diff --git a/shim.c b/shim.c
index 23dd0ee..dcb36d0 100644
--- a/shim.c
+++ b/shim.c
@@ -670,13 +670,12 @@ static EFI_STATUS verify_mok (void) {
 status = get_variable_attr(L"MokList", &MokListData, &MokListDataSize, shim_lock_guid, &attributes);
- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+ if (!EFI_ERROR(status) && attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
 Print(L"MokList is compromised!\nErase all keys in MokList!\n");
 if (LibDeleteVariable(L"MokList", &shim_lock_guid) != EFI_SUCCESS) {
 Print(L"Failed to erase MokList\n");
+ return EFI_ACCESS_DENIED;
 }
- status = EFI_ACCESS_DENIED;
- return status;
 }
 if (MokListData)
@@ -722,7 +721,9 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 /*
 * Check that the MOK database hasn't been modified
 */
- verify_mok();
+ status = verify_mok();
+ if (status != EFI_SUCCESS)
+ return status;
 /*
 * Ensure that the binary isn't blacklisted
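Review bot: In verify_mok, the new `!EFI_ERROR(status)` guard makes every get_variable_attr failure skip the runtime-access check, not only the case where MokList does not exist. A read that fails for any other reason is then indistinguishable from a clean MokList, so the check fails open; assuming a missing variable is the only benign case, handle it explicitly before the attribute test, e.g. `if (EFI_ERROR(status)) return status == EFI_NOT_FOUND ? EFI_SUCCESS : status;`. Separately, the added `return EFI_ACCESS_DENIED;` leaves before the `if (MokListData)` at the end of the hunk, which looks like the cleanup for the buffer; the rest of the function is outside the hunk, so confirm whether that path leaks. Writing the test as `(attributes & EFI_VARIABLE_RUNTIME_ACCESS)` in parentheses would also make the precedence next to `&&` obvious.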
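Review bot: In verify_buffer, the comment above the call still only says the MOK database is checked, although the result now gates everything that follows. I would extend it to something like `Check that the MOK database hasn't been modified; any non-success status aborts verification`. The comparison is `status != EFI_SUCCESS` where verify_mok uses `EFI_ERROR()`, so warning statuses are rejected here as well; that is the fail-closed choice and worth stating in the comment so a later cleanup does not relax it. verify_buffer's body starts and ends outside the hunk.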