Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

Kernels, Network, and Services configuration
Post Reply
Message
Author
yesh
Posts: 1
Joined: 2021-07-22 03:04

Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#1 Post by yesh »

The most recent Debian 10.10 update has killed Virtualbox kernel modules working/signed, using MOK keys. I guess its due to fixes outlined here:
GRUB2 UEFI SecureBoot vulnerabilities - 2021
https://www.debian.org/security/2021-GR ... ecureBoot/

I have been able to sign the vbox modules, after each kernel update since installation (Debian 10.5). I use the keys originally generated at:
/root/MOK.priv
/root/MOK.der

After a kernel upgrade, the following one-liner would fix vbox modules, no problem:
(Updating to latest kernel)

Code: Select all

cd /usr/lib/modules/4.19.0-17-amd64/misc/ && /usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxnetadp.ko && /usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxnetflt.ko && /usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxdrv.ko
Then Reboot.


But since the Debian 10.10 update, after re-signing modules and rebooting, I now get the following error dialog popup when attempting to launch a Virtualbox VM:

VirtualBox - Error in suplibOsInit

Kernel driver not installed (rc=-1908)

The VirtualBox Linux kernel driver is either not loaded or not set up correctly. Please try setting it up again by executing

'/sbin/vboxconfig'

as root.

If your system has EFI Secure Boot enabled you may also need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them. Please see your Linux system's documentation for more information.

where: suplibOsInit what: 3 VERR_VM_DRIVER_NOT_INSTALLED (-1908) - The support driver is not installed. On linux, open returned ENOENT.



I also tried Qemu/KVM using libvirt and virt-manager, after converting VM's to .qcow2 format, but had way too many issues to even boot the VMs.
I have some Windows VMs that I need to use, and they used to work great in Virtualbox, so would like to get them working again if possible.

What is preventing vbox modules now working with secure boot?
Any ideas, approaches, to help resolve?

p.H
Posts: 1884
Joined: 2017-09-17 07:12

Re: Virtualbox 6.1 - Secure Boot Key Signed Modules - FAIL after Debian 10.10 Update

#2 Post by p.H »

The main suspect is the shim update introduced in point release 10.10.
Maybe this is the same bug as #990311.

Post Reply