diff --git a/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch b/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
index 293500b84d06785f7be27970be6251c6bcac8569..f8a73b7ebc0652088f58b2866d3cb5e02b874258 100644
--- a/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
+++ b/SOURCES/0277-envblk-Fix-buffer-overrun-when-attempting-to-shrink-.patch
@@ -38,7 +38,7 @@ Aborted (core dumped)
$ wc -c env
0 grubenv
-Resolves: rhbz#1836196
+Resolves: rhbz#1761496
Reported-by: Renaud Métrich <rmetrich@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
diff --git a/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch b/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e2e2e51c15bb4101304bc89676404522977ce3fd
--- /dev/null
+++ b/SOURCES/0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 11 Aug 2020 13:16:39 +0200
+Subject: [PATCH] blscfg: Always look for BLS snippets in the root device
+
+The blscfg command trying to load the BLS snippets from different devices
+is a left over from when these where located in the ESP in the EFI case.
+
+But now that are always located in the /boot directory, the BLS snippets
+have to be loaded from the root device just like the other files that are
+in the /boot directory (kernel and initrd images).
+
+This only worked for legacy BIOS because the boot and root variables were
+set to the same value. But doesn't work when trying to use a common GRUB
+config file that could be shared between an EFI and legacy BIOS install.
+
+That kind of configuration is needed for example on hybrid images that are
+booted using either EFI or legacy BIOS firmwares.
+
+Resolves: rhbz#1850193
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/commands/blscfg.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
+index c92e1c84543..70ce5c7bf6f 100644
+--- a/grub-core/commands/blscfg.c
++++ b/grub-core/commands/blscfg.c
+@@ -874,14 +874,12 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
+
+ #ifdef GRUB_MACHINE_EMU
+ devid = "host";
+-#elif defined(GRUB_MACHINE_EFI)
++#else
+ devid = grub_env_get ("root");
+-#else
+- devid = grub_env_get ("boot");
+ #endif
+ if (!devid)
+ return grub_error (GRUB_ERR_FILE_NOT_FOUND,
+- N_("variable `%s' isn't set"), "boot");
++ N_("variable `%s' isn't set"), "root");
+
+ grub_dprintf ("blscfg", "opening %s\n", devid);
+ dev = grub_device_open (devid);
diff --git a/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch b/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
new file mode 100644
index 0000000000000000000000000000000000000000..30bbae34003d4ba756a00a4dd53274bf418537de
--- /dev/null
+++ b/SOURCES/0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 11 Aug 2020 13:16:45 +0200
+Subject: [PATCH] blscfg: Don't hardcode an env var as fallback for the BLS
+ options field
+
+If the BLS fragments don't have an options field or if this was set to an
+environment variable that was not defined in the grubenv file, the blscfg
+module searches for a default_kernelopts variable that is defined in the
+grub.cfg file.
+
+But the blscfg module shouldn't hardcode fallbacks variables and instead
+this logic should be handled in the GRUB config file itself.
+
+Also, add a comment explaining where the kernelopts variable is supposed
+to be defined and what is the process for the user to change its value.
+
+Resolves: rhbz#1850193
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ util/grub.d/10_linux.in | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
+index 58d18504790..48857bb81d3 100644
+--- a/util/grub.d/10_linux.in
++++ b/util/grub.d/10_linux.in
+@@ -158,7 +158,17 @@ linux_entry ()
+ populate_header_warn
+
+ cat << EOF
+-set default_kernelopts="root=${linux_root_device_thisversion} ro ${args}"
++# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
++# entries populated from BootLoaderSpec files that use this variable work correctly even
++# without a grubenv file, define a fallback kernelopts variable if this has not been set.
++#
++# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
++# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
++# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
++# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
++if [ -z "\${kernelopts}" ]; then
++ set kernelopts="root=${linux_root_device_thisversion} ro ${args}"
++fi
+
+ insmod blscfg
+ blscfg
diff --git a/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60e58b080c32caf5fb74b19c17cecc10a3eb50d3
--- /dev/null
+++ b/SOURCES/0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 24 Aug 2020 14:46:27 +0200
+Subject: [PATCH] tftp: roll over block counter to prevent timeouts with data
+ packets
+
+The block number is a 16-bit counter which only allows to fetch
+files no bigger than 65535 * blksize. To avoid this limit, the
+counter is rolled over. This behavior isn't defined in RFC 1350
+but is handled by many TFTP servers and it's what GRUB was doing
+before implicitly due an overflow.
+
+Fixing that bug led to TFTP timeouts, since GRUB wasn't acking
+data packets anymore for files with size bigger than the maximum
+mentioned above. Restore the old behavior to prevent this issue.
+
+Resolves: rhbz#1871034
+
+Suggested-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/net/tftp.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 2c52f692b25..4f38d7ef1f7 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -183,8 +183,20 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ return GRUB_ERR_NONE;
+ }
+
+- /* Ack old/retransmitted block. */
+- if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1)
++ /*
++ * Ack old/retransmitted block.
++ *
++ * The block number is a 16-bit counter which only allows to fetch
++ * files no bigger than 65535 * blksize. To avoid this limit, the
++ * counter is rolled over. This behavior isn't defined in RFC 1350
++ * but is handled by many TFTP servers and it's what GRUB was doing
++ * before implicitly due an overflow.
++ *
++ * Fixing that bug led to TFTP timeouts, since GRUB wasn't acking
++ * data packets anymore for files with size bigger than the maximum
++ * mentioned above. Restore the old behavior to prevent this issue.
++ */
++ if (grub_be_to_cpu16 (tftph->u.data.block) < ((data->block + 1) & 0xffffu))
+ ack (data, grub_be_to_cpu16 (tftph->u.data.block));
+ /* Ignore unexpected block. */
+ else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1)
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 681d33d7f4e670a0455d325aae9dd65a1fb6f6e3..70e5e54a88b5f881b18e8ada91ac2616cecdec90 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -312,3 +312,6 @@ Patch0311: 0311-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
Patch0312: 0312-linux-loader-avoid-overflow-on-initrd-size-calculati.patch
Patch0313: 0313-linuxefi-fail-kernel-validation-without-shim-protoco.patch
Patch0314: 0314-linux-Fix-integer-overflows-in-initrd-size-handling.patch
+Patch0315: 0315-blscfg-Always-look-for-BLS-snippets-in-the-root-devi.patch
+Patch0316: 0316-blscfg-Don-t-hardcode-an-env-var-as-fallback-for-the.patch
+Patch0317: 0317-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index ec045ab259d7a2a21f1cc7e75068137048276696..52e8c9e2dee79ef128b949fb81b9be2bb751f257 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
-Release: 87%{?dist}
+Release: 90%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -500,7 +500,31 @@ fi
%endif
%changelog
-* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 2.02-87
+* Mon Aug 31 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-90
+- Roll over TFTP block counter to prevent timeouts with data packets
+ Resolves: rhbz#1871034
+
+* Fri Aug 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-89
+- Fix TFTP timeouts when trying to fetch files larger than 65535 KiB
+ Resolves: rhbz#1871034
+
+* Tue Aug 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-88
+- Fix a legacy BIOS boot issue when a using config file shared with EFI
+ Resolves: rhbz#1850193
+
+* Mon Jul 27 2020 Peter Jones <pjones@redhat.com> - 2.02-87
+- Couple more late fixes.
+ Resolves: CVE-2020-15705
+
+* Sun Jul 26 2020 Peter Jones <pjones@redhat.com> - 2.02-86
+- Couple more late fixes.
+ Resolves: CVE-2020-10713
+ Resolves: CVE-2020-14308
+ Resolves: CVE-2020-14309
+ Resolves: CVE-2020-14310
+ Resolves: CVE-2020-14311
+
+* Mon Jul 20 2020 Peter Jones <pjones@redhat.com> - 2.02-85
- Fix several CVEs
Resolves: CVE-2020-10713
Resolves: CVE-2020-14308
@@ -508,9 +532,26 @@ fi
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
-* Mon May 18 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-82.el8_2.1
+* Tue May 19 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-84
+- Add fixes for greenboot support
+ Resolves: rhbz#1832336
+
+* Mon May 18 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-83
- Fix a segfault in grub2-editenv when attempting to shrink a variable
- Resolves: rhbz#1836196
+ Resolves: rhbz#1761496
+
+* Mon Apr 27 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.02-82
+- Drop "Disable multiboot, multiboot2, and linux16 modules on EFI builds"
+ Resolves: rhbz#1779480
+- efi/http: Export {fw,http}_path variables to make them global
+ Resolves: rhbz#1811561
+- efi/http: Enclose literal IPv6 addresses in square brackets
+- efi/net: Allow to specify a port number in addresses
+- efi/ip4_config: Improve check to detect literal IPv6 addresses
+- efi/net: Print a debug message if parsing the address fails
+ Resolves: rhbz#1811560
+- Set image base address before jumping to the PE/COFF entry point
+ Resolves: rhbz#1819624
* Thu Dec 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 2.02-81
- Another fix for blscfg variable expansion support