VirtualBox

Opened 12 years ago

Last modified 3 years ago

#11577 new defect

Secure Boot doesn't allow 'vboxdrv' module to load (now works for Ubuntu and Debian 10+ hosts)

Reported by: Quickbooks Office Owned by:
Component: other Version: VirtualBox 4.2.8
Keywords: Cc: quickbooks.office@…
Guest type: all Host type: Linux

Description

Host - Fedora 18 64 bit Bios has Secure Boot enabled.

When I try to start any machine it says:

Kernel driver not installed (rc=-1908)

The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing

'/etc/init.d/vboxdrv setup'

as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.
[user@localhost ~]$ sudo /etc/init.d/vboxdrv setup
[sudo] password for user: 
Stopping VirtualBox kernel modules                         [  OK  ]
Uninstalling old VirtualBox DKMS kernel modules            [  OK  ]
Trying to register the VirtualBox kernel modules using DKMS[  OK  ]
Starting VirtualBox kernel modules                         [FAILED]
  (modprobe vboxdrv failed. Please use 'dmesg' to find out why)

[user@localhost ~]$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

Attachments (2)

Print1.png (70.8 KB ) - added by miyo 5 years ago.
COnfiguring UEFI Secure Boot - print1
Print2.png (24.5 KB ) - added by miyo 5 years ago.
Configuring UEFI Secure Boot - print2

Download all attachments as: .zip

Change History (36)

comment:1 by Quickbooks Office, 12 years ago

[user@localhost ~]$ sudo virtualbox
[sudo] password for user: 
WARNING: The vboxdrv kernel module is not loaded. Either there is no module
         available for the current kernel (3.8.2-206.fc18.x86_64) or it failed to
         load. Please recompile the kernel module and install it by

           sudo /etc/init.d/vboxdrv setup

         You will not be able to start VMs until this problem is fixed.


comment:2 by Frank Mehnert, 12 years ago

priority: blockermajor

This is not really a VirtualBox bug. Oracle cannot sign kernel modules using the Fedora key. See also the Fedora FAQ in this regards.

comment:3 by marcmerlin, 10 years ago

If I build my own kernel with signed modules, I have the key, dkms builds the virtualbox modules on my laptop which has the kernel source and my signing key. Can you enhance the dkms script to use /usr/src/linux-xxx/signing_key.* and sign the modules if those files are present?

Thanks

comment:4 by bryanhundven, 9 years ago

This is still an issue on Fedora 22, I cannot disable secure boot on my workstation. The change marcmerlin suggested would work.

comment:5 by khatkarrohit, 9 years ago

Still a major problem on Ubuntu 16.04 using VirtualBox 5.0

Last edited 9 years ago by khatkarrohit (previous) (diff)

comment:6 by Jdot, 8 years ago

im having problems too on Ubuntu 16.04 using VirtualBox 5.1.6. when will this be sorted?

comment:7 by equalitytech, 7 years ago

Same problem today Ubuntu 17.10.

I can sign the libraries, but still the installer doesn't work.

#!/bin/bash

for modfile in $(dirname $(modinfo -n vboxdrv))/*.ko; do
  echo "Signing $modfile"
  /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
                                /root/module-signing/MOK.priv \
                                /root/module-signing/MOK.der "$modfile"
done

./VirtualBox-5.2.13-122773-Linux_amd64.run

Verifying archive integrity... All good.
Uncompressing VirtualBox for Linux installation.............
VirtualBox Version 5.2.13 r122773 (2018-05-24T09:58:29Z) installer
Removing previous installation of VirtualBox 5.2.13 r122773 from /opt/VirtualBox
Installing VirtualBox to /opt/VirtualBox
Python found: python, installing bindings...
Created symlink /etc/systemd/system/multi-user.target.wants/vboxdrv.service → /lib/systemd/system/vboxdrv.service.                                    
Created symlink /etc/systemd/system/multi-user.target.wants/vboxballoonctrl-service.service → /lib/systemd/system/vboxballoonctrl-service.service.
Created symlink /etc/systemd/system/multi-user.target.wants/vboxautostart-service.service → /lib/systemd/system/vboxautostart-service.service.
Created symlink /etc/systemd/system/multi-user.target.wants/vboxweb-service.service → /lib/systemd/system/vboxweb-service.service.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox.  To re-start the set-up process, run
  /sbin/vboxconfig
as root.

VirtualBox has been installed successfully.

You will find useful information about using VirtualBox in the user manual
  /opt/VirtualBox/UserManual.pdf
and in the user FAQ
  http://www.virtualbox.org/wiki/User_FAQ

We hope that you enjoy using VirtualBox.

The installation log file is at /var/log/vbox-install.log.

tail /var/log/vbox-install.log

VirtualBox 5.2.13 r122773 installer, built 2018-05-24T09:58:29Z.

Testing system setup...
Removing previous installation of VirtualBox 5.2.13 r122773 from /opt/VirtualBox

vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.

comment:8 by DiegoRivera, 6 years ago

I applied the following workaround for Ubuntu Bionic (18.04). I'm sure it'll also work for Artful (17.10) and Zesty (17.04). Possibly even further back in time. This is based on systemd's RequiredBy capability, shim and mokutils. Please note that you'll need to have MOK keys already created and enrolled, otherwise there won't be anything to sign the modules with.

First, create the following systemd unit as /etc/systemd/system/ensure-vboxdrv-signed.service:

[Unit]
SourcePath=/usr/bin/ensure-vbox-signed
Description=Ensure the VirtualBox Linux kernel modules are signed
Before=vboxdrv.service
After=

[Service]
Type=oneshot
Restart=no
TimeoutSec=30
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
ExecStart=/usr/bin/ensure-vbox-signed

[Install]
WantedBy=multi-user.target
RequiredBy=vboxdrv.service

The above unit is meant to be executed before vboxdrv.service (i.e. before the VirtualBox startup service is run), and be required by it (i.e. can't load the service if driver sigining fails).

Then, create the following script and store it as /usr/bin/ensure-vbox-signed:

#!/bin/bash

MOKUTIL="/usr/bin/mokutil"
MODPROBE="/sbin/modprobe"
MODINFO="/sbin/modinfo"
SIG_DIR="/var/lib/shim-signed/mok"
PUB="${SIG_DIR}/MOK.der"
KEY="${SIG_DIR}/MOK.priv"

if ! "${MOKUTIL}" --sb-state | grep -qi '[[:space:]]enabled$' ; then
	echo "WARNING: Secure Boot is not enabled, signing is not necessary"
	exit 0
fi

# If secure boot is enabled, we try to find the signature keys
[ -f "${KEY}" ] || { echo "ERROR: Couldn't find the MOK private key at ${KEY}" ; exit 1 ; }
[ -f "${PUB}" ] || { echo "ERROR: Couldn't find the MOK public key at ${PUB}" ; exit 1 ; }

INFO="$("${MODINFO}" -n vboxdrv)"
if [ -z "${INFO}" ] ; then
	# If there's no such module, compile it
	/usr/lib/virtualbox/vboxdrv.sh setup
	INFO="$("${MODINFO}" -n vboxdrv)"
	if [ -z "${INFO}" ] ; then
		echo "ERROR: Module compilation failed (${MODPROBE} couldn't find it after vboxdrv.sh was called)"
		exit 1
	fi
fi

KVER="${1}"
[ -z "${KVER}" ] && KVER="$(uname -r)"

KDIR="/usr/src/linux-headers-${KVER}"
DIR="$(dirname "${INFO}")"

for module in "${DIR}"/vbox*.ko ; do
	MOD="$(basename "${module}")"
	MOD="${MOD//.*/}"

	# Quick check - if the module loads, it needs no signing
	echo "Loading ${MOD}..."
	"${MODPROBE}" "${MOD}" && continue

	# The module didn't load, and it must have been built (above), so it needs signing
	echo "Signing ${MOD}..."
	if ! "${KDIR}/scripts/sign-file" sha256 "${KEY}" "${PUB}" "${module}" ; then
		echo -e "\tFailed to sign ${module} with ${KEY} and ${PUB} (rc=${?}, kernel=${KVER})"
		exit 1
	fi

	echo "Reloading the signed ${MOD}..."
	if ! "${MODPROBE}" "${MOD}" ; then
		echo -e "\tSigned ${MOD}, but failed to load it from ${module}"
		exit 1
	fi
	echo "Loaded the signed ${MOD}!"
done
exit 0

All that said, grafting a modified version of the above code into the '/usr/lib/virtualbox/vboxdrv.sh' script to be executed during module installation (check to see if signed, if not then sign) and compilation (sign immediately after compiling) would also do the trick.

Another solution could be to port the entire thing to DKMS and leverage the existing infrastructure, but that's probably far too much work at this point (which is likely why it hasn't been done).

So, for now, you can use the above workaround. This should work fine in other Linux distributions that also use systemd and mokutil. Please note that the path that the service unit needs to be created in may change for different Linux distributions.

Good luck!

Cheers!

Last edited 6 years ago by DiegoRivera (previous) (diff)

comment:9 by Michael Thayer, 6 years ago

Part of the problem is that any automatic way to sign kernel modules is probably only marginally safer than disabling signing altogether. Of course, it is hard to say for sure, just as it is hard to say for sure how much security benefit signing modules even provides, particularly on a desktop system.

comment:10 by Michael Thayer, 5 years ago

This is fixed for Ubuntu as of the current 6.0 and trunk test builds<1>. The reason it was possible to do it for Ubuntu is that they already provide a mechanism of their own for use with DKMS modules. The problems I mentioned in my last comment still apply, but since Ubuntu has decided to provide this themselves this was their decision not ours.

<1> https://www.virtualbox.org/wiki/Testbuilds

Last edited 5 years ago by Michael Thayer (previous) (diff)

comment:11 by Michael Thayer, 5 years ago

Summary: Secure Boot doesn't allow 'vboxdrv' module to load - Required key not availableSecure Boot doesn't allow 'vboxdrv' module to load (now works for Ubuntu and Debian 10+ hosts)

Please note that I am not marking this as fixed, just mentioning that the special case of Ubuntu and Debian 10+ hosts now works.

comment:12 by Michael Thayer, 5 years ago

A suggestion for anyone who wants this fixed for other host distributions: ask your distributions to provide a mechanism we can use. If the mechanism is compatible with Ubuntu's one then it will be automatically supported, as we only check for the mechanism, not the distribution.

comment:13 by Michael Thayer, 5 years ago

If it helps anything, this is the change:

https://www.virtualbox.org/changeset/79186/vbox

comment:14 by zardoz, 5 years ago

Unfortunately, you have completely broken this for Fedora SecureBoot users.

The unconditional "return 0" on line 280 of https://www.virtualbox.org/changeset/79186/vbox means that the modules will not even be compiled. This leaves us Fedora users, who are quite capable of signing kernel modules, with nothing to sign.

It would be far better, if it's not a Debian/Ubuntu environment, for the code to complete as previously, regardless of the SecureBoot status of the system and a simple, warning to be printed.

I have been manually applying the following patch to vboxdrv.sh to do the post-compile module signing on Fedora 2x & 3x versions. Now, the above changes have crippled any chance of this working.

*** vboxdrv.sh.orig     2019-07-12 07:19:37.000000000 -0400
--- vboxdrv.sh  2019-07-17 09:06:59.743301592 -0400
***************
*** 487,492 ****
--- 487,498 ----
          failure "Look at $LOG to find out what went wrong"
      fi
      rm -f /etc/vbox/module_not_compiled
+ 
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxdrv)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxnetflt)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxnetadp)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxpci)
+ 
      depmod -a
      sync
      succ_msg "VirtualBox kernel modules built"

comment:15 by zardoz, 5 years ago

Changing the above patch, for VB 6.0.10, seems to work for Fedora 30 again.

*** vboxdrv.sh.orig	2019-07-12 07:19:37.000000000 -0400
--- vboxdrv.sh	2019-07-17 09:51:34.919935227 -0400
***************
*** 277,283 ****
    $MODULE_LIST
  See the documenatation for your Linux distribution." console
          fi
!         return 0
      fi
      if ! running vboxdrv; then
          if ! rm -f $DEVICE; then
--- 277,283 ----
    $MODULE_LIST
  See the documenatation for your Linux distribution." console
          fi
!         # return 0
      fi
      if ! running vboxdrv; then
          if ! rm -f $DEVICE; then
***************
*** 487,492 ****
--- 487,498 ----
          failure "Look at $LOG to find out what went wrong"
      fi
      rm -f /etc/vbox/module_not_compiled
+ 
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxdrv)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxnetflt)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxnetadp)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxpci)
+ 
      depmod -a
      sync
      succ_msg "VirtualBox kernel modules built"

comment:16 by ploni, 5 years ago

This has also completely broken this for me (Ubuntu 19.04 with Secure Boot).

apt update && apt upgrade

didn't provide any warnings.

sudo /sbin/vboxconfig just gives the standard output:

vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
  vboxdrv vboxnetflt vboxnetadp vboxpci
See the documenatation for your Linux distribution..

But my signing script, which uses modinfo -n vboxdrv to find the files to sign, fails with:

modinfo: ERROR: Module vboxdrv not found.

After further testing, my problem is the same as #14, except that my computer has the correct files. The problem is that (for whatever reason) it's not enrolled, cutting me off with the same unconditional "return 0".

Last edited 5 years ago by ploni (previous) (diff)

comment:17 by Michael Thayer, 5 years ago

@pioni See the patch provided by zardoz above, specifically the commented out "return 0". Make just that change locally.

@zardoz Thank you for pointing out the problem, would you like to be credited in the change log?

in reply to:  15 comment:18 by CW Huling, 5 years ago

This worked for CentOS 7, thank you.

Replying to zardoz:

Changing the above patch, for VB 6.0.10, seems to work for Fedora 30 again.

*** vboxdrv.sh.orig	2019-07-12 07:19:37.000000000 -0400
--- vboxdrv.sh	2019-07-17 09:51:34.919935227 -0400
***************
*** 277,283 ****
    $MODULE_LIST
  See the documenatation for your Linux distribution." console
          fi
!         return 0
      fi
      if ! running vboxdrv; then
          if ! rm -f $DEVICE; then
--- 277,283 ----
    $MODULE_LIST
  See the documenatation for your Linux distribution." console
          fi
!         # return 0
      fi
      if ! running vboxdrv; then
          if ! rm -f $DEVICE; then
***************
*** 487,492 ****
--- 487,498 ----
          failure "Look at $LOG to find out what went wrong"
      fi
      rm -f /etc/vbox/module_not_compiled
+ 
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxdrv)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxnetflt)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxnetadp)
+     /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/MOK.priv /root/MOK.der $(modinfo -n vboxpci)
+ 
      depmod -a
      sync
      succ_msg "VirtualBox kernel modules built"

comment:19 by zardoz, 5 years ago

@michael - No need to credit me for anything.. Thanks for sorting it out.

Last edited 5 years ago by zardoz (previous) (diff)

comment:20 by beta_tester, 5 years ago

Replying to michael:

Please note that I am not marking this as fixed, just mentioning that the special case of Ubuntu and Debian 10+ hosts now works.

i can not confirm that VirtualBox is working under Debian 10.
see #18770.
i can't get VirtualBox Version 6.0.10 r132072 (Qt5.11.3) running under
Debian Buster 10 64bit (KDE) + UEFI + SecureBoot.

comment:21 by Haase, 5 years ago

Yes. Indeed, I have a some issue with drivers of virtualbox 6.0.10. I solved the updated issue of linux-headers for VBox 6.0.10 but I am problem with drivers. The OS I using is Ubuntu 18.04 Bionic at x64.How must I proceed? The virtualBox open, compile but not running. My hardware architecture is a Intel i5 with UEFI.

~$ vitualbox

WARNING: The vboxdrv kernel module is not loaded. Either there is no module available for current kernel (4.18.0-25-generic) or it failed load. Please recomplile the kernel module install it by

sudo/sbin/vboxconfig

You will not able to start VMs untill this problem fixed.

However, the VBox open but did not running host ISO.Thus, whenever I did type the instruction:

root@linux:/sbin# vboxconfig

vboxdrv.sh: Stopping VirtualBox services.

vboxdrv.sh: Starting VirtualBox services.

vboxdrv.sh: You must sign these kernel modules before using

VirtualBox: vboxdrv vboxnetflt vboxnetadp vboxpci

See the documentation for your Linux distribution

In the interface of VBox show the other one joint that information - you're use EFI SECURE BOOT. Yes, indeed, it onboard my architecture. The news architectures are coming with this UEFI secure boot. But I did try off that and the VBox following reporting me about Error: KERNEL DRIVE NOT INSTALLED (rc=1908)

Thanks.

Last edited 5 years ago by Haase (previous) (diff)

comment:22 by eliwap, 5 years ago

Same problem on Opensuse 15.1

in reply to:  22 comment:23 by Socratis, 5 years ago

Replying to eliwap:

Same problem on Opensuse 15.1

The ticket says that this is specifically fixed for recent Ubuntu and Debian10 installations, it doesn't cover everything. Does OpenSUSE provide the infrastructure required, as this was laid out by 'michael' on comments 10 and especially 12?

Comment 10, 2019-06-18 08:03:18:

This is fixed for Ubuntu as of the current 6.0 and trunk test builds. The reason it was possible to do it for Ubuntu is that they already provide a mechanism of their own for use with DKMS modules. The problems I mentioned in my last comment still apply, but since Ubuntu has decided to provide this themselves this was their decision not ours.


Comment 12, 2019-06-18 11:54:07, emphasis mine:

A suggestion for anyone who wants this fixed for other host distributions: ask your distributions to provide a mechanism we can use. If the mechanism is compatible with Ubuntu's one then it will be automatically supported, as we only check for the mechanism, not the distribution.

comment:24 by Michael Thayer, 5 years ago

I think I would count this as the same problem if the system is using secure boot and the kernel modules now fail to build, and if removing the two "return 0" lines from /sbin/rcvboxdrv as pointed out in zardoz's patch fix the problem.

comment:25 by okuhama, 5 years ago

Unfortunately michael's fix not even works for (some) Ubuntus:

$ uname -r
4.15.0-55-generic
$ dpkg-query --list | grep virtualbox-6.0
ii  virtualbox-6.0          6.0.10-132072~Ubuntu~bionic        amd64        Oracle VM VirtualBox

I experienced the already mentioned problem that after upgrade to 6.0.10 (via apt full-upgrade) and also after dpkg-reconfigure virtualbox-6.0 there where no vbox* kernel modules anymore.

Commenting the return 0 in /usr/lib/virtualbox/vboxdrv.sh line 280 helped me out in that the script at least compiled the kernel modules. Since I already had some module signing script in place and using it for months I was not interested in fixing this part of vboxdrv.sh.

comment:26 by m-c, 5 years ago

Here is a slightly other situation: I am running a vanilla Ubuntu 18.04 with Secure Boot enabled in BIOS. This is a stock Ubuntu kernel and I have *not* set up anything for signing self compiled modules, and I don't *want* to do that unless I'm forced to. VirtualBox installed from official repo just worked out-of-the box until 6.0.8, and with those changes in 6.0.10 it tried to force me into creating and enrolling signing keys.

The problem seems to be that vboxdrv.sh only checks the output of "mokutil --sb-state" to decide if it needs to create/enroll a key and kmodsign the modules. In my case mokutil prints "SecureBoot enabled", but everything is working fine *without* signing! I think vboxdrv.sh needs to check something else in addition to "mokutil --sb-state" to make sure it is *really* neccessary to mess around with UEFI variables.

I fixed that by moving the "return 0" from line 280 to line 493, right before the signing procedure. BTW, that "update-secureboot-policy --new-key" curses tool has *no* way to cancel. Had to kill it manually.

I effectively reverted https://www.virtualbox.org/changeset/79186/vbox and everything is working fine for me. Don't need self signed modules and don't want them. Especially since it does not provide any significant security benefit when the key is right there on the target system...

comment:27 by beta_tester, 5 years ago

i still can't get virtualbox working on a Debian 10 host.

what else can i try to get virtualbox working under Debian 10 + UEFI + SecureBoot, without touching UEFI/BIOS settings of the computer and without selfsigning/compiling virtualbox/modules?

why isn't there a virtualbox package available in the Debian Buster repository itself?

comment:28 by jimloki, 5 years ago

Hi,

On Debian 'sign-file' doesn't seem to be placed in '/usr/src/kernels/.../scripts/' but rather in '/usr/src/linux-headers-.../scripts/'

So you should try to modify the patch by replacing '/usr/src/kernels/$(uname -r)/scripts/sign-file' with '/usr/src/linux-headers-$(uname -r)/scripts/sign-file'

comment:29 by tom.isaacson, 5 years ago

You might want to fix the spelling of "documenatation" while you're patching this.

I'm using Ubuntu 18.04.2 LTS. I tried applying the patch and changing the path to '/usr/src/linux-headers-$(uname -r)/scripts/sign-file' but I'm now getting:

modinfo: ERROR: Module vboxdrv not found.
Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]
modinfo: ERROR: Module vboxnetflt not found.
Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]
modinfo: ERROR: Module vboxnetadp not found.
Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]
modinfo: ERROR: Module vboxpci not found.
Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]
Last edited 5 years ago by tom.isaacson (previous) (diff)

by miyo, 5 years ago

Attachment: Print1.png added

COnfiguring UEFI Secure Boot - print1

by miyo, 5 years ago

Attachment: Print2.png added

Configuring UEFI Secure Boot - print2

comment:30 by miyo, 5 years ago

Hi guys,

I could solve the issue of virtualbox-6.0.10 signing modules with SecureBoot Enabled on Debian 10, about the following WARNING:

root@mipc:~/instalaciones# virtualbox WARNING: The vboxdrv kernel module is not loaded. Either there is no module

available for the current kernel (4.19.0-5-amd64) or it failed to load. Please recompile the kernel module and install it by

sudo /sbin/vboxconfig

You will not be able to start VMs until this problem is fixed.

Qt WARNING: QXcbConnection: Could not connect to display
Qt CRITICAL: Could not connect to any X display.
root@mipc:~/instalaciones#
root@mipc:~/instalaciones#
root@mipc:~/instalaciones# /sbin/vboxconfig
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: You must sign these kernel modules before using VirtualBox:

vboxdrv vboxnetflt vboxnetadp vboxpci

See the documenatation for your Linux distribution..


These were the steps I followed, in order to solve it:

1) Create a personal public/private RSA key pair which will be used to sign kernel modules

  • mkdir /root/module-signing
  • cd /root/module-signing
  • openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"

2) Sign the modules to the kernel

  • /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
  • /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetflt)
  • /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetadp)
  • /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxpci)

3) Use mokutil utily to do a request for enrolling the key so it can be trusted by the system and set a simple password

mokutil --import /root/module-signing/MOK.der

4) Reboot the system and enroll the key (Enroll MOK).

reboot

5) Do the following changes to the /usr/lib/virtualbox/vboxdrv.sh script

  • Backup the script: vboxdrv.sh cp -p /usr/lib/virtualbox/vboxdrv.sh /usr/lib/virtualbox/vboxdrv.sh.orig
  • Edit the script: /usr/lib/virtualbox/vboxdrv.sh
  • Comment lines: 98,99

#DEB_PUB_KEY=/var/lib/shim-signed/mok/MOK.der
#DEB_PRIV_KEY=/var/lib/shim-signed/mok/MOK.priv

Change for:
DEB_PUB_KEY=/root/module-signing/MOK.der
DEB_PRIV_KEY=/root/module-signing/MOK.priv

  • Comment lines: 501,503
    #kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv \
    # /var/lib/shim-signed/mok/MOK.der \
    # /lib/modules/"$KERN_VER"/misc/"$i".ko
    ---
    Change for:
    /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /root/module-signing/MOK.priv \

/root/module-signing/MOK.der \
/lib/modules/"$KERN_VER"/misc/"$i".ko

6) Run the command "/usr/lib/virtualbox/vboxdrv.sh setup"

root@mipc:~# /usr/lib/virtualbox/vboxdrv.sh setup
vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
No DKMS packages installed: not changing Secure Boot validation state.

It will print the following some instructions you have to follow, it will probably ask you for the password you set when import MOK.der key in step (3)

COnfiguring UEFI Secure Boot - print1

Configuring UEFI Secure Boot - print2

6) verify the modules are loaded:

root@mipc:~# lsmod | grep box
vboxpci 28672 0
vboxnetadp 28672 0
vboxnetflt 32768 0
vboxdrv 487424 3 vboxpci,vboxnetadp,vboxnetflt

7) Before running virtualbox remember download the extention pack for the current virtualbox version.

8) With the local user run virtualbox

I hope it could helps you.

Thank you everyone for commenting.

Last edited 5 years ago by miyo (previous) (diff)

comment:31 by adrelanos, 5 years ago

Subscribe.

comment:32 by adrelanos, 5 years ago

New versions of DKMS have a SIGN_TOOL= feature. Please have a look, see if that looks alright, and give feedback to the DKMS developers:

SIGN_TOOL=

The module signing tool to be run at a build. Two arguments will be passed to the signing tool. The first argument is the target kernel version, the second is the module file path. If the tool exits with a non-zero value, the build will be aborted.

in reply to:  28 comment:33 by Frank Batschulat (Oracle), 5 years ago

Replying to jimloki:

On Debian 'sign-file' doesn't seem to be placed in '/usr/src/kernels/.../scripts/' but rather in '/usr/src/linux-headers-.../scripts/'

So you should try to modify the patch by replacing '/usr/src/kernels/$(uname -r)/scripts/sign-file' with '/usr/src/linux-headers-$(uname -r)/scripts/sign-file'

We do not use this tool anylonger in vboxdr.sh, instead we now use:

/usr/bin/kmodsign

503     if test -f "$DEB_PUB_KEY" && test -f "$DEB_PRIV_KEY"; then
504         HAVE_DEB_KEY=true
505         for i in $MODULE_LIST; do
506             kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv \
507                 /var/lib/shim-signed/mok/MOK.der \
508                 /lib/modules/"$KERN_VER"/misc/"$i".ko
509         done

comment:34 by kieb, 3 years ago

---

Last edited 3 years ago by kieb (previous) (diff)
Note: See TracTickets for help on using tickets.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette