João Pedro

Signing VirtualBox Kernel Modules

When facing issues with module signing and errors in the 'vboxdrv, vboxnetflt, vboxnetadp, vboxpci' modules, these were the steps I followed to enable VirtualBox on my Fedora 38 machine without disabling UEFI Secure Boot.

This method creates a layer of protection between VirtualBox and the kernel.

Installing the package mokutil:

sudo dnf update
sudo dnf install mokutil

mokutil will be used to sign your own modules for use with UEFI Secure Boot and to add certificates to the kernel's trusted certificate keyring.

Creating folder for module signing and RSA key:

sudo su
mkdir /root/signed-modules
cd /root/signed-modules
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
chmod 700 MOK.priv

Creating the password for MOK (this password will be needed for the reboot):

sudo mokutil --import MOK.der

Restart the system and follow the MOK processes:

  • Select 'Enroll MOK'

  • Select Continue

  • Select 'Yes' to add the keys

  • Enter the password created with mokutil

  • Proceed to reboot

Creating the script to perform the signatures:

cd /root/signed-modules
vi sign-virtual-box

Add the following inside 'sign-virtual-box':

#!/bin/bash
# Sign every VirtualBox kernel module with the MOK key created above.

# Directory that holds vboxdrv.ko and the other VirtualBox modules
moddir="$(dirname "$(modinfo -n vboxdrv)")"

for modfile in "$moddir"/*.ko; do
  echo "Signing $modfile"
  "/usr/src/kernels/$(uname -r)/scripts/sign-file" sha256 \
      /root/signed-modules/MOK.priv \
      /root/signed-modules/MOK.der "$modfile"
done

Check for errors in the script by confirming where sign-file is located, using the command:

find /usr/src -name sign-file

Add permissions to the script and execute it:

chmod 700 sign-virtual-box
./sign-virtual-box

Load the vboxdrv module so VirtualBox can run:

modprobe vboxdrv
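
To confirm the signing loop worked before relying on modprobe, the following added example (not part of the original post) checks each .ko for the marker that sign-file appends and maps the kernel's rejection messages to their cause. It assumes uncompressed .ko files, as in the script above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the result of the signing loop.
# Assumption: modules are uncompressed .ko files, as in the signing script.

# sign-file appends a signature block that ends with this marker plus a
# newline (28 bytes in total).
SIG_MAGIC='~Module signature appended~'

# Return 0 if the file ends with the marker, 1 if not, 2 if unreadable.
has_module_sig() {
  [ -r "$1" ] || return 2
  # NUL bytes are mapped to '?' so a binary tail compares cleanly.
  [ "$(tail -c 28 "$1" | LC_ALL=C tr '\000' '?')" = "$SIG_MAGIC" ]
}

# Print every .ko in a directory that lacks the marker; return 1 if any.
list_unsigned() {
  rc=0
  for f in "$1"/*.ko; do
    [ -e "$f" ] || continue
    has_module_sig "$f" || { echo "UNSIGNED: $f"; rc=1; }
  done
  return "$rc"
}

# Map a dmesg rejection line to what has to be fixed. A present marker
# does not prove the key is trusted, so both cases are distinguished.
explain_rejection() {
  case "$1" in
    *"unsigned module"*)
      echo "no signature appended: sign the module" ;;
    *"module with unavailable key"*)
      echo "signed, but the signing key is not in a kernel keyring: check MOK enrollment" ;;
    *)
      echo "not a signature rejection" ;;
  esac
}

# When called with a directory argument, report its unsigned modules.
[ "$#" -eq 0 ] || list_unsigned "$1"
```

Saved under a name of your choice, it can be run as root with `"$(dirname "$(modinfo -n vboxdrv)")"` as its argument. For the enrollment side, `mokutil --test-key /root/signed-modules/MOK.der` reports whether the certificate is already enrolled.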

Final conclusions:

If the process doesn't work, an option is to disable Secure Boot, but for various reasons, it's not a recommended practice.

Another option is to check the quality of the VMs you're trying to run. In some cases, they might be corrupted, or even the ISO you're trying to install from.

Top comments (2)

Sam J. • Edited

Mmm, the official way of starting vbox services is by running
sudo /sbin/vboxconfig
I get this output, meaning the signing didn't really work, is that a user problem?

vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
  vboxdrv vboxnetflt vboxnetadp
See the documentation for your Linux distribution..
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: Signing VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox.  To re-start the set-up process, run
  /sbin/vboxconfig
as root.  If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.

The dmesg message is:
[ 307.613232] Loading of module with unavailable key is rejected

Sam J.

Thanks! I got strange output when running the sign script the first time, but the second time it was fine.
Just a tip: cat > sign-virtual-box entering the lines and hitting CTRL+D is a better way of creating a script.