Hi Joe,

Thanks for giving this a try! It's about the same procedure that we're using for signing our nvidia kernel modules right after building on the target system. Just that we don't use the "-nodes" option, but add -addext "extendedKeyUsage=codeSigning". The latter was needed at some point for Leap Kernels (boo#1178793). Nevertheless, now with TW's current locked-down 6.2.1 kernel we're suffering from the same issue as you. :-(

Thanks,
Stefan

On Mon, Mar 06, 2023 at 04:54:48PM -0500, Joe Salmeri wrote:
You can sign the modules and load the key to MOK too.
Hi Jiri,
Ok, I tried signing the vmware modules and loading the key and it is still not working.
Here's exactly what I did...
I compiled the vmware modules ( vmmon and vmnet ) and then signed the modules and loaded the key.
I followed the steps in this vmware kb article but the path to sign-file was wrong so I fixed it to the correct location.
https://kb.vmware.com/s/article/2146460
mokutil --sb-state
SecureBoot enabled

uname -r
6.2.1-1-default
# Generate Key
openssl req -new -x509 -newkey rsa:2048 -keyout vmware.joe.priv -outform DER -out vmware.joe.der -nodes -days 36500 -subj "/CN=VMware/"
# Sign vmmon and vmnet with key
/usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmmon.ko
/usr/src/linux-6.2.1-1-obj/x86_64/default/scripts/sign-file sha256 ./vmware.joe.priv ./vmware.joe.der /usr/lib/modules/6.2.1-1-default/misc/vmnet.ko
# Import key
mokutil --import ./vmware.joe.der
reboot
Perform MOK Management / Enroll MOK / Enroll the key
reboot
mokutil --list-enrolled
Shows the new key
systemctl status vmware
Shows that the service failed to start
modprobe vmmon
modprobe: ERROR: could not insert 'vmmon': Operation not permitted

modprobe vmnet
modprobe: ERROR: could not insert 'vmnet': Operation not permitted
journalctl -xe
Mar 06 15:44:14 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
Mar 06 15:44:24 localhost.localdomain kernel: Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
Comparing a copy of the vmmon.ko and vmnet.ko files from before sign-file was run shows that they were signed, so I don't understand why it says those modules are unsigned???
mokutil --import ./vmware.joe.der
SKIP: ./vmware.joe.der is already enrolled
So, a key was generated, the compiled vmware modules were signed with that key, the key was imported with mokutil, the system was rebooted and the new key enrolled yet the modules are still not loaded and are being treated like they are unsigned.
Looking at the *.ko files they do have '~Module signature appended~' at the end.
Is there some other step that is needed ?
--
Stefan Dirsch (Res. & Dev.)
SUSE Software Solutions Germany GmbH, Frankenstraße 146, D-90461 Nürnberg, Germany
http://www.suse.de
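The '~Module signature appended~' marker Joe checks only proves a trailer is present; the kernel's lockdown message does not distinguish a module with no signature from one whose signature could not be verified against an enrolled key, so it helps to look at the trailer itself. As an added example (not from this thread, and not code from sign-file or the kernel), this Python parser splits a .ko image into payload, PKCS#7 blob and the struct module_signature header that sign-file writes, and flags a module that was signed twice; the module bytes and DER blob below are constructed stand-ins, not real modules or signatures.

```python
import struct

# Trailer layout written by scripts/sign-file: <PKCS#7 DER> <struct module_signature> <magic>
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")


def parse_module_signature(data: bytes) -> dict:
    """Return {"signed": False} if no trailer, else header fields, blob and payload.
    "nested" is True when the payload still ends in a trailer (sign-file run twice)."""
    if not data.endswith(MODULE_SIG_STRING):
        return {"signed": False}
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    body = body[: -SIG_HDR.size]
    # sign-file emits PKCS#7 signatures; the other identification fields are zero.
    if id_type != PKEY_ID_PKCS7 or (algo, hash_, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError(f"unexpected module_signature fields: id_type={id_type}")
    if sig_len > len(body):
        raise ValueError("sig_len exceeds module size")
    payload, pkcs7 = body[: len(body) - sig_len], body[len(body) - sig_len:]
    if not pkcs7.startswith(b"\x30"):  # DER SEQUENCE tag
        raise ValueError("signature blob is not a DER SEQUENCE")
    return {"signed": True, "sig_len": sig_len, "pkcs7": pkcs7, "payload": payload,
            "nested": payload.endswith(MODULE_SIG_STRING)}


def append_signature(payload: bytes, pkcs7: bytes) -> bytes:
    """Append a trailer in the same layout sign-file uses (used here to build sample data)."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return payload + pkcs7 + hdr + MODULE_SIG_STRING


# Constructed sample: a stand-in for vmmon.ko and a dummy DER blob, not a real module or signature.
SAMPLE_PAYLOAD = b"\x7fELF" + b"\x00" * 28 + b"vmmon stand-in"
SAMPLE_PKCS7 = b"\x30\x06\x02\x01\x01\x05\x00"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /usr/lib/modules/.../misc/vmmon.ko
    image = open(path, "rb").read() if path else append_signature(SAMPLE_PAYLOAD, SAMPLE_PKCS7)
    info = parse_module_signature(image)
    print({k: v for k, v in info.items() if k not in ("pkcs7", "payload")})
```

Run against a real .ko it reports the PKCS#7 length and whether the trailer is doubled; a nested trailer means the outer signature covers the inner one rather than the module, which is a common way to end up with a module that "looks signed" but fails verification.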