Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 (and I want to keep secure boot)
I upgrade from Ubuntu 15.10 to 16.04 and since then VirtualBox 5.0.18 isn't starting my VMs anymore. It complains that 'vboxdrv' isn't loaded. So I try to load it and get the following error:
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
I believe it is related to secure boot which I use and which I want to continue using. Actually with Ubuntu 15.10 secure boot and VirtualBox were working just fine.
Also I tried $ sudo apt-get --reinstall install virtualbox-dkms which built the kernel module successfully but didn't solve this issue.
Any idea how to get vboxdrv loaded while keeping secure boot enabled?
Update 2: Also I tried executing sudo mokutil --disable-validation. When executing this command, during the next boot I get prompted to disable secure boot, add a key or hash from disk. Since I don't want to disable secure boot, it seems that this doesn't solve my issue either. Also I want to keep UEFI activated for a parallel Windows installation.
Note: If you don't mind disabling secure boot, see Why do I get "Required key not available" when install 3rd party kernel modules or after a kernel upgrade? instead.
Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. Because you want to keep Secure Boot, then the next logical step is to sign those modules.
So let's try it.
-
Create signing keys
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"Option: for additional security, skip the -nodes switch, which will ask for a password. Then before moving on to the next step, make sure to
export KBUILD_SIGN_PIN='yourpassword' -
Sign the module (vboxdrv for this example, but repeat for other modules in
ls $(dirname $(modinfo -n vboxdrv))/vbox*.ko)for full functionality)sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv) -
Confirm the module is signed
tail $(modinfo -n vboxdrv) | grep "Module signature appended" -
Register the keys to Secure Boot
sudo mokutil --import MOK.derwhich will ask for a password to use to confirm the import in the next step.
Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
-
Confirm the key is enrolled
mokutil --test-key MOK.der
If VirtualBox still does not load, it may be because the module didn't load (sudo modprobe vboxdrv will fix that) or that the key is not signed. Simply repeat that step and everything should work fine.
Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. @zwets for additional security. @shasha_trn for mentioning all the modules.
Additional resource: I created a bash script for my own use every time virtualbox-dkms upgrades and thus overwrites the signed modules. Check out my vboxsign originally on GitHub.
On my system I did the following to make it work:
Run mokutil:
sudo mokutil --disable-validation
Then mokutil asked me to set a password for the MOK Manager. After rebooting the PC the BIOS showed a dialog to configure the MOK Manager. I disabled SecureBoot from this dialog, it asked for several characters from the password (ie. enter character (5), etc).
After booting up the vboxdrv modules loaded correctly.
lsmod | grep vboxdrv
vboxdrv 454656 3 vboxnetadp,vboxnetflt,vboxpci
Curiously, mokutil still shows SecureBoot is enabled:
sudo mokutil --sb-state
SecureBoot enabled
I know that this question is too old, but because there is no accepted answer and none of these answers solved the issue in my case, I am writing how I solved this today without disabling the Secure Boot:
When running this command, get this error:
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
The problem is that the module is not signed and therefore not loaded with the kernel. This will happen if your computer has the SecureBoot mode activated, something very common in modern equipment.
That's why I get this error opening any machine in the virtual box
Kernel driver not installed (rc=-1908)
Do the following steps to sign a driver, and it is loaded as a kernel module, on Ubuntu systems and also on Debian 9:
1. Install the mkutil package to be able to do signed.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install mokutil
2. generate the signature file:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
3. Then add it to the kernel:
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
4. Register it for the Secure Boot.
IMPORTANT! That will ask you for a password, put the one you want, you will only have to use it once in the next reboot.
sudo mokutil --import MOK.der
5. Finally, restart the computer. A blue screen will appear with a keyboard wait, press the key that asks you to interrupt the boot.
When you are inside the blue screen, select
Enroll MOK > Continue > and it will ask you for the password
that you have previously entered, you will enter it and you will be informed that the operation has been completed successfully.
Now your operating system will start and you can now use VirtualBox without problem :)
Hope this help someone.
You can disable the validation check by
sudo apt install mokutil
sudo mokutil --disable-validation
After that DKMS packages should install.