I am having problems running VirtualBox on my Ubuntu laptop. My laptop is dual boot, and running (Windows 10 – I think, haven’t used it in years), as well as Ubuntu 16.0.4 LTS.
I have secure boot enabled on the BIOS settings of my laptop.
I am aware that there are similar questions posted on here, specifically these two:
- Failed installation of Virtualbox 5.1 on Ubuntu 16.04
- VirtualBox Installation gives message “modprobe vboxdrv” failed
I have followed all of the instructions given in the answers sections for those two questions – yet, the problem remains unresolved.
Here is the console output, when I attempt to run virtualbox:
    me@YOURBOX:~$ virtualbox
    WARNING: The vboxdrv kernel module is not loaded. Either there is no module
             available for the current kernel (4.4.0-47-generic) or it failed to
             load. Please recompile the kernel module and install it by

               sudo /sbin/vboxconfig

             You will not be able to start VMs until this problem is fixed.
Here is the console output when I run

    me@YOURBOX:~$ sudo /sbin/vboxconfig
    vboxdrv.sh: Stopping VirtualBox services.
    vboxdrv.sh: Building VirtualBox kernel modules.
    vboxdrv.sh: Starting VirtualBox services.
    vboxdrv.sh: Building VirtualBox kernel modules.
    vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

    There were problems setting up VirtualBox. To re-start the set-up process, run
      /sbin/vboxconfig
    as root.
Here is the tail end of the output of
    [ 44.319682] audit: type=1400 audit(1491313982.374:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/evince-previewer" pid=705 comm="apparmor_parser"
    [ 45.041433] cgroup: new mount options do not match the existing superblock, will be ignored
    [ 59.682936] IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
    [ 59.697820] IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
    [ 59.702008] IPv6: ADDRCONF(NETDEV_UP): enp2s0f0: link is not ready
    [ 60.267000] IPv6: ADDRCONF(NETDEV_UP): enp2s0f0: link is not ready
    [ 62.473044] IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
    [ 70.681706] audit_printk_skb: 60 callbacks suppressed
    [ 70.681709] audit: type=1400 audit(1491314008.734:32): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=2009 comm="apparmor_parser"
    [ 70.850936] aufs 4.x-rcN-20160111
    [ 75.407218] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
    [ 75.408555] Bridge firewalling registered
    [ 75.427172] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
    [ 75.848416] ip_tables: (C) 2000-2006 Netfilter Core Team
    [ 76.703232] Initializing XFRM netlink socket
    [ 77.060003] IPv6: ADDRCONF(NETDEV_UP): docker0: link is not ready
    [ 80.101042] aufs au_opts_verify:1597:dockerd: dirperm1 breaks the protection by the permission bits on the lower branch
    [ 113.895236] wlp3s0: authenticate with 84:16:f9:77:e1:54
    [ 113.910483] wlp3s0: send auth to 84:16:f9:77:e1:54 (try 1/3)
    [ 113.912712] wlp3s0: authenticated
    [ 113.915101] wlp3s0: associate with 84:16:f9:77:e1:54 (try 1/3)
    [ 113.919397] wlp3s0: RX AssocResp from 84:16:f9:77:e1:54 (capab=0x1411 status=0 aid=1)
    [ 113.919516] wlp3s0: associated
    [ 113.919559] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
Now, I’m not going to lie – I have absolutely no idea what dmesg just spewed out – and as far as I can tell, there are no error messages in the log output – which makes the situation even more infuriating.
Has anyone ever installed VirtualBox 5.x on a laptop running Ubuntu 16.0.4 LTS – but with secure boot enabled on BIOS? If yes, what is the solution?
Lots of people have this problem – even going a few years back. It is very strange that no one seems to have a solution for it.
VirtualBox + Secure Boot + Ubuntu = fail
The problem is the requirement that all kernel modules must be signed
by a key trusted by the UEFI system, otherwise loading will fail.
Ubuntu does not sign the third party vbox* kernel modules, but rather
gives the user the option to disable Secure Boot upon installation of
the virtualbox package. I could do that, but then I would see an
annoying “Booting in insecure mode” message every time the machine
starts, and also the dual boot Windows 10 installation I have would
Ubuntu 16.04 on a Dell Latitude E7440 with BIOS A18, and with a dual boot Windows 10 installation.
Credit goes to the primary source of information I used to resolve
this problem, which applies specifically to Fedora/Redhat:
And a relevant Ask Ubuntu question:
Could not load ‘vboxdrv’ after upgrade to Ubuntu 16.04 (and I want to keep secure boot)
Steps to make it work, specifically for Ubuntu/Debian
1. Install the virtualbox package. If the installation detects that Secure Boot is enabled, you will be presented with the issue at hand and given the option to disable Secure Boot. Choose “No”.

2. Create a personal public/private RSA key pair which will be used to sign kernel modules. I chose to use the root account and the directory /root/module-signing/ to store all things related to signing kernel

       $ sudo -i
       # mkdir /root/module-signing
       # cd /root/module-signing
       # openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=YOUR_NAME/"
       [...]
       # chmod 600 MOK.priv

3. Use the MOK (“Machine Owner Key”) utility to import the public key so that it can be trusted by the system. This is a two step process where the key is first imported, and then later must be enrolled when the machine is booted the next time. A simple password is good enough, as it is only for temporary use.

       # mokutil --import /root/module-signing/MOK.der
       input password:
       input password again:

4. Reboot the machine. When the bootloader starts, the MOK manager EFI utility should automatically start. It will ask for parts of the password supplied in step 3. Choose to “Enroll MOK”, then you should see the key imported in step 3. Complete the enrollment steps, then continue with the boot. The Linux kernel will log the keys that are loaded, and you should be able to see your own key with the command:

       dmesg|grep 'EFI: Loaded cert'

5. Using a signing utility shipped with the kernel build files, sign all the VirtualBox modules using the private MOK key generated in step 2. I put this in a small script /root/module-signing/sign-vbox-modules, so it can be easily run when new kernels are installed as part of regular updates:

       #!/bin/bash

       # Sign every VirtualBox module built for the running kernel with the MOK key pair.
       for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
         echo "Signing $modfile"
         "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
                                       /root/module-signing/MOK.priv \
                                       /root/module-signing/MOK.der "$modfile"
       done

       # chmod 700 /root/module-signing/sign-vbox-modules

6. Run the script from step 5 as root. You will need to run the signing script every time a new kernel update is installed, since this will cause a rebuild of the third party VirtualBox modules. Use the script only after the new kernel has been booted, since it relies on uname -r to tell which kernel version to sign for.

7. Load vboxdrv module and fire up VirtualBox:

       # modprobe vboxdrv
The procedure can also be used to sign other third party kernel
modules, like the nvidia graphics drivers, if so is required. (I have
not tested that myself.)
Note: The above answer was wholly sourced from Øyvind Stegard’s blog post, VirtualBox + Secure Boot + Ubuntu = fail.
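
A check that complements the signing script from step 5 (an added example, not part of the original answer or the blog post): it lists the modules in a directory that carry no appended signature, which is the state a kernel update leaves the rebuilt VirtualBox modules in. The function names and the sample files are constructed for illustration; the check relies on the 28-byte trailer that the kernel's sign-file tool appends to a signed module.

```shell
#!/bin/bash
# Added example: find kernel modules that still need signing.

# Signed modules end with this string followed by a newline (28 bytes in total).
SIG_MARKER='~Module signature appended~'

# has_signature FILE: exit status 0 if FILE ends with the signature trailer.
has_signature() {
  tail -c 28 -- "$1" 2>/dev/null | LC_ALL=C grep -qxF -- "$SIG_MARKER"
}

# unsigned_modules DIR: print each *.ko in DIR that has no trailer.
# Exit status: 0 = all signed, 1 = at least one unsigned, 2 = no modules found.
unsigned_modules() {
  local dir=$1 found=0 missing=0 f
  for f in "$dir"/*.ko; do
    [ -e "$f" ] || continue          # glob matched nothing
    found=1
    if ! has_signature "$f"; then
      printf '%s\n' "$f"
      missing=1
    fi
  done
  [ "$found" -eq 1 ] || return 2
  return "$missing"
}

# make_sample_dir: constructed sample data, one unsigned and one signed file.
make_sample_dir() {
  local d
  d=$(mktemp -d) || return 1
  printf 'ELF-payload-A' > "$d/vboxnetflt.ko"
  printf 'ELF-payload-B<sig>%s\n' "$SIG_MARKER" > "$d/vboxdrv.ko"
  printf '%s\n' "$d"
}

# Usage on a real system (the script name is hypothetical):
#   ./check-module-signatures "$(dirname "$(modinfo -n vboxdrv)")"
if [ "$#" -gt 0 ]; then
  unsigned_modules "$1"
fi
```

The trailer only shows that a signature is attached, not that the kernel trusts the signer; `mokutil --sb-state` reports whether Secure Boot is active and `mokutil --test-key /root/module-signing/MOK.der` whether the key is enrolled.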