Instructions on signing VirtualBox and VMware modules for Secure Boot

Signing VirtualBox & VMware modules

Source

Creating a key

You can rename MOK.priv/MOK.der to anything you like; the "CN=" field MUST contain your username, otherwise signing the modules may not work (on shim, possibly due to a bug).

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=John Doe/"

Signing the modules

Signing must be repeated at every kernel update; a script placed in /etc/kernel/postinst.d can automate this (I couldn't get it to work, though :p).

VirtualBox

# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

VMware

# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

Example script

Place it in /etc/kernel/postinst.d

#!/bin/bash
# Re-sign the VMware modules after a kernel install. postinst.d hooks run
# as root (so no sudo) with the new kernel version as $1; fall back to the
# running kernel when the script is invoked by hand.
set -e

MOK_NAME=".MOK"
MOK_LOCATION="/home/gabriel"
KVER="${1:-$(uname -r)}"

cd "$MOK_LOCATION"

for mod in vmmon vmnet; do
    "/usr/src/kernels/$KVER/scripts/sign-file" sha256 "./${MOK_NAME}.priv" "./${MOK_NAME}.der" "$(modinfo -n -k "$KVER" "$mod")"
done

Adding the keys to shim

A reboot is needed; follow the menu presented at boot to enroll the key.

# mokutil --import MOK.der

Check whether the key is present

$ dmesg | grep 'EFI: Loaded cert'
[...]
[    1.626393] EFI: Loaded cert 'Gabriel: f1...30' linked to '.system_keyring'
[    1.627167] EFI: Loaded cert 'Gabriel: 0f...39' linked to '.system_keyring'
[    1.628009] EFI: Loaded cert 'Fedora Secure Boot CA: fd...42' linked to '.system_keyring'
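The "Signing the modules" and "Check whether the key is present" steps above, combined into one script that signs and then verifies each module. This is an added example, not the gist author's script; it assumes the key pair created above (overridable via MOK_PRIV/MOK_DER), a sign-file under one of the two header layouts named on this page, and that mokutil --test-key reports "already enrolled" for an enrolled certificate.

```shell
#!/bin/bash
# Added example, not the gist author's script: sign out-of-tree modules and
# verify the result. Assumes the key pair created above (MOK_PRIV/MOK_DER)
# and a sign-file under one of the two header layouts named on this page.
set -eu

MOK_PRIV="${MOK_PRIV:-${HOME:-.}/.MOK.priv}"
MOK_DER="${MOK_DER:-${HOME:-.}/.MOK.der}"

# Locate sign-file for a kernel release: the /usr/src/kernels layout used
# above first, then the Ubuntu linux-headers layout from the comments; $2 overrides /usr/src.
find_sign_file() {
    local rel="$1" base="${2:-/usr/src}" cand
    for cand in "$base/kernels/$rel/scripts/sign-file" \
                "$base/linux-headers-$rel/scripts/sign-file"; do
        if [ -x "$cand" ]; then printf '%s\n' "$cand"; return 0; fi
    done
    return 1
}

# A signed .ko ends with the 28-byte marker "~Module signature appended~\n";
# $(...) strips the trailing newline, hence the 27-character comparison.
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "~Module signature appended~" ]
}

# Sign one module in place, then confirm the marker and print the signer CN.
sign_module() {
    local mod="$1" signer
    signer="$(find_sign_file "$(uname -r)")" \
        || { echo "no sign-file for $(uname -r): install kernel headers" >&2; return 1; }
    "$signer" sha256 "$MOK_PRIV" "$MOK_DER" "$mod"
    module_is_signed "$mod" || { echo "$mod: signature marker missing" >&2; return 1; }
    modinfo -F signer "$mod"
}

# Usage: ./sign-mods.sh vmmon vmnet vboxdrv  (as root, after each kernel update)
# Signing alone is not enough under Secure Boot: the certificate must also be
# enrolled, so warn first (assumption: mokutil --test-key says "already enrolled").
if [ "$#" -gt 0 ]; then
    out="$(mokutil --test-key "$MOK_DER" 2>&1 || true)"
    case "$out" in
        *"already enrolled"*) ;;
        *) echo "warning: $MOK_DER not enrolled; run mokutil --import and reboot" >&2 ;;
    esac
    for name in "$@"; do
        sign_module "$(modinfo -n "$name")"
    done
fi
```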

TIP: Convert a QEMU (gnome-boxes) image to .vdi (VirtualBox)

Source

$ qemu-img convert -p [source] -O raw [dest].raw
$ VBoxManage convertdd [source].raw $HOME/.VirtualBox/VDI/[dest].vdi
@electricAlchemy


commented Nov 10, 2016

Note that for Ubuntu 16.04 the "kernel" directory is removed, and the new path is /usr/src/linux-headers-'uname -r'/scripts/sign-file

@chozian


commented Jun 6, 2019

Thank you very much for providing this info!
