@kiasaki

kiasaki/readme.md

Last active Aug 3, 2020
ubuntu: vboxdrv module signing for secureboot to load it

Since kernel version 4.4.0-20, unsigned kernel modules are not allowed to load when Secure Boot is enabled. If you want to keep Secure Boot on, the next logical step is to sign those modules.

So let's try it.

Create signing keys

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"

Sign the module (vboxdrv for this example)

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
# also sign: vboxnetadp vboxnetflt vboxpci

Register the keys to Secure Boot

sudo mokutil --import MOK.der

Supply a password for later use after the reboot. Reboot and follow the instructions to enroll the MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time. After the reboot, you may also need to run sudo modprobe vboxdrv to load the module. Please let me know if VirtualBox would run this way on Ubuntu 16.04 (on kernel 4.4.0-21 or higher, I believe).

http://gorka.eguileor.com/vbox-vmware-in-secureboot-linux/
https://github.com/Canonical-kernel/Ubuntu-kernel/blob/master/Documentation/module-signing.txt
http://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur
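The "# also sign:" step written out, as an added example that is not part of the original gist: sign-file only reads MOK.priv and MOK.der and appends the signature to the module file, so one key pair and one mokutil --import cover every module. The function names and the environment-variable overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the gist author's code): sign each VirtualBox module
# with the single MOK key pair and confirm that a signature was appended.

# Assumed locations: the gist writes both key files to the current directory.
MOK_PRIV=${MOK_PRIV:-./MOK.priv}
MOK_DER=${MOK_DER:-./MOK.der}
SIGN_FILE=${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}

# A signed module ends with a 28-byte marker (27 characters plus newline).
# This check applies to uncompressed .ko files.
module_is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "~Module signature appended~" ]
}

# sign_modules NAME...: sign each named module in place with the same key
# pair. Modules that are not installed are skipped; returns non-zero if any
# installed module ends up without a signature.
sign_modules() {
    rc=0
    for name in "$@"; do
        path=$(modinfo -n "$name" 2>/dev/null) || {
            echo "skip $name: not installed"
            continue
        }
        if sudo "$SIGN_FILE" sha256 "$MOK_PRIV" "$MOK_DER" "$path" &&
           module_is_signed "$path"; then
            echo "ok   $name: $path"
        else
            echo "FAIL $name: no signature on $path"
            rc=1
        fi
    done
    return "$rc"
}

# Usage, after creating the key pair:
#   sign_modules vboxdrv vboxnetadp vboxnetflt vboxpci
#   sudo mokutil --import "$MOK_DER"     # one enrolment covers all modules
#   mokutil --test-key "$MOK_DER"        # after reboot: is the key enrolled?
```

Because the key was generated with -nodes, MOK.priv is unencrypted on disk; anyone who can read it can sign modules this machine will load, so keep it readable by root only or store it offline.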

@Thierry-Dumont Thierry-Dumont commented Sep 4, 2018

Everything is ok with 4.15.0-33-generic on Ubuntu 18-04.
My only problem was that I use a French keyboard and at boot time, the keyboard is actually not French (when registering the key).
Thanks!
Yours.
t.

@jmberros jmberros commented Aug 21, 2019

A small doubt: when you say "# also sign: vboxnetadp vboxnetflt vboxpci", I understand that line has to be rerun changing the last bit, but do the destination files ./MOK.{priv,der} also have to be renamed and then imported (so the mokutil --import line would be run four times)? I'm confused about whether the sign-file script overwrites those files completely or just appends/modifies them preserving the info added in the previous steps.

Thanks!

@denis-bezruchkin denis-bezruchkin commented Dec 30, 2019

Worked with 5.3.0-24-generic #26-Ubuntu and 6.0.14 VBox.

@davicrystal davicrystal commented Mar 24, 2020

It has worked for me as a charm 5.3.0-42-generic #34~18.04.1-Ubuntu

@CireB1925 CireB1925 commented Jun 5, 2020

Thank you so much, you are a life saver. It worked for me on Ubuntu 20.04, 5.4.0-33-generic.