| author | Steve McIntyre <93sam@debian.org> | 2021-02-21 13:46:16 +0000 |
|---|---|---|
| committer | Steve McIntyre <93sam@debian.org> | 2021-02-21 13:46:16 +0000 |
| commit | 2a55644555e3c9bb1d948ab817b047123c1dcfd9 (patch) | |
| tree | f3c68875b270405a4cf93cec1b9aa5fb567e0c48 /include | |
| parent | 379f0954e0632f29f5154a0157a046ef20053121 (diff) | |
| parent | 888f5b544b7cce3cdae8074aa617b1d4add271a1 (diff) | |
| download | efi-boot-shim-2a55644555e3c9bb1d948ab817b047123c1dcfd9.tar.gz efi-boot-shim-2a55644555e3c9bb1d948ab817b047123c1dcfd9.zip | |
Update upstream source from tag 'upstream/15+1613861442.888f5b5'
Update to upstream version '15+1613861442.888f5b5'
with Debian dir 15b0853a73144b1f8571ce2bebc2eea68af4a8e3
Diffstat (limited to 'include')
| -rw-r--r-- | include/asm.h | 56 | ||||
| -rw-r--r-- | include/compiler.h | 156 | ||||
| -rw-r--r-- | include/configtable.h | 23 | ||||
| -rw-r--r-- | include/console.h | 25 | ||||
| -rw-r--r-- | include/crypt_blowfish.h | 9 | ||||
| -rw-r--r-- | include/efiauthenticated.h | 4 | ||||
| -rw-r--r-- | include/errors.h | 2 | ||||
| -rw-r--r-- | include/execute.h | 2 | ||||
| -rw-r--r-- | include/guid.h | 4 | ||||
| -rw-r--r-- | include/hexdump.h | 181 | ||||
| -rw-r--r-- | include/http.h (renamed from include/Http.h) | 31 | ||||
| -rw-r--r-- | include/httpboot.h | 26 | ||||
| -rw-r--r-- | include/ip4config2.h (renamed from include/Ip4Config2.h) | 23 | ||||
| -rw-r--r-- | include/ip6config.h (renamed from include/Ip6Config.h) | 21 | ||||
| -rw-r--r-- | include/list.h | 106 | ||||
| -rw-r--r-- | include/netboot.h | 2 | ||||
| -rw-r--r-- | include/passwordcrypt.h (renamed from include/PasswordCrypt.h) | 2 | ||||
| -rw-r--r-- | include/pe.h | 38 | ||||
| -rw-r--r-- | include/peimage.h (renamed from include/PeImage.h) | 38 | ||||
| -rw-r--r-- | include/replacements.h | 30 | ||||
| -rw-r--r-- | include/sbat.h | 36 | ||||
| -rw-r--r-- | include/security_policy.h | 2 | ||||
| -rw-r--r-- | include/shell.h | 2 | ||||
| -rw-r--r-- | include/simple_file.h | 2 | ||||
| -rw-r--r-- | include/str.h | 67 | ||||
| -rw-r--r-- | include/tpm.h | 9 | ||||
| -rw-r--r-- | include/ucs2.h | 36 | ||||
| -rw-r--r-- | include/variables.h | 28 | ||||
| -rw-r--r-- | include/wincert.h | 19 |
29 files changed, 710 insertions, 270 deletions
diff --git a/include/asm.h b/include/asm.h
new file mode 100644
index 00000000..8458d5d2
--- /dev/null
+++ b/include/asm.h
@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+
+#ifndef SHIM_ASM_H_
+#define SHIM_ASM_H_
+
+#define __stringify_1(x...) #x
+#define __stringify(x...) __stringify_1(x)
+
+static inline uint64_t read_counter(void)
+{
+ uint64_t val;
+#if defined (__x86_64__)
+ unsigned long low, high;
+ __asm__ __volatile__("rdtsc" : "=a" (low), "=d" (high));
+ val = (low) | (high) << 32;
+#elif defined(__i386__) || defined(__i686__)
+ __asm__ __volatile__("rdtsc" : "=A" (val));
+#elif defined(__aarch64__)
+ __asm__ __volatile__ ("mrs %0, pmccntr_el0" : "=r" (val));
+#elif defined(__arm__)
+ __asm__ __volatile__ ("mrc p15, 0, %0, c9, c13, 0" : "=r" (val));
+#else
+#error unsupported arch
+#endif
+ return val;
+}
+
+#if defined(__x86_64__) || defined(__i386__) || defined(__i686__)
+static inline void pause(void)
+{
+ __asm__ __volatile__("pause");
+}
+#elif defined(__aarch64__)
+static inline void pause(void)
+{
+ __asm__ __volatile__("wfi");
+}
+#else
+static inline void pause(void)
+{
+ uint64_t a, b;
+ int x;
+ extern void msleep(unsigned long msecs);
+
+ a = read_counter();
+ for (x = 0; x < 1000; x++) {
+ msleep(1000);
+ b = read_counter();
+ if (a != b)
+ break;
+ }
+}
+#endif
+
+#endif /* !SHIM_ASM_H_ */
+// vim:fenc=utf-8:tw=75:et
diff --git a/include/compiler.h b/include/compiler.h
new file mode 100644
index 00000000..4e44840d
--- /dev/null
+++ b/include/compiler.h
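Review bot: In `read_counter()` the `__arm__` branch gives the 64-bit `val` to `mrc` as `%0`, but that instruction writes a single 32-bit register, so the upper half of the returned value looks like it is left uninitialised on 32-bit ARM. Reading into a 32-bit temporary and widening makes the result well defined: `uint32_t lo; __asm__ __volatile__ ("mrc p15, 0, %0, c9, c13, 0" : "=r" (lo)); val = lo;`. The header also uses `uint64_t` without including `<stdint.h>`, so it only compiles when an earlier include has already provided the type.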
@@ -0,0 +1,156 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + +#ifndef COMPILER_H_ +#define COMPILER_H_ + +#ifndef UNUSED +#define UNUSED __attribute__((__unused__)) +#endif +#ifndef HIDDEN +#define HIDDEN __attribute__((__visibility__ ("hidden"))) +#endif +#ifndef PUBLIC +#define PUBLIC __attribute__((__visibility__ ("default"))) +#endif +#ifndef DESTRUCTOR +#define DESTRUCTOR __attribute__((destructor)) +#endif +#ifndef CONSTRUCTOR +#define CONSTRUCTOR __attribute__((constructor)) +#endif +#ifndef ALIAS +#define ALIAS(x) __attribute__((weak, alias (#x))) +#endif +#ifndef NONNULL +#endif +#define NONNULL(first, args...) __attribute__((__nonnull__(first, ## args))) +#ifndef PRINTF +#define PRINTF(first, args...) __attribute__((__format__(printf, first, ## args))) +#endif +#ifndef FLATTEN +#define FLATTEN __attribute__((__flatten__)) +#endif +#ifndef PACKED +#define PACKED __attribute__((__packed__)) +#endif +#ifndef VERSION +#define VERSION(sym, ver) __asm__(".symver " # sym "," # ver) +#endif +#ifndef NORETURN +#define NORETURN __attribute__((__noreturn__)) +#endif +#ifndef ALIGNED +#define ALIGNED(n) __attribute__((__aligned__(n))) +#endif +#ifndef CLEANUP_FUNC +#define CLEANUP_FUNC(x) __attribute__((__cleanup__(x))) +#endif +#ifndef USED +#define USED __attribute__((__used__)) +#endif +#ifndef SECTION +#define SECTION(x) __attribute__((__section__(x))) +#endif +#ifndef OPTIMIZE +#define OPTIMIZE(x) __attribute__((__optimize__(x))) +#endif + +#ifndef __CONCAT +#define __CONCAT3(a, b, c) a ## b ## c +#endif +#ifndef CAT +#define CAT(a, b) __CONCAT(a, b) +#endif +#ifndef CAT3 +#define CAT3(a, b, c) __CONCAT3(a, b, c) +#endif +#ifndef STRING +#define STRING(x) __STRING(x) +#endif + +#ifndef WRITE_ONCE +#define WRITE_ONCE(var, val) \ + (*((volatile typeof(val) *)(&(var))) = (val)) +#endif + +#ifndef READ_ONCE +#define READ_ONCE(var) (*((volatile typeof(var) *)(&(var)))) +#endif + +#ifndef likely +#define likely(x) __builtin_expect(!!(x), 1) +#endif + +#ifndef 
unlikely +#define unlikely(x) __builtin_expect(!!(x), 0) +#endif + +/* Are two types/vars the same type (ignoring qualifiers)? */ +#ifndef __same_type +#define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) +#endif + +/* Compile time object size, -1 for unknown */ +#ifndef __compiletime_object_size +# define __compiletime_object_size(obj) -1 +#endif +#ifndef __compiletime_warning +# define __compiletime_warning(message) +#endif +#ifndef __compiletime_error +# define __compiletime_error(message) +#endif + +#ifndef __compiletime_assert +#define __compiletime_assert(condition, msg, prefix, suffix) \ + do { \ + extern void prefix ## suffix(void) __compiletime_error(msg); \ + if (!(condition)) \ + prefix ## suffix(); \ + } while (0) +#endif + +#ifndef _compiletime_assert +#define _compiletime_assert(condition, msg, prefix, suffix) \ + __compiletime_assert(condition, msg, prefix, suffix) +#endif + +/** + * compiletime_assert - break build and emit msg if condition is false + * @condition: a compile-time constant condition to check + * @msg: a message to emit if condition is false + * + * In tradition of POSIX assert, this macro will break the build if the + * supplied condition is *false*, emitting the supplied error message if the + * compiler has support to do so. + */ +#ifndef compiletime_assert +#define compiletime_assert(condition, msg) \ + _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__ - 1) +#endif + +/** + * BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied + * error message. + * @condition: the condition which the compiler should know is false. + * + * See BUILD_BUG_ON for description. 
+ */ +#ifndef BUILD_BUG_ON_MSG +#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) +#endif + +#ifndef ALIGN +#define __ALIGN_MASK(x, mask) (((x) + (mask)) & ~(mask)) +#define __ALIGN(x, a) __ALIGN_MASK(x, (typeof(x))(a) - 1) +#define ALIGN(x, a) __ALIGN((x), (a)) +#endif +#ifndef ALIGN_DOWN +#define ALIGN_DOWN(x, a) __ALIGN((x) - ((a) - 1), (a)) +#endif + +#define MIN(a, b) ({(a) < (b) ? (a) : (b);}) +#define MAX(a, b) ({(a) <= (b) ? (b) : (a);}) + +#endif /* !COMPILER_H_ */ +// vim:fenc=utf-8:tw=75:et diff --git a/include/configtable.h b/include/configtable.h index 0c9dfdca..e44bbbae 100644 --- a/include/configtable.h +++ b/include/configtable.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_CONFIGTABLE_H #define SHIM_CONFIGTABLE_H @@ -5,7 +7,7 @@ typedef UINT32 EFI_IMAGE_EXECUTION_ACTION; -#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007 +#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007 #define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000 #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001 #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002 
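Review bot: Two of the guards near the top of compiler.h do not protect what they appear to: the `#endif` for `#ifndef NONNULL` comes before the `#define NONNULL(...)`, so the macro is defined unconditionally, and `#ifndef __CONCAT` wraps the definition of `__CONCAT3` rather than `__CONCAT`. As written, `CAT()` expands to `__CONCAT`, which this header never defines, and `CAT3()` loses `__CONCAT3` whenever another header already supplies `__CONCAT`. Moving the `#endif` below the `NONNULL` definition and giving `__CONCAT` and `__CONCAT3` their own guarded definitions (`#define __CONCAT(a, b) a ## b`) would fix both. Separately, `compiletime_assert` passes `__LINE__ - 1` as the suffix that `__compiletime_assert` pastes with `##`, which looks like it leaves a stray `- 1` in the generated declaration; plain `__LINE__` is probably what was meant.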
@@ -24,24 +26,24 @@ typedef struct { /// UINT32 InfoSize; /// - /// If this image was a UEFI device driver (for option ROM, for example) this is the - /// null-terminated, user-friendly name for the device. If the image was for an application, - /// then this is the name of the application. If this cannot be determined, then a simple + /// If this image was a UEFI device driver (for option ROM, for example) this is the + /// null-terminated, user-friendly name for the device. If the image was for an application, + /// then this is the name of the application. If this cannot be determined, then a simple /// NULL character should be put in this position. /// CHAR16 Name[]; /// /// - /// For device drivers, this is the device path of the device for which this device driver - /// was intended. In some cases, the driver itself may be stored as part of the system - /// firmware, but this field should record the device's path, not the firmware path. For - /// applications, this is the device path of the application. If this cannot be determined, + /// For device drivers, this is the device path of the device for which this device driver + /// was intended. In some cases, the driver itself may be stored as part of the system + /// firmware, but this field should record the device's path, not the firmware path. For + /// applications, this is the device path of the application. If this cannot be determined, /// a simple end-of-path device node should be put in this position. /// EFI_DEVICE_PATH_PROTOCOL DevicePath; /// /// - /// Zero or more image signatures. If the image contained no signatures, + /// Zero or more image signatures. If the image contained no signatures, /// then this field is empty. /// ///EFI_SIGNATURE_LIST Signature; 
@@ -52,14 +54,13 @@ typedef struct { /// /// Number of EFI_IMAGE_EXECUTION_INFO structures. /// - UINTN NumberOfImages; + UINTN NumberOfImages; /// /// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures. /// EFI_IMAGE_EXECUTION_INFO InformationInfo[]; } EFI_IMAGE_EXECUTION_INFO_TABLE; - void * configtable_get_table(EFI_GUID *guid); EFI_IMAGE_EXECUTION_INFO_TABLE * diff --git a/include/console.h b/include/console.h index deb4fa3d..b2ab5fe4 100644 --- a/include/console.h +++ b/include/console.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_CONSOLE_H #define SHIM_CONSOLE_H @@ -7,6 +9,12 @@ #define PrintAt(fmt, ...) \ ({"Do not directly call PrintAt() use console_print_at() instead" = 1;}); +#if !defined(EFI_WARN_UNKNOWN_GLYPH) && defined(EFI_WARN_UNKOWN_GLYPH) +#define EFI_WARN_UNKNOWN_GLYPH EFI_WARN_UNKOWN_GLYPH +#elif !defined(EFI_WARN_UNKNOWN_GLYPH) +#define EFI_WARN_UNKNOWN_GLYPH EFIWARN(1) +#endif + EFI_STATUS console_get_keystroke(EFI_INPUT_KEY *key); UINTN @@ -33,7 +41,15 @@ console_alertbox(CHAR16 **title); void console_notify(CHAR16 *string); void +console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode); +void +console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode); +int +console_countdown(CHAR16* title, const CHAR16* message, int timeout); +void console_reset(void); +void +console_mode_handle(void); #define NOSEL 0x7fffffff typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL; 
@@ -76,12 +92,19 @@ struct _EFI_CONSOLE_CONTROL_PROTOCOL { extern VOID console_fini(VOID); extern VOID setup_verbosity(VOID); extern UINT32 verbose; -#define dprint(fmt, ...) ({ \ +#define dprint_(fmt, ...) ({ \ UINTN __dprint_ret = 0; \ if (verbose) \ __dprint_ret = console_print((fmt), ##__VA_ARGS__); \ __dprint_ret; \ }) +#define dprint(fmt, ...) \ + dprint_(L"%a:%d:%a() " fmt, __FILE__, __LINE__ - 1, __func__, \ + ##__VA_ARGS__) +extern EFI_STATUS +vdprint_(const CHAR16 *fmt, const char *file, int line, const char *func, va_list args); +#define vdprint(fmt, ...) \ + vdprint_(fmt, __FILE__, __LINE__ - 1, __func__, ##__VA_ARGS__) extern EFI_STATUS print_crypto_errors(EFI_STATUS rc, char *file, const char *func, int line); #define crypterr(rc) print_crypto_errors((rc), __FILE__, __func__, __LINE__) diff --git a/include/crypt_blowfish.h b/include/crypt_blowfish.h index 8d4dd4da..f89ec700 100644 --- a/include/crypt_blowfish.h +++ b/include/crypt_blowfish.h @@ -1,4 +1,13 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* + * The crypt_blowfish homepage is: + * + * http://www.openwall.com/crypt/ + * + * This code comes from John the Ripper password cracker, with reentrant + * and crypt(3) interfaces added, but optimizations specific to password + * cracking removed. + * * Written by Solar Designer <solar at openwall.com> in 2000-2011. * No copyright is claimed, and the software is hereby placed in the public * domain. In case this attempt to disclaim copyright and place the software diff --git a/include/efiauthenticated.h b/include/efiauthenticated.h index 7157ffd2..f2bcefdb 100644 --- a/include/efiauthenticated.h +++ b/include/efiauthenticated.h @@ -1,7 +1,9 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_EFIAUTHENTICATED_H #define SHIM_EFIAUTHENTICATED_H -#include <wincert.h> +#include "wincert.h" /*********************************************************************** * Signature Database 
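Review bot: The new `dprint` wrapper in console.h needs a comment stating its contract: it places `L"%a:%d:%a() "` directly in front of `fmt`, so `fmt` has to be a wide string literal, and it reports `__LINE__ - 1` rather than `__LINE__`. A line such as `/* fmt must be an L"..." literal; the file:line:func prefix is added by literal concatenation */` above the macro would do. `vdprint` is written as a variadic macro but forwards `##__VA_ARGS__` to `vdprint_`, whose last parameter is a single `va_list`, so it only works with exactly one extra argument; `#define vdprint(fmt, ap)` would say that directly. If requiring a literal is meant to keep non-constant strings out of the format position, the comment should say so.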
diff --git a/include/errors.h b/include/errors.h index 21978bd8..1c6cf528 100644 --- a/include/errors.h +++ b/include/errors.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_ERRORS_H #define SHIM_ERRORS_H diff --git a/include/execute.h b/include/execute.h index 18d2fa29..23d17728 100644 --- a/include/execute.h +++ b/include/execute.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_LIB_EXECUTE_H #define SHIM_LIB_EXECUTE_H diff --git a/include/guid.h b/include/guid.h index 81689d6c..114e8707 100644 --- a/include/guid.h +++ b/include/guid.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_GUID_H #define SHIM_GUID_H @@ -35,4 +37,6 @@ extern EFI_GUID SECURITY_PROTOCOL_GUID; extern EFI_GUID SECURITY2_PROTOCOL_GUID; extern EFI_GUID SHIM_LOCK_GUID; +extern EFI_GUID MOK_VARIABLE_STORE; + #endif /* SHIM_GUID_H */ diff --git a/include/hexdump.h b/include/hexdump.h index d337b571..8b8b4557 100644 --- a/include/hexdump.h +++ b/include/hexdump.h 
@@ -1,104 +1,147 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef STATIC_HEXDUMP_H #define STATIC_HEXDUMP_H -static int -__attribute__((__unused__)) -isprint(char c) -{ - if (c < 0x20) - return 0; - if (c > 0x7e) - return 0; - return 1; -} +#include <stdint.h> -static UINTN -__attribute__((__unused__)) -format_hex(UINT8 *data, UINTN size, CHAR16 *buf) +static inline unsigned long UNUSED +prepare_hex(const void *data, size_t size, char *buf, unsigned int position) { - UINTN sz = (UINTN)data % 16; - CHAR16 hexchars[] = L"0123456789abcdef"; + char hexchars[] = "0123456789abcdef"; int offset = 0; - UINTN i; - UINTN j; + unsigned long i; + unsigned long j; + unsigned long ret; - for (i = 0; i < sz; i++) { - buf[offset++] = L' '; - buf[offset++] = L' '; - buf[offset++] = L' '; + unsigned long before = (position % 16); + unsigned long after = (before+size >= 16) ? 0 : 16 - (before+size); + + for (i = 0; i < before; i++) { + buf[offset++] = 'X'; + buf[offset++] = 'X'; + buf[offset++] = ' '; if (i == 7) - buf[offset++] = L' '; + buf[offset++] = ' '; } - for (j = sz; j < 16 && j < size; j++) { - UINT8 d = data[j-sz]; + for (j = 0; j < 16 - after - before; j++) { + uint8_t d = ((uint8_t *)data)[j]; buf[offset++] = hexchars[(d & 0xf0) >> 4]; buf[offset++] = hexchars[(d & 0x0f)]; - if (j != 15) - buf[offset++] = L' '; - if (j == 7) - buf[offset++] = L' '; + if (i+j != 15) + buf[offset++] = ' '; + if (i+j == 7) + buf[offset++] = ' '; } - for (i = j; i < 16; i++) { - buf[offset++] = L' '; - buf[offset++] = L' '; - if (i != 15) - buf[offset++] = L' '; - if (i == 7) - buf[offset++] = L' '; + ret = 16 - after - before; + j += i; + for (i = 0; i < after; i++) { + buf[offset++] = 'X'; + buf[offset++] = 'X'; + if (i+j != 15) + buf[offset++] = ' '; + if (i+j == 7) + buf[offset++] = ' '; } - buf[offset] = L'\0'; - return j - sz; + buf[offset] = '\0'; + return ret; } -static void -__attribute__((__unused__)) -format_text(UINT8 *data, UINTN size, CHAR16 *buf) +#define 
isprint(c) ((c) >= 0x20 && (c) <= 0x7e) + +static inline void UNUSED +prepare_text(const void *data, size_t size, char *buf, unsigned int position) { - UINTN sz = (UINTN)data % 16; int offset = 0; - UINTN i; - UINTN j; - - for (i = 0; i < sz; i++) - buf[offset++] = L' '; - buf[offset++] = L'|'; - for (j = sz; j < 16 && j < size; j++) { - if (isprint(data[j-sz])) - buf[offset++] = data[j-sz]; + unsigned long i; + unsigned long j; + + unsigned long before = position % 16; + unsigned long after = (before+size > 16) ? 0 : 16 - (before+size); + + if (size == 0) { + buf[0] = '\0'; + return; + } + for (i = 0; i < before; i++) + buf[offset++] = 'X'; + buf[offset++] = '|'; + for (j = 0; j < 16 - after - before; j++) { + if (isprint(((uint8_t *)data)[j])) + buf[offset++] = ((uint8_t *)data)[j]; else - buf[offset++] = L'.'; + buf[offset++] = '.'; } - buf[offset++] = L'|'; - for (i = j; i < 16; i++) - buf[offset++] = L' '; - buf[offset] = L'\0'; + buf[offset++] = size > 0 ? '|' : 'X'; + buf[offset] = '\0'; } -static void -__attribute__((__unused__)) -hexdump(UINT8 *data, UINTN size) +/* + * variadic hexdump formatted + * think of it as: printf("%s%s\n", vformat(fmt, ap), hexdump(data,size)); + */ +static inline void UNUSED +vhexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt, const void *data, unsigned long size, size_t at, va_list ap) { - UINTN display_offset = (UINTN)data & 0xffffffff; - UINTN offset = 0; - //console_print(L"hexdump: data=0x%016x size=0x%x\n", data, size); + unsigned long display_offset = at; + unsigned long offset = 0; + + if (verbose == 0) + return; while (offset < size) { - CHAR16 hexbuf[49]; - CHAR16 txtbuf[19]; - UINTN sz; + char hexbuf[49]; + char txtbuf[19]; + unsigned long sz; - sz = format_hex(data+offset, size-offset, hexbuf); + sz = prepare_hex(data+offset, size-offset, hexbuf, + (unsigned long)data+offset); if (sz == 0) return; - msleep(200000); - format_text(data+offset, size-offset, txtbuf); - console_print(L"%08x 
%s %s\n", display_offset, hexbuf, txtbuf); - msleep(200000); + prepare_text(data+offset, size-offset, txtbuf, + (unsigned long)data+offset); + if (fmt && fmt[0] != 0) + vdprint_(fmt, file, line, func, ap); + dprint_(L"%a:%d:%a() %08lx %a %a\n", file, line, func, display_offset, hexbuf, txtbuf); display_offset += sz; offset += sz; } } +/* + * hexdump formatted + * think of it as: printf("%s%s", format(fmt, ...), hexdump(data,size)[lineN]); + */ +static inline void UNUSED +hexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt, const void *data, unsigned long size, size_t at, ...) +{ + va_list ap; + + va_start(ap, at); + vhexdumpf(file, line, func, fmt, data, size, at, ap); + va_end(ap); +} + +static inline void UNUSED +hexdump(const char *file, int line, const char *func, const void *data, unsigned long size) +{ + hexdumpf(file, line, func, L"", data, size, (intptr_t)data); +} + +static inline void UNUSED +hexdumpat(const char *file, int line, const char *func, const void *data, unsigned long size, size_t at) +{ + hexdumpf(file, line, func, L"", data, size, at); +} + +#define LogHexdump(data, sz) LogHexdump_(__FILE__, __LINE__, __func__, data, sz) +#define dhexdump(data, sz) hexdump(__FILE__, __LINE__, __func__, data, sz) +#define dhexdumpat(data, sz, at) \ + hexdumpat(__FILE__, __LINE__ - 1, __func__, data, sz, at) +#define dhexdumpf(fmt, data, sz, at, ...) \ + hexdumpf(__FILE__, __LINE__ - 1, __func__, fmt, data, sz, at, ##__VA_ARGS__) + #endif /* STATIC_HEXDUMP_H */ +// vim:fenc=utf-8:tw=75:noet diff --git a/include/Http.h b/include/http.h index 4b3746a7..c89047db 100644 --- a/include/Http.h +++ b/include/http.h 
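Review bot: `vhexdumpf()` passes the same `ap` to `vdprint_()` on every pass of the `while (offset < size)` loop, and once a callee has consumed a `va_list` its value in the caller is indeterminate, so a dump longer than one 16-byte row with a non-empty `fmt` formats its arguments from an undefined state. Each iteration should work on its own copy made with `va_copy` and released with `va_end`, assuming the build's stdarg header provides `va_copy`. In the same loop `data+offset` does arithmetic on a `const void *`, which relies on a GNU extension; a `const uint8_t *` local would make the byte stride explicit.

```c
	while (offset < size) {
		/* … unchanged: prepare_hex() / prepare_text() calls … */
		if (fmt && fmt[0] != 0) {
			va_list row_ap;

			/* ap must not be reused after a callee has walked it */
			va_copy(row_ap, ap);
			vdprint_(fmt, file, line, func, row_ap);
			va_end(row_ap);
		}
		/* … unchanged: dprint_() of the row, offset bookkeeping … */
```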
@@ -1,23 +1,14 @@ -/** @file - This file defines the EFI HTTP Protocol interface. It is split into - the following two main sections: - HTTP Service Binding Protocol (HTTPSB) - HTTP Protocol (HTTP) - - Copyright (c) 2016, Intel Corporation. All rights reserved.<BR> - (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR> - This program and the accompanying materials - are licensed and made available under the terms and conditions of the BSD License - which accompanies this distribution. The full text of the license may be found at - http://opensource.org/licenses/bsd-license.php - - THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, - WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - - @par Revision Reference: - This Protocol is introduced in UEFI Specification 2.5 - -**/ +// SPDX-License-Identifier: BSD-2-Clause-Patent + +/* + * This file defines the EFI HTTP Protocol interface. It is split into + * the following two main sections: + * HTTP Service Binding Protocol (HTTPSB) + * HTTP Protocol (HTTP) + * + * Copyright (c) 2016, Intel Corporation. All rights reserved. + * Copyright 2015 Hewlett Packard Enterprise Development LP + */ #ifndef SHIM_HTTP_H #define SHIM_HTTP_H diff --git a/include/httpboot.h b/include/httpboot.h index b47f6a9d..ea9c57fe 100644 --- a/include/httpboot.h +++ b/include/httpboot.h 
@@ -1,31 +1,7 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2015 SUSE LINUX GmbH <glin@suse.com> * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * * Significant portions of this code are derived from Tianocore * (http://tianocore.sf.net) and are Copyright 2009-2012 Intel * Corporation. diff --git a/include/Ip4Config2.h b/include/ip4config2.h index efacaf83..0955bc26 100644 --- a/include/Ip4Config2.h +++ b/include/ip4config2.h 
@@ -1,20 +1,11 @@ -/** @file - This file provides a definition of the EFI IPv4 Configuration II - Protocol. +// SPDX-License-Identifier: BSD-2-Clause-Patent -Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at<BR> -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -@par Revision Reference: -This Protocol is introduced in UEFI Specification 2.5 - -**/ +/* + * This file provides a definition of the EFI IPv4 Configuration II + * Protocol. + * + * Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved. + */ #ifndef SHIM_IP4CONFIG2_H #define SHIM_IP4CONFIG2_H diff --git a/include/Ip6Config.h b/include/ip6config.h index f99ce013..8d9025b7 100644 --- a/include/Ip6Config.h +++ b/include/ip6config.h @@ -1,17 +1,10 @@ -/** @file - This file provides a definition of the EFI IPv6 Configuration - Protocol. - -Copyright (c) 2008 - 2011, Intel Corporation. All rights reserved.<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at<BR> -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * This file provides a definition of the EFI IPv6 Configuration + * Protocol. + * + * Copyright (c) 2008 - 2011, Intel Corporation. All rights reserved. + */ #ifndef SHIM_IP6CONFIG_H #define SHIM_IP6CONFIG_H 
diff --git a/include/list.h b/include/list.h
new file mode 100644
index 00000000..ad87b45b
--- /dev/null
+++ b/include/list.h
@@ -0,0 +1,106 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * list.h - simple list primitives + */ + +#ifndef LIST_H_ +#define LIST_H_ + +#define container_of(ptr, type, member) \ + ({ \ + void *__mptr = (void *)(ptr); \ + ((type *)(__mptr - offsetof(type, member))); \ + }) + +struct list_head { + struct list_head *next; + struct list_head *prev; +}; + +typedef struct list_head list_t; + +#define LIST_HEAD_INIT(name) \ + { \ + .next = &(name), .prev = &(name) \ + } + +#define LIST_HEAD(name) struct list_head name = LIST_HEAD_INIT(name) + +#define INIT_LIST_HEAD(ptr) \ + ({ \ + (ptr)->next = (ptr); \ + (ptr)->prev = (ptr); \ + }) + +static inline int +list_empty(const struct list_head *head) +{ + return head->next == head; +} + +static inline void +__list_add(struct list_head *new, struct list_head *prev, + struct list_head *next) +{ + next->prev = new; + new->next = next; + new->prev = prev; + prev->next = new; +} + +static inline void +list_add(struct list_head *new, struct list_head *head) +{ + __list_add(new, head, head->next); +} + +static inline void +list_add_tail(struct list_head *new, struct list_head *head) +{ + __list_add(new, head->prev, head); +} + +static inline void +__list_del(struct list_head *prev, struct list_head *next) +{ + next->prev = prev; + prev->next = next; +} + +static inline void +__list_del_entry(struct list_head *entry) +{ + __list_del(entry->prev, entry->next); +} + +static inline void +list_del(struct list_head *entry) +{ + __list_del_entry(entry); + entry->next = NULL; + entry->prev = NULL; +} + +#define list_entry(ptr, type, member) container_of(ptr, type, member) + +#define list_first_entry(ptr, type, member) \ + list_entry((ptr)->next, type, member) + +#define list_last_entry(ptr, type, member) list_entry((ptr)->prev, type, member) + +#define list_for_each(pos, head) \ + for (pos = (head)->next; pos != (head); pos = pos->next) + +#define list_for_each_safe(pos, n, head) \ + for (pos = (head)->next, n = pos->next; pos 
!= (head); \ + pos = n, n = pos->next) + +#define list_for_each_prev(pos, head) \ + for (pos = (head)->prev; pos != (head); pos = pos->prev) + +#define list_for_each_prev_safe(pos, n, head) \ + for (pos = (head)->prev, n = pos->prev; pos != (head); \ + pos = n, n = pos->prev) + +#endif /* !LIST_H_ */ +// vim:fenc=utf-8:tw=75:noet diff --git a/include/netboot.h b/include/netboot.h index d1ad1257..98b174a3 100644 --- a/include/netboot.h +++ b/include/netboot.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_NETBOOT_H #define SHIM_NETBOOT_H diff --git a/include/PasswordCrypt.h b/include/passwordcrypt.h index cadad727..4c0e3607 100644 --- a/include/PasswordCrypt.h +++ b/include/passwordcrypt.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_PASSWORDCRYPT_H #define SHIM_PASSWORDCRYPT_H diff --git a/include/pe.h b/include/pe.h new file mode 100644 index 00000000..79bf440c --- /dev/null +++ b/include/pe.h @@ -0,0 +1,38 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * pe.h - helper functions for pe binaries. + * Copyright Peter Jones <pjones@redhat.com> + */ + +#ifndef PE_H_ +#define PE_H_ + +void * +ImageAddress (void *image, uint64_t size, uint64_t address); + +EFI_STATUS +read_header(void *data, unsigned int datasize, + PE_COFF_LOADER_IMAGE_CONTEXT *context); + +EFI_STATUS +handle_sbat(char *SBATBase, size_t SBATSize); + +EFI_STATUS +handle_image (void *data, unsigned int datasize, + EFI_LOADED_IMAGE *li, + EFI_IMAGE_ENTRY_POINT *entry_point, + EFI_PHYSICAL_ADDRESS *alloc_address, + UINTN *alloc_pages); + +EFI_STATUS +generate_hash (char *data, unsigned int datasize_in, + PE_COFF_LOADER_IMAGE_CONTEXT *context, + UINT8 *sha256hash, UINT8 *sha1hash); + +EFI_STATUS +relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context, + EFI_IMAGE_SECTION_HEADER *Section, + void *orig, void *data); + +#endif /* !PE_H_ */ +// vim:fenc=utf-8:tw=75:noet 
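Review bot: `list_del()` in the new list.h leaves the removed entry with `next` and `prev` set to NULL, so deleting the current node inside `list_for_each()` or `list_for_each_prev()` makes the loop's next step continue from a NULL `pos`; that contract should be written down next to the macros. A comment such as `/* entries may only be removed while iterating with the _safe variants */` above `list_for_each` would cover it. `container_of` also depends on `offsetof`, which this header uses without including `<stddef.h>`, so it relies on the includer already having it in scope.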
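Review bot: The prototypes in the new pe.h state no buffer contracts, which matters for functions that parse and hash images before they are trusted: `generate_hash()` takes `UINT8 *sha256hash` and `UINT8 *sha1hash` with no lengths, and `read_header()` and `handle_image()` take `unsigned int datasize` while `ImageAddress()` takes a `uint64_t size`. A short comment on each prototype would let callers be checked against it, for example `/* sha256hash presumably must hold SHA256_DIGEST_SIZE bytes and sha1hash SHA1_DIGEST_SIZE bytes; confirm against the implementation */`. It would also help to note whether the mixed size types are deliberate, since a caller holding a 64-bit length has to narrow it to call `read_header()`.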
diff --git a/include/PeImage.h b/include/peimage.h index a606e8b2..3b3f01a7 100644 --- a/include/PeImage.h +++ b/include/peimage.h @@ -1,28 +1,21 @@ -/** @file
- EFI image format for PE32, PE32+ and TE. Please note some data structures are
- different for PE32 and PE32+. EFI_IMAGE_NT_HEADERS32 is for PE32 and
- EFI_IMAGE_NT_HEADERS64 is for PE32+.
-
- This file is coded to the Visual Studio, Microsoft Portable Executable and
- Common Object File Format Specification, Revision 8.0 - May 16, 2006.
- This file also includes some definitions in PI Specification, Revision 1.0.
-
-Copyright (c) 2006 - 2010, Intel Corporation. All rights reserved.<BR>
-Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php.
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+/*
+ * EFI image format for PE32, PE32+ and TE. Please note some data structures
+ * are different for PE32 and PE32+. EFI_IMAGE_NT_HEADERS32 is for PE32 and
+ * EFI_IMAGE_NT_HEADERS64 is for PE32+.
+ *
+ * This file is coded to the Visual Studio, Microsoft Portable Executable and
+ * Common Object File Format Specification, Revision 8.0 - May 16, 2006. This
+ * file also includes some definitions in PI Specification, Revision 1.0.
+ *
+ * Copyright (c) 2006 - 2010, Intel Corporation. All rights reserved.
+ * Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
+ */
#ifndef SHIM_PEIMAGE_H
#define SHIM_PEIMAGE_H
-#include <wincert.h>
+#include "wincert.h"
#define SIGNATURE_16(A, B) ((A) | (B << 8))
#define SIGNATURE_32(A, B, C, D) (SIGNATURE_16 (A, B) | (SIGNATURE_16 (C, D) << 16))
@@ -768,7 +761,8 @@ typedef struct { UINT8 CertData[1];
} WIN_CERTIFICATE_EFI_PKCS;
-#define SHA256_DIGEST_SIZE 32
+#define SHA1_DIGEST_SIZE 20
+#define SHA256_DIGEST_SIZE 32
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
typedef struct {
diff --git a/include/replacements.h b/include/replacements.h index ab2a5a58..8b35c857 100644 --- a/include/replacements.h +++ b/include/replacements.h @@ -1,30 +1,8 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + /* - * Copyright 2013 Red Hat, Inc <pjones@redhat.com> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. + * Copyright Red Hat, Inc + * Copyright Peter Jones <pjones@redhat.com> */ #ifndef SHIM_REPLACEMENTS_H #define SHIM_REPLACEMENTS_H diff --git a/include/sbat.h b/include/sbat.h new file mode 100644 index 00000000..ffde202d --- /dev/null +++ b/include/sbat.h 
@@ -0,0 +1,36 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * sbat.c - parse SBAT data from the .rsrc section data + */ + +#ifndef SBAT_H_ +#define SBAT_H_ + +extern UINTN _sbat, _esbat; + +struct sbat_var { + const CHAR8 *component_name; + const CHAR8 *component_generation; + list_t list; +}; +extern list_t sbat_var; + +EFI_STATUS parse_sbat_var(list_t *entries); +void cleanup_sbat_var(list_t *entries); + +struct sbat_entry { + const CHAR8 *component_name; + const CHAR8 *component_generation; + const CHAR8 *vendor_name; + const CHAR8 *vendor_package_name; + const CHAR8 *vendor_version; + const CHAR8 *vendor_url; +}; + +EFI_STATUS parse_sbat(char *sbat_base, size_t sbat_size, size_t *sbats, struct sbat_entry ***sbat); +void cleanup_sbat_entries(size_t n, struct sbat_entry **entries); + +EFI_STATUS verify_sbat(size_t n, struct sbat_entry **entries); + +#endif /* !SBAT_H_ */ +// vim:fenc=utf-8:tw=75:noet diff --git a/include/security_policy.h b/include/security_policy.h index 7cfbfd03..e03653d2 100644 --- a/include/security_policy.h +++ b/include/security_policy.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_SECURITY_POLICY_H #define SHIM_SECURITY_POLICY_H diff --git a/include/shell.h b/include/shell.h index fec50137..579a92f5 100644 --- a/include/shell.h +++ b/include/shell.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_SHELL_H #define SHIM_SHELL_H diff --git a/include/simple_file.h b/include/simple_file.h index 7b019654..b3976626 100644 --- a/include/simple_file.h +++ b/include/simple_file.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_SIMPLE_FILE_H #define SHIM_SIMPLE_FILE_H diff --git a/include/str.h b/include/str.h index 9a748366..a6fbfefd 100644 --- a/include/str.h +++ b/include/str.h 
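Review bot: The prototypes added in include/sbat.h carry no contract, and the file comment still names `sbat.c` rather than this header. For `parse_sbat(char *sbat_base, size_t sbat_size, size_t *sbats, struct sbat_entry ***sbat)` the header does not say whether the input is bounded only by `sbat_size` or must also be NUL-terminated, or whether it is modified in place (it is not `const`). It also does not say whether the `const CHAR8 *` fields of `struct sbat_entry` point into that buffer, in which case they must not outlive it. Since `verify_sbat()` presumably feeds a boot-time allow/deny decision, I would add a comment above each prototype, for example `/* parse sbat_size bytes at sbat_base; on success *sbat holds *sbats entries, release with cleanup_sbat_entries() */`, with the wording checked against the implementation. The header also uses `list_t`, `CHAR8`, `UINTN` and `EFI_STATUS` without including anything, so it only compiles after the right headers have been pulled in by the includer.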
@@ -1,12 +1,13 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_STR_H #define SHIM_STR_H -static inline -__attribute__((unused)) -unsigned long strnlena(const CHAR8 *s, unsigned long n) +static inline __attribute__((unused)) unsigned long +strnlena(const CHAR8 *s, unsigned long n) { unsigned long i; - for (i = 0; i <= n; i++) + for (i = 0; i < n; i++) if (s[i] == '\0') break; return i; @@ -45,21 +46,67 @@ strcata(CHAR8 *dest, const CHAR8 *src) static inline __attribute__((unused)) CHAR8 * -translate_slashes(char *str) +strndupa(const CHAR8 * const src, const UINTN srcmax) +{ + UINTN len; + CHAR8 *news = NULL; + + if (!src || !srcmax) + return news; + + len = strnlena(src, srcmax); + news = AllocateZeroPool(len + 1); + if (news) + strncpya(news, src, len); + return news; +} + +static inline +__attribute__((unused)) +CHAR8 * +translate_slashes(CHAR8 *out, const char *str) { int i; int j; - if (str == NULL) - return (CHAR8 *)str; + if (str == NULL || out == NULL) + return NULL; for (i = 0, j = 0; str[i] != '\0'; i++, j++) { if (str[i] == '\\') { - str[j] = '/'; + out[j] = '/'; if (str[i+1] == '\\') i++; - } + } else + out[j] = str[i]; } - return (CHAR8 *)str; + out[j] = '\0'; + return out; +} + +static inline UNUSED CHAR8 * +strchrnula(const CHAR8 *s, int c) +{ + unsigned int i; + + if (s == NULL) + return NULL; + + for (i = 0; s[i] != '\000' && s[i] != c; i++) + ; + + return (CHAR8 *)&s[i]; +} + +static inline UNUSED CHAR8 * +strchra(const CHAR8 *s, int c) +{ + const CHAR8 *s1; + + s1 = strchrnula(s, c); + if (!s1 || s1[0] == '\000') + return NULL; + + return (CHAR8 *)s1; } #endif /* SHIM_STR_H */ diff --git a/include/tpm.h b/include/tpm.h index 746e871f..d5245875 100644 --- a/include/tpm.h +++ b/include/tpm.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_TPM_H #define SHIM_TPM_H 
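Review bot: `translate_slashes(CHAR8 *out, const char *str)` in the second str.h hunk now writes into a caller-supplied buffer but takes no size for it, so the write is bounded only by the NUL in `str`. The output is never longer than the input, so what keeps this safe is that `out` holds at least `strlen(str) + 1` bytes. That should be stated above the function, e.g. `/* out must have room for strlen(str) + 1 bytes */`, or enforced with an explicit size parameter if every caller can supply one. In-place use (`out == str`) still looks safe because `j` never passes `i`, but that is worth stating as well if callers rely on it. Separately, `strchra(s, '\000')` returns NULL here, where the standard `strchr` returns a pointer to the terminator; a one-line comment would keep callers from assuming libc behaviour.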
@@ -10,8 +12,9 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, const CHAR8 *description); EFI_STATUS fallback_should_prefer_reset(void); -EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash, - UINT8 pcr); +EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, + EFI_PHYSICAL_ADDRESS addr, EFI_DEVICE_PATH *path, + UINT8 *sha1hash, UINT8 pcr); EFI_STATUS tpm_measure_variable(CHAR16 *dbname, EFI_GUID guid, UINTN size, void *data); @@ -44,7 +47,7 @@ typedef struct _EFI_IMAGE_LOAD_EVENT { UINTN ImageLengthInMemory; UINTN ImageLinkTimeAddress; UINTN LengthOfDevicePath; - EFI_DEVICE_PATH DevicePath[1]; + EFI_DEVICE_PATH DevicePath[0]; } EFI_IMAGE_LOAD_EVENT; struct efi_tpm_protocol diff --git a/include/ucs2.h b/include/ucs2.h index 806774c7..e43c341f 100644 --- a/include/ucs2.h +++ b/include/ucs2.h 
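Review bot: `tpm_log_pe()` now takes two `EFI_PHYSICAL_ADDRESS` arguments, `buf` and `addr`, separated only by `size`, and nothing in the header says what each one refers to. Swapping them compiles without a diagnostic, and for a function that records measurements that would be a silent integrity problem. I would add a comment above the prototype naming each parameter's role, with the wording taken from the implementation, which is outside this hunk. `sha1hash` is also a bare `UINT8 *`; declaring it as `UINT8 sha1hash[SHA1_DIGEST_SIZE]`, in the style `variable_enroll_hash()` uses for its digest, would document the expected length, provided the constant is visible wherever tpm.h is included.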
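Review bot: Changing `DevicePath[1]` to `DevicePath[0]` in `EFI_IMAGE_LOAD_EVENT` shrinks `sizeof(EFI_IMAGE_LOAD_EVENT)` by one `EFI_DEVICE_PATH`, so every site that allocates or fills this event has to size it as `sizeof(EFI_IMAGE_LOAD_EVENT) + LengthOfDevicePath` and no longer subtract the placeholder element. Those sites are outside this hunk and should be checked together with it, because a leftover subtraction would now under-allocate and the device-path copy would run past the buffer. A zero-length array is also a GNU extension; the C99 flexible array member `EFI_DEVICE_PATH DevicePath[];` expresses the same layout portably. The struct definition starts above the hunk.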
@@ -1,36 +1,8 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* - * shim - trivial UEFI first-stage bootloader - * - * Copyright 2013 Red Hat, Inc <pjones@redhat.com> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - * Significant portions of this code are derived from Tianocore - * (http://tianocore.sf.net) and are Copyright 2009-2012 Intel - * Corporation. + * ucs2.h - UCS-2 string functions + * Copyright Red Hat, Inc + * Copyright Peter Jones <pjones@redhat.com> */ #ifndef SHIM_UCS2_H diff --git a/include/variables.h b/include/variables.h index 8566a1a4..09d97c31 100644 --- a/include/variables.h +++ b/include/variables.h 
@@ -1,8 +1,10 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_VARIABLES_H #define SHIM_VARIABLES_H -#include <efiauthenticated.h> -#include <PeImage.h> /* for SHA256_DIGEST_SIZE */ +#include "efiauthenticated.h" +#include "peimage.h" /* for SHA256_DIGEST_SIZE */ #define certlist_for_each_certentry(cl, cl_init, s, s_init) \ for (cl = (EFI_SIGNATURE_LIST *)(cl_init), s = (s_init); \ @@ -24,7 +26,7 @@ CreatePkX509SignatureList ( IN UINT8 *X509Data, IN UINTN X509DataSize, IN EFI_GUID owner, - OUT EFI_SIGNATURE_LIST **PkCert + OUT EFI_SIGNATURE_LIST **PkCert ); EFI_STATUS CreateTimeBasedPayload ( @@ -32,16 +34,15 @@ CreateTimeBasedPayload ( IN OUT UINT8 **Data ); EFI_STATUS -SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, UINT32 options, int createtimebased); +SetSecureVariable(const CHAR16 * const var, UINT8 *Data, UINTN len, EFI_GUID owner, UINT32 options, int createtimebased); EFI_STATUS -get_variable(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner); +get_variable(const CHAR16 * const var, UINT8 **data, UINTN *len, EFI_GUID owner); EFI_STATUS -get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, - UINT32 *attributes); +get_variable_attr(const CHAR16 * const var, UINT8 **data, UINTN *len, EFI_GUID owner, UINT32 *attributes); EFI_STATUS find_in_esl(UINT8 *Data, UINTN DataSize, UINT8 *key, UINTN keylen); EFI_STATUS -find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen); +find_in_variable_esl(const CHAR16 * const var, EFI_GUID owner, UINT8 *key, UINTN keylen); #define EFI_OS_INDICATIONS_BOOT_TO_FW_UI 0x0000000000000001 
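Review bot: In the prototypes changed by the third variables.h hunk, the second `const` in `const CHAR16 * const var` qualifies the by-value pointer itself and has no effect in a declaration. `const CHAR16 *var` gives callers the same guarantee and reads like the other pointer parameters in this header. The top-level `const` can stay on the definitions if the authors want it there.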
@@ -54,10 +55,15 @@ variable_is_secureboot(void); int variable_is_setupmode(int default_return); EFI_STATUS -variable_enroll_hash(CHAR16 *var, EFI_GUID owner, +variable_enroll_hash(const CHAR16 * const var, EFI_GUID owner, UINT8 hash[SHA256_DIGEST_SIZE]); EFI_STATUS -variable_create_esl(void *cert, int cert_len, EFI_GUID *type, EFI_GUID *owner, - void **out, int *outlen); +variable_create_esl(const uint8_t *cert, const size_t cert_len, + const EFI_GUID *type, const EFI_GUID *owner, + uint8_t **out, size_t *outlen); +EFI_STATUS +fill_esl(const uint8_t *data, const size_t data_len, + const EFI_GUID *type, const EFI_GUID *owner, + uint8_t *out, size_t *outlen); #endif /* SHIM_VARIABLES_H */ diff --git a/include/wincert.h b/include/wincert.h index a3ce12a2..9a5953a5 100644 --- a/include/wincert.h +++ b/include/wincert.h @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + #ifndef SHIM_WINCERT_H #define SHIM_WINCERT_H 
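Review bot: `fill_esl()` writes into a caller-provided `out` and takes `outlen` by pointer, but the header does not say whether `*outlen` is the capacity of `out` on entry, the number of bytes produced on return, or both. It also does not say what happens when `out` is NULL or too small. This is the function that lays out a signature list in memory, so the size contract should be documented where callers read it. A comment such as `/* on entry *outlen is the size of out; on return it is the size of the ESL */` would do, corrected to whatever the implementation actually does. The switch from `int` to `size_t` lengths in `variable_create_esl()` is an improvement, though these two prototypes now use `uint8_t`/`size_t` while the rest of the header uses `UINT8`/`UINTN`; one spelling per header is easier to audit.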
@@ -6,28 +8,27 @@ /// typedef struct { /// - /// The length of the entire certificate, - /// including the length of the header, in bytes. + /// The length of the entire certificate, + /// including the length of the header, in bytes. /// UINT32 dwLength; /// - /// The revision level of the WIN_CERTIFICATE - /// structure. The current revision level is 0x0200. + /// The revision level of the WIN_CERTIFICATE + /// structure. The current revision level is 0x0200. /// UINT16 wRevision; /// - /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI - /// certificate types. The UEFI specification reserves the range of - /// certificate type values from 0x0EF0 to 0x0EFF. + /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI + /// certificate types. The UEFI specification reserves the range of + /// certificate type values from 0x0EF0 to 0x0EFF. /// UINT16 wCertificateType; /// - /// The following is the actual certificate. The format of + /// The following is the actual certificate. The format of /// the certificate depends on wCertificateType. /// /// UINT8 bCertificate[ANYSIZE_ARRAY]; /// } WIN_CERTIFICATE; - #endif /* SHIM_WINCERT_H */ |
