64 assembly files to support hardware
	acceleration for sha256.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	lib/hwfeatures-gcry: Enable SSE and AVX for x86_64 EFI
	Implement the necessary functions to dynamically enable SSE and AVX
	on x86_64 EFI systems when the hardware is capable.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	lib/hwfeatures-gcry: Introduce functions to manage hardware features
	This commit introduces the generic functions to manage the hardware
	features in libgcrypt. These functions are stubs for future
	platform-specific implementations:
	  - grub_gcry_hwf_enabled() returns __gcry_use_hwf which indicates if
	    the hardware features are enabled specifically by grub_enable_gcry_hwf(),
	  - grub_enable_gcry_hwf() invokes the architecture specific enablement
	    functions and sets __gcry_use_hwf to true,
	  - grub_reset_gcry_hwf() invokes the architecture specific reset
	    functions and sets __gcry_use_hwf to false.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	configure: Tweak autoconf/automake files to detect x86_64 features
	To enable hardware acceleration, this commit ports the feature detection
	logic from libgcrypt. This allows us to check if the compiler supports
	specific assembly instructions, including SSSE3, Intel SHA extensions,
	SSE4.1, AVX, AVX2, AVX512, and BMI2.

	To simplify the initial implementation, support for x86_64 feature
	detection is currently limited to the x86_64 EFI target.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	lib/pbkdf2: Optimize PBKDF2 by reusing HMAC handle
	The previous PBKDF2 implementation used grub_crypto_hmac_buffer() which
	allocates and frees an HMAC handle on every call. This approach caused
	significant performance overhead slowing down the boot process considerably.

	This commit refactors the PBKDF2 code to use the new HMAC functions
	allowing the HMAC handle and its buffers to be allocated once and reused
	across multiple operations. This change significantly reduces disk
	unlocking time.

	In a QEMU/OVMF test environment this patch reduced the time to unlock
	a LUKS2 (*) partition from approximately 15 seconds to 4 seconds.

	  (*) PBKDF2 SHA256 with 3454944 iterations.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	lib/crypto: Introduce new HMAC functions to reuse buffers
	To enable more efficient buffer reuse for HMAC operations three new
	functions have been introduced. This change prevents the need to
	reallocate memory for each HMAC operation:
	  - grub_crypto_hmac_reset(): reinitializes the hash contexts in the HMAC handle,
	  - grub_crypto_hmac_final(): provides the final HMAC result without freeing the
	    handle allowing it to be reused immediately,
	  - grub_crypto_hmac_free(): deallocates the HMAC handle and its associated memory.

	To further facilitate buffer reuse ctx2 is now included within the HMAC handle
	struct and the initialization of ctx2 is moved to grub_crypto_hmac_init().

	The intermediate hash states, ctx and ctx2, for the inner and outer padded
	keys are now cached. The grub_crypto_hmac_reset() restores these cached
	states for new operations which avoids redundant hashing of the keys.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	docs: Document argon2 and argon2_test modules
	Tested-By: Waldemar Brodkorb <wbx@openadk.org>
	Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-23  Gary Lin  <glin@suse.com>

	kern/misc: Implement faster grub_memcpy() for aligned buffers
	When both "dest" and "src" are aligned, copying the data in grub_addr_t
	sized chunks is more efficient than a byte-by-byte copy.

	Also tweak __aeabi_memcpy(), __aeabi_memcpy4(), and __aeabi_memcpy8(),
	since grub_memcpy() is not inline anymore.

	Optimization for unaligned buffers was omitted to maintain code
	simplicity and readability. The current chunk-copy optimization
	for aligned buffers already provides a noticeable performance
	improvement (*) for Argon2 keyslot decryption.

	  (*) On my system, for a LUKS2 keyslot configured with a 1 GB Argon2
	      memory requirement, this patch reduces the decryption time from
	      22 seconds to 12 seconds.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
	Given that the LUKS1 test already covers PBKDF2, the default KDF for the
	LUKS2 test has been switched to Argon2id to ensure both algorithms are
	validated.

	Tested-By: Waldemar Brodkorb <wbx@openadk.org>
	Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	tests: Integrate Argon2 tests into functional_test
	Refactor the Argon2 tests to enable the module build and integrate the
	tests into function_test.

	Tested-By: Waldemar Brodkorb <wbx@openadk.org>
	Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	tests: Import Argon2 tests from libgcrypt
	Copy the Argon2 test function, check_argon2(), from t-kdf.c in libgcrypt
	to grub-core/tests/argon2_test.c.

	Tested-By: Waldemar Brodkorb <wbx@openadk.org>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	disk/luks2: Add Argon2 support
	Leverage the new grub_crypto_argon2() function to add support for the
	Argon2i and Argon2id KDFs in LUKS2.

	Tested-By: Waldemar Brodkorb <wbx@openadk.org>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	argon2: Introduce grub_crypto_argon2()
	This commit introduces grub_crypto_argon2() which leverages the
	_gcry_kdf_*() functions from libgcrypt to provide Argon2 support.

	Due to the dependency of the _gcry_kdf_*() functions, the order of
	"ldadd" entries have to be tweaked in Makefile.util.def so that the
	linker can discover these functions.

	Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
	Use grub_divmod64() for the 64-bit modulus to prevent creation of
	special division calls such as __umoddi3() and __aeabi_uldivmod() on
	32-bit platforms.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	libgcrypt/kdf: Remove unsupported KDFs
	Clean up _gcry_kdf_*() to remove unsupported KDFs.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
	gpg_err_code_from_errno() requires libgcrypt_wrap/mem.c which is not in
	Makefile.utilgcry.def. This commit replaces gpg_err_code_from_errno()
	with GPG_ERR_* to avoid the build errors.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	libgcrypt/kdf: Implement hash_buffers() for BLAKE2b-512
	The hash_buffers() functions are disabled in GRUB by default but the
	Argon2 implementation requires hash_buffers() for BLAKE2b-512.

	This commit implements argon2_blake2b_512_hash_buffers() as the
	replacement of _gcry_digest_spec_blake2b_512.hash_buffers().

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	crypto: Update crypto.h for libgcrypt KDF functions
	This commit introduces the necessary changes to crypto.h in preparation
	for implementing Argon2 support via the generic KDF functions, _gcry_kdf_*():
	  - add new GPG error types required by kdf.c,
	  - declare _gcry_digest_spec_blake2b_512 to enable BLAKE2b-512 digest calculations,
	  - define the gcrypt KDF algorithm IDs for Argon2,
	  - add the prototypes of _gcry_kdf_*() functions.

	Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-21  Gary Lin  <glin@suse.com>

	util/import_gcry: Import kdf.c for Argon2
	The import_gcry.py script now imports kdf.c from libgcrypt. To isolate
	the Argon2 implementation, all unrelated functions have been removed.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Sudhakar Kuppusamy  <sudhakar@linux.ibm.com>

	commands/menuentry: Fix for out of bound access
	A menu entry with an empty title leads to an out-of-bounds access at
	"ch = src[len - 1]", i.e., "src" is empty and "len" is zero. So, fixing
	this by checking the menu entry title length and throwing an error if
	the length is zero.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Gary Lin  <glin@suse.com>

	tests/tpm2_key_protector_test: Add a test for PCR Capping
	A test is introduced to cap PCR 1 and track the PCR 1 value before and
	after key unsealing.

	Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Gary Lin  <glin@suse.com>

	tpm2_key_protector: Support PCR capping
	To prevent a sealed key from being unsealed again, a common and
	straightforward method is to "cap" the key by extending the associated
	PCRs. When the PCRs associated with the sealed key are extended, TPM will
	be unable to unseal the key, as the PCR values required for unsealing no
	longer match, effectively rendering the key unusable until the next
	system boot or a state where the PCRs are reset to their expected values.

	To cap a specific set of PCRs, simply append the argument '-c pcr_list'
	to the tpm2_key_protector command. Upon successfully unsealing the key,
	the TPM2 key protector will then invoke tpm2_protector_cap_pcrs(). This
	function extends the selected PCRs with an EV_SEPARATOR event,
	effectively "capping" them. Consequently, the associated key cannot be
	unsealed in any subsequent attempts until these PCRs are reset to their
	original, pre-capped state, typically occurring upon the next system
	boot.

	Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Gary Lin  <glin@suse.com>

	tss2: Implement grub_tcg2_cap_pcr() for emu
	Since there is no system firmware for grub-emu, the TPM2_PCR_Event
	command becomes the only choice to implement grub_tcg2_cap_pcr().

	Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Gary Lin  <glin@suse.com>

	tss2: Implement grub_tcg2_cap_pcr() for ieee1275
	This commit implements grub_tcg2_cap_pcr() for ieee1275 with the
	firmware function, 2hash-ext-log, to extend the target PCR with an
	EV_SEPARATOR event and record the event into the TPM event log.

	To avoid duplicate code, ibmvtpm_2hash_ext_log() is moved to tcg2.c
	and exported as a global function.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Gary Lin  <glin@suse.com>

	tss2: Implement grub_tcg2_cap_pcr() for EFI
	This commit implements grub_tcg2_cap_pcr() for EFI by using the UEFI
	TCG2 protocol, HashLogExtendEvent, to extend the specified PCR with an
	EV_SEPARATOR event and ensure the event will be recorded properly in the
	TPM event log.

	Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Gary Lin  <glin@suse.com>

	tss2: Introduce grub_tcg2_cap_pcr()
	This commit introduces the definition of grub_tcg2_cap_pcr(), a new
	function designed to enhance the security of sealed keys. Its primary
	purpose is to "cap" a specific PCR by extending it with an EV_SEPARATOR
	event. This action cryptographically alters the PCR value, making it
	impossible to unseal any key that was previously sealed to the original
	PCR state. Consequently, the sealed key remains protected against
	unauthorized unsealing attempts until the associated PCRs are reset to
	their initial configuration, typically occurring during a subsequent
	system boot.

	Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Gary Lin  <glin@suse.com>

	tss2: Add TPM2_PCR_Event command
	The TPM2_PCR_Event command is introduced to tss2 to allow the user to
	extend a specific PCR. The related data structure and unmarshal function
	are also introduced.

	However, simply invoking TPM2_PCR_Event does not automatically record
	the event into the TPM event log. The TPM event log is primarily
	maintained by the system firmware (e.g., BIOS/UEFI). Therefore, for most
	standard use cases, the recommended method for extending PCRs and
	ensuring proper event logging is to utilize the system firmware
	functions.

	There are specific scenarios where direct use of TPM2_PCR_Event becomes
	necessary. For instance, in environments lacking system firmware support
	for PCR extension, such as the grub-emu, TPM2_PCR_Event serves as the
	only available method to extend PCRs.

	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Thomas Zimmermann  <tzimmermann@suse.de>

	loader/i386/linux: Transfer EDID information to kernel
	The Linux kernel's struct bootparams provides a field at offset 0x140
	for storing an EDID header. Copy the video adapter's data to the field.

	The edid_info field was added in 2003 (see "[FBDEV] EDID support from
	OpenFirmware on PPC platoforms and from the BIOS on intel platforms."),
	but only got useable in 2004 (see "[PATCH] Fix EDID_INFO in zero-page").
	The boot protocol was at version 2.03 at that time.

	The field was never used much, but with the recent addition of the efidrm
	and vesadrm drivers to the kernel, it becomes much more useful. As with
	the initial screen setup, these drivers can make use of the provided
	EDID information for basic display output.

	Reviewed-by: Neal Gompa <ngompa13@gmail.com>
	Reviewed-by: Michael Chang <mchang@suse.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Dave Vasilevsky  <dave@vasilevsky.ca>

	fs/hfsplus: Allow reading files created by Mac OS 9
	The "permissions" field of hfsplus files is only used by Mac OS X. This
	causes GRUB to skip reading files created by Mac OS 9, since their
	file mode is read as unknown. Instead, assume files with zero mode
	are regular files.

	From Technote 1150:

	  The traditional Mac OS implementation of HFS Plus does not use the
	  permissions field. Files created by traditional Mac OS have the
	  entire field set to 0.

	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Sridhar Markonda  <sridharm@linux.ibm.com>

	docs: Fix build warnings in libgcrypt and blsuki doc
	Following warnings are thrown during libgrcypt and bluski doc build:

	  grub.texi:4744: warning: node next pointer for `gcry_arcfour_module' is `gcry_blake2_module' but next is `gcry_aria_module' in menu
	  grub.texi:4744: warning: node prev pointer for `gcry_arcfour_module' is `gcry_aria_module' but prev is `functional_test_module' in menu
	  grub.texi:4751: warning: node prev pointer for `gcry_blake2_module' is `gcry_arcfour_module' but prev is `gcry_aria_module' in menu
	  grub.texi:8532: warning: node next pointer for `trust' is `unset' but next is `uki' in menu
	  grub.texi:8549: warning: node next pointer for `unset' is `uki' but next is `verify_detached' in menu
	  grub.texi:8549: warning: node prev pointer for `unset' is `trust' but prev is `uki' in menu
	  grub.texi:8557: warning: node next pointer for `uki' is `verify_detached' but next is `unset' in menu
	  grub.texi:8557: warning: node prev pointer for `uki' is `unset' but prev is `trust' in menu
	  grub.texi:8600: warning: node prev pointer for `verify_detached' is `uki' but prev is `unset' in menu

	Fix order of gcry_aria_module and unset nodes.

	Reviewed-by: Andrew Hamilton <adhamilt@gmail.com>
	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Srish Srinivasan  <ssrish@linux.ibm.com>

	kern/command,commands/extcmd: Perform explicit NULL check in both the unregister helpers
	During command registration, grub_register_command_prio() returns
	a 0 when there is a failure in memory allocation. In such a situation,
	calls to grub_unregister_{command(), extcmd()} during command
	unregistration will result in dereferencing a NULL pointer.

	Perform explicit NULL check in both unregister helpers to prevent
	undefined behaviour due to a NULL pointer dereference.

	Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
	Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

2025-10-11  Luca Boccassi  <luca.boccassi@gmail.com>

