Sign VirtualBox kernel modules to run with SecureBoot
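#!/usr/bin/env bash
#
# Sign the VirtualBox kernel modules so they can be loaded with Secure Boot
# enabled, and queue the signing certificate for enrollment in shim's MOK list.
#
# Script for guide:
#   https://gorka.eguileor.com/vbox-vmware-in-secureboot-linux-2016-update/
#
# Verification:
#   dmesg | grep "EFI:.*cert.*${cert_name}"
#
# Security note: the private key is written unencrypted (-nodes) into the
# current directory. Once the matching certificate is enrolled, anyone who can
# read that key can sign kernel modules this machine will accept under Secure
# Boot. Run the script from a directory only you can access and keep the
# .priv file off shared or backed-up locations.
#
set -eu
set -o pipefail

cert_name="VBoxCert"
key_file="./${cert_name}.priv"
cert_file="./${cert_name}.der"

# To enroll the public key in the MOK (Machine Owner Key) list, the UEFI
# partition must have MokManager.efi installed.
if [[ $(sudo find /boot -name MokManager.efi | wc -l) -gt 0 ]]; then
  echo "Found MokManager.efi"
else
  echo "ERROR: Did not found MokManager.efi" >&2
  exit 1
fi

# Generate the key pair only when neither half exists. A lone key or a lone
# certificate means an earlier run was interrupted or a file was removed;
# stop instead of signing with a mismatched pair or silently replacing a key
# whose certificate may already be enrolled.
if [[ ! -e "$key_file" && ! -e "$cert_file" ]]; then
  (
    # Restrictive umask so the unencrypted private key is never created
    # group- or world-readable.
    umask 077
    openssl req -new -x509 -newkey rsa:2048 -keyout "$key_file" \
      -outform DER -out "$cert_file" -nodes -days 3650 \
      -subj "/CN=${cert_name}/"
  )
elif [[ ! -e "$key_file" || ! -e "$cert_file" ]]; then
  echo "ERROR: only one of ${key_file} and ${cert_file} exists" >&2
  exit 1
fi

# Locate the directory holding the vbox modules. The assignments are separate
# statements so a failing modinfo aborts the script under 'set -e'.
module_path=$(modinfo -n vboxdrv)
module_dir=$(dirname -- "$module_path")

# NOTE(review): this sign-file location is the one the original script uses;
# the path layout differs between distributions - confirm for yours.
sign_tool="/usr/src/kernels/$(uname -r)/scripts/sign-file"

# Sign vbox modules with certificate
signed=0
for f in "$module_dir"/*.ko; do
  # An unmatched glob stays as the literal pattern; skip it rather than
  # handing a non-existent path to sign-file.
  [[ -e "$f" ]] || continue
  echo "Signing $f"
  sudo "$sign_tool" sha256 "$key_file" "$cert_file" "$f"
  signed=$((signed + 1))
done

if [[ "$signed" -eq 0 ]]; then
  echo "ERROR: no .ko modules found in ${module_dir}" >&2
  exit 1
fi

# Manually add the public key to shim's MOK list.
# We'll be asked for a password that will be used during the UEFI boot to
# enroll the new key.
sudo mokutil --import "$cert_file"

exit 0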