diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
index 9b142b9d5187..d6b207e8e084 100644
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -67,6 +68,7 @@
 #include
 #include
 #include
+#include
 #include "setup.h"
@@ -896,6 +898,16 @@ void __init setup_arch(char **cmdline_p)
 */
 initialize_cache_info();
+ /*
+ * Lock down the kernel if booted in secure mode. This is required to
+ * maintain kernel integrity.
+ */
+ if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_SECURE_BOOT)) {
+ if (is_ppc_secureboot_enabled())
+ security_lock_kernel_down("PowerNV Secure Boot mode",
+ LOCKDOWN_INTEGRITY_MAX);
+ }
+
 /* Initialize RTAS if available. */
 rtas_initialize();
diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
index e508c99a6607..a598a4f95ee8 100644
--- a/security/lockdown/Kconfig
+++ b/security/lockdown/Kconfig
@@ -19,7 +19,7 @@ config SECURITY_LOCKDOWN_LSM_EARLY
 config LOCK_DOWN_IN_SECURE_BOOT
 bool "Lock down the kernel in Secure Boot mode"
 default n
- depends on (EFI || S390) && SECURITY_LOCKDOWN_LSM_EARLY
+ depends on (EFI || S390 || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
 help
 Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels. Secure boot mode
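Review bot: The reason string handed to security_lock_kernel_down() in the setup_arch() hunk is hard-coded to "PowerNV Secure Boot mode", while the predicate gating it, is_ppc_secureboot_enabled(), is named for PowerPC in general; if that helper also reports secure boot on non-PowerNV platforms (its body is not visible here), the reason recorded in the lockdown message will be wrong there, so a platform-neutral string such as `"PowerPC Secure Boot mode"` would be safer. The two nested ifs can also be folded into one condition, `if (IS_ENABLED(CONFIG_LOCK_DOWN_IN_SECURE_BOOT) && is_ppc_secureboot_enabled())`, which still lets the compiler drop the call when the option is off. Because the Kconfig side now permits the option on any PPC build, is_ppc_secureboot_enabled() must have a declaration (and a stub returning false) for configurations without the secure-boot support, or this call will fail to link; worth confirming against the header added in the second include hunk, whose name is lost in this rendering. setup_arch() begins and ends outside this hunk.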