Starting with 6.13.6-T14s, my kernel signing key will be placed outside
the kernel build dir and thus not installed into the world-readable location
`/usr/src/linux/certs`.
It's configured by flags for portage in `/etc/portage/make.conf/MODULES_SIGN`:
```
MODULES_SIGN_CERT=".../signing_cert.pem"
MODULES_SIGN_HASH="sha3-512"
MODULES_SIGN_KEY=".../signing_key.pem"
```
generated using this script:
```
#!/bin/bash
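# -u: unset variables are errors, -x: trace commands, -o pipefail: a pipeline fails if any stage fails
set -uxo pipefail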
__VERSION__="2025-03-09"
TODAY="$(date --utc +%Y-%m-%d)"
SIGN_KVER="6.13.y"
MY_PRIV_KEY_FILE="${TODAY}.signing_key.pem"
MY_PUB_CERT_FILE="${TODAY}.signing_cert.pem"
MY_OPENSSL_PARAMS=(
    req
    -new
    -sha512
    -newkey rsa:4096
    # don't encrypt the file
    -noenc
    # validity: 1024 years, given in days
    -days 374016
    -x509
    -keyout "${MY_PRIV_KEY_FILE}"
    -out "${MY_PUB_CERT_FILE}"
    # adapt to usage
    # keep umlauts in mind, they seem to break here...
    -subj "/C=DE/ST=Baden-Wuerttemberg/L=Karlsruhe/O=/OU=/CN=kernel module signing key (${TODAY}, ${SIGN_KVER})/"
)
openssl "${MY_OPENSSL_PARAMS[@]}"
openssl x509 -noout -text -in "${MY_PUB_CERT_FILE}"
```
This change brings the benefit that I can use binpkgs on my machine, do
not need to delete my keys from world-readable `/usr/src/linux` anymore
and can even think about distributing my kernel binary packages.
One negative change is that I'll have to remember to roll over the keys
myself from time to time.
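An added example, not part of the original commit message or repository: a small audit for a signing key kept outside the kernel tree, covering the three points raised above (no access for group/others, key and certificate belong together, and a roll-over reminder). It assumes GNU `stat` and `date`, `openssl`, and file names carrying the `YYYY-MM-DD.` prefix the script above produces; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original commit message.
# Assumes GNU stat/date and openssl; all function names are hypothetical.

# key_is_private FILE: succeed only if group and others have no access bits.
key_is_private() {
    _mode=$(stat -c '%a' -- "$1") || return 2
    case "$_mode" in
        0|*00) return 0 ;;   # e.g. 600 or 400
        *)     return 1 ;;   # e.g. 644 or 640
    esac
}

# key_matches_cert KEY CERT: succeed if both contain the same public key.
key_matches_cert() {
    _kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    _cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$_kpub" = "$_cpub" ]
}

# key_age_days FILE [NOW_EPOCH]: print days since the YYYY-MM-DD file name
# prefix that the generation script puts on its output files.
key_age_days() {
    _name=${1##*/}
    _made=$(date --utc -d "${_name%%.*}" +%s 2>/dev/null) || return 2
    _now=${2:-$(date --utc +%s)}
    echo $(( (_now - _made) / 86400 ))
}

# audit_signing_key KEY CERT MAX_AGE_DAYS: run all three checks, report each.
audit_signing_key() {
    _rc=0
    key_is_private "$1" || { echo "FAIL: $1 is accessible to group/others"; _rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; _rc=1; }
    _age=$(key_age_days "$1") || _age=
    if [ -z "$_age" ]; then
        echo "WARN: no date prefix on $1, age unknown"; _rc=1
    elif [ "$_age" -gt "$3" ]; then
        echo "WARN: key is $_age days old, roll it over"; _rc=1
    fi
    return "$_rc"
}
```

Source the file and call `audit_signing_key` with the key path, the certificate path and the maximum key age in days; it returns non-zero if any check fails.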
This was enabled by the bump to 6.12.3-T14s on 2024-12-07
in commit 89b8f450bea1375b10effabf6d92efcf157588f8.
I never used it and assume it's safe to drop it for my machine.
Enabling this is intended to serve two purposes:
- fixing my missing webcam USB device, maybe due to a firmware bug
- trying out things that might improve my hardware support
`lspci | grep -i renesas` gives me on my machine:
```
05:00.0 USB controller: Renesas Electronics Corp. uPD720202 USB 3.0 Host Controller (rev 02)
```