diff --git a/centossecureboot201.cer b/centossecureboot201.cer
new file mode 100644
index 0000000..ca3c134
Binary files /dev/null and b/centossecureboot201.cer differ
diff --git a/centossecurebootca2.cer b/centossecurebootca2.cer
new file mode 100644
index 0000000..42bdfcf
Binary files /dev/null and b/centossecurebootca2.cer differ
diff --git a/kernel.spec b/kernel.spec
old mode 100755
new mode 100644
index d34fabb..04c3e4b
--- a/kernel.spec
+++ b/kernel.spec
@@ -12,7 +12,7 @@
 # change below to w4T.xzdio):
 %define _binary_payload w3T.xzdio
-%global distro_build 478
+%global distro_build 479
 # Sign the x86_64 kernel for secure boot authentication
 %ifarch x86_64 aarch64 s390x ppc64le
@@ -38,10 +38,10 @@
 # define buildid .local
 %define rpmversion 4.18.0
-%define pkgrelease 478.rt7.267.el8
+%define pkgrelease 479.rt7.268.el8
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 478.rt7.267%{?dist}
+%define specrelease 479.rt7.268%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -147,7 +147,7 @@
 # The preempt RT patch level
 %global rttag .rt7 # realtimeN
-%global rtbuild .267
+%global rtbuild .268
 %define with_doc 0
 %define with_headers 0
 %define with_cross_headers 0
@@ -446,23 +446,31 @@ Source9: x509.genkey
 %define signing_key_filename kernel-signing-s390.cer
 %endif
+%if 0%{?centos}
+Source10: centossecurebootca2.cer
+Source13: centossecureboot201.cer
+%define secureboot_ca_0 %{SOURCE10}
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 centossecureboot201
+%else
 Source10: redhatsecurebootca3.cer
-Source11: redhatsecurebootca5.cer
-Source12: redhatsecureboot301.cer
+#UNUSED, delete file after confirming it works:
+#Source11: redhatsecurebootca5.cer
 Source13: redhatsecureboot501.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
+Source14: redhatsecureboot302.cer
+Source15: redhatsecureboot303.cer
 Source16: redhatsecurebootca7.cer
 %define secureboot_ca_0 %{SOURCE10}
-%define secureboot_ca_1 %{SOURCE11}
+# TODO: secureboot_ca_2 is only for ppc64le on rhel -
+# why doesn't it just define secureboot_ca_0 differently
+# instead of using this separate _ca_2 variable?
+# This would simplify some really nasty "if" blocks
 %define secureboot_ca_2 %{SOURCE16}
 %ifarch x86_64 aarch64
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 redhatsecureboot301
-%define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 redhatsecureboot501
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
@@ -474,6 +482,7 @@ Source16: redhatsecurebootca7.cer
 %define secureboot_key_0 %{SOURCE15}
 %define pesign_name_0 redhatsecureboot701
 %endif
+%endif
 Source17: mod-blacklist.sh
 Source18: mod-sign.sh
@@ -573,6 +582,7 @@ Provides: %{name}-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 Requires(pre): %{kernel_prereq}\
 Requires(pre): %{initrd_prereq}\
 Requires(pre): linux-firmware >= 20200619-99.git3890db36\
+Requires(pre): grub2 >= 2.02-99\
 Requires(preun): systemd >= 200\
 Conflicts: xfsprogs < 4.3.0-1\
 Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
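Review bot: The `#UNUSED, delete file after confirming it works:` / `#Source11: redhatsecurebootca5.cer` pair added in the `%else` branch is already stale, because this same diff deletes `redhatsecurebootca5.cer`; uncommenting `Source11` would now fail on a missing source and the note tells the next maintainer to do something already done, so drop both lines. The x86_64/aarch64 pairing also changed here and deserves a check: the removed lines used nickname `redhatsecureboot501` together with `secureboot_ca_1` (`%{SOURCE11}`, ca5), while the new `secureboot_key_0`/`pesign_name_0` pair `redhatsecureboot501.cer` with `secureboot_ca_0` (`redhatsecurebootca3.cer`) — if the `%pesign` macro (not visible here) builds a local NSS db from `-a`/`-c` for non-infrastructure builds, please confirm that `redhatsecureboot501.cer` really chains to `redhatsecurebootca3.cer`, e.g. by converting both to PEM and running `openssl verify -CAfile ca3.pem 501.pem`. Likewise, `Source15` is renamed to `redhatsecureboot303.cer` "to align file names with signing key names", yet the next hunk still signs it under `pesign_name_0 redhatsecureboot701` with `secureboot_ca_2` = `redhatsecurebootca7.cer`, so one of the two names looks wrong; `openssl x509 -inform der -noout -subject -issuer -in redhatsecureboot303.cer` settles it. Finally, the new `%if 0%{?centos}` branch sets `secureboot_key_0`/`pesign_name_0` for every architecture, whereas the `%else` branch splits them per `%ifarch`; if CentOS s390x/ppc64le builds are meant to sign with `centossecureboot201`, say so in a one-line comment, otherwise mirror the `%ifarch` split.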
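Review bot: `Requires(pre): grub2 >= 2.02-99\` is unconditional inside this macro body, but the spec signs kernels for `x86_64 aarch64 s390x ppc64le` (first hunk) and the s390x/ppc64le images go through the `rpm-sign` path rather than pesign, so please confirm a `grub2` package (or a provider of that name) exists and is wanted on each of those architectures; where it does not, the kernel package becomes uninstallable. If the dependency is meant to guarantee that the installed boot chain can verify a kernel that now carries only the `redhatsecureboot501` signature, note that on UEFI the kernel's Authenticode signature is, as far as I understand the shim/grub2 split, checked by shim's embedded vendor certificate rather than by grub2, so the real floor may belong on `shim` as well. A comment stating what the version floor enforces would help future readers, e.g. `# boot chain must verify the single post-BootHole kernel signature, see rhbz#2179095`. The `kernel_reqprovconf` macro this line belongs to starts and ends outside the hunk.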
@@ -1161,6 +1171,7 @@ done
 %endif
 # Add DUP and kpatch certificates to system trusted keys for RHEL
+%if 0%{?rhel}
 %if %{signkernel}%{signmodules}
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
@@ -1173,6 +1184,7 @@ for i in *.config; do
 sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i
 done
 %endif
+%endif
 cp %{SOURCE42} .
 ./process_configs.sh -w -c %{name} %{rpmversion} %{?cross_opts}
@@ -1317,9 +1329,7 @@ BuildKernel() {
 fi
 %ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
 %endif
 %ifarch s390x ppc64le
 if [ -x /usr/bin/rpm-sign ]; then
@@ -1745,16 +1755,14 @@ BuildKernel() {
 # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %else
+ %if 0%{?rhel}
 %ifarch ppc64le
 install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %else
 install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %endif
+ %else
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %endif
 %ifarch s390x ppc64le
 if [ $DoModules -eq 1 ]; then
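Review bot: The new guard `%if 0%{?rhel}` uses a different discriminator from the `%if 0%{?centos}` added to the Sources block, and the two are not complements: CentOS Stream builds normally define `%rhel` alongside `%centos` (in its `macros.dist`), so as far as I can tell this branch would still run on CentOS and add `rheldup3.pem`/`rhelkpatch1.pem` to `CONFIG_SYSTEM_TRUSTED_KEYS` of a CentOS kernel. That setting decides which module and kpatch signers the kernel trusts, so it should be an explicit decision rather than an accident of macro definitions. If the intent is RHEL-only, use the same test as the Sources block, `%if 0%{?rhel} && !0%{?centos}` (or simply `%if !0%{?centos}`), and extend the comment above to say which keys each distro's kernel is meant to trust. The wrapped `%if %{signkernel}%{signmodules}` block continues past the end of this hunk.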
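Review bot: Inside the new `%if 0%{?rhel}` branch, the `%ifarch ppc64le` line still installs `%{secureboot_ca_2}`, but `secureboot_ca_2` is only defined in the non-centos `%else` branch of the Sources block; if a CentOS ppc64le build also has `%rhel` defined (CentOS Stream normally does), this `install` sees an undefined macro and the build breaks, whereas testing `%{?centos}` here, as the Sources block does, would route it to the new `%else` line. The comment above `mkdir -p` is now also inaccurate for the CentOS case; suggest `# UEFI Secure Boot CA cert (Red Hat or CentOS, whichever the Sources block selected) that can be used to authenticate the kernel`. The previously shipped `kernel-signing-ca-20200609.cer` and `kernel-signing-ca-20140212.cer` names disappear with this hunk, leaving only `kernel-signing-ca.cer`, which is presumably intended but worth a line in the changelog since external tooling may look for those names. `BuildKernel()` starts and ends outside this hunk.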
@@ -2701,6 +2709,92 @@ fi
 #
 #
 %changelog
+* Thu Mar 30 2023 Luis Claudio R. Goncalves [4.18.0-479.rt7.268.el8]
+- [rt] build kernel-rt-4.18.0-479.rt7.268.el8 [2180997]
+- redhat: add centos signing certs (Denys Vlasenko)
+- redhat: fix "make rh-brew" not choosing _scratch_ build (Denys Vlasenko)
+- mfd: intel-lpss: Add Intel Meteor Lake-P PCI IDs (Prarit Bhargava) [2156843]
+- x86/cpu: Add CPU model numbers for Meteor Lake (Prarit Bhargava) [2153936]
+- redhat: require grub2 >= 2.02-99 (Denys Vlasenko) [2179095]
+- redhat: delete unused script and file (Denys Vlasenko) [2179095]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Denys Vlasenko) [2179095]
+- redhat: align file names with names of signing keys for ppc and s390 (Denys Vlasenko) [2179095]
+- net/tunnel: wait until all sk_user_data reader finish before releasing the sock (Hangbin Liu) [2176344]
+- powerpc/pseries: unregister VPA when hot unplugging a CPU (Mamatha Inamdar) [2143007]
+- net: mana: Fix IRQ name - add PCI and queue number (Mohammed Gamal) [2172474]
+- net: mana: Fix return type of mana_start_xmit() (Mohammed Gamal) [2172474]
+- net: mana: Define data structures for protection domain and memory registration (Mohammed Gamal) [2172474]
+- net: mana: Define and process GDMA response code GDMA_STATUS_MORE_ENTRIES (Mohammed Gamal) [2172474]
+- net: mana: Define max values for SGL entries (Mohammed Gamal) [2172474]
+- net: mana: Move header files to a common location (Mohammed Gamal) [2172474]
+- net: mana: Record port number in netdev (Mohammed Gamal) [2172474]
+- net: mana: Export Work Queue functions for use by RDMA driver (Mohammed Gamal) [2172474]
+- net: mana: Set the DMA device max segment size (Mohammed Gamal) [2172474]
+- net: mana: Handle vport sharing between devices (Mohammed Gamal) [2172474]
+- net: mana: Record the physical address for doorbell page region (Mohammed Gamal) [2172474]
+- net: mana: Add support for auxiliary device (Mohammed Gamal) [2172474]
+- hv_netvsc: Check status in SEND_RNDIS_PKT completion message (Mohammed Gamal) [2172438]
+- hv_netvsc: Allocate memory in netvsc_dma_map() with GFP_ATOMIC (Mohammed Gamal) [2172438]
+- hv_netvsc: Fix missed pagebuf entries in netvsc_dma_map/unmap() (Mohammed Gamal) [2172438]
+- Drivers: hv: Make remove callback of hyperv driver void returned (Mohammed Gamal) [2172438]
+- hv: fix comment typo in vmbus_channel/low_latency (Mohammed Gamal) [2172434]
+- x86/hyperv: Introduce HV_MAX_SPARSE_VCPU_BANKS/HV_VCPUS_PER_SPARSE_BANK constants (Mohammed Gamal) [2172434]
+- x86/hyperv: Fix hv_get/set_register for nested bringup (Mohammed Gamal) [2172434]
+- x86/hyperv: Add an interface to do nested hypercalls (Mohammed Gamal) [2172434]
+- Drivers: hv: Setup synic registers in case of nested root partition (Mohammed Gamal) [2172434]
+- x86/hyperv: Add support for detecting nested hypervisor (Mohammed Gamal) [2172434]
+- x86/hyperv: Add HV_EXPOSE_INVARIANT_TSC define (Mohammed Gamal) [2172434]
+- x86/hyperv: Expand definition of struct hv_vp_assist_page (Mohammed Gamal) [2172434]
+- KVM: x86: hyper-v: Expose support for extended gva ranges for flush hypercalls (Mohammed Gamal) [2172434]
+- x86/hyperv: Move VMCB enlightenment definitions to hyperv-tlfs.h (Mohammed Gamal) [2172434]
+- iommu/hyper-v: Allow hyperv irq remapping without x2apic (Mohammed Gamal) [2172434]
+- smp: Fix offline cpu check in flush_smp_call_function_queue() (Waiman Long) [2169471]
+- sched/fair: Trigger the update of blocked load on newly idle cpu (Waiman Long) [2169471]
+- redhat: rh-dist-git should depend on rh-srpm (Denys Vlasenko)
+- redhat: change kabi tarballs to use the package release (Denys Vlasenko)
+- redhat/Makefile: add variables used in rhel9 makefiles (Denys Vlasenko)
+- redhat/Makefile: Remove RHPRODUCT variable (Denys Vlasenko)
+- redhat/scripts/rh-dist-git.sh: expand sources from srpm (Denys Vlasenko)
+- redhat: remove GL_DISTGIT_USER, RHDISTGIT and unify dist-git cloning (Denys Vlasenko)
+- redhat/scripts/rh-dist-git.sh: Use Makefile variables (Denys Vlasenko)
+- redhat: fix typo and make the output more silent for dist-git sync (Denys Vlasenko)
+- redhat: add initial support for centos stream dist-git sync on Makefiles (Denys Vlasenko)
+- internal: update RHEL_MINOR for the start of RHEL-8.9 development (Denys Vlasenko)
+- watchdog: diag288_wdt: fix __diag288() inline assembly (Tobias Huschle) [2171361]
+- watchdog: diag288_wdt: do not use stack buffers for hardware data (Tobias Huschle) [2171361]
+- bonding: add documentation for peer_notif_delay (Ryosuke Yasuoka) [2171348]
+- net: mana: Fix IRQ name - add PCI and queue number (Mohammed Gamal) [2166787]
+- crypto: des - disallow des3 in FIPS mode (Vladis Dronov) [2175234]
+- self-tests: more rps self tests (Paolo Abeni) [2168878]
+- net: make default_rps_mask a per netns attribute (Paolo Abeni) [2168878]
+- self-tests: introduce self-tests for RPS default mask (Paolo Abeni) [2168878]
+- net: introduce default_rps_mask netns attribute (Paolo Abeni) [2168878]
+- net-sysctl: factor-out rpm mask manipulation helpers (Paolo Abeni) [2168878]
+- net-sysctl: factor out cpumask parsing helper (Paolo Abeni) [2168878]
+- txhash: Make rethinking txhash behavior configurable via sysctl (Paolo Abeni) [2168878]
+- net-sysfs: Call dev_hold always in rx_queue_add_kobject (Paolo Abeni) [2168878]
+- net-sysfs: Call dev_hold always in netdev_queue_add_kobject (Paolo Abeni) [2168878]
+- net-sysfs: fix netdev_queue_add_kobject() breakage (Paolo Abeni) [2168878]
+- net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject (Paolo Abeni) [2168878]
+- ice/ptp: fix the PTP worker retrying indefinitely if the link went down (Petr Oros) [2166392]
+- ice: reschedule ice_ptp_wait_for_offset_valid during reset (Petr Oros) [2166392]
+- ice: make Tx and Rx vernier offset calibration independent (Petr Oros) [2166392]
+- ice: only check set bits in ice_ptp_flush_tx_tracker (Petr Oros) [2166392]
+- ice: handle flushing stale Tx timestamps in ice_ptp_tx_tstamp (Petr Oros) [2166392]
+- ice: cleanup allocations in ice_ptp_alloc_tx_tracker (Petr Oros) [2166392]
+- ice: protect init and calibrating check in ice_ptp_request_ts (Petr Oros) [2166392]
+- ice: check Tx timestamp memory register for ready timestamps (Petr Oros) [2166392]
+- ice: handle discarding old Tx requests in ice_ptp_tx_tstamp (Petr Oros) [2166392]
+- ice: always call ice_ptp_link_change and make it void (Petr Oros) [2166392]
+- ice: fix misuse of "link err" with "link status" (Petr Oros) [2166392]
+- ice: Reset TS memory for all quads (Petr Oros) [2166392]
+- ice: Remove the E822 vernier "bypass" logic (Petr Oros) [2166392]
+- ice: Use more generic names for ice_ptp_tx fields (Petr Oros) [2166392]
+- ice: Merge pin initialization of E810 and E810T adapters (Petr Oros) [2166392]
+- ice: Check if reset in progress while waiting for offsets (Petr Oros) [2166392]
+- NFS: Judge the file access cache's timestamp in rcu path (Benjamin Coddington) [2161321]
+- redhat: switch to z-stream for 8.8 (Lucas Zampieri)
+
 * Thu Mar 30 2023 Luis Claudio R. Goncalves [4.18.0-478.rt7.267.el8]
 - [rt] build kernel-rt-4.18.0-478.rt7.267.el8 [2180997]
 - net/tunnel: wait until all sk_user_data reader finish before releasing the sock (Hangbin Liu) [2176344]
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
deleted file mode 100644
index 20e6604..0000000
Binary files a/redhatsecureboot301.cer and /dev/null differ
diff --git a/secureboot_s390.cer b/redhatsecureboot302.cer
similarity index 100%
rename from secureboot_s390.cer
rename to redhatsecureboot302.cer
diff --git a/secureboot_ppc.cer b/redhatsecureboot303.cer
similarity index 100%
rename from secureboot_ppc.cer
rename to redhatsecureboot303.cer
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
deleted file mode 100644
index dfb0284..0000000
Binary files a/redhatsecurebootca5.cer and /dev/null differ
diff --git a/sources b/sources
index 77d4449..6923605 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (linux-4.18.0-478.rt7.267.el8.tar.xz) = 5d7fce56f84ddba1ea4a7e256a6ed3e964e1716b394958e7b2532955dafa27ff0090c5f503100f190ae92cbafabde382857db595b4a2b6c7290c541596ea943f
+SHA512 (linux-4.18.0-479.rt7.268.el8.tar.xz) = 16417987fd4e3113b97f9da43a27e095d4fd152f29742a95039ebfbe8faacd02db038fccfdf18f2e00e277f4a7f4b93ab544d7c284add4521b9bb8dbe2e69433