## Setup Machine Owner Key (MOK)

If your system is using Secure Boot, you'll need to sign the kernel modules. Have a temporary password ready: `mokutil --import` asks for one, and the bootloader's MOK manager asks for it again when you enroll the key after the reboot. Note that `-nodes` leaves `MOK.priv` unencrypted, so `/root/module-signing` must stay readable by root only.

```bash
mkdir /root/module-signing
cd /root/module-signing
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv \
    -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=$(hostname -f)/"
mokutil --import /root/module-signing/MOK.der
sync
reboot
```

Enroll the key from the bootloader's MOK manager, and confirm after boot with:

```bash
dmesg | grep -i efi
```
## Sign Modules

This script is currently configured to sign VirtualBox kernel modules (`vbox*.ko`). Tweaks will be necessary to sign other modules.

Content of `/root/module-signing/sign.sh`:
```bash
#!/bin/bash
# Sign out-of-tree kernel modules with the enrolled MOK.
# Usage: sign.sh [kernel_version]
# When run as an /etc/kernel/postinst.d hook, Debian passes
# "<kernel_version> <image_path>", so one or two arguments are accepted.
case ${#} in
    0)   KVER=$(uname -r) ;;
    1|2) KVER=${1} ;;
    *)   echo -e "usage:\n\t$0 [kernel_version]" >&2; exit 1 ;;
esac

MODULE_DIR="/lib/modules/${KVER}/"
SIGN_FILE="/usr/src/linux-headers-${KVER}/scripts/sign-file"
KEY_DIR="/root/module-signing"

if [ ! -d "${MODULE_DIR}" ]; then
    echo -e "error: missing module directory...\n\t${MODULE_DIR}" >&2
    exit 1
elif [ ! -x "${SIGN_FILE}" ]; then
    echo -e "error: missing or non-executable sign-file script...\n\t${SIGN_FILE}" >&2
    exit 1
elif [ ! -r "${KEY_DIR}/MOK.priv" ] || [ ! -r "${KEY_DIR}/MOK.der" ]; then
    echo -e "error: MOK key pair not found in...\n\t${KEY_DIR}" >&2
    exit 1
fi

# Only VirtualBox modules are signed; change the -name pattern for other modules.
# sign-file arguments: <hash algorithm> <private key> <X.509 cert> <module>
find "${MODULE_DIR}" -name 'vbox*.ko' \
    | while read -r module; do
        echo "Signing '${module##*/}'..."
        "${SIGN_FILE}" sha256 "${KEY_DIR}/MOK.priv" "${KEY_DIR}/MOK.der" "${module}"
    done
```
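Before rebooting, or after a kernel upgrade, it is worth confirming that every module the script was meant to sign actually carries a signature, since an unsigned module will simply be refused by the kernel under Secure Boot. The helper below is an added example and is not part of the original page or of the `sign.sh` above; it checks for the fixed marker string that the kernel's `sign-file` appends after the signature, and the two sample `.ko` files it creates are constructed stand-ins, not real modules.

```shell
#!/bin/bash
# Added example: verify that modules carry an appended kernel signature.
# sign-file appends the signature followed by this fixed marker (28 bytes
# including the trailing newline); an unsigned .ko never ends with it.
MODULE_SIG_STRING='~Module signature appended~'

# module_is_signed <file>: exit 0 if the file ends with the signature marker,
# 1 if it does not, 2 if the file is missing. Only the last 28 bytes are
# inspected so the marker is not matched by chance somewhere inside the module.
module_is_signed() {
    [ -f "$1" ] || return 2
    tail -c 28 "$1" | grep -q -- "$MODULE_SIG_STRING"
}

# count_unsigned <dir> [pattern]: report each matching module on stderr and
# print the number of unsigned ones on stdout. Compressed modules (.ko.xz,
# .ko.zst) must be decompressed before this check; the sign.sh on this page
# only handles plain .ko files anyway.
count_unsigned() {
    local dir="$1"
    local pattern="${2:-*.ko}"
    find "$dir" -name "$pattern" | {
        unsigned=0
        while IFS= read -r module; do
            if module_is_signed "$module"; then
                printf 'signed    %s\n' "${module##*/}" >&2
            else
                printf 'UNSIGNED  %s\n' "${module##*/}" >&2
                unsigned=$((unsigned + 1))
            fi
        done
        echo "$unsigned"
    }
}

# Demo on constructed files (not real kernel modules): one with the marker
# appended, one without. On a real system run, for example:
#   count_unsigned "/lib/modules/$(uname -r)" 'vbox*.ko'
demo_dir=$(mktemp -d)
printf 'constructed module body' > "$demo_dir/vboxnetflt.ko"
printf 'constructed module body~Module signature appended~\n' > "$demo_dir/vboxdrv.ko"
unsigned_count=$(count_unsigned "$demo_dir" 'vbox*.ko')
echo "unsigned modules: $unsigned_count"
rm -rf "$demo_dir"
```

A non-zero count means the signing step was skipped or failed for those files, which is the case to catch before `reboot`; `modinfo -F signer <module>` additionally shows which certificate signed a module once it is loaded.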
## Load Modules

Replace `${MODULE_NAME}` with the module to load (for the VirtualBox modules signed above, `vboxdrv`):

```bash
modprobe ${MODULE_NAME}
```
## Sign Modules on Kernel Upgrade

Hooks in `/etc/kernel/postinst.d` run after a new kernel package is installed and receive the new kernel version as their first argument, which `sign.sh` uses to pick the module directory and `sign-file`. The matching `linux-headers` package must be installed as well, or the script will report a missing `sign-file`.

```bash
ln -s /root/module-signing/sign.sh /etc/kernel/postinst.d/module-signing
```