From 483528dfb0106106db4aaf549642b344ec37dce7 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sat, 21 Mar 2020 09:12:48 +0100
Subject: [PATCH] Refresh "efi: Lock down the kernel if booted in secure boot mode"

---
 ...e-kernel-if-booted-in-secure-boot-mo.patch | 35 ++++++++-----------
 1 file changed, 15 insertions(+), 20 deletions(-)

diff --git a/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index cbca76f5f..9ab10afb3 100644
--- a/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/debian/patches/features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -18,10 +18,8 @@ cc: linux-efi@vger.kernel.org
  security/lock_down.c | 1 +
  3 files changed, 19 insertions(+), 2 deletions(-)
-Index: linux/arch/x86/kernel/setup.c
-===================================================================
---- linux.orig/arch/x86/kernel/setup.c
-+++ linux/arch/x86/kernel/setup.c
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
 @@ -65,6 +65,7 @@
  #include
  #include
@@ -49,13 +47,11 @@ Index: linux/arch/x86/kernel/setup.c
  reserve_initrd();
  acpi_table_upgrade();
-Index: linux/security/Kconfig
-===================================================================
---- linux.orig/security/Kconfig
-+++ linux/security/Kconfig
-@@ -256,6 +256,20 @@ config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
- Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
- combination on a wired keyboard.
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -247,6 +247,21 @@ config LOCK_DOWN_KERNEL
+ turns off various features that might otherwise allow access to the
+ kernel image (eg. setting MSR registers).
 +config LOCK_DOWN_IN_EFI_SECURE_BOOT
 + bool "Lock down the kernel in EFI Secure Boot mode"
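Review bot: The refreshed Kconfig hunk header grows the insertion count from 20 to 21 (`-@@ -256,6 +256,20 @@` becomes `+@@ -247,6 +247,21 @@`) while the visible added help lines are unchanged, and the only candidate for the extra line, in the following hunk (`@@ -71,18 +67,17 @@`), appears to be a whitespace-only added line (`++`) just before `source security/selinux/Kconfig`; if that reading is right, the refreshed patch now inserts a stray blank line after the `LOCK_DOWN_IN_EFI_SECURE_BOOT` block and that line should be dropped so the count returns to 20. The re-anchoring from `config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ` to `config LOCK_DOWN_KERNEL`, and the lock_down.c context moving from `#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ` to `static __ro_after_init bool kernel_locked_down;`, suggest the series no longer carries the SysRq-lift option, so any reference the refreshed option makes to that symbol (outside the visible hunks) is worth re-checking against the tree it now applies to. While here, the carried help text `Enabling this option turns on results in kernel lockdown being` reads as two phrasings merged; `Enabling this option results in kernel lockdown being` is the likely intent.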
@@ -71,18 +67,17 @@ Index: linux/security/Kconfig
 + Enabling this option turns on results in kernel lockdown being
 + triggered if EFI Secure Boot is set.
 +
- ++
  source security/selinux/Kconfig
  source security/smack/Kconfig
-Index: linux/security/lock_down.c
-===================================================================
---- linux.orig/security/lock_down.c
-+++ linux/security/lock_down.c
-@@ -12,6 +12,7 @@
+ source security/tomoyo/Kconfig
+--- a/security/lock_down.c
++++ b/security/lock_down.c
+@@ -11,6 +11,7 @@
+ #include
  #include
- #include
 +#include
- #include
- #ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
+ static __ro_after_init bool kernel_locked_down;
+