28 files changed, 0 insertions, 1829 deletions

diff --git a/meta/recipes-bsp/grub/files/0001-RISC-V-Restore-the-typcast-to-long.patch b/meta/recipes-bsp/grub/files/0001-RISC-V-Restore-the-typcast-to-long.patch
deleted file mode 100644
index cafa711731..0000000000
--- a/meta/recipes-bsp/grub/files/0001-RISC-V-Restore-the-typcast-to-long.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From b47029e8e582d17c6874d2622fe1a5b834377dbb Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Fri, 26 Mar 2021 11:59:43 -0700
-Subject: [PATCH] RISC-V: Restore the typcast to 64bit type
-
-this makes the type promotions clear and explicit
-It was already typecasted to long but was accidentally dropped in [1]
-which stated to cause failures on riscv32 as reported in [2]
-
-[1] https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2bf40e9e5be9808b17852e688eead87acff14420
-[2] https://savannah.gnu.org/bugs/index.php?60283
-
-Upstream-Status: Submitted
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Cc: Andreas Schwab <schwab@suse.de>
-Cc: Daniel Kiper <daniel.kiper@oracle.com>
-Cc: Chester Lin <clin@suse.com>
-Cc: Nikita Ermakov <arei@altlinux.org>
-Cc: Alistair Francis <alistair.francis@wdc.com>
-
----
- util/grub-mkimagexx.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
-index e50b295..2f09255 100644
---- a/util/grub-mkimagexx.c
-+++ b/util/grub-mkimagexx.c
-@@ -1310,7 +1310,7 @@ SUFFIX (relocate_addrs) (Elf_Ehdr *e, struct section_metadata *smd,
-                  */
- 
-                 sym_addr += addend;
--                off = sym_addr - target_section_addr - offset - image_target->vaddr_offset;
-+                off = (grub_int64_t)sym_addr - target_section_addr - offset - image_target->vaddr_offset;
- 
-                 switch (ELF_R_TYPE (info))
-                   {
diff --git a/meta/recipes-bsp/grub/files/0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch b/meta/recipes-bsp/grub/files/0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch
deleted file mode 100644
index 69dec7695a..0000000000
--- a/meta/recipes-bsp/grub/files/0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From a80592e20f6c4b928a22862f52f268ab9d9908b2 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 13 Jan 2016 19:28:00 +0000
-Subject: [PATCH] grub.d/10_linux.in: add oe's kernel name
-
-Our kernel's name is bzImage, we need add it to grub.d/10_linux.in so
-that the grub-mkconfig and grub-install can work correctly.
-
-We only need add the bzImage to util/grub.d/10_linux.in, but also add it
-to util/grub.d/20_linux_xen.in to keep compatibility.
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Upstream-Status: Inappropriate [OE specific]
-
----
- util/grub.d/10_linux.in     | 6 +++---
- util/grub.d/20_linux_xen.in | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
-index cc393be..8545cb6 100644
---- a/util/grub.d/10_linux.in
-+++ b/util/grub.d/10_linux.in
-@@ -166,12 +166,12 @@ machine=`uname -m`
- case "x$machine" in
-     xi?86 | xx86_64)
-        list=
--       for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
-+       for i in /boot/bzImage-* /bzImage-* /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
-            if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi
-        done ;;
--    *) 
-+    *)
-        list=
--       for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
-+       for i in /boot/bzImage-* /boot/vmlinuz-* /boot/vmlinux-* /bzImage-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
-                   if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi
-        done ;;
- esac
-diff --git a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
-index 94dd8be..36cd554 100644
---- a/util/grub.d/20_linux_xen.in
-+++ b/util/grub.d/20_linux_xen.in
-@@ -181,7 +181,7 @@ EOF
- }
- 
- linux_list=
--for i in /boot/vmlinu[xz]-* /vmlinu[xz]-* /boot/kernel-*; do
-+for i in /boot/bzImage[xz]-* /bzImage[xz]-* /boot/vmlinu[xz]-* /vmlinu[xz]-* /boot/kernel-*; do
-     if grub_file_is_not_garbage "$i"; then
-        basename=$(basename $i)
-        version=$(echo $basename | sed -e "s,^[^0-9]*-,,g")
diff --git a/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
deleted file mode 100644
index 0ff6dff33a..0000000000
--- a/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Sat, 15 Jun 2024 02:33:08 +0100
-Subject: [PATCH 1/2] misc: Implement grub_strlcpy()
-
-grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
-returning the length of src and ensuring dest is always NUL
-terminated except when size is 0.
-
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
- 1 file changed, 39 insertions(+)
-
-diff --git a/include/grub/misc.h b/include/grub/misc.h
-index 1578f36c3..14d8f37ac 100644
---- a/include/grub/misc.h
-+++ b/include/grub/misc.h
-@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src)
-   return d - 1;
- }
- 
-+static inline grub_size_t
-+grub_strlcpy (char *dest, const char *src, grub_size_t size)
-+{
-+  char *d = dest;
-+  grub_size_t res = 0;
-+  /*
-+   * We do not subtract one from size here to avoid dealing with underflowing
-+   * the value, which is why to_copy is always checked to be greater than one
-+   * throughout this function.
-+   */
-+  grub_size_t to_copy = size;
-+
-+  /* Copy size - 1 bytes to dest. */
-+  if (to_copy > 1)
-+    while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
-+      ;
-+
-+  /*
-+   * NUL terminate if size != 0. The previous step may have copied a NUL byte
-+   * if it reached the end of the string, but we know dest[size - 1] must always
-+   * be a NUL byte.
-+   */
-+  if (size != 0)
-+    dest[size - 1] = '\0';
-+
-+  /* If there is still space in dest, but are here, we reached the end of src. */
-+  if (to_copy > 1)
-+    return res;
-+
-+  /*
-+   * If we haven't reached the end of the string, iterate through to determine
-+   * the strings total length.
-+   */
-+  while (*src++ != '\0' && ++res)
-+   ;
-+
-+  return res;
-+}
-+
- /* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
- static inline void *
- grub_memcpy (void *dest, const void *src, grub_size_t n)
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45774.patch b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch
deleted file mode 100644
index 55aecc17d7..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45774.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 2c34af908ebf4856051ed29e46d88abd2b20387f Mon Sep 17 00:00:00 2001
-From: Daniel Axtens <dja@axtens.net>
-Date: Fri, 8 Mar 2024 22:47:20 +1100
-Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in
- JPEG
-
-Otherwise a subsequent header could change the height and width
-allowing future OOB writes.
-
-Fixes: CVE-2024-45774
-
-Reported-by: Nils Langius <nils@langius.de>
-Signed-off-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2024-45774
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/video/readers/jpeg.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
-index ae634fd41..631a89356 100644
---- a/grub-core/video/readers/jpeg.c
-+++ b/grub-core/video/readers/jpeg.c
-@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
-   if (grub_errno != GRUB_ERR_NONE)
-     return grub_errno;
- 
-+  if (data->image_height != 0 || data->image_width != 0)
-+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
-+                      "jpeg: cannot have duplicate SOF0 markers");
-+
-   if (grub_jpeg_get_byte (data) != 8)
-     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
-                       "jpeg: only 8-bit precision is supported");
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45775.patch b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch
deleted file mode 100644
index 70492b8c2e..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45775.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 05be856a8c3aae41f5df90cab7796ab7ee34b872 Mon Sep 17 00:00:00 2001
-From: Lidong Chen <lidong.chen@oracle.com>
-Date: Fri, 22 Nov 2024 06:27:55 +0000
-Subject: [PATCH] commands/extcmd: Missing check for failed allocation
-
-The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate
-a grub_arg_list struct but it does not verify the allocation was successful.
-In case of failed allocation the NULL state pointer can be accessed in
-parse_option() through grub_arg_parse() which may lead to a security issue.
-
-Fixes: CVE-2024-45775
-
-Reported-by: Nils Langius <nils@langius.de>
-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
-
-CVE: CVE-2024-45775
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/commands/extcmd.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
-index 90a5ca24a..c236be13a 100644
---- a/grub-core/commands/extcmd.c
-+++ b/grub-core/commands/extcmd.c
-@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
-     }
- 
-   state = grub_arg_list_alloc (ext, argc, args);
-+  if (state == NULL)
-+    return grub_errno;
-+
-   if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
-     {
-       context.state = state;
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45776.patch b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch
deleted file mode 100644
index 8deea958b8..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45776.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001
-From: Lidong Chen <lidong.chen@oracle.com>
-Date: Fri, 22 Nov 2024 06:27:56 +0000
-Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read
-
-Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
-overflow leading to subsequent OOB write or read. This patch fixes the
-issue by replacing grub_zalloc() and explicit multiplication with
-grub_calloc() which does the same thing in safe manner.
-
-Fixes: CVE-2024-45776
-
-Reported-by: Nils Langius <nils@langius.de>
-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
-
-CVE: CVE-2024-45776
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/gettext/gettext.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
-index e4f4f8ee6..63bb1ab73 100644
---- a/grub-core/gettext/gettext.c
-+++ b/grub-core/gettext/gettext.c
-@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
-   for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
-        ctx->grub_gettext_max_log++);
- 
--  ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
--                                           * sizeof (ctx->grub_gettext_msg_list[0]));
-+  ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
-+                                           sizeof (ctx->grub_gettext_msg_list[0]));
-   if (!ctx->grub_gettext_msg_list)
-     {
-       grub_file_close (fd);
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
deleted file mode 100644
index 0305a95fd5..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001
-From: Lidong Chen <lidong.chen@oracle.com>
-Date: Fri, 22 Nov 2024 06:27:57 +0000
-Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
-
-The size calculation of the translation buffer in
-grub_gettext_getstr_from_position() may overflow
-to 0 leading to heap OOB write. This patch fixes
-the issue by using grub_add() and checking for
-an overflow.
-
-Fixes: CVE-2024-45777
-
-Reported-by: Nils Langius <nils@langius.de>
-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
-
-CVE: CVE-2024-45777
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/gettext/gettext.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
-index 63bb1ab73..9ffc73428 100644
---- a/grub-core/gettext/gettext.c
-+++ b/grub-core/gettext/gettext.c
-@@ -26,6 +26,7 @@
- #include <grub/file.h>
- #include <grub/kernel.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
-   char *translation;
-   struct string_descriptor desc;
-   grub_err_t err;
-+  grub_size_t alloc_sz;
- 
-   internal_position = (off + position * sizeof (desc));
- 
-@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
-   length = grub_cpu_to_le32 (desc.length);
-   offset = grub_cpu_to_le32 (desc.offset);
- 
--  translation = grub_malloc (length + 1);
-+  if (grub_add (length, 1, &alloc_sz))
-+    return NULL;
-+
-+  translation = grub_malloc (alloc_sz);
-   if (!translation)
-     return NULL;
- 
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
deleted file mode 100644
index eba013897f..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens <dja@axtens.net>
-Date: Sat, 23 Mar 2024 15:59:43 +1100
-Subject: [PATCH] fs/bfs: Disable under lockdown
-
-The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
-This will also disable the AFS.
-
-Fixes: CVE-2024-45778
-Fixes: CVE-2024-45779
-
-Reported-by: Nils Langius <nils@langius.de>
-Signed-off-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2024-45778
-CVE: CVE-2024-45779
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/fs/bfs.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
-index 022f69fe2..78aeb051f 100644
---- a/grub-core/fs/bfs.c
-+++ b/grub-core/fs/bfs.c
-@@ -30,6 +30,7 @@
- #include <grub/types.h>
- #include <grub/i18n.h>
- #include <grub/fshelp.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -1106,7 +1107,10 @@ GRUB_MOD_INIT (bfs)
- {
-   COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
-                       sizeof (struct grub_bfs_extent));
--  grub_fs_register (&grub_bfs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_bfs_fs);
-+    }
- }
- 
- #ifdef MODE_AFS
-@@ -1115,5 +1119,6 @@ GRUB_MOD_FINI (afs)
- GRUB_MOD_FINI (bfs)
- #endif
- {
--  grub_fs_unregister (&grub_bfs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_bfs_fs);
- }
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
deleted file mode 100644
index 1de0099f94..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001
-From: Lidong Chen <lidong.chen@oracle.com>
-Date: Fri, 22 Nov 2024 06:27:58 +0000
-Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write
-
-Both namesize and linksize are derived from hd.size, a 12-digit octal
-number parsed by read_number(). Later direct arithmetic calculation like
-"namesize + 1" and "linksize + 1" may exceed the maximum value of
-grub_size_t leading to heap OOB write. This patch fixes the issue by
-using grub_add() and checking for an overflow.
-
-Fixes: CVE-2024-45780
-
-Reported-by: Nils Langius <nils@langius.de>
-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
-
-CVE: CVE-2024-45780
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/fs/tar.c | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
-index 646bce5eb..386c09022 100644
---- a/grub-core/fs/tar.c
-+++ b/grub-core/fs/tar.c
-@@ -25,6 +25,7 @@
- #include <grub/mm.h>
- #include <grub/dl.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
- {
-   struct head hd;
-   int reread = 0, have_longname = 0, have_longlink = 0;
-+  grub_size_t sz;
- 
-   data->hofs = data->next_hofs;
- 
-@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
-        {
-          grub_err_t err;
-          grub_size_t namesize = read_number (hd.size, sizeof (hd.size));
--         *name = grub_malloc (namesize + 1);
-+
-+         if (grub_add (namesize, 1, &sz))
-+           return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow"));
-+
-+         *name = grub_malloc (sz);
-          if (*name == NULL)
-            return grub_errno;
-          err = grub_disk_read (data->disk, 0,
-@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
-        {
-          grub_err_t err;
-          grub_size_t linksize = read_number (hd.size, sizeof (hd.size));
--         if (data->linkname_alloc < linksize + 1)
-+
-+         if (grub_add (linksize, 1, &sz))
-+           return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow"));
-+
-+         if (data->linkname_alloc < sz)
-            {
-              char *n;
--             n = grub_calloc (2, linksize + 1);
-+             n = grub_calloc (2, sz);
-              if (!n)
-                return grub_errno;
-              grub_free (data->linkname);
-              data->linkname = n;
--             data->linkname_alloc = 2 * (linksize + 1);
-+             data->linkname_alloc = 2 * (sz);
-            }
- 
-          err = grub_disk_read (data->disk, 0,
-@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
-          while (extra_size < sizeof (hd.prefix)
-                 && hd.prefix[extra_size])
-            extra_size++;
--         *name = grub_malloc (sizeof (hd.name) + extra_size + 2);
-+
-+         if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))
-+           return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow"));
-+         *name = grub_malloc (sz);
-          if (*name == NULL)
-            return grub_errno;
-          if (hd.prefix[0])
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch
deleted file mode 100644
index bd0b6aa04a..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Sun, 12 May 2024 02:03:33 +0100
-Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write
-
-grub_strcpy() was used to copy a symlink name from the filesystem
-image to a heap allocated buffer. This led to a OOB write to adjacent
-heap allocations. Fix by using grub_strlcpy().
-
-Fixes: CVE-2024-45781
-
-Reported-by: B Horn <b@horn.uk>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2024-45781
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/fs/ufs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
-index a354c92d9..01235101b 100644
---- a/grub-core/fs/ufs.c
-+++ b/grub-core/fs/ufs.c
-@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino)
-   /* Check against zero is paylindromic, no need to swap.  */
-   if (data->inode.nblocks == 0
-       && INODE_SIZE (data) <= sizeof (data->inode.symlink))
--    grub_strcpy (symlink, (char *) data->inode.symlink);
-+    grub_strlcpy (symlink, (char *) data->inode.symlink, sz);
-   else
-     {
-       if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0)
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
deleted file mode 100644
index 41cc025b81..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 417547c10410b714e43f08f74137c24015f8f4c3 Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Sun, 12 May 2024 02:48:33 +0100
-Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy()
-
-Replaced with grub_strlcpy().
-
-Fixes: CVE-2024-45782
-Fixes: CVE-2024-56737
-Fixes: https://savannah.gnu.org/bugs/?66599
-
-Reported-by: B Horn <b@horn.uk>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2024-45782
-CVE: CVE-2024-56737
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/fs/hfs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
-index 91dc0e69c..920112b03 100644
---- a/grub-core/fs/hfs.c
-+++ b/grub-core/fs/hfs.c
-@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk)
-      volume name.  */
-   key.parent_dir = grub_cpu_to_be32_compile_time (1);
-   key.strlen = data->sblock.volname[0];
--  grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1));
-+  grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str));
- 
-   if (grub_hfs_find_node (data, (char *) &key, data->cat_root,
-                          0, (char *) &dir, sizeof (dir)) == 0)
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45783.patch b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch
deleted file mode 100644
index 99c769961b..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-45783.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From f7c070a2e28dfab7137db0739fb8db1dc02d8898 Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Sun, 12 May 2024 06:22:51 +0100
-Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails
-
-It was possible for mount to fail but not set grub_errno. This led to
-a possible double decrement of the module reference count if the NULL
-page was mapped.
-
-Fixing in general as a similar bug was fixed in commit 61b13c187
-(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there
-are likely more variants around.
-
-Fixes: CVE-2024-45783
-
-Reported-by: B Horn <b@horn.uk>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2024-45783
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/fs/hfsplus.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
-index 295822f69..de71fd486 100644
---- a/grub-core/fs/hfsplus.c
-+++ b/grub-core/fs/hfsplus.c
-@@ -405,7 +405,7 @@ grub_hfsplus_mount (grub_disk_t disk)
- 
-  fail:
- 
--  if (grub_errno == GRUB_ERR_OUT_OF_RANGE)
-+  if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE)
-     grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem");
- 
-   grub_free (data);
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-56738.patch b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch
deleted file mode 100644
index c7b64aa6ed..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2024-56738.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 4cef2fc7308b2132317ad166939994f098b41561 Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@arm.com>
-Date: Tue, 9 Sep 2025 14:23:14 +0100
-Subject: [PATCH] CVE-2024-56738
-
-Backport an algorithmic change to grub_crypto_memcmp() so that it completes in
-constant time and thus isn't susceptible to side-channel attacks.
-
-This is a partial backport of grub 0739d24cd
-("libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11")
-
-CVE: CVE-2024-56738
-Upstream-Status: Backport [0739d24cd]
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- grub-core/lib/crypto.c | 23 ++++++++++++++++-------
- include/grub/crypto.h  |  2 +-
- 2 files changed, 17 insertions(+), 8 deletions(-)
-
-diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
-index 396f76410..19db7870a 100644
---- a/grub-core/lib/crypto.c
-+++ b/grub-core/lib/crypto.c
-@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in)
-   return GRUB_ACCESS_DENIED;
- }
- 
-+/*
-+ * Compare byte arrays of length LEN, return 1 if it's not same,
-+ * 0, otherwise.
-+ */
- int
--grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
-+grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len)
- {
--  register grub_size_t counter = 0;
--  const grub_uint8_t *pa, *pb;
-+  const grub_uint8_t *a = b1;
-+  const grub_uint8_t *b = b2;
-+  int ab, ba;
-+  grub_size_t i;
- 
--  for (pa = a, pb = b; n; pa++, pb++, n--)
-+  /* Constant-time compare. */
-+  for (i = 0, ab = 0, ba = 0; i < len; i++)
-     {
--      if (*pa != *pb)
--       counter++;
-+      /* If a[i] != b[i], either ab or ba will be negative. */
-+      ab |= a[i] - b[i];
-+      ba |= b[i] - a[i];
-     }
- 
--  return !!counter;
-+  /* 'ab | ba' is negative when buffers are not equal, extract sign bit.  */
-+  return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;
- }
- 
- #ifndef GRUB_UTIL
-diff --git a/include/grub/crypto.h b/include/grub/crypto.h
-index 31c87c302..20ad4c5f7 100644
---- a/include/grub/crypto.h
-+++ b/include/grub/crypto.h
-@@ -393,7 +393,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
-                    grub_uint8_t *DK, grub_size_t dkLen);
- 
- int
--grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
-+grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len);
- 
- int
- grub_password_get (char buf[], unsigned buf_size);
--- 
-2.43.0
-
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
deleted file mode 100644
index 09dbfce5f8..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Fri, 1 Nov 2024 19:24:29 +0000
-Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on
- module unload
-
-If the hooks are not removed they can be called after the module has
-been unloaded leading to an use-after-free.
-
-Fixes: CVE-2025-0622
-
-Reported-by: B Horn <b@horn.uk>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-0622
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/commands/pgp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
-index c6766f044..5fadc33c4 100644
---- a/grub-core/commands/pgp.c
-+++ b/grub-core/commands/pgp.c
-@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)
- 
- GRUB_MOD_FINI(pgp)
- {
-+  grub_register_variable_hook ("check_signatures", NULL, NULL);
-+  grub_env_unset ("check_signatures");
-   grub_verifier_unregister (&grub_pubkey_verifier);
-   grub_unregister_extcmd (cmd);
-   grub_unregister_extcmd (cmd_trust);
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
deleted file mode 100644
index be01da3355..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Fri, 1 Nov 2024 23:46:55 +0000
-Subject: [PATCH 2/3] normal: Remove variables hooks on module unload
-
-The normal module does not entirely cleanup after itself in
-its GRUB_MOD_FINI() leaving a few variables hooks in place.
-It is not possible to unload normal module now but fix the
-issues for completeness.
-
-On the occasion replace 0s with NULLs for "pager" variable
-hooks unregister.
-
-Fixes: CVE-2025-0622
-
-Reported-by: B Horn <b@horn.uk>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-0622
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/normal/main.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
-index 838f57fa5..04d058f55 100644
---- a/grub-core/normal/main.c
-+++ b/grub-core/normal/main.c
-@@ -582,7 +582,9 @@ GRUB_MOD_FINI(normal)
-   grub_xputs = grub_xputs_saved;
- 
-   grub_set_history (0);
--  grub_register_variable_hook ("pager", 0, 0);
-+  grub_register_variable_hook ("pager", NULL, NULL);
-+  grub_register_variable_hook ("color_normal", NULL, NULL);
-+  grub_register_variable_hook ("color_highlight", NULL, NULL);
-   grub_fs_autoload_hook = 0;
-   grub_unregister_command (cmd_clear);
- }
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
deleted file mode 100644
index 79078a4350..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Fri, 1 Nov 2024 23:52:06 +0000
-Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload
-
-The gettext module does not entirely cleanup after itself in
-its GRUB_MOD_FINI() leaving a few variables hooks in place.
-It is not possible to unload gettext module because normal
-module depends on it. Though fix the issues for completeness.
-
-Fixes: CVE-2025-0622
-
-Reported-by: B Horn <b@horn.uk>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-0622
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/gettext/gettext.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
-index 7a1c14e4f..e4f4f8ee6 100644
---- a/grub-core/gettext/gettext.c
-+++ b/grub-core/gettext/gettext.c
-@@ -535,6 +535,10 @@ GRUB_MOD_INIT (gettext)
- 
- GRUB_MOD_FINI (gettext)
- {
-+  grub_register_variable_hook ("locale_dir", NULL, NULL);
-+  grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
-+  grub_register_variable_hook ("lang", NULL, NULL);
-+
-   grub_gettext_delete_list (&main_context);
-   grub_gettext_delete_list (&secondary_context);
- 
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0624.patch b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch
deleted file mode 100644
index 229fe6399e..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-0624.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Fri, 15 Nov 2024 13:12:09 +0000
-Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
-
-The function included a call to grub_strcpy() which copied data from an
-environment variable to a buffer allocated in grub_cmd_normal(). The
-grub_cmd_normal() didn't consider the length of the environment variable.
-So, the copy operation could exceed the allocation and lead to an OOB
-write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
-pass the underlying buffers size to the grub_net_search_config_file().
-
-Fixes: CVE-2025-0624
-
-Reported-by: B Horn <b@horn.uk>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-0624
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/net/net.c     | 7 ++++---
- grub-core/normal/main.c | 2 +-
- include/grub/net.h      | 2 +-
- 3 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/grub-core/net/net.c b/grub-core/net/net.c
-index 0e41e21a5..9939ff601 100644
---- a/grub-core/net/net.c
-+++ b/grub-core/net/net.c
-@@ -1909,14 +1909,15 @@ grub_config_search_through (char *config, char *suffix,
- }
- 
- grub_err_t
--grub_net_search_config_file (char *config)
-+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
- {
--  grub_size_t config_len;
-+  grub_size_t config_len, suffix_len;
-   char *suffix;
- 
-   config_len = grub_strlen (config);
-   config[config_len] = '-';
-   suffix = config + config_len + 1;
-+  suffix_len = config_buf_len - (config_len + 1);
- 
-   struct grub_net_network_level_interface *inf;
-   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
-@@ -1942,7 +1943,7 @@ grub_net_search_config_file (char *config)
- 
-       if (client_uuid)
-         {
--          grub_strcpy (suffix, client_uuid);
-+          grub_strlcpy (suffix, client_uuid, suffix_len);
-           if (grub_config_search_through (config, suffix, 1, 0) == 0)
-             return GRUB_ERR_NONE;
-         }
-diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
-index 90879dc21..838f57fa5 100644
---- a/grub-core/normal/main.c
-+++ b/grub-core/normal/main.c
-@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
- 
-           if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 &&
-               !disable_net_search)
--            grub_net_search_config_file (config);
-+            grub_net_search_config_file (config, config_len);
- 
-          grub_enter_normal_mode (config);
-          grub_free (config);
-diff --git a/include/grub/net.h b/include/grub/net.h
-index 228d04963..58a4f83fc 100644
---- a/include/grub/net.h
-+++ b/include/grub/net.h
-@@ -579,7 +579,7 @@ void
- grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
- 
- grub_err_t
--grub_net_search_config_file (char *config);
-+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
- 
- extern char *grub_net_default_server;
- 
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
deleted file mode 100644
index d5563cecc4..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
+++ /dev/null
@@ -1,377 +0,0 @@
-From 47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10 Mon Sep 17 00:00:00 2001
-From: Daniel Axtens <dja@axtens.net>
-Date: Sat, 23 Mar 2024 16:20:45 +1100
-Subject: [PATCH] fs: Disable many filesystems under lockdown
-
-The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,
-hfsplus, iso9660, squash4, tar, xfs and zfs.
-
-The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
-reported by Jonathan Bar Or <jonathanbaror@gmail.com>.
-
-Fixes: CVE-2025-0677
-Fixes: CVE-2025-0684
-Fixes: CVE-2025-0685
-Fixes: CVE-2025-0686
-Fixes: CVE-2025-0689
-
-Suggested-by: Daniel Axtens <dja@axtens.net>
-Signed-off-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-0677
-CVE: CVE-2025-0684
-CVE: CVE-2025-0685
-CVE: CVE-2025-0686
-CVE: CVE-2025-0689
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/fs/affs.c     | 9 +++++++--
- grub-core/fs/cbfs.c     | 9 +++++++--
- grub-core/fs/jfs.c      | 9 +++++++--
- grub-core/fs/minix.c    | 9 +++++++--
- grub-core/fs/nilfs2.c   | 9 +++++++--
- grub-core/fs/ntfs.c     | 9 +++++++--
- grub-core/fs/reiserfs.c | 9 +++++++--
- grub-core/fs/romfs.c    | 9 +++++++--
- grub-core/fs/sfs.c      | 9 +++++++--
- grub-core/fs/udf.c      | 9 +++++++--
- grub-core/fs/ufs.c      | 9 +++++++--
- 11 files changed, 77 insertions(+), 22 deletions(-)
-
-diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
-index ed606b3f1..352f5d232 100644
---- a/grub-core/fs/affs.c
-+++ b/grub-core/fs/affs.c
-@@ -26,6 +26,7 @@
- #include <grub/types.h>
- #include <grub/fshelp.h>
- #include <grub/charset.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -703,11 +704,15 @@ static struct grub_fs grub_affs_fs =
- 
- GRUB_MOD_INIT(affs)
- {
--  grub_fs_register (&grub_affs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_affs_fs);
-+    }
-   my_mod = mod;
- }
- 
- GRUB_MOD_FINI(affs)
- {
--  grub_fs_unregister (&grub_affs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_affs_fs);
- }
-diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
-index 8ab7106af..f6349df34 100644
---- a/grub-core/fs/cbfs.c
-+++ b/grub-core/fs/cbfs.c
-@@ -26,6 +26,7 @@
- #include <grub/dl.h>
- #include <grub/i18n.h>
- #include <grub/cbfs_core.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -390,12 +391,16 @@ GRUB_MOD_INIT (cbfs)
- #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
-   init_cbfsdisk ();
- #endif
--  grub_fs_register (&grub_cbfs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_cbfs_fs);
-+    }
- }
- 
- GRUB_MOD_FINI (cbfs)
- {
--  grub_fs_unregister (&grub_cbfs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_cbfs_fs);
- #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
-   fini_cbfsdisk ();
- #endif
-diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
-index 6f7c43904..c0bbab8a9 100644
---- a/grub-core/fs/jfs.c
-+++ b/grub-core/fs/jfs.c
-@@ -26,6 +26,7 @@
- #include <grub/types.h>
- #include <grub/charset.h>
- #include <grub/i18n.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -963,11 +964,15 @@ static struct grub_fs grub_jfs_fs =
- 
- GRUB_MOD_INIT(jfs)
- {
--  grub_fs_register (&grub_jfs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_jfs_fs);
-+    }
-   my_mod = mod;
- }
- 
- GRUB_MOD_FINI(jfs)
- {
--  grub_fs_unregister (&grub_jfs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_jfs_fs);
- }
-diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c
-index 5354951d1..c267298b5 100644
---- a/grub-core/fs/minix.c
-+++ b/grub-core/fs/minix.c
-@@ -25,6 +25,7 @@
- #include <grub/dl.h>
- #include <grub/types.h>
- #include <grub/i18n.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -734,7 +735,10 @@ GRUB_MOD_INIT(minix)
- #endif
- #endif
- {
--  grub_fs_register (&grub_minix_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_minix_fs);
-+    }
-   my_mod = mod;
- }
- 
-@@ -756,5 +760,6 @@ GRUB_MOD_FINI(minix)
- #endif
- #endif
- {
--  grub_fs_unregister (&grub_minix_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_minix_fs);
- }
-diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
-index fc7374ead..08abf173f 100644
---- a/grub-core/fs/nilfs2.c
-+++ b/grub-core/fs/nilfs2.c
-@@ -34,6 +34,7 @@
- #include <grub/dl.h>
- #include <grub/types.h>
- #include <grub/fshelp.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -1231,11 +1232,15 @@ GRUB_MOD_INIT (nilfs2)
-                                  grub_nilfs2_dat_entry));
-   COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE
-                       == sizeof (struct grub_nilfs2_inode));
--  grub_fs_register (&grub_nilfs2_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_nilfs2_fs);
-+    }
-   my_mod = mod;
- }
- 
- GRUB_MOD_FINI (nilfs2)
- {
--  grub_fs_unregister (&grub_nilfs2_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_nilfs2_fs);
- }
-diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
-index de435aa14..8cc2ba3d5 100644
---- a/grub-core/fs/ntfs.c
-+++ b/grub-core/fs/ntfs.c
-@@ -27,6 +27,7 @@
- #include <grub/fshelp.h>
- #include <grub/ntfs.h>
- #include <grub/charset.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -1320,11 +1321,15 @@ static struct grub_fs grub_ntfs_fs =
- 
- GRUB_MOD_INIT (ntfs)
- {
--  grub_fs_register (&grub_ntfs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_ntfs_fs);
-+    }
-   my_mod = mod;
- }
- 
- GRUB_MOD_FINI (ntfs)
- {
--  grub_fs_unregister (&grub_ntfs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_ntfs_fs);
- }
-diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c
-index 36b26ac98..cdef2eba0 100644
---- a/grub-core/fs/reiserfs.c
-+++ b/grub-core/fs/reiserfs.c
-@@ -39,6 +39,7 @@
- #include <grub/types.h>
- #include <grub/fshelp.h>
- #include <grub/i18n.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -1417,11 +1418,15 @@ static struct grub_fs grub_reiserfs_fs =
- 
- GRUB_MOD_INIT(reiserfs)
- {
--  grub_fs_register (&grub_reiserfs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_reiserfs_fs);
-+    }
-   my_mod = mod;
- }
- 
- GRUB_MOD_FINI(reiserfs)
- {
--  grub_fs_unregister (&grub_reiserfs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_reiserfs_fs);
- }
-diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c
-index 1f7dcfca1..acf8dd21e 100644
---- a/grub-core/fs/romfs.c
-+++ b/grub-core/fs/romfs.c
-@@ -23,6 +23,7 @@
- #include <grub/disk.h>
- #include <grub/fs.h>
- #include <grub/fshelp.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -475,10 +476,14 @@ static struct grub_fs grub_romfs_fs =
- 
- GRUB_MOD_INIT(romfs)
- {
--  grub_fs_register (&grub_romfs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_romfs_fs);
-+    }
- }
- 
- GRUB_MOD_FINI(romfs)
- {
--  grub_fs_unregister (&grub_romfs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_romfs_fs);
- }
-diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
-index 983e88008..f64bdd2df 100644
---- a/grub-core/fs/sfs.c
-+++ b/grub-core/fs/sfs.c
-@@ -26,6 +26,7 @@
- #include <grub/types.h>
- #include <grub/fshelp.h>
- #include <grub/charset.h>
-+#include <grub/lockdown.h>
- #include <grub/safemath.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
-@@ -779,11 +780,15 @@ static struct grub_fs grub_sfs_fs =
- 
- GRUB_MOD_INIT(sfs)
- {
--  grub_fs_register (&grub_sfs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_sfs_fs);
-+    }
-   my_mod = mod;
- }
- 
- GRUB_MOD_FINI(sfs)
- {
--  grub_fs_unregister (&grub_sfs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_sfs_fs);
- }
-diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
-index b836e6107..a60643be1 100644
---- a/grub-core/fs/udf.c
-+++ b/grub-core/fs/udf.c
-@@ -27,6 +27,7 @@
- #include <grub/fshelp.h>
- #include <grub/charset.h>
- #include <grub/datetime.h>
-+#include <grub/lockdown.h>
- #include <grub/udf.h>
- #include <grub/safemath.h>
- 
-@@ -1455,11 +1456,15 @@ static struct grub_fs grub_udf_fs = {
- 
- GRUB_MOD_INIT (udf)
- {
--  grub_fs_register (&grub_udf_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_udf_fs);
-+    }
-   my_mod = mod;
- }
- 
- GRUB_MOD_FINI (udf)
- {
--  grub_fs_unregister (&grub_udf_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_udf_fs);
- }
-diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
-index 01235101b..6b496e7b8 100644
---- a/grub-core/fs/ufs.c
-+++ b/grub-core/fs/ufs.c
-@@ -25,6 +25,7 @@
- #include <grub/dl.h>
- #include <grub/types.h>
- #include <grub/i18n.h>
-+#include <grub/lockdown.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -899,7 +900,10 @@ GRUB_MOD_INIT(ufs1)
- #endif
- #endif
- {
--  grub_fs_register (&grub_ufs_fs);
-+  if (!grub_is_lockdown ())
-+    {
-+      grub_fs_register (&grub_ufs_fs);
-+    }
-   my_mod = mod;
- }
- 
-@@ -913,6 +917,7 @@ GRUB_MOD_FINI(ufs1)
- #endif
- #endif
- {
--  grub_fs_unregister (&grub_ufs_fs);
-+  if (!grub_is_lockdown ())
-+    grub_fs_unregister (&grub_ufs_fs);
- }
- 
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
deleted file mode 100644
index 14e67cf35b..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001
-From: Lidong Chen <lidong.chen@oracle.com>
-Date: Tue, 21 Jan 2025 19:02:37 +0000
-Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays
-
-Use grub_calloc() when allocating memory for arrays to ensure proper
-overflow checks are in place.
-
-The HFS+ and squash4 security vulnerabilities were reported by
-Jonathan Bar Or <jonathanbaror@gmail.com>.
-
-Fixes: CVE-2025-0678
-Fixes: CVE-2025-1125
-
-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-0678
-CVE: CVE-2025-1125
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/fs/btrfs.c       | 4 ++--
- grub-core/fs/hfspluscomp.c | 9 +++++++--
- grub-core/fs/squash4.c     | 8 ++++----
- 3 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
-index 0625b1166..9c1e925c9 100644
---- a/grub-core/fs/btrfs.c
-+++ b/grub-core/fs/btrfs.c
-@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
-     }
- 
-   data->n_devices_allocated = 16;
--  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
--                                       * data->n_devices_allocated);
-+  data->devices_attached = grub_calloc (data->n_devices_allocated,
-+                                       sizeof (data->devices_attached[0]));
-   if (!data->devices_attached)
-     {
-       grub_free (data);
-diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
-index 48ae438d8..a80954ee6 100644
---- a/grub-core/fs/hfspluscomp.c
-+++ b/grub-core/fs/hfspluscomp.c
-@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
-          return 0;
-        }
-       node->compress_index_size = grub_le_to_cpu32 (index_size);
--      node->compress_index = grub_malloc (node->compress_index_size
--                                         * sizeof (node->compress_index[0]));
-+      node->compress_index = grub_calloc (node->compress_index_size,
-+                                         sizeof (node->compress_index[0]));
-       if (!node->compress_index)
-        {
-          node->compressed = 0;
-          grub_free (attr_node);
-          return grub_errno;
-        }
-+
-+      /*
-+       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
-+       * due to relevant checks done in grub_calloc() above.
-+       */
-       if (grub_hfsplus_read_file (node, 0, 0,
-                                  0x104 + sizeof (index_size),
-                                  node->compress_index_size
-diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
-index f91ff3bfa..cf2bca822 100644
---- a/grub-core/fs/squash4.c
-+++ b/grub-core/fs/squash4.c
-@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,
-          break;
-        }
-       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
--      ino->block_sizes = grub_malloc (total_blocks
--                                     * sizeof (ino->block_sizes[0]));
--      ino->cumulated_block_sizes = grub_malloc (total_blocks
--                                               * sizeof (ino->cumulated_block_sizes[0]));
-+      ino->block_sizes = grub_calloc (total_blocks,
-+                                     sizeof (ino->block_sizes[0]));
-+      ino->cumulated_block_sizes = grub_calloc (total_blocks,
-+                                               sizeof (ino->cumulated_block_sizes[0]));
-       if (!ino->block_sizes || !ino->cumulated_block_sizes)
-        {
-          grub_free (ino->block_sizes);
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
deleted file mode 100644
index be585c96ad..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
-From: Jonathan Bar Or <jonathanbaror@gmail.com>
-Date: Thu, 23 Jan 2025 19:17:05 +0100
-Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
- than 2^31 characters
-
-The grub_getline() function currently has a signed integer variable "i"
-that can be overflown when user supplies more than 2^31 characters.
-It results in a memory corruption of the allocated line buffer as well
-as supplying large negative values to grub_realloc().
-
-Fixes: CVE-2025-0690
-
-Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
-Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-0690
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/commands/read.c | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
-index 597c90706..8d72e45c9 100644
---- a/grub-core/commands/read.c
-+++ b/grub-core/commands/read.c
-@@ -25,6 +25,7 @@
- #include <grub/types.h>
- #include <grub/extcmd.h>
- #include <grub/i18n.h>
-+#include <grub/safemath.h>
- 
- GRUB_MOD_LICENSE ("GPLv3+");
- 
-@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] =
- static char *
- grub_getline (int silent)
- {
--  int i;
-+  grub_size_t i;
-   char *line;
-   char *tmp;
-   int c;
-+  grub_size_t alloc_size;
- 
-   i = 0;
--  line = grub_malloc (1 + i + sizeof('\0'));
-+  line = grub_malloc (1 + sizeof('\0'));
-   if (! line)
-     return NULL;
- 
-@@ -59,8 +61,17 @@ grub_getline (int silent)
-       line[i] = (char) c;
-       if (!silent)
-        grub_printf ("%c", c);
--      i++;
--      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
-+      if (grub_add (i, 1, &i))
-+        {
-+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+          return NULL;
-+        }
-+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
-+        {
-+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
-+          return NULL;
-+        }
-+      tmp = grub_realloc (line, alloc_size);
-       if (! tmp)
-        {
-          grub_free (line);
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-1118.patch b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch
deleted file mode 100644
index e6906d909c..0000000000
--- a/meta/recipes-bsp/grub/files/CVE-2025-1118.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 34824806ac6302f91e8cabaa41308eaced25725f Mon Sep 17 00:00:00 2001
-From: B Horn <b@horn.uk>
-Date: Thu, 18 Apr 2024 20:29:39 +0100
-Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode
-
-The dump enables a user to read memory which should not be possible
-in lockdown mode.
-
-Fixes: CVE-2025-1118
-
-Reported-by: B Horn <b@horn.uk>
-Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
-Signed-off-by: B Horn <b@horn.uk>
-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
-
-CVE: CVE-2025-1118
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- grub-core/commands/minicmd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
-index 286290866..8c5ee3e60 100644
---- a/grub-core/commands/minicmd.c
-+++ b/grub-core/commands/minicmd.c
-@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd)
-     grub_register_command ("help", grub_mini_cmd_help,
-                           0, N_("Show this message."));
-   cmd_dump =
--    grub_register_command ("dump", grub_mini_cmd_dump,
--                          N_("ADDR [SIZE]"), N_("Show memory contents."));
-+    grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
-+                                   N_("ADDR [SIZE]"), N_("Show memory contents."));
-   cmd_rmmod =
-     grub_register_command ("rmmod", grub_mini_cmd_rmmod,
-                           N_("MODULE"), N_("Remove a module."));
diff --git a/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch b/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
deleted file mode 100644
index f8dfda90ab..0000000000
--- a/meta/recipes-bsp/grub/files/autogen.sh-exclude-pc.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 14c1d0459fb3561e627d3a5f6e91a0d2f7b4aa45 Mon Sep 17 00:00:00 2001
-From: Naveen Saini <naveen.kumar.saini@intel.com>
-Date: Mon, 15 Mar 2021 14:44:15 +0800
-Subject: [PATCH] autogen.sh: exclude .pc from po/POTFILES.in
-
-Exclude the .pc from po/POTFILES.in since quilt uses "patch --backup",
-which will create the backup file under .pc, this may cause unexpected
-errors, for example, on CentOS 5.x, if the backup file is null
-(newfile), it's mode will be 000, then we will get errors when xgettext
-try to read it.
-
-Upstream-Status: Inappropriate [OE specific]
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
-Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
-
----
- autogen.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/autogen.sh b/autogen.sh
-index 195daa5..773b7b4 100755
---- a/autogen.sh
-+++ b/autogen.sh
-@@ -26,7 +26,7 @@ fi
- export LC_COLLATE=C
- unset LC_ALL
- 
--find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c'  ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' |sort > po/POTFILES.in
-+find . -iname '*.[ch]' ! -ipath './grub-core/lib/libgcrypt-grub/*' ! -ipath './build-aux/*' ! -ipath './grub-core/lib/libgcrypt/src/misc.c' ! -ipath './grub-core/lib/libgcrypt/src/global.c' ! -ipath './grub-core/lib/libgcrypt/src/secmem.c'  ! -ipath './util/grub-gen-widthspec.c' ! -ipath './util/grub-gen-asciih.c' ! -ipath './gnulib/*' ! -ipath './grub-core/lib/gnulib/*' ! -path './.pc/*' |sort > po/POTFILES.in
- find util -iname '*.in' ! -name Makefile.in  |sort > po/POTFILES-shell.in
- 
- echo "Importing unicode..."
diff --git a/meta/recipes-bsp/grub/files/cfg b/meta/recipes-bsp/grub/files/cfg
deleted file mode 100644
index 8ca53d24d7..0000000000
--- a/meta/recipes-bsp/grub/files/cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-search.file ($cmdpath)/EFI/BOOT/grub.cfg root
-set prefix=($root)/EFI/BOOT
diff --git a/meta/recipes-bsp/grub/files/grub-module-explicitly-keeps-symbole-.module_license.patch b/meta/recipes-bsp/grub/files/grub-module-explicitly-keeps-symbole-.module_license.patch
deleted file mode 100644
index 7c8770ce8b..0000000000
--- a/meta/recipes-bsp/grub/files/grub-module-explicitly-keeps-symbole-.module_license.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From b316ed326bd492106006d78f5bfcd767b49a4f2e Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Wed, 17 Aug 2016 04:06:34 -0400
-Subject: [PATCH] grub module explicitly keeps symbole .module_license
-
-While using oe-core toolchain to strip grub module 'all_video.mod',
-it stripped symbol table:
-
----------------
-root@localhost:~# objdump -t all_video.mod
-
-all_video.mod:     file format elf64-x86-64
-
-SYMBOL TABLE:
-no symbols
---------------
-
-It caused grub to load module all_video failed.
---------------
-grub> insmod all_video
-error: no symbol table.
---------------
-
-Tweak strip option to keep symbol .module_license could workaround
-the issue.
---------------
-root@localhost:~# objdump -t all_video.mod
-
-all_video.mod:     file format elf64-x86-64
-
-SYMBOL TABLE:
-0000000000000000 l    d  .text  0000000000000000 .text
-0000000000000000 l    d  .data  0000000000000000 .data
-0000000000000000 l    d  .module_license        0000000000000000 .module_license
-0000000000000000 l    d  .bss   0000000000000000 .bss
-0000000000000000 l    d  .moddeps       0000000000000000 .moddeps
-0000000000000000 l    d  .modname       0000000000000000 .modname
---------------
-
-Upstream-Status: Inappropriate [workaround that needs investigation into @TARGET_STRIP@ behaviour in oe-core vs toolchain used by upstream]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-
----
- grub-core/genmod.sh.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/grub-core/genmod.sh.in b/grub-core/genmod.sh.in
-index e57c4d9..42bb1ba 100644
---- a/grub-core/genmod.sh.in
-+++ b/grub-core/genmod.sh.in
-@@ -56,7 +56,7 @@ if test x@TARGET_APPLE_LINKER@ != x1; then
-        if test x@platform@ != xemu; then
-            @TARGET_STRIP@ --strip-unneeded \
-                -K grub_mod_init -K grub_mod_fini \
--               -K _grub_mod_init -K _grub_mod_fini \
-+               -K _grub_mod_init -K _grub_mod_fini -K .module_license \
-                -R .note.gnu.gold-version -R .note.GNU-stack \
-                -R .gnu.build.attributes \
-                -R .rel.gnu.build.attributes \
diff --git a/meta/recipes-bsp/grub/grub-bootconf_1.00.bb b/meta/recipes-bsp/grub/grub-bootconf_1.00.bb
deleted file mode 100644
index 0b4005e5bf..0000000000
--- a/meta/recipes-bsp/grub/grub-bootconf_1.00.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-SUMMARY = "Basic grub.cfg for use in EFI systems"
-DESCRIPTION = "Grub might require different configuration file for \
-different machines."
-HOMEPAGE = "https://www.gnu.org/software/grub/manual/grub/grub.html#Configuration"
-
-RPROVIDES:${PN} += "virtual-grub-bootconf"
-
-inherit grub-efi-cfg
-
-require conf/image-uefi.conf
-
-S = "${UNPACKDIR}"
-
-GRUB_CFG = "${S}/grub-bootconf"
-LABELS = "boot"
-
-ROOT ?= "root=/dev/sda2"
-
-python do_configure() {
-    bb.build.exec_func('build_efi_cfg', d)
-}
-
-do_configure[vardeps] += "APPEND ROOT GRUB_TITLE"
-
-do_install() {
-        install -d ${D}${EFI_FILES_PATH}
-        install grub-bootconf ${D}${EFI_FILES_PATH}/grub.cfg
-}
-
-FILES:${PN} = "${EFI_FILES_PATH}/grub.cfg"
diff --git a/meta/recipes-bsp/grub/grub-efi_2.12.bb b/meta/recipes-bsp/grub/grub-efi_2.12.bb
deleted file mode 100644
index 6354b43989..0000000000
--- a/meta/recipes-bsp/grub/grub-efi_2.12.bb
+++ /dev/null
@@ -1,110 +0,0 @@
-require grub2.inc
-
-require conf/image-uefi.conf
-
-GRUBPLATFORM = "efi"
-
-DEPENDS:append = " grub-native"
-RDEPENDS:${PN} = "grub-common virtual-grub-bootconf"
-
-SRC_URI += " \
-           file://cfg \
-          "
-
-S = "${UNPACKDIR}/grub-${PV}"
-
-# Determine the target arch for the grub modules
-python __anonymous () {
-    import re
-    target = d.getVar('TARGET_ARCH')
-    prefix = "" if d.getVar('EFI_PROVIDER') == "grub-efi" else "grub-efi-"
-    if target == "x86_64":
-        grubtarget = 'x86_64'
-    elif re.match('i.86', target):
-        grubtarget = 'i386'
-    elif re.match('aarch64', target):
-        grubtarget = 'arm64'
-    elif re.match('arm', target):
-        grubtarget = 'arm'
-    elif re.match('riscv64', target):
-        grubtarget = 'riscv64'
-    elif re.match('riscv32', target):
-        grubtarget = 'riscv32'
-    elif re.match('loongarch64', target):
-        grubtarget = 'loongarch64'
-    else:
-        raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % target)
-    grubimage = prefix + d.getVar("EFI_BOOT_IMAGE")
-    d.setVar("GRUB_TARGET", grubtarget)
-    d.setVar("GRUB_IMAGE", grubimage)
-    prefix = "grub-efi-" if prefix == "" else ""
-    d.setVar("GRUB_IMAGE_PREFIX", prefix)
-}
-
-inherit deploy
-
-CACHED_CONFIGUREVARS += "ac_cv_path_HELP2MAN="
-EXTRA_OECONF += "--enable-efiemu=no"
-
-# Define GRUB_MKIMAGE_OPTS variable for additional grub-mkimage options (e.g., disabling shim lock)
-GRUB_MKIMAGE_OPTS ?= ""
-
-do_mkimage() {
-        cd ${B}
-
-        GRUB_MKIMAGE_MODULES="${GRUB_BUILDIN}"
-
-        # If 'all' is included in GRUB_BUILDIN we will include all available grub2 modules
-        if [ "${@ bb.utils.contains('GRUB_BUILDIN', 'all', 'True', 'False', d)}" = "True" ]; then
-                bbdebug 1 "Including all available modules"
-                # Get the list of all .mod files in grub-core build directory
-                GRUB_MKIMAGE_MODULES=$(find ${B}/grub-core/ -type f -name "*.mod" -exec basename {} .mod \;)
-        fi
-
-        # Search for the grub.cfg on the local boot media by using the
-        # built in cfg file provided via this recipe
-        grub-mkimage -v -c ${UNPACKDIR}/cfg -p ${EFIDIR} -d ./grub-core/ \
-                       -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
-                       ${GRUB_MKIMAGE_OPTS} ${GRUB_MKIMAGE_MODULES}
-}
-
-addtask mkimage before do_install after do_compile
-
-do_install() {
-    oe_runmake 'DESTDIR=${D}' -C grub-core install
-
-    # Remove build host references...
-    find "${D}" -name modinfo.sh -type f -exec \
-        sed -i \
-        -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
-        -e 's|${DEBUG_PREFIX_MAP}||g' \
-        -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
-        {} +
-
-    install -d ${D}${EFI_FILES_PATH}
-    install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${D}${EFI_FILES_PATH}/${GRUB_IMAGE}
-}
-
-# To include all available modules, add 'all' to GRUB_BUILDIN
-GRUB_BUILDIN ?= "boot linux ext2 fat serial part_msdos part_gpt normal \
-                 efi_gop iso9660 configfile search loadenv test"
-
-# 'xen_boot' is a module valid only for aarch64
-GRUB_BUILDIN:append:aarch64 = "${@bb.utils.contains('DISTRO_FEATURES', 'xen', ' xen_boot', '', d)}"
-
-do_deploy() {
-        install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${DEPLOYDIR}
-}
-
-addtask deploy after do_install before do_build
-
-FILES:${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
-               ${datadir}/grub \
-               ${EFI_FILES_PATH}/${GRUB_IMAGE} \
-               "
-
-# 64-bit binaries are expected for the bootloader with an x32 userland
-INSANE_SKIP:${PN}:append:linux-gnux32 = " arch"
-INSANE_SKIP:${PN}-dbg:append:linux-gnux32 = " arch"
-INSANE_SKIP:${PN}:append:linux-muslx32 = " arch"
-INSANE_SKIP:${PN}-dbg:append:linux-muslx32 = " arch"
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
deleted file mode 100644
index 14edda334a..0000000000
--- a/meta/recipes-bsp/grub/grub2.inc
+++ /dev/null
@@ -1,115 +0,0 @@
-SUMMARY = "GRUB2 is the next-generation GRand Unified Bootloader"
-
-DESCRIPTION = "GRUB2 is the next generaion of a GPLed bootloader \
-intended to unify bootloading across x86 operating systems. In \
-addition to loading the Linux kernel, it implements the Multiboot \
-standard, which allows for flexible loading of multiple boot images."
-
-HOMEPAGE = "http://www.gnu.org/software/grub/"
-SECTION = "bootloaders"
-
-LICENSE = "GPL-3.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-
-CVE_PRODUCT = "grub2"
-
-SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
-           file://autogen.sh-exclude-pc.patch \
-           file://grub-module-explicitly-keeps-symbole-.module_license.patch \
-           file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
-           file://0001-RISC-V-Restore-the-typcast-to-long.patch \
-           file://0001-misc-Implement-grub_strlcpy.patch \
-           file://CVE-2024-45781.patch \
-           file://CVE-2024-45782_CVE-2024-56737.patch \
-           file://CVE-2024-45780.patch \
-           file://CVE-2024-45783.patch \
-           file://CVE-2025-0624.patch \
-           file://CVE-2024-45774.patch \
-           file://CVE-2024-45775.patch \
-           file://CVE-2025-0622-01.patch \
-           file://CVE-2025-0622-02.patch \
-           file://CVE-2025-0622-03.patch \
-           file://CVE-2024-45776.patch \
-           file://CVE-2024-45777.patch \
-           file://CVE-2025-0690.patch \
-           file://CVE-2025-1118.patch \
-           file://CVE-2024-45778_CVE-2024-45779.patch \
-           file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
-           file://CVE-2025-0678_CVE-2025-1125.patch \
-           file://CVE-2024-56738.patch \
-"
-
-SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
-
-CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
-CVE_STATUS[CVE-2023-4001]  = "not-applicable-platform: Applies only to RHEL/Fedora"
-CVE_STATUS[CVE-2024-1048]  = "not-applicable-platform: Applies only to RHEL/Fedora"
-CVE_STATUS[CVE-2024-2312]  = "not-applicable-platform: Applies only to Ubuntu"
-
-DEPENDS = "flex-native bison-native gettext-native"
-
-GRUB_COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*|loongarch64.*|riscv.*)-(linux.*|freebsd.*)'
-COMPATIBLE_HOST = "${GRUB_COMPATIBLE_HOST}"
-# Grub doesn't support hard float toolchain and won't be able to forcefully
-# disable it on some of the target CPUs. See 'configure.ac' for
-# supported/unsupported CPUs in hardfp.
-COMPATIBLE_HOST:armv7a = "${@'null' if bb.utils.contains('TUNE_CCARGS_MFLOAT', 'hard', True, False, d) else d.getVar('GRUB_COMPATIBLE_HOST')}"
-COMPATIBLE_HOST:armv7ve = "${@'null' if bb.utils.contains('TUNE_CCARGS_MFLOAT', 'hard', True, False, d) else d.getVar('GRUB_COMPATIBLE_HOST')}"
-
-# configure.ac has code to set this automagically from the target tuple
-# but the OE freeform one (core2-foo-bar-linux) don't work with that.
-
-GRUBPLATFORM:arm = "efi"
-GRUBPLATFORM:aarch64 = "efi"
-GRUBPLATFORM:loongarch64 = "efi"
-GRUBPLATFORM:riscv32 = "efi"
-GRUBPLATFORM:riscv64 = "efi"
-GRUBPLATFORM ??= "pc"
-
-inherit autotools gettext texinfo pkgconfig
-
-CFLAGS:remove = "-O2"
-# It doesn't support sse, its make.defaults sets:
-# CFLAGS += -mno-mmx -mno-sse
-# So also remove -mfpmath=sse from TUNE_CCARGS
-TUNE_CCARGS:remove = "-mfpmath=sse"
-TUNE_CCARGS:append:toolchain-clang = " -fuse-ld=bfd -Wno-error=unused-command-line-argument"
-
-EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
-                --disable-grub-mkfont \
-                --program-prefix="" \
-                --enable-liblzma=no \
-                --enable-libzfs=no \
-                --enable-largefile \
-                --disable-werror \
-"
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[grub-mount] = "--enable-grub-mount,--disable-grub-mount,fuse"
-PACKAGECONFIG[device-mapper] = "--enable-device-mapper,--disable-device-mapper,libdevmapper"
-
-# grub2 creates its own set of -nostdinc / -isystem / -ffreestanding CFLAGS and
-# OE's default BUILD_CFLAGS (assigned to CFLAGS for native builds) etc, conflict
-# with that. Note that since BUILD_CFLAGS etc are not used by grub2 target
-# builds, it's safe to clear them unconditionally for both target and native.
-BUILD_CPPFLAGS = ""
-BUILD_CFLAGS = ""
-BUILD_CXXFLAGS = ""
-BUILD_LDFLAGS = ""
-
-export PYTHON = "python3"
-
-do_configure:prepend() {
-        cd ${S}
-
-        # Remove in next version.
-        # See: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b835601c7639ed1890f2d3db91900a8506011a8e
-        echo "depends bli part_gpt" > ${S}/grub-core/extra_deps.lst
-
-        FROM_BOOTSTRAP=1 ${S}/autogen.sh
-        cd ${B}
-}
-
-# | aarch64-poky-linux-clang: error: invalid argument '-mcmodel=large' only allowed with '-fno-pic'
-# see - https://bugs.gentoo.org/942843
-TOOLCHAIN:aarch64 = "gcc"
diff --git a/meta/recipes-bsp/grub/grub_2.12.bb b/meta/recipes-bsp/grub/grub_2.12.bb
deleted file mode 100644
index 05d462785c..0000000000
--- a/meta/recipes-bsp/grub/grub_2.12.bb
+++ /dev/null
@@ -1,41 +0,0 @@
-require grub2.inc
-
-RDEPENDS:${PN}-common += "${PN}-editenv"
-RDEPENDS:${PN} += "${PN}-common"
-RDEPENDS:${PN}:class-native = ""
-
-RPROVIDES:${PN}-editenv += "${PN}-efi-editenv"
-
-PROVIDES:append:class-native = " grub-efi-native"
-
-PACKAGES =+ "${PN}-editenv ${PN}-common"
-FILES:${PN}-editenv = "${bindir}/grub-editenv"
-FILES:${PN}-common = " \
-    ${bindir} \
-    ${sysconfdir} \
-    ${sbindir} \
-    ${datadir}/grub \
-"
-ALLOW_EMPTY:${PN} = "1"
-
-do_install:append () {
-    # Avoid conflicts with the EFI package for systems such as arm64 where we
-    # need to build grub and grub-efi but only EFI is supported by removing EFI
-    # from this package.
-    rm -rf ${D}${libdir}/grub/*-efi/
-    rmdir --ignore-fail-on-non-empty ${D}${libdir}/grub ${D}${libdir}
-
-    install -d ${D}${sysconfdir}/grub.d
-    # Remove build host references...
-    find "${D}" -name modinfo.sh -type f -exec \
-        sed -i \
-        -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
-        -e 's|${DEBUG_PREFIX_MAP}||g' \
-        -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
-        {} +
-}
-
-INSANE_SKIP:${PN} = "arch"
-INSANE_SKIP:${PN}-dbg = "arch"
-
-BBCLASSEXTEND = "native nativesdk"