Wrapper for vmware-modconfig to sign the modules for secure boot
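#!/bin/bash
# kernel-install hook: build the VMware kernel modules (vmmon, vmnet) for a
# kernel and sign them with the local Secure Boot key.
# Place at: /etc/kernel/install.d/98-vmware-modconfig.install
#
# Usage: 98-vmware-modconfig.install [add|remove] [KERNEL-VERSION]
#   $1  command; defaults to "add". Anything other than add/remove is ignored.
#   $2  kernel version; defaults to the running kernel (uname -r).
#
# Security notes:
#   - SBSIGN_KEY is a private signing key: anyone who can read it can produce
#     modules carrying the same signature. Keep it owned by root with no
#     group/other access. The script warns when the mode is looser than that.
#   - The script runs as root and builds paths from KERNEL-VERSION, so the
#     value is validated before use and is never passed through a shell string.
set -u

COMMAND="${1:-add}"
KERNEL_VER="${2:-$(uname -r)}"
SIGN_CMD="/lib/modules/$KERNEL_VER/build/scripts/sign-file"
SBSIGN_KEY='/etc/efikeys/db.key'
SBSIGN_CRT='/etc/efikeys/db.crt'

me=${0##*/}
status=0

# KERNEL_VER ends up inside /lib/modules/<ver> for a build, a sign and a
# `find -delete`; reject anything that could step outside that directory.
case "$KERNEL_VER" in
  '' | . | .. | */*)
    printf '%s: invalid kernel version: %s\n' "$me" "$KERNEL_VER" >&2
    exit 1
    ;;
esac

case "$COMMAND" in
  add)
    echo "$me: Building VMware kernel modules for kernel $KERNEL_VER ..."
    # Call the tool directly: wrapping it in `bash -c "... $KERNEL_VER"` would
    # let shell metacharacters in the version string run as commands.
    if ! /usr/bin/vmware-modconfig --console --install-all -k "$KERNEL_VER" &>/dev/null; then
      printf '%s: vmware-modconfig failed for kernel %s\n' "$me" "$KERNEL_VER" >&2
      exit 1
    fi

    # Fail early with a clear message instead of a sign-file usage error.
    if [[ ! -x "$SIGN_CMD" ]]; then
      printf '%s: sign-file not found: %s\n' "$me" "$SIGN_CMD" >&2
      exit 1
    fi
    if [[ ! -r "$SBSIGN_KEY" || ! -r "$SBSIGN_CRT" ]]; then
      printf '%s: signing key or certificate not readable\n' "$me" >&2
      exit 1
    fi
    # Detection aid: flag a private key that group or others can access.
    if [[ -n "$(find -L "$SBSIGN_KEY" -maxdepth 0 -perm /077 2>/dev/null)" ]]; then
      printf '%s: warning: %s is accessible to group/others\n' "$me" "$SBSIGN_KEY" >&2
    fi

    # Last "= "-separated field of the certificate subject line.
    # NOTE(review): this relies on openssl printing "CN = name" — confirm on
    # the installed openssl version.
    signer=$(openssl x509 -noout -in "$SBSIGN_CRT" -subject | awk -F'= ' '{print $NF}')

    for name in vmmon vmnet; do
      found=0
      while IFS= read -r -d '' module; do
        found=1
        # Skip only when the module already carries our signer. An empty
        # $signer (openssl failed) must not match an unsigned module.
        if [[ -n "$signer" && "$(modinfo -F signer "$module")" == "$signer" ]]; then
          continue
        fi
        echo "$me: Signing module $module ..."
        "$SIGN_CMD" sha256 "$SBSIGN_KEY" "$SBSIGN_CRT" "$module" || status=1
      done < <(find "/lib/modules/$KERNEL_VER" -type f -name "$name.ko" -print0)
      if ((!found)); then
        printf '%s: module %s.ko not found for kernel %s\n' "$me" "$name" "$KERNEL_VER" >&2
        status=1
      fi
    done

    # Only (re)load when the modules belong to the running kernel and every
    # module was signed. Written as `if` so that a different kernel version
    # does not turn into a non-zero exit status.
    if ((status == 0)) && [[ "$KERNEL_VER" == "$(uname -r)" ]]; then
      if ! { depmod -A && modprobe -a vmmon vmnet && systemctl restart vmware.service; }; then
        status=1
      fi
    fi
    ;;
  remove)
    echo "$me: Removing VMware kernel modules for kernel $KERNEL_VER ..."
    find "/lib/modules/$KERNEL_VER" -type f \( -name 'vmmon.ko' -o -name 'vmnet.ko' \) -delete ||
      status=1
    if [[ "$KERNEL_VER" == "$(uname -r)" ]]; then
      # The redirect target used to be misspelled, which made root create a
      # stray regular file under /dev instead of discarding the output.
      if ! { systemctl stop vmware.service && modprobe -r vmmon vmnet &>/dev/null && depmod -a; }; then
        status=1
      fi
    fi
    ;;
esac

exit "$status"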