diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d23331458e1bab1b7a742558bec236e3612..0000000000000000000000000000000000000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch b/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bd1bd0c00eba361b5c2fa74238f259fd5c0c8d54
--- /dev/null
+++ b/SOURCES/0224-grub-mkconfig-restore-umask-for-grub.cfg.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Chang via Grub-devel <grub-devel@gnu.org>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: restore umask for grub.cfg
+
+Since commit:
+
+  ab2e53c8a grub-mkconfig: Honor a symlink when generating configuration
+by grub-mkconfig
+
+has inadvertently discarded umask for creating grub.cfg in the process
+of grub-mkconfig. The resulting wrong permission (0644) would allow
+unprivileged users to read grub's configuration file content. This
+presents a low confidentiality risk as grub.cfg may contain non-secured
+plain-text passwords.
+
+This patch restores the missing umask and set the file mode of creation
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+(cherry picked from commit 2acad06610da1488bfa387f56a847119ab758766)
+---
+ util/grub-mkconfig.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index f55339a3f64..520a672cd2c 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -311,7 +311,9 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
++    oldumask=$(umask); umask 077
+     cat ${grub_cfg}.new > ${grub_cfg}
++    umask $oldumask
+     rm -f ${grub_cfg}.new
+   fi
+ fi
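Review bot: The `umask 077` wrapped around `cat ${grub_cfg}.new > ${grub_cfg}` only governs the mode of a file that the redirection creates; when grub.cfg already exists, the redirection truncates it in place and keeps its current mode, so a file written 0644 by an affected build stays world-readable after this update. Consider following the `cat` with `chmod 600 ${grub_cfg}`, or tightening the mode in a package scriptlet (whether the spec already does this is not visible in this diff), and on deployed hosts check the result with `stat -c '%a'` on the generated file. Because the patch is a cherry-pick of upstream commit 2acad06610da, the extra `chmod` would have to be carried as a downstream change. The surrounding `if`/`else` begins outside the hunk.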
diff --git a/SOURCES/99-grub-mkconfig.install b/SOURCES/99-grub-mkconfig.install
index d9686b51a22f01e8d2a3133e33373771d890543c..2c7faad50cc30fc53ffc3a789d231d3c8689b162 100755
--- a/SOURCES/99-grub-mkconfig.install
+++ b/SOURCES/99-grub-mkconfig.install
@@ -40,14 +40,17 @@ if [[ $DISABLE_BLS = "true" ]]; then
     fi
 fi
 
+[ -f /etc/default/grub ] && . /etc/default/grub
+if [ x$GRUB_ENABLE_BLSCFG = xfalse ]; then
+   RUN_MKCONFIG=true
+fi
+
 # A traditional grub configuration file needs to be generated only in the case when
 # the bootloaders are not capable of populating a menu entry from the BLS fragments.
 if [[ $RUN_MKCONFIG != "true" ]]; then
     exit 0
 fi
 
-[[ -f /etc/default/grub ]] && . /etc/default/grub
-
 COMMAND="$1"
 
 case "$COMMAND" in
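Review bot: The added test `[ x$GRUB_ENABLE_BLSCFG = xfalse ]` expands the variable unquoted, so a value in /etc/default/grub that contains whitespace or glob characters makes `[` fail with an argument error instead of comparing cleanly; the rest of the script uses `[[ ]]`, so `if [[ "$GRUB_ENABLE_BLSCFG" == "false" ]]; then` would be both consistent and safe. Moving `. /etc/default/grub` above the `RUN_MKCONFIG` early exit also means the file is now sourced on every invocation of this plugin, including the runs that previously exited first, so a syntax error or side effect in that file now surfaces on every kernel install. A short comment stating that the early source is intentional, for example `# Source early: GRUB_ENABLE_BLSCFG=false must force grub.cfg regeneration`, would document the ordering. The script continues past the end of the hunk.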
diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros
old mode 100644
new mode 100755
index 168223fc7920797293d8ab73452d9c5626163870..cd8b7d2b028ab95a0fd11a1b96ad4af24e92d86e
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@@ -68,7 +68,6 @@
 %global efi_target_ldflags %{expand:%%(echo %{target_ldflags})}
 
 %global with_efi_arch 0
-%global with_alt_efi_arch 0
 %global with_legacy_arch 0
 %global with_emu_arch 1
 %global emuarch %{_arch}
@@ -154,19 +153,6 @@
 %global legacy_target_cpu_name i386
 %global legacy_package_arch pc
 %global platform pc
-
-%global alt_efi_arch ia32
-%global alt_target_cpu_name i386
-%global alt_grub_target_name i386-efi
-%global alt_platform efi
-%global alt_package_arch efi-ia32
-
-%global alt_efi_host_cflags %{expand:%%(echo %{efi_host_cflags})}
-%global alt_efi_target_cflags					\\\
-	%{expand:%%(echo %{target_cflags} |			\\\
-	%{cflags_sed}						\\\
-		-e 's/-m64//g'					\\\
-	)}
 %endif
 
 %ifarch aarch64
@@ -200,7 +186,6 @@
 %endif
 
 %global _target_platform %{target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu}
-%global _alt_target_platform %{alt_target_cpu_name}-%{_vendor}-%{_target_os}%{?_gnu}
 
 %ifarch %{efi_arch}
 %global with_efi_arch 1
@@ -216,13 +201,6 @@
 %endif
 %endif
 
-%if 0%{?alt_efi_arch:1}
-%global with_alt_efi_arch 1
-%global grubaltefiname grub%{alt_efi_arch}.efi
-%global grubalteficdname gcd%{alt_efi_arch}.efi
-%global grubaltefiarch %{alt_target_cpu_name}-efi
-%endif
-
 %ifnarch %{efi_only}
 %global with_legacy_arch 1
 %global grublegacyarch %{legacy_target_cpu_name}-%{platform}
@@ -416,11 +394,8 @@ rm -f %{1}.conf							\
 	${GRUB_MODULES}						\
 %{expand:%%define ___pesign_client_cert %{?___pesign_client_cert}%{!?___pesign_client_cert:%{__pesign_client_cert}}} \
 %{?__pesign_client_cert:%{expand:%%define __pesign_client_cert %{___pesign_client_cert}}} \
-%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.onesig -a %%{5} -c %%{6} -n %%{7}}}	\
-%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.onesig -a %%{5} -c %%{6} -n %%{7}}}	\
-%{expand:%%define __pesign_client_cert %{name}-signer} \
-%{expand:%%{pesign -s -i %%{2}.onesig -o %%{2} -a %%{8} -c %%{9} -n %%{10}}}	\
-%{expand:%%{pesign -s -i %%{3}.onesig -o %%{3} -a %%{8} -c %%{9} -n %%{10}}}	\
+%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}}	\
+%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}}	\
 %{nil}
 %else
 %define efi_mkimage()						\
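Review bot: The removed line `%define __pesign_client_cert %{name}-signer` was what switched the client certificate before the second signature, and the two surviving pesign calls now sign `%{2}` and `%{3}` with `-a %{5} -c %{6} -n %{7}` under whatever `__pesign_client_cert` the two context lines above restore. If the signing service ties a key name to a particular client certificate, this pairing may fail or sign under an unintended identity, so it should be confirmed; if the save/restore of `___pesign_client_cert` is no longer needed, drop it or add a comment saying why it stays. A comment above the macro naming the positional arguments, apparently `%{5}` CA certificate, `%{6}` signing certificate and `%{7}` key name judging by the spec's `%{sb_ca} %{sb_cer} %{sb_key}`, would make the renumbering auditable. The macro definition starts outside the hunk.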
@@ -438,7 +413,7 @@ rm -f %{1}.conf							\
 APPENDED_SIG_SIZE=0						\
 if [ -x /usr/bin/rpm-sign ]; then				\
 	touch empty.unsigned					\
-	rpm-sign --key %{5}					\\\
+	rpm-sign --key %{4}					\\\
 		 --lkmsign empty.unsigned			\\\
 		 --output empty.signed				\
 	APPENDED_SIG_SIZE="$(stat -c '%s' empty.signed)"	\
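Review bot: The key argument moves from `%{5}` to `%{4}` here and again in the next hunk, `-x %{3} -x %{4}` shrinks to `-x %{3}`, and `do_legacy_install` switches its test from `%{3}` to `%{2}`, yet none of these macros states what its positional parameters are. A wrong index would silently hand a certificate path to `rpm-sign --key` or embed the wrong file through `-x`, so a header comment above each definition is worth adding, for example `# ieee1275_mkimage <format> <output> <sb_cer> <sb_key>`. With only `-x %{3}` left the image presumably trusts a single certificate for appended signatures, which means content signed only with the previous key would no longer verify; a comment or changelog line stating that this is intended would help operators planning the upgrade. The `ieee1275_mkimage` definition starts outside this hunk.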
@@ -447,12 +422,12 @@ fi								\
 # FIXME: using this prefix is fragile, must be done properly	\
 ./grub-mkimage -O %{1} -o %{2}.orig				\\\
 	-p '/grub2' -d grub-core				\\\
-	-x %{3} -x %{4}						\\\
+	-x %{3}							\\\
 	--appended-signature-size ${APPENDED_SIG_SIZE}		\\\
 	${GRUB_MODULES}						\
 if [ -x /usr/bin/rpm-sign ]; then				\
 	truncate -s -${APPENDED_SIG_SIZE} %{2}.orig		\
-	rpm-sign --key %{5}					\\\
+	rpm-sign --key %{4}					\\\
 		 --lkmsign %{2}.orig				\\\
 		 --output %{2}					\
 else								\
@@ -468,12 +443,12 @@ GRUB_MODULES+=%{platform_modules}				\
 %{expand:%%{efi_mkimage %{1} %{2} %{3} %{4} %{5} %{6} %{7} %{8} %{9} %{10}}}	\
 %{nil}
 
-%define do_ieee1275_build_images()				\
-GRUB_MODULES+=%{grub_modules}					\
-GRUB_MODULES+=%{platform_modules}				\
-cd grub-%{1}-%{tarversion}					\
-%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4} %%{5}}	\
-cd ..								\
+%define do_ieee1275_build_images()			\
+GRUB_MODULES+=%{grub_modules}				\
+GRUB_MODULES+=%{platform_modules}			\
+cd grub-%{1}-%{tarversion}				\
+%{expand:%%ieee1275_mkimage %%{1} %%{2} %%{3} %%{4}}	\
+cd ..							\
 %{nil}
 
 %define do_primary_efi_build()					\
@@ -484,15 +459,6 @@ cd grub-%{1}-%{tarversion}					\
 cd ..								\
 %{nil}
 
-%define do_alt_efi_build()					\
-cd grub-%{1}-%{tarversion}					\
-%{expand:%%do_efi_configure %%{4} %%{5} %%{6}}			\
-%do_efi_build_modules						\
-%{expand:%%do_efi_link_utils %{grubefiarch}}			\
-%{expand:%%do_efi_build_images %{alt_grub_target_name} %{2} %{3} ../grub-%{grubefiarch}-%{tarversion}/ %{7} %{8} %{9} %{10} %{11} %{12}} \
-cd ..								\
-%{nil}
-
 %define do_legacy_build()					\
 cd grub-%{1}-%{tarversion}					\
 %configure							\\\
@@ -534,26 +500,6 @@ make %{?_smp_mflags} -C grub-core				\
 cd ..								\
 %{nil}
 
-%define do_alt_efi_install()					\
-cd grub-%{1}-%{tarversion}					\
-install -d -m 755 $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \
-find . '(' -iname gdb_grub					\\\
-	-o -iname kernel.exec					\\\
-	-o -iname kernel.img					\\\
-	-o -iname config.h					\\\
-	-o -iname gmodule.pl					\\\
-	-o -iname modinfo.sh					\\\
-	-o -iname '*.lst'					\\\
-	-o -iname '*.mod'					\\\
-	')'							\\\
-	-exec cp {} $RPM_BUILD_ROOT/usr/lib/grub/%{grubaltefiarch}/ \\\; \
-find $RPM_BUILD_ROOT -type f -iname "*.mod*" -exec chmod a-x {} '\;'	\
-install -m 700 %{2} $RPM_BUILD_ROOT%{efi_esp_dir}/%{2}	\
-install -m 700 %{3} $RPM_BUILD_ROOT%{efi_esp_dir}/%{3} \
-%{expand:%%do_install_protected_file %{name}-%{alt_package_arch}} \
-cd ..								\
-%{nil}
-
 %define do_efi_install()					\
 cd grub-%{1}-%{tarversion}					\
 make DESTDIR=$RPM_BUILD_ROOT install				\
@@ -595,7 +541,7 @@ if [ -f $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp ]; then \
 	mv $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp	\\\
 	   $RPM_BUILD_ROOT/%{_libdir}/grub/%{1}/%{name}.chrp	\
 fi								\
-if [ %{3} -eq 0 ]; then						\
+if [ %{2} -eq 0 ]; then						\
 	${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv		\\\
 		${RPM_BUILD_ROOT}/boot/%{name}/grubenv create	\
 fi								\
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 0d1e9c70f5b4affbed9233503e9b0f72b25c9591..694f9b7b2571371fb9536d454734369a32da8e55 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -221,3 +221,4 @@ Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch
 Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch
 Patch0222: 0222-Print-module-name-on-license-check-failure.patch
 Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch
+Patch0224: 0224-grub-mkconfig-restore-umask-for-grub.cfg.patch
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
deleted file mode 100644
index 4ff8b79e6736e566dbf39603e0887a53345aa4e4..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot301.cer and /dev/null differ
diff --git a/SOURCES/redhatsecureboot303.cer b/SOURCES/redhatsecureboot303.cer
deleted file mode 100644
index 2c0087dbc5da376aef641bb23833401857c34940..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot303.cer and /dev/null differ
diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer
deleted file mode 100644
index be0b5e211ccf8ad7ba74c88841c921cfdbad5a70..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot502.cer and /dev/null differ
diff --git a/SOURCES/redhatsecureboot601.cer b/SOURCES/redhatsecureboot601.cer
deleted file mode 100644
index c92b96b4e0d360b90333361ea61f565f196ea20e..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecureboot601.cer and /dev/null differ
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer
deleted file mode 100644
index b2354007b9668258683b99a68fa5bdd3067c31b1..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecurebootca3.cer and /dev/null differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
deleted file mode 100644
index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000
Binary files a/SOURCES/redhatsecurebootca5.cer and /dev/null differ
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index f5ee3a2851a91ce3bdb7a1951512ccaf34ed3cae..7da682790a6127e935faa5b6e1bdb0810722f1e9 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -14,7 +14,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	16%{?dist}
+Release:	23%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -32,29 +32,27 @@ Source9:	strtoull_test.c
 Source10:	20-grub.install
 Source11:	grub.patches
 Source12:	sbat.csv.in
-Source13:	redhatsecurebootca3.cer
-Source14:	redhatsecureboot301.cer
-Source15:	redhatsecurebootca5.cer
-Source16:	redhatsecureboot502.cer
-Source17:	redhatsecureboot303.cer
-Source18:	redhatsecureboot601.cer
 
 %include %{SOURCE1}
 
-%if 0%{with_efi_arch}
-%define old_sb_ca	%{SOURCE13}
-%define old_sb_cer	%{SOURCE14}
-%define old_sb_key	redhatsecureboot301
-%define sb_ca		%{SOURCE15}
-%define sb_cer		%{SOURCE16}
-%define sb_key		redhatsecureboot502
+%ifarch x86_64 aarch64 ppc64le
+%define sb_ca		%{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define sb_cer		%{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
 %endif
 
+%if 0%{?centos}
+%ifarch x86_64 aarch64 ppc64le
+%define sb_key		centossecureboot202
+%endif
+%else
+%ifarch x86_64 aarch64
+%define sb_key		redhatsecureboot502
+%endif
 %ifarch ppc64le
-%define old_sb_cer	%{SOURCE17}
-%define sb_cer		%{SOURCE18}
 %define sb_key		redhatsecureboot602
 %endif
+%endif
+
 
 BuildRequires:	gcc efi-srpm-macros
 BuildRequires:	flex bison binutils python3
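Review bot: `sb_ca`, `sb_cer` and `sb_key` are now defined under hard-coded `%ifarch` lists, while `%build` still consumes them under `%if 0%{with_efi_arch}`; if `%{efi_arch}` ever covers an architecture outside these lists, the macros stay undefined and rpm passes the literal text `%{sb_key}` on to the signing step instead of failing early. A guard inside the EFI conditional such as `%{!?sb_key:%{error:no Secure Boot key defined for %{_arch}}}` would turn that into an explicit build error. In the non-CentOS branch the ppc64le key is set by a separate `%ifarch ppc64le` block nested inside `%else`, which is easy to misread; a comment on each `%endif` naming the conditional it closes would help.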
@@ -72,6 +70,9 @@ BuildRequires:	systemd
 %ifarch %{efi_arch}
 BuildRequires:	pesign >= 0.99-8
 %endif
+%ifarch aarch64 ppc64le x86_64
+BuildRequires:	system-sb-certs
+%endif
 %if %{?_with_ccache: 1}%{?!_with_ccache: 0}
 BuildRequires:	ccache
 %endif
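Review bot: `BuildRequires: system-sb-certs` carries no version, while the certificates it installs under `%{_datadir}/pki/sb-certs/` replace the `.cer` files this commit deletes from the source tree. The certificate handed to the signing step, and embedded through `-x` on ppc64le, is therefore decided by whichever build of that package is in the buildroot rather than by the SRPM contents. Consider a minimum version, `BuildRequires: system-sb-certs >= <minimum-version>`, and printing the certificate fingerprint during `%build` so that a rebuilt package can be tied to the certificate it was built against.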
@@ -156,9 +157,6 @@ This subpackage provides tools for support of all platforms.
 %if 0%{with_efi_arch}
 %{expand:%define_efi_variant %%{package_arch} -o}
 %endif
-%if 0%{with_alt_efi_arch}
-%{expand:%define_efi_variant %%{alt_package_arch}}
-%endif
 %if 0%{with_legacy_arch}
 %{expand:%define_legacy_variant %%{legacy_package_arch}}
 %endif
@@ -191,12 +189,6 @@ sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{relea
     %{SOURCE12} > grub-%{grubefiarch}-%{tarversion}/sbat.csv
 git add grub-%{grubefiarch}-%{tarversion}
 %endif
-%if 0%{with_alt_efi_arch}
-mkdir grub-%{grubaltefiarch}-%{tarversion}
-grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubaltefiarch}-%{tarversion}/.gitignore
-cp %{SOURCE4} grub-%{grubaltefiarch}-%{tarversion}/unifont.pcf.gz
-git add grub-%{grubaltefiarch}-%{tarversion}
-%endif
 %if 0%{with_legacy_arch}
 mkdir grub-%{grublegacyarch}-%{tarversion}
 grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grublegacyarch}-%{tarversion}/.gitignore
@@ -213,10 +205,7 @@ git commit -m "After making subdirs"
 
 %build
 %if 0%{with_efi_arch}
-%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
-%endif
-%if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_build %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname} %%{_alt_target_platform} %%{alt_efi_target_cflags} %%{alt_efi_host_cflags} %{old_sb_ca} %{old_sb_cer} %{old_sb_key} %{sb_ca} %{sb_cer} %{sb_key}}
+%{expand:%do_primary_efi_build %%{grubefiarch} %%{grubefiname} %%{grubeficdname} %%{_target_platform} %%{efi_target_cflags} %%{efi_host_cflags} %{sb_ca} %{sb_cer} %{sb_key}}
 %endif
 %if 0%{with_legacy_arch}
 %{expand:%do_legacy_build %%{grublegacyarch}}
@@ -225,7 +214,7 @@ git commit -m "After making subdirs"
 %{expand:%do_emu_build}
 %endif
 %ifarch ppc64le
-%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{old_sb_cer} %{sb_cer} %{sb_key}}
+%{expand:%do_ieee1275_build_images %%{grublegacyarch} %{grubelfname} %{sb_cer} %{sb_key}}
 %endif
 makeinfo --info --no-split -I docs -o docs/grub-dev.info \
 	docs/grub-dev.texi
@@ -244,11 +233,8 @@ rm -fr $RPM_BUILD_ROOT
 %if 0%{with_efi_arch}
 %{expand:%do_efi_install %%{grubefiarch} %%{grubefiname} %%{grubeficdname}}
 %endif
-%if 0%{with_alt_efi_arch}
-%{expand:%do_alt_efi_install %%{grubaltefiarch} %%{grubaltefiname} %%{grubalteficdname}}
-%endif
 %if 0%{with_legacy_arch}
-%{expand:%do_legacy_install %%{grublegacyarch} %%{alt_grub_target_name} 0%{with_efi_arch}}
+%{expand:%do_legacy_install %%{grublegacyarch} 0%{with_efi_arch}}
 %endif
 %if 0%{with_emu_arch}
 %{expand:%do_emu_install %%{package_arch}}
@@ -529,9 +515,6 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %if 0%{with_efi_arch}
 %{expand:%define_efi_variant_files %%{package_arch} %%{grubefiname} %%{grubeficdname} %%{grubefiarch} %%{target_cpu_name} %%{grub_target_name}}
 %endif
-%if 0%{with_alt_efi_arch}
-%{expand:%define_efi_variant_files %%{alt_package_arch} %%{grubaltefiname} %%{grubalteficdname} %%{grubaltefiarch} %%{alt_target_cpu_name} %%{alt_grub_target_name}}
-%endif
 %if 0%{with_legacy_arch}
 %{expand:%define_legacy_variant_files %%{legacy_package_arch} %%{grublegacyarch}}
 %endif
@@ -547,7 +530,35 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
-* Tue Jan 04 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-16
+* Fri Feb 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-23
+- Re-arm GRUB_ENABLE_BLSCFG=false
+- Resolves: #2018331
+
+* Fri Feb 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-22
+- Stop building unsupported 32-bit UEFI stuff
+- Resolves: #2038401
+
+* Wed Feb 16 2022 Brian Stinson <bstinson@redhat.com> - 2.06-21
+- Require Secure Boot certs based on architecture
+- Resolves: #2049214
+
+* Wed Feb 16 2022 Brian Stinson <bstinson@redhat.com> - 2.06-20
+- Conditionalize Secure Boot settings per architecture
+- Resolves: #2049214
+
+* Wed Feb 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-19
+- Attempt to fix ppc64le signing bugs in previous change
+- Resolves: #2049214
+
+* Wed Feb 16 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-18
+- Switch to single-signing and use certs from package (bstinson)
+- Resolves: #2049214
+
+* Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-17
+- CVE-2021-3981 (Incorrect read permission in grub.cfg)
+- Resolves: rhbz#2030724
+
+* Tue Jan 04 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-16
 - Stop having this problem and just copy over the beta tree
 - Resolves: rhbz#2006784