Starting with 6.13.6-T14s, my kernel signing key will be placed outside
the kernel build dir and thus not installed into the world-readable location
`/usr/src/linux/certs`.
It's configured by flags for portage in `/etc/portage/make.conf/MODULES_SIGN`:
```
MODULES_SIGN_CERT=".../signing_cert.pem"
MODULES_SIGN_HASH="sha3-512"
MODULES_SIGN_KEY=".../signing_key.pem"
```
generated using this script:
```
#!/bin/bash
# abort on errors, unset variables and failed pipeline stages; trace commands
set -euxo pipefail
__VERSION__="2025-03-09"
TODAY="$(date --utc +%Y-%m-%d)"
SIGN_KVER="6.13.y"
MY_PRIV_KEY_FILE="${TODAY}.signing_key.pem"
MY_PUB_CERT_FILE="${TODAY}.signing_cert.pem"
MY_OPENSSL_PARAMS=(
    req
    -new
    -sha512
    -newkey rsa:4096
    # don't encrypt the file
    -noenc
    # validity: 1024 years, given in days
    -days 374016
    -x509
    -keyout "${MY_PRIV_KEY_FILE}"
    -out "${MY_PUB_CERT_FILE}"
    # adapt to usage
    # keep umlauts in mind, they seem to break here...
    -subj "/C=DE/ST=Baden-Wuerttemberg/L=Karlsruhe/O=/OU=/CN=kernel module signing key (${TODAY}, ${SIGN_KVER})/"
)
# create the private key and the self-signed certificate
openssl "${MY_OPENSSL_PARAMS[@]}"
# print the resulting certificate for review
openssl x509 -noout -text -in "${MY_PUB_CERT_FILE}"
```
This change brings the benefit that I can use binpkgs on my machine, do
not need to delete my keys from world-readable `/usr/src/linux` anymore
and can even think about distributing my kernel binary packages.
One negative change is that I'll have to remember to roll over the keys
myself from time to time.
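
A pre-flight check for the key pair described in the commit message above, as an added example that is not part of the original commit or the author's setup: it verifies that the private key grants nothing to group or others, resolves outside `/usr/src`, and matches the certificate. The function names and the `/usr/src` prefix used as the policy boundary are assumptions.

```shell
#!/bin/bash
# Added example (not from the original commit): audit a module signing
# key/cert pair before referencing it from MODULES_SIGN_KEY / MODULES_SIGN_CERT.
# Function names and the /usr/src policy prefix are assumptions.
# Relies on GNU stat and readlink.

# Succeeds only if the key file grants nothing to group or others.
key_mode_ok() {
    local mode
    mode="$(stat -c '%a' -- "$1")" || return 2
    [ $(( 0${mode} & 077 )) -eq 0 ]
}

# Succeeds only if the resolved key path lies outside the kernel source tree.
key_outside_src() {
    local real
    real="$(readlink -f -- "$1")" || return 2
    case "${real}" in
        /usr/src/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeeds only if the certificate carries the public half of the private key.
pair_matches() {
    local from_key from_cert
    from_key="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 2
    from_cert="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 2
    [ -n "${from_key}" ] && [ "${from_key}" = "${from_cert}" ]
}

# Run all checks; print one line per finding, return the number of findings.
audit_signing_pair() {
    local key="$1" cert="$2" findings=0
    key_mode_ok "${key}" \
        || { echo "FAIL: ${key} is accessible to group/others"; findings=$((findings + 1)); }
    key_outside_src "${key}" \
        || { echo "FAIL: ${key} resolves into /usr/src"; findings=$((findings + 1)); }
    pair_matches "${key}" "${cert}" \
        || { echo "FAIL: ${cert} does not match ${key}"; findings=$((findings + 1)); }
    return "${findings}"
}

# Usage: audit_signing_pair /path/to/signing_key.pem /path/to/signing_cert.pem
```
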
This was enabled by the bump to 6.12.3-T14s on 2024-12-07
in commit 89b8f450bea1375b10effabf6d92efcf157588f8.
I never used it and assume it's safe to drop it for my machine.

Enabling this is intended to serve two purposes:
- fixing my missing webcam USB device, maybe due to a firmware bug
- trying out things that might improve my hardware support
`lspci | grep -i renesas` gives me on my machine:
```
05:00.0 USB controller: Renesas Electronics Corp. uPD720202 USB 3.0 Host Controller (rev 02)
```

This feature was enabled for testing on 2024-Oct-05
in commit 1634abbecef44187f573dc29f7af92ee2279eafd.
Tests with a specific BT player failed, so I can
disable it again.

This was already enabled in 2022 (7b2b827d34bce12ea8aec1e370c32654eb46fd70)
but disabled when bpf support was enabled for use within systemd 243
(01b1f8af0442d0938bf1e7337f62ba6571b2fb1e).
Looks like we can enable both now in 6.12, so let's do that.