Debian Patches

Status for grub2/2.12-2

Patch Description Author Forwarded Bugs Origin Last update
olpc-prefix-hack.patch Hack prefix for OLPC
This sucks, but it's better than what OFW was giving us.
Colin Watson <> no 2014-01-13
core-in-fs.patch Write marker if core.img was written to filesystem
The Debian bug reporting script includes a warning in this case.
Colin Watson <> no 2014-01-13
grub-legacy-0-based-partitions.patch Support running grub-probe in grub-legacy's update-grub Colin Watson <> not-needed 2013-12-25
disable-floppies.patch Disable use of floppy devices
An ugly kludge. Should this be merged upstream?
Robert Millan no 2014-01-13
gfxpayload-keep-default.patch Disable gfxpayload=keep by default
Setting gfxpayload=keep has been known to cause efifb to be
inappropriately enabled. In any case, with the current Linux kernel the
result of this option is that early kernelspace will be unable to print
anything to the console, so (for example) if boot fails and you end up
dumped to an initramfs prompt, you won't be able to see anything on the
screen. As such it shouldn't be enabled by default in Debian, no matter
what kernel options are enabled.

gfxpayload=keep is a good idea but rather ahead of its time ...
Colin Watson <> no debian 2013-12-25
install-stage2-confusion.patch If GRUB Legacy is still around, tell packaging to ignore it Colin Watson <> not-needed debian 2021-09-24
mkconfig-loopback.patch Handle filesystems loop-mounted on file images
Improve prepare_grub_to_access_device to emit appropriate commands for
such filesystems, and ignore them in Linux grub.d scripts.

This is needed for Ubuntu's Wubi installation method.

This patch isn't inherently Debian/Ubuntu-specific. losetup and
/proc/mounts are Linux-specific, though, so we might need to refine this
before sending it upstream. The changes to the Linux grub.d scripts
might be better handled by integrating 10_lupin properly instead.
Colin Watson <> no 2014-01-13
restore-mkdevicemap.patch Restore grub-mkdevicemap
This is kind of a mess, requiring lots of OS-specific code to iterate
over all possible devices. However, we use it in a number of scripts to
discover devices and reimplementing those in terms of something else
would be very complicated.
Dimitri John Ledkov <> no 2021-09-24
gettext-quiet.patch Silence error messages when translations are unavailable Colin Watson <> yes upstream 2013-11-14
install-efi-fallback.patch Fall back to non-EFI if booted using EFI but -efi is missing
It may be possible, particularly in recovery situations, to be booted
using EFI on x86 when only the i386-pc target is installed, or on ARM
when only the arm-uboot target is installed. There's nothing actually
stopping us installing i386-pc or arm-uboot from an EFI environment, and
it's better than returning a confusing error.
Steve McIntyre <> no 2019-05-24
mkconfig-ubuntu-recovery.patch "single" -> "recovery" when friendly-recovery is installed
If configured with --enable-ubuntu-recovery, also set nomodeset for
recovery mode, and disable 'set gfxpayload=keep' even if the system
normally supports it. See
Stéphane Graber <> no 2013-12-25
install-locale-langpack.patch Prefer translations from Ubuntu language packs if available Colin Watson <> not-needed 2013-12-25
mkconfig-nonexistent-loopback.patch Avoid getting confused by inaccessible loop device backing paths Colin Watson <> no 2021-09-24
default-grub-d.patch Read /etc/default/grub.d/*.cfg after /etc/default/grub Colin Watson <> no 2021-09-24
blacklist-1440x900x32.patch Blacklist 1440x900x32 from VBE preferred mode handling Colin Watson <> no 2013-11-14
mkconfig-ubuntu-distributor.patch Remove GNU/Linux from default distributor string for Ubuntu
Ubuntu is called "Ubuntu", not "Ubuntu GNU/Linux".
Harald Sitter <> not-needed 2013-12-25
maybe-quiet.patch Add configure option to reduce visual clutter at boot time
If this option is enabled, then do all of the following:

Don't display introductory message about line editing unless we're
actually offering a shell prompt. (This is believed to be a workaround
for a different bug. We'll go with this for now, but will drop this in
favour of a better fix upstream if somebody figures out what that is.)

Don't clear the screen just before booting if we never drew the menu in
the first place.

Remove verbose messages printed before reading configuration. In some
ways this is awkward because it makes debugging harder, but it's a
requirement for a smooth-looking boot process; we may be able to do
better in future. Upstream doesn't want this, though.

Disable the cursor as well, for similar reasons of tidiness.

Suppress kernel/initrd progress messages, except in recovery mode.

Suppress "GRUB loading" message unless Shift is held down. Upstream
doesn't want this, as it makes debugging harder. Ubuntu wants it to
provide a cleaner boot experience.
Will Thompson <> invalid 2021-09-24
install-efi-adjust-distributor.patch Adjust efi_distributor for some distributions
This is not a very good approach, and certainly not sanely upstreamable;
we probably need to split GRUB_DISTRIBUTOR into a couple of different
Colin Watson <> not-needed debian 2019-08-06
quick-boot.patch Add configure option to bypass boot menu if possible
If other operating systems are installed, then automatically unhide the
menu. Otherwise, if GRUB_HIDDEN_TIMEOUT is 0, then use keystatus if
available to check whether Shift is pressed. If it is, show the menu,
otherwise boot immediately. If keystatus is not available, then fall
back to a short delay interruptible with Escape.

This may or may not remain Ubuntu-specific, although it's not obviously
wanted upstream. It implements a requirement of

If the previous boot failed (defined as failing to get to the end of one
of the normal runlevels), then show the boot menu regardless.
Robie Basak <> no 2015-09-04
quick-boot-lvm.patch If we don't have writable grubenv and we're on EFI, always show the menu

If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).

Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.

Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
Steve Langasek <> no 2019-06-24
gfxpayload-dynamic.patch Add configure option to enable gfxpayload=keep dynamically
Set GRUB_GFXPAYLOAD_LINUX=keep unless it's known to be unsupported on
the current hardware. See
Colin Watson <> no 2019-05-25
vt-handoff.patch Add configure option to use vt.handoff=7
This is used for non-recovery Linux entries only; it enables
flicker-free booting if gfxpayload=keep is in use and a suitable kernel
is present.
Andy Whitcroft <> not-needed 2013-12-25
probe-fusionio.patch Probe FusionIO devices Colin Watson <> no 2016-09-18
ignore-grub_func_test-failures.patch Ignore functional test failures for now as they are broken Colin Watson <> not-needed 2013-11-19
mkconfig-recovery-title.patch Add GRUB_RECOVERY_TITLE option
This allows the controversial "recovery mode" text to be customised.
Colin Watson <> no 2013-12-25
install-powerpc-machtypes.patch Port yaboot logic for various powerpc machine types
Some powerpc machines require not updating the NVRAM. This can be handled
by existing grub-install command-line options, but it's friendlier to detect
this automatically.

On chrp_ibm machines, use the nvram utility rather than nvsetenv. (This
is possibly suitable for other machines too, but that needs to be
Colin Watson <> no 2014-10-15
ieee1275-clear-reset.patch Include a text attribute reset in the clear command for ppc
Always clear text attribute for clear command in order to avoid problems
after it boots.

* grub-core/term/terminfo.c: Add escape for text attribute reset
Paulo Flabiano Smorigo <> no other, 2014-09-26
ppc64el-disable-vsx.patch Disable VSX instruction
VSX bit is enabled by default for Power7 and Power8 CPU models,
so we need to disable them in order to avoid instruction exceptions.
Kernel will activate it when necessary.

* grub-core/kern/powerpc/ieee1275/startup.S: Disable VSX.
Paulo Flabiano Smorigo <> no other, 2015-01-27
grub-install-pvxen-paths.patch grub-install: Install PV Xen binaries into the upstream specified path

Upstream have defined a specification for where guests ought to place their
xenpv grub binaries in order to facilitate chainloading from a stage 1 grub
loaded from dom0.

The spec calls for installation into /boot/xen/pvboot-i386.elf or
Ian Campbell <> yes debian 2014-10-24
insmod-xzio-and-lzopio-on-xen.patch Arrange to insmod xzio and lzopio when booting a kernel as a Xen guest

This is needed in case the Linux kernel is compiled with CONFIG_KERNEL_XZ or
CONFIG_KERNEL_LZO rather than CONFIG_KERNEL_GZ (gzio is already loaded by
grub.cfg today).
Ian Campbell <> yes debian 2014-11-30
zpool-full-device-name.patch Tell zpool to emit full device names
zfs-initramfs currently provides extraneous, undesired symlinks to
devices directly underneath /dev/ to satisfy zpool's historical output
of unqualified device names. By including this environment variable to
signal our intent to zpool, zfs-linux packages can drop the symlink
behavior when updating to its upstream or backported output behavior.
Chad MILLER <> yes debian upstream 2016-11-01
network/net-http-check-result-of-grub_netbuff_put-in-http_receive.patch net/http: check result of grub_netbuff_put() in http_receive() Robbie Harwood <> no 2023-04-25
network/bootp-new-net_bootp6-command.patch efinet + bootp: add net_bootp6 command supporting dhcpv6
Implement new net_bootp6 command for IPv6 network auto configuration via
the DHCPv6 protocol (RFC3315).
Peter Jones <> no 2023-04-25
network/efinet-add-structures-for-PXE-messages.patch efinet: add structures for PXE messages
When grub2 image is booted from UEFI IPv6 PXE, the DHCPv6 Reply packet
is cached in firmware buffer which can be obtained by PXE Base Code
protocol. The network interface can be setup through the parameters in
that obtained packet.

Augment existing structures to represent this, and make them agnostic
between ipv4 and ipv6.
Michael Chang <> no 2023-04-25
network/bootp-process-dhcpack-http-boot.patch bootp: Process DHCPACK packet during HTTP Boot
The vendor class identifier with the string "HTTPClient" is used to
denote the packet as responding to HTTP boot request. In DHCP4 config,
the filename for HTTP boot is the URL of the boot file, while for PXE
boot it is the path to the boot file. As a consequence, the next-server
becomes obselete because the HTTP URL already contains the server
address for the boot file. For DHCP6 config, there's no difference
definition in existing config as dhcp6.bootfile-url can be used to
specify URL for both HTTP and PXE boot file.

Add processing for "HTTPClient" vendor class identifier in DHCPACK
packet by treating it as HTTP format, not as the PXE format.
Michael Chang <> no 2023-04-25
network/efinet-Configure-network-from-UEFI-device-path.patch efinet Configure network from UEFI device path
The PXE Base Code protocol used to obtain cached PXE DHCPACK packet is
no longer provided for HTTP Boot. Instead, we have to get the HTTP boot
information from the device path nodes defined in following UEFI
Specification sections. IPv4 Device Path IPv6 Device Path Uniform Resource Identifiers (URI) Device Path

This patch basically does:

Add new structure for Uniform Resource Identifiers (URI) Device Path


Check if PXE Base Code is available. If not, try to obtain the netboot
information from the device path where the image booted from. The
DHCPACK packet is recoverd from the information in device patch and fed
into the same DHCP packet processing functions to ensure the network
interface is set up the same way it used to be.
Michael Chang <> no 2023-04-25
network/efinet-set-dns-from-uefi-proto.patch efinet: set DNS server from UEFI protocol
In the URI device path node, any name rather than address can be used
for looking up the resources so that DNS service become needed to get
answer of the name's address. Unfortunately, DNS is not defined in any
of the device path nodes so that we use the EFI_IP4_CONFIG2_PROTOCOL and

These two protcols are defined the sections of UEFI specification.

27.5 EFI IPv4 Configuration II Protocol
27.7 EFI IPv6 Configuration Protocol

Add new structure and protocol UUID of EFI_IP4_CONFIG2_PROTOCOL and

the list of DNS server address for IPv4 and IPv6 respectively. The
address of DNS servers is structured into DHCPACK packet and feed into
the same DHCP packet processing functions to ensure the network
interface is setting up the same way it used to be.

(rebased against 2.12)
Michael Chang <> no 2023-04-25
network/support-uefi-networking-protocols.patch Support UEFI networking protocols Michael Chang <> no 2023-01-09
network/efinet-also-use-the-firmware-acceleration-for-http.patch efinet: also use the firmware acceleration for http Peter Jones <> no 2023-01-09
network/efi-http-match-protocol-hostname-of-boot-url-in-root.patch efi/http: match protocol+hostname of boot url in root_url
This lets you write config files that don't know urls.
Peter Jones <> no 2023-01-09
network/add-fw_path-variable-to-detect-config-file-on-efi.patch Add fw_path variable to detect config file on efi
This patch makes grub look for its config file on efi where the app was
Paulo Flabiano Smorigo <> no 2023-01-09
network/use-fw_path-prefix-when-fallback-searching-for-grub-config.patch use fw_path prefix when fallback searching for grub config
When PXE booting via UEFI firmware, grub was searching for grub.cfg in
the fw_path directory where the grub application was found. If that
didn't exist, a fallback search would look for config file names based
on MAC and IP address. However, the search would look in the prefix
directory which may not be the same fw_path. This patch changes that
behavior to use the fw_path directory for the fallback search. Only if
fw_path is NULL will the prefix directory be searched.
Mark Salter <> no 2023-01-09
network/try-prefixes-for-tftp-config-file.patch Try mac/guid/etc before grub.cfg on tftp config files Peter Jones <> no 2023-01-09
network/prepend-prefix-when-http-path-is-relative.patch Prepend prefix when HTTP path is relative
This sets a couple of variables. With the url :
http_path: /foo/bar
Stephen Benjamin <> no 2023-01-09
network/efi-http-enclose-literal-ipv6-addresses-in-square-br.patch efi/http: Enclose literal IPv6 addresses in square brackets
According to RFC 2732 (, literal IPv6
addresses must be enclosed in square brackets. But GRUB currently does not
do this and is causing HTTP servers to send Bad Request (400) responses.

For example, the following is the HTTP stream when fetching a config file:

HEAD /EFI/BOOT/grub.cfg HTTP/1.1

HTTP/1.1 400 Bad Request

and after enclosing the IPv6 address the HTTP request is successful:

HEAD /EFI/BOOT/grub.cfg HTTP/1.1

HTTP/1.1 200 OK
Javier Martinez Canillas <> no 2020-03-05
network/http-prepend-prefix-when-the-http-path-is-relative.patch http: Prepend prefix when the HTTP path is relative
There are two different HTTP drivers that can be used when requesting an
HTTP resource: the efi/http that uses the EFI_HTTP_PROTOCOL and the http
that uses GRUB's HTTP and TCP/IP implementation.

The efi/http driver appends a prefix that is defined in the variable
http_path, but the http driver doesn't. So using this driver and
attempting to fetch a resource using a relative path fails. Match the
behavior of efi/http.
Javier Martinez Canillas <> no 2023-01-09
network/discover-the-device-to-read-the-config-from-as-fallback.patch normal/main: Discover the device to read the config from as a fallback

When core.img is generated locally, the grub2-probe tool figures out the
device and partition that needs to be read to parse the GRUB
configuration file.

But in some cases the core.img can't be generated on the host and
instead has to be done at package build time. In particular, this will
be true when it needs to be signed with a key that's only available on
the package building infrastructure.

In that case, the prefix variable won't have a device and partition but
only a directory path. So there's no way for GRUB to know from which
device has to read the configuration file.

To allow GRUB to continue working on that scenario, fallback to
iterating over all the available devices if reading the config failed
when using the prefix and fw_path variables.
Javier Martinez Canillas <> no 2023-01-09
network/efinet-add-dhcp-proxy-support.patch efinet: Add DHCP proxy support
If a proxyDHCP configuration is used, the server name, server IP and
boot file values should be taken from the DHCP proxy offer instead of
the DHCP server ack packet.
Ian Page Hands <> no 2023-01-09
network/rhboot-http-message-field-size.patch efi/http: change uint32_t to uintn_t
be UEFI 2.9 compliant.
Keng-Yu Lin <> no 2023-04-26
skip-grub_cmd_set_date.patch Skip flaky grub_cmd_set_date test Colin Watson <> no debian 2018-10-28
bash-completion-drop-have-checks.patch bash-completion: Drop "have" checks
These don't work with and aren't needed by dynamically-loaded
Colin Watson <> no debian 2018-11-16
at_keyboard-module-init.patch at_keyboard: initialize keyboard in module init if keyboard is ready
The change in 0c62a5b2 caused at_keyboard to fail on some
machines. Immediately initializing the keyboard in the module init if
the keyboard is ready makes the problem go away.
Jeroen Dekkers <> no debian 2019-02-09
uefi-secure-boot-cryptomount.patch Fix setup on Secure Boot systems where cryptodisk is in use
On full-encrypted systems, including /boot, the current code omits
cryptodisk commands needed to open the drives if Secure Boot is enabled.
This prevents grub2 from reading any further configuration residing on
the encrypted disk.
This patch fixes this issue by adding the needed "cryptomount" commands in
the load.cfg file that is then copied in the EFI partition.
=?utf-8?q?Herv=C3=A9_Werner?= <> no debian 2019-02-10
efi-variable-storage-minimise-writes.patch Minimise writes to EFI variable storage
Some UEFI firmware is easily provoked into running out of space in its
variable storage. This is usually due to certain kernel drivers (e.g.
pstore), but regardless of the cause it can cause grub-install to fail
because it currently asks efibootmgr to delete and re-add entries, and
the deletion often doesn't result in an immediate garbage collection.
Writing variables frequently also increases wear on the NVRAM which may
have limited write cycles. For these reasons, it's desirable to find a
way to minimise writes while still allowing grub-install to ensure that
a suitable boot entry exists.

Unfortunately, efibootmgr doesn't offer an interface that would let
grub-install do this. It doesn't in general make very much effort to
minimise writes; it doesn't allow modifying an existing Boot* variable
entry, except in certain limited ways; and current versions don't have a
way to export the expected variable data so that grub-install can
compare it to the current data. While it would be possible (and perhaps
desirable?) to add at least some of this to efibootmgr, that would still
leave the problem that there isn't a good upstreamable way for
grub-install to guarantee that it has a new enough version of
efibootmgr. In any case, it's cumbersome and slow for grub-install to
have to fork efibootmgr to get things done.

Fortunately, a few years ago Peter Jones helpfully factored out a
substantial part of efibootmgr to the efivar and efiboot libraries, and
so it's now possible to have grub-install use those directly. We still
have to use some code from efibootmgr, but much less than would
previously have been necessary.

grub-install now reuses existing boot entries where possible, and avoids
writing to variables when the new contents are the same as the old
contents. In the common upgrade case where nothing needs to change, it
no longer writes to NVRAM at all. It's also now slightly faster, since
using libefivar is faster than forking efibootmgr.

Fixes Debian bug #891434.
Colin Watson <> yes debian 2019-03-23
xen-no-xsm-policy-in-non-xsm-options.patch 20_linux_xen: Do not load XSM policy in non-XSM options
For complicated reasons, even if you have XSM/FLASK disabled (as is
the default) the Xen build system still builds a policy file and puts
it in /boot.

Even so, we shouldn't be loading this in the usual non-"XSM enabled"
entries. It doesn't do any particular harm but it is quite confusing.
Ian Jackson <> no debian 2020-05-29
pc-verifiers-module.patch i386-pc: build verifiers API as module
Given no core functions on i386-pc would require verifiers to work and
the only consumer of the verifier API is the pgp module, it looks good
to me that we can move the verifiers out of the kernel image and let
moddep.lst to auto-load it when pgp is loaded on i386-pc platform.

This helps to reduce the size of core image and thus can relax the
tension of exploding on some i386-pc system with very short MBR gap
size. See also a very comprehensive summary from Colin [1] about the


Drop COND_NOT_i386_pc and use !COND_i386_pc.
Add comment in kern/verifiers.c to help understanding what's going on
without digging into the commit history.
Michael Chang <> no debian other, 2021-09-24
debug_verifiers.patch Add debug to display what's going on with verifiers Steve McIntyre <> no 2021-04-17
mkimage-fix-section-sizes.patch util/mkimage: Some fixes to PE binaries section size calculation
Commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
added a helper function to setup PE sections, but it caused regressions
in some arches where the natural alignment lead to wrong section sizes.

This patch fixes a few things that were caused the section sizes to be
calculated wrongly. These fixes are:

* Only align the virtual memory addresses but not the raw data offsets.
* Use aligned sizes for virtual memory sizes but not for raw data sizes.
* Always align the sizes to set the virtual memory sizes.

These seems to not cause problems for x64 and aa64 EFI platforms but was
a problem for ia64. Because the size of the ".data" and "mods" sections
were wrong and didn't have the correct content. Which lead to GRUB not
being able to load any built-in module.
Javier Martinez Canillas <> no debian 2021-04-16
987008-lvrename-boot-fail.patch fix renamed LV detection

It looks like the detection of the LVM logical volumes fails in
certain edge conditions. In particular, it was reported that
renaming an LV will make grub fail to boot from the system as it
cannot properly detect it anymore.
I have looked at the code surrounding the patch and cannot claim to
understand the entire function here, as it is huge and quite
cryptic. But it seems sane: the `ptr` we're inspecting here starts
at the `rlocn->offset`, but we were adding `mda_size` to the
(somewhat) unrelated metadatabuf instead. Now we're marking the
`mda_end` correctly, based on the rlocn->offsite and ->size.
I have not tested this myself as the test setup is quite involved,
but it seems others (e.g. "Hoyer, David" <>)
have tested the patch and confirmed it worked.
Rogier <> yes debian upstream other 2023-02-25
grub_os-prober.patch grub_os-prober GRUB Maintainers <> no 2023-06-19
secure-boot/revert-efi-fallback-to-legacy.patch Disable fallback to legacy mode if shim is loaded on x86 archs
This reverts commits
- 6425c12cd77ad51ad24be84c092aefacf0875089:
this originally adds the fallback
- e60015f574024584e43d1b3b245551e864aa8c4d:
this triggers it in another case
Julian Andres Klode <> no 2023-07-19
secure-boot/loader-framework.patch efi: Provide wrappers for load_image, start_image, unload_image
These can be used to register a different implementation later,
for example, when shim provides a protocol with those functions.
Julian Andres Klode <> no 2023-07-24
secure-boot/efi-use-peimage-shim.patch efi: Provide a shim for load_image, start_image, unload_image
Provide custom implementations of load_image(), start_image(),
and unload_image() to workaround shim just forwarding those
calls to the firmware.

The code consumes a PE-COFF image loaded into memory. The functions

* check validity of header
* copy the sections
* relocate the code
* invalidate the instruction cache
* execute the image
* return to caller

This was previously in use in Ubuntu on riscv64 and arm64 only,
exposed as a single function grub_efi_run_image(). It was
originally written by Heinrich and split up into 3 functions
by Julian to integrate with the upstream boot loader.


- We do not always check for over and underflows, but at the
point we reach this loader, the file has been verified by
shim already, so this is not much of a concern.
Julian Andres Klode <> no 2023-07-24
zstd-require-8-byte-buffer.patch zstd: Require at least 8 byte buffer in entropy_common
This fixes the build on s390x which was rightfully complaining that
iend - 7 = buffer + 4 - 7 = buffer -3 is outside the array bounds.

../../grub-core/lib/zstd/entropy_common.c: In function ‘FSE_readNCount’:
../../grub-core/lib/zstd/entropy_common.c:121:28: error: array subscript -3 is outside array bounds of ‘char[4]’ [-Werror=array-bounds]
121 | if ((ip <= iend-7) || (ip + (bitCount>>3) <= iend-4)) {
| ~~~~^~
../../grub-core/lib/zstd/entropy_common.c:77:14: note: while referencing ‘buffer’
77 | char buffer[4];
| ^~~~~~
../../grub-core/lib/zstd/entropy_common.c:105:30: error: array subscript -1 is outside array bounds of ‘char[4]’ [-Werror=array-bounds]
105 | if (ip < iend-5) {
| ~~~~^~
../../grub-core/lib/zstd/entropy_common.c:77:14: note: while referencing ‘buffer’
77 | char buffer[4];
| ^~~~~~
../../grub-core/lib/zstd/entropy_common.c:150:28: error: array subscript -3 is outside array bounds of ‘char[4]’ [-Werror=array-bounds]
150 | if ((ip <= iend-7) || (ip + (bitCount>>3) <= iend-4)) {
| ~~~~^~
../../grub-core/lib/zstd/entropy_common.c:77:14: note: while referencing ‘buffer’
77 | char buffer[4];
| ^~~~~~

This is fixed in more recent zstd versions in basically the same way,
but the new versions needs more work to import.
Julian Andres Klode <> no 2021-12-02
recovery-dis_ucode_ldr.patch Pass dis_ucode_ldr to kernel for recovery mode
In case of a botched microcode update, this allows people to
easily roll back.

It will of course break in the more unlikely event that you are
missing a microcode update in your firmware that is needed to boot
the system, but editing the entry to remove an option is easier than
having to figure out the option and add it.
Julian Andres Klode <> no 2020-06-19
hwmatch-only-on-grub-pc-platform.patch Call hwmatch only on the grub-pc platform
Call hwmatch only on i386/pc as it is only available there.
This avoids "error: can't find command `hwmatch'." on e.g., x86_64/efi.

The equivalent behavior is linux_gfx_mode=keep because grub is special:
the `if hwmatch` clause is true on that error and `$match = 0` is true
too, as it is undefined (confirmed in grub shell.) A quick fix for now.

Before and After:

grub> hwmatch
error: can't find command `hwmatch'.

grub> echo $grub_platform

grub> echo $linux_gfx_mode
Mauricio Faria de Oliveira <> no debian 2020-08-20
fat-fix-listing-the-root-directory.patch fat: fix listing the root directory
ls / for a FAT partition leads to

error: invalid modification timestamp for /.

Not all entries of the directory are displayed.

Linux never updates the modification timestamp of the /. directory entry.
The FAT specification allows the access and creation date fields to be

We should follow Linux and render initial FAT timestamps as start of
the epoch.
Heinrich Schuchardt <> no 2022-01-21
efivar-check-that-efivarfs-is-writeable.patch [PATCH 1/1] efivar: check that efivarfs is writeable
Some UEFI implementations (notably U-Boot) don't implement the
SetVariable() runtime service. On these systems the GRUB installation
must be completed manually. Write a warning in this case but avoid
throwing an error. (LP: #1965288)
Heinrich Schuchardt <> no 2022-03-18
fdt-add-debug-output-to-devicetree-command.patch [PATCH] fdt: add debug output to devicetree command
For debugging we need feedback that the devicetree command has be executed.
Heinrich Schuchardt <> no 2022-03-24
fdt-device-tree-fixup-protocol.patch [PATCH] efi: EFI Device Tree Fixup Protocol
Device-trees are used to convey information about hardware to the operating
system. Some of the properties are only known at boot time. (One example of
such a property is the number of the boot hart on RISC-V systems.) Therefore
the firmware applies fix-ups to the original device-tree. Some nodes and
properties are added or altered.

When using GRUB's device-tree command the same fix-ups have to be applied.
The EFI Device Tree Fixup Protocol allows to pass the loaded device tree
to the firmware for this purpose.

The protocol can

* add nodes and update properties
* reserve memory according to the /reserved-memory node and the memory
reservation block
* install the device-tree as configuration table

With the patch GRUB checks if the protocol is installed and invokes it if
available. (LP: #1965796)
Heinrich Schuchardt <> no 2021-01-29
extra_deps_lst.patch Checkout "extra_deps.lst" from upstream/master
This file is unfortunately missing from upstream release tarball.
Mate Kukri <> no 2024-01-10
install-signed.patch Install signed images if UEFI Secure Boot is enabled Mathieu Trudel-Lapierre <> no 2023-01-15
grub-install-extra-removable.patch Add support for forcing EFI installation to the removable media path
Add an extra option to grub-install "--force-extra-removable". On EFI
platforms, this will cause an extra copy of the grub-efi image to be
written to the appropriate removable media patch
/boot/efi/EFI/BOOT/BOOT$ARCH.EFI as well. This will help with broken
UEFI implementations where the firmware does not work when configured
with new boot paths.
Steve McIntyre <> invalid debian 2021-09-24
grub-install-removable-shim.patch Deal with --force-extra-removable with signed shim too
In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
and signed Grub as /EFI/BOOT/grubXXX.efi.

Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
/EFI/BOOT/ so that it can work when needed (*iff* we're updating the

[cjwatson: Refactored also_install_removable somewhat for brevity and so
that we're using consistent case-insensitive logic.]
Steve McIntyre <> no debian 2021-09-24

All known versions for source package 'grub2'