The VirtualBox package from upstream isn't signed for usage with Secure
Boot with the Debian kernel.
When booting with Secure Boot enabled, then upstream's vboxdrv.service with
its vboxdrv.sh executes all kind of Secure Boot related magic like:
| /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --new-key
This fails and causes a noticeable delay during bootup. Therefore skip
execution of VirtualBox setup within our config_virtualbox_setup() when
detecting enabled Secure Boot mode, at least until we've a better solution
for this.
While doing so, move detection of enabled Secure Boot mode into a helper
function to avoid duplicated code (DRY).
Thanks: Ralf Moll for the bugreport
+# helper function to check whether we're running under (enabled) Secure Boot
+running_under_secureboot() {
# systemd does this for us, but if we are not running under systemd then mokutil
# doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
# /sys/firmware/efi/vars would exist)
# systemd does this for us, but if we are not running under systemd then mokutil
# doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
# /sys/firmware/efi/vars would exist)
if [ -x /usr/bin/mokutil ] ; then
local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
if [ -n "$secstate" ] ; then
if [ -x /usr/bin/mokutil ] ; then
local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
if [ -n "$secstate" ] ; then
- einfo "SecureBoot is enabled" ; eend 0
- einfo "SecureBoot not detected" ; eend 0
fi
else
if modprobe efivars &>/dev/null ; then
if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
fi
else
if modprobe efivars &>/dev/null ; then
if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
- einfo "SecureBoot is enabled" ; eend 0
- einfo "SecureBoot not detected" ; eend 0
+
+config_secureboot(){
+ if running_under_secureboot ; then
+ einfo "SecureBoot is enabled" ; eend 0
+ else
+ einfo "SecureBoot not detected" ; eend 0
+ fi
+}
- if [ -x /usr/bin/VBox ] ; then
- einfo "VirtualBox service detected, trying to set up."
- service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $?
-
- config_userfstab
+ if ! [ -x /usr/bin/VBox ] ; then
+ return
+ fi
- einfo "Adding user ${fstabuser:-grml} to group vboxusers."
- adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1
- eend $?
+ if running_under_secureboot ; then
+ ewarn "VirtualBox service can not be started as running under enabled Secure Boot." ; eend 0
+ return
+
+ einfo "VirtualBox service detected, trying to set up."
+ service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $?
+
+ config_userfstab
+
+ einfo "Adding user ${fstabuser:-grml} to group vboxusers."
+ adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1
+ eend $?
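Review bot: In running_under_secureboot, the mokutil branch treats any non-empty output of `mokutil --sb-state` as Secure Boot being enabled (`if [ -n "$secstate" ]`), but mokutil also prints a state line when Secure Boot is off (e.g. "SecureBoot disabled"). Before this commit that test only produced a wrong info message; now it also makes config_virtualbox_setup skip the vboxdrv restart and the vboxusers setup on EFI systems where Secure Boot is disabled. Match the state explicitly, for example `if printf '%s\n' "$secstate" | grep -q '^SecureBoot enabled' ; then`. The helper's return statements are not visible on this page, so this assumes the enabled branch returns 0.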