Building the VMware Workstation Modules on Ubuntu 24.04 with Secure Boot Enabled

Hello everyone! I hope you have all been well and staying safe. Today’s blog is one that I hope you find helpful.

While I primarily use KVM for VMs on my laptop and even on my servers, I still use VMware Workstation on my laptop for quick testing. However, with the latest release (25H2 as of today), I was still running into issues where the vmmon and vmnet modules would build but not install properly. After looking through my logs, I found that they were not loading because they were not signed. I use Secure Boot on my laptop, and because of that, the kernel will not load unsigned modules into memory, since it treats them as untrusted. However, I have found a way to install the modules and maintain the security of the system. This blog will detail how to create a key, install the key, and sign the kernel modules after they have been compiled so that they will load properly.

I downloaded VMware Workstation from Broadcom’s support site. It’s free now for personal use. Once it was downloaded, I had to change the permissions so that it was executable, and then I ran the installer from the terminal:

chmod +x VMware-Workstation-Full-25H2-24995812.x86_64.bundle

sudo ./VMware-Workstation-Full-25H2-24995812.x86_64.bundle

After the installation, the kernel modules will be built, but they will not install. When you try to run a VM, it will fail saying it couldn’t load the vmmon module. When I tried to install the modules from the CLI, I was presented with the following error:

sudo modprobe vmmon

modprobe: ERROR: could not insert 'vmmon': Key was rejected by service

After a little searching, I found this was because I am using Secure Boot and the kernel modules are not signed. So I had to do the following to sign the modules.

First, I had to create a private key and a certificate to sign the modules. I had to create a Machine Owner Key (MOK). This also has to be added to the MOK database in Secure Boot to prove that the modules have been built and trusted by the system. I did the following to create the keys:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=My Kernel Module Signing/"

Now I had two files in my home directory, MOK.priv, the Private Key, and MOK.der, the DER formatted Certificate.

I now had to use the mokutil command to install the keys into the database:

sudo mokutil --import MOK.der

I had to create a password to install the certificate. Remember this password because when you reboot the machine, it will ask for this password to install the certificate. Do that and then log back in to the machine.

Once logged in, open a terminal and find the path for the modules:

modinfo -n vmmon
modinfo -n vmnet

They will be in the /lib/modules/$(uname -r)/misc directory; however, rather than typing the path, we will substitute the modinfo output directly into the next commands, which are what we will use to sign the modules:

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der $(modinfo -n vmmon)

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der $(modinfo -n vmnet)

You can then use the modprobe command to install the modules, but I normally just reboot my laptop to have everything start correctly, and then I can open VMware Workstation normally.
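
The signing steps above, collected into one script that also checks the result (an added example, not part of the original post). The script name sign-vmware-modules.sh, the MOK_DIR variable and the function names are assumptions made for illustration; the check relies on the marker string that sign-file appends to the end of every signed module.

```shell
#!/bin/sh
# Added example: sign the VMware modules with the MOK and confirm the result.
# Assumption: MOK.priv and MOK.der from the steps above live in $MOK_DIR
# (hypothetical variable, defaults to $HOME).

# Marker the kernel's sign-file tool appends to every signed module.
MAGIC='~Module signature appended~'

# Return 0 if the module file ends with the appended-signature marker.
is_signed() {
    [ -f "$1" ] && [ "$(tail -c 28 "$1")" = "$MAGIC" ]
}

# Return 0 only if group and others have no access to the private key.
key_is_private() {
    case "$(stat -c %a "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

sign_vmware_modules() {
    mok_dir=${MOK_DIR:-$HOME}
    sign_file="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
    if ! key_is_private "$mok_dir/MOK.priv"; then
        echo "MOK.priv is accessible to group or others; run chmod 600 on it" >&2
        return 1
    fi
    # Prints whether the certificate is enrolled; exit status is not relied on.
    mokutil --test-key "$mok_dir/MOK.der" || true
    for mod in vmmon vmnet; do
        path=$(modinfo -n "$mod") || return 1
        if is_signed "$path"; then
            echo "$mod: already signed ($path)"
            continue
        fi
        sudo "$sign_file" sha256 "$mok_dir/MOK.priv" "$mok_dir/MOK.der" "$path" || return 1
        is_signed "$path" || { echo "$mod: signature missing after signing" >&2; return 1; }
        echo "$mod: signed, signer: $(modinfo -F signer "$path")"
    done
}

# Sign only when invoked as: ./sign-vmware-modules.sh sign
if [ "${1:-}" = sign ]; then
    sign_vmware_modules
fi
```

The private key was created with -nodes, so it is stored unencrypted and anyone who can read it can sign modules this machine will trust; that is why the script refuses to run with a group- or world-accessible MOK.priv. Run it again after a kernel update, because the modules rebuilt for the new kernel are unsigned.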

I hope this helps you, and this process can be used to sign any module that you may need to.
