163

I upgrade from Ubuntu 15.10 to 16.04 and since then VirtualBox 5.0.18 isn't starting my VMs anymore. It complains that 'vboxdrv' isn't loaded. So I try to load it and get the following error:

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

I believe it is related to secure boot which I use and which I want to continue using. Actually with Ubuntu 15.10 secure boot and VirtualBox were working just fine.

Also I tried $ sudo apt-get --reinstall install virtualbox-dkms which built the kernel module successfully but didn't solve this issue.

Any idea how to get vboxdrv loaded while keeping secure boot enabled?

Update 2: Also I tried executing sudo mokutil --disable-validation. When executing this command, during the next boot I get prompted to disable secure boot, add a key or hash from disk. Since I don't want to disable secure boot, it seems that this doesn't solve my issue either. Also I want to keep UEFI activated for a parallel Windows installation.

Note: If you don't mind disabling secure boot, see Why do I get "Required key not available" when install 3rd party kernel modules or after a kernel upgrade? instead.

Community
  • 1
jans
  • 1,915
  • 3
    See http://askubuntu.com/questions/762254/why-do-i-get-required-key-not-available-when-install-dkms-modules-in-ubuntu-16 – Pilot6 Apr 25 '16 at 07:55
  • 1
    Though this question is a duplicate of http://askubuntu.com/questions/762254/why-do-i-get-required-key-not-available-when-install-dkms-modules-in-ubuntu-16, that question does not feature the answer given by @Majal below. – zwets May 09 '16 at 09:20
  • 1
    Step by step guide: https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/ – Dušan Maďar Oct 24 '17 at 15:23
  • 1
    FWIW, for googlers: with Ubuntu 18.04, installing aptitude install virtualbox virtualbox-dkms will sign the module and ask you for a one-time (?) password. Reboot, enter MOK config and enroll the key using that password. – Raphael Jun 12 '19 at 09:22

9 Answers9

217

Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. Because you want to keep Secure Boot, then the next logical step is to sign those modules.

So let's try it.

  1. Create signing keys

    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"

    Option: for additional security, skip the -nodes switch, which will ask for a password. Then before moving on to the next step, make sure to export KBUILD_SIGN_PIN='yourpassword'

  2. Sign the module (vboxdrv for this example, but repeat for other modules in ls $(dirname $(modinfo -n vboxdrv)/vbox*.ko) for full functionality)

    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

  3. Confirm the module is signed

    tail $(modinfo -n vboxdrv) | grep "Module signature appended"

  4. Register the keys to Secure Boot

    sudo mokutil --import MOK.der

    which will ask for a password to use to confirm the import in the next step. Choose any password you like and remember it.

  5. Reboot and follow instructions displayed on your screen to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.

  6. Confirm the key is enrolled

    mokutil --test-key MOK.der

If VirtualBox still does not load, it may be because the module didn't load (sudo modprobe vboxdrv will fix that) or that the key is not signed. Simply repeat that step and everything should work fine.

Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. @zwets for additional security. @shasha_trn for mentioning all the modules.

Additional resource: I created a bash script for my own use every time virtualbox-dkms upgrades and thus overwrites the signed modules. Check out my vboxsign originally on GitHub.

Flimm
  • 41,766
Majal
  • 7,711
  • 8
    I also signed vboxnetadp, vboxnetflt, vboxpci modules to have network and pass throw pci devices in virtual machines. – sasha_trn May 07 '16 at 19:40
  • 4
    Extending @majal's answer, I had to execute sudo apt install --reinstall virtualbox-dkms before following the instructions provided. – tylersDisplayName Jun 13 '16 at 20:28
  • 1
    @zwets could you possibly elaborate on how to properly set the KBUILD_SIGN_PIN environmental variable? export KBUILD_SIGN_PIN=password and export KBUILD_SIGN_PIN="password" before step 2 both resulted in SSL error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read: pem_pkey.c:117 – adempewolff Jul 09 '16 at 06:32
  • 3
    @adempewolff If you password contains characters that your shell will interpret (e.g. '$' in a quoted string), you will need to enclose it in apostrophes ('). – zwets Jul 11 '16 at 08:54
  • 1
    @Majal Thank you for your answer! I also favour signing the modules instead of disabling the feature. I can add: (1) This does also apply to VMware modules "vmmon" and "vmnet", which share the same fate. (2) While adding your created keys, choose your password wisely. During the reboot and secure-boot enrollment phase, your keyboard layout might differ from your locale settings. (-> US-Layout) – one-mb Aug 07 '16 at 21:13
  • 1
    Some additional commands to verify configuration: tail $(modinfo -n vboxdrv) will output ~Module signature appended~ if the module is signed correctly. mokutil -l will list the enrolled SecureBoot keys. mokutil -t MOK.der will confirm whether a particular key is enrolled. – dragon Feb 26 '17 at 14:04
  • In Xubuntu I've got a bug where I recieve "Failed to enroll new keys" when I run mokutil import. Since I only use linux, I just disabled secure boot from bios. – Adrian Lopez Feb 26 '17 at 19:19
  • Did you have any problems installing VirtualBox Extension Pack? I get The installer failed with exit code 1: ** ERROR:pkexec.c:138:pam_conversation_function: code should not be reached. and I am not sure if this problem is related. – Adam Ryczkowski Dec 22 '17 at 08:55
  • (On Ubuntu 17.10) Copy pasting the openssl command resulted in an error: "unknown option req". Instead I only ran openssl to get to the openssl command line. Then I enter the rest of your command (req -new -x509 -newkey ...). Next I got another error when running mokutil: EFI variables are not supported on this system. Hope you can supply help. – phobic Jan 27 '18 at 14:13
  • 2
    I found I needed to sign the module again after enrolling the module, after which everything works fine. – wxl Mar 04 '18 at 06:04
  • @adempewolff You should export a password after sudo, because of sudo cleanups environment. – vitaly.v.ch May 12 '18 at 21:17
  • @adempewolff not necessarily. I'd rephrase that as "make sure that sudo is allowed to pick up the password from the environment variable, see section for --preserve-env in man sudo for details" – Kalle Richter Jan 04 '19 at 10:51
  • Just in case, for Fedora the path is "/usr/src/kernels/" nor "/usr/src/linux-headers/" – Turkhan Badalov Mar 01 '19 at 09:32
  • 1
    mokutil --test-key MOK.der -> MOK.der is not enrolled – Mateja Petrovic Jul 24 '19 at 19:58
  • the part of Enroll MOK (Machine Owner Key) is way too complicated – Mr-Programs Aug 30 '19 at 15:02
  • Do you exectute your script manually on every virtualbox-dkms upgrade or have you automated that process? – 7hibault Nov 28 '20 at 16:37
  • @7hibault, I used to do it manually. But if you'd like to automate it, a section of this article might help: https://www.majlovesreg.one/adding-pagespeed-to-a-running-nginx-instance#updating-the-module. Just to update myself with this topic, is this still an issue these days? It's been over four years since this happened. :-) – Majal Nov 29 '20 at 22:14
  • Well maybe I've messed up somewhere but I've had this issue on a Dell Inspiron 5480 with Secure Boot enabled, using VirtualBox 6.1.10_Ubuntu r138449 running a Windows 10 guest on a Ubuntu 20.04 host. So far I've disabled Secure Boot to be able to simply run the VM but that doesn't feel right. – 7hibault Nov 30 '20 at 08:34
  • dear @Majal could you help me with this topic : https://askubuntu.com/questions/1332631/how-to-create-a-secure-boot-enabled-usb-flash – hamed Apr 20 '21 at 10:45
  • I followed the steps using "-nodes" switch and in step 4 I was asked to add a password. I used something like "/b5G7@*RDH". Then, when I rebooted I was asked to enter this password and it said "Password doesn't match" (3 times). Then I started all over but this time using a passoword like "24556631". Then when I rebooted the system accepted this password. My point is that not all passwords work. – Andrew F. Jan 07 '23 at 21:31
22

I know that this question is too old, but because there is no accepted answer and none of these answers solved the issue in my case, I am writing how I solved this today without disabling the Secure Boot:

When running this command, get this error:

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

The problem is that the module is not signed and therefore not loaded with the kernel. This will happen if your computer has the SecureBoot mode activated, something very common in modern equipment.

That's why I get this error opening any machine in the virtual box

Kernel driver not installed (rc=-1908)

Do the following steps to sign a driver, and it is loaded as a kernel module, on Ubuntu systems and also on Debian 9:

1. Install the mkutil package to be able to do signed.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install mokutil

2. generate the signature file:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"

3. Then add it to the kernel:

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

4. Register it for the Secure Boot.

IMPORTANT! That will ask you for a password, put the one you want, you will only have to use it once in the next reboot.

sudo mokutil --import MOK.der

5. Finally, restart the computer. A blue screen will appear with a keyboard wait, press the key that asks you to interrupt the boot.

enter image description here

When you are inside the blue screen, select 

Enroll MOK > Continue > and it will ask you for the password

that you have previously entered, you will enter it and you will be informed that the operation has been completed successfully.

Now your operating system will start and you can now use VirtualBox without problem :)

Hope this help someone.

Adriana Hernández
  • 371
20

On my system I did the following to make it work:

Run mokutil:

sudo mokutil --disable-validation

Then mokutil asked me to set a password for the MOK Manager. After rebooting the PC the BIOS showed a dialog to configure the MOK Manager. I disabled SecureBoot from this dialog, it asked for several characters from the password (ie. enter character (5), etc).

After booting up the vboxdrv modules loaded correctly.

lsmod | grep vboxdrv
vboxdrv               454656  3 vboxnetadp,vboxnetflt,vboxpci

Curiously, mokutil still shows SecureBoot is enabled:

sudo mokutil --sb-state
SecureBoot enabled
Pocho
  • 317
  • 10
    As stated in my question, I want to continue using secure boot. So disabling secure boot doesn't solve the issue. – jans Apr 26 '16 at 18:30
  • 2
    Didn't want to disable secure boot but in the end had to do this since nothing else would work - don't want to start signing things manually every time a kernel update comes.. Pity this is the only easy solution forward.

    Btw, UEFI still says secure boot is enabled. ¯_(ツ)_/¯

     – jaywink May 18 '16 at 08:42
  • Thanks because I wanted to do this. – Gringo Suave Apr 06 '20 at 22:41
4

You can disable the validation check by

sudo apt install mokutil
sudo mokutil --disable-validation

After that DKMS packages should install.

Zanna
  • 70,465
Pilot6
  • 90,100
  • 91
  • 213
  • 324
  • 2
    Also I tried executing sudo mokutil --disable-validation. When executing this command, during the next boot I get prompted to disable secure boot, add a key or hash from disk. Since I don't want to disable secure boot, it seems that this doesn't solve my issue either. Please let me know in case I misunderstood this command. – jans Apr 26 '16 at 18:28
  • 2
    Try to disable secure boot. You can enable it back, if that does not help. – Pilot6 Apr 26 '16 at 22:02
  • I tried to disable secure boot - but it is still enabled :( (ubuntu 18.04) – xhudik Oct 02 '18 at 09:45
1

I had this problem with Ubuntu 20.04 (after new install.) I was not running UEFI in bios, and was doing an auto login on Ubuntu.

What fixed it is I changed the auto login to not auto login, and turned UEFI on in bios.

MeSo2
  • 421
  • 1
  • 9
  • 24
  • Can you elaborate? It probably didn't have to do with your login. Describe this UEFI setting, what BIOS software, etc. ... – Chaim Eliyah Apr 07 '21 at 06:08
  • 1
    It is a MSI motherboard. This was some time ago... but I remember that once the auto login was disabled, where you would need to log in at each reboot things started to finally work. And now virtualbox is solid; no more crashes. It used to crash on me every time Ubuntu suggested an update. It was bad. – MeSo2 Apr 09 '21 at 14:57
  • Yeah this is consistent with some of the BIOS settings problems I was running into on ASUS. In my case I had to disable Windows UEFI. tl;dr: check your BIOS settings :-) – Chaim Eliyah Apr 10 '21 at 01:43
0

This worked for me ( build 5.11.0-27-generic )

sudo apt-get autoremove virtualbox-dkms sudo apt-get install virtualbox

it has been recompiled with the new kernel :)

SimoneB
  • 111
0

I got error about vboxdrv after upgrade too. But there was problem with old version (5.0.14) of Oracle VM VirtualBox Extension Pack. I downloaded and installed newer version (5.0.18) of this pack and problem disappeared.

Reling
  • 9
  • Hey, could you please elaborate? Where did you download it from? PPA or deb file? – Karthik Nishanth Apr 23 '16 at 04:34
  • 1
    I downloaded Extension pack from downloads on VirtualBox site, link is "VirtualBox 5.0.18 Oracle VM VirtualBox Extension Pack -> All supported platforms". Then I opened File > Preferences on Oracle VM Virtual Box Manager, selected "Extensions", and added downloaded file to list. It replaced old version of "Oracle VM VirtualBox Extension Pack" (was 5.0.14rxxxxxx). – Reling Apr 24 '16 at 07:11
  • 1
    Extension pack doesnt rectify the error. The error is about signing the module – Karthik Nishanth Apr 25 '16 at 15:43
  • This doesn't apply to my problem. – jans Apr 26 '16 at 18:24
  • 1
    This is unrelated to the problem of the OP. The error message "Required key not available" indicates that the issue is due to an unsigned kernel module on a Secure Boot enabled platform. No VirtualBox update can fix this unless it includes a module signed using a key trusted by the kernel. I.e. either Canonical must sign it, or Oracle must sign it and its public key must be added to the kernel's (or your platform's) trusted keys. – zwets May 09 '16 at 08:04
0

I had the same issue today, I had Windows 10 and Ubuntu 15.10 on a dual boot with uefi enabled on Bios (I didn't disable it so I can run the pre-installed Windows).

After upgrading to Ubuntu 16.04 VirtualBox stopped loading my VMs with the same error message:

modprobe: ERROR: could not insert 'vboxdrv': Required key not available

I suspected UEFI issue because while upgrading the installer asked me if I want to disable it, to which I responded No (Because Yes may make my Windows unusable).

What I did is going to Bios and enable support for legacy BIOS boot WITHOUT disabling secure boot.

Virtualbox works fine now.

Update: As @zwets rightly pointed in the comment, enabling legacy modules causes secure boot to be disabled.

Zeine77
  • 91
  • 1
  • 8
  • 2
    Actually I also need UEFI to boot a parallel Windows installation. So disabling it isn't an option for me either. I updated my question accordingly. – jans Apr 26 '16 at 18:26
  • Have you enabled Support for legacy BIOS modules? This is another option in UEFI bios, different than secure boot. – Zeine77 Apr 26 '16 at 18:50
  • 1
    @Zeine77 can you verify that your BIOS allows enabling "legacy modules" while Secure Boot remains enabled? This is highly unlikely, as the first option allows untrusted code to run in kernel space, which defeats the purpose of the second. – zwets May 09 '16 at 08:11
  • @zwets you are right, I just checked my bios settings; and enabling legacy modules caused secure boot to be disabled. I assumed, as explained in the response, that disabling secure boot would cause Windows 10 boot to fail, this isn't the case. When I first installed 15.10 (Months ago) I took care to not disable secure boot as this would damage Win 10 installation. Does this mean that the pre installed Win 10 works fine with secure mode disabled ? – Zeine77 May 10 '16 at 02:22
0

Alright so after a bit of testing I'm pretty sure this is a secure boot issue.

As in if it's enabled then this is thrown:

WARNING: The vboxdrv kernel module is not loaded. Either there is no module available for the current kernel (4.4.0-21-generic) or it failed to load. Please recompile the kernel module and install it by sudo /sbin/rcvboxdrv setup

However if secure boot is disabled then virtualbox loads just fine with no errors.

I still have my bios set as UEFI.

David Haynes
  • 9
  • 3
    As stated in my question, I want to continue using secure boot. So disabling secure boot doesn't solve the issue. – jans Apr 26 '16 at 18:25