From abbbe63ab9e6560a217711810059aea8c9332596 Mon Sep 17 00:00:00 2001
From: Mandeep Plaha <99760213+mandeepsplaha@users.noreply.github.com>
Date: Wed, 12 Jun 2024 11:00:42 -0700
Subject: [PATCH 01/40] add nodejs-npm to nodejs golden container (#9386)

---
 .pipelines/containerSourceData/nodejs/distroless/nodejs.pkg | 1 +
 .pipelines/containerSourceData/nodejs/nodejs.pkg | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.pipelines/containerSourceData/nodejs/distroless/nodejs.pkg b/.pipelines/containerSourceData/nodejs/distroless/nodejs.pkg
index a3dd92d9c6e..331605e8f16 100644
--- a/.pipelines/containerSourceData/nodejs/distroless/nodejs.pkg
+++ b/.pipelines/containerSourceData/nodejs/distroless/nodejs.pkg
@@ -1,3 +1,4 @@
 distroless-packages-base
 nodejs
+nodejs-npm
 prebuilt-ca-certificates
diff --git a/.pipelines/containerSourceData/nodejs/nodejs.pkg b/.pipelines/containerSourceData/nodejs/nodejs.pkg
index 54515b67eee..5d0b9374c8c 100644
--- a/.pipelines/containerSourceData/nodejs/nodejs.pkg
+++ b/.pipelines/containerSourceData/nodejs/nodejs.pkg
@@ -1,2 +1,3 @@
 ca-certificates
 nodejs
+nodejs-npm
From 42a30eb91bf31349a79b99a373ae5a71438a6462 Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani
Date: Wed, 12 Jun 2024 23:59:45 +0530
Subject: [PATCH 02/40] toolkit: bump azidentity 1.3.1 -> 1.6.0 to address CVE-2024-35255 (#9383)

Fixes: https://github.com/microsoft/azurelinux/security/dependabot/13
Signed-off-by: Muhammad Falak R Wani
---
 toolkit/tools/go.mod | 26 +++++++++----------
 toolkit/tools/go.sum | 62 +++++++++++++++++++++-----------------------
 2 files changed, 41 insertions(+), 47 deletions(-)

diff --git a/toolkit/tools/go.mod b/toolkit/tools/go.mod
index f799de8f587..813c64241a7 100644
--- a/toolkit/tools/go.mod
+++ b/toolkit/tools/go.mod
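Review bot: The added `nodejs-npm` line in `.pipelines/containerSourceData/nodejs/distroless/nodejs.pkg` puts a package manager into the distroless runtime image, which is otherwise limited to `distroless-packages-base`, `nodejs` and `prebuilt-ca-certificates`; the same line is added to `nodejs/nodejs.pkg`, where it matters less. A tool that can download and install code at runtime widens the attack surface of an image that is normally kept minimal, and the commit message gives no reason for needing it there. It would help to record in the commit description whether npm is required at runtime or only at build time, for example `nodejs-npm is needed at runtime by <CONSUMER>` (placeholder). If it is build-time only, presumably the change could be limited to `nodejs/nodejs.pkg` and the distroless list left as it was.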
@@ -3,14 +3,14 @@ module github.com/microsoft/azurelinux/toolkit/tools go 1.20 require ( - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d github.com/bendahl/uinput v1.4.0 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e github.com/fatih/color v1.16.0 github.com/gdamore/tcell v1.4.0 - github.com/google/uuid v1.3.0 + github.com/google/uuid v1.6.0 github.com/jinzhu/copier v0.3.2 github.com/juliangruber/go-intersect v1.1.0 github.com/klauspost/pgzip v1.2.5 @@ -18,9 +18,9 @@ require ( github.com/muesli/crunchy v0.4.0 github.com/rivo/tview v0.0.0-20200219135020-0ba8301b415c github.com/sirupsen/logrus v1.9.3 - github.com/stretchr/testify v1.7.1 + github.com/stretchr/testify v1.9.0 github.com/ulikunitz/xz v0.5.10 - golang.org/x/sys v0.15.0 + golang.org/x/sys v0.21.0 gonum.org/v1/gonum v0.14.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/ini.v1 v1.67.0 
@@ -28,28 +28,26 @@ require ( ) require ( - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/gdamore/encoding v1.0.0 // indirect - github.com/golang-jwt/jwt/v5 v5.0.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/klauspost/compress v1.10.5 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/lucasb-eyer/go-colorful v1.0.3 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.7 // indirect - github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect - github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rivo/uniseg v0.1.0 // indirect github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 // indirect - golang.org/x/crypto v0.17.0 // indirect + golang.org/x/crypto v0.24.0 // indirect golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect - golang.org/x/net v0.18.0 // indirect - golang.org/x/text v0.14.0 // indirect - gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect + golang.org/x/net v0.26.0 // indirect + golang.org/x/text v0.16.0 // indirect ) diff --git a/toolkit/tools/go.sum b/toolkit/tools/go.sum index 5b5f636f814..98873b8d746 100644 --- a/toolkit/tools/go.sum 
+++ b/toolkit/tools/go.sum 
@@ -1,14 +1,14 @@ -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.2.0 h1:Ma67P/GGprNwsslzEH6+Kb8nybI8jpDTm4Wmzu2ReK8= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 h1:nVocQV40OQne5613EeLayJiRAJuKlBGy+m22qWG+WRg= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0/go.mod h1:7QJP7dr2wznCMeqIrhMgWGf7XpAQnVrJqDm9nvV3Cu4= -github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk= -github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 
h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= @@ -25,7 +25,6 @@ github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oD github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko= 
@@ -33,10 +32,10 @@ github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo github.com/gdamore/tcell v1.3.0/go.mod h1:Hjvr+Ofd+gLglo7RYKxxnzCBmev3BzsS67MebKS4zMM= github.com/gdamore/tcell v1.4.0 h1:vUnHwJRvcPQa3tzi+0QI4U9JINXYJlOz9yiaiPQ2wMU= github.com/gdamore/tcell v1.4.0/go.mod h1:vxEiSDZdW3L+Uhjii9c3375IlDmR05bzxY404ZVSMo0= -github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE= -github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/jinzhu/copier v0.3.2 h1:QdBOCbaouLDYaIPFfi1bKv5F5tPpeTwXe4sD0jqtz5w= github.com/jinzhu/copier v0.3.2/go.mod h1:24xnZezI2Yqac9J61UC6/dG/k76ttpq0DdJI3QmUvro= github.com/juliangruber/go-intersect v1.1.0 h1:sc+y5dCjMMx0pAdYk/N6KBm00tD/f3tq+Iox7dYDUrY= 
@@ -45,11 +44,11 @@ github.com/klauspost/compress v1.10.5 h1:7q6vHIqubShURwQz8cQK6yIe/xC3IF0Vm7TGfqj github.com/klauspost/compress v1.10.5/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE= github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= -github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lucasb-eyer/go-colorful v1.0.2/go.mod h1:0MS4r+7BZKSJ5mw4/S5MPN+qHFF1fYclkSPilDOKW0s= 
@@ -67,58 +66,55 @@ github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vyg github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/muesli/crunchy v0.4.0 h1:qdiml8gywULHBsztiSAf6rrE6EyuNasNKZ104mAaahM= github.com/muesli/crunchy v0.4.0/go.mod h1:9k4x6xdSbb7WwtAVy0iDjaiDjIk6Wa5AgUIqp+HqOpU= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/rivo/tview v0.0.0-20200219135020-0ba8301b415c h1:Q1oRqcTvxE0hjV0Gw4bEcYYLM0ztcuARGVSWEF2tKaI= github.com/rivo/tview v0.0.0-20200219135020-0ba8301b415c/go.mod h1:/rBeY22VG2QprWnEqG57IBC8biVu3i0DOIjRLc9I8H0= github.com/rivo/uniseg v0.1.0 h1:+2KBaVoUmb9XzDsrx/Ct0W/EYOSFf/nWTauy++DprtY= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.4.0/go.mod 
h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9 h1:w8V9v0qVympSF6GjdjIyeqR7+EVhAF9CBQmkmW7Zw0w= github.com/xrash/smetrics v0.0.0-20170218160415-a3153f7040e9/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 h1:mchzmB1XO2pMaKFRqk/+MV3mgGG96aqaPXaMifQU47w= golang.org/x/exp v0.0.0-20231108232855-2478ac86f678/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= -golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= -golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sys v0.0.0-20190626150813-e07cf5db2756/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191018095205-727590c5006e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= gonum.org/v1/gonum v0.14.0 h1:2NiG67LD1tEH0D7kM+ps2V+fXmsAnpUeec7n8tcr4S0= gonum.org/v1/gonum v0.14.0/go.mod h1:AoWeoz0becf9QMWtE8iWXNXc27fK4fNeHNf/oMejGfU= gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= -gopkg.in/check.v1 
v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From a63d5a4572dba6296e279c6de2f960c2d42506aa Mon Sep 17 00:00:00 2001 From: Neha Agarwal <58672330+neha170@users.noreply.github.com> Date: Wed, 12 Jun 2024 13:59:47 -0700 Subject: [PATCH 03/40] php: udpate to v8.3.8 to fix CVEs (#9377) --- SPECS/php/php.signatures.json | 34 +++++++++++++++++----------------- SPECS/php/php.spec | 5 ++++- cgmanifest.json | 4 ++-- 3 files changed, 23 insertions(+), 20 deletions(-) diff --git a/SPECS/php/php.signatures.json b/SPECS/php/php.signatures.json index 15ac1962006..588da35473a 100644 --- a/SPECS/php/php.signatures.json +++ b/SPECS/php/php.signatures.json 
@@ -1,19 +1,19 @@ { - "Signatures": { - "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869", - "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0", - "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e", - "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59", - "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95", - "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38", - "php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8", - "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9", - "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79", - "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117", - "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328", - "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2", - "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8", - "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278", - "php-8.3.6.tar.xz": "53c8386b2123af97626d3438b3e4058e0c5914cb74b048a6676c57ac647f5eae" - } + "Signatures": { + "10-opcache.ini": "6065beb2ace54d6cb5a8cde751330ea358bd23692073c6e3d2c57f7c97bec869", + "20-ffi.ini": "f5e968fdd3eca54f3dab2399e243931cf16cd9da034f0364800aefab222271c0", + "macros.php": "917104496e8239e1ed1d4812871be772a5fa8b38cf80c4c59ec3e0c36d48310e", + "nginx-fpm.conf": "5a222ab2c3fc0145cb67a1c5125471bbf097de304e77c9858e7077a3b4fcad59", + "nginx-php.conf": "b3b3f744c4c122302fcb11f39cac78d01cef15ee6f8bd67e98b3438efcf8dc95", + "opcache-default.blacklist": "4eef0875e1a0c6a75b8a2bafd4ddc029b83be74dd336a6a99214b0c32808cb38", + "php-8.3.8.tar.xz": "aea358b56186f943c2bbd350c9005b9359133d47e954cfc561385319ae5bb8d7", + 
"php-fpm-www.conf": "1cacdd4962c01a0a968933c38db503023940ad9105f021bdab85d6cdc46dcbb8", + "php-fpm.conf": "bb261d53b9b42bb163a7637bb373ffa18a20dddf27a3efe6cb5ed1b1cf5981a9", + "php-fpm.logrotate": "7d8279bebb9ffabc596a2699150e93d4ce4513245890b9b786d337288b19fa79", + "php-fpm.service": "574f50dec5a0edd60e60e44e7cc2d03575bc728bdc0b0cab021ce3c55abc0117", + "php-fpm.wants": "846297e91ba02bd0e29b6635eeddcca01a7ad4faf5a8f27113543804331d0328", + "php.conf": "e2388be032eccf7c0197d597ba72259a095bf8434438a184e6a640edb4b59de2", + "php.ini": "8fd5a4d891c19320c07010fbbbac982c886b422bc8d062acaeae49d70c136fc8", + "php.modconf": "dc7303ea584452d2f742d002a648abe74905025aabf240259c7e8bd01746d278" + } } diff --git a/SPECS/php/php.spec b/SPECS/php/php.spec index 3246a9afa72..42c23432d0b 100644 --- a/SPECS/php/php.spec +++ b/SPECS/php/php.spec @@ -32,7 +32,7 @@ %global with_qdbm 0 Summary: PHP scripting language for creating dynamic web sites Name: php -Version: 8.3.6 +Version: 8.3.8 Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend @@ -1514,6 +1514,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || : %dir %{_datadir}/php/preload %changelog +* Tue Jun 11 2024 Neha Agarwal - 8.3.8-1 +- Upgrade to 8.3.8 to fix CVE-2024-4577, CVE-2024-5458, CVE-2024-5585 + * Tue May 07 2024 Gary Swalling - 8.3.6-1 - Upgrade to 8.3.6 to fix CVE-2024-2756, CVE-2024-2757, CVE-2024-3096 - Update BuildRequires, libpq is now provided by postgresql diff --git a/cgmanifest.json b/cgmanifest.json index 8dc42f687f0..33b21884d89 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -20793,8 +20793,8 @@ "type": "other", "other": { "name": "php", - "version": "8.3.6", - "downloadUrl": "https://www.php.net/distributions/php-8.3.6.tar.xz" + "version": "8.3.8", + "downloadUrl": "https://www.php.net/distributions/php-8.3.8.tar.xz" } } }, From 070daa86678a878c39f71488cd137afcb05c7ec1 Mon Sep 17 00:00:00 2001 
From: Sam Meluch <109628994+sameluch@users.noreply.github.com> Date: Wed, 12 Jun 2024 17:46:26 -0700 Subject: [PATCH 04/40] Bump azurelinux release for preview (#9389) --- SPECS/azurelinux-release/azurelinux-release.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SPECS/azurelinux-release/azurelinux-release.spec b/SPECS/azurelinux-release/azurelinux-release.spec index 763d3d992a7..23a38fbcdd8 100644 --- a/SPECS/azurelinux-release/azurelinux-release.spec +++ b/SPECS/azurelinux-release/azurelinux-release.spec @@ -5,7 +5,7 @@ Summary: Azure Linux release files Name: azurelinux-release Version: %{dist_version}.0 -Release: 13%{?dist} +Release: 14%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -118,6 +118,9 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/ %{_sysctldir}/*.conf %changelog +* Wed Jun 12 2024 Sam Meluch - 3.0-14 +- Azure Linux 3.0 June Preview Release 1 + * Fri May 24 2024 Sam Meluch - 3.0-13 - Azure Linux 3.0 May Preview Release 2 From a961baf6befb15de1fd13ecc4f753b78a18a0463 Mon Sep 17 00:00:00 2001 From: bfjelds Date: Thu, 13 Jun 2024 12:09:28 -0700 Subject: [PATCH 05/40] Address CVE-2024-3727 by patching vendored github.com/containers/image (#9342) --- .../CVE-2024-3727.patch | 165 ++++++++++++++++++ .../containerized-data-importer.spec | 7 +- 2 files changed, 171 insertions(+), 1 deletion(-) create mode 100644 SPECS/containerized-data-importer/CVE-2024-3727.patch diff --git a/SPECS/containerized-data-importer/CVE-2024-3727.patch b/SPECS/containerized-data-importer/CVE-2024-3727.patch new file mode 100644 index 00000000000..92f882851e9 --- /dev/null +++ b/SPECS/containerized-data-importer/CVE-2024-3727.patch 
@@ -0,0 +1,165 @@ +From ea14d57b98cc37decad0c39ccbafb27994274b47 Mon Sep 17 00:00:00 2001 +From: Brian Fjeldstad +Date: Thu, 6 Jun 2024 21:13:36 +0000 +Subject: [PATCH] apply CVE-2024-3727 fix to v5.19.1 + +--- + vendor/github.com/containers/image/v5/docker/docker_client.go | 3 +++ + vendor/github.com/containers/image/v5/docker/docker_image.go | 8 ++++++-- + vendor/github.com/containers/image/v5/docker/docker_image_dest.go | 15 ++++++++++++--- + vendor/github.com/containers/image/v5/docker/docker_image_src.go | 19 +++++++++++++++++-- + vendor/github.com/containers/image/v5/docker/lookaside.go | 7 +++++-- + 5 files changed, 43 insertions(+), 9 deletions(-) + +diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go +index 833323b4..99bde923 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_client.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go +@@ -796,6 +796,9 @@ func (c *dockerClient) detectProperties(ctx context.Context) error { + // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension, + // using the original data structures. 
+ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) { ++ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters ++ return nil, err ++ } + path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest) + res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) + if err != nil { +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go +index c84bb37d..0076d229 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image.go +@@ -83,8 +83,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types. + if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil { + return nil, err + } +- tags = append(tags, tagsHolder.Tags...) +- ++ for _, tag := range tagsHolder.Tags { ++ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values ++ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err) ++ } ++ tags = append(tags, tag) ++ } + link := res.Header.Get("Link") + if link == "" { + break +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +index e7af8f93..1096c56f 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go +@@ -226,6 +226,9 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader, + // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil); + // it returns a non-nil error only on an unexpected failure. 
+ func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) { ++ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters ++ return false, -1, err ++ } + checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String()) + logrus.Debugf("Checking %s", checkPath) + res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope) +@@ -558,8 +561,11 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m + + // NOTE: Keep this in sync with docs/signature-protocols.md! + for i, signature := range signatures { +- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i) +- err := d.putOneSignature(url, signature) ++ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return err ++ } ++ err = d.putOneSignature(url, signature) + if err != nil { + return err + } +@@ -570,7 +576,10 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m + // is enough for dockerImageSource to stop looking for other signatures, so that + // is sufficient. + for i := len(signatures); ; i++ { +- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i) ++ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return err ++ } + missing, err := d.c.deleteOneSignature(url) + if err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +index 314e9b39..43ca0c4f 100644 +--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go ++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go +@@ -178,6 +178,9 @@ func simplifyContentType(contentType string) string { + // this never happens if the primary manifest is not a manifest list (e.g. 
if the source never returns manifest lists). + func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) { + if instanceDigest != nil { ++ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters ++ return nil, "", err ++ } + return s.fetchManifest(ctx, instanceDigest.String()) + } + err := s.ensureManifestIsLoaded(ctx) +@@ -373,6 +376,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo, + return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt") + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, nil, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil) +@@ -425,6 +431,9 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca + } + } + ++ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters ++ return nil, 0, err ++ } + path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String()) + logrus.Debugf("Downloading %s", path) + res, err := s.c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil) +@@ -486,7 +495,10 @@ func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, inst + // NOTE: Keep this in sync with docs/signature-protocols.md! 
+ signatures := [][]byte{} + for i := 0; ; i++ { +- url := signatureStorageURL(s.c.signatureBase, manifestDigest, i) ++ url, err := signatureStorageURL(s.c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return nil, err ++ } + signature, missing, err := s.getOneSignature(ctx, url) + if err != nil { + return nil, err +@@ -627,7 +639,10 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere + } + + for i := 0; ; i++ { +- url := signatureStorageURL(c.signatureBase, manifestDigest, i) ++ url, err := signatureStorageURL(c.signatureBase, manifestDigest, i) ++ if err != nil { ++ return err ++ } + missing, err := c.deleteOneSignature(url) + if err != nil { + return err +diff --git a/vendor/github.com/containers/image/v5/docker/lookaside.go b/vendor/github.com/containers/image/v5/docker/lookaside.go +index 515e5932..2e400c09 100644 +--- a/vendor/github.com/containers/image/v5/docker/lookaside.go ++++ b/vendor/github.com/containers/image/v5/docker/lookaside.go +@@ -229,8 +229,11 @@ func (ns registryNamespace) signatureTopLevel(write bool) string { + // signatureStorageURL returns an URL usable for accessing signature index in base with known manifestDigest. + // base is not nil from the caller + // NOTE: Keep this in sync with docs/signature-protocols.md! +-func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL { ++func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) (*url.URL, error) { ++ if err := manifestDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in a path with ../, so validate explicitly. ++ return nil, err ++ } + url := *base + url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1) +- return &url ++ return &url, nil + } +-- +2.34.1 + 
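Review bot: Digest validation is added only in the five files under `vendor/github.com/containers/image/v5/docker/` listed in the embedded patch's diffstat, so any other vendored containers/image code that turns a digest into a file path or URL would still accept an unvalidated value. Whether this package vendors such code is not visible here, so the vendor tree is worth comparing against the complete upstream fix for CVE-2024-3727 before treating the CVE as closed. The embedded patch header also names no upstream source; a line such as `Upstream-reference: <URL of the upstream commit>` (placeholder) under its Subject would let a maintainer diff this backport against the original. The check in `signatureStorageURL` should not be dropped when the patch is rebased, since its own comment notes that `Hex()` panics on an invalid digest and the value is formatted straight into `url.Path`.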
diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index a5c94512633..7eabf50fbf1 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,13 +18,14 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.57.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux Group: System/Packages URL: https://github.com/kubevirt/containerized-data-importer Source0: https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: CVE-2024-3727.patch BuildRequires: golang BuildRequires: golang-packaging BuildRequires: libnbd-devel @@ -108,6 +109,7 @@ kubernetes installation with kubectl apply. # to be 'physically' placed into the proper location. %setup -q -n go/src/kubevirt.io/%{name} -c -T tar --strip-components=1 -xf %{SOURCE0} +%autopatch -p1 %build @@ -198,6 +200,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Thu Jun 06 2024 Brian Fjeldstad - 1.57.0-2 +- Address CVE-2024-3727 by patching vendored github.com/containers/image + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 1.57.0-1 - Auto-upgrade to 1.57.0 - Azure Linux 3.0 - package upgrades From c0c48481c10f2a253a5cfbfe233e5d05c29c9acf Mon Sep 17 00:00:00 2001 
From: Alberto Perez Date: Thu, 13 Jun 2024 14:29:13 -0500 Subject: [PATCH 06/40] Python XlsxWriter Initial Azure Linux Import from Fedora 40 (#9387) --- LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md | 2 +- LICENSES-AND-NOTICES/SPECS/data/licenses.json | 1 + .../python-xlsxwriter.signatures.json | 5 + .../python-xlsxwriter/python-xlsxwriter.spec | 267 ++++++++++++++++++ cgmanifest.json | 10 + 5 files changed, 284 insertions(+), 1 deletion(-) create mode 100644 SPECS/python-xlsxwriter/python-xlsxwriter.signatures.json create mode 100644 SPECS/python-xlsxwriter/python-xlsxwriter.spec diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md index 34333b9711e..e64526f55fa 100644 --- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md +++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md @@ -5,7 +5,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command
delve
fstrm
nodejs-nodemon
rhnlib
rt-setup
rt-tests
rtctl
tuned | | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mozjs
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mozjs
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib | | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json index b4ae96cad2a..68a7a07693f 100644 --- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json +++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json @@ -1854,6 +1854,7 @@ "python-winrm", "python-wrapt", "python-xlrd", + "python-xlsxwriter", "python-xmltodict", "python-yubico", "python-zipp", diff --git a/SPECS/python-xlsxwriter/python-xlsxwriter.signatures.json b/SPECS/python-xlsxwriter/python-xlsxwriter.signatures.json new file mode 100644 index 00000000000..55045dbc9e3 --- /dev/null +++ b/SPECS/python-xlsxwriter/python-xlsxwriter.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "python-xlsxwriter-3.2.0.tar.gz" : "177ca97f176076e0955dbbb8e7ffefc75587483b547c86b84f277c6d86c8f20b" + } +} diff --git a/SPECS/python-xlsxwriter/python-xlsxwriter.spec b/SPECS/python-xlsxwriter/python-xlsxwriter.spec new file mode 100644 index 00000000000..abeb54f78df --- /dev/null +++ b/SPECS/python-xlsxwriter/python-xlsxwriter.spec 
@@ -0,0 +1,267 @@
+%global pypi_name xlsxwriter
+%global src_name XlsxWriter
+
+Name: python-%{pypi_name}
+Version: 3.2.0
+Release: 2%{?dist}
+Summary: Python module for writing files in the Excel 2007+ XLSX file format
+License: BSD
+URL: https://pypi.python.org/pypi/XlsxWriter
+Source0: https://github.com/jmcnamara/XlsxWriter/archive/refs/tags/RELEASE_3.2.0.tar.gz#/%{name}-%{version}.tar.gz
+BuildArch: noarch
+
+%global common_desc\
+XlsxWriter is a Python module for writing files in the Excel 2007+\
+XLSX file format.\
+\
+XlsxWriter can be used to write text, numbers, formulas and hyperlinks\
+to multiple worksheets and it supports features such as formatting and\
+many more, including:\
+\
+ 100% compatible Excel XLSX files.\
+ Full formatting.\
+ Merged cells.\
+ Defined names.\
+ Charts.\
+ Autofilters.\
+ Data validation and drop down lists.\
+ Conditional formatting.\
+ Worksheet PNG/JPEG images.\
+ Rich multi-format strings.\
+ Cell comments.\
+ Integration with Pandas.\
+ Textboxes.\
+ Memory optimization mode for writing large files.\
+\
+It supports Python 2.7, 3.4+, Jython and PyPy and uses standard libraries only.
+
+%description
+%{common_desc}
+
+%package -n python3-%{pypi_name}
+Summary: Python 3 modules for writing files in the Excel 2007+ XLSX file format
+BuildRequires: python3-setuptools
+BuildRequires: python3-devel
+%{?python_provide:%python_provide python3-%{pypi_name}}
+
+%description -n python3-%{pypi_name}
+%{common_desc}
+
+%prep
+%setup -q -n %{src_name}-%{version}
+# Remove bundled egg-info
+rm -rf %{src_name}.egg-info
+
+%build
+%py3_build
+
+%install
+%py3_install
+
+%files -n python3-%{pypi_name}
+%doc README.rst
+%license LICENSE.txt
+%{python3_sitelib}/%{pypi_name}
+%{python3_sitelib}/%{src_name}-%{version}-py%{python3_version}.egg-info
+%{_bindir}/vba_extract.py
+
+%changelog
+* Wed Jun 12 2024 Alberto David Perez Guevara - 3.2.0-2
+- Initial Azure Linux import from Fedora 40 (license: MIT).
+- License verified.
+
+* Mon Feb 19 2024 Rajeesh K V - 3.2.0-1
+- New release 3.2.0
+
+* Fri Jan 26 2024 Fedora Release Engineering - 3.1.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering - 3.1.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Oct 22 2023 Rajeesh K V - 3.1.9-1
+- New release 3.1.9
+
+* Sun Oct 08 2023 Rajeesh K V - 3.1.6-1
+- New release 3.1.6
+
+* Sun Sep 10 2023 Rajeesh K V - 3.1.3-1
+- New release 3.1.3
+
+* Fri Jul 21 2023 Fedora Release Engineering - 3.1.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jun 13 2023 Python Maint - 3.1.2-2
+- Rebuilt for Python 3.12
+
+* Sun Jun 04 2023 Rajeesh K V - 3.1.2-1
+- New release 3.1.2
+
+* Sat May 27 2023 Rajeesh K V - 3.1.1-1
+- New release 3.1.1
+
+* Sat Apr 15 2023 Rajeesh K V - 3.1.0-1
+- New minor update, version 3.1.0
+
+* Sun Mar 19 2023 Rajeesh K V - 3.0.9-1
+- New minor update, version 3.0.9
+
+* Sun Feb 12 2023 Rajeesh K V - 3.0.8-1
+- New minor update, version 3.0.8
+
+* Thu Jan 26 2023 Rajeesh K V - 3.0.7-1
+- New minor update, version 3.0.7
+
+* Fri Jan 20 2023 Fedora Release Engineering - 3.0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Jan 09 2023 Rajeesh K V - 3.0.6-1
+- New minor update with serval minor fixes, version 3.0.6
+
+* Fri Jul 22 2022 Fedora Release Engineering - 3.0.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 13 2022 Python Maint - 3.0.3-2
+- Rebuilt for Python 3.11
+
+* Tue Mar 08 2022 Rajeesh K V - 3.0.3-1
+- New minor update version 3.0.3
+
+* Fri Jan 21 2022 Fedora Release Engineering - 3.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sun Nov 07 2021 Rajeesh K V - 3.0.2-1
+- New release 3.0.2
+
+* Sun Aug 15 2021 Rajeesh K V - 3.0.1-1
+- New release 3.0.1 supporting only Python 3
+
+* Sun Aug 01 2021 Rajeesh K V - 1.4.5-1
+- New release 1.4.4
+
+* Sun Jul 25 2021 Rajeesh K V - 1.4.4-1 +- New release 1.4.4 + +* Fri Jul 23 2021 Fedora Release Engineering - 1.4.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 04 2021 Python Maint - 1.4.3-2 +- Rebuilt for Python 3.10 + +* Sun May 16 2021 Rajeesh K V - 1.4.3-1 +- New release 1.4.3 + +* Sun May 09 2021 Rajeesh K V - 1.4.2-1 +- New release 1.4.2 + +* Sun Apr 25 2021 Rajeesh K V - 1.4.0-1 +- New release 1.4.0 + +* Sun Apr 18 2021 Rajeesh K V - 1.3.9-1 +- New release 1.3.9 + +* Fri Apr 02 2021 Rajeesh K V - 1.3.8-1 +- New release 1.3.8 + +* Wed Jan 27 2021 Fedora Release Engineering - 1.3.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sun Oct 18 2020 Rajeesh K V - 1.3.7-1 +- Version 1.3.7 +- Fixed issue where custom chart data labels didn’t inherit the position +- Added text alignment for textboxes + +* Sun Oct 04 2020 Rajeesh K V - 1.3.6-1 +- Version 1.3.6 +- Added the worksheet unprotect_range() method +- There are now over 1500 test cases in the test suite +- Version 1.3.5 +- Fixed issue where relative url links in images didn’t work +- Added use_zip64 as a constructor option +- Added check, and warning, for worksheet tables with no data row +- Add a warning when the string length in write_rich_string() exceeds Excel’s limit + +* Sun Sep 20 2020 Rajeesh K V - 1.3.4-1 +- Replaced internal MD5 with SHA256 digest to avoid issues on OS such as Red Hat + in FIPS mode + +* Wed Aug 26 2020 Rajeesh K V - 1.3.3-1 +- Added ignore_errors() worksheet method; Added warning when closing a file more + than once via close() + +* Tue Aug 11 2020 Rajeesh K V - 1.3.2-1 +- Added Border, Fill, Pattern and Gradient formatting to chart data labels and + chart custom data labels + +* Tue Aug 04 2020 Rajeesh K V - 1.3.1-1 +- Fix for issue where array formulas weren’t included in the output file for + certain ranges/conditions + +* Thu Jul 30 2020 Rajeesh K V - 1.3.0-1 +- Added support for custom chart custom data 
labels + +* Wed Jul 29 2020 Fedora Release Engineering - 1.2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sat May 30 2020 Rajeesh K V - 1.2.9-1 +- Added support for stacked and percent_stacked Line charts + +* Tue May 26 2020 Miro Hrončok - 1.2.8-2 +- Rebuilt for Python 3.9 + +* Sun Feb 23 2020 Rajeesh K V - 1.2.8-1 +- Fix for issue where duplicate images with hyperlinks weren’t handled correctly +- Removed ReservedWorksheetName exception which was used with the reserved worksheet name 'History' +- Fix for worksheet objects (charts, images and textboxes) that are inserted with an offset that starts in a hidden cell +- Fix to allow handling of NoneType in add_write_handler() + +* Thu Jan 30 2020 Fedora Release Engineering - 1.2.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Dec 24 2019 Rajeesh K V - 1.2.7-1 +- New version 1.2.7 +- Fix for duplicate images being copied to an XlsxWriter file +- Added documentation on Number Format Categories and Number Formats in different locales +- Added note to protect() about how it is possible to encrypt an XlsxWriter file using msoffice-crypt + +* Tue Nov 19 2019 Rajeesh K V - 1.2.6-1 +- New version 1.2.6 +- Added option to remove style from worksheet tables - 1.2.6 +- Added option to add hyperlinks to textboxes - 1.2.5 +- Added option to link textbox text from a cell - 1.2.4 +- Added option to rotate text in a textbox - 1.2.4 +- Increased allowable worksheet url length from 255 to 2079 characters - 1.2.3 +- Fixed several issues with hyperlinks in worksheet images - 1.2.3 +- Fixed Python 3.8.0 warnings - 1.2.2 + +* Mon Sep 16 2019 Rajeesh K V - 1.2.1-1 +- New version 1.2.1 +- Added the add_write_handler() method to allow user defined types to be handled by the write() method +- Add support for East Asian vertical fonts in charts + +* Sat Aug 31 2019 Rajeesh K V - 1.2.0-1 +- New version 1.2.0 +- Refactored exception handling around the workbook file close() 
method +- Added the option to allow chart fonts to be rotated to 270 degrees + +* Thu Aug 22 2019 Rajeesh K V - 1.1.9-1 +- New version 1.1.9 + +* Mon Aug 19 2019 Miro Hrončok - 1.1.8-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 1.1.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat May 18 2019 Rajeesh K V - 1.1.8-1 +- New version 1.1.8 + +* Sun Apr 21 2019 Rajeesh K V - 1.1.7-1 +- New version 1.1.7 + +* Mon Apr 08 2019 Rajeesh KV 1.1.6-1 +- Release 1.1.6, fix issues with images that started in hidden rows/columns +- and mime-type reported by system file(1) + +* Mon Mar 11 2019 Rajeesh KV 1.1.5-1 +- Release 1.1.5, initial packaging for Fedora diff --git a/cgmanifest.json b/cgmanifest.json index 33b21884d89..f3d734bc3b4 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -24968,6 +24968,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "python-xlsxwriter", + "version": "3.2.0", + "downloadUrl": "https://github.com/jmcnamara/XlsxWriter/archive/refs/tags/RELEASE_3.2.0.tar.gz" + } + } + }, { "component": { "type": "other", From a21765f7aa9c80d3846cfaa9c1225dcfad6ca0d9 Mon Sep 17 00:00:00 2001 From: Minghe Ren Date: Thu, 13 Jun 2024 14:04:29 -0700 Subject: [PATCH 07/40] Add patch for cloud init dhcp issue (#9331) Co-authored-by: minghe --- SPECS/cloud-init/cloud-init.spec | 9 +- .../dhcp_support_dhclient_unknown_121.patch | 130 ++++++++++++++++++ 2 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 SPECS/cloud-init/dhcp_support_dhclient_unknown_121.patch diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec index f06201068b4..feb1c5eeb26 100644 --- a/SPECS/cloud-init/cloud-init.spec +++ b/SPECS/cloud-init/cloud-init.spec @@ -1,7 +1,7 @@ Summary: Cloud instance init scripts Name: cloud-init Version: 23.4.3 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Azure Linux 
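Review bot: The new python-xlsxwriter.spec has no `%check` section, so the imported package is built and shipped without the upstream test suite ever running; a `%check` that runs it (for example `%pytest`, if the tarball's tests run under pytest) would catch a broken import or a bad rebuild. The header also lacks the `Vendor: Microsoft Corporation` and `Distribution: Azure Linux` tags that the other specs touched in this series carry. The `%description` text still says "It supports Python 2.7, 3.4+" although the changelog records 3.0.1 as the first release supporting only Python 3, and only a python3 subpackage is built.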
@@ -11,6 +11,8 @@ Source0: https://github.com/canonical/%{name}/archive/refs/tags/%{version Source1: 10-azure-kvp.cfg Patch0: 0001-Add-new-distro-azurelinux-for-Microsoft-Azure-Linux.patch Patch1: Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch +# Patch no longer needed for cloud-init >= 24.1 +Patch2: dhcp_support_dhclient_unknown_121.patch %define cl_services cloud-config.service cloud-config.target cloud-final.service cloud-init.service cloud-init.target cloud-init-local.service BuildRequires: automake BuildRequires: dbus @@ -144,7 +146,10 @@ make check %{?_smp_mflags} %config(noreplace) %{_sysconfdir}/cloud/cloud.cfg.d/10-azure-kvp.cfg %changelog -* Thu May 9 2024 Sharath Srikanth Chellappa - 23.4.3-2 +* Wed June 06 2024 Minghe Ren - 23.4.3-3 +- Add patch for cloud-init to support dhclient's unknown-121 option + +* Thu May 09 2024 Sharath Srikanth Chellappa - 23.4.3-2 - Add patch to add network interface renaming support for CAPM3 Met. * Mon Feb 26 2024 Dan Streetman - 23.4.3-1 diff --git a/SPECS/cloud-init/dhcp_support_dhclient_unknown_121.patch b/SPECS/cloud-init/dhcp_support_dhclient_unknown_121.patch new file mode 100644 index 00000000000..f0f493ee07b --- /dev/null +++ b/SPECS/cloud-init/dhcp_support_dhclient_unknown_121.patch 
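Review bot: The added changelog header `* Wed June 06 2024 Minghe Ren - 23.4.3-3` spells the month out and names the wrong weekday. As far as I know rpm's changelog date parser accepts only the three-letter month form, and 6 June 2024 was a Thursday (another changelog in this series dates 12 June 2024 as a Wednesday). The line should read `* Thu Jun 06 2024 Minghe Ren - 23.4.3-3`; the same hunk already normalises the older entry to `Thu May 09 2024`.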
@@ -0,0 +1,130 @@ +From 5cf6f3aee2a8af335b36cf573abf48642b94aa65 Mon Sep 17 00:00:00 2001 +From: Chris Patterson +Date: Thu, 4 Apr 2024 12:16:06 -0400 +Subject: [PATCH] dhcp: support configuring static routes for dhclient's + unknown-121 option + +Cloud-init does not configure rfc3442-classless-static-routes if dhclient isn't +patched to support them or it is not configured with: + +``` +option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; +``` + +Example lease with option configured (typical): + +lease { + interface "eth0"; + <...cut...> + option rfc3442-classless-static-routes 0,10,0,0,1,32,168,63,129,16,10,0,0,1,32,169,254,169,254,10,0,0,1; + <...cut...> +} + +Example lease without option, where it is presented as "unknown-121": + +lease { + interface "eth0"; + <...cut...> + option unknown-121 0:a:0:0:1:20:a8:3f:81:10:a:0:0:1:20:a9:fe:a9:fe:a:0:0:1; + <...cut...> +} + +The primary difference is that dhclient outputs the bytes in a +hex-encoded format and with `:` delimiter. Extend existing +parsing to support this format. 
+ +With a couple added INFO logs, here is a sample DHCP on Azure with +static routes being parsed from unknown-121 option with this patch: + +``` +2024-04-04 16:12:01,677 - ephemeral.py[DEBUG]: Received dhcp lease on eth0 for 10.0.0.11/255.255.255.0 +2024-04-04 16:12:01,677 - dhcp.py[INFO]: Parsing: '0:a:0:0:1:20:a8:3f:81:10:a:0:0:1:20:a9:fe:a9:fe:a:0:0:1' +2024-04-04 16:12:01,677 - dhcp.py[INFO]: Tokens: ['0', '10', '0', '0', '1', '32', '168', '63', '129', '16', '10', '0', '0', '1', '32', '169', '254', '169', '254', '10', '0', '0', '1'] +2024-04-04 16:12:01,677 - ephemeral.py[DEBUG]: Attempting setup of ephemeral network on eth0 with 10.0.0.11/24 brd 10.0.0.255 +2024-04-04 16:12:01,677 - subp.py[DEBUG]: Running command ['ip', '-family', 'inet', 'addr', 'add', '10.0.0.11/24', 'broadcast', '10.0.0.255', 'dev', 'eth0'] with allowed return codes [0] (shell=False, capture=True) +2024-04-04 16:12:01,679 - subp.py[DEBUG]: Running command ['ip', '-family', 'inet', 'link', 'set', 'dev', 'eth0', 'up'] with allowed return codes [0] (shell=False, capture=True) +2024-04-04 16:12:01,681 - subp.py[DEBUG]: Running command ['ip', '-4', 'route', 'append', '0.0.0.0/0', 'via', '10.0.0.1', 'dev', 'eth0'] with allowed return codes [0] (shell=False, capture=True) +2024-04-04 16:12:01,683 - subp.py[DEBUG]: Running command ['ip', '-4', 'route', 'append', '168.63.129.16/32', 'via', '10.0.0.1', 'dev', 'eth0'] with allowed return codes [0] (shell=False, capture=True) +2024-04-04 16:12:01,684 - subp.py[DEBUG]: Running command ['ip', '-4', 'route', 'append', '169.254.169.254/32', 'via', '10.0.0.1', 'dev', 'eth0'] with allowed return codes [0] (shell=False, capture=True) +2024-04-04 16:12:01,686 - handlers.py[DEBUG]: start: azure-ds/_check_if_primary: _check_if_primary +2024-04-04 16:12:01,686 - handlers.py[DEBUG]: finish: azure-ds/_check_if_primary: SUCCESS: _check_if_primary +2024-04-04 16:12:01,687 - azure.py[DEBUG]: Obtained DHCP lease on interface 'eth0' (primary=True driver='hv_netvsc' 
router='10.0.0.1' routes=[('0.0.0.0/0', '10.0.0.1'), ('168.63.129.16/32', '10.0.0.1'), ('169.254.169.254/32', '10.0.0.1')] lease={'inter +face': 'eth0', 'fixed-address': '10.0.0.11', 'server-name': 'BL24A1071918060SOC', 'subnet-mask': '255.255.255.0', 'dhcp-lease-time': '4294967295', 'routers': '10.0.0.1', 'dhcp-message-type': '5', 'domain-name-servers': '168.63.129.16', 'dhcp-server-ide +ntifier': '168.63.129.16', 'dhcp-renewal-time': '4294967295', 'unknown-121': '0:a:0:0:1:20:a8:3f:81:10:a:0:0:1:20:a9:fe:a9:fe:a:0:0:1', 'dhcp-rebinding-time': '4294967295', 'unknown-245': 'a8:3f:81:10', 'domain-name': 'fyoqc4gghleevjxtq4h4pjbded.bx.int +ernal.cloudapp.net', 'renew': '0 2160/05/11 22:40:16', 'rebind': '0 2160/05/11 22:40:16', 'expire': '0 2160/05/11 22:40:16'} imds_routed=True wireserver_routed=True) +``` + +Signed-off-by: Chris Patterson +--- + cloudinit/net/dhcp.py | 15 ++++++++++++++- + cloudinit/net/ephemeral.py | 1 + + tests/unittests/net/test_dhcp.py | 11 +++++++++++ + 3 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/cloudinit/net/dhcp.py b/cloudinit/net/dhcp.py +index 07c1339..ce1402a 100644 +--- a/cloudinit/net/dhcp.py ++++ b/cloudinit/net/dhcp.py +@@ -388,14 +388,27 @@ class IscDhclient(DhcpClient): + ("0.0.0.0/0", "192.168.128.1") + ] + ++ # unknown-121 option format ++ sr3 = parse_static_routes(\ ++ "0:a:0:0:1:20:a8:3f:81:10:a:0:0:1:20:a9:fe:a9:fe:a:0:0:1") ++ sr3 = [ ++ ("0.0.0.0/0", "10.0.0.1"), ++ ("168.63.129.16/32", "10.0.0.1"), ++ ("169.254.169.254/32", "10.0.0.1"), ++ ] ++ + Python version of isc-dhclient's hooks: + /etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes + """ + # raw strings from dhcp lease may end in semi-colon + rfc3442 = rfc3442.rstrip(";") +- tokens = [tok for tok in re.split(r"[, .]", rfc3442) if tok] ++ tokens = [tok for tok in re.split(r"[, . :]", rfc3442) if tok] + static_routes = [] + ++ # Handle unknown-121 format by converting hex to base 10. 
++ if ":" in rfc3442: ++ tokens = [str(int(tok, 16)) for tok in tokens] ++ + def _trunc_error(cidr, required, remain): + msg = ( + "RFC3442 string malformed. Current route has CIDR of %s " +diff --git a/cloudinit/net/ephemeral.py b/cloudinit/net/ephemeral.py +index 28c851c..d4a1095 100644 +--- a/cloudinit/net/ephemeral.py ++++ b/cloudinit/net/ephemeral.py +@@ -305,6 +305,7 @@ class EphemeralDHCPv4: + "static_routes": [ + "rfc3442-classless-static-routes", + "classless-static-routes", ++ "unknown-121", + ], + "router": "routers", + } +diff --git a/tests/unittests/net/test_dhcp.py b/tests/unittests/net/test_dhcp.py +index a7b6231..b75bb40 100644 +--- a/tests/unittests/net/test_dhcp.py ++++ b/tests/unittests/net/test_dhcp.py +@@ -262,6 +262,17 @@ class TestDHCPParseStaticRoutes(CiTestCase): + IscDhclient.parse_static_routes(rfc3442), + ) + ++ def test_unknown_121(self): ++ for unknown121 in [ ++ "0:a:0:0:1:20:a8:3f:81:10:a:0:0:1:20:a9:fe:a9:fe:a:0:0:1", ++ "0:a:0:0:1:20:a8:3f:81:10:a:0:0:1:20:a9:fe:a9:fe:a:0:0:1;", ++ ]: ++ assert IscDhclient.parse_static_routes(unknown121) == [ ++ ("0.0.0.0/0", "10.0.0.1"), ++ ("168.63.129.16/32", "10.0.0.1"), ++ ("169.254.169.254/32", "10.0.0.1"), ++ ] ++ + def test_parse_static_routes_default_route(self): + rfc3442 = "0,130,56,240,1" + self.assertEqual( From d751e04231792291cf859ceff9ac7ffaba8bd51d Mon Sep 17 00:00:00 2001 From: Mandeep Plaha <99760213+mandeepsplaha@users.noreply.github.com> Date: Thu, 13 Jun 2024 14:21:29 -0700 Subject: [PATCH 08/40] add oneliner to memcached dockerfile to add user (#9399) --- .pipelines/containerSourceData/memcached/Dockerfile-Memcached | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/containerSourceData/memcached/Dockerfile-Memcached b/.pipelines/containerSourceData/memcached/Dockerfile-Memcached index 26a0f496a7a..a756b4a8e57 100644 --- a/.pipelines/containerSourceData/memcached/Dockerfile-Memcached +++ b/.pipelines/containerSourceData/memcached/Dockerfile-Memcached 
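Review bot: In the backported `parse_static_routes` change, the `":"` branch runs `int(tok, 16)` over every token of a lease string that the DHCP server controls, so a non-hex token raises ValueError at the conversion, and a token such as `1ff` becomes 511 with no 0–255 check visible in the hunk. Whether the rest of the function or its callers tolerate either case cannot be seen here, because the body continues outside the hunk. I would wrap the conversion in `try:` / `except ValueError:` and take the function's existing "RFC3442 string malformed" path, and reject values above 255 at the same point. The character class `[, . :]` also lists the space twice; `[, .:]` is equivalent. Since this file is a carried copy of an upstream commit, the change belongs upstream and the spec comment already says the patch is dropped at cloud-init >= 24.1.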
@@ -7,7 +7,7 @@ FROM $BASE_IMAGE @INCLUDE_MAIN_RUN_INSTRUCTION@ -RUN useradd memcache +RUN tdnf install -y shadow-utils && useradd memcache && tdnf remove -y shadow-utils && tdnf clean all USER memcache From 3d6f28d55c7c6a78b4b41d929bdc14001e8bc05a Mon Sep 17 00:00:00 2001 From: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com> Date: Thu, 13 Jun 2024 19:12:11 -0700 Subject: [PATCH 09/40] Fix shadow-utils to reenable user groups (#9363) Change #7761 upgraded shadow-utils and took part of a change from upstream that modifies /etc/login.defs so that USERGROUPS_ENAB is set to no. This makes all users be created in the same group (in our case users) rather than created with their own group. This change undoes that, so users will once again be created with their own group with the same name as the user. --- SPECS/shadow-utils/shadow-utils.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SPECS/shadow-utils/shadow-utils.spec b/SPECS/shadow-utils/shadow-utils.spec index 00d0afa9ed0..f92866766e5 100644 --- a/SPECS/shadow-utils/shadow-utils.spec +++ b/SPECS/shadow-utils/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Programs for handling passwords in a secure way Name: shadow-utils Version: 4.14.3 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -99,9 +99,6 @@ mv -v %{buildroot}%{_bindir}/passwd %{buildroot}/bin chmod ug-s %{buildroot}/bin/passwd install -vm644 %{SOURCE12} %{buildroot}%{_sysconfdir}/default/useradd install -vm644 %{SOURCE13} %{buildroot}%{_sysconfdir}/login.defs -# Disable usergroups. Use "users" group by default (see /usr/sbin/useradd) -# for all nonroot users. -sed -i 's/USERGROUPS_ENAB.*/USERGROUPS_ENAB no/' %{buildroot}%{_sysconfdir}/login.defs ln -s useradd %{buildroot}%{_sbindir}/adduser cp etc/{limits,login.access} %{buildroot}%{_sysconfdir} for FUNCTION in FAIL_DELAY \ 
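Review bot: The new RUN line still creates `memcache` with plain `useradd` defaults, so the service account gets whatever login shell and home-directory policy /etc/default/useradd and login.defs provide. For a daemon-only container user I would make it a system account without a shell: `useradd --system --no-create-home --shell /sbin/nologin memcache` (check first that nothing depends on the current UID range). It is also worth confirming that `tdnf remove -y shadow-utils` does not leave behind dependencies pulled in by the install, since keeping the image minimal is the reason for doing both in one layer.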
@@ -184,6 +181,9 @@ rm -rf %{buildroot}/* %{_libdir}/libsubid.so %changelog +* Mon Jun 10 2024 Tobias Brick - 4.14.3-2 +- Enable user groups for useradd + * Fri Feb 09 2024 CBL-Mariner Servicing Account - 4.14.3-1 - Auto-upgrade to 4.14.3 - 3.0 Upgrade - Remove obsolete patches and fix configure command From 7791dfe5307b2dd0e77054b9edcd1ad974771eea Mon Sep 17 00:00:00 2001 From: Christopher Co <35273088+christopherco@users.noreply.github.com> Date: Fri, 14 Jun 2024 09:40:24 -0700 Subject: [PATCH 10/40] systemd: disable llmnr by default (#9396) LLMNR poisoning is a MitM attack used to capture credential material by tampering with LLMNR request and response messages. To prevent LLMNR poisoning, disable LLMNR in systemd. LLMNR is actively being phased out in favor of mDNS. Signed-off-by: Chris Co --- SPECS/systemd/systemd.spec | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index d0c204c376a..166b671866c 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec @@ -50,7 +50,7 @@ Version: 255 # determine the build information from local checkout Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') %endif -Release: 13%{?dist} +Release: 14%{?dist} # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore %global stable 1 @@ -707,7 +707,12 @@ CONFIGURE_OPTS=( -Ddefault-dns-over-tls=no # https://bugzilla.redhat.com/show_bug.cgi?id=1867830 -Ddefault-mdns=no +%if 0%{?azl} + # By default, disable llmnr to prevent llmnr poisoning MitM attacks + -Ddefault-llmnr=no +%else -Ddefault-llmnr=resolve +%endif # https://bugzilla.redhat.com/show_bug.cgi?id=2028169 -Dstatus-unit-format-default=combined # https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer 
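Review bot: `-Ddefault-llmnr=no` changes only the compiled-in default, so a host that already sets `LLMNR=yes` or `LLMNR=resolve` in resolved.conf, a drop-in, or a per-link .network file keeps LLMNR enabled after this update. The comment in CONFIGURE_OPTS and the changelog line should say so, for example `# Build-time default only; an explicit LLMNR= in resolved.conf or per-link config still overrides it`. Running `resolvectl llmnr` after the update shows the effective per-link state.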
@@ -1197,6 +1202,9 @@ rm -f %{name}.lang # %autochangelog. So we need to continue manually maintaining the # changelog here. %changelog +* Thu Jun 13 2024 Chris Co - 255-14 +- Disable LLMNR by default to prevent LLMNR poisoning MitM attacks + * Thu May 02 2024 Rachel Menge - 255-13 - Supply 10-console-messages.conf sysctl to lower the default kernel messages to the console From c50d4af5d86bf836f5b680aefa6f35dce31414f6 Mon Sep 17 00:00:00 2001 From: George Mileka Date: Fri, 14 Jun 2024 10:56:59 -0700 Subject: [PATCH 11/40] [grub] Disable code optimization for ip frame checksum calculation. (#9391) --- .../grub2-efi-binary-signed.spec | 5 ++++- SPECS/grub2/disable-checksum-code-optimization.patch | 12 ++++++++++++ SPECS/grub2/grub2.spec | 9 ++++++++- 3 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 SPECS/grub2/disable-checksum-code-optimization.patch diff --git a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec index c7f1b7b1acc..abce26d0b52 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec @@ -12,7 +12,7 @@ Summary: Signed GRand Unified Bootloader for %{buildarch} systems Name: grub2-efi-binary-signed-%{buildarch} Version: 2.06 -Release: 18%{?dist} +Release: 19%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -79,6 +79,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname} /boot/efi/EFI/BOOT/%{grubpxeefiname} %changelog +* Wed Jun 12 2024 George Mileka - 2.06-19 +- disable code optimization for ip checksum calculation + * Mon Apr 15 2024 Dan Streetman - 2.06-18 - update grub to sbat 4 diff --git a/SPECS/grub2/disable-checksum-code-optimization.patch b/SPECS/grub2/disable-checksum-code-optimization.patch new file mode 100644 index 00000000000..d672ab61698 --- /dev/null 
+++ b/SPECS/grub2/disable-checksum-code-optimization.patch @@ -0,0 +1,12 @@ +diff -ruN grub-2.06-ori/grub-core/net/ip.c grub-2.06/grub-core/net/ip.c +--- grub-2.06-ori/grub-core/net/ip.c 2024-06-07 15:02:36.073464745 -0700 ++++ grub-2.06/grub-core/net/ip.c 2024-06-12 19:02:51.293389116 -0700 +@@ -94,7 +94,7 @@ + static struct reassemble *reassembles; + + grub_uint16_t +-grub_net_ip_chksum (void *ipv, grub_size_t len) ++__attribute__((optimize("O0"))) grub_net_ip_chksum (void *ipv, grub_size_t len) + { + grub_uint16_t *ip = (grub_uint16_t *) ipv; + grub_uint32_t sum = 0; diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec index 192859b4db5..909d2ef104c 100644 --- a/SPECS/grub2/grub2.spec +++ b/SPECS/grub2/grub2.spec @@ -6,7 +6,7 @@ Summary: GRand Unified Bootloader Name: grub2 Version: 2.06 -Release: 18%{?dist} +Release: 19%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -103,6 +103,10 @@ Patch: sbat-4-0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri Patch: sbat-4-0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch Patch: sbat-4-0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch Patch: sbat-4-0006-fs-ntfs-Make-code-more-readable.patch +# The Azure Linux team created this patch since the gcc version in use at the +# time optimizes the code incorrectly, leading to network traffic getting +# dropped in scenarios like PXE booting. +Patch: disable-checksum-code-optimization.patch BuildRequires: autoconf BuildRequires: device-mapper-devel BuildRequires: python3 @@ -440,6 +444,9 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME %config(noreplace) %{_sysconfdir}/grub.d/41_custom %changelog +* Wed Jun 12 2024 George Mileka - 2.06-19 +- disable code optimization for ip checksum calculation + * Mon Apr 15 2024 Dan Streetman - 2.06-18 - update grub to sbat 4 From 4994e489cf6582c3f1a8eeaadecb6bd41f8a2d0d Mon Sep 17 00:00:00 2001 
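Review bot: The `__attribute__((optimize("O0")))` on `grub_net_ip_chksum` hides the miscompile instead of recording or removing its cause, and GCC's own documentation describes the `optimize` attribute as a debugging aid rather than something for production code. The visible lines read the packet through `(grub_uint16_t *) ipv`, which may be where the optimiser goes wrong (aliasing or alignment), but the loop is outside the hunk so that is unconfirmed. The spec comment says only "the gcc version in use at the time"; it should name the version and a tracking bug so the workaround can be retested and dropped, e.g. `# Workaround for a miscompile with gcc <gcc-version>, see <tracking-bug-url>; retest on toolchain upgrade`. Because this function validates IP checksums on the PXE path, a regression test for it would be worth adding alongside.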
From: Sam Meluch <109628994+sameluch@users.noreply.github.com> Date: Fri, 14 Jun 2024 11:54:09 -0700 Subject: [PATCH 12/40] Test Fix for Package annobin (#9406) --- SPECS/annobin/annobin.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/SPECS/annobin/annobin.spec b/SPECS/annobin/annobin.spec index 0b5ae36b0db..53fee070300 100644 --- a/SPECS/annobin/annobin.spec +++ b/SPECS/annobin/annobin.spec @@ -19,13 +19,14 @@ Summary: Binary annotation plugin for GCC Name: annobin Version: 12.49 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL-3.0-or-later AND LGPL-2.0-or-later AND (GPL-2.0-or-later WITH GCC-exception-2.0) AND (LGPL-2.0-or-later WITH GCC-exception-2.0) AND GFDL-1.3-or-later Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://sourceware.org/annobin/ Source: https://nickc.fedorapeople.org/%{annobin_sources} Requires: %{name}-plugin-clang + # Insert patches here, if needed. Eg: # Patch01: annobin-plugin-default-string-notes.patch #--------------------------------------------------------------------------------- @@ -236,7 +237,7 @@ touch doc/annobin.info #--------------------------------------------------------------------------------- %build -CONFIG_ARGS="$CONFIG_ARGS --quiet --with-debuginfod --with-clang --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} --with-llvm" +CONFIG_ARGS="$CONFIG_ARGS --quiet --without-debuginfod --with-clang --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR} --with-llvm" export CFLAGS="$CFLAGS -DAARCH64_BRANCH_PROTECTION_SUPPORTED=1" @@ -352,6 +353,10 @@ make check || ( cat tests/test-suite.log; false ) #--------------------------------------------------------------------------------- %changelog +* Thu Jun 13 2024 Sam Meluch - 12.40-2 +- build package --without-debuginfod +- fix package tests + * Fri Mar 08 2024 Mykhailo Bykhovtsev - 12.40-1 - Promoted package from extended to core - Upgraded to 12.49 From 77b17181ac3a194d6f0bfc822dc14e888a0a29b7 Mon Sep 17 00:00:00 2001 
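Review bot: The changelog entry added here is labelled `12.40-2`, but the spec's `Version:` is 12.49 and this commit bumps `Release:` to 2, so it should read `12.49-2` (the entry below it carries the same 12.40 typo next to "Upgraded to 12.49"). Separately, replacing `--with-debuginfod` with `--without-debuginfod` in CONFIG_ARGS changes what is built and shipped, not only the test run. If the goal is just to get `%check` passing, a one-line comment above CONFIG_ARGS stating why debuginfod support is dropped would tell the next maintainer when it can be restored.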
From: Sam Meluch <109628994+sameluch@users.noreply.github.com> Date: Fri, 14 Jun 2024 14:56:17 -0700 Subject: [PATCH 13/40] Test Fix for Package brotli (#9409) --- SPECS/brotli/brotli.spec | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/SPECS/brotli/brotli.spec b/SPECS/brotli/brotli.spec index 29e6bb78f6d..6cc0f2291c8 100644 --- a/SPECS/brotli/brotli.spec +++ b/SPECS/brotli/brotli.spec @@ -1,7 +1,7 @@ Summary: Lossless compression algorithm Name: brotli Version: 1.1.0 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -78,10 +78,7 @@ done %postun -p /sbin/ldconfig %check -make test -test_result=$? -make clean -[[ $test_result -eq 0 ]] +%ctest %files %{_bindir}/brotli @@ -113,6 +110,9 @@ make clean %{_mandir}/man3/constants.h.3brotli* %changelog +* Fri Jun 14 2024 Sam Meluch - 1.1.0-2 +- fix package tests + * Wed Dec 13 2023 Andrew Phelps - 1.1.0-1 - Upgrade to version 1.1.0 From daea85da1469205fbf0af4587cc1f94f68dde70a Mon Sep 17 00:00:00 2001 From: Sam Meluch <109628994+sameluch@users.noreply.github.com> Date: Fri, 14 Jun 2024 14:56:48 -0700 Subject: [PATCH 14/40] Upgrade babel to Version 2.15.0 to Fix Package Tests (#9408) --- SPECS/babel/babel.signatures.json | 2 +- SPECS/babel/babel.spec | 16 +++++++++++----- cgmanifest.json | 4 ++-- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/SPECS/babel/babel.signatures.json b/SPECS/babel/babel.signatures.json index 7264a5a8829..642ce9cfdc6 100644 --- a/SPECS/babel/babel.signatures.json +++ b/SPECS/babel/babel.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "Babel-2.12.1.tar.gz": "cc2d99999cd01d44420ae725a21c9e3711b3aadc7976d6147f622d8581963455" + "babel-2.15.0.tar.gz": "8daf0e265d05768bc6c7a314cf1321e9a123afc328cc635c18622a2f30a04413" } } diff --git a/SPECS/babel/babel.spec b/SPECS/babel/babel.spec index 0e9072bf358..4cb048c34f3 100644 --- a/SPECS/babel/babel.spec +++ b/SPECS/babel/babel.spec 
@@ -1,13 +1,13 @@ Summary: An integrated collection of utilities that assist in internationalizing and localizing Python applications Name: babel -Version: 2.12.1 +Version: 2.15.0 Release: 1%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Languages/Python URL: https://babel.pocoo.org -Source0: https://files.pythonhosted.org/packages/ba/42/54426ba5d7aeebde9f4aaba9884596eb2fe02b413ad77d62ef0b0422e205/Babel-%{version}.tar.gz +Source0: https://files.pythonhosted.org/packages/15/d2/9671b93d623300f0aef82cde40e25357f11330bdde91743891b22a555bed/%{name}-%{version}.tar.gz BuildRequires: python3-devel BuildRequires: python3-pytest BuildRequires: python3-pytz @@ -19,6 +19,8 @@ BuildRequires: openssl-devel BuildRequires: python3-attrs BuildRequires: python3-pip BuildRequires: python3-six +BuildRequires: python3-pytest +BuildRequires: python3-pluggy %endif Requires: python3 Requires: python3-pytz @@ -34,7 +36,7 @@ The functionality Babel provides for internationalization (I18n) and localizatio 2.A Python interface to the CLDR (Common Locale Data Repository), providing access to various locale display names, localized number and date formatting, etc. %prep -%autosetup -n Babel-%{version} +%autosetup -n babel-%{version} %build %py3_build @@ -44,8 +46,8 @@ The functionality Babel provides for internationalization (I18n) and localizatio ln -sfv pybabel %{buildroot}/%{_bindir}/pybabel3 %check -pip3 install pytest freezegun funcsigs pathlib2 pluggy utils -%{python3} setup.py test +pip3 install freezegun funcsigs pathlib2 utils iniconfig +%pytest %files %defattr(-,root,root,-) @@ -55,6 +57,10 @@ pip3 install pytest freezegun funcsigs pathlib2 pluggy utils %{python3_sitelib}/* %changelog +* Fri Jun 14 2024 Sam Meluch - 2.15.0-1 +- fix package tests +- upgrade to 2.15.0 for python 3.12 support + * Thu Nov 02 2023 CBL-Mariner Servicing Account - 2.12.1-1 - Auto-upgrade to 2.12.1 - Azure Linux 3.0 - package upgrades 
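Review bot: The rewritten `%check` line `pip3 install freezegun funcsigs pathlib2 utils iniconfig` still installs from the network with no version pins or hashes, so every build downloads and runs whatever the index serves for those names at that moment. That makes the test result non-reproducible and puts unverified third-party code in the build environment; short generic names such as `utils` deserve particular scrutiny. Where the distribution packages a dependency, use `BuildRequires:` as this commit already does for `python3-pluggy`; for the rest, pin exact versions and verify them, e.g. `pip3 install --require-hashes -r <pinned-requirements-file>` with that file carried as a spec source. The added `BuildRequires: python3-pytest` before `%endif` also appears to duplicate the one in the first hunk's context; confirm whether both are needed.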
diff --git a/cgmanifest.json b/cgmanifest.json index f3d734bc3b4..ce17d6e35f4 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -895,8 +895,8 @@ "type": "other", "other": { "name": "babel", - "version": "2.12.1", - "downloadUrl": "https://files.pythonhosted.org/packages/ba/42/54426ba5d7aeebde9f4aaba9884596eb2fe02b413ad77d62ef0b0422e205/Babel-2.12.1.tar.gz" + "version": "2.15.0", + "downloadUrl": "https://files.pythonhosted.org/packages/15/d2/9671b93d623300f0aef82cde40e25357f11330bdde91743891b22a555bed/babel-2.15.0.tar.gz" } } }, From c687f6d1262ede607e49e50d4b9cc7b6a857cbf6 Mon Sep 17 00:00:00 2001 From: sharath-srikanth-chellappa <115591284+sharath-srikanth-chellappa@users.noreply.github.com> Date: Fri, 14 Jun 2024 16:46:53 -0700 Subject: [PATCH 15/40] Changes to kubevirt, multus to build container images on 3.0 (#9412) Co-authored-by: Sharath Srikanth Chellappa --- .../kubevirt/Dockerfile-kubevirt-virt-launcher | 5 ----- .pipelines/containerSourceData/kubevirt/virt-launcher.pkg | 1 + .pipelines/containerSourceData/multus/Dockerfile-Multus | 5 ++--- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-launcher b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-launcher index 18f51d905ad..16d29e35b28 100644 --- a/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-launcher +++ b/.pipelines/containerSourceData/kubevirt/Dockerfile-kubevirt-virt-launcher @@ -7,11 +7,6 @@ FROM $BASE_IMAGE @INCLUDE_MAIN_RUN_INSTRUCTION@ -# XXX Once edk2 is moved to SPECS this will not be needed -RUN tdnf -y install azurelinux-repos-extended.noarch \ - && tdnf -y install edk2-ovmf \ - && tdnf clean all - # Setup permissions and capabilities for non-root VMIs. KubeVirt sets # XDG_* directories to /var/run. RUN cd /var && rm -rf run && ln -s ../run . \ 
diff --git a/.pipelines/containerSourceData/kubevirt/virt-launcher.pkg b/.pipelines/containerSourceData/kubevirt/virt-launcher.pkg index d6cfdfdef22..11775c0ba0e 100644 --- a/.pipelines/containerSourceData/kubevirt/virt-launcher.pkg +++ b/.pipelines/containerSourceData/kubevirt/virt-launcher.pkg @@ -1,5 +1,6 @@ augeas ca-certificates +edk2-ovmf iptables kubevirt-container-disk kubevirt-virt-launcher diff --git a/.pipelines/containerSourceData/multus/Dockerfile-Multus b/.pipelines/containerSourceData/multus/Dockerfile-Multus index 1f379ffaddb..4b52a3fbd75 100644 --- a/.pipelines/containerSourceData/multus/Dockerfile-Multus +++ b/.pipelines/containerSourceData/multus/Dockerfile-Multus @@ -11,7 +11,6 @@ RUN ln -s /usr/bin/python3 /usr/bin/python RUN mkdir -p /usr/src/multus-cni/bin \ && cp /usr/bin/multus /usr/src/multus-cni/bin/ \ - && cp /usr/bin/install_multus /install_multus \ - && cp /usr/bin/thin_entrypoint /thin_entrypoint + && cp /usr/bin/multus-entrypoint /multus-entrypoint -ENTRYPOINT [ "/thin_entrypoint" ] +ENTRYPOINT [ "/multus-entrypoint" ] From 640ece28fe73092c845d29b6dcbc28b6c34300b0 Mon Sep 17 00:00:00 2001 From: Alberto Perez Date: Fri, 14 Jun 2024 19:17:53 -0500 Subject: [PATCH 16/40] xlsxwriter build issue (#9411) --- SPECS/python-xlsxwriter/python-xlsxwriter.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/SPECS/python-xlsxwriter/python-xlsxwriter.spec b/SPECS/python-xlsxwriter/python-xlsxwriter.spec index abeb54f78df..37a4b5b7f70 100644 --- a/SPECS/python-xlsxwriter/python-xlsxwriter.spec +++ b/SPECS/python-xlsxwriter/python-xlsxwriter.spec 
@@ -3,9 +3,10 @@ Name: python-%{pypi_name} Version: 3.2.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Python module for writing files in the Excel 2007+ XLSX file format License: BSD +Vendor: Microsoft Corporation URL: https://pypi.python.org/pypi/XlsxWriter Source0: https://github.com/jmcnamara/XlsxWriter/archive/refs/tags/RELEASE_3.2.0.tar.gz#/%{name}-%{version}.tar.gz BuildArch: noarch @@ -48,7 +49,7 @@ BuildRequires: python3-devel %{common_desc} %prep -%setup -q -n %{src_name}-%{version} +%setup -q -n %{src_name}-RELEASE_%{version} # Remove bundled egg-info rm -rf %{src_name}.egg-info @@ -66,6 +67,9 @@ rm -rf %{src_name}.egg-info %{_bindir}/vba_extract.py %changelog +* Fri Jun 14 2024 Alberto David Perez Guevara - 3.2.0-3 +- Build step correction + * Wed Jun 12 2024 Alberto David Perez Guevara - 3.2.0-2 - Initial Azure Linux import from Fedora 40 (license: MIT). - License verified. From 6fda93c24e708bfd16c22d11160b6270b861c7f7 Mon Sep 17 00:00:00 2001 From: Nick Samson Date: Fri, 14 Jun 2024 18:11:21 -0700 Subject: [PATCH 17/40] [3.0-dev] Patch CVE-2024-5564 in libndp (#9414) Co-authored-by: Nick Samson --- SPECS/libndp/CVE-2024-5564.patch | 44 ++++++++++++++++++++++++++++++++ SPECS/libndp/libndp.spec | 8 ++++-- 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 SPECS/libndp/CVE-2024-5564.patch diff --git a/SPECS/libndp/CVE-2024-5564.patch b/SPECS/libndp/CVE-2024-5564.patch new file mode 100644 index 00000000000..15c9129cda1 --- /dev/null +++ b/SPECS/libndp/CVE-2024-5564.patch 
@@ -0,0 +1,44 @@ +From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Wed, 5 Jun 2024 11:57:43 +0800 +Subject: [PATCH] libndp: valid route information option length + +RFC 4191 specifies that the Route Information Option Length should be 1, 2, +or 3, depending on the Prefix Length. A malicious node could potentially +trigger a buffer overflow and crash the tool by sending an IPv6 router +advertisement message containing the "Route Information" option with a +"Length" field larger than 3. + +To address this, add a check on the length field. + +Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)") +Reported-by: Evgeny Vereshchagin +Suggested-by: Felix Maurer +Signed-off-by: Hangbin Liu +Signed-off-by: Jiri Pirko +--- + libndp/libndp.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libndp/libndp.c b/libndp/libndp.c +index 6314717..72ec92e 100644 +--- a/libndp/libndp.c ++++ b/libndp/libndp.c +@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data) + */ + if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2) + return false; ++ ++ /* The Length field is 1, 2, or 3 depending on the Prefix Length. ++ * If Prefix Length is greater than 64, then Length must be 3. ++ * If Prefix Length is greater than 0, then Length must be 2 or 3. ++ * If Prefix Length is zero, then Length must be 1, 2, or 3. ++ */ ++ if (ri->nd_opt_ri_len > 3 || ++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) || ++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1)) ++ return false; ++ + return true; + } + diff --git a/SPECS/libndp/libndp.spec b/SPECS/libndp/libndp.spec index a9153f20d09..15456dc8886 100644 --- a/SPECS/libndp/libndp.spec +++ b/SPECS/libndp/libndp.spec 
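Review bot: The added condition in `ndp_msg_opt_route_check_valid` bounds `nd_opt_ri_len` but puts no upper limit on `nd_opt_ri_prefix_len`, so a Route Information option with Length 3 and a prefix length above 128 still passes validation. RFC 4191 defines Prefix Length as 0 to 128; unless that range is enforced elsewhere in libndp (not visible in this hunk), adding `ri->nd_opt_ri_prefix_len > 128 ||` as the first term of the new `if` would reject such options before callers see the value. Because this file is a verbatim backport of an upstream commit, the extra term is better proposed upstream and carried as a separate patch than edited into this one. The function starts outside the embedded hunk, so earlier checks in it are not visible here.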
@@ -1,13 +1,14 @@ Summary: Library for Neighbor Discovery Protocol Name: libndp Version: 1.8 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux Group: System Environment/Libraries URL: http://www.libndp.org/ Source: http://www.libndp.org/files/%{name}-%{version}.tar.gz +Patch0: CVE-2024-5564.patch %description This package contains a library which provides a wrapper @@ -22,7 +23,7 @@ Requires: libndp Headers and libraries for the libndp. %prep -%setup -q +%autosetup -p1 %build %configure --disable-static @@ -48,6 +49,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/pkgconfig/*.pc %changelog +* Fri Jun 14 2024 Nick Samson - 1.8-2 +- Patch CVE-2024-5564 + * Tue Jan 11 2022 Henry Li - 1.8-1 - Upgrade to version 1.8 - Remove calling autogen, which does not exist in latest version From 26d9bca561c40a7f8cc4d76401333600e214ebca Mon Sep 17 00:00:00 2001 
From: Gary Swalling <31018813+gjswalling@users.noreply.github.com> Date: Sat, 15 Jun 2024 20:49:01 -0700 Subject: [PATCH 18/40] Upgrade grub2 from 2.06 to 2.12 (#9407) --- .../grub2-efi-binary-signed.spec | 7 +- ...d-support-for-Linux-EFI-stub-loading.patch | 983 --------- SPECS/grub2/0002-Rework-linux-command.patch | 109 - SPECS/grub2/0003-Rework-linux16-command.patch | 99 - ...ecureboot-support-on-efi-chainloader.patch | 1382 ------------ ...loaders-that-link-in-efi-mode-honor-.patch | 390 ---- ...rch-64-on-32-boot-in-linuxefi-loader.patch | 264 --- ...-hex-hex-straight-through-unmolested.patch | 173 -- ...f-man-pages-with-slightly-nicer-ones.patch | 1959 ----------------- ...fo-pages-say-grub2-where-appropriate.patch | 1014 --------- ...-calibration-not-take-51-seconds-to-.patch | 211 -- ...04-Rework-how-the-fdt-command-builds.patch | 118 - ...tter-locations-for-kernel-and-initrd.patch | 196 -- ...ce-buffers-for-reading-to-addresses-.patch | 101 - ...-arrange-grub_cmd_linux-a-little-bit.patch | 133 -- ...e-our-own-allocator-for-kernel-stuff.patch | 258 --- ...itrd-params-cmdline-allocations-abov.patch | 171 -- ...se-address-before-jumping-to-the-PE-.patch | 62 - ...ate-TPM-measurement-errors-to-the-ve.patch | 62 - ...maximum-bounce-buffer-size-to-16-MiB.patch | 40 - ...integer-overflows-in-grub_cmd_initrd.patch | 49 - ...rnel-validation-without-shim-protoco.patch | 130 -- ...ll-disable-support-for-EFI-platforms.patch | 120 - .../0167-restore-umask-for-grub-config.patch | 41 - .../0170-fix-memory-alloc-errno-reset.patch | 27 - ...hainloader-Simplify-the-loader-state.patch | 320 --- ...ot-Add-API-to-pass-context-to-loader.patch | 161 -- ...i-chainloader-Use-grub_loader_set_ex.patch | 146 -- ...ct-non-kernel-files-in-the-shim_lock.patch | 103 - ...-leak-device_name-on-error-in-grub_f.patch | 41 - ...g-Abort-sooner-if-a-read-operation-f.patch | 200 -- ...g-Refuse-to-handle-multiple-image-he.patch | 30 - ...g-Drop-greyscale-support-to-fix-heap.patch | 171 -- 
...g-Avoid-heap-OOB-R-W-inserting-huff-.patch | 42 - ...-png-Sanity-check-some-huffman-codes.patch | 42 - ...eg-Abort-sooner-if-a-read-operation-.patch | 257 --- ...eg-Do-not-reallocate-a-given-huff-ta.patch | 31 - ...eg-Refuse-to-handle-multiple-start-o.patch | 46 - ...eg-Block-int-underflow-wild-pointer-.patch | 76 - ...ix-array-out-of-bounds-formatting-un.patch | 36 - ...8-net-ip-Do-IP-fragment-maths-safely.patch | 54 - ...ff-Block-overly-large-netbuff-allocs.patch | 55 - ...le-free-addresses-on-corrupt-DNS-res.patch | 58 - ...ad-past-the-end-of-the-string-we-re-.patch | 74 - ...-a-UAF-and-double-free-from-a-failed.patch | 114 - .../0193-net-tftp-Avoid-a-trivial-UAF.patch | 37 - ...tear-down-socket-if-it-s-already-bee.patch | 44 - ...Fix-OOB-write-for-split-http-headers.patch | 48 - ...or-out-on-headers-with-LF-without-CR.patch | 50 - ...ead-past-the-end-of-nat-journal-entr.patch | 74 - ...-not-read-past-the-end-of-nat-bitmap.patch | 134 -- ...ot-copy-file-names-that-are-too-long.patch | 40 - ...eral-fuzz-issues-with-invalid-dir-it.patch | 79 - ...e-ASAN-and-SEGV-issues-found-with-fu.patch | 136 -- ...x-more-fuzz-issues-related-to-chunks.patch | 78 - SPECS/grub2/CVE-2020-10713.nopatch | 0 SPECS/grub2/CVE-2020-14308.nopatch | 0 SPECS/grub2/CVE-2020-14309.nopatch | 0 SPECS/grub2/CVE-2020-14310.nopatch | 0 SPECS/grub2/CVE-2020-14311.nopatch | 0 SPECS/grub2/CVE-2020-14372.nopatch | 0 SPECS/grub2/CVE-2020-25632.nopatch | 0 SPECS/grub2/CVE-2020-25647.nopatch | 0 SPECS/grub2/CVE-2020-27749.nopatch | 0 SPECS/grub2/CVE-2020-27779.nopatch | 0 SPECS/grub2/CVE-2021-20225.nopatch | 0 SPECS/grub2/CVE-2021-20233.nopatch | 0 SPECS/grub2/CVE-2021-3418.nopatch | 0 SPECS/grub2/CVE-2022-2601.patch | 197 -- SPECS/grub2/CVE-2022-3775.patch | 91 - SPECS/grub2/grub2.signatures.json | 4 +- SPECS/grub2/grub2.spec | 108 +- ...hs-exceeds-font-max_glyph_width-or-f.patch | 33 - ...0004-font-Remove-grub_font_dup_glyph.patch | 42 - ...nteger-overflow-in-ensure_comb_space.patch | 48 - 
...nt-Fix-integer-overflow-in-BMP-index.patch | 65 - ...-underflow-in-binary-search-of-char-.patch | 86 - ...b-Enforce-verification-of-font-files.patch | 54 - ...t-3-0009-fbutil-Fix-integer-overflow.patch | 85 - ..._font_blit_glyph-and-grub_font_blit_.patch | 75 - ...l_font-to-glyphs-in-ascii_font_glyph.patch | 36 - ...ix-an-integer-overflow-in-grub_unico.patch | 55 - ...OB-write-when-parsing-the-ATTRIBUTE_.patch | 93 - ...OB-read-when-reading-data-from-the-r.patch | 58 - ...OB-read-when-parsing-directory-entri.patch | 73 - ...OB-read-when-parsing-bitmaps-for-ind.patch | 51 - ...OOB-read-when-parsing-a-volume-label.patch | 61 - ...0006-fs-ntfs-Make-code-more-readable.patch | 159 -- cgmanifest.json | 4 +- 89 files changed, 21 insertions(+), 12333 deletions(-) delete mode 100644 SPECS/grub2/0001-Add-support-for-Linux-EFI-stub-loading.patch delete mode 100644 SPECS/grub2/0002-Rework-linux-command.patch delete mode 100644 SPECS/grub2/0003-Rework-linux16-command.patch delete mode 100644 SPECS/grub2/0004-Add-secureboot-support-on-efi-chainloader.patch delete mode 100644 SPECS/grub2/0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch delete mode 100644 SPECS/grub2/0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch delete mode 100644 SPECS/grub2/0017-Pass-x-hex-hex-straight-through-unmolested.patch delete mode 100644 SPECS/grub2/0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch delete mode 100644 SPECS/grub2/0052-Make-our-info-pages-say-grub2-where-appropriate.patch delete mode 100644 SPECS/grub2/0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch delete mode 100644 SPECS/grub2/0104-Rework-how-the-fdt-command-builds.patch delete mode 100644 SPECS/grub2/0112-Try-to-pick-better-locations-for-kernel-and-initrd.patch delete mode 100644 SPECS/grub2/0115-x86-efi-Use-bounce-buffers-for-reading-to-addresses-.patch delete mode 100644 SPECS/grub2/0116-x86-efi-Re-arrange-grub_cmd_linux-a-little-bit.patch delete mode 100644 
SPECS/grub2/0117-x86-efi-Make-our-own-allocator-for-kernel-stuff.patch delete mode 100644 SPECS/grub2/0118-x86-efi-Allow-initrd-params-cmdline-allocations-abov.patch delete mode 100644 SPECS/grub2/0148-efi-Set-image-base-address-before-jumping-to-the-PE-.patch delete mode 100644 SPECS/grub2/0149-tpm-Don-t-propagate-TPM-measurement-errors-to-the-ve.patch delete mode 100644 SPECS/grub2/0150-x86-efi-Reduce-maximum-bounce-buffer-size-to-16-MiB.patch delete mode 100644 SPECS/grub2/0156-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch delete mode 100644 SPECS/grub2/0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch delete mode 100644 SPECS/grub2/0166-grub-install-disable-support-for-EFI-platforms.patch delete mode 100644 SPECS/grub2/0167-restore-umask-for-grub-config.patch delete mode 100644 SPECS/grub2/0170-fix-memory-alloc-errno-reset.patch delete mode 100644 SPECS/grub2/0173-loader-efi-chainloader-Simplify-the-loader-state.patch delete mode 100644 SPECS/grub2/0174-commands-boot-Add-API-to-pass-context-to-loader.patch delete mode 100644 SPECS/grub2/0175-loader-efi-chainloader-Use-grub_loader_set_ex.patch delete mode 100644 SPECS/grub2/0176-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch delete mode 100644 SPECS/grub2/0177-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch delete mode 100644 SPECS/grub2/0178-video-readers-png-Abort-sooner-if-a-read-operation-f.patch delete mode 100644 SPECS/grub2/0179-video-readers-png-Refuse-to-handle-multiple-image-he.patch delete mode 100644 SPECS/grub2/0180-video-readers-png-Drop-greyscale-support-to-fix-heap.patch delete mode 100644 SPECS/grub2/0181-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch delete mode 100644 SPECS/grub2/0182-video-readers-png-Sanity-check-some-huffman-codes.patch delete mode 100644 SPECS/grub2/0183-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch delete mode 100644 SPECS/grub2/0184-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch delete 
mode 100644 SPECS/grub2/0185-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch delete mode 100644 SPECS/grub2/0186-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch delete mode 100644 SPECS/grub2/0187-normal-charset-Fix-array-out-of-bounds-formatting-un.patch delete mode 100644 SPECS/grub2/0188-net-ip-Do-IP-fragment-maths-safely.patch delete mode 100644 SPECS/grub2/0189-net-netbuff-Block-overly-large-netbuff-allocs.patch delete mode 100644 SPECS/grub2/0190-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch delete mode 100644 SPECS/grub2/0191-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch delete mode 100644 SPECS/grub2/0192-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch delete mode 100644 SPECS/grub2/0193-net-tftp-Avoid-a-trivial-UAF.patch delete mode 100644 SPECS/grub2/0194-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch delete mode 100644 SPECS/grub2/0195-net-http-Fix-OOB-write-for-split-http-headers.patch delete mode 100644 SPECS/grub2/0196-net-http-Error-out-on-headers-with-LF-without-CR.patch delete mode 100644 SPECS/grub2/0197-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch delete mode 100644 SPECS/grub2/0198-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch delete mode 100644 SPECS/grub2/0199-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch delete mode 100644 SPECS/grub2/0200-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch delete mode 100644 SPECS/grub2/0201-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch delete mode 100644 SPECS/grub2/0202-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch delete mode 100644 SPECS/grub2/CVE-2020-10713.nopatch delete mode 100644 SPECS/grub2/CVE-2020-14308.nopatch delete mode 100644 SPECS/grub2/CVE-2020-14309.nopatch delete mode 100644 SPECS/grub2/CVE-2020-14310.nopatch delete mode 100644 SPECS/grub2/CVE-2020-14311.nopatch delete mode 100644 SPECS/grub2/CVE-2020-14372.nopatch delete mode 100644 
SPECS/grub2/CVE-2020-25632.nopatch delete mode 100644 SPECS/grub2/CVE-2020-25647.nopatch delete mode 100644 SPECS/grub2/CVE-2020-27749.nopatch delete mode 100644 SPECS/grub2/CVE-2020-27779.nopatch delete mode 100644 SPECS/grub2/CVE-2021-20225.nopatch delete mode 100644 SPECS/grub2/CVE-2021-20233.nopatch delete mode 100644 SPECS/grub2/CVE-2021-3418.nopatch delete mode 100644 SPECS/grub2/CVE-2022-2601.patch delete mode 100644 SPECS/grub2/CVE-2022-3775.patch delete mode 100644 SPECS/grub2/sbat-3-0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch delete mode 100644 SPECS/grub2/sbat-3-0004-font-Remove-grub_font_dup_glyph.patch delete mode 100644 SPECS/grub2/sbat-3-0005-font-Fix-integer-overflow-in-ensure_comb_space.patch delete mode 100644 SPECS/grub2/sbat-3-0006-font-Fix-integer-overflow-in-BMP-index.patch delete mode 100644 SPECS/grub2/sbat-3-0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch delete mode 100644 SPECS/grub2/sbat-3-0008-kern-efi-sb-Enforce-verification-of-font-files.patch delete mode 100644 SPECS/grub2/sbat-3-0009-fbutil-Fix-integer-overflow.patch delete mode 100644 SPECS/grub2/sbat-3-0011-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch delete mode 100644 SPECS/grub2/sbat-3-0012-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch delete mode 100644 SPECS/grub2/sbat-3-0013-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch delete mode 100644 SPECS/grub2/sbat-4-0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch delete mode 100644 SPECS/grub2/sbat-4-0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch delete mode 100644 SPECS/grub2/sbat-4-0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch delete mode 100644 SPECS/grub2/sbat-4-0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch delete mode 100644 SPECS/grub2/sbat-4-0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch delete mode 100644 SPECS/grub2/sbat-4-0006-fs-ntfs-Make-code-more-readable.patch 
diff --git a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec index abce26d0b52..3d27aacf30f 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec @@ -11,8 +11,8 @@ %endif Summary: Signed GRand Unified Bootloader for %{buildarch} systems Name: grub2-efi-binary-signed-%{buildarch} -Version: 2.06 -Release: 19%{?dist} +Version: 2.12 +Release: 1%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Azure Linux @@ -79,6 +79,9 @@ cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname} /boot/efi/EFI/BOOT/%{grubpxeefiname} %changelog +* Fri Jun 14 2024 Gary Swalling - 2.12-1 +- Match grub2 version and release numbers + * Wed Jun 12 2024 George Mileka - 2.06-19 - disable code optimization for ip checksum calculation diff --git a/SPECS/grub2/0001-Add-support-for-Linux-EFI-stub-loading.patch b/SPECS/grub2/0001-Add-support-for-Linux-EFI-stub-loading.patch deleted file mode 100644 index 74044b8b2a0..00000000000 --- a/SPECS/grub2/0001-Add-support-for-Linux-EFI-stub-loading.patch +++ /dev/null 
@@ -1,983 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 10 Jul 2012 11:58:52 -0400 -Subject: [PATCH] Add support for Linux EFI stub loading. - -Also: - -commit 71c843745f22f81e16d259e2e19c99bf3c1855c1 -Author: Colin Watson -Date: Tue Oct 23 10:40:49 2012 -0400 - -Don't allow insmod when secure boot is enabled. - -Hi, - -Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine -as far as it goes. However, the insmod command is not the only way that -modules can be loaded. In particular, the 'normal' command, which -implements the usual GRUB menu and the fully-featured command prompt, -will implicitly load commands not currently loaded into memory. This -permits trivial Secure Boot violations by writing commands implementing -whatever you want to do and pointing $prefix at the malicious code. - -I'm currently test-building this patch (replacing your current -grub-2.00-no-insmod-on-sb.patch), but this should be more correct. It -moves the check into grub_dl_load_file. 
---- - grub-core/Makefile.core.def | 16 +- - grub-core/kern/dl.c | 21 +++ - grub-core/kern/efi/efi.c | 28 ++++ - grub-core/kern/efi/mm.c | 32 ++++ - grub-core/loader/arm64/linux.c | 118 +++++++------- - grub-core/loader/arm64/xen_boot.c | 1 - - grub-core/loader/efi/linux.c | 70 ++++++++ - grub-core/loader/i386/efi/linux.c | 335 ++++++++++++++++++++++++++++++++++++++ - grub-core/loader/i386/pc/linux.c | 10 +- - include/grub/arm/linux.h | 9 + - include/grub/arm64/linux.h | 9 + - include/grub/efi/efi.h | 7 +- - include/grub/efi/linux.h | 31 ++++ - 13 files changed, 618 insertions(+), 69 deletions(-) - create mode 100644 grub-core/loader/efi/linux.c - create mode 100644 grub-core/loader/i386/efi/linux.c - create mode 100644 include/grub/efi/linux.h - -diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def -index 8022e1c0a79..45d3edaa4dc 100644 ---- a/grub-core/Makefile.core.def -+++ b/grub-core/Makefile.core.def -@@ -1734,13 +1734,6 @@ module = { - enable = i386_pc; - }; - -- --module = { -- name = linux16; -- common = loader/i386/pc/linux.c; -- enable = x86; --}; -- - module = { - name = ntldr; - i386_pc = loader/i386/pc/ntldr.c; -@@ -1796,7 +1789,9 @@ module = { - - module = { - name = linux; -- x86 = loader/i386/linux.c; -+ i386_pc = loader/i386/pc/linux.c; -+ x86_64_efi = loader/i386/efi/linux.c; -+ i386_efi = loader/i386/efi/linux.c; - i386_xen_pvh = loader/i386/linux.c; - xen = loader/i386/xen.c; - i386_pc = lib/i386/pc/vesa_modes_table.c; -@@ -1811,9 +1806,14 @@ module = { - arm64 = loader/arm64/linux.c; - riscv32 = loader/riscv/linux.c; - riscv64 = loader/riscv/linux.c; -+ emu = loader/emu/linux.c; -+ fdt = lib/fdt.c; -+ - common = loader/linux.c; - common = lib/cmdline.c; - enable = noemu; -+ -+ efi = loader/efi/linux.c; - }; - - module = { -diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c -index 48f8a79073d..b7149370950 100644 ---- a/grub-core/kern/dl.c -+++ b/grub-core/kern/dl.c -@@ -38,6 +38,14 @@ - #define 
GRUB_MODULES_MACHINE_READONLY - #endif - -+#ifdef GRUB_MACHINE_EMU -+#include -+#endif -+ -+#ifdef GRUB_MACHINE_EFI -+#include -+#endif -+ - - - #pragma GCC diagnostic ignored "-Wcast-align" -@@ -695,6 +703,19 @@ grub_dl_load_file (const char *filename) - void *core = 0; - grub_dl_t mod = 0; - -+#ifdef GRUB_MACHINE_EFI -+ if (grub_efi_secure_boot ()) -+ { -+#if 0 -+ /* This is an error, but grub2-mkconfig still generates a pile of -+ * insmod commands, so emitting it would be mostly just obnoxious. */ -+ grub_error (GRUB_ERR_ACCESS_DENIED, -+ "Secure Boot forbids loading module from %s", filename); -+#endif -+ return 0; -+ } -+#endif -+ - grub_boot_time ("Loading module %s", filename); - - file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE); -diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c -index 8cff7be0289..35b8f670602 100644 ---- a/grub-core/kern/efi/efi.c -+++ b/grub-core/kern/efi/efi.c -@@ -286,6 +286,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid, - return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL); - } - -+grub_efi_boolean_t -+grub_efi_secure_boot (void) -+{ -+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; -+ grub_size_t datasize; -+ char *secure_boot = NULL; -+ char *setup_mode = NULL; -+ grub_efi_boolean_t ret = 0; -+ -+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize); -+ -+ if (datasize != 1 || !secure_boot) -+ goto out; -+ -+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize); -+ -+ if (datasize != 1 || !setup_mode) -+ goto out; -+ -+ if (*secure_boot && !*setup_mode) -+ ret = 1; -+ -+ out: -+ grub_free (secure_boot); -+ grub_free (setup_mode); -+ return ret; -+} -+ - #pragma GCC diagnostic ignored "-Wcast-align" - - /* Search the mods section from the PE32/PE32+ image. 
This code uses -diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c -index 0cdb063bb1b..74360542062 100644 ---- a/grub-core/kern/efi/mm.c -+++ b/grub-core/kern/efi/mm.c -@@ -113,6 +113,38 @@ grub_efi_drop_alloc (grub_efi_physical_address_t address, - } - } - -+/* Allocate pages below a specified address */ -+void * -+grub_efi_allocate_pages_max (grub_efi_physical_address_t max, -+ grub_efi_uintn_t pages) -+{ -+ grub_efi_status_t status; -+ grub_efi_boot_services_t *b; -+ grub_efi_physical_address_t address = max; -+ -+ if (max > 0xffffffff) -+ return 0; -+ -+ b = grub_efi_system_table->boot_services; -+ status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA, pages, &address); -+ -+ if (status != GRUB_EFI_SUCCESS) -+ return 0; -+ -+ if (address == 0) -+ { -+ /* Uggh, the address 0 was allocated... This is too annoying, -+ so reallocate another one. */ -+ address = max; -+ status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA, pages, &address); -+ grub_efi_free_pages (0, pages); -+ if (status != GRUB_EFI_SUCCESS) -+ return 0; -+ } -+ -+ return (void *) ((grub_addr_t) address); -+} -+ - /* Allocate pages. Return the pointer to the first of allocated pages. 
*/ - void * - grub_efi_allocate_pages_real (grub_efi_physical_address_t address, -diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c -index ef3e9f9444c..a312c668685 100644 ---- a/grub-core/loader/arm64/linux.c -+++ b/grub-core/loader/arm64/linux.c -@@ -29,6 +29,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -41,6 +42,7 @@ static int loaded; - - static void *kernel_addr; - static grub_uint64_t kernel_size; -+static grub_uint32_t handover_offset; - - static char *linux_args; - static grub_uint32_t cmdline_size; -@@ -67,7 +69,8 @@ grub_arch_efi_linux_check_image (struct linux_arch_kernel_header * lh) - static grub_err_t - finalize_params_linux (void) - { -- int node, retval; -+ grub_efi_loaded_image_t *loaded_image = NULL; -+ int node, retval, len; - - void *fdt; - -@@ -102,79 +105,70 @@ finalize_params_linux (void) - if (grub_fdt_install() != GRUB_ERR_NONE) - goto failure; - -- return GRUB_ERR_NONE; -- --failure: -- grub_fdt_unload(); -- return grub_error(GRUB_ERR_BAD_OS, "failed to install/update FDT"); --} -- --grub_err_t --grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args) --{ -- grub_efi_memory_mapped_device_path_t *mempath; -- grub_efi_handle_t image_handle; -- grub_efi_boot_services_t *b; -- grub_efi_status_t status; -- grub_efi_loaded_image_t *loaded_image; -- int len; -- -- mempath = grub_malloc (2 * sizeof (grub_efi_memory_mapped_device_path_t)); -- if (!mempath) -- return grub_errno; -- -- mempath[0].header.type = GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE; -- mempath[0].header.subtype = GRUB_EFI_MEMORY_MAPPED_DEVICE_PATH_SUBTYPE; -- mempath[0].header.length = grub_cpu_to_le16_compile_time (sizeof (*mempath)); -- mempath[0].memory_type = GRUB_EFI_LOADER_DATA; -- mempath[0].start_address = addr; -- mempath[0].end_address = addr + size; -- -- mempath[1].header.type = GRUB_EFI_END_DEVICE_PATH_TYPE; -- mempath[1].header.subtype = GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE; -- 
mempath[1].header.length = sizeof (grub_efi_device_path_t); -- -- b = grub_efi_system_table->boot_services; -- status = b->load_image (0, grub_efi_image_handle, -- (grub_efi_device_path_t *) mempath, -- (void *) addr, size, &image_handle); -- if (status != GRUB_EFI_SUCCESS) -- return grub_error (GRUB_ERR_BAD_OS, "cannot load image"); -- -- grub_dprintf ("linux", "linux command line: '%s'\n", args); -+ grub_dprintf ("linux", "Installed/updated FDT configuration table @ %p\n", -+ fdt); - - /* Convert command line to UCS-2 */ -- loaded_image = grub_efi_get_loaded_image (image_handle); -+ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle); -+ if (!loaded_image) -+ goto failure; -+ - loaded_image->load_options_size = len = -- (grub_strlen (args) + 1) * sizeof (grub_efi_char16_t); -+ (grub_strlen (linux_args) + 1) * sizeof (grub_efi_char16_t); - loaded_image->load_options = - grub_efi_allocate_any_pages (GRUB_EFI_BYTES_TO_PAGES (loaded_image->load_options_size)); - if (!loaded_image->load_options) -- return grub_errno; -+ return grub_error(GRUB_ERR_BAD_OS, "failed to create kernel parameters"); - - loaded_image->load_options_size = - 2 * grub_utf8_to_utf16 (loaded_image->load_options, len, -- (grub_uint8_t *) args, len, NULL); -+ (grub_uint8_t *) linux_args, len, NULL); - -- grub_dprintf ("linux", "starting image %p\n", image_handle); -- status = b->start_image (image_handle, 0, NULL); -+ return GRUB_ERR_NONE; - -- /* When successful, not reached */ -- b->unload_image (image_handle); -- grub_efi_free_pages ((grub_addr_t) loaded_image->load_options, -- GRUB_EFI_BYTES_TO_PAGES (loaded_image->load_options_size)); -+failure: -+ grub_fdt_unload(); -+ return grub_error(GRUB_ERR_BAD_OS, "failed to install/update FDT"); -+} - -- return grub_errno; -+static void -+free_params (void) -+{ -+ grub_efi_loaded_image_t *loaded_image = NULL; -+ -+ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle); -+ if (loaded_image) -+ { -+ if (loaded_image->load_options) 
-+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_efi_uintn_t)loaded_image->load_options, -+ GRUB_EFI_BYTES_TO_PAGES (loaded_image->load_options_size)); -+ loaded_image->load_options = NULL; -+ loaded_image->load_options_size = 0; -+ } -+} -+ -+grub_err_t -+grub_arch_efi_linux_boot_image (grub_addr_t addr, char *args) -+{ -+ grub_err_t retval; -+ -+ retval = finalize_params_linux (); -+ if (retval != GRUB_ERR_NONE) -+ return grub_errno; -+ -+ grub_dprintf ("linux", "linux command line: '%s'\n", args); -+ -+ retval = grub_efi_linux_boot ((char *)addr, handover_offset, (void *)addr); -+ -+ /* Never reached... */ -+ free_params(); -+ return retval; - } - - static grub_err_t - grub_linux_boot (void) - { -- if (finalize_params_linux () != GRUB_ERR_NONE) -- return grub_errno; -- -- return (grub_arch_efi_linux_boot_image((grub_addr_t)kernel_addr, -- kernel_size, linux_args)); -+ return (grub_arch_efi_linux_boot_image((grub_addr_t)kernel_addr, linux_args)); - } - - static grub_err_t -@@ -288,6 +282,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - { - grub_file_t file = 0; - struct linux_arch_kernel_header lh; -+ struct grub_armxx_linux_pe_header *pe; - grub_err_t err; - - grub_dl_ref (my_mod); -@@ -333,6 +328,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - - grub_dprintf ("linux", "kernel @ %p\n", kernel_addr); - -+ if (!grub_linuxefi_secure_validate (kernel_addr, kernel_size)) -+ { -+ grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]); -+ goto fail; -+ } -+ -+ pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset); -+ handover_offset = pe->opt.entry_addr; -+ - cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE); - linux_args = grub_malloc (cmdline_size); - if (!linux_args) -diff --git a/grub-core/loader/arm64/xen_boot.c b/grub-core/loader/arm64/xen_boot.c -index 22cc25eccd9..d9b7a9ba400 100644 ---- a/grub-core/loader/arm64/xen_boot.c -+++ 
b/grub-core/loader/arm64/xen_boot.c -@@ -266,7 +266,6 @@ xen_boot (void) - return err; - - return grub_arch_efi_linux_boot_image (xen_hypervisor->start, -- xen_hypervisor->size, - xen_hypervisor->cmdline); - } - -diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c -new file mode 100644 -index 00000000000..c24202a5dd1 ---- /dev/null -+++ b/grub-core/loader/efi/linux.c -@@ -0,0 +1,70 @@ -+/* -+ * GRUB -- GRand Unified Bootloader -+ * Copyright (C) 2014 Free Software Foundation, Inc. -+ * -+ * GRUB is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GRUB is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GRUB. If not, see . 
-+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#define SHIM_LOCK_GUID \ -+ { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} } -+ -+struct grub_efi_shim_lock -+{ -+ grub_efi_status_t (*verify) (void *buffer, grub_uint32_t size); -+}; -+typedef struct grub_efi_shim_lock grub_efi_shim_lock_t; -+ -+grub_efi_boolean_t -+grub_linuxefi_secure_validate (void *data, grub_uint32_t size) -+{ -+ grub_efi_guid_t guid = SHIM_LOCK_GUID; -+ grub_efi_shim_lock_t *shim_lock; -+ -+ shim_lock = grub_efi_locate_protocol(&guid, NULL); -+ -+ if (!shim_lock) -+ return 1; -+ -+ if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS) -+ return 1; -+ -+ return 0; -+} -+ -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wcast-align" -+ -+typedef void (*handover_func) (void *, grub_efi_system_table_t *, void *); -+ -+grub_err_t -+grub_efi_linux_boot (void *kernel_addr, grub_off_t offset, -+ void *kernel_params) -+{ -+ handover_func hf; -+ -+ hf = (handover_func)((char *)kernel_addr + offset); -+ hf (grub_efi_image_handle, grub_efi_system_table, kernel_params); -+ -+ return GRUB_ERR_BUG; -+} -+ -+#pragma GCC diagnostic pop -diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c -new file mode 100644 -index 00000000000..bb2616a8092 ---- /dev/null -+++ b/grub-core/loader/i386/efi/linux.c -@@ -0,0 +1,335 @@ -+/* -+ * GRUB -- GRand Unified Bootloader -+ * Copyright (C) 2012 Free Software Foundation, Inc. -+ * -+ * GRUB is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GRUB is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GRUB. If not, see . -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+GRUB_MOD_LICENSE ("GPLv3+"); -+ -+static grub_dl_t my_mod; -+static int loaded; -+static void *kernel_mem; -+static grub_uint64_t kernel_size; -+static grub_uint8_t *initrd_mem; -+static grub_uint32_t handover_offset; -+struct linux_kernel_params *params; -+static char *linux_cmdline; -+ -+#define BYTES_TO_PAGES(bytes) (((bytes) + 0xfff) >> 12) -+ -+static grub_err_t -+grub_linuxefi_boot (void) -+{ -+ int offset = 0; -+ -+#ifdef __x86_64__ -+ offset = 512; -+#endif -+ asm volatile ("cli"); -+ -+ return grub_efi_linux_boot ((char *)kernel_mem, handover_offset + offset, -+ params); -+} -+ -+static grub_err_t -+grub_linuxefi_unload (void) -+{ -+ grub_dl_unref (my_mod); -+ loaded = 0; -+ if (initrd_mem) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)initrd_mem, -+ BYTES_TO_PAGES(params->ramdisk_size)); -+ if (linux_cmdline) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t) -+ linux_cmdline, -+ BYTES_TO_PAGES(params->cmdline_size + 1)); -+ if (kernel_mem) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)kernel_mem, -+ BYTES_TO_PAGES(kernel_size)); -+ if (params) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)params, -+ BYTES_TO_PAGES(16384)); -+ return GRUB_ERR_NONE; -+} -+ -+static grub_err_t -+grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), -+ int argc, char *argv[]) -+{ -+ grub_file_t *files = 0; -+ int i, nfiles = 0; -+ grub_size_t size = 0; -+ grub_uint8_t *ptr; -+ -+ if (argc == 0) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); -+ goto fail; -+ } -+ -+ if (!loaded) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, N_("you need to load the kernel first")); -+ goto 
fail; -+ } -+ -+ files = grub_zalloc (argc * sizeof (files[0])); -+ if (!files) -+ goto fail; -+ -+ for (i = 0; i < argc; i++) -+ { -+ files[i] = grub_file_open (argv[i], GRUB_FILE_TYPE_LINUX_INITRD | GRUB_FILE_TYPE_NO_DECOMPRESS); -+ if (! files[i]) -+ goto fail; -+ nfiles++; -+ size += ALIGN_UP (grub_file_size (files[i]), 4); -+ } -+ -+ initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size)); -+ if (!initrd_mem) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate initrd")); -+ goto fail; -+ } -+ -+ params->ramdisk_size = size; -+ params->ramdisk_image = (grub_uint32_t)(grub_addr_t) initrd_mem; -+ -+ ptr = initrd_mem; -+ -+ for (i = 0; i < nfiles; i++) -+ { -+ grub_ssize_t cursize = grub_file_size (files[i]); -+ if (grub_file_read (files[i], ptr, cursize) != cursize) -+ { -+ if (!grub_errno) -+ grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"), -+ argv[i]); -+ goto fail; -+ } -+ ptr += cursize; -+ grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4)); -+ ptr += ALIGN_UP_OVERHEAD (cursize, 4); -+ } -+ -+ params->ramdisk_size = size; -+ -+ fail: -+ for (i = 0; i < nfiles; i++) -+ grub_file_close (files[i]); -+ grub_free (files); -+ -+ if (initrd_mem && grub_errno) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)initrd_mem, -+ BYTES_TO_PAGES(size)); -+ -+ return grub_errno; -+} -+ -+static grub_err_t -+grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), -+ int argc, char *argv[]) -+{ -+ grub_file_t file = 0; -+ struct linux_i386_kernel_header lh; -+ grub_ssize_t len, start, filelen; -+ void *kernel = NULL; -+ -+ grub_dl_ref (my_mod); -+ -+ if (argc == 0) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); -+ goto fail; -+ } -+ -+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL); -+ if (! 
file) -+ goto fail; -+ -+ filelen = grub_file_size (file); -+ -+ kernel = grub_malloc(filelen); -+ -+ if (!kernel) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer")); -+ goto fail; -+ } -+ -+ if (grub_file_read (file, kernel, filelen) != filelen) -+ { -+ grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"), argv[0]); -+ goto fail; -+ } -+ -+ if (! grub_linuxefi_secure_validate (kernel, filelen)) -+ { -+ grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), -+ argv[0]); -+ goto fail; -+ } -+ -+ params = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(16384)); -+ -+ if (! params) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters"); -+ goto fail; -+ } -+ -+ grub_memset (params, 0, 16384); -+ -+ grub_memcpy (&lh, kernel, sizeof (lh)); -+ -+ if (lh.boot_flag != grub_cpu_to_le16 (0xaa55)) -+ { -+ grub_error (GRUB_ERR_BAD_OS, N_("invalid magic number")); -+ goto fail; -+ } -+ -+ if (lh.setup_sects > GRUB_LINUX_MAX_SETUP_SECTS) -+ { -+ grub_error (GRUB_ERR_BAD_OS, N_("too many setup sectors")); -+ goto fail; -+ } -+ -+ if (lh.version < grub_cpu_to_le16 (0x020b)) -+ { -+ grub_error (GRUB_ERR_BAD_OS, N_("kernel too old")); -+ goto fail; -+ } -+ -+ if (!lh.handover_offset) -+ { -+ grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support EFI handover")); -+ goto fail; -+ } -+ -+ grub_dprintf ("linux", "setting up cmdline\n"); -+ linux_cmdline = grub_efi_allocate_pages_max(0x3fffffff, -+ BYTES_TO_PAGES(lh.cmdline_size + 1)); -+ -+ if (!linux_cmdline) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate cmdline")); -+ goto fail; -+ } -+ -+ grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE)); -+ grub_create_loader_cmdline (argc, argv, -+ linux_cmdline + sizeof (LINUX_IMAGE) - 1, -+ lh.cmdline_size - (sizeof (LINUX_IMAGE) - 1), -+ GRUB_VERIFY_KERNEL_CMDLINE); -+ -+ lh.cmd_line_ptr = (grub_uint32_t)(grub_addr_t)linux_cmdline; -+ -+ handover_offset = lh.handover_offset; 
-+ -+ start = (lh.setup_sects + 1) * 512; -+ len = grub_file_size(file) - start; -+ -+ kernel_mem = grub_efi_allocate_pages_max(lh.pref_address, -+ BYTES_TO_PAGES(lh.init_size)); -+ -+ if (!kernel_mem) -+ kernel_mem = grub_efi_allocate_pages_max(0x3fffffff, -+ BYTES_TO_PAGES(lh.init_size)); -+ -+ if (!kernel_mem) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate kernel")); -+ goto fail; -+ } -+ -+ grub_memcpy (kernel_mem, (char *)kernel + start, len); -+ grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0); -+ loaded=1; -+ -+ lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem; -+ grub_memcpy (params, &lh, 2 * 512); -+ -+ params->type_of_loader = 0x21; -+ -+ fail: -+ -+ if (file) -+ grub_file_close (file); -+ -+ if (kernel) -+ grub_free (kernel); -+ -+ if (grub_errno != GRUB_ERR_NONE) -+ { -+ grub_dl_unref (my_mod); -+ loaded = 0; -+ } -+ -+ if (linux_cmdline && !loaded) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t) -+ linux_cmdline, -+ BYTES_TO_PAGES(lh.cmdline_size + 1)); -+ -+ if (kernel_mem && !loaded) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)kernel_mem, -+ BYTES_TO_PAGES(kernel_size)); -+ -+ if (params && !loaded) -+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)params, -+ BYTES_TO_PAGES(16384)); -+ -+ return grub_errno; -+} -+ -+static grub_command_t cmd_linux, cmd_initrd; -+static grub_command_t cmd_linuxefi, cmd_initrdefi; -+ -+GRUB_MOD_INIT(linux) -+{ -+ cmd_linux = -+ grub_register_command ("linux", grub_cmd_linux, -+ 0, N_("Load Linux.")); -+ cmd_linuxefi = -+ grub_register_command ("linuxefi", grub_cmd_linux, -+ 0, N_("Load Linux.")); -+ cmd_initrd = -+ grub_register_command ("initrd", grub_cmd_initrd, -+ 0, N_("Load initrd.")); -+ cmd_initrdefi = -+ grub_register_command ("initrdefi", grub_cmd_initrd, -+ 0, N_("Load initrd.")); -+ my_mod = mod; -+} -+ -+GRUB_MOD_FINI(linux) -+{ -+ grub_unregister_command (cmd_linux); -+ grub_unregister_command (cmd_linuxefi); 
-+ grub_unregister_command (cmd_initrd); -+ grub_unregister_command (cmd_initrdefi); -+} -diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c -index 2a299520160..8be4c3b3f48 100644 ---- a/grub-core/loader/i386/pc/linux.c -+++ b/grub-core/loader/i386/pc/linux.c -@@ -474,14 +474,20 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), - return grub_errno; - } - --static grub_command_t cmd_linux, cmd_initrd; -+static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16; - - GRUB_MOD_INIT(linux16) - { - cmd_linux = -+ grub_register_command ("linux", grub_cmd_linux, -+ 0, N_("Load Linux.")); -+ cmd_linux16 = - grub_register_command ("linux16", grub_cmd_linux, - 0, N_("Load Linux.")); - cmd_initrd = -+ grub_register_command ("initrd", grub_cmd_initrd, -+ 0, N_("Load initrd.")); -+ cmd_initrd16 = - grub_register_command ("initrd16", grub_cmd_initrd, - 0, N_("Load initrd.")); - my_mod = mod; -@@ -490,5 +496,7 @@ GRUB_MOD_INIT(linux16) - GRUB_MOD_FINI(linux16) - { - grub_unregister_command (cmd_linux); -+ grub_unregister_command (cmd_linux16); - grub_unregister_command (cmd_initrd); -+ grub_unregister_command (cmd_initrd16); - } -diff --git a/include/grub/arm/linux.h b/include/grub/arm/linux.h -index bcd5a7eb186..b582f67f661 100644 ---- a/include/grub/arm/linux.h -+++ b/include/grub/arm/linux.h -@@ -20,6 +20,7 @@ - #ifndef GRUB_ARM_LINUX_HEADER - #define GRUB_ARM_LINUX_HEADER 1 - -+#include - #include "system.h" - - #define GRUB_LINUX_ARM_MAGIC_SIGNATURE 0x016f2818 -@@ -34,9 +35,17 @@ struct linux_arm_kernel_header { - grub_uint32_t hdr_offset; - }; - -+struct grub_arm_linux_pe_header -+{ -+ grub_uint32_t magic; -+ struct grub_pe32_coff_header coff; -+ struct grub_pe32_optional_header opt; -+}; -+ - #if defined(__arm__) - # define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM_MAGIC_SIGNATURE - # define linux_arch_kernel_header linux_arm_kernel_header -+# define grub_armxx_linux_pe_header grub_arm_linux_pe_header - #endif 
- - #if defined GRUB_MACHINE_UBOOT -diff --git a/include/grub/arm64/linux.h b/include/grub/arm64/linux.h -index 7e22b4ab699..ea030312df3 100644 ---- a/include/grub/arm64/linux.h -+++ b/include/grub/arm64/linux.h -@@ -19,6 +19,7 @@ - #ifndef GRUB_ARM64_LINUX_HEADER - #define GRUB_ARM64_LINUX_HEADER 1 - -+#include - #include - - #define GRUB_LINUX_ARM64_MAGIC_SIGNATURE 0x644d5241 /* 'ARM\x64' */ -@@ -38,9 +39,17 @@ struct linux_arm64_kernel_header - grub_uint32_t hdr_offset; /* Offset of PE/COFF header */ - }; - -+struct grub_arm64_linux_pe_header -+{ -+ grub_uint32_t magic; -+ struct grub_pe32_coff_header coff; -+ struct grub_pe64_optional_header opt; -+}; -+ - #if defined(__aarch64__) - # define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM64_MAGIC_SIGNATURE - # define linux_arch_kernel_header linux_arm64_kernel_header -+# define grub_armxx_linux_pe_header grub_arm64_linux_pe_header - #endif - - #endif /* ! GRUB_ARM64_LINUX_HEADER */ -diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h -index 83d958f9945..6295df85f3f 100644 ---- a/include/grub/efi/efi.h -+++ b/include/grub/efi/efi.h -@@ -47,6 +47,9 @@ EXPORT_FUNC(grub_efi_allocate_fixed) (grub_efi_physical_address_t address, - grub_efi_uintn_t pages); - void * - EXPORT_FUNC(grub_efi_allocate_any_pages) (grub_efi_uintn_t pages); -+void * -+EXPORT_FUNC(grub_efi_allocate_pages_max) (grub_efi_physical_address_t max, -+ grub_efi_uintn_t pages); - void EXPORT_FUNC(grub_efi_free_pages) (grub_efi_physical_address_t address, - grub_efi_uintn_t pages); - grub_efi_uintn_t EXPORT_FUNC(grub_efi_find_mmap_size) (void); -@@ -88,6 +91,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var, - const grub_efi_guid_t *guid, - void *data, - grub_size_t datasize); -+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void); - int - EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1, - const grub_efi_device_path_t *dp2); -@@ -101,8 +105,7 @@ void *EXPORT_FUNC(grub_efi_get_firmware_fdt)(void); 
- grub_err_t EXPORT_FUNC(grub_efi_get_ram_base)(grub_addr_t *); - #include - grub_err_t grub_arch_efi_linux_check_image(struct linux_arch_kernel_header *lh); --grub_err_t grub_arch_efi_linux_boot_image(grub_addr_t addr, grub_size_t size, -- char *args); -+grub_err_t grub_arch_efi_linux_boot_image(grub_addr_t addr, char *args); - #endif - - grub_addr_t grub_efi_modules_addr (void); -diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h -new file mode 100644 -index 00000000000..d9ede36773b ---- /dev/null -+++ b/include/grub/efi/linux.h -@@ -0,0 +1,31 @@ -+/* -+ * GRUB -- GRand Unified Bootloader -+ * Copyright (C) 2014 Free Software Foundation, Inc. -+ * -+ * GRUB is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GRUB is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GRUB. If not, see . -+ */ -+#ifndef GRUB_EFI_LINUX_HEADER -+#define GRUB_EFI_LINUX_HEADER 1 -+ -+#include -+#include -+#include -+ -+grub_efi_boolean_t -+EXPORT_FUNC(grub_linuxefi_secure_validate) (void *data, grub_uint32_t size); -+grub_err_t -+EXPORT_FUNC(grub_efi_linux_boot) (void *kernel_address, grub_off_t offset, -+ void *kernel_param); -+ -+#endif /* ! GRUB_EFI_LINUX_HEADER */ diff --git a/SPECS/grub2/0002-Rework-linux-command.patch b/SPECS/grub2/0002-Rework-linux-command.patch deleted file mode 100644 index 9954dd0a61c..00000000000 --- a/SPECS/grub2/0002-Rework-linux-command.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Sun, 9 Aug 2015 16:12:39 -0700 -Subject: [PATCH] Rework linux command - -We want a single buffer that contains the entire kernel image in order to -perform a TPM measurement. Allocate one and copy the entire kernel into it -before pulling out the individual blocks later on. - -Signed-off-by: Matthew Garrett ---- - grub-core/loader/i386/linux.c | 35 +++++++++++++++++++++++------------ - 1 file changed, 23 insertions(+), 12 deletions(-) - -diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c -index 9f74a96b19a..dccf3bb3005 100644 ---- a/grub-core/loader/i386/linux.c -+++ b/grub-core/loader/i386/linux.c -@@ -649,13 +649,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - { - grub_file_t file = 0; - struct linux_i386_kernel_header lh; -+ grub_uint8_t *linux_params_ptr; - grub_uint8_t setup_sects; -- grub_size_t real_size, prot_size, prot_file_size; -+ grub_size_t real_size, prot_size, prot_file_size, kernel_offset; - grub_ssize_t len; - int i; - grub_size_t align, min_align; - int relocatable; - grub_uint64_t preferred_address = GRUB_LINUX_BZIMAGE_ADDR; -+ grub_uint8_t *kernel = NULL; - - grub_dl_ref (my_mod); - -@@ -669,7 +671,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - if (! 
file) - goto fail; - -- if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh)) -+ len = grub_file_size (file); -+ kernel = grub_malloc (len); -+ if (!kernel) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer")); -+ goto fail; -+ } -+ -+ if (grub_file_read (file, kernel, len) != len) - { - if (!grub_errno) - grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), -@@ -677,6 +687,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - goto fail; - } - -+ grub_memcpy (&lh, kernel, sizeof (lh)); -+ kernel_offset = sizeof (lh); -+ - if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55)) - { - grub_error (GRUB_ERR_BAD_OS, "invalid magic number"); -@@ -784,13 +797,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - /* We've already read lh so there is no need to read it second time. */ - len -= sizeof(lh); - -- if ((len > 0) && -- (grub_file_read (file, (char *) &linux_params + sizeof (lh), len) != len)) -+ linux_params_ptr = (void *)&linux_params; -+ if (len > 0) - { -- if (!grub_errno) -- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), -- argv[0]); -- goto fail; -+ grub_memcpy (linux_params_ptr + sizeof (lh), kernel + kernel_offset, len); -+ kernel_offset += len; - } - - linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR; -@@ -853,7 +864,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - - /* The other parameters are filled when booting. 
*/ - -- grub_file_seek (file, real_size + GRUB_DISK_SECTOR_SIZE); -+ kernel_offset = real_size + GRUB_DISK_SECTOR_SIZE; - - grub_dprintf ("linux", "bzImage, setup=0x%x, size=0x%x\n", - (unsigned) real_size, (unsigned) prot_size); -@@ -1007,9 +1018,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - } - - len = prot_file_size; -- if (grub_file_read (file, prot_mode_mem, len) != len && !grub_errno) -- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), -- argv[0]); -+ grub_memcpy (prot_mode_mem, kernel + kernel_offset, len); - - if (grub_errno == GRUB_ERR_NONE) - { -@@ -1020,6 +1029,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - - fail: - -+ grub_free (kernel); -+ - if (file) - grub_file_close (file); - diff --git a/SPECS/grub2/0003-Rework-linux16-command.patch b/SPECS/grub2/0003-Rework-linux16-command.patch deleted file mode 100644 index 2c2d6f0ba6c..00000000000 --- a/SPECS/grub2/0003-Rework-linux16-command.patch +++ /dev/null 
@@ -1,99 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett
-Date: Sun, 9 Aug 2015 16:20:58 -0700
-Subject: [PATCH] Rework linux16 command
-
-We want a single buffer that contains the entire kernel image in order to
-perform a TPM measurement. Allocate one and copy the entire kernel int it
-before pulling out the individual blocks later on.
-
-Signed-off-by: Matthew Garrett
----
- grub-core/loader/i386/pc/linux.c | 33 +++++++++++++++++++++------------
- 1 file changed, 21 insertions(+), 12 deletions(-)
-
-diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
-index 8be4c3b3f48..4b1750e360e 100644
---- a/grub-core/loader/i386/pc/linux.c
-+++ b/grub-core/loader/i386/pc/linux.c
-@@ -124,13 +124,14 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- grub_file_t file = 0;
- struct linux_i386_kernel_header lh;
- grub_uint8_t setup_sects;
-- grub_size_t real_size;
-+ grub_size_t real_size, kernel_offset = 0;
- grub_ssize_t len;
- int i;
- char *grub_linux_prot_chunk;
- int grub_linux_is_bzimage;
- grub_addr_t grub_linux_prot_target;
- grub_err_t err;
-+ grub_uint8_t *kernel = NULL;
-
- grub_dl_ref (my_mod);
-
-@@ -144,7 +145,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- if (! file)
- goto fail;
-
-- if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
-+ len = grub_file_size (file);
-+ kernel = grub_malloc (len);
-+ if (!kernel)
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer"));
-+ goto fail;
-+ }
-+
-+ if (grub_file_read (file, kernel, len) != len)
- {
- if (!grub_errno)
- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
-@@ -152,6 +161,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- goto fail;
- }
-
-+ grub_memcpy (&lh, kernel, sizeof (lh));
-+ kernel_offset = sizeof (lh);
-+
- if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
- {
- grub_error (GRUB_ERR_BAD_OS, "invalid magic number");
-@@ -320,13 +332,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- grub_memmove (grub_linux_real_chunk, &lh, sizeof (lh));
-
- len = real_size + GRUB_DISK_SECTOR_SIZE - sizeof (lh);
-- if (grub_file_read (file, grub_linux_real_chunk + sizeof (lh), len) != len)
-- {
-- if (!grub_errno)
-- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
-- argv[0]);
-- goto fail;
-- }
-+ grub_memcpy (grub_linux_real_chunk + sizeof (lh), kernel + kernel_offset,
-+ len);
-+ kernel_offset += len;
-
- if (lh.header != grub_cpu_to_le32_compile_time (GRUB_LINUX_I386_MAGIC_SIGNATURE)
- || grub_le_to_cpu16 (lh.version) < 0x0200)
-@@ -364,9 +372,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- }
-
- len = grub_linux16_prot_size;
-- if (grub_file_read (file, grub_linux_prot_chunk, len) != len && !grub_errno)
-- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
-- argv[0]);
-+ grub_memcpy (grub_linux_prot_chunk, kernel + kernel_offset, len);
-+ kernel_offset += len;
-
- if (grub_errno == GRUB_ERR_NONE)
- {
-@@ -376,6 +383,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
-
- fail:
-
-+ grub_free (kernel);
-+
- if (file)
- grub_file_close (file);
-
diff --git a/SPECS/grub2/0004-Add-secureboot-support-on-efi-chainloader.patch b/SPECS/grub2/0004-Add-secureboot-support-on-efi-chainloader.patch
deleted file mode 100644
index bfb5a9b6770..00000000000
--- a/SPECS/grub2/0004-Add-secureboot-support-on-efi-chainloader.patch
+++ /dev/null
@@ -1,1382 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Raymund Will -Date: Mon, 8 Jul 2019 11:55:18 +0200 -Subject: [PATCH] Add secureboot support on efi chainloader - -Expand the chainloader to be able to verify the image by means of shim -lock protocol. The PE/COFF image is loaded and relocated by the -chainloader instead of calling LoadImage and StartImage UEFI boot -Service as they require positive verification result from keys enrolled -in KEK or DB. The shim will use MOK in addition to firmware enrolled -keys to verify the image. - -The chainloader module could be used to load other UEFI bootloaders, -such as xen.efi, and could be signed by any of MOK, KEK or DB. - -Based on https://build.opensuse.org/package/view_file/openSUSE:Factory/grub2/grub2-secureboot-chainloader.patch - -Signed-off-by: Peter Jones - -Also: - -commit cd7a8984d4fda905877b5bfe466339100156b3bc -Author: Raymund Will -Date: Fri Apr 10 01:45:02 2015 -0400 - -Use device part of chainloader target, if present. - -Otherwise chainloading is restricted to '$root', which might not even -be readable by EFI! - -v1. use grub_file_get_device_name() to get device name - -Signed-off-by: Michael Chang -Signed-off-by: Peter Jones - -Also: - -commit 0872a2310a0eeac4ecfe9e1b49dd2d72ab373039 -Author: Peter Jones -Date: Fri Jun 10 14:06:15 2016 -0400 - -Rework even more of efi chainload so non-sb cases work right. - -This ensures that if shim protocol is not loaded, or is loaded but shim -is disabled, we will fall back to a correct load method for the efi -chain loader. 
- -Here's what I tested with this version: - -results expected actual ------------------------------------------------------------- -sb + enabled + shim + fedora success success -sb + enabled + shim + win success success -sb + enabled + grub + fedora fail fail -sb + enabled + grub + win fail fail - -sb + mokdisabled + shim + fedora success success -sb + mokdisabled + shim + win success success -sb + mokdisabled + grub + fedora fail fail -sb + mokdisabled + grub + win fail fail - -sb disabled + shim + fedora success success* -sb disabled + shim + win success success* -sb disabled + grub + fedora success success -sb disabled + grub + win success success - -nosb + shim + fedora success success* -nosb + shim + win success success* -nosb + grub + fedora success success -nosb + grub + win success success - -* for some reason shim protocol is being installed in these cases, and I - can't see why, but I think it may be this firmware build returning an - erroneous value. But this effectively falls back to the mokdisabled - behavior, which works correctly, and the presence of the "grub" (i.e. - no shim) tests effectively tests the desired behavior here. - -Resolves: rhbz#1344512 - -Signed-off-by: Peter Jones - -Also: - -commit ff7b1cb7f69487870211aeb69ff4f54470fbcb58 -Author: Laszlo Ersek -Date: Mon Nov 21 15:34:00 2016 +0100 - -efi/chainloader: fix wrong sanity check in relocate_coff() - -In relocate_coff(), the relocation entries are parsed from the original -image (not the section-wise copied image). The original image is -pointed-to by the "orig" pointer. The current check - - (void *)reloc_end < data - -compares the addresses of independent memory allocations. "data" is a typo -here, it should be "orig". 
- -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1347291 -Signed-off-by: Laszlo Ersek -Tested-by: Bogdan Costescu -Tested-by: Juan Orti - -Also: - -commit ab4ba9997ad4832449e54d930fa2aac6a160d0e9 -Author: Laszlo Ersek -Date: Wed Nov 23 06:27:09 2016 +0100 - -efi/chainloader: truncate overlong relocation section - -The UEFI Windows 7 boot loader ("EFI/Microsoft/Boot/bootmgfw.efi", SHA1 -31b410e029bba87d2068c65a80b88882f9f8ea25) has inconsistent headers. - -Compare: - -> The Data Directory -> ... -> Entry 5 00000000000d9000 00000574 Base Relocation Directory [.reloc] - -Versus: - -> Sections: -> Idx Name Size VMA LMA File off ... -> ... -> 10 .reloc 00000e22 00000000100d9000 00000000100d9000 000a1800 ... - -That is, the size reported by the RelocDir entry (0x574) is smaller than -the virtual size of the .reloc section (0xe22). - -Quoting the grub2 debug log for the same: - -> chainloader.c:595: reloc_dir: 0xd9000 reloc_size: 0x00000574 -> chainloader.c:603: reloc_base: 0x7d208000 reloc_base_end: 0x7d208573 -> ... -> chainloader.c:620: Section 10 ".reloc" at 0x7d208000..0x7d208e21 -> chainloader.c:661: section is not reloc section? -> chainloader.c:663: rds: 0x00001000, vs: 00000e22 -> chainloader.c:664: base: 0x7d208000 end: 0x7d208e21 -> chainloader.c:666: reloc_base: 0x7d208000 reloc_base_end: 0x7d208573 -> chainloader.c:671: Section characteristics are 42000040 -> chainloader.c:673: Section virtual size: 00000e22 -> chainloader.c:675: Section raw_data size: 00001000 -> chainloader.c:678: Discarding section - -After hexdumping "bootmgfw.efi" and manually walking its relocation blocks -(yes, really), I determined that the (smaller) RelocDir value is correct. -The remaining area that extends up to the .reloc section size (== 0xe22 - -0x574 == 0x8ae bytes) exists as zero padding in the file. - -This zero padding shouldn't be passed to relocate_coff() for parsing. 
In -order to cope with it, split the handling of .reloc sections into the -following branches: - -- original case (equal size): original behavior (--> relocation - attempted), - -- overlong .reloc section (longer than reported by RelocDir): truncate the - section to the RelocDir size for the purposes of relocate_coff(), and - attempt relocation, - -- .reloc section is too short, or other checks fail: original behavior - (--> relocation not attempted). - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1347291 -Signed-off-by: Laszlo Ersek ---- - grub-core/kern/efi/efi.c | 14 +- - grub-core/loader/arm64/linux.c | 4 +- - grub-core/loader/efi/chainloader.c | 816 +++++++++++++++++++++++++++++++++---- - grub-core/loader/efi/linux.c | 25 +- - grub-core/loader/i386/efi/linux.c | 17 +- - include/grub/efi/linux.h | 2 +- - include/grub/efi/pe32.h | 52 ++- - 7 files changed, 840 insertions(+), 90 deletions(-) - -diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c -index 35b8f670602..4a2259aa1c7 100644 ---- a/grub-core/kern/efi/efi.c -+++ b/grub-core/kern/efi/efi.c -@@ -296,14 +296,20 @@ grub_efi_secure_boot (void) - grub_efi_boolean_t ret = 0; - - secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize); -- - if (datasize != 1 || !secure_boot) -- goto out; -+ { -+ grub_dprintf ("secureboot", "No SecureBoot variable\n"); -+ goto out; -+ } -+ grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot); - - setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize); -- - if (datasize != 1 || !setup_mode) -- goto out; -+ { -+ grub_dprintf ("secureboot", "No SetupMode variable\n"); -+ goto out; -+ } -+ grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode); - - if (*secure_boot && !*setup_mode) - ret = 1; -diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c -index a312c668685..04994d5c67d 100644 ---- a/grub-core/loader/arm64/linux.c -+++ b/grub-core/loader/arm64/linux.c -@@ -284,6 +284,7 @@ 
grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - struct linux_arch_kernel_header lh; - struct grub_armxx_linux_pe_header *pe; - grub_err_t err; -+ int rc; - - grub_dl_ref (my_mod); - -@@ -328,7 +329,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - - grub_dprintf ("linux", "kernel @ %p\n", kernel_addr); - -- if (!grub_linuxefi_secure_validate (kernel_addr, kernel_size)) -+ rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size); -+ if (rc < 0) - { - grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]); - goto fail; -diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c -index 2bd80f4db3d..b54cf6986fc 100644 ---- a/grub-core/loader/efi/chainloader.c -+++ b/grub-core/loader/efi/chainloader.c -@@ -32,6 +32,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include -@@ -46,9 +48,14 @@ static grub_dl_t my_mod; - - static grub_efi_physical_address_t address; - static grub_efi_uintn_t pages; -+static grub_ssize_t fsize; - static grub_efi_device_path_t *file_path; - static grub_efi_handle_t image_handle; - static grub_efi_char16_t *cmdline; -+static grub_ssize_t cmdline_len; -+static grub_efi_handle_t dev_handle; -+ -+static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table); - - static grub_err_t - grub_chainloader_unload (void) -@@ -63,6 +70,7 @@ grub_chainloader_unload (void) - grub_free (cmdline); - cmdline = 0; - file_path = 0; -+ dev_handle = 0; - - grub_dl_unref (my_mod); - return GRUB_ERR_NONE; -@@ -213,20 +221,690 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename) - return file_path; - } - -+#define SHIM_LOCK_GUID \ -+ { 0x605dab50, 0xe046, 0x4300, { 0xab,0xb6,0x3d,0xd8,0x10,0xdd,0x8b,0x23 } } -+ -+typedef union -+{ -+ struct grub_pe32_header_32 pe32; -+ struct grub_pe32_header_64 pe32plus; -+} grub_pe_header_t; -+ -+struct pe_coff_loader_image_context -+{ -+ 
grub_efi_uint64_t image_address; -+ grub_efi_uint64_t image_size; -+ grub_efi_uint64_t entry_point; -+ grub_efi_uintn_t size_of_headers; -+ grub_efi_uint16_t image_type; -+ grub_efi_uint16_t number_of_sections; -+ grub_efi_uint32_t section_alignment; -+ struct grub_pe32_section_table *first_section; -+ struct grub_pe32_data_directory *reloc_dir; -+ struct grub_pe32_data_directory *sec_dir; -+ grub_efi_uint64_t number_of_rva_and_sizes; -+ grub_pe_header_t *pe_hdr; -+}; -+ -+typedef struct pe_coff_loader_image_context pe_coff_loader_image_context_t; -+ -+struct grub_efi_shim_lock -+{ -+ grub_efi_status_t (*verify)(void *buffer, -+ grub_efi_uint32_t size); -+ grub_efi_status_t (*hash)(void *data, -+ grub_efi_int32_t datasize, -+ pe_coff_loader_image_context_t *context, -+ grub_efi_uint8_t *sha256hash, -+ grub_efi_uint8_t *sha1hash); -+ grub_efi_status_t (*context)(void *data, -+ grub_efi_uint32_t size, -+ pe_coff_loader_image_context_t *context); -+}; -+ -+typedef struct grub_efi_shim_lock grub_efi_shim_lock_t; -+ -+static grub_efi_boolean_t -+read_header (void *data, grub_efi_uint32_t size, -+ pe_coff_loader_image_context_t *context) -+{ -+ grub_efi_guid_t guid = SHIM_LOCK_GUID; -+ grub_efi_shim_lock_t *shim_lock; -+ grub_efi_status_t status; -+ -+ shim_lock = grub_efi_locate_protocol (&guid, NULL); -+ if (!shim_lock) -+ { -+ grub_dprintf ("chain", "no shim lock protocol"); -+ return 0; -+ } -+ -+ status = shim_lock->context (data, size, context); -+ -+ if (status == GRUB_EFI_SUCCESS) -+ { -+ grub_dprintf ("chain", "context success\n"); -+ return 1; -+ } -+ -+ switch (status) -+ { -+ case GRUB_EFI_UNSUPPORTED: -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "context error unsupported"); -+ break; -+ case GRUB_EFI_INVALID_PARAMETER: -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "context error invalid parameter"); -+ break; -+ default: -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "context error code"); -+ break; -+ } -+ -+ return -1; -+} -+ -+static void* -+image_address (void *image, 
grub_efi_uint64_t sz, grub_efi_uint64_t adr) -+{ -+ if (adr > sz) -+ return NULL; -+ -+ return ((grub_uint8_t*)image + adr); -+} -+ -+static int -+image_is_64_bit (grub_pe_header_t *pe_hdr) -+{ -+ /* .Magic is the same offset in all cases */ -+ if (pe_hdr->pe32plus.optional_header.magic == GRUB_PE32_PE64_MAGIC) -+ return 1; -+ return 0; -+} -+ -+static const grub_uint16_t machine_type __attribute__((__unused__)) = -+#if defined(__x86_64__) -+ GRUB_PE32_MACHINE_X86_64; -+#elif defined(__aarch64__) -+ GRUB_PE32_MACHINE_ARM64; -+#elif defined(__arm__) -+ GRUB_PE32_MACHINE_ARMTHUMB_MIXED; -+#elif defined(__i386__) || defined(__i486__) || defined(__i686__) -+ GRUB_PE32_MACHINE_I386; -+#elif defined(__ia64__) -+ GRUB_PE32_MACHINE_IA64; -+#else -+#error this architecture is not supported by grub2 -+#endif -+ -+static grub_efi_status_t -+relocate_coff (pe_coff_loader_image_context_t *context, -+ struct grub_pe32_section_table *section, -+ void *orig, void *data) -+{ -+ struct grub_pe32_data_directory *reloc_base, *reloc_base_end; -+ grub_efi_uint64_t adjust; -+ struct grub_pe32_fixup_block *reloc, *reloc_end; -+ char *fixup, *fixup_base, *fixup_data = NULL; -+ grub_efi_uint16_t *fixup_16; -+ grub_efi_uint32_t *fixup_32; -+ grub_efi_uint64_t *fixup_64; -+ grub_efi_uint64_t size = context->image_size; -+ void *image_end = (char *)orig + size; -+ int n = 0; -+ -+ if (image_is_64_bit (context->pe_hdr)) -+ context->pe_hdr->pe32plus.optional_header.image_base = -+ (grub_uint64_t)(unsigned long)data; -+ else -+ context->pe_hdr->pe32.optional_header.image_base = -+ (grub_uint32_t)(unsigned long)data; -+ -+ /* Alright, so here's how this works: -+ * -+ * context->reloc_dir gives us two things: -+ * - the VA the table of base relocation blocks are (maybe) to be -+ * mapped at (reloc_dir->rva) -+ * - the virtual size (reloc_dir->size) -+ * -+ * The .reloc section (section here) gives us some other things: -+ * - the name! kind of. 
(section->name) -+ * - the virtual size (section->virtual_size), which should be the same -+ * as RelocDir->Size -+ * - the virtual address (section->virtual_address) -+ * - the file section size (section->raw_data_size), which is -+ * a multiple of optional_header->file_alignment. Only useful for image -+ * validation, not really useful for iteration bounds. -+ * - the file address (section->raw_data_offset) -+ * - a bunch of stuff we don't use that's 0 in our binaries usually -+ * - Flags (section->characteristics) -+ * -+ * and then the thing that's actually at the file address is an array -+ * of struct grub_pe32_fixup_block structs with some values packed behind -+ * them. The block_size field of this structure includes the -+ * structure itself, and adding it to that structure's address will -+ * yield the next entry in the array. -+ */ -+ -+ reloc_base = image_address (orig, size, section->raw_data_offset); -+ reloc_base_end = image_address (orig, size, section->raw_data_offset -+ + section->virtual_size); -+ -+ grub_dprintf ("chain", "relocate_coff(): reloc_base %p reloc_base_end %p\n", -+ reloc_base, reloc_base_end); -+ -+ if (!reloc_base && !reloc_base_end) -+ return GRUB_EFI_SUCCESS; -+ -+ if (!reloc_base || !reloc_base_end) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Reloc table overflows binary"); -+ return GRUB_EFI_UNSUPPORTED; -+ } -+ -+ adjust = (grub_uint64_t)(grub_efi_uintn_t)data - context->image_address; -+ if (adjust == 0) -+ return GRUB_EFI_SUCCESS; -+ -+ while (reloc_base < reloc_base_end) -+ { -+ grub_uint16_t *entry; -+ reloc = (struct grub_pe32_fixup_block *)((char*)reloc_base); -+ -+ if ((reloc_base->size == 0) || -+ (reloc_base->size > context->reloc_dir->size)) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, -+ "Reloc %d block size %d is invalid\n", n, -+ reloc_base->size); -+ return GRUB_EFI_UNSUPPORTED; -+ } -+ -+ entry = &reloc->entries[0]; -+ reloc_end = (struct grub_pe32_fixup_block *) -+ ((char *)reloc_base + reloc_base->size); -+ -+ 
if ((void *)reloc_end < orig || (void *)reloc_end > image_end) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Reloc entry %d overflows binary", -+ n); -+ return GRUB_EFI_UNSUPPORTED; -+ } -+ -+ fixup_base = image_address(data, size, reloc_base->rva); -+ -+ if (!fixup_base) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Reloc %d Invalid fixupbase", n); -+ return GRUB_EFI_UNSUPPORTED; -+ } -+ -+ while ((void *)entry < (void *)reloc_end) -+ { -+ fixup = fixup_base + (*entry & 0xFFF); -+ switch ((*entry) >> 12) -+ { -+ case GRUB_PE32_REL_BASED_ABSOLUTE: -+ break; -+ case GRUB_PE32_REL_BASED_HIGH: -+ fixup_16 = (grub_uint16_t *)fixup; -+ *fixup_16 = (grub_uint16_t) -+ (*fixup_16 + ((grub_uint16_t)((grub_uint32_t)adjust >> 16))); -+ if (fixup_data != NULL) -+ { -+ *(grub_uint16_t *) fixup_data = *fixup_16; -+ fixup_data = fixup_data + sizeof (grub_uint16_t); -+ } -+ break; -+ case GRUB_PE32_REL_BASED_LOW: -+ fixup_16 = (grub_uint16_t *)fixup; -+ *fixup_16 = (grub_uint16_t) (*fixup_16 + (grub_uint16_t)adjust); -+ if (fixup_data != NULL) -+ { -+ *(grub_uint16_t *) fixup_data = *fixup_16; -+ fixup_data = fixup_data + sizeof (grub_uint16_t); -+ } -+ break; -+ case GRUB_PE32_REL_BASED_HIGHLOW: -+ fixup_32 = (grub_uint32_t *)fixup; -+ *fixup_32 = *fixup_32 + (grub_uint32_t)adjust; -+ if (fixup_data != NULL) -+ { -+ fixup_data = (char *)ALIGN_UP ((grub_addr_t)fixup_data, sizeof (grub_uint32_t)); -+ *(grub_uint32_t *) fixup_data = *fixup_32; -+ fixup_data += sizeof (grub_uint32_t); -+ } -+ break; -+ case GRUB_PE32_REL_BASED_DIR64: -+ fixup_64 = (grub_uint64_t *)fixup; -+ *fixup_64 = *fixup_64 + (grub_uint64_t)adjust; -+ if (fixup_data != NULL) -+ { -+ fixup_data = (char *)ALIGN_UP ((grub_addr_t)fixup_data, sizeof (grub_uint64_t)); -+ *(grub_uint64_t *) fixup_data = *fixup_64; -+ fixup_data += sizeof (grub_uint64_t); -+ } -+ break; -+ default: -+ grub_error (GRUB_ERR_BAD_ARGUMENT, -+ "Reloc %d unknown relocation type %d", -+ n, (*entry) >> 12); -+ return GRUB_EFI_UNSUPPORTED; -+ } -+ 
entry += 1; -+ } -+ reloc_base = (struct grub_pe32_data_directory *)reloc_end; -+ n++; -+ } -+ -+ return GRUB_EFI_SUCCESS; -+} -+ -+static grub_efi_device_path_t * -+grub_efi_get_media_file_path (grub_efi_device_path_t *dp) -+{ -+ while (1) -+ { -+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp); -+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp); -+ -+ if (type == GRUB_EFI_END_DEVICE_PATH_TYPE) -+ break; -+ else if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE -+ && subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE) -+ return dp; -+ -+ dp = GRUB_EFI_NEXT_DEVICE_PATH (dp); -+ } -+ -+ return NULL; -+} -+ -+static grub_efi_boolean_t -+handle_image (void *data, grub_efi_uint32_t datasize) -+{ -+ grub_efi_boot_services_t *b; -+ grub_efi_loaded_image_t *li, li_bak; -+ grub_efi_status_t efi_status; -+ char *buffer = NULL; -+ char *buffer_aligned = NULL; -+ grub_efi_uint32_t i; -+ struct grub_pe32_section_table *section; -+ char *base, *end; -+ pe_coff_loader_image_context_t context; -+ grub_uint32_t section_alignment; -+ grub_uint32_t buffer_size; -+ int found_entry_point = 0; -+ int rc; -+ -+ b = grub_efi_system_table->boot_services; -+ -+ rc = read_header (data, datasize, &context); -+ if (rc < 0) -+ { -+ grub_dprintf ("chain", "Failed to read header\n"); -+ goto error_exit; -+ } -+ else if (rc == 0) -+ { -+ grub_dprintf ("chain", "Secure Boot is not enabled\n"); -+ return 0; -+ } -+ else -+ { -+ grub_dprintf ("chain", "Header read without error\n"); -+ } -+ -+ /* -+ * The spec says, uselessly, of SectionAlignment: -+ * ===== -+ * The alignment (in bytes) of sections when they are loaded into -+ * memory. It must be greater than or equal to FileAlignment. The -+ * default is the page size for the architecture. -+ * ===== -+ * Which doesn't tell you whose responsibility it is to enforce the -+ * "default", or when. 
It implies that the value in the field must -+ * be > FileAlignment (also poorly defined), but it appears visual -+ * studio will happily write 512 for FileAlignment (its default) and -+ * 0 for SectionAlignment, intending to imply PAGE_SIZE. -+ * -+ * We only support one page size, so if it's zero, nerf it to 4096. -+ */ -+ section_alignment = context.section_alignment; -+ if (section_alignment == 0) -+ section_alignment = 4096; -+ -+ buffer_size = context.image_size + section_alignment; -+ grub_dprintf ("chain", "image size is %08"PRIxGRUB_UINT64_T", datasize is %08x\n", -+ context.image_size, datasize); -+ -+ efi_status = efi_call_3 (b->allocate_pool, GRUB_EFI_LOADER_DATA, -+ buffer_size, &buffer); -+ -+ if (efi_status != GRUB_EFI_SUCCESS) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory")); -+ goto error_exit; -+ } -+ -+ buffer_aligned = (char *)ALIGN_UP ((grub_addr_t)buffer, section_alignment); -+ if (!buffer_aligned) -+ { -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory")); -+ goto error_exit; -+ } -+ -+ grub_memcpy (buffer_aligned, data, context.size_of_headers); -+ -+ entry_point = image_address (buffer_aligned, context.image_size, -+ context.entry_point); -+ -+ grub_dprintf ("chain", "entry_point: %p\n", entry_point); -+ if (!entry_point) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid entry point"); -+ goto error_exit; -+ } -+ -+ char *reloc_base, *reloc_base_end; -+ grub_dprintf ("chain", "reloc_dir: %p reloc_size: 0x%08x\n", -+ (void *)(unsigned long)context.reloc_dir->rva, -+ context.reloc_dir->size); -+ reloc_base = image_address (buffer_aligned, context.image_size, -+ context.reloc_dir->rva); -+ /* RelocBaseEnd here is the address of the last byte of the table */ -+ reloc_base_end = image_address (buffer_aligned, context.image_size, -+ context.reloc_dir->rva -+ + context.reloc_dir->size - 1); -+ grub_dprintf ("chain", "reloc_base: %p reloc_base_end: %p\n", -+ reloc_base, reloc_base_end); -+ -+ struct grub_pe32_section_table 
*reloc_section = NULL, fake_reloc_section; -+ -+ section = context.first_section; -+ for (i = 0; i < context.number_of_sections; i++, section++) -+ { -+ char name[9]; -+ -+ base = image_address (buffer_aligned, context.image_size, -+ section->virtual_address); -+ end = image_address (buffer_aligned, context.image_size, -+ section->virtual_address + section->virtual_size -1); -+ -+ grub_strncpy(name, section->name, 9); -+ name[8] = '\0'; -+ grub_dprintf ("chain", "Section %d \"%s\" at %p..%p\n", i, -+ name, base, end); -+ -+ if (end < base) -+ { -+ grub_dprintf ("chain", " base is %p but end is %p... bad.\n", -+ base, end); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, -+ "Image has invalid negative size"); -+ goto error_exit; -+ } -+ -+ if (section->virtual_address <= context.entry_point && -+ (section->virtual_address + section->raw_data_size - 1) -+ > context.entry_point) -+ { -+ found_entry_point++; -+ grub_dprintf ("chain", " section contains entry point\n"); -+ } -+ -+ /* We do want to process .reloc, but it's often marked -+ * discardable, so we don't want to memcpy it. */ -+ if (grub_memcmp (section->name, ".reloc\0\0", 8) == 0) -+ { -+ if (reloc_section) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, -+ "Image has multiple relocation sections"); -+ goto error_exit; -+ } -+ -+ /* If it has nonzero sizes, and our bounds check -+ * made sense, and the VA and size match RelocDir's -+ * versions, then we believe in this section table. */ -+ if (section->raw_data_size && section->virtual_size && -+ base && end && reloc_base == base) -+ { -+ if (reloc_base_end == end) -+ { -+ grub_dprintf ("chain", " section is relocation section\n"); -+ reloc_section = section; -+ } -+ else if (reloc_base_end && reloc_base_end < end) -+ { -+ /* Bogus virtual size in the reloc section -- RelocDir -+ * reported a smaller Base Relocation Directory. Decrease -+ * the section's virtual size so that it equal RelocDir's -+ * idea, but only for the purposes of relocate_coff(). 
*/ -+ grub_dprintf ("chain", -+ " section is (overlong) relocation section\n"); -+ grub_memcpy (&fake_reloc_section, section, sizeof *section); -+ fake_reloc_section.virtual_size -= (end - reloc_base_end); -+ reloc_section = &fake_reloc_section; -+ } -+ } -+ -+ if (!reloc_section) -+ { -+ grub_dprintf ("chain", " section is not reloc section?\n"); -+ grub_dprintf ("chain", " rds: 0x%08x, vs: %08x\n", -+ section->raw_data_size, section->virtual_size); -+ grub_dprintf ("chain", " base: %p end: %p\n", base, end); -+ grub_dprintf ("chain", " reloc_base: %p reloc_base_end: %p\n", -+ reloc_base, reloc_base_end); -+ } -+ } -+ -+ grub_dprintf ("chain", " Section characteristics are %08x\n", -+ section->characteristics); -+ grub_dprintf ("chain", " Section virtual size: %08x\n", -+ section->virtual_size); -+ grub_dprintf ("chain", " Section raw_data size: %08x\n", -+ section->raw_data_size); -+ if (section->characteristics & GRUB_PE32_SCN_MEM_DISCARDABLE) -+ { -+ grub_dprintf ("chain", " Discarding section\n"); -+ continue; -+ } -+ -+ if (!base || !end) -+ { -+ grub_dprintf ("chain", " section is invalid\n"); -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid section size"); -+ goto error_exit; -+ } -+ -+ if (section->characteristics & GRUB_PE32_SCN_CNT_UNINITIALIZED_DATA) -+ { -+ if (section->raw_data_size != 0) -+ grub_dprintf ("chain", " UNINITIALIZED_DATA section has data?\n"); -+ } -+ else if (section->virtual_address < context.size_of_headers || -+ section->raw_data_offset < context.size_of_headers) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, -+ "Section %d is inside image headers", i); -+ goto error_exit; -+ } -+ -+ if (section->raw_data_size > 0) -+ { -+ grub_dprintf ("chain", " copying 0x%08x bytes to %p\n", -+ section->raw_data_size, base); -+ grub_memcpy (base, -+ (grub_efi_uint8_t*)data + section->raw_data_offset, -+ section->raw_data_size); -+ } -+ -+ if (section->raw_data_size < section->virtual_size) -+ { -+ grub_dprintf ("chain", " padding with 0x%08x bytes at 
%p\n", -+ section->virtual_size - section->raw_data_size, -+ base + section->raw_data_size); -+ grub_memset (base + section->raw_data_size, 0, -+ section->virtual_size - section->raw_data_size); -+ } -+ -+ grub_dprintf ("chain", " finished section %s\n", name); -+ } -+ -+ /* 5 == EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC */ -+ if (context.number_of_rva_and_sizes <= 5) -+ { -+ grub_dprintf ("chain", "image has no relocation entry\n"); -+ goto error_exit; -+ } -+ -+ if (context.reloc_dir->size && reloc_section) -+ { -+ /* run the relocation fixups */ -+ efi_status = relocate_coff (&context, reloc_section, data, -+ buffer_aligned); -+ -+ if (efi_status != GRUB_EFI_SUCCESS) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "relocation failed"); -+ goto error_exit; -+ } -+ } -+ -+ if (!found_entry_point) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "entry point is not within sections"); -+ goto error_exit; -+ } -+ if (found_entry_point > 1) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "%d sections contain entry point", -+ found_entry_point); -+ goto error_exit; -+ } -+ -+ li = grub_efi_get_loaded_image (grub_efi_image_handle); -+ if (!li) -+ { -+ grub_error (GRUB_ERR_BAD_ARGUMENT, "no loaded image available"); -+ goto error_exit; -+ } -+ -+ grub_memcpy (&li_bak, li, sizeof (grub_efi_loaded_image_t)); -+ li->image_base = buffer_aligned; -+ li->image_size = context.image_size; -+ li->load_options = cmdline; -+ li->load_options_size = cmdline_len; -+ li->file_path = grub_efi_get_media_file_path (file_path); -+ li->device_handle = dev_handle; -+ if (!li->file_path) -+ { -+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "no matching file path found"); -+ goto error_exit; -+ } -+ -+ grub_dprintf ("chain", "booting via entry point\n"); -+ efi_status = efi_call_2 (entry_point, grub_efi_image_handle, -+ grub_efi_system_table); -+ -+ grub_dprintf ("chain", "entry_point returned %ld\n", efi_status); -+ grub_memcpy (li, &li_bak, sizeof (grub_efi_loaded_image_t)); -+ efi_status = efi_call_1 (b->free_pool, 
buffer); -+ -+ return 1; -+ -+error_exit: -+ grub_dprintf ("chain", "error_exit: grub_errno: %d\n", grub_errno); -+ if (buffer) -+ efi_call_1 (b->free_pool, buffer); -+ -+ return 0; -+} -+ -+static grub_err_t -+grub_secureboot_chainloader_unload (void) -+{ -+ grub_efi_boot_services_t *b; -+ -+ b = grub_efi_system_table->boot_services; -+ efi_call_2 (b->free_pages, address, pages); -+ grub_free (file_path); -+ grub_free (cmdline); -+ cmdline = 0; -+ file_path = 0; -+ dev_handle = 0; -+ -+ grub_dl_unref (my_mod); -+ return GRUB_ERR_NONE; -+} -+ -+static grub_err_t -+grub_load_and_start_image(void *boot_image) -+{ -+ grub_efi_boot_services_t *b; -+ grub_efi_status_t status; -+ grub_efi_loaded_image_t *loaded_image; -+ -+ b = grub_efi_system_table->boot_services; -+ -+ status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path, -+ boot_image, fsize, &image_handle); -+ if (status != GRUB_EFI_SUCCESS) -+ { -+ if (status == GRUB_EFI_OUT_OF_RESOURCES) -+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of resources"); -+ else -+ grub_error (GRUB_ERR_BAD_OS, "cannot load image"); -+ return -1; -+ } -+ -+ /* LoadImage does not set a device handler when the image is -+ loaded from memory, so it is necessary to set it explicitly here. -+ This is a mess. */ -+ loaded_image = grub_efi_get_loaded_image (image_handle); -+ if (! 
loaded_image) -+ { -+ grub_error (GRUB_ERR_BAD_OS, "no loaded image available"); -+ return -1; -+ } -+ loaded_image->device_handle = dev_handle; -+ -+ if (cmdline) -+ { -+ loaded_image->load_options = cmdline; -+ loaded_image->load_options_size = cmdline_len; -+ } -+ -+ return 0; -+} -+ -+static grub_err_t -+grub_secureboot_chainloader_boot (void) -+{ -+ int rc; -+ rc = handle_image ((void *)(unsigned long)address, fsize); -+ if (rc == 0) -+ { -+ grub_load_and_start_image((void *)(unsigned long)address); -+ } -+ -+ grub_loader_unset (); -+ return grub_errno; -+} -+ - static grub_err_t - grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - int argc, char *argv[]) - { - grub_file_t file = 0; -- grub_ssize_t size; - grub_efi_status_t status; - grub_efi_boot_services_t *b; - grub_device_t dev = 0; - grub_efi_device_path_t *dp = 0; -- grub_efi_loaded_image_t *loaded_image; - char *filename; - void *boot_image = 0; -- grub_efi_handle_t dev_handle = 0; -+ int rc; - - if (argc == 0) - return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); -@@ -238,15 +916,45 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - address = 0; - image_handle = 0; - file_path = 0; -+ dev_handle = 0; - - b = grub_efi_system_table->boot_services; - -+ if (argc > 1) -+ { -+ int i; -+ grub_efi_char16_t *p16; -+ -+ for (i = 1, cmdline_len = 0; i < argc; i++) -+ cmdline_len += grub_strlen (argv[i]) + 1; -+ -+ cmdline_len *= sizeof (grub_efi_char16_t); -+ cmdline = p16 = grub_malloc (cmdline_len); -+ if (! cmdline) -+ goto fail; -+ -+ for (i = 1; i < argc; i++) -+ { -+ char *p8; -+ -+ p8 = argv[i]; -+ while (*p8) -+ *(p16++) = *(p8++); -+ -+ *(p16++) = ' '; -+ } -+ *(--p16) = 0; -+ } -+ - file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE); - if (! file) - goto fail; - -- /* Get the root device's device path. */ -- dev = grub_device_open (0); -+ /* Get the device path from filename. 
*/ -+ char *devname = grub_file_get_device_name (filename); -+ dev = grub_device_open (devname); -+ if (devname) -+ grub_free (devname); - if (! dev) - goto fail; - -@@ -283,17 +991,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - if (! file_path) - goto fail; - -- grub_printf ("file path: "); -- grub_efi_print_device_path (file_path); -- -- size = grub_file_size (file); -- if (!size) -+ fsize = grub_file_size (file); -+ if (!fsize) - { - grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), - filename); - goto fail; - } -- pages = (((grub_efi_uintn_t) size + ((1 << 12) - 1)) >> 12); -+ pages = (((grub_efi_uintn_t) fsize + ((1 << 12) - 1)) >> 12); - - status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_ANY_PAGES, - GRUB_EFI_LOADER_CODE, -@@ -307,7 +1012,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - } - - boot_image = (void *) ((grub_addr_t) address); -- if (grub_file_read (file, boot_image, size) != size) -+ if (grub_file_read (file, boot_image, fsize) != fsize) - { - if (grub_errno == GRUB_ERR_NONE) - grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), -@@ -317,7 +1022,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - } - - #if defined (__i386__) || defined (__x86_64__) -- if (size >= (grub_ssize_t) sizeof (struct grub_macho_fat_header)) -+ if (fsize >= (grub_ssize_t) sizeof (struct grub_macho_fat_header)) - { - struct grub_macho_fat_header *head = boot_image; - if (head->magic -@@ -326,6 +1031,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - grub_uint32_t i; - struct grub_macho_fat_arch *archs - = (struct grub_macho_fat_arch *) (head + 1); -+ -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ { -+ grub_error (GRUB_ERR_BAD_OS, -+ "MACHO binaries are forbidden with Secure Boot"); -+ goto fail; -+ } -+ - for (i = 0; i < grub_cpu_to_le32 (head->nfat_arch); i++) - { - if (GRUB_MACHO_CPUTYPE_IS_HOST_CURRENT 
(archs[i].cputype)) -@@ -340,79 +1053,39 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - > ~grub_cpu_to_le32 (archs[i].size) - || grub_cpu_to_le32 (archs[i].offset) - + grub_cpu_to_le32 (archs[i].size) -- > (grub_size_t) size) -+ > (grub_size_t) fsize) - { - grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), - filename); - goto fail; - } - boot_image = (char *) boot_image + grub_cpu_to_le32 (archs[i].offset); -- size = grub_cpu_to_le32 (archs[i].size); -+ fsize = grub_cpu_to_le32 (archs[i].size); - } - } - #endif - -- status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path, -- boot_image, size, -- &image_handle); -- if (status != GRUB_EFI_SUCCESS) -+ rc = grub_linuxefi_secure_validate((void *)(unsigned long)address, fsize); -+ grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc); -+ if (rc > 0) - { -- if (status == GRUB_EFI_OUT_OF_RESOURCES) -- grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of resources"); -- else -- grub_error (GRUB_ERR_BAD_OS, "cannot load image"); -- -- goto fail; -+ grub_file_close (file); -+ grub_device_close (dev); -+ grub_loader_set (grub_secureboot_chainloader_boot, -+ grub_secureboot_chainloader_unload, 0); -+ return 0; - } -- -- /* LoadImage does not set a device handler when the image is -- loaded from memory, so it is necessary to set it explicitly here. -- This is a mess. */ -- loaded_image = grub_efi_get_loaded_image (image_handle); -- if (! loaded_image) -+ else if (rc == 0) - { -- grub_error (GRUB_ERR_BAD_OS, "no loaded image available"); -- goto fail; -- } -- loaded_image->device_handle = dev_handle; -- -- if (argc > 1) -- { -- int i, len; -- grub_efi_char16_t *p16; -- -- for (i = 1, len = 0; i < argc; i++) -- len += grub_strlen (argv[i]) + 1; -- -- len *= sizeof (grub_efi_char16_t); -- cmdline = p16 = grub_malloc (len); -- if (! 
cmdline) -- goto fail; -+ grub_load_and_start_image(boot_image); -+ grub_file_close (file); -+ grub_device_close (dev); -+ grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0); - -- for (i = 1; i < argc; i++) -- { -- char *p8; -- -- p8 = argv[i]; -- while (*p8) -- *(p16++) = *(p8++); -- -- *(p16++) = ' '; -- } -- *(--p16) = 0; -- -- loaded_image->load_options = cmdline; -- loaded_image->load_options_size = len; -+ return 0; - } - -- grub_file_close (file); -- grub_device_close (dev); -- -- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0); -- return 0; -- -- fail: -- -+fail: - if (dev) - grub_device_close (dev); - -@@ -424,6 +1097,9 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), - if (address) - efi_call_2 (b->free_pages, address, pages); - -+ if (cmdline) -+ grub_free (cmdline); -+ - grub_dl_unref (my_mod); - - return grub_errno; -diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c -index c24202a5dd1..c8ecce6dfd0 100644 ---- a/grub-core/loader/efi/linux.c -+++ b/grub-core/loader/efi/linux.c -@@ -33,21 +33,34 @@ struct grub_efi_shim_lock - }; - typedef struct grub_efi_shim_lock grub_efi_shim_lock_t; - --grub_efi_boolean_t -+int - grub_linuxefi_secure_validate (void *data, grub_uint32_t size) - { - grub_efi_guid_t guid = SHIM_LOCK_GUID; - grub_efi_shim_lock_t *shim_lock; -+ grub_efi_status_t status; - - shim_lock = grub_efi_locate_protocol(&guid, NULL); -- -+ grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock); - if (!shim_lock) -- return 1; -+ { -+ grub_dprintf ("secureboot", "shim not available\n"); -+ return 0; -+ } - -- if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS) -- return 1; -+ grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n"); -+ status = shim_lock->verify (data, size); -+ grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status); -+ if (status == GRUB_EFI_SUCCESS) -+ { -+ grub_dprintf ("secureboot", "Kernel signature 
verification passed\n"); -+ return 1; -+ } - -- return 0; -+ grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n", -+ (unsigned long) status); -+ -+ return -1; - } - - #pragma GCC diagnostic push -diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c -index bb2616a8092..6b24cbb9483 100644 ---- a/grub-core/loader/i386/efi/linux.c -+++ b/grub-core/loader/i386/efi/linux.c -@@ -117,6 +117,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), - goto fail; - } - -+ grub_dprintf ("linux", "initrd_mem = %lx\n", (unsigned long) initrd_mem); -+ - params->ramdisk_size = size; - params->ramdisk_image = (grub_uint32_t)(grub_addr_t) initrd_mem; - -@@ -159,6 +161,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - struct linux_i386_kernel_header lh; - grub_ssize_t len, start, filelen; - void *kernel = NULL; -+ int rc; - - grub_dl_ref (my_mod); - -@@ -184,11 +187,13 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - - if (grub_file_read (file, kernel, filelen) != filelen) - { -- grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"), argv[0]); -+ grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"), -+ argv[0]); - goto fail; - } - -- if (! 
grub_linuxefi_secure_validate (kernel, filelen)) -+ rc = grub_linuxefi_secure_validate (kernel, filelen); -+ if (rc < 0) - { - grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), - argv[0]); -@@ -203,6 +208,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - goto fail; - } - -+ grub_dprintf ("linux", "params = %lx\n", (unsigned long) params); -+ - grub_memset (params, 0, 16384); - - grub_memcpy (&lh, kernel, sizeof (lh)); -@@ -241,6 +248,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - goto fail; - } - -+ grub_dprintf ("linux", "linux_cmdline = %lx\n", -+ (unsigned long)linux_cmdline); -+ - grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE)); - grub_create_loader_cmdline (argc, argv, - linux_cmdline + sizeof (LINUX_IMAGE) - 1, -@@ -275,9 +285,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - grub_memcpy (params, &lh, 2 * 512); - - params->type_of_loader = 0x21; -+ grub_dprintf("linux", "kernel_mem: %p handover_offset: %08x\n", -+ kernel_mem, handover_offset); - - fail: -- - if (file) - grub_file_close (file); - -diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h -index d9ede36773b..0033d9305a9 100644 ---- a/include/grub/efi/linux.h -+++ b/include/grub/efi/linux.h -@@ -22,7 +22,7 @@ - #include - #include - --grub_efi_boolean_t -+int - EXPORT_FUNC(grub_linuxefi_secure_validate) (void *data, grub_uint32_t size); - grub_err_t - EXPORT_FUNC(grub_efi_linux_boot) (void *kernel_address, grub_off_t offset, -diff --git a/include/grub/efi/pe32.h b/include/grub/efi/pe32.h -index 0ed8781f037..a43adf27464 100644 ---- a/include/grub/efi/pe32.h -+++ b/include/grub/efi/pe32.h -@@ -223,7 +223,11 @@ struct grub_pe64_optional_header - struct grub_pe32_section_table - { - char name[8]; -- grub_uint32_t virtual_size; -+ union -+ { -+ grub_uint32_t physical_address; -+ grub_uint32_t virtual_size; -+ }; - grub_uint32_t virtual_address; - grub_uint32_t raw_data_size; - grub_uint32_t 
raw_data_offset; -@@ -234,12 +238,18 @@ struct grub_pe32_section_table - grub_uint32_t characteristics; - }; - -+#define GRUB_PE32_SCN_TYPE_NO_PAD 0x00000008 - #define GRUB_PE32_SCN_CNT_CODE 0x00000020 - #define GRUB_PE32_SCN_CNT_INITIALIZED_DATA 0x00000040 --#define GRUB_PE32_SCN_MEM_DISCARDABLE 0x02000000 --#define GRUB_PE32_SCN_MEM_EXECUTE 0x20000000 --#define GRUB_PE32_SCN_MEM_READ 0x40000000 --#define GRUB_PE32_SCN_MEM_WRITE 0x80000000 -+#define GRUB_PE32_SCN_CNT_UNINITIALIZED_DATA 0x00000080 -+#define GRUB_PE32_SCN_LNK_OTHER 0x00000100 -+#define GRUB_PE32_SCN_LNK_INFO 0x00000200 -+#define GRUB_PE32_SCN_LNK_REMOVE 0x00000800 -+#define GRUB_PE32_SCN_LNK_COMDAT 0x00001000 -+#define GRUB_PE32_SCN_GPREL 0x00008000 -+#define GRUB_PE32_SCN_MEM_16BIT 0x00020000 -+#define GRUB_PE32_SCN_MEM_LOCKED 0x00040000 -+#define GRUB_PE32_SCN_MEM_PRELOAD 0x00080000 - - #define GRUB_PE32_SCN_ALIGN_1BYTES 0x00100000 - #define GRUB_PE32_SCN_ALIGN_2BYTES 0x00200000 -@@ -248,10 +258,28 @@ struct grub_pe32_section_table - #define GRUB_PE32_SCN_ALIGN_16BYTES 0x00500000 - #define GRUB_PE32_SCN_ALIGN_32BYTES 0x00600000 - #define GRUB_PE32_SCN_ALIGN_64BYTES 0x00700000 -+#define GRUB_PE32_SCN_ALIGN_128BYTES 0x00800000 -+#define GRUB_PE32_SCN_ALIGN_256BYTES 0x00900000 -+#define GRUB_PE32_SCN_ALIGN_512BYTES 0x00A00000 -+#define GRUB_PE32_SCN_ALIGN_1024BYTES 0x00B00000 -+#define GRUB_PE32_SCN_ALIGN_2048BYTES 0x00C00000 -+#define GRUB_PE32_SCN_ALIGN_4096BYTES 0x00D00000 -+#define GRUB_PE32_SCN_ALIGN_8192BYTES 0x00E00000 - - #define GRUB_PE32_SCN_ALIGN_SHIFT 20 - #define GRUB_PE32_SCN_ALIGN_MASK 7 - -+#define GRUB_PE32_SCN_LNK_NRELOC_OVFL 0x01000000 -+#define GRUB_PE32_SCN_MEM_DISCARDABLE 0x02000000 -+#define GRUB_PE32_SCN_MEM_NOT_CACHED 0x04000000 -+#define GRUB_PE32_SCN_MEM_NOT_PAGED 0x08000000 -+#define GRUB_PE32_SCN_MEM_SHARED 0x10000000 -+#define GRUB_PE32_SCN_MEM_EXECUTE 0x20000000 -+#define GRUB_PE32_SCN_MEM_READ 0x40000000 -+#define GRUB_PE32_SCN_MEM_WRITE 0x80000000 -+ -+ -+ - #define 
GRUB_PE32_SIGNATURE_SIZE 4 - - struct grub_pe32_header -@@ -274,6 +302,20 @@ struct grub_pe32_header - #endif - }; - -+struct grub_pe32_header_32 -+{ -+ char signature[GRUB_PE32_SIGNATURE_SIZE]; -+ struct grub_pe32_coff_header coff_header; -+ struct grub_pe32_optional_header optional_header; -+}; -+ -+struct grub_pe32_header_64 -+{ -+ char signature[GRUB_PE32_SIGNATURE_SIZE]; -+ struct grub_pe32_coff_header coff_header; -+ struct grub_pe64_optional_header optional_header; -+}; -+ - struct grub_pe32_fixup_block - { - grub_uint32_t page_rva; diff --git a/SPECS/grub2/0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch b/SPECS/grub2/0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch deleted file mode 100644 index 3182fe99305..00000000000 --- a/SPECS/grub2/0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch +++ /dev/null 
@@ -1,390 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 6 Oct 2015 16:09:25 -0400 -Subject: [PATCH] Make any of the loaders that link in efi mode honor secure - boot. - -And in this case "honor" means "even if somebody does link this in, they -won't register commands if SB is enabled." - -Signed-off-by: Peter Jones ---- - grub-core/commands/iorw.c | 7 +++++++ - grub-core/commands/memrw.c | 7 +++++++ - grub-core/kern/dl.c | 3 ++- - grub-core/kern/efi/efi.c | 34 ---------------------------------- - grub-core/loader/efi/appleloader.c | 7 +++++++ - grub-core/loader/efi/chainloader.c | 1 + - grub-core/loader/i386/bsd.c | 7 +++++++ - grub-core/loader/i386/linux.c | 7 +++++++ - grub-core/loader/i386/pc/linux.c | 7 +++++++ - grub-core/loader/multiboot.c | 7 +++++++ - grub-core/loader/xnu.c | 7 +++++++ - include/grub/efi/efi.h | 1 - - include/grub/ia64/linux.h | 0 - include/grub/mips/linux.h | 0 - include/grub/powerpc/linux.h | 0 - include/grub/sparc64/linux.h | 0 - 16 files changed, 59 insertions(+), 36 deletions(-) - create mode 100644 include/grub/ia64/linux.h - create mode 100644 include/grub/mips/linux.h - create mode 100644 include/grub/powerpc/linux.h - create mode 100644 include/grub/sparc64/linux.h - -diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c -index 584baec8f91..7b2999b14b5 100644 ---- a/grub-core/commands/iorw.c -+++ b/grub-core/commands/iorw.c -@@ -24,6 +24,7 @@ - #include - #include - #include -+#include - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -119,6 +120,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv) - - GRUB_MOD_INIT(memrw) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - cmd_read_byte = - grub_register_extcmd ("inb", grub_cmd_read, 0, - N_("PORT"), N_("Read 8-bit value from PORT."), -@@ -147,6 +151,9 @@ GRUB_MOD_INIT(memrw) - - GRUB_MOD_FINI(memrw) - { -+ if (grub_efi_get_secureboot () == 
GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - grub_unregister_extcmd (cmd_read_byte); - grub_unregister_extcmd (cmd_read_word); - grub_unregister_extcmd (cmd_read_dword); -diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c -index d401a6db0ef..39cf3a06dbd 100644 ---- a/grub-core/commands/memrw.c -+++ b/grub-core/commands/memrw.c -@@ -23,6 +23,7 @@ - #include - #include - #include -+#include - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -121,6 +122,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv) - - GRUB_MOD_INIT(memrw) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - cmd_read_byte = - grub_register_extcmd ("read_byte", grub_cmd_read, 0, - N_("ADDR"), N_("Read 8-bit value from ADDR."), -@@ -149,6 +153,9 @@ GRUB_MOD_INIT(memrw) - - GRUB_MOD_FINI(memrw) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - grub_unregister_extcmd (cmd_read_byte); - grub_unregister_extcmd (cmd_read_word); - grub_unregister_extcmd (cmd_read_dword); -diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c -index b7149370950..7afb9e6f724 100644 ---- a/grub-core/kern/dl.c -+++ b/grub-core/kern/dl.c -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - - /* Platforms where modules are in a readonly area of memory. 
*/ - #if defined(GRUB_MACHINE_QEMU) -@@ -704,7 +705,7 @@ grub_dl_load_file (const char *filename) - grub_dl_t mod = 0; - - #ifdef GRUB_MACHINE_EFI -- if (grub_efi_secure_boot ()) -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) - { - #if 0 - /* This is an error, but grub2-mkconfig still generates a pile of -diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c -index 4a2259aa1c7..8cff7be0289 100644 ---- a/grub-core/kern/efi/efi.c -+++ b/grub-core/kern/efi/efi.c -@@ -286,40 +286,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid, - return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL); - } - --grub_efi_boolean_t --grub_efi_secure_boot (void) --{ -- grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; -- grub_size_t datasize; -- char *secure_boot = NULL; -- char *setup_mode = NULL; -- grub_efi_boolean_t ret = 0; -- -- secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize); -- if (datasize != 1 || !secure_boot) -- { -- grub_dprintf ("secureboot", "No SecureBoot variable\n"); -- goto out; -- } -- grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot); -- -- setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize); -- if (datasize != 1 || !setup_mode) -- { -- grub_dprintf ("secureboot", "No SetupMode variable\n"); -- goto out; -- } -- grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode); -- -- if (*secure_boot && !*setup_mode) -- ret = 1; -- -- out: -- grub_free (secure_boot); -- grub_free (setup_mode); -- return ret; --} -- - #pragma GCC diagnostic ignored "-Wcast-align" - - /* Search the mods section from the PE32/PE32+ image. 
This code uses -diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c -index 74888c463ba..585f2b57385 100644 ---- a/grub-core/loader/efi/appleloader.c -+++ b/grub-core/loader/efi/appleloader.c -@@ -24,6 +24,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -227,6 +228,9 @@ static grub_command_t cmd; - - GRUB_MOD_INIT(appleloader) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - cmd = grub_register_command ("appleloader", grub_cmd_appleloader, - N_("[OPTS]"), - /* TRANSLATORS: This command is used on EFI to -@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader) - - GRUB_MOD_FINI(appleloader) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - grub_unregister_command (cmd); - } -diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c -index b54cf6986fc..3ff305b1d32 100644 ---- a/grub-core/loader/efi/chainloader.c -+++ b/grub-core/loader/efi/chainloader.c -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - #include -diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c -index 5f3290ce17b..54befc26626 100644 ---- a/grub-core/loader/i386/bsd.c -+++ b/grub-core/loader/i386/bsd.c -@@ -40,6 +40,7 @@ - #ifdef GRUB_MACHINE_PCBIOS - #include - #endif -+#include - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -2137,6 +2138,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk; - - GRUB_MOD_INIT (bsd) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - /* Net and OpenBSD kernels are often compressed. 
*/ - grub_dl_load ("gzio"); - -@@ -2176,6 +2180,9 @@ GRUB_MOD_INIT (bsd) - - GRUB_MOD_FINI (bsd) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - grub_unregister_extcmd (cmd_freebsd); - grub_unregister_extcmd (cmd_openbsd); - grub_unregister_extcmd (cmd_netbsd); -diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c -index dccf3bb3005..4aeb0e4b9a6 100644 ---- a/grub-core/loader/i386/linux.c -+++ b/grub-core/loader/i386/linux.c -@@ -37,6 +37,7 @@ - #include - #include - #include -+#include - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -1138,6 +1139,9 @@ static grub_command_t cmd_linux, cmd_initrd; - - GRUB_MOD_INIT(linux) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - cmd_linux = grub_register_command ("linux", grub_cmd_linux, - 0, N_("Load Linux.")); - cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd, -@@ -1147,6 +1151,9 @@ GRUB_MOD_INIT(linux) - - GRUB_MOD_FINI(linux) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - grub_unregister_command (cmd_linux); - grub_unregister_command (cmd_initrd); - } -diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c -index 4b1750e360e..e3fa1221e81 100644 ---- a/grub-core/loader/i386/pc/linux.c -+++ b/grub-core/loader/i386/pc/linux.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -487,6 +488,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16; - - GRUB_MOD_INIT(linux16) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - cmd_linux = - grub_register_command ("linux", grub_cmd_linux, - 0, N_("Load Linux.")); -@@ -504,6 +508,9 @@ GRUB_MOD_INIT(linux16) - - GRUB_MOD_FINI(linux16) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - grub_unregister_command (cmd_linux); - grub_unregister_command 
(cmd_linux16); - grub_unregister_command (cmd_initrd); -diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c -index facb13f3d36..47e481f4576 100644 ---- a/grub-core/loader/multiboot.c -+++ b/grub-core/loader/multiboot.c -@@ -50,6 +50,7 @@ - #include - #include - #include -+#include - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -444,6 +445,9 @@ static grub_command_t cmd_multiboot, cmd_module; - - GRUB_MOD_INIT(multiboot) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - cmd_multiboot = - #ifdef GRUB_USE_MULTIBOOT2 - grub_register_command ("multiboot2", grub_cmd_multiboot, -@@ -464,6 +468,9 @@ GRUB_MOD_INIT(multiboot) - - GRUB_MOD_FINI(multiboot) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - grub_unregister_command (cmd_multiboot); - grub_unregister_command (cmd_module); - } -diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c -index 1c0cf6a430a..baa54e652ab 100644 ---- a/grub-core/loader/xnu.c -+++ b/grub-core/loader/xnu.c -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - - GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -1497,6 +1498,9 @@ static grub_extcmd_t cmd_splash; - - GRUB_MOD_INIT(xnu) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0, - N_("Load XNU image.")); - cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64, -@@ -1540,6 +1544,9 @@ GRUB_MOD_INIT(xnu) - - GRUB_MOD_FINI(xnu) - { -+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) -+ return; -+ - #ifndef GRUB_MACHINE_EMU - grub_unregister_command (cmd_resume); - #endif -diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h -index 6295df85f3f..585fa6662b6 100644 ---- a/include/grub/efi/efi.h -+++ b/include/grub/efi/efi.h -@@ -91,7 +91,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var, - const grub_efi_guid_t *guid, - void *data, 
- grub_size_t datasize); --grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void); - int - EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1, - const grub_efi_device_path_t *dp2); -diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h -new file mode 100644 -index 00000000000..e69de29bb2d -diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h -new file mode 100644 -index 00000000000..e69de29bb2d -diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h -new file mode 100644 -index 00000000000..e69de29bb2d -diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h -new file mode 100644 -index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch b/SPECS/grub2/0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch deleted file mode 100644 index f3aae389907..00000000000 --- a/SPECS/grub2/0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch +++ /dev/null 
@@ -1,264 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 8 Jul 2019 12:32:37 +0200 -Subject: [PATCH] Handle multi-arch (64-on-32) boot in linuxefi loader. - -Allow booting 64-bit kernels on 32-bit EFI on x86. - -Signed-off-by: Peter Jones ---- - grub-core/loader/efi/linux.c | 9 +++- - grub-core/loader/i386/efi/linux.c | 110 ++++++++++++++++++++++++++------------ - include/grub/i386/linux.h | 7 ++- - 3 files changed, 89 insertions(+), 37 deletions(-) - -diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c -index c8ecce6dfd0..0622dfa48d4 100644 ---- a/grub-core/loader/efi/linux.c -+++ b/grub-core/loader/efi/linux.c -@@ -69,12 +69,17 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size) - typedef void (*handover_func) (void *, grub_efi_system_table_t *, void *); - - grub_err_t --grub_efi_linux_boot (void *kernel_addr, grub_off_t offset, -+grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset, - void *kernel_params) - { - handover_func hf; -+ int offset = 0; - -- hf = (handover_func)((char *)kernel_addr + offset); -+#ifdef __x86_64__ -+ offset = 512; -+#endif -+ -+ hf = (handover_func)((char *)kernel_addr + handover_offset + offset); - hf (grub_efi_image_handle, grub_efi_system_table, kernel_params); - - return GRUB_ERR_BUG; -diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c -index 6b24cbb9483..3017d0f3e52 100644 ---- a/grub-core/loader/i386/efi/linux.c -+++ b/grub-core/loader/i386/efi/linux.c -@@ -44,14 +44,10 @@ static char *linux_cmdline; - static grub_err_t - grub_linuxefi_boot (void) - { -- int offset = 0; -- --#ifdef __x86_64__ -- offset = 512; --#endif - asm volatile ("cli"); - -- return grub_efi_linux_boot ((char *)kernel_mem, handover_offset + offset, -+ return grub_efi_linux_boot ((char *)kernel_mem, -+ handover_offset, - params); - } - -@@ -153,14 +149,20 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), 
- return grub_errno; - } - -+#define MIN(a, b) \ -+ ({ typeof (a) _a = (a); \ -+ typeof (b) _b = (b); \ -+ _a < _b ? _a : _b; }) -+ - static grub_err_t - grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - int argc, char *argv[]) - { - grub_file_t file = 0; -- struct linux_i386_kernel_header lh; -- grub_ssize_t len, start, filelen; -+ struct linux_i386_kernel_header *lh = NULL; -+ grub_ssize_t start, filelen; - void *kernel = NULL; -+ int setup_header_end_offset; - int rc; - - grub_dl_ref (my_mod); -@@ -200,48 +202,79 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - goto fail; - } - -- params = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(16384)); -- -+ params = grub_efi_allocate_pages_max (0x3fffffff, -+ BYTES_TO_PAGES(sizeof(*params))); - if (! params) - { - grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters"); - goto fail; - } - -- grub_dprintf ("linux", "params = %lx\n", (unsigned long) params); -+ grub_dprintf ("linux", "params = %p\n", params); - -- grub_memset (params, 0, 16384); -+ grub_memset (params, 0, sizeof(*params)); - -- grub_memcpy (&lh, kernel, sizeof (lh)); -- -- if (lh.boot_flag != grub_cpu_to_le16 (0xaa55)) -+ setup_header_end_offset = *((grub_uint8_t *)kernel + 0x201); -+ grub_dprintf ("linux", "copying %lu bytes from %p to %p\n", -+ MIN((grub_size_t)0x202+setup_header_end_offset, -+ sizeof (*params)) - 0x1f1, -+ (grub_uint8_t *)kernel + 0x1f1, -+ (grub_uint8_t *)params + 0x1f1); -+ grub_memcpy ((grub_uint8_t *)params + 0x1f1, -+ (grub_uint8_t *)kernel + 0x1f1, -+ MIN((grub_size_t)0x202+setup_header_end_offset,sizeof (*params)) - 0x1f1); -+ lh = (struct linux_i386_kernel_header *)params; -+ grub_dprintf ("linux", "lh is at %p\n", lh); -+ grub_dprintf ("linux", "checking lh->boot_flag\n"); -+ if (lh->boot_flag != grub_cpu_to_le16 (0xaa55)) - { - grub_error (GRUB_ERR_BAD_OS, N_("invalid magic number")); - goto fail; - } - -- if (lh.setup_sects > GRUB_LINUX_MAX_SETUP_SECTS) -+ grub_dprintf 
("linux", "checking lh->setup_sects\n"); -+ if (lh->setup_sects > GRUB_LINUX_MAX_SETUP_SECTS) - { - grub_error (GRUB_ERR_BAD_OS, N_("too many setup sectors")); - goto fail; - } - -- if (lh.version < grub_cpu_to_le16 (0x020b)) -+ grub_dprintf ("linux", "checking lh->version\n"); -+ if (lh->version < grub_cpu_to_le16 (0x020b)) - { - grub_error (GRUB_ERR_BAD_OS, N_("kernel too old")); - goto fail; - } - -- if (!lh.handover_offset) -+ grub_dprintf ("linux", "checking lh->handover_offset\n"); -+ if (!lh->handover_offset) - { - grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support EFI handover")); - goto fail; - } - -+#if defined(__x86_64__) || defined(__aarch64__) -+ grub_dprintf ("linux", "checking lh->xloadflags\n"); -+ if (!(lh->xloadflags & LINUX_XLF_KERNEL_64)) -+ { -+ grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support 64-bit CPUs")); -+ goto fail; -+ } -+#endif -+ -+#if defined(__i386__) -+ if ((lh->xloadflags & LINUX_XLF_KERNEL_64) && -+ !(lh->xloadflags & LINUX_XLF_EFI_HANDOVER_32)) -+ { -+ grub_error (GRUB_ERR_BAD_OS, -+ N_("kernel doesn't support 32-bit handover")); -+ goto fail; -+ } -+#endif -+ - grub_dprintf ("linux", "setting up cmdline\n"); - linux_cmdline = grub_efi_allocate_pages_max(0x3fffffff, -- BYTES_TO_PAGES(lh.cmdline_size + 1)); -- -+ BYTES_TO_PAGES(lh->cmdline_size + 1)); - if (!linux_cmdline) - { - grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate cmdline")); -@@ -254,22 +287,24 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE)); - grub_create_loader_cmdline (argc, argv, - linux_cmdline + sizeof (LINUX_IMAGE) - 1, -- lh.cmdline_size - (sizeof (LINUX_IMAGE) - 1), -+ lh->cmdline_size - (sizeof (LINUX_IMAGE) - 1), - GRUB_VERIFY_KERNEL_CMDLINE); - -- lh.cmd_line_ptr = (grub_uint32_t)(grub_addr_t)linux_cmdline; -+ grub_dprintf ("linux", "cmdline:%s\n", linux_cmdline); -+ grub_dprintf ("linux", "setting lh->cmd_line_ptr\n"); -+ lh->cmd_line_ptr = 
(grub_uint32_t)(grub_addr_t)linux_cmdline; - -- handover_offset = lh.handover_offset; -+ grub_dprintf ("linux", "computing handover offset\n"); -+ handover_offset = lh->handover_offset; - -- start = (lh.setup_sects + 1) * 512; -- len = grub_file_size(file) - start; -+ start = (lh->setup_sects + 1) * 512; - -- kernel_mem = grub_efi_allocate_pages_max(lh.pref_address, -- BYTES_TO_PAGES(lh.init_size)); -+ kernel_mem = grub_efi_allocate_pages_max(lh->pref_address, -+ BYTES_TO_PAGES(lh->init_size)); - - if (!kernel_mem) - kernel_mem = grub_efi_allocate_pages_max(0x3fffffff, -- BYTES_TO_PAGES(lh.init_size)); -+ BYTES_TO_PAGES(lh->init_size)); - - if (!kernel_mem) - { -@@ -277,14 +312,21 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - goto fail; - } - -- grub_memcpy (kernel_mem, (char *)kernel + start, len); -+ grub_dprintf ("linux", "kernel_mem = %lx\n", (unsigned long) kernel_mem); -+ - grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0); - loaded=1; -+ grub_dprintf ("linux", "setting lh->code32_start to %p\n", kernel_mem); -+ lh->code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem; - -- lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem; -- grub_memcpy (params, &lh, 2 * 512); -+ grub_memcpy (kernel_mem, (char *)kernel + start, filelen - start); - -- params->type_of_loader = 0x21; -+ grub_dprintf ("linux", "setting lh->type_of_loader\n"); -+ lh->type_of_loader = 0x6; -+ -+ grub_dprintf ("linux", "setting lh->ext_loader_{type,ver}\n"); -+ params->ext_loader_type = 0; -+ params->ext_loader_ver = 2; - grub_dprintf("linux", "kernel_mem: %p handover_offset: %08x\n", - kernel_mem, handover_offset); - -@@ -301,10 +343,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - loaded = 0; - } - -- if (linux_cmdline && !loaded) -+ if (linux_cmdline && lh && !loaded) - grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t) - linux_cmdline, -- BYTES_TO_PAGES(lh.cmdline_size + 1)); -+ BYTES_TO_PAGES(lh->cmdline_size + 1)); 
- - if (kernel_mem && !loaded) - grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)kernel_mem, -diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h -index eddf9251d9a..25ef52c04eb 100644 ---- a/include/grub/i386/linux.h -+++ b/include/grub/i386/linux.h -@@ -138,7 +138,12 @@ struct linux_i386_kernel_header - grub_uint32_t kernel_alignment; - grub_uint8_t relocatable; - grub_uint8_t min_alignment; -- grub_uint8_t pad[2]; -+#define LINUX_XLF_KERNEL_64 (1<<0) -+#define LINUX_XLF_CAN_BE_LOADED_ABOVE_4G (1<<1) -+#define LINUX_XLF_EFI_HANDOVER_32 (1<<2) -+#define LINUX_XLF_EFI_HANDOVER_64 (1<<3) -+#define LINUX_XLF_EFI_KEXEC (1<<4) -+ grub_uint16_t xloadflags; - grub_uint32_t cmdline_size; - grub_uint32_t hardware_subarch; - grub_uint64_t hardware_subarch_data; diff --git a/SPECS/grub2/0017-Pass-x-hex-hex-straight-through-unmolested.patch b/SPECS/grub2/0017-Pass-x-hex-hex-straight-through-unmolested.patch deleted file mode 100644 index b81abb54583..00000000000 --- a/SPECS/grub2/0017-Pass-x-hex-hex-straight-through-unmolested.patch +++ /dev/null 
@@ -1,173 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 1 Oct 2012 13:24:37 -0400 -Subject: [PATCH] Pass "\x[[:hex:]][[:hex:]]" straight through unmolested. - -Don't munge raw spaces when we're doing our cmdline escaping (#923374) - -Signed-off-by: Peter Jones ---- - grub-core/commands/wildcard.c | 16 +++++++++++++++- - grub-core/lib/cmdline.c | 25 +++++++++++++++++++++++-- - grub-core/script/execute.c | 43 +++++++++++++++++++++++++++++++++++++------ - 3 files changed, 75 insertions(+), 9 deletions(-) - -diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c -index cc3290311f0..8f67a4be7f0 100644 ---- a/grub-core/commands/wildcard.c -+++ b/grub-core/commands/wildcard.c -@@ -488,6 +488,12 @@ check_file (const char *dir, const char *basename) - return ctx.found; - } - -+static int -+is_hex(char c) -+{ -+ return ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')); -+} -+ - static void - unescape (char *out, const char *in, const char *end) - { -@@ -496,7 +502,15 @@ unescape (char *out, const char *in, const char *end) - - for (optr = out, iptr = in; iptr < end;) - { -- if (*iptr == '\\' && iptr + 1 < end) -+ if (*iptr == '\\' && iptr + 3 < end && iptr[1] == 'x' && is_hex(iptr[2]) && is_hex(iptr[3])) -+ { -+ *optr++ = *iptr++; -+ *optr++ = *iptr++; -+ *optr++ = *iptr++; -+ *optr++ = *iptr++; -+ continue; -+ } -+ else if (*iptr == '\\' && iptr + 1 < end) - { - *optr++ = iptr[1]; - iptr += 2; -diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c -index ed0b149dca5..8e2294d8ff6 100644 ---- a/grub-core/lib/cmdline.c -+++ b/grub-core/lib/cmdline.c -@@ -20,6 +20,12 @@ - #include - #include - -+static int -+is_hex(char c) -+{ -+ return ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')); -+} -+ - static unsigned int check_arg (char *c, int *has_space) - { - int space = 0; -@@ -27,7 +33,13 @@ static unsigned int check_arg (char *c, 
int *has_space) - - while (*c) - { -- if (*c == '\\' || *c == '\'' || *c == '"') -+ if (*c == '\\' && *(c+1) == 'x' && is_hex(*(c+2)) && is_hex(*(c+3))) -+ { -+ size += 4; -+ c += 4; -+ continue; -+ } -+ else if (*c == '\\' || *c == '\'' || *c == '"') - size++; - else if (*c == ' ') - space = 1; -@@ -86,7 +98,16 @@ grub_create_loader_cmdline (int argc, char *argv[], char *buf, - - while (*c) - { -- if (*c == '\\' || *c == '\'' || *c == '"') -+ if (*c == '\\' && *(c+1) == 'x' && -+ is_hex(*(c+2)) && is_hex(*(c+3))) -+ { -+ *buf++ = *c++; -+ *buf++ = *c++; -+ *buf++ = *c++; -+ *buf++ = *c++; -+ continue; -+ } -+ else if (*c == '\\' || *c == '\'' || *c == '"') - *buf++ = '\\'; - - *buf++ = *c; -diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c -index ad80399246a..0c6dd9c5201 100644 ---- a/grub-core/script/execute.c -+++ b/grub-core/script/execute.c -@@ -56,6 +56,12 @@ static struct grub_script_scope *scope = 0; - /* Wildcard translator for GRUB script. */ - struct grub_script_wildcard_translator *grub_wildcard_translator; - -+static int -+is_hex(char c) -+{ -+ return ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')); -+} -+ - static char* - wildcard_escape (const char *s) - { -@@ -72,7 +78,15 @@ wildcard_escape (const char *s) - i = 0; - while ((ch = *s++)) - { -- if (ch == '*' || ch == '\\' || ch == '?') -+ if (ch == '\\' && s[0] == 'x' && is_hex(s[1]) && is_hex(s[2])) -+ { -+ p[i++] = ch; -+ p[i++] = *s++; -+ p[i++] = *s++; -+ p[i++] = *s++; -+ continue; -+ } -+ else if (ch == '*' || ch == '\\' || ch == '?') - p[i++] = '\\'; - p[i++] = ch; - } -@@ -96,7 +110,14 @@ wildcard_unescape (const char *s) - i = 0; - while ((ch = *s++)) - { -- if (ch == '\\') -+ if (ch == '\\' && s[0] == 'x' && is_hex(s[1]) && is_hex(s[2])) -+ { -+ p[i++] = '\\'; -+ p[i++] = *s++; -+ p[i++] = *s++; -+ p[i++] = *s++; -+ } -+ else if (ch == '\\') - p[i++] = *s++; - else - p[i++] = ch; -@@ -398,10 +419,20 @@ parse_string (const char *str, - switch 
(*ptr) - { - case '\\': -- escaped = !escaped; -- if (!escaped && put) -- *(put++) = '\\'; -- ptr++; -+ if (!escaped && put && *(ptr+1) == 'x' && is_hex(*(ptr+2)) && is_hex(*(ptr+3))) -+ { -+ *(put++) = *ptr++; -+ *(put++) = *ptr++; -+ *(put++) = *ptr++; -+ *(put++) = *ptr++; -+ } -+ else -+ { -+ escaped = !escaped; -+ if (!escaped && put) -+ *(put++) = '\\'; -+ ptr++; -+ } - break; - case '$': - if (escaped) diff --git a/SPECS/grub2/0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch b/SPECS/grub2/0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch deleted file mode 100644 index 79399654283..00000000000 --- a/SPECS/grub2/0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch +++ /dev/null 
@@ -1,1959 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 4 Mar 2014 11:00:23 -0500 -Subject: [PATCH] Replace a lot of man pages with slightly nicer ones. - -Replace a bunch of machine generated ones with ones that look nicer. ---- - configure.ac | 23 ++++++ - conf/Makefile.extra-dist | 1 - - docs/Makefile.am | 2 - - docs/man/grub-bios-setup.h2m | 6 -- - docs/man/grub-editenv.h2m | 5 -- - docs/man/grub-emu.h2m | 6 -- - docs/man/grub-file.h2m | 2 - - docs/man/grub-fstest.h2m | 4 - - docs/man/grub-glue-efi.h2m | 4 - - docs/man/grub-install.h2m | 6 -- - docs/man/grub-kbdcomp.h2m | 10 --- - docs/man/grub-macbless.h2m | 4 - - docs/man/grub-macho2img.h2m | 4 - - docs/man/grub-menulst2cfg.h2m | 4 - - docs/man/grub-mkconfig.h2m | 4 - - docs/man/grub-mkfont.h2m | 4 - - docs/man/grub-mkimage.h2m | 6 -- - docs/man/grub-mklayout.h2m | 10 --- - docs/man/grub-mknetdir.h2m | 4 - - docs/man/grub-mkpasswd-pbkdf2.h2m | 4 - - docs/man/grub-mkrelpath.h2m | 4 - - docs/man/grub-mkrescue.h2m | 4 - - docs/man/grub-mkstandalone.h2m | 4 - - docs/man/grub-mount.h2m | 2 - - docs/man/grub-ofpathname.h2m | 4 - - docs/man/grub-pe2elf.h2m | 4 - - docs/man/grub-probe.h2m | 4 - - docs/man/grub-reboot.h2m | 5 -- - docs/man/grub-render-label.h2m | 3 - - docs/man/grub-script-check.h2m | 4 - - docs/man/grub-set-default.h2m | 5 -- - docs/man/grub-sparc64-setup.h2m | 6 -- - docs/man/grub-syslinux2cfg.h2m | 4 - - gentpl.py | 5 +- - util/grub-bios-setup.8 | 54 +++++++++++++ - util/grub-editenv.1 | 46 +++++++++++ - util/grub-file.1 | 165 ++++++++++++++++++++++++++++++++++++++ - util/grub-fstest.1 | 99 +++++++++++++++++++++++ - util/grub-glue-efi.1 | 31 +++++++ - util/grub-install.8 | 128 +++++++++++++++++++++++++++++ - util/grub-kbdcomp.1 | 19 +++++ - util/grub-macbless.1 | 22 +++++ - util/grub-menulst2cfg.1 | 12 +++ - util/grub-mkconfig.8 | 17 ++++ - util/grub-mkfont.1 | 87 ++++++++++++++++++++ - util/grub-mkimage.1 | 95 ++++++++++++++++++++++ 
- util/grub-mklayout.1 | 27 +++++++ - util/grub-mknetdir.1 | 12 +++ - util/grub-mkpasswd-pbkdf2.1 | 27 +++++++ - util/grub-mkrelpath.1 | 12 +++ - util/grub-mkrescue.1 | 123 ++++++++++++++++++++++++++++ - util/grub-mkstandalone.1 | 100 +++++++++++++++++++++++ - util/grub-ofpathname.8 | 12 +++ - util/grub-probe.8 | 80 ++++++++++++++++++ - util/grub-reboot.8 | 21 +++++ - util/grub-render-label.1 | 51 ++++++++++++ - util/grub-script-check.1 | 21 +++++ - util/grub-set-default.8 | 21 +++++ - util/grub-sparc64-setup.8 | 12 +++ - 59 files changed, 1318 insertions(+), 147 deletions(-) - delete mode 100644 docs/man/grub-bios-setup.h2m - delete mode 100644 docs/man/grub-editenv.h2m - delete mode 100644 docs/man/grub-emu.h2m - delete mode 100644 docs/man/grub-file.h2m - delete mode 100644 docs/man/grub-fstest.h2m - delete mode 100644 docs/man/grub-glue-efi.h2m - delete mode 100644 docs/man/grub-install.h2m - delete mode 100644 docs/man/grub-kbdcomp.h2m - delete mode 100644 docs/man/grub-macbless.h2m - delete mode 100644 docs/man/grub-macho2img.h2m - delete mode 100644 docs/man/grub-menulst2cfg.h2m - delete mode 100644 docs/man/grub-mkconfig.h2m - delete mode 100644 docs/man/grub-mkfont.h2m - delete mode 100644 docs/man/grub-mkimage.h2m - delete mode 100644 docs/man/grub-mklayout.h2m - delete mode 100644 docs/man/grub-mknetdir.h2m - delete mode 100644 docs/man/grub-mkpasswd-pbkdf2.h2m - delete mode 100644 docs/man/grub-mkrelpath.h2m - delete mode 100644 docs/man/grub-mkrescue.h2m - delete mode 100644 docs/man/grub-mkstandalone.h2m - delete mode 100644 docs/man/grub-mount.h2m - delete mode 100644 docs/man/grub-ofpathname.h2m - delete mode 100644 docs/man/grub-pe2elf.h2m - delete mode 100644 docs/man/grub-probe.h2m - delete mode 100644 docs/man/grub-reboot.h2m - delete mode 100644 docs/man/grub-render-label.h2m - delete mode 100644 docs/man/grub-script-check.h2m - delete mode 100644 docs/man/grub-set-default.h2m - delete mode 100644 docs/man/grub-sparc64-setup.h2m - delete mode 
100644 docs/man/grub-syslinux2cfg.h2m - create mode 100644 util/grub-bios-setup.8 - create mode 100644 util/grub-editenv.1 - create mode 100644 util/grub-file.1 - create mode 100644 util/grub-fstest.1 - create mode 100644 util/grub-glue-efi.1 - create mode 100644 util/grub-install.8 - create mode 100644 util/grub-kbdcomp.1 - create mode 100644 util/grub-macbless.1 - create mode 100644 util/grub-menulst2cfg.1 - create mode 100644 util/grub-mkconfig.8 - create mode 100644 util/grub-mkfont.1 - create mode 100644 util/grub-mkimage.1 - create mode 100644 util/grub-mklayout.1 - create mode 100644 util/grub-mknetdir.1 - create mode 100644 util/grub-mkpasswd-pbkdf2.1 - create mode 100644 util/grub-mkrelpath.1 - create mode 100644 util/grub-mkrescue.1 - create mode 100644 util/grub-mkstandalone.1 - create mode 100644 util/grub-ofpathname.8 - create mode 100644 util/grub-probe.8 - create mode 100644 util/grub-reboot.8 - create mode 100644 util/grub-render-label.1 - create mode 100644 util/grub-script-check.1 - create mode 100644 util/grub-set-default.8 - create mode 100644 util/grub-sparc64-setup.8 - -diff --git a/configure.ac b/configure.ac -index c0103b30d4e..b8c4d52dfd1 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -77,6 +77,29 @@ grub_TRANSFORM([grub-set-default]) - grub_TRANSFORM([grub-sparc64-setup]) - grub_TRANSFORM([grub-render-label]) - grub_TRANSFORM([grub-file]) -+grub_TRANSFORM([grub-bios-setup.3]) -+grub_TRANSFORM([grub-editenv.1]) -+grub_TRANSFORM([grub-fstest.3]) -+grub_TRANSFORM([grub-glue-efi.3]) -+grub_TRANSFORM([grub-install.1]) -+grub_TRANSFORM([grub-kbdcomp.3]) -+grub_TRANSFORM([grub-menulst2cfg.1]) -+grub_TRANSFORM([grub-mkconfig.1]) -+grub_TRANSFORM([grub-mkfont.3]) -+grub_TRANSFORM([grub-mkimage.1]) -+grub_TRANSFORM([grub-mklayout.3]) -+grub_TRANSFORM([grub-mknetdir.3]) -+grub_TRANSFORM([grub-mkpasswd-pbkdf2.3]) -+grub_TRANSFORM([grub-mkrelpath.3]) -+grub_TRANSFORM([grub-mkrescue.1]) -+grub_TRANSFORM([grub-mkstandalone.3]) 
-+grub_TRANSFORM([grub-ofpathname.3]) -+grub_TRANSFORM([grub-probe.3]) -+grub_TRANSFORM([grub-reboot.3]) -+grub_TRANSFORM([grub-render-label.3]) -+grub_TRANSFORM([grub-script-check.3]) -+grub_TRANSFORM([grub-set-default.1]) -+grub_TRANSFORM([grub-sparc64-setup.3]) - - # Optimization flag. Allow user to override. - if test "x$TARGET_CFLAGS" = x; then -diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist -index 8f1485d52a5..b909f2c073a 100644 ---- a/conf/Makefile.extra-dist -+++ b/conf/Makefile.extra-dist -@@ -11,7 +11,6 @@ EXTRA_DIST += unicode - EXTRA_DIST += util/import_gcry.py - EXTRA_DIST += util/import_unicode.py - --EXTRA_DIST += docs/man - EXTRA_DIST += docs/autoiso.cfg - EXTRA_DIST += docs/grub.cfg - EXTRA_DIST += docs/osdetect.cfg -diff --git a/docs/Makefile.am b/docs/Makefile.am -index 93eb3962765..ab28f199694 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -5,5 +5,3 @@ info_TEXINFOS = grub.texi grub-dev.texi - grub_TEXINFOS = fdl.texi - - EXTRA_DIST = font_char_metrics.png font_char_metrics.txt -- -- -diff --git a/docs/man/grub-bios-setup.h2m b/docs/man/grub-bios-setup.h2m -deleted file mode 100644 -index ac6ede36296..00000000000 ---- a/docs/man/grub-bios-setup.h2m -+++ /dev/null -@@ -1,6 +0,0 @@ --[NAME] --grub-bios-setup \- set up a device to boot using GRUB --[SEE ALSO] --.BR grub-install (8), --.BR grub-mkimage (1), --.BR grub-mkrescue (1) -diff --git a/docs/man/grub-editenv.h2m b/docs/man/grub-editenv.h2m -deleted file mode 100644 -index 3859d3d4c4f..00000000000 ---- a/docs/man/grub-editenv.h2m -+++ /dev/null -@@ -1,5 +0,0 @@ --[NAME] --grub-editenv \- edit GRUB environment block --[SEE ALSO] --.BR grub-reboot (8), --.BR grub-set-default (8) -diff --git a/docs/man/grub-emu.h2m b/docs/man/grub-emu.h2m -deleted file mode 100644 -index ef1c000656a..00000000000 ---- a/docs/man/grub-emu.h2m -+++ /dev/null -@@ -1,6 +0,0 @@ --[NAME] --grub-emu \- GRUB emulator --[SEE ALSO] --If you are trying to install GRUB, then you should use --.BR 
grub-install (8) --rather than this program. -diff --git a/docs/man/grub-file.h2m b/docs/man/grub-file.h2m -deleted file mode 100644 -index e09bb4d3101..00000000000 ---- a/docs/man/grub-file.h2m -+++ /dev/null -@@ -1,2 +0,0 @@ --[NAME] --grub-file \- check file type -diff --git a/docs/man/grub-fstest.h2m b/docs/man/grub-fstest.h2m -deleted file mode 100644 -index 9676b159afd..00000000000 ---- a/docs/man/grub-fstest.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-fstest \- debug tool for GRUB filesystem drivers --[SEE ALSO] --.BR grub-probe (8) -diff --git a/docs/man/grub-glue-efi.h2m b/docs/man/grub-glue-efi.h2m -deleted file mode 100644 -index c1c6ded49ff..00000000000 ---- a/docs/man/grub-glue-efi.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-glue-efi \- generate a fat binary for EFI --[DESCRIPTION] --grub-glue-efi processes ia32 and amd64 EFI images and glues them according to Apple format. -diff --git a/docs/man/grub-install.h2m b/docs/man/grub-install.h2m -deleted file mode 100644 -index 8cbbc87a0f2..00000000000 ---- a/docs/man/grub-install.h2m -+++ /dev/null -@@ -1,6 +0,0 @@ --[NAME] --grub-install \- install GRUB to a device --[SEE ALSO] --.BR grub-mkconfig (8), --.BR grub-mkimage (1), --.BR grub-mkrescue (1) -diff --git a/docs/man/grub-kbdcomp.h2m b/docs/man/grub-kbdcomp.h2m -deleted file mode 100644 -index d81f9157e01..00000000000 ---- a/docs/man/grub-kbdcomp.h2m -+++ /dev/null -@@ -1,10 +0,0 @@ --[NAME] --grub-kbdcomp \- generate a GRUB keyboard layout file --[DESCRIPTION] --grub-kbdcomp processes a X keyboard layout description in --.BR keymaps (5) --format into a format that can be used by GRUB's --.B keymap --command. 
--[SEE ALSO] --.BR grub-mklayout (8) -diff --git a/docs/man/grub-macbless.h2m b/docs/man/grub-macbless.h2m -deleted file mode 100644 -index 0197c0087d7..00000000000 ---- a/docs/man/grub-macbless.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-macbless \- bless a mac file/directory --[SEE ALSO] --.BR grub-install (1) -diff --git a/docs/man/grub-macho2img.h2m b/docs/man/grub-macho2img.h2m -deleted file mode 100644 -index d79aaeed8f9..00000000000 ---- a/docs/man/grub-macho2img.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-macho2img \- convert Mach-O to raw image --[SEE ALSO] --.BR grub-mkimage (1) -diff --git a/docs/man/grub-menulst2cfg.h2m b/docs/man/grub-menulst2cfg.h2m -deleted file mode 100644 -index c2e0055ed7e..00000000000 ---- a/docs/man/grub-menulst2cfg.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-menulst2cfg \- transform legacy menu.lst into grub.cfg --[SEE ALSO] --.BR grub-mkconfig (8) -diff --git a/docs/man/grub-mkconfig.h2m b/docs/man/grub-mkconfig.h2m -deleted file mode 100644 -index 9b42f813010..00000000000 ---- a/docs/man/grub-mkconfig.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-mkconfig \- generate a GRUB configuration file --[SEE ALSO] --.BR grub-install (8) -diff --git a/docs/man/grub-mkfont.h2m b/docs/man/grub-mkfont.h2m -deleted file mode 100644 -index d46fe600eca..00000000000 ---- a/docs/man/grub-mkfont.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-mkfont \- make GRUB font files --[SEE ALSO] --.BR grub-mkconfig (8) -diff --git a/docs/man/grub-mkimage.h2m b/docs/man/grub-mkimage.h2m -deleted file mode 100644 -index f0fbc2bb197..00000000000 ---- a/docs/man/grub-mkimage.h2m -+++ /dev/null -@@ -1,6 +0,0 @@ --[NAME] --grub-mkimage \- make a bootable image of GRUB --[SEE ALSO] --.BR grub-install (8), --.BR grub-mkrescue (1), --.BR grub-mknetdir (8) -diff --git a/docs/man/grub-mklayout.h2m b/docs/man/grub-mklayout.h2m -deleted file mode 100644 -index 1e43409c0ab..00000000000 ---- a/docs/man/grub-mklayout.h2m -+++ /dev/null 
-@@ -1,10 +0,0 @@ --[NAME] --grub-mklayout \- generate a GRUB keyboard layout file --[DESCRIPTION] --grub-mklayout processes a keyboard layout description in --.BR keymaps (5) --format into a format that can be used by GRUB's --.B keymap --command. --[SEE ALSO] --.BR grub-mkconfig (8) -diff --git a/docs/man/grub-mknetdir.h2m b/docs/man/grub-mknetdir.h2m -deleted file mode 100644 -index a2ef13ec111..00000000000 ---- a/docs/man/grub-mknetdir.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-mknetdir \- prepare a GRUB netboot directory. --[SEE ALSO] --.BR grub-mkimage (1) -diff --git a/docs/man/grub-mkpasswd-pbkdf2.h2m b/docs/man/grub-mkpasswd-pbkdf2.h2m -deleted file mode 100644 -index 4d202f3da7e..00000000000 ---- a/docs/man/grub-mkpasswd-pbkdf2.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-mkpasswd-pbkdf2 \- generate hashed password for GRUB --[SEE ALSO] --.BR grub-mkconfig (8) -diff --git a/docs/man/grub-mkrelpath.h2m b/docs/man/grub-mkrelpath.h2m -deleted file mode 100644 -index d01f3961e3f..00000000000 ---- a/docs/man/grub-mkrelpath.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-mkrelpath \- make a system path relative to its root --[SEE ALSO] --.BR grub-probe (8) -diff --git a/docs/man/grub-mkrescue.h2m b/docs/man/grub-mkrescue.h2m -deleted file mode 100644 -index a427f02e3c6..00000000000 ---- a/docs/man/grub-mkrescue.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-mkrescue \- make a GRUB rescue image --[SEE ALSO] --.BR grub-mkimage (1) -diff --git a/docs/man/grub-mkstandalone.h2m b/docs/man/grub-mkstandalone.h2m -deleted file mode 100644 -index c77313978ad..00000000000 ---- a/docs/man/grub-mkstandalone.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-mkstandalone \- make a memdisk-based GRUB image --[SEE ALSO] --.BR grub-mkimage (1) -diff --git a/docs/man/grub-mount.h2m b/docs/man/grub-mount.h2m -deleted file mode 100644 -index 8d168982d72..00000000000 ---- a/docs/man/grub-mount.h2m -+++ /dev/null -@@ -1,2 +0,0 @@ --[NAME] --grub-mount \- 
export GRUB filesystem with FUSE
-diff --git a/docs/man/grub-ofpathname.h2m b/docs/man/grub-ofpathname.h2m
-deleted file mode 100644
-index 74b43eea039..00000000000
---- a/docs/man/grub-ofpathname.h2m
-+++ /dev/null
-@@ -1,4 +0,0 @@
--[NAME]
--grub-ofpathname \- find OpenBOOT path for a device
--[SEE ALSO]
--.BR grub-probe (8)
-diff --git a/docs/man/grub-pe2elf.h2m b/docs/man/grub-pe2elf.h2m
-deleted file mode 100644
-index 7ca29bd703c..00000000000
---- a/docs/man/grub-pe2elf.h2m
-+++ /dev/null
-@@ -1,4 +0,0 @@
--[NAME]
--grub-pe2elf \- convert PE image to ELF
--[SEE ALSO]
--.BR grub-mkimage (1)
-diff --git a/docs/man/grub-probe.h2m b/docs/man/grub-probe.h2m
-deleted file mode 100644
-index 6e1ffdcf937..00000000000
---- a/docs/man/grub-probe.h2m
-+++ /dev/null
-@@ -1,4 +0,0 @@
--[NAME]
--grub-probe \- probe device information for GRUB
--[SEE ALSO]
--.BR grub-fstest (1)
-diff --git a/docs/man/grub-reboot.h2m b/docs/man/grub-reboot.h2m
-deleted file mode 100644
-index e4acace65ce..00000000000
---- a/docs/man/grub-reboot.h2m
-+++ /dev/null
-@@ -1,5 +0,0 @@
--[NAME]
--grub-reboot \- set the default boot entry for GRUB, for the next boot only
--[SEE ALSO]
--.BR grub-set-default (8),
--.BR grub-editenv (1)
-diff --git a/docs/man/grub-render-label.h2m b/docs/man/grub-render-label.h2m
-deleted file mode 100644
-index 50ae5247c05..00000000000
---- a/docs/man/grub-render-label.h2m
-+++ /dev/null
-@@ -1,3 +0,0 @@
--[NAME]
--grub-render-label \- generate a .disk_label for Apple Macs.
-- -diff --git a/docs/man/grub-script-check.h2m b/docs/man/grub-script-check.h2m -deleted file mode 100644 -index 3653682671a..00000000000 ---- a/docs/man/grub-script-check.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-script-check \- check grub.cfg for syntax errors --[SEE ALSO] --.BR grub-mkconfig (8) -diff --git a/docs/man/grub-set-default.h2m b/docs/man/grub-set-default.h2m -deleted file mode 100644 -index 7945001c154..00000000000 ---- a/docs/man/grub-set-default.h2m -+++ /dev/null -@@ -1,5 +0,0 @@ --[NAME] --grub-set-default \- set the saved default boot entry for GRUB --[SEE ALSO] --.BR grub-reboot (8), --.BR grub-editenv (1) -diff --git a/docs/man/grub-sparc64-setup.h2m b/docs/man/grub-sparc64-setup.h2m -deleted file mode 100644 -index 18f803a50db..00000000000 ---- a/docs/man/grub-sparc64-setup.h2m -+++ /dev/null -@@ -1,6 +0,0 @@ --[NAME] --grub-sparc64-setup \- set up a device to boot using GRUB --[SEE ALSO] --.BR grub-install (8), --.BR grub-mkimage (1), --.BR grub-mkrescue (1) -diff --git a/docs/man/grub-syslinux2cfg.h2m b/docs/man/grub-syslinux2cfg.h2m -deleted file mode 100644 -index ad25c8ab753..00000000000 ---- a/docs/man/grub-syslinux2cfg.h2m -+++ /dev/null -@@ -1,4 +0,0 @@ --[NAME] --grub-syslinux2cfg \- transform syslinux config into grub.cfg --[SEE ALSO] --.BR grub-menulst2cfg (8) -diff --git a/gentpl.py b/gentpl.py -index c86550d4f9e..2cba0bbbd6f 100644 ---- a/gentpl.py -+++ b/gentpl.py -@@ -805,10 +805,7 @@ def manpage(defn, adddeps): - - output("if COND_MAN_PAGES\n") - gvar_add("man_MANS", name + "." + mansection) -- rule(name + "." + mansection, name + " " + adddeps, """ --chmod a+x """ + name + """ --PATH=$(builddir):$$PATH pkgdatadir=$(builddir) $(HELP2MAN) --section=""" + mansection + """ -i $(top_srcdir)/docs/man/""" + name + """.h2m -o $@ """ + name + """ --""") -+ rule(name + "." + mansection, name + " " + adddeps, "cat $(top_srcdir)/util/" + name + "." 
+ mansection + " | $(top_builddir)/config.status --file=$@:-") - gvar_add("CLEANFILES", name + "." + mansection) - output("endif\n") - -diff --git a/util/grub-bios-setup.8 b/util/grub-bios-setup.8 -new file mode 100644 -index 00000000000..56f582b3d75 ---- /dev/null -+++ b/util/grub-bios-setup.8 -@@ -0,0 +1,54 @@ -+.TH GRUB-BIOS-SETUP 3 "Wed Feb 26 2014" -+.SH NAME -+\fBgrub-bios-setup\fR \(em Set up images to boot from a device. -+ -+.SH SYNOPSIS -+\fBgrub-bios-setup\fR [-a | --allow-floppy] [-b | --boot-image=\fIFILE\fR] -+.RS 17 -+[-c | --core-image=\fIFILE\fR] [-d | --directory=\fIDIR\fR] -+.RE -+.RS 17 -+[-f | --force] [-m | --device-map=\fIFILE\fR] -+.RE -+.RS 17 -+[-s | --skip-fs-probe] [-v | --verbose] \fIDEVICE\fR -+ -+.SH DESCRIPTION -+You should not normally run this program directly. Use grub-install instead. -+ -+.SH OPTIONS -+.TP -+\fB--allow-floppy\fR -+Make the device also bootable as a floppy. This option is the default for -+/dev/fdX devices. Some BIOSes will not boot images created with this option. -+ -+.TP -+\fB--boot-image\fR=\fIFILE\fR -+Use FILE as the boot image. The default value is \fBboot.img\fR. -+ -+.TP -+\fB--core-image\fR=\fIFILE\fR -+Use FILE as ther core image. The default value is \fBcore.img\fR. -+ -+.TP -+\fB--directory\fR=\fIDIR\fR -+Use GRUB files in the directory DIR. The default value is \fB/boot/grub\fR. -+ -+.TP -+\fB--force\fR -+Install even if problems are detected. -+ -+.TP -+\fB--device-map\fR=\fIFILE\fR -+Use FILE as the device map. The default value is /boot/grub/device.map . -+ -+.TP -+\fB--skip-fs-probe\fR -+Do not probe DEVICE for filesystems. -+ -+.TP -+\fB--verbose\fR -+Print verbose messages. -+ -+.SH SEE ALSO -+.BR "info grub" -diff --git a/util/grub-editenv.1 b/util/grub-editenv.1 -new file mode 100644 -index 00000000000..d28ba03ba42 ---- /dev/null -+++ b/util/grub-editenv.1 -@@ -0,0 +1,46 @@ -+.TH GRUB-EDITENV 1 "Wed Feb 26 2014" -+.SH NAME -+\fBgrub-editenv\fR \(em Manage the GRUB environment block. 
-+
-+.SH SYNOPSIS
-+\fBgrub-editenv\fR [-v | --verbose] [\fIFILE\fR]
-+.RS 14
-+
-+
-+.SH DESCRIPTION
-+\fBgrub-editenv\fR is a command line tool to manage GRUB's stored environment.
-+
-+.SH OPTIONS
-+.TP
-+\fB--verbose\fR
-+Print verbose messages.
-+
-+.TP
-+\fBFILE\fR
-+.RS 7
-+File name to use for grub environment. Default is /boot/grub/grubenv .
-+.RE
-+
-+.SH COMMANDS
-+.TP
-+\fBcreate\fR
-+.RS 7
-+Create a blank environment block file.
-+.RE
-+
-+.TP
-+\fBlist\fR
-+.RS 7
-+List the current variables.
-+.RE
-+
-+.TP
-+\fBset\fR [\fINAME\fR=\fIVALUE\fR ...]
-+Set variables.
-+
-+.TP
-+\fBunset [\fINAME\fR ...]
-+Delete variables.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-file.1 b/util/grub-file.1
-new file mode 100644
-index 00000000000..b29cb327889
---- /dev/null
-+++ b/util/grub-file.1
-@@ -0,0 +1,165 @@
-+.TH GRUB-FILE 1 "Web Feb 26 2014"
-+.SH NAME
-+\fBgrub-file\fR \(em Check if FILE is of specified type.
-+
-+.SH SYNOPSIS
-+\fBgrub-file\fR (--is-i386-xen-pae-domu | --is-x86_64-xen-domu |
-+.RS 11
-+--is-x86-xen-dom0 | --is-x86-multiboot |
-+.RE
-+.RS 11
-+--is-x86-multiboot2 | --is-arm-linux | --is-arm64-linux |
-+.RE
-+.RS 11
-+--is-ia64-linux | --is-mips-linux | --is-mipsel-linux |
-+.RE
-+.RS 11
-+--is-sparc64-linux | --is-powerpc-linux | --is-x86-linux |
-+.RE
-+.RS 11
-+--is-x86-linux32 | --is-x86-kfreebsd | --is-i386-kfreebsd |
-+.RE
-+.RS 11
-+--is-x86_64-kfreebsd | --is-x86-knetbsd |
-+.RE
-+.RS 11
-+--is-i386-knetbsd | --is-x86_64-knetbsd | --is-i386-efi |
-+.RE
-+.RS 11
-+--is-x86_64-efi | --is-ia64-efi | --is-arm64-efi |
-+.RE
-+.RS 11
-+--is-arm-efi | --is-hibernated-hiberfil | --is-x86_64-xnu |
-+.RE
-+.RS 11
-+--is-i386-xnu | --is-xnu-hibr | --is-x86-bios-bootsector)
-+.RE
-+.RS 11
-+\fIFILE\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-file\fR is used to check if \fIFILE\fR is of a specified type.
-+
-+.SH OPTIONS
-+.TP
-+--is-i386-xen-pae-domu
-+Check if FILE can be booted as i386 PAE Xen unprivileged guest kernel
-+
-+.TP
-+--is-x86_64-xen-domu
-+Check if FILE can be booted as x86_64 Xen unprivileged guest kernel
-+
-+.TP
-+--is-x86-xen-dom0
-+Check if FILE can be used as Xen x86 privileged guest kernel
-+
-+.TP
-+--is-x86-multiboot
-+Check if FILE can be used as x86 multiboot kernel
-+
-+.TP
-+--is-x86-multiboot2
-+Check if FILE can be used as x86 multiboot2 kernel
-+
-+.TP
-+--is-arm-linux
-+Check if FILE is ARM Linux
-+
-+.TP
-+--is-arm64-linux
-+Check if FILE is ARM64 Linux
-+
-+.TP
-+--is-ia64-linux
-+Check if FILE is IA64 Linux
-+
-+.TP
-+--is-mips-linux
-+Check if FILE is MIPS Linux
-+
-+.TP
-+--is-mipsel-linux
-+Check if FILE is MIPSEL Linux
-+
-+.TP
-+--is-sparc64-linux
-+Check if FILE is SPARC64 Linux
-+
-+.TP
-+--is-powerpc-linux
-+Check if FILE is POWERPC Linux
-+
-+.TP
-+--is-x86-linux
-+Check if FILE is x86 Linux
-+
-+.TP
-+--is-x86-linux32
-+Check if FILE is x86 Linux supporting 32-bit protocol
-+
-+.TP
-+--is-x86-kfreebsd
-+Check if FILE is x86 kFreeBSD
-+
-+.TP
-+--is-i386-kfreebsd
-+Check if FILE is i386 kFreeBSD
-+
-+.TP
-+--is-x86_64-kfreebsd
-+Check if FILE is x86_64 kFreeBSD
-+
-+.TP
-+--is-x86-knetbsd
-+Check if FILE is x86 kNetBSD
-+
-+.TP
-+--is-i386-knetbsd
-+Check if FILE is i386 kNetBSD
-+
-+.TP
-+--is-x86_64-knetbsd
-+Check if FILE is x86_64 kNetBSD
-+
-+.TP
-+--is-i386-efi
-+Check if FILE is i386 EFI file
-+
-+.TP
-+--is-x86_64-efi
-+Check if FILE is x86_64 EFI file
-+
-+.TP
-+--is-ia64-efi
-+Check if FILE is IA64 EFI file
-+
-+.TP
-+--is-arm64-efi
-+Check if FILE is ARM64 EFI file
-+
-+.TP
-+--is-arm-efi
-+Check if FILE is ARM EFI file
-+
-+.TP
-+--is-hibernated-hiberfil
-+Check if FILE is hiberfil.sys in hibernated state
-+
-+.TP
-+--is-x86_64-xnu
-+Check if FILE is x86_64 XNU (Mac OS X kernel)
-+
-+.TP
-+--is-i386-xnu
-+Check if FILE is i386 XNU (Mac OS X kernel)
-+
-+.TP
-+--is-xnu-hibr
-+Check if FILE is XNU (Mac OS X 
kernel) hibernated image
-+
-+.TP
-+--is-x86-bios-bootsector
-+Check if FILE is BIOS bootsector
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-fstest.1 b/util/grub-fstest.1
-new file mode 100644
-index 00000000000..792fa78634c
---- /dev/null
-+++ b/util/grub-fstest.1
-@@ -0,0 +1,99 @@
-+.TH GRUB-FSTEST 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-fstest\fR — Debug tool for GRUB's filesystem driver.
-+
-+.SH SYNOPSIS
-+\fBgrub-fstest\fR [-c | --diskcount=\fINUM\fR] [-C | --crypto]
-+.RS 13
-+[-d | --debug=\fISTRING\fR] [-K | --zfs-key=\fIFILE\fR|\fIprompt\fR]
-+.RE
-+.RS 13
-+[-n | --length=\fINUM\fR] [-r | --root=\fIDEVICE_NAME\fR]
-+.RE
-+.RS 13
-+[-s | --skip=\fINUM\fR] [-u | --uncompress] [-v | --verbose]
-+.RE
-+.RS 13
-+\fIIMAGE_PATH\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-fstest\fR is a tool for testing GRUB's filesystem drivers. You should not normally need to run this program.
-+
-+.SH OPTIONS
-+.TP
-+\fB--diskcount\fR=\fINUM\fR
-+Specify the number of input files.
-+
-+.TP
-+\fB--crypto\fR
-+Mount cryptographic devices.
-+
-+.TP
-+\fB--debug\fR=\fISTRING\fR
-+Set debug environment variable.
-+
-+.TP
-+\fB--zfs-key\fR=\fIFILE\fR|\fIprompt\fR
-+Load ZFS cryptographic key.
-+
-+.TP
-+\fB--length\fR=\fINUM\fR
-+Handle NUM bytes in output file.
-+
-+.TP
-+\fB--root\fR=\fIDEVICE_NAME\fR
-+Set root device.
-+
-+.TP
-+\fB--skip\fR=\fINUM\fR
-+Skip NUM bytes from output file.
-+
-+.TP
-+\fB--uncompress\fR
-+Uncompress data.
-+
-+.TP
-+\fB--verbose\fR
-+Print verbose messages.
-+
-+.SH COMMANDS
-+.TP
-+\fBblocklist\fR \fIFILE\fR
-+Display block list of \fIFILE\fR.
-+
-+.TP
-+\fBcat\fR \fIFILE\fR
-+Display \fIFILE\fR on standard output.
-+
-+.TP
-+\fBcmp\fR \fIFILE\fR \fILOCAL\fR
-+Compare \fIFILE\fR with local file \fILOCAL\fR.
-+
-+.TP
-+\fBcp\fR \fIFILE\fR \fILOCAL\fR
-+Copy \fIFILE\fR to local file \fILOCAL\fR.
-+
-+.TP
-+\fBcrc\fR \fIFILE\fR
-+Display the CRC-32 checksum of \fIFILE\fR.
-+
-+.TP
-+\fBhex\fR \fIFILE\fR
-+Display contents of \fIFILE\fR in hexidecimal.
-+
-+.TP
-+\fBls\fR \fIPATH\fR
-+List files at \fIPATH\fR.
-+
-+.TP
-+\fBxnu_uuid\fR \fIDEVICE\fR
-+Display the XNU UUID of \fIDEVICE\fR.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-glue-efi.1 b/util/grub-glue-efi.1
-new file mode 100644
-index 00000000000..72bd555d577
---- /dev/null
-+++ b/util/grub-glue-efi.1
-@@ -0,0 +1,31 @@
-+.TH GRUB-GLUE-EFI 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-glue-efi\fR \(em Create an Apple fat EFI binary.
-+
-+.SH SYNOPSIS
-+\fBgrub-glue-efi\fR <-3 | --input32=\fIFILE\fR> <-6 | --input64=\fIFILE\fR>
-+.RS 15
-+<-o | --output=\fIFILE\fR> [-v | --verbose]
-+
-+.SH DESCRIPTION
-+\fBgrub-glue-efi\fR creates an Apple fat EFI binary from two EFI binaries.
-+
-+.SH OPTIONS
-+.TP
-+\fB--input32\fR=\fIFILE\fR
-+Read 32-bit binary from \fIFILE\fR.
-+
-+.TP
-+\fB--input64\fR=\fIFILE\fR
-+Read 64-bit binary from \fIFILE\fR.
-+
-+.TP
-+\fB--output\fR=\fIFILE\fR
-+Write resulting fat binary to \fIFILE\fR.
-+
-+.TP
-+\fB--verbose\fR
-+Print verbose messages.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-install.8 b/util/grub-install.8
-new file mode 100644
-index 00000000000..1db89e94b3b
---- /dev/null
-+++ b/util/grub-install.8
-@@ -0,0 +1,128 @@
-+.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-install\fR \(em Install GRUB on a device.
-+
-+.SH SYNOPSIS
-+\fBgrub-install\fR [--modules=\fIMODULES\fR] [--install-modules=\fIMODULES\fR]
-+.RS 14
-+[--themes=\fITHEMES\fR] [--fonts=\fIFONTS\fR] [--locales=\fILOCALES\fR]
-+.RE
-+.RS 14
-+[--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]] [-d | --directory=\fIDIR\fR]
-+.RE
-+.RS 14
-+[--grub-mkimage=\fIFILE\fR] [--boot-directory=\fIDIR\fR]
-+.RE
-+.RS 14
-+[--target=\fITARGET\fR] [--grub-setup=\fIFILE\fR]
-+.RE
-+.RS 14
-+[--grub-mkrelpath=\fIFILE\fR] [--grub-probe=\fIFILE\fR]
-+.RE
-+.RS 14
-+[--allow-floppy] [--recheck] [--force] [--force-file-id]
-+.RE
-+.RS 14
-+[--disk-module=\fIMODULE\fR] [--no-nvram] [--removable]
-+.RE
-+.RS 14
-+[--bootloader-id=\fIID\fR] [--efi-directory=\fIDIR\fR] \fIINSTALL_DEVICE\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-install\fR installs GRUB onto a device. This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
-+
-+.SH OPTIONS
-+.TP
-+\fB--modules\fR=\fIMODULES\fR\!
-+Pre-load modules specified by \fIMODULES\fR.
-+
-+.TP
-+\fB--install-modules\fR=\fIMODULES\fR
-+Install only \fIMODULES\fR and their dependencies. The default is to install all available modules.
-+
-+.TP
-+\fB--themes\fR=\fITHEMES\fR
-+Install \fITHEMES\fR. The default is to install the \fIstarfield\fR theme, if available.
-+
-+.TP
-+\fB--fonts\fR=\fIFONTS\fR
-+Install \fIFONTS\fR. The default is to install the \fIunicode\fR font.
-+
-+.TP
-+\fB--locales\fR=\fILOCALES\fR
-+Install only locales listed in \fILOCALES\fR. The default is to install all available locales.
-+
-+.TP
-+\fB--compress\fR=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR
-+Compress GRUB files using the specified compression algorithm.
-+
-+.TP
-+\fB--directory\fR=\fIDIR\fR
-+Use images and modules in \fIDIR\fR.
-+
-+.TP
-+\fB--grub-mkimage\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-mkimage\fR. The default is \fI/usr/bin/grub-mkimage\fR.
-+
-+.TP
-+\fB--boot-directory\fR=\fIDIR\fR
-+Use \fIDIR\fR as the boot directory. The default is \fI/boot\fR. GRUB will put its files in a subdirectory of this directory named \fIgrub\fR.
-+
-+.TP
-+\fB--target\fR=\fITARGET\fR
-+Install GRUB for \fITARGET\fR platform. The default is the platform \fBgrub-install\fR is running on.
-+
-+.TP
-+\fB--grub-setup\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-setup\fR. The default is \fI/usr/bin/grub-setup\fR.
-+
-+.TP
-+\fB--grub-mkrelpath\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-mkrelpath\fR. The default is \fI/usr/bin/grub-mkrelpath\fR.
-+
-+.TP
-+\fB--grub-probe\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-probe\fR. The default is \fI/usr/bin/grub-mkrelpath\fR.
-+
-+.TP
-+\fB--allow-floppy
-+Make the device also bootable as a floppy. This option is the default for /dev/fdX devices. Some BIOSes will not boot images created with this option.
-+
-+.TP
-+\fB--recheck
-+Delete any existing device map and create a new one if necessary.
-+
-+.TP
-+\fB--force
-+Install even if problems are detected.
-+
-+.TP
-+\fB--force-file-id
-+Use identifier file even if UUID is available.
-+
-+.TP
-+\fB--disk-module\fR=\fIMODULE\fR
-+Use \fIMODULE\fR for disk access. This allows you to manually specify either \fIbiosdisk\fR or \fInative\fR disk access. This option is only available on the BIOS target platform.
-+
-+.TP
-+\fB--no-nvram
-+Do not update the \fIboot-device\fR NVRAM variable. This option is only available on IEEE1275 target platforms.
-+
-+.TP
-+\fB--removable
-+Treat the target device as if it is removeable. This option is only available on the EFI target platform.
-+
-+.TP
-+\fB--bootloader-id\fR=\fIID\fR
-+Use \fIID\fR as the bootloader ID. This option is only available on the EFI target platform.
-+
-+.TP
-+\fB--efi-directory\fR=\fIDIR\fR
-+Use \fIDIR\fR as the EFI System Partition root. This option is only available on the EFI target platform.
-+
-+.TP
-+\fIINSTALL_DEVICE\fR
-+Install GRUB to the block device \fIINSTALL_DEVICE\fR.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-kbdcomp.1 b/util/grub-kbdcomp.1
-new file mode 100644
-index 00000000000..0bb969a5b43
---- /dev/null
-+++ b/util/grub-kbdcomp.1
-@@ -0,0 +1,19 @@
-+.TH GRUB-KBDCOMP 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-kbdcomp\fR \(em Generate a GRUB keyboard layout file.
-+
-+.SH SYNOPSIS
-+\fBgrub-kbdcomp\fR <-o | --output=\fIFILE\fR> \fICKBMAP_ARGUMENTS\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-kbdcomp\fR processes an X keyboard layout description in
-+\fBkeymaps\fR(5) format into a format that can be used by GRUB's \fBkeymap\fR
-+command.
-+
-+.SH OPTIONS
-+.TP
-+\fB--output\fR=\fIFILE\fR
-+Write output to \fIFILE\fR.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-macbless.1 b/util/grub-macbless.1
-new file mode 100644
-index 00000000000..41a96186f70
---- /dev/null
-+++ b/util/grub-macbless.1
-@@ -0,0 +1,22 @@
-+.TH GRUB-MACBLESS 1 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-macbless\fR \(em Mac-style bless on HFS or HFS+
-+
-+.SH SYNOPSIS
-+\fBgrub-macbless\fR [-v | --verbose] [-p | --ppc] \fIFILE\fR | [-x | --x86] \fIFILE\fR
-+
-+.SH OPTIONS
-+.TP
-+--x86
-+Bless for x86 based Macs.
-+
-+.TP
-+--ppc
-+Bless for PPC based Macs.
-+
-+.TP
-+--verbose
-+Print verbose messages.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-menulst2cfg.1 b/util/grub-menulst2cfg.1
-new file mode 100644
-index 00000000000..91e2ef87113
---- /dev/null
-+++ b/util/grub-menulst2cfg.1
-@@ -0,0 +1,12 @@
-+.TH GRUB-MENULST2CFG 1 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-menulst2cfg\fR \(em Convert a configuration file from GRUB 0.xx to GRUB 2.xx format.
-+
-+.SH SYNOPSIS
-+\fBgrub-menulst2cfg\fR [\fIINFILE\fR [\fIOUTFILE\fR]]
-+
-+.SH DESCRIPTION
-+\fBgrub-menulst2cfg\fR converts a configuration file from GRUB 0.xx to the current format.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mkconfig.8 b/util/grub-mkconfig.8
-new file mode 100644
-index 00000000000..a2d1f577b9b
---- /dev/null
-+++ b/util/grub-mkconfig.8
-@@ -0,0 +1,17 @@
-+.TH GRUB-MKCONFIG 1 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mkconfig\fR \(em Generate a GRUB configuration file.
-+
-+.SH SYNOPSIS
-+\fBgrub-mkconfig\fR [-o | --output=\fIFILE\fR]
-+
-+.SH DESCRIPTION
-+\fBgrub-mkconfig\fR generates a configuration file for GRUB.
-+
-+.SH OPTIONS
-+.TP
-+\fB--output\fR=\fIFILE\fR
-+Write generated output to \fIFILE\fR.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mkfont.1 b/util/grub-mkfont.1
-new file mode 100644
-index 00000000000..3494857987d
---- /dev/null
-+++ b/util/grub-mkfont.1
-@@ -0,0 +1,87 @@
-+.TH GRUB-MKFONT 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mkfont\fR \(em Convert common font file formats into the PF2 format.
-+
-+.SH SYNOPSIS
-+\fBgrub-mkfont\fR [--ascii-bitmaps] [-a | --force-autohint]
-+.RS 13
-+[-b | --bold] [-c | --asce=\fINUM\fR] [-d | --desc=\fINUM\fR]
-+.RE
-+.RS 13
-+[-i | --index=\fINUM\fR] [-n | --name=\fINAME\fR] [--no-bitmap]
-+.RE
-+.RS 13
-+[--no-hinting] <-o | --output=\fIFILE\fR>
-+.RE
-+.RS 13
-+[-r | --range=\fIFROM-TO\fR[\fI,FROM-TO\fR]] [-s | --size=\fISIZE\fR]
-+.RE
-+.RS 13
-+[-v | --verbose] [--width-spec] \fIFONT_FILES\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-mkfont\fR converts font files from common formats into the PF2 format used by GRUB.
-+
-+.SH OPTIONS
-+.TP
-+--ascii-bitmaps
-+Save only bitmaps for ASCII characters.
-+
-+.TP
-+--force-autohint
-+Force generation of automatic hinting.
-+
-+.TP
-+--bold
-+Convert font to bold.
-+
-+.TP
-+--asce=\fINUM\fR
-+Set font ascent to \fINUM\fR.
-+
-+.TP
-+--desc=\fINUM\fR
-+Set font descent to \fINUM\fR.
-+
-+.TP
-+--index=\fINUM\fR
-+Select face index \fINUM\fR.
-+
-+.TP
-+--name=\fINAME\fR
-+Set font family to \fINAME\fR.
-+
-+.TP
-+--no-bitmap
-+Ignore bitmap strikes when loading.
-+
-+.TP
-+--no-hinting
-+Disable hinting.
-+
-+.TP
-+--output=\fIFILE\fR
-+Save ouptut to \fIFILE\fR. This argument is required.
-+
-+.TP
-+--range=\fIFROM-TO\fR\fI,FROM-TO\fR
-+Set the font ranges to each pair of \fIFROM\fR,\fITO\fR.
-+
-+.TP
-+--size=\fISIZE\fR
-+Set font size to \fISIZE\fR.
-+
-+.TP
-+--verbose
-+Print verbose messages.
-+
-+.TP
-+--width-spec
-+Create a width summary file.
-+
-+.TP
-+\fIFONT_FILES\fR
-+The input files to be converted.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mkimage.1 b/util/grub-mkimage.1
-new file mode 100644
-index 00000000000..4dea4f54597
---- /dev/null
-+++ b/util/grub-mkimage.1
-@@ -0,0 +1,95 @@
-+.TH GRUB-MKIMAGE 1 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mkimage\fR \(em Make a bootable GRUB image.
-+
-+.SH SYNOPSIS
-+\fBgrub-mkimage\fR [-c | --config=\fRFILE\fI] [-C | --compression=(\fIxz\fR,\fInone\fR,\fIauto\fR)]
-+.RS 14
-+[-d | --directory=\fRDIR\fR] [-k | --pubkey=\fIFILE\fR]
-+.RE
-+.RS 14
-+[-m | --memdisk=\fIFILE\fR] [-n | --note] [-o | --output=\fIFILE\fR]
-+.RE
-+.RS 14
-+[-O | --format=\fIFORMAT\fR] [-p | --prefix=\fIDIR\fR]
-+.RE
-+.RS 14
-+[-v | --verbose] \fIMODULES\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-mkimage\fI builds a bootable image of GRUB.
-+
-+.SH OPTIONS
-+.TP
-+--config=\fIFILE\fR
-+Embed \fIFILE\fR as the image's initial configuration file.
-+
-+.TP
-+--compression=(\fIxz\fR,\fInone\fR,\fIauto\fR)
-+Use one of \fIxz\fR, \fInone\fR, or \fIauto\fR as the compression method for the core image.
-+
-+.TP
-+--directory=\fIDIR\fR
-+Use images and modules from \fIDIR\fR. The default value is \fB/usr/lib/grub/\fR.
-+
-+.TP
-+--pubkey=\fIFILE\fR
-+Embed the public key \fIFILE\fR for signature checking.
-+
-+.TP
-+--memdisk=\fIFILE\fR
-+Embed the memdisk image \fIFILE\fR. If no \fB-p\fR option is also specified, this implies \fI-p (memdisk)/boot/grub\fR.
-+
-+.TP
-+--note
-+Add a CHRP \fINOTE\fR section. This option is only valid on IEEE1275 platforms.
-+
-+.TP
-+--output=\fIFILE\fR
-+Write the generated file to \fIFILE\fR. 
The default is to write to standard output.
-+
-+.TP
-+--format=\fIFORMAT\fR
-+Generate an image in the specified \fIFORMAT\fR. Valid values are:
-+.RS
-+.RS 4
-+.P
-+i386-coreboot,
-+i386-multiboot,
-+i386-pc,
-+i386-pc-pxe,
-+i386-efi,
-+i386-ieee1275,
-+i386-qemu,
-+x86_64-efi,
-+mipsel-yeeloong-flash,
-+mipsel-fuloong2f-flash,
-+mipself-loongson-elf,
-+powerpc-ieee1275,
-+sparc64-ieee1275-raw,
-+sparc64-ieee1275-cdcore,
-+sparc64-ieee1275-aout,
-+ia64-efi,
-+mips-arc,
-+mipsel-arc,
-+mipsel-qemu_mips-elf,
-+mips-qemu_mips-flash,
-+mipsel-qemu_mips-flash,
-+mips-qemu_mips-elf
-+.RE
-+.RE
-+
-+.TP
-+--prefix=\fIDIR\fR
-+Set prefix directory. The default value is \fI/boot/grub\fR.
-+
-+.TP
-+--verbose
-+Print verbose messages.
-+
-+.TP
-+\fIMODULES\fR
-+Include \fIMODULES\fR.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mklayout.1 b/util/grub-mklayout.1
-new file mode 100644
-index 00000000000..d1bbc2ec515
---- /dev/null
-+++ b/util/grub-mklayout.1
-@@ -0,0 +1,27 @@
-+.TH GRUB-MKLAYOUT 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mklayout\fR \(em Generate a GRUB keyboard layout file.
-+
-+.SH SYNOPSIS
-+\fBgrub-mklayout\fR [-i | --input=\fIFILE\fR] [-o | --output=\fIFILE\fR]
-+.RS 15
-+[-v | --verbose]
-+
-+.SH DESCRIPTION
-+\fBgrub-mklayout\fR generates a GRUB keyboard layout description which corresponds with the Linux console layout description given as input.
-+
-+.SH OPTIONS
-+.TP
-+--input=\fIFILE\fR
-+Use \fIFILE\fR as the input. The default value is the standard input device.
-+
-+.TP
-+--output=\fIFILE\fR
-+Use \fIFILE\fR as the output. The default value is the standard output device.
-+
-+.TP
-+--verbose
-+Print verbose messages.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mknetdir.1 b/util/grub-mknetdir.1
-new file mode 100644
-index 00000000000..fa7e8d4ef0d
---- /dev/null
-+++ b/util/grub-mknetdir.1
-@@ -0,0 +1,12 @@
-+.TH GRUB-MKNETDIR 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mknetdir\fR \(em Prepare a GRUB netboot directory.
-+
-+.SH SYNOPSIS
-+\fBgrub-mknetdir\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-mknetdir\fR prepares a directory for GRUB to be netbooted from.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mkpasswd-pbkdf2.1 b/util/grub-mkpasswd-pbkdf2.1
-new file mode 100644
-index 00000000000..73c437c15d8
---- /dev/null
-+++ b/util/grub-mkpasswd-pbkdf2.1
-@@ -0,0 +1,27 @@
-+.TH GRUB-MKPASSWD-PBKDF2 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mkpasswd-pbkdf2\fR \(em Generate a PBKDF2 password hash.
-+
-+.SH SYNOPSIS
-+\fBgrub-mkpasswd-pbkdf2\fR [-c | --iteration-count=\fINUM\fR] [-l | --buflen=\fINUM\fR]
-+.RS 22
-+[-s | --salt=\fINUM\fR]
-+
-+.SH DESCRIPTION
-+\fBgrub-mkpasswd-pbkdf2\fR generates a PBKDF2 password string suitable for use in a GRUB configuration file.
-+
-+.SH OPTIONS
-+.TP
-+--iteration-count=\fINUM\fR
-+Number of PBKDF2 iterations.
-+
-+.TP
-+--buflen=\fINUM\fR
-+Length of generated hash.
-+
-+.TP
-+--salt=\fINUM\fR
-+Length of salt to use.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mkrelpath.1 b/util/grub-mkrelpath.1
-new file mode 100644
-index 00000000000..85f1113621d
---- /dev/null
-+++ b/util/grub-mkrelpath.1
-@@ -0,0 +1,12 @@
-+.TH GRUB-MKRELPATH 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mkrelpath\fR \(em Generate a relative GRUB path given an OS path.
-+
-+.SH SYNOPSIS
-+\fBgrub-mkrelpath\fR \fIFILE\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-mkrelpath\fR takes an OS filesystem path for \fIFILE\fR and returns a relative path suitable for use in a GRUB configuration file.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mkrescue.1 b/util/grub-mkrescue.1
-new file mode 100644
-index 00000000000..4ed9fc723fd
---- /dev/null
-+++ b/util/grub-mkrescue.1
-@@ -0,0 +1,123 @@
-+.TH GRUB-MKRESCUE 3 "Wed Feb 26 2014"
-+.SH NAME
-+grub-mkrescue \(em Generate a GRUB rescue image using GNU Xorriso.
-+
-+.SH SYNOPSIS
-+\fBgrub-mkrescue\fR [-o | --output=\fIFILE\fR] [--modules=\fIMODULES\fR]
-+.RS 15
-+[--install-modules=\fIMODULES\fR] [--themes=\fITHEMES\fR]
-+.RE
-+.RS 15
-+[--fonts=\fIFONTS\fR] [--locales=\fILOCALES\fR]
-+.RE
-+.RS 15
-+[--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]] [-d | --directory=\fIDIR\fR]
-+.RE
-+.RS 15
-+[--grub-mkimage=\fIFILE\fR] [--rom-directory=\fIDIR\fR]
-+.RE
-+.RS 15
-+[--xorriso=\fIFILE\fR] [--grub-glue-efi=\fIFILE\fR]
-+.RE
-+.RS 15
-+[--grub-render-label=\fIFILE\fR] [--label-font=\fIFILE\fR]
-+.RE
-+.RS 15
-+[--label-color=\fICOLOR\fR] [--label-bgcolor=\fIFILE\fR]
-+.RE
-+.RS 15
-+[--product-name=\fISTRING\fR] [--product-version=\fISTRING\fR]
-+.RE
-+.RS 15
-+[--sparc-boot] [--arcs-boot]
-+
-+.SH DESCRIPTION
-+\fBgrub-mkrescue\fR can be used to generate a rescue image with the GRUB bootloader.
-+
-+.SH OPTIONS
-+.TP
-+\fB--output\fR=\fIFILE\fR
-+Write the generated file to \fIFILE\fR. The default is to write to standard output.
-+
-+.TP
-+\fB--modules\fR=\fIMODULES\fR
-+Pre-load modules specified by \fIMODULES\fR.
-+
-+.TP
-+\fB--install-modules\fR=\fIMODULES\fR
-+Install only \fIMODULES\fR and their dependencies. The default is to install all available modules.
-+
-+.TP
-+\fB--themes\fR=\fITHEMES\fR
-+Install \fITHEMES\fR. The default is to install the \fIstarfield\fR theme, if available.
-+
-+.TP
-+\fB--fonts\fR=\fIFONTS\fR
-+Install \fIFONTS\fR. The default is to install the \fIunicode\fR font.
-+
-+.TP
-+\fB--locales\fR=\fILOCALES\fR
-+Install only locales listed in \fILOCALES\fR. The default is to install all available locales.
-+
-+.TP
-+\fB--compress\fR[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]
-+Compress GRUB files using the specified compression algorithm.
-+
-+.TP
-+\fB--directory\fR=\fIDIR\fR
-+Use images and modules in \fIDIR\fR.
-+
-+.TP
-+\fB--grub-mkimage\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-mkimage\fR(1). The default is \fI/usr/bin/grub-mkimage\fR.
-+
-+.TP
-+\fB--rom-directory\fR=\fIDIR\fR
-+Save ROM images in \fIDIR\fR.
-+
-+.TP
-+\fB--xorriso\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBxorriso\fI.
-+
-+.TP
-+\fB--grub-glue-efi\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-glue-efi\fR(3).
-+
-+.TP
-+\fB--grub-render-label\fR=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-render-label\fR(3).
-+
-+.TP
-+\fB--label-font\fR=\fIFILE\fR
-+Use \fIFILE\fR as the font file for generated labels.
-+
-+.TP
-+\fB--label-color\fR=\fICOLOR\fR
-+Use \fICOLOR\fI as the color for generated labels.
-+
-+.TP
-+\fB--label-bgcolor\fR=\fICOLOR\fR
-+Use \fICOLOR\fR as the background color for generated labels.
-+
-+.TP
-+\fB--product-name\fR=\fISTRING\fR
-+Use \fISTRING\fR as the product name in generated labels.
-+
-+.TP
-+\fB--product-version\fR=\fISTRING\fR
-+Use \fISTRING\fR as the product version in generated labels.
-+
-+.TP
-+\fB--sparc-boot\fR
-+Enable booting the SPARC platform. This disables HFS+, APM, ARCS, and "boot as disk image" on the \fIi386-pc\fR target platform.
-+
-+.TP
-+\fB--arcs-boot\fR
-+Enable ARCS booting. This is typically for big-endian MIPS machines, and disables HFS+, APM, sparc64, and "boot as disk image" on the \fIi386-pc\fR target platform.
-+
-+.TP
-+\fB--\fR
-+All options after a \fB--\fR will be passed directly to xorriso's command line when generating the image.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-mkstandalone.1 b/util/grub-mkstandalone.1
-new file mode 100644
-index 00000000000..ba2d2bdf279
---- /dev/null
-+++ b/util/grub-mkstandalone.1
-@@ -0,0 +1,100 @@
-+.TH GRUB-MKSTANDALONE 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-mkstandalone\fR \(em Generate a standalone image in the selected format.
-+
-+.SH SYNOPSIS
-+\fBgrub-mkstandalone\fR [-o | --output=\fIFILE\fR] [-O | --format=\fIFORMAT\fR]
-+.RS 19
-+[-C | --compression=(\fIxz\fR|\fInone\fR|\fIauto\fR)]
-+.RE
-+.RS 19
-+[--modules=\fIMODULES\fR] [--install-modules=\fIMODULES\fR]
-+.RE
-+.RS 19
-+[--themes=\fITHEMES\fR] [--fonts=\fIFONTS\fR]
-+.RE
-+.RS 19
-+[--locales=\fILOCALES\fR] [--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]]
-+.RE
-+.RS 19
-+[-d | --directory=\fIDIR\fR] [--grub-mkimage=\fIFILE\fR]
-+.RE
-+.RS 19
-+\fISOURCE...\fR
-+
-+.SH DESCRIPTION
-+
-+.SH OPTIONS
-+.TP
-+--output=\fIFILE\fR
-+Write the generated file to \fIFILE\fR. The default is to write to standard output.
-+
-+.TP
-+--format=\fIFORMAT\fR
-+Generate an image in the specified \fIFORMAT\fR. Valid values are:
-+.RS
-+.RS 4
-+.P
-+i386-coreboot,
-+i386-multiboot,
-+i386-pc,
-+i386-pc-pxe,
-+i386-efi,
-+i386-ieee1275,
-+i386-qemu,
-+x86_64-efi,
-+mipsel-yeeloong-flash,
-+mipsel-fuloong2f-flash,
-+mipself-loongson-elf,
-+powerpc-ieee1275,
-+sparc64-ieee1275-raw,
-+sparc64-ieee1275-cdcore,
-+sparc64-ieee1275-aout,
-+ia64-efi,
-+mips-arc,
-+mipsel-arc,
-+mipsel-qemu_mips-elf,
-+mips-qemu_mips-flash,
-+mipsel-qemu_mips-flash,
-+mips-qemu_mips-elf
-+.RE
-+.RE
-+
-+.TP
-+--compression=(\fIxz\fR|\fInone\fR|\fIauto\fR)
-+Use one of \fIxz\fR, \fInone\fR, or \fIauto\fR as the compression method for the core image.
-+
-+.TP
-+--modules=\fIMODULES\fR
-+Pre-load modules specified by \fIMODULES\fR.
-+
-+.TP
-+--install-modules=\fIMODULES\fR
-+Install only \fIMODULES\fR and their dependencies. The default is to install all available modules.
-+
-+.TP
-+--themes=\fITHEMES\fR
-+Install \fITHEMES\fR. The default is to install the \fIstarfield\fR theme, if available.
-+
-+.TP
-+--fonts=\fIFONTS\fR
-+Install \fIFONTS\fR. The default is to install the \fIunicode\fR font.
-+
-+.TP
-+--locales=\fILOCALES\fR
-+Install only locales listed in \fILOCALES\fR. The default is to install all available locales.
-+
-+.TP
-+--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]
-+Compress GRUB files using the specified compression algorithm.
-+
-+.TP
-+--directory=\fIDIR\fR
-+Use images and modules in \fIDIR\fR.
-+
-+.TP
-+--grub-mkimage=\fIFILE\fR
-+Use \fIFILE\fR as \fBgrub-mkimage\fR. The default is \fI/usr/bin/grub-mkimage\fR.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-ofpathname.8 b/util/grub-ofpathname.8
-new file mode 100644
-index 00000000000..bf3743aeba1
---- /dev/null
-+++ b/util/grub-ofpathname.8
-@@ -0,0 +1,12 @@
-+.TH GRUB-OFPATHNAME 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-ofpathname\fR \(em Generate an IEEE-1275 device path for a specified device.
-+
-+.SH SYNOPSIS
-+\fBgrub-ofpathname\fR \fIDEVICE\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-ofpathname\fR generates an IEEE-1275 device path for the specified \fIDEVICE\fR.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-probe.8 b/util/grub-probe.8
-new file mode 100644
-index 00000000000..04e26c832bb
---- /dev/null
-+++ b/util/grub-probe.8
-@@ -0,0 +1,80 @@
-+.TH GRUB-PROBE 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-probe\fR \(em Probe device information for a given path.
-+
-+.SH SYNOPSIS
-+\fBgrub-probe\fR \[-d | --device] [-m | --device-map=\fIFILE\fR]
-+.RS 12
-+[-t | --target=(fs|fs_uuid|fs_label|drive|device|partmap|
-+.RE
-+.RS 28
-+abstraction|cryptodisk_uuid|
-+.RE
-+.RS 28
-+msdos_parttype)]
-+.RE
-+.RS 12
-+[-v | --verbose] (PATH|DEVICE)
-+
-+.SH DESCRIPTION
-+\fBgrub-probe\fR probes a path or device for filesystem and related information.
-+
-+.SH OPTIONS
-+.TP
-+--device
-+Final option represents a \fIDEVICE\fR, rather than a filesystem \fIPATH\fR.
-+.TP
-+--device-map=\fIFILE\fR
-+Use \fIFILE\fR as the device map. The default value is \fI/boot/grub/device.map\fR.
-+
-+.TP
-+--target=(fs|fs_uuid|fs_label|drive|device|partmap|msdos_parttype)
-+Select among various output definitions. The default is \fIfs\fR.
-+.RS
-+.TP
-+\fIfs\fR
-+filesystem module
-+
-+.TP
-+\fIfs_uuid\fR
-+filesystem UUID
-+
-+.TP
-+\fIfs_label\fR
-+filesystem label
-+
-+.TP
-+\fIdrive\fR
-+GRUB drive name
-+
-+.TP
-+\fIdevice\fR
-+System device
-+
-+.TP
-+\fIpartmap\fR
-+partition map module
-+
-+.TP
-+\fIabstraction\fR
-+abstraction module
-+
-+.TP
-+\fIcryptodisk_uuid\fR
-+cryptographic container
-+
-+.TP
-+\fImsdos_partmap\fR
-+MS-DOS partition map
-+.RE
-+
-+.TP
-+--verbose
-+Print verbose output.
-+
-+.TP
-+(\fIPATH\fR|\fIDEVICE\fR)
-+If --device is passed, a block \fIDEVICE\fR. Otherwise, the \fIPATH\fR of a file on the filesystem.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-reboot.8 b/util/grub-reboot.8
-new file mode 100644
-index 00000000000..faa5e4eece2
---- /dev/null
-+++ b/util/grub-reboot.8
-@@ -0,0 +1,21 @@
-+.TH GRUB-REBOOT 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-reboot\fR \(em Set the default boot menu entry for the next boot only.
-+
-+.SH SYNOPSIS
-+\fBgrub-reboot\fR [--boot-directory=\fIDIR\fR] \fIMENU_ENTRY\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-reboot\fR sets the default boot menu entry for the next boot, but not further boots after that. This command only works for GRUB configuration files created with \fIGRUB_DEFAULT=saved\fR in \fI/etc/default/grub\fR.
-+
-+.SH OPTIONS
-+.TP
-+--boot-directory=\fIDIR\fR
-+Find GRUB images under \fIDIR/grub\fR. The default value is \fI/boot\fR, resulting in grub images being search for at \fI/boot/grub\fR.
-+
-+.TP
-+\fIMENU_ENTRY\fR
-+A number, a menu item title or a menu item identifier.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-render-label.1 b/util/grub-render-label.1
-new file mode 100644
-index 00000000000..4d51c8abf01
---- /dev/null
-+++ b/util/grub-render-label.1
-@@ -0,0 +1,51 @@
-+.TH GRUB-RENDER-LABEL 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-render-label\fR \(em Render an Apple disk label.
-+
-+.SH SYNOPSIS
-+\fBgrub-render-label\fR [-b | --bgcolor=\fICOLOR\fR] [-c | --color=\fICOLOR\fR]
-+.RS 19
-+[-f | --font=\fIFILE\fR] [-i | --input=\fIFILE\fR]
-+.RE
-+.RS 19
-+[-o | --output=\fIFILE\fR] [-t | --text=\fISTRING\fR]
-+.RE
-+.RS 19
-+[-v | --verbose]
-+
-+.SH DESCRIPTION
-+\fBgrub-render-label\fR renders an Apple disk label (.disk_label) file.
-+
-+
-+.SH OPTIONS
-+.TP
-+\fB--color\fR=\fICOLOR\fR
-+Use \fICOLOR\fI as the color for generated labels.
-+
-+.TP
-+\fB--bgcolor\fR=\fICOLOR\fR
-+Use \fICOLOR\fR as the background color for generated labels.
-+
-+.TP
-+\fB--font\fR=\fIFILE\fR
-+Use \fIFILE\fR as the font file for generated labels.
-+
-+.TP
-+--input=\fIFILE\fR
-+Read input text from \fIFILE\fR.
-+
-+.TP
-+--output=\fIFILE\fR
-+Render output to \fIFILE\fR.
-+
-+.TP
-+--text=\fISTRING\fR
-+Use \fISTRING\fR as input text.
-+
-+.TP
-+--verbose
-+Print verbose output.
-+
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-script-check.1 b/util/grub-script-check.1
-new file mode 100644
-index 00000000000..0f1f625b05d
---- /dev/null
-+++ b/util/grub-script-check.1
-@@ -0,0 +1,21 @@
-+.TH GRUB-SCRIPT-CHECK 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-script-check\fR \(em Check GRUB configuration file for syntax errors.
-+
-+.SH SYNOPSIS
-+\fBgrub-script-check\fR [-v | --verbose] \fIPATH\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-script-check\fR verifies that a specified GRUB configuration file does not contain syntax errors.
-+
-+.SH OPTIONS
-+.TP
-+--verbose
-+Print verbose output.
-+
-+.TP
-+\fIPATH\fR
-+Path of the file to use as input.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-set-default.8 b/util/grub-set-default.8
-new file mode 100644
-index 00000000000..a96265a1509
---- /dev/null
-+++ b/util/grub-set-default.8
-@@ -0,0 +1,21 @@
-+.TH GRUB-SET-DEFAULT 1 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-set-default\fR \(em Set the default boot menu entry for GRUB.
-+
-+.SH SYNOPSIS
-+\fBgrub-set-default\fR [--boot-directory=\fIDIR\fR] \fIMENU_ENTRY\fR
-+
-+.SH DESCRIPTION
-+\fBgrub-set-default\fR sets the default boot menu entry for all subsequent boots. This command only works for GRUB configuration files created with \fIGRUB_DEFAULT=saved\fR in \fI/etc/default/grub\fR.
-+
-+.SH OPTIONS
-+.TP
-+--boot-directory=\fIDIR\fR
-+Find GRUB images under \fIDIR/grub\fR. The default value is \fI/boot\fR, resulting in grub images being search for at \fI/boot/grub\fR.
-+
-+.TP
-+\fIMENU_ENTRY\fR
-+A number, a menu item title or a menu item identifier.
-+
-+.SH SEE ALSO
-+.BR "info grub"
-diff --git a/util/grub-sparc64-setup.8 b/util/grub-sparc64-setup.8
-new file mode 100644
-index 00000000000..37ea2dd5eaa
---- /dev/null
-+++ b/util/grub-sparc64-setup.8
-@@ -0,0 +1,12 @@
-+.TH GRUB-SPARC64-SETUP 3 "Wed Feb 26 2014"
-+.SH NAME
-+\fBgrub-sparc64-setup\fR \(em Set up a device to boot a sparc64 GRUB image.
-+
-+.SH SYNOPSIS
-+\fBgrub-sparc64-setup\fR [OPTIONS].
-+
-+.SH DESCRIPTION
-+You should not normally run this program directly. Use grub-install instead.
-+
-+.SH SEE ALSO
-+.BR "info grub"
diff --git a/SPECS/grub2/0052-Make-our-info-pages-say-grub2-where-appropriate.patch b/SPECS/grub2/0052-Make-our-info-pages-say-grub2-where-appropriate.patch
deleted file mode 100644
index e09306741c2..00000000000
--- a/SPECS/grub2/0052-Make-our-info-pages-say-grub2-where-appropriate.patch
+++ /dev/null
@@ -1,1014 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 9 Jul 2019 12:59:58 +0200 -Subject: [PATCH] Make our info pages say "grub2" where appropriate. - -This needs to be hooked up to --program-transform=, but I haven't had -time. - -Signed-off-by: Peter Jones ---- - docs/grub-dev.texi | 4 +- - docs/grub.texi | 323 ++++++++++++++++++++++++++++------------------------- - 2 files changed, 172 insertions(+), 155 deletions(-) - -diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi -index a834b3a9c32..a55af53fd45 100644 ---- a/docs/grub-dev.texi -+++ b/docs/grub-dev.texi -@@ -1,7 +1,7 @@ - \input texinfo - @c -*-texinfo-*- - @c %**start of header --@setfilename grub-dev.info -+@setfilename grub2-dev.info - @include version-dev.texi - @settitle GNU GRUB Developers Manual @value{VERSION} - @c Unify all our little indices for now. -@@ -32,7 +32,7 @@ Invariant Sections. - - @dircategory Kernel - @direntry --* grub-dev: (grub-dev). The GRand Unified Bootloader Dev -+* grub2-dev: (grub2-dev). The GRand Unified Bootloader Dev - @end direntry - - @setchapternewpage odd -diff --git a/docs/grub.texi b/docs/grub.texi -index eeb3118ebde..aa3a7de9d4f 100644 ---- a/docs/grub.texi -+++ b/docs/grub.texi -@@ -1,7 +1,7 @@ - \input texinfo - @c -*-texinfo-*- - @c %**start of header --@setfilename grub.info -+@setfilename grub2.info - @include version.texi - @settitle GNU GRUB Manual @value{VERSION} - @c Unify all our little indices for now. -@@ -32,15 +32,15 @@ Invariant Sections. - - @dircategory Kernel - @direntry --* GRUB: (grub). The GRand Unified Bootloader --* grub-install: (grub)Invoking grub-install. Install GRUB on your drive --* grub-mkconfig: (grub)Invoking grub-mkconfig. Generate GRUB configuration --* grub-mkpasswd-pbkdf2: (grub)Invoking grub-mkpasswd-pbkdf2. --* grub-mkrelpath: (grub)Invoking grub-mkrelpath. --* grub-mkrescue: (grub)Invoking grub-mkrescue. 
Make a GRUB rescue image --* grub-mount: (grub)Invoking grub-mount. Mount a file system using GRUB --* grub-probe: (grub)Invoking grub-probe. Probe device information --* grub-script-check: (grub)Invoking grub-script-check. -+* GRUB2: (grub2). The GRand Unified Bootloader -+* grub2-install: (grub2)Invoking grub2-install. Install GRUB on your drive -+* grub2-mkconfig: (grub2)Invoking grub2-mkconfig. Generate GRUB configuration -+* grub2-mkpasswd-pbkdf2: (grub2)Invoking grub2-mkpasswd-pbkdf2. -+* grub2-mkrelpath: (grub2)Invoking grub2-mkrelpath. -+* grub2-mkrescue: (grub2)Invoking grub2-mkrescue. Make a GRUB rescue image -+* grub2-mount: (grub2)Invoking grub2-mount. Mount a file system using GRUB -+* grub2-probe: (grub2)Invoking grub2-probe. Probe device information -+* grub2-script-check: (grub2)Invoking grub2-script-check. - @end direntry - - @setchapternewpage odd -@@ -103,15 +103,15 @@ This edition documents version @value{VERSION}. - * Platform-specific operations:: Platform-specific operations - * Supported kernels:: The list of supported kernels - * Troubleshooting:: Error messages produced by GRUB --* Invoking grub-install:: How to use the GRUB installer --* Invoking grub-mkconfig:: Generate a GRUB configuration file --* Invoking grub-mkpasswd-pbkdf2:: -+* Invoking grub2-install:: How to use the GRUB installer -+* Invoking grub2-mkconfig:: Generate a GRUB configuration file -+* Invoking grub2-mkpasswd-pbkdf2:: - Generate GRUB password hashes --* Invoking grub-mkrelpath:: Make system path relative to its root --* Invoking grub-mkrescue:: Make a GRUB rescue image --* Invoking grub-mount:: Mount a file system using GRUB --* Invoking grub-probe:: Probe device information for GRUB --* Invoking grub-script-check:: Check GRUB script file for syntax errors -+* Invoking grub2-mkrelpath:: Make system path relative to its root -+* Invoking grub2-mkrescue:: Make a GRUB rescue image -+* Invoking grub2-mount:: Mount a file system using GRUB -+* Invoking grub2-probe:: Probe 
device information for GRUB -+* Invoking grub2-script-check:: Check GRUB script file for syntax errors - * Obtaining and Building GRUB:: How to obtain and build GRUB - * Reporting bugs:: Where you should send a bug report - * Future:: Some future plans on GRUB -@@ -230,7 +230,7 @@ surprising. - - @item - @file{grub.cfg} is typically automatically generated by --@command{grub-mkconfig} (@pxref{Simple configuration}). This makes it -+@command{grub2-mkconfig} (@pxref{Simple configuration}). This makes it - easier to handle versioned kernel upgrades. - - @item -@@ -244,7 +244,7 @@ scripting language: variables, conditionals, and loops are available. - @item - A small amount of persistent storage is available across reboots, using the - @command{save_env} and @command{load_env} commands in GRUB and the --@command{grub-editenv} utility. This is not available in all configurations -+@command{grub2-editenv} utility. This is not available in all configurations - (@pxref{Environment block}). - - @item -@@ -549,7 +549,7 @@ On OS which have device nodes similar to Unix-like OS GRUB tools use the - OS name. E.g. for GNU/Linux: - - @example --# @kbd{grub-install /dev/sda} -+# @kbd{grub2-install /dev/sda} - @end example - - On AROS we use another syntax. For volumes: -@@ -572,7 +572,7 @@ For disks we use syntax: - E.g. - - @example --# @kbd{grub-install //:ata.device/0/0} -+# @kbd{grub2-install //:ata.device/0/0} - @end example - - On Windows we use UNC path. For volumes it's typically -@@ -599,7 +599,7 @@ For disks it's - E.g. - - @example --# @kbd{grub-install \\?\PhysicalDrive0} -+# @kbd{grub2-install \\?\PhysicalDrive0} - @end example - - Beware that you may need to further escape the backslashes depending on your -@@ -609,7 +609,7 @@ When compiled with cygwin support then cygwin drive names are automatically - when needed. E.g. 
- - @example --# @kbd{grub-install /dev/sda} -+# @kbd{grub2-install /dev/sda} - @end example - - @node Installation -@@ -622,7 +622,7 @@ from the source tarball, or as a package for your OS. - - After you have done that, you need to install the boot loader on a - drive (floppy or hard disk) by using the utility --@command{grub-install} (@pxref{Invoking grub-install}) on a UNIX-like OS. -+@command{grub2-install} (@pxref{Invoking grub2-install}) on a UNIX-like OS. - - GRUB comes with boot images, which are normally put in the directory - @file{/usr/lib/grub/-} (for BIOS-based machines -@@ -633,22 +633,22 @@ loader needs to find them (usually @file{/boot}) will be called - the @dfn{boot directory}. - - @menu --* Installing GRUB using grub-install:: -+* Installing GRUB using grub2-install:: - * Making a GRUB bootable CD-ROM:: - * Device map:: - * BIOS installation:: - @end menu - - --@node Installing GRUB using grub-install --@section Installing GRUB using grub-install -+@node Installing GRUB using grub2-install -+@section Installing GRUB using grub2-install - - For information on where GRUB should be installed on PC BIOS platforms, - @pxref{BIOS installation}. - - In order to install GRUB under a UNIX-like OS (such --as @sc{gnu}), invoke the program @command{grub-install} (@pxref{Invoking --grub-install}) as the superuser (@dfn{root}). -+as @sc{gnu}), invoke the program @command{grub2-install} (@pxref{Invoking -+grub2-install}) as the superuser (@dfn{root}). - - The usage is basically very simple. You only need to specify one - argument to the program, namely, where to install the boot loader. 
The -@@ -657,13 +657,13 @@ For example, under Linux the following will install GRUB into the MBR - of the first IDE disk: - - @example --# @kbd{grub-install /dev/sda} -+# @kbd{grub2-install /dev/sda} - @end example - - Likewise, under GNU/Hurd, this has the same effect: - - @example --# @kbd{grub-install /dev/hd0} -+# @kbd{grub2-install /dev/hd0} - @end example - - But all the above examples assume that GRUB should put images under -@@ -677,7 +677,7 @@ boot floppy with a filesystem. Here is an example: - # @kbd{mke2fs /dev/fd0} - # @kbd{mount -t ext2 /dev/fd0 /mnt} - # @kbd{mkdir /mnt/boot} --# @kbd{grub-install --boot-directory=/mnt/boot /dev/fd0} -+# @kbd{grub2-install --boot-directory=/mnt/boot /dev/fd0} - # @kbd{umount /mnt} - @end group - @end example -@@ -689,30 +689,37 @@ floppy instead of exposing the USB drive as a hard disk (they call it - @example - # @kbd{losetup /dev/loop0 /dev/sdb1} - # @kbd{mount /dev/loop0 /mnt/usb} --# @kbd{grub-install --boot-directory=/mnt/usb/bugbios --force --allow-floppy /dev/loop0} -+# @kbd{grub2-install --boot-directory=/mnt/usb/bugbios --force --allow-floppy /dev/loop0} - @end example - - This install doesn't conflict with standard install as long as they are in - separate directories. - -+Note that @command{grub2-install} is actually just a shell script and the -+real task is done by other tools such as @command{grub2-mkimage}. Therefore, -+you may run those commands directly to install GRUB, without using -+@command{grub2-install}. Don't do that, however, unless you are very familiar -+with the internals of GRUB. Installing a boot loader on a running OS may be -+extremely dangerous. -+ - On EFI systems for fixed disk install you have to mount EFI System Partition. 
- If you mount it at @file{/boot/efi} then you don't need any special arguments: - - @example --# @kbd{grub-install} -+# @kbd{grub2-install} - @end example - - Otherwise you need to specify where your EFI System partition is mounted: - - @example --# @kbd{grub-install --efi-directory=/mnt/efi} -+# @kbd{grub2-install --efi-directory=/mnt/efi} - @end example - - For removable installs you have to use @option{--removable} and specify both - @option{--boot-directory} and @option{--efi-directory}: - - @example --# @kbd{grub-install --efi-directory=/mnt/usb --boot-directory=/mnt/usb/boot --removable} -+# @kbd{grub2-install --efi-directory=/mnt/usb --boot-directory=/mnt/usb/boot --removable} - @end example - - @node Making a GRUB bootable CD-ROM -@@ -732,10 +739,10 @@ usually also need to include a configuration file @file{grub.cfg} and some - other GRUB modules. - - To make a simple generic GRUB rescue CD, you can use the --@command{grub-mkrescue} program (@pxref{Invoking grub-mkrescue}): -+@command{grub2-mkrescue} program (@pxref{Invoking grub2-mkrescue}): - - @example --$ @kbd{grub-mkrescue -o grub.iso} -+$ @kbd{grub2-mkrescue -o grub.iso} - @end example - - You will often need to include other files in your image. To do this, first -@@ -758,7 +765,7 @@ directory @file{iso/}. - Finally, make the image: - - @example --$ @kbd{grub-mkrescue -o grub.iso iso} -+$ @kbd{grub2-mkrescue -o grub.iso iso} - @end example - - This produces a file named @file{grub.iso}, which then can be burned -@@ -774,7 +781,7 @@ storage devices. - @node Device map - @section The map between BIOS drives and OS devices - --If the device map file exists, the GRUB utilities (@command{grub-probe}, -+If the device map file exists, the GRUB utilities (@command{grub2-probe}, - etc.) read it to map BIOS drives to OS devices. This file consists of lines - like this: - -@@ -1254,23 +1261,23 @@ need to write the whole thing by hand. 
- @node Simple configuration - @section Simple configuration handling - --The program @command{grub-mkconfig} (@pxref{Invoking grub-mkconfig}) -+The program @command{grub2-mkconfig} (@pxref{Invoking grub2-mkconfig}) - generates @file{grub.cfg} files suitable for most cases. It is suitable for - use when upgrading a distribution, and will discover available kernels and - attempt to generate menu entries for them. - --@command{grub-mkconfig} does have some limitations. While adding extra -+@command{grub2-mkconfig} does have some limitations. While adding extra - custom menu entries to the end of the list can be done by editing --@file{/etc/grub.d/40_custom} or creating @file{/boot/grub/custom.cfg}, -+@file{/etc/grub.d/40_custom} or creating @file{/boot/grub2/custom.cfg}, - changing the order of menu entries or changing their titles may require - making complex changes to shell scripts stored in @file{/etc/grub.d/}. This - may be improved in the future. In the meantime, those who feel that it - would be easier to write @file{grub.cfg} directly are encouraged to do so - (@pxref{Booting}, and @ref{Shell-like scripting}), and to disable any system --provided by their distribution to automatically run @command{grub-mkconfig}. -+provided by their distribution to automatically run @command{grub2-mkconfig}. - - The file @file{/etc/default/grub} controls the operation of --@command{grub-mkconfig}. It is sourced by a shell script, and so must be -+@command{grub2-mkconfig}. It is sourced by a shell script, and so must be - valid POSIX shell input; normally, it will just be a sequence of - @samp{KEY=value} lines, but if the value contains spaces or other special - characters then it must be quoted. For example: -@@ -1308,7 +1315,7 @@ works it's not recommended since titles often contain unstable device names - and may be translated - - If you set this to @samp{saved}, then the default menu entry will be that --saved by @samp{GRUB_SAVEDEFAULT} or @command{grub-set-default}. 
This relies on -+saved by @samp{GRUB_SAVEDEFAULT} or @command{grub2-set-default}. This relies on - the environment block, which may not be available in all situations - (@pxref{Environment block}). - -@@ -1319,7 +1326,7 @@ If this option is set to @samp{true}, then, when an entry is selected, save - it as a new default entry for use by future runs of GRUB. This is only - useful if @samp{GRUB_DEFAULT=saved}; it is a separate option because - @samp{GRUB_DEFAULT=saved} is useful without this option, in conjunction with --@command{grub-set-default}. Unset by default. -+@command{grub2-set-default}. Unset by default. - This option relies on the environment block, which may not be available in - all situations (@pxref{Environment block}). - -@@ -1449,7 +1456,7 @@ intel-uc.img intel-ucode.img amd-uc.img amd-ucode.img early_ucode.cpio microcode - @end example - - @item GRUB_DISABLE_LINUX_UUID --Normally, @command{grub-mkconfig} will generate menu entries that use -+Normally, @command{grub2-mkconfig} will generate menu entries that use - universally-unique identifiers (UUIDs) to identify the root filesystem to - the Linux kernel, using a @samp{root=UUID=...} kernel parameter. This is - usually more reliable, but in some cases it may not be appropriate. To -@@ -1471,7 +1478,7 @@ If this option is set to @samp{true}, disable the generation of recovery - mode menu entries. - - @item GRUB_DISABLE_UUID --Normally, @command{grub-mkconfig} will generate menu entries that use -+Normally, @command{grub2-mkconfig} will generate menu entries that use - universally-unique identifiers (UUIDs) to identify various filesystems to - search for files. This is usually more reliable, but in some cases it may - not be appropriate. To disable this use of UUIDs, set this option to -@@ -1482,12 +1489,12 @@ not be appropriate. 
To disable this use of UUIDs, set this option to - @item GRUB_VIDEO_BACKEND - If graphical video support is required, either because the @samp{gfxterm} - graphical terminal is in use or because @samp{GRUB_GFXPAYLOAD_LINUX} is set, --then @command{grub-mkconfig} will normally load all available GRUB video -+then @command{grub2-mkconfig} will normally load all available GRUB video - drivers and use the one most appropriate for your hardware. If you need to - override this for some reason, then you can set this option. - --After @command{grub-install} has been run, the available video drivers are --listed in @file{/boot/grub/video.lst}. -+After @command{grub2-install} has been run, the available video drivers are -+listed in @file{/boot/grub2/video.lst}. - - @item GRUB_GFXMODE - Set the resolution used on the @samp{gfxterm} graphical terminal. Note that -@@ -1519,20 +1526,20 @@ boot sequence. If you have problems, set this option to @samp{text} and - GRUB will tell Linux to boot in normal text mode. - - @item GRUB_DISABLE_OS_PROBER --The @command{grub-mkconfig} has a feature to use the external -+The @command{grub2-mkconfig} has a feature to use the external - @command{os-prober} program to discover other operating systems installed on - the same machine and generate appropriate menu entries for them. It is disabled - by default since automatic and silent execution of @command{os-prober}, and - creating boot entries based on that data, is a potential attack vector. Set - this option to @samp{false} to enable this feature in the --@command{grub-mkconfig} command. -+@command{grub2-mkconfig} command. - - @item GRUB_OS_PROBER_SKIP_LIST - List of space-separated FS UUIDs of filesystems to be ignored from os-prober - output. 
For efi chainloaders it's @@ - - @item GRUB_DISABLE_SUBMENU --Normally, @command{grub-mkconfig} will generate top level menu entry for -+Normally, @command{grub2-mkconfig} will generate top level menu entry for - the kernel with highest version number and put all other found kernels - or alternative menu entries for recovery mode in submenu. For entries returned - by @command{os-prober} first entry will be put on top level and all others -@@ -1540,11 +1547,11 @@ in submenu. If this option is set to @samp{true}, flat menu with all entries - on top level will be generated instead. Changing this option will require - changing existing values of @samp{GRUB_DEFAULT}, @samp{fallback} (@pxref{fallback}) - and @samp{default} (@pxref{default}) environment variables as well as saved --default entry using @command{grub-set-default} and value used with --@command{grub-reboot}. -+default entry using @command{grub2-set-default} and value used with -+@command{grub2-reboot}. - - @item GRUB_ENABLE_CRYPTODISK --If set to @samp{y}, @command{grub-mkconfig} and @command{grub-install} will -+If set to @samp{y}, @command{grub2-mkconfig} and @command{grub2-install} will - check for encrypted disks and generate additional commands needed to access - them during boot. Note that in this case unattended boot is not possible - because GRUB will wait for passphrase to unlock encrypted container. -@@ -1603,7 +1610,7 @@ confusing @samp{GRUB_TIMEOUT_STYLE=countdown} or - - @end table - --For more detailed customisation of @command{grub-mkconfig}'s output, you may -+For more detailed customisation of @command{grub2-mkconfig}'s output, you may - edit the scripts in @file{/etc/grub.d} directly. - @file{/etc/grub.d/40_custom} is particularly useful for adding entire custom - menu entries; simply type the menu entries you want to add at the end of -@@ -1864,7 +1871,7 @@ images as well. 
- Mount this partition on/mnt/boot and disable GRUB in all OSes and manually - install self-compiled latest GRUB with: - --@code{grub-install --boot-directory=/mnt/boot /dev/sda} -+@code{grub2-install --boot-directory=/mnt/boot /dev/sda} - - In all the OSes install GRUB tools but disable installing GRUB in bootsector, - so you'll have menu.lst and grub.cfg available for use. Also disable os-prober -@@ -1874,20 +1881,20 @@ use by setting: - - in /etc/default/grub - --Then write a grub.cfg (/mnt/boot/grub/grub.cfg): -+Then write a grub.cfg (/mnt/boot/grub2/grub.cfg): - - @example - - menuentry "OS using grub2" @{ - insmod xfs - search --set=root --label OS1 --hint hd0,msdos8 -- configfile /boot/grub/grub.cfg -+ configfile /boot/grub2/grub.cfg - @} - - menuentry "OS using grub2-legacy" @{ - insmod ext2 - search --set=root --label OS2 --hint hd0,msdos6 -- legacy_configfile /boot/grub/menu.lst -+ legacy_configfile /boot/grub2/menu.lst - @} - - menuentry "Windows XP" @{ -@@ -1950,15 +1957,15 @@ GRUB supports embedding a configuration file directly into the core image, - so that it is loaded before entering normal mode. This is useful, for - example, when it is not straightforward to find the real configuration file, - or when you need to debug problems with loading that file. --@command{grub-install} uses this feature when it is not using BIOS disk -+@command{grub2-install} uses this feature when it is not using BIOS disk - functions or when installing to a different disk from the one containing - @file{/boot/grub}, in which case it needs to use the @command{search} - command (@pxref{search}) to find @file{/boot/grub}. - - To embed a configuration file, use the @option{-c} option to --@command{grub-mkimage}. The file is copied into the core image, so it may -+@command{grub2-mkimage}. The file is copied into the core image, so it may - reside anywhere on the file system, and may be removed after running --@command{grub-mkimage}. -+@command{grub2-mkimage}. 
- - After the embedded configuration file (if any) is executed, GRUB will load - the @samp{normal} module (@pxref{normal}), which will then read the real -@@ -1993,13 +2000,13 @@ included in the core image: - @example - @group - search.fs_label grub root --if [ -e /boot/grub/example/test1.cfg ]; then -+if [ -e /boot/grub2/example/test1.cfg ]; then - set prefix=($root)/boot/grub -- configfile /boot/grub/example/test1.cfg -+ configfile /boot/grub2/example/test1.cfg - else -- if [ -e /boot/grub/example/test2.cfg ]; then -+ if [ -e /boot/grub2/example/test2.cfg ]; then - set prefix=($root)/boot/grub -- configfile /boot/grub/example/test2.cfg -+ configfile /boot/grub2/example/test2.cfg - else - echo "Could not find an example configuration file!" - fi -@@ -2523,7 +2530,7 @@ grub-mknetdir --net-directory=/srv/tftp --subdir=/boot/grub -d /usr/lib/grub/i38 - @end group - @end example - --Then follow instructions printed out by grub-mknetdir on configuring your DHCP -+Then follow instructions printed out by grub2-mknetdir on configuring your DHCP - server. - - The grub.cfg file is placed in the same directory as the path output by -@@ -2717,7 +2724,7 @@ team are: - @end table - - To take full advantage of this function, install GRUB into the MBR --(@pxref{Installing GRUB using grub-install}). -+(@pxref{Installing GRUB using grub2-install}). - - If you have a laptop which has a similar feature and not in the above list - could you figure your address and contribute? -@@ -2778,7 +2785,7 @@ bytes. - The sole function of @file{boot.img} is to read the first sector of the core - image from a local disk and jump to it. Because of the size restriction, - @file{boot.img} cannot understand any file system structure, so --@command{grub-install} hardcodes the location of the first sector of the -+@command{grub2-install} hardcodes the location of the first sector of the - core image into @file{boot.img} when installing GRUB. - - @item diskboot.img -@@ -2808,7 +2815,7 @@ images. 
- - @item core.img - This is the core image of GRUB. It is built dynamically from the kernel --image and an arbitrary list of modules by the @command{grub-mkimage} -+image and an arbitrary list of modules by the @command{grub2-mkimage} - program. Usually, it contains enough modules to access @file{/boot/grub}, - and loads everything else (including menu handling, the ability to load - target operating systems, and so on) from the file system at run-time. The -@@ -2860,7 +2867,7 @@ GRUB 2 has no single Stage 2 image. Instead, it loads modules from - In GRUB 2, images for booting from CD-ROM drives are now constructed using - @file{cdboot.img} and @file{core.img}, making sure that the core image - contains the @samp{iso9660} module. It is usually best to use the --@command{grub-mkrescue} program for this. -+@command{grub2-mkrescue} program for this. - - @item nbgrub - There is as yet no equivalent for @file{nbgrub} in GRUB 2; it was used by -@@ -3016,8 +3023,8 @@ There are two ways to specify files, by @dfn{absolute file name} and by - - An absolute file name resembles a Unix absolute file name, using - @samp{/} for the directory separator (not @samp{\} as in DOS). One --example is @samp{(hd0,1)/boot/grub/grub.cfg}. This means the file --@file{/boot/grub/grub.cfg} in the first partition of the first hard -+example is @samp{(hd0,1)/boot/grub2/grub.cfg}. This means the file -+@file{/boot/grub2/grub.cfg} in the first partition of the first hard - disk. If you omit the device name in an absolute file name, GRUB uses - GRUB's @dfn{root device} implicitly. So if you set the root device to, - say, @samp{(hd1,1)} by the command @samp{set root=(hd1,1)} (@pxref{set}), -@@ -3025,8 +3032,8 @@ then @code{/boot/kernel} is the same as @code{(hd1,1)/boot/kernel}. - - On ZFS filesystem the first path component must be - @var{volume}@samp{@@}[@var{snapshot}]. 
--So @samp{/rootvol@@snap-129/boot/grub/grub.cfg} refers to file --@samp{/boot/grub/grub.cfg} in snapshot of volume @samp{rootvol} with name -+So @samp{/rootvol@@snap-129/boot/grub2/grub.cfg} refers to file -+@samp{/boot/grub2/grub.cfg} in snapshot of volume @samp{rootvol} with name - @samp{snap-129}. Trailing @samp{@@} after volume name is mandatory even if - snapshot name is omitted. - -@@ -3429,7 +3436,7 @@ The more recent release of Minix would then be identified as - @samp{other>minix>minix-3.4.0}. - - This variable is often set by @samp{GRUB_DEFAULT} (@pxref{Simple --configuration}), @command{grub-set-default}, or @command{grub-reboot}. -+configuration}), @command{grub2-set-default}, or @command{grub2-reboot}. - - - @node fallback -@@ -3519,7 +3526,7 @@ If this variable is set, it names the language code that the - example, French would be named as @samp{fr}, and Simplified Chinese as - @samp{zh_CN}. - --@command{grub-mkconfig} (@pxref{Simple configuration}) will try to set a -+@command{grub2-mkconfig} (@pxref{Simple configuration}) will try to set a - reasonable default for this variable based on the system locale. - - -@@ -3527,10 +3534,10 @@ reasonable default for this variable based on the system locale. - @subsection locale_dir - - If this variable is set, it names the directory where translation files may --be found (@pxref{gettext}), usually @file{/boot/grub/locale}. Otherwise, -+be found (@pxref{gettext}), usually @file{/boot/grub2/locale}. Otherwise, - internationalization is disabled. - --@command{grub-mkconfig} (@pxref{Simple configuration}) will set a reasonable -+@command{grub2-mkconfig} (@pxref{Simple configuration}) will set a reasonable - default for this variable if internationalization is needed and any - translation files are available. - -@@ -3648,7 +3655,7 @@ input. The default is not to pause output. - - The location of the @samp{/boot/grub} directory as an absolute file name - (@pxref{File name syntax}). 
This is normally set by GRUB at startup based --on information provided by @command{grub-install}. GRUB modules are -+on information provided by @command{grub2-install}. GRUB modules are - dynamically loaded from this directory, so it must be set correctly in order - for many parts of GRUB to work. - -@@ -3739,17 +3746,17 @@ GRUB provides an ``environment block'' which can be used to save a small - amount of state. - - The environment block is a preallocated 1024-byte file, which normally lives --in @file{/boot/grub/grubenv} (although you should not assume this). At boot -+in @file{/boot/grub2/grubenv} (although you should not assume this). At boot - time, the @command{load_env} command (@pxref{load_env}) loads environment - variables from it, and the @command{save_env} (@pxref{save_env}) command - saves environment variables to it. From a running system, the --@command{grub-editenv} utility can be used to edit the environment block. -+@command{grub2-editenv} utility can be used to edit the environment block. - - For safety reasons, this storage is only available when installed on a plain - disk (no LVM or RAID), using a non-checksumming filesystem (no ZFS), and - using BIOS or EFI functions (no ATA, USB or IEEE1275). - --@command{grub-mkconfig} uses this facility to implement -+@command{grub2-mkconfig} uses this facility to implement - @samp{GRUB_SAVEDEFAULT} (@pxref{Simple configuration}). - - -@@ -4473,7 +4480,7 @@ Translate @var{string} into the current language. - - The current language code is stored in the @samp{lang} variable in GRUB's - environment (@pxref{lang}). Translation files in MO format are read from --@samp{locale_dir} (@pxref{locale_dir}), usually @file{/boot/grub/locale}. -+@samp{locale_dir} (@pxref{locale_dir}), usually @file{/boot/grub2/locale}. - @end deffn - - -@@ -4868,7 +4875,7 @@ Define a user named @var{user} with password @var{clear-password}. 
- - @deffn Command password_pbkdf2 user hashed-password - Define a user named @var{user} with password hash @var{hashed-password}. --Use @command{grub-mkpasswd-pbkdf2} (@pxref{Invoking grub-mkpasswd-pbkdf2}) -+Use @command{grub2-mkpasswd-pbkdf2} (@pxref{Invoking grub2-mkpasswd-pbkdf2}) - to generate password hashes. @xref{Security}. - @end deffn - -@@ -5811,8 +5818,8 @@ The @samp{password} (@pxref{password}) and @samp{password_pbkdf2} - which has an associated password. @samp{password} sets the password in - plain text, requiring @file{grub.cfg} to be secure; @samp{password_pbkdf2} - sets the password hashed using the Password-Based Key Derivation Function --(RFC 2898), requiring the use of @command{grub-mkpasswd-pbkdf2} --(@pxref{Invoking grub-mkpasswd-pbkdf2}) to generate password hashes. -+(RFC 2898), requiring the use of @command{grub2-mkpasswd-pbkdf2} -+(@pxref{Invoking grub2-mkpasswd-pbkdf2}) to generate password hashes. - - In order to enable authentication support, the @samp{superusers} environment - variable must be set to a list of usernames, separated by any of spaces, -@@ -5857,7 +5864,7 @@ menuentry "May be run by user1 or a superuser" --users user1 @{ - @end group - @end example - --The @command{grub-mkconfig} program does not yet have built-in support for -+The @command{grub2-mkconfig} program does not yet have built-in support for - generating configuration files with authentication. You can use - @file{/etc/grub.d/40_custom} to add simple superuser authentication, by - adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2} -@@ -5884,7 +5891,17 @@ may halt or otherwise impact the boot process. - - An initial trusted public key can be embedded within the GRUB @file{core.img} - using the @code{--pubkey} option to @command{grub-install} --(@pxref{Invoking grub-install}). -+(@pxref{Invoking grub2-install}). 
-+ -+@comment Unfortunately --pubkey is not yet supported by grub2-install, -+@comment but we should not bring up internal detail grub2-mkimage here -+@comment in the user guide (as opposed to developer's manual). -+ -+@comment An initial trusted public key can be embedded within the GRUB -+@comment @file{core.img} using the @code{--pubkey} option to -+@comment @command{grub2-mkimage} (@pxref{Invoking grub2-install}). Presently it -+@comment is necessary to write a custom wrapper around @command{grub2-mkimage} -+@comment using the @code{--grub-mkimage} flag to @command{grub2-install}. - - GRUB uses GPG-style detached signatures (meaning that a file - @file{foo.sig} will be produced when file @file{foo} is signed), and -@@ -5904,8 +5921,8 @@ gpg --detach-sign /path/to/file - For successful validation of all of GRUB's subcomponents and the - loaded OS kernel, they must all be signed. One way to accomplish this - is the following (after having already produced the desired --@file{grub.cfg} file, e.g., by running @command{grub-mkconfig} --(@pxref{Invoking grub-mkconfig}): -+@file{grub.cfg} file, e.g., by running @command{grub2-mkconfig} -+(@pxref{Invoking grub2-mkconfig}): - - @example - @group -@@ -5927,7 +5944,7 @@ See also: @ref{check_signatures}, @ref{verify_detached}, @ref{trust}, - Note that internally signature enforcement is controlled by setting - the environment variable @code{check_signatures} equal to - @code{enforce}. Passing one or more @code{--pubkey} options to --@command{grub-mkimage} implicitly defines @code{check_signatures} -+@command{grub2-mkimage} implicitly defines @code{check_signatures} - equal to @code{enforce} in @file{core.img} prior to processing any - configuration files. 
- -@@ -6385,10 +6402,10 @@ Required files are: - - GRUB's normal start-up procedure involves setting the @samp{prefix} - environment variable to a value set in the core image by --@command{grub-install}, setting the @samp{root} variable to match, loading -+@command{grub2-install}, setting the @samp{root} variable to match, loading - the @samp{normal} module from the prefix, and running the @samp{normal} - command (@pxref{normal}). This command is responsible for reading --@file{/boot/grub/grub.cfg}, running the menu, and doing all the useful -+@file{/boot/grub2/grub.cfg}, running the menu, and doing all the useful - things GRUB is supposed to do. - - If, instead, you only get a rescue shell, this usually means that GRUB -@@ -6414,8 +6431,8 @@ normal - - However, any problem that leaves you in the rescue shell probably means that - GRUB was not correctly installed. It may be more useful to try to reinstall --it properly using @kbd{grub-install @var{device}} (@pxref{Invoking --grub-install}). When doing this, there are a few things to remember: -+it properly using @kbd{grub2-install @var{device}} (@pxref{Invoking -+grub2-install}). When doing this, there are a few things to remember: - - @itemize @bullet{} - @item -@@ -6427,7 +6444,7 @@ is usually better to use UUIDs or file system labels and avoid depending on - drive ordering entirely. - - @item --At least on BIOS systems, if you tell @command{grub-install} to install GRUB -+At least on BIOS systems, if you tell @command{grub2-install} to install GRUB - to a partition but GRUB has already been installed in the master boot - record, then the GRUB installation in the partition will be ignored. - -@@ -6458,21 +6475,21 @@ entry which claims partition start at block 0. This change will not hamper - bootability on other machines. 
- - --@node Invoking grub-install --@chapter Invoking grub-install -+@node Invoking grub2-install -+@chapter Invoking grub2-install - --The program @command{grub-install} generates a GRUB core image using --@command{grub-mkimage} and installs it on your system. You must specify the -+The program @command{grub2-install} generates a GRUB core image using -+@command{grub2-mkimage} and installs it on your system. You must specify the - device name on which you want to install GRUB, like this: - - @example --grub-install @var{install_device} -+grub2-install @var{install_device} - @end example - - The device name @var{install_device} is an OS device name or a GRUB - device name. - --@command{grub-install} accepts the following options: -+@command{grub2-install} accepts the following options: - - @table @option - @item --help -@@ -6488,13 +6505,13 @@ separate partition or a removable disk. - If this option is not specified then it defaults to @file{/boot}, so - - @example --@kbd{grub-install /dev/sda} -+@kbd{grub2-install /dev/sda} - @end example - - is equivalent to - - @example --@kbd{grub-install --boot-directory=/boot/ /dev/sda} -+@kbd{grub2-install --boot-directory=/boot/ /dev/sda} - @end example - - Here is an example in which you have a separate @dfn{boot} partition which is -@@ -6502,16 +6519,16 @@ mounted on - @file{/mnt/boot}: - - @example --@kbd{grub-install --boot-directory=/mnt/boot /dev/sdb} -+@kbd{grub2-install --boot-directory=/mnt/boot /dev/sdb} - @end example - - @item --recheck --Recheck the device map, even if @file{/boot/grub/device.map} already -+Recheck the device map, even if @file{/boot/grub2/device.map} already - exists. You should use this option whenever you add/remove a disk - into/from your computer. 
- - @item --no-rs-codes --By default on x86 BIOS systems, @command{grub-install} will use some -+By default on x86 BIOS systems, @command{grub2-install} will use some - extra space in the bootloader embedding area for Reed-Solomon - error-correcting codes. This enables GRUB to still boot successfully - if some blocks are corrupted. The exact amount of protection offered -@@ -6524,17 +6541,17 @@ installation}) where GRUB does not reside in any unpartitioned space - outside of the MBR. Disable the Reed-Solomon codes with this option. - @end table - --@node Invoking grub-mkconfig --@chapter Invoking grub-mkconfig -+@node Invoking grub2-mkconfig -+@chapter Invoking grub2-mkconfig - --The program @command{grub-mkconfig} generates a configuration file for GRUB -+The program @command{grub2-mkconfig} generates a configuration file for GRUB - (@pxref{Simple configuration}). - - @example --grub-mkconfig -o /boot/grub/grub.cfg -+grub-mkconfig -o /boot/grub2/grub.cfg - @end example - --@command{grub-mkconfig} accepts the following options: -+@command{grub2-mkconfig} accepts the following options: - - @table @option - @item --help -@@ -6550,17 +6567,17 @@ it to standard output. - @end table - - --@node Invoking grub-mkpasswd-pbkdf2 --@chapter Invoking grub-mkpasswd-pbkdf2 -+@node Invoking grub2-mkpasswd-pbkdf2 -+@chapter Invoking grub2-mkpasswd-pbkdf2 - --The program @command{grub-mkpasswd-pbkdf2} generates password hashes for -+The program @command{grub2-mkpasswd-pbkdf2} generates password hashes for - GRUB (@pxref{Security}). - - @example - grub-mkpasswd-pbkdf2 - @end example - --@command{grub-mkpasswd-pbkdf2} accepts the following options: -+@command{grub2-mkpasswd-pbkdf2} accepts the following options: - - @table @option - @item -c @var{number} -@@ -6578,23 +6595,23 @@ Length of the salt. Defaults to 64. 
- @end table - - --@node Invoking grub-mkrelpath --@chapter Invoking grub-mkrelpath -+@node Invoking grub2-mkrelpath -+@chapter Invoking grub2-mkrelpath - --The program @command{grub-mkrelpath} makes a file system path relative to -+The program @command{grub2-mkrelpath} makes a file system path relative to - the root of its containing file system. For instance, if @file{/usr} is a - mount point, then: - - @example --$ @kbd{grub-mkrelpath /usr/share/grub/unicode.pf2} -+$ @kbd{grub2-mkrelpath /usr/share/grub/unicode.pf2} - @samp{/share/grub/unicode.pf2} - @end example - - This is mainly used internally by other GRUB utilities such as --@command{grub-mkconfig} (@pxref{Invoking grub-mkconfig}), but may -+@command{grub2-mkconfig} (@pxref{Invoking grub2-mkconfig}), but may - occasionally also be useful for debugging. - --@command{grub-mkrelpath} accepts the following options: -+@command{grub2-mkrelpath} accepts the following options: - - @table @option - @item --help -@@ -6605,17 +6622,17 @@ Print the version number of GRUB and exit. - @end table - - --@node Invoking grub-mkrescue --@chapter Invoking grub-mkrescue -+@node Invoking grub2-mkrescue -+@chapter Invoking grub2-mkrescue - --The program @command{grub-mkrescue} generates a bootable GRUB rescue image -+The program @command{grub2-mkrescue} generates a bootable GRUB rescue image - (@pxref{Making a GRUB bootable CD-ROM}). - - @example - grub-mkrescue -o grub.iso - @end example - --All arguments not explicitly listed as @command{grub-mkrescue} options are -+All arguments not explicitly listed as @command{grub2-mkrescue} options are - passed on directly to @command{xorriso} in @command{mkisofs} emulation mode. 
- Options passed to @command{xorriso} will normally be interpreted as - @command{mkisofs} options; if the option @samp{--} is used, then anything -@@ -6630,7 +6647,7 @@ mkdir -p disk/boot/grub - grub-mkrescue -o grub.iso disk - @end example - --@command{grub-mkrescue} accepts the following options: -+@command{grub2-mkrescue} accepts the following options: - - @table @option - @item --help -@@ -6658,15 +6675,15 @@ Use @var{file} as the @command{xorriso} program, rather than the built-in - default. - - @item --grub-mkimage=@var{file} --Use @var{file} as the @command{grub-mkimage} program, rather than the -+Use @var{file} as the @command{grub2-mkimage} program, rather than the - built-in default. - @end table - - --@node Invoking grub-mount --@chapter Invoking grub-mount -+@node Invoking grub2-mount -+@chapter Invoking grub2-mount - --The program @command{grub-mount} performs a read-only mount of any file -+The program @command{grub2-mount} performs a read-only mount of any file - system or file system image that GRUB understands, using GRUB's file system - drivers via FUSE. (It is only available if FUSE development files were - present when GRUB was built.) This has a number of uses: -@@ -6698,13 +6715,13 @@ even if nobody has yet written a FUSE module specifically for that file - system type. - @end itemize - --Using @command{grub-mount} is normally as simple as: -+Using @command{grub2-mount} is normally as simple as: - - @example - grub-mount /dev/sda1 /mnt - @end example - --@command{grub-mount} must be given one or more images and a mount point as -+@command{grub2-mount} must be given one or more images and a mount point as - non-option arguments (if it is given more than one image, it will treat them - as a RAID set), and also accepts the following options: - -@@ -6726,13 +6743,13 @@ Show debugging output for conditions matching @var{string}. - @item -K prompt|@var{file} - @itemx --zfs-key=prompt|@var{file} - Load a ZFS encryption key. 
If you use @samp{prompt} as the argument, --@command{grub-mount} will read a passphrase from the terminal; otherwise, it -+@command{grub2-mount} will read a passphrase from the terminal; otherwise, it - will read key material from the specified file. - - @item -r @var{device} - @itemx --root=@var{device} - Set the GRUB root device to @var{device}. You do not normally need to set --this; @command{grub-mount} will automatically set the root device to the -+this; @command{grub2-mount} will automatically set the root device to the - root of the supplied file system. - - If @var{device} is just a number, then it will be treated as a partition -@@ -6750,10 +6767,10 @@ Print verbose messages. - @end table - - --@node Invoking grub-probe --@chapter Invoking grub-probe -+@node Invoking grub2-probe -+@chapter Invoking grub2-probe - --The program @command{grub-probe} probes device information for a given path -+The program @command{grub2-probe} probes device information for a given path - or device. - - @example -@@ -6761,7 +6778,7 @@ grub-probe --target=fs /boot/grub - grub-probe --target=drive --device /dev/sda1 - @end example - --@command{grub-probe} must be given a path or device as a non-option -+@command{grub2-probe} must be given a path or device as a non-option - argument, and also accepts the following options: - - @table @option -@@ -6774,16 +6791,16 @@ Print the version number of GRUB and exit. - @item -d - @itemx --device - If this option is given, then the non-option argument is a system device --name (such as @samp{/dev/sda1}), and @command{grub-probe} will print -+name (such as @samp{/dev/sda1}), and @command{grub2-probe} will print - information about that device. If it is not given, then the non-option - argument is a filesystem path (such as @samp{/boot/grub}), and --@command{grub-probe} will print information about the device containing that -+@command{grub2-probe} will print information about the device containing that - part of the filesystem. 
- - @item -m @var{file} - @itemx --device-map=@var{file} - Use @var{file} as the device map (@pxref{Device map}) rather than the --default, usually @samp{/boot/grub/device.map}. -+default, usually @samp{/boot/grub2/device.map}. - - @item -t @var{target} - @itemx --target=@var{target} -@@ -6836,19 +6853,19 @@ Print verbose messages. - @end table - - --@node Invoking grub-script-check --@chapter Invoking grub-script-check -+@node Invoking grub2-script-check -+@chapter Invoking grub2-script-check - --The program @command{grub-script-check} takes a GRUB script file -+The program @command{grub2-script-check} takes a GRUB script file - (@pxref{Shell-like scripting}) and checks it for syntax errors, similar to - commands such as @command{sh -n}. It may take a @var{path} as a non-option - argument; if none is supplied, it will read from standard input. - - @example --grub-script-check /boot/grub/grub.cfg -+grub-script-check /boot/grub2/grub.cfg - @end example - --@command{grub-script-check} accepts the following options: -+@command{grub2-script-check} accepts the following options: - - @table @option - @item --help diff --git a/SPECS/grub2/0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch b/SPECS/grub2/0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch deleted file mode 100644 index acfb116d74f..00000000000 --- a/SPECS/grub2/0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 7 Nov 2017 17:12:17 -0500 -Subject: [PATCH] Make pmtimer tsc calibration not take 51 seconds to fail. - -On my laptop running at 2.4GHz, if I run a VM where tsc calibration -using pmtimer will fail presuming a broken pmtimer, it takes ~51 seconds -to do so (as measured with the stopwatch on my phone), with a tsc delta -of 0x1cd1c85300, or around 125 billion cycles. - -If instead of trying to wait for 5-200ms to show up on the pmtimer, we try -to wait for 5-200us, it decides it's broken in ~0x2626aa0 TSCs, aka ~2.4 -million cycles, or more or less instantly. - -Additionally, this reading the pmtimer was returning 0xffffffff anyway, -and that's obviously an invalid return. I've added a check for that and -0 so we don't bother waiting for the test if what we're seeing is dead -pins with no response at all. - -If "debug" is includes "pmtimer", you will see one of the following -three outcomes. If pmtimer gives all 0 or all 1 bits, you will see: - -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 1 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 2 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 3 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 4 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 5 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 6 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 7 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 8 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 9 -kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 10 -kern/i386/tsc_pmtimer.c:78: timer is broken; giving up. 
- -This outcome was tested using qemu+kvm with UEFI (OVMF) firmware and -these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX - -If pmtimer gives any other bit patterns but is not actually marching -forward fast enough to use for clock calibration, you will see: - -kern/i386/tsc_pmtimer.c:121: pmtimer delta is 0x0 (1904 iterations) -kern/i386/tsc_pmtimer.c:124: tsc delta is implausible: 0x2626aa0 - -This outcome was tested using grub compiled with GRUB_PMTIMER_IGNORE_BAD_READS -defined (so as not to trip the bad read test) using qemu+kvm with UEFI -(OVMF) firmware, and these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX - -If pmtimer actually works, you'll see something like: - -kern/i386/tsc_pmtimer.c:121: pmtimer delta is 0x0 (1904 iterations) -kern/i386/tsc_pmtimer.c:124: tsc delta is implausible: 0x2626aa0 - -This outcome was tested using qemu+kvm with UEFI (OVMF) firmware, and -these options: -machine pc-i440fx-2.4 -cpu Broadwell-noTSX - -I've also tested this outcome on a real Intel Xeon E3-1275v3 on an Intel -Server Board S1200V3RPS using the SDV.RP.B8 "Release" build here: -https://firmware.intel.com/sites/default/files/UEFIDevKit_S1200RP_vB8.zip - -Signed-off-by: Peter Jones ---- - grub-core/kern/i386/tsc_pmtimer.c | 109 +++++++++++++++++++++++++++++++------- - 1 file changed, 89 insertions(+), 20 deletions(-) - -diff --git a/grub-core/kern/i386/tsc_pmtimer.c b/grub-core/kern/i386/tsc_pmtimer.c -index c9c36169978..ca15c3aacd7 100644 ---- a/grub-core/kern/i386/tsc_pmtimer.c -+++ b/grub-core/kern/i386/tsc_pmtimer.c -@@ -28,40 +28,101 @@ - #include - #include - -+/* -+ * Define GRUB_PMTIMER_IGNORE_BAD_READS if you're trying to test a timer that's -+ * present but doesn't keep time well. 
-+ */ -+// #define GRUB_PMTIMER_IGNORE_BAD_READS -+ - grub_uint64_t - grub_pmtimer_wait_count_tsc (grub_port_t pmtimer, - grub_uint16_t num_pm_ticks) - { - grub_uint32_t start; -- grub_uint32_t last; -- grub_uint32_t cur, end; -+ grub_uint64_t cur, end; - grub_uint64_t start_tsc; - grub_uint64_t end_tsc; -- int num_iter = 0; -+ unsigned int num_iter = 0; -+#ifndef GRUB_PMTIMER_IGNORE_BAD_READS -+ int bad_reads = 0; -+#endif - -- start = grub_inl (pmtimer) & 0xffffff; -- last = start; -+ /* -+ * Some timers are 24-bit and some are 32-bit, but it doesn't make much -+ * difference to us. Caring which one we have isn't really worth it since -+ * the low-order digits will give us enough data to calibrate TSC. So just -+ * mask the top-order byte off. -+ */ -+ cur = start = grub_inl (pmtimer) & 0xffffffUL; - end = start + num_pm_ticks; - start_tsc = grub_get_tsc (); - while (1) - { -- cur = grub_inl (pmtimer) & 0xffffff; -- if (cur < last) -- cur |= 0x1000000; -- num_iter++; -+ cur &= 0xffffffffff000000ULL; -+ cur |= grub_inl (pmtimer) & 0xffffffUL; -+ -+ end_tsc = grub_get_tsc(); -+ -+#ifndef GRUB_PMTIMER_IGNORE_BAD_READS -+ /* -+ * If we get 10 reads in a row that are obviously dead pins, there's no -+ * reason to do this thousands of times. -+ */ -+ if (cur == 0xffffffUL || cur == 0) -+ { -+ bad_reads++; -+ grub_dprintf ("pmtimer", -+ "pmtimer: 0x%"PRIxGRUB_UINT64_T" bad_reads: %d\n", -+ cur, bad_reads); -+ grub_dprintf ("pmtimer", "timer is broken; giving up.\n"); -+ -+ if (bad_reads == 10) -+ return 0; -+ } -+#endif -+ -+ if (cur < start) -+ cur += 0x1000000; -+ - if (cur >= end) - { -- end_tsc = grub_get_tsc (); -+ grub_dprintf ("pmtimer", "pmtimer delta is 0x%"PRIxGRUB_UINT64_T"\n", -+ cur - start); -+ grub_dprintf ("pmtimer", "tsc delta is 0x%"PRIxGRUB_UINT64_T"\n", -+ end_tsc - start_tsc); - return end_tsc - start_tsc; - } -- /* Check for broken PM timer. 
-- 50000000 TSCs is between 5 ms (10GHz) and 200 ms (250 MHz) -- if after this time we still don't have 1 ms on pmtimer, then -- pmtimer is broken. -+ -+ /* -+ * Check for broken PM timer. 1ms at 10GHz should be 1E+7 TSCs; at -+ * 250MHz it should be 2.5E6. So if after 4E+7 TSCs on a 10GHz machine, -+ * we should have seen pmtimer show 4ms of change (i.e. cur =~ -+ * start+14320); on a 250MHz machine that should be 16ms (start+57280). -+ * If after this a time we still don't have 1ms on pmtimer, then pmtimer -+ * is broken. -+ * -+ * Likewise, if our code is perfectly efficient and introduces no delays -+ * whatsoever, on a 10GHz system we should see a TSC delta of 3580 in -+ * ~3580 iterations. On a 250MHz machine that should be ~900 iterations. -+ * -+ * With those factors in mind, there are two limits here. There's a hard -+ * limit here at 8x our desired pm timer delta, picked as an arbitrarily -+ * large value that's still not a lot of time to humans, because if we -+ * get that far this is either an implausibly fast machine or the pmtimer -+ * is not running. And there's another limit on 4x our 10GHz tsc delta -+ * without seeing cur converge on our target value. 
- */ -- if ((num_iter & 0xffffff) == 0 && grub_get_tsc () - start_tsc > 5000000) { -- return 0; -- } -+ if ((++num_iter > (grub_uint32_t)num_pm_ticks << 3UL) || -+ end_tsc - start_tsc > 40000000) -+ { -+ grub_dprintf ("pmtimer", -+ "pmtimer delta is 0x%"PRIxGRUB_UINT64_T" (%u iterations)\n", -+ cur - start, num_iter); -+ grub_dprintf ("pmtimer", -+ "tsc delta is implausible: 0x%"PRIxGRUB_UINT64_T"\n", -+ end_tsc - start_tsc); -+ return 0; -+ } - } - } - -@@ -74,12 +135,20 @@ grub_tsc_calibrate_from_pmtimer (void) - - fadt = grub_acpi_find_fadt (); - if (!fadt) -- return 0; -+ { -+ grub_dprintf ("pmtimer", "No FADT found; not using pmtimer.\n"); -+ return 0; -+ } - pmtimer = fadt->pmtimer; - if (!pmtimer) -- return 0; -+ { -+ grub_dprintf ("pmtimer", "FADT does not specify pmtimer; skipping.\n"); -+ return 0; -+ } - -- /* It's 3.579545 MHz clock. Wait 1 ms. */ -+ /* -+ * It's 3.579545 MHz clock. Wait 1 ms. -+ */ - tsc_diff = grub_pmtimer_wait_count_tsc (pmtimer, 3580); - if (tsc_diff == 0) - return 0; diff --git a/SPECS/grub2/0104-Rework-how-the-fdt-command-builds.patch b/SPECS/grub2/0104-Rework-how-the-fdt-command-builds.patch deleted file mode 100644 index 71328da15df..00000000000 --- a/SPECS/grub2/0104-Rework-how-the-fdt-command-builds.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 11 Jul 2019 13:01:41 +0200 -Subject: [PATCH] Rework how the fdt command builds. - -Trying to avoid all variants of: -cat syminfo.lst | sort | gawk -f ../../grub-core/genmoddep.awk > moddep.lst || (rm -f moddep.lst; exit 1) -grub_fdt_install in linux is not defined -grub_fdt_load in linux is not defined -grub_fdt_unload in linux is not defined -grub_fdt_install in xen_boot is not defined -grub_fdt_load in xen_boot is not defined -grub_fdt_unload in xen_boot is not defined - -Signed-off-by: Peter Jones ---- - grub-core/Makefile.core.def | 5 ++--- - grub-core/lib/fdt.c | 2 -- - grub-core/loader/efi/fdt.c | 2 ++ - include/grub/fdt.h | 4 ++++ - grub-core/Makefile.am | 1 + - 5 files changed, 9 insertions(+), 5 deletions(-) - -diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def -index c40170f2dd2..84a3d89de9a 100644 ---- a/grub-core/Makefile.core.def -+++ b/grub-core/Makefile.core.def -@@ -177,7 +177,6 @@ kernel = { - arm_coreboot = kern/arm/coreboot/init.c; - arm_coreboot = kern/arm/coreboot/timer.c; - arm_coreboot = kern/arm/coreboot/coreboot.S; -- arm_coreboot = lib/fdt.c; - arm_coreboot = bus/fdt.c; - arm_coreboot = term/ps2.c; - arm_coreboot = term/arm/pl050.c; -@@ -351,6 +350,8 @@ kernel = { - riscv64 = kern/riscv/cache_flush.S; - riscv64 = kern/riscv/dl.c; - -+ fdt = lib/fdt.c; -+ - emu = disk/host.c; - emu = kern/emu/cache_s.S; - emu = kern/emu/hostdisk.c; -@@ -1825,7 +1826,6 @@ module = { - riscv32 = loader/riscv/linux.c; - riscv64 = loader/riscv/linux.c; - emu = loader/emu/linux.c; -- fdt = lib/fdt.c; - - common = loader/linux.c; - common = lib/cmdline.c; -@@ -1836,7 +1836,6 @@ module = { - module = { - name = fdt; - efi = loader/efi/fdt.c; -- common = lib/fdt.c; - enable = fdt; - }; - -diff --git a/grub-core/lib/fdt.c b/grub-core/lib/fdt.c -index 0d371c5633e..37e04bd69e7 100644 ---- a/grub-core/lib/fdt.c -+++ 
b/grub-core/lib/fdt.c -@@ -21,8 +21,6 @@ - #include - #include - --GRUB_MOD_LICENSE ("GPLv3+"); -- - #define FDT_SUPPORTED_VERSION 17 - - #define FDT_BEGIN_NODE 0x00000001 -diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c -index c86f283d756..c572415d38a 100644 ---- a/grub-core/loader/efi/fdt.c -+++ b/grub-core/loader/efi/fdt.c -@@ -27,6 +27,8 @@ - #include - #include - -+GRUB_MOD_LICENSE ("GPLv3+"); -+ - static void *loaded_fdt; - static void *fdt; - -diff --git a/include/grub/fdt.h b/include/grub/fdt.h -index e609c7e4111..22b7c5463fc 100644 ---- a/include/grub/fdt.h -+++ b/include/grub/fdt.h -@@ -19,6 +19,8 @@ - #ifndef GRUB_FDT_HEADER - #define GRUB_FDT_HEADER 1 - -+#if defined(__arm__) || defined(__aarch64__) -+ - #include - #include - -@@ -144,4 +146,6 @@ int EXPORT_FUNC(grub_fdt_set_prop) (void *fdt, unsigned int nodeoffset, const ch - grub_fdt_set_prop ((fdt), (nodeoffset), "reg", reg_64, 16); \ - }) - -+#endif /* defined(__arm__) || defined(__aarch64__) */ -+ - #endif /* ! GRUB_FDT_HEADER */ -diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am -index f512573c0da..dd49939aaa9 100644 ---- a/grub-core/Makefile.am -+++ b/grub-core/Makefile.am -@@ -76,6 +76,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h - KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h - KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h - KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h -+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fdt.h - KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/file.h - KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h - KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h diff --git a/SPECS/grub2/0112-Try-to-pick-better-locations-for-kernel-and-initrd.patch b/SPECS/grub2/0112-Try-to-pick-better-locations-for-kernel-and-initrd.patch deleted file mode 100644 index 0bceecb62eb..00000000000 --- a/SPECS/grub2/0112-Try-to-pick-better-locations-for-kernel-and-initrd.patch +++ /dev/null 
@@ -1,196 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 11 Jul 2019 17:17:02 +0200 -Subject: [PATCH] Try to pick better locations for kernel and initrd - -- Don't limit allocations on 64-bit platforms to < 0x[37f]fffffff if - we're using the "large" code model ; use __UINTPTR_MAX__. -- Get the comparison right to check the address we've allocated. -- Fix the allocation for the command line as well. - -*But*, when we did this some systems started failing badly; coudln't -parse partition tables, etc. What's going on here is the disk controller -is silently failing DMAs to addresses above 4GB, so we're trying to parse -uninitialized (or HW zeroed) ram when looking for the partition table, -etc. - -So to limit this, we make grub_malloc() pick addresses below 4GB on -x86_64, but the direct EFI page allocation functions can get addresses -above that. - -Additionally, we now try to locate kernel+initrd+cmdline+etc below -0x7fffffff, and if they're too big to fit any memory window there, then -we try a higher address. 
- -Signed-off-by: Peter Jones ---- - grub-core/kern/efi/mm.c | 8 ++++---- - grub-core/loader/i386/efi/linux.c | 24 +++++++++++++++++------- - include/grub/arm/efi/memory.h | 1 + - include/grub/arm64/efi/memory.h | 1 + - include/grub/i386/efi/memory.h | 1 + - include/grub/ia64/efi/memory.h | 1 + - include/grub/x86_64/efi/memory.h | 4 +++- - 7 files changed, 28 insertions(+), 12 deletions(-) - -diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c -index e6abc923db2..83d7644222e 100644 ---- a/grub-core/kern/efi/mm.c -+++ b/grub-core/kern/efi/mm.c -@@ -122,7 +122,7 @@ grub_efi_allocate_pages_max (grub_efi_physical_address_t max, - grub_efi_boot_services_t *b; - grub_efi_physical_address_t address = max; - -- if (max > 0xffffffff) -+ if (max > GRUB_EFI_MAX_USABLE_ADDRESS) - return 0; - - b = grub_efi_system_table->boot_services; -@@ -476,7 +476,7 @@ filter_memory_map (grub_efi_memory_descriptor_t *memory_map, - { - if (desc->type == GRUB_EFI_CONVENTIONAL_MEMORY - #if 1 -- && desc->physical_start <= GRUB_EFI_MAX_USABLE_ADDRESS -+ && desc->physical_start <= GRUB_EFI_MAX_ALLOCATION_ADDRESS - #endif - && desc->physical_start + PAGES_TO_BYTES (desc->num_pages) > 0x100000 - && desc->num_pages != 0) -@@ -494,9 +494,9 @@ filter_memory_map (grub_efi_memory_descriptor_t *memory_map, - #if 1 - if (BYTES_TO_PAGES (filtered_desc->physical_start) - + filtered_desc->num_pages -- > BYTES_TO_PAGES_DOWN (GRUB_EFI_MAX_USABLE_ADDRESS)) -+ > BYTES_TO_PAGES_DOWN (GRUB_EFI_MAX_ALLOCATION_ADDRESS)) - filtered_desc->num_pages -- = (BYTES_TO_PAGES_DOWN (GRUB_EFI_MAX_USABLE_ADDRESS) -+ = (BYTES_TO_PAGES_DOWN (GRUB_EFI_MAX_ALLOCATION_ADDRESS) - - BYTES_TO_PAGES (filtered_desc->physical_start)); - #endif - -diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c -index 3017d0f3e52..33e981e76e7 100644 ---- a/grub-core/loader/i386/efi/linux.c -+++ b/grub-core/loader/i386/efi/linux.c -@@ -27,6 +27,7 @@ - #include - #include - #include -+#include - - 
GRUB_MOD_LICENSE ("GPLv3+"); - -@@ -106,7 +107,9 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), - size += ALIGN_UP (grub_file_size (files[i]), 4); - } - -- initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size)); -+ initrd_mem = grub_efi_allocate_pages_max (GRUB_EFI_MAX_ALLOCATION_ADDRESS, BYTES_TO_PAGES(size)); -+ if (!initrd_mem) -+ initrd_mem = grub_efi_allocate_pages_max (GRUB_EFI_MAX_USABLE_ADDRESS, BYTES_TO_PAGES(size)); - if (!initrd_mem) - { - grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate initrd")); -@@ -202,8 +205,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - goto fail; - } - -- params = grub_efi_allocate_pages_max (0x3fffffff, -+ params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_ALLOCATION_ADDRESS, - BYTES_TO_PAGES(sizeof(*params))); -+ if (!params) -+ params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_USABLE_ADDRESS, -+ BYTES_TO_PAGES(sizeof(*params))); - if (! params) - { - grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters"); -@@ -273,8 +279,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - #endif - - grub_dprintf ("linux", "setting up cmdline\n"); -- linux_cmdline = grub_efi_allocate_pages_max(0x3fffffff, -- BYTES_TO_PAGES(lh->cmdline_size + 1)); -+ linux_cmdline = grub_efi_allocate_pages_max(GRUB_EFI_MAX_ALLOCATION_ADDRESS, -+ BYTES_TO_PAGES(lh->cmdline_size + 1)); -+ if (!linux_cmdline) -+ linux_cmdline = grub_efi_allocate_pages_max(GRUB_EFI_MAX_USABLE_ADDRESS, -+ BYTES_TO_PAGES(lh->cmdline_size + 1)); - if (!linux_cmdline) - { - grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate cmdline")); -@@ -301,11 +310,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), - - kernel_mem = grub_efi_allocate_pages_max(lh->pref_address, - BYTES_TO_PAGES(lh->init_size)); -- - if (!kernel_mem) -- kernel_mem = grub_efi_allocate_pages_max(0x3fffffff, -+ kernel_mem = grub_efi_allocate_pages_max(GRUB_EFI_MAX_ALLOCATION_ADDRESS, -+ 
BYTES_TO_PAGES(lh->init_size)); -+ if (!kernel_mem) -+ kernel_mem = grub_efi_allocate_pages_max(GRUB_EFI_MAX_USABLE_ADDRESS, - BYTES_TO_PAGES(lh->init_size)); -- - if (!kernel_mem) - { - grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate kernel")); -diff --git a/include/grub/arm/efi/memory.h b/include/grub/arm/efi/memory.h -index 2c64918e3f7..a4c2ec83502 100644 ---- a/include/grub/arm/efi/memory.h -+++ b/include/grub/arm/efi/memory.h -@@ -2,5 +2,6 @@ - #include - - #define GRUB_EFI_MAX_USABLE_ADDRESS 0xffffffff -+#define GRUB_EFI_MAX_ALLOCATION_ADDRESS GRUB_EFI_MAX_USABLE_ADDRESS - - #endif /* ! GRUB_MEMORY_CPU_HEADER */ -diff --git a/include/grub/arm64/efi/memory.h b/include/grub/arm64/efi/memory.h -index c6cb3241714..acb61dca44b 100644 ---- a/include/grub/arm64/efi/memory.h -+++ b/include/grub/arm64/efi/memory.h -@@ -2,5 +2,6 @@ - #include - - #define GRUB_EFI_MAX_USABLE_ADDRESS 0xffffffffffffULL -+#define GRUB_EFI_MAX_ALLOCATION_ADDRESS GRUB_EFI_MAX_USABLE_ADDRESS - - #endif /* ! GRUB_MEMORY_CPU_HEADER */ -diff --git a/include/grub/i386/efi/memory.h b/include/grub/i386/efi/memory.h -index 2c64918e3f7..a4c2ec83502 100644 ---- a/include/grub/i386/efi/memory.h -+++ b/include/grub/i386/efi/memory.h -@@ -2,5 +2,6 @@ - #include - - #define GRUB_EFI_MAX_USABLE_ADDRESS 0xffffffff -+#define GRUB_EFI_MAX_ALLOCATION_ADDRESS GRUB_EFI_MAX_USABLE_ADDRESS - - #endif /* ! GRUB_MEMORY_CPU_HEADER */ -diff --git a/include/grub/ia64/efi/memory.h b/include/grub/ia64/efi/memory.h -index 2c64918e3f7..a4c2ec83502 100644 ---- a/include/grub/ia64/efi/memory.h -+++ b/include/grub/ia64/efi/memory.h -@@ -2,5 +2,6 @@ - #include - - #define GRUB_EFI_MAX_USABLE_ADDRESS 0xffffffff -+#define GRUB_EFI_MAX_ALLOCATION_ADDRESS GRUB_EFI_MAX_USABLE_ADDRESS - - #endif /* ! 
GRUB_MEMORY_CPU_HEADER */ -diff --git a/include/grub/x86_64/efi/memory.h b/include/grub/x86_64/efi/memory.h -index 46e9145a308..e81cfb32213 100644 ---- a/include/grub/x86_64/efi/memory.h -+++ b/include/grub/x86_64/efi/memory.h -@@ -2,9 +2,11 @@ - #include - - #if defined (__code_model_large__) --#define GRUB_EFI_MAX_USABLE_ADDRESS 0xffffffff -+#define GRUB_EFI_MAX_USABLE_ADDRESS __UINTPTR_MAX__ -+#define GRUB_EFI_MAX_ALLOCATION_ADDRESS 0x7fffffff - #else - #define GRUB_EFI_MAX_USABLE_ADDRESS 0x7fffffff -+#define GRUB_EFI_MAX_ALLOCATION_ADDRESS GRUB_EFI_MAX_USABLE_ADDRESS - #endif - - #endif /* ! GRUB_MEMORY_CPU_HEADER */ diff --git a/SPECS/grub2/0115-x86-efi-Use-bounce-buffers-for-reading-to-addresses-.patch b/SPECS/grub2/0115-x86-efi-Use-bounce-buffers-for-reading-to-addresses-.patch deleted file mode 100644 index fdd3096520f..00000000000 --- a/SPECS/grub2/0115-x86-efi-Use-bounce-buffers-for-reading-to-addresses-.patch +++ /dev/null 
@@ -1,101 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Fri, 12 Jul 2019 09:53:32 +0200
-Subject: [PATCH] x86-efi: Use bounce buffers for reading to addresses > 4GB
-
-Lots of machines apparently can't DMA correctly above 4GB during UEFI,
-so use bounce buffers for the initramfs read.
-
-Signed-off-by: Peter Jones
----
- grub-core/loader/i386/efi/linux.c | 52 +++++++++++++++++++++++++++++++++------
- 1 file changed, 45 insertions(+), 7 deletions(-)
-
-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
-index 33e981e76e7..2f0336809e7 100644
---- a/grub-core/loader/i386/efi/linux.c
-+++ b/grub-core/loader/i386/efi/linux.c
-@@ -35,11 +35,16 @@ static grub_dl_t my_mod;
- static int loaded;
- static void *kernel_mem;
- static grub_uint64_t kernel_size;
--static grub_uint8_t *initrd_mem;
-+static void *initrd_mem;
- static grub_uint32_t handover_offset;
- struct linux_kernel_params *params;
- static char *linux_cmdline;
-
-+#define MIN(a, b) \
-+ ({ typeof (a) _a = (a); \
-+ typeof (b) _b = (b); \
-+ _a < _b ? _a : _b; })
-+
- #define BYTES_TO_PAGES(bytes) (((bytes) + 0xfff) >> 12)
-
- static grub_err_t
-@@ -73,6 +78,44 @@ grub_linuxefi_unload (void)
- return GRUB_ERR_NONE;
- }
-
-+#define BOUNCE_BUFFER_MAX 0x10000000ull
-+
-+static grub_ssize_t
-+read(grub_file_t file, grub_uint8_t *bufp, grub_size_t len)
-+{
-+ grub_ssize_t bufpos = 0;
-+ static grub_size_t bbufsz = 0;
-+ static char *bbuf = NULL;
-+
-+ if (bbufsz == 0)
-+ bbufsz = MIN(BOUNCE_BUFFER_MAX, len);
-+
-+ while (!bbuf && bbufsz)
-+ {
-+ bbuf = grub_malloc(bbufsz);
-+ if (!bbuf)
-+ bbufsz >>= 1;
-+ }
-+ if (!bbuf)
-+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate bounce buffer"));
-+
-+ while (bufpos < (long long)len)
-+ {
-+ grub_ssize_t sz;
-+
-+ sz = grub_file_read (file, bbuf, MIN(bbufsz, len - bufpos));
-+ if (sz < 0)
-+ return sz;
-+ if (sz == 0)
-+ break;
-+
-+ grub_memcpy(bufp + bufpos, bbuf, sz);
-+ bufpos += sz;
-+ }
-+
-+ return bufpos;
-+}
-+
- static grub_err_t
- grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- int argc, char *argv[])
-@@ -126,7 +169,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- for (i = 0; i < nfiles; i++)
- {
- grub_ssize_t cursize = grub_file_size (files[i]);
-- if (grub_file_read (files[i], ptr, cursize) != cursize)
-+ if (read (files[i], ptr, cursize) != cursize)
- {
- if (!grub_errno)
- grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
-@@ -152,11 +195,6 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- return grub_errno;
- }
-
--#define MIN(a, b) \
-- ({ typeof (a) _a = (a); \
-- typeof (b) _b = (b); \
-- _a < _b ? _a : _b; })
--
- static grub_err_t
- grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- int argc, char *argv[])
diff --git a/SPECS/grub2/0116-x86-efi-Re-arrange-grub_cmd_linux-a-little-bit.patch b/SPECS/grub2/0116-x86-efi-Re-arrange-grub_cmd_linux-a-little-bit.patch
deleted file mode 100644
index f8284ec28a8..00000000000
--- a/SPECS/grub2/0116-x86-efi-Re-arrange-grub_cmd_linux-a-little-bit.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Thu, 13 Sep 2018 14:42:34 -0400
-Subject: [PATCH] x86-efi: Re-arrange grub_cmd_linux() a little bit.
-
-This just helps the next patch be easier to read.
-
-Signed-off-by: Peter Jones
----
- grub-core/loader/i386/efi/linux.c | 75 +++++++++++++++++++++------------------
- 1 file changed, 41 insertions(+), 34 deletions(-)
-
-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
-index 2f0336809e7..5f48fa55619 100644
---- a/grub-core/loader/i386/efi/linux.c
-+++ b/grub-core/loader/i386/efi/linux.c
-@@ -243,32 +243,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- goto fail;
- }
-
-- params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_ALLOCATION_ADDRESS,
-- BYTES_TO_PAGES(sizeof(*params)));
-- if (!params)
-- params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_USABLE_ADDRESS,
-- BYTES_TO_PAGES(sizeof(*params)));
-- if (! params)
-- {
-- grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters");
-- goto fail;
-- }
-+ lh = (struct linux_i386_kernel_header *)kernel;
-+ grub_dprintf ("linux", "original lh is at %p\n", kernel);
-
-- grub_dprintf ("linux", "params = %p\n", params);
--
-- grub_memset (params, 0, sizeof(*params));
--
-- setup_header_end_offset = *((grub_uint8_t *)kernel + 0x201);
-- grub_dprintf ("linux", "copying %lu bytes from %p to %p\n",
-- MIN((grub_size_t)0x202+setup_header_end_offset,
-- sizeof (*params)) - 0x1f1,
-- (grub_uint8_t *)kernel + 0x1f1,
-- (grub_uint8_t *)params + 0x1f1);
-- grub_memcpy ((grub_uint8_t *)params + 0x1f1,
-- (grub_uint8_t *)kernel + 0x1f1,
-- MIN((grub_size_t)0x202+setup_header_end_offset,sizeof (*params)) - 0x1f1);
-- lh = (struct linux_i386_kernel_header *)params;
-- grub_dprintf ("linux", "lh is at %p\n", lh);
- grub_dprintf ("linux", "checking lh->boot_flag\n");
- if (lh->boot_flag != grub_cpu_to_le16 (0xaa55))
- {
-@@ -316,6 +293,34 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- }
- #endif
-
-+ params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_ALLOCATION_ADDRESS,
-+ BYTES_TO_PAGES(sizeof(*params)));
-+ if (!params)
-+ params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_USABLE_ADDRESS,
-+ BYTES_TO_PAGES(sizeof(*params)));
-+ if (! params)
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters");
-+ goto fail;
-+ }
-+
-+ grub_dprintf ("linux", "params = %p\n", params);
-+
-+ grub_memset (params, 0, sizeof(*params));
-+
-+ setup_header_end_offset = *((grub_uint8_t *)kernel + 0x201);
-+ grub_dprintf ("linux", "copying %lu bytes from %p to %p\n",
-+ MIN((grub_size_t)0x202+setup_header_end_offset,
-+ sizeof (*params)) - 0x1f1,
-+ (grub_uint8_t *)kernel + 0x1f1,
-+ (grub_uint8_t *)params + 0x1f1);
-+ grub_memcpy ((grub_uint8_t *)params + 0x1f1,
-+ (grub_uint8_t *)kernel + 0x1f1,
-+ MIN((grub_size_t)0x202+setup_header_end_offset,sizeof (*params)) - 0x1f1);
-+
-+ lh = (struct linux_i386_kernel_header *)params;
-+ grub_dprintf ("linux", "new lh is at %p\n", lh);
-+
- grub_dprintf ("linux", "setting up cmdline\n");
- linux_cmdline = grub_efi_allocate_pages_max(GRUB_EFI_MAX_ALLOCATION_ADDRESS,
- BYTES_TO_PAGES(lh->cmdline_size + 1));
-@@ -341,8 +346,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- grub_dprintf ("linux", "setting lh->cmd_line_ptr\n");
- lh->cmd_line_ptr = (grub_uint32_t)(grub_addr_t)linux_cmdline;
-
-- grub_dprintf ("linux", "computing handover offset\n");
- handover_offset = lh->handover_offset;
-+ grub_dprintf("linux", "handover_offset: %08x\n", handover_offset);
-
- start = (lh->setup_sects + 1) * 512;
-
-@@ -359,26 +364,28 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate kernel"));
- goto fail;
- }
--
-- grub_dprintf ("linux", "kernel_mem = %lx\n", (unsigned long) kernel_mem);
-+ grub_dprintf("linux", "kernel_mem = %p\n", kernel_mem);
-
- grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0);
-- loaded=1;
-+
-+ loaded = 1;
-+
- grub_dprintf ("linux", "setting lh->code32_start to %p\n", kernel_mem);
- lh->code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
-
- grub_memcpy (kernel_mem, (char *)kernel + start, filelen - start);
-
-- grub_dprintf ("linux", "setting lh->type_of_loader\n");
- lh->type_of_loader = 0x6;
-+ grub_dprintf ("linux", "setting lh->type_of_loader = 0x%02x\n",
-+ lh->type_of_loader);
-
-- grub_dprintf ("linux", "setting lh->ext_loader_{type,ver}\n");
- params->ext_loader_type = 0;
- params->ext_loader_ver = 2;
-- grub_dprintf("linux", "kernel_mem: %p handover_offset: %08x\n",
-- kernel_mem, handover_offset);
-+ grub_dprintf ("linux",
-+ "setting lh->ext_loader_{type,ver} = {0x%02x,0x%02x}\n",
-+ params->ext_loader_type, params->ext_loader_ver);
-
-- fail:
-+fail:
- if (file)
- grub_file_close (file);
-
diff --git a/SPECS/grub2/0117-x86-efi-Make-our-own-allocator-for-kernel-stuff.patch b/SPECS/grub2/0117-x86-efi-Make-our-own-allocator-for-kernel-stuff.patch
deleted file mode 100644
index 4ad0696be43..00000000000
--- a/SPECS/grub2/0117-x86-efi-Make-our-own-allocator-for-kernel-stuff.patch
+++ /dev/null
@@ -1,258 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 12 Sep 2018 16:03:55 -0400
-Subject: [PATCH] x86-efi: Make our own allocator for kernel stuff
-
-This helps enable allocations above 4GB.
-
-Signed-off-by: Peter Jones
----
- grub-core/loader/i386/efi/linux.c | 167 +++++++++++++++++++++-----------------
- 1 file changed, 94 insertions(+), 73 deletions(-)
-
-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
-index 5f48fa55619..3e4f7ef39f4 100644
---- a/grub-core/loader/i386/efi/linux.c
-+++ b/grub-core/loader/i386/efi/linux.c
-@@ -47,6 +47,65 @@ static char *linux_cmdline;
-
- #define BYTES_TO_PAGES(bytes) (((bytes) + 0xfff) >> 12)
-
-+struct allocation_choice {
-+ grub_efi_physical_address_t addr;
-+ grub_efi_allocate_type_t alloc_type;
-+};
-+
-+static struct allocation_choice max_addresses[] =
-+ {
-+ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
-+ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
-+ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
-+ { 0, 0 }
-+ };
-+
-+static inline void
-+kernel_free(void *addr, grub_efi_uintn_t size)
-+{
-+ if (addr && size)
-+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)addr,
-+ BYTES_TO_PAGES(size));
-+}
-+
-+static void *
-+kernel_alloc(grub_efi_uintn_t size, const char * const errmsg)
-+{
-+ void *addr = 0;
-+ unsigned int i;
-+ grub_efi_physical_address_t prev_max = 0;
-+
-+ for (i = 0; max_addresses[i].addr != 0 && addr == 0; i++)
-+ {
-+ grub_uint64_t max = max_addresses[i].addr;
-+ grub_efi_uintn_t pages;
-+
-+ if (max == prev_max)
-+ continue;
-+
-+ pages = BYTES_TO_PAGES(size);
-+ grub_dprintf ("linux", "Trying to allocate %lu pages from %p\n",
-+ pages, (void *)max);
-+
-+ prev_max = max;
-+ addr = grub_efi_allocate_pages_real (max, pages,
-+ max_addresses[i].alloc_type,
-+ GRUB_EFI_LOADER_DATA);
-+ if (addr)
-+ grub_dprintf ("linux", "Allocated at %p\n", addr);
-+ }
-+
-+ while (grub_error_pop ())
-+ {
-+ ;
-+ }
-+
-+ if (addr == NULL)
-+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "%s", errmsg);
-+
-+ return addr;
-+}
-+
- static grub_err_t
- grub_linuxefi_boot (void)
- {
-@@ -62,19 +121,12 @@ grub_linuxefi_unload (void)
- {
- grub_dl_unref (my_mod);
- loaded = 0;
-- if (initrd_mem)
-- grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)initrd_mem,
-- BYTES_TO_PAGES(params->ramdisk_size));
-- if (linux_cmdline)
-- grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)
-- linux_cmdline,
-- BYTES_TO_PAGES(params->cmdline_size + 1));
-- if (kernel_mem)
-- grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)kernel_mem,
-- BYTES_TO_PAGES(kernel_size));
-- if (params)
-- grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)params,
-- BYTES_TO_PAGES(16384));
-+
-+ kernel_free(initrd_mem, params->ramdisk_size);
-+ kernel_free(linux_cmdline, params->cmdline_size + 1);
-+ kernel_free(kernel_mem, kernel_size);
-+ kernel_free(params, sizeof(*params));
-+
- return GRUB_ERR_NONE;
- }
-
-@@ -150,19 +202,13 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- size += ALIGN_UP (grub_file_size (files[i]), 4);
- }
-
-- initrd_mem = grub_efi_allocate_pages_max (GRUB_EFI_MAX_ALLOCATION_ADDRESS, BYTES_TO_PAGES(size));
-- if (!initrd_mem)
-- initrd_mem = grub_efi_allocate_pages_max (GRUB_EFI_MAX_USABLE_ADDRESS, BYTES_TO_PAGES(size));
-- if (!initrd_mem)
-- {
-- grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate initrd"));
-- goto fail;
-- }
--
-- grub_dprintf ("linux", "initrd_mem = %lx\n", (unsigned long) initrd_mem);
-+ initrd_mem = kernel_alloc(size, N_("can't allocate initrd"));
-+ if (initrd_mem == NULL)
-+ goto fail;
-+ grub_dprintf ("linux", "initrd_mem = %p\n", initrd_mem);
-
- params->ramdisk_size = size;
-- params->ramdisk_image = (grub_uint32_t)(grub_addr_t) initrd_mem;
-+ params->ramdisk_image = initrd_mem;
-
- ptr = initrd_mem;
-
-@@ -221,7 +267,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- filelen = grub_file_size (file);
-
- kernel = grub_malloc(filelen);
--
- if (!kernel)
- {
- grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer"));
-@@ -274,7 +319,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- goto fail;
- }
-
--#if defined(__x86_64__) || defined(__aarch64__)
-+#if defined(__x86_64__)
- grub_dprintf ("linux", "checking lh->xloadflags\n");
- if (!(lh->xloadflags & LINUX_XLF_KERNEL_64))
- {
-@@ -293,17 +338,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- }
- #endif
-
-- params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_ALLOCATION_ADDRESS,
-- BYTES_TO_PAGES(sizeof(*params)));
-+ params = kernel_alloc (sizeof(*params), "cannot allocate kernel parameters");
- if (!params)
-- params = grub_efi_allocate_pages_max (GRUB_EFI_MAX_USABLE_ADDRESS,
-- BYTES_TO_PAGES(sizeof(*params)));
-- if (! params)
-- {
-- grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters");
-- goto fail;
-- }
--
-+ goto fail;
- grub_dprintf ("linux", "params = %p\n", params);
-
- grub_memset (params, 0, sizeof(*params));
-@@ -322,19 +359,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- grub_dprintf ("linux", "new lh is at %p\n", lh);
-
- grub_dprintf ("linux", "setting up cmdline\n");
-- linux_cmdline = grub_efi_allocate_pages_max(GRUB_EFI_MAX_ALLOCATION_ADDRESS,
-- BYTES_TO_PAGES(lh->cmdline_size + 1));
-+ linux_cmdline = kernel_alloc (lh->cmdline_size + 1, N_("can't allocate cmdline"));
- if (!linux_cmdline)
-- linux_cmdline = grub_efi_allocate_pages_max(GRUB_EFI_MAX_USABLE_ADDRESS,
-- BYTES_TO_PAGES(lh->cmdline_size + 1));
-- if (!linux_cmdline)
-- {
-- grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate cmdline"));
-- goto fail;
-- }
--
-- grub_dprintf ("linux", "linux_cmdline = %lx\n",
-- (unsigned long)linux_cmdline);
-+ goto fail;
-+ grub_dprintf ("linux", "linux_cmdline = %p\n", linux_cmdline);
-
- grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));
- grub_create_loader_cmdline (argc, argv,
-@@ -343,27 +371,24 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- GRUB_VERIFY_KERNEL_CMDLINE);
-
- grub_dprintf ("linux", "cmdline:%s\n", linux_cmdline);
-- grub_dprintf ("linux", "setting lh->cmd_line_ptr\n");
-- lh->cmd_line_ptr = (grub_uint32_t)(grub_addr_t)linux_cmdline;
-+ grub_dprintf ("linux", "setting lh->cmd_line_ptr to 0x%08x\n",
-+ linux_cmdline);
-+ lh->cmd_line_ptr = linux_cmdline;
-
- handover_offset = lh->handover_offset;
-- grub_dprintf("linux", "handover_offset: %08x\n", handover_offset);
-+ grub_dprintf("linux", "handover_offset: 0x%08x\n", handover_offset);
-
- start = (lh->setup_sects + 1) * 512;
-
-- kernel_mem = grub_efi_allocate_pages_max(lh->pref_address,
-- BYTES_TO_PAGES(lh->init_size));
-- if (!kernel_mem)
-- kernel_mem = grub_efi_allocate_pages_max(GRUB_EFI_MAX_ALLOCATION_ADDRESS,
-- BYTES_TO_PAGES(lh->init_size));
-- if (!kernel_mem)
-- kernel_mem = grub_efi_allocate_pages_max(GRUB_EFI_MAX_USABLE_ADDRESS,
-- BYTES_TO_PAGES(lh->init_size));
-- if (!kernel_mem)
-+ grub_dprintf ("linux", "lh->pref_address: %p\n", (void *)(grub_addr_t)lh->pref_address);
-+ if (lh->pref_address < (grub_uint64_t)GRUB_EFI_MAX_ALLOCATION_ADDRESS)
- {
-- grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate kernel"));
-- goto fail;
-+ max_addresses[0].addr = lh->pref_address;
-+ max_addresses[0].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
- }
-+ kernel_mem = kernel_alloc (lh->init_size, N_("can't allocate kernel"));
-+ if (!kernel_mem)
-+ goto fail;
- grub_dprintf("linux", "kernel_mem = %p\n", kernel_mem);
-
- grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0);
-@@ -398,18 +423,14 @@ fail:
- loaded = 0;
- }
-
-- if (linux_cmdline && lh && !loaded)
-- grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)
-- linux_cmdline,
-- BYTES_TO_PAGES(lh->cmdline_size + 1));
-+ if (!loaded)
-+ {
-+ if (lh)
-+ kernel_free (linux_cmdline, lh->cmdline_size + 1);
-
-- if (kernel_mem && !loaded)
-- grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)kernel_mem,
-- BYTES_TO_PAGES(kernel_size));
--
-- if (params && !loaded)
-- grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)params,
-- BYTES_TO_PAGES(16384));
-+ kernel_free (kernel_mem, kernel_size);
-+ kernel_free (params, sizeof(*params));
-+ }
-
- return grub_errno;
- }
diff --git a/SPECS/grub2/0118-x86-efi-Allow-initrd-params-cmdline-allocations-abov.patch b/SPECS/grub2/0118-x86-efi-Allow-initrd-params-cmdline-allocations-abov.patch
deleted file mode 100644
index b1233ce3ca2..00000000000
--- a/SPECS/grub2/0118-x86-efi-Allow-initrd-params-cmdline-allocations-abov.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 12 Sep 2018 16:12:27 -0400
-Subject: [PATCH] x86-efi: Allow initrd+params+cmdline allocations above 4GB.
-
-This enables everything except the kernel itself to be above 4GB.
-Putting the kernel up there still doesn't work, because of the way
-params->code32_start is used.
-
-Signed-off-by: Peter Jones
----
- grub-core/loader/i386/efi/linux.c | 67 +++++++++++++++++++++++++++++++++++----
- include/grub/i386/linux.h | 6 +++-
- 2 files changed, 65 insertions(+), 8 deletions(-)
-
-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
-index 3e4f7ef39f4..6bc18d5aef5 100644
---- a/grub-core/loader/i386/efi/linux.c
-+++ b/grub-core/loader/i386/efi/linux.c
-@@ -52,13 +52,22 @@ struct allocation_choice {
- grub_efi_allocate_type_t alloc_type;
- };
-
--static struct allocation_choice max_addresses[] =
-+static struct allocation_choice max_addresses[4] =
- {
-+ /* the kernel overrides this one with pref_address and
-+ * GRUB_EFI_ALLOCATE_ADDRESS */
- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
-+ /* this one is always below 4GB, which we still *prefer* even if the flag
-+ * is set. */
- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
-+ /* If the flag in params is set, this one gets changed to be above 4GB. */
- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS },
- { 0, 0 }
- };
-+static struct allocation_choice saved_addresses[4];
-+
-+#define save_addresses() grub_memcpy(saved_addresses, max_addresses, sizeof(max_addresses))
-+#define restore_addresses() grub_memcpy(max_addresses, saved_addresses, sizeof(max_addresses))
-
- static inline void
- kernel_free(void *addr, grub_efi_uintn_t size)
-@@ -80,6 +89,11 @@ kernel_alloc(grub_efi_uintn_t size, const char * const errmsg)
- grub_uint64_t max = max_addresses[i].addr;
- grub_efi_uintn_t pages;
-
-+ /*
-+ * When we're *not* loading the kernel, or >4GB allocations aren't
-+ * supported, these entries are basically all the same, so don't re-try
-+ * the same parameters.
-+ */
- if (max == prev_max)
- continue;
-
-@@ -168,6 +182,9 @@ read(grub_file_t file, grub_uint8_t *bufp, grub_size_t len)
- return bufpos;
- }
-
-+#define LOW_U32(val) ((grub_uint32_t)(((grub_addr_t)(val)) & 0xffffffffull))
-+#define HIGH_U32(val) ((grub_uint32_t)(((grub_addr_t)(val) >> 32) & 0xffffffffull))
-+
- static grub_err_t
- grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- int argc, char *argv[])
-@@ -207,8 +224,12 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- goto fail;
- grub_dprintf ("linux", "initrd_mem = %p\n", initrd_mem);
-
-- params->ramdisk_size = size;
-- params->ramdisk_image = initrd_mem;
-+ params->ramdisk_size = LOW_U32(size);
-+ params->ramdisk_image = LOW_U32(initrd_mem);
-+#if defined(__x86_64__)
-+ params->ext_ramdisk_size = HIGH_U32(size);
-+ params->ext_ramdisk_image = HIGH_U32(initrd_mem);
-+#endif
-
- ptr = initrd_mem;
-
-@@ -338,6 +359,18 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- }
- #endif
-
-+#if defined(__x86_64__)
-+ if (lh->xloadflags & LINUX_XLF_CAN_BE_LOADED_ABOVE_4G)
-+ {
-+ grub_dprintf ("linux", "Loading kernel above 4GB is supported; enabling.\n");
-+ max_addresses[2].addr = GRUB_EFI_MAX_USABLE_ADDRESS;
-+ }
-+ else
-+ {
-+ grub_dprintf ("linux", "Loading kernel above 4GB is not supported\n");
-+ }
-+#endif
-+
- params = kernel_alloc (sizeof(*params), "cannot allocate kernel parameters");
- if (!params)
- goto fail;
-@@ -372,21 +405,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
-
- grub_dprintf ("linux", "cmdline:%s\n", linux_cmdline);
- grub_dprintf ("linux", "setting lh->cmd_line_ptr to 0x%08x\n",
-- linux_cmdline);
-- lh->cmd_line_ptr = linux_cmdline;
-+ LOW_U32(linux_cmdline));
-+ lh->cmd_line_ptr = LOW_U32(linux_cmdline);
-+#if defined(__x86_64__)
-+ if ((grub_efi_uintn_t)linux_cmdline > 0xffffffffull)
-+ {
-+ grub_dprintf ("linux", "setting params->ext_cmd_line_ptr to 0x%08x\n",
-+ HIGH_U32(linux_cmdline));
-+ params->ext_cmd_line_ptr = HIGH_U32(linux_cmdline);
-+ }
-+#endif
-
- handover_offset = lh->handover_offset;
- grub_dprintf("linux", "handover_offset: 0x%08x\n", handover_offset);
-
- start = (lh->setup_sects + 1) * 512;
-
-+ /*
-+ * AFAICS >4GB for kernel *cannot* work because of params->code32_start being
-+ * 32-bit and getting called unconditionally in head_64.S from either entry
-+ * point.
-+ *
-+ * so nerf that out here...
-+ */
-+ save_addresses();
- grub_dprintf ("linux", "lh->pref_address: %p\n", (void *)(grub_addr_t)lh->pref_address);
- if (lh->pref_address < (grub_uint64_t)GRUB_EFI_MAX_ALLOCATION_ADDRESS)
- {
- max_addresses[0].addr = lh->pref_address;
- max_addresses[0].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS;
- }
-+ max_addresses[1].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
-+ max_addresses[2].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS;
- kernel_mem = kernel_alloc (lh->init_size, N_("can't allocate kernel"));
-+ restore_addresses();
- if (!kernel_mem)
- goto fail;
- grub_dprintf("linux", "kernel_mem = %p\n", kernel_mem);
-@@ -395,8 +447,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
-
- loaded = 1;
-
-- grub_dprintf ("linux", "setting lh->code32_start to %p\n", kernel_mem);
-- lh->code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
-+ grub_dprintf ("linux", "setting lh->code32_start to 0x%08x\n",
-+ LOW_U32(kernel_mem));
-+ lh->code32_start = LOW_U32(kernel_mem);
-
- grub_memcpy (kernel_mem, (char *)kernel + start, filelen - start);
-
-diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h
-index 25ef52c04eb..fac22476cc5 100644
---- a/include/grub/i386/linux.h
-+++ b/include/grub/i386/linux.h
-@@ -236,7 +236,11 @@ struct linux_kernel_params
- grub_uint32_t ofw_cif_handler; /* b8 */
- grub_uint32_t ofw_idt; /* bc */
-
-- grub_uint8_t padding7[0x1b8 - 0xc0];
-+ grub_uint32_t ext_ramdisk_image; /* 0xc0 */
-+ grub_uint32_t ext_ramdisk_size; /* 0xc4 */
-+ grub_uint32_t ext_cmd_line_ptr; /* 0xc8 */
-+
-+ grub_uint8_t padding7[0x1b8 - 0xcc];
-
- union
- {
diff --git a/SPECS/grub2/0148-efi-Set-image-base-address-before-jumping-to-the-PE-.patch b/SPECS/grub2/0148-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
deleted file mode 100644
index 336bcf18b2f..00000000000
--- a/SPECS/grub2/0148-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas
-Date: Thu, 23 Apr 2020 15:06:46 +0200
-Subject: [PATCH] efi: Set image base address before jumping to the PE/COFF
- entry point
-
-Upstream GRUB uses the EFI LoadImage() and StartImage() to boot the Linux
-kernel. But our custom EFI loader that supports Secure Boot instead uses
-the EFI handover protocol (for x86) or jumping directly to the PE/COFF
-entry point (for aarch64).
-
-This is done to allow the bootloader to verify the images using the shim
-lock protocol to avoid booting untrusted binaries.
-
-Since the bootloader loads the kernel from the boot media instead of using
-LoadImage(), it is responsible to set the Loaded Image base address before
-booting the kernel.
-
-Otherwise the kernel EFI stub will complain that it was not set correctly
-and print the following warning message:
-
-EFI stub: ERROR: FIRMWARE BUG: efi_loaded_image_t::image_base has bogus value
-
-Resolves: rhbz#1814690
-
-Signed-off-by: Javier Martinez Canillas
----
- grub-core/loader/efi/linux.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
-index 0622dfa48d4..e8b9ecb17f6 100644
---- a/grub-core/loader/efi/linux.c
-+++ b/grub-core/loader/efi/linux.c
-@@ -72,6 +72,7 @@ grub_err_t
- grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
- void *kernel_params)
- {
-+ grub_efi_loaded_image_t *loaded_image = NULL;
- handover_func hf;
- int offset = 0;
-
-@@ -79,6 +80,19 @@ grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
- offset = 512;
- #endif
-
-+ /*
-+ * Since the EFI loader is not calling the LoadImage() and StartImage()
-+ * services for loading the kernel and booting respectively, it has to
-+ * set the Loaded Image base address.
-+ */
-+ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
-+ if (loaded_image)
-+ loaded_image->image_base = kernel_addr;
-+ else
-+ grub_dprintf ("linux", "Loaded Image base address could not be set\n");
-+
-+ grub_dprintf ("linux", "kernel_addr: %p handover_offset: %p params: %p\n",
-+ kernel_addr, (void *)(grub_efi_uintn_t)handover_offset, kernel_params);
- hf = (handover_func)((char *)kernel_addr + handover_offset + offset);
- hf (grub_efi_image_handle, grub_efi_system_table, kernel_params);
-
diff --git a/SPECS/grub2/0149-tpm-Don-t-propagate-TPM-measurement-errors-to-the-ve.patch b/SPECS/grub2/0149-tpm-Don-t-propagate-TPM-measurement-errors-to-the-ve.patch
deleted file mode 100644
index 747773d1d60..00000000000
--- a/SPECS/grub2/0149-tpm-Don-t-propagate-TPM-measurement-errors-to-the-ve.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas
-Date: Sat, 16 May 2020 11:33:18 +0200
-Subject: [PATCH] tpm: Don't propagate TPM measurement errors to the verifiers
- layer
-
-Currently if the EFI firmware fails to do a TPM measurement for a file,
-the error will be propagated to the verifiers framework and so opening
-the file will not succeed.
-
-This mean that buggy firmwares will prevent the system to boot since the
-loader won't be able to open any file. But failing to do TPM measurements
-shouldn't be a fatal error and the system should still be able to boot.
-
-Signed-off-by: Javier Martinez Canillas
----
- grub-core/commands/tpm.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
-index 2052c36eaba..e287d042e6b 100644
---- a/grub-core/commands/tpm.c
-+++ b/grub-core/commands/tpm.c
-@@ -42,7 +42,8 @@ grub_tpm_verify_init (grub_file_t io,
- static grub_err_t
- grub_tpm_verify_write (void *context, void *buf, grub_size_t size)
- {
-- return grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
-+ grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
-+ return GRUB_ERR_NONE;
- }
-
- static grub_err_t
-@@ -50,7 +51,6 @@ grub_tpm_verify_string (char *str, enum grub_verify_string_type type)
- {
- const char *prefix = NULL;
- char *description;
-- grub_err_t status;
-
- switch (type)
- {
-@@ -66,15 +66,15 @@ grub_tpm_verify_string (char *str, enum grub_verify_string_type type)
- }
- description = grub_malloc (grub_strlen (str) + grub_strlen (prefix) + 1);
- if (!description)
-- return grub_errno;
-+ return GRUB_ERR_NONE;
- grub_memcpy (description, prefix, grub_strlen (prefix));
- grub_memcpy (description + grub_strlen (prefix), str,
- grub_strlen (str) + 1);
-- status =
-- grub_tpm_measure ((unsigned char *) str, grub_strlen (str),
-- GRUB_STRING_PCR, description);
-+
-+ grub_tpm_measure ((unsigned char *) str, grub_strlen (str), GRUB_STRING_PCR,
-+ description);
- grub_free (description);
-- return status;
-+ return GRUB_ERR_NONE;
- }
-
- struct grub_file_verifier grub_tpm_verifier = {
diff --git a/SPECS/grub2/0150-x86-efi-Reduce-maximum-bounce-buffer-size-to-16-MiB.patch b/SPECS/grub2/0150-x86-efi-Reduce-maximum-bounce-buffer-size-to-16-MiB.patch
deleted file mode 100644
index 825d0f7c80a..00000000000
--- a/SPECS/grub2/0150-x86-efi-Reduce-maximum-bounce-buffer-size-to-16-MiB.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas
-Date: Tue, 26 May 2020 16:59:28 +0200
-Subject: [PATCH] x86-efi: Reduce maximum bounce buffer size to 16 MiB
-
-The EFI linux loader allocates a bounce buffer to copy the initrd since in
-some machines doing DMA on addresses above 4GB is not possible during EFI.
-
-But the verifiers framework also allocates a buffer to copy the initrd in
-its grub_file_open() handler. It does this since the data to verify has to
-be passed as a single chunk to modules that use the verifiers framework.
-
-If the initrd image size is big there may not be enough memory in the heap
-to allocate two buffers of that size. This causes an allocation failure in
-the verifiers framework and leads to the initrd not being read.
-
-To prevent these allocation failures, let's reduce the maximum size of the
-bounce buffer used in the EFI loader. Since the data read can be copied to
-the actual initrd address in multilple chunks.
-
-Resolves: rhbz#1838633
-
-Signed-off-by: Javier Martinez Canillas
----
- grub-core/loader/i386/efi/linux.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
-index 6bc18d5aef5..15d40d6e35b 100644
---- a/grub-core/loader/i386/efi/linux.c
-+++ b/grub-core/loader/i386/efi/linux.c
-@@ -144,7 +144,7 @@ grub_linuxefi_unload (void)
- return GRUB_ERR_NONE;
- }
-
--#define BOUNCE_BUFFER_MAX 0x10000000ull
-+#define BOUNCE_BUFFER_MAX 0x1000000ull
-
- static grub_ssize_t
- read(grub_file_t file, grub_uint8_t *bufp, grub_size_t len)
diff --git a/SPECS/grub2/0156-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch b/SPECS/grub2/0156-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
deleted file mode 100644
index 95f7e208dd8..00000000000
--- a/SPECS/grub2/0156-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Colin Watson
-Date: Fri, 24 Jul 2020 17:18:09 +0100
-Subject: [PATCH] efilinux: Fix integer overflows in grub_cmd_initrd
-
-These could be triggered by an extremely large number of arguments to
-the initrd command on 32-bit architectures, or a crafted filesystem with
-very large files on any architecture.
-
-Signed-off-by: Colin Watson
----
- grub-core/loader/i386/efi/linux.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
-index 15d40d6e35b..f992ceeef20 100644
---- a/grub-core/loader/i386/efi/linux.c
-+++ b/grub-core/loader/i386/efi/linux.c
-@@ -28,6 +28,8 @@
- #include
- #include
- #include
-+#include
-+#include
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -206,7 +208,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- goto fail;
- }
-
-- files = grub_zalloc (argc * sizeof (files[0]));
-+ files = grub_calloc (argc, sizeof (files[0]));
- if (!files)
- goto fail;
-
-@@ -216,7 +218,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- if (! files[i])
- goto fail;
- nfiles++;
-- size += ALIGN_UP (grub_file_size (files[i]), 4);
-+ if (grub_add (size, ALIGN_UP (grub_file_size (files[i]), 4), &size))
-+ {
-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+ goto fail;
-+ }
- }
-
- initrd_mem = kernel_alloc(size, N_("can't allocate initrd"));
diff --git a/SPECS/grub2/0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch b/SPECS/grub2/0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch
deleted file mode 100644
index 20fc7869fd9..00000000000
--- a/SPECS/grub2/0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov
-Date: Wed, 22 Jul 2020 11:31:43 +0100
-Subject: [PATCH] linuxefi: fail kernel validation without shim protocol.
-
-If certificates that signed grub are installed into db, grub can be
-booted directly. It will then boot any kernel without signature
-validation. The booted kernel will think it was booted in secureboot
-mode and will implement lockdown, yet it could have been tampered.
-
-This version of the patch skips calling verification, when booted
-without secureboot. And is indented with gnu ident.
-
-CVE-2020-15705
-
-Reported-by: Mathieu Trudel-Lapierre
-Signed-off-by: Dimitri John Ledkov
----
- grub-core/loader/arm64/linux.c | 13 +++++++++----
- grub-core/loader/efi/chainloader.c | 1 +
- grub-core/loader/efi/linux.c | 1 +
- grub-core/loader/i386/efi/linux.c | 17 +++++++++++------
- 4 files changed, 22 insertions(+), 10 deletions(-)
-
-diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
-index 70a0075ec5e..47f8cf0d84b 100644
---- a/grub-core/loader/arm64/linux.c
-+++ b/grub-core/loader/arm64/linux.c
-@@ -34,6 +34,7 @@
- #include
- #include
- #include
-+#include
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -363,11 +364,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
-
- grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
-
-- rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
-- if (rc < 0)
-+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
- {
-- grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
-- goto fail;
-+ rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
-+ if (rc <= 0)
-+ {
-+ grub_error (GRUB_ERR_INVALID_COMMAND,
-+ N_("%s has invalid signature"), argv[0]);
-+ goto fail;
-+ }
- }
-
- pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
-diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
-index ac8dfd40c61..d41e8ea14a8 100644
---- a/grub-core/loader/efi/chainloader.c
-+++ b/grub-core/loader/efi/chainloader.c
-@@ -1084,6 +1084,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
-
- return 0;
- }
-+ // -1 fall-through to fail
-
- fail:
- if (dev)
-diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
-index e8b9ecb17f6..9260731c107 100644
---- a/grub-core/loader/efi/linux.c
-+++ b/grub-core/loader/efi/linux.c
-@@ -33,6 +33,7 @@ struct grub_efi_shim_lock
- };
- typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
-
-+// Returns 1 on success, -1 on error, 0 when not available
- int
- grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
- {
-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
-index f992ceeef20..3cf0f9b330b 100644
---- a/grub-core/loader/i386/efi/linux.c
-+++ b/grub-core/loader/i386/efi/linux.c
-@@ -30,6 +30,7 @@
- #include
- #include
- #include
-+#include
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -101,7 +102,7 @@ kernel_alloc(grub_efi_uintn_t size, const char * const errmsg)
-
- pages = BYTES_TO_PAGES(size);
- grub_dprintf ("linux", "Trying to allocate %lu pages from %p\n",
-- pages, (void *)max);
-+ (unsigned long)pages, (void *)(unsigned long)max);
-
- prev_max = max;
- addr = grub_efi_allocate_pages_real (max, pages,
-@@ -307,12 +308,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- goto fail;
- }
-
-- rc = grub_linuxefi_secure_validate (kernel, filelen);
-- if (rc < 0)
-+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
- {
-- grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"),
-- argv[0]);
-- goto fail;
-+ rc = grub_linuxefi_secure_validate (kernel, filelen);
-+ if (rc <= 0)
-+ {
-+ grub_error (GRUB_ERR_INVALID_COMMAND,
-+ N_("%s has invalid signature"), argv[0]);
-+ goto fail;
-+ }
- }
-
- lh = (struct linux_i386_kernel_header *)kernel;
-@@ -386,6 +390,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
-
- setup_header_end_offset = *((grub_uint8_t *)kernel + 0x201);
- grub_dprintf ("linux", "copying %lu bytes from %p to %p\n",
-+ (unsigned long)
- MIN((grub_size_t)0x202+setup_header_end_offset,
- sizeof (*params)) - 0x1f1,
- (grub_uint8_t *)kernel + 0x1f1,
diff --git a/SPECS/grub2/0166-grub-install-disable-support-for-EFI-platforms.patch b/SPECS/grub2/0166-grub-install-disable-support-for-EFI-platforms.patch
deleted file mode 100644
index e3cf2ecf2ec..00000000000
--- a/SPECS/grub2/0166-grub-install-disable-support-for-EFI-platforms.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jan Hlavac
-Date: Fri, 20 Nov 2020 23:51:47 +0100
-Subject: [PATCH] grub-install: disable support for EFI platforms
-
-For each platform, GRUB is shipped as a kernel image and a set of
-modules. These files are then used by the grub-install utility to
-install GRUB on a specific device. However, in order to support UEFI
-Secure Boot, the resulting EFI binary must be signed by a recognized
-private key. For this reason, for EFI platforms, most distributions also
-ship prebuilt EFI binaries signed by a distribution-specific private
-key. In this case, however, the grub-install utility should not be used
-because it would overwrite the signed EFI binary.
-
-The current fix is suboptimal because it preserves all EFI-related code.
-A better solution could be to modularize the code and provide a
-build-time option.
-
-Resolves: rhbz#1737444
-
-Signed-off-by: Jan Hlavac
----
- util/grub-install.c | 37 ++++++++++++++++---------------------
- docs/grub.texi | 7 +++++++
- util/grub-install.8 | 4 +++-
- 3 files changed, 26 insertions(+), 22 deletions(-)
-
-diff --git a/util/grub-install.c b/util/grub-install.c
-index 1e47491bc21..ffac91c9a24 100644
---- a/util/grub-install.c
-+++ b/util/grub-install.c
-@@ -899,6 +899,22 @@ main (int argc, char *argv[])
-
- platform = grub_install_get_target (grub_install_source_directory);
-
-+ switch (platform)
-+ {
-+ case GRUB_INSTALL_PLATFORM_ARM_EFI:
-+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
-+ case GRUB_INSTALL_PLATFORM_I386_EFI:
-+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
-+ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
-+ is_efi = 1;
-+ grub_util_error (_("this utility cannot be used for EFI platforms"
-+ " because it does not support UEFI Secure Boot"));
-+ break;
-+ default:
-+ is_efi = 0;
-+ break;
-+ }
-+
- {
- char *platname = grub_install_get_platform_name (platform);
- fprintf (stderr, _("Installing for %s platform.\n"), platname);
-@@ -1011,28 +1027,7 @@ main (int argc, char *argv[])
- grub_hostfs_init ();
- grub_host_init ();
-
-- switch (platform)
-- {
-- case GRUB_INSTALL_PLATFORM_I386_EFI:
-- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
-- case GRUB_INSTALL_PLATFORM_ARM_EFI:
-- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
-- case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
-- case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
-- case GRUB_INSTALL_PLATFORM_IA64_EFI:
-- is_efi = 1;
-- break;
-- default:
-- is_efi = 0;
-- break;
--
-- /* pacify warning. */
-- case GRUB_INSTALL_PLATFORM_MAX:
-- break;
-- }
--
- /* Find the EFI System Partition. */
--
- if (is_efi)
- {
- grub_fs_t fs;
-diff --git a/docs/grub.texi b/docs/grub.texi
-index 67bf8523ccb..75b22231f35 100644
---- a/docs/grub.texi
-+++ b/docs/grub.texi
-@@ -6506,6 +6506,13 @@ grub2-install @var{install_device}
- The device name @var{install_device} is an OS device name or a GRUB
- device name.
-
-+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
-+be signed by a recognized private key. For this reason, for EFI
-+platforms, most distributions also ship prebuilt GRUB EFI binaries
-+signed by a distribution-specific private key. In this case, however,
-+@command{grub2-install} should not be used because it would overwrite
-+the signed EFI binary.
-+
- @command{grub2-install} accepts the following options:
-
- @table @option
-diff --git a/util/grub-install.8 b/util/grub-install.8
-index 1db89e94b3b..811d441b16c 100644
---- a/util/grub-install.8
-+++ b/util/grub-install.8
-@@ -1,4 +1,4 @@
--.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
-+.TH GRUB-INSTALL 1 "Fri Nov 20 2020"
- .SH NAME
- \fBgrub-install\fR \(em Install GRUB on a device.
-
-@@ -31,6 +31,8 @@
- .SH DESCRIPTION
- \fBgrub-install\fR installs GRUB onto a device. This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
-
-+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary.
-+
- .SH OPTIONS
- .TP
- \fB--modules\fR=\fIMODULES\fR\!
diff --git a/SPECS/grub2/0167-restore-umask-for-grub-config.patch b/SPECS/grub2/0167-restore-umask-for-grub-config.patch
deleted file mode 100644
index e2a6414ef05..00000000000
--- a/SPECS/grub2/0167-restore-umask-for-grub-config.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
-From: Michael Chang
-Date: Fri, 3 Dec 2021 16:13:28 +0800
-Subject: grub-mkconfig: Restore umask for the grub.cfg
-
-The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
-configuration by grub-mkconfig) has inadvertently discarded umask for
-creating grub.cfg in the process of running grub-mkconfig. The resulting
-wrong permission (0644) would allow unprivileged users to read GRUB
-configuration file content. This presents a low confidentiality risk
-as grub.cfg may contain non-secured plain-text passwords.
-
-This patch restores the missing umask and sets the creation file mode
-to 0600 preventing unprivileged access.
-
-Fixes: CVE-2021-3981
-
-Signed-off-by: Michael Chang
-Reviewed-by: Daniel Kiper
----
- util/grub-mkconfig.in | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
-index c3ea761..62335d0 100644
---- a/util/grub-mkconfig.in
-+++ b/util/grub-mkconfig.in
-@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
- exit 1
- else
- # none of the children aborted with error, install the new grub.cfg
-+ oldumask=$(umask)
-+ umask 077
- cat ${grub_cfg}.new > ${grub_cfg}
-+ umask $oldumask
- rm -f ${grub_cfg}.new
- fi
- fi
---
-cgit v1.1
-
diff --git a/SPECS/grub2/0170-fix-memory-alloc-errno-reset.patch b/SPECS/grub2/0170-fix-memory-alloc-errno-reset.patch
deleted file mode 100644
index 7867188ec6e..00000000000
--- a/SPECS/grub2/0170-fix-memory-alloc-errno-reset.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -ruN grub-2.06/grub-core/loader/i386/efi/linux.c grub-2.06-inst/grub-core/loader/i386/efi/linux.c
---- grub-2.06/grub-core/loader/i386/efi/linux.c 2022-03-18 11:44:56.489594673 -0700
-+++ grub-2.06-inst/grub-core/loader/i386/efi/linux.c 2022-03-24 11:25:09.561150736 -0700
-@@ -161,6 +161,23 @@
-
- while (!bbuf && bbufsz)
- {
-+ /* Make sure to reset the global grub_errno in case it was left over
-+ from a previous failed grub call.
-+
-+ There is a bug in grub_malloc() where it does not reset grub_errno
-+ on success.
-+
-+ Such behavior leads to exiting this loop with grub_errno set to
-+ GRUB_ERR_OUT_OF_MEMORY even though the last call to grub_malloc()
-+ actually succeeds. A caller up the stack who checks grub_errno
-+ will report a failure where it should not.
-+
-+ This problem manifested with larger initrd files that left less
-+ memory available and caused the default size allocation below to
-+ fail. A smaller allocation size, then, works fine as expected.
-+ */
-+ grub_errno = GRUB_ERR_NONE;
-+
- bbuf = grub_malloc(bbufsz);
- if (!bbuf)
- bbufsz >>= 1;
diff --git a/SPECS/grub2/0173-loader-efi-chainloader-Simplify-the-loader-state.patch b/SPECS/grub2/0173-loader-efi-chainloader-Simplify-the-loader-state.patch
deleted file mode 100644
index 803ba9fef84..00000000000
--- a/SPECS/grub2/0173-loader-efi-chainloader-Simplify-the-loader-state.patch
+++ /dev/null
@@ -1,320 +0,0 @@
-From 008135319a9ce23aac1742651fa3a3f919b5ea1c Mon Sep 17 00:00:00 2001
-From: Chris Coulson
-Date: Tue, 5 Apr 2022 10:02:04 +0100
-Subject: [PATCH] loader/efi/chainloader: Simplify the loader state
-
-The chainloader command retains the source buffer and device path passed
-to LoadImage(), requiring the unload hook passed to grub_loader_set() to
-free them. It isn't required to retain this state though - they aren't
-required by StartImage() or anything else in the boot hook, so clean them
-up before grub_cmd_chainloader() finishes.
-
-Signed-off-by: Chris Coulson
-Reviewed-by: Daniel Kiper
-Modified patch 1469983ebb9674753ad333d37087fb8cb20e1dce to apply to CBL-Mariner: Merged chainloader to remove globals and instead pass context. Based on https://src.fedoraproject.org/rpms/grub2/blob/f0ad2aaa267a5d99b47f5c5770a55de0a702fdf0/f/0221-loader-efi-chainloader-simplify-the-loader-state.patch
-Modified-by: Gary Swalling
----
- grub-core/loader/efi/chainloader.c | 143 +++++++++++++++++++----------
- 1 file changed, 97 insertions(+), 46 deletions(-)
-
-diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
-index 6f5b034..97a6a70 100644
---- a/grub-core/loader/efi/chainloader.c
-+++ b/grub-core/loader/efi/chainloader.c
-@@ -47,38 +47,38 @@ GRUB_MOD_LICENSE ("GPLv3+");
-
- static grub_dl_t my_mod;
-
--static grub_efi_physical_address_t address;
--static grub_efi_uintn_t pages;
--static grub_ssize_t fsize;
--static grub_efi_device_path_t *file_path;
- static grub_efi_handle_t image_handle;
--static grub_efi_char16_t *cmdline;
--static grub_ssize_t cmdline_len;
--static grub_efi_handle_t dev_handle;
-
--static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
-+struct grub_secureboot_chainloader_context {
-+ grub_efi_physical_address_t address;
-+ grub_efi_uintn_t pages;
-+ grub_ssize_t fsize;
-+ grub_efi_device_path_t *file_path;
-+ grub_efi_char16_t *cmdline;
-+ grub_ssize_t cmdline_len;
-+ grub_efi_handle_t dev_handle;
-+};
-+static struct grub_secureboot_chainloader_context *sb_context;
-
- static grub_err_t
- grub_chainloader_unload (void)
- {
-+ grub_efi_loaded_image_t *loaded_image;
- grub_efi_boot_services_t *b;
-
-+ loaded_image = grub_efi_get_loaded_image (image_handle);
-+ if (loaded_image != NULL)
-+ grub_free (loaded_image->load_options);
-+
- b = grub_efi_system_table->boot_services;
- efi_call_1 (b->unload_image, image_handle);
-- efi_call_2 (b->free_pages, address, pages);
--
-- grub_free (file_path);
-- grub_free (cmdline);
-- cmdline = 0;
-- file_path = 0;
-- dev_handle = 0;
-
- grub_dl_unref (my_mod);
- return GRUB_ERR_NONE;
- }
-
- static grub_err_t
--grub_chainloader_boot (void)
-+grub_start_image (grub_efi_handle_t handle)
- {
- grub_efi_boot_services_t *b;
- grub_efi_status_t status;
-@@ -86,7 +86,7 @@ grub_chainloader_boot (void)
- grub_efi_char16_t *exit_data = NULL;
-
- b = grub_efi_system_table->boot_services;
-- status = efi_call_3 (b->start_image, image_handle, &exit_data_size, &exit_data);
-+ status = efi_call_3 (b->start_image, handle, &exit_data_size, &exit_data);
- if (status != GRUB_EFI_SUCCESS)
- {
- if (exit_data)
-@@ -110,11 +110,21 @@ grub_chainloader_boot (void)
- if (exit_data)
- efi_call_1 (b->free_pool, exit_data);
-
-- grub_loader_unset ();
--
- return grub_errno;
- }
-
-+static grub_err_t
-+grub_chainloader_boot (void)
-+{
-+ grub_err_t err;
-+
-+ err = grub_start_image (image_handle);
-+
-+ grub_loader_unset ();
-+ return err;
-+}
-+
-+
- static grub_err_t
- copy_file_path (grub_efi_file_path_device_path_t *fp,
- const char *str, grub_efi_uint16_t len)
-@@ -149,7 +159,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
- char *dir_start;
- char *dir_end;
- grub_size_t size;
-- grub_efi_device_path_t *d;
-+ grub_efi_device_path_t *d, *file_path;
-
- dir_start = grub_strchr (filename, ')');
- if (! dir_start)
-@@ -521,11 +531,13 @@ grub_efi_get_media_file_path (grub_efi_device_path_t *dp)
- }
-
- static grub_efi_boolean_t
--handle_image (void *data, grub_efi_uint32_t datasize)
-+handle_image (struct grub_secureboot_chainloader_context *load_context)
- {
- grub_efi_boot_services_t *b;
- grub_efi_loaded_image_t *li, li_bak;
- grub_efi_status_t efi_status;
-+ void *data = (void *)(unsigned long)load_context->address;
-+ grub_efi_uint32_t datasize = load_context->fsize;
- char *buffer = NULL;
- char *buffer_aligned = NULL;
- grub_efi_uint32_t i;
-@@ -536,6 +548,7 @@ handle_image (void *data, grub_efi_uint32_t datasize)
- grub_uint32_t buffer_size;
- int found_entry_point = 0;
- int rc;
-+ grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
-
- b = grub_efi_system_table->boot_services;
-
-@@ -795,10 +808,10 @@ handle_image (void *data, grub_efi_uint32_t datasize)
- grub_memcpy (&li_bak, li, sizeof (grub_efi_loaded_image_t));
- li->image_base = buffer_aligned;
- li->image_size = context.image_size;
-- li->load_options = cmdline;
-- li->load_options_size = cmdline_len;
-- li->file_path = grub_efi_get_media_file_path (file_path);
-- li->device_handle = dev_handle;
-+ li->load_options = load_context->cmdline;
-+ li->load_options_size = load_context->cmdline_len;
-+ li->file_path = grub_efi_get_media_file_path (load_context->file_path);
-+ li->device_handle = load_context->dev_handle;
- if (!li->file_path)
- {
- grub_error (GRUB_ERR_UNKNOWN_DEVICE, "no matching file path found");
-@@ -826,22 +839,22 @@ error_exit:
- static grub_err_t
- grub_secureboot_chainloader_unload (void)
- {
-- grub_efi_boot_services_t *b;
-+ grub_efi_free_pages (sb_context->address, sb_context->pages);
-+ grub_free (sb_context->file_path);
-+ grub_free (sb_context->cmdline);
-+ grub_free (sb_context);
-
-- b = grub_efi_system_table->boot_services;
-- efi_call_2 (b->free_pages, address, pages);
-- grub_free (file_path);
-- grub_free (cmdline);
-- cmdline = 0;
-- file_path = 0;
-- dev_handle = 0;
-+ sb_context = 0;
-
- grub_dl_unref (my_mod);
- return GRUB_ERR_NONE;
- }
-
- static grub_err_t
--grub_load_and_start_image(void *boot_image)
-+grub_load_image(grub_efi_device_path_t *file_path, void *boot_image,
-+ grub_efi_uintn_t image_size, grub_efi_handle_t dev_handle,
-+ grub_efi_char16_t *cmdline, grub_ssize_t cmdline_len,
-+ grub_efi_handle_t *image_handle_out)
- {
- grub_efi_boot_services_t *b;
- grub_efi_status_t status;
-@@ -850,7 +863,7 @@ grub_load_and_start_image(void *boot_image)
- b = grub_efi_system_table->boot_services;
-
- status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path,
-- boot_image, fsize, &image_handle);
-+ boot_image, image_size, image_handle_out);
- if (status != GRUB_EFI_SUCCESS)
- {
- if (status == GRUB_EFI_OUT_OF_RESOURCES)
-@@ -863,7 +876,7 @@ grub_load_and_start_image(void *boot_image)
- /* LoadImage does not set a device handler when the image is
- loaded from memory, so it is necessary to set it explicitly here.
- This is a mess. */
-- loaded_image = grub_efi_get_loaded_image (image_handle);
-+ loaded_image = grub_efi_get_loaded_image (*image_handle_out);
- if (! loaded_image)
- {
- grub_error (GRUB_ERR_BAD_OS, "no loaded image available");
-@@ -883,13 +896,28 @@ grub_load_and_start_image(void *boot_image)
- static grub_err_t
- grub_secureboot_chainloader_boot (void)
- {
-+ grub_efi_boot_services_t *b;
- int rc;
-- rc = handle_image ((void *)(unsigned long)address, fsize);
-+ grub_efi_handle_t handle = 0;
-+
-+ rc = handle_image (sb_context);
- if (rc == 0)
- {
-- grub_load_and_start_image((void *)(unsigned long)address);
-+ /* We weren't able to attempt to execute the image, so fall back
-+ * to LoadImage / StartImage.
-+ */
-+ rc = grub_load_image(sb_context->file_path,
-+ (void *)(unsigned long)sb_context->address,
-+ sb_context->fsize, sb_context->dev_handle,
-+ sb_context->cmdline, sb_context->cmdline_len,
-+ &handle);
-+ if (rc == 0)
-+ grub_start_image (handle);
- }
-
-+ b = grub_efi_system_table->boot_services;
-+ efi_call_1 (b->unload_image, handle);
-+
- grub_loader_unset ();
- return grub_errno;
- }
-@@ -902,9 +930,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
- grub_efi_status_t status;
- grub_efi_boot_services_t *b;
- grub_device_t dev = 0;
-- grub_efi_device_path_t *dp = 0;
-+ grub_efi_device_path_t *dp = 0, *file_path = 0;
- char *filename;
- void *boot_image = 0;
-+ grub_efi_physical_address_t address = 0;
-+ grub_ssize_t fsize;
-+ grub_efi_uintn_t pages = 0;
-+ grub_efi_char16_t *cmdline = 0;
-+ grub_ssize_t cmdline_len = 0;
-+ grub_efi_handle_t dev_handle = 0;
- int rc;
-
- if (argc == 0)
-@@ -913,12 +947,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
-
- grub_dl_ref (my_mod);
-
-- /* Initialize some global variables. */
-- address = 0;
-- image_handle = 0;
-- file_path = 0;
-- dev_handle = 0;
--
- b = grub_efi_system_table->boot_services;
-
- if (argc > 1)
-@@ -1070,6 +1098,17 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
- grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);
- if (rc > 0)
- {
-+ sb_context = grub_malloc (sizeof (*sb_context));
-+ if (sb_context == NULL)
-+ goto fail;
-+ sb_context->address = address;
-+ sb_context->fsize = fsize;
-+ sb_context->pages = pages;
-+ sb_context->file_path = file_path;
-+ sb_context->cmdline = cmdline;
-+ sb_context->cmdline_len = cmdline_len;
-+ sb_context->dev_handle = dev_handle;
-+
- grub_file_close (file);
- grub_device_close (dev);
- grub_loader_set (grub_secureboot_chainloader_boot,
-@@ -1078,9 +1117,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
- }
- else if (rc == 0)
- {
-- grub_load_and_start_image(boot_image);
-+ grub_load_image(file_path, boot_image, fsize, dev_handle, cmdline,
-+ cmdline_len, &image_handle);
- grub_file_close (file);
- grub_device_close (dev);
-+
-+ /* We're finished with the source image buffer and file path now */
-+ efi_call_2 (b->free_pages, address, pages);
-+ grub_free (file_path);
-+
- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
-
- return 0;
-@@ -1102,6 +1147,12 @@ fail:
- if (cmdline)
- grub_free (cmdline);
-
-+ if (image_handle != 0)
-+ {
-+ efi_call_1 (b->unload_image, image_handle);
-+ image_handle = 0;
-+ }
-+
- grub_dl_unref (my_mod);
-
- return grub_errno;
---
-2.34.1
-
diff --git a/SPECS/grub2/0174-commands-boot-Add-API-to-pass-context-to-loader.patch b/SPECS/grub2/0174-commands-boot-Add-API-to-pass-context-to-loader.patch
deleted file mode 100644
index 14b6996c4e3..00000000000
--- a/SPECS/grub2/0174-commands-boot-Add-API-to-pass-context-to-loader.patch
+++ /dev/null
@@ -1,161 +0,0 @@
-From 03bb665ab91ae941931cfb6f035d15c8eb443894 Mon Sep 17 00:00:00 2001
-From: Chris Coulson
-Date: Tue, 5 Apr 2022 10:58:28 +0100
-Subject: [PATCH] commands/boot: Add API to pass context to loader
-
-Loaders rely on global variables for saving context which is consumed
-in the boot hook and freed in the unload hook. In the case where a loader
-command is executed twice, calling grub_loader_set() a second time executes
-the unload hook, but in some cases this runs when the loader's global
-context has already been updated, resulting in the updated context being
-freed and potential use-after-free bugs when the boot hook is subsequently
-called.
-
-This adds a new API, grub_loader_set_ex(), which allows a loader to specify
-context that is passed to its boot and unload hooks. This is an alternative
-to requiring that loaders call grub_loader_unset() before mutating their
-global context.
-
-Signed-off-by: Chris Coulson
-Reviewed-by: Daniel Kiper
----
- grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++++++++++-----
- include/grub/loader.h | 5 +++
- 2 files changed, 63 insertions(+), 8 deletions(-)
-
-diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
-index bbca81e..6151478 100644
---- a/grub-core/commands/boot.c
-+++ b/grub-core/commands/boot.c
-@@ -27,10 +27,20 @@
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
--static grub_err_t (*grub_loader_boot_func) (void);
--static grub_err_t (*grub_loader_unload_func) (void);
-+static grub_err_t (*grub_loader_boot_func) (void *context);
-+static grub_err_t (*grub_loader_unload_func) (void *context);
-+static void *grub_loader_context;
- static int grub_loader_flags;
-
-+struct grub_simple_loader_hooks
-+{
-+ grub_err_t (*boot) (void);
-+ grub_err_t (*unload) (void);
-+};
-+
-+/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
-+static struct grub_simple_loader_hooks simple_loader_hooks;
-+
- struct grub_preboot
- {
- grub_err_t (*preboot_func) (int);
-@@ -44,6 +54,29 @@ static int grub_loader_loaded;
- static struct grub_preboot *preboots_head = 0,
- *preboots_tail = 0;
-
-+static grub_err_t
-+grub_simple_boot_hook (void *context)
-+{
-+ struct grub_simple_loader_hooks *hooks;
-+
-+ hooks = (struct grub_simple_loader_hooks *) context;
-+ return hooks->boot ();
-+}
-+
-+static grub_err_t
-+grub_simple_unload_hook (void *context)
-+{
-+ struct grub_simple_loader_hooks *hooks;
-+ grub_err_t ret;
-+
-+ hooks = (struct grub_simple_loader_hooks *) context;
-+
-+ ret = hooks->unload ();
-+ grub_memset (hooks, 0, sizeof (*hooks));
-+
-+ return ret;
-+}
-+
- int
- grub_loader_is_loaded (void)
- {
-@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
- }
-
- void
--grub_loader_set (grub_err_t (*boot) (void),
-- grub_err_t (*unload) (void),
-- int flags)
-+grub_loader_set_ex (grub_err_t (*boot) (void *context),
-+ grub_err_t (*unload) (void *context),
-+ void *context,
-+ int flags)
- {
- if (grub_loader_loaded && grub_loader_unload_func)
-- grub_loader_unload_func ();
-+ grub_loader_unload_func (grub_loader_context);
-
- grub_loader_boot_func = boot;
- grub_loader_unload_func = unload;
-+ grub_loader_context = context;
- grub_loader_flags = flags;
-
- grub_loader_loaded = 1;
- }
-
-+void
-+grub_loader_set (grub_err_t (*boot) (void),
-+ grub_err_t (*unload) (void),
-+ int flags)
-+{
-+ grub_loader_set_ex (grub_simple_boot_hook,
-+ grub_simple_unload_hook,
-+ &simple_loader_hooks,
-+ flags);
-+
-+ simple_loader_hooks.boot = boot;
-+ simple_loader_hooks.unload = unload;
-+}
-+
- void
- grub_loader_unset(void)
- {
- if (grub_loader_loaded && grub_loader_unload_func)
-- grub_loader_unload_func ();
-+ grub_loader_unload_func (grub_loader_context);
-
- grub_loader_boot_func = 0;
- grub_loader_unload_func = 0;
-+ grub_loader_context = 0;
-
- grub_loader_loaded = 0;
- }
-@@ -158,7 +208,7 @@ grub_loader_boot (void)
- return err;
- }
- }
-- err = (grub_loader_boot_func) ();
-+ err = (grub_loader_boot_func) (grub_loader_context);
-
- for (cur = preboots_tail; cur; cur = cur->prev)
- if (! err)
-diff --git a/include/grub/loader.h b/include/grub/loader.h
-index b208642..97f2310 100644
---- a/include/grub/loader.h
-+++ b/include/grub/loader.h
-@@ -40,6 +40,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
- grub_err_t (*unload) (void),
- int flags);
-
-+void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context),
-+ grub_err_t (*unload) (void *context),
-+ void *context,
-+ int flags);
-+
- /* Unset current loader, if any. */
- void EXPORT_FUNC (grub_loader_unset) (void);
-
---
-2.34.1
-
diff --git a/SPECS/grub2/0175-loader-efi-chainloader-Use-grub_loader_set_ex.patch b/SPECS/grub2/0175-loader-efi-chainloader-Use-grub_loader_set_ex.patch
deleted file mode 100644
index 553d25afb8e..00000000000
--- a/SPECS/grub2/0175-loader-efi-chainloader-Use-grub_loader_set_ex.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 4a1a2c0f05839e80229fcb2516fee5067804491e Mon Sep 17 00:00:00 2001
-From: Chris Coulson
-Date: Tue, 5 Apr 2022 11:48:58 +0100
-Subject: [PATCH] loader/efi/chainloader: Use grub_loader_set_ex()
-
-This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
-a use-after-free bug that occurs when grub_cmd_chainloader() is executed
-more than once before a boot attempt is performed.
-
-Fixes: CVE-2022-28736
-
-Signed-off-by: Chris Coulson
-Reviewed-by: Daniel Kiper
-Modified patch 04c86e0bb7b58fc2f913f798cdb18934933e532d to apply to CBL-Mariner: Merged chainloader to remove remaining globals and use grub_loader_set_ex(). Based on https://src.fedoraproject.org/rpms/grub2/blob/f0ad2aaa267a5d99b47f5c5770a55de0a702fdf0/f/0223-loader-efi-chainloader-Use-grub_loader_set_ex.patch
-Modified-by: Gary Swalling
----
- grub-core/loader/efi/chainloader.c | 35 +++++++++++++++---------------
- 1 file changed, 18 insertions(+), 17 deletions(-)
-
-diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
-index 97a6a70..996787f 100644
---- a/grub-core/loader/efi/chainloader.c
-+++ b/grub-core/loader/efi/chainloader.c
-@@ -47,8 +47,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
-
- static grub_dl_t my_mod;
-
--static grub_efi_handle_t image_handle;
--
- struct grub_secureboot_chainloader_context {
- grub_efi_physical_address_t address;
- grub_efi_uintn_t pages;
-@@ -58,11 +56,11 @@ struct grub_secureboot_chainloader_context {
- grub_ssize_t cmdline_len;
- grub_efi_handle_t dev_handle;
- };
--static struct grub_secureboot_chainloader_context *sb_context;
-
- static grub_err_t
--grub_chainloader_unload (void)
-+grub_chainloader_unload (void *context)
- {
-+ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
- grub_efi_loaded_image_t *loaded_image;
- grub_efi_boot_services_t *b;
-
-@@ -114,8 +112,9 @@ grub_start_image (grub_efi_handle_t handle)
- }
-
- static grub_err_t
--grub_chainloader_boot (void)
-+grub_chainloader_boot (void *context)
- {
-+ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
- grub_err_t err;
-
- err = grub_start_image (image_handle);
-@@ -124,7 +123,6 @@ grub_chainloader_boot (void)
- return err;
- }
-
--
- static grub_err_t
- copy_file_path (grub_efi_file_path_device_path_t *fp,
- const char *str, grub_efi_uint16_t len)
-@@ -837,15 +835,16 @@ error_exit:
- }
-
- static grub_err_t
--grub_secureboot_chainloader_unload (void)
-+grub_secureboot_chainloader_unload (void *context)
- {
-+ struct grub_secureboot_chainloader_context *sb_context;
-+ sb_context = (struct grub_secureboot_chainloader_context *) context;
-+
- grub_efi_free_pages (sb_context->address, sb_context->pages);
- grub_free (sb_context->file_path);
- grub_free (sb_context->cmdline);
- grub_free (sb_context);
-
-- sb_context = 0;
--
- grub_dl_unref (my_mod);
- return GRUB_ERR_NONE;
- }
-@@ -894,12 +893,15 @@ grub_load_image(grub_efi_device_path_t *file_path, void *boot_image,
- }
-
- static grub_err_t
--grub_secureboot_chainloader_boot (void)
-+grub_secureboot_chainloader_boot (void *context)
- {
-+ struct grub_secureboot_chainloader_context *sb_context;
- grub_efi_boot_services_t *b;
- int rc;
- grub_efi_handle_t handle = 0;
-
-+ sb_context = (struct grub_secureboot_chainloader_context *) context;
-+
- rc = handle_image (sb_context);
- if (rc == 0)
- {
-@@ -939,6 +941,8 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
- grub_efi_char16_t *cmdline = 0;
- grub_ssize_t cmdline_len = 0;
- grub_efi_handle_t dev_handle = 0;
-+ grub_efi_handle_t image_handle = 0;
-+ struct grub_secureboot_chainloader_context *sb_context = 0;
- int rc;
-
- if (argc == 0)
-@@ -1111,8 +1115,8 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
-
- grub_file_close (file);
- grub_device_close (dev);
-- grub_loader_set (grub_secureboot_chainloader_boot,
-- grub_secureboot_chainloader_unload, 0);
-+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
-+ grub_secureboot_chainloader_unload, sb_context, 0);
- return 0;
- }
- else if (rc == 0)
-@@ -1126,7 +1130,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
- efi_call_2 (b->free_pages, address, pages);
- grub_free (file_path);
-
-- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
-+ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
-
- return 0;
- }
-@@ -1148,10 +1152,7 @@ fail:
- grub_free (cmdline);
-
- if (image_handle != 0)
-- {
-- efi_call_1 (b->unload_image, image_handle);
-- image_handle = 0;
-- }
-+ efi_call_1 (b->unload_image, image_handle);
-
- grub_dl_unref (my_mod);
-
---
-2.34.1
-
diff --git a/SPECS/grub2/0176-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch b/SPECS/grub2/0176-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
deleted file mode 100644
index 9e94a56f039..00000000000
--- a/SPECS/grub2/0176-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -From 24a8a8c1a2d6d8be7d34905d7806d0b82f392d1e Mon Sep 17 00:00:00 2001 -From: Julian Andres Klode -Date: Thu, 2 Dec 2021 15:03:53 +0100 -Subject: [PATCH] kern/efi/sb: Reject non-kernel files in the shim_lock - verifier - -We must not allow other verifiers to pass things like the GRUB modules. -Instead of maintaining a blocklist, maintain an allowlist of things -that we do not care about. - -This allowlist really should be made reusable, and shared by the -lockdown verifier, but this is the minimal patch addressing -security concerns where the TPM verifier was able to mark modules -as verified (or the OpenPGP verifier for that matter), when it -should not do so on shim-powered secure boot systems. - -Fixes: CVE-2022-28735 - -Signed-off-by: Julian Andres Klode -Reviewed-by: Daniel Kiper ---- - grub-core/kern/efi/sb.c | 39 ++++++++++++++++++++++++++++++++++++--- - include/grub/verify.h | 1 + - 2 files changed, 37 insertions(+), 3 deletions(-) - -diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c -index c52ec62..89c4bb3 100644 ---- a/grub-core/kern/efi/sb.c -+++ b/grub-core/kern/efi/sb.c -@@ -119,10 +119,11 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)), - void **context __attribute__ ((unused)), - enum grub_verify_flags *flags) - { -- *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; -+ *flags = GRUB_VERIFY_FLAGS_NONE; - - switch (type & GRUB_FILE_TYPE_MASK) - { -+ /* Files we check. */ - case GRUB_FILE_TYPE_LINUX_KERNEL: - case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: - case GRUB_FILE_TYPE_BSD_KERNEL: -@@ -130,11 +131,43 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)), - case GRUB_FILE_TYPE_PLAN9_KERNEL: - case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: - *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK; -+ return GRUB_ERR_NONE; - -- /* Fall through. */ -+ /* Files that do not affect secureboot state. 
*/ -+ case GRUB_FILE_TYPE_NONE: -+ case GRUB_FILE_TYPE_LOOPBACK: -+ case GRUB_FILE_TYPE_LINUX_INITRD: -+ case GRUB_FILE_TYPE_OPENBSD_RAMDISK: -+ case GRUB_FILE_TYPE_XNU_RAMDISK: -+ case GRUB_FILE_TYPE_SIGNATURE: -+ case GRUB_FILE_TYPE_PUBLIC_KEY: -+ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST: -+ case GRUB_FILE_TYPE_PRINT_BLOCKLIST: -+ case GRUB_FILE_TYPE_TESTLOAD: -+ case GRUB_FILE_TYPE_GET_SIZE: -+ case GRUB_FILE_TYPE_FONT: -+ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY: -+ case GRUB_FILE_TYPE_CAT: -+ case GRUB_FILE_TYPE_HEXCAT: -+ case GRUB_FILE_TYPE_CMP: -+ case GRUB_FILE_TYPE_HASHLIST: -+ case GRUB_FILE_TYPE_TO_HASH: -+ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT: -+ case GRUB_FILE_TYPE_PIXMAP: -+ case GRUB_FILE_TYPE_GRUB_MODULE_LIST: -+ case GRUB_FILE_TYPE_CONFIG: -+ case GRUB_FILE_TYPE_THEME: -+ case GRUB_FILE_TYPE_GETTEXT_CATALOG: -+ case GRUB_FILE_TYPE_FS_SEARCH: -+ case GRUB_FILE_TYPE_LOADENV: -+ case GRUB_FILE_TYPE_SAVEENV: -+ case GRUB_FILE_TYPE_VERIFY_SIGNATURE: -+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; -+ return GRUB_ERR_NONE; - -+ /* Other files. */ - default: -- return GRUB_ERR_NONE; -+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy")); - } - } - -diff --git a/include/grub/verify.h b/include/grub/verify.h -index cd129c3..672ae16 100644 ---- a/include/grub/verify.h -+++ b/include/grub/verify.h -@@ -24,6 +24,7 @@ - - enum grub_verify_flags - { -+ GRUB_VERIFY_FLAGS_NONE = 0, - GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1, - GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2, - /* Defer verification to another authority. */ --- -2.34.1 - diff --git a/SPECS/grub2/0177-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch b/SPECS/grub2/0177-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch deleted file mode 100644 index 86eae3db968..00000000000 --- a/SPECS/grub2/0177-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-From 8a0bf1683fcb5631469d7dbdbe3224167b213628 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Fri, 25 Jun 2021 02:19:05 +1000
-Subject: [PATCH] kern/file: Do not leak device_name on error in
- grub_file_open()
-
-If we have an error in grub_file_open() before we free device_name, we
-will leak it.
-
-Free device_name in the error path and null out the pointer in the good
-path once we free it there.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/kern/file.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
-index 5845445..ffdcaba 100644
---- a/grub-core/kern/file.c
-+++ b/grub-core/kern/file.c
-@@ -79,6 +79,7 @@ grub_file_open (const char *name, enum grub_file_type type)
-
- device = grub_device_open (device_name);
- grub_free (device_name);
-+ device_name = NULL;
- if (! device)
- goto fail;
-
-@@ -131,6 +132,7 @@ grub_file_open (const char *name, enum grub_file_type type)
- return file;
-
- fail:
-+ grub_free (device_name);
- if (device)
- grub_device_close (device);
-
---
-2.34.1
-
diff --git a/SPECS/grub2/0178-video-readers-png-Abort-sooner-if-a-read-operation-f.patch b/SPECS/grub2/0178-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
deleted file mode 100644
index 84b92da67b0..00000000000
--- a/SPECS/grub2/0178-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
+++ /dev/null
@@ -1,200 +0,0 @@ -From 2d6dc71e56cf6fa7474f5d8ec21dd34cfe64066f Mon Sep 17 00:00:00 2001 -From: Daniel Axtens -Date: Tue, 6 Jul 2021 14:02:55 +1000 -Subject: [PATCH] video/readers/png: Abort sooner if a read operation fails - -Fuzzing revealed some inputs that were taking a long time, potentially -forever, because they did not bail quickly upon encountering an I/O error. - -Try to catch I/O errors sooner and bail out. - -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/video/readers/png.c | 55 ++++++++++++++++++++++++++++++----- - 1 file changed, 47 insertions(+), 8 deletions(-) - -diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c -index 0157ff7..e2a6b1c 100644 ---- a/grub-core/video/readers/png.c -+++ b/grub-core/video/readers/png.c -@@ -142,6 +142,7 @@ static grub_uint8_t - grub_png_get_byte (struct grub_png_data *data) - { - grub_uint8_t r; -+ grub_ssize_t bytes_read = 0; - - if ((data->inside_idat) && (data->idat_remain == 0)) - { -@@ -175,7 +176,14 @@ grub_png_get_byte (struct grub_png_data *data) - } - - r = 0; -- grub_file_read (data->file, &r, 1); -+ bytes_read = grub_file_read (data->file, &r, 1); -+ -+ if (bytes_read != 1) -+ { -+ grub_error (GRUB_ERR_BAD_FILE_TYPE, -+ "png: unexpected end of data"); -+ return 0; -+ } - - if (data->inside_idat) - data->idat_remain--; -@@ -231,15 +239,16 @@ grub_png_decode_image_palette (struct grub_png_data *data, - if (len == 0) - return GRUB_ERR_NONE; - -- for (i = 0; 3 * i < len && i < 256; i++) -+ grub_errno = GRUB_ERR_NONE; -+ for (i = 0; 3 * i < len && i < 256 && grub_errno == GRUB_ERR_NONE; i++) - for (j = 0; j < 3; j++) - data->palette[i][j] = grub_png_get_byte (data); -- for (i *= 3; i < len; i++) -+ for (i *= 3; i < len && grub_errno == GRUB_ERR_NONE; i++) - grub_png_get_byte (data); - - grub_png_get_dword (data); - -- return GRUB_ERR_NONE; -+ return grub_errno; - } - - static grub_err_t -@@ -256,9 +265,13 @@ grub_png_decode_image_header (struct grub_png_data 
*data) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: invalid image size"); - - color_bits = grub_png_get_byte (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - data->is_16bit = (color_bits == 16); - - color_type = grub_png_get_byte (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - /* According to PNG spec, no other types are valid. */ - if ((color_type & ~(PNG_COLOR_MASK_ALPHA | PNG_COLOR_MASK_COLOR)) -@@ -340,14 +353,20 @@ grub_png_decode_image_header (struct grub_png_data *data) - if (grub_png_get_byte (data) != PNG_COMPRESSION_BASE) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "png: compression method not supported"); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - if (grub_png_get_byte (data) != PNG_FILTER_TYPE_BASE) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "png: filter method not supported"); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - if (grub_png_get_byte (data) != PNG_INTERLACE_NONE) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "png: interlace method not supported"); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - /* Skip crc checksum. 
*/ - grub_png_get_dword (data); -@@ -449,7 +468,7 @@ grub_png_get_huff_code (struct grub_png_data *data, struct huff_table *ht) - int code, i; - - code = 0; -- for (i = 0; i < ht->max_length; i++) -+ for (i = 0; i < ht->max_length && grub_errno == GRUB_ERR_NONE; i++) - { - code = (code << 1) + grub_png_get_bits (data, 1); - if (code < ht->maxval[i]) -@@ -504,8 +523,14 @@ grub_png_init_dynamic_block (struct grub_png_data *data) - grub_uint8_t lens[DEFLATE_HCLEN_MAX]; - - nl = DEFLATE_HLIT_BASE + grub_png_get_bits (data, 5); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - nd = DEFLATE_HDIST_BASE + grub_png_get_bits (data, 5); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - nb = DEFLATE_HCLEN_BASE + grub_png_get_bits (data, 4); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - if ((nl > DEFLATE_HLIT_MAX) || (nd > DEFLATE_HDIST_MAX) || - (nb > DEFLATE_HCLEN_MAX)) -@@ -533,7 +558,7 @@ grub_png_init_dynamic_block (struct grub_png_data *data) - data->dist_offset); - - prev = 0; -- for (i = 0; i < nl + nd; i++) -+ for (i = 0; i < nl + nd && grub_errno == GRUB_ERR_NONE; i++) - { - int n, code; - struct huff_table *ht; -@@ -721,17 +746,21 @@ grub_png_read_dynamic_block (struct grub_png_data *data) - len = cplens[n]; - if (cplext[n]) - len += grub_png_get_bits (data, cplext[n]); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - n = grub_png_get_huff_code (data, &data->dist_table); - dist = cpdist[n]; - if (cpdext[n]) - dist += grub_png_get_bits (data, cpdext[n]); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - pos = data->wp - dist; - if (pos < 0) - pos += WSIZE; - -- while (len > 0) -+ while (len > 0 && grub_errno == GRUB_ERR_NONE) - { - data->slide[data->wp] = data->slide[pos]; - grub_png_output_byte (data, data->slide[data->wp]); -@@ -759,7 +788,11 @@ grub_png_decode_image_data (struct grub_png_data *data) - int final; - - cmf = grub_png_get_byte (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; 
- flg = grub_png_get_byte (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - if ((cmf & 0xF) != Z_DEFLATED) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, -@@ -774,7 +807,11 @@ grub_png_decode_image_data (struct grub_png_data *data) - int block_type; - - final = grub_png_get_bits (data, 1); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - block_type = grub_png_get_bits (data, 2); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - switch (block_type) - { -@@ -790,7 +827,7 @@ grub_png_decode_image_data (struct grub_png_data *data) - grub_png_get_byte (data); - grub_png_get_byte (data); - -- for (i = 0; i < len; i++) -+ for (i = 0; i < len && grub_errno == GRUB_ERR_NONE; i++) - grub_png_output_byte (data, grub_png_get_byte (data)); - - break; -@@ -1045,6 +1082,8 @@ grub_png_decode_png (struct grub_png_data *data) - - len = grub_png_get_dword (data); - type = grub_png_get_dword (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ break; - data->next_offset = data->file->offset + len + 4; - - switch (type) --- -2.34.1 - diff --git a/SPECS/grub2/0179-video-readers-png-Refuse-to-handle-multiple-image-he.patch b/SPECS/grub2/0179-video-readers-png-Refuse-to-handle-multiple-image-he.patch deleted file mode 100644 index a034a2b9a56..00000000000 --- a/SPECS/grub2/0179-video-readers-png-Refuse-to-handle-multiple-image-he.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-From b046a6da15a2a2e31ac80d6cac19ab3e2aeb71aa Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 6 Jul 2021 14:13:40 +1000
-Subject: [PATCH] video/readers/png: Refuse to handle multiple image headers
-
-This causes the bitmap to be leaked. Do not permit multiple image headers.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/video/readers/png.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
-index e2a6b1c..8955b8e 100644
---- a/grub-core/video/readers/png.c
-+++ b/grub-core/video/readers/png.c
-@@ -258,6 +258,9 @@ grub_png_decode_image_header (struct grub_png_data *data)
- int color_bits;
- enum grub_video_blit_format blt;
-
-+ if (data->image_width || data->image_height)
-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "png: two image headers found");
-+
- data->image_width = grub_png_get_dword (data);
- data->image_height = grub_png_get_dword (data);
-
---
-2.34.1
-
diff --git a/SPECS/grub2/0180-video-readers-png-Drop-greyscale-support-to-fix-heap.patch b/SPECS/grub2/0180-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
deleted file mode 100644
index 220fb19d6d2..00000000000
--- a/SPECS/grub2/0180-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
+++ /dev/null
@@ -1,171 +0,0 @@ -From 2c3f3251ca003c43b24c7777b52719f591b02a98 Mon Sep 17 00:00:00 2001 -From: Daniel Axtens -Date: Tue, 6 Jul 2021 18:51:35 +1000 -Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap - out-of-bounds write - -A 16-bit greyscale PNG without alpha is processed in the following loop: - - for (i = 0; i < (data->image_width * data->image_height); - i++, d1 += 4, d2 += 2) - { - d1[R3] = d2[1]; - d1[G3] = d2[1]; - d1[B3] = d2[1]; - } - -The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, -but there are only 3 bytes allocated for storage. This means that image -data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes -out of every 4 following the end of the image. - -This has existed since greyscale support was added in 2013 in commit -3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). - -Saving starfield.png as a 16-bit greyscale image without alpha in the gimp -and attempting to load it causes grub-emu to crash - I don't think this code -has ever worked. - -Delete all PNG greyscale support. 
- -Fixes: CVE-2021-3695 - -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/video/readers/png.c | 87 +++-------------------------------- - 1 file changed, 7 insertions(+), 80 deletions(-) - -diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c -index 8955b8e..a3161e2 100644 ---- a/grub-core/video/readers/png.c -+++ b/grub-core/video/readers/png.c -@@ -100,7 +100,7 @@ struct grub_png_data - - unsigned image_width, image_height; - int bpp, is_16bit; -- int raw_bytes, is_gray, is_alpha, is_palette; -+ int raw_bytes, is_alpha, is_palette; - int row_bytes, color_bits; - grub_uint8_t *image_data; - -@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data) - data->bpp = 3; - else - { -- data->is_gray = 1; -- data->bpp = 1; -+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, -+ "png: color type not supported"); - } - - if ((color_bits != 8) && (color_bits != 16) - && (color_bits != 4 -- || !(data->is_gray || data->is_palette))) -+ || !data->is_palette)) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "png: bit depth must be 8 or 16"); - -@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data) - } - - #ifndef GRUB_CPU_WORDS_BIGENDIAN -- if (data->is_16bit || data->is_gray || data->is_palette) -+ if (data->is_16bit || data->is_palette) - #endif - { - data->image_data = grub_calloc (data->image_height, data->row_bytes); -@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data) - int shift; - int mask = (1 << data->color_bits) - 1; - unsigned j; -- if (data->is_gray) -- { -- /* Generic formula is -- (0xff * i) / ((1U << data->color_bits) - 1) -- but for allowed bit depth of 1, 2 and for it's -- equivalent to -- (0xff / ((1U << data->color_bits) - 1)) * i -- Precompute the multipliers to avoid division. 
-- */ -- -- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 }; -- for (i = 0; i < (1U << data->color_bits); i++) -- { -- grub_uint8_t col = multipliers[data->color_bits] * i; -- palette[i][0] = col; -- palette[i][1] = col; -- palette[i][2] = col; -- } -- } -- else -- grub_memcpy (palette, data->palette, 3 << data->color_bits); -+ -+ grub_memcpy (palette, data->palette, 3 << data->color_bits); - d1c = d1; - d2c = d2; - for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3, -@@ -956,60 +937,6 @@ grub_png_convert_image (struct grub_png_data *data) - } - return; - } -- -- if (data->is_gray) -- { -- switch (data->bpp) -- { -- case 4: -- /* 16-bit gray with alpha. */ -- for (i = 0; i < (data->image_width * data->image_height); -- i++, d1 += 4, d2 += 4) -- { -- d1[R4] = d2[3]; -- d1[G4] = d2[3]; -- d1[B4] = d2[3]; -- d1[A4] = d2[1]; -- } -- break; -- case 2: -- if (data->is_16bit) -- /* 16-bit gray without alpha. */ -- { -- for (i = 0; i < (data->image_width * data->image_height); -- i++, d1 += 4, d2 += 2) -- { -- d1[R3] = d2[1]; -- d1[G3] = d2[1]; -- d1[B3] = d2[1]; -- } -- } -- else -- /* 8-bit gray with alpha. */ -- { -- for (i = 0; i < (data->image_width * data->image_height); -- i++, d1 += 4, d2 += 2) -- { -- d1[R4] = d2[1]; -- d1[G4] = d2[1]; -- d1[B4] = d2[1]; -- d1[A4] = d2[0]; -- } -- } -- break; -- /* 8-bit gray without alpha. */ -- case 1: -- for (i = 0; i < (data->image_width * data->image_height); -- i++, d1 += 3, d2++) -- { -- d1[R3] = d2[0]; -- d1[G3] = d2[0]; -- d1[B3] = d2[0]; -- } -- break; -- } -- return; -- } - - { - /* Only copy the upper 8 bit. */ --- -2.34.1 - diff --git a/SPECS/grub2/0181-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch b/SPECS/grub2/0181-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch deleted file mode 100644 index de45e84a820..00000000000 --- a/SPECS/grub2/0181-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From e1483398a1edab11ff2840aca142edabd818f4b3 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 6 Jul 2021 23:25:07 +1000
-Subject: [PATCH] video/readers/png: Avoid heap OOB R/W inserting huff table
- items
-
-In fuzzing we observed crashes where a code would attempt to be inserted
-into a huffman table before the start, leading to a set of heap OOB reads
-and writes as table entries with negative indices were shifted around and
-the new code written in.
-
-Catch the case where we would underflow the array and bail.
-
-Fixes: CVE-2021-3696
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/video/readers/png.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
-index a3161e2..d7ed5aa 100644
---- a/grub-core/video/readers/png.c
-+++ b/grub-core/video/readers/png.c
-@@ -438,6 +438,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
- for (i = len; i < ht->max_length; i++)
- n += ht->maxval[i];
-
-+ if (n > ht->num_values)
-+ {
-+ grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+ "png: out of range inserting huffman table item");
-+ return;
-+ }
-+
- for (i = 0; i < n; i++)
- ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
-
---
-2.34.1
-
diff --git a/SPECS/grub2/0182-video-readers-png-Sanity-check-some-huffman-codes.patch b/SPECS/grub2/0182-video-readers-png-Sanity-check-some-huffman-codes.patch
deleted file mode 100644
index d8de952cd95..00000000000
--- a/SPECS/grub2/0182-video-readers-png-Sanity-check-some-huffman-codes.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From ae7ade4fc13c5ee85f3d8e865f16c296920142a0 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 6 Jul 2021 19:19:11 +1000
-Subject: [PATCH] video/readers/png: Sanity check some huffman codes
-
-ASAN picked up two OOB global reads: we weren't checking if some code
-values fit within the cplens or cpdext arrays. Check and throw an error
-if not.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/video/readers/png.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
-index d7ed5aa..7f2ba78 100644
---- a/grub-core/video/readers/png.c
-+++ b/grub-core/video/readers/png.c
-@@ -753,6 +753,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
- int len, dist, pos;
-
- n -= 257;
-+ if (((unsigned int) n) >= ARRAY_SIZE (cplens))
-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+ "png: invalid huff code");
- len = cplens[n];
- if (cplext[n])
- len += grub_png_get_bits (data, cplext[n]);
-@@ -760,6 +763,9 @@ grub_png_read_dynamic_block (struct grub_png_data *data)
- return grub_errno;
-
- n = grub_png_get_huff_code (data, &data->dist_table);
-+ if (((unsigned int) n) >= ARRAY_SIZE (cpdist))
-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+ "png: invalid huff code");
- dist = cpdist[n];
- if (cpdext[n])
- dist += grub_png_get_bits (data, cpdext[n]);
---
-2.34.1
-
diff --git a/SPECS/grub2/0183-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch b/SPECS/grub2/0183-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
deleted file mode 100644
index 3a4463ed61d..00000000000
--- a/SPECS/grub2/0183-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
+++ /dev/null
@@ -1,257 +0,0 @@ -From 5e394e17cf44fa46be915ceb9a7026778f86626e Mon Sep 17 00:00:00 2001 -From: Daniel Axtens -Date: Mon, 28 Jun 2021 14:16:14 +1000 -Subject: [PATCH] video/readers/jpeg: Abort sooner if a read operation fails - -Fuzzing revealed some inputs that were taking a long time, potentially -forever, because they did not bail quickly upon encountering an I/O error. - -Try to catch I/O errors sooner and bail out. - -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/video/readers/jpeg.c | 86 +++++++++++++++++++++++++++------- - 1 file changed, 70 insertions(+), 16 deletions(-) - -diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c -index e31602f..10225ab 100644 ---- a/grub-core/video/readers/jpeg.c -+++ b/grub-core/video/readers/jpeg.c -@@ -109,9 +109,17 @@ static grub_uint8_t - grub_jpeg_get_byte (struct grub_jpeg_data *data) - { - grub_uint8_t r; -+ grub_ssize_t bytes_read; - - r = 0; -- grub_file_read (data->file, &r, 1); -+ bytes_read = grub_file_read (data->file, &r, 1); -+ -+ if (bytes_read != 1) -+ { -+ grub_error (GRUB_ERR_BAD_FILE_TYPE, -+ "jpeg: unexpected end of data"); -+ return 0; -+ } - - return r; - } -@@ -120,9 +128,17 @@ static grub_uint16_t - grub_jpeg_get_word (struct grub_jpeg_data *data) - { - grub_uint16_t r; -+ grub_ssize_t bytes_read; - - r = 0; -- grub_file_read (data->file, &r, sizeof (grub_uint16_t)); -+ bytes_read = grub_file_read (data->file, &r, sizeof (grub_uint16_t)); -+ -+ if (bytes_read != sizeof (grub_uint16_t)) -+ { -+ grub_error (GRUB_ERR_BAD_FILE_TYPE, -+ "jpeg: unexpected end of data"); -+ return 0; -+ } - - return grub_be_to_cpu16 (r); - } -@@ -135,6 +151,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data) - if (data->bit_mask == 0) - { - data->bit_save = grub_jpeg_get_byte (data); -+ if (grub_errno != GRUB_ERR_NONE) { -+ grub_error (GRUB_ERR_BAD_FILE_TYPE, -+ "jpeg: file read error"); -+ return 0; -+ } - if (data->bit_save == JPEG_ESC_CHAR) - { - if (grub_jpeg_get_byte 
(data) != 0) -@@ -143,6 +164,11 @@ grub_jpeg_get_bit (struct grub_jpeg_data *data) - "jpeg: invalid 0xFF in data stream"); - return 0; - } -+ if (grub_errno != GRUB_ERR_NONE) -+ { -+ grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: file read error"); -+ return 0; -+ } - } - data->bit_mask = 0x80; - } -@@ -161,7 +187,7 @@ grub_jpeg_get_number (struct grub_jpeg_data *data, int num) - return 0; - - msb = value = grub_jpeg_get_bit (data); -- for (i = 1; i < num; i++) -+ for (i = 1; i < num && grub_errno == GRUB_ERR_NONE; i++) - value = (value << 1) + (grub_jpeg_get_bit (data) != 0); - if (!msb) - value += 1 - (1 << num); -@@ -202,6 +228,8 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data) - while (data->file->offset + sizeof (count) + 1 <= next_marker) - { - id = grub_jpeg_get_byte (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - ac = (id >> 4) & 1; - id &= 0xF; - if (id > 1) -@@ -252,6 +280,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) - - next_marker = data->file->offset; - next_marker += grub_jpeg_get_word (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - - if (next_marker > data->file->size) - { -@@ -263,6 +293,8 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data) - <= next_marker) - { - id = grub_jpeg_get_byte (data); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - if (id >= 0x10) /* Upper 4-bit is precision. 
*/ - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "jpeg: only 8-bit precision is supported"); -@@ -294,6 +326,9 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) - next_marker = data->file->offset; - next_marker += grub_jpeg_get_word (data); - -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; -+ - if (grub_jpeg_get_byte (data) != 8) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "jpeg: only 8-bit precision is supported"); -@@ -319,6 +354,8 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index"); - - ss = grub_jpeg_get_byte (data); /* Sampling factor. */ -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - if (!id) - { - grub_uint8_t vs, hs; -@@ -498,7 +535,7 @@ grub_jpeg_idct_transform (jpeg_data_unit_t du) - } - } - --static void -+static grub_err_t - grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) - { - int h1, h2, qt; -@@ -513,6 +550,9 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) - data->dc_value[id] += - grub_jpeg_get_number (data, grub_jpeg_get_huff_code (data, h1)); - -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; -+ - du[0] = data->dc_value[id] * (int) data->quan_table[qt][0]; - pos = 1; - while (pos < ARRAY_SIZE (data->quan_table[qt])) -@@ -527,11 +567,13 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) - num >>= 4; - pos += num; - -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; -+ - if (pos >= ARRAY_SIZE (jpeg_zigzag_order)) - { -- grub_error (GRUB_ERR_BAD_FILE_TYPE, -- "jpeg: invalid position in zigzag order!?"); -- return; -+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, -+ "jpeg: invalid position in zigzag order!?"); - } - - du[jpeg_zigzag_order[pos]] = val * (int) data->quan_table[qt][pos]; -@@ -539,6 +581,7 @@ grub_jpeg_decode_du (struct grub_jpeg_data *data, int id, jpeg_data_unit_t du) - } - - grub_jpeg_idct_transform (du); -+ return GRUB_ERR_NONE; 
- } - - static void -@@ -597,7 +640,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) - data_offset += grub_jpeg_get_word (data); - - cc = grub_jpeg_get_byte (data); -- -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - if (cc != 3 && cc != 1) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, - "jpeg: component count must be 1 or 3"); -@@ -610,7 +654,8 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) - id = grub_jpeg_get_byte (data) - 1; - if ((id < 0) || (id >= 3)) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid index"); -- -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - ht = grub_jpeg_get_byte (data); - data->comp_index[id][1] = (ht >> 4); - data->comp_index[id][2] = (ht & 0xF) + 2; -@@ -618,11 +663,14 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data) - if ((data->comp_index[id][1] < 0) || (data->comp_index[id][1] > 3) || - (data->comp_index[id][2] < 0) || (data->comp_index[id][2] > 3)) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid hufftable index"); -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - } - - grub_jpeg_get_byte (data); /* Skip 3 unused bytes. 
*/ - grub_jpeg_get_word (data); -- -+ if (grub_errno != GRUB_ERR_NONE) -+ return grub_errno; - if (data->file->offset != data_offset) - return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos"); - -@@ -640,6 +688,7 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) - { - unsigned c1, vb, hb, nr1, nc1; - int rst = data->dri; -+ grub_err_t err = GRUB_ERR_NONE; - - vb = 8 << data->log_vs; - hb = 8 << data->log_hs; -@@ -660,17 +709,22 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) - - for (r2 = 0; r2 < (1U << data->log_vs); r2++) - for (c2 = 0; c2 < (1U << data->log_hs); c2++) -- grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]); -+ { -+ err = grub_jpeg_decode_du (data, 0, data->ydu[r2 * 2 + c2]); -+ if (err != GRUB_ERR_NONE) -+ return err; -+ } - - if (data->color_components >= 3) - { -- grub_jpeg_decode_du (data, 1, data->cbdu); -- grub_jpeg_decode_du (data, 2, data->crdu); -+ err = grub_jpeg_decode_du (data, 1, data->cbdu); -+ if (err != GRUB_ERR_NONE) -+ return err; -+ err = grub_jpeg_decode_du (data, 2, data->crdu); -+ if (err != GRUB_ERR_NONE) -+ return err; - } - -- if (grub_errno) -- return grub_errno; -- - nr2 = (data->r1 == nr1 - 1) ? (data->image_height - data->r1 * vb) : vb; - nc2 = (c1 == nc1 - 1) ? (data->image_width - c1 * hb) : hb; - --- -2.34.1 - diff --git a/SPECS/grub2/0184-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch b/SPECS/grub2/0184-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch deleted file mode 100644 index af3df246b19..00000000000 --- a/SPECS/grub2/0184-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From bcbf06418c757faad7f4e127773b4b2e588266b9 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Mon, 28 Jun 2021 14:16:58 +1000
-Subject: [PATCH] video/readers/jpeg: Do not reallocate a given huff table
-
-Fix a memory leak where an invalid file could cause us to reallocate
-memory for a huffman table we had already allocated memory for.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/video/readers/jpeg.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
-index 10225ab..caa211f 100644
---- a/grub-core/video/readers/jpeg.c
-+++ b/grub-core/video/readers/jpeg.c
-@@ -245,6 +245,9 @@ grub_jpeg_decode_huff_table (struct grub_jpeg_data *data)
- n += count[i];
-
- id += ac * 2;
-+ if (data->huff_value[id] != NULL)
-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+ "jpeg: attempt to reallocate huffman table");
- data->huff_value[id] = grub_malloc (n);
- if (grub_errno)
- return grub_errno;
---
-2.34.1
-
diff --git a/SPECS/grub2/0185-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch b/SPECS/grub2/0185-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
deleted file mode 100644
index bb2dc3ee15b..00000000000
--- a/SPECS/grub2/0185-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ae73befd2a7b4867a83625228c9eec2b01246c4b Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Mon, 28 Jun 2021 14:25:17 +1000
-Subject: [PATCH] video/readers/jpeg: Refuse to handle multiple start of
- streams
-
-An invalid file could contain multiple start of stream blocks, which
-would cause us to reallocate and leak our bitmap. Refuse to handle
-multiple start of streams.
-
-Additionally, fix a grub_error() call formatting.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/video/readers/jpeg.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
-index caa211f..1df1171 100644
---- a/grub-core/video/readers/jpeg.c
-+++ b/grub-core/video/readers/jpeg.c
-@@ -677,6 +677,9 @@ grub_jpeg_decode_sos (struct grub_jpeg_data *data)
- if (data->file->offset != data_offset)
- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: extra byte in sos");
-
-+ if (*data->bitmap)
-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: too many start of scan blocks");
-+
- if (grub_video_bitmap_create (data->bitmap, data->image_width,
- data->image_height,
- GRUB_VIDEO_BLIT_FORMAT_RGB_888))
-@@ -699,8 +702,8 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
- nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
-
- if (data->bitmap_ptr == NULL)
-- return grub_error(GRUB_ERR_BAD_FILE_TYPE,
-- "jpeg: attempted to decode data before start of stream");
-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+ "jpeg: attempted to decode data before start of stream");
-
- for (; data->r1 < nr1 && (!data->dri || rst);
- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
---
-2.34.1
-
diff --git a/SPECS/grub2/0186-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch b/SPECS/grub2/0186-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
deleted file mode 100644
index 95c93ec76ea..00000000000
--- a/SPECS/grub2/0186-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From b19b781d69f02e16011d5362b6345897bafc159c Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Wed, 7 Jul 2021 15:38:19 +1000
-Subject: [PATCH] video/readers/jpeg: Block int underflow -> wild pointer write
-
-Certain 1 px wide images caused a wild pointer write in
-grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
-we have the following loop:
-
-for (; data->r1 < nr1 && (!data->dri || rst);
- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
-
-We did not check if vb * width >= hb * nc1.
-
-On a 64-bit platform, if that turns out to be negative, it will underflow,
-be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
-we see data->bitmap_ptr jump, e.g.:
-
-0x6180_0000_0480 to
-0x6181_0000_0498
- ^
- ~--- carry has occurred and this pointer is now far away from
- any object.
-
-On a 32-bit platform, it will decrement the pointer, creating a pointer
-that won't crash but will overwrite random data.
-
-Catch the underflow and error out.
-
-Fixes: CVE-2021-3697
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/video/readers/jpeg.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
-index 1df1171..97a533b 100644
---- a/grub-core/video/readers/jpeg.c
-+++ b/grub-core/video/readers/jpeg.c
-@@ -23,6 +23,7 @@
- #include
- #include
- #include
-+#include
-
- GRUB_MOD_LICENSE ("GPLv3+");
-
-@@ -693,6 +694,7 @@ static grub_err_t
- grub_jpeg_decode_data (struct grub_jpeg_data *data)
- {
- unsigned c1, vb, hb, nr1, nc1;
-+ unsigned stride_a, stride_b, stride;
- int rst = data->dri;
- grub_err_t err = GRUB_ERR_NONE;
-
-@@ -705,8 +707,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
- return grub_error (GRUB_ERR_BAD_FILE_TYPE,
- "jpeg: attempted to decode data before start of stream");
-
-+ if (grub_mul(vb, data->image_width, &stride_a) ||
-+ grub_mul(hb, nc1, &stride_b) ||
-+ grub_sub(stride_a, stride_b, &stride))
-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+ "jpeg: cannot decode image with these dimensions");
-+
- for (; data->r1 < nr1 && (!data->dri || rst);
-- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
-+ data->r1++, data->bitmap_ptr += stride * 3)
- for (c1 = 0; c1 < nc1 && (!data->dri || rst);
- c1++, rst--, data->bitmap_ptr += hb * 3)
- {
---
-2.34.1
-
diff --git a/SPECS/grub2/0187-normal-charset-Fix-array-out-of-bounds-formatting-un.patch b/SPECS/grub2/0187-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
deleted file mode 100644
index 3d6a0b3816a..00000000000
--- a/SPECS/grub2/0187-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b206688dbf759234a15049a321efb88d88f1edfa Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 13 Jul 2021 13:24:38 +1000
-Subject: [PATCH] normal/charset: Fix array out-of-bounds formatting unicode
- for display
-
-In some cases attempting to display arbitrary binary strings leads
-to ASAN splats reading the widthspec array out of bounds.
-
-Check the index. If it would be out of bounds, return a width of 1.
-I don't know if that's strictly correct, but we're not really expecting
-great display of arbitrary binary data, and it's certainly not worse than
-an OOB read.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/normal/charset.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
-index 4dfcc31..7a5a7c1 100644
---- a/grub-core/normal/charset.c
-+++ b/grub-core/normal/charset.c
-@@ -395,6 +395,8 @@ grub_unicode_estimate_width (const struct grub_unicode_glyph *c)
- {
- if (grub_unicode_get_comb_type (c->base))
- return 0;
-+ if (((unsigned long) (c->base >> 3)) >= ARRAY_SIZE (widthspec))
-+ return 1;
- if (widthspec[c->base >> 3] & (1 << (c->base & 7)))
- return 2;
- else
---
-2.34.1
-
diff --git a/SPECS/grub2/0188-net-ip-Do-IP-fragment-maths-safely.patch b/SPECS/grub2/0188-net-ip-Do-IP-fragment-maths-safely.patch
deleted file mode 100644
index 5faea884df5..00000000000
--- a/SPECS/grub2/0188-net-ip-Do-IP-fragment-maths-safely.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 218d27f073b1afd18b2232e46e5fdcc0e717d608 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Mon, 20 Dec 2021 19:41:21 +1100
-Subject: [PATCH] net/ip: Do IP fragment maths safely
-
-We can receive packets with invalid IP fragmentation information. This
-can lead to rsm->total_len underflowing and becoming very large.
-
-Then, in grub_netbuff_alloc(), we add to this very large number, which can
-cause it to overflow and wrap back around to a small positive number.
-The allocation then succeeds, but the resulting buffer is too small and
-subsequent operations can write past the end of the buffer.
-
-Catch the underflow here.
-
-Fixes: CVE-2022-28733
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/net/ip.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
-index ea5edf8..74e4e8b 100644
---- a/grub-core/net/ip.c
-+++ b/grub-core/net/ip.c
-@@ -25,6 +25,7 @@
- #include
- #include
- #include
-+#include
- #include
-
- struct iphdr {
-@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
- {
- rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
- + (nb->tail - nb->data));
-- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
-+
-+ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
-+ &rsm->total_len))
-+ {
-+ grub_dprintf ("net", "IP reassembly size underflow\n");
-+ return GRUB_ERR_NONE;
-+ }
-+
- rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
- if (!rsm->asm_netbuff)
- {
---
-2.34.1
-
diff --git a/SPECS/grub2/0189-net-netbuff-Block-overly-large-netbuff-allocs.patch b/SPECS/grub2/0189-net-netbuff-Block-overly-large-netbuff-allocs.patch
deleted file mode 100644
index 1425c103868..00000000000
--- a/SPECS/grub2/0189-net-netbuff-Block-overly-large-netbuff-allocs.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From ad632ccfbf7933ee3dce71c655ac547a30a0c801 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 8 Mar 2022 23:47:46 +1100
-Subject: [PATCH] net/netbuff: Block overly large netbuff allocs
-
-A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment
-reassembly. If we are asked to create one that is unreasonably big, refuse.
-
-This is a hardening measure: if we hit this code, there's a bug somewhere
-else that we should catch and fix.
-
-This commit:
- - stops the bug propagating any further.
- - provides a spot to instrument in e.g. fuzzing to try to catch these bugs.
-
-I have put instrumentation (e.g. __builtin_trap() to force a crash) here and
-have not been able to find any more crashes.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/net/netbuff.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/grub-core/net/netbuff.c b/grub-core/net/netbuff.c
-index dbeeefe..d5e9e9a 100644
---- a/grub-core/net/netbuff.c
-+++ b/grub-core/net/netbuff.c
-@@ -79,10 +79,23 @@ grub_netbuff_alloc (grub_size_t len)
-
- COMPILE_TIME_ASSERT (NETBUFF_ALIGN % sizeof (grub_properly_aligned_t) == 0);
-
-+ /*
-+ * The largest size of a TCP packet is 64 KiB, and everything else
-+ * should be a lot smaller - most MTUs are 1500 or less. Cap data
-+ * size at 64 KiB + a buffer.
-+ */
-+ if (len > 0xffffUL + 0x1000UL)
-+ {
-+ grub_error (GRUB_ERR_BUG,
-+ "attempted to allocate a packet that is too big");
-+ return NULL;
-+ }
-+
- if (len < NETBUFFMINLEN)
- len = NETBUFFMINLEN;
-
- len = ALIGN_UP (len, NETBUFF_ALIGN);
-+
- #ifdef GRUB_MACHINE_EMU
- data = grub_malloc (len + sizeof (*nb));
- #else
---
-2.34.1
-
diff --git a/SPECS/grub2/0190-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch b/SPECS/grub2/0190-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
deleted file mode 100644
index 716fe22ed48..00000000000
--- a/SPECS/grub2/0190-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 5b7c9f45b8901a09c77d52ce355f2d89a7fbf79f Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Thu, 16 Sep 2021 01:29:54 +1000
-Subject: [PATCH] net/dns: Fix double-free addresses on corrupt DNS response
-
-grub_net_dns_lookup() takes as inputs a pointer to an array of addresses
-("addresses") for the given name, and pointer to a number of addresses
-("naddresses"). grub_net_dns_lookup() is responsible for allocating
-"addresses", and the caller is responsible for freeing it if
-"naddresses" > 0.
-
-The DNS recv_hook will sometimes set and free the addresses array,
-for example if the packet is too short:
-
- if (ptr + 10 >= nb->tail)
- {
- if (!*data->naddresses)
- grub_free (*data->addresses);
- grub_netbuff_free (nb);
- return GRUB_ERR_NONE;
- }
-
-Later on the nslookup command code unconditionally frees the "addresses"
-array. Normally this is fine: the array is either populated with valid
-data or is NULL. But in these sorts of error cases it is neither NULL
-nor valid and we get a double-free.
-
-Only free "addresses" if "naddresses" > 0.
-
-It looks like the other use of grub_net_dns_lookup() is not affected.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/net/dns.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
-index 906ec7d..135faac 100644
---- a/grub-core/net/dns.c
-+++ b/grub-core/net/dns.c
-@@ -667,9 +667,11 @@ grub_cmd_nslookup (struct grub_command *cmd __attribute__ ((unused)),
- grub_net_addr_to_str (&addresses[i], buf);
- grub_printf ("%s\n", buf);
- }
-- grub_free (addresses);
- if (naddresses)
-- return GRUB_ERR_NONE;
-+ {
-+ grub_free (addresses);
-+ return GRUB_ERR_NONE;
-+ }
- return grub_error (GRUB_ERR_NET_NO_DOMAIN, N_("no DNS record found"));
- }
-
---
-2.34.1
-
diff --git a/SPECS/grub2/0191-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch b/SPECS/grub2/0191-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
deleted file mode 100644
index 7796743c99b..00000000000
--- a/SPECS/grub2/0191-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From c2c71b193ba897f7b5d8e8ce176f38636323410e Mon Sep 17 00:00:00 2001 -From: Daniel Axtens -Date: Mon, 20 Dec 2021 21:55:43 +1100 -Subject: [PATCH] net/dns: Don't read past the end of the string we're checking - against - -I don't really understand what's going on here but fuzzing found -a bug where we read past the end of check_with. That's a C string, -so use grub_strlen() to make sure we don't overread it. - -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/net/dns.c | 21 +++++++++++++++++---- - 1 file changed, 17 insertions(+), 4 deletions(-) - -diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c -index 135faac..9d5597e 100644 ---- a/grub-core/net/dns.c -+++ b/grub-core/net/dns.c -@@ -146,11 +146,18 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head, - int *length, char *set) - { - const char *readable_ptr = check_with; -+ int readable_len; - const grub_uint8_t *ptr; - char *optr = set; - int bytes_processed = 0; - if (length) - *length = 0; -+ -+ if (readable_ptr != NULL) -+ readable_len = grub_strlen (readable_ptr); -+ else -+ readable_len = 0; -+ - for (ptr = name_at; ptr < tail && bytes_processed < tail - head + 2; ) - { - /* End marker. */ -@@ -172,13 +179,16 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head, - ptr = head + (((ptr[0] & 0x3f) << 8) | ptr[1]); - continue; - } -- if (readable_ptr && grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0) -+ if (readable_ptr != NULL && (*ptr > readable_len || grub_memcmp (ptr + 1, readable_ptr, *ptr) != 0)) - return 0; -- if (grub_memchr (ptr + 1, 0, *ptr) -+ if (grub_memchr (ptr + 1, 0, *ptr) - || grub_memchr (ptr + 1, '.', *ptr)) - return 0; - if (readable_ptr) -- readable_ptr += *ptr; -+ { -+ readable_ptr += *ptr; -+ readable_len -= *ptr; -+ } - if (readable_ptr && *readable_ptr != '.' 
&& *readable_ptr != 0) - return 0; - bytes_processed += *ptr + 1; -@@ -192,7 +202,10 @@ check_name_real (const grub_uint8_t *name_at, const grub_uint8_t *head, - if (optr) - *optr++ = '.'; - if (readable_ptr && *readable_ptr) -- readable_ptr++; -+ { -+ readable_ptr++; -+ readable_len--; -+ } - ptr += *ptr + 1; - } - return 0; --- -2.34.1 - diff --git a/SPECS/grub2/0192-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch b/SPECS/grub2/0192-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch deleted file mode 100644 index c72f946a6fc..00000000000 --- a/SPECS/grub2/0192-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 1c6072ab86e17c71dac8af86fdc9f46c8a1bf617 Mon Sep 17 00:00:00 2001 -From: Daniel Axtens -Date: Mon, 20 Sep 2021 01:12:24 +1000 -Subject: [PATCH] net/tftp: Prevent a UAF and double-free from a failed seek - -A malicious tftp server can cause UAFs and a double free. - -An attempt to read from a network file is handled by grub_net_fs_read(). If -the read is at an offset other than the current offset, grub_net_seek_real() -is invoked. - -In grub_net_seek_real(), if a backwards seek cannot be satisfied from the -currently received packets, and the underlying transport does not provide -a seek method, then grub_net_seek_real() will close and reopen the network -protocol layer. - -For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t -file->data. The file->data pointer is not nulled out after the free. - -If the ->open() call fails, the file->data will not be reallocated and will -continue point to a freed memory block. This could happen from a server -refusing to send the requisite ack to the new tftp request, for example. - -The seek and the read will then fail, but the grub_file continues to exist: -the failed seek does not necessarily cause the entire file to be thrown -away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc., -a read failure is interpreted as a decompressor passing on the file, not as -an invalidation of the entire grub_file_t structure). - -This means subsequent attempts to read or seek the file will use the old -file->data after free. Eventually, the file will be close()d again and -file->data will be freed again. - -Mark a net_fs file that doesn't reopen as broken. Do not permit read() or -close() on a broken file (seek is not exposed directly to the file API - -it is only called as part of read, so this blocks seeks as well). - -As an additional defence, null out the ->data pointer if tftp_open() fails. 
-That would have lead to a simple null pointer dereference rather than -a mess of UAFs. - -This may affect other protocols, I haven't checked. - -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/net/net.c | 11 +++++++++-- - grub-core/net/tftp.c | 1 + - include/grub/net.h | 1 + - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/grub-core/net/net.c b/grub-core/net/net.c -index 4d3eb5c..2cfe1a3 100644 ---- a/grub-core/net/net.c -+++ b/grub-core/net/net.c -@@ -1467,7 +1467,8 @@ grub_net_fs_close (grub_file_t file) - grub_netbuff_free (file->device->net->packs.first->nb); - grub_net_remove_packet (file->device->net->packs.first); - } -- file->device->net->protocol->close (file); -+ if (!file->device->net->broken) -+ file->device->net->protocol->close (file); - grub_free (file->device->net->name); - return GRUB_ERR_NONE; - } -@@ -1689,7 +1690,10 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset) - file->device->net->stall = 0; - err = file->device->net->protocol->open (file, file->device->net->name); - if (err) -- return err; -+ { -+ file->device->net->broken = 1; -+ return err; -+ } - grub_net_fs_read_real (file, NULL, offset); - return grub_errno; - } -@@ -1698,6 +1702,9 @@ grub_net_seek_real (struct grub_file *file, grub_off_t offset) - static grub_ssize_t - grub_net_fs_read (grub_file_t file, char *buf, grub_size_t len) - { -+ if (file->device->net->broken) -+ return -1; -+ - if (file->offset != file->device->net->offset) - { - grub_err_t err; -diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c -index 7f44b30..4ea8069 100644 ---- a/grub-core/net/tftp.c -+++ b/grub-core/net/tftp.c -@@ -400,6 +400,7 @@ tftp_open (struct grub_file *file, const char *filename) - { - grub_net_udp_close (data->sock); - grub_free (data); -+ file->data = NULL; - return grub_errno; - } - -diff --git a/include/grub/net.h b/include/grub/net.h -index 7ae4b6b..1c0f18a 100644 ---- a/include/grub/net.h -+++ b/include/grub/net.h -@@ 
-276,6 +276,7 @@ typedef struct grub_net - grub_fs_t fs; - int eof; - int stall; -+ int broken; - } *grub_net_t; - - extern grub_net_t (*EXPORT_VAR (grub_net_open)) (const char *name); --- -2.34.1 - diff --git a/SPECS/grub2/0193-net-tftp-Avoid-a-trivial-UAF.patch b/SPECS/grub2/0193-net-tftp-Avoid-a-trivial-UAF.patch deleted file mode 100644 index d803873fa52..00000000000 --- a/SPECS/grub2/0193-net-tftp-Avoid-a-trivial-UAF.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 597f4cef5f140d9212af12f5010a211fe20ff9f1 Mon Sep 17 00:00:00 2001 -From: Daniel Axtens -Date: Tue, 18 Jan 2022 14:29:20 +1100 -Subject: [PATCH] net/tftp: Avoid a trivial UAF - -Under tftp errors, we print a tftp error message from the tftp header. -However, the tftph pointer is a pointer inside nb, the netbuff. Previously, -we were freeing the nb and then dereferencing it. Don't do that, use it -and then free it later. - -This isn't really _bad_ per se, especially as we're single-threaded, but -it trips up fuzzers. - -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/net/tftp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c -index 4ea8069..df8bf50 100644 ---- a/grub-core/net/tftp.c -+++ b/grub-core/net/tftp.c -@@ -251,9 +251,9 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), - return GRUB_ERR_NONE; - case TFTP_ERROR: - data->have_oack = 1; -- grub_netbuff_free (nb); - grub_error (GRUB_ERR_IO, "%s", tftph->u.err.errmsg); - grub_error_save (&data->save_err); -+ grub_netbuff_free (nb); - return GRUB_ERR_NONE; - default: - grub_netbuff_free (nb); --- -2.34.1 - diff --git a/SPECS/grub2/0194-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch b/SPECS/grub2/0194-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch deleted file mode 100644 index 85e20a8f128..00000000000 --- a/SPECS/grub2/0194-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From 33b9c2a5433c5512e76e0069b4d191bf2dbeac87 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 1 Mar 2022 23:14:15 +1100
-Subject: [PATCH] net/http: Do not tear down socket if it's already been torn
- down
-
-It's possible for data->sock to get torn down in tcp error handling.
-If we unconditionally tear it down again we will end up doing writes
-to an offset of the NULL pointer when we go to tear it down again.
-
-Detect if it has been torn down and don't do it again.
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/net/http.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/net/http.c b/grub-core/net/http.c
-index b616cf4..833c99f 100644
---- a/grub-core/net/http.c
-+++ b/grub-core/net/http.c
-@@ -409,7 +409,7 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
- return err;
- }
-
-- for (i = 0; !data->headers_recv && i < 100; i++)
-+ for (i = 0; data->sock && !data->headers_recv && i < 100; i++)
- {
- grub_net_tcp_retransmit ();
- grub_net_poll_cards (300, &data->headers_recv);
-@@ -417,7 +417,8 @@ http_establish (struct grub_file *file, grub_off_t offset, int initial)
-
- if (!data->headers_recv)
- {
-- grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
-+ if (data->sock)
-+ grub_net_tcp_close (data->sock, GRUB_NET_TCP_ABORT);
- if (data->err)
- {
- char *str = data->errmsg;
---
-2.34.1
-
diff --git a/SPECS/grub2/0195-net-http-Fix-OOB-write-for-split-http-headers.patch b/SPECS/grub2/0195-net-http-Fix-OOB-write-for-split-http-headers.patch
deleted file mode 100644
index ca4d4848ea8..00000000000
--- a/SPECS/grub2/0195-net-http-Fix-OOB-write-for-split-http-headers.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From be197ecee81b2c8932f65f7fd38e929b3d92ec46 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 8 Mar 2022 18:17:03 +1100
-Subject: [PATCH] net/http: Fix OOB write for split http headers
-
-GRUB has special code for handling an http header that is split
-across two packets.
-
-The code tracks the end of line by looking for a "\n" byte. The
-code for split headers has always advanced the pointer just past the
-end of the line, whereas the code that handles unsplit headers does
-not advance the pointer. This extra advance causes the length to be
-one greater, which breaks an assumption in parse_line(), leading to
-it writing a NUL byte one byte past the end of the buffer where we
-reconstruct the line from the two packets.
-
-It's conceivable that an attacker controlled set of packets could
-cause this to zero out the first byte of the "next" pointer of the
-grub_mm_region structure following the current_line buffer.
-
-Do not advance the pointer in the split header case.
-
-Fixes: CVE-2022-28734
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/net/http.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/grub-core/net/http.c b/grub-core/net/http.c
-index 833c99f..1db72fc 100644
---- a/grub-core/net/http.c
-+++ b/grub-core/net/http.c
-@@ -190,9 +190,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
- int have_line = 1;
- char *t;
- ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
-- if (ptr)
-- ptr++;
-- else
-+ if (ptr == NULL)
- {
- have_line = 0;
- ptr = (char *) nb->tail;
---
-2.34.1
-
diff --git a/SPECS/grub2/0196-net-http-Error-out-on-headers-with-LF-without-CR.patch b/SPECS/grub2/0196-net-http-Error-out-on-headers-with-LF-without-CR.patch
deleted file mode 100644
index 0a8727b340d..00000000000
--- a/SPECS/grub2/0196-net-http-Error-out-on-headers-with-LF-without-CR.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From dc5cb8fe2f3aeae657d5c52870c6958178fcdd9e Mon Sep 17 00:00:00 2001
-From: Daniel Axtens
-Date: Tue, 8 Mar 2022 19:04:40 +1100
-Subject: [PATCH] net/http: Error out on headers with LF without CR
-
-In a similar vein to the previous patch, parse_line() would write
-a NUL byte past the end of the buffer if there was an HTTP header
-with a LF rather than a CRLF.
-
-RFC-2616 says:
-
- Many HTTP/1.1 header field values consist of words separated by LWS
- or special characters. These special characters MUST be in a quoted
- string to be used within a parameter value (as defined in section 3.6).
-
-We don't support quoted sections or continuation lines, etc.
-
-If we see an LF that's not part of a CRLF, bail out.
-
-Fixes: CVE-2022-28734
-
-Signed-off-by: Daniel Axtens
-Reviewed-by: Daniel Kiper
----
- grub-core/net/http.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/grub-core/net/http.c b/grub-core/net/http.c
-index 1db72fc..21064d3 100644
---- a/grub-core/net/http.c
-+++ b/grub-core/net/http.c
-@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
- char *end = ptr + len;
- while (end > ptr && *(end - 1) == '\r')
- end--;
-+
-+ /* LF without CR. */
-+ if (end == ptr + len)
-+ {
-+ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
-+ return GRUB_ERR_NONE;
-+ }
- *end = 0;
-+
- /* Trailing CRLF. */
- if (data->in_chunk_len == 1)
- {
---
-2.34.1
-
diff --git a/SPECS/grub2/0197-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch b/SPECS/grub2/0197-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch
deleted file mode 100644
index 81962f126a0..00000000000
--- a/SPECS/grub2/0197-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 10ed2f4a6a1ebcb3b631fdb7760dd9bba803ad0b Mon Sep 17 00:00:00 2001 -From: Sudhakar Kuppusamy -Date: Wed, 6 Apr 2022 18:03:37 +0530 -Subject: [PATCH] fs/f2fs: Do not read past the end of nat journal entries - -A corrupt f2fs file system could specify a nat journal entry count -that is beyond the maximum NAT_JOURNAL_ENTRIES. - -Check if the specified nat journal entry count before accessing the -array, and throw an error if it is too large. - -Signed-off-by: Sudhakar Kuppusamy -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/fs/f2fs.c | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c -index 8a9992c..6370221 100644 ---- a/grub-core/fs/f2fs.c -+++ b/grub-core/fs/f2fs.c -@@ -632,23 +632,27 @@ get_nat_journal (struct grub_f2fs_data *data) - return err; - } - --static grub_uint32_t --get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid) -+static grub_err_t -+get_blkaddr_from_nat_journal (struct grub_f2fs_data *data, grub_uint32_t nid, -+ grub_uint32_t *blkaddr) - { - grub_uint16_t n = grub_le_to_cpu16 (data->nat_j.n_nats); -- grub_uint32_t blkaddr = 0; - grub_uint16_t i; - -+ if (n >= NAT_JOURNAL_ENTRIES) -+ return grub_error (GRUB_ERR_BAD_FS, -+ "invalid number of nat journal entries"); -+ - for (i = 0; i < n; i++) - { - if (grub_le_to_cpu32 (data->nat_j.entries[i].nid) == nid) - { -- blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr); -+ *blkaddr = grub_le_to_cpu32 (data->nat_j.entries[i].ne.block_addr); - break; - } - } - -- return blkaddr; -+ return GRUB_ERR_NONE; - } - - static grub_uint32_t -@@ -656,10 +660,13 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid) - { - struct grub_f2fs_nat_block *nat_block; - grub_uint32_t seg_off, block_off, entry_off, block_addr; -- grub_uint32_t blkaddr; -+ grub_uint32_t blkaddr = 0; - grub_err_t err; - -- blkaddr = get_blkaddr_from_nat_journal 
(data, nid); -+ err = get_blkaddr_from_nat_journal (data, nid, &blkaddr); -+ if (err != GRUB_ERR_NONE) -+ return 0; -+ - if (blkaddr) - return blkaddr; - --- -2.34.1 - diff --git a/SPECS/grub2/0198-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch b/SPECS/grub2/0198-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch deleted file mode 100644 index 3c64ad89bf1..00000000000 --- a/SPECS/grub2/0198-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -From e528f9e9ea9e05a17a2f76a7d4f765e0061fe089 Mon Sep 17 00:00:00 2001 -From: Sudhakar Kuppusamy -Date: Wed, 6 Apr 2022 18:49:09 +0530 -Subject: [PATCH] fs/f2fs: Do not read past the end of nat bitmap - -A corrupt f2fs filesystem could have a block offset or a bitmap -offset that would cause us to read beyond the bounds of the nat -bitmap. - -Introduce the nat_bitmap_size member in grub_f2fs_data which holds -the size of nat bitmap. - -Set the size when loading the nat bitmap in nat_bitmap_ptr(), and -catch when an invalid offset would create a pointer past the end of -the allocated space. - -Check against the bitmap size in grub_f2fs_test_bit() test bit to avoid -reading past the end of the nat bitmap. - -Signed-off-by: Sudhakar Kuppusamy -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/fs/f2fs.c | 33 +++++++++++++++++++++++++++------ - 1 file changed, 27 insertions(+), 6 deletions(-) - -diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c -index 6370221..8898b23 100644 ---- a/grub-core/fs/f2fs.c -+++ b/grub-core/fs/f2fs.c -@@ -122,6 +122,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); - #define F2FS_INLINE_DOTS 0x10 /* File having implicit dot dentries. 
*/ - - #define MAX_VOLUME_NAME 512 -+#define MAX_NAT_BITMAP_SIZE 3900 - - enum FILE_TYPE - { -@@ -183,7 +184,7 @@ struct grub_f2fs_checkpoint - grub_uint32_t checksum_offset; - grub_uint64_t elapsed_time; - grub_uint8_t alloc_type[MAX_ACTIVE_LOGS]; -- grub_uint8_t sit_nat_version_bitmap[3900]; -+ grub_uint8_t sit_nat_version_bitmap[MAX_NAT_BITMAP_SIZE]; - grub_uint32_t checksum; - } GRUB_PACKED; - -@@ -302,6 +303,7 @@ struct grub_f2fs_data - - struct grub_f2fs_nat_journal nat_j; - char *nat_bitmap; -+ grub_uint32_t nat_bitmap_size; - - grub_disk_t disk; - struct grub_f2fs_node *inode; -@@ -377,15 +379,20 @@ sum_blk_addr (struct grub_f2fs_data *data, int base, int type) - } - - static void * --nat_bitmap_ptr (struct grub_f2fs_data *data) -+nat_bitmap_ptr (struct grub_f2fs_data *data, grub_uint32_t *nat_bitmap_size) - { - struct grub_f2fs_checkpoint *ckpt = &data->ckpt; - grub_uint32_t offset; -+ *nat_bitmap_size = MAX_NAT_BITMAP_SIZE; - - if (grub_le_to_cpu32 (data->sblock.cp_payload) > 0) - return ckpt->sit_nat_version_bitmap; - - offset = grub_le_to_cpu32 (ckpt->sit_ver_bitmap_bytesize); -+ if (offset >= MAX_NAT_BITMAP_SIZE) -+ return NULL; -+ -+ *nat_bitmap_size = *nat_bitmap_size - offset; - - return ckpt->sit_nat_version_bitmap + offset; - } -@@ -438,11 +445,15 @@ grub_f2fs_crc_valid (grub_uint32_t blk_crc, void *buf, const grub_uint32_t len) - } - - static int --grub_f2fs_test_bit (grub_uint32_t nr, const char *p) -+grub_f2fs_test_bit (grub_uint32_t nr, const char *p, grub_uint32_t len) - { - int mask; -+ grub_uint32_t shifted_nr = (nr >> 3); -+ -+ if (shifted_nr >= len) -+ return -1; - -- p += (nr >> 3); -+ p += shifted_nr; - mask = 1 << (7 - (nr & 0x07)); - - return mask & *p; -@@ -662,6 +673,7 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid) - grub_uint32_t seg_off, block_off, entry_off, block_addr; - grub_uint32_t blkaddr = 0; - grub_err_t err; -+ int result_bit; - - err = get_blkaddr_from_nat_journal (data, nid, &blkaddr); - if (err != 
GRUB_ERR_NONE) -@@ -682,8 +694,15 @@ get_node_blkaddr (struct grub_f2fs_data *data, grub_uint32_t nid) - ((seg_off * data->blocks_per_seg) << 1) + - (block_off & (data->blocks_per_seg - 1)); - -- if (grub_f2fs_test_bit (block_off, data->nat_bitmap)) -+ result_bit = grub_f2fs_test_bit (block_off, data->nat_bitmap, -+ data->nat_bitmap_size); -+ if (result_bit > 0) - block_addr += data->blocks_per_seg; -+ else if (result_bit == -1) -+ { -+ grub_free (nat_block); -+ return 0; -+ } - - err = grub_f2fs_block_read (data, block_addr, nat_block); - if (err) -@@ -833,7 +852,9 @@ grub_f2fs_mount (grub_disk_t disk) - if (err) - goto fail; - -- data->nat_bitmap = nat_bitmap_ptr (data); -+ data->nat_bitmap = nat_bitmap_ptr (data, &data->nat_bitmap_size); -+ if (data->nat_bitmap == NULL) -+ goto fail; - - err = get_nat_journal (data); - if (err) --- -2.34.1 - diff --git a/SPECS/grub2/0199-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch b/SPECS/grub2/0199-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch deleted file mode 100644 index 5ad560822d2..00000000000 --- a/SPECS/grub2/0199-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From cd65bd3869a655097e04e8956668156f8712b9c0 Mon Sep 17 00:00:00 2001 -From: Sudhakar Kuppusamy -Date: Wed, 6 Apr 2022 18:17:43 +0530 -Subject: [PATCH] fs/f2fs: Do not copy file names that are too long - -A corrupt f2fs file system might specify a name length which is greater -than the maximum name length supported by the GRUB f2fs driver. - -We will allocate enough memory to store the overly long name, but there -are only F2FS_NAME_LEN bytes in the source, so we would read past the end -of the source. - -While checking directory entries, do not copy a file name with an invalid -length. - -Signed-off-by: Sudhakar Kuppusamy -Signed-off-by: Daniel Axtens -Reviewed-by: Daniel Kiper ---- - grub-core/fs/f2fs.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c -index 8898b23..df6beb5 100644 ---- a/grub-core/fs/f2fs.c -+++ b/grub-core/fs/f2fs.c -@@ -1003,6 +1003,10 @@ grub_f2fs_check_dentries (struct grub_f2fs_dir_iter_ctx *ctx) - - ftype = ctx->dentry[i].file_type; - name_len = grub_le_to_cpu16 (ctx->dentry[i].name_len); -+ -+ if (name_len >= F2FS_NAME_LEN) -+ return 0; -+ - filename = grub_malloc (name_len + 1); - if (!filename) - return 0; --- -2.34.1 - diff --git a/SPECS/grub2/0200-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch b/SPECS/grub2/0200-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch deleted file mode 100644 index 8fee5ddea49..00000000000 --- a/SPECS/grub2/0200-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 1126af7c04aced132923b76a5f26cfb665d1c88f Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Tue, 29 Mar 2022 10:49:56 +0000 -Subject: [PATCH] fs/btrfs: Fix several fuzz issues with invalid dir item - sizing - -According to the btrfs code in Linux, the structure of a directory item -leaf should be of the form: - - |struct btrfs_dir_item|name|data| - -in GRUB the name len and data len are in the grub_btrfs_dir_item -structure's n and m fields respectively. - -The combined size of the structure, name and data should be less than -the allocated memory, a difference to the Linux kernel's struct -btrfs_dir_item is that the grub_btrfs_dir_item has an extra field for -where the name is stored, so we adjust for that too. - -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper ---- - grub-core/fs/btrfs.c | 26 ++++++++++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c -index 6320303..eb9857d 100644 ---- a/grub-core/fs/btrfs.c -+++ b/grub-core/fs/btrfs.c -@@ -1961,6 +1961,7 @@ grub_btrfs_dir (grub_device_t device, const char *path, - int r = 0; - grub_uint64_t tree; - grub_uint8_t type; -+ grub_size_t est_size = 0; - - if (!data) - return grub_errno; -@@ -2019,6 +2020,18 @@ grub_btrfs_dir (grub_device_t device, const char *path, - break; - } - -+ if (direl == NULL || -+ grub_add (grub_le_to_cpu16 (direl->n), -+ grub_le_to_cpu16 (direl->m), &est_size) || -+ grub_add (est_size, sizeof (*direl), &est_size) || -+ grub_sub (est_size, sizeof (direl->name), &est_size) || -+ est_size > allocated) -+ { -+ grub_errno = GRUB_ERR_OUT_OF_RANGE; -+ r = -grub_errno; -+ goto out; -+ } -+ - for (cdirel = direl; - (grub_uint8_t *) cdirel - (grub_uint8_t *) direl - < (grub_ssize_t) elemsize; -@@ -2029,6 +2042,19 @@ grub_btrfs_dir (grub_device_t device, const char *path, - char c; - struct grub_btrfs_inode inode; - struct grub_dirhook_info info; -+ -+ if (cdirel == NULL || -+ grub_add (grub_le_to_cpu16 
(cdirel->n), -+ grub_le_to_cpu16 (cdirel->m), &est_size) || -+ grub_add (est_size, sizeof (*cdirel), &est_size) || -+ grub_sub (est_size, sizeof (cdirel->name), &est_size) || -+ est_size > allocated) -+ { -+ grub_errno = GRUB_ERR_OUT_OF_RANGE; -+ r = -grub_errno; -+ goto out; -+ } -+ - err = grub_btrfs_read_inode (data, &inode, cdirel->key.object_id, - tree); - grub_memset (&info, 0, sizeof (info)); --- -2.34.1 - diff --git a/SPECS/grub2/0201-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch b/SPECS/grub2/0201-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch deleted file mode 100644 index f1b7f9f5b4d..00000000000 --- a/SPECS/grub2/0201-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 7a765bcaee6f6a26adabb8051459a8c49bf7dae2 Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Tue, 29 Mar 2022 15:52:46 +0000 -Subject: [PATCH] fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing - -The fuzzer is generating btrfs file systems that have chunks with -invalid combinations of stripes and substripes for the given RAID -configurations. - -After examining the Linux kernel fs/btrfs/tree-checker.c code, it -appears that sub-stripes should only be applied to RAID10, and in that -case there should only ever be 2 of them. - -Similarly, RAID single should only have 1 stripe, and RAID1/1C3/1C4 -should have 2. 3 or 4 stripes respectively, which is what redundancy -corresponds. - -Some of the chunks ended up with a size of 0, which grub_malloc() still -returned memory for and in turn generated ASAN errors later when -accessed. - -While it would be possible to specifically limit the number of stripes, -a more correct test was on the combination of the chunk item, and the -number of stripes by the size of the chunk stripe structure in -comparison to the size of the chunk itself. 
- -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper ---- - grub-core/fs/btrfs.c | 55 ++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 55 insertions(+) - -diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c -index eb9857d..b3d71cd 100644 ---- a/grub-core/fs/btrfs.c -+++ b/grub-core/fs/btrfs.c -@@ -912,6 +912,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - return grub_error (GRUB_ERR_BAD_FS, - "couldn't find the chunk descriptor"); - -+ if (!chsize) -+ { -+ grub_dprintf ("btrfs", "zero-size chunk\n"); -+ return grub_error (GRUB_ERR_BAD_FS, -+ "got an invalid zero-size chunk"); -+ } - chunk = grub_malloc (chsize); - if (!chunk) - return grub_errno; -@@ -970,6 +976,16 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - stripe_length = grub_divmod64 (grub_le_to_cpu64 (chunk->size), - nstripes, - NULL); -+ -+ /* For single, there should be exactly 1 stripe. */ -+ if (grub_le_to_cpu16 (chunk->nstripes) != 1) -+ { -+ grub_dprintf ("btrfs", "invalid RAID_SINGLE: nstripes != 1 (%u)\n", -+ grub_le_to_cpu16 (chunk->nstripes)); -+ return grub_error (GRUB_ERR_BAD_FS, -+ "invalid RAID_SINGLE: nstripes != 1 (%u)", -+ grub_le_to_cpu16 (chunk->nstripes)); -+ } - if (stripe_length == 0) - stripe_length = 512; - stripen = grub_divmod64 (off, stripe_length, &stripe_offset); -@@ -989,6 +1005,19 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - stripen = 0; - stripe_offset = off; - csize = grub_le_to_cpu64 (chunk->size) - off; -+ -+ /* -+ * Redundancy, and substripes only apply to RAID10, and there -+ * should be exactly 2 sub-stripes. 
-+ */ -+ if (grub_le_to_cpu16 (chunk->nstripes) != redundancy) -+ { -+ grub_dprintf ("btrfs", "invalid RAID1: nstripes != %u (%u)\n", -+ redundancy, grub_le_to_cpu16 (chunk->nstripes)); -+ return grub_error (GRUB_ERR_BAD_FS, -+ "invalid RAID1: nstripes != %u (%u)", -+ redundancy, grub_le_to_cpu16 (chunk->nstripes)); -+ } - break; - } - case GRUB_BTRFS_CHUNK_TYPE_RAID0: -@@ -1025,6 +1054,20 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - stripe_offset = low + chunk_stripe_length - * high; - csize = chunk_stripe_length - low; -+ -+ /* -+ * Substripes only apply to RAID10, and there -+ * should be exactly 2 sub-stripes. -+ */ -+ if (grub_le_to_cpu16 (chunk->nsubstripes) != 2) -+ { -+ grub_dprintf ("btrfs", "invalid RAID10: nsubstripes != 2 (%u)", -+ grub_le_to_cpu16 (chunk->nsubstripes)); -+ return grub_error (GRUB_ERR_BAD_FS, -+ "invalid RAID10: nsubstripes != 2 (%u)", -+ grub_le_to_cpu16 (chunk->nsubstripes)); -+ } -+ - break; - } - case GRUB_BTRFS_CHUNK_TYPE_RAID5: -@@ -1124,6 +1167,8 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - - for (j = 0; j < 2; j++) - { -+ grub_size_t est_chunk_alloc = 0; -+ - grub_dprintf ("btrfs", "chunk 0x%" PRIxGRUB_UINT64_T - "+0x%" PRIxGRUB_UINT64_T - " (%d stripes (%d substripes) of %" -@@ -1136,6 +1181,16 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - grub_dprintf ("btrfs", "reading laddr 0x%" PRIxGRUB_UINT64_T "\n", - addr); - -+ if (grub_mul (sizeof (struct grub_btrfs_chunk_stripe), -+ grub_le_to_cpu16 (chunk->nstripes), &est_chunk_alloc) || -+ grub_add (est_chunk_alloc, -+ sizeof (struct grub_btrfs_chunk_item), &est_chunk_alloc) || -+ est_chunk_alloc > chunk->size) -+ { -+ err = GRUB_ERR_BAD_FS; -+ break; -+ } -+ - if (is_raid56) - { - err = btrfs_read_from_chunk (data, chunk, stripen, --- -2.34.1 - 
diff --git a/SPECS/grub2/0202-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch b/SPECS/grub2/0202-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch deleted file mode 100644 index 674b4fca683..00000000000 --- a/SPECS/grub2/0202-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 3fe02dfed8d8f78d26ef5b975d7886873530ec3e Mon Sep 17 00:00:00 2001 -From: Darren Kenny -Date: Thu, 7 Apr 2022 15:18:12 +0000 -Subject: [PATCH] fs/btrfs: Fix more fuzz issues related to chunks - -The corpus was generating issues in grub_btrfs_read_logical() when -attempting to iterate over stripe entries in the superblock's -bootmapping. - -In most cases the reason for the failure was that the number of stripes -in chunk->nstripes exceeded the possible space statically allocated in -superblock bootmapping space. Each stripe entry in the bootmapping block -consists of a grub_btrfs_key followed by a grub_btrfs_chunk_stripe. - -Another issue that came up was that while calculating the chunk size, -in an earlier piece of code in that function, depending on the data -provided in the btrfs file system, it would end up calculating a size -that was too small to contain even 1 grub_btrfs_chunk_item, which is -obviously invalid too. - -Signed-off-by: Darren Kenny -Reviewed-by: Daniel Kiper ---- - grub-core/fs/btrfs.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c -index b3d71cd..54a46b8 100644 ---- a/grub-core/fs/btrfs.c -+++ b/grub-core/fs/btrfs.c -@@ -918,6 +918,17 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - return grub_error (GRUB_ERR_BAD_FS, - "got an invalid zero-size chunk"); - } -+ -+ /* -+ * The space being allocated for a chunk should at least be able to -+ * contain one chunk item. 
-+ */ -+ if (chsize < sizeof (struct grub_btrfs_chunk_item)) -+ { -+ grub_dprintf ("btrfs", "chunk-size too small\n"); -+ return grub_error (GRUB_ERR_BAD_FS, -+ "got an invalid chunk size"); -+ } - chunk = grub_malloc (chsize); - if (!chunk) - return grub_errno; -@@ -1165,6 +1176,13 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - if (csize > (grub_uint64_t) size) - csize = size; - -+ /* -+ * The space for a chunk stripe is limited to the space provide in the super-block's -+ * bootstrap mapping with an initial btrfs key at the start of each chunk. -+ */ -+ grub_size_t avail_stripes = sizeof (data->sblock.bootstrap_mapping) / -+ (sizeof (struct grub_btrfs_key) + sizeof (struct grub_btrfs_chunk_stripe)); -+ - for (j = 0; j < 2; j++) - { - grub_size_t est_chunk_alloc = 0; -@@ -1191,6 +1209,12 @@ grub_btrfs_read_logical (struct grub_btrfs_data *data, grub_disk_addr_t addr, - break; - } - -+ if (grub_le_to_cpu16 (chunk->nstripes) > avail_stripes) -+ { -+ err = GRUB_ERR_BAD_FS; -+ break; -+ } -+ - if (is_raid56) - { - err = btrfs_read_from_chunk (data, chunk, stripen, --- -2.34.1 - diff --git a/SPECS/grub2/CVE-2020-10713.nopatch b/SPECS/grub2/CVE-2020-10713.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-14308.nopatch b/SPECS/grub2/CVE-2020-14308.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-14309.nopatch b/SPECS/grub2/CVE-2020-14309.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-14310.nopatch b/SPECS/grub2/CVE-2020-14310.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-14311.nopatch b/SPECS/grub2/CVE-2020-14311.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-14372.nopatch b/SPECS/grub2/CVE-2020-14372.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 
diff --git a/SPECS/grub2/CVE-2020-25632.nopatch b/SPECS/grub2/CVE-2020-25632.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-25647.nopatch b/SPECS/grub2/CVE-2020-25647.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-27749.nopatch b/SPECS/grub2/CVE-2020-27749.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2020-27779.nopatch b/SPECS/grub2/CVE-2020-27779.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2021-20225.nopatch b/SPECS/grub2/CVE-2021-20225.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2021-20233.nopatch b/SPECS/grub2/CVE-2021-20233.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2021-3418.nopatch b/SPECS/grub2/CVE-2021-3418.nopatch deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/SPECS/grub2/CVE-2022-2601.patch b/SPECS/grub2/CVE-2022-2601.patch deleted file mode 100644 index 1e335708677..00000000000 --- a/SPECS/grub2/CVE-2022-2601.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -Modified patch 9c76ec09ae08155df27cd237eaea150b4f02f532 to apply to CBL-Mariner: removed extra define from bitmap.c and resolved line issue in safemath.h -Modified-by: Mykhailo Bykhovtsev - -From 01c0d4ca26319145703809ab660655373a636ebb Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Fri, 5 Aug 2022 00:51:20 +0800 -Subject: [PATCH 1/2] font: Fix size overflow in grub_font_get_glyph_internal() - -The length of memory allocation and file read may overflow. This patch -fixes the problem by using safemath macros. - -There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe -if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz(). -It is safe replacement for such code. It has safemath-like prototype. - -This patch also introduces grub_cast(value, pointer), it casts value to -typeof(*pointer) then store the value to *pointer. It returns true when -overflow occurs or false if there is no overflow. The semantics of arguments -and return value are designed to be consistent with other safemath macros. - -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 17 +++++++++++++---- - include/grub/bitmap.h | 18 ++++++++++++++++++ - include/grub/safemath.h | 2 ++ - 3 files changed, 33 insertions(+), 4 deletions(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index d09bb38..876b5b6 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) - grub_int16_t xoff; - grub_int16_t yoff; - grub_int16_t dwidth; -- int len; -+ grub_ssize_t len; -+ grub_size_t sz; - - if (index_entry->glyph) - /* Return cached glyph. */ -@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) - return 0; - } - -- len = (width * height + 7) / 8; -- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len); -- if (!glyph) -+ /* Calculate real struct size of current glyph. 
*/ -+ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) || -+ grub_add (sizeof (struct grub_font_glyph), len, &sz)) -+ { -+ remove_font (font); -+ return 0; -+ } -+ -+ /* Allocate and initialize the glyph struct. */ -+ glyph = grub_malloc (sz); -+ if (glyph == NULL) - { - remove_font (font); - return 0; -diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h -index 5728f8c..0d9603f 100644 ---- a/include/grub/bitmap.h -+++ b/include/grub/bitmap.h -@@ -23,6 +23,7 @@ - #include - #include - #include -+#include - - struct grub_video_bitmap - { -@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap) - return bitmap->mode_info.height; - } - -+/* -+ * Calculate and store the size of data buffer of 1bit bitmap in result. -+ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs. -+ * Return true when overflow occurs or false if there is no overflow. -+ * This function is intentionally implemented as a macro instead of -+ * an inline function. Although a bit awkward, it preserves data types for -+ * safemath macros and reduces macro side effects as much as possible. -+ * -+ * XXX: Will report false overflow if width * height > UINT64_MAX. -+ */ -+#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \ -+({ \ -+ grub_uint64_t _bitmap_pixels; \ -+ grub_mul ((width), (height), &_bitmap_pixels) ? 
1 : \ -+ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \ -+}) -+ - void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap, - struct grub_video_mode_info *mode_info); - -diff --git a/include/grub/safemath.h b/include/grub/safemath.h -index c17b89b..bb0f826 100644 ---- a/include/grub/safemath.h -+++ b/include/grub/safemath.h -@@ -30,6 +30,8 @@ - #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) - #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) - -+#define grub_cast(a, res) grub_add ((a), 0, (res)) -+ - #else - #error gcc 5.1 or newer or clang 3.8 or newer is required - #endif --- -2.25.1 - - -From fb6d1e06a7c7fee106a7d6bc491b3f064e1574c3 Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Fri, 5 Aug 2022 01:58:27 +0800 -Subject: [PATCH 2/2] font: Fix several integer overflows in - grub_font_construct_glyph() - -This patch fixes several integer overflows in grub_font_construct_glyph(). -Glyphs of invalid size, zero or leading to an overflow, are rejected. -The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() -returns NULL is fixed too. 
- -Fixes: CVE-2022-2601 - -Reported-by: Zhang Boyang -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 29 +++++++++++++++++------------ - 1 file changed, 17 insertions(+), 12 deletions(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index 876b5b6..0ff5525 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font, - struct grub_video_signed_rect bounds; - static struct grub_font_glyph *glyph = 0; - static grub_size_t max_glyph_size = 0; -+ grub_size_t cur_glyph_size; - - ensure_comb_space (glyph_id); - -@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font, - if (!glyph_id->ncomb && !glyph_id->attributes) - return main_glyph; - -- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) -+ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) || -+ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size)) -+ return main_glyph; -+ -+ if (max_glyph_size < cur_glyph_size) - { - grub_free (glyph); -- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2; -- if (max_glyph_size < 8) -- max_glyph_size = 8; -- glyph = grub_malloc (max_glyph_size); -+ if (grub_mul (cur_glyph_size, 2, &max_glyph_size)) -+ max_glyph_size = 0; -+ glyph = max_glyph_size > 0 ? 
grub_malloc (max_glyph_size) : NULL; - } - if (!glyph) - { -+ max_glyph_size = 0; - grub_errno = GRUB_ERR_NONE; - return main_glyph; - } - -- grub_memset (glyph, 0, sizeof (*glyph) -- + (bounds.width * bounds.height -- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT); -+ grub_memset (glyph, 0, cur_glyph_size); - - glyph->font = main_glyph->font; -- glyph->width = bounds.width; -- glyph->height = bounds.height; -- glyph->offset_x = bounds.x; -- glyph->offset_y = bounds.y; -+ if (bounds.width == 0 || bounds.height == 0 || -+ grub_cast (bounds.width, &glyph->width) || -+ grub_cast (bounds.height, &glyph->height) || -+ grub_cast (bounds.x, &glyph->offset_x) || -+ grub_cast (bounds.y, &glyph->offset_y)) -+ return main_glyph; - - if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR) - grub_font_blit_glyph_mirror (glyph, main_glyph, --- -2.25.1 - diff --git a/SPECS/grub2/CVE-2022-3775.patch b/SPECS/grub2/CVE-2022-3775.patch deleted file mode 100644 index 89f877c48e5..00000000000 --- a/SPECS/grub2/CVE-2022-3775.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 992c06191babc1e109caf40d6a07ec6fdef427af Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Mon, 24 Oct 2022 08:05:35 +0800 -Subject: [PATCH] font: Fix an integer underflow in blit_comb() - -The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may -evaluate to a very big invalid value even if both ctx.bounds.height and -combining_glyphs[i]->height are small integers. For example, if -ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this -expression evaluates to 2147483647 (expected -1). This is because -coordinates are allowed to be negative but ctx.bounds.height is an -unsigned int. So, the subtraction operates on unsigned ints and -underflows to a very big value. The division makes things even worse. -The quotient is still an invalid value even if converted back to int. - -This patch fixes the problem by casting ctx.bounds.height to int. As -a result the subtraction will operate on int and grub_uint16_t which -will be promoted to an int. So, the underflow will no longer happen. Other -uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, -to ensure coordinates are always calculated on signed integers. 
- -Fixes: CVE-2022-3775 - -Reported-by: Daniel Axtens -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index abd412a5e..3d3d803e8 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -1197,12 +1197,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, - ctx.bounds.height = main_glyph->height; - - above_rightx = main_glyph->offset_x + main_glyph->width; -- above_righty = ctx.bounds.y + ctx.bounds.height; -+ above_righty = ctx.bounds.y + (int) ctx.bounds.height; - - above_leftx = main_glyph->offset_x; -- above_lefty = ctx.bounds.y + ctx.bounds.height; -+ above_lefty = ctx.bounds.y + (int) ctx.bounds.height; - -- below_rightx = ctx.bounds.x + ctx.bounds.width; -+ below_rightx = ctx.bounds.x + (int) ctx.bounds.width; - below_righty = ctx.bounds.y; - - comb = grub_unicode_get_comb (glyph_id); -@@ -1215,7 +1215,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, - - if (!combining_glyphs[i]) - continue; -- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; -+ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; - /* CGJ is to avoid diacritics reordering. */ - if (comb[i].code - == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER) -@@ -1225,8 +1225,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, - case GRUB_UNICODE_COMB_OVERLAY: - do_blit (combining_glyphs[i], - targetx, -- (ctx.bounds.height - combining_glyphs[i]->height) / 2 -- - (ctx.bounds.height + ctx.bounds.y), &ctx); -+ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2 -+ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx); - if (min_devwidth < combining_glyphs[i]->width) - min_devwidth = combining_glyphs[i]->width; - break; -@@ -1299,7 +1299,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, - /* Fallthrough. 
*/ - case GRUB_UNICODE_STACK_ATTACHED_ABOVE: - do_blit (combining_glyphs[i], targetx, -- -(ctx.bounds.height + ctx.bounds.y + space -+ -((int) ctx.bounds.height + ctx.bounds.y + space - + combining_glyphs[i]->height), &ctx); - if (min_devwidth < combining_glyphs[i]->width) - min_devwidth = combining_glyphs[i]->width; -@@ -1307,7 +1307,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, - - case GRUB_UNICODE_COMB_HEBREW_DAGESH: - do_blit (combining_glyphs[i], targetx, -- -(ctx.bounds.height / 2 + ctx.bounds.y -+ -((int) ctx.bounds.height / 2 + ctx.bounds.y - + combining_glyphs[i]->height / 2), &ctx); - if (min_devwidth < combining_glyphs[i]->width) - min_devwidth = combining_glyphs[i]->width; --- -2.34.1 - diff --git a/SPECS/grub2/grub2.signatures.json b/SPECS/grub2/grub2.signatures.json index 3e381bb7bfa..c3f09876bcb 100644 --- a/SPECS/grub2/grub2.signatures.json +++ b/SPECS/grub2/grub2.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "gnulib-d271f868a8df9bbec29049d01e056481b7a1a263.tar.gz": "4e23415ae2977ffca15e07419ceff3e9334d0369eafc9e7ae2578f8dd9a4839c", - "grub-2.06.tar.gz": "660eaa2355a4045d8d0cdb5765169d1cad9912ec07873b86c9c6d55dbaa9dfca", + "gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz": "00a25a5c3a18d9d7b0deb456344f7ab02f6f9ef8422fbe6174afafc546c8ee36", + "grub-2.12.tar.gz": "af4d58df3024988799225e94bc1cfaccdeaa9d5725b4ad5517f3b6cf2ee9ed78", "macros.grub2": "b03f6f713601214406971de53538dfc25136bf836f09a663eaffc4332a72c38b", "sbat.csv.in": "040bcd900845b53ef9124f70f8b40fbd169740681fdd519a688663a59a958cf1" } diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec index 909d2ef104c..2d8610db036 100644 --- a/SPECS/grub2/grub2.spec +++ b/SPECS/grub2/grub2.spec 
@@ -2,11 +2,12 @@
 %define __os_install_post %{nil}
 # Gnulib does not produce source tarball releases, and grub's bootstrap.conf
 # bakes in a specific commit id to pull (GNULIB_REVISION).
-%global gnulibversion d271f868a8df9bbec29049d01e056481b7a1a263
+%global gnulibversion 9f48fb992a3d7e96610c4ce8be969cff2d61a01b
+%undefine distro_module_ldflags
 Summary: GRand Unified Bootloader
 Name: grub2
-Version: 2.06
-Release: 19%{?dist}
+Version: 2.12
+Release: 1%{?dist}
 License: GPLv3+
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
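Review bot: The added `%undefine distro_module_ldflags` carries no comment saying why the macro is switched off, and the only explanation in this diff is deleted further down in the same file (the `%prep`/`%build` comments about `module_info.ld` and "grub2-install: error: Decompressor is too big"). Presumably this macro is what injects the `-Wl,-dT,...module_info.ld` option that the old `sed` expression stripped; if so, a comment above the line would preserve the reason, for example `# distro module_info.ld linker script makes grub2-install fail with "Decompressor is too big"`. The spec preamble continues outside this hunk.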
@@ -16,93 +17,6 @@ Source0: https://git.savannah.gnu.org/cgit/grub.git/snapshot/grub-%{versi
 Source1: https://git.savannah.gnu.org/cgit/gnulib.git/snapshot/gnulib-%{gnulibversion}.tar.gz
 Source2: sbat.csv.in
 Source3: macros.grub2
-# Incorporate relevant patches from Fedora 34
-# EFI Secure Boot / Handover Protocol patches
-Patch0001: 0001-Add-support-for-Linux-EFI-stub-loading.patch
-Patch0002: 0002-Rework-linux-command.patch
-Patch0003: 0003-Rework-linux16-command.patch
-Patch0004: 0004-Add-secureboot-support-on-efi-chainloader.patch
-Patch0005: 0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch
-Patch0006: 0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch
-# Kernel cmdline fix
-Patch0017: 0017-Pass-x-hex-hex-straight-through-unmolested.patch
-# Nicer documentation. Also makes patch #166 apply cleanly
-Patch0037: 0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch
-Patch0052: 0052-Make-our-info-pages-say-grub2-where-appropriate.patch
-# General fix
-Patch0069: 0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch
-# ARM64 build patch
-Patch0104: 0104-Rework-how-the-fdt-command-builds.patch
-# General fixes (> 4GB DMA, TPM measurements, etc)
-Patch0112: 0112-Try-to-pick-better-locations-for-kernel-and-initrd.patch
-Patch0115: 0115-x86-efi-Use-bounce-buffers-for-reading-to-addresses-.patch
-Patch0116: 0116-x86-efi-Re-arrange-grub_cmd_linux-a-little-bit.patch
-Patch0117: 0117-x86-efi-Make-our-own-allocator-for-kernel-stuff.patch
-Patch0118: 0118-x86-efi-Allow-initrd-params-cmdline-allocations-abov.patch
-Patch0148: 0148-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
-Patch0149: 0149-tpm-Don-t-propagate-TPM-measurement-errors-to-the-ve.patch
-Patch0150: 0150-x86-efi-Reduce-maximum-bounce-buffer-size-to-16-MiB.patch
-Patch0156: 0156-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
-# CVE-2020-15705
-Patch0157: 0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch
-# Fix to prevent user from overwriting signed grub binary using grub2-install
-Patch0166: 0166-grub-install-disable-support-for-EFI-platforms.patch
-# CVE-2021-3981
-Patch0167: 0167-restore-umask-for-grub-config.patch
-# Fix to reset the global errno to success upon success.
-Patch0170: 0170-fix-memory-alloc-errno-reset.patch
-Patch0171: CVE-2022-2601.patch
-Patch0172: CVE-2022-3775.patch
-# CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2022-28733 CVE-2022-28734
-# CVE-2022-28735 CVE-2022-28736
-Patch0173: 0173-loader-efi-chainloader-Simplify-the-loader-state.patch
-Patch0174: 0174-commands-boot-Add-API-to-pass-context-to-loader.patch
-Patch0175: 0175-loader-efi-chainloader-Use-grub_loader_set_ex.patch
-Patch0176: 0176-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
-Patch0177: 0177-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
-Patch0178: 0178-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
-Patch0179: 0179-video-readers-png-Refuse-to-handle-multiple-image-he.patch
-Patch0180: 0180-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
-Patch0181: 0181-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
-Patch0182: 0182-video-readers-png-Sanity-check-some-huffman-codes.patch
-Patch0183: 0183-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
-Patch0184: 0184-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
-Patch0185: 0185-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
-Patch0186: 0186-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
-Patch0187: 0187-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
-Patch0188: 0188-net-ip-Do-IP-fragment-maths-safely.patch
-Patch0189: 0189-net-netbuff-Block-overly-large-netbuff-allocs.patch
-Patch0190: 0190-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
-Patch0191: 0191-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
-Patch0192: 0192-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
-Patch0193: 0193-net-tftp-Avoid-a-trivial-UAF.patch
-Patch0194: 0194-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
-Patch0195: 0195-net-http-Fix-OOB-write-for-split-http-headers.patch
-Patch0196: 0196-net-http-Error-out-on-headers-with-LF-without-CR.patch
-Patch0197: 0197-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch
-Patch0198: 0198-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch
-Patch0199: 0199-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch
-Patch0200: 0200-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
-Patch0201: 0201-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
-Patch0202: 0202-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
-# Required to reach SBAT 3
-Patch: sbat-3-0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
-Patch: sbat-3-0004-font-Remove-grub_font_dup_glyph.patch
-Patch: sbat-3-0005-font-Fix-integer-overflow-in-ensure_comb_space.patch
-Patch: sbat-3-0006-font-Fix-integer-overflow-in-BMP-index.patch
-Patch: sbat-3-0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch
-Patch: sbat-3-0008-kern-efi-sb-Enforce-verification-of-font-files.patch
-Patch: sbat-3-0009-fbutil-Fix-integer-overflow.patch
-Patch: sbat-3-0011-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
-Patch: sbat-3-0012-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
-Patch: sbat-3-0013-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
-# Required to reach SBAT 4
-Patch: sbat-4-0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
-Patch: sbat-4-0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
-Patch: sbat-4-0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
-Patch: sbat-4-0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
-Patch: sbat-4-0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
-Patch: sbat-4-0006-fs-ntfs-Make-code-more-readable.patch
 # The Azure Linux team created this patch since the gcc version in use at
the # time optimizes the code incorrectly, leading to network traffic getting # dropped in scenarios like PXE booting. @@ -218,18 +132,16 @@ Requires: %{name}-configuration = %{version}-%{release} Minimal set of utilities to configure a grub-based system %prep -# Remove module_info.ld script due to error "grub2-install: error: Decompressor is too big" -LDFLAGS="`echo " %{build_ldflags} " | sed 's#-Wl,-dT,%{_topdir}/BUILD/module_info.ld##'`" -export LDFLAGS -%autosetup -p1 -n grub-2.06 +%autosetup -p1 -n grub-%{version} cp %{SOURCE1} gnulib-%{gnulibversion}.tar.gz tar -zxf gnulib-%{gnulibversion}.tar.gz mv gnulib-%{gnulibversion} gnulib %build -# Remove module_info.ld script due to error "grub2-install: error: Decompressor is too big" -LDFLAGS="`echo " %{build_ldflags} " | sed 's#-Wl,-dT,%{_topdir}/BUILD/module_info.ld##'`" +# Add linker option -d "assign space to common symbols", otherwise some symbols in grub's +# kernel.img will be assigned to the SHN_COMMON section which is not supported by grub-mkimage +LDFLAGS="-Wl,-d %{build_ldflags}" export LDFLAGS export PYTHON=%{python3} @@ -438,12 +350,16 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME %config() %{_sysconfdir}/grub.d/00_header %config() %{_sysconfdir}/grub.d/10_linux %config() %{_sysconfdir}/grub.d/20_linux_xen +%config() %{_sysconfdir}/grub.d/25_bli %config() %{_sysconfdir}/grub.d/30_os-prober %config() %{_sysconfdir}/grub.d/30_uefi-firmware %config(noreplace) %{_sysconfdir}/grub.d/40_custom %config(noreplace) %{_sysconfdir}/grub.d/41_custom %changelog +* Fri Jun 14 2024 Gary Swalling - 2.12-1 +- Upgrade to 2.12 - fixes and features in latest full release + * Wed Jun 12 2024 George Mileka - 2.06-19 - disable code optimization for ip checksum calculation diff --git a/SPECS/grub2/sbat-3-0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch b/SPECS/grub2/sbat-3-0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch deleted file mode 100644 index 477a7b1b226..00000000000 
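Review bot: The patch list removed in the `@@ -16,93 +17,6 @@` hunk of grub2.spec mixes upstream CVE backports with patches that the removed comments mark as downstream (`# Incorporate relevant patches from Fedora 34`), and nothing in the new spec says which of them the 2.12 tarball already contains. The entries that deserve an explicit check are `Patch0157` (CVE-2020-15705, linuxefi kernel validation without the shim protocol), `Patch0004` (secure boot support on the EFI chainloader) and `Patch0166` (stops grub2-install from overwriting the signed grub binary); if any of them has no equivalent in 2.12, dropping it changes Secure Boot behaviour. `sbat.csv.in` keeps the same hash in grub2.signatures.json, so the generation it declares should also be confirmed against the level the removed `sbat-3-*` and `sbat-4-*` patches provided. Once verified, I would record the result next to the remaining patch, e.g. `# 2.12 contains the CVE and sbat-3/sbat-4 fixes formerly carried here; Fedora linuxefi patches 0001-0006, 0157, 0166 dropped: <reason>`.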
--- a/SPECS/grub2/sbat-3-0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch +++ /dev/null @@ -1,33 +0,0 @@ -From f6b6236077f059e64ee315f2d7acb8fa4eda87c5 Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Wed, 3 Aug 2022 19:45:33 +0800 -Subject: [PATCH 01/13] font: Reject glyphs exceeds font->max_glyph_width or - font->max_glyph_height - -Check glyph's width and height against limits specified in font's -metadata. Reject the glyph (and font) if such limits are exceeded. - -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index 42189c325..756ca0abf 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) - || read_be_uint16 (font->file, &height) != 0 - || read_be_int16 (font->file, &xoff) != 0 - || read_be_int16 (font->file, &yoff) != 0 -- || read_be_int16 (font->file, &dwidth) != 0) -+ || read_be_int16 (font->file, &dwidth) != 0 -+ || width > font->max_char_width -+ || height > font->max_char_height) - { - remove_font (font); - return 0; --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0004-font-Remove-grub_font_dup_glyph.patch b/SPECS/grub2/sbat-3-0004-font-Remove-grub_font_dup_glyph.patch deleted file mode 100644 index dc68acedc4d..00000000000 --- a/SPECS/grub2/sbat-3-0004-font-Remove-grub_font_dup_glyph.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From c51292274ded3259eb04c2f1c8d253ffbdb5216a Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Fri, 5 Aug 2022 02:13:29 +0800 -Subject: [PATCH 04/13] font: Remove grub_font_dup_glyph() - -Remove grub_font_dup_glyph() since nobody is using it since 2013, and -I'm too lazy to fix the integer overflow problem in it. - -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 14 -------------- - 1 file changed, 14 deletions(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index e6548892f..a8576ffec 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -1055,20 +1055,6 @@ grub_font_get_glyph_with_fallback (grub_font_t font, grub_uint32_t code) - return best_glyph; - } - --#if 0 --static struct grub_font_glyph * --grub_font_dup_glyph (struct grub_font_glyph *glyph) --{ -- static struct grub_font_glyph *ret; -- ret = grub_malloc (sizeof (*ret) + (glyph->width * glyph->height + 7) / 8); -- if (!ret) -- return NULL; -- grub_memcpy (ret, glyph, sizeof (*ret) -- + (glyph->width * glyph->height + 7) / 8); -- return ret; --} --#endif -- - /* FIXME: suboptimal. */ - static void - grub_font_blit_glyph (struct grub_font_glyph *target, --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0005-font-Fix-integer-overflow-in-ensure_comb_space.patch b/SPECS/grub2/sbat-3-0005-font-Fix-integer-overflow-in-ensure_comb_space.patch deleted file mode 100644 index 2ba00bb5988..00000000000 --- a/SPECS/grub2/sbat-3-0005-font-Fix-integer-overflow-in-ensure_comb_space.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 23843fe8947e4da955a05ad3d1858725bfcb56c8 Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Fri, 5 Aug 2022 02:27:05 +0800 -Subject: [PATCH 05/13] font: Fix integer overflow in ensure_comb_space() - -In fact it can't overflow at all because glyph_id->ncomb is only 8-bit -wide. But let's keep safe if somebody changes the width of glyph_id->ncomb -in the future. This patch also fixes the inconsistency between -render_max_comb_glyphs and render_combining_glyphs when grub_malloc() -returns NULL. - -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index a8576ffec..9e3e0a94e 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -1468,14 +1468,18 @@ ensure_comb_space (const struct grub_unicode_glyph *glyph_id) - if (glyph_id->ncomb <= render_max_comb_glyphs) - return; - -- render_max_comb_glyphs = 2 * glyph_id->ncomb; -- if (render_max_comb_glyphs < 8) -+ if (grub_mul (glyph_id->ncomb, 2, &render_max_comb_glyphs)) -+ render_max_comb_glyphs = 0; -+ if (render_max_comb_glyphs > 0 && render_max_comb_glyphs < 8) - render_max_comb_glyphs = 8; - grub_free (render_combining_glyphs); -- render_combining_glyphs = grub_malloc (render_max_comb_glyphs -- * sizeof (render_combining_glyphs[0])); -+ render_combining_glyphs = (render_max_comb_glyphs > 0) ? -+ grub_calloc (render_max_comb_glyphs, sizeof (render_combining_glyphs[0])) : NULL; - if (!render_combining_glyphs) -- grub_errno = 0; -+ { -+ render_max_comb_glyphs = 0; -+ grub_errno = GRUB_ERR_NONE; -+ } - } - - int --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0006-font-Fix-integer-overflow-in-BMP-index.patch b/SPECS/grub2/sbat-3-0006-font-Fix-integer-overflow-in-BMP-index.patch deleted file mode 100644 index 07011ad2d21..00000000000 --- a/SPECS/grub2/sbat-3-0006-font-Fix-integer-overflow-in-BMP-index.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From b9396daf1c2e3cdc0a1e69b056852e0769fb24de Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Mon, 15 Aug 2022 02:04:58 +0800 -Subject: [PATCH 06/13] font: Fix integer overflow in BMP index - -The BMP index (font->bmp_idx) is designed as a reverse lookup table of -char entries (font->char_index), in order to speed up lookups for BMP -chars (i.e. code < 0x10000). The values in BMP index are the subscripts -of the corresponding char entries, stored in grub_uint16_t, while 0xffff -means not found. - -This patch fixes the problem of large subscript truncated to grub_uint16_t, -leading BMP index to return wrong char entry or report false miss. The -code now checks for bounds and uses BMP index as a hint, and fallbacks -to binary-search if necessary. - -On the occasion add a comment about BMP index is initialized to 0xffff. - -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index 9e3e0a94e..e4cb0d867 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct - font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t)); - if (!font->bmp_idx) - return 1; -+ -+ /* Init the BMP index array to 0xffff. */ - grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t)); - - -@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct - return 1; - } - -- if (entry->code < 0x10000) -+ if (entry->code < 0x10000 && i < 0xffff) - font->bmp_idx[entry->code] = i; - - last_code = entry->code; -@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code) - /* Use BMP index if possible. 
*/ - if (code < 0x10000 && font->bmp_idx) - { -- if (font->bmp_idx[code] == 0xffff) -- return 0; -- return &table[font->bmp_idx[code]]; -+ if (font->bmp_idx[code] < 0xffff) -+ return &table[font->bmp_idx[code]]; -+ /* -+ * When we are here then lookup in BMP index result in miss, -+ * fallthough to binary-search. -+ */ - } - - /* Do a binary search in `char_index', which is ordered by code point. */ --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch b/SPECS/grub2/sbat-3-0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch deleted file mode 100644 index 8b5da8908ec..00000000000 --- a/SPECS/grub2/sbat-3-0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 1d2015598cc7a9fca4b39186273e3519a88e80c7 Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Sun, 14 Aug 2022 18:09:38 +0800 -Subject: [PATCH 07/13] font: Fix integer underflow in binary search of char - index - -If search target is less than all entries in font->index then "hi" -variable is set to -1, which translates to SIZE_MAX and leads to errors. - -This patch fixes the problem by replacing the entire binary search code -with the libstdc++'s std::lower_bound() implementation. - -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 40 ++++++++++++++++++++++------------------ - 1 file changed, 22 insertions(+), 18 deletions(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index e4cb0d867..abd412a5e 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value) - static inline struct char_index_entry * - find_glyph (const grub_font_t font, grub_uint32_t code) - { -- struct char_index_entry *table; -- grub_size_t lo; -- grub_size_t hi; -- grub_size_t mid; -+ struct char_index_entry *table, *first, *end; -+ grub_size_t len; - - table = font->char_index; -+ if (table == NULL) -+ return NULL; - - /* Use BMP index if possible. */ - if (code < 0x10000 && font->bmp_idx) -@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code) - */ - } - -- /* Do a binary search in `char_index', which is ordered by code point. */ -- lo = 0; -- hi = font->num_chars - 1; -- -- if (!table) -- return 0; -+ /* -+ * Do a binary search in char_index which is ordered by code point. -+ * The code below is the same as libstdc++'s std::lower_bound(). 
-+ */ -+ first = table; -+ len = font->num_chars; -+ end = first + len; - -- while (lo <= hi) -+ while (len > 0) - { -- mid = lo + (hi - lo) / 2; -- if (code < table[mid].code) -- hi = mid - 1; -- else if (code > table[mid].code) -- lo = mid + 1; -+ grub_size_t half = len >> 1; -+ struct char_index_entry *middle = first + half; -+ -+ if (middle->code < code) -+ { -+ first = middle + 1; -+ len = len - half - 1; -+ } - else -- return &table[mid]; -+ len = half; - } - -- return 0; -+ return (first < end && first->code == code) ? first : NULL; - } - - /* Get a glyph for the Unicode character CODE in FONT. The glyph is loaded --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0008-kern-efi-sb-Enforce-verification-of-font-files.patch b/SPECS/grub2/sbat-3-0008-kern-efi-sb-Enforce-verification-of-font-files.patch deleted file mode 100644 index 784f6c36505..00000000000 --- a/SPECS/grub2/sbat-3-0008-kern-efi-sb-Enforce-verification-of-font-files.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 93a786a00163e50c29f0394df198518617e1c9a5 Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Sun, 14 Aug 2022 15:51:54 +0800 -Subject: [PATCH 08/13] kern/efi/sb: Enforce verification of font files - -As a mitigation and hardening measure enforce verification of font -files. Then only trusted font files can be load. This will reduce the -attack surface at cost of losing the ability of end-users to customize -fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize -fonts because they have ability to pack fonts into their GRUB bundles. - -This goal is achieved by: - - * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's - skip-verification list. - - * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list, - so font files must be verified by a verifier before they can be loaded. - -Suggested-by: Daniel Kiper -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/kern/efi/sb.c | 1 - - grub-core/kern/lockdown.c | 1 + - 2 files changed, 1 insertion(+), 1 deletion(-) - -diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c -index 89c4bb3fd..db42c2539 100644 ---- a/grub-core/kern/efi/sb.c -+++ b/grub-core/kern/efi/sb.c -@@ -145,7 +145,6 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)), - case GRUB_FILE_TYPE_PRINT_BLOCKLIST: - case GRUB_FILE_TYPE_TESTLOAD: - case GRUB_FILE_TYPE_GET_SIZE: -- case GRUB_FILE_TYPE_FONT: - case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY: - case GRUB_FILE_TYPE_CAT: - case GRUB_FILE_TYPE_HEXCAT: -diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c -index 0bc70fd42..af6d493cd 100644 ---- a/grub-core/kern/lockdown.c -+++ b/grub-core/kern/lockdown.c -@@ -51,6 +51,7 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)), - case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: - case GRUB_FILE_TYPE_ACPI_TABLE: - case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: -+ case GRUB_FILE_TYPE_FONT: - *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; - - /* Fall through. 
*/ --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0009-fbutil-Fix-integer-overflow.patch b/SPECS/grub2/sbat-3-0009-fbutil-Fix-integer-overflow.patch deleted file mode 100644 index 86ebb790d0d..00000000000 --- a/SPECS/grub2/sbat-3-0009-fbutil-Fix-integer-overflow.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 1eac01c147b4d85d2ec4a7e5671fa4345f2e8549 Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Tue, 6 Sep 2022 03:03:21 +0800 -Subject: [PATCH 09/13] fbutil: Fix integer overflow - -Expressions like u64 = u32 * u32 are unsafe because their products are -truncated to u32 even if left hand side is u64. This patch fixes all -problems like that one in fbutil. - -To get right result not only left hand side have to be u64 but it's also -necessary to cast at least one of the operands of all leaf operators of -right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be -u64 = (u64)u32 * u32 + (u64)u32 * u32. - -For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any -combination of values in (grub_uint64_t)u32 * u32 + u32 expression will -not overflow grub_uint64_t. - -Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable. -They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32. - -This patch also adds a comment to grub_video_fb_get_video_ptr() which -says it's arguments must be valid and no sanity check is performed -(like its siblings in grub-core/video/fb/fbutil.c). 
- -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/video/fb/fbutil.c | 4 ++-- - include/grub/fbutil.h | 13 +++++++++---- - 2 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c -index b98bb51fe..25ef39f47 100644 ---- a/grub-core/video/fb/fbutil.c -+++ b/grub-core/video/fb/fbutil.c -@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source, - case 1: - if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED) - { -- int bit_index = y * source->mode_info->width + x; -+ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x; - grub_uint8_t *ptr = source->data + bit_index / 8; - int bit_pos = 7 - bit_index % 8; - color = (*ptr >> bit_pos) & 0x01; -@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source, - case 1: - if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED) - { -- int bit_index = y * source->mode_info->width + x; -+ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x; - grub_uint8_t *ptr = source->data + bit_index / 8; - int bit_pos = 7 - bit_index % 8; - *ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos); -diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h -index 4205eb917..78a1ab3b4 100644 ---- a/include/grub/fbutil.h -+++ b/include/grub/fbutil.h -@@ -31,14 +31,19 @@ struct grub_video_fbblit_info - grub_uint8_t *data; - }; - --/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level -- and it doesn't make sense, in general, to ask for a pointer -- to a particular pixel's data. */ -+/* -+ * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level -+ * and it doesn't make sense, in general, to ask for a pointer -+ * to a particular pixel's data. -+ * -+ * This function assumes that bounds checking has been done in previous phase -+ * and they are opted out in here. 
-+ */ - static inline void * - grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source, - unsigned int x, unsigned int y) - { -- return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel; -+ return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel; - } - - /* Advance pointer by VAL bytes. If there is no unaligned access available, --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0011-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch b/SPECS/grub2/sbat-3-0011-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch deleted file mode 100644 index df290027128..00000000000 --- a/SPECS/grub2/sbat-3-0011-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 9d81f71c6b8f55cf20cd56f5fe29c759df9b48cc Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Mon, 24 Oct 2022 07:15:41 +0800 -Subject: [PATCH 11/13] font: Harden grub_font_blit_glyph() and - grub_font_blit_glyph_mirror() - -As a mitigation and hardening measure add sanity checks to -grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch -makes these two functions do nothing if target blitting area isn't fully -contained in target bitmap. Therefore, if complex calculations in caller -overflows and malicious coordinates are given, we are still safe because -any coordinates which result in out-of-bound-write are rejected. However, -this patch only checks for invalid coordinates, and doesn't provide any -protection against invalid source glyph or destination glyph, e.g. -mismatch between glyph size and buffer size. - -This hardening measure is designed to mitigate possible overflows in -blit_comb(). If overflow occurs, it may return invalid bounding box -during dry run and call grub_font_blit_glyph() with malicious -coordinates during actual blitting. However, we are still safe because -the scratch glyph itself is valid, although its size makes no sense, and -any invalid coordinates are rejected. - -It would be better to call grub_fatal() if illegal parameter is detected. -However, doing this may end up in a dangerous recursion because grub_fatal() -would print messages to the screen and we are in the progress of drawing -characters on the screen. 
- -Reported-by: Daniel Axtens -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index 3d3d803e8..cf15dc2f9 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -1069,8 +1069,15 @@ static void - grub_font_blit_glyph (struct grub_font_glyph *target, - struct grub_font_glyph *src, unsigned dx, unsigned dy) - { -+ grub_uint16_t max_x, max_y; - unsigned src_bit, tgt_bit, src_byte, tgt_byte; - unsigned i, j; -+ -+ /* Harden against out-of-bound writes. */ -+ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) || -+ (grub_add (dy, src->height, &max_y) || max_y > target->height)) -+ return; -+ - for (i = 0; i < src->height; i++) - { - src_bit = (src->width * i) % 8; -@@ -1102,9 +1109,16 @@ grub_font_blit_glyph_mirror (struct grub_font_glyph *target, - struct grub_font_glyph *src, - unsigned dx, unsigned dy) - { -+ grub_uint16_t max_x, max_y; - unsigned tgt_bit, src_byte, tgt_byte; - signed src_bit; - unsigned i, j; -+ -+ /* Harden against out-of-bound writes. */ -+ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) || -+ (grub_add (dy, src->height, &max_y) || max_y > target->height)) -+ return; -+ - for (i = 0; i < src->height; i++) - { - src_bit = (src->width * i + src->width - 1) % 8; --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0012-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch b/SPECS/grub2/sbat-3-0012-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch deleted file mode 100644 index ac7c5f82cb0..00000000000 --- a/SPECS/grub2/sbat-3-0012-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 22b77b87e10a3a6c9bb9885415bc9a9c678378e6 Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Fri, 28 Oct 2022 17:29:16 +0800 -Subject: [PATCH 12/13] font: Assign null_font to glyphs in ascii_font_glyph[] - -The calculations in blit_comb() need information from glyph's font, e.g. -grub_font_get_xheight(main_glyph->font). However, main_glyph->font is -NULL if main_glyph comes from ascii_font_glyph[]. Therefore -grub_font_get_*() crashes because of NULL pointer. - -There is already a solution, the null_font. So, assign it to those glyphs -in ascii_font_glyph[]. - -Reported-by: Daniel Axtens -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/font/font.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/grub-core/font/font.c b/grub-core/font/font.c -index cf15dc2f9..3821937e6 100644 ---- a/grub-core/font/font.c -+++ b/grub-core/font/font.c -@@ -137,7 +137,7 @@ ascii_glyph_lookup (grub_uint32_t code) - ascii_font_glyph[current]->offset_x = 0; - ascii_font_glyph[current]->offset_y = -2; - ascii_font_glyph[current]->device_width = 8; -- ascii_font_glyph[current]->font = NULL; -+ ascii_font_glyph[current]->font = &null_font; - - grub_memcpy (ascii_font_glyph[current]->bitmap, - &ascii_bitmaps[current * ASCII_BITMAP_SIZE], --- -2.34.1 - diff --git a/SPECS/grub2/sbat-3-0013-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch b/SPECS/grub2/sbat-3-0013-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch deleted file mode 100644 index f871b1eb372..00000000000 --- a/SPECS/grub2/sbat-3-0013-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 1514678888595ef41a968a0c69b7ff769edd1e9c Mon Sep 17 00:00:00 2001 -From: Zhang Boyang -Date: Fri, 28 Oct 2022 21:31:39 +0800 -Subject: [PATCH 13/13] normal/charset: Fix an integer overflow in - grub_unicode_aglomerate_comb() - -The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255. -However, code in grub_unicode_aglomerate_comb() doesn't check for an -overflow when incrementing out->ncomb. If out->ncomb is already 255, -after incrementing it will get 0 instead of 256, and cause illegal -memory access in subsequent processing. - -This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max -acceptable value of ncomb. The code now checks for this limit and -ignores additional combining characters when limit is reached. - -Reported-by: Daniel Axtens -Signed-off-by: Zhang Boyang -Reviewed-by: Daniel Kiper ---- - grub-core/normal/charset.c | 3 +++ - include/grub/unicode.h | 2 ++ - 2 files changed, 5 insertions(+) - -diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c -index 000e687bd..4f6647116 100644 ---- a/grub-core/normal/charset.c -+++ b/grub-core/normal/charset.c -@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, - if (!haveout) - continue; - -+ if (out->ncomb == GRUB_UNICODE_NCOMB_MAX) -+ continue; -+ - if (comb_type == GRUB_UNICODE_COMB_MC - || comb_type == GRUB_UNICODE_COMB_ME - || comb_type == GRUB_UNICODE_COMB_MN) -diff --git a/include/grub/unicode.h b/include/grub/unicode.h -index 71a4d1a54..9360b0b97 100644 ---- a/include/grub/unicode.h -+++ b/include/grub/unicode.h -@@ -147,7 +147,9 @@ struct grub_unicode_glyph - grub_uint8_t bidi_level:6; /* minimum: 6 */ - enum grub_bidi_type bidi_type:5; /* minimum: :5 */ - -+#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1) - unsigned ncomb:8; -+ - /* Hint by unicode subsystem how wide this character usually is. - Real width is determined by font. Set only in UTF-8 stream. */ - int estimated_width:8; --- -2.34.1 - 
diff --git a/SPECS/grub2/sbat-4-0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch b/SPECS/grub2/sbat-4-0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch deleted file mode 100644 index f0b92488c61..00000000000 --- a/SPECS/grub2/sbat-4-0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001 -From: Maxim Suhanov -Date: Mon, 28 Aug 2023 16:31:57 +0300 -Subject: [PATCH 1/6] fs/ntfs: Fix an OOB write when parsing the - $ATTRIBUTE_LIST attribute for the $MFT file - -When parsing an extremely fragmented $MFT file, i.e., the file described -using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer -containing bytes read from the underlying drive to store sector numbers, -which are consumed later to read data from these sectors into another buffer. - -These sectors numbers, two 32-bit integers, are always stored at predefined -offsets, 0x10 and 0x14, relative to first byte of the selected entry within -the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. - -However, when parsing a specially-crafted file system image, this may cause -the NTFS code to write these integers beyond the buffer boundary, likely -causing the GRUB memory allocator to misbehave or fail. These integers contain -values which are controlled by on-disk structures of the NTFS file system. - -Such modification and resulting misbehavior may touch a memory range not -assigned to the GRUB and owned by firmware or another EFI application/driver. - -This fix introduces checks to ensure that these sector numbers are never -written beyond the boundary. 
- -Fixes: CVE-2023-4692 - -Reported-by: Maxim Suhanov -Signed-off-by: Maxim Suhanov -Reviewed-by: Daniel Kiper ---- - grub-core/fs/ntfs.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c -index bbdbe24ad..c3c4db117 100644 ---- a/grub-core/fs/ntfs.c -+++ b/grub-core/fs/ntfs.c -@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) - } - if (at->attr_end) - { -- grub_uint8_t *pa; -+ grub_uint8_t *pa, *pa_end; - - at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); - if (at->emft_buf == NULL) -@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) - } - at->attr_nxt = at->edat_buf; - at->attr_end = at->edat_buf + u32at (pa, 0x30); -+ pa_end = at->edat_buf + n; - } - else - { - at->attr_nxt = at->attr_end + u16at (pa, 0x14); - at->attr_end = at->attr_end + u32at (pa, 4); -+ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); - } - at->flags |= GRUB_NTFS_AF_ALST; - while (at->attr_nxt < at->attr_end) -@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) - at->flags |= GRUB_NTFS_AF_GPOS; - at->attr_cur = at->attr_nxt; - pa = at->attr_cur; -+ -+ if ((pa >= pa_end) || (pa_end - pa < 0x18)) -+ { -+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); -+ return NULL; -+ } -+ - grub_set_unaligned32 ((char *) pa + 0x10, - grub_cpu_to_le32 (at->mft->data->mft_start)); - grub_set_unaligned32 ((char *) pa + 0x14, -@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) - { - if (*pa != attr) - break; -+ -+ if ((pa >= pa_end) || (pa_end - pa < 0x18)) -+ { -+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list"); -+ return NULL; -+ } -+ - if (read_attr - (at, pa + 0x10, - u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), --- -2.34.1 - 
diff --git a/SPECS/grub2/sbat-4-0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch b/SPECS/grub2/sbat-4-0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch deleted file mode 100644 index beae88ee410..00000000000 --- a/SPECS/grub2/sbat-4-0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001 -From: Maxim Suhanov -Date: Mon, 28 Aug 2023 16:32:33 +0300 -Subject: [PATCH 2/6] fs/ntfs: Fix an OOB read when reading data from the - resident $DATA attribute - -When reading a file containing resident data, i.e., the file data is stored in -the $DATA attribute within the NTFS file record, not in external clusters, -there are no checks that this resident data actually fits the corresponding -file record segment. - -When parsing a specially-crafted file system image, the current NTFS code will -read the file data from an arbitrary, attacker-chosen memory offset and of -arbitrary, attacker-chosen length. - -This allows an attacker to display arbitrary chunks of memory, which could -contain sensitive information like password hashes or even plain-text, -obfuscated passwords from BS EFI variables. - -This fix implements a check to ensure that resident data is read from the -corresponding file record segment only. 
- -Fixes: CVE-2023-4693 - -Reported-by: Maxim Suhanov -Signed-off-by: Maxim Suhanov -Reviewed-by: Daniel Kiper ---- - grub-core/fs/ntfs.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c -index c3c4db117..a68e173d8 100644 ---- a/grub-core/fs/ntfs.c -+++ b/grub-core/fs/ntfs.c -@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, - { - if (ofs + len > u32at (pa, 0x10)) - return grub_error (GRUB_ERR_BAD_FS, "read out of range"); -- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len); -+ -+ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); -+ -+ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); -+ -+ if (u16at (pa, 0x14) + u32at (pa, 0x10) > -+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) -+ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); -+ -+ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); - return 0; - } - --- -2.34.1 - diff --git a/SPECS/grub2/sbat-4-0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch b/SPECS/grub2/sbat-4-0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch deleted file mode 100644 index 6785d1f0b35..00000000000 --- a/SPECS/grub2/sbat-4-0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 7e5f031a6a6a3decc2360a7b0c71abbe598e7354 Mon Sep 17 00:00:00 2001 -From: Maxim Suhanov -Date: Mon, 28 Aug 2023 16:33:17 +0300 -Subject: [PATCH 3/6] fs/ntfs: Fix an OOB read when parsing directory entries - from resident and non-resident index attributes - -This fix introduces checks to ensure that index entries are never read -beyond the corresponding directory index. - -The lack of this check is a minor issue, likely not exploitable in any way. - -Reported-by: Maxim Suhanov -Signed-off-by: Maxim Suhanov -Reviewed-by: Daniel Kiper ---- - grub-core/fs/ntfs.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c -index a68e173d8..2d78b96e1 100644 ---- a/grub-core/fs/ntfs.c -+++ b/grub-core/fs/ntfs.c -@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len) - } - - static int --list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, -+list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos, - grub_fshelp_iterate_dir_hook_t hook, void *hook_data) - { - grub_uint8_t *np; -@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, - grub_uint8_t namespace; - char *ustr; - -+ if ((pos >= end_pos) || (end_pos - pos < 0x52)) -+ break; -+ - if (pos[0xC] & 2) /* end signature */ - break; - -@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, - ns = *(np++); - namespace = *(np++); - -+ if (2 * ns > end_pos - pos - 0x52) -+ break; -+ - /* - * Ignore files in DOS namespace, as they will reappear as Win32 - * names. 
-@@ -806,7 +812,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, - } - - cur_pos += 0x10; /* Skip index root */ -- ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data); -+ ret = list_file (mft, cur_pos + u16at (cur_pos, 0), -+ at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR), -+ hook, hook_data); - if (ret) - goto done; - -@@ -893,6 +901,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, - (const grub_uint8_t *) "INDX"))) - goto done; - ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)], -+ indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR), - hook, hook_data); - if (ret) - goto done; --- -2.34.1 - diff --git a/SPECS/grub2/sbat-4-0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch b/SPECS/grub2/sbat-4-0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch deleted file mode 100644 index 65718a6f2b8..00000000000 --- a/SPECS/grub2/sbat-4-0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 7a5a116739fa6d8a625da7d6b9272c9a2462f967 Mon Sep 17 00:00:00 2001 -From: Maxim Suhanov -Date: Mon, 28 Aug 2023 16:33:44 +0300 -Subject: [PATCH 4/6] fs/ntfs: Fix an OOB read when parsing bitmaps for index - attributes - -This fix introduces checks to ensure that bitmaps for directory indices -are never read beyond their actual sizes. - -The lack of this check is a minor issue, likely not exploitable in any way. - -Reported-by: Maxim Suhanov -Signed-off-by: Maxim Suhanov -Reviewed-by: Daniel Kiper ---- - grub-core/fs/ntfs.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c -index 2d78b96e1..bb70c89fb 100644 ---- a/grub-core/fs/ntfs.c -+++ b/grub-core/fs/ntfs.c -@@ -843,6 +843,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, - - if (is_resident) - { -+ if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ { -+ grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large"); -+ goto done; -+ } -+ -+ if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ { -+ grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range"); -+ goto done; -+ } -+ -+ if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) > -+ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos) -+ { -+ grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range"); -+ goto done; -+ } -+ - grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14), - bitmap_len); - } --- -2.34.1 - diff --git a/SPECS/grub2/sbat-4-0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch b/SPECS/grub2/sbat-4-0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch deleted file mode 100644 index 5e40dac8764..00000000000 --- a/SPECS/grub2/sbat-4-0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 1fe82c41e070385e273d7bb1cfb482627a3c28e8 Mon Sep 17 00:00:00 2001 -From: Maxim Suhanov -Date: Mon, 28 Aug 2023 16:38:19 +0300 -Subject: [PATCH 5/6] fs/ntfs: Fix an OOB read when parsing a volume label - -This fix introduces checks to ensure that an NTFS volume label is always -read from the corresponding file record segment. - -The current NTFS code allows the volume label string to be read from an -arbitrary, attacker-chosen memory location. However, the bytes read are -always treated as UTF-16LE. So, the final string displayed is mostly -unreadable and it can't be easily converted back to raw bytes. - -The lack of this check is a minor issue, likely not causing a significant -data leak. - -Reported-by: Maxim Suhanov -Signed-off-by: Maxim Suhanov -Reviewed-by: Daniel Kiper ---- - grub-core/fs/ntfs.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c -index bb70c89fb..ff5e3740f 100644 ---- a/grub-core/fs/ntfs.c -+++ b/grub-core/fs/ntfs.c -@@ -1213,13 +1213,29 @@ grub_ntfs_label (grub_device_t device, char **label) - - init_attr (&mft->attr, mft); - pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME); -+ -+ if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ { -+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label"); -+ goto fail; -+ } -+ -+ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16) -+ { -+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label"); -+ goto fail; -+ } -+ - if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10))) - { - int len; - - len = u32at (pa, 0x10) / 2; - pa += u16at (pa, 0x14); -- *label = get_utf8 (pa, len); -+ if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len) -+ *label = get_utf8 (pa, len); -+ else -+ grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label"); - } - - fail: --- -2.34.1 - 
diff --git a/SPECS/grub2/sbat-4-0006-fs-ntfs-Make-code-more-readable.patch b/SPECS/grub2/sbat-4-0006-fs-ntfs-Make-code-more-readable.patch
deleted file mode 100644
index c30fa5b6cdd..00000000000
--- a/SPECS/grub2/sbat-4-0006-fs-ntfs-Make-code-more-readable.patch
+++ /dev/null
@@ -1,159 +0,0 @@ -From e58b870ff926415e23fc386af41ff81b2f588763 Mon Sep 17 00:00:00 2001 -From: Maxim Suhanov -Date: Mon, 28 Aug 2023 16:40:07 +0300 -Subject: [PATCH 6/6] fs/ntfs: Make code more readable - -Move some calls used to access NTFS attribute header fields into -functions with human-readable names. - -Suggested-by: Daniel Kiper -Signed-off-by: Maxim Suhanov -Reviewed-by: Daniel Kiper ---- - grub-core/fs/ntfs.c | 48 +++++++++++++++++++++++++++++++-------------- - 1 file changed, 33 insertions(+), 15 deletions(-) - -diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c -index ff5e3740f..de435aa14 100644 ---- a/grub-core/fs/ntfs.c -+++ b/grub-core/fs/ntfs.c -@@ -52,6 +52,24 @@ u64at (void *ptr, grub_size_t ofs) - return grub_le_to_cpu64 (grub_get_unaligned64 ((char *) ptr + ofs)); - } - -+static grub_uint16_t -+first_attr_off (void *mft_buf_ptr) -+{ -+ return u16at (mft_buf_ptr, 0x14); -+} -+ -+static grub_uint16_t -+res_attr_data_off (void *res_attr_ptr) -+{ -+ return u16at (res_attr_ptr, 0x14); -+} -+ -+static grub_uint32_t -+res_attr_data_len (void *res_attr_ptr) -+{ -+ return u32at (res_attr_ptr, 0x10); -+} -+ - grub_ntfscomp_func_t grub_ntfscomp_func; - - static grub_err_t -@@ -106,7 +124,7 @@ init_attr (struct grub_ntfs_attr *at, struct grub_ntfs_file *mft) - { - at->mft = mft; - at->flags = (mft == &mft->data->mmft) ? 
GRUB_NTFS_AF_MMFT : 0; -- at->attr_nxt = mft->buf + u16at (mft->buf, 0x14); -+ at->attr_nxt = mft->buf + first_attr_off (mft->buf); - at->attr_end = at->emft_buf = at->edat_buf = at->sbuf = NULL; - } - -@@ -154,7 +172,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) - return NULL; - } - -- new_pos = &at->emft_buf[u16at (at->emft_buf, 0x14)]; -+ new_pos = &at->emft_buf[first_attr_off (at->emft_buf)]; - while (*new_pos != 0xFF) - { - if ((*new_pos == *at->attr_cur) -@@ -213,7 +231,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr) - } - else - { -- at->attr_nxt = at->attr_end + u16at (pa, 0x14); -+ at->attr_nxt = at->attr_end + res_attr_data_off (pa); - at->attr_end = at->attr_end + u32at (pa, 4); - pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR); - } -@@ -399,20 +417,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest, - - if (pa[8] == 0) - { -- if (ofs + len > u32at (pa, 0x10)) -+ if (ofs + len > res_attr_data_len (pa)) - return grub_error (GRUB_ERR_BAD_FS, "read out of range"); - -- if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) -+ if (res_attr_data_len (pa) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) - return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large"); - - if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR)) - return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); - -- if (u16at (pa, 0x14) + u32at (pa, 0x10) > -+ if (res_attr_data_off (pa) + res_attr_data_len (pa) > - (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa) - return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range"); - -- grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len); -+ grub_memcpy (dest, pa + res_attr_data_off (pa) + ofs, len); - return 0; - } - -@@ -556,7 +574,7 @@ init_file (struct grub_ntfs_file *mft, grub_uint64_t mftno) - (unsigned long long) mftno); - - if (!pa[8]) -- 
mft->size = u32at (pa, 0x10); -+ mft->size = res_attr_data_len (pa); - else - mft->size = u64at (pa, 0x30); - -@@ -805,7 +823,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, - (u32at (cur_pos, 0x18) != 0x490024) || - (u32at (cur_pos, 0x1C) != 0x300033)) - continue; -- cur_pos += u16at (cur_pos, 0x14); -+ cur_pos += res_attr_data_off (cur_pos); - if (*cur_pos != 0x30) /* Not filename index */ - continue; - break; -@@ -834,7 +852,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, - { - int is_resident = (cur_pos[8] == 0); - -- bitmap_len = ((is_resident) ? u32at (cur_pos, 0x10) : -+ bitmap_len = ((is_resident) ? res_attr_data_len (cur_pos) : - u32at (cur_pos, 0x28)); - - bmp = grub_malloc (bitmap_len); -@@ -855,14 +873,14 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir, - goto done; - } - -- if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) > -+ if (res_attr_data_off (cur_pos) + res_attr_data_len (cur_pos) > - (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos) - { - grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range"); - goto done; - } - -- grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14), -+ grub_memcpy (bmp, cur_pos + res_attr_data_off (cur_pos), - bitmap_len); - } - else -@@ -1226,12 +1244,12 @@ grub_ntfs_label (grub_device_t device, char **label) - goto fail; - } - -- if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10))) -+ if ((pa) && (pa[8] == 0) && (res_attr_data_len (pa))) - { - int len; - -- len = u32at (pa, 0x10) / 2; -- pa += u16at (pa, 0x14); -+ len = res_attr_data_len (pa) / 2; -+ pa += res_attr_data_off (pa); - if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len) - *label = get_utf8 (pa, len); - else --- -2.34.1 - diff --git a/cgmanifest.json b/cgmanifest.json index ce17d6e35f4..85680b5eb22 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
@@ -4860,8 +4860,8 @@
 "type": "other",
 "other": {
 "name": "grub2",
- "version": "2.06",
- "downloadUrl": "https://git.savannah.gnu.org/cgit/grub.git/snapshot/grub-2.06.tar.gz"
+ "version": "2.12",
+ "downloadUrl": "https://git.savannah.gnu.org/cgit/grub.git/snapshot/grub-2.12.tar.gz"
 }
 }
 },
From 79bca29c6fc6ece2d808b0b620a13f8ebcb7c35b Mon Sep 17 00:00:00 2001
From: Henry Beberman
Date: Mon, 17 Jun 2024 09:50:59 -0700
Subject: [PATCH 19/40] Import capnproto and rr specs (#9405)
---
 LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md | 2 +-
 LICENSES-AND-NOTICES/SPECS/data/licenses.json | 2 +
 .../capnproto/capnproto.signatures.json | 5 +
 SPECS-EXTENDED/capnproto/capnproto.spec | 205 +++++++++++++++
 SPECS-EXTENDED/rr/rr.signatures.json | 5 +
 SPECS-EXTENDED/rr/rr.spec | 236 ++++++++++++++++++
 cgmanifest.json | 20 ++
 7 files changed, 474 insertions(+), 1 deletion(-)
 create mode 100644 SPECS-EXTENDED/capnproto/capnproto.signatures.json
 create mode 100644 SPECS-EXTENDED/capnproto/capnproto.spec
 create mode 100644 SPECS-EXTENDED/rr/rr.signatures.json
 create mode 100644 SPECS-EXTENDED/rr/rr.spec
diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
index e64526f55fa..11896048c26 100644
--- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
+++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
@@ -5,7 +5,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic
 | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command
delve
fstrm
nodejs-nodemon
rhnlib
rt-setup
rt-tests
rtctl
tuned |
 | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph |
 | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter |
-| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mozjs
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mozjs
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib | | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json index 68a7a07693f..1192fb20d3a 100644 --- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json +++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json @@ -99,6 +99,7 @@ "cachefilesd", "cairomm", "calamares", + "capnproto", "capstone", "catatonit", "catch", @@ -1904,6 +1905,7 @@ "rpm-mpi-hooks", "rpmdevtools", "rpmlint", + "rr", "rtkit", "rtl-sdr", "ruby-augeas", diff --git a/SPECS-EXTENDED/capnproto/capnproto.signatures.json b/SPECS-EXTENDED/capnproto/capnproto.signatures.json new file mode 100644 index 00000000000..2a788b98b07 --- /dev/null +++ b/SPECS-EXTENDED/capnproto/capnproto.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "capnproto-c++-1.0.1.tar.gz": "0f7f4b8a76a2cdb284fddef20de8306450df6dd031a47a15ac95bc43c3358e09" + } +} diff --git a/SPECS-EXTENDED/capnproto/capnproto.spec b/SPECS-EXTENDED/capnproto/capnproto.spec new file mode 100644 index 00000000000..836dd4869b1 --- /dev/null +++ b/SPECS-EXTENDED/capnproto/capnproto.spec 
@@ -0,0 +1,205 @@ +# Force out of source build +%undefine __cmake_in_source_build + +%global modulename %{name}-c++ + +Name: capnproto +Version: 1.0.1 +Release: 4%{?dist} +Summary: A data interchange format and capability-based RPC system + +License: MIT +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: https://capnproto.org + +Source0: https://capnproto.org/%{modulename}-%{version}.tar.gz + +# We need C++ +BuildRequires: gcc-c++ +BuildRequires: cmake >= 3.1 + +# Ensure that we use matching version of libraries +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description +Cap’n Proto is an insanely fast data interchange format +and capability-based RPC system. Think JSON, except binary. +Or think Protocol Buffers, except faster. In fact, in benchmarks, +Cap’n Proto is INFINITY TIMES faster than Protocol Buffers. + +This package contains the schema compiler and command-line +encoder/decoder tools. + +%package libs +Summary: Libraries for %{name} + +%description libs +The %{name}-libs package contains the libraries for using %{name} +in applications. + +%package devel +Summary: Development files for %{name} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%autosetup -n %{modulename}-%{version} -p2 + +# Disable broken test +## Cf. https://github.com/capnproto/capnproto/issues/1349 +## Cf. 
https://github.com/capnproto/capnproto/issues/1398 +sed -e '/TEST(AsyncIo, AncillaryMessageHandler)/,/^}/s/^/\/\//' -i src/kj/async-io-test.c++ + + +%build +# The tests are randomly failing due to poor sparsing support in the build system +export CFLAGS="%{build_cflags} -DHOLES_NOT_SUPPORTED=1" +export CXXFLAGS="%{build_cxxflags} -DHOLES_NOT_SUPPORTED=1" + +%cmake -DBUILD_TESTING=ON +%cmake_build + + +%check +%ctest + + +%install +%cmake_install +find %{buildroot} -name '*.la' -delete + + +%files +%{_bindir}/capnp +%{_bindir}/capnpc +%{_bindir}/capnpc-c++ +%{_bindir}/capnpc-capnp + +%files libs +%license LICENSE.txt +%{_libdir}/*.so.* + +%files devel +%{_includedir}/* +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_libdir}/cmake/CapnProto/ + +%changelog +* Fri Jun 14 2024 Henry Beberman - 1.0.1-4 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License verified. + +* Tue Jan 23 2024 Fedora Release Engineering - 1.0.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 1.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Sep 08 2023 Neal Gompa - 1.0.1-1 +- Rebase to 1.0.1 + +* Wed Jul 19 2023 Fedora Release Engineering - 0.10.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Feb 28 2023 Mamoru TASAKA - 0.10.3-3 +- Backport upstream fix for missing headers for g++13 +- Backport upstream fix for operator!= removal for C++20 + +* Wed Jan 18 2023 Fedora Release Engineering - 0.10.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 02 2022 Fabio Valentini - 0.10.3-1 +- Update to version 0.10.3 +- Fixes RHBZ#2149787 +- Addresses CVE-2022-46149 + +* Tue Nov 29 2022 Neal Gompa - 0.10.2-1 +- Rebase to 0.10.2 +- Drop backported patch + +* Wed Jul 20 2022 Fedora Release Engineering - 0.9.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Jan 19 2022 Fedora Release 
Engineering - 0.9.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Dec 21 2021 Neal Gompa - 0.9.1-1 +- Rebase to 0.9.1 +- Add patch to fix running tests +- Disable flaky/broken test per upstream guidance + +* Wed Jul 21 2021 Fedora Release Engineering - 0.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 0.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sat Jul 18 2020 Neal Gompa - 0.8.0-1 +- Update to 0.8.0 (#1827443) +- Drop backported patches + +* Thu Mar 12 2020 Neal Gompa - 0.7.0-6 +- Backport patch to fix aliasing violation breaking builds on GCC 10 on ARM (#1807872) +- Disable "DiskFile holes" test to stop build failures + +* Tue Jan 28 2020 Fedora Release Engineering - 0.7.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 0.7.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 0.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 23 2019 Björn Esser - 0.7.0-2 +- Append curdir to CMake invokation. 
(#1668512) + +* Sun Sep 23 2018 Neal Gompa - 0.7.0-1 +- Update to 0.7.0 +- Drop upstreamed patches +- Drop obsolete ldconfig scriptlets + +* Thu Jul 12 2018 Fedora Release Engineering - 0.6.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Feb 07 2018 Fedora Release Engineering - 0.6.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sun Aug 06 2017 Björn Esser - 0.6.1-6 +- Rebuilt for AutoReq cmake-filesystem + +* Wed Aug 02 2017 Fedora Release Engineering - 0.6.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.6.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jun 09 2017 Neal Gompa - 0.6.1-3 +- Update patch based on upstream feedback + +* Fri Jun 09 2017 Neal Gompa - 0.6.1-2 +- Adjust soversion patch to maintain binary compat across patch versions + +* Fri Jun 09 2017 Neal Gompa - 0.6.1-1 +- Update to 0.6.1 + +* Mon Feb 27 2017 Neal Gompa - 0.5.3-4 +- Add patch to fix FTBFS with GCC 7 (#1423291) + +* Fri Feb 10 2017 Fedora Release Engineering - 0.5.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Apr 28 2016 Neal Gompa - 0.5.3-2 +- Add patches to fix ppc builds + +* Tue Apr 26 2016 Neal Gompa - 0.5.3-1 +- Initial packaging diff --git a/SPECS-EXTENDED/rr/rr.signatures.json b/SPECS-EXTENDED/rr/rr.signatures.json new file mode 100644 index 00000000000..98b5c7e7f5d --- /dev/null +++ b/SPECS-EXTENDED/rr/rr.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "rr-5.8.0.tar.gz": "8b162a3340a6ddb29170b359fe0f2e023f86a9bfea035555b74d38d9fc5e0c00" + } +} diff --git a/SPECS-EXTENDED/rr/rr.spec b/SPECS-EXTENDED/rr/rr.spec new file mode 100644 index 00000000000..a6a7742372a --- /dev/null +++ b/SPECS-EXTENDED/rr/rr.spec 
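Review bot: Nothing in `capnproto.spec` or its changelog shows that 1.0.1 was checked against upstream's security advisories before the import; `Version:` and the tarball hash are taken over from Fedora 41 unchanged. The library decodes messages from untrusted peers, and the changelog itself records an earlier CVE-driven update (0.10.3 for CVE-2022-46149), so it is worth confirming whether upstream has published a later fix release on the 1.0 line. If it has, bump `Version:`, the hash in `capnproto.signatures.json` and the `cgmanifest.json` entry together. A smaller point: this spec declares no patches, so the `-p2` on `%autosetup` can be dropped.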
@@ -0,0 +1,236 @@ +# Force out of source build +%undefine __cmake_in_source_build + +%global commit da33770d22b404d7333e46e26495eaca0c5a6d8a +%global gittag 5.8.0 +%global shortcommit %(c=%{commit}; echo ${c:0:7}) + +ExclusiveArch: %{ix86} x86_64 aarch64 + +# Disable 32-bit builds on architectures with multilibs +# to avoid attempting pulling in 32-bit in to koji build. +%ifarch x86_64 +%global disable32bit -Ddisable32bit=ON +%endif +Summary: Tool to record and replay execution of applications +Name: rr +Version: 5.8.0 +Release: 2%{?dist} +# The entire source code is MIT with the exceptions of +# files in following directories: +# third-party/blake2 CC0 +# third-party/gdb BSD +# third-party/proc-service BSD +# third-party/zen-pmu-workaround GPLv2 +License: MIT and CC0 and BSD and GPLv2 +Vendor: Microsoft Corporation +Distribution: Azure Linux +URL: http://rr-project.org + +Source: https://github.com/rr-debugger/rr/archive/%{gittag}/%{name}-%{version}.tar.gz + +%if 0%{?rhel} == 7 +BuildRequires: cmake3 +BuildRequires: python36-pexpect +%else +BuildRequires: cmake +BuildRequires: python3-pexpect +%endif +BuildRequires: python3 +BuildRequires: make gcc gcc-c++ gdb +BuildRequires: libgcc +BuildRequires: glibc-devel +BuildRequires: libstdc++-devel +BuildRequires: man-pages +BuildRequires: capnproto capnproto-libs capnproto-devel +BuildRequires: patchelf +BuildRequires: zlib-devel + +%description +rr is a lightweight tool for recording and replaying execution +of applications (trees of processes and threads). +For more information, please visit http://rr-project.org + +%package testsuite +Summary: Testsuite for checking rr functionality +Requires: rr +Requires: gdb +Requires: python3 +%if 0%{?rhel} == 7 +Requires: python36-pexpect +Requires: cmake3 +%else +Requires: python3-pexpect +Requires: cmake +%endif +%description testsuite +rr-testsuite includes compiled test binaries and other files +which are used to test the functionality of rr. 
+ +%prep +%autosetup -p1 -n rr-%{gittag} + +%build +%if 0%{?rhel} == 7 +%cmake3 -DCMAKE_BUILD_TYPE=Release -DINSTALL_TESTSUITE=ON %{?disable32bit} +%cmake3_build +%else +%cmake -DCMAKE_BUILD_TYPE=Release -DINSTALL_TESTSUITE=ON %{?disable32bit} +%cmake_build +%endif + +%install +%if 0%{?rhel} == 7 +%cmake3_install +%else +%cmake_install +%endif + +rm -rf %{buildroot}%{_datadir}/rr/src + +# Using a small hack from the Dyninst testsuite which changes file permissions +# to prevent any stripping of debugging information. This is done for libraries +# and executables used by the testsuite. +find %{buildroot}%{_libdir}/rr/testsuite/obj/bin \ + -type f -name '*' -execdir chmod 644 '{}' '+' + +find %{buildroot}%{_libdir} \ + -type f -name '*.so' -execdir chmod 644 '{}' '+' + +# Some files contain invalid RPATHS. +patchelf --set-rpath '%{_libdir}/rr/' %{buildroot}%{_libdir}/rr/testsuite/obj/bin/constructor +patchelf --set-rpath '%{_libdir}/rr/' %{buildroot}%{_libdir}/rr/testsuite/obj/bin/step_into_lib + +%files +%dir %{_libdir}/rr +%{_libdir}/rr/*.so +%exclude %{_libdir}/rr/libtest_lib*.so +%{_bindir}/rr +%{_bindir}/rr_exec_stub* +%{_bindir}/signal-rr-recording.sh +%{_bindir}/rr-collect-symbols.py +%{_datadir}/bash-completion/completions/rr +%dir %{_datadir}/rr +%{_datadir}/rr/*.xml + +%attr(755,root,root) %{_libdir}/rr/*.so + +%files testsuite +%{_libdir}/rr/libtest_lib*.so +%dir %{_libdir}/rr/testsuite +%{_libdir}/rr/testsuite/* + +%attr(755,root,root) %{_libdir}/rr/libtest_lib*.so +%attr(755,root,root) %{_libdir}/rr/testsuite/obj/bin/* + +%license LICENSE + +%changelog +* Fri Jun 14 2024 Henry Beberman - 5.8.0-2 +- Initial Azure Linux import from Fedora 41 (license: MIT). +- License verified. + +* Mon May 20 2024 William Cohen - 5.8.0-1 +- Rebase to rr-5.8.0. 
+ +* Fri Jan 26 2024 Fedora Release Engineering - 5.7.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 5.7.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Oct 4 2023 William Cohen - 5.7.0-9 +- Rebase to rr-5.7.0. + +* Tue Sep 12 2023 William Cohen - 5.6.0-8 +- Rebuild for capnproto 1.0.1 + +* Fri Sep 08 2023 Neal Gompa - 5.6.0-7 +- Rebuild for capnproto 1.0.1 + +* Fri Jul 21 2023 Fedora Release Engineering - 5.6.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed Jan 18 2023 William Cohen - 5.6.0-5 +- Fix FTBFS issue with gcc-13. + +* Sat Dec 3 2022 Florian Weimer - 5.6.0-4 +- Avoid implicit function declaration in test (C99 compatibility) + +* Fri Dec 02 2022 Fabio Valentini - 5.6.0-3 +- Rebuild for capnproto 0.10.3 / CVE-2022-46149 + +* Tue Nov 29 2022 Neal Gompa - 5.6.0-2 +- Rebuild for capnproto 0.10.2 + +* Mon Aug 8 2022 William Cohen - 5.6.0-1 +- Rebase to rr-5.6.0. + +* Fri Aug 5 2022 William Cohen - 5.5.0-5.20220805gitda33770 +- Sync with upstream branch master, + commit da33770d22b404d7333e46e26495eaca0c5a6d8a. + +* Sat Jul 23 2022 Fedora Release Engineering - 5.5.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Fri Jan 21 2022 Fedora Release Engineering - 5.5.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Dec 21 2021 Neal Gompa - 5.5.0-2 +- Rebuild for capnproto 0.9.1 + +* Mon Sep 20 2021 William Cohen - 5.5.0-1 +- Rebase to rr-5.5.0. + +* Thu Jul 29 2021 William Cohen - 5.4.0-4 +- Fix FTBFS (rhbz#1987924) + +* Fri Jul 23 2021 Fedora Release Engineering - 5.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jan 27 2021 Fedora Release Engineering - 5.4.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Nov 2 2020 William Cohen - 5.4.0-1 +- Rebase to rr-5.4.0. 
+ +* Fri Aug 28 2020 Sagar Patel - 5.3.0-19.20200828gitb53e4d9 +- Sync with upstream branch master, + commit b53e4d990b873e1b57284994ad7a65f3626880f5. +- Fix package requirements for rr-testsuite. +- Note: There is an issue causing rr to hang on RHEL7 (RHBZ#1873266). +- Note: There are some pathing issues with rr-testsuite. + +* Wed Jul 29 2020 Fedora Release Engineering - 5.3.0-17.20200427gitbab9ca9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sat Jul 18 2020 Neal Gompa - 5.3.0-16.20200427gitbab9ca9 +- Rebuilt for capnproto 0.8.0 again + +* Sat Jul 18 2020 Neal Gompa - 5.3.0-15.20200427gitbab9ca9 +- Rebuilt for capnproto 0.8.0 + +* Mon Apr 27 2020 Sagar Patel 14.20200427gitbab9ca9 +- Sync with upstream branch master, + commit bab9ca94fc03d893cf6b8bf58f7b4522a0113466. +- Build failures from the previous release are now fixed. + +* Fri Apr 24 2020 Sagar Patel 13.20200424gitcf5169b +- Sync with upstream branch master, + commit cf5169bb3e29ce9db4a73e26164bec0e92b083fb. +- Introduces support for installable testsuite. + +* Mon Feb 24 2020 Sagar Patel 11.20200224git4513b23 +- Sync with upstream branch master, + commit 4513b23c8092097dc42c73f3cbaf4cfaebd04efe. +- New patches enable rr to be built on older compilers. + +* Thu Feb 13 2020 Sagar Patel 10.20200213gitabd3442 +- Sync with upstream branch master, + commit abd344288878c9b4046e0b8664927992947a46eb. +- New patches enable rr to be built on RHEL7.2 and later. + +* Tue Jan 14 2020 William Cohen 5.3.0-8.20200124git7908fea +- Sync with upstream branch master, + commit 70ba28f7ab2923d4e36ffc9d5d2e32357353b25c. +- SRPM buildable on Fedora koji or other rpm build systems. diff --git a/cgmanifest.json b/cgmanifest.json index 85680b5eb22..dcc84bfeb87 100644 --- a/cgmanifest.json +++ b/cgmanifest.json 
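Review bot: `%license LICENSE` is placed under `%files testsuite`, so the main `rr` package installs without a license file even though its `License:` tag lists MIT, CC0, BSD and GPLv2 code; move the line into the main `%files` list. `%global commit` and `%global shortcommit` near the top look like leftovers, since `Source:` is built from `%{gittag}` only and `shortcommit` runs a `%(...)` shell expansion at parse time for nothing; both can be removed. `URL: http://rr-project.org` could use `https://` if the site serves it.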
@@ -1432,6 +1432,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "capnproto", + "version": "1.0.1", + "downloadUrl": "https://capnproto.org/capnproto-c++-1.0.1.tar.gz" + } + } + }, { "component": { "type": "other", @@ -25699,6 +25709,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "rr", + "version": "5.8.0", + "downloadUrl": "https://github.com/rr-debugger/rr/archive/5.8.0/rr-5.8.0.tar.gz" + } + } + }, { "component": { "type": "other", From 5463f3ab6f9b267f654b7599f594fa4e2b911cfc Mon Sep 17 00:00:00 2001 From: Mitch Zhu Date: Mon, 17 Jun 2024 11:12:28 -0700 Subject: [PATCH 20/40] kata-containers(-cc): enable sandbox_cgroup_only to support cgroupv2 (#9417) --- SPECS/kata-containers-cc/kata-containers-cc.spec | 6 +++++- SPECS/kata-containers/kata-containers.spec | 9 +++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec index 48d6bb56d8b..9d0490a9f17 100644 --- a/SPECS/kata-containers-cc/kata-containers-cc.spec +++ b/SPECS/kata-containers-cc/kata-containers-cc.spec @@ -1,6 +1,7 @@ %global virtiofsd_binary virtiofsd %global runtime_make_vars DEFMEMSZ=256 \\\ + DEFSANDBOXCGROUPONLY=true \\\ DEFSTATICSANDBOXWORKLOADMEM=1792 \\\ DEFSNPGUEST=true \\\ DEFVIRTIOFSDAEMON=%{_libexecdir}/"%{virtiofsd_binary}" \\\ @@ -13,7 +14,7 @@ Name: kata-containers-cc Version: 3.2.0.azl2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Kata Confidential Containers package developed for Confidential Containers on AKS License: ASL 2.0 Vendor: Microsoft Corporation 
@@ -288,6 +289,9 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu %changelog +* Mon Jun 17 2024 Mitch Zhu 3.2.0.azl2-2 +- Enable sandbox_cgroup_only configuration + * Wed May 29 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-1 - Auto-upgrade to 3.2.0.azl2 - Update cloud-hypervisor-snp symlink to also point to /usr/bin/cloud-hypervisor diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec index 9022ebbbc43..370103b08ec 100644 --- a/SPECS/kata-containers/kata-containers.spec +++ b/SPECS/kata-containers/kata-containers.spec @@ -23,8 +23,9 @@ # DEFAULT_HYPERVISOR: makes configuration.toml link to configuration-clh.toml. %global runtime_make_vars KERNELTYPE="compressed" \\\ - KERNELPARAMS="systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0" \\\ + KERNELPARAMS="" \\\ DEFVIRTIOFSDAEMON=%{_libexecdir}/"virtiofsd" \\\ + DEFSANDBOXCGROUPONLY=true \\\ DEFSTATICRESOURCEMGMT_CLH=true \\\ DEFSTATICSANDBOXWORKLOADMEM=1792 \\\ DEFMEMSZ=256 \\\ @@ -39,7 +40,7 @@ Summary: Kata Containers Name: kata-containers Version: 3.2.0.azl2 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation URL: https://github.com/microsoft/kata-containers @@ -215,6 +216,10 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu %changelog +* Mon Jun 17 2024 Mitch Zhu 3.2.0.azl2-2 +- Enable sandbox_cgroup_only configuration +- Remove cgroupv1 kernel parameters + * Wed May 29 2024 CBL-Mariner Servicing Account - 3.2.0.azl2-1 - Auto-upgrade to 3.2.0.azl2 From 7d8b2b2321c0871267d810ae4abe7223bcb72d65 Mon Sep 17 00:00:00 2001 
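Review bot: `DEFSANDBOXCGROUPONLY=true` is added to `runtime_make_vars` in `kata-containers.spec` without a matching entry in the comment list above the macro, which explains the other variables (the visible entry is `# DEFAULT_HYPERVISOR: ...`; the list starts outside the hunk). I would add `# DEFSANDBOXCGROUPONLY: sets sandbox_cgroup_only=true so the whole sandbox runs in one cgroup, needed on cgroup v2 hosts.` there. With this setting the VMM and helper processes are presumably charged to the pod's cgroup, so a note on whether pod overhead must be configured would help operators. `KERNELPARAMS=""` is now an empty assignment; drop the line or say in a comment why it stays. The same flag is added in `kata-containers-cc.spec`, also without a comment.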
From: Daniel McIlvaney Date: Mon, 17 Jun 2024 13:46:57 -0700 Subject: [PATCH 21/40] Fix ordering issues with new preview repo handling in derivative builds (#9400) --- toolkit/scripts/preview.mk | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/toolkit/scripts/preview.mk b/toolkit/scripts/preview.mk index 0b8e0e44e49..e2e5f8081c4 100644 --- a/toolkit/scripts/preview.mk +++ b/toolkit/scripts/preview.mk @@ -18,20 +18,24 @@ preview_repo_source := $(PROJECT_ROOT)/SPECS/azurelinux-repos/azurelinux-officia # Stop immediately if the preview repo file is missing and cannot be created. ifeq ($(wildcard $(preview_repo_source))$(wildcard $(preview_repo)),) - $(warning ) - $(warning ######################### ERROR #########################) - $(warning 'USE_PREVIEW_REPO=y' is set but all of the following failed:) - $(warning - packaged default '$(preview_repo)' is missing) - $(warning - backup source '$(preview_repo_source)' is missing) - $(warning ######################### ERROR #########################) - $(error ) + $(warning ) + $(warning ######################### ERROR #########################) + $(warning 'USE_PREVIEW_REPO=y' is set but all of the following failed:) + $(warning - packaged default '$(preview_repo)' is missing) + $(warning - backup source '$(preview_repo_source)' is missing) + $(warning ######################### ERROR #########################) + $(error ) endif -# Copy the preview repo file to the expected repo location. +# Copy the preview repo file to the expected repo location, but only if we have a target to copy from. +ifeq ($(wildcard $(preview_repo_source)),) +$(preview_repo): ; +else $(preview_repo): $(preview_repo_source) @echo "Regenerating preview repo file from '$<' to '$@'" mkdir -p $(dir $@) cp $< $@ +endif ######## VARIABLE CONFIGURATION ######## From 2df8b96f7837e9aca5388305cd5bde116a77b35f Mon Sep 17 00:00:00 2001 
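Review bot: In the new `ifeq ($(wildcard $(preview_repo_source)),)` branch the rule `$(preview_repo): ;` accepts whatever file already sits at `$(preview_repo)` without saying so, and that file decides which package repositories the build pulls from. A parse-time message in that branch would make the fallback visible in build logs: `$(info Preview repo source '$(preview_repo_source)' not found, using existing '$(preview_repo)')`. The comment above the rule could also state that the packaged default is used as-is in derivative builds.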
From: Henry Li <69694695+henryli001@users.noreply.github.com> Date: Mon, 17 Jun 2024 19:32:27 -0500 Subject: [PATCH 22/40] [3.0] Fix and upgrade nvidia-container-toolkit and libnvidia-container (#9403) Co-authored-by: Henry Li --- .../libnvidia-container.signatures.json | 4 ++-- SPECS/libnvidia-container/libnvidia-container.spec | 11 +++++++---- SPECS/libnvidia-container/nvidia-modprobe.patch | 8 +++++--- .../nvidia-container-toolkit.signatures.json | 4 ++-- .../nvidia-container-toolkit.spec | 13 ++++++++----- cgmanifest.json | 12 ++++++------ 6 files changed, 30 insertions(+), 22 deletions(-) diff --git a/SPECS/libnvidia-container/libnvidia-container.signatures.json b/SPECS/libnvidia-container/libnvidia-container.signatures.json index 9f105c4e525..2530cd6a1e3 100644 --- a/SPECS/libnvidia-container/libnvidia-container.signatures.json +++ b/SPECS/libnvidia-container/libnvidia-container.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "libnvidia-container-1.14.4.tar.gz": "074cf994e9190034f3a35f1247d3b0983633ccd3a00cb27f329ac3471cbb388f", - "nvidia-modprobe-495.44.tar.gz": "ae6e9c7e6b43368945c28f6b8b6d0d7cc36ee7e1be8955a009a1cb189e46de92" + "libnvidia-container-1.15.0.tar.gz": "6633fcadadb6b8d517e2859f4edd9b20cbb3702d7b3b7c4ac41617ca9891d1b9", + "nvidia-modprobe-550.54.14.tar.gz": "5687b0dfa6087dd480ae91e91ff1dca975794e35a2edcf9ec08d8f9cb98ef905" } } \ No newline at end of file diff --git a/SPECS/libnvidia-container/libnvidia-container.spec b/SPECS/libnvidia-container/libnvidia-container.spec index 876b35c662e..c00bae02bef 100644 --- a/SPECS/libnvidia-container/libnvidia-container.spec +++ b/SPECS/libnvidia-container/libnvidia-container.spec 
@@ -1,9 +1,9 @@ -%define modprobe_version 495.44 +%define modprobe_version 550.54.14 %define _major 1 %define mod_probe_dir deps/src/nvidia-modprobe-%{modprobe_version} Summary: NVIDIA container runtime library Name: libnvidia-container -Version: 1.14.4 +Version: 1.15.0 Release: 1%{?dist} License: BSD AND ASL2.0 AND GPLv3+ AND LGPLv3+ AND MIT AND GPLv2 Vendor: Microsoft Corporation @@ -40,8 +40,8 @@ touch %{mod_probe_dir}/.download_stamp %build sed -i 's/^MAJOR[[:space:]]*:=.*$/MAJOR := 1/' versions.mk -sed -i 's/^MINOR[[:space:]]*:=.*$/MINOR := 14/' versions.mk -sed -i 's/^PATCH[[:space:]]*:=.*$/PATCH := 4/' versions.mk +sed -i 's/^MINOR[[:space:]]*:=.*$/MINOR := 15/' versions.mk +sed -i 's/^PATCH[[:space:]]*:=.*$/PATCH := 0/' versions.mk %make_build WITH_LIBELF=yes %install @@ -135,6 +135,9 @@ This package contains command-line tools that facilitate using the library. %{_bindir}/* %changelog +* Fri Jun 07 2024 Henry Li - 1.15.0-1 +- Upgrade to version 1.15.0 + * Fri Apr 16 2024 Henry Li - 1.14.4-1 - Upgrade to version 1.14.4 - Add external specification of package versioning to build diff --git a/SPECS/libnvidia-container/nvidia-modprobe.patch b/SPECS/libnvidia-container/nvidia-modprobe.patch index d99a17488a0..b5450f6afe3 100644 --- a/SPECS/libnvidia-container/nvidia-modprobe.patch +++ b/SPECS/libnvidia-container/nvidia-modprobe.patch @@ -1,7 +1,7 @@ diff -ruN nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.c nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.c --- nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.c 2021-11-13 14:36:58.096684602 +0000 +++ nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.c 2021-11-13 14:43:40.965146390 +0000 -@@ -888,10 +888,10 @@ +@@ -959,10 +959,10 @@ return mknod_helper(major, minor_num, vgpu_dev_name, NV_PROC_REGISTRY_PATH); } 
@@ -19,11 +19,13 @@ diff -ruN nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.c nvidia-m diff -ruN nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.h nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.h --- nvidia-modprobe-495.44/modprobe-utils/nvidia-modprobe-utils.h 2021-11-13 14:36:58.096684602 +0000 +++ nvidia-modprobe-495.44-patched/modprobe-utils/nvidia-modprobe-utils.h 2021-11-13 14:38:34.078700961 +0000 -@@ -81,6 +81,7 @@ +@@ -87,6 +87,7 @@ int nvidia_nvswitch_get_file_state(int minor); int nvidia_cap_mknod(const char* cap_file_path, int *minor); int nvidia_cap_get_file_state(const char* cap_file_path); +int nvidia_cap_get_device_file_attrs(const char* cap_file_path, int *major, int *minor, char *name); + int nvidia_cap_imex_channel_mknod(int minor); + int nvidia_cap_imex_channel_file_state(int minor); int nvidia_get_chardev_major(const char *name); int nvidia_msr_modprobe(void); - + \ No newline at end of file diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json index 2e373022d88..61905ef9d8d 100644 --- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "nvidia-container-toolkit-1.14.4-vendor.tar.gz": "5c4f1ba9c6e3cacc1002ece40c93928f8836824532f5e0b8c6bcea2322dc3123", - "nvidia-container-toolkit-1.14.4.tar.gz": "bc490ec639cda474ee5876349bf686411107301c666a246d4a58045b3332c6eb" + "nvidia-container-toolkit-1.15.0-vendor.tar.gz": "bf7f794e9ec7be779707c4ef9ea5bd813f767b49a76729115716110dafa1b7c2", + "nvidia-container-toolkit-1.15.0.tar.gz": "9ecf53ffce76404de6717745a55b82d40d3217b43c1ab27acc7d8b15238b6edc" } } diff --git a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec index 95c3586f1a0..b319af17039 100644 
--- a/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec +++ b/SPECS/nvidia-container-toolkit/nvidia-container-toolkit.spec @@ -1,7 +1,7 @@ %global debug_package %{nil} Summary: NVIDIA container runtime hook Name: nvidia-container-toolkit -Version: 1.14.4 +Version: 1.15.0 Release: 1%{?dist} License: ALS2.0 Vendor: Microsoft Corporation @@ -65,13 +65,12 @@ install -m 755 -t %{buildroot}%{_bindir} nvidia-container-runtime-hook install -m 755 -t %{buildroot}%{_bindir} nvidia-container-runtime install -m 755 -t %{buildroot}%{_bindir} nvidia-ctk -mkdir -p %{buildroot}%{_sysconfdir}/nvidia-container-runtime -mkdir -p %{buildroot}%{_libexecdir}/oci/hooks.d -mkdir -p %{buildroot}%{_datadir}/containers/oci/hooks.d - %posttrans ln -sf %{_bindir}/nvidia-container-runtime-hook %{_bindir}/nvidia-container-toolkit +# Generate the default config; If this file already exists no changes are made. +%{_bindir}/nvidia-ctk --quiet config --config-file=%{_sysconfdir}/nvidia-container-runtime/config.toml --in-place + %postun rm -f %{_bindir}/nvidia-container-toolkit @@ -85,6 +84,10 @@ rm -f %{_bindir}/nvidia-container-toolkit %{_bindir}/nvidia-ctk %changelog +* Fri Jun 07 2024 Henry Li - 1.15.0-1 +- Upgrade to version 1.15.0 +- Generate config.toml file during %posttrans + * Mon Feb 05 2024 Bala - 1.14.4-1 - Upgrade to version 1.14.4 - Remove config and oci hooks from files as they are handled in post-install from v1.14.0 diff --git a/cgmanifest.json b/cgmanifest.json index dcc84bfeb87..37779cbc2cd 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -10331,8 +10331,8 @@ "type": "other", "other": { "name": "libnvidia-container", - "version": "1.14.4", - "downloadUrl": "https://github.com/NVIDIA/libnvidia-container/archive/v1.14.4.tar.gz" + "version": "1.15.0", + "downloadUrl": "https://github.com/NVIDIA/libnvidia-container/archive/v1.15.0.tar.gz" } } }, 
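Review bot: The `%posttrans` call to `nvidia-ctk ... --in-place` creates `%{_sysconfdir}/nvidia-container-runtime/config.toml` as root at install time, but the same hunk deletes the `mkdir -p %{buildroot}%{_sysconfdir}/nvidia-container-runtime` line and the visible part of `%files` does not list the file, so RPM neither owns nor verifies the runtime's configuration (the full `%files` list is outside the hunk). Keeping the `mkdir -p` and adding `%dir %{_sysconfdir}/nvidia-container-runtime` plus `%ghost %config(noreplace) %{_sysconfdir}/nvidia-container-runtime/config.toml` to `%files` would give the directory and the file package ownership and a recorded mode. The scriptlet also has no fallback if `nvidia-ctk` exits non-zero; ending the line with `|| :` keeps the transaction clean.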
@@ -14292,8 +14292,8 @@ "type": "other", "other": { "name": "nvidia-container-toolkit", - "version": "1.14.4", - "downloadUrl": "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.14.4.tar.gz" + "version": "1.15.0", + "downloadUrl": "https://github.com/NVIDIA/nvidia-container-toolkit/archive/v1.15.0.tar.gz" } } }, @@ -14302,8 +14302,8 @@ "type": "other", "other": { "name": "nvidia-modprobe", - "version": "495.44", - "downloadUrl": "https://github.com/NVIDIA/nvidia-modprobe/archive/495.44.tar.gz" + "version": "550.54.14", + "downloadUrl": "https://github.com/NVIDIA/nvidia-modprobe/archive/550.54.14.tar.gz" } } }, From c025a0c6e0175b2cedb7b4b6cfee7cded4cd19c7 Mon Sep 17 00:00:00 2001 
From: nicolas guibourge Date: Tue, 18 Jun 2024 14:55:17 -0700 Subject: [PATCH 23/40] glibc - Address CVE-2023-4911, CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780 (#9423) Co-authored-by: CBL-Mariner Servicing Account --- SPECS-EXTENDED/buildah/buildah.spec | 2 +- SPECS-EXTENDED/catatonit/catatonit.spec | 2 +- SPECS-EXTENDED/dyninst/dyninst.spec | 2 +- SPECS-EXTENDED/podman/podman.spec | 2 +- SPECS/busybox/busybox.spec | 2 +- SPECS/flannel/flannel.spec | 2 +- SPECS/glibc/CVE-2023-4806.patch | 1995 ----------------- SPECS/glibc/CVE-2023-4911.patch | 73 +- SPECS/glibc/CVE-2023-5156.patch | 111 +- ...023-6246-CVE-2023-6779-CVE-2023-6780.patch | 158 ++ SPECS/glibc/glibc.spec | 9 +- SPECS/kubernetes/kubernetes.spec | 2 +- SPECS/kubevirt/kubevirt.spec | 2 +- SPECS/libguestfs/libguestfs.spec | 2 +- SPECS/mdadm/mdadm.spec | 2 +- SPECS/qemu/qemu.spec | 2 +- SPECS/rust/rust.spec | 2 +- SPECS/supermin/supermin.spec | 2 +- SPECS/tini/tini.spec | 2 +- .../manifests/package/pkggen_core_aarch64.txt | 16 +- .../manifests/package/pkggen_core_x86_64.txt | 16 +- .../manifests/package/toolchain_aarch64.txt | 20 +- .../manifests/package/toolchain_x86_64.txt | 20 +- 23 files changed, 256 insertions(+), 2190 deletions(-) delete mode 100644 SPECS/glibc/CVE-2023-4806.patch create mode 100644 SPECS/glibc/CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch diff --git a/SPECS-EXTENDED/buildah/buildah.spec b/SPECS-EXTENDED/buildah/buildah.spec index 759b23f6cb7..ae8713ec4b7 100644 --- a/SPECS-EXTENDED/buildah/buildah.spec +++ b/SPECS-EXTENDED/buildah/buildah.spec @@ -32,7 +32,7 @@ BuildRequires: btrfs-progs-devel BuildRequires: device-mapper-devel BuildRequires: git BuildRequires: glib2-devel -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: go-md2man BuildRequires: go-rpm-macros BuildRequires: golang 
diff --git a/SPECS-EXTENDED/catatonit/catatonit.spec b/SPECS-EXTENDED/catatonit/catatonit.spec index acb4f70a73d..3a766166714 100644 --- a/SPECS-EXTENDED/catatonit/catatonit.spec +++ b/SPECS-EXTENDED/catatonit/catatonit.spec @@ -13,7 +13,7 @@ BuildRequires: automake BuildRequires: file BuildRequires: gcc BuildRequires: git -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: libtool BuildRequires: make diff --git a/SPECS-EXTENDED/dyninst/dyninst.spec b/SPECS-EXTENDED/dyninst/dyninst.spec index 511ecf4baaf..2448eecd356 100644 --- a/SPECS-EXTENDED/dyninst/dyninst.spec +++ b/SPECS-EXTENDED/dyninst/dyninst.spec @@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel # Extra requires just for the testsuite BuildRequires: gcc-gfortran libstdc++-static libxml2-devel -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} # Testsuite files should not provide/require anything %{?filter_setup: diff --git a/SPECS-EXTENDED/podman/podman.spec b/SPECS-EXTENDED/podman/podman.spec index 525690b6b8f..add84212ce4 100644 --- a/SPECS-EXTENDED/podman/podman.spec +++ b/SPECS-EXTENDED/podman/podman.spec @@ -50,7 +50,7 @@ BuildRequires: go-md2man BuildRequires: golang BuildRequires: gcc BuildRequires: glib2-devel -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: git BuildRequires: go-rpm-macros BuildRequires: gpgme-devel diff --git a/SPECS/busybox/busybox.spec b/SPECS/busybox/busybox.spec index a45ecb0906b..dc320f6e41b 100644 --- a/SPECS/busybox/busybox.spec +++ b/SPECS/busybox/busybox.spec @@ -12,7 +12,7 @@ Source2: busybox-petitboot.config Patch0: busybox-1.31.1-stime-fix.patch Patch1: CVE-2022-28391.patch BuildRequires: gcc -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: libselinux-devel >= 1.27.7-2 BuildRequires: libsepol-devel %if 0%{?with_check} 
diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec index b6886979760..46c1119df8d 100644 --- a/SPECS/flannel/flannel.spec +++ b/SPECS/flannel/flannel.spec @@ -13,7 +13,7 @@ Source0: https://github.com/flannel-io/%{name}/archive/refs/tags/v%{versi Source1: %{name}-%{version}-vendor.tar.gz BuildRequires: gcc BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: golang >= 1.20 BuildRequires: kernel-headers diff --git a/SPECS/glibc/CVE-2023-4806.patch b/SPECS/glibc/CVE-2023-4806.patch deleted file mode 100644 index 276e7275f4c..00000000000 --- a/SPECS/glibc/CVE-2023-4806.patch +++ /dev/null 
@@ -1,1995 +0,0 @@ -From e3ccb230a961b4797510e6a1f5f21fd9021853e7 Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar -Date: Fri, 15 Sep 2023 13:51:12 -0400 -Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname - (CVE-2023-4806) - -When an NSS plugin only implements the _gethostbyname2_r and -_getcanonname_r callbacks, getaddrinfo could use memory that was freed -during tmpbuf resizing, through h_name in a previous query response. - -The backing store for res->at->name when doing a query with -gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in -gethosts during the query. For AF_INET6 lookup with AI_ALL | -AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second -for a v4 lookup. In this case, if the first call reallocates tmpbuf -enough number of times, resulting in a malloc, th->h_name (that -res->at->name refers to) ends up on a heap allocated storage in tmpbuf. -Now if the second call to gethosts also causes the plugin callback to -return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF -reference in res->at->name. This then gets dereferenced in the -getcanonname_r plugin call, resulting in the use after free. - -Fix this by copying h_name over and freeing it at the end. This -resolves BZ #30843, which is assigned CVE-2023-4806. 
- -Signed-off-by: Siddhesh Poyarekar -(cherry picked from commit 973fe93a5675c42798b2161c6f29c01b0e243994) ---- - nss/Makefile | 15 ++++- - nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ - nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ - nss/tst-nss-gai-hv2-canonname.h | 1 + - .../postclean.req | 0 - .../tst-nss-gai-hv2-canonname.script | 2 + - sysdeps/posix/getaddrinfo.c | 25 +++++--- - 7 files changed, 152 insertions(+), 10 deletions(-) - create mode 100644 nss/nss_test_gai_hv2_canonname.c - create mode 100644 nss/tst-nss-gai-hv2-canonname.c - create mode 100644 nss/tst-nss-gai-hv2-canonname.h - create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req - create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script - -diff -ruN a/nss/Makefile b/nss/Makefile ---- a/nss/Makefile 2022-02-02 21:27:54.000000000 -0800 -+++ b/nss/Makefile 2023-10-03 16:02:01.212592232 -0700 -@@ -69,7 +69,8 @@ - tst-nss-files-hosts-long \ - tst-nss-db-endpwent \ - tst-nss-db-endgrent \ -- tst-reload1 tst-reload2 -+ tst-reload1 tst-reload2 \ -+ tst-nss-gai-hv2-canonname - - # Tests which need libdl - ifeq (yes,$(build-shared)) -@@ -132,7 +133,8 @@ - ifeq ($(build-static-nss),yes) - tests-static += tst-nss-static - endif --extra-test-objs += nss_test1.os nss_test2.os -+extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ -+ nss_test_gai_hv2_canonname.os - - include ../Rules - -@@ -166,10 +168,13 @@ - - libof-nss_test1 = extramodules - libof-nss_test2 = extramodules -+libof-nss_test_gai_hv2_canonname = extramodules - $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) - $(build-module) - $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) - $(build-module) -+$(objpfx)/libnss_test_gai_hv2_canonname.so: $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) -+ $(build-module) - $(objpfx)nss_test2.os : nss_test1.c - ifdef libnss_test1.so-version - 
$(objpfx)/libnss_test1.so$(libnss_test1.so-version): $(objpfx)/libnss_test1.so -@@ -179,10 +184,13 @@ - $(objpfx)/libnss_test2.so$(libnss_test2.so-version): $(objpfx)/libnss_test2.so - $(make-link) - endif -+$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): $(objpfx)/libnss_test_gai_hv2_canonname.so -+ $(make-link) - $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ - $(objpfx)/libnss_test1.so$(libnss_test1.so-version) \ -- $(objpfx)/libnss_test2.so$(libnss_test2.so-version) -- -+ $(objpfx)/libnss_test2.so$(libnss_test2.so-version) \ -+ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ -+ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) - ifeq (yes,$(have-thread-library)) - $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) - endif -@@ -197,3 +205,4 @@ - LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags - LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags - LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags -+LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags -diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c -new file mode 100644 -index 0000000000..4439c83c9f ---- /dev/null -+++ b/nss/nss_test_gai_hv2_canonname.c -@@ -0,0 +1,56 @@ -+/* NSS service provider that only provides gethostbyname2_r. -+ Copyright The GNU Toolchain Authors. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. 
-+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include "nss/tst-nss-gai-hv2-canonname.h" -+ -+/* Catch misnamed and functions. */ -+#pragma GCC diagnostic error "-Wmissing-prototypes" -+NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) -+ -+extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, -+ struct hostent *, char *, -+ size_t, int *, int *); -+ -+enum nss_status -+_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, -+ struct hostent *result, -+ char *buffer, size_t buflen, -+ int *errnop, int *herrnop) -+{ -+ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, -+ herrnop); -+} -+ -+enum nss_status -+_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, -+ size_t buflen, char **result, -+ int *errnop, int *h_errnop) -+{ -+ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail -+ the test. */ -+ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) -+ || buflen < sizeof (QUERYNAME)) -+ abort (); -+ -+ strncpy (buffer, name, buflen); -+ *result = buffer; -+ return NSS_STATUS_SUCCESS; -+} -diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c -new file mode 100644 -index 0000000000..d5f10c07d6 ---- /dev/null -+++ b/nss/tst-nss-gai-hv2-canonname.c -@@ -0,0 +1,63 @@ -+/* Test NSS query path for plugins that only implement gethostbyname2 -+ (#30843). -+ Copyright The GNU Toolchain Authors. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. 
-+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "nss/tst-nss-gai-hv2-canonname.h" -+ -+#define PREPARE do_prepare -+ -+static void do_prepare (int a, char **av) -+{ -+ FILE *hosts = xfopen ("/etc/hosts", "w"); -+ for (unsigned i = 2; i < 255; i++) -+ { -+ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); -+ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); -+ } -+ xfclose (hosts); -+} -+ -+static int -+do_test (void) -+{ -+ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); -+ -+ struct addrinfo hints = {}; -+ struct addrinfo *result = NULL; -+ -+ hints.ai_family = AF_INET6; -+ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; -+ -+ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); -+ -+ if (ret != 0) -+ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); -+ -+ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); -+ -+ freeaddrinfo(result); -+ return 0; -+} -+ -+#include -diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h -new file mode 100644 -index 0000000000..14f2a9cb08 ---- /dev/null -+++ b/nss/tst-nss-gai-hv2-canonname.h -@@ -0,0 +1 @@ -+#define QUERYNAME "test.example.com" -diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req -new file mode 100644 -index 0000000000..e69de29bb2 -diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script -new file mode 100644 -index 0000000000..31848b4a28 ---- /dev/null -+++ 
b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script -@@ -0,0 +1,2 @@ -+cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 -+su -diff -ruN a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c ---- a/sysdeps/posix/getaddrinfo.c 2022-02-02 21:27:54.000000000 -0800 -+++ b/sysdeps/posix/getaddrinfo.c 2023-10-03 16:30:25.792764226 -0700 -@@ -100,14 +100,12 @@ - - struct gaih_servtuple - { -- struct gaih_servtuple *next; - int socktype; - int protocol; - int port; -+ bool set; - }; - --static const struct gaih_servtuple nullserv; -- - - struct gaih_typeproto - { -@@ -118,6 +116,15 @@ - char name[8]; - }; - -+struct gaih_result -+{ -+ struct gaih_addrtuple *at; -+ char *canon; -+ char *h_name; -+ bool free_at; -+ bool got_ipv6; -+}; -+ - /* Values for `protoflag'. */ - #define GAI_PROTO_NOSERVICE 1 - #define GAI_PROTO_PROTOANY 2 -@@ -153,6 +160,15 @@ - .ai_next = NULL - }; - -+static void -+gaih_result_reset (struct gaih_result *res) -+{ -+ if (res->free_at) -+ free (res->at); -+ free (res->canon); -+ free (res->h_name); -+ memset (res, 0, sizeof (*res)); -+} - - static int - gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, -@@ -180,28 +196,21 @@ - } - while (r); - -- st->next = NULL; - st->socktype = tp->socktype; - st->protocol = ((tp->protoflag & GAI_PROTO_PROTOANY) - ? req->ai_protocol : tp->protocol); - st->port = s->s_port; -+ st->set = true; - - return 0; - } - --/* Convert struct hostent to a list of struct gaih_addrtuple objects. -- h_name is not copied, and the struct hostent object must not be -- deallocated prematurely. *RESULT must be NULL or a pointer to a -- linked-list. The new addresses are appended at the end. */ -+/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new -+ addresses are appended to the tuple array in RES. 
*/ - static bool --convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, -- int family, -- struct hostent *h, -- struct gaih_addrtuple **result) -+convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, -+ struct hostent *h, struct gaih_result *res) - { -- while (*result) -- result = &(*result)->next; -- - /* Count the number of addresses in h->h_addr_list. */ - size_t count = 0; - for (char **p = h->h_addr_list; *p != NULL; ++p) -@@ -212,10 +221,41 @@ - if (count == 0 || h->h_length > sizeof (((struct gaih_addrtuple) {}).addr)) - return true; - -- struct gaih_addrtuple *array = calloc (count, sizeof (*array)); -+ struct gaih_addrtuple *array = res->at; -+ size_t old = 0; -+ -+ while (array != NULL) -+ { -+ old++; -+ array = array->next; -+ } -+ -+ array = realloc (res->at, (old + count) * sizeof (*array)); -+ - if (array == NULL) - return false; - -+ res->got_ipv6 = family == AF_INET6; -+ res->at = array; -+ res->free_at = true; -+ -+ /* Duplicate h_name because it may get reclaimed when the underlying storage -+ is freed. */ -+ if (res->h_name == NULL) -+ { -+ res->h_name = __strdup (h->h_name); -+ if (res->h_name == NULL) -+ return false; -+ } -+ -+ /* Update the next pointers on reallocation. 
*/ -+ for (size_t i = 0; i < old; i++) -+ array[i].next = array + i + 1; -+ -+ array += old; -+ -+ memset (array, 0, count * sizeof (*array)); -+ - for (size_t i = 0; i < count; ++i) - { - if (family == AF_INET && req->ai_family == AF_INET6) -@@ -232,73 +272,59 @@ - } - array[i].next = array + i + 1; - } -- array[0].name = h->h_name; - array[count - 1].next = NULL; - -- *result = array; - return true; - } - --#define gethosts(_family) \ -- { \ -- struct hostent th; \ -- char *localcanon = NULL; \ -- no_data = 0; \ -- while (1) \ -- { \ -- status = DL_CALL_FCT (fct, (name, _family, &th, \ -- tmpbuf->data, tmpbuf->length, \ -- &errno, &h_errno, NULL, &localcanon)); \ -- if (status != NSS_STATUS_TRYAGAIN || h_errno != NETDB_INTERNAL \ -- || errno != ERANGE) \ -- break; \ -- if (!scratch_buffer_grow (tmpbuf)) \ -- { \ -- __resolv_context_put (res_ctx); \ -- result = -EAI_MEMORY; \ -- goto free_and_return; \ -- } \ -- } \ -- if (status == NSS_STATUS_NOTFOUND \ -- || status == NSS_STATUS_TRYAGAIN || status == NSS_STATUS_UNAVAIL) \ -- { \ -- if (h_errno == NETDB_INTERNAL) \ -- { \ -- __resolv_context_put (res_ctx); \ -- result = -EAI_SYSTEM; \ -- goto free_and_return; \ -- } \ -- if (h_errno == TRY_AGAIN) \ -- no_data = EAI_AGAIN; \ -- else \ -- no_data = h_errno == NO_DATA; \ -- } \ -- else if (status == NSS_STATUS_SUCCESS) \ -- { \ -- if (!convert_hostent_to_gaih_addrtuple (req, _family, &th, &addrmem)) \ -- { \ -- __resolv_context_put (res_ctx); \ -- result = -EAI_SYSTEM; \ -- goto free_and_return; \ -- } \ -- *pat = addrmem; \ -- \ -- if (localcanon != NULL && canon == NULL) \ -- { \ -- canonbuf = __strdup (localcanon); \ -- if (canonbuf == NULL) \ -- { \ -- __resolv_context_put (res_ctx); \ -- result = -EAI_SYSTEM; \ -- goto free_and_return; \ -- } \ -- canon = canonbuf; \ -- } \ -- if (_family == AF_INET6 && *pat != NULL) \ -- got_ipv6 = true; \ -- } \ -- } -+static int -+gethosts (nss_gethostbyname3_r fct, int family, const char *name, -+ const struct addrinfo 
*req, struct scratch_buffer *tmpbuf, -+ struct gaih_result *res, enum nss_status *statusp, int *no_datap) -+{ -+ struct hostent th; -+ char *localcanon = NULL; -+ enum nss_status status; - -+ *no_datap = 0; -+ while (1) -+ { -+ *statusp = status = DL_CALL_FCT (fct, (name, family, &th, -+ tmpbuf->data, tmpbuf->length, -+ &errno, &h_errno, NULL, -+ &localcanon)); -+ if (status != NSS_STATUS_TRYAGAIN || h_errno != NETDB_INTERNAL -+ || errno != ERANGE) -+ break; -+ if (!scratch_buffer_grow (tmpbuf)) -+ return -EAI_MEMORY; -+ } -+ if (status == NSS_STATUS_NOTFOUND -+ || status == NSS_STATUS_TRYAGAIN || status == NSS_STATUS_UNAVAIL) -+ { -+ if (h_errno == NETDB_INTERNAL) -+ return -EAI_SYSTEM; -+ if (h_errno == TRY_AGAIN) -+ *no_datap = EAI_AGAIN; -+ else -+ *no_datap = h_errno == NO_DATA; -+ } -+ else if (status == NSS_STATUS_SUCCESS) -+ { -+ if (!convert_hostent_to_gaih_addrtuple (req, family, &th, res)) -+ return -EAI_MEMORY; -+ -+ if (localcanon != NULL && res->canon == NULL) -+ { -+ char *canonbuf = __strdup (localcanon); -+ if (canonbuf == NULL) -+ return -EAI_MEMORY; -+ res->canon = canonbuf; -+ } -+ } -+ -+ return 0; -+} - - /* This function is called if a canonical name is requested, but if - the service function did not provide it. It tries to obtain the -@@ -307,15 +333,15 @@ - memory allocation failure. The returned string is allocated on the - heap; the caller has to free it. 
*/ - static char * --getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) -+getcanonname (nss_action_list nip, const char *hname, const char *name) - { - nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); - char *s = (char *) name; - if (cfct != NULL) - { - char buf[256]; -- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), -- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) -+ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, -+ &h_errno)) != NSS_STATUS_SUCCESS) - /* If the canonical name cannot be determined, use the passed - string. */ - s = (char *) name; -@@ -323,21 +349,47 @@ - return __strdup (name); - } - -+/* Process looked up canonical name and if necessary, decode to IDNA. Result -+ is a new string written to CANONP and the earlier string is freed. */ -+ - static int --gaih_inet (const char *name, const struct gaih_service *service, -- const struct addrinfo *req, struct addrinfo **pai, -- unsigned int *naddrs, struct scratch_buffer *tmpbuf) -+process_canonname (const struct addrinfo *req, const char *orig_name, -+ struct gaih_result *res) - { -- const struct gaih_typeproto *tp = gaih_inet_typeproto; -- struct gaih_servtuple *st = (struct gaih_servtuple *) &nullserv; -- struct gaih_addrtuple *at = NULL; -- bool got_ipv6 = false; -- const char *canon = NULL; -- const char *orig_name = name; -+ char *canon = res->canon; - -- /* Reserve stack memory for the scratch buffer in the getaddrinfo -- function. */ -- size_t alloca_used = sizeof (struct scratch_buffer); -+ if ((req->ai_flags & AI_CANONNAME) != 0) -+ { -+ bool do_idn = req->ai_flags & AI_CANONIDN; -+ if (do_idn) -+ { -+ char *out; -+ int rc = __idna_from_dns_encoding (canon ?: orig_name, &out); -+ if (rc == 0) -+ { -+ free (canon); -+ canon = out; -+ } -+ else if (rc == EAI_IDN_ENCODE) -+ /* Use the punycode name as a fallback. 
*/ -+ do_idn = false; -+ else -+ return -rc; -+ } -+ if (!do_idn && canon == NULL && (canon = __strdup (orig_name)) == NULL) -+ return -EAI_MEMORY; -+ } -+ -+ res->canon = canon; -+ return 0; -+} -+ -+static int -+get_servtuples (const struct gaih_service *service, const struct addrinfo *req, -+ struct gaih_servtuple *st, struct scratch_buffer *tmpbuf) -+{ -+ int i; -+ const struct gaih_typeproto *tp = gaih_inet_typeproto; - - if (req->ai_protocol || req->ai_socktype) - { -@@ -359,747 +411,792 @@ - } - } - -- int port = 0; -- if (service != NULL) -+ if (service != NULL && (tp->protoflag & GAI_PROTO_NOSERVICE) != 0) -+ return -EAI_SERVICE; -+ -+ if (service == NULL || service->num >= 0) - { -- if ((tp->protoflag & GAI_PROTO_NOSERVICE) != 0) -- return -EAI_SERVICE; -+ int port = service != NULL ? htons (service->num) : 0; - -- if (service->num < 0) -+ if (req->ai_socktype || req->ai_protocol) - { -- if (tp->name[0]) -- { -- st = (struct gaih_servtuple *) -- alloca_account (sizeof (struct gaih_servtuple), alloca_used); -+ st[0].socktype = tp->socktype; -+ st[0].protocol = ((tp->protoflag & GAI_PROTO_PROTOANY) -+ ? req->ai_protocol : tp->protocol); -+ st[0].port = port; -+ st[0].set = true; - -- int rc = gaih_inet_serv (service->name, tp, req, st, tmpbuf); -- if (__glibc_unlikely (rc != 0)) -- return rc; -- } -- else -- { -- struct gaih_servtuple **pst = &st; -- for (tp++; tp->name[0]; tp++) -- { -- struct gaih_servtuple *newp; -+ return 0; -+ } -+ -+ /* Neither socket type nor protocol is set. Return all socket types -+ we know about. 
*/ -+ for (i = 0, ++tp; tp->name[0]; ++tp) -+ if (tp->defaultflag) -+ { -+ st[i].socktype = tp->socktype; -+ st[i].protocol = tp->protocol; -+ st[i].port = port; -+ st[i++].set = true; -+ } - -- if ((tp->protoflag & GAI_PROTO_NOSERVICE) != 0) -- continue; -+ return 0; -+ } - -- if (req->ai_socktype != 0 -- && req->ai_socktype != tp->socktype) -- continue; -- if (req->ai_protocol != 0 -- && !(tp->protoflag & GAI_PROTO_PROTOANY) -- && req->ai_protocol != tp->protocol) -- continue; -- -- newp = (struct gaih_servtuple *) -- alloca_account (sizeof (struct gaih_servtuple), -- alloca_used); -- -- if (gaih_inet_serv (service->name, -- tp, req, newp, tmpbuf) != 0) -- continue; -+ if (tp->name[0]) -+ return gaih_inet_serv (service->name, tp, req, st, tmpbuf); - -- *pst = newp; -- pst = &(newp->next); -- } -- if (st == (struct gaih_servtuple *) &nullserv) -- return -EAI_SERVICE; -- } -- } -- else -+ for (i = 0, tp++; tp->name[0]; tp++) -+ { -+ if ((tp->protoflag & GAI_PROTO_NOSERVICE) != 0) -+ continue; -+ -+ if (req->ai_socktype != 0 -+ && req->ai_socktype != tp->socktype) -+ continue; -+ if (req->ai_protocol != 0 -+ && !(tp->protoflag & GAI_PROTO_PROTOANY) -+ && req->ai_protocol != tp->protocol) -+ continue; -+ -+ if (gaih_inet_serv (service->name, -+ tp, req, &st[i], tmpbuf) != 0) -+ continue; -+ -+ i++; -+ } -+ -+ if (!st[0].set) -+ return -EAI_SERVICE; -+ -+ return 0; -+} -+ -+#ifdef USE_NSCD -+/* Query addresses from nscd cache, returning a non-zero value on error. -+ RES members have the lookup result; RES->AT is NULL if there were no errors -+ but also no results. */ -+ -+static int -+get_nscd_addresses (const char *name, const struct addrinfo *req, -+ struct gaih_result *res) -+{ -+ if (__nss_not_use_nscd_hosts > 0 -+ && ++__nss_not_use_nscd_hosts > NSS_NSCD_RETRY) -+ __nss_not_use_nscd_hosts = 0; -+ -+ res->at = NULL; -+ -+ if (__nss_not_use_nscd_hosts || __nss_database_custom[NSS_DBSIDX_hosts]) -+ return 0; -+ -+ /* Try to use nscd. 
*/ -+ struct nscd_ai_result *air = NULL; -+ int err = __nscd_getai (name, &air, &h_errno); -+ -+ if (__glibc_unlikely (air == NULL)) -+ { -+ /* The database contains a negative entry. */ -+ if (err == 0) -+ return -EAI_NONAME; -+ if (__nss_not_use_nscd_hosts == 0) - { -- port = htons (service->num); -- goto got_port; -+ if (h_errno == NETDB_INTERNAL && errno == ENOMEM) -+ return -EAI_MEMORY; -+ if (h_errno == TRY_AGAIN) -+ return -EAI_AGAIN; -+ return -EAI_SYSTEM; - } -+ return 0; - } -- else -+ -+ /* Transform into gaih_addrtuple list. */ -+ int result = 0; -+ char *addrs = air->addrs; -+ -+ struct gaih_addrtuple *addrfree = calloc (air->naddrs, sizeof (*addrfree)); -+ struct gaih_addrtuple *at = calloc (air->naddrs, sizeof (*at)); -+ if (at == NULL) - { -- got_port: -+ result = -EAI_MEMORY; -+ goto out; -+ } - -- if (req->ai_socktype || req->ai_protocol) -+ res->free_at = true; -+ -+ int count = 0; -+ for (int i = 0; i < air->naddrs; ++i) -+ { -+ socklen_t size = (air->family[i] == AF_INET -+ ? INADDRSZ : IN6ADDRSZ); -+ -+ if (!((air->family[i] == AF_INET -+ && req->ai_family == AF_INET6 -+ && (req->ai_flags & AI_V4MAPPED) != 0) -+ || req->ai_family == AF_UNSPEC -+ || air->family[i] == req->ai_family)) - { -- st = alloca_account (sizeof (struct gaih_servtuple), alloca_used); -- st->next = NULL; -- st->socktype = tp->socktype; -- st->protocol = ((tp->protoflag & GAI_PROTO_PROTOANY) -- ? req->ai_protocol : tp->protocol); -- st->port = port; -+ /* Skip over non-matching result. */ -+ addrs += size; -+ continue; - } -- else -+ -+ if (air->family[i] == AF_INET && req->ai_family == AF_INET6 -+ && (req->ai_flags & AI_V4MAPPED)) - { -- /* Neither socket type nor protocol is set. Return all socket types -- we know about. 
*/ -- struct gaih_servtuple **lastp = &st; -- for (++tp; tp->name[0]; ++tp) -- if (tp->defaultflag) -- { -- struct gaih_servtuple *newp; -- -- newp = alloca_account (sizeof (struct gaih_servtuple), -- alloca_used); -- newp->next = NULL; -- newp->socktype = tp->socktype; -- newp->protocol = tp->protocol; -- newp->port = port; -- -- *lastp = newp; -- lastp = &newp->next; -- } -+ at[count].family = AF_INET6; -+ at[count].addr[3] = *(uint32_t *) addrs; -+ at[count].addr[2] = htonl (0xffff); - } -+ else if (req->ai_family == AF_UNSPEC -+ || air->family[count] == req->ai_family) -+ { -+ at[count].family = air->family[count]; -+ memcpy (at[count].addr, addrs, size); -+ if (air->family[count] == AF_INET6) -+ res->got_ipv6 = true; -+ } -+ at[count].next = at + count + 1; -+ count++; -+ addrs += size; - } - -- bool malloc_name = false; -- struct gaih_addrtuple *addrmem = NULL; -- char *canonbuf = NULL; -+ if ((req->ai_flags & AI_CANONNAME) && air->canon != NULL) -+ { -+ char *canonbuf = __strdup (air->canon); -+ if (canonbuf == NULL) -+ { -+ result = -EAI_MEMORY; -+ goto out; -+ } -+ res->canon = canonbuf; -+ } -+ -+ if (count == 0) -+ { -+ result = -EAI_NONAME; -+ goto out; -+ } -+ -+ at[count - 1].next = NULL; -+ -+ res->at = at; -+ -+out: -+ free (air); -+ if (result != 0) -+ { -+ free (at); -+ res->free_at = false; -+ } -+ -+ return result; -+} -+#endif -+ -+static int -+get_nss_addresses (const char *name, const struct addrinfo *req, -+ struct scratch_buffer *tmpbuf, struct gaih_result *res) -+{ -+ int no_data = 0; -+ int no_inet6_data = 0; -+ nss_action_list nip; -+ enum nss_status inet6_status = NSS_STATUS_UNAVAIL; -+ enum nss_status status = NSS_STATUS_UNAVAIL; -+ int no_more; -+ struct resolv_context *res_ctx = NULL; -+ bool do_merge = false; - int result = 0; - -- if (name != NULL) -+ no_more = !__nss_database_get (nss_database_hosts, &nip); -+ -+ /* If we are looking for both IPv4 and IPv6 address we don't -+ want the lookup functions to automatically promote IPv4 
-+ addresses to IPv6 addresses, so we use the no_inet6 -+ function variant. */ -+ res_ctx = __resolv_context_get (); -+ if (res_ctx == NULL) -+ no_more = 1; -+ -+ while (!no_more) - { -- at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used); -- at->family = AF_UNSPEC; -- at->scopeid = 0; -- at->next = NULL; -+ /* Always start afresh; continue should discard previous results -+ and the hosts database does not support merge. */ -+ gaih_result_reset (res); - -- if (req->ai_flags & AI_IDN) -+ if (do_merge) - { -- char *out; -- result = __idna_to_dns_encoding (name, &out); -- if (result != 0) -- return -result; -- name = out; -- malloc_name = true; -+ __set_h_errno (NETDB_INTERNAL); -+ __set_errno (EBUSY); -+ break; - } - -- if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0) -- { -- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET) -- at->family = AF_INET; -- else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED)) -- { -- at->addr[3] = at->addr[0]; -- at->addr[2] = htonl (0xffff); -- at->addr[1] = 0; -- at->addr[0] = 0; -- at->family = AF_INET6; -- } -- else -- { -- result = -EAI_ADDRFAMILY; -- goto free_and_return; -- } -+ no_data = 0; -+ nss_gethostbyname4_r *fct4 = NULL; - -- if (req->ai_flags & AI_CANONNAME) -- canon = name; -- } -- else if (at->family == AF_UNSPEC) -+ /* gethostbyname4_r sends out parallel A and AAAA queries and -+ is thus only suitable for PF_UNSPEC. 
*/ -+ if (req->ai_family == PF_UNSPEC) -+ fct4 = __nss_lookup_function (nip, "gethostbyname4_r"); -+ -+ if (fct4 != NULL) - { -- char *scope_delim = strchr (name, SCOPE_DELIMITER); -- int e; -- if (scope_delim == NULL) -- e = inet_pton (AF_INET6, name, at->addr); -- else -- e = __inet_pton_length (AF_INET6, name, scope_delim - name, -- at->addr); -- if (e > 0) -+ while (1) - { -- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6) -- at->family = AF_INET6; -- else if (req->ai_family == AF_INET -- && IN6_IS_ADDR_V4MAPPED (at->addr)) -- { -- at->addr[0] = at->addr[3]; -- at->family = AF_INET; -- } -- else -+ status = DL_CALL_FCT (fct4, (name, &res->at, -+ tmpbuf->data, tmpbuf->length, -+ &errno, &h_errno, -+ NULL)); -+ if (status == NSS_STATUS_SUCCESS) -+ break; -+ /* gethostbyname4_r may write into AT, so reset it. */ -+ res->at = NULL; -+ if (status != NSS_STATUS_TRYAGAIN -+ || errno != ERANGE || h_errno != NETDB_INTERNAL) - { -- result = -EAI_ADDRFAMILY; -- goto free_and_return; -+ if (h_errno == TRY_AGAIN) -+ no_data = EAI_AGAIN; -+ else -+ no_data = h_errno == NO_DATA; -+ break; - } - -- if (scope_delim != NULL -- && __inet6_scopeid_pton ((struct in6_addr *) at->addr, -- scope_delim + 1, -- &at->scopeid) != 0) -+ if (!scratch_buffer_grow (tmpbuf)) - { -- result = -EAI_NONAME; -- goto free_and_return; -+ __resolv_context_put (res_ctx); -+ result = -EAI_MEMORY; -+ goto out; - } -- -- if (req->ai_flags & AI_CANONNAME) -- canon = name; - } -- } - -- if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0) -- { -- struct gaih_addrtuple **pat = &at; -- int no_data = 0; -- int no_inet6_data = 0; -- nss_action_list nip; -- enum nss_status inet6_status = NSS_STATUS_UNAVAIL; -- enum nss_status status = NSS_STATUS_UNAVAIL; -- int no_more; -- struct resolv_context *res_ctx = NULL; -- -- /* If we do not have to look for IPv6 addresses or the canonical -- name, use the simple, old functions, which do not support -- IPv6 scope ids, nor retrieving the 
canonical name. */ -- if (req->ai_family == AF_INET -- && (req->ai_flags & AI_CANONNAME) == 0) -+ if (status == NSS_STATUS_SUCCESS) - { -- int rc; -- struct hostent th; -- struct hostent *h; -+ assert (!no_data); -+ no_data = 1; - -- while (1) -+ if ((req->ai_flags & AI_CANONNAME) != 0 && res->canon == NULL) - { -- rc = __gethostbyname2_r (name, AF_INET, &th, -- tmpbuf->data, tmpbuf->length, -- &h, &h_errno); -- if (rc != ERANGE || h_errno != NETDB_INTERNAL) -- break; -- if (!scratch_buffer_grow (tmpbuf)) -+ char *canonbuf = __strdup (res->at->name); -+ if (canonbuf == NULL) - { -+ __resolv_context_put (res_ctx); - result = -EAI_MEMORY; -- goto free_and_return; -+ goto out; - } -+ res->canon = canonbuf; - } - -- if (rc == 0) -+ struct gaih_addrtuple **pat = &res->at; -+ -+ while (*pat != NULL) - { -- if (h != NULL) -+ if ((*pat)->family == AF_INET -+ && req->ai_family == AF_INET6 -+ && (req->ai_flags & AI_V4MAPPED) != 0) - { -- /* We found data, convert it. */ -- if (!convert_hostent_to_gaih_addrtuple -- (req, AF_INET, h, &addrmem)) -- { -- result = -EAI_MEMORY; -- goto free_and_return; -- } -- *pat = addrmem; -+ uint32_t *pataddr = (*pat)->addr; -+ (*pat)->family = AF_INET6; -+ pataddr[3] = pataddr[0]; -+ pataddr[2] = htonl (0xffff); -+ pataddr[1] = 0; -+ pataddr[0] = 0; -+ pat = &((*pat)->next); -+ no_data = 0; - } -- else -+ else if (req->ai_family == AF_UNSPEC -+ || (*pat)->family == req->ai_family) - { -- if (h_errno == NO_DATA) -- result = -EAI_NODATA; -- else -- result = -EAI_NONAME; -- goto free_and_return; -+ pat = &((*pat)->next); -+ -+ no_data = 0; -+ if (req->ai_family == AF_INET6) -+ res->got_ipv6 = true; - } -- } -- else -- { -- if (h_errno == NETDB_INTERNAL) -- result = -EAI_SYSTEM; -- else if (h_errno == TRY_AGAIN) -- result = -EAI_AGAIN; - else -- /* We made requests but they turned out no data. -- The name is known, though. 
*/ -- result = -EAI_NODATA; -- -- goto free_and_return; -+ *pat = ((*pat)->next); - } -- -- goto process_list; - } - --#ifdef USE_NSCD -- if (__nss_not_use_nscd_hosts > 0 -- && ++__nss_not_use_nscd_hosts > NSS_NSCD_RETRY) -- __nss_not_use_nscd_hosts = 0; -+ no_inet6_data = no_data; -+ } -+ else -+ { -+ nss_gethostbyname3_r *fct = NULL; -+ if (req->ai_flags & AI_CANONNAME) -+ /* No need to use this function if we do not look for -+ the canonical name. The function does not exist in -+ all NSS modules and therefore the lookup would -+ often fail. */ -+ fct = __nss_lookup_function (nip, "gethostbyname3_r"); -+ if (fct == NULL) -+ /* We are cheating here. The gethostbyname2_r -+ function does not have the same interface as -+ gethostbyname3_r but the extra arguments the -+ latter takes are added at the end. So the -+ gethostbyname2_r code will just ignore them. */ -+ fct = __nss_lookup_function (nip, "gethostbyname2_r"); - -- if (!__nss_not_use_nscd_hosts -- && !__nss_database_custom[NSS_DBSIDX_hosts]) -+ if (fct != NULL) - { -- /* Try to use nscd. */ -- struct nscd_ai_result *air = NULL; -- int err = __nscd_getai (name, &air, &h_errno); -- if (air != NULL) -+ if (req->ai_family == AF_INET6 -+ || req->ai_family == AF_UNSPEC) - { -- /* Transform into gaih_addrtuple list. 
*/ -- bool added_canon = (req->ai_flags & AI_CANONNAME) == 0; -- char *addrs = air->addrs; -- -- addrmem = calloc (air->naddrs, sizeof (*addrmem)); -- if (addrmem == NULL) -+ if ((result = gethosts (fct, AF_INET6, name, req, tmpbuf, -+ res, &status, &no_data)) != 0) - { -- result = -EAI_MEMORY; -- goto free_and_return; -+ __resolv_context_put (res_ctx); -+ goto out; - } -- -- struct gaih_addrtuple *addrfree = addrmem; -- for (int i = 0; i < air->naddrs; ++i) -+ no_inet6_data = no_data; -+ inet6_status = status; -+ } -+ if (req->ai_family == AF_INET -+ || req->ai_family == AF_UNSPEC -+ || (req->ai_family == AF_INET6 -+ && (req->ai_flags & AI_V4MAPPED) -+ /* Avoid generating the mapped addresses if we -+ know we are not going to need them. */ -+ && ((req->ai_flags & AI_ALL) || !res->got_ipv6))) -+ { -+ if ((result = gethosts (fct, AF_INET, name, req, tmpbuf, -+ res, &status, &no_data)) != 0) - { -- socklen_t size = (air->family[i] == AF_INET -- ? INADDRSZ : IN6ADDRSZ); -- -- if (!((air->family[i] == AF_INET -- && req->ai_family == AF_INET6 -- && (req->ai_flags & AI_V4MAPPED) != 0) -- || req->ai_family == AF_UNSPEC -- || air->family[i] == req->ai_family)) -- { -- /* Skip over non-matching result. 
*/ -- addrs += size; -- continue; -- } -- -- if (*pat == NULL) -- { -- *pat = addrfree++; -- (*pat)->scopeid = 0; -- } -- uint32_t *pataddr = (*pat)->addr; -- (*pat)->next = NULL; -- if (added_canon || air->canon == NULL) -- (*pat)->name = NULL; -- else if (canonbuf == NULL) -- { -- canonbuf = __strdup (air->canon); -- if (canonbuf == NULL) -- { -- result = -EAI_MEMORY; -- goto free_and_return; -- } -- canon = (*pat)->name = canonbuf; -- } -- -- if (air->family[i] == AF_INET -- && req->ai_family == AF_INET6 -- && (req->ai_flags & AI_V4MAPPED)) -- { -- (*pat)->family = AF_INET6; -- pataddr[3] = *(uint32_t *) addrs; -- pataddr[2] = htonl (0xffff); -- pataddr[1] = 0; -- pataddr[0] = 0; -- pat = &((*pat)->next); -- added_canon = true; -- } -- else if (req->ai_family == AF_UNSPEC -- || air->family[i] == req->ai_family) -- { -- (*pat)->family = air->family[i]; -- memcpy (pataddr, addrs, size); -- pat = &((*pat)->next); -- added_canon = true; -- if (air->family[i] == AF_INET6) -- got_ipv6 = true; -- } -- addrs += size; -+ __resolv_context_put (res_ctx); -+ goto out; - } - -- free (air); -- -- if (at->family == AF_UNSPEC) -+ if (req->ai_family == AF_INET) - { -- result = -EAI_NONAME; -- goto free_and_return; -+ no_inet6_data = no_data; -+ inet6_status = status; - } -- -- goto process_list; - } -- else if (err == 0) -- /* The database contains a negative entry. */ -- goto free_and_return; -- else if (__nss_not_use_nscd_hosts == 0) -- { -- if (h_errno == NETDB_INTERNAL && errno == ENOMEM) -- result = -EAI_MEMORY; -- else if (h_errno == TRY_AGAIN) -- result = -EAI_AGAIN; -- else -- result = -EAI_SYSTEM; -- -- goto free_and_return; -- } -- } --#endif -- -- no_more = !__nss_database_get (nss_database_hosts, &nip); -- -- /* If we are looking for both IPv4 and IPv6 address we don't -- want the lookup functions to automatically promote IPv4 -- addresses to IPv6 addresses, so we use the no_inet6 -- function variant. 
*/ -- res_ctx = __resolv_context_get (); -- if (res_ctx == NULL) -- no_more = 1; -- -- while (!no_more) -- { -- no_data = 0; -- nss_gethostbyname4_r *fct4 = NULL; -- -- /* gethostbyname4_r sends out parallel A and AAAA queries and -- is thus only suitable for PF_UNSPEC. */ -- if (req->ai_family == PF_UNSPEC) -- fct4 = __nss_lookup_function (nip, "gethostbyname4_r"); - -- if (fct4 != NULL) -+ /* If we found one address for AF_INET or AF_INET6, -+ don't continue the search. */ -+ if (inet6_status == NSS_STATUS_SUCCESS -+ || status == NSS_STATUS_SUCCESS) - { -- while (1) -+ if ((req->ai_flags & AI_CANONNAME) != 0 -+ && res->canon == NULL) - { -- status = DL_CALL_FCT (fct4, (name, pat, -- tmpbuf->data, tmpbuf->length, -- &errno, &h_errno, -- NULL)); -- if (status == NSS_STATUS_SUCCESS) -- break; -- if (status != NSS_STATUS_TRYAGAIN -- || errno != ERANGE || h_errno != NETDB_INTERNAL) -- { -- if (h_errno == TRY_AGAIN) -- no_data = EAI_AGAIN; -- else -- no_data = h_errno == NO_DATA; -- break; -- } -- -- if (!scratch_buffer_grow (tmpbuf)) -+ char *canonbuf = getcanonname (nip, res->h_name, name); -+ if (canonbuf == NULL) - { - __resolv_context_put (res_ctx); - result = -EAI_MEMORY; -- goto free_and_return; -+ goto out; - } -+ res->canon = canonbuf; - } -+ status = NSS_STATUS_SUCCESS; -+ } -+ else -+ { -+ /* We can have different states for AF_INET and -+ AF_INET6. Try to find a useful one for both. */ -+ if (inet6_status == NSS_STATUS_TRYAGAIN) -+ status = NSS_STATUS_TRYAGAIN; -+ else if (status == NSS_STATUS_UNAVAIL -+ && inet6_status != NSS_STATUS_UNAVAIL) -+ status = inet6_status; -+ } -+ } -+ else -+ { -+ /* Could not locate any of the lookup functions. -+ The NSS lookup code does not consistently set -+ errno, so we need to supply our own error -+ code here. The root cause could either be a -+ resource allocation failure, or a missing -+ service function in the DSO (so it should not -+ be listed in /etc/nsswitch.conf). Assume the -+ former, and return EBUSY. 
*/ -+ status = NSS_STATUS_UNAVAIL; -+ __set_h_errno (NETDB_INTERNAL); -+ __set_errno (EBUSY); -+ } -+ } - -- if (status == NSS_STATUS_SUCCESS) -- { -- assert (!no_data); -- no_data = 1; -+ if (nss_next_action (nip, status) == NSS_ACTION_RETURN) -+ break; - -- if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL) -- canon = (*pat)->name; -+ /* The hosts database does not support MERGE. */ -+ if (nss_next_action (nip, status) == NSS_ACTION_MERGE) -+ do_merge = true; -+ -+ nip++; -+ if (nip->module == NULL) -+ no_more = -1; -+ } - -- while (*pat != NULL) -- { -- if ((*pat)->family == AF_INET -- && req->ai_family == AF_INET6 -- && (req->ai_flags & AI_V4MAPPED) != 0) -- { -- uint32_t *pataddr = (*pat)->addr; -- (*pat)->family = AF_INET6; -- pataddr[3] = pataddr[0]; -- pataddr[2] = htonl (0xffff); -- pataddr[1] = 0; -- pataddr[0] = 0; -- pat = &((*pat)->next); -- no_data = 0; -- } -- else if (req->ai_family == AF_UNSPEC -- || (*pat)->family == req->ai_family) -- { -- pat = &((*pat)->next); -- -- no_data = 0; -- if (req->ai_family == AF_INET6) -- got_ipv6 = true; -- } -- else -- *pat = ((*pat)->next); -- } -- } -+ __resolv_context_put (res_ctx); - -- no_inet6_data = no_data; -- } -- else -- { -- nss_gethostbyname3_r *fct = NULL; -- if (req->ai_flags & AI_CANONNAME) -- /* No need to use this function if we do not look for -- the canonical name. The function does not exist in -- all NSS modules and therefore the lookup would -- often fail. */ -- fct = __nss_lookup_function (nip, "gethostbyname3_r"); -- if (fct == NULL) -- /* We are cheating here. The gethostbyname2_r -- function does not have the same interface as -- gethostbyname3_r but the extra arguments the -- latter takes are added at the end. So the -- gethostbyname2_r code will just ignore them. */ -- fct = __nss_lookup_function (nip, "gethostbyname2_r"); -+ /* If we have a failure which sets errno, report it using -+ EAI_SYSTEM. 
*/ -+ if ((status == NSS_STATUS_TRYAGAIN || status == NSS_STATUS_UNAVAIL) -+ && h_errno == NETDB_INTERNAL) -+ { -+ result = -EAI_SYSTEM; -+ goto out; -+ } - -- if (fct != NULL) -- { -- if (req->ai_family == AF_INET6 -- || req->ai_family == AF_UNSPEC) -- { -- gethosts (AF_INET6); -- no_inet6_data = no_data; -- inet6_status = status; -- } -- if (req->ai_family == AF_INET -- || req->ai_family == AF_UNSPEC -- || (req->ai_family == AF_INET6 -- && (req->ai_flags & AI_V4MAPPED) -- /* Avoid generating the mapped addresses if we -- know we are not going to need them. */ -- && ((req->ai_flags & AI_ALL) || !got_ipv6))) -- { -- gethosts (AF_INET); -+ if (no_data != 0 && no_inet6_data != 0) -+ { -+ /* If both requests timed out report this. */ -+ if (no_data == EAI_AGAIN && no_inet6_data == EAI_AGAIN) -+ result = -EAI_AGAIN; -+ else -+ /* We made requests but they turned out no data. The name -+ is known, though. */ -+ result = -EAI_NODATA; -+ } - -- if (req->ai_family == AF_INET) -- { -- no_inet6_data = no_data; -- inet6_status = status; -- } -- } -+out: -+ if (result != 0) -+ gaih_result_reset (res); -+ return result; -+} - -- /* If we found one address for AF_INET or AF_INET6, -- don't continue the search. */ -- if (inet6_status == NSS_STATUS_SUCCESS -- || status == NSS_STATUS_SUCCESS) -- { -- if ((req->ai_flags & AI_CANONNAME) != 0 -- && canon == NULL) -- { -- canonbuf = getcanonname (nip, at, name); -- if (canonbuf == NULL) -- { -- __resolv_context_put (res_ctx); -- result = -EAI_MEMORY; -- goto free_and_return; -- } -- canon = canonbuf; -- } -- status = NSS_STATUS_SUCCESS; -- } -- else -- { -- /* We can have different states for AF_INET and -- AF_INET6. Try to find a useful one for both. */ -- if (inet6_status == NSS_STATUS_TRYAGAIN) -- status = NSS_STATUS_TRYAGAIN; -- else if (status == NSS_STATUS_UNAVAIL -- && inet6_status != NSS_STATUS_UNAVAIL) -- status = inet6_status; -- } -- } -- else -- { -- /* Could not locate any of the lookup functions. 
-- The NSS lookup code does not consistently set -- errno, so we need to supply our own error -- code here. The root cause could either be a -- resource allocation failure, or a missing -- service function in the DSO (so it should not -- be listed in /etc/nsswitch.conf). Assume the -- former, and return EBUSY. */ -- status = NSS_STATUS_UNAVAIL; -- __set_h_errno (NETDB_INTERNAL); -- __set_errno (EBUSY); -- } -- } -+/* Convert numeric addresses to binary into RES. On failure, RES->AT is set to -+ NULL and an error code is returned. If AI_NUMERIC_HOST is not requested and -+ the function cannot determine a result, RES->AT is set to NULL and 0 -+ returned. */ - -- if (nss_next_action (nip, status) == NSS_ACTION_RETURN) -- break; -+static int -+text_to_binary_address (const char *name, const struct addrinfo *req, -+ struct gaih_result *res) -+{ -+ struct gaih_addrtuple *at = res->at; -+ int result = 0; - -- nip++; -- if (nip->module == NULL) -- no_more = -1; -- } -+ assert (at != NULL); - -- __resolv_context_put (res_ctx); -+ memset (at->addr, 0, sizeof (at->addr)); -+ if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0) -+ { -+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET) -+ at->family = AF_INET; -+ else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED)) -+ { -+ at->addr[3] = at->addr[0]; -+ at->addr[2] = htonl (0xffff); -+ at->addr[1] = 0; -+ at->addr[0] = 0; -+ at->family = AF_INET6; -+ } -+ else -+ { -+ result = -EAI_ADDRFAMILY; -+ goto out; -+ } - -- /* If we have a failure which sets errno, report it using -- EAI_SYSTEM. 
*/ -- if ((status == NSS_STATUS_TRYAGAIN || status == NSS_STATUS_UNAVAIL) -- && h_errno == NETDB_INTERNAL) -+ if (req->ai_flags & AI_CANONNAME) -+ { -+ char *canonbuf = __strdup (name); -+ if (canonbuf == NULL) - { -- result = -EAI_SYSTEM; -- goto free_and_return; -+ result = -EAI_MEMORY; -+ goto out; - } -+ res->canon = canonbuf; -+ } -+ return 0; -+ } - -- if (no_data != 0 && no_inet6_data != 0) -- { -- /* If both requests timed out report this. */ -- if (no_data == EAI_AGAIN && no_inet6_data == EAI_AGAIN) -- result = -EAI_AGAIN; -- else -- /* We made requests but they turned out no data. The name -- is known, though. */ -- result = -EAI_NODATA; -+ char *scope_delim = strchr (name, SCOPE_DELIMITER); -+ int e; - -- goto free_and_return; -- } -+ if (scope_delim == NULL) -+ e = inet_pton (AF_INET6, name, at->addr); -+ else -+ e = __inet_pton_length (AF_INET6, name, scope_delim - name, at->addr); -+ -+ if (e > 0) -+ { -+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6) -+ at->family = AF_INET6; -+ else if (req->ai_family == AF_INET -+ && IN6_IS_ADDR_V4MAPPED (at->addr)) -+ { -+ at->addr[0] = at->addr[3]; -+ at->family = AF_INET; -+ } -+ else -+ { -+ result = -EAI_ADDRFAMILY; -+ goto out; - } - -- process_list: -- if (at->family == AF_UNSPEC) -+ if (scope_delim != NULL -+ && __inet6_scopeid_pton ((struct in6_addr *) at->addr, -+ scope_delim + 1, &at->scopeid) != 0) - { - result = -EAI_NONAME; -- goto free_and_return; -+ goto out; - } -+ -+ if (req->ai_flags & AI_CANONNAME) -+ { -+ char *canonbuf = __strdup (name); -+ if (canonbuf == NULL) -+ { -+ result = -EAI_MEMORY; -+ goto out; -+ } -+ res->canon = canonbuf; -+ } -+ return 0; - } -- else -+ -+ if ((req->ai_flags & AI_NUMERICHOST)) -+ result = -EAI_NONAME; -+ -+out: -+ res->at = NULL; -+ return result; -+} -+ -+/* If possible, call the simple, old functions, which do not support IPv6 scope -+ ids, nor retrieving the canonical name. 
*/ -+ -+static int -+try_simple_gethostbyname (const char *name, const struct addrinfo *req, -+ struct scratch_buffer *tmpbuf, -+ struct gaih_result *res) -+{ -+ res->at = NULL; -+ -+ if (req->ai_family != AF_INET || (req->ai_flags & AI_CANONNAME) != 0) -+ return 0; -+ -+ int rc; -+ struct hostent th; -+ struct hostent *h; -+ -+ while (1) - { -- struct gaih_addrtuple *atr; -- atr = at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used); -- memset (at, '\0', sizeof (struct gaih_addrtuple)); -+ rc = __gethostbyname2_r (name, AF_INET, &th, tmpbuf->data, -+ tmpbuf->length, &h, &h_errno); -+ if (rc != ERANGE || h_errno != NETDB_INTERNAL) -+ break; -+ if (!scratch_buffer_grow (tmpbuf)) -+ return -EAI_MEMORY; -+ } - -- if (req->ai_family == AF_UNSPEC) -+ if (rc == 0) -+ { -+ if (h != NULL) - { -- at->next = __alloca (sizeof (struct gaih_addrtuple)); -- memset (at->next, '\0', sizeof (struct gaih_addrtuple)); -+ /* We found data, convert it. RES->AT from the conversion will -+ either be an allocated block or NULL, both of which are safe to -+ pass to free (). */ -+ if (!convert_hostent_to_gaih_addrtuple (req, AF_INET, h, res)) -+ return -EAI_MEMORY; -+ -+ res->free_at = true; -+ return 0; - } -+ if (h_errno == NO_DATA) -+ return -EAI_NODATA; - -- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6) -+ return -EAI_NONAME; -+ } -+ -+ if (h_errno == NETDB_INTERNAL) -+ return -EAI_SYSTEM; -+ if (h_errno == TRY_AGAIN) -+ return -EAI_AGAIN; -+ -+ /* We made requests but they turned out no data. -+ The name is known, though. */ -+ return -EAI_NODATA; -+} -+ -+/* Add local address information into RES. RES->AT is assumed to have enough -+ space for two tuples and is zeroed out. 
*/ -+ -+static void -+get_local_addresses (const struct addrinfo *req, struct gaih_result *res) -+{ -+ struct gaih_addrtuple *atr = res->at; -+ if (req->ai_family == AF_UNSPEC) -+ res->at->next = res->at + 1; -+ -+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6) -+ { -+ res->at->family = AF_INET6; -+ if ((req->ai_flags & AI_PASSIVE) == 0) -+ memcpy (res->at->addr, &in6addr_loopback, sizeof (struct in6_addr)); -+ atr = res->at->next; -+ } -+ -+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET) -+ { -+ atr->family = AF_INET; -+ if ((req->ai_flags & AI_PASSIVE) == 0) -+ atr->addr[0] = htonl (INADDR_LOOPBACK); -+ } -+} -+ -+/* Generate results in PAI and its count in NADDRS. Return 0 on success or an -+ error code on failure. */ -+ -+static int -+generate_addrinfo (const struct addrinfo *req, struct gaih_result *res, -+ const struct gaih_servtuple *st, struct addrinfo **pai, -+ unsigned int *naddrs) -+{ -+ size_t socklen; -+ sa_family_t family; -+ -+ /* Buffer is the size of an unformatted IPv6 address in printable format. */ -+ for (struct gaih_addrtuple *at = res->at; at != NULL; at = at->next) -+ { -+ family = at->family; -+ if (family == AF_INET6) - { -- at->family = AF_INET6; -- if ((req->ai_flags & AI_PASSIVE) == 0) -- memcpy (at->addr, &in6addr_loopback, sizeof (struct in6_addr)); -- atr = at->next; -+ socklen = sizeof (struct sockaddr_in6); -+ -+ /* If we looked up IPv4 mapped address discard them here if -+ the caller isn't interested in all address and we have -+ found at least one IPv6 address. 
*/ -+ if (res->got_ipv6 -+ && (req->ai_flags & (AI_V4MAPPED|AI_ALL)) == AI_V4MAPPED -+ && IN6_IS_ADDR_V4MAPPED (at->addr)) -+ continue; - } -+ else -+ socklen = sizeof (struct sockaddr_in); - -- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET) -+ for (int i = 0; st[i].set; i++) - { -- atr->family = AF_INET; -- if ((req->ai_flags & AI_PASSIVE) == 0) -- atr->addr[0] = htonl (INADDR_LOOPBACK); -+ struct addrinfo *ai; -+ ai = *pai = malloc (sizeof (struct addrinfo) + socklen); -+ if (ai == NULL) -+ return -EAI_MEMORY; -+ -+ ai->ai_flags = req->ai_flags; -+ ai->ai_family = family; -+ ai->ai_socktype = st[i].socktype; -+ ai->ai_protocol = st[i].protocol; -+ ai->ai_addrlen = socklen; -+ ai->ai_addr = (void *) (ai + 1); -+ -+ /* We only add the canonical name once. */ -+ ai->ai_canonname = res->canon; -+ res->canon = NULL; -+ -+#ifdef _HAVE_SA_LEN -+ ai->ai_addr->sa_len = socklen; -+#endif /* _HAVE_SA_LEN */ -+ ai->ai_addr->sa_family = family; -+ -+ /* In case of an allocation error the list must be NULL -+ terminated. */ -+ ai->ai_next = NULL; -+ -+ if (family == AF_INET6) -+ { -+ struct sockaddr_in6 *sin6p = (struct sockaddr_in6 *) ai->ai_addr; -+ sin6p->sin6_port = st[i].port; -+ sin6p->sin6_flowinfo = 0; -+ memcpy (&sin6p->sin6_addr, at->addr, sizeof (struct in6_addr)); -+ sin6p->sin6_scope_id = at->scopeid; -+ } -+ else -+ { -+ struct sockaddr_in *sinp = (struct sockaddr_in *) ai->ai_addr; -+ sinp->sin_port = st[i].port; -+ memcpy (&sinp->sin_addr, at->addr, sizeof (struct in_addr)); -+ memset (sinp->sin_zero, '\0', sizeof (sinp->sin_zero)); -+ } -+ -+ pai = &(ai->ai_next); - } -+ -+ ++*naddrs; - } -+ return 0; -+} - -- { -- struct gaih_servtuple *st2; -- struct gaih_addrtuple *at2 = at; -- size_t socklen; -- sa_family_t family; -- -- /* -- buffer is the size of an unformatted IPv6 address in printable format. -- */ -- while (at2 != NULL) -- { -- /* Only the first entry gets the canonical name. 
*/ -- if (at2 == at && (req->ai_flags & AI_CANONNAME) != 0) -- { -- if (canon == NULL) -- /* If the canonical name cannot be determined, use -- the passed in string. */ -- canon = orig_name; -- -- bool do_idn = req->ai_flags & AI_CANONIDN; -- if (do_idn) -- { -- char *out; -- int rc = __idna_from_dns_encoding (canon, &out); -- if (rc == 0) -- canon = out; -- else if (rc == EAI_IDN_ENCODE) -- /* Use the punycode name as a fallback. */ -- do_idn = false; -- else -- { -- result = -rc; -- goto free_and_return; -- } -- } -- if (!do_idn) -- { -- if (canonbuf != NULL) -- /* We already allocated the string using malloc, but -- the buffer is now owned by canon. */ -- canonbuf = NULL; -- else -- { -- canon = __strdup (canon); -- if (canon == NULL) -- { -- result = -EAI_MEMORY; -- goto free_and_return; -- } -- } -- } -- } -+static int -+gaih_inet (const char *name, const struct gaih_service *service, -+ const struct addrinfo *req, struct addrinfo **pai, -+ unsigned int *naddrs, struct scratch_buffer *tmpbuf) -+{ -+ struct gaih_servtuple st[sizeof (gaih_inet_typeproto) -+ / sizeof (struct gaih_typeproto)] = {0}; - -- family = at2->family; -- if (family == AF_INET6) -- { -- socklen = sizeof (struct sockaddr_in6); -+ const char *orig_name = name; - -- /* If we looked up IPv4 mapped address discard them here if -- the caller isn't interested in all address and we have -- found at least one IPv6 address. 
*/ -- if (got_ipv6 -- && (req->ai_flags & (AI_V4MAPPED|AI_ALL)) == AI_V4MAPPED -- && IN6_IS_ADDR_V4MAPPED (at2->addr)) -- goto ignore; -- } -- else -- socklen = sizeof (struct sockaddr_in); -+ int rc; -+ if ((rc = get_servtuples (service, req, st, tmpbuf)) != 0) -+ return rc; - -- for (st2 = st; st2 != NULL; st2 = st2->next) -- { -- struct addrinfo *ai; -- ai = *pai = malloc (sizeof (struct addrinfo) + socklen); -- if (ai == NULL) -- { -- free ((char *) canon); -- result = -EAI_MEMORY; -- goto free_and_return; -- } -- -- ai->ai_flags = req->ai_flags; -- ai->ai_family = family; -- ai->ai_socktype = st2->socktype; -- ai->ai_protocol = st2->protocol; -- ai->ai_addrlen = socklen; -- ai->ai_addr = (void *) (ai + 1); -- -- /* We only add the canonical name once. */ -- ai->ai_canonname = (char *) canon; -- canon = NULL; -+ bool malloc_name = false; -+ struct gaih_addrtuple *addrmem = NULL; -+ int result = 0; - --#ifdef _HAVE_SA_LEN -- ai->ai_addr->sa_len = socklen; --#endif /* _HAVE_SA_LEN */ -- ai->ai_addr->sa_family = family; -+ struct gaih_result res = {0}; -+ struct gaih_addrtuple local_at[2] = {0}; - -- /* In case of an allocation error the list must be NULL -- terminated. 
*/ -- ai->ai_next = NULL; -- -- if (family == AF_INET6) -- { -- struct sockaddr_in6 *sin6p = -- (struct sockaddr_in6 *) ai->ai_addr; -- -- sin6p->sin6_port = st2->port; -- sin6p->sin6_flowinfo = 0; -- memcpy (&sin6p->sin6_addr, -- at2->addr, sizeof (struct in6_addr)); -- sin6p->sin6_scope_id = at2->scopeid; -- } -- else -- { -- struct sockaddr_in *sinp = -- (struct sockaddr_in *) ai->ai_addr; -- sinp->sin_port = st2->port; -- memcpy (&sinp->sin_addr, -- at2->addr, sizeof (struct in_addr)); -- memset (sinp->sin_zero, '\0', sizeof (sinp->sin_zero)); -- } -+ res.at = local_at; - -- pai = &(ai->ai_next); -- } -+ if (__glibc_unlikely (name == NULL)) -+ { -+ get_local_addresses (req, &res); -+ goto process_list; -+ } -+ -+ if (req->ai_flags & AI_IDN) -+ { -+ char *out; -+ result = __idna_to_dns_encoding (name, &out); -+ if (result != 0) -+ return -result; -+ name = out; -+ malloc_name = true; -+ } -+ -+ if ((result = text_to_binary_address (name, req, &res)) != 0) -+ goto free_and_return; -+ else if (res.at != NULL) -+ goto process_list; -+ -+ if ((result = try_simple_gethostbyname (name, req, tmpbuf, &res)) != 0) -+ goto free_and_return; -+ else if (res.at != NULL) -+ goto process_list; -+ -+#ifdef USE_NSCD -+ if ((result = get_nscd_addresses (name, req, &res)) != 0) -+ goto free_and_return; -+ else if (res.at != NULL) -+ goto process_list; -+#endif - -- ++*naddrs; -+ if ((result = get_nss_addresses (name, req, tmpbuf, &res)) != 0) -+ goto free_and_return; -+ else if (res.at != NULL) -+ goto process_list; -+ -+ /* None of the lookups worked, so name not found. */ -+ result = -EAI_NONAME; -+ goto free_and_return; -+ -+process_list: -+ /* Set up the canonical name if we need it. 
*/ -+ if ((result = process_canonname (req, orig_name, &res)) != 0) -+ goto free_and_return; - -- ignore: -- at2 = at2->next; -- } -- } -+ result = generate_addrinfo (req, &res, st, pai, naddrs); - -- free_and_return: -+free_and_return: - if (malloc_name) - free ((char *) name); - free (addrmem); -- free (canonbuf); -+ gaih_result_reset (&res); - - return result; - } diff --git a/SPECS/glibc/CVE-2023-4911.patch b/SPECS/glibc/CVE-2023-4911.patch index f20443b6e42..98da4526b6d 100644 --- a/SPECS/glibc/CVE-2023-4911.patch +++ b/SPECS/glibc/CVE-2023-4911.patch 
@@ -1,29 +1,9 @@ -From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar -Date: Tue, 19 Sep 2023 18:39:32 -0400 -Subject: [PATCH] tunables: Terminate if end of input is reached - (CVE-2023-4911) +backport of https://sourceware.org/git/?p=glibc.git;a=patch;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa -The string parsing routine may end up writing beyond bounds of tunestr -if the input tunable string is malformed, of the form name=name=val. -This gets processed twice, first as name=name=val and next as name=val, -resulting in tunestr being name=name=val:name=val, thus overflowing -tunestr. - -Terminate the parsing loop at the first instance itself so that tunestr -does not overflow. - -This also fixes up tst-env-setuid-tunables to actually handle failures -correct and add new tests to validate the fix for this CVE. - -Signed-off-by: Siddhesh Poyarekar -Reviewed-by: Carlos O'Donell - -diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c -index 8e7ee9d..76cf8b9 100644 ---- a/elf/dl-tunables.c -+++ b/elf/dl-tunables.c -@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) +diff -ru glibc-2.38-orig/elf/dl-tunables.c glibc-2.38/elf/dl-tunables.c +--- glibc-2.38-orig/elf/dl-tunables.c 2024-06-17 21:53:23.756408666 +0000 ++++ glibc-2.38/elf/dl-tunables.c 2024-06-17 23:01:00.207961672 +0000 +@@ -180,11 +180,7 @@ /* If we reach the end of the string before getting a valid name-value pair, bail out. */ if (p[len] == '\0') @@ -36,7 +16,7 @@ index 8e7ee9d..76cf8b9 100644 /* We did not find a valid name-value pair before encountering the colon. */ -@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) +@@ -244,9 +240,16 @@ } } 
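Review bot: The new header of CVE-2023-4911.patch replaces the upstream author, subject and explanation of the `name=name=val` overflow of `tunestr` with a single URL, and the hunks are regenerated with `diff -ru` against glibc-2.38-orig. A reader can no longer tell from the file what was adapted relative to the upstream commit. Keep a short provenance block, for example `Subject: tunables: Terminate if end of input is reached (CVE-2023-4911)`, plus one line naming what was changed for 2.38 (the `#if HAVE_TUNABLES` context appears to be gone in the later hunks). The same applies to the rewritten CVE-2023-5156.patch header and to the new CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch.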
@@ -53,13 +33,12 @@ index 8e7ee9d..76cf8b9 100644 + if (__libc_enable_secure) + tunestr[off] = '\0'; } - #endif -diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c -index 88182b7..0e77584 100644 ---- a/elf/tst-env-setuid-tunables.c -+++ b/elf/tst-env-setuid-tunables.c -@@ -52,6 +52,8 @@ const char *teststrings[] = + /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when +diff -ru glibc-2.38-orig/elf/tst-env-setuid-tunables.c glibc-2.38/elf/tst-env-setuid-tunables.c +--- glibc-2.38-orig/elf/tst-env-setuid-tunables.c 2024-06-17 21:53:23.808408845 +0000 ++++ glibc-2.38/elf/tst-env-setuid-tunables.c 2024-06-17 23:26:01.648142768 +0000 +@@ -50,6 +50,8 @@ "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", @@ -68,7 +47,7 @@ index 88182b7..0e77584 100644 "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", ":glibc.malloc.garbage=2:glibc.malloc.check=1", -@@ -70,6 +72,8 @@ const char *resultstrings[] = +@@ -68,6 +70,8 @@ "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", "glibc.malloc.mmap_threshold=4096", "glibc.malloc.mmap_threshold=4096", @@ -77,10 +56,10 @@ index 88182b7..0e77584 100644 "", "", "", -@@ -84,11 +88,18 @@ test_child (int off) +@@ -81,11 +85,18 @@ + { const char *val = getenv ("GLIBC_TUNABLES"); - #if HAVE_TUNABLES + printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); + fflush (stdout); if (val != NULL && strcmp (val, resultstrings[off]) == 0) 
@@ -96,39 +75,39 @@ index 88182b7..0e77584 100644 + fflush (stdout); return 1; - #else -@@ -118,30 +129,40 @@ do_test (int argc, char **argv) + } +@@ -106,7 +117,9 @@ + if (ret != 0) exit (1); - exit (EXIT_SUCCESS); +- exit (EXIT_SUCCESS); + /* Special return code to make sure that the child executed all the way + through. */ + exit (42); } else { -- int ret = 0; -- - /* Spawn tests. */ - for (int i = 0; i < array_length (teststrings); i++) +@@ -117,10 +130,15 @@ { char buf[INT_BUFSIZE_BOUND (int)]; - printf ("Spawned test for %s (%d)\n", teststrings[i], i); +- snprintf (buf, sizeof (buf), "%d\n", i); +- if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) +- exit (1); + printf ("[%d] Spawned test for %s\n", i, teststrings[i]); - snprintf (buf, sizeof (buf), "%d\n", i); ++ snprintf (buf, sizeof (buf), "%d\n", i); + fflush (stdout); - if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) -- exit (1); -- ++ if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) + { + printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); + support_record_failure (); + continue; + } + int status = support_capture_subprogram_self_sgid (buf); - /* Bail out early if unsupported. */ +@@ -128,9 +146,14 @@ if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) return EXIT_UNSUPPORTED; diff --git a/SPECS/glibc/CVE-2023-5156.patch b/SPECS/glibc/CVE-2023-5156.patch index db562f4a42e..4a869922cf8 100644 --- a/SPECS/glibc/CVE-2023-5156.patch +++ b/SPECS/glibc/CVE-2023-5156.patch 
@@ -1,99 +1,16 @@ -From 17092c0311f954e6f3c010f73ce3a78c24ac279a Mon Sep 17 00:00:00 2001 -From: Romain Geissler -Date: Mon, 25 Sep 2023 01:21:51 +0100 -Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for - CVE-2023-4806 [BZ #30843] +backport of https://sourceware.org/git?p=glibc.git;a=commit;h=17092c0311f954e6f3c010f73ce3a78c24ac279a -This patch fixes a very recently added leak in getaddrinfo. - -This was assigned CVE-2023-5156. - -Resolves: BZ #30884 -Related: BZ #30842 - -Reviewed-by: Siddhesh Poyarekar -(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796) ---- - nss/Makefile | 20 ++++++++++++++++++++ - nss/tst-nss-gai-hv2-canonname.c | 3 +++ - sysdeps/posix/getaddrinfo.c | 4 +--- - 3 files changed, 24 insertions(+), 3 deletions(-) - -diff -ruN a/nss/Makefile b/nss/Makefile ---- a/nss/Makefile 2023-10-03 16:02:01.212592000 -0700 -+++ b/nss/Makefile 2023-10-03 18:03:01.994397600 -0700 -@@ -136,6 +136,15 @@ - extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ - nss_test_gai_hv2_canonname.os - -+ifeq ($(run-built-tests),yes) -+ifneq (no,$(PERL)) -+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out -+endif -+endif -+ -+generated += mtrace-tst-nss-gai-hv2-canonname.out \ -+ tst-nss-gai-hv2-canonname.mtrace -+ - include ../Rules - - ifeq (yes,$(have-selinux)) -@@ -198,6 +207,17 @@ - $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so - $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so - -+tst-nss-gai-hv2-canonname-ENV = \ -+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ -+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so -+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ -+ $(objpfx)tst-nss-gai-hv2-canonname.out -+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ -+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ -+ && $(common-objpfx)malloc/mtrace \ -+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ -+ $(evaluate-test) -+ - # 
Disable DT_RUNPATH on NSS tests so that the glibc internal NSS - # functions can load testing NSS modules via DT_RPATH. - LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags ---- a/nss/tst-nss-gai-hv2-canonname.c -+++ b/nss/tst-nss-gai-hv2-canonname.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - #include - #include - #include "nss/tst-nss-gai-hv2-canonname.h" -@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) - static int - do_test (void) - { -+ mtrace (); -+ - __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); - - struct addrinfo hints = {}; -diff -ruN a/NEWS b/NEWS ---- a/NEWS 2022-02-02 21:27:54.000000000 -0800 -+++ b/NEWS 2023-10-03 20:04:28.294207226 -0700 -@@ -5,6 +5,18 @@ - Please send GNU C library bug reports via - using `glibc' in the "product" field. - -+ -+Security related changes: -+ -+ CVE-2023-4806: When an NSS plugin only implements the -+ _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use -+ memory that was freed during buffer resizing, potentially causing a -+ crash or read or write to arbitrary memory. -+ -+ CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when -+ an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, -+ AI_ALL and AI_V4MAPPED flags set. -+ - Version 2.35 +diff -ru glibc-2.38-orig/sysdeps/posix/getaddrinfo.c glibc-2.38/sysdeps/posix/getaddrinfo.c +--- glibc-2.38-orig/sysdeps/posix/getaddrinfo.c 2024-06-17 21:53:25.432414431 +0000 ++++ glibc-2.38/sysdeps/posix/getaddrinfo.c 2024-06-17 23:44:56.127284457 +0000 +@@ -1187,9 +1187,7 @@ + if (malloc_name) + free ((char *) name); + free (addrmem); +- if (res.free_at) +- free (res.at); +- free (res.canon); ++ gaih_result_reset (&res); - Major new features: + return result; + } diff --git a/SPECS/glibc/CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch b/SPECS/glibc/CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch new file mode 100644 index 00000000000..41eed5cf391 --- /dev/null 
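Review bot: The rewritten CVE-2023-5156.patch keeps only the sysdeps/posix/getaddrinfo.c change and drops the nss/Makefile mtrace rule and the `mtrace ();` call in nss/tst-nss-gai-hv2-canonname.c that the previous version carried. The leak described by this CVE therefore loses its regression coverage in the package's test run; if that test exists in the 2.38 tree being patched, keep those two sections. The remaining change calls `gaih_result_reset (&res);`, whose definition is not visible in this patch. Confirm the tree defines it before this patch applies (the removed header ties this fix to the CVE-2023-4806 change) and state that dependency in the new header line.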
+++ b/SPECS/glibc/CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch 
@@ -0,0 +1,158 @@ +Backport of the below commit +CVE-2023-6246 -> https://sourceware.org/git?p=glibc.git;a=commit;h=6bd0e4efcc78f3c0115e5ea9739a1642807450da +CVE-2023-6779 -> https://sourceware.org/git?p=glibc.git;a=commit;h=7e5a0c286da33159d47d0122007aac016f3e02cd +CVE-2023-6780 -> https://sourceware.org/git?p=glibc.git;a=commit;h=ddf542da94caf97ff43cc2875c88749880b7259b + + +diff -ru glibc-2.38-orig/misc/Makefile glibc-2.38/misc/Makefile +--- glibc-2.38-orig/misc/Makefile 2024-06-17 21:53:24.532411335 +0000 ++++ glibc-2.38/misc/Makefile 2024-06-17 21:57:25.721213362 +0000 +@@ -351,6 +351,9 @@ + $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \ + $(evaluate-test) + ++tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \ ++ LD_PRELOAD=libc_malloc_debug.so.0 ++ + $(objpfx)tst-select: $(librt) + $(objpfx)tst-select-time64: $(librt) + $(objpfx)tst-pselect: $(librt) +diff -ru glibc-2.38-orig/misc/syslog.c glibc-2.38/misc/syslog.c +--- glibc-2.38-orig/misc/syslog.c 2024-06-17 21:53:24.552411404 +0000 ++++ glibc-2.38/misc/syslog.c 2024-06-17 22:39:50.400414890 +0000 +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + static int LogType = SOCK_DGRAM; /* type of socket connection */ + static int LogFile = -1; /* fd for log */ +@@ -124,8 +125,9 @@ + { + /* Try to use a static buffer as an optimization. 
*/ + char bufs[1024]; +- char *buf = NULL; +- size_t bufsize = 0; ++ char *buf = bufs; ++ size_t bufsize; ++ + int msgoff; + int saved_errno = errno; + +@@ -177,29 +179,54 @@ + #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \ + "<%d>: %n", __pri, __msgoff + +- int l; ++ int l, vl; + if (has_ts) + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); + else + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); +- if (0 <= l && l < sizeof bufs) ++ if (l < 0) ++ goto out; ++ ++ char *pos; ++ size_t len; ++ ++ if (l < sizeof bufs) ++ { ++ /* At this point, there is still a chance that we can print the ++ remaining part of the log into bufs and use that. */ ++ pos = bufs + l; ++ len = sizeof (bufs) - l; ++ } ++ else + { +- va_list apc; +- va_copy (apc, ap); ++ buf = NULL; ++ /* We already know that bufs is too small to use for this log message. ++ The next vsnprintf into bufs is used only to calculate the total ++ required buffer length. We will discard bufs contents and allocate ++ an appropriately sized buffer later instead. */ ++ pos = bufs; ++ len = sizeof (bufs); ++ } + +- /* Restore errno for %m format. */ +- __set_errno (saved_errno); ++ { ++ va_list apc; ++ va_copy (apc, ap); + +- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, +- mode_flags); +- if (0 <= vl && vl < sizeof bufs - l) +- buf = bufs; +- bufsize = l + vl; ++ /* Restore errno for %m format. */ ++ __set_errno (saved_errno); + +- va_end (apc); +- } ++ va_end (apc); ++ ++ if (vl < 0 || vl >= INT_MAX - l) ++ goto out; ++ ++ if (vl >= len) ++ buf = NULL; ++ ++ bufsize = l + vl; ++ } + + if (buf == NULL) + { +@@ -209,25 +236,37 @@ + /* Tell the cancellation handler to free this buffer. 
*/ + clarg.buf = buf; + ++ int cl; + if (has_ts) +- __snprintf (buf, l + 1, +- SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); + else +- __snprintf (buf, l + 1, +- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ if (cl != l) ++ goto out; + + va_list apc; + va_copy (apc, ap); +- __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, +- mode_flags); +- va_end (apc); ++ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, ++ mode_flags); ++ va_end (apc); ++ ++ if (cl != vl) ++ goto out; + } + else + { ++ int bl; + /* Nothing much to do but emit an error message. */ +- bufsize = __snprintf (bufs, sizeof bufs, +- "out of memory[%d]", __getpid ()); ++ bl = __snprintf (bufs, sizeof bufs, ++ "out of memory[%d]", __getpid ()); ++ if (bl < 0 || bl >= sizeof bufs) ++ goto out; ++ ++ bufsize = bl; + buf = bufs; ++ msgoff = 0; + } + } + +Only in glibc-2.38/misc: tst-syslog-long-progname.c diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec index 823566cfb8d..e015978e701 100644 --- a/SPECS/glibc/glibc.spec +++ b/SPECS/glibc/glibc.spec @@ -10,7 +10,7 @@ Summary: Main C library Name: glibc Version: 2.38 -Release: 5%{?dist} +Release: 6%{?dist} License: BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -30,6 +30,10 @@ Patch3: CVE-2020-1751.nopatch # Rationale: Exploit requires crafted pattern in regex compiler meant only for trusted content Patch4: CVE-2018-20796.nopatch Patch5: https://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.38-memalign_fix-1.patch +Patch6: CVE-2023-4911.patch +Patch7: CVE-2023-5156.patch +Patch8: CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch + BuildRequires: bison BuildRequires: gawk BuildRequires: gettext 
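Review bot: In the misc/syslog.c section of the new CVE-2023-6246-CVE-2023-6779-CVE-2023-6780.patch, `vl` is declared by `int l, vl;` but no added line shown here assigns it before `if (vl < 0 || vl >= INT_MAX - l)`. The removed code had `int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, mode_flags);`, and the new `pos` and `len` are set but never used, so the formatting call appears to have been lost in the backport. As written, `bufsize` and the later `cl != vl` check would depend on an indeterminate value. Restore `vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags);` ahead of `va_end (apc);` and compare the result against the three upstream commits named in the patch header. The patch also sets `tst-syslog-long-progname-ENV` in misc/Makefile, while the trailing `Only in glibc-2.38/misc: tst-syslog-long-progname.c` line suggests the test source was not captured, so the regression test for the overflow does not appear to ship with the fix.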
@@ -348,6 +352,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %exclude %{_libdir}/locale/C.utf8 %changelog +* Mon Jun 17 2024 Nicolas Guibourge - 2.38-6 +- Address CVE-2023-4911, CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780 + * Wed May 22 2024 Suresh Babu Chalamalasetty - 2.38-5 - Generate and provide glibc all locales in a sub-package diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index 6716fd07685..9c629bae60a 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -19,7 +19,7 @@ URL: https://kubernetes.io/ Source0: https://dl.k8s.io/v%{version}/kubernetes-src.tar.gz#/%{name}-v%{version}.tar.gz Source1: kubelet.service BuildRequires: flex-devel -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: golang BuildRequires: rsync BuildRequires: systemd-devel diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index 32e3fd1f2b2..2f6afeaee6f 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -34,7 +34,7 @@ Patch0: Cleanup-housekeeping-cgroup-on-vm-del.patch Patch1: Hotplug_detach_grace_period.patch %global debug_package %{nil} BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: golang >= 1.21 BuildRequires: golang-packaging BuildRequires: pkgconfig diff --git a/SPECS/libguestfs/libguestfs.spec b/SPECS/libguestfs/libguestfs.spec index ba4878117d1..412ce5c4b6a 100644 --- a/SPECS/libguestfs/libguestfs.spec +++ b/SPECS/libguestfs/libguestfs.spec @@ -82,7 +82,7 @@ BuildRequires: gcc-c++ BuildRequires: gdisk BuildRequires: genisoimage BuildRequires: gfs2-utils -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: gobject-introspection-devel BuildRequires: gperf BuildRequires: grep 
diff --git a/SPECS/mdadm/mdadm.spec b/SPECS/mdadm/mdadm.spec index 2f47c81a5d2..f0dbd6077ca 100644 --- a/SPECS/mdadm/mdadm.spec +++ b/SPECS/mdadm/mdadm.spec @@ -145,7 +145,7 @@ Patch198: mdadm-2.5.2-static.patch Patch199: disable-Werror.patch BuildRequires: make -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: systemd-rpm-macros BuildRequires: binutils-devel BuildRequires: gcc diff --git a/SPECS/qemu/qemu.spec b/SPECS/qemu/qemu.spec index db824f942df..2a3f34384dd 100644 --- a/SPECS/qemu/qemu.spec +++ b/SPECS/qemu/qemu.spec @@ -659,7 +659,7 @@ BuildRequires: rutabaga-gfx-ffi-devel %endif %if %{user_static} -BuildRequires: glibc-static >= 2.38-5 +BuildRequires: glibc-static >= 2.38-6 BuildRequires: glib2-static zlib-static BuildRequires: pcre2-static %endif diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec index c16dc212a59..50c22c80caa 100644 --- a/SPECS/rust/rust.spec +++ b/SPECS/rust/rust.spec @@ -57,7 +57,7 @@ BuildRequires: ninja-build BuildRequires: openssl-devel BuildRequires: python3 %if 0%{?with_check} -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} %endif # rustc uses a C compiler to invoke the linker, and links to glibc in most cases Requires: binutils diff --git a/SPECS/supermin/supermin.spec b/SPECS/supermin/supermin.spec index 667cedbd0fc..f7de7ce73b6 100644 --- a/SPECS/supermin/supermin.spec +++ b/SPECS/supermin/supermin.spec @@ -54,7 +54,7 @@ BuildRequires: systemd-udev %if %{with dietlibc} BuildRequires: dietlibc-devel %else -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} %endif %if 0%{?with_check} diff --git a/SPECS/tini/tini.spec b/SPECS/tini/tini.spec index 6d94aef0fda..376efe87741 100644 --- a/SPECS/tini/tini.spec +++ b/SPECS/tini/tini.spec 
@@ -13,7 +13,7 @@ BuildRequires: diffutils BuildRequires: file BuildRequires: gcc BuildRequires: glibc-devel -BuildRequires: glibc-static >= 2.38-5%{?dist} +BuildRequires: glibc-static >= 2.38-6%{?dist} BuildRequires: kernel-headers BuildRequires: make BuildRequires: sed diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index b7e5a08bd15..60395e71960 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,13 +1,13 @@ filesystem-1.1-21.azl3.aarch64.rpm kernel-headers-6.6.29.1-4.azl3.noarch.rpm -glibc-2.38-5.azl3.aarch64.rpm -glibc-devel-2.38-5.azl3.aarch64.rpm -glibc-i18n-2.38-5.azl3.aarch64.rpm -glibc-iconv-2.38-5.azl3.aarch64.rpm -glibc-lang-2.38-5.azl3.aarch64.rpm -glibc-locales-all-2.38-5.azl3.aarch64.rpm -glibc-nscd-2.38-5.azl3.aarch64.rpm -glibc-tools-2.38-5.azl3.aarch64.rpm +glibc-2.38-6.azl3.aarch64.rpm +glibc-devel-2.38-6.azl3.aarch64.rpm +glibc-i18n-2.38-6.azl3.aarch64.rpm +glibc-iconv-2.38-6.azl3.aarch64.rpm +glibc-lang-2.38-6.azl3.aarch64.rpm +glibc-locales-all-2.38-6.azl3.aarch64.rpm +glibc-nscd-2.38-6.azl3.aarch64.rpm +glibc-tools-2.38-6.azl3.aarch64.rpm zlib-1.3.1-1.azl3.aarch64.rpm zlib-devel-1.3.1-1.azl3.aarch64.rpm file-5.45-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index c5f8554ea3e..4823a3e4b8b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -1,13 +1,13 @@
 filesystem-1.1-21.azl3.x86_64.rpm
 kernel-headers-6.6.29.1-4.azl3.noarch.rpm
-glibc-2.38-5.azl3.x86_64.rpm
-glibc-devel-2.38-5.azl3.x86_64.rpm
-glibc-i18n-2.38-5.azl3.x86_64.rpm
-glibc-iconv-2.38-5.azl3.x86_64.rpm
-glibc-lang-2.38-5.azl3.x86_64.rpm
-glibc-locales-all-2.38-5.azl3.x86_64.rpm
-glibc-nscd-2.38-5.azl3.x86_64.rpm
-glibc-tools-2.38-5.azl3.x86_64.rpm
+glibc-2.38-6.azl3.x86_64.rpm
+glibc-devel-2.38-6.azl3.x86_64.rpm
+glibc-i18n-2.38-6.azl3.x86_64.rpm
+glibc-iconv-2.38-6.azl3.x86_64.rpm
+glibc-lang-2.38-6.azl3.x86_64.rpm
+glibc-locales-all-2.38-6.azl3.x86_64.rpm
+glibc-nscd-2.38-6.azl3.x86_64.rpm
+glibc-tools-2.38-6.azl3.x86_64.rpm
 zlib-1.3.1-1.azl3.x86_64.rpm
 zlib-devel-1.3.1-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 9bfe61fa3ef..94965fffe45 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -121,16 +121,16 @@ glib-debuginfo-2.78.1-4.azl3.aarch64.rpm
 glib-devel-2.78.1-4.azl3.aarch64.rpm
 glib-doc-2.78.1-4.azl3.noarch.rpm
 glib-schemas-2.78.1-4.azl3.aarch64.rpm
-glibc-2.38-5.azl3.aarch64.rpm
-glibc-debuginfo-2.38-5.azl3.aarch64.rpm
-glibc-devel-2.38-5.azl3.aarch64.rpm
-glibc-i18n-2.38-5.azl3.aarch64.rpm
-glibc-iconv-2.38-5.azl3.aarch64.rpm
-glibc-lang-2.38-5.azl3.aarch64.rpm
-glibc-locales-all-2.38-5.azl3.aarch64.rpm
-glibc-nscd-2.38-5.azl3.aarch64.rpm
-glibc-static-2.38-5.azl3.aarch64.rpm
-glibc-tools-2.38-5.azl3.aarch64.rpm
+glibc-2.38-6.azl3.aarch64.rpm
+glibc-debuginfo-2.38-6.azl3.aarch64.rpm
+glibc-devel-2.38-6.azl3.aarch64.rpm
+glibc-i18n-2.38-6.azl3.aarch64.rpm
+glibc-iconv-2.38-6.azl3.aarch64.rpm
+glibc-lang-2.38-6.azl3.aarch64.rpm
+glibc-locales-all-2.38-6.azl3.aarch64.rpm
+glibc-nscd-2.38-6.azl3.aarch64.rpm
+glibc-static-2.38-6.azl3.aarch64.rpm
+glibc-tools-2.38-6.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 8240a99f6ae..9e11264cc88 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -126,16 +126,16 @@ glib-debuginfo-2.78.1-4.azl3.x86_64.rpm glib-devel-2.78.1-4.azl3.x86_64.rpm glib-doc-2.78.1-4.azl3.noarch.rpm glib-schemas-2.78.1-4.azl3.x86_64.rpm -glibc-2.38-5.azl3.x86_64.rpm -glibc-debuginfo-2.38-5.azl3.x86_64.rpm -glibc-devel-2.38-5.azl3.x86_64.rpm -glibc-i18n-2.38-5.azl3.x86_64.rpm -glibc-iconv-2.38-5.azl3.x86_64.rpm -glibc-lang-2.38-5.azl3.x86_64.rpm -glibc-locales-all-2.38-5.azl3.x86_64.rpm -glibc-nscd-2.38-5.azl3.x86_64.rpm -glibc-static-2.38-5.azl3.x86_64.rpm -glibc-tools-2.38-5.azl3.x86_64.rpm +glibc-2.38-6.azl3.x86_64.rpm +glibc-debuginfo-2.38-6.azl3.x86_64.rpm +glibc-devel-2.38-6.azl3.x86_64.rpm +glibc-i18n-2.38-6.azl3.x86_64.rpm +glibc-iconv-2.38-6.azl3.x86_64.rpm +glibc-lang-2.38-6.azl3.x86_64.rpm +glibc-locales-all-2.38-6.azl3.x86_64.rpm +glibc-nscd-2.38-6.azl3.x86_64.rpm +glibc-static-2.38-6.azl3.x86_64.rpm +glibc-tools-2.38-6.azl3.x86_64.rpm gmp-6.3.0-1.azl3.x86_64.rpm gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm gmp-devel-6.3.0-1.azl3.x86_64.rpm From 5a20c8e29b44d0007fcc88ea94dd1d0fff6a0e5c Mon Sep 17 00:00:00 2001 From: amritakohli <56371098+amritakohli@users.noreply.github.com> Date: Tue, 18 Jun 2024 14:58:51 -0700 Subject: [PATCH 24/40] python-jsonschema: revert upgrade (#9427) --- .../python-jsonschema.signatures.json | 8 +-- .../python-jsonschema/python-jsonschema.spec | 49 ++++--------------- cgmanifest.json | 4 +- 3 files changed, 16 insertions(+), 45 deletions(-) diff --git a/SPECS/python-jsonschema/python-jsonschema.signatures.json b/SPECS/python-jsonschema/python-jsonschema.signatures.json index 5b758daac6e..010c9157b5f 100644 --- a/SPECS/python-jsonschema/python-jsonschema.signatures.json +++ b/SPECS/python-jsonschema/python-jsonschema.signatures.json 
@@ -1,5 +1,5 @@ { - "Signatures": { - "jsonschema-4.21.1.tar.gz": "85727c00279f5fa6bedbe6238d2aa6403bedd8b4864ab11207d07df3cc1b2ee5" - } -} \ No newline at end of file + "Signatures": { + "jsonschema-2.6.0.tar.gz": "6ff5f3180870836cae40f06fa10419f557208175f13ad7bc26caa77beb1f6e02" + } +} diff --git a/SPECS/python-jsonschema/python-jsonschema.spec b/SPECS/python-jsonschema/python-jsonschema.spec index dec5cf6b4d3..133edcee2fc 100644 --- a/SPECS/python-jsonschema/python-jsonschema.spec +++ b/SPECS/python-jsonschema/python-jsonschema.spec @@ -1,7 +1,7 @@ Summary: An implementation of JSON Schema validation for Python Name: python-jsonschema -Version: 4.21.1 -Release: 1%{?dist} +Version: 2.6.0 +Release: 6%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux 
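Review bot: `Version:` moves backwards from 4.21.1 to 2.6.0 in the python-jsonschema.spec `@@ -1,7 +1,7 @@` hunk and no `Epoch:` is added, so RPM version comparison will still rank an installed or published `4.21.1-1` above this `2.6.0-6` build. If 4.21.1-1 ever reached a repository, systems that have it will not pick up the revert on update and will keep a package this tree no longer builds or patches; adding `Epoch: 1`, or confirming that 4.21.1-1 was never published, would close that gap. The following `@@ -16,66 +16,37 @@` hunk also deletes the 4.21.1 `%changelog` entry without adding one for the revert, so a new dated entry stating the revert and its reason would keep the package history auditable.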
@@ -16,66 +16,37 @@ http://tools.ietf.org/html/draft-zyp-json-schema-03 %package -n python3-jsonschema Summary: An implementation of JSON Schema validation for Python -BuildRequires: pyproject-rpm-macros BuildRequires: python3-devel -BuildRequires: python3-hatchling -BuildRequires: python3-hatch-fancy-pypi-readme -BuildRequires: python3-hatch-vcs -BuildRequires: python3-packaging -BuildRequires: python3-pathspec -BuildRequires: python3-pip -BuildRequires: python3-pluggy BuildRequires: python3-setuptools -BuildRequires: python3-setuptools_scm -BuildRequires: python3-trove-classifiers BuildRequires: python3-vcversioner -BuildRequires: python3-wheel BuildRequires: python3-xml -%if %{with_check} -BuildRequires: python3-twisted -BuildRequires: python3-typing-extensions -%endif Requires: python3 %description -n python3-jsonschema jsonschema is JSON Schema validator currently based on http://tools.ietf.org/html/draft-zyp-json-schema-03 -%pyproject_extras_subpkg -n python3-jsonschema format format-nongpl - %prep %autosetup -n jsonschema-%{version} -# Requires a checkout of the JSON-Schema-Test-Suite -# https://github.com/json-schema-org/JSON-Schema-Test-Suite -rm jsonschema/tests/test_jsonschema_test_suite.py - -%generate_buildrequires -%pyproject_buildrequires - %build -%pyproject_wheel +%py3_build %install -%pyproject_install -%pyproject_save_files jsonschema +%py3_install +ln -s jsonschema %{buildroot}%{_bindir}/jsonschema3 -%if %{with_check} %check -pip3 install jsonschema-specifications referencing -PYTHONPATH=%{buildroot}%{python3_sitelib} trial3 jsonschema -%endif +%python3 setup test -%files -n python3-jsonschema -f %{pyproject_files} +%files -n python3-jsonschema %defattr(-,root,root) -%license COPYING json/LICENSE -%doc README.rst +%license COPYING +%{python3_sitelib}/* %{_bindir}/jsonschema +%{_bindir}/jsonschema3 %changelog -* Mon Feb 26 2024 CBL-Mariner Servicing Account - 4.21.1-1 -- Auto-upgrade to 4.21.1 - Azure Linux 3.0 - package upgrades - * Wed Oct 20 
2021 Thomas Crain - 2.6.0-6 - Remove python2 package - Lint spec diff --git a/cgmanifest.json b/cgmanifest.json index 37779cbc2cd..11ba476602a 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -22833,8 +22833,8 @@ "type": "other", "other": { "name": "python-jsonschema", - "version": "4.21.1", - "downloadUrl": "https://pypi.python.org/packages/source/j/jsonschema/jsonschema-4.21.1.tar.gz" + "version": "2.6.0", + "downloadUrl": "https://pypi.python.org/packages/source/j/jsonschema/jsonschema-2.6.0.tar.gz" } } }, From a6d8189444f04f9bdb52cd93e3e77fbc76e9e5d7 Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Wed, 19 Jun 2024 10:12:22 -0700 Subject: [PATCH 25/40] Remove locales from core images, add documentation on restoring locales (#9430) --- toolkit/docs/formats/imageconfig.md | 4 ++++ toolkit/imageconfigs/core-efi.json | 3 ++- toolkit/imageconfigs/core-legacy.json | 4 +++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/toolkit/docs/formats/imageconfig.md b/toolkit/docs/formats/imageconfig.md index bd4f5e03844..8802e4e0c3f 100644 --- a/toolkit/docs/formats/imageconfig.md +++ b/toolkit/docs/formats/imageconfig.md 
@@ -217,6 +217,10 @@ A specific locale string may also be set using: This may be any value compatible with the `%_install_langs` rpm macro. +#### Restoring Documentation and Locales on an Installed System + +The `OverrideRpmLocales` and `DisableRpmDocs` settings are stored in `/usr/lib/rpm/macros.d/macros.installercustomizations_*` files on the final system. The files selected for install are based on the `rpm` macros at the time of transaction, so to restore these files on an installed system remove the associated macro definition and run `tdnf -y reinstall $(rpm -qa)`. This will reinstall all packages and apply the new settings. + ### Customization Scripts The tools offer the option of executing arbitrary shell scripts during various points of the image generation process. There are three points that scripts can be executed: `PreInstall`, `PostInstall`, and `ImageFinalize`. diff --git a/toolkit/imageconfigs/core-efi.json b/toolkit/imageconfigs/core-efi.json index 97a3374217b..293d1d049b3 100644 --- a/toolkit/imageconfigs/core-efi.json +++ b/toolkit/imageconfigs/core-efi.json @@ -54,7 +54,8 @@ "default": "kernel" }, "Hostname": "azurelinux", - "DisableRpmDocs": true + "DisableRpmDocs": true, + "OverrideRpmLocales": "NONE" } ] } diff --git a/toolkit/imageconfigs/core-legacy.json b/toolkit/imageconfigs/core-legacy.json index a1bd8a6299d..f326d13ed81 100644 --- a/toolkit/imageconfigs/core-legacy.json +++ b/toolkit/imageconfigs/core-legacy.json @@ -51,7 +51,9 @@ "KernelOptions": { "default": "kernel" }, - "Hostname": "azurelinux" + "Hostname": "azurelinux", + "DisableRpmDocs": true, + "OverrideRpmLocales": "NONE" } ] } From f32fdc4927487b220c01fc0926bf6baac6d4ebcb Mon Sep 17 00:00:00 2001 
From: Daniel McIlvaney Date: Wed, 19 Jun 2024 10:25:15 -0700 Subject: [PATCH 26/40] Patch bash to load startup files when invoked with '-bash' (#9425) --- SPECS/bash/bash-2.03-profile.patch | 12 ++++++++++++ SPECS/bash/bash.spec | 8 +++++++- .../manifests/package/pkggen_core_aarch64.txt | 6 +++--- .../manifests/package/pkggen_core_x86_64.txt | 6 +++--- .../manifests/package/toolchain_aarch64.txt | 8 ++++---- .../resources/manifests/package/toolchain_x86_64.txt | 8 ++++---- 6 files changed, 33 insertions(+), 15 deletions(-) create mode 100644 SPECS/bash/bash-2.03-profile.patch diff --git a/SPECS/bash/bash-2.03-profile.patch b/SPECS/bash/bash-2.03-profile.patch new file mode 100644 index 00000000000..ba3344b3cc1 --- /dev/null +++ b/SPECS/bash/bash-2.03-profile.patch @@ -0,0 +1,12 @@ +diff -up bash-3.2/config-top.h.profile bash-3.2/config-top.h +--- bash-3.2/config-top.h.profile 2008-07-17 13:35:39.000000000 +0200 ++++ bash-3.2/config-top.h 2008-07-17 13:42:18.000000000 +0200 +@@ -26,6 +26,8 @@ + what POSIX.2 specifies. */ + #define CONTINUE_AFTER_KILL_ERROR + ++#define NON_INTERACTIVE_LOGIN_SHELLS ++ + /* Define BREAK_COMPLAINS if you want the non-standard, but useful + error messages about `break' and `continue' out of context. */ + #define BREAK_COMPLAINS diff --git a/SPECS/bash/bash.spec b/SPECS/bash/bash.spec index c5ee6f5a61c..4b37ec039e0 100644 --- a/SPECS/bash/bash.spec +++ b/SPECS/bash/bash.spec @@ -1,7 +1,7 @@ Summary: Bourne-Again SHell Name: bash Version: 5.2.15 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -10,6 +10,8 @@ URL: https://www.gnu.org/software/bash/ Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz Source1: bash_completion Patch0: bash-5.1.patch +# Non-interactive shells beginning with argv[0][0] == '-' should run the startup files when not in posix mode. +Patch1: bash-2.03-profile.patch BuildRequires: readline Requires: readline Requires(post): /bin/cp 
@@ -328,6 +330,10 @@ fi %defattr(-,root,root) %changelog +* Mon Jun 17 2024 Daniel McIlvaney - 5.2.15-2 +- When non-interactive shells are started with '-bash' load startup files. From +- Fedora upstream: https://src.fedoraproject.org/rpms/bash/blob/f40/f/bash-2.03-profile.patch + * Tue Nov 21 2023 Andrew Phelps - 5.2.15-1 - Upgrade to version 5.2.15 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 60395e71960..d20cca6be7a 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -43,9 +43,9 @@ readline-8.2-1.azl3.aarch64.rpm readline-devel-8.2-1.azl3.aarch64.rpm coreutils-9.4-2.azl3.aarch64.rpm coreutils-lang-9.4-2.azl3.aarch64.rpm -bash-5.2.15-1.azl3.aarch64.rpm -bash-devel-5.2.15-1.azl3.aarch64.rpm -bash-lang-5.2.15-1.azl3.aarch64.rpm +bash-5.2.15-2.azl3.aarch64.rpm +bash-devel-5.2.15-2.azl3.aarch64.rpm +bash-lang-5.2.15-2.azl3.aarch64.rpm bzip2-1.0.8-1.azl3.aarch64.rpm bzip2-devel-1.0.8-1.azl3.aarch64.rpm bzip2-libs-1.0.8-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 4823a3e4b8b..d0bfa0bd016 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -43,9 +43,9 @@ readline-8.2-1.azl3.x86_64.rpm readline-devel-8.2-1.azl3.x86_64.rpm coreutils-9.4-2.azl3.x86_64.rpm coreutils-lang-9.4-2.azl3.x86_64.rpm -bash-5.2.15-1.azl3.x86_64.rpm -bash-devel-5.2.15-1.azl3.x86_64.rpm -bash-lang-5.2.15-1.azl3.x86_64.rpm +bash-5.2.15-2.azl3.x86_64.rpm +bash-devel-5.2.15-2.azl3.x86_64.rpm +bash-lang-5.2.15-2.azl3.x86_64.rpm bzip2-1.0.8-1.azl3.x86_64.rpm bzip2-devel-1.0.8-1.azl3.x86_64.rpm bzip2-libs-1.0.8-1.azl3.x86_64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 94965fffe45..87af9808156 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -20,10 +20,10 @@ azurelinux-repos-ms-oss-preview-3.0-2.azl3.noarch.rpm azurelinux-repos-preview-3.0-2.azl3.noarch.rpm azurelinux-repos-shared-3.0-2.azl3.noarch.rpm azurelinux-rpm-macros-3.0-5.azl3.noarch.rpm -bash-5.2.15-1.azl3.aarch64.rpm -bash-debuginfo-5.2.15-1.azl3.aarch64.rpm -bash-devel-5.2.15-1.azl3.aarch64.rpm -bash-lang-5.2.15-1.azl3.aarch64.rpm +bash-5.2.15-2.azl3.aarch64.rpm +bash-debuginfo-5.2.15-2.azl3.aarch64.rpm +bash-devel-5.2.15-2.azl3.aarch64.rpm +bash-lang-5.2.15-2.azl3.aarch64.rpm binutils-2.41-2.azl3.aarch64.rpm binutils-debuginfo-2.41-2.azl3.aarch64.rpm binutils-devel-2.41-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 9e11264cc88..4d9f3889788 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -20,10 +20,10 @@ azurelinux-repos-ms-oss-preview-3.0-2.azl3.noarch.rpm azurelinux-repos-preview-3.0-2.azl3.noarch.rpm azurelinux-repos-shared-3.0-2.azl3.noarch.rpm azurelinux-rpm-macros-3.0-5.azl3.noarch.rpm -bash-5.2.15-1.azl3.x86_64.rpm -bash-debuginfo-5.2.15-1.azl3.x86_64.rpm -bash-devel-5.2.15-1.azl3.x86_64.rpm -bash-lang-5.2.15-1.azl3.x86_64.rpm +bash-5.2.15-2.azl3.x86_64.rpm +bash-debuginfo-5.2.15-2.azl3.x86_64.rpm +bash-devel-5.2.15-2.azl3.x86_64.rpm +bash-lang-5.2.15-2.azl3.x86_64.rpm binutils-2.41-2.azl3.x86_64.rpm binutils-aarch64-linux-gnu-2.41-2.azl3.x86_64.rpm binutils-debuginfo-2.41-2.azl3.x86_64.rpm From 2af92d397f42e00f6cd1066bb8d39940e72b3362 Mon Sep 17 00:00:00 2001 
From: nicolas guibourge Date: Wed, 19 Jun 2024 10:48:17 -0700 Subject: [PATCH 27/40] =?UTF-8?q?3.0-dev=20-=20telegraf=20upgrade=20to=201?= =?UTF-8?q?.31.0=20to=20address=20CVE-2024-27304,=20CVE-2=E2=80=A6=20(#943?= =?UTF-8?q?7)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: CBL-Mariner Servicing Account --- SPECS/telegraf/telegraf.signatures.json | 4 ++-- SPECS/telegraf/telegraf.spec | 5 ++++- cgmanifest.json | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/SPECS/telegraf/telegraf.signatures.json b/SPECS/telegraf/telegraf.signatures.json index cd929da37db..1d2f0c9a2b6 100644 --- a/SPECS/telegraf/telegraf.signatures.json +++ b/SPECS/telegraf/telegraf.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "telegraf-1.29.4.tar.gz": "1387ee03ae0d5fb94215c2d091a35697bcfff045dbc3c6e0226643951a3cf9f2", - "telegraf-1.29.4-vendor.tar.gz": "fd9d7a0997d3b05296fa65f2b8deb70e4b667cdab6ff4a364980ab114add46ec" + "telegraf-1.31.0.tar.gz": "c7a4725aefaf6cab4a354c577e06032187ce1c428337c795e48bbe7d7054d489", + "telegraf-1.31.0-vendor.tar.gz": "582012893525873ef2b93b95714ea87b002405a1425806a0392ac50e235d3ed0" } } \ No newline at end of file diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index 034c9d6e57c..7714f2acd03 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,6 +1,6 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf -Version: 1.29.4 +Version: 1.31.0 Release: 1%{?dist} License: MIT Vendor: Microsoft Corporation @@ -74,6 +74,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Tue Jun 18 2024 Nicolas Guibourge - 1.31.0-1 +- Auto-upgrade to 1.31.0 - Address CVEs + * Thu Mar 28 2024 CBL-Mariner Servicing Account - 1.29.4-1 - Auto-upgrade to 1.29.4 - Azure Linux 3.0 Package Upgrades - Remove additional logging as it has been added upstream 
diff --git a/cgmanifest.json b/cgmanifest.json index 11ba476602a..333be5a7fb3 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -28446,8 +28446,8 @@ "type": "other", "other": { "name": "telegraf", - "version": "1.29.4", - "downloadUrl": "https://github.com/influxdata/telegraf/archive/refs/tags/v1.29.4.tar.gz" + "version": "1.31.0", + "downloadUrl": "https://github.com/influxdata/telegraf/archive/refs/tags/v1.31.0.tar.gz" } } }, From df2f8f47122c632fb6ee5bed1a276ecf4ab032f5 Mon Sep 17 00:00:00 2001 From: Neha Agarwal <58672330+neha170@users.noreply.github.com> Date: Wed, 19 Jun 2024 14:45:00 -0700 Subject: [PATCH 28/40] add script to update toolchain and package manifest (#9345) --- toolkit/scripts/update_toolchain_manifest.py | 107 +++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 toolkit/scripts/update_toolchain_manifest.py diff --git a/toolkit/scripts/update_toolchain_manifest.py b/toolkit/scripts/update_toolchain_manifest.py new file mode 100644 index 00000000000..768b9fb0a6e --- /dev/null +++ b/toolkit/scripts/update_toolchain_manifest.py 
@@ -0,0 +1,107 @@ +#!/usr/bin/python3 +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +import argparse +import os +import shlex +import subprocess + +# Can't rely on Python's 'pyrpm.spec' module - it's not as good with parsing the spec as 'rpmspec' and may leave unexpanded macros. +RPMSPEC_COMMAND_COMMON = "rpmspec --parse -D 'forgemeta %{{nil}}' -D 'py3_dist X' -D 'with_check 0' -D 'dist .azl3' -D '__python3 python3' -D '_sourcedir {source_dir}' -D 'fillup_prereq fillup'" +manifest_files = ["pkggen_core_x86_64.txt", "toolchain_x86_64.txt", "pkggen_core_aarch64.txt", "toolchain_aarch64.txt"] + +class Entry: + def __init__(self, name, version, release: str): + self.name = name + self.version = version + self.release = release + + def get_processed_entry(self) -> str: + return self.version+"-"+self.release + +def formatted_rpmspec_command(spec_path: str) -> str: + source_dir = os.path.dirname(spec_path) + return f"{RPMSPEC_COMMAND_COMMON.format(source_dir=source_dir)}" + +def read_spec_name(spec_path: str) -> str: + return read_spec_tag(spec_path, "NAME") + +def read_spec_version(spec_path: str) -> str: + return read_spec_tag(spec_path, "VERSION") + +def read_spec_release(spec_path: str): + return read_spec_tag(spec_path, "RELEASE") + +def read_spec_tag(spec_path, tag: str) -> str: + command = formatted_rpmspec_command(spec_path) + raw_output = subprocess.check_output(f"{command} --srpm --qf '%{{{tag}}}' -q {spec_path}", shell=True, + stderr=subprocess.DEVNULL) + return str(raw_output, encoding="utf-8", errors="strict") + +def get_arch(manifest: str) -> str: + if "x86_64" in manifest: + arch = "x86_64" + elif "aarch64" in manifest: + arch = "aarch64" + else: + raise ValueError("failed to find architecture of manifest file") + return arch + +def update_manifest(manifest: str, entry: Entry): + updated_manifest = [] + arch = get_arch(manifest) + + with open(manifest,"r") as manifest_file: + for line in manifest_file: + if 
line.startswith(entry.name): + sublines = line.split('-') + replace_line = sublines[-2]+"-"+sublines[-1] #{version}-{release}.{arch}.rpm + line = line.replace(replace_line, entry.get_processed_entry()+"."+arch+".rpm\n") + updated_manifest.append(line) + + with open(manifest, "w") as manifest_file: + manifest_file.writelines((str(i) for i in updated_manifest)) + + return + +def process_spec(spec_path: str) -> Entry: + print(f"Processing: {spec_path}") + + name = read_spec_name(spec_path) + version = read_spec_version(spec_path) + release = read_spec_release(spec_path) + + return Entry(name, version, release) + +def dir_type(path: str) -> str: + if(os.path.isdir(path)): + return path + else: + raise NotADirectoryError(path, "is not a valid directory") + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description='''Tool for updating the toolchain and pkggen manifest files with values from the input spec files. + Sample usage: python3 scripts/update_toolchain_manifest.py --manifest_dir resources/manifests/package/ --specs ../SPECS/sqlite/sqlite.spec''') + parser.add_argument('--manifest_dir', + type=dir_type, + required=True, + metavar='', + help='path to folder containing toolchain_.txt and pkggen_core_.txt files') + parser.add_argument('--specs', + metavar='', + type=argparse.FileType('r'), + required=True, + nargs='+', + help='path to spec file(s)') + args = parser.parse_args() + manifest_dir = args.manifest_dir + + if not manifest_dir.endswith("/"): + manifest_dir = manifest_dir+'/' + + for spec in args.specs: + entry = process_spec(spec.name) + for manifest in manifest_files: + update_manifest(manifest_dir+manifest, entry) From 68f627883403447427c0b0de6cd218f0571006e2 Mon Sep 17 00:00:00 2001 
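Review bot: `read_spec_tag` calls `subprocess.check_output(..., shell=True)` on an f-string that embeds `spec_path` unquoted (and `source_dir` inside `-D '_sourcedir …'`), so a spec path containing spaces, quotes or shell metacharacters is interpreted by the shell instead of being passed as one argument; `shlex` is imported but never used. Building an argv list and dropping `shell=True` removes the shell from the call, as sketched below; `RPMSPEC_COMMAND_COMMON` and `formatted_rpmspec_command` would then be unused. Separately, `line.startswith(entry.name)` in `update_manifest` also matches longer package names and noarch rows: a `glib` spec would rewrite the `glibc-…` lines and turn `glib-doc-…noarch.rpm` into an arch-specific file name, so the match should compare the package name parsed from the row and keep the row's own arch suffix.

```python
RPMSPEC_DEFINES = ["forgemeta %{nil}", "py3_dist X", "with_check 0", "dist .azl3",
                   "__python3 python3", "fillup_prereq fillup"]

def read_spec_tag(spec_path, tag: str) -> str:
    # argv list, no shell: the spec path and its directory are passed as data.
    argv = ["rpmspec", "--parse", "-D", f"_sourcedir {os.path.dirname(spec_path)}"]
    for define in RPMSPEC_DEFINES:
        argv += ["-D", define]
    argv += ["--srpm", "--qf", f"%{{{tag}}}", "-q", spec_path]
    raw_output = subprocess.check_output(argv, stderr=subprocess.DEVNULL)
    return str(raw_output, encoding="utf-8", errors="strict")
```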
From: Andrew Phelps Date: Wed, 19 Jun 2024 15:18:32 -0700 Subject: [PATCH 29/40] coreutils - add patch to fix uname (#9420) --- SPECS/coreutils/coreutils-9.4-uname-1.patch | 69 +++++++++++++++++++ SPECS/coreutils/coreutils.spec | 6 +- .../manifests/package/pkggen_core_aarch64.txt | 4 +- .../manifests/package/pkggen_core_x86_64.txt | 4 +- .../manifests/package/toolchain_aarch64.txt | 6 +- .../manifests/package/toolchain_x86_64.txt | 6 +- 6 files changed, 84 insertions(+), 11 deletions(-) create mode 100644 SPECS/coreutils/coreutils-9.4-uname-1.patch diff --git a/SPECS/coreutils/coreutils-9.4-uname-1.patch b/SPECS/coreutils/coreutils-9.4-uname-1.patch new file mode 100644 index 00000000000..15f01b19bdd --- /dev/null +++ b/SPECS/coreutils/coreutils-9.4-uname-1.patch 
@@ -0,0 +1,69 @@
+From e92876a5257bc762eb61c2f12f0338be493ab939 Mon Sep 17 00:00:00 2001
+From: Rachel Menge
+Date: Wed, 29 May 2024 22:27:32 +0000
+Subject: [PATCH] coreutils-9.4 uname patch for -i and -p
+
+Original commit info:
+
+Submitted by: William Immendorf
+Date: 2010-05-08
+Inital Package Version: 8.5
+Origin: http://cvs.fedoraproject.org/viewvc/devel/coreutils/coreutils-8.2-uname-processortype.patch
+Upstream Status: Rejected
+Description: Fixes the output of uname's -i and -p parameters
+---
+ src/uname.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/uname.c b/src/uname.c
+index 883b9a4..78641bf 100644
+--- a/src/uname.c
++++ b/src/uname.c
+@@ -313,7 +313,7 @@ main (int argc, char **argv)
+
+ if (toprint & PRINT_PROCESSOR)
+ {
+- char const *element = unknown;
++ char *element = unknown;
+ #ifdef __APPLE__
+ # if defined __arm__ || defined __arm64__
+ element = "arm";
+@@ -330,6 +330,12 @@ main (int argc, char **argv)
+ if (0 <= sysinfo (SI_ARCHITECTURE, processor, sizeof processor))
+ element = processor;
+ }
++#else
++ {
++ struct utsname u;
++ uname(&u);
++ element = u.machine;
++ }
+ #endif
+ #ifdef UNAME_PROCESSOR
+ if (element == unknown)
+@@ -347,7 +353,7 @@ main (int argc, char **argv)
+
+ if (toprint & PRINT_HARDWARE_PLATFORM)
+ {
+- char const *element = unknown;
++ char *element = unknown;
+ #if HAVE_SYSINFO && defined SI_PLATFORM
+ {
+ static char hardware_platform[257];
+@@ -355,6 +361,14 @@ main (int argc, char **argv)
+ hardware_platform, sizeof hardware_platform))
+ element = hardware_platform;
+ }
++#else
++ {
++ struct utsname u;
++ uname(&u);
++ element = u.machine;
++ if(strlen(element)==4 && element[0]=='i' && element[2]=='8' && element[3]=='6')
++ element[1]='3';
++ }
+ #endif
+ #ifdef UNAME_HARDWARE_PLATFORM
+ if (element == unknown)
+--
+2.34.1
diff --git a/SPECS/coreutils/coreutils.spec b/SPECS/coreutils/coreutils.spec
index ef32e5c6c75..8a2ee7b6745 100644
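Review bot: In both added `#else` blocks of the uname patch, `element = u.machine;` stores a pointer into `struct utsname u`, which is declared inside the braces that close right after it, so `element` dangles once the block ends; the `if (element == unknown)` that follows and the later print (outside the hunks) then use a pointer to a dead object, which is undefined behaviour. The return value of `uname(&u)` is also ignored, so `u.machine` may be read uninitialised if the call fails. Giving the buffer static storage and checking the call addresses both: `static struct utsname u;` and `if (uname (&u) == 0) element = u.machine;`, with the i?86 fix-up in the second block moved under the same check. Dropping `const` in `char *element = unknown;` is only needed for the `element[1]='3'` write in the second block, so the first block could keep `char const *element`.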
--- a/SPECS/coreutils/coreutils.spec +++ b/SPECS/coreutils/coreutils.spec @@ -1,7 +1,7 @@ Summary: Basic system utilities Name: coreutils Version: 9.4 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -11,6 +11,7 @@ Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz # make this package to own serial console profile since it utilizes stty tool Source1: serial-console.sh Patch0: coreutils-9.4-i18n-1.patch +Patch1: coreutils-9.4-uname-1.patch BuildRequires: libselinux-devel BuildRequires: libselinux-utils Requires: gmp @@ -91,6 +92,9 @@ LANGUAGE=en_US.UTF-8 LC_ALL=en_US.UTF-8 make -k check %defattr(-,root,root) %changelog +* Mon Jun 17 2024 Andrew Phelps - 9.4-3 +- add coreutils-9.4-uname-1.patch + * Wed Mar 20 2024 Dan Streetman - 9.4-2 - fix serial-console.sh diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index d20cca6be7a..dfd1b6129c4 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -41,8 +41,8 @@ ncurses-libs-6.4-2.azl3.aarch64.rpm ncurses-term-6.4-2.azl3.aarch64.rpm readline-8.2-1.azl3.aarch64.rpm readline-devel-8.2-1.azl3.aarch64.rpm -coreutils-9.4-2.azl3.aarch64.rpm -coreutils-lang-9.4-2.azl3.aarch64.rpm +coreutils-9.4-3.azl3.aarch64.rpm +coreutils-lang-9.4-3.azl3.aarch64.rpm bash-5.2.15-2.azl3.aarch64.rpm bash-devel-5.2.15-2.azl3.aarch64.rpm bash-lang-5.2.15-2.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index d0bfa0bd016..8b9c8de3392 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -41,8 +41,8 @@ ncurses-libs-6.4-2.azl3.x86_64.rpm
 ncurses-term-6.4-2.azl3.x86_64.rpm
 readline-8.2-1.azl3.x86_64.rpm
 readline-devel-8.2-1.azl3.x86_64.rpm
-coreutils-9.4-2.azl3.x86_64.rpm
-coreutils-lang-9.4-2.azl3.x86_64.rpm
+coreutils-9.4-3.azl3.x86_64.rpm
+coreutils-lang-9.4-3.azl3.x86_64.rpm
 bash-5.2.15-2.azl3.x86_64.rpm
 bash-devel-5.2.15-2.azl3.x86_64.rpm
 bash-lang-5.2.15-2.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 87af9808156..7b42a4633c1 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -47,9 +47,9 @@ chkconfig-debuginfo-1.25-1.azl3.aarch64.rpm
 chkconfig-lang-1.25-1.azl3.aarch64.rpm
 cmake-3.28.2-6.azl3.aarch64.rpm
 cmake-debuginfo-3.28.2-6.azl3.aarch64.rpm
-coreutils-9.4-2.azl3.aarch64.rpm
-coreutils-debuginfo-9.4-2.azl3.aarch64.rpm
-coreutils-lang-9.4-2.azl3.aarch64.rpm
+coreutils-9.4-3.azl3.aarch64.rpm
+coreutils-debuginfo-9.4-3.azl3.aarch64.rpm
+coreutils-lang-9.4-3.azl3.aarch64.rpm
 cpio-2.14-1.azl3.aarch64.rpm
 cpio-debuginfo-2.14-1.azl3.aarch64.rpm
 cpio-lang-2.14-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 4d9f3889788..58f60b5649e 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -48,9 +48,9 @@ chkconfig-debuginfo-1.25-1.azl3.x86_64.rpm
 chkconfig-lang-1.25-1.azl3.x86_64.rpm
 cmake-3.28.2-6.azl3.x86_64.rpm
 cmake-debuginfo-3.28.2-6.azl3.x86_64.rpm
-coreutils-9.4-2.azl3.x86_64.rpm
-coreutils-debuginfo-9.4-2.azl3.x86_64.rpm
-coreutils-lang-9.4-2.azl3.x86_64.rpm
+coreutils-9.4-3.azl3.x86_64.rpm
+coreutils-debuginfo-9.4-3.azl3.x86_64.rpm
+coreutils-lang-9.4-3.azl3.x86_64.rpm
 cpio-2.14-1.azl3.x86_64.rpm
 cpio-debuginfo-2.14-1.azl3.x86_64.rpm
 cpio-lang-2.14-1.azl3.x86_64.rpm
From 38bbb2faa7af85aad0431bfc96b82ee884e2e4e0 Mon Sep 17 00:00:00 2001 From: Chris Gunn Date: Wed, 19 Jun 2024 15:30:59 -0700 Subject: [PATCH 30/40] Image Customizer: Minor doc updates. (#9449) --- toolkit/tools/imagecustomizer/docs/configuration.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/toolkit/tools/imagecustomizer/docs/configuration.md b/toolkit/tools/imagecustomizer/docs/configuration.md index 6ae6095f6ef..e1a11678bfa 100644 --- a/toolkit/tools/imagecustomizer/docs/configuration.md +++ b/toolkit/tools/imagecustomizer/docs/configuration.md @@ -66,8 +66,8 @@ The Azure Linux Image Customizer is configured using a YAML (or JSON) file. 21. If ([verity](#verity-type)) is specified, then create the hash tree and update the grub config. -22. if the output format is set to `iso`, copy additional iso media files. -([iso](#iso-type)) +22. If the output format is set to `iso`, copy additional iso media files. + ([iso](#iso-type)) ### /etc/resolv.conf @@ -79,6 +79,10 @@ For example, `systemd-resolved`. Hence, the `/etc/resolv.conf` file is simply deleted at the end instead of being restored to its original contents. +If you want to explicitly set the `/etc/resolv.conf` file contents, you can do so within +a [finalizeCustomization](#finalizecustomization-script) script, since those scripts run +after the `/etc/resolv.conf` is deleted. + ### Replacing packages If you wish to replace a package with conflicting package, then you can remove the @@ -1032,7 +1036,7 @@ These scripts are run under a chroot of the customized OS. Example: ```yaml -os: +scripts: finalizeCustomization: - path: scripts/b.sh ``` From 137d10598dd705af93ddbd869c176723e8221988 Mon Sep 17 00:00:00 2001 
From: nicolas guibourge Date: Wed, 19 Jun 2024 16:06:25 -0700 Subject: [PATCH 31/40] 3.0-dev - influxdb fix CVE-2021-4238 (#9452) Co-authored-by: CBL-Mariner Servicing Account --- SPECS/influxdb/CVE-2021-4238.patch | 49 ++++++++++++++++++++++++++++++ SPECS/influxdb/influxdb.spec | 8 +++-- 2 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 SPECS/influxdb/CVE-2021-4238.patch diff --git a/SPECS/influxdb/CVE-2021-4238.patch b/SPECS/influxdb/CVE-2021-4238.patch new file mode 100644 index 00000000000..bd63254729c --- /dev/null +++ b/SPECS/influxdb/CVE-2021-4238.patch 
@@ -0,0 +1,49 @@
+Partial backport of 869801f20f9f1e7ecdbdb6422049d8241270d5e1
+
+diff --git a/vendor/github.com/aokoli/goutils/randomstringutils.go b/vendor/github.com/aokoli/goutils/randomstringutils.go
+index 1364e0c..8c6ccab 100644
+--- a/vendor/github.com/aokoli/goutils/randomstringutils.go
++++ b/vendor/github.com/aokoli/goutils/randomstringutils.go
+@@ -20,7 +20,6 @@ import (
+ "fmt"
+ "math"
+ "math/rand"
+- "regexp"
+ "time"
+ "unicode"
+ )
+@@ -75,12 +74,10 @@ func RandomNumeric(count int) (string, error) {
+
+ /*
+ RandomAlphabetic creates a random string whose length is the number of characters specified.
+-Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments.
++Characters will be chosen from the set of alphabetic characters.
+
+ Parameters:
+ count - the length of random string to create
+- letters - if true, generated string may include alphabetic characters
+- numbers - if true, generated string may include numeric characters
+
+ Returns:
+ string - the random string
+@@ -106,19 +103,8 @@ func RandomAlphaNumeric(count int) (string, error) {
+ if err != nil {
+ return "", fmt.Errorf("Error: %s", err)
+ }
+- match, err := regexp.MatchString("([0-9]+)", RandomString)
+- if err != nil {
+- panic(err)
+- }
+
+- if !match {
+- //Get the position between 0 and the length of the string-1 to insert a random number
+- position := rand.Intn(count)
+- //Insert a random number between [0-9] in the position
+- RandomString = RandomString[:position] + string('0'+rand.Intn(10)) + RandomString[position+1:]
+- return RandomString, err
+- }
+- return RandomString, err
++ return RandomString[:count], nil
+
+ }
+
\ No newline at end of file
diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec
index 2793a8ded90..44565303ac6 100644
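Review bot: The patch header is the single line `Partial backport of 869801f20f9f1e7ecdbdb6422049d8241270d5e1`, which does not say which parts of the upstream change were left out or why, so a later reader cannot tell whether CVE-2021-4238 is fully covered for this vendored copy. Only `randomstringutils.go` is touched; if the vendored goutils also ships the crypto variant (`CryptoRandomAlphaNumeric`), it is worth confirming that it does not still force a digit into its output the way the removed `if !match` branch did here. I would add a short header line such as `Omitted: <upstream files not vendored or not applicable, with reason>`. The import block keeps `math/rand`, so these strings are presumably still drawn from a non-cryptographic generator; that predates this change, but the header could state it so callers needing unpredictability are not misled.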
@@ -18,7 +18,7 @@ Summary: Scalable datastore for metrics, events, and real-time analytics Name: influxdb Version: 2.7.3 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -55,6 +55,7 @@ Source3: influxdb.service Source4: influxdb.tmpfiles Source5: config.yaml Source6: influxdb-user.conf +Patch0: CVE-2021-4238.patch BuildRequires: clang BuildRequires: golang BuildRequires: kernel-headers @@ -84,7 +85,7 @@ Conflicts: influxdb Go sources and other development files for InfluxDB %prep -%autosetup -a 1 +%autosetup -p1 -a 1 mkdir -pv static tar -xf %{SOURCE2} -C static/ --no-same-owner @@ -144,6 +145,9 @@ go test ./... %{_tmpfilesdir}/influxdb.conf %changelog +* Wed Jun 19 2024 Nicolas Guibourge - 2.7.3-3 +- Address CVE-2021-4238 + * Thu Mar 07 2024 Andrew Phelps - 2.7.3-2 - Remove restriction on golang BR version From 690b2cb14257748363de277bee50662c642bc9d4 Mon Sep 17 00:00:00 2001 From: Christopher Co <35273088+christopherco@users.noreply.github.com> Date: Wed, 19 Jun 2024 16:08:07 -0700 Subject: [PATCH 32/40] Move cri-o to Extended (#9451) Azure Linux's primary supported container runtime is containerd. We will provide CRI-O as an option for users to try, but will be community maintained in the Extended repository. 
Signed-off-by: Chris Co --- {SPECS => SPECS-EXTENDED}/cri-o/cri-o-rpmlintrc | 0 {SPECS => SPECS-EXTENDED}/cri-o/cri-o.signatures.json | 0 {SPECS => SPECS-EXTENDED}/cri-o/cri-o.spec | 0 {SPECS => SPECS-EXTENDED}/cri-o/crio.conf | 0 {SPECS => SPECS-EXTENDED}/cri-o/crio.service | 0 {SPECS => SPECS-EXTENDED}/cri-o/generate_source_tarball.sh | 0 {SPECS => SPECS-EXTENDED}/cri-o/kubelet.env | 0 {SPECS => SPECS-EXTENDED}/cri-o/sysconfig.crio | 0 8 files changed, 0 insertions(+), 0 deletions(-) rename {SPECS => SPECS-EXTENDED}/cri-o/cri-o-rpmlintrc (100%) rename {SPECS => SPECS-EXTENDED}/cri-o/cri-o.signatures.json (100%) rename {SPECS => SPECS-EXTENDED}/cri-o/cri-o.spec (100%) rename {SPECS => SPECS-EXTENDED}/cri-o/crio.conf (100%) rename {SPECS => SPECS-EXTENDED}/cri-o/crio.service (100%) rename {SPECS => SPECS-EXTENDED}/cri-o/generate_source_tarball.sh (100%) rename {SPECS => SPECS-EXTENDED}/cri-o/kubelet.env (100%) rename {SPECS => SPECS-EXTENDED}/cri-o/sysconfig.crio (100%) diff --git a/SPECS/cri-o/cri-o-rpmlintrc b/SPECS-EXTENDED/cri-o/cri-o-rpmlintrc similarity index 100% rename from SPECS/cri-o/cri-o-rpmlintrc rename to SPECS-EXTENDED/cri-o/cri-o-rpmlintrc diff --git a/SPECS/cri-o/cri-o.signatures.json b/SPECS-EXTENDED/cri-o/cri-o.signatures.json similarity index 100% rename from SPECS/cri-o/cri-o.signatures.json rename to SPECS-EXTENDED/cri-o/cri-o.signatures.json diff --git a/SPECS/cri-o/cri-o.spec b/SPECS-EXTENDED/cri-o/cri-o.spec similarity index 100% rename from SPECS/cri-o/cri-o.spec rename to SPECS-EXTENDED/cri-o/cri-o.spec diff --git a/SPECS/cri-o/crio.conf b/SPECS-EXTENDED/cri-o/crio.conf similarity index 100% rename from SPECS/cri-o/crio.conf rename to SPECS-EXTENDED/cri-o/crio.conf diff --git a/SPECS/cri-o/crio.service b/SPECS-EXTENDED/cri-o/crio.service similarity index 100% rename from SPECS/cri-o/crio.service rename to SPECS-EXTENDED/cri-o/crio.service 
diff --git a/SPECS/cri-o/generate_source_tarball.sh b/SPECS-EXTENDED/cri-o/generate_source_tarball.sh similarity index 100% rename from SPECS/cri-o/generate_source_tarball.sh rename to SPECS-EXTENDED/cri-o/generate_source_tarball.sh diff --git a/SPECS/cri-o/kubelet.env b/SPECS-EXTENDED/cri-o/kubelet.env similarity index 100% rename from SPECS/cri-o/kubelet.env rename to SPECS-EXTENDED/cri-o/kubelet.env diff --git a/SPECS/cri-o/sysconfig.crio b/SPECS-EXTENDED/cri-o/sysconfig.crio similarity index 100% rename from SPECS/cri-o/sysconfig.crio rename to SPECS-EXTENDED/cri-o/sysconfig.crio From 90f521f3dfa9fa81570b17c3200d459572c5ea41 Mon Sep 17 00:00:00 2001 
From: J Camposeco <108859819+jcamposeco@users.noreply.github.com> Date: Thu, 20 Jun 2024 09:51:31 -0700 Subject: [PATCH 33/40] Add patch to add msflint kernel driver 4.28 as module (#9380) --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 +- SPECS/kernel-headers/kernel-headers.spec | 5 +- .../0001-add-mstflint-kernel-4.28.0.patch | 2465 +++++++++++++++++ SPECS/kernel/config | 1 + SPECS/kernel/config_aarch64 | 1 + SPECS/kernel/kernel-uki.spec | 5 +- SPECS/kernel/kernel.signatures.json | 4 +- SPECS/kernel/kernel.spec | 8 +- ...01-update-tool-name-in-error-message.patch | 25 + ...ault-link-flags-for-shared-libraries.patch | 52 - SPECS/mstflint/mstflint.signatures.json | 2 +- SPECS/mstflint/mstflint.spec | 13 +- ...-with-mstfwreset-in-mstflint-message.patch | 26 - cgmanifest.json | 4 +- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 4 +- toolkit/scripts/check_entangled_specs.py | 31 +- 19 files changed, 2551 insertions(+), 106 deletions(-) create mode 100644 SPECS/kernel/0001-add-mstflint-kernel-4.28.0.patch create mode 100644 SPECS/mstflint/0001-update-tool-name-in-error-message.patch delete mode 100644 SPECS/mstflint/add-default-link-flags-for-shared-libraries.patch delete mode 100644 SPECS/mstflint/replace-mlxfwreset-with-mstfwreset-in-mstflint-message.patch diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 79b62ee9a41..7f6613b5031 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 6.6.29.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %exclude /module_info.ld %changelog +* Tue Jun 11 2024 Juan Camposeco 6.6.29.1-5 +- Add patch to enable mstflint kernel driver + * Fri May 31 2024 Thien Trung Vuong - 6.6.29.1-4 - Bump release to match kernel diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 05598448915..1ed6a79e923 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -14,7 +14,7 @@ Summary: Linux API header files Name: kernel-headers Version: 6.6.29.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -75,6 +75,9 @@ done %endif %changelog +* Tue Jun 11 2024 Juan Camposeco - 6.6.29.1-5 +- Bump release to match kernel + * Fri May 31 2024 Thien Trung Vuong - 6.6.29.1-4 - Bump release to match kernel diff --git a/SPECS/kernel/0001-add-mstflint-kernel-4.28.0.patch b/SPECS/kernel/0001-add-mstflint-kernel-4.28.0.patch new file mode 100644 index 00000000000..9a5dfa42a3e --- /dev/null +++ b/SPECS/kernel/0001-add-mstflint-kernel-4.28.0.patch 
@@ -0,0 +1,2465 @@ +From c42941e9e7a9ec456867d7c57535152a9180c46a Mon Sep 17 00:00:00 2001 +From: Juan Camposeco +Date: Wed, 12 Jun 2024 11:36:01 -0700 +Subject: [PATCH] add mstflint kernel 4.28 + +--- + drivers/misc/Kconfig | 1 + + drivers/misc/Makefile | 1 + + drivers/misc/mstflint/Kconfig | 8 + + drivers/misc/mstflint/Makefile | 93 ++ + drivers/misc/mstflint/mst.h | 226 ++++ + drivers/misc/mstflint/mst_kernel.h | 127 ++ + drivers/misc/mstflint/mst_main.c | 1766 ++++++++++++++++++++++++++++ + drivers/misc/mstflint/mst_vpd.c | 164 +++ + 8 files changed, 2386 insertions(+) + create mode 100644 drivers/misc/mstflint/Kconfig + create mode 100644 drivers/misc/mstflint/Makefile + create mode 100644 drivers/misc/mstflint/mst.h + create mode 100644 drivers/misc/mstflint/mst_kernel.h + create mode 100644 drivers/misc/mstflint/mst_main.c + create mode 100644 drivers/misc/mstflint/mst_vpd.c + +diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig +index cadd4a820c033..c0f3d9fc843bd 100644 +--- a/drivers/misc/Kconfig ++++ b/drivers/misc/Kconfig +@@ -578,5 +578,6 @@ source "drivers/misc/bcm-vk/Kconfig" + source "drivers/misc/cardreader/Kconfig" + source "drivers/misc/uacce/Kconfig" + source "drivers/misc/pvpanic/Kconfig" ++source "drivers/misc/mstflint/Kconfig" + source "drivers/misc/mchp_pci1xxxx/Kconfig" + endmenu +diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile +index f2a4d1ff65d46..657988554a1c1 100644 +--- a/drivers/misc/Makefile ++++ b/drivers/misc/Makefile +@@ -49,6 +49,7 @@ obj-$(CONFIG_SRAM) += sram.o + obj-$(CONFIG_SRAM_EXEC) += sram-exec.o + obj-$(CONFIG_GENWQE) += genwqe/ + obj-$(CONFIG_ECHO) += echo/ ++obj-$(CONFIG_MSTFLINT) += mstflint/ + obj-$(CONFIG_CXL_BASE) += cxl/ + obj-$(CONFIG_DW_XDATA_PCIE) += dw-xdata-pcie.o + obj-$(CONFIG_PCI_ENDPOINT_TEST) += pci_endpoint_test.o +diff --git a/drivers/misc/mstflint/Kconfig b/drivers/misc/mstflint/Kconfig +new file mode 100644 +index 0000000000000..b5a5901987685 +--- /dev/null ++++ 
b/drivers/misc/mstflint/Kconfig +@@ -0,0 +1,8 @@ ++# SPDX-License-Identifier: GPL-2.0-only ++config MSTFLINT ++ tristate "Driver for mstflint secure boot" ++ help ++ This driver enables mstflint to work under secure boot enabled systems. ++ ++ To compile this driver as a module, choose M here. The module ++ will be called mstflint. +diff --git a/drivers/misc/mstflint/Makefile b/drivers/misc/mstflint/Makefile +new file mode 100644 +index 0000000000000..0a1d3b6ac84c0 +--- /dev/null ++++ b/drivers/misc/mstflint/Makefile +@@ -0,0 +1,93 @@ ++# ++# Copyright (c) 2017-2021 NVIDIA CORPORATION & AFFILIATES. All rights reserved. ++# BSD-3-Clause ++# ++# Redistribution and use in source and binary forms, with or without ++# modification, are permitted provided that the following conditions are met: ++# ++# 1. Redistributions of source code must retain the above copyright notice, this ++# list of conditions and the following disclaimer. ++# ++# 2. Redistributions in binary form must reproduce the above copyright notice, ++# this list of conditions and the following disclaimer in the documentation ++# and/or other materials provided with the distribution. ++# ++# 3. Neither the name of the copyright holder nor the names of its ++# contributors may be used to endorse or promote products derived from ++# this software without specific prior written permission. ++# ++# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++# DISCLAIMED. 
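Review bot: The help text says the module will be called mstflint, but the Makefile added by the same patch builds `mstflint_access.o` through an unconditional `obj-m`, so the name given here is wrong and choosing `y` still produces a module. The entry also has no dependency line although the prototypes in mst_kernel.h take a `struct pci_dev`; add `depends on PCI` under the `tristate` line. The ioctl header in this patch defines 4-byte and block reads and writes of device configuration space and DMA page requests for user space, so the help text should say that plainly; "enables mstflint to work under secure boot" does not tell the person enabling it what the character device grants.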
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE ++# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER ++# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, ++# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++# ++KPVER ?= $(shell uname -r) ++KSRC ?= /lib/modules/$(KPVER)/build ++CPU_ARCH ?= $(shell uname -m) ++ ++PACKAGE_NAME := mstflint ++PACKAGE_VERSION := $(shell sed -r '1 s:(.*) \((.*)\).*:\2:; q' ../debian/changelog) ++DKMS_SRC_DIR := /usr/src/$(PACKAGE_NAME)-$(PACKAGE_VERSION) ++SOURCE_FILES := Makefile mst.h mst_kernel.h mst_main.c mst_vpd.c ++ ++# GCC earlier than 4.6.0 will build modules which require 'mcount', ++# and this symbol will not be available in the kernel if the kernel was ++# compiled with GCC 4.6.0 and above. ++# therefore, to prevent unknown symbol issues we disable function tracing. ++# ++ ++ifeq ($(CC),) ++CC = $(CROSS_COMPILE)gcc ++endif ++CPP = $(CC) -E ++ifneq ($(CC),cc) ++override WITH_MAKE_PARAMS += CC=$(CC) ++endif ++ ++CPP_MAJOR := $(shell $(CPP) -dumpversion 2>&1 | cut -d'.' -f1) ++CPP_MINOR := $(shell $(CPP) -dumpversion 2>&1 | cut -d'.' -f2) ++CPP_PATCH := $(shell $(CPP) -dumpversion 2>&1 | cut -d'.' -f3) ++# Assumes that major, minor, and patch cannot exceed 999 ++CPP_VERS := $(shell expr 0$(CPP_MAJOR) \* 1000000 + 0$(CPP_MINOR) \* 1000 + 0$(CPP_PATCH)) ++compile_h=$(shell /bin/ls -1 $(KSRC)/include/*/compile.h 2> /dev/null | head -1) ++ifneq ($(compile_h),) ++KERNEL_GCC_MAJOR := $(shell grep LINUX_COMPILER $(compile_h) | grep -Eo ' [0-9]+\.[0-9]+\.[0-9]+[, $$]' | sed 's/[, ]//g' | cut -d'.' 
-f1) ++KERNEL_GCC_MINOR := $(shell grep LINUX_COMPILER $(compile_h) | grep -Eo ' [0-9]+\.[0-9]+\.[0-9]+[, $$]' | sed 's/[, ]//g' | cut -d'.' -f2) ++KERNEL_GCC_PATCH := $(shell grep LINUX_COMPILER $(compile_h) | grep -Eo ' [0-9]+\.[0-9]+\.[0-9]+[, $$]' | sed 's/[, ]//g' | cut -d'.' -f3) ++KERNEL_GCC_VER := $(shell expr 0$(KERNEL_GCC_MAJOR) \* 1000000 + 0$(KERNEL_GCC_MINOR) \* 1000 + 0$(KERNEL_GCC_PATCH)) ++ifneq ($(shell if [ $(CPP_VERS) -lt 4006000 ] && [ $(KERNEL_GCC_VER) -ge 4006000 ]; then \ ++ echo "YES"; else echo ""; fi),) ++$(info Warning: The kernel was compiled with GCC newer than 4.6.0, while the current GCC is older than 4.6.0, Disabling function tracing to prevent unknown symbol issues...) ++override WITH_MAKE_PARAMS += CONFIG_FUNCTION_TRACER= CONFIG_HAVE_FENTRY= ++endif ++ifneq ($(shell if [ $(CPP_VERS) -ge 4006000 ] && [ $(KERNEL_GCC_VER) -lt 4006000 ]; then \ ++ echo "YES"; else echo ""; fi),) ++$(info Warning: The kernel was compiled with GCC older than 4.6.0, while the current GCC is newer than 4.6.0, Disabling function tracing to prevent unknown symbol issues...) ++override WITH_MAKE_PARAMS += CONFIG_FUNCTION_TRACER= CONFIG_HAVE_FENTRY= ++endif ++endif ++ifneq ($(shell if (echo $(KPVER) | grep -qE 'uek'); then \ ++ echo "YES"; else echo ""; fi),) ++override WITH_MAKE_PARAMS += ctf-dir=$(CWD)/.ctf ++endif ++ ++obj-m += mstflint_access.o ++mstflint_access-objs += mst_vpd.o mst_main.o ++ ++all: ++ make -C $(KSRC) M=$(PWD) CONFIG_CTF= CONFIG_CC_STACKPROTECTOR_STRONG= $(WITH_MAKE_PARAMS) modules ++ ++clean: ++ make -C $(KSRC) M=$(PWD) clean ++ ++install-dkms: $(SOURCE_FILES) ++ install -d $(DESTDIR)$(DKMS_SRC_DIR) ++ cp -a $^ $(DESTDIR)$(DKMS_SRC_DIR) ++ ++ +diff --git a/drivers/misc/mstflint/mst.h b/drivers/misc/mstflint/mst.h +new file mode 100644 +index 0000000000000..3fe2ebe950021 +--- /dev/null ++++ b/drivers/misc/mstflint/mst.h +@@ -0,0 +1,226 @@ ++/* ++ * Copyright (c) 2023 NVIDIA CORPORATION & AFFILIATES. ALL RIGHTS RESERVED. 
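Review bot: This is the out-of-tree DKMS Makefile copied into the kernel tree unchanged: at parse time it runs `uname -r`, reads `../debian/changelog` (a path that does not exist relative to drivers/misc/mstflint) and probes the host compiler version, none of which kbuild needs. The `obj-m += mstflint_access.o` line ignores `CONFIG_MSTFLINT`, and the `all` target passes `CONFIG_CC_STACKPROTECTOR_STRONG=` to blank the stack-protector option for standalone builds; kbuild does not use that target and current kernels appear to spell the option differently, but it should not be carried into a distribution kernel patch. For the in-tree build the file should reduce to `obj-$(CONFIG_MSTFLINT) += mstflint_access.o` and `mstflint_access-objs := mst_vpd.o mst_main.o`.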
++ * ++ * This software is available to you under a choice of one of two ++ * licenses. You may choose to be licensed under the terms of the GNU ++ * General Public License (GPL) Version 2, available from the file ++ * COPYING in the main directory of this source tree, or the ++ * OpenIB.org BSD license below: ++ * ++ * Redistribution and use in source and binary forms, with or ++ * without modification, are permitted provided that the following ++ * conditions are met: ++ * ++ * - Redistributions of source code must retain the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer. ++ * ++ * - Redistributions in binary form must reproduce the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer in the documentation and/or other materials ++ * provided with the distribution. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS ++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN ++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. 
++ */ ++#ifndef _MST_H_ ++#define _MST_H_ ++ ++#include ++ ++/****************************************************/ ++#define MST_MEMORY_SIZE (1024 * 1024) ++#define MST_BLOCK_SIZE 64 ++ ++#define MST_PARAMS_MAGIC 0xD0 ++#define MST_BYTE_ACCESS_MAGIC 0xD1 ++#define MST_BLOCK_ACCESS_MAGIC 0xD2 ++#define MST_PCICONF_MAGIC 0xD3 ++#define MST_PCIMEM_MAGIC 0xD4 ++#define MST_CONNECTX_WA_MAGIC 0xD5 ++#define MST_VPD_MAGIC 0xD6 ++ ++#define PCICONF_MAX_BUFFER_SIZE 256 ++#define PCICONF_MAX_PAGES_SIZE 32 ++/****************************************************/ ++/* GET PARAMS */ ++#define MST_PARAMS _IOR(MST_PARAMS_MAGIC, 1, struct mst_params) ++ ++struct mst_params ++{ ++ unsigned int domain; ++ unsigned int bus; ++ unsigned int slot; ++ unsigned int func; ++ unsigned int bar; ++ unsigned int device; ++ unsigned int vendor; ++ unsigned int subsystem_device; ++ unsigned int subsystem_vendor; ++ unsigned int vendor_specific_cap; ++}; ++ ++typedef uint32_t u32; ++ ++/****************************************************/ ++/* BYTE ACCESS */ ++#define MST_READ4 _IOR(MST_BYTE_ACCESS_MAGIC, 1, struct mst_read4_st) ++ ++struct mst_read4_st ++{ ++ unsigned int address_space; ++ unsigned int offset; ++ unsigned int data; /*OUT*/ ++}; ++ ++#define MST_WRITE4 _IOW(MST_BYTE_ACCESS_MAGIC, 2, struct mst_write4_st) ++ ++struct mst_write4_st ++{ ++ unsigned int address_space; ++ unsigned int offset; ++ unsigned int data; ++}; ++ ++#define PCICONF_READ4 MST_READ4 ++#define PCICONF_WRITE4 MST_WRITE4 ++#define PCIMEM_READ4 MST_READ4 ++#define PCIMEM_WRITE4 MST_WRITE4 ++ ++/****************************************************/ ++/* BLOCK ACCESS */ ++#define PCIMEM_READ_BLOCK _IOR(MST_BLOCK_ACCESS_MAGIC, 1, struct mst_read_block_st) ++ ++struct mst_read_block_st ++{ ++ unsigned int offset; ++ unsigned int size; /* in bytes */ ++ u32 data[MST_BLOCK_SIZE]; /* OUT */ ++}; ++ ++#define PCIMEM_WRITE_BLOCK _IOW(MST_BLOCK_ACCESS_MAGIC, 2, struct mst_write_block_st) ++ ++struct mst_write_block_st ++{ 
++ unsigned int offset; ++ unsigned int size; /* in bytes */ ++ u32 data[MST_BLOCK_SIZE]; ++}; ++ ++#define PCICONF_READ4_BUFFER _IOR(MST_BLOCK_ACCESS_MAGIC, 3, struct mst_read4_buffer_st) ++#define PCICONF_READ4_BUFFER_EX _IOR(MST_BLOCK_ACCESS_MAGIC, 3, struct mst_read4_buffer_st) ++// We support backward compatibility. ++// There is a known bug with PCICONF_READ4_BUFFER ioctl and data may be corrupted. ++#define PCICONF_READ4_BUFFER_BC _IOR(MST_BLOCK_ACCESS_MAGIC, 3, struct mst_read4_st) ++struct mst_read4_buffer_st ++{ ++ unsigned int address_space; ++ unsigned int offset; ++ int size; ++ unsigned int data[PCICONF_MAX_BUFFER_SIZE / 4]; /*OUT*/ ++}; ++ ++#define PCICONF_WRITE4_BUFFER _IOW(MST_BLOCK_ACCESS_MAGIC, 4, struct mst_write4_buffer_st) ++struct mst_write4_buffer_st ++{ ++ unsigned int address_space; ++ unsigned int offset; ++ int size; ++ unsigned int data[PCICONF_MAX_BUFFER_SIZE / 4]; /*IN*/ ++}; ++/****************************************************/ ++/* ++ * INIT / STOP Conf Access ++ * Used to change conf registers on the fly, ++ * by default we set the conf register to default values ++ */ ++#define PCICONF_INIT _IOC(_IOC_NONE, MST_PCICONF_MAGIC, 1, sizeof(struct mst_pciconf_init_st)) ++ ++struct mst_pciconf_init_st ++{ ++ unsigned int domain; ++ unsigned int bus; ++ unsigned int devfn; ++ /* Byte offsets in configuration space */ ++ unsigned int addr_reg; ++ unsigned int data_reg; ++}; ++ ++#define PCICONF_STOP _IOC(_IOC_NONE, MST_PCICONF_MAGIC, 2, 0) ++ ++/****************************************************/ ++/* ++ * INIT / STOP Memory Access ++ * Used to change bar number and map the new bar on the fly, ++ * by default we set and map bar to default bar number per device ++ */ ++#define PCIMEM_INIT _IOC(_IOC_NONE, MST_PCIMEM_MAGIC, 1, sizeof(struct mst_mem_init_st)) ++ ++struct mst_mem_init_st ++{ ++ unsigned int bar; ++}; ++ ++#define PCIMEM_STOP _IOC(_IOC_NONE, MST_PCIMEM_MAGIC, 2, 0) ++ 
++/****************************************************/ ++/* CONNECTX ORDERING WA */ ++#define CONNECTX_WA_BASE 0xf0384 /* SEM BASE ADDR. SEM 0xf0380 is reserved for external tools usage. */ ++#define CONNECTX_WA_SIZE 3 /* Size in entries */ ++ ++#define PCI_CONNECTX_WA _IOR(MST_CONNECTX_WA_MAGIC, 1, u_int32_t) ++ ++struct mst_connectx_wa ++{ ++ u32 connectx_wa_slot_p1; /* connectx used slot plus 1. zero means unused */ ++}; ++ ++/****************************************************/ ++/* VPD ACCESS */ ++#define PCICONF_VPD_READ4 _IOR(MST_VPD_MAGIC, 1, struct mst_vpd_read4_st) ++struct mst_vpd_read4_st ++{ ++ unsigned int offset; /* IN - must be aligned to DWORD */ ++ unsigned int timeout; /* IN - timeout in milliseconds or zero for default timeout */ ++ u32 data; /* OUT */ ++}; ++ ++#define PCICONF_VPD_WRITE4 _IOW(MST_VPD_MAGIC, 2, struct mst_vpd_write4_st) ++struct mst_vpd_write4_st ++{ ++ unsigned int offset; /* IN - must be aligned to DWORD */ ++ unsigned int timeout; /* IN - timeout in milliseconds or zero for default timeout */ ++ u32 data; /* IN */ ++}; ++ ++#define PCICONF_GET_DMA_PAGES _IOR(MST_PCICONF_MAGIC, 13, struct page_info_st) ++#define PCICONF_RELEASE_DMA_PAGES _IOR(MST_PCICONF_MAGIC, 14, struct page_info_st) ++ ++struct page_address_st ++{ ++ u_int64_t dma_address; ++ u_int64_t virtual_address; ++}; ++ ++struct page_info_st ++{ ++ unsigned int page_amount; ++ unsigned long page_pointer_start; ++ struct page_address_st page_address_array[PCICONF_MAX_PAGES_SIZE]; ++}; ++ ++#define PCICONF_READ_DWORD_FROM_CONFIG_SPACE _IOR(MST_PCICONF_MAGIC, 15, struct read_dword_from_config_space) ++struct read_dword_from_config_space ++{ ++ unsigned int offset; ++ unsigned int data; ++}; ++ ++#endif /* _MST_H_ */ ++ +diff --git a/drivers/misc/mstflint/mst_kernel.h b/drivers/misc/mstflint/mst_kernel.h +new file mode 100644 +index 0000000000000..7d12c9938ca1e +--- /dev/null ++++ b/drivers/misc/mstflint/mst_kernel.h +@@ -0,0 +1,127 @@ ++/* ++ * Copyright (c) 2023 
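Review bot: The user-supplied length fields in this ioctl ABI are not bounded by their types: `size` in `struct mst_read4_buffer_st` and `struct mst_write4_buffer_st` is a signed `int` next to a fixed `data[PCICONF_MAX_BUFFER_SIZE / 4]`, and `page_amount` in `struct page_info_st` sits next to `page_address_array[PCICONF_MAX_PAGES_SIZE]`. The handlers live in mst_main.c, outside this hunk, so it cannot be confirmed from here that negative, unaligned or oversized values are rejected before the arrays are indexed; the header should at least state the contract, e.g. `int size; /* IN - bytes, multiple of 4, 0 < size <= PCICONF_MAX_BUFFER_SIZE */` and `unsigned int page_amount; /* IN - 1..PCICONF_MAX_PAGES_SIZE */`. `struct page_info_st` also carries an `unsigned long page_pointer_start`, whose width differs between 32-bit and 64-bit callers, so a fixed-width type would keep the layout stable. `PCICONF_READ4_BUFFER` and `PCICONF_READ4_BUFFER_EX` expand to the same request number, which deserves a comment saying the alias is intentional.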
NVIDIA CORPORATION & AFFILIATES. ALL RIGHTS RESERVED. ++ * ++ * This software is available to you under a choice of one of two ++ * licenses. You may choose to be licensed under the terms of the GNU ++ * General Public License (GPL) Version 2, available from the file ++ * COPYING in the main directory of this source tree, or the ++ * OpenIB.org BSD license below: ++ * ++ * Redistribution and use in source and binary forms, with or ++ * without modification, are permitted provided that the following ++ * conditions are met: ++ * ++ * - Redistributions of source code must retain the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer. ++ * ++ * - Redistributions in binary form must reproduce the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer in the documentation and/or other materials ++ * provided with the distribution. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS ++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN ++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. 
++ */ ++#ifndef _MST_KERNEL_H_ ++#define _MST_KERNEL_H_ ++ ++/****************************************************/ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "mst.h" ++ ++/****************************************************/ ++#define DRV_VERSION "2.0.0" ++#define DRV_RELDATE "Nov-27-2012" ++ ++/****************************************************/ ++/* defines */ ++#define MST_NAME_SIZE 30 ++#define MST_PREFIX " MST:: " ++ ++#define MST_DEVICE_PREFIX "mt" ++#define MST_PCICONF_DEVICE_NAME "_mstconf" ++#define MST_PCIMEM_DEVICE_NAME "_mstcr" ++ ++#define MST_MELLANOX_PCI_VENDOR 0x15b3 ++ ++#define MST_CONF_ADDR_REG 88 ++#define MST_CONF_DATA_REG 92 ++ ++#define MST_VPD_DEFAULT_TOUT 2000 /* milli seconds */ ++ ++#define mst_err(format, arg...) pr_err("%s: %s %d: " format, MST_PREFIX, __func__, __LINE__, ##arg) ++#define mst_info(format, arg...) pr_info("%s: %s %d: " format, MST_PREFIX, __func__, __LINE__, ##arg) ++ ++#define capability_support_info_message(dev, capability) \ ++ mst_info("Device 0x%x (%x:%x:%x.%x) doesn't support %s capability.\n", dev->pci_dev->device, \ ++ pci_domain_nr(dev->pci_dev->bus), dev->pci_dev->bus->number, PCI_SLOT(dev->pci_dev->devfn), \ ++ PCI_FUNC(dev->pci_dev->devfn), #capability); ++ ++/****************************************************/ ++/* new types */ ++enum dev_type ++{ ++ PCICONF, ++ PCIMEM ++}; ++ ++struct dma_page ++{ ++ struct page** page_list; ++ dma_addr_t dma_addr[PCICONF_MAX_PAGES_SIZE]; ++}; ++ ++struct mst_dev_data ++{ ++ int addr_reg; /* PCICONF address register */ ++ int data_reg; /* PCICONF data register */ ++ int wo_addr; ++ unsigned int bar; /* PCIMEM bar */ ++ void* hw_addr; /* PCIMEM memory start */ ++ char name[MST_NAME_SIZE]; /* name of character device */ ++ enum dev_type type; /* type of device */ ++ struct pci_dev* pci_dev; /* device pci struct in kernel */ ++ struct list_head list; /* list of mst_devices */ ++ struct mutex 
lock; /* device lock */ ++ int vpd_cap_addr; /* addr VPD capability */ ++ int major; /* device major number */ ++ int initialized; /* indicate if init done */ ++ ++ dev_t my_dev; ++ struct cdev mcdev; ++ struct class* cl; ++ ++ unsigned char connectx_wa_slots; /* wa for pci bug */ ++ /* Vendor specific capability address */ ++ int vendor_specific_cap; ++ /* status on VSEC supported spaces*/ ++ int spaces_support_status; ++ ++ // Allocated pages for the user space. ++ struct dma_page dma_page; ++}; ++ ++/****************************************************/ ++int pci_read4_vpd(struct mst_dev_data* dev, unsigned int timeout, unsigned int offset, u32* buf); ++ ++int pci_write4_vpd(struct mst_dev_data* dev, unsigned int timeout, unsigned int offset, u32 buf); ++ ++#endif /* _MST_KERNEL_H_ */ ++ +diff --git a/drivers/misc/mstflint/mst_main.c b/drivers/misc/mstflint/mst_main.c +new file mode 100644 +index 0000000000000..b3ec3f7b11943 +--- /dev/null ++++ b/drivers/misc/mstflint/mst_main.c +@@ -0,0 +1,1766 @@ ++/* ++ * Copyright (c) 2021 NVIDIA CORPORATION & AFFILIATES. ALL RIGHTS RESERVED. ++ * ++ * This software is available to you under a choice of one of two ++ * licenses. You may choose to be licensed under the terms of the GNU ++ * General Public License (GPL) Version 2, available from the file ++ * COPYING in the main directory of this source tree, or the ++ * OpenIB.org BSD license below: ++ * ++ * Redistribution and use in source and binary forms, with or ++ * without modification, are permitted provided that the following ++ * conditions are met: ++ * ++ * - Redistributions of source code must retain the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer. ++ * ++ * - Redistributions in binary form must reproduce the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer in the documentation and/or other materials ++ * provided with the distribution. 
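Review bot: `capability_support_info_message` expands to a statement that already ends in `;` and uses `dev` unparenthesised, so it breaks when used as the body of an unbraced `if`/`else`; wrap it as `do { mst_info(...); } while (0)` and write `(dev)->pci_dev`. `hw_addr` is commented as the PCIMEM memory start; if it holds an `ioremap` result (the assignment is outside this hunk) it should be declared `void __iomem *hw_addr;` so sparse can check how it is dereferenced. The non-static prototypes `pci_read4_vpd` and `pci_write4_vpd` use the PCI core's `pci_` prefix; a driver-local prefix such as `mst_` would avoid name clashes now that the code is built in-tree.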
++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS ++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN ++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++#include ++#include ++#include ++#include ++#if KERNEL_VERSION(2, 6, 18) <= LINUX_VERSION_CODE ++#include ++#else ++#include ++#endif ++#include ++#include ++#include ++#include "mst_kernel.h" ++ ++/****************************************************/ ++MODULE_AUTHOR("Mahmoud Hasan"); ++MODULE_DESCRIPTION("MST Module"); ++MODULE_LICENSE("Dual BSD/GPL"); ++MODULE_VERSION(DRV_VERSION " (" DRV_RELDATE ")"); ++ ++/****************************************************/ ++/* globals variables */ ++static const char mst_driver_version[] = DRV_VERSION; ++static const char mst_driver_string[] = "Mellanox Technologies Software Tools Driver"; ++ ++LIST_HEAD(mst_devices); ++ ++static struct pci_device_id mst_livefish_pci_table[] = { ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x01f6)}, /* MT27500 Family [ConnectX-3 Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x01f8)}, /* MT27520 Family [ConnectX-3 Pro Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x01ff)}, /* MT27600 Family [Connect-IB Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0209)}, /* MT27700 Family [ConnectX-4 Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x020b)}, /* MT27710 Family [ConnectX-4 Lx Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x020d)}, /* MT28800 Family [ConnectX-5 Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x020f)}, /* MT28908A0 Family [ConnectX-6 Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0210)}, /* 
MT28908A0 Family [ConnectX-6 Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0211)}, /* MT416842 Family [BlueField SoC Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0212)}, /* MT2892 Family [ConnectX-6 Dx Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0213)}, /* MT2892 Family [ConnectX-6 Dx Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0214)}, /* MT42822 Family [BlueField-2 SoC Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0215)}, /* MT42822 Family [BlueField-2 Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0216)}, /* MT2894 Family [ConnectX-6 Lx Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0217)}, /* MT2894 Family [ConnectX-6 Lx Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0218)}, /* MT2910 Family [ConnectX-7 Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0219)}, /* MT2910 Family [ConnectX-7 Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x021a)}, /* MT43162 Family [BlueField-3 Lx SoC Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x021b)}, /* MT43162 Family [BlueField-3 Lx Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x021c)}, /* MT43244 Family [BlueField-3 SoC Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x021d)}, /* MT43244 Family [BlueField-3 Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x021e)}, /* CX8 Family [ConnectX-8 Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x021e)}, /* CX8 Family [ConnectX-8 Secure Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x0220)}, /* BF4 Family Flash Recovery [BlueField-4 SoC Flash Recovery] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 0x021e)}, /* BF4 Family Secure Flash Recovery [BlueField-4 Secure Flash Recovery] ++ */ ++ { ++ 0, ++ }}; ++ ++static struct pci_device_id mst_bar_pci_table[] = { ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4099)}, /* MT 27600 
[ConnectX-3] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4103)}, /* MT27600 [ConnectX-3Pro] */ ++ { ++ 0, ++ }}; ++ ++static struct pci_device_id supported_pci_devices[] = { ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4099)}, /* MT27500 Family [ConnectX-3] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4103)}, /* MT27520 Family [ConnectX-3Pro] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4113)}, /* MT27600 Family [ConnectX-IB] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4115)}, /* MT27620 Family [ConnectX-4] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4117)}, /* MT2763.00.l0 Family [ConnectX-4Lx] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4119)}, /* MT27800 Family [ConnectX-5] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4121)}, /* MT28800 Family [ConnectX-5EX] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4123)}, /* MT28908 Family [ConnectX-6] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4125)}, /* MT2892 Family [ConnectX-6DX] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4127)}, /* MT2894 Family [ConnectX-6LX] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 4129)}, /* MT2910 Family [ConnectX-7] */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 41682)}, /* MT416842 Family BlueField integrated ConnectX-5 network controller */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 41686)}, /* MT42822 Family BlueField2 integrated ConnectX-6 DX network controller ++ */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 41692)}, /* MT43244 Family BlueField3 integrated ConnectX-7 network controller */ ++ {PCI_DEVICE(MST_MELLANOX_PCI_VENDOR, 41694)}, /* BF4 Family integrated network controller */ ++ { ++ 0, ++ }}; ++ ++/****************** VSEC SUPPORT ********************/ ++ ++// BIT Slicing macros ++#define ONES32(size) ((size) ? (0xffffffff >> (32 - (size))) : 0) ++#define MASK32(offset, size) (ONES32(size) << (offset)) ++ ++#define EXTRACT_C(source, offset, size) ((((unsigned int)(source)) >> (offset)) & ONES32(size)) ++#define EXTRACT(src, start, len) (((len) == 32) ? 
(src) : EXTRACT_C(src, start, len)) ++ ++#define MERGE_C(rsrc1, rsrc2, start, len) \ ++ ((((rsrc2) << (start)) & (MASK32((start), (len)))) | ((rsrc1) & (~MASK32((start), (len))))) ++#define MERGE(rsrc1, rsrc2, start, len) (((len) == 32) ? (rsrc2) : MERGE_C(rsrc1, rsrc2, start, len)) ++ ++/* Allow minor numbers 0-255 */ ++#define MAXMINOR 256 ++#define BUFFER_SIZE 256 ++#define MLNX_VENDOR_SPECIFIC_CAP_ID 0x9 ++#define CRSPACE_DOMAIN 0x2 ++#define AS_ICMD 0x3 ++#define AS_CR_SPACE 0x2 ++#define AS_SEMAPHORE 0xa ++ ++/* PCI address space related enum*/ ++enum ++{ ++ PCI_CAP_PTR = 0x34, ++ PCI_HDR_SIZE = 0x40, ++ PCI_EXT_SPACE_ADDR = 0xff, ++ ++ PCI_CTRL_OFFSET = 0x4, // for space / semaphore / auto-increment bit ++ PCI_COUNTER_OFFSET = 0x8, ++ PCI_SEMAPHORE_OFFSET = 0xc, ++ PCI_ADDR_OFFSET = 0x10, ++ PCI_DATA_OFFSET = 0x14, ++ ++ PCI_FLAG_BIT_OFFS = 31, ++ ++ PCI_SPACE_BIT_OFFS = 0, ++ PCI_SPACE_BIT_LEN = 16, ++ ++ PCI_STATUS_BIT_OFFS = 29, ++ PCI_STATUS_BIT_LEN = 3, ++}; ++ ++/* Mellanox vendor specific enum */ ++enum ++{ ++ CAP_ID = 0x9, ++ IFC_MAX_RETRIES = 0x10000, ++ SEM_MAX_RETRIES = 0x1000 ++}; ++ ++/* PCI operation enum(read or write)*/ ++enum ++{ ++ READ_OP = 0, ++ WRITE_OP = 1, ++}; ++ ++/* VSEC space status enum*/ ++enum ++{ ++ SS_UNINITIALIZED = 0, ++ SS_ALL_SPACES_SUPPORTED = 1, ++ SS_NOT_ALL_SPACES_SUPPORTED = 2 ++}; ++ ++// VSEC supported macro ++#define VSEC_FULLY_SUPPORTED(dev) \ ++ (((dev)->vendor_specific_cap) && ((dev)->spaces_support_status == SS_ALL_SPACES_SUPPORTED)) ++ ++static int _vendor_specific_sem(struct mst_dev_data* dev, int state) ++{ ++ u32 lock_val; ++ u32 counter = 0; ++ int retries = 0; ++ int ret; ++ ++ if (!state) ++ { // unlock ++ ret = pci_write_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_SEMAPHORE_OFFSET, 0); ++ if (ret) ++ return ret; ++ } ++ else ++ { // lock ++ do ++ { ++ if (retries > SEM_MAX_RETRIES) ++ return -1; ++ // read semaphore untill 0x0 ++ ret = pci_read_config_dword(dev->pci_dev, 
dev->vendor_specific_cap + PCI_SEMAPHORE_OFFSET, &lock_val); ++ if (ret) ++ return ret; ++ ++ if (lock_val) ++ { // semaphore is taken ++ retries++; ++ udelay(1000); // wait for current op to end ++ continue; ++ } ++ // read ticket ++ ret = pci_read_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_COUNTER_OFFSET, &counter); ++ if (ret) ++ return ret; ++ // write ticket to semaphore dword ++ ret = pci_write_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_SEMAPHORE_OFFSET, counter); ++ if (ret) ++ return ret; ++ // read back semaphore make sure ticket == semaphore else repeat ++ ret = pci_read_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_SEMAPHORE_OFFSET, &lock_val); ++ if (ret) ++ return ret; ++ retries++; ++ } while (counter != lock_val); ++ } ++ return 0; ++} ++ ++static int _wait_on_flag(struct mst_dev_data* dev, u8 expected_val) ++{ ++ int retries = 0; ++ int ret; ++ u32 flag; ++ ++ do ++ { ++ if (retries > IFC_MAX_RETRIES) ++ return -1; ++ ++ ret = pci_read_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_ADDR_OFFSET, &flag); ++ if (ret) ++ return ret; ++ ++ flag = EXTRACT(flag, PCI_FLAG_BIT_OFFS, 1); ++ retries++; ++ if ((retries & 0xf) == 0) ++ { // dont sleep always ++ // usleep_range(1,5); ++ } ++ } while (flag != expected_val); ++ return 0; ++} ++ ++static int _set_addr_space(struct mst_dev_data* dev, u16 space) ++{ ++ // read modify write ++ u32 val; ++ int ret; ++ ++ ret = pci_read_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_CTRL_OFFSET, &val); ++ if (ret) ++ return ret; ++ val = MERGE(val, space, PCI_SPACE_BIT_OFFS, PCI_SPACE_BIT_LEN); ++ ret = pci_write_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_CTRL_OFFSET, val); ++ if (ret) ++ return ret; ++ // read status and make sure space is supported ++ ret = pci_read_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_CTRL_OFFSET, &val); ++ if (ret) ++ return ret; ++ ++ if (EXTRACT(val, PCI_STATUS_BIT_OFFS, PCI_STATUS_BIT_LEN) == 0) ++ 
{ ++ // mst_err("CRSPACE %d is not supported !\n", space); ++ return -1; ++ } ++ // mst_err("CRSPACE %d is supported !\n", space); ++ return 0; ++} ++ ++static int _pciconf_rw(struct mst_dev_data* dev, unsigned int offset, u32* data, int rw) ++{ ++ int ret = 0; ++ u32 address = offset; ++ ++ // last 2 bits must be zero as we only allow 30 bits addresses ++ if (EXTRACT(address, 30, 2)) ++ return -1; ++ ++ address = MERGE(address, (rw ? 1 : 0), PCI_FLAG_BIT_OFFS, 1); ++ if (rw == WRITE_OP) ++ { ++ // write data ++ ret = pci_write_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_DATA_OFFSET, *data); ++ if (ret) ++ return ret; ++ // write address ++ ret = pci_write_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_ADDR_OFFSET, address); ++ if (ret) ++ return ret; ++ // wait on flag ++ ret = _wait_on_flag(dev, 0); ++ } ++ else ++ { ++ // write address ++ ret = pci_write_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_ADDR_OFFSET, address); ++ if (ret) ++ return ret; ++ // wait on flag ++ ret = _wait_on_flag(dev, 1); ++ // read data ++ ret = pci_read_config_dword(dev->pci_dev, dev->vendor_specific_cap + PCI_DATA_OFFSET, data); ++ if (ret) ++ return ret; ++ } ++ return ret; ++} ++ ++static int _send_pci_cmd_int(struct mst_dev_data* dev, int space, unsigned int offset, u32* data, int rw) ++{ ++ int ret = 0; ++ ++ // take semaphore ++ ret = _vendor_specific_sem(dev, 1); ++ if (ret) ++ return ret; ++ // set address space ++ ret = _set_addr_space(dev, space); ++ if (ret) ++ goto cleanup; ++ // read/write the data ++ ret = _pciconf_rw(dev, offset, data, rw); ++cleanup: ++ // clear semaphore ++ _vendor_specific_sem(dev, 0); ++ return ret; ++} ++ ++static int _block_op(struct mst_dev_data* dev, int space, unsigned int offset, int size, u32* data, int rw) ++{ ++ int i; ++ int ret = 0; ++ int wrote_or_read = size; ++ ++ if (size % 4) ++ return -1; ++ // lock semaphore and set address space ++ ret = _vendor_specific_sem(dev, 1); ++ if (ret) ++ return -1; 
++ // set address space
++ ret = _set_addr_space(dev, space);
++ if (ret)
++ {
++ wrote_or_read = -1;
++ goto cleanup;
++ }
++
++ for (i = 0; i < size; i += 4)
++ {
++ if (_pciconf_rw(dev, offset + i, &(data[(i >> 2)]), rw))
++ {
++ wrote_or_read = i;
++ goto cleanup;
++ }
++ }
++cleanup:
++ _vendor_specific_sem(dev, 0);
++ return wrote_or_read;
++}
++
++static int write4_vsec(struct mst_dev_data* dev, int addresss_domain, unsigned int offset, unsigned int data)
++{
++ int ret;
++
++ ret = _send_pci_cmd_int(dev, addresss_domain, offset, &data, WRITE_OP);
++ if (ret)
++ return -1;
++ return 0;
++}
++
++static int read4_vsec(struct mst_dev_data* dev, int address_space, unsigned int offset, unsigned int* data)
++{
++ int ret;
++ // mst_info("Read from VSEC: offset: %#x\n", offset);
++ ret = _send_pci_cmd_int(dev, address_space, offset, data, READ_OP);
++ if (ret)
++ return -1;
++ return 0;
++}
++
++int pciconf_read4_legacy(struct mst_dev_data* dev, unsigned int offset, unsigned int* data)
++{
++ int res = 0;
++ unsigned int new_offset = offset;
++ // mst_info("pciconf_read4_legacy: offset: %#x\n", offset);
++ if (dev->type != PCICONF)
++ return -1;
++ if (dev->wo_addr)
++ new_offset |= 0x1;
++ /* write the wanted address to addr register */
++ res = pci_write_config_dword(dev->pci_dev, dev->addr_reg, new_offset);
++ if (res)
++ {
++ mst_err("pci_write_config_dword failed\n");
++ return res;
++ }
++
++ /* read the result from data register */
++ res = pci_read_config_dword(dev->pci_dev, dev->data_reg, data);
++ if (res)
++ {
++ mst_err("pci_read_config_dword failed\n");
++ return res;
++ }
++ return 0;
++}
++
++int pciconf_write4_legacy(struct mst_dev_data* dev, unsigned int offset, unsigned int data)
++{
++ int res = 0;
++
++ if (dev->type != PCICONF)
++ return -1;
++ if (dev->wo_addr)
++ {
++ /*
++ * Write operation with new WO GW
++ * 1. Write data
++ * 2.
Write address
++ */
++
++ /* write the data to data register */
++ res = pci_write_config_dword(dev->pci_dev, dev->data_reg, data);
++ if (res)
++ {
++ mst_err("pci_write_config_dword failed\n");
++ return res;
++ }
++ /* write the destination address to addr register */
++ res = pci_write_config_dword(dev->pci_dev, dev->addr_reg, offset);
++ if (res)
++ {
++ mst_err("pci_write_config_dword failed\n");
++ return res;
++ }
++ }
++ else
++ {
++ /* write the destination address to addr register */
++ res = pci_write_config_dword(dev->pci_dev, dev->addr_reg, offset);
++ if (res)
++ {
++ mst_err("pci_write_conflig_dword failed\n");
++ return res;
++ }
++
++ /* write the data to data register */
++ res = pci_write_config_dword(dev->pci_dev, dev->data_reg, data);
++ if (res)
++ {
++ mst_err("pci_write_config_dword failed\n");
++ return res;
++ }
++ }
++ return 0;
++}
++
++static int write4_block_vsec(struct mst_dev_data* dev, int address_space, unsigned int offset, int size, u32* data)
++{
++ // mst_info("HERE %#x %#x %#x\n", address_space, offset, *data);
++ return _block_op(dev, address_space, offset, size, data, WRITE_OP);
++}
++
++static int read4_block_vsec(struct mst_dev_data* dev, int address_space, unsigned int offset, int size, u32* data)
++{
++ // mst_info("HERE %#x %#x %#x\n", address_space, offset, *data);
++ return _block_op(dev, address_space, offset, size, data, READ_OP);
++}
++
++static int get_space_support_status(struct mst_dev_data* dev)
++{
++ int ret;
++ // printk("[MST] Checking if the Vendor CAP %d supports the SPACES in devices\n", vend_cap);
++ if ((!dev->vendor_specific_cap) || (!dev->pci_dev))
++ return 0;
++ if (dev->spaces_support_status != SS_UNINITIALIZED)
++ return 0;
++ // take semaphore
++ ret = _vendor_specific_sem(dev, 1);
++ if (ret)
++ {
++ mst_err("Failed to lock VSEC semaphore\n");
++ return 1;
++ }
++
++ if (_set_addr_space(dev, AS_CR_SPACE))
++ {
++ capability_support_info_message(dev, CR_SPACE);
++ dev->spaces_support_status =
SS_NOT_ALL_SPACES_SUPPORTED;
++ }
++ else if (_set_addr_space(dev, AS_ICMD))
++ {
++ capability_support_info_message(dev, ICMD);
++ dev->spaces_support_status = SS_NOT_ALL_SPACES_SUPPORTED;
++ }
++ else if (_set_addr_space(dev, AS_SEMAPHORE))
++ {
++ capability_support_info_message(dev, SEMAPHORE);
++ dev->spaces_support_status = SS_NOT_ALL_SPACES_SUPPORTED;
++ }
++ else
++ {
++ dev->spaces_support_status = SS_ALL_SPACES_SUPPORTED;
++ }
++
++ // clear semaphore
++ _vendor_specific_sem(dev, 0);
++ return 0;
++}
++
++/********** WO GW ************/
++
++#define WO_REG_ADDR_DATA 0xbadacce5
++#define DEVID_OFFSET 0xf0014
++int is_wo_gw(struct pci_dev* pcidev, unsigned int addr_reg)
++{
++ int ret;
++ unsigned int data = 0;
++
++ ret = pci_write_config_dword(pcidev, addr_reg, DEVID_OFFSET);
++ if (ret)
++ return 0;
++ ret = pci_read_config_dword(pcidev, addr_reg, &data);
++ if (ret)
++ return 0;
++ if (data == WO_REG_ADDR_DATA)
++ return 1;
++ return 0;
++}
++
++/****************************************************/
++static int mst_open(struct inode* inode, struct file* file)
++{
++ struct mst_file_data* md = NULL;
++
++ md = kmalloc(sizeof(struct mst_connectx_wa), GFP_KERNEL);
++ if (!md)
++ return -ERESTARTSYS;
++
++ memset(md, 0, sizeof(struct mst_connectx_wa));
++
++ file->private_data = md;
++
++ return 0;
++}
++
++/****************************************************/
++static int mst_release(struct inode* inode, struct file* file)
++{
++ int res = 0;
++ struct mst_dev_data* dev = NULL;
++ struct mst_dev_data* cur = NULL;
++ unsigned int slot_mask;
++ struct mst_connectx_wa* md = file->private_data;
++
++ /*
++ * make sure the device is available since it
++ * could be removed by hotplug event
++ * if available grab its lock
++ */
++ list_for_each_entry(cur, &mst_devices, list)
++ {
++ if (cur->major == imajor(inode))
++ {
++ dev = cur;
++ mutex_lock(&dev->lock);
++ break;
++ }
++ }
++
++ if (!dev)
++ {
++ mst_err("failed to find device with major=%d\n",
imajor(inode));
++ res = -ENODEV;
++ goto out;
++ }
++
++ if (md->connectx_wa_slot_p1 != 0) {
++ slot_mask = ~(1 << (md->connectx_wa_slot_p1 - 1));
++ dev->connectx_wa_slots &= slot_mask;
++ }
++
++ /*
++ * mst_info("CONNECTX_WA: Released slot %u. Current slots: %02x\n",
++ * md->connectx_wa_slot_p1 - 1, dev->connectx_wa_slots);
++ */
++ md->connectx_wa_slot_p1 = 0;
++ mutex_unlock(&dev->lock);
++
++ kfree(file->private_data);
++ file->private_data = NULL;
++
++out:
++ return res;
++}
++
++static int page_pin(struct mst_dev_data* dev, struct page_info_st* page_info)
++{
++ unsigned long page_pointer_start = page_info->page_pointer_start;
++ unsigned int page_amount = page_info->page_amount;
++ unsigned int pages_size = page_amount * PAGE_SIZE;
++ unsigned long end_of_buffer = page_pointer_start + pages_size;
++ unsigned int gup_flags = FOLL_WRITE;
++ int page_mapped_counter = 0;
++ int page_counter = 0;
++ int total_pinned = 0;
++
++ // If the combination of the addr and size requested for this memory
++ // region causes an integer overflow, return error.
++ if (((end_of_buffer) < page_pointer_start) || PAGE_ALIGN(end_of_buffer) < (end_of_buffer) || page_amount < 1)
++ {
++ return -EINVAL;
++ }
++
++ // Check if we allow locking memory.
++ if (!can_do_mlock())
++ {
++ return -EPERM;
++ }
++
++ // Allocate the page list.
++ dev->dma_page.page_list = kcalloc(page_amount, sizeof(struct page*), GFP_KERNEL);
++ if (!dev->dma_page.page_list)
++ {
++ return -ENOMEM;
++ }
++
++ // Go over the user memory buffer and pin user pages in memory.
++ while (total_pinned < page_amount)
++ {
++ // Save the current number of pages to pin
++ int num_pages = page_amount - total_pinned;
++
++ // Save the current pointer to the right offset.
++ uint64_t current_ptr = page_pointer_start + (total_pinned * PAGE_SIZE);
++
++ // Save the current page.
++ struct page** current_pages = dev->dma_page.page_list + total_pinned;
++
++ // Attempt to pin user pages in memory.
++ // Returns number of pages pinned - this may be fewer than the number requested
++ // or -errno in case of error.
++ int pinned_pages = get_user_pages_fast(current_ptr, num_pages, gup_flags, current_pages);
++ if (pinned_pages < 1)
++ {
++ kfree(dev->dma_page.page_list);
++ return -EFAULT;
++ }
++
++ // When the parameter 'inter_iommu' is on, we need to set up
++ // a mapping on a pages in order to access the physical address
++ while (page_mapped_counter < pinned_pages)
++ {
++ int current_page = total_pinned + page_mapped_counter;
++
++ // Get the dma address.
++ dev->dma_page.dma_addr[current_page] =
++ dma_map_page(&dev->pci_dev->dev, current_pages[current_page], 0, PAGE_SIZE, DMA_BIDIRECTIONAL);
++ // Do we get a valid dma address ?
++ if (dma_mapping_error(&dev->pci_dev->dev, dev->dma_page.dma_addr[current_page]))
++ {
++ printk(KERN_ERR "Failed to get DMA addresses\n");
++ return -EINVAL;
++ }
++
++ page_info->page_address_array[current_page].dma_address = dev->dma_page.dma_addr[current_page];
++
++ page_mapped_counter++;
++ }
++
++ // Advance the memory that already pinned.
++ total_pinned += pinned_pages;
++ }
++
++ // There is a page that not pinned in the kernel space ?
++ if (total_pinned != page_amount)
++ {
++ return -EFAULT;
++ }
++
++ // Print the pages to the dmesg.
++ for (page_counter = 0; page_counter < page_amount; page_counter++)
++ {
++ printk(KERN_INFO "Page address structure number: %d, device: %04x:%02x:%02x.%0x\n", page_counter,
++ pci_domain_nr(dev->pci_dev->bus), dev->pci_dev->bus->number, PCI_SLOT(dev->pci_dev->devfn),
++ PCI_FUNC(dev->pci_dev->devfn));
++ }
++
++ return 0;
++}
++
++static int page_unpin(struct mst_dev_data* dev, struct page_info_st* page_info)
++{
++ int page_counter;
++
++ // Check if the page list is allocated.
++ if (!dev || !dev->dma_page.page_list)
++ {
++ return -EINVAL;
++ }
++
++ // Deallocate the pages.
++ for (page_counter = 0; page_counter < page_info->page_amount; page_counter++)
++ {
++ // DMA activity is finished.
++ dma_unmap_page(&dev->pci_dev->dev, dev->dma_page.dma_addr[page_counter], PAGE_SIZE, DMA_BIDIRECTIONAL);
++
++ // Release the page list.
++ set_page_dirty(dev->dma_page.page_list[page_counter]);
++ put_page(dev->dma_page.page_list[page_counter]);
++ dev->dma_page.page_list[page_counter] = NULL;
++ dev->dma_page.dma_addr[page_counter] = 0;
++
++ printk(KERN_INFO "Page structure number: %d was released. device:%04x:%02x:%02x.%0x\n", page_counter,
++ pci_domain_nr(dev->pci_dev->bus), dev->pci_dev->bus->number, PCI_SLOT(dev->pci_dev->devfn),
++ PCI_FUNC(dev->pci_dev->devfn));
++ }
++
++ // All the pages are clean.
++ dev->dma_page.page_list = NULL;
++
++ return 0;
++}
++
++static int read_dword_from_config_space(struct mst_dev_data* dev, struct read_dword_from_config_space* read_from_cspace)
++{
++ int ret = 0;
++
++ // take semaphore
++ ret = _vendor_specific_sem(dev, 1);
++ if (ret)
++ {
++ return ret;
++ }
++
++ // Read dword from config space
++ ret = pci_read_config_dword(dev->pci_dev, read_from_cspace->offset, &read_from_cspace->data);
++ if (ret)
++ {
++ goto cleanup;
++ }
++
++cleanup:
++ // clear semaphore
++ _vendor_specific_sem(dev, 0);
++ return ret;
++}
++
++/****************************************************/
++static ssize_t mst_read(struct file* file, char* buf, size_t count, loff_t* f_pos)
++{
++ mst_err("not implemented\n");
++ return 0;
++}
++
++/****************************************************/
++static ssize_t mst_write(struct file* file, const char* buf, size_t count, loff_t* f_pos)
++{
++ mst_err("not implemented\n");
++ return 0;
++}
++
++/****************************************************/
++static inline void print_opcode(void)
++{
++ mst_info("MST_PARAMS=%lx\n", MST_PARAMS);
++
++ mst_info("PCICONF_READ4=%lx\n", PCICONF_READ4);
++ mst_info("PCICONF_WRITE4=%lx\n", PCICONF_WRITE4);
++ mst_info("PCIMEM_READ4=%lx\n",
PCIMEM_READ4);
++ mst_info("PCIMEM_WRITE4=%lx\n", PCIMEM_WRITE4);
++
++ mst_info("PCIMEM_READ_BLOCK=%lx\n", PCIMEM_READ_BLOCK);
++ mst_info("PCIMEM_WRITE_BLOCK=%lx\n", PCIMEM_WRITE_BLOCK);
++
++ mst_info("PCICONF_INIT=%lx\n", PCICONF_INIT);
++ mst_info("PCICONF_STOP=%x\n", PCICONF_STOP);
++
++ mst_info("PCIMEM_INIT=%lx\n", PCIMEM_INIT);
++ mst_info("PCIMEM_STOP=%x\n", PCIMEM_STOP);
++
++ mst_info("PCI_CONNECTX_WA=%lx\n", PCI_CONNECTX_WA);
++
++ mst_info("PCICONF_VPD_READ4=%lx\n", PCICONF_VPD_READ4);
++ mst_info("PCICONF_VPD_WRITE4=%lx\n", PCICONF_VPD_WRITE4);
++}
++
++/****************************************************/
++/*
++ * mst_ioctl
++ *
++ * @opcode:
++ * MST_PARAMS - get the device parameters
++ *
++ * PCICONF_READ4 - read 4 bytes from configuration space
++ * PCICONF_WRITE4 - write 4 bytes to configuration space
++ * PCIMEM_READ4 - read 4 bytes from memory access
++ * PCIMEM_WRITE4 - write 4 bytes to memory access
++ *
++ * PCIMEM_READ_BLOCK - read a block of data from pci memory,
++ * size is expressed as num of unsigned integers
++ * PCIMEM_WRITE_BLOCK - write a block of data to pci memory,
++ * size is expressed as num of unsigned integers
++
++ * PCICONF_INIT - initialize a new PCICONF device
++ * PCICONF_STOP - stop a PCICONF device
++ *
++ * PCIMEM_INIT - initialize a new PCIMEM device
++ * PCIMEM_STOP - stop a PCIMEM device
++ *
++ * PCI_CONNECTX_WA - connectx workaround for
++ * pci reads passing writes
++ *
++ * RETURN VALUE:
++ * 0 upon success
++ * -EINVAL if opcode is invalid
++ * -ENODEV if device is not initialized
++ * -EPERM if operation does not match device type
++ * -EFAULT if there was a problem with hardware operation
++ *
++ */
++static int mst_ioctl(struct inode* inode, struct file* file, unsigned int opcode, unsigned long input)
++{
++ int res = 0;
++ struct mst_dev_data* dev = NULL;
++ struct mst_dev_data* cur = NULL;
++ void* user_buf = (void*)input;
++
++ /*
++ * In MEM mapped data flow there is no need to lock the semaphore.
++ * Since the HW handles the requests in PCI level thus no need
++ * for serializing (HW is capable of handling parallel requests)
++ */
++#define IS_LOCK_NEEDED(dev) (!(dev->type == PCIMEM && (opcode == MST_READ4 || opcode == MST_WRITE4)))
++
++ /*
++ * make sure the device is available since it
++ * could be removed by hotplug event
++ * if available grab its lock
++ */
++ list_for_each_entry(cur, &mst_devices, list)
++ {
++ if (cur->major == imajor(inode))
++ {
++ dev = cur;
++ if (IS_LOCK_NEEDED(dev))
++ mutex_lock(&dev->lock);
++ break;
++ }
++ }
++
++ if (!dev)
++ {
++ mst_err("failed to find device with major=%d\n", imajor(inode));
++ res = -ENODEV;
++ goto fin_err;
++ }
++
++ switch (opcode)
++ {
++ case MST_PARAMS:
++ {
++ struct mst_params paramst;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++ // best effort : try to get space spport status if we fail assume we got vsec support.
++ get_space_support_status(dev);
++ paramst.domain = pci_domain_nr(dev->pci_dev->bus);
++ paramst.bus = dev->pci_dev->bus->number;
++ paramst.slot = PCI_SLOT(dev->pci_dev->devfn);
++ paramst.func = PCI_FUNC(dev->pci_dev->devfn);
++ paramst.bar = dev->bar;
++ paramst.device = dev->pci_dev->device;
++ paramst.vendor = dev->pci_dev->vendor;
++ paramst.subsystem_device = dev->pci_dev->subsystem_device;
++ paramst.subsystem_vendor = dev->pci_dev->subsystem_vendor;
++ if (dev->vendor_specific_cap && (dev->spaces_support_status == SS_ALL_SPACES_SUPPORTED ||
++ dev->spaces_support_status == SS_UNINITIALIZED))
++ {
++ // assume supported if SS_UNINITIALIZED (since semaphore is locked)
++ paramst.vendor_specific_cap = dev->vendor_specific_cap;
++ }
++ else
++ {
++ paramst.vendor_specific_cap = 0;
++ }
++ if (copy_to_user(user_buf, ¶mst, sizeof(struct mst_params)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++ break;
++ }
++
++ case MST_READ4:
++ {
++ u32 out;
++ u32* dataout = NULL;
++ struct mst_read4_st readst;
++
++ if
(!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (copy_from_user(&readst, user_buf, sizeof(struct mst_read4_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ switch (dev->type)
++ {
++ case PCICONF:
++ if (get_space_support_status(dev))
++ {
++ res = -EBUSY;
++ goto fin;
++ }
++
++ if (VSEC_FULLY_SUPPORTED(dev))
++ res = read4_vsec(dev, readst.address_space, readst.offset, &out);
++ else
++ res = pciconf_read4_legacy(dev, readst.offset, &out);
++ if (res)
++ goto fin;
++ break;
++
++ case PCIMEM:
++ if ((readst.offset + sizeof(u32)) > MST_MEMORY_SIZE)
++ {
++ mst_err("accessing invalid address\n");
++ res = -EINVAL;
++ goto fin;
++ }
++
++ /* read from hardware */
++ out = ioread32(dev->hw_addr + readst.offset);
++
++ /* endianness conversion - we noticed that we need to swap always */
++ be32_to_cpus(&out);
++ out = cpu_to_le32(out);
++ break;
++ }
++
++ /* retrieve to user */
++ dataout = &((struct mst_read4_st*)user_buf)->data;
++ if (copy_to_user(dataout, &out, sizeof(u32)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++ break;
++ }
++
++ case MST_WRITE4:
++ {
++ struct mst_write4_st writest;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (copy_from_user(&writest, user_buf, sizeof(struct mst_write4_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ switch (dev->type)
++ {
++ case PCICONF:
++ if (get_space_support_status(dev))
++ {
++ res = -EBUSY;
++ goto fin;
++ }
++ if (VSEC_FULLY_SUPPORTED(dev))
++ res = write4_vsec(dev, writest.address_space, writest.offset, writest.data);
++ else
++ res = pciconf_write4_legacy(dev, writest.offset, writest.data);
++ break;
++
++ case PCIMEM:
++ if ((writest.offset + sizeof(u32)) > MST_MEMORY_SIZE)
++ {
++ mst_err("Accesing invalid address\n");
++ res = -EINVAL;
++ goto fin;
++ }
++
++ /* endianness conversion - we noticed that we need to swap always */
++ cpu_to_be32s(&(writest.data));
++ writest.data = cpu_to_le32(writest.data);
++
++ /* write to hardware */
++ iowrite32(writest.data, dev->hw_addr + writest.offset);
++ break;
++ }
++
++ break;
++ }
++
++ case PCIMEM_READ_BLOCK:
++ {
++ int i = 0;
++ u32* data = NULL;
++ u32* dataout = NULL;
++ struct mst_read_block_st readst;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCIMEM)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (copy_from_user(&readst, user_buf, sizeof(struct mst_read_block_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ if (readst.size % sizeof(u32))
++ {
++ mst_err("invalid size. size should be in bytes and divide sizeof(u32)\n");
++ res = -EINVAL;
++ goto fin;
++ }
++
++ if ((readst.offset + readst.size) > MST_MEMORY_SIZE)
++ {
++ mst_err("accessing invalid address\n");
++ res = -EINVAL;
++ goto fin;
++ }
++
++ data = kzalloc(readst.size, GFP_KERNEL);
++ if (!data)
++ {
++ res = -ENOMEM;
++ goto fin;
++ }
++
++ /* read from hardware */
++ memcpy_fromio(data, dev->hw_addr + readst.offset, readst.size);
++
++ /* endianness conversion */
++ for (i = 0; i < (readst.size / sizeof(u32)); ++i)
++ be32_to_cpus(&(data[i]));
++
++ /* retrieve to user */
++ dataout = ((struct mst_read_block_st*)user_buf)->data;
++ if (copy_to_user(dataout, data, readst.size))
++ {
++ res = -EFAULT;
++ kfree(data);
++ goto fin;
++ }
++
++ kfree(data);
++ break;
++ }
++
++ case PCIMEM_WRITE_BLOCK:
++ {
++ int i = 0;
++ struct mst_write_block_st writest;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCIMEM)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (copy_from_user(&writest, user_buf, sizeof(struct mst_write_block_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ if (writest.size % sizeof(u32))
++ {
++ mst_err("invalid size.
size should be in bytes and divide sizeof(u32)\n");
++ res = -EINVAL;
++ goto fin;
++ }
++
++ if ((writest.offset + writest.size) > MST_MEMORY_SIZE)
++ {
++ mst_err("accessing invalid address\n");
++ res = -EINVAL;
++ goto fin;
++ }
++
++ /* endianness conversion */
++ for (i = 0; i < (writest.size / sizeof(u32)); ++i)
++ cpu_to_be32s(&(writest.data[i]));
++
++ /* write to hardware */
++ memcpy_toio(dev->hw_addr + writest.offset, writest.data, writest.size);
++
++ break;
++ }
++
++ case PCICONF_READ4_BUFFER:
++ {
++ struct mst_read4_buffer_st read4_buf;
++ struct mst_read4_buffer_st* rb_udata = (struct mst_read4_buffer_st*)user_buf;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCICONF)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (get_space_support_status(dev))
++ {
++ res = -EBUSY;
++ goto fin;
++ }
++
++ if (dev->spaces_support_status != SS_ALL_SPACES_SUPPORTED)
++ {
++ res = -EOPNOTSUPP;
++ goto fin;
++ }
++
++ if (copy_from_user(&read4_buf, user_buf, sizeof(read4_buf)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ res = read4_block_vsec(dev, read4_buf.address_space, read4_buf.offset, read4_buf.size, read4_buf.data);
++ if (res != read4_buf.size)
++ goto fin;
++
++ res = copy_to_user(rb_udata, &read4_buf, sizeof(read4_buf)) ?
-EFAULT : read4_buf.size;
++ goto fin;
++ }
++ case PCICONF_WRITE4_BUFFER:
++ {
++ struct mst_write4_buffer_st write4_buf;
++ struct mst_write4_buffer_st* wb_udata = (struct mst_write4_buffer_st*)user_buf;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCICONF)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (get_space_support_status(dev))
++ {
++ res = -EBUSY;
++ goto fin;
++ }
++
++ if (dev->spaces_support_status != SS_ALL_SPACES_SUPPORTED)
++ {
++ res = -EOPNOTSUPP;
++ goto fin;
++ }
++
++ if (copy_from_user(&write4_buf, user_buf, sizeof(write4_buf)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ res = write4_block_vsec(dev, write4_buf.address_space, write4_buf.offset, write4_buf.size, write4_buf.data);
++ if (res != write4_buf.size)
++ goto fin;
++
++ res = copy_to_user(wb_udata, &write4_buf, sizeof(write4_buf)) ? -EFAULT : write4_buf.size;
++ goto fin;
++ }
++ case PCICONF_INIT:
++ {
++ struct mst_pciconf_init_st initst;
++
++ if (dev->initialized)
++ {
++ mst_err("device already initialized\n");
++ res = ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCICONF)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (copy_from_user(&initst, user_buf, sizeof(struct mst_pciconf_init_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ dev->addr_reg = initst.addr_reg;
++ dev->data_reg = initst.data_reg;
++
++ dev->wo_addr = is_wo_gw(dev->pci_dev, initst.addr_reg);
++ dev->vendor_specific_cap = pci_find_capability(dev->pci_dev, MLNX_VENDOR_SPECIFIC_CAP_ID);
++ // mst_info("VSEC SUPP: %#x\n", dev->vendor_specific_cap);
++ dev->spaces_support_status = SS_UNINITIALIZED; // init on first op
++
++ dev->initialized = 1;
++ break;
++ }
++
++ case PCICONF_STOP:
++ {
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCICONF)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ dev->initialized = 0;
++ break;
++ }
++
++ case PCIMEM_INIT:
++ {
++ struct mst_mem_init_st initst;
++ unsigned long resource_start;
++
++ if (dev->initialized)
++ {
++ mst_err("device already initialized\n");
++ res = ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCIMEM)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (copy_from_user(&initst, user_buf, sizeof(struct mst_mem_init_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ /* unmap previously mapped device if it was not stopped properly */
++ if (dev->hw_addr)
++ {
++ iounmap(cur->hw_addr);
++ dev->hw_addr = NULL;
++ }
++
++ dev->bar = initst.bar;
++ resource_start = pci_resource_start(dev->pci_dev, dev->bar);
++
++ dev->hw_addr = ioremap(resource_start, MST_MEMORY_SIZE);
++
++ if (dev->hw_addr <= 0)
++ {
++ mst_err("could not map device memory\n");
++ res = -EFAULT;
++ goto fin;
++ }
++
++ dev->initialized = 1;
++ break;
++ }
++
++ case PCIMEM_STOP:
++ {
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCIMEM)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (cur->hw_addr)
++ iounmap(cur->hw_addr);
++
++ cur->hw_addr = NULL;
++ dev->initialized = 0;
++ break;
++ }
++
++ case PCI_CONNECTX_WA:
++ {
++ struct mst_connectx_wa* md = file->private_data;
++ unsigned int slot_mask;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = -ENODEV;
++ goto fin;
++ }
++
++ /* slot exists */
++ if (md->connectx_wa_slot_p1)
++ {
++ mst_err("slot exits for file %s, slot:0x%x\n", dev->name, md->connectx_wa_slot_p1);
++ res = -EPERM;
++ goto fin;
++ }
++
++ /* find first un(set) bit.
and remember the slot */
++ md->connectx_wa_slot_p1 = ffs(~dev->connectx_wa_slots);
++ if (md->connectx_wa_slot_p1 == 0 || md->connectx_wa_slot_p1 > CONNECTX_WA_SIZE)
++ {
++ res = -ENOLCK;
++ goto fin;
++ }
++
++ slot_mask = 1 << (md->connectx_wa_slot_p1 - 1);
++ /* set the slot as taken */
++ dev->connectx_wa_slots |= slot_mask;
++
++ /*
++ * mst_info("CONNECTX_WA: Took slot %u. Current slots: %02x\n",
++ * md->connectx_wa_slot_p1 - 1, dev->connectx_wa_slots);
++ */
++ if (copy_to_user(user_buf, md, sizeof(struct mst_connectx_wa)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++ break;
++ }
++
++ case PCICONF_VPD_READ4:
++ {
++ u32 out;
++ u32* dataout = NULL;
++ struct mst_vpd_read4_st readst;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCICONF)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (copy_from_user(&readst, user_buf, sizeof(struct mst_vpd_read4_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ res = pci_read4_vpd(dev, readst.timeout, readst.offset, &out);
++ if (res)
++ goto fin;
++
++ /* retrieve to user - we noticed that we need to swap always */
++ dataout = &((struct mst_vpd_read4_st*)user_buf)->data;
++ out = le32_to_cpu(out);
++ if (copy_to_user(dataout, &out, sizeof(u32)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++ break;
++ }
++
++ case PCICONF_VPD_WRITE4:
++ {
++ struct mst_vpd_write4_st writest;
++
++ if (!dev->initialized)
++ {
++ mst_err("device is not initialized\n");
++ res = ENODEV;
++ goto fin;
++ }
++
++ if (dev->type != PCICONF)
++ {
++ mst_err("wrong type for device\n");
++ res = -EPERM;
++ goto fin;
++ }
++
++ if (copy_from_user(&writest, user_buf, sizeof(struct mst_vpd_write4_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++ writest.data = le32_to_cpu(writest.data);
++ res = pci_write4_vpd(dev, writest.timeout, writest.offset, writest.data);
++ if (res)
++ goto fin;
++ break;
++ }
++ case
PCICONF_GET_DMA_PAGES:
++ case PCICONF_RELEASE_DMA_PAGES:
++ {
++ struct page_info_st page_info;
++
++ // Device validation.
++ if (!dev->initialized || !dev->pci_dev)
++ {
++ res = -ENOTTY;
++ goto fin;
++ }
++
++ // Copy the page info structure from the user space.
++ if (copy_from_user(&page_info, user_buf, sizeof(struct page_info_st)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ if (opcode == PCICONF_GET_DMA_PAGES)
++ {
++ res = page_pin(dev, &page_info);
++ if (res)
++ {
++ goto fin;
++ }
++
++ // Return the physical address to the user.
++ if (copy_to_user(user_buf, &page_info, sizeof(struct page_info_st)) != 0)
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++ }
++ else
++ {
++ res = page_unpin(dev, &page_info);
++ }
++
++ break;
++ }
++ case PCICONF_READ_DWORD_FROM_CONFIG_SPACE:
++ {
++ struct read_dword_from_config_space read_from_cspace;
++
++ // Device validation.
++ if (!dev->initialized || !dev->pci_dev)
++ {
++ res = -ENOTTY;
++ goto fin;
++ }
++
++ // Copy the page info structure from the user space.
++ if (copy_from_user(&read_from_cspace, user_buf, sizeof(struct read_dword_from_config_space)))
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ res = read_dword_from_config_space(dev, &read_from_cspace);
++ if (res)
++ {
++ goto fin;
++ }
++ // Return the physical address to the user.
++ if (copy_to_user(user_buf, &read_from_cspace, sizeof(struct read_dword_from_config_space)) != 0)
++ {
++ res = -EFAULT;
++ goto fin;
++ }
++
++ break;
++ }
++
++ default:
++ {
++ mst_err("incorrect opcode = %x available opcodes:\n", opcode);
++ print_opcode();
++ res = -EINVAL;
++ break;
++ }
++ }
++
++fin:
++ if (IS_LOCK_NEEDED(dev))
++ mutex_unlock(&dev->lock);
++fin_err:
++ return res;
++}
++
++static long unlocked_ioctl(struct file* f, unsigned int o, unsigned long d)
++{
++#if KERNEL_VERSION(3, 18, 0) > LINUX_VERSION_CODE
++ struct inode* n = f->f_dentry->d_inode;
++#else
++ struct inode* n = f->f_path.dentry->d_inode;
++#endif
++
++ return mst_ioctl(n, f, o, d);
++}
++
++/****************************************************/
++static inline const char* dev_type_to_str(enum dev_type type)
++{
++ switch (type)
++ {
++ case PCICONF:
++ return "PCICONF";
++ case PCIMEM:
++ return "PCIMEM";
++ default:
++ return "UNKNOWN";
++ }
++}
++
++/****************************************************/
++static const struct file_operations mst_fops = {
++ .read = mst_read,
++ .write = mst_write,
++ .unlocked_ioctl = unlocked_ioctl,
++ .open = mst_open,
++ .release = mst_release,
++ .owner = THIS_MODULE,
++};
++
++static struct mst_dev_data* mst_device_create(enum dev_type type, struct pci_dev* pdev)
++{
++ struct mst_dev_data* dev = NULL;
++ char dbdf[20];
++
++ dev = kzalloc(sizeof(struct mst_dev_data), GFP_KERNEL);
++ if (!dev)
++ return NULL;
++
++ sprintf(dbdf, "%4.4x:%2.2x:%2.2x.%1.1x", pci_domain_nr(pdev->bus), pdev->bus->number, PCI_SLOT(pdev->devfn),
++ PCI_FUNC(pdev->devfn));
++ switch (type)
++ {
++ case PCICONF:
++ dev->addr_reg = MST_CONF_ADDR_REG;
++ dev->data_reg = MST_CONF_DATA_REG;
++ dev->bar = 0; /* invalid */
++ dev->hw_addr = NULL; /* invalid */
++ snprintf(dev->name, MST_NAME_SIZE, "%s" MST_PCICONF_DEVICE_NAME, dbdf);
++
++ break;
++ case PCIMEM:
++ dev->addr_reg = 0; /* invalid */
++ dev->data_reg = 0; /* invalid */
++ dev->bar = 0;
++ dev->hw_addr =
ioremap(pci_resource_start(pdev, dev->bar), MST_MEMORY_SIZE);
++ if (dev->hw_addr <= 0)
++ {
++ mst_err("could not map device memory, BAR: %x\n", dev->bar);
++ goto out;
++ }
++
++ snprintf(dev->name, MST_NAME_SIZE, "%s" MST_PCIMEM_DEVICE_NAME, dbdf);
++ break;
++ default:
++ mst_err("failed to %s, unknown device type 0x%x\n", __func__, dev->type);
++ goto out;
++ }
++
++ dev->type = type;
++ dev->pci_dev = pdev;
++ mutex_init(&dev->lock);
++
++ dev->vpd_cap_addr = pci_find_capability(pdev, PCI_CAP_ID_VPD);
++
++ if (alloc_chrdev_region(&dev->my_dev, 0, 1, dev->name))
++ mst_err("failed to allocate chrdev_region\n");
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0)
++ dev->cl = class_create(dev->name);
++#else
++ dev->cl = class_create(THIS_MODULE, dev->name);
++#endif
++ if (dev->cl == NULL)
++ {
++ pr_alert("Class creation failed\n");
++ unregister_chrdev_region(dev->my_dev, 1);
++ goto out;
++ }
++
++ if (device_create(dev->cl, NULL, dev->my_dev, NULL, dev->name) == NULL)
++ {
++ pr_alert("Device creation failed\n");
++ class_destroy(dev->cl);
++ unregister_chrdev_region(dev->my_dev, 1);
++ goto out;
++ }
++
++ dev->major = MAJOR(dev->my_dev);
++ cdev_init(&dev->mcdev, &mst_fops);
++ cdev_add(&dev->mcdev, dev->my_dev, 1); // TODO check if cdev_add fails
++
++ if (type == PCICONF)
++ {
++ /*
++ * Initialize 5th Gen attributes
++ */
++ dev->wo_addr = is_wo_gw(dev->pci_dev, MST_CONF_ADDR_REG);
++ dev->vendor_specific_cap = pci_find_capability(dev->pci_dev, MLNX_VENDOR_SPECIFIC_CAP_ID);
++ // mst_info("VSEC SUPP: %#x\n", dev->vendor_specific_cap);
++ dev->spaces_support_status = SS_UNINITIALIZED; // init on first op
++ }
++ dev->initialized = 1;
++ list_add_tail(&dev->list, &mst_devices);
++
++ return dev;
++out:
++ kfree(dev);
++ return NULL;
++}
++
++static void mst_device_destroy(struct mst_dev_data* dev)
++{
++ if (dev->hw_addr)
++ iounmap(dev->hw_addr);
++
++ cdev_del(&dev->mcdev);
++ device_destroy(dev->cl, dev->my_dev);
++ class_destroy(dev->cl);
++
unregister_chrdev_region(dev->my_dev, 1); ++ list_del(&dev->list); ++ kfree(dev); ++} ++ ++/****************************************************/ ++static int __init mst_init(void) ++{ ++ struct pci_dev* pdev = NULL; ++ struct mst_dev_data* dev = NULL; ++ ++ mst_info("%s - version %s\n", mst_driver_string, mst_driver_version); ++ ++ while ((pdev = pci_get_device(MST_MELLANOX_PCI_VENDOR, PCI_ANY_ID, pdev)) != NULL) ++ { ++ if (!pci_match_id(supported_pci_devices, pdev) && !pci_match_id(mst_livefish_pci_table, pdev)) ++ continue; ++ ++ if (pdev->is_virtfn) ++ continue; ++ ++ /* found new device */ ++ mst_info("found device - domain=0x%x, bus=0x%x, slot=0x%x, func=0x%x, vendor=0x%x, device=0x%x\n", ++ pci_domain_nr(pdev->bus), pdev->bus->number, PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn), ++ pdev->vendor, pdev->device); ++ ++ /* create PCICONF for this device */ ++ dev = mst_device_create(PCICONF, pdev); ++ if (!dev) ++ mst_err("failed to mst_device_create\n"); ++ continue; /* PCICONF creation failed, no point creating a PCIMEM device */ ++ ++ /* ++ * for livefish devices we only allocate PCICONF ++ * for non livefish both PCICONF and PCIMEM ++ */ ++ if (!pci_match_id(mst_livefish_pci_table, pdev) && pci_match_id(mst_bar_pci_table, pdev)) ++ { ++ /* create new mst_device for PCIMEM */ ++ dev = mst_device_create(PCIMEM, pdev); ++ if (!dev) ++ { ++ mst_err("failed to mst_device_create\n"); ++ continue; ++ } ++ } ++ } ++ ++ return 0; ++} ++ ++static void __exit mst_cleanup(void) ++{ ++ struct mst_dev_data *cur, *temp; ++ ++ /* free all mst_devices */ ++ list_for_each_entry_safe(cur, temp, &mst_devices, list) { mst_device_destroy(cur); } ++} ++ ++/****************************************************/ ++module_init(mst_init); ++module_exit(mst_cleanup); ++ +diff --git a/drivers/misc/mstflint/mst_vpd.c b/drivers/misc/mstflint/mst_vpd.c +new file mode 100644 +index 0000000000000..4b4c68fcbce78 +--- /dev/null ++++ b/drivers/misc/mstflint/mst_vpd.c +@@ -0,0 +1,164 @@ ++/* ++ 
* Copyright (c) 2021 NVIDIA CORPORATION & AFFILIATES. ALL RIGHTS RESERVED. ++ * ++ * This software is available to you under a choice of one of two ++ * licenses. You may choose to be licensed under the terms of the GNU ++ * General Public License (GPL) Version 2, available from the file ++ * COPYING in the main directory of this source tree, or the ++ * OpenIB.org BSD license below: ++ * ++ * Redistribution and use in source and binary forms, with or ++ * without modification, are permitted provided that the following ++ * conditions are met: ++ * ++ * - Redistributions of source code must retain the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer. ++ * ++ * - Redistributions in binary form must reproduce the above ++ * copyright notice, this list of conditions and the following ++ * disclaimer in the documentation and/or other materials ++ * provided with the distribution. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS ++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN ++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. 
++ */ ++#include ++#include ++#include "mst_kernel.h" ++ ++/****************************************************/ ++int pci_read4_vpd(struct mst_dev_data* dev, unsigned int timeout, unsigned int offset, u32* buf) ++{ ++ struct pci_dev* pci_dev = dev->pci_dev; ++ int vpd_cap = dev->vpd_cap_addr; ++ unsigned long end; ++ uint16_t addr; ++ int done, res = 0; ++ ++ if (!vpd_cap) ++ { ++ mst_err("device %s not support Vital Product Data\n", dev->name); ++ return -ENODEV; ++ } ++ ++ if (!timeout) ++ timeout = MST_VPD_DEFAULT_TOUT; ++ ++ /* sets F bit to zero and write VPD addr */ ++ addr = (0x7fff & offset); ++ res = pci_write_config_word(pci_dev, vpd_cap + PCI_VPD_ADDR, addr); ++ if (res) ++ { ++ mst_err("pci_write_config_dword failed\n"); ++ return res; ++ } ++ ++ /* wait for data until F bit is set with one */ ++ addr = 0x0; ++ done = 0; ++ ++ end = msecs_to_jiffies(timeout) + jiffies; ++ while (time_before(jiffies, end)) ++ { ++ res = pci_read_config_word(pci_dev, vpd_cap + PCI_VPD_ADDR, &addr); ++ if (res) ++ { ++ mst_err("pci_read_config_word failed\n"); ++ return res; ++ } ++ ++ if (addr & 0x8000) ++ { ++ done = 1; ++ break; ++ } ++ ++ cond_resched(); ++ } ++ ++ if (!done) ++ return -ETIMEDOUT; ++ ++ /* read data */ ++ res = pci_read_config_dword(pci_dev, vpd_cap + PCI_VPD_DATA, buf); ++ if (res) ++ { ++ mst_err("pci_read_config_word failed\n"); ++ return res; ++ } ++ ++ return res; ++} ++EXPORT_SYMBOL(pci_read4_vpd); ++ ++int pci_write4_vpd(struct mst_dev_data* dev, unsigned int timeout, unsigned int offset, u32 buf) ++{ ++ struct pci_dev* pci_dev = dev->pci_dev; ++ int vpd_cap = dev->vpd_cap_addr; ++ unsigned long end; ++ uint16_t addr; ++ int done, res = 0; ++ ++ if (!vpd_cap) ++ { ++ mst_err("device %s not support Vital Product Data\n", dev->name); ++ return -ENODEV; ++ } ++ ++ if (!timeout) ++ timeout = MST_VPD_DEFAULT_TOUT; ++ ++ /* write data */ ++ res = pci_write_config_dword(pci_dev, vpd_cap + PCI_VPD_DATA, buf); ++ if (res) ++ { ++ 
mst_err("pci_read_config_word failed\n"); ++ return res; ++ } ++ ++ /* sets F bit to one and write VPD addr */ ++ addr = 0x8000 | (0x7ffff & offset); ++ res = pci_write_config_word(pci_dev, vpd_cap + PCI_VPD_ADDR, addr); ++ if (res) ++ { ++ mst_err("pci_write_config_dword failed\n"); ++ return res; ++ } ++ ++ /* wait for data until F bit is set with zero */ ++ addr = 0x0; ++ done = 0; ++ ++ end = msecs_to_jiffies(timeout) + jiffies; ++ while (time_before(jiffies, end)) ++ { ++ res = pci_read_config_word(pci_dev, vpd_cap + PCI_VPD_ADDR, &addr); ++ if (res) ++ { ++ mst_err("pci_read_config_word failed\n"); ++ return res; ++ } ++ ++ if (!(addr & 0x8000)) ++ { ++ done = 1; ++ break; ++ } ++ ++ cond_resched(); ++ } ++ ++ if (!done) ++ return -ETIMEDOUT; ++ ++ return res; ++} ++EXPORT_SYMBOL(pci_write4_vpd); ++ diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 833f01ec792..96772523c03 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -2206,6 +2206,7 @@ CONFIG_VMWARE_VMCI=m # CONFIG_MISC_RTSX_USB is not set # CONFIG_UACCE is not set # CONFIG_PVPANIC is not set +CONFIG_MSTFLINT=m # CONFIG_GP_PCI1XXXX is not set # end of Misc devices diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index ade3cb751d2..42472ccb263 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -2723,6 +2723,7 @@ CONFIG_CB710_DEBUG_ASSUMPTIONS=y # CONFIG_MISC_RTSX_USB is not set # CONFIG_UACCE is not set # CONFIG_PVPANIC is not set +CONFIG_MSTFLINT=m # CONFIG_GP_PCI1XXXX is not set # end of Misc devices diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index 6a51ad040f4..13edcf67071 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -18,7 +18,7 @@ Summary: Unified Kernel Image Name: kernel-uki Version: 6.6.29.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
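Review bot: In the embedded drivers/misc/mstflint/mst_vpd.c, pci_write4_vpd builds the address word with `0x7ffff & offset`, a 19-bit mask where pci_read4_vpd uses `0x7fff`; the value only comes out right because `addr` is a uint16_t and the extra bits are truncated. Both functions also mask `offset` instead of rejecting it, so an out-of-range value silently aliases onto a different VPD address, which matters most on the write path if the offset is caller-supplied (the callers are not in this file). I would write `addr = 0x8000 | (0x7fff & offset);` and add `if (offset > 0x7fff) return -EINVAL;` ahead of the first config-space access in both functions. The mst_err strings also name a different accessor than the one that failed, for example "pci_read_config_word failed" after pci_write_config_dword and "pci_write_config_dword failed" after pci_write_config_word, which will mislead anyone reading the kernel log.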
@@ -64,6 +64,9 @@ install -D -t %{buildroot}/lib/modules/%{kernelver} vmlinuz-uki.efi /lib/modules/%{kernelver}/vmlinuz-uki.efi %changelog +* Tue Jun 11 2024 Juan Camposeco - 6.6.29.1-5 +- Bump release to match kernel + * Thu Apr 25 2024 Dan Streetman - 6.6.29.1-4 - Original version for Azure Linux. - License verified. diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 6cbe22b164a..53195396816 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,8 +1,8 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "7b24a85dd3001cbfd5a4c76d9eabd9a0d7ad9e090938cfb1695e86c698d5c96b", - "config_aarch64": "e70e3f3d734c2a1b5ab770562490bb820ae7833db100b5ae1189b8dc8154f464", + "config": "7c440f9079e588b7ff54f1e03ee9f3c429e2b1fefdfeead4ee06344b0f1d2105", + "config_aarch64": "aaf9beec3f3328e7758cd90ae7f012bc49cafacd792718fe0feff0ca8d2dabcb", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index abb2b2487b9..4a0c6bc1cb9 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -1,5 +1,6 @@ %global security_hardening none %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh +%global mstflintver 4.28.0 %define uname_r %{version}-%{release} %define mariner_version 3 @@ -29,7 +30,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.29.1 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux 
@@ -42,6 +43,7 @@ Source3: sha512hmac-openssl.sh Source4: cbl-mariner-ca-20211013.pem Source5: cpupower Source6: cpupower.service +Patch0: 0001-add-mstflint-kernel-%{mstflintver}.patch BuildRequires: audit-devel BuildRequires: bash BuildRequires: bc @@ -160,6 +162,7 @@ manipulation of eBPF programs and maps. %prep %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{mariner_version}-%{version} +%patch 0 -p1 make mrproper cp %{config_source} .config @@ -404,6 +407,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue Jun 11 2024 Juan Camposeco - 6.6.29.1-5 +- Add patch to enable mstflint kernel driver 4.28.0-1 + * Fri May 31 2024 Thien Trung Vuong - 6.6.29.1-4 - Enable CONFIG_AMD_MEM_ENCRYPT, CONFIG_SEV_GUEST diff --git a/SPECS/mstflint/0001-update-tool-name-in-error-message.patch b/SPECS/mstflint/0001-update-tool-name-in-error-message.patch new file mode 100644 index 00000000000..8077ffada5e --- /dev/null +++ b/SPECS/mstflint/0001-update-tool-name-in-error-message.patch @@ -0,0 +1,25 @@ +From a61b93f3437347b3f9bbbb38236189eab2f6f73d Mon Sep 17 00:00:00 2001 +From: Juan Camposeco +Date: Wed, 12 Jun 2024 14:30:12 -0700 +Subject: [PATCH] update tool name in error message + +--- + flint/subcommands.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/flint/subcommands.cpp b/flint/subcommands.cpp +index c645c160..e24abf4f 100644 +--- a/flint/subcommands.cpp ++++ b/flint/subcommands.cpp +@@ -5591,7 +5591,11 @@ FlintStatus SgSubCommand::sgFs2() + return FLINT_SUCCESS; + } + ++#ifndef MST_UL + #define FW_RESET_MSG "To load new configuration run mlxfwreset or reboot machine" ++#else ++#define FW_RESET_MSG "To load new configuration run mstfwreset or reboot machine" ++#endif + + FlintStatus SgSubCommand::sgFs3() + { 
diff --git a/SPECS/mstflint/add-default-link-flags-for-shared-libraries.patch b/SPECS/mstflint/add-default-link-flags-for-shared-libraries.patch deleted file mode 100644 index f19325600e3..00000000000 --- a/SPECS/mstflint/add-default-link-flags-for-shared-libraries.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -diff --git a/cmdif/Makefile.am b/cmdif/Makefile.am -index 9807603..b23bcb9 100644 ---- a/cmdif/Makefile.am -+++ b/cmdif/Makefile.am -@@ -51,7 +51,7 @@ libcmdif_a_SOURCES = tools_cif.c tools_cif.h icmd_cif_common.c icmd_cif_common.h - cmdif_pylibdir = $(libdir)/mstflint/python_tools/ - cmdif_pylib_DATA = ${CCMDIF_SO} cmdif.py - ${CCMDIF_SO}: libcmdif.a -- $(CC) -g -Wall -pthread -shared ${CFLAGS} *.o -o ${CCMDIF_SO} \ -+ $(CC) -g -Wall -pthread -shared ${CFLAGS} ${LDFLAGS} *.o -o ${CCMDIF_SO} \ - -L$(USER_DIR)/tools_layouts -ltools_layouts -L$(USER_DIR)/${MTCR_CONF_DIR} -lmtcr_ul - - CLEANFILES = ${CCMDIF_SO} -diff --git a/dev_mgt/Makefile.am b/dev_mgt/Makefile.am -index 1fbd142..df5b14a 100644 ---- a/dev_mgt/Makefile.am -+++ b/dev_mgt/Makefile.am -@@ -50,7 +50,7 @@ dev_mgt_pylib_DATA = c_dev_mgt.so dev_mgt.py - dist_dev_mgt_pylib_DATA = dev_mgt.py - - c_dev_mgt.so: libdev_mgt.a -- $(CC) -g -Wall -pthread -shared ${CFLAGS} tools_dev_types.o -o c_dev_mgt.so \ -+ $(CC) -g -Wall -pthread -shared ${CFLAGS} ${LDFLAGS} tools_dev_types.o -o c_dev_mgt.so \ - -L$(USER_DIR)/reg_access -lreg_access \ - -L$(USER_DIR)/tools_layouts -ltools_layouts \ - -L$(USER_DIR)/${MTCR_CONF_DIR} -lmtcr_ul -diff --git a/mtcr_py/Makefile.am b/mtcr_py/Makefile.am -index 934b803..c8af0c2 100644 ---- a/mtcr_py/Makefile.am -+++ b/mtcr_py/Makefile.am -@@ -40,7 +40,7 @@ MTCR_DIR = $(USER_DIR)/${MTCR_CONF_DIR} - mtcr_pylib_DATA = cmtcr.so mtcr.py - dist_mtcr_pylib_DATA = mtcr.py - cmtcr.so: -- $(CC) -g -Wall -pthread -shared ${CFLAGS} $(MTCR_DIR)/*.o -o cmtcr.so $(MFT_CORE_LIB_LINK) -+ $(CC) -g -Wall -pthread -shared ${CFLAGS} ${LDFLAGS} $(MTCR_DIR)/*.o -o cmtcr.so $(MFT_CORE_LIB_LINK) - - CLEANFILES = cmtcr.so - -diff --git a/reg_access/Makefile.am b/reg_access/Makefile.am -index 26f6a5a..9a42c37 100644 ---- a/reg_access/Makefile.am -+++ b/reg_access/Makefile.am -@@ -53,7 +53,7 @@ reg_access_pylib_DATA = ${RREG_ACCESS_SO} regaccess.py - dist_reg_access_pylib_DATA = regaccess.py - - 
${RREG_ACCESS_SO}: libreg_access.a -- $(CC) -g -Wall -pthread -shared ${CFLAGS} *.o -o ${RREG_ACCESS_SO} \ -+ $(CC) -g -Wall -pthread -shared ${CFLAGS} ${LDFLAGS} *.o -o ${RREG_ACCESS_SO} \ - -L$(USER_DIR)/tools_layouts -ltools_layouts -L$(MTCR_DIR) -lmtcr_ul - - CLEANFILES = ${RREG_ACCESS_SO} diff --git a/SPECS/mstflint/mstflint.signatures.json b/SPECS/mstflint/mstflint.signatures.json index 16b999149bb..c76b844c37f 100644 --- a/SPECS/mstflint/mstflint.signatures.json +++ b/SPECS/mstflint/mstflint.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "mstflint-4.21.0-1.tar.gz": "4d3afabed38e0b1fade1371ec87d4c8bcd85436e9aa478962925754d87edde26" + "mstflint-4.28.0-1.tar.gz": "cef08373ff7002a4f75c123d03990ea6b9e79b9d8493ca067b625eddd287b62d" } } diff --git a/SPECS/mstflint/mstflint.spec b/SPECS/mstflint/mstflint.spec index cafd8397307..d07d98e525f 100644 --- a/SPECS/mstflint/mstflint.spec +++ b/SPECS/mstflint/mstflint.spec @@ -1,15 +1,16 @@ +%global mstflintver 4.28.0 + Summary: Mellanox firmware burning tool Name: mstflint -Version: 4.21.0 -Release: 4%{?dist} +Version: 4.28.0 +Release: 1%{?dist} License: GPLv2 OR BSD Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/System URL: https://github.com/Mellanox/%{name} Source0: https://github.com/Mellanox/%{name}/releases/download/v%{version}-1/%{name}-%{version}-1.tar.gz -Patch4: add-default-link-flags-for-shared-libraries.patch -Patch6: replace-mlxfwreset-with-mstfwreset-in-mstflint-message.patch +Patch0: 0001-update-tool-name-in-error-message.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: boost-devel @@ -58,6 +59,10 @@ find %{buildroot} -type f -name '*.a' -delete %{_mandir}/man1/* %changelog +* Tue Jun 11 2024 Juan Camposeco - 4.28.0-1 +- Upgrade to 4.28.0 +- Update patches + * Wed Sep 20 2023 Jon Slobodzian - 4.21.0-4 - Recompile with stack-protection fixed gcc version (CVE-2023-4039) 
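Review bot: `%global mstflintver 4.28.0` is added at the top of mstflint.spec, but `Version:` is still written out as `4.28.0`, so the two can drift apart while check_entangled_specs.py, which only compares `mstflintver` between this spec and kernel.spec, keeps passing. I would write `Version: %{mstflintver}` so the kernel driver patch and the user-space tool are tied to one value. Separately, Patch4 (add-default-link-flags-for-shared-libraries.patch), which added `${LDFLAGS}` to the hand-written `-shared` link rules for the Python helper libraries, is dropped with no replacement. It is worth confirming that the 4.28.0 Makefile.am rules already pass `${LDFLAGS}`, otherwise those .so files are linked without whatever hardening flags the build supplies there.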
diff --git a/SPECS/mstflint/replace-mlxfwreset-with-mstfwreset-in-mstflint-message.patch b/SPECS/mstflint/replace-mlxfwreset-with-mstfwreset-in-mstflint-message.patch deleted file mode 100644 index d24ef01eeb1..00000000000 --- a/SPECS/mstflint/replace-mlxfwreset-with-mstfwreset-in-mstflint-message.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git a/flint/subcommands.cpp b/flint/subcommands.cpp -index 420b82f..0a20bcd 100644 ---- a/flint/subcommands.cpp -+++ b/flint/subcommands.cpp -@@ -4484,7 +4484,7 @@ FlintStatus SgSubCommand::sgFs2() - return FLINT_SUCCESS; - } - --#define FW_RESET_MSG "To load new configuration run mlxfwreset or reboot machine" -+#define FW_RESET_MSG "To load new configuration run mstfwreset or reboot machine" - - FlintStatus SgSubCommand::sgFs3() - { -diff --git a/mlxfwops/lib/flint_base.h b/mlxfwops/lib/flint_base.h -index f3edc43..a85e43d 100644 ---- a/mlxfwops/lib/flint_base.h -+++ b/mlxfwops/lib/flint_base.h -@@ -364,7 +364,7 @@ struct GPH { - - #define REBOOT_REQUIRED_STR "To load new FW run reboot machine." - #ifndef MST_UL --#define REBOOT_OR_FWRESET_REQUIRED_STR "To load new FW run mlxfwreset or reboot machine." -+#define REBOOT_OR_FWRESET_REQUIRED_STR "To load new FW run mstfwreset or reboot machine." - #else - #define REBOOT_OR_FWRESET_REQUIRED_STR "To load new FW run mstfwreset or reboot machine." - #endif diff --git a/cgmanifest.json b/cgmanifest.json index 333be5a7fb3..b8a46ce5d71 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -13422,8 +13422,8 @@ "type": "other", "other": { "name": "mstflint", - "version": "4.21.0", - "downloadUrl": "https://github.com/Mellanox/mstflint/releases/download/v4.21.0-1/mstflint-4.21.0-1.tar.gz" + "version": "4.28.0", + "downloadUrl": "https://github.com/Mellanox/mstflint/releases/download/v4.28.0-1/mstflint-4.28.0-1.tar.gz" } } }, 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index dfd1b6129c4..03d7260f579 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.aarch64.rpm -kernel-headers-6.6.29.1-4.azl3.noarch.rpm +kernel-headers-6.6.29.1-5.azl3.noarch.rpm glibc-2.38-6.azl3.aarch64.rpm glibc-devel-2.38-6.azl3.aarch64.rpm glibc-i18n-2.38-6.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 8b9c8de3392..a46cc23d0d3 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.azl3.x86_64.rpm -kernel-headers-6.6.29.1-4.azl3.noarch.rpm +kernel-headers-6.6.29.1-5.azl3.noarch.rpm glibc-2.38-6.azl3.x86_64.rpm glibc-devel-2.38-6.azl3.x86_64.rpm glibc-i18n-2.38-6.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 7b42a4633c1..b8839fb5b94 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -152,7 +152,7 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.aarch64.rpm kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm -kernel-headers-6.6.29.1-4.azl3.noarch.rpm +kernel-headers-6.6.29.1-5.azl3.noarch.rpm kmod-30-1.azl3.aarch64.rpm kmod-debuginfo-30-1.azl3.aarch64.rpm kmod-devel-30-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 58f60b5649e..a90fa9b2ade 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt 
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -157,8 +157,8 @@ intltool-0.51.0-7.azl3.noarch.rpm itstool-2.0.7-1.azl3.noarch.rpm kbd-2.2.0-2.azl3.x86_64.rpm kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm -kernel-cross-headers-6.6.29.1-4.azl3.noarch.rpm -kernel-headers-6.6.29.1-4.azl3.noarch.rpm +kernel-cross-headers-6.6.29.1-5.azl3.noarch.rpm +kernel-headers-6.6.29.1-5.azl3.noarch.rpm kmod-30-1.azl3.x86_64.rpm kmod-debuginfo-30-1.azl3.x86_64.rpm kmod-devel-30-1.azl3.x86_64.rpm diff --git a/toolkit/scripts/check_entangled_specs.py b/toolkit/scripts/check_entangled_specs.py index 408f535ebe2..6910d02d1e2 100755 --- a/toolkit/scripts/check_entangled_specs.py +++ b/toolkit/scripts/check_entangled_specs.py @@ -67,6 +67,12 @@ ]) ] +mstflintver_matching_groups = [ + frozenset([ + "SPECS/mstflint/mstflint.spec", + "SPECS/kernel/kernel.spec" + ]) +] def check_spec_tags(base_path: str, tags: List[str], groups: List[FrozenSet]) -> Set[FrozenSet]: """Returns spec sets which violate matching rules for given tags. """ 
@@ -77,36 +83,35 @@ def check_spec_tags(base_path: str, tags: List[str], groups: List[FrozenSet]) -> for spec_filename in group: parsed_spec = Spec.from_file(Path(base_path, spec_filename)) for tag in tags: - variants[tag].add(getattr( - parsed_spec, tag)) + variants[tag].add(getattr(parsed_spec, tag)) for tag in tags: - if len(variants[tag]) > 1: - err_groups.add(group) + if len(variants[tag]) > 1: err_groups.add(group) return err_groups +def check_mstflintver_match_groups(base_path: str) -> Set[FrozenSet]: + return check_spec_tags(base_path, ['mstflintver'], mstflintver_matching_groups) + def check_sdkver_match_groups(base_path: str) -> Set[FrozenSet]: return check_spec_tags(base_path, ['sdkver'], sdkver_matching_groups) - def check_version_release_match_groups(base_path: str) -> Set[FrozenSet]: return check_spec_tags(base_path, ['epoch', 'version', 'release'], version_release_matching_groups) - def check_version_match_groups(base_path: str) -> Set[FrozenSet]: return check_spec_tags(base_path, ['epoch', 'version'], version_matching_groups) def check_matches(base_path: str): version_match_errors = check_version_match_groups(base_path) - version_release_match_errors = check_version_release_match_groups( - base_path) + version_release_match_errors = check_version_release_match_groups(base_path) sdkver_match_errors = check_sdkver_match_groups(base_path) + mstflintver_match_errors = check_mstflintver_match_groups(base_path) printer = pprint.PrettyPrinter() - if len(version_match_errors) or len(version_release_match_errors) or len(sdkver_match_errors): + if len(version_match_errors) or len(version_release_match_errors) or len(sdkver_match_errors) or len(mstflintver_match_errors): print('The current repository state violates a spec entanglement rule!') if len(version_match_errors): 
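Review bot: The rewritten `if len(variants[tag]) > 1: err_groups.add(group)` in check_spec_tags puts the body on the same line as the condition, and the hunk also removes blank lines that separated the top-level `check_*_match_groups` functions; both depart from PEP 8 and from how the file was laid out before. Keep `err_groups.add(group)` on its own indented line and leave the separating blank lines in place. The new `check_mstflintver_match_groups` has no docstring; a one-liner such as `"""Returns spec sets whose 'mstflintver' global differs between mstflint.spec and kernel.spec."""` would match the one on check_spec_tags. check_matches continues past the end of this hunk.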
@@ -126,7 +131,13 @@ def check_matches(base_path: str): '\nPlease update the following sets of specs to have the same "sdkver" global variables:') for e in sdkver_match_errors: printer.pprint(e) - + + if len(mstflintver_match_errors): + print( + '\nPlease update the following sets of specs to have the same "mstflintver" global variables:') + for e in mstflintver_match_errors: + printer.pprint(e) + sys.exit(1) From 70b1a20924df78aa640254e09b69b9c0d1e78a74 Mon Sep 17 00:00:00 2001 From: AZaugg Date: Thu, 20 Jun 2024 22:20:47 -0400 Subject: [PATCH 34/40] Package argparse-manpage naming convention consistency (#9419) Renaming package name argparse-manpage -> python-argparse-manpage To be consistent, all python pypi modules are named python- the package argparse-manpage does not follow this convention, updating base package name to be consistent. --- LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md | 2 +- LICENSES-AND-NOTICES/SPECS/data/licenses.json | 2 +- .../python-argparse-manpage.signatures.json} | 0 .../python-argparse-manpage.spec} | 17 ++++++++-------- cgmanifest.json | 20 +++++++++---------- 5 files changed, 21 insertions(+), 20 deletions(-) rename SPECS-EXTENDED/{argparse-manpage/argparse-manpage.signatures.json => python-argparse-manpage/python-argparse-manpage.signatures.json} (100%) rename SPECS-EXTENDED/{argparse-manpage/argparse-manpage.spec => python-argparse-manpage/python-argparse-manpage.spec} (90%) diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md index 11896048c26..e6f4b0a8053 100644 --- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md +++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md @@ -5,7 +5,7 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command
delve
fstrm
nodejs-nodemon
rhnlib
rt-setup
rt-tests
rtctl
tuned | | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph | | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter | -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
argparse-manpage
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mozjs
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec
abseil-cpp
accountsservice
acpica-tools
acpid
adcli
adobe-mappings-cmap
adobe-mappings-pdf
advancecomp
adwaita-icon-theme
afflib
aide
alsa-firmware
alsa-plugins
amtk
amtterm
annobin
ansible-freeipa
archivemount
arptables
arpwatch
asio
aspell
aspell-en
at
at-spi2-atk
at-spi2-core
atf
atk
atop
attr
audiofile
augeas
authbind
authd
authselect
autoconf213
avahi
babeltrace
babeltrace2
babl
baekmuk-ttf-fonts
bats
bcache-tools
biosdevname
blosc
bluez
bmake
bogofilter
bolt
boom-boot
booth
botan2
breezy
brotli
buildah
busybox
bwidget
byacc
ca-certificates
cachefilesd
cairomm
calamares
capnproto
capstone
catatonit
catch
catch1
cdrdao
celt051
cereal
certmonger
cfitsio
cgdcbxd
chan
CharLS
checkpolicy
checksec
chrony
cim-schema
cjkuni-uming-fonts
cjose
ck
cldr-emoji-annotation
clucene
clutter
clutter-gst3
clutter-gtk
cmocka
cogl
collectd
colm
color-filesystem
colord
colorize
compat-lua
compiler-rt
conda
conmon
conntrack-tools
console-setup
container-exception-logger
containernetworking-plugins
convmv
corosync
corosync-qdevice
cpp-hocon
cppcheck
cpprest
cpptest
cpuid
criu
crypto-policies
cryptsetup
cscope
ctags
CUnit
cups
custodia
Cython
dbus-c++
dbus-python
dbxtool
dconf
dcraw
debootstrap
deltarpm
desktop-file-utils
device-mapper-persistent-data
dietlibc
diffstat
ding-libs
discount
distribution-gpg-keys
dleyna-connector-dbus
dleyna-core
dmraid
dnf
dnf-plugins-core
docbook-dtds
docbook-simple
docbook-slides
docbook-style-dsssl
docbook-utils
docbook2X
docbook5-schemas
docbook5-style-xsl
dogtail
dos2unix
dotconf
dovecot
dpdk
dpkg
driverctl
dropwatch
drpm
duktape
dumpet
dvd+rw-tools
dwarves
dwz
dyninst
ebtables
edac-utils
edk2
efax
efi-rpm-macros
egl-wayland
eglexternalplatform
elinks
enca
enchant
enchant2
enscript
environment-modules
evemu
execstack
exempi
exiv2
extra-cmake-modules
fabtests
facter
fakechroot
fakeroot
fapolicyd
fdk-aac-free
fdupes
fence-virt
fetchmail
fftw
filebench
fio
fipscheck
firewalld
flac
flatbuffers
flite
fltk
fmt
fontawesome-fonts
fontawesome4-fonts
fontpackages
fonts-rpm-macros
foomatic-db
freeglut
freeipmi
freeradius
freetds
freexl
fribidi
fros
frr
fsverity-utils
fuse-overlayfs
fuse-sshfs
fuse-zip
fuse3
future
fxload
gavl
gbenchmark
gconf-editor
GConf2
gcovr
gcr
gdal
gdisk
gdk-pixbuf2
generic-logos
genwqe-tools
geoclue2
GeoIP
GeoIP-GeoLite-data
geolite2
geos
gfs2-utils
ghc-srpm-macros
giflib
gl-manpages
glew
glm
glog
glslang
glusterfs
gnome-desktop-testing
gnome-doc-utils
gnome-icon-theme
gnome-keyring
gnu-efi
go-rpm-macros
gom
google-api-python-client
google-crosextra-caladea-fonts
google-crosextra-carlito-fonts
google-guice
google-noto-cjk-fonts
google-noto-emoji-fonts
google-roboto-slab-fonts
gphoto2
gpm
gpsbabel
graphene
graphite2
graphviz
grubby
gsettings-desktop-schemas
gsl
gsm
gspell
gssdp
gssntlmssp
gstreamer1
gstreamer1-plugins-base
gtk-vnc
gtk2
gtk3
gtkspell
gupnp
gupnp-av
gupnp-dlna
gupnp-igd
hardening-check
hdf
hdf5
heimdal
help2man
hexedit
hicolor-icon-theme
hiera
highlight
hivex
hostname
hping3
hsakmt
htop
hunspell
hunspell-af
hunspell-ar
hunspell-as
hunspell-ast
hunspell-az
hunspell-be
hunspell-bg
hunspell-bn
hunspell-br
hunspell-ca
hunspell-cop
hunspell-csb
hunspell-cv
hunspell-cy
hunspell-da
hunspell-de
hunspell-dsb
hunspell-el
hunspell-en
hunspell-eo
hunspell-es
hunspell-et
hunspell-eu
hunspell-fa
hunspell-fj
hunspell-fo
hunspell-fr
hunspell-fur
hunspell-fy
hunspell-ga
hunspell-gd
hunspell-gl
hunspell-grc
hunspell-gu
hunspell-gv
hunspell-haw
hunspell-hi
hunspell-hil
hunspell-hr
hunspell-hsb
hunspell-ht
hunspell-hu
hunspell-hy
hunspell-ia
hunspell-id
hunspell-is
hunspell-it
hunspell-kk
hunspell-km
hunspell-kn
hunspell-ko
hunspell-ku
hunspell-ky
hunspell-la
hunspell-lb
hunspell-ln
hunspell-mai
hunspell-mg
hunspell-mi
hunspell-mk
hunspell-ml
hunspell-mn
hunspell-mos
hunspell-mr
hunspell-ms
hunspell-mt
hunspell-nds
hunspell-ne
hunspell-nl
hunspell-no
hunspell-nr
hunspell-nso
hunspell-ny
hunspell-om
hunspell-or
hunspell-pa
hunspell-pl
hunspell-pt
hunspell-quh
hunspell-ro
hunspell-ru
hunspell-rw
hunspell-se
hunspell-shs
hunspell-si
hunspell-sk
hunspell-sl
hunspell-smj
hunspell-so
hunspell-sq
hunspell-sr
hunspell-sv
hunspell-sw
hunspell-ta
hunspell-te
hunspell-tet
hunspell-th
hunspell-tk
hunspell-tl
hunspell-tn
hunspell-tpi
hunspell-ts
hunspell-uk
hunspell-uz
hunspell-ve
hunspell-vi
hunspell-wa
hunspell-xh
hunspell-yi
hwdata
hwloc
hyperscan
hyperv-daemons
hyphen
hyphen-as
hyphen-bg
hyphen-bn
hyphen-ca
hyphen-da
hyphen-de
hyphen-el
hyphen-es
hyphen-fa
hyphen-fo
hyphen-fr
hyphen-ga
hyphen-gl
hyphen-grc
hyphen-gu
hyphen-hi
hyphen-hsb
hyphen-hu
hyphen-ia
hyphen-id
hyphen-is
hyphen-it
hyphen-kn
hyphen-ku
hyphen-lt
hyphen-mi
hyphen-ml
hyphen-mn
hyphen-mr
hyphen-nl
hyphen-or
hyphen-pa
hyphen-pl
hyphen-pt
hyphen-ro
hyphen-ru
hyphen-sa
hyphen-sk
hyphen-sl
hyphen-sv
hyphen-ta
hyphen-te
hyphen-tk
hyphen-uk
ibus
ibus-chewing
ibus-hangul
ibus-kkc
ibus-libzhuyin
ibus-m17n
ibus-rawcode
ibus-sayura
ibus-table
ibus-table-chinese
icc-profiles-openicc
icon-naming-utils
icoutils
iftop
iio-sensor-proxy
ilmbase
im-chooser
imaptest
imsettings
indent
infinipath-psm
inih
iniparser
intel-cmt-cat
intel-ipsec-mb
ioping
IP2Location
ipa-pgothic-fonts
ipcalc
ipmitool
iprutils
iptraf-ng
iptstate
irssi
iscsi-initiator-utils
isns-utils
iso-codes
isomd5sum
iw
iwd
jabberpy
jakarta-servlet
jasper
javapackages-bootstrap
javapackages-tools
jbigkit
jdom2
jemalloc
jfsutils
jimtcl
jose
js-jquery
jsoncpp
Judy
jurand
kata-containers
kde-filesystem
kde-settings
kexec-tools
keybinder3
keycloak-httpd-client-install
kf
kf-kconfig
kf-kcoreaddons
kf-ki18n
kf-kwidgetsaddons
kpmcore
kronosnet
ksh
kyotocabinet
kyua
ladspa
lame
langtable
lapack
lasso
latencytop
lato-fonts
lcms2
lcov
ldns
leatherman
ledmon
lensfun
leveldb
lftp
libabw
libaec
libao
libappstream-glib
libarrow
libart_lgpl
libasyncns
libatasmart
libavc1394
libblockdev
libbpf
libbsd
libburn
libbytesize
libcacard
libcanberra
libcdio
libcdio-paranoia
libcdr
libcgroup
libchewing
libcli
libcmis
libcmpiutil
libcomps
libcroco
libdaemon
libdap
libdatrie
libdazzle
libdbi
libdbi-drivers
libdbusmenu
libdc1394
libdeflate
libdmx
libdnf
libdrm
libdvdnav
libdvdread
libdwarf
libeasyfc
libecap
libecb
libell
libEMF
libeot
libepoxy
libepubgen
libesmtp
libetonyek
libev
libevdev
libexif
libexttextcat
libfabric
libfontenc
libfreehand
libftdi
libgadu
libgdither
libgee
libgee06
libgeotiff
libgexiv2
libgit2
libgit2-glib
libglade2
libglvnd
libgovirt
libgphoto2
libgsf
libgta
libguestfs
libgusb
libgxim
libgxps
libhangul
libhugetlbfs
libibcommon
libical
libICE
libicns
libid3tag
libIDL
libidn2
libiec61883
libieee1284
libimobiledevice
libindicator
libinput
libiodbc
libipt
libiptcdata
libiscsi
libisoburn
libisofs
libjcat
libkcapi
libkeepalive
libkkc
libkkc-data
libkml
liblangtag
libldb
libldm
liblerc
liblockfile
liblognorm
liblouis
liblqr-1
liblzf
libmad
libmediaart
libmicrohttpd
libmikmod
libmodman
libmodplug
libmodulemd1
libmpcdec
libmspub
libmtp
libmusicbrainz5
libmwaw
libnbd
libnet
libnetfilter_log
libnfs
libnotify
libntlm
libnumbertext
libnvme
liboauth
libodfgen
libofa
libogg
liboggz
liboil
libomxil-bellagio
libopenraw
liboping
libosinfo
libotf
libotr
libpagemaker
libpaper
libpciaccess
libpeas
libpfm
libpinyin
libplist
libpmemobj-cpp
libpng12
libpng15
libproxy
libpsm2
libpwquality
libqb
libqxp
libraqm
LibRaw
libraw1394
libreport
libreswan
librevenge
librsvg2
librx
libsamplerate
libsass
libsecret
libsemanage
libsigc++20
libsigsegv
libslirp
libSM
libsmbios
libsmi
libsndfile
libsodium
libspiro
libsrtp
libssh
libstaroffice
libstemmer
libstoragemgmt
libtdb
libteam
libtevent
libthai
libtnc
libtomcrypt
libtommath
libtpms
libtracecmd
libtraceevent
libtracefs
libtranslit
libucil
libunicap
libuninameslist
liburing
libusbmuxd
libuser
libutempter
libvarlink
libverto
libvirt-dbus
libvirt-glib
libvirt-java
libvirt-python
libvisio
libvisual
libvoikko
libvorbis
libvpx
libwacom
libwnck3
libwpd
libwpe
libwpg
libwps
libwvstreams
libX11
libXau
libXaw
libxcb
libXcomposite
libxcrypt
libXcursor
libXdamage
libXdmcp
libXext
libxfce4util
libXfixes
libXfont2
libXft
libXi
libXinerama
libxkbcommon
libxkbfile
libxklavier
libxmlb
libXmu
libXpm
libXrandr
libXrender
libXres
libXScrnSaver
libxshmfence
libXt
libXtst
libXv
libXxf86vm
libyami
libyang
libyubikey
libzip
libzmf
lilv
linuxconsoletools
linuxptp
lksctp-tools
lldpd
lockdev
logwatch
lpsolve
lrzsz
lua
lua-expat
lua-filesystem
lua-json
lua-lpeg
lua-lunit
lua-rpm-macros
lua-term
luajit
lujavrite
luksmeta
lutok
lv2
lzip
lzop
m17n-db
m17n-lib
mac-robber
mailcap
mailx
malaga
malaga-suomi-voikko
mallard-rng
man-pages-cs
man-pages-es
man-pages-it
man-pages-ja
man-pages-ko
man-pages-pl
man-pages-ru
man-pages-zh-CN
mandoc
mariadb-connector-c
mariadb-connector-odbc
marisa
maven-compiler-plugin
maven-jar-plugin
maven-resolver
maven-resources-plugin
maven-surefire
maven-wagon
mcelog
mcpp
mcstrans
mdadm
mdds
mdevctl
meanwhile
mecab
mecab-ipadic
media-player-info
memcached
memkind
mesa
mesa-libGLU
metis
microcode_ctl
microdnf
minicom
minizip
mksh
mobile-broadband-provider-info
mock
mock-core-configs
mod_auth_gssapi
mod_auth_mellon
mod_auth_openidc
mod_authnz_pam
mod_fcgid
mod_http2
mod_intercept_form_submit
mod_lookup_identity
mod_md
mod_security
mod_security_crs
mod_wsgi
mokutil
mozjs
mpage
mrtg
mstflint
mt-st
mtdev
mtools
mtr
mtx
munge
mutt
mythes
mythes-bg
mythes-ca
mythes-cs
mythes-da
mythes-de
mythes-el
mythes-en
mythes-eo
mythes-es
mythes-fr
mythes-ga
mythes-hu
mythes-mi
mythes-ne
mythes-nl
mythes-pl
mythes-pt
mythes-ro
mythes-ru
mythes-sk
mythes-sl
mythes-sv
mythes-uk
nbd
nbdkit
neon
netavark
netcdf
netcf
netlabel_tools
netpbm
netsniff-ng
nfs4-acl-tools
nftables
nilfs-utils
nkf
nload
nlopt
nodejs-packaging
nss-mdns
nss-pam-ldapd
nss_nis
nss_wrapper
ntfs-3g
ntfs-3g-system-compression
numad
numatop
numpy
nvmetcli
nvml
oath-toolkit
ocaml
ocaml-alcotest
ocaml-astring
ocaml-augeas
ocaml-base
ocaml-bigarray-compat
ocaml-bisect-ppx
ocaml-calendar
ocaml-camlp-streams
ocaml-camlp5
ocaml-camomile
ocaml-cinaps
ocaml-cmdliner
ocaml-compiler-libs-janestreet
ocaml-cppo
ocaml-csexp
ocaml-csv
ocaml-ctypes
ocaml-curses
ocaml-dune
ocaml-extlib
ocaml-fileutils
ocaml-findlib
ocaml-fmt
ocaml-fpath
ocaml-gettext
ocaml-integers
ocaml-libvirt
ocaml-luv
ocaml-lwt
ocaml-markup
ocaml-mmap
ocaml-num
ocaml-ocamlbuild
ocaml-ocplib-endian
ocaml-ounit
ocaml-parsexp
ocaml-pp
ocaml-ppx-derivers
ocaml-ppx-here
ocaml-ppx-let
ocaml-ppxlib
ocaml-re
ocaml-react
ocaml-result
ocaml-seq
ocaml-sexplib
ocaml-sexplib0
ocaml-srpm-macros
ocaml-stdio
ocaml-stdlib-random
ocaml-topkg
ocaml-tyxml
ocaml-uutf
ocaml-xml-light
ocaml-zarith
ocl-icd
oddjob
ogdi
omping
opa
opal
open-vm-tools
openblas
opencc
opencl-filesystem
opencl-headers
opencryptoki
opencsd
opendnssec
OpenEXR
openjade
openjpeg2
openmpi
openobex
openoffice-lv
openrdate
opensc
openslp
opensm
opensp
openssl
openssl-ibmpkcs11
openssl-pkcs11
openwsman
optipng
opus
opusfile
orangefs
ORBit2
orc
os-prober
osinfo-db
osinfo-db-tools
overpass-fonts
p11-kit
p7zip
pacemaker
pacrunner
pakchois
pam_krb5
pam_wrapper
papi
paps
parallel
patchelf
patchutils
pbzip2
pcp
pcsc-lite
pcsc-lite-ccid
PEGTL
perl
perl-Algorithm-C3
perl-Algorithm-Diff
perl-Alien-Build
perl-Alien-pkgconf
perl-AnyEvent
perl-AnyEvent-AIO
perl-AnyEvent-BDB
perl-App-cpanminus
perl-App-FatPacker
perl-AppConfig
perl-Archive-Extract
perl-Archive-Zip
perl-Authen-SASL
perl-B-COW
perl-B-Debug
perl-B-Hooks-EndOfScope
perl-B-Hooks-OP-Check
perl-B-Keywords
perl-B-Lint
perl-bareword-filehandles
perl-BDB
perl-Bit-Vector
perl-boolean
perl-Browser-Open
perl-BSD-Resource
perl-Business-ISBN
perl-Business-ISBN-Data
perl-Bytes-Random-Secure
perl-Capture-Tiny
perl-Carp-Clan
perl-CBOR-XS
perl-Class-Accessor
perl-Class-C3
perl-Class-C3-XS
perl-Class-Data-Inheritable
perl-Class-Factory-Util
perl-Class-Inspector
perl-Class-ISA
perl-Class-Load
perl-Class-Load-XS
perl-Class-Method-Modifiers
perl-Class-Singleton
perl-Class-Tiny
perl-Class-XSAccessor
perl-Clone
perl-Color-ANSI-Util
perl-Color-RGB-Util
perl-ColorThemeBase-Static
perl-ColorThemeRole-ANSI
perl-ColorThemes-Standard
perl-ColorThemeUtil-ANSI
perl-Compress-Bzip2
perl-Compress-LZF
perl-Compress-Raw-Lzma
perl-Config-AutoConf
perl-Config-INI
perl-Config-INI-Reader-Multiline
perl-Config-IniFiles
perl-Config-Simple
perl-Config-Tiny
perl-Const-Fast
perl-Convert-ASN1
perl-Convert-Bencode
perl-Coro
perl-Coro-Multicore
perl-CPAN-Changes
perl-CPAN-DistnameInfo
perl-CPAN-Meta-Check
perl-Cpanel-JSON-XS
perl-Crypt-CBC
perl-Crypt-DES
perl-Crypt-IDEA
perl-Crypt-OpenSSL-Bignum
perl-Crypt-OpenSSL-Guess
perl-Crypt-OpenSSL-Random
perl-Crypt-OpenSSL-RSA
perl-Crypt-PasswdMD5
perl-Crypt-Random-Seed
perl-CSS-Tiny
perl-Data-Dump
perl-Data-Munge
perl-Data-OptList
perl-Data-Peek
perl-Data-Section
perl-Data-UUID
perl-Date-Calc
perl-Date-ISO8601
perl-Date-Manip
perl-DateTime
perl-DateTime-Format-Builder
perl-DateTime-Format-DateParse
perl-DateTime-Format-HTTP
perl-DateTime-Format-IBeat
perl-DateTime-Format-ISO8601
perl-DateTime-Format-Mail
perl-DateTime-Format-Strptime
perl-DateTime-Locale
perl-DateTime-TimeZone
perl-DateTime-TimeZone-SystemV
perl-DateTime-TimeZone-Tzfile
perl-DBD-MySQL
perl-Devel-CallChecker
perl-Devel-Caller
perl-Devel-CheckBin
perl-Devel-CheckLib
perl-Devel-Cycle
perl-Devel-EnforceEncapsulation
perl-Devel-GlobalDestruction
perl-Devel-GlobalDestruction-XS
perl-Devel-Hide
perl-Devel-Leak
perl-Devel-LexAlias
perl-Devel-Size
perl-Devel-StackTrace
perl-Devel-Symdump
perl-Digest-BubbleBabble
perl-Digest-CRC
perl-Digest-HMAC
perl-Digest-SHA1
perl-Dist-CheckConflicts
perl-DynaLoader-Functions
perl-Email-Address
perl-Email-Date-Format
perl-Encode-Detect
perl-Encode-EUCJPASCII
perl-Encode-IMAPUTF7
perl-Encode-Locale
perl-Env-ShellWords
perl-Error
perl-EV
perl-Eval-Closure
perl-Event
perl-Exception-Class
perl-Expect
perl-ExtUtils-Config
perl-ExtUtils-Depends
perl-ExtUtils-Helpers
perl-ExtUtils-InstallPaths
perl-ExtUtils-PkgConfig
perl-FCGI
perl-Fedora-VSP
perl-FFI-CheckLib
perl-File-BaseDir
perl-File-BOM
perl-File-chdir
perl-File-CheckTree
perl-File-Copy-Recursive
perl-File-DesktopEntry
perl-File-Find-Object
perl-File-Find-Object-Rule
perl-File-Find-Rule
perl-File-Find-Rule-Perl
perl-File-Inplace
perl-File-Listing
perl-File-MimeInfo
perl-File-pushd
perl-File-ReadBackwards
perl-File-Remove
perl-File-ShareDir
perl-File-ShareDir-Install
perl-File-Slurp
perl-File-Slurp-Tiny
perl-File-Slurper
perl-File-Type
perl-Font-TTF
perl-FreezeThaw
perl-GD
perl-GD-Barcode
perl-generators
perl-Getopt-ArgvFile
perl-gettext
perl-Graphics-ColorNamesLite-WWW
perl-GSSAPI
perl-Guard
perl-Hook-LexWrap
perl-HTML-Parser
perl-HTML-Tagset
perl-HTML-Tree
perl-HTTP-Cookies
perl-HTTP-Daemon
perl-HTTP-Date
perl-HTTP-Message
perl-HTTP-Negotiate
perl-Image-Base
perl-Image-Info
perl-Image-Xbm
perl-Image-Xpm
perl-Import-Into
perl-Importer
perl-inc-latest
perl-indirect
perl-Inline-Files
perl-IO-AIO
perl-IO-All
perl-IO-CaptureOutput
perl-IO-Compress-Lzma
perl-IO-HTML
perl-IO-Multiplex
perl-IO-SessionData
perl-IO-Socket-INET6
perl-IO-String
perl-IO-stringy
perl-IO-Tty
perl-IPC-Run
perl-IPC-Run3
perl-IPC-System-Simple
perl-JSON
perl-JSON-Color
perl-JSON-MaybeXS
perl-LDAP
perl-libnet
perl-libwww-perl
perl-libxml-perl
perl-Lingua-EN-Inflect
perl-List-MoreUtils-XS
perl-local-lib
perl-Locale-Codes
perl-Locale-Maketext-Gettext
perl-Locale-Msgfmt
perl-Locale-PO
perl-Log-Message
perl-Log-Message-Simple
perl-LWP-MediaTypes
perl-LWP-Protocol-https
perl-Mail-AuthenticationResults
perl-Mail-DKIM
perl-Mail-IMAPTalk
perl-Mail-SPF
perl-MailTools
perl-Math-Int64
perl-Math-Random-ISAAC
perl-MIME-Charset
perl-MIME-Lite
perl-MIME-Types
perl-Mixin-Linewise
perl-MLDBM
perl-Mock-Config
perl-Module-Build-Tiny
perl-Module-CPANfile
perl-Module-Implementation
perl-Module-Install-AuthorRequires
perl-Module-Install-AuthorTests
perl-Module-Install-AutoLicense
perl-Module-Install-GithubMeta
perl-Module-Install-ManifestSkip
perl-Module-Install-ReadmeFromPod
perl-Module-Install-ReadmeMarkdownFromPod
perl-Module-Install-Repository
perl-Module-Install-TestBase
perl-Module-Load-Util
perl-Module-Manifest
perl-Module-Manifest-Skip
perl-Module-Package
perl-Module-Package-Au
perl-Module-Pluggable
perl-Module-Runtime
perl-Module-Signature
perl-Mojolicious
perl-Moo
perl-Mozilla-CA
perl-Mozilla-LDAP
perl-MRO-Compat
perl-multidimensional
perl-namespace-autoclean
perl-namespace-clean
perl-Net-CIDR-Lite
perl-Net-Daemon
perl-Net-DNS
perl-Net-DNS-Resolver-Mock
perl-Net-DNS-Resolver-Programmable
perl-Net-HTTP
perl-Net-IMAP-Simple
perl-Net-IMAP-Simple-SSL
perl-Net-IP
perl-Net-LibIDN2
perl-Net-Patricia
perl-Net-SMTP-SSL
perl-Net-SNMP
perl-Net-Telnet
perl-Newt
perl-NNTPClient
perl-NTLM
perl-Number-Compare
perl-Object-Deadly
perl-Object-HashBase
perl-Package-Anon
perl-Package-Constants
perl-Package-DeprecationManager
perl-Package-Generator
perl-Package-Stash
perl-Package-Stash-XS
perl-PadWalker
perl-Paper-Specs
perl-PAR-Dist
perl-Parallel-Iterator
perl-Params-Classify
perl-Params-Util
perl-Params-Validate
perl-Params-ValidationCompiler
perl-Parse-PMFile
perl-Parse-RecDescent
perl-Parse-Yapp
perl-Path-Tiny
perl-Perl-Critic
perl-Perl-Critic-More
perl-Perl-Destruct-Level
perl-Perl-MinimumVersion
perl-Perl4-CoreLibs
perl-PerlIO-gzip
perl-PerlIO-utf8_strict
perl-PkgConfig-LibPkgConf
perl-Pod-Coverage
perl-Pod-Coverage-TrustPod
perl-Pod-Escapes
perl-Pod-Eventual
perl-Pod-LaTeX
perl-Pod-Markdown
perl-Pod-Parser
perl-Pod-Plainer
perl-Pod-POM
perl-Pod-Spell
perl-PPI
perl-PPI-HTML
perl-PPIx-QuoteLike
perl-PPIx-Regexp
perl-PPIx-Utilities
perl-prefork
perl-Probe-Perl
perl-Razor-Agent
perl-Readonly
perl-Readonly-XS
perl-Ref-Util
perl-Ref-Util-XS
perl-Regexp-Pattern-Perl
perl-Return-MultiLevel
perl-Role-Tiny
perl-Scope-Guard
perl-Scope-Upper
perl-SGMLSpm
perl-SNMP_Session
perl-Socket6
perl-Software-License
perl-Sort-Versions
perl-Specio
perl-Spiffy
perl-strictures
perl-String-CRC32
perl-String-Format
perl-String-ShellQuote
perl-String-Similarity
perl-Sub-Exporter
perl-Sub-Exporter-Progressive
perl-Sub-Identify
perl-Sub-Info
perl-Sub-Install
perl-Sub-Name
perl-Sub-Quote
perl-Sub-Uplevel
perl-SUPER
perl-Switch
perl-Syntax-Highlight-Engine-Kate
perl-Sys-CPU
perl-Sys-MemInfo
perl-Sys-Virt
perl-Taint-Runtime
perl-Task-Weaken
perl-Term-Size-Any
perl-Term-Size-Perl
perl-Term-Table
perl-Term-UI
perl-TermReadKey
perl-Test-Base
perl-Test-ClassAPI
perl-Test-CPAN-Meta
perl-Test-CPAN-Meta-JSON
perl-Test-Deep
perl-Test-Differences
perl-Test-DistManifest
perl-Test-Distribution
perl-Test-EOL
perl-Test-Exception
perl-Test-Exit
perl-Test-FailWarnings
perl-Test-Fatal
perl-Test-File
perl-Test-File-ShareDir
perl-Test-Harness
perl-Test-HasVersion
perl-Test-InDistDir
perl-Test-Inter
perl-Test-LeakTrace
perl-Test-LongString
perl-Test-Manifest
perl-Test-Memory-Cycle
perl-Test-MinimumVersion
perl-Test-MockObject
perl-Test-MockRandom
perl-Test-Needs
perl-Test-NoTabs
perl-Test-NoWarnings
perl-Test-Object
perl-Test-Output
perl-Test-Pod
perl-Test-Pod-Coverage
perl-Test-Portability-Files
perl-Test-Requires
perl-Test-RequiresInternet
perl-Test-Script
perl-Test-Simple
perl-Test-SubCalls
perl-Test-Synopsis
perl-Test-Taint
perl-Test-TrailingSpace
perl-Test-utf8
perl-Test-Vars
perl-Test-Warn
perl-Test-Without-Module
perl-Test2-Plugin-NoWarnings
perl-Test2-Suite
perl-Test2-Tools-Explain
perl-Text-CharWidth
perl-Text-CSV_XS
perl-Text-Diff
perl-Text-Glob
perl-Text-Iconv
perl-Text-Soundex
perl-Text-Unidecode
perl-Text-WrapI18N
perl-Tie-IxHash
perl-TimeDate
perl-Tree-DAG_Node
perl-Unicode-EastAsianWidth
perl-Unicode-LineBreak
perl-Unicode-Map8
perl-Unicode-String
perl-Unicode-UTF8
perl-UNIVERSAL-can
perl-UNIVERSAL-isa
perl-Unix-Syslog
perl-URI
perl-Variable-Magic
perl-Version-Requirements
perl-WWW-RobotRules
perl-XML-Catalog
perl-XML-DOM
perl-XML-Dumper
perl-XML-Filter-BufferText
perl-XML-Generator
perl-XML-Grove
perl-XML-Handler-YAWriter
perl-XML-LibXML
perl-XML-LibXSLT
perl-XML-NamespaceSupport
perl-XML-Parser-Lite
perl-XML-RegExp
perl-XML-SAX
perl-XML-SAX-Base
perl-XML-SAX-Writer
perl-XML-Simple
perl-XML-TokeParser
perl-XML-TreeBuilder
perl-XML-Twig
perl-XML-Writer
perl-XML-XPath
perl-XML-XPathEngine
perl-XString
perl-YAML-LibYAML
perl-YAML-PP
perl-YAML-Syck
perltidy
pesign
phodav
php
php-pear
php-pecl-zip
physfs
picosat
pinfo
pipewire
pixman
pkcs11-helper
pkgconf
plexus-cipher
plexus-containers
plexus-sec-dispatcher
plotutils
pmdk-convert
pmix
pngcrush
pngnq
po4a
podman
poetry
policycoreutils
polkit-pkla-compat
polkit-qt-1
portreserve
postfix
potrace
powertop
ppp
pps-tools
pptp
priv_wrapper
procmail
prometheus
prometheus-node-exporter
ps_mem
psacct
pssh
psutils
ptlib
publicsuffix-list
pugixml
pulseaudio
puppet
pwgen
pyatspi
pybind11
pycairo
pyelftools
pyflakes
pygobject3
PyGreSQL
pykickstart
pylint
pyparted
pyproject-rpm-macros
pyserial
python-absl-py
python-aiodns
python-aiohttp
python-alsa
python-argcomplete
python-argparse-manpage
python-astroid
python-astunparse
python-async-generator
python-augeas
python-azure-sdk
python-beautifulsoup4
python-betamax
python-blinker
python-blivet
python-cached_property
python-charset-normalizer
python-cheetah
python-click
python-cmd2
python-colorama
python-CommonMark
python-conda-package-handling
python-configshell
python-cpuinfo
python-cups
python-curio
python-cytoolz
python-d2to1
python-dbus-client-gen
python-dbus-python-client-gen
python-dbus-signature-pyparsing
python-dbusmock
python-ddt
python-debtcollector
python-decorator
python-distlib
python-dmidecode
python-dns
python-dtopt
python-dulwich
python-editables
python-enchant
python-entrypoints
python-ethtool
python-evdev
python-extras
python-faker
python-fasteners
python-fastjsonschema
python-fields
python-filelock
python-fixtures
python-flake8
python-flask
python-flit
python-flit-core
python-fluidity-sm
python-frozendict
python-funcsigs
python-gast
python-genshi
python-google-auth
python-google-auth-oauthlib
python-greenlet
python-gssapi
python-h5py
python-hatch-fancy-pypi-readme
python-hatch-vcs
python-hatchling
python-hs-dbus-signature
python-html5lib
python-httplib2
python-humanize
python-hwdata
python-importlib-metadata
python-inotify
python-into-dbus-python
python-IPy
python-iso8601
python-isodate
python-isort
python-itsdangerous
python-justbases
python-justbytes
python-jwcrypto
python-jwt
python-kdcproxy
python-kerberos
python-kmod
python-kubernetes
python-lark
python-lazy-object-proxy
python-ldap
python-linux-procfs
python-lit
python-looseversion
python-markdown
python-markdown-it-py
python-mccabe
python-mdurl
python-memcached
python-mimeparse
python-mock
python-monotonic
python-more-itertools
python-mpmath
python-msal
python-msrestazure
python-mutagen
python-networkx
python-nose2
python-ntlm-auth
python-oauth2client
python-openpyxl
python-openstackdocstheme
python-oslo-i18n
python-oslo-sphinx
python-paramiko
python-pathspec
python-pefile
python-pexpect
python-pkgconfig
python-platformdirs
python-pluggy
python-podman-api
python-poetry-core
python-process-tests
python-productmd
python-ptyprocess
python-pycares
python-pycosat
python-pydbus
python-pymongo
python-PyMySQL
python-pyperclip
python-pyroute2
python-pyrsistent
python-pysocks
python-pytest-benchmark
python-pytest-cov
python-pytest-expect
python-pytest-flake8
python-pytest-flakes
python-pytest-forked
python-pytest-mock
python-pytest-relaxed
python-pytest-runner
python-pytest-subtests
python-pytest-timeout
python-pytest-xdist
python-pytoml
python-pyudev
python-pywbem
python-qrcode
python-rdflib
python-recommonmark
python-requests-file
python-requests-ftp
python-requests-kerberos
python-requests-mock
python-requests-oauthlib
python-requests-toolbelt
python-requests_ntlm
python-responses
python-retrying
python-rfc3986
python-rich
python-rpm-generators
python-rpmfluff
python-rtslib
python-ruamel-yaml
python-ruamel-yaml-clib
python-s3transfer
python-schedutils
python-semantic_version
python-should_dsl
python-simpleline
python-slip
python-sniffio
python-sortedcontainers
python-soupsieve
python-sphinx
python-sphinx-epytext
python-sphinx-theme-py3doc-enhanced
python-sphinx_rtd_theme
python-sphinxcontrib-apidoc
python-sphinxcontrib-applehelp
python-sphinxcontrib-devhelp
python-sphinxcontrib-htmlhelp
python-sphinxcontrib-httpdomain
python-sphinxcontrib-jsmath
python-sphinxcontrib-qthelp
python-sphinxcontrib-serializinghtml
python-sqlalchemy
python-suds
python-systemd
python-tempita
python-templated-dictionary
python-termcolor
python-testpath
python-testresources
python-testscenarios
python-testtools
python-tidy
python-toml
python-tomli
python-toolz
python-tornado
python-tox
python-tox-current-env
python-tqdm
python-trio
python-trove-classifiers
python-typing-extensions
python-uamqp
python-unittest2
python-uritemplate
python-urwid
python-varlink
python-versioneer
python-virt-firmware
python-voluptuous
python-waitress
python-webencodings
python-webtest
python-wheel
python-whoosh
python-winrm
python-wrapt
python-xlrd
python-xlsxwriter
python-xmltodict
python-yubico
python-zipp
python-zmq
python-zstd
python3-mallard-ducktype
python3-pytest-asyncio
python3-typed_ast
pyusb
pywbem
pyxattr
qemu
qhull
qpdf
qperf
qr-code-generator
qt-rpm-macros
qt5-qtconnectivity
qt5-qtsensors
qt5-qtserialport
qtbase
qtdeclarative
qtsvg
qttools
quagga
quota
radvd
ragel
raptor2
rarian
rasdaemon
rasqal
rcs
rdist
rdma-core
re2
re2c
realmd
rear
recode
redland
resource-agents
rest
rhash
rlwrap
rp-pppoe
rpm-mpi-hooks
rpmdevtools
rpmlint
rr
rtkit
rtl-sdr
ruby-augeas
rubygem-bson
rubygem-coderay
rubygem-diff-lcs
rubygem-flexmock
rubygem-hpricot
rubygem-introspection
rubygem-liquid
rubygem-maruku
rubygem-metaclass
rubygem-mongo
rubygem-mustache
rubygem-mysql2
rubygem-pkg-config
rubygem-rake
rubygem-rake-compiler
rubygem-ronn
rubygem-rouge
rubygem-rspec
rubygem-rspec-expectations
rubygem-rspec-mocks
rubygem-rspec-support
rubygem-thread_order
rusers
rust-cbindgen
samba
sanlock
sassist
satyr
sbc
sblim-cim-client2
sblim-cmpi-base
sblim-cmpi-devel
sblim-cmpi-fsvol
sblim-cmpi-network
sblim-cmpi-nfsv3
sblim-cmpi-nfsv4
sblim-cmpi-params
sblim-cmpi-sysfs
sblim-cmpi-syslog
sblim-indication_helper
sblim-sfcb
sblim-sfcc
sblim-sfcCommon
sblim-testsuite
sblim-wbemcli
scl-utils
scotch
screen
scrub
SDL
SDL2
SDL_sound
sdparm
seabios
secilc
selinux-policy
sendmail
serd
setools
setserial
setuptool
sgabios
sgml-common
sgpio
shared-mime-info
sharutils
sip
sisu
skkdic
sleuthkit
slirp4netns
smartmontools
smc-tools
socket_wrapper
softhsm
sombok
sord
sos
sound-theme-freedesktop
soundtouch
sox
soxr
sparsehash
spausedd
speex
speexdsp
spice-protocol
spice-vdagent
spirv-headers
spirv-tools
splix
squashfs-tools
squid
sratom
sscg
star
startup-notification
stunnel
subscription-manager
suitesparse
SuperLU
supermin
switcheroo-control
swtpm
symlinks
sympy
sysfsutils
systemd
systemd-bootchart
t1lib
t1utils
taglib
tang
targetcli
tbb
tcl-pgtcl
tclx
teckit
telnet
thrift
tidy
time
tini
tinycdb
tix
tk
tlog
tmpwatch
tn5250
tofrodos
tokyocabinet
trace-cmd
tss2
ttembed
ttmkfdir
tuna
twolame
uchardet
uclibc-ng
ucpp
ucs-miscfixed-fonts
ucx
udftools
udica
udisks2
uglify-js
uid_wrapper
unicode-emoji
unicode-ucd
unique3
units
upower
uriparser
urlview
usb_modeswitch
usb_modeswitch-data
usbguard
usbip
usbmuxd
usbredir
usermode
ustr
uthash
uuid
uw-imap
v4l-utils
vhostmd
vino
virglrenderer
virt-p2v
virt-top
virt-what
virt-who
vitess
vmem
volume_key
vorbis-tools
vte291
vulkan-headers
vulkan-loader
watchdog
wavpack
wayland
wayland-protocols
web-assets
webrtc-audio-processing
websocketpp
wget
whois
wireguard-tools
wireless-regdb
wireshark
woff2
wordnet
words
wpebackend-fdo
wsmancli
wvdial
x3270
xapian-core
Xaw3d
xcb-proto
xcb-util
xcb-util-image
xcb-util-keysyms
xcb-util-renderutil
xcb-util-wm
xdelta
xdg-dbus-proxy
xdg-utils
xdp-tools
xerces-c
xfconf
xfsdump
xhtml1-dtds
xkeyboard-config
xmlstarlet
xmltoman
xmvn
xorg-x11-apps
xorg-x11-drv-libinput
xorg-x11-font-utils
xorg-x11-fonts
xorg-x11-proto-devel
xorg-x11-server
xorg-x11-server-utils
xorg-x11-util-macros
xorg-x11-utils
xorg-x11-xauth
xorg-x11-xbitmaps
xorg-x11-xinit
xorg-x11-xkb-utils
xorg-x11-xtrans-devel
xrestop
xterm
xxhash
yajl
yaml-cpp
yasm
yelp-tools
yelp-xsl
ykclient
yp-tools
ypbind
ypserv
z3
zenity
zerofree
zfs-fuse
zipper
zopfli
zziplib | | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome
librabbitmq | | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json index 1192fb20d3a..54ecaedc612 100644 --- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json +++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json @@ -54,7 +54,6 @@ "annobin", "ansible-freeipa", "archivemount", - "argparse-manpage", "arptables", "arpwatch", "asio", @@ -1630,6 +1629,7 @@ "python-aiohttp", "python-alsa", "python-argcomplete", + "python-argparse-manpage", "python-astroid", "python-astunparse", "python-async-generator", diff --git a/SPECS-EXTENDED/argparse-manpage/argparse-manpage.signatures.json b/SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.signatures.json similarity index 100% rename from SPECS-EXTENDED/argparse-manpage/argparse-manpage.signatures.json rename to SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.signatures.json diff --git a/SPECS-EXTENDED/argparse-manpage/argparse-manpage.spec b/SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.spec similarity index 90% rename from SPECS-EXTENDED/argparse-manpage/argparse-manpage.spec rename to SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.spec index f849f13fe5f..8c77828b5dd 100644 --- a/SPECS-EXTENDED/argparse-manpage/argparse-manpage.spec +++ b/SPECS-EXTENDED/python-argparse-manpage/python-argparse-manpage.spec @@ -1,5 +1,6 @@ Vendor: Microsoft Corporation Distribution: Azure Linux +%global modname argparse-manpage %global sum() Build manual page from %* ArgumentParser object %global desc \ 
@@ -11,33 +12,33 @@ specify that by (a) the module name or corresponding python filename and \ There is a limited support for (deprecated) optparse objects, too. -Name: argparse-manpage +Name: python-%{modname} Version: 1.5 Release: 3%{?dist} Summary: %{sum Python} BuildArch: noarch License: ASL 2.0 -URL: https://github.com/praiskup/%{name} -Source0: %pypi_source +URL: https://github.com/praiskup/%{modname} +Source0: %pypi_source argparse-manpage BuildRequires: python3-setuptools python3-devel %if 0%{?with_check} BuildRequires: python3-pip %endif -Requires: python3-%{name} = %{version}-%{release} +Requires: python3-%{modname} = %{version}-%{release} %description %desc -%package -n python3-%name +%package -n python3-%{modname} Summary: %{sum Python 3} -%description -n python3-%name +%description -n python3-%{modname} %{desc} %prep -%setup -q +%setup -q -n %{modname}-%{version} %build %py3_build @@ -59,7 +60,7 @@ pip3 install pytest==7.1.2 six==1.16.0 %{_mandir}/man1/argparse-manpage.1.* %{python3_sitelib}/build_manpages/cli -%files -n python3-%name +%files -n python3-%{modname} %license LICENSE %{python3_sitelib}/build_manpages %{python3_sitelib}/argparse_manpage-%{version}*.egg-info diff --git a/cgmanifest.json b/cgmanifest.json index b8a46ce5d71..b5c6f4e5c37 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -530,16 +530,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "argparse-manpage", - "version": "1.5", - "downloadUrl": "https://files.pythonhosted.org/packages/source/a/argparse-manpage/argparse-manpage-1.5.tar.gz" - } - } - }, { "component": { "type": "other", @@ -21678,6 +21668,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "python-argparse-manpage", + "version": "1.5", + "downloadUrl": "https://files.pythonhosted.org/packages/source/a/argparse-manpage/argparse-manpage-1.5.tar.gz" + } + } + }, { "component": { "type": "other", From d5c2a09ae0de773bfb64714d3956d386c87b522d Mon Sep 17 00:00:00 2001 
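Review bot: The `Name:` line changes the main package from `argparse-manpage` to `python-%{modname}`, but none of the hunks shown for this spec adds a `Provides:` or `Obsoletes:` for the old name. `Release:` also stays at `3%{?dist}` and no changelog hunk is shown. Anything that installs or requires `argparse-manpage` by package name would stop resolving, and an installed copy would not be replaced on upgrade. Adding `Provides: argparse-manpage = %{version}-%{release}` and `Obsoletes: argparse-manpage <= 1.5-3` next to the existing `Requires:` line, with a release bump and changelog entry, would keep the upgrade path intact.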
From: Andrew Phelps Date: Thu, 20 Jun 2024 23:05:54 -0700 Subject: [PATCH 35/40] crash: add crash-target-arm64 binary (#9442) --- SPECS/crash/crash.spec | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/SPECS/crash/crash.spec b/SPECS/crash/crash.spec index ca4cf709f35..4ce251310f1 100644 --- a/SPECS/crash/crash.spec +++ b/SPECS/crash/crash.spec @@ -1,11 +1,11 @@ %global gdb_version 10.2 Name: crash Version: 8.0.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: kernel crash analysis utility for live systems, netdump, diskdump, kdump, LKCD or mcore dumpfiles Group: Development/Tools Vendor: Microsoft Corporation -Distribution: Azure Linux +Distribution: Azure Linux URL: https://github.com/crash-utility/crash Source0: https://github.com/crash-utility/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz # crash requires gdb tarball for the build. There is no option to use the host gdb. For crash 8.0.1 the newest supported gdb version is 10.2. 
@@ -36,17 +36,41 @@ The core analysis suite is a self-contained tool that can be used to investigate This package contains libraries and header files need for development. +%ifarch x86_64 +%package target-arm64 +Summary: Crash executable for analyzing arm64 crash dumps on x86_64 host machines +Group: Development/Libraries + +%description target-arm64 +This package contains the "crash-target-arm64" binary for analyzing arm64 crash dumps on x86_64 host machines. +%endif + %prep %autosetup -n %{name}-%{version} # make expect the gdb tarball to be named with its version only, gdb-[version].tar.gz, e.g.: gdb-10.2.tar.gz cp %{SOURCE1} ./gdb-%{gdb_version}.tar.gz %build +%ifarch x86_64 +# For x86_64 only, build a separate crash binary for target=ARM64 +# After creating the "crash-target-arm64" binary, clean everything and rebuild for native target +make RPMPKG=%{version}-%{release} target=ARM64 +cp -v crash crash-target-arm64 +rm -rf ./gdb-%{gdb_version} +make clean +# Need to specify target=X86_64 here, since this parameter is "sticky" from the previous build +make RPMPKG=%{version}-%{release} target=X86_64 +%else make RPMPKG=%{version}-%{release} +%endif %install mkdir -p %{buildroot}%{_bindir} %make_install +%ifarch x86_64 +cp -v crash-target-arm64 %{buildroot}%{_bindir}/crash-target-arm64 +%endif + mkdir -p %{buildroot}%{_mandir}/man8 install -pm 644 crash.8 %{buildroot}%{_mandir}/man8/crash.8 mkdir -p %{buildroot}%{_includedir}/crash @@ -65,7 +89,16 @@ cp -p defs.h %{buildroot}%{_includedir}/crash %dir %{_includedir}/crash %{_includedir}/crash/*.h +%ifarch x86_64 +%files target-arm64 +%defattr(-,root,root) +%{_bindir}/crash-target-arm64 +%endif + %changelog +* Tue Jun 18 2024 Andrew Phelps - 8.0.4-3 +- Add crash-target-arm64 binary to analyze aarch64 dumps on x86_64 machine + * Mon Jun 03 2024 Nicolas Guibourge - 8.0.4-2 - Update gdb-10.2-2.tar.gz to address CVE-2022-37434 From b9a0a26e709f17536b18731235f21f0bddc54507 Mon Sep 17 00:00:00 2001 
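Review bot: The new `target-arm64` subpackage can be installed on its own without any license text, because `%package target-arm64` declares no `Requires:` on the main package and `%files target-arm64` lists only `%{_bindir}/crash-target-arm64`. A `%license` line naming the same file the main `%files` section uses (that section is outside these hunks) would cover it, for example `%license <license file from the main %files>`. Its `Group: Development/Libraries` also differs from the main package's `Development/Tools`, although the subpackage ships only an executable.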
From: Andrew Phelps Date: Fri, 21 Jun 2024 14:01:56 -0700 Subject: [PATCH 36/40] azurelinux-release: bump to 3.0-15 for June preview update 2 (#9462) --- SPECS/azurelinux-release/azurelinux-release.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SPECS/azurelinux-release/azurelinux-release.spec b/SPECS/azurelinux-release/azurelinux-release.spec index 23a38fbcdd8..70fac2d5bbc 100644 --- a/SPECS/azurelinux-release/azurelinux-release.spec +++ b/SPECS/azurelinux-release/azurelinux-release.spec @@ -5,7 +5,7 @@ Summary: Azure Linux release files Name: azurelinux-release Version: %{dist_version}.0 -Release: 14%{?dist} +Release: 15%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -118,6 +118,9 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/ %{_sysctldir}/*.conf %changelog +* Thu Jun 21 2024 Andrew Phelps - 3.0-15 +- Azure Linux 3.0 June Preview Release 2 + * Wed Jun 12 2024 Sam Meluch - 3.0-14 - Azure Linux 3.0 June Preview Release 1 From e9ab5868f2ef0b087440edcb34f2efb6752ae629 Mon Sep 17 00:00:00 2001 From: Neha Agarwal <58672330+neha170@users.noreply.github.com> Date: Fri, 21 Jun 2024 15:18:31 -0700 Subject: [PATCH 37/40] [3.0] mariadb: patch CVE-2024-0901 (#9466) --- SPECS/mariadb/CVE-2024-0901.patch | 20 ++++++++++++++++++++ SPECS/mariadb/mariadb.spec | 6 +++++- 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 SPECS/mariadb/CVE-2024-0901.patch diff --git a/SPECS/mariadb/CVE-2024-0901.patch b/SPECS/mariadb/CVE-2024-0901.patch new file mode 100644 index 00000000000..45c70065da8 --- /dev/null +++ b/SPECS/mariadb/CVE-2024-0901.patch 
@@ -0,0 +1,20 @@ +diff --git a/extra/wolfssl/wolfssl/src/internal.c b/extra/wolfssl/wolfssl/src/internal.c +--- a/extra/wolfssl/wolfssl/src/internal.c 2024-06-21 11:46:35.999354801 -0700 ++++ b/extra/wolfssl/wolfssl/src/internal.c 2024-06-21 11:59:43.700966514 -0700 +@@ -19748,11 +19748,11 @@ + ssl->keys.decryptedCur = 1; + #ifdef WOLFSSL_TLS13 + if (ssl->options.tls1_3) { +- /* end of plaintext */ +- word16 i = (word16)(ssl->buffers.inputBuffer.idx + +- ssl->curSize - ssl->specs.aead_mac_size); +- +- if (i > ssl->buffers.inputBuffer.length) { ++ word32 i = (ssl->buffers.inputBuffer.idx + ++ ssl->curSize - ssl->specs.aead_mac_size); ++ /* check that the end of the logical length doesn't extend ++ * past the real buffer */ ++ if (i > ssl->buffers.inputBuffer.length || i == 0) { + WOLFSSL_ERROR(BUFFER_ERROR); + return BUFFER_ERROR; + } diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index 1cb2e985cc8..ba7bbc34a1e 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec @@ -1,7 +1,7 @@ Summary: Database servers made by the original developers of MySQL. Name: mariadb Version: 10.11.6 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 WITH exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -11,6 +11,7 @@ Group: Applications/Databases # To generate run CBL-Mariner/SPECS/mariadb/generate_source_tarball.sh script URL: https://mariadb.org/ Source0: https://github.com/MariaDB/server/archive/mariadb-%{version}.tar.gz +Patch0: CVE-2024-0901.patch BuildRequires: cmake BuildRequires: curl-devel BuildRequires: e2fsprogs-devel @@ -468,6 +469,9 @@ fi %{_datadir}/mysql/hindi/errmsg.sys %changelog +* Fri Jun 21 2024 Neha Agarwal - 10.11.6-3 +- Patch CVE-2024-0901 + * Sun Feb 04 2024 Dan Streetman - 10.11.6-2 - workaround "circular dependencies" from build tooling From f5aee669d83746a2e417d855aa20cd9a4b5dbef3 Mon Sep 17 00:00:00 2001 
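Review bot: The new `CVE-2024-0901.patch` starts directly at `diff --git` with no header, so nothing records which upstream wolfSSL change it was taken from. A short header such as `Upstream: <wolfSSL commit or PR URL>` plus the CVE id would let a maintainer verify the backport and know when to drop it; the bluez patch later in this series keeps its upstream `From`/`Subject` header. The change itself widens `i` from `word16` to `word32` and adds the `i == 0` rejection in the bundled `extra/wolfssl` tree. If the spec builds against the system TLS library instead of the bundled one, this code is not compiled and the changelog entry should say so; the build options are outside the diff.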
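Review bot: Whether the new `Patch0: CVE-2024-0901.patch` is actually applied depends on `%prep`, which none of the three mariadb.spec hunks touches. It appears to be the first patch this spec declares. If `%prep` uses `%setup` rather than `%autosetup -p1`, it needs an explicit `%patch -P 0 -p1`, otherwise the package is rebuilt as 10.11.6-3 without the fix. The same check applies to the `Patch10:` line added to bluez.spec in the next commit, where no `%prep` change is shown either.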
From: Neha Agarwal <58672330+neha170@users.noreply.github.com>
Date: Fri, 21 Jun 2024 15:26:06 -0700
Subject: [PATCH 38/40] [3.0] bluez: patch CVE-2023-50229 and CVE-2023-50230 (#9467)
---
.../bluez/CVE-2023-50229-CVE-2023-50230.patch | 63 +++++++++++++++++++
SPECS/bluez/bluez.spec | 6 +-
2 files changed, 68 insertions(+), 1 deletion(-)
create mode 100644 SPECS/bluez/CVE-2023-50229-CVE-2023-50230.patch
diff --git a/SPECS/bluez/CVE-2023-50229-CVE-2023-50230.patch b/SPECS/bluez/CVE-2023-50229-CVE-2023-50230.patch
new file mode 100644
index 00000000000..d6fb603e58d
--- /dev/null
+++ b/SPECS/bluez/CVE-2023-50229-CVE-2023-50230.patch
@@ -0,0 +1,63 @@ +From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 19 Sep 2023 12:14:01 -0700 +Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length + +Primary/Secundary Counters are supposed to be 16 bytes values, if the +server has implemented them incorrectly it may lead to the following +crash: + +================================================================= +==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address +0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328 + + READ of size 48 at 0x607000001878 thread T0 + #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 + #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892 + #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887 + #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288 + #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352 + #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374 + #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921 + #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729 + #8 0x564df698b9ee in handle_response gobex/gobex.c:1140 + #9 0x564df698cdea in incoming_data gobex/gobex.c:1385 + #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) + #11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) + #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) + #13 0x564df6977d41 in main obexd/src/main.c:307 + #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #15 
0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392 + #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704) + 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878) + + allocated by thread T0 here: + #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 + #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259 +--- + obexd/client/pbap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c +index 1ed8c68ecc..2d2aa95089 100644 +--- a/obexd/client/pbap.c ++++ b/obexd/client/pbap.c +@@ -285,7 +285,7 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) + data = value; + } + +- if (memcmp(pbap->primary, data, len)) { ++ if (len == sizeof(pbap->primary) && memcmp(pbap->primary, data, len)) { + memcpy(pbap->primary, data, len); + g_dbus_emit_property_changed(conn, + obc_session_get_path(pbap->session), +@@ -299,7 +299,8 @@ static void read_version(struct pbap_data *pbap, GObexApparam *apparam) + data = value; + } + +- if (memcmp(pbap->secondary, data, len)) { ++ if (len == sizeof(pbap->secondary) && ++ memcmp(pbap->secondary, data, len)) { + memcpy(pbap->secondary, data, len); + g_dbus_emit_property_changed(conn, + obc_session_get_path(pbap->session), diff --git a/SPECS/bluez/bluez.spec b/SPECS/bluez/bluez.spec index 586f2ea35c7..68c5bf759d0 100644 --- a/SPECS/bluez/bluez.spec +++ b/SPECS/bluez/bluez.spec @@ -1,7 +1,7 @@ Summary: Bluetooth utilities Name: bluez Version: 5.63 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ AND LGPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux 
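Review bot: The file name attributes this single upstream commit to both CVE-2023-50229 and CVE-2023-50230, but neither id appears in the patch header, which describes only the counter-length check in `read_version`. A line in the header, or a comment above `Patch10:` in bluez.spec, recording where the mapping to the two ids comes from would let a later audit confirm coverage without re-deriving it. With the new `len == sizeof(pbap->primary)` and `len == sizeof(pbap->secondary)` guards, a counter of any other length is now skipped silently, which is worth a sentence in that note so the behaviour is not mistaken for a regression.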
@@ -24,6 +24,7 @@ Patch6: 0002-Use-g_memdup2-everywhere.patch Patch7: 0001-hog-Fix-read-order-of-attributes-rediffed.patch Patch8: 0002-hog-Add-input-queue-while-uhid-device-has-not-been-c-rediffed.patch Patch9: CVE-2022-3563.patch +Patch10: CVE-2023-50229-CVE-2023-50230.patch BuildRequires: autoconf BuildRequires: automake # For printing @@ -272,6 +273,9 @@ install emulator/btvirt %{buildroot}/%{_libexecdir}/bluetooth/ %{_userunitdir}/obex.service %changelog +* Fri Jun 21 2024 Neha Agarwal - 5.63-5 +- Patch CVE-2023-50229 and CVE-2023-50230 + * Mon Oct 02 2023 Minghe Ren - 5.63-4 - Add patch for CVE-2022-3563 From 238a8392f23f46b72cdf825442437b2f2411a135 Mon Sep 17 00:00:00 2001 From: Chris Gunn Date: Fri, 21 Jun 2024 15:36:16 -0700 Subject: [PATCH 39/40] Image Customizer: Add tests for additionalFiles and additionalDirs. (#9461) --- .../imagecustomizerlib/customizeutils_test.go | 197 ++++++++++++++++-- .../testdata/adddirs-config.yaml | 4 + .../testdata/addfiles-config.yaml | 3 + .../testdata/dirs/.gitignore | 1 + .../testdata/dirs/a/usr/local/bin/animals.sh | 3 + .../testdata/dirs/b/bin/animals.sh | 3 + .../imagecustomizerlib/testdata/files/b.txt | 1 + .../testdata/files/helloworld.sh | 3 + 8 files changed, 192 insertions(+), 23 deletions(-) create mode 100644 toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml create mode 100644 toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/.gitignore create mode 100644 toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/a/usr/local/bin/animals.sh create mode 100644 toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/b/bin/animals.sh create mode 100644 toolkit/tools/pkg/imagecustomizerlib/testdata/files/b.txt create mode 100644 toolkit/tools/pkg/imagecustomizerlib/testdata/files/helloworld.sh diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go index 92f158010db..db7c1d7fe0c 100644 
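Review bot: `Patch10: CVE-2023-50229-CVE-2023-50230.patch` is declared, but the `%prep` section lies outside these hunks, so it is not visible whether the patch is actually applied at build time. If the spec relies on `%autosetup` or `%autopatch`, the declaration is enough. If it lists explicit `%patch` lines, it needs a matching entry for patch 10, otherwise the package ships without the fix while the 5.63-5 changelog entry says the CVEs are patched. A quick check is to confirm in the build log that the patch is applied to `obexd/client/pbap.c`.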
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go +++ b/toolkit/tools/pkg/imagecustomizerlib/customizeutils_test.go 
@@ -58,48 +58,164 @@ func TestCopyAdditionalFiles(t *testing.T) { copy_2_filemode := os.FileMode(0o777) + // Copy a file. err = copyAdditionalFiles(baseConfigPath, map[string]imagecustomizerapi.FileConfigList{ "files/a.txt": { - {Path: "/a_copy_1.txt"}, - {Path: "/a_copy_2.txt", Permissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(copy_2_filemode))}, + {Path: "/copy_1.txt"}, + {Path: "/copy_2.txt", Permissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(copy_2_filemode))}, }, }, chroot) assert.NoError(t, err) - orig_path := filepath.Join(baseConfigPath, "files/a.txt") - copy_1_path := filepath.Join(chroot.RootDir(), "a_copy_1.txt") - copy_2_path := filepath.Join(chroot.RootDir(), "a_copy_2.txt") + a_orig_path := filepath.Join(baseConfigPath, "files/a.txt") + copy_1_path := filepath.Join(chroot.RootDir(), "copy_1.txt") + copy_2_path := filepath.Join(chroot.RootDir(), "copy_2.txt") - // Make sure the files exist. - orig_stat, err := os.Stat(orig_path) - assert.NoError(t, err) + // Make sure the file permissions are the expected values. + verifyFilePermissionsSame(t, a_orig_path, copy_1_path) + verifyFilePermissions(t, copy_2_filemode, copy_2_path) - copy_1_stat, err := os.Stat(copy_1_path) - assert.NoError(t, err) + // Make sure the files' contents are correct. + verifyFileContentsSame(t, a_orig_path, copy_1_path) + verifyFileContentsSame(t, a_orig_path, copy_2_path) - copy_2_stat, err := os.Stat(copy_2_path) + // Copy a different file to the same location. + err = copyAdditionalFiles(baseConfigPath, map[string]imagecustomizerapi.FileConfigList{ + "files/b.txt": { + {Path: "/copy_1.txt"}, + }, + }, chroot) assert.NoError(t, err) - // Make sure the filemode of the original file is different from the target filemode, - // as otherwise it would defeat the purpose of the test. 
- assert.NotEqual(t, copy_2_filemode, orig_stat.Mode()&os.ModePerm) + b_orig_path := filepath.Join(baseConfigPath, "files/b.txt") - // Make sure the file permissions are the expected values. - assert.Equal(t, orig_stat.Mode()&os.ModePerm, copy_1_stat.Mode()&os.ModePerm) - assert.Equal(t, copy_2_filemode, copy_2_stat.Mode()&os.ModePerm) + verifyFileContentsSame(t, b_orig_path, copy_1_path) + verifyFilePermissionsSame(t, b_orig_path, copy_1_path) +} - // Make sure the files' contents are correct. - orig_contents, err := os.ReadFile(orig_path) +func TestCustomizeImageAdditionalFiles(t *testing.T) { + baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) + + testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageAdditionalFiles") + buildDir := filepath.Join(testTmpDir, "build") + configFile := filepath.Join(testDir, "addfiles-config.yaml") + outImageFilePath := filepath.Join(buildDir, "image.qcow2") + + // Customize image. + err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "", + false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + if !assert.NoError(t, err) { + return + } + + // Connect to customized image. + imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath) + if !assert.NoError(t, err) { + return + } + defer imageConnection.Close() + + // Verify the files were copied correctly. 
+ a_path := filepath.Join(testDir, "files/a.txt") + a_copy_path := filepath.Join(imageConnection.Chroot().RootDir(), "/a.txt") + + helloworld_path := filepath.Join(testDir, "files/helloworld.sh") + helloworld_copy_path := filepath.Join(imageConnection.Chroot().RootDir(), "/usr/local/bin/helloworld.sh") + + verifyFileContentsSame(t, a_path, a_copy_path) + verifyFileContentsSame(t, helloworld_path, helloworld_copy_path) + + verifyFilePermissions(t, os.FileMode(0o755), helloworld_copy_path) +} + +func TestCopyAdditionalDirs(t *testing.T) { + if os.Geteuid() != 0 { + t.Skip("Test must be run as root because it uses a chroot") + } + + proposedDir := filepath.Join(tmpDir, "TestCopyAdditionalDirs") + chroot := safechroot.NewChroot(proposedDir, false) + baseConfigPath := testDir + + err := chroot.Initialize("", []string{}, []*safechroot.MountPoint{}, false) assert.NoError(t, err) + defer chroot.Close(false) - copy_1_contents, err := os.ReadFile(copy_1_path) + // Copy the directory. + err = copyAdditionalDirs(baseConfigPath, + imagecustomizerapi.DirConfigList{ + { + SourcePath: "dirs/a", + DestinationPath: "/", + ChildFilePermissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o755)), + NewDirPermissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o750)), + }, + }, + chroot) assert.NoError(t, err) - copy_2_contents, err := os.ReadFile(copy_2_path) + animalsFileOrigPath := filepath.Join(baseConfigPath, "dirs/a/usr/local/bin/animals.sh") + animalsFileNewPath := filepath.Join(chroot.RootDir(), "/usr/local/bin/animals.sh") + + // Verify file and directory contents and permissions. 
+ verifyFileContentsSame(t, animalsFileOrigPath, animalsFileNewPath) + verifyFilePermissions(t, os.FileMode(0o755), animalsFileNewPath) + + verifyFilePermissions(t, os.FileMode(0o750), filepath.Join(chroot.RootDir(), "/usr/local/bin")) + verifyFilePermissions(t, os.FileMode(0o750), filepath.Join(chroot.RootDir(), "/usr/local")) + verifyFilePermissions(t, os.FileMode(0o750), filepath.Join(chroot.RootDir(), "/usr")) + + // Copy a different directory to the same location but change up the file and directory permissions. + err = copyAdditionalDirs(baseConfigPath, + imagecustomizerapi.DirConfigList{ + { + SourcePath: "dirs/b", + DestinationPath: "/usr/local", + ChildFilePermissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o750)), + MergedDirPermissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o755)), + }, + }, + chroot) assert.NoError(t, err) - assert.Equal(t, orig_contents, copy_1_contents) - assert.Equal(t, orig_contents, copy_2_contents) + animalsFileOrigPath = filepath.Join(baseConfigPath, "dirs/b/bin/animals.sh") + + // Verify file and directory contents and permissions. + verifyFileContentsSame(t, animalsFileOrigPath, animalsFileNewPath) + verifyFilePermissions(t, os.FileMode(0o750), animalsFileNewPath) + + verifyFilePermissions(t, os.FileMode(0o755), filepath.Join(chroot.RootDir(), "/usr/local/bin")) + verifyFilePermissions(t, os.FileMode(0o755), filepath.Join(chroot.RootDir(), "/usr/local")) + verifyFilePermissions(t, os.FileMode(0o750), filepath.Join(chroot.RootDir(), "/usr")) +} + +func TestCustomizeImageAdditionalDirs(t *testing.T) { + baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi) + + testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageAdditionalDirs") + buildDir := filepath.Join(testTmpDir, "build") + configFile := filepath.Join(testDir, "adddirs-config.yaml") + outImageFilePath := filepath.Join(buildDir, "image.qcow2") + + // Customize image. 
+ err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "", + false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/) + if !assert.NoError(t, err) { + return + } + + // Connect to customized image. + imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath) + if !assert.NoError(t, err) { + return + } + defer imageConnection.Close() + + animalsFileOrigPath := filepath.Join(testDir, "dirs/a/usr/local/bin/animals.sh") + animalsFileNewPath := filepath.Join(imageConnection.Chroot().RootDir(), "/usr/local/bin/animals.sh") + + // Verify file and directory contents and permissions. + verifyFileContentsSame(t, animalsFileOrigPath, animalsFileNewPath) } func TestAddCustomizerRelease(t *testing.T) { 
@@ -145,3 +261,38 @@ func TestAddCustomizerRelease(t *testing.T) { assert.Equal(t, expectedVersion, config["TOOL_VERSION"]) assert.Equal(t, expectedDate, config["BUILD_DATE"]) } + +func verifyFileContentsSame(t *testing.T, origPath string, newPath string) { + orignContents, err := os.ReadFile(origPath) + if !assert.NoErrorf(t, err, "read original file (%s)", origPath) { + return + } + + newContents, err := os.ReadFile(newPath) + if !assert.NoErrorf(t, err, "read new file (%s)", newPath) { + return + } + + assert.Equalf(t, orignContents, newContents, "file contents differ (%s) from (%s)", newPath, origPath) +} + +func verifyFilePermissions(t *testing.T, expectedPermissions os.FileMode, path string) { + stat, err := os.Stat(path) + if assert.NoError(t, err) { + assert.Equal(t, expectedPermissions&os.ModePerm, stat.Mode()&os.ModePerm) + } +} + +func verifyFilePermissionsSame(t *testing.T, origPath string, newPath string) { + origStat, err := os.Stat(origPath) + if assert.NoErrorf(t, err, "stat original file (%s)", origPath) { + return + } + + newStat, err := os.Stat(newPath) + if assert.NoErrorf(t, err, "stat new file (%s)", newPath) { + return + } + + assert.Equal(t, origStat.Mode()&os.ModePerm, newStat.Mode()&os.ModePerm) +} diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml new file mode 100644 index 00000000000..18d438b3d86 --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml @@ -0,0 +1,4 @@ +os: + additionalDirs: + - sourcePath: dirs/a + destinationPath: / diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml index 25f4ba96e31..e761d388e14 100644 --- a/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml 
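Review bot: The rewritten `TestCopyAdditionalFiles` drops the precondition that the mode of `files/a.txt` differs from `copy_2_filemode` (0o777), which the removed comment said was needed so the test would not defeat its own purpose. Without it, a fixture that happens to be 0o777 lets the explicit-permissions case pass even if `Permissions` is ignored. I would restore it after `a_orig_path` is computed: `origStat, err := os.Stat(a_orig_path)`, `assert.NoError(t, err)`, `assert.NotEqual(t, copy_2_filemode, origStat.Mode()&os.ModePerm)`. Separately, `TestCustomizeImageAdditionalDirs` ends under the comment `// Verify file and directory contents and permissions.` but only calls `verifyFileContentsSame`. Either add a `verifyFilePermissions` check on the copied file and directories or shorten the comment to match, since permission regressions in a customized image are exactly what these tests should catch.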
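Review bot: Both error guards in `verifyFilePermissionsSame` are inverted: `if assert.NoErrorf(...) { return }` returns when `os.Stat` succeeds, so the final `assert.Equal` on the two modes never runs on the success path. When a stat fails, execution falls through to `origStat.Mode()` or `newStat.Mode()` on a nil `FileInfo`, which panics instead of reporting a clean failure. The guards should read `if !assert.NoErrorf(t, err, "stat original file (%s)", origPath) {` and `if !assert.NoErrorf(t, err, "stat new file (%s)", newPath) {`, matching `verifyFileContentsSame` in the same hunk. As written, the permission-preservation checks in `TestCopyAdditionalFiles` pass vacuously, so a change that copied files into the image with the wrong mode would go undetected.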
@@ -1,3 +1,6 @@ os: additionalFiles: files/a.txt: /a.txt + files/helloworld.sh: + - path: /usr/local/bin/helloworld.sh + permissions: 755 diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/.gitignore b/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/.gitignore new file mode 100644 index 00000000000..c0094bb5ced --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/.gitignore @@ -0,0 +1 @@ +!bin/ diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/a/usr/local/bin/animals.sh b/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/a/usr/local/bin/animals.sh new file mode 100644 index 00000000000..708ebbcd9d2 --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/a/usr/local/bin/animals.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +echo "cats and dogs" diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/b/bin/animals.sh b/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/b/bin/animals.sh new file mode 100644 index 00000000000..4140a96d500 --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/dirs/b/bin/animals.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +echo "racoons and tigers" diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/files/b.txt b/toolkit/tools/pkg/imagecustomizerlib/testdata/files/b.txt new file mode 100644 index 00000000000..e81bd06d997 --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/files/b.txt @@ -0,0 +1 @@ +hijklmnop diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/files/helloworld.sh b/toolkit/tools/pkg/imagecustomizerlib/testdata/files/helloworld.sh new file mode 100644 index 00000000000..f5696bc9994 --- /dev/null +++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/files/helloworld.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +echo "Hello, World" From 63a3aa7b1f746ddb40626d22776a20967d423925 Mon Sep 17 00:00:00 2001 
From: Andrew Phelps Date: Fri, 21 Jun 2024 16:37:21 -0700 Subject: [PATCH 40/40] gcc: update and re-enable CVE-2023-4039.patch (#9465) --- SPECS/gcc/CVE-2023-4039.patch | 922 +++++++++++------- SPECS/gcc/gcc.spec | 7 +- .../manifests/package/pkggen_core_aarch64.txt | 18 +- .../manifests/package/pkggen_core_x86_64.txt | 18 +- .../manifests/package/toolchain_aarch64.txt | 24 +- .../manifests/package/toolchain_x86_64.txt | 30 +- .../container/toolchain_build_in_chroot.sh | 2 +- .../container/toolchain_build_temp_tools.sh | 2 +- 8 files changed, 613 insertions(+), 410 deletions(-) diff --git a/SPECS/gcc/CVE-2023-4039.patch b/SPECS/gcc/CVE-2023-4039.patch index b9de29d9abe..7a7a399c0bd 100644 --- a/SPECS/gcc/CVE-2023-4039.patch +++ b/SPECS/gcc/CVE-2023-4039.patch @@ -1,6 +1,6 @@ -From 12f648c158fb9f3be7aa2b6ab377d128a0c1bf1c Mon Sep 17 00:00:00 2001 +From 71a2aa2127283f450c623d3604dbcabe0e14a8d4 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:43 +0100 +Date: Tue, 12 Sep 2023 16:07:12 +0100 Subject: [PATCH 01/19] aarch64: Use local frame vars in shrink-wrapping code aarch64_layout_frame uses a shorthand for referring to @@ -12,7 +12,7 @@ This patch does the same for some other heavy users of the structure. No functional change intended. gcc/ - * config/aarch64/aarch64.c (aarch64_save_callee_saves): Use + * config/aarch64/aarch64.cc (aarch64_save_callee_saves): Use a local shorthand for cfun->machine->frame. (aarch64_restore_callee_saves, aarch64_get_separate_components): (aarch64_process_components): Likewise. 
@@ -20,14 +20,23 @@ gcc/ (aarch64_expand_prologue, aarch64_expand_epilogue): Likewise. (aarch64_layout_frame): Use existing shorthand for one more case. --- - gcc/config/aarch64/aarch64.c | 115 ++++++++++++++++++----------------- - 1 file changed, 60 insertions(+), 55 deletions(-) - -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index c2f4b27f6..2ddd01b34 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7733,6 +7733,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + gcc/config/aarch64/aarch64.cc | 123 ++++++++++++++++++---------------- + 1 file changed, 64 insertions(+), 59 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 822a2b49a46..5d473d161d9 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8612,7 +8612,7 @@ aarch64_layout_frame (void) + frame.is_scs_enabled + = (!crtl->calls_eh_return + && sanitize_flags_p (SANITIZE_SHADOW_CALL_STACK) +- && known_ge (cfun->machine->frame.reg_offset[LR_REGNUM], 0)); ++ && known_ge (frame.reg_offset[LR_REGNUM], 0)); + + /* When shadow call stack is enabled, the scs_pop in the epilogue will + restore x30, and we don't need to pop x30 again in the traditional +@@ -9078,6 +9078,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, unsigned start, unsigned limit, bool skip_wb, bool hard_fp_valid_p) { 
@@ -35,18 +44,18 @@ index c2f4b27f6..2ddd01b34 100644 rtx_insn *insn; unsigned regno; unsigned regno2; -@@ -7747,8 +7748,8 @@ aarch64_save_callee_saves (poly_int64 start_offset, +@@ -9092,8 +9093,8 @@ aarch64_save_callee_saves (poly_int64 start_offset, bool frame_related_p = aarch64_emit_cfi_for_reg_p (regno); if (skip_wb -- && (regno == cfun->machine->frame.wb_candidate1 -- || regno == cfun->machine->frame.wb_candidate2)) -+ && (regno == frame.wb_candidate1 -+ || regno == frame.wb_candidate2)) +- && (regno == cfun->machine->frame.wb_push_candidate1 +- || regno == cfun->machine->frame.wb_push_candidate2)) ++ && (regno == frame.wb_push_candidate1 ++ || regno == frame.wb_push_candidate2)) continue; if (cfun->machine->reg_is_wrapped_separately[regno]) -@@ -7756,7 +7757,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, +@@ -9101,7 +9102,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, machine_mode mode = aarch64_reg_save_mode (regno); reg = gen_rtx_REG (mode, regno); @@ -55,7 +64,7 @@ index c2f4b27f6..2ddd01b34 100644 rtx base_rtx = stack_pointer_rtx; poly_int64 sp_offset = offset; -@@ -7769,7 +7770,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, +@@ -9114,7 +9115,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, { gcc_assert (known_eq (start_offset, 0)); poly_int64 fp_offset @@ -64,7 +73,7 @@ index c2f4b27f6..2ddd01b34 100644 if (hard_fp_valid_p) base_rtx = hard_frame_pointer_rtx; else -@@ -7791,8 +7792,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, +@@ -9136,8 +9137,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit && !cfun->machine->reg_is_wrapped_separately[regno2] && known_eq (GET_MODE_SIZE (mode), 
@@ -74,7 +83,7 @@ index c2f4b27f6..2ddd01b34 100644 { rtx reg2 = gen_rtx_REG (mode, regno2); rtx mem2; -@@ -7842,6 +7842,7 @@ static void +@@ -9187,6 +9187,7 @@ static void aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, unsigned limit, bool skip_wb, rtx *cfi_ops) { @@ -82,14 +91,14 @@ index c2f4b27f6..2ddd01b34 100644 unsigned regno; unsigned regno2; poly_int64 offset; -@@ -7858,13 +7859,13 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, +@@ -9203,13 +9204,13 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, rtx reg, mem; if (skip_wb -- && (regno == cfun->machine->frame.wb_candidate1 -- || regno == cfun->machine->frame.wb_candidate2)) -+ && (regno == frame.wb_candidate1 -+ || regno == frame.wb_candidate2)) +- && (regno == cfun->machine->frame.wb_pop_candidate1 +- || regno == cfun->machine->frame.wb_pop_candidate2)) ++ && (regno == frame.wb_pop_candidate1 ++ || regno == frame.wb_pop_candidate2)) continue; machine_mode mode = aarch64_reg_save_mode (regno); @@ -99,7 +108,7 @@ index c2f4b27f6..2ddd01b34 100644 rtx base_rtx = stack_pointer_rtx; if (mode == VNx2DImode && BYTES_BIG_ENDIAN) aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, -@@ -7875,8 +7876,7 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, +@@ -9220,8 +9221,7 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit && !cfun->machine->reg_is_wrapped_separately[regno2] && known_eq (GET_MODE_SIZE (mode), @@ -109,7 +118,7 @@ index c2f4b27f6..2ddd01b34 100644 { rtx reg2 = gen_rtx_REG (mode, regno2); rtx mem2; -@@ -7981,6 +7981,7 @@ offset_12bit_unsigned_scaled_p (machine_mode mode, poly_int64 offset) +@@ -9326,6 +9326,7 @@ offset_12bit_unsigned_scaled_p (machine_mode mode, poly_int64 offset) static sbitmap aarch64_get_separate_components (void) { 
@@ -117,7 +126,7 @@ index c2f4b27f6..2ddd01b34 100644 sbitmap components = sbitmap_alloc (LAST_SAVED_REGNUM + 1); bitmap_clear (components); -@@ -7997,18 +7998,18 @@ aarch64_get_separate_components (void) +@@ -9342,18 +9343,18 @@ aarch64_get_separate_components (void) if (mode == VNx2DImode && BYTES_BIG_ENDIAN) continue; @@ -139,7 +148,7 @@ index c2f4b27f6..2ddd01b34 100644 else offset += crtl->outgoing_args_size; -@@ -8027,11 +8028,11 @@ aarch64_get_separate_components (void) +@@ -9372,11 +9373,11 @@ aarch64_get_separate_components (void) /* If the spare predicate register used by big-endian SVE code is call-preserved, it must be saved in the main prologue before any saves that use it. */ @@ -148,14 +157,14 @@ index c2f4b27f6..2ddd01b34 100644 + if (frame.spare_pred_reg != INVALID_REGNUM) + bitmap_clear_bit (components, frame.spare_pred_reg); -- unsigned reg1 = cfun->machine->frame.wb_candidate1; -- unsigned reg2 = cfun->machine->frame.wb_candidate2; -+ unsigned reg1 = frame.wb_candidate1; -+ unsigned reg2 = frame.wb_candidate2; +- unsigned reg1 = cfun->machine->frame.wb_push_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_push_candidate2; ++ unsigned reg1 = frame.wb_push_candidate1; ++ unsigned reg2 = frame.wb_push_candidate2; /* If registers have been chosen to be stored/restored with writeback don't interfere with them to avoid having to output explicit stack adjustment instructions. */ -@@ -8140,6 +8141,7 @@ aarch64_get_next_set_bit (sbitmap bmp, unsigned int start) +@@ -9485,6 +9486,7 @@ aarch64_get_next_set_bit (sbitmap bmp, unsigned int start) static void aarch64_process_components (sbitmap components, bool prologue_p) { 
@@ -163,7 +172,7 @@ index c2f4b27f6..2ddd01b34 100644 rtx ptr_reg = gen_rtx_REG (Pmode, frame_pointer_needed ? HARD_FRAME_POINTER_REGNUM : STACK_POINTER_REGNUM); -@@ -8154,9 +8156,9 @@ aarch64_process_components (sbitmap components, bool prologue_p) +@@ -9499,9 +9501,9 @@ aarch64_process_components (sbitmap components, bool prologue_p) machine_mode mode = aarch64_reg_save_mode (regno); rtx reg = gen_rtx_REG (mode, regno); @@ -175,7 +184,7 @@ index c2f4b27f6..2ddd01b34 100644 else offset += crtl->outgoing_args_size; -@@ -8181,14 +8183,14 @@ aarch64_process_components (sbitmap components, bool prologue_p) +@@ -9526,14 +9528,14 @@ aarch64_process_components (sbitmap components, bool prologue_p) break; } @@ -192,7 +201,7 @@ index c2f4b27f6..2ddd01b34 100644 GET_MODE_SIZE (mode))) { insn = emit_insn (set); -@@ -8210,7 +8212,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) +@@ -9555,7 +9557,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) /* REGNO2 can be saved/restored in a pair with REGNO. */ rtx reg2 = gen_rtx_REG (mode, regno2); if (frame_pointer_needed) @@ -201,7 +210,7 @@ index c2f4b27f6..2ddd01b34 100644 else offset2 += crtl->outgoing_args_size; rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); -@@ -8305,6 +8307,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +@@ -9650,6 +9652,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, bool frame_related_p, bool final_adjustment_p) { @@ -209,7 +218,7 @@ index c2f4b27f6..2ddd01b34 100644 HOST_WIDE_INT guard_size = 1 << param_stack_clash_protection_guard_size; HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; -@@ -8325,25 +8328,25 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +@@ -9670,25 +9673,25 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, register as a probe. We can't assume that LR was saved at position 0 though, so treat any space below it as unprobed. */ if (final_adjustment_p 
@@ -241,7 +250,7 @@ index c2f4b27f6..2ddd01b34 100644 if (known_eq (frame_size, 0)) { -@@ -8632,17 +8635,18 @@ aarch64_epilogue_uses (int regno) +@@ -9977,17 +9980,18 @@ aarch64_epilogue_uses (int regno) void aarch64_expand_prologue (void) { @@ -260,17 +269,26 @@ index c2f4b27f6..2ddd01b34 100644 + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; poly_int64 below_hard_fp_saved_regs_size - = cfun->machine->frame.below_hard_fp_saved_regs_size; -- unsigned reg1 = cfun->machine->frame.wb_candidate1; -- unsigned reg2 = cfun->machine->frame.wb_candidate2; +- unsigned reg1 = cfun->machine->frame.wb_push_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_push_candidate2; - bool emit_frame_chain = cfun->machine->frame.emit_frame_chain; + = frame.below_hard_fp_saved_regs_size; -+ unsigned reg1 = frame.wb_candidate1; -+ unsigned reg2 = frame.wb_candidate2; ++ unsigned reg1 = frame.wb_push_candidate1; ++ unsigned reg2 = frame.wb_push_candidate2; + bool emit_frame_chain = frame.emit_frame_chain; rtx_insn *insn; if (flag_stack_clash_protection && known_eq (callee_adjust, 0)) -@@ -8708,7 +8712,7 @@ aarch64_expand_prologue (void) +@@ -10018,7 +10022,7 @@ aarch64_expand_prologue (void) + } + + /* Push return address to shadow call stack. */ +- if (cfun->machine->frame.is_scs_enabled) ++ if (frame.is_scs_enabled) + emit_insn (gen_scs_push ()); + + if (flag_stack_usage_info) +@@ -10057,7 +10061,7 @@ aarch64_expand_prologue (void) /* The offset of the frame chain record (if any) from the current SP. */ poly_int64 chain_offset = (initial_adjust + callee_adjust @@ -279,7 +297,7 @@ index c2f4b27f6..2ddd01b34 100644 gcc_assert (known_ge (chain_offset, 0)); /* The offset of the bottom of the save area from the current SP. */ -@@ -8811,15 +8815,16 @@ aarch64_use_return_insn_p (void) +@@ -10160,16 +10164,17 @@ aarch64_use_return_insn_p (void) void aarch64_expand_epilogue (bool for_sibcall) { 
@@ -296,15 +314,17 @@ index c2f4b27f6..2ddd01b34 100644 + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; poly_int64 below_hard_fp_saved_regs_size - = cfun->machine->frame.below_hard_fp_saved_regs_size; -- unsigned reg1 = cfun->machine->frame.wb_candidate1; -- unsigned reg2 = cfun->machine->frame.wb_candidate2; +- unsigned reg1 = cfun->machine->frame.wb_pop_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_pop_candidate2; +- unsigned int last_gpr = (cfun->machine->frame.is_scs_enabled + = frame.below_hard_fp_saved_regs_size; -+ unsigned reg1 = frame.wb_candidate1; -+ unsigned reg2 = frame.wb_candidate2; ++ unsigned reg1 = frame.wb_pop_candidate1; ++ unsigned reg2 = frame.wb_pop_candidate2; ++ unsigned int last_gpr = (frame.is_scs_enabled + ? R29_REGNUM : R30_REGNUM); rtx cfi_ops = NULL; rtx_insn *insn; - /* A stack clash protection prologue may not have left EP0_REGNUM or -@@ -8852,7 +8857,7 @@ aarch64_expand_epilogue (bool for_sibcall) +@@ -10203,7 +10208,7 @@ aarch64_expand_epilogue (bool for_sibcall) /* We need to add memory barrier to prevent read from deallocated stack. */ bool need_barrier_p = maybe_ne (get_frame_size () @@ -313,7 +333,16 @@ index c2f4b27f6..2ddd01b34 100644 /* Emit a barrier to prevent loads from a deallocated stack. */ if (maybe_gt (final_adjust, crtl->outgoing_args_size) -@@ -11483,24 +11488,24 @@ aarch64_can_eliminate (const int from ATTRIBUTE_UNUSED, const int to) +@@ -10284,7 +10289,7 @@ aarch64_expand_epilogue (bool for_sibcall) + } + + /* Pop return address from shadow call stack. */ +- if (cfun->machine->frame.is_scs_enabled) ++ if (frame.is_scs_enabled) + { + machine_mode mode = aarch64_reg_save_mode (R30_REGNUM); + rtx reg = gen_rtx_REG (mode, R30_REGNUM); +@@ -12740,24 +12745,24 @@ aarch64_can_eliminate (const int from ATTRIBUTE_UNUSED, const int to) poly_int64 aarch64_initial_elimination_offset (unsigned from, unsigned to) { 
@@ -345,12 +374,12 @@ index c2f4b27f6..2ddd01b34 100644 -- -2.17.1 +2.39.4 -From e6f4ab027ccd405ad6b1a293fa7bd304f6995e83 Mon Sep 17 00:00:00 2001 +From 89a9fa287706c5011f61926eaf65e7b996b963a3 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:44 +0100 +Date: Tue, 12 Sep 2023 16:07:12 +0100 Subject: [PATCH 02/19] aarch64: Avoid a use of callee_offset When we emit the frame chain, i.e. when we reach Here in this statement @@ -390,17 +419,17 @@ CFA note to be in sync, and it's more convenient for later patches if it uses chain_offset. gcc/ - * config/aarch64/aarch64.c (aarch64_expand_prologue): Use + * config/aarch64/aarch64.cc (aarch64_expand_prologue): Use chain_offset rather than callee_offset. --- - gcc/config/aarch64/aarch64.c | 4 +--- + gcc/config/aarch64/aarch64.cc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 2ddd01b34..e67d44edd 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -8640,7 +8640,6 @@ aarch64_expand_prologue (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 5d473d161d9..4f233c95140 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9985,7 +9985,6 @@ aarch64_expand_prologue (void) poly_int64 initial_adjust = frame.initial_adjust; HOST_WIDE_INT callee_adjust = frame.callee_adjust; poly_int64 final_adjust = frame.final_adjust; @@ -408,7 +437,7 @@ index 2ddd01b34..e67d44edd 100644 poly_int64 sve_callee_adjust = frame.sve_callee_adjust; poly_int64 below_hard_fp_saved_regs_size = frame.below_hard_fp_saved_regs_size; -@@ -8749,8 +8748,7 @@ aarch64_expand_prologue (void) +@@ -10098,8 +10097,7 @@ aarch64_expand_prologue (void) implicit. */ if (!find_reg_note (insn, REG_CFA_ADJUST_CFA, NULL_RTX)) { 
@@ -419,12 +448,12 @@ index 2ddd01b34..e67d44edd 100644 gen_rtx_SET (hard_frame_pointer_rtx, src)); } -- -2.17.1 +2.39.4 -From dd53b165c9c18c8b9459ea9472f6e01aaf9403d5 Mon Sep 17 00:00:00 2001 +From b36a2a78040722dab6124366c5d6baf8eaf80aef Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:44 +0100 +Date: Tue, 12 Sep 2023 16:07:13 +0100 Subject: [PATCH 03/19] aarch64: Explicitly handle frames with no saved registers @@ -443,17 +472,17 @@ no outgoing arguments, and so all the frame will be above where the saved registers normally go. gcc/ - * config/aarch64/aarch64.c (aarch64_layout_frame): Explicitly + * config/aarch64/aarch64.cc (aarch64_layout_frame): Explicitly allocate the frame in one go if there are no saved registers. --- - gcc/config/aarch64/aarch64.c | 8 +++++--- + gcc/config/aarch64/aarch64.cc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index e67d44edd..1667593a1 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7348,9 +7348,11 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 4f233c95140..37643041ffb 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8639,9 +8639,11 @@ aarch64_layout_frame (void) HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; HOST_WIDE_INT const_saved_regs_size; @@ -469,12 +498,12 @@ index e67d44edd..1667593a1 100644 /* Simple, small frame with no outgoing arguments: -- -2.17.1 +2.39.4 -From 2e30d93703ccc3d3bedda1402540b3a665c01136 Mon Sep 17 00:00:00 2001 +From ada2ab0093596be707f23a3466ac82cff59fcffe Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:45 +0100 +Date: Tue, 12 Sep 2023 16:07:13 +0100 Subject: [PATCH 04/19] aarch64: Add bytes_below_saved_regs to frame info The frame layout code currently hard-codes the assumption that 
@@ -485,21 +514,21 @@ value into a new field of aarch64_frame. gcc/ * config/aarch64/aarch64.h (aarch64_frame::bytes_below_saved_regs): New field. - * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize it, + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize it, and use it instead of crtl->outgoing_args_size. (aarch64_get_separate_components): Use bytes_below_saved_regs instead of outgoing_args_size. (aarch64_process_components): Likewise. --- - gcc/config/aarch64/aarch64.c | 71 ++++++++++++++++++------------------ - gcc/config/aarch64/aarch64.h | 5 +++ + gcc/config/aarch64/aarch64.cc | 71 ++++++++++++++++++----------------- + gcc/config/aarch64/aarch64.h | 5 +++ 2 files changed, 41 insertions(+), 35 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 1667593a1..d77c13b70 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7215,6 +7215,8 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 37643041ffb..dacc2b0e4dd 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8478,6 +8478,8 @@ aarch64_layout_frame (void) gcc_assert (crtl->is_leaf || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); @@ -508,7 +537,7 @@ index 1667593a1..d77c13b70 100644 /* Now assign stack slots for the registers. Start with the predicate registers, since predicate LDR and STR have a relatively small offset range. These saves happen below the hard frame pointer. */ -@@ -7319,18 +7321,18 @@ aarch64_layout_frame (void) +@@ -8582,18 +8584,18 @@ aarch64_layout_frame (void) poly_int64 varargs_and_saved_regs_size = offset + frame.saved_varargs_size; 
@@ -531,8 +560,8 @@ index 1667593a1..d77c13b70 100644 frame.locals_offset = frame.saved_varargs_size; -@@ -7346,7 +7348,7 @@ aarch64_layout_frame (void) - else if (frame.wb_candidate1 != INVALID_REGNUM) +@@ -8637,7 +8639,7 @@ aarch64_layout_frame (void) + else if (frame.wb_pop_candidate1 != INVALID_REGNUM) max_push_offset = 256; - HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; @@ -540,7 +569,7 @@ index 1667593a1..d77c13b70 100644 HOST_WIDE_INT const_saved_regs_size; if (known_eq (frame.saved_regs_size, 0)) frame.initial_adjust = frame.frame_size; -@@ -7354,31 +7356,31 @@ aarch64_layout_frame (void) +@@ -8645,31 +8647,31 @@ aarch64_layout_frame (void) && const_size < max_push_offset && known_eq (frame.hard_fp_offset, const_size)) { @@ -584,7 +613,7 @@ index 1667593a1..d77c13b70 100644 } else if (saves_below_hard_fp_p && known_eq (frame.saved_regs_size, -@@ -7388,30 +7390,29 @@ aarch64_layout_frame (void) +@@ -8679,30 +8681,29 @@ aarch64_layout_frame (void) sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size save SVE registers relative to SP @@ -622,7 +651,7 @@ index 1667593a1..d77c13b70 100644 sub sp, sp, hard_fp_offset stp x29, x30, [sp, 0] -@@ -7419,10 +7420,10 @@ aarch64_layout_frame (void) +@@ -8710,10 +8711,10 @@ aarch64_layout_frame (void) stp reg3, reg4, [sp, 16] [sub sp, sp, below_hard_fp_saved_regs_size] [save SVE registers relative to SP] @@ -635,7 +664,7 @@ index 1667593a1..d77c13b70 100644 } /* Make sure the individual adjustments add up to the full frame size. */ -@@ -8013,7 +8014,7 @@ aarch64_get_separate_components (void) +@@ -9358,7 +9359,7 @@ aarch64_get_separate_components (void) if (frame_pointer_needed) offset -= frame.below_hard_fp_saved_regs_size; else 
@@ -644,7 +673,7 @@ index 1667593a1..d77c13b70 100644 /* Check that we can access the stack slot of the register with one direct load with no adjustments needed. */ -@@ -8162,7 +8163,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) +@@ -9507,7 +9508,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) if (frame_pointer_needed) offset -= frame.below_hard_fp_saved_regs_size; else @@ -653,7 +682,7 @@ index 1667593a1..d77c13b70 100644 rtx addr = plus_constant (Pmode, ptr_reg, offset); rtx mem = gen_frame_mem (mode, addr); -@@ -8216,7 +8217,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) +@@ -9561,7 +9562,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) if (frame_pointer_needed) offset2 -= frame.below_hard_fp_saved_regs_size; else @@ -662,7 +691,7 @@ index 1667593a1..d77c13b70 100644 rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); rtx mem2 = gen_frame_mem (mode, addr2); rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2) -@@ -8290,10 +8291,10 @@ aarch64_stack_clash_protection_alloca_probe_range (void) +@@ -9635,10 +9636,10 @@ aarch64_stack_clash_protection_alloca_probe_range (void) registers. If POLY_SIZE is not large enough to require a probe this function will only adjust the stack. When allocating the stack space FRAME_RELATED_P is then used to indicate if the allocation is frame related. @@ -677,7 +706,7 @@ index 1667593a1..d77c13b70 100644 We emit barriers after each stack adjustment to prevent optimizations from breaking the invariant that we never drop the stack more than a page. This -@@ -8502,7 +8503,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +@@ -9847,7 +9848,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, /* Handle any residuals. Residuals of at least MIN_PROBE_THRESHOLD have to be probed. This maintains the requirement that each page is probed at least once. For initial probing we probe only if the allocation is 
@@ -687,10 +716,10 @@ index 1667593a1..d77c13b70 100644 GUARD_SIZE. This works that for any allocation that is large enough to trigger a probe here, we'll have at least one, and if they're not large diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index bfffbcd6a..3bb2f29af 100644 +index 73b09e20508..0b6faa3ddf1 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -835,6 +835,11 @@ struct GTY (()) aarch64_frame +@@ -777,6 +777,11 @@ struct GTY (()) aarch64_frame /* The size of the callee-save registers with a slot in REG_OFFSET. */ poly_int64 saved_regs_size; @@ -703,12 +732,12 @@ index bfffbcd6a..3bb2f29af 100644 are saved below the hard frame pointer. */ poly_int64 below_hard_fp_saved_regs_size; -- -2.17.1 +2.39.4 -From 3e826e897e104db564a4f6292fa4bf0a69f18c7e Mon Sep 17 00:00:00 2001 +From 82f6b3e1b596ef0f4e3ac3bb9c6e88fb4458f402 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:45 +0100 +Date: Tue, 12 Sep 2023 16:07:14 +0100 Subject: [PATCH 05/19] aarch64: Add bytes_below_hard_fp to frame info Following on from the previous bytes_below_saved_regs patch, this one 
@@ -732,19 +761,19 @@ from the outset. gcc/ * config/aarch64/aarch64.h (aarch64_frame::bytes_below_hard_fp): New field. - * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize it. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize it. (aarch64_expand_epilogue): Use it instead of below_hard_fp_saved_regs_size. --- - gcc/config/aarch64/aarch64.c | 6 +++--- - gcc/config/aarch64/aarch64.h | 5 +++++ + gcc/config/aarch64/aarch64.cc | 6 +++--- + gcc/config/aarch64/aarch64.h | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index d77c13b70..ef3903757 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7267,6 +7267,7 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index dacc2b0e4dd..a3f7aabcc59 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8530,6 +8530,7 @@ aarch64_layout_frame (void) of the callee save area. */ bool saves_below_hard_fp_p = maybe_ne (offset, 0); frame.below_hard_fp_saved_regs_size = offset; 
@@ -752,17 +781,17 @@ index d77c13b70..ef3903757 100644 if (frame.emit_frame_chain) { /* FP and LR are placed in the linkage record. */ -@@ -8822,8 +8823,7 @@ aarch64_expand_epilogue (bool for_sibcall) +@@ -10171,8 +10172,7 @@ aarch64_expand_epilogue (bool for_sibcall) poly_int64 final_adjust = frame.final_adjust; poly_int64 callee_offset = frame.callee_offset; poly_int64 sve_callee_adjust = frame.sve_callee_adjust; - poly_int64 below_hard_fp_saved_regs_size - = frame.below_hard_fp_saved_regs_size; + poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; - unsigned reg1 = frame.wb_candidate1; - unsigned reg2 = frame.wb_candidate2; - rtx cfi_ops = NULL; -@@ -8879,7 +8879,7 @@ aarch64_expand_epilogue (bool for_sibcall) + unsigned reg1 = frame.wb_pop_candidate1; + unsigned reg2 = frame.wb_pop_candidate2; + unsigned int last_gpr = (frame.is_scs_enabled +@@ -10230,7 +10230,7 @@ aarch64_expand_epilogue (bool for_sibcall) is restored on the instruction doing the writeback. */ aarch64_add_offset (Pmode, stack_pointer_rtx, hard_frame_pointer_rtx, @@ -772,10 +801,10 @@ index d77c13b70..ef3903757 100644 else /* The case where we need to re-use the register here is very rare, so diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index 3bb2f29af..5c5f5b738 100644 +index 0b6faa3ddf1..4263d29d29d 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -844,6 +844,11 @@ struct GTY (()) aarch64_frame +@@ -786,6 +786,11 @@ struct GTY (()) aarch64_frame are saved below the hard frame pointer. */ poly_int64 below_hard_fp_saved_regs_size; @@ -788,12 +817,12 @@ index 3bb2f29af..5c5f5b738 100644 top of the locals area. This value is always a multiple of STACK_BOUNDARY. */ -- -2.17.1 +2.39.4 -From c77beb190156920fab3418047f6729badcfd8c7b Mon Sep 17 00:00:00 2001 +From 86fa43e9fe4a8bf954f2919f07cbe3646d1d1df3 Mon Sep 17 00:00:00 2001 
From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:46 +0100 +Date: Tue, 12 Sep 2023 16:07:14 +0100 Subject: [PATCH 06/19] aarch64: Tweak aarch64_save/restore_callee_saves aarch64_save_callee_saves and aarch64_restore_callee_saves took @@ -809,7 +838,7 @@ makes sense in combination with the follow-on patches. gcc/ * config/aarch64/aarch64.h (aarch64_frame::callee_offset): Delete. - * config/aarch64/aarch64.c (aarch64_layout_frame): Remove + * config/aarch64/aarch64.cc (aarch64_layout_frame): Remove callee_offset handling. (aarch64_save_callee_saves): Replace the start_offset parameter with a bytes_below_sp parameter. 
@@ -817,23 +846,23 @@ gcc/ (aarch64_expand_prologue): Update accordingly. (aarch64_expand_epilogue): Likewise. --- - gcc/config/aarch64/aarch64.c | 56 ++++++++++++++++++------------------ - gcc/config/aarch64/aarch64.h | 4 --- + gcc/config/aarch64/aarch64.cc | 56 +++++++++++++++++------------------ + gcc/config/aarch64/aarch64.h | 4 --- 2 files changed, 28 insertions(+), 32 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index ef3903757..1923d751f 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7341,7 +7341,6 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index a3f7aabcc59..46ae5cf7673 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8604,7 +8604,6 @@ aarch64_layout_frame (void) frame.final_adjust = 0; frame.callee_adjust = 0; frame.sve_callee_adjust = 0; - frame.callee_offset = 0; - HOST_WIDE_INT max_push_offset = 0; - if (frame.wb_candidate2 != INVALID_REGNUM) -@@ -7381,7 +7380,6 @@ aarch64_layout_frame (void) + frame.wb_pop_candidate1 = frame.wb_push_candidate1; + frame.wb_pop_candidate2 = frame.wb_push_candidate2; +@@ -8672,7 +8671,6 @@ aarch64_layout_frame (void) stp reg1, reg2, [sp, bytes_below_saved_regs] stp reg3, reg4, [sp, bytes_below_saved_regs + 16] */ frame.initial_adjust = frame.frame_size; @@ -841,7 +870,7 @@ index ef3903757..1923d751f 100644 } else if (saves_below_hard_fp_p && known_eq (frame.saved_regs_size, -@@ -7728,12 +7726,13 @@ aarch64_add_cfa_expression (rtx_insn *insn, rtx reg, +@@ -9073,12 +9071,13 @@ aarch64_add_cfa_expression (rtx_insn *insn, rtx reg, } /* Emit code to save the callee-saved registers from register number START 
@@ -859,7 +888,7 @@ index ef3903757..1923d751f 100644 unsigned start, unsigned limit, bool skip_wb, bool hard_fp_valid_p) { -@@ -7761,7 +7760,9 @@ aarch64_save_callee_saves (poly_int64 start_offset, +@@ -9106,7 +9105,9 @@ aarch64_save_callee_saves (poly_int64 start_offset, machine_mode mode = aarch64_reg_save_mode (regno); reg = gen_rtx_REG (mode, regno); @@ -870,7 +899,7 @@ index ef3903757..1923d751f 100644 rtx base_rtx = stack_pointer_rtx; poly_int64 sp_offset = offset; -@@ -7772,9 +7773,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, +@@ -9117,9 +9118,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, else if (GP_REGNUM_P (regno) && (!offset.is_constant (&const_offset) || const_offset >= 512)) { @@ -881,7 +910,7 @@ index ef3903757..1923d751f 100644 if (hard_fp_valid_p) base_rtx = hard_frame_pointer_rtx; else -@@ -7838,12 +7837,13 @@ aarch64_save_callee_saves (poly_int64 start_offset, +@@ -9183,12 +9182,13 @@ aarch64_save_callee_saves (poly_int64 start_offset, } /* Emit code to restore the callee registers from register number START @@ -899,7 +928,7 @@ index ef3903757..1923d751f 100644 unsigned limit, bool skip_wb, rtx *cfi_ops) { aarch64_frame &frame = cfun->machine->frame; -@@ -7869,7 +7869,9 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, +@@ -9214,7 +9214,9 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, machine_mode mode = aarch64_reg_save_mode (regno); reg = gen_rtx_REG (mode, regno); 
@@ -910,16 +939,16 @@ index ef3903757..1923d751f 100644 rtx base_rtx = stack_pointer_rtx; if (mode == VNx2DImode && BYTES_BIG_ENDIAN) aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, -@@ -8645,8 +8647,6 @@ aarch64_expand_prologue (void) +@@ -9990,8 +9992,6 @@ aarch64_expand_prologue (void) HOST_WIDE_INT callee_adjust = frame.callee_adjust; poly_int64 final_adjust = frame.final_adjust; poly_int64 sve_callee_adjust = frame.sve_callee_adjust; - poly_int64 below_hard_fp_saved_regs_size - = frame.below_hard_fp_saved_regs_size; - unsigned reg1 = frame.wb_candidate1; - unsigned reg2 = frame.wb_candidate2; + unsigned reg1 = frame.wb_push_candidate1; + unsigned reg2 = frame.wb_push_candidate2; bool emit_frame_chain = frame.emit_frame_chain; -@@ -8718,8 +8718,8 @@ aarch64_expand_prologue (void) +@@ -10067,8 +10067,8 @@ aarch64_expand_prologue (void) - frame.hard_fp_offset); gcc_assert (known_ge (chain_offset, 0)); @@ -930,7 +959,7 @@ index ef3903757..1923d751f 100644 if (emit_frame_chain) { -@@ -8727,7 +8727,7 @@ aarch64_expand_prologue (void) +@@ -10076,7 +10076,7 @@ aarch64_expand_prologue (void) { reg1 = R29_REGNUM; reg2 = R30_REGNUM; @@ -939,7 +968,7 @@ index ef3903757..1923d751f 100644 false, false); } else -@@ -8767,7 +8767,7 @@ aarch64_expand_prologue (void) +@@ -10116,7 +10116,7 @@ aarch64_expand_prologue (void) emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx)); } @@ -948,7 +977,7 @@ index ef3903757..1923d751f 100644 callee_adjust != 0 || emit_frame_chain, emit_frame_chain); if (maybe_ne (sve_callee_adjust, 0)) -@@ -8777,16 +8777,17 @@ aarch64_expand_prologue (void) +@@ -10126,16 +10126,17 @@ aarch64_expand_prologue (void) aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, sve_callee_adjust, !frame_pointer_needed, false); 
@@ -969,15 +998,15 @@ index ef3903757..1923d751f 100644 aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, !frame_pointer_needed, true); } -@@ -8821,7 +8822,6 @@ aarch64_expand_epilogue (bool for_sibcall) +@@ -10170,7 +10171,6 @@ aarch64_expand_epilogue (bool for_sibcall) poly_int64 initial_adjust = frame.initial_adjust; HOST_WIDE_INT callee_adjust = frame.callee_adjust; poly_int64 final_adjust = frame.final_adjust; - poly_int64 callee_offset = frame.callee_offset; poly_int64 sve_callee_adjust = frame.sve_callee_adjust; poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; - unsigned reg1 = frame.wb_candidate1; -@@ -8889,13 +8889,13 @@ aarch64_expand_epilogue (bool for_sibcall) + unsigned reg1 = frame.wb_pop_candidate1; +@@ -10240,9 +10240,9 @@ aarch64_expand_epilogue (bool for_sibcall) /* Restore the vector registers before the predicate registers, so that we can use P4 as a temporary for big-endian SVE frames. */ @@ -989,16 +1018,20 @@ index ef3903757..1923d751f 100644 false, &cfi_ops); if (maybe_ne (sve_callee_adjust, 0)) aarch64_add_sp (NULL_RTX, NULL_RTX, sve_callee_adjust, true); +@@ -10250,7 +10250,7 @@ aarch64_expand_epilogue (bool for_sibcall) + /* When shadow call stack is enabled, the scs_pop in the epilogue will + restore x30, we don't need to restore x30 again in the traditional + way. */ - aarch64_restore_callee_saves (callee_offset - sve_callee_adjust, + aarch64_restore_callee_saves (final_adjust + sve_callee_adjust, - R0_REGNUM, R30_REGNUM, + R0_REGNUM, last_gpr, callee_adjust != 0, &cfi_ops); diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index 5c5f5b738..10d6a2de5 100644 +index 4263d29d29d..fd820b1be4e 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -871,10 +871,6 @@ struct GTY (()) aarch64_frame +@@ -813,10 +813,6 @@ struct GTY (()) aarch64_frame It is zero when no push is used. */ HOST_WIDE_INT callee_adjust; 
@@ -1010,12 +1043,12 @@ index 5c5f5b738..10d6a2de5 100644 SVE registers. */ poly_int64 sve_callee_adjust; -- -2.17.1 +2.39.4 -From 7cf697ed1ecca280ccc5f357c855a692796ee329 Mon Sep 17 00:00:00 2001 +From 8ae9181426f2700c2e5a2909487fa630e6fa406b Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:46 +0100 +Date: Tue, 12 Sep 2023 16:07:15 +0100 Subject: [PATCH 07/19] aarch64: Only calculate chain_offset if there is a chain @@ -1023,17 +1056,17 @@ After previous patches, it is no longer necessary to calculate a chain_offset in cases where there is no chain record. gcc/ - * config/aarch64/aarch64.c (aarch64_expand_prologue): Move the + * config/aarch64/aarch64.cc (aarch64_expand_prologue): Move the calculation of chain_offset into the emit_frame_chain block. --- - gcc/config/aarch64/aarch64.c | 10 +++++----- + gcc/config/aarch64/aarch64.cc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 1923d751f..94403152e 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -8713,16 +8713,16 @@ aarch64_expand_prologue (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 46ae5cf7673..0e9b9717c08 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -10062,16 +10062,16 @@ aarch64_expand_prologue (void) if (callee_adjust != 0) aarch64_push_regs (reg1, reg2, callee_adjust); @@ -1056,12 +1089,12 @@ index 1923d751f..94403152e 100644 { reg1 = R29_REGNUM; -- -2.17.1 +2.39.4 -From 8fdb29e28738ee2ca3aaa329352cf1e2f2fe8b24 Mon Sep 17 00:00:00 2001 +From 375794feb614cee1f41b710b9cc1b6f25da6c1cb Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:46 +0100 +Date: Tue, 12 Sep 2023 16:07:15 +0100 Subject: [PATCH 08/19] aarch64: Rename locals_offset to bytes_above_locals MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
@@ -1093,18 +1126,18 @@ that by renaming locals_offset to bytes_above_locals. gcc/ * config/aarch64/aarch64.h (aarch64_frame::locals_offset): Rename to... (aarch64_frame::bytes_above_locals): ...this. - * config/aarch64/aarch64.c (aarch64_layout_frame) + * config/aarch64/aarch64.cc (aarch64_layout_frame) (aarch64_initial_elimination_offset): Update accordingly. --- - gcc/config/aarch64/aarch64.c | 6 +++--- - gcc/config/aarch64/aarch64.h | 6 +++--- + gcc/config/aarch64/aarch64.cc | 6 +++--- + gcc/config/aarch64/aarch64.h | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 94403152e..c41cf5682 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7335,7 +7335,7 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 0e9b9717c08..0a22f91520e 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8598,7 +8598,7 @@ aarch64_layout_frame (void) STACK_BOUNDARY / BITS_PER_UNIT)); frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; @@ -1113,7 +1146,7 @@ index 94403152e..c41cf5682 100644 frame.initial_adjust = 0; frame.final_adjust = 0; -@@ -11497,13 +11497,13 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) +@@ -12754,13 +12754,13 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) return frame.hard_fp_offset; if (from == FRAME_POINTER_REGNUM) @@ -1130,10 +1163,10 @@ index 94403152e..c41cf5682 100644 return frame.frame_size; diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index 10d6a2de5..7615e95e2 100644 +index fd820b1be4e..7ae12d13e2b 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -849,10 +849,10 @@ struct GTY (()) aarch64_frame +@@ -791,10 +791,10 @@ struct GTY (()) aarch64_frame always a multiple of STACK_BOUNDARY. */ poly_int64 bytes_below_hard_fp; 
@@ -1148,12 +1181,12 @@ index 10d6a2de5..7615e95e2 100644 /* Offset from the base of the frame (incomming SP) to the hard_frame_pointer. This value is always a multiple of -- -2.17.1 +2.39.4 -From bc36b36ed615bc2671e7239cd61e4aa37fd38976 Mon Sep 17 00:00:00 2001 +From 1a9ea1c45c75615ffbfabe652b3598a1d7be2168 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:47 +0100 +Date: Tue, 12 Sep 2023 16:07:16 +0100 Subject: [PATCH 09/19] aarch64: Rename hard_fp_offset to bytes_above_hard_fp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1174,19 +1207,19 @@ gcc/ * config/aarch64/aarch64.h (aarch64_frame::hard_fp_offset): Rename to... (aarch64_frame::bytes_above_hard_fp): ...this. - * config/aarch64/aarch64.c (aarch64_layout_frame) + * config/aarch64/aarch64.cc (aarch64_layout_frame) (aarch64_expand_prologue): Update accordingly. (aarch64_initial_elimination_offset): Likewise. --- - gcc/config/aarch64/aarch64.c | 26 +++++++++++++------------- - gcc/config/aarch64/aarch64.h | 6 +++--- + gcc/config/aarch64/aarch64.cc | 26 +++++++++++++------------- + gcc/config/aarch64/aarch64.h | 6 +++--- 2 files changed, 16 insertions(+), 16 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index c41cf5682..04c5f417d 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7327,7 +7327,7 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 0a22f91520e..95499ae49ba 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8590,7 +8590,7 @@ aarch64_layout_frame (void) + get_frame_size (), STACK_BOUNDARY / BITS_PER_UNIT); 
@@ -1195,8 +1228,8 @@ index c41cf5682..04c5f417d 100644 = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; /* Both these values are already aligned. */ -@@ -7348,13 +7348,13 @@ aarch64_layout_frame (void) - else if (frame.wb_candidate1 != INVALID_REGNUM) +@@ -8639,13 +8639,13 @@ aarch64_layout_frame (void) + else if (frame.wb_pop_candidate1 != INVALID_REGNUM) max_push_offset = 256; - HOST_WIDE_INT const_size, const_below_saved_regs, const_fp_offset; @@ -1211,7 +1244,7 @@ index c41cf5682..04c5f417d 100644 { /* Simple, small frame with no data below the saved registers. -@@ -7371,8 +7371,8 @@ aarch64_layout_frame (void) +@@ -8662,8 +8662,8 @@ aarch64_layout_frame (void) case that it hardly seems worth the effort though. */ && (!saves_below_hard_fp_p || const_below_saved_regs == 0) && !(cfun->calls_alloca @@ -1222,7 +1255,7 @@ index c41cf5682..04c5f417d 100644 { /* Frame with small area below the saved registers: -@@ -7390,12 +7390,12 @@ aarch64_layout_frame (void) +@@ -8681,12 +8681,12 @@ aarch64_layout_frame (void) sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size save SVE registers relative to SP sub sp, sp, bytes_below_saved_regs */ @@ -1238,7 +1271,7 @@ index c41cf5682..04c5f417d 100644 { /* Frame with large area below the saved registers, or with SVE saves, but with a small area above: -@@ -7405,7 +7405,7 @@ aarch64_layout_frame (void) +@@ -8696,7 +8696,7 @@ aarch64_layout_frame (void) [sub sp, sp, below_hard_fp_saved_regs_size] [save SVE registers relative to SP] sub sp, sp, bytes_below_saved_regs */ @@ -1247,7 +1280,7 @@ index c41cf5682..04c5f417d 100644 frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; frame.final_adjust = frame.bytes_below_saved_regs; } -@@ -7420,7 +7420,7 @@ aarch64_layout_frame (void) +@@ -8711,7 +8711,7 @@ aarch64_layout_frame (void) [sub sp, sp, below_hard_fp_saved_regs_size] [save SVE registers relative to SP] sub sp, sp, bytes_below_saved_regs */ 
@@ -1256,7 +1289,7 @@ index c41cf5682..04c5f417d 100644 frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; frame.final_adjust = frame.bytes_below_saved_regs; } -@@ -8720,7 +8720,7 @@ aarch64_expand_prologue (void) +@@ -10069,7 +10069,7 @@ aarch64_expand_prologue (void) { /* The offset of the frame chain record (if any) from the current SP. */ poly_int64 chain_offset = (initial_adjust + callee_adjust @@ -1265,7 +1298,7 @@ index c41cf5682..04c5f417d 100644 gcc_assert (known_ge (chain_offset, 0)); if (callee_adjust == 0) -@@ -11494,10 +11494,10 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) +@@ -12751,10 +12751,10 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) if (to == HARD_FRAME_POINTER_REGNUM) { if (from == ARG_POINTER_REGNUM) @@ -1279,10 +1312,10 @@ index c41cf5682..04c5f417d 100644 if (to == STACK_POINTER_REGNUM) diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index 7615e95e2..f1157c391 100644 +index 7ae12d13e2b..3808f49e9ca 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -854,10 +854,10 @@ struct GTY (()) aarch64_frame +@@ -796,10 +796,10 @@ struct GTY (()) aarch64_frame STACK_BOUNDARY. */ poly_int64 bytes_above_locals; @@ -1297,12 +1330,12 @@ index 7615e95e2..f1157c391 100644 /* The size of the frame. This value is the offset from base of the frame (incomming SP) to the stack_pointer. This value is always -- -2.17.1 +2.39.4 -From 04f77be1650925ac080e283cb1a1051ecfc1a54c Mon Sep 17 00:00:00 2001 +From d202ce1ecf60a36a3e1009917dd76109248ce9be Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:47 +0100 +Date: Tue, 12 Sep 2023 16:07:16 +0100 Subject: [PATCH 10/19] aarch64: Tweak frame_size comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1318,10 +1351,10 @@ gcc/ 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index f1157c391..8f84f66ad 100644 +index 3808f49e9ca..108a5731b0d 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -859,8 +859,8 @@ struct GTY (()) aarch64_frame +@@ -801,8 +801,8 @@ struct GTY (()) aarch64_frame STACK_BOUNDARY. */ poly_int64 bytes_above_hard_fp; @@ -1333,12 +1366,12 @@ index f1157c391..8f84f66ad 100644 poly_int64 frame_size; -- -2.17.1 +2.39.4 -From 908f0d4682e6d0cbf8c3e090885e13b41bb1484b Mon Sep 17 00:00:00 2001 +From f2b585375205b0a1802d79c682ba33766ecd1f0f Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:48 +0100 +Date: Tue, 12 Sep 2023 16:07:17 +0100 Subject: [PATCH 11/19] aarch64: Measure reg_offset from the bottom of the frame @@ -1356,7 +1389,7 @@ in its own right. gcc/ * config/aarch64/aarch64.h (aarch64_frame): Add comment above reg_offset. - * config/aarch64/aarch64.c (aarch64_layout_frame): Walk offsets + * config/aarch64/aarch64.cc (aarch64_layout_frame): Walk offsets from the bottom of the frame, rather than the bottom of the saved register area. Measure reg_offset from the bottom of the frame rather than the bottom of the saved register area. 
@@ -1365,15 +1398,15 @@ gcc/ (aarch64_get_separate_components): Likewise. (aarch64_process_components): Likewise. --- - gcc/config/aarch64/aarch64.c | 53 ++++++++++++++++-------------------- - gcc/config/aarch64/aarch64.h | 3 ++ + gcc/config/aarch64/aarch64.cc | 53 ++++++++++++++++------------------- + gcc/config/aarch64/aarch64.h | 3 ++ 2 files changed, 27 insertions(+), 29 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 04c5f417d..6322f5873 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7137,7 +7137,6 @@ aarch64_needs_frame_chain (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 95499ae49ba..af99807ef8a 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8400,7 +8400,6 @@ aarch64_needs_frame_chain (void) static void aarch64_layout_frame (void) { @@ -1381,7 +1414,7 @@ index 04c5f417d..6322f5873 100644 int regno, last_fp_reg = INVALID_REGNUM; machine_mode vector_save_mode = aarch64_reg_save_mode (V8_REGNUM); poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); -@@ -7215,7 +7214,9 @@ aarch64_layout_frame (void) +@@ -8478,7 +8477,9 @@ aarch64_layout_frame (void) gcc_assert (crtl->is_leaf || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); @@ -1392,7 +1425,7 @@ index 04c5f417d..6322f5873 100644 /* Now assign stack slots for the registers. Start with the predicate registers, since predicate LDR and STR have a relatively small -@@ -7227,7 +7228,8 @@ aarch64_layout_frame (void) +@@ -8490,7 +8491,8 @@ aarch64_layout_frame (void) offset += BYTES_PER_SVE_PRED; } 
@@ -1402,7 +1435,7 @@ index 04c5f417d..6322f5873 100644 { /* If we have any vector registers to save above the predicate registers, the offset of the vector register save slots need to be a multiple -@@ -7245,10 +7247,10 @@ aarch64_layout_frame (void) +@@ -8508,10 +8510,10 @@ aarch64_layout_frame (void) offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); else { @@ -1417,7 +1450,7 @@ index 04c5f417d..6322f5873 100644 else gcc_unreachable (); } -@@ -7265,9 +7267,10 @@ aarch64_layout_frame (void) +@@ -8528,9 +8530,10 @@ aarch64_layout_frame (void) /* OFFSET is now the offset of the hard frame pointer from the bottom of the callee save area. */ @@ -1431,7 +1464,7 @@ index 04c5f417d..6322f5873 100644 if (frame.emit_frame_chain) { /* FP and LR are placed in the linkage record. */ -@@ -7318,9 +7321,10 @@ aarch64_layout_frame (void) +@@ -8581,9 +8584,10 @@ aarch64_layout_frame (void) offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); @@ -1444,7 +1477,7 @@ index 04c5f417d..6322f5873 100644 poly_int64 saved_regs_and_above = aligned_upper_bound (varargs_and_saved_regs_size -@@ -7760,9 +7764,7 @@ aarch64_save_callee_saves (poly_int64 bytes_below_sp, +@@ -9105,9 +9109,7 @@ aarch64_save_callee_saves (poly_int64 bytes_below_sp, machine_mode mode = aarch64_reg_save_mode (regno); reg = gen_rtx_REG (mode, regno); @@ -1455,7 +1488,7 @@ index 04c5f417d..6322f5873 100644 rtx base_rtx = stack_pointer_rtx; poly_int64 sp_offset = offset; -@@ -7869,9 +7871,7 @@ aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, +@@ -9214,9 +9216,7 @@ aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, machine_mode mode = aarch64_reg_save_mode (regno); reg = gen_rtx_REG (mode, regno); 
@@ -1466,7 +1499,7 @@ index 04c5f417d..6322f5873 100644 rtx base_rtx = stack_pointer_rtx; if (mode == VNx2DImode && BYTES_BIG_ENDIAN) aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, -@@ -8010,14 +8010,12 @@ aarch64_get_separate_components (void) +@@ -9355,14 +9355,12 @@ aarch64_get_separate_components (void) it as a stack probe for -fstack-clash-protection. */ if (flag_stack_clash_protection && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) @@ -1483,7 +1516,7 @@ index 04c5f417d..6322f5873 100644 /* Check that we can access the stack slot of the register with one direct load with no adjustments needed. */ -@@ -8164,9 +8162,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) +@@ -9509,9 +9507,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) rtx reg = gen_rtx_REG (mode, regno); poly_int64 offset = frame.reg_offset[regno]; if (frame_pointer_needed) @@ -1494,7 +1527,7 @@ index 04c5f417d..6322f5873 100644 rtx addr = plus_constant (Pmode, ptr_reg, offset); rtx mem = gen_frame_mem (mode, addr); -@@ -8218,9 +8214,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) +@@ -9563,9 +9559,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) /* REGNO2 can be saved/restored in a pair with REGNO. */ rtx reg2 = gen_rtx_REG (mode, regno2); if (frame_pointer_needed) @@ -1505,7 +1538,7 @@ index 04c5f417d..6322f5873 100644 rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); rtx mem2 = gen_frame_mem (mode, addr2); rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2) -@@ -8336,7 +8330,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +@@ -9681,7 +9675,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, if (final_adjustment_p && known_eq (frame.below_hard_fp_saved_regs_size, 0)) { @@ -1516,10 +1549,10 @@ index 04c5f417d..6322f5873 100644 min_probe_threshold -= lr_offset.to_constant (); else 
diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index 8f84f66ad..beef542d7 100644 +index 108a5731b0d..c8becb098c8 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -824,6 +824,9 @@ extern enum aarch64_processor aarch64_tune; +@@ -766,6 +766,9 @@ extern enum aarch64_processor aarch64_tune; #ifdef HAVE_POLY_INT_H struct GTY (()) aarch64_frame { @@ -1530,12 +1563,12 @@ index 8f84f66ad..beef542d7 100644 /* The number of extra stack bytes taken up by register varargs. -- -2.17.1 +2.39.4 -From 6b1fdbe7f3771e7e2c9a37332e1a2146a113b539 Mon Sep 17 00:00:00 2001 +From 79faabda181d0d9fd29a3cf5726ba65bdee945b5 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:48 +0100 +Date: Tue, 12 Sep 2023 16:07:17 +0100 Subject: [PATCH 12/19] aarch64: Simplify top of frame allocation After previous patches, it no longer really makes sense to allocate @@ -1543,17 +1576,17 @@ the top of the frame in terms of varargs_and_saved_regs_size and saved_regs_and_above. gcc/ - * config/aarch64/aarch64.c (aarch64_layout_frame): Simplify + * config/aarch64/aarch64.cc (aarch64_layout_frame): Simplify the allocation of the top of the frame. --- - gcc/config/aarch64/aarch64.c | 23 ++++++++--------------- + gcc/config/aarch64/aarch64.cc | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 6322f5873..b4c1006e6 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7323,23 +7323,16 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index af99807ef8a..31b00094c2a 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8586,23 +8586,16 @@ aarch64_layout_frame (void) frame.saved_regs_size = offset - frame.bytes_below_saved_regs; 
@@ -1586,12 +1619,12 @@ index 6322f5873..b4c1006e6 100644 frame.initial_adjust = 0; frame.final_adjust = 0; -- -2.17.1 +2.39.4 -From 9ddd52ddd2427a2a69309bde19d175b4362e26da Mon Sep 17 00:00:00 2001 +From 4e62049e403b141e6f916176160dac8cbd65fe47 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:49 +0100 +Date: Tue, 12 Sep 2023 16:07:18 +0100 Subject: [PATCH 13/19] aarch64: Minor initial adjustment tweak This patch just changes a calculation of initial_adjust @@ -1599,18 +1632,18 @@ to one that makes it slightly more obvious that the total adjustment is frame.frame_size. gcc/ - * config/aarch64/aarch64.c (aarch64_layout_frame): Tweak + * config/aarch64/aarch64.cc (aarch64_layout_frame): Tweak calculation of initial_adjust for frames in which all saves are SVE saves. --- - gcc/config/aarch64/aarch64.c | 5 ++--- + gcc/config/aarch64/aarch64.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index b4c1006e6..3f4716897 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7384,11 +7384,10 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 31b00094c2a..1aa79da0673 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8675,11 +8675,10 @@ aarch64_layout_frame (void) { /* Frame in which all saves are SVE saves: @@ -1625,12 +1658,12 @@ index b4c1006e6..3f4716897 100644 } else if (frame.bytes_above_hard_fp.is_constant (&const_above_fp) -- -2.17.1 +2.39.4 -From 0d013411f079b578e45e7ef466ea4e3ad7287015 Mon Sep 17 00:00:00 2001 +From aaa1a0a5912d9e5d571e5f1c6f09ceac99544ab5 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:49 +0100 +Date: Tue, 12 Sep 2023 16:07:18 +0100 Subject: [PATCH 14/19] aarch64: Tweak stack clash boundary condition The AArch64 ABI says that, when stack clash protection is used, 
@@ -1660,23 +1693,23 @@ as required. Continuing to probe allocations of exactly 1KiB would complicate later patches. gcc/ - * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space): + * config/aarch64/aarch64.cc (aarch64_allocate_and_probe_stack_space): Don't probe final allocations that are exactly 1KiB in size (after unprobed space above the final allocation has been deducted). gcc/testsuite/ * gcc.target/aarch64/stack-check-prologue-17.c: New test. --- - gcc/config/aarch64/aarch64.c | 4 +- + gcc/config/aarch64/aarch64.cc | 4 +- .../aarch64/stack-check-prologue-17.c | 55 +++++++++++++++++++ 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 3f4716897..d9cf978b0 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -8303,9 +8303,11 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 1aa79da0673..5cad847977a 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9648,9 +9648,11 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, HOST_WIDE_INT guard_size = 1 << param_stack_clash_protection_guard_size; HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; @@ -1691,7 +1724,7 @@ index 3f4716897..d9cf978b0 100644 account any unprobed space there is above the current SP. There are diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c new file mode 100644 -index 000000000..0d8a25d73 +index 00000000000..0d8a25d73a2 --- /dev/null +++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c @@ -0,0 +1,55 @@ 
@@ -1751,12 +1784,12 @@ index 000000000..0d8a25d73 + return 1; +} -- -2.17.1 +2.39.4 -From 5fc70b2d3b0425076ef69ff18afc9556ae1dd8d0 Mon Sep 17 00:00:00 2001 +From 8433953434a7b58c0923140d39eb3c5988c1d097 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:49 +0100 +Date: Tue, 12 Sep 2023 16:07:19 +0100 Subject: [PATCH 15/19] aarch64: Put LR save probe in first 16 bytes -fstack-clash-protection uses the save of LR as a probe for the next 
@@ -1795,31 +1828,41 @@ which allocates guard page size + 64 consecutive unprobed bytes. This patch requires the LR probe to be in the first 16 bytes of the save area when stack clash protection is active. Doing it -unconditionally would cause code-quality regressions, but a later -patch deals with that. +unconditionally would cause code-quality regressions. + +Putting LR before other registers prevents push/pop allocation +when shadow call stacks are enabled, since LR is restored +separately from the other callee-saved registers. The new comment doesn't say that the probe register is required to be LR, since a later patch removes that restriction. gcc/ - * config/aarch64/aarch64.c (aarch64_layout_frame): Ensure that + * config/aarch64/aarch64.cc (aarch64_layout_frame): Ensure that the LR save slot is in the first 16 bytes of the register save area. + Only form STP/LDP push/pop candidates if both registers are valid. (aarch64_allocate_and_probe_stack_space): Remove workaround for when LR was not in the first 16 bytes. gcc/testsuite/ * gcc.target/aarch64/stack-check-prologue-18.c: New test. + * gcc.target/aarch64/stack-check-prologue-19.c: Likewise. + * gcc.target/aarch64/stack-check-prologue-20.c: Likewise. 
--- - gcc/config/aarch64/aarch64.c | 61 ++++------- + gcc/config/aarch64/aarch64.cc | 72 ++++++------- .../aarch64/stack-check-prologue-18.c | 100 ++++++++++++++++++ - 2 files changed, 123 insertions(+), 38 deletions(-) + .../aarch64/stack-check-prologue-19.c | 100 ++++++++++++++++++ + .../aarch64/stack-check-prologue-20.c | 3 + + 4 files changed, 233 insertions(+), 42 deletions(-) create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c - -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index d9cf978b0..aa8763662 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7271,26 +7271,34 @@ aarch64_layout_frame (void) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 5cad847977a..a765f92329d 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8534,26 +8534,34 @@ aarch64_layout_frame (void) bool saves_below_hard_fp_p = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); frame.bytes_below_hard_fp = offset; @@ -1827,10 +1870,10 @@ index d9cf978b0..aa8763662 100644 + auto allocate_gpr_slot = [&](unsigned int regno) + { + frame.reg_offset[regno] = offset; -+ if (frame.wb_candidate1 == INVALID_REGNUM) -+ frame.wb_candidate1 = regno; -+ else if (frame.wb_candidate2 == INVALID_REGNUM) -+ frame.wb_candidate2 = regno; ++ if (frame.wb_push_candidate1 == INVALID_REGNUM) ++ frame.wb_push_candidate1 = regno; ++ else if (frame.wb_push_candidate2 == INVALID_REGNUM) ++ frame.wb_push_candidate2 = regno; + offset += UNITS_PER_WORD; + }; + 
@@ -1838,9 +1881,9 @@ index d9cf978b0..aa8763662 100644 { /* FP and LR are placed in the linkage record. */ - frame.reg_offset[R29_REGNUM] = offset; -- frame.wb_candidate1 = R29_REGNUM; +- frame.wb_push_candidate1 = R29_REGNUM; - frame.reg_offset[R30_REGNUM] = offset + UNITS_PER_WORD; -- frame.wb_candidate2 = R30_REGNUM; +- frame.wb_push_candidate2 = R30_REGNUM; - offset += 2 * UNITS_PER_WORD; + allocate_gpr_slot (R29_REGNUM); + allocate_gpr_slot (R30_REGNUM); 
@@ -1857,17 +1900,35 @@ index d9cf978b0..aa8763662 100644 if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) - { - frame.reg_offset[regno] = offset; -- if (frame.wb_candidate1 == INVALID_REGNUM) -- frame.wb_candidate1 = regno; -- else if (frame.wb_candidate2 == INVALID_REGNUM) -- frame.wb_candidate2 = regno; +- if (frame.wb_push_candidate1 == INVALID_REGNUM) +- frame.wb_push_candidate1 = regno; +- else if (frame.wb_push_candidate2 == INVALID_REGNUM) +- frame.wb_push_candidate2 = regno; - offset += UNITS_PER_WORD; - } + allocate_gpr_slot (regno); poly_int64 max_int_offset = offset; offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); -@@ -8309,29 +8317,6 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +@@ -8631,10 +8639,13 @@ aarch64_layout_frame (void) + max_push_offset to 0, because no registers are popped at this time, + so callee_adjust cannot be adjusted. */ + HOST_WIDE_INT max_push_offset = 0; +- if (frame.wb_pop_candidate2 != INVALID_REGNUM) +- max_push_offset = 512; +- else if (frame.wb_pop_candidate1 != INVALID_REGNUM) +- max_push_offset = 256; ++ if (frame.wb_pop_candidate1 != INVALID_REGNUM) ++ { ++ if (frame.wb_pop_candidate2 != INVALID_REGNUM) ++ max_push_offset = 512; ++ else ++ max_push_offset = 256; ++ } + + HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; +@@ -9654,29 +9665,6 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, = (final_adjustment_p ? guard_used_by_caller + byte_sp_alignment : guard_size - guard_used_by_caller); 
@@ -1897,7 +1958,7 @@ index d9cf978b0..aa8763662 100644 poly_int64 frame_size = frame.frame_size; /* We should always have a positive probe threshold. */ -@@ -8511,8 +8496,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +@@ -9856,8 +9844,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, if (final_adjustment_p && rounded_size != 0) min_probe_threshold = 0; /* If doing a small final adjustment, we always probe at offset 0. @@ -1910,7 +1971,7 @@ index d9cf978b0..aa8763662 100644 diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c new file mode 100644 -index 000000000..82447d20f +index 00000000000..82447d20fff --- /dev/null +++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c @@ -0,0 +1,100 @@ 
@@ -2014,13 +2075,128 @@ index 000000000..82447d20f + g(); + return 1; +} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +new file mode 100644 +index 00000000000..73ac3e4e4eb +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +@@ -0,0 +1,100 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12 -fsanitize=shadow-call-stack -ffixed-x18" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #4064 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++** str x26, \[sp, #?4128\] ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... 
++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test3: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test3(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c +new file mode 100644 +index 00000000000..690aae8dfd5 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-20.c +@@ -0,0 +1,3 @@ ++/* { dg-options "-O2 -fstack-protector-all -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12 -fsanitize=shadow-call-stack -ffixed-x18" } */ ++ ++#include "stack-check-prologue-19.c" -- -2.17.1 +2.39.4 -From 24c1410b55c15966311ab39039f5b0aab0a658f7 Mon Sep 17 00:00:00 2001 +From eea1759073e09dd1aefbc9a881601ab1eebfdd18 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:51 +0100 +Date: Tue, 12 Sep 2023 16:07:19 +0100 Subject: [PATCH 16/19] aarch64: Simplify probe of final frame allocation Previous patches ensured that the final frame allocation only needs 
@@ -2031,7 +2207,7 @@ The main motivation for doing this is to simplify the code and remove the number of special cases. gcc/ - * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space): + * config/aarch64/aarch64.cc (aarch64_allocate_and_probe_stack_space): Always probe the residual allocation at offset 1024, asserting that that is in range. @@ -2039,17 +2215,19 @@ gcc/testsuite/ * gcc.target/aarch64/stack-check-prologue-17.c: Expect the probe to be at offset 1024 rather than offset 0. * gcc.target/aarch64/stack-check-prologue-18.c: Likewise. + * gcc.target/aarch64/stack-check-prologue-19.c: Likewise. --- - gcc/config/aarch64/aarch64.c | 12 ++++-------- + gcc/config/aarch64/aarch64.cc | 12 ++++-------- .../gcc.target/aarch64/stack-check-prologue-17.c | 2 +- .../gcc.target/aarch64/stack-check-prologue-18.c | 4 ++-- - 3 files changed, 7 insertions(+), 11 deletions(-) - -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index aa8763662..2a6fddb69 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -8490,16 +8490,12 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + .../gcc.target/aarch64/stack-check-prologue-19.c | 4 ++-- + 4 files changed, 9 insertions(+), 13 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index a765f92329d..37809a306f7 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -9838,16 +9838,12 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, are still safe. */ if (residual) { @@ -2068,7 +2246,7 @@ index aa8763662..2a6fddb69 100644 aarch64_sub_sp (temp1, temp2, residual, frame_related_p); if (residual >= min_probe_threshold) -@@ -8510,8 +8506,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, +@@ -9858,8 +9854,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, HOST_WIDE_INT_PRINT_DEC " bytes, probing will be required." "\n", residual); 
@@ -2080,7 +2258,7 @@ index aa8763662..2a6fddb69 100644 } } diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c -index 0d8a25d73..f0ec13897 100644 +index 0d8a25d73a2..f0ec1389771 100644 --- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c @@ -33,7 +33,7 @@ int test1(int z) { @@ -2093,7 +2271,7 @@ index 0d8a25d73..f0ec13897 100644 ** bl g ** ... diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c -index 82447d20f..6383bec5e 100644 +index 82447d20fff..6383bec5ebc 100644 --- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c @@ -9,7 +9,7 @@ void g(); @@ -2110,17 +2288,39 @@ index 82447d20f..6383bec5e 100644 ** str x30, \[sp\] ** sub sp, sp, #1040 -** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +index 73ac3e4e4eb..562039b5e9b 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-19.c +@@ -9,7 +9,7 @@ void g(); + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #4064 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +@@ -50,7 +50,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] +** str xzr, \[sp, #?1024\] ** cbnz w0, .* ** bl g ** ... -- -2.17.1 +2.39.4 -From d9ea75050b701dd9258822f0de5efb7bfa197ed1 Mon Sep 17 00:00:00 2001 +From 96d85187c3b9c9a7efc2fd698c3d452e80d8aa47 Mon Sep 17 00:00:00 2001 
From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:52 +0100 +Date: Tue, 12 Sep 2023 16:07:20 +0100 Subject: [PATCH 17/19] aarch64: Explicitly record probe registers in frame info @@ -2176,7 +2376,7 @@ The patch also avoids unnecessary probes in sve/pcs/stack_clash_3.c. gcc/ * config/aarch64/aarch64.h (aarch64_frame::sve_save_and_probe) (aarch64_frame::hard_fp_save_and_probe): New fields. - * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize them. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Initialize them. Rather than asserting that a leaf function saves LR, instead assert that a leaf function saves something. (aarch64_get_separate_components): Prevent the chosen probe @@ -2187,16 +2387,16 @@ gcc/ gcc/testsuite/ * gcc.target/aarch64/sve/pcs/stack_clash_3.c: Avoid redundant probes. --- - gcc/config/aarch64/aarch64.c | 68 +++++++++++++++---- + gcc/config/aarch64/aarch64.cc | 68 +++++++++++++++---- gcc/config/aarch64/aarch64.h | 8 +++ .../aarch64/sve/pcs/stack_clash_3.c | 6 +- 3 files changed, 64 insertions(+), 18 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 2a6fddb69..5fb4ef251 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7208,15 +7208,11 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 37809a306f7..6c59c39a639 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8471,15 +8471,11 @@ aarch64_layout_frame (void) && !crtl->abi->clobbers_full_reg_p (regno)) frame.reg_offset[regno] = SLOT_REQUIRED; 
@@ -2213,7 +2413,7 @@ index 2a6fddb69..5fb4ef251 100644 /* Now assign stack slots for the registers. Start with the predicate registers, since predicate LDR and STR have a relatively small -@@ -7224,6 +7220,8 @@ aarch64_layout_frame (void) +@@ -8487,6 +8483,8 @@ aarch64_layout_frame (void) for (regno = P0_REGNUM; regno <= P15_REGNUM; regno++) if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) { @@ -2222,7 +2422,7 @@ index 2a6fddb69..5fb4ef251 100644 frame.reg_offset[regno] = offset; offset += BYTES_PER_SVE_PRED; } -@@ -7261,6 +7259,8 @@ aarch64_layout_frame (void) +@@ -8524,6 +8522,8 @@ aarch64_layout_frame (void) for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) { @@ -2231,7 +2431,7 @@ index 2a6fddb69..5fb4ef251 100644 frame.reg_offset[regno] = offset; offset += vector_save_size; } -@@ -7270,10 +7270,18 @@ aarch64_layout_frame (void) +@@ -8533,10 +8533,18 @@ aarch64_layout_frame (void) frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; bool saves_below_hard_fp_p = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); @@ -2248,9 +2448,9 @@ index 2a6fddb69..5fb4ef251 100644 + if (frame.hard_fp_save_and_probe == INVALID_REGNUM) + frame.hard_fp_save_and_probe = regno; frame.reg_offset[regno] = offset; - if (frame.wb_candidate1 == INVALID_REGNUM) - frame.wb_candidate1 = regno; -@@ -7307,6 +7315,8 @@ aarch64_layout_frame (void) + if (frame.wb_push_candidate1 == INVALID_REGNUM) + frame.wb_push_candidate1 = regno; +@@ -8570,6 +8578,8 @@ aarch64_layout_frame (void) for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) { 
@@ -2259,7 +2459,7 @@ index 2a6fddb69..5fb4ef251 100644 /* If there is an alignment gap between integer and fp callee-saves, allocate the last fp register to it if possible. */ if (regno == last_fp_reg -@@ -7330,6 +7340,17 @@ aarch64_layout_frame (void) +@@ -8593,6 +8603,17 @@ aarch64_layout_frame (void) offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); frame.saved_regs_size = offset - frame.bytes_below_saved_regs; @@ -2277,7 +2477,7 @@ index 2a6fddb69..5fb4ef251 100644 offset += get_frame_size (); offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); -@@ -7429,6 +7450,25 @@ aarch64_layout_frame (void) +@@ -8723,6 +8744,25 @@ aarch64_layout_frame (void) frame.final_adjust = frame.bytes_below_saved_regs; } @@ -2303,7 +2503,7 @@ index 2a6fddb69..5fb4ef251 100644 /* Make sure the individual adjustments add up to the full frame size. */ gcc_assert (known_eq (frame.initial_adjust + frame.callee_adjust -@@ -8006,13 +8046,6 @@ aarch64_get_separate_components (void) +@@ -9354,13 +9394,6 @@ aarch64_get_separate_components (void) poly_int64 offset = frame.reg_offset[regno]; @@ -2317,7 +2517,7 @@ index 2a6fddb69..5fb4ef251 100644 /* Get the offset relative to the register we'll use. */ if (frame_pointer_needed) offset -= frame.bytes_below_hard_fp; -@@ -8047,6 +8080,13 @@ aarch64_get_separate_components (void) +@@ -9395,6 +9428,13 @@ aarch64_get_separate_components (void) bitmap_clear_bit (components, LR_REGNUM); bitmap_clear_bit (components, SP_REGNUM); @@ -2331,7 +2531,7 @@ index 2a6fddb69..5fb4ef251 100644 return components; } -@@ -8583,8 +8623,8 @@ aarch64_epilogue_uses (int regno) +@@ -9931,8 +9971,8 @@ aarch64_epilogue_uses (int regno) When probing is needed, we emit a probe at the start of the prologue and every PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE bytes thereafter. 
@@ -2343,10 +2543,10 @@ index 2a6fddb69..5fb4ef251 100644 For outgoing arguments we probe if the size is larger than 1KB, such that the ABI specified buffer is maintained for the next callee. diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index beef542d7..8f6f44992 100644 +index c8becb098c8..fbfb73545ba 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -909,6 +909,14 @@ struct GTY (()) aarch64_frame +@@ -863,6 +863,14 @@ struct GTY (()) aarch64_frame This is the register they should use. */ unsigned spare_pred_reg; @@ -2359,10 +2559,10 @@ index beef542d7..8f6f44992 100644 + unsigned hard_fp_save_and_probe; + bool laid_out; - }; + /* True if shadow call stack should be enabled for the current function. */ diff --git a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c -index 3e01ec36c..3530a0d50 100644 +index 3e01ec36c3a..3530a0d504b 100644 --- a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c +++ b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c @@ -11,11 +11,10 @@ @@ -2394,12 +2594,12 @@ index 3e01ec36c..3530a0d50 100644 ** ldr x24, \[sp\], 32 ** ret -- -2.17.1 +2.39.4 -From a302261309a560c4dfd43d1bc0550901df66ad32 Mon Sep 17 00:00:00 2001 +From 56df065080950bb30dda9c260f71be54269bdda5 Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:52 +0100 +Date: Tue, 12 Sep 2023 16:07:20 +0100 Subject: [PATCH 18/19] aarch64: Remove below_hard_fp_saved_regs_size After previous patches, it's no longer necessary to store 
@@ -2410,17 +2610,17 @@ reference points. gcc/ * config/aarch64/aarch64.h (aarch64_frame::saved_regs_size) (aarch64_frame::below_hard_fp_saved_regs_size): Delete. - * config/aarch64/aarch64.c (aarch64_layout_frame): Update accordingly. + * config/aarch64/aarch64.cc (aarch64_layout_frame): Update accordingly. --- - gcc/config/aarch64/aarch64.c | 45 +++++++++++++++++------------------- - gcc/config/aarch64/aarch64.h | 7 ------ + gcc/config/aarch64/aarch64.cc | 45 ++++++++++++++++------------------- + gcc/config/aarch64/aarch64.h | 7 ------ 2 files changed, 21 insertions(+), 31 deletions(-) -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index 5fb4ef251..dd1d894f4 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7267,9 +7267,8 @@ aarch64_layout_frame (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index 6c59c39a639..b95e805a8cc 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8530,9 +8530,8 @@ aarch64_layout_frame (void) /* OFFSET is now the offset of the hard frame pointer from the bottom of the callee save area. */ @@ -2432,7 +2632,7 @@ index 5fb4ef251..dd1d894f4 100644 gcc_assert (!saves_below_hard_fp_p || (frame.sve_save_and_probe != INVALID_REGNUM && known_eq (frame.reg_offset[frame.sve_save_and_probe], -@@ -7339,9 +7338,8 @@ aarch64_layout_frame (void) +@@ -8602,9 +8601,8 @@ aarch64_layout_frame (void) offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); @@ -2444,7 +2644,7 @@ index 5fb4ef251..dd1d894f4 100644 || (frame.hard_fp_save_and_probe != INVALID_REGNUM && known_eq (frame.reg_offset[frame.hard_fp_save_and_probe], frame.bytes_below_hard_fp))); -@@ -7350,7 +7348,7 @@ aarch64_layout_frame (void) +@@ -8613,7 +8611,7 @@ aarch64_layout_frame (void) The saving of the bottommost register counts as an implicit probe, which allows us to maintain the invariant described in the comment at expand_prologue. */ 
@@ -2453,7 +2653,7 @@ index 5fb4ef251..dd1d894f4 100644 offset += get_frame_size (); offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); -@@ -7376,7 +7374,7 @@ aarch64_layout_frame (void) +@@ -8670,7 +8668,7 @@ aarch64_layout_frame (void) HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; HOST_WIDE_INT const_saved_regs_size; @@ -2462,7 +2662,7 @@ index 5fb4ef251..dd1d894f4 100644 frame.initial_adjust = frame.frame_size; else if (frame.frame_size.is_constant (&const_size) && const_size < max_push_offset -@@ -7389,7 +7387,7 @@ aarch64_layout_frame (void) +@@ -8683,7 +8681,7 @@ aarch64_layout_frame (void) frame.callee_adjust = const_size; } else if (frame.bytes_below_saved_regs.is_constant (&const_below_saved_regs) @@ -2471,7 +2671,7 @@ index 5fb4ef251..dd1d894f4 100644 && const_below_saved_regs + const_saved_regs_size < 512 /* We could handle this case even with data below the saved registers, provided that that data left us with valid offsets -@@ -7408,8 +7406,7 @@ aarch64_layout_frame (void) +@@ -8702,8 +8700,7 @@ aarch64_layout_frame (void) frame.initial_adjust = frame.frame_size; } else if (saves_below_hard_fp_p @@ -2481,7 +2681,7 @@ index 5fb4ef251..dd1d894f4 100644 { /* Frame in which all saves are SVE saves: -@@ -7431,7 +7428,7 @@ aarch64_layout_frame (void) +@@ -8725,7 +8722,7 @@ aarch64_layout_frame (void) [save SVE registers relative to SP] sub sp, sp, bytes_below_saved_regs */ frame.callee_adjust = const_above_fp; @@ -2490,7 +2690,7 @@ index 5fb4ef251..dd1d894f4 100644 frame.final_adjust = frame.bytes_below_saved_regs; } else -@@ -7446,7 +7443,7 @@ aarch64_layout_frame (void) +@@ -8740,7 +8737,7 @@ aarch64_layout_frame (void) [save SVE registers relative to SP] sub sp, sp, bytes_below_saved_regs */ frame.initial_adjust = frame.bytes_above_hard_fp; 
@@ -2499,7 +2699,7 @@ index 5fb4ef251..dd1d894f4 100644 frame.final_adjust = frame.bytes_below_saved_regs; } -@@ -8588,17 +8585,17 @@ aarch64_epilogue_uses (int regno) +@@ -9936,17 +9933,17 @@ aarch64_epilogue_uses (int regno) | local variables | <-- frame_pointer_rtx | | +-------------------------------+ @@ -2529,10 +2729,10 @@ index 5fb4ef251..dd1d894f4 100644 | dynamic allocation | +-------------------------------+ diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h -index 8f6f44992..e408af22e 100644 +index fbfb73545ba..cfeaf4657ab 100644 --- a/gcc/config/aarch64/aarch64.h +++ b/gcc/config/aarch64/aarch64.h -@@ -835,18 +835,11 @@ struct GTY (()) aarch64_frame +@@ -777,18 +777,11 @@ struct GTY (()) aarch64_frame STACK_BOUNDARY. */ HOST_WIDE_INT saved_varargs_size; @@ -2552,12 +2752,12 @@ index 8f6f44992..e408af22e 100644 of the outgoing arguments) and the hard frame pointer. This value is always a multiple of STACK_BOUNDARY. */ -- -2.17.1 +2.39.4 -From 8a28201f0697927351c00bd5bc7e7775f074c2a3 Mon Sep 17 00:00:00 2001 +From b96e66fd4ef3e36983969fb8cdd1956f551a074b Mon Sep 17 00:00:00 2001 From: Richard Sandiford -Date: Tue, 12 Sep 2023 16:19:52 +0100 +Date: Tue, 12 Sep 2023 16:07:21 +0100 Subject: [PATCH 19/19] aarch64: Make stack smash canary protect saved registers @@ -2577,7 +2777,7 @@ the saved registers when stack smash protection is active. The patch fixes CVE-2023-4039. gcc/ - * config/aarch64/aarch64.c (aarch64_save_regs_above_locals_p): + * config/aarch64/aarch64.cc (aarch64_save_regs_above_locals_p): New function. (aarch64_layout_frame): Use it to decide whether locals should go above or below the saved registers. 
@@ -2588,18 +2788,18 @@ gcc/testsuite/ * gcc.target/aarch64/stack-protector-8.c: New test. * gcc.target/aarch64/stack-protector-9.c: Likewise. --- - gcc/config/aarch64/aarch64.c | 46 +++++++-- + gcc/config/aarch64/aarch64.cc | 46 +++++++-- .../gcc.target/aarch64/stack-protector-8.c | 95 +++++++++++++++++++ .../gcc.target/aarch64/stack-protector-9.c | 33 +++++++ 3 files changed, 168 insertions(+), 6 deletions(-) create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c -diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c -index dd1d894f4..a97b39421 100644 ---- a/gcc/config/aarch64/aarch64.c -+++ b/gcc/config/aarch64/aarch64.c -@@ -7131,6 +7131,20 @@ aarch64_needs_frame_chain (void) +diff --git a/gcc/config/aarch64/aarch64.cc b/gcc/config/aarch64/aarch64.cc +index b95e805a8cc..389c0e29353 100644 +--- a/gcc/config/aarch64/aarch64.cc ++++ b/gcc/config/aarch64/aarch64.cc +@@ -8394,6 +8394,20 @@ aarch64_needs_frame_chain (void) return aarch64_use_frame_pointer; } @@ -2620,7 +2820,7 @@ index dd1d894f4..a97b39421 100644 /* Mark the registers that need to be saved by the callee and calculate the size of the callee-saved registers area and frame record (both FP and LR may be omitted). */ -@@ -7142,6 +7156,7 @@ aarch64_layout_frame (void) +@@ -8405,6 +8419,7 @@ aarch64_layout_frame (void) poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); bool frame_related_fp_reg_p = false; aarch64_frame &frame = cfun->machine->frame; @@ -2628,7 +2828,7 @@ index dd1d894f4..a97b39421 100644 frame.emit_frame_chain = aarch64_needs_frame_chain (); -@@ -7208,9 +7223,16 @@ aarch64_layout_frame (void) +@@ -8471,9 +8486,16 @@ aarch64_layout_frame (void) && !crtl->abi->clobbers_full_reg_p (regno)) frame.reg_offset[regno] = SLOT_REQUIRED; 
@@ -2645,7 +2845,7 @@ index dd1d894f4..a97b39421 100644 frame.bytes_below_saved_regs = offset; frame.sve_save_and_probe = INVALID_REGNUM; -@@ -7350,15 +7372,18 @@ aarch64_layout_frame (void) +@@ -8613,15 +8635,18 @@ aarch64_layout_frame (void) at expand_prologue. */ gcc_assert (crtl->is_leaf || maybe_ne (saved_regs_size, 0)); @@ -2668,7 +2868,7 @@ index dd1d894f4..a97b39421 100644 frame.bytes_above_locals = frame.frame_size - top_of_locals; frame.initial_adjust = 0; -@@ -8582,10 +8607,10 @@ aarch64_epilogue_uses (int regno) +@@ -9930,10 +9955,10 @@ aarch64_epilogue_uses (int regno) | for register varargs | | | +-------------------------------+ @@ -2681,7 +2881,7 @@ index dd1d894f4..a97b39421 100644 +-------------------------------+ | callee-saved registers | +-------------------------------+ -@@ -8597,6 +8622,10 @@ aarch64_epilogue_uses (int regno) +@@ -9945,6 +9970,10 @@ aarch64_epilogue_uses (int regno) +-------------------------------+ | SVE predicate registers | +-------------------------------+ @@ -2692,7 +2892,7 @@ index dd1d894f4..a97b39421 100644 | dynamic allocation | +-------------------------------+ | padding | -@@ -8606,6 +8635,9 @@ aarch64_epilogue_uses (int regno) +@@ -9954,6 +9983,9 @@ aarch64_epilogue_uses (int regno) +-------------------------------+ | | <-- stack_pointer_rtx (aligned) @@ -2702,7 +2902,7 @@ index dd1d894f4..a97b39421 100644 Dynamic stack allocations via alloca() decrease stack_pointer_rtx but leave frame_pointer_rtx and hard_frame_pointer_rtx unchanged. -@@ -8797,6 +8829,8 @@ aarch64_expand_prologue (void) +@@ -10149,6 +10181,8 @@ aarch64_expand_prologue (void) gcc_assert (known_eq (bytes_below_sp, final_adjust)); aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, !frame_pointer_needed, true); @@ -2713,7 +2913,7 @@ index dd1d894f4..a97b39421 100644 /* Return TRUE if we can use a simple_return insn. 
diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c new file mode 100644 -index 000000000..e71d820e3 +index 00000000000..e71d820e365 --- /dev/null +++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c @@ -0,0 +1,95 @@ @@ -2814,7 +3014,7 @@ index 000000000..e71d820e3 +} diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c new file mode 100644 -index 000000000..58f322aa4 +index 00000000000..58f322aa480 --- /dev/null +++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c @@ -0,0 +1,33 @@ @@ -2852,5 +3052,5 @@ index 000000000..58f322aa4 + return 0; +} -- -2.17.1 +2.39.4 diff --git a/SPECS/gcc/gcc.spec b/SPECS/gcc/gcc.spec index b050745feec..fd22dbf7877 100644 --- a/SPECS/gcc/gcc.spec +++ b/SPECS/gcc/gcc.spec @@ -56,14 +56,14 @@ Summary: Contains the GNU compiler collection Name: gcc Version: 13.2.0 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Azure Linux Group: Development/Tools URL: https://gcc.gnu.org/ Source0: https://ftp.gnu.org/gnu/gcc/%{name}-%{version}/%{name}-%{version}.tar.xz -#Patch0: CVE-2023-4039.patch +Patch0: CVE-2023-4039.patch Patch1: 0011-libsanitizer-Remove-crypt-and-crypt_r-interceptors.patch BuildRequires: gmp-devel @@ -523,6 +523,9 @@ $tests_ok %do_files aarch64-linux-gnu %{build_cross} %changelog +* Fri Jun 21 2024 Andrew Phelps - 13.2.0-7 +- Re-enable CVE-2023-4039.patch and refresh against 13.2.0 source + * Tue Apr 09 2024 Andrew Phelps - 13.2.0-6 - Revert change to baseline architecture for x86-64-v3 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 03d7260f579..7592798b978 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
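Review bot: Nothing in the two gcc.spec hunks shows Patch0 actually being applied: the preamble now declares `Patch0: CVE-2023-4039.patch`, but %prep is outside the diff and is not touched by it. If %prep uses `%autosetup -p1` the declaration alone is enough. If patches are applied one by one, the line for Patch0 was presumably disabled together with the declaration and would need restoring. Otherwise 13.2.0-7 would ship without the stack-protector layout fix that the new changelog entry says is included. Checking the %prep output of an aarch64 build for the patch being applied would settle it.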
@@ -21,15 +21,15 @@ mpfr-4.2.1-1.azl3.aarch64.rpm
 mpfr-devel-4.2.1-1.azl3.aarch64.rpm
 libmetalink-0.1.3-1.azl3.aarch64.rpm
 libmpc-1.3.1-1.azl3.aarch64.rpm
-libgcc-13.2.0-6.azl3.aarch64.rpm
-libgcc-atomic-13.2.0-6.azl3.aarch64.rpm
-libgcc-devel-13.2.0-6.azl3.aarch64.rpm
-libstdc++-13.2.0-6.azl3.aarch64.rpm
-libstdc++-devel-13.2.0-6.azl3.aarch64.rpm
-libgomp-13.2.0-6.azl3.aarch64.rpm
-libgomp-devel-13.2.0-6.azl3.aarch64.rpm
-gcc-13.2.0-6.azl3.aarch64.rpm
-gcc-c++-13.2.0-6.azl3.aarch64.rpm
+libgcc-13.2.0-7.azl3.aarch64.rpm
+libgcc-atomic-13.2.0-7.azl3.aarch64.rpm
+libgcc-devel-13.2.0-7.azl3.aarch64.rpm
+libstdc++-13.2.0-7.azl3.aarch64.rpm
+libstdc++-devel-13.2.0-7.azl3.aarch64.rpm
+libgomp-13.2.0-7.azl3.aarch64.rpm
+libgomp-devel-13.2.0-7.azl3.aarch64.rpm
+gcc-13.2.0-7.azl3.aarch64.rpm
+gcc-c++-13.2.0-7.azl3.aarch64.rpm
 libpkgconf-2.0.2-1.azl3.aarch64.rpm
 pkgconf-2.0.2-1.azl3.aarch64.rpm
 pkgconf-m4-2.0.2-1.azl3.noarch.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index a46cc23d0d3..4aa49e01f1f 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -21,15 +21,15 @@ mpfr-4.2.1-1.azl3.x86_64.rpm
 mpfr-devel-4.2.1-1.azl3.x86_64.rpm
 libmetalink-0.1.3-1.azl3.x86_64.rpm
 libmpc-1.3.1-1.azl3.x86_64.rpm
-libgcc-13.2.0-6.azl3.x86_64.rpm
-libgcc-atomic-13.2.0-6.azl3.x86_64.rpm
-libgcc-devel-13.2.0-6.azl3.x86_64.rpm
-libstdc++-13.2.0-6.azl3.x86_64.rpm
-libstdc++-devel-13.2.0-6.azl3.x86_64.rpm
-libgomp-13.2.0-6.azl3.x86_64.rpm
-libgomp-devel-13.2.0-6.azl3.x86_64.rpm
-gcc-13.2.0-6.azl3.x86_64.rpm
-gcc-c++-13.2.0-6.azl3.x86_64.rpm
+libgcc-13.2.0-7.azl3.x86_64.rpm
+libgcc-atomic-13.2.0-7.azl3.x86_64.rpm
+libgcc-devel-13.2.0-7.azl3.x86_64.rpm
+libstdc++-13.2.0-7.azl3.x86_64.rpm
+libstdc++-devel-13.2.0-7.azl3.x86_64.rpm
+libgomp-13.2.0-7.azl3.x86_64.rpm
+libgomp-devel-13.2.0-7.azl3.x86_64.rpm
+gcc-13.2.0-7.azl3.x86_64.rpm
+gcc-c++-13.2.0-7.azl3.x86_64.rpm
 libpkgconf-2.0.2-1.azl3.x86_64.rpm
 pkgconf-2.0.2-1.azl3.x86_64.rpm
 pkgconf-m4-2.0.2-1.azl3.noarch.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index b8839fb5b94..a8106317dab 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -106,16 +106,16 @@ flex-debuginfo-2.6.4-7.azl3.aarch64.rpm
 flex-devel-2.6.4-7.azl3.aarch64.rpm
 gawk-5.2.2-1.azl3.aarch64.rpm
 gawk-debuginfo-5.2.2-1.azl3.aarch64.rpm
-gcc-13.2.0-6.azl3.aarch64.rpm
-gcc-c++-13.2.0-6.azl3.aarch64.rpm
-gcc-debuginfo-13.2.0-6.azl3.aarch64.rpm
+gcc-13.2.0-7.azl3.aarch64.rpm
+gcc-c++-13.2.0-7.azl3.aarch64.rpm
+gcc-debuginfo-13.2.0-7.azl3.aarch64.rpm
 gdbm-1.23-1.azl3.aarch64.rpm
 gdbm-debuginfo-1.23-1.azl3.aarch64.rpm
 gdbm-devel-1.23-1.azl3.aarch64.rpm
 gdbm-lang-1.23-1.azl3.aarch64.rpm
 gettext-0.22-1.azl3.aarch64.rpm
 gettext-debuginfo-0.22-1.azl3.aarch64.rpm
-gfortran-13.2.0-6.azl3.aarch64.rpm
+gfortran-13.2.0-7.azl3.aarch64.rpm
 glib-2.78.1-4.azl3.aarch64.rpm
 glib-debuginfo-2.78.1-4.azl3.aarch64.rpm
 glib-devel-2.78.1-4.azl3.aarch64.rpm
@@ -166,7 +166,7 @@ libarchive-devel-3.7.1-1.azl3.aarch64.rpm
 libassuan-2.5.6-1.azl3.aarch64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm
 libassuan-devel-2.5.6-1.azl3.aarch64.rpm
-libbacktrace-static-13.2.0-6.azl3.aarch64.rpm
+libbacktrace-static-13.2.0-7.azl3.aarch64.rpm
 libcap-2.69-1.azl3.aarch64.rpm
 libcap-debuginfo-2.69-1.azl3.aarch64.rpm
 libcap-devel-2.69-1.azl3.aarch64.rpm
@@ -176,14 +176,14 @@ libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm
 libffi-3.4.4-1.azl3.aarch64.rpm
 libffi-debuginfo-3.4.4-1.azl3.aarch64.rpm
 libffi-devel-3.4.4-1.azl3.aarch64.rpm
-libgcc-13.2.0-6.azl3.aarch64.rpm
-libgcc-atomic-13.2.0-6.azl3.aarch64.rpm
-libgcc-devel-13.2.0-6.azl3.aarch64.rpm
+libgcc-13.2.0-7.azl3.aarch64.rpm
+libgcc-atomic-13.2.0-7.azl3.aarch64.rpm
+libgcc-devel-13.2.0-7.azl3.aarch64.rpm
 libgcrypt-1.10.2-1.azl3.aarch64.rpm
 libgcrypt-debuginfo-1.10.2-1.azl3.aarch64.rpm
 libgcrypt-devel-1.10.2-1.azl3.aarch64.rpm
-libgomp-13.2.0-6.azl3.aarch64.rpm
-libgomp-devel-13.2.0-6.azl3.aarch64.rpm
+libgomp-13.2.0-7.azl3.aarch64.rpm
+libgomp-devel-13.2.0-7.azl3.aarch64.rpm
 libgpg-error-1.47-1.azl3.aarch64.rpm
 libgpg-error-debuginfo-1.47-1.azl3.aarch64.rpm
 libgpg-error-devel-1.47-1.azl3.aarch64.rpm
@@ -222,8 +222,8 @@ libsolv-tools-0.7.28-1.azl3.aarch64.rpm
 libssh2-1.11.0-1.azl3.aarch64.rpm
 libssh2-debuginfo-1.11.0-1.azl3.aarch64.rpm
 libssh2-devel-1.11.0-1.azl3.aarch64.rpm
-libstdc++-13.2.0-6.azl3.aarch64.rpm
-libstdc++-devel-13.2.0-6.azl3.aarch64.rpm
+libstdc++-13.2.0-7.azl3.aarch64.rpm
+libstdc++-devel-13.2.0-7.azl3.aarch64.rpm
 libtasn1-4.19.0-1.azl3.aarch64.rpm
 libtasn1-debuginfo-4.19.0-1.azl3.aarch64.rpm
 libtasn1-devel-4.19.0-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index a90fa9b2ade..2c87d644722 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -63,7 +63,7 @@ createrepo_c-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
 cross-binutils-common-2.41-2.azl3.noarch.rpm
-cross-gcc-common-13.2.0-6.azl3.noarch.rpm
+cross-gcc-common-13.2.0-7.azl3.noarch.rpm
 curl-8.5.0-1.azl3.x86_64.rpm
 curl-debuginfo-8.5.0-1.azl3.x86_64.rpm
 curl-devel-8.5.0-1.azl3.x86_64.rpm
@@ -109,18 +109,18 @@ flex-debuginfo-2.6.4-7.azl3.x86_64.rpm
 flex-devel-2.6.4-7.azl3.x86_64.rpm
 gawk-5.2.2-1.azl3.x86_64.rpm
 gawk-debuginfo-5.2.2-1.azl3.x86_64.rpm
-gcc-13.2.0-6.azl3.x86_64.rpm
-gcc-aarch64-linux-gnu-13.2.0-6.azl3.x86_64.rpm
-gcc-c++-13.2.0-6.azl3.x86_64.rpm
-gcc-c++-aarch64-linux-gnu-13.2.0-6.azl3.x86_64.rpm
-gcc-debuginfo-13.2.0-6.azl3.x86_64.rpm
+gcc-13.2.0-7.azl3.x86_64.rpm
+gcc-aarch64-linux-gnu-13.2.0-7.azl3.x86_64.rpm
+gcc-c++-13.2.0-7.azl3.x86_64.rpm
+gcc-c++-aarch64-linux-gnu-13.2.0-7.azl3.x86_64.rpm
+gcc-debuginfo-13.2.0-7.azl3.x86_64.rpm
 gdbm-1.23-1.azl3.x86_64.rpm
 gdbm-debuginfo-1.23-1.azl3.x86_64.rpm
 gdbm-devel-1.23-1.azl3.x86_64.rpm
 gdbm-lang-1.23-1.azl3.x86_64.rpm
 gettext-0.22-1.azl3.x86_64.rpm
 gettext-debuginfo-0.22-1.azl3.x86_64.rpm
-gfortran-13.2.0-6.azl3.x86_64.rpm
+gfortran-13.2.0-7.azl3.x86_64.rpm
 glib-2.78.1-4.azl3.x86_64.rpm
 glib-debuginfo-2.78.1-4.azl3.x86_64.rpm
 glib-devel-2.78.1-4.azl3.x86_64.rpm
@@ -172,7 +172,7 @@ libarchive-devel-3.7.1-1.azl3.x86_64.rpm
 libassuan-2.5.6-1.azl3.x86_64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm
 libassuan-devel-2.5.6-1.azl3.x86_64.rpm
-libbacktrace-static-13.2.0-6.azl3.x86_64.rpm
+libbacktrace-static-13.2.0-7.azl3.x86_64.rpm
 libcap-2.69-1.azl3.x86_64.rpm
 libcap-debuginfo-2.69-1.azl3.x86_64.rpm
 libcap-devel-2.69-1.azl3.x86_64.rpm
@@ -182,14 +182,14 @@ libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm
 libffi-3.4.4-1.azl3.x86_64.rpm
 libffi-debuginfo-3.4.4-1.azl3.x86_64.rpm
 libffi-devel-3.4.4-1.azl3.x86_64.rpm
-libgcc-13.2.0-6.azl3.x86_64.rpm
-libgcc-atomic-13.2.0-6.azl3.x86_64.rpm
-libgcc-devel-13.2.0-6.azl3.x86_64.rpm
+libgcc-13.2.0-7.azl3.x86_64.rpm
+libgcc-atomic-13.2.0-7.azl3.x86_64.rpm
+libgcc-devel-13.2.0-7.azl3.x86_64.rpm
 libgcrypt-1.10.2-1.azl3.x86_64.rpm
 libgcrypt-debuginfo-1.10.2-1.azl3.x86_64.rpm
 libgcrypt-devel-1.10.2-1.azl3.x86_64.rpm
-libgomp-13.2.0-6.azl3.x86_64.rpm
-libgomp-devel-13.2.0-6.azl3.x86_64.rpm
+libgomp-13.2.0-7.azl3.x86_64.rpm
+libgomp-devel-13.2.0-7.azl3.x86_64.rpm
 libgpg-error-1.47-1.azl3.x86_64.rpm
 libgpg-error-debuginfo-1.47-1.azl3.x86_64.rpm
 libgpg-error-devel-1.47-1.azl3.x86_64.rpm
@@ -228,8 +228,8 @@ libsolv-tools-0.7.28-1.azl3.x86_64.rpm
 libssh2-1.11.0-1.azl3.x86_64.rpm
 libssh2-debuginfo-1.11.0-1.azl3.x86_64.rpm
 libssh2-devel-1.11.0-1.azl3.x86_64.rpm
-libstdc++-13.2.0-6.azl3.x86_64.rpm
-libstdc++-devel-13.2.0-6.azl3.x86_64.rpm
+libstdc++-13.2.0-7.azl3.x86_64.rpm
+libstdc++-devel-13.2.0-7.azl3.x86_64.rpm
 libtasn1-4.19.0-1.azl3.x86_64.rpm
 libtasn1-debuginfo-4.19.0-1.azl3.x86_64.rpm
 libtasn1-devel-4.19.0-1.azl3.x86_64.rpm
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
index 47ba8bc46e8..5eae03d57bc 100755
--- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
@@ -348,7 +348,7 @@ case $(uname -m) in
 sed -e '/mabi.lp64=/s/lib64/lib/' -i.orig gcc/config/aarch64/t-aarch64-linux
 ;;
 esac
-# TODO: patch -Np1 -i /tools/CVE-2023-4039.patch
+patch -Np1 -i /tools/CVE-2023-4039.patch
 mkdir -v build
 cd build
 LD=ld \
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
index 749ac0c92a8..12aa5442906 100755
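Review bot: The re-enabled `patch -Np1 -i /tools/CVE-2023-4039.patch` in toolchain_build_in_chroot.sh has no visible failure handling, and the identical line in toolchain_build_temp_tools.sh has the same gap. Whether either script runs under `set -e` cannot be seen from the hunks. If they do not, a patch that stops applying after a future source refresh would let the bootstrap GCC build continue without the CVE-2023-4039 fix. Making the step explicitly fatal, `patch -Np1 -i /tools/CVE-2023-4039.patch || exit 1`, removes the dependency on shell options set elsewhere. Both scripts continue outside their hunks.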
--- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
@@ -53,7 +53,7 @@ case $(uname -m) in
 sed -e '/mabi.lp64=/s/lib64/lib/' -i.orig gcc/config/aarch64/t-aarch64-linux
 ;;
 esac
-# TODO: patch -Np1 -i /tools/CVE-2023-4039.patch
+patch -Np1 -i /tools/CVE-2023-4039.patch
 mkdir -v build
 cd build
 ../configure \