diff --git a/packages/g/grub2/.files b/packages/g/grub2/.files
index b98326eef9e..b53e9224ea4 100644
Binary files a/packages/g/grub2/.files and b/packages/g/grub2/.files differ
diff --git a/packages/g/grub2/.rev b/packages/g/grub2/.rev
index 2bb2b667dc9..9f507d3c464 100644
--- a/packages/g/grub2/.rev
+++ b/packages/g/grub2/.rev
@@ -2617,4 +2617,12 @@ pretty much the same. The main user visible changes are
1118449
+
+ a9cf2d21d98c81093f0d96c6dc96ccf9
+ 2.12~rc1
+
+ anag+factory
+
+ 1120471
+
diff --git a/packages/g/grub2/0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch b/packages/g/grub2/0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
new file mode 100644
index 00000000000..6a71e3152c7
--- /dev/null
+++ b/packages/g/grub2/0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
@@ -0,0 +1,142 @@
+From 06af22d6c893b0249712e9a486e0cbae15160e5c Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Mon, 23 Oct 2023 16:11:53 +0800
+Subject: [PATCH] luks2: Use grub-tpm2 token for TPM2-protected volume unlock
+
+This commit enables the use of the grub-tpm2 token for unlocking LUKS2
+volumes protected by TPM2. The token tracks keyslots associated with a
+sealed key, making the unsealing process more efficient and secure.
+
+Signed-Off-by Michael Chang
+---
+ grub-core/disk/luks2.c | 81 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 79 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
+index d5106402f..fe5ba777a 100644
+--- a/grub-core/disk/luks2.c
++++ b/grub-core/disk/luks2.c
+@@ -124,6 +124,14 @@ struct grub_luks2_digest
+ };
+ typedef struct grub_luks2_digest grub_luks2_digest_t;
+
++struct grub_luks2_token_tpm
++{
++ grub_uint64_t idx;
++ grub_uint64_t keyslots;
++ const char *timestamp;
++};
++typedef struct grub_luks2_token_tpm grub_luks2_token_tpm_t;
++
+ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
+ grub_uint8_t * dst, grub_size_t blocksize,
+ grub_size_t blocknumbers);
+@@ -257,6 +265,39 @@ luks2_parse_digest (grub_luks2_digest_t *out, const grub_json_t *digest)
+ return GRUB_ERR_NONE;
+ }
+
++static grub_err_t
++luks2_parse_token_tpm (grub_luks2_token_tpm_t *out, const grub_json_t *token)
++{
++ grub_json_t keyslots, o;
++ grub_size_t i, size;
++ grub_uint64_t bit;
++ const char *type;
++
++ if (grub_json_getstring (&type, token, "type"))
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid token type");
++ else if (grub_strcmp (type, "grub-tpm2"))
++ return GRUB_ERR_NONE;
++
++ if (grub_json_getvalue (&keyslots, token, "keyslots") ||
++ grub_json_getstring (&out->timestamp, token, "timestamp"))
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing token parameters");
++
++ if (grub_json_getsize (&size, &keyslots))
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ "Token references no keyslots");
++
++ out->keyslots = 0;
++ for (i = 0; i < size; i++)
++ {
++ if (grub_json_getchild (&o, &keyslots, i) ||
++ grub_json_getuint64 (&bit, &o, NULL))
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot");
++ out->keyslots |= (1 << bit);
++ }
++
++ return GRUB_ERR_NONE;
++}
++
+ static grub_err_t
+ luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d, grub_luks2_segment_t *s,
+ const grub_json_t *root, grub_size_t keyslot_json_idx)
+@@ -561,13 +602,14 @@ luks2_recover_key (grub_disk_t source,
+ {
+ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+ char cipher[32], *json_header = NULL, *ptr;
+- grub_size_t candidate_key_len = 0, json_idx, size;
++ grub_size_t candidate_key_len = 0, json_idx, size, tsize;
+ grub_luks2_header_t header;
+ grub_luks2_keyslot_t keyslot;
+ grub_luks2_digest_t digest;
+ grub_luks2_segment_t segment;
++ grub_luks2_token_tpm_t token_tpm;
+ gcry_err_code_t gcry_ret;
+- grub_json_t *json = NULL, keyslots;
++ grub_json_t *json = NULL, keyslots, tokens;
+ grub_err_t ret;
+
+ if (cargs->key_data == NULL || cargs->key_len == 0)
+@@ -605,6 +647,37 @@ luks2_recover_key (grub_disk_t source,
+ goto err;
+ }
+
++ token_tpm.keyslots = 0;
++ tsize = 0;
++ if (cargs->protectors)
++ {
++ int i;
++ for (i = 0; cargs->protectors[i]; i++)
++ if (grub_strcmp(cargs->protectors[i], "tpm2") == 0)
++ break;
++
++ if (!cargs->protectors[i] ||
++ cargs->key_cache[i].invalid ||
++ grub_json_getvalue (&tokens, json, "tokens") ||
++ grub_json_getsize (&tsize, &tokens))
++ grub_dprintf ("luks2", "No valid token or not a tpm2 protector\n");
++ }
++
++ for (json_idx = 0; json_idx < tsize; json_idx++)
++ {
++ grub_json_t token;
++
++ if (grub_json_getchild (&token, &tokens, json_idx) ||
++ grub_json_getuint64 (&token_tpm.idx, &token, NULL) ||
++ grub_json_getchild (&token, &token, 0) ||
++ luks2_parse_token_tpm (&token_tpm, &token))
++ {
++ grub_dprintf ("luks2", "Could not parse token index %" PRIuGRUB_SIZE "\n", json_idx);
++ grub_errno = GRUB_ERR_NONE;
++ continue;
++ }
++ }
++
+ if (grub_disk_native_sectors (source) == GRUB_DISK_SIZE_UNKNOWN)
+ {
+ /* FIXME: Allow use of source disk, and maybe cause errors in read. */
+@@ -641,6 +714,10 @@ luks2_recover_key (grub_disk_t source,
+ continue;
+ }
+
++ if (token_tpm.keyslots &&
++ !(token_tpm.keyslots & (1 << keyslot.idx)))
++ continue;
++
+ grub_dprintf ("luks2", "Trying keyslot \"%" PRIuGRUB_UINT64_T "\"\n", keyslot.idx);
+
+ /* Sector size should be one of 512, 1024, 2048, or 4096. */
+--
+2.42.0
+
diff --git a/packages/g/grub2/Fix-the-size-calculation-for-the-synthesized-initrd.patch b/packages/g/grub2/Fix-the-size-calculation-for-the-synthesized-initrd.patch
new file mode 100644
index 00000000000..9fff1a60865
--- /dev/null
+++ b/packages/g/grub2/Fix-the-size-calculation-for-the-synthesized-initrd.patch
@@ -0,0 +1,86 @@
+From d441356c924102b43b303520cc1c62a624b014d6 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Thu, 26 Oct 2023 13:18:24 +0800
+Subject: [PATCH] Fix the size calculation for the synthesized initrd
+
+When calculating the size of the synthesized initrd in
+grub_initrd_component(), the ending "TRAILER!!!" is counted in for every
+synthesized initrd. However, in grub_initrd_load(), only one "TRAILER!!!"
+will be appended for one group of consecutive synthesized initrds. The
+additional size calculation for the ending "TRAILER!!!" could make the
+linux kernel to read uninitialized bytes and result in the error message
+like this:
+
+Initramfs unpacking failed: invalid magic at start of compressed archive
+
+To fit into the original 'newc' design, the ending "TRAILER!!!" is
+removed from grub_initrd_component(). Instead, in grub_initrd_init(),
+the 'newc' flag is set when calculating size of the synthesized initrd
+to append the ending "TRAILER!!!" later. As for grub_initrd_load(),
+since the path to the unsealed key is specified in 'newc_name', it's
+unnecessary to set the 'newc' flag while copying the unsealed key
+because the flag is already set when parsing the path name.
+
+Signed-off-by: Gary Lin
+---
+ grub-core/loader/linux.c | 23 ++++++++---------------
+ 1 file changed, 8 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index 4e028f5..9ee8f37 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -209,13 +209,6 @@ grub_initrd_component (const char *buf, int bufsz, const char *newc_name,
+ &initrd_ctx->size))
+ goto overflow;
+
+- initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
+- if (grub_add (initrd_ctx->size,
+- ALIGN_UP (sizeof (struct newc_head)
+- + sizeof ("TRAILER!!!") - 1, 4),
+- &initrd_ctx->size))
+- goto overflow;
+-
+ free_dir (root);
+ root = 0;
+ return GRUB_ERR_NONE;
+@@ -312,6 +305,13 @@ grub_initrd_init (int argc, char *argv[],
+ goto overflow;
+ }
+
++ FOR_LIST_ELEMENTS (pk, kpuber)
++ if (pk->key && pk->path)
++ {
++ grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx);
++ newc = 1;
++ }
++
+ if (newc)
+ {
+ initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
+@@ -324,10 +324,6 @@ grub_initrd_init (int argc, char *argv[],
+ root = 0;
+ }
+
+- FOR_LIST_ELEMENTS (pk, kpuber)
+- if (pk->key && pk->path)
+- grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx);
+-
+ return GRUB_ERR_NONE;
+
+ overflow:
+@@ -404,10 +400,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+
+ cursize = initrd_ctx->components[i].size;
+ if (initrd_ctx->components[i].buf)
+- {
+- grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize);
+- newc = 1;
+- }
++ grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize);
+ else if (grub_file_read (initrd_ctx->components[i].file, ptr, cursize)
+ != cursize)
+ {
+--
+2.35.3
+
diff --git a/packages/g/grub2/grub2-efi-chainload-harder.patch b/packages/g/grub2/grub2-efi-chainload-harder.patch
index 6f77b911db1..4793bae0620 100644
--- a/packages/g/grub2/grub2-efi-chainload-harder.patch
+++ b/packages/g/grub2/grub2-efi-chainload-harder.patch
@@ -2,6 +2,10 @@
v2:
Use grub_efi_get_secureboot to get secure boot status
+v3:
+Fix null sb_context->file_path due to missing assignment of chainloaded image's
+file_path (bsc#1216081)
+
---
grub-core/loader/efi/chainloader.c | 62 +++++++++++++++++++++----------------
1 file changed, 36 insertions(+), 26 deletions(-)
@@ -73,7 +77,7 @@ Use grub_efi_get_secureboot to get secure boot status
}
static void*
-@@ -604,6 +605,9 @@
+@@ -607,6 +608,9 @@
if (buffer)
b->free_pool (buffer);
@@ -83,7 +87,7 @@ Use grub_efi_get_secureboot to get secure boot status
return 0;
}
-@@ -821,6 +825,30 @@
+@@ -825,6 +829,31 @@
status = b->load_image (0, grub_efi_image_handle, file_path,
boot_image, size,
&image_handle);
@@ -105,6 +109,7 @@ Use grub_efi_get_secureboot to get secure boot status
+ sb_context->dev_handle = dev_handle;
+ sb_context->address = address;
+ sb_context->pages = pages;
++ sb_context->file_path = file_path;
+ grub_file_close (file);
+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
+ grub_secureboot_chainloader_unload, sb_context, 0);
diff --git a/packages/g/grub2/grub2.changes b/packages/g/grub2/grub2.changes
index 89a88db1139..0641abe8b53 100644
--- a/packages/g/grub2/grub2.changes
+++ b/packages/g/grub2/grub2.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Oct 26 06:04:54 UTC 2023 - Gary Ching-Pang Lin
+
+- Fix a potential error when appending multiple keys into the
+ synthesized initrd
+ * Fix-the-size-calculation-for-the-synthesized-initrd.patch
+
+-------------------------------------------------------------------
+Wed Oct 25 01:56:09 UTC 2023 - Michael Chang
+
+- Fix Xen chainloding error of no matching file path found (bsc#1216081)
+ * grub2-efi-chainload-harder.patch
+
+-------------------------------------------------------------------
+Mon Oct 23 13:11:45 UTC 2023 - Michael Chang
+
+- Use grub-tpm2 token to unlock keyslots to make the unsealing process more
+ efficient and secure.
+ * 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
+
-------------------------------------------------------------------
Mon Oct 16 08:05:03 UTC 2023 - Michael Chang
@@ -785,7 +805,7 @@ Wed Jun 8 03:25:26 UTC 2022 - Michael Chang
-------------------------------------------------------------------
Wed Jun 8 03:17:29 UTC 2022 - Michael Chang
-- Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668)
+- Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668) (jsc#PED-1276)
* 0001-luks2-Add-debug-message-to-align-with-luks-and-geli-.patch
* 0002-cryptodisk-Refactor-to-discard-have_it-global.patch
* 0003-cryptodisk-Return-failure-in-cryptomount-when-no-cry.patch
@@ -868,7 +888,7 @@ Thu May 26 10:10:56 UTC 2022 - Michael Chang
Tue May 17 10:46:38 UTC 2022 - Michael Chang
- Fix installation over serial console ends up in infinite boot loop
- (bsc#1187810)
+ (bsc#1187810) (bsc#1209667) (bsc#1209372)
* 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
- Fix ppc64le build error for new IEEE long double ABI
* 0001-libc-config-merge-from-glibc.patch
diff --git a/packages/g/grub2/grub2.spec b/packages/g/grub2/grub2.spec
index 12d861879d7..2ee3e176bf1 100644
--- a/packages/g/grub2/grub2.spec
+++ b/packages/g/grub2/grub2.spec
@@ -387,6 +387,8 @@ Patch194: 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
Patch195: 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
Patch196: 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
Patch197: 0006-fs-ntfs-Make-code-more-readable.patch
+Patch198: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
+Patch199: Fix-the-size-calculation-for-the-synthesized-initrd.patch
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140