virtualbox-dkms installation hangs in 18.04 (with secure boot)

Bug #1775672 reported by wastrel on 2018-06-07
64
This bug affects 12 people
Affects Status Importance Assigned to Milestone
DKMS
Undecided
Unassigned
dkms (Ubuntu)
Undecided
Unassigned

Bug Description

apt install virtualbox hangs during virtualbox-dkms installation:

# apt install virtualbox
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  dkms libgsoap-2.8.60 libqt5opengl5 libqt5printsupport5 libvncserver1
  virtualbox-dkms virtualbox-qt
Suggested packages:
  menu vde2 virtualbox-guest-additions-iso
The following NEW packages will be installed:
  dkms libgsoap-2.8.60 libqt5opengl5 libqt5printsupport5 libvncserver1
  virtualbox virtualbox-dkms virtualbox-qt
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/27.0 MB of archives.
After this operation, 117 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Selecting previously unselected package dkms.
(Reading database ... 185903 files and directories currently installed.)
Preparing to unpack .../0-dkms_2.3-3ubuntu9.1_all.deb ...
Unpacking dkms (2.3-3ubuntu9.1) ...
Selecting previously unselected package libgsoap-2.8.60:amd64.
Preparing to unpack .../1-libgsoap-2.8.60_2.8.60-2build1_amd64.deb ...
Unpacking libgsoap-2.8.60:amd64 (2.8.60-2build1) ...
Selecting previously unselected package libqt5opengl5:amd64.
Preparing to unpack .../2-libqt5opengl5_5.9.5+dfsg-0ubuntu1_amd64.deb ...
Unpacking libqt5opengl5:amd64 (5.9.5+dfsg-0ubuntu1) ...
Selecting previously unselected package libqt5printsupport5:amd64.
Preparing to unpack .../3-libqt5printsupport5_5.9.5+dfsg-0ubuntu1_amd64.deb ...
Unpacking libqt5printsupport5:amd64 (5.9.5+dfsg-0ubuntu1) ...
Selecting previously unselected package libvncserver1:amd64.
Preparing to unpack .../4-libvncserver1_0.9.11+dfsg-1ubuntu1_amd64.deb ...
Unpacking libvncserver1:amd64 (0.9.11+dfsg-1ubuntu1) ...
Selecting previously unselected package virtualbox-dkms.
Preparing to unpack .../5-virtualbox-dkms_5.2.10-dfsg-6_all.deb ...
Unpacking virtualbox-dkms (5.2.10-dfsg-6) ...
Selecting previously unselected package virtualbox.
Preparing to unpack .../6-virtualbox_5.2.10-dfsg-6_amd64.deb ...
Unpacking virtualbox (5.2.10-dfsg-6) ...
Selecting previously unselected package virtualbox-qt.
Preparing to unpack .../7-virtualbox-qt_5.2.10-dfsg-6_amd64.deb ...
Unpacking virtualbox-qt (5.2.10-dfsg-6) ...
Setting up libvncserver1:amd64 (0.9.11+dfsg-1ubuntu1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for ureadahead (0.100.0-20) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3) ...
Setting up libqt5printsupport5:amd64 (5.9.5+dfsg-0ubuntu1) ...
Setting up libqt5opengl5:amd64 (5.9.5+dfsg-0ubuntu1) ...
Processing triggers for bamfdaemon (0.5.3+18.04.20180207.2-0ubuntu1) ...
Rebuilding /usr/share/applications/bamf-2.index...
Setting up libgsoap-2.8.60:amd64 (2.8.60-2build1) ...
Setting up dkms (2.3-3ubuntu9.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for systemd (237-3ubuntu10) ...
Processing triggers for man-db (2.8.3-2) ...
Processing triggers for shared-mime-info (1.9-2) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Setting up virtualbox-dkms (5.2.10-dfsg-6) ...
Loading new virtualbox-5.2.10 DKMS files...
Building for 4.15.0-22-generic
Progress: [ 85%] [#################################################.........]

$ dpkg -l | grep virtualbox
ii unity-scope-virtualbox 0.1+13.10.20130723-0ubuntu1 all VirtualBox scope for Unity
iU virtualbox 5.2.10-dfsg-6 amd64 x86 virtualization solution - base binaries
iF virtualbox-dkms 5.2.10-dfsg-6 all x86 virtualization solution - kernel module sources for dkms
iU virtualbox-qt 5.2.10-dfsg-6 amd64 x86 virtualization solution - Qt based user interface
$

$ lsb_release -rd
Description: Ubuntu 18.04 LTS
Release: 18.04
$

$ apt-cache policy virtualbox-dkms
virtualbox-dkms:
  Installed: 5.2.10-dfsg-6
  Candidate: 5.2.10-dfsg-6
  Version table:
 *** 5.2.10-dfsg-6 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/multiverse amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/multiverse i386 Packages
        100 /var/lib/dpkg/status
$ apt-cache policy dkms
dkms:
  Installed: 2.3-3ubuntu9.1
  Candidate: 2.3-3ubuntu9.1
  Version table:
 *** 2.3-3ubuntu9.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main i386 Packages
        100 /var/lib/dpkg/status
     2.3-3ubuntu9 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/main i386 Packages
$

What I expected to happen: successfully install the package & dependencies
What happened instead: installation stalled at 85%

wastrel (wastrel) wrote :

After killing the hung apt process I ran dpkg --configure -a , which hung again. Killing the hung dpkg process and running dpkg --configure -a again allowed the package installation to complete but resulted in a broken module:

$ VirtualBox
WARNING: The character device /dev/vboxdrv does not exist.
  Please install the virtualbox-dkms package and the appropriate
  headers, most likely linux-headers-generic.

  You will not be able to start VMs until this problem is fixed.
$

wastrel (wastrel) wrote :

FWIW:

$ apt-cache policy linux-headers-generic
linux-headers-generic:
  Installed: 4.15.0.22.23
  Candidate: 4.15.0.22.23
  Version table:
 *** 4.15.0.22.23 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     4.15.0.20.23 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
$

wastrel (wastrel) wrote :

After working on this a bit more, this problem is probably caused by Secure Boot being enabled on my dual-boot (w/ windows 10) system.

https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur

BlackDragon (walbertr) wrote :

I am having the same problem. Ubuntu 18.04 installed with Windows 10 as dual boot. Secure boot enabled. The system has been working for years like this (since before 16.04). I have updated to every release since and it was working on all of them. It even worked on 18.04 before the latest kernel update. I suspect a work around could be to downgrade to a previous kernel or to disable module signing, but we should not have to.

 I sign my own modules with the following:

(only required once)
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive common name/"

After every kernel upgrade I sign the modules with:
#!/bin/bash

for f in $(dirname $(modinfo -n vboxdrv))/*.ko; do echo "Signing $f"; sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $f; done
modprobe vboxdrv

The kernel upgrade to 4.15.0-22 broke this process. Now the install of virtual box will stall on the following:
Building initial module for 4.15.0-22-generic

wastrel (wastrel) wrote :

My workaround was to set up the upstream VirtualBox PPA and install the packages from there:

https://www.virtualbox.org/wiki/Linux_Downloads

Then maunally sign them.

wastrel (wastrel) on 2018-06-08
summary: - virtualbox-dkms installation hangs in 18.04
+ virtualbox-dkms installation hangs in 18.04 (with secure boot)
affects: virtualbox (Ubuntu) → dkms (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dkms (Ubuntu):
status: New → Confirmed
Marco van Zwetselaar (zwets) wrote :

The problem is that the DKMS hook in virtualbox-dkms starts a whiptail dialog explaining that a new signing key will be enrolled in the MOK database, but this dialog does not get displayed, which is why the system appears to hang.

Below is the output of 'pstree' showing the stack of commands and the whiptail content.

Secondary issue (with DKMS): I have a signing key in the MOK database already (like commenter #4), with which I have always used signed the vbox drivers, so I do not want to enrol a _new_ signing key. So even if I would see the dialog, it does not present the appropriate option.

I have tried this with aptitude, apt, dpkg --configure, both inside and outside of a 'screen' session (to make sure I was on a plain console), but the dialog does not show up in any of these cases.

This is the pstree output:

└─aptitude,5796
   ├─sh,11827 -c DPKG_NO_TSTP=1 dpkg --configure -a
   └─dpkg,11828 --configure -a
       └─virtualbox-dkms,11829 /var/lib/dpkg/info/virtualbox-dkms.postinst configure 5.2.10-dfsg-6ubuntu18.04.1
          └─common.postinst,11830 /usr/lib/dkms/common.postinst virtualbox 5.2.10 /usr/share/virtualbox-dkms 5.2.10-dfsg-6ubuntu18.04.1
             └─dkms,12103 /usr/sbin/dkms build -m virtualbox -v 5.2.10 -k 4.15.0-24-generic
                └─dkms,12120 /usr/sbin/dkms build -m virtualbox -v 5.2.10 -k 4.15.0-24-generic
                   └─frontend,15868 -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --enroll-key
                      ├─update-securebo,15882 /usr/sbin/update-secureboot-policy --enroll-key
                      └─whiptail,15897 --backtitle Package configuration --title Configuring Secure Boot --output-fd 12 --nocancel --msgbox Y our system has UEFI Secure Boot enabled.\012\012UEFI Secure Boot requires additional configuration to work with third-party drivers.\012\012The system will assist you in configuring UEFI Secure Boot. To permit the use of third-party drivers, a new Machine-Owner Key (MOK) has been generated. This key now needs to be enrolled in your system's \012firmware.\012\012To ensure that this change is being made by you as an authorized user, and not by an attacker, you must choose a password now and then confirm the change after reboot using the same password, in both the\012"Enroll MOK" and "Change Secure Boot state" menus that will be presented to you when this system reboots.\012\012If you proceed but do not confirm the password upon reboot, Ubuntu will still be able to boot on your system but any hardware that requires third-party drivers to work correctly may not be usable. 17 208

Jörg Rebenstorf (crayor) wrote :

Using ...

sudo apt install --reinstall virtualbox-dkms

... I have the same issue as user zwets above in this message thread:

whiptail command hangs infinitely and does not show a menu possibly because of the bad environment it is running in.

My workaround was to kill the perl process and run it standalone ...

sudo perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --enroll-key

... in a usual interactive shell, so that whiptail shows the menu to set a password.

Afterwards (that is, after reboot and enrolling this password key during boot) VirtualBox is running for me on Ubuntu 18.04 with secure boot and does not complain about an unsigned vboxdrv anymore.

Seems to be a design flaw to prevent interactivity during installation.

Colin Watson (cjwatson) wrote :

My current workaround is to remove the redirection of /usr/lib/dkms/dkms_autoinstaller's stdout to /dev/null in /etc/kernel/header_postinst.d/dkms. This may even be the correct fix: it's a little noisier, but not unacceptably so and it's definitely better than a hung installation.

Felix Eckhofer (eckhofer) wrote :

The same problem with redirection to /dev/null seems also to be present in /usr/lib/dkms/common.postinst, causing hangs on upgrades...

Christopher Smith (cbsmith) wrote :

I'm suffering with this again. Is the work around really to turn off boot protection?

Matt Harris (charrismatic) wrote :

I've struggled through this several times now. I don't have a definitive solution but the general routine was something like this. When you asked to enroll the machine owner key to sign the kernel module there is an interface that popups up and waits for user input. I tried this in in a shell-only session and in a gnome session several times. In both cases the process that spawns the window gets stuck in a child process and I think it was sent to a different tty altogether. One time I accidentally recover the interface by killing all the login window session processes while I was in a trying something else in a shell session. When i jumped back everything redrew and there was a new window that asked me to enroll the MOK key password.

I was not able to reproduce that the next time I got stuck in this spot, but what worked for me was disabling my machines nvidia video card proprietary drivers, and then switching from wayland to gnome (or gnome to wayland) after I did that then the processes worked as it was supposed to.

This issue is very frustrating, but you should be able to keep secure boot enabled. I saved the logs from those times I was able to get it to work. I'll see if I can find anything to back up what I'm saying here.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers