diff --git a/Makefile b/Makefile
index b6a66a1..c19968e 100644
--- a/Makefile
+++ b/Makefile
@@ -49,6 +49,14 @@ define VENDOR_DB =
 	--change-section-address .db=$(call DB_ADDRESS, $(1), 1),)
 endef
 
+define add-vendor-sbat
+$(OBJCOPY) --add-section ".$(patsubst %.csv,%,$(1))=$(1)" $(2)
+
+endef
+
+SBATPATH = $(TOPDIR)/data/sbat.csv
+VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))
+
 OBJFLAGS =
 SOLIBS =
 
@@ -78,11 +86,12 @@ endif
 
 all : certmule.efi
 
+certmule.so : sbat_data.o certmule.o
 certmule.so : SOLIBS=
 certmule.so : SOFLAGS=
 certmule.so : BUILDFLAGS+=-DVENDOR_DB
 certmule.efi : OBJFLAGS = --strip-unneeded $(call VENDOR_DB, $<)
-certmule.efi : SECTIONS=.text .reloc .db
+certmule.efi : SECTIONS=.text .reloc .db .sbat
 certmule.efi : VENDOR_DB_FILE?=db.esl
 
 %.efi : %.so
@@ -94,6 +103,14 @@ endif
 		   $(OBJFLAGS) \
 		   $(FORMAT) $^ $@
 
+sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
+sbat_data.o : /dev/null
+	$(CC) $(BUILDFLAGS) -x c -c -o $@ $<
+	$(OBJCOPY) --add-section .sbat=$(SBATPATH) \
+		--set-section-flags .sbat=contents,alloc,load,readonly,data \
+		$@
+	$(foreach vs,$(VENDOR_SBATS),$(call add-vendor-sbat,$(vs),$@))
+
 %.so : %.o
 	$(CC) $(CCLDFLAGS) $(SOFLAGS) -o $@ $^ $(SOLIBS) \
 		$(shell $(CC) -print-libgcc-file-name) \
diff --git a/data/sbat.csv b/data/sbat.csv
new file mode 100755
index 0000000..d40938d
--- /dev/null
+++ b/data/sbat.csv
@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+certmule,1,UEFI certmule,certmule,1,https://github.com/rhboot/certmule