Fedora 39 Can't sign vmmon and vmnet kernel drivers

Hi all,
About this subject and the error I get, I found many topics in the search engines, but none of the proposed solutions worked for me.
Summarizing, I was able to create a key pair, public and private, put them under the relevant directory in /etc/pki/akmods/ and enroll the public key.
When I try to sign the modules with the sign-file script, no matter if the keys are already enrolled or not, I get this result:

/usr/src/kernels/$(uname -r)/scripts/sign-file sha256 \
  /etc/pki/akmods/certs/VMware_public_key.der \
  /etc/pki/akmods/private/VMware_private_key.priv \
  /lib/modules/6.7.9-200.fc39.x86_64/misc/vmmon.ko

At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: crypto/bio/bss_file.c:75
sign-file: /lib/modules/6.7.9-200.fc39.x86_64/misc/vmmon.ko

Any idea about how to solve the error?

Thanks in advance to anybody who will try to help me.

The claim in the error seems to be that there is no such file as /lib/modules/6.7.9-200.fc39.x86_64/misc/vmmon.ko. Have you checked that the file exists?

Thanks, you are right. That error happened after a kernel upgrade, before launching the program again and thus compiling the modules for the new kernel. I don’t know why those lines remained in my clipboard in place of the right ones, which are:

/usr/src/kernels/$(uname -r)/scripts/sign-file sha256 \
  /etc/pki/akmods/certs/VMware_public_key.der \
  /etc/pki/akmods/private/VMware_private_key.priv \
  /lib/modules/$(uname -r)/misc/vmmon.ko

At main.c:170:
- SSL error:1E08010C:DECODER routines::unsupported: crypto/encode_decode/decoder_lib.c:102
sign-file: /etc/pki/akmods/certs/VMware_public_key.der

It looks like there is an encryption problem, but I am not able to figure out which and why.

There is code in the rpmfusion nvidia driver package to sign that driver.
You could install those rpms and read the code to see how they sign the driver.
There are also docs on how to create a signing key and install it into the UEFI BIOS.

As far as I can understand, the drivers are installed already signed with rpmfusion keys. The instructions are relevant to the launch of a script that writes such keys in the /etc/pki/akmods directory and to the enrollment of those keys. Something that works and allowed me to install Virtual Box.
I tried to sign the virtual box drivers with the RpmFusion keys, obtaining the same error that I get with my keys.
All the tutorials refer to the same instructions to generate the keys, sign the drivers and enroll the keys. The differences are, in my opinion, irrelevant.
The only thing I didn’t mention is that I use KDE as desktop, but I don’t think that this matters in my case.

I would not look at tutorials, as they do not work for you.

What I would do is read the shell scripts that are used to sign the nvidia drivers, as that does work, and use that method for the vm drivers.

I realise that this does require a knowledge of scripting.

The private key goes before the public key

Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
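
The argument-order mistake identified in the reply above, as an added pre-flight check that is not part of the original thread or of the kernel's sign-file. The function names (`classify`, `check_order`, `sign_module`, `demo`) are hypothetical, and the file-type detection is a heuristic assumption, not a full parse of the key or certificate.

```shell
#!/bin/sh
# Added example (not from the thread): check sign-file arguments before signing.
# Argument order, per the usage line above: <hash algo> <key> <x509> <module>

# classify FILE -> missing | der | pem-private-key | pem-certificate | unknown
# Assumption: DER is detected by the ASN.1 SEQUENCE tag 0x30 plus a long-form
# length byte, PEM by its BEGIN line. This is a heuristic, not a full parse.
classify() {
    [ -f "$1" ] || { echo missing; return; }
    case $(od -An -tx1 -N2 "$1" | tr -d ' \n') in
        308[1-4]) echo der; return ;;
    esac
    case $(head -n 1 "$1" | tr -d '\000\r') in
        "-----BEGIN "*"PRIVATE KEY-----") echo pem-private-key ;;
        "-----BEGIN CERTIFICATE-----")    echo pem-certificate ;;
        *)                                echo unknown ;;
    esac
}

# check_order KEY X509 MODULE -> prints a verdict; returns 0 only for "ok"
check_order() {
    [ -f "$3" ] || { echo module-missing; return 1; }   # first error in the thread
    key=$(classify "$1"); cert=$(classify "$2")
    case "$key/$cert" in
        pem-private-key/der|pem-private-key/pem-certificate) echo ok ;;
        der/pem-private-key|pem-certificate/pem-private-key)
            echo swapped; return 1 ;;                   # second error in the thread
        *)  echo "unexpected:$key/$cert"; return 1 ;;
    esac
}

# sign_module KEY X509 MODULE: call sign-file only when the check passes.
sign_module() {
    verdict=$(check_order "$1" "$2" "$3") ||
        { echo "refusing to sign: $verdict" >&2; return 1; }
    "/usr/src/kernels/$(uname -r)/scripts/sign-file" sha256 "$1" "$2" "$3"
}

# demo: constructed stand-in files (not real keys); prints both verdicts.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' constructed > "$d/key.priv"
    printf '\060\202\003\121constructed' > "$d/cert.der"
    : > "$d/vmmon.ko"
    echo "thread order: $(check_order "$d/cert.der" "$d/key.priv" "$d/vmmon.ko")"
    echo "fixed order: $(check_order "$d/key.priv" "$d/cert.der" "$d/vmmon.ko")"
    rm -rf "$d"
}
```

Source the file and run `demo` to see both verdicts on the constructed files; `sign_module` takes the real key, certificate and module paths.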

Thank you, that was my mistake, but without your help I had no chance to identify it, so far was this possibility from my mind. Of course, to identify it, I had to read the code of the sign-file script. Something to remember in the future.
I followed the suggestion of Barry A Scott, whom I thank too, but none of the scripts I extracted from the Rpmfusion Nvidia RPMs looked able to sign files, so I deduced that the drivers were supplied already signed.

Thank you again Everybody

You probably won’t find it as it is very well hidden. If you open the log file somewhere in /var/cache/akmods you might find a line with

2024/03/14 06:20:20 akmodsbuild: + /usr/lib/rpm/brp-kmodsign /etc/pki/akmods/private/private_key.priv /etc/pki/akmods/certs/public_key.der /tmp/akmodsbuild.tARW6jAc//BUILDROOT/VirtualBox-kmod-7.0.14-2.fc39.x86_64/lib/modules/6.7.9-200.fc39.x86_64/extra/VirtualBox/ /usr/src/kernels/6.7.9-200.fc39.x86_64

Then /usr/lib/rpm/brp-kmodsign is the script that does the signing.

Thank you again, Villy, for your further clarification about such a cryptic subject.