diff --git a/Makefile b/Makefile
index 39ca7bf..6f4adf1 100644
--- a/Makefile
+++ b/Makefile
@@ -68,9 +68,6 @@ shim.o: $(SOURCES) shim_cert.h
 cert.o : cert.S
 $(CC) $(CFLAGS) -c -o $@ $<

-dbx.o : dbx.S
- $(CC) $(CFLAGS) -c -o $@ $<
-
 shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
 $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)

diff --git a/cert.S b/cert.S
index 66a05b8..3cfd665 100644
--- a/cert.S
+++ b/cert.S
@@ -1,36 +1,67 @@
+ .globl cert_table
+ .data
+ .align 16
+ .type cert_table, @object
+ .size cert_table, 4
+ .section .vendor_cert, "a", @progbits
+cert_table:
 #if defined(VENDOR_CERT_FILE)
- .globl vendor_cert_size
- .data
- .align 1
- .type vendor_cert_size, @object
- .size vendor_cert_size, 4
- .section .vendor_cert, "a", @progbits
-vendor_cert_size:
- .long .L0 - vendor_cert
- .globl vendor_cert
- .data
- .align 1
- .type vendor_cert, @object
- .size vendor_cert, .L0-vendor_cert
- .section .vendor_cert, "a", @progbits
-vendor_cert:
-.incbin VENDOR_CERT_FILE
-.L0:
+ .long vendor_cert_priv_end - vendor_cert_priv
 #else
- .globl vendor_cert
- .bss
- .type vendor_cert, @object
- .size vendor_cert, 1
- .section .vendor_cert, "a", @progbits
-vendor_cert:
- .zero 1
-
- .globl vendor_cert_size
- .data
- .align 4
- .type vendor_cert_size, @object
- .size vendor_cert_size, 4
- .section .vendor_cert, "a", @progbits
-vendor_cert_size:
 .long 0
 #endif
+#if defined(VENDOR_DBX_FILE)
+ .long vendor_dbx_priv_end - vendor_dbx_priv
+#else
+ .long 0
+#endif
+ .long vendor_cert_priv - cert_table
+ .long vendor_dbx_priv - cert_table
+#if defined(VENDOR_CERT_FILE)
+ .data
+ .align 1
+ .type vendor_cert_priv, @object
+ .size vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv
+ .section .vendor_cert, "a", @progbits
+vendor_cert_priv:
+.incbin VENDOR_CERT_FILE
+vendor_cert_priv_end:
+#else
+ .bss
+ .type vendor_cert_priv, @object
+ .size vendor_cert_priv, 1
+ .section .vendor_cert, "a", @progbits
+vendor_cert_priv:
+ .zero 1
+
+ .data
+ .align 4
+ .type vendor_cert_size_priv, @object
+ .size vendor_cert_size_priv, 4
+ .section .vendor_cert, "a", @progbits
+vendor_cert_priv_end:
+#endif
+#if defined(VENDOR_DBX_FILE)
+ .data
+ .align 1
+ .type vendor_dbx_priv, @object
+ .size vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv
+ .section .vendor_cert, "a", @progbits
+vendor_dbx_priv:
+.incbin VENDOR_DBX_FILE
+vendor_dbx_priv_end:
+#else
+ .bss
+ .type vendor_dbx_priv, @object
+ .size vendor_dbx_priv, 1
+ .section .vendor_cert, "a", @progbits
+vendor_dbx_priv:
+ .zero 1
+
+ .data
+ .align 4
+ .type vendor_dbx_size_priv, @object
+ .size vendor_dbx_size_priv, 4
+ .section .vendor_cert, "a", @progbits
+vendor_dbx_priv_end:
+#endif
diff --git a/dbx.S b/dbx.S
deleted file mode 100644
index 7b19c5c..0000000
--- a/dbx.S
+++ /dev/null
@@ -1,36 +0,0 @@
-#if defined(VENDOR_DBX_FILE)
- .globl vendor_dbx_size
- .data
- .align 1
- .type vendor_dbx_size, @object
- .size vendor_dbx_size, 4
- .section .vendor_cert, "a", @progbits
-vendor_dbx_size:
- .long .L0 - vendor_dbx
- .globl vendor_dbx
- .data
- .align 1
- .type vendor_dbx, @object
- .size vendor_dbx, .L0-vendor_dbx
- .section .vendor_cert, "a", @progbits
-vendor_dbx:
-.incbin VENDOR_DBX_FILE
-.L0:
-#else
- .globl vendor_dbx
- .bss
- .type vendor_dbx, @object
- .size vendor_dbx, 1
- .section .vendor_cert, "a", @progbits
-vendor_dbx:
- .zero 1
-
- .globl vendor_dbx_size
- .data
- .align 4
- .type vendor_dbx_size, @object
- .size vendor_dbx_size, 4
- .section .vendor_cert, "a", @progbits
-vendor_dbx_size:
- .long 0
-#endif
diff --git a/shim.c b/shim.c
index f644f3f..a923e7e 100644
--- a/shim.c
+++ b/shim.c
@@ -63,10 +63,17 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8,
 /*
 * The vendor certificate used for validating the second stage loader
 */
-extern UINT8 vendor_cert[];
-extern UINT32 vendor_cert_size;
-extern UINT8 vendor_dbx[];
-extern UINT32 vendor_dbx_size;
+extern struct {
+ UINT32 vendor_cert_size;
+ UINT32 vendor_dbx_size;
+ UINT32 vendor_cert_offset;
+ UINT32 vendor_dbx_offset;
+} cert_table;
+
+UINT32 vendor_cert_size;
+UINT32 vendor_dbx_size;
+UINT8 *vendor_cert;
+UINT8 *vendor_dbx;

 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}

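Review bot: In cert.S, `.size cert_table, 4` records a 4-byte object although the table that follows emits four `.long` entries, so the symbol size should read `.size cert_table, 16`. The two `#else` branches also keep `.type`/`.size` directives for `vendor_cert_size_priv` and `vendor_dbx_size_priv`, names that no label in this hunk defines; they look like leftovers from the old size symbols and can be dropped. A short header comment stating that the four entries are cert size, dbx size, cert offset and dbx offset, with both offsets relative to `cert_table`, would keep this file and the struct in shim.c from drifting apart.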
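Review bot: The anonymous `cert_table` struct in the first shim.c hunk is a hand-kept mirror of the table emitted by cert.S, and nothing in the declaration says so. The comment above it still describes only the vendor certificate; I would extend it to something like `/* Layout must match cert_table in cert.S: two sizes, then two offsets relative to &cert_table. */`. The four new globals are filled in once by efi_main and stay writable afterwards; if no other translation unit refers to them (not visible from this hunk), declaring them `static` would limit which code can reassign the pointers used for verification.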
@@ -1493,6 +1500,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 UINTN verbose_check_size;
 EFI_GUID global_var = EFI_GLOBAL_VARIABLE;

+ vendor_cert_size = cert_table.vendor_cert_size;
+ vendor_dbx_size = cert_table.vendor_dbx_size;
+ vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
+ vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
+
 /*
 * Set up the shim lock protocol so that grub and MokManager can
 * call back in and use shim functions
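Review bot: The four assignments at the top of efi_main take the sizes and offsets from `cert_table` as they are, so a malformed table turns `vendor_cert` and `vendor_dbx` into pointers outside the `.vendor_cert` section before any signature check uses them. The table sits inside the signed image, so this presumably matters mostly for a bad build or for a tool that rewrites the section after the build, but the guard is cheap: refuse to continue when `cert_table.vendor_cert_offset < sizeof(cert_table)` (same for the dbx offset) or when offset plus size wraps a UINT32. A one-line comment saying that the offsets are relative to `&cert_table` would also help the next reader. The rest of efi_main lies outside the hunk, so how such an error should be reported there is not visible.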