diff --git a/include/pe.h b/include/pe.h
index 7f2236e..79bf440 100644
--- a/include/pe.h
+++ b/include/pe.h
@@ -14,6 +14,9 @@ EFI_STATUS
 read_header(void *data, unsigned int datasize,
 	    PE_COFF_LOADER_IMAGE_CONTEXT *context);
 
+EFI_STATUS
+handle_sbat(char *SBATBase, size_t SBATSize);
+
 EFI_STATUS
 handle_image (void *data, unsigned int datasize,
 	      EFI_LOADED_IMAGE *li,
diff --git a/include/sbat.h b/include/sbat.h
index 9230b58..ffde202 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -6,6 +6,8 @@
 #ifndef SBAT_H_
 #define SBAT_H_
 
+extern UINTN _sbat, _esbat;
+
 struct sbat_var {
 	const CHAR8 *component_name;
 	const CHAR8 *component_generation;
diff --git a/pe.c b/pe.c
index d9c65a6..d1c105e 100644
--- a/pe.c
+++ b/pe.c
@@ -823,7 +823,7 @@ read_header(void *data, unsigned int datasize,
 	return EFI_SUCCESS;
 }
 
-static EFI_STATUS
+EFI_STATUS
 handle_sbat(char *SBATBase, size_t SBATSize)
 {
 	unsigned int i;
diff --git a/shim.c b/shim.c
index 749b6ec..765c925 100644
--- a/shim.c
+++ b/shim.c
@@ -1858,12 +1858,14 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 		L"import_mok_state() failed",
 		L"shim_init() failed",
 		L"import of SBAT data failed",
+		L"SBAT self-check failed",
 		NULL
 	};
 	enum {
 		IMPORT_MOK_STATE,
 		SHIM_INIT,
 		IMPORT_SBAT,
+		SBAT_SELF_CHECK,
 	} msg = IMPORT_MOK_STATE;
 
 	/*
@@ -1908,6 +1910,19 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 		goto die;
 	}
 
+	if (secure_mode ()) {
+		char *sbat_start = (char *)&_sbat;
+		char *sbat_end = (char *)&_esbat;
+
+		efi_status = handle_sbat(sbat_start, sbat_end - sbat_start);
+		if (EFI_ERROR(efi_status)) {
+			perror(L"Verifiying shim SBAT data failed: %r\n",
+			       efi_status);
+			msg = SBAT_SELF_CHECK;;
+			goto die;
+		}
+	}
+
 	init_openssl();
 
 	/*
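Review bot: The `handle_sbat` prototype this hunk exports carries no statement of its contract, and the definition that the pe.c hunk below makes non-static has none either; now that shim.c calls it on a linker-provided range, the header should say what the two arguments are and what a non-EFI_SUCCESS return means. Something like `/* Parse the SBAT data at SBATBase (SBATSize bytes) and check it; returns EFI_SUCCESS only when it is acceptable. */` above the declaration, with the exact failure statuses taken from the definition, which is outside this diff. The diff does not show whether handle_sbat writes through SBATBase, so whether the first parameter could become `const char *` is for the definition to decide.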
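Review bot: `extern UINTN _sbat, _esbat;` declares two symbols whose definitions are not in this diff (presumably the linker script places them at the start and end of the .sbat section), and nothing at the declaration says that only their addresses are meaningful; the shim.c hunk takes `&_sbat` and `&_esbat` and never reads the values. A comment such as `/* Linker-provided markers for the start and end of the .sbat section: take their addresses, never read them as integers. */` would keep a future caller from using them as UINTN values. Leading-underscore identifiers at file scope are also reserved for the implementation by the C standard, so if these names are ever revisited a prefix such as `shim_sbat_start` would avoid that.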
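Review bot: The message table and the enum that indexes it are kept in step only by position, so the new `L"SBAT self-check failed"` string and the `SBAT_SELF_CHECK` enumerator must be added at the same offset in both; this hunk does that correctly, but nothing enforces it for the next addition. Declaring the enum before the table and writing the table with designated initializers (`[SBAT_SELF_CHECK] = L"SBAT self-check failed",`) would make the pairing explicit and a misplaced entry obvious at a glance. That reordering touches lines outside this hunk; efi_main itself begins before it.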
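Review bot: `msg = SBAT_SELF_CHECK;;` has a stray second semicolon, and the user-visible message passed to perror misspells "Verifying" (`L"Verifiying shim SBAT data failed: %r\n"`); fix them to `msg = SBAT_SELF_CHECK;` and `L"Verifying shim SBAT data failed: %r\n"`. The length handed to handle_sbat is `sbat_end - sbat_start` with no check that the range is non-empty, so an empty or mis-ordered .sbat section (the linker script is not in this diff) would pass 0 or a wrapped size_t into the parser; whether handle_sbat rejects that is outside the hunk, and an `if (sbat_end <= sbat_start) { efi_status = EFI_INVALID_PARAMETER; msg = SBAT_SELF_CHECK; goto die; }` guard before the call would make the failure explicit here. The self-check runs only under secure_mode(), which is presumably intentional since SBAT enforcement is tied to Secure Boot; a one-line comment stating that would spare the next reader the question. efi_main continues past the end of the hunk.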