diff --git a/SOURCES/9998-MokListRT-Fatal.patch b/SOURCES/9998-MokListRT-Fatal.patch
new file mode 100644
index 0000000..6590ae9
--- /dev/null
+++ b/SOURCES/9998-MokListRT-Fatal.patch
@@ -0,0 +1,46 @@
+From 9a2dd0a945720634b9f3608c3b3dfb99fafd4465 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Thu, 6 Dec 2018 10:08:45 +0100
+Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
+ systems
+
+I have come across systems that are unwilling to reserve enough memory for
+a MokListRT big enough for big certificates.
+This seems to be the case with firmware implementations that do not support
+secureboot, which is probably the reason they went with much lower variable
+storage.
+
+This patch set makes sure we can still boot on those systems, by only
+making the copy action fatal if the system has secure boot enabled, or if
+the error was anything other than EFI_INVALID_PARAMETER.
+
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+---
+ shim.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index fcc11eb3..89ef0036 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2632,9 +2632,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ die:
+ 		console_print(L"Something has gone seriously wrong: %s: %r\n",
+ 			      msgs[msg], efi_status);
+-		msleep(5000000);
+-		gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
+-				 0, NULL);
++		/*
++		 * Make copy failures fatal only if secure_mode is enabled, or
++		 * the error was anything else than EFI_INVALID_PARAMETER.
++		 * There are non-secureboot firmware implementations that don't
++		 * reserve enough EFI variable memory to fit the variable.
++		 */
++		if (secure_mode() || efi_status != EFI_INVALID_PARAMETER) {
++			msleep(5000000);
++			gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
++					 0, NULL);
++		}
+ 	}
+ 
+ 	efi_status = shim_init();