diff --git a/BUILD.bazel b/BUILD.bazel
index ceff2c8f0e79..0ecc69b64c88 100644
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -17,7 +17,9 @@ package(
     ],
 )
 
+load("//build/bazel_common_rules/dist:dist.bzl", "copy_to_dist_dir")
 load("//build/kernel/kleaf:common_kernels.bzl", "define_common_kernels", "define_db845c")
+load("//build/kernel/kleaf:kernel.bzl", "kernel_build")
 
 # This uses android/abi_gki_aarch64* in kmi_configs. If the list of
 # glob(["android/abi_gki_aarch64*"]) differs from
@@ -218,3 +220,20 @@ define_db845c(
         "sound/soc/qcom/snd-soc-sm8250.ko",
     ],
 )
+
+kernel_build(
+    name = "fips140",
+    outs = [],
+    base_kernel = ":kernel_aarch64",
+    build_config = "build.config.gki.aarch64.fips140",
+    module_outs = ["crypto/fips140.ko"],
+)
+
+copy_to_dist_dir(
+    name = "fips140_dist",
+    data = [
+        ":fips140",
+    ],
+    dist_dir = "out/fips140/dist",
+    flat = True,
+)
diff --git a/arch/arm64/configs/fips140_gki.fragment b/arch/arm64/configs/fips140_gki.fragment
index 68292520be10..198cd3367a24 100644
--- a/arch/arm64/configs/fips140_gki.fragment
+++ b/arch/arm64/configs/fips140_gki.fragment
@@ -1 +1,2 @@
 CONFIG_CRYPTO_FIPS140_MOD=y
+# CONFIG_MODULE_SIG_ALL is not set
diff --git a/build.config.gki.aarch64.fips140 b/build.config.gki.aarch64.fips140
index 040d73af3d2a..522a0f3e2d41 100644
--- a/build.config.gki.aarch64.fips140
+++ b/build.config.gki.aarch64.fips140
@@ -1,9 +1,15 @@
-. ${ROOT_DIR}/${KERNEL_DIR}/build.config.gki.aarch64
+. ${ROOT_DIR}/${KERNEL_DIR}/build.config.common
+. ${ROOT_DIR}/${KERNEL_DIR}/build.config.aarch64
+. ${ROOT_DIR}/${KERNEL_DIR}/build.config.gki
 
-FILES="${FILES}
+FILES="
 crypto/fips140.ko
 "
 
+MAKE_GOALS="
+modules
+"
+
 if [ "${LTO}" = "none" ]; then
 	echo "The FIPS140 module needs LTO to be enabled."
 	exit 1
@@ -13,5 +19,5 @@ MODULES_ORDER=android/gki_aarch64_fips140_modules
 KERNEL_DIR=common
 
 DEFCONFIG=fips140_gki_defconfig
-PRE_DEFCONFIG_CMDS="cat ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/gki_defconfig ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/fips140_gki.fragment > ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/${DEFCONFIG};"
-POST_DEFCONFIG_CMDS="rm ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/${DEFCONFIG}"
+PRE_DEFCONFIG_CMDS="mkdir -p \${OUT_DIR}/arch/arm64/configs/ && KCONFIG_CONFIG=\${OUT_DIR}/arch/arm64/configs/${DEFCONFIG} ${ROOT_DIR}/${KERNEL_DIR}/scripts/kconfig/merge_config.sh -m -r ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/gki_defconfig ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/fips140_gki.fragment"
+POST_DEFCONFIG_CMDS=""