diff --git a/SOURCES/0002-MokListRT-Fatal.patch b/SOURCES/0002-MokListRT-Fatal.patch
new file mode 100644
index 0000000..6590ae9
--- /dev/null
+++ b/SOURCES/0002-MokListRT-Fatal.patch
@@ -0,0 +1,46 @@
+From 9a2dd0a945720634b9f3608c3b3dfb99fafd4465 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Thu, 6 Dec 2018 10:08:45 +0100
+Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
+ systems
+
+I have come across systems that are unwilling to reserve enough memory for
+a MokListRT big enough for big certificates.
+This seems to be the case with firmware implementations that do not support
+secureboot, which is probably the reason they went with much lower variable
+storage.
+
+This patch set makes sure we can still boot on those systems, by only
+making the copy action fatal if the system has secure boot enabled, or if
+the error was anything other than EFI_INVALID_PARAMETER.
+
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+---
+ shim.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index fcc11eb3..89ef0036 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2632,9 +2632,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ die:
+ 		console_print(L"Something has gone seriously wrong: %s: %r\n",
+ 			      msgs[msg], efi_status);
+-		msleep(5000000);
+-		gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
+-				 0, NULL);
++		/*
++		 * Make copy failures fatal only if secure_mode is enabled, or
++		 * the error was anything else than EFI_INVALID_PARAMETER.
++		 * There are non-secureboot firmware implementations that don't
++		 * reserve enough EFI variable memory to fit the variable.
++		 */
++		if (secure_mode() || efi_status != EFI_INVALID_PARAMETER) {
++			msleep(5000000);
++			gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
++					 0, NULL);
++		}
+ 	}
+ 
+ 	efi_status = shim_init();
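Review bot: The new condition at `die:` is not scoped to the MokListRT copy failure. The label and the `msgs[msg]` lookup suggest other error paths in efi_main jump here as well, and any of them that reports EFI_INVALID_PARAMETER while `secure_mode()` is false would now fall through to `shim_init()` instead of halting. I would also test `msg`, so only the MOK import step is tolerated, e.g. `if (secure_mode() || msg != <index of the MOK-import message> || efi_status != EFI_INVALID_PARAMETER) {`. EFI_INVALID_PARAMETER is a generic status, so the comment should name the call that returns it for an undersized variable store, and the console line should say that boot continues, since the pause is skipped on that path and the text still reads as a fatal error. efi_main and the enclosing `if` begin outside the hunk, so the other `goto die` sites need checking against the full file.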
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index cc652ac..d43865d 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,6 +1,6 @@
 Name:           shim
 Version:        15
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        First-stage UEFI bootloader
 
 License:        BSD
@@ -14,6 +14,7 @@ Source4:        shim-find-debuginfo.sh
 Source5:	centos.esl
 
 Patch0:		0001-Add-vendor-esl.patch
+Patch1:		0002-MokListRT-Fatal.patch
 
 BuildRequires: git openssl-devel openssl
 BuildRequires: pesign >= 0.106-1
@@ -228,6 +229,9 @@ cd ../%{name}-%{version}-%{efiarch}
 %endif
 
 %changelog
+* Thu Dec 06 2018 Fabian Arrotin <arrfab@centos.org> - 15-2.el7.centos
+-  0002-MokListRT-Fatal.patch (https://github.com/rhboot/shim/pull/157) (#15522)
+
 * Tue Oct 30 2018 Fabian Arrotin <arrfab@centos.org> - 15-1.el7.centos
 - Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk)
 - Rebuilt with combined centos.esl (so new and previous crt)