From aaba9fffbd86c5239da1960ba84daeb31d18fb9d Mon Sep 17 00:00:00 2001
From: Nils Freydank
Date: Thu, 13 Mar 2025 23:24:21 +0100
Subject: [PATCH] pygoscelis: Bump to 6.13.6-T14s and place key out of build dir

Starting with 6.13.6-T14s, my kernel signing key will be placed outside the kernel build dir and thus not installed into the world-readable location `/usr/src/linux/certs`. It's configured by flags for portage in `/etc/portage/make.conf/MODULES_SIGN`: ``` MDOULES_SIGN_CERT=".../signing_cert.pem" MODULES_SIGN_HASH="sha3-512" MODULES_SIGN_KEY=".../signing_key.pem" ``` generated using this script: ``` #!/bin/bash set -uxa pipefail __VERSION__="2025-03-09" TODAY="$(date --utc +%Y-%m-%d)" SIGN_KVER="6.13.y" MY_PRIV_KEY_FILE="${TODAY}.signing_key.pem" MY_PUB_CERT_FILE="${TODAY}.signing_cert.pem" MY_OPENSSL_PARAMS=( req -new -sha512 -newkey rsa:4096 # don't encrypt the file -noenc # validity: 1024 years, given in days -days 374016 -x509 -keyout "${MY_PRIV_KEY_FILE}" -out "${MY_PUB_CERT_FILE}" # adopt to usage # keep umlauts in mind, the seem to break here... -subj "/C=DE/ST=Baden-Wuerttemberg/L=Karlsruhe/O=/OU=/CN=kernel module signing key (${TODAY}, ${SIGN_KVER})/" ) openssl "${MY_OPENSSL_PARAMS[@]}" openssl x509 -noout -text -in "${MY_PUB_CERT_FILE}" ``` This change brings the benefit that I can use binpkgs on my machine, do not need to delete my keys from world-readable `/usr/src/linux` anymore and can even think about distributing my kernel binary packages. One negative change is that I'll have to remember to roll-over the keys myself from time to time.
---
 pygoscelis-config | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pygoscelis-config b/pygoscelis-config
index 27cffe4..9220fa4 100644
--- a/pygoscelis-config
+++ b/pygoscelis-config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.13.5 Kernel Configuration
+# Linux/x86 6.13.6 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="x86_64-pc-linux-gnu-gcc (Gentoo Hardened 14.2.1_p20250301 p8) 14.2.1 20250301"
 CONFIG_CC_IS_GCC=y
@@ -6784,7 +6784,7 @@ CONFIG_PKCS7_MESSAGE_PARSER=y
 #
 # Certificates for signature checking
 #
-CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_MODULE_SIG_KEY="/var/tmp/portage/sys-kernel/gentoo-kernel-6.13.6/temp/kernel_key.pem"
 # CONFIG_MODULE_SIG_KEY_TYPE_RSA is not set
 CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
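Review bot: The new `CONFIG_MODULE_SIG_KEY` value in the second hunk is a per-build, per-version path under `/var/tmp/portage/sys-kernel/gentoo-kernel-6.13.6/temp/` that only exists while that one ebuild runs, so anyone building from this tracked config outside portage (or for the next version) would presumably fail in certs/ with a missing key file, and the line will churn on every version bump. The path looks like an artifact of the Gentoo kernel eclass copying MODULES_SIGN_KEY into its temp dir and rewriting the option at configure time rather than a deliberate choice; if that is the case, keep `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` in the committed config and let the build override it, or at least state in the commit message that this value is overwritten at build time and must not be relied on. The adjacent context `CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y` appears to govern only the key the kernel generates for itself and should have no effect on the externally supplied RSA key described in the message, so it is not a mismatch, but a one-line remark in the commit message would save the next reader from checking.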