diff --git a/SOURCES/0319-grub-install-disable-support-for-EFI-platforms.patch b/SOURCES/0319-grub-install-disable-support-for-EFI-platforms.patch
new file mode 100644
index 0000000..2591b60
--- /dev/null
+++ b/SOURCES/0319-grub-install-disable-support-for-EFI-platforms.patch
@@ -0,0 +1,118 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jan Hlavac <jhlavac@redhat.com>
+Date: Fri, 20 Nov 2020 23:51:47 +0100
+Subject: [PATCH] grub-install: disable support for EFI platforms
+
+For each platform, GRUB is shipped as a kernel image and a set of
+modules. These files are then used by the grub-install utility to
+install GRUB on a specific device. However, in order to support UEFI
+Secure Boot, the resulting EFI binary must be signed by a recognized
+private key. For this reason, for EFI platforms, most distributions also
+ship prebuilt EFI binaries signed by a distribution-specific private
+key. In this case, however, the grub-install utility should not be used
+because it would overwrite the signed EFI binary.
+
+The current fix is suboptimal because it preserves all EFI-related code.
+A better solution could be to modularize the code and provide a
+build-time option.
+
+Resolves: rhbz#1737444
+
+Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
+---
+ util/grub-install.c | 35 ++++++++++++++++-------------------
+ docs/grub.texi      |  7 +++++++
+ util/grub-install.8 |  4 +++-
+ 3 files changed, 26 insertions(+), 20 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 3bf0e063a86..65bb2f99ef1 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -888,6 +888,22 @@ main (int argc, char *argv[])
+ 
+   platform = grub_install_get_target (grub_install_source_directory);
+ 
++  switch (platform)
++    {
++    case GRUB_INSTALL_PLATFORM_ARM_EFI:
++    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
++    case GRUB_INSTALL_PLATFORM_I386_EFI:
++    case GRUB_INSTALL_PLATFORM_IA64_EFI:
++    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
++      is_efi = 1;
++      grub_util_error (_("this utility cannot be used for EFI platforms"
++                         " because it does not support UEFI Secure Boot"));
++      break;
++    default:
++      is_efi = 0;
++      break;
++    }
++
+   {
+     char *platname = grub_install_get_platform_name (platform);
+     fprintf (stderr, _("Installing for %s platform.\n"), platname);
+@@ -994,26 +1010,7 @@ main (int argc, char *argv[])
+   grub_hostfs_init ();
+   grub_host_init ();
+ 
+-  switch (platform)
+-    {
+-    case GRUB_INSTALL_PLATFORM_I386_EFI:
+-    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+-    case GRUB_INSTALL_PLATFORM_ARM_EFI:
+-    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+-    case GRUB_INSTALL_PLATFORM_IA64_EFI:
+-      is_efi = 1;
+-      break;
+-    default:
+-      is_efi = 0;
+-      break;
+-
+-      /* pacify warning.  */
+-    case GRUB_INSTALL_PLATFORM_MAX:
+-      break;
+-    }
+-
+   /* Find the EFI System Partition.  */
+-
+   if (is_efi)
+     {
+       grub_fs_t fs;
+diff --git a/docs/grub.texi b/docs/grub.texi
+index c54bee31679..fa11cc0aff7 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -6185,6 +6185,13 @@ grub2-install @var{install_device}
+ The device name @var{install_device} is an OS device name or a GRUB
+ device name.
+ 
++In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
++be signed by a recognized private key. For this reason, for EFI
++platforms, most distributions also ship prebuilt GRUB EFI binaries
++signed by a distribution-specific private key. In this case, however,
++@command{grub2-install} should not be used because it would overwrite
++the signed EFI binary.
++
+ @command{grub2-install} accepts the following options:
+ 
+ @table @option
+diff --git a/util/grub-install.8 b/util/grub-install.8
+index 76272a39d2e..02371930fa1 100644
+--- a/util/grub-install.8
++++ b/util/grub-install.8
+@@ -1,4 +1,4 @@
+-.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
++.TH GRUB-INSTALL 1 "Fri Nov 20 2020"
+ .SH NAME
+ \fBgrub-install\fR \(em Install GRUB on a device.
+ 
+@@ -31,6 +31,8 @@
+ .SH DESCRIPTION
+ \fBgrub-install\fR installs GRUB onto a device.  This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
+ 
++In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary.
++
+ .SH OPTIONS
+ .TP
+ \fB--modules\fR=\fIMODULES\fR\!
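Review bot: In the `switch (platform)` added to `main` in util/grub-install.c, the EFI arm relies on `grub_util_error` not returning, so the `is_efi = 1;` store and the `break;` after the call never take effect and the later `if (is_efi)` ESP path becomes dead code, yet nothing in the code says so. I would put a comment above the switch, `/* Refuse EFI targets: grub_util_error() does not return, so the distribution-signed EFI binary is never overwritten. */`, so that a later change which downgrades the call to a warning does not silently re-enable the overwrite. The error text also gives the admin no next step; naming the supported path (reinstalling the distribution's signed EFI packages) would help whoever hits this on a damaged ESP. `main` starts and ends outside the hunk.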
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index 97ad69e..fd28335 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -389,6 +389,7 @@ GRUB_MODULES="	all_video boot blscfg btrfs			\\\
 		cat configfile cryptodisk			\\\
 		echo efi_netfs efifwsetup efinet ext2		\\\
 		fat font gcry_rijndael gcry_rsa gcry_serpent	\\\
+		gcry_sha256 gcry_twofish gcry_whirlpool		\\\
 		gfxmenu gfxterm gzio				\\\
 		halt hfsplus http increment iso9660 jpeg	\\\
 		loadenv loopback linux lvm lsefi lsefimmap luks	\\\
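Review bot: The modules added on the `gcry_sha256 gcry_twofish gcry_whirlpool` line cover only some of the hashes and ciphers a LUKS header can name; `gcry_sha1` and `gcry_sha512` do not appear in the visible part of the list. If the prebuilt signed image cannot load further modules from disk under Secure Boot, a volume whose header names one of those hashes would presumably still fail to unlock at boot. Consider `gcry_sha1 gcry_sha256 gcry_sha512 gcry_twofish gcry_whirlpool` if they are not already listed outside this hunk, and keep the set otherwise minimal, since every built-in module becomes part of the signed boot code. The GRUB_MODULES list begins and continues outside the hunk.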
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 2222d7f..05136ce 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -316,3 +316,4 @@ Patch0315: 0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
 Patch0316: 0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
 Patch0317: 0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
 Patch0318: 0318-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch
+Patch0319: 0319-grub-install-disable-support-for-EFI-platforms.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 2f09870..9836188 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	91%{?dist}
+Release:	92%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -500,6 +500,12 @@ fi
 %endif
 
 %changelog
+* Mon Nov 23 2020 Jan Hlavac <jhlavac@redhat.com> - 2.02-92
+- grub2-install: disable support for EFI platforms
+  Resolves: rhbz#1737444
+- Include a few more modules to EFI build needed for LUKS support (javierm)
+  Related: rhbz#1873725
+
 * Mon Nov 16 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-91
 - Fix tps-rpmtest failing due /boot/grub2/grubenv attributes mismatch
   Resolves: rhbz#1813959