Signing VirtualBox Kernel Modules
João Pedro
Posted on August 29, 2023
When facing issues with module signing and errors in the 'vboxdrv, vboxnetflt, vboxnetadp, vboxpci' modules, these were the steps I followed to enable VirtualBox on my Fedora 38 machine without disabling UEFI Secure Boot.
This method also keeps a layer of protection between VirtualBox and the kernel: Secure Boot stays enabled, so the kernel loads only modules signed with a trusted key.
Installing the package mokutil:
sudo dnf update
sudo dnf install mokutil
mokutil will be used to enroll the certificate for the key that signs your own modules for use with UEFI Secure Boot, which adds the certificate to the kernel's trusted certificate keyring.
Creating the folder for module signing and generating the RSA key:
sudo su
mkdir /root/signed-modules
cd /root/signed-modules
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
chmod 700 MOK.priv
Creating the password for MOK (this password will be needed for the reboot):
sudo mokutil --import MOK.der
Restart the system and follow the MOK enrollment process, entering the password you just created.
Creating the script to perform the signatures:
cd /root/signed-modules
vi sign-virtual-box
Add the following inside 'sign-virtual-box':
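#!/bin/bash
# Sign every module in the directory that holds vboxdrv for the running kernel.
moddir="$(dirname "$(modinfo -n vboxdrv)")"
for modfile in "$moddir"/*.ko; do
    echo "Signing $modfile"
    # sign-file arguments: hash algorithm, private key, certificate, module
    "/usr/src/kernels/$(uname -r)/scripts/sign-file" sha256 \
        /root/signed-modules/MOK.priv \
        /root/signed-modules/MOK.der "$modfile"
done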
Check that the sign-file path used in the script exists, using the command:
find /usr/src -name sign-file
Set the permissions on the script and execute it:
chmod 700 sign-virtual-box
./sign-virtual-box
Load the driver module to run VirtualBox:
modprobe vboxdrv
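To confirm that the script above really signed the modules with the enrolled key, the following check can be run as root. It is an added example, not part of the original post; the helper names has_sig_trailer and signer_matches are made up for illustration, and the sample modinfo text is constructed.

```bash
#!/bin/bash
# Added example: verify that sign-file actually signed the VirtualBox modules.
# has_sig_trailer and signer_matches are illustrative helper names.

# A signed module file ends with this 28-byte marker (27 characters + newline).
has_sig_trailer() {
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "~Module signature appended~" ]
}

# Reads `modinfo` output on stdin; succeeds only if the signer CN and the
# hash algorithm match the values used in the signing step.
signer_matches() {
    awk -v cn="$1" -v algo="$2" '
        $1 == "signer:"       { sub(/^signer:[ \t]+/, "");       s = $0 }
        $1 == "sig_hashalgo:" { sub(/^sig_hashalgo:[ \t]+/, ""); h = $0 }
        END { exit !(s == cn && h == algo) }'
}

# Constructed sample of the relevant modinfo lines for a correctly signed module.
SAMPLE_MODINFO='filename:       /lib/modules/KERNEL_VERSION/misc/vboxdrv.ko
signer:         VirtualBox
sig_hashalgo:   sha256'

# Live check; skipped when modinfo cannot locate vboxdrv.
modpath="$(modinfo -n vboxdrv 2>/dev/null)" || modpath=""
if [ -n "$modpath" ]; then
    # Reports whether the certificate is enrolled in the MOK list.
    mokutil --test-key /root/signed-modules/MOK.der
    for f in "$(dirname "$modpath")"/*.ko; do
        if has_sig_trailer "$f" && modinfo "$f" | signer_matches VirtualBox sha256; then
            echo "signed by CN=VirtualBox (sha256): $f"
        else
            echo "NOT signed as expected: $f"
        fi
    done
fi
```

A module reported as not signed as expected will be rejected by modprobe while Secure Boot is enabled, so rerun sign-virtual-box for it, which is also needed after every kernel or VirtualBox update that rebuilds the modules.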
Final conclusions:
If the process doesn't work, one option is to disable Secure Boot, but for various reasons it's not a recommended practice.
Another option is to check the quality of the VMs you're trying to run. In some cases they might be corrupted, or the ISO you're trying to install from might be.