diff --git a/Makefile.rhelver b/Makefile.rhelver
index c65665116..aa1461a54 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 8
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 627
+RHEL_RELEASE = 628
 
 #
 # ZSTREAM
diff --git a/kernel.changelog b/kernel.changelog
index dbe4b8a3d..7af23ced2 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,24 @@
+* Wed Oct 22 2025 Patrick Talbert <ptalbert@redhat.com> [5.14.0-628.el9]
+- s390/qeth: Make hw_trap sysfs attribute idempotent (Mete Durlu) [RHEL-99997]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119116] {CVE-2025-39841}
+- cgroup/cpuset: Remove the unnecessary css_get/put() in cpuset_partition_write() (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Fix a partition error with CPU hotplug (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: drop useless cpumask_empty() in compute_effective_exclusive_cpumask() (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Fix obsolete comment in cpuset_css_offline() (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Always use cpu_active_mask (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Remove unneeded goto in sched_partition_write() and rename it (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Don't allow creation of local partition over a remote one (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: remove kernfs active break (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Remove stale text (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Disable cpuset_cpumask_can_shrink() test if not load balancing (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set (Waiman Long) [RHEL-107751]
+- do_io_accounting: use sig->stats_lock (Waiman Long) [RHEL-105165]
+- do_io_accounting: use __for_each_thread() (Waiman Long) [RHEL-105165]
+- procfs: block chmod on /proc/thread-self/comm (Waiman Long) [RHEL-105165]
+Resolves: RHEL-105165, RHEL-107751, RHEL-119116, RHEL-99997
+
 * Tue Oct 21 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-627.el9]
 - pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122069] {CVE-2023-53331}
 - NFSv4: handle ERR_GRACE on delegation recalls (Scott Mayhew) [RHEL-115855]
@@ -1287,6 +1308,10 @@ Resolves: RHEL-102691, RHEL-105063, RHEL-107194, RHEL-110206, RHEL-110235, RHEL-
 - soc/tegra: pmc: Add SD wake event for Tegra234 (Marcin Juszkiewicz) [RHEL-26405]
 Resolves: RHEL-102713, RHEL-104119, RHEL-104667, RHEL-105598, RHEL-105605, RHEL-26405, RHEL-26426, RHEL-95631
 
+* Fri Oct 17 2025 Augusto Caringi <acaringi@redhat.com> [5.14.0-611.5.1.el9_7]
+- redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122230]
+Resolves: RHEL-122230
+
 * Wed Oct 08 2025 Augusto Caringi <acaringi@redhat.com> [5.14.0-611.4.1.el9_7]
 - drm/amdgpu: Include sdma_4_4_4.bin (Peter Colberg) [RHEL-117568]
 - redhat: use new x86/aarch64 signing key (801/804) (Augusto Caringi) [RHEL-116727]
diff --git a/kernel.spec b/kernel.spec
index f20aa567e..3cc069492 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 627
+%define pkgrelease 628
 %define kversion 5
-%define tarfile_release 5.14.0-627.el9
+%define tarfile_release 5.14.0-628.el9
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 627%{?buildid}%{?dist}
+%define specrelease 628%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-627.el9
+%define kabiversion 5.14.0-628.el9
 
 #
 # End of genspec.sh variables
@@ -902,6 +902,9 @@ Source150: dracut-virt.conf
 Source151: uki_create_addons.py
 Source152: uki_addons.json
 
+# Temporary use redhatsecureboot504 for x86 UKI, see RHEL-122230
+Source153: redhatsecureboot504.cer
+
 Source200: check-kabi
 
 Source201: Module.kabi_aarch64
@@ -2417,10 +2420,12 @@ BuildKernel() {
 
 %if 0%{?centos}
 	UKI_secureboot_name=centossecureboot204
-%else
-	UKI_secureboot_name=redhatsecureboot804
-%endif
 	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer
+%else
+	# RHEL only builds UKI for x86
+	UKI_secureboot_name=redhatsecureboot504
+	UKI_secureboot_cert=%{SOURCE153}
+%endif
 
         %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
         if [ ! -s $KernelUnifiedImage.signed ]; then
@@ -2435,6 +2440,9 @@ BuildKernel() {
         mv $addon.signed $addon
       done
 
+      mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
+      cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer
+
 # signkernel
 %endif
 
@@ -3684,6 +3692,26 @@ fi
 #
 #
 %changelog
+* Wed Oct 22 2025 Patrick Talbert <ptalbert@redhat.com> [5.14.0-628.el9]
+- s390/qeth: Make hw_trap sysfs attribute idempotent (Mete Durlu) [RHEL-99997]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119116] {CVE-2025-39841}
+- cgroup/cpuset: Remove the unnecessary css_get/put() in cpuset_partition_write() (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Fix a partition error with CPU hotplug (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: drop useless cpumask_empty() in compute_effective_exclusive_cpumask() (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Extend kthread_is_per_cpu() check to all PF_NO_SETAFFINITY tasks (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Fix obsolete comment in cpuset_css_offline() (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Always use cpu_active_mask (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Remove unneeded goto in sched_partition_write() and rename it (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Don't allow creation of local partition over a remote one (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: remove kernfs active break (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Remove stale text (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Disable cpuset_cpumask_can_shrink() test if not load balancing (Waiman Long) [RHEL-107751]
+- cgroup/cpuset: Further optimize code if CONFIG_CPUSETS_V1 not set (Waiman Long) [RHEL-107751]
+- do_io_accounting: use sig->stats_lock (Waiman Long) [RHEL-105165]
+- do_io_accounting: use __for_each_thread() (Waiman Long) [RHEL-105165]
+- procfs: block chmod on /proc/thread-self/comm (Waiman Long) [RHEL-105165]
+
 * Tue Oct 21 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-627.el9]
 - pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122069] {CVE-2023-53331}
 - NFSv4: handle ERR_GRACE on delegation recalls (Scott Mayhew) [RHEL-115855]
diff --git a/redhatsecureboot504.cer b/redhatsecureboot504.cer
new file mode 100644
index 000000000..dfeccf644
Binary files /dev/null and b/redhatsecureboot504.cer differ
diff --git a/sources b/sources
index 816a329fe..26c154af3 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14.0-627.el9.tar.xz) = b2370c082157a4c8f873eeac8a22efdd8a034fc960bb35e64dac668bd0e248f480c432f8a74ae5928eb4c66289365b697adb5a207f6e30f7094835503f7c4c67
-SHA512 (kernel-abi-stablelists-5.14.0-627.el9.tar.bz2) = 161af0e5dc7c76a3fd207686a5a750ec6fe71ec01fbc620342f56d2bc2a6ddb04048094f62e4c3d3e53cdc169473f0c35f2a2d09202705a563bc1c94678083de
-SHA512 (kernel-kabi-dw-5.14.0-627.el9.tar.bz2) = 0a9710400b727f3821fd722ad5fa95d4fe14014732513f7fcca6ad83f5017cb8378e7fa70fa97b4bc4204627f6d05ec17a09a52c75a5acbfc5d81409842060c4
+SHA512 (linux-5.14.0-628.el9.tar.xz) = 34e6264a7f073df413228a6387d69ec6b442193061d523c8c78ff0c6fefd13585a5b4c5c5a590ba96cf506a4b1a587a9e0a017498acead6b6e2196a10ec2917c
+SHA512 (kernel-abi-stablelists-5.14.0-628.el9.tar.bz2) = 5e482cef14ee8a1e7261009547c35b56ced18d79024f812d21e26fcac3d4aed4d99d09539f5df8f7e17352bdaf51e7b087617d3c86c5f0626389c3a61d2e30f2
+SHA512 (kernel-kabi-dw-5.14.0-628.el9.tar.bz2) = ff3357fa5572b2558a6e39245d8ab35a4e1a74a33ca02a85ca20a2b97a93e202078515275dc7d8097291af45ceab78636ed836a43f7fbb987fd91b476265a7f3