[Solved] Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

yesh
Posts: 5
Joined: 2021-07-22 03:04


#1 Post by yesh »

The most recent Debian 10.10 update has killed Virtualbox kernel modules working/signed, using MOK keys. I guess it's due to fixes outlined here:
GRUB2 UEFI SecureBoot vulnerabilities - 2021
https://www.debian.org/security/2021-GR ... ecureBoot/

I have been able to sign the vbox modules, after each kernel update since installation (Debian 10.5). I use the keys originally generated at:
/root/MOK.priv
/root/MOK.der

After a kernel upgrade, the following one-liner would fix vbox modules, no problem:
(Updating to latest kernel)

Code:

cd /usr/lib/modules/4.19.0-17-amd64/misc/ && /usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxnetadp.ko && /usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxnetflt.ko && /usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxdrv.ko

Then Reboot.


But since the Debian 10.10 update, after re-signing modules and rebooting, I now get the following error dialog popup when attempting to launch a Virtualbox VM:

VirtualBox - Error in suplibOsInit

Kernel driver not installed (rc=-1908)

The VirtualBox Linux kernel driver is either not loaded or not set up correctly. Please try setting it up again by executing

'/sbin/vboxconfig'

as root.

If your system has EFI Secure Boot enabled you may also need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them. Please see your Linux system's documentation for more information.

where: suplibOsInit what: 3 VERR_VM_DRIVER_NOT_INSTALLED (-1908) - The support driver is not installed. On linux, open returned ENOENT.



I also tried Qemu/KVM using libvirt and virt-manager, after converting VMs to .qcow2 format, but had way too many issues to even boot the VMs.
I have some Windows VMs that I need to use, and they used to work great in Virtualbox, so would like to get them working again if possible.

What is preventing vbox modules now working with secure boot?
Any ideas, approaches, to help resolve?
Last edited by yesh on 2021-09-05 01:56, edited 1 time in total.
Debian 11 Bullseye Xfce - HP Notebook 15 BS143TU Intel® Core™ i5-8250U, 8GB DDR4 2400Mhz, Intel® UHD Graphics 620, 1366x768 15.6", 1 TB SATA

p.H
Posts: 1969
Joined: 2017-09-17 07:12
Been thanked: 9 times

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#2 Post by p.H »

The main suspect is the shim update introduced in point release 10.10.
Maybe this is the same bug as #990311.

yesh
Posts: 5
Joined: 2021-07-22 03:04

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#3 Post by yesh »

I prefer not to downgrade "shim*" packages, as described in that link.
I would like to understand the problem, and resolve it permanently, without excluding the security updates.
Am I the only one using Virtualbox on Debian with secure boot?

invaderzim
Posts: 2
Joined: 2021-08-04 00:20

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#4 Post by invaderzim »

Hi.

I'm running Debian 10.10 with Virtualbox 6.1.26 r145957 and secure boot installed with kernel Debian 5.10.24-1~bpo10+1 as host in a Dell Laptop.

I get Virtualbox upgrades using apt (/etc/apt/sources.list.d/virtualbox.list):

Code:

deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian/ buster contrib

Also I have installed:

Code:

shim-signed:amd64                                 1.36~1+deb10u2+15.4-5~deb10u1

The main issue is to sign the modules to get this done. I would recommend:

1) Use the kernel from buster-updates

2) Remove the kernels that you are not using to avoid signing for another kernel.

3) Edit the /usr/lib/virtualbox/vboxdrv.sh file. Here is a diff of the changes:

Code:

< DEB_PUB_KEY=/var/lib/shim-signed/mok/MOK.der
< DEB_PRIV_KEY=/var/lib/shim-signed/mok/MOK.priv
---
> DEB_PUB_KEY=/root/secureboot/MOK.der
> DEB_PRIV_KEY=/root/secureboot/MOK.priv
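
Review bot: the new `DEB_PUB_KEY` and `DEB_PRIV_KEY` values point at /root/secureboot/, which is specific to the poster's machine, and this hunk carries no line-range header, so it cannot be applied as is. Set both variables to wherever the enrolled key pair actually lives (post #1 keeps it at /root/MOK.der and /root/MOK.priv) and keep the private key readable by root only. Because /usr/lib/virtualbox/vboxdrv.sh is installed from the VirtualBox apt repository, expect a package upgrade to replace the edited file.
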
584,586c584,589
<             kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv \
<                 /var/lib/shim-signed/mok/MOK.der \
<                 /lib/modules/"$KERN_VER"/misc/"$i".ko
---
>     #        kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv \
>     #            /var/lib/shim-signed/mok/MOK.der \
>     #            /lib/modules/"$KERN_VER"/misc/"$i".ko
>              /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /root/secureboot/MOK.priv \
>                  /root/secureboot/MOK.der \
>                  /lib/modules/"$KERN_VER"/misc/"$i".ko
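
Review bot: in the added `sign-file` call the tool path is built from `$(uname -r)` while the module path uses `"$KERN_VER"`, so the two can name different kernels when modules are set up for a kernel other than the running one; `/usr/src/linux-headers-"$KERN_VER"/scripts/sign-file` would keep them consistent. The call also repeats the literal /root/secureboot paths instead of `"$DEB_PRIV_KEY"` and `"$DEB_PUB_KEY"` set earlier in the file, and it changes the digest from sha512 to sha256 without a stated reason.
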
4) Run "/usr/lib/virtualbox/vboxdrv.sh setup" as root. NOT /sbin/vboxconfig. Also be sure to include the parameter.

5) Once it is done, check if the modules are loaded.

6) If not, check also that you have the right headers installed:

Code:

ii  linux-headers-5.10.0-0.bpo.5-amd64                5.10.24-1~bpo10+1                            amd64        Header files for Linux 5.10.0-0.bpo.5-amd64
ii  linux-headers-5.10.0-0.bpo.5-common               5.10.24-1~bpo10+1                            all          Common header files for Linux 5.10.0-0.bpo.5
ii  linux-image-5.10.0-0.bpo.5-amd64                  5.10.24-1~bpo10+1                            amd64        Linux 5.10 for 64-bit PCs (signed)
ii  linux-kbuild-5.10                                 5.10.46-2~bpo10+1                            amd64        Kbuild infrastructure for Linux 5.10

7) Installing the extpack can be done in command line:

Code:

# VBoxManage extpack install --replace /home/user/.config/VirtualBox/Oracle_VM_VirtualBox_Extension_Pack-6.1.26.vbox-extpack

I'm guessing that the problem could be with the kernel 4.19 that comes by Debian 10.10.

Hope this helps.
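
Added example, not part of the post above or of VirtualBox: a script for the signing step and step 5 that reports whether each module named in this thread carries an appended signature and, when mokutil is installed, prints the Secure Boot state and whether the certificate is enrolled. The /lib/modules/<version>/misc location and the /root/MOK.der default are taken from the posts above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults: modules under
# /lib/modules/<ver>/misc and the certificate at /root/MOK.der, as in post #1.

MAGIC='~Module signature appended~'   # trailer written by sign-file, followed by "\n"

# has_appended_sig FILE: succeed if FILE ends with the 28-byte signature trailer.
# Presence only; it does not prove the kernel trusts the signing key.
has_appended_sig() {
    [ -f "$1" ] || return 2
    # $(...) strips the trailing newline; tr drops NULs from unsigned binaries.
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$MAGIC" ]
}

# count_unsigned DIR: status line per module on stderr, then the number of
# modules that are missing or unsigned on stdout.
count_unsigned() {
    bad=0
    for m in vboxdrv vboxnetflt vboxnetadp; do
        if has_appended_sig "$1/$m.ko"; then
            echo "signed: $m" >&2
        else
            echo "unsigned or missing: $m" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# report KERNEL_VERSION [CERT.der]: full check for one installed kernel.
report() {
    dir=/lib/modules/$1/misc
    der=${2:-/root/MOK.der}
    n=$(count_unsigned "$dir")
    if command -v modinfo >/dev/null 2>&1 && [ -f "$dir/vboxdrv.ko" ]; then
        echo "vboxdrv signer: $(modinfo -F signer "$dir/vboxdrv.ko")" >&2
    fi
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state >&2 || true           # Secure Boot enabled or not
        mokutil --test-key "$der" >&2 || true    # prints whether the cert is enrolled
    fi
    [ "$n" -eq 0 ]
}

# Run only when a kernel version is given, e.g.: sh check.sh "$(uname -r)"
[ $# -eq 0 ] || report "$@"
```

A module can be signed and still be refused if the signing certificate is not the one enrolled, so read the signer line together with the mokutil output.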

yesh
Posts: 5
Joined: 2021-07-22 03:04

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#5 Post by yesh »

Thanks for your help. I followed all your post except for upgrading headers to 5.10 - didn't quite understand what you meant by "Use the kernel from buster-updates".
I have tried a few things, and experienced problems booting into xfce desktop, so am a bit apprehensive with big upgrade on kernel.
Next week Debian 11 Bullseye gets released, I will likely upgrade (or clean install) then, and attack it again...

invaderzim
Posts: 2
Joined: 2021-08-04 00:20

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#6 Post by invaderzim »

Hi again.

Sorry. I mean buster backports. There you can obtain a newer kernel than the venerable 4.19 that maybe is good for servers but too old for a desktop in my opinion.

My suggestion depends on how open you are to getting packages different from the absolute stable repository. On my desktop I use:

1) Edit /etc/apt/sources.list

deb http://deb.debian.org/debian/ buster main non-free contrib
deb http://security.debian.org/debian-security/ buster/updates main non-free contrib
deb http://deb.debian.org/debian/ buster-updates main non-free contrib
deb http://deb.debian.org/debian/ buster-backports main non-free contrib
deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian/ buster contrib

2) # apt update

3) # apt -t buster-backports install linux-image-5.10.0-0.bpo.5-amd64 linux-headers-5.10.0-0.bpo.5-amd64

4) # apt install virtualbox-6.1

Then, apply the previous recipe that I mentioned.

Regards

Zim

yesh
Posts: 5
Joined: 2021-07-22 03:04

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#7 Post by yesh »

Thanks again Zim, makes more sense this time.
I am still inclined to wait another week, in case I blow my install. Really want to go to Debian 11, as I have not used Debian for a full cycle yet. Only started with pure Debian (10.5) last year, after having used Ubuntu/Mint for over 13 years. Funny, I have had less problems with Debian, than with those other so-called "polished" "user-friendly" systems. This Virtualbox secure boot issue, is really the first problem that has proved a difficulty.
I guess there will be a Virtualbox repository available for Bullseye.
Anyway, I will update here after it's done.

killy9999
Posts: 6
Joined: 2019-07-22 14:41

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#8 Post by killy9999 »

yesh wrote: 2021-07-29 04:05
Am I the only one using Virtualbox on Debian with secure boot?

You're not alone. Same problem. I'm using 5.7 kernel from buster-backports and the same thing happens. (Yes, I know there are newer kernels in backports.) Annoyingly, in addition to VirtualBox not working, after each reboot a perl script runs in an attempt to update Secure Boot configuration resulting in 40% CPU usage on one of the cores.

yesh
Posts: 5
Joined: 2021-07-22 03:04

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#9 Post by yesh »

Got it working fine on Bullseye, using Fast Track repository - new instructions here:
https://wiki.debian.org/VirtualBox#Debi ... ullseye.22