> You can sign the modules and load the key to MOK too.

Hi Jiri,

Ok, I tried signing the vmware modules and loading the key and it is still not working.

Here's exactly what I did...

I compiled the vmware modules (vmmon and vmnet) and then signed the modules and loaded the key.

I followed the steps in this VMware KB article, but the path to sign-file was wrong so I fixed it to the correct location.

    https://kb.vmware.com/s/article/2146460

mokutil --sb-state
SecureBoot enabled

uname -r
6.2.1-1-default

# Generate Key

openssl req -new -x509 -newkey rsa:2048 -keyout vmware.joe.priv -outform DER -out vmware.joe.der -nodes -days 36500 -subj "/CN=VMware/"

# Sign vmmon and vmnet with key

/usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmmon.ko
/usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmnet.ko

# Import key

mokutil --import ./vmware.joe.der

reboot

Perform MOK Management / Enroll MOK / Enroll the key

reboot

mokutil --list-enrolled

    Shows the new key

systemctl status vmware

    Shows that the service failed to start

modprobe vmmon
modprobe: ERROR: could not insert 'vmmon': Operation not permitted

modprobe vmnet
modprobe: ERROR: could not insert 'vmnet': Operation not permitted

journalctl -xe

Mar 06 15:44:14 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
Mar 06 15:44:24 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

Comparing a copy of the vmmon.ko and vmnet.ko files from before sign-file was run shows that they were signed, so I don't understand why it says those modules are unsigned???

mokutil --import ./vmware.joe.der
SKIP: ./vmware.joe.der is already enrolled


So, a key was generated, the compiled vmware modules were signed with that key, the key was imported with mokutil, the system
was rebooted and the new key enrolled yet the modules are still not loaded and are being treated like they are unsigned.

Looking at the *.ko files they do have '~Module signature appended~' at the end.

Is there some other step that is needed?
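Added example (not from this thread or from VMware): a small Python check of the trailer that scripts/sign-file appends to a .ko, which is what the '~Module signature appended~' marker belongs to. It parses the kernel's struct module_signature, applies the same sanity checks the kernel does before looking at the PKCS#7 blob, and runs on a constructed sample image rather than a real module; the trailer only shows that a signature is present, not that the signing key is trusted by the running kernel.

```python
import struct

# Layout written by scripts/sign-file (include/linux/module_signature.h):
# [ELF module][PKCS#7 signature][struct module_signature, 12 bytes][magic]
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
SIG_STRUCT = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(data: bytes) -> dict:
    """Describe the appended signature of a .ko image, or say why it is absent."""
    if not data.endswith(MAGIC):
        return {"signed": False, "reason": "no signature magic at end of file"}
    body = data[: -len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        return {"signed": False, "reason": "file too short for module_signature"}
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = \
        SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    body = body[: -SIG_STRUCT.size]
    # The kernel rejects anything but PKCS#7 and requires the legacy fields zeroed.
    if id_type != PKEY_ID_PKCS7:
        return {"signed": False, "reason": f"unsupported id_type {id_type}"}
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        return {"signed": False, "reason": "malformed module_signature header"}
    if sig_len == 0 or sig_len > len(body):
        return {"signed": False, "reason": "sig_len out of range"}
    pkcs7 = body[-sig_len:]
    if pkcs7[:1] != b"\x30":  # DER SEQUENCE tag
        return {"signed": False, "reason": "signature block is not DER"}
    return {"signed": True, "sig_len": sig_len, "pkcs7": pkcs7,
            "module_len": len(body) - sig_len}


def inspect_file(path: str) -> dict:
    with open(path, "rb") as f:
        return parse_module_signature(f.read())


# Constructed sample: a stand-in for the ELF image plus a fake DER blob.
SAMPLE_MODULE = b"\x7fELF" + b"\0" * 16                    # 20 bytes
SAMPLE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 10             # 14 bytes
SAMPLE_SIGNED = (SAMPLE_MODULE + SAMPLE_PKCS7
                 + SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(SAMPLE_PKCS7))
                 + MAGIC)

if __name__ == "__main__":
    print(parse_module_signature(SAMPLE_SIGNED))   # signed, sig_len 14
    print(parse_module_signature(SAMPLE_MODULE))   # unsigned, no magic
```

On a live host, `modinfo -F sig_key /usr/lib/modules/$(uname -r)/misc/vmmon.ko` prints the signer key id, which can be compared against `mokutil --list-enrolled`.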