Virtualbox driver not signed for Secure Boot in Leap 15.6?

Hello, guys. I need your help because I’ve migrated my work laptop from Tumbleweed to Leap 15.6 and now I cannot run Virtualbox machines because its drivers/modules seem to be unsigned for Secure Boot: Virtualbox works flawlessly in Leap with Secure Boot switched off but I’ve never had to switch it off with Tumbleweed and I need Secure Boot active. What could be the reason for not signing VBox modules in Leap when they’re signed in TW? Is this the normal behaviour of Virtualbox in Leap or is it a one-off problem?

I’m using Virtualbox from official repos (currently, 7.0.18_SUSE r162988) but I’ve tried Oracle’s repo with the same result (maybe that’s not strange being a third party repo). I leave a screenshot of the error window to be sure I’m not misreading it (although VBox works with SB off, so I think there’s little space for misunderstanding).

VirtualBox-Secure_Boot

Thank you in advance for your help.

On reboot, have you added the key in the blue mok Screen?

Also post:
zypper se -si virtualbox

I stopped reading further. Describe exactly how you did it.

Thank you for your answers.

I enrolled a SUSE key that was available in the blue mok screen, and now I have 2 SUSE keys in mok:
key 1 with fingerprint: “bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8”,
key 2 with fingerprint “76:b6:a6:a0:b2:2b:cc:b1:3f:46:5f:7c:48:9e:79:39:fd:e0:9e:83”.

S  | Name                   | Type    | Version                           | Arch   | Repository
---+------------------------+---------+-----------------------------------+--------+----------------------
i+ | virtualbox             | paquete | 7.0.18-lp156.1.6                  | x86_64 | repo-oss (15.6)
i+ | virtualbox             | paquete | 7.0.18-lp156.1.6                  | x86_64 | Repositorio principal
i+ | virtualbox-host-source | paquete | 7.0.18-lp156.1.6                  | noarch | repo-oss (15.6)
i+ | virtualbox-host-source | paquete | 7.0.18-lp156.1.6                  | noarch | Repositorio principal
i  | virtualbox-kmp-default | paquete | 7.0.18_k6.4.0_150600.21-lp156.1.4 | x86_64 | repo-oss (15.6)
i  | virtualbox-kmp-default | paquete | 7.0.18_k6.4.0_150600.21-lp156.1.4 | x86_64 | Repositorio principal
i  | virtualbox-qt          | paquete | 7.0.18-lp156.1.6                  | x86_64 | repo-oss (15.6)
i  | virtualbox-qt          | paquete | 7.0.18-lp156.1.6                  | x86_64 | Repositorio principal

I’m sorry that maybe “migrated” was a confusing term: I formatted the whole disk and performed a clean Leap installation; no data reused.

Thank you for your support.

This is SUSE certificate SUSE Linux Enterprise Secure Boot CA.

I do not know what it is. On Leap 15.6 I see the certificate openSUSE Secure Boot Signkey with 1F:67:32:97:DA:56:8A:E0:DE:DF:DB:7C:8C:C6:8F:9E:CB:85:72:75 fingerprint. Show

ls -l /etc/uefi/certs
rpm -qf /etc/uefi/certs/*

My 2nd key has the same issuer and subject, the only difference is its validity from 1 March 2023 to 28 September 2033. I post a “mokutil list-enrolled”:

[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Validity
            Not Before: Apr 18 14:33:41 2013 GMT
            Not After : Mar 14 14:33:41 2035 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
            X509v3 Authority Key Identifier: 
                keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
                DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
                serial:01
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption

[key 2]
SHA1 Fingerprint: 76:b6:a6:a0:b2:2b:cc:b1:3f:46:5f:7c:48:9e:79:39:fd:e0:9e:83
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ca:fc:b5:d7:5e:c5:89:82
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Validity
            Not Before: Mar  1 13:56:59 2023 GMT
            Not After : Sep 28 13:56:59 2033 GMT
        Subject: CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                A7:46:B6:4B:6C:B7:1F:13:38:56:38:05:5F:46:16:2B:AC:63:2A:CD
            X509v3 Authority Key Identifier: 
                keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
                DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
                serial:01
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption

total 12
-rw-r--r-- 1 root root 1177 may 28 09:04 1F673297-kmp.crt
-rw-r--r-- 1 root root 1288 oct  2 10:47 76B6A6A0.crt
-rw-r--r-- 1 root root 1257 abr 18  2024 BCA4E38E-shim.crt
openSUSE-signkey-cert-20220613-lp156.4.2.x86_64
kernel-default-6.4.0-150600.23.22.1.x86_64
kernel-default-6.4.0-150600.23.25.1.x86_64
shim-15.8-150300.4.20.2.x86_64

That is the certificate you need to enroll.

mokutil --import /etc/uefi/certs/1F673297-kmp.crt --root-pw

reboot, answer MokManager prompts.

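The check behind the answer above, as an added example that is not part of the original posts: it lists the certificates under `/etc/uefi/certs` that have no matching entry in `mokutil --list-enrolled`. It assumes, as the listing in this thread suggests, that each file name begins with the first 8 hex digits of the certificate's SHA1 fingerprint; the function name and the sample data (built from the fingerprints and file names posted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find certificates in /etc/uefi/certs that are not enrolled in MOK.
# Assumption (from the thread's listing): file names start with the first 8 hex
# digits of the certificate's SHA1 fingerprint, e.g. 1F673297-kmp.crt.

# unenrolled_certs ENROLLED_TEXT FILE...
#   ENROLLED_TEXT: output of `mokutil --list-enrolled`
#   Prints every FILE whose 8-digit prefix matches no enrolled fingerprint.
unenrolled_certs() {
    enrolled=$1; shift
    # "SHA1 Fingerprint: bc:a4:e3:8e:..." -> "BCA4E38E"
    prefixes=$(printf '%s\n' "$enrolled" |
        sed -n 's/^SHA1 Fingerprint: *//p' |
        tr -d ':' | tr 'a-f' 'A-F' | cut -c1-8)
    for f in "$@"; do
        name=$(basename "$f" | cut -c1-8 | tr 'a-f' 'A-F')
        printf '%s\n' "$prefixes" | grep -qxF "$name" || printf '%s\n' "$f"
    done
}

# Constructed sample: the two fingerprints enrolled before the fix in this thread.
SAMPLE_ENROLLED='[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
[key 2]
SHA1 Fingerprint: 76:b6:a6:a0:b2:2b:cc:b1:3f:46:5f:7c:48:9e:79:39:fd:e0:9e:83'

# Constructed sample: the three files shown by `ls -l /etc/uefi/certs` above.
SAMPLE_FILES='/etc/uefi/certs/1F673297-kmp.crt
/etc/uefi/certs/76B6A6A0.crt
/etc/uefi/certs/BCA4E38E-shim.crt'

if command -v mokutil >/dev/null 2>&1 && [ -d /etc/uefi/certs ]; then
    # Live system: compare the real MOK list with the installed certificates.
    unenrolled_certs "$(mokutil --list-enrolled 2>/dev/null)" /etc/uefi/certs/*.crt
else
    # No mokutil here: run on the constructed sample instead.
    # shellcheck disable=SC2086  # word splitting of the file list is intended
    unenrolled_certs "$SAMPLE_ENROLLED" $SAMPLE_FILES
fi
```

Each file it prints is a candidate for the `mokutil --import <file> --root-pw` step shown in the answer; on the sample data that is the `-kmp` certificate.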

That’s solved the issue!! Thank you very very much @arvidjaar

I guess the blue screen of the Mok Manager appeared on first reboot after Leap installation and I didn’t notice it because, coming from TW, I didn’t expect it to appear; I take good note.
