Update 20210723: VirtualBox didn't recognize my network hardware. Since I still have my old laptop, I'll use that one for Windows (ugh!). This was the end of my VirtualBox adventure. I leave the text below; it's still valid.
NOTES
VirtualBox [Recommended: 18.04 LTS, but installed on 20.04.2 (find yours with: lsb_release -a)]
It is said that some of the VirtualBox kernel modules need signing when running on a UEFI system with Secure Boot enabled:
vboxdrv
vboxnetadp
vboxnetflt
vboxpci
So let's create a key!
* apt update
* apt-get install linux-headers-$(uname -r)
* apt install build-essential
* openssl version <Enter>
OpenSSL 1.1.1f 31 Mar 2020
* vim /usr/lib/shim/mok/openssl.cnf <Enter>
/usr/lib/shim/mok/openssl.cnf, after editing, looks like:
--- begin openssl.cnf:
HOME = /var/lib/shim-signed/mok
RANDFILE = /var/lib/shim-signed/mok/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = (like US, GB, NO etc)
stateOrProvinceName = (something suitable)
localityName = (your home town?)
0.organizationName = (hostname of my machine)
commonName = Secure Boot Signing
emailAddress = xxx.yyy@some.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
# We use extended key usage information to limit what this auto-generated
# key can be used for.
#
# codeSigning: specifies that this key is used to sign code.
#
# 1.3.6.1.4.1.2312.16.1.2: defines this key as used for module signing
# only. See https://lkml.org/lkml/2015/8/26/741.
#
extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2
nsComment = "OpenSSL Generated Certificate"
--- end openssl.cnf
* openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der" <Enter>
Oooops!
Can't load /var/lib/shim-signed/mok/.rnd into RNG
140194088219968:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/var/lib/shim-signed/mok/.rnd
Explanation:
NOTE: current version of openssl on this system: v1.1.1f !!
Quote:
"https://github.com/wazuh/wazuh/issues/3395
Error cause
The error message is due to the version of OpenSSL, concretely v1.1.1.
This error is fixed in v1.1.1a. Error fixed.
Consequences
Despite the error message, OpenSSL works well. It generates different key and certificate values, so it hasn't got important consequences.
Possible solutions
Comment out the RANDFILE variable at the beginning of the /etc/ssl/openssl.conf file.
Ignore the error message.
Conclusion
Considering that it doesn't affect our system's security, we could ignore the error message"
END of quote
DUH!
checking for /var/lib/shim-signed/mok/.rnd [OK!]
* locate MOK.priv <Enter>
/usr/lib/shim/mok/MOK.priv [OK!]
* locate MOK.der <Enter>
/usr/lib/shim/mok/MOK.der [OK!]
* mokutil --import MOK.der <Enter>
input password: [secret]
input password again: [guess what!]
root@myMachine:/usr/lib/shim/mok#
From https://ubuntu.com/blog/how-to-sign-things-for-secure-boot:
"Once this is done, reboot. Just before loading GRUB, shim will show a blue screen (which is actually another piece of the shim project called “MokManager”). Use that screen to select “Enroll MOK” and follow the menus to finish the enrolling process. You can also look at some of the properties of the key you’re trying to add, just to make sure it’s indeed the right one using “View key”. MokManager will ask you for the password we typed in earlier when running mokutil; and will save the key, and we’ll reboot again."
When that blue screen shows itself there are three alternatives; two of them have to do with things on the disk. Skip these and choose the first one (I just can't remember what it said, but it was very short, one word, related to the subject at hand.)
So let's check if the new key is in the system...
* cat /proc/keys <Enter>
11b98d3e I------ 1 perm 1f010000 0 0 asymmetri (hostname of my machine): Secure Boot Signing: 91888ab4e46ee6eaeb96d3ae588a2e75df735c1b: X509.rsa df735c1b []
120c60ec I--Q--- 1 perm 3f030000 0 0 keyring _ses: 2
124cadb8 I------ 2 perm 1f010000 0 0 blacklist bin:3b0287533e0cc3d0ec1aa823cbf0a941aad8721579d1c499802dd1c3a636b8a9
12804b37 I------ 2 perm 1f010000 0 0 blacklist bin:fecfb232d12e994b6d485d2c7167728aa5525984ad5ca61e7516221f079a1436
12cad596 I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
138da1cb I------ 2 perm 1f010000 0 0 blacklist bin:aeebae3151271273ed95aa2e671139ed31a98567303a332298f83709a9d55aa1
1390873b I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
13f385bb I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
1407a2b3 I------ 2 perm 1f010000 0 0 blacklist bin:ad6826e1946d26d3eaf3685c88d97d85de3b4dcb3d0ee2ae81c70560d13c5720
143480ec I------ 2 perm 1f010000 0 0 blacklist bin:29c6eb52b43c3aa18b2cd8ed6ea8607cef3cfae1bafe1165755cf2e614844a44
To find your key by name, look at the "asymmetri" (asymmetric) entries! The listing is quite confusing at first, with a LOT of lines and strange number sequences.
Done!
These modules must eventually be signed if the installation didn't leave them loadable:
/usr/lib/modules/5.8.0-53-generic/misc/vboxdrv.ko
/usr/lib/modules/5.8.0-53-generic/misc/vboxnetadp.ko
/usr/lib/modules/5.8.0-53-generic/misc/vboxnetflt.ko
vboxpci.ko was not found to be installed.
* lsmod | grep vbox <Enter>
vboxnetadp 28672 0
vboxnetflt 28672 0
vboxdrv 516096 2 vboxnetadp,vboxnetflt
This looks good. I do not have to sign them; the kernel has already accepted and loaded them.
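A module appearing in lsmod only proves that the kernel loaded it; it does not tell you whether Secure Boot is actually enforcing, whether the MOK enrolment took, or who signed the module. The script below is an added example (not part of these notes) that checks those things for the key and modules above: it parses /proc/keys as shown earlier, inspects what the generated MOK.der asserts, and reads the signer from modinfo. It assumes stock openssl, mokutil and modinfo, and the paths and module names used in the notes.

```shell
#!/bin/sh
# Added post-enrolment check, not from the original notes. Shows Secure Boot
# state, whether the enrolled MOK is in the kernel keyring, what the
# certificate asserts, and who signed each VirtualBox module. Assumes stock
# openssl/mokutil/modinfo and the /proc/keys layout shown in the notes.

MODULES="vboxdrv vboxnetadp vboxnetflt vboxpci"
MOK_DER="/usr/lib/shim/mok/MOK.der"

# Print the description of every asymmetric key in a /proc/keys-style listing
# ($1, default /proc/keys). Field 8 is the key type, truncated by the kernel to
# "asymmetri"; the description is everything after it.
list_asymmetric_keys() {
    awk '$8 == "asymmetri" {
        for (i = 9; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }' "${1:-/proc/keys}"
}

# Exit 0 if an asymmetric key description in listing $1 contains $2 (the
# commonName from openssl.cnf is the natural thing to look for).
mok_is_enrolled() {
    list_asymmetric_keys "$1" | grep -F -q -- "$2"
}

# Print the "signer:" value from modinfo output on stdin; empty if unsigned.
signer_from_modinfo() {
    awk '/^signer:/ { sub(/^signer: */, ""); print }'
}

# Subject, expiry, EKU (must list Code Signing and 1.3.6.1.4.1.2312.16.1.2) and
# Basic Constraints (must be CA:FALSE) of the DER certificate in $1.
inspect_mok_cert() {
    openssl x509 -inform DER -in "${1:-$MOK_DER}" -noout -text |
        grep -E -A1 'Subject:|Not After|Extended Key Usage|Basic Constraints'
}

# Live report for this machine; needs mokutil, modinfo and openssl installed.
report() {
    mokutil --sb-state 2>/dev/null || echo "mokutil failed; Secure Boot state unknown"
    inspect_mok_cert "$MOK_DER" 2>/dev/null || echo "cannot read $MOK_DER"
    if mok_is_enrolled /proc/keys "Secure Boot Signing"; then
        echo "MOK 'Secure Boot Signing' is in the kernel keyring"
    else
        echo "WARNING: 'Secure Boot Signing' key not in /proc/keys; enrolment did not take"
    fi
    for m in $MODULES; do
        signer=$(modinfo "$m" 2>/dev/null | signer_from_modinfo)
        echo "$m: signer=${signer:-<unsigned or not installed>}"
    done
}

if [ -n "${RUN_MOK_REPORT:-}" ]; then report; fi   # only run live when asked
```

Run it as `RUN_MOK_REPORT=1 sh mokcheck.sh`; an empty signer for a loaded module means the kernel is not enforcing signatures, which is worth knowing before trusting the lsmod result.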
Waiting for a DVD burner so I can install XP from one of my CD copies...
To be continued... NOPE it ends here!