efi: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT, replacing EFI_SECURE_BOOT_LOCK_DOWN

2017-12-30 16:04:43 +00:00 · 2017-12-30 16:04:43 +00:00 · cb21ae6740
parent 20aa9b586e
commit cb21ae6740
4 changed files with 3 additions and 2 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -2,6 +2,8 @@ linux (4.15~rc5-1~exp2) UNRELEASED; urgency=medium

  * [arm64] Update "add kernel config option to lock down when in Secure Boot
    mode" for 4.15
+  * efi: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT, replacing
+    EFI_SECURE_BOOT_LOCK_DOWN

 -- Ben Hutchings <ben@decadent.org.uk>  Sat, 30 Dec 2017 16:00:15 +0000

--- a/debian/config/arm64/config
+++ b/debian/config/arm64/config
@ -23,7 +23,6 @@ CONFIG_ARM64_PMEM=y
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
 CONFIG_ARM64_ACPI_PARKING_PROTOCOL=y
-CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_COMPAT=y

 ##
--- a/debian/config/config
+++ b/debian/config/config
@ -7100,6 +7100,7 @@ CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 CONFIG_LOCK_DOWN_KERNEL=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 ## choice: Default security module
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 ## end choice
--- a/debian/config/kernelarch-x86/config
+++ b/debian/config/kernelarch-x86/config
@ -55,7 +55,6 @@ CONFIG_X86_SMAP=y
 CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
-CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_SECCOMP=y
 CONFIG_KEXEC=y
 CONFIG_CRASH_DUMP=y