diff --git a/.grub2.checksum b/.grub2.checksum
new file mode 100644
index 0000000000000000000000000000000000000000..37febd36dfe22b4e07dffdb592cb28639088140f
--- /dev/null
+++ b/.grub2.checksum
@@ -0,0 +1 @@
+f8f13ebd0564656ed6cee3cbe152952e083325c8b9201b5e87f6abad1c2fc3b3
diff --git a/.grub2.metadata b/.grub2.metadata
index 3bb3b94bc028347dd803a54974ce2e5b7b7fcb91..1cf5135b8ac9235094c02ba39ba062687b2b2d6e 100644
--- a/.grub2.metadata
+++ b/.grub2.metadata
@@ -1,3 +1,9 @@
-3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
-cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
-87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz
+c6d43c94bcbc73c81df3026bc201a88886b8ceebe98188cdb69bdd61bd6be287 SOURCES/redhatsecureboot701.cer
+9996c73616ee42f13396c9abfb4b646b538c3c80940474b710afdbe53bf17d32 SOURCES/redhatsecurebootca3.cer
+810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f SOURCES/grub-2.02.tar.xz
+40175d4c7c5ab4bd753a493f47952f1d8dcf1c219b836968a693e48bd4766135 SOURCES/redhatsecurebootca5.cer
+1fddd06b4854598a18ff3742c472c6a5c609929ce1ab74ec9901812aaf30be02 SOURCES/theme.tar.bz2
+122b9c470f29b70223b0e07404a6dfa7f339fcfa6ae74c024f478945af7a9a63 SOURCES/unifont-5.1.20080820.pcf.gz
+224f7059328df355810fee105e79af2e9fc7e520504f9f545c08ca4e32e8c200 SOURCES/redhatsecureboot301.cer
+3f564ef41227562f9ea45c3fd8f96bea9ab8205247ef72dd025fdcd728373a00 SOURCES/redhatsecureboot502.cer
+8f435a96261e571ed557f9243e7fe7db5b93bc8f7eefcfc5b0c154d5d29292fb SOURCES/redhatsecureboot601.cer
diff --git a/SOURCES/0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch b/SOURCES/0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch
new file mode 100644
index 0000000000000000000000000000000000000000..65ac476ebfc3879aa6b969835fc1429bd7cdaa63
--- /dev/null
+++ b/SOURCES/0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Matt Hsiao <matt.hsiao@hpe.com>
+Date: Mon, 24 Apr 2023 13:39:05 +0800
+Subject: [PATCH] efi/http: change uint32_t to uintn_t for
+ grub_efi_http_message_t
+
+Modify UINT32 to UINTN in EFI_HTTP_MESSAGE to be UEFI 2.9 compliant.
+
+Signed-off-by: Matt Hsiao <matt.hsiao@hpe.com>
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ include/grub/efi/http.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/grub/efi/http.h b/include/grub/efi/http.h
+index c5e9a89f5050..ad164ba1913d 100644
+--- a/include/grub/efi/http.h
++++ b/include/grub/efi/http.h
+@@ -171,9 +171,9 @@ typedef struct {
+ grub_efi_http_request_data_t *request;
+ grub_efi_http_response_data_t *response;
+ } data;
+- grub_efi_uint32_t header_count;
++ grub_efi_uintn_t header_count;
+ grub_efi_http_header_t *headers;
+- grub_efi_uint32_t body_length;
++ grub_efi_uintn_t body_length;
+ void *body;
+ } grub_efi_http_message_t;
+
diff --git a/SOURCES/0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch b/SOURCES/0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ce3e113f0971ca30d4e13e85b7d59a5cb0068f64
--- /dev/null
+++ b/SOURCES/0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2023 08:16:25 -0400
+Subject: [PATCH] ieee1275 : Converting plain numbers to constants in Vec5
+
+This patch converts the plain numbers used in Vec5 properties to
+constants.
+
+1. LPAR : Client program supports logical partitioning and
+ associated hcall()s.
+2. SPLPAR : Client program supports the Shared
+ Processor LPAR Option.
+3. CMO : Enables the Cooperative Memory Over-commitment Option.
+4. MAX_CPU : Defines maximum number of CPUs supported.
+
+Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+---
+ grub-core/kern/ieee1275/init.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 3ea9b73b2a59..2516e02091cb 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -56,6 +56,12 @@ extern char _end[];
+ grub_addr_t grub_ieee1275_original_stack;
+ #endif
+
++#define LPAR 0x80
++#define SPLPAR 0x40
++#define BYTE2 (LPAR | SPLPAR)
++#define CMO 0x80
++#define MAX_CPU 256
++
+ void
+ grub_exit (int rc __attribute__((unused)))
+ {
+@@ -372,7 +378,7 @@ grub_ieee1275_ibm_cas (void)
+ .vec4 = 0x0001, // set required minimum capacity % to the lowest value
+ .vec5_size = 1 + sizeof(struct option_vector5) - 2,
+ .vec5 = {
+- 0, 192, 0, 128, 0, 0, 0, 0, 256
++ 0, BYTE2, 0, CMO, 0, 0, 0, 0, MAX_CPU
+ }
+ };
+
diff --git a/SOURCES/0578-ieee1275-extended-support-in-options-vector5.patch b/SOURCES/0578-ieee1275-extended-support-in-options-vector5.patch
new file mode 100644
index 0000000000000000000000000000000000000000..48b224c149c642890bdd2a5b6734cb25206d9b44
--- /dev/null
+++ b/SOURCES/0578-ieee1275-extended-support-in-options-vector5.patch
@@ -0,0 +1,125 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2023 08:33:12 -0400
+Subject: [PATCH] ieee1275 : extended support in options vector5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch enables the multiple options in Options Vector5 which are
+required and solves the boot issue seen on some machines which are looking for these specific options.
+
+1. LPAR : Client program supports logical partitioning and
+ associated hcall()s.
+2. SPLPAR : Client program supports the Shared
+ Processor LPAR Option.
+3. DYN_RCON_MEM : Client program supports the
+ “ibm,dynamic-reconfiguration-memory†property and it may be
+ presented in the device tree.
+4. LARGE_PAGES : Client supports pages larger than 4 KB.
+5. DONATE_DCPU_CLS : Client supports donating dedicated processor cycles.
+6. PCI_EXP : Client supports PCI Express implementations
+ utilizing Message Signaled Interrupts (MSIs).
+
+7. CMOC : Enables the Cooperative Memory Over-commitment Option.
+8. EXT_CMO : Enables the Extended Cooperative Memory Over-commit
+ Option.
+
+9. ASSOC_REF : Enables “ibm,associativity†and
+ “ibm,associativity-reference-points†properties.
+10. AFFINITY : Enables Platform Resource Reassignment Notification.
+11. NUMA : Supports NUMA Distance Lookup Table Option.
+
+12. HOTPLUG_INTRPT : Supports Hotplug Interrupts.
+13. HPT_RESIZE : Enable Hash Page Table Resize Option.
+
+14. MAX_CPU : Defines maximum number of CPUs supported.
+
+15. PFO_HWRNG : Supports Random Number Generator.
+16. PFO_HW_COMP : Supports Compression Engine.
+17. PFO_ENCRYPT : Supports Encryption Engine.
+
+18. SUB_PROCESSORS : Supports Sub-Processors.
+
+19. DY_MEM_V2 : Client program supports the “ibm,dynamic-memory-v2†property in the
+ “ibm,dynamic-reconfiguration-memory†node and it may be presented in the device tree.
+20. DRC_INFO : Client program supports the “ibm,drc-info†property definition and it may be
+ presented in the device tree.
+
+Signed-off-by: Avnish Chouhan <avnish@linux.vnet.ibm.com>
+---
+ grub-core/kern/ieee1275/init.c | 47 ++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 41 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
+index 2516e02091cb..1fae84440403 100644
+--- a/grub-core/kern/ieee1275/init.c
++++ b/grub-core/kern/ieee1275/init.c
+@@ -56,11 +56,41 @@ extern char _end[];
+ grub_addr_t grub_ieee1275_original_stack;
+ #endif
+
+-#define LPAR 0x80
+-#define SPLPAR 0x40
+-#define BYTE2 (LPAR | SPLPAR)
+-#define CMO 0x80
+-#define MAX_CPU 256
++/* Options vector5 properties */
++
++#define LPAR 0x80
++#define SPLPAR 0x40
++#define DYN_RCON_MEM 0x20
++#define LARGE_PAGES 0x10
++#define DONATE_DCPU_CLS 0x02
++#define PCI_EXP 0x01
++#define BYTE2 (LPAR | SPLPAR | DYN_RCON_MEM | LARGE_PAGES | DONATE_DCPU_CLS | PCI_EXP)
++
++#define CMOC 0x80
++#define EXT_CMO 0x40
++#define CMO (CMOC | EXT_CMO)
++
++#define ASSOC_REF 0x80
++#define AFFINITY 0x40
++#define NUMA 0x20
++#define ASSOCIATIVITY (ASSOC_REF | AFFINITY | NUMA)
++
++#define HOTPLUG_INTRPT 0x04
++#define HPT_RESIZE 0x01
++#define BIN_OPTS (HOTPLUG_INTRPT | HPT_RESIZE)
++
++#define MAX_CPU 256
++
++#define PFO_HWRNG 0x80000000
++#define PFO_HW_COMP 0x40000000
++#define PFO_ENCRYPT 0x20000000
++#define PLATFORM_FACILITIES (PFO_HWRNG | PFO_HW_COMP | PFO_ENCRYPT)
++
++#define SUB_PROCESSORS 1
++
++#define DY_MEM_V2 0x80
++#define DRC_INFO 0x40
++#define BYTE22 (DY_MEM_V2 | DRC_INFO)
+
+ void
+ grub_exit (int rc __attribute__((unused)))
+@@ -323,6 +353,11 @@ struct option_vector5 {
+ grub_uint8_t micro_checkpoint;
+ grub_uint8_t reserved0;
+ grub_uint32_t max_cpus;
++ grub_uint16_t base_PAPR;
++ grub_uint16_t mem_reference;
++ grub_uint32_t platform_facilities;
++ grub_uint8_t sub_processors;
++ grub_uint8_t byte22;
+ } __attribute__((packed));
+
+ struct pvr_entry {
+@@ -378,7 +413,7 @@ grub_ieee1275_ibm_cas (void)
+ .vec4 = 0x0001, // set required minimum capacity % to the lowest value
+ .vec5_size = 1 + sizeof(struct option_vector5) - 2,
+ .vec5 = {
+- 0, BYTE2, 0, CMO, 0, 0, 0, 0, MAX_CPU
++ 0, BYTE2, 0, CMO, ASSOCIATIVITY, BIN_OPTS, 0, 0, MAX_CPU, 0, 0, PLATFORM_FACILITIES, SUB_PROCESSORS, BYTE22
+ }
+ };
+
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 3eacbac02cfe7db6bfba604f9fa74f740783fcd9..3bb7067f5b3115a6d1ef67874ba8e71badb6611f 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -573,3 +573,6 @@ Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
Patch0574: 0574-Enable-TDX-measurement-to-RTMR-register.patch
Patch0575: 0575-Enable-shared-processor-mode-in-vector-5.patch
+Patch0576: 0576-efi-http-change-uint32_t-to-uintn_t-for-grub_efi_htt.patch
+Patch0577: 0577-ieee1275-Converting-plain-numbers-to-constants-in-Ve.patch
+Patch0578: 0578-ieee1275-extended-support-in-options-vector5.patch
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
deleted file mode 100644
index 4ff8b79e6736e566dbf39603e0887a53345aa4e4..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot301.cer and /dev/null differ
diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer
deleted file mode 100644
index be0b5e211ccf8ad7ba74c88841c921cfdbad5a70..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot502.cer and /dev/null differ
diff --git a/SOURCES/redhatsecureboot601.cer b/SOURCES/redhatsecureboot601.cer
deleted file mode 100644
index c92b96b4e0d360b90333361ea61f565f196ea20e..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot601.cer and /dev/null differ
diff --git a/SOURCES/redhatsecureboot701.cer b/SOURCES/redhatsecureboot701.cer
deleted file mode 100644
index 25e3743e47c3c1f06da0124a1d99e99e4920f6e7..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot701.cer and /dev/null differ
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer
deleted file mode 100644
index b2354007b9668258683b99a68fa5bdd3067c31b1..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecurebootca3.cer and /dev/null differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
deleted file mode 100644
index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecurebootca5.cer and /dev/null differ
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index ec803eedbfbdfbe9d796b53801e55f5d7632d688..a1b649fa9e488ec590a799bab28b2bedb180e758 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
Name: grub2
Epoch: 1
Version: 2.02
-Release: 148%{?dist}.rocky.0.3
+Release: 148%{?dist}.1.rocky.0.3
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
License: GPLv3+
@@ -508,7 +508,7 @@ fi
%endif
%changelog
-* Tue May 16 2023 Release Engineering <releng@rockylinux.org> - 2.02-148.rocky.0.3
+* Tue Aug 08 2023 Release Engineering <releng@rockylinux.org> - 2.02-148.rocky.0.3
- Removing redhat old cert sources entries (Sherif Nagy)
- Preserving rhel8 sbat entry based on shim-review feedback ticket no. 194
- Adding prod cert
@@ -517,6 +517,10 @@ fi
- Cleaning up grup.macro extra signing certs
- Adding Rocky testing CA, CERT and sbat files
+* Fri Jun 16 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.02-148.el8_8.1
+- Sync with 8.9 (actually 2.02-150)
+- Resolves: #2207972
+
* Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-148
- ppc64le: cas5, take 3
- Resolves: #2139508