diff --git a/Patchlist.changelog b/Patchlist.changelog
index b084adf74..06f718004 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,6 @@
+"https://gitlab.com/cki-project/kernel-ark/-/commit"/f1d87b42e9ac0ca6233ba1906ddcec6407510018
+ f1d87b42e9ac0ca6233ba1906ddcec6407510018 tpm: Enable hwrng only for Pluton on AMD CPUs
+
 "https://gitlab.com/cki-project/kernel-ark/-/commit"/96a82a41ac7aafd328375d3391873f0c3b2cb7e8
  96a82a41ac7aafd328375d3391873f0c3b2cb7e8 erofs: ensure that the post-EOF tails are all zeroed
 
diff --git a/kernel.spec b/kernel.spec
index e9812fab7..bc7e03d08 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -171,18 +171,18 @@ Summary: The Linux kernel
 #  the --with-release option overrides this setting.)
 %define debugbuildsenabled 1
 # define buildid .local
-%define specrpmversion 6.4.14
-%define specversion 6.4.14
+%define specrpmversion 6.4.15
+%define specversion 6.4.15
 %define patchversion 6.4
 %define pkgrelease 200
 %define kversion 6
-%define tarfile_release 6.4.14
+%define tarfile_release 6.4.15
 # This is needed to do merge window version magic
 %define patchlevel 4
 # This allows pkg_release to have configurable %%{?dist} tag
 %define specrelease 200%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.4.14
+%define kabiversion 6.4.15
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -3817,6 +3817,11 @@ fi\
 #
 #
 %changelog
+* Wed Sep 06 2023 Augusto Caringi <acaringi@redhat.com> [6.4.15-0]
+- Add TPM bug to BugsFixed (Justin M. Forbes)
+- tpm: Enable hwrng only for Pluton on AMD CPUs (Jarkko Sakkinen)
+- Linux v6.4.15
+
 * Sat Sep 02 2023 Justin M. Forbes <jforbes@fedoraproject.org> [6.4.14-0]
 - Add bug fixed by 6.4.14 (Justin M. Forbes)
 - erofs: ensure that the post-EOF tails are all zeroed (Gao Xiang)
diff --git a/patch-6.4-redhat.patch b/patch-6.4-redhat.patch
index 5663f7765..40e55150a 100644
--- a/patch-6.4-redhat.patch
+++ b/patch-6.4-redhat.patch
@@ -12,6 +12,7 @@
  drivers/ata/libahci.c                              |  18 +++
  drivers/char/ipmi/ipmi_dmi.c                       |  15 +++
  drivers/char/ipmi/ipmi_msghandler.c                |  16 ++-
+ drivers/char/tpm/tpm_crb.c                         |  33 ++----
  drivers/firmware/efi/Makefile                      |   1 +
  drivers/firmware/efi/efi.c                         | 124 +++++++++++++++------
  drivers/firmware/efi/secureboot.c                  |  38 +++++++
@@ -22,7 +23,6 @@
  drivers/iommu/iommu.c                              |  22 ++++
  drivers/pci/quirks.c                               |  24 ++++
  drivers/usb/core/hub.c                             |   7 ++
- fs/erofs/zdata.c                                   |   2 +
  include/linux/efi.h                                |  22 ++--
  include/linux/lsm_hook_defs.h                      |   2 +
  include/linux/module.h                             |   1 +
@@ -38,10 +38,10 @@
  security/lockdown/Kconfig                          |  13 +++
  security/lockdown/lockdown.c                       |   1 +
  security/security.c                                |  12 ++
- 40 files changed, 520 insertions(+), 191 deletions(-)
+ 40 files changed, 526 insertions(+), 216 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index 97611fe99c8f..d10c062e632d 100644
+index 212d1c7e4a1a..85f5a8b70878 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -22,6 +22,18 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
@@ -430,6 +430,57 @@ index 186f1fee7534..93e3a76596ff 100644
  	mutex_lock(&ipmi_interfaces_mutex);
  	rv = ipmi_register_driver();
  	mutex_unlock(&ipmi_interfaces_mutex);
+diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
+index 9eb1a1859012..a5dbebb1acfc 100644
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -463,28 +463,6 @@ static bool crb_req_canceled(struct tpm_chip *chip, u8 status)
+ 	return (cancel & CRB_CANCEL_INVOKE) == CRB_CANCEL_INVOKE;
+ }
+
+-static int crb_check_flags(struct tpm_chip *chip)
+-{
+-	u32 val;
+-	int ret;
+-
+-	ret = crb_request_locality(chip, 0);
+-	if (ret)
+-		return ret;
+-
+-	ret = tpm2_get_tpm_pt(chip, TPM2_PT_MANUFACTURER, &val, NULL);
+-	if (ret)
+-		goto release;
+-
+-	if (val == 0x414D4400U /* AMD */)
+-		chip->flags |= TPM_CHIP_FLAG_HWRNG_DISABLED;
+-
+-release:
+-	crb_relinquish_locality(chip, 0);
+-
+-	return ret;
+-}
+-
+ static const struct tpm_class_ops tpm_crb = {
+ 	.flags = TPM_OPS_AUTO_STARTUP,
+ 	.status = crb_status,
+@@ -826,9 +804,14 @@ static int crb_acpi_add(struct acpi_device *device)
+ 	if (rc)
+ 		goto out;
+
+-	rc = crb_check_flags(chip);
+-	if (rc)
+-		goto out;
++#ifdef CONFIG_X86
++	/* A quirk for https://www.amd.com/en/support/kb/faq/pa-410 */
++	if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD &&
++	    priv->sm != ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON) {
++		dev_info(dev, "Disabling hwrng\n");
++		chip->flags |= TPM_CHIP_FLAG_HWRNG_DISABLED;
++	}
++#endif /* CONFIG_X86 */
+
+ 	rc = tpm_chip_register(chip);
+
 diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
 index b51f2a4c821e..be31d32aba53 100644
 --- a/drivers/firmware/efi/Makefile
@@ -1105,19 +1156,6 @@ index 97a0f8faea6e..d837548d2024 100644
  	/* Lock the device, then check to see if we were
  	 * disconnected while waiting for the lock to succeed. */
  	usb_lock_device(hdev);
-diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
-index 470988bb7867..9a7c8bb0590f 100644
---- a/fs/erofs/zdata.c
-+++ b/fs/erofs/zdata.c
-@@ -993,6 +993,8 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
- 	cur = end - min_t(erofs_off_t, offset + end - map->m_la, end);
- 	if (!(map->m_flags & EROFS_MAP_MAPPED)) {
- 		zero_user_segment(page, cur, end);
-+		++spiltted;
-+		tight = false;
- 		goto next_part;
- 	}
- 	if (map->m_flags & EROFS_MAP_FRAGMENT) {
 diff --git a/include/linux/efi.h b/include/linux/efi.h
 index 571d1a6e1b74..8f786e38de3f 100644
 --- a/include/linux/efi.h
@@ -1264,7 +1302,7 @@ index 8103ffd217e9..00bc9fa0828b 100644
  	uprobe_dup_mmap(oldmm, mm);
  	/*
 diff --git a/kernel/module/main.c b/kernel/module/main.c
-index f1facc898a64..e1b9c2f1a3bd 100644
+index a04e94c9f8a4..f5bd4217cd6f 100644
 --- a/kernel/module/main.c
 +++ b/kernel/module/main.c
 @@ -528,6 +528,7 @@ static struct module_attribute modinfo_##field = {                    \
diff --git a/sources b/sources
index 45993533e..db6b0a869 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-6.4.14.tar.xz) = 3b10213aee9dc21740e4ad935b8eaaf950419fa5666a4b41afdecaf1e3edd96a278f069d0378f63a4caec85750d33b77eb7f47296f498a496600c38e6a432c0c
-SHA512 (kernel-abi-stablelists-6.4.14.tar.bz2) = f2f7ea14ae40df25e997c33d7f23600021caf7ff9ab6633fded0dbb42772dd67d39de04371248cbe9ad384bcd48acc3544f80573a2826e73e3fd53b37f10efe8
-SHA512 (kernel-kabi-dw-6.4.14.tar.bz2) = 41bd38fb7555f325409db757ed124ec51e1ebaf3aaf6500f944e242e52bfc026398d0316bdbde523bdb4d525b51d1631fc97038e228152459aee384a5e80a81e
+SHA512 (linux-6.4.15.tar.xz) = 9b38a23e65e15a4efef724d3f308c415fce68d138df653de18b57bbb8cb61b1281af016e74898db3387f7b75b9cefd7361339e0aa50d8344bb1e3fc7469e3ee6
+SHA512 (kernel-abi-stablelists-6.4.15.tar.bz2) = 81239647b9390ce9b203ce865002222b62d060984f47f2caeddb060bebc5c7daddad194e3a1e4dc63cc39ce0edf3b2d8fb492e8a8454574c6d1c228a5aed95b9
+SHA512 (kernel-kabi-dw-6.4.15.tar.bz2) = cebea1321199f828844453a4ede76f3dd182c88fd5a83a0d28e2b14cda501de3b30902e0301bac4d52444b9d14151a1908166ccc1500dc90f667df7e4b3a8b37