VBox & VMware in SecureBoot Linux 23


Kernel driver not installed (rc=-1908) The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there is a permission problem with /dev/vboxdrv. Please reinstall the kernel module by executing 'etc/init.d/vobxdrv setup' as root. If it is available in your distribution, you should install the DKMS package first. This package keeps track of Linux kernel changes and recompiles the vboxdrv kernel module if necessary.

2016-07-11: An updated version of this post has been published, we recommend reading it instead.

If you have a Linux system running in Secure Boot and you install VirtualBox or VMware player you will see, with some frustration, that you won’t be able to run any VMs.

This post also applies if you are running your system with module signature verification enabled (CONFIG_MODULE_SIG) even if it’s not running in Secure Boot.

I know this is an old issue, but I haven’t found any post that explains this properly, and most people sugest disabling Secure Boot as a solution and I find that to be a very poor solution, so here’s my 2 cents.

Earlier picture shows what you’ll see from the GUI, but if you run it from the console you’ll see:

user@localhost:$ virtualbox
WARNING: The vboxdrv kernel module is not loaded. Either there is no module
available for the current kernel (3.15.8-200.fc20.x86_64) or it failed to
load. Please recompile the kernel module and install it by

sudo /etc/init.d/vboxdrv setup

You will not be able to start VMs until this problem is fixed.

But probably even before that, when you installed VirtualBox you already had an error that you missed:

user@localhost:$ sudo yum localinstall VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64.rpm

Installing : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1

Creating group 'vboxusers'. VM users must be member of that group!

No precompiled module for this kernel found -- trying to build one. Messages
emitted during module compilation will be logged to /var/log/vbox-install.log.

Stopping VirtualBox kernel modules [ OK ]
Uninstalling old VirtualBox DKMS kernel modules [ OK ]
Trying to register the VirtualBox kernel modules using DKMS [ OK ]
Starting VirtualBox kernel modules [FAILED]
(modprobe vboxdrv failed. Please use 'dmesg' to find out why)
Verifying : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1

Installed:
VirtualBox-4.3.x86_64 0:4.3.14_95030_fedora18-1

You’ll realize that dmesg will not tell you much so you’ll probably check the vboxdrv service:

user@localhost:$ sudo systemctl status vboxdrv
vboxdrv.service - LSB: VirtualBox Linux kernel module
Loaded: loaded (/etc/rc.d/init.d/vboxdrv)
Active: inactive (dead)

And see there’s not much info here either, so maybe you’ll try to load the module yourself to see what the problem is:

user@localhost:$ sudo modprobe -v vboxdrv
insmod /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

And then you’ll realize what the problem is, modprobe is complaining about required key not being available. Which actually means that the module is not signed and therefore cannot be loaded.

Now that you know what the problem is, the solution is quite simple; you just need to sign the module and make sure that the system recognizes the key as valid.

If you already have a X.509 key you can skip the key creation part and go directly to signing the module and enrolling the key But if you don’t, you’ll need to generate a key to sign any third party module you want to install or any custom module you use.

Creating an X.509 Key Pair to sign the driver is easy:

user@localhost:$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Akrog/"

In the above command, replace MOK with the name of the file you want for the key and Akrog with the Common Name you want to use. It’s usually the organization that signs it.

Now you just need to sign the driver, but where’s the driver located?

user@localhost:$ modinfo vboxdrv
filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
version: 4.3.14 (0x001a0007)
license: GPL
description: Oracle VM VirtualBox Support Driver
author: Oracle Corporation
srcversion: 6284D16B33B2564B26EFAB2
depends:
vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
parm: force_async_tsc:force the asynchronous TSC mode (int)

Now we’ll proceed to sign the module using modinfo to locate the driver:

user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

user@localhost:$ modinfo vboxdrv
filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
version: 4.3.14 (0x001a0007)
license: GPL
description: Oracle VM VirtualBox Support Driver
author: Oracle Corporation
srcversion: 6284D16B33B2564B26EFAB2
depends:
vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
signer: Akrog
sig_key: D5:D3:E2:00:89:07:A7:CE:BC:89:14:78:0B:D2:9B:03:FE:CC:21:4B
sig_hashalgo: sha256
parm: force_async_tsc:force the asynchronous TSC mode (int)

We have confirmed that the module has been signed.

To enroll the public key in the MOK (Module owned Key) your UEFI partition must have MokManager.efi installed.

Now we have to manually add the public key to shim’s MOK list:

user@localhost:$ mokutil --import MOK.der

Now you just need to reboot and follow the screen menus that will appear during the UEFI boot to enroll the new key. This is a persisten operation, so you’ll only need to do this once.

When you have finished booting you can check that the key is in the system:

user@localhost:$ keyctl list %:.system_keyring
112560593: ---lswrv 0 0 asymmetric: Fedora kernel signing key: e948c9015e04bd4cd5879fe2f9230a1d70859c7d
489921950: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
98641885: ---lswrv 0 0 asymmetric: Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b
525156767: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
1001714488: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53

And that it was EFI who loaded it:

user@localhost:$ dmesg | grep 'EFI: Loaded cert'
[ 0.456158] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring'
[ 0.456194] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring'
[ 0.457111] EFI: Loaded cert 'Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b' linked to '.system_keyring'
[ 0.457768] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring'

Now vboxdrv should be loaded and ready to run your VMs.

For a more detailed description of the process of signing kernel modules you can check Red Hat’s documentation here.

If you read VirtualBox ticket regarding this issue you’ll see they wash their hands on the matter saying: “This is not really a VirtualBox bug. Oracle cannot sign kernel modules using the Fedora key”.
I for one believe that this is a bug in the installation, as they could easilly see if the installation is running on a BIOS or EFI/UEFI system (checking for /sys/firmware/efi directory) and whether Secure Boot is enabled or not (checking the efivar SecureBoot) and if it’s enable request a key to sign the driver or ask you if you want to create one and have it inserted it in the MOK automatically.

Now, for VMware Player is mostly the same as we’ve just done for VirtualBox.
After downloading the bundle and running the install you still won’t be able to run VMs.

user@localhost:$ sudo sh VMware-Player-6.0.3-1895310.x86_64.bundle

You’ll get an error when trying to run a VM:

Error when trying to run VM:    Could not open /dev/vmmon: No such file or directory.    Please make sure that the kernel module `vmmon' is loaded.

With VMware you’ll have 2 modules with this problem, vmmon and vmnet. So you’ll have to sign them both:

user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmmon)

user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vmnet)

PS: I use Fedora 20, but what I’ve written in the post applies to any Linux using EFI shim for UEFI boot.