VirtualBox

Opened 3 years ago

Last modified 3 years ago

#20125 new defect

Logging vboxdrv.sh fills syslog

Reported by: rickyx
Owned by:
Component: other
Version: VirtualBox 6.1.16
Keywords: logs
Cc:
Guest type: other
Host type: other

Description

In Debian 10 the script vboxdrv.sh fills syslog with logs.

Looking in /var/log/ you can see the size of the files:

...
-rw-r-----   1 root              adm             103M gen 13 00:39 syslog
-rw-r-----   1 root              adm             2,0G gen 13 00:00 syslog.1
-rw-r-----   1 root              adm              20M gen 12 10:02 syslog.2.gz
...

The log is full of a never-ending sequence of this writing:

Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Password non valida
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: La chiave per il Secure Boot inserita non è valida. La password utilizzata deve
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: contenere da 8 a 16 caratteri.
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Inserire una password per configurare il Secure Boot UEFI.
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Questa password verrà usata dopo il riavvio per confermare l'autorizzazione per
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: una modifica allo stato del Secure Boot.
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Password per Secure Boot UEFI:
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Inserire nuovamente la stessa password per verificare di averla digitata
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: correttamente.
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Reinserire la password per verifica:
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Use of uninitialized value $_[1] in join or string at /usr/share/perl5/Debconf/DbDriver/Stack.pm line 111.
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Use of uninitialized value $_[1] in join or string at /usr/share/perl5/Debconf/DbDriver/Stack.pm line 111.

A clean and translated version is:

Invalid password. The Secure Boot key you entered is invalid. The password used must contain 8 to 16 characters.
Please enter a password to configure UEFI Secure Boot.
This password will be used after reboot to confirm authorization for a change in Secure Boot status.
Password for Secure Boot UEFI:
Enter the same password again to verify that you have typed it correctly.
Re-enter the password for verification:
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Use of uninitialized value $_[1] in join or string at /usr/share/perl5/Debconf/DbDriver/Stack.pm line 111.
Jan 13 00:42:17 Bisonx vboxdrv.sh[974]: Use of uninitialized value $_[1] in join or string at /usr/share/perl5/Debconf/DbDriver/Stack.pm line 111.

I'm aware of the problem regarding the kernel signature, but I point out that this problem is about too intense logging and could fill the whole disk of some machines. It would be enough if the warning did not repeat 23 times per second, as it does now.

I think that this problem, of which I am unable to give any indication on how to reproduce it, occurred after a bios firmware update.

Thank you, Riccardo

Change History (1)

comment:1 by Mike_M, 3 years ago

I have the same problem on Debian Bullseye.

I narrowed it down to a problem of signing the kernel modules during install. If the kernel modules are not signed, then vboxdrv.sh tries to issue a new UEFI Secure Boot key after the next reboot. Because the password can't be entered, the script is continuously producing the above errors in syslog.

This is caused by

    # vboxdrv.sh, lines 499-502
    if test -n "$HAVE_SEC_BOOT" &&
        type update-secureboot-policy >/dev/null 2>&1; then
        SHIM_NOTRIGGER=y update-secureboot-policy --new-key
    fi

in vboxdrv.sh.

I tried some workarounds like manually signing the kernel modules, deleting the process with "update-secureboot-policy" after every reboot or modifying some scripts. But this means that the error occurs again after every update of VirtualBox, the BIOS firmware or maybe other secure boot things.


Finally I resolved the problem on Debian. Maybe it is the same on Ubuntu. It consists of two problems:

  1. In vboxdrv.sh the location of the secure boot keys is hardcoded.

    # vboxdrv.sh, lines 102-103
    DEB_PUB_KEY=/var/lib/shim-signed/mok/MOK.der
    DEB_PRIV_KEY=/var/lib/shim-signed/mok/MOK.priv

and later

    # vboxdrv.sh, lines 506-508
    kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv \
        /var/lib/shim-signed/mok/MOK.der \
        /lib/modules/"$KERN_VER"/misc/"$i".ko

Here the previously defined variables aren't even being used!

This means if you saved your key files in a different location the script ends with "VirtualBox kernel module is not loaded." and you don't even know why.

So $DEB_PUB_KEY and $DEB_PRIV_KEY should be made user configurable and they should be used consequently later on.


  2. On Debian bullseye "kmodsign" doesn't exist. Instead there is "sign-modules" which is located in "/usr/lib/linux-kbuild-'kernelver'/scripts/" e.g. "/usr/lib/linux-kbuild-5.10/scripts/sign-file".

So on Debian the above lines should look something like this:

    # vboxdrv.sh, lines 506-508 as proposed; KERN_VER_SHORT still has to be set
    /usr/lib/linux-kbuild-"$KERN_VER_SHORT"/scripts/sign-file sha512 "$DEB_PRIV_KEY" \
        "$DEB_PUB_KEY" \
        /lib/modules/"$KERN_VER"/misc/"$i".ko

where $KERN_VER_SHORT should come from somewhere, maybe "uname -r" with some REGEX.


I'm no coder so maybe someone could fix this properly and submit a pull request. A detection if "kmodsign" or "sign-file" is present must be added.

A quick and dirty fix with hardcoded paths and filenames in vboxdrv.sh and a following "vboxconfig" works for me.
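
Added example (not part of the ticket, not the commenter's fix and not code from vboxdrv.sh): one way to implement what comment:1 asks for, with overridable key paths, detection of "kmodsign" versus the kbuild "sign-file", and the short kernel version derived from the release string. The function names and KBUILD_ROOT are hypothetical; the argument order for both tools is the one quoted in the comment.

```shell
#!/bin/sh
# Added example, not code from vboxdrv.sh. Apart from DEB_PUB_KEY and
# DEB_PRIV_KEY, all names here (KBUILD_ROOT, the functions) are hypothetical.

# Key locations default to the paths quoted in the ticket; the environment wins.
DEB_PUB_KEY="${DEB_PUB_KEY:-/var/lib/shim-signed/mok/MOK.der}"
DEB_PRIV_KEY="${DEB_PRIV_KEY:-/var/lib/shim-signed/mok/MOK.priv}"
# Directory holding linux-kbuild-X.Y (layout taken from the comment above).
KBUILD_ROOT="${KBUILD_ROOT:-/usr/lib}"

# "5.10.0-8-amd64" -> "5.10"; fails if the release does not start with N.N
kern_ver_short() {
    short=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
    [ -n "$short" ] || return 1
    printf '%s\n' "$short"
}

# Print the signing tool to use for kernel release $1, or fail if none exists.
find_sign_tool() {
    if command -v kmodsign >/dev/null 2>&1; then
        printf 'kmodsign\n'
        return 0
    fi
    short=$(kern_ver_short "$1") || return 1
    tool="$KBUILD_ROOT/linux-kbuild-$short/scripts/sign-file"
    [ -x "$tool" ] || return 1
    printf '%s\n' "$tool"
}

# Sign module $2 for kernel release $1. Every failure names its cause, so a
# missing key or tool no longer ends in an unexplained "module is not loaded".
sign_module() {
    kern_ver=$1 module=$2
    for f in "$DEB_PRIV_KEY" "$DEB_PUB_KEY" "$module"; do
        [ -r "$f" ] || { echo "sign_module: cannot read $f" >&2; return 2; }
    done
    tool=$(find_sign_tool "$kern_ver") || {
        echo "sign_module: neither kmodsign nor sign-file found" >&2
        return 3
    }
    "$tool" sha512 "$DEB_PRIV_KEY" "$DEB_PUB_KEY" "$module"
}
```

In a script like vboxdrv.sh this would be called once per module, for example `sign_module "$KERN_VER" /lib/modules/"$KERN_VER"/misc/"$i".ko`, and a non-zero return handled before any attempt to enrol a new key.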


© 2023 Oracle