Cannot sign vbox kernel modules after kernel update

Dear Community,

I was running VirtualBox on Leap 15.4 on a UEFI machine (secure boot) with backport kernel 6.1.9-lp153.2. I had enrolled a Machine User Key, and after build of the kernels vboxdrv.ko etc., VirtualBox 7.0.4 worked fine.
After a kernel update, kernel modules could not be loaded. To sign the kernels, I ran:

 /usr/src/linux-6.2.2-lp154.2.g62a3141-obj/x86_64/default/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der vboxdrv.ko

/usr/src/linux-6.2.2-lp154.2.g62a3141-obj/x86_64/default/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der vboxnetadp.ko

 /usr/src/linux-6.2.2-lp154.2.g62a3141-obj/x86_64/default/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der vboxnetflp.ko

in /lib/modules/6.2.2-lp154.2.g62a3141-default/misc #
This seemed to have worked, at least I got no error message.
However, running /sbin/vboxconfig gave an error message:

vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

With dmesg | grep modprobe I got:

[  138.230109] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

Does anybody know what was wrong and how I could sign the kernel modules?
Many thanks in advance, agh63

6.2.1 will have lockdown patches - openSUSE Factory - openSUSE Mailing Lists

And please note, that while these patches are reverted for Tumbleweed they remain in master kernel sources that you are apparently using.

The problem is not signing, but verification. For now, your options are keeping older kernel or disabling Secure Boot.
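Added example, not part of any post in this thread: sign-file printed nothing, so one way to confirm that a signature really was appended is to parse the trailer that the kernel's module signing format places at the end of the .ko file. The sample bytes are constructed and the function names are this example's own; it checks only that the trailer is present and well-formed, not whether the running kernel trusts the signing key.

```python
"""Inspect the signature trailer that scripts/sign-file appends to a .ko file."""
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # MODULE_SIG_STRING in the kernel sources
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature; sig_len is big-endian
PKEY_ID_PKCS7 = 2                          # id_type value used for PKCS#7 signatures


def signature_info(blob: bytes):
    """Return a dict describing the appended signature, or None if the file is unsigned."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("magic string present but trailer is truncated")
    # Fields: algo, hash, id_type, signer_len, key_id_len, (3 pad bytes), sig_len
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    module_len = len(body) - TRAILER.size - sig_len
    if module_len < 0:
        raise ValueError("sig_len is larger than the file")
    return {
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "module_len": module_len,
        "signature": body[module_len:module_len + sig_len],
    }


def build_sample(module: bytes, signature: bytes) -> bytes:
    """Constructed input: module bytes + placeholder signature + trailer + magic."""
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module + signature + trailer + MAGIC


if __name__ == "__main__":
    if len(sys.argv) == 1:
        # No file given: run on constructed samples instead of a real module.
        unsigned = b"\x7fELF" + b"\x00" * 60
        signed = build_sample(unsigned, b"\x30\x82" + b"\xaa" * 30)
        print("constructed unsigned sample:", signature_info(unsigned))
        print("constructed signed sample:", signature_info(signed)["sig_len"], "signature bytes")
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = signature_info(fh.read())
        state = "unsigned" if info is None else f"signed ({info['sig_len']}-byte signature, PKCS#7: {info['pkcs7']})"
        print(f"{path}: {state}")
```

Run with one or more uncompressed .ko paths as arguments; a file reported as signed here that still fails to load points at verification rather than signing.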

Dear arvidjaar,

thank you very much for the fast reply. I am afraid, I did not really get what to do about these 6.2.1 lockdown patches. Shall I install some patches? How does it work? I followed the link, but I did not understand what to do…
How can I get back to the older kernel? I would like to keep secure boot. I am sorry, I am not so experienced with backport kernel stuff…

Assuming a working kernel is still present on your system, you could configure zypper to keep it (see SDB:Keep multiple kernel versions - openSUSE Wiki) and set it as the default in the bootloader configuration. If the kernel was already purged, you could roll back to a previous snapshot if you are using btrfs.

Dear arvidjaar,

thanks again - I modified grub.cfg and boot to 6.1.9 now. Everything works.
Still I do not understand the problem with 6.2.2: is it a bug? Will there be an updated kernel version that allows me to verify the kernel modules?

By the way: although I am using btrfs, there was no snapshot for the backport kernel 6.1.9 - the latest one before 6.2.2 was 5.14.21. Do you have an idea why the kernel update from 6.1.9 to 6.2.2 did not produce a snapshot?

If you define “bug” as “does not work as expected” - yes, it is a bug.

We all hope there will. When it is ready …

As was posted on factory list, short term lockdown patches are removed in Factory (Tumbleweed) and Kernel:stable repository. You did not say which repository you are using.

No. You need to give more detailed description how you performed this update.