diff --git a/edk2-build.rhel-10 b/edk2-build.rhel-10
index f2cf2f7..3aaaa47 100644
--- a/edk2-build.rhel-10
+++ b/edk2-build.rhel-10
@@ -18,6 +18,11 @@ SECURE_BOOT_ENABLE       = TRUE
 SMM_REQUIRE              = TRUE
 BUILD_SHELL              = FALSE
 
+[opts.ovmf.qemu.vars]
+QEMU_PV_VARS             = TRUE
+SECURE_BOOT_ENABLE       = TRUE
+BUILD_SHELL              = FALSE
+
 [opts.ovmf.sb.stateless]
 SECURE_BOOT_ENABLE       = TRUE
 SMM_REQUIRE              = FALSE
@@ -82,6 +87,19 @@ dest = RHEL-10/ovmf
 cpy1 = FV/OVMF_CODE.fd OVMF_CODE.secboot.fd
 cpy2 = X64/EnrollDefaultKeys.efi
 
+[build.ovmf.qemu.vars]
+desc = ovmf build (64-bit, 4MB, qemu vars, secure boot)
+conf = OvmfPkg/OvmfPkgX64.dsc
+arch = X64
+opts = ovmf.common
+       ovmf.4m
+       ovmf.qemu.vars
+pcds = nx.strict
+       la57
+plat = OvmfX64
+dest = RHEL-10/ovmf
+cpy1 = FV/OVMF.fd OVMF.qemuvars.fd
+
 
 #####################################################################
 # stateless ovmf builds (firmware in rom or r/o flash)
@@ -143,6 +161,20 @@ cpy1 = FV/QEMU_EFI.fd  QEMU_EFI.silent.fd
 cpy2 = FV/QEMU_EFI.fd  QEMU_EFI-silent-pflash.raw
 pad2 = QEMU_EFI-silent-pflash.raw 64m
 
+[build.armvirt.aa64.qemu.vars]
+desc = ArmVirt build for qemu, 64-bit (arm v8), qemu vars, secure boot
+conf = ArmVirtPkg/ArmVirtQemu.dsc
+arch = AARCH64
+opts = ovmf.common
+       ovmf.qemu.vars
+       armvirt.silent
+pcds = nx.strict
+plat = ArmVirtQemu-AARCH64
+dest = RHEL-10/aarch64
+cpy1 = FV/QEMU_EFI.fd  QEMU_EFI.qemuvars.fd
+cpy2 = FV/QEMU_EFI.fd  QEMU_EFI-qemuvars-pflash.raw
+pad2 = QEMU_EFI-qemuvars-pflash.raw 64m
+
 
 #####################################################################
 # riscv build
diff --git a/edk2.spec b/edk2.spec
index 3dd1efa..887c7dd 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -8,7 +8,7 @@ ExclusiveArch: x86_64 aarch64 riscv64
 %define OPENSSL_VER    3.5.0
 %define OPENSSL_HASH   63b528e6476ff36efcf2cda5c083f3f3d7cf9210
 
-%define DBXDATE        20250224
+%define DBXDATE        20250610
 
 %define build_ovmf 0
 %define build_aarch64 0
@@ -25,7 +25,7 @@ ExclusiveArch: x86_64 aarch64 riscv64
 
 Name:       edk2
 Version:    %{GITDATE}
-Release:    1%{?dist}
+Release:    2%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL:        http://www.tianocore.org
@@ -394,6 +394,7 @@ install -m 0644 \
 %{_datadir}/%{name}/ovmf/OVMF.amdsev.fd
 %{_datadir}/%{name}/ovmf/OVMF.inteltdx.fd
 %{_datadir}/%{name}/ovmf/OVMF.inteltdx.secboot.fd
+%{_datadir}/%{name}/ovmf/OVMF.qemuvars.fd
 %{_datadir}/%{name}/ovmf/DBXUpdate*.bin
 %{_datadir}/%{name}/ovmf/UefiShell.iso
 %{_datadir}/OVMF/OVMF_CODE.secboot.fd
@@ -417,12 +418,14 @@ install -m 0644 \
 %dir %{_datadir}/%{name}/aarch64/
 %{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.*
 %{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.*
+%{_datadir}/%{name}/aarch64/QEMU_EFI-qemuvars-pflash.*
 %{_datadir}/%{name}/aarch64/vars-template-pflash.*
 %{_datadir}/AAVMF/AAVMF_CODE.verbose.fd
 %{_datadir}/AAVMF/AAVMF_CODE.fd
 %{_datadir}/AAVMF/AAVMF_VARS.fd
 %{_datadir}/%{name}/aarch64/QEMU_EFI.fd
 %{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd
+%{_datadir}/%{name}/aarch64/QEMU_EFI.qemuvars.fd
 %{_datadir}/%{name}/aarch64/QEMU_VARS.fd
 %{_datadir}/qemu/firmware/50-edk2-aarch64-qcow2.json
 %{_datadir}/qemu/firmware/51-edk2-aarch64-raw.json
@@ -464,6 +467,15 @@ install -m 0644 \
 
 
 %changelog
+* Mon Jun 30 2025 Miroslav Rezanina <mrezanin@redhat.com> - 20250523-2
+- edk2-add-qemu-vars-builds-to-build-config-and-file-lists.patch [RHEL-2908]
+- edk2-add-dbx-update-script.patch [RHEL-96866]
+- edk2-update-dbx-to-20250610.patch [RHEL-96866]
+- Resolves: RHEL-2908
+  ([aarch64][EDK2] UEFI writable variable service in QEMU)
+- Resolves: RHEL-96866
+  ([edk2,rhel-10] dbx update 20250610)
+
 * Tue Jun 10 2025 Miroslav Rezanina <mrezanin@redhat.com> - 20250523-1
 - Rebase to edk2-stable202505 [RHEL-82556]
 - Resolves: RHEL-82556
diff --git a/sources b/sources
index 0051786..01ba7fd 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (DBXUpdate-20250224.x64.bin) = 05640ada78ce94132670ade66676aacdb6cdc311b992769f2ae0413554aa535b9c15213a513355d5e763bef908b961f1ff1d2226081240a6ebd5d4aef7148828
+SHA512 (DBXUpdate-20250610.x64.bin) = be2bea068e6db47b5ad419fe9402035d9f3e1e75166eff50193387d68c209225f0e45a014fc3781718cb494f55ab98f71f5c28c96c7c21988ac050d94b1df881
 SHA512 (dtc-1.7.0.tar.xz) = d3ba6902a9a2f2cdbaff55f12fca3cfe4a1ec5779074a38e3d8b88097c7abc981835957e8ce72971e10c131e05fde0b1b961768e888ff96d89e42c75edb53afb
 SHA512 (edk2-6951dfe7d59d.tar.xz) = b060dd293110c6f3eabe370b52eda3e56070644923ffb7e7738ceb4f6e00b45aa30f08143b3d39aedfc438cf720d9b8bc2aa248db7511b5356605861ebd068fa
 SHA512 (openssl-rhel-63b528e6476ff36efcf2cda5c083f3f3d7cf9210.tar.xz) = 2982f76e5eb2c94e44b32c1af56ec0020d707412ac8add161b466f853988a1f8ba2094e265a39cfe762cdbc195e1c20545aa66b68d7452231f286abdabdd98a0