Why do I get "Required key not available" when install 3rd party kernel modules or after a kernel upgrade?

This issue happens only on UEFI systems with enabled Secure Boot.

When I try to install DKMS modules like VirtualBox, Nvidia, or Broadcom drivers, they do not install and I get Required key not available when I try to modprobe them.

VirtualBox complains that vboxdrv is not loaded.

Broadcom wl driver is shown in lspci -k as a kernel module but is not in use. sudo modprobe wl throws Required key not available.

Also this issue may happen when I install some kernel modules from git sources.

This issue may appear after a kernel update as disabled wireless adapter, black screen after a reboot, etc.

How can I fix it?

Solution 1:

Since Ubuntu kernel 4.4.0-20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel config has been enabled. That prevents from loading unsigned third party modules if UEFI Secure Boot is enabled.

The easiest way to fix this issue is to disable Secure Boot in UEFI (BIOS) settings.

In most cases you can get into UEFI settings using grub menu. Press ESC button on booting, get into grub menu and select System Setup. Secure Boot option should be in "Security" or "Boot" section of the UEFI.

You can get into UEFI directly, but it depends on your hardware. Read your computer manual to see how to get there. It may be Del, or F2 on boot, or something else.

An alternative way is to disable Secure Boot using mokutil.

Since Ubuntu kernel build 4.4.0-21.37 this can be fixed by running

sudo apt install mokutil
sudo mokutil --disable-validation

It will require to create a password. The password should be at least 8 characters long. After you reboot, UEFI will ask if you want to change security settings. Choose "Yes".

Then you will be asked to enter the previously created password. Some UEFI firmware asks not for the full password, but to enter some characters of it, like 1st, 3rd, etc. Be careful. Some people do not understand this. I did not get it from the first attempt either ;-)

Update: Now this kernel config is enabled in all supported Ubuntu kernels. Ubuntu 16.04, 15.10 and 14.04 are affected.

Solution 2:

As suggested by user @zwets, I'm copying (with edits) an answer here:

Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. If you'd want to keep Secure Boot and also run these modules, then the next logical step is to sign those modules.

So let's try it.

1. Create signing keys

   openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"
   

2. Sign the module

   sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /path/to/module
   

Note 1: There can be multiple files to be signed for a single driver/module, so /path/to/module may need to be replaced with $(modinfo -n <modulename>), e.g. $(modinfo -n vboxdrv)

Note 2: sudo kmodsign sha512 ./MOK.priv ./MOK.der /path/to/module is an alternative if sign-file is not available.

3. Register the keys to Secure Boot

   sudo mokutil --import MOK.der
   

   Supply a password for later use after reboot

4. Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.

If the key has been enrolled properly, it will show up under sudo mokutil --list-enrolled.

Please let me know if your modules would run this way on Ubuntu 16.04 (on kernel 4.4.0-21, I believe).

Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. (they've been working on it) ;-)

Additional resource: I created a bash script for my own use every time virtualbox-dkms upgrades and thus overwrites the signed modules. Check out my vboxsign originally on GitHub.

Additional note for the security (extra-)conscious: ;-)

Since the private key you created (MOK.priv in this example) can be used by anyone who can have access to it, it is good practice to keep it secure. You may chmod it, encrypt (gpg) it, or store it somewhere else safe(r). Or, as noted in this comment, remove the option -nodes in step number 1. This will encrypt the key with a passphrase.

Solution 3:

You can disable Secure Boot (UEFI) in the BIOS with the following steps:

1. Reboot your machine and enter the BIOS Menu (In my case pressing F2)

2. Search for Secure Boot and change to Legacy

In an ASUS motherboard:

• Go to the Advanced Mode (F7)
• Go in the Secure Boot option under the Boot section
• Change "Windows UEFI mode" with "Other OS"
• Save and restart to apply settings (F10)

Solution 4:

You can also Disable Secure Boot in shim-signed running sudo update-secureboot-policy. This wiki page explains this method:

• Open a terminal (Ctrl + Alt + T), and execute sudo update-secureboot-policy and then select Yes.
• Enter a temporary password between 8 to 16 digits. (For example, 12345678, we will use this password later
• Enter the same password again to confirm.
• Reboot the system and press any key when you see the blue screen (MOK management
• Select Change Secure Boot state
• Enter the password you had selected in Step 2 and press Enter.
• Select Yes to disable Secure Boot in shim-signed.
• Press Enter key to finish the whole procedure.

You can still enable Secure Boot in shim-signed again. Just execute

sudo update-secureboot-policy --enable and then follow the steps above