To load the virtual box driver when secure boot enabled, we need it to be signed. The basic idea is to create a mock up CA and use it to sign the compiled modules; or this version.
The driver sign needs to be automated, otherwise it has to be redone each time we install a new kernel. While this can be archived with may options, I opted to patch the installer script as it requires the least amount of extra things.
- Linux system with secure boot enabled. I tested with Fedora; it should work on all rpm based systems. (Debian should also work, kernel headers path needs to be altered IIRC).
- Upstream Virtual Box 5.2 installation; versions from RPM Fusion do not work
git clone https://github.com/helge000/virtualbox-drv.gitthis repository- Generate a pair of mok certificates to sign the driver:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox MOK cert/"- Copy
MOK.privandMOK.derto a static location; eg/etc/drv-signand modify$BASEDIRin./vboxdrv.patchaccordingly - Run
mokutil --import MOK.der, enter arbitrary password - Reboot your computer and complete the cert enrolment (remember the password from step 3)
- To sign new drivers, patch the install script to have it sign the modules in the
setuppart:
sudo patch /usr/lib/virtualbox/vboxdrv.sh ./vboxdrv.patch- Rerun setup:
/usr/lib/virtualbox/vboxdrv.sh setupand note the output about signed modules
- Run
./install_extpack.shto download and install the extension pack for your VirtualBox version (requires vboxdrv actually loaded)