Automatic VirtualBox module signing for UEFI
These steps are for everyone who hates re-signing the VirtualBox modules by hand every time and doesn't want to disable UEFI Secure Boot.
- Generate a key (/root/module-signing/MOK.priv and /root/module-signing/MOK.der):

      mkdir /root/module-signing/
      cd /root/module-signing/
      openssl req -new -x509 -newkey rsa:2048 \
          -nodes -days 99999 -outform DER \
          -keyout "MOK.priv" \
          -out "MOK.der"

- Add the key to UEFI (enroll it as a Machine Owner Key):

      sudo mokutil --import /root/module-signing/MOK.der

  You will be asked for a password. You can type in any password, but you will be asked for it by UEFI on the next reboot.

- Create the script (in /root/module-signing/sign-vbox-modules.sh):

      #!/bin/bash
      # Sign every module in the directory that holds vboxdrv, then load vboxdrv.
      for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
          echo "Signing $modfile"
          /usr/src/linux-headers-"$(uname -r)"/scripts/sign-file sha256 \
              /root/module-signing/MOK.priv \
              /root/module-signing/MOK.der "$modfile"
      done
      modprobe vboxdrv

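- Change the access rights on module-signing/ so that no user but root can read the private key. The key was generated with -nodes, so it is stored unencrypted and file permissions are its only protection. The u+rwx also makes the signing script executable for root:

      chmod -R go-rwx /root/module-signing/
      chmod -R u+rwx /root/module-signing/
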
- Create the systemd unit (/etc/systemd/system/sign-virtualbox.service):

      [Unit]
      Description=Signing Virtualbox KernelModules for UEFI

      [Service]
      User=root
      ExecStart=/root/module-signing/sign-vbox-modules.sh

      [Install]
      WantedBy=default.target

- Start it:

      sudo systemctl start sign-virtualbox.service

- Check:

      systemctl status sign-virtualbox.service

      ● sign-virtualbox.service - Signing Virtualbox KernelModules for UEFI
         Loaded: loaded (/etc/systemd/system/sign-virtualbox.service; enabled; vendor preset: enabled)
         Active: inactive (dead)

      Jan 30 09:14:30 HOST systemd[1]: Started Signing Virtualbox KernelModules for UEFI.
      Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxdrv.ko
      Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetadp.ko
      Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetflt.ko
      Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxpci.ko

- Enable it at boot:

      sudo systemctl enable sign-virtualbox.service

- Enjoy the result :)
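
The "Check" step above only shows that the service ran. The following added example, which is not part of the original post, inspects a module file for the signature trailer that sign-file appends and applies the same structural checks the kernel does before it verifies the signature. It does not verify the signature against the enrolled MOK; the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: structural check for the
# signature trailer that sign-file appends to a kernel module.
# Signed module layout (kernel's struct module_signature):
#   [ELF module][PKCS#7 blob][12-byte struct module_signature][magic]
MAGIC='~Module signature appended~'   # followed by "\n": 28 bytes
PKEY_ID_PKCS7=2                       # the only id_type the kernel accepts

# Hex-encode stdin so binary data (including NUL bytes) compares safely.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# module_sig_len FILE
# Prints the PKCS#7 blob length and returns 0 if FILE ends in a well-formed
# trailer; returns 1 if unsigned or malformed, 2 if unreadable.
module_sig_len() (
    f=$1
    size=$(wc -c < "$f") || exit 2
    size=$((size))
    [ "$size" -gt 40 ] || exit 1

    # 1. The last 28 bytes must be exactly the magic string plus newline.
    [ "$(tail -c 28 "$f" | hex)" = "$(printf '%s\n' "$MAGIC" | hex)" ] || exit 1

    # 2. The 12 bytes before it are struct module_signature:
    #    algo hash id_type signer_len key_id_len pad[3] sig_len(be32)
    set -- $(od -An -v -tu1 -j "$((size - 40))" -N 12 "$f")
    [ $# -eq 12 ] || exit 1
    [ "$3" -eq "$PKEY_ID_PKCS7" ] || exit 1
    [ "$1$2$4$5$6$7$8" = 0000000 ] || exit 1   # all other fields must be 0

    # 3. sig_len must leave at least one byte of actual module before it.
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    [ "$sig_len" -gt 0 ] && [ "$sig_len" -lt "$((size - 40))" ] || exit 1
    echo "$sig_len"
)

# Usage: sh check-module-sig.sh /lib/modules/$(uname -r)/misc/vbox*.ko
for m in "$@"; do
    if n=$(module_sig_len "$m" 2>/dev/null); then
        echo "signed ($n-byte PKCS#7): $m"
    else
        echo "NOT signed or malformed: $m"
    fi
done
```

For a signed module, modinfo also prints the signer and sig_key fields.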