diff --git a/tboot-bsc#1207833-copy-mbi.patch b/tboot-bsc#1207833-copy-mbi.patch
new file mode 100644
index 0000000..639cf45
--- /dev/null
+++ b/tboot-bsc#1207833-copy-mbi.patch
@@ -0,0 +1,24 @@
+--- tboot-1.10.2/tboot/common/loader.c.orig	2023-05-31 01:49:45.935321582 -0500
++++ tboot-1.10.2/tboot/common/loader.c	2023-05-31 01:57:27.914405762 -0500
+@@ -1099,11 +1099,17 @@ move_modules(loader_ctx *lctx)
+ 
+     if ( below_tboot(lowest) )
+         from = lowest;
+-    else
+-        if ( below_tboot((unsigned long)lctx->addr) )
++
++    /*
++     * if MBI is below tboot & the lowest module, make sure it gets
++     * copied, too!
++     */
++    if ( below_tboot((unsigned long)lctx->addr) && 
++	 (unsigned long)lctx->addr < lowest )
+             from = (unsigned long)lctx->addr;
+-        else
+-            return;
++
++    if (from == 0)
++	    return;
+ 
+     unsigned long highest = get_highest_mod_end(lctx);
+     unsigned long to = PAGE_UP(highest);
diff --git a/tboot.changes b/tboot.changes
index e8ddc95..37e23f6 100644
--- a/tboot.changes
+++ b/tboot.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue Jun 25 07:34:57 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower
+  address above tboot (bsc#1207833). This fixes a broken boot situation in
+  some configurations stopping with log line "TBOOT: loader context was moved
+  from 0x<address> to 0x<address>".
+
+  this patch syncs the Factory package with the SLE package. For some reason I
+  forgot to add the patch to Factory first. Also upstream did not react to the
+  patch, that I posted to their mailing list, so it's not contained in the
+  upstream tarball.
+
 -------------------------------------------------------------------
 Mon Jun 17 13:09:34 UTC 2024 - Matthias Gerstner <matthias.gerstner@suse.com>
 
diff --git a/tboot.spec b/tboot.spec
index 9476eb9..e4f176b 100644
--- a/tboot.spec
+++ b/tboot.spec
@@ -30,6 +30,7 @@ Patch3:         tboot-grub2-fix-menu-in-xen-host-server.patch
 Patch4:         tboot-grub2-fix-xen-submenu-name.patch
 Patch7:         tboot-distributor.patch
 Patch8:         tboot-grub2-refuse-secure-boot.patch
+Patch9:         tboot-bsc#1207833-copy-mbi.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch:  %{ix86} x86_64
 BuildRequires:  openssl-devel