In tree kernel modules gets signed with the CONFIG_MODULE_SIG_ALL kernel 
option, but extra (resp. external) modules not. If you (resp. isar) not 
provide an (external) signing key, the kernel build autogenerates a 
private/public key pair. It would be nice if the isar build system provide 
some support for signing kernel modules.

I see currently 2 use cases:
1) let the kernel build to autogenerate private/public key for kernel 
module signing and kernel-module reuse the key for signing (evt. isar 
deletes the private key after image generation)
2) provide an (external) private and public key for kernel module signing 
and will be used in kernel and kernel-module recipes