This fixes the two CVEs and various other OOB bugs in the ntfs driver.

Reported-by: Maxim Suhanov <dfirblog@gmail.com>

Closes: #1034409

Add debconf logic for GRUB_DISABLE_OS_PROBER to make it easier to
control things here. Particularly useful for the installer.
Closes: #1031594, #1012865.

Add arm64-handover-to-kernel-if-sb-enabled.patch

See merge request grub-team/grub!32

Fix Secure Boot on arm64 with patch
arm64-handover-to-kernel-if-sb-enabled.patch.

Fix: #1033657

- disk/cryptodisk: When cheatmounting, use the sector info of the cheat
  device
- osdep/devmapper/getroot: Have devmapper recognize LUKS2
- osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM
  parameters

Thanks for tracking this down Antoine!

I've mostly retired from GRUB maintenance since early 2022, so I think
it would be better if I weren't listed as an uploader in bookworm.
Thanks to Steve and Julian for picking up the torch!

Closes: #1030846

Closes: #1026915. Thanks to Pascal Hambourg for the patch.

It only causes problems. Closes: #1016737

Fixes #845683

to install onto devices

Apply patch from upstream,

Closes: #1001414

Closes: #1026092

Also needs backports from upstream commits to fix warnings/errors
from using gcc 12:

be8eb0eed util/mkimage: Fix dangling pointer may be used error
acffb8148 build: Fix -Werror=array-bounds array subscript 0 is outside array bounds
3ce13d974 lib/reed_solomon: Fix array subscript 0 is outside array bounds

Closes: #1021846. Thanks to программист некто for helping to debug the
problem!

Make font fallback handling work!

Due to a mistake in the buster update that left the CVE-2022-2601 bugs
in place, we need to bump SBAT for all of the Debian GRUB binaries. :-(

The previous security updates disallowed loading unsigned fonts when
in SB mode. To make things work again:

 * Embed the "unicode" font into the embedded memdisk image so it can
   be loaded.
 * Add the memdisk to our normal grubx64.efi loader too
 * Add a patch from Chris Coulson to make the font loader look for
   fonts in the memdisk whenever they're loaded.

Closes: #1024395, #1025352, #1024447

CVE-2022-2601, CVE-2022-3775

Bump SBAT level to 3 for grub-efi packages

The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
However, code in grub_unicode_aglomerate_comb() doesn't check for an
overflow when incrementing out->ncomb. If out->ncomb is already 255,
after incrementing it will get 0 instead of 256, and cause illegal
memory access in subsequent processing.

This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
acceptable value of ncomb. The code now checks for this limit and
ignores additional combining characters when limit is reached.

Reported-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>