Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 (and I want to keep secure boot)
Solution 1
Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. Because you want to keep Secure Boot, then the next logical step is to sign those modules.
So let's try it.
-
Create signing keys
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"
Option: for additional security, skip the -nodes switch, which will ask for a password. Then before moving on to the next step, make sure to
export KBUILD_SIGN_PIN='yourpassword'
-
Sign the module (vboxdrv for this example, but repeat for other modules in
ls $(dirname $(modinfo -n vboxdrv))/vbox*.ko)
for full functionality)sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
-
Confirm the module is signed
tail $(modinfo -n vboxdrv) | grep "Module signature appended"
-
Register the keys to Secure Boot
sudo mokutil --import MOK.der
which will ask for a password to use to confirm the import in the next step.
Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
-
Confirm the key is enrolled
mokutil --test-key MOK.der
If VirtualBox still does not load, it may be because the module didn't load (sudo modprobe vboxdrv
will fix that) or that the key is not signed. Simply repeat that step and everything should work fine.
Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. @zwets for additional security. @shasha_trn for mentioning all the modules.
Additional resource: I created a bash script for my own use every time virtualbox-dkms
upgrades and thus overwrites the signed modules. Check out my vboxsign originally on GitHub.
Solution 2
On my system I did the following to make it work:
Run mokutil:
sudo mokutil --disable-validation
Then mokutil asked me to set a password for the MOK Manager. After rebooting the PC the BIOS showed a dialog to configure the MOK Manager. I disabled SecureBoot from this dialog, it asked for several characters from the password (ie. enter character (5), etc).
After booting up the vboxdrv modules loaded correctly.
lsmod | grep vboxdrv
vboxdrv 454656 3 vboxnetadp,vboxnetflt,vboxpci
Curiously, mokutil still shows SecureBoot is enabled:
sudo mokutil --sb-state
SecureBoot enabled
Solution 3
I know that this question is too old, but because there is no accepted answer and none of these answers solved the issue in my case, I am writing how I solved this today without disabling the Secure Boot:
When running this command, get this error:
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
The problem is that the module is not signed and therefore not loaded with the kernel. This will happen if your computer has the SecureBoot mode activated, something very common in modern equipment.
That's why I get this error opening any machine in the virtual box
Kernel driver not installed (rc=-1908)
Do the following steps to sign a driver, and it is loaded as a kernel module, on Ubuntu systems and also on Debian 9:
1. Install the mkutil package to be able to do signed.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install mokutil
2. generate the signature file:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
3. Then add it to the kernel:
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
4. Register it for the Secure Boot.
IMPORTANT! That will ask you for a password, put the one you want, you will only have to use it once in the next reboot.
sudo mokutil --import MOK.der
5. Finally, restart the computer. A blue screen will appear with a keyboard wait, press the key that asks you to interrupt the boot.
When you are inside the blue screen, select
Enroll MOK > Continue > and it will ask you for the password
that you have previously entered, you will enter it and you will be informed that the operation has been completed successfully.
Now your operating system will start and you can now use VirtualBox without problem :)
Hope this help someone.
Solution 4
You can disable the validation check by
sudo apt install mokutil
sudo mokutil --disable-validation
After that DKMS packages should install.
Solution 5
I had this problem with Ubuntu 20.04 (after new install.) I was not running UEFI in bios, and was doing an auto login on Ubuntu.
What fixed it is I changed the auto login to not auto login, and turned UEFI on in bios.
Related videos on Youtube
jans
Updated on September 18, 2022Comments
-
jans over 1 year
I upgrade from Ubuntu 15.10 to 16.04 and since then VirtualBox 5.0.18 isn't starting my VMs anymore. It complains that 'vboxdrv' isn't loaded. So I try to load it and get the following error:
$ sudo modprobe vboxdrv modprobe: ERROR: could not insert 'vboxdrv': Required key not available
I believe it is related to secure boot which I use and which I want to continue using. Actually with Ubuntu 15.10 secure boot and VirtualBox were working just fine.
Also I tried
$ sudo apt-get --reinstall install virtualbox-dkms
which built the kernel module successfully but didn't solve this issue.Any idea how to get vboxdrv loaded while keeping secure boot enabled?
Update 2: Also I tried executing
sudo mokutil --disable-validation
. When executing this command, during the next boot I get prompted to disable secure boot, add a key or hash from disk. Since I don't want to disable secure boot, it seems that this doesn't solve my issue either. Also I want to keep UEFI activated for a parallel Windows installation.Note: If you don't mind disabling secure boot, see Why do I get "Required key not available" when install 3rd party kernel modules or after a kernel upgrade? instead.
-
zwets almost 8 yearsThough this question is a duplicate of askubuntu.com/questions/762254/…, that question does not feature the answer given by @Majal below.
-
Dušan Maďar over 6 yearsStep by step guide: stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail
-
Raphael almost 5 yearsFWIW, for googlers: with Ubuntu 18.04, installing
aptitude install virtualbox virtualbox-dkms
will sign the module and ask you for a one-time (?) password. Reboot, enter MOK config and enroll the key using that password.
-
-
Karthik Nishanth about 8 yearsHey, could you please elaborate? Where did you download it from? PPA or deb file?
-
Reling about 8 yearsI downloaded Extension pack from downloads on VirtualBox site, link is "VirtualBox 5.0.18 Oracle VM VirtualBox Extension Pack -> All supported platforms". Then I opened File > Preferences on Oracle VM Virtual Box Manager, selected "Extensions", and added downloaded file to list. It replaced old version of "Oracle VM VirtualBox Extension Pack" (was 5.0.14rxxxxxx).
-
Karthik Nishanth about 8 yearsExtension pack doesnt rectify the error. The error is about signing the module
-
jans about 8 yearsThis doesn't apply to my problem.
-
jans about 8 yearsAs stated in my question, I want to continue using secure boot. So disabling secure boot doesn't solve the issue.
-
jans about 8 yearsActually I also need UEFI to boot a parallel Windows installation. So disabling it isn't an option for me either. I updated my question accordingly.
-
jans about 8 yearsAlso I tried executing sudo mokutil --disable-validation. When executing this command, during the next boot I get prompted to disable secure boot, add a key or hash from disk. Since I don't want to disable secure boot, it seems that this doesn't solve my issue either. Please let me know in case I misunderstood this command.
-
jans about 8 yearsAs stated in my question, I want to continue using secure boot. So disabling secure boot doesn't solve the issue.
-
Pilot6 about 8 yearsTry to disable secure boot. You can enable it back, if that does not help.
-
sasha_trn almost 8 yearsI also signed vboxnetadp, vboxnetflt, vboxpci modules to have network and pass throw pci devices in virtual machines.
-
zwets almost 8 yearsThis is unrelated to the problem of the OP. The error message "Required key not available" indicates that the issue is due to an unsigned kernel module on a Secure Boot enabled platform. No VirtualBox update can fix this unless it includes a module signed using a key trusted by the kernel. I.e. either Canonical must sign it, or Oracle must sign it and its public key must be added to the kernel's (or your platform's) trusted keys.
-
zwets almost 8 years@Zeine77 can you verify that your BIOS allows enabling "legacy modules" while Secure Boot remains enabled? This is highly unlikely, as the first option allows untrusted code to run in kernel space, which defeats the purpose of the second.
-
Zeine77 almost 8 years@zwets you are right, I just checked my bios settings; and enabling legacy modules caused secure boot to be disabled. I assumed, as explained in the response, that disabling secure boot would cause Windows 10 boot to fail, this isn't the case. When I first installed 15.10 (Months ago) I took care to not disable secure boot as this would damage Win 10 installation. Does this mean that the pre installed Win 10 works fine with secure mode disabled ?
-
jaywink almost 8 yearsDidn't want to disable secure boot but in the end had to do this since nothing else would work - don't want to start signing things manually every time a kernel update comes.. Pity this is the only easy solution forward. Btw, UEFI still says secure boot is enabled. ¯_(ツ)_/¯
-
TylersSN almost 8 yearsExtending @majal's answer, I had to execute
sudo apt install --reinstall virtualbox-dkms
before following the instructions provided. -
adempewolff almost 8 years@zwets could you possibly elaborate on how to properly set the
KBUILD_SIGN_PIN
environmental variable?export KBUILD_SIGN_PIN=password
andexport KBUILD_SIGN_PIN="password"
before step 2 both resulted inSSL error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read: pem_pkey.c:117
-
zwets almost 8 years@adempewolff If you password contains characters that your shell will interpret (e.g. '$' in a quoted string), you will need to enclose it in apostrophes (').
-
one-mb over 7 years@Majal Thank you for your answer! I also favour signing the modules instead of disabling the feature. I can add: (1) This does also apply to VMware modules "vmmon" and "vmnet", which share the same fate. (2) While adding your created keys, choose your password wisely. During the reboot and secure-boot enrollment phase, your keyboard layout might differ from your locale settings. (-> US-Layout)
-
dragon about 7 yearsSome additional commands to verify configuration:
tail $(modinfo -n vboxdrv)
will output ~Module signature appended~ if the module is signed correctly.mokutil -l
will list the enrolled SecureBoot keys.mokutil -t MOK.der
will confirm whether a particular key is enrolled. -
Adrian Lopez about 7 yearsIn Xubuntu I've got a bug where I recieve "Failed to enroll new keys" when I run mokutil import. Since I only use linux, I just disabled secure boot from bios.
-
Adam Ryczkowski over 6 yearsDid you have any problems installing VirtualBox Extension Pack? I get
The installer failed with exit code 1: ** ERROR:pkexec.c:138:pam_conversation_function: code should not be reached.
and I am not sure if this problem is related. -
phobic over 6 years(On Ubuntu 17.10) Copy pasting the openssl command resulted in an error: "unknown option req". Instead I only ran openssl to get to the openssl command line. Then I enter the rest of your command (req -new -x509 -newkey ...). Next I got another error when running mokutil: EFI variables are not supported on this system. Hope you can supply help.
-
wxl about 6 yearsI found I needed to sign the module again after enrolling the module, after which everything works fine.
-
vitaly.v.ch almost 6 years@adempewolff You should export a password after sudo, because of sudo cleanups environment.
-
xhudik over 5 yearsI tried to disable secure boot - but it is still enabled :( (ubuntu 18.04)
-
Kalle Richter over 5 years@adempewolff not necessarily. I'd rephrase that as "make sure that
sudo
is allowed to pick up the password from the environment variable, see section for--preserve-env
inman sudo
for details" -
Turkhan Badalov about 5 yearsJust in case, for Fedora the path is "/usr/src/kernels/" nor "/usr/src/linux-headers/"
-
Mateja Petrovic almost 5 years
mokutil --test-key MOK.der
->MOK.der is not enrolled
-
Mr-Programs over 4 yearsthe part of Enroll MOK (Machine Owner Key) is way too complicated
-
0x8BADF00D about 4 yearsThx. Your steps. The issue.
-
Gringo Suave about 4 yearsThanks because I wanted to do this.
-
Anda B about 4 yearsThanks! It worked.
-
Anthony O almost 4 yearsThis worked for me! Thanks so much
-
MeSo2 over 3 yearson step 4 I am getting
EFI variables are not supported on this system
-
7hibault over 3 yearsDo you need to do this foro every virtualbox-dkms upgrade?
-
7hibault over 3 yearsDo you exectute your script manually on every virtualbox-dkms upgrade or have you automated that process?
-
Majal over 3 years@7hibault, I used to do it manually. But if you'd like to automate it, a section of this article might help: majlovesreg.one/…. Just to update myself with this topic, is this still an issue these days? It's been over four years since this happened. :-)
-
7hibault over 3 yearsWell maybe I've messed up somewhere but I've had this issue on a Dell Inspiron 5480 with Secure Boot enabled, using VirtualBox 6.1.10_Ubuntu r138449 running a Windows 10 guest on a Ubuntu 20.04 host. So far I've disabled Secure Boot to be able to simply run the VM but that doesn't feel right.
-
Chaim Eliyah about 3 yearsCan you elaborate? It probably didn't have to do with your login. Describe this UEFI setting, what BIOS software, etc. ...
-
MeSo2 about 3 yearsIt is a MSI motherboard. This was some time ago... but I remember that once the auto login was disabled, where you would need to log in at each reboot things started to finally work. And now
virtualbox
is solid; no more crashes. It used to crash on me every time Ubuntu suggested an update. It was bad. -
Chaim Eliyah about 3 yearsYeah this is consistent with some of the BIOS settings problems I was running into on ASUS. In my case I had to disable Windows UEFI. tl;dr: check your BIOS settings :-)
-
hamed about 3 yearsdear @Majal could you help me with this topic : askubuntu.com/questions/1332631/…
-
manidos almost 3 yearsAfter trying out top 2 answers this one did it for me