[d-kernel] [PATCH v2 6/6] config: Enable LOCK_DOWN_IN_EFI_SECURE_BOOT
Egor Ignatov
egori at altlinux.org
Wed May 27 11:25:39 MSK 2026
Enable automatic kernel lockdown when booted in UEFI Secure Boot mode.
This is required by the shim-review process, which asks how the signed
kernel enforces lockdown under Secure Boot and will not sign the shim
otherwise.
Link: https://github.com/rhboot/shim-review#how-does-your-signed-kernel-enforce-lockdown-when-your-system-runs-with-secure-boot-enabled
Signed-off-by: Egor Ignatov <egori at altlinux.org>
---
config | 1 +
1 file changed, 1 insertion(+)
diff --git a/config b/config
index 9aaf07ae98..596785caa3 100644
--- a/config
+++ b/config
@@ -10132,6 +10132,7 @@ CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
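Review bot: the added line `+CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y` only takes effect if this tree's Kconfig actually defines that symbol; a `.config` entry for a symbol Kconfig does not know is silently dropped by `make olddefconfig`, so please confirm the option survives a config regeneration (for example that `scripts/config --state LOCK_DOWN_IN_EFI_SECURE_BOOT` still reports `y` afterwards), otherwise the shim-review answer this patch is meant to back would be hollow. Keeping `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` in the same block is consistent with the intent, since lockdown is then triggered by the Secure Boot state rather than forced unconditionally, but the commit message should also state which lockdown mode (integrity or confidentiality) the kernel enters under Secure Boot, as that is the detail the linked shim-review question asks for.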
--
2.50.1
More information about the devel-kernel mailing list