authorChristian Breunig <christian@breunig.cc>2025-07-06 21:59:18 +0200
committerChristian Breunig <christian@breunig.cc>2025-07-06 21:59:18 +0200
commit02acad285c74015e8120ade2b41d51b39ae66b63 (patch)
tree980533ac963ac23bc9e090e3e4212bdb9e225a05 /include
parent1c1d50da810e6c49e804a74719c2675b88b033a6 (diff)
parent18d98bfb34be583a5fe2987542e4b15e0db9cb61 (diff)
Merge tag '16.0' into vyos/current
shim-16.0 What's Changed * Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in https://github.com/rhboot/shim/pull/646 * sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in https://github.com/rhboot/shim/pull/651 * sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in https://github.com/rhboot/shim/pull/653 * undo change that limits certificate files to a single file by @jsetje in https://github.com/rhboot/shim/pull/659 * shim: don't set second_stage to the empty string by @jjd27 in https://github.com/rhboot/shim/pull/640 * Fix SBAT.md for today's consensus about numbers by @aronowski in https://github.com/rhboot/shim/pull/672 * Update Code of Conduct contact address by @aronowski in https://github.com/rhboot/shim/pull/683 * make-certs: Handle missing OpenSSL installation by @aronowski in https://github.com/rhboot/shim/pull/595 * Update MokVars.txt by @mikebeaton in https://github.com/rhboot/shim/pull/598 * export DEFINES for sub makefile by @bryteise in https://github.com/rhboot/shim/pull/600 * Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in https://github.com/rhboot/shim/pull/609 * Null-terminate 'arguments' in fallback by @vittyvk in https://github.com/rhboot/shim/pull/611 * Fix "Verifiying" typo in error message by @chrisbainbridge in https://github.com/rhboot/shim/pull/706 * Update Fedora CI targets by @vathpela in https://github.com/rhboot/shim/pull/708 * Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in https://github.com/rhboot/shim/pull/607 * Minor housekeeping 2024121700 by @vathpela in https://github.com/rhboot/shim/pull/709 * Discard load-options that start with WINDOWS by @Metabolix in https://github.com/rhboot/shim/pull/621 * Fix the issue that the gBS->LoadImage pointer was empty. 
by @15058718379 in https://github.com/rhboot/shim/pull/703 * shim: Allow data after the end of device path node in load options by @dbnicholson in https://github.com/rhboot/shim/pull/694 * Handle network file not found like disks by @dbnicholson in https://github.com/rhboot/shim/pull/695 * Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in https://github.com/rhboot/shim/pull/674 * Increase EFI file alignment by @lumag in https://github.com/rhboot/shim/pull/673 * avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in https://github.com/rhboot/shim/pull/690 * Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in https://github.com/rhboot/shim/pull/667 * Provide better error message when MokManager is not found by @rmetrich in https://github.com/rhboot/shim/pull/663 * tpm: Boot with a warning if the event log is full by @kukrimate in https://github.com/rhboot/shim/pull/657 * MokManager: remove redundant logical constraints by @xypron in https://github.com/rhboot/shim/pull/409 * Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in https://github.com/rhboot/shim/pull/417 * test-mok-mirror: minor bug fix by @vathpela in https://github.com/rhboot/shim/pull/715 * Fix file system browser hang when enrolling MOK from disk by @miczyg1 in https://github.com/rhboot/shim/pull/622 * Ignore a minor clang-tidy nit by @vathpela in https://github.com/rhboot/shim/pull/716 * Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in https://github.com/rhboot/shim/pull/666 * test.mk: don't use a temporary random.bin by @vathpela in https://github.com/rhboot/shim/pull/718 * pe: Enhance debug report for update_mem_attrs by @jongwu in https://github.com/rhboot/shim/pull/594 * Multiple certificate handling improvements by @rosslagerwall in https://github.com/rhboot/shim/pull/644 * Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in 
https://github.com/rhboot/shim/pull/711 * Apply EKU check with compile option by @dennis-tseng99 in https://github.com/rhboot/shim/pull/664 * Add configuration option to boot an alternative 2nd stage by @esnowberg in https://github.com/rhboot/shim/pull/608 * Loader protocol (with Device Path resolution support) by @kukrimate in https://github.com/rhboot/shim/pull/656 * netboot cleanup for additional files by @jsetje in https://github.com/rhboot/shim/pull/686 * Document how revocations can be delivered by @jsetje in https://github.com/rhboot/shim/pull/722 * post-process-pe: add tests to validate NX compliance by @vathpela in https://github.com/rhboot/shim/pull/705 * regression: CopyMem() in ad8692e copies out of bounds by @jsetje in https://github.com/rhboot/shim/pull/725 * Save the debug and error logs in mok-variables by @vathpela in https://github.com/rhboot/shim/pull/726 * Add features for the Host Security ID program by @vathpela in https://github.com/rhboot/shim/pull/660 * Mirror some more efi variables to mok-variables by @vathpela in https://github.com/rhboot/shim/pull/723 * This adds DXE Services measurements to HSI and uses them for NX by @vathpela in https://github.com/rhboot/shim/pull/724 * Add shim's current NX_COMPAT status to HSIStatus by @vathpela in https://github.com/rhboot/shim/pull/727 * README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in https://github.com/rhboot/shim/pull/728 * Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in https://github.com/rhboot/shim/pull/637 * Disable log saving by @vathpela in https://github.com/rhboot/shim/pull/729 * fallback: don't add new boot order entries backwards by @vathpela in https://github.com/rhboot/shim/pull/730 * Misc fixes... 
by @vathpela in https://github.com/rhboot/shim/pull/735 * README.tpm: Update MokList entry to MokListRT by @trungams in https://github.com/rhboot/shim/pull/732 * SBAT Level update for February 2025 GRUB CVEs by @jsetje in https://github.com/rhboot/shim/pull/736 New Contributors * @jjd27 made their first contribution in https://github.com/rhboot/shim/pull/640 * @mikebeaton made their first contribution in https://github.com/rhboot/shim/pull/598 * @bryteise made their first contribution in https://github.com/rhboot/shim/pull/600 * @vittyvk made their first contribution in https://github.com/rhboot/shim/pull/609 * @chrisbainbridge made their first contribution in https://github.com/rhboot/shim/pull/706 * @Metabolix made their first contribution in https://github.com/rhboot/shim/pull/621 * @15058718379 made their first contribution in https://github.com/rhboot/shim/pull/703 * @dbnicholson made their first contribution in https://github.com/rhboot/shim/pull/694 * @lumag made their first contribution in https://github.com/rhboot/shim/pull/673 * @eduardacatrinei made their first contribution in https://github.com/rhboot/shim/pull/690 * @kukrimate made their first contribution in https://github.com/rhboot/shim/pull/657 * @miczyg1 made their first contribution in https://github.com/rhboot/shim/pull/622 * @nathan-omeara made their first contribution in https://github.com/rhboot/shim/pull/666 * @jongwu made their first contribution in https://github.com/rhboot/shim/pull/594 * @rosslagerwall made their first contribution in https://github.com/rhboot/shim/pull/644 * @trungams made their first contribution in https://github.com/rhboot/shim/pull/732 **Full Changelog**: https://github.com/rhboot/shim/compare/15.8...16.0 * tag '16.0': (451 commits) Update version to 16.0 SBAT Level update for February 2025 GRUB CVEs README.tpm: Update MokList entry to MokListRT Make 'make fanalyzer' work again. 
simple_dir_filter(): test our 'next' pointer shim_load_image(): initialize the buffer fully mirror_mok_db(): Free our mok variable name correctly mirror_one_mok_variable(): fix a memory leak on TPM log error. mirror_mok_db(): get rid of an unused variable+allocation generate_sbat_var_defs: Ensure revlistentry->revocations is initialized. generate_sbat_var_defs: Fix memory leak on realloc failure and fd leak. generate_sbat_var_defs: run clang-format on readfile() SetSecureVariable(): free Cert on failure Update version to 16.0~rc1 make-archive: some minor housekeeping makefiles: Make GITTAG swizzle tildes to dashes fallback: don't add new boot order entries backwards Disable log saving for now. Some save_logs() improvements. reject message with different values in multiple Content-Length header field ...
Diffstat (limited to 'include')
-rw-r--r--include/compiler.h9
-rw-r--r--include/console.h1
-rw-r--r--include/dp.h14
-rw-r--r--include/errlog.h22
-rw-r--r--include/errors.h3
-rw-r--r--include/fanalyzer.mk2
-rw-r--r--include/guid.h12
-rw-r--r--include/hexdump.h6
-rw-r--r--include/load-options.h1
-rw-r--r--include/loader-proto.h (renamed from include/replacements.h)12
-rw-r--r--include/memattrs.h18
-rw-r--r--include/mock-variables.h3
-rw-r--r--include/mok.h48
-rw-r--r--include/netboot.h5
-rw-r--r--include/pe.h6
-rw-r--r--include/peimage.h13
-rw-r--r--include/sbat.h3
-rw-r--r--include/sbat_var_defs.h42
-rw-r--r--include/test-data-efivars-1.h11
-rw-r--r--include/test.h18
-rw-r--r--include/test.mk11
-rw-r--r--include/utils.h9
22 files changed, 203 insertions, 66 deletions
diff --git a/include/compiler.h b/include/compiler.h
index 8e8a658d..6a19217c 100644
--- a/include/compiler.h
+++ b/include/compiler.h
@@ -175,14 +175,19 @@
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
#endif
-#ifndef ALIGN
+#ifndef __ALIGN
#define __ALIGN_MASK(x, mask) (((x) + (mask)) & ~(mask))
#define __ALIGN(x, a) __ALIGN_MASK(x, (typeof(x))(a) - 1)
+#endif
+#ifndef ALIGN
#define ALIGN(x, a) __ALIGN((x), (a))
#endif
#ifndef ALIGN_DOWN
#define ALIGN_DOWN(x, a) __ALIGN((x) - ((a) - 1), (a))
#endif
+#ifndef ALIGN_UP
+#define ALIGN_UP(addr, align) (((addr) + (typeof (addr)) (align) - 1) & ~((typeof (addr)) (align) - 1))
+#endif
#define MIN(a, b) ({(a) < (b) ? (a) : (b);})
#define MAX(a, b) ({(a) <= (b) ? (b) : (a);})
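Review bot: ALIGN_UP on the new line duplicates what ALIGN already provides a few lines above it, and unlike __ALIGN it evaluates `align` twice, so an argument with a side effect runs twice. Defining it through the existing helper keeps one implementation: `#define ALIGN_UP(addr, align) __ALIGN((addr), (align))`. Both forms assume a power-of-two alignment and can wrap when `addr + align - 1` overflows the type of `addr`; a one-line comment stating the power-of-two precondition would help callers.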
@@ -205,6 +210,7 @@
#define GNUC_PREREQ(maj, min) 0
#endif
+#if !defined(CLANG_PREREQ)
#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
#define CLANG_PREREQ(maj, min) \
((__clang_major__ > (maj)) || \
@@ -212,6 +218,7 @@
#else
#define CLANG_PREREQ(maj, min) 0
#endif
+#endif /* CLANG_PREREQ */
#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
#define checked_add(addend0, addend1, sum) \
diff --git a/include/console.h b/include/console.h
index 7ac4e113..c90e3e71 100644
--- a/include/console.h
+++ b/include/console.h
@@ -98,6 +98,7 @@ extern UINT32 verbose;
#ifndef SHIM_UNIT_TEST
#define dprint_(fmt, ...) ({ \
UINTN __dprint_ret = 0; \
+ log_debug_print((fmt), ##__VA_ARGS__); \
if (verbose) \
__dprint_ret = console_print((fmt), ##__VA_ARGS__); \
__dprint_ret; \
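Review bot: With the added `log_debug_print((fmt), ##__VA_ARGS__);` the macro expands `fmt` and the variadic arguments twice when `verbose` is set, once here and once in `console_print`, so an argument with a side effect is evaluated twice. Formatting once into a buffer and handing the result to both sinks would avoid that; if every call site is known to pass side-effect-free arguments, a comment above the macro such as `/* NOTE: fmt and args are evaluated twice when verbose is set */` is the cheap fix. The call also runs regardless of `verbose`, so everything passed to dprint is now retained by the error log even in quiet builds, and the description mentions these logs being mirrored into variables; debug prints that format key material or variable contents deserve a look with that in mind. `log_debug_print` is declared in errlog.h, so console.h now depends on that header being included first, which appears to follow the tree's existing inclusion convention.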
diff --git a/include/dp.h b/include/dp.h
new file mode 100644
index 00000000..884c1460
--- /dev/null
+++ b/include/dp.h
@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+/*
+ * dp.h - device path helper functions
+ * Copyright Peter Jones <pjones@redhat.com>
+ */
+
+#ifndef DP_H_
+#define DP_H_
+
+int
+is_removable_media_path(EFI_LOADED_IMAGE *li);
+
+#endif /* !DP_H_ */
+// vim:fenc=utf-8:tw=75:noet
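Review bot: The new prototype for `is_removable_media_path` gives no hint of its return convention, and a bare `int` could be a boolean or an error code. A one-line comment on the declaration, e.g. `/* Returns non-zero if li was loaded from removable media, else 0. */`, would settle it for callers, with the wording checked against the implementation in dp.c, which is not in this diff. Like the other headers here it relies on EFI_LOADED_IMAGE having been declared by an earlier include.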
diff --git a/include/errlog.h b/include/errlog.h
new file mode 100644
index 00000000..b9f089b8
--- /dev/null
+++ b/include/errlog.h
@@ -0,0 +1,22 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+/*
+ * errlog.h - error logging utilities
+ * Copyright Peter Jones <pjones@redhat.com>
+ */
+
+#ifndef ERRLOG_H_
+#define ERRLOG_H_
+
+extern EFI_STATUS EFIAPI LogError_(const char *file, int line, const char *func,
+ const CHAR16 *fmt, ...);
+extern EFI_STATUS EFIAPI VLogError(const char *file, int line, const char *func,
+ const CHAR16 *fmt, ms_va_list args);
+extern VOID LogHexdump_(const char *file, int line, const char *func,
+ const void *data, size_t sz);
+extern VOID PrintErrors(VOID);
+extern VOID ClearErrors(VOID);
+extern void save_logs(void);
+extern UINTN EFIAPI log_debug_print(const CHAR16 *fmt, ...);
+
+#endif /* !ERRLOG_H_ */
+// vim:fenc=utf-8:tw=75:noet
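Review bot: The declarations mix the EFI spelling `VOID PrintErrors(VOID)` with plain `void save_logs(void)` in the same block; picking one, e.g. `extern VOID save_logs(VOID);`, keeps the header uniform. The trailing-underscore names suggest they are meant to be reached through macros that fill in `__FILE__`/`__LINE__`/`__func__`; a short comment saying so, and naming those macros, would tell readers not to call them directly. Nothing in the hunk says whether `save_logs` may be called more than once or what it does when no log exists, which the same comment could cover.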
diff --git a/include/errors.h b/include/errors.h
index 67d821e0..eab58453 100644
--- a/include/errors.h
+++ b/include/errors.h
@@ -9,5 +9,8 @@
#ifndef EFI_SECURITY_VIOLATION
#define EFI_SECURITY_VIOLATION EFIERR(26)
#endif
+#ifndef EFI_HTTP_ERROR
+#define EFI_HTTP_ERROR EFIERR(35)
+#endif
#endif /* SHIM_ERRORS_H */
diff --git a/include/fanalyzer.mk b/include/fanalyzer.mk
index a0679e3e..b22656ea 100644
--- a/include/fanalyzer.mk
+++ b/include/fanalyzer.mk
@@ -21,7 +21,7 @@ fanalyzer-build-all : COMPILER=gcc
fanalyzer-build-all : CCACHE_DISABLE=1
fanalyzer-build-all : FEATUREFLAGS+=-fanalyzer
fanalyzer-build-all : WERRFLAGS=-Werror=analyzer-null-dereference
-fanalyzer-build-all : IGNORE_COMPILER_ERRORS=" || :"
+fanalyzer-build-all : IGNORE_COMPILER_ERRORS= || :
fanalyzer-build-all : all
fanalyzer-no-openssl : | fanalyzer-test
diff --git a/include/guid.h b/include/guid.h
index 898c4fad..26628d1e 100644
--- a/include/guid.h
+++ b/include/guid.h
@@ -3,6 +3,16 @@
#ifndef SHIM_GUID_H
#define SHIM_GUID_H
+#define LGUID_FMT L"%08x-%04hx-%04hx-%02hhx%02hhx-%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
+#define GUID_FMT "%08x-%04hx-%04hx-%02hhx%02hhx-%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
+
+#define GUID_ARGS(guid) \
+ ((EFI_GUID)guid).Data1, ((EFI_GUID)guid).Data2, ((EFI_GUID)guid).Data3, \
+ ((EFI_GUID)guid).Data4[1], ((EFI_GUID)guid).Data4[0], \
+ ((EFI_GUID)guid).Data4[2], ((EFI_GUID)guid).Data4[3], \
+ ((EFI_GUID)guid).Data4[4], ((EFI_GUID)guid).Data4[5], \
+ ((EFI_GUID)guid).Data4[6], ((EFI_GUID)guid).Data4[7]
+
extern EFI_GUID BDS_GUID;
extern EFI_GUID GV_GUID;
extern EFI_GUID SIG_DB;
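Review bot: `GUID_ARGS` prints the fourth group as `Data4[1]` then `Data4[0]`, which is the reverse of the byte order in the canonical text form of a GUID; if this is deliberate (guidcmp_helper in test.h compares those two bytes in the same order) a comment above the macro saying why should be added, otherwise the two entries should be swapped. The macro also relies on `((EFI_GUID)guid)`, a cast to a struct type that ISO C does not allow and that GCC only accepts as an extension when the operand already has that type; writing `(guid).Data1` and so on is plain C and works for the same arguments. Each expansion evaluates `guid` eleven times, so it is only safe for side-effect-free arguments, which a comment could state.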
@@ -36,6 +46,8 @@ extern EFI_GUID SECURITY_PROTOCOL_GUID;
extern EFI_GUID SECURITY2_PROTOCOL_GUID;
extern EFI_GUID EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID;
extern EFI_GUID SHIM_LOCK_GUID;
+extern EFI_GUID SHIM_IMAGE_LOADER_GUID;
+extern EFI_GUID SHIM_LOADED_IMAGE_GUID;
extern EFI_GUID MOK_VARIABLE_STORE;
extern EFI_GUID SECUREBOOT_EFI_NAMESPACE_GUID;
diff --git a/include/hexdump.h b/include/hexdump.h
index e8f4fe1a..6f3d5fa5 100644
--- a/include/hexdump.h
+++ b/include/hexdump.h
@@ -89,10 +89,14 @@ vhexdumpf(const char *file, int line, const char *func, const CHAR16 *const fmt,
if (verbose == 0)
return;
- if (!data || !size) {
+ if (!data) {
dprint(L"hexdump of a NULL pointer!\n");
return;
}
+ if (!size) {
+ dprint(L"hexdump of a 0 size region!\n");
+ return;
+ }
while (offset < size) {
char hexbuf[49];
diff --git a/include/load-options.h b/include/load-options.h
index d2bee3bb..78b1dcce 100644
--- a/include/load-options.h
+++ b/include/load-options.h
@@ -13,6 +13,7 @@ EFI_STATUS generate_path_from_image_path(EFI_LOADED_IMAGE *li,
EFI_STATUS parse_load_options(EFI_LOADED_IMAGE *li);
extern CHAR16 *second_stage;
+extern CHAR16 *optional_second_stage;
extern void *load_options;
extern UINT32 load_options_size;
diff --git a/include/replacements.h b/include/loader-proto.h
index 8b35c857..db8e670e 100644
--- a/include/replacements.h
+++ b/include/loader-proto.h
@@ -16,7 +16,6 @@ typedef enum {
} verification_method_t;
extern verification_method_t verification_method;
-extern int loader_is_participating;
extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab);
extern void unhook_system_services(void);
@@ -24,7 +23,14 @@ extern void unhook_system_services(void);
extern void hook_exit(EFI_SYSTEM_TABLE *local_systab);
extern void unhook_exit(void);
-extern EFI_STATUS install_shim_protocols(void);
-extern void uninstall_shim_protocols(void);
+typedef struct _SHIM_IMAGE_LOADER {
+ EFI_IMAGE_LOAD LoadImage;
+ EFI_IMAGE_START StartImage;
+ EFI_EXIT Exit;
+ EFI_IMAGE_UNLOAD UnloadImage;
+} SHIM_IMAGE_LOADER;
+
+extern SHIM_IMAGE_LOADER shim_image_loader_interface;
+extern void init_image_loader(void);
#endif /* SHIM_REPLACEMENTS_H */
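Review bot: The closing guard still reads `#endif /* SHIM_REPLACEMENTS_H */` after the rename to loader-proto.h; the `#ifndef`/`#define` pair is outside the hunk, but the guard macro should be renamed to match the new file, e.g. `SHIM_LOADER_PROTO_H`, in all three places. `_SHIM_IMAGE_LOADER` begins with an underscore followed by an uppercase letter, which the C standard reserves for the implementation; `struct shim_image_loader` or dropping the tag avoids that. A comment on the struct stating that these four pointers mirror the Boot Services entries the loader replaces (the member types suggest it, but the header does not say) would help readers.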
diff --git a/include/memattrs.h b/include/memattrs.h
new file mode 100644
index 00000000..193da988
--- /dev/null
+++ b/include/memattrs.h
@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+/*
+ * memattrs.h - EFI and DXE memory attribute helpers
+ * Copyright Peter Jones <pjones@redhat.com>
+ */
+
+#ifndef SHIM_MEMATTRS_H_
+#define SHIM_MEMATTRS_H_
+
+extern EFI_STATUS get_mem_attrs (uintptr_t addr, size_t size, uint64_t *attrs);
+extern EFI_STATUS update_mem_attrs(uintptr_t addr, uint64_t size,
+ uint64_t set_attrs, uint64_t clear_attrs);
+
+extern void get_hsi_mem_info(void);
+extern char *decode_hsi_bits(UINTN hsi);
+
+#endif /* !SHIM_MEMATTRS_H_ */
+// vim:fenc=utf-8:tw=75:noet
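Review bot: `get_mem_attrs` takes its size as `size_t` while `update_mem_attrs` takes `uint64_t`, and the former has a space before its parameter list that the latter does not; aligning both on one type, e.g. `extern EFI_STATUS get_mem_attrs(uintptr_t addr, uint64_t size, uint64_t *attrs);`, removes the mismatch. `decode_hsi_bits` returns a `char *` with no statement of ownership, so a caller cannot tell whether the string is static or must be freed; a comment on the prototype, with the answer taken from the implementation, should accompany it. A line saying which attribute bit definitions `set_attrs`/`clear_attrs` use would complete the contract.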
diff --git a/include/mock-variables.h b/include/mock-variables.h
index 9f276e63..b7ee1cb4 100644
--- a/include/mock-variables.h
+++ b/include/mock-variables.h
@@ -115,6 +115,9 @@ void mock_uninstall_query_variable_info(void);
void mock_reset_variables(void);
void mock_reset_config_table(void);
void mock_finalize_vars_and_configs(void);
+void mock_set_usage_limits(list_t *limit_list,
+ struct mock_variable_limits *limits);
+void mock_set_default_usage_limits(void);
typedef enum {
NONE = 0,
diff --git a/include/mok.h b/include/mok.h
index fb19423b..f4468ab0 100644
--- a/include/mok.h
+++ b/include/mok.h
@@ -17,6 +17,14 @@ typedef enum {
struct mok_state_variable;
typedef vendor_addend_category_t (vendor_addend_categorizer_t)(struct mok_state_variable *);
+typedef UINTN (mok_variable_format_helper_t)(UINT8 *buf, size_t sz, struct mok_state_variable *);
+
+#define MOK_MIRROR_KEYDB 0x01
+#define MOK_MIRROR_DELETE_FIRST 0x02
+#define MOK_VARIABLE_MEASURE 0x04
+#define MOK_VARIABLE_LOG 0x08
+#define MOK_VARIABLE_INVERSE 0x10
+#define MOK_VARIABLE_CONFIG_ONLY 0x20
/*
* MoK variables that need to have their storage validated.
@@ -81,6 +89,8 @@ struct mok_state_variable {
* MOK_MIRROR_DELETE_FIRST delete any existing variable first
* MOK_VARIABLE_MEASURE extend PCR 7 and log the hash change
* MOK_VARIABLE_LOG measure into whatever .pcr says and log
+ * MOK_VARIABLE_CONFIG_ONLY don't create a UEFI variable, only add
+ * it to the config space variables.
*/
UINTN pcr; /* PCR to measure and hash to */
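Review bot: The flag list in this comment now runs from MOK_MIRROR_DELETE_FIRST to MOK_VARIABLE_CONFIG_ONLY but skips MOK_VARIABLE_INVERSE (0x10), which the first hunk of this file introduces with the others; unless it is described in the part of the comment above the hunk, a line `* MOK_VARIABLE_INVERSE ...` with the flag's meaning, taken from the code that tests it, should be added here. The opening of the comment, which presumably covers MOK_MIRROR_KEYDB, is outside the hunk.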
@@ -89,6 +99,23 @@ struct mok_state_variable {
* mirrored.
*/
UINT8 *state;
+
+ /*
+ * If this is non-NULL, this function will be called during the
+ * "import" phase to format the variable data. It'll get called
+ * twice, once as:
+ *
+ * sz = format(NULL, 0, ptr);
+ *
+ * a buffer of size sz will then be allocated, and it'll be called
+ * again to fill the buffer:
+ *
+ * format(buf, sz, ptr);
+ *
+ * Note that as an implementation detail data and data_size must be
+ * NULL and 0 respectively for this entry.
+ */
+ mok_variable_format_helper_t *format;
};
extern size_t n_mok_state_variables;
@@ -100,10 +127,31 @@ struct mok_variable_config_entry {
UINT8 data[];
};
+extern EFI_PHYSICAL_ADDRESS mok_config_table;
+extern UINTN mok_config_table_pages;
+
/*
* bit definitions for MokPolicy
*/
#define MOK_POLICY_REQUIRE_NX 1
+extern UINTN hsi_status;
+/* heap is executable */
+#define SHIM_HSI_STATUS_HEAPX 0x00000001ULL
+/* stack is executable */
+#define SHIM_HSI_STATUS_STACKX 0x00000002ULL
+/* read-only sections are writable */
+#define SHIM_HSI_STATUS_ROW 0x00000004ULL
+/* platform provides the EFI Memory Attribute Protocol */
+#define SHIM_HSI_STATUS_HASMAP 0x00000008ULL
+/* platform provides DXE Services Table */
+#define SHIM_HSI_STATUS_HASDST 0x00000010ULL
+/* platform has DST->GetMemorySpaceDescriptor */
+#define SHIM_HSI_STATUS_HASDSTGMSD 0x00000020ULL
+/* platform has DST->SetMemorySpaceAttributes */
+#define SHIM_HSI_STATUS_HASDSTSMSA 0x00000040ULL
+/* This shim has the NX_COMPAT bit set */
+#define SHIM_HSI_STATUS_NX 0x00000100ULL
+
#endif /* !SHIM_MOK_H_ */
// vim:fenc=utf-8:tw=75:noet
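Review bot: The SHIM_HSI_STATUS_* bits jump from 0x40 to 0x100, leaving 0x80 unassigned without a comment; if that bit is reserved or used elsewhere, a line such as `/* 0x80: reserved */` avoids a later collision. The constants carry the `ULL` suffix while `hsi_status` is declared `UINTN`, which is 32 bits on ia32; the current values fit, but a comment noting that the variable's width is the limit, or declaring it `UINT64`, keeps the two in step as bits are added. A short comment saying who allocates and frees the pages behind `mok_config_table`/`mok_config_table_pages` would also help.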
diff --git a/include/netboot.h b/include/netboot.h
index a7bf6cd8..296f10f0 100644
--- a/include/netboot.h
+++ b/include/netboot.h
@@ -3,10 +3,13 @@
#ifndef SHIM_NETBOOT_H
#define SHIM_NETBOOT_H
+#define SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE 1
+
extern BOOLEAN findNetboot(EFI_HANDLE image_handle);
extern EFI_STATUS parseNetbootinfo(EFI_HANDLE image_handle, CHAR8 *name);
-extern EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINT64 *bufsiz);
+extern EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer,
+ UINT64 *bufsiz, int flags);
#endif /* SHIM_NETBOOT_H */
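Review bot: `SUPPRESS_NETBOOT_OPEN_FAILURE_NOISE` is passed through the new `int flags` parameter of `FetchNetbootimage`, but nothing in the header says that `flags` is a bitmask of these values or that 0 keeps the previous behaviour; a comment above the prototype such as `/* flags: bitwise OR of SUPPRESS_* values; 0 reports open failures as before */`, with the second clause checked against netboot.c, would document the contract. Writing the value as `(1 << 0)` signals that further bits are expected.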
diff --git a/include/pe.h b/include/pe.h
index 9ea9eb44..ea40184b 100644
--- a/include/pe.h
+++ b/include/pe.h
@@ -12,7 +12,8 @@ ImageAddress (void *image, uint64_t size, uint64_t address);
EFI_STATUS
read_header(void *data, unsigned int datasize,
- PE_COFF_LOADER_IMAGE_CONTEXT *context);
+ PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ bool check_secdir);
EFI_STATUS verify_image(void *data, unsigned int datasize,
EFI_LOADED_IMAGE *li,
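Review bot: The new `bool check_secdir` parameter of `read_header` changes what the parser validates, and the header does not say what is skipped when it is false or which callers may pass false; since the security directory is where the Authenticode signature lives, a comment on the prototype such as `/* check_secdir: when false the security directory is not validated */` is needed, with a second clause naming the intended callers once confirmed from pe.c. The declaration of `verify_image` that follows is unchanged and continues beyond the hunk.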
@@ -52,5 +53,8 @@ relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
EFI_IMAGE_SECTION_HEADER *Section,
void *orig, void *data);
+void
+get_shim_nx_capability(EFI_HANDLE image_handle);
+
#endif /* !PE_H_ */
// vim:fenc=utf-8:tw=75:noet
diff --git a/include/peimage.h b/include/peimage.h
index 6eef1051..5d049686 100644
--- a/include/peimage.h
+++ b/include/peimage.h
@@ -144,12 +144,12 @@ typedef struct {
///
/// @attention
-/// EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC means PE32 and
+/// EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC means PE32 and
/// EFI_IMAGE_OPTIONAL_HEADER32 must be used. The data structures only vary
/// after NT additional fields.
///
#define EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
-
+
///
/// Optional Header Standard Fields for PE32.
///
@@ -195,7 +195,7 @@ typedef struct {
///
/// @attention
-/// EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC means PE32+ and
+/// EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC means PE32+ and
/// EFI_IMAGE_OPTIONAL_HEADER64 must be used. The data structures only vary
/// after NT additional fields.
///
@@ -465,7 +465,7 @@ typedef struct {
#define EFI_IMAGE_COMDAT_SELECT_SAME_SIZE 3
#define EFI_IMAGE_COMDAT_SELECT_EXACT_MATCH 4
#define EFI_IMAGE_COMDAT_SELECT_ASSOCIATIVE 5
-
+
//
// the following values only be referred in PeCoff, not defined in PECOFF.
//
@@ -500,9 +500,9 @@ typedef struct {
#define EFI_IMAGE_REL_I386_SECREL 0x000B
#define EFI_IMAGE_REL_I386_REL32 0x0014 ///< PC-relative 32-bit reference to the symbols virtual address.
-//
+//
// x64 processor relocation types.
-//
+//
#define IMAGE_REL_AMD64_ABSOLUTE 0x0000
#define IMAGE_REL_AMD64_ADDR64 0x0001
#define IMAGE_REL_AMD64_ADDR32 0x0002
@@ -824,6 +824,7 @@ typedef struct {
EFI_IMAGE_DATA_DIRECTORY *RelocDir;
EFI_IMAGE_DATA_DIRECTORY *SecDir;
UINT64 NumberOfRvaAndSizes;
+ UINT16 DllCharacteristics;
EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr;
} PE_COFF_LOADER_IMAGE_CONTEXT;
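Review bot: `DllCharacteristics` is added to PE_COFF_LOADER_IMAGE_CONTEXT without a comment, unlike the surrounding EDK2-style members; a line such as `UINT16 DllCharacteristics; ///< DllCharacteristics from the optional header (NX_COMPAT bit lives here)` keeps the struct self-describing. As a `UINT16` between a `UINT64` and a pointer it costs padding on both sides; placing it next to another 16-bit member, if one exists above the hunk, would avoid that. The struct's earlier members are outside the hunk.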
diff --git a/include/sbat.h b/include/sbat.h
index bb523e7e..093bb64a 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -38,7 +38,8 @@
#define POLICY_RESET 3
#define POLICY_NOTREAD 255
-#define REVOCATIONFILE L"revocations.efi"
+#define SBATREVOCATIONFILE L"revocations_sbat.efi"
+#define SKUSIREVOCATIONFILE L"revocations_sku.efi"
extern UINTN _sbat, _esbat;
diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
index f8cba029..f4f5a27b 100644
--- a/include/sbat_var_defs.h
+++ b/include/sbat_var_defs.h
@@ -7,7 +7,9 @@
#define QUOTE(s) #s
/*
- * This is the entry for the sbat data format
+ * SbatLevel Epoch and SHIM_DEVEL definitions are here
+ * Actual revocations are now soley defined in
+ * SbatLevel_Variable.txt
*/
#define SBAT_VAR_SIG "sbat,"
#define SBAT_VAR_VERSION "1,"
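Review bot: The new comment has a spelling error and reads as two sentences run together; `* SbatLevel Epoch and SHIM_DEVEL definitions are here.` and `* Actual revocations are now solely defined in` fix both. Naming the generated header that consumes SbatLevel_Variable.txt, if there is one, would tell a reader where the non-devel SBAT_VAR_AUTOMATIC and SBAT_VAR_LATEST now come from, since the second hunk removes them from this file.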
@@ -22,46 +24,10 @@
#define SBAT_VAR_LATEST_DATE "2022050100"
#define SBAT_VAR_LATEST_REVOCATIONS "component,2\nothercomponent,2\n"
-#define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
-#else /* !ENABLE_SHIM_DEVEL */
-
-/*
- * Some distros may want to apply revocations from 2022052400
- * or 2022111500 automatically. They can be selected by setting
- * SBAT_AUTOMATIC_DATE=<datestamp> at build time. Otherwise the
- * default is to apply the second to most recent revocations
- * automatically. Distros that need to manage automatic updates
- * externally from shim can choose the epoch 2021030218 emtpy
- * revocations.
- */
-#ifndef SBAT_AUTOMATIC_DATE
-#define SBAT_AUTOMATIC_DATE 2023012900
-#endif /* SBAT_AUTOMATIC_DATE */
-#if SBAT_AUTOMATIC_DATE == 2021030218
-#define SBAT_VAR_AUTOMATIC_REVOCATIONS
-#elif SBAT_AUTOMATIC_DATE == 2022052400
-#define SBAT_VAR_AUTOMATIC_REVOCATIONS "grub,2\n"
-#elif SBAT_AUTOMATIC_DATE == 2022111500
-#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
-#elif SBAT_AUTOMATIC_DATE == 2023012900
-#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
-#else
-#error "Unknown SBAT_AUTOMATIC_DATE"
-#endif /* SBAT_AUTOMATIC_DATE == */
-#define SBAT_VAR_AUTOMATIC_DATE QUOTEVAL(SBAT_AUTOMATIC_DATE)
-#define SBAT_VAR_AUTOMATIC \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_AUTOMATIC_DATE "\n" \
- SBAT_VAR_AUTOMATIC_REVOCATIONS
-/*
- * Revocations for January 2024 shim CVEs
- */
-#define SBAT_VAR_LATEST_DATE "2024010900"
-#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
#define SBAT_VAR_LATEST \
SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
SBAT_VAR_LATEST_REVOCATIONS
#endif /* ENABLE_SHIM_DEVEL */
+
#endif /* !SBAT_VAR_DEFS_H_ */
diff --git a/include/test-data-efivars-1.h b/include/test-data-efivars-1.h
index 2831bd23..259558e0 100644
--- a/include/test-data-efivars-1.h
+++ b/include/test-data-efivars-1.h
@@ -106,5 +106,16 @@ static const unsigned char test_data_efivars_1_MokListTrustedRT[] ={
0x01
};
+static const unsigned char test_data_efivars_1_HSIStatus[] =
+ "heap-is-executable: 0\n"
+ "stack-is-executable: 0\n"
+ "ro-sections-are-writable: 0\n"
+ "has-memory-attribute-protocol: 0\n"
+ "has-dxe-services-table: 0\n"
+ "has-get-memory-space-descriptor: 0\n"
+ "has-set-memory-space-attributes: 0\n"
+ "shim-has-nx-compat-set: 0\n"
+ ;
+
#endif /* !TEST_DATA_EFIVARS_1_H_ */
// vim:fenc=utf-8:tw=75:noet
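Review bot: Initialising `test_data_efivars_1_HSIStatus` from a string literal makes `sizeof` the array one byte larger than the text because of the implicit terminating NUL, unlike the brace-initialised byte arrays above it; if the test compares the array length with the size of the mirrored HSIStatus variable, the two differ by one unless the mirror also stores the NUL. Either subtract one where the size is used or state the intent in a comment, e.g. `/* NUL-terminated on purpose to match what shim writes; verify against the mirror code */`.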
diff --git a/include/test.h b/include/test.h
index 5261dbd9..ccb61148 100644
--- a/include/test.h
+++ b/include/test.h
@@ -85,14 +85,14 @@ extern EFI_RUNTIME_SERVICES *RT;
static inline INT64
guidcmp_helper(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
{
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): Comparing "GUID_FMT" to "GUID_FMT"\n",
__FILE__, __LINE__-1, __func__,
GUID_ARGS(*guid0), GUID_ARGS(*guid1));
#endif
if (guid0->Data1 != guid1->Data1) {
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): returning 0x%"PRIx64"-0x%"PRIx64"->0x%"PRIx64"\n",
__FILE__, __LINE__-1, __func__,
(INT64)guid0->Data1, (INT64)guid1->Data1,
@@ -102,7 +102,7 @@ guidcmp_helper(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
}
if (guid0->Data2 != guid1->Data2) {
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): returning 0x%"PRIx64"-0x%"PRIx64"->0x%"PRIx64"\n",
__FILE__, __LINE__-1, __func__,
(INT64)guid0->Data2, (INT64)guid1->Data2,
@@ -112,7 +112,7 @@ guidcmp_helper(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
}
if (guid0->Data3 != guid1->Data3) {
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): returning 0x%"PRIx64"-0x%"PRIx64"->0x%"PRIx64"\n",
__FILE__, __LINE__-1, __func__,
(INT64)guid0->Data3, (INT64)guid1->Data3,
@@ -126,7 +126,7 @@ guidcmp_helper(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
* representation of it.
*/
if (guid0->Data4[1] != guid1->Data4[1]) {
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): returning 0x%"PRIx64"-0x%"PRIx64"->0x%"PRIx64"\n",
__FILE__, __LINE__-1, __func__,
(INT64)guid0->Data4[1], (INT64)guid1->Data4[1],
@@ -136,7 +136,7 @@ guidcmp_helper(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
}
if (guid0->Data4[0] != guid1->Data4[0]) {
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): returning 0x%"PRIx64"-0x%"PRIx64"->0x%"PRIx64"\n",
__FILE__, __LINE__-1, __func__,
(INT64)guid0->Data4[0], (INT64)guid1->Data4[0],
@@ -147,7 +147,7 @@ guidcmp_helper(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
for (UINTN i = 2; i < 8; i++) {
if (guid0->Data4[i] != guid1->Data4[i]) {
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): returning 0x%"PRIx64"-0x%"PRIx64"->0x%"PRIx64"\n",
__FILE__, __LINE__-1, __func__,
(INT64)guid0->Data4[i], (INT64)guid1->Data4[i],
@@ -157,7 +157,7 @@ guidcmp_helper(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
}
}
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s(): returning 0x0\n",
__FILE__, __LINE__-1, __func__);
#endif
@@ -177,7 +177,7 @@ guidcmp(const EFI_GUID * const guid0, const EFI_GUID * const guid1)
cmp = guidcmp_helper(guida, guidb);
ret = cmp < 0 ? -1 : (cmp > 0 ? 1 : 0);
-#if (defined(SHIM_DEBUG) && SHIM_DEBUG != 0)
+#if defined(SHIM_DEBUG) && SHIM_DEBUG >= 2
printf("%s:%d:%s():CompareGuid("GUID_FMT","GUID_FMT")->%lld (%d)\n",
__FILE__, __LINE__-1, __func__,
GUID_ARGS(*guida), GUID_ARGS(*guidb), cmp, ret);
diff --git a/include/test.mk b/include/test.mk
index e6d46594..ee2d2fde 100644
--- a/include/test.mk
+++ b/include/test.mk
@@ -76,8 +76,12 @@ libefi-test.a :
clean
test-random.h:
- dd if=/dev/urandom bs=512 count=17 of=random.bin
- xxd -i random.bin test-random.h
+ dd if=/dev/urandom bs=512 count=17 status=none | ( \
+ echo "unsigned char random_bin[] = {" ; \
+ xxd -i - ; \
+ echo "};" ; \
+ echo "unsigned int random_bin_len = 8704;" ; \
+ ) > test-random.h
$(wildcard test-*.c) :: %.c : test-random.h
$(patsubst %.c,%,$(wildcard test-*.c)) :: | test-random.h
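Review bot: The recipe hard-codes `random_bin_len = 8704` while the byte count actually comes from `bs=512 count=17` on the dd line, so the two silently diverge if either number changes. Deriving it in the recipe, `echo "unsigned int random_bin_len = $$((512*17));"`, or defining the count once in a make variable used by both, keeps them in step. Because dd now runs on the left of a pipe inside a subshell, a dd failure no longer fails the recipe and a truncated header is still written, whereas the previous two-command form stopped on dd's exit status.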
@@ -119,7 +123,7 @@ test-coverage : CFLAGS_GCOV+=--coverage
test-coverage : $(tests)
test-clean :
- @rm -vf test-random.h random.bin libefi-test.a
+ @rm -vf test-random.h libefi-test.a
@rm -vf *.gcda *.gcno *.gcov vgcore.*
clean : test-clean
@@ -127,6 +131,5 @@ clean : test-clean
all : test-clean test
.PHONY: $(tests) all test clean
-.SECONDARY: random.bin
# vim:ft=make
diff --git a/include/utils.h b/include/utils.h
new file mode 100644
index 00000000..654f05d8
--- /dev/null
+++ b/include/utils.h
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+#ifndef UTILS_H_
+#define UTILS_H_
+
+EFI_STATUS get_file_size(EFI_FILE_HANDLE fh, UINTN *retsize);
+EFI_STATUS
+read_file(EFI_FILE_HANDLE fh, CHAR16 *fullpath, CHAR16 **buffer, UINT64 *bs);
+
+#endif /* UTILS_H_ */
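Review bot: `read_file` takes its output as `CHAR16 **buffer` although data read from an EFI_FILE_HANDLE is arbitrary bytes, and nothing says who frees `*buffer` or whether `*bs` counts bytes or characters; a comment above the prototype, e.g. `/* Reads fh into a newly allocated buffer the caller frees; *bs receives the size in bytes */`, with the details taken from the implementation, would make the contract usable. `fullpath` could be `const CHAR16 *` if the implementation only reads it. The header also lacks the purpose comment and `// vim:` trailer the other new headers in this commit carry, a style point only.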