Sign virtual box modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) Centos 8

Issues related to applications and software problems and general support
Post Reply
DarrellJorgensen
Posts: 3
Joined: 2021/06/08 14:20:23

Sign virtual box modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) Centos 8

Post by DarrellJorgensen » 2021/06/14 11:46:56

I started using Centos 8 recently, and I installed VirtualBox to manage my virtual machines, the problem that I encountered with is that my VirtualBox couldn't boot any VMs and it told me to execute this script /sbin/vboxconfig as root, when I run this script the following message appears :

vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
vboxdrv vboxnetflt vboxnetadp vboxpci
See the documenatation for your Linux distribution..
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.
TelltheBell
There were problems setting up VirtualBox. To re-start the set-up process, run
/sbin/vboxconfig
as root. If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.
Note that my secure boot is enabled. My question is how to sign these kernel modules in Centos 8 ?

Thanks & Best regards, Younes.

alexei28
Posts: 10
Joined: 2021/07/29 06:36:24

Re: Sign virtual box modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) Centos 8

Post by alexei28 » 2021/07/29 13:33:13

I has the same error on CentOS 7

CentOS 7, Kernel 5.12.8-1.el7.elrepo.x86_64, Virtual Box 6.1 + extension pack

Mike_Rochefort
Posts: 215
Joined: 2016/03/16 02:34:19

Re: Sign virtual box modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) Centos 8

Post by Mike_Rochefort » 2021/07/29 14:23:16

Signing the modules is actually fairly simple, but there are a few steps. They are best documented here in the RHEL docs, and if those are inaccessible, here in the Fedora docs. The only challenge I faced was with loading my key into mokutil on the reboot, as there seems to be an issue with ASRock boards not actually loading the UI, so you have to fly blind.

https://access.redhat.com/documentation ... the-kernel

https://docs.fedoraproject.org/en-US/fe ... ecure-boot

The basic process is:

[One Time Task]
1) Generate self-signing certificate
2) Load certificate into mokutil db (which is what the shim bootloader uses, you need to use shim)
3) Reboot and accept the certificate being added

[Kernel/Module Update Task]
4) Sign the kernel modules
5) Reboot or load the modules

I've been signing the NVIDIA kernel modules on my system with this process, and wrote myself a small script to do it for me with each kernel update:

Code: Select all

#!/bin/bash

kernel="$1"

for module in $(find /usr/lib/modules/$kernel/extra/nvidia -type f -name "*.ko")
do
	echo "Signing $module ..."
	/usr/src/kernels/$kernel/scripts/sign-file sha256 /path/to/mykey.priv /path/to/mykey.der $module
done
Obviously this would need adjusting for kmods other than NVIDIA's. Please note that the kernel-{ml,lt} packages from ELRepo are not signed for SecureBoot, this may cause issues. You may need to sign the actual kernel itself and its own modules.

Cheers,
Mike
Solution Architect @RedHat | RHCE
Former SysAdmin @BlueSkyStudios and @Pixar
Feature animation and VFX enthusiast
--
Report CentOS Stream 8 bugs: https://da.gd/c8s-bugs
Report CentOS Stream 9 bugs: https://da.gd/c9s-bugs

owl102
Posts: 413
Joined: 2014/06/10 19:13:41

Re: Sign virtual box modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) Centos 8

Post by owl102 » 2021/07/29 17:18:55

As an alternative to signing the modules one could disable "Secure Boot" in BIOS/UEFI.
German speaking forum for Fedora and CentOS: https://www.fedoraforum.de/

enigma131
Posts: 18
Joined: 2020/12/13 18:31:11

Re: Sign virtual box modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) Centos 8

Post by enigma131 » 2021/07/30 11:47:37

owl102 wrote:
2021/07/29 17:18:55
As an alternative to signing the modules one could disable "Secure Boot" in BIOS/UEFI.
If you are dual booting with windows 11 you have no more choice than secure boot.
CentOs 8 to RHEL 8 migrated

Post Reply