Skip to content

Instantly share code, notes, and snippets.

@chriscz

chriscz/1_generate_certs.sh

Forked from reillysiemens/signing-vbox-kernel-modules.md
Last active October 7, 2023 00:53
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save chriscz/86ae8943fc09438b4708de5124ddc75b to your computer and use it in GitHub Desktop.
Save chriscz/86ae8943fc09438b4708de5124ddc75b to your computer and use it in GitHub Desktop.
Download ZIP
Signing VirtualBox Kernel Modules
Raw
1_generate_certs.sh
#!/usr/bin/env bash
set -eou pipefail
# This is probably waaay too long.
CERTIFICATE_VALID_DAYS=36500
NAME="$(getent passwd $(whoami) | awk -F: '{print $5}')"
OUTPUT_DIR="/root/module-signing"
KEY_FILE="${OUTPUT_DIR}/MOK.priv"
CERT_FILE="${OUTPUT_DIR}/MOK.der"
if sudo test -f "$KEY_FILE"; then
echo "Keyfile ${KEY_FILE} already exists (Check your password manager to see if you have a password for it!). If you want to recreate it. Please run"
echo " rm -rf ${OUTPUT_DIR}"
exit 1
fi
export CERT_PASSWORD=`pwgen -1 24`
echo "*** NOTE Certificate Password: ${CERT_PASSWORD}"
sudo mkdir -p ${OUTPUT_DIR}
sudo -E openssl \
req \
-new \
-x509 \
-newkey \
rsa:2048 \
-passout \
"env:CERT_PASSWORD" \
-keyout "$KEY_FILE" \
-outform DER \
-out "$CERT_FILE" \
-days ${CERTIFICATE_VALID_DAYS} \
-subj "/CN=${NAME}/"
sudo bash -c "chmod 600 ${OUTPUT_DIR}/MOK*"
Raw
2_import_certs.sh
#!/usr/bin/env bash
set -eou pipefail
echo The password is only temporary and will be used on the next boot. **NOTE: It does not have to be the same as the signing key passphrase**
sudo mokutil --import /root/module-signing/MOK.der
Raw
3_sign_modules.sh
#!/usr/bin/env bash
set -eou pipefail
readonly hash_algo='sha256'
readonly key='/root/module-signing/MOK.priv'
readonly x509='/root/module-signing/MOK.der'
function sign_file() {
# The exact location of `sign-file` might vary depending on your platform.
/usr/src/kernels/$(uname -r)/scripts/sign-file "$@"
}
function sign_compressed_file() {
COMPRESSED_MODULE=$4
MODULE=$(echo $COMPRESSED_MODULE | sed -e "s/.xz$//g")
unxz "${COMPRESSED_MODULE}"
sign_file "$1" "$2" "$3" "${MODULE}"
xz -f "${MODULE}"
}
[ -z "${KBUILD_SIGN_PIN+x}" ] && read -p "Passphrase for ${key}: " KBUILD_SIGN_PIN
export KBUILD_SIGN_PIN
for module in $(dirname $(modinfo -n vboxdrv))/*.ko.xz; do
echo "* Signing ${module}..."
sign_compressed_file "${hash_algo}" "${key}" "${x509}" "${module}"
done
Raw
README.md

Build the modules

sudo /sbin/vboxconfig

Signing VirtualBox Kernel Modules

These are the steps I followed enable VirtualBox on my laptop without disabling UEFI Secure Boot. They're nearly identical to the process described on Øyvind Stegard's blog, save for a few key details. The images here are borrowed from the Systemtap UEFI Secure Boot Wiki.

  1. Install the VirtualBox package (this might be different for your platform).

    src='https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo'
dst='/etc/yum.repos.d/virtualbox.repo'
sudo curl ${src} > ${dst}
dnf check-update
sudo dnf install VirtualBox-6.0

  2. Create an RSA key pair to sign kernel modules.

    name="$(getent passwd $(whoami) | awk -F: '{print $5}')"
out_dir='/root/module-signing'
sudo mkdir ${out_dir}
sudo openssl \
    req \
    -new \
    -x509 \
    -newkey \
    rsa:2048 \
    -keyout ${out_dir}/MOK.priv \
    -outform DER \
    -out ${out_dir}/MOK.der \
    -days 36500 \  # This is probably waaay too long.
    -subj "/CN=${name}/"
sudo chmod 600 ${out_dir}/MOK*

    Note the absence of the -nodes option from Øyvind's post. With this option openssl will create a private key with no passphrase. The omission of this option prompts for a passphrase, which seems like a good idea for something as important as a kernel module signing key.

  3. Import the MOK ("Machine Owner Key") so it can be trusted by the system.

    sudo mokutil --import /root/module-signing/MOK.der

    This will prompt for a password. The password is only temporary and will be used on the next boot. It does not have to be the same as the signing key passphrase.

  4. Reboot your machine to enter the MOK manager EFI utility.

    • Select Enroll MOK.

    Enroll MOK

    • Select Continue.

    Continue

    • Select Yes to enroll the keys.

    Confirm

    • Enter the password from earlier.

    Enter password

    • Select OK to reboot.

    Reboot

    • Verify the key has been loaded by finding the it in the output of
    dmesg | grep '[U]EFI.*cert'

  5. Create a script for signing all the VirtualBox kernel modules.

    #!/bin/sh

readonly hash_algo='sha256'
readonly key='/root/module-signing/MOK.priv'
readonly x509='/root/module-signing/MOK.der'

readonly name="$(basename $0)"
readonly esc='\\e'
readonly reset="${esc}[0m"

green() { local string="${1}"; echo "${esc}[32m${string}${reset}"; }
blue() { local string="${1}"; echo "${esc}[34m${string}${reset}"; }
log() { local string="${1}"; echo "[$(blue $name)] ${string}"; }

# The exact location of `sign-file` might vary depending on your platform.
alias sign-file="/usr/src/kernels/$(uname -r)/scripts/sign-file"

[ -z "${KBUILD_SIGN_PIN}" ] && read -p "Passphrase for ${key}: " KBUILD_SIGN_PIN
export KBUILD_SIGN_PIN

for module in $(dirname $(modinfo -n vboxdrv))/*.ko; do
  log "Signing $(green ${module})..."
  sign-file "${hash_algo}" "${key}" "${x509}" "${module}"
done

    This script differs from Øyvind's in two aspects. First, and most importantly, it has ✨ C O L O R S ✨. Second, it uses the magic $KBUILD_SIGN_PIN environment variable that doesn't appear anywhere in the sign-file usage. I went spelunking in the Linux source for it, but in hindsight I could have just read the docs on manual module signing... I wrote this script to /root/bin/sign-vbox-modules as that's usually on root's $PATH.

  6. Execute the aforementioned script as root.

    sudo chmod 700 /root/bin/sign-vbox-modules
sudo -i sign-vbox-modules

  7. Load the vboxdrv module.

    sudo modprobe vboxdrv
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment