Kernel does not load the x509 key
uname -r = 7.0.9-hardened1-1-hardened
Virtualbox = 7.2.8
grub kernel parameter: kvm.enable_virt_at_load=0 lockdown=integrity module.sig_enforce=1
Secureboot: On
https://docs.kernel.org/admin-guide/module-signing.html
https://wiki.archlinux.org/title/VirtualBox
https://wiki.gentoo.org/wiki/Signed_ker … roper_keys
https://www.kernel.org/doc/html/v4.15/a … gning.html
[root@host module-signing]# zcat /proc/config.gz |grep CONFIG_MODULE_SIG_KEY
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
zcat /proc/config.gz | grep CONFIG_MODULE_SIG_ALL
CONFIG_MODULE_SIG_ALL=y
[root@host module-signing]# zcat /proc/config.gz | grep CONFIG_MODULE_SIG_HASH
CONFIG_MODULE_SIG_HASH="sha512"
[root@host module-signing]# vim x509.genkey
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Modules
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
[root@host module-signing]#openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
[root@host module-signing]#cp signing_key.pem /lib/modules/$(uname -r)/build/certs/signing_key.pem
[root@host module-signing]#cp signing_key.x509 /lib/modules/$(uname -r)/build/certs/signing_key.x509
[root@host module-signing]# find "/lib/modules/$(uname -r)/" '(' -name 'vboxdrv.ko*' -o -name 'vboxnetadp.ko*' -o -name 'vboxnetflt.ko*' ')' -exec /lib/modules/$(uname -r)/build/scripts/sign-file sha512 /lib/modules/$(uname -r)/build/certs/signing_key.pem /lib/modules/$(uname -r)/build/certs/signing_key.x509 {} ';'
[root@host module-signing]# mokutil --import signing_key.x509
[root@host module-signing]# mkinitcpio -P
## REBOOT & ENROLL MOK
[root@host dkms]# modinfo vboxdrv | grep '^sig'
sig_id: PKCS#7
signer: Modules
sig_key: 45:7F:97:A2:64:59:70:48:1A:C6:BE:BB:81:F6:16:BD:5D:EB:E4:91
sig_hashalgo: sha512
signature: A2:26:B9:88:54:BE:DC:D7:66:1C:3D:DB:45:17:3F:EE:C6:0C:0B:8D:
## Validation part from the Gentoo URL. The commands below do not show the sig_key or the CN "Modules".
dmesg | grep -i 'x.*509'
cat /proc/keys
I can't add additional public keys to the kernel because I don't see the .system_keyring. I tried to add it to .builtin_trusted_keys:
keyctl padd asymmetric "" 0x21a3ffaf <signing_key.x509
add_key: Permission denied
I successfully signed the vbox modules. The modules do not load because the kernel does not load the x509 key after a rebuild of the kernel. What now?
I think I need to recompile my installed kernel every time
Have you read https://wiki.archlinux.org/title/Signed_kernel_modules ?