From 3c840dfd7749c2aff0ec0c5d229f22a06e13e0d6 Mon Sep 17 00:00:00 2001
From: Yumi Yukimura <me.cafebabe@gmail.com>
Date: Mon, 19 May 2025 03:15:52 +0800
Subject: [PATCH] kernel: Sign kernel modules only if
 CONFIG_MODULE_SIG_FORMAT=y

Change-Id: If8ef12f2b751390fc1689edb551379ca2e4e78be
---
 build/tasks/kernel.mk | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/build/tasks/kernel.mk b/build/tasks/kernel.mk
index 08c18017..85c145b9 100644
--- a/build/tasks/kernel.mk
+++ b/build/tasks/kernel.mk
@@ -595,11 +595,13 @@ $(TARGET_PREBUILT_INT_KERNEL): $(KERNEL_CONFIG) $(DEPMOD) $(DTC) $(KERNEL_MODULE
 					if [[ ! "$(SYSTEM_KERNEL_MODULES)" =~ "$$module_name" ]]; then echo $$n; fi; \
 				done); \
 				($(call build-image-kernel-modules-lineage,$$filtered_modules,$(KERNEL_MODULES_OUT),$(KERNEL_MODULE_MOUNTPOINT)/,$(KERNEL_DEPMOD_STAGING_DIR),$(BOARD_VENDOR_KERNEL_MODULES_LOAD),,$(KERNEL_MODULES_PARTITION_FILE_LIST),$(SYSTEM_KERNEL_DEPMOD_STAGING_DIR)/lib/modules/0.0/$(SYSTEM_KERNEL_MODULE_MOUNTPOINT))) || exit "$$?"; \
-				(for m in $$(find $(SYSTEM_KERNEL_MODULES_OUT) -type f -name "*.ko"); do \
-					$(KERNEL_OUT)/scripts/sign-file sha1 \
-					$(KERNEL_OUT)/certs/signing_key.pem \
-					$(KERNEL_OUT)/certs/signing_key.x509 "$$m"; \
-				done) || exit "$$?"; \
+				if grep -q 'CONFIG_MODULE_SIG_FORMAT=y' $(KERNEL_CONFIG); then \
+					(for m in $$(find $(SYSTEM_KERNEL_MODULES_OUT) -type f -name "*.ko"); do \
+						$(KERNEL_OUT)/scripts/sign-file sha1 \
+						$(KERNEL_OUT)/certs/signing_key.pem \
+						$(KERNEL_OUT)/certs/signing_key.x509 "$$m"; \
+					done) || exit "$$?"; \
+				fi; \
 				,\
 				($(call build-image-kernel-modules-lineage,$$all_modules,$(KERNEL_MODULES_OUT),$(KERNEL_MODULE_MOUNTPOINT)/,$(KERNEL_DEPMOD_STAGING_DIR),$(BOARD_VENDOR_KERNEL_MODULES_LOAD),,$(KERNEL_MODULES_PARTITION_FILE_LIST),)) || exit "$$?"; \
 			) \