@seanwu1105
Last active July 11, 2019 10:18
Install macOS with VirtualBox in Ubuntu

Install VirtualBox 6.x

Download and install VirtualBox 6.x from the website.

Deal with Annoying Secure Boot

You have two options: disable Secure Boot or sign the kernel modules. This guide only covers signing the kernel modules, which leaves Secure Boot enabled.

Sign Kernel Modules

Excerpted from this wonderful article.

  1. Install the virtualbox package. If the installation detects that Secure Boot is enabled, you will be presented with the issue at hand and given the option to disable Secure Boot. Choose "No".
  2. Create a personal public/private RSA key pair which will be used to sign kernel modules. We chose to use the root account and the directory /root/module-signing/ to store all things related to signing kernel modules.
$ sudo -i
# mkdir /root/module-signing
# cd /root/module-signing
# openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500

OpenSSL will ask for the subject information. For example, set the CN (Common Name) to VBox Secure Boot Signing and leave the rest empty by typing a single dot (.). For details, see this article.

# chmod 600 MOK.priv
  3. Use the MOK (Machine Owner Key) utility to import the public key so that it can be trusted by the system. This is a two-step process: the key is first imported, and then must be enrolled the next time the machine is booted. A simple password is good enough, as it is only for temporary use.
# mokutil --import /root/module-signing/MOK.der
  4. Reboot the machine. When the bootloader starts, the MOK manager EFI utility should automatically start. It will ask for parts of the password supplied in step 3. Choose to "Enroll MOK", then you should see the key imported in step 3. Complete the enrollment steps, then continue with the boot. Before we sign, let’s make sure the key we added really is seen by the kernel. To do this, we can go look at /proc/keys. Just make sure a key exists there with the attributes (commonName, etc.) you entered earlier.
$ sudo cat /proc/keys
  5. Using a signing utility shipped with the kernel build files, sign all the VirtualBox modules using the private MOK key generated in step 2. We put this in a small script /root/module-signing/sign-vbox-modules.sh, so it can be easily run when new kernels are installed as part of regular updates. Remember to make it executable (chmod +x /root/module-signing/sign-vbox-modules.sh).
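#!/bin/bash
# Sign every VirtualBox module built for the running kernel with the MOK key pair.

# Directory holding the vbox*.ko files for the currently booted kernel.
moddir="$(dirname "$(modinfo -n vboxdrv)")"

for modfile in "$moddir"/*.ko; do
  echo "Signing $modfile"
  "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
                                /root/module-signing/MOK.priv \
                                /root/module-signing/MOK.der "$modfile"
done

# Load the freshly signed modules and list what is loaded.
modprobe vboxdrv
modprobe vboxnetflt
modprobe vboxpci
modprobe vboxnetadp
echo "Loaded vbox modules:"
lsmod | grep vbox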
  6. Run the script from step 5 as root. You will need to run the signing script every time a new kernel update is installed, since this will cause a rebuild of the third party VirtualBox modules. Use the script only after the new kernel has been booted, since it relies on modinfo -n and uname -r to tell which kernel version to sign for.
# /root/module-signing/sign-vbox-modules.sh
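
A check worth running after the signing script, as an added example that is not part of the original gist or the excerpted article: it reports, per module, whether the signature's signer matches the Common Name chosen in step 2. The function names, the status labels and the --run switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm the VirtualBox modules carry a signature from the MOK.
# Assumes kmod's modinfo exposes the "signer" field (the certificate's CN).

# Print the signer recorded in a module's signature; empty if unsigned.
module_signer() {
  modinfo -F signer "$1" 2>/dev/null
}

# audit_modules EXPECTED_CN MODULE...
# Prints one status line per module; returns 0 only if all match EXPECTED_CN.
audit_modules() {
  expected_cn=$1
  shift
  bad=0
  for modfile in "$@"; do
    signer=$(module_signer "$modfile")
    if [ "$signer" = "$expected_cn" ]; then
      echo "OK       $modfile"
    elif [ -z "$signer" ]; then
      echo "UNSIGNED $modfile"
      bad=$((bad + 1))
    else
      echo "FOREIGN  $modfile (signer: $signer)"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Live run (as root): sh audit-vbox-modules.sh --run "VBox Secure Boot Signing"
if [ "${1:-}" = "--run" ]; then
  cn=${2:?missing MOK common name}
  mokutil --sb-state                                # Secure Boot on or off
  mokutil --test-key /root/module-signing/MOK.der   # is the key enrolled?
  moddir=$(dirname "$(modinfo -n vboxdrv)")
  audit_modules "$cn" "$moddir"/*.ko
fi
```

An UNSIGNED or FOREIGN line after a kernel update means the modules were rebuilt and the signing script from step 5 has not yet been rerun for that kernel.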

Install macOS

Clone this repository and follow its instructions. You might need to install dmg2img, wget, coreutils and unzip via your package manager to finish the installation.
