uefi - ubuntu 16.10 virtualbox doesn't get signed - Ask Ubuntu
I am having problems getting VirtualBox 5.1 working on Ubuntu 16.10 with UEFI Secure Boot enabled, so that I can start my self-study of Vagrant and go further :). I am hoping someone can help me pinpoint the problem or direct me the right way.

I researched the web a lot and came up with a procedure, but it is not working for me: when I run "sudo modinfo vboxdrv", the signature info is missing.

I will show the output I think is relevant. If you need more info, feel free to tell me:

    uname -r
    4.8.0-26-generic

    dpkg -S sign-file
    linux-headers-4.8.0-22-generic: /usr/src/linux-headers-4.8.0-22-generic/scripts/.sign-file.cmd
    linux-headers-4.8.0-26-generic: /usr/src/linux-headers-4.8.0-26-generic/scripts/.sign-file.cmd
    linux-headers-4.8.0-26: /usr/src/linux-headers-4.8.0-26/scripts/sign-file.c
    linux-headers-4.8.0-22-generic: /usr/src/linux-headers-4.8.0-22-generic/scripts/sign-file
    linux-headers-4.8.0-26-generic: /usr/src/linux-headers-4.8.0-26-generic/scripts/sign-file
    linux-headers-4.8.0-22: /usr/src/linux-headers-4.8.0-22/scripts/sign-file.c
    linux-headers-4.8.0-22-generic: /usr/src/linux-headers-4.8.0-22-generic/scripts/sign-file.c
    linux-headers-4.8.0-26-generic: /usr/src/linux-headers-4.8.0-26-generic/scripts/sign-file.c

    cd .ssh
    openssl req -new -x509 -newkey rsa:2048 -keyout mok.priv -outform der -out mok.der -days 36500 -subj "/CN=computername.module.signing@gmail.com"

(Enter the password twice, since I omitted -nodes (extra security ;]))

    chmod 600 mok.priv
    export KBUILD_SIGN_PIN="p4$$w<>rd"

(not the real password, of course :])

    -rw------- 1 username username 1834 okt 21 14:44 mok.priv
    -rw-r--r-- 1 username username 837 okt 21 14:44 mok.der
    -rwx------ 1 username username 1113 okt 21 15:20 signscript

    for f in $(dirname $(modinfo -n vboxdrv))/*.ko; do echo "signing $f"; sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./mok.priv ./mok.der $f; done
    signing /lib/modules/4.8.0-26-generic/misc/vboxdrv.ko
    @ main.c:161:
    - ssl error:0907b068:pem routines:pem_read_bio_privatekey:bad password read: pem_pkey.c:117
    sign-file: ./mok.priv: success
    signing /lib/modules/4.8.0-26-generic/misc/vboxnetadp.ko
    @ main.c:161:
    - ssl error:0907b068:pem routines:pem_read_bio_privatekey:bad password read: pem_pkey.c:117
    sign-file: ./mok.priv: success
    signing /lib/modules/4.8.0-26-generic/misc/vboxnetflt.ko
    @ main.c:161:
    - ssl error:0907b068:pem routines:pem_read_bio_privatekey:bad password read: pem_pkey.c:117
    sign-file: ./mok.priv: success
    signing /lib/modules/4.8.0-26-generic/misc/vboxpci.ko
    @ main.c:161:
    - ssl error:0907b068:pem routines:pem_read_bio_privatekey:bad password read: pem_pkey.c:117
    sign-file: ./mok.priv: success

    sudo mokutil --import mok.der

I rebooted the computer and successfully enrolled the certificate. When I verify whether vboxdrv got signed:

    sudo modinfo vboxdrv
    filename: /lib/modules/4.8.0-26-generic/misc/vboxdrv.ko
    version: 5.1.8 r111374 (0x00280000)
    license: gpl
    description: oracle vm virtualbox support driver
    author: oracle corporation
    srcversion: 0194e56703167bb8828186f
    depends: jjjjjjjjjjjjjjjjj
    vermagic: 4.8.0-26-generic smp mod_unload modversions
    parm: force_async_tsc:force asynchronous tsc mode (int)

The module isn't signed; this info is missing from the output:

    signer:
    sig_key: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
    sig_hashalgo: sha256

To make sure I didn't make an error, I used this script: https://github.com/majal/maj-scripts/blob/master/vboxsign

    #!/bin/bash
    # Sign and load VirtualBox modules

    # Run as root
    [ "`whoami`" = root ] || exec sudo "$0" "$@"

    # Set working directory
    dir=/home/username/.ssh
    cd $dir

    # (Optional) Set env KBUILD_SIGN_PIN for encrypted keys
    printf "please enter key passphrase (leave blank if not needed): "; read -s
    export KBUILD_SIGN_PIN="$REPLY"

    # (Optional) Decrypt private key. To encrypt, run `gpg -c mok.priv` and shred mok.priv
    #gpg -d --batch --passphrase-file /owned/by/root/.pass mok.priv.gpg > mok.priv

    echo

    # Sign and load modules
    for module in vboxdrv vboxnetflt vboxnetadp vboxpci; do
      [ "`hexdump -e '"%_p"' $(modinfo -n $module) | tail | grep signature`" ] && echo -e "\e[93mmodule $module signed. skipping.\e[0m" || /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./mok.priv ./mok.der $(modinfo -n $module)
      printf "$module: "
      echo `hexdump -e '"%_p"' $(modinfo -n $module) | tail | grep signature`
      modprobe $module && echo -e "\e[92m$module loaded\e[0m" || echo -e "\e[91mfailed load $module\e[0m"
    done

    # (Optional) Shred private key
    echo
    #shred -vfuz mok.priv

Unfortunately without success: I get SSL errors, but the sign-file script tells me it signed successfully ("sign-file: ./mok.priv: success"):

    at main.c:161:
    - ssl error:06065064:digital envelope routines:evp_decryptfinal_ex:bad decrypt: evp_enc.c:529
    - ssl error:23077074:pkcs12 routines:pkcs12_pbe_crypt:pkcs12 cipherfinal error: p12_decr.c:108
    - ssl error:2306a075:pkcs12 routines:pkcs12_item_decrypt_d2i:pkcs12 pbe crypt error: p12_decr.c:139
    - ssl error:0907b00d:pem routines:pem_read_bio_privatekey:asn1 lib: pem_pkey.c:141
    sign-file: ./mok.priv: success
    vboxpci: modprobe: error: not insert 'vboxpci': required key not available
    failed load vboxpci

When I do:

    sudo /sbin/vboxconfig
    created symlink /etc/systemd/system/multi-user.target.wants/vboxdrv.service → /lib/systemd/system/vboxdrv.service.
    created symlink /etc/systemd/system/multi-user.target.wants/vboxballoonctrl-service.service → /lib/systemd/system/vboxballoonctrl-service.service.
    created symlink /etc/systemd/system/multi-user.target.wants/vboxautostart-service.service → /lib/systemd/system/vboxautostart-service.service.
    created symlink /etc/systemd/system/multi-user.target.wants/vboxweb-service.service → /lib/systemd/system/vboxweb-service.service.
    vboxdrv.sh: building virtualbox kernel modules.
    vboxdrv.sh: starting virtualbox services.
    vboxdrv.sh: building virtualbox kernel modules.
    vboxdrv.sh: failed: modprobe vboxdrv failed. please use 'dmesg' find out why.
    there problems setting virtualbox. re-start set-up process, run /sbin/vboxconfig root.

"sudo dmesg | grep vbox" is empty, though.

I know this is a lot of info, but I hope someone can help me or point me in the right direction.

This is a clean install, so I can play around if needed :)
Your provided output shows a password error during the signing process of each module:

    signing /lib/modules/4.8.0-26-generic/misc/vboxdrv.ko
    @ main.c:161:
    - ssl error:0907b068:pem routines:pem_read_bio_privatekey:bad password read: pem_pkey.c:117

The problem is that the password is never reaching OpenSSL. You specify the password as an environment variable for the current user:

    export KBUILD_SIGN_PIN="p4$$w<>rd"

But when you run the signing script a few lines down, you are using sudo, which runs in the root environment instead of the user's environment:

    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./mok.priv ./mok.der $f

The script is run as root, and since the KBUILD_SIGN_PIN variable is not in the root environment, the script cannot access KBUILD_SIGN_PIN.

One fix is putting the environment variable after sudo, to make sure it is set in the root environment:

    sudo KBUILD_SIGN_PIN="p4$$w<>rd" /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./mok.priv ./mok.der $f
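
The environment loss described in the answer, together with a signature check that does not rely on sign-file's own message, as an added example (not part of the original question or answer). `env -i` is a stand-in for sudo's default environment reset, the 28-byte `~Module signature appended~` trailer is the marker the kernel's module-signing format places at the end of a signed module, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. The .ko files below are constructed stand-ins, not real modules.

# Trailer that ends a signed module (followed by a newline: 28 bytes in total).
MARKER='~Module signature appended~'

# Return 0 only if the file really ends with the signature trailer.
module_is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$MARKER" ]
}

# Print what a child process sees in KBUILD_SIGN_PIN after an environment
# reset. `env -i` stands in for sudo's reset (assumption); any VAR=value
# arguments are passed past the reset, like `sudo VAR=value command`.
pin_seen_by_child() {
    env -i "$@" /bin/sh -c 'printf %s "${KBUILD_SIGN_PIN:-<unset>}"'
}

demo() {
    tmp=$(mktemp -d)
    printf 'module-bytes' > "$tmp/unsigned.ko"
    { printf 'module-bytes+signature'; printf '%s\n' "$MARKER"; } > "$tmp/signed.ko"

    # Single quotes: inside double quotes, $$ would expand to the shell's PID.
    export KBUILD_SIGN_PIN='constructed-p4$$phrase'

    echo "exported, then reset:   $(pin_seen_by_child)"
    echo "passed after the reset: $(pin_seen_by_child KBUILD_SIGN_PIN="$KBUILD_SIGN_PIN")"

    # Verify the result on disk instead of trusting the signer's output.
    for f in "$tmp"/*.ko; do
        if module_is_signed "$f"; then
            echo "signed:     $f"
        else
            echo "NOT signed: $f"
        fi
    done
    rm -rf "$tmp"
}

demo
```

A value written as `sudo VAR=value ...` sits on the command line, so it ends up in shell history and is visible in the process list while sudo runs; a root-run script that prompts with `read -s`, as the vboxsign script quoted in the question does, avoids both.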