diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b3be566..a2523f5 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -544,6 +544,18 @@ HashPeImage (
 if (!Status) {
 goto Done;
 }
+ /*
+ * Problem: some unsigned PECOFF binaries don't always end on an aligned
+ * size. For this case, pad them with zeros up to the aligned size
+ */
+ if (ALIGN_SIZE(mImageSize)) {
+ UINT64 zerofill = 0;
+
+ Status = mHash[HashAlg].HashUpdate(HashCtx, &zerofill, ALIGN_SIZE(mImageSize));
+ if (!Status) {
+ goto Done;
+ }
+ }
 } else if (mImageSize < CertSize + SumOfBytesHashed) {
 Status = FALSE;
 goto Done;
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
index 55371e9..bdf27ac 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
@@ -43,6 +43,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #define MAX_NOTIFY_STRING_LEN 64
 #define TWO_BYTE_ENCODE 0x82
 
+#define ALIGNMENT_SIZE 8
+#define ALIGN_SIZE(a) (((a) % ALIGNMENT_SIZE) ? ALIGNMENT_SIZE - ((a) % ALIGNMENT_SIZE) : 0)
+
 //
 // Image type definitions
 //
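Review bot: In the HashPeImage hunk of DxeImageVerificationLib.c, the new padding is gated only on `ALIGN_SIZE(mImageSize)`, although the comment limits the case to unsigned binaries; nothing in the visible lines ties it to `CertSize`, so a signed image with an unaligned total size would presumably also get extra zero bytes folded into its digest. If only unsigned images are meant, make that explicit with `if (CertSize == 0 && ALIGN_SIZE (mImageSize) != 0) {`; otherwise the comment should say why signed images are included. The comment should also record that the digest now equals that of the same file with explicit zero padding appended, so allow- or deny-list hash entries computed over the unpadded bytes of an unaligned image will likely stop matching. HashPeImage starts and ends outside the hunk, so the enclosing condition cannot be checked from here.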
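Review bot: In the DxeImageVerificationLib.h hunk, `ALIGNMENT_SIZE` carries an undocumented coupling to its caller: HashPeImage hashes up to `ALIGNMENT_SIZE - 1` bytes out of a single `UINT64 zerofill`, so raising the constant above 8 would make HashUpdate read past that variable. Add a comment on the define such as `// Must not exceed sizeof (UINT64): HashPeImage() hashes the padding from a UINT64 zero buffer.`, or declare the zero buffer in the caller as a byte array sized by the constant. `ALIGN_SIZE(a)` returns the number of padding bytes rather than an aligned size and evaluates `a` twice, so a one-line comment saying so (or a name like `ALIGN_PAD_SIZE`) would help prevent misuse.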