diff --git a/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch b/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
index 293500b..f8a73b7 100644
--- a/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
+++ b/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
@@ -38,7 +38,7 @@ Aborted (core dumped)
 $ wc -c env
 0 grubenv
 
-Resolves: rhbz#1836196
+Resolves: rhbz#1761496
 
 Reported-by: Renaud Métrich <rmetrich@redhat.com>
 Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
diff --git a/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch b/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
new file mode 100644
index 0000000..e2e2e51
--- /dev/null
+++ b/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 11 Aug 2020 13:16:39 +0200
+Subject: [PATCH] blscfg: Always look for BLS snippets in the root device
+
+The blscfg command trying to load the BLS snippets from different devices
+is a left over from when these where located in the ESP in the EFI case.
+
+But now that are always located in the /boot directory, the BLS snippets
+have to be loaded from the root device just like the other files that are
+in the /boot directory (kernel and initrd images).
+
+This only worked for legacy BIOS because the boot and root variables were
+set to the same value. But doesn't work when trying to use a common GRUB
+config file that could be shared between an EFI and legacy BIOS install.
+
+That kind of configuration is needed for example on hybrid images that are
+booted using either EFI or legacy BIOS firmwares.
+
+Resolves: rhbz#1850193
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/commands/blscfg.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
+index c92e1c84543..70ce5c7bf6f 100644
+--- a/grub-core/commands/blscfg.c
++++ b/grub-core/commands/blscfg.c
+@@ -874,14 +874,12 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
+ 
+ #ifdef GRUB_MACHINE_EMU
+   devid = "host";
+-#elif defined(GRUB_MACHINE_EFI)
++#else
+   devid = grub_env_get ("root");
+-#else
+-  devid = grub_env_get ("boot");
+ #endif
+   if (!devid)
+     return grub_error (GRUB_ERR_FILE_NOT_FOUND,
+-		       N_("variable `%s' isn't set"), "boot");
++		       N_("variable `%s' isn't set"), "root");
+ 
+   grub_dprintf ("blscfg", "opening %s\n", devid);
+   dev = grub_device_open (devid);
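Review bot: The variable name is still spelled twice in the embedded blscfg.c hunk, once in `grub_env_get ("root")` and once as the literal argument of the "isn't set" error, which is why this patch had to edit both lines to keep them in step. Holding the name in one local, e.g. `const char *var = "root";`, then `devid = grub_env_get (var);` and passing `var` to grub_error, would stop the message from naming the wrong variable after the next change. A short comment on the `#else` branch, such as `/* BLS snippets live under /boot on the root device for both EFI and BIOS. */`, would also record why `boot` is no longer consulted. grub_cmd_blscfg starts and ends outside the hunk.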
diff --git a/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch b/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
new file mode 100644
index 0000000..30bbae3
--- /dev/null
+++ b/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 11 Aug 2020 13:16:45 +0200
+Subject: [PATCH] blscfg: Don't hardcode an env var as fallback for the BLS
+ options field
+
+If the BLS fragments don't have an options field or if this was set to an
+environment variable that was not defined in the grubenv file, the blscfg
+module searches for a default_kernelopts variable that is defined in the
+grub.cfg file.
+
+But the blscfg module shouldn't hardcode fallbacks variables and instead
+this logic should be handled in the GRUB config file itself.
+
+Also, add a comment explaining where the kernelopts variable is supposed
+to be defined and what is the process for the user to change its value.
+
+Resolves: rhbz#1850193
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ util/grub.d/10_linux.in | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+index 58d18504790..48857bb81d3 100644
+--- a/util/grub.d/10_linux.in
++++ b/util/grub.d/10_linux.in
+@@ -158,7 +158,17 @@ linux_entry ()
+     populate_header_warn
+ 
+     cat << EOF
+-set default_kernelopts="root=${linux_root_device_thisversion} ro ${args}"
++# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
++# entries populated from BootLoaderSpec files that use this variable work correctly even
++# without a grubenv file, define a fallback kernelopts variable if this has not been set.
++#
++# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
++# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
++# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
++# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
++if [ -z "\${kernelopts}" ]; then
++  set kernelopts="root=${linux_root_device_thisversion} ro ${args}"
++fi
+ 
+ insmod blscfg
+ blscfg
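Review bot: The generated `if [ -z "\${kernelopts}" ]` test cannot tell an unset kernelopts from one that grubenv deliberately sets to an empty string, so an intentionally empty value is replaced by the fallback at boot. If that is intended, the added comment block should say so, for example `# An empty kernelopts is treated the same as an unset one.`. The commit message speaks of removing a hardcoded fallback from the blscfg module, but the diffstat touches only util/grub.d/10_linux.in; whether blscfg.c still looks up `default_kernelopts`, which this config no longer sets, is not visible here and is worth confirming. linux_entry continues outside the hunk.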
diff --git a/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
new file mode 100644
index 0000000..60e58b0
--- /dev/null
+++ b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 24 Aug 2020 14:46:27 +0200
+Subject: [PATCH] tftp: roll over block counter to prevent timeouts with data
+ packets
+
+The block number is a 16-bit counter which only allows to fetch
+files no bigger than 65535 * blksize. To avoid this limit, the
+counter is rolled over. This behavior isn't defined in RFC 1350
+but is handled by many TFTP servers and it's what GRUB was doing
+before implicitly due an overflow.
+
+Fixing that bug led to TFTP timeouts, since GRUB wasn't acking
+data packets anymore for files with size bigger than the maximum
+mentioned above. Restore the old behavior to prevent this issue.
+
+Resolves: rhbz#1871034
+
+Suggested-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/net/tftp.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 2c52f692b25..4f38d7ef1f7 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ 	  return GRUB_ERR_NONE;
+ 	}
+ 
+-      /* Ack old/retransmitted block. */
+-      if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1)
++      /*
++       * Ack old/retransmitted block.
++       *
++       * The block number is a 16-bit counter which only allows to fetch
++       * files no bigger than 65535 * blksize. To avoid this limit, the
++       * counter is rolled over. This behavior isn't defined in RFC 1350
++       * but is handled by many TFTP servers and it's what GRUB was doing
++       * before implicitly due an overflow.
++       *
++       * Fixing that bug led to TFTP timeouts, since GRUB wasn't acking
++       * data packets anymore for files with size bigger than the maximum
++       * mentioned above. Restore the old behavior to prevent this issue.
++       */
++      if (grub_be_to_cpu16 (tftph->u.data.block) < ((data->block + 1) & 0xffffu))
+ 	ack (data, grub_be_to_cpu16 (tftph->u.data.block));
+       /* Ignore unexpected block. */
+       else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1)
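Review bot: Only the first comparison is masked to 16 bits; the `else if` on the last line of the hunk still compares the wire block number with the unmasked `data->block + 1`, so the two tests disagree once the counter reaches the rollover point. The declaration of `data->block` is outside the hunk, but whether it is 16 bits (promoted to int for the addition) or wider, the sum can exceed 65535, and in that state no 16-bit block number is ever classified as unexpected; a stale or out-of-sequence packet would fall through to the branch after it, which is presumably where data is accepted. Applying the same mask there keeps both tests consistent: `else if (grub_be_to_cpu16 (tftph->u.data.block) > ((data->block + 1) & 0xffffu))`. tftp_receive starts and ends outside the hunk.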
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 321c4ec..0000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
@@ -1,81 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b6:16:15:71:72:fb:31:7e
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
-        Validity
-            Not Before: Aug  1 11:47:30 2018 GMT
-            Not After : Dec 31 11:47:30 2037 GMT
-        Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
-                    76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
-                    cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
-                    4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
-                    24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
-                    bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
-                    00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
-                    a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
-                    6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
-                    6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
-                    aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
-                    53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
-                    f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
-                    6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
-                    76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
-                    94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
-                    4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
-                    94:0f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature
-            X509v3 Subject Key Identifier: 
-                F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
-            X509v3 Authority Key Identifier: 
-                keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
-    Signature Algorithm: sha256WithRSAEncryption
-        97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
-        dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
-        11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
-        2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
-        28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
-        b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
-        f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
-        0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
-        a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
-        17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
-        ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
-        58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
-        75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
-        da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
-        da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
diff --git a/SOURCES/centossecureboot202.crt b/SOURCES/centossecureboot202.crt
deleted file mode 100644
index fba3730..0000000
--- a/SOURCES/centossecureboot202.crt
+++ /dev/null
@@ -1,84 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            93:c2:04:d8:bd:77:6b:12
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org
-        Validity
-            Not Before: Jun  9 10:37:54 2020 GMT
-            Not After : Jan 18 10:37:54 2038 GMT
-        Subject: CN=CentOS Secure Boot Signing 202/emailAddress=security@centos.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:d4:f0:32:4d:50:7a:c0:41:d6:61:68:59:5e:5b:
-                    ce:65:e3:e9:7b:01:e4:53:94:c9:b7:c1:6b:b7:12:
-                    0b:bc:8f:d7:17:1b:c1:77:3a:08:17:ba:23:f1:bd:
-                    98:f0:7c:cb:96:70:2e:0e:2e:96:66:b7:9f:29:12:
-                    6f:ee:30:33:a1:a5:ee:f9:4b:a3:fb:52:45:d8:7e:
-                    c2:e8:a9:20:a9:f2:2e:f4:44:b7:85:3f:34:7c:c0:
-                    73:1d:73:63:2f:11:a0:7d:df:e7:5a:20:b9:b9:ff:
-                    5d:0e:6d:90:86:1f:2e:fa:c7:b5:94:37:80:46:0d:
-                    fb:5f:f8:26:f4:ce:2f:0d:5b:bf:e5:8d:a5:12:d7:
-                    ba:cf:16:f2:5c:10:ae:a0:80:a8:dc:c4:6b:00:24:
-                    f4:4b:f0:01:82:7e:4b:1c:b6:d6:ac:e1:72:32:07:
-                    5d:48:4a:cd:ba:5c:9c:09:72:89:b2:2e:60:f7:b7:
-                    ed:ea:b6:0d:ae:63:f8:09:a1:8f:62:ee:09:d2:cb:
-                    0a:81:df:7c:72:4b:bf:bd:fb:59:24:84:1f:1d:ce:
-                    36:bc:4c:13:84:ca:c5:e0:81:bb:ec:61:8f:9f:78:
-                    88:43:8d:e0:16:b2:ab:90:14:23:29:ce:1d:e7:a1:
-                    bb:4a:93:f9:f8:8d:b8:ff:2f:30:74:66:b2:31:89:
-                    b1:7d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Key Usage: critical
-                Digital Signature
-            X509v3 Extended Key Usage: critical
-                Code Signing
-            X509v3 Subject Key Identifier: 
-                1E:55:FF:FF:01:71:5F:F1:28:7F:C8:A9:7C:AF:83:9F:ED:7A:33:0B
-            X509v3 Authority Key Identifier: 
-                keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA
-
-    Signature Algorithm: sha256WithRSAEncryption
-         6b:1b:fa:f3:a8:c0:1e:e7:55:49:f2:4e:16:1f:9a:1b:22:9c:
-         ff:c9:81:d0:5b:d6:28:3c:38:91:65:b5:ca:63:e6:9d:13:2d:
-         5f:f5:cc:67:c2:82:55:73:8f:8b:0c:0c:a9:60:2a:a8:b2:19:
-         c1:a7:87:94:d8:69:5e:3c:88:e5:32:8a:4c:a6:6f:69:8b:c5:
-         f2:7e:8e:d2:af:37:2d:27:73:c7:ad:9d:bc:14:08:a8:aa:57:
-         22:37:be:c6:d2:2d:a3:70:81:4a:88:8c:a3:44:89:6c:7d:9d:
-         9f:db:ff:5c:c6:ec:6d:97:b0:08:8d:76:c6:14:d0:25:81:a3:
-         09:b6:f2:89:32:12:b2:f2:71:71:b6:ac:c1:65:d1:9c:6b:e1:
-         a4:4e:74:d0:01:17:ad:38:0f:17:86:07:56:b3:a1:86:5d:99:
-         ef:d6:55:98:b9:ce:63:46:8b:37:c4:53:55:8b:7a:10:75:90:
-         fd:e6:62:f0:6c:af:89:91:17:34:f7:99:77:6d:29:fa:92:bb:
-         c3:45:77:fe:a3:15:da:54:7d:47:16:b6:6f:94:09:b8:5f:ca:
-         e9:34:a2:bf:18:cd:d3:f4:17:2c:98:e4:e4:ca:46:ad:4b:a4:
-         34:77:47:ec:5d:21:a6:cf:5c:b9:5a:47:ca:04:a1:93:56:13:
-         0a:cc:47:91
------BEGIN CERTIFICATE-----
-MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sSMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
-BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
-cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMzc1NFoXDTM4MDExODEwMzc1NFow
-TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAyMSIwIAYJ
-KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEA1PAyTVB6wEHWYWhZXlvOZePpewHkU5TJt8FrtxILvI/X
-FxvBdzoIF7oj8b2Y8HzLlnAuDi6WZrefKRJv7jAzoaXu+Uuj+1JF2H7C6KkgqfIu
-9ES3hT80fMBzHXNjLxGgfd/nWiC5uf9dDm2Qhh8u+se1lDeARg37X/gm9M4vDVu/
-5Y2lEte6zxbyXBCuoICo3MRrACT0S/ABgn5LHLbWrOFyMgddSErNulycCXKJsi5g
-97ft6rYNrmP4CaGPYu4J0ssKgd98cku/vftZJIQfHc42vEwThMrF4IG77GGPn3iI
-Q43gFrKrkBQjKc4d56G7SpP5+I24/y8wdGayMYmxfQIDAQABo3gwdjAMBgNVHRMB
-Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd
-BgNVHQ4EFgQUHlX//wFxX/Eof8ipfK+Dn+16MwswHwYDVR0jBBgwFoAUcAB/mSCc
-EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBAGsb+vOowB7nVUnyThYf
-mhsinP/JgdBb1ig8OJFltcpj5p0TLV/1zGfCglVzj4sMDKlgKqiyGcGnh5TYaV48
-iOUyikymb2mLxfJ+jtKvNy0nc8etnbwUCKiqVyI3vsbSLaNwgUqIjKNEiWx9nZ/b
-/1zG7G2XsAiNdsYU0CWBowm28okyErLycXG2rMFl0Zxr4aROdNABF604DxeGB1az
-oYZdme/WVZi5zmNGizfEU1WLehB1kP3mYvBsr4mRFzT3mXdtKfqSu8NFd/6jFdpU
-fUcWtm+UCbhfyuk0or8YzdP0FyyY5OTKRq1LpDR3R+xdIabPXLlaR8oEoZNWEwrM
-R5E=
------END CERTIFICATE-----
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
deleted file mode 100644
index 42bdfcf..0000000
Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 681d33d..70e5e54 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -312,3 +312,6 @@ Patch0311: 0311-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
 Patch0312: 0312-linux-loader-avoid-overflow-on-initrd-size-calculati.patch
 Patch0313: 0313-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 Patch0314: 0314-linux-Fix-integer-overflows-in-initrd-size-handling.patch
+Patch0315: 0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
+Patch0316: 0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
+Patch0317: 0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index d1234f5..52e8c9e 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	87%{?dist}
+Release:	90%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -24,10 +24,10 @@ Source6:	gitignore
 Source8:	strtoull_test.c
 Source9:	20-grub.install
 Source12:	99-grub-mkconfig.install
-Source13:	centos-ca-secureboot.der
-Source14:	centossecureboot001.crt
-Source15:	centossecurebootca2.der
-Source16:	centossecureboot202.crt
+Source13:	redhatsecurebootca3.cer
+Source14:	redhatsecureboot301.cer
+Source15:	redhatsecurebootca5.cer
+Source16:	redhatsecureboot502.cer
 
 %include %{SOURCE1}
 
@@ -54,11 +54,7 @@ BuildRequires:	pesign >= 0.99-8
 BuildRequires:	ccache
 %endif
 
-%if 0%{?centos}
-%global efidir centos
-%endif
-
-ExcludeArch:	s390 s390x
+ExcludeArch:	s390 s390x %{arm}
 Obsoletes:	%{name} <= %{evr}
 
 %if 0%{with_legacy_arch}
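Review bot: With the `%if 0%{?centos}` block removed, nothing in this hunk defines `efidir` any more, so its value has to come from somewhere outside this diff, presumably the macros file pulled in by `%include %{SOURCE1}`. It is worth confirming that the resulting EFI vendor directory still matches the one the first-stage loader is installed to on the target distribution, since a mismatch would leave the installed GRUB binaries where the boot chain does not look for them. A one-line comment above `ExcludeArch` saying why `%{arm}` was added would also help the next packager.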
@@ -170,10 +166,10 @@ git commit -m "After making subdirs"
 
 %build
 %if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
 %endif
 %if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
 %endif
 %if 0%{with_legacy_arch}
 %{expand:%do_legacy_build %%{grublegacyarch}}
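Review bot: The two `%{expand:...}` EFI build lines now pass the nicknames `redhatsecureboot301` and `redhatsecureboot502`, and Source13 to Source16 in the earlier hunk name four `redhat*.cer` files, but this diff only deletes the CentOS certificate files and adds none of the new ones. If they are supplied from outside the repository, that is not visible here; confirm the four files are present at build time and that their fingerprints are the expected ones, because they determine which signing identity the EFI binaries are built for. A comment next to the Source lines, e.g. `# Secure Boot CA and signing certificates passed to the EFI build macros`, would make the pairing of Source13/14 and Source15/16 with the two nicknames explicit.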
@@ -504,7 +500,31 @@ fi
 %endif
 
 %changelog
-* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 2.02-87
+* Mon Aug 31 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90
+- Roll over TFTP block counter to prevent timeouts with data packets
+  Resolves: rhbz#1871034
+
+* Fri Aug 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-89
+- Fix TFTP timeouts when trying to fetch files larger than 65535 KiB
+  Resolves: rhbz#1871034
+
+* Tue Aug 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-88
+- Fix a legacy BIOS boot issue when a using config file shared with EFI
+  Resolves: rhbz#1850193
+
+* Mon Jul 27 2020 Peter Jones <pjones@redhat.com> - 2.02-87
+- Couple more late fixes.
+  Resolves: CVE-2020-15705
+
+* Sun Jul 26 2020 Peter Jones <pjones@redhat.com> - 2.02-86
+- Couple more late fixes.
+  Resolves: CVE-2020-10713
+  Resolves: CVE-2020-14308
+  Resolves: CVE-2020-14309
+  Resolves: CVE-2020-14310
+  Resolves: CVE-2020-14311
+
+* Mon Jul 20 2020 Peter Jones <pjones@redhat.com> - 2.02-85
 - Fix several CVEs
   Resolves: CVE-2020-10713
   Resolves: CVE-2020-14308
@@ -512,9 +532,26 @@ fi
   Resolves: CVE-2020-14310
   Resolves: CVE-2020-14311
 
-* Mon May 18 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-82.el8_2.1
+* Tue May 19 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-84
+- Add fixes for greenboot support
+  Resolves: rhbz#1832336
+
+* Mon May 18 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-83
 - Fix a segfault in grub2-editenv when attempting to shrink a variable
-  Resolves: rhbz#1836196
+  Resolves: rhbz#1761496
+
+* Mon Apr 27 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-82
+- Drop "Disable multiboot, multiboot2, and linux16 modules on EFI builds"
+  Resolves: rhbz#1779480
+- efi/http: Export {fw,http}_path variables to make them global
+  Resolves: rhbz#1811561
+- efi/http: Enclose literal IPv6 addresses in square brackets
+- efi/net: Allow to specify a port number in addresses
+- efi/ip4_config: Improve check to detect literal IPv6 addresses
+- efi/net: Print a debug message if parsing the address fails
+  Resolves: rhbz#1811560
+- Set image base address before jumping to the PE/COFF entry point
+  Resolves: rhbz#1819624
 
 * Thu Dec 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-81
 - Another fix for blscfg variable expansion support