Description
Component
Host Installer
What problem are you facing?
At the moment, VirtualBox uses the update-secureboot-policy tool to create and enroll MOK keys. This tool supposedly exists on both Ubuntu and Debian; however, the update-secureboot-policy tool on Debian is a radically different tool with a different purpose from the one on Ubuntu. Under Ubuntu, the tool's purpose is enrolling MOK keys, while under Debian its purpose is turning Secure Boot validation on or off entirely. That means that, when Secure Boot is enabled, the VirtualBox package currently only works out of the box on Ubuntu, despite /usr/sbin/rcvboxdrv claiming it works on Debian 10 and later.
How can we fix this?
Consider using DKMS to build the VirtualBox kernel modules instead of building them manually under Debian. This would integrate with the module signing infrastructure that already exists in Debian, and would likely work on Ubuntu as well. Unless other distributions also ship update-secureboot-policy, this would remove the need for update-secureboot-policy entirely.
What alternatives or workarounds exist?
Manually signing the module works, which is what the user is told to do if automatic signing fails. This requires manual intervention with every VirtualBox upgrade.
Another alternative is symlinking /var/lib/dkms/mok.key to /var/lib/shim-signed/mok/MOK.priv and /var/lib/dkms/mok.pub to /var/lib/shim-signed/mok/MOK.der (private key to private key, DER certificate to DER certificate). This appears to allow rcvboxdrv to find the existing MOK keys and reuse them.
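As an added example (not code from this issue, VirtualBox or DKMS), the following Python script checks whether a kernel module file carries the appended signature trailer that the kernel's sign-file tool produces, which is what both the manual signing workaround and the DKMS signing path rely on. It parses the 12-byte struct module_signature and the "~Module signature appended~" marker from the kernel's own format and reports the embedded PKCS#7 blob length, so a packager can confirm a freshly built vboxdrv.ko was actually signed before rebooting into a Secure Boot kernel. The sample module and signature bytes are constructed placeholders, not a real ELF object or a real PKCS#7 signature, so the script checks structure only; it does not verify the signature against the MOK certificate.

```python
import struct
import sys

# Layout from include/linux/module_signature.h (big-endian sig_len):
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # enum pkey_id_type: PGP=0, X509=1, PKCS7=2


def parse_module_signature(blob: bytes):
    """Return details of the appended signature, or None if the module is unsigned.

    File layout written by scripts/sign-file:
        [module bytes][PKCS#7 signature][struct module_signature][MODULE_SIG_STRING]
    The checks mirror what the kernel's mod_check_sig() rejects.
    """
    if not blob.endswith(MODULE_SIG_STRING):
        return None
    body = blob[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:]
    )
    payload_end = len(body) - SIG_INFO.size
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported key identifier type {id_type}")
    # For PKCS#7 the kernel requires these legacy fields to be zero.
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("PKCS#7 trailer must have zeroed algo/hash/signer/key_id fields")
    if sig_len >= payload_end:
        raise ValueError("sig_len exceeds module size")
    pkcs7 = body[payload_end - sig_len:payload_end]
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "pkcs7": pkcs7,
        "module_len": payload_end - sig_len,
    }


def append_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Build the same trailer layout sign-file writes (constructed test helper;
    the pkcs7 argument is whatever bytes the caller supplies, not a real signature)."""
    trailer = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + trailer + MODULE_SIG_STRING


def describe(path: str) -> str:
    """Human-readable summary for a module file on disk."""
    with open(path, "rb") as fh:
        info = parse_module_signature(fh.read())
    if info is None:
        return f"{path}: UNSIGNED (no appended signature)"
    return (f"{path}: signed, PKCS#7 blob of {info['sig_len']} bytes "
            f"over {info['module_len']} module bytes")


# Constructed sample: a fake 64-byte "module" and a 42-byte stand-in for a PKCS#7 blob.
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x82" + b"\xab" * 40
SAMPLE_SIGNED = append_signature(SAMPLE_MODULE, SAMPLE_PKCS7)

if __name__ == "__main__":
    # Usage: python3 modsig_check.py /lib/modules/$(uname -r)/misc/vboxdrv.ko
    for module_path in sys.argv[1:]:
        print(describe(module_path))
    if len(sys.argv) == 1:
        print("sample:", parse_module_signature(SAMPLE_SIGNED)["sig_len"], "byte signature")
```

A module that passes this check can still be rejected at load time if the certificate that signed it is not enrolled in the MOK list; `mokutil --list-enrolled` shows what the firmware currently trusts, and the `modinfo -F sig_key` output of the module should match one of those certificates.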
Anything else we should know?
This request is inspired by a Kicksecure bug report: https://forums.kicksecure.com/t/virtualbox-error-kernel-driver-not-installed-rc-1908/1453