diff --git a/backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch b/backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7449e5d250fcf087f0382e90c8a2886168330728
--- /dev/null
+++ b/backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
@@ -0,0 +1,48 @@
+From b078ef274887a4cc0da64fd6668800d1e24a2871 Mon Sep 17 00:00:00 2001
+From: Jan Setje-Eilers
+Date: Tue, 16 May 2023 14:31:13 -0700
+Subject: [PATCH] Always clear SbatLevel when Secure Boot is disabled
+
+Unless an explict sbat policy is specified, always delete SbatLevel
+when secure boot is disabled.
+
+Signed-off-by: Jan Setje-Eilers
+---
+ sbat.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/sbat.c b/sbat.c
+index f1d6e98..cdf4e93 100644
+--- a/sbat.c
++++ b/sbat.c
+@@ -412,7 +412,12 @@ set_sbat_uefi_variable(void)
+ &attributes);
+ if (EFI_ERROR(efi_status)) {
+ dprint("Default sbat policy: previous\n");
+- sbat_var = SBAT_VAR_PREVIOUS;
++ if (secure_mode()) {
++ sbat_var = SBAT_VAR_PREVIOUS;
++ } else {
++ reset_sbat = true;
++ sbat_var = SBAT_VAR_ORIGINAL;
++ }
+ } else {
+ switch (*sbat_policy) {
+ case SBAT_POLICY_LATEST:
+@@ -438,7 +443,12 @@ set_sbat_uefi_variable(void)
+ default:
+ console_error(L"SBAT policy state %llu is invalid",
+ EFI_INVALID_PARAMETER);
+- sbat_var = SBAT_VAR_PREVIOUS;
++ if (secure_mode()) {
++ sbat_var = SBAT_VAR_PREVIOUS;
++ } else {
++ reset_sbat = true;
++ sbat_var = SBAT_VAR_ORIGINAL;
++ }
+ clear_sbat_policy();
+ break;
+ }
+--
+2.33.0
+
diff --git a/shim.spec b/shim.spec
index a0e7fbd494022b96b7d732b2d9ae1aed02169298..9df5e323471cf70dd3e078ea8be8e3f5ae1bf9e7 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@ Name: shim
 Version: 15.6
-Release: 20
+Release: 21
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
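Review bot: Both added fallback blocks (the `EFI_ERROR(efi_status)` branch in the `@@ -412` hunk and the `default:` case in the `@@ -438` hunk) rely on `reset_sbat` and `SBAT_VAR_ORIGINAL`, whose declarations are outside the hunks; because this lands on shim 15.6 rather than the upstream tree the 2023 commit was written against, confirm both names exist in the packaged sbat.c so that `reset_sbat = true;` presumably still reaches the code that deletes the variable later in the function. The six-line `if (secure_mode()) { ... } else { reset_sbat = true; sbat_var = SBAT_VAR_ORIGINAL; }` block is duplicated verbatim across the two hunks; keeping it identical to upstream is the right call for a backport, but a follow-up could fold it into a small static helper so a future rebase cannot update one copy and miss the other. Behaviorally, a machine with Secure Boot disabled and either no stored SBAT policy or an invalid one now resets SbatLevel to the original baseline instead of carrying the previous level forward, which lowers the stored revocation floor on non-Secure-Boot systems; the shim.spec changelog entry `- backport patch from upstream` does not name this change, and stating it there would help operators understand why SbatLevel appears reset after booting with Secure Boot off. `set_sbat_uefi_variable()` begins and ends outside both hunks.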
@@ -86,6 +86,7 @@ Patch48:backport-CVE-2023-40549-Authenticode-verify-that-the-signatur.patch Patch49: backport-CVE-2023-2650.patch Patch50: backport-CVE-2023-0465.patch Patch51: backport-CVE-2024-0727.patch +Patch52: backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch # Feature for shim SMx support Patch9000:Feature-shim-openssl-add-ec-support.patch @@ -223,6 +224,9 @@ make test /usr/src/debug/%{name}-%{version}-%{release}/* %changelog +* Tue Mar 26 2024 yixiangzhike - 15.6-21 +- backport patch from upstream + * Wed Feb 28 2024 zhengxiaoxiao - 15.6-20 - fix CVE-2023-0465 CVE-2023-2650 CVE-2024-0727