uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948
this can do it nicely.

Signed-off-by: Anton Arapov <anton@deadbeef.mx>

pkgs/tools/misc/grub/2.0x.nix

@@ -0,0 +1,189 @@
+{ lib, stdenv, fetchurl, flex, bison, python3, autoreconfHook, gnulib, libtool, bash
+, gettext, ncurses, libusb-compat-0_1, freetype, qemu, lvm2, unifont, pkg-config
+, buildPackages
+, fetchpatch
+, pkgsBuildBuild
+, nixosTests
+, fuse # only needed for grub-mount
+, runtimeShell
+, zfs ? null
+, efiSupport ? false
+, zfsSupport ? false
+, xenSupport ? false
+, kbdcompSupport ? false, ckbcomp
+}:
+
+with lib;
+let
+  pcSystems = {
+    i686-linux.target = "i386";
+    x86_64-linux.target = "i386";
+  };
+
+  efiSystemsBuild = {
+    i686-linux.target = "i386";
+    x86_64-linux.target = "x86_64";
+    armv7l-linux.target = "arm";
+    aarch64-linux.target = "aarch64";
+  };
+
+  # For aarch64, we need to use '--target=aarch64-efi' when building,
+  # but '--target=arm64-efi' when installing. Insanity!
+  efiSystemsInstall = {
+    i686-linux.target = "i386";
+    x86_64-linux.target = "x86_64";
+    armv7l-linux.target = "arm";
+    aarch64-linux.target = "arm64";
+  };
+
+  canEfi = any (system: stdenv.hostPlatform.system == system) (mapAttrsToList (name: _: name) efiSystemsBuild);
+  inPCSystems = any (system: stdenv.hostPlatform.system == system) (mapAttrsToList (name: _: name) pcSystems);
+
+  version = "2.06";
+
+in (
+
+assert efiSupport -> canEfi;
+assert zfsSupport -> zfs != null;
+assert !(efiSupport && xenSupport);
+
+stdenv.mkDerivation rec {
+  pname = "grub";
+  inherit version;
+
+  src = fetchurl {
+    url = "mirror://gnu/grub/grub-${version}.tar.xz";
+    sha256 = "sha256-t56kSvkbk9F80/6Ava5u1DdwZ4qaWuGSzOqAPrtlfuE=";
+  };
+
+  patches = [
+    ./fix-bash-completion.patch
+    (fetchpatch {
+      name = "Add-hidden-menu-entries.patch";
+      # https://lists.gnu.org/archive/html/grub-devel/2016-04/msg00089.html
+      url = "https://marc.info/?l=grub-devel&m=146193404929072&q=mbox";
+      sha256 = "00wa1q5adiass6i0x7p98vynj9vsz1w0gn1g4dgz89v35mpyw2bi";
+    })
+
+    # Pull upstream patch to fix linkage against binutils-2.36.
+    (fetchpatch {
+      name = "binutils-2.36";
+      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=b98275138bf4fc250a1c362dfd2c8b1cf2421701";
+      sha256 = "001m058bsl2pcb0ii84jfm5ias8zgzabrfy6k2cc9w6w1y51ii82";
+    })
+  ];
+
+  postPatch = if kbdcompSupport then ''
+    sed -i util/grub-kbdcomp.in -e 's@\bckbcomp\b@${ckbcomp}/bin/ckbcomp@'
+  '' else ''
+    echo '#! ${runtimeShell}' > util/grub-kbdcomp.in
+    echo 'echo "Compile grub2 with { kbdcompSupport = true; } to enable support for this command."' >> util/grub-kbdcomp.in
+  '';
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ bison flex python3 pkg-config gettext freetype autoreconfHook ];
+  buildInputs = [ ncurses libusb-compat-0_1 freetype lvm2 fuse libtool bash ]
+    ++ optional doCheck qemu
+    ++ optional zfsSupport zfs;
+
+  strictDeps = true;
+
+  hardeningDisable = [ "all" ];
+
+  separateDebugInfo = true;
+
+  # Work around a bug in the generated flex lexer (upstream flex bug?)
+  NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  preConfigure =
+    '' for i in "tests/util/"*.in
+       do
+         sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
+       done
+
+       # Apparently, the QEMU executable is no longer called
+       # `qemu-system-i386', even on i386.
+       #
+       # In addition, use `-nodefaults' to avoid errors like:
+       #
+       #  chardev: opening backend "stdio" failed
+       #  qemu: could not open serial device 'stdio': Invalid argument
+       #
+       # See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
+       sed -i "tests/util/grub-shell.in" \
+           -e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
+
+      unset CPP # setting CPP intereferes with dependency calculation
+
+      patchShebangs .
+
+      substituteInPlace ./configure --replace '/usr/share/fonts/unifont' '${unifont}/share/fonts'
+    '';
+
+  configureFlags = [
+    "--enable-grub-mount" # dep of os-prober
+  ] ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    # grub doesn't do cross-compilation as usual and tries to use unprefixed
+    # tools to target the host. Provide toolchain information explicitly for
+    # cross builds.
+    #
+    # Ref: # https://github.com/buildroot/buildroot/blob/master/boot/grub2/grub2.mk#L108
+    "TARGET_CC=${stdenv.cc.targetPrefix}cc"
+    "TARGET_NM=${stdenv.cc.targetPrefix}nm"
+    "TARGET_OBJCOPY=${stdenv.cc.targetPrefix}objcopy"
+    "TARGET_RANLIB=${stdenv.cc.targetPrefix}ranlib"
+    "TARGET_STRIP=${stdenv.cc.targetPrefix}strip"
+  ] ++ optional zfsSupport "--enable-libzfs"
+    ++ optionals efiSupport [ "--with-platform=efi" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}" "--program-prefix=" ]
+    ++ optionals xenSupport [ "--with-platform=xen" "--target=${efiSystemsBuild.${stdenv.hostPlatform.system}.target}"];
+
+  # save target that grub is compiled for
+  grubTarget = if efiSupport
+               then "${efiSystemsInstall.${stdenv.hostPlatform.system}.target}-efi"
+               else if inPCSystems
+                    then "${pcSystems.${stdenv.hostPlatform.system}.target}-pc"
+                    else "";
+
+  doCheck = false;
+  enableParallelBuilding = true;
+
+  postInstall = ''
+    # Avoid a runtime reference to gcc
+    sed -i $out/lib/grub/*/modinfo.sh -e "/grub_target_cppflags=/ s|'.*'|' '|"
+    # just adding bash to buildInputs wasn't enough to fix the shebang
+    substituteInPlace $out/lib/grub/*/modinfo.sh \
+      --replace ${buildPackages.bash} "/usr/bin/bash"
+  '';
+
+  passthru.tests = {
+    nixos-grub = nixosTests.grub;
+    nixos-install-simple = nixosTests.installer.simple;
+    nixos-install-grub1 = nixosTests.installer.grub1;
+    nixos-install-grub-uefi = nixosTests.installer.simpleUefiGrub;
+    nixos-install-grub-uefi-spec = nixosTests.installer.simpleUefiGrubSpecialisation;
+  };
+
+  meta = with lib; {
+    description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";
+
+    longDescription =
+      '' GNU GRUB is a Multiboot boot loader. It was derived from GRUB, GRand
+         Unified Bootloader, which was originally designed and implemented by
+         Erich Stefan Boleyn.
+
+         Briefly, the boot loader is the first software program that runs when a
+         computer starts.  It is responsible for loading and transferring
+         control to the operating system kernel software (such as the Hurd or
+         the Linux).  The kernel, in turn, initializes the rest of the
+         operating system (e.g., GNU).
+      '';
+
+    homepage = "https://www.gnu.org/software/grub/";
+
+    license = licenses.gpl3Plus;
+
+    platforms = platforms.gnu ++ platforms.linux;
+
+    maintainers = [ maintainers.samueldr ];
+  };
+})

pkgs/tools/misc/grub/buggybios.patch

@@ -0,0 +1,11 @@
+Taken from: http://savannah.gnu.org/bugs/?func=detailitem&item_id=10433
+--- grub-0.95.orig/stage2/bios.c 2004-03-27 17:34:04.000000000 +0100
++++ grub-0.95/stage2/bios.c 2005-03-02 01:02:29.192582200 +0100
+@@ -147,6 +147,7 @@
+   grub_memset (&cdrp, 0, sizeof (cdrp));
+   cdrp.size = sizeof (cdrp) - sizeof (cdrp.dummy);
+   err = biosdisk_int13_extensions (0x4B01, drive, &cdrp);
++  err = 0; /* really ugly hack to circumvent faulty BIOS versions like Acer 292LMi */
+   if (! err && cdrp.drive_no == drive)
+     {
+        if ((cdrp.media_type & 0x0F) == 0)

pkgs/tools/misc/grub/default.nix

@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchurl, autoreconfHook, texinfo, buggyBiosCDSupport ? true }:
+
+stdenv.mkDerivation rec {
+  pname = "grub";
+  version = "0.97-73";
+
+  src = fetchurl {
+    url = "https://alpha.gnu.org/gnu/grub/grub-${lib.versions.majorMinor version}.tar.gz";
+    sha256 = "02r6b52r0nsp6ryqfiqchnl7r1d9smm80sqx24494gmx5p8ia7af";
+  };
+
+  patches = [
+    # Properly handle the case of symlinks such as
+    # /dev/disk/by-label/bla.  The symlink resolution code in
+    # grub-install isn't smart enough.
+    ./symlink.patch
+  ]
+  ++ (lib.optional buggyBiosCDSupport ./buggybios.patch)
+  ++ map fetchurl (import ./grub1.patches.nix)
+  ;
+
+  preConfigure = ''
+    substituteInPlace ./configure.ac --replace 'AC_PREREQ(2.61)' 'AC_PREREQ(2.64)'
+  '';
+
+  # autoreconfHook required for the splashimage patch.
+  nativeBuildInputs = [ autoreconfHook ];
+  buildInputs = [ texinfo ];
+
+  hardeningDisable = [ "format" "stackprotector" ];
+
+  passthru.grubTarget = "";
+
+  meta = with lib; {
+    homepage = "https://www.gnu.org/software/grub";
+    description = "GRand Unified Bootloader";
+    license = licenses.gpl2;
+    platforms = platforms.linux;
+  };
+}

pkgs/tools/misc/grub/fix-bash-completion.patch

@@ -0,0 +1,24 @@
+diff -ubr grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in grub-2.00/util/bash-completion.d/grub-completion.bash.in
+--- grub-2.00-orig/util/bash-completion.d/grub-completion.bash.in	2012-10-16 19:02:36.342733957 +0200
++++ grub-2.00/util/bash-completion.d/grub-completion.bash.in	2012-10-16 19:04:48.262733941 +0200
+@@ -17,6 +17,12 @@
+ # along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ # bash completion for grub
+ 
++have()
++{
++    unset -v have
++    _have $1 && have=yes
++}
++
+ __grub_dir() {
+     local i c=1 boot_dir
+ 
+@@ -479,6 +485,7 @@
+ have ${__grub_script_check_program} && \
+  complete -F _grub_script_check -o filenames ${__grub_script_check_program}
+ 
++unset -f have
+ 
+ # Local variables:
+ # mode: shell-script

pkgs/tools/misc/grub/grub1.patches.nix

@@ -0,0 +1,34 @@
+# Generated by grub1-patches.sh
+let
+  prefix = "https://salsa.debian.org/grub-team/grub-legacy/raw/1dad5507d74ef97fdd3c6cf2a028084f6f2850c3/debian/patches";
+in
+[
+{ url = "${prefix}/snapshot.patch"; sha256 = "0ixymrn5w1dq0kkxnzdjwwvhjchgyrlivfvnrfncxcv30v84xzna"; }
+{ url = "${prefix}/menu.lst_gnu-hurd.patch"; sha256 = "0mz8dvgmxlyrl28dza1ncfq1xipihxgymw4aw688bgg7xxmw7jbs"; }
+{ url = "${prefix}/graphics.patch"; sha256 = "1v9kp832f3rhncfdrd28djhw0zfrznfmiadch33mclnkcxprcqcs"; }
+{ url = "${prefix}/raid.patch"; sha256 = "0cq6dz5s7m48g76frvbf296bv4pvqkxqcbydsvs43ymqdsary7hj"; }
+{ url = "${prefix}/raid_cciss.patch"; sha256 = "0sy5xvzjsllgbn26nykkq4b69lp1fcwjkjs2kmxq38sk3dzadjfl"; }
+{ url = "${prefix}/xfs_freeze.patch"; sha256 = "1wqgj8ar4x4zwa37bj4a7kldiz5v92msigy3cv879nnk6sz4rmhg"; }
+{ url = "${prefix}/2gb_limit.patch"; sha256 = "06f9lfl4va3alz87wzli0df5ay0xxlqj2akr2dcay6jr27z6ks29"; }
+{ url = "${prefix}/grub-special_device_names.patch"; sha256 = "098608xh20sqdjqf42fm2z23r8xd9ify1v0vmy1j9qhrhk3g9qyz"; }
+{ url = "${prefix}/grub-xvd_drives.patch"; sha256 = "13k0m1c1w5d1d4qd1bshjc8kp7qba4agk2j64gb7mg8vfzjd35bj"; }
+{ url = "${prefix}/initrd_max_address.patch"; sha256 = "05q90rxdnyncpanhbkrknshkk7g8ff4v8fpk7wj4sg8666d9llg3"; }
+{ url = "${prefix}/splashimage_help.patch"; sha256 = "1lj3xh56wf1pdcf0fg585vmggrz7qqfzbhg91qv0rf4snf3ybfvr"; }
+{ url = "${prefix}/grub-install_addsyncs.patch"; sha256 = "1dzcpxi806kw3j8mx4amyy4ibc0ir3qhqyyyxz3w43741p351r65"; }
+{ url = "${prefix}/grub-install_regexp.patch"; sha256 = "0ph9lb63x858019c25aa3fpsm8rzn00ad8fp88yqqvq0xq2jxq69"; }
+{ url = "${prefix}/grub-install_aoe_support.patch"; sha256 = "19szmvg13h2hhijrwbgdszldg26iz7vjnagvajxb7nav7vca6k3n"; }
+{ url = "${prefix}/grub-install_xvd.patch"; sha256 = "1cgh731nhs0chj2r2dzh5dcfj5xmap34i3fk0i0aq59j83cwflgz"; }
+{ url = "${prefix}/geometry-26kernel.patch"; sha256 = "01vka7jrxrwlj9m1d6schygyh964a3k1rdrm3j9x910xkz74i13n"; }
+{ url = "${prefix}/print_func.patch"; sha256 = "0dvrcy1i58fgrv2x1qniqfr5az9b834hm5l94k0cy8ii2nfvk27g"; }
+{ url = "${prefix}/mprotect.patch"; sha256 = "0ahgnhgw2b86j024ajs6m3h2fy2shqdssjzz0ahk8ny9f4mnvns6"; }
+{ url = "${prefix}/savedefault.patch"; sha256 = "1l6x1s9mxkrf3k4j9dpg7qhvrk816vs70sw073iiisvqspnrz2j3"; }
+{ url = "${prefix}/find-grub-dir.patch"; sha256 = "1vkgig4dylji03jflwikhap87lz8l470ck1bhmcy8jh0slg6ndbf"; }
+{ url = "${prefix}/intelmac.patch"; sha256 = "04l9mk9xm9ml8vdlpbv3qbj7gbaa0g5k4dl7xp8wm7kmqwxd9l3m"; }
+{ url = "${prefix}/crossreference_manpages.patch"; sha256 = "0kd12ck4s4bg414fmllgvq8n4b58i3kgdhmcx6riaz43gg2g2b9p"; }
+{ url = "${prefix}/ext3_256byte_inode.patch"; sha256 = "0ay9svbdj7mw8p1ld0iiryg6nhd9hc1xpmr9rqg9990xzmg2h4pi"; }
+{ url = "${prefix}/objcopy-absolute.patch"; sha256 = "0hkmicjli7bsmc56kr40ls21v6x3yd188xpwc08dvqxnb0763077"; }
+{ url = "${prefix}/no-reorder-functions.patch"; sha256 = "0gmv0nzkqim2901hd0an90kwnr83155qp2zjp52biznad2p415gw"; }
+{ url = "${prefix}/modern-automake.patch"; sha256 = "08l3y6cbk6gfj63kpqlpzrlain7nmvki7jjjxq86n7himj078znj"; }
+{ url = "${prefix}/no-combine-stack-adjustments.patch"; sha256 = "0h4di8zja0rg45rs02x9qm8q1vxly1bcl6ms08wgdl5ywn6849nr"; }
+{ url = "${prefix}/no-pie.patch"; sha256 = "0kshdsclza7lsd31apd28qq04arv42nd6wsj2v6q6jx7f8bgdaqw"; }
+]

pkgs/tools/misc/grub/grub1.patches.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p nix -i bash --pure
+
+# Does like `maintainers/scripts/debian-patches.sh`, but specialized for
+# grub1 patches, and using the new salsa service.
+
+# Most common usage: `pkgs/tools/misc/grub/grub1.patches.sh pkgs/tools/misc/grub/grub1.patches.nix`
+# That is, after updating the script with the new list from the series file,
+# removing (by commenting) patches as required.
+
+set -e
+set -u
+
+# https://salsa.debian.org/grub-team/grub-legacy/tree/master/debian/patches
+SERIES=(
+    snapshot.patch
+    menu.lst_gnu-hurd.patch
+    graphics.patch
+    raid.patch
+    raid_cciss.patch
+    xfs_freeze.patch
+    2gb_limit.patch
+    grub-special_device_names.patch
+    grub-xvd_drives.patch
+    initrd_max_address.patch
+    splashimage_help.patch
+    grub-install_addsyncs.patch
+    grub-install_regexp.patch
+    grub-install_aoe_support.patch
+    grub-install_xvd.patch
+    geometry-26kernel.patch
+    print_func.patch
+    mprotect.patch
+    savedefault.patch
+    find-grub-dir.patch
+    intelmac.patch
+    crossreference_manpages.patch
+    ext3_256byte_inode.patch
+    # Breaks on NixOS.
+    #use_grub-probe_in_grub-install.patch
+    objcopy-absolute.patch
+    no-reorder-functions.patch
+
+    # We aren't building amd64 binaries, see #244498
+    #fix_amd64_compile.patch
+    modern-automake.patch
+    no-combine-stack-adjustments.patch
+    no-pie.patch
+)
+
+# Revision mapping to current tip of the 0.97-73 branch.
+rev="1dad5507d74ef97fdd3c6cf2a028084f6f2850c3"
+prefix="https://salsa.debian.org/grub-team/grub-legacy/raw/${rev}/debian/patches"
+FILE="$1"
+shift
+
+cat <<EOF > "$FILE"
+# Generated by grub1-patches.sh
+let
+  prefix = "${prefix}";
+in
+[
+EOF
+
+for PATCH in "${SERIES[@]}"; do
+    URL="$prefix/$PATCH"
+    HASH="$(nix-prefetch-url "$URL")"
+    echo "{ url = \"\${prefix}/$PATCH\"; sha256 = \"$HASH\"; }" >> "$FILE"
+done
+echo "]" >> "$FILE"

pkgs/tools/misc/grub/pvgrub_image/configs/grub-bootstrap.cfg

@@ -0,0 +1 @@
+normal (memdisk)/grub.cfg

pkgs/tools/misc/grub/pvgrub_image/configs/grub.cfg

@@ -0,0 +1,10 @@
+# The parentheses around ${root} here to match Grub's config file syntax
+if search -s -f /boot/grub/grub.cfg ; then
+        echo "Reading (${root})/boot/grub/grub.cfg"
+	configfile /boot/grub/grub.cfg
+fi
+
+if search -s -f /grub/grub.cfg ; then
+	echo "Reading (${root})/grub/grub.cfg"
+	configfile /grub/grub.cfg
+fi

pkgs/tools/misc/grub/pvgrub_image/default.nix

@@ -0,0 +1,42 @@
+{ lib, stdenv, grub2_xen }:
+
+with lib;
+let
+  efiSystemsBuild = {
+    i686-linux.target = "i386";
+    x86_64-linux.target = "x86_64";
+    aarch64-linux.target = "aarch64";
+  };
+
+in (
+
+stdenv.mkDerivation rec {
+  name = "pvgrub-image";
+
+  configs = ./configs;
+
+  buildInputs = [ grub2_xen ];
+
+  buildCommand = ''
+    cp "${configs}"/* .
+    tar -cf memdisk.tar grub.cfg
+    # We include all modules except all_video.mod as otherwise grub will fail printing "no symbol table"
+    # if we include it.
+    grub-mkimage -O "${efiSystemsBuild.${stdenv.hostPlatform.system}.target}-xen" -c grub-bootstrap.cfg \
+      -m memdisk.tar -o "grub-${efiSystemsBuild.${stdenv.hostPlatform.system}.target}-xen.bin" \
+      $(ls "${grub2_xen}/lib/grub/${efiSystemsBuild.${stdenv.hostPlatform.system}.target}-xen/" |grep 'mod''$'|grep -v '^all_video\.mod''$')
+    mkdir -p "$out/lib/grub-xen"
+    cp "grub-${efiSystemsBuild.${stdenv.hostPlatform.system}.target}-xen.bin" $out/lib/grub-xen/
+  '';
+
+  meta = with lib; {
+    description = "PvGrub image for use for booting PV Xen guests";
+
+    longDescription =
+      '' This package provides a PvGrub image for booting Para-Virtualized (PV)
+         Xen guests
+      '';
+
+    platforms = platforms.gnu ++ platforms.linux;
+  };
+})

pkgs/tools/misc/grub/symlink.patch

@@ -0,0 +1,37 @@
+diff -rc grub-0.97-orig/util/grub-install.in grub-0.97/util/grub-install.in
+*** grub-0.97-orig/util/grub-install.in	2008-09-18 11:32:13.000000000 +0200
+--- grub-0.97/util/grub-install.in	2008-09-18 11:36:40.000000000 +0200
+***************
+*** 194,217 ****
+  # Usage: resolve_symlink file
+  # Find the real file/device that file points at
+  resolve_symlink () {
+! 	tmp_fname=$1
+! 	# Resolve symlinks
+! 	while test -L $tmp_fname; do
+! 		tmp_new_fname=`ls -al $tmp_fname | sed -n 's%.*-> \(.*\)%\1%p'`
+! 		if test -z "$tmp_new_fname"; then
+! 			echo "Unrecognized ls output" 2>&1
+! 			exit 1
+! 		fi
+! 
+! 		# Convert relative symlinks
+! 		case $tmp_new_fname in
+! 			/*) tmp_fname="$tmp_new_fname"
+! 			;;
+! 			*) tmp_fname="`echo $tmp_fname | sed 's%/[^/]*$%%'`/$tmp_new_fname"
+! 			;;
+! 		esac
+! 	done
+! 	echo "$tmp_fname"
+  }
+  
+  # Usage: find_device file
+--- 194,200 ----
+  # Usage: resolve_symlink file
+  # Find the real file/device that file points at
+  resolve_symlink () {
+! 	readlink -f $1
+  }
+  
+  # Usage: find_device file

pkgs/tools/misc/grub/trusted.nix

@@ -0,0 +1,123 @@
+{ lib
+, stdenv
+, fetchurl
+, fetchFromGitHub
+, fetchpatch
+, autogen
+, flex
+, bison
+, python2
+, autoconf
+, automake
+, gettext
+, ncurses
+, libusb-compat-0_1
+, freetype
+, qemu
+, lvm2
+, for_HP_laptop ? false
+}:
+
+with lib;
+let
+  pcSystems = {
+    i686-linux.target = "i386";
+    x86_64-linux.target = "i386";
+  };
+
+  inPCSystems = any (system: stdenv.hostPlatform.system == system) (mapAttrsToList (name: _: name) pcSystems);
+
+  version = if for_HP_laptop then "1.2.1" else "1.2.0";
+
+  unifont_bdf = fetchurl {
+    url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz";
+    sha256 = "0s0qfff6n6282q28nwwblp5x295zd6n71kl43xj40vgvdqxv0fxx";
+  };
+
+  po_src = fetchurl {
+    name = "grub-2.02-beta2.tar.gz";
+    url = "https://alpha.gnu.org/gnu/grub/grub-2.02~beta2.tar.gz";
+    sha256 = "1lr9h3xcx0wwrnkxdnkfjwy08j7g7mdlmmbdip2db4zfgi69h0rm";
+
+  };
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "trustedGRUB2";
+  inherit version;
+
+  src = fetchFromGitHub {
+    owner = "Sirrix-AG";
+    repo = "TrustedGRUB2";
+    rev = version;
+    sha256 =
+      if for_HP_laptop
+      then "sha256-H1JzT/RgnbHqnW2/FmvXFuI6gnHI2vQU3W1iq2FqwJw="
+      else "sha256-k8DGHjTIpnjWw7GNN2kyR8rRl2MAq1xkfOndd0znLns=";
+  };
+
+  nativeBuildInputs = [ autogen flex bison python2 autoconf automake ];
+  buildInputs = [ ncurses libusb-compat-0_1 freetype gettext lvm2 ]
+    ++ optional doCheck qemu;
+
+  hardeningDisable = [ "stackprotector" "pic" ];
+
+  NIX_CFLAGS_COMPILE = "-Wno-error"; # generated code redefines yyfree
+
+  preConfigure =
+    '' for i in "tests/util/"*.in
+       do
+         sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
+       done
+
+       # Apparently, the QEMU executable is no longer called
+       # `qemu-system-i386', even on i386.
+       #
+       # In addition, use `-nodefaults' to avoid errors like:
+       #
+       #  chardev: opening backend "stdio" failed
+       #  qemu: could not open serial device 'stdio': Invalid argument
+       #
+       # See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
+       sed -i "tests/util/grub-shell.in" \
+           -e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
+    '';
+
+  prePatch =
+    '' tar zxf ${po_src} grub-2.02~beta2/po
+       rm -rf po
+       mv grub-2.02~beta2/po po
+       sh autogen.sh
+       gunzip < "${unifont_bdf}" > "unifont.bdf"
+       sed -i "configure" \
+           -e "s|/usr/src/unifont.bdf|$PWD/unifont.bdf|g"
+    '';
+
+  patches = [
+    ./fix-bash-completion.patch
+    (fetchpatch {
+      # glibc-2.26 and above needs '<sys/sysmacros.h>'
+      url = "https://github.com/Rohde-Schwarz/TrustedGRUB2/commit/7a5b301e3adb8e054288518a325135a1883c1c6c.patch";
+      sha256 = "1jfrrmcrd9a8w7n419kszxgbpshx7888wc05smg5q4jvc1ag3xm7";
+    })
+  ];
+
+  # save target that grub is compiled for
+  grubTarget =
+    if inPCSystems
+    then "${pcSystems.${stdenv.hostPlatform.system}.target}-pc"
+    else "";
+
+  doCheck = false;
+  # On -j16 races with early header creation:
+  #  config.h:38:10: fatal error: ./config-util.h: No such file or directory
+  enableParallelBuilding = false;
+
+  meta = with lib; {
+    description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
+    homepage = "https://github.com/Sirrix-AG/TrustedGRUB2";
+    license = licenses.gpl3Plus;
+    platforms = platforms.gnu ++ platforms.linux;
+  };
+}