From: Michael Prokop
Date: Tue, 15 Sep 2020 19:16:49 +0000 (+0200)
Subject: Do not run VirtualBox setup under enabled Secure Boot to avoid errors and startup...
X-Git-Tag: v0.19.4~1
X-Git-Url: https://git.grml.org/?p=grml-autoconfig.git;a=commitdiff_plain;h=14203ccf156430ede6bfc55fb19a142dcf8c7397

Do not run VirtualBox setup under enabled Secure Boot to avoid errors and startup delays

The VirtualBox package from upstream isn't signed for usage with Secure Boot with the Debian kernel. When booting with Secure Boot enabled, then upstream's vboxdrv.service with its vboxdrv.sh executes all kinds of Secure Boot related magic like:

| /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --new-key

This fails and causes a noticeable delay during bootup.

Therefore skip execution of VirtualBox setup within our config_virtualbox_setup() when detecting enabled Secure Boot mode, at least until we've a better solution for this.

While doing so, move detection of enabled Secure Boot mode into a helper function to avoid DRY code.

Thanks: Ralf Moll for the bug report
---
diff --git a/autoconfig.functions b/autoconfig.functions index 8b1c8af..8e4a09f 100755 --- a/autoconfig.functions +++ b/autoconfig.functions @@ -543,7 +543,8 @@ config_kernel(){ # }}} # {{{ secure boot -config_secureboot(){ +# helper function to check whether we're running under (enabled) Secure Boot +running_under_secureboot() { # systemd does this for us, but if we are not running under systemd then mokutil # doesn't work as needed as it relies on /sys/firmware/efi/efivars (while # /sys/firmware/efi/vars would exist)
@@ -556,20 +557,28 @@ config_secureboot(){ if [ -x /usr/bin/mokutil ] ; then local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled" if [ -n "$secstate" ] ; then - einfo "SecureBoot is enabled" ; eend 0 + return 0 else - einfo "SecureBoot not detected" ; eend 0 + return 1 fi else if modprobe efivars &>/dev/null ; then if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then - einfo "SecureBoot is enabled" ; eend 0 + return 0 else - einfo "SecureBoot not detected" ; eend 0 + return 1 fi fi fi } + +config_secureboot(){ + if running_under_secureboot ; then + einfo "SecureBoot is enabled" ; eend 0 + else + einfo "SecureBoot not detected" ; eend 0 + fi +} # }}} # {{{ timezone @@ -1950,16 +1959,23 @@ config_virtualbox_setup() { return fi - if [ -x /usr/bin/VBox ] ; then - einfo "VirtualBox service detected, trying to set up." - service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $? - - config_userfstab + if ! [ -x /usr/bin/VBox ] ; then + return + fi - einfo "Adding user ${fstabuser:-grml} to group vboxusers." - adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1 - eend $? + if running_under_secureboot ; then + ewarn "VirtualBox service can not be started as running under enabled Secure Boot." ; eend 0 + return fi + + einfo "VirtualBox service detected, trying to set up." + service_wrapper vboxdrv restart >>"${DEBUG}" 2>&1 ; eend $? + + config_userfstab + + einfo "Adding user ${fstabuser:-grml} to group vboxusers." + adduser "${fstabuser:-grml}" vboxusers >>"${DEBUG}" 2>&1 + eend $? } # }}}
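Review bot: In running_under_secureboot() (hunk at -556,20), the branch taken when /usr/bin/mokutil is not installed has no return for the case where `modprobe efivars` fails, so the function falls out of the `if` with status 0 and reports Secure Boot as enabled. Before this change that path only printed nothing; now it makes config_virtualbox_setup() skip VirtualBox on such systems. Add an explicit `return 1` after the inner `fi`, or as the last statement of the function. In the mokutil branch, `[ -n "$secstate" ]` is true for any output of `mokutil --sb-state`, not only the "SecureBoot enabled" string named in the comment. Since the result now gates other setup steps, match that string explicitly, for example `case "$secstate" in *"SecureBoot enabled"*) return 0 ;; esac` followed by `return 1`. A one-line comment stating the return convention (0 = enabled, 1 = not enabled or not detected) would also help callers.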
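Review bot: In config_virtualbox_setup() (hunk at -1950,16), the new `running_under_secureboot` early return skips `config_userfstab` and the `adduser "${fstabuser:-grml}" vboxusers` call along with the `service_wrapper vboxdrv restart`, although only the vboxdrv restart is what the commit message identifies as failing and slow. Consider guarding just the service restart, or say in a comment that skipping the group setup is intended. The decision also keys on Secure Boot state alone, with no override visible in this hunk, so a system where vboxdrv could load would be skipped too. A short comment above the check explaining why it is there (unsigned upstream module, boot delay) would keep the "until we've a better solution" context next to the code. Minor: "can not" in the ewarn text reads better as "cannot".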