diff --git a/kernel.spec b/kernel.spec
old mode 100755
new mode 100644
index 7ac958e17..cf13b2d1a
--- a/kernel.spec
+++ b/kernel.spec
@@ -12,7 +12,7 @@
 # change below to w4T.xzdio):
 %define _binary_payload w3T.xzdio
-%global distro_build 478
+%global distro_build 479
 # Sign the x86_64 kernel for secure boot authentication
 %ifarch x86_64 aarch64 s390x ppc64le
@@ -38,10 +38,10 @@
 # define buildid .local
 %define rpmversion 4.18.0
-%define pkgrelease 478.el8
+%define pkgrelease 479.el8
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 478%{?dist}
+%define specrelease 479%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -448,10 +448,9 @@ Source9: x509.genkey
 Source10: redhatsecurebootca3.cer
 Source11: redhatsecurebootca5.cer
-Source12: redhatsecureboot301.cer
 Source13: redhatsecureboot501.cer
-Source14: secureboot_s390.cer
-Source15: secureboot_ppc.cer
+Source14: redhatsecureboot302.cer
+Source15: redhatsecureboot303.cer
 Source16: redhatsecurebootca7.cer
 %define secureboot_ca_0 %{SOURCE10}
@@ -459,10 +458,8 @@ Source16: redhatsecurebootca7.cer
 %define secureboot_ca_2 %{SOURCE16}
 %ifarch x86_64 aarch64
-%define secureboot_key_0 %{SOURCE12}
-%define pesign_name_0 redhatsecureboot301
-%define secureboot_key_1 %{SOURCE13}
-%define pesign_name_1 redhatsecureboot501
+%define secureboot_key_0 %{SOURCE13}
+%define pesign_name_0 redhatsecureboot501
 %endif
 %ifarch s390x
@@ -572,6 +569,7 @@ Provides: %{name}-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 Requires(pre): %{kernel_prereq}\
 Requires(pre): %{initrd_prereq}\
 Requires(pre): linux-firmware >= 20200619-99.git3890db36\
+Requires(pre): grub2 >= 2.02-99\
 Requires(preun): systemd >= 200\
 Conflicts: xfsprogs < 4.3.0-1\
 Conflicts: xorg-x11-drv-vmmouse < 13.0.99\
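Review bot: The `redhatsecureboot501` certificate changes its CA pairing in the `@@ -459,10 +458,8 @@` hunk: as `secureboot_key_1` it was handed to `%pesign` together with `-a %{secureboot_ca_1}`, and as `secureboot_key_0` it is now handed over with `-a %{secureboot_ca_0}`, which the context line of the previous hunk still defines as `%{SOURCE10}` (redhatsecurebootca3.cer). No visible hunk redefines `secureboot_ca_0`, so the signing call in `@@ -1316,9 +1314,7 @@` and the `kernel-signing-ca.cer` installed in `@@ -1744,16 +1740,10 @@` both end up with the CA that used to accompany the dropped 301 certificate. If 501 is in fact issued by the CA behind `secureboot_ca_1`, the x86_64/aarch64 `%pesign` line and doc install should reference `%{secureboot_ca_1}` instead; if the pairing is intentional, a comment next to `%define secureboot_key_0 %{SOURCE13}` naming the issuing CA would settle it. The definition of `secureboot_ca_1` lies between the two hunks and is not visible here.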
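Review bot: The added `Requires(pre): grub2 >= 2.02-99\` in the `@@ -572,6 +569,7 @@` hunk has no visible architecture guard, and it sits in a backslash-continued macro whose start and end are outside the hunk. The spec also builds s390x and ppc64le (see the `%ifarch` lines elsewhere in this diff), so it is worth confirming that grub2 at this version exists on every architecture and install profile that expands the macro; otherwise the kernel package becomes uninstallable there. The line also records no rationale. A comment above the macro definition, for example `# grub2 floor added together with the removal of the pre-BootHole signing certificate (bz 2179095)`, would keep the link to the certificate change visible; that wording is inferred from the changelog entries and should be checked against the bug.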
@@ -1316,9 +1314,7 @@ BuildKernel() {
 fi
 %ifarch x86_64 aarch64
- %pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
- %pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
- rm vmlinuz.tmp
+ %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
 %endif
 %ifarch s390x ppc64le
 if [ -x /usr/bin/rpm-sign ]; then
@@ -1744,16 +1740,10 @@ BuildKernel() {
 # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
- %ifarch x86_64 aarch64
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
- install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
- ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
+ %ifarch ppc64le
+ install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %else
- %ifarch ppc64le
- install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %else
- install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
- %endif
+ install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
 %endif
 %ifarch s390x ppc64le
 if [ $DoModules -eq 1 ]; then
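Review bot: In the `@@ -1744,16 +1740,10 @@` hunk, x86_64 and aarch64 lose the dated files `kernel-signing-ca-20200609.cer` and `kernel-signing-ca-20140212.cer`, and `kernel-signing-ca.cer` turns from a symlink into a regular file. Documentation or verification tooling that refers to the dated names will stop finding them after the upgrade, so it is worth searching for such references. The surviving comment `# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel` could state the invariant the block now relies on, for example `# must be the CA that issued the certificate named by pesign_name_0 (secureboot_ca_2 on ppc64le)`. BuildKernel's body starts and ends outside the hunk.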
@@ -2698,6 +2688,13 @@ fi
 #
 #
 %changelog
+* Fri Mar 17 2023 Denys Vlasenko [4.18.0-479.el8]
+- x86/cpu: Add CPU model numbers for Meteor Lake (Prarit Bhargava) [2153936]
+- redhat: require grub2 >= 2.02-99 (Denys Vlasenko) [2179095]
+- redhat: delete unused script and file (Denys Vlasenko) [2179095]
+- redhat: drop certificates that were deprecated after GRUB's BootHole flaw (Denys Vlasenko) [2179095]
+- redhat: align file names with names of signing keys for ppc and s390 (Denys Vlasenko) [2179095]
+
 * Thu Mar 16 2023 Denys Vlasenko [4.18.0-478.el8]
 - net/tunnel: wait until all sk_user_data reader finish before releasing the sock (Hangbin Liu) [2176344]
 - powerpc/pseries: unregister VPA when hot unplugging a CPU (Mamatha Inamdar) [2143007]
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
deleted file mode 100644
index 20e660479..000000000
Binary files a/redhatsecureboot301.cer and /dev/null differ
diff --git a/secureboot_s390.cer b/redhatsecureboot302.cer
similarity index 100%
rename from secureboot_s390.cer
rename to redhatsecureboot302.cer
diff --git a/secureboot_ppc.cer b/redhatsecureboot303.cer
similarity index 100%
rename from secureboot_ppc.cer
rename to redhatsecureboot303.cer
diff --git a/sources b/sources
index b8b21f47c..f3de3c1b7 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-478.el8.tar.xz) = b03724bc29c2b64cca56feba5e4eeeb433d65882c9032e08840fbbe98769289fd9db6a2fc066b06324a4c9c8d1676e5bda829355512882636307717aa33bef9a
-SHA512 (kernel-abi-stablelists-4.18.0-478.tar.bz2) = 20421438c7acdc6ca8a6d35159a681fafad36e20f8979036fedd62e13a4b9389e6e8a77380d8f31adbe2dfc43b08f3afb0ab8adc884395b1f3344504c07cfefb
-SHA512 (kernel-kabi-dw-4.18.0-478.tar.bz2) = e91527cddef81a7b0e90403b890ca444975ff0f59aae5b99e93ffc187b3e8031e4e09cacaed4d667d25eaa149919b08580f9132e5684229f15d03e21b988439a
+SHA512 (linux-4.18.0-479.el8.tar.xz) = 869dedc389501dc314ff6a50c3550956e29bbb205b4db33c0c19f9fdc044aaaf2f9e71a8cec30de32487ff55a37f9de2cd188b44d53f19ec1f9fbae15864ded2
+SHA512 (kernel-abi-stablelists-4.18.0-479.tar.bz2) = dba639a523d927e581d1df43b0b94024a42692f2be79a5e827b3ab971395ac25e7738eba848dc537baec3b7eabdec707ab3fbed9e01e262ecb47bcf544fa4f66
+SHA512 (kernel-kabi-dw-4.18.0-479.tar.bz2) = e91527cddef81a7b0e90403b890ca444975ff0f59aae5b99e93ffc187b3e8031e4e09cacaed4d667d25eaa149919b08580f9132e5684229f15d03e21b988439a