diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
--- grub2-2.04/debian/changelog 2019-11-01 19:16:43.000000000 +0000
+++ grub2-2.04/debian/changelog 2020-03-12 16:40:25.000000000 +0000
@@ -1,3 +1,10 @@
+grub2 (2.04-1ubuntu12.2) eoan; urgency=medium
+
+ * Make the linux command in EFI grub always try EFI handover; thanks
+ to Chris Coulson for the patches (LP: #1864533)
+
+ -- Julian Andres Klode Thu, 12 Mar 2020 17:40:25 +0100
+
 grub2 (2.04-1ubuntu12.1) eoan; urgency=medium
 
 * debian/patches/ubuntu-tpm-unknown-error-non-fatal.patch: treat "unknown"
diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm
--- grub2-2.04/debian/.git-dpm 2019-11-01 19:15:33.000000000 +0000
+++ grub2-2.04/debian/.git-dpm 2020-03-12 16:40:25.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-6d556f920f094cbae34bcc45be5f271a74b65f54
-6d556f920f094cbae34bcc45be5f271a74b65f54
+a23307b448748bcfdd39484906330bca9aacef80
+a23307b448748bcfdd39484906330bca9aacef80
 578bb115fbd47e1c464696f1f8d6183e5443975d
 578bb115fbd47e1c464696f1f8d6183e5443975d
 grub2_2.04.orig.tar.xz
diff -Nru grub2-2.04/debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch grub2-2.04/debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
--- grub2-2.04/debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.04/debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch 2020-03-12 16:40:25.000000000 +0000
@@ -0,0 +1,118 @@
+From ffd5d8862d34dcab11452eeb057d3ffeb43d283a Mon Sep 17 00:00:00 2001
+From: Chris Coulson
+Date: Wed, 11 Mar 2020 16:46:00 +0100
+Subject: ubuntu: Make the linux command in EFI grub always try EFI handover
+
+The previous implementation only boots via the EFI handover protocol when
+secure boot is enabled. This means that disabling secure boot breaks some
+features that depend on the kernel being booted via the EFI handover entry
+point, such as retrieval of the TCG event log.
+
+Update the linux command to always attempt to defer to linuxefi in EFI grub
+builds, regardless of whether secure boot is enabled or not. This also allows
+a fallback to the non-EFI handover path on kernels that don't support it, but
+only if secure boot is disabled.
+---
+ grub-core/loader/i386/efi/linux.c | 14 +++++----
+ grub-core/loader/i386/linux.c | 47 +++++++++++++++++--------------
+ 2 files changed, 35 insertions(+), 26 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 6b6aef87f..fe3ca2c59 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ goto fail;
+ }
+ 
+- rc = grub_linuxefi_secure_validate (kernel, filelen);
+- if (rc < 0)
++ if (grub_efi_secure_boot ())
+ {
+- grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
+- argv[0]);
+- goto fail;
++ rc = grub_linuxefi_secure_validate (kernel, filelen);
++ if (rc < 0)
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
++ argv[0]);
++ goto fail;
++ }
+ }
+ 
+ params = grub_efi_allocate_pages_max (0x3fffffff,
+diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
+index 4328bcbdb..991eb29db 100644
+--- a/grub-core/loader/i386/linux.c
++++ b/grub-core/loader/i386/linux.c
+@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ 
+ #ifdef GRUB_MACHINE_EFI
+ using_linuxefi = 0;
+- if (grub_efi_secure_boot ())
+- {
+- /* linuxefi requires a successful signature check and then hand over
+- to the kernel without calling ExitBootServices. */
+- grub_dl_t mod;
+- grub_command_t linuxefi_cmd;
+ 
+- grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
++ grub_dl_t mod;
++ grub_command_t linuxefi_cmd;
++
++ grub_dprintf ("linux", "Trying linuxefi\n");
+ 
+- mod = grub_dl_load ("linuxefi");
+- if (mod)
++ mod = grub_dl_load ("linuxefi");
++ if (mod)
++ {
++ grub_dl_ref (mod);
++ linuxefi_cmd = grub_command_find ("linuxefi");
++ initrdefi_cmd = grub_command_find ("initrdefi");
++ if (linuxefi_cmd && initrdefi_cmd)
+ {
+- grub_dl_ref (mod);
+- linuxefi_cmd = grub_command_find ("linuxefi");
+- initrdefi_cmd = grub_command_find ("initrdefi");
+- if (linuxefi_cmd && initrdefi_cmd)
++ (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
++ if (grub_errno == GRUB_ERR_NONE)
++ {
++ grub_dprintf ("linux", "Handing off to linuxefi\n");
++ using_linuxefi = 1;
++ return GRUB_ERR_NONE;
++ }
++ else if (grub_efi_secure_boot ())
+ {
+- (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
+- if (grub_errno == GRUB_ERR_NONE)
+- {
+- grub_dprintf ("linux", "Handing off to linuxefi\n");
+- using_linuxefi = 1;
+- return GRUB_ERR_NONE;
+- }
+- grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
++ grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
+ goto fail;
+ }
+ }
+ }
++
++ if (grub_efi_secure_boot ())
++ {
++ grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
++ goto fail;
++ }
+ #endif
+ 
+ if (argc == 0)
diff -Nru grub2-2.04/debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch grub2-2.04/debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch
---
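Review bot: In the grub-core/loader/i386/linux.c hunk of patch 0071, the new trailing `if (grub_efi_secure_boot ())` block reaches `goto fail` after only a `grub_dprintf`, so when the linuxefi module or its commands are unavailable under Secure Boot this code records no error of its own. The `fail:` label lies outside the hunk, but if it returns `grub_errno`, that value may still be `GRUB_ERR_NONE` at this point (for instance when `grub_command_find` returns NULL), and the refusal would then be silent or reported as success. Recording the denial before the jump makes the fail-closed path explicit, e.g. `grub_error (GRUB_ERR_ACCESS_DENIED, N_("linuxefi handover unavailable and secure boot is enabled"));`. On the fallback taken when Secure Boot is disabled, the `grub_errno` left by the failed linuxefi call is carried into the legacy loader path; consider logging it and resetting with `grub_errno = GRUB_ERR_NONE;` before continuing.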
grub2-2.04/debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.04/debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch 2020-03-12 16:40:25.000000000 +0000
@@ -0,0 +1,25 @@
+From a23307b448748bcfdd39484906330bca9aacef80 Mon Sep 17 00:00:00 2001
+From: Chris Coulson
+Date: Wed, 11 Mar 2020 16:46:41 +0100
+Subject: ubuntu: Update the linux boot protocol version check.
+
+The EFI implementation of grub_cmd_linux makes use of xloadflags which was
+introduced in to version 2.12 of the kernel's boot protocol, so update the
+check accordingly.
+---
+ grub-core/loader/i386/efi/linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index fe3ca2c59..2929da7a2 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -245,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ }
+ 
+ grub_dprintf ("linuxefi", "checking lh->version\n");
+- if (lh->version < grub_cpu_to_le16 (0x020b))
++ if (lh->version < grub_cpu_to_le16 (0x020c))
+ {
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
+ goto fail;
diff -Nru grub2-2.04/debian/patches/series grub2-2.04/debian/patches/series
--- grub2-2.04/debian/patches/series 2019-11-01 19:15:33.000000000 +0000
+++ grub2-2.04/debian/patches/series 2020-03-12 16:40:25.000000000 +0000
@@ -68,3 +68,5 @@
 ubuntu-boot-from-multipath-dependent-symlink.patch
 ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
 ubuntu-tpm-unknown-error-non-fatal.patch
+0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
+0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch
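Review bot: In patch 0072's change to grub-core/loader/i386/efi/linux.c, the check `lh->version < grub_cpu_to_le16 (0x020c)` orders a little-endian header field against a byte-swapped constant, which is a valid ordering only when the host is little-endian. That holds for the i386 loader, but `grub_le_to_cpu16 (lh->version) < 0x020c` states the intent directly and keeps the comparison correct if the code is ever reused. The bare constant would also benefit from a comment such as `/* xloadflags needs boot protocol 2.12 */`, since the reason currently lives only in the commit message. grub_cmd_linux continues outside the hunk, so whether xloadflags is read only after this check cannot be confirmed from here.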