Keywords: CentOS 8 | VirtualBox | Kernel Module Signing | Secure Boot | MOK
Abstract: This article provides a comprehensive guide to signing VirtualBox kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) on CentOS 8 with Secure Boot enabled. It analyzes common error messages and presents two solutions: disabling Secure Boot or using the MOK (Machine Owner Key) mechanism for module signing. The core process includes generating RSA keys, importing MOK, creating automated signing scripts, and verifying module loading, ensuring VirtualBox functionality while maintaining system security. Additional insights from other solutions are incorporated to adapt script paths for different kernel versions.
Problem Background and Error Analysis
After installing VirtualBox on CentOS 8, users often encounter issues with booting virtual machines. Running the /sbin/vboxconfig script reveals error messages indicating that kernel modules are unsigned. The typical output is:
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
vboxdrv vboxnetflt vboxnetadp vboxpci
See the documenatation for your Linux distribution.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.
This problem usually arises when the system has EFI Secure Boot enabled, a feature that requires all loaded kernel modules to be digitally signed to prevent malicious code injection. VirtualBox kernel modules are not signed by default, so they cannot be loaded in a Secure Boot environment, causing virtual machine startup failures.
Solution Overview
Two main approaches address this issue:
- Disable Secure Boot: Temporarily or permanently disable Secure Boot via BIOS/UEFI settings, but this reduces system security and is not recommended for production environments.
- Sign Kernel Modules: Use the MOK (Machine Owner Key) tool to generate and apply digital signatures for VirtualBox modules, allowing loading while keeping Secure Boot active. This is the focus of this article.
Detailed Steps for Signing Kernel Modules
The following steps are based on CentOS 8, assuming VirtualBox is installed and the error occurs. Root privileges are required.
Step 1: Install Required Tools
First, update the system and install the mokutil tool, used for managing MOK keys.
sudo dnf update
sudo dnf install mokutil
Step 2: Generate RSA Keys
Create a dedicated directory and generate an RSA key pair, including a private key (MOK.priv) and a public key (MOK.der). The key is valid for 36500 days (approximately 100 years) with the subject set to "VirtualBox".
sudo -i
mkdir /root/signed-modules
cd /root/signed-modules
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
chmod 600 MOK.priv
Here, openssl generates a self-signed X.509 certificate (MOK.der, DER-encoded) together with its RSA private key (MOK.priv); -nodes leaves the private key unencrypted, so chmod 600 is what restricts it to root, since anyone who can read MOK.priv can sign modules that the system will trust.
Step 3: Import MOK Key
Use mokutil to queue the public key for enrollment in the system MOK database. This step prompts for a one-time password, which must be typed again at the MOK enrollment screen after reboot.
sudo mokutil --import MOK.der
Step 4: Reboot and Enroll Key
After rebooting, a blue MOK management screen appears. Select "Enroll MOK", then "Continue", and enter the previously set password to complete enrollment. The system will then boot normally.
Step 5: Create Automated Signing Script
For convenience (e.g., re-signing after system updates), create a script to automatically sign all VirtualBox kernel modules. First, create the script file in the /root/signed-modules directory.
cd /root/signed-modules
vi sign-virtual-box
The script content uses modinfo to locate module files and the sign-file tool for signing:
#!/bin/bash
# Sign every VirtualBox kernel module found in the directory that holds
# vboxdrv.ko, using the MOK key pair created in Step 2.
SIGN_FILE="/usr/src/kernels/$(uname -r)/scripts/sign-file"
KEY_DIR=/root/signed-modules
for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
    echo "Signing $modfile"
    "$SIGN_FILE" sha256 "$KEY_DIR/MOK.priv" "$KEY_DIR/MOK.der" "$modfile"
done
If the above sign-file path does not exist, use find /usr/src -name sign-file to locate the correct path and adjust the script accordingly. For example, on some systems, the path might be /usr/src/linux-headers-$(uname -r)/scripts/sign-file.
Step 6: Execute Signing Script
Add execute permissions to the script and run it to sign all VirtualBox modules.
chmod 700 sign-virtual-box
./sign-virtual-box
Step 7: Verify Module Loading
After signing, attempt to load the vboxdrv module to check for success.
modprobe vboxdrv
If no error output appears, the module is successfully signed and loaded. You can now re-run /sbin/vboxconfig or start VirtualBox to manage virtual machines.
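As an added example (not part of the original article or of VirtualBox's own tooling), the following Python parses the signature trailer that sign-file appends to a .ko, so that after Step 6 you can confirm each module actually carries a PKCS#7 signature whose issuer name is the MOK subject chosen in Step 2 ("VirtualBox"). The trailer layout follows include/linux/module_signature.h; the DER walk is a minimal scan for commonName attributes, not a full ASN.1 validator, and the sample module bytes are constructed.

```python
import struct

# Trailer appended by scripts/sign-file (include/linux/module_signature.h):
#   [module ELF][PKCS#7 DER][struct module_signature, 12 bytes][magic, 28 bytes]
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
_SIG_STRUCT = struct.Struct(">BBBBB3xI")  # algo, hash, id_type, signer_len, key_id_len, pad, sig_len
PKEY_ID_PKCS7 = 2                         # the only id_type current kernels accept

def append_signature_trailer(payload: bytes, pkcs7_der: bytes) -> bytes:
    """Lay out a signed module exactly as sign-file does (no signing is performed here)."""
    hdr = _SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return payload + pkcs7_der + hdr + MODULE_SIG_MAGIC

def split_signed_module(blob: bytes):
    """Return (payload, pkcs7_der), or None if the module has no signature trailer."""
    if not blob.endswith(MODULE_SIG_MAGIC):
        return None
    body = blob[:-len(MODULE_SIG_MAGIC)]
    algo, hsh, id_type, signer_len, key_id_len, sig_len = _SIG_STRUCT.unpack(body[-_SIG_STRUCT.size:])
    body = body[:-_SIG_STRUCT.size]
    if id_type != PKEY_ID_PKCS7 or algo or hsh or signer_len or key_id_len \
            or not sig_len or sig_len > len(body):
        raise ValueError("malformed module_signature trailer")
    return body[:-sig_len], body[-sig_len:]

def _der_iter(data: bytes):
    """Yield (tag, value) for each TLV element in a DER body."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln

OID_COMMON_NAME = b"\x55\x04\x03"           # 2.5.4.3

def find_common_names(der: bytes) -> list:
    """Collect every commonName string in a DER blob (the issuer in the PKCS#7 SignerInfo)."""
    names, prev = [], None
    for tag, val in _der_iter(der):
        if tag & 0x20:                      # constructed element: descend
            names.extend(find_common_names(val))
        elif tag in (0x13, 0x0C) and prev == (0x06, OID_COMMON_NAME):
            names.append(val.decode())      # PrintableString/UTF8String following the CN OID
        prev = (tag, val)
    return names

def check_module_signer(blob: bytes, expected_cn: str = "VirtualBox") -> bool:
    """True if the module is signed and its PKCS#7 blob names the expected MOK CN."""
    parts = split_signed_module(blob)
    return parts is not None and expected_cn in find_common_names(parts[1])
```

Run check_module_signer(open(path, "rb").read()) on each .ko the Step 5 script touched; a True result only shows that the trailer names your MOK, while the cryptographic check of the signature is still performed by the kernel at modprobe time.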
Technical Principles and Additional Notes
This solution leverages the Linux kernel module signing mechanism. Under Secure Boot the kernel only loads modules signed by a trusted key, and MOK lets the machine owner enroll additional keys (stored in UEFI variables and honoured by the shim bootloader), so modules can be trusted without being signed by the distribution's own key. The signing process uses SHA-256 hashing and a 2048-bit RSA key, appending a PKCS#7 signature to each module so the kernel can check its integrity and origin at load time.
As other answers point out, the sign-file path in the script varies with kernel version and distribution. For instance, on Ubuntu systems the path is typically /usr/src/linux-headers-$(uname -r)/scripts/sign-file. Adjust the script based on the output of the find command so that it keeps working across systems.
Additionally, after each kernel update, VirtualBox modules may need recompilation and re-signing. It is recommended to integrate the signing script into post-update hooks or execute it manually to maintain compatibility.
Conclusion and Best Practices
Signing VirtualBox kernel modules on CentOS 8 is an effective method to resolve Secure Boot compatibility issues. Key steps include generating MOK keys, enrolling keys, and creating automated signing scripts. Compared to disabling Secure Boot, this approach maintains system security while supporting VirtualBox functionality.
Best practices suggest: regularly back up MOK keys to prevent loss; check module signing status after system updates; and refer to official documentation or community resources (e.g., the provided link) for updated information. By following this guide, users can successfully run VirtualBox virtual machines in a Secure Boot-enabled environment.