Monday, February 26, 2024
 Popular · Latest · Hot · Upcoming
1
rated 0 times [  1] [ 0]  / answers: 1 / hits: 496  / 2 Years ago, tue, november 30, 2021, 1:38:04

I have a system (22.04.1 LTS) with an Nvidia card
and with EFI secure boot enabled.


Virtualbox refuses to run a VM and claims that "if the system has EFI Secure Boot enabled you may also need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetapd, vboxpci)"


also


"VERR_VM_DRIVER not installed"


How do I sign those modules?


More From » virtualbox

 Answers
7

First, the issue isn't with EFI; it's with Secure Boot, which is just one specific UEFI feature. Secure Boot can be enabled or disabled and isn't even present on some (mostly older) EFI/UEFI implementations. I mention this because, if you can edit your question's title, doing so would be helpful to others.


Second, to answer your question, you must first have a Secure Boot Machine Owner Key (MOK) or Secure Boot db key installed in your computer. To do this, you must have both openssl and mokutil programs installed (from the openssl and mokutil packages, respectively). In brief:



  1. Using a shell (Terminal program or text-mode login), create and change into a temporary directory.



  2. Create a MOK. This is done by issuing two commands:


    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=Your Name/"
    openssl x509 -in MOK.crt -out MOK.cer -outform DER


  3. Install this MOK in your computer's NVRAM. This can be done in various ways, but the easiest is likely to be to use mokutil. You begin by passing the MOK.cer file to mokutil:


    sudo mokutil -i MOK.cer


  4. Note that sudo may ask for your account password; then mokutil will ask for a new password, and confirmation thereof.



  5. Reboot the computer. If all goes well, you'll be asked to press a key to begin MOK management, then asked for a password -- enter the new one you gave mokutil. (In some recent experiments of mine, the system asked for specific random characters from the password, which is more awkward.) You can then confirm addition of your MOK to the NVRAM's MOK list. When you're done, reboot into Ubuntu.




With the MOK now stored in NVRAM, you can sign your VirtualBox driver binaries. In its most basic form, the command to do this is:


$path_to_binary/sign-file sha256 MOK.key MOK.cer $path_to_driver/vboxdrv.ko

Repeat this for vboxnetadp.ko and vboxnetflt.ko. The sign-file program is actually part of the Linux kernel source code; it's not a standard program in Ubuntu. You can find its location by typing find /usr/src -iname sign-file. If it's not installed, then you should install the linux-headers package. You can also use find to locate where the VirtualBox modules are, if you don't already know.


Once the modules are signed, you can load them with modprobe or reboot the computer.


I do this often enough that I wrote a script to automate the signing part of the process. This script will not automate the MOK creation, though. Here's my script:


#!/bin/bash
# sign-vbox script, copyright (c) 2017 by Rod Smith
# Distributed under the terms of the GPLv3

if [ "$#" -ne 1 ] && [ "$#" -ne 0 ]; then
echo "Usage: $0 [ {kernel-version} ]"
exit 1
fi

if [ "$#" == 0 ]; then
kernel_version=$(uname -r)
# apt-get install virtualbox-dkms --reinstall
else
kernel_version="$1"
fi

sign_file=$(find /usr/src/ -name sign-file | tail -n 1)

if [ -z $sign_file ]; then
echo "Can't find the sign-file binary! Exiting!"
exit 1
else
path_to_modules="/lib/modules/$kernel_version/updates/dkms"

if [ ! -f $path_to_modules/vboxdrv.ko ]; then
echo "Could not find $path_to_modules/vboxdrv.ko!"
echo "Is the kernel version correct?"
exit 1
fi

echo "Signing modules for $kernel_version"
$sign_file sha256 /mnt/keys/MOK.key /mnt/keys/MOK.cer $path_to_modules/vboxdrv.ko
$sign_file sha256 /mnt/keys/MOK.key /mnt/keys/MOK.cer $path_to_modules/vboxnetadp.ko
$sign_file sha256 /mnt/keys/MOK.key /mnt/keys/MOK.cer $path_to_modules/vboxnetflt.ko
modprobe vboxdrv
modprobe vboxnetflt
modprobe vboxpci
modprobe vboxnetadp
echo "Loaded vbox modules:"
lsmod | grep vbox
fi

To use the script, first store it in a file and make it executable (chmod a+x sign-vbox, for instance, if that's the filename you use). You then execute the script as root, as in sudo ./sign-vbox. This will sign the currently-booted kernel's VirtualBox modules. (If you want to sign another kernel's modules, you can pass its version number as an option.) Also, the script uses a hard-coded location for the key files, which brings us to....


Be aware that the MOK.key file (or whatever you call it) is potentially quite sensitive. If an intruder gets ahold of that key, then the intruder could sign kernel modules or boot loaders and use it to get very low-level access to your computer. That's why this script accesses the key files in /mnt/keys; the idea is to put them on a removable disk and mount that disk only when it's needed. Store all of the keys generated earlier by openssl in this way. Adjust the script as necessary for wherever you store your keys.


[#31] Tuesday, November 30, 2021, 2 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
antorchestr

Total Points: 92
Total Questions: 111
Total Answers: 120

Location: Jordan
Member since Wed, Jun 17, 2020
4 Years ago
;