Instructions on signing VirtualBox and VMware modules for Secure Boot

Signing VirtualBox & VMware modules


Creating a key

You can change the "MOK" in MOK.priv/MOK.der to any name you like. "CN=" MUST hold your username; otherwise signing the modules may not work (on shim, possibly due to a bug).

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=John Doe/"

Signing the modules

This must be repeated at every kernel update. A script can be placed in /etc/kernel/postinst.d to automate this process (couldn't get it to work, though :p).


# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)


# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

Example script

Place it in /etc/kernel/postinst.d




#!/bin/sh
MOK_NAME="MOK"
sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./${MOK_NAME}.priv ./${MOK_NAME}.der $(modinfo -n vmmon)
sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./${MOK_NAME}.priv ./${MOK_NAME}.der $(modinfo -n vmnet)
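
The automation described above, as an added example (not the gist author's script): a hook that signs the modules for the newly installed kernel rather than the running one, uses absolute key paths, and tries both sign-file locations named on this page. It assumes the hook receives the new kernel version as its first argument and that the keys live in a hypothetical root-only directory, /root/module-signing; SRC_ROOT and MODULES are illustrative variables.

```shell
#!/bin/sh
# Added example hook: sign the hypervisor modules for a newly installed kernel.
# Assumptions: $1 is the new kernel version; KEY_DIR is a hypothetical
# directory for MOK.priv/MOK.der. Keep it root-only: the key was created
# unencrypted (-nodes).
KEY_DIR=${KEY_DIR:-/root/module-signing}
MOK_NAME=${MOK_NAME:-MOK}
SRC_ROOT=${SRC_ROOT:-/usr/src}
MODULES=${MODULES:-"vboxdrv vmmon vmnet"}

# Print the sign-file path for kernel version $1, trying both directory
# layouts mentioned on this page. Returns 1 if neither exists.
find_sign_file() {
    for f in "$SRC_ROOT/kernels/$1/scripts/sign-file" \
             "$SRC_ROOT/linux-headers-$1/scripts/sign-file"; do
        if [ -x "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Sign every listed module that exists for kernel version $1.
# Returns 0 if no signing step failed, 1 otherwise.
sign_modules() {
    kver=$1
    rc=0
    signer=$(find_sign_file "$kver") || { echo "no sign-file for $kver" >&2; return 1; }
    for mod in $MODULES; do
        # -k queries the module tree of $kver, not the running kernel.
        path=$(modinfo -k "$kver" -n "$mod" 2>/dev/null) || path=""
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "skip $mod: not built for $kver" >&2
            continue
        fi
        "$signer" sha256 "$KEY_DIR/$MOK_NAME.priv" "$KEY_DIR/$MOK_NAME.der" "$path" \
            || { echo "failed to sign $mod" >&2; rc=1; }
    done
    return $rc
}

# Only act when invoked as a hook with a kernel version argument.
if [ -n "${1:-}" ]; then
    sign_modules "$1"
fi
```

Modules that are not yet built for the new kernel are skipped, so the hook may need to run again after the hypervisor rebuilds its modules.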

Adding the keys to shim

A reboot is needed; follow the menu presented after boot to enroll the key.

# mokutil --import MOK.der

Check if key is present

$ dmesg | grep 'EFI: Loaded cert'
[    1.626393] EFI: Loaded cert 'Gabriel: f1...30' linked to '.system_keyring'
[    1.627167] EFI: Loaded cert 'Gabriel: 0f...39' linked to '.system_keyring'
[    1.628009] EFI: Loaded cert 'Fedora Secure Boot CA: fd...42' linked to '.system_keyring'

TIP: Convert QEMU (gnome-boxes) image to .vdi (VirtualBox)


$ qemu-img convert -p [source] -O raw [dest].raw
$ VBoxManage convertdd [source].raw $HOME/.VirtualBox/VDI/[dest].vdi

McCauliflower commented Nov 10, 2016

Note that for Ubuntu 16.04 the "kernel" directory is removed, and the new path is /usr/src/linux-headers-'uname -r'/scripts/sign-file


chozian commented Jun 6, 2019

Thank you very much for providing this info!
