Signing VirtualBox Kernel Modules

joaoprd

João Pedro

Posted on August 29, 2023

Signing VirtualBox Kernel Modules

When facing issues with module signing and errors in the 'vboxdrv, vboxnetflt, vboxnetadp, vboxpci' modules, these were the steps I followed to enable VirtualBox on my Fedora 38 machine without disabling UEFI Secure Boot.

And this method creates a layer of protection between VirtualBox and the kernel.

Installing the package mokutil:

sudo dnf update
sudo dnf install mokutil

mokutil will be used to sign your own modules for use with UEFI Secure Boot and to add certificates to the kernel's trusted certificate keyring.

Creating folder for module signing and RSA key:

sudo su
mkdir /root/signed-modules
cd /root/signed-modules
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
chmod 700 MOK.priv

Creating the password for MOK (this password will be needed for the reboot):

sudo mokutil --import MOK.der

Restart the system and follow the MOK processes:

  • Select 'Enroll MOK
    Image description

  • Select Continue
    Image description

  • Select 'Yes' to add the keys
    Image description

  • Enter the password created with mokutil"
    Image description

  • Proceed to reboot
    Image description

Creating the script to perform the signatures:

cd /root/signed-modules
vi sign-virtual-box

Add the following inside 'sign-virtual-box':

#!/bin/bash

for modfile in $(dirname $(modinfo -n vboxdrv))/*.ko; do
  echo "Signing $modfile"
  /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 \
                                /root/signed-modules/MOK.priv \
                                /root/signed-modules/MOK.der "$modfile"
done
Enter fullscreen mode Exit fullscreen mode

Check for any errors in the script using the command:

find /usr/src -name sign-file

Add permissions to the script and execute it:

chmod 700 sign-virtual-box
./sign-virtual-box

Run VirtualBox:

modprobe vboxdrv

Final conclusions:

If the process doesn't work, an option is to disable Secure Boot, but for various reasons, it's not a recommended practice.

Another option is to check the quality of the VMs you're trying to run. In some cases, they might be corrupted, or even the ISO you're trying to install from.

💖 💪 🙅 🚩
joaoprd
João Pedro

Posted on August 29, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Signing VirtualBox Kernel Modules
linux Signing VirtualBox Kernel Modules

August 29, 2023