Running VirtualBox with SecureBoot

I am trying to run VirtualBox on Ubuntu 23.10 with Secure Boot enabled.

When starting any virtual machine in VirtualBox, this error is shown:

Kernel driver not installed (rc=-1908)
The VirtualBox Linux kernel driver is either not loaded or not set up correctly. Please reinstall virtualbox-dkms package and load the kernel module by executing

'modprobe vboxdrv'

as root.

I have read a lot of posts and articles about this, but there are so many that I cannot tell them apart.

So I did reinstall virtualbox-dkms:

sudo apt install virtualbox-dkms --reinstall
Paketlisten werden gelesen… Fertig
Abhängigkeitsbaum wird aufgebaut… Fertig
Statusinformationen werden eingelesen… Fertig
0 aktualisiert, 0 neu installiert, 1 erneut installiert, 0 zu entfernen und 10 nicht aktualisiert.
Es müssen noch 0 B von 761 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
(Lese Datenbank ... 238469 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../virtualbox-dkms_7.0.10-dfsg-3_amd64.deb ...
Module virtualbox-7.0.10 for kernel 6.5.0-14-generic (x86_64).
Before uninstall, this module version was ACTIVE on this kernel.

vboxdrv.ko.zst:
 - Uninstallation
   - Module was not found within /lib/modules/6.5.0-14-generic/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

vboxnetadp.ko.zst:
 - Uninstallation
   - Deleting from: /lib/modules/6.5.0-14-generic/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.

vboxnetflt.ko.zst:
 - Uninstallation
   - Deleting from: /lib/modules/6.5.0-14-generic/updates/dkms/
 - Original module
   - No original module was found for this module on this kernel.
   - Use the dkms install command to reinstall any previous module version.
depmod...
Deleting module virtualbox-7.0.10 completely from the DKMS tree.
Entpacken von virtualbox-dkms (7.0.10-dfsg-3) über (7.0.10-dfsg-3) ...
virtualbox-dkms (7.0.10-dfsg-3) wird eingerichtet ...
Loading new virtualbox-7.0.10 DKMS files...
Building for 6.5.0-14-generic
Building initial module for 6.5.0-14-generic
Done.

vboxdrv.ko.zst:
Running module version sanity check.
libkmod: ERROR ../libkmod/libkmod-file.c:136 zstd_decompress_block: zstd: Unknown frame descriptor
 - Original module
 - Installation
   - Installing to /lib/modules/6.5.0-14-generic/updates/dkms/

vboxnetadp.ko.zst:
Running module version sanity check.
 - Original module
 - Installation
   - Installing to /lib/modules/6.5.0-14-generic/updates/dkms/

vboxnetflt.ko.zst:
Running module version sanity check.
 - Original module
 - Installation
   - Installing to /lib/modules/6.5.0-14-generic/updates/dkms/
depmod...

Next I created the key:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"

and added the key:

sudo mokutil --import MOK.der

and signed the kernel file:

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

Then I checked the status of the VirtualBox Linux kernel module service:

sudo systemctl status vboxdrv
Unit vboxdrv.service could not be found.
sudo systemctl status virtualbox.service 
× virtualbox.service - LSB: VirtualBox Linux kernel module
     Loaded: loaded (/etc/init.d/virtualbox; generated)
     Active: failed (Result: exit-code) since Tue 2024-01-02 18:27:13 CET; 6min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 3481 ExecStart=/etc/init.d/virtualbox start (code=exited, status=1/FAILURE)
        CPU: 50ms

Jan 02 18:27:13 wolf-expertbook systemd[1]: Starting virtualbox.service - LSB: VirtualBox Linux kernel module...
Jan 02 18:27:13 wolf-expertbook virtualbox[3481]:  * Loading VirtualBox kernel modules...
Jan 02 18:27:13 wolf-expertbook virtualbox[3481]:  * modprobe vboxdrv failed. Please use 'dmesg' to find out why
Jan 02 18:27:13 wolf-expertbook virtualbox[3481]:    ...fail!
Jan 02 18:27:13 wolf-expertbook systemd[1]: virtualbox.service: Control process exited, code=exited, status=1/FAILURE
Jan 02 18:27:13 wolf-expertbook systemd[1]: virtualbox.service: Failed with result 'exit-code'.
Jan 02 18:27:13 wolf-expertbook systemd[1]: Failed to start virtualbox.service - LSB: VirtualBox Linux kernel module.

That is strange... but I don't know what to do. So I carried on with the instructions:

sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Key was rejected by service

What should I do? Where is the error? After many tests, I have already signed some keys for Secure Boot:

sudo mokutil --test-key MOK.der
MOK.der is already enrolled
wolf@wolf-expertbook:~/downloads/sign$ sudo mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:41:24:a0:18:2c:92:67
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
            X509v3 Authority Key Identifier: 
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://www.canonical.com/secure-boot-master-ca.crl
    Signature Algorithm: sha256WithRSAEncryption

[key 2]
SHA1 Fingerprint: 80:34:03:45:13:b1:19:03:00:26:76:ea:2a:08:5c:5e:cb:fe:3c:b9
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            59:e4:f7:46:db:46:19:d7:f7:56:29:5f:15:74:33:99:83:a4:a2:5f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=VirtualBoxTest1
        Validity
            Not Before: Jan  2 16:07:57 2024 GMT
            Not After : Dec  9 16:07:57 2123 GMT
        Subject: CN=VirtualBoxTest1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                98:5C:4C:C3:00:F6:4C:96:D2:65:4D:95:5D:E8:5D:E7:4B:FB:A8:2E
            X509v3 Authority Key Identifier: 
                98:5C:4C:C3:00:F6:4C:96:D2:65:4D:95:5D:E8:5D:E7:4B:FB:A8:2E
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

[key 3]
SHA1 Fingerprint: 9e:48:8d:a2:7b:b0:47:ea:4d:6d:7d:01:53:9b:32:a9:0c:8e:37:b0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3e:21:52:dc:35:55:c6:32:2f:28:c2:6e:ec:68:92:42:2b:06:b3:66
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=VirtualBox
        Validity
            Not Before: Jan  2 16:21:50 2024 GMT
            Not After : Dec  9 16:21:50 2123 GMT
        Subject: CN=VirtualBox
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                05:28:BD:D2:7B:16:15:19:F0:A1:12:AB:52:CF:10:A1:98:26:8A:0F
            X509v3 Authority Key Identifier: 
                05:28:BD:D2:7B:16:15:19:F0:A1:12:AB:52:CF:10:A1:98:26:8A:0F
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

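Answer 1

So I found a solution. I don't "really" understand it, but maybe, hopefully, this problem will be fixed before I have to sign again. But the problem has existed since Ubuntu 22.10.

Here is the additional command and the thread that suggested the solution: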

sudo mokutil --import /var/lib/shim-signed/mok/MOK.der 

https://gist.github.com/reillysiemens/ac6bea1e6c7684d62f544bd79b2182a4?permalink_comment_id=4649263#gistcomment-4649263 and read the following: https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1992673
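
A diagnostic for the situation in this thread, as an added example that is not part of the original question or answer: it compares the serial of the certificate that signed a module (the sig_key field printed by modinfo) with the serials listed by mokutil --list-enrolled. The function names, file names and sample serials are constructed for illustration.

```shell
#!/bin/sh
# Added example. Checks whether the certificate that signed a module is an enrolled MOK.
# On a real system: modinfo vboxdrv > mod.txt; mokutil --list-enrolled > mok.txt

# Normalise a serial number: drop colons and blanks, lowercase the hex digits.
norm() { tr -d ': \t' | tr 'A-F' 'a-f'; }

# Serial of the signing certificate, from `modinfo` output on stdin (sig_key field).
module_serial() { sed -n 's/^sig_key:[[:space:]]*//p' | norm; }

# Serials of enrolled keys, from `mokutil --list-enrolled` output on stdin.
# Handles the layout shown in the question: serial on the line after "Serial Number:".
enrolled_serials() { awk '/Serial Number:/ { getline; print }' | norm; }

# $1 = saved modinfo output, $2 = saved mokutil output.
# Returns 0 if the signer is enrolled, 1 if not, 2 if the module has no signature.
signer_enrolled() {
    want=$(module_serial < "$1")
    [ -n "$want" ] || { echo "no signature found"; return 2; }
    if enrolled_serials < "$2" | grep -qx "$want"; then
        echo "signer $want is enrolled"; return 0
    fi
    echo "signer $want is not enrolled; module loading will fail under Secure Boot"
    return 1
}

# --- constructed sample data (hypothetical serials, not taken from the page) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/mok.txt" <<'EOF'
[key 1]
        Serial Number:
            11:22:33:44:55:66:77:88
        Issuer: CN=Distribution CA (constructed)
[key 2]
        Serial Number:
            a1:b2:c3:d4:e5:f6:07:18
        Issuer: CN=VirtualBox
EOF
printf 'signer:         VirtualBox\nsig_key:        A1:B2:C3:D4:E5:F6:07:18\n' > "$tmp/manual.txt"
printf 'signer:         DKMS key (constructed)\nsig_key:        0A:0B:0C:0D:0E:0F:10:11\n' > "$tmp/dkms.txt"
printf 'filename:       /constructed/unsigned.ko\n' > "$tmp/unsigned.txt"

signer_enrolled "$tmp/manual.txt" "$tmp/mok.txt" || true
signer_enrolled "$tmp/dkms.txt" "$tmp/mok.txt" || true
signer_enrolled "$tmp/unsigned.txt" "$tmp/mok.txt" || true
```

A module whose signer serial is missing from the enrolled list was signed with a different key than the one imported, which is the case the answer's extra mokutil --import addresses.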
