From a44d0b29e985f769540491f7f39b8ffe9ddc3768 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Tue, 26 Nov 2019 14:40:07 +0800
Subject: [PATCH] efi: Lock down the kernel at the integrity level if booted in
 secure boot mode
Patch-mainline: Never, SUSE specific tweak 
References: jsc#SLE-9870

The perf and bpf are restricted in confidentiality level, but those
functions are available on SLE. So we use integrity level here.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 arch/x86/kernel/setup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 303abf8..a94e2b0 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -1032,7 +1032,7 @@ void __init setup_arch(char **cmdline_p)
 
 #ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
 	if (efi_enabled(EFI_SECURE_BOOT))
-		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_CONFIDENTIALITY_MAX);
+		security_lock_kernel_down("EFI Secure Boot mode", LOCKDOWN_INTEGRITY_MAX);
 #endif
 
 	dmi_setup();
-- 
2.16.4