Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 [required key not available]

Bug #1574300 reported by Karthik Nishanth
This bug affects 36 people
Affects: virtualbox (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

http://askubuntu.com/q/760671

I upgraded from Ubuntu 15.10 to 16.04 and since then VirtualBox 5.0.18 isn't starting my VMs anymore. It complains that 'vboxdrv' isn't loaded. So I try to load it and get the following error:

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

There are some solutions which require signing the modules locally. But, why did virtualbox break on upgrade?
I installed the new kernel sources, dpkg-reconfigured virtualbox-dkms package, but still get the same error.

Please let me know if you need additional logs/info

Thanks.

Revision history for this message
Karthik Nishanth (nishanthkarthik) wrote :

This is the apt-get install output

DKMS: install completed.
Setting up virtualbox (5.0.18-dfsg-2build1) ...
vboxweb.service is a disabled or a static unit, not starting it.
Job for virtualbox.service failed because the control process exited with error code. See "systemctl status virtualbox.service" and "journalctl -xe" for details.
invoke-rc.d: initscript virtualbox, action "restart" failed.
Setting up virtualbox-qt (5.0.18-dfsg-2build1) ...
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Processing triggers for systemd (229-4ubuntu4) ...
Processing triggers for ureadahead (0.100.0-19) ...

Revision history for this message
Karthik Nishanth (nishanthkarthik) wrote :

systemctl status virtualbox.service output

● virtualbox.service - LSB: VirtualBox Linux kernel module
   Loaded: loaded (/etc/init.d/virtualbox; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2016-04-24 20:34:40 IST; 1min 1s ago
     Docs: man:systemd-sysv-generator(8)

Apr 24 20:34:40 x1 systemd[1]: Starting LSB: VirtualBox Linux kernel module...
Apr 24 20:34:40 x1 virtualbox[19997]: * Starting VirtualBox kernel modules
Apr 24 20:34:40 x1 virtualbox[19997]: * modprobe vboxdrv failed. Please use 'dmesg' to find out why
Apr 24 20:34:40 x1 virtualbox[19997]: ...fail!
Apr 24 20:34:40 x1 systemd[1]: virtualbox.service: Control process exited, code=exited status=1
Apr 24 20:34:40 x1 systemd[1]: Failed to start LSB: VirtualBox Linux kernel module.
Apr 24 20:34:40 x1 systemd[1]: virtualbox.service: Unit entered failed state.
Apr 24 20:34:40 x1 systemd[1]: virtualbox.service: Failed with result 'exit-code'.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox (Ubuntu):
status: New → Confirmed
Revision history for this message
lazily trying to help (8b4f1d5ed0df3e346d0efc2a742c8b) wrote :

it does not seem a bug, but a policy; see

https://answers.launchpad.net/ubuntu/+question/292158

https://www.virtualbox.org/ticket/11577#comment:2

to disable validation of modules (and maybe of kernel too?) see http://askubuntu.com/a/762248/534960

Revision history for this message
Karthik Nishanth (nishanthkarthik) wrote : Re: [Bug 1574300] Re: Could not load 'vboxdrv' after upgrade to Ubuntu 16.04

But if something works in 15.10 and breaks in 16.04 LTS, then it can be considered a bug :)

** Bug watch added: Virtualbox Trac #11577
   http://www.virtualbox.org/ticket/11577

Revision history for this message
Karthik Nishanth (nishanthkarthik) wrote : Re: Could not load 'vboxdrv' after upgrade to Ubuntu 16.04

Thanks for the info. This is not a bug,

"Since Ubuntu kernel 4.4.0-20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel config has been enabled. That prevents from loading unsigned third party modules if UEFI Secure Boot is enabled.

Since Ubuntu kernel build 4.4.0-21.37 this can be fixed by running

sudo apt install mokutil
sudo mokutil --disable-validation"

Can we close this?

Revision history for this message
lazily trying to help (8b4f1d5ed0df3e346d0efc2a742c8b) wrote :

are you sure that

  sudo mokutil --disable-validation

is equivalent to disabling EFI_SECURE_BOOT_SIG_ENFORCE?

Could it be that the latter disables only validation of modules, the former of the kernel too?

Revision history for this message
Manuel Fonseca (manuelfonseca) wrote :

Please do not close this.

using mokutil to "disable-validation" did not help, I'm still stuck and vboxdrv will not load.

Am I missing something?
How can I fix this without disabling secure boot, or go through the loops and sign the module?

Revision history for this message
Karthik Nishanth (nishanthkarthik) wrote :

I used the kernel-source/scripts/sign-file utility to sign the driver, but still I get the same error. How to find out if a module is signed or not?

Revision history for this message
John (ejohn) wrote :

I am struggling with the same issue. This page gives some information on what I have been trying. http://gorka.eguileor.com/vbox-vmware-in-secureboot-linux/. I have successfully done mokutil --import but that key does not appear in the keyctl system_keyring list. In my case modinfo does not show the signature information as shown in that page. In order to verify the driver was even touched, you can grep for "~Module signature appended~" after signing.

Revision history for this message
Karthik Nishanth (nishanthkarthik) wrote :

@ejohn Yes, I did the same too.

output of
> sudo mokutil --list-enrolled

lists the key I created.

And also,

> strings driver.ko

has a `~Module signature appended~` at the end, with my signature name.

Inference is that I have successfully enrolled the key which I created in mokutil.
The module is signed too, with my generated key.

Any idea how to proceed further?
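
An added example, not part of any comment in this thread: the `strings`/grep check above only proves the marker text occurs somewhere in the file, whereas the kernel reads a fixed 12-byte trailer placed directly before a marker at the very end of the `.ko`. The sketch below parses that trailer; the function names `inspect_module` and `build_sample` and the sample bytes are constructed for illustration.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# Trailer that sits just before MAGIC: algo, hash, id_type, signer_len,
# key_id_len, 3 pad bytes, then the signature length as a big-endian u32.
TRAILER = struct.Struct(">5B3sI")
ID_TYPES = {0: "PGP", 1: "X.509", 2: "PKCS#7"}


def inspect_module(data: bytes) -> dict:
    """Describe the appended signature of a .ko image, if it has one."""
    if not data.endswith(MAGIC):
        # grep/strings also match the marker mid-file; only the end of file counts.
        where = "elsewhere in file" if MAGIC in data else "absent"
        return {"signed": False, "reason": f"marker not at end of file ({where})"}
    body = data[: -len(MAGIC)]
    if len(body) < TRAILER.size:
        return {"signed": False, "reason": "truncated trailer"}
    algo, hash_id, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    body = body[: -TRAILER.size]
    blob_len = signer_len + key_id_len + sig_len
    if sig_len == 0 or blob_len > len(body):
        return {"signed": False, "reason": "signature length does not fit the file"}
    signature = body[len(body) - sig_len:]
    return {
        "signed": True,
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "sig_len": sig_len,
        "module_len": len(body) - blob_len,
        # A PKCS#7 blob is DER, so it starts with a SEQUENCE tag (0x30).
        "looks_like_der": signature[:1] == b"\x30",
        # PKCS#7-signed modules leave these legacy fields zeroed.
        "legacy_fields_zero": (algo, hash_id, signer_len, key_id_len) == (0, 0, 0, 0)
        and pad == b"\x00\x00\x00",
    }


def build_sample(signature: bytes, id_type: int = 2) -> bytes:
    """Constructed test input: fake module bytes plus an appended signature."""
    module = b"\x7fELF" + b"\x00" * 60
    trailer = TRAILER.pack(0, 0, id_type, 0, 0, b"\x00" * 3, len(signature))
    return module + signature + trailer + MAGIC


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 this_script.py /path/to/module.ko
        with open(sys.argv[1], "rb") as fh:
            print(inspect_module(fh.read()))
    else:
        # No path given: run on the constructed sample instead.
        print(inspect_module(build_sample(b"\x30\x82\x01\x00" + b"\xaa" * 256)))
```

A well-formed trailer only shows that the file carries a signature; `modprobe` still reports "Required key not available" when the signing key is not in a keyring the running kernel trusts, which is the situation described in the comments here.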

Revision history for this message
Flavio Elawi (flavioelawi) wrote :

There is Bug #1461412 that stops this workaround process, and it has been open since 2015-06-03.
That gives you a hint at how much Canonical developers and community care about systems security and LTS releases.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

There is already a fix in the kernel -proposed. Just try it, help in debugging instead of bothering about having a fix.

You are the community, and testing is the best way to get a fix released.

Revision history for this message
Lars Kumbier (derlars) wrote :

@costamagnagianfranco where did you find the information, that the proposed kernel contains a fix? Does not solve the problem for me.

Revision history for this message
Karthik Nishanth (nishanthkarthik) wrote :

Does the proposed kernel disable signature verification by default? If not, the bug will persist.

Moreover, this enforcement was by design.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

@derlars, I'm the virtualbox maintainer, I asked to sync the kernel modules, because I'm pretty sure with signature verification enabled you can't just install the dkms package.
So I was hoping the official kernel virtualbox module (the one embedded in linux kernel) was signed with the same key.

I still think that removing --purge the virtualbox-dkms and installing the kernel vbox module should fix the issue.

Revision history for this message
Lars Kumbier (derlars) wrote :

@costamagnagianfranco From my understanding, all new modules will now have to be signed since the signature enforcement was activated in the kernel. So, the dkms system would have to generate a local system key, add this local key to the trusted keystore and would have to sign all third-party-modules in the future.

I removed and purged the virtualbox-dkms (which obviously wouldn't fix the problem), but am unsure on how to proceed from here. Would I have to build and sign the kernel module myself - and do so for every new kernel installation? Or will there be a convenience package from you doing that?

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Virtualbox uses dkms, so I expect the fix should be there.

Revision history for this message
Lars Kumbier (derlars) wrote :

@costamagnagianfranco yes, but what should oracle do? the dkms framework will rebuild the module every time a new kernel is installed, so oracle can't really do much, since the problem is the dkms framework not having a plan for UEFI systems with secure boot.

Anything I can do to solve the problem beside disabling secure boot on my system (which seems to be the current "solution")? Thanks for your comments and help so far.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Well, this week somebody picked up the fact on Debian that dkms was unmaintained.
Fortunately there has been a lot of activity and two uploads so far; it seems to be getting back on track.
https://lists.alioth.debian.org/pipermail/pkg-dkms-maint/2016-April/thread.html

I think forwarding the issues there might be a really nice and quick way to get in touch with somebody with a higher knowledge on the topic than me :)

Revision history for this message
Flavio Elawi (flavioelawi) wrote :

@derlars, well, you can create your public - private key and import the private key in your MOK, sign the vboxdrv module with your key combination and then load the module.
But guess what, ubuntu does not load the key in the system keyring because of bug #1461412 .
Fedora loads the keys in the keyring without any issues.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :
Revision history for this message
Flavio Elawi (flavioelawi) wrote :

@LocutusOfBorg , the links you provided did not give any insight of the problem at hand.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

I think the work is still ongoing according to the blueprints.

Revision history for this message
Blaze (blaze) wrote :

Possible temporary workaround is to use different kernel version which does not have EFI_SECURE_BOOT_SIG_ENFORCE option enabled.

Revision history for this message
Jason Robinson (jaywink) wrote :

Ran into this after upgrading work computer from trusty to xenial. Tried all possible install alternatives for VirtualBox (official and repos), but module always refused to load.

In the end, as a hopefully temporary solution, disabled validation, booted, confirmed to disable secure boot and voila, everything loads. Not a very optimal solution, really the modules should just be signed for kernel 4.4.

This is what I did:
> sudo sudo mokutil --disable-validation

Curiously, after boot and confirming to disable secure boot, UEFI still shows it enabled and so does `sudo mokutil --sb-state`.. Some kind of "enabled but not validating modules" state?

Revision history for this message
isabel (isabel-t) wrote :

@jaywink

What did you do after disabling validation? Because I still get the same error with virtualbox:
WARNING: The character device /dev/vboxdrv does not exist.
  Please install the virtualbox-dkms package and the appropriate
  headers, most likely linux-headers-generic.

  You will not be able to start VMs until this problem is fixed.

When I try to reconfigure:
sudo sudo mokutil --disable-validation
DKMS: install completed.
Job for virtualbox.service failed because the control process exited with error code. See "systemctl status virtualbox.service" and "journalctl -xe" for details.
invoke-rc.d: initscript virtualbox, action "restart" failed.

Thanks

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

systemctl status virtualbox?

Revision history for this message
isabel (isabel-t) wrote :

anne@anne-Latitude-E7250:~$ systemctl status virtualbox
● virtualbox.service - LSB: VirtualBox Linux kernel module
   Loaded: loaded (/etc/init.d/virtualbox; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2016-06-30 13:21:06 CEST; 6min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 26203 ExecStart=/etc/init.d/virtualbox start (code=exited, status=1/FAILURE)

Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: Stopped LSB: VirtualBox Linux kernel module.
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: Starting LSB: VirtualBox Linux kernel module...
Jun 30 13:21:06 anne-Latitude-E7250 virtualbox[26203]: * Starting VirtualBox kernel modules
Jun 30 13:21:06 anne-Latitude-E7250 virtualbox[26203]: * modprobe vboxdrv failed. Please use 'dmesg' to find out
Jun 30 13:21:06 anne-Latitude-E7250 virtualbox[26203]: ...fail!
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: virtualbox.service: Control process exited, code=exited status=1
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: Failed to start LSB: VirtualBox Linux kernel module.
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: virtualbox.service: Unit entered failed state.
Jun 30 13:21:06 anne-Latitude-E7250 systemd[1]: virtualbox.service: Failed with result 'exit-code'.

Thanks

Revision history for this message
Jason Robinson (jaywink) wrote :

@isabel-t, maybe try to reinstall virtualbox, assuming your disabling of the validation was successful and that isn't the problem any more. Sorry, don't have much more on this, for me disabling validation solved the problem.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

sudo dpkg-reconfigure virtualbox-dkms should fix the issue too

Revision history for this message
isabel (isabel-t) wrote :

@jaywink, thanks, it worked after I uninstalled virtualbox, disabled, rebooted and confirmed disable, then reinstalled virtualbox.

Revision history for this message
chae gum shuck (coolguy4229) wrote : Re: [Bug 1574300] Re: Could not load 'vboxdrv' after upgrade to Ubuntu 16.04

In my case, VirtualBox needs gcc higher than 5.0.
On 2016. 6. 30. at 9:51 PM, "isabel" <email address hidden> wrote:

> @jaywink, thanks, it worked after I uninstalled virtualbox, disabled,
> rebooted and confirmed disable, then reinstalled virtualbox.

Revision history for this message
Blaze (blaze) wrote : Re: Could not load 'vboxdrv' after upgrade to Ubuntu 16.04

Can someone tell me why vboxdrv cannot be signed?

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

Probably because kernel modules are built during installation, and you do not have the Ubuntu signing key, and moreover dkms doesn't right now support the kernel signature done by the end user.

Revision history for this message
fminori (ghena) wrote :

@jaywink: thanks, it worked for me too!

For you all, here are the steps:

<code>
>sudo apt purge virtualbox-dkms
>sudo apt purge virtualbox
>sudo sudo mokutil --disable-validation
>reboot
</code>

then, on reboot, disable the secure boot through the GUI

<code>
>sudo apt install virtualbox
>sudo apt install virtualbox-dkms
</code>

Changed in virtualbox (Ubuntu):
importance: Undecided → High
Revision history for this message
John Rose (johnaaronrose) wrote :

On "sudo sudo mokutil --disable-validation", I get:
john@NewLaptop:~$ sudo sudo mokutil --disable-validation
password length: 8~16
input password:
I've tried my login password and "password".

Any ideas please?

Revision history for this message
Blaze (blaze) wrote :

That's not login password. You should enter some NEW password here, which will be asked after reboot.

Revision history for this message
John Rose (johnaaronrose) wrote :

Thanks for reply about password. I entered the password twice and it went into a mokutil screen for a few seconds. However, I don't understand the instruction "on reboot, disable the secure boot through the GUI". How do I do that?

Revision history for this message
John Rose (johnaaronrose) wrote :

I understand now about "on reboot, disable the secure boot through the GUI". It came up after my entering "sudo apt install virtualbox". So I selected Disable etc. The command finished OK as did "sudo apt install virtualbox-dkms" though that didn't do anything as it must have been installed by "sudo apt install virtualbox". However, on starting VirtualBox again and doing "New" for Windows 7 32-bit, I still got the same error i.e. a dialog box about vboxdrv. Any ideas?

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

sudo dpkg-reconfigure virtualbox-dkms?

Revision history for this message
John Rose (johnaaronrose) wrote :

Doing sudo dpkg-reconfigure virtualbox-dkms didn't help.

VirtualBox is Version 5.0.24_Ubuntu r108355.

Attached are tar.gz of screenshots of dialog boxes in VirtualBox.

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :
Revision history for this message
John Rose (johnaaronrose) wrote :

Nothing worked in http://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur
In my BIOS, there is no mention of "Enable support for legacy ...". So I disabled secure boot (in the BIOS) & rebooted. Now "sudo modprobe vboxdrv" works and so does VirtualBox. AFAIK secure boot is only required if you also run Windows. As I don't, what do I care. Please tell me if I'm wrong on this point.

Changed in virtualbox (Ubuntu):
importance: High → Critical
summary: - Could not load 'vboxdrv' after upgrade to Ubuntu 16.04
+ Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 [required key not
+ available]
Changed in virtualbox (Ubuntu):
importance: Critical → High
Revision history for this message
Ed Peterson (mreddiep) wrote :

This is my first post. I don't like to post. However, I've used ubuntu and a few other linux versions for more than 10 years. I used to be able to build a VM, install ubuntu, and be running in about 30 minutes. Now I can't do that in a day (or unfortunately, sometimes days, or even weeks...!). I'm old school. Back in the day, if an install didn't work, I'd discard it, select an alternative, and move on. This particular problem, generating all this commotion, isn't quality work. I understand linux is a volunteer effort, however frankly, what's the point if it won't install, can't upgrade, and/or routinely breaks without warning or apparent reason. I've lost all trust in ubuntu, and now am looking for alternatives. This is a very sad commentary; routinely in the past I'd recommend and implement ubuntu as a solution with great confidence, now I can't. I can't afford all the time and uncertainty in trying again and again to use this anymore.

So, thank you all for the past ~10 years + of good, dependable code, and Good bye!

Revision history for this message
Gianfranco Costamagna (costamagnagianfranco) wrote :

@Ed Peterson this bug is really fixed in 18.04 LTS release.
I'm sad to see you go, but we cared and fixed it almost one year ago.
(and such security feature was optional, and experimental, so people with broken systems were not really using the default path)

Revision history for this message
Michiel Dethmers (michiel-tincan) wrote :

I just bumped into this issue on Ubuntu 18.04.3 LTS

However, when I ran

sudo apt remove virtualbox-dkms virtualbox
and then
sudo apt install virtualbox-dkms

it guided me through the MOK process and after a reboot, Virtualbox was happily loading again.

Revision history for this message
Jerry Quinn (jlquinn) wrote :

In 18.04 vboxdrv still taints the kernel:

May 26 12:23:53 cerberus virtualbox[3244]: * Loading VirtualBox kernel modules...
May 26 12:23:53 cerberus kernel: vboxdrv: loading out-of-tree module taints kernel.
May 26 12:23:53 cerberus kernel: vboxdrv: module verification failed: signature and/or required key missing - tainting kernel
May 26 12:23:53 cerberus kernel: vboxdrv: Found 72 processor cores

jlquinn@cerberus:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
jlquinn@cerberus:~$ dpkg -l virtualbox
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==========================================-==========================-==========================-=========================================================================================
ii virtualbox 5.2.34-dfsg-0~ubuntu18.04. amd64 x86 virtualization solution - base binaries
