+ (4) "File name or PKCS#11 URI of module signing key" (CONFIG_MODULE_SIG_KEY)
+
+ Setting this option to something other than its default of
+ "signing_key.pem" will disable the autogeneration of signing keys and
+ allow the kernel modules to be signed with a key of your choosing.
+ The string provided should identify a file containing both a private
+ key and its corresponding X.509 certificate in PEM form, or — on
+ systems where the OpenSSL ENGINE_pkcs11 is functional — a PKCS#11 URI
+ as defined by RFC7512. In the latter case, the PKCS#11 URI should
+ reference both a certificate and a private key.
+
+ If the PEM file containing the private key is encrypted, or if the
+ PKCS#11 token requries a PIN, this can be provided at build time by
+ means of the KBUILD_SIGN_PIN variable.
+
+
+ (5) "Additional X.509 keys for default system keyring" (CONFIG_SYSTEM_TRUSTED_KEYS)
+
+ This option can be set to the filename of a PEM-encoded file containing
+ additional certificates which will be included in the system keyring by
+ default.
+
+Note that enabling module signing adds a dependency on the OpenSSL devel
+packages to the kernel build processes for the tool that does the signing.
+
+