How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems

How to Sign VMware Workstation Pro Kernel Modules on UEFI Secure Boot Enabled Linux Systems

For VMware Workstation Pro kernel modules to load on UEFI Secure Boot enabled Linux systems, you must sign them manually. Unsigned VMware Workstation Pro kernel modules won’t load, resulting in VMware Workstation Pro services failing to start.

As you can see, VMware Workstation Pro services failed to start after the VMware Workstation Pro kernel modules were compiled successfully.

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 1

Sponsored

 

The vmware systemd service also failed to start.

$ sudo systemctl status vmware

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 2

 

One solution to this problem is to disable UEFI secure boot from the BIOS/UEFI firmware of your motherboard. But if you don’t want to disable UEFI secure boot on your computer, then you must generate a kernel module signing key and sign the VMware Workstation Pro kernel modules using the generated key.

In this article, I will show you how to generate a kernel module signing key and sign the VMware Workstation Pro kernel modules with it so that the VMware Workstation Pro kernel modules load correctly on UEFI secure boot enabled Linux systems.

 

 

 

Table of Contents

  1. Generating a UEFI Kernel Module Signing Key
  2. Finding the Full Path of the sign-file Kernel Script
  3. Signing the VMware Workstation Pro Kernel Modules for UEFI Secure Boot
  4. Adding the UEFI Kernel Signing Keys to the shim
  5. Enrolling the UEFI Kernel Signing Keys
  6. Checking if VMware Workstation Pro Kernel Modules are Signed for UEFI Secure Boot
  7. Conclusion
  8. References

 

 

Generating a UEFI Kernel Module Signing Key

To generate a new UEFI kernel module signing key pair and save them in the ~/.VMware-MOK.priv and ~/.VMware-MOK.der file, run the following command:

$ openssl req -new -x509 -newkey rsa:2048 -keyout ~/.VMware-MOK.priv -outform DER -out ~/.VMware-MOK.der -nodes -days 36500 -subj “/CN=VMware/”

 

As you can see a new UEFI kernel module signing key pair .VMware-MOK.priv and .VMware-MOK.der is created in my login user’s home directory.

$ ls -lh ~/.VMware*

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 3

 

 

Finding the Full Path of the sign-file Kernel Script

To sign the VMware Workstation Pro kernel modules using the generated key pair, you need the sign-file kernel script. The sign-file kernel script is available in different path in different Linux distributions.

 

To find the full path of the sign-file kernel script on your Linux distribution, run the following command:

$ sudo find /usr/src -wholename “*/scripts/sign-file”

 

On my Ubuntu 24.04 LTS system, the sign-file kernel script is in path /usr/src/linux-headers-6.8.0-31-generic/scripts/sign-file.

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 4

 

 

Signing the VMware Workstation Pro Kernel Modules for UEFI Secure Boot

To sign the VMware Workstation Pro kernel modules vmmon and vmnet using the key pairs ~/.VMware-MOK.priv and ~/.VMware-MOK.der with the sign-file kernel script, run the following commands:

$ sudo /usr/src/linux-headers-6.8.0-31-generic/scripts/sign-file sha256 ~/.VMware-MOK.priv ~/.VMware-MOK.der $(modinfo -n vmmon)

$ sudo /usr/src/linux-headers-6.8.0-31-generic/scripts/sign-file sha256 ~/.VMware-MOK.priv ~/.VMware-MOK.der $(modinfo -n vmnet)

 

 

Adding the UEFI Kernel Signing Keys to the shim

Once the VMware Workstation Pro kernel modules are signed with the generated key pairs ~/.VMware-MOK.priv and ~/.VMware-MOK.der, you must add/import the ~/.VMware-MOK.der file to the UEFI shim and enroll it from the UEFI firmware of your computer.

To add/import the ~/.VMware-MOK.der file to the UEFI shim, run the following command:

$ sudo mokutil –import ~/.VMware-MOK.der

 

See also  Install & Setup Veyon Classroom Management App in Ubuntu 22.04

Type in a password of your choice and press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 5

 

Retype the password and press . The ~/.VMware-MOK.der file should be added/imported to the UEFI shim.

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 6

 

 

 

Enrolling the UEFI Kernel Signing Keys

To enroll the key (~/.VMware-MOK.der) imported to the UEFI shim, reboot your Linux system as follows:

Sponsored
$ sudo reboot

 

You will see a similar shim UEFI key management window.

Press any key to perform MOK management.

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 7

 

 

Select Enroll MOK and press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 8

 

To view the key being enrolled, select View key and press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 9

 

The key that you are about to enroll should be displayed.

To go back, press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 10

 

To enroll the key, select Continue and press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 11

 

Select Yes and press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 12

 

Type in the password that you’ve set while adding the generated key to the UEFI shim and press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 13

 

Select Reboot and press .

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 14

 

Checking if VMware Workstation Pro Kernel Modules are Signed for UEFI Secure Boot

Once your Linux system boots, you can verify if the VMware Workstation Pro kernel modules are signed just by checking if they are loaded at boot time with the command below:

$ lsmod | egrep “vmmon|vmnet”

 

If the vmmon and vmnet kernel modules are loaded, then the VMware Workstation Pro kernel modules are successfully signed for your UEFI secure boot enabled Linux system.

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 15

 

 

If the VMware Workstation Pro kernel modules are signed, the vmware systemd service should be running on your Linux system.

$ sudo systemctl status vmware

How to sign vmware workstation pro kernel modules on uefi secure boot enabled linux systems 16

 

 

Conclusion

In this article, I have shown you how to sign the VMware Workstation Pro kernel modules so that they can be loaded on UEFI secure boot enabled Linux systems. Without signed VMware Workstation Pro kernel modules, VMware Workstation Pro won’t work on UEFI secure boot enabled systems.

 

 

 

References

  1. Instructions on signing VirtualBox and VMware modules for Secure Boot

  2. Re-signing kernel modules after update – VMMON – Ask Ubuntu


Discover more from Ubuntu-Server.com

Subscribe to get the latest posts sent to your email.

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply