4. RHEL / CentOS / Rocky Linux / Alma Linux 10 / 9 / 8 Secure Boot: Howto sign VirtualBox kernel modules (DKMS + .run installer)

This page shows how to keep UEFI Secure Boot enabled and still use VirtualBox installed using this guide (Oracle repo + .run installer + DKMS).

NOTE: This Secure Boot guide is an initial version. If you have problems or something doesn’t work on your system, please drop a comment and tell it to me (include your distro version, kernel version and VirtualBox version).

Important: If you plan to keep Secure Boot enabled, do steps 4.1 – 4.4 before you install VirtualBox. After the installation, do 4.6 so DKMS rebuilt modules are signed automatically on kernel updates.

When Secure Boot is enabled, the Linux kernel will usually refuse to load unsigned third-party kernel modules. This means vboxdrv, vboxnetflt, vboxnetadp, vboxpci modules must be signed with a key trusted by your system firmware (MOK).

4.1 Check is Secure Boot enabled

mokutil --sb-state

If output is SecureBoot enabled, then you need to sign the VirtualBox kernel modules.

4.2 Change root user

su -
## OR ##
sudo -i

4.3 Install needed tools

## RHEL / CentOS / Rocky Linux / Alma Linux 10 / 9 / 8 ##
dnf install openssl mokutil kernel-devel kernel-headers

4.4 Create your own MOK key pair

NOTE: Keep the private key safe. Anyone who has your private key can sign kernel modules which may load on your system.

mkdir -p /root/module-signing
cd /root/module-signing

## Create key + certificate for module signing ##
openssl req -new -x509 -newkey rsa:2048 \
	-keyout MOK-vbox.priv \
	-outform DER -out MOK-vbox.der \
	-nodes -days 36500 \
	-subj "/CN=RHEL VirtualBox DKMS Module Signing/"

chmod 600 /root/module-signing/MOK-vbox.priv

## VirtualBox installer module signing options ##
## You can use MOK-vbox.priv directly as the secret key.
## Export certificate as PEM (.x509) for installer option.
openssl x509 -inform DER -in /root/module-signing/MOK-vbox.der -out /root/module-signing/signing-vbox.x509

4.5 Enroll the public key (MOK) to Secure Boot

mokutil --import /root/module-signing/MOK-vbox.der
  • Set a one-time password
  • Reboot
  • On next boot you will see MOK Manager
  • Select Enroll MOKContinueYes and type the password you just created

After enrollment, boot normally and continue installation from either:

4.6 Sign VirtualBox modules (one-time manual method)

If you installed VirtualBox using Oracle repo or the .run installer and everything works, you can usually skip this step. This is useful right after you install VirtualBox to verify (or fix) module signatures.

NOTE (important):

  • Make sure you are signing modules for the same kernel you will boot (check uname -r).
  • If DKMS rebuilds VirtualBox modules after you sign them, then the rebuilt modules are unsigned again. Create DKMS post-build hook on step 4.7.

Check is your MOK key enrolled:

mokutil --test-key /root/module-signing/MOK-vbox.der
## OR ##
mokutil --list-enrolled |grep -i "RHEL VirtualBox DKMS Module Signing" || true
KERNELVER=$(uname -r)
SIGNFILE=/usr/src/kernels/${KERNELVER}/scripts/sign-file

## Sign the installed VirtualBox modules for current kernel ##
for m in vboxdrv vboxnetflt vboxnetadp vboxpci; do
	modpath=$(modinfo -F filename "$m" 2>/dev/null || echo "")
	if [ -n "$modpath" ]; then
		echo "Signing $m -> $modpath"
		${SIGNFILE} sha256 /root/module-signing/MOK-vbox.priv /root/module-signing/MOK-vbox.der "$modpath"
	fi
done

Verify signatures:

modinfo vboxdrv | egrep -i "signer|sig_key|sig_hash"

If signing succeeded, rebuild module dependencies:

depmod -a

With DKMS, modules will be rebuilt on every kernel update. If you don’t automate signing, you may not be able to start VirtualBox after an update because the VirtualBox modules fail to load.

Do this step after VirtualBox installation to make sure kernel updates keep working with Secure Boot enabled.

On RHEL-based systems, DKMS can sign modules automatically as part of dkms install. This is the preferred way (no custom hook scripts needed).

For VirtualBox modules only, use module-specific configuration:

mkdir -p /etc/dkms/vboxhost
cat > /etc/dkms/vboxhost.conf <<EOF
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
EOF

Alternatively, if you prefer to add to the global config file (/etc/dkms/framework.conf), make sure to add these variables:

mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"

You can add these to the global config file with:

cat >> /etc/dkms/framework.conf <<EOF
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
EOF

After this, DKMS signs VirtualBox kernel modules automatically on every rebuild.

If you still get Key was rejected by service, then the signing key/certificate is not enrolled. Enroll the key you actually use:

  • if you use your own key from step 4.4, enroll /root/module-signing/MOK-vbox.der
  • if DKMS uses its own key, enroll /var/lib/dkms/mok.pub (see 4.7.2)

4.7.2 Note about dkms status showing “Differences between built and installed modules”

If you see output like:

vboxhost/<version>, <kernel>, x86_64: installed (Differences between built and installed modules)

This can be normal when:

  • the modules are signed (signing changes the file), and/or
  • the installed modules are compressed by the system (for example *.ko.xz under /lib/modules/<kernel>/...).

Don’t use dkms status alone to decide if Secure Boot signing works. Verify the actual module signature for the kernel you are going to boot.

Check which kernel will be used:

uname -r

Verify module exists and signature is present for a specific kernel:

KERNELVER="5.14.0-503.11.1.el10_0.x86_64"  ## RHEL 10 example ##
## KERNELVER="5.14.0-427.13.1.el9_4.x86_64"  ## RHEL 9 example ##
## KERNELVER="4.18.0-553.16.1.el8_10.x86_64"  ## RHEL 8 example ##

modinfo -k "${KERNELVER}" vboxdrv | egrep -i "filename|signer|sig_key|sig_hash"
modinfo -k "${KERNELVER}" vboxnetflt | egrep -i "filename|signer|sig_key|sig_hash"

If the signer/sig_* fields are missing or modules won’t load, do a clean reinstall for that kernel:

KERNELVER="5.14.0-503.11.1.el10_0.x86_64"
VER="7.2.6"

## NOTE: do not use --all together with -k ##
dkms remove -m vboxhost -v "${VER}" -k "${KERNELVER}" || true
dkms install -m vboxhost -v "${VER}" -k "${KERNELVER}" --force

depmod -a "${KERNELVER}"

4.7.3 RHEL note: DKMS may use its own signing key

On RHEL-based systems, DKMS can sign modules automatically using its own key pair (example paths):

  • Private key: /var/lib/dkms/mok.key
  • Public certificate: /var/lib/dkms/mok.pub

In this case modinfo may show:

  • signer: DKMS module signing key

If Secure Boot is enabled and the key is not enrolled to MOK, then loading modules fails with:

  • modprobe: ERROR: could not insert 'vboxdrv': Key was rejected by service

Fix option A (recommended): Enroll the DKMS public key

mokutil --import /var/lib/dkms/mok.pub
reboot

Then enroll it on next boot using MOK Manager (Enroll MOK).

Fix option B: Force DKMS to use your own MOK key for vboxhost only (created in step 4.4)

If you want DKMS to sign VirtualBox modules using your own key/cert instead of /var/lib/dkms/mok.*, configure DKMS signing key paths.

For VirtualBox modules only (recommended), use module-specific config:

mkdir -p /etc/dkms/vboxhost
cat > /etc/dkms/vboxhost.conf <<EOF
mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"
EOF

Alternatively, add to global config file /etc/dkms/framework.conf:

mok_signing_key="/root/module-signing/MOK-vbox.priv"
mok_certificate="/root/module-signing/MOK-vbox.der"

After changing DKMS config, rebuild/install the module for the kernel again.

4.8 Howto fix vboxdrv.sh/vboxconfig command to work with custom module signing keys

When you run /sbin/vboxconfig or /usr/lib/virtualbox/vboxdrv.sh setup to rebuild VirtualBox modules (after kernel updates or manually), the command needs to know about your custom MOK keys if Secure Boot is enabled. Otherwise, it will rebuild modules without signing, causing “Key was rejected by service” errors.

Option A: Use DKMS directly (recommended)

Instead of /sbin/vboxconfig or vboxdrv.sh setup, use DKMS to rebuild modules with proper signing:

## Find the installed VirtualBox module version ##
dkms status

## Example output: vboxhost/7.2.4, 5.14.0-503.11.1.el10_0.x86_64, x86_64: installed ##

## Rebuild for current kernel using DKMS (respects /etc/dkms/vboxhost.conf signing config) ##
dkms install -m vboxhost -v 7.2.4 --force

This method automatically uses the signing keys configured in /etc/dkms/vboxhost.conf (or /etc/dkms/framework.conf).

Option B: Configure vboxconfig environment variables (if DKMS config fails)

If DKMS environment variables are not picked up by vboxconfig, you can manually set signing variables before running vboxconfig:

export KBUILD_SIGN_PIN=""
export KBUILD_SIGN_MODULE="1"
export KBUILD_MODKEY_PRIVKEY="/root/module-signing/MOK-vbox.priv"
export KBUILD_MODKEY_PUBKEY="/root/module-signing/MOK-vbox.der"

/usr/lib/virtualbox/vboxdrv.sh setup
## OR ##
/sbin/vboxconfig

Option C: Use a wrapper script for vboxdrv.sh

Create a script /root/vboxdrv-signed.sh:

#!/bin/bash

# Set signing variables for vboxdrv.sh
export KBUILD_SIGN_PIN=""
export KBUILD_SIGN_MODULE="1"
export KBUILD_MODKEY_PRIVKEY="/root/module-signing/MOK-vbox.priv"
export KBUILD_MODKEY_PUBKEY="/root/module-signing/MOK-vbox.der"

# Run vboxdrv.sh with signing environment
exec /usr/lib/virtualbox/vboxdrv.sh "$@"

Make it executable and use it instead of vboxdrv.sh:

chmod +x /root/vboxdrv-signed.sh
/root/vboxdrv-signed.sh setup

Verify modules are signed after rebuild:

modinfo vboxdrv | egrep -i "signer|sig_key|sig_hash"

If you see signer information, the modules are properly signed.

4.9 Troubleshooting

  • VirtualBox modules won’t load: check journalctl -b -k |grep -i -E "vbox|Lockdown|secure|mok|signature"
  • MOK Manager not shown after mokutil --import: confirm you are booting UEFI (not legacy BIOS) and Secure Boot is actually enabled.
  • Key rotation: if you want to regenerate keys later, enroll the new MOK-vbox.der and re-sign modules.

Typical Secure Boot error looks like:

  • Lockdown: ... unsigned module loading is restricted
  • module verification failed: signature and/or required key missing

Check also VirtualBox’s own module signing documentation:

4.10 VirtualBox with Secure Boot enabled on RHEL / CentOS / Rocky Linux / Alma Linux 10 / 9 / 8

After successful module signing and enrollment, VirtualBox should work normally with Secure Boot enabled.

You can verify Secure Boot status with:

mokutil --sb-state

And verify VirtualBox modules are properly signed and loaded:

lsmod | grep vbox
modinfo vboxdrv | egrep -i "signer|sig_key|sig_hash"