How to sign a kernel module Ubuntu 18.04
I am new to using Ubuntu. I am trying to install Genymotion so I can have access to an android emulator. In order to use Genymotion, it is required I have VirtualBox. I have VirtualBox installed but it seems as if I need to sign a kernal module... and I really am not sure how to do it. This is the error message I get after running /sbin/vboxconfig
:
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.
There were problems setting up VirtualBox. To re-start the set-up process, run
/sbin/vboxconfig
as root. If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.
I have tried googling this, but can not seem to find a clear and concise answer with sequential steps. Again, I am fairly new to linux, so any help is welcome. Thanks in advance to all of those who reply.
Solution 1:
In order to get VirtualBox working without simply disabling UEFI Secure Boot, then you'll need to do the following:
- Create a personal public/private RSA key pair to sign the kernel modules. As recommended in the link below, I chose to store the key/pair in the /root/module-signing/ directory.
sudo -i
mkdir /root/module-signing
cd /root/module-signing
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=YOUR_NAME/"
chmod 600 MOK.priv
- Use mokutil, a tool to import or delete the machine owner keys (MOK), to import the public key, and then enroll it when the machine is rebooted. The password in this step is a temporary use password you'll only need to remember for a few minutes.
mokutil --import /root/module-signing/MOK.der
input password:
input password again:
Reboot the machine. When the bootloader starts, you should see a screen asking you to press a button to enter the MOK manager EFI utility. Note that any external external keyboards won't work in this step. Select Enroll MOK in the first menu, then continue, and then select Yes to enroll the keys, and re-enter the password established in step 2. Then select OK to continue the system boot.
Future kernel updates would require the updated kernels to be signed again, so it makes sense to put the signing commands in a script that can be run at a later date as necessary. A sample script /root/module-signing/sign-vbox-modules is given below.
#!/bin/bash
for modfile in $(dirname $(modinfo -n vboxdrv))/*.ko; do
echo "Signing $modfile"
/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
/root/module-signing/MOK.priv \
/root/module-signing/MOK.der "$modfile"
done
- Add execution permission, and run the script above as root from the /root/module-signing/ directory.
sudo -i
cd /root/module-signing
chmod 700 /root/module-signing/sign-vbox-modules
./sign-vbox-modules
- Load vboxdrv module and launch VirtualBox.
modprobe vboxdrv
Most of this information was gained from the following link, and can be referred to for additional information https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/.
Solution 2:
I know that this question is old, but because there is no accepted answer and none of these answers solved the issue for me, I am writing how I solved this today:
When running this command, get this error:
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
The problem is that the module is not signed and therefore not loaded with the kernel. This will happen if your computer has the SecureBoot mode activated, something very common in modern equipment.
That's why I get this error opening any machine in the virtual box
Kernel driver not installed (rc=-1908)
Do the following steps to sign a driver, and it is loaded as a kernel module, on Ubuntu systems and also on Debian 9:
-
Install the
mkutil
package to be able to do signed.sudo apt-get update sudo apt-get upgrade sudo apt-get install mokutil
-
Generate the signature file:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
-
Then add it to the kernel:
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
-
Register it for the Secure Boot.
IMPORTANT! That will ask you for a password, put the one you want, you will only have to use it once in the next reboot.
sudo mokutil --import MOK.der
-
Finally, restart the computer. A blue screen will appear with a keyboard wait, press the key that asks you to interrupt the boot.
When you are inside the blue screen, select
Enroll MOK -> Continue -> and it will ask you for the password
that you have previously entered, you will enter it and you will be informed that the operation has been completed successfully.
Now your operating system will start and you can now use VirtualBox without problem :)
Hope this helps someone.