Automatic VirtualBox module signing for UEFI
These steps are for everyone who hates signing the VirtualBox modules by hand after every update and doesn't want to disable UEFI Secure Boot.
1) Generate a key /root/module-signing/MOK.priv and /root/module-signing/MOK.der
mkdir /root/module-signing/
cd /root/module-signing/
openssl req -new -x509 -newkey rsa:2048 \
-nodes -days 99999 -outform DER \
-keyout "MOK.priv" \
-out "MOK.der"
2) Add the key to UEFI:
sudo mokutil --import /root/module-signing/MOK.der
You will be asked for a password.
You can type in any password, but you will be asked for it by UEFI on the next reboot.
3) Create Script (in /root/module-signing/sign-vbox-modules.sh)
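#!/bin/bash
# Sign every VirtualBox module that sits next to vboxdrv, then load the driver.
for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
  echo "Signing $modfile"
  "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
    /root/module-signing/MOK.priv \
    /root/module-signing/MOK.der "$modfile"
done
modprobe vboxdrv
4) Change access rights on module-signing/ to prevent leakage of the private key by any user but root. The key was generated with -nodes, so it is stored unencrypted and these permissions are its only protection.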
chmod -R go-rwx /root/module-signing/
chmod -R u+rwx /root/module-signing/
5) Create the systemd unit (/etc/systemd/system/sign-virtualbox.service)
[Unit]
Description=Signing Virtualbox KernelModules for UEFI
[Service]
User=root
ExecStart=/root/module-signing/sign-vbox-modules.sh
[Install]
WantedBy=default.target
6) Start it: sudo systemctl start sign-virtualbox.service
7) Check: systemctl status sign-virtualbox.service
● sign-virtualbox.service - Signing Virtualbox KernelModules for UEFI
Loaded: loaded (/etc/systemd/system/sign-virtualbox.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Jan 30 09:14:30 HOST systemd[1]: Started Signing Virtualbox KernelModules for UEFI.
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxdrv.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetadp.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxnetflt.ko
Jan 30 09:14:30 HOST sign-vbox-modules.sh[7268]: Signing /lib/modules/4.13.0-32-generic/misc/vboxpci.ko
8) Enable on boot: sudo systemctl enable sign-virtualbox.service
9) Enjoy the Result :)
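To check the outcome of steps 3 to 7, here is an added audit script (not part of the original post; the function names are made up for this example). It assumes uncompressed .ko files as in the log above and only confirms that a signature block is attached and that the key file is closed to group and other; it does not validate the signature against the enrolled MOK.

```shell
#!/bin/bash
# Added example, not from the original post: audit the setup described above.
MARKER='~Module signature appended~'   # sign-file ends each module with this + newline

# True if the file ends with the kernel's module-signature marker (28 bytes).
# Presence of the marker shows a signature is attached, not that it is valid.
is_signed() {
    local tail_bytes
    tail_bytes=$(tail -c 28 -- "$1" | tr -d '\0')
    [ "$tail_bytes" = "$MARKER" ]
}

# True if the key file grants no permission bits to group or other.
key_is_private() {
    local mode
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Report on every .ko in a directory and on the key file.
# Return value is the number of problems found (0 = clean).
audit_dir() {
    local dir="$1" key="$2" problems=0 mod
    for mod in "$dir"/*.ko; do
        [ -e "$mod" ] || continue
        if is_signed "$mod"; then
            echo "signed:   $mod"
        else
            echo "UNSIGNED: $mod"; problems=$((problems + 1))
        fi
    done
    if ! key_is_private "$key"; then
        echo "KEY OPEN TO GROUP/OTHER: $key"; problems=$((problems + 1))
    fi
    return "$problems"
}

# On a host set up as above, audit the real module directory (run as root).
if modpath=$(modinfo -n vboxdrv 2>/dev/null); then
    audit_dir "$(dirname "$modpath")" /root/module-signing/MOK.priv \
        || echo "audit reported $? problem(s)"
fi
```

An UNSIGNED line right after a kernel or VirtualBox update means the modules were rebuilt and the signing service has not run since.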