#!/usr/bin/env bash
#
# Script for guide:
# https://gorka.eguileor.com/vbox-vmware-in-secureboot-linux-2016-update/
#
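# Verification (run after rebooting and completing the key enrolment;
# ${cert_name} is the value assigned below, i.e. VBoxCert):
# dmesg | grep "EFI:.*cert.*${cert_name}"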
#
# Strict mode: abort on the first failing command, on use of an unset
# variable, and when any stage of a pipeline fails.
set -euo pipefail

# Base name of the signing key pair kept in the current directory:
#   <cert_name>.priv - private key
#   <cert_name>.der  - DER-encoded X.509 certificate (public half)
cert_name='VBoxCert'

# Build the VirtualBox kernel modules (runs as root).
sudo /sbin/vboxconfig
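# Create the signing key pair on first use.
#
# The private key is written unencrypted (-nodes). Once the certificate is
# enrolled in the MOK list, anyone who can read ${cert_name}.priv can sign
# kernel modules that this machine will accept under Secure Boot. The key is
# therefore created owner-only, and the working directory should be one that
# only the administrator can read.
priv_key="./${cert_name}.priv"
pub_cert="./${cert_name}.der"
if [ ! -e "$priv_key" ] && [ ! -e "$pub_cert" ]; then
  (
    # The umask applies only inside this subshell. It keeps the new files
    # from being group- or world-readable whatever the caller's umask is.
    umask 077
    openssl req -new -x509 \
      -newkey rsa:2048 \
      -keyout "$priv_key" \
      -outform DER \
      -out "$pub_cert" \
      -nodes \
      -days 3650 \
      -subj "/CN=${cert_name}/"
  )
elif [ ! -e "$priv_key" ] || [ ! -e "$pub_cert" ]; then
  # Only one half of the pair is present. Generating again would overwrite
  # the surviving half, and continuing would fail later during signing or
  # import. Stop here and let the operator decide.
  printf '%s\n' \
    "Incomplete key pair: expected both $priv_key and $pub_cert." \
    "Restore the missing file, or remove the remaining one to generate a new pair." >&2
  exit 1
fi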
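# Locate vboxdrv and sign the modules installed alongside it.
#
# modinfo -n prints the file name of the vboxdrv module. Every *.ko file in
# that directory is signed, not only the vbox ones, so the directory contents
# are implicitly trusted. NOTE(review): confirm that only VirtualBox modules
# are installed there.
vboxdrv_path=$(modinfo -n vboxdrv)
vboxdrv_dirname=$(dirname "$vboxdrv_path")

# sign-file comes from the kernel build tree of the running kernel. This
# path matches the Fedora/RHEL kernel-devel layout; other distributions
# keep it elsewhere, so fail with a clear message if it is absent.
sign_file="/usr/src/kernels/$(uname -r)/scripts/sign-file"
if [ ! -x "$sign_file" ]; then
  printf '%s\n' "sign-file not found or not executable: $sign_file" >&2
  exit 1
fi

signed_count=0
for f in "${vboxdrv_dirname}"/*.ko; do
  # An unmatched glob is left as the literal pattern; skip it instead of
  # passing a non-existent path to sign-file.
  [ -e "$f" ] || continue
  echo "Signing $f"
  sudo "$sign_file" \
    sha256 \
    "${cert_name}.priv" \
    "${cert_name}.der" \
    "$f"
  signed_count=$((signed_count + 1))
done

# Enrolling a key is pointless if nothing was signed with it.
if [ "$signed_count" -eq 0 ]; then
  printf '%s\n' "No .ko modules found in ${vboxdrv_dirname}; nothing was signed." >&2
  exit 1
fi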
# Queue the public certificate for addition to shim's MOK list.
# mokutil asks for a password here; the same password is requested again
# during the UEFI boot to enroll the new key.
printf '%s\n' \
  "Enter password for new certificate key." \
  "You will be asked to enter it on next boot."
sudo mokutil --import "${cert_name}.der"
exit 0