Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 (and I want to keep secure boot)


Solution 1

Since kernel version 4.4.0-20, it has been enforced that unsigned kernel modules are not allowed to run with Secure Boot enabled. Because you want to keep Secure Boot, the next logical step is to sign those modules.

So let's try it.

  1. Create signing keys

    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
    

    Option: for additional security, skip the -nodes switch, which will ask for a password. Then before moving on to the next step, make sure to export KBUILD_SIGN_PIN='yourpassword'

  2. Sign the module (vboxdrv for this example, but repeat for the other modules in ls $(dirname $(modinfo -n vboxdrv))/vbox*.ko for full functionality)

    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
    
  3. Confirm the module is signed

    tail $(modinfo -n vboxdrv) | grep "Module signature appended"
    
  4. Register the keys to Secure Boot

    sudo mokutil --import MOK.der
    

    which will ask for a password to use to confirm the import in the next step.

  5. Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.

  6. Confirm the key is enrolled

    mokutil --test-key MOK.der
    

If VirtualBox still does not load, it may be because the module didn't load (sudo modprobe vboxdrv will fix that) or that the key is not signed. Simply repeat that step and everything should work fine.

Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. @zwets for additional security. @sasha_trn for mentioning all the modules.

Additional resource: I created a bash script for my own use every time virtualbox-dkms upgrades and thus overwrites the signed modules. Check out my vboxsign originally on GitHub.
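
The check from step 3 and the signing from step 2, applied to every vbox*.ko so that modules are re-signed only when the signature marker is missing. This is an added example, not the answer author's vboxsign script; the file name resign-vbox.sh and the SIGN_FILE override are hypothetical, and it assumes the MOK.priv / MOK.der files from step 1 and uncompressed .ko modules.

```shell
#!/bin/sh
# Added example, not the answer author's script: re-sign VirtualBox modules
# only when the kernel's appended-signature marker is missing.
# Assumes MOK.priv / MOK.der from step 1 and uncompressed .ko files.

MAGIC='~Module signature appended~'   # a signed module ends with this + newline

# is_signed FILE: succeed if the last 28 bytes of FILE are the marker.
is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$MAGIC" ]
}

# unsigned_modules DIR: print every vbox*.ko in DIR that lacks the marker.
unsigned_modules() {
    for m in "$1"/vbox*.ko; do
        [ -f "$m" ] || continue          # glob matched nothing
        is_signed "$m" || printf '%s\n' "$m"
    done
}

# sign_unsigned DIR KEY CERT: sign what is unsigned, then re-check.
# SIGN_FILE is a hypothetical override; the default is the path from step 2.
sign_unsigned() {
    signer=${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}
    unsigned_modules "$1" | while IFS= read -r m; do
        "$signer" sha256 "$2" "$3" "$m" || echo "sign failed: $m" >&2
    done
    # Fail if any module is still unsigned after the pass.
    [ -z "$(unsigned_modules "$1")" ]
}

# Runs only when given key and certificate, e.g. after a dkms rebuild:
#   sudo sh resign-vbox.sh ./MOK.priv ./MOK.der
if [ $# -eq 2 ]; then
    dir=$(dirname "$(modinfo -n vboxdrv)")
    sign_unsigned "$dir" "$1" "$2" && echo "all vbox modules in $dir signed"
fi
```

The marker only shows that a signature was appended, not that the kernel trusts the signer, so pair it with mokutil --test-key MOK.der from step 6.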

Solution 2

On my system I did the following to make it work:

Run mokutil:

    sudo mokutil --disable-validation

Then mokutil asked me to set a password for the MOK Manager. After rebooting the PC the BIOS showed a dialog to configure the MOK Manager. I disabled SecureBoot from this dialog; it asked for several characters from the password (i.e. enter character (5), etc.).

After booting up the vboxdrv modules loaded correctly.

    lsmod | grep vboxdrv
    vboxdrv               454656  3 vboxnetadp,vboxnetflt,vboxpci

Curiously, mokutil still shows SecureBoot is enabled:

    sudo mokutil --sb-state
    SecureBoot enabled

Solution 3

I know that this question is too old, but because there is no accepted answer and none of these answers solved the issue in my case, I am writing how I solved this today without disabling the Secure Boot:

When running this command, I get this error:

    $ sudo modprobe vboxdrv
    modprobe: ERROR: could not insert 'vboxdrv': Required key not available

The problem is that the module is not signed and therefore not loaded with the kernel. This will happen if your computer has the SecureBoot mode activated, something very common in modern equipment.

That's why I get this error opening any machine in the virtual box:

    Kernel driver not installed (rc=-1908)

Do the following steps to sign a driver so that it is loaded as a kernel module, on Ubuntu systems and also on Debian 9:

1. Install the mokutil package to be able to sign.

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install mokutil

2. Generate the signature file:

    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"

3. Then add it to the kernel:

    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

4. Register it for the Secure Boot.

IMPORTANT! That will ask you for a password; put the one you want, you will only have to use it once in the next reboot.

    sudo mokutil --import MOK.der

5. Finally, restart the computer. A blue screen will appear with a keyboard wait; press the key that asks you to interrupt the boot.

When you are inside the blue screen, select Enroll MOK > Continue, and it will ask you for the password that you have previously entered. Enter it and you will be informed that the operation has been completed successfully.

Now your operating system will start and you can now use VirtualBox without problem :)

Hope this helps someone.

Solution 4

You can disable the validation check by

    sudo apt install mokutil
    sudo mokutil --disable-validation

After that DKMS packages should install.

Solution 5

I had this problem with Ubuntu 20.04 (after new install.) I was not running UEFI in bios, and was doing an auto login on Ubuntu.

What fixed it is I changed the auto login to not auto login, and turned UEFI on in bios.


Author: jans

Updated on September 18, 2022

Comments

  • jans
    jans over 1 year

    I upgraded from Ubuntu 15.10 to 16.04 and since then VirtualBox 5.0.18 isn't starting my VMs anymore. It complains that 'vboxdrv' isn't loaded. So I try to load it and get the following error:

    $ sudo modprobe vboxdrv
    modprobe: ERROR: could not insert 'vboxdrv': Required key not available
    

    I believe it is related to secure boot which I use and which I want to continue using. Actually with Ubuntu 15.10 secure boot and VirtualBox were working just fine.

    Also I tried $ sudo apt-get --reinstall install virtualbox-dkms which built the kernel module successfully but didn't solve this issue.

    Any idea how to get vboxdrv loaded while keeping secure boot enabled?

    Update 2: Also I tried executing sudo mokutil --disable-validation. When executing this command, during the next boot I get prompted to disable secure boot, add a key or hash from disk. Since I don't want to disable secure boot, it seems that this doesn't solve my issue either. Also I want to keep UEFI activated for a parallel Windows installation.

    Note: If you don't mind disabling secure boot, see Why do I get "Required key not available" when install 3rd party kernel modules or after a kernel upgrade? instead.

    • zwets
      zwets almost 8 years
      Though this question is a duplicate of askubuntu.com/questions/762254/…, that question does not feature the answer given by @Majal below.
    • Dušan Maďar
      Dušan Maďar over 6 years
    • Raphael
      Raphael almost 5 years
      FWIW, for googlers: with Ubuntu 18.04, installing aptitude install virtualbox virtualbox-dkms will sign the module and ask you for a one-time (?) password. Reboot, enter MOK config and enroll the key using that password.
  • Karthik Nishanth
    Karthik Nishanth about 8 years
    Hey, could you please elaborate? Where did you download it from? PPA or deb file?
  • Reling
    Reling about 8 years
    I downloaded Extension pack from downloads on VirtualBox site, link is "VirtualBox 5.0.18 Oracle VM VirtualBox Extension Pack -> All supported platforms". Then I opened File > Preferences on Oracle VM Virtual Box Manager, selected "Extensions", and added downloaded file to list. It replaced old version of "Oracle VM VirtualBox Extension Pack" (was 5.0.14rxxxxxx).
  • Karthik Nishanth
    Karthik Nishanth about 8 years
    Extension pack doesn't rectify the error. The error is about signing the module
  • jans
    jans about 8 years
    This doesn't apply to my problem.
  • jans
    jans about 8 years
    As stated in my question, I want to continue using secure boot. So disabling secure boot doesn't solve the issue.
  • jans
    jans about 8 years
    Actually I also need UEFI to boot a parallel Windows installation. So disabling it isn't an option for me either. I updated my question accordingly.
  • jans
    jans about 8 years
    Also I tried executing sudo mokutil --disable-validation. When executing this command, during the next boot I get prompted to disable secure boot, add a key or hash from disk. Since I don't want to disable secure boot, it seems that this doesn't solve my issue either. Please let me know in case I misunderstood this command.
  • jans
    jans about 8 years
    As stated in my question, I want to continue using secure boot. So disabling secure boot doesn't solve the issue.
  • Pilot6
    Pilot6 about 8 years
    Try to disable secure boot. You can enable it back, if that does not help.
  • sasha_trn
    sasha_trn almost 8 years
    I also signed vboxnetadp, vboxnetflt, vboxpci modules to have network and pass through PCI devices in virtual machines.
  • zwets
    zwets almost 8 years
    This is unrelated to the problem of the OP. The error message "Required key not available" indicates that the issue is due to an unsigned kernel module on a Secure Boot enabled platform. No VirtualBox update can fix this unless it includes a module signed using a key trusted by the kernel. I.e. either Canonical must sign it, or Oracle must sign it and its public key must be added to the kernel's (or your platform's) trusted keys.
  • zwets
    zwets almost 8 years
    @Zeine77 can you verify that your BIOS allows enabling "legacy modules" while Secure Boot remains enabled? This is highly unlikely, as the first option allows untrusted code to run in kernel space, which defeats the purpose of the second.
  • Zeine77
    Zeine77 almost 8 years
    @zwets you are right, I just checked my bios settings; and enabling legacy modules caused secure boot to be disabled. I assumed, as explained in the response, that disabling secure boot would cause Windows 10 boot to fail, this isn't the case. When I first installed 15.10 (Months ago) I took care to not disable secure boot as this would damage Win 10 installation. Does this mean that the pre installed Win 10 works fine with secure mode disabled ?
  • jaywink
    jaywink almost 8 years
    Didn't want to disable secure boot but in the end had to do this since nothing else would work - don't want to start signing things manually every time a kernel update comes.. Pity this is the only easy solution forward. Btw, UEFI still says secure boot is enabled. ¯_(ツ)_/¯
  • TylersSN
    TylersSN almost 8 years
    Extending @majal's answer, I had to execute sudo apt install --reinstall virtualbox-dkms before following the instructions provided.
  • adempewolff
    adempewolff almost 8 years
    @zwets could you possibly elaborate on how to properly set the KBUILD_SIGN_PIN environmental variable? export KBUILD_SIGN_PIN=password and export KBUILD_SIGN_PIN="password" before step 2 both resulted in SSL error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read: pem_pkey.c:117
  • zwets
    zwets almost 8 years
    @adempewolff If your password contains characters that your shell will interpret (e.g. '$' in a quoted string), you will need to enclose it in apostrophes (').
  • one-mb
    one-mb over 7 years
    @Majal Thank you for your answer! I also favour signing the modules instead of disabling the feature. I can add: (1) This does also apply to VMware modules "vmmon" and "vmnet", which share the same fate. (2) While adding your created keys, choose your password wisely. During the reboot and secure-boot enrollment phase, your keyboard layout might differ from your locale settings. (-> US-Layout)
  • dragon
    dragon about 7 years
    Some additional commands to verify configuration: tail $(modinfo -n vboxdrv) will output ~Module signature appended~ if the module is signed correctly. mokutil -l will list the enrolled SecureBoot keys. mokutil -t MOK.der will confirm whether a particular key is enrolled.
  • Adrian Lopez
    Adrian Lopez about 7 years
    In Xubuntu I've got a bug where I receive "Failed to enroll new keys" when I run mokutil import. Since I only use linux, I just disabled secure boot from bios.
  • Adam Ryczkowski
    Adam Ryczkowski over 6 years
    Did you have any problems installing VirtualBox Extension Pack? I get The installer failed with exit code 1: ** ERROR:pkexec.c:138:pam_conversation_function: code should not be reached. and I am not sure if this problem is related.
  • phobic
    phobic over 6 years
    (On Ubuntu 17.10) Copy pasting the openssl command resulted in an error: "unknown option req". Instead I only ran openssl to get to the openssl command line. Then I enter the rest of your command (req -new -x509 -newkey ...). Next I got another error when running mokutil: EFI variables are not supported on this system. Hope you can supply help.
  • wxl
    wxl about 6 years
    I found I needed to sign the module again after enrolling the module, after which everything works fine.
  • vitaly.v.ch
    vitaly.v.ch almost 6 years
    @adempewolff You should export a password after sudo, because sudo cleans up the environment.
  • xhudik
    xhudik over 5 years
    I tried to disable secure boot - but it is still enabled :( (ubuntu 18.04)
  • Kalle Richter
    Kalle Richter over 5 years
    @adempewolff not necessarily. I'd rephrase that as "make sure that sudo is allowed to pick up the password from the environment variable, see section for --preserve-env in man sudo for details"
  • Turkhan Badalov
    Turkhan Badalov about 5 years
    Just in case, for Fedora the path is "/usr/src/kernels/" not "/usr/src/linux-headers/"
  • Mateja Petrovic
    Mateja Petrovic almost 5 years
    mokutil --test-key MOK.der -> MOK.der is not enrolled
  • Mr-Programs
    Mr-Programs over 4 years
    the part of Enroll MOK (Machine Owner Key) is way too complicated
  • 0x8BADF00D
    0x8BADF00D about 4 years
    Thx. Your steps. The issue.
  • Gringo Suave
    Gringo Suave about 4 years
    Thanks because I wanted to do this.
  • Anda B
    Anda B about 4 years
    Thanks! It worked.
  • Anthony O
    Anthony O almost 4 years
    This worked for me! Thanks so much
  • MeSo2
    MeSo2 over 3 years
    on step 4 I am getting EFI variables are not supported on this system
  • 7hibault
    7hibault over 3 years
    Do you need to do this for every virtualbox-dkms upgrade?
  • 7hibault
    7hibault over 3 years
    Do you execute your script manually on every virtualbox-dkms upgrade or have you automated that process?
  • Majal
    Majal over 3 years
    @7hibault, I used to do it manually. But if you'd like to automate it, a section of this article might help: majlovesreg.one/…. Just to update myself with this topic, is this still an issue these days? It's been over four years since this happened. :-)
  • 7hibault
    7hibault over 3 years
    Well maybe I've messed up somewhere but I've had this issue on a Dell Inspiron 5480 with Secure Boot enabled, using VirtualBox 6.1.10_Ubuntu r138449 running a Windows 10 guest on a Ubuntu 20.04 host. So far I've disabled Secure Boot to be able to simply run the VM but that doesn't feel right.
  • Chaim Eliyah
    Chaim Eliyah about 3 years
    Can you elaborate? It probably didn't have to do with your login. Describe this UEFI setting, what BIOS software, etc. ...
  • MeSo2
    MeSo2 about 3 years
    It is a MSI motherboard. This was some time ago... but I remember that once the auto login was disabled, where you would need to log in at each reboot things started to finally work. And now virtualbox is solid; no more crashes. It used to crash on me every time Ubuntu suggested an update. It was bad.
  • Chaim Eliyah
    Chaim Eliyah about 3 years
    Yeah this is consistent with some of the BIOS settings problems I was running into on ASUS. In my case I had to disable Windows UEFI. tl;dr: check your BIOS settings :-)
  • hamed
    hamed about 3 years
    dear @Majal could you help me with this topic : askubuntu.com/questions/1332631/…
  • manidos
    manidos almost 3 years
    After trying out top 2 answers this one did it for me