https://github.com/jayelbotvibe-web/vmware-secureboot-fix
Fix 'Virtual machine monitor failed' and 'Loading of unsigned module is rejected' on VMware Workstation after Ubuntu kernel updates — auto-compile, sign for Secure Boot, and keep working across reboots
https://github.com/jayelbotvibe-web/vmware-secureboot-fix
automation debian kernel-modules kernel-update linux linux-kernel modprobe module-signing mok secure-boot sign-file systemd ubuntu unsigned-module-rejected virtual-machine-monitor-failed vmware vmware-player vmware-workstation
Last synced: 1 day ago
JSON representation
Fix 'Virtual machine monitor failed' and 'Loading of unsigned module is rejected' on VMware Workstation after Ubuntu kernel updates — auto-compile, sign for Secure Boot, and keep working across reboots
- Host: GitHub
- URL: https://github.com/jayelbotvibe-web/vmware-secureboot-fix
- Owner: jayelbotvibe-web
- License: mit
- Created: 2026-06-17T14:52:15.000Z (19 days ago)
- Default Branch: main
- Last Pushed: 2026-06-18T05:30:10.000Z (19 days ago)
- Last Synced: 2026-06-18T07:24:08.643Z (19 days ago)
- Topics: automation, debian, kernel-modules, kernel-update, linux, linux-kernel, modprobe, module-signing, mok, secure-boot, sign-file, systemd, ubuntu, unsigned-module-rejected, virtual-machine-monitor-failed, vmware, vmware-player, vmware-workstation
- Language: Shell
- Size: 16.6 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Fix VMware "Virtual Machine Monitor Failed" After Ubuntu Kernel Update
[](LICENSE)
[]()
**Every kernel update breaks VMware. This fixes it — once, permanently.**
If you see this after `apt upgrade`:
```
$ systemctl status vmware
× vmware.service - LSB: This service starts and stops VMware services
Virtual machine monitor - failed
Virtual ethernet - failed
$ dmesg | grep module
Loading of unsigned module is rejected
Loading of unsigned module is rejected
```
You're in the right place.
---
## Quick Fix (VMware is broken *right now*)
This rebuilds and signs modules for your current kernel immediately:
```bash
git clone https://github.com/jayelbotvibe-web/vmware-secureboot-fix.git
cd vmware-secureboot-fix
sudo ./fix-vmware.sh
```
VMware works again. But the next kernel update will break it again — unless you install the auto-fix below.
---
## Permanent Fix (never breaks again)
This installs a hook that runs automatically after every kernel update. Next time `apt` installs a new kernel, VMware modules are rebuilt, signed, and ready **before you even reboot**.
```bash
sudo cp vmware-sign-modules /etc/kernel/postinst.d/vmware-sign-modules
sudo chmod +x /etc/kernel/postinst.d/vmware-sign-modules
```
**That's it.** No terminal, no googling, no `vmware-modconfig` ever again. Kernel updates become boring.
> **How it works:** The hook compiles `vmmon.ko` and `vmnet.ko` against the *new* kernel's headers (not the running kernel — that's the bug every other approach misses), signs them if Secure Boot is on, and clears any stale `failed` state from systemd. When you reboot, VMware starts clean.
---
## Secure Boot Setup (one-time, only if Secure Boot is ON)
Check first:
```bash
mokutil --sb-state
```
If it says `SecureBoot enabled`, you need a Machine Owner Key (MOK) so the kernel trusts signed modules. Do this once, before or after installing the hook.
### Step 1: Generate a key
```bash
sudo mkdir -p /root/.vmware-keys
sudo openssl req -new -x509 -newkey rsa:2048 \
-keyout /root/.vmware-keys/MOK.priv \
-outform DER -out /root/.vmware-keys/MOK.der \
-nodes -days 36500 -subj "/CN=VMware-MOK"
```
### Step 2: Tell the system to enroll it
```bash
sudo mokutil --import /root/.vmware-keys/MOK.der
```
You'll be asked to set a one-time password. Make it simple — you only use it once.
### Step 3: Reboot into the MOK manager
```bash
sudo reboot
```
During boot, you'll see a **blue screen with white text** (the MOK Manager — it looks like BIOS, not Ubuntu). This screen only appears once.
What to do on the blue screen:
- Select **"Enroll MOK"** → Enter
- Select **"Continue"** → Enter
- Type the password you set in Step 2 → Enter
- Select **"Reboot"** → Enter
The system reboots normally. From now on, VMware modules signed with your key are trusted.
> **Missed the blue screen?** It only shows once after `mokutil --import`. Run `sudo mokutil --import` again to re-trigger it.
### Secure Boot is OFF?
Skip this entire section. The hook auto-detects this and skips signing. Nothing to configure.
---
## The Three Bugs This Fixes
Why do existing approaches fail? Three compounding issues:
### 🐛 Bug 1: Compiling and signing for the wrong kernel
Kernel hooks run during package installation, **before reboot**. The running kernel is still the old one. Two things go wrong:
- `vmware-modconfig` calls `uname -r` → compiles modules for the OLD kernel → they land in `/lib/modules/OLD_KERNEL/`
- `modinfo -n vmmon` also queries the running kernel → signing targets the wrong path
The hook then looks in `/lib/modules/NEW_KERNEL/` — but the modules were never compiled there.
**Our fix:** bypass `vmware-modconfig` entirely. Compile directly against the new kernel's build system (`make -C /lib/modules/$NEW_KERNEL/build`), then sign the result at the correct path.
### 🐛 Bug 2: Disabled service
`vmware.service` defaults to `disabled`. Systemd won't auto-start a disabled service after reboot, even with perfectly compiled and signed modules.
**Our fix:** `systemctl enable vmware` in the hook.
### 🐛 Bug 3: Persisted failed state
Previous failed boot attempts leave `vmware.service` in a `failed` state. That state survives reboots and blocks auto-start, even after modules are fixed.
**Our fix:** `systemctl reset-failed vmware` to clear the stale state.
---
## Troubleshooting
### Check the hook log
```bash
cat /var/log/vmware-hook.log
```
Every run is timestamped. Look for `ERROR` lines.
### "ERROR: vmmon.tar not found"
VMware Workstation / Player isn't installed, or it's installed in a non-standard location. The hook expects `/usr/lib/vmware/modules/source/`.
### "ERROR: compilation failed"
Missing kernel headers or build tools:
```bash
sudo apt install linux-headers-$(uname -r) build-essential
```
### "ERROR: Secure Boot is ON but no MOK keys"
You skipped the Secure Boot setup. See the section above — generate and enroll a key.
### "ERROR: depmod failed"
Something is wrong with the kernel module tree. Try:
```bash
sudo depmod $(uname -r)
```
### VMware still broken after reboot?
1. Check if the hook actually ran: `cat /var/log/vmware-hook.log | grep $(uname -r)`
2. Check module signatures: `modinfo /lib/modules/$(uname -r)/misc/vmmon.ko | grep sig_id`
3. Check service state: `systemctl status vmware`
---
## Configuration
Set in `/etc/default/vmware-sign-modules` or at the top of the hook file:
| Variable | Default | Description |
|----------|---------|-------------|
| `MOK_PRIV_DIR` | `/root/.vmware-keys` | Where your MOK keypair lives |
| `LOG_FILE` | `/var/log/vmware-hook.log` | Hook log location |
| `MAX_RETRIES` | `3` | Retries for headers/signing |
| `RETRY_DELAY` | `30` | Seconds between retries |
---
## Compatibility
- **VMware Workstation 17+ / Player 17+**
- **Ubuntu 22.04+ / Debian 12+** (any distro with `/etc/kernel/postinst.d/`)
- **Secure Boot** on or off — auto-detected, no config needed
- **Any kernel version**
## Files
| File | Purpose |
|------|---------|
| `vmware-sign-modules` | Kernel post-install hook (the auto-fix) |
| `fix-vmware.sh` | Manual one-shot fix for right now |
| `README.md` | This file |
## License
MIT — use it, fork it, ship it.