Hello,
I did a test installation of virtualbox-7.0 (from Oracle repositories) in a Secure Boot installation of Debian Bookworm (12.4); I used the following command after configuring the virtualbox repository and installing its certificate:
Code:
# apt install virtualbox-7.0
The previous command terminated with the following message:
Code:
[..]
Adding group «vboxusers» (GID 140) ...
Done.
vboxdrv.sh: failed: System is running in Secure Boot mode, however your distribution
does not provide tools for automatic generation of keys needed for
modules signing. Please consider to generate and enroll them manually:
    sudo mkdir -p /var/lib/shim-signed/mok
    sudo openssl req -nodes -new -x509 -newkey rsa:2048 -outform DER -addext "extendedKeyUsage=codeSigning" -keyout /var/lib/shim-signed/mok/MOK.priv -out /var/lib/shim-signed/mok/MOK.der
    sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
    sudo reboot
Restart "rcvboxdrv setup" after system is rebooted.
There were problems setting up VirtualBox. To re-start the set-up process, run
  /sbin/vboxconfig
as root. If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.
Therefore, I gave the following commands (as root):
Code:
# mkdir -p /var/lib/shim-signed/mok
# openssl req -nodes -new -x509 -newkey rsa:2048 -outform DER -addext "extendedKeyUsage=codeSigning" -keyout /var/lib/shim-signed/mok/MOK.priv -out /var/lib/shim-signed/mok/MOK.der
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XXXXX
Locality Name (eg, city) []:XXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
# mokutil --import /var/lib/shim-signed/mok/MOK.der
input password:
input password again:
I then restarted the computer.
At the next firmware reboot, the UEFI firmware recognised the MOK (Machine Owner Key) and asked to confirm its enrollment by asking for its password.
When Debian had finished rebooting, I entered the following command (as root):
Code:
# rcvboxdrv setup
with the following output:
Code:
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: Signing VirtualBox kernel modules.
Then, I checked that the signed vboxdrv kernel module was loaded by the kernel (and it was):
Code:
# lsmod | grep vbox
vboxnetadp             28672  0
vboxnetflt             32768  0
vboxdrv               602112  2 vboxnetadp,vboxnetflt
These are the details of the signed module:
Code:
# modinfo vboxdrv
filename:       /lib/modules/6.1.0-17-amd64/misc/vboxdrv.ko
version:        7.0.14 r161095 (0x00330004)
license:        GPL
description:    Oracle VM VirtualBox Support Driver
author:         Oracle and/or its affiliates
srcversion:     152A8CB5D422DE621E72BD6
depends:
retpoline:      Y
name:           vboxdrv
vermagic:       6.1.0-17-amd64 SMP preempt mod_unload modversions
sig_id:         PKCS#7
signer:         Internet Widgits Pty Ltd
sig_key:        16:30:C0:46:0D:66:A9:6B:F2:B9:CE:BA:85:B1:B6:97:AF:6F:A1:78
sig_hashalgo:   sha256
parm:           force_async_tsc:force the asynchronous TSC mode (int)
So it would seem that everything is ok.
Hope this helps.
Statistics: Posted by Aki — 2024-01-29 20:54
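
The verification steps in the post above can be tightened into one check that the module was signed with the MOK that was actually enrolled. This is an added example, not part of the original post; it assumes that modinfo's sig_key is the signing certificate's serial number, and `norm_hex`, `same_key` and `check_module` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the post): does a module's signature match the MOK?
# Assumption: for PKCS#7 signatures, modinfo's sig_key is the signing
# certificate's serial number (consistent with the 20-byte value in the post).

MOK_DER=/var/lib/shim-signed/mok/MOK.der    # paths used in the post
MOK_PRIV=/var/lib/shim-signed/mok/MOK.priv

# Normalise "16:30:C0..." (modinfo) or "serial=1630C0..." (openssl) to bare
# upper-case hex without leading zeros, so both formats compare equal.
norm_hex() {
    printf '%s' "$1" | sed -e 's/^serial=//' | tr -d ': \n' |
        tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# same_key <modinfo sig_key> <openssl -serial output>: status 0 on a match.
# An empty value never matches, so an unsigned module is not reported as OK.
same_key() {
    [ -n "$(norm_hex "$1")" ] && [ "$(norm_hex "$1")" = "$(norm_hex "$2")" ]
}

# check_module <name>: live checks, to be run as root on the installed system.
check_module() {
    mod_key=$(modinfo -F sig_key "$1") || return 2
    mok_serial=$(openssl x509 -inform DER -in "$MOK_DER" -noout -serial) || return 2
    mokutil --sb-state                # is Secure Boot enabled?
    mokutil --test-key "$MOK_DER"     # prints whether the key is already enrolled
    if same_key "$mod_key" "$mok_serial"; then
        echo "$1: sig_key matches $MOK_DER"
    else
        echo "$1: sig_key does not match $MOK_DER" >&2
        return 1
    fi
    # The openssl command in the post used -nodes, so MOK.priv is stored
    # unencrypted and should be readable by root only.
    perms=$(stat -c '%a %U' "$MOK_PRIV")
    case "$perms" in
        "600 root"|"400 root") ;;
        *) echo "tighten permissions on $MOK_PRIV (now: $perms)" >&2; return 1 ;;
    esac
}

# Run the live checks only when a module name is given, e.g.: sh check.sh vboxdrv
if [ $# -gt 0 ]; then
    check_module "$1"
fi
```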