diff --git a/debian/changelog b/debian/changelog
index 31fe082d06..e56bdfa680 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,10 @@ linux (5.6.2-1~exp1) UNRELEASED; urgency=medium
 * [x86] udeb: Add crc32_pclmul to crc-modules
 * udeb: Add crc32_generic to crc-modules
 
+ [ Luca Boccassi ]
+ * lockdown: set default (with Secure Boot) to LOCKDOWN_INTEGRITY_MAX
+ (Closes: #956197)
+
 -- Ben Hutchings Mon, 30 Mar 2020 14:50:42 +0100
 
 linux (5.5.13-1) unstable; urgency=medium
diff --git a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index 7d7eada166..e251ce9e02 100644
--- a/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/debian/patches/features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -56,7 +56,7 @@ Signed-off-by: Ben Hutchings
 set_bit(EFI_SECURE_BOOT, &efi.flags);
 +#ifdef CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
 + lock_kernel_down("EFI Secure Boot",
-+ LOCKDOWN_CONFIDENTIALITY_MAX);
++ LOCKDOWN_INTEGRITY_MAX);
 +#endif
 pr_info("Secure boot enabled\n");
 break;
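Review bot: The `lock_kernel_down("EFI Secure Boot", ...)` call in the second hunk now passes `LOCKDOWN_INTEGRITY_MAX` with no comment recording that the weaker level is deliberate; the only rationale visible here is the bug reference in the changelog. As I understand the lockdown levels, integrity mode still restricts the interfaces that can modify the running kernel but no longer restricts those that only read kernel memory, which matters on hosts that keep secrets there. I would add a comment above the call, for example `/* Integrity only by default; boot with lockdown=confidentiality for the stricter level */`. It is also worth checking that the patch's own description and any Kconfig help text for `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT` do not still describe the old level, since both lie outside this hunk. The enclosing function starts and ends outside the hunk, so only the call site can be judged.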