[Solved] Setting up a MOK on Ubuntu will it break dual boot Windows? needed for VirtualBox on Ubuntu

I have managed to break secure boot in my Ubuntu install after updating the Nvidia driver via software and updates 3rd Party drivers.

Every time I try to upgrade to Ubuntu 25.10 it asks me to set up a MOK.

My concern is it might break my Windows install on the same SSD which also requires secure boot and is working fine.

I want to keep my current Ubuntu install as I have made a load of custom modifications over the last year that would be a pain to redo.

Will setting up MOK break my Windows install?
 
Could not find an answer other than it "should not/might not" break Windows secure boot from AI.

If it works it might cause another problem, as it could add Windows to grub, which will increase boot time because grub insists on scanning all my SSDs for operating systems at every boot.

Not sure what to do.
 
You need to tell us:

- What boot loader are you currently using to dual boot?
- Are both OSs on the same drive? If so, how is it partitioned?
- If using multiple drives, are there any bootloaders on those drives? Specify if so.

If it were me, I would run the OSs on separate drives .... the days of multibooting different operating systems from a single drive are far, far behind me
 
No. I’ve registered MOKs for my Debian install when setting up Nvidia drivers and it didn’t affect my W11 install.

Removing the drivers when I moved to an AMD card did however, I had to reactivate Windows iirc.
 
I am using the BIOS EFI loader.
Both OSs are on the same SSD. Partitions are 1GB EFI bootloader FAT, 256GB Ubuntu EXT4, 1TB Windows 11 NTFS, and a recovery partition.
The only bootloader (grub) runs when I select Ubuntu from the BIOS boot menu.

My problem seems to be a failed install of VirtualBox; dpkg keeps trying to run the installer every time I attempt to upgrade, landing me with the MOK setup.
 
I was able to finally remove Virtual Box partial install doing the following thanks to Eve online discord

sudo apt-get remove --purge virtualbox-7.2
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable

sudo fuser -v /var/cache/debconf/config.dat
                     USER        PID ACCESS COMMAND
/var/cache/debconf/config.dat:
                     root       6689 F.... frontend

sudo kill -9 6689

sudo rm /var/cache/debconf/*.dat

sudo apt-get remove --purge virtualbox-7.2

and Virtual box and MOK was gone :-)
 
I was about to go ahead kill or cure style, but it took a lot of effort to get Windows 11 back on my system, as for whatever reason the Windows 11 installer always crashes during the update stage, presumably due to some driver error. I had to install Windows 10 with drivers, then do an upgrade to 11, which failed a couple of times before eventually working.

Trying to remove the block on Ubuntu and potentially breaking it was the least worst possible outcome.

I can run Virtual box on Windows, so I still have that functionality, and I now have a working Ubuntu install for everything else.
 
I decided to revisit this problem, and I can confirm setting up a MOK on Linux does not break dual boot Windows install :-)

Unfortunately VirtualBox still refuses to install which may be a good thing.

I get a message that it is rejecting my key and fails to create the kernel packages.

I do not know what else to do.
 
After several hours of back and forth between Copilot and Terminal, it turned out the VirtualBox kernel modules were compressed with .zst, which prevented them from getting signed with my MOK key. Once decompressed, the signing process worked after several attempts. I do not know why, but not all the signing processes worked each time, but I got there in the end.

Copilot even came up with a script to automate the process in the event of an update once the problem was solved.

Saved to /etc/dkms/post_install.d/virtualbox-sign.sh and made executable

Code:
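#!/bin/bash
# DKMS post-install hook for VirtualBox modules under Secure Boot
# Decompresses each .ko.zst, signs the resulting .ko, removes the .zst,
# and refreshes module dependencies.
# sudo is dropped: the script must already run as root to read the MOK
# private key in /root/secureboot and to write under /lib/modules.

# Kernel version is taken from the first argument, as the original script
# assumes; fall back to the running kernel when none is given
KERNEL_VERSION="${1:-$(uname -r)}"
MODULES_DIR="/lib/modules/${KERNEL_VERSION}/updates/dkms"
KEY="/root/secureboot/MOK.priv"
CERT="/root/secureboot/MOK.pem"
SIGN="/usr/src/linux-headers-${KERNEL_VERSION}/scripts/sign-file"

# Ensure zstd is available
command -v unzstd >/dev/null 2>&1 || exit 0

# Stop with an error if the signing tool or the key pair is missing
if [ ! -x "$SIGN" ] || [ ! -r "$KEY" ] || [ ! -r "$CERT" ]; then
    echo "sign-file, MOK key or certificate missing for kernel $KERNEL_VERSION" >&2
    exit 1
fi

for mod in vboxdrv vboxnetflt vboxnetadp; do
    FILE_ZST="${MODULES_DIR}/${mod}.ko.zst"
    FILE_KO="${MODULES_DIR}/${mod}.ko"

    # If compressed, decompress (-f overwrites a stale .ko) and remove
    # the .zst only when decompression succeeded
    if [ -f "$FILE_ZST" ]; then
        unzstd -f "$FILE_ZST" -o "$FILE_KO" && rm -f "$FILE_ZST"
    fi

    # If uncompressed exists, sign it and report a failure instead of hiding it
    if [ -f "$FILE_KO" ]; then
        "$SIGN" sha256 "$KEY" "$CERT" "$FILE_KO" || echo "signing failed: $FILE_KO" >&2
    fi
done

# Refresh module dependencies
depmod -a "$KERNEL_VERSION"

# Optional logging
echo "VirtualBox modules signed for kernel $KERNEL_VERSION" >> /var/log/dkms_virtualbox_sign.log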

Not being an expert in coding it seems to be doing what I want. I will find out if it works next time the Kernel updates.

Progress :)

The next problem
Code:
HM ring-0 init failed: VERR_NOT_AVAILABLE (VERR_NOT_AVAILABLE). Result Code: NS_ERROR_FAILURE (0x80004005) Component: ConsoleWrap Interface: IConsole {6ac83d89-6ee7-4e33-8ae6-b257b2e81be8}

For some reason VirtualBox was trying to use kvm. This was odd because when I first ever used VirtualBox on Linux I had to blacklist kvm and kvm_intel as it could not co-exist. Yet Copilot was telling me that they could.

So just as a test, I thought if it wants kvm I would give it all the kvm that I blocked previously. I hashed out the kvm entries in my blacklist.conf, ran sudo update-initramfs -u and rebooted.

Error cleared, more progress :-)

New error
Code:
unable to enumerate USB

This was simpler as I have encountered this error before; all that is needed is to add vboxusers to my user account

Code:
sudo usermod -aG vboxusers ravenlun


And after all that VirtualBox worked :-)

I hope this post helps someone in the future!

Edit: Moved my MOK keys to "/root/secureboot/" from home folder
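
Added example, not part of the original post and not VirtualBox or DKMS code: a check for the situation described above, where a module was compressed to .zst before it could be signed. It looks for the `~Module signature appended~` trailer that the kernel's sign-file writes at the end of a signed module; the function names and the state labels are made up for this example.

```shell
#!/bin/sh
# Classify kernel module files by where the signature trailer sits.
# The trailer marker is 27 characters plus a newline, 28 bytes in total.
MAGIC_HEX=$(printf '~Module signature appended~\n' | od -An -v -t x1 | tr -d ' \n')

# Hex dump of the last 28 bytes read from stdin (safe for binary data)
tail_hex() { tail -c 28 | od -An -v -t x1 | tr -d ' \n'; }

# Prints one of: signed | unsigned | signed-after-compression | unreadable
mod_sig_state() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    case $f in
        *.ko.zst)
            # Trailer on the raw .zst: sign-file was run on the compressed
            # file, so the module inside it carries no signature
            if [ "$(tail_hex < "$f")" = "$MAGIC_HEX" ]; then
                echo signed-after-compression; return 0
            fi
            command -v zstd >/dev/null 2>&1 || { echo unreadable; return 1; }
            inner=$(zstd -dcq "$f" 2>/dev/null | tail_hex) ;;
        *)
            inner=$(tail_hex < "$f") ;;
    esac
    if [ "$inner" = "$MAGIC_HEX" ]; then echo signed; else echo unsigned; fi
}

# Report the state of every module in one directory
audit_dir() {
    for m in "$1"/*.ko "$1"/*.ko.zst; do
        [ -e "$m" ] || continue
        printf '%-26s %s\n' "$(mod_sig_state "$m")" "$m"
    done
}

# Usage: sh check-modsig.sh "/lib/modules/$(uname -r)/updates/dkms"
if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

The trailer only shows that a signature was appended, not that it verifies against an enrolled key; `modinfo -F signer` on the module file shows which certificate it names.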
 