diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 6d7dbfc165c..a68af31ac4b 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -797,7 +797,6 @@ EOF
   # calculated. Only for unofficial builds as official builds get signed later.
   if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
     do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
-    cleanup_sbsign_certs
   fi
 
   if [[ -n "${image_kernel}" ]]; then
@@ -904,7 +903,7 @@ sbsign_image() {
 
   "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
       mount "${disk_img}" "${root_fs_dir}"
-  trap "cleanup_mounts '${root_fs_dir}'; cleanup_sbsign_certs" EXIT
+  trap "cleanup_mounts '${root_fs_dir}'" EXIT
 
   # Sign the kernel with the shim-embedded key.
   do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
@@ -934,7 +933,6 @@ sbsign_image() {
   fi
 
   cleanup_mounts "${root_fs_dir}"
-  cleanup_sbsign_certs
   trap - EXIT
 
   if [[ -n "${pcr_policy}" ]]; then
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 61e2fc6fb83..03e33d2cfca 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -90,7 +90,6 @@ ESP_DIR=
 LOOP_DEV=
 
 cleanup() {
-    cleanup_sbsign_certs
     if [[ -d "${ESP_DIR}" ]]; then
         if mountpoint -q "${ESP_DIR}"; then
             sudo umount "${ESP_DIR}"
@@ -200,8 +199,8 @@ case "${FLAGS_target}" in
 
             # Unofficial build: Sign shim with our development key.
             sudo sbsign \
-                --key /usr/share/sb_keys/DB.key \
-                --cert /usr/share/sb_keys/DB.crt \
+                --key /usr/share/sb_keys/unofficial/DB.key \
+                --cert /usr/share/sb_keys/unofficial/DB.pem \
                 --output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
                 "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
         else
diff --git a/build_library/sbsign_util.sh b/build_library/sbsign_util.sh
index 4d7fcf22106..77587dec231 100644
--- a/build_library/sbsign_util.sh
+++ b/build_library/sbsign_util.sh
@@ -3,44 +3,23 @@
 # found in the LICENSE file.
 
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
-    SBSIGN_KEY="/usr/share/sb_keys/shim.key"
-    SBSIGN_CERT="/usr/share/sb_keys/shim.pem"
+    SBSIGN_KEY="/usr/share/sb_keys/unofficial/shim.key"
+    SBSIGN_CERT="/usr/share/sb_keys/unofficial/shim.pem"
 else
     SBSIGN_KEY="pkcs11:token=flatcar-sb-dev-hsm-sign-2025"
-    unset SBSIGN_CERT
+    SBSIGN_CERT="/usr/share/sb_keys/official/signing.pem"
 fi
 
-PKCS11_MODULE_PATH="/usr/$(get_sdk_libdir)/pkcs11/azure-keyvault-pkcs11.so"
+PKCS11_MODULE_PATH="$(pkg-config p11-kit-1 --variable p11_module_path)/azure-keyvault-pkcs11.so"
 
 PKCS11_ENV=(
+    AZURE_CORE_COLLECT_TELEMETRY=no
     AZURE_KEYVAULT_URL="https://flatcar-sb-dev-kv.vault.azure.net/"
     PKCS11_MODULE_PATH="${PKCS11_MODULE_PATH}"
     AZURE_KEYVAULT_PKCS11_DEBUG=1
 )
 
-get_sbsign_cert() {
-    if [[ ${SBSIGN_KEY} != pkcs11:* || -s ${SBSIGN_CERT-} ]]; then
-        return
-    fi
-
-    SBSIGN_CERT=$(mktemp -t signing-cert.XXXXXXXXXX.pem)
-    info "Fetching ${SBSIGN_KEY} from Azure"
-
-    # Needs Key Vault Reader role.
-    env "${PKCS11_ENV[@]}" p11-kit export-object \
-        --provider "${PKCS11_MODULE_PATH}" \
-        "${SBSIGN_KEY};type=cert" \
-        | tee "${SBSIGN_CERT}"
-}
-
-cleanup_sbsign_certs() {
-    if [[ ${SBSIGN_CERT-} == "${TMPDIR-/tmp}"/* ]]; then
-        rm -f -- "${SBSIGN_CERT}"
-    fi
-}
-
 do_sbsign() {
-    get_sbsign_cert
     info "Signing ${@:$#} with ${SBSIGN_KEY}"
 
     if [[ ${SBSIGN_KEY} == pkcs11:* ]]; then
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index 1a6950ea2f1..b0fd5879bec 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -863,7 +863,7 @@ _write_qemu_uefi_secure_conf() {
     local flash_rw="$(_dst_name "_efi_vars.qcow2")"
     local flash_ro="$(_dst_name "_efi_code.qcow2")"
     local script="$(_dst_dir)/$(_dst_name ".sh")"
-    local owner="00000000-0000-0000-0000-000000000000"
+    local owner=$(</usr/share/sb_keys/owner.txt)
     local flash_in
 
     _write_qemu_uefi_conf
@@ -886,7 +886,7 @@ _write_qemu_uefi_secure_conf() {
     virt-fw-vars \
         --input "${flash_in}" \
         --output "$(_dst_dir)/${flash_rw}" \
-        --add-db "${owner}" /usr/share/sb_keys/DB.crt \
+        --add-db "${owner}" /usr/share/sb_keys/unofficial/DB.pem \
         --add-db "${owner}" "${BUILD_LIBRARY_DIR}/flatcar-sb-dev-shim-2025.cert"
 
     sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
index f50820c9450..77f406af6f5 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
@@ -12,5 +12,4 @@ Generate the our shim certificates:
 ```
 openssl genrsa -out "shim.key" 2048
 openssl req -new -x509 -sha256 -subj "/CN=shim/" -key "shim.key" -out "shim.pem" -days 7300
-openssl x509 -in "shim.pem" -inform PEM -out "shim.der" -outform DER
 ```
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild
deleted file mode 100644
index 5080f9ec8c9..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright (c) 2015 CoreOS Inc.
-# Copyright (c) 2024 The Flatcar Maintainers.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DESCRIPTION="Flatcar Secure Boot keys"
-HOMEPAGE=""
-SRC_URI=""
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-S="${WORKDIR}"
-
-src_install() {
-  insinto /usr/share/sb_keys
-  newins "${FILESDIR}/DB.key" DB.key
-  newins "${FILESDIR}/DB.crt" DB.crt
-
-  # shim keys
-  newins "${FILESDIR}/shim.key" shim.key
-  newins "${FILESDIR}/shim.der" shim.der
-  newins "${FILESDIR}/shim.pem" shim.pem
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-2.0.0.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-2.0.0.ebuild
new file mode 100644
index 00000000000..2a6ffb79d37
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-2.0.0.ebuild
@@ -0,0 +1,60 @@
+# Copyright (c) 2015 CoreOS Inc.
+# Copyright (c) 2024 The Flatcar Maintainers.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Flatcar Secure Boot keys"
+HOMEPAGE="https://www.flatcar.org/"
+S="${WORKDIR}"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="amd64 arm64"
+
+BDEPEND="
+	app-emulation/virt-firmware
+	dev-libs/openssl
+"
+
+# Arbitrary value created for Flatcar.
+OWNER_GUID="4a974879-bf65-4eb8-b404-ac3a6141121e"
+
+src_compile() {
+	local TYPE
+	for TYPE in unofficial official; do
+		mkdir "${TYPE}" || die
+
+		# Gather all the shim vendor PEM certs into an array.
+		local FILES=( "${FILESDIR}/${TYPE}"/shim-*.pem )
+
+		# Rewrite the newest shim vendor PEM cert in a consistent PEM format,
+		# checking its validity. Only the newest is needed in PEM format for
+		# inserting into the kernel to verify the verity root hash at boot time.
+		openssl x509 -in "${FILES[-1]}" -inform PEM -out "${TYPE}"/shim.pem || die
+
+		local ARGS=() FILE
+		for FILE in "${FILES[@]}"; do
+			# Add each shim vendor PEM cert to the DER ESL creation below.
+			ARGS+=( --add-cert "${OWNER_GUID}" "${FILE}" )
+		done
+
+		# This ingests shim vendor PEM certs and outputs a combined DER ESL.
+		virt-fw-sigdb "${ARGS[@]}" --output "${TYPE}"/shim.esl || die
+	done
+
+	# Rewrite the official signing PEM cert in a consistent PEM format, checking
+	# its validity. Only the newest is needed in PEM format to sign the
+	# bootloader and the kernel image. Unofficial builds are already covered
+	# above because the shim vendor cert /is/ the signing cert, not a CA.
+	openssl x509 -in "${FILESDIR}"/official/signing.pem -inform PEM -out official/signing.pem || die
+}
+
+src_install() {
+	insinto /usr/share/sb_keys
+	newins - owner.txt <<< "${OWNER_GUID}"
+	doins -r unofficial official
+
+	insinto /usr/share/sb_keys/unofficial
+	doins "${FILESDIR}"/unofficial/{DB.{key,pem},shim.key}
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/official/shim-20241107.pem b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/official/shim-20241107.pem
new file mode 100644
index 00000000000..204b7b485d0
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/official/shim-20241107.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIRAINN27bWbE7vq1xOCROIuyMwDQYJKoZIhvcNAQELBQAw
+PTE7MDkGA1UEAxMyRmxhdGNhciBDb250YWluZXIgTGludXggU2VjdXJlIEJvb3Qg
+RGV2ZWxvcG1lbnQgQ0EwHhcNMjQxMTA3MTkwMjIyWhcNMzcwMTE5MDMxNDA3WjA9
+MTswOQYDVQQDEzJGbGF0Y2FyIENvbnRhaW5lciBMaW51eCBTZWN1cmUgQm9vdCBE
+ZXZlbG9wbWVudCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ5q
+pvNmeh7nGFp5k4WnsOnBct1DtRcgCPbKVNOs6tvmSiygkrnw4l6mR2FJr7JPl5IE
+IDttPQnotGYjKJhhEkYIcLUn91w8UAuq68iKfHcr3RKfD0u3ZzxqXzGrPaIcqbGl
+GQwFxtoFxwf8MOskyM3R1zIKKYKABpEZj8Nq7Y/1tYdqip63KygJ4NGs+qYkaPcX
+TlCh2rSZsc39kiGdASzHn0LsSU4IFFSLUQvNOO3DXwI0RCOrvl4KoyXtPRB33dUN
+H80A/bPXUe67GBhlZyzctJ+YDSXzkPZftlAgMB/+/rtxHCSJXgGFmm5smICW4yRT
+byKpnlp5apcc4x2TbQUCAwEAAaNjMGEwHwYDVR0jBBgwFoAUbfTa4PZ82LTaSzln
+iD0LyFf+h7AwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+BBYEFG302uD2fNi02ks5Z4g9C8hX/oewMA0GCSqGSIb3DQEBCwUAA4IBAQBPx4C1
+z5/eVwMTaDT2zo1qe+pqscMjZ1+TClQ+wK33tkHrvzfHtDnjgPDEM/rpHKucSoeS
+xAdFlXqnJja0MEWdCh4503/KWOxl4quQdQclVFlV6A6/f8kbCB2hzb2k5NMUPE2b
+Vg+wTOd22dm7HSeCsxkvAbtAQPDXLaBJ6dxGS7KEk3akHHIYqBSBbXEuhjgIcdJ2
+5mzUCAXJEpZ1J/nqQZsZD+Ugp7iMB3JV9xC01JNWMuMlGoeI1F6orssR6jU3aCjk
+jZjSnyqDINcqddkevpYWg+ffvg3ewQ4lMcFPwjGDxqPOCPZmAw/l7xd6LqFTq//C
+iAQ/ssvyzfqSgqWN
+-----END CERTIFICATE-----
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/official/signing.pem b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/official/signing.pem
new file mode 100644
index 00000000000..54cae7a1f36
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/official/signing.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELTCCAxWgAwIBAgICCSkwDQYJKoZIhvcNAQELBQAwPTE7MDkGA1UEAxMyRmxh
+dGNhciBDb250YWluZXIgTGludXggU2VjdXJlIEJvb3QgRGV2ZWxvcG1lbnQgQ0Ew
+HhcNMjUwMzIwMTE0ODIyWhcNMjgwMzIwMTE0ODIyWjBCMUAwPgYDVQQDEzdGbGF0
+Y2FyIENvbnRhaW5lciBMaW51eCBTZWN1cmUgQm9vdCBEZXZlbG9wbWVudCBTaWdu
+aW5nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAi4DQeJdbATc+6bXu
+fC45iOj+fuA9p/L7WvY0FoT4ohmynoaYgBzUXMV333H7Pzy1qknZ1Kz8A8c8nlp0
+BQOr0cnvoJhPt2lOP7EofCdylOBOfWPqP9l73pATp2/jJnUi+288eSTHBX6GgLqk
+PYceTjIxQWP6OzjP94ZCOBQnB6Ib4TaMbuylkz7vrog1JMPoGOdrSmZvaWqHebx5
+GaPwNOQzJAw6d4rFrphqso51r/Q4vxps+fMQZoJAMP4xT1SCIQO1kFt+3Q6MFi3m
+ztte5Y/Q46IvKEZaWU8K5umFnBaOWCDeFelV268TsvyrBBrCBB4Q5ooo2NiZESh4
+7fS1lT3Jcr8Unw3b2E91Y/hmGRDwrC+yp+7f51gRC3UIP5AsF1oX/nF+kD+mrhhg
+3gPtCXdx88ttaJBdOCMfdgoONvY8Yl1WlbjbC5pCEMK3/gV5SGCbvlAaqBkh6gvY
+dsFKMCbSHg/eD6PS3bgRtfcb1jCsIXGrzJRVi/Fgu0u9D9UylNkGkrvHQ0r1ffKM
+O7hlgooo9SLloU+4MLMHCujOQo978XIdsYy2DCiRQdD33LXEgQMGEcZvENIXkmFU
+Iujq32PMKc31P84JPGzyeUN3VkdUPww4HRwEcsfUFJ8b4xEEmAUi/+zqz5XCo3m1
+nh62zX/ByIyCmY56rgWFWmSON4UCAwEAAaMyMDAwCQYDVR0TBAIwADATBgNVHSUE
+DDAKBggrBgEFBQcDAzAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEB
+AGKZATREaf6bdjfYmrM0cKwlPcd9Bo95gX/uucRzLmAvgo5KftgFABhqNxQeb6g2
+mkz9EKCtYt8WPH7j914yXQLLes/nrqARPIV2n0IP5SxRDmDxhSl3jhStp97idGvv
+zS07tM7oHqPycwitfrJl0kbrIYXr5f2PyG2kANjPgoYHcl5KLnffv95XSokNhWFK
+17asGpHUrtOlOJm1mCgjpmiotYgMIGtKFMiKB8yFQRFRnyMb7uowkq/G9btDjW/7
+kVJwppmwXXL5qiAAzvFQcbBbWmiIwVXjb8OLO43dsB0znt+IMDf7itUiUCLSOjqQ
+z3S4t9QNWU6jp0RBwEQfI6g=
+-----END CERTIFICATE-----
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der
deleted file mode 100644
index 2194987d0f9..00000000000
Binary files a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der and /dev/null differ
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/DB.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/DB.key
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/DB.key
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/DB.key
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/DB.crt b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/DB.pem
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/DB.crt
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/DB.pem
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/shim-20231123.pem
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/shim-20231123.pem
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/shim.key
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/unofficial/shim.key
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild
deleted file mode 100644
index 10defae63cb..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r2.ebuild
+++ /dev/null
@@ -1,72 +0,0 @@
-# Copyright 2015 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-inherit multilib
-
-DESCRIPTION="UEFI Shim loader"
-HOMEPAGE="https://github.com/rhboot/shim"
-SRC_URI="https://github.com/rhboot/shim/releases/download/${PV}/shim-${PV}.tar.bz2"
-KEYWORDS="amd64 arm64"
-
-LICENSE="BSD"
-SLOT="0"
-IUSE="official"
-
-RDEPEND=""
-# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
-# currently the shim insists on using the bundled copy. This will need
-# to be addressed by patching this check out after making sure that
-# our copy of gnu-efi is as usable as the bundled one.
-DEPEND="
-  dev-libs/openssl
-  coreos-base/coreos-sb-keys
-"
-
-PATCHES=(
-	"${FILESDIR}/0001-Fix-parallel-build-of-gnu-efi.patch"
-)
-
-src_compile() {
-  local emake_args=(
-    CROSS_COMPILE="${CHOST}-"
-  )
-
-  sed -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${WORKDIR}/sbat.csv" || die
-
-  # Apparently our environment already has the ARCH variable in
-  # it, and Makefile picks it up instead of figuring it out
-  # itself with the compiler -dumpmachine flag. But also it
-  # expects a different format of the values. It wants x86_64
-  # instead of amd64, and aarch64 instead of arm64.
-  if use amd64; then
-    emake_args+=( ARCH=x86_64 )
-  elif use arm64; then
-    emake_args+=( ARCH=aarch64 )
-  fi
-  emake_args+=( ENABLE_SBSIGN=1 )
-  emake_args+=( SBATPATH="${WORKDIR}/sbat.csv" )
-
-  if use official; then
-    if [ -z "${SHIM_SIGNING_CERTIFICATE}" ]; then
-      die "use production flag needs env SHIM_SIGNING_CERTIFICATE"
-    fi
-    emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE}" )
-  else
-    emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
-  fi
-  emake "${emake_args[@]}" || die
-}
-
-src_install() {
-  local suffix
-  suffix=''
-  if use amd64; then
-    suffix=x64
-  elif use arm64; then
-    suffix=aa64
-  fi
-  insinto /usr/lib/shim
-  newins "shim${suffix}.efi" "shim${suffix}.efi"
-  newins "mm${suffix}.efi" "mm${suffix}.efi"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
new file mode 100644
index 00000000000..daf58253b98
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
@@ -0,0 +1,44 @@
+# Copyright 2015 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="UEFI Shim loader"
+HOMEPAGE="https://github.com/rhboot/shim"
+SRC_URI="https://github.com/rhboot/shim/releases/download/${PV}/shim-${PV}.tar.bz2"
+KEYWORDS="amd64 arm64"
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="official"
+
+# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
+# currently the shim insists on using the bundled copy. This will need
+# to be addressed by patching this check out after making sure that
+# our copy of gnu-efi is as usable as the bundled one.
+DEPEND="
+	dev-libs/openssl
+"
+BDEPEND="
+	coreos-base/coreos-sb-keys
+"
+
+PATCHES=(
+	"${FILESDIR}/0001-Fix-parallel-build-of-gnu-efi.patch"
+)
+
+src_compile() {
+	sed -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${WORKDIR}/sbat.csv" || die
+
+	unset ARCH
+	emake \
+		CROSS_COMPILE="${CHOST}-" \
+		ENABLE_SBSIGN=1 \
+		SBATPATH="${WORKDIR}"/sbat.csv \
+		VENDOR_DB_FILE="${BROOT}"/usr/share/sb_keys/$(usex official official unofficial)/shim.esl
+}
+
+src_install() {
+	insinto /usr/lib/shim
+	doins shim?*.efi mm?*.efi
+}