VMWare Workstation Pro on Secure Boot Ubuntu

Written by James McDonald

September 30, 2021

I enabled secure boot on my Ubuntu 20.04 workstation running VMWare Workstation Pro.

Problem: Every time the kernel is upgraded VMWare cannot load its unsigned kernel modules

Cause: Secure boot means that all kernel modules have to be marked as trusted by the secure boot module before the kernel can load them

Check if secure boot is enabled

sudo mokutil --sb-state?
# output when enabled
SecureBoot enabled

If mokutil is missing

sudo apt install mokutil
Resolution:

You need to create a couple of certificates and import them as per the vmware article

https://kb.vmware.com/s/article/2146460

Create a private and public key to sign your vmware modules

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VMware/"
# sign the compiled modules DO THIS AFTER COMPILING THE MODULE (i.e. after you click the install button and it says it failed to insert the kernel modules)
sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)
# install public key 
mokutil --import MOK.der

The module signing part as a script:

#!/bin/sh
# filename: signModules.sh
# cd to where you store the MOK.priv MOK.der certs
# run this as root e.g. sudo sh ./signModules.sh
for i in vmmon vmnet
do
    echo Signing $i
    sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n $i)
done

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

You May Also Like…