Secure Boot and Stuff

VirtualBox does not seem to work out of the box on Fedora 23. I got a hint of this when I downloaded the RPM for Fedora 22 and tried it on Fedora 23, which obviously has a different kernel, so the vbox drivers may fail to load. As expected, I saw an error about drivers while running a pre-installed VM image. I rebuilt the driver for my running kernel and still got the same error. I saw that the vbox modules were not loaded, tried to load them manually, and saw a strange failure – “modprobe: ERROR: could not insert ‘vboxdrv’: Required key not available” – for the first time. I googled and found lots and lots of information, so I thought of summarizing it here.

The module loading failed because the module needs to be signed for the running kernel. This signature check can be disabled if “Secure Boot” is disabled in the BIOS. Details about Secure Boot later, but first of all, how to get the modules signed? It seems really weird to me: why can I not load my custom modules? This does not happen on Ubuntu, but Fedora has added an extra level of security (maybe it's a Red Hat mandate). To get the modules signed, there is a non-trivial method, which is documented really nicely here.

As mentioned, this is not required if Secure Boot is disabled from the BIOS/UEFI console during bootup. However, I was not aware of the details of Secure Boot, so I thought of reading about it online. There are many videos on YouTube about how to disable Secure Boot, but none of them explained it very clearly – or it is me who cannot find the videos. So I got this Linux Journal article and one really good explanation about secure boot requirement and features.

I still have not added my custom keys on Fedora, so VirtualBox is still non-functional, but I will post the procedure if I do that.

EDIT: VirtualBox up and running, however…

With kernel 4.3, there have been some changes in the way you verify the signature of a module. “modinfo” does not list the signature of the module, due to this open issue. The alternative is to run “hexdump -C vboxdrv.ko | tail” and check whether the last couple of lines contain a string like “signature”.
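The same tail check done programmatically, as an added example that is not part of the original post: it looks for the marker a signed module ends with and decodes the 12-byte info block in front of it. The layout is assumed to match the kernel's struct module_signature, and the sample module bytes are constructed, not a real vboxdrv.ko.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # marker at the very end of a signed .ko
INFO = struct.Struct(">5B3xI")            # struct module_signature: 12 bytes, big-endian sig_len
ID_TYPES = {0: "PGP", 1: "X.509", 2: "PKCS#7"}


def module_signature_info(blob):
    """Describe the signature appended to module bytes; None if unsigned."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < INFO.size:
        raise ValueError("marker present but signature info is truncated")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = INFO.unpack(body[-INFO.size:])
    appended = signer_len + key_id_len + sig_len
    if appended > len(body) - INFO.size:
        raise ValueError("declared signature length exceeds file size")
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "sig_len": sig_len,
        "module_len": len(body) - INFO.size - appended,
    }


def constructed_signed_module():
    """Constructed sample: fake ELF bytes + 100 filler bytes + info + marker."""
    return b"\x7fELF" + b"\0" * 60 + b"\x30" * 100 + INFO.pack(0, 0, 2, 0, 0, 100) + MAGIC


if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. path to vboxdrv.ko
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = constructed_signed_module()
    print(module_signature_info(data) or "no appended signature")
```

This reports only that a signature is appended and how long it is; whether the kernel accepts the module still depends on the signing key being registered.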

After the modules are signed, the custom key needs to be registered; the method is explained in the above-mentioned link. I used the MoK method, which can be used if the system is running Fedora and which is fairly straightforward. After the key is registered during bootup, the kernel prints debug info at boot that shows whether the certificate was loaded or not; “dmesg | grep -i EFI” is handy for checking that.

The next step is _just_ to modprobe the signed version of vboxdrv. There is no need to run the “vboxdrv.sh setup” again, otherwise it would rebuild the module and then it needs to be signed again. If you have configured the bridged networking mode, you may also need to sign the vboxnetadp.ko and vboxnetflt.ko modules and load them.

Voilà! VirtualBox is up and running finally :-) I never expected that the ride would be really bumpy, but I learned something.
