From c955e35c32d452b05f5d3c9ccebd6f588b1e90ae Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 3 Apr 2016 04:53:27 +0100 Subject: [PATCH] modules: Enable MODULE_SIG and MODULE_SIG_SHA256 ...but not MODULE_SIG_ALL as signatures will be packaged separately --- debian/changelog | 3 +++ debian/config/armel/config.marvell | 1 + debian/config/config | 15 ++++++++------- debian/templates/control.source.in | 2 +- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/debian/changelog b/debian/changelog index 728e71144..a28971875 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,9 @@ linux (4.5-1~exp2) UNRELEASED; urgency=medium (Closes: #550379, #573483, #816500) * Add Matthew Garrett's securelevel patchset in preparation for Secure Boot support (see Documentation/security/securelevel.txt) + * modules: Enable MODULE_SIG and MODULE_SIG_SHA256, but not MODULE_SIG_ALL + as signatures will be packaged separately + - debian/control: Add build-dependency on libssl-dev -- Ben Hutchings Fri, 25 Mar 2016 13:43:57 +0000 diff --git a/debian/config/armel/config.marvell b/debian/config/armel/config.marvell index ed9308d95..d80a2cce4 100644 --- a/debian/config/armel/config.marvell +++ b/debian/config/armel/config.marvell @@ -672,6 +672,7 @@ CONFIG_ORION_WATCHDOG=m # CONFIG_CHECKPOINT_RESTORE is not set CONFIG_CC_OPTIMIZE_FOR_SIZE=y # CONFIG_PROFILING is not set +# CONFIG_MODULE_SIG is not set ## ## file: kernel/power/Kconfig diff --git a/debian/config/config b/debian/config/config index 9a0daf539..2b826b89c 100644 --- a/debian/config/config +++ b/debian/config/config @@ -55,11 +55,6 @@ CONFIG_EFI_PARTITION=y # CONFIG_SYSV68_PARTITION is not set # CONFIG_CMDLINE_PARTITION is not set -## -## file: certs/Kconfig -## -# CONFIG_SYSTEM_TRUSTED_KEYRING is not set - ## ## file: crypto/Kconfig ## 
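Review bot: The added `# CONFIG_MODULE_SIG is not set` line in debian/config/armel/config.marvell gives no reason why this flavour opts out of the module signing that debian/config/config turns on. The neighbouring `CONFIG_CC_OPTIMIZE_FOR_SIZE=y` suggests image size is the motive, but that is only a guess from context. A `#.` annotation in the style used in debian/config/config would record it, for example `#. Disabled to keep the image small (TODO confirm)`. The changelog entry could also say that armel/marvell kernels will not verify module signatures, so nobody assumes the Secure Boot preparation covers that flavour.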
@@ -5585,8 +5580,14 @@ CONFIG_MODULE_UNLOAD=y CONFIG_MODULE_FORCE_UNLOAD=y CONFIG_MODVERSIONS=y # CONFIG_MODULE_SRCVERSION_ALL is not set -#. Not yet -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +#. Signature validation is a run-time option +# CONFIG_MODULE_SIG_FORCE is not set +#. Signatures are added in linux-signed +# CONFIG_MODULE_SIG_ALL is not set +## choice: Which hash algorithm should modules be signed with? +CONFIG_MODULE_SIG_SHA256=y +## end choice # CONFIG_MODULE_COMPRESS is not set ## diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in index ab65421ea..43677eba7 100644 --- a/debian/templates/control.source.in +++ b/debian/templates/control.source.in @@ -4,7 +4,7 @@ Maintainer: Debian Kernel Team Uploaders: Bastian Blank , maximilian attems , Ben Hutchings Standards-Version: 3.9.5 Build-Depends: debhelper, python3:any, quilt, - cpio , kmod , xz-utils , kernel-wedge (>= 2.93~) , bc , + cpio , kmod , xz-utils , kernel-wedge (>= 2.93~) , bc , libssl-dev , openssl , asciidoc , bison , flex , gcc-multilib [amd64 ppc64 s390x sparc64] , libaudit-dev , libdw-dev , libelf-dev , libiberty-dev | binutils-dev (<< 2.23.91.20131123-1) , libnewt-dev , libnuma-dev [amd64 arm64 hppa i386 mips mips64 mips64el mipsel powerpc powerpcspe ppc64 ppc64el sparc x32] , libperl-dev , libunwind8-dev [amd64 armel armhf arm64 i386] , python-dev , xmlto , autoconf , automake , libtool , libglib2.0-dev , libudev-dev , libwrap0-dev , libpci-dev , dh-python , dh-systemd
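Review bot: Nothing in the visible hunks says which key the kernel will trust once `CONFIG_MODULE_SIG=y` is set in debian/config/config. The `certs/Kconfig` section is deleted rather than replaced, so `CONFIG_MODULE_SIG_KEY` and `CONFIG_SYSTEM_TRUSTED_KEYS` are presumably left at their Kconfig defaults. If so, the new libssl-dev/openssl build-dependency is probably there so the build can generate a throwaway key pair and embed its public half in the image. That key would not match signatures produced later in linux-signed, and it makes the build output differ between runs. It would be safer to state the intended trust anchor explicitly, for example `CONFIG_SYSTEM_TRUSTED_KEYS="<path to the linux-signed certificate>"` (placeholder, the real path is not on this page), and to extend the `#.` comment above `CONFIG_MODULE_SIG_FORCE` to something like `#. Not enforced by default; unsigned modules still load unless module.sig_enforce=1`.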