diff --git a/debian/changelog b/debian/changelog
index 613a57f82..e6eba69af 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -40,6 +40,8 @@ linux (4.19.132-1) UNRELEASED; urgency=medium
 * [rt] Update to 4.19.132-rt59
 * Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb"
 (Closes: #964153, #964480)
+ * efi: Restrict efivar_ssdt_load when the kernel is locked down
+ (CVE-2019-20908)
 -- Salvatore Bonaccorso Tue, 14 Jul 2020 21:48:28 +0200
diff --git a/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch b/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch
new file mode 100644
index 000000000..bb2f4f60b
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch
@@ -0,0 +1,36 @@
+From: Matthew Garrett
+Date: Wed, 31 Jul 2019 15:16:16 -0700
+Subject: efi: Restrict efivar_ssdt_load when the kernel is locked down
+Origin: https://patchwork.kernel.org/patch/11069659/
+
+efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an
+EFI variable, which gives arbitrary code execution in ring 0. Prevent
+that when the kernel is locked down.
+
+Signed-off-by: Matthew Garrett
+Acked-by: Ard Biesheuvel
+Reviewed-by: Kees Cook
+Cc: Ard Biesheuvel
+Cc: linux-efi@vger.kernel.org
+[bwh: Convert back to the non-LSM lockdown API]
+---
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -30,6 +30,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include
+ 
+@@ -241,6 +242,9 @@ static void generic_ops_unregister(void)
+ static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
+ static int __init efivar_ssdt_setup(char *str)
+ {
++ if (kernel_is_locked_down("ACPI tables"))
++ return -EPERM;
++
+ if (strlen(str) < sizeof(efivar_ssdt))
+ memcpy(efivar_ssdt, str, strlen(str));
+ else
diff --git a/debian/patches/series b/debian/patches/series
index 91d32418b..32745a09e 100644
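Review bot: The new check in the embedded efi.c hunk guards `efivar_ssdt_setup()`, the `__setup` handler for the command-line parameter, rather than `efivar_ssdt_load()` that the subject and changelog name; that only closes the hole if lockdown is already in effect by the time non-early `__setup` parameters are parsed, which this hunk cannot show. A one-line comment above the check would make that dependency explicit: `/* Must run after lockdown state is set; efivar_ssdt_load() itself is not guarded. */`. The `-EPERM` return also appears to rely on the `__setup` convention that any non-zero value means "handled", so the parameter is dropped without a log line of its own; if `kernel_is_locked_down()` does not itself log the refusal, a `pr_notice()` naming the rejected parameter would help operators diagnose a missing SSDT. The body of `efivar_ssdt_setup()` continues past the end of the hunk.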
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,6 +133,7 @@ features/all/lockdown/0026-Lock-down-kprobes.patch
 features/all/lockdown/0027-bpf-Restrict-kernel-image-access-functions-when-the-.patch
 features/all/lockdown/0028-efi-Add-an-EFI_SECURE_BOOT-flag-to-indicate-secure-b.patch
 features/all/lockdown/0029-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+features/all/lockdown/0032-efi-Restrict-efivar_ssdt_load-when-the-kernel-is-loc.patch
 # some missing pieces
 features/all/lockdown/enable-cold-boot-attack-mitigation.patch
 features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch