Wrapper for vmware-modconfig to sign the modules for secure boot

98-vmware-modconfig.install.sh

#!/bin/bash
# Hook to sign VMware kernel modules after kernel install
# Place at: /etc/kernel/install.d/98-vmware-modconfig.install

COMMAND="${1:-add}"
KERNEL_VER="${2:-$(uname -r)}"
SIGN_CMD="/lib/modules/$KERNEL_VER/build/scripts/sign-file"
SBSIGN_KEY='/etc/efikeys/db.key'
SBSIGN_CRT='/etc/efikeys/db.crt'

case $COMMAND in
    add)
        echo "$(basename $0): Building VMware kernel modules for kernel $KERNEL_VER ..."
        bash -c "/usr/bin/vmware-modconfig --console --install-all -k $KERNEL_VER" &>/dev/null

        signer=$(openssl x509 -noout -in $SBSIGN_CRT -subject | awk -F'= ' '{print $NF}')

        for module in vmmon vmnet; do
            module=$(find /lib/modules/$KERNEL_VER -type f -name "$module.ko")

            [[ -f $module && $(modinfo $module -F signer) == $signer ]] || {
                echo "$(basename $0): Signing module $module ..."
                $SIGN_CMD sha256 $SBSIGN_KEY $SBSIGN_CRT $module
            }
        done

        [[ $KERNEL_VER == $(uname -r) ]] && {
            depmod -A && modprobe -a vmmon vmnet && systemctl restart vmware.service
        }
        ;;
    remove)
        echo "$(basename $0): Removing VMware kernel modules for kernel $KERNEL_VER ..."
        find /lib/modules/$KERNEL_VER -type f \( -name 'vmmon.ko' -o -name 'vmnet.ko' \) -delete

        [[ $KERNEL_VER == $(uname -r) ]] && {
            systemctl stop vmware.service && modprobe -r vmmon vmnet &>/dev/nuill && depmod -a
        }
        ;;
esac