To load the VirtualBox driver when Secure Boot is enabled, it needs to be signed. The basic idea is to create a mock-up CA and use it to sign the compiled modules.
Driver signing needs to be automated; otherwise it has to be redone each time we install a new kernel. While this can be achieved in many ways, I opted to patch the installer script, as it requires the least amount of extra things.
- Linux system with Secure Boot enabled. I tested with Fedora; it should work on all RPM-based systems. (Debian should also work; the kernel headers path needs to be altered, IIRC.)
- Upstream VirtualBox 5.2 installation; versions from RPM Fusion do not work
- `git clone https://github.com/helge000/virtualbox-drv.git` this repository

1. Generate a pair of MOK certificates to sign the driver:

   ```
   openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox MOK cert/"
   ```
2. Copy `MOK.priv` and `MOK.der` to a static location, e.g. `/etc/drv-sign`, and modify `$BASEDIR` in `./vboxdrv.patch` accordingly
3. Run `mokutil --import MOK.der`, enter an arbitrary password
4. Reboot your computer and complete the cert enrolment (remember the password from step 3)
5. To sign new drivers, patch the install script to have it sign the modules in the `setup` part:

   ```
   sudo patch /usr/lib/virtualbox/vboxdrv.sh ./vboxdrv.patch
   ```
6. Rerun setup: `/usr/lib/virtualbox/vboxdrv.sh setup` and note the output about signed modules
7. Run `./install_extpack.sh` to download and install the extension pack for your VirtualBox version (requires vboxdrv actually loaded)
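A check for the result of the procedure above, added here as an example and not part of this repository: it confirms that each built `vbox*.ko` carries an appended signature and that `MOK.priv`, which `-nodes` writes unencrypted, is not readable by group or other. The function names are hypothetical, and the marker test assumes uncompressed `.ko` files.

```shell
#!/bin/sh
# Added example: post-setup checks for the module signing procedure.
# Function names are hypothetical; paths are passed in by the caller.

# The kernel's signing tool appends this line after the signature data.
MODSIG_MARKER='~Module signature appended~'

# True if the file ends with the module-signature marker (27 chars + newline).
# Works on uncompressed .ko files only.
is_signed_module() {
    [ -f "$1" ] || return 1
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$MODSIG_MARKER" ]
}

# True if the key file grants no permission bits to group or other.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check every vbox*.ko in directory $1 and the private key $2.
# Prints one line per finding; the return value is the number of problems.
check_signing() {
    moddir=$1 key=$2 problems=0
    for mod in "$moddir"/vbox*.ko; do
        if [ ! -e "$mod" ]; then
            echo "no vbox modules found in $moddir"
            problems=$((problems + 1))
            break
        fi
        if is_signed_module "$mod"; then
            echo "signed:   $mod"
        else
            echo "UNSIGNED: $mod"
            problems=$((problems + 1))
        fi
    done
    if ! key_is_private "$key"; then
        echo "key $key is missing or accessible to group/other (use chmod 600)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run the checks only when called with <module-dir> <private-key>.
if [ "$#" -eq 2 ]; then check_signing "$1" "$2"; fi
```

Call it with the directory the modules were installed to and the key path, for example `/lib/modules/$(uname -r)/misc` (an assumption about where the setup script puts them) and `/etc/drv-sign/MOK.priv`. On the installed system, `modinfo -F signer vboxdrv` additionally shows which certificate signed a module.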