- I had the same problem. After searching for a solution for days, I finally found an easy fix here: "gorka(dot)eguileor(dot)com(slash)vbox-vmware-in-secureboot-linux" (sorry can't fully post the link as I'm a new member)
- If you have a Linux system running in Secure Boot and you install VirtualBox or VMware player you will see, with some frustration, that you won’t be able to run any VMs. I haven’t found any post that explains this properly, and most people suggest disabling Secure Boot as a solution and I find that to be a very poor solution, so here’s my 2 cents. Earlier picture shows what you’ll see from the GUI, but if you run it from the console you’ll see:
- user@localhost:$ virtualbox
- WARNING: The vboxdrv kernel module is not loaded. Either there is no module
- available for the current kernel (3.15.8-200.fc20.x86_64) or it failed to
- load. Please recompile the kernel module and install it by
- sudo /etc/init.d/vboxdrv setup
- You will not be able to start VMs until this problem is fixed.
- But probably even before that, when you installed VirtualBox you already had an error that you missed:
- user@localhost:$ sudo yum localinstall VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64.rpm
- Installing : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1
- Creating group 'vboxusers'. VM users must be member of that group!
- No precompiled module for this kernel found -- trying to build one. Messages
- emitted during module compilation will be logged to /var/log/vbox-install.log.
- Stopping VirtualBox kernel modules [ OK ]
- Uninstalling old VirtualBox DKMS kernel modules [ OK ]
- Trying to register the VirtualBox kernel modules using DKMS [ OK ]
- Starting VirtualBox kernel modules [FAILED]
- (modprobe vboxdrv failed. Please use 'dmesg' to find out why)
- Verifying : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1
- Installed:
- VirtualBox-4.3.x86_64 0:4.3.14_95030_fedora18-1
- You’ll realize that dmesg will not tell you much so you’ll probably check the vboxdrv service:
- user@localhost:$ sudo systemctl status vboxdrv
- vboxdrv.service - LSB: VirtualBox Linux kernel module
- Loaded: loaded (/etc/rc.d/init.d/vboxdrv)
- Active: inactive (dead)
- And see there’s not much info here either, so maybe you’ll try to load the module yourself to see what the problem is:
- user@localhost:$ sudo modprobe -v vboxdrv
- insmod /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
- modprobe: ERROR: could not insert 'vboxdrv': Required key not available
- And then you’ll realize what the problem is: modprobe is complaining that a required key is not available, which actually means that the module is not signed and therefore cannot be loaded.
- Now that you know what the problem is, the solution is quite simple; you just need to sign the module and make sure that the system recognizes the key as valid. If you already have an X.509 key you can skip the key creation part and go directly to signing the module and enrolling the key. But if you don’t, you’ll need to generate a key to sign any third party module you want to install or any custom module you use.
- Creating an X.509 Key Pair to sign the driver is easy:
- user@localhost:$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Akrog/"
- In the above command, replace MOK with the name of the file you want for the key and Akrog with the Common Name you want to use. It’s usually the organization that signs it.
- Now you just need to sign the driver, but where’s the driver located?
- user@localhost:$ modinfo vboxdrv
- filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
- version: 4.3.14 (0x001a0007)
- license: GPL
- description: Oracle VM VirtualBox Support Driver
- author: Oracle Corporation
- srcversion: 6284D16B33B2564B26EFAB2
- depends:
- vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
- parm: force_async_tsc:force the asynchronous TSC mode (int)
- Now we’ll proceed to sign the module using modinfo to locate the driver:
- user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
- user@localhost:$ modinfo vboxdrv
- filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
- version: 4.3.14 (0x001a0007)
- license: GPL
- description: Oracle VM VirtualBox Support Driver
- author: Oracle Corporation
- srcversion: 6284D16B33B2564B26EFAB2
- depends:
- vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
- signer: Akrog
- sig_key: D5:D3:E2:00:89:07:A7:CE:BC:89:14:78:0B:D2:9B:03:FE:CC:21:4B
- sig_hashalgo: sha256
- parm: force_async_tsc:force the asynchronous TSC mode (int)
- PS: on Ubuntu 16 you have to use:
- sudo /usr/src/linux-headers-4.4.0-21-generic/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/4.4.0-21-generic/updates/dkms/vboxdrv.ko
- We have confirmed that the module has been signed.
- To enroll the public key in the MOK (Module owned Key) your UEFI partition must have MokManager.efi installed.
- Now we have to manually add the public key to shim’s MOK list:
- user@localhost:$ sudo mokutil --import MOK.der
- Now you just need to reboot and follow the screen menus that will appear during the UEFI boot to enroll the new key (on Ubuntu 16 it's automatic, it seems).
- This is a persistent operation, so you’ll only need to do this once.
- When you have finished booting you can check that the key is in the system:
- user@localhost:$ sudo keyctl list %:.system_keyring
- 112560593: ---lswrv 0 0 asymmetric: Fedora kernel signing key: e948c9015e04bd4cd5879fe2f9230a1d70859c7d
- 489921950: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
- 98641885: ---lswrv 0 0 asymmetric: Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b
- 525156767: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
- 1001714488: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
- And that it was EFI who loaded it:
- user@localhost:$ dmesg | grep Loaded
- [ 0.456158] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring'
- [ 0.456194] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring'
- [ 0.457111] EFI: Loaded cert 'Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b' linked to '.system_keyring'
- [ 0.457768] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring'
- Now vboxdrv should be loaded and ready to run your VMs.
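
Added example (not part of the original post or the linked article): enrolling the key is a one-time step, but the signature is stored in the .ko file itself, so a module rebuilt for a new kernel has to be signed again. The script below signs only modules that lack the signature trailer and refuses a private key that group or others can read. The function names and the SIGN_FILE override are assumptions of this example; on Ubuntu, set SIGN_FILE to the sign-file path under linux-headers shown in the PS above.

```sh
#!/bin/sh
# Added example, not from the original post. Re-signs rebuilt modules with the
# MOK.priv / MOK.der pair created above. Function names and the SIGN_FILE
# override are assumptions made for this example.
SIGN_FILE=${SIGN_FILE:-/usr/src/kernels/$(uname -r)/scripts/sign-file}
MAGIC='~Module signature appended~'   # trailer (plus newline) ending a signed .ko
MAGIC_HEX=$(printf '%s\n' "$MAGIC" | od -An -tx1 | tr -d ' \n')

# is_signed FILE: 0 if FILE ends with the 28-byte signature trailer.
# This detects that a signature is attached; it does not validate it.
is_signed() {
    [ -f "$1" ] || return 2
    [ "$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')" = "$MAGIC_HEX" ]
}

# key_is_private FILE: 0 if group and others have no access to the key file.
# The openssl command above uses -nodes, so the key is stored unencrypted.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# sign_modules KEY CERT MODULE...: sign every module that lacks a trailer.
# Sets SIGNED_COUNT to the number of modules signed in this run.
sign_modules() {
    key=$1; cert=$2; shift 2
    SIGNED_COUNT=0
    key_is_private "$key" || { echo "refusing: $key is readable by group/others" >&2; return 1; }
    for mod in "$@"; do
        if is_signed "$mod"; then
            echo "already signed: $mod"
            continue
        fi
        "$SIGN_FILE" sha256 "$key" "$cert" "$mod" || return 1
        is_signed "$mod" || { echo "no signature trailer after signing: $mod" >&2; return 1; }
        SIGNED_COUNT=$((SIGNED_COUNT + 1))
        echo "signed: $mod"
    done
}

# Example: sudo sh resign.sh ./MOK.priv ./MOK.der "$(modinfo -n vboxdrv)"
if [ "$#" -ge 3 ]; then
    sign_modules "$@"
fi
```

Run `chmod 600 MOK.priv` first, and confirm the result with `modinfo`, which shows the `signer` field as in the output above.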