diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch
deleted file mode 100644
index c7de89d..0000000
--- a/SOURCES/0001-Add-vendor-esl.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-From ad8b20e8e2cd71418a536a8068f8e37222bd3855 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Sat, 21 Jul 2018 04:12:57 +0200
-Subject: [PATCH] Implement vendor EFI Signature List (ESL)
-
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- Make.defaults |   3 ++
- cert.S        |  30 +++++++++++++++
- mok.c         | 100 +++++++++++++++++++++++++++++---------------------
- shim.c        |  25 +++++++++++++
- shim.h        |   2 +
- 5 files changed, 119 insertions(+), 41 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index bbfc1d7f..d8b4ba25 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -124,6 +124,9 @@ CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/sha
- ifneq ($(origin VENDOR_CERT_FILE), undefined)
- 	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
- endif
-+ifneq ($(origin VENDOR_ESL_FILE), undefined)
-+	CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\"
-+endif
- ifneq ($(origin VENDOR_DBX_FILE), undefined)
- 	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
- endif
-diff --git a/cert.S b/cert.S
-index cfc4525b..7ad782ab 100644
---- a/cert.S
-+++ b/cert.S
-@@ -8,12 +8,18 @@ cert_table:
- #else
- 	.long	0
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+	.long	vendor_esl_priv_end - vendor_esl_priv
-+#else
-+	.long	0
-+#endif
- #if defined(VENDOR_DBX_FILE)
- 	.long	vendor_dbx_priv_end - vendor_dbx_priv
- #else
- 	.long	0
- #endif
- 	.long	vendor_cert_priv - cert_table
-+	.long	vendor_esl_priv - cert_table
- 	.long	vendor_dbx_priv - cert_table
- #if defined(VENDOR_CERT_FILE)
- 	.data
-@@ -39,6 +45,30 @@ vendor_cert_priv:
- 	.section .vendor_cert, "a", %progbits
- vendor_cert_priv_end:
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+	.data
-+	.align	1
-+	.type	vendor_esl_priv, %object
-+	.size	vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv
-+	.section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+.incbin VENDOR_ESL_FILE
-+vendor_esl_priv_end:
-+#else
-+	.bss
-+	.type	vendor_esl_priv, %object
-+	.size	vendor_esl_priv, 1
-+	.section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+	.zero	1
-+
-+	.data
-+	.align 4
-+	.type	vendor_esl_size_priv, %object
-+	.size	vendor_esl_size_priv, 4
-+	.section .vendor_cert, "a", %progbits
-+vendor_esl_priv_end:
-+#endif
- #if defined(VENDOR_DBX_FILE)
- 	.data
- 	.align	1
-diff --git a/mok.c b/mok.c
-index 38675211..7734806b 100644
---- a/mok.c
-+++ b/mok.c
-@@ -62,12 +62,6 @@ struct mok_state_variable {
- 	EFI_GUID *guid;
- 	UINT8 *data;
- 	UINTN data_size;
--	/*
--	 * These two are indirect pointers just to make initialization
--	 * saner...
--	 */
--	UINT8 **addend_source;
--	UINT32 *addend_size;
- 	UINT32 yes_attr;
- 	UINT32 no_attr;
- 	UINT32 flags;
-@@ -75,10 +69,11 @@ struct mok_state_variable {
- 	UINT8 *state;
- };
- 
--#define MOK_MIRROR_KEYDB	0x01
--#define MOK_MIRROR_DELETE_FIRST	0x02
--#define MOK_VARIABLE_MEASURE	0x04
--#define MOK_VARIABLE_LOG	0x08
-+#define MOK_MIRROR_KEYDB		0x01
-+#define MOK_MIRROR_DELETE_FIRST		0x02
-+#define MOK_VARIABLE_MEASURE		0x04
-+#define MOK_VARIABLE_LOG		0x08
-+#define MOK_VARIABLE_APPEND_CERT	0x10
- 
- struct mok_state_variable mok_state_variables[] = {
- 	{.name = L"MokList",
-@@ -88,10 +83,9 @@ struct mok_state_variable mok_state_variables[] = {
- 	 .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS |
- 		     EFI_VARIABLE_NON_VOLATILE,
- 	 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
--	 .addend_source = &vendor_cert,
--	 .addend_size = &vendor_cert_size,
- 	 .flags = MOK_MIRROR_KEYDB |
--		  MOK_VARIABLE_LOG,
-+		  MOK_VARIABLE_LOG |
-+		  MOK_VARIABLE_APPEND_CERT,
- 	 .pcr = 14,
- 	},
- 	{.name = L"MokListX",
-@@ -138,40 +132,54 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
- 	uint8_t *p = NULL;
- 
- 	if ((v->flags & MOK_MIRROR_KEYDB) &&
--	    v->addend_source && *v->addend_source &&
--	    v->addend_size && *v->addend_size) {
--		EFI_SIGNATURE_LIST *CertList = NULL;
--		EFI_SIGNATURE_DATA *CertData = NULL;
--		FullDataSize = v->data_size
--			     + sizeof (*CertList)
--			     + sizeof (EFI_GUID)
--			     + *v->addend_size;
-+	    (v->flags & MOK_VARIABLE_APPEND_CERT)) {
-+		FullDataSize = v->data_size;
-+
-+		if (vendor_esl_size) {
-+			FullDataSize += vendor_esl_size;
-+		}
-+		if (vendor_cert_size) {
-+			FullDataSize += sizeof (EFI_SIGNATURE_LIST)
-+				     + sizeof (EFI_GUID)
-+			             + vendor_cert_size;
-+		}
-+
- 		FullData = AllocatePool(FullDataSize);
- 		if (!FullData) {
- 			perror(L"Failed to allocate space for MokListRT\n");
- 			return EFI_OUT_OF_RESOURCES;
- 		}
- 		p = FullData;
--
- 		if (!EFI_ERROR(efi_status) && v->data_size > 0) {
- 			CopyMem(p, v->data, v->data_size);
- 			p += v->data_size;
- 		}
--		CertList = (EFI_SIGNATURE_LIST *)p;
--		p += sizeof (*CertList);
--		CertData = (EFI_SIGNATURE_DATA *)p;
--		p += sizeof (EFI_GUID);
--
--		CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
--		CertList->SignatureListSize = *v->addend_size
--					      + sizeof (*CertList)
--					      + sizeof (*CertData)
--					      -1;
--		CertList->SignatureHeaderSize = 0;
--		CertList->SignatureSize = *v->addend_size + sizeof (EFI_GUID);
--
--		CertData->SignatureOwner = SHIM_LOCK_GUID;
--		CopyMem(p, *v->addend_source, *v->addend_size);
-+
-+		if (vendor_esl_size) {
-+			CopyMem(p, vendor_esl, vendor_esl_size);
-+			p += vendor_esl_size;
-+		}
-+
-+		if (vendor_cert_size) {
-+			EFI_SIGNATURE_LIST *CertList = NULL;
-+			EFI_SIGNATURE_DATA *CertData = NULL;
-+
-+			CertList = (EFI_SIGNATURE_LIST *)p;
-+			p += sizeof (*CertList);
-+			CertData = (EFI_SIGNATURE_DATA *)p;
-+			p += sizeof (EFI_GUID);
-+
-+			CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
-+			CertList->SignatureListSize = vendor_cert_size
-+						      + sizeof (*CertList)
-+						      + sizeof (*CertData)
-+						      -1;
-+			CertList->SignatureHeaderSize = 0;
-+			CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
-+
-+			CertData->SignatureOwner = SHIM_LOCK_GUID;
-+			CopyMem(p, vendor_cert, vendor_cert_size);
-+		}
- 
- 		if (v->data && v->data_size)
- 			FreePool(v->data);
-@@ -223,11 +231,24 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- 		UINT32 attrs = 0;
- 		BOOLEAN delete = FALSE, present, addend;
- 
-+		addend = (v->flags & MOK_VARIABLE_APPEND_CERT) != 0;
-+
- 		efi_status = get_variable_attr(v->name,
- 					       &v->data, &v->data_size,
- 					       *v->guid, &attrs);
--		if (efi_status == EFI_NOT_FOUND)
-+		if (efi_status == EFI_NOT_FOUND) {
-+			if (v->rtname && addend) {
-+				efi_status = mirror_one_mok_variable(v);
-+				if (EFI_ERROR(efi_status) &&
-+				    ret != EFI_SECURITY_VIOLATION)
-+					ret = efi_status;
-+			}
-+			/*
-+			 * after possibly adding, we can continue, no
-+			 * further checks to be done.
-+			 */
- 			continue;
-+		}
- 		if (EFI_ERROR(efi_status)) {
- 			perror(L"Could not verify %s: %r\n", v->name,
- 			       efi_status);
-@@ -272,9 +293,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- 		}
- 
- 		present = (v->data && v->data_size) ? TRUE : FALSE;
--		addend = (v->addend_source && v->addend_size &&
--			  *v->addend_source && *v->addend_size)
--			? TRUE : FALSE;
- 
- 		if (v->flags & MOK_VARIABLE_MEASURE && present) {
- 			/*
-diff --git a/shim.c b/shim.c
-index 05fc6500..64b79da5 100644
---- a/shim.c
-+++ b/shim.c
-@@ -66,14 +66,18 @@ static UINT32 load_options_size;
-  */
- extern struct {
- 	UINT32 vendor_cert_size;
-+	UINT32 vendor_esl_size;
- 	UINT32 vendor_dbx_size;
- 	UINT32 vendor_cert_offset;
-+	UINT32 vendor_esl_offset;
- 	UINT32 vendor_dbx_offset;
- } cert_table;
- 
- UINT32 vendor_cert_size;
-+UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT8 *vendor_cert;
-+UINT8 *vendor_esl;
- UINT8 *vendor_dbx;
- 
- /*
-@@ -1065,6 +1069,25 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- 		}
- #endif /* defined(ENABLE_SHIM_CERT) */
- 
-+		/*
-+		 * Check against a built-in EFI Signature List (ESL)
-+		 */
-+		if (vendor_esl_size &&
-+		    check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl,
-+					 vendor_esl_size,
-+					 cert,
-+					 sha256hash,
-+					 L"Shim",
-+					 SHIM_LOCK_GUID) == DATA_FOUND) {
-+			update_verification_method(VERIFIED_BY_CERT);
-+			// tpm_measurement is done by check_db_cert_in_ram
-+			efi_status = EFI_SUCCESS;
-+			drain_openssl_errors();
-+			return efi_status;
-+		} else {
-+			LogError(L"check_db_cert_in_ram(vendor_esl) failed\n");
-+		}
-+
- 		/*
- 		 * And finally, check against shim's built-in key
- 		 */
-@@ -2541,8 +2564,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 	verification_method = VERIFIED_BY_NOTHING;
- 
- 	vendor_cert_size = cert_table.vendor_cert_size;
-+	vendor_esl_size = cert_table.vendor_esl_size;
- 	vendor_dbx_size = cert_table.vendor_dbx_size;
- 	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
-+	vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset;
- 	vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
- 	CHAR16 *msgs[] = {
- 		L"import_mok_state() failed\n",
-diff --git a/shim.h b/shim.h
-index 2b359d82..2e411040 100644
---- a/shim.h
-+++ b/shim.h
-@@ -167,8 +167,10 @@ extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath);
- extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle);
- 
- extern UINT32 vendor_cert_size;
-+extern UINT32 vendor_esl_size;
- extern UINT32 vendor_dbx_size;
- extern UINT8 *vendor_cert;
-+extern UINT8 *vendor_esl;
- extern UINT8 *vendor_dbx;
- 
- extern UINT8 user_insecure_mode;
diff --git a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
new file mode 100644
index 0000000..0779498
--- /dev/null
+++ b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
@@ -0,0 +1,60 @@
+From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Mon, 5 Nov 2018 14:51:16 +0100
+Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored
+
+Without this, if a Mok variable doesn't exist in Boot Services, it will also
+not be copied to Runtime, even if we have data to be added to it (vendor cert).
+This patch makes sure that if we have extra data to append, we still mirror
+the variable.
+
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+---
+ mok.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 38675211e0e..00dd1ad3034 100644
+--- a/mok.c
++++ b/mok.c
+@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 		UINT32 attrs = 0;
+ 		BOOLEAN delete = FALSE, present, addend;
+ 
++		addend = (v->addend_source && v->addend_size &&
++			  *v->addend_source && *v->addend_size)
++			? TRUE : FALSE;
++
+ 		efi_status = get_variable_attr(v->name,
+ 					       &v->data, &v->data_size,
+ 					       *v->guid, &attrs);
+-		if (efi_status == EFI_NOT_FOUND)
++		if (efi_status == EFI_NOT_FOUND) {
++			if (v->rtname && addend) {
++				efi_status = mirror_one_mok_variable(v);
++				if (EFI_ERROR(efi_status) &&
++				    ret != EFI_SECURITY_VIOLATION)
++					ret = efi_status;
++			}
++			/*
++			 * after possibly adding, we can continue, no
++			 * further checks to be done.
++			 */
+ 			continue;
++		}
+ 		if (EFI_ERROR(efi_status)) {
+ 			perror(L"Could not verify %s: %r\n", v->name,
+ 			       efi_status);
+@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 		}
+ 
+ 		present = (v->data && v->data_size) ? TRUE : FALSE;
+-		addend = (v->addend_source && v->addend_size &&
+-			  *v->addend_source && *v->addend_size)
+-			? TRUE : FALSE;
+ 
+ 		if (v->flags & MOK_VARIABLE_MEASURE && present) {
+ 			/*
+-- 
+2.20.1
+
diff --git a/SOURCES/0002-MokListRT-Fatal.patch b/SOURCES/0002-MokListRT-Fatal.patch
deleted file mode 100644
index 6590ae9..0000000
--- a/SOURCES/0002-MokListRT-Fatal.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 9a2dd0a945720634b9f3608c3b3dfb99fafd4465 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Thu, 6 Dec 2018 10:08:45 +0100
-Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
- systems
-
-I have come across systems that are unwilling to reserve enough memory for
-a MokListRT big enough for big certificates.
-This seems to be the case with firmware implementations that do not support
-secureboot, which is probably the reason they went with much lower variable
-storage.
-
-This patch set makes sure we can still boot on those systems, by only
-making the copy action fatal if the system has secure boot enabled, or if
-the error was anything other than EFI_INVALID_PARAMETER.
-
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- shim.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index fcc11eb3..89ef0036 100644
---- a/shim.c
-+++ b/shim.c
-@@ -2632,9 +2632,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- die:
- 		console_print(L"Something has gone seriously wrong: %s: %r\n",
- 			      msgs[msg], efi_status);
--		msleep(5000000);
--		gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
--				 0, NULL);
-+		/*
-+		 * Make copy failures fatal only if secure_mode is enabled, or
-+		 * the error was anything else than EFI_INVALID_PARAMETER.
-+		 * There are non-secureboot firmware implementations that don't
-+		 * reserve enough EFI variable memory to fit the variable.
-+		 */
-+		if (secure_mode() || efi_status != EFI_INVALID_PARAMETER) {
-+			msleep(5000000);
-+			gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
-+					 0, NULL);
-+		}
- 	}
- 
- 	efi_status = shim_init();
diff --git a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
new file mode 100644
index 0000000..fc2adbc
--- /dev/null
+++ b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
@@ -0,0 +1,49 @@
+From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 21 Nov 2018 12:47:43 +0800
+Subject: [PATCH 2/3] mok: fix the mirroring of RT variables
+
+When there is no key in MokList, import_mok_state() just skipped MokList
+even though it should always mirror the vendor cert. Besides, the faulty
+check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
+MokSBStateRT, and MokIgnoreDB.
+
+https://github.com/rhboot/shim/issues/154
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 00dd1ad3034..41925abbb49 100644
+--- a/mok.c
++++ b/mok.c
+@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 					       &v->data, &v->data_size,
+ 					       *v->guid, &attrs);
+ 		if (efi_status == EFI_NOT_FOUND) {
+-			if (v->rtname && addend) {
+-				efi_status = mirror_one_mok_variable(v);
+-				if (EFI_ERROR(efi_status) &&
+-				    ret != EFI_SECURITY_VIOLATION)
+-					ret = efi_status;
+-			}
++			if (addend)
++				goto mirror_addend;
+ 			/*
+ 			 * after possibly adding, we can continue, no
+ 			 * further checks to be done.
+@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 			}
+ 		}
+ 
+-		if (v->rtname && present && addend) {
++mirror_addend:
++		if (v->rtname && (present || addend)) {
+ 			if (v->flags & MOK_MIRROR_DELETE_FIRST)
+ 				LibDeleteVariable(v->rtname, v->guid);
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
new file mode 100644
index 0000000..caded4e
--- /dev/null
+++ b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
@@ -0,0 +1,109 @@
+From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 31 Jan 2019 13:45:30 -0500
+Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of
+ using goto
+
+There's no reason to complicate the logic with a goto here, instead just
+pull the logic we're jumping to out to a helper function.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ mok.c  | 41 ++++++++++++++++++++++++++++-------------
+ shim.h |  2 ++
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 41925abbb49..2f495e6cf25 100644
+--- a/mok.c
++++ b/mok.c
+@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = {
+ 	{ NULL, }
+ };
+ 
+-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
++static EFI_STATUS nonnull(1)
++mirror_one_mok_variable(struct mok_state_variable *v)
+ {
+ 	EFI_STATUS efi_status = EFI_SUCCESS;
+ 	void *FullData = NULL;
+@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
+ 	return efi_status;
+ }
+ 
++/*
++ * Mirror a variable if it has an rtname, and preserve any
++ * EFI_SECURITY_VIOLATION status at the same time.
++ */
++static EFI_STATUS nonnull(1)
++maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret)
++{
++	EFI_STATUS efi_status;
++	if (v->rtname) {
++		if (v->flags & MOK_MIRROR_DELETE_FIRST)
++			LibDeleteVariable(v->rtname, v->guid);
++
++		efi_status = mirror_one_mok_variable(v);
++		if (EFI_ERROR(efi_status)) {
++			if (ret != EFI_SECURITY_VIOLATION)
++				ret = efi_status;
++			perror(L"Could not create %s: %r\n", v->rtname,
++			       efi_status);
++		}
++	}
++	return ret;
++}
++
+ /*
+  * Verify our non-volatile MoK state.  This checks the variables above
+  * accessable and have valid attributes.  If they don't, it removes
+@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 					       *v->guid, &attrs);
+ 		if (efi_status == EFI_NOT_FOUND) {
+ 			if (addend)
+-				goto mirror_addend;
++				ret = maybe_mirror_one_mok_variable(v, ret);
+ 			/*
+ 			 * after possibly adding, we can continue, no
+ 			 * further checks to be done.
+@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 			}
+ 		}
+ 
+-mirror_addend:
+-		if (v->rtname && (present || addend)) {
+-			if (v->flags & MOK_MIRROR_DELETE_FIRST)
+-				LibDeleteVariable(v->rtname, v->guid);
+-
+-			efi_status = mirror_one_mok_variable(v);
+-			if (EFI_ERROR(efi_status) &&
+-			    ret != EFI_SECURITY_VIOLATION)
+-				ret = efi_status;
+-		}
++		if (present)
++			ret = maybe_mirror_one_mok_variable(v, ret);
+ 	}
+ 
+ 	/*
+@@ -340,4 +356,4 @@ mirror_addend:
+ 	return ret;
+ }
+ 
+-// vim:fenc=utf-8:tw=75
++// vim:fenc=utf-8:tw=75:noet
+diff --git a/shim.h b/shim.h
+index 2b359d821e3..c26d5f06538 100644
+--- a/shim.h
++++ b/shim.h
+@@ -30,6 +30,8 @@
+ 
+ #include <stddef.h>
+ 
++#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
++
+ #define min(a, b) ({(a) < (b) ? (a) : (b);})
+ 
+ #ifdef __x86_64__
+-- 
+2.20.1
+
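Review bot: The last mirror call in import_mok_state() is now gated on `present` alone, where the lines it replaces tested `v->rtname && (present || addend)`. A variable that is found but ends up with no usable data (empty, or discarded by the checks earlier in the loop, which are outside this hunk) would then skip mirroring even though a vendor certificate addend exists, so the runtime copy would lack the built-in certificate. If that case is reachable, `if (present || addend)` keeps the previous behaviour; the `EFI_NOT_FOUND` branch only covers a variable that is missing altogether. The new helper also discards the result of `LibDeleteVariable()`, which deserves a one-line comment saying the delete is best-effort.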
diff --git a/SOURCES/0004-Make-VLogError-behave-as-expected.patch b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
new file mode 100644
index 0000000..2e5ca64
--- /dev/null
+++ b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
@@ -0,0 +1,50 @@
+From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 12 Feb 2019 18:04:49 -0500
+Subject: [PATCH 4/4] Make VLogError() behave as expected.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ errlog.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/errlog.c b/errlog.c
+index 18be4822d53..eebb266d396 100644
+--- a/errlog.c
++++ b/errlog.c
+@@ -14,29 +14,20 @@ EFI_STATUS
+ VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
+ {
+ 	va_list args2;
+-	UINTN size = 0, size2;
+ 	CHAR16 **newerrs;
+ 
+-	size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
+-	va_copy(args2, args);
+-	size2 = VSPrint(NULL, 0, fmt, args2);
+-	va_end(args2);
+-
+ 	newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
+ 				       (nerrs + 3) * sizeof(*errs));
+ 	if (!newerrs)
+ 		return EFI_OUT_OF_RESOURCES;
+ 
+-	newerrs[nerrs] = AllocatePool(size*2+2);
++	newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
+ 	if (!newerrs[nerrs])
+ 		return EFI_OUT_OF_RESOURCES;
+-	newerrs[nerrs+1] = AllocatePool(size2*2+2);
++	va_copy(args2, args);
++	newerrs[nerrs+1] = VPoolPrint(fmt, args2);
+ 	if (!newerrs[nerrs+1])
+ 		return EFI_OUT_OF_RESOURCES;
+-
+-	SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
+-	va_copy(args2, args);
+-	VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
+ 	va_end(args2);
+ 
+ 	nerrs += 2;
+-- 
+2.20.1
+
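Review bot: The early return after `VPoolPrint()` in VLogError() leaves `args2` without its matching `va_end()` and leaks the prefix string just stored in `newerrs[nerrs]`. Moving `va_end(args2);` to directly after `newerrs[nerrs+1] = VPoolPrint(fmt, args2);` and adding `FreePool(newerrs[nerrs]);` before the second `return EFI_OUT_OF_RESOURCES;` closes both. Both early returns also happen after `ReallocatePool()` has succeeded; if that call releases the old array and `errs` is only updated further down (outside this hunk), `errs` would be left pointing at freed memory on these paths, so that is worth confirming. The function body continues past the end of the hunk.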
diff --git a/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
new file mode 100644
index 0000000..8e3c47a
--- /dev/null
+++ b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
@@ -0,0 +1,97 @@
+From fea3f2ec1936cfb9ed0b3ee62d9d23698097b814 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Mar 2019 09:52:02 -0400
+Subject: [PATCH] Once again, try even harder to get binaries without
+ timestamps in them.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date'
+Time/Date		Thu Jan  1 00:00:08 1970
+$ _
+
+"What is despair? I have known it—hear my song. Despair is when you’re
+debugging a kernel driver and you look at a memory dump and you see that
+a pointer has a value of 7."
+ - http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf
+
+objcopy only knows about -D for some targets.
+ld only believes in --no-insert-timestamp in some versions.
+dd takes off and nukes the site from orbit.
+
+It's the only way to be sure.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 4 ++++
+ Makefile      | 6 ++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index e11ab5a7f2c..4c26c1adf1f 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -72,6 +72,7 @@ ifeq ($(ARCH),x86_64)
+ 	ARCH_SUFFIX		?= x64
+ 	ARCH_SUFFIX_UPPER	?= X64
+ 	ARCH_LDFLAGS		?=
++	TIMESTAMP_LOCATION	:= 136
+ endif
+ ifeq ($(ARCH),ia32)
+ 	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+@@ -81,6 +82,7 @@ ifeq ($(ARCH),ia32)
+ 	ARCH_SUFFIX		?= ia32
+ 	ARCH_SUFFIX_UPPER	?= IA32
+ 	ARCH_LDFLAGS		?=
++	TIMESTAMP_LOCATION	:= 136
+ endif
+ ifeq ($(ARCH),aarch64)
+ 	CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align
+@@ -90,6 +92,7 @@ ifeq ($(ARCH),aarch64)
+ 	FORMAT			:= -O binary
+ 	SUBSYSTEM		:= 0xa
+ 	ARCH_LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++	TIMESTAMP_LOCATION	:= 72
+ endif
+ ifeq ($(ARCH),arm)
+ 	CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align
+@@ -99,6 +102,7 @@ ifeq ($(ARCH),arm)
+ 	FORMAT			:= -O binary
+ 	SUBSYSTEM		:= 0xa
+ 	ARCH_LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++	TIMESTAMP_LOCATION	:= 72
+ endif
+ 
+ FORMAT		?= --target efi-app-$(ARCH)
+diff --git a/Makefile b/Makefile
+index 115e7f08c0f..a012c9f0d16 100644
+--- a/Makefile
++++ b/Makefile
+@@ -189,11 +189,13 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ 	$(error objcopy >= 2.24 is required)
+ endif
+-	$(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
++	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ 		-j .dynamic -j .dynsym -j .rel* \
+ 		-j .rela* -j .reloc -j .eh_frame \
+ 		-j .vendor_cert \
+ 		$(FORMAT) $^ $@
++	# I am tired of wasting my time fighting binutils timestamp code.
++	dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
+ 
+ ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+ %.hash : %.efi
+@@ -204,7 +206,7 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ 	$(error objcopy >= 2.24 is required)
+ endif
+-	$(OBJCOPY) -j .text -j .sdata -j .data \
++	$(OBJCOPY) -D -j .text -j .sdata -j .data \
+ 		-j .dynamic -j .dynsym -j .rel* \
+ 		-j .rela* -j .reloc -j .eh_frame \
+ 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
+-- 
+2.20.1
+
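Review bot: The `dd` step in Makefile zeroes four bytes at a fixed `TIMESTAMP_LOCATION` (136 or 72, set in Make.defaults) with nothing stating what those offsets are or checking that the field really sits there in `$@`. They look like the COFF TimeDateStamp position (PE header offset plus 8) for the current header layouts, but a linker or layout change would make this silently overwrite other bytes in a binary that is later signed. I would document the assumption next to the assignments, for example `# File offset of the COFF TimeDateStamp field (PE header offset + 8)`, and note in the recipe comment that the `objdump -x ... | grep 'Time/Date'` check from the commit message is how to verify it. The debug-binary rule gains `-D` but no `dd`, which is presumably intentional and could be said in the same comment.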
diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl
deleted file mode 100644
index c0815a7..0000000
Binary files a/SOURCES/centos.esl and /dev/null differ
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index d43865d..c42bf48 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,20 +1,22 @@
 Name:           shim
 Version:        15
-Release:        2%{?dist}
+Release:        5%{?dist}
 Summary:        First-stage UEFI bootloader
 
 License:        BSD
 URL:            http://www.codon.org.uk/~mjg59/shim/
 Source0:        https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-#Source1:        centos.crt
+Source1:        securebootca.cer
 # currently here's what's in our dbx: # nothing.
 #Source2:       dbx-x64.esl
 #Source3:       dbx-aa64.esl
 Source4:        shim-find-debuginfo.sh
-Source5:	centos.esl
 
-Patch0:		0001-Add-vendor-esl.patch
-Patch1:		0002-MokListRT-Fatal.patch
+Patch0001:      0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
+Patch0002:      0002-mok-fix-the-mirroring-of-RT-variables.patch
+Patch0003:      0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
+Patch0004:      0004-Make-VLogError-behave-as-expected.patch
+Patch0005:      0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
 
 BuildRequires: git openssl-devel openssl
 BuildRequires: pesign >= 0.106-1
@@ -122,8 +124,8 @@ git config --unset user.name
 %endif
 
 %build
-COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit)
-MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}"
+COMMIT_ID=$(cat %{name}-%{version}-%{efiarch}/commit)
+MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMIT_ID=${COMMIT_ID}"
 %ifarch aarch64
 if [ -f "%{SOURCE1}" ]; then
         MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
@@ -131,10 +133,6 @@ fi
 if [ -f "%{SOURCE3}" ]; then
         MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
 fi
-if [ -f "%{SOURCE5}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
-fi
-
 %else
 if [ -f "%{SOURCE1}" ]; then
         MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
@@ -142,17 +140,13 @@ fi
 if [ -f "%{SOURCE2}" ]; then
         MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-if [ -f "%{SOURCE5}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
-fi
-
 %endif
 cd %{name}-%{version}-%{efiarch}
 make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi
 
 %ifarch x86_64
 cd ../%{name}-%{version}-ia32
-setarch linux32 -B make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi
+setarch linux32 make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi
 cd ../%{name}-%{version}-%{efiarch}
 %endif
 
@@ -229,12 +223,23 @@ cd ../%{name}-%{version}-%{efiarch}
 %endif
 
 %changelog
-* Thu Dec 06 2018 Fabian Arrotin <arrfab@centos.org> - 15-2.el7.centos
--  0002-MokListRT-Fatal.patch (https://github.com/rhboot/shim/pull/157) (#15522)
-
-* Tue Oct 30 2018 Fabian Arrotin <arrfab@centos.org> - 15-1.el7.centos
-- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk)
-- Rebuilt with combined centos.esl (so new and previous crt) 
+* Mon Mar 18 2019 Peter Jones <pjones@redhat.com> - 15-5
+- Fix a couple more things that are breaking reproducability, and thus
+  breaking external review.
+  Related: rhbz#1649270
+
+* Fri Mar 15 2019 Peter Jones <pjones@redhat.com> - 15-4
+- Fight with binutils to try to get a binary without timestamps in it.
+  Again, but without breaking aarch64 this time.
+  Related: rhbz#1649270
+
+* Fri Mar 15 2019 Peter Jones <pjones@redhat.com> - 15-3
+- Fight with binutils to try to get a binary without timestamps in it.  Again.
+  Related: rhbz#1649270
+
+* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
+- Fix MoK mirroring issue which breaks kdump without intervention
+  Related: rhbz#1649270
 
 * Mon Jun 18 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15