diff --git a/.gitignore b/.gitignore
index 586bc24..d0d9129 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 certdb
 shim_cert.h
 *.a
+*.CSV
 *.cer
 *.crl
 *.crt
diff --git a/BUILDING b/BUILDING
new file mode 100644
index 0000000..3609b5b
--- /dev/null
+++ b/BUILDING
@@ -0,0 +1,56 @@
+It's pretty straightforward:
+
+cp $MY_DER_ENCODED_CERT pub.cer
+make VENDOR_CERT_FILE=pub.cer
+make EFIDIR=my_esp_dir_name install
+
+There are a couple of ways to customize the build:
+
+Install targets:
+- install
+ installs shim as if to a hard drive, including installing MokManager and
+ fallback appropriately.
+- install-as-data
+ installs shim files to /usr/share/shim/$(EFI_ARCH)-$(VERSION)/
+
+Variables you should set to customize the build:
+- EFIDIR
+ This is the name of the ESP directory. The install targets won't work
+ without it.
+- DESTDIR
+ This will be prepended to any install targets, so you don't have to
+ install to a live root directory.
+- DEFAULT_LOADER
+ defaults to \\\\grub$(EFI_ARCH).efi , but you could set it to whatever.
+ Be careful with the leading backslashes, they can be hard to get
+ correct.
+
+Variables you could set to customize the build:
+- ENABLE_HTTPBOOT
+ build support for http booting
+- ARCH
+ This allows you to do a build for a different arch that we support. For
+ instance, on x86_64 you could do "setarch linux32 make ARCH=ia32" to get
+ the ia32 build instead. (DEFAULT_LOADER will be automatically adjusted
+ in that case.)
+- TOPDIR
+ You can use this along with make -f to build in a subdir. For instance,
+ on an x86_64 machine you could do:
+
+ mkdir build-ia32 build-x64 inst
+ cd build-ia32
+ setarch linux32 make TOPDIR=.. ARCH=ia32 -f ../Makefile
+ setarch linux32 make TOPDIR=.. ARCH=ia32 \
+ DESTDIR=../inst EFIDIR=debian \
+ -f ../Makefile install
+ cd ../build-x64
+ make TOPDIR=.. -f ../Makefile
+ make TOPDIR=.. DESTDIR=../inst EFIDIR=debian \
+ -f ../Makefile install
+
+ That would get you x86_64 and ia32 builds in the "inst" subdir.
+- OSLABEL
+ This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
+ By default this is the same value as EFIDIR .
+
+# vim:filetype=mail:tw=74
diff --git a/Makefile b/Makefile
index 219d0c0..79140a3 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,8 @@ VERSION = 12 -RELEASE := -ifneq ($(RELEASE),"") - RELEASE:="-$(RELEASE)" +ifneq ($(origin RELEASE),undefined) +DASHRELEASE ?= -$(RELEASE) +else +DASHRELEASE ?= endif ifeq ($(MAKELEVEL),0) @@ -10,18 +11,27 @@ endif override TOPDIR := $(abspath $(TOPDIR)) VPATH = $(TOPDIR) - CC = $(CROSS_COMPILE)gcc LD = $(CROSS_COMPILE)ld OBJCOPY = $(CROSS_COMPILE)objcopy OPENSSL ?= openssl HEXDUMP ?= hexdump +INSTALL ?= install PK12UTIL ?= pk12util CERTUTIL ?= certutil PESIGN ?= pesign +prefix ?= /usr +prefix := $(abspath $(prefix)) +datadir ?= $(prefix)/share/ +ESPROOTDIR ?= boot/efi/ +EFIBOOTDIR ?= $(ESPROOTDIR)EFI/BOOT/ +TARGETDIR ?= $(ESPROOTDIR)EFI/$(EFIDIR)/ +DATATARGETDIR ?= $(datadir)/$(PKGNAME)/$(VERSION)$(DASHRELEASE)/$(ARCH_SUFFIX)/ +OSLABEL ?= $(EFIDIR) +DEFAULT_LOADER := \\\\grub.efi ARCH ?= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) -OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24) +OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24) SUBDIRS = $(TOPDIR)/Cryptlib $(TOPDIR)/lib @@ -36,7 +46,6 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = $(TOPDIR)/elf_$(ARCH)_efi.lds -DEFAULT_LOADER := \\\\grub.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ -Werror=sign-compare -ffreestanding -std=gnu89 \ @@ -44,9 +53,6 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) -SHIMNAME = shim -MMNAME = MokManager -FBNAME = fallback COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi) 
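Review bot: `DASHRELEASE ?= -$(RELEASE)` produces a bare trailing dash whenever RELEASE is defined but empty (`make RELEASE=` or an exported empty variable), because `$(origin RELEASE)` is then "command line" or "environment" rather than undefined, and that dash lands in every path built from `$(VERSION)$(DASHRELEASE)` (DEBUGDIR and DATATARGETDIR become `.../12-/`). Testing the value instead of the origin removes the branch as well: `DASHRELEASE ?= $(if $(strip $(RELEASE)),-$(RELEASE))`. The removed `ifneq ($(RELEASE),"")` compared against two literal quote characters, so the hunk does fix a real bug; a short comment such as `# DASHRELEASE is "-$(RELEASE)" or empty; spliced into install and debug paths` would record why the variable exists.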
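Review bot: `DATATARGETDIR ?= $(datadir)/$(PKGNAME)/$(VERSION)$(DASHRELEASE)/$(ARCH_SUFFIX)/` disagrees with the two other places this commit spells the data-directory layout: BUILDING documents install-as-data as `/usr/share/shim/$(EFI_ARCH)-$(VERSION)/`, and the DEBUGDIR define added later in the Makefile uses `$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/`, so the debug path compiled into the binary does not point at where install-as-data puts the files. `PKGNAME` is not assigned in any visible hunk; unless it is set elsewhere in the Makefile it expands to nothing and the path becomes `/usr/share//12/x64/`. `datadir ?= $(prefix)/share/` also carries a trailing slash that DATATARGETDIR follows with another `/`; `datadir ?= $(prefix)/share` keeps the joined path clean. Since `?=` accepts values from the environment, an exported `prefix` or `datadir` silently relocates the install tree, which is worth a one-line comment on these knobs.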
@@ -60,38 +66,56 @@ endif ifeq ($(ARCH),x86_64) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ - -maccumulate-outgoing-args \ - -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ - -DNO_BUILTIN_VA_FUNCS \ - -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" - MMNAME = mmx64 - FBNAME = fbx64 - SHIMNAME= shimx64 - EFI_PATH:=/usr/lib64/gnuefi - LIB_PATH:=/usr/lib64 - + -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ + -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096 + LIBDIR ?= $(prefix)/lib64 + ARCH_SUFFIX ?= x64 + ARCH_SUFFIX_UPPER ?= X64 endif ifeq ($(ARCH),ia32) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ - -maccumulate-outgoing-args -m32 \ - -DMDE_CPU_IA32 "-DEFI_ARCH=L\"ia32\"" -DPAGE_SIZE=4096 \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\"" - MMNAME = mmia32 - FBNAME = fbia32 - SHIMNAME= shimia32 - EFI_PATH:=/usr/lib/gnuefi - LIB_PATH:=/usr/lib + -maccumulate-outgoing-args -m32 \ + -DMDE_CPU_IA32 -DPAGE_SIZE=4096 + LIBDIR ?= $(prefix)/lib + ARCH_SUFFIX ?= ia32 + ARCH_SUFFIX_UPPER ?= IA32 endif ifeq ($(ARCH),aarch64) - CFLAGS += -DMDE_CPU_AARCH64 "-DEFI_ARCH=L\"aa64\"" -DPAGE_SIZE=4096 \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\"" - MMNAME = mmaa64 - FBNAME = fbaa64 - SHIMNAME= shimaa64 - EFI_PATH:=/usr/lib64/gnuefi - LIB_PATH:=/usr/lib64 + CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 + LIBDIR ?= $(prefix)/lib64 + ARCH_SUFFIX ?= aa64 + ARCH_SUFFIX_UPPER ?= AA64 + FORMAT := -O binary + SUBSYSTEM := 0xa + LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) endif +ifeq ($(ARCH),arm) + CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 + LIBDIR ?= $(prefix)/lib + ARCH_SUFFIX ?= arm + ARCH_SUFFIX_UPPER ?= ARM + FORMAT := -O binary + SUBSYSTEM := 0xa + LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + +FORMAT ?= --target efi-app-$(ARCH) +EFI_PATH ?= $(LIBDIR)/gnuefi + +MMSTEM ?= 
mm$(ARCH_SUFFIX) +MMNAME = $(MMSTEM).efi +MMSONAME = $(MMSTEM).so +FBSTEM ?= fb$(ARCH_SUFFIX) +FBNAME = $(FBSTEM).efi +FBSONAME = $(FBSTEM).so +SHIMSTEM ?= shim$(ARCH_SUFFIX) +SHIMNAME = $(SHIMSTEM).efi +SHIMSONAME = $(SHIMSTEM).so +BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI +BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV + +CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\"" ifneq ($(origin VENDOR_CERT_FILE), undefined) CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" @@ -100,9 +124,11 @@ ifneq ($(origin VENDOR_DBX_FILE), undefined) CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" endif -LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 +LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 -TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed +TARGETS = $(SHIMNAME) +TARGETS += $(MMNAME).signed $(FBNAME).signed +TARGETS += $(MMNAME) $(FBNAME) OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer ORIG_SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.h 
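Review bot: `LIBDIR ?= $(prefix)/lib64` and the other `?=` assignments inside the per-arch blocks leave the variable untouched when it is already set, including from the environment, so an exported LIBDIR makes `$(origin LIBDIR)` "environment" and the `ifeq ($(origin LIBDIR),undefined)` test in the new install-check target no longer detects an unsupported ARCH; ARCH_SUFFIX is then empty, the install names collapse to `BOOT.EFI` and `BOOT.CSV`, and the `-L$(LIBDIR)` added to LDFLAGS in the following hunk points wherever the environment says. Guard on the architecture rather than on a side-effect variable, e.g. in install-check `ifeq ($(filter x86_64 ia32 aarch64 arm,$(ARCH)),)`, or use `:=` for LIBDIR and ARCH_SUFFIX inside the blocks and reserve `?=` for knobs meant to be overridden. Deriving `EFI_PATH ?= $(LIBDIR)/gnuefi` from the install `prefix` also means `make prefix=/usr/local install` looks for crt0 and the gnu-efi libraries under /usr/local/lib64, which replaces the previous fixed `/usr/lib64/gnuefi`; if that coupling is intended, say so in a comment, otherwise give the toolchain search path its own variable. The hunk opens on the `endif` of an earlier conditional whose start is outside the hunk.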
@@ -120,7 +146,7 @@ SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source)) FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) -all: $(TARGET) +all: $(TARGETS) shim.crt: $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 $@ + +install-check : +ifeq ($(origin LIBDIR),undefined) + $(error Architecture $(ARCH) is not a supported build target.) +endif +ifeq ($(origin EFIDIR),undefined) + $(error EFIDIR must be set to your reserved EFI System Partition subdirectory name) endif -ifeq ($(ARCH),arm) -FORMAT := -O binary -SUBSYSTEM := 0xa -LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) -endif +install-deps : $(TARGETS) +install-deps : $(BOOTCSVNAME) -FORMAT ?= --target efi-app-$(ARCH) +install : | install-check +install : install-deps + $(INSTALL) -d -m 0755 $(DESTDIR)/ + $(INSTALL) -d -m 0700 $(DESTDIR)/$(ESPROOTDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)/$(EFIBOOTDIR) + $(INSTALL) -d -m 0755 $(DESTDIR)/$(TARGETDIR) + $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(EFIBOOTDIR)/$(BOOTEFINAME) + $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(TARGETDIR)/ + $(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(TARGETDIR)/ + $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(FBNAME) + $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(EFIBOOTDIR)/$(MMNAME) + $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(TARGETDIR)/$(MMNAME) + $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(EFIBOOTDIR)/ + $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(EFIBOOTDIR)/ + $(INSTALL) -m 0644 $(MMNAME) $(DESTDIR)/$(TARGETDIR)/ + +install-as-data : install-deps + $(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR) + $(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/ + $(INSTALL) -m 0644 $(MMNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(MMNAME) + $(INSTALL) -m 0644 $(FBNAME).signed $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME) + $(INSTALL) -m 0644 $(MMNAME) 
$(DESTDIR)/$(DATATARGETDIR)/$(MMNAME) + $(INSTALL) -m 0644 $(FBNAME) $(DESTDIR)/$(DATATARGETDIR)/$(FBNAME) %.efi: %.so ifneq ($(OBJCOPY_GTE224),1) @@ -243,4 +299,6 @@ archive: tag @rm -rf /tmp/shim-$(VERSION) @echo "The archive is in shim-$(VERSION).tar.bz2" +.PHONY : install-deps + export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/README b/README index bfc2d5c..ec9403a 100644 --- a/README +++ b/README @@ -18,3 +18,6 @@ loading. A full list is in the file README.tpm . To use shim, simply place a DER-encoded public certificate in a file such as pub.cer and build with "make VENDOR_CERT_FILE=pub.cer". + +There are a couple of build options, and a couple of ways to customize the +build, described in BUILDING.
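Review bot: In the new `install` recipe the last three `$(INSTALL)` lines copy the unsigned `$(FBNAME)` and `$(MMNAME)` onto exactly the paths the three lines before them just filled from `$(FBNAME).signed` and `$(MMNAME).signed` (`$(EFIBOOTDIR)/$(FBNAME)`, `$(EFIBOOTDIR)/$(MMNAME)`, `$(TARGETDIR)/$(MMNAME)`), so the signed binaries never survive the install; `install-as-data` repeats the pattern for `$(DATATARGETDIR)/$(MMNAME)` and `$(DATATARGETDIR)/$(FBNAME)`. On a Secure Boot system that decides whether MokManager and fallback pass shim's verification, so the two sets must be mutually exclusive: keep only the `.signed` copies, or put the signed and unsigned lines in an `ifneq`/`else`/`endif` keyed on a variable the builder sets. `install-deps : $(BOOTCSVNAME)` names a file for which no rule is visible in this diff; if it is produced elsewhere in the Makefile that is fine, otherwise `make install` fails before the recipe runs. The `@@` header for this hunk is not visible in the collapsed text, so its exact extent is inferred.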
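Review bot: `.PHONY : install-deps` covers only the aggregator; the `install`, `install-check` and `install-as-data` targets introduced earlier in this diff are not declared phony in any visible hunk, so a stray file named `install` or `install-check` in the build directory makes `make install` report nothing to be done without copying anything. `install-check` in particular has a recipe whose only job is to fail, so it should never be treated as up to date. Extend the line to `.PHONY : install-deps install-check install install-as-data`. If a `.PHONY` line outside this diff already lists them, this point is moot.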