2

I encounter the exact same problem as here except I'm not able to recover using the proposed solution.

Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 (and I want to keep secure boot)

I have followed the recommended solution and everything seems fine but still the module could not be loaded.

The key seems correctly loaded:

$ sudo mokutil --list-enrolled
[key 1]
[…]
[key 2]
SHA1 Fingerprint: 0f:6f:8e:7a:39:d0:27:33:7d:eb:e0:62:cf:38:b1:af:4c:82:98:c4
Certificate:
[…]
        Issuer: CN=modssign
[…]
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                83:83:25:5B:D6:6E:A0:BB:87:44:A9:8C:EA:47:58:DD:07:B9:A6:C7
            X509v3 Authority Key Identifier: 
                keyid:83:83:25:5B:D6:6E:A0:BB:87:44:A9:8C:EA:47:58:DD:07:B9:A6:C7
[…]

And the module is signed with this key:

$ sudo modinfo vboxdrv
filename:       /lib/modules/3.16.0-77-generic/misc/vboxdrv.ko
version:        5.1.0 r108711 (0x00260000)
license:        GPL
description:    Oracle VM VirtualBox Support Driver
author:         Oracle Corporation
srcversion:     32F3C607C8086AE6187D18B
depends:        
vermagic:       3.16.0-77-generic SMP mod_unload modversions 
signer:         modssign
sig_key:        83:83:25:5B:D6:6E:A0:BB:87:44:A9:8C:EA:47:58:DD:07:B9:A6:C7
sig_hashalgo:   sha256

But the module still failed to insert:

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

Do you have any idea? I thought I had correctly follow all the steps (including enrolling the new key at boot, etc)

More technical information:

  • Ubuntu 14.04.4 LTS freshly updated
  • Linux 3.16.0-77-generic
  • Virtualbox 5.1.0 r108711 freshly downloaded from the Virtualbox.org website

Thanks in advance for your hints!

Edit of 2016-08-23:

I think the issue is due to the fact my certificate is never loaded by the kernel at boot.

The certificate loaded by the kernel is 4a94:

$ sudo dmesg | grep 'Loaded X.509 cert'
[    1.126207] Loaded X.509 cert 'Magrathea: Glacier signing key: 4a94aff5eff7b539906b3f2a9d0cca00dac4cbb0'

And all modules are well loaded because they are signed with this specific key (4a94):

$ sudo modinfo ip_tables | grep sig_key
sig_key:        4A:94:AF:F5:EF:F7:B5:39:90:6B:3F:2A:9D:0C:CA:00:DA:C4:CB:B0

But even if my certificate is shown in mokutil --list-enrolled, it seems to not be loaded at boot.

How could I add my certificate to the kernel at boot sequence? Do I have to rebuild a new kernel with my certificate in it?

Community
  • 1
yaap
  • 311

0 Answers0