How to sign kernel modules with sign-file?
Solution 1:
On Ubuntu, that would be /usr/src/linux-headers-$(uname -r)/scripts/sign-file.
How did I figure that out? I did a search for sign-file:
dpkg -S sign-file
which told me which package provides this file (currently linux-headers-4.4.0-22-generic) and where it was installed, i.e. in /usr/src/linux-headers-4.4.0-22-generic/scripts/.
The uname -r part is just to keep the command independent from the currently-installed headers-generic package.
Solution 2:
From VMware's site, the cause of your problem is likely that:
On Linux host with secure mode enabled, it is not allowed to load any unsigned drivers. Due to this, VMware drivers, such as vmmon and vmnet, are not able to be loaded which prevents virtual machine to power on.
To fix this without turning off secure boot, you can do the following in a terminal:
- Generate a key pair using openssl to sign vmmon and vmnet modules:
  ~$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VMware/"
  (Replace MOK with the name of the file you want for the key.)
- Sign the modules using the generated key by running these commands:
  ~$ sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
  ~$ sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)
- Import the public key to the system's MOK list by running this command:
  ~$ sudo mokutil --import MOK.der
  Confirm a password for this MOK enrollment request.
- Reboot your machine. Follow the instructions to complete the enrollment from the UEFI console.
Cited from this VMware article: https://kb.vmware.com/kb/2146460
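
As an added example (not part of either answer or of the VMware article), here is one way to confirm that the sign-file step in Solution 2 actually appended a signature before you reboot. It assumes the standard kernel module signature trailer; module_sig_status and make_constructed_module are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original answers: inspect the trailer that
# sign-file appends, to confirm a module was actually signed.
# End of a signed .ko: [signature][12-byte module_signature][28-byte magic]
MAGIC='~Module signature appended~'   # stored in the file followed by '\n'
MAGIC_LEN=28
INFO_LEN=12

hex() { od -An -v -tx1 | tr -d ' \n'; }

# Prints "signed id_type=T sig_len=N", "unsigned", "malformed" or "unreadable".
# Returns 0 only when the trailer is present and internally consistent.
# The body runs in a subshell, so its variables and "exit" stay local.
module_sig_status() (
    f=$1
    [ -r "$f" ] || { echo unreadable; exit 2; }
    size=$(($(wc -c < "$f")))
    trailer=$((MAGIC_LEN + INFO_LEN))
    [ "$size" -gt "$trailer" ] || { echo unsigned; exit 1; }
    want=$(printf '%s\n' "$MAGIC" | hex)
    have=$(tail -c "$MAGIC_LEN" "$f" | hex)
    [ "$have" = "$want" ] || { echo unsigned; exit 1; }
    # Fields: algo hash id_type signer_len key_id_len pad[3] sig_len (big-endian)
    set -- $(od -An -v -tu1 -j $((size - trailer)) -N "$INFO_LEN" "$f")
    [ "$#" -eq 12 ] || { echo malformed; exit 1; }
    sig_len=$(( $9 * 16777216 + ${10} * 65536 + ${11} * 256 + ${12} ))
    # The signature must be non-empty and fit in front of the trailer.
    if [ "$sig_len" -eq 0 ] || [ "$sig_len" -gt $((size - trailer)) ]; then
        echo malformed; exit 1
    fi
    echo "signed id_type=$3 sig_len=$sig_len"   # id_type 2 = PKCS#7
)

# Writes a CONSTRUCTED stand-in file (not a real module) for trying the check.
# $1 = output path, $2 = low byte of sig_len as three octal digits (020 = 16).
make_constructed_module() {
    printf 'FAKE-MODULE-BODY-24BYTES' > "$1"
    printf '0123456789abcdef' >> "$1"      # 16-byte dummy "signature"
    printf '\000\000\002\000\000\000\000\000\000\000\000\'"$2" >> "$1"
    printf '%s\n' "$MAGIC" >> "$1"
}

# Usage: sh check-sig.sh "$(modinfo -n vmmon)" "$(modinfo -n vmnet)"
for m in "$@"; do
    printf '%s: ' "$m"
    module_sig_status "$m" || true
done
```

This checks only that the trailer is present and consistent; it does not verify the signature or that the key is enrolled in the MOK list. A compressed module (.ko.xz, .ko.zst) has to be decompressed before the check.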