Signing virtualbox/vmplayer kernel modules
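#!/bin/bash
# Generate a Machine Owner Key (MOK) pair in /usr/src and queue the
# certificate for enrollment with mokutil, so that locally built kernel
# modules signed with it are accepted by a Secure Boot kernel.
# Usage: run as root (the script re-executes itself through sudo otherwise).
set -eu -o pipefail

# Re-execute under sudo *before* changing directory: the original did the
# cd first, which broke a relative "$0" when handing over to sudo.
if [[ $EUID != 0 ]]; then
  echo "Script is not running as root ($EUID != 0)"
  sudo "$0" "$@"
  exit
fi
echo "Running as $UID ($EUID)"

cd /usr/src

if [[ -e MOK.der ]]; then
  echo "Certificate 'MOK.der' already exists!"
  exit 0
fi

# Create the key files owner-only from the start instead of relying on a
# chmod after the fact; the chmod below is kept as a second line of defence.
umask 077

# bash does not set USERNAME itself, so under set -u it may be unbound;
# prefer the invoking user (SUDO_USER) and fall back to the effective user.
subject_user=${SUDO_USER:-${USERNAME:-$(id -un)}}

# Generate the machine owner certificate and key.
# All options must stay on one continued command: the original had no
# backslash after "-days 1024", so "-subj ..." ran as a separate command.
# NOTE(review): without -nodes openssl prompts for a passphrase and writes an
# encrypted key, which the kernel's sign-file helper cannot read — confirm
# which behaviour is intended before enrolling.
openssl req -new -x509 -newkey rsa:2048 \
  -keyout MOK.priv \
  -outform DER \
  -out MOK.der \
  -days 1024 \
  -subj "/CN=$subject_user@$HOSTNAME/"
# Already root here, so no sudo is needed for the chmod.
chmod 600 MOK.der MOK.priv

# Import the machine owner certificate
mokutil --import MOK.der
# Reboot and follow wizard to enroll the certificate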
#!/bin/bash
# Sign the VirtualBox kernel modules with a machine owner key (MOK) and
# reload them. Usage: <script> [keyname]; the key pair is read from
# <keyname>.priv and <keyname>.der in the directory holding this script.
set -eu -o pipefail

# sign-file and modprobe need root: hand over to sudo and exit with its status.
if (( EUID != 0 )); then
  echo "Script is not running as root ($EUID != 0)"
  sudo "$0" "$@"
  exit
fi
echo "Running as $UID ($EUID)"

cd /usr/src

# Directory holding this script; the key pair is looked up next to it.
DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)
# NOTE(review): $1 is used verbatim as a path component, so a value
# containing '/' resolves outside $DIR.
keyname=${1:-MOK}
crt=$DIR/$keyname.der
key=$DIR/$keyname.priv
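#######################################
# Print a message on stderr, in red when stderr is a terminal.
# Arguments: the message words (joined by spaces)
# Outputs:   message on stderr
# Returns:   0
#######################################
warn() {
  # The original sent tput's escape codes to stdout (so they vanished when
  # stdout was redirected) and, under set -e, a failing tput (no TERM, no
  # tty) aborted the script before the message was printed. Colourise only
  # on a terminal, on the same stream as the message, and never fail on it.
  if [[ -t 2 ]]; then tput setaf 1 >&2 2>/dev/null || true; fi
  printf '%s\n' "$*" >&2
  if [[ -t 2 ]]; then tput sgr0 >&2 2>/dev/null || true; fi
}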
# Both halves of the key pair must be readable before signing anything.
[[ -r $crt ]] || { warn "Certificate file '$crt' missing or unreadable."; exit 1; }
[[ -r $key ]] || { warn "Key file '$key' missing or unreadable."; exit 1; }
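#######################################
# Sign one kernel module in place with the key pair from the script
# globals $key / $crt, using the sign-file helper shipped with the running
# kernel's headers.
# Globals:   key (read), crt (read)
# Arguments: $1 - module name as understood by modinfo
# Returns:   non-zero if modinfo or sign-file fails
#######################################
sign-module() {
  local module=$1
  local module_path kernel_release
  # Declaration split from assignment: `local x=$(cmd)` reports the status
  # of `local`, not of modinfo, so a failure would have been masked.
  module_path=$(modinfo -n "$module") || return
  kernel_release=$(uname -r)
  "/usr/src/linux-headers-${kernel_release}/scripts/sign-file" \
    sha256 "$key" "$crt" "$module_path"
}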
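uname -r
echo
# Modules requiring signing - as of virtualbox 6.1
modules=(vboxdrv vboxnetflt vboxnetadp)
# This was needed at some point but seems to not exist anymore; add it only
# when it is present. grep's output is discarded rather than using -q so
# lsmod never sees a closed pipe (which pipefail would report as failure).
if lsmod | grep -i vboxpci >/dev/null; then
  modules+=(vboxpci)
fi
for module in "${modules[@]}"; do
  echo "Signing $module .."
  modinfo "$module" | grep -iE '^(filename|version|name|description)'
  # set -e aborts the script if signing fails, so a module is never loaded
  # unsigned by this loop.
  sign-module "$module"
  echo "Reloading $module ..."
  # NOTE(review): modprobe does nothing for a module that is already loaded,
  # so a previously loaded copy is not replaced here — confirm whether an
  # explicit unload step is wanted.
  modprobe "$module"
  echo
done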
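#######################################
# Check that a module is loaded and that the recent kernel log carries its
# success message. A missing module is a failure; a missing log line only
# warns, since the last 100 dmesg lines may no longer contain it.
# Arguments: $1 - module name
#            $2 - literal text expected in the dmesg output
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0 if the module is loaded, 1 otherwise
#######################################
test-module() {
  local mod=$1
  local msg=$2
  echo "Testing if '$mod' was loaded?"
  # Compare the module name against the first lsmod column only; the
  # original `grep "$mod"` also matched the "Used by" column and treated
  # the name as a regex.
  if ! lsmod | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
    warn "Module '$mod' not loaded."
    return 1
  fi
  # -F: the message is a literal string, not a pattern. Output goes to
  # /dev/null instead of using -q so tail never gets SIGPIPE under pipefail.
  if ! dmesg | tail -n 100 | grep -F -- "$msg" >/dev/null; then
    warn "Module '$mod' does not seem to have been loaded correctly"
    warn " string '$msg' not found in dmesg output"
  fi
  echo
}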
# Check every module; remember that one failed but keep going so all
# problems are reported in a single run.
fail=0
for spec in \
  'vboxdrv|vboxdrv: Successfully loaded version' \
  'vboxnetflt|VBoxNetFlt: Successfully started' \
  'vboxnetadp|VBoxNetAdp: Successfully started.'; do
  test-module "${spec%%|*}" "${spec#*|}" || fail=1
done
exit "$fail"
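#!/bin/bash
# Sign and load the VMware (vmplayer) kernel modules vmnet and vmmon with
# the machine owner key stored in /usr/src, then load vmw_vmci.
# Usage: run as root (the script re-executes itself through sudo otherwise).
set -eu -o pipefail

if [[ $EUID != 0 ]]; then
  echo "Script is not running as root ($EUID != 0)"
  sudo "$0" "$@"
  exit
fi
echo "Running as $UID ($EUID)"

cd /usr/src
keyname=MOK
key="./${keyname}.priv"
crt="./${keyname}.der"
sign_file="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"

# Fail with a clear message instead of from inside sign-file.
for f in "$key" "$crt" "$sign_file"; do
  [[ -r $f ]] || { echo >&2 "Required file '$f' missing or unreadable."; exit 1; }
done

# Sign each module in place, then load it. Already root here, so the sudo
# prefixes are dropped. The original vmnet line referenced a misspelled
# variable for the certificate, which set -u rejects as unbound.
for module in vmnet vmmon; do
  module_path=$(modinfo -n "$module")
  "$sign_file" sha256 "$key" "$crt" "$module_path"
  modprobe "$module"
done
# vmw_vmci is only loaded, not signed, as before. The original repeated the
# word modprobe, so it tried to load a module named "modprobe".
modprobe vmw_vmci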