diff --git a/grub2-SUSE-Add-the-t-hotkey.patch b/grub2-SUSE-Add-the-t-hotkey.patch
index 2e84634..b2de145 100644
--- a/grub2-SUSE-Add-the-t-hotkey.patch
+++ b/grub2-SUSE-Add-the-t-hotkey.patch
@@ -11,18 +11,21 @@ allow them to get their boot menu on the serial console, let's add a new
 hidden option "t" that switches the output device back to the firmware default.
 
 Signed-off-by: Alexander Graf <agraf@suse.de>
-
 ---
 
 v1 -> v2
 
   - use hiddenentry instead of --hidden
 
-diff --git a/Makefile.util.def b/Makefile.util.def
-index f9caccb..d94de92 100644
---- a/Makefile.util.def
-+++ b/Makefile.util.def
-@@ -504,6 +504,12 @@ script = {
+v2 -> v3 (by fvogt@suse.de)
+
+  - make it a runtime decision (bsc#1164385)
+
+Index: grub-2.04/Makefile.util.def
+===================================================================
+--- grub-2.04.orig/Makefile.util.def
++++ grub-2.04/Makefile.util.def
+@@ -525,6 +525,12 @@ script = {
    installdir = grubconf;
  };
  
@@ -35,34 +38,35 @@ index f9caccb..d94de92 100644
  program = {
    mansection = 1;
    name = grub-mkrescue;
-diff --git a/util/grub.d/00_header.in b/util/grub.d/00_header.in
-index 93a9023..b6ec7e2 100644
---- a/util/grub.d/00_header.in
-+++ b/util/grub.d/00_header.in
-@@ -184,6 +184,9 @@ EOF
- 	    fi
+Index: grub-2.04/util/grub.d/00_header.in
+===================================================================
+--- grub-2.04.orig/util/grub.d/00_header.in
++++ grub-2.04/util/grub.d/00_header.in
+@@ -240,6 +240,10 @@ EOF
  	fi
  
-+    if [ -d /sys/firmware/efi ]; then
-+      echo 'echo "Please press 't' to show the boot menu on this console"'
-+    fi
      cat << EOF
++  if [ "\${grub_platform}" = "efi" ]; then
++    echo "Please press 't' to show the boot menu on this console"
++  fi
++
    set gfxmode=${GRUB_GFXMODE}
    load_video
-diff --git a/util/grub.d/95_textmode.in b/util/grub.d/95_textmode.in
-new file mode 100644
-index 0000000..fa48cf9
+   insmod gfxterm
+Index: grub-2.04/util/grub.d/95_textmode.in
+===================================================================
 --- /dev/null
-+++ b/util/grub.d/95_textmode.in
-@@ -0,0 +1,11 @@
++++ grub-2.04/util/grub.d/95_textmode.in
+@@ -0,0 +1,12 @@
 +#!/bin/sh
 +
-+if [ -d /sys/firmware/efi ]; then
-+    echo "
-+    # On EFI systems we can only have graphics *or* serial, so allow the user
-+    # to switch between the two
-+    hiddenentry 'Text mode' --hotkey 't' {
-+	set textmode=true
-+	terminal_output console
-+    }"
++cat <<EOF
++if [ "\${grub_platform}" = "efi" ]; then
++  # On EFI systems we can only have graphics *or* serial, so allow the user
++  # to switch between the two
++  hiddenentry 'Text mode' --hotkey 't' {
++    set textmode=true
++    terminal_output console
++  }
 +fi
++EOF
diff --git a/grub2-s390x-11-secureboot.patch b/grub2-s390x-11-secureboot.patch
new file mode 100644
index 0000000..6a8b177
--- /dev/null
+++ b/grub2-s390x-11-secureboot.patch
@@ -0,0 +1,153 @@
+---
+ grub-core/loader/emu/linux.c  |    4 ++--
+ util/s390x/dracut-grub2.sh.in |   14 ++++++++++++--
+ util/s390x/zipl2grub.conf.in  |    1 +
+ util/s390x/zipl2grub.pl.in    |   31 ++++++++++++++++++++++---------
+ 4 files changed, 37 insertions(+), 13 deletions(-)
+
+--- a/grub-core/loader/emu/linux.c
++++ b/grub-core/loader/emu/linux.c
+@@ -38,7 +38,7 @@ grub_linux_boot (void)
+ {
+   grub_err_t rc = GRUB_ERR_NONE;
+   char *initrd_param;
+-  const char *kexec[] = { "kexec", "-l", kernel_path, boot_cmdline, NULL, NULL };
++  const char *kexec[] = { "kexec", "-la", kernel_path, boot_cmdline, NULL, NULL };
+   const char *systemctl[] = { "systemctl", "kexec", NULL };
+   int kexecute = grub_util_get_kexecute();
+ 
+@@ -51,7 +51,7 @@ grub_linux_boot (void)
+     //return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("initrd required!"));
+   }
+ 
+-  grub_printf("%serforming 'kexec -l %s %s %s'\n",
++  grub_printf("%serforming 'kexec -la %s %s %s'\n",
+ 	(kexecute) ? "P" : "Not p",
+ 	kernel_path, initrd_param, boot_cmdline);
+ 
+--- a/util/s390x/dracut-grub2.sh.in
++++ b/util/s390x/dracut-grub2.sh.in
+@@ -18,6 +18,9 @@ if getargbool 0 initgrub && [ ! -e /grub
+    done < /proc/mounts
+    echo $rofs
+   }
++  checkcat() {
++    [ -r $1 ] && cat $1
++  }
+   checkd() {
+     [ -d $1 ] && echo true || echo false
+   }
+@@ -63,6 +66,7 @@ if getargbool 0 initgrub && [ ! -e /grub
+     export grub2bootfs=$(checkboot)
+     export grub2devfs=$(checkd /sysroot/dev/disk)
+     export grub2snap=$(checksnap)
++    export grub2secure=$(checkcat /sys/firmware/ipl/secure)
+     debug "" export -p
+ 
+         _ctty="$(RD_DEBUG= getarg rd.ctty=)" && _ctty="/dev/${_ctty##*/}"
+@@ -93,7 +97,7 @@ if getargbool 0 initgrub && [ ! -e /grub
+     debug "Trying grub2-emu (ro=$grub2rofs, TERM=$TERM, ctty=$_ctty)..."
+     setsid $CTTY -- chroot /sysroot $bindir/grub2-emu -X -X 0<>$_ctty 1>&0 2>&0
+ 
+-    if [ -x /sysroot@libdir@/grub2/zipl-refresh ]; then
++    if [ "$grub2secure" != 1 ]&&[ -x /sysroot@libdir@/grub2/zipl-refresh ]; then
+ 	setsid $CTTY -- /sysroot@libdir@/grub2/zipl-refresh 0<>$_ctty 1>&0 2>&0
+ 	if [ $? != 0 ]; then
+ 	    warn "Not continuing"
+@@ -103,12 +107,18 @@ if getargbool 0 initgrub && [ ! -e /grub
+ 	    sleep 3
+ 	    reboot
+ 	fi
+-    else
++    elif [ "$grub2secure" != 1 ]; then
+ 	echo "
+   Attention: 'grub2' failed to start the target kernel and 'zipl-refresh'
+   is not available.  This should never happen.  Please contact support." >& $_ctty
+ 	warn "Not continuing"
+ 	emergency_shell -n grub2-emu-kexec
++    else
++	echo "
++  Attention: 'grub2' failed to start the target kernel and secure boot seems
++  active.  Automatic recovery not available.  Please contact support." >& $_ctty
++	warn "Not continuing"
++	emergency_shell -n grub2-emu-kexec
+     fi
+ 
+     $grub2snap || umount /sysroot/.snapshots
+--- a/util/s390x/zipl2grub.conf.in
++++ b/util/s390x/zipl2grub.conf.in
+@@ -45,6 +45,7 @@ defaultmenu = menu
+     timeout = 60
+     default = 1
+     prompt = 0
++    secure = @SUSE_SECURE_BOOT@
+     1 = grub2
+     2 = skip-grub2
+     3 = grub2-mem1G
+--- a/util/s390x/zipl2grub.pl.in
++++ b/util/s390x/zipl2grub.pl.in
+@@ -21,6 +21,7 @@ my $miss = 0;
+ my $cfg = "";
+ my %fsdev = ();
+ my %fstype = ();
++my %SBL = (); # key/value of $sysconfbl
+ 
+ my %C = (
+   GRUB_CMDLINE_LINUX_DEFAULT => "quiet splash=silent",
+@@ -251,6 +252,15 @@ if ( -r $default ) {
+   }
+   close( IN);
+ }
++if ( -r $sysconfbl ) {
++  open( IN, "< $sysconfbl") ||  die;
++  while ( <IN> ) {
++    next if ( m{^\s*#} );
++    next unless ( m{^\s*([^=#\s]+)="(.*)"(?:\s*|\s+#.*)$} );
++    $SBL{$1} = $2;
++  }
++  close( IN);
++}
+ if ( -r "/etc/fstab" ) {
+   my $regex = qr{^(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(?:#.*)?$};
+   open( IN, "< /etc/fstab") || die;
+@@ -313,21 +323,21 @@ if ( ! exists( $C{GRUB_DEVICE}) ) {
+   }
+ }
+ if ( $C{GRUB_CMDLINE_LINUX_DEFAULT} eq "quiet splash=silent" &&
+-     -r $sysconfbl) {
+-  open( IN, "< $sysconfbl") ||  die;
+-  while ( <IN> ) {
+-    next if ( m{^\s*#} );
+-    if ( m{^DEFAULT_APPEND=".*"(?:\s*|\s+#.*)$} ) {
+-      $C{GRUB_CMDLINE_LINUX_DEFAULT} = $1;
+-    }
+-  }
+-  close( IN);
++     exists( $SBL{DEFAULT_APPEND}) ) {
++  $C{GRUB_CMDLINE_LINUX_DEFAULT} = $SBL{DEFAULT_APPEND};
+ }
+ 
+ if ( ! exists( $C{GRUB_DEVICE})) {
+   Panic( 0, "$C: Default not ready and no fallback.  Please retry later!\n");
+ }
+ 
++if ( !exists( $C{SUSE_SECURE_BOOT}) ) {
++  $C{SUSE_SECURE_BOOT} = "0";
++  if ( exists( $SBL{SECURE_BOOT}) && $SBL{SECURE_BOOT} =~ m{^(yes|true|1)$} ) {
++    $C{SUSE_SECURE_BOOT} = "1";
++  }
++}
++
+ if ( ! exists( $C{GRUB_EMU_CONMODE}) && exists( $C{GRUB_CONMODE}) ) {
+   # GRUB_CONMODE is used for 'grub2-emu' as well
+   $C{GRUB_EMU_CONMODE} = $C{GRUB_CONMODE};
+@@ -360,6 +370,9 @@ if ( $debug && $verbose > 2 ) {
+   foreach ( sort( keys( %C)) ) {
+     printf( "%s=\"%s\"\n", $_, $C{$_});
+   }
++  foreach ( sort( keys( %SBL)) ) {
++    printf( "SBL: %s=\"%s\"\n", $_, $SBL{$_});
++  }
+ }
+ 
+ open( IN, "< $in") ||
diff --git a/grub2.changes b/grub2.changes
index 74c9e09..2373e8d 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Mar 12 08:29:55 UTC 2020 - Fabian Vogt <fvogt@suse.com>
+
+- Adjust patch to make EFI detection a runtime decision (bsc#1164385):
+  * grub2-SUSE-Add-the-t-hotkey.patch
+
+-------------------------------------------------------------------
+Fri Feb 28 16:36:57 UTC 2020 - rw@suse.com
+
+- Add secure boot support for s390x.  (jsc#SLE-9425)
+  * grub2-s390x-11-secureboot.patch
+
 -------------------------------------------------------------------
 Tue Feb 18 08:43:30 UTC 2020 - Michael Chang <mchang@suse.com>
 
diff --git a/grub2.spec b/grub2.spec
index 9af7ddd..41fccd4 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package grub2
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -153,7 +153,7 @@ Release:        0
 Summary:        Bootloader with support for Linux, Multiboot and more
 License:        GPL-3.0-or-later
 Group:          System/Boot
-Url:            http://www.gnu.org/software/grub/
+URL:            http://www.gnu.org/software/grub/
 Source0:        https://ftp.gnu.org/gnu/grub/grub-%{version}.tar.xz
 Source1:        90_persistent
 Source2:        grub.default
@@ -279,6 +279,7 @@ Patch421:       0002-AUDIT-0-http-boot-tracker-bug.patch
 # and/or use fallback entry if default kernel entry removed (bsc#1065349)
 Patch430:       grub2-mkconfig-default-entry-correction.patch
 Patch431:       grub2-s390x-10-keep-network-at-kexec.patch
+Patch432:       grub2-s390x-11-secureboot.patch
 # Support for UEFI Secure Boot on AArch64 (FATE#326541)
 Patch450:       grub2-secureboot-install-signed-grub.patch
 Patch501:       grub2-btrfs-help-on-snapper-rollback.patch
@@ -553,6 +554,7 @@ swap partition while in resuming
 %patch421 -p1
 %patch430 -p1
 %patch431 -p1
+%patch432 -p1
 %patch450 -p1
 %patch501 -p1
 %patch510 -p1