Part 1, enable AES-NI
That this was even disabled is weird.
Part 2, disable the "AMD Secure Processor"
It looks like it's blocking AES-NI, and my kernel does not support it:
`modprobe: ERROR: could not insert 'ccp_crypto': No such device`
and
`ccp_crypto: Cannot load: there are no available CCPs`
This disables CONFIG_GENTOO_KERNEL_SELF_PROTECTION_COMMON by itself,
and lockdown by choice, as my system did not let me hibernate with
lockdown enabled, even though fwupdmgr recognized the encrypted swap.
For the decryption of swap I added a second rd.luks.uuid entry
as well as resume=UUID=... - the first one pointing to the outer LUKS
container, the second one to the unlocked swap partition.
For now I have to enter passphrases for / and swap at boot and resume.
Starting with 6.13.6-T14s, my kernel signing key will be placed outside
the kernel build dir and thus no longer installed into the world-readable location
`/usr/src/linux/certs`.
It's configured via portage variables in `/etc/portage/make.conf/MODULES_SIGN`:
```
MODULES_SIGN_CERT=".../signing_cert.pem"
MODULES_SIGN_HASH="sha3-512"
MODULES_SIGN_KEY=".../signing_key.pem"
```
The key and certificate are generated using this script:
```
#!/bin/bash
set -euxo pipefail
__VERSION__="2025-03-09"
TODAY="$(date --utc +%Y-%m-%d)"
SIGN_KVER="6.13.y"
MY_PRIV_KEY_FILE="${TODAY}.signing_key.pem"
MY_PUB_CERT_FILE="${TODAY}.signing_cert.pem"
MY_OPENSSL_PARAMS=(
req
-new
-sha512
-newkey rsa:4096
# don't encrypt the file
-noenc
# validity: 1024 years, given in days
-days 374016
-x509
-keyout "${MY_PRIV_KEY_FILE}"
-out "${MY_PUB_CERT_FILE}"
# adapt to your usage
# keep umlauts in mind, they seem to break here...
-subj "/C=DE/ST=Baden-Wuerttemberg/L=Karlsruhe/O=/OU=/CN=kernel module signing key (${TODAY}, ${SIGN_KVER})/"
)
openssl "${MY_OPENSSL_PARAMS[@]}"
openssl x509 -noout -text -in "${MY_PUB_CERT_FILE}"
```
This change brings the benefit that I can use binpkgs on my machine, do
not need to delete my keys from world-readable `/usr/src/linux` anymore
and can even think about distributing my kernel binary packages.
One negative change is that I'll have to remember to roll over the keys
myself from time to time.
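Since a misspelled variable name in that fragment is silently ignored by portage (the kernel would then quietly fall back to its own build-dir key), a small sanity check pays off. The following is an added example, not part of the original notes: it parses a `MODULES_SIGN` fragment with plain `NAME="value"` lines, reports misspelled `*SIGN*` variables, and confirms the private key exists outside `/usr/src/linux` with no group/other read bits.

```sh
#!/bin/sh
# Sanity check for a Gentoo /etc/portage/make.conf/MODULES_SIGN fragment
# (added example, not from the page; assumes plain NAME="value" lines).
# Prints one FAIL line per finding and returns 1; returns 0 if all is well.
check_modules_sign_conf() {
    local conf="$1" cert="" sign_hash="" key="" findings=0 line name value
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        name="${line%%=*}"
        value="${line#*=}"; value="${value#\"}"; value="${value%\"}"
        # A misspelled variable is silently ignored by portage, so the
        # kernel would quietly fall back to its own build-dir key.
        case "$name" in
            MODULES_SIGN_CERT) cert="$value" ;;
            MODULES_SIGN_HASH) sign_hash="$value" ;;
            MODULES_SIGN_KEY)  key="$value" ;;
            *SIGN*) echo "FAIL: unknown variable '$name' (typo?)"
                    findings=$((findings + 1)) ;;
        esac
    done < "$conf"
    [ -n "$cert" ] || { echo "FAIL: MODULES_SIGN_CERT not set"; findings=$((findings + 1)); }
    [ -n "$sign_hash" ] || { echo "FAIL: MODULES_SIGN_HASH not set"; findings=$((findings + 1)); }
    if [ -z "$key" ]; then
        echo "FAIL: MODULES_SIGN_KEY not set"; findings=$((findings + 1))
    elif [ ! -f "$key" ]; then
        echo "FAIL: key file $key does not exist"; findings=$((findings + 1))
    else
        # The private key must not sit in the world-readable kernel build dir...
        case "$key" in /usr/src/linux/*)
            echo "FAIL: key $key lives under /usr/src/linux"; findings=$((findings + 1)) ;;
        esac
        # ...and must not be readable by group or others (expect mode 0600).
        if [ -n "$(find "$key" -perm -040 -o -perm -004)" ]; then
            echo "FAIL: key $key is readable by group/others"; findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}
# Usage: check_modules_sign_conf /etc/portage/make.conf/MODULES_SIGN
if [ -n "${1-}" ]; then check_modules_sign_conf "$1"; fi
```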
This was enabled by the bump to 6.12.3-T14s on 2024-12-07
in commit 89b8f450bea1375b10effabf6d92efcf157588f8.
I never used it and assume it's safe to drop it for my machine.
Enabling this is intended to serve two purposes:
- fixing my missing webcam USB device, maybe due to a firmware bug
- trying out things that might improve my hardware support
`lspci | grep -i renesas` gives me on my machine:
```
05:00.0 USB controller: Renesas Electronics Corp. uPD720202 USB 3.0 Host Controller (rev 02)
```
This feature was enabled for testing on 2024-Oct-05
in commit 1634abbecef44187f573dc29f7af92ee2279eafd.
Tests with a specific BT player failed, so I can
disable it again.
This was already enabled in 2022 (7b2b827d34bce12ea8aec1e370c32654eb46fd70)
but disabled when bpf support was enabled for use within systemd 243
(01b1f8af0442d0938bf1e7337f62ba6571b2fb1e).
It looks like we can enable both now in 6.12, so let's do that.