Do not run VirtualBox setup under enabled Secure Boot to avoid errors and startup...

The VirtualBox package from upstream isn't signed for usage with Secure
Boot with the Debian kernel.

When booting with Secure Boot enabled, then upstream's vboxdrv.service with
its vboxdrv.sh executes all kind of Secure Boot related magic like:

| /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --new-key

This fails and causes a noticeable delay during bootup.  Therefore skip
execution of VirtualBox setup within our config_virtualbox_setup() when
detecting enabled Secure Boot mode, at least until we've a better solution
for this.

While doing so, move detection of enabled Secure Boot mode into a helper
function to avoid DRY code.

Thanks: Ralf Moll for the bugreport

diff --git a/autoconfig.functions b/autoconfig.functions
index 8b1c8af..8e4a09f 100755 (executable)
--- a/autoconfig.functions
+++ b/autoconfig.functions
@@ -543,7 +543,8 @@ config_kernel(){
 # }}}
 
 # {{{ secure boot
 # }}}
 
 # {{{ secure boot

-config_secureboot(){
+# helper function to check whether we're running under (enabled) Secure Boot
+running_under_secureboot() {

   # systemd does this for us, but if we are not running under systemd then mokutil
   # doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
   # /sys/firmware/efi/vars would exist)
   # systemd does this for us, but if we are not running under systemd then mokutil
   # doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
   # /sys/firmware/efi/vars would exist)


@@ -556,20 +557,28 @@ config_secureboot(){
   if [ -x /usr/bin/mokutil ] ; then
     local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
     if [ -n "$secstate" ] ; then
   if [ -x /usr/bin/mokutil ] ; then
     local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
     if [ -n "$secstate" ] ; then

-      einfo "SecureBoot is enabled" ; eend 0
+      return 0

     else
     else

-      einfo "SecureBoot not detected" ; eend 0
+      return 1

     fi
   else
     if modprobe efivars &>/dev/null ; then
       if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
     fi
   else
     if modprobe efivars &>/dev/null ; then
       if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then

-        einfo "SecureBoot is enabled" ; eend 0
+        return 0

       else
       else

-        einfo "SecureBoot not detected" ; eend 0
+        return 1

       fi
     fi
   fi
 }
       fi
     fi
   fi
 }

+
+config_secureboot(){
+  if running_under_secureboot ; then
+      einfo "SecureBoot is enabled" ; eend 0
+  else
+      einfo "SecureBoot not detected" ; eend 0
+  fi
+}

 # }}}
 
 # {{{ timezone
 # }}}
 
 # {{{ timezone


@@ -1950,16 +1959,23 @@ config_virtualbox_setup() {
     return
   fi
 
     return
   fi
 

-  if [ -x /usr/bin/VBox ] ; then
-    einfo "VirtualBox service detected, trying to set up."
-    service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $?
-
-    config_userfstab
+  if ! [ -x /usr/bin/VBox ] ; then
+    return
+  fi

 
 

-    einfo "Adding user ${fstabuser:-grml} to group vboxusers."
-    adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1
-    eend $?
+  if running_under_secureboot ; then
+    ewarn "VirtualBox service can not be started as running under enabled Secure Boot." ; eend 0
+    return

   fi
   fi

+
+  einfo "VirtualBox service detected, trying to set up."
+  service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $?
+
+  config_userfstab
+
+  einfo "Adding user ${fstabuser:-grml} to group vboxusers."
+  adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1
+  eend $?

 }
 # }}}
 
 }
 # }}}