VirtualBox from the Virtualization repository and UEFI Secure Boot kernel module signing

It seems that, the version 6.1.14 Oracle VirtualBox in the Virtualization repository currently doesn’t have kernel modules which have been signed for UEFI Secure Boot.

  • The affected modules are “vboxdrv”, “vboxnetadp” and “vboxnetflt” – modprobe fails with an “Operation not permitted” message.

Changing back to the Leap 15.2 update repository fixed the problem without having to roll back to a previous VirtualBox version.
[HR][/HR]Does anyone suspect that this issue needs to be flagged to the Virtualization repository maintainers?

??? How exactly kernel modules are related to UEFI Secure Boot?

Modules are obviously signed:

filename:       /home/bor/tmp/./lib/modules/5.8.12-1-default/extra/vboxdrv.ko
version:        6.1.14_SUSE r140239 (0x002e0000)
sig_id:         PKCS#7
signer:         Virtualization OBS Project
sig_key:        C6:31:15:59:C3:47:91:38
sig_hashalgo:   sha256
signature:      1A:46:C1:1E:35:A6:F4:40:A7:01:2C:08:86:5D:3B:47:91:DF:20:BF:

Each project has its own key, that is not new. You either need to manually trust all keys of every project or simply do not enforce module signature check.

Thx for reporting, you should submit a bug to
Since this is not the first time the problem has happened, I suspect that Larry (or whomever) is manually signing and hasn’t automated the process.

Kernel modules like what VBox are need to be signed nowadays (things weren’t so strict years ago).
Is to verify the authenticity of the modules so that some malicious hacker doesn’t load a module and then reboot injecting malware.
Is not related to OBS projects.

An Internet search will return a number of hits, the following is from


This is incorrect, the build service automatically signs all packages, no use interaction is required!

Alas, also some hints in Forums such as Stack Overflow which indicate that, the Kernel’s signature checking should be disabled to allow the “modprobe” to successfully execute …

  • The issue is not new – I was involved in a similar issue on an embedded remotely managed system more than 10 years ago …

Agreed!!! – The issue is related to the “Experimental” nature of the Virtualization repository …

I think you misunderstand my post and the situation.

kernel module signing has nothing to do with OBS project signing.
Apples and Oranges.


I’d strongly discourage breaking security by disabling the signature check unless there is no alternative and then the consequences carefully considered.
It’s not that difficult for the module to be signed and that’s how it should be done.


I’m not talking about project signing!! Packages and kmp’s, ok!! They are signed automatically via pesign (go peruse the build logs) and the OBS tools, there is NO user interaction at this level.

Look at the output from /sbin/modinfo for any module…

If OBS actually does sign kernel modules as necessary then,
It’s curious why the signing isn’t recognized and that some procedure to disable security is recommended.


Did a quick search.
As I suspected, kernel module signing is available but not enabled by default… Needs to be configured and enabled.


Your trying my patience, LOOK at the virtualbox build log it is quite clear that the two packages mentioned are used in the build process, it’s the default, the modules are signed!

Better than relying on the build log is to read the kernel module loaded on your system.

To inspect for the existence or absence of kernel module signing,

  1. Identify your current running kernel so you know how to complete the path described in step 2
uname -a
  1. Run the following command. If the module is signed, you will see a response. If the module is unsigned, the command will return an empty response
    I’m guessing a bit what the path would be after …/kernel/ because I don’t have Virtualbox installed on a Linux box at the moment… And I’m simply showing the generic “module.ko” because you’d probably want to test several modules.
readelf -S /lib/modules/[kernel name]/kernel/virt/module.ko | grep sig.*NOTE

If the signature exists, then perhaps the signing not isn’t configured correctly.


You persistence shows your ignorance, look at user arvidjaar post #2, all the module signing information is available via modinfo.

readelf -S /lib/modules/5.3.18-lp152.44-default/kernel/drivers/virt/vboxguest/vboxguest.ko | grep sig.*NOTE
<zip, nada, nothing>

/sbin/modinfo vboxguest |grep sig
sig_id:         PKCS#7
signer:         openSUSE Secure Boot CA
sig_key:        30:81:81:31:20:30:1E:06:03:55:04:03:0C:17:6F:70:65:6E:53:55:
sig_hashalgo:   sha256
signature:      45:44:28:0F:20:44:15:70:76:08:8D:A1:07:91:9C:E4:E4:F7:B8:C3:

Which is what the openSUSE / SUSE Build Service does by default and, openQA usually checks that, the signing has been properly and correctly applied …

  • Unfortunately, sadly, the current offering in the Experimental “Virtualization” repository slipped through the net …

I preceded the sentence referring to a StackOverflow suggestion with “Alas” …


Alas – used to express unhappiness, pity, or concern


Alas – used to show you are sad or sorry


Alas – used to express sadness or feeling sorry about something


Alas – You use alas to say that you think that the facts you are talking about are sad or unfortunate.