diff --git a/.gitignore b/.gitignore index 1d56686..3bb8d68 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,7 @@ +SOURCES/fbaa64.efi +SOURCES/fbia32.efi +SOURCES/mmaa64.efi +SOURCES/mmia32.efi SOURCES/mokutil-0.3.0.tar.gz SOURCES/shimaa64.efi SOURCES/shimia32.efi diff --git a/.shim-signed.metadata b/.shim-signed.metadata index 69261d6..10d71f8 100644 --- a/.shim-signed.metadata +++ b/.shim-signed.metadata @@ -1,4 +1,8 @@ +937d1eead22e310da65b4592fb218249c0d5041c SOURCES/fbaa64.efi +e27b24b43304e34e37261491842c998baed9689e SOURCES/fbia32.efi +ffa835477c88fae8da32b5cd6ebfe81e2408a67b SOURCES/mmaa64.efi +570e5eeceb268cd9d13e594068ccc61d99a29a9f SOURCES/mmia32.efi 8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/mokutil-0.3.0.tar.gz 98bcb76ae16cd4b6039a95b7ae700a6164f15d0d SOURCES/shimaa64.efi 9fa2d212a3477d54c9d9a6d066eebc52800f8eb2 SOURCES/shimia32.efi -f82be486d9be126b3401605456681450546bbf25 SOURCES/shimx64.efi +8d761eaea27ae077d8bcbb79d89f236c4166c004 SOURCES/shimx64.efi diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec index b1b95bd..356c4d8 100644 --- a/SPECS/shim-signed.spec +++ b/SPECS/shim-signed.spec @@ -1,8 +1,12 @@ +# Note: aarch64 is actually still at shim-15-9.el7, as 15.6 does not build +# with the RHEL 7 toolchain. The only reason we updated to 15.6 was for SBAT +# revocation, and aarch64 isn't signed into the UEFI chain anyhow. + Name: shim-signed -Version: 15 -Release: 11%{?dist}%{?buildid} +Version: 15.6 +Release: 3%{?dist}%{?buildid} Summary: First-stage UEFI bootloader -%define unsigned_release 9.el7 +%define unsigned_release 3.el7 License: BSD URL: https://github.com/rhboot/shim/ @@ -17,6 +21,10 @@ Source12: shimaa64.efi Source20: BOOTX64.CSV Source21: BOOTIA32.CSV Source22: BOOTAA64.CSV +Source31: mmaa64.efi +Source32: fbaa64.efi +Source33: mmia32.efi +Source34: fbia32.efi Patch0001: 0001-Fix-the-potential-buffer-overflow.patch Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch 
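Review bot: The header comment added at the top of SPECS/shim-signed.spec records that aarch64 stays on shim-15-9.el7, but it says nothing about ia32, which the 15.6-3 changelog entry describes as the restored old build. Because `Version: 15.6` applies to every arch, an inventory or NVR-based check for the SBAT-capable shim will read the ia32 and aarch64 payloads as 15.6 as well. I would extend the comment with a line such as `# ia32 is likewise the old pre-15.6 binary (see changelog 15.6-3); only x64 carries SBAT.` and add a short comment above `Source31`–`Source34` (next hunk) naming the build each prebuilt binary was taken from.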
@@ -52,9 +60,8 @@ BuildRequires: git BuildRequires: openssl-devel openssl BuildRequires: pesign >= 0.106-5%{dist} BuildRequires: efivar-devel -BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release} %ifarch x86_64 -BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release} +BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release} %endif # for mokutil's configure @@ -147,7 +154,7 @@ cd .. %define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} -%ifarch %{ca_signed_arches} +%ifarch x86_64 pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then echo Invalid signature\! > /dev/stderr 
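Review bot: The hash-verification block is now guarded by a literal `%ifarch x86_64`, while the fallback copy kept as context in the next hunk still tests `%ifnarch %{ca_signed_arches}`. The macro definitions are not in this diff, so this is inferred: if `ca_signed_arches` lists any arch besides x86_64, that arch gets neither the verified `cp %{shimsrc} shim%{efiarchlc}.efi` nor the fallback copy. A comment on the guard, for example `# only x64 has a matching shim-unsigned build to verify against`, would make the assumption explicit, and it is worth checking that the two conditions still agree. The guarded block continues past the end of this hunk.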
@@ -156,35 +163,36 @@ if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then exit 1 fi cp %{shimsrc} shim%{efiarchlc}.efi -%ifarch x86_64 -pesign -i %{shimsrcia32} -h -P > shimia32.hash -if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then - echo Invalid signature\! > /dev/stderr - echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr - echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr - exit 1 -fi + cp %{shimsrcia32} shimia32.efi %endif -%endif -%ifarch %{rh_signed_arches} -%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shim%{efiarchlc}-%{efidir}.efi + %ifarch x86_64 -%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shimia32-%{efidir}.efi +%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shim%{efiarchlc}-%{efidir}.efi +%pesign -s -i %{SOURCE11} -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shimia32-%{efidir}.efi %endif + +%ifarch aarch64 +%pesign -s -i %{SOURCE12} -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shimaa64-%{efidir}.efi %endif + %ifarch %{rh_signed_arches} %ifnarch %{ca_signed_arches} cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi %endif %endif +%ifarch x86_64 %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -%ifarch x86_64 -%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 +%pesign -s -i %{SOURCE33} -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 +%pesign -s -i %{SOURCE34} -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n 
redhatsecureboot501 +%endif + +%ifarch aarch64 +%pesign -s -i %{SOURCE31} -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 +%pesign -s -i %{SOURCE32} -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 %endif cd mokutil-%{mokutil_version} @@ -259,6 +267,19 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %{_datadir}/bash-completion/completions/mokutil %changelog +* Mon Apr 17 2023 Robbie Harwood - 15.6-3 +- Restore old ia32 for compatibility +- Resolves: #2007084 + +* Fri Apr 14 2023 Robbie Harwood - 15.6-2 +- Add Provides/Obsoletes for ia32 upgrading +- Resolves: #2007084 + +* Tue Mar 28 2023 Robbie Harwood - 15.6-1 +- New version for SBAT support (x64 only) +- Drop ia32 +- Resolves: #2007084 + * Wed Sep 16 2020 Peter Jones - 15-11 - Fix incorrect allocation size in set_second_stage() Resolves: rhbz#1875486
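Review bot: In the `@@ -156,35 +163,36 @@` hunk the ia32 shim is copied with `cp %{shimsrcia32} shimia32.efi` and the prebuilt inputs `%{SOURCE11}`, `%{SOURCE12}` and `%{SOURCE31}`–`%{SOURCE34}` go straight into `%pesign -s` with no digest comparison; only `%{shimsrc}` still passes the `pesign -h -P` / `cmp` guard that starts in the previous hunk. As far as this diff shows, the only thing pinning those binaries before they receive a `redhatsecureboot501` signature is their SHA-1 entry in `.shim-signed.metadata`. Since there is no shim-unsigned build to compare against for ia32 or aarch64 any more, I would ship the expected Authenticode digests as additional Source files and run `pesign -i <input> -h -P` plus `cmp` against them before each signing step, failing the build on mismatch as the x64 path does. The %build section starts and ends outside this hunk.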