Merge pull request #167204 from helsinki-systems/drop/grub1

grub legacy: remove
2024-11-18 13:19:10 +03:00 · 2023-05-10 21:04:08 +01:00 · 2023-05-10 21:04:08 +01:00 · 9184f1989b
commit 9184f1989b
parent 10e776dca9 1319323458
18 changed files with 683 additions and 971 deletions
--- a/nixos/modules/config/gnu.nix
+++ b/nixos/modules/config/gnu.nix
@ -29,7 +29,6 @@
    # GNU GRUB, where available.
    boot.loader.grub.enable = !pkgs.stdenv.isAarch32;
    boot.loader.grub.version = 2;
    # GNU lsh.
    services.openssh.enable = false;
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -694,8 +694,6 @@ in
      }
    ];
    boot.loader.grub.version = 2;
    # Don't build the GRUB menu builder script, since we don't need it
    # here and it causes a cyclic dependency.
    boot.loader.grub.enable = false;
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -651,7 +651,6 @@ EOF
            $bootLoaderConfig = <<EOF;
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 with lib;
@ -12,8 +12,7 @@ let
    # Package set of targeted architecture
    if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs;
-  realGrub = if cfg.version == 1 then grubPkgs.grub
+  realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; }
    else if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; }
    else if cfg.trustedBoot.enable
         then if cfg.trustedBoot.isHPLaptop
              then grubPkgs.trustedGrub-for-HP
@ -28,8 +27,7 @@ let
    else realGrub;
  grubEfi =
-    # EFI version of Grub v2
+    if cfg.efiSupport
    if cfg.efiSupport && (cfg.version == 2)
    then realGrub.override { efiSupport = cfg.efiSupport; }
    else null;
@ -52,24 +50,24 @@ let
      fullName = lib.getName realGrub;
      fullVersion = lib.getVersion realGrub;
      grubEfi = f grubEfi;
-      grubTargetEfi = optionalString (cfg.efiSupport && (cfg.version == 2)) (f (grubEfi.grubTarget or ""));
+      grubTargetEfi = optionalString cfg.efiSupport (f (grubEfi.grubTarget or ""));
      bootPath = args.path;
      storePath = config.boot.loader.grub.storePath;
      bootloaderId = if args.efiBootloaderId == null then "${config.system.nixos.distroName}${efiSysMountPoint'}" else args.efiBootloaderId;
      timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
      users = if cfg.users == {} || cfg.version != 1 then cfg.users else throw "GRUB version 1 does not support user accounts.";
      theme = f cfg.theme;
      inherit efiSysMountPoint;
      inherit (args) devices;
      inherit (efi) canTouchEfiVariables;
      inherit (cfg)
-        version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
+        extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
        extraGrubInstallArgs
        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
-        default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios;
+        default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios
        users;
      path = with pkgs; makeBinPath (
        [ coreutils gnused gnugrep findutils diffutils btrfs-progs util-linux mdadm ]
-        ++ optional (cfg.efiSupport && (cfg.version == 2)) efibootmgr
+        ++ optional cfg.efiSupport efibootmgr
        ++ optionals cfg.useOSProber [ busybox os-prober ]);
      font = if cfg.font == null then ""
        else (if lib.last (lib.splitString "." cfg.font) == "pf2"
@ -109,14 +107,8 @@ in
      };
      version = mkOption {
-        default = 2;
+        visible = false;
        example = 1;
        type = types.int;
        description = lib.mdDoc ''
          The version of GRUB to use: `1` for GRUB
          Legacy (versions 0.9x), or `2` (the
          default) for GRUB 2.
        '';
      };
      device = mkOption {
@ -724,14 +716,7 @@ in
  config = mkMerge [
-    { boot.loader.grub.splashImage = mkDefault (
+    { boot.loader.grub.splashImage = mkDefault defaultSplash; }
        if cfg.version == 1 then pkgs.fetchurl {
          url = "http://www.gnome-look.org/CONTENT/content-files/36909-soft-tux.xpm.gz";
          sha256 = "14kqdx2lfqvh40h6fjjzqgff1mwk74dmbjvmqphi6azzra7z8d59";
        }
        # GRUB 1.97 doesn't support gzipped XPMs.
        else defaultSplash);
    }
    (mkIf (cfg.splashImage == defaultSplash) {
      boot.loader.grub.backgroundColor = mkDefault "#2F302F";
@ -788,10 +773,6 @@ in
        '') config.boot.loader.grub.extraFiles);
      assertions = [
        {
          assertion = !cfg.zfsSupport || cfg.version == 2;
          message = "Only GRUB version 2 provides ZFS support";
        }
        {
          assertion = cfg.mirroredBoots != [ ];
          message = "You must set the option ‘boot.loader.grub.devices’ or "
@ -801,10 +782,6 @@ in
          assertion = cfg.efiSupport || all (c: c < 2) (mapAttrsToList (n: c: if n == "nodev" then 0 else c) bootDeviceCounters);
          message = "You cannot have duplicated devices in mirroredBoots";
        }
        {
          assertion = !cfg.trustedBoot.enable || cfg.version == 2;
          message = "Trusted GRUB is only available for GRUB 2";
        }
        {
          assertion = !cfg.efiSupport || !cfg.trustedBoot.enable;
          message = "Trusted GRUB does not have EFI support";
@ -825,6 +802,10 @@ in
          assertion = cfg.efiInstallAsRemovable -> !config.boot.loader.efi.canTouchEfiVariables;
          message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn off boot.loader.efi.canTouchEfiVariables";
        }
        {
          assertion = !(options.boot.loader.grub.version.isDefined && cfg.version == 1);
          message = "Support for version 0.9x of GRUB was removed after being unsupported upstream for around a decade";
        }
      ] ++ flip concatMap cfg.mirroredBoots (args: [
        {
          assertion = args.devices != [ ];
@ -844,6 +825,11 @@ in
      }));
    })
    (mkIf options.boot.loader.grub.version.isDefined {
      warnings = [ ''
        The boot.loader.grub.version option does not have any effect anymore, please remove it from your configuration.
      '' ];
    })
  ];
--- a/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixos/modules/system/boot/loader/grub/install-grub.pl
@ -61,7 +61,6 @@ sub runCommand {
 }
 my $grub = get("grub");
 my $grubVersion = int(get("version"));
 my $grubTarget = get("grubTarget");
 my $extraConfig = get("extraConfig");
 my $extraPrepareConfig = get("extraPrepareConfig");
@ -96,9 +95,7 @@ my $theme = get("theme");
 my $saveDefault = $defaultEntry eq "saved";
 $ENV{'PATH'} = get("path");
-die "unsupported GRUB version\n" if $grubVersion != 1 && $grubVersion != 2;
+print STDERR "updating GRUB 2 menu...\n";
 print STDERR "updating GRUB $grubVersion menu...\n";
 mkpath("$bootPath/grub", 0, 0700);
@ -176,76 +173,74 @@ sub GrubFs {
    }
    my $search = "";
-    if ($grubVersion > 1) {
+    # ZFS is completely separate logic as zpools are always identified by a label
-        # ZFS is completely separate logic as zpools are always identified by a label
+    # or custom UUID
-        # or custom UUID
+    if ($fs->type eq 'zfs') {
-        if ($fs->type eq 'zfs') {
+        my $sid = index($fs->device, '/');
            my $sid = index($fs->device, '/');
-            if ($sid < 0) {
+        if ($sid < 0) {
-                $search = '--label ' . $fs->device;
+            $search = '--label ' . $fs->device;
-                $path = '/@' . $path;
+            $path = '/@' . $path;
-            } else {
+        } else {
-                $search = '--label ' . substr($fs->device, 0, $sid);
+            $search = '--label ' . substr($fs->device, 0, $sid);
-                $path = '/' . substr($fs->device, $sid) . '/@' . $path;
+            $path = '/' . substr($fs->device, $sid) . '/@' . $path;
        }
    } else {
        my %types = ('uuid' => '--fs-uuid', 'label' => '--label');
        if ($fsIdentifier eq 'provided') {
            # If the provided dev is identifying the partition using a label or uuid,
            # we should get the label / uuid and do a proper search
            my @matches = $fs->device =~ m/\/dev\/disk\/by-(label|uuid)\/(.*)/;
            if ($#matches > 1) {
                die "Too many matched devices"
            } elsif ($#matches == 1) {
                $search = "$types{$matches[0]} $matches[1]"
            }
        } else {
-            my %types = ('uuid' => '--fs-uuid', 'label' => '--label');
+            # Determine the identifying type
            $search = $types{$fsIdentifier} . ' ';
-            if ($fsIdentifier eq 'provided') {
+            # Based on the type pull in the identifier from the system
-                # If the provided dev is identifying the partition using a label or uuid,
+            my ($status, @devInfo) = runCommand("@utillinux@/bin/blkid", "-o", "export", @{[$fs->device]});
-                # we should get the label / uuid and do a proper search
+            if ($status != 0) {
-                my @matches = $fs->device =~ m/\/dev\/disk\/by-(label|uuid)\/(.*)/;
+                die "Failed to get blkid info (returned $status) for @{[$fs->mount]} on @{[$fs->device]}";
                if ($#matches > 1) {
                    die "Too many matched devices"
                } elsif ($#matches == 1) {
                    $search = "$types{$matches[0]} $matches[1]"
                }
            } else {
                # Determine the identifying type
                $search = $types{$fsIdentifier} . ' ';
                # Based on the type pull in the identifier from the system
                my ($status, @devInfo) = runCommand("@utillinux@/bin/blkid", "-o", "export", @{[$fs->device]});
                if ($status != 0) {
                    die "Failed to get blkid info (returned $status) for @{[$fs->mount]} on @{[$fs->device]}";
                }
                my @matches = join("", @devInfo) =~ m/@{[uc $fsIdentifier]}=([^\n]*)/;
                if ($#matches != 0) {
                    die "Couldn't find a $types{$fsIdentifier} for @{[$fs->device]}\n"
                }
                $search .= $matches[0];
            }
            my @matches = join("", @devInfo) =~ m/@{[uc $fsIdentifier]}=([^\n]*)/;
            if ($#matches != 0) {
                die "Couldn't find a $types{$fsIdentifier} for @{[$fs->device]}\n"
            }
            $search .= $matches[0];
        }
-            # BTRFS is a special case in that we need to fix the referrenced path based on subvolumes
+        # BTRFS is a special case in that we need to fix the referrenced path based on subvolumes
-            if ($fs->type eq 'btrfs') {
+        if ($fs->type eq 'btrfs') {
-                my ($status, @id_info) = runCommand("@btrfsprogs@/bin/btrfs", "subvol", "show", @{[$fs->mount]});
+            my ($status, @id_info) = runCommand("@btrfsprogs@/bin/btrfs", "subvol", "show", @{[$fs->mount]});
            if ($status != 0) {
                die "Failed to retrieve subvolume info for @{[$fs->mount]}\n";
            }
            my @ids = join("\n", @id_info) =~ m/^(?!\/\n).*Subvolume ID:[ \t\n]*([0-9]+)/s;
            if ($#ids > 0) {
                die "Btrfs subvol name for @{[$fs->device]} listed multiple times in mount\n"
            } elsif ($#ids == 0) {
                my ($status, @path_info) = runCommand("@btrfsprogs@/bin/btrfs", "subvol", "list", @{[$fs->mount]});
                if ($status != 0) {
-                    die "Failed to retrieve subvolume info for @{[$fs->mount]}\n";
+                    die "Failed to find @{[$fs->mount]} subvolume id from btrfs\n";
                }
-                my @ids = join("\n", @id_info) =~ m/^(?!\/\n).*Subvolume ID:[ \t\n]*([0-9]+)/s;
+                my @paths = join("", @path_info) =~ m/ID $ids[0] [^\n]* path ([^\n]*)/;
-                if ($#ids > 0) {
+                if ($#paths > 0) {
-                    die "Btrfs subvol name for @{[$fs->device]} listed multiple times in mount\n"
+                    die "Btrfs returned multiple paths for a single subvolume id, mountpoint @{[$fs->mount]}\n";
-                } elsif ($#ids == 0) {
+                } elsif ($#paths != 0) {
-                    my ($status, @path_info) = runCommand("@btrfsprogs@/bin/btrfs", "subvol", "list", @{[$fs->mount]});
+                    die "Btrfs did not return a path for the subvolume at @{[$fs->mount]}\n";
                    if ($status != 0) {
                        die "Failed to find @{[$fs->mount]} subvolume id from btrfs\n";
                    }
                    my @paths = join("", @path_info) =~ m/ID $ids[0] [^\n]* path ([^\n]*)/;
                    if ($#paths > 0) {
                        die "Btrfs returned multiple paths for a single subvolume id, mountpoint @{[$fs->mount]}\n";
                    } elsif ($#paths != 0) {
                        die "Btrfs did not return a path for the subvolume at @{[$fs->mount]}\n";
                    }
                    $path = "/$paths[0]$path";
                }
                $path = "/$paths[0]$path";
            }
        }
-        if (not $search eq "") {
+    }
-            $search = "search --set=drive$driveid " . $search;
+    if (not $search eq "") {
-            $path = "(\$drive$driveid)$path";
+        $search = "search --set=drive$driveid " . $search;
-            $driveid += 1;
+        $path = "(\$drive$driveid)$path";
-        }
+        $driveid += 1;
    }
    return Grub->new(path => $path, search => $search);
 }
@ -258,166 +253,151 @@ if ($copyKernels == 0) {
 # Generate the header.
 my $conf .= "# Automatically generated.  DO NOT EDIT THIS FILE!\n";
-if ($grubVersion == 1) {
+my @users = ();
-    # $defaultEntry might be "saved", indicating that we want to use the last selected configuration as default.
+foreach my $user ($dom->findnodes('/expr/attrs/attr[@name = "users"]/attrs/attr')) {
-    # Incidentally this is already the correct value for the grub 1 config to achieve this behaviour.
+    my $name = $user->findvalue('@name') or die;
-    $conf .= "
+    my $hashedPassword = $user->findvalue('./attrs/attr[@name = "hashedPassword"]/string/@value');
-        default $defaultEntry
+    my $hashedPasswordFile = $user->findvalue('./attrs/attr[@name = "hashedPasswordFile"]/string/@value');
-        timeout $timeout
+    my $password = $user->findvalue('./attrs/attr[@name = "password"]/string/@value');
-    ";
+    my $passwordFile = $user->findvalue('./attrs/attr[@name = "passwordFile"]/string/@value');
-    if ($splashImage) {
+
-        copy $splashImage, "$bootPath/background.xpm.gz" or die "cannot copy $splashImage to $bootPath: $!\n";
+    if ($hashedPasswordFile) {
-        $conf .= "splashimage " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/background.xpm.gz\n";
+        open(my $f, '<', $hashedPasswordFile) or die "Can't read file '$hashedPasswordFile'!";
        $hashedPassword = <$f>;
        chomp $hashedPassword;
    }
    if ($passwordFile) {
        open(my $f, '<', $passwordFile) or die "Can't read file '$passwordFile'!";
        $password = <$f>;
        chomp $password;
    }
 }
-else {
+    if ($hashedPassword) {
-    my @users = ();
+        if (index($hashedPassword, "grub.pbkdf2.") == 0) {
-    foreach my $user ($dom->findnodes('/expr/attrs/attr[@name = "users"]/attrs/attr')) {
+            $conf .= "\npassword_pbkdf2 $name $hashedPassword";
        my $name = $user->findvalue('@name') or die;
        my $hashedPassword = $user->findvalue('./attrs/attr[@name = "hashedPassword"]/string/@value');
        my $hashedPasswordFile = $user->findvalue('./attrs/attr[@name = "hashedPasswordFile"]/string/@value');
        my $password = $user->findvalue('./attrs/attr[@name = "password"]/string/@value');
        my $passwordFile = $user->findvalue('./attrs/attr[@name = "passwordFile"]/string/@value');
        if ($hashedPasswordFile) {
            open(my $f, '<', $hashedPasswordFile) or die "Can't read file '$hashedPasswordFile'!";
            $hashedPassword = <$f>;
            chomp $hashedPassword;
        }
        if ($passwordFile) {
            open(my $f, '<', $passwordFile) or die "Can't read file '$passwordFile'!";
            $password = <$f>;
            chomp $password;
        }
        if ($hashedPassword) {
            if (index($hashedPassword, "grub.pbkdf2.") == 0) {
                $conf .= "\npassword_pbkdf2 $name $hashedPassword";
            }
            else {
                die "Password hash for GRUB user '$name' is not valid!";
            }
        }
        elsif ($password) {
            $conf .= "\npassword $name $password";
        }
        else {
-            die "GRUB user '$name' has no password!";
+            die "Password hash for GRUB user '$name' is not valid!";
        }
        push(@users, $name);
    }
-    if (@users) {
+    elsif ($password) {
-        $conf .= "\nset superusers=\"" . join(' ',@users) . "\"\n";
+        $conf .= "\npassword $name $password";
    }
    else {
        die "GRUB user '$name' has no password!";
    }
    push(@users, $name);
 }
 if (@users) {
    $conf .= "\nset superusers=\"" . join(' ',@users) . "\"\n";
 }
-    if ($copyKernels == 0) {
+if ($copyKernels == 0) {
        $conf .= "
            " . $grubStore->search;
    }
    # FIXME: should use grub-mkconfig.
    my $defaultEntryText = $defaultEntry;
    if ($saveDefault) {
        $defaultEntryText = "\"\${saved_entry}\"";
    }
    $conf .= "
-        " . $grubBoot->search . "
+        " . $grubStore->search;
-        if [ -s \$prefix/grubenv ]; then
+}
-          load_env
+# FIXME: should use grub-mkconfig.
 my $defaultEntryText = $defaultEntry;
 if ($saveDefault) {
    $defaultEntryText = "\"\${saved_entry}\"";
 }
 $conf .= "
    " . $grubBoot->search . "
    if [ -s \$prefix/grubenv ]; then
      load_env
    fi
    # ‘grub-reboot’ sets a one-time saved entry, which we process here and
    # then delete.
    if [ \"\${next_entry}\" ]; then
      set default=\"\${next_entry}\"
      set next_entry=
      save_env next_entry
      set timeout=1
      set boot_once=true
    else
      set default=$defaultEntryText
      set timeout=$timeout
    fi
    function savedefault {
        if [ -z \"\${boot_once}\"]; then
        saved_entry=\"\${chosen}\"
        save_env saved_entry
        fi
    }
-        # ‘grub-reboot’ sets a one-time saved entry, which we process here and
+    # Setup the graphics stack for bios and efi systems
-        # then delete.
+    if [ \"\${grub_platform}\" = \"efi\" ]; then
-        if [ \"\${next_entry}\" ]; then
+      insmod efi_gop
-          set default=\"\${next_entry}\"
+      insmod efi_uga
-          set next_entry=
+    else
-          save_env next_entry
+      insmod vbe
-          set timeout=1
+    fi
-          set boot_once=true
+";
        else
          set default=$defaultEntryText
          set timeout=$timeout
        fi
-        function savedefault {
+if ($font) {
-            if [ -z \"\${boot_once}\"]; then
+    copy $font, "$bootPath/converted-font.pf2" or die "cannot copy $font to $bootPath: $!\n";
-            saved_entry=\"\${chosen}\"
+    $conf .= "
-            save_env saved_entry
+        insmod font
-            fi
+        if loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/converted-font.pf2; then
-        }
+          insmod gfxterm
-
+          if [ \"\${grub_platform}\" = \"efi\" ]; then
-        # Setup the graphics stack for bios and efi systems
+            set gfxmode=$gfxmodeEfi
-        if [ \"\${grub_platform}\" = \"efi\" ]; then
+            set gfxpayload=$gfxpayloadEfi
-          insmod efi_gop
+          else
-          insmod efi_uga
+            set gfxmode=$gfxmodeBios
-        else
+            set gfxpayload=$gfxpayloadBios
-          insmod vbe
+          fi
          terminal_output gfxterm
        fi
    ";
-
+}
-    if ($font) {
+if ($splashImage) {
-        copy $font, "$bootPath/converted-font.pf2" or die "cannot copy $font to $bootPath: $!\n";
+    # Keeps the image's extension.
    my ($filename, $dirs, $suffix) = fileparse($splashImage, qr"\..[^.]*$");
    # The module for jpg is jpeg.
    if ($suffix eq ".jpg") {
        $suffix = ".jpeg";
    }
    if ($backgroundColor) {
        $conf .= "
-            insmod font
+        background_color '$backgroundColor'
            if loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/converted-font.pf2; then
              insmod gfxterm
              if [ \"\${grub_platform}\" = \"efi\" ]; then
                set gfxmode=$gfxmodeEfi
                set gfxpayload=$gfxpayloadEfi
              else
                set gfxmode=$gfxmodeBios
                set gfxpayload=$gfxpayloadBios
              fi
              terminal_output gfxterm
            fi
        ";
    }
-    if ($splashImage) {
+    copy $splashImage, "$bootPath/background$suffix" or die "cannot copy $splashImage to $bootPath: $!\n";
-        # Keeps the image's extension.
+    $conf .= "
-        my ($filename, $dirs, $suffix) = fileparse($splashImage, qr"\..[^.]*$");
+        insmod " . substr($suffix, 1) . "
-        # The module for jpg is jpeg.
+        if background_image --mode '$splashMode' " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/background$suffix; then
-        if ($suffix eq ".jpg") {
+          set color_normal=white/black
-            $suffix = ".jpeg";
+          set color_highlight=black/white
-        }
+        else
-        if ($backgroundColor) {
+          set menu_color_normal=cyan/blue
          set menu_color_highlight=white/blue
        fi
    ";
 }
 rmtree("$bootPath/theme") or die "cannot clean up theme folder in $bootPath\n" if -e "$bootPath/theme";
 if ($theme) {
    # Copy theme
    rcopy($theme, "$bootPath/theme") or die "cannot copy $theme to $bootPath\n";
    $conf .= "
        # Sets theme.
        set theme=" . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/theme.txt
        export theme
        # Load theme fonts, if any
    ";
    find( { wanted => sub {
        if ($_ =~ /\.pf2$/i) {
            $font = File::Spec->abs2rel($File::Find::name, $theme);
            $conf .= "
-            background_color '$backgroundColor'
+                loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/$font
            ";
        }
-        copy $splashImage, "$bootPath/background$suffix" or die "cannot copy $splashImage to $bootPath: $!\n";
+    }, no_chdir => 1 }, $theme );
        $conf .= "
            insmod " . substr($suffix, 1) . "
            if background_image --mode '$splashMode' " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/background$suffix; then
              set color_normal=white/black
              set color_highlight=black/white
            else
              set menu_color_normal=cyan/blue
              set menu_color_highlight=white/blue
            fi
        ";
    }
    rmtree("$bootPath/theme") or die "cannot clean up theme folder in $bootPath\n" if -e "$bootPath/theme";
    if ($theme) {
        # Copy theme
        rcopy($theme, "$bootPath/theme") or die "cannot copy $theme to $bootPath\n";
        $conf .= "
            # Sets theme.
            set theme=" . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/theme.txt
            export theme
            # Load theme fonts, if any
        ";
        find( { wanted => sub {
            if ($_ =~ /\.pf2$/i) {
                $font = File::Spec->abs2rel($File::Find::name, $theme);
                $conf .= "
                    loadfont " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/theme/$font
                ";
            }
        }, no_chdir => 1 }, $theme );
    }
 }
 $conf .= "$extraConfig\n";
@ -494,31 +474,19 @@ sub addEntry {
        readFile("$path/kernel-params");
    my $xenParams = $xen && -e "$path/xen-params" ? readFile("$path/xen-params") : "";
-    if ($grubVersion == 1) {
+    $conf .= "menuentry \"$name\" " . $options . " {\n";
-        $conf .= "title $name\n";
+    if ($saveDefault) {
-        $conf .= "  $extraPerEntryConfig\n" if $extraPerEntryConfig;
+        $conf .= "  savedefault\n";
        $conf .= "  kernel $xen $xenParams\n" if $xen;
        $conf .= "  " . ($xen ? "module" : "kernel") . " $kernel $kernelParams\n";
        $conf .= "  " . ($xen ? "module" : "initrd") . " $initrd\n";
        if ($saveDefault) {
            $conf .= "  savedefault\n";
        }
        $conf .= "\n";
    } else {
        $conf .= "menuentry \"$name\" " . $options . " {\n";
        if ($saveDefault) {
            $conf .= "  savedefault\n";
        }
        $conf .= $grubBoot->search . "\n";
        if ($copyKernels == 0) {
            $conf .= $grubStore->search . "\n";
        }
        $conf .= "  $extraPerEntryConfig\n" if $extraPerEntryConfig;
        $conf .= "  multiboot $xen $xenParams\n" if $xen;
        $conf .= "  " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";
        $conf .= "  " . ($xen ? "module" : "initrd") . " $initrd\n";
        $conf .= "}\n\n";
    }
    $conf .= $grubBoot->search . "\n";
    if ($copyKernels == 0) {
        $conf .= $grubStore->search . "\n";
    }
    $conf .= "  $extraPerEntryConfig\n" if $extraPerEntryConfig;
    $conf .= "  multiboot $xen $xenParams\n" if $xen;
    $conf .= "  " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";
    $conf .= "  " . ($xen ? "module" : "initrd") . " $initrd\n";
    $conf .= "}\n\n";
 }
@ -562,7 +530,7 @@ sub addProfile {
    my ($profile, $description) = @_;
    # Add entries for all generations of this profile.
-    $conf .= "submenu \"$description\" --class submenu {\n" if $grubVersion == 2;
+    $conf .= "submenu \"$description\" --class submenu {\n";
    sub nrFromGen { my ($x) = @_; $x =~ /\/\w+-(\d+)-link/; return $1; }
@ -585,17 +553,15 @@ sub addProfile {
        addEntry("@distroName@ - Configuration " . nrFromGen($link) . " ($date - $version)", $link, $subEntryOptions, 0);
    }
-    $conf .= "}\n" if $grubVersion == 2;
+    $conf .= "}\n";
 }
 addProfile "/nix/var/nix/profiles/system", "@distroName@ - All configurations";
-if ($grubVersion == 2) {
+for my $profile (glob "/nix/var/nix/profiles/system-profiles/*") {
-    for my $profile (glob "/nix/var/nix/profiles/system-profiles/*") {
+    my $name = basename($profile);
-        my $name = basename($profile);
+    next unless $name =~ /^\w+$/;
-        next unless $name =~ /^\w+$/;
+    addProfile $profile, "@distroName@ - Profile '$name'";
        addProfile $profile, "@distroName@ - Profile '$name'";
    }
 }
 # extraPrepareConfig could refer to @bootPath@, which we have to substitute
@ -607,16 +573,14 @@ if ($extraPrepareConfig ne "") {
 }
 # write the GRUB config.
-my $confFile = $grubVersion == 1 ? "$bootPath/grub/menu.lst" : "$bootPath/grub/grub.cfg";
+my $confFile = "$bootPath/grub/grub.cfg";
 my $tmpFile = $confFile . ".tmp";
 writeFile($tmpFile, $conf);
 # check whether to install GRUB EFI or not
 sub getEfiTarget {
-    if ($grubVersion == 1) {
+    if (($grub ne "") && ($grubEfi ne "")) {
        return "no"
    } elsif (($grub ne "") && ($grubEfi ne "")) {
        # EFI can only be installed when target is set;
        # A target is also required then for non-EFI grub
        if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die }
@ -741,7 +705,7 @@ symlink "$bootPath", "$tmpDir/boot" or die "Failed to symlink $tmpDir/boot: $!";
 if (($requireNewInstall != 0) && ($efiTarget eq "no" || $efiTarget eq "both")) {
    foreach my $dev (@deviceTargets) {
        next if $dev eq "nodev";
-        print STDERR "installing the GRUB $grubVersion boot loader on $dev...\n";
+        print STDERR "installing the GRUB 2 boot loader on $dev...\n";
        my @command = ("$grub/sbin/grub-install", "--recheck", "--root-directory=$tmpDir", Cwd::abs_path($dev), @extraGrubInstallArgs);
        if ($forceInstall eq "true") {
            push @command, "--force";
@ -756,7 +720,7 @@ if (($requireNewInstall != 0) && ($efiTarget eq "no" || $efiTarget eq "both")) {
 # install EFI GRUB
 if (($requireNewInstall != 0) && ($efiTarget eq "only" || $efiTarget eq "both")) {
-    print STDERR "installing the GRUB $grubVersion EFI boot loader into $efiSysMountPoint...\n";
+    print STDERR "installing the GRUB 2 boot loader into $efiSysMountPoint...\n";
    my @command = ("$grubEfi/sbin/grub-install", "--recheck", "--target=$grubTargetEfi", "--boot-directory=$bootPath", "--efi-directory=$efiSysMountPoint", @extraGrubInstallArgs);
    if ($forceInstall eq "true") {
        push @command, "--force";
--- a/nixos/modules/system/boot/loader/grub/ipxe.nix
+++ b/nixos/modules/system/boot/loader/grub/ipxe.nix
@ -46,11 +46,7 @@ in
  config = mkIf (builtins.length scripts != 0) {
-    boot.loader.grub.extraEntries =
+    boot.loader.grub.extraEntries = toString (map grubEntry scripts);
      if config.boot.loader.grub.version == 2 then
        toString (map grubEntry scripts)
      else
        throw "iPXE is not supported with GRUB 1.";
    boot.loader.grub.extraFiles =
      { "ipxe.lkrn" = "${pkgs.ipxe}/ipxe.lkrn"; }
--- a/nixos/modules/system/boot/loader/grub/memtest.nix
+++ b/nixos/modules/system/boot/loader/grub/memtest.nix
@ -84,15 +84,11 @@ in
    })
    (mkIf (cfg.enable && !efiSupport) {
-      boot.loader.grub.extraEntries =
+      boot.loader.grub.extraEntries = ''
-        if config.boot.loader.grub.version == 2 then
+        menuentry "Memtest86+" {
-          ''
+          linux16 @bootRoot@/memtest.bin ${toString cfg.params}
-            menuentry "Memtest86+" {
+        }
-              linux16 @bootRoot@/memtest.bin ${toString cfg.params}
+      '';
            }
          ''
        else
          throw "Memtest86+ is not supported with GRUB 1.";
      boot.loader.grub.extraFiles."memtest.bin" = "${memtest86}/memtest.bin";
    })
--- a/nixos/modules/virtualisation/azure-common.nix
+++ b/nixos/modules/virtualisation/azure-common.nix
@ -12,7 +12,6 @@ with lib;
  # Generate a GRUB menu.
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.version = 2;
  boot.loader.timeout = 0;
  boot.growPartition = true;
--- a/nixos/modules/virtualisation/xen-domU.nix
+++ b/nixos/modules/virtualisation/xen-domU.nix
@ -3,7 +3,6 @@
 { ... }:
 {
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "nodev";
  boot.initrd.kernelModules =
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@ -10,7 +10,7 @@ with pkgs.lib;
 let
  # The configuration to install.
-  makeConfig = { bootLoader, grubVersion, grubDevice, grubIdentifier, grubUseEfi
+  makeConfig = { bootLoader, grubDevice, grubIdentifier, grubUseEfi
               , extraConfig, forceGrubReinstallCount ? 0
               }:
    pkgs.writeText "configuration.nix" ''
@ -29,11 +29,6 @@ let
        ${optionalString systemdStage1 "boot.initrd.systemd.enable = true;"}
        ${optionalString (bootLoader == "grub") ''
          boot.loader.grub.version = ${toString grubVersion};
          ${optionalString (grubVersion == 1) ''
            boot.loader.grub.splashImage = null;
          ''}
          boot.loader.grub.extraConfig = "serial; terminal_output serial";
          ${if grubUseEfi then ''
            boot.loader.grub.device = "nodev";
@ -70,11 +65,11 @@ let
  # disk, and then reboot from the hard disk.  It's parameterized with
  # a test script fragment `createPartitions', which must create
  # partitions and filesystems.
-  testScriptFun = { bootLoader, createPartitions, grubVersion, grubDevice, grubUseEfi
+  testScriptFun = { bootLoader, createPartitions, grubDevice, grubUseEfi
                  , grubIdentifier, preBootCommands, postBootCommands, extraConfig
                  , testSpecialisationConfig
                  }:
-    let iface = if grubVersion == 1 then "ide" else "virtio";
+    let iface = "virtio";
        isEfi = bootLoader == "systemd-boot" || (bootLoader == "grub" && grubUseEfi);
        bios  = if pkgs.stdenv.isAarch64 then "QEMU_EFI.fd" else "OVMF.fd";
    in if !isEfi && !pkgs.stdenv.hostPlatform.isx86 then ''
@ -122,7 +117,7 @@ let
          machine.succeed("cat /mnt/etc/nixos/hardware-configuration.nix >&2")
          machine.copy_from_host(
              "${ makeConfig {
-                    inherit bootLoader grubVersion grubDevice grubIdentifier
+                    inherit bootLoader grubDevice grubIdentifier
                            grubUseEfi extraConfig;
                  }
              }",
@ -193,7 +188,7 @@ let
          # doesn't know about the host-guest sharing mechanism.
          machine.copy_from_host_via_shell(
              "${ makeConfig {
-                    inherit bootLoader grubVersion grubDevice grubIdentifier
+                    inherit bootLoader grubDevice grubIdentifier
                            grubUseEfi extraConfig;
                    forceGrubReinstallCount = 1;
                  }
@ -222,7 +217,7 @@ let
      # doesn't know about the host-guest sharing mechanism.
      machine.copy_from_host_via_shell(
          "${ makeConfig {
-                inherit bootLoader grubVersion grubDevice grubIdentifier
+                inherit bootLoader grubDevice grubIdentifier
                grubUseEfi extraConfig;
                forceGrubReinstallCount = 2;
              }
@ -284,7 +279,7 @@ let
    { createPartitions, preBootCommands ? "", postBootCommands ? "", extraConfig ? ""
    , extraInstallerConfig ? {}
    , bootLoader ? "grub" # either "grub" or "systemd-boot"
-    , grubVersion ? 2, grubDevice ? "/dev/vda", grubIdentifier ? "uuid", grubUseEfi ? false
+    , grubDevice ? "/dev/vda", grubIdentifier ? "uuid", grubUseEfi ? false
    , enableOCR ? false, meta ? {}
    , testSpecialisationConfig ? false
    }:
@ -316,11 +311,9 @@ let
          # installer. This ensures the target disk (/dev/vda) is
          # the same during and after installation.
          virtualisation.emptyDiskImages = [ 512 ];
-          virtualisation.rootDevice =
+          virtualisation.rootDevice = "/dev/vdb";
            if grubVersion == 1 then "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive2" else "/dev/vdb";
          virtualisation.bootLoaderDevice = "/dev/vda";
-          virtualisation.qemu.diskInterface =
+          virtualisation.qemu.diskInterface = "virtio";
            if grubVersion == 1 then "scsi" else "virtio";
          # We don't want to have any networking in the guest whatsoever.
          # Also, if any vlans are enabled, the guest will reboot
@ -372,8 +365,7 @@ let
            # curl's tarball, we see what it's trying to download
            curl
          ]
-          ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub
+          ++ optionals (bootLoader == "grub") (let
          ++ optionals (bootLoader == "grub" && grubVersion == 2) (let
            zfsSupport = lib.any (x: x == "zfs")
              (extraInstallerConfig.boot.supportedFilesystems or []);
          in [
@ -392,7 +384,7 @@ let
      testScript = testScriptFun {
        inherit bootLoader createPartitions preBootCommands postBootCommands
-                grubVersion grubDevice grubIdentifier grubUseEfi extraConfig
+                grubDevice grubIdentifier grubUseEfi extraConfig
                testSpecialisationConfig;
      };
    };
@ -875,26 +867,6 @@ in {
    '';
  };
  # Test a basic install using GRUB 1.
  grub1 = makeInstallerTest "grub1" rec {
    createPartitions = ''
      machine.succeed(
          "flock ${grubDevice} parted --script ${grubDevice} -- mklabel msdos"
          + " mkpart primary linux-swap 1M 1024M"
          + " mkpart primary ext2 1024M -1s",
          "udevadm settle",
          "mkswap ${grubDevice}-part1 -L swap",
          "swapon -L swap",
          "mkfs.ext3 -L nixos ${grubDevice}-part2",
          "mount LABEL=nixos /mnt",
          "mkdir -p /mnt/tmp",
      )
    '';
    grubVersion = 1;
    # /dev/sda is not stable, even when the SCSI disk number is.
    grubDevice = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive1";
  };
  # Test using labels to identify volumes in grub
  simpleLabels = makeInstallerTest "simpleLabels" {
    createPartitions = ''
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@ -1,457 +0,0 @@
 { lib, stdenv, fetchurl, flex, bison, python3, autoreconfHook, gnulib, libtool, bash
 , gettext, ncurses, libusb-compat-0_1, freetype, qemu, lvm2, unifont, pkg-config
 , buildPackages
 , fetchpatch
 , pkgsBuildBuild
 , nixosTests
 , fuse # only needed for grub-mount
 , runtimeShell
 , zfs ? null
 , efiSupport ? false
 , zfsSupport ? false
 , xenSupport ? false
 , kbdcompSupport ? false, ckbcomp
 }:
 let
  pcSystems = {
    i686-linux.target = "i386";
    x86_64-linux.target = "i386";
  };
  efiSystemsBuild = {
    i686-linux.target = "i386";
    x86_64-linux.target = "x86_64";
    armv7l-linux.target = "arm";
    aarch64-linux.target = "aarch64";
    riscv32-linux.target = "riscv32";
    riscv64-linux.target = "riscv64";
  };
  # For aarch64, we need to use '--target=aarch64-efi' when building,
  # but '--target=arm64-efi' when installing. Insanity!
  efiSystemsInstall = {
    i686-linux.target = "i386";
    x86_64-linux.target = "x86_64";
    armv7l-linux.target = "arm";
    aarch64-linux.target = "arm64";
    riscv32-linux.target = "riscv32";
    riscv64-linux.target = "riscv64";
  };
  canEfi = lib.any (system: stdenv.hostPlatform.system == system) (lib.mapAttrsToList (name: _: name) efiSystemsBuild);
  inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.mapAttrsToList (name: _: name) pcSystems);
  version = "2.06";
 in (
 assert efiSupport -> canEfi;
 assert zfsSupport -> zfs != null;
 assert !(efiSupport && xenSupport);
 stdenv.mkDerivation rec {
  pname = "grub";
  inherit version;
  src = fetchurl {
    url = "mirror://gnu/grub/grub-${version}.tar.xz";
    sha256 = "sha256-t56kSvkbk9F80/6Ava5u1DdwZ4qaWuGSzOqAPrtlfuE=";
  };
  patches = [
    ./fix-bash-completion.patch
    (fetchpatch {
      name = "Add-hidden-menu-entries.patch";
      # https://lists.gnu.org/archive/html/grub-devel/2016-04/msg00089.html
      url = "https://marc.info/?l=grub-devel&m=146193404929072&q=mbox";
      sha256 = "00wa1q5adiass6i0x7p98vynj9vsz1w0gn1g4dgz89v35mpyw2bi";
    })
    # Pull upstream patch to fix linkage against binutils-2.36.
    (fetchpatch {
      name = "binutils-2.36.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b98275138bf4fc250a1c362dfd2c8b1cf2421701";
      sha256 = "001m058bsl2pcb0ii84jfm5ias8zgzabrfy6k2cc9w6w1y51ii82";
    })
    # Properly handle multiple initrd paths in 30_os-prober
    # Remove this patch once a new release is cut
    (fetchpatch {
      name = "Properly-handle-multiple-initrd-paths-in-os-prober.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=000b5cd04fd228f9741f5dca0491636bc0b89eb8";
      sha256 = "sha256-Mex3qQ0lW7ZCv7ZI7MSSqbylJXZ5RTbR4Pv1+CJ0ciM=";
    })
    # Upstreamed patches for flicker-free boot
    # Remove these patches once a new release is cut
    (fetchpatch {
      # term/efi/console: Do not set colorstate until the first text output
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9381dbe045b39bd9395c9ab4276d95b4041ec9fb";
      sha256 = "sha256-ZFq/PdCYo6aRySZRAfZARO8BmXwGgqeXz+9uNgNJEO8=";
    })
    (fetchpatch {
      # term/efi/console: Do not set cursor until the first text output
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7c316e18301e101e4dcd8abe88c0bed0b1b78857";
      sha256 = "sha256-WJiK7MqmdStzq77vIDsO60Fu7i9LE/jDYzF4E9FXb7c=";
    })
    (fetchpatch {
      # normal/menu: Don't show "Booting `%s'" msg when auto-booting with TIMEOUT_STYLE_HIDDEN
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5bb4f2b7d665c84bde402d1a528b652a61753380";
      sha256 = "sha256-lwJPPyq6yj7X1C2RuHfxnwKKstFkWGxcMXuSQqd9Z4I=";
    })
    (fetchpatch {
      # kern/main: Suppress the "Welcome to GRUB!" message in EFI builds
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=3e4cbbeca0ef35097301a1086f85fd0d119e64aa";
      sha256 = "sha256-cQX4x9V5Y7SU9WACn5FzDjukL2/StAUMMoHY/DRHq+g=";
    })
    (fetchpatch {
      name = "CVE-2021-3981.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0adec29674561034771c13e446069b41ef41e4d4";
      sha256 = "sha256-3vkvWjcSv0hyY2EX3ig2EXEe+XLiRsXYlcd5kpY4wXw=";
    })
    # June 2022 security patches
    # https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.1.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1469983ebb9674753ad333d37087fb8cb20e1dce";
      sha256 = "sha256-oB4S0jvIXsDPcjIz1E2LKm7gwdvZjywuI1j0P6JQdJg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.2.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=14ceb3b3ff6db664649138442b6562c114dcf56e";
      sha256 = "sha256-mKe8gzd0U4PbV8z3TWCdvv7UugEgYaVIkB4dyMrSGEE=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.3.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=04c86e0bb7b58fc2f913f798cdb18934933e532d";
      sha256 = "sha256-sA+PTlk4hwYOVKRZBHkEskabzmsf47Hi4h3mzWOFjwM=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.4.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53";
      sha256 = "sha256-8zmFocUfnjSyhYitUFDHoilHDnm1NJmhcKwO9dueV3k=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.5.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f1ce0e15e70ea1aafcfa26ad93e7585f65783c6f";
      sha256 = "sha256-Wrlam6CRPUAHbKqe/X1YLcRxJ2LQTtmQ/Y66gxUlqK4=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.6.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5bff31cdb6b93d738f850834e6291df1d0b136fa";
      sha256 = "sha256-ReLWSePXjRweymsVAL/uoBgYMWt9vRDcY3iXlDNZT0w=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.7.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=347880a13c239b4c2811c94c9a7cf78b607332e3";
      sha256 = "sha256-07hpHuJFw95xGoJ/6ej7i6HlCFb2QRxP3arvRjKW4uU=";
    })
    ## Needed to apply patch 8
    (fetchpatch {
      name = "video-remove-trailing-whitespaces.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1f48917d8ddb490dcdc70176e0f58136b7f7811a";
      sha256 = "sha256-/yf/LGpwYcQ36KITzmiFfg4BvhcApKbrlFzjKK8V2kI=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.8.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e623866d9286410156e8b9d2c82d6253a1b22d08";
      sha256 = "sha256-zFxP6JY5Q9s3yJHdkbZ2w+dXFKeOCXjFnQKadB5HLCg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.9.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=210245129c932dc9e1c2748d9d35524fb95b5042";
      sha256 = "sha256-FyZhdTlcRVmn7X2hv93RhWP7NOoEMb7ib/DWveyz3Ew=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.10.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=690bee69fae6b4bd911293d6b7e56774e29fdf64";
      sha256 = "sha256-nOAXxebCW/s5M6sjPKdSdx47/PcH1lc0yYT0flVwoC8=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.11.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d5caac8ab79d068ad9a41030c772d03a4d4fbd7b";
      sha256 = "sha256-9fGJJkgZ6+E01MJqVTR1qFITx9EAx41Hv9QNfdqBgu0=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.12.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=768ef2199e0265cf455b154f1a80a612f02274c8";
      sha256 = "sha256-2/JJJux5vqXUc77bi3aXRy8NclbvyD/0e6UN8/6Ui3c=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.13.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=166a4d61448f74745afe1dac2f2cfb85d04909bf";
      sha256 = "sha256-XxTZ8P8qr4qEXELdHwaRACPeIZ/iixlATLB5RvVQsC8=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.14.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6";
      sha256 = "sha256-bzB2gmGvWR2ylvMw779KQ/VHBBMsDNbG96eg9qQlljA=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.15.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=830a9628b2c9e1b6388af624aaf4a80818ed6be0";
      sha256 = "sha256-8fna2VbbUw8zBx77osaOOHlZFgRrHqwQK87RoUtCF6w=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.16.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287";
      sha256 = "sha256-iCZAyRS/a15x5aJCJBYl9nw6Hc3WRCUG7zF5V+OwDKg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.17.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f407e34f3871a4c402bbd516e7c28ea193cef1b7";
      sha256 = "sha256-S45cLZNTWapAodKudUz2fMjnPsW6vbtNz0bIvIBGmu4=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.18.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c1b7eef9fa4aaefbf7d0507505c3bb2914e1ad6b";
      sha256 = "sha256-TWPfEAOePwC77yiVdsTSZIjfsMp7+0XabCz9K3FlV7w=";
    })
    ## Needed to apply patch 19
    (fetchpatch {
      name = "net-remove-trailing-whitespaces.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e453a4a64392a41bc7b37f890aceb358112d1687";
      sha256 = "sha256-JCbUB77Y6js5u99uJ9StDxNjjahNy4nO3crK8/GvmPY=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.19.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=96abf4fb9d829f4a405d5df39bc74bbccbd0e322";
      sha256 = "sha256-6E2MKO5kauFA1TA8YkUgIUusniwHS2Sr44A/a7ZqDCo=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.20.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ee9652031491326736714a988fbbaeab8ef9255c";
      sha256 = "sha256-E21q+Mj+JBQlUW0pe4zbaoL3ErXmCanyizwAsRYYZHk=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.21.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8f287c3e13da2bf82049e2e464eca7ca4fef0a85";
      sha256 = "sha256-dZ24RwYsHeUrMuiU7PDgPcw+iK9cOd6q+E0xWXbtTkE=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.22.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dad94fffe14be476df5f34a8e5a90ea62a41fe12";
      sha256 = "sha256-06TyTEvSy19dsnXZZoKBGx7ymJVWogr0NorzLflEwY4=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.23.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ec6bfd3237394c1c7dbf2fd73417173318d22f4b";
      sha256 = "sha256-NryxSekO8oSxsnv5G9mFZExm4Pwfc778mslyUDuDhlM=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.24.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4";
      sha256 = "sha256-fSH3cxl/76DwkE8dHSR9uao9Vf1sJrhz7SmUSgDNodI=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.25.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4bd9877f62166b7e369773ab92fe24a39f6515f8";
      sha256 = "sha256-VMtR/sF8F1BMKmJ06ZZEPNH/+l0RySy/E6lVWdCyFKE=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.26.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=deae293f399dde3773cf37dfa9b77ca7e04ef772";
      sha256 = "sha256-sCC3KE9adavw7jHMTVlxtyuwDFCPRDqT24H3AKUYf68=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.27.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e40b83335bb33d9a2d1c06cc269875b3b3d6c539";
      sha256 = "sha256-cviCfBkzacAtnHGW87RLshhduE4Ym/v2Vq4h/sZDmZg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.28.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=11e1cffb7e2492ddac4ab8d19ce466783adbb957";
      sha256 = "sha256-I1feoneVeU3XkscKfVprWWJfLUnrc5oauMXYDyDxo5M=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.29.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13dce204cf6f3f0f49c9949971052a4c9657c0c0";
      sha256 = "sha256-DzFHxgR9A8FNZ/y9OMeBvTp1K6J5ePyL06dhHQmk7Ik=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.30.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2f4430cc0a44fd8c8aa7aee5c51887667ad3d6c3";
      sha256 = "sha256-AufP/10/auO4NMjYQ7yPDDbYShwGaktyQtqJx2Jasz8=";
    })
    # October 2022 security patches
    # https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.1.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f6b6236077f059e64ee315f2d7acb8fa4eda87c5";
      sha256 = "sha256-pk02iVf/u6CdsVjl8HaFBh0Bt473ZQzz5zBp9SoBLtE=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.2.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9c76ec09ae08155df27cd237eaea150b4f02f532";
      sha256 = "sha256-axbEOH5WFkUroGna2XY1f2kq7+B1Cs6LiubIA2EBdiM=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.3.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e";
      sha256 = "sha256-aKDUVS/Yx1c87NCrt4EG8BlSpkHijUyAJIwbmtzNjD8=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.4.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c51292274ded3259eb04c2f1c8d253ffbdb5216a";
      sha256 = "sha256-OLNOKuAJuHy2MBMnU2xcYM7AaxmDk9fchXhggoDrxJU=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.5.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=23843fe8947e4da955a05ad3d1858725bfcb56c8";
      sha256 = "sha256-ptn00nqVJlEb1c6HhoMy9nrBuctH077LM4yXKsK47gc=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.6.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b9396daf1c2e3cdc0a1e69b056852e0769fb24de";
      sha256 = "sha256-K7XNneDZjLpZh/C908+5uYsB/0oIdgQqmk0yJrdQLG4=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.7.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1d2015598cc7a9fca4b39186273e3519a88e80c7";
      sha256 = "sha256-s4pZtszH4b/0u85rpzVapZmNQdYEq/wW06SQ3PW/1aU=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.8.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=93a786a00163e50c29f0394df198518617e1c9a5";
      sha256 = "sha256-R8x557RMAxJ0ZV2jb6zDmwOPVlk6875q37fNpqKsPT0=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.9.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1eac01c147b4d85d2ec4a7e5671fa4345f2e8549";
      sha256 = "sha256-eOnhmU3pT5cCVnNHcY/BzDjldfs7yh/OGsxa15tGv94=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.10.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=992c06191babc1e109caf40d6a07ec6fdef427af";
      sha256 = "sha256-kezNKPcLmFXwyZbXtJbaPTIbE8tijmHIzdC2jsKwrNk=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.11.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9d81f71c6b8f55cf20cd56f5fe29c759df9b48cc";
      sha256 = "sha256-jnniVGy4KvFGFmcOP2YLA46k3cK8vwoByo19ismVUzE=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.12.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=22b77b87e10a3a6c9bb9885415bc9a9c678378e6";
      sha256 = "sha256-iYTEqN5997I7MVIg82jt/bbEAYhcgq8fNRCNPpY9ze0=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.13.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1514678888595ef41a968a0c69b7ff769edd1e9c";
      sha256 = "sha256-tgAEoAtaNKJjscjMFkXXiVn59Pa4c+NiQ3iVW6CMrpo=";
    })
  ];
  postPatch = if kbdcompSupport then ''
    sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@'
  '' else ''
    echo '#! ${runtimeShell}' > util/grub-kbdcomp.in
    echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in
  '';
  depsBuildBuild = [ buildPackages.stdenv.cc ];
  nativeBuildInputs = [ bison flex python3 pkg-config gettext freetype autoreconfHook ];
  buildInputs = [ ncurses libusb-compat-0_1 freetype lvm2 fuse libtool bash ]
    ++ lib.optional doCheck qemu
    ++ lib.optional zfsSupport zfs;
  strictDeps = true;
  hardeningDisable = [ "all" ];
  separateDebugInfo = !xenSupport;
  # Work around a bug in the generated flex lexer (upstream flex bug?)
  env.NIX_CFLAGS_COMPILE = "-Wno-error";
  preConfigure =
    '' for i in "tests/util/"*.in
       do
         sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
       done
       # Apparently, the QEMU executable is no longer called
       # `qemu-system-i386', even on i386.
       #
       # In addition, use `-nodefaults' to avoid errors like:
       #
       #  chardev: opening backend "stdio" failed
       #  qemu: could not open serial device 'stdio': Invalid argument
       #
       # See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
       sed -i "tests/util/grub-shell.in" \
           -e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
      unset CPP # setting CPP intereferes with dependency calculation
      patchShebangs .
      substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts'
    '';
  configureFlags = [
    "--enable-grub-mount" # dep of os-prober
  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
    # grub doesn't do cross-compilation as usual and tries to use unprefixed
    # tools to target the host. Provide toolchain information explicitly for
    # cross builds.
    #
    # Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108
    "TARGET_CC=${stdenv.cc.targetPrefix}cc"
    "TARGET_NM=${stdenv.cc.targetPrefix}nm"
    "TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy"
    "TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib"
    "TARGET_STRIP=${stdenv.cc.targetPrefix}strip"
  ] ++ lib.optional zfsSupport "--enable-libzfs"
    ++ lib.optionals efiSupport [ "--with-platform=efi" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}" "--program-prefix=" ]
    ++ lib.optionals xenSupport [ "--with-platform=xen" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}"];
  # save target that grub is compiled for
  grubTarget = if efiSupport
               then "${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi"
               else lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc";
  doCheck = false;
  enableParallelBuilding = true;
  postInstall = ''
    # Avoid a runtime reference to gcc
    sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
    # just adding bash to buildInputs wasn't enough to fix the shebang
    substituteInPlace $out/lib/grub/*/modinfo.sh \
      --replace ${buildPackages.bash} "/usr/bin/bash"
  '';
  passthru.tests = {
    nixos-grub = nixosTests.grub;
    nixos-install-simple = nixosTests.installer.simple;
    nixos-install-grub1 = nixosTests.installer.grub1;
    nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub;
    nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation;
  };
  meta = with lib; {
    description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";
    longDescription =
      '' GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand
         Unified Bootloader, which was originally designed and implemented by
         Erich Stefan Boleyn.
         Briefly, the boot loader is the first software program that runs when a
         computer starts.  It is responsible for loading and transferring
         control to the operating system kernel software (such as the Hurd or
         the Linux).  The kernel, in turn, initializes the rest of the
         operating system (e.g., GNU).
      '';
    homepage = "https://www.gnu.org/software/grub/";
    license = licenses.gpl3Plus;
    platforms = platforms.gnu ++ platforms.linux;
    maintainers = [ maintainers.samueldr ];
  };
 })
--- a/pkgs/tools/misc/grub/buggybios.patch
+++ b/pkgs/tools/misc/grub/buggybios.patch
@ -1,11 +0,0 @@
 Taken from: http://savannah.gnu.org/bugs/?func=detailitem&item_id=10433
 --- grub-0.95.orig/stage2/bios.c 2004-03-27 17:34:04.000000000 +0100
 +++ grub-0.95/stage2/bios.c 2005-03-02 01:02:29.192582200 +0100
@@ -147,6 +147,7 @@
   grub_memset (&cdrp, 0, sizeof (cdrp));
   cdrp.size = sizeof (cdrp) - sizeof (cdrp.dummy);
   err = biosdisk_int13_extensions (0x4B01, drive, &cdrp);
 +  err = 0; /* really ugly hack to circumvent faulty BIOS versions like Acer 292LMi */
   if (! err && cdrp.drive_no == drive)
     {
        if ((cdrp.media_type & 0x0F) == 0)
--- a/pkgs/tools/misc/grub/default.nix
+++ b/pkgs/tools/misc/grub/default.nix
@ -1,40 +1,456 @@
-{ lib, stdenv, fetchurl, autoreconfHook, texinfo, buggyBiosCDSupport ? true }:
+{ lib, stdenv, fetchurl, flex, bison, python3, autoreconfHook, gnulib, libtool, bash
 , gettext, ncurses, libusb-compat-0_1, freetype, qemu, lvm2, unifont, pkg-config
 , buildPackages
 , fetchpatch
 , pkgsBuildBuild
 , nixosTests
 , fuse # only needed for grub-mount
 , runtimeShell
 , zfs ? null
 , efiSupport ? false
 , zfsSupport ? false
 , xenSupport ? false
 , kbdcompSupport ? false, ckbcomp
 }:
 let
  pcSystems = {
    i686-linux.target = "i386";
    x86_64-linux.target = "i386";
  };
  efiSystemsBuild = {
    i686-linux.target = "i386";
    x86_64-linux.target = "x86_64";
    armv7l-linux.target = "arm";
    aarch64-linux.target = "aarch64";
    riscv32-linux.target = "riscv32";
    riscv64-linux.target = "riscv64";
  };
  # For aarch64, we need to use '--target=aarch64-efi' when building,
  # but '--target=arm64-efi' when installing. Insanity!
  efiSystemsInstall = {
    i686-linux.target = "i386";
    x86_64-linux.target = "x86_64";
    armv7l-linux.target = "arm";
    aarch64-linux.target = "arm64";
    riscv32-linux.target = "riscv32";
    riscv64-linux.target = "riscv64";
  };
  canEfi = lib.any (system: stdenv.hostPlatform.system == system) (lib.mapAttrsToList (name: _: name) efiSystemsBuild);
  inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.mapAttrsToList (name: _: name) pcSystems);
  version = "2.06";
 in (
 assert efiSupport -> canEfi;
 assert zfsSupport -> zfs != null;
 assert !(efiSupport && xenSupport);
 stdenv.mkDerivation rec {
  pname = "grub";
-  version = "0.97-73";
+  inherit version;
  src = fetchurl {
-    url = "https://alpha.gnu.org/gnu/grub/grub-${lib.versions.majorMinor version}.tar.gz";
+    url = "mirror://gnu/grub/grub-${version}.tar.xz";
-    sha256 = "02r6b52r0nsp6ryqfiqchnl7r1d9smm80sqx24494gmx5p8ia7af";
+    sha256 = "sha256-t56kSvkbk9F80/6Ava5u1DdwZ4qaWuGSzOqAPrtlfuE=";
  };
  patches = [
-    # Properly handle the case of symlinks such as
+    ./fix-bash-completion.patch
-    # /dev/disk/by-label/bla.  The symlink resolution code in
+    (fetchpatch {
-    # grub-install isn't smart enough.
+      name = "Add-hidden-menu-entries.patch";
-    ./symlink.patch
+      # https://lists.gnu.org/archive/html/grub-devel/2016-04/msg00089.html
-  ]
+      url = "https://marc.info/?l=grub-devel&m=146193404929072&q=mbox";
-  ++ (lib.optional buggyBiosCDSupport ./buggybios.patch)
+      sha256 = "00wa1q5adiass6i0x7p98vynj9vsz1w0gn1g4dgz89v35mpyw2bi";
-  ++ map fetchurl (import ./grub1.patches.nix)
+    })
  ;
-  preConfigure = ''
+    # Pull upstream patch to fix linkage against binutils-2.36.
-    substituteInPlace ./configure.ac --replace 'AC_PREREQ(2.61)' 'AC_PREREQ(2.64)'
+    (fetchpatch {
      name = "binutils-2.36.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b98275138bf4fc250a1c362dfd2c8b1cf2421701";
      sha256 = "001m058bsl2pcb0ii84jfm5ias8zgzabrfy6k2cc9w6w1y51ii82";
    })
    # Properly handle multiple initrd paths in 30_os-prober
    # Remove this patch once a new release is cut
    (fetchpatch {
      name = "Properly-handle-multiple-initrd-paths-in-os-prober.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=000b5cd04fd228f9741f5dca0491636bc0b89eb8";
      sha256 = "sha256-Mex3qQ0lW7ZCv7ZI7MSSqbylJXZ5RTbR4Pv1+CJ0ciM=";
    })
    # Upstreamed patches for flicker-free boot
    # Remove these patches once a new release is cut
    (fetchpatch {
      # term/efi/console: Do not set colorstate until the first text output
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9381dbe045b39bd9395c9ab4276d95b4041ec9fb";
      sha256 = "sha256-ZFq/PdCYo6aRySZRAfZARO8BmXwGgqeXz+9uNgNJEO8=";
    })
    (fetchpatch {
      # term/efi/console: Do not set cursor until the first text output
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7c316e18301e101e4dcd8abe88c0bed0b1b78857";
      sha256 = "sha256-WJiK7MqmdStzq77vIDsO60Fu7i9LE/jDYzF4E9FXb7c=";
    })
    (fetchpatch {
      # normal/menu: Don't show "Booting `%s'" msg when auto-booting with TIMEOUT_STYLE_HIDDEN
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5bb4f2b7d665c84bde402d1a528b652a61753380";
      sha256 = "sha256-lwJPPyq6yj7X1C2RuHfxnwKKstFkWGxcMXuSQqd9Z4I=";
    })
    (fetchpatch {
      # kern/main: Suppress the "Welcome to GRUB!" message in EFI builds
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=3e4cbbeca0ef35097301a1086f85fd0d119e64aa";
      sha256 = "sha256-cQX4x9V5Y7SU9WACn5FzDjukL2/StAUMMoHY/DRHq+g=";
    })
    (fetchpatch {
      name = "CVE-2021-3981.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=0adec29674561034771c13e446069b41ef41e4d4";
      sha256 = "sha256-3vkvWjcSv0hyY2EX3ig2EXEe+XLiRsXYlcd5kpY4wXw=";
    })
    # June 2022 security patches
    # https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.1.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1469983ebb9674753ad333d37087fb8cb20e1dce";
      sha256 = "sha256-oB4S0jvIXsDPcjIz1E2LKm7gwdvZjywuI1j0P6JQdJg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.2.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=14ceb3b3ff6db664649138442b6562c114dcf56e";
      sha256 = "sha256-mKe8gzd0U4PbV8z3TWCdvv7UugEgYaVIkB4dyMrSGEE=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.3.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=04c86e0bb7b58fc2f913f798cdb18934933e532d";
      sha256 = "sha256-sA+PTlk4hwYOVKRZBHkEskabzmsf47Hi4h3mzWOFjwM=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.4.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53";
      sha256 = "sha256-8zmFocUfnjSyhYitUFDHoilHDnm1NJmhcKwO9dueV3k=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.5.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f1ce0e15e70ea1aafcfa26ad93e7585f65783c6f";
      sha256 = "sha256-Wrlam6CRPUAHbKqe/X1YLcRxJ2LQTtmQ/Y66gxUlqK4=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.6.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=5bff31cdb6b93d738f850834e6291df1d0b136fa";
      sha256 = "sha256-ReLWSePXjRweymsVAL/uoBgYMWt9vRDcY3iXlDNZT0w=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.7.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=347880a13c239b4c2811c94c9a7cf78b607332e3";
      sha256 = "sha256-07hpHuJFw95xGoJ/6ej7i6HlCFb2QRxP3arvRjKW4uU=";
    })
    ## Needed to apply patch 8
    (fetchpatch {
      name = "video-remove-trailing-whitespaces.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1f48917d8ddb490dcdc70176e0f58136b7f7811a";
      sha256 = "sha256-/yf/LGpwYcQ36KITzmiFfg4BvhcApKbrlFzjKK8V2kI=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.8.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e623866d9286410156e8b9d2c82d6253a1b22d08";
      sha256 = "sha256-zFxP6JY5Q9s3yJHdkbZ2w+dXFKeOCXjFnQKadB5HLCg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.9.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=210245129c932dc9e1c2748d9d35524fb95b5042";
      sha256 = "sha256-FyZhdTlcRVmn7X2hv93RhWP7NOoEMb7ib/DWveyz3Ew=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.10.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=690bee69fae6b4bd911293d6b7e56774e29fdf64";
      sha256 = "sha256-nOAXxebCW/s5M6sjPKdSdx47/PcH1lc0yYT0flVwoC8=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.11.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=d5caac8ab79d068ad9a41030c772d03a4d4fbd7b";
      sha256 = "sha256-9fGJJkgZ6+E01MJqVTR1qFITx9EAx41Hv9QNfdqBgu0=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.12.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=768ef2199e0265cf455b154f1a80a612f02274c8";
      sha256 = "sha256-2/JJJux5vqXUc77bi3aXRy8NclbvyD/0e6UN8/6Ui3c=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.13.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=166a4d61448f74745afe1dac2f2cfb85d04909bf";
      sha256 = "sha256-XxTZ8P8qr4qEXELdHwaRACPeIZ/iixlATLB5RvVQsC8=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.14.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6";
      sha256 = "sha256-bzB2gmGvWR2ylvMw779KQ/VHBBMsDNbG96eg9qQlljA=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.15.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=830a9628b2c9e1b6388af624aaf4a80818ed6be0";
      sha256 = "sha256-8fna2VbbUw8zBx77osaOOHlZFgRrHqwQK87RoUtCF6w=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.16.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=3e4817538de828319ba6d59ced2fbb9b5ca13287";
      sha256 = "sha256-iCZAyRS/a15x5aJCJBYl9nw6Hc3WRCUG7zF5V+OwDKg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.17.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f407e34f3871a4c402bbd516e7c28ea193cef1b7";
      sha256 = "sha256-S45cLZNTWapAodKudUz2fMjnPsW6vbtNz0bIvIBGmu4=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.18.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c1b7eef9fa4aaefbf7d0507505c3bb2914e1ad6b";
      sha256 = "sha256-TWPfEAOePwC77yiVdsTSZIjfsMp7+0XabCz9K3FlV7w=";
    })
    ## Needed to apply patch 19
    (fetchpatch {
      name = "net-remove-trailing-whitespaces.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e453a4a64392a41bc7b37f890aceb358112d1687";
      sha256 = "sha256-JCbUB77Y6js5u99uJ9StDxNjjahNy4nO3crK8/GvmPY=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.19.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=96abf4fb9d829f4a405d5df39bc74bbccbd0e322";
      sha256 = "sha256-6E2MKO5kauFA1TA8YkUgIUusniwHS2Sr44A/a7ZqDCo=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.20.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ee9652031491326736714a988fbbaeab8ef9255c";
      sha256 = "sha256-E21q+Mj+JBQlUW0pe4zbaoL3ErXmCanyizwAsRYYZHk=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.21.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=8f287c3e13da2bf82049e2e464eca7ca4fef0a85";
      sha256 = "sha256-dZ24RwYsHeUrMuiU7PDgPcw+iK9cOd6q+E0xWXbtTkE=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.22.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=dad94fffe14be476df5f34a8e5a90ea62a41fe12";
      sha256 = "sha256-06TyTEvSy19dsnXZZoKBGx7ymJVWogr0NorzLflEwY4=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.23.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=ec6bfd3237394c1c7dbf2fd73417173318d22f4b";
      sha256 = "sha256-NryxSekO8oSxsnv5G9mFZExm4Pwfc778mslyUDuDhlM=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.24.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4";
      sha256 = "sha256-fSH3cxl/76DwkE8dHSR9uao9Vf1sJrhz7SmUSgDNodI=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.25.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=4bd9877f62166b7e369773ab92fe24a39f6515f8";
      sha256 = "sha256-VMtR/sF8F1BMKmJ06ZZEPNH/+l0RySy/E6lVWdCyFKE=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.26.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=deae293f399dde3773cf37dfa9b77ca7e04ef772";
      sha256 = "sha256-sCC3KE9adavw7jHMTVlxtyuwDFCPRDqT24H3AKUYf68=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.27.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=e40b83335bb33d9a2d1c06cc269875b3b3d6c539";
      sha256 = "sha256-cviCfBkzacAtnHGW87RLshhduE4Ym/v2Vq4h/sZDmZg=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.28.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=11e1cffb7e2492ddac4ab8d19ce466783adbb957";
      sha256 = "sha256-I1feoneVeU3XkscKfVprWWJfLUnrc5oauMXYDyDxo5M=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.29.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=13dce204cf6f3f0f49c9949971052a4c9657c0c0";
      sha256 = "sha256-DzFHxgR9A8FNZ/y9OMeBvTp1K6J5ePyL06dhHQmk7Ik=";
    })
    (fetchpatch {
      name = "CVE-2021-3695.CVE-2021-3696.CVE-2021-3697.CVE-2022-28733.CVE-2022-28734.CVE-2022-28735.CVE-2022-28736.CVE-2022-28737.30.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=2f4430cc0a44fd8c8aa7aee5c51887667ad3d6c3";
      sha256 = "sha256-AufP/10/auO4NMjYQ7yPDDbYShwGaktyQtqJx2Jasz8=";
    })
    # October 2022 security patches
    # https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.1.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=f6b6236077f059e64ee315f2d7acb8fa4eda87c5";
      sha256 = "sha256-pk02iVf/u6CdsVjl8HaFBh0Bt473ZQzz5zBp9SoBLtE=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.2.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9c76ec09ae08155df27cd237eaea150b4f02f532";
      sha256 = "sha256-axbEOH5WFkUroGna2XY1f2kq7+B1Cs6LiubIA2EBdiM=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.3.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e";
      sha256 = "sha256-aKDUVS/Yx1c87NCrt4EG8BlSpkHijUyAJIwbmtzNjD8=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.4.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c51292274ded3259eb04c2f1c8d253ffbdb5216a";
      sha256 = "sha256-OLNOKuAJuHy2MBMnU2xcYM7AaxmDk9fchXhggoDrxJU=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.5.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=23843fe8947e4da955a05ad3d1858725bfcb56c8";
      sha256 = "sha256-ptn00nqVJlEb1c6HhoMy9nrBuctH077LM4yXKsK47gc=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.6.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b9396daf1c2e3cdc0a1e69b056852e0769fb24de";
      sha256 = "sha256-K7XNneDZjLpZh/C908+5uYsB/0oIdgQqmk0yJrdQLG4=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.7.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1d2015598cc7a9fca4b39186273e3519a88e80c7";
      sha256 = "sha256-s4pZtszH4b/0u85rpzVapZmNQdYEq/wW06SQ3PW/1aU=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.8.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=93a786a00163e50c29f0394df198518617e1c9a5";
      sha256 = "sha256-R8x557RMAxJ0ZV2jb6zDmwOPVlk6875q37fNpqKsPT0=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.9.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1eac01c147b4d85d2ec4a7e5671fa4345f2e8549";
      sha256 = "sha256-eOnhmU3pT5cCVnNHcY/BzDjldfs7yh/OGsxa15tGv94=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.10.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=992c06191babc1e109caf40d6a07ec6fdef427af";
      sha256 = "sha256-kezNKPcLmFXwyZbXtJbaPTIbE8tijmHIzdC2jsKwrNk=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.11.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=9d81f71c6b8f55cf20cd56f5fe29c759df9b48cc";
      sha256 = "sha256-jnniVGy4KvFGFmcOP2YLA46k3cK8vwoByo19ismVUzE=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.12.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=22b77b87e10a3a6c9bb9885415bc9a9c678378e6";
      sha256 = "sha256-iYTEqN5997I7MVIg82jt/bbEAYhcgq8fNRCNPpY9ze0=";
    })
    (fetchpatch {
      name = "CVE-2022-2601.CVE-2022-3775.13.patch";
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=1514678888595ef41a968a0c69b7ff769edd1e9c";
      sha256 = "sha256-tgAEoAtaNKJjscjMFkXXiVn59Pa4c+NiQ3iVW6CMrpo=";
    })
  ];
  postPatch = if kbdcompSupport then ''
    sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@'
  '' else ''
    echo '#! ${runtimeShell}' > util/grub-kbdcomp.in
    echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in
  '';
-  # autoreconfHook required for the splashimage patch.
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ autoreconfHook ];
+  nativeBuildInputs = [ bison flex python3 pkg-config gettext freetype autoreconfHook ];
-  buildInputs = [ texinfo ];
+  buildInputs = [ ncurses libusb-compat-0_1 freetype lvm2 fuse libtool bash ]
    ++ lib.optional doCheck qemu
    ++ lib.optional zfsSupport zfs;
-  hardeningDisable = [ "format" "stackprotector" ];
+  strictDeps = true;
-  passthru.grubTarget = "";
+  hardeningDisable = [ "all" ];
  separateDebugInfo = !xenSupport;
  # Work around a bug in the generated flex lexer (upstream flex bug?)
  env.NIX_CFLAGS_COMPILE = "-Wno-error";
  preConfigure =
    '' for i in "tests/util/"*.in
       do
         sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
       done
       # Apparently, the QEMU executable is no longer called
       # `qemu-system-i386', even on i386.
       #
       # In addition, use `-nodefaults' to avoid errors like:
       #
       #  chardev: opening backend "stdio" failed
       #  qemu: could not open serial device 'stdio': Invalid argument
       #
       # See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
       sed -i "tests/util/grub-shell.in" \
           -e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
      unset CPP # setting CPP intereferes with dependency calculation
      patchShebangs .
      substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts'
    '';
  configureFlags = [
    "--enable-grub-mount" # dep of os-prober
  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
    # grub doesn't do cross-compilation as usual and tries to use unprefixed
    # tools to target the host. Provide toolchain information explicitly for
    # cross builds.
    #
    # Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108
    "TARGET_CC=${stdenv.cc.targetPrefix}cc"
    "TARGET_NM=${stdenv.cc.targetPrefix}nm"
    "TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy"
    "TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib"
    "TARGET_STRIP=${stdenv.cc.targetPrefix}strip"
  ] ++ lib.optional zfsSupport "--enable-libzfs"
    ++ lib.optionals efiSupport [ "--with-platform=efi" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}" "--program-prefix=" ]
    ++ lib.optionals xenSupport [ "--with-platform=xen" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}"];
  # save target that grub is compiled for
  grubTarget = if efiSupport
               then "${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi"
               else lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc";
  doCheck = false;
  enableParallelBuilding = true;
  postInstall = ''
    # Avoid a runtime reference to gcc
    sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
    # just adding bash to buildInputs wasn't enough to fix the shebang
    substituteInPlace $out/lib/grub/*/modinfo.sh \
      --replace ${buildPackages.bash} "/usr/bin/bash"
  '';
  passthru.tests = {
    nixos-grub = nixosTests.grub;
    nixos-install-simple = nixosTests.installer.simple;
    nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub;
    nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation;
  };
  meta = with lib; {
-    homepage = "https://www.gnu.org/software/grub";
+    description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";
-    description = "GRand Unified Bootloader";
+
-    license = licenses.gpl2;
+    longDescription =
-    platforms = platforms.linux;
+      '' GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand
         Unified Bootloader, which was originally designed and implemented by
         Erich Stefan Boleyn.
         Briefly, the boot loader is the first software program that runs when a
         computer starts.  It is responsible for loading and transferring
         control to the operating system kernel software (such as the Hurd or
         the Linux).  The kernel, in turn, initializes the rest of the
         operating system (e.g., GNU).
      '';
    homepage = "https://www.gnu.org/software/grub/";
    license = licenses.gpl3Plus;
    platforms = platforms.gnu ++ platforms.linux;
    maintainers = [ maintainers.samueldr ];
  };
-}
+})
--- a/pkgs/tools/misc/grub/grub1.patches.nix
+++ b/pkgs/tools/misc/grub/grub1.patches.nix
@ -1,34 +0,0 @@
 # Generated by grub1-patches.sh
 let
  prefix = "https://salsa.debian.org/grub-team/grub-legacy/raw/1dad5507d74ef97fdd3c6cf2a028084f6f2850c3/debian/patches";
 in
 [
 { url = "${prefix}/snapshot.patch"; sha256 = "0ixymrn5w1dq0kkxnzdjwwvhjchgyrlivfvnrfncxcv30v84xzna"; }
 { url = "${prefix}/menu.lst_gnu-hurd.patch"; sha256 = "0mz8dvgmxlyrl28dza1ncfq1xipihxgymw4aw688bgg7xxmw7jbs"; }
 { url = "${prefix}/graphics.patch"; sha256 = "1v9kp832f3rhncfdrd28djhw0zfrznfmiadch33mclnkcxprcqcs"; }
 { url = "${prefix}/raid.patch"; sha256 = "0cq6dz5s7m48g76frvbf296bv4pvqkxqcbydsvs43ymqdsary7hj"; }
 { url = "${prefix}/raid_cciss.patch"; sha256 = "0sy5xvzjsllgbn26nykkq4b69lp1fcwjkjs2kmxq38sk3dzadjfl"; }
 { url = "${prefix}/xfs_freeze.patch"; sha256 = "1wqgj8ar4x4zwa37bj4a7kldiz5v92msigy3cv879nnk6sz4rmhg"; }
 { url = "${prefix}/2gb_limit.patch"; sha256 = "06f9lfl4va3alz87wzli0df5ay0xxlqj2akr2dcay6jr27z6ks29"; }
 { url = "${prefix}/grub-special_device_names.patch"; sha256 = "098608xh20sqdjqf42fm2z23r8xd9ify1v0vmy1j9qhrhk3g9qyz"; }
 { url = "${prefix}/grub-xvd_drives.patch"; sha256 = "13k0m1c1w5d1d4qd1bshjc8kp7qba4agk2j64gb7mg8vfzjd35bj"; }
 { url = "${prefix}/initrd_max_address.patch"; sha256 = "05q90rxdnyncpanhbkrknshkk7g8ff4v8fpk7wj4sg8666d9llg3"; }
 { url = "${prefix}/splashimage_help.patch"; sha256 = "1lj3xh56wf1pdcf0fg585vmggrz7qqfzbhg91qv0rf4snf3ybfvr"; }
 { url = "${prefix}/grub-install_addsyncs.patch"; sha256 = "1dzcpxi806kw3j8mx4amyy4ibc0ir3qhqyyyxz3w43741p351r65"; }
 { url = "${prefix}/grub-install_regexp.patch"; sha256 = "0ph9lb63x858019c25aa3fpsm8rzn00ad8fp88yqqvq0xq2jxq69"; }
 { url = "${prefix}/grub-install_aoe_support.patch"; sha256 = "19szmvg13h2hhijrwbgdszldg26iz7vjnagvajxb7nav7vca6k3n"; }
 { url = "${prefix}/grub-install_xvd.patch"; sha256 = "1cgh731nhs0chj2r2dzh5dcfj5xmap34i3fk0i0aq59j83cwflgz"; }
 { url = "${prefix}/geometry-26kernel.patch"; sha256 = "01vka7jrxrwlj9m1d6schygyh964a3k1rdrm3j9x910xkz74i13n"; }
 { url = "${prefix}/print_func.patch"; sha256 = "0dvrcy1i58fgrv2x1qniqfr5az9b834hm5l94k0cy8ii2nfvk27g"; }
 { url = "${prefix}/mprotect.patch"; sha256 = "0ahgnhgw2b86j024ajs6m3h2fy2shqdssjzz0ahk8ny9f4mnvns6"; }
 { url = "${prefix}/savedefault.patch"; sha256 = "1l6x1s9mxkrf3k4j9dpg7qhvrk816vs70sw073iiisvqspnrz2j3"; }
 { url = "${prefix}/find-grub-dir.patch"; sha256 = "1vkgig4dylji03jflwikhap87lz8l470ck1bhmcy8jh0slg6ndbf"; }
 { url = "${prefix}/intelmac.patch"; sha256 = "04l9mk9xm9ml8vdlpbv3qbj7gbaa0g5k4dl7xp8wm7kmqwxd9l3m"; }
 { url = "${prefix}/crossreference_manpages.patch"; sha256 = "0kd12ck4s4bg414fmllgvq8n4b58i3kgdhmcx6riaz43gg2g2b9p"; }
 { url = "${prefix}/ext3_256byte_inode.patch"; sha256 = "0ay9svbdj7mw8p1ld0iiryg6nhd9hc1xpmr9rqg9990xzmg2h4pi"; }
 { url = "${prefix}/objcopy-absolute.patch"; sha256 = "0hkmicjli7bsmc56kr40ls21v6x3yd188xpwc08dvqxnb0763077"; }
 { url = "${prefix}/no-reorder-functions.patch"; sha256 = "0gmv0nzkqim2901hd0an90kwnr83155qp2zjp52biznad2p415gw"; }
 { url = "${prefix}/modern-automake.patch"; sha256 = "08l3y6cbk6gfj63kpqlpzrlain7nmvki7jjjxq86n7himj078znj"; }
 { url = "${prefix}/no-combine-stack-adjustments.patch"; sha256 = "0h4di8zja0rg45rs02x9qm8q1vxly1bcl6ms08wgdl5ywn6849nr"; }
 { url = "${prefix}/no-pie.patch"; sha256 = "0kshdsclza7lsd31apd28qq04arv42nd6wsj2v6q6jx7f8bgdaqw"; }
 ]
--- a/pkgs/tools/misc/grub/grub1.patches.sh
+++ b/pkgs/tools/misc/grub/grub1.patches.sh
@ -1,70 +0,0 @@
 #!/usr/bin/env nix-shell
 #!nix-shell -p nix -i bash --pure
 # Does like `maintainers/scripts/debian-patches.sh`, but specialized for
 # grub1 patches, and using the new salsa service.
 # Most common usage: `pkgs/tools/misc/grub/grub1.patches.sh pkgs/tools/misc/grub/grub1.patches.nix`
 # That is, after updating the script with the new list from the series file,
 # removing (by commenting) patches as required.
 set -e
 set -u
 # https://salsa.debian.org/grub-team/grub-legacy/tree/master/debian/patches
 SERIES=(
    snapshot.patch
    menu.lst_gnu-hurd.patch
    graphics.patch
    raid.patch
    raid_cciss.patch
    xfs_freeze.patch
    2gb_limit.patch
    grub-special_device_names.patch
    grub-xvd_drives.patch
    initrd_max_address.patch
    splashimage_help.patch
    grub-install_addsyncs.patch
    grub-install_regexp.patch
    grub-install_aoe_support.patch
    grub-install_xvd.patch
    geometry-26kernel.patch
    print_func.patch
    mprotect.patch
    savedefault.patch
    find-grub-dir.patch
    intelmac.patch
    crossreference_manpages.patch
    ext3_256byte_inode.patch
    # Breaks on NixOS.
    #use_grub-probe_in_grub-install.patch
    objcopy-absolute.patch
    no-reorder-functions.patch
    # We aren't building amd64 binaries, see #244498
    #fix_amd64_compile.patch
    modern-automake.patch
    no-combine-stack-adjustments.patch
    no-pie.patch
 )
 # Revision mapping to current tip of the 0.97-73 branch.
 rev="1dad5507d74ef97fdd3c6cf2a028084f6f2850c3"
 prefix="https://salsa.debian.org/grub-team/grub-legacy/raw/${rev}/debian/patches"
 FILE="$1"
 shift
 cat <<EOF > "$FILE"
 # Generated by grub1-patches.sh
 let
  prefix = "${prefix}";
 in
 [
 EOF
 for PATCH in "${SERIES[@]}"; do
    URL="$prefix/$PATCH"
    HASH="$(nix-prefetch-url "$URL")"
    echo "{ url = \"\${prefix}/$PATCH\"; sha256 = \"$HASH\"; }" >> "$FILE"
 done
 echo "]" >> "$FILE"
--- a/pkgs/tools/misc/grub/symlink.patch
+++ b/pkgs/tools/misc/grub/symlink.patch
@ -1,37 +0,0 @@
 diff -rc grub-0.97-orig/util/grub-install.in grub-0.97/util/grub-install.in
 *** grub-0.97-orig/util/grub-install.in	2008-09-18 11:32:13.000000000 +0200
 --- grub-0.97/util/grub-install.in	2008-09-18 11:36:40.000000000 +0200
 ***************
 *** 194,217 ****
  # Usage: resolve_symlink file
  # Find the real file/device that file points at
  resolve_symlink () {
 ! 	tmp_fname=$1
 ! 	# Resolve symlinks
 ! 	while test -L $tmp_fname; do
 ! 		tmp_new_fname=`ls -al $tmp_fname | sed -n 's%.*-> \(.*\)%\1%p'`
 ! 		if test -z "$tmp_new_fname"; then
 ! 			echo "Unrecognized ls output" 2>&1
 ! 			exit 1
 ! 		fi
 ! 
 ! 		# Convert relative symlinks
 ! 		case $tmp_new_fname in
 ! 			/*) tmp_fname="$tmp_new_fname"
 ! 			;;
 ! 			*) tmp_fname="`echo $tmp_fname | sed 's%/[^/]*$%%'`/$tmp_new_fname"
 ! 			;;
 ! 		esac
 ! 	done
 ! 	echo "$tmp_fname"
  }
  # Usage: find_device file
 --- 194,200 ----
  # Usage: resolve_symlink file
  # Find the real file/device that file points at
  resolve_symlink () {
 ! 	readlink -f $1
  }
  # Usage: find_device file
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@ -648,6 +648,7 @@ mapAliases ({
  gr-osmosdr = gnuradio3_7.pkgs.osmosdr; # Added 2019-05-27, changed 2020-10-16
  gr-rds = gnuradio3_7.pkgs.rds; # Added 2019-05-27, changed 2020-10-16
  grub2_full = grub2; # Added 2022-11-18
  grub = throw "grub1 was removed after not being maintained upstream for a decade. Please switch to another bootloader"; # Added 2023-04-11
  grv = throw "grv has been dropped due to the lack of maintenance from upstream since 2019"; # Added 2022-06-01
  gsettings_desktop_schemas = throw "'gsettings_desktop_schemas' has been renamed to/replaced by 'gsettings-desktop-schemas'"; # Converted to throw 2022-02-22
  gsl_1 = throw "'gsl_1' has been renamed to/replaced by 'gsl'"; # Added 2022-11-19
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -8168,15 +8168,11 @@ with pkgs;
  grpc-client-cli = callPackage ../development/tools/misc/grpc-client-cli { };
  grub = pkgsi686Linux.callPackage ../tools/misc/grub ({
    stdenv = overrideCC stdenv buildPackages.pkgsi686Linux.gcc6;
  } // (config.grub or {}));
  trustedGrub = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { };
  trustedGrub-for-HP = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { for_HP_laptop = true; };
-  grub2 = callPackage ../tools/misc/grub/2.0x.nix {
+  grub2 = callPackage ../tools/misc/grub/default.nix {
    # update breaks grub2
    gnulib = pkgs.gnulib.overrideAttrs (_: rec {
      version = "20200223";