1

I recently signed a kernel module to fix a problem with VMware following instructions described in vmware error after upgrade to ubuntu 16.04 and How to sign kernel modules with sign-file?.

After installing some updates - the problem has resurfaced. I assume that there has been an update to the kernal - and the signed modules are either uninstalled - or the signing has become invalidated somehow.

I assume that the public / private key pair I created are still valid (they're just used to sign things?) So why is the module that I signed no-longer valid? Or is it simply no-longer installed?

I tried simply re-running mokutil - but I get told it is already enrolled:

mokutil --import MOK.der 
SKIP: MOK.der is already enrolled

However running a VM in VMware (workstation pro v12)

Could not open /dev/vmmon: No such file or directory.
Please make sure that the kernel module `vmmon' is loaded.

So - question - what is going on here - and what steps of the module signing and enrolment need to be repeated after a kernel update?

Also - is there anything I can to avoid having to do this again in future (ie - whenever I next install updates)

Disclaimer - I have only a hazy understanding of the details, I was mostly just following the instructions.

Kulfy
  • 18,154
Andrew M
  • 2,398

2 Answers2

3

Modules are compiled to match a specific kernel. So if the kernel was updated, then the module was recompiled, or needs to be recompiled, and the new module needs signing.

Your keys are still valid and can be reused.

The only steps that you need to do is compile the module and sign it. Your keys are still in the MOK

the signing command depends on how you sign it (there are few methods)

But yours is

sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
ravery
  • 6,924
2

I found the above answer still relevant in Sept 2020. An update of host Ubuntu 18.04 kernel caused VMware Workstation 15 to not be able to launch a previously-working vm. I reran the commands for vmmon and vmnet and my vm can now run again nicely.

sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)

sudo /usr/src/linux-headers-uname -r/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

This VMware KB article also was originally helpful to me for the first time signing of the modules:

https://kb.vmware.com/s/article/2146460

pomsky
  • 70,557
jsam589
  • 21