nidomiro

Software developer stories
en de

Automatic VirtualBox module signing for UEFI

2018-04-17 Infrastructure Linux Ubuntu Tutorials Niclas Roßberger

These steps are for all those people who hate to sign the Virtualbox modules every time and don’t want to disable UEFI.

  1. Generate a key /root/module-signing/MOK.priv and /root/module-signing/MOK.der

    mkdir /root/module-signing/
cd /root/module-signing/
openssl req -new -x509 -newkey rsa:2048 \
   -nodes -days 99999 -outform DER \
   -keyout "MOK.priv" \
   -out "MOK.der"

  2. Add key to uefi sudo mokutil --import /root/module-signing/MOK.der. You will be asked for a password. You can type in any password, but you will be asked for it by UEFI on the next reboot.

  3. Create Script (in /root/module-signing/sign-vbox-modules.sh)

    #!/bin/bash

for modfile in $(dirname $(modinfo -n vboxdrv))/*.ko; do
echo "Signing $modfile"
/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
   /root/module-signing/MOK.priv \
   /root/module-signing/MOK.der "$modfile"
   done

modprobe vboxdrv

  4. Change access rights on module-signing/ to prevent leakage of the private key by any user but root

    chmod -R go-rwx  /root/module-signing/
chmod -R u+rwx  /root/module-signing/

  5. create systemd script (/etc/systemd/system/sign-virtualbox.service)

    [Unit]
Description=Signing Virtualbox KernelModules for UEFI

[Service]
User=root
ExecStart=/root/module-signing/sign-vbox-modules.sh

[Install]
WantedBy=default.target

  6. Start it: sudo systemctl start sign-virtualbox.service

  7. Check: systemctl status sign-virtualbox.service

    ● sign-virtualbox.service - Signing Virtualbox KernelModules for UEFI
Loaded: loaded (/etc/systemd/system/sign-virtualbox.service; enabled; vendor preset: enabled)
Active: inactive (dead)

Jan 30 09:14:30 HOST systemd[1]: Started Signing Virtualbox KernelModules for UEFI.
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxdrv.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetadp.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetflt.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxpci.ko

  8. Enable Boot: sudo systemctl enable sign-virtualbox.service

  9. Enjoy the Result :)

Bash Easier Live Linux Mok Openssl Shell Sign Systemd Ubuntu UEFI Virtualbox
© 2025 by Niclas Roßberger
Powered by Bilberry Hugo Theme