How to sign a kernel module Ubuntu 18.04

14

7

I am new to using Ubuntu. I am trying to install Genymotion so I can have access to an android emulator. In order to use Genymotion, it is required I have VirtualBox. I have VirtualBox installed but it seems as if I need to sign a kernal module... and I really am not sure how to do it. This is the error message I get after running /sbin/vboxconfig :

vboxdrv.sh: Stopping VirtualBox services.
vboxdrv.sh: Starting VirtualBox services.
vboxdrv.sh: Building VirtualBox kernel modules.
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox.  To re-start the set-up process, run
  /sbin/vboxconfig
as root.  If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.

I have tried googling this, but can not seem to find a clear and concise answer with sequential steps. Again, I am fairly new to linux, so any help is welcome. Thanks in advance to all of those who reply.

aty0

Posted 2019-05-18T03:06:32.557

Reputation: 141

Answers

16

In order to get VirtualBox working without simply disabling UEFI Secure Boot, then you'll need to do the following:

  1. Create a personal public/private RSA key pair to sign the kernel modules. As recommended in the link below, I chose to store the key/pair in the /root/module-signing/ directory.
    sudo -i
    mkdir /root/module-signing
    cd /root/module-signing
    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=YOUR_NAME/"
    chmod 600 MOK.priv
  1. Use mokutil, a tool to import or delete the machine owner keys (MOK), to import the public key, and then enroll it when the machine is rebooted. The password in this step is a temporary use password you'll only need to remember for a few minutes.
    mokutil --import /root/module-signing/MOK.der
    input password:
    input password again:

  1. Reboot the machine. When the bootloader starts, you should see a screen asking you to press a button to enter the MOK manager EFI utility. Note that any external external keyboards won't work in this step. Select Enroll MOK in the first menu, then continue, and then select Yes to enroll the keys, and re-enter the password established in step 2. Then select OK to continue the system boot.

  2. Future kernel updates would require the updated kernels to be signed again, so it makes sense to put the signing commands in a script that can be run at a later date as necessary. A sample script /root/module-signing/sign-vbox-modules is given below. 

#!/bin/bash

for modfile in $(dirname $(modinfo -n vboxdrv))/*.ko; do
  echo "Signing $modfile"
  /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
                                /root/module-signing/MOK.priv \
                                /root/module-signing/MOK.der "$modfile"
done
  1. Add execution permission, and run the script above as root from the /root/module-signing/ directory.
    sudo -i
    cd /root/module-signing
    chmod 700 /root/module-signing/sign-vbox-modules
    ./sign-vbox-modules
  1. Load vboxdrv module and launch VirtualBox.
    modprobe vboxdrv

Most of this information was gained from the following link, and can be referred to for additional information https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/.

balast

Posted 2019-05-18T03:06:32.557

Reputation: 161

1excellent answer, works flawless in Ubuntu 18.04.3 LTS – bobby – 2019-10-15T18:48:29.737

+1 to this answer! Fixed my problem! Thanks! – Woootiness – 2019-11-04T07:04:51.490

1did not work with fedora 30, had a stessful couple hours, where I thought I might have to do a clean install...If you don't know what you're doing (like me), proceed with caution! – Albert Rothman – 2019-11-07T23:51:58.803

worked in Ubuntu 19.10 – gr4nt3d – 2019-12-29T13:34:28.230

How would you create the script in step4 – sanster9292 – 2020-01-13T04:33:28.343

3

I had this issue. Disable Secure Boot : https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS

ejaenv

Posted 2019-05-18T03:06:32.557

Reputation: 131

3

I know that this question is old, but because there is no accepted answer and none of these answers solved the issue for me, I am writing how I solved this today:

When running this command, get this error:

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

The problem is that the module is not signed and therefore not loaded with the kernel. This will happen if your computer has the SecureBoot mode activated, something very common in modern equipment.

That's why I get this error opening any machine in the virtual box

Kernel driver not installed (rc=-1908)

Do the following steps to sign a driver, and it is loaded as a kernel module, on Ubuntu systems and also on Debian 9:

  1. Install the mkutil package to be able to do signed.

    sudo apt-get update
sudo apt-get upgrade
sudo apt-get install mokutil

  2. Generate the signature file:

    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"

  3. Then add it to the kernel:

    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

  4. Register it for the Secure Boot.

    IMPORTANT! That will ask you for a password, put the one you want, you will only have to use it once in the next reboot.

    sudo mokutil --import MOK.der

  5. Finally, restart the computer. A blue screen will appear with a keyboard wait, press the key that asks you to interrupt the boot.

    enter image description here

When you are inside the blue screen, select

Enroll MOK -> Continue -> and it will ask you for the password

that you have previously entered, you will enter it and you will be informed that the operation has been completed successfully.

Now your operating system will start and you can now use VirtualBox without problem :)

Hope this helps someone.

Adriana Hernández

Posted 2019-05-18T03:06:32.557

Reputation: 131

0

This was very helpful and correct. I would add, if your installing VirtualBOX on a laptop,start by making sure your default BIOS has been set up for VirtualBox or VM. You'll need to go into BIOS and change the virtualization permission to ALLOW or ENABLED under the processor section, save and exit, then reboot. I missed this and wasted several frustrating hours.

user1128819

Posted 2019-05-18T03:06:32.557

Reputation: 1

Asked: 2019-05-18T03:06:32.557

Viewed: 20 733 times

Active: 2020-01-10T21:35:59.087