From b770e356cbc48f6fee6b1a8f33e02066e1496e73 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Thu, 13 Feb 2020 01:17:39 +0200
Subject: [PATCH] etc/default/grub.d: add lockdown.cfg
---
etc/default/grub.d/lockdown.cfg | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 etc/default/grub.d/lockdown.cfg
diff --git a/etc/default/grub.d/lockdown.cfg b/etc/default/grub.d/lockdown.cfg
new file mode 100644
index 00000000..63a1d757
--- /dev/null
+++ b/etc/default/grub.d/lockdown.cfg
@@ -0,0 +1,6 @@
+# Enable the kernel lockdown feature. If set to integrity, kernel features
+# that allow userland to modify the running kernel are disabled. If set to
+# confidentiality, kernel features that allow userland to extract
+# confidential information from the kernel are also disabled.
+# https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lockdown=confidentiality"
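Review bot: The comment above the `GRUB_CMDLINE_LINUX_DEFAULT` line does not mention that grub-mkconfig applies this variable only to the normal boot entries, so the generated recovery-mode entries would boot without `lockdown=confidentiality`. If that is intended, say so in the comment; otherwise append the parameter to `GRUB_CMDLINE_LINUX` instead. A kernel without lockdown support will most likely not enforce the parameter and gives no obvious sign of that, so a line such as `# Verify after update-grub and a reboot: cat /sys/kernel/security/lockdown` would let users confirm the active mode. The comment could also warn that lockdown is expected to block hibernation and unsigned module loading, which affects users of out-of-tree drivers. Since the setting lives on the kernel command line, it is only as strong as the protection against editing boot entries (GRUB password, Secure Boot), which is worth noting too.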