diff --git a/SOURCES/0261-Fix-grub_net_hwaddr_to_str.patch b/SOURCES/0261-Fix-grub_net_hwaddr_to_str.patch
new file mode 100644
index 0000000..fabd948
--- /dev/null
+++ b/SOURCES/0261-Fix-grub_net_hwaddr_to_str.patch
@@ -0,0 +1,44 @@
+From f1fa4958044effea7f3ea0506097e27ca5b520f1 Mon Sep 17 00:00:00 2001
+From: Mark Salter <msalter@redhat.com>
+Date: Tue, 22 Aug 2017 12:21:12 -0400
+Subject: [PATCH 261/261] Fix grub_net_hwaddr_to_str
+
+commit 5c3b78c92f8 introduced support for larger network hw addresses.
+However, grub_net_hwaddr_to_str() relies on GRUB_NET_MAX_STR_ADDRESS_SIZE
+to prevent a spurious ':' at the end of the string. So now, if actual
+hwaddr size is less than max, an extra ':' appears at the end of the
+string. So calculate max string size based on actual hwaddr length to
+fix the problem.
+
+Signed-off-by: Mark Salter <msalter@redhat.com>
+---
+ grub-core/net/net.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 6b4b10ba4..a6566bdb0 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -784,6 +784,7 @@ grub_net_hwaddr_to_str (const grub_net_link_level_address_t *addr, char *str)
+ {
+   char *ptr;
+   unsigned i;
++  int maxstr;
+ 
+   if (addr->len > GRUB_NET_MAX_LINK_ADDRESS_SIZE)
+     {
+@@ -792,9 +793,10 @@ grub_net_hwaddr_to_str (const grub_net_link_level_address_t *addr, char *str)
+ 		    addr->type, addr->len);
+        return;
+     }
++  maxstr = addr->len * grub_strlen ("XX:");
+   for (ptr = str, i = 0; i < addr->len; i++)
+     {
+-      ptr += grub_snprintf (ptr, GRUB_NET_MAX_STR_HWADDR_LEN - (ptr - str),
++      ptr += grub_snprintf (ptr, maxstr - (ptr - str),
+ 		     "%02x:", addr->mac[i] & 0xff);
+     }
+ }
+-- 
+2.13.5
+
diff --git a/SOURCES/centos.cer b/SOURCES/centos.cer
deleted file mode 100644
index 00a5580..0000000
Binary files a/SOURCES/centos.cer and /dev/null differ
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index 168b89b..a739023 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -1,4 +1,7 @@
 # vim:filetype=spec
+
+%global flagday 1:2.02-0.65.el7_4
+
 # Modules always contain just 32-bit code
 %global _libdir %{_exec_prefix}/lib
 %global _binaries_in_noarch_packages_terminate_build 0
@@ -205,7 +208,7 @@ Requires:	%{name}-tools-minimal >= %{evr}				\
 Requires:	%{name}-tools-extra = %{evr}				\
 Requires:	%{name}-tools = %{evr}					\
 %{-p:Provides:	%{name}-efi = %{evr}}					\
-%{-p:Obsoletes:	%{name}-efi < %{evr}}					\
+%{-p:Obsoletes:	%{name}-efi <= %{flagday}}				\
 									\
 %{expand:%%description %{1}}						\
 %{desc}									\
@@ -218,7 +221,7 @@ Group:		System Environment/Base					\
 BuildArch:	noarch							\
 Requires:	%{name}-common = %{evr}					\
 %{-p:Provides:	%{name}-efi-modules = %{evr}}				\
-%{-p:Obsoletes:	%{name}-efi-modules < %{evr}}				\
+%{-p:Obsoletes:	%{name}-efi-modules <= %{flagday}}			\
 %{expand:%%description %{1}-modules}					\
 %{desc}									\
 This subpackage provides support for rebuilding your own grub.efi.	\
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 2ef8ce5..bac4594 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -257,3 +257,4 @@ Patch0256: 0256-efinet-Setting-DNS-server-from-UEFI-protocol.patch
 Patch0257: 0257-set-rootpath.patch
 Patch0258: 0258-Fix-one-more-coverity-complaint.patch
 Patch0260: 0260-Fix-up-linux-params-usage.patch
+Patch0261: 0261-Fix-grub_net_hwaddr_to_str.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 340b4ab..08a9e83 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -6,7 +6,7 @@
 Name:           grub2
 Epoch:          1
 Version:        2.02
-Release:        0.64%{?dist}%{?buildid}
+Release:        0.65%{?dist}%{?buildid}.2
 Summary:        Bootloader with support for Linux, Multiboot and more
 Group:          System Environment/Base
 License:        GPLv3+
@@ -15,8 +15,8 @@ Source0:        ftp://alpha.gnu.org/gnu/grub/grub-%{tarversion}.tar.xz
 #Source0:	ftp://ftp.gnu.org/gnu/grub/grub-%%{tarversion}.tar.xz
 Source1:	grub.macros
 Source2:	grub.patches
-Source3:	centos.cer
-# (source removed)
+Source3:	securebootca.cer
+Source4:	secureboot.cer
 Source5:	http://unifoundry.com/unifont-5.1.20080820.pcf.gz
 Source6:	gitignore
 
@@ -60,7 +60,7 @@ BuildRequires:  ccache
 %endif
 
 ExcludeArch:	s390 s390x %{arm} %{?ix86}
-Obsoletes:	%{name} <= %{evr}
+Obsoletes:	%{name} <= %{flagday}
 
 %if 0%{with_legacy_arch}
 Requires:	%{name}-%{legacy_package_arch} = %{evr}
@@ -90,8 +90,11 @@ subpackages.
 %package tools
 Summary:	Support tools for GRUB.
 Group:		System Environment/Base
-Obsoletes:	%{name}-tools < %{evr}
-Requires:	%{name}-common = %{epoch}:%{version}-%{release}
+Obsoletes:	%{name}-tools <= %{flagday}
+Obsoletes:	%{name}-tools-efi <= %{flagday}
+Provides:	%{name}-tools-efi = %{evr}
+Requires:	%{name}-tools-minimal = %{evr}
+Requires:	%{name}-common = %{evr}
 Requires:	gettext os-prober which file
 Requires(pre):  dracut
 Requires(post): dracut
@@ -100,25 +103,12 @@ Requires(post): dracut
 %{desc}
 This subpackage provides tools for support of all platforms.
 
-%ifarch x86_64 %{ix86}
-%package tools-efi
-Summary:	Support tools for GRUB.
-Group:		System Environment/Base
-Requires:	gettext os-prober which file
-Requires:	%{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes:	%{name}-tools < %{evr}
-
-%description tools-efi
-%{desc}
-This subpackage provides tools for support of EFI platforms.
-%endif
-
 %package tools-minimal
 Summary:	Support tools for GRUB.
 Group:		System Environment/Base
 Requires:	gettext
-Requires:	%{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes:	%{name}-tools < %{evr}
+Requires:	%{name}-common = %{evr}
+Obsoletes:	%{name}-tools <= %{flagday}
 
 %description tools-minimal
 %{desc}
@@ -130,7 +120,8 @@ Group:		System Environment/Base
 Requires:	gettext os-prober which file
 Requires:	%{name}-tools-minimal = %{epoch}:%{version}-%{release}
 Requires:	%{name}-common = %{epoch}:%{version}-%{release}
-Obsoletes:	%{name}-tools < %{evr}
+Requires:	%{name}-tools = %{evr}
+Obsoletes:	%{name}-tools <= %{flagday}
 
 %description tools-extra
 %{desc}
@@ -161,10 +152,10 @@ This subpackage provides tools for support of all platforms.
 
 %build
 %if 0%{with_efi_arch}
-%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE3} %{SOURCE3} redhatsecureboot301
+%do_primary_efi_build %{grubefiarch} %{grubefiname} %{grubeficdname} %{_target_platform} "'%{efi_cflags}'" %{SOURCE3} %{SOURCE4} redhatsecureboot301
 %endif
 %if 0%{with_alt_efi_arch}
-%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE3} %{SOURCE3} redhatsecureboot301
+%do_alt_efi_build %{grubaltefiarch} %{grubaltefiname} %{grubalteficdname} %{_alt_target_platform} "'%{alt_efi_cflags}'" %{SOURCE3} %{SOURCE4} redhatsecureboot301
 %endif
 %if 0%{with_legacy_arch}
 %do_legacy_build %{grublegacyarch}
@@ -176,13 +167,6 @@ set -e
 rm -fr $RPM_BUILD_ROOT
 
 %do_common_install
-# Fix for hardcoded efidir
-sed -i.orig -e 's@/efi/EFI/redhat/@/efi/EFI/%{efidir}/@' \
-    grub-%{tarversion}/util/grub-setpassword.in
-touch --reference=grub-%{tarversion}/util/grub-setpassword.in.orig \
-    grub-%{tarversion}/util/grub-setpassword.in
-rm -f grub-%{tarversion}/util/grub-setpassword.in.orig
-
 %if 0%{with_efi_arch}
 %do_efi_install %{grubefiarch} %{grubefiname} %{grubeficdname}
 %endif
@@ -344,15 +328,6 @@ fi
 %{_datadir}/man/man1/%{name}-editenv*
 %{_datadir}/man/man1/%{name}-mkpasswd-*
 
-%ifarch x86_64 %{ix86}
-%files tools-efi
-%defattr(-,root,root,-)
-%{_sbindir}/%{name}-macbless
-%{_bindir}/%{name}-render-label
-%{_datadir}/man/man8/%{name}-macbless*
-%{_datadir}/man/man1/%{name}-render-label*
-%endif
-
 %files tools
 %defattr(-,root,root,-)
 %attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/default/grub
@@ -394,8 +369,18 @@ fi
 %exclude %{_datadir}/man/man8/%{name}-setpassword*
 %exclude %{_datadir}/man/man1/%{name}-editenv*
 %exclude %{_datadir}/man/man1/%{name}-mkpasswd-*
+
+%ifarch x86_64 %{ix86}
+%{_sbindir}/%{name}-macbless
+%{_bindir}/%{name}-render-label
+%{_datadir}/man/man8/%{name}-macbless*
+%{_datadir}/man/man1/%{name}-render-label*
+%else
+%exclude %{_sbindir}/%{name}-macbless
+%exclude %{_bindir}/%{name}-render-label
 %exclude %{_datadir}/man/man8/%{name}-macbless*
 %exclude %{_datadir}/man/man1/%{name}-render-label*
+%endif
 
 %if %{with_legacy_arch}
 %{_sbindir}/%{name}-install
@@ -461,8 +446,18 @@ fi
 %endif
 
 %changelog
-* Wed Aug  9 2017 Johnny Hughes <johnny@centos.org> - 2.02-0.64
-- Manual Debranding after auto debranding failed
+* Mon Oct 09 2017 Peter Jones <pjones@redhat.com> - 2.02-0.65.el7_4.2
+- Fix an incorrect man page exclusion on x86_64.
+  Related: rhbz#1499669
+
+* Fri Oct 06 2017 Peter Jones <pjones@redhat.com> - 2.02-0.65.1
+- More precise requires and obsoletes on the -tools* subpackages to avoid
+  issues with mixing and matching repos the subpackages are split between.
+  Resolves: rhbz#1499669
+
+* Tue Oct 03 2017 Peter Jones <pjones@redhat.com> - 2.02-0.65
+- Fix spurious : at the end of the mac address netboot paths.
+  Resolves: rhbz#1497323
 
 * Wed May 31 2017 Peter Jones <pjones@redhat.com> - 2.02-0.64
 - Revert pkglibdir usage; we have to coordinate this with Lorax.