<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Cambria">Longtime VM and VBox enthusiast, first-time
contributor.<br>
<br>
This change takes longer to explain than the change itself. I
have a Dell laptop running Ubuntu 16.04. It came with Windows 10,
but I used the VMware Standalone Converter tool to virtualize the
Windows installation, installed Ubuntu from scratch on the
physical machine, and re-materialized the original Windows in a
VirtualBox VM. It all works nicely.<br>
<br>
My problem is change management. This machine uses EFI security,
so all kernel-mode modules require digital signatures before the
hardware will allow loading them. I worked out a repeatable flow
where I can pull a new VBox version, stop the service, build &
sign the new Virtualbox modules (with </font><font face="Cambria"><tt>openssl
-x509</tt><font face="Cambria"> keys),</font> install them, then
start the VBox service; I've reduced this to a handy script</font><font
face="Cambria">. <br>
<br>
The other main use-case, installing an upgraded kernel while
keeping the same VBox, is not as smooth. The </font><tt>/sbin/vboxconfig</tt><font
face="Cambria"> script does not offer an opportunity to stop and
sign the re-built VBox modules after installing them into the new
kernel's </font><tt>/lib/modules/`uname -r`</tt><font
face="Cambria"> area, so it immediately tries to start the
service, which fails to run because Linux will not load the
unsigned modules.<br>
<br>
I walked into the logic of </font><tt>vboxconfig</tt><font
face="Cambria">, and found where it calls </font><tt>vboxdrv.sh</tt><font
face="Cambria"> to install the modules into the new kernel's </font><tt>/lib/modules</tt><font
face="Cambria"> and start the service. This patch adds a </font><tt>setup-only</tt><font
face="Cambria"> argument to </font><tt>vboxdrv.sh</tt><font
face="Cambria">, to do everything as </font><tt>setup<font
face="Cambria"> <i>e</i></font></tt><font face="Cambria"><i>xcept
</i>start the service. Then, my script can sign the modules and
start the VBox service itself. Since VBox is already set up
otherwise, the rest of </font><tt>vboxconfig</tt><font
face="Cambria"> doesn't matter. In summary, the flow is:<br>
<br>
</font><tt>sudo apt install </tt><font face="Cambria">updated-kernel<br>
</font><tt><tt>sudo </tt>systemctl stop vboxdrv.service</tt><font
face="Cambria"><br>
</font><tt><tt>sudo </tt>systemctl disable vboxdrv.service</tt><font
face="Cambria"><br>
</font><tt><tt>sudo </tt>reboot</tt><font face="Cambria"><br>
</font><tt><tt>sudo </tt>/usr/lib/virtualbox</tt><tt>/vboxdrv.sh
setup-only</tt><tt> </tt><tt># New argument</tt><font
face="Cambria"><br>
</font><font face="Cambria"><tt>sudo <</tt>Sign all modules </font><tt>*.ko</tt><font
face="Cambria"> under </font><tt>/lib/modules/`uname -r`/misc</tt><font
face="Cambria"> (with </font><tt>.../scripts/sign-file</tt><font
face="Cambria"> method keys ...)><br>
</font><tt><tt>sudo </tt>s</tt><tt>ystemctl enable vboxdrv.service</tt><tt><br>
</tt><tt><tt>sudo </tt>systemctl start vboxdrv.service</tt><tt><br>
<br>
</tt><font face="Cambria">This is a point solution to a point
problem, though I have to think anyone upgrading VBox or the
kernel on an EFI Linux machine would face this issue. Does this
change fit the "VBox way"? Could VBox sign modules when it builds
them for the new kernel, to avoid <font face="Courier New,
Courier, monospace"><font face="Cambria">substituting for </font>vboxconfig</font>
like this?</font><font face="Cambria"><br>
<br>
</font><tt>Index: vboxdrv.sh<br>
===================================================================<br>
--- vboxdrv.sh (revision 73488)<br>
+++ vboxdrv.sh (working copy)<br>
@@ -511,7 +511,7 @@<br>
restart)<br>
stop && start<br>
;;<br>
-setup)<br>
+setup|setup-only)<br>
test -n "${2}" && export KERN_VER="${2}"<br>
# Create udev rule and USB device nodes.<br>
## todo Wouldn't it make more sense to install the rule to
/lib/udev? This<br>
@@ -521,7 +521,9 @@<br>
## than the fall-back. Unnecessary duplication?<br>
stop && cleanup<br>
setup_usb "$GROUP" "$DEVICE_MODE" "$INSTALL_DIR"<br>
- start<br>
+ if [ "$1" = "setup" ]; then<br>
+ start<br>
+ fi<br>
;;<br>
cleanup)<br>
stop && cleanup<br>
<br>
</tt><font face="Cambria">Thanks!<br>
<br>
</font><tt></tt><font face="Cambria"><br>
</font>
</body>
</html>