How to sign kernel modules with sign-file?


Solution 1

On Ubuntu, that would be /usr/src/linux-headers-$(uname -r)/scripts/sign-file.

How did I figure that out? I did a search for sign-file:

dpkg -S sign-file

which told me which package provides this file (currently linux-headers-4.4.0-22-generic) and where it was installed, i.e. in /usr/src/linux-headers-4.4.0-22-generic/scripts/.

The uname -r part is just to keep the command independent from the currently-installed headers-generic package.

Solution 2

From VMware's site, the cause of your problem is likely that:

On a Linux host with secure mode enabled, it is not allowed to load any unsigned drivers. Due to this, VMware drivers such as vmmon and vmnet are not able to be loaded, which prevents the virtual machine from powering on.

To fix this without turning off secure boot, you can do the following in a terminal:

  1. Generate a key pair using openssl to sign the vmmon and vmnet modules:

    ~$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VMware/"

    (Replace MOK with the name of the file you want for the key.)

  2. Sign the modules using the generated key by running these commands:

    ~$ sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)

    ~$ sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

  3. Import the public key to the system's MOK list by running this command:

    ~$ sudo mokutil --import MOK.der

  4. Confirm a password for this MOK enrollment request.

  5. Reboot your machine. Follow the instructions to complete the enrollment from the UEFI console.

Cited from this VMware article: https://kb.vmware.com/kb/2146460
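As an added example (not code from either answer or from VMware), the following POSIX shell helper locates sign-file the way Solution 1 does, runs the signing step from Solution 2, and then checks for the marker the kernel appends to every signed module, so you can tell whether signing actually took effect before rebooting. It assumes the headers for the running kernel are installed and that MOK.priv and MOK.der are in the current directory unless other paths are given.

```shell
#!/bin/sh
# Added example, not part of the original answers. Assumes sign-file lives
# under the running kernel's headers and that MOK.priv / MOK.der are in the
# current directory unless other paths are passed to sign_module.

# A signed module ends with the signature blob, a 12-byte module_signature
# struct, and this magic string followed by a newline (28 bytes in total).
SIG_MAGIC='~Module signature appended~'

# Print the sign-file path for the running kernel; fail loudly if absent.
find_sign_file() {
    f="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
    [ -x "$f" ] || { echo "sign-file not found at $f" >&2; return 1; }
    printf '%s\n' "$f"
}

# Return 0 if FILE ends with the appended-signature marker, 1 otherwise.
# The marker only shows that a signature was appended; whether the kernel
# trusts it still depends on the key being enrolled in the MOK list.
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "$SIG_MAGIC" ]
}

# Sign MODULE (a name resolved with modinfo -n) and verify the marker.
# Usage: sign_module vmmon [MOK.priv] [MOK.der]
sign_module() {
    mod="$1"; priv="${2:-./MOK.priv}"; der="${3:-./MOK.der}"
    sf="$(find_sign_file)" || return 1
    ko="$(modinfo -n "$mod")" || return 1
    if module_is_signed "$ko"; then
        echo "$ko already carries a signature; skipping" >&2
        return 0
    fi
    sudo "$sf" sha256 "$priv" "$der" "$ko" || return 1
    module_is_signed "$ko" || { echo "no signature marker on $ko" >&2; return 1; }
    # These fields appear in modinfo output only for signed modules.
    modinfo "$ko" | grep -E '^(signer|sig_key|sig_hashalgo):' \
        || echo "warning: modinfo shows no signature fields for $ko" >&2
}

# Sign every module named on the command line, e.g.: ./sign-modules.sh vmmon vmnet
for m in "$@"; do
    sign_module "$m" || exit 1
done
```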


Updated on September 18, 2022

Comments

  • Matsmath over 1 year

    I just installed Ubuntu 16.04 with secure boot and encountered the same vmware-error as described there:

    modprobe: ERROR: could not insert 'vmnet': Required key not available.

    One way to circumvent this problem is to disable secure boot, but I don't want to do that. The other way is to sign the kernel modules myself, following this very detailed thread. There is a tutorial on how to do that in RHEL and in Fedora, but all of these solutions rely on some script I cannot seem to find:

    sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)

    Where do I find this sign-file script in Ubuntu?


    Related: https://github.com/bergwolf/rhel6/blob/master/Documentation/module-signing.txt and sign a module after kernel compilation.

  • Matsmath about 8 years
    Thank you for your answer. I did exactly as you suggested, and I believe I managed to sign my files (as no errors were triggered at execution). However, when I try to verify that, modinfo vmmon does not show the relevant lines regarding digital signature information (such as signer, sig_key, etc.). I am still trying to figure this out.
  • Matsmath over 7 years
    Hi Eric, thank you for your answer. Hopefully it will help future visitors.
  • Brayam Valero over 4 years
    I had to do this (stated in the link you shared): To enroll the public key in the MOK (Module owned Key) your UEFI partition must have MokManager.efi installed. Now we have to manually add the public key to shim's MOK list:

    user@localhost:$ mokutil --import MOK.der

    Now you just need to reboot and follow the screen menus that will appear during the UEFI boot to enroll the new key. This is a persistent operation, so you'll only need to do this once.