diff --git a/kernel.spec b/kernel.spec
index b99be01..2692d3f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -24,7 +24,7 @@
 %define sublevel	40
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		5
+%define rpmrel		6
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -78,6 +78,13 @@
 %bcond_with gost_sign
 %endif
 
+# Build binary out-of-tree kernel modules (experimental)
+%if %{mdvver} >= 201905
+%bcond_without binary_extra_modules
+%else
+%bcond_with binary_extra_modules
+%endif
+
 # Kernel flavour
 %if %{with nickel}
 %define flavour		nickel
@@ -156,6 +163,12 @@
 %{?_with_cpupower: %global build_cpupower 1}
 %{?_with_modxz: %global build_modxz 1}
 
+%if %{build_modxz}
+%define kmod_suffix .xz
+%else
+%define kmod_suffix .gz
+%endif
+
 %if !%{build_debug}
 # Disable debug rpms.
 %define _enable_debug_packages 	%{nil}
@@ -197,6 +210,11 @@ Source0: 	https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/linux-%{ta
 # Needed, because otherwise the -devel won't build correctly.
 Source2: 	disable-mrproper-prepare-scripts-configs-in-devel-rpms.patch
 
+# TODO: make a separate package "ksobirator" and BR it
+# after testing these macros properly
+Source3:	macros.ksobirator
+%{load:%{SOURCE3}}
+
 # Kernel configuration files.
 Source110:	kernel-%{arch_suffix}.config
 
@@ -309,6 +327,17 @@ BuildRequires:		libressl libressl-devel
 BuildRequires:		findutils util-linux
 %endif
 
+%if %{with binary_extra_modules}
+BuildRequires: kernel-source-rtl8821ce
+BuildRequires: kernel-source-shredder-kernel
+BuildRequires: kernel-source-tripso
+BuildRequires: kernel-source-virtualbox
+# TODO: drop it for kernels >= 5.6
+# because all guest modules have been upstreamized
+# https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
+BuildRequires: kernel-source-virtualbox-vboxadditions
+%endif
+
 # might be useful too:
 Recommends:		microcode
 
@@ -846,6 +875,64 @@ latest kernel-uml-modules-%{flavour} %{kernelversion}.%{patchlevel}.x
 
 %endif #endif uml
 
+#------------------------------------------------
+
+%if %{with binary_extra_modules}
+
+%ksob_mk_module_pkg -n 8821ce -s net/wireless
+%ksob_mk_module_pkg -n shredder-kernel -s extra -r rosa-shredder-user
+%ksob_mk_module_pkg -n xt_TRIPSO -s net -r tripso
+
+# virtualbox host
+%ksob_mk_module_pkg -n vboxnetflt -s misc
+%ksob_mk_module_pkg -n vboxnetadp -s misc
+%ksob_mk_module_pkg -n vboxdrv -s misc
+%ksob_mk_module_pkg -n vboxpci -s misc
+
+#------------------------------------------------
+# a package which will pull all those modules
+%package -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
+Summary: Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
+Group: System/Kernel and hardware
+Version: 1
+Release: 1
+Requires: kernel-module-vboxnetflt-%{flavour}-%{buildrel}
+Requires: kernel-module-vboxnetadp-%{flavour}-%{buildrel}
+Requires: kernel-module-vboxdrv-%{flavour}-%{buildrel}
+Requires: kernel-module-vboxpci-%{flavour}-%{buildrel}
+
+%description -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
+Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
+
+%files -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
+# empty
+#------------------------------------------------
+
+# virtualbox guest, to be dropped in kernels 5.6+ (upsreamized)
+%ksob_mk_module_pkg -n vboxvideo -s misc
+%ksob_mk_module_pkg -n vboxguest -s misc
+%ksob_mk_module_pkg -n vboxsf -s misc
+
+#------------------------------------------------
+# a package which will pull all those modules
+%package -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
+Summary: Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
+Group: System/Kernel and hardware
+Version: 1
+Release: 1
+Requires: kernel-module-vboxvideo-%{flavour}-%{buildrel}
+Requires: kernel-module-vboxguest-%{flavour}-%{buildrel}
+Requires: kernel-module-vboxsf-%{flavour}-%{buildrel}
+
+%description -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
+Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
+
+%files -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
+# empty
+#------------------------------------------------
+
+%endif #binary_extra_modules
+
 ############################################################################
 
 %prep
@@ -1155,6 +1242,76 @@ echo "Building kernel %{kver_full}"
 
 %kmake V=1 -s all
 
+# Install modules
+mkdir -p %{temp_modules}/%{kver_full}
+%smake INSTALL_MOD_PATH=%{temp_root} KERNELRELEASE=%{kver_full} modules_install
+
+%if %{with binary_extra_modules}
+# Build and install procedure is specific to each Makefile from kernmel-source-* packages
+# See also: https://www.kernel.org/doc/html/latest/kbuild/modules.html
+# Copy directory because write permissions are required
+# `make modules_install` must be done before this, otherwise these copied files will be deleted
+
+cp -r "$(rpm -q --qf '/usr/src/rtl8821ce-%%{VERSION}-%%{RELEASE}' kernel-source-rtl8821ce)" kernel-source-rtl8821ce
+pushd kernel-source-rtl8821ce
+%kmake KSRC=%{src_dir} M="$PWD"
+mkdir -p %{temp_modules}/%{kver_full}/kernel/net/wireless/
+cp 8821ce.ko %{temp_modules}/%{kver_full}/kernel/net/wireless/8821ce.ko
+popd
+rm -fr kernel-source-rtl8821ce
+
+cp -r "$(rpm -q --qf '/usr/src/shredder-kernel-%%{VERSION}-%%{RELEASE}' kernel-source-shredder-kernel)" kernel-source-shredder-kernel
+pushd kernel-source-shredder-kernel
+%kmake KERNEL_PATH=%{src_dir}
+mkdir -p %{temp_modules}/%{kver_full}/kernel/extra/
+cp shredder-kernel.ko %{temp_modules}/%{kver_full}/kernel/extra/
+popd
+rm -fr kernel-source-shredder-kernel
+
+cp -r "$(rpm -q --qf '/usr/src/tripso-%%{VERSION}-%%{RELEASE}' kernel-source-tripso)" kernel-source-tripso
+pushd kernel-source-tripso
+%kmake KDIR=%{src_dir}
+mkdir -p %{temp_modules}/%{kver_full}/kernel/net
+cp xt_TRIPSO.ko %{temp_modules}/%{kver_full}/kernel/net/
+popd
+rm -fr kernel-source-tripso
+
+# build commands for virtualbox are based on the ones from the virtualbox package
+cp -r "$(rpm -q --qf '/usr/src/vboxadditions-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox-vboxadditions)" kernel-source-virtualbox-vboxadditions
+mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
+pushd kernel-source-virtualbox-vboxadditions
+%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxguest
+cp -fv vboxguest/Module.symvers vboxsf/
+%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxsf
+# TODO: vboxvideo is also build inside the upstream kernel...
+# vboxsf is not in kernel 5.4
+# https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
+cp -fv vboxsf/Module.symvers vboxvideo/
+%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxvideo
+for i in vboxguest vboxsf vboxvideo
+do
+	cp -v "${i}/${i}.ko" %{temp_modules}/%{kver_full}/kernel/misc/
+done
+popd
+
+cp -r "$(rpm -q --qf '/usr/src/virtualbox-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox)" kernel-source-virtualbox
+mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
+pushd kernel-source-virtualbox
+make -C vboxdrv KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
+cp -fv vboxdrv/Module.symvers vboxnetflt
+cp -fv vboxdrv/Module.symvers vboxnetadp
+make -C vboxnetflt KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
+make -C vboxnetadp KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
+cp -fv vboxnetadp/Module.symvers vboxpci/
+make -C vboxpci KERN_DIR=%{src_dir} KERN_VER=%{kver_full}
+for i in vboxnetflt vboxnetadp vboxdrv vboxpci
+do
+	cp -v "${i}/${i}.ko" %{temp_modules}/%{kver_full}/kernel/misc/
+done
+popd
+
+%endif
+
 %if %{with uml}
 cp -rv %{certs_dir_rnd} %{src_dir}.uml/
 pushd %{src_dir}.uml
@@ -1178,7 +1335,6 @@ mkdir -p %{temp_root}/lib/modules-uml/%{kver_full}/
 popd
 %endif
 
-# Start installing stuff
 install -d %{temp_boot}
 install -m 644 System.map %{temp_boot}/System.map-%{kver_full}
 install -m 644 .config %{temp_boot}/config-%{kver_full}
@@ -1186,10 +1342,6 @@ xz -c Module.symvers > %{temp_boot}/symvers-%{kver_full}.xz
 
 cp -f arch/x86/boot/bzImage %{temp_boot}/vmlinuz-%{kver_full}
 
-# modules
-install -d %{temp_modules}/%{kver_full}
-%smake INSTALL_MOD_PATH=%{temp_root} KERNELRELEASE=%{kver_full} modules_install
-
 # headers
 %if %{build_headers}
 %make INSTALL_HDR_PATH=%{temp_root}%{_prefix} KERNELRELEASE=%{kver_full} headers_install
@@ -1268,9 +1420,6 @@ chmod -R a+rX %{temp_devel_root}
 # disable mrproper in -devel rpms
 patch -p1 --fuzz=0 -d %{temp_devel_root} -i %{SOURCE2}
 
-# Create the symlinks needed by DKMS
-mkdir -p %{temp_modules}/%{kver_full}
-
 # endif build_devel
 %endif
 
@@ -1304,11 +1453,7 @@ rm -f %{temp_modules}/debug_module_list
 %endif
 
 %if %{enhanced_security}
-# scripts/sign-file.c fails to sign modules:
-# "CMS routines:func(4095):not supported for this key type"
-# So make a dettached signature via libressl and attach it
-# as a raw signature via sign-file.
-# TODO: fix scripts/sign-file.c
+# https://patchwork.kernel.org/patch/11446123/
 _libressl_sign(){
 	if [ ! -f "$1" ]; then
 	  echo "No file $1"
@@ -1343,6 +1488,15 @@ cat > $kernel_files <<EOF
 %{_bootdir}/config-%{kver_full}
 %{_bootdir}/vmlinuz-%{kver_full}
 %{_modulesdir}/%{kver_full}/kernel
+%if %{with binary_extra_modules}
+# 8821ce.ko.debug will not be excluded and will be in the main debug subpackage
+%exclude %{_modulesdir}/%{kver_full}/kernel/net/wireless/8821ce.ko%{kmod_suffix}
+%exclude %{_modulesdir}/%{kver_full}/kernel/extra/shredder-kernel.ko%{kmod_suffix}
+%exclude %{_modulesdir}/%{kver_full}/kernel/net/xt_TRIPSO.ko%{kmod_suffix}
+# vbox host: vboxnetflt vboxnetadp vboxdrv vboxpci
+# vbox guest: vboxvideo vboxguest vboxsf
+%exclude %{_modulesdir}/%{kver_full}/kernel/misc/vbox*.ko%{kmod_suffix}
+%endif
 %{_modulesdir}/%{kver_full}/modules.*
 EOF
 
@@ -1468,3 +1622,6 @@ install -m644 %{SOURCE53} %{buildroot}%{_unitdir}/cpupower.path
 install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
 install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh
 %endif
+
+# delete junk
+rm -fr %{buildroot}%{_usr}/src/*/kernel-source-virtualbox*
diff --git a/macros.ksobirator b/macros.ksobirator
new file mode 100644
index 0000000..2e42f16
--- /dev/null
+++ b/macros.ksobirator
@@ -0,0 +1,51 @@
+# ksobirator RPM macros
+# For now they are bundled in the kernel package,
+# in the future, after testing, ksobirator will become a separate package
+# which will be BuildRequired from kernel packages
+
+# TODO: define it somewhere else...
+# TODO: avoid depending from %%flavour, %%buildrel etc ?!
+# TODO: fail if needed macros are not defined
+%ksob_kernel %{flavour}-%{buildrel}
+
+# %%ksob_mk_module_pkg -n module name -s module section [ -r additional requires for this package ]
+# Examples:
+# %%ksob_mk_module_pkg -n shredder -s extra -r /usr/bin/wipe
+# %%ksob_mk_module_pkg -n shredder -s extra
+%ksob_mk_module_pkg(n:s:r:) \
+\
+%define module_name        %{-n:%{-n*}}%{!-n:%{error:Module name not defined!}} \
+%define pkg_main kernel-module-%{module_name}-%{ksob_kernel} \
+%define pkg_latest kernel-module-%{module_name}-%{flavour}-%{kernelversion}.%{patchlevel}-latest \
+%define module_section     %{-s:%{-s*}}%{!-s:%{error:Module section (e.g. extra) not defined!}} \
+\
+%{expand: \
+%package -n %{pkg_main} \
+# TODO: convert long kernel name to one macro \
+Summary: Binary module %{module_name} for kernel-%{ksob_kernel} \
+Group: System/Kernel and hardware \
+Version: 1 \
+Release: 1 \
+%{-r:Requires: %{-r*}} \
+\
+%description -n %{pkg_main} \
+Binary module %{module_name} for kernel-%{ksob_kernel} \
+\
+%files -n %{pkg_main} \
+# XXX TODO: how to %%exclude these files from the main package automatically? \
+%{_modulesdir}/%{kver_full}/kernel/%{module_section}/%{module_name}.ko%{kmod_suffix} \
+\
+%package -n %{pkg_latest} \
+Summary: Meta package for the latest binary module %{module_name} for the latest kernel-%{flavour} in %{kernelversion}.%{patchlevel} series \
+Group: System/Kernel and hardware \
+Version: %{kversion} \
+Release: %{fullrpmrel} \
+Requires: %{pkg_main} \
+\
+%description -n %{pkg_latest} \
+Meta package for the latest binary module %{module_name} for the latest \
+kernel-%{flavour} in %{kernelversion}.%{patchlevel} series \
+# No files \
+%files -n %{pkg_latest} \
+%{nil} \
+}