I forgot my MOK password

I was in the process of installing VirtualBox, and because I have Secure Boot activated, the system does not provide the tools for the automatic generation of keys needed for module signing, which is why I had to generate these keys manually from the command line.
The commands used to create the keys were:

sudo mkdir -p /var/lib/shim-signed/mok
sudo openssl req -nodes -new -x509 -newkey rsa:2048 -outform DER -addext "extendedKeyUsage=codeSigning" -keyout /var/lib/shim-signed/mok/MOK.priv -out /var/lib/shim-signed/mok/MOK.der
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
sudo reboot

However, I forgot (according to me not) the MOK password to be able to correctly add the keys, so I have not been able to return to the form to enter the password since I got tired of trying and left the menu. Now when I restart, it does not return me to that menu again but takes me directly to the desktop (as it normally did), and I don’t know how to try to enter the password again. Is it necessary to import the key again? Or what can I do in this case? I summarize my questions:

  1. How can I return to the form where it asks me for the MOK password to continue correctly to try again?
  2. In case you cannot return to that menu with the MOK password form, is it necessary to import the key again? Is it overwritten or what would happen?
  3. If I can return to the form and the MOK password does not work again, how can I change it?

I appreciate any help

Yes, that should work.

VirtualBox from the RPM Fusion repos does this automatically.
There’s also a script that works for VirtualBox from the Oracle repo:

sudo tee /usr/local/sbin/update-secureboot-policy << "EOF" > /dev/null
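#!/bin/bash
# Subcommand to run: --help, --new-key or --enroll-key
COMMAND="${1}"
# Private key; the DER certificate is written next to it as MOK.der
MOK_KEY="/var/lib/shim-signed/mok/MOK.priv"
# Password given to mokutil; MokManager asks for it when enrolling at the next boot
MOK_PASS="fedora"
case "${COMMAND}" in
(--help)
# Print the supported subcommands
tee << EOI ;;
--new-key
--enroll-key
EOI
(--new-key)
# Create the key pair once; do nothing if the private key already exists
if [ -f "${MOK_KEY}" ]; then exit 0; fi
mkdir -p "${MOK_KEY%/*}"
openssl req -nodes -new -x509 -newkey "rsa:2048" \
-addext "extendedKeyUsage=codeSigning" \
-outform "DER" -subj "/CN=VirtualBox/" \
-keyout "${MOK_KEY}" -out "${MOK_KEY%.*}.der" ;;
(--enroll-key)
# Queue the certificate for enrollment, answering both mokutil password prompts
mokutil -i "${MOK_KEY%.*}.der" << EOI ;;
${MOK_PASS}
${MOK_PASS}
EOI
esac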
EOF
sudo chmod +x /usr/local/sbin/update-secureboot-policy
sudo systemctl restart vboxdrv.service

Unstated, but useful, is that if you installed VirtualBox from RPM Fusion, then the instructions in the file /var/share/doc/akmods/README.secureboot give all the steps to create and enroll the key with mokutil. Following that initial enrollment, akmods does the automatic updates required to compile and sign the modules with every kernel upgrade.

I used the command you provided, however when I run it, I receive the following error as output:

Job for vboxdrv.service failed because the control process exited with error code.

Since it hasn’t worked, should I revert the changes made with the command, or is it not problematic?

Using systemctl status vboxdrv.service, I receive the following information:


vboxdrv.service - VirtualBox Linux kernel module
     Loaded: loaded (/usr/lib/virtualbox/vboxdrv.sh; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Mon 2023-10-09 09:37:18 -05; 6min ago
    Process: 13871 ExecStart=/usr/lib/virtualbox/vboxdrv.sh start (code=exited, status=1/FAILURE)
        CPU: 1.745s

oct 09 07:37:17 hrq vboxdrv.sh[13871]: vboxdrv.sh: Starting VirtualBox services.
oct 09 07:37:17 hrq vboxdrv.sh[13871]: vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
oct 09 07:37:17 hrq vboxdrv.sh[13871]:   vboxdrv vboxnetflt vboxnetadp
oct 09 07:37:17 hrq vboxdrv.sh[13871]: See the documentation for your Linux distribution..
oct 09 07:37:17 hrq vboxdrv.sh[13958]: You must sign these kernel modules before using VirtualBox:
                                              vboxdrv vboxnetflt vboxnetadp
                                            See the documentation for your Linux distribution..
oct 09 07:37:18 hrq vboxdrv.sh[13871]: vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.
oct 09 07:37:18 hrq systemd[1]: vboxdrv.service: Control process exited, code=exited, status=1/FAILURE
oct 09 07:37:18 hrq systemd[1]: vboxdrv.service: Failed with result 'exit-code'.
oct 09 07:37:18 hrq systemd[1]: Failed to start vboxdrv.service - VirtualBox Linux kernel module.
oct 09 07:37:18 hrq systemd[1]: vboxdrv.service: Consumed 1.745s CPU time.

The above script should automatically sign the modules on kernel update.
Rebuild the modules and reboot to enroll the MOK key:

sudo /usr/lib/virtualbox/vboxdrv.sh cleanup
sudo /usr/lib/virtualbox/vboxdrv.sh setup
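
To see where enrollment stands after the steps in this thread, the following read-only check reports Secure Boot state, pending MOK requests, and the signer of each module that the service log names. It is an added example, not code from any poster or from VirtualBox. The function names and the `--run` switch are assumptions of this example; the certificate path and the journal line format are the ones quoted above.

```shell
#!/bin/sh
# Added example: read-only MOK / module-signing status check.

# Constructed sample in the shape of the journal lines quoted in the thread.
SAMPLE_LOG='oct 09 07:37:17 hrq vboxdrv.sh[13871]: vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
oct 09 07:37:17 hrq vboxdrv.sh[13871]:   vboxdrv vboxnetflt vboxnetadp
oct 09 07:37:17 hrq vboxdrv.sh[13871]: See the documentation for your Linux distribution..'

# Read journal text on stdin and print, once each, the module names listed on
# the line that follows "You must sign these kernel modules".
unsigned_modules() {
    awk '
        grab { sub(/^.*\]:/, "")            # drop the "host unit[pid]:" prefix, if any
               for (i = 1; i <= NF; i++)
                   if ($i ~ /^[A-Za-z0-9_]+$/ && !seen[$i]++) print $i
               grab = 0 }
        /You must sign these kernel modules/ { grab = 1 }
    '
}

# For each module name on stdin print "<module> <signer>"; the signer is
# "none" when modinfo reports no signature or cannot find the module.
module_signers() {
    while read -r mod; do
        signer=$(modinfo -F signer "$mod" 2>/dev/null) || signer=
        printf '%s %s\n' "$mod" "${signer:-none}"
    done
}

# Full report on a live system (may need root to read EFI variables).
report() {
    der=${1:-/var/lib/shim-signed/mok/MOK.der}   # path used in the thread
    mokutil --sb-state                 # is Secure Boot enabled?
    mokutil --list-new                 # requests waiting for MokManager at next boot
    mokutil --test-key "$der"          # is this certificate enrolled?
    openssl x509 -inform DER -in "$der" -noout -subject   # compare with signers below
    journalctl -b -u vboxdrv.service --no-pager | unsigned_modules | module_signers
}

if [ "${1:-}" = "--run" ]; then report "${2:-}"; fi
```

Run it with `--run` (optionally followed by a different certificate path) on the affected machine; without arguments it only defines the functions.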