Sign VirtualBox / VMware Player (vmplayer) kernel module drivers on Secure Boot systems
$ ./generate-mok-cert.sh
$ sudo reboot # and follow the MOK enrollment wizard
$ ./virtualbox-fix.sh
Managing EFI Boot Loaders for Linux: Dealing with Secure Boot
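#!/bin/bash
#
# generate-mok-cert.sh - create a Machine Owner Key (MOK) certificate/key pair
# in /usr/src and queue the certificate for enrollment with mokutil.
#
# The pair is used afterwards to sign out-of-tree kernel modules
# (VirtualBox / VMware Player) so they load under Secure Boot.
#
# Usage: ./generate-mok-cert.sh   (re-executes itself under sudo if needed)
# Afterwards: reboot and complete the MOK enrollment wizard.
set -eu -o pipefail

# mokutil and writing into /usr/src both need root; re-exec with sudo and
# propagate its exit status.
if [[ $EUID != 0 ]]; then
  echo "Script is not running as root ($EUID != 0)"
  sudo "$0" "$@"
  exit
fi
echo "Running as $UID ($EUID)"

cd /usr/src

# Never overwrite an existing pair: an enrolled certificate would then no
# longer match the private key used for signing.
if [[ -e MOK.der ]]; then
  echo "Certificate 'MOK.der' already exists!"
  exit 0
fi

# Restrictive umask BEFORE openssl runs, so the private key is never created
# world-readable, not even briefly before the chmod below.
umask 077

# Certificate subject. USERNAME is not guaranteed to be set (sudo resets the
# environment and 'set -u' would abort), so fall back to the invoking user.
owner=${USERNAME:-${SUDO_USER:-$(id -un)}}

# Generate the machine owner certificate and key.
# Every continued option line needs a trailing backslash; without it the
# remainder is executed as a separate command and the run fails.
openssl req -new -x509 -newkey rsa:2048 \
  -keyout MOK.priv \
  -outform DER \
  -out MOK.der \
  -days 1024 \
  -subj "/CN=$owner@$HOSTNAME/"

# Already root here, so no sudo needed; keep both files owner-only.
chmod 600 MOK.der MOK.priv

# Queue the certificate for enrollment. mokutil asks for a one-time password
# that the MOK manager prompts for again at the next boot.
mokutil --import MOK.der
# Reboot and follow the wizard to enroll the certificate.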
#!/bin/bash
#
# virtualbox-fix.sh - sign the VirtualBox kernel modules with the MOK key
# pair and reload them, then verify they came up.
#
# Usage: ./virtualbox-fix.sh [keyname]   (default keyname: MOK)
# Looks for <keyname>.der and <keyname>.priv in $DIR (see below).
set -eu -o pipefail

# Signing and modprobe need root; re-exec under sudo and pass its status on.
if (( EUID != 0 )); then
  printf '%s\n' "Script is not running as root ($EUID != 0)"
  sudo "$0" "$@"
  exit
fi
printf '%s\n' "Running as $UID ($EUID)"

cd /usr/src

# Directory the key pair is read from.
# NOTE(review): because the cd above runs first, a relative invocation
# (./virtualbox-fix.sh) resolves DIR to /usr/src - where generate-mok-cert.sh
# writes the pair - while an absolute path resolves to the script's own
# directory. Confirm which location is intended before reordering these lines.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

# Base name of the key pair; first argument overrides the default.
keyname=${1:-MOK}
crt="$DIR/$keyname.der"   # DER certificate (public half)
key="$DIR/$keyname.priv"  # private key used by sign-file
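# Print a message on stderr, in red when stderr is a terminal.
# Arguments: $@ - message words, joined by single spaces
# Outputs:   the message (and colour escapes, if any) on stderr only - the
#            original sent the escapes to stdout, so they ended up in data
#            streams or were lost when stdout was redirected.
# Returns:   0; a missing/unknown terminal capability is not an error.
warn() {
  if [[ -t 2 ]]; then
    tput setaf 1 2>/dev/null >&2 || true
    printf '%s\n' "$*" >&2
    tput sgr0 2>/dev/null >&2 || true
  else
    printf '%s\n' "$*" >&2
  fi
}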
# Both halves of the key pair must be readable before any module is touched.
[[ -r $crt ]] || { warn "Certificate file '$crt' missing or unreadable."; exit 1; }
[[ -r $key ]] || { warn "Key file '$key' missing or unreadable."; exit 1; }
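# Sign one kernel module in place with the MOK key pair.
# Globals:   key (private key path), crt (DER certificate path) - read
# Arguments: $1 - module name as known to modinfo
# Returns:   modinfo's status if the module is unknown, 1 if the kernel's
#            sign-file helper is missing, otherwise sign-file's status.
function sign-module {
  local module=$1
  local module_path sign_file
  # Declaration and assignment are split so a failing modinfo is not masked
  # by 'local' (whose own status is always 0).
  module_path=$(modinfo -n "$module") || return
  # sign-file ships with the headers of the running kernel; if it is missing
  # the matching linux-headers package is not installed.
  sign_file="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
  if [[ ! -x $sign_file ]]; then
    printf '%s\n' "Signing helper '$sign_file' not found - install the headers for $(uname -r)." >&2
    return 1
  fi
  "$sign_file" sha256 "$key" "$crt" "$module_path"
}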
# Show which kernel the modules are being signed for.
uname -r
echo

# Modules that need a signature - as of virtualbox 6.1.
modules=(vboxdrv vboxnetflt vboxnetadp)
# vboxpci was needed at some point but seems to not exist anymore; only add
# it when the running kernel still has it loaded.
if lsmod | grep -i vboxpci; then
  modules+=( vboxpci )
fi

for mod in "${modules[@]}"; do
  echo "Signing $mod .."
  modinfo "$mod" | grep -iE '^(filename|version|name|description)'
  sign-module "$mod"
  echo "Reloading $mod ..."
  # NOTE(review): modprobe is a no-op for a module that is already resident,
  # so a previously loaded copy is not replaced by the freshly signed one -
  # confirm whether an unload should precede this step.
  modprobe "$mod"
  echo
done
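# Check that a module is loaded and that the kernel logged its start-up line.
# Arguments: $1 - module name as listed in lsmod's first column
#            $2 - literal text expected in the last 100 lines of dmesg
# Outputs:   progress on stdout; problems via warn on stderr
# Returns:   1 when the module is not loaded at all; 0 otherwise. A missing
#            dmesg line only warns (the ring buffer may have rotated).
function test-module {
  local mod=$1
  local msg=$2
  echo "Testing if '$mod' was loaded?"
  # Anchor on the first column: a plain substring match would also accept a
  # line of some other module whose name or 'Used by' list contains $mod.
  if ! lsmod | grep -q "^${mod}[[:space:]]"; then
    warn "Module '$mod' not loaded."
    return 1
  fi
  # -F: the expected text contains regex metacharacters ('.', ':').
  if ! dmesg | tail -n 100 | grep -qF -- "$msg"; then
    warn "Module '$mod' does not seem to have been loaded correctly"
    warn " string '$msg' not found in dmesg output"
  fi
  echo
}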
# Verify every module; keep going after a failure so all results are shown,
# then exit non-zero if any check failed.
fail=0
checks=(
  vboxdrv    'vboxdrv: Successfully loaded version'
  vboxnetflt 'VBoxNetFlt: Successfully started'
  vboxnetadp 'VBoxNetAdp: Successfully started.'
)
for (( i = 0; i < ${#checks[@]}; i += 2 )); do
  test-module "${checks[i]}" "${checks[i + 1]}" || fail=1
done
exit "$fail"
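#!/bin/bash
#
# Sign the VMware Player (vmplayer) out-of-tree modules vmnet and vmmon with
# the MOK key pair that generate-mok-cert.sh placed in /usr/src, then load
# them together with vmw_vmci.
#
# Usage: run the script directly; it re-executes itself under sudo if needed.
set -eu -o pipefail

if [[ $EUID != 0 ]]; then
  echo "Script is not running as root ($EUID != 0)"
  sudo "$0" "$@"
  exit
fi
echo "Running as $UID ($EUID)"

cd /usr/src
keyname=MOK
key="./${keyname}.priv"
crt="./${keyname}.der"
# sign-file ships with the headers of the running kernel.
sign_file="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"

# Fail early with a clear message rather than inside sign-file.
for required in "$key" "$crt" "$sign_file"; do
  if [[ ! -r $required ]]; then
    printf '%s\n' "Required file '$required' missing or unreadable." >&2
    exit 1
  fi
done

# Sign one module in place and load it.
# Arguments: $1 - module name as known to modinfo/modprobe
# Returns:   modinfo's status if the module is unknown, else sign-file's /
#            modprobe's status (the script aborts on failure under set -e)
sign_and_load() {
  local module=$1
  local module_path
  # Split from 'local' so a failing modinfo is not masked.
  module_path=$(modinfo -n "$module") || return
  "$sign_file" sha256 "$key" "$crt" "$module_path"
  modprobe "$module"
}

# Already root, so the per-command sudo of the original is not needed.
sign_and_load vmnet
sign_and_load vmmon
# vmw_vmci is only loaded, not signed: it is an in-tree module and so
# normally carries the distribution's own signature.
modprobe vmw_vmci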