+- Added support for using Matthew Garrett's Shim program and its Machine
+ Owner Keys (MOKs) to extend Secure Boot capabilities. If rEFInd is
+ launched from Shim on a computer with Secure Boot active, rEFInd will
+ launch programs signed with either a standard UEFI Secure Boot key or a
+ MOK. For the moment, this feature works only on x86-64 systems.
+
+- Added new "dont_scan_files" (aka "don't_scan_files") token for
+ refind.conf. The effect is similar to dont_scan_dirs, but it creates a
+ blacklist of filenames within directories rather than directory names.
+ I'm initially using it to place shim.efi and MokManager.efi in the
+ blacklist to keep these programs out of the OS list. (MokManager.efi is
+ scanned separately as a tool; see below.) I've moved checks for
+ ebounce.efi, GraphicsConsole.efi, and TextMode.efi to this list. (These
+ three had previously been blacklisted by hard-coding in ScanLoaderDir().)
+