From b17a8a19e232caaffe62f369269ec9614e00ba4c Mon Sep 17 00:00:00 2001
From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
Date: Fri, 7 Aug 2020 12:56:45 +0200
Subject: libre: Add grub-crypt-git

Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
---
 ...35x_bone+am335x_boneblack-devicetree-file.patch |  92 +++
 ...x_xen-detect-omap3_beagle-devicetree-file.patch |  58 ++
 ...en-detect-omap3_beagle_xm-devicetree-file.patch |  58 ++
 ...detect-omap3_beagle_xm_ab-devicetree-file.patch |  58 ++
 ...ux-20_linux_xen-detect-parabola-initramfs.patch | 126 +++
 ...-20_linux_xen-detect-udoo-devicetree-file.patch |  58 ++
 ...0_linux-20_linux_xen-rebrand-free-distros.patch |  44 ++
 .../0004-add-GRUB_COLOR_variables.patch            |  32 +
 libre/grub-crypt-git/09_parabola                   | 195 +++++
 libre/grub-crypt-git/PKGBUILD                      | 873 +++++++++++++++++++++
 libre/grub-crypt-git/arm-extra                     | 333 ++++++++
 libre/grub-crypt-git/grub.default                  |  57 ++
 libre/grub-crypt-git/grub.install                  |  17 +
 ...sk-luks-unify-grub_cryptodisk_dev-functio.patch |  38 +
 ...sk-geli-unify-grub_cryptodisk_dev-functio.patch |  49 ++
 ...sk-enable-the-backends-to-implement-detac.patch | 285 +++++++
 ...sk-add-support-for-LUKS1-detached-headers.patch | 114 +++
 ...sk-enable-the-backends-to-implement-key-f.patch | 251 ++++++
 ...ryptodisk-Add-support-for-LUKS1-key-files.patch |  97 +++
 19 files changed, 2835 insertions(+)
 create mode 100644 libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch
 create mode 100644 libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch
 create mode 100644 libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm-devicetree-file.patch
 create mode 100644 libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm_ab-devicetree-file.patch
 create mode 100644 libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch
 create mode 100644 libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch
 create mode 100644 libre/grub-crypt-git/0003-10_linux-20_linux_xen-rebrand-free-distros.patch
 create mode 100644 libre/grub-crypt-git/0004-add-GRUB_COLOR_variables.patch
 create mode 100644 libre/grub-crypt-git/09_parabola
 create mode 100644 libre/grub-crypt-git/PKGBUILD
 create mode 100644 libre/grub-crypt-git/arm-extra
 create mode 100644 libre/grub-crypt-git/grub.default
 create mode 100644 libre/grub-crypt-git/grub.install
 create mode 100644 libre/grub-crypt-git/v6-0001-cryptodisk-luks-unify-grub_cryptodisk_dev-functio.patch
 create mode 100644 libre/grub-crypt-git/v6-0002-cryptodisk-geli-unify-grub_cryptodisk_dev-functio.patch
 create mode 100644 libre/grub-crypt-git/v6-0003-cryptodisk-enable-the-backends-to-implement-detac.patch
 create mode 100644 libre/grub-crypt-git/v6-0004-cryptodisk-add-support-for-LUKS1-detached-headers.patch
 create mode 100644 libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch
 create mode 100644 libre/grub-crypt-git/v6-0006-cryptodisk-Add-support-for-LUKS1-key-files.patch

(limited to 'libre/grub-crypt-git')

diff --git a/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch
new file mode 100644
index 000000000..b620a39d0
--- /dev/null
+++ b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch
@@ -0,0 +1,92 @@
+diff -Nur a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+--- a/util/grub.d/10_linux.in	2015-10-16 08:28:56.901970897 -0300
++++ b/util/grub.d/10_linux.in	2015-10-16 08:30:45.112786124 -0300
+@@ -139,6 +139,25 @@
+ 	initrd	${rel_dirname}/${initrd}
+ EOF
+   fi
++  if [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BONE' ]; then
++    if test -f "${rel_dirname}/dtbs/${version}/am335x-bone.dtb" ; then
++    # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++    message="$(gettext_printf "Loading devices tree file ...")"
++    sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/am335x-bone.dtb
++EOF
++    fi
++  elif [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BNLT' ]; then
++    if test -f "${rel_dirname}/dtbs/${version}/am335x-boneblack.dtb" ; then
++    # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++    message="$(gettext_printf "Loading devices tree file ...")"
++    sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/am335x-boneblack.dtb
++EOF
++    fi
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -222,6 +241,16 @@
+     linux_root_device_thisversion=${GRUB_DEVICE}
+   fi
+ 
++  if [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BONE' ]; then
++    if test -f "${dirname}/dtbs/${version}/am335x-bone.dtb" ; then
++      gettext_printf "Found device tree file: %s\n" "${dirname}/dtbs/${version}/am335x-bone.dtb" >&2
++    fi
++  elif [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BNLT' ]; then
++    if test -f "${dirname}/dtbs/${version}/am335x-boneblack.dtb" ; then
++      gettext_printf "Found device tree file: %s\n" "${dirname}/dtbs/${version}/am335x-boneblack.dtb" >&2
++    fi
++  fi
++
+   if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+     linux_entry "${OS}" "${version}" simple \
+     "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+diff -Nur a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
+--- a/util/grub.d/20_linux_xen.in	2015-10-16 08:28:56.901970897 -0300
++++ b/util/grub.d/20_linux_xen.in	2015-10-16 08:31:03.152921373 -0300
+@@ -132,6 +132,25 @@
+ 	module	--nounzip   ${rel_dirname}/${initrd}
+ EOF
+   fi
++  if [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BONE' ]; then
++    if test -f "${rel_dirname}/dtbs/${version}/am335x-bone.dtb" ; then
++    # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++    message="$(gettext_printf "Loading devices tree file ...")"
++    sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/am335x-bone.dtb
++EOF
++    fi
++  elif [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BNLT' ]; then
++    if test -f "${rel_dirname}/dtbs/${version}/am335x-boneblack.dtb" ; then
++    # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++    message="$(gettext_printf "Loading devices tree file ...")"
++    sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/am335x-boneblack.dtb
++EOF
++    fi
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -235,6 +254,16 @@
+ 	    linux_root_device_thisversion=${GRUB_DEVICE}
+ 	fi
+ 
++  if [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BONE' ]; then
++    if test -f "${dirname}/dtbs/${version}/am335x-bone.dtb" ; then
++      gettext_printf "Found device tree file: %s\n" "${dirname}/dtbs/${version}/am335x-bone.dtb" >&2
++    fi
++  elif [ "$(cat /sys/devices/platform/bone_capemgr/baseboard/board-name)" = 'A335BNLT' ]; then
++    if test -f "${dirname}/dtbs/${version}/am335x-boneblack.dtb" ; then
++      gettext_printf "Found device tree file: %s\n" "${dirname}/dtbs/${version}/am335x-boneblack.dtb" >&2
++    fi
++  fi
++
+ 	if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+ 	    linux_entry "${OS}" "${version}" "${xen_version}" simple \
+ 		"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
diff --git a/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch
new file mode 100644
index 000000000..0e5bc382a
--- /dev/null
+++ b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch
@@ -0,0 +1,58 @@
+diff -Nur a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+--- a/util/grub.d/10_linux.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/10_linux.in	2015-09-27 18:43:26.911364096 -0300
+@@ -139,6 +139,14 @@
+ 	initrd	${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/omap3-beagle.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/omap3-beagle.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -222,6 +230,10 @@
+     linux_root_device_thisversion=${GRUB_DEVICE}
+   fi
+ 
++  if test -d "${dirname}/dtbs/${version}/omap3-beagle.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/omap3-beagle.dtb" >&2
++  fi
++
+   if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+     linux_entry "${OS}" "${version}" simple \
+     "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+diff -Nur a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
+--- a/util/grub.d/20_linux_xen.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/20_linux_xen.in	2015-09-27 18:47:34.953427471 -0300
+@@ -132,6 +132,14 @@
+ 	module	--nounzip   ${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/omap3-beagle.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/omap3-beagle.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -235,6 +243,10 @@
+ 	    linux_root_device_thisversion=${GRUB_DEVICE}
+ 	fi
+ 
++  if test -d "${dirname}/dtbs/${version}/omap3-beagle.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/omap3-beagle.dtb" >&2
++  fi
++
+ 	if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+ 	    linux_entry "${OS}" "${version}" "${xen_version}" simple \
+ 		"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
diff --git a/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm-devicetree-file.patch b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm-devicetree-file.patch
new file mode 100644
index 000000000..387ebbcc5
--- /dev/null
+++ b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm-devicetree-file.patch
@@ -0,0 +1,58 @@
+diff -Nur a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+--- a/util/grub.d/10_linux.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/10_linux.in	2015-09-27 18:43:26.911364096 -0300
+@@ -139,6 +139,14 @@
+ 	initrd	${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/omap3-beagle-xm.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/omap3-beagle-xm.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -222,6 +230,10 @@
+     linux_root_device_thisversion=${GRUB_DEVICE}
+   fi
+ 
++  if test -d "${dirname}/dtbs/${version}/omap3-beagle-xm.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/omap3-beagle-xm.dtb" >&2
++  fi
++
+   if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+     linux_entry "${OS}" "${version}" simple \
+     "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+diff -Nur a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
+--- a/util/grub.d/20_linux_xen.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/20_linux_xen.in	2015-09-27 18:47:34.953427471 -0300
+@@ -132,6 +132,14 @@
+ 	module	--nounzip   ${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/omap3-beagle-xm.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/omap3-beagle-xm.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -235,6 +243,10 @@
+ 	    linux_root_device_thisversion=${GRUB_DEVICE}
+ 	fi
+ 
++  if test -d "${dirname}/dtbs/${version}/omap3-beagle-xm.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/omap3-beagle-xm.dtb" >&2
++  fi
++
+ 	if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+ 	    linux_entry "${OS}" "${version}" "${xen_version}" simple \
+ 		"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
diff --git a/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm_ab-devicetree-file.patch b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm_ab-devicetree-file.patch
new file mode 100644
index 000000000..31b59890e
--- /dev/null
+++ b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm_ab-devicetree-file.patch
@@ -0,0 +1,58 @@
+diff -Nur a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+--- a/util/grub.d/10_linux.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/10_linux.in	2015-09-27 18:43:26.911364096 -0300
+@@ -139,6 +139,14 @@
+ 	initrd	${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -222,6 +230,10 @@
+     linux_root_device_thisversion=${GRUB_DEVICE}
+   fi
+ 
++  if test -d "${dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb" >&2
++  fi
++
+   if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+     linux_entry "${OS}" "${version}" simple \
+     "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+diff -Nur a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
+--- a/util/grub.d/20_linux_xen.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/20_linux_xen.in	2015-09-27 18:47:34.953427471 -0300
+@@ -132,6 +132,14 @@
+ 	module	--nounzip   ${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -235,6 +243,10 @@
+ 	    linux_root_device_thisversion=${GRUB_DEVICE}
+ 	fi
+ 
++  if test -d "${dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/omap3-beagle-xm-ab.dtb" >&2
++  fi
++
+ 	if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+ 	    linux_entry "${OS}" "${version}" "${xen_version}" simple \
+ 		"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
diff --git a/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch
new file mode 100644
index 000000000..8184871b5
--- /dev/null
+++ b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch
@@ -0,0 +1,126 @@
+diff -Nur a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+--- a/util/grub.d/10_linux.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/10_linux.in	2015-09-27 15:34:19.822404966 -0300
+@@ -80,9 +80,11 @@
+   if [ x$type != xsimple ] ; then
+       case $type in
+ 	  recovery)
+-	      title="$(gettext_printf "%s, with Linux %s (recovery mode)" "${os}" "${version}")" ;;
++	      title="$(gettext_printf "%s, %s kernel (recovery mode)" "${os}" "${version}")" ;;
++	  fallback)
++	      title="$(gettext_printf "%s, %s kernel (fallback initramfs)" "${os}" "${version}")" ;;
+ 	  *)
+-	      title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;;
++	      title="$(gettext_printf "%s, %s kernel" "${os}" "${version}")" ;;
+       esac
+       if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
+ 	  replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
+@@ -94,7 +96,7 @@
+   else
+       echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+   fi      
+-  if [ x$type != xrecovery ] ; then
++  if [ x$type != xrecovery ] && [ x$type != xfallback ] ; then
+       save_default_entry | grub_add_tab
+   fi
+ 
+@@ -126,7 +128,7 @@
+     fi
+     printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
+   fi
+-  message="$(gettext_printf "Loading Linux %s ..." ${version})"
++  message="$(gettext_printf "Loading %s kernel ..." ${version})"
+   sed "s/^/$submenu_indentation/" << EOF
+ 	echo	'$(echo "$message" | grub_quote)'
+ 	linux	${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args}
+@@ -182,7 +184,7 @@
+   basename=`basename $linux`
+   dirname=`dirname $linux`
+   rel_dirname=`make_system_path_relative_to_its_root $dirname`
+-  version=`echo $basename | sed -e "s,^[^0-9]*-,,g"`
++  version=`echo $basename | sed -e "s,vmlinuz-,,g"`
+   alt_version=`echo $version | sed -e "s,\.old$,,g"`
+   linux_root_device_thisversion="${LINUX_ROOT_DEVICE}"
+ 
+@@ -238,6 +240,18 @@
+ 
+   linux_entry "${OS}" "${version}" advanced \
+               "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
++  
++  if test -e "${dirname}/initramfs-${version}-fallback.img" ; then
++    initrd="initramfs-${version}-fallback.img"
++    
++    if test -n "${initrd}" ; then
++      gettext_printf "Found fallback initramfs image: %s\n" "${dirname}/${initrd}" >&2
++    fi
++    
++    linux_entry "${OS}" "${version}" fallback \
++                "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
++  fi
++  
+   if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then
+     linux_entry "${OS}" "${version}" recovery \
+                 "single ${GRUB_CMDLINE_LINUX}"
+diff -Nur a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
+--- a/util/grub.d/20_linux_xen.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/20_linux_xen.in	2015-09-27 15:35:00.589739244 -0300
+@@ -88,9 +88,11 @@
+   fi
+   if [ x$type != xsimple ] ; then
+       if [ x$type = xrecovery ] ; then
+-	  title="$(gettext_printf "%s, with Xen %s and Linux %s (recovery mode)" "${os}" "${xen_version}" "${version}")"
++	  title="$(gettext_printf "%s, with Xen %s and %s kernel (recovery mode)" "${os}" "${xen_version}" "${version}")"
++      elif [ x$type = xfallback ] ; then
++	  title="$(gettext_printf "%s, with Xen %s and %s kernel (fallback initramfs)" "${os}" "${xen_version}" "${version}")"
+       else
+-	  title="$(gettext_printf "%s, with Xen %s and Linux %s" "${os}" "${xen_version}" "${version}")"
++	  title="$(gettext_printf "%s, with Xen %s and %s kernel" "${os}" "${xen_version}" "${version}")"
+       fi
+       replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
+       if [ x"Xen ${xen_version}>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
+@@ -103,7 +105,7 @@
+       title="$(gettext_printf "%s, with Xen hypervisor" "${os}")"
+       echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'xen-gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
+   fi
+-  if [ x$type != xrecovery ] ; then
++  if [ x$type != xrecovery ] && [ x$type != xfallback ] ; then
+       save_default_entry | grub_add_tab | sed "s/^/$submenu_indentation/"
+   fi
+ 
+@@ -112,7 +114,7 @@
+   fi
+   printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/"
+   xmessage="$(gettext_printf "Loading Xen %s ..." ${xen_version})"
+-  lmessage="$(gettext_printf "Loading Linux %s ..." ${version})"
++  lmessage="$(gettext_printf "Loading %s kernel ..." ${version})"
+   sed "s/^/$submenu_indentation/" << EOF
+ 	echo	'$(echo "$xmessage" | grub_quote)'
+         if [ "\$grub_platform" = "pc" -o "\$grub_platform" = "" ]; then
+@@ -210,7 +212,7 @@
+ 	basename=`basename $linux`
+ 	dirname=`dirname $linux`
+ 	rel_dirname=`make_system_path_relative_to_its_root $dirname`
+-	version=`echo $basename | sed -e "s,^[^0-9]*-,,g"`
++	version=`echo $basename | sed -e "s,vmlinuz-,,g"`
+ 	alt_version=`echo $version | sed -e "s,\.old$,,g"`
+ 	linux_root_device_thisversion="${LINUX_ROOT_DEVICE}"
+ 
+@@ -252,6 +254,18 @@
+ 
+ 	linux_entry "${OS}" "${version}" "${xen_version}" advanced \
+ 	    "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
++
++	if test -e "${dirname}/initramfs-${version}-fallback.img" ; then
++	    initrd="initramfs-${version}-fallback.img"
++	    
++	    if test -n "${initrd}" ; then
++	        gettext_printf "Found fallback initramfs image: %s\n" "${dirname}/${initrd}" >&2
++	    fi
++	    
++	    linux_entry "${OS}" "${version}" "${xen_version}" fallback \
++	        "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
++	fi
++
+ 	if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then
+ 	    linux_entry "${OS}" "${version}" "${xen_version}" recovery \
+ 		"single ${GRUB_CMDLINE_LINUX}" "${GRUB_CMDLINE_XEN}"
diff --git a/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch
new file mode 100644
index 000000000..7cd6be6b4
--- /dev/null
+++ b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch
@@ -0,0 +1,58 @@
+diff -Nur a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+--- a/util/grub.d/10_linux.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/10_linux.in	2015-09-27 18:43:26.911364096 -0300
+@@ -139,6 +139,14 @@
+ 	initrd	${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/imx6q-udoo.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/imx6q-udoo.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -222,6 +230,10 @@
+     linux_root_device_thisversion=${GRUB_DEVICE}
+   fi
+ 
++  if test -d "${dirname}/dtbs/${version}/imx6q-udoo.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/imx6q-udoo.dtb" >&2
++  fi
++
+   if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+     linux_entry "${OS}" "${version}" simple \
+     "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+diff -Nur a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
+--- a/util/grub.d/20_linux_xen.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/20_linux_xen.in	2015-09-27 18:47:34.953427471 -0300
+@@ -132,6 +132,14 @@
+ 	module	--nounzip   ${rel_dirname}/${initrd}
+ EOF
+   fi
++  if test -d "${rel_dirname}/dtbs/${version}/imx6q-udoo.dtb" ; then
++  # TRANSLATORS: Device tree path isn't identifier. Should be translated.
++  message="$(gettext_printf "Loading devices tree path ...")"
++  sed "s/^/$submenu_indentation/" << EOF
++	echo	'$(echo "$message" | grub_quote)'
++	devicetree	${rel_dirname}/dtbs/${version}/imx6q-udoo.dtb
++EOF
++  fi
+   sed "s/^/$submenu_indentation/" << EOF
+ }
+ EOF
+@@ -235,6 +243,10 @@
+ 	    linux_root_device_thisversion=${GRUB_DEVICE}
+ 	fi
+ 
++  if test -d "${dirname}/dtbs/${version}/imx6q-udoo.dtb" ; then
++    gettext_printf "Found device tree directory: %s\n" "${dirname}/dtbs/${version}/imx6q-udoo.dtb" >&2
++  fi
++
+ 	if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
+ 	    linux_entry "${OS}" "${version}" "${xen_version}" simple \
+ 		"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" "${GRUB_CMDLINE_XEN} ${GRUB_CMDLINE_XEN_DEFAULT}"
diff --git a/libre/grub-crypt-git/0003-10_linux-20_linux_xen-rebrand-free-distros.patch b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-rebrand-free-distros.patch
new file mode 100644
index 000000000..47added0d
--- /dev/null
+++ b/libre/grub-crypt-git/0003-10_linux-20_linux_xen-rebrand-free-distros.patch
@@ -0,0 +1,44 @@
+diff -Nur a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+--- a/util/grub.d/10_linux.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/10_linux.in	2015-09-27 14:58:23.533917184 -0300
+@@ -31,7 +31,17 @@
+ if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+   OS=GNU/Linux
+ else
+-  OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++  if echo ${GRUB_DISTRIBUTOR} | grep -qi Parabola ; then
++      OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
++  elif echo ${GRUB_DISTRIBUTOR} | grep -qi Blag ; then
++      OS="${GRUB_DISTRIBUTOR} Linux and GNU"
++  elif echo ${GRUB_DISTRIBUTOR} | grep -qi Musix ; then
++      OS="${GRUB_DISTRIBUTOR} GNU+Linux"
++  elif echo ${GRUB_DISTRIBUTOR} | grep -qi Dragora ; then
++      OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
++  else
++      OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++  fi
+   CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}"
+ fi
+ 
+diff -Nur a/util/grub.d/20_linux_xen.in b/util/grub.d/20_linux_xen.in
+--- a/util/grub.d/20_linux_xen.in	2015-09-27 14:14:45.544730230 -0300
++++ b/util/grub.d/20_linux_xen.in	2015-09-27 14:59:16.319319658 -0300
+@@ -31,7 +31,17 @@
+ if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+   OS=GNU/Linux
+ else
+-  OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++  if echo ${GRUB_DISTRIBUTOR} | grep -qi Parabola ; then
++      OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
++  elif echo ${GRUB_DISTRIBUTOR} | grep -qi Blag ; then
++      OS="${GRUB_DISTRIBUTOR} Linux and GNU"
++  elif echo ${GRUB_DISTRIBUTOR} | grep -qi Musix ; then
++      OS="${GRUB_DISTRIBUTOR} GNU+Linux"
++  elif echo ${GRUB_DISTRIBUTOR} | grep -qi Dragora ; then
++      OS="${GRUB_DISTRIBUTOR} GNU/Linux-libre"
++  else
++      OS="${GRUB_DISTRIBUTOR} GNU/Linux"
++  fi
+   CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}"
+ fi
+ 
diff --git a/libre/grub-crypt-git/0004-add-GRUB_COLOR_variables.patch b/libre/grub-crypt-git/0004-add-GRUB_COLOR_variables.patch
new file mode 100644
index 000000000..c113a81d5
--- /dev/null
+++ b/libre/grub-crypt-git/0004-add-GRUB_COLOR_variables.patch
@@ -0,0 +1,32 @@
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 3390ba9..c416489 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -218,6 +218,8 @@ export GRUB_DEFAULT \
+   GRUB_THEME \
+   GRUB_GFXPAYLOAD_LINUX \
+   GRUB_DISABLE_OS_PROBER \
++  GRUB_COLOR_NORMAL \
++  GRUB_COLOR_HIGHLIGHT \
+   GRUB_INIT_TUNE \
+   GRUB_SAVEDEFAULT \
+   GRUB_ENABLE_CRYPTODISK \
+diff --git a/util/grub.d/00_header.in b/util/grub.d/00_header.in
+index d2e7252..8259f45 100644
+--- a/util/grub.d/00_header.in
++++ b/util/grub.d/00_header.in
+@@ -125,6 +125,14 @@ cat <<EOF
+ 
+ EOF
+ 
++if [ x$GRUB_COLOR_NORMAL != x ] && [ x$GRUB_COLOR_HIGHLIGHT != x ] ; then
++    cat << EOF
++set menu_color_normal=$GRUB_COLOR_NORMAL
++set menu_color_highlight=$GRUB_COLOR_HIGHLIGHT
++
++EOF
++fi
++
+ serial=0;
+ gfxterm=0;
+ for x in ${GRUB_TERMINAL_INPUT} ${GRUB_TERMINAL_OUTPUT}; do
diff --git a/libre/grub-crypt-git/09_parabola b/libre/grub-crypt-git/09_parabola
new file mode 100644
index 000000000..90a9062a3
--- /dev/null
+++ b/libre/grub-crypt-git/09_parabola
@@ -0,0 +1,195 @@
+#!/usr/bin/env bash
+
+##
+## grub-mkconfig helper script specific to Parabola GNU/Linux-libre
+## Contributed by "Keshav Amburay" <the ddoott ridikulus ddoott rat aatt geemmayil ddoott ccoomm>
+## Rebranded for Parabola by "André Silva" <emulatorman@parabola.nu>
+## Updated on 08 February 2014
+##
+## Script based on do_grub_config() function in Arch Archboot ISO Installer/Setup script 
+## Some parts taken from /etc/grub.d/10_linux script shipped by GRUB(2) upstream
+##
+## This script can be freely distributed and/or modified 
+## under the terms of the GNU General Public License as published by
+## the Free Software Foundation, either version 3 of the License, or
+## (at your option) any later version.
+##
+## This script is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+
+_FUNC_GRUB_FILE_PRESENT() {
+    
+    [[ -z "${GRUB_PLATFORM}" ]] && GRUB_PLATFORM="x86"
+    
+    if [[ "${GRUB_PLATFORM}" == "x86" ]]; then
+        check="--is-x86-linux32"
+    elif [[ "${GRUB_PLATFORM}" == "i386-xen-pae" ]]; then
+        check="--is-i386-xen-pae-domu"
+    elif [[ "${GRUB_PLATFORM}" == "x86_64-xen" ]]; then
+        check="--is-x86_64-xen-domu"
+    else
+        check="--is-${GRUB_PLATFORM}-linux"
+    fi
+    
+    case "${GRUB_PLATFORM}" in
+        x86)
+            list="$(for i in "${GRUB_ROOT}"/boot/vmlinuz-linux* ; do
+                        if grub_file_is_not_garbage "${i}" && "${grub_file}" ${check} "${i}" ; then echo -n "${i} " ; fi
+                    done)" ;;
+        *) 
+          list="$(for i in "${GRUB_ROOT}"/boot/vmlinuz-linux* ; do
+                      if grub_file_is_not_garbage "${i}" && "${grub_file}" ${check} "${i}" ; then echo -n "${i} " ; fi
+                  done)" ;;
+    esac
+}
+
+set -e
+
+prefix="/usr"
+exec_prefix="${prefix}"
+datarootdir="/usr/share"
+datadir="${datarootdir}"
+sysconfdir="/etc"
+
+. "${datarootdir}/grub/grub-mkconfig_lib"
+
+. "${sysconfdir}/default/grub"
+
+export TEXTDOMAIN="grub"
+export TEXTDOMAINDIR="${datarootdir}/locale"
+
+CLASS="--class parabola --class gnu-linux --class gnu --class os"
+
+[[ "${grub_file}" != "" ]] && _FUNC_GRUB_FILE_PRESENT
+
+BOOT_PART_FS_UUID="$(${grub_probe} --target="fs_uuid" "/boot" 2>/dev/null)"
+BOOT_PART_HINTS_STRING="$(${grub_probe} --target="hints_string" "/boot" 2>/dev/null || true)"
+BOOT_PART_FS="$(${grub_probe} --target="fs" "/boot" 2>/dev/null)"
+
+ROOT_PART_GRUB_DEVICE="$(${grub_probe} --target=device / || true)"
+ROOT_PART_FS="$(${grub_probe} --device ${ROOT_PART_GRUB_DEVICE} --target=fs 2> /dev/null || echo "unknown")"
+
+if [[ "${GRUB_LINUX_ROOT_DEVICE}" == "" ]]; then
+    
+    case "${ROOT_PART_FS}" in
+        btrfs)
+            rootsubvol="$(make_system_path_relative_to_its_root /)"
+            rootsubvol="${rootsubvol#/}"
+            if [[ "${rootsubvol}" != "" ]]; then
+                GRUB_LINUX_ROOT_DEVICE="subvol=${rootsubvol}"
+            fi
+        ;;
+        zfs)
+            rpool="$(${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true)"
+            bootfs="$(make_system_path_relative_to_its_root / | sed -e "s,@$,,")"
+            GRUB_LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs}"
+        ;;
+    esac
+    
+    if [[ "${GRUB_DEVICE_UUID}" == "" ]] || \
+       [[ "${GRUB_DISABLE_LINUX_UUID}" == "true" ]] || \
+       [[ ! -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" ]] || \
+       uses_abstraction "${GRUB_DEVICE}" lvm ; then
+           GRUB_LINUX_ROOT_DEVICE="${GRUB_DEVICE}"
+    else
+       GRUB_LINUX_ROOT_DEVICE="UUID=${GRUB_DEVICE_UUID}"
+    fi
+fi
+
+[[ "${GRUB_LINUX_PARAMS}" == "" ]] && GRUB_LINUX_PARAMS="${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+
+for _KERNEL_ in ${list} ; do
+    
+    echo "Found linux image: ${_KERNEL_}" >&2
+    
+    basename="$(basename "${_KERNEL_}")"
+    dirname="$(dirname "${_KERNEL_}")"
+    REAL_DIR="$(make_system_path_relative_to_its_root "${dirname}")"
+  
+    _KERNEL_FILE_="$(echo ${_KERNEL_} | sed 's,/boot/,,g')"
+    _KERNEL_PKG_="pkg-$(echo ${_KERNEL_FILE_} | sed 's,vmlinuz-,,g')"
+    
+    _INITRAMFS_="${_KERNEL_FILE_/vmlinuz-/initramfs-}.img"
+    
+    if [[ -e "/boot/${_INITRAMFS_}" ]]; then
+    
+    echo "Found initramfs image: /boot/${_INITRAMFS_}" >&2
+    
+cat << EOF
+
+menuentry "Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel" ${CLASS} {
+    $(save_default_entry)
+    if [ x\$feature_all_video_module = xy ]; then
+        insmod all_video
+    fi
+    set gfxpayload=keep
+    insmod ${BOOT_PART_FS}
+    if [ x\$feature_platform_search_hint = xy ]; then
+        search --no-floppy --fs-uuid  --set=root ${BOOT_PART_HINTS_STRING} ${BOOT_PART_FS_UUID}
+    else
+        search --no-floppy --fs-uuid  --set=root ${BOOT_PART_FS_UUID}
+    fi
+    echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel ...'
+    linux ${REAL_DIR}/${_KERNEL_FILE_} root=${GRUB_LINUX_ROOT_DEVICE} rw ${GRUB_LINUX_PARAMS}
+    echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel initramfs ...'
+    initrd ${REAL_DIR}/${_INITRAMFS_}
+}
+
+EOF
+    fi
+    
+    _INITRAMFS_FALLBACK_="${_KERNEL_FILE_/vmlinuz-/initramfs-}-fallback.img"
+    
+    if [[ -e "/boot/${_INITRAMFS_FALLBACK_}" ]]; then
+    
+    echo "Found fallback initramfs image: /boot/${_INITRAMFS_FALLBACK_}" >&2
+    
+cat << EOF
+
+menuentry "Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel (fallback initramfs)" ${CLASS} {
+    $(save_default_entry)
+    if [ x\$feature_all_video_module = xy ]; then
+        insmod all_video
+    fi
+    set gfxpayload=keep
+    insmod ${BOOT_PART_FS}
+    if [ x\$feature_platform_search_hint = xy ]; then
+        search --no-floppy --fs-uuid  --set=root ${BOOT_PART_HINTS_STRING} ${BOOT_PART_FS_UUID}
+    else
+        search --no-floppy --fs-uuid  --set=root ${BOOT_PART_FS_UUID}
+    fi
+    echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel ...'
+    linux ${REAL_DIR}/${_KERNEL_FILE_} root=${GRUB_LINUX_ROOT_DEVICE} rw ${GRUB_LINUX_PARAMS}
+    echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel fallback initramfs ...'
+    initrd ${REAL_DIR}/${_INITRAMFS_FALLBACK_}
+}
+
+EOF
+    fi
+    
+    if [[ ! -e "/boot/${_INITRAMFS_}" ]] && [[ ! -e "/boot/${_INITRAMFS_FALLBACK_}" ]]; then
+cat << EOF
+
+menuentry "Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel (no initramfs)" ${CLASS} {
+    $(save_default_entry)
+    if [ x\$feature_all_video_module = xy ]; then
+        insmod all_video
+    fi
+    set gfxpayload=keep
+    insmod ${BOOT_PART_FS}
+    if [ x\$feature_platform_search_hint = xy ]; then
+        search --no-floppy --fs-uuid  --set=root ${BOOT_PART_HINTS_STRING} ${BOOT_PART_FS_UUID}
+    else
+        search --no-floppy --fs-uuid  --set=root ${BOOT_PART_FS_UUID}
+    fi
+    echo 'Loading Parabola GNU/Linux-libre ${_KERNEL_PKG_} kernel ...'
+    linux ${REAL_DIR}/${_KERNEL_FILE_} root=${GRUB_LINUX_ROOT_DEVICE} rw ${GRUB_LINUX_PARAMS}
+}
+
+EOF
+    fi
+    
+done
diff --git a/libre/grub-crypt-git/PKGBUILD b/libre/grub-crypt-git/PKGBUILD
new file mode 100644
index 000000000..0dc41543c
--- /dev/null
+++ b/libre/grub-crypt-git/PKGBUILD
@@ -0,0 +1,873 @@
+# Maintainer (Arch): Christian Hesse <mail@eworm.de>
+# Maintainer (Arch): Ronald van Haren <ronald.archlinux.org>
+# Contributor (Arch): Tobias Powalowski <tpowa@archlinux.org>
+# Contributor (Arch): Keshav Amburay <(the ddoott ridikulus ddoott rat) (aatt) (gemmaeiil) (ddoott) (ccoomm)>
+# Maintainer (Hyperbola): André Silva <emulatorman@hyperbola.info>
+# Maintainer (Hyperbola): Márcio Silva <coadde@hyperbola.info>
+# Maintainer: Omar Vega Ramos <ovruni@gnu.org.pe>
+
+## '1' to enable Xen support, '0' to disable
+_XEN='1'
+
+## '1' to enable IA32-EFI build in Arch x86_64, '0' to disable
+_IA32_EFI_IN_ARCH_X64='1'
+
+## '1' to enable IA32-XEN build in Arch x86_64, "0" to disable
+_IA32_XEN_IN_ARCH_X64='1'
+
+## '1' to enable EMU build (x86_64 and i686 only), "0" to disable
+_GRUB_EMU_BUILD='0'
+
+_UNIFONT_VER="12.1.02"
+
+[[ "${CARCH}" = "armv7h" ]] && _EFI_ARCH="arm"
+[[ "${CARCH}" = "x86_64" ]] && _EFI_ARCH="x86_64"
+[[ "${CARCH}" = "i686" ]] && _EFI_ARCH="i386"
+
+[[ "${CARCH}" = "x86_64" ]] && _XEN_ARCH="x86_64"
+[[ "${CARCH}" = "i686" ]] && _XEN_ARCH="i386"
+
+[[ "${CARCH}" = "armv7h" ]] && _EMU_ARCH="arm"
+[[ "${CARCH}" = "x86_64" ]] && _EMU_ARCH="x86_64"
+[[ "${CARCH}" = "i686" ]] && _EMU_ARCH="i386"
+
+pkgbase='grub'
+pkgname=('grub-crypt-git')
+[[ $CARCH = armv7h ]] && pkgname+=('grub-crypt-git-am335x_bone'
+				   'grub-crypt-git-udoo'
+				   'grub-crypt-git-omap3_beagle'
+				   'grub-crypt-git-omap3_beagle_xm'
+				   'grub-crypt-git-omap3_beagle_xm_ab')
+
+# GRUB crypt are a set of patches that are available at
+# https://grub.johnlane.ie/ however as they are not upstream.
+#
+# As distributions like ubuntu used them, the patches also ended up in Trisquel.
+# The consequence is that organizations like the FSF started depending on these
+# patches in their infrastructure which results in having only  Trisquel
+# supported in the virtual machines that are provided to projects like
+# Replicant.
+#
+# To be able to use other distributions than Trisquel (like Guix or Parabola) we
+# needed such patches and upstreaming those that we needed was a saner decision
+# than maintaining ethernally these patches in every distributions we wanted to
+# use.
+#
+# As I need to test the patches anyway and that compiling and testing GRUB by
+# hand is time consuming, I ended up making a PKGBUILD to make testing faster.
+#
+# As the patches are interesting per se I added this PKGBUILD to Parabola, and
+# it will need to be replaced by a grub-git package once they land in GRUB
+# master and removed when we have a release of GRUB that incorporates the
+# patches.
+#
+# Note that not all GRUB crypt patches were sent upstream. Only the support
+# for LUKS1 detached headers and detached key files were sent.
+pkgdesc='GRUB with pending patches for detached header and key files.'
+_pkgver=2.04
+pkgver=${_pkgver/-/}
+pkgrel=2
+pkgrel+=.par1
+epoch=2
+url='https://www.gnu.org/software/grub/'
+arch=('x86_64')
+arch+=('i686' 'armv7h')
+license=('GPL3')
+backup=('etc/default/grub'
+        'etc/grub.d/40_custom')
+install="${pkgbase}.install"
+options=('!makeflags')
+
+makedepends=('git' 'rsync' 'xz' 'freetype2' 'ttf-dejavu' 'python' 'autogen'
+             'texinfo' 'help2man' 'gettext' 'device-mapper' 'fuse')
+depends=('sh' 'xz' 'gettext' 'device-mapper')
+optdepends=('freetype2: For grub-mkfont usage'
+            'fuse: For grub-mount usage')
+
+if [[ "${CARCH}" = 'x86_64' ]] && [[ "${_XEN}" = '1' ]]; then
+	makedepends+=('xen')
+fi
+
+if [[ "${_GRUB_EMU_BUILD}" = "1" ]]; then
+	makedepends+=('libusbx' 'sdl')
+fi
+
+if [[ "${CARCH}" = 'x86_64' ]] || [[ "${CARCH}" = 'i686' ]]; then
+	provides=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}")
+	conflicts=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}" 'grub-legacy' 'grub-parabola')
+	replaces=('grub-common' 'grub-bios' 'grub-emu' "grub-efi-${_EFI_ARCH}" 'grub-parabola')
+elif [[ "${CARCH}" = 'armv7h' ]]; then
+	provides=('grub-common' 'grub-emu' "grub-efi-${_EFI_ARCH}")
+	conflicts=('grub-common' 'grub-emu' "grub-efi-${_EFI_ARCH}")
+	replaces=('grub-common' 'grub-emu' "grub-efi-${_EFI_ARCH}")
+fi
+
+validpgpkeys=('E53D497F3FA42AD8C9B4D1E835A93B74E82E4209'  # Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
+              'BE5C23209ACDDACEB20DB0A28C8189F1988C2166'  # Daniel Kiper <dkiper@net-space.pl>
+              '95D2E9AB8740D8046387FD151A09227B1F435A33') #Paul Hardy
+
+source=("git+https://git.savannah.gnu.org/git/grub.git"
+        "git+https://git.savannah.gnu.org/git/grub-extras.git"
+        "git+https://git.savannah.gnu.org/git/gnulib.git"
+        "https://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz"{,.sig}
+        '0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch'
+        '0004-add-GRUB_COLOR_variables.patch'
+        'grub.default'
+        '0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch'
+        '0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch'
+        '0003-10_linux-20_linux_xen-detect-omap3_beagle_xm-devicetree-file.patch'
+        '0003-10_linux-20_linux_xen-detect-omap3_beagle_xm_ab-devicetree-file.patch'
+        '0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch'
+        '0003-10_linux-20_linux_xen-rebrand-free-distros.patch'
+        'v6-0001-cryptodisk-luks-unify-grub_cryptodisk_dev-functio.patch'
+        'v6-0002-cryptodisk-geli-unify-grub_cryptodisk_dev-functio.patch'
+        'v6-0003-cryptodisk-enable-the-backends-to-implement-detac.patch'
+        'v6-0004-cryptodisk-add-support-for-LUKS1-detached-headers.patch'
+        'v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch'
+        'v6-0006-cryptodisk-Add-support-for-LUKS1-key-files.patch')
+
+sha256sums=('SKIP'
+            'SKIP'
+            'SKIP'
+            '04d652be1e28a6d464965c75c71ac84633085cd0960c2687466651c34c94bd89'
+            'SKIP'
+            '3f68a78ecba0284b9d39af60431236cb2ebc8547d3dc1fb26a1ac7a6b9afbbc7'
+            'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29'
+            'c700a3a2e0bdb47620a78b454aaa4bbf52989102eb47b08672240192e91b2a57'
+            '9ece1db537a989ce4dc55ece471883e19b8ab16902f8c4feb68436c3b5700f71'
+            'de71452b9b0fbfb08ea742e9fa217ab34fddf6312452f155fb9d82ebf1c024a5'
+            '222da944b4af43a1d86be0e3d91f2e1a82324fa51c7ad36cc25246ffa3739ab1'
+            '9002c69e74143553ef8cdd32ca04e8bdcb7a1a0ba1c4564163bae061fe68d855'
+            '6584a0dda9dbf6d70dbdfba619abbb628b1a092bd61d6d05e462d6771354223b'
+            '7374137d183957ec8834ce749163c9fa98ff8ee61bbb74b0b38e29daf93857a4'
+            'SKIP'
+            'SKIP'
+            'SKIP'
+            'SKIP'
+            'SKIP'
+            'SKIP')
+
+_backports=(
+)
+
+_configure_options=(
+	FREETYPE="pkg-config freetype2"
+	--enable-mm-debug
+	--enable-nls
+	--enable-device-mapper
+	--enable-cache-stats
+	--enable-grub-mkfont
+	--enable-grub-mount
+	--prefix="/usr"
+	--bindir="/usr/bin"
+	--sbindir="/usr/bin"
+	--mandir="/usr/share/man"
+	--infodir="/usr/share/info"
+	--datarootdir="/usr/share"
+	--sysconfdir="/etc"
+	--program-prefix=""
+	--with-bootdir="/boot"
+	--with-grubdir="grub"
+	--disable-silent-rules
+	--disable-werror
+)
+
+prepare() {
+	cd "${srcdir}/grub/"
+
+	echo "Apply backports..."
+	local _c
+	for _c in "${_backports[@]}"; do
+		git log --oneline -1 "${_c}"
+		git cherry-pick -n "${_c}"
+	done
+
+	echo "Patch to detect of Parabola GNU/Linux-libre initramfs images by grub-mkconfig..."
+	patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-parabola-initramfs.patch"
+
+	echo "Patch to enable GRUB_COLOR_* variables in grub-mkconfig..."
+	## Based on http://lists.gnu.org/archive/html/grub-devel/2012-02/msg00021.html
+	patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch"
+
+	echo "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme..."
+	sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"
+
+	echo "Rebranding for some free distros..."
+	patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-rebrand-free-distros.patch"
+
+	echo "Fix mkinitcpio 'rw' FS#36275..."
+	sed 's| ro | rw |g' -i "util/grub.d/10_linux.in"
+
+	echo "Pull in latest language files..."
+	./linguas.sh
+
+	echo "Remove not working langs which need LC_ALL=C.UTF-8..."
+	sed -e 's#en@cyrillic en@greek##g' -i "po/LINGUAS"
+
+	echo "Avoid problem with unifont during compile of grub..."
+        # http://savannah.gnu.org/bugs/?40330 and https://bugs.archlinux.org/task/37847
+	gzip -cd "${srcdir}/unifont-${_UNIFONT_VER}.bdf.gz" > "unifont.bdf"
+
+	echo "Add the grub-extra sources for BIOS build..."
+	install -d "grub-extras"
+	cp -r "${srcdir}/grub-extras/915resolution" \
+		"grub-extras/915resolution"
+	export GRUB_CONTRIB="${srcdir}/grub/grub-extras/"
+}
+
+_build_grub-efi() {
+	echo "Copy the source for building the ${_EFI_ARCH} EFI part..."
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-efi-${_EFI_ARCH}/"
+	cd "${srcdir}/grub-efi-${_EFI_ARCH}/"
+
+	echo "Unset all compiler FLAGS for ${_EFI_ARCH} EFI build..."
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo "Run bootstrap for ${_EFI_ARCH} EFI build..."
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo "Run ./configure for ${_EFI_ARCH} EFI build..."
+	./configure \
+		--with-platform="efi" \
+		--target="${_EFI_ARCH}" \
+		--disable-efiemu \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo "Run make for ${_EFI_ARCH} EFI build..."
+	make
+}
+
+_build_grub-xen() {
+	echo "Copy the source for building the ${_XEN_ARCH} XEN part..."
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-xen-${_XEN_ARCH}/"
+	cd "${srcdir}/grub-xen-${_XEN_ARCH}/"
+
+	echo "Unset all compiler FLAGS for ${_XEN_ARCH} XEN build..."
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo "Run bootstrap for ${_XEN_ARCH} XEN build..."
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo "Run ./configure for ${_XEN_ARCH} XEN build..."
+	./configure \
+		--with-platform='xen' \
+		--target="${_XEN_ARCH}" \
+		--disable-efiemu \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo "Run make for ${_XEN_ARCH} XEN build..."
+	make
+}
+
+_build_grub-bios() {
+	echo 'Set ARCH dependent variables for BIOS build...'
+	if [[ "${CARCH}" = 'x86_64' ]]; then
+		_EFIEMU='--enable-efiemu'
+	else
+		_EFIEMU='--disable-efiemu'
+	fi
+
+	echo 'Copy the source for building the BIOS part...'
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-bios/"
+	cd "${srcdir}/grub-bios/"
+
+	echo 'Unset all compiler FLAGS for BIOS build...'
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo 'Run bootstrap for BIOS build...'
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo 'Run ./configure for BIOS build...'
+	./configure \
+		--with-platform='pc' \
+		--target='i386' \
+		"${_EFIEMU}" \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo 'Run make for BIOS build...'
+	make
+}
+
+_build_grub-qemu() {
+	echo 'Copy the source for building the QEMU part...'
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-qemu/"
+	cd "${srcdir}/grub-qemu/"
+
+	echo 'Unset all compiler FLAGS for QEMU build...'
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo 'Run bootstrap for QEMU build...'
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo 'Run ./configure for QEMU build...'
+	./configure \
+		BUILD_FREETYPE="pkg-config freetype2" \
+		--with-platform='qemu' \
+		--target='i386' \
+		--disable-efiemu \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo 'Run make for QEMU build...'
+	make
+}
+
+_build_grub-ieee1275() {
+	echo 'Copy the source for building the IEEE1275 (OpenFirmware) part...'
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-ieee1275/"
+	cd "${srcdir}/grub-ieee1275/"
+
+	echo 'Unset all compiler FLAGS for IEEE1275 (OpenFirmware) build...'
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo 'Run bootstrap for IEEE1275 (OpenFirmware) build...'
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo 'Run ./configure for IEEE1275 (OpenFirmware) build...'
+	./configure \
+		--with-platform='ieee1275' \
+		--target='i386' \
+		--disable-efiemu \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo 'Run make for IEEE1275 (OpenFirmware) build...'
+	make
+}
+
+_build_grub-libreboot() {
+	echo 'Copy the source for building the Libreboot part...'
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-libreboot/"
+	cd "${srcdir}/grub-libreboot/"
+
+	echo 'Unset all compiler FLAGS for Libreboot build...'
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo 'Run bootstrap for Libreboot build...'
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo 'Run ./configure for Libreboot build...'
+	./configure \
+		BUILD_FREETYPE="pkg-config freetype2" \
+		--with-platform='coreboot' \
+		--target='i386' \
+		--disable-efiemu \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo 'Run make for Libreboot build...'
+	make
+}
+
+_build_grub-multiboot() {
+	echo 'Copy the source for building the Multiboot part...'
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-multiboot/"
+	cd "${srcdir}/grub-multiboot/"
+
+	echo 'Unset all compiler FLAGS for Multiboot build...'
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo 'Run bootstrap for Multiboot build...'
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo 'Run ./configure for Multiboot build...'
+	./configure \
+		--with-platform='multiboot' \
+		--target='i386' \
+		--disable-efiemu \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo 'Run make for Multiboot build...'
+	make
+}
+
+_build_grub-emu() {
+	echo 'Copy the source for building the emu part...'
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-emu/"
+	cd "${srcdir}/grub-emu/"
+
+	echo 'Unset all compiler FLAGS for emu build...'
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	echo 'Run bootstrap for emu build...'
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo 'Run ./configure for emu build...'
+	./configure \
+		--with-platform='emu' \
+		--target="${_EMU_ARCH}" \
+		--enable-grub-emu-usb=no \
+		--enable-grub-emu-sdl=no \
+		--disable-grub-emu-pci \
+		"${_configure_options[@]}"
+
+	echo 'Run make for emu build...'
+	make
+}
+
+_build_grub-uboot() {
+	echo "Copy the source for building the U-Boot part..."
+	cp -r "${srcdir}/grub/" "${srcdir}/grub-uboot/"
+	cd "${srcdir}/grub-uboot/"
+
+	echo 'Unset all compiler FLAGS for U-Boot build...'
+	unset CFLAGS
+	unset CPPFLAGS
+	unset CXXFLAGS
+	unset LDFLAGS
+	unset MAKEFLAGS
+
+	#sed -i '\|grub_arm_disable_caches_mmu|,+4 d
+	#       ' grub-core/loader/arm/linux.c
+
+	echo 'Run bootstrap for U-Boot build...'
+	./bootstrap \
+		--gnulib-srcdir="${srcdir}/gnulib/" \
+		--no-git
+
+	echo 'Run ./configure for U-Boot build...'
+	./configure \
+		--with-platform='uboot' \
+		--target='arm' \
+		--disable-efiemu \
+		--enable-boot-time \
+		"${_configure_options[@]}"
+
+	echo 'Run make for U-Boot build...'
+	make
+}
+
+build() {
+	cd "${srcdir}/grub/"
+
+	if [[ "${CARCH}" = 'x86_64' ]] || [[ "${CARCH}" = 'i686' ]] || [[ "${CARCH}" = 'armv7h' ]]; then
+		echo "Build grub ${_EFI_ARCH} EFI stuff..."
+		_build_grub-efi
+
+		if [[ "${CARCH}" = 'x86_64' ]] && [[ "${_IA32_EFI_IN_ARCH_X64}" = '1' ]]; then
+			echo 'Build grub i386 EFI stuff...'
+			_EFI_ARCH='i386' _build_grub-efi
+		fi
+	fi
+
+	if [[ "${CARCH}" = 'x86_64' ]] || [[ "${CARCH}" = 'i686' ]]; then
+		if [[ "${_XEN}" = '1' ]]; then
+			echo "Build grub ${_XEN_ARCH} XEN stuff..."
+			_build_grub-xen
+
+			if [[ "${_IA32_XEN_IN_ARCH_X64}" = '1' ]]; then
+				echo 'Build grub i386 XEN stuff...'
+				_XEN_ARCH='i386' _build_grub-xen
+			fi
+		fi
+
+		echo 'Build grub BIOS stuff...'
+		_build_grub-bios
+
+		echo 'Build grub QEMU stuff...'
+		_build_grub-qemu
+
+		echo 'Build grub IEEE1275 (OpenFirmware) stuff...'
+		_build_grub-ieee1275
+
+		echo 'Build grub Libreboot stuff...'
+		_build_grub-libreboot
+
+		echo 'Build grub Multiboot stuff...'
+		_build_grub-multiboot
+	elif [[ "${CARCH}" = 'armv7h' ]]; then
+		echo 'Build grub U-Boot stuff...'
+		_build_grub-uboot
+	fi
+
+	if [[ "${_GRUB_EMU_BUILD}" = '1' ]]; then
+		echo 'Build grub emu stuff...'
+		_build_grub-emu
+	fi
+}
+
+_package_grub-crypt-git-efi() {
+	cd "${srcdir}/grub-efi-${_EFI_ARCH}/"
+
+	echo "Run make install for ${_EFI_ARCH} EFI build..."
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo "Remove gdb debugging related files for ${_EFI_ARCH} EFI build..."
+	rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/${_EFI_ARCH}-efi"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-xen() {
+	cd "${srcdir}/grub-xen-${_XEN_ARCH}/"
+
+	echo "Run make install for ${_XEN_ARCH} XEN build..."
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo "Remove gdb debugging related files for ${_XEN_ARCH} XEN build..."
+	rm -f "${pkgdir}/usr/lib/grub/${_XEN_ARCH}-xen"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/${_XEN_ARCH}-xen"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/${_XEN_ARCH}-xen"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-bios() {
+	cd "${srcdir}/grub-bios/"
+
+	echo 'Run make install for BIOS build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for BIOS build...'
+	rm -f "${pkgdir}/usr/lib/grub/i386-pc"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-pc"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-pc"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-qemu() {
+	cd "${srcdir}/grub-qemu/"
+
+	echo 'Run make install for QEMU build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for QEMU build...'
+	rm -f "${pkgdir}/usr/lib/grub/i386-qemu"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-qemu"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-qemu"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-ieee1275() {
+	cd "${srcdir}/grub-ieee1275/"
+
+	echo 'Run make install for IEEE1275 (OpenFirmware) build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for IEEE1275 (OpenFirmware) build...'
+	rm -f "${pkgdir}/usr/lib/grub/i386-ieee1275"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-ieee1275"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-ieee1275"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-libreboot() {
+	cd "${srcdir}/grub-libreboot/"
+
+	echo 'Run make install for Libreboot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for Libreboot build...'
+	rm -f "${pkgdir}/usr/lib/grub/i386-coreboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-coreboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-coreboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-multiboot() {
+	cd "${srcdir}/grub-multiboot/"
+
+	echo 'Run make install for Multiboot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for Multiboot build...'
+	rm -f "${pkgdir}/usr/lib/grub/i386-multiboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-multiboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/i386-multiboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-emu() {
+	cd "${srcdir}/grub-emu/"
+
+	echo 'Run make install for emu build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for emu build...'
+	rm -f "${pkgdir}/usr/lib/grub/${_EMU_ARCH}-emu"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/${_EMU_ARCH}-emu"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/${_EMU_ARCH}-emu"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+_package_grub-crypt-git-uboot() {
+	cd "${srcdir}/grub-uboot/"
+
+	echo 'Run make install for U-Boot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for U-Boot build...'
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+}
+
+package_grub-crypt-git() {
+	optdepends+=('dosfstools: For grub-mkrescue FAT FS and EFI support'
+	             'efibootmgr: For grub-install EFI support'
+	             'libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue'
+	             'os-prober: To detect other OSes when generating grub.cfg in BIOS systems'
+	             'mtools: For grub-mkrescue FAT FS support')
+
+	if [[ "${_GRUB_EMU_BUILD}" = '1' ]]; then
+		optdepends+=('libusbx: For grub-emu USB support'
+		             'sdl: For grub-emu SDL support')
+	fi
+
+	cd "${srcdir}/grub/"
+
+	if [[ "${CARCH}" = 'x86_64' ]] || [[ "${CARCH}" = 'i686' ]] || [[ "${CARCH}" = 'armv7h' ]]; then	
+		echo "Package grub ${_EFI_ARCH} EFI stuff..."
+		_package_grub-efi
+
+		if [[ "${CARCH}" = 'x86_64' ]] && [[ "${_IA32_EFI_IN_ARCH_X64}" = '1' ]]; then
+			echo 'Package grub i386 EFI stuff...'
+			_EFI_ARCH='i386' _package_grub-efi
+		fi
+	fi
+
+	if [[ "${CARCH}" = 'x86_64' ]] || [[ "${CARCH}" = 'i686' ]]; then
+		if [[ "${_XEN}" = '1' ]]; then
+			echo "Package grub ${_XEN_ARCH} XEN stuff..."
+			_package_grub-xen
+
+			if [[ "${_IA32_XEN_IN_ARCH_X64}" = '1' ]]; then
+				echo 'Package grub i386 XEN stuff...'
+				_XEN_ARCH='i386' _package_grub-xen
+			fi
+		fi
+
+		echo 'Package grub BIOS stuff...'
+		_package_grub-bios
+
+		echo 'Package grub QEMU stuff...'
+		_package_grub-qemu
+
+		echo 'Package grub IEEE1275 (OpenFirmware) stuff...'
+		_package_grub-ieee1275
+
+		echo 'Package grub Libreboot stuff...'
+		_package_grub-libreboot
+
+		echo 'Package grub Multiboot stuff...'
+		_package_grub-multiboot
+	elif [[ "${CARCH}" = 'armv7h' ]]; then
+		echo 'Package grub U-Boot stuff...'
+		_package_grub-uboot
+	fi
+
+	if [[ "${_GRUB_EMU_BUILD}" = '1' ]]; then
+		echo 'Package grub emu stuff...'
+		_package_grub-emu
+	fi
+
+	echo 'Install /etc/default/grub (used by grub-mkconfig)...'
+	install -D -m0644 "${srcdir}/grub.default" "${pkgdir}/etc/default/grub"
+}
+
+package_grub-crypt-git-am335x_bone() {
+	pkgdesc='GNU GRand Unified Bootloader (2) for BeagleBone and BeagleBone Black (am335x-bone), (Parabola rebranded)'
+	optdepends+=('dosfstools: For grub-mkrescue FAT FS'
+	             'os-prober: To detect other OSes when generating grub.cfg in BIOS systems'
+	             'mtools: For grub-mkrescue FAT FS support')
+
+	echo "Copy the source for packaging the U-Boot (am335x-bone) part..."
+	cp -r "${srcdir}/grub-uboot/" "${srcdir}/grub-uboot_am335x-bone/"
+	cd "${srcdir}/grub-uboot_am335x-bone/"
+
+	echo 'Patch to detect am335x-bone device tree blob file (dtb)...'
+	patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch"
+
+	echo 'Package grub U-Boot stuff...'
+	## _package_grub-uboot
+
+	echo 'Run make install for U-Boot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for U-Boot build...'
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+
+	echo 'Install /etc/default/grub (used by grub-mkconfig)...'
+	install -D -m0644 "${srcdir}/grub.default" "${pkgdir}/etc/default/grub"
+
+	## echo 'Patch to detect am335x-bone device tree blob file (dtb)...'
+	## cd "${pkgdir}/etc/grub.d/"
+	## patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-am335x_bone+am335x_boneblack-devicetree-file.patch"
+}
+
+package_grub-crypt-git-omap3_beagle() {
+	pkgdesc='GNU GRand Unified Bootloader (2) for BeagleBoard (omap3_beagle), (Parabola rebranded)'
+	provides+=('grub-beagleboard')
+	optdepends+=('dosfstools: For grub-mkrescue FAT FS'
+	             'os-prober: To detect other OSes when generating grub.cfg in BIOS systems'
+	             'mtools: For grub-mkrescue FAT FS support')
+
+	echo "Copy the source for packaging the U-Boot (omap3_beagle) part..."
+	cp -r "${srcdir}/grub-uboot/" "${srcdir}/grub-uboot_omap3_beagle/"
+	cd "${srcdir}/grub-uboot_omap3_beagle/"
+
+	echo 'Patch to detect omap3_beagle device tree blob file (dtb)...'
+	patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch"
+
+	echo 'Package grub U-Boot stuff...'
+	## _package_grub-uboot
+
+	echo 'Run make install for U-Boot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for U-Boot build...'
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+
+	echo 'Install /etc/default/grub (used by grub-mkconfig)...'
+	install -D -m0644 "${srcdir}/grub.default" "${pkgdir}/etc/default/grub"
+
+	## echo 'Patch to detect omap3_beagle device tree blob file (dtb)...'
+	## cd "${pkgdir}/etc/grub.d/"
+	## patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-omap3_beagle-devicetree-file.patch"
+}
+
+package_grub-crypt-git-omap3_beagle_xm() {
+	pkgdesc='GNU GRand Unified Bootloader (2) for BeagleBoard-xM (omap3_beagle_xm), (Parabola rebranded)'
+	provides+=('grub-beagleboard')
+	optdepends+=('dosfstools: For grub-mkrescue FAT FS'
+	             'os-prober: To detect other OSes when generating grub.cfg in BIOS systems'
+	             'mtools: For grub-mkrescue FAT FS support')
+
+	echo "Copy the source for packaging the U-Boot (omap3_beagle_xm) part..."
+	cp -r "${srcdir}/grub-uboot/" "${srcdir}/grub-uboot_omap3_beagle_xm/"
+	cd "${srcdir}/grub-uboot_omap3_beagle_xm/"
+
+	echo 'Patch to detect omap3_beagle_xm device tree blob file (dtb)...'
+	patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm-devicetree-file.patch"
+
+	echo 'Package grub U-Boot stuff...'
+	## _package_grub-uboot
+
+	echo 'Run make install for U-Boot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for U-Boot build...'
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+
+	echo 'Install /etc/default/grub (used by grub-mkconfig)...'
+	install -D -m0644 "${srcdir}/grub.default" "${pkgdir}/etc/default/grub"
+
+	## echo 'Patch to detect omap3_beagle_xm device tree blob file (dtb)...'
+	## cd "${pkgdir}/etc/grub.d/"
+	## patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm-devicetree-file.patch"
+}
+
+package_grub-crypt-git-omap3_beagle_xm_ab() {
+	pkgdesc='GNU GRand Unified Bootloader (2) for BeagleBoard-xM rev A/B (omap3_beagle_xm_ab), (Parabola rebranded)'
+	provides+=('grub-beagleboard')
+	optdepends+=('dosfstools: For grub-mkrescue FAT FS'
+	             'os-prober: To detect other OSes when generating grub.cfg in BIOS systems'
+	             'mtools: For grub-mkrescue FAT FS support')
+
+	echo "Copy the source for packaging the U-Boot (omap3_beagle_xm_ab) part..."
+	cp -r "${srcdir}/grub-uboot/" "${srcdir}/grub-uboot_omap3_beagle_xm_ab/"
+	cd "${srcdir}/grub-uboot_omap3_beagle_xm_ab/"
+
+	echo 'Patch to detect omap3_beagle_xm_ab device tree blob file (dtb)...'
+	patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm_ab-devicetree-file.patch"
+
+	echo 'Package grub U-Boot stuff...'
+	## _package_grub-uboot
+
+	echo 'Run make install for U-Boot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for U-Boot build...'
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+
+	echo 'Install /etc/default/grub (used by grub-mkconfig)...'
+	install -D -m0644 "${srcdir}/grub.default" "${pkgdir}/etc/default/grub"
+
+	## echo 'Patch to detect omap3_beagle_xm_ab device tree blob file (dtb)...'
+	## cd "${pkgdir}/etc/grub.d/"
+	## patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-omap3_beagle_xm_ab-devicetree-file.patch"
+}
+
+package_grub-crypt-git-udoo() {
+	pkgdesc='GNU GRand Unified Bootloader (2) for UDOO (udoo), (Parabola rebranded)'
+	optdepends+=('dosfstools: For grub-mkrescue FAT FS'
+	             'os-prober: To detect other OSes when generating grub.cfg in BIOS systems'
+	             'mtools: For grub-mkrescue FAT FS support')
+
+	echo "Copy the source for packaging the U-Boot (udoo) part..."
+	cp -r "${srcdir}/grub-uboot/" "${srcdir}/grub-uboot_udoo/"
+	cd "${srcdir}/grub-uboot_udoo/"
+
+	echo 'Patch to detect udoo device tree blob file (dtb)...'
+	patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch"
+
+	echo 'Package grub U-Boot stuff...'
+	## _package_grub-uboot
+
+	echo 'Run make install for U-Boot build...'
+	make DESTDIR="${pkgdir}/" bashcompletiondir="/usr/share/bash-completion/completions" install
+
+	echo 'Remove gdb debugging related files for U-Boot build...'
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.module || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/*.image || true
+	rm -f "${pkgdir}/usr/lib/grub/arm-uboot"/{kernel.exec,gdb_grub,gmodule.pl} || true
+
+	echo 'Install /etc/default/grub (used by grub-mkconfig)...'
+	install -D -m0644 "${srcdir}/grub.default" "${pkgdir}/etc/default/grub"
+
+	## echo 'Patch to detect udoo device tree blob file (dtb)...'
+	## cd "${pkgdir}/etc/grub.d/"
+	## patch -Np1 -i "${srcdir}/0003-10_linux-20_linux_xen-detect-udoo-devicetree-file.patch"
+}
diff --git a/libre/grub-crypt-git/arm-extra b/libre/grub-crypt-git/arm-extra
new file mode 100644
index 000000000..87d4aa8f6
--- /dev/null
+++ b/libre/grub-crypt-git/arm-extra
@@ -0,0 +1,333 @@
+### ARM_UBOOT - loadaddr ###
+# 0x00007fc0   - versatile[versatile_ab/versatile_pb]
+# 0x00100000   - snowball/u8500_href
+# 0x00800000   - dns325/highbank/wireless_space
+# 0x02000000   - zynq[zynq_microzed/zynq_picozed/zynq_zc702/zynq_zc706/zynq_zc70x/zynq_zc770[zynq_zc770_xm010/zynq_zc770_xm012/zynq_zc770_xm013]/zynq_zed/zynq_zybo]
+# 0x08000000   - grub
+# 0x10800000   - cm_fx6
+# 0x12000000   - aristainetos[aristainetos/aristainetos2]/mx6[mx6slevk/mx6sxsabresd]
+# 0x40007000   - origen
+# 0x43e00000   - origen
+# 0x60008000   - vexpress_ca9x4
+# 0x70800000   - ima3-mx53/mx53evk/mx53smd
+# 0x72000000   - mx53ard/mx53loco
+# 0x80000000   - am335x_bur[kwb/tseries]/am3517[am3517_crane/am3517_evm]/mcx
+# 0x80007fc0   - am335x_ti[pcm051]
+# 0x80008000   - vexpress_ca9x4/vexpress[vexpress_ca15_tc2/vexpress_ca5x2](extended-mem)
+# 0x80100000   - am335x_bur[kwb]/ls2085a[ls2085a_emu/ls2085a_simu/ls2085aqds/ls2085ardb]
+# 0x80200000   - am335x_bur[tseries]/am335x_ti[am335x_evm/omap3_beagle/pengwyn]/ti814x_evm
+# 0x80800000   - * flea3/mx31ads/mx35pdk/qong/woodburn/woodburn_sd
+# 0x81000000   - ti814x_evm * mx25pdk/omap3_logic/ti816x_evm/tx25
+# 0x82000000   - am335x_ti[am335x_evm/omap3_beagle/pcm051/pengwyn]/am3517[am3517_crane/am3517_evm]/mcx
+#               /mx6[gw_ventana[gwventana]/mx6cuboxi/mx6qarm2[mx6dlarm2]/mx6qsabreauto[mx6dlsabreauto]/mx6sabresd[mx6dlsabresd/mx6qsabresd]]
+#               /omap3_ti[devkit8000]
+# *              bav335x/cm_t335/cm_t3517/dig297/omap3_evm/omap3_igep00x0/omap3_mvblx/omap3_sdp3430/omap3_zoom1/tao3530
+# 0x84000000   - am335x_baltos
+# 0x90000000   - vexpress64_base[vexpress_aemv8a_semi]/vexpress64_juno[vexpress_aemv8a_juno]
+# 0x90000000UL - ls2085a[ls2085a_emu/ls2085a_simu/ls2085aqds/ls2085ardb]
+# 0x90800000   - vision2
+# 0x92000000   - mx51evk
+# 0xa0008000   - vexpress[vexpress_ca15_tc2/vexpress_ca5x2](extended-mem)
+# 0xa0800000   - imx27lite
+# 0xc0000014   - davinci[ea20]
+# 0xc0700000   - davinci[ea20]
+# 0x12000000   - udoo_dl udoo_quad
+
+# alt
+# am335x_igep0033
+# am43xx_evm
+# apalis_t30
+# apf27
+# apx4devkit
+# armadillo-800eva
+# arndale
+# aspenite
+# at91rm9200ek
+# at91sam9260ek at91sam9g20ek/at91sam9xeek
+# at91sam9261ek at91sam9g10ek
+# at91sam9263ek
+# at91sam9m10g45ek
+# at91sam9n12ek
+# at91sam9rlek
+# at91sam9x5ek
+# balloon3
+# bav335x birdland_bav335a/birdland_bav335b
+# bcm28155_ap bcm11130/bcm28155_w1d
+# bcmcygnus bcm911360/bcm911360k/bcm958300k/bcm958305k
+# bcmnsp bcm958622hr
+# beagle_x15
+# beaver
+# bg0900
+# calimain
+# cam_enc_4xx
+# cardhu
+# cgtqmx6eval cgtqmx6qeval
+# cm_t335
+# cm_t3517
+# cm_t35
+# cm_t54
+# colibri_pxa270
+# colibri_t20
+# colibri_t30
+# colibri_vf
+# corvus
+# cpu9260 cpu9G20
+# cpuat91
+# da830evm
+# da850evm da850_am18xxevm
+# dalmore
+# davinci_dm355evm
+# davinci_dm355leopard
+# davinci_dm365evm
+# davinci_dm6467evm davinci_dm6467Tevm
+# davinci_dvevm
+# davinci_schmoogie
+# davinci_sffsdr
+# davinci_sonata
+# db-88f6820-gp
+# db-mv784mp-gp
+# devkit3250
+# devkit8000
+# dig297
+# dockstar
+# dra7xx_evm
+# draco
+# dreamplug
+# duovero
+# eb_cpux9k2
+# eco5pk
+# edb93xx edb9315a
+# edminiv2
+# embestmx6boards marsboard/riotboard
+# enbw_cmc
+# ethernut5
+# flea3
+# goflexhome
+# gose
+# gplugd
+# guruplug
+# h2200
+# harmony
+# ib62x0
+# iconnect
+# imx27lite
+# imx31_litekit
+# imx31_phycore
+# integrator_ap integratorap_cm720t/integratorap_cm920t/integratorap_cm926ej_s/integratorap_cm946es
+# integrator_cp integratorcp_cm1136/integratorcp_cm920t/integratorcp_cm926ej_s/integratorcp_cm946es
+# ipam390
+# jetson-tk1
+# jornada
+# k2e_evm
+# k2hk_evm
+# k2l_evm
+# km_kirkwood kmcoge5un/kmnusa/kmsugp1/kmsuv31/mgcoge3un/portl2
+# koelsch
+# kosagi_novena novena
+# kzm9g
+# lager
+# lp8x4x
+# ls1021aqds
+# ls1021atwr
+# lsxl lschlv2/lsxhl
+# magnesium
+# maxbcm
+# mcx
+# medcom-wide
+# meesc
+# m28evk
+# m53evk
+# mt_ventoux
+# mv88f6281gtw_ge
+# mx23_olinuxino
+# mx23evk
+# mx25pdk
+# mx28evk
+# mx31ads
+# mx31pdk
+# mx35pdk
+# mx51_efikamx mx51_efikasb
+# mx51evk
+# nas220
+# net2big_v2 d2net_v2
+# netspace_v2 inetspace_v2/netspace_lite_v2/netspace_max_v2/netspace_mini_v2
+# nitrogen6x mx6qsabrelite/nitrogen6dl2g/nitrogen6dl/nitrogen6q2g/nitrogen6q/nitrogen6s1g/nitrogen6s
+# nokia_rx51
+# nomadik_nhk8815
+# nyan-big
+# odroid
+# odroid-xu3
+# omap3_cairo cairo
+# omap3_evm
+# omap3_evm_quick
+# omap3_igep00x0 igep0020/igep0030/igep0032
+# omap3_logic
+# omap3_mvblx
+# omap3_overo
+# omap3_pandora
+# omap3_sdp3430
+# omap3_zoom1
+# omap4_panda
+# omap4_sdp4430
+# omap5_uevm
+# omapl138_lcdk
+# openrd
+# origen
+# ot1200
+# otc570
+# palmld
+# palmtreo680
+# paz00
+# peach-pi
+# peach-pit
+# pengwyn
+# pepper
+# platinum_picon
+# platinum_titanium
+# plutux
+# pm9261
+# pm9263
+# pm9g45
+# pogo_e02
+# porter
+# pxa255_idp
+# pxm2
+# qong
+# rastaban
+# rd6281a
+# rpi_2
+# rpi
+# rut
+# s5p_goni
+# s5pc210_universal
+# sama5d3_xplained
+# sama5d3xek
+# sama5d4_xplained
+# sama5d4ek
+# sansa_fuze_plus
+# sc_sps_1
+# scb9328
+# seaboard
+# secomx6 secomx6quq7
+# sheevaplug
+# silk
+# smdk2410
+# smdk5250
+# smdk5420
+# smdkc100
+# smdkv310
+# snapper9260 snapper9g20
+# snow
+# socfpga_arria5
+# socfpga_cyclone5 socfpga_socrates
+# spear300
+# spear310
+# spear320
+# spear600
+# stamp9g20 portuxg20
+# stm32f429-discovery
+# stv0991
+# sun4i-a10-a1000(mele)
+# sun4i-a10-ba10-tvbox
+# sun4i-a10-chuwi-v7-cw0825
+# sun4i-a10-cubieboard
+# sun4i-a10-gemei-g9
+# sun4i-a10-hyundai-a7hd
+# sun4i-a10-inet-3f
+# sun4i-a10-inet-3w
+# sun4i-a10-jesurun-q5
+# sun4i-a10-marsboard
+# sun4i-a10-mini-xplus
+# sun4i-a10-mk802
+# sun4i-a10-mk802ii
+# sun4i-a10-olinuxino-lime
+# sun4i-a10-pcduino
+# sun5i-a10s-auxtek-t004
+# sun5i-a10s-mk802
+# sun5i-a10s-olinuxino-micro
+# sun5i-a10s-r7-tv-dongle
+# sun5i-a13-ampe-a76
+# sun5i-a13-forfun-q88db
+# sun5i-a13-inet-86vs
+# sun5i-a13-olinuxino
+# sun5i-a13-olinuxino-micro
+# sun5i-a13-tzx-q8-713b7
+# sun5i-a13-utoo-p66
+# sun6i-a31-colombus
+# sun6i-a31-hummingbird
+# sun6i-a31-i7(mele)
+# sun6i-a31-m9(mele)
+# sun6i-a31-mele-a1000g-quad
+# sun6i-a31-mixtile-loftq
+# sun6i-a31s-cs908
+# sun6i-a31s-primo81(msi)
+# sun7i-a20-ainol-aw1
+# sun7i-a20-bananapi
+# sun7i-a20-bananapro
+# sun7i-a20-cubieboard2
+# sun7i-a20-cubietruck
+# sun7i-a20-i12-tvbox
+# sun7i-a20-m3(mele)
+# sun7i-a20-m5(mele)
+# sun7i-a20-mk808c
+# sun7i-a20-olinuxino-lime
+# sun7i-a20-olinuxino-lime2
+# sun7i-a20-olinuxino-micro
+# sun7i-a20-orangepi
+# sun7i-a20-orangepi-mini
+# sun7i-a20-pcduino3
+# sun7i-a20-pcduino3-nano
+# sun7i-a20-primo73(msi)
+# sun7i-a20-wexler-tab7200
+# sun7i-a20-wits-pro-a20-dkt
+# sun7i-a20-yones-toptech-bd1078
+# sun8i-a23-ippo-q8h-v1.2
+# sun8i-a23-ippo-q8h-v5
+# sun8i-a33-et-q8-v1.6
+# sun8i-a33-ga10h-v1.1
+# sun8i-a33-ippo-q8h-v1.2
+# sun8i-a33-sinlinx-sina33
+# sun9i-a80-optimus(merri)
+# tao3530 omap3_ha
+# taurus axm
+# tbs2910
+# tec
+# tec-ng
+# thuban
+# ti814x_evm
+# ti816x_evm
+# titanium
+# tk71
+# tqma6 tqma6q_mba6/tqma6s_mba6
+# trats
+# trats2
+# tricorder
+# trimslice
+# trizepsiv polaris
+# tseries
+# tt01
+# twister
+# tx25
+# uniphier-ph1-ld4-ref
+# uniphier-ph1-pro4-ref
+# uniphier-ph1-sld8-ref
+# usb_a9263
+# usbarmory
+# VCMA9
+# venice2
+# ventana
+# vf610twr
+# vl_ma2sc
+# vpac270
+# wandboard
+# warp
+# whistler
+# woodburn
+# woodburn_sd
+# work_92105
+# x600
+# xaeniax
+# xfi3
+# xilinx_zynqmp
+# zipitz2
+# zmx25
diff --git a/libre/grub-crypt-git/grub.default b/libre/grub-crypt-git/grub.default
new file mode 100644
index 000000000..c3e010419
--- /dev/null
+++ b/libre/grub-crypt-git/grub.default
@@ -0,0 +1,57 @@
+# GRUB boot loader configuration
+
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="Parabola"
+GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
+GRUB_CMDLINE_LINUX=""
+
+# Preload both GPT and MBR modules so that they are not missed
+GRUB_PRELOAD_MODULES="part_gpt part_msdos"
+
+# Uncomment to enable booting from LUKS encrypted devices
+#GRUB_ENABLE_CRYPTODISK=y
+
+# Set to 'countdown' or 'hidden' to change timeout behavior,
+# press ESC key to display menu.
+GRUB_TIMEOUT_STYLE=menu
+
+# Uncomment to use basic console
+GRUB_TERMINAL_INPUT=console
+
+# Uncomment to disable graphical terminal
+#GRUB_TERMINAL_OUTPUT=console
+
+# The resolution used on graphical terminal
+# note that you can use only modes which your graphic card supports via VBE
+# you can see them in real GRUB with the command `vbeinfo'
+GRUB_GFXMODE=auto
+
+# Uncomment to allow the kernel use the same resolution used by grub
+GRUB_GFXPAYLOAD_LINUX=keep
+
+# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
+# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
+#GRUB_DISABLE_LINUX_UUID=true
+
+# Uncomment to disable generation of recovery mode menu entries
+GRUB_DISABLE_RECOVERY=true
+
+# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
+# modes only.  Entries specified as foreground/background.
+GRUB_COLOR_NORMAL="magenta/black"
+GRUB_COLOR_HIGHLIGHT="white/magenta"
+
+# Uncomment one of them for the gfx desired, a image background or a gfxtheme
+#GRUB_BACKGROUND="/path/to/wallpaper"
+#GRUB_THEME="/path/to/gfxtheme"
+
+# Uncomment to get a beep at GRUB start
+#GRUB_INIT_TUNE="480 440 1"
+
+# Uncomment to make GRUB remember the last selection. This requires to
+# set 'GRUB_DEFAULT=saved' above.
+#GRUB_SAVEDEFAULT="true"
+
+# Disable advanced submenu
+GRUB_DISABLE_SUBMENU="y"
diff --git a/libre/grub-crypt-git/grub.install b/libre/grub-crypt-git/grub.install
new file mode 100644
index 000000000..c13ef99c7
--- /dev/null
+++ b/libre/grub-crypt-git/grub.install
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+post_upgrade() {
+  # We used to package /boot/grub/grub.cfg, but there is no reason to.
+  # Remove the file from package, but move real file back in place.
+  if [ ! -f /boot/grub/grub.cfg -a -f /boot/grub/grub.cfg.pacsave ]; then
+    mv /boot/grub/grub.cfg.pacsave /boot/grub/grub.cfg
+  fi
+}
+
+post_install() {
+  cat << 'EOM'
+Generate your bootloader configuration with:
+  grub-mkconfig -o /boot/grub/grub.cfg
+EOM
+}
+
diff --git a/libre/grub-crypt-git/v6-0001-cryptodisk-luks-unify-grub_cryptodisk_dev-functio.patch b/libre/grub-crypt-git/v6-0001-cryptodisk-luks-unify-grub_cryptodisk_dev-functio.patch
new file mode 100644
index 000000000..4ce48a241
--- /dev/null
+++ b/libre/grub-crypt-git/v6-0001-cryptodisk-luks-unify-grub_cryptodisk_dev-functio.patch
@@ -0,0 +1,38 @@
+From 76e1f305277f7901d9f710c61a78d715b2816035 Mon Sep 17 00:00:00 2001
+From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Date: Tue, 10 Mar 2020 04:31:16 +0100
+Subject: [PATCH v6 1/6] cryptodisk: luks: unify grub_cryptodisk_dev function
+ names
+
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Reviewed-by: Patrick Steinhardt <ps@pks.im>
+---
+ grub-core/disk/luks.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 6ae162601..b50f6fd02 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -65,8 +65,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
+ 			  grub_size_t blocknumbers);
+ 
+ static grub_cryptodisk_t
+-configure_ciphers (grub_disk_t disk, const char *check_uuid,
+-		   int check_boot)
++luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
+ {
+   grub_cryptodisk_t newdev;
+   const char *iptr;
+@@ -310,7 +309,7 @@ luks_recover_key (grub_disk_t source,
+ }
+ 
+ struct grub_cryptodisk_dev luks_crypto = {
+-  .scan = configure_ciphers,
++  .scan = luks_scan,
+   .recover_key = luks_recover_key
+ };
+ 
+-- 
+2.28.0
+
diff --git a/libre/grub-crypt-git/v6-0002-cryptodisk-geli-unify-grub_cryptodisk_dev-functio.patch b/libre/grub-crypt-git/v6-0002-cryptodisk-geli-unify-grub_cryptodisk_dev-functio.patch
new file mode 100644
index 000000000..8576a7b61
--- /dev/null
+++ b/libre/grub-crypt-git/v6-0002-cryptodisk-geli-unify-grub_cryptodisk_dev-functio.patch
@@ -0,0 +1,49 @@
+From 90f9191faff3f7f4c8f98d0ff6023a8b92069022 Mon Sep 17 00:00:00 2001
+From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Date: Tue, 10 Mar 2020 04:31:16 +0100
+Subject: [PATCH v6 2/6] cryptodisk: geli: unify grub_cryptodisk_dev function
+ names
+
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Reviewed-by: Patrick Steinhardt <ps@pks.im>
+---
+ grub-core/disk/geli.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index e9d23299a..581631c1d 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -242,8 +242,7 @@ grub_util_get_geli_uuid (const char *dev)
+ #endif
+ 
+ static grub_cryptodisk_t
+-configure_ciphers (grub_disk_t disk, const char *check_uuid,
+-		   int boot_only)
++geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+ {
+   grub_cryptodisk_t newdev;
+   struct grub_geli_phdr header;
+@@ -398,7 +397,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
+ }
+ 
+ static grub_err_t
+-recover_key (grub_disk_t source, grub_cryptodisk_t dev)
++geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+ {
+   grub_size_t keysize;
+   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+@@ -580,8 +579,8 @@ recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+ }
+ 
+ struct grub_cryptodisk_dev geli_crypto = {
+-  .scan = configure_ciphers,
+-  .recover_key = recover_key
++  .scan = geli_scan,
++  .recover_key = geli_recover_key
+ };
+ 
+ GRUB_MOD_INIT (geli)
+-- 
+2.28.0
+
diff --git a/libre/grub-crypt-git/v6-0003-cryptodisk-enable-the-backends-to-implement-detac.patch b/libre/grub-crypt-git/v6-0003-cryptodisk-enable-the-backends-to-implement-detac.patch
new file mode 100644
index 000000000..b3b7c8950
--- /dev/null
+++ b/libre/grub-crypt-git/v6-0003-cryptodisk-enable-the-backends-to-implement-detac.patch
@@ -0,0 +1,285 @@
+From 7ebc9fc1076b2bf8dc728eca345db4a6b8ddff91 Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Tue, 23 Jun 2015 11:16:30 +0100
+Subject: [PATCH v6 3/6] cryptodisk: enable the backends to implement detached
+ headers
+
+Signed-off-by: John Lane <john@lane.uk.net>
+GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Reviewed-by: Patrick Steinhardt <ps@pks.im>
+---
+ grub-core/disk/cryptodisk.c | 24 ++++++++++++++++++++----
+ grub-core/disk/geli.c       | 15 +++++++++++++--
+ grub-core/disk/luks.c       | 14 +++++++++++---
+ grub-core/disk/luks2.c      | 15 ++++++++++++---
+ include/grub/cryptodisk.h   |  6 ++++--
+ include/grub/file.h         |  2 ++
+ 6 files changed, 62 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 1897acc4b..6ad2e486e 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
+     /* TRANSLATORS: It's still restricted to cryptodisks only.  */
+     {"all", 'a', 0, N_("Mount all."), 0, 0},
+     {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
++    {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
+     {0, 0, 0, 0, 0, 0}
+   };
+ 
+@@ -970,6 +971,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
+ 
+ static int check_boot, have_it;
+ static char *search_uuid;
++static grub_file_t hdr;
+ 
+ static void
+ cryptodisk_close (grub_cryptodisk_t dev)
+@@ -994,13 +996,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
+ 
+   FOR_CRYPTODISK_DEVS (cr)
+   {
+-    dev = cr->scan (source, search_uuid, check_boot);
++    dev = cr->scan (source, search_uuid, check_boot, hdr);
+     if (grub_errno)
+       return grub_errno;
+     if (!dev)
+       continue;
+     
+-    err = cr->recover_key (source, dev);
++    err = cr->recover_key (source, dev, hdr);
+     if (err)
+     {
+       cryptodisk_close (dev);
+@@ -1041,7 +1043,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat)
+ 
+   FOR_CRYPTODISK_DEVS (cr)
+   {
+-    dev = cr->scan (source, search_uuid, check_boot);
++    dev = cr->scan (source, search_uuid, check_boot, NULL);
+     if (grub_errno)
+       return grub_errno;
+     if (!dev)
+@@ -1095,6 +1097,20 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+   if (argc < 1 && !state[1].set && !state[2].set)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required");
+ 
++  if (state[3].set) /* Detached header */
++    {
++      if (state[0].set)
++	return grub_error (GRUB_ERR_BAD_ARGUMENT,
++			   N_("Cannot use UUID lookup with detached header"));
++
++      hdr = grub_file_open (state[3].arg,
++			    GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER);
++      if (!hdr)
++	return grub_errno;
++    }
++  else
++    hdr = NULL;
++
+   have_it = 0;
+   if (state[0].set)
+     {
+@@ -1302,7 +1318,7 @@ GRUB_MOD_INIT (cryptodisk)
+ {
+   grub_disk_dev_register (&grub_cryptodisk_dev);
+   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
+-			      N_("SOURCE|-u UUID|-a|-b"),
++			      N_("SOURCE|-u UUID|-a|-b|-H file"),
+ 			      N_("Mount a crypto device."), options);
+   grub_procfs_register ("luks_script", &luks_script);
+ }
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index 581631c1d..acd09d874 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -52,6 +52,7 @@
+ #include <grub/dl.h>
+ #include <grub/err.h>
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
+@@ -121,6 +122,7 @@ enum
+ 
+ /* FIXME: support version 0.  */
+ /* FIXME: support big-endian pre-version-4 volumes.  */
++/* FIXME: support for detached headers.  */
+ /* FIXME: support for keyfiles.  */
+ /* FIXME: support for HMAC.  */
+ const char *algorithms[] = {
+@@ -242,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev)
+ #endif
+ 
+ static grub_cryptodisk_t
+-geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
++geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
++	   grub_file_t hdr)
+ {
+   grub_cryptodisk_t newdev;
+   struct grub_geli_phdr header;
+@@ -254,6 +257,10 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+   grub_disk_addr_t sector;
+   grub_err_t err;
+ 
++  /* Detached headers are not implemented yet */
++  if (hdr)
++    return NULL;
++
+   if (2 * GRUB_MD_SHA256->mdlen + 1 > GRUB_CRYPTODISK_MAX_UUID_LENGTH)
+     return NULL;
+ 
+@@ -397,7 +404,7 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only)
+ }
+ 
+ static grub_err_t
+-geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
++geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+ {
+   grub_size_t keysize;
+   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+@@ -413,6 +420,10 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev)
+   grub_disk_addr_t sector;
+   grub_err_t err;
+ 
++  /* Detached headers are not implemented yet */
++  if (hdr)
++    return GRUB_ERR_NOT_IMPLEMENTED_YET;
++
+   if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE)
+     return grub_error (GRUB_ERR_BUG, "cipher block is too long");
+ 
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index b50f6fd02..685235565 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -65,7 +65,8 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
+ 			  grub_size_t blocknumbers);
+ 
+ static grub_cryptodisk_t
+-luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
++luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
++	   grub_file_t hdr)
+ {
+   grub_cryptodisk_t newdev;
+   const char *iptr;
+@@ -77,6 +78,10 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
+   char hashspec[sizeof (header.hashSpec) + 1];
+   grub_err_t err;
+ 
++  /* Detached headers are not implemented yet */
++  if (hdr)
++    return NULL;
++
+   if (check_boot)
+     return NULL;
+ 
+@@ -149,8 +154,7 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
+ }
+ 
+ static grub_err_t
+-luks_recover_key (grub_disk_t source,
+-		  grub_cryptodisk_t dev)
++luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+ {
+   struct grub_luks_phdr header;
+   grub_size_t keysize;
+@@ -163,6 +167,10 @@ luks_recover_key (grub_disk_t source,
+   grub_size_t max_stripes = 1;
+   char *tmp;
+ 
++  /* Detached headers are not implemented yet */
++  if (hdr)
++    return GRUB_ERR_NOT_IMPLEMENTED_YET;
++
+   err = grub_disk_read (source, 0, 0, sizeof (header), &header);
+   if (err)
+     return err;
+diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
+index e3ff7c83d..bc00e8bbc 100644
+--- a/grub-core/disk/luks2.c
++++ b/grub-core/disk/luks2.c
+@@ -342,11 +342,16 @@ luks2_read_header (grub_disk_t disk, grub_luks2_header_t *outhdr)
+ }
+ 
+ static grub_cryptodisk_t
+-luks2_scan (grub_disk_t disk, const char *check_uuid, int check_boot)
++luks2_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
++	    grub_file_t hdr_file)
+ {
+   grub_cryptodisk_t cryptodisk;
+   grub_luks2_header_t header;
+ 
++  /* Detached headers are not implemented yet */
++  if (hdr_file)
++    return NULL;
++
+   if (check_boot)
+     return NULL;
+ 
+@@ -523,8 +528,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
+ }
+ 
+ static grub_err_t
+-luks2_recover_key (grub_disk_t disk,
+-		   grub_cryptodisk_t crypt)
++luks2_recover_key (grub_disk_t disk, grub_cryptodisk_t crypt,
++		   grub_file_t hdr_file)
+ {
+   grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+   char passphrase[MAX_PASSPHRASE], cipher[32];
+@@ -538,6 +543,10 @@ luks2_recover_key (grub_disk_t disk,
+   grub_json_t *json = NULL, keyslots;
+   grub_err_t ret;
+ 
++  /* Detached headers are not implemented yet */
++  if (hdr_file)
++    return GRUB_ERR_NOT_IMPLEMENTED_YET;
++
+   ret = luks2_read_header (disk, &header);
+   if (ret)
+     return ret;
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index e1b21e785..e24b1b8cb 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -20,6 +20,7 @@
+ #define GRUB_CRYPTODISK_HEADER	1
+ 
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/list.h>
+ #ifdef GRUB_UTIL
+@@ -107,8 +108,9 @@ struct grub_cryptodisk_dev
+   struct grub_cryptodisk_dev **prev;
+ 
+   grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+-			     int boot_only);
+-  grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev);
++			     int boot_only, grub_file_t hdr);
++  grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
++			     grub_file_t hdr);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+ 
+diff --git a/include/grub/file.h b/include/grub/file.h
+index 31567483c..a7d7be853 100644
+--- a/include/grub/file.h
++++ b/include/grub/file.h
+@@ -90,6 +90,8 @@ enum grub_file_type
+     GRUB_FILE_TYPE_FONT,
+     /* File holding encryption key for encrypted ZFS.  */
+     GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY,
++    /* File holiding the encryption metadata header */
++    GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER,
+     /* File we open n grub-fstest.  */
+     GRUB_FILE_TYPE_FSTEST,
+     /* File we open n grub-mount.  */
+-- 
+2.28.0
+
diff --git a/libre/grub-crypt-git/v6-0004-cryptodisk-add-support-for-LUKS1-detached-headers.patch b/libre/grub-crypt-git/v6-0004-cryptodisk-add-support-for-LUKS1-detached-headers.patch
new file mode 100644
index 000000000..64dd90d9c
--- /dev/null
+++ b/libre/grub-crypt-git/v6-0004-cryptodisk-add-support-for-LUKS1-detached-headers.patch
@@ -0,0 +1,114 @@
+From 53ad601c16ca9e718c459141b70e417634d0a76b Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Tue, 23 Jun 2015 11:16:30 +0100
+Subject: [PATCH v6 4/6] cryptodisk: add support for LUKS1 detached headers
+
+cryptsetup supports having a detached header through the
+--header command line argument for both LUKS1 and LUKS2.
+
+This adds support for LUKS1 detached headers.
+
+Signed-off-by: John Lane <john@lane.uk.net>
+GNUtoo@cyberdimension.org: rebase, small fixes, commit message
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Reviewed-by: Patrick Steinhardt <ps@pks.im>
+---
+ grub-core/disk/luks.c | 48 ++++++++++++++++++++++++++++++-------------
+ 1 file changed, 34 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 685235565..6286302e7 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -23,6 +23,7 @@
+ #include <grub/dl.h>
+ #include <grub/err.h>
+ #include <grub/disk.h>
++#include <grub/file.h>
+ #include <grub/crypto.h>
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
+@@ -76,17 +77,23 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
+   char ciphername[sizeof (header.cipherName) + 1];
+   char ciphermode[sizeof (header.cipherMode) + 1];
+   char hashspec[sizeof (header.hashSpec) + 1];
+-  grub_err_t err;
+-
+-  /* Detached headers are not implemented yet */
+-  if (hdr)
+-    return NULL;
++  grub_err_t err = GRUB_ERR_NONE;
+ 
+   if (check_boot)
+     return NULL;
+ 
+   /* Read the LUKS header.  */
+-  err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
++  if (hdr)
++    {
++      if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
++	return NULL;
++
++      if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
++	return NULL;
++    }
++  else
++    err = grub_disk_read (disk, 0, 0, sizeof (header), &header);
++
+   if (err)
+     {
+       if (err == GRUB_ERR_OUT_OF_RANGE)
+@@ -163,15 +170,22 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
+   unsigned i;
+   grub_size_t length;
+-  grub_err_t err;
++  grub_err_t err = GRUB_ERR_NONE;
+   grub_size_t max_stripes = 1;
+   char *tmp;
++  grub_uint32_t sector;
+ 
+-  /* Detached headers are not implemented yet */
+   if (hdr)
+-    return GRUB_ERR_NOT_IMPLEMENTED_YET;
++    {
++      if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
++	return grub_errno;
++
++      if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header))
++	return grub_errno;
++    }
++  else
++    err = grub_disk_read (source, 0, 0, sizeof (header), &header);
+ 
+-  err = grub_disk_read (source, 0, 0, sizeof (header), &header);
+   if (err)
+     return err;
+ 
+@@ -240,13 +254,19 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+ 	  return grub_crypto_gcry_error (gcry_err);
+ 	}
+ 
++      sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
+       length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
+ 
+       /* Read and decrypt the key material from the disk.  */
+-      err = grub_disk_read (source,
+-			    grub_be_to_cpu32 (header.keyblock
+-					      [i].keyMaterialOffset), 0,
+-			    length, split_key);
++      if (hdr)
++      {
++        if (grub_file_seek (hdr, sector * 512) == (grub_off_t) -1)
++          return grub_errno;
++        if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
++          return grub_errno;
++      }
++      else
++        err = grub_disk_read (source, sector, 0, length, split_key);
+       if (err)
+ 	{
+ 	  grub_free (split_key);
+-- 
+2.28.0
+
diff --git a/libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch b/libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch
new file mode 100644
index 000000000..b9f727211
--- /dev/null
+++ b/libre/grub-crypt-git/v6-0005-cryptodisk-enable-the-backends-to-implement-key-f.patch
@@ -0,0 +1,251 @@
+From f17a54035876808331c7ab753a0706de4bf46a7a Mon Sep 17 00:00:00 2001
+From: John Lane <john@lane.uk.net>
+Date: Tue, 23 Jun 2015 11:16:30 +0100
+Subject: [PATCH v6 5/6] cryptodisk: enable the backends to implement key files
+
+Signed-off-by: John Lane <john@lane.uk.net>
+GNUtoo@cyberdimension.org: rebase, patch split, small fixes, commit message
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Reviewed-by: Patrick Steinhardt <ps@pks.im>
+---
+ grub-core/disk/cryptodisk.c | 87 ++++++++++++++++++++++++++++++++++++-
+ grub-core/disk/geli.c       |  7 +--
+ grub-core/disk/luks.c       |  7 ++-
+ grub-core/disk/luks2.c      |  7 +--
+ include/grub/cryptodisk.h   |  5 ++-
+ include/grub/file.h         |  2 +
+ 6 files changed, 106 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 6ad2e486e..dd94736d3 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] =
+     {"all", 'a', 0, N_("Mount all."), 0, 0},
+     {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0},
+     {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
++    {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING},
++    {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
++    {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
+     {0, 0, 0, 0, 0, 0}
+   };
+ 
+@@ -972,6 +975,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk)
+ static int check_boot, have_it;
+ static char *search_uuid;
+ static grub_file_t hdr;
++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE];
++static grub_ssize_t key_size;
+ 
+ static void
+ cryptodisk_close (grub_cryptodisk_t dev)
+@@ -1002,7 +1007,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source)
+     if (!dev)
+       continue;
+     
+-    err = cr->recover_key (source, dev, hdr);
++    err = cr->recover_key (source, dev, hdr, key, key_size);
+     if (err)
+     {
+       cryptodisk_close (dev);
+@@ -1112,6 +1117,86 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+     hdr = NULL;
+ 
+   have_it = 0;
++  key = NULL;
++
++  if (state[4].set) /* keyfile */
++    {
++      const char *p = NULL;
++      grub_file_t keyfile;
++      int keyfile_offset;
++      grub_size_t requested_keyfile_size = 0;
++
++
++      if (state[5].set) /* keyfile-offset */
++	{
++	  keyfile_offset = grub_strtoul (state[5].arg, &p, 0);
++
++	  if (grub_errno != GRUB_ERR_NONE)
++	    return grub_errno;
++
++	  if (*p != '\0')
++	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
++			       N_("unrecognized number"));
++	}
++      else
++	{
++	  keyfile_offset = 0;
++	}
++
++      if (state[6].set) /* keyfile-size */
++	{
++	  requested_keyfile_size = grub_strtoul (state[6].arg, &p, 0);
++
++	  if (*p != '\0')
++	    return grub_error (GRUB_ERR_BAD_ARGUMENT,
++			       N_("unrecognized number"));
++
++	  if (grub_errno != GRUB_ERR_NONE)
++	    return grub_errno;
++
++	  if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE)
++	    return grub_error (GRUB_ERR_OUT_OF_RANGE,
++			      N_("Key file size exceeds maximum (%"
++				 PRIuGRUB_SIZE ")\n"),
++			      GRUB_CRYPTODISK_MAX_KEYFILE_SIZE);
++
++	  if (requested_keyfile_size == 0)
++	    return grub_error (GRUB_ERR_OUT_OF_RANGE,
++			      N_("Key file size is 0\n"));
++	}
++
++      keyfile = grub_file_open (state[4].arg,
++				GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY);
++      if (!keyfile)
++	return grub_errno;
++
++      if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1)
++	return grub_errno;
++
++      if (requested_keyfile_size)
++	{
++	  if (requested_keyfile_size > (keyfile->size - keyfile_offset))
++	    return grub_error (GRUB_ERR_FILE_READ_ERROR,
++			       N_("Keyfile is too small: "
++				  "requested %" PRIuGRUB_SIZE " bytes, "
++				  "but the file only has %" PRIuGRUB_SIZE
++				  " bytes.\n"),
++			       requested_keyfile_size,
++			       keyfile->size);
++
++	  key_size = requested_keyfile_size;
++	}
++      else
++	{
++	  key_size = keyfile->size - keyfile_offset;
++	}
++
++      if (grub_file_read (keyfile, keyfile_buffer, key_size) != key_size)
++	return grub_error (GRUB_ERR_FILE_READ_ERROR,
++			   (N_("Error reading key file\n")));
++      key = keyfile_buffer;
++    }
++
+   if (state[0].set)
+     {
+       grub_cryptodisk_t dev;
+diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c
+index acd09d874..159ac0f96 100644
+--- a/grub-core/disk/geli.c
++++ b/grub-core/disk/geli.c
+@@ -404,7 +404,8 @@ geli_scan (grub_disk_t disk, const char *check_uuid, int boot_only,
+ }
+ 
+ static grub_err_t
+-geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
++geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
++		  grub_uint8_t *key, grub_size_t keyfile_size)
+ {
+   grub_size_t keysize;
+   grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN];
+@@ -420,8 +421,8 @@ geli_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+   grub_disk_addr_t sector;
+   grub_err_t err;
+ 
+-  /* Detached headers are not implemented yet */
+-  if (hdr)
++  /* Detached headers and keyfiles are not implemented yet */
++  if (hdr || key || keyfile_size)
+     return GRUB_ERR_NOT_IMPLEMENTED_YET;
+ 
+   if (dev->cipher->cipher->blocksize > GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE)
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 6286302e7..0dd33b2af 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -161,7 +161,8 @@ luks_scan (grub_disk_t disk, const char *check_uuid, int check_boot,
+ }
+ 
+ static grub_err_t
+-luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
++luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
++		  grub_uint8_t *keyfile_bytes, grub_size_t keyfile_bytes_size)
+ {
+   struct grub_luks_phdr header;
+   grub_size_t keysize;
+@@ -175,6 +176,10 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr)
+   char *tmp;
+   grub_uint32_t sector;
+ 
++  /* Keyfiles are not implemented yet */
++  if (keyfile_bytes || keyfile_bytes_size)
++     return GRUB_ERR_NOT_IMPLEMENTED_YET;
++
+   if (hdr)
+     {
+       if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
+index bc00e8bbc..6a38a1f4d 100644
+--- a/grub-core/disk/luks2.c
++++ b/grub-core/disk/luks2.c
+@@ -529,7 +529,8 @@ luks2_decrypt_key (grub_uint8_t *out_key,
+ 
+ static grub_err_t
+ luks2_recover_key (grub_disk_t disk, grub_cryptodisk_t crypt,
+-		   grub_file_t hdr_file)
++		   grub_file_t hdr_file, grub_uint8_t *key,
++		   grub_size_t keyfile_size)
+ {
+   grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
+   char passphrase[MAX_PASSPHRASE], cipher[32];
+@@ -543,8 +544,8 @@ luks2_recover_key (grub_disk_t disk, grub_cryptodisk_t crypt,
+   grub_json_t *json = NULL, keyslots;
+   grub_err_t ret;
+ 
+-  /* Detached headers are not implemented yet */
+-  if (hdr_file)
++  /* Detached headers and keyfiles are not implemented yet */
++  if (hdr_file || key || keyfile_size)
+     return GRUB_ERR_NOT_IMPLEMENTED_YET;
+ 
+   ret = luks2_read_header (disk, &header);
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index e24b1b8cb..6d2610f93 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -55,6 +55,8 @@ typedef enum
+ #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES)
+ #define GRUB_CRYPTODISK_MAX_KEYLEN 128
+ 
++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192
++
+ struct grub_cryptodisk;
+ 
+ typedef gcry_err_code_t
+@@ -110,7 +112,8 @@ struct grub_cryptodisk_dev
+   grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid,
+ 			     int boot_only, grub_file_t hdr);
+   grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev,
+-			     grub_file_t hdr);
++			     grub_file_t hdr, grub_uint8_t *key,
++			     grub_size_t keyfile_size);
+ };
+ typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t;
+ 
+diff --git a/include/grub/file.h b/include/grub/file.h
+index a7d7be853..97678aa45 100644
+--- a/include/grub/file.h
++++ b/include/grub/file.h
+@@ -92,6 +92,8 @@ enum grub_file_type
+     GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY,
+     /* File holiding the encryption metadata header */
+     GRUB_FILE_TYPE_CRYPTODISK_DETACHED_HEADER,
++    /* File holiding the encryption key */
++    GRUB_FILE_TYPE_CRYPTODISK_ENCRYPTION_KEY,
+     /* File we open n grub-fstest.  */
+     GRUB_FILE_TYPE_FSTEST,
+     /* File we open n grub-mount.  */
+-- 
+2.28.0
+
diff --git a/libre/grub-crypt-git/v6-0006-cryptodisk-Add-support-for-LUKS1-key-files.patch b/libre/grub-crypt-git/v6-0006-cryptodisk-Add-support-for-LUKS1-key-files.patch
new file mode 100644
index 000000000..7b544316f
--- /dev/null
+++ b/libre/grub-crypt-git/v6-0006-cryptodisk-Add-support-for-LUKS1-key-files.patch
@@ -0,0 +1,97 @@
+From 6251a7f5223b61605a9b4ba11bb18ed607c05f50 Mon Sep 17 00:00:00 2001
+From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Date: Tue, 17 Mar 2020 08:02:10 +0100
+Subject: [PATCH v6 6/6] cryptodisk: Add support for LUKS1 key files
+
+cryptsetup supports key files thourh the --key-file
+--header command line argument for both LUKS1 and LUKS2.
+
+This adds support for LUKS1 key files.
+
+Signed-off-by: John Lane <john@lane.uk.net>
+GNUtoo@cyberdimension.org: rebase, fixes, commit message
+Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+Reviewed-by: Patrick Steinhardt <ps@pks.im>
+---
+ grub-core/disk/luks.c | 43 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 0dd33b2af..125a21902 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -167,7 +167,9 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
+   struct grub_luks_phdr header;
+   grub_size_t keysize;
+   grub_uint8_t *split_key = NULL;
+-  char passphrase[MAX_PASSPHRASE] = "";
++  char interactive_passphrase[MAX_PASSPHRASE] = "";
++  grub_uint8_t *passphrase;
++  grub_size_t passphrase_length;
+   grub_uint8_t candidate_digest[sizeof (header.mkDigest)];
+   unsigned i;
+   grub_size_t length;
+@@ -176,10 +178,6 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
+   char *tmp;
+   grub_uint32_t sector;
+ 
+-  /* Keyfiles are not implemented yet */
+-  if (keyfile_bytes || keyfile_bytes_size)
+-     return GRUB_ERR_NOT_IMPLEMENTED_YET;
+-
+   if (hdr)
+     {
+       if (grub_file_seek (hdr, 0) == (grub_off_t) -1)
+@@ -208,18 +206,29 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
+   if (!split_key)
+     return grub_errno;
+ 
+-  /* Get the passphrase from the user.  */
+-  tmp = NULL;
+-  if (source->partition)
+-    tmp = grub_partition_get_name (source->partition);
+-  grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+-	       source->partition ? "," : "", tmp ? : "",
+-	       dev->uuid);
+-  grub_free (tmp);
+-  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
++  if (keyfile_bytes)
+     {
+-      grub_free (split_key);
+-      return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++      /* Use bytestring from key file as passphrase */
++      passphrase = keyfile_bytes;
++      passphrase_length = keyfile_bytes_size;
++    }
++  else
++    {
++      /* Get the passphrase from the user.  */
++      tmp = NULL;
++      if (source->partition)
++        tmp = grub_partition_get_name (source->partition);
++      grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++		    source->partition ? "," : "", tmp ? : "", dev->uuid);
++      grub_free (tmp);
++      if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
++        {
++          grub_free (split_key);
++          return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
++        }
++
++      passphrase = (grub_uint8_t *)interactive_passphrase;
++      passphrase_length = grub_strlen (interactive_passphrase);
+     }
+ 
+   /* Try to recover master key from each active keyslot.  */
+@@ -237,7 +246,7 @@ luks_recover_key (grub_disk_t source, grub_cryptodisk_t dev, grub_file_t hdr,
+ 
+       /* Calculate the PBKDF2 of the user supplied passphrase.  */
+       gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
+-				     grub_strlen (passphrase),
++				     passphrase_length,
+ 				     header.keyblock[i].passwordSalt,
+ 				     sizeof (header.keyblock[i].passwordSalt),
+ 				     grub_be_to_cpu32 (header.keyblock[i].
+-- 
+2.28.0
+
-- 
cgit v1.2.3