Skip to content

Instantly share code, notes, and snippets.

@kiasaki
Last active June 7, 2024 14:57
Show Gist options
  • Save kiasaki/5f4f491201d621d93a7d719f46e04009 to your computer and use it in GitHub Desktop.
Save kiasaki/5f4f491201d621d93a7d719f46e04009 to your computer and use it in GitHub Desktop.
ubuntu: vboxdrv module signing for secureboot to load it

Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. Because you want to keep Secure Boot, then the next logical step is to sign those modules.

So let's try it.

Create signing keys

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"

Sign the module (vboxdrv for this example)

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
# also sign: vboxnetadp vboxnetflt vboxpci

Register the keys to Secure Boot

sudo mokutil --import MOK.der

Supply a password for later use after reboot Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time. After the reboot, you may also need to sudo modprobe vboxdrv to load the module. Please let me know if VirtualBox would run this way on Ubuntu 16.04 (on kernel 4.4.0-21 or higher, I believe).

http://gorka.eguileor.com/vbox-vmware-in-secureboot-linux/ https://github.com/Canonical-kernel/Ubuntu-kernel/blob/master/Documentation/module-signing.txt http://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur

@Thierry-Dumont
Copy link

Everything is ok with 4.15.0-33-generic on Ubuntu 18-04.
My only problem was that I use a french keyboard and at boot time, the keyboard isactually not french (when registering the key).
Thanks!
Yours.
t.

@jmberros
Copy link

jmberros commented Aug 21, 2019

A small doubt: when you say "# also sign: vboxnetadp vboxnetflt vboxpci", I understand that line has to be rerun changing the last bit, but do the destination files ./MOK.{priv,der} also have to be renamed and then imported (so the mokutil --impot line would be run four times)? I'm confused about whether the sign-file script overwrites those files completely or just appends/modifies them preserving the info added in the previous steps.

Thanks!

@denis-bezruchkin
Copy link

Worked with 5.3.0-24-generic #26-Ubuntu and 6.0.14 VBox.

@davicrystal
Copy link

It has worked for me as a charm 5.3.0-42-generic #34~18.04.1-Ubuntu

@CireB1925
Copy link

thank you so much you are a life saver. it worked for me ubuntu 20.04 5.4.0-33-generic

@cristiangranero90
Copy link

Thank You! It worked in Ubuntu 24.04LTS. And the kernel 6.8.0-35-generic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment