Oracle VirtualBox - Mainboard died with a VB Client active

Does anyone know if, Oracle VirtualBox Clients have a chance to survive a Mainboard failure?

  • I was running a Windows 10 Update in a VB Client and, the Mainboard died during a coffee break.
    I mean, really died – no Video – Keyboard dead – on reboot, no BIOS/UEFI, no disk activity – BIOS/UEFI reset by means of Jumper and removal of the CMOS battery and Jumper with removed CMOS battery, didn’t help.
    Fans are still spinning – Mainboard LEDs are on – Ethernet interface is powered on (Green LED).

[HR][/HR]I’ll know if Leap 15.4 survived next week, Tuesday, when a replacement Mainboard is due to be delivered.

NTFS is a journaling file system - unless you were in the reboot / update part where the dll’s are being updated - it moves the old one out and moves the new ones in - it cannot recover from that part - windows 10 and 11 should recover upon a reboot.

@larryr:

You’re right.

  • Back with a new Mainboard and, new Memory – when I first booted with the new Mainboard it didn’t, but, the new Hardware has POST LEDs which indicated that, the DRAM had a problem –
    Removed one of the two 8GB memory cards and, it booted – re-inserted the dead memory and, DRAM failure.
    Purchased a 2x16 GB memory kit with more allowable MHz …

Linux booted OK, except that I can’t persuade the AMD B550 chipset to allow Secure Boot – it continually complains that a needed Key isn’t available.
The rest is, AFAICS, all OK – the Oracle VirtualBox VM with Windows 10 restarted OK – Windows installed an update OK and, resumed the Feature Update which got killed by the Mainboard.
[INDENT=2]Everything seems to be OK …
[/INDENT]

You can force install the secure key with zypper then reboot and in the bootup mode turn on secure boot and allow the security key to be installed into the mainboard on reboot.

sudo zypper in --force openSUSE-signkey-cert

Thanks for the hint but, also that doesn’t work with an ASUS PRIME B550-PLUS Mainboard with the newest UEFI/BIOS version from ASUS.

  • “mokutil --install” didn’t ever, with the new Mainboard, trigger a “MokUtil Blue Screen” on boot.
  • All the certificates in ‘/etc/uefi/certs/’ have been copied to ‘/boot/efi/EFI/’ and loaded from there by means of the ASUS UEFI interface into the UEFI/BIOS databases.
  • Those certificates load a boot time despite, Secure Boot being disabled –

 # journalctl -b 0 --no-hostname --output=short-monotonic --system | grep -iE 'secur|cert|box|tpm|spect'
    0.000000] kernel: efi: ACPI=0xca93b000 ACPI 2.0=0xca93b014 TPMFinalLog=0xcac1d000 SMBIOS=0xcb9f5000 SMBIOS 3.0=0xcb9f4000 MEMATTR=0xc7270818 ESRT=0xc9739018 RNG=0xcba37f18 TPMEventLog=0xc198c018 
    0.000000] kernel: secureboot: Secure boot disabled
    0.005489] kernel: secureboot: Secure boot disabled
    0.005551] kernel: ACPI: TPM2 0x00000000CA82E000 00004C (v04 ALASKA A M I    00000001 AMI  00000000)
    0.005599] kernel: ACPI: Reserving TPM2 table memory at [mem 0xca82e000-0xca82e04b]
    0.107475] kernel: LSM: Security Framework initializing
    0.108075] kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
    0.108077] kernel: Spectre V2 : Mitigation: Retpolines
    0.108077] kernel: Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
    0.108078] kernel: Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
    0.108080] kernel: Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
    0.859269] kernel: Loading compiled-in X.509 certificates
    0.859295] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
    0.862962] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890030] kernel: integrity: Loaded X.509 cert 'ASUSTeK MotherBoard SW Key Certificate: da83b990422ebc8c441f8d8b039a65a2'
    0.890035] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890268] kernel: integrity: Loaded X.509 cert 'ASUSTeK Notebook SW Key Certificate: b8e581e4df77a5bb4282d5ccfc00c071'
    0.890269] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890292] kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
    0.890293] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890316] kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
    0.890318] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890519] kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
    0.890520] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890546] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
    0.890547] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890752] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
    0.890754] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890774] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
    0.890775] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.890792] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
    0.891366] kernel: Loading compiled-in module X.509 certificates
    0.891395] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
    1.025082] kernel: evm: security.selinux
    1.025085] kernel: evm: security.SMACK64 (disabled)
    1.025087] kernel: evm: security.SMACK64EXEC (disabled)
    1.025089] kernel: evm: security.SMACK64TRANSMUTE (disabled)
    1.025090] kernel: evm: security.SMACK64MMAP (disabled)
    1.025092] kernel: evm: security.apparmor
    1.025093] kernel: evm: security.ima
    1.025094] kernel: evm: security.capability
    1.076592] systemd[1]: systemd 249.12+suse.135.g7b70d88264 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR -IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid)
    5.951436] systemd[1]: systemd 249.12+suse.135.g7b70d88264 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR -IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid)
    6.651431] systemd[1]: Found device /dev/tpm0.
    6.898685] kernel: SGI XFS with ACLs, security attributes, quota, no debug enabled
    8.343466] systemd[1]: Starting Security Auditing Service...
    8.351975] systemd[1]: Condition check resulted in RPC security service for NFS client and server being skipped.
    8.352124] systemd[1]: Condition check resulted in RPC security service for NFS server being skipped.
    8.442114] systemd[1]: Started Security Auditing Service.
    8.458532] systemd[1]: Started Watch for changes in CA certificates.
    8.501590] systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
    8.503297] systemd[1]: Starting VirtualBox Linux kernel module...
    8.576655] tpm2-abrmd[1009]: tcti_conf before: "(null)"
    8.577025] tpm2-abrmd[1009]: tcti_conf after: "device:/dev/tpm0"
    8.599842] systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
    8.640958] vboxdrv.sh[1011]: vboxdrv.sh: Starting VirtualBox services.
    8.644854] vboxdrv.sh[1095]: Starting VirtualBox services.
    8.670091] kernel: vboxdrv: loading out-of-tree module taints kernel.
    8.676837] kernel: vboxdrv: Found 8 processor cores
    8.677423] systemd-udevd[646]: vboxdrv: /usr/lib/udev/rules.d/60-vboxdrv.rules:1 Only network interfaces can be renamed, ignoring NAME="vboxdrv".
    8.677751] systemd-udevd[647]: vboxdrvu: /usr/lib/udev/rules.d/60-vboxdrv.rules:2 Only network interfaces can be renamed, ignoring NAME="vboxdrvu".
    8.697310] kernel: vboxdrv: TSC mode is Invariant, tentative frequency 3693307152 Hz
    8.697318] kernel: vboxdrv: Successfully loaded version 6.1.36_SUSE r152435 (interface 0x00320000)
    8.911496] kernel: VBoxNetFlt: Successfully started.
    8.916434] kernel: VBoxNetAdp: Successfully started.
    8.916900] systemd-udevd[646]: vboxnetctl: /usr/lib/udev/rules.d/60-vboxdrv.rules:3 Only network interfaces can be renamed, ignoring NAME="vboxnetctl".
    8.922249] vboxdrv.sh[1110]: VirtualBox services started.
    8.923874] systemd[1]: Started VirtualBox Linux kernel module.
    8.926344] systemd[1]: Starting vboxautostart-service.service...
    8.932953] vboxautostart-service.sh[1111]: vboxautostart-service.sh: Starting VirtualBox VMs configured for autostart.
    8.934700] vboxautostart-service.sh[1114]: Starting VirtualBox VMs configured for autostart.
    8.941839] systemd[1]: Started vboxautostart-service.service.
 # 

I’m suspecting a vendor-specific UEFI/BIOS Secure Boot issue …

My error was –

  • I had too many Keys in the UEFI Key Exchange Key Signature database (KEK).
  • I deleted – using the Mainboard’s UEFI BIOS setup menus – all the openSUSE/SUSE keys which weren’t “Secure Boot CA” …

 > mokutil --kek | grep -iE 'Subject:|SHA1 Fingerprint:'
SHA1 Fingerprint: 29:76:43:59:2d:af:e8:1f:6b:11:6e:89:d9:6d:57:75:2f:1a:b8:0b
        Subject: CN=ASUSTeK MotherBoard KEK Certificate
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: ec:56:e9:13:44:95:92:5f:d8:db:b4:8e:2c:31:8a:0d:79:e8:f8:e3
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
 > 
 > mokutil --kek | grep -i '  Validity' --after-context\=3
        Validity
            Not Before: Dec 26 23:34:59 2011 GMT
            Not After : Dec 26 23:34:58 2031 GMT
        Subject: CN=ASUSTeK MotherBoard KEK Certificate
--
        Validity
            Not Before: Jun 24 20:41:29 2011 GMT
            Not After : Jun 24 20:51:29 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
--
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
--
        Validity
            Not Before: Apr 18 14:33:41 2013 GMT
            Not After : Mar 14 14:33:41 2035 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
--
        Validity
            Not Before: Jan 22 14:20:08 2013 GMT
            Not After : Dec 18 14:20:08 2034 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
 > 

Also, before rebooting and deleting the extraneous KEK keys, I re-ran the YaST Bootloader setup.

And then, the mokutil “Blue Screen” appeared at the next boot with, the Secure Boot OS Type set to “Windows UEFI Mode” …
The current UEFI secure boot signature store (db) keys are:


 > mokutil --db | grep -iE 'Subject:|SHA1 Fingerprint:'
SHA1 Fingerprint: 16:b3:6b:31:bb:b6:cb:eb:a3:b1:2e:dd:5a:32:32:e9:93:f3:7d:d1
        Subject: CN=ASUSTeK MotherBoard SW Key Certificate
SHA1 Fingerprint: 62:b5:1e:d2:e6:c7:5e:27:33:52:c8:b0:52:1a:97:48:18:e9:23:3e
        Subject: CN=ASUSTeK Notebook SW Key Certificate
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
SHA1 Fingerprint: 4a:aa:0b:54:67:76:1e:cf:c0:0a:42:32:b1:7a:b4:8b:3e:09:a3:bf
        Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: 40:90:59:99:c6:a8:81:6f:68:f7:17:bc:9f:e3:76:fd:6e:4c:3c:ef
        Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
SHA1 Fingerprint: 1f:67:32:97:da:56:8a:e0:de:df:db:7c:8c:c6:8f:9e:cb:85:72:75
        Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
 > 

And now, the Secure Boot is just fine – systemd Journal entries:


    0.000000] kernel: secureboot: Secure boot enabled
    0.000000] kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
    0.005643] kernel: secureboot: Secure boot enabled

But, I have keys being loaded from both the UEFI “db” and, the MOKvar table (MokListRT) –


    0.839252] kernel: Loading compiled-in X.509 certificates
    0.839293] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
    0.843207] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.868671] kernel: integrity: Loaded X.509 cert 'ASUSTeK MotherBoard SW Key Certificate: da83b990422ebc8c441f8d8b039a65a2'
    0.868677] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869088] kernel: integrity: Loaded X.509 cert 'ASUSTeK Notebook SW Key Certificate: b8e581e4df77a5bb4282d5ccfc00c071'
    0.869090] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869134] kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
    0.869137] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869182] kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
    0.869184] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869459] kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
    0.869460] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869482] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
    0.869483] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869682] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
    0.869683] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869707] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
    0.869708] kernel: integrity: Loading X.509 certificate: UEFI:db
    0.869726] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
    0.869945] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.870177] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
    0.870179] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.870199] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
    0.870200] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.870407] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
    0.870408] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.870429] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
    0.870430] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.870631] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
    0.870632] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.871269] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: 3d4d40cf938539024b1cfc5a12dedfe8b17e755f'
    0.871270] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.871290] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
    0.871291] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.871310] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
    0.871311] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.871514] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
    0.871515] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    0.871534] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
    0.871543] kernel: Loading compiled-in module X.509 certificates
    0.871562] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'

How that needs to be cleaned up, remains as an open work item …