API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Apr 1st, 2019
701
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.76 KB | None | 0 0
raw download clone embed print report
  1. I had the same problem. After searching for a solution for days, I finally found an easy fix here: "gorka(dot)eguileor(dot)com(slash)vbox-vmware-in-secureboot-linux" (sorry can't fully post the link as I'm a new member)
  2.  
  3. If you have a Linux system running in Secure Boot and you install VirtualBox or VMware player you will see, with some frustration, that you won’t be able to run any VMs. I haven’t found any post that explains this properly, and most people suggest disabling Secure Boot as a solution and I find that to be a very poor solution, so here’s my 2 cents. Earlier picture shows what you’ll see from the GUI, but if you run it from the console you’ll see:
  4.  
  5. user@localhost:$ virtualbox
  6. WARNING: The vboxdrv kernel module is not loaded. Either there is no module
  7. available for the current kernel (3.15.8-200.fc20.x86_64) or it failed to
  8. load. Please recompile the kernel module and install it by
  9.  
  10. sudo /etc/init.d/vboxdrv setup
  11.  
  12. You will not be able to start VMs until this problem is fixed.
  13.  
  14.  
  15.  
  16. But probably even before that, when you installed VirtualBox you already had an error that you missed:
  17.  
  18. user@localhost:$ sudo yum localinstall VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64.rpm
  19.  
  20. Installing : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1
  21.  
  22. Creating group 'vboxusers'. VM users must be member of that group!
  23.  
  24. No precompiled module for this kernel found -- trying to build one. Messages
  25. emitted during module compilation will be logged to /var/log/vbox-install.log.
  26.  
  27. Stopping VirtualBox kernel modules [ OK ]
  28. Uninstalling old VirtualBox DKMS kernel modules [ OK ]
  29. Trying to register the VirtualBox kernel modules using DKMS [ OK ]
  30. Starting VirtualBox kernel modules [FAILED]
  31. (modprobe vboxdrv failed. Please use 'dmesg' to find out why)
  32. Verifying : VirtualBox-4.3-4.3.14_95030_fedora18-1.x86_64 1/1
  33.  
  34. Installed:
  35. VirtualBox-4.3.x86_64 0:4.3.14_95030_fedora18-1
  36.  
  37.  
  38.  
  39. You’ll realize that dmesg will not tell you much so you’ll probably check the vboxdrv service:
  40.  
  41. user@localhost:$ sudo systemctl status vboxdrv
  42. vboxdrv.service - LSB: VirtualBox Linux kernel module
  43. Loaded: loaded (/etc/rc.d/init.d/vboxdrv)
  44. Active: inactive (dead)
  45.  
  46.  
  47.  
  48. And see there’s not much info here either, so maybe you’ll try to load the module yourself to see what the problem is:
  49.  
  50. user@localhost:$ sudo modprobe -v vboxdrv
  51. insmod /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
  52. modprobe: ERROR: could not insert 'vboxdrv': Required key not available
  53.  
  54.  
  55.  
  56. And then you’ll realize what the problem is, modprobe is complaining about required key not being available. Which actually means that the module is not signed and therefore cannot be loaded.
  57.  
  58. Now that you know what the problem is, the solution is quite simple; you just need to sign the module and make sure that the system recognizes the key as valid. If you already have a X.509 key you can skip the key creation part and go directly to signing the module and enrolling the key But if you don’t, you’ll need to generate a key to sign any third party module you want to install or any custom module you use.
  59.  
  60. Creating an X.509 Key Pair to sign the driver is easy:
  61.  
  62. user@localhost:$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Akrog/"
  63.  
  64.  
  65. In the above command, replace MOK with the name of the file you want for the key and Akrog with the Common Name you want to use. It’s usually the organization that signs it.
  66.  
  67. Now you just need to sign the driver, but where’s the driver located?
  68.  
  69. user@localhost:$ modinfo vboxdrv
  70. filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
  71. version: 4.3.14 (0x001a0007)
  72. license: GPL
  73. description: Oracle VM VirtualBox Support Driver
  74. author: Oracle Corporation
  75. srcversion: 6284D16B33B2564B26EFAB2
  76. depends:
  77. vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
  78. parm: force_async_tsc:force the asynchronous TSC mode (int)
  79.  
  80.  
  81.  
  82. Now we’ll proceed to sign the module using modinfo to locate the driver:
  83.  
  84. user@localhost:$ sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
  85.  
  86. user@localhost:$ modinfo vboxdrv
  87. filename: /lib/modules/3.15.8-200.fc20.x86_64/extra/vboxdrv.ko
  88. version: 4.3.14 (0x001a0007)
  89. license: GPL
  90. description: Oracle VM VirtualBox Support Driver
  91. author: Oracle Corporation
  92. srcversion: 6284D16B33B2564B26EFAB2
  93. depends:
  94. vermagic: 3.15.8-200.fc20.x86_64 SMP mod_unload
  95. signer: Akrog
  96. sig_key: D5:D3:E2:00:89:07:A7:CE:BC:89:14:78:0B:D2:9B:03:FE:CC:21:4B
  97. sig_hashalgo: sha256
  98. parm: force_async_tsc:force the asynchronous TSC mode (int)
  99.  
  100.  
  101.  
  102. PS: on ubuntu 16 you have to use:
  103.  
  104. sudo /usr/src/linux-headers-4.4.0-21-generic/scripts/sign-file sha256 ./MOK.priv ./MOK.der /lib/modules/4.4.0-21-generic/updates/dkms/vboxdrv.ko
  105.  
  106.  
  107.  
  108. We have confirmed that the module has been signed.
  109.  
  110. To enroll the public key in the MOK (Module owned Key) your UEFI partition must have MokManager.efi installed.
  111.  
  112. Now we have to manually add the public key to shim’s MOK list:
  113.  
  114. user@localhost:$ sudo mokutil --import MOK.der
  115.  
  116.  
  117. Now you just need to reboot and follow the screen menus that will appear during the UEFI boot to enroll the new key (on ubuntu 16 it's automatic it seems).
  118. This is a persistent operation, so you’ll only need to do this once.
  119.  
  120. When you have finished booting you can check that the key is in the system:
  121.  
  122. user@localhost:$ sudo keyctl list %:.system_keyring
  123.  
  124.  
  125. 112560593: ---lswrv 0 0 asymmetric: Fedora kernel signing key: e948c9015e04bd4cd5879fe2f9230a1d70859c7d
  126. 489921950: ---lswrv 0 0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
  127. 98641885: ---lswrv 0 0 asymmetric: Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b
  128. 525156767: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
  129. 1001714488: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
  130.  
  131. And that it was EFI who loaded it:
  132.  
  133. user@localhost:$ dmesg | grep Loaded
  134. [ 0.456158] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring'
  135. [ 0.456194] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring'
  136. [ 0.457111] EFI: Loaded cert 'Akrog: d5d3e2008907a7cebc8914780bd29b03fecc214b' linked to '.system_keyring'
  137. [ 0.457768] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring'
  138.  
  139.  
  140.  
  141. Now vboxdrv should be loaded and ready to run your VMs.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!