From 915cc8627b1962a0a1e7d25841310f358873676d Mon Sep 17 00:00:00 2001
From: David Howells
Date: Wed, 26 Sep 2012 10:09:50 +0100
Subject: [PATCH] --- yaml ---
r: 334307
b: refs/heads/master
c: ea0b6dcf71d216dc11733ac19b26df0f5d0fd6c2
h: refs/heads/master
i: 334305: 729325e15e72889b2db88ac15ae46694fb2381d2 334303: 863e255b88f91e8fa5d3cb99bd3c8ac10f3abefc
v: v3
---
 [refs] | 2 +-
 trunk/init/Kconfig | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index 031cd00779fc..8056f64a1a76 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: addbcdbbf549c9127c2bbb39caaa08bb47b996f4
+refs/heads/master: ea0b6dcf71d216dc11733ac19b26df0f5d0fd6c2
diff --git a/trunk/init/Kconfig b/trunk/init/Kconfig
index fa8ccad1ea43..00d45799dee1 100644
--- a/trunk/init/Kconfig
+++ b/trunk/init/Kconfig
@@ -1593,12 +1593,50 @@ config MODULE_SIG
 is simply appended to the module. For more information see Documentation/module-signing.txt.
+ !!!WARNING!!! If you enable this option, you MUST make sure that the
+ module DOES NOT get stripped after being signed. This includes the
+ debuginfo strip done by some packagers (such as rpmbuild) and
+ inclusion into an initramfs that wants the module size reduced.
+
 config MODULE_SIG_FORCE
 bool "Require modules to be validly signed"
 depends on MODULE_SIG
 help
 Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel.
+
+choice
+ prompt "Which hash algorithm should modules be signed with?"
+ depends on MODULE_SIG
+ help
+ This determines which sort of hashing algorithm will be used during
+ signature generation. This algorithm _must_ be built into the kernel
+ directly so that signature verification can take place. It is not
+ possible to load a signed module containing the algorithm to check
+ the signature on that module.
+
+config MODULE_SIG_SHA1
+ bool "Sign modules with SHA-1"
+ select CRYPTO_SHA1
+
+config MODULE_SIG_SHA224
+ bool "Sign modules with SHA-224"
+ select CRYPTO_SHA256
+
+config MODULE_SIG_SHA256
+ bool "Sign modules with SHA-256"
+ select CRYPTO_SHA256
+
+config MODULE_SIG_SHA384
+ bool "Sign modules with SHA-384"
+ select CRYPTO_SHA512
+
+config MODULE_SIG_SHA512
+ bool "Sign modules with SHA-512"
+ select CRYPTO_SHA512
+
+endchoice
+
 endif # MODULES
 config INIT_ALL_POSSIBLE
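Review bot: The new `choice` block declares no `default`, so Kconfig falls back to the first visible entry, and a configuration that only turns on MODULE_SIG will sign modules with SHA-1, the weakest digest offered here. Adding `default MODULE_SIG_SHA256` (or a stronger entry) right after the `prompt` line would make the weak option something a builder has to pick deliberately. The five `config MODULE_SIG_SHA*` entries also have no help text; a short line on each would help, for instance noting that SHA-224 is provided by CRYPTO_SHA256 and SHA-384 by CRYPTO_SHA512, which is why those `select` targets differ from the option names. The choice block sits entirely inside this hunk, while the `config MODULE_SIG` help text that receives the stripping warning begins above it.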