nidomiro


Automatic VirtualBox module signing for UEFI

These steps are for everyone who hates signing the VirtualBox kernel modules by hand every time and doesn’t want to disable UEFI Secure Boot.

1) Generate a key pair: the private key /root/module-signing/MOK.priv and the matching certificate /root/module-signing/MOK.der

mkdir /root/module-signing/
cd /root/module-signing/
openssl req -new -x509 -newkey rsa:2048 \
        -nodes -days 99999 -outform DER \
        -keyout "MOK.priv" \
        -out "MOK.der"

2) Enroll the certificate as a Machine Owner Key (MOK) in UEFI:

sudo mokutil --import /root/module-signing/MOK.der

You will be asked to set a password. Any password works, but remember it: the MOK manager will ask for it on the next reboot to confirm the enrollment.

3) Create the signing script (in /root/module-signing/sign-vbox-modules.sh)

#!/bin/bash
set -e

# Sign every VirtualBox module in the directory that holds vboxdrv.ko
# with the key pair generated in step 1.
KEYDIR=/root/module-signing
SIGN_FILE="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"

for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
    echo "Signing $modfile"
    "$SIGN_FILE" sha256 "$KEYDIR/MOK.priv" "$KEYDIR/MOK.der" "$modfile"
done

# Load the freshly signed module; the kernel verifies the signature now.
modprobe vboxdrv

4) Restrict access to /root/module-signing/ so that only root can read the private key (this also makes the script executable for root)

chmod -R go-rwx  /root/module-signing/
chmod -R u+rwx  /root/module-signing/

5) Create a systemd unit (/etc/systemd/system/sign-virtualbox.service)

[Unit]
Description=Signing Virtualbox KernelModules for UEFI

[Service]
User=root
ExecStart=/root/module-signing/sign-vbox-modules.sh

[Install]
WantedBy=default.target

6) Start it: sudo systemctl start sign-virtualbox.service

7) Check: systemctl status sign-virtualbox.service

● sign-virtualbox.service - Signing Virtualbox KernelModules for UEFI
   Loaded: loaded (/etc/systemd/system/sign-virtualbox.service; enabled; vendor preset: enabled)
   Active: inactive (dead)

Jan 30 09:14:30 HOST systemd[1]: Started Signing Virtualbox KernelModules for UEFI.
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxdrv.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetadp.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetflt.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxpci.ko

8) Enable it at boot: sudo systemctl enable sign-virtualbox.service

9) Enjoy the Result :)
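Before trusting the automation, it is worth checking that every VirtualBox module really carries a signature made with your own MOK and not some other key. The helper below is an added example, not part of the original post: it compares the serial number of MOK.der with the sig_key field that modinfo prints for PKCS#7 module signatures (that field is the signer certificate's serial), using the paths from the steps above.

```shell
#!/bin/bash
# Added example: verify VirtualBox module signatures against our MOK.
# Assumes the paths used in the post and that modinfo reports the
# signing certificate's serial number in its "sig_key" field.
MOK_DER=/root/module-signing/MOK.der

# Normalise a hex serial: drop colons/spaces, uppercase, strip leading zeros,
# so "0A:1B:2C" (modinfo) and "0A1B2C" (openssl) compare equal.
norm_serial() {
    s=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F' | sed 's/^0*//')
    printf '%s' "${s:-0}"
}

# Return 0 if the modinfo output in $1 shows a PKCS#7 signature whose
# key id equals the serial in $2, otherwise 1.
signed_by() {
    info="$1"
    want=$(norm_serial "$2")
    printf '%s\n' "$info" | grep -q '^sig_id: *PKCS#7' || return 1
    got=$(printf '%s\n' "$info" | awk '/^sig_key:/ {print $2}')
    [ -n "$got" ] || return 1
    [ "$(norm_serial "$got")" = "$want" ]
}

# Walk the same module directory the signing script uses and report
# any module that is unsigned or signed by a different certificate.
check_modules() {
    rc=0
    serial=$(openssl x509 -in "$MOK_DER" -inform DER -noout -serial | cut -d= -f2)
    for m in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
        if signed_by "$(modinfo "$m")" "$serial"; then
            echo "OK   $m"
        else
            echo "FAIL $m (unsigned or signed by another key)"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when asked: sudo bash verify-vbox-signatures.sh check
case "${1:-}" in
    check) check_modules ;;
esac
```

A non-zero exit status means at least one module would be rejected by the kernel under Secure Boot, or was signed with a key other than the enrolled MOK.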