On Tue, Mar 7, 2023 at 12:13 PM Joe Salmeri <jmscdba@gmail.com> wrote:
Hi Jiri,
You can sign the modules and load the key to MOK too.
Ok, I tried signing the vmware modules and loading the key and it is still not working.
Here's exactly what I did...
I compiled the vmware modules ( vmmon and vmnet ) and then signed the modules and loaded the key.
I followed the steps in this vmware kb article but the path to sign-file was wrong so I fixed it to the correct location.
https://kb.vmware.com/s/article/2146460
mokutil --sb-state
SecureBoot enabled

uname -r
6.2.1-1-default
# Generate Key
openssl req -new -x509 -newkey rsa:2048 -keyout vmware.joe.priv -outform DER -out vmware.joe.der -nodes -days 36500 -subj "/CN=VMware/"
# Sign vmmon and vmnet with key
/usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmmon.ko
/usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmnet.ko
It is quite possible that there are modules in another location (hint - initrd).
# Import key
mokutil --import ./vmware.joe.der
reboot
Perform MOK Management / Enroll MOK / Enroll the key
reboot
mokutil --list-enrolled
Shows the new key
systemctl status vmware
Shows that the service failed to start
modprobe vmmon
modprobe: ERROR: could not insert 'vmmon': Operation not permitted

modprobe vmnet
modprobe: ERROR: could not insert 'vmnet': Operation not permitted

journalctl -xe
Mar 06 15:44:14 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
Mar 06 15:44:24 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
In general, showing random lines which *you* think are important is not that useful. Full "journalctl -b" after boot may give some more information.
Comparing a copy of the vmmon.ko and vmnet.ko files from before sign-file was run shows that they were signed, so I don't understand why it says those modules are unsigned???

mokutil --import ./vmware.joe.der
SKIP: ./vmware.joe.der is already enrolled
So, a key was generated, the compiled vmware modules were signed with that key, the key was imported with mokutil, the system was rebooted and the new key enrolled yet the modules are still not loaded and are being treated like they are unsigned.
Looking at the *.ko files they do have '~Module signature appended~' at the end.
Is there some other step that is needed?
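As an added illustration that is not part of this thread: a POSIX shell helper that reads the trailer the kernel's sign-file appends to a .ko (the '~Module signature appended~' marker mentioned above, preceded by the 12-byte struct module_signature), reports the signature type and length, and extracts the PKCS#7 blob so the signer can be inspected. The sample module bytes are constructed inside the script; the function and file names are my own.

```shell
#!/bin/sh
# Layout appended by scripts/sign-file:
#   <ELF module> <PKCS#7 DER sig> <struct module_signature, 12 bytes> "~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
#                          u8 key_id_len, u8 pad[3], __be32 sig_len
# For id_type 2 (PKCS7) the kernel requires algo/hash/signer_len/key_id_len to be 0.
MARKER='~Module signature appended~'

# Print "signed id_type=<type> sig_len=<n>" or "unsigned" (exit 1).
module_sig_info() {
  f="$1"
  [ "$(tail -c 28 "$f" | tr -d '\n')" = "$MARKER" ] || { echo unsigned; return 1; }
  # Positional parameters become the 12 struct bytes as decimal values.
  set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1)
  id_type=$3
  sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
  case "$id_type" in
    0) t=UNSPECIFIED ;; 1) t=PGP ;; 2) t=PKCS7 ;; *) t="UNKNOWN($id_type)" ;;
  esac
  echo "signed id_type=$t sig_len=$sig_len"
}

# Write the raw PKCS#7 DER blob of a signed module to $2.
# Inspect it with: openssl asn1parse -inform DER -in "$2"
module_sig_extract() {
  f="$1"; out="$2"
  set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1)
  sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
  tail -c $((sig_len + 40)) "$f" | head -c "$sig_len" > "$out"
}

# Constructed sample: fake ELF payload, a 5-byte stand-in for the DER
# signature, a PKCS7 trailer (id_type=2, sig_len=5), then the marker.
make_sample_module() {
  printf 'FAKE-ELF-PAYLOAD' > "$1"
  printf 'SIGXX' >> "$1"
  printf '\000\000\002\000\000\000\000\000\000\000\000\005' >> "$1"
  printf '~Module signature appended~\n' >> "$1"
}

# With arguments: inspect real modules, e.g. /usr/lib/modules/$(uname -r)/misc/vmmon.ko
# Without arguments: run against the constructed sample.
if [ $# -gt 0 ]; then
  for m in "$@"; do printf '%s: ' "$m"; module_sig_info "$m" || true; done
else
  sample=$(mktemp); make_sample_module "$sample"
  module_sig_info "$sample"; rm -f "$sample"
fi
```

The kernel's own view of the same trailer is available with `modinfo -F signer` and `modinfo -F sig_key` on the .ko, which is worth comparing against the copy packed into the initrd.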