Debian 13/12 Secure Boot: Sign VirtualBox Kernel Modules (DKMS + .run installer)
Table of Contents
4. Debian 13/12 Secure Boot: Howto sign VirtualBox kernel modules (DKMS + .run installer)⌗
This page shows how to keep UEFI Secure Boot enabled and still use VirtualBox installed using this guide (Oracle repo + .run installer + DKMS).
NOTE: This Secure Boot guide is an initial version. If you have problems or something doesn’t work on your system, please drop a comment and tell it to me (include your Debian version, kernel version and VirtualBox version).
Important: If you plan to keep Secure Boot enabled, do steps 4.1 – 4.4 before you install VirtualBox. After the installation, do 4.6 so DKMS rebuilt modules are signed automatically on kernel updates.
When Secure Boot is enabled, the Linux kernel will usually refuse to load unsigned third-party kernel modules. This means vboxdrv, vboxnetflt, vboxnetadp, vboxpci modules must be signed with a key trusted by your system firmware (MOK).
4.1 Check is Secure Boot enabled⌗
mokutil --sb-state
If output is SecureBoot enabled, then you need to sign the VirtualBox kernel modules.
4.2 Change root user⌗
su -
## OR ##
sudo -i
4.3 Install needed tools⌗
## Debian 13/12 ##
apt update
apt install openssl mokutil linux-headers-$(uname -r)
4.4 Create your own MOK key pair⌗
NOTE: Keep the private key safe. Anyone who has your private key can sign kernel modules which may load on your system.
mkdir -p /root/module-signing
cd /root/module-signing
## Create key + certificate for module signing ##
openssl req -new -x509 -newkey rsa:2048 \
-keyout MOK-vbox.priv \
-outform DER -out MOK-vbox.der \
-nodes -days 36500 \
-subj "/CN=Debian VirtualBox DKMS Module Signing/"
chmod 600 /root/module-signing/MOK-vbox.priv
## VirtualBox installer module signing options ##
## You can use MOK-vbox.priv directly as the secret key.
## Export certificate as PEM (.x509) for installer option.
openssl x509 -inform DER -in /root/module-signing/MOK-vbox.der -out /root/module-signing/signing-vbox.x509
4.5 Enroll the public key (MOK) to Secure Boot⌗
mokutil --import /root/module-signing/MOK-vbox.der
- Set a one-time password
- Reboot
- On next boot you will see MOK Manager
- Select Enroll MOK → Continue → Yes and type the password you just created
After enrollment, boot normally and continue installation from either:
4.6 Sign VirtualBox modules (one-time manual method)⌗
If you installed VirtualBox using Oracle repo or the .run installer and everything works, you can usually skip this step. This is useful right after you install VirtualBox to verify (or fix) module signatures.
NOTE (important):
- Make sure you are signing modules for the same kernel you will boot (check
uname -r). - If DKMS rebuilds VirtualBox modules after you sign them, then the rebuilt modules are unsigned again. Create DKMS post-build hook on step 4.7.
Check is your MOK key enrolled:
mokutil --test-key /root/module-signing/MOK-vbox.der
## OR ##
mokutil --list-enrolled |grep -i "Debian VirtualBox DKMS Module Signing" || true
KERNELVER=$(uname -r)
SIGNFILE=/usr/src/linux-headers-${KERNELVER}/scripts/sign-file
## Sign the installed VirtualBox modules for current kernel ##
for m in vboxdrv vboxnetflt vboxnetadp vboxpci; do
modpath=$(modinfo -F filename "$m" 2>/dev/null || echo "")
if [ -n "$modpath" ]; then
echo "Signing $m -> $modpath"
${SIGNFILE} sha256 /root/module-signing/MOK-vbox.priv /root/module-signing/MOK-vbox.der "$modpath"
fi
done
Verify signatures:
modinfo vboxdrv | egrep -i "signer|sig_key|sig_hash"
If signing succeeded, rebuild module dependencies:
depmod -a
4.7 Auto-sign VirtualBox modules after every DKMS rebuild (recommended)⌗
With DKMS, modules will be rebuilt on every kernel update. If you don’t automate signing, you may not be able to start VirtualBox after an update because the VirtualBox modules fail to load.
Do this step after VirtualBox installation to make sure kernel updates keep working with Secure Boot enabled.
4.7.1 Configure DKMS module signing (recommended)⌗
On Debian, DKMS can sign modules automatically as part of dkms install. This is the preferred way (no custom hook scripts needed).
For VirtualBox modules only, use module-specific configuration:
mkdir -p /etc/dkms/vboxhost
cat > /etc/dkms/vboxhost.conf <<EOF
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
EOF
Alternatively, if you prefer to add to the global config file (/etc/dkms/framework.conf), make sure to add these variables:
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
You can add these to the global config file with:
cat >> /etc/dkms/framework.conf <<EOF
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
EOF
After this, DKMS signs VirtualBox kernel modules automatically on every rebuild.
If you still get Key was rejected by service, then the signing key/certificate is not enrolled. Enroll the key you actually use:
- if you use your own key from step 4.4, enroll
/root/module-signing/MOK-vbox.der - if DKMS uses its own key, enroll
/var/lib/dkms/mok.pub(see 4.7.2)
4.7.2 Note about dkms status showing “Differences between built and installed modules”⌗
If you see output like:
vboxhost/<version>, <kernel>, x86_64: installed (Differences between built and installed modules)
This can be normal when:
- the modules are signed (signing changes the file), and/or
- the installed modules are compressed by the system (for example
*.ko.xzunder/lib/modules/<kernel>/...).
Don’t use dkms status alone to decide if Secure Boot signing works. Verify the actual module signature for the kernel you are going to boot.
Check which kernel will be used:
uname -r
Verify module exists and signature is present for a specific kernel:
KERNELVER="6.12.6-amd64"
modinfo -k "${KERNELVER}" vboxdrv | egrep -i "filename|signer|sig_key|sig_hash"
modinfo -k "${KERNELVER}" vboxnetflt | egrep -i "filename|signer|sig_key|sig_hash"
If the signer/sig_* fields are missing or modules won’t load, do a clean reinstall for that kernel:
KERNELVER="6.12.6-amd64"
VER="7.2.6"
## NOTE: do not use --all together with -k ##
dkms remove -m vboxhost -v "${VER}" -k "${KERNELVER}" || true
dkms install -m vboxhost -v "${VER}" -k "${KERNELVER}" --force
depmod -a "${KERNELVER}"
4.7.3 Debian note: DKMS may use its own signing key⌗
On Debian, DKMS can sign modules automatically using its own key pair (example paths):
- Private key:
/var/lib/dkms/mok.key - Public certificate:
/var/lib/dkms/mok.pub
In this case modinfo may show:
signer: DKMS module signing key
If Secure Boot is enabled and the key is not enrolled to MOK, then loading modules fails with:
modprobe: ERROR: could not insert 'vboxdrv': Key was rejected by service
Fix option A (recommended): Enroll the DKMS public key
mokutil --import /var/lib/dkms/mok.pub
reboot
Then enroll it on next boot using MOK Manager (Enroll MOK).
Fix option B: Force DKMS to use your own MOK key for vboxhost only (created in step 4.4)
If you want DKMS to sign VirtualBox modules using your own key/cert instead of /var/lib/dkms/mok.*, configure DKMS signing key paths.
For VirtualBox modules only (recommended), use module-specific config:
mkdir -p /etc/dkms/vboxhost
cat > /etc/dkms/vboxhost.conf <<EOF
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
EOF
Alternatively, add to global config file /etc/dkms/framework.conf:
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
After changing DKMS config, rebuild/install the module for the kernel again.
4.8 Troubleshooting⌗
- VirtualBox modules won’t load: check
journalctl -b -k |grep -i -E "vbox|Lockdown|secure|mok|signature" - MOK Manager not shown after
mokutil --import: confirm you are booting UEFI (not legacy BIOS) and Secure Boot is actually enabled. - Key rotation: if you want to regenerate keys later, enroll the new
MOK-vbox.derand re-sign modules.
Typical Secure Boot error looks like:
Lockdown: ... unsigned module loading is restrictedmodule verification failed: signature and/or required key missing
Check also VirtualBox’s own module signing documentation:
4.8 Howto fix vboxconfig command to work with custom module signing keys⌗
When you run /sbin/vboxconfig to rebuild VirtualBox modules (after kernel updates or manually), the command needs to know about your custom MOK keys if Secure Boot is enabled. Otherwise, it will rebuild modules without signing, causing “Key was rejected by service” errors.
Option A: Use DKMS directly (recommended)⌗
Instead of /sbin/vboxconfig, use DKMS to rebuild modules with proper signing:
## Find the installed VirtualBox module version ##
dkms status
## Example output: vboxhost/7.2.4, 6.12.6-amd64, x86_64: installed ##
## Rebuild for current kernel using DKMS (respects /etc/dkms/vboxhost.conf signing config) ##
dkms install -m vboxhost -v 7.2.4 --force
This method automatically uses the signing keys configured in /etc/dkms/vboxhost.conf (or /etc/dkms/framework.conf).
Option B: Configure vboxconfig environment variables (if DKMS config fails)⌗
If DKMS environment variables are not picked up by vboxconfig, you can manually set signing variables before running vboxconfig:
export KBUILD_SIGN_PIN=""
export KBUILD_SIGN_MODULE="1"
export KBUILD_MODKEY_PRIVKEY="/root/module-signing/MOK-vbox.priv"
export KBUILD_MODKEY_PUBKEY="/root/module-signing/MOK-vbox.der"
/sbin/vboxconfig
Option C: Use a wrapper script for vboxconfig⌗
Create a script /root/vboxconfig-signed.sh:
#!/bin/bash
# Set signing variables for vboxconfig
export KBUILD_SIGN_PIN=""
export KBUILD_SIGN_MODULE="1"
export KBUILD_MODKEY_PRIVKEY="/root/module-signing/MOK-vbox.priv"
export KBUILD_MODKEY_PUBKEY="/root/module-signing/MOK-vbox.der"
# Run vboxconfig with signing environment
exec /sbin/vboxconfig "$@"
Make it executable and use it instead of vboxconfig:
chmod +x /root/vboxconfig-signed.sh
/root/vboxconfig-signed.sh
Verify modules are signed after rebuild:
modinfo vboxdrv | egrep -i "signer|sig_key|sig_hash"
If you see signer information, the modules are properly signed.
4.9 VirtualBox with Secure Boot enabled on Debian 13⌗
After successful module signing and enrollment, VirtualBox should work normally with Secure Boot enabled.
You can verify Secure Boot status with:
mokutil --sb-state
And verify VirtualBox modules are properly signed and loaded:
lsmod | grep vbox
modinfo vboxdrv | egrep -i "signer|sig_key|sig_hash"