VBox & VMware in SecureBoot Linux


Kernel driver not installed (rc=-1908) The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing '/etc/init.d/vboxdrv setup' as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.

2016-07-11: An updated version of this post has been published, we recommend reading it instead.

If you have a Linux system running in Secure Boot and you install VirtualBox or VMware player you will see, with some frustration, that you won’t be able to run any VMs.

This post also applies if you are running your system with module signature verification enabled (CONFIG_MODULE_SIG) even if it’s not running in Secure Boot.

I know this is an old issue, but I haven’t found any post that explains this properly, and most people suggest disabling Secure Boot as a solution. I find that to be a very poor solution, so here’s my 2 cents.

The picture above shows what you’ll see from the GUI, but if you run it from the console you’ll see:

user@localhost:$ virtualbox
WARNING: The vboxdrv kernel module is not loaded. Either there is no module
available for the current kernel (3.15.8-200.fc20.x86_64) or it failed to
load. Please recompile the kernel module and install it by

sudo /etc/init.d/vboxdrv setup

You will not be able to start VMs until this problem is fixed.

But probably even before that, when you installed VirtualBox you already had an error that you missed:

user@localhost:$ sudo yum localinstall VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64.rpm

Installing : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1

Creating group 'vboxusers'. VM users must be member of that group!

No precompiled module for this kernel found -- trying to build one. Messages
emitted during module compilation will be logged to /var/log/vbox-install.log.

Stopping VirtualBox kernel modules [ OK ]
Uninstalling old VirtualBox DKMS kernel modules [ OK ]
Trying to register the VirtualBox kernel modules using DKMS [ OK ]
Starting VirtualBox kernel modules [FAILED]
(modprobe vboxdrv failed. Please use 'dmesg' to find out why)
Verifying : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1

Installed:
VirtualBox-4.3.x86_64 0:4.3.14_95030_fedora18-1

You’ll realize that dmesg will not tell you much so you’ll probably check the vboxdrv service:

user@localhost:$ sudo systemctl status vboxdrv
vboxdrv.service - LSB: VirtualBox Linux kernel module
Loaded: loaded (/etc/rc.d/init.d/vboxdrv)
Active: inactive (dead)

And see there’s not much info here either, so maybe you’ll try to load the module yourself to see what the problem is:

user@localhost:$ sudo modprobe -v vboxdrv
insmod /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

And then you’ll realize what the problem is: modprobe is complaining that a required key is not available, which actually means that the module is not signed and therefore cannot be loaded.

Now that you know what the problem is, the solution is quite simple; you just need to sign the module and make sure that the system recognizes the key as valid.

If you already have an X.509 key you can skip the key creation part and go directly to signing the module and enrolling the key. But if you don’t, you’ll need to generate a key to sign any third party module you want to install or any custom module you use.

Creating an X.509 Key Pair to sign the driver is easy:

user@localhost:$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Akrog/"

In the above command, replace MOK with the name of the file you want for the key and Akrog with the Common Name you want to use. It’s usually the organization that signs it.

Now you just need to sign the driver, but where’s the driver located?

user@localhost:$ modinfo vboxdrv
filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
version: 4.3.14 (0x001a0007)
license: GPL
description: Oracle VM VirtualBox Support Driver
author: Oracle Corporation
srcversion: 6284D16B33B2564B26EFAB2
depends:
vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
parm: force_async_tsc:force the asynchronous TSC mode (int)

Now we’ll proceed to sign the module using modinfo to locate the driver:

user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

user@localhost:$ modinfo vboxdrv
filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
version: 4.3.14 (0x001a0007)
license: GPL
description: Oracle VM VirtualBox Support Driver
author: Oracle Corporation
srcversion: 6284D16B33B2564B26EFAB2
depends:
vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
signer: Akrog
sig_key: D5:D3:E2:00:89:07:A7:CE:BC:89:14:78:0B:D2:9B:03:FE:CC:21:4B
sig_hashalgo: sha256
parm: force_async_tsc:force the asynchronous TSC mode (int)

We have confirmed that the module has been signed.

To enroll the public key in the MOK (Module owned Key) your UEFI partition must have MokManager.efi installed.

Now we have to manually add the public key to shim’s MOK list:

user@localhost:$ mokutil --import MOK.der

Now you just need to reboot and follow the screen menus that will appear during the UEFI boot to enroll the new key. This is a persistent operation, so you’ll only need to do this once.

When you have finished booting you can check that the key is in the system:

user@localhost:$ keyctl list %:.system_keyring
112560593: ---lswrv 0 0 asymmetric: Fedora kernel signing key: e948c9015e04bd4cd5879fe2f9230a1d70859c7d
489921950: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
98641885: ---lswrv 0 0 asymmetric: Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b
525156767: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
1001714488: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53

And that it was EFI that loaded it:

user@localhost:$ dmesg | grep 'EFI: Loaded cert'
[ 0.456158] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring'
[ 0.456194] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring'
[ 0.457111] EFI: Loaded cert 'Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b' linked to '.system_keyring'
[ 0.457768] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring'

Now vboxdrv should be loaded and ready to run your VMs.

For a more detailed description of the process of signing kernel modules you can check Red Hat’s documentation here.

If you read the VirtualBox ticket regarding this issue you’ll see they wash their hands of the matter, saying: “This is not really a VirtualBox bug. Oracle cannot sign kernel modules using the Fedora key”.
I for one believe that this is a bug in the installation, as they could easily see if the installation is running on a BIOS or EFI/UEFI system (checking for the /sys/firmware/efi directory) and whether Secure Boot is enabled or not (checking the efivar SecureBoot), and if it’s enabled, request a key to sign the driver or ask you if you want to create one and have it inserted in the MOK automatically.

Now, for VMware Player it’s mostly the same as what we’ve just done for VirtualBox.
After downloading the bundle and running the installer you still won’t be able to run VMs.

user@localhost:$ sudo sh VMware-Player-6.0.3-1895310.x86_64.bundle

You’ll get an error when trying to run a VM:

Error when trying to run VM: Could not open /dev/vmmon: No such file or directory. Please make sure that the kernel module `vmmon' is loaded.

With VMware you’ll have two modules with this problem, vmmon and vmnet, so you’ll have to sign them both:

user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)

user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)
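Pulling the steps above together, here is a small POSIX shell helper (an added example, not code from this post, Oracle or VMware) that implements the EFI and Secure Boot checks suggested earlier and signs a module by name with the MOK pair generated above, refusing to continue silently when the key material is missing or sign-file fails. It assumes the Fedora paths used in the post (sign-file under /usr/src/kernels/$(uname -r)/scripts; MOK.priv and MOK.der in a directory you pass in); `module_is_signed` relies on the fixed 28-byte "~Module signature appended~" trailer that the kernel's sign-file appends to the .ko, so it works even on kernels where modinfo prints no signer field.

```shell
#!/bin/sh
# Added example, not from the original post. Paths follow the Fedora
# layout the post uses; adjust SIGN_FILE for other distributions.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
SIGN_FILE="/usr/src/kernels/$(uname -r)/scripts/sign-file"

# EFI vs. legacy BIOS boot: the /sys/firmware/efi check suggested in the post.
booted_via_efi() { [ -d /sys/firmware/efi ]; }

# Secure Boot state from the SecureBoot efivar: 4 attribute bytes followed by
# the 1-byte value, 1 = enabled. $1 optionally overrides the path (for tests).
secureboot_enabled() {
    var="${1:-$SB_VAR}"
    [ -r "$var" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

# sign-file appends the signature plus the fixed trailer
# "~Module signature appended~\n" (28 bytes) to the .ko; test for that
# trailer instead of trusting modinfo, which may omit signer/sig_key.
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "~Module signature appended~" ]
}

# Sign one module (by name) with MOK.priv/MOK.der from directory $1, failing
# loudly instead of leaving an unsigned module that modprobe later rejects.
sign_module() {
    keydir="$1" mod="$2"
    ko="$(modinfo -n "$mod")" || { echo "unknown module: $mod" >&2; return 1; }
    [ -x "$SIGN_FILE" ] || { echo "missing sign-file: $SIGN_FILE" >&2; return 1; }
    for f in "$keydir/MOK.priv" "$keydir/MOK.der"; do
        [ -r "$f" ] || { echo "missing key material: $f" >&2; return 1; }
    done
    if module_is_signed "$ko"; then
        echo "$mod already signed"; return 0
    fi
    "$SIGN_FILE" sha256 "$keydir/MOK.priv" "$keydir/MOK.der" "$ko" || return 1
    module_is_signed "$ko" || { echo "$ko: no signature appended" >&2; return 1; }
    echo "signed $ko"
}

# Example run (as root, after the key has been enrolled with mokutil):
# for m in vboxdrv vboxnetadp vboxnetflt vboxpci vmmon vmnet; do
#     sign_module /root/mok "$m" || exit 1
# done
```

Keep MOK.priv readable only by root, since anything signed with it will be accepted by the kernel once MOK.der is enrolled.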

PS: I use Fedora 20, but what I’ve written in the post applies to any Linux distribution using the EFI shim for UEFI boot.



16 thoughts on “VBox & VMware in SecureBoot Linux”

  • Kim Westlund

    Seems like signing vboxdrv was only a part of the problem. I ended up signing all VirtualBox drivers located in “/usr/lib/modules/$(uname -r)/extra/VirtualBox/”.

  • Daniel Helgenberger

    Thanks, great article! I confirm this works flawlessly with Fedora 21, using stock VirtualBox 4.3.20 from the Oracle site.

    I think two things are worth mentioning:

    – The password, which was needed in the mokutil --import step and then again in MOK.efi

    – Since stock VirtualBox has to rebuild the module (via dkms I think) for each kernel, the signing procedure has to be redone on every kernel update

    Since this is quite cheap to do it might be a good idea to put this step as PreExec in the vboxdrv.service unit.

    • Daniel Helgenberger

      Toying with the idea I went changing the init.d file to add an option called ‘modsign’. This should keep compatibility with other Linux systems as long as Oracle does not provide a unit file. The function is also called in the setup function which should pretty much automate the process. Also, Kim was right; signing only the vboxdrv module is not enough, so all modules will be signed.

      Call the function directly:

      
      /etc/init.d/vboxdrv modsign 
      

      This patch assumes you followed the above guide. Do not forget to set the BASEDIR variable to point to the certificates.

      
      $ md5sum /etc/init.d/vboxdrv 
      1188b035877eebcfd07257e9f2aaede9  vboxdrv #check for correct init.d file prior to patching
      $ patch /etc/init.d/vboxdrv < vboxdrv.patch
      $ cat vboxdrv.patch
      
      
      --- vboxdrv	2015-01-22 11:59:14.429107239 +0100
      +++ /etc/init.d/vboxdrv	2015-01-22 11:56:25.114590812 +0100
      @@ -150,6 +150,20 @@
           exit 0
       }
       
      +mod_sign()
      +{
      +    BASEDIR= #set directory containing certificates
      +    for i in vboxdrv vboxnetadp vboxnetflt vboxpci; do
      +      if [ -z "$(modinfo $i|grep signer)" ]; then
      +        /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 "$BASEDIR/MOK.priv" "$BASEDIR/MOK.der" $(modinfo -n $i)
      +        echo Signed module $i
      +      else 
      +        echo Module $i alreday signed
      +     fi
      +   done
      +}
      +
      +
       running()
       {
           lsmod | grep -q "$1[^_-]"
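Review bot: mod_sign() never checks that BASEDIR is set or that the key files exist, and it ignores sign-file's exit status, so with the shipped `BASEDIR= #set directory containing certificates` it calls sign-file on "/MOK.priv", prints "Signed module $i" regardless, and the module stays unsigned. Suggest `[ -r "$BASEDIR/MOK.priv" ] || { echo "MOK key not found in BASEDIR" >&2; return 1; }` before the loop and `... $(modinfo -n $i) || return 1` on the sign-file line. The already-signed test `[ -z "$(modinfo $i|grep signer)" ]` also relies on modinfo printing a signer field, which two commenters on this page report it no longer does on Fedora 23 kernels, so it will re-sign on every run there. Since this runs as root from an init script, keep MOK.priv in BASEDIR readable only by root. Typo "alreday" in the else branch.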
      @@ -358,6 +372,7 @@
           fi
           rm -f /etc/vbox/module_not_compiled
           succ_msg
      +    mod_sign
           start
       }
       
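Review bot: the `mod_sign` call inserted between `succ_msg` and `start` discards its return status, so a failed signing (unset BASEDIR, missing key, sign-file error) still falls through to `start`, and the user ends up with the same opaque "modprobe vboxdrv failed" message the post opens with. Suggest `mod_sign || { echo "module signing failed" >&2; exit 1; }` so setup stops at the signing step with a message that names it.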
      @@ -414,12 +429,18 @@
       setup)
           setup
           ;;
      +modsign)
      +   mod_sign
      +   ;;
       status)
           dmnstatus
           ;;
       *)
      -    echo "Usage: $0 {start|stop|stop_vms|restart|force-reload|status|setup}"
      +    echo "Usage: $0 {start|stop|stop_vms|restart|force-reload|status|setup|modsign}"
           exit 1
       esac
       
       exit 0
      +
      +
      +
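Review bot: the new `modsign)` case is indented with three spaces where the neighbouring `setup)` and `status)` cases use four, and the three trailing `+` blank lines after `exit 0` are pure whitespace churn; drop them. Updating the usage string is right, but since the case gives no hint when BASEDIR is empty, consider noting in the usage text or a comment that `modsign` requires BASEDIR to be set in the script first.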
      
  • Ehsan

    Hi, Thanks for great post.
    I followed your post but it didn’t work for me on fedora 23 with kernel 4.3.4-300.fc23.x86_64.

    # keyctl list %:.system_keyring
    7 keys in keyring:
    378468587: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
    276786744: ---lswrv 0 0 asymmetric: Fedora kernel signing key: 9329eed1ece2058ee04cca65fef80cf16c91c24c
    252471648: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
    152225754: ---lswrv 0 0 asymmetric: Akrog: e69de070606dfd8b941d1f9e1b5d8c6dc09cb0b1
    840838081: ---lswrv 0 0 asymmetric: VBoxCN: d7aa44fb776ffae49ae7375f6910a6d3aeb13f90
    778484261: ---lswrv 0 0 asymmetric: Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949
    309323950: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
    # dmesg | grep 'EFI: Loaded cert'
    [ 0.527812] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring'
    [ 0.527824] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring'
    [ 0.527830] EFI: Loaded cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949' linked to '.system_keyring'
    [ 0.528183] EFI: Loaded cert 'VBoxCN: d7aa44fb776ffae49ae7375f6910a6d3aeb13f90' linked to '.system_keyring'
    [ 0.528363] EFI: Loaded cert 'Akrog: e69de070606dfd8b941d1f9e1b5d8c6dc09cb0b1' linked to '.system_keyring'
    [ 0.528552] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring'

    But when I try to setup the vboxdrv it fails.

    # KERN_DIR=/usr/src/kernels/`uname -r`
    # export KERN_DIR
    # /usr/lib/virtualbox/vboxdrv.sh setup
    Stopping VirtualBox kernel modules [ OK ]
    Uninstalling old VirtualBox DKMS kernel modules [ OK ]
    Trying to register the VirtualBox kernel modules using DKMS[ OK ]
    Starting VirtualBox kernel modules [FAILED]
    (modprobe vboxdrv failed. Please use 'dmesg' to find out why)

    I appreciate any support on this.

  • Øyvind Matheson Wergeland

    Excellent how-to! You saved my day!

    As Daniel Helgenberger has pointed out, you need a password when importing the key into UEFI.

    Additionally, when I ran modinfo after signing, the signing attributes were not included in the output, but the module did load after the key was imported nevertheless.

  • Eric D

    No longer appears to work for Fedora 23 (unless I am messing up this guide). I am able to complete all the steps except for signing the module (takes the command, zero errors, but does not end up showing key data via the “modinfo vboxdrv” command).

    [root@localhost /]# modinfo vboxdrv
    filename: /lib/modules/4.5.5-201.fc23.x86_64/extra/vboxdrv.ko
    version: 5.0.20 r106931 (0x00240000)
    license: GPL
    description: Oracle VM VirtualBox Support Driver
    author: Oracle Corporation
    srcversion: C981062BCBF028ED7F46777
    depends:
    vermagic: 4.5.5-201.fc23.x86_64 SMP mod_unload
    parm: force_async_tsc:force the asynchronous TSC mode (int)
    [root@localhost /]# keyctl list %:.system_keyring
    8 keys in keyring:
    1015322909: ---lswrv 0 0 asymmetric: ASUSTeK MotherBoard SW Key Certificate: da83b990422ebc8c441f8d8b039a65a2
    218767277: ---lswrv 0 0 asymmetric: Fedora kernel signing key: e546768ce7869b5a19bb3d480171653f24d0fb7b
    557227832: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
    37838208: ---lswrv 0 0 asymmetric: Akrog: 40570bb04be48d998d84b4495e22fc118c55eb2f
    956025025: ---lswrv 0 0 asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
    377040033: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
    634447511: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
    10459983: ---lswrv 0 0 asymmetric: ASUSTeK Notebook SW Key Certificate: b8e581e4df77a5bb4282d5ccfc00c071
    [root@localhost /]# modprobe -v vboxdrv
    insmod /lib/modules/4.5.5-201.fc23.x86_64/extra/vboxdrv.ko
    modprobe: ERROR: could not insert 'vboxdrv': Required key not available

    Fantastic guide! Not sure why Oracle does not fix this internally, as I have zero issues when using Vbox on Windows 10 using EFI/Secure Boot. Disabling Secure Boot is a poor workaround, not a solution; fix your stuff Oracle!

    • geguileo Post author

      I have just tested this on Fedora 23 and it’s working with some minor changes. I am publishing a new post with the updated version.

  • Jefferson Torres

    I tried to run the command “mokutil --import MOK.der” and it showed the following error: “Failed to enroll new keys”.
    How could I solve the problem?

    • Jefferson Torres

      I typed the following command: sudo mokutil --import MOK.der.
      After that I restarted the PC and followed the instructions to import the key.

      Now the problem is solved. Thank you for your help! This article solved my problem.