SecureBoot and VirtualBox kernel modules
Installing VirtualBox on Ubuntu 18 (the same applies to modern Fedora Core) with SecureBoot enabled results in an error when running the command /sbin/vboxsetup.
The error message looks something like this:
There were problems setting up VirtualBox. To re-start the set-up process, run
/sbin/vboxconfig
as root. If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system’s documentation for more information.
This happens because SecureBoot does not allow unsigned kernel drivers to load, and VirtualBox builds its own drivers as part of its configuration.
I have found a great solution for this problem in the answers to this question here, which goes as follows:
Create a file (as root) called /usr/bin/ensure-vbox-signed with the following content:
#!/bin/bash

MOKUTIL="/usr/bin/mokutil"
MODPROBE="/sbin/modprobe"
MODINFO="/sbin/modinfo"
SIG_DIR="/var/lib/shim-signed/mok"
PUB="${SIG_DIR}/MOK.der"
KEY="${SIG_DIR}/MOK.priv"

if ! "${MOKUTIL}" --sb-state | grep -qi '[[:space:]]enabled$' ; then
    echo "WARNING: Secure Boot is not enabled, signing is not necessary"
    exit 0
fi

# If secure boot is enabled, we try to find the signature keys
[ -f "${KEY}" ] || { echo "ERROR: Couldn't find the MOK private key at ${KEY}" ; exit 1 ; }
[ -f "${PUB}" ] || { echo "ERROR: Couldn't find the MOK public key at ${PUB}" ; exit 1 ; }

INFO="$("${MODINFO}" -n vboxdrv)"
if [ -z "${INFO}" ] ; then
    # If there's no such module, compile it
    /usr/lib/virtualbox/vboxdrv.sh setup
    INFO="$("${MODINFO}" -n vboxdrv)"
    if [ -z "${INFO}" ] ; then
        echo "ERROR: Module compilation failed (${MODINFO} couldn't find it after vboxdrv.sh was called)"
        exit 1
    fi
fi

# Kernel version: first argument, or the running kernel if none is given
KVER="${1}"
[ -z "${KVER}" ] && KVER="$(uname -r)"

KDIR="/usr/src/linux-headers-${KVER}"
DIR="$(dirname "${INFO}")"

for module in "${DIR}"/vbox*.ko ; do
    MOD="$(basename "${module}")"
    MOD="${MOD//.*/}"

    # Quick check - if the module loads, it needs no signing
    echo "Loading ${MOD}..."
    "${MODPROBE}" "${MOD}" && continue

    # The module didn't load, and it must have been built (above), so it needs signing
    echo "Signing ${MOD}..."
    "${KDIR}/scripts/sign-file" sha256 "${KEY}" "${PUB}" "${module}"
    RC=$?   # capture the real exit status of sign-file for the error message
    if [ "${RC}" -ne 0 ] ; then
        echo -e "\tFailed to sign ${module} with ${KEY} and ${PUB} (rc=${RC}, kernel=${KVER})"
        exit 1
    fi

    echo "Reloading the signed ${MOD}..."
    if ! "${MODPROBE}" "${MOD}" ; then
        echo -e "\tSigned ${MOD}, but failed to load it from ${module}"
        exit 1
    fi
    echo "Loaded the signed ${MOD}!"
done
exit 0
Make sure this file is executable by root. Create a systemd service /etc/systemd/system/ensure-vboxdrv-signed.service with the following contents:
[Unit]
SourcePath=/usr/bin/ensure-vbox-signed
Description=Ensure the VirtualBox Linux kernel modules are signed
Before=vboxdrv.service
After=

[Service]
Type=oneshot
Restart=no
TimeoutSec=30
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
ExecStart=/usr/bin/ensure-vbox-signed

[Install]
WantedBy=multi-user.target
RequiredBy=vboxdrv.service
Run sudo systemctl daemon-reload, and then start the service by running sudo systemctl start ensure-vboxdrv-signed.service
It should sign and enable your vbox drivers, and allow you to run your VirtualBox machines.
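To confirm the result afterwards, this added example (not part of the original post or of the answer it quotes) checks that each vbox*.ko file ends with the marker the kernel's sign-file appends, and that the MOK private key is accessible only to its owner, since that key can sign any module this machine will then accept. The function names and the placeholder demo files are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): audit after the signing service has run.
SIG_MAGIC='~Module signature appended~'   # kernel marker; on disk it is followed by a newline

# 0 if the file ends with the 28-byte appended-signature marker.
# This shows a signature is present; only the kernel decides whether it is trusted.
is_signed_module() {
    [ -f "$1" ] || return 2
    # NULs are mapped to '?' so binary tails compare safely; $(...) drops the newline.
    [ "$(tail -c 28 "$1" | LC_ALL=C tr '\0' '?')" = "${SIG_MAGIC}" ]
}

# 0 if the key file grants no permission bits to group or others.
key_is_private() {
    [ -f "$1" ] || return 2
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# $1 = directory holding vbox*.ko, $2 = MOK private key. Returns 0 only if every check passes.
audit_vbox_signing() {
    rc=0
    for module in "$1"/vbox*.ko ; do
        [ -e "${module}" ] || { echo "ERROR: no vbox*.ko in $1" ; return 2 ; }
        if is_signed_module "${module}" ; then
            echo "signed:   ${module}"
        else
            echo "UNSIGNED: ${module}" ; rc=1
        fi
    done
    key_is_private "$2" || { echo "WARNING: $2 is accessible beyond its owner" ; rc=1 ; }
    return "${rc}"
}

# Constructed demo input: placeholder files, not real kernel modules or keys.
demo_audit() {
    d="$(mktemp -d)"
    printf 'fake-module%s\n' "${SIG_MAGIC}" > "${d}/vboxdrv.ko"
    printf 'fake-module' > "${d}/vboxnetflt.ko"
    : > "${d}/MOK.priv" ; chmod 600 "${d}/MOK.priv"
    audit_vbox_signing "${d}" "${d}/MOK.priv" ; status=$?
    rm -rf "${d}"
    return "${status}"
}
demo_audit || echo "demo: audit flagged the unsigned placeholder, as constructed"
# On a real system (paths as in the script above):
#   audit_vbox_signing "$(dirname "$(modinfo -n vboxdrv)")" /var/lib/shim-signed/mok/MOK.priv
```

The marker check only works on uncompressed .ko files, which is what the signing script above handles.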
What to do if the error message “Couldn’t find the MOK private key” appears?
You should be more specific as to where in the process it shows you this error, but it could be because your TPM is not reset upon starting the process. You can reset it through the BIOS.
I'm using Fedora 33 and it brings this error:
Job for ensure-vboxdrv-signed.service failed because the control process exited with error code.
See “systemctl status ensure-vboxdrv-signed.service” and “journalctl -xe” for details
Status:
localhost.localdomain systemd[1]: Starting Ensure the VirtualBox Linux kernel modules are sign>
localhost.localdomain sys: ensure-vboxdrv-signed.service: Failed to execute command>
localhost.localdomain systemd[12736]: ensure-vboxdrv-signed.service: Failed at step EXEC spawn>
localhost.localdomain systemd[1]: ensure-vboxdrv-signed.service: Main process exited, code=exi>
localhost.localdomain systemd[1]: ensure-vboxdrv-signed.service: Failed with result ‘exit-code>
localhost.localdomain systemd[1]: Failed to start Ensure the VirtualBox Linux kernel modules a>
I think that your systemd module (ensure-vboxdrv-signed.service) points to an incorrect path of executables, so the service fails. Verify that the contents of the module are correct.