Linux – How to sign a kernel module Ubuntu 18.04

linux-kernel Ubuntu virtualbox

I am new to using Ubuntu. I am trying to install Genymotion so I can have access to an Android emulator. In order to use Genymotion, it is required I have VirtualBox. I have VirtualBox installed but it seems as if I need to sign a kernel module… and I really am not sure how to do it. This is the error message I get after running /sbin/vboxconfig:

vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox.  To re-start the set-up process, run
  /sbin/vboxconfig
as root.  If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.

I have tried googling this, but cannot seem to find a clear and concise answer with sequential steps. Again, I am fairly new to Linux, so any help is welcome. Thanks in advance to all of those who reply.

Best Answer

In order to get VirtualBox working without simply disabling UEFI Secure Boot, you'll need to do the following:

  1. Create a personal public/private RSA key pair to sign the kernel modules. As recommended in the link below, I chose to store the key pair in the /root/module-signing/ directory.
    sudo -i
    mkdir /root/module-signing
    cd /root/module-signing
    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=YOUR_NAME/"
    chmod 600 MOK.priv 
  2. Use mokutil, a tool to import or delete the machine owner keys (MOK), to import the public key, and then enroll it when the machine is rebooted. The password in this step is a temporary use password you'll only need to remember for a few minutes.
    mokutil --import /root/module-signing/MOK.der
    input password:
    input password again:
  3. Reboot the machine. When the bootloader starts, you should see a screen asking you to press a button to enter the MOK manager EFI utility. Note that any external keyboards won't work in this step. Select Enroll MOK in the first menu, then continue, and then select Yes to enroll the keys, and re-enter the password established in step 2. Then select OK to continue the system boot.

  4. Future kernel updates would require the updated kernels to be signed again, so it makes sense to put the signing commands in a script that can be run at a later date as necessary. A sample script /root/module-signing/sign-vbox-modules is given below.

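    #!/bin/bash
    # Sign every VirtualBox kernel module with the MOK key pair created in step 1.

    # Directory that holds vboxdrv and the other VirtualBox modules.
    moddir="$(dirname "$(modinfo -n vboxdrv)")"

    # Quote the path so a directory name with spaces does not split the loop.
    for modfile in "$moddir"/*.ko; do
      echo "Signing $modfile"
      "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
                                    /root/module-signing/MOK.priv \
                                    /root/module-signing/MOK.der "$modfile"
    done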
  5. Add execution permission, and run the script above as root from the /root/module-signing/ directory.
    sudo -i
    cd /root/module-signing
    chmod 700 /root/module-signing/sign-vbox-modules
    ./sign-vbox-modules
  6. Load vboxdrv module and launch VirtualBox.
    modprobe vboxdrv

Most of this information was gained from the following link, which can be referred to for additional information: https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/
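
A check to run after the signing script, and again after each kernel update, is sketched below as an added example that is not part of the original answer. It lists the modules in a directory that lack the marker the kernel's sign-file tool appends to a signed module; the script name check-module-signatures and the function names are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: list kernel modules that carry no appended signature.
# Usage (as root):
#   ./check-module-signatures "$(dirname "$(modinfo -n vboxdrv)")"

# A signed module ends with this 28-byte marker (27 characters plus a newline).
SIG_MAGIC='~Module signature appended~'

# hex_of: hex-encode stdin so binary file tails can be compared exactly.
hex_of() { od -An -tx1 | tr -d ' \n'; }

# is_signed FILE: succeed only if FILE ends with the signature marker.
is_signed() {
  [ -f "$1" ] || return 1
  [ "$(tail -c 28 "$1" | hex_of)" = "$(printf '%s\n' "$SIG_MAGIC" | hex_of)" ]
}

# unsigned_modules DIR: print every *.ko in DIR that has no marker.
# Returns 1 if at least one unsigned module was found, 0 otherwise.
unsigned_modules() {
  local modfile status=0
  for modfile in "$1"/*.ko; do
    [ -e "$modfile" ] || continue   # the glob matched nothing
    if ! is_signed "$modfile"; then
      echo "$modfile"
      status=1
    fi
  done
  return "$status"
}

# Run the check only when a module directory is passed on the command line.
if [ "$#" -gt 0 ]; then
  if unsigned_modules "$1"; then
    echo "All modules in $1 carry a signature marker."
  else
    echo "Unsigned modules listed above: re-run sign-vbox-modules." >&2
    exit 1
  fi
fi
```

The marker only shows that a signature is attached. Whether the signing key is enrolled and trusted is decided by the kernel at modprobe time, so a failure there with all modules marked as signed points at the MOK enrollment in steps 2 and 3.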