diff --git a/debian/changelog b/debian/changelog
index e426d9bae..2f1188c03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ linux (4.15~rc5-1~exp2) UNRELEASED; urgency=medium
 
   * [arm64] Update "add kernel config option to lock down when in Secure Boot
     mode" for 4.15
+  * efi: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT, replacing
+    EFI_SECURE_BOOT_LOCK_DOWN
 
  -- Ben Hutchings <ben@decadent.org.uk>  Sat, 30 Dec 2017 16:00:15 +0000
 
diff --git a/debian/config/arm64/config b/debian/config/arm64/config
index 8b09bf579..e7e0f5639 100644
--- a/debian/config/arm64/config
+++ b/debian/config/arm64/config
@@ -23,7 +23,6 @@ CONFIG_ARM64_PMEM=y
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
 CONFIG_ARM64_ACPI_PARKING_PROTOCOL=y
-CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_COMPAT=y
 
 ##
diff --git a/debian/config/config b/debian/config/config
index 3b6e1ff29..3e41c0adc 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -7100,6 +7100,7 @@ CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_HARDENED_USERCOPY=y
 # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
 CONFIG_LOCK_DOWN_KERNEL=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 ## choice: Default security module
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 ## end choice
diff --git a/debian/config/kernelarch-x86/config b/debian/config/kernelarch-x86/config
index 94215d3df..a003e48c9 100644
--- a/debian/config/kernelarch-x86/config
+++ b/debian/config/kernelarch-x86/config
@@ -55,7 +55,6 @@ CONFIG_X86_SMAP=y
 CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
-CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
 CONFIG_SECCOMP=y
 CONFIG_KEXEC=y
 CONFIG_CRASH_DUMP=y