Hi Jiri,
You can sign the modules and load the key to MOK too.
Ok, I tried signing the vmware modules and loading the key and it is still not working. Here's exactly what I did... I compiled the vmware modules ( vmmon and vmnet ) and then signed the modules and loaded the key. I followed the steps in this vmware kb article but the path to sign-file was wrong so I fixed it to the correct location. https://kb.vmware.com/s/article/2146460 mokutil --sb-state SecureBoot enabled uname -r 6.2.1-1-default # Generate Key openssl req -new -x509 -newkey rsa:2048 -keyout vmware.joe.priv -outform DER -out vmware.joe.der -nodes -days 36500 -subj "/CN=VMware/" # Sign vmmon and vmnet with key /usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmmon.ko /usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmnet.ko # Import key mokutil --import ./vmware.joe.der reboot Perform MOK Management / Enroll MOK / Enroll the key reboot mokutil --list-enrolled Shows the new key systemctl status vmware Shows that the service failed to start modprobe vmmon modprobe: ERROR: could not insert 'vmmon': Operation not permitted modprobe vmnet modprobe: ERROR: could not insert 'vmnet': Operation not permitted journal -xe Mar 06 15:44:14 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7 Mar 06 15:44:24 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7 Comparing a copy of the vmmon.ko and vmnet.ko files before sign-file was shows that were signed so I don't understand why it says those modules are unsigned??? mokutil --import ./vmware.joe.der SKIP: ./vmware.joe.der is already enrolled So, a key was generated, the compiled vmware modules were signed with that key, the key was imported with mokutil, the system was rebooted and the new key enrolled yet the modules are still not loaded and are being treated like they are unsigned. Looking at the *.ko files they do have '~Module signature appended~' at the end. Is there some other step that is needed ?