{"id":7730,"date":"2020-11-05T21:19:00","date_gmt":"2020-11-05T20:19:00","guid":{"rendered":"https:\/\/monodes.com\/predaelli\/?p=7730"},"modified":"2020-11-05T14:21:03","modified_gmt":"2020-11-05T13:21:03","slug":"7730","status":"publish","type":"post","link":"https:\/\/monodes.com\/predaelli\/2020\/11\/05\/7730\/","title":{"rendered":""},"content":{"rendered":"\n<div class=\"wp-block-coblocks-gist\"><script src=\"https:\/\/gist.github.com\/reillysiemens\/ac6bea1e6c7684d62f544bd79b2182a4.js\"><\/script><noscript><a href=\"https:\/\/gist.github.com\/reillysiemens\/ac6bea1e6c7684d62f544bd79b2182a4\">View this gist on GitHub<\/a><\/noscript><\/div>\n\n\n\n<!--more-->\n\n\n\n<p>In case it goes offline, see page 2<\/p>\n\n\n\n<!--nextpage-->\n\n\n\n<h1 class=\"wp-block-heading\">Signing VirtualBox Kernel Modules<\/h1>\n\n\n\n<p>These are the steps I followed to enable VirtualBox on my laptop <strong>without disabling UEFI Secure Boot<\/strong>. They&#8217;re nearly identical to the process described on <a href=\"https:\/\/stegard.net\/2016\/10\/virtualbox-secure-boot-ubuntu-fail\/\">\u00d8yvind Stegard&#8217;s blog<\/a>, save for a few <em>key<\/em> details. The images here are borrowed from the <a href=\"https:\/\/sourceware.org\/systemtap\/wiki\/SecureBoot\">Systemtap UEFI Secure Boot Wiki<\/a>.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Install the VirtualBox package (this might be different for your platform). <pre class=\"wp-block-preformatted\">src='https:\/\/download.virtualbox.org\/virtualbox\/rpm\/fedora\/virtualbox.repo'\ndst='\/etc\/yum.repos.d\/virtualbox.repo'\n# Let curl write the file as root; a shell redirect would run as the calling user.\nsudo curl -o \"${dst}\" \"${src}\"\ndnf check-update\nsudo dnf install VirtualBox-6.0<\/pre><\/li><li>Create an RSA key pair to sign kernel modules. 
<pre class=\"wp-block-preformatted\">name=\"$(getent passwd $(whoami) | awk -F: '{print $5}')\"\nout_dir='\/root\/module-signing'\nsudo mkdir ${out_dir}\n# -days 36500 is probably waaay too long.\nsudo openssl \\\n    req \\\n    -new \\\n    -x509 \\\n    -newkey \\\n    rsa:2048 \\\n    -keyout ${out_dir}\/MOK.priv \\\n    -outform DER \\\n    -out ${out_dir}\/MOK.der \\\n    -days 36500 \\\n    -subj \"\/CN=${name}\/\"\n# Name the files explicitly: an unprivileged shell cannot expand a glob under \/root.\nsudo chmod 600 ${out_dir}\/MOK.priv ${out_dir}\/MOK.der<\/pre>Note the absence of the <code class=\"\" data-line=\"\">-nodes<\/code> option from \u00d8yvind&#8217;s post. With that option, <code class=\"\" data-line=\"\">openssl<\/code> creates a private key with no passphrase. Omitting it makes <code class=\"\" data-line=\"\">openssl<\/code> prompt for a passphrase, which seems like a good idea for something as important as a kernel module signing key.<\/li><li>Import the MOK (&#8220;Machine Owner Key&#8221;) so it can be trusted by the system. <pre class=\"wp-block-preformatted\">sudo mokutil --import \/root\/module-signing\/MOK.der<\/pre>This will prompt for a password. The password is only temporary and will be used on the next boot. 
It does <strong>not<\/strong> have to be the same as the signing key passphrase.<\/li><li>Reboot your machine to enter the MOK manager EFI utility.<ul><li>Select <em>Enroll MOK<\/em>.<\/li><li>Select <em>Continue<\/em>.<\/li><li>Select <em>Yes<\/em> to enroll the keys.<\/li><li>Enter the password from earlier.<\/li><li>Select <em>OK<\/em> to reboot.<\/li><\/ul><\/li><\/ol>\n\n\n\n<ul class=\"wp-block-list\"><li>Verify the key has been loaded by finding it in the output of<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">dmesg | grep '[U]EFI.*cert'<\/pre>\n\n\n\n<p>Create a script for signing <strong>all<\/strong> the VirtualBox kernel modules.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">#!\/bin\/sh\n\nreadonly hash_algo='sha256'\nreadonly key='\/root\/module-signing\/MOK.priv'\nreadonly x509='\/root\/module-signing\/MOK.der'\n\nreadonly name=\"$(basename $0)\"\nreadonly esc='\\\\e'\nreadonly reset=\"${esc}[0m\"\n\ngreen() { local string=\"${1}\"; echo \"${esc}[32m${string}${reset}\"; }\nblue() { local string=\"${1}\"; echo \"${esc}[34m${string}${reset}\"; }\nlog() { local string=\"${1}\"; echo \"[$(blue $name)] ${string}\"; }\n\n# The exact location of `sign-file` might vary depending on your platform.\nalias sign-file=\"\/usr\/src\/kernels\/$(uname -r)\/scripts\/sign-file\"\n\n[ -z \"${KBUILD_SIGN_PIN}\" ] &amp;&amp; read -p \"Passphrase for ${key}: \" KBUILD_SIGN_PIN\nexport KBUILD_SIGN_PIN\n\nfor module in $(dirname $(modinfo -n vboxdrv))\/*.ko; do\n  log \"Signing $(green ${module})...\"\n  sign-file \"${hash_algo}\" \"${key}\" \"${x509}\" \"${module}\"\ndone<\/pre>\n\n\n\n<p>This script differs from \u00d8yvind&#8217;s in two aspects. 
First, and most importantly, it has \u2728 <strong>C O L O R S<\/strong> \u2728. Second, it uses the magic <a href=\"https:\/\/github.com\/torvalds\/linux\/blob\/12491ed354d23c0ecbe02459bf4be58b8c772bc8\/scripts\/sign-file.c#L236\"><code class=\"\" data-line=\"\">$KBUILD_SIGN_PIN<\/code><\/a> environment variable that doesn&#8217;t appear <em>anywhere<\/em> in the <code class=\"\" data-line=\"\">sign-file<\/code> usage. I went spelunking in the <a href=\"https:\/\/github.com\/torvalds\/linux\/blob\/12491ed354d23c0ecbe02459bf4be58b8c772bc8\/scripts\/sign-file.c\">Linux source<\/a> for it, but in hindsight I could have just read the docs on manual <a href=\"https:\/\/www.kernel.org\/doc\/html\/v4.20\/admin-guide\/module-signing.html#manually-signing-modules\">module signing<\/a>&#8230; I wrote this script to <code class=\"\" data-line=\"\">\/root\/bin\/sign-vbox-modules<\/code> as that&#8217;s usually on <code class=\"\" data-line=\"\">root<\/code>&#8217;s <code class=\"\" data-line=\"\">$PATH<\/code>.<\/p>\n\n\n\n<p>Execute the aforementioned script as <code class=\"\" data-line=\"\">root<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo chmod 700 \/root\/bin\/sign-vbox-modules\nsudo -i sign-vbox-modules<\/pre>\n\n\n\n<p>Load the <code class=\"\" data-line=\"\">vboxdrv<\/code> module.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo modprobe vboxdrv<\/pre>\n","protected":false},"excerpt":{"rendered":"<p class=\"excerpt\">\n<p class=\"more-link-p\"><a class=\"more-link\" 
href=\"https:\/\/monodes.com\/predaelli\/2020\/11\/05\/7730\/\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[72],"tags":[],"class_list":["post-7730","post","type-post","status-publish","format-standard","hentry","category-documentations"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/s6daft-7730","jetpack-related-posts":[{"id":14026,"url":"https:\/\/monodes.com\/predaelli\/2025\/09\/26\/virtualbox-cant-enable-the-amd-v-extension\/","url_meta":{"origin":7730,"position":0},"title":"VirtualBox can&#8217;t enable the AMD-V extension?","author":"Paolo Redaelli","date":"2025-09-26","format":false,"excerpt":"Scared by this error and by the almost menacing suggestion to recompile the kernel? No worries, just \"sudo rmmod kvm_amd\". 
Well, actually I shall thank the AI of search.brave.com for the summary\u2026","rel":"","context":"In &quot;Tricks&quot;","block_context":{"text":"Tricks","link":"https:\/\/monodes.com\/predaelli\/category\/documentations\/tricks\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":492,"url":"https:\/\/monodes.com\/predaelli\/2015\/06\/28\/growing-your-virtualbox-virtual-disk\/","url_meta":{"origin":7730,"position":1},"title":"Growing your VirtualBox Virtual Disk","author":"Paolo Redaelli","date":"2015-06-28","format":false,"excerpt":"Most people simply had to deal with proprietary software that more or less runs exclusively on Microsoft OSes. For example when I bought my Dell laptop I used the Microsoft license that I grudgingly had to bought to create a fully legal installation into a virtual machine as the physical\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/monodes.com\/predaelli\/category\/microsoft\/"},"img":{"alt_text":"low-disk-space","src":"https:\/\/i0.wp.com\/monodes.com\/predaelli\/wp-content\/uploads\/sites\/4\/2015\/06\/low-disk-space1.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":11302,"url":"https:\/\/monodes.com\/predaelli\/2024\/02\/05\/quickemu\/","url_meta":{"origin":7730,"position":2},"title":"Quickemu","author":"Paolo Redaelli","date":"2024-02-05","format":false,"excerpt":"This quickemu could easily dislodge VirtualBox as my favorite desktop virtualization solution: Quickly create and run highly optimized desktop virtual machines for Linux, macOS and Windows; ... Quickemu now also includes comprehensive support for macOS and Windows. 
Features macOS Monterey, Big Sur, Catalina, Mojave & High Sierra Windows 10 and\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/monodes.com\/predaelli\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/monodes.com\/predaelli\/wp-content\/uploads\/sites\/4\/2024\/02\/quickemu-logo.webp?fit=512%2C512&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/posts\/7730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/comments?post=7730"}],"version-history":[{"count":0,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/posts\/7730\/revisions"}],"wp:attachment":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/media?parent=7730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/categories?post=7730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/tags?post=7730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}