Fedora 34 - unable to 'permanently' load signed modules

ffc820
Posts: 2
Joined: 23. Jul 2021, 11:37

Fedora 34 - unable to 'permanently' load signed modules

Post by ffc820 »

Hi,

Compiling vboxdrv,... by running '/sbin/vboxconfig' results in the following error.
I have signed and loaded the modules as shown below but am still not able to run 'vboxconfig' with success.

Short system description
* Fedora 34:

Code: Select all

Linux fedora 5.13.4-200.fc34.x86_64 #1 SMP Tue Jul 20 20:27:29 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

* VirtualBox:

Code: Select all

[root@fedora ~]# rpm -qa |grep -i virtual
virtualbox-guest-additions-6.1.22-1.fc34.x86_64
VirtualBox-6.1-6.1.24_145767_fedora33-1.x86_64


Error from '/sbin/vboxconfig' execution

Code: Select all

[root@fedora ~]# /sbin/vboxconfig
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
  vboxdrv vboxnetflt vboxnetadp
See the documentation for your Linux distribution..
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox.  To re-start the set-up process, run
  /sbin/vboxconfig
as root.  If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.

Module signing

* All modules present in '/lib/modules/5.13.4-200.fc34.x86_64/misc' will be signed.

Code: Select all

for modfile in $(dirname $(modinfo -n vboxdrv))/*.ko; do
  echo "Signing $modfile"
  /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 \
                                /root/signed-modules/MOK.priv \
                                /root/signed-modules/MOK.der "$modfile"
done

All (but only) 3 modules are signed:

Code: Select all

Signing /lib/modules/5.13.4-200.fc34.x86_64/misc/vboxdrv.ko
Signing /lib/modules/5.13.4-200.fc34.x86_64/misc/vboxnetadp.ko
Signing /lib/modules/5.13.4-200.fc34.x86_64/misc/vboxnetflt.ko

* Loading modules:

Code: Select all

modprobe vboxdrv
modprobe vboxnetadp
modprobe vboxnetflt

* Modules are loaded:

Code: Select all

[root@fedora ~]# lsmod |grep vb
vboxnetflt             32768  0
vboxnetadp             28672  0
vboxdrv               557056  2 vboxnetadp,vboxnetflt

Execute '/sbin/vboxconfig' once again

* Results in the same error as above:

Code: Select all

[root@fedora ~]# /sbin/vboxconfig 
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
  vboxdrv vboxnetflt vboxnetadp
See the documentation for your Linux distribution..
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox.  To re-start the set-up process, run
  /sbin/vboxconfig
as root.  If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.

* dmesg says:

Code: Select all

[ 3553.338818] Loading of unsigned module is rejected

Other items checked
* Certificate is loaded

Code: Select all

mokutil --list-enrolled

Code: Select all

...
[key 2]
SHA1 Fingerprint: 4c:7e:98:70:df:ba:f1:da:85:be:20:d7:8e:6c:f8:e7:f9:4f:33:3f
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:cd:93:37:04:4a:60:c9:05:af:fa:8a:78:3f:37:7d:b3:2a:b6:22
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=VirtualBox
        Validity
            Not Before: Jun 14 22:54:56 2021 GMT
            Not After : May 21 22:54:56 2121 GMT
        Subject: CN=VirtualBox
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
...

* If loaded again, modules are rejected:

Code: Select all

[root@fedora ~]# modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Key was rejected by service

Seems to indicate that when '/sbin/vboxconfig' is executed the original (unsigned) modules are restored.

At this point any hint welcome!

Thanks,
ffc
ffc820
Posts: 2
Joined: 23. Jul 2021, 11:37

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by ffc820 »

The issue reported above is not an issue.
Sorry for spamming.

There were 2 issues. The first issue, module signing, was solved using the method described above.
The second issue was that the 'extension pack' needed to be updated as well, which is pretty easy to update following the vbox documents.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by scottgus1 »

'Twasn't spamming at all! Thanks for taking the time to report what you were seeing and how you fixed it.

Welcome to the forum!
pgaltieri
Posts: 4
Joined: 9. Aug 2021, 17:50

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by pgaltieri »

I'm encountering this issue as well and the problem comes down to the fact that /sbin/vboxconfig is run during boot. I'm running F34 and I run vboxconfig after a kernel update and sign the modules. I verify the signatures and reboot the system and when I do an lsmod after the boot the vbox modules are not loaded. When I check the dates on the vbox modules they are dated after the ones I built, and hence are not signed. I don't understand why vboxconfig can't check and see that the modules already exist and not do anything.

Paolo
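
An added example, not part of any post in this thread and not VirtualBox code: a check that reports which `.ko` files in a module directory no longer carry an appended signature, which is the state the posts above describe after vboxconfig rebuilds the modules. It relies on the kernel's convention that a signed module ends with the 28-byte marker `~Module signature appended~\n`; the function names and the usage path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report kernel modules that lack an appended signature.
# A signed .ko ends with the 28-byte marker "~Module signature appended~\n".
# This checks only that the marker is present, not that the signing key
# is enrolled in the MOK list.

# Hex form of the marker, so binary tails can be compared exactly.
MARKER_HEX=$(printf '~Module signature appended~\n' | od -An -tx1 | tr -d ' \n')

# has_sig_marker FILE -> exit 0 if FILE ends with the signature marker,
# 1 if it does not, 2 if FILE is not a regular file.
has_sig_marker() {
    [ -f "$1" ] || return 2
    tail_hex=$(tail -c 28 -- "$1" | od -An -tx1 | tr -d ' \n')
    [ "$tail_hex" = "$MARKER_HEX" ]
}

# unsigned_modules DIR -> print the basename of every *.ko in DIR
# that does not end with the marker.
unsigned_modules() {
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue
        has_sig_marker "$ko" || basename "$ko"
    done
}

# count_unsigned DIR -> print how many *.ko files in DIR are unsigned.
count_unsigned() {
    unsigned_modules "$1" | wc -l | tr -d ' '
}

# Usage (path is an example): sh check-modsig.sh "/lib/modules/$(uname -r)/misc"
# Exits non-zero when any module in the directory is unsigned, so it can
# gate a re-signing step after a kernel update or a vboxconfig run.
if [ "$#" -ge 1 ]; then
    n=$(count_unsigned "$1")
    unsigned_modules "$1"
    if [ "$n" -ne 0 ]; then
        echo "$n unsigned module(s) in $1" >&2
        exit 1
    fi
fi
```

Running it before and after a reboot shows whether the signed files were replaced; a module that passes this check can still be refused at load time if its key is not in the enrolled list shown by `mokutil --list-enrolled`.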
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by fth0 »

This is a known regression in VirtualBox 6.1.24|26:

The VirtualBox kernel drivers are rebuilt on every boot of a Linux host OS. Please use the workaround described in 20465 to prevent that.
pgaltieri
Posts: 4
Joined: 9. Aug 2021, 17:50

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by pgaltieri »

In looking at the vboxdrv.sh file I find the following comment

# So far we can only sign modules on Ubuntu and on Debian 10 and later.

it then lists the location of the MOK.der and MOK.priv files, but I can't find these files. This probably needs to include Fedora releases as well.

Paolo
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by fth0 »

FWIW, the UEFI Secure Boot Machine Owner Key (MOK) is usually created by either the host OS itself or by their administrator, not by VirtualBox.
pgaltieri
Posts: 4
Joined: 9. Aug 2021, 17:50

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by pgaltieri »

I know, which is why I don't understand the comment in vboxdrv.sh and the explicit reference to MOK.der and MOK.priv. In vboxdrv.sh there are places where it signs modules using the keys found in

DEB_PUB_KEY=/var/lib/shim-signed/mok/MOK.der
DEB_PRIV_KEY=/var/lib/shim-signed/mok/MOK.priv

but there are no similar references for other OSes. When I signed the vbox modules I created the .der and .priv manually and signed the vbox modules manually; I never expected vbox to do so.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by fth0 »

AFAIR, VirtualBox signing the VirtualBox kernel modules isn't advertised at all (it's only mentioned in 2.3.2.1. Kernel Modules and UEFI Secure Boot that you may have to do it yourself). You could call it a missing feature, and you're welcome to send patches.

Since you didn't acknowledge it so far: You've solved your problem with the modification proposed in the bug ticket, haven't you? ;)
pgaltieri
Posts: 4
Joined: 9. Aug 2021, 17:50

Re: Fedora 34 - unable to 'permanently' load signed modules

Post by pgaltieri »

Yes, the fix suggested addressed my problem. It was in modifying the file as recommended that I saw the comment about signing modules for Ubuntu and Debian.