How to get VBox running

#vboxconfig
Sources for building host modules are not present,
Use ‘sudo zypper install virtualbox-host-source kernel-devel kernel-default-devel’ to install them. Quitting …

So I followed the instruction and tried again.

#vboxconfig
Building kernel modules…
Kernel modules built correctly. They will now be installed.
insmod /lib/modules/5.3.18-59.37-default/weak-updates/extra/vboxdrv.ko
modprobe: ERROR: could not insert ‘vboxnetflt’: Key was rejected by service
insmod /lib/modules/5.3.18-59.37-default/weak-updates/extra/vboxdrv.ko
modprobe: ERROR: could not insert ‘vboxnetadp’: Key was rejected by service
Kernel modules are installed and loaded.

I can’t get VBox running. What should I do about “Key was rejected by service”?

Virtualbox is prebuilt for OpenSUSE

sudo zypper in virtualbox

Add your user to the group and reboot.

No kernel gen is needed.

It works best if secure boot is disabled - there are instructions to add secure boot signature - I am too lazy to do that.

You need to sign your modules and enroll certificate used to sign them or disable secure boot.

And please, use tags [noparse]

...

[/noparse] around computer text.

Need I reinstall VBox?
I don’t like to disable secure boot and lose security, and there are guides for VBox on signing the kernel on Debian. How is it done on openSUSE?

You use mokutil to enroll your own certificate and use scripts/sign-file to sign your modules. If your Debian guide suggests something different, you could at least post link to it.

VirtualBox is available for openSUSE in default repositories and these modules are signed by openSUSE key, so no manual steps are required at all. You could start with explaining why you need to compile your own modules for default openSUSE kernel in the first place.

Do not spread misinformation. VirtualBox built for openSUSE is signed by openSUSE key.

You use mokutil to enroll your own certificate and use scripts/sign-file to sign your modules. If your Debian guide suggests something different, you could at least post link to it.

https://unix.stackexchange.com/questions/560895/sign-kernel-modules

The first few steps are OK, until:

#/usr/src/linux-5.3.18-59.37-obj/x86_64/default/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der vboxdrv.ko

At main.c:291:
- SSL error:02001002:system library:fopen:No such file or directory: crypto/bio/bss_file.c:69
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: crypto/bio/bss_file.c:76
sign-file: vboxdrv.ko: No such file or directory

I don’t know what to do next.

Provide correct path to file.

I don’t know the path, I just follow the link.

I replaced vbox.ko with /lib/modules/5.3.18-59.37-default/weak-updates/extra/vboxdrv.ko, and there are still problems in vboxconfig.

Does not work on my Dell 7490 with BIOS 1.21.0. No machine will start.

Secureboot had to be off for VirtualBox on my laptops. It did work with secureboot back in 6.1.14, then it stopped - BIOS back then was 1.16.0. That was a few kernels ago.

My 2 cents.

I did try again last night - no virtualbox machine started - said no virtualbox support in kernel.

Not worth the trouble to diagnose as Larry Finger suggested I turn off secure boot. He is VirtualBox support.

I build my own kernel:stable:backport also some kmps incl virtualbox and have no problems with the kmps and my own key in mok:
https://forums.opensuse.org/showthread.php/560900-Help-on-booting-to-a-5-14-11-kernel-stable-backports-kernel-with-secure-boot-(or-must-I-disable)?p=3073187#post3073187

I had the same problem as you. I am using VirtualBox only from openSUSE repos.
I combined information from
https://forums.opensuse.org/showthread.php/555343-Virtualbox-kernel-driver-no-loading-secureboot-enabled-how-to-sign-modules
and
https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.3/#driver-hardware point 4.1.

I did:

  1. Ensured that the package openSUSE-signkey-cert is installed
  2. Checked already stored keys
mokutil -l

One of CN=openSUSE Secure Boot CA or CN=SUSE Linux Enterprise Secure Boot CA was missing. I don’t remember which one it was.

  3. Ran

mokutil -i /etc/uefi/certs/BDD31A9E-kmp.crt

  4. Rebooted and chose to enroll the new key.

And openSUSE certificate is enrolled?

I have not installed it again - do we need to do that with every new kernel?

LLR1:~ # mokutil -l
[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Validity
            Not Before: Apr 18 14:33:41 2013 GMT
            Not After : Mar 14 14:33:41 2035 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
            X509v3 Authority Key Identifier: 
                keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
                DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
                serial:01

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
LLR1:~ # efibootmgr -v
BootCurrent: 0001
Timeout: 2 seconds
BootOrder: 0001,0005
Boot0000* opensuse    HD(1,GPT,432043f7-9408-4d02-b38b-281598ac03d1,0x800,0x40000)/File(\EFI\opensuse\grubx64.efi)
Boot0001* opensuse-secureboot    HD(1,GPT,2d22909d-bed6-4eb1-a068-fd4eb54acab8,0x800,0x100000)/File(\EFI\opensuse\shim.efi)
Boot0005* UEFI: INTEL SSDPEKNU010TZ, Partition 1    HD(1,GPT,2d22909d-bed6-4eb1-a068-fd4eb54acab8,0x800,0x100000)/File(EFI\boot\bootx64.efi)..BO
Boot000A* opensuse-secureboot    HD(1,GPT,eb4b1784-a6f4-472c-a4f3-644854222429,0x800,0xfa000)/File(\EFI\opensuse\shim.efi)
LLR1:~ # 

You did not install it at all.

do we need to do that with every new kernel?

No.

LLR1:~ # mokutil -l
[key 1]
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de

This is default SUSE certificate used to sign kernel which is embedded in SUSE shim. You do not have openSUSE certificate. KMP built for openSUSE Leap 15.3 are signed by openSUSE key, corresponding certificate is available as /etc/uefi/certs/BDD31A9E-kmp.crt which is included in package openSUSE-signkey-cert. This package is Recommended by Base pattern and should normally be present. During installation it creates certificate enrollment request. Unfortunately, users often miss or ignore MokManager screen on next reboot so this enrollment request does not complete.

Interesting attitude. Instead of solving the cause you work around symptoms.

as Larry Finger suggested I turn off secure boot. He is VirtualBox support.

It does not mean he knows how secure boot works.

vboxconfig recreates modules and immediately tries to load them, which of course fails because modules are not yet signed. If you used vboxconfig again after having signed modules, you need to sign them again.
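An added example, not written by any poster in this thread: a check that tells apart the three states discussed above for a certificate such as /etc/uefi/certs/BDD31A9E-kmp.crt, namely enrolled, pending (the request was created but MokManager was never confirmed at reboot) or missing. The function names and the sample fingerprints are assumptions; the `--live` branch also prints the signer of each VirtualBox module, which comes back empty after vboxconfig has rebuilt them unsigned.

```shell
#!/bin/sh
# Added example: is a certificate enrolled in MOK, pending, or missing?

# Reduce a fingerprint line to bare lowercase hex so that openssl's
# "SHA1 Fingerprint=BC:A4:..." and mokutil's "SHA1 Fingerprint: bc:a4:..." compare equal.
norm_fp() {
    printf '%s\n' "$1" | sed 's/^.*Fingerprint[=:]//' | tr -d ' :' | tr 'A-F' 'a-f'
}

# has_fp LIST FP: succeeds if LIST (output of mokutil -l or --list-new) contains FP.
has_fp() {
    want=$(norm_fp "$2")
    printf '%s\n' "$1" | grep 'SHA1 Fingerprint' | while read -r line; do
        if [ "$(norm_fp "$line")" = "$want" ]; then echo hit; fi
    done | grep hit >/dev/null
}

# mok_state ENROLLED PENDING FP: prints enrolled, pending or missing.
mok_state() {
    if has_fp "$1" "$3"; then echo enrolled
    elif has_fp "$2" "$3"; then echo pending   # request waits for MokManager at next boot
    else echo missing
    fi
}

# Constructed sample input. The first fingerprint is the SUSE CA shown in the thread;
# the second is a made-up placeholder standing in for BDD31A9E-kmp.crt.
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8'
SAMPLE_PENDING='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33'
SAMPLE_FP='SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

if [ "${1:-}" = "--live" ]; then
    # Live check (run as root). Assumes the certificate file is DER-encoded.
    cert=${2:-/etc/uefi/certs/BDD31A9E-kmp.crt}
    fp=$(openssl x509 -inform DER -in "$cert" -noout -fingerprint -sha1)
    mok_state "$(mokutil --list-enrolled)" "$(mokutil --list-new)" "$fp"
    for m in vboxdrv vboxnetflt vboxnetadp; do
        echo "$m signer: $(modinfo -F signer "$m" 2>/dev/null || true)"
    done
else
    mok_state "$SAMPLE_ENROLLED" "$SAMPLE_PENDING" "$SAMPLE_FP"
fi
```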

OK, I did load exactly what you said months ago when secure boot caused VirtualBox to fail.

found it in my fc -l buffer.

487     mokutil -i /etc/uefi/certs/BDD31A9E-kmp.crt
488     mokutil -l

Made no difference. That was what Larry Finger suggested to do, by the way.

It is installed

LLR1:~ # zypper se -si signkey
Loading repository data...
Reading installed packages...

S | Name                  | Type    | Version            | Arch   | Repository
--+-----------------------+---------+--------------------+--------+------------------------
i | openSUSE-signkey-cert | package | 20210302-lp153.1.1 | x86_64 | openSUSE-Leap-15.3-Oss1
LLR1:~ # 

Something may be broken.

When I run “mokutil -l” here, it tells me that the list is empty. It shouldn’t be.

Either “mokutil” is broken or the enrolling process is broken.

I suggest you file a bug report on this, and post the bug number here.

Show:

ls -al /etc/uefi/certs/