Follow the steps below if you have EFI Secure Boot enabled and need to sign the VirtualBox kernel modules.
- Install the virtualbox package
sudo apt install virtualbox
- Create a personal public/private RSA key pair which will be used to sign kernel modules
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=YOUR_NAME/"
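Save your MOK in a safe place: the -nodes option writes MOK.priv unencrypted, and anyone who can read it can sign modules that this machine will load under Secure Boot. Don't forget to update the commands/scripts to reflect the new path where your key & cert files are located.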
- Use the MOK utility (Machine Owner Key) to import the public key to the system keyring
sudo mokutil --import MOK.der
- Reboot the machine and enroll the MOK
- Use the signing utility shipped with the kernel to sign all the VirtualBox modules using the private MOK
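#!/bin/bash
# Sign every VirtualBox module in the directory that holds vboxdrv.
# Run as root (the module files are root-owned) from the directory containing MOK.priv and MOK.der.
SIGNTOOL="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
MODDIR="$(dirname "$(modinfo -n vboxdrv)")"
for modfile in "$MODDIR"/*.ko; do
    echo "Signing $modfile"
    "$SIGNTOOL" sha256 MOK.priv MOK.der "$modfile"
done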
- Reload the vbox module and fire the VM up
sudo modprobe vboxdrv
Reference: https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/
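A check to run after the signing step, added here as an example and not part of the original post: it lists the modules that carry no appended signature, which is the state they return to whenever the VirtualBox modules are rebuilt. It assumes uncompressed .ko files, as in the signing script above; the function names are made up for this example.

```shell
#!/bin/bash
# Added example (not from the original post): find modules that still need signing.
# sign-file appends the signature to the module and ends the file with the
# kernel's marker string "~Module signature appended~" plus a newline (28 bytes).
MAGIC='~Module signature appended~'

# Hex-encode stdin on one line so binary data can be compared safely.
to_hex() {
    od -An -tx1 | tr -d ' \n'
}

# Return 0 if the file ends with the signature marker, 1 if not, 2 if missing.
# Works on uncompressed .ko files only (assumption matching the script above).
has_module_signature() {
    hms_file="$1"
    [ -f "$hms_file" ] || return 2
    hms_want="$(printf '%s\n' "$MAGIC" | to_hex)"
    hms_got="$(tail -c 28 "$hms_file" | to_hex)"
    [ "$hms_got" = "$hms_want" ]
}

# Print every *.ko in the given directory that has no appended signature.
list_unsigned_modules() {
    lum_dir="$1"
    for lum_mod in "$lum_dir"/*.ko; do
        [ -e "$lum_mod" ] || continue
        has_module_signature "$lum_mod" || printf '%s\n' "$lum_mod"
    done
}

# Usage: ./check-signed.sh "$(dirname "$(modinfo -n vboxdrv)")"
if [ "$#" -gt 0 ]; then
    list_unsigned_modules "$1"
fi
```

The marker only shows that a signature was appended, not that it verifies against an enrolled key; `modinfo -F signer` on a module prints the name of the certificate that signed it.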
For some reason on my Debian machine I get "Failed to enroll new keys" (after doing mokutil --import MOK.der).