diff --git a/grub.macros b/grub.macros index b3b842cb..50386502 100644 --- a/grub.macros +++ b/grub.macros @@ -15,7 +15,12 @@ %endif # gnulib actively ignores CFLAGS because it's terrible +# build aarch64 gnulib with branch protection +%ifarch aarch64 +%global cc_equals "CC=%{ccpath} -fPIE -Wl,-z,noexecstack -Wl,--no-warn-rwx-segments -mbranch-protection=standard" +%else %global cc_equals "CC=%{ccpath} -fPIE -Wl,-z,noexecstack -Wl,--no-warn-rwx-segments" +%endif %global cflags_sed \\\ sed \\\ @@ -671,7 +676,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig \ touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub \ ln -sf ../default/grub \\\ ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub \ -touch ${RPM_BUILD_ROOT}/boot/grub2/grub.cfg \ +touch grub.cfg \ +install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/grub2/ \ ln -s ../boot/grub2/grub.cfg \\\ ${RPM_BUILD_ROOT}%{_sysconfdir}/grub2.cfg \ %{nil} @@ -680,7 +686,7 @@ ln -s ../boot/grub2/grub.cfg \\\ %{expand:%%files %{1}} \ %defattr(-,root,root,-) \ %config(noreplace) %{_sysconfdir}/grub2.cfg \ -%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \ +%ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg \ %dir %attr(0700,root,root)/boot/loader/entries \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \ %ifarch ppc64le \ @@ -715,7 +721,7 @@ ln -s ../boot/grub2/grub.cfg \\\ %endif \ %attr(0700,root,root)/boot/grub2/fonts \ %dir %attr(0700,root,root)/boot/loader/entries \ -%ghost %config(noreplace) %attr(0700,root,root)/boot/grub2/grub.cfg \ +%ghost %config(noreplace) %attr(0600,root,root)/boot/grub2/grub.cfg \ %ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg \ %config(noreplace) %verify(not size mode md5 mtime) /boot/grub2/grubenv \ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/grub2-%{1}.conf \ diff --git a/grub2.spec b/grub2.spec index 657c987a..309df79a 100644 --- a/grub2.spec +++ b/grub2.spec 
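Review bot: The two `%global cc_equals` definitions in the first hunk repeat the whole `-fPIE -Wl,-z,noexecstack -Wl,--no-warn-rwx-segments` list, and the 2.06-130 changelog entry in this same commit records those flags having already gone missing once when the aarch64 branch was introduced. Factoring the shared hardening flags into one macro leaves a single place to maintain them, so the aarch64 arm can only add to the list rather than restate it. The macro file continues outside the hunk on both sides.
```rpm-spec
# gnulib actively ignores CFLAGS because it's terrible
%global cc_base_flags -fPIE -Wl,-z,noexecstack -Wl,--no-warn-rwx-segments
# build aarch64 gnulib with branch protection
%ifarch aarch64
%global cc_equals "CC=%{ccpath} %{cc_base_flags} -mbranch-protection=standard"
%else
%global cc_equals "CC=%{ccpath} %{cc_base_flags}"
%endif
```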
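Review bot: In the `@@ -671` hunk, `touch grub.cfg` creates the placeholder in whatever directory the %install body happens to be running in and never removes it, and because `touch` does not truncate, a pre-existing file of that name there would be installed as the content of the ghost placeholder. Installing straight from an empty source does the same job in one step and leaves nothing behind: `install -m 0600 /dev/null ${RPM_BUILD_ROOT}/boot/grub2/grub.cfg \`. The macro body this hunk belongs to starts and ends outside the hunk.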
@@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.06 -Release: 127%{?dist}.alma.1 +Release: 133%{?dist}.alma.1 Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ @@ -364,13 +364,25 @@ if ! mountpoint -q ${ESP_PATH}; then exit 0 # no ESP mounted, nothing to do fi -if test ! -f ${EFI_HOME}/grub.cfg; then - # there's no config in ESP, create one - grub2-mkconfig -o ${EFI_HOME}/grub.cfg +# if no GRUB_HOME/grub.cfg file exists, create one, otherwise just check mode is correct +if ! test -f ${GRUB_HOME}/grub.cfg; then + grub2-mkconfig -o ${GRUB_HOME}/grub.cfg +else + GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg) + if ! test "${GRUB_CFG_MODE}" = "600"; then + chmod 0600 ${GRUB_HOME}/grub.cfg + fi fi -if ((grep -q "configfile" ${EFI_HOME}/grub.cfg || grep -q "source" ${EFI_HOME}/grub.cfg) && ! grep -q "# It is automatically generated by grub2-mkconfig using templates" ${EFI_HOME}/grub.cfg); then - exit 0 #Already unified +if test -f ${EFI_HOME}/grub.cfg; then + # need to move grub.cfg to correct dir for major version upgrade + if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then + cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/ + fi + + if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then + exit 0 #Already unified + fi fi # create a stub grub2 config in EFI @@ -389,8 +401,6 @@ if test -f ${EFI_HOME}/grubenv; then mv --force ${EFI_HOME}/grubenv ${GRUB_HOME}/grubenv fi -cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave -cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %files common -f grub.lang 
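Review bot: In the `@@ -364` hunk the mode enforcement in the new `else` branch runs before the copy added below it, so when `${EFI_HOME}/grub.cfg` does not contain "configfile" the `cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/` overwrites `${GRUB_HOME}/grub.cfg` with the ESP file's mode (presumably whatever the ESP mount options assign), undoing the `chmod 0600` just performed. Copying with an explicit mode, `install -p -m 0600 ${EFI_HOME}/grub.cfg ${GRUB_HOME}/grub.cfg`, or moving the stat/chmod block after this `if`, keeps the restrictive mode regardless of which branch ran. The "configfile" match is only a heuristic for recognising the stub, and with the `.rpmsave` copy removed in the following hunk a user-authored config that happens to contain that word would be replaced by the stub with neither a copy in `${GRUB_HOME}` nor a backup; matching a marker comment the stub itself carries would be safer. The scriptlet continues outside the hunk on both sides.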
@@ -564,9 +574,33 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg %endif %changelog -* Mon Sep 02 2024 Andrew Lukoshko - 2.06-127.alma.1 +* Thu Sep 26 2024 Andrew Lukoshko - 2.06-123.alma.1 - Debrand for AlmaLinux +* Mon Sep 23 2024 Leo Sandoval - 2.06-133 +- posttrans: condition EFI_HOME/grub.cfg cmds if stub is present +- Resolves: #RHEL-59796 + +* Mon Sep 23 2024 Marta Lewandowska - 2.06-132 +- grub.cfg: Fix an issue when doing a major version upgrade +- Related: #RHEL-56733 + +* Mon Sep 23 2024 Nicolas Frayer - 2.06-131 +- Added more code for the previous CVE fix (CVE-2023-4001) +- Related: #RHEL-56733 + +* Wed Sep 18 2024 Nicolas Frayer - 2.06-130 +- aarch64/macros: Re-added flags that disappeared with previous commit +- Related: #RHEL-58821 + +* Thu Sep 12 2024 Nicolas Frayer - 2.06-129 +- aarch64/macros: Build gnulib with -mbranch-protection=standard +- Resolves: #RHEL-58821 + +* Mon Sep 2 2024 Leo Sandoval - 2.06-128 +- grub.cfg: Fix rpm grub.cfg verification issues +- Resolves: #RHEL-56918 + * Fri Aug 30 2024 Nicolas Frayer - 2.06-127 - Sync with rhel9 for critical patches - Resolves: #RHEL-56733