I have not tried either of those procedures. I do, however, do this in a different way -- but it's a very tedious method. This description will make it seem easier than that because I refer to a big page I've written that covers the worst of the tedious parts. My procedure is:
- Take control of Secure Boot -- In my case, I've configured my computer so that I embed my own Secure Boot public key in the firmware. This way I don't need to use Shim or MOKs. I've removed Microsoft's keys from and added my own and Canonical's keys to the computer on which I use this procedure, but you can set yours up with whatever keys you like. The critical part for the purposes of your question is that you must include a key that you generate, with a private key that you retain to make it work. You'll also need keys used to sign standard components -- Canonical's key, Microsoft's public marketplace key, or both. If you dual-boot with Windows, you'll need the public key for the one Microsoft uses to sign its own boot loader. See this page of mine for all the gory details -- but be aware that this is a tedious and finicky procedure, so you may spend quite a while getting this part working. Note that most UEFIs make it pretty easy to restore the standard key set, so the risk involved in trying this procedure is low.
- Sign the VirtualBox modules -- The next step is to sign the VirtualBox kernel modules. This is done in pretty much the same way as the pages to which you've linked describe; however, I have a script to help automate this process (see below).
- Load the VirtualBox module -- After signing the modules, they must be loaded. This should happen automatically on reboot; but if you want to use VirtualBox without rebooting, you must explicitly use
modprobe
for each of the modules (vboxdrv
, vboxnetflt
, vboxpci
, and vboxnetadp
).
- Repeat steps 2-3 after every kernel update -- After a kernel update, steps #2 and #3 must be repeated.
For convenience, I've written a script to do steps #2 and #3 in one command. I call it sign-vbox
. Here it is:
#!/bin/bash
# sign-vbox script, copyright (c) 2017 by Rod Smith
# Distributed under the terms of the GPLv3
if [ "$#" -ne 1 ] && [ "$#" -ne 0 ]; then
echo "Usage: $0 [ {kernel-version} ]"
exit 1
fi
if [ "$#" == 0 ]; then
kernel_version=$(uname -r)
else
kernel_version="$1"
fi
sign_file=$(find /usr/src/ -name sign-file | tail -n 1)
if [ -z $sign_file ]; then
echo "Can't find the sign-file binary! Exiting!"
exit 1
else
path_to_modules="/lib/modules/$kernel_version/updates/dkms"
if [ ! -f $path_to_modules/vboxdrv.ko ]; then
echo "Could not find $path_to_modules/vboxdrv.ko!"
echo "Is the kernel version correct?"
exit 1
fi
echo "Signing modules for $kernel_version"
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxdrv.ko
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxnetadp.ko
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxnetflt.ko
$sign_file sha256 /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer $path_to_modules/vboxpci.ko
modprobe vboxdrv
modprobe vboxnetflt
modprobe vboxpci
modprobe vboxnetadp
echo "Loaded vbox modules:"
lsmod | grep vbox
fi
To use this script, simply type its name. It signs the VirtualBox modules associated with the currently-running kernel. If you pass it a kernel version number, it should sign the kernels associated with that kernel version, but there's no room for error in specifying the kernel version number. (It expects the same format that uname -r
would return if the kernel were running.)
Note that the script expects to find private (refind_local.key
) and public (refind_local.cer
) keys in /etc/refind.d/keys/
. You'll have to change that location for your own system, unless you use rEFInd and use local keys for it. The private key file should be as secure as you can make it, such as having 0400 (-r--------
) permissions. Limiting access to the directory itself may be helpful, too. Better yet, put it on a USB flash drive that you plug in only when you run this command.
Also, I wrote this script for my own personal use. It probably has bugs, particularly if used in a way I don't expect. Certainly it fails pretty badly if the necessary kernel source files aren't installed.
It's conceivable that this script would work with the MOK-based methods you tried to use if you pointed it at the key files you generated, the public file of which you loaded into the MOK. I can't promise this, though, and of course your problems could be due to either improperly signed kernel modules or problems on the Shim/MOK end. Using this script would help only if your kernel modules were not properly signed.
My steps to make it work with secure boot were as follows:
When I was installing Ubuntu 18.04.1, when I reached the "updates and other software stage" in the installation, there was an option to set a password for secure boot, so I went ahead and enabled the check box and entered a new password for secure boot.
Later on after the installation, when I wanted to install Nvidia drivers, I did the following:
Standard Ubuntu procedure:
sudo apt-get update
sudo apt-get upgrade
Add the Official Nvidia PPA to Ubuntu
sudo add-apt-repository ppa:graphics-drivers/ppa
Update and upgrade again
sudo apt-get update
sudo apt-get upgrade
I checked which was the recommended driver for my GPU via the command:
ubuntu-drivers devices
I opened "Software & Updates" and clicked the "Additional Drivers" tab, I then chose the recommended driver and clicked "Apply Changes", while the driver was installing somewhere in the middle it prompted me for secure boot password, that it when I entered the password I set up when I was installing Ubuntu, after it finished applying I restarted my device, when it was rebooting a blue menu appeared asking to press any key, I pressed then a menu labeled as "Perform MOK Management" appeared, there were the following four options:
- Continue boot
- Enroll Key
- Enroll Key from Disk
- Enroll Key from Hash
I chose option number 2, then I continued to boot, it finally worked, I went to Ubuntu settings->Details and my Graphic Card name was shown correctly.
Best Answer
Try this:
- Step 1: Download latest driver from NVIDIA website, https://www.geforce.com/drivers.
- Step 2: Create new pair private key (Nvidia.key) and public key (Nvidia.der) by entering command:
Example:
- Step 3: Enroll public key (nvidia.der) to MOK (Machine Owner Key) by entering command:
Example:
--> This command requires you create password for enrolling. Afterwards, reboot your computer, in the next boot, the system will ask you enroll, you enter your password (which you created in this step) to enroll it. Read more: https://sourceware.org/systemtap/wiki/SecureBoot
- Step 4: For the first time install NVidia driver, you need to disable Nouveau kernel driver by entering command:
--> Reboot.
-Step 5: Install driver by entering command
where:
XXXXXX
: name of file installer (download from NVIDIA).PATH_TO_PRIVATE_KEY
: full path to private key. If you place in home folder, use/home/USER_NAME/
instead of~
PATH_TO_PUBLIC_KEY
: full path to public key. If you place in home folder, use/home/USER_NAME/
instead of~
Example:
--> Done
Read more https://us.download.nvidia.com/XFree86/Linux-x86/319.32/README/installdriver.html