With Debian testing and SecureBoot enabled:
I need to sign the VirtualBox modules, as shown by the output of the vboxconfig command:
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
vboxdrv vboxnetflt vboxnetadp
See the documenatation for your Linux distribution..
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.
There were problems setting up VirtualBox. To re-start the set-up process, run
/sbin/vboxconfig
as root. If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.
Following the Debian Wiki on SecureBoot, I did:
# openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes
# mokutil --import MOK.der // prompts for one-time password
# mokutil --list-new // recheck your key will be prompted on next boot
<rebooting machine then enters MOK manager EFI utility: enroll MOK, continue, confirm, enter password, reboot>
# dmesg | grep cert // verify your key is loaded
and signed the modules:
# /usr/src/linux-headers-5.7.0-1-amd64/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der /lib/modules/5.7.0-1-amd64/misc/vboxdrv.ko
# /usr/src/linux-headers-5.7.0-1-amd64/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der /lib/modules/5.7.0-1-amd64/misc/vboxnetflt.ko
# /usr/src/linux-headers-5.7.0-1-amd64/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der /lib/modules/5.7.0-1-amd64/misc/vboxnetadp.ko
Note: I did not sign the vboxpci module, because sudo modinfo -n vboxpci cannot find it:
modinfo: ERROR: Module vboxpci not found.
After that, if I try to run vboxconfig again (also as root), I get the same result, because it cannot load the modules:
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
vboxdrv vboxnetflt vboxnetadp
See the documenatation for your Linux distribution..
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.
There were problems setting up VirtualBox. To re-start the set-up process, run
/sbin/vboxconfig
as root. If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.
Note: if I try to load the module myself, sudo modprobe vboxdrv also gives an error:
modprobe: ERROR: could not insert 'vboxdrv': Operation not permitted
The dmesg command shows that the module is not signed:
[ 35.668028] Lockdown: modprobe: unsigned module loading is restricted; see https://wiki.debian.org/SecureBoot
[ 59.965757] Lockdown: modprobe: unsigned module loading is restricted; see https://wiki.debian.org/SecureBoot
[ 247.249605] Lockdown: modprobe: unsigned module loading is restricted; see https://wiki.debian.org/SecureBoot
What can I do??? Without disabling SecureBoot?
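Answer 1
I followed the same procedure and ran into the same problem, and could not figure out why it was not working. Then I realized the problem was running vboxconfig again after signing the modules, because it triggers a rebuild of the kernel modules: "vboxdrv.sh: Building VirtualBox kernel modules."
At that point I just signed the modules and loaded them with modprobe, and they loaded without any problems.
Don't worry, since vboxconfig was run the first time, you don't need to load the modules manually every time; vboxconfig has already done the setup, just reboot (at least it worked for me). Cheers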
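Added example, not part of the original answer: a check for the situation described above, where a rebuild by vboxconfig leaves freshly built modules without a signature. It relies on the marker that the kernel's module signing appends to every signed .ko file; the function names has_sig_marker, unsigned_modules and resign_unsigned are hypothetical, and the module list is the one printed by vboxdrv.sh in the question.

```shell
#!/bin/sh
# Added example (not from the original post). Finds VirtualBox modules whose
# appended signature is missing, for instance after vboxconfig rebuilt them.

# Every signed .ko ends with this 28-byte marker (27 characters plus newline).
MARKER_HEX=$(printf '~Module signature appended~\n' | od -An -v -tx1 | tr -d ' \n')

# has_sig_marker FILE: succeed if FILE ends with the signature marker.
# This only shows that a signature is appended, not that the kernel trusts
# the signing key; enrolment is still verified with mokutil and dmesg.
has_sig_marker() {
    [ -f "$1" ] || return 1
    [ "$(tail -c 28 "$1" | od -An -v -tx1 | tr -d ' \n')" = "$MARKER_HEX" ]
}

# unsigned_modules DIR: print the modules named by vboxdrv.sh that are
# missing or unsigned in DIR; exit status is non-zero if any are printed.
unsigned_modules() {
    dir=$1 missing=0
    for m in vboxdrv vboxnetflt vboxnetadp; do
        if ! has_sig_marker "$dir/$m.ko"; then
            echo "$m"
            missing=1
        fi
    done
    return "$missing"
}

# resign_unsigned DIR SIGN_FILE KEY CERT: sign only what still needs it,
# stopping at the first failure (a missing module file counts as one).
resign_unsigned() {
    for m in $(unsigned_modules "$1"); do
        "$2" sha256 "$3" "$4" "$1/$m.ko" || return 1
    done
}

# Usage with the Debian paths from the question (run as root, after
# vboxconfig and before modprobe):
#   resign_unsigned "/lib/modules/$(uname -r)/misc" \
#       "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" \
#       /root/MOK.priv /root/MOK.der
```

On Fedora the sign-file path from Answer 2, /usr/src/kernels/$(uname -r)/scripts/sign-file, takes the place of the Debian one.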
Answer 2
For Fedora 34 and VirtualBox 6.1.22, the steps are as follows:
Build the VirtualBox modules
sudo /sbin/vboxconfig
Install openssl
sudo dnf install openssl
Create a key and enroll it
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes
sudo mokutil --import MOK.der
echo "Please reboot the machine"
Reboot and make sure to enroll the key in the BIOS. You will need the password you chose in step (3)
Sign the VirtualBox kernel modules
sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/misc/vboxdrv.ko
sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/misc/vboxnetadp.ko
sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/$(uname -r)/misc/vboxnetflt.ko
Load the VirtualBox kernel modules
sudo modprobe vboxdrv
sudo modprobe vboxnetadp
sudo modprobe vboxnetflt
Start VirtualBox and it should work.