If you have a Linux system booted with Secure Boot enabled and you install VirtualBox or VMware Player, you will find, with some frustration, that you won’t be able to run any VMs.
This post also applies if your kernel enforces module signatures (CONFIG_MODULE_SIG_FORCE, or module.sig_enforce=1 on a CONFIG_MODULE_SIG kernel) even if it’s not booted in Secure Boot.
This is an old issue, and I’ve already written about it in another post almost 2 years ago, but at this point some degree of imagination is needed to follow that guide successfully, so I have finally decided to update it. The reason why it took me so long to update the post is that I haven’t had VirtualBox or VMware Player installed for quite a long time.
To install VirtualBox we’ll use the repository:
The picture above shows what you’ll see from the GUI, but if you run it from the console you’ll see:
WARNING: The vboxdrv kernel module is not loaded. Either there is no module
available for the current kernel (4.5.7-202.fc23.x86_64) or it failed to
load. Please recompile the kernel module and install it by
sudo /sbin/rcvboxdrv setup
You will not be able to start VMs until this problem is fixed.
Now we have to build the VirtualBox kernel modules for the running kernel:
Checking kmods exist for 4.5.7-202.fc23.x86_64 [ OK ]
If we try to load any of these modules we’ll see the main problem:
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
And then you’ll realize what the problem is: modprobe is complaining that the required key is not available. That means the module is either unsigned or signed with a key the kernel does not trust, and since signatures are enforced it cannot be loaded.
Now that you know what the problem is, the solution is quite simple; you just need to sign the module and make sure that the system recognizes the key as valid.
If you already have an X.509 key pair you can skip the key creation part and go directly to signing the modules and enrolling the key. But if you don’t, you’ll need to generate one to sign any third-party module you want to install or any custom module you use.
Creating an X.509 Key Pair to sign the driver is easy:
In the above command, replace MOK with the name of the file you want for the key and Akrog with the Common Name you want to use. It’s usually the organization that signs it, but you can write whatever you like, although I recommend a meaningful name, as it will show up in the system’s keyring. Keep the private key (MOK.priv) readable only by root: anyone who can read it can sign modules your kernel will load.
VirtualBox uses multiple kernel modules and we need to sign them all. In my previous post I went into a little bit more detail, but I think it’s enough to say that we need to get the location of the modules using modinfo and then sign them using the kernel’s sign-file script like this:
If you don’t feel comfortable with that script you can do it manually, but be careful, as modules may be added to or removed from the dirname $(modinfo -n vboxdrv) directory between versions:
user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxguest)
user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetadp)
user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetflt)
user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxpci)
user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxsf)
user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxvideo)
Modinfo no longer displays module signed information, so we’ll have to trust that this has worked.
To enroll the public key in the MOK (Machine Owner Key) list, your EFI System Partition must have MokManager.efi installed. You can check this running
Now we have to manually queue the public key for shim’s MOK list, and we’ll be asked for a password that will be used during the next UEFI boot to enroll the new key, so make sure you remember it at least until then ;-):
input password again:
Failed to write MokAuth
Failed to unset MokNew
Despite the errors I got it seems to work just fine.
What we’ve done with this is request that MokManager insert a new key, but it hasn’t been inserted yet, so we need to reboot and follow the enrollment process, which is quite straightforward: press a key to start the process if you are asked to, select “Enroll MOK”, then “Continue”, then “Yes”, type the password you chose above, and the key has been inserted. The key is stored in a UEFI variable, so this is a persistent operation and you’ll only need to do it once. The modules, on the other hand, have to be signed again every time they are rebuilt for a new kernel.
When you have finished booting you can easily check that the key is in the system keyring using the CN we used when creating the X.509 key:
112560593: ---lswrv 0 0 asymmetric: Fedora kernel signing key: e948c9015e04bd4cd5879fe2f9230a1d70859c7d
489921950: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
98641885: ---lswrv 0 0 asymmetric: Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b
525156767: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
1001714488: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
And, in dmesg, that it was loaded from the EFI variables at boot:
[ 0.456158] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring'
[ 0.456194] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring'
[ 0.457111] EFI: Loaded cert 'Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b' linked to '.system_keyring'
[ 0.457768] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring'
Now you should be able to run VirtualBox VMs without problem.
For a more detailed description of the process of signing kernel modules you can check Red Hat’s documentation here.
If you read the VirtualBox ticket regarding this issue you’ll see they wash their hands of the matter, saying: “This is not really a VirtualBox bug. Oracle cannot sign kernel modules using the Fedora key”.
I for one believe that this is a bug in the installation, as they could easily see if the installation is running on a BIOS or EFI/UEFI system (checking for the /sys/firmware/efi directory) and whether Secure Boot is enabled or not (checking the SecureBoot efivar), and if it’s enabled request a key to sign the driver, or ask you if you want to create one and have it inserted in the MOK automatically.
VMware signing should be very similar; unfortunately I cannot check it because the installer won’t work when you have KVM running, as is my case, and even when I disabled the KVM modules temporarily and was able to install it, the module compilation using vmware-modconfig wouldn’t work as it should. So I’ll assume we have VMware Player installed and the kernel modules compiled.
For those fighting the VMware installation, it’s worth mentioning that in the older post Pipio was having trouble with VMware and this post in the message board helped in the resolution of the problem.
The last time I ran VMware without signed kernel modules the error that was displayed was this:
So for VMware the signing would be like for VirtualBox, but replacing vboxdrv with vmmon like this:
Ubuntu seems to need a slightly different script (thanks Kinnaird McQuade):
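The following script is an added example and is not the post’s own script nor anything shipped by VirtualBox, VMware or Fedora. It ties together the key creation, signing, verification and enrollment steps above in one place, takes the module name as an argument so the same script serves the VirtualBox case (vboxdrv) and the VMware case (vmmon), and looks for sign-file under /usr/src/linux-headers-$(uname -r) as well as /usr/src/kernels/$(uname -r), which is the difference that matters on Ubuntu. The CN "Akrog" is reused from the post and is an assumption you should change; the openssl invocation is the standard one for a self-signed MOK certificate. Instead of trusting that sign-file worked, it checks for the "~Module signature appended~" trailer that the kernel’s signing code appends to every signed module.

```shell
#!/bin/sh
# sign-kmods.sh (added example, not from the post): sign every module that
# lives next to a given module (vboxdrv for VirtualBox, vmmon for VMware)
# with a Machine Owner Key, verify the signature trailer, and queue the
# certificate for enrollment with mokutil. Run as root on Fedora or Ubuntu:
#   ./sign-kmods.sh vboxdrv
set -eu

MOK_KEY=${MOK_KEY:-./MOK.priv}
MOK_CERT=${MOK_CERT:-./MOK.der}
MOK_CN=${MOK_CN:-Akrog}   # assumption: CN reused from the post, change it

# Every signed module ends with this marker (include/linux/module_signature.h),
# followed by a newline: 28 bytes in total.
SIG_MAGIC='~Module signature appended~'

# Fedora ships sign-file in kernel-devel, Ubuntu in linux-headers-$(uname -r).
find_sign_file() {
    for d in "/usr/src/kernels/$(uname -r)" \
             "/usr/src/linux-headers-$(uname -r)" \
             "/lib/modules/$(uname -r)/build"; do
        if [ -x "$d/scripts/sign-file" ]; then
            echo "$d/scripts/sign-file"
            return 0
        fi
    done
    echo "sign-file not found: install kernel-devel or linux-headers-$(uname -r)" >&2
    return 1
}

# Secure Boot state straight from the efivar the post mentions; efivarfs
# files carry 4 bytes of attributes before the 1-byte value.
secure_boot_enabled() {
    v=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [ -r "$v" ] && [ "$(od -An -t u1 -j 4 -N 1 "$v" | tr -d ' ')" = 1 ]
}

# Create the key pair once: PEM private key for sign-file, DER certificate
# for both sign-file and mokutil.
make_key() {
    [ -f "$MOK_KEY" ] && [ -f "$MOK_CERT" ] && return 0
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=$MOK_CN/" -keyout "$MOK_KEY" -outform DER -out "$MOK_CERT"
    chmod 600 "$MOK_KEY"
}

# True if the file already carries a module-signature trailer.
module_is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "$SIG_MAGIC" ]
}

# Sign all uncompressed .ko files in the directory of the named module and
# fail loudly if a signature did not get appended.
sign_siblings_of() {
    mod=$1
    sf=$(find_sign_file)
    dir=$(dirname "$(modinfo -n "$mod")")
    for ko in "$dir"/*.ko; do
        if module_is_signed "$ko"; then
            echo "already signed: $ko"
            continue
        fi
        "$sf" sha256 "$MOK_KEY" "$MOK_CERT" "$ko"
        module_is_signed "$ko" || { echo "signing failed: $ko" >&2; return 1; }
        echo "signed: $ko"
    done
}

# Queue the certificate for MokManager unless shim already trusts it.
enroll_cert() {
    if mokutil --test-key "$MOK_CERT" 2>/dev/null | grep -q 'already enrolled'; then
        echo "$MOK_CERT is already enrolled"
    else
        echo "Enrolling $MOK_CERT: choose a one-time password, then reboot"
        mokutil --import "$MOK_CERT"
    fi
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    if secure_boot_enabled; then
        echo "Secure Boot: enabled"
    else
        echo "Secure Boot: disabled or BIOS boot (signatures may still be enforced)"
    fi
    make_key
    sign_siblings_of "$1"
    enroll_cert
}

# Only run when a module name is given, so the file can also be sourced.
if [ "$#" -ge 1 ]; then main "$1"; fi
```

Two caveats when using it: the script only handles plain .ko files, so on distributions that compress modules (.ko.xz or .ko.zst) you have to decompress, sign and recompress; and on newer kernels the MOK certificate shows up in the .platform or .machine keyring rather than .system_keyring, so check those with keyctl if the grep above finds nothing.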
PS: I used Fedora 23, but the signing process should work on any Linux distribution that boots through shim under UEFI Secure Boot.