diff --git a/src/boot/linux.c b/src/boot/linux.c
index 0eb8f9913f..1e8fe15bd1 100644
--- a/src/boot/linux.c
+++ b/src/boot/linux.c
@@ -106,22 +106,28 @@ EFI_STATUS linux_exec(
         if (err != EFI_SUCCESS)
                 return log_error_status(err, "Bad kernel image: %m");
 
-        EFI_LOADED_IMAGE_PROTOCOL* parent_loaded_image;
+        EFI_LOADED_IMAGE_PROTOCOL *parent_loaded_image;
         err = BS->HandleProtocol(
                         parent, MAKE_GUID_PTR(EFI_LOADED_IMAGE_PROTOCOL), (void **) &parent_loaded_image);
         if (err != EFI_SUCCESS)
                 return log_error_status(err, "Cannot get parent loaded image: %m");
 
-        /* If shim provides LoadImage, it comes from version 16.1 or later and does the following:
-         * - It keeps a database of all PE sections that it already authenticated.
-         * - shim's LoadImage always verifies PE images against denylists: dbx, mokx, sbat.
-         * - If the PE image was not authenticated as a PE section it will also:
-         *   + verify it against allowlists: db, mok
-         *   + measure it on PCR 4
+        /* If shim provides LoadImage, it comes from the new SHIM_IMAGE_LOADER interface added in shim 16,
+         * and implements the following:
+         * - shim hashes PE sections of PE binaries it authenticates and stores the hashes in a global
+         *   database.
+         * - shim's LoadImage always verifies PE images against denylists: DBX, MOKX, SBAT.
+         * - If the PE image was _not_ authenticated as a PE section it will also:
+         *   + verify it against allowlists: DB, MOK,
+         *   + measure it on PCR 4.
          *
-         * In our case, we are loading a PE section that was already authenticated as part of the UKI.
-         * So in contrast to a normal UEFI LoadImage, shim will verify extra denylists (mokx, sbat),
-         * while skipping all allowlists and measurements.
+         * (Compared to standard UEFI LoadImage(), the patched shim version of LoadImage() is both stricter —
+         * as it checks SBAT + MOKX for all PE payloads — and more relaxed — as it disables DB checks for PE
+         * payloads it has seen as part of another PE binary before.)
+         *
+         * In our case, we are loading a PE section that was already authenticated as part of the UKI. In
+         * contrast to a normal UEFI LoadImage, shim will verify extra denylists (MOKX, SBAT), but skip all
+         * allowlists and measurements.
          *
          * See https://github.com/rhboot/shim/blob/main/README.md#shim-loader-protocol
          */
@@ -187,8 +193,8 @@ EFI_STATUS linux_exec(
                 .FilePath = file_path,
                 .ImageBase = loaded_kernel,
                 .ImageSize = kernel_size_in_memory,
-                .ImageCodeType = /*EFI_LOADER_CODE*/1,
-                .ImageDataType = /*EFI_LOADER_DATA*/2,
+                .ImageCodeType = 1 /* EFI_LOADER_CODE */,
+                .ImageDataType = 2 /* EFI_LOADER_DATA */,
         };
 
         if (cmdline) {
diff --git a/src/boot/shim.c b/src/boot/shim.c
index c84e7fe589..0168bb424d 100644
--- a/src/boot/shim.c
+++ b/src/boot/shim.c
@@ -42,11 +42,7 @@ bool shim_loaded(void) {
         return BS->LocateProtocol(MAKE_GUID_PTR(SHIM_LOCK), NULL, (void **) &shim_lock) == EFI_SUCCESS;
 }
 
-/* The shim lock protocol is for pre-v16 shim, where it was not hooked up to the BS->LoadImage() system
- * table and friends, and it has to be checked manually via the shim_validate() helper. If the shim image
- * loader protocol is available (shim v16 and newer), then it will have overridden BS->LoadImage() and
- * friends in the system table, so no specific helper is needed, and the standard BS->LoadImage() and
- * friends can be called instead. */
+/* Check if SHIM_IMAGE_LOADER is available, shim 16 or newer. */
 bool shim_loader_available(void) {
         void *shim_image_loader;
 
@@ -104,7 +100,15 @@ EFI_STATUS shim_load_image(
         assert(device_path);
         assert(ret_image);
 
+        /* The shim lock protocol is for pre-v16 shim, where it was not hooked up to the BS->LoadImage()
+         * system table and friends, and it has to be checked manually via the shim_validate() helper. If the
+         * shim image loader protocol is available (shim v16 and newer), then it will have overridden
+         * BS->LoadImage() and friends in the system table, so no specific helper is needed, and the standard
+         * BS->LoadImage() and friends can be called instead.
+         */
+
         // TODO: drop lock protocol and just use plain BS->LoadImage once Shim < 16 is no longer supported
+
         bool have_shim = shim_loaded() && !shim_loader_available();
 
         if (have_shim)
diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c
index fb56c6e641..595180a6fd 100644
--- a/src/shared/conf-parser.c
+++ b/src/shared/conf-parser.c
@@ -618,7 +618,7 @@ int config_parse_many(
         r = conf_files_list_dropins(&files, dropin_dirname, root, conf_file_dirs);
         if (r < 0)
                 return log_full_errno(FLAGS_SET(flags, CONFIG_PARSE_WARN) ? LOG_WARNING : LOG_DEBUG, r,
-                                      "Failed to list up drop-in configs in %s: %m", dropin_dirname);
+                                      "Failed to list drop-ins in %s: %m", dropin_dirname);
 
         r = config_parse_many_files(root, conf_files, files, sections, lookup, table, flags, userdata, ret_stats_by_path);
         if (r < 0)