Asked Tuesday, November 30, 2021

I have a system (22.04.1 LTS) with an Nvidia card and with EFI secure boot enabled.

Virtualbox refuses to run a VM and claims that "if the system has EFI Secure Boot enabled you may also need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetapd, vboxpci)"

also

"VERR_VM_DRIVER not installed"

How do I sign those modules?



Answers

First, the issue isn't with EFI; it's with Secure Boot, which is just one specific UEFI feature. Secure Boot can be enabled or disabled and isn't even present on some (mostly older) EFI/UEFI implementations. I mention this because, if you can edit your question's title, doing so would be helpful to others.


Second, to answer your question, you must first have a Secure Boot Machine Owner Key (MOK) or Secure Boot db key installed in your computer. To do this, you must have both openssl and mokutil programs installed (from the openssl and mokutil packages, respectively). In brief:

  1. Using a shell (Terminal program or text-mode login), create and change into a temporary directory.

  2. Create a MOK. This is done by issuing two commands:

    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=Your Name/"
    openssl x509 -in MOK.crt -out MOK.cer -outform DER

  3. Install this MOK in your computer's NVRAM. This can be done in various ways, but the easiest is likely to be to use mokutil. You begin by passing the MOK.cer file to mokutil:

    sudo mokutil -i MOK.cer

  4. Note that sudo may ask for your account password; then mokutil will ask for a new password, and confirmation thereof.

  5. Reboot the computer. If all goes well, you'll be asked to press a key to begin MOK management, then asked for a password -- enter the new one you gave mokutil. (In some recent experiments of mine, the system asked for specific random characters from the password, which is more awkward.) You can then confirm addition of your MOK to the NVRAM's MOK list. When you're done, reboot into Ubuntu.

With the MOK now stored in NVRAM, you can sign your VirtualBox driver binaries. In its most basic form, the command to do this is:

    $path_to_binary/sign-file sha256 MOK.key MOK.cer $path_to_driver/vboxdrv.ko

Repeat this for vboxnetadp.ko and vboxnetflt.ko. The sign-file program is actually part of the Linux kernel source code; it's not a standard program in Ubuntu. You can find its location by typing find /usr/src -iname sign-file. If it's not installed, then you should install the linux-headers package. You can also use find to locate where the VirtualBox modules are, if you don't already know.


Once the modules are signed, you can load them with modprobe or reboot the computer.


I do this often enough that I wrote a script to automate the signing part of the process. This script will not automate the MOK creation, though. Here's my script:


#!/bin/bash
# sign-vbox script, copyright (c) 2017 by Rod Smith
# Distributed under the terms of the GPLv3
#
# Signs the VirtualBox DKMS modules for the running (or a given) kernel with a
# Machine Owner Key and then loads them. Run as root. The key files are expected
# on a separately mounted volume under /mnt/keys (see the notes below).

if [ "$#" -ne 1 ] && [ "$#" -ne 0 ]; then
    echo "Usage: $0 [ {kernel-version} ]"
    exit 1
fi

if [ "$#" -eq 0 ]; then
    kernel_version=$(uname -r)
    # apt-get install virtualbox-dkms --reinstall
else
    kernel_version="$1"
fi

key_dir="/mnt/keys"

# sign-file ships with the kernel headers rather than as a packaged command;
# take the last match in case several header trees are installed.
sign_file=$(find /usr/src/ -name sign-file | tail -n 1)

if [ -z "$sign_file" ]; then
    echo "Can't find the sign-file binary! Exiting!"
    exit 1
fi

if [ ! -f "$key_dir/MOK.key" ] || [ ! -f "$key_dir/MOK.cer" ]; then
    echo "MOK.key or MOK.cer not found in $key_dir; is the key volume mounted?"
    exit 1
fi

path_to_modules="/lib/modules/$kernel_version/updates/dkms"

if [ ! -f "$path_to_modules/vboxdrv.ko" ]; then
    echo "Could not find $path_to_modules/vboxdrv.ko!"
    echo "Is the kernel version correct?"
    exit 1
fi

echo "Signing modules for $kernel_version"
# vboxpci only exists in older VirtualBox releases, so sign whichever of the
# four modules are present; sign-file appends the signature to each .ko in place.
for module in vboxdrv vboxnetadp vboxnetflt vboxpci; do
    if [ -f "$path_to_modules/$module.ko" ]; then
        "$sign_file" sha256 "$key_dir/MOK.key" "$key_dir/MOK.cer" "$path_to_modules/$module.ko"
    fi
done

# Loading only makes sense for the running kernel's modules.
for module in vboxdrv vboxnetflt vboxpci vboxnetadp; do
    if [ -f "$path_to_modules/$module.ko" ]; then
        modprobe "$module"
    fi
done
echo "Loaded vbox modules:"
lsmod | grep vbox

To use the script, first store it in a file and make it executable (chmod a+x sign-vbox, for instance, if that's the filename you use). You then execute the script as root, as in sudo ./sign-vbox. This will sign the currently-booted kernel's VirtualBox modules. (If you want to sign another kernel's modules, you can pass its version number as an option.) Also, the script uses a hard-coded location for the key files, which brings us to....


Be aware that the MOK.key file (or whatever you call it) is potentially quite sensitive. If an intruder gets ahold of that key, then the intruder could sign kernel modules or boot loaders and use it to get very low-level access to your computer. That's why this script accesses the key files in /mnt/keys; the idea is to put them on a removable disk and mount that disk only when it's needed. Store all of the keys generated earlier by openssl in this way. Adjust the script as necessary for wherever you store your keys.


Answered Tuesday, November 30, 2021
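As an added pre-flight check that is not part of the answer above, the script below verifies, before you reboot, that Secure Boot is on, that the MOK is enrolled, that MOK.key really belongs to MOK.cer and is not readable by other users, and that each VirtualBox module present ends with the signature marker sign-file appends. It assumes the /mnt/keys key directory and the /lib/modules/<version>/updates/dkms module path used by the answer's script, and the "SecureBoot enabled" / "already enrolled" output strings of mokutil.

```shell
#!/bin/bash
# Added pre-flight check, not part of the original answer: before rebooting,
# confirm Secure Boot is on, the MOK is enrolled, MOK.key matches MOK.cer and
# is private, and every VirtualBox module present carries a signature.
set -u
MODULES_DIR="${MODULES_DIR:-/lib/modules/$(uname -r)/updates/dkms}"
SIG_MAGIC='~Module signature appended~'

# sign-file appends a PKCS#7 blob and then this fixed marker (27 characters plus
# a newline, 28 bytes). No marker means unsigned, e.g. because DKMS rebuilt
# the module after a kernel update and the old signature went with it.
module_has_signature() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\n')" = "$SIG_MAGIC" ]
}

# The private key must belong to the enrolled DER certificate, or the kernel
# will reject every module signed with it: compare the RSA moduli.
key_matches_cert() {
    local key_mod cert_mod
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -in "$2" -inform DER -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# A MOK private key signs code the firmware trusts; refuse anything group- or
# world-readable (only 0600 or 0400 pass; uses GNU stat as on Ubuntu).
key_perms_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run every check against the key directory given as $1; non-zero if any fails.
main() {
    local keydir="$1" rc=0 m
    command -v mokutil >/dev/null || { echo "mokutil is not installed"; return 2; }
    mokutil --sb-state | grep -q 'SecureBoot enabled' || { echo "Secure Boot is disabled"; rc=1; }
    mokutil --test-key "$keydir/MOK.cer" | grep -q 'already enrolled' || { echo "MOK.cer is not enrolled: run mokutil -i MOK.cer and reboot"; rc=1; }
    key_perms_ok "$keydir/MOK.key" || { echo "MOK.key is readable by others; chmod 600 it"; rc=1; }
    key_matches_cert "$keydir/MOK.key" "$keydir/MOK.cer" || { echo "MOK.key does not match MOK.cer"; rc=1; }
    for m in vboxdrv vboxnetadp vboxnetflt vboxpci; do
        [ -f "$MODULES_DIR/$m.ko" ] || continue   # vboxpci is absent in newer VirtualBox builds
        module_has_signature "$MODULES_DIR/$m.ko" || { echo "$m.ko carries no signature"; rc=1; }
    done
    return "$rc"
}

if [ "$#" -ge 1 ]; then   # e.g. sudo ./vbox-preflight.sh /mnt/keys
    main "$1"
fi
```

Run it again after every kernel update: DKMS rebuilds the modules unsigned, and the marker check is what tells you the sign-vbox script needs to be re-run.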