Setup Machine Owner Key (MOK)

If your system boots with Secure Boot enabled, the kernel will refuse to load unsigned out-of-tree modules, so you need to sign them with a key that you enroll as a Machine Owner Key (MOK).

Choose a temporary password first: `mokutil --import` prompts for one, and the bootloader's MOK manager asks for the same password again when you enroll the key on the next boot.

```bash
mkdir /root/module-signing
cd /root/module-signing
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv \
    -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=$(hostname -f)/"
mokutil --import /root/module-signing/MOK.der
sync
reboot
```
Enroll the key in the MOK manager that the bootloader shows on reboot, then confirm after boot with:

```bash
dmesg | grep -i efi
```
Sign Modules

This script is currently configured to sign VirtualBox kernel modules (`vbox*.ko`). Tweaks will be necessary to sign other modules.

Content of `/root/module-signing/sign.sh`:

```bash
#!/bin/bash
# Pick the kernel version: none given -> running kernel; one given -> that
# version. Kernel package hooks (/etc/kernel/postinst.d) pass the version as
# $1 plus the kernel image path as $2, so up to two arguments are accepted.
if [ ${#} -eq 0 ]; then
    KVER=$(uname -r)
elif [ ${#} -le 2 ]; then
    KVER=${1}
else
    echo -e "usage:\n\t$0 [kernel_version]" >&2
    exit 1
fi

MODULE_DIR="/lib/modules/${KVER}/"
SIGN_FILE="/usr/src/linux-headers-${KVER}/scripts/sign-file"

if [ ! -d "${MODULE_DIR}" ]; then
    echo -e "error: missing module directory...\n\t${MODULE_DIR}" >&2
    exit 1
elif [ ! -x "${SIGN_FILE}" ]; then
    echo -e "error: missing or non-executable sign-file script...\n\t${SIGN_FILE}" >&2
    exit 1
fi

# Sign every VirtualBox module for this kernel with the enrolled MOK.
find "${MODULE_DIR}" -name 'vbox*.ko' \
    | while read -r module; do
        echo "Signing '${module##*/}'..."
        "${SIGN_FILE}" \
            sha256 \
            /root/module-signing/MOK.priv \
            /root/module-signing/MOK.der \
            "${module}"
    done
```
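The following is an added example, not part of the original page or the script above. It checks whether `sign-file` actually produced an appended signature on each module before you try to load it: the kernel's `sign-file` appends the literal marker `~Module signature appended~` (followed by a newline) after the signature block, so a module without that trailer is unsigned. The demo directory and the fake `vbox*.ko` files are constructed here so the script runs offline; point `list_unsigned_modules` at `/lib/modules/$(uname -r)/` to use it for real.

```bash
#!/bin/bash
# Added example: find modules that are still unsigned after running sign.sh.
# Not from the original page; the demo files below are constructed.

# The kernel's MODULE_SIG_STRING trailer (27 chars, followed by "\n").
MODULE_SIG_STRING='~Module signature appended~'

# Return 0 if the file ends with the signature trailer, 1 otherwise.
is_signed_module() {
    local f="$1"
    [ -f "$f" ] || return 1
    # Last 28 bytes = marker + newline; $(...) strips the trailing newline.
    [ "$(tail -c 28 "$f")" = "$MODULE_SIG_STRING" ]
}

# Print (one per line) the modules under a directory that lack a signature.
list_unsigned_modules() {
    local dir="$1" pattern="${2:-*.ko}"
    find "$dir" -name "$pattern" -print0 |
        while IFS= read -r -d '' m; do
            is_signed_module "$m" || printf '%s\n' "$m"
        done
}

# Constructed demo: one "signed" and one "unsigned" fake module.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'fake module payload' > "$demo_dir/vboxdrv.ko"
printf 'fake module payload' > "$demo_dir/vboxnetflt.ko"
printf '%s\n' "$MODULE_SIG_STRING" >> "$demo_dir/vboxdrv.ko"   # fake appended trailer

echo "Unsigned modules in $demo_dir:"
list_unsigned_modules "$demo_dir" 'vbox*.ko'
```

On a real system, `modinfo -F signer <module>` also reports the signer's CN (the hostname used in the `-subj` above) once the module is signed, and `mokutil --list-enrolled` shows the key the firmware trusts.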
Load Modules

```bash
modprobe ${MODULE_NAME}
```
Sign Modules on Kernel Upgrade

Hooks in `/etc/kernel/postinst.d` are run by `run-parts`, which only executes files with the execute bit set, so make sure `sign.sh` is executable (`chmod +x`) before linking it:

```bash
ln -s /root/module-signing/sign.sh /etc/kernel/postinst.d/module-signing
```