Do not run VirtualBox setup under enabled Secure Boot to avoid errors…

… and startup delays The VirtualBox package from upstream isn't signed for usage with Secure Boot with the Debian kernel. When booting with Secure Boot enabled, then upstream's vboxdrv.service with its vboxdrv.sh executes all kind of Secure Boot related magic like: | /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --new-key This fails and causes a noticeable delay during bootup. Therefore skip execution of VirtualBox setup within our config_virtualbox_setup() when detecting enabled Secure Boot mode, at least until we've a better solution for this. While doing so, move detection of enabled Secure Boot mode into a helper function to avoid DRY code. Thanks: Ralf Moll for the bugreport
grml · Sep 15, 2020 · 14203cc · 14203cc
1 parent 8b19d85
commit 14203cc
Showing 1 changed file with 29 additions and 13 deletions.
diff --git a/autoconfig.functions b/autoconfig.functions
@@ -543,7 +543,8 @@ config_kernel(){
 # }}}
 
 # {{{ secure boot
-config_secureboot(){
+# helper function to check whether we're running under (enabled) Secure Boot
+running_under_secureboot() {
   # systemd does this for us, but if we are not running under systemd then mokutil
   # doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
   # /sys/firmware/efi/vars would exist)
@@ -556,20 +557,28 @@ config_secureboot(){
   if [ -x /usr/bin/mokutil ] ; then
     local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
     if [ -n "$secstate" ] ; then
-      einfo "SecureBoot is enabled" ; eend 0
+      return 0
     else
-      einfo "SecureBoot not detected" ; eend 0
+      return 1
     fi
   else
     if modprobe efivars &>/dev/null ; then
       if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
-        einfo "SecureBoot is enabled" ; eend 0
+        return 0
       else
-        einfo "SecureBoot not detected" ; eend 0
+        return 1
       fi
     fi
   fi
 }
+
+config_secureboot(){
+  if running_under_secureboot ; then
+      einfo "SecureBoot is enabled" ; eend 0
+  else
+      einfo "SecureBoot not detected" ; eend 0
+  fi
+}
 # }}}
 
 # {{{ timezone
@@ -1950,16 +1959,23 @@ config_virtualbox_setup() {
     return
   fi
 
-  if [ -x /usr/bin/VBox ] ; then
-    einfo "VirtualBox service detected, trying to set up."
-    service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $?
-
-    config_userfstab
+  if ! [ -x /usr/bin/VBox ] ; then
+    return
+  fi
 
-    einfo "Adding user ${fstabuser:-grml} to group vboxusers."
-    adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1
-    eend $?
+  if running_under_secureboot ; then
+    ewarn "VirtualBox service can not be started as running under enabled Secure Boot." ; eend 0
+    return
   fi
+
+  einfo "VirtualBox service detected, trying to set up."
+  service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $?
+
+  config_userfstab
+
+  einfo "Adding user ${fstabuser:-grml} to group vboxusers."
+  adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1
+  eend $?
 }
 # }}}