diff --git a/.kernel.metadata b/.kernel.metadata
index 1f4d570..ec1fca1 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,2 +1,2 @@
 98ae49ad49397d5a4dcb3ff9a082223edf7c5bbd  SOURCES/linux-5.4.tar.xz
-a30b67644a937079ba12ee45025cba3f6606144d  SOURCES/patch-5.4.65.xz
+8d06345619804d1c13016d22d28606af24d052b2  SOURCES/patch-5.4.72.xz
diff --git a/SOURCES/0001-e1000e-Add-support-for-Comet-Lake.patch b/SOURCES/0001-e1000e-Add-support-for-Comet-Lake.patch
deleted file mode 100644
index 63da675..0000000
--- a/SOURCES/0001-e1000e-Add-support-for-Comet-Lake.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 914ee9c436cbe90c8ca8a46ec8433cb614a2ada5 Mon Sep 17 00:00:00 2001
-From: Sasha Neftin <sasha.neftin@intel.com>
-Date: Thu, 10 Oct 2019 13:15:39 +0300
-Subject: [PATCH] e1000e: Add support for Comet Lake
-
-Add devices ID's for the next LOM generations that will be
-available on the next Intel Client platform (Comet Lake)
-This patch provides the initial support for these devices
-
-Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
-Tested-by: Aaron Brown <aaron.f.brown@intel.com>
-Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
----
- drivers/net/ethernet/intel/e1000e/hw.h     | 6 ++++++
- drivers/net/ethernet/intel/e1000e/netdev.c | 6 ++++++
- 2 files changed, 12 insertions(+)
-
-diff --git a/drivers/net/ethernet/intel/e1000e/hw.h b/drivers/net/ethernet/intel/e1000e/hw.h
-index eff75bd8a8f0..11fdc27faa82 100644
---- a/drivers/net/ethernet/intel/e1000e/hw.h
-+++ b/drivers/net/ethernet/intel/e1000e/hw.h
-@@ -86,6 +86,12 @@ struct e1000_hw;
- #define E1000_DEV_ID_PCH_ICP_I219_V8		0x15E0
- #define E1000_DEV_ID_PCH_ICP_I219_LM9		0x15E1
- #define E1000_DEV_ID_PCH_ICP_I219_V9		0x15E2
-+#define E1000_DEV_ID_PCH_CMP_I219_LM10		0x0D4E
-+#define E1000_DEV_ID_PCH_CMP_I219_V10		0x0D4F
-+#define E1000_DEV_ID_PCH_CMP_I219_LM11		0x0D4C
-+#define E1000_DEV_ID_PCH_CMP_I219_V11		0x0D4D
-+#define E1000_DEV_ID_PCH_CMP_I219_LM12		0x0D53
-+#define E1000_DEV_ID_PCH_CMP_I219_V12		0x0D55
-
- #define E1000_REVISION_4	4
-
-diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
-index 42f57ab8fb8e..731e1b3e103a 100644
---- a/drivers/net/ethernet/intel/e1000e/netdev.c
-+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
-@@ -7749,6 +7749,12 @@ static const struct pci_device_id e1000_pci_tbl[] = {
- 	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ICP_I219_V8), board_pch_cnp },
- 	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ICP_I219_LM9), board_pch_cnp },
- 	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ICP_I219_V9), board_pch_cnp },
-+	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_LM10), board_pch_cnp },
-+	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_V10), board_pch_cnp },
-+	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_LM11), board_pch_cnp },
-+	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_V11), board_pch_cnp },
-+	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_LM12), board_pch_spt },
-+	{ PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_V12), board_pch_spt },
-
- 	{ 0, 0, 0, 0, 0, 0, 0 }	/* terminate list */
- };
--- 
-2.24.1
-
diff --git a/SOURCES/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch b/SOURCES/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch
deleted file mode 100644
index 001fa32..0000000
--- a/SOURCES/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From mboxrd@z Thu Jan  1 00:00:00 1970
-Return-Path: <SRS0=e2dy=XH=vger.kernel.org=selinux-owner@kernel.org>
-X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
-	aws-us-west-2-korg-lkml-1.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-15.0 required=3.0
-	tests=HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
-	MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT
-	autolearn=ham autolearn_force=no version=3.4.0
-Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
-	by smtp.lore.kernel.org (Postfix) with ESMTP id 0CE63C4CEC5
-	for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:40 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.kernel.org (Postfix) with ESMTP id DC0B020CC7
-	for <selinux@archiver.kernel.org>; Thu, 12 Sep 2019 13:30:39 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1732192AbfILNaj (ORCPT <rfc822;selinux@archiver.kernel.org>);
-        Thu, 12 Sep 2019 09:30:39 -0400
-Received: from mx1.redhat.com ([209.132.183.28]:52278 "EHLO mx1.redhat.com"
-        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
-        id S1731687AbfILNaj (ORCPT <rfc822;selinux@vger.kernel.org>);
-        Thu, 12 Sep 2019 09:30:39 -0400
-Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com [209.85.160.197])
-        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
-        (No client certificate requested)
-        by mx1.redhat.com (Postfix) with ESMTPS id 97CC359465
-        for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 13:30:38 +0000 (UTC)
-Received: by mail-qt1-f197.google.com with SMTP id c8so13609684qtd.20
-        for <selinux@vger.kernel.org>; Thu, 12 Sep 2019 06:30:38 -0700 (PDT)
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
-        d=1e100.net; s=20161025;
-        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
-         :content-transfer-encoding;
-        bh=S/MIBrjCy5DTvfqPzJTJqDQQH1pDu780wgGyHs56w4k=;
-        b=H7fZr4X/c4ge0SXeHHRXrq3U4J60PWfSRqdCphTWxKjyLvBs8nktbJczT562oH7Hxv
-         hdvVjKgAzNxIXFdQetnmveDXojtHFrE21PNdo5ONQIyh35oZyrJB4ewZdUrNfbrvDc2y
-         ElMr/HoKEX5pY+GMJE4nzeBotlfCWU9BoAxJPUhzKA9Oib+AqDzQ0hCGH6pQY9RXRXBV
-         IMH21FE5dxQGtLHNCJXVxE14edDeRo8qQFWQw6ooogK7JvduuJrWBn3BmCbKz1YLTNZE
-         9wRXvaHFVGNhr79JrRcItTp6Sx+tZ3XY46CV+Wi6Rq1fu8MePP9zFdIQXw9wqyd+UgLa
-         AIlw==
-X-Gm-Message-State: APjAAAXpWx500L+bZRH8M7OzuSb0aBlsvvjaBYCGvSkzojpa2nRWjtk0
-        cjKEj45ivsUgPW2Bbi6CGEtspqM4wmwb72z+ajR4hy5OjMT3KRh6W71HFbVPrlLYQTvse11Ax2d
-        wGOma7U/qIGDDYkjh/Q==
-X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094193qtu.11.1568295037636;
-        Thu, 12 Sep 2019 06:30:37 -0700 (PDT)
-X-Google-Smtp-Source: APXvYqzybFpoaFyGZXafGEdtHCL3XllpHltaXggcIZEb7De49V/kJzm1pU6vpg1gN8HtgnB3cilLuA==
-X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094176qtu.11.1568295037442;
-        Thu, 12 Sep 2019 06:30:37 -0700 (PDT)
-Received: from localhost.localdomain ([12.133.141.2])
-        by smtp.gmail.com with ESMTPSA id h68sm11848865qkd.35.2019.09.12.06.30.35
-        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
-        Thu, 12 Sep 2019 06:30:36 -0700 (PDT)
-From:   Jonathan Lebon <jlebon@redhat.com>
-To:     selinux@vger.kernel.org
-Cc:     Jonathan Lebon <jlebon@redhat.com>,
-        Victor Kamensky <kamensky@cisco.com>
-Subject: [PATCH v2] selinux: allow labeling before policy is loaded
-Date:   Thu, 12 Sep 2019 09:30:07 -0400
-Message-Id: <20190912133007.27545-1-jlebon@redhat.com>
-X-Mailer: git-send-email 2.21.0
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Sender: selinux-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <selinux.vger.kernel.org>
-X-Mailing-List: selinux@vger.kernel.org
-Archived-At: <https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@redhat.com/>
-List-Archive: <https://lore.kernel.org/selinux/>
-List-Post: <mailto:selinux@vger.kernel.org>
-
-Currently, the SELinux LSM prevents one from setting the
-`security.selinux` xattr on an inode without a policy first being
-loaded. However, this restriction is problematic: it makes it impossible
-to have newly created files with the correct label before actually
-loading the policy.
-
-This is relevant in distributions like Fedora, where the policy is
-loaded by systemd shortly after pivoting out of the initrd. In such
-instances, all files created prior to pivoting will be unlabeled. One
-then has to relabel them after pivoting, an operation which inherently
-races with other processes trying to access those same files.
-
-Going further, there are use cases for creating the entire root
-filesystem on first boot from the initrd (e.g. Container Linux supports
-this today[1], and we'd like to support it in Fedora CoreOS as well[2]).
-One can imagine doing this in two ways: at the block device level (e.g.
-laying down a disk image), or at the filesystem level. In the former,
-labeling can simply be part of the image. But even in the latter
-scenario, one still really wants to be able to set the right labels when
-populating the new filesystem.
-
-This patch enables this by changing behaviour in the following two ways:
-1. allow `setxattr` if we're not initialized
-2. don't try to set the in-core inode SID if we're not initialized;
-   instead leave it as `LABEL_INVALID` so that revalidation may be
-   attempted at a later time
-
-Note the first hunk of this patch is mostly the same as a previously
-discussed one[3], though it was part of a larger series which wasn't
-accepted.
-
-Co-developed-by: Victor Kamensky <kamensky@cisco.com>
-Signed-off-by: Victor Kamensky <kamensky@cisco.com>
-Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
-
-[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html
-[2] https://github.com/coreos/fedora-coreos-tracker/issues/94
-[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html
-
----
-
-v2:
-  - return early in selinux_inode_setxattr if policy hasn't been loaded
-
----
-
- security/selinux/hooks.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 94de51628..dbe96c707 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3142,6 +3142,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
- 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
- 	}
- 
-+	if (!selinux_state.initialized)
-+		return (inode_owner_or_capable(inode) ? 0 : -EPERM);
-+
- 	sbsec = inode->i_sb->s_security;
- 	if (!(sbsec->flags & SBLABEL_MNT))
- 		return -EOPNOTSUPP;
-@@ -3225,6 +3228,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
- 		return;
- 	}
- 
-+	if (!selinux_state.initialized) {
-+		/* If we haven't even been initialized, then we can't validate
-+		 * against a policy, so leave the label as invalid. It may
-+		 * resolve to a valid label on the next revalidation try if
-+		 * we've since initialized.
-+		 */
-+		return;
-+	}
-+
- 	rc = security_context_to_sid_force(&selinux_state, value, size,
- 					   &newsid);
- 	if (rc) {
--- 
-2.21.0
-
-
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index b90dbbb..dd84767 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -89,7 +89,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 65
+%define stable_update 72
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -867,7 +867,6 @@ Patch325: arm64-usb-host-xhci-tegra-set-MODULE_FIRMWARE-for-tegra186.patch
 # 400 - IBM (ppc/s390x) patches
 
 # 500 - Temp fixes/CVEs etc
-Patch500: PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch
 
 # rhbz 1431375
 Patch501: input-rmi4-remove-the-need-for-artifical-IRQ.patch
@@ -884,9 +883,6 @@ Patch503: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
 # https://lkml.org/lkml/2019/8/29/1772
 Patch504: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch
 
-# This is already in 5.5 rhbz 1794369
-Patch603: 0001-e1000e-Add-support-for-Comet-Lake.patch
-
 #KVM fix
 Patch700: 0001-arm64-kvm-Fix-IDMAP-overlap-with-HYP-VA.patch
 
@@ -3013,6 +3009,11 @@ fi
 #
 #
 %changelog
+* Sun Oct 18 2020 Pablo Greco <pgreco@centosproject.org> - 5.4.72-200
+- Update to version v5.4.72
+- Add initial bits for secure boot
+- Remove upstreamed patches
+
 * Sat Sep 12 2020 Pablo Greco <pgreco@centosproject.org> - 5.4.65-200
 - Update to version v5.4.65