diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 182e8090cfe8..667aa28d9125 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -96,17 +96,18 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
 }
 
 /*
- * load_moklist_certs() - Load MokList certs
+ * load_moklist_certs() - Load Mok(X)List certs
+ * @load_db: Load MokListRT into db when true; MokListXRT into dbx when false
  *
- * Load the certs contained in the UEFI MokListRT database into the
- * platform trusted keyring.
+ * Load the certs contained in the UEFI MokList(X)RT database into the
+ * platform trusted/denied keyring.
  *
  * This routine checks the EFI MOK config table first. If and only if
- * that fails, this routine uses the MokListRT ordinary UEFI variable.
+ * that fails, this routine uses the MokList(X)RT ordinary UEFI variable.
  *
  * Return:	Status
  */
-static int __init load_moklist_certs(void)
+static int __init load_moklist_certs(const bool load_db)
 {
 	struct efi_mokvar_table_entry *mokvar_entry;
 	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
@@ -114,41 +115,55 @@ static int __init load_moklist_certs(void)
 	unsigned long moksize;
 	efi_status_t status;
 	int rc;
+	const char *mokvar_name = "MokListRT";
+	/* Should be const, but get_cert_list() doesn't have it as const yet */
+	efi_char16_t *efivar_name = L"MokListRT";
+	const char *parse_mokvar_name = "UEFI:MokListRT (MOKvar table)";
+	const char *parse_efivar_name = "UEFI:MokListRT";
+	efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db;
+
+	if (!load_db) {
+		mokvar_name = "MokListXRT";
+		efivar_name = L"MokListXRT";
+		parse_mokvar_name = "UEFI:MokListXRT (MOKvar table)";
+		parse_efivar_name = "UEFI:MokListXRT";
+		get_handler_for_guid = get_handler_for_dbx;
+	}
 
 	/* First try to load certs from the EFI MOKvar config table.
 	 * It's not an error if the MOKvar config table doesn't exist
 	 * or the MokListRT entry is not found in it.
 	 */
-	mokvar_entry = efi_mokvar_entry_find("MokListRT");
+	mokvar_entry = efi_mokvar_entry_find(mokvar_name);
 	if (mokvar_entry) {
-		rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)",
+		rc = parse_efi_signature_list(parse_mokvar_name,
 					      mokvar_entry->data,
 					      mokvar_entry->data_size,
-					      get_handler_for_mok);
+					      get_handler_for_guid);
 		/* All done if that worked. */
 		if (!rc)
 			return rc;
 
-		pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n",
-		       rc);
+		pr_err("Couldn't parse %s signatures from EFI MOKvar config table: %d\n",
+		       mokvar_name, rc);
 	}
 
 	/* Get MokListRT. It might not exist, so it isn't an error
 	 * if we can't get it.
 	 */
-	mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
+	mok = get_cert_list(efivar_name, &mok_var, &moksize, &status);
 	if (mok) {
-		rc = parse_efi_signature_list("UEFI:MokListRT",
-					      mok, moksize, get_handler_for_mok);
+		rc = parse_efi_signature_list(parse_efivar_name,
+					      mok, moksize, get_handler_for_guid);
 		kfree(mok);
 		if (rc)
-			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+			pr_err("Couldn't parse %s signatures: %d\n", mokvar_name, rc);
 		return rc;
 	}
 	if (status == EFI_NOT_FOUND)
-		pr_debug("MokListRT variable wasn't found\n");
+		pr_debug("%s variable wasn't found\n", mokvar_name);
 	else
-		pr_info("Couldn't get UEFI MokListRT\n");
+		pr_info("Couldn't get UEFI %s\n", mokvar_name);
 	return 0;
 }
 
@@ -162,9 +177,8 @@ static int __init load_moklist_certs(void)
 static int __init load_uefi_certs(void)
 {
 	efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
-	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
-	void *db = NULL, *dbx = NULL, *mokx = NULL;
-	unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
+	void *db = NULL, *dbx = NULL;
+	unsigned long dbsize = 0, dbxsize = 0;
 	efi_status_t status;
 	int rc = 0;
 	const struct dmi_system_id *dmi_id;
@@ -217,23 +231,15 @@ static int __init load_uefi_certs(void)
 	if (!arch_ima_get_secureboot())
 		return 0;
 
-	mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
-	if (!mokx) {
-		if (status == EFI_NOT_FOUND)
-			pr_debug("mokx variable wasn't found\n");
-		else
-			pr_info("Couldn't get mokx list\n");
-	} else {
-		rc = parse_efi_signature_list("UEFI:MokListXRT",
-					      mokx, mokxsize,
-					      get_handler_for_dbx);
-		if (rc)
-			pr_err("Couldn't parse mokx signatures %d\n", rc);
-		kfree(mokx);
-	}
+	/* Load the MokListXRT certs */
+	rc = load_moklist_certs(false);
+	if (rc)
+		pr_err("Couldn't parse mokx signatures: %d\n", rc);
 
 	/* Load the MokListRT certs */
-	rc = load_moklist_certs();
+	rc = load_moklist_certs(true);
+	if (rc)
+		pr_err("Couldn't parse mok signatures: %d\n", rc);
 
 	return rc;
 }