nidomiro

Software developer stories

Automatic VirtualBox module signing for UEFI

These steps are for everyone who is tired of signing the VirtualBox kernel modules by hand after every update and doesn't want to disable UEFI Secure Boot.

  1. Generate a key pair: /root/module-signing/MOK.priv (private key) and /root/module-signing/MOK.der (certificate in DER form)

    mkdir /root/module-signing/
    cd /root/module-signing/
    openssl req -new -x509 -newkey rsa:2048 \
       -nodes -days 99999 -outform DER \
       -keyout "MOK.priv" \
       -out "MOK.der"
    
  2. Add the key to UEFI (the MOK list):

    sudo mokutil --import /root/module-signing/MOK.der

    You will be asked for a password. You can type in any password, but the UEFI MOK manager will ask for it again on the next reboot to enrol the key.

  3. Create the signing script (in /root/module-signing/sign-vbox-modules.sh)

    #!/bin/bash
    # Sign every VirtualBox kernel module with the MOK key from step 1,
    # then load vboxdrv. Must run as root (private key and modprobe).
    set -e

    for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
        echo "Signing $modfile"
        "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
            /root/module-signing/MOK.priv \
            /root/module-signing/MOK.der "$modfile"
    done

    modprobe vboxdrv
    
  4. Restrict access to /root/module-signing/ so that nobody but root can read the private key

    chmod -R go-rwx  /root/module-signing/
    chmod -R u+rwx  /root/module-signing/
    
  5. Create a systemd unit (/etc/systemd/system/sign-virtualbox.service)

    [Unit]
    Description=Signing Virtualbox KernelModules for UEFI
    
    [Service]
    User=root
    ExecStart=/root/module-signing/sign-vbox-modules.sh
    
    [Install]
    WantedBy=default.target
    
  6. Start it: sudo systemctl start sign-virtualbox.service

  7. Check: systemctl status sign-virtualbox.service

    ● sign-virtualbox.service - Signing Virtualbox KernelModules for UEFI
    Loaded: loaded (/etc/systemd/system/sign-virtualbox.service; enabled; vendor preset: enabled)
    Active: inactive (dead)
    
    Jan 30 09:14:30 HOST systemd[1]: Started Signing Virtualbox KernelModules for UEFI.
    Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxdrv.ko
    Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetadp.ko
    Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetflt.ko
    Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxpci.ko
    
  8. Enable it at boot: sudo systemctl enable sign-virtualbox.service

  9. Enjoy the Result :)
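After a kernel or VirtualBox update, DKMS rebuilds the modules unsigned, and modprobe will fail until the service has run again. The following checker, an added example that is not part of the original post, parses the trailer that scripts/sign-file appends to a .ko (the PKCS#7 blob, the module_signature struct and the magic string) so you can confirm a module is signed before rebooting. The sample module bytes are constructed for the demonstration.

```python
"""Check whether a kernel module file carries an appended sign-file signature."""
import struct
from dataclasses import dataclass

# Trailer layout written by scripts/sign-file:
#   [module ELF][PKCS#7 signature, sig_len bytes][struct module_signature][magic]
SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 pad[3], __be32 sig_len  (12 bytes, big-endian length)
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used by sign-file for PKCS#7/CMS signatures


@dataclass
class ModuleSignature:
    id_type: int
    sig_len: int
    pkcs7: bytes  # DER-encoded PKCS#7 blob (signer cert info lives inside)


def parse_module_signature(data: bytes):
    """Return a ModuleSignature if `data` ends with a signing trailer, else None."""
    if not data.endswith(SIG_MAGIC):
        return None  # unsigned module: modprobe will be rejected under Secure Boot
    body = data[: -len(SIG_MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated signature trailer")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:]
    )
    payload = body[: -SIG_INFO.size]
    if sig_len > len(payload):
        raise ValueError("sig_len exceeds module size")
    pkcs7 = payload[len(payload) - sig_len:]
    # A PKCS#7 signature is a DER SEQUENCE, so the blob must start with 0x30.
    if id_type != PKEY_ID_PKCS7 or pkcs7[:1] != b"\x30":
        raise ValueError("unexpected signature format")
    return ModuleSignature(id_type, sig_len, pkcs7)


def is_signed(path: str) -> bool:
    """True if the module file at `path` has a parseable appended signature."""
    with open(path, "rb") as f:
        return parse_module_signature(f.read()) is not None


def build_sample(signed: bool) -> bytes:
    """Constructed stand-in for a .ko: ELF magic plus an optional fake trailer."""
    module = b"\x7fELF" + b"\x00" * 16
    if not signed:
        return module
    fake_sig = b"\x30\x82\x01\x00" + b"\x00" * 4  # DER SEQUENCE header + padding
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig))
    return module + fake_sig + info + SIG_MAGIC
```

Run it over /lib/modules/$(uname -r)/misc/vbox*.ko with is_signed() to see which modules still need the service; this checks presence and format of the trailer, not which key signed it.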