
Thread: Virtualbox kernel driver no loading - secureboot enabled - how to sign modules?

  1. #11

    Default Re: Virtualbox kernel driver no loading - secureboot enabled - how to sign modules?

    Quote Originally Posted by w2tq View Post
    Although I uninstalled and reinstalled the signkey certificate in YaST (openSUSE-signkey-cert-20210302-lp153.1.1) as suggested in https://bugzilla.opensuse.org/show_b...id=1186784#c14, # mokutil -l reports that MokListRT is empty.
    Did you reboot after installation?

  2. #12


    Yes, I did reboot and the error remains. Also, immediately after post, a warning about the lack of a secret EFI key appears (this has been present from the initial install). From the warn log:
    Code:
    EFI secret key getting failed: EFI_NOT_FOUND 0x800000000000000e
    EFI secret key size 0 is less than 64. Please regenerate secret key
    In the interim I disabled secure boot; on reboot the EFI secret key warning was not present, but VirtualBox was still unable to start the machine, now stating there is an issue with virtualization:
    Code:
    Failed to open a session for the virtual machine win7-1.
    VT-x is disabled in the BIOS for all CPU modes (VERR_VMX_MSR_ALL_VMX_DISABLED).
    In BIOS, I see that virtualization is disabled [Advanced > CPU configuration > Intel Virtualization Technology: Disabled].

    I re-enabled secure boot and the original driver error re-appears.

    So, yes, I did reboot a number of times.

    Would enabling virtualization and disabling secure boot work? Or should I seek another solution?

  3. #13


    I see from my notes going back at least five years that I did previously enable virtualization in BIOS (and it makes sense that this would be needed).

    In the interim, I decided to try what I proposed in my last post: enabling virtualization and disabling secure boot. And that works!

    My customizations didn't carry over, but I can copy and then insert configuration files from the originating machine or re-configure the new machine OS and apps.

    I still need to determine if the lack of secure boot will be an issue going forward.

  4. #14

    Quote Originally Posted by w2tq View Post
    Yes, I did reboot and the error remains.
    On the reboot immediately following installation of openSUSE-signkey-cert you should see the MokManager interface requesting you to enroll these keys. Installation of the package only creates an enrollment request; the enrollment itself must be done before the OS (and bootloader) are started. If you have not seen MokManager, nothing was enrolled at all. Enrollment requests are cleared by shim, so they are valid for one reboot only.

    Also, immediately after post, a warning about the lack of a secret EFI key appears (this has been present from the initial install). From the warn log:
    Code:
    EFI secret key getting failed: EFI_NOT_FOUND 0x800000000000000e
    EFI secret key size 0 is less than 64. Please regenerate secret key
    Is that the exact message? It could be the reason why MokManager is not started, but I do not see this error string in the shim sources. Please post a photo of this error.

  5. #15


    arvidjaar -

    I did not get a MOK management request, although I expected one. (I did receive such a request when I installed 15.2 on a Dell laptop this past February.)

    Joel

  6. #16

    Quote Originally Posted by w2tq View Post
    Although I uninstalled and reinstalled the signkey certificate in YaST (openSUSE-signkey-cert-20210302-lp153.1.1) as suggested in https://bugzilla.opensuse.org/show_b...id=1186784#c14, # mokutil -l reports that MokListRT is empty.
    I'm experiencing this on a Lenovo G505s laptop – AMD CPU – not new, at all …
    The openSUSE certificates are refusing to enroll – I'm beginning to suspect that this hardware is EOL and will run with Secure Boot disabled until it finally dies …

  7. #17


    dcurtisfra -

    I have disabled secure boot on a relatively new machine and it runs fine. I acknowledge that this poses a security risk.

  8. #18

    @Everyone:

    Continuing with this Laptop –
    Code:
     # inxi --admin --filter --cpu --machine
    Machine:   Type: Laptop System: LENOVO product: 20255 v: Lenovo G505s serial: <filter> Chassis: type: 10 
               v: Lenovo G505s serial: <filter> 
               Mobo: LENOVO model: Lenovo G505s v: 31900003Std serial: <filter> UEFI: LENOVO v: 83CN53WW(V3.00) 
               date: 01/08/2014 
    CPU:       Topology: Quad Core model: AMD A10-5750M APU with Radeon HD Graphics bits: 64 type: MCP arch: Piledriver 
               family: 15 (21) model-id: 13 (19) stepping: 1 microcode: 6001119 L1 cache: 192 KiB L2 cache: 2048 KiB 
               flags: avx lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 19961 
               Speed: 1328 MHz min/max: 1400/2500 MHz boost: enabled Core speeds (MHz): 1: 1359 2: 1362 3: 1199 4: 1217 
               Vulnerabilities: Type: itlb_multihit status: Not affected 
               Type: l1tf status: Not affected 
               Type: mds status: Not affected 
               Type: meltdown status: Not affected 
               Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl and seccomp 
               Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization 
               Type: spectre_v2 mitigation: Full AMD retpoline, STIBP: disabled, RSB filling 
               Type: srbds status: Not affected 
               Type: tsx_async_abort status: Not affected 
     #
    1. The MOK “Blue Screen” at boot assumes a US Keyboard layout – if you have another keyboard, change the root password to something which only uses those common between your keyboard and the US Keyboard layout …
    2. From the systemd “Rescue” system state, tried resetting the MOK list; clearing the MokManager password (MokPW); enrolling the BCA4E38E-shim certificate; enrolling the BDD31A9E-kmp.crt openSUSE sign key certificate …
    3. Nothing, no go – the (older) Lenovo UEFI will not behave …
    4. Reverted back to –

    Code:
     # mokutil --sb-state 
    SecureBoot disabled
     #

  9. #19

    @Everyone:

    More info – upgraded my Desktop machine to Leap 15.3 – after some effort, Oracle VirtualBox is running with UEFI Secure Boot and TPM enabled …
    Code:
     # inxi --admin --filter --cpu --machine
    Machine:   Type: Desktop Mobo: ASUSTeK model: PRIME B450-PLUS v: Rev X.0x serial: <filter> UEFI: American Megatrends v: 3002 
               date: 03/11/2021 
    CPU:       Topology: Quad Core model: AMD Ryzen 5 3400G with Radeon Vega Graphics bits: 64 type: MT MCP arch: Zen+ 
               family: 17 (23) model-id: 18 (24) stepping: 1 microcode: 8108109 L1 cache: 384 KiB L2 cache: 2048 KiB 
               L3 cache: 4096 KiB 
               flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 59091 
               Speed: 1726 MHz min/max: 1400/3700 MHz boost: enabled Core speeds (MHz): 1: 1884 2: 1401 3: 1402 4: 1403 5: 1856 
               6: 1409 7: 1407 8: 1400 
               Vulnerabilities: Type: itlb_multihit status: Not affected 
               Type: l1tf status: Not affected 
               Type: mds status: Not affected 
               Type: meltdown status: Not affected 
               Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl and seccomp 
               Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization 
               Type: spectre_v2 mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling 
               Type: srbds status: Not affected 
               Type: tsx_async_abort status: Not affected 
    eck001:/root # 
     # mokutil --sb-state
    SecureBoot enabled
     # 
     # journalctl -b 0 --output=short-monotonic --no-hostname | grep -i 'tpm'
    [    0.000000] kernel: efi: ACPI=0xca7d1000 ACPI 2.0=0xca7d1014 TPMFinalLog=0xcaa9d000 SMBIOS=0xcb816000 SMBIOS 3.0=0xcb815000 MEMATTR=0xc6f67018 ESRT=0xc90a1198 MOKvar=0xc6ef7000 RNG=0xcb846f98 TPMEventLog=0x9011a018 
    [    0.004902] kernel: ACPI: TPM2 0x00000000CA7A3000 00004C (v03 ALASKA A M I    00000001 AMI  00000000)
    [    8.361478] udevadm[549]: systemd-udev-settle.service is deprecated. Please fix wickedd.service, tpm2-abrmd.service not to pull it in.
    [    8.631727] systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
    [    8.660651] tpm2-abrmd[1234]: tcti_conf before: "device:/dev/tpm0"
    [    8.660941] tpm2-abrmd[1234]: tcti_conf after: "device:/dev/tpm0"
    [    8.699281] systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
     # 
     # systemctl status vboxdrv.service 
    ● vboxdrv.service - VirtualBox Linux kernel module
         Loaded: loaded (/usr/lib/virtualbox/vboxdrv.sh; disabled; vendor preset: disabled)
         Active: active (exited) since Wed 2021-07-14 19:48:35 CEST; 24min ago
        Process: 1236 ExecStart=/usr/lib/virtualbox/vboxdrv.sh start (code=exited, status=0/SUCCESS)
    
    Jul 14 19:48:35 xxx systemd[1]: Starting VirtualBox Linux kernel module...
    Jul 14 19:48:35 xxx vboxdrv.sh[1236]: vboxdrv.sh: Starting VirtualBox services.
    Jul 14 19:48:35 xxx vboxdrv.sh[1298]: Starting VirtualBox services.
    Jul 14 19:48:35 xxx vboxdrv.sh[1236]: vboxdrv.sh: You must sign these kernel modules before using VirtualBox:
    Jul 14 19:48:35 xxx vboxdrv.sh[1236]:   vboxdrv vboxnetflt vboxnetadp
    Jul 14 19:48:35 xxx vboxdrv.sh[1236]: See the documenatation for your Linux distribution..
    Jul 14 19:48:35 xxx vboxdrv.sh[1299]: You must sign these kernel modules before using VirtualBox:
                                               vboxdrv vboxnetflt vboxnetadp
                                             See the documenatation for your Linux distribution..
    Jul 14 19:48:35 xxx systemd[1]: Started VirtualBox Linux kernel module.
     #
    The trick is –
    1. Use the VirtualBox version 6.1.22-lp153.2.3.2 package from the Leap 15.3 update repository – <http://download.opensuse.org/update/leap/15.3/oss> – The package in the Virtualisation repository <https://download.opensuse.org/reposi...USE_Leap_15.3/> isn't signed with the correct key.
    2. Make sure that the EFI key included in the “openSUSE-signkey-cert” has been enrolled.

    It seems that 2 keys have to be enrolled – “mokutil --list-enrolled”
    • One with the issuer “CN=SUSE Linux Enterprise Secure Boot CA” – “Subject: CN=SUSE Linux Enterprise Secure Boot CA”.
    • The other with the issuer “CN=openSUSE Secure Boot CA” – “Subject: CN=openSUSE Secure Boot Signkey”.

    Assuming that the host hardware has a UEFI which is new enough to allow these keys to be enrolled …
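
The enrollment check described in post #19 can be scripted. The following is an added example, not code from the thread or from openSUSE: it parses the certificate dump printed by `mokutil --list-enrolled` and reports which of the two issuer/subject pairs named in that post is missing. The function names are hypothetical and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: check that the two MOK certificates named in post #19 are
# enrolled. Live use: mokutil --list-enrolled | missing_mok_keys

# Expected "issuer CN|subject CN" pairs, copied from the CNs quoted in the post.
EXPECTED='SUSE Linux Enterprise Secure Boot CA|SUSE Linux Enterprise Secure Boot CA
openSUSE Secure Boot CA|openSUSE Secure Boot Signkey'

# Constructed sample of the certificate dump (trimmed, placeholder values):
# only the SUSE CA is enrolled, the openSUSE signkey is absent.
SAMPLE='[key 1]
SHA1 Fingerprint: 00:00:00:00
Certificate:
    Data:
        Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=XX, O=Example
        Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=XX, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption'

# Print "issuer CN|subject CN" for every certificate found on stdin.
mok_pairs() {
    awk '
        function cn(line,   s) {
            s = line
            sub(/^.*CN *= */, "", s)   # drop everything up to "CN="
            sub(/[,\/].*$/, "", s)     # drop the RDNs that follow
            return s
        }
        /^\[key [0-9]+\]/    { issuer = "" }
        /^[ \t]*Issuer:/     { issuer = cn($0) }
        /^[ \t]*Subject:/    { print issuer "|" cn($0) }
    '
}

# Read a mokutil dump on stdin; print each missing pair; return 1 if any.
missing_mok_keys() {
    pairs=$(mok_pairs)
    rc=0
    while IFS= read -r want; do
        printf '%s\n' "$pairs" | grep -Fxq -- "$want" ||
            { printf 'missing: %s\n' "$want"; rc=1; }
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Demo on the constructed sample: reports the openSUSE signkey as missing.
printf '%s\n' "$SAMPLE" | missing_mok_keys || true
```

An empty result with exit status 0 means both pairs are present; an empty MokListRT, as reported earlier in the thread, yields both lines as missing.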
