Getting VirtualBox to work with secure boot


Post by Lyr

Hi

Here's a summary of an issue and how I fixed it, in case anyone hits the same issue.

I'm running Ubuntu Cosmic (18.04) with secure boot enabled.

VBoxManage --version said

Code:

VBoxManage --version    
WARNING: The vboxdrv kernel module is not loaded. Either there is no module
         available for the current kernel (4.18.0-13-generic) or it failed to
         load. Please recompile the kernel module and install it by

           sudo /sbin/vboxconfig

         You will not be able to start VMs until this problem is fixed.
6.0.0r127566

Tried the vboxconfig

Code:

sudo vboxconfig 
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox.  To re-start the set-up process, run
  /sbin/vboxconfig
as root.

dmesg said

Code:

PKCS#7 signature not signed with a trusted key

Not exactly explicit, so I gave a shot at a verbose modprobe

Code:

sudo modprobe vboxdrv -v
insmod /lib/modules/4.18.0-13-generic/updates/dkms/vboxdrv.ko 
modprobe: ERROR: could not insert 'vboxdrv': Operation not permitted

socratis from #vbox on Freenode IRC gave me the hint: I had to sign it. I took some inspiration from the web, and here is roughly how I fixed my install. I can't guarantee it'll work out of the box for someone else, since I spent half an hour trying various combinations. But that should be it.

Code:

# Will at least compile the module, effectively creating the /lib/modules/4.18.0-13-generic/updates/dkms/vboxdrv.ko file
# (4.18.0-13-generic is your kernel version, see uname -r)
sudo vboxconfig

# Generate a key for you using /usr/lib/shim/mok/openssl.cnf in the /var/lib/shim-signed/mok/ folder
sudo update-secureboot-policy --new-key

# Be careful to pick a password that is okay on a QWERTY layout when prompted!
sudo update-secureboot-policy --enroll-key

# A reboot is required; you'll end up in the blue ncurses MOK interface. Choose the first sign option (aka not on disk) and enter the previous password (QWERTY!)
sudo reboot
# Once finished, it'll reboot again

# Now you can sign (well, you could have beforehand, but it wouldn't have helped)
sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/$(uname -r)/updates/dkms/vboxdrv.ko

# Should be OK now (aka no output)
sudo modprobe vboxdrv -v

# A service restart just to be sure
sudo systemctl restart virtualbox
# The service status and any VBoxManage command should work without complaining
sudo systemctl status virtualbox
VBoxManage --version

Service status should be all green, and VBoxManage --version should just output the version without the previous warning.
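Added example, not part of the original post: a small shell audit that lists which vbox*.ko files in the module directory still lack an appended signature and prints (or runs) the same kmodsign command for each one. The function names and the DRY_RUN switch are hypothetical; it assumes uncompressed .ko files and the key paths used in the post, and relies on the 28-byte "~Module signature appended~" trailer that the kernel looks for on signed modules.

```shell
#!/bin/sh
# Added example: find VirtualBox modules that still need signing.
# Key location is the one from the post; override MOK_DIR if yours differs.
MOK_DIR=${MOK_DIR:-/var/lib/shim-signed/mok}
MAGIC='~Module signature appended~'   # signed modules end with this plus "\n"

# Return 0 if the file ends with the module-signature trailer.
is_signed() {
    # 28 bytes = 27-character magic + newline (stripped by the substitution).
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\0')" = "$MAGIC" ]
}

# Print every vbox*.ko in directory $1 that has no signature trailer.
unsigned_modules() {
    for f in "$1"/vbox*.ko; do
        [ -f "$f" ] || continue
        is_signed "$f" || printf '%s\n' "$f"
    done
}

# Print the kmodsign command for each unsigned module.
# Set DRY_RUN=0 (as root) to actually sign instead of printing.
sign_unsigned() {
    unsigned_modules "$1" | while IFS= read -r mod; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "kmodsign sha512 $MOK_DIR/MOK.priv $MOK_DIR/MOK.der $mod"
        else
            kmodsign sha512 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$mod"
        fi
    done
}

# Run as: sh this-script --audit
if [ "${1:-}" = "--audit" ]; then
    sign_unsigned "/lib/modules/$(uname -r)/updates/dkms"
fi
```

The trailer check only shows that a signature has been appended; whether the signing key is trusted is still decided by the kernel at load time, so a "PKCS#7 signature not signed with a trusted key" line in dmesg means the key has not been enrolled yet.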