VMware Workstation Linux Module Helper (SecureBoot/Mok/Build/Install/Sign)

vmware_mok.sh

#!/usr/bin/env bash

BASEDIR=$(dirname "$0")
CERT_NAME=vmware_mok_cert
CERT_DIR=$BASEDIR
CERT_PATH_BASENAME=${CERT_DIR}/${CERT_NAME}

set -e

# get root privilege
sudo test 0

# check if secureboot enabled
if sudo mokutil --sb-state | grep -q "enabled"; then
    echo "SecureBoot Enabled"
else
    echo "SecureBoot Disabled, no need to sign"
    exit
fi

# generate cert if needed
if ! [ -e ${CERT_PATH_BASENAME}.priv ] || ! [ -e ${CERT_PATH_BASENAME}.der ]; then
    echo "Cert missing, genernating..."
    rm -f ${CERT_PATH_BASENAME}.*
    openssl req -new -x509 -newkey rsa:2048 -keyout ${CERT_PATH_BASENAME}.priv -outform DER -out ${CERT_PATH_BASENAME}.der -nodes -days 36500 -subj "/CN=Vmware Mok/"
fi

# enroll cert if needed
if sudo mokutil --test-key ${CERT_PATH_BASENAME}.der | grep -1 "is not enrolled" >/dev/null; then
    echo "Cert not enrolled, enrolling..."
    sudo mokutil --import ${CERT_PATH_BASENAME}.der
    echo "Please reboot and finish the enroll process"
    exit
fi

# make and install modules (which will fail because it try to modprobe after build and there is no option to disable this behavior)
set +e
sudo vmware-modconfig --console --install-all
set -e

# sign modules
echo "Signing modules..."
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ${CERT_PATH_BASENAME}.priv ${CERT_PATH_BASENAME}.der $(modinfo -n vmmon)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ${CERT_PATH_BASENAME}.priv ${CERT_PATH_BASENAME}.der $(modinfo -n vmnet)

# load modules
echo "Loading modules..."
sudo modprobe vmmon
sudo modprobe vmnet

echo "Done"