VMWare Workstation Pro on Secure Boot Ubuntu

by | Sep 30, 2021 | IT Tips | 0 comments

I enabled secure boot on my Ubuntu 20.04 workstation running VMWare Workstation Pro.

Problem: Every time the kernel is upgraded VMWare cannot load its unsigned kernel modules

Cause: Secure boot means that all kernel modules have to be marked as trusted by the secure boot module before the kernel can load them

Check if secure boot is enabled

?
1
2
3
sudo mokutil --sb-state?
# output when enabled
SecureBoot enabled

If mokutil is missing

?
1
sudo apt install mokutil
Resolution:

You need to create a couple of certificates and import them as per the vmware article

https://kb.vmware.com/s/article/2146460

Create a private and public key to sign your vmware modules

?
1
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VMware/"
?
1
2
3
4
5
# sign the compiled modules DO THIS AFTER COMPILING THE MODULE (i.e. after you click the install button and it says it failed to insert the kernel modules)
sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)
# install public key
mokutil --import MOK.der

The module signing part as a script:

?
1
2
3
4
5
6
7
8
9
#!/bin/sh
# filename: signModules.sh
# cd to where you store the MOK.priv MOK.der certs
# run this as root e.g. sudo sh ./signModules.sh
for i in vmmon vmnet
do
    echo Signing $i
    sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n $i)
done

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.