Instructions on signing VirtualBox and VMware modules for Secure Boot

Signing VirtualBox & VMware modules

Creating a key

You can change the "MOK" in MOK.priv / MOK.der to any name you like; "CN=" MUST hold your username, otherwise signing the modules may not work (on shim, possibly due to a bug).

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=John Doe/"

Signing the modules

This must be repeated at every kernel update; a script can be placed in /etc/kernel/postinst.d to automate the process (couldn't get it to work, though :p).

VirtualBox

# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

VMware

# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

Example script

Place it in /etc/kernel/postinst.d

#!/bin/bash
# Kernel package hooks call this with the new kernel version as $1 and run it
# as root; fall back to the running kernel when invoked by hand.
set -e
KVER="${1:-$(uname -r)}"
MOK_NAME=".MOK"
MOK_LOCATION="/home/gabriel"

cd "$MOK_LOCATION"

# Look up the module paths for $KVER (not the running kernel) and sign each one.
for mod in vmmon vmnet; do
    /usr/src/kernels/"$KVER"/scripts/sign-file sha256 "./${MOK_NAME}.priv" "./${MOK_NAME}.der" "$(modinfo -k "$KVER" -n "$mod")"
done

Adding the keys to shim

A reboot will be needed; follow the menu presented after boot to enroll the key.

# mokutil --import MOK.der

Check that the key is present

$ dmesg | grep 'EFI: Loaded cert'
[...]
[    1.626393] EFI: Loaded cert 'Gabriel: f1...30' linked to '.system_keyring'
[    1.627167] EFI: Loaded cert 'Gabriel: 0f...39' linked to '.system_keyring'
[    1.628009] EFI: Loaded cert 'Fedora Secure Boot CA: fd...42' linked to '.system_keyring'

TIP: Convert QEMU (gnome-boxes) image to .vdi (VirtualBox)

$ qemu-img convert -p [source] -O raw [dest].raw
$ VBoxManage convertdd [source].raw $HOME/.VirtualBox/VDI/[dest].vdi

McCauliflower commented Nov 10, 2016

Note that for Ubuntu 16.04 the "kernel" directory is removed, and the new path is /usr/src/linux-headers-$(uname -r)/scripts/sign-file


chozian commented Jun 6, 2019

Thank you very much for providing this info!


pluveto commented Feb 26, 2023

   ~  # /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)  ✔

modinfo: ERROR: Module vboxdrv not found.
zsh: bad pattern: #
   ~  /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)  1 ✘
modinfo: ERROR: Module vmmon not found.
zsh: no such file or directory: /usr/src/kernels/6.1.12-1-MANJARO/scripts/sign-file
   ~  /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)  127 ✘
modinfo: ERROR: Module vmnet not found.
zsh: no such file or directory: /usr/src/kernels/6.1.12-1-MANJARO/scripts/sign-file
   ~ 

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment