From f5b67a8a82a599d27af6dccd10e016cad0017c77 Mon Sep 17 00:00:00 2001
From: dianlujitao <dianlujitao@lineageos.org>
Date: Sun, 2 Feb 2025 17:50:11 +0800
Subject: [PATCH] kernel: sign GKI modules

Only signed GKI modules are permitted to export symbols listed in the
android/abi_gki_protected_exports file. Attempting to export these
symbols from an unsigned module will result in the module failing to
load, with a 'Permission denied' error message.

Change-Id: Ie15b00a6c288eda21b319eb0f735cf4f9e6e7933
---
 build/tasks/kernel.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/build/tasks/kernel.mk b/build/tasks/kernel.mk
index d99f966d59..1275849a9b 100644
--- a/build/tasks/kernel.mk
+++ b/build/tasks/kernel.mk
@@ -529,6 +529,11 @@ $(TARGET_PREBUILT_INT_KERNEL): $(KERNEL_CONFIG) $(DEPMOD) $(DTC) $(KERNEL_MODULE
 					if [[ ! "$(SYSTEM_KERNEL_MODULES)" =~ "$$module_name" ]]; then echo $$n; fi; \
 				done); \
 				($(call build-image-kernel-modules-lineage,$$filtered_modules,$(KERNEL_MODULES_OUT),$(KERNEL_MODULE_MOUNTPOINT)/,$(KERNEL_DEPMOD_STAGING_DIR),$(BOARD_VENDOR_KERNEL_MODULES_LOAD),,$(KERNEL_MODULES_PARTITION_FILE_LIST),$(SYSTEM_KERNEL_DEPMOD_STAGING_DIR)/lib/modules/0.0/$(SYSTEM_KERNEL_MODULE_MOUNTPOINT))) || exit "$$?"; \
+				(for m in $$(find $(SYSTEM_KERNEL_MODULES_OUT) -type f -name "*.ko"); do \
+					$(KERNEL_OUT)/scripts/sign-file sha1 \
+					$(KERNEL_OUT)/certs/signing_key.pem \
+					$(KERNEL_OUT)/certs/signing_key.x509 "$$m"; \
+				done) || exit "$$?"; \
 				,\
 				($(call build-image-kernel-modules-lineage,$$all_modules,$(KERNEL_MODULES_OUT),$(KERNEL_MODULE_MOUNTPOINT)/,$(KERNEL_DEPMOD_STAGING_DIR),$(BOARD_VENDOR_KERNEL_MODULES_LOAD),,$(KERNEL_MODULES_PARTITION_FILE_LIST),)) || exit "$$?"; \
 			) \