File grub2-blsbumpcounter-menu.patch of Package grub2
Call the command bls_bumpcounter when an entry is executed. Adding the
bls_bumpcounter command in the list of commands generated by blscfg breaks FDE,
as each command is logged in the PCR. Do not unset `enable_blscfg` grub env var,
otherwise bls_bumpcounter would not be called.
Index: grub-2.12/grub-core/commands/blscfg.c
===================================================================
--- grub-2.12.orig/grub-core/commands/blscfg.c
+++ grub-2.12/grub-core/commands/blscfg.c
@@ -1049,19 +1049,6 @@ static void create_entry (struct bls_ent
       grub_free(prefix);
     }
 
-  /* "bls_bumpcounter " + id + "\n" */
-  int bumpcounter_size = sizeof("bls_bumpcounter ") + grub_strlen(id) + 1;
-  bumpcounter = grub_malloc(bumpcounter_size);
-  if (!bumpcounter)
-  {
-    grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
-    goto finish;
-  }
-  char *tmp = bumpcounter;
-  tmp = grub_stpcpy(tmp, "bls_bumpcounter ");
-  tmp = grub_stpcpy(tmp, id);
-  tmp = grub_stpcpy(tmp, "\n");
-
   grub_dprintf ("blscfg2", "devicetree %s for id:\"%s\"\n", dt, id);
 
   const char *sdval = grub_env_get("save_default");
@@ -1074,7 +1061,7 @@ static void create_entry (struct bls_ent
 			"insmod gzio\n"
 			"linux %s%s%s%s\n"
 #endif
-			"%s%s%s",
+			"%s%s",
 			savedefault ? "savedefault\n" : "",
 #ifdef GRUB_MACHINE_EMU
 			separate_boot ? GRUB_BOOT_DEVICE : "",
@@ -1082,8 +1069,7 @@ static void create_entry (struct bls_ent
 			bootdev,
 #endif
 			clinux, options ? " " : "", options ? options : "",
-			bumpcounter ? bumpcounter : "", initrd ? initrd : "",
-			dt ? dt : "");
+			initrd ? initrd : "", dt ? dt : "");
 
   grub_normal_add_menu_entry (argc, argv, classes, id, users, hotkey, NULL, src, 0, 0, &index, entry);
   grub_dprintf ("blscfg", "Added entry %d id:\"%s\"\n", index, id);
Index: grub-2.12/grub-core/normal/menu.c
===================================================================
--- grub-2.12.orig/grub-core/normal/menu.c
+++ grub-2.12/grub-core/normal/menu.c
@@ -331,6 +331,23 @@ grub_menu_execute_entry(grub_menu_entry_
     grub_env_set ("default", ptr + 1);
   else
     grub_env_unset ("default");
+
+#ifdef GRUB_MACHINE_EFI
+  const char* val = grub_env_get ("enable_blscfg");
+  if (val && (val[0] == '1' || val[0] == 'y') && entry->bls != NULL)
+    {
+      char* id = grub_strdup (entry->bls->filename);
+      if (id == NULL)
+        {
+          grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
+        } else {
+          char* args[] = { id };
+          grub_command_execute ("bls_bumpcounter", 1, args);
+        }
+    }
+  grub_env_unset ("enable_blscfg");
+#endif
+
 #ifdef GRUB_MACHINE_IEEE1275
   char *cas_entry_id = NULL;
   char *cas_entry_source;
Index: grub-2.12/grub-core/normal/main.c
===================================================================
--- grub-2.12.orig/grub-core/normal/main.c
+++ grub-2.12/grub-core/normal/main.c
@@ -356,7 +356,6 @@ grub_normal_execute (const char *config,
       /* Ignore any error.  */
       grub_errno = GRUB_ERR_NONE;
       /* unset to let configfile and source commands continue to work */
-      grub_env_unset ("enable_blscfg");
       goto check_batch;
     }
 #endif