its working! Thank you so much its been a really frustrating morning. To those having facing the same issue its 5 easy steps:

First install vmware player/workstation pro

then open terminal:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=My Name/"

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

sudo mokutil --import MOK.der

now reboot and re-enroll your key.

Just to clarify on the TPM maintenance, for the vmware certificates i used sudo mokutil --import MOK.der which I'm guessing means MOK.der is where the certificates are stored for vmware on the TPM, next time there's a kernel update and i need to update my certificates again i can just do sudo mokutil --delete MOK.der to remove them and redo the cert signing process to get vmware back up and running right? There no risk of me getting locked out of my desktop because deleted the ubantu keys right? MOK.der in this instance is strictly for vmware kernel modules right?

kind regards,

Christopher

I don't have a full grasp of the technicals of those command lines (just being monkey-see monkey-do with KB2146460); but I operate under the assumption that these are to prevent from the kernel modules being tampered with and the certificates are used as a form of trust. Another assumption is that the .der would contain the signature (probably the SHA256 hash) of the two newly built binaries.

So my assumption could very well be wrong...

With that in mind, here is what I do for my own system.

I place a suffix of the uname -r

sudo openssl req -new -x509 -newkey rsa:2048 -keyout VMware16-$(uname -r).priv -outform DER -out VMware16-$(uname -r).der -nodes -days 365 -subj "/CN=VMware/"

sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./VMware16-$(uname -r).priv ./VMware16-$(uname -r).der $(modinfo -n vmmon)

sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 ./VMware16-$(uname -r).priv ./VMware16-$(uname -r).der $(modinfo -n vmnet)

sudo mokutil --import VMware16-$(uname -r).der

So the easiest way to manage this without having the certificates accumulate in the TPM is once a new .der is enrolled and it works fine, the previous one can then be deleted.

For example, the previous kernel version

mokutil --delete VMware-16-5.19.0-40-generic.der
reboot to delete certificate

You don't have to necessarily follow this method as this works for me as an individual and not an enterprise with dozens or even thousands of PCs/laptops to manage. It might be different also for an enterprise rollout as the .priv and .der probably shouldn't be readily accessible by any ordinary user nor stored on the local storage of the PC/laptop for security reasons as it is probably like leaving the keys to the main door of a house on the doormat.

You can also list the .der with mokutil --export. And it will create a list of MOK0001.der through MOK00??.der however many is stored in the TPM. But then you have to figure out which correct MOK00??.der to delete/remove from the TPM.

This is perfect, I'm going to implement this for my own system. Thank you for your time, hopefully this will help others as well.