Opened 21 months ago
Last modified 20 months ago
#21347 new defect
VB systemd unit persistently rebuilding kernel modules with secureboot
| Reported by: | lxop | Owned by: | |
|---|---|---|---|
| Component: | host support | Version: | VirtualBox-7.0.4 |
| Keywords: | kernel modules, secureboot | Cc: | |
| Guest type: | all | Host type: | Linux |
Description
In Debian, the kernel source script extract-module-sig.pl is not available in the kernel modules build/scripts directory. The VirtualBox systemd unit script relies on this script to determine whether the VB kernel modules are appropriately signed if it detects that secureboot is enabled. Since it can't find the script, it believes there is something wrong with the modules, and rebuilds them every time the service starts (at least on every boot), regardless of whether they were correctly signed. This means that every time I reboot my machine, VirtualBox refuses to operate until I go back and sign the newly-built kernel modules.
System: Debian Bullseye VB installed with the deb distributed by the download.virtualbox.org repository.
Change History (3)
comment:1 by , 21 months ago
comment:2 by , 20 months ago
Hi galitsyn,
Thanks for your response. I have a passphrase on the signing key, so it will not be possible to sign the modules automatically (to do so would completely defeat the purpose of secureboot). I don't mind signing the modules manually, but only when the kernel is updated - on every boot is silly.
However, even if I were to make use of automatic signing, the systemd unit script would be (automatically) signing the modules every time it runs, since the lack of extract-module-sig.pl would cause it to believe the modules are unsigned.
Many thanks,
lxop
comment:3 by , 20 months ago
In addition, if the kernel modules are built/signed/all ok but simply not loaded, the vboxdrv.sh script will consider them broken and rebuild because the vboxmanage -v command includes a big warning banner on stdout, thus confusing the vboxdrv.sh script when it tries to get the version.


Hi lxop,
If you setup signing environment in your Debian distro (either host or guest), you should not sign modules manually, it should be done automatically (by either
rcvboxdrvorrcvboxadd). If it is not a case, let's look at it a bit closer. Could you please double check?