Ticket #11577 (new defect)
Secure Boot doesn't allow 'vboxdrv' module to load - Required key not available
Reported by: | quickbooks | Owned by: | |
---|---|---|---|
Component: | other | Version: | VirtualBox 4.2.8 |
Keywords: | Cc: | quickbooks.office@… | |
Guest type: | all | Host type: | Linux |
Description
Host - Fedora 18 64 bit Bios has Secure Boot enabled.
When I try to start any machine it says:
Kernel driver not installed (rc=-1908) The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing '/etc/init.d/vboxdrv setup' as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.
[user@localhost ~]$ sudo /etc/init.d/vboxdrv setup [sudo] password for user: Stopping VirtualBox kernel modules [ OK ] Uninstalling old VirtualBox DKMS kernel modules [ OK ] Trying to register the VirtualBox kernel modules using DKMS[ OK ] Starting VirtualBox kernel modules [FAILED] (modprobe vboxdrv failed. Please use 'dmesg' to find out why)
[user@localhost ~]$ sudo modprobe vboxdrv modprobe: ERROR: could not insert 'vboxdrv': Required key not available
Change History
comment:2 Changed 6 years ago by frank
- priority changed from blocker to major
This is not really a VirtualBox bug. Oracle cannot sign kernel modules using the Fedora key. See also the Fedora FAQ in this regards.
comment:3 Changed 4 years ago by marcmerlin
If I build my own kernel with signed modules, I have the key, dkms builds the virtualbox modules on my laptop which has the kernel source and my signing key. Can you enhance the dkms script to use /usr/src/linux-xxx/signing_key.* and sign the modules if those files are present?
Thanks
comment:4 Changed 3 years ago by bryanhundven
This is still an issue on Fedora 22, I cannot disable secure boot on my workstation. The change marcmerlin suggested would work.
comment:5 Changed 3 years ago by khatkarrohit
Still a major problem on Ubuntu 16.04 using VirtualBox 5.0
comment:6 Changed 2 years ago by Jdot
im having problems too on Ubuntu 16.04 using VirtualBox 5.1.6. when will this be sorted?
comment:7 Changed 9 months ago by equalitytech
Same problem today Ubuntu 17.10.
I can sign the libraries, but still the installer doesn't work.
#!/bin/bash for modfile in $(dirname $(modinfo -n vboxdrv))/*.ko; do echo "Signing $modfile" /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \ /root/module-signing/MOK.priv \ /root/module-signing/MOK.der "$modfile" done
./VirtualBox-5.2.13-122773-Linux_amd64.run
Verifying archive integrity... All good. Uncompressing VirtualBox for Linux installation............. VirtualBox Version 5.2.13 r122773 (2018-05-24T09:58:29Z) installer Removing previous installation of VirtualBox 5.2.13 r122773 from /opt/VirtualBox Installing VirtualBox to /opt/VirtualBox Python found: python, installing bindings... Created symlink /etc/systemd/system/multi-user.target.wants/vboxdrv.service → /lib/systemd/system/vboxdrv.service. Created symlink /etc/systemd/system/multi-user.target.wants/vboxballoonctrl-service.service → /lib/systemd/system/vboxballoonctrl-service.service. Created symlink /etc/systemd/system/multi-user.target.wants/vboxautostart-service.service → /lib/systemd/system/vboxautostart-service.service. Created symlink /etc/systemd/system/multi-user.target.wants/vboxweb-service.service → /lib/systemd/system/vboxweb-service.service. vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why. There were problems setting up VirtualBox. To re-start the set-up process, run /sbin/vboxconfig as root. VirtualBox has been installed successfully. You will find useful information about using VirtualBox in the user manual /opt/VirtualBox/UserManual.pdf and in the user FAQ http://www.virtualbox.org/wiki/User_FAQ We hope that you enjoy using VirtualBox. The installation log file is at /var/log/vbox-install.log.
tail /var/log/vbox-install.log
VirtualBox 5.2.13 r122773 installer, built 2018-05-24T09:58:29Z. Testing system setup... Removing previous installation of VirtualBox 5.2.13 r122773 from /opt/VirtualBox vboxdrv.sh: Stopping VirtualBox services. vboxdrv.sh: Building VirtualBox kernel modules. vboxdrv.sh: Starting VirtualBox services. vboxdrv.sh: Building VirtualBox kernel modules.
comment:8 Changed 7 months ago by DiegoRivera
I applied the following workaround for Ubuntu Bionic (18.04). I'm sure it'll also work for Artful (17.10) and Zesty (17.04). Possibly even further back in time. This is based on systemd's RequiredBy capability, shim and mokutils. Please note that you'll need to have MOK keys already created and enrolled, otherwise there won't be anything to sign the modules with.
First, create the following systemd unit as /etc/systemd/system/ensure-vboxdrv-signed.service:
[Unit] SourcePath=/usr/bin/ensure-vbox-signed Description=Ensure the VirtualBox Linux kernel modules are signed Before=vboxdrv.service After= [Service] Type=oneshot Restart=no TimeoutSec=30 IgnoreSIGPIPE=no KillMode=process GuessMainPID=no RemainAfterExit=yes ExecStart=/usr/bin/ensure-vbox-signed [Install] WantedBy=multi-user.target RequiredBy=vboxdrv.service
The above unit is meant to be executed before vboxdrv.service (i.e. before the VirtualBox startup service is run), and be required by it (i.e. can't load the service if driver sigining fails).
Then, create the following script and store it as /usr/bin/ensure-vbox-signed:
#!/bin/bash MOKUTIL="/usr/bin/mokutil" MODPROBE="/sbin/modprobe" MODINFO="/sbin/modinfo" SIG_DIR="/var/lib/shim-signed/mok" PUB="${SIG_DIR}/MOK.der" KEY="${SIG_DIR}/MOK.priv" if ! "${MOKUTIL}" --sb-state | grep -qi '[[:space:]]enabled$' ; then echo "WARNING: Secure Boot is not enabled, signing is not necessary" exit 0 fi # If secure boot is enabled, we try to find the signature keys [ -f "${KEY}" ] || { echo "ERROR: Couldn't find the MOK private key at ${KEY}" ; exit 1 ; } [ -f "${PUB}" ] || { echo "ERROR: Couldn't find the MOK public key at ${PUB}" ; exit 1 ; } INFO="$("${MODINFO}" -n vboxdrv)" if [ -z "${INFO}" ] ; then # If there's no such module, compile it /usr/lib/virtualbox/vboxdrv.sh setup INFO="$("${MODINFO}" -n vboxdrv)" if [ -z "${INFO}" ] ; then echo "ERROR: Module compilation failed (${MODPROBE} couldn't find it after vboxdrv.sh was called)" exit 1 fi fi KVER="${1}" [ -z "${KVER}" ] && KVER="$(uname -r)" KDIR="/usr/src/linux-headers-${KVER}" DIR="$(dirname "${INFO}")" for module in "${DIR}"/vbox*.ko ; do MOD="$(basename "${module}")" MOD="${MOD//.*/}" # Quick check - if the module loads, it needs no signing echo "Loading ${MOD}..." "${MODPROBE}" "${MOD}" && continue # The module didn't load, and it must have been built (above), so it needs signing echo "Signing ${MOD}..." if ! "${KDIR}/scripts/sign-file" sha256 "${KEY}" "${PUB}" "${module}" ; then echo -e "\tFailed to sign ${module} with ${KEY} and ${PUB} (rc=${?}, kernel=${KVER})" exit 1 fi echo "Reloading the signed ${MOD}..." if ! "${MODPROBE}" "${MOD}" ; then echo -e "\tSigned ${MOD}, but failed to load it from ${module}" exit 1 fi echo "Loaded the signed ${MOD}!" done exit 0
All that said, grafting a modified version of the above code into the '/usr/lib/virtualbox/vboxdrv.sh' script to be executed during module installation (check to see if signed, if not then sign) and compilation (sign immediately after compiling) would also do the trick.
Another solution could be to port the entire thing to DKMS and leverage the existing infrastructure, but that's probably far too much work at this point (which is likely why it hasn't been done).
So, for now, you can use the above workaround. This should work fine in other Linux distributions that also use systemd and mokutil. Please note that the path that the service unit needs to be created in may change for different Linux distributions.
Good luck!
Cheers!
comment:9 Changed 7 months ago by michael
Part of the problem is that any automatic way to sign kernel modules is probably only marginally safer than disabling signing altogether. Of course, it is hard to say for sure, just as it is hard to say for sure how much security benefit signing modules even provides, particularly on a desktop system.