--- Comment #23 from Ludwig Nussel email@example.com ---
(In reply to Martin Wilck from comment #17)
> It's indeed not easy. We could use a key stored in a standard location on the user's system. However, at the very least the build procedure should allow entering the pass phrase for the key in a secure manner. Otherwise the secret key would need to be stored unencrypted on the target system, which would forfeit the use of secure boot, or a locked-down kernel, almost entirely.

Right now we are loading unsigned modules so there is not much of a difference to that. In the worst case, if storing the private key really is a concern, a new one could be created for each rebuild of the ko and the private key deleted afterwards. Sure, that means enrolling the key on reboot then. If one really decides to play that secure boot game, it's a matter of picking your poison basically :-)
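
The per-rebuild key idea from the comment above, sketched as an added example that is not part of the bug thread or of any project's build scripts. Assumptions: the `SIGN_FILE` override variable, the certificate file name, RSA 2048 and the 365-day validity are illustrative choices; the default signer path is the kernel build tree's `scripts/sign-file`.

```shell
#!/bin/sh
# Added example: sign one module with a throwaway key, keep only the public
# certificate for MOK enrollment, and destroy the private key on every exit path.
# SIGN_FILE is a hypothetical override used here to locate (or stub) sign-file.

sign_with_ephemeral_key() (
    module=$1    # path to the rebuilt .ko
    certdir=$2   # existing directory that receives the DER certificate
    signer=${SIGN_FILE:-/lib/modules/$(uname -r)/build/scripts/sign-file}

    [ -f "$module" ] && [ -x "$signer" ] && [ -d "$certdir" ] || {
        echo "usage: sign_with_ephemeral_key MODULE.ko CERTDIR" >&2; exit 2; }

    # The private key exists only inside a 0700 scratch directory.
    umask 077
    work=$(mktemp -d) || exit 1
    # Fires on success and on failure, so an aborted run leaves no key behind.
    trap 'shred -u "$work/key.pem" 2>/dev/null; rm -rf "$work"' EXIT

    # Unencrypted key (-nodes): acceptable only because it is deleted below.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=one-shot module signing key/" \
        -keyout "$work/key.pem" -outform DER -out "$work/cert.der" \
        >/dev/null 2>&1 || { echo "key generation failed" >&2; exit 1; }

    # sign-file <hash algo> <private key> <x509 cert> <module>
    "$signer" sha256 "$work/key.pem" "$work/cert.der" "$module" || exit 1

    cert="$certdir/modsign-$(date +%Y%m%d%H%M%S).der"
    cp "$work/cert.der" "$cert" || exit 1
    echo "$cert"   # caller enrolls this certificate
)

# Enrollment is the manual step the comment mentions ("enrolling the key on
# reboot"): run as root, then confirm in MokManager at next boot.
#   mokutil --import "$(sign_with_ephemeral_key ./demo.ko /var/lib/modsign)"
```

Every rebuild produces a new certificate, so previously enrolled one-shot certificates accumulate in the MOK list unless they are removed.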