[vbox-dev] Proposed niche argument to .../src/VBox/Installer/linux/vboxdrv.sh
Tim Wood
timwood0 at pacbell.net
Sun Aug 19 22:12:39 UTC 2018
Longtime VM and VBox enthusiast, first-time contributor.
This change takes longer to explain than the change itself. I have a Dell laptop running Ubuntu 16.04. It came with Windows 10,
but I used the VMware Standalone Converter tool to virtualize the Windows installation, installed Ubuntu from scratch on the
physical machine, and re-materialized the original Windows in a VirtualBox VM. It all works nicely.
My problem is change management. This machine uses EFI security, so all kernel-mode modules require digital signatures before the
hardware will allow loading them. I worked out a repeatable flow where I can pull a new VBox version, stop the service, build &
sign the new VirtualBox modules (with openssl -x509 keys), install them, then start the VBox service; I've reduced this to a handy
script.
The other main use-case, installing an upgraded kernel while keeping the same VBox, is not as smooth. The /sbin/vboxconfig script
does not offer an opportunity to stop and sign the re-built VBox modules after installing them into the new kernel's
/lib/modules/`uname -r` area, so it immediately tries to start the service, which fails to run because Linux will not load the
unsigned modules.
I walked into the logic of vboxconfig, and found where it calls vboxdrv.sh to install the modules into the new kernel's
/lib/modules and start the service. This patch adds a setup-only argument to vboxdrv.sh, to do everything as setup *except* start
the service. Then, my script can sign the modules and start the VBox service itself. Since VBox is already set up otherwise, the
rest of vboxconfig doesn't matter. In summary, the flow is:
sudo apt install updated-kernel
sudo systemctl stop vboxdrv.service
sudo systemctl disable vboxdrv.service
sudo reboot
sudo /usr/lib/virtualbox/vboxdrv.sh setup-only    # New argument
sudo <Sign all modules *.ko under /lib/modules/`uname -r`/misc (with .../scripts/sign-file method, keys ...)>
sudo systemctl enable vboxdrv.service
sudo systemctl start vboxdrv.service
This is a point solution to a point problem, though I have to think anyone upgrading VBox or the kernel on an EFI Linux machine
would face this issue. Does this change fit the "VBox way"? Could VBox sign modules when it builds them for the new kernel, to
avoid substituting for vboxconfig like this?
Index: vboxdrv.sh
===================================================================
--- vboxdrv.sh (revision 73488)
+++ vboxdrv.sh (working copy)
@@ -511,7 +511,7 @@
restart)
stop && start
;;
-setup)
+setup|setup-only)
test -n "${2}" && export KERN_VER="${2}"
# Create udev rule and USB device nodes.
## todo Wouldn't it make more sense to install the rule to /lib/udev? This
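Review bot: the new `setup-only` alternative in `setup|setup-only)` is not documented anywhere in this hunk; add a short comment above the case stating that it performs the same steps as `setup` but does not start the service, and update wherever the script prints its accepted arguments so `setup-only` is listed next to `setup`, otherwise the option is undiscoverable. Keeping `test -n "${2}" && export KERN_VER="${2}"` shared between both spellings is right, since the kernel-upgrade case this is meant for needs the target kernel version just as `setup` does.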
@@ -521,7 +521,9 @@
## than the fall-back. Unnecessary duplication?
stop && cleanup
setup_usb "$GROUP" "$DEVICE_MODE" "$INSTALL_DIR"
- start
+ if [ "$1" = "setup" ]; then
+ start
+ fi
;;
cleanup)
stop && cleanup
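Review bot: the `if [ "$1" = "setup" ]; then start; fi` test works only because `$1` is the case subject and nothing between the pattern and this line reassigns it; writing it as `if [ "$1" != "setup-only" ]; then start; fi` states the actual intent (skip `start` only for the new mode) and will not silently stop starting the service if another alternative is ever added to the `setup|setup-only)` pattern. Separately, check in the rest of the script that the module build is reached from `stop && cleanup` or `setup_usb` rather than from inside `start`: in these lines `setup-only` skips nothing but `start`, and if the build lives there too, the new mode leaves no fresh modules under /lib/modules for the caller to sign.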
Thanks!
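The signing step in the flow above (the `sudo <Sign all modules ...>` line) is left as a placeholder in the post. The script below is an added example, not the poster's script and not VirtualBox code, of how that step can be done so that it is safe to re-run and refuses to hand an unsigned module to `systemctl start vboxdrv.service`. It assumes the modules sit in `/lib/modules/$(uname -r)/misc` as described, that the kernel's `scripts/sign-file` helper is available (path overridable via the `SIGN_FILE` environment variable), and, by default, Ubuntu's `shim-signed` MOK key pair under `/var/lib/shim-signed/mok/`; all three are assumptions, and the certificate must already be enrolled in the firmware (for example with `mokutil --import`) or the kernel will still reject the modules. The "already signed" check relies on the `~Module signature appended~` trailer the kernel defines for signed modules.

```shell
#!/bin/sh
# Added example (not from the original post or VirtualBox): sign freshly built
# VirtualBox modules after `vboxdrv.sh setup-only`, before starting the service.
# Assumed defaults, all overridable:
#   DIR        - /lib/modules/$(uname -r)/misc, where vboxdrv.sh installs *.ko
#   SIGN_FILE  - scripts/sign-file from the running kernel's headers package
#   KEY/CERT   - Ubuntu shim-signed MOK pair; the cert must already be enrolled
#                (mokutil --import) or the kernel will reject the signature.
set -u

# Trailer the kernel appends to every signed module (include/linux/module_signature.h).
# Its presence is a tool-independent "already signed" check, so re-runs are harmless.
MODULE_SIG_STRING='~Module signature appended~'

# is_signed FILE: exit 0 if FILE ends with the module signature trailer.
is_signed() {
    # The string is 27 bytes plus a trailing newline, so inspect the last 28 bytes.
    tail -c 28 "$1" | grep -q -F "$MODULE_SIG_STRING"
}

# unsigned_modules DIR: print the *.ko files under DIR that still lack a signature.
unsigned_modules() {
    for um_ko in "$1"/*.ko; do
        [ -f "$um_ko" ] || continue
        is_signed "$um_ko" || printf '%s\n' "$um_ko"
    done
}

# sign_modules DIR KEY CERT: sign every unsigned module in DIR in place.
# Fails on the first sign-file error so the caller does not go on to start a
# service whose modules the kernel would refuse to load anyway.
sign_modules() {
    sm_dir=$1 sm_key=$2 sm_cert=$3
    sm_tool=${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}
    sm_hash=${SIGN_HASH:-sha256}
    [ -x "$sm_tool" ] || { echo "sign-file not found at $sm_tool" >&2; return 2; }
    for sm_ko in "$sm_dir"/*.ko; do
        [ -f "$sm_ko" ] || continue
        if is_signed "$sm_ko"; then
            echo "already signed: $sm_ko"
            continue
        fi
        # Kernel helper usage: sign-file <hash algo> <key> <x509> <module>
        "$sm_tool" "$sm_hash" "$sm_key" "$sm_cert" "$sm_ko" || return 1
        echo "signed: $sm_ko"
    done
}

# main DIR [KEY [CERT]]: sign, then verify that nothing unsigned is left behind.
main() {
    m_dir=$1
    m_key=${2:-/var/lib/shim-signed/mok/MOK.priv}
    m_cert=${3:-/var/lib/shim-signed/mok/MOK.der}
    sign_modules "$m_dir" "$m_key" "$m_cert" || return $?
    m_left=$(unsigned_modules "$m_dir")
    if [ -n "$m_left" ]; then
        echo "still unsigned:" >&2
        echo "$m_left" >&2
        return 1
    fi
}

# Act only when a module directory is given; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Dropped in place of the placeholder line, the call is `sudo sh sign-vbox-modules.sh /lib/modules/$(uname -r)/misc` (hypothetical file name), optionally followed by the key and certificate paths; `systemctl enable` and `start` follow only when it exits 0.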