1 files changed, 38 insertions, 0 deletions

diff --git a/init/Kconfig b/init/Kconfig
index fa8ccad1ea43..00d45799dee1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1593,12 +1593,50 @@ config MODULE_SIG
           is simply appended to the module. For more information see
           Documentation/module-signing.txt.
 
+          !!!WARNING!!!  If you enable this option, you MUST make sure that the
+          module DOES NOT get stripped after being signed.  This includes the
+          debuginfo strip done by some packagers (such as rpmbuild) and
+          inclusion into an initramfs that wants the module size reduced.
+
 config MODULE_SIG_FORCE
         bool "Require modules to be validly signed"
         depends on MODULE_SIG
         help
           Reject unsigned modules or signed modules for which we don't have a
           key.  Without this, such modules will simply taint the kernel.
+
+choice
+        prompt "Which hash algorithm should modules be signed with?"
+        depends on MODULE_SIG
+        help
+          This determines which sort of hashing algorithm will be used during
+          signature generation.  This algorithm _must_ be built into the kernel
+          directly so that signature verification can take place.  It is not
+          possible to load a signed module containing the algorithm to check
+          the signature on that module.
+
+config MODULE_SIG_SHA1
+        bool "Sign modules with SHA-1"
+        select CRYPTO_SHA1
+
+config MODULE_SIG_SHA224
+        bool "Sign modules with SHA-224"
+        select CRYPTO_SHA256
+
+config MODULE_SIG_SHA256
+        bool "Sign modules with SHA-256"
+        select CRYPTO_SHA256
+
+config MODULE_SIG_SHA384
+        bool "Sign modules with SHA-384"
+        select CRYPTO_SHA512
+
+config MODULE_SIG_SHA512
+        bool "Sign modules with SHA-512"
+        select CRYPTO_SHA512
+
+endchoice
+
 endif # MODULES
 
 config INIT_ALL_POSSIBLE