{"id":51433188,"url":"https://github.com/jayelbotvibe-web/vmware-secureboot-fix","last_synced_at":"2026-07-05T05:03:50.515Z","repository":{"id":365621955,"uuid":"1272378442","full_name":"jayelbotvibe-web/vmware-secureboot-fix","owner":"jayelbotvibe-web","description":"Fix 'Virtual machine monitor failed' and 'Loading of unsigned module is rejected' on VMware Workstation after Ubuntu kernel updates — auto-compile, sign for Secure Boot, and keep working across reboots","archived":false,"fork":false,"pushed_at":"2026-06-18T05:30:10.000Z","size":17,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-18T07:24:08.643Z","etag":null,"topics":["automation","debian","kernel-modules","kernel-update","linux","linux-kernel","modprobe","module-signing","mok","secure-boot","sign-file","systemd","ubuntu","unsigned-module-rejected","virtual-machine-monitor-failed","vmware","vmware-player","vmware-workstation"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jayelbotvibe-web.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-17T14:52:15.000Z","updated_at":"2026-06-18T05:30:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jayelbotvibe-web/vmware-secureboot-fix","commit_stats":null,"previous_names":["jayelbotvibe-web/vmware-secureboot-fix"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/jayelbotvibe-web/vmware-secureboot-fix","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jayelbotvibe-web%2Fvmware-secureboot-fix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jayelbotvibe-web%2Fvmware-secureboot-fix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jayelbotvibe-web%2Fvmware-secureboot-fix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jayelbotvibe-web%2Fvmware-secureboot-fix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jayelbotvibe-web","download_url":"https://codeload.github.com/jayelbotvibe-web/vmware-secureboot-fix/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jayelbotvibe-web%2Fvmware-secureboot-fix/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35143824,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-05T02:00:06.290Z","response_time":100,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","debian","kernel-modules","kernel-update","linux","linux-kernel","modprobe","module-signing","mok","secure-boot","sign-file","systemd","ubuntu","unsigned-module-rejected","virtual-machine-monitor-failed","vmware","vmware-player","vmware-workstation"],"created_at":"2026-07-05T05:03:49.956Z","updated_at":"2026-07-05T05:03:50.502Z","avatar_url":"https://github.com/jayelbotvibe-web.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fix VMware \"Virtual Machine Monitor Failed\" After Ubuntu Kernel Update\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n[![Platform](https://img.shields.io/badge/platform-Ubuntu%20%7C%20Debian-orange)]()\n\n**Every kernel update breaks VMware. This fixes it — once, permanently.**\n\nIf you see this after `apt upgrade`:\n\n```\n$ systemctl status vmware\n× vmware.service - LSB: This service starts and stops VMware services\n   Virtual machine monitor - failed\n   Virtual ethernet - failed\n\n$ dmesg | grep module\nLoading of unsigned module is rejected\nLoading of unsigned module is rejected\n```\n\nYou're in the right place.\n\n---\n\n## Quick Fix (VMware is broken *right now*)\n\nThis rebuilds and signs modules for your current kernel immediately:\n\n```bash\ngit clone https://github.com/jayelbotvibe-web/vmware-secureboot-fix.git\ncd vmware-secureboot-fix\nsudo ./fix-vmware.sh\n```\n\nVMware works again. But the next kernel update will break it again — unless you install the auto-fix below.\n\n---\n\n## Permanent Fix (never breaks again)\n\nThis installs a hook that runs automatically after every kernel update. Next time `apt` installs a new kernel, VMware modules are rebuilt, signed, and ready **before you even reboot**.\n\n```bash\nsudo cp vmware-sign-modules /etc/kernel/postinst.d/vmware-sign-modules\nsudo chmod +x /etc/kernel/postinst.d/vmware-sign-modules\n```\n\n**That's it.** No terminal, no googling, no `vmware-modconfig` ever again. Kernel updates become boring.\n\n\u003e **How it works:** The hook compiles `vmmon.ko` and `vmnet.ko` against the *new* kernel's headers (not the running kernel — that's the bug every other approach misses), signs them if Secure Boot is on, and clears any stale `failed` state from systemd. When you reboot, VMware starts clean.\n\n---\n\n## Secure Boot Setup (one-time, only if Secure Boot is ON)\n\nCheck first:\n\n```bash\nmokutil --sb-state\n```\n\nIf it says `SecureBoot enabled`, you need a Machine Owner Key (MOK) so the kernel trusts signed modules. Do this once, before or after installing the hook.\n\n### Step 1: Generate a key\n\n```bash\nsudo mkdir -p /root/.vmware-keys\nsudo openssl req -new -x509 -newkey rsa:2048 \\\n  -keyout /root/.vmware-keys/MOK.priv \\\n  -outform DER -out /root/.vmware-keys/MOK.der \\\n  -nodes -days 36500 -subj \"/CN=VMware-MOK\"\n```\n\n### Step 2: Tell the system to enroll it\n\n```bash\nsudo mokutil --import /root/.vmware-keys/MOK.der\n```\n\nYou'll be asked to set a one-time password. Make it simple — you only use it once.\n\n### Step 3: Reboot into the MOK manager\n\n```bash\nsudo reboot\n```\n\nDuring boot, you'll see a **blue screen with white text** (the MOK Manager — it looks like BIOS, not Ubuntu). This screen only appears once.\n\nWhat to do on the blue screen:\n- Select **\"Enroll MOK\"** → Enter\n- Select **\"Continue\"** → Enter\n- Type the password you set in Step 2 → Enter\n- Select **\"Reboot\"** → Enter\n\nThe system reboots normally. From now on, VMware modules signed with your key are trusted.\n\n\u003e **Missed the blue screen?** It only shows once after `mokutil --import`. Run `sudo mokutil --import` again to re-trigger it.\n\n### Secure Boot is OFF?\n\nSkip this entire section. The hook auto-detects this and skips signing. Nothing to configure.\n\n---\n\n## The Three Bugs This Fixes\n\nWhy do existing approaches fail? Three compounding issues:\n\n### 🐛 Bug 1: Compiling and signing for the wrong kernel\n\nKernel hooks run during package installation, **before reboot**. The running kernel is still the old one. Two things go wrong:\n\n- `vmware-modconfig` calls `uname -r` → compiles modules for the OLD kernel → they land in `/lib/modules/OLD_KERNEL/`\n- `modinfo -n vmmon` also queries the running kernel → signing targets the wrong path\n\nThe hook then looks in `/lib/modules/NEW_KERNEL/` — but the modules were never compiled there.\n\n**Our fix:** bypass `vmware-modconfig` entirely. Compile directly against the new kernel's build system (`make -C /lib/modules/$NEW_KERNEL/build`), then sign the result at the correct path.\n\n### 🐛 Bug 2: Disabled service\n\n`vmware.service` defaults to `disabled`. Systemd won't auto-start a disabled service after reboot, even with perfectly compiled and signed modules.\n\n**Our fix:** `systemctl enable vmware` in the hook.\n\n### 🐛 Bug 3: Persisted failed state\n\nPrevious failed boot attempts leave `vmware.service` in a `failed` state. That state survives reboots and blocks auto-start, even after modules are fixed.\n\n**Our fix:** `systemctl reset-failed vmware` to clear the stale state.\n\n---\n\n## Troubleshooting\n\n### Check the hook log\n\n```bash\ncat /var/log/vmware-hook.log\n```\n\nEvery run is timestamped. Look for `ERROR` lines.\n\n### \"ERROR: vmmon.tar not found\"\n\nVMware Workstation / Player isn't installed, or it's installed in a non-standard location. The hook expects `/usr/lib/vmware/modules/source/`.\n\n### \"ERROR: compilation failed\"\n\nMissing kernel headers or build tools:\n```bash\nsudo apt install linux-headers-$(uname -r) build-essential\n```\n\n### \"ERROR: Secure Boot is ON but no MOK keys\"\n\nYou skipped the Secure Boot setup. See the section above — generate and enroll a key.\n\n### \"ERROR: depmod failed\"\n\nSomething is wrong with the kernel module tree. Try:\n```bash\nsudo depmod $(uname -r)\n```\n\n### VMware still broken after reboot?\n\n1. Check if the hook actually ran: `cat /var/log/vmware-hook.log | grep $(uname -r)`\n2. Check module signatures: `modinfo /lib/modules/$(uname -r)/misc/vmmon.ko | grep sig_id`\n3. Check service state: `systemctl status vmware`\n\n---\n\n## Configuration\n\nSet in `/etc/default/vmware-sign-modules` or at the top of the hook file:\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `MOK_PRIV_DIR` | `/root/.vmware-keys` | Where your MOK keypair lives |\n| `LOG_FILE` | `/var/log/vmware-hook.log` | Hook log location |\n| `MAX_RETRIES` | `3` | Retries for headers/signing |\n| `RETRY_DELAY` | `30` | Seconds between retries |\n\n---\n\n## Compatibility\n\n- **VMware Workstation 17+ / Player 17+**\n- **Ubuntu 22.04+ / Debian 12+** (any distro with `/etc/kernel/postinst.d/`)\n- **Secure Boot** on or off — auto-detected, no config needed\n- **Any kernel version**\n\n## Files\n\n| File | Purpose |\n|------|---------|\n| `vmware-sign-modules` | Kernel post-install hook (the auto-fix) |\n| `fix-vmware.sh` | Manual one-shot fix for right now |\n| `README.md` | This file |\n\n## License\n\nMIT — use it, fork it, ship it.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjayelbotvibe-web%2Fvmware-secureboot-fix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjayelbotvibe-web%2Fvmware-secureboot-fix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjayelbotvibe-web%2Fvmware-secureboot-fix/lists"}