diff --git a/MokVars.txt b/MokVars.txt
index d57fd87..64fe846 100644
--- a/MokVars.txt
+++ b/MokVars.txt
@@ -2,13 +2,13 @@ Variables used by Shim and Mokmanager
 
 Request variables:
 
-MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the 
-UCS-2 representation of the password. The user will be asked to 
-re-enter the password to confirm. If the hash of the entered password 
-matches the contents of MokPW, the user will be prompted to copy MokPW 
+MokPW: Set by MokUtil when setting a password. A SHA-256 hash of the
+UCS-2 representation of the password. The user will be asked to
+re-enter the password to confirm. If the hash of the entered password
+matches the contents of MokPW, the user will be prompted to copy MokPW
 into MokPWState. BS,RT,NV
 
-MokSB: Set by MokUtil when requesting a change in state of signature 
+MokSB: Set by MokUtil when requesting a change in state of signature
 validation. A packed structure as follows:
 
 typedef struct {
@@ -17,15 +17,15 @@ typedef struct {
         CHAR16 Password[PASSWORD_MAX];
 } __attribute__ ((packed)) MokSBvar;
 
-If MokSBState is 0, the user will be prompted to disable signature 
-validation. Otherwise, the user will be prompted to enable it. PWLen 
-is the length of the password, in characters. Password is a UCS-2 
-representation of the password. The user will be prompted to enter 
-three randomly chosen characters from the password. If successful, 
-they will then be prompted to change the signature validation 
+If MokSBState is 0, the user will be prompted to disable signature
+validation. Otherwise, the user will be prompted to enable it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
 according to MokSBState. BS,RT,NV
 
-MokDB: Set by MokUtil when requesting a change in state of validation 
+MokDB: Set by MokUtil when requesting a change in state of validation
 using db hashes and certs. A packed structure as follows:
 
 typedef struct {
@@ -34,28 +34,28 @@ typedef struct {
         CHAR16 Password[PASSWORD_MAX];
 } __attribute__ ((packed)) MokDBvar;
 
-If MokDBState is 0, the user will be prompted to disable usage of db for 
-validation. Otherwise, the user will be prompted to allow it. PWLen 
-is the length of the password, in characters. Password is a UCS-2 
-representation of the password. The user will be prompted to enter 
-three randomly chosen characters from the password. If successful, 
-they will then be prompted to change the signature validation 
+If MokDBState is 0, the user will be prompted to disable usage of db for
+validation. Otherwise, the user will be prompted to allow it. PWLen
+is the length of the password, in characters. Password is a UCS-2
+representation of the password. The user will be prompted to enter
+three randomly chosen characters from the password. If successful,
+they will then be prompted to change the signature validation
 according to MokDBState. BS,RT,NV
 
-MokNew: Set by MokUtil when requesting the addition or removal of keys 
-from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI 
+MokNew: Set by MokUtil when requesting the addition or removal of keys
+from MokList. Is an EFI_SIGNATURE_LIST as described in the UEFI
 specification. BS,RT,NV
 
-MokAuth: A hash dependent upon the contents of MokNew and the sealing 
-password. The user's password in UCS-2 form should be appended to the 
-contents of MokNew and a SHA-256 hash generated and stored in MokAuth. 
-The hash will be regenerated by MokManager after the user is requested 
-to enter their password to confirm enrolment of the keys. If the hash 
+MokAuth: A hash dependent upon the contents of MokNew and the sealing
+password. The user's password in UCS-2 form should be appended to the
+contents of MokNew and a SHA-256 hash generated and stored in MokAuth.
+The hash will be regenerated by MokManager after the user is requested
+to enter their password to confirm enrolment of the keys. If the hash
 matches MokAuth, the user will be prompted to enrol the keys. BS,RT,NV
 
 State variables:
 
-MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST 
+MokList: A list of whitelisted keys and hashes. An EFI_SIGNATURE_LIST
 as described in the UEFI specification. BS,NV
 
 MokListRT: A copy of MokList made available to the kernel at runtime. RT
@@ -65,15 +65,15 @@ as described in the UEFI specification. BS,NV
 
 MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
 
-MokSBState: An 8-bit unsigned integer. If 1, shim will switch to 
+MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
 insecure mode. BS,NV
 
-MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for 
+MokDBState: An 8-bit unsigned integer. If 1, shim will not use db for
 verification. BS,NV
 
 MokIgnoreDB: An 8-bit unsigned integer.  This allows the OS to query whether
 or not to import DB certs for its own verification purposes.
 
-MokPWStore: A SHA-256 representation of the password set by the user 
-via MokPW. The user will be prompted to enter this password in order 
+MokPWStore: A SHA-256 representation of the password set by the user
+via MokPW. The user will be prompted to enter this password in order
 to interact with MokManager.
diff --git a/README.tpm b/README.tpm
index 62308d5..fd2252d 100644
--- a/README.tpm
+++ b/README.tpm
@@ -24,7 +24,7 @@ PCR8:
 - If you're using the grub2 TPM patchset we cary in Fedora, the kernel command
   line and all grub commands (including all of grub.cfg that gets run) are
   measured into PCR8.
-  
+
 PCR9:
 - If you're using the grub2 TPM patchset we carry in Fedora, the kernel,
   initramfs, and any multiboot modules loaded are measured into PCR9.
diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds
index af3a071..1be23cb 100644
--- a/elf_x86_64_efi.lds
+++ b/elf_x86_64_efi.lds
@@ -8,8 +8,8 @@ SECTIONS
   ImageBase = .;
   .hash : { *(.hash) }	/* this MUST come first! */
   . = ALIGN(4096);
-  .eh_frame : 
-  { 
+  .eh_frame :
+  {
     *(.eh_frame)
   }
   . = ALIGN(4096);
diff --git a/include/configtable.h b/include/configtable.h
index 5e201fb..e44bbba 100644
--- a/include/configtable.h
+++ b/include/configtable.h
@@ -7,7 +7,7 @@
 
 typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;
 
-#define EFI_IMAGE_EXECUTION_AUTHENTICATION      0x00000007 
+#define EFI_IMAGE_EXECUTION_AUTHENTICATION      0x00000007
 #define EFI_IMAGE_EXECUTION_AUTH_UNTESTED       0x00000000
 #define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001
 #define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002
@@ -26,24 +26,24 @@ typedef struct {
   ///
   UINT32                        InfoSize;
   ///
-  /// If this image was a UEFI device driver (for option ROM, for example) this is the 
-  /// null-terminated, user-friendly name for the device. If the image was for an application, 
-  /// then this is the name of the application. If this cannot be determined, then a simple 
+  /// If this image was a UEFI device driver (for option ROM, for example) this is the
+  /// null-terminated, user-friendly name for the device. If the image was for an application,
+  /// then this is the name of the application. If this cannot be determined, then a simple
   /// NULL character should be put in this position.
   /// CHAR16                    Name[];
   ///
 
   ///
-  /// For device drivers, this is the device path of the device for which this device driver 
-  /// was intended. In some cases, the driver itself may be stored as part of the system 
-  /// firmware, but this field should record the device's path, not the firmware path. For 
-  /// applications, this is the device path of the application. If this cannot be determined, 
+  /// For device drivers, this is the device path of the device for which this device driver
+  /// was intended. In some cases, the driver itself may be stored as part of the system
+  /// firmware, but this field should record the device's path, not the firmware path. For
+  /// applications, this is the device path of the application. If this cannot be determined,
   /// a simple end-of-path device node should be put in this position.
   /// EFI_DEVICE_PATH_PROTOCOL  DevicePath;
   ///
 
   ///
-  /// Zero or more image signatures. If the image contained no signatures, 
+  /// Zero or more image signatures. If the image contained no signatures,
   /// then this field is empty.
   ///
   ///EFI_SIGNATURE_LIST            Signature;
@@ -54,14 +54,13 @@ typedef struct {
   ///
   /// Number of EFI_IMAGE_EXECUTION_INFO structures.
   ///
-  UINTN                     NumberOfImages; 
+  UINTN                     NumberOfImages;
   ///
   /// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.
   ///
   EFI_IMAGE_EXECUTION_INFO  InformationInfo[];
 } EFI_IMAGE_EXECUTION_INFO_TABLE;
 
-
 void *
 configtable_get_table(EFI_GUID *guid);
 EFI_IMAGE_EXECUTION_INFO_TABLE *
diff --git a/include/variables.h b/include/variables.h
index 0f2e17f..c65f062 100644
--- a/include/variables.h
+++ b/include/variables.h
@@ -26,7 +26,7 @@ CreatePkX509SignatureList (
   IN	UINT8			    *X509Data,
   IN	UINTN			    X509DataSize,
   IN	EFI_GUID		    owner,
-  OUT   EFI_SIGNATURE_LIST          **PkCert 
+  OUT   EFI_SIGNATURE_LIST          **PkCert
 			   );
 EFI_STATUS
 CreateTimeBasedPayload (
diff --git a/include/wincert.h b/include/wincert.h
index 5b6c1fb..9a5953a 100644
--- a/include/wincert.h
+++ b/include/wincert.h
@@ -8,28 +8,27 @@
 ///
 typedef struct {
   ///
-  /// The length of the entire certificate,  
-  /// including the length of the header, in bytes.                                
+  /// The length of the entire certificate,
+  /// including the length of the header, in bytes.
   ///
   UINT32  dwLength;
   ///
-  /// The revision level of the WIN_CERTIFICATE 
-  /// structure. The current revision level is 0x0200.                                   
+  /// The revision level of the WIN_CERTIFICATE
+  /// structure. The current revision level is 0x0200.
   ///
   UINT16  wRevision;
   ///
-  /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI      
-  /// certificate types. The UEFI specification reserves the range of 
-  /// certificate type values from 0x0EF0 to 0x0EFF.                          
+  /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI
+  /// certificate types. The UEFI specification reserves the range of
+  /// certificate type values from 0x0EF0 to 0x0EFF.
   ///
   UINT16  wCertificateType;
   ///
-  /// The following is the actual certificate. The format of   
+  /// The following is the actual certificate. The format of
   /// the certificate depends on wCertificateType.
   ///
   /// UINT8 bCertificate[ANYSIZE_ARRAY];
   ///
 } WIN_CERTIFICATE;
 
-
 #endif /* SHIM_WINCERT_H */
diff --git a/lib/configtable.c b/lib/configtable.c
index 3d0e1a8..8675fad 100644
--- a/lib/configtable.c
+++ b/lib/configtable.c
@@ -49,22 +49,22 @@ configtable_find_image(const EFI_DEVICE_PATH *DevicePath)
 		/* print what we have for debugging */
 		UINT8 *d = (UINT8 *)e; // + sizeof(UINT32)*2;
 		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
-		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); 
+		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
 		d += 16;
 		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
-		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); 
+		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
 		d += 16;
 		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
-		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); 
+		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
 		d += 16;
 		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
-		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); 
+		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
 		d += 16;
 		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
-		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); 
+		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
 		d += 16;
 		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
-		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); 
+		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
 #endif
 		CHAR16 *name = (CHAR16 *)(e->Data);
 		int skip = 0;
@@ -93,12 +93,12 @@ configtable_find_image(const EFI_DEVICE_PATH *DevicePath)
 		console_print(L"Device Path Size %d\n", Size);
 #endif
 		if (Size > e->InfoSize) {
-			/* parse error; the platform obviously has a 
+			/* parse error; the platform obviously has a
 			 * corrupted image table; bail */
 			console_print(L"Image Execution Information table corrupt\n");
 			break;
 		}
-		
+
 		if (CompareMem(dp, (void *)DevicePath, Size) == 0) {
 #ifdef DEBUG_CONFIG
 			console_print(L"***FOUND\n");
diff --git a/lib/execute.c b/lib/execute.c
index 40b4005..f57a632 100644
--- a/lib/execute.c
+++ b/lib/execute.c
@@ -49,7 +49,7 @@ generate_path(CHAR16* name, EFI_LOADED_IMAGE *li, EFI_DEVICE_PATH **path, CHAR16
 	if (name[0] != '\\')
 		StrCat(*PathName, L"\\");
 	StrCat(*PathName, name);
-	
+
 	*path = FileDevicePath(li->DeviceHandle, *PathName);
 
 error:
diff --git a/lib/security_policy.c b/lib/security_policy.c
index da3cdcd..6a9b13e 100644
--- a/lib/security_policy.c
+++ b/lib/security_policy.c
@@ -54,7 +54,7 @@ extern EFI_STATUS thunk_security_policy_authentication(
 	const EFI_SECURITY_PROTOCOL *This,
 	UINT32 AuthenticationStatus,
 	const EFI_DEVICE_PATH_PROTOCOL *DevicePath
-						       ) 
+						       )
 __attribute__((unused));
 
 extern EFI_STATUS thunk_security2_policy_authentication(
@@ -63,7 +63,7 @@ extern EFI_STATUS thunk_security2_policy_authentication(
 	VOID *FileBuffer,
 	UINTN FileSize,
 	BOOLEAN	BootPolicy
-						       ) 
+						       )
 __attribute__((unused));
 
 static __attribute__((used)) EFI_STATUS
@@ -106,7 +106,7 @@ security_policy_authentication (
 	)
 {
 	EFI_STATUS efi_status, fail_status;
-	EFI_DEVICE_PATH *DevPath 
+	EFI_DEVICE_PATH *DevPath
 		= DuplicateDevicePath((EFI_DEVICE_PATH *)DevicePathConst),
 		*OrigDevPath = DevPath;
 	EFI_HANDLE h;
diff --git a/testplan.txt b/testplan.txt
index 0b0569e..1b70e3e 100644
--- a/testplan.txt
+++ b/testplan.txt
@@ -27,7 +27,7 @@ How to test a new shim build for RHEL/fedora:
 	-c "Red Hat Test Certificate"
 9) copy grub.cfg to our test directory:
     cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/test/grub.cfg
-10) *move* \EFI\redhat\BOOT.CSV to \EFI\test 
+10) *move* \EFI\redhat\BOOT.CSV to \EFI\test
     rm -rf /boot/efi/EFI/BOOT/
     mkdir /boot/efi/EFI/BOOT/
     mv /boot/efi/EFI/redhat/BOOT.CSV /boot/efi/EFI/test/BOOT.CSV
@@ -73,7 +73,7 @@ How to test a new shim build for RHEL/fedora:
     removed ‘Boot0002-8be4df61-93ca-11d2-aa0d-00e098032b8c’
     removed ‘Boot2001-8be4df61-93ca-11d2-aa0d-00e098032b8c’
     removed ‘BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c’
-    [root@uefi efivars]# 
+    [root@uefi efivars]#
 25) reboot
 26) the system should run \EFI\BOOT\BOOTX64.EFI .  If it doesn't, you may just
     have an old machine.  In that case, go to the EFI shell and run: