Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 [required key not available]

Bug #1574300 reported by Karthik Nishanth on 2016-04-24
This bug affects 36 people
Affects: virtualbox (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

http://askubuntu.com/q/760671

I upgraded from Ubuntu 15.10 to 16.04 and since then VirtualBox 5.0.18 isn't starting my VMs anymore. It complains that 'vboxdrv' isn't loaded. So I try to load it and get the following error:

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

There are some solutions which require signing the modules locally. But, why did virtualbox break on upgrade?
I installed the new kernel sources, dpkg-reconfigured virtualbox-dkms package, but still get the same error.

Please let me know if you need additional logs/info

Thanks.

This is the apt-get install output

DKMS: install completed.
Setting up virtualbox (5.0.18-dfsg-2build1) ...
vboxweb.service is a disabled or a static unit, not starting it.
Job for virtualbox.service failed because the control process exited with error code. See "systemctl status virtualbox.service" and "journalctl -xe" for details.
invoke-rc.d: initscript virtualbox, action "restart" failed.
Setting up virtualbox-qt (5.0.18-dfsg-2build1) ...
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Processing triggers for systemd (229-4ubuntu4) ...
Processing triggers for ureadahead (0.100.0-19) ...

systemctl status virtualbox.service output

● virtualbox.service - LSB: VirtualBox Linux kernel module
   Loaded: loaded (/etc/init.d/virtualbox; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2016-04-24 20:34:40 IST; 1min 1s ago
     Docs: man:systemd-sysv-generator(8)

Apr 24 20:34:40 x1 systemd[1]: Starting LSB: VirtualBox Linux kernel module...
Apr 24 20:34:40 x1 virtualbox[19997]: * Starting VirtualBox kernel modules
Apr 24 20:34:40 x1 virtualbox[19997]: * modprobe vboxdrv failed. Please use 'dmesg' to find out why
Apr 24 20:34:40 x1 virtualbox[19997]: ...fail!
Apr 24 20:34:40 x1 systemd[1]: virtualbox.service: Control process exited, code=exited status=1
Apr 24 20:34:40 x1 systemd[1]: Failed to start LSB: VirtualBox Linux kernel module.
Apr 24 20:34:40 x1 systemd[1]: virtualbox.service: Unit entered failed state.
Apr 24 20:34:40 x1 systemd[1]: virtualbox.service: Failed with result 'exit-code'.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox (Ubuntu):
status: New → Confirmed

it does not seem a bug, but a policy; see

https://answers.launchpad.net/ubuntu/+question/292158

https://www.virtualbox.org/ticket/11577#comment:2

to disable validation of modules (and maybe of kernel too?) see http://askubuntu.com/a/762248/534960

But if something works in 15.10 and breaks in 16.04 LTS, then it can be considered a bug :)

** Bug watch added: Virtualbox Trac #11577
   http://www.virtualbox.org/ticket/11577

Thanks for the info. This is not a bug,

"Since Ubuntu kernel 4.4.0-20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel config has been enabled. That prevents from loading unsigned third party modules if UEFI Secure Boot is enabled.

Since Ubuntu kernel build 4.4.0-21.37 this can be fixed by running

sudo apt install mokutil
sudo mokutil --disable-validation"

Can we close this?

Are you sure that

  sudo mokutil --disable-validation

is equivalent to disabling EFI_SECURE_BOOT_SIG_ENFORCE?

Could it be that the latter disables only validation of modules, the former of the kernel too?

Manuel Fonseca (manuelfonseca) wrote :

Please do not close this.

using mokutil to "disable-validation" did not help, I'm still stuck and vboxdrv will not load.

Am I missing something?
How can I fix this without disabling secure boot, or go through the loops and sign the module?

I used the kernel-source/scripts/sign-file utility to sign the driver, but still I get the same error. How to find out if a module is signed or not?

John (ejohn) wrote :

I am struggling with the same issue. This page gives some information on what I have been trying: http://gorka.eguileor.com/vbox-vmware-in-secureboot-linux/. I have successfully done mokutil --import but that key does not appear in the keyctl system_keyring list. In my case modinfo does not show the signature information as shown on that page. In order to verify the driver was even touched, you can grep for "~Module signature appended~" after signing.

@ejohn Yes, I did the same too.

output of
> sudo mokutil --list-enrolled

lists the key I created.

And also,

> strings driver.ko

has a `~Module signature appended~` at the end, with my signature name.

Inference is that I have successfully enrolled the key which I created in mokutil.
The module is signed too, with my generated key.

Any idea how to proceed further?
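
A stricter check than `strings` for the "is this module signed?" question asked above, as an added example that is not part of the original thread: it parses the signature trailer the kernel expects at the very end of a .ko file, following the kernel's struct module_signature layout. The sample bytes are constructed, the function names are hypothetical, and it checks structure only, not whether the signing key is in a keyring the kernel trusts.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # kernel MODULE_SIG_STRING, must be the last bytes
TRAILER = struct.Struct(">5B3xI")          # struct module_signature: 5 x u8, 3 pad, be32 sig_len
ID_TYPES = {0: "PGP", 1: "X.509", 2: "PKCS#7"}  # enum pkey_id_type


def inspect_module_signature(blob):
    """Parse the signature trailer the kernel looks for at the end of a .ko file."""
    if not blob.endswith(MAGIC):
        # strings(1) finds the marker anywhere; the kernel only accepts it at the very end.
        where = "elsewhere in file" if MAGIC in blob else "absent"
        return {"signed": False, "reason": "marker " + where}
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        return {"signed": False, "reason": "truncated trailer"}
    algo, hash_algo, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    # Signer name, key id and signature data sit between the module body and the trailer.
    module_len = end - TRAILER.size - signer_len - key_id_len - sig_len
    if sig_len == 0 or module_len <= 0:
        return {"signed": False, "reason": "malformed trailer"}
    return {
        "signed": True,
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "sig_len": sig_len,
        "module_len": module_len,
    }


def make_sample(sig=b"\x30\x82" + b"\x00" * 30):
    """Constructed sample: fake module body + placeholder signature + PKCS#7-style trailer."""
    body = b"\x7fELF" + b"\x00" * 60
    return body + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: pass the path of a module file to inspect it.
        with open(sys.argv[1], "rb") as fh:
            print(inspect_module_signature(fh.read()))
    else:
        print(inspect_module_signature(make_sample()))
```

A result of "signed: True" here together with "Required key not available" from modprobe points at key trust (the enrolled key not reaching the kernel keyring) rather than at the signing step.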

Flavio Elawi (flavioelawi) wrote :

there is Bug #1461412 that stops this workaround process, and it is open since 2015-06-03.
That gives you a hint at how much canonical developers and community cares about systems security and LTS releases.

There is already a fix in the kernel -proposed. just try it, help in debugging instead of bothering about having a fix.

You are the community, and testing is the best way to get a fix released.

Lars Kumbier (derlars) wrote :

@costamagnagianfranco where did you find the information, that the proposed kernel contains a fix? Does not solve the problem for me.

Does the proposed kernel disable signature verification by default? If not, the bug will persist.

Moreover, this enforcement was by design.

@derlars, I'm the virtualbox maintainer, I asked to sync the kernel modules, because I'm pretty sure with signature verification enabled you can't just install the dkms package.
So I was hoping the official kernel virtualbox module (the one embedded in linux kernel) was signed with the same key.

I still think that removing --purge the virtualbox-dkms and installing the kernel vbox module should fix the issue.

Lars Kumbier (derlars) wrote :

@costamagnagianfranco From my understanding, all new modules will now have to be signed since the signature enforcement was activated in the kernel. So, the dkms system would have to generate a local system key, add this local key to the trusted keystore and would have to sign all third-party-modules in the future.

I removed and purged the virtualbox-dkms (which obviously wouldn't fix the problem), but am unsure on how to proceed from here. Would I have to build and sign the kernel module myself - and do so for every new kernel installation? Or will there be a convenience package from you doing that?

Virtualbox uses dkms, so I expect the fix should be there.

Lars Kumbier (derlars) wrote :

@costamagnagianfranco yes, but what should oracle do? the dkms framework will rebuild the module every time a new kernel is installed, so oracle can't really do much, since the problem is the dkms framework not having a plan for UEFI systems with secure boot.

Anything I can do to solve the problem beside disabling secure boot on my system (which seems to be the current "solution")? Thanks for your comments and help so far.

Well, this week somebody picked up the fact on Debian that dkms was unmaintained.
Fortunately there has been a lot of activity and two uploads so far; it seems to be getting back on track.
https://lists.alioth.debian.org/pipermail/pkg-dkms-maint/2016-April/thread.html

I think forwarding the issues there might be a really nice and quick way to get in touch with somebody with a higher knowledge on the topic than me :)

Flavio Elawi (flavioelawi) wrote :

@derlars, well, you can create your public - private key and import the private key in your MOK, sign the vboxdrv module with your key combination and then load the module.
But guess what, ubuntu does not load the key in the system keyring because of bug #1461412 .
Fedora loads the keys in the keyring without any issues.

Flavio Elawi (flavioelawi) wrote :

@LocutusOfBorg, the links you provided did not give any insight into the problem at hand.

I think the work is still ongoing according to the blueprints.

Blaze (blaze) wrote :

Possible temporary workaround is to use different kernel version which does not have EFI_SECURE_BOOT_SIG_ENFORCE option enabled.

Jason Robinson (jaywink) wrote :

Ran into this after upgrading work computer from trusty to xenial. Tried all possible install alternatives for VirtualBox (official and repos), but module always refused to load.

In the end, as a hopefully temporary solution, disabled validation, booted, confirmed to disable secure boot and voila, everything loads. Not a very optimal solution, really the modules should just be signed for kernel 4.4.

This is what I did:
> sudo sudo mokutil --disable-validation

Curiously, after boot and confirming to disable secure boot, UEFI still shows it enabled and so does `sudo mokutil --sb-state`.. Some kind of "enabled but not validating modules" state?

isabel (isabel-t) wrote :

@jaywink

What did you do after disabling validation? Because I still get the same error with virtualbox:
WARNING: The character device /dev/vboxdrv does not exist.
  Please install the virtualbox-dkms package and the appropriate
  headers, most likely linux-headers-generic.

  You will not be able to start VMs until this problem is fixed.

When I try to reconfigure:
sudo sudo mokutil --disable-validation
DKMS: install completed.
Job for virtualbox.service failed because the control process exited with error code. See "systemctl status virtualbox.service" and "journalctl -xe" for details.
invoke-rc.d: initscript virtualbox, action "restart" failed.

Thanks

systemctl status virtualbox?

isabel (isabel-t) wrote :

anne@anne-Latitude-E7250:~$ systemctl status virtualbox
● virtualbox.service - LSB: VirtualBox Linux kernel module
   Loaded: loaded (/etc/init.d/virtualbox; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2016-06-30 13:21:06 CEST; 6min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 26203 ExecStart=/etc/init.d/virtualbox start (code=exited, status=1/FAILURE)

Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: Stopped LSB: VirtualBox Linux kernel module.
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: Starting LSB: VirtualBox Linux kernel module...
Jun 30 13:21:06 anne-Latitude-E7250 virtualbox[26203]: * Starting VirtualBox kernel modules
Jun 30 13:21:06 anne-Latitude-E7250 virtualbox[26203]: * modprobe vboxdrv failed. Please use 'dmesg' to find out
Jun 30 13:21:06 anne-Latitude-E7250 virtualbox[26203]: ...fail!
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: virtualbox.service: Control process exited, code=exited status=1
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: Failed to start LSB: VirtualBox Linux kernel module.
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: virtualbox.service: Unit entered failed state.
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: virtualbox.service: Failed with result 'exit-code'.

Thanks

Jason Robinson (jaywink) wrote :

@isabel-t, maybe try to reinstall virtualbox, assuming your disabling of the validation was successful and that isn't the problem any more. Sorry, don't have much more on this, for me disabling validation solved the problem.

sudo dpkg-reconfigure virtualbox-dkms should fix the issue too

isabel (isabel-t) wrote :

@jaywink, thanks, it worked after I uninstalled virtualbox, disabled, rebooted and confirmed disable, then reinstalled virtualbox.

Case of me, Virtualbox need upper gcc 5.0
On 2016. 6. 30. at 9:51 PM, "isabel" <email address hidden> wrote:

> @jaywink, thanks, it worked after I uninstalled virtualbox, disabled,
> rebooted and confirmed disable, then reinstalled virtualbox.

Can someone tell me why vboxdrv cannot be signed?

Probably because kernel modules are built during installation, and you have not the Ubuntu signing key, and moreover dkms doesn't support right now the kernel signature done by the end user

fminori (ghena) wrote :

@jaywink: thanks, it worked for me too!

For you all, here are the steps:

<code>
>sudo apt purge virtualbox-dkms
>sudo apt purge virtualbox
>sudo sudo mokutil --disable-validation
>reboot
</code>

then, on reboot, disable the secure boot through the GUI

<code>
>sudo apt install virtualbox
>sudo apt install virtualbox-dkms
</code>

Changed in virtualbox (Ubuntu):
importance: Undecided → High

John Rose (johnaaronrose) wrote :

On "sudo sudo mokutil --disable-validation", I get:
john@NewLaptop:~$ sudo sudo mokutil --disable-validation
password length: 8~16
input password:
I've tried my login password and "password".

Any ideas please?

Blaze (blaze) wrote :

That's not login password. You should enter some NEW password here, which will be asked after reboot.

John Rose (johnaaronrose) wrote :

Thanks for reply about password. I entered the password twice and it went into a mokutil screen for a few seconds. However, I don't understand the instruction "on reboot, disable the secure boot through the GUI". How do I do that?

John Rose (johnaaronrose) wrote :

I understand now about "on reboot, disable the secure boot through the GUI". It came up after my entering "sudo apt install virtualbox". So I selected Disable etc. The command finished OK as did "sudo apt install virtualbox-dkms" though that didn't do anything as it must have been installed by "sudo apt install virtualbox". However, on starting VirtualBox again and doing "New" for Windows 7 32-bit, I still got the same error i.e. a dialog box about vboxdrv. Any ideas?

sudo dpkg-reconfigure virtualbox-dkms?

John Rose (johnaaronrose) wrote :

Doing sudo dpkg-reconfigure virtualbox-dkms didn't help.

VirtualBox is Version 5.0.24_Ubuntu r108355.

Attached are tar.gz of screenshots of dialog boxes in VirtualBox.

John Rose (johnaaronrose) wrote :

Nothing worked in http://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur
In my BIOS, there is no mention of "Enable support for legacy ...". So I disabled secure boot (in the BIOS) & rebooted. Now "sudo modprobe vboxdrv" works and so does VirtualBox. AFAIK secure boot is only required if you also run Windows. As I don't, what do I care. Please tell me if I'm wrong on this point.

Changed in virtualbox (Ubuntu):
importance: High → Critical
summary: - Could not load 'vboxdrv' after upgrade to Ubuntu 16.04
+ Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 [required key not
+ available]
Changed in virtualbox (Ubuntu):
importance: Critical → High

Ed Peterson (mreddiep) wrote :

This is my first post. I don't like to post. However, I've used ubuntu and a few other linux versions for more than 10 years. I used to be able to build a VM, install ubuntu, and be running in about 30 minutes. Now I can't do that in a day (or unfortunately, sometimes days, or even weeks...!). I'm old school. Back in the day, if an install didn't work, I'd discard it, select an alternative, and move on. This particular problem, generating all this commotion, isn't quality work. I understand linux is a volunteer effort, however frankly, what's the point if it won't install, can't upgrade, and/or routinely breaks without warning or apparent reason. I've lost all trust in ubuntu, and now am looking for alternatives. This is a very sad commentary, routinely in the past I'd recommend and implement ubuntu as a solution with great confidence, now I can't. I can't afford all the time and uncertainty in trying again and again to use this anymore.

So, thank you all for the past ~10 years + of good, dependable code, and Good bye!

@Ed Peterson this bug is really fixed in 18.04 LTS release.
I'm sad to see you go, but we cared and fixed it almost one year ago.
(and such security feature was optional, and experimental, so people with broken systems were not really using the default path)
