From 38ea360ed40329336c8322b222751767f740829a Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 2 May 2017 16:21:36 +0100
Subject: [PATCH] crypto: Change CRYPTO_SHA256 from module to built-in, as
 required by IMA

---
 debian/changelog                   | 1 +
 debian/config/armel/config.marvell | 1 +
 debian/config/config               | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 47bc7cec4..9f6321353 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -397,6 +397,7 @@ linux (4.9.25-1) UNRELEASED; urgency=medium
     reverted using the kernel parameter: checkreqprot=1
   * udeb: Move mfd-core to kernel-image, as both input-modules and
     mmc-modules need it
+  * crypto: Change CRYPTO_SHA256 from module to built-in, as required by IMA
 
   [ Salvatore Bonaccorso ]
   * ping: implement proper locking (CVE-2017-2671)
diff --git a/debian/config/armel/config.marvell b/debian/config/armel/config.marvell
index bd0381c84..c1ef08220 100644
--- a/debian/config/armel/config.marvell
+++ b/debian/config/armel/config.marvell
@@ -119,6 +119,7 @@ CONFIG_SUN_PARTITION=y
 ## file: crypto/Kconfig
 ##
 # CONFIG_CRYPTO_FIPS is not set
+CONFIG_CRYPTO_SHA256=m
 
 ##
 ## file: drivers/ata/Kconfig
diff --git a/debian/config/config b/debian/config/config
index 55df382cf..93b0e3973 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -109,7 +109,8 @@ CONFIG_CRYPTO_RMD256=m
 CONFIG_CRYPTO_RMD320=m
 CONFIG_CRYPTO_SHA1=m
 # CONFIG_CRYPTO_SHA1_MB is not set
-CONFIG_CRYPTO_SHA256=m
+#. Must be built-in for IMA_DEFAULT_HASH_SHA256
+CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_WP512=m