Enrolling MOK certificate with dkms and virtualbox-dkms (Virtualbox with secure boot enabled)

Like many others, I need to run a Windows instance from Virtualbox, don't want to disable Secure Boot, and therefore have problems making Virtualbox work after kernel updates.



I have already run through the necessary steps, but something must have gone wrong. At present, Virtualbox runs if I disable secure boot, but freezes the whole system as soon as I try to run a VM (which at the moment is in an interrupted state) when secure boot is enabled.



I checked the following:



  • I have generated a certificate (with -subj "/CN=MyName/"). A MOK.der is there, and I enrolled it (mokutil --list-enrolled shows it with another from Canonical). In fact if I try another mokutil -n import MOK.der, I get the output SKIP: MOK.der is already enrolled


  • I am able to sign virtualbox modules by this script:



    #!/bin/bash
    # Sign every VirtualBox module built for the running kernel with the MOK key pair
    for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/vbox*.ko; do
        echo "Signing $modfile"
        "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
            /root/module-signing/MOK.priv \
            /root/module-signing/MOK.der "$modfile"
    done



  • ... and I can check that they are all signed:



    $ grep "MyName" $(dirname $(modinfo -n vboxdrv))/vbox*.ko 
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxdrv.ko corrisponde
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxnetadp.ko corrisponde
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxnetflt.ko corrisponde
    Il file binario /lib/modules/4.13.0-37-generic/updates/dkms/vboxpci.ko corrisponde


  • In fact I can load the modules from command line, with no error messages:
    $ for modfile in $(dirname $(modinfo -n vboxdrv))/vbox*.ko; do modprobe $(basename -s .ko $modfile); done


  • Nevertheless, I can't find my certificate among those known at BIOS level: none of mokutil --pk, mokutil --kek, mokutil --db includes "MyName" in the output (but some of them include "Canonical")


So, the questions:



  • Where is the enrolled MOK stored if not in the PK, DB, or KEK? (in fact the modules can be loaded). Which name should I search for in my BIOS utility?

  • What is the shim?

  • I have dkms package installed, and only recently installed also virtualbox-dkms. Are these packages needed or not? In which sequence should I install them? before or after the above procedure? Or should they rather do the whole of it, instead of leaving it to be done by me manually?

  • Should I rather try uninstalling virtualbox, dkms, virtualbox-dkms (etc?) and redo the procedure from scratch?


  • What of the above remains applicable for the rest of the modules in the /lib/modules/4.13.0-37-generic/updates/dkms directory (namely bbswitch and nvidia*)? In fact, from the System Settings menu, under System/Software & Updates I see that the Nvidia 384.111 proprietary driver is being used, but then I can neither see it by lsmod | grep nvidia nor modprobe it:



    $ modprobe nvidia_384
    modprobe: ERROR: could not insert 'nvidia_384': Required key not available


Is the situation inconsistent? Where to start from to fix it?



Thanks










  • btw, I now discovered that sbin/vboxconfig makes modules and saves them in /var/lib/dkms/, while all instructions and code snippets will do the signing in /lib/modules/4.13.0-37-generic/updates/dkms/, and the two are not symlinked... Am I signing the right modules?
    – lurix66
    Mar 19 at 16:33











  • ... and..., what should I check about consistency of version of packages, as I have virtualbox-5.2, dkms, virtualbox-dkms, etc? How to get back to a fresh install?
    – lurix66
    Mar 19 at 16:36















virtualbox secure-boot dkms






edited Mar 19 at 15:45

























asked Mar 19 at 15:29









lurix66
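
Added example, not part of the original question: the post checks for a signature by grepping for the certificate's CN; the script below instead parses the trailer that scripts/sign-file appends to a module (PKCS#7 blob, 12-byte struct module_signature, 28-byte magic string) and audits a directory of .ko files. The function names and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Checks the trailer appended by
# scripts/sign-file:
#   <module> <PKCS#7 blob> <12-byte struct module_signature> <28-byte magic>
MAGIC='~Module signature appended~'   # followed by "\n" in the file

# Print the signature length in bytes if FILE has a well-formed trailer;
# return 1 if it is unsigned or the trailer is inconsistent.
module_sig_len() {
    local f=$1 size sig_len
    size=$(wc -c < "$f") || return 2
    [ "$size" -gt 40 ] || return 1
    # $(...) strips the trailing newline of the magic string
    [ "$(tail -c 28 "$f" | tr -d '\000')" = "$MAGIC" ] || return 1
    # Descriptor bytes as decimals: $3 = id_type, $9..$12 = sig_len (big-endian)
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -v -tu1)
    [ "$#" -eq 12 ] || return 1
    [ "$3" -eq 2 ] || return 1        # 2 = PKCS#7, which sign-file emits
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    [ "$sig_len" -gt 0 ] || return 1
    [ $((sig_len + 40)) -lt "$size" ] || return 1
    echo "$sig_len"
}

# Report every .ko under DIR; return 1 if any module is unsigned.
audit_dir() {
    local ko len rc=0
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue
        if len=$(module_sig_len "$ko"); then
            echo "signed ($len-byte signature): $ko"
        else
            echo "UNSIGNED: $ko"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (placeholders, not real kernel modules).
make_samples() {
    local d=$1
    # body + 7-byte fake signature + descriptor (id_type=2, sig_len=7) + magic
    { printf 'FAKE-ELF-BODY'; printf 'SIGBLOB'
      printf '\000\000\002\000\000\000\000\000\000\000\000\007'
      printf '%s\n' "$MAGIC"; } > "$d/signed.ko"
    # Contains the signer's name as plain text but carries no trailer
    printf 'FAKE-ELF-BODY containing the string MyName but no signature trailer' \
        > "$d/unsigned.ko"
}

# On a real system: audit_dir "/lib/modules/$(uname -r)/updates/dkms"
```

A well-formed trailer only shows that a signature was appended; whether the kernel accepts it still depends on the signing certificate being in a keyring the kernel trusts.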
