Install VirtualBox while keeping Secure Boot
I have not tried either of those procedures. I do, however, do this in a different way -- but it's a very tedious method. This description will make it seem easier than that because I refer to a big page I've written that covers the worst of the tedious parts. My procedure is:
- Take control of Secure Boot -- In my case, I've configured my computer so that I embed my own Secure Boot public key in the firmware. This way I don't need to use Shim or MOKs. I've removed Microsoft's keys from and added my own and Canonical's keys to the computer on which I use this procedure, but you can set yours up with whatever keys you like. The critical part for the purposes of your question is that you must include a key that you generate, with a private key that you retain to make it work. You'll also need keys used to sign standard components -- Canonical's key, Microsoft's public marketplace key, or both. If you dual-boot with Windows, you'll need the public key for the one Microsoft uses to sign its own boot loader. See this page of mine for all the gory details -- but be aware that this is a tedious and finicky procedure, so you may spend quite a while getting this part working. Note that most UEFIs make it pretty easy to restore the standard key set, so the risk involved in trying this procedure is low.
- Sign the VirtualBox modules -- The next step is to sign the VirtualBox kernel modules. This is done in pretty much the same way as the pages to which you've linked describe; however, I have a script to help automate this process (see below).
-
Load the VirtualBox module -- After signing the modules, they must be loaded. This should happen automatically on reboot; but if you want to use VirtualBox without rebooting, you must explicitly use
modprobe
for each of the modules (vboxdrv
,vboxnetflt
,vboxpci
, andvboxnetadp
). - Repeat steps 2-3 after every kernel update -- After a kernel update, steps #2 and #3 must be repeated.
For convenience, I've written a script to do steps #2 and #3 in one command. I call it sign-vbox
. Here it is:
#!/bin/bash
# sign-vbox script, copyright (c) 2017 by Rod Smith
# Distributed under the terms of the GPLv3
if [ "$#" -ne 1 ] && [ "$#" -ne 0 ]; then
echo "Usage: $0 [ {kernel-version} ]"
exit 1
fi
if [ "$#" == 0 ]; then
kernel_version=$(uname -r)
else
kernel_version="$1"
fi
sign_file=$(find /usr/src/ -name sign-file | tail -n 1)
if [ -z $sign_file ]; then
echo "Can't find the sign-file binary! Exiting!"
exit 1
else
path_to_modules="/lib/modules/$kernel_version/updates/dkms"
if [ ! -f $path_to_modules/vboxdrv.ko ]; then
echo "Could not find $path_to_modules/vboxdrv.ko!"
echo "Is the kernel version correct?"
exit 1
fi
echo "Signing modules for $kernel_version"
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxdrv.ko
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxnetadp.ko
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxnetflt.ko
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxpci.ko
modprobe vboxdrv
modprobe vboxnetflt
modprobe vboxpci
modprobe vboxnetadp
echo "Loaded vbox modules:"
lsmod | grep vbox
fi
To use this script, simply type its name. It signs the VirtualBox modules associated with the currently-running kernel. If you pass it a kernel version number, it should sign the kernels associated with that kernel version, but there's no room for error in specifying the kernel version number. (It expects the same format that uname -r
would return if the kernel were running.)
Note that the script expects to find private (refind_local.key
) and public (refind_local.cer
) keys in /etc/refind.d/keys/
. You'll have to change that location for your own system, unless you use rEFInd and use local keys for it. The private key file should be as secure as you can make it, such as having 0400 (-r--------
) permissions. Limiting access to the directory itself may be helpful, too. Better yet, put it on a USB flash drive that you plug in only when you run this command.
Also, I wrote this script for my own personal use. It probably has bugs, particularly if used in a way I don't expect. Certainly it fails pretty badly if the necessary kernel source files aren't installed.
It's conceivable that this script would work with the MOK-based methods you tried to use if you pointed it at the key files you generated, the public file of which you loaded into the MOK. I can't promise this, though, and of course your problems could be due to either improperly signed kernel modules or problems on the Shim/MOK end. Using this script would help only if your kernel modules were not properly signed.
VirtualBox 6.1 will install on 19.10 with secure boot enabled.