Sign Kernel Modules


There are three steps involved in signing modules:

  1. create a Machine Owner Key (MOK);
  2. enrol it in the firmware;
  3. sign the modules with it.

The first two steps only need to be done once, the last will need to be redone every time the modules are built.

To create a MOK:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes

replacing My Name with something appropriate. (The following instructions assume you run this as root, in root’s home directory, /root.)

To enroll it:

mokutil --import MOK.der

This will prompt for a password, which is a temporary password used on the next boot only. Reboot your system, and you will enter the UEFI MOK management tool; see this handy guide with screenshots and follow the instructions to enroll your key.

This will reboot again, and you will then be able to check that your key is loaded:

dmesg | grep cert

To sign modules with your key, go to the directory containing the modules, and run

/usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxdrv.ko

replacing “4.19” and vboxdrv.ko as appropriate.
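The answer's three steps as one POSIX shell script, added here as an example; it is not code from the answer, from VirtualBox or from Debian. It wraps the same openssl, mokutil and sign-file invocations in functions, adds a pure-shell check for the 28-byte marker that sign-file appends to a signed module, and skips modules that already carry one so the script can be rerun after every rebuild. The function names, the MOK_DIR/MOK_CN/FORCE variables, the two extra sign-file search paths and the /lib/modules/$(uname -r)/misc directory for the VirtualBox modules are assumptions of this script, not facts stated in the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above or from VirtualBox/Debian:
# the answer's three steps (create a MOK, enrol it, sign the modules) as
# shell functions, plus a pure-shell check for the trailer that sign-file
# appends. Function names, MOK_DIR/MOK_CN/FORCE, the extra sign-file search
# paths and the /lib/modules/.../misc directory are assumptions of this script.

MOK_DIR="${MOK_DIR:-/root}"      # the answer keeps the key in root's home
MOK_CN="${MOK_CN:-My Name}"      # replace with something appropriate, as the answer says
MOK_PRIV="$MOK_DIR/MOK.priv"
MOK_DER="$MOK_DIR/MOK.der"
# sign-file appends the PKCS#7 signature, a 12-byte header and then this marker
# (27 characters plus a newline, 28 bytes); the kernel looks for it at load time.
SIG_MAGIC='~Module signature appended~'

# Step 1, once: create the Machine Owner Key pair (same openssl call as the answer).
create_mok() {
    openssl req -new -x509 -newkey rsa:2048 -keyout "$MOK_PRIV" -outform DER \
        -out "$MOK_DER" -days 36500 -subj "/CN=$MOK_CN/" -nodes || return 1
    chmod 600 "$MOK_PRIV"   # the private half must stay unreadable to other users
}

# Step 2, once: queue the public half for enrolment; mokutil asks for the one-time
# password that MokManager will require after the next reboot.
enrol_mok() {
    mokutil --import "$MOK_DER"
}

# Locate sign-file for the running kernel. The answer's path is
# /usr/lib/linux-kbuild-<major.minor>/scripts/sign-file; the other two are
# common header-package locations (assumption).
find_sign_file() {
    krel=$(uname -r)                 # e.g. 4.19.0-6-amd64
    kver=${krel%%-*}                 # 4.19.0
    kver=${kver%.*}                  # 4.19
    for f in "/usr/lib/linux-kbuild-$kver/scripts/sign-file" \
             "/usr/src/linux-headers-$krel/scripts/sign-file" \
             "/lib/modules/$krel/build/scripts/sign-file"; do
        if [ -x "$f" ]; then echo "$f"; return 0; fi
    done
    echo "sign-file not found for kernel $krel" >&2
    return 1
}

# Does the file already end with the marker sign-file appends? Presence only;
# whether the signature verifies is decided by the kernel when the module loads.
is_signed_module() {
    tail -c 28 "$1" | grep -qF "$SIG_MAGIC"
}

# Step 3, after every rebuild: sign each .ko in a directory with the MOK.
# Files that already carry a trailer are skipped (set FORCE=1 to sign anyway),
# so the script can be rerun safely after vboxconfig rebuilds the modules.
sign_modules_in() {
    dir="$1"
    sf=$(find_sign_file) || return 1
    for ko in "$dir"/*.ko; do
        [ -e "$ko" ] || { echo "no .ko files in $dir" >&2; return 1; }
        if [ "${FORCE:-0}" != 1 ] && is_signed_module "$ko"; then
            echo "already signed, skipping: $ko"
            continue
        fi
        "$sf" sha256 "$MOK_PRIV" "$MOK_DER" "$ko" || return 1
        # modinfo reports the fingerprint of the signing key the kernel will see
        echo "signed: $ko ($(modinfo -F sig_key "$ko" 2>/dev/null))"
    done
}

# Usage, as root, after vboxconfig has built the modules (directory is an assumption):
#   sh sign-modules.sh /lib/modules/$(uname -r)/misc
# then rerun vboxconfig, as suggested in the comments, so its services load them.
# create_mok and enrol_mok are one-time steps; call them by hand the first time.
if [ "$#" -gt 0 ]; then
    [ -f "$MOK_PRIV" ] || { echo "no MOK at $MOK_PRIV; run create_mok and enrol_mok first" >&2; exit 1; }
    sign_modules_in "$1"
fi
```

The trailer check is what makes rerunning harmless: a module that vboxconfig has just rebuilt is a fresh, unsigned file and gets signed, while one that was signed on a previous run is left alone. When a module still refuses to load after signing, `dmesg` (as the error message says) and `modinfo -F sig_key` on the file show whether the kernel rejected the signature or the file never had one.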

Author: printf

Updated on September 18, 2022

Comments

  • printf
    printf over 1 year

    So I am on a Debian Buster 10 system and I installed VirtualBox and I encountered an error which tells me to load some kernel modules manually.

    sudo ./vboxconfig 
    [sudo] password for user:
    vboxdrv.sh: Stopping VirtualBox services.
    vboxdrv.sh: Starting VirtualBox services.
    vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
     vboxdrv vboxnetflt vboxnetadp
    See the documenatation for your Linux distribution..
    vboxdrv.sh: Building VirtualBox kernel modules
    

    So I just need some help to load the vboxdrv, vboxnetflt and vboxnetadp kernel modules to complete my VirtualBox installation and I am not too sure how this is done. I am using a UEFI system which has Secure Boot enabled.

  • Stephen Kitt
    Stephen Kitt over 4 years
    You only need to enrol your key once, but you need to sign your modules whenever they change: when a new kernel is installed, or when a new version of VirtualBox is installed.
  • printf
    printf over 4 years
    I have enrolled the keys successfully and I have also signed the modules with the keys and followed your steps, but it still does not allow me to start VirtualBox. I only got it to start when I manually loaded the kernel modules with insmod *.ko. Any ideas why?
  • Stephen Kitt
    Stephen Kitt over 4 years
    Did you run vboxconfig after signing the modules?
  • printf
    printf over 4 years
    Ah no I did not I'll try that
  • printf
    printf over 4 years
    I just did all the steps and then ran /sbin/vboxconfig and it gives me the error of debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable and vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why. as well as the usual errors to sign the modules when I already have; it only allowed me to start VirtualBox successfully when I manually loaded the modules myself with insmod *.ko. I may just have to set a cron task to execute this command every time I start my system. What are your thoughts?
  • Stephen Kitt
    Stephen Kitt over 4 years
    There should be a service which sets everything up for you correctly; that’s what vboxconfig runs when it prints “Starting VirtualBox services.” If you look in /etc/init.d there should be something VirtualBox-related...
  • printf
    printf over 4 years
    I just looked in /etc/init.d and there is no VirtualBox-related file there for some reason.
  • Shawn Eary
    Shawn Eary about 2 years
    How do you use compile time signing with stripping? kernel.org/doc/html/v4.15/admin-guide/module-signing.html
  • Stephen Kitt
    Stephen Kitt about 2 years
    @Shawn have you tried stripping before signing?