VirtualBox

source: vbox/trunk/src/VBox/Installer/linux/vboxdrv.sh@ 97017

Last change on this file since 97017 was 97017, checked in by vboxsync, 3 years ago

Installer: Linux: rcvboxdrv.sh: Do not use update-secureboot-policy tool if it does not support required commandline switches, bugref:10287.

Unlike Ubuntu and simillar distributions, on Debian, update-secureboot-policy tool
does not support '--new-key' and '--enroll-key' command line switches. This makes it
no use for us on Debian. Moreover, 'update-secureboot-policy --enroll-key' will open
interactive user-input dialog which will result in 5 minutes hang on host boot. So,
just don't use it in this case and let user to generate and enroll keys manually.
  • Property svn:eol-style set to LF
  • Property svn:keywords set to Author Date Id Revision
File size: 28.6 KB
Line 
1#! /bin/sh
2# Oracle VM VirtualBox
3# Linux kernel module init script
4
5#
6# Copyright (C) 2006-2022 Oracle and/or its affiliates.
7#
8# This file is part of VirtualBox base platform packages, as
9# available from https://www.virtualbox.org.
10#
11# This program is free software; you can redistribute it and/or
12# modify it under the terms of the GNU General Public License
13# as published by the Free Software Foundation, in version 3 of the
14# License.
15#
16# This program is distributed in the hope that it will be useful, but
17# WITHOUT ANY WARRANTY; without even the implied warranty of
18# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19# General Public License for more details.
20#
21# You should have received a copy of the GNU General Public License
22# along with this program; if not, see <https://www.gnu.org/licenses>.
23#
24# SPDX-License-Identifier: GPL-3.0-only
25#
26
27# chkconfig: 345 20 80
28# description: VirtualBox Linux kernel module
29#
30### BEGIN INIT INFO
31# Provides: vboxdrv
32# Required-Start: $syslog
33# Required-Stop:
34# Default-Start: 2 3 4 5
35# Default-Stop: 0 1 6
36# Short-Description: VirtualBox Linux kernel module
37### END INIT INFO
38
39## @todo This file duplicates a lot of script with vboxadd.sh. When making
40# changes please try to reduce differences between the two wherever possible.
41
42## @todo Remove the stop_vms target so that this script is only relevant to
43# kernel modules. Nice but not urgent.
44
45PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
46DEVICE=/dev/vboxdrv
47MODPROBE=/sbin/modprobe
48SCRIPTNAME=vboxdrv.sh
49
50# The below is GNU-specific. See VBox.sh for the longer Solaris/OS X version.
51TARGET=`readlink -e -- "${0}"` || exit 1
52SCRIPT_DIR="${TARGET%/[!/]*}"
53
54if $MODPROBE -c | grep -q '^allow_unsupported_modules *0'; then
55 MODPROBE="$MODPROBE --allow-unsupported-modules"
56fi
57
58setup_log()
59{
60 test -n "${LOG}" && return 0
61 # Rotate log files
62 LOG="/var/log/vbox-setup.log"
63 mv "${LOG}.3" "${LOG}.4" 2>/dev/null
64 mv "${LOG}.2" "${LOG}.3" 2>/dev/null
65 mv "${LOG}.1" "${LOG}.2" 2>/dev/null
66 mv "${LOG}" "${LOG}.1" 2>/dev/null
67}
68
69[ -f /etc/vbox/vbox.cfg ] && . /etc/vbox/vbox.cfg
70export VBOX_KBUILD_TYPE
71export USERNAME
72export USER=$USERNAME
73
74if test -n "${INSTALL_DIR}" && test -x "${INSTALL_DIR}/VirtualBox"; then
75 MODULE_SRC="${INSTALL_DIR}/src/vboxhost"
76elif test -x /usr/lib/virtualbox/VirtualBox; then
77 INSTALL_DIR=/usr/lib/virtualbox
78 MODULE_SRC="/usr/share/virtualbox/src/vboxhost"
79elif test -x "${SCRIPT_DIR}/VirtualBox"; then
80 # Executing from the build directory
81 INSTALL_DIR="${SCRIPT_DIR}"
82 MODULE_SRC="${INSTALL_DIR}/src"
83else
84 # Silently exit if the package was uninstalled but not purged.
85 # Applies to Debian packages only (but shouldn't hurt elsewhere)
86 exit 0
87fi
88VIRTUALBOX="${INSTALL_DIR}/VirtualBox"
89VBOXMANAGE="${INSTALL_DIR}/VBoxManage"
90BUILDINTMP="${MODULE_SRC}/build_in_tmp"
91if test -u "${VIRTUALBOX}"; then
92 GROUP=root
93 DEVICE_MODE=0600
94else
95 GROUP=vboxusers
96 DEVICE_MODE=0660
97fi
98
99KERN_VER=`uname -r`
100if test -e "${MODULE_SRC}/vboxpci"; then
101 MODULE_LIST="vboxdrv vboxnetflt vboxnetadp vboxpci"
102else
103 MODULE_LIST="vboxdrv vboxnetflt vboxnetadp"
104fi
105# Secure boot state.
106case "`mokutil --sb-state 2>/dev/null`" in
107 *"disabled in shim"*) unset HAVE_SEC_BOOT;;
108 *"SecureBoot enabled"*) HAVE_SEC_BOOT=true;;
109 *) unset HAVE_SEC_BOOT;;
110esac
111# So far we can only sign modules on Ubuntu and on Debian 10 and later.
112DEB_PUB_KEY=/var/lib/shim-signed/mok/MOK.der
113DEB_PRIV_KEY=/var/lib/shim-signed/mok/MOK.priv
114unset HAVE_DEB_KEY
115case "`mokutil --test-key "$DEB_PUB_KEY" 2>/dev/null`" in
116 *"is already"*) DEB_KEY_ENROLLED=true;;
117 *) unset DEB_KEY_ENROLLED;;
118esac
119
120# Try to find a tool for modules signing.
121SIGN_TOOL=$(which kmodsign 2>/dev/null)
122# Attempt to use in-kernel signing tool if kmodsign not found.
123if test -z "$SIGN_TOOL"; then
124 if test -x "/lib/modules/$KERN_VER/build/scripts/sign-file"; then
125 SIGN_TOOL="/lib/modules/$KERN_VER/build/scripts/sign-file"
126 fi
127fi
128
129# Check if update-secureboot-policy tool supports required commandline options.
130update_secureboot_policy_supports()
131{
132 opt_name="$1"
133 [ -n "$opt_name" ] || return
134
135 [ -z "$(update-secureboot-policy --help 2>&1 | grep "$opt_name")" ] && return
136 echo "1"
137}
138
139HAVE_UPDATE_SECUREBOOT_POLICY_TOOL=
140if type update-secureboot-policy >/dev/null 2>&1; then
141 [ "$(update_secureboot_policy_supports new-key)" = "1" -a "$(update_secureboot_policy_supports enroll-key)" = "1" ] && \
142 HAVE_UPDATE_SECUREBOOT_POLICY_TOOL=true
143fi
144
145[ -r /etc/default/virtualbox ] && . /etc/default/virtualbox
146
147# Preamble for Gentoo
148if [ "`which $0`" = "/sbin/rc" ]; then
149 shift
150fi
151
152begin_msg()
153{
154 test -n "${2}" && echo "${SCRIPTNAME}: ${1}."
155 logger -t "${SCRIPTNAME}" "${1}."
156}
157
158succ_msg()
159{
160 logger -t "${SCRIPTNAME}" "${1}."
161}
162
163fail_msg()
164{
165 echo "${SCRIPTNAME}: failed: ${1}." >&2
166 logger -t "${SCRIPTNAME}" "failed: ${1}."
167}
168
169failure()
170{
171 fail_msg "$1"
172 exit 1
173}
174
175running()
176{
177 lsmod | grep -q "$1[^_-]"
178}
179
180log()
181{
182 setup_log
183 echo "${1}" >> "${LOG}"
184}
185
186module_build_log()
187{
188 setup_log
189 echo "${1}" | egrep -v \
190 "^test -e include/generated/autoconf.h|^echo >&2|^/bin/false\)$" \
191 >> "${LOG}"
192}
193
194# Detect VirtualBox version info or report error.
195VBOX_VERSION="`"$VBOXMANAGE" -v | cut -d r -f1`"
196[ -n "$VBOX_VERSION" ] || failure 'Cannot detect VirtualBox version number'
197VBOX_REVISION="r`"$VBOXMANAGE" -v | cut -d r -f2`"
198[ "$VBOX_REVISION" != "r" ] || failure 'Cannot detect VirtualBox revision number'
199
200## Output the vboxdrv part of our udev rule. This is redirected to the right file.
201udev_write_vboxdrv() {
202 VBOXDRV_GRP="$1"
203 VBOXDRV_MODE="$2"
204
205 echo "KERNEL==\"vboxdrv\", OWNER=\"root\", GROUP=\"$VBOXDRV_GRP\", MODE=\"$VBOXDRV_MODE\""
206 echo "KERNEL==\"vboxdrvu\", OWNER=\"root\", GROUP=\"root\", MODE=\"0666\""
207 echo "KERNEL==\"vboxnetctl\", OWNER=\"root\", GROUP=\"$VBOXDRV_GRP\", MODE=\"$VBOXDRV_MODE\""
208}
209
210## Output the USB part of our udev rule. This is redirected to the right file.
211udev_write_usb() {
212 INSTALLATION_DIR="$1"
213 USB_GROUP="$2"
214
215 echo "SUBSYSTEM==\"usb_device\", ACTION==\"add\", RUN+=\"$INSTALLATION_DIR/VBoxCreateUSBNode.sh \$major \$minor \$attr{bDeviceClass}${USB_GROUP}\""
216 echo "SUBSYSTEM==\"usb\", ACTION==\"add\", ENV{DEVTYPE}==\"usb_device\", RUN+=\"$INSTALLATION_DIR/VBoxCreateUSBNode.sh \$major \$minor \$attr{bDeviceClass}${USB_GROUP}\""
217 echo "SUBSYSTEM==\"usb_device\", ACTION==\"remove\", RUN+=\"$INSTALLATION_DIR/VBoxCreateUSBNode.sh --remove \$major \$minor\""
218 echo "SUBSYSTEM==\"usb\", ACTION==\"remove\", ENV{DEVTYPE}==\"usb_device\", RUN+=\"$INSTALLATION_DIR/VBoxCreateUSBNode.sh --remove \$major \$minor\""
219}
220
221## Generate our udev rule file. This takes a change in udev rule syntax in
222## version 55 into account. It only creates rules for USB for udev versions
223## recent enough to support USB device nodes.
224generate_udev_rule() {
225 VBOXDRV_GRP="$1" # The group owning the vboxdrv device
226 VBOXDRV_MODE="$2" # The access mode for the vboxdrv device
227 INSTALLATION_DIR="$3" # The directory VirtualBox is installed in
228 USB_GROUP="$4" # The group that has permission to access USB devices
229 NO_INSTALL="$5" # Set this to "1" to remove but not re-install rules
230
231 # Extra space!
232 case "$USB_GROUP" in ?*) USB_GROUP=" $USB_GROUP" ;; esac
233 case "$NO_INSTALL" in "1") return ;; esac
234 udev_write_vboxdrv "$VBOXDRV_GRP" "$VBOXDRV_MODE"
235 udev_write_usb "$INSTALLATION_DIR" "$USB_GROUP"
236}
237
238## Install udev rule (disable with INSTALL_NO_UDEV=1 in
239## /etc/default/virtualbox).
240install_udev() {
241 VBOXDRV_GRP="$1" # The group owning the vboxdrv device
242 VBOXDRV_MODE="$2" # The access mode for the vboxdrv device
243 INSTALLATION_DIR="$3" # The directory VirtualBox is installed in
244 USB_GROUP="$4" # The group that has permission to access USB devices
245 NO_INSTALL="$5" # Set this to "1" to remove but not re-install rules
246
247 if test -d /etc/udev/rules.d; then
248 generate_udev_rule "$VBOXDRV_GRP" "$VBOXDRV_MODE" "$INSTALLATION_DIR" \
249 "$USB_GROUP" "$NO_INSTALL"
250 fi
251 # Remove old udev description file
252 rm -f /etc/udev/rules.d/10-vboxdrv.rules 2> /dev/null
253}
254
255## Create a usb device node for a given sysfs path to a USB device.
256install_create_usb_node_for_sysfs() {
257 path="$1" # sysfs path for the device
258 usb_createnode="$2" # Path to the USB device node creation script
259 usb_group="$3" # The group to give ownership of the node to
260 if test -r "${path}/dev"; then
261 dev="`cat "${path}/dev" 2> /dev/null`"
262 major="`expr "$dev" : '\(.*\):' 2> /dev/null`"
263 minor="`expr "$dev" : '.*:\(.*\)' 2> /dev/null`"
264 class="`cat ${path}/bDeviceClass 2> /dev/null`"
265 sh "${usb_createnode}" "$major" "$minor" "$class" \
266 "${usb_group}" 2>/dev/null
267 fi
268}
269
270udev_rule_file=/etc/udev/rules.d/60-vboxdrv.rules
271sysfs_usb_devices="/sys/bus/usb/devices/*"
272
273## Install udev rules and create device nodes for usb access
274setup_usb() {
275 VBOXDRV_GRP="$1" # The group that should own /dev/vboxdrv
276 VBOXDRV_MODE="$2" # The mode to be used for /dev/vboxdrv
277 INSTALLATION_DIR="$3" # The directory VirtualBox is installed in
278 USB_GROUP="$4" # The group that should own the /dev/vboxusb device
279 # nodes unless INSTALL_NO_GROUP=1 in
280 # /etc/default/virtualbox. Optional.
281 usb_createnode="$INSTALLATION_DIR/VBoxCreateUSBNode.sh"
282 # install udev rule (disable with INSTALL_NO_UDEV=1 in
283 # /etc/default/virtualbox)
284 if [ "$INSTALL_NO_GROUP" != "1" ]; then
285 usb_group=$USB_GROUP
286 vboxdrv_group=$VBOXDRV_GRP
287 else
288 usb_group=root
289 vboxdrv_group=root
290 fi
291 install_udev "${vboxdrv_group}" "$VBOXDRV_MODE" \
292 "$INSTALLATION_DIR" "${usb_group}" \
293 "$INSTALL_NO_UDEV" > ${udev_rule_file}
294 # Build our device tree
295 for i in ${sysfs_usb_devices}; do # This line intentionally without quotes.
296 install_create_usb_node_for_sysfs "$i" "${usb_createnode}" \
297 "${usb_group}"
298 done
299}
300
301cleanup_usb()
302{
303 # Remove udev description file
304 rm -f /etc/udev/rules.d/60-vboxdrv.rules
305 rm -f /etc/udev/rules.d/10-vboxdrv.rules
306
307 # Remove our USB device tree
308 rm -rf /dev/vboxusb
309}
310
311# Returns path to module file as seen by modinfo(8) or empty string.
312module_path()
313{
314 mod="$1"
315 [ -n "$mod" ] || return
316
317 modinfo "$mod" 2>/dev/null | grep -e "^filename:" | tr -s ' ' | cut -d " " -f2
318}
319
320# Returns module version if module is available or empty string.
321module_version()
322{
323 mod="$1"
324 [ -n "$mod" ] || return
325
326 modinfo "$mod" 2>/dev/null | grep -e "^version:" | tr -s ' ' | cut -d " " -f2
327}
328
329# Returns module revision if module is available in the system or empty string.
330module_revision()
331{
332 mod="$1"
333 [ -n "$mod" ] || return
334
335 modinfo "$mod" 2>/dev/null | grep -e "^version:" | tr -s ' ' | cut -d " " -f3
336}
337
338# Reads kernel configuration option.
339kernel_get_config_opt()
340{
341 opt_name="$1"
342 [ -n "$opt_name" ] || return
343
344 # Check if there is a kernel tool which can extract config option.
345 if test -x /lib/modules/"$KERN_VER"/build/scripts/config; then
346 /lib/modules/"$KERN_VER"/build/scripts/config \
347 --file /lib/modules/"$KERN_VER"/build/.config \
348 --state "$opt_name" 2>/dev/null
349 elif test -f /lib/modules/"$KERN_VER"/build/.config; then
350 # Extract config option manually.
351 grep "$opt_name" /lib/modules/"$KERN_VER"/build/.config | sed -e "s/^$opt_name=//" -e "s/\"//g"
352 fi
353}
354
355# Reads CONFIG_MODULE_SIG_HASH from kernel config.
356kernel_module_sig_hash()
357{
358 kernel_get_config_opt "CONFIG_MODULE_SIG_HASH"
359}
360
361# Returns "1" if kernel module signature hash algorithm
362# is supported by us. Or empty string otherwise.
363module_sig_hash_supported()
364{
365 sig_hashalgo="$1"
366 [ -n "$sig_hashalgo" ] || return
367
368 # Go through supported list.
369 [ "$sig_hashalgo" = "sha1" \
370 -o "$sig_hashalgo" = "sha224" \
371 -o "$sig_hashalgo" = "sha256" \
372 -o "$sig_hashalgo" = "sha384" \
373 -o "$sig_hashalgo" = "sha512" ] || return
374
375 echo "1"
376}
377
378# Returns "1" if module is signed and signature can be verified
379# with public key provided in DEB_PUB_KEY. Or empty string otherwise.
380module_signed()
381{
382 mod="$1"
383 [ -n "$mod" ] || return
384
385 extraction_tool=/lib/modules/"$(uname -r)"/build/scripts/extract-module-sig.pl
386 mod_path=$(module_path "$mod" 2>/dev/null)
387 openssl_tool=$(which openssl 2>/dev/null)
388 # Do not use built-in printf!
389 printf_tool=$(which printf 2>/dev/null)
390
391 # Make sure all the tools required for signature validation are available.
392 [ -x "$extraction_tool" ] || return
393 [ -n "$mod_path" ] || return
394 [ -n "$openssl_tool" ] || return
395 [ -n "$printf_tool" ] || return
396
397 # Make sure openssl can handle hash algorithm.
398 sig_hashalgo=$(modinfo -F sig_hashalgo vboxdrv 2>/dev/null)
399 [ "$(module_sig_hash_supported $sig_hashalgo)" = "1" ] || return
400
401 # Generate file names for temporary stuff.
402 mod_pub_key=$(mktemp -u)
403 mod_signature=$(mktemp -u)
404 mod_unsigned=$(mktemp -u)
405
406 # Convert public key in DER format into X509 certificate form.
407 "$openssl_tool" x509 -pubkey -inform DER -in "$DEB_PUB_KEY" -out "$mod_pub_key" 2>/dev/null
408 # Extract raw module signature and convert it into binary format.
409 "$printf_tool" \\x$(modinfo -F signature "$mod" | sed -z 's/[ \t\n]//g' | sed -e "s/:/\\\x/g") 2>/dev/null > "$mod_signature"
410 # Extract unsigned module for further digest calculation.
411 "$extraction_tool" -0 "$mod_path" 2>/dev/null > "$mod_unsigned"
412
413 # Verify signature.
414 rc=""
415 "$openssl_tool" dgst "-$sig_hashalgo" -binary -verify "$mod_pub_key" -signature "$mod_signature" "$mod_unsigned" 2>&1 >/dev/null && rc="1"
416 # Clean up.
417 rm -f $mod_pub_key $mod_signature $mod_unsigned
418
419 # Check result.
420 [ "$rc" = "1" ] || return
421
422 echo "1"
423}
424
425# Returns "1" if externally built module is available in the system and its
426# version and revision number do match to current VirtualBox installation.
427# Or empty string otherwise.
428module_available()
429{
430 mod="$1"
431 [ -n "$mod" ] || return
432
433 [ "$VBOX_VERSION" = "$(module_version "$mod")" ] || return
434 [ "$VBOX_REVISION" = "$(module_revision "$mod")" ] || return
435
436 # Check if module belongs to VirtualBox installation.
437 #
438 # We have a convention that only modules from /lib/modules/*/misc
439 # belong to us. Modules from other locations are treated as
440 # externally built.
441 mod_path="$(module_path "$mod")"
442
443 # If module path points to a symbolic link, resolve actual file location.
444 [ -L "$mod_path" ] && mod_path="$(readlink -e -- "$mod_path")"
445
446 # File exists?
447 [ -f "$mod_path" ] || return
448
449 # Extract last component of module path and check whether it is located
450 # outside of /lib/modules/*/misc.
451 mod_dir="$(dirname "$mod_path" | sed 's;^.*/;;')"
452 [ "$mod_dir" = "misc" ] || return
453
454 # In case if system is running in Secure Boot mode, check if module is signed.
455 if test -n "$HAVE_SEC_BOOT"; then
456 [ "$(module_signed "$mod")" = "1" ] || return
457 fi
458
459 echo "1"
460}
461
462# Check if required modules are installed in the system and versions match.
463setup_complete()
464{
465 [ "$(module_available vboxdrv)" = "1" ] || return
466 [ "$(module_available vboxnetflt)" = "1" ] || return
467 [ "$(module_available vboxnetadp)" = "1" ] || return
468
469 # All modules are in place.
470 echo "1"
471}
472
473start()
474{
475 begin_msg "Starting VirtualBox services" console
476 if [ -d /proc/xen ]; then
477 failure "Running VirtualBox in a Xen environment is not supported"
478 fi
479 if test -n "$HAVE_SEC_BOOT" && test -z "$DEB_KEY_ENROLLED"; then
480 if test -n "$HAVE_DEB_KEY"; then
481 begin_msg "You must re-start your system to finish Debian secure boot set-up." console
482 else
483 begin_msg "You must sign these kernel modules before using VirtualBox:
484 $MODULE_LIST
485See the documentation for your Linux distribution." console
486 fi
487 fi
488
489 if ! running vboxdrv; then
490
491 # Check if system already has matching modules installed.
492 [ "$(setup_complete)" = "1" ] || setup
493
494 if ! rm -f $DEVICE; then
495 failure "Cannot remove $DEVICE"
496 fi
497 if ! $MODPROBE vboxdrv > /dev/null 2>&1; then
498 failure "modprobe vboxdrv failed. Please use 'dmesg' to find out why"
499 fi
500 sleep .2
501 fi
502 # ensure the character special exists
503 if [ ! -c $DEVICE ]; then
504 MAJOR=`sed -n 's;\([0-9]\+\) vboxdrv$;\1;p' /proc/devices`
505 if [ ! -z "$MAJOR" ]; then
506 MINOR=0
507 else
508 MINOR=`sed -n 's;\([0-9]\+\) vboxdrv$;\1;p' /proc/misc`
509 if [ ! -z "$MINOR" ]; then
510 MAJOR=10
511 fi
512 fi
513 if [ -z "$MAJOR" ]; then
514 rmmod vboxdrv 2>/dev/null
515 failure "Cannot locate the VirtualBox device"
516 fi
517 if ! mknod -m 0660 $DEVICE c $MAJOR $MINOR 2>/dev/null; then
518 rmmod vboxdrv 2>/dev/null
519 failure "Cannot create device $DEVICE with major $MAJOR and minor $MINOR"
520 fi
521 fi
522 # ensure permissions
523 if ! chown :"${GROUP}" $DEVICE 2>/dev/null; then
524 rmmod vboxpci 2>/dev/null
525 rmmod vboxnetadp 2>/dev/null
526 rmmod vboxnetflt 2>/dev/null
527 rmmod vboxdrv 2>/dev/null
528 failure "Cannot change group ${GROUP} for device $DEVICE"
529 fi
530 if ! $MODPROBE vboxnetflt > /dev/null 2>&1; then
531 failure "modprobe vboxnetflt failed. Please use 'dmesg' to find out why"
532 fi
533 if ! $MODPROBE vboxnetadp > /dev/null 2>&1; then
534 failure "modprobe vboxnetadp failed. Please use 'dmesg' to find out why"
535 fi
536 if test -e "${MODULE_SRC}/vboxpci" && ! $MODPROBE vboxpci > /dev/null 2>&1; then
537 failure "modprobe vboxpci failed. Please use 'dmesg' to find out why"
538 fi
539 # Create the /dev/vboxusb directory if the host supports that method
540 # of USB access. The USB code checks for the existance of that path.
541 if grep -q usb_device /proc/devices; then
542 mkdir -p -m 0750 /dev/vboxusb 2>/dev/null
543 chown root:vboxusers /dev/vboxusb 2>/dev/null
544 fi
545 # Remove any kernel modules left over from previously installed kernels.
546 cleanup only_old
547 succ_msg "VirtualBox services started"
548}
549
550stop()
551{
552 begin_msg "Stopping VirtualBox services" console
553
554 if running vboxpci; then
555 if ! rmmod vboxpci 2>/dev/null; then
556 failure "Cannot unload module vboxpci"
557 fi
558 fi
559 if running vboxnetadp; then
560 if ! rmmod vboxnetadp 2>/dev/null; then
561 failure "Cannot unload module vboxnetadp"
562 fi
563 fi
564 if running vboxdrv; then
565 if running vboxnetflt; then
566 if ! rmmod vboxnetflt 2>/dev/null; then
567 failure "Cannot unload module vboxnetflt"
568 fi
569 fi
570 if ! rmmod vboxdrv 2>/dev/null; then
571 failure "Cannot unload module vboxdrv"
572 fi
573 if ! rm -f $DEVICE; then
574 failure "Cannot unlink $DEVICE"
575 fi
576 fi
577 succ_msg "VirtualBox services stopped"
578}
579
580# enter the following variables in /etc/default/virtualbox:
581# SHUTDOWN_USERS="foo bar"
582# check for running VMs of user foo and user bar
583# SHUTDOWN=poweroff
584# SHUTDOWN=acpibutton
585# SHUTDOWN=savestate
586# select one of these shutdown methods for running VMs
587stop_vms()
588{
589 wait=0
590 for i in $SHUTDOWN_USERS; do
591 # don't create the ipcd directory with wrong permissions!
592 if [ -d /tmp/.vbox-$i-ipc ]; then
593 export VBOX_IPC_SOCKETID="$i"
594 VMS=`$VBOXMANAGE --nologo list runningvms | sed -e 's/^".*".*{\(.*\)}/\1/' 2>/dev/null`
595 if [ -n "$VMS" ]; then
596 if [ "$SHUTDOWN" = "poweroff" ]; then
597 begin_msg "Powering off remaining VMs"
598 for v in $VMS; do
599 $VBOXMANAGE --nologo controlvm $v poweroff
600 done
601 succ_msg "Remaining VMs powered off"
602 elif [ "$SHUTDOWN" = "acpibutton" ]; then
603 begin_msg "Sending ACPI power button event to remaining VMs"
604 for v in $VMS; do
605 $VBOXMANAGE --nologo controlvm $v acpipowerbutton
606 wait=30
607 done
608 succ_msg "ACPI power button event sent to remaining VMs"
609 elif [ "$SHUTDOWN" = "savestate" ]; then
610 begin_msg "Saving state of remaining VMs"
611 for v in $VMS; do
612 $VBOXMANAGE --nologo controlvm $v savestate
613 done
614 succ_msg "State of remaining VMs saved"
615 fi
616 fi
617 fi
618 done
619 # wait for some seconds when doing ACPI shutdown
620 if [ "$wait" -ne 0 ]; then
621 begin_msg "Waiting for $wait seconds for VM shutdown"
622 sleep $wait
623 succ_msg "Waited for $wait seconds for VM shutdown"
624 fi
625}
626
627cleanup()
628{
629 # If this is set, only remove kernel modules for no longer installed
630 # kernels. Note that only generated kernel modules should be placed
631 # in /lib/modules/*/misc. Anything that we should not remove automatically
632 # should go elsewhere.
633 only_old="${1}"
634 for i in /lib/modules/*; do
635 # Check whether we are only cleaning up for uninstalled kernels.
636 test -n "${only_old}" && test -e "${i}/kernel/drivers" && continue
637 # We could just do "rm -f", but we only want to try deleting folders if
638 # we are sure they were ours, i.e. they had our modules in beforehand.
639 if test -e "${i}/misc/vboxdrv.ko" \
640 || test -e "${i}/misc/vboxnetadp.ko" \
641 || test -e "${i}/misc/vboxnetflt.ko" \
642 || test -e "${i}/misc/vboxpci.ko"; then
643 rm -f "${i}/misc/vboxdrv.ko" "${i}/misc/vboxnetadp.ko" \
644 "${i}/misc/vboxnetflt.ko" "${i}/misc/vboxpci.ko"
645 version=`expr "${i}" : "/lib/modules/\(.*\)"`
646 depmod -a "${version}"
647 sync
648 fi
649 # Remove the kernel version folder if it was empty except for us.
650 test "`echo ${i}/misc/* ${i}/misc/.?* ${i}/* ${i}/.?*`" \
651 = "${i}/misc/* ${i}/misc/.. ${i}/misc ${i}/.." &&
652 rmdir "${i}/misc" "${i}" # We used to leave empty folders.
653 done
654}
655
656# setup_script
657setup()
658{
659 begin_msg "Building VirtualBox kernel modules" console
660 log "Building the main VirtualBox module."
661
662 # Detect if kernel was built with clang.
663 unset LLVM
664 vbox_cc_is_clang=$(kernel_get_config_opt "CONFIG_MODULE_SIG_HASH")
665 if test "${vbox_cc_is_clang}" = "y"; then
666 log "Using clang compiler."
667 export LLVM=1
668 fi
669
670 if ! myerr=`$BUILDINTMP \
671 --save-module-symvers /tmp/vboxdrv-Module.symvers \
672 --module-source "$MODULE_SRC/vboxdrv" \
673 --no-print-directory install 2>&1`; then
674 "${INSTALL_DIR}/check_module_dependencies.sh" || exit 1
675 log "Error building the module:"
676 module_build_log "$myerr"
677 failure "Look at $LOG to find out what went wrong"
678 fi
679 log "Building the net filter module."
680 if ! myerr=`$BUILDINTMP \
681 --use-module-symvers /tmp/vboxdrv-Module.symvers \
682 --module-source "$MODULE_SRC/vboxnetflt" \
683 --no-print-directory install 2>&1`; then
684 log "Error building the module:"
685 module_build_log "$myerr"
686 failure "Look at $LOG to find out what went wrong"
687 fi
688 log "Building the net adaptor module."
689 if ! myerr=`$BUILDINTMP \
690 --use-module-symvers /tmp/vboxdrv-Module.symvers \
691 --module-source "$MODULE_SRC/vboxnetadp" \
692 --no-print-directory install 2>&1`; then
693 log "Error building the module:"
694 module_build_log "$myerr"
695 failure "Look at $LOG to find out what went wrong"
696 fi
697 if test -e "$MODULE_SRC/vboxpci"; then
698 log "Building the PCI pass-through module."
699 if ! myerr=`$BUILDINTMP \
700 --use-module-symvers /tmp/vboxdrv-Module.symvers \
701 --module-source "$MODULE_SRC/vboxpci" \
702 --no-print-directory install 2>&1`; then
703 log "Error building the module:"
704 module_build_log "$myerr"
705 failure "Look at $LOG to find out what went wrong"
706 fi
707 fi
708 rm -f /etc/vbox/module_not_compiled
709 depmod -a
710 sync
711 succ_msg "VirtualBox kernel modules built"
712
713 # Secure boot on Ubuntu, Debian and Oracle Linux.
714 if test -n "$HAVE_SEC_BOOT"; then
715 begin_msg "Signing VirtualBox kernel modules" console
716
717 # Generate new signing key if needed.
718 [ -n "$HAVE_UPDATE_SECUREBOOT_POLICY_TOOL" ] && SHIM_NOTRIGGER=y update-secureboot-policy --new-key
719
720 # Check if signing keys are in place.
721 if test ! -f "$DEB_PUB_KEY" || ! test -f "$DEB_PRIV_KEY"; then
722 # update-secureboot-policy tool present in the system, but keys were not generated.
723 [ -n "$HAVE_UPDATE_SECUREBOOT_POLICY_TOOL" ] && fail_msg "
724
725update-secureboot-policy tool does not generate signing keys
726in your distribution, see below on how to generate them manually
727"
728
729 # update-secureboot-policy not present in the system, recommend generate keys manually.
730 failure "
731
732System is running in Secure Boot mode, however your distribution
733does not provide tools for automatic generation of keys needed for
734modules signing. Please consider to generate and enroll them manually:
735
736 sudo mkdir -p /var/lib/shim-signed/mok
737 sudo openssl req -nodes -new -x509 -newkey rsa:2048 -outform DER -keyout $DEB_PRIV_KEY -out $DEB_PUB_KEY
738 sudo sudo mokutil --import $DEB_PUB_KEY
739 sudo reboot
740
741Restart \"rcvboxdrv setup\" after system is rebooted
742"
743 fi
744
745 # Check if signing tool is available.
746 [ -n "$SIGN_TOOL" ] || failure "Unable to find signing tool"
747
748 # Get kernel signature hash algorithm from kernel config and validate it.
749 sig_hashalgo=$(kernel_module_sig_hash)
750 [ "$(module_sig_hash_supported $sig_hashalgo)" = "1" ] \
751 || failure "Unsupported kernel signature hash algorithm $sig_hashalgo"
752
753 # Sign modules.
754 for i in $MODULE_LIST; do
755 "$SIGN_TOOL" "$sig_hashalgo" "$DEB_PRIV_KEY" "$DEB_PUB_KEY" \
756 /lib/modules/"$KERN_VER"/misc/"$i".ko 2>/dev/null || failure "Unable to sign $i.ko"
757 done
758
759 # Enroll signing key if needed.
760 if test -n "$HAVE_UPDATE_SECUREBOOT_POLICY_TOOL"; then
761 # update-secureboot-policy "expects" DKMS modules.
762 # Work around this and talk to the authors as soon
763 # as possible to fix it.
764 mkdir -p /var/lib/dkms/vbox-temp
765 update-secureboot-policy --enroll-key 2>/dev/null ||
766 begin_msg "Failed to enroll secure boot key." console
767 rmdir -p /var/lib/dkms/vbox-temp 2>/dev/null
768
769 # Indicate that key has been enrolled and reboot is needed.
770 HAVE_DEB_KEY=true
771 fi
772 succ_msg "Signing completed"
773 fi
774}
775
776dmnstatus()
777{
778 if running vboxdrv; then
779 str="vboxdrv"
780 if running vboxnetflt; then
781 str="$str, vboxnetflt"
782 if running vboxnetadp; then
783 str="$str, vboxnetadp"
784 fi
785 fi
786 if running vboxpci; then
787 str="$str, vboxpci"
788 fi
789 echo "VirtualBox kernel modules ($str) are loaded."
790 for i in $SHUTDOWN_USERS; do
791 # don't create the ipcd directory with wrong permissions!
792 if [ -d /tmp/.vbox-$i-ipc ]; then
793 export VBOX_IPC_SOCKETID="$i"
794 VMS=`$VBOXMANAGE --nologo list runningvms | sed -e 's/^".*".*{\(.*\)}/\1/' 2>/dev/null`
795 if [ -n "$VMS" ]; then
796 echo "The following VMs are currently running:"
797 for v in $VMS; do
798 echo " $v"
799 done
800 fi
801 fi
802 done
803 else
804 echo "VirtualBox kernel module is not loaded."
805 fi
806}
807
808case "$1" in
809start)
810 start
811 ;;
812stop)
813 stop_vms
814 stop
815 ;;
816stop_vms)
817 stop_vms
818 ;;
819restart)
820 stop && start
821 ;;
822setup)
823 test -n "${2}" && export KERN_VER="${2}"
824 # Create udev rule and USB device nodes.
825 ## todo Wouldn't it make more sense to install the rule to /lib/udev? This
826 ## is not a user-created configuration file after all.
827 ## todo Do we need a udev rule to create /dev/vboxdrv[u] at all? We have
828 ## working fall-back code here anyway, and the "right" code is more complex
829 ## than the fall-back. Unnecessary duplication?
830 stop && cleanup
831 setup_usb "$GROUP" "$DEVICE_MODE" "$INSTALL_DIR"
832 start
833 ;;
834cleanup)
835 stop && cleanup
836 cleanup_usb
837 ;;
838force-reload)
839 stop
840 start
841 ;;
842status)
843 dmnstatus
844 ;;
845*)
846 echo "Usage: $0 {start|stop|stop_vms|restart|setup|cleanup|force-reload|status}"
847 exit 1
848esac
849
850exit 0
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette