It became a requirement to sign kernel modules when Secure Boot is enabled a long time back. I only encountered this today.
I installed VirtualBox on Ubuntu 17.10 running on a machine that has Secure Boot enabled. The installation finished with a warning.
WARNING: The character device /dev/vboxdrv does not exist.
         Please install the virtualbox-dkms package and the appropriate
         headers, most likely linux-headers-generic.
         You will not be able to start VMs until this problem is fixed.
Yes, I could not create any virtual machine because the vboxdrv kernel module was not loaded. Using modprobe to do it returned the following error:
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
The full documentation on module signing is published on GitHub. However, if you’re here following a Google search and perhaps looking for a quick fix for your broken VirtualBox, then the following is what you need to know.
The signing keys are created using openssl:
openssl req -new -x509 -newkey rsa:2048 -keyout LKM.priv \
    -outform DER -out LKM.der -nodes -days 36500 \
    -subj "/CN=LKM Signing Key/"
You would probably replace the CN value with a more descriptive name for the keys. Note that -nodes writes the private key LKM.priv to disk unencrypted, so restrict access to that file. The next step is to sign the vboxdrv module with the key, using the scripts/sign-file tool available in the Linux kernel source tree.
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 LKM.priv LKM.der $(modinfo -n vboxdrv)
The four arguments supplied are:
- The hash algorithm (in this case sha256)
- The private key filename
- The public key filename
- The kernel module to be signed
Before we can load the signed module, we have to enroll the public key (LKM.der) with Secure Boot. We use the Machine Owner Key (MOK) utility.
sudo mokutil --import LKM.der
It will ask for a password, which Secure Boot will require after reboot. Once that is done, modprobe vboxdrv should execute without any error. For VirtualBox to function correctly, the following modules must also be signed and loaded:
- vboxnetadp
- vboxnetflt
- vboxpci
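The signing step above, repeated for all four modules, as an added example that is not part of the original post. It assumes LKM.priv and LKM.der are in the current directory and that the modules are uncompressed .ko files; the function names is_signed and sign_vbox_modules are made up for this sketch. To skip modules that are already signed, it checks for the trailer string that sign-file appends to the end of a signed module.

```shell
#!/bin/sh
# Added example (not from the original post): sign every VirtualBox module
# the post lists, skipping any that already carry a signature.

# sign-file ends a signed module with this marker plus a newline (28 bytes).
MAGIC='~Module signature appended~'

# is_signed FILE -> 0 if FILE ends with the signature trailer,
#                   1 if it does not, 2 if FILE does not exist.
is_signed() {
    [ -f "$1" ] || return 2
    # tr drops NUL bytes so the shell does not warn on binary tails.
    [ "$(tail -c 28 "$1" | tr -d '\0')" = "$MAGIC" ]
}

# sign_vbox_modules [PRIVATE_KEY] [PUBLIC_CERT]
# Defaults match the file names produced by the openssl command in the post.
sign_vbox_modules() {
    sv_key=${1:-LKM.priv}
    sv_cert=${2:-LKM.der}
    sv_signer="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"
    for sv_mod in vboxdrv vboxnetadp vboxnetflt vboxpci; do
        sv_path=$(modinfo -n "$sv_mod") || {
            echo "$sv_mod: module not found" >&2
            continue
        }
        if is_signed "$sv_path"; then
            echo "$sv_mod: already signed"
        else
            sudo "$sv_signer" sha256 "$sv_key" "$sv_cert" "$sv_path" \
                && echo "$sv_mod: signed"
        fi
    done
}

# Only touch the system when explicitly asked: ./sign-vbox.sh --sign
if [ "${1:-}" = "--sign" ]; then
    sign_vbox_modules "${2:-LKM.priv}" "${3:-LKM.der}"
fi
```

The key still has to be enrolled once with mokutil --import LKM.der, as described above, before the kernel will accept the signed modules.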