diff -Nru shim-0.9+1465500757.14a5905/debian/changelog shim-0.9+1465500757.14a5905/debian/changelog
--- shim-0.9+1465500757.14a5905/debian/changelog 2016-07-26 15:48:40.000000000 -0500
+++ shim-0.9+1465500757.14a5905/debian/changelog 2016-09-21 08:03:49.000000000 -0500
@@ -1,3 +1,11 @@
+shim (0.9+1465500757.14a5905-0ubuntu2) yakkety; urgency=medium
+
+ * add d/p/{MokManager-Try-APPEND_WRITE-first.patch,
+ MokManager-Remove-the-usage-of-APPEND_WRITE.patch}:
+ - fix issues with adding keys on certain Lenovo machines (LP: #1600452)
+
+ -- Chris J Arges Wed, 21 Sep 2016 08:03:26 -0500
+
 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
 * New upstream release.
diff -Nru shim-0.9+1465500757.14a5905/debian/patches/MokManager-free-new_data-after-use.patch shim-0.9+1465500757.14a5905/debian/patches/MokManager-free-new_data-after-use.patch
--- shim-0.9+1465500757.14a5905/debian/patches/MokManager-free-new_data-after-use.patch 1969-12-31 18:00:00.000000000 -0600
+++ shim-0.9+1465500757.14a5905/debian/patches/MokManager-free-new_data-after-use.patch 2016-09-21 08:02:49.000000000 -0500
@@ -0,0 +1,30 @@
+From 903674a2c407d6c5de53e3ef860f36f4a6740ce8 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 7 Sep 2016 16:54:27 +0800
+Subject: [PATCH 3/3] MokManager: free new_data after use
+
+new_data in write_db() wasn't freed after SetVariable.
+
+Signed-off-by: Gary Lin
+---
+ MokManager.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/MokManager.c b/MokManager.c
+index 039a747..20db532 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -916,6 +916,10 @@ out:
+ FreePool(old_data);
+ }
+
++ if (new_data != NULL) {
++ FreePool(new_data);
++ }
++
+ return status;
+ }
+
+--
+2.7.4
+
diff -Nru shim-0.9+1465500757.14a5905/debian/patches/MokManager-Remove-the-usage-of-APPEND_WRITE.patch shim-0.9+1465500757.14a5905/debian/patches/MokManager-Remove-the-usage-of-APPEND_WRITE.patch
--- shim-0.9+1465500757.14a5905/debian/patches/MokManager-Remove-the-usage-of-APPEND_WRITE.patch 1969-12-31 18:00:00.000000000 -0600
+++ shim-0.9+1465500757.14a5905/debian/patches/MokManager-Remove-the-usage-of-APPEND_WRITE.patch 2016-09-21 08:02:49.000000000 -0500
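Review bot: The new cleanup is keyed on the pointer (`if (new_data != NULL)`) while the old_data release at the same `out:` label is keyed on a size (its condition line sits above this hunk; the Remove-the-usage-of-APPEND_WRITE patch on this page shows it as `if (old_size > 0)`), so two different ownership predicates now coexist in one epilogue. Using `if (old_data != NULL)` for the first block as well keeps the rule "non-NULL means owned" uniform and matches how write_db already nulls old_data after freeing it in the RUNTIME_ACCESS branch. write_db's start is outside this hunk.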
@@ -0,0 +1,103 @@
+From 5597a493e291ef6335a400db520472d2fb59db1d Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Thu, 28 Jul 2016 15:11:14 +0800
+Subject: [PATCH 1/3] MokManager: Remove the usage of APPEND_WRITE
+
+We got the bug report about the usage of APPEND_WRITE that may cause the
+failure when writing a variable in Lenovo machines. Although
+EFI_VARIABLE_APPEND_WRITE already exists in the UEFI spec for years,
+unfortunately, some vendors just ignore it and never implement the
+attribute. This commit removes the usage of EFI_VARIABLE_APPEND_WRITE to
+make MokManager work on those machines.
+
+https://github.com/rhinstaller/shim/issues/55
+
+Signed-off-by: Gary Lin
+---
+ MokManager.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 48 insertions(+), 8 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index 3928196..3a9e7ba 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -24,8 +24,6 @@
+ #define SHIM_VENDOR L"Shim"
+ #endif
+
+-#define EFI_VARIABLE_APPEND_WRITE 0x00000040
+-
+ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+ EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
+ EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
+@@ -864,6 +862,53 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt,
+ return EFI_SUCCESS;
+ }
+
++static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize)
++{
++ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
++ EFI_STATUS status;
++ UINT32 attributes;
++ void *old_data = NULL;
++ void *new_data = NULL;
++ UINTN old_size;
++ UINTN new_size;
++
++ status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size,
++ shim_lock_guid, &attributes);
++ if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
++ return status;
++ }
++
++ /* Check if the old db is compromised or not */
++ if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
++ FreePool(old_data);
++ old_data = NULL;
++ old_size = 0;
++ }
++
++ new_size = old_size + MokNewSize;
++ new_data = AllocatePool(new_size);
++ if (new_data == NULL) {
++ status = EFI_OUT_OF_RESOURCES;
++ goto out;
++ }
++
++ CopyMem(new_data, old_data, old_size);
++ CopyMem(new_data + old_size, MokNew, MokNewSize);
++
++ status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ new_size, new_data);
++
++out:
++ if (old_size > 0) {
++ FreePool(old_data);
++ }
++
++ return status;
++}
++
+ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate,
+ BOOLEAN MokX)
+ {
+@@ -918,12 +963,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate,
+ 0, NULL);
+ } else {
+ /* Write new MOK */
+- efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
+- &shim_lock_guid,
+- EFI_VARIABLE_NON_VOLATILE
+- | EFI_VARIABLE_BOOTSERVICE_ACCESS
+- | EFI_VARIABLE_APPEND_WRITE,
+- MokNewSize, MokNew);
++ efi_status = write_db(db_name, MokNew, MokNewSize);
+ }
+
+ if (efi_status != EFI_SUCCESS) {
+--
+2.7.4
+
diff -Nru shim-0.9+1465500757.14a5905/debian/patches/MokManager-Try-APPEND_WRITE-first.patch shim-0.9+1465500757.14a5905/debian/patches/MokManager-Try-APPEND_WRITE-first.patch
--- shim-0.9+1465500757.14a5905/debian/patches/MokManager-Try-APPEND_WRITE-first.patch 1969-12-31 18:00:00.000000000 -0600
+++ shim-0.9+1465500757.14a5905/debian/patches/MokManager-Try-APPEND_WRITE-first.patch 2016-09-21 08:02:49.000000000 -0500
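Review bot: In the added write_db, `attributes` and `old_size` are declared without initializers, yet the EFI_NOT_FOUND path falls through to `if (attributes & EFI_VARIABLE_RUNTIME_ACCESS)` and `new_size = old_size + MokNewSize;`; whether get_variable_attr (defined outside this hunk) writes both outputs when the variable is absent cannot be seen here, and if it does not, the compromised-db check is deciding on an indeterminate value. Initialising them at declaration, `UINT32 attributes = 0;` and `UINTN old_size = 0;`, makes the not-found case well-defined regardless of the helper's contract. The sum `old_size + MokNewSize` is also handed to AllocatePool without a wrap check, so a guard such as `if (MokNewSize > ~(UINTN)0 - old_size) return EFI_INVALID_PARAMETER;` before the allocation would rule out an undersized buffer feeding the two CopyMem calls. The store_keys fragment that follows in this hunk is cut at both ends of its function.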
@@ -0,0 +1,37 @@
+From e21068b499c9fa4e75e84c0e0223dfb0575219e3 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 3 Aug 2016 16:53:51 +0800
+Subject: [PATCH 2/3] MokManager: Try APPEND_WRITE first
+
+Try to append the MOK/MOKX list first and then fallback to the normal
+SetVariable if the firmware doesn't support EFI_VARIABLE_APPEND_WRITE.
+
+Signed-off-by: Gary Lin
+---
+ MokManager.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/MokManager.c b/MokManager.c
+index 3a9e7ba..039a747 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -872,6 +872,16 @@ static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize)
+ UINTN old_size;
+ UINTN new_size;
+
++ status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS
++ | EFI_VARIABLE_APPEND_WRITE,
++ MokNewSize, MokNew);
++ if (status == EFI_SUCCESS || status != EFI_INVALID_PARAMETER) {
++ return status;
++ }
++
+ status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size,
+ shim_lock_guid, &attributes);
+ if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
+--
+2.7.4
+
diff -Nru shim-0.9+1465500757.14a5905/debian/patches/series shim-0.9+1465500757.14a5905/debian/patches/series
--- shim-0.9+1465500757.14a5905/debian/patches/series 2016-07-26 13:28:46.000000000 -0500
+++ shim-0.9+1465500757.14a5905/debian/patches/series 2016-09-21 08:03:21.000000000 -0500
@@ -2,3 +2,6 @@
 sbsigntool-not-pesign
 unused-variable
 binutils-version-matching
+MokManager-Remove-the-usage-of-APPEND_WRITE.patch
+MokManager-Try-APPEND_WRITE-first.patch
+MokManager-free-new_data-after-use.patch
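Review bot: The fallback condition `if (status == EFI_SUCCESS || status != EFI_INVALID_PARAMETER)` reduces to `status != EFI_INVALID_PARAMETER`, so the first operand only obscures what the retry is keyed on; `if (status != EFI_INVALID_PARAMETER) { return status; }` with a comment such as `/* Firmware without APPEND_WRITE support rejects the attribute bit; any other status is final */` states it directly. Which status a given firmware returns for an unimplemented attribute is not visible here, and the commit message's "ignore it" wording suggests EFI_UNSUPPORTED is also plausible, so handling it the same way would avoid a hard failure on such machines — worth confirming against the affected firmware before widening the match. The local `#define EFI_VARIABLE_APPEND_WRITE` was dropped by the Remove-the-usage patch on this page, so this hunk now depends on the EFI headers providing the macro. write_db's body begins and ends outside this hunk.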