diff --git a/SOURCES/0318-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch b/SOURCES/0318-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch
new file mode 100644
index 0000000..33eb525
--- /dev/null
+++ b/SOURCES/0318-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 6 Nov 2020 14:14:24 +0100
+Subject: [PATCH] at_keyboard: Fix keyboards that report IBM PC AT scan codes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GRUB has support for both the IBM PC XT (Set 1) and IBM PC AT (Set 2) key
+scan code mappings. But the driver always hardcodes to Set 1, overwriting
+the mode that was queried in the grub_keyboard_controller_init() function.
+
+This breaks keyboard mapping on machines whose firmwares are not using the
+Set 1. For example, this is the case in Lenovo P71 and HP Elitebook 8770W
+laptops that report key scan codes using Set 2.
+
+Instead of hardcoding to Set 1, use the value that was queried before.
+
+Reported-by: Renaud Métrich <rmetrich@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/term/at_keyboard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/term/at_keyboard.c b/grub-core/term/at_keyboard.c
+index f0a986eb176..ff36b21932d 100644
+--- a/grub-core/term/at_keyboard.c
++++ b/grub-core/term/at_keyboard.c
+@@ -165,7 +165,7 @@ set_scancodes (void)
+     }
+ 
+ #if !USE_SCANCODE_SET
+-  ps2_state.current_set = 1;
++  ps2_state.current_set = grub_keyboard_orig_set;
+   return;
+ #else
+ 
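Review bot: The new assignment `ps2_state.current_set = grub_keyboard_orig_set;` takes the value reported by the keyboard controller and, in the lines shown, nothing checks that it is one of the sets the driver has mappings for (the description names Set 1 and Set 2). The closing brace above `#if !USE_SCANCODE_SET` presumably ends an earlier guard, but set_scancodes starts and continues outside the hunk, so that cannot be confirmed here. A wrong set silently remaps keys, which matters for anything typed at the GRUB prompt, such as a menu password or a disk passphrase. A comment such as `/* grub_keyboard_orig_set was queried in grub_keyboard_controller_init(); only sets 1 and 2 are decoded. */` would document the assumption, and falling back to 1 for any other value would keep the old behaviour for unexpected replies.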
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der
deleted file mode 100644
index e8216b1..0000000
Binary files a/SOURCES/centossecureboot001.der and /dev/null differ
diff --git a/SOURCES/centossecureboot202.der b/SOURCES/centossecureboot202.der
deleted file mode 100644
index ab8213c..0000000
Binary files a/SOURCES/centossecureboot202.der and /dev/null differ
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
deleted file mode 100644
index 42bdfcf..0000000
Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
index ee043da..97ad69e 100644
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -386,11 +386,12 @@ done								\
 
 %define do_efi_build_images()					\
 GRUB_MODULES="	all_video boot blscfg btrfs			\\\
-		cat configfile					\\\
+		cat configfile cryptodisk			\\\
 		echo efi_netfs efifwsetup efinet ext2		\\\
-		fat font gfxmenu gfxterm gzio			\\\
+		fat font gcry_rijndael gcry_rsa gcry_serpent	\\\
+		gfxmenu gfxterm gzio				\\\
 		halt hfsplus http increment iso9660 jpeg	\\\
-		loadenv loopback linux lvm lsefi lsefimmap	\\\
+		loadenv loopback linux lvm lsefi lsefimmap luks	\\\
 		mdraid09 mdraid1x minicmd net			\\\
 		normal part_apple part_msdos part_gpt		\\\
 		password_pbkdf2 png reboot			\\\
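Review bot: The added modules cover the `cryptodisk`/`luks` front end and two ciphers (`gcry_rijndael`, `gcry_serpent`), but no hash module is visible in this part of the list, and LUKS key derivation needs the digest named in the volume header. The GRUB_MODULES list continues past the hunk, so check there that the digests in use (for example `gcry_sha256` and `gcry_sha512`) are built into the image. If modules cannot be loaded from disk at boot, as is usual for a signed image under Secure Boot, a volume that uses a missing cipher or digest cannot be unlocked. `gcry_rsa` is not a disk cipher, so a short note on why it is included would help the next maintainer.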
@@ -556,7 +557,7 @@ touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
 %dir %attr(0700,root,root)%{efi_esp_dir}/fonts			\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg	\
-%config(noreplace) /boot/grub2/grubenv					\
+%config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv	\
 %ghost %config(noreplace) %attr(0700,root,root)%{efi_esp_dir}/grubenv	\
 %{expand:%if 0%{?without_efi_modules}				\
 %exclude %{_libdir}/grub/%{6}					\
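Review bot: `%verify(not size mode md5 mtime)` on `/boot/grub2/grubenv` drops `mode` along with the content attributes, so `rpm -V` will no longer report a permission change on this file, not just the expected rewrites of its contents. If only the contents change at runtime, `%verify(not size md5 mtime)` would keep the permission check; if the mode mismatch is itself the reason (the changelog speaks of an attributes mismatch), the entry should say why. The same attribute list is added to the `%ghost` entry in the `%files` hunk of SPECS/grub2.spec. Because GRUB reads grubenv at boot, hosts that relied on `rpm -V` to notice changes to it need another integrity check for this file.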
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 70e5e54..2222d7f 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -315,3 +315,4 @@ Patch0314: 0314-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch0315: 0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
 Patch0316: 0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
 Patch0317: 0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
+Patch0318: 0318-at_keyboard-Fix-keyboards-that-report-IBM-PC-AT-scan.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 9544d2f..2f09870 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	90%{?dist}
+Release:	91%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -24,10 +24,10 @@ Source6:	gitignore
 Source8:	strtoull_test.c
 Source9:	20-grub.install
 Source12:	99-grub-mkconfig.install
-Source13:	centos-ca-secureboot.der
-Source14:	centossecureboot001.der
-Source15:	centossecurebootca2.der
-Source16:	centossecureboot202.der
+Source13:	redhatsecurebootca3.cer
+Source14:	redhatsecureboot301.cer
+Source15:	redhatsecurebootca5.cer
+Source16:	redhatsecureboot502.cer
 
 %include %{SOURCE1}
 
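Review bot: `Source13` to `Source16` now name four `redhat*.cer` files, but the visible diff only deletes the four `centos*.der` files and adds no certificate. The new sources must therefore come from somewhere not shown (for instance a lookaside cache), or the build fails at source lookup. Judging by their names, these are the Secure Boot CA and signing certificates passed to `%do_primary_efi_build` and `%do_alt_efi_build` in the `%build` hunk, together with the nicknames `redhatsecureboot301` and `redhatsecureboot502`, so the change switches the vendor chain the EFI binaries are built against. The 2.02-91 `%changelog` entry does not mention this; it should record the certificate change and how the new files are obtained and verified.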
@@ -54,11 +54,7 @@ BuildRequires:	pesign >= 0.99-8
 BuildRequires:	ccache
 %endif
 
-%if 0%{?centos}
-%global efidir centos
-%endif
-
-ExcludeArch:	s390 s390x
+ExcludeArch:	s390 s390x %{arm}
 Obsoletes:	%{name} <= %{evr}
 
 %if 0%{with_legacy_arch}
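Review bot: Dropping the `%if 0%{?centos}` block removes the only visible place where `efidir` is set to `centos`, so the EFI directory now depends on whatever default the included macros file provides. If that default differs, `%{efi_esp_dir}` in `%files`, and with it the location of grub.cfg and grubenv on the ESP, would move; this should be confirmed before building for CentOS. The same hunk adds `%{arm}` to `ExcludeArch`, and neither change appears in the 2.02-91 changelog entry.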
@@ -170,10 +166,10 @@ git commit -m "After making subdirs"
 
 %build
 %if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
 %endif
 %if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} centossecureboot001 %{SOURCE15} %{SOURCE16} centossecureboot202}
+%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{SOURCE13} %{SOURCE14} redhatsecureboot301 %{SOURCE15} %{SOURCE16} redhatsecureboot502}
 %endif
 %if 0%{with_legacy_arch}
 %{expand:%do_legacy_build %%{grublegacyarch}}
@@ -355,7 +351,7 @@ fi
 %dir %attr(0700,root,root) %{efi_esp_dir}
 %exclude %{efi_esp_dir}/*
 %license COPYING
-%ghost %config(noreplace) /boot/grub2/grubenv
+%ghost %config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv
 %doc INSTALL
 %doc NEWS
 %doc README
@@ -504,6 +500,14 @@ fi
 %endif
 
 %changelog
+* Mon Nov 16 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-91
+- Fix tps-rpmtest failing due /boot/grub2/grubenv attributes mismatch
+  Resolves: rhbz#1813959
+- Include in EFI build the modules needed for LUKS support
+  Resolves: rhbz#1873725
+- Fix keyboards that report IBM PC AT scan codes
+  Resolves: rhbz#1897587
+
 * Mon Aug 31 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90
 - Roll over TFTP block counter to prevent timeouts with data packets
   Resolves: rhbz#1871034