From daa5bdd118a4bc51f402c8051e9940b27ebb8fa1 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 12 Sep 2018 16:40:19 +0200
Subject: [PATCH] prepare-root.sh: set lockdown=1 on the kernel cmdline

---
 prepare-root.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/prepare-root.sh b/prepare-root.sh
index 2202146..e468b4f 100755
--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -501,7 +501,7 @@ IMAGE_SIZE=$(stat --printf '%s' "$MY_TMPDIR"/root.img)
 
 # ------------------------------------------------------------------------------
 # make bootx64.efi
-echo -n "quiet rd.shell=0 video=efifb:nobgrt audit=0 selinux=0 verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
+echo -n "lockdown=1 quiet rd.shell=0 video=efifb:nobgrt audit=0 selinux=0 verity.imagesize=$IMAGE_SIZE verity.roothash=$ROOT_HASH verity.root=PARTUUID=$ROOT_UUID verity.hashoffset=$ROOT_SIZE raid=noautodetect root=/dev/mapper/root" > "$MY_TMPDIR"/options.txt
 echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
 objcopy \
 --add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
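Review bot: The `lockdown=1` token on the added `echo -n` line is only honoured by kernels whose lockdown patch accepts that spelling, presumably the out-of-tree lockdown patch set distributions carried at the time. Mainline kernels since 5.4 take `lockdown=integrity` or `lockdown=confidentiality` and reject any other value, so on such a kernel the image would boot without lockdown and the build would not notice. Nothing in this hunk checks the result, so I would add a comment above the line naming the kernel the value was chosen for, e.g. `# lockdown=1: syntax of the distro lockdown patches; mainline >= 5.4 needs lockdown=integrity|confidentiality`. I would also confirm on a booted image that `/sys/kernel/security/lockdown` (where present) or the kernel log reports the expected state. The `objcopy` invocation that consumes options.txt continues past the end of the hunk.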