Last active
February 3, 2019 10:54
-
-
Save Lirt/9944e1b61cd9439377c39fe00cf09f6c to your computer and use it in GitHub Desktop.
Sign VirtualBox kernel modules to run with SecureBoot
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # | |
| # Script for guide: | |
| # https://gorka.eguileor.com/vbox-vmware-in-secureboot-linux-2016-update/ | |
| # | |
| # Verification: | |
| # dmesg | grep "EFI:.*cert.*${cert_name}" | |
| # | |
| set -eu | |
| set -o pipefail | |
| cert_name="VBoxCert" | |
| # Build VirtualBox kernel module | |
| sudo /sbin/vboxconfig | |
| # Generate certificate if it was not already | |
| if [ ! -e "./${cert_name}.priv" ] && [ ! -e "./${cert_name}.der" ]; then | |
| openssl req -new -x509 \ | |
| -newkey rsa:2048 \ | |
| -keyout ${cert_name}.priv \ | |
| -outform DER \ | |
| -out ${cert_name}.der \ | |
| -nodes \ | |
| -days 3650 \ | |
| -subj "/CN=${cert_name}/" | |
| fi | |
| # Get path to vboxdrv module and sign vbox modules with certificate | |
| vboxdrv_path=$(modinfo -n vboxdrv) | |
| vboxdrv_dirname=$(dirname "$vboxdrv_path") | |
| for f in "${vboxdrv_dirname}"/*.ko; do | |
| echo "Signing $f" | |
| sudo "/usr/src/kernels/$(uname -r)/scripts/sign-file" \ | |
| sha256 \ | |
| ${cert_name}.priv \ | |
| ${cert_name}.der \ | |
| "$f" | |
| done | |
| # Manually add the public key to shim’s MOK list. | |
| # You will be asked for a password that will be | |
| # used during the UEFI boot to enroll the new key. | |
| echo "Enter password for new certificate key." | |
| echo "You will be asked to enter it on next boot." | |
| sudo mokutil --import ${cert_name}.der | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment