Enrolling MOK certificate with dkms and virtualbox-dkms (Virtualbox with secure boot enabled)





















As many others, I need to run a Windows instance from Virtualbox, don't want to disable Secure Boot, and therefore have problems in making Virtualbox work after kernel updates.



I have already run through the necessary steps, but something must have gone wrong. At present, Virtualbox runs if I disable secure boot, but freezes the whole system as soon as I try to run a VM (which at the moment is in an interrupted state) when secure boot is enabled.



I checked the following:



  • I have generated a certificate (with -subj "/CN=MyName/"). A MOK.der is there, and I enrolled it (mokutil --list-enrolled shows it with another from Canonical). In fact if I try another mokutil -n import MOK.der, I get the output SKIP: MOK.der is already enrolled


  • I am able to sign virtualbox modules by this script:



    #!/bin/bash
    # Sign every VirtualBox module in the directory that holds vboxdrv
    for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/vbox*.ko; do
        echo "Signing $modfile"
        /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
            /root/module-signing/MOK.priv \
            /root/module-signing/MOK.der "$modfile"
    done



  • ... and I can check that they are all signed:



    $ grep "MyName" $(dirname $(modinfo -n vboxdrv))/vbox*.ko 
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxdrv.ko corrisponde
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxnetadp.ko corrisponde
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxnetflt.ko corrisponde
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxpci.ko corrisponde


  • In fact I can load the modules from command line, with no error messages:
    $ for modfile in $(dirname $(modinfo -n vboxdrv))/vbox*.ko; do modprobe $(basename -s .ko $modfile); done


  • Nevertheless, I can't find my certificate among those known at BIOS level: None of mokutil --pk , mokutil --kek, mokutil --db, includes "MyName" in the output (but some of them include "Canonical")


So, the questions:



  • Where is the enrolled MOK stored if not in the PK, DB, or KEK? (in fact the modules can be loaded). Which name should I search for in my BIOS utility?

  • What is the shim?

  • I have dkms package installed, and only recently installed also virtualbox-dkms. Are these packages needed or not? In which sequence should I install them? before or after the above procedure? Or should they rather do the whole of it, instead of leaving it to be done by me manually?

  • Should I rather try uninstalling virtualbox, dkms, virtualbox-dkms (etc?) and redo the procedure from scratch?


  • What of the above remains applicable for the rest of the modules in the /lib/modules/4.13.0-37-generic/updates/dkms directory (namely bbswitch and nvidia*)? In fact, from the System Settings menu, under System/Software & Updates I see that the Nvidia 384.111 proprietary driver is being used, but then I can neither see it by lsmod | grep nvidia nor modprobe it:



    $ modprobe nvidia_384
    modprobe: ERROR: could not insert 'nvidia_384': Required key not available


Is the situation inconsistent? Where to start from to fix it?



Thanks

































  • btw, I now discovered that sbin/vboxconfig makes modules and saves them in /var/lib/dkms/, while all instructions and code snippets will do the signing in /lib/modules/4.13.0-37-generic/updates/dkms/, and the two are not symlinked... Am I signing the right modules?
    – lurix66
    Mar 19 at 16:33











  • ... and..., what should I check about consistency of version of packages, as I have virtualbox-5.2, dkms, virtualbox-dkms, etc? How to get back to a fresh install?
    – lurix66
    Mar 19 at 16:36






















virtualbox secure-boot dkms














edited Mar 19 at 15:45

























asked Mar 19 at 15:29









lurix66
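Added example, not part of the original post: grepping a `.ko` for the certificate CN only shows that the string occurs somewhere in the file, whereas a signed module ends with a fixed signature trailer. The script below checks for that trailer per file, so the copy under `/lib/modules/.../updates/dkms` can be compared with a build copy elsewhere; the function names and the sample files built by `make_sample` are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post). A signed module ends with a
# 12-byte struct module_signature followed by this 28-byte magic string.
MAGIC='~Module signature appended~'    # plus a trailing "\n" in the file

# Succeeds if the file carries the appended-signature trailer.
has_sig_trailer() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$MAGIC" ]
}

# Prints the signature length: big-endian u32, last field of the struct.
sig_len() {
    has_sig_trailer "$1" || return 1
    set -- $(tail -c 32 "$1" | head -c 4 | od -An -tu1)
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Lists every *.ko below a directory with its status.
report_dir() {
    find "$1" -name '*.ko' | sort | while read -r f; do
        if has_sig_trailer "$f"; then
            echo "signed   siglen=$(sig_len "$f") $f"
        else
            echo "UNSIGNED $f"
        fi
    done
}

# Number of modules below a directory that lack the trailer.
count_unsigned() {
    report_dir "$1" | grep -c '^UNSIGNED' || true
}

# Constructed sample: fake "modules" standing in for a build copy and an
# installed copy of the same module, plus one module that was never signed.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/build" "$d/installed"
    printf 'FAKE-ELF' > "$d/build/vboxdrv.ko"          # build copy, unsigned
    {   printf 'FAKE-ELF'
        head -c 256 /dev/zero                           # placeholder signature
        printf '\000\000\002\000\000\000\000\000\000\000\001\000'  # sig_len=256
        printf '~Module signature appended~\n'
    } > "$d/installed/vboxdrv.ko"
    printf 'FAKE-ELF' > "$d/installed/nvidia_384.ko"   # never signed
    echo "$d"
}

# Usage: script.sh /lib/modules/$(uname -r)/updates/dkms
if [ $# -gt 0 ]; then report_dir "$1"; fi
```

The trailer check only shows that a signature is attached; whether the kernel accepts it still depends on the signing key being one it trusts.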



























