Part 1, enable AES-NI
That this was even disabled is weird.
Part 2, disable the "AMD Secure Processor"
Looks like it's blocking AES-NI and my kernel does not support it:
`modprobe: ERROR: could not insert 'ccp_crypto': No such device`
and
`ccp_crypto: Cannot load: there are no available CCPs`
This disables CONFIG_GENTOO_KERNEL_SELF_PROTECTION_COMMON by itself,
and lockdown by choice, as my system did not let me hibernate with
lockdown enabled, even though fwupdmgr recognized the encrypted swap.
For the decryption of swap I added a second rd.luks.uuid entry
as well as resume=UUID=...; the first one points to the outer LUKS
container, the second one to the unlocked swap partition.
For now I have to enter passphrases for / and swap at boot and resume.
Starting with 6.13.6-T14s, my kernel signing key will be placed outside
the kernel build dir and thus not installed into the world-readable location
`/usr/src/linux/certs`.
It's configured by flags for portage in `/etc/portage/make.conf/MODULES_SIGN`:
```
MODULES_SIGN_CERT=".../signing_cert.pem"
MODULES_SIGN_HASH="sha3-512"
MODULES_SIGN_KEY=".../signing_key.pem"
```
generated using this script:
```
#!/bin/bash
# abort on errors and unset variables, trace commands, fail on broken pipes
set -euxo pipefail
__VERSION__="2025-03-09"
TODAY="$(date --utc +%Y-%m-%d)"
SIGN_KVER="6.13.y"
MY_PRIV_KEY_FILE="${TODAY}.signing_key.pem"
MY_PUB_CERT_FILE="${TODAY}.signing_cert.pem"
MY_OPENSSL_PARAMS=(
req
-new
-sha512
-newkey rsa:4096
# don't encrypt the file
-noenc
# validity: 1024 years, given in days
-days 374016
-x509
-keyout "${MY_PRIV_KEY_FILE}"
-out "${MY_PUB_CERT_FILE}"
# adapt to your usage
# keep umlauts in mind, they seem to break here...
-subj "/C=DE/ST=Baden-Wuerttemberg/L=Karlsruhe/O=/OU=/CN=kernel module signing key (${TODAY}, ${SIGN_KVER})/"
)
openssl "${MY_OPENSSL_PARAMS[@]}"
openssl x509 -noout -text -in "${MY_PUB_CERT_FILE}"
```
This change brings the benefit that I can use binpkgs on my machine, do
not need to delete my keys from world-readable `/usr/src/linux` anymore
and can even think about distributing my kernel binary packages.
One negative change is that I'll have to remember to roll over the keys
myself from time to time.
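As an added example (not part of these notes), a small Python checker for such a MODULES_SIGN fragment: it flags misspelled variables, a hash the kernel will not accept, a private key that still lives under the world-readable `/usr/src/linux`, and a key file readable by group or others. The file names and the `/usr/src/linux` check are assumptions taken from the location named above; the sample fragment is constructed.

```python
import os
import re
import shlex
import stat

# Hash names the kernel's CONFIG_MODULE_SIG_HASH accepts (sha3-* on recent kernels).
ALLOWED_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512",
                  "sha3-256", "sha3-384", "sha3-512"}
EXPECTED_VARS = {"MODULES_SIGN_KEY", "MODULES_SIGN_CERT", "MODULES_SIGN_HASH"}
# Assumption: the world-readable location the notes above move the key out of.
UNSAFE_DIR = "/usr/src/linux"


def parse_make_conf_fragment(text):
    """Parse NAME="value" lines of a make.conf fragment into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if not m or line.startswith("#"):
            continue
        name, raw = m.groups()
        parts = shlex.split(raw)  # strip the shell quoting around the value
        conf[name] = parts[0] if parts else ""
    return conf


def check_sign_config(conf, unsafe_dir=UNSAFE_DIR):
    """Return a list of problems found; an empty list means the fragment is sane."""
    problems = []
    for name in sorted(conf):
        if name not in EXPECTED_VARS:  # catches e.g. MDOULES_SIGN_CERT
            problems.append(f"unknown variable {name} (typo?)")
    for required in ("MODULES_SIGN_KEY", "MODULES_SIGN_CERT"):
        if required not in conf:
            problems.append(f"{required} is not set")
    hash_name = conf.get("MODULES_SIGN_HASH")
    if hash_name is not None and hash_name not in ALLOWED_HASHES:
        problems.append(f"MODULES_SIGN_HASH={hash_name!r} is not a hash the kernel accepts")
    key = conf.get("MODULES_SIGN_KEY")
    if key:
        if not os.path.isabs(key):
            problems.append("MODULES_SIGN_KEY must be an absolute path")
        elif os.path.realpath(key).startswith(os.path.realpath(unsafe_dir) + os.sep):
            problems.append(f"private key lives under world-readable {unsafe_dir}")
        if not os.path.exists(key):
            problems.append(f"private key {key} does not exist")
        elif stat.S_IMODE(os.stat(key).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"private key {key} is readable by group/others")
    cert = conf.get("MODULES_SIGN_CERT")
    if cert and not os.path.exists(cert):
        problems.append(f"certificate {cert} does not exist")
    return problems
```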
This was enabled by the bump to 6.12.3-T14s on 2024-12-07
in commit 89b8f450bea1375b10effabf6d92efcf157588f8.
I never used it and assume it's safe to drop it for my machine.