Instructions on signing VirtualBox and VMware modules for Secure Boot

vm-secureboot.md

Signing VirtualBox & VMware modules

Source

Creating a key

You can change "MOK".priv/.der to any desired name; "CN=" MUST hold your username, signing the modules may not work otherwise (on shim, possibly due to a bug).

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=John Doe/"

Signing the modules

Must be repeated at every kernel update; A script can be placed in /etc/kernel/postinst.d to automate this process (couldn't get it to work, though :p).

VirtualBox

# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

VMware

# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)
# /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

Example script

Place it in /etc/kernel/postinst.d

#!/bin/bash

MOK_NAME=".MOK"
MOK_LOCATION="/home/gabriel"

cd $MOK_LOCATION

sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./${MOK_NAME}.priv ./${MOK_NAME}.der $(modinfo -n vmmon)
sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./${MOK_NAME}.priv ./${MOK_NAME}.der $(modinfo -n vmnet)

Adding the keys to shim

A reboot will be needed; Follow the menu presented after boot to enroll the key.

# mokutil --import MOK.der

Check if key is present

$ dmesg | grep 'EFI: Loaded cert'
[...]
[    1.626393] EFI: Loaded cert 'Gabriel: f1...30' linked to '.system_keyring'
[    1.627167] EFI: Loaded cert 'Gabriel: 0f...39' linked to '.system_keyring'
[    1.628009] EFI: Loaded cert 'Fedora Secure Boot CA: fd...42' linked to '.system_keyring'

TIP: Convert QEMU (gnome-boxes) image to .vid (VirtualBox)

Source

$ qemu-img convert -p [source] -O raw [dest].raw
$ VBoxManage convertdd [source].raw $HOME/.VirtualBox/VDI/[dest].vdi