Signing VirtualBox Kernel Modules

signing-vbox-kernel-modules.md

Signing VirtualBox Kernel Modules

These are the steps I followed enable VirtualBox on my laptop without disabling UEFI Secure Boot. They're nearly identical to the process described on Øyvind Stegard's blog, save for a few key details. The images here are borrowed from the Systemtap UEFI Secure Boot Wiki.

1. Install the VirtualBox package (this might be different for your platform).

   src='https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo'
   dst='/etc/yum.repos.d/virtualbox.repo'
   sudo curl ${src} > ${dst}
   dnf check-update
   sudo dnf install VirtualBox-6.0

2. Create an RSA key pair to sign kernel modules.

   name="$(getent passwd $(whoami) | awk -F: '{print $5}')"
   out_dir='/root/module-signing'
   sudo mkdir ${out_dir}
   sudo openssl \
       req \
       -new \
       -x509 \
       -newkey \
       rsa:2048 \
       -keyout ${out_dir}/MOK.priv \
       -outform DER \
       -out ${out_dir}/MOK.der \
       -days 36500 \  # This is probably waaay too long.
       -subj "/CN=${name}/"
   sudo chmod 600 ${out_dir}/MOK*

   Note the absence of the -nodes option from Øyvind's post. With this option openssl will create a private key with no passphrase. The omission of this option prompts for a passphrase, which seems like a good idea for something as important as a kernel module signing key.

3. Import the MOK ("Machine Owner Key") so it can be trusted by the system.

   sudo mokutil --import /root/module-signing/MOK.der

   This will prompt for a password. The password is only temporary and will be used on the next boot. It does not have to be the same as the signing key passphrase.

4. Reboot your machine to enter the MOK manager EFI utility.

   • Select Enroll MOK.

   

   • Select Continue.

   

   • Select Yes to enroll the keys.

   

   • Enter the password from earlier.

   

   • Select OK to reboot.

   

   • Verify the key has been loaded by finding the it in the output of

   dmesg | grep '[U]EFI.*cert'

5. Create a script for signing all the VirtualBox kernel modules.

   #!/bin/sh
   
   readonly hash_algo='sha256'
   readonly key='/root/module-signing/MOK.priv'
   readonly x509='/root/module-signing/MOK.der'
   
   readonly name="$(basename $0)"
   readonly esc='\\e'
   readonly reset="${esc}[0m"
   
   green() { local string="${1}"; echo "${esc}[32m${string}${reset}"; }
   blue() { local string="${1}"; echo "${esc}[34m${string}${reset}"; }
   log() { local string="${1}"; echo "[$(blue $name)] ${string}"; }
   
   # The exact location of `sign-file` might vary depending on your platform.
   alias sign-file="/usr/src/kernels/$(uname -r)/scripts/sign-file"
   
   [ -z "${KBUILD_SIGN_PIN}" ] && read -p "Passphrase for ${key}: " KBUILD_SIGN_PIN
   export KBUILD_SIGN_PIN
   
   for module in $(dirname $(modinfo -n vboxdrv))/*.ko; do
     log "Signing $(green ${module})..."
     sign-file "${hash_algo}" "${key}" "${x509}" "${module}"
   done

   This script differs from Øyvind's in two aspects. First, and most importantly, it has ✨ C O L O R S ✨. Second, it uses the magic $KBUILD_SIGN_PIN environment variable that doesn't appear anywhere in the sign-file usage. I went spelunking in the Linux source for it, but in hindsight I could have just read the docs on manual module signing... I wrote this script to /root/bin/sign-vbox-modules as that's usually on root's $PATH.

6. Execute the aforementioned script as root.

   sudo chmod 700 /root/bin/sign-vbox-modules
   sudo -i sign-vbox-modules

7. Load the vboxdrv module.

   sudo modprobe vboxdrv

I'm on Debian Sid and there's any easy (and more automatic way) to sign Virtualbox (and other) modules. This will probably apply to other Debian versions and possibly other distros. In Debian Virtualbox modules are already signed by dkms if compiled by installing the virtualbox-dkms package. The problem is that the key generated and used by dkms is not recognised in the system, so we need to add that particular one to MOK. If you go to /var/lib/dkms you should have a mok.pub and a mok.key file. If so, then issue the command:
mokutil --import /var/lib/dkms/mok.pub
and your pc will enroll the key used by dkms. This way all the modules built by the service will be able to load at startup and on every kernel update automatically.

This is super helpful this post finally helped me a lot with this issue which I tried to solve for many months. I knew what needs to be done, however many updates of system / bios upgraded / etc caused that my solutions didn't work any longer - and this post helped to solved. Thank you.

Some one have tested with Fedora 40 ?

In Fedora Linux 41:

After being prompted with this:
Passphrase for /root/module-signing/MOK.priv:

I got this error:

[\\e[34mvboxsign.sh\\e[0m] Signing \\e[32m/lib/modules/6.12.6-200.fc41.x86_64/extra/VirtualBox/*.ko\\e[0m...
At main.c:302:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: crypto/bio/bss_file.c:75
sign-file: /lib/modules/6.12.6-200.fc41.x86_64/extra/VirtualBox/*.ko

It worked for me on Asus Zenbook.

What the heck. This complexity is hilarious for getting VirtualBox to run. A perfect example why Windows is still king for every-day use ;-) I also ended up disabling SecureBoot as it was not working on my Fedora34 installation on a Huawei Matebook

There are Windows people who don't mind to be sitting and watching chasing nuts on the screen for an hour, and there are Linux people, who don't mind to work for 5 minutes. :)