How to Sign VMware Workstation Pro Kernel Modules on UEFI Secure Boot Enabled Linux Systems

For VMware Workstation Pro kernel modules to load on UEFI Secure Boot enabled Linux systems, you must sign them manually. Unsigned VMware Workstation Pro kernel modules won’t load, resulting in VMware Workstation Pro services failing to start.

As you can see, VMware Workstation Pro services failed to start after the VMware Workstation Pro kernel modules were compiled successfully.

The vmware systemd service also failed to start.

$ sudo systemctl status vmware

One solution to this problem is to disable UEFI secure boot from the BIOS/UEFI firmware of your motherboard. But if you don’t want to disable UEFI secure boot on your computer, then you must generate a kernel module signing key and sign the VMware Workstation Pro kernel modules using the generated key.

In this article, I will show you how to generate a kernel module signing key and sign the VMware Workstation Pro kernel modules with it so that the VMware Workstation Pro kernel modules load correctly on UEFI secure boot enabled Linux systems.

Table of Contents

  1. Generating a UEFI Kernel Module Signing Key
  2. Finding the Full Path of the sign-file Kernel Script
  3. Signing the VMware Workstation Pro Kernel Modules for UEFI Secure Boot
  4. Adding the UEFI Kernel Signing Keys to the shim
  5. Enrolling the UEFI Kernel Signing Keys
  6. Checking if VMware Workstation Pro Kernel Modules are Signed for UEFI Secure Boot
  7. Conclusion
  8. References

Generating a UEFI Kernel Module Signing Key

To generate a new UEFI kernel module signing key pair and save it in the ~/.VMware-MOK.priv and ~/.VMware-MOK.der files, run the following command:

$ openssl req -new -x509 -newkey rsa:2048 -keyout ~/.VMware-MOK.priv -outform DER -out ~/.VMware-MOK.der -nodes -days 36500 -subj "/CN=VMware/"

As you can see, a new UEFI kernel module signing key pair, .VMware-MOK.priv and .VMware-MOK.der, has been created in my login user’s home directory.

$ ls -lh ~/.VMware*

Finding the Full Path of the sign-file Kernel Script

To sign the VMware Workstation Pro kernel modules using the generated key pair, you need the sign-file kernel script. The sign-file kernel script is located at different paths on different Linux distributions.

To find the full path of the sign-file kernel script on your Linux distribution, run the following command:

$ sudo find /usr/src -wholename "*/scripts/sign-file"

On my Ubuntu 24.04 LTS system, the sign-file kernel script is at /usr/src/linux-headers-6.8.0-31-generic/scripts/sign-file.

Signing the VMware Workstation Pro Kernel Modules for UEFI Secure Boot

To sign the VMware Workstation Pro kernel modules vmmon and vmnet using the key pair ~/.VMware-MOK.priv and ~/.VMware-MOK.der with the sign-file kernel script, run the following commands:
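
An added example for this step (not the article's own commands): it locates sign-file for the running kernel, signs vmmon and vmnet with the key pair generated above, and confirms each module file ends with the kernel's appended-signature marker. The function names, the script name and the `sign` argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: sign VMware's vmmon/vmnet modules and confirm the result.
# KEY/CERT default to the files generated earlier in the article; the key was
# created with -nodes (unencrypted), so keep it readable by your user only.
KEY="${KEY:-$HOME/.VMware-MOK.priv}"
CERT="${CERT:-$HOME/.VMware-MOK.der}"

# Print the sign-file path for kernel release $1 under source root $2.
find_sign_file() {
    find "${2:-/usr/src}" -wholename "*$1*/scripts/sign-file" 2>/dev/null | head -n 1
}

# Succeed if file $1 ends with the marker the kernel looks for after an
# appended module signature ("~Module signature appended~" plus newline).
has_sig_trailer() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\0')" = "~Module signature appended~" ]
}

# Sign both modules for the running kernel, then check each file on disk.
sign_vmware_modules() {
    local sign_file mod path
    sign_file=$(find_sign_file "$(uname -r)")
    [ -x "$sign_file" ] || { echo "sign-file not found for $(uname -r)" >&2; return 1; }
    for mod in vmmon vmnet; do
        path=$(modinfo -n "$mod") || return 1
        # Usage: sign-file <hash algo> <private key> <x509 cert> <module>
        sudo "$sign_file" sha256 "$KEY" "$CERT" "$path" || return 1
        has_sig_trailer "$path" || { echo "$mod: signature missing" >&2; return 1; }
        echo "$mod: signed by '$(modinfo -F signer "$path")'"
    done
}

# Run only when called as: ./sign-vmware-modules.sh sign
if [ "${1:-}" = "sign" ]; then
    sign_vmware_modules
fi
```

Rebuilt modules are unsigned, so run this again after a kernel update or whenever VMware recompiles vmmon and vmnet.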

Adding the UEFI Kernel Signing Keys to the shim

Once the VMware Workstation Pro kernel modules are signed with the generated key pair ~/.VMware-MOK.priv and ~/.VMware-MOK.der, you must add/import the ~/.VMware-MOK.der file to the UEFI shim and enroll it from the UEFI firmware of your computer.

To add/import the ~/.VMware-MOK.der file to the UEFI shim, run the following command:

$ sudo mokutil --import ~/.VMware-MOK.der

Type in a password of your choice and press Enter.

Retype the password and press Enter. The ~/.VMware-MOK.der file should be added/imported to the UEFI shim.

Enrolling the UEFI Kernel Signing Keys

To enroll the key (~/.VMware-MOK.der) imported to the UEFI shim, reboot your Linux system as follows:

$ sudo reboot

You will see a similar shim UEFI key management window.

Press any key to perform MOK management.

Select Enroll MOK and press Enter.

To view the key being enrolled, select View key and press Enter.

The key that you are about to enroll should be displayed.

To go back, press Enter.

To enroll the key, select Continue and press Enter.

Select Yes and press Enter.

Type in the password that you set while adding the generated key to the UEFI shim and press Enter.

Select Reboot and press Enter.

Checking if VMware Workstation Pro Kernel Modules are Signed for UEFI Secure Boot

Once your Linux system boots, you can verify if the VMware Workstation Pro kernel modules are signed just by checking if they are loaded at boot time with the command below:

$ lsmod | grep -E "vmmon|vmnet"

If the vmmon and vmnet kernel modules are loaded, then the VMware Workstation Pro kernel modules are successfully signed for your UEFI secure boot enabled Linux system.

If the VMware Workstation Pro kernel modules are signed, the vmware systemd service should be running on your Linux system.

$ sudo systemctl status vmware

Conclusion

In this article, I have shown you how to sign the VMware Workstation Pro kernel modules so that they can be loaded on UEFI secure boot enabled Linux systems. Without signed VMware Workstation Pro kernel modules, VMware Workstation Pro won’t work on UEFI secure boot enabled systems.

References

  1. Instructions on signing VirtualBox and VMware modules for Secure Boot

  2. Re-signing kernel modules after update – VMMON – Ask Ubuntu

