shim-15.6

• What's Changed

• MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
• shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
• post-process-pe: Fix a missing return code check by @vathpela in #462
• Update github actions matrix to be more useful by @frozencemetery in #469
• Add f36 and centos9 CI builds by @vathpela in #470
• post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
• tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
• tests: fix gcc warnings by @akodanev in #463
• Allow MokListTrusted to be enabled by default by @esnowberg in #455
• Add code of conduct by @frozencemetery in #427
• Re-add ARM AArch64 support by @vathpela in #468
• Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
• make: don't treat cert.S specially by @vathpela in #475
• shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
• Break out of the inner sbat loop if we find the entry. by @vathpela in #476
• Support loading additional certificates by @esnowberg in #446
• Add support for NX (W^X) mitigations. by @vathpela in #459
• Misc fixups from scan-build. by @vathpela in #477
• Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
• SBAT Policy latest should be a one-shot by @jsetje in #481
• pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
• pe: Perform image verification earlier when loading grub by @chriscoulson
• Update advertised sbat generation number for shim by @jsetje
• Update SBAT generation requirements for 05/24/22 by @jsetje
• Also avoid CVE-2022-28737 in verify_image() by @vathpela

• New Contributors

• @joeyli made their first contribution in #441
• @akodanev made their first contribution in #463
• @esnowberg made their first contribution in #455

• Full Changelog**: 15.5...15.6