This morning’s update to VirtualBox 1.36 broke the start of a Win10 guest vm with the error message NS_ERROR_FAILURE 0x80004005.
The vm was able to start by rolling back the VirtualBox and related packages to 1.32 from the main repo.
Regards,
Ed
This morning’s update to VirtualBox 1.36 broke the start of a Win10 guest vm with the error message NS_ERROR_FAILURE 0x80004005.
The vm was able to start by rolling back the VirtualBox and related packages to 1.32 from the main repo.
Regards,
Ed
https://bugzilla.opensuse.org/show_bug.cgi?id=1201813
Does it works with USB 1.1?
Also extensions for 6.1.36 are installed?
I’ve raised a Bug Report because, the V1.36 “vboxdrv” Kernel Module doesn’t load –
You could work around by disabling Secure Boot provided that, you’re happy with that solution.
I had the same problem after a zypper up today on my VirtualBox server(leap15.4) ( …not start with the error message NS_ERROR_FAILURE 0x80004005. ) when trying to start a leap15.4 vm. Was setting USB to 1.1 on that one and it was working again, shut it down. Updated extensions to 1.36 and started a win11 vm, win10vm -both working (with USB 2.0).
Set leap15.4 vm USB back to 2.0. Working again.
I have no idea what was wrong but my vm’s is working again
It appears that Opensuse update a security certificate and you have to “on the MOK screen” re-install it.
If you have to accept the new MOK key or Virtualbox will not load in the kernel.
to recreate the request do this and reboot - accept the new MOK code - you will need the root password to do this:
LLR22:~ # zypper in --force openSUSE-signkey-cert
Loading repository data...
Reading installed packages...
Forcing installation of 'openSUSE-signkey-cert-20220613-lp154.2.3.1.x86_64' from repository 'openSUSE-Leap-15.4-Update'.
Resolving package dependencies...
The following package is going to be reinstalled:
openSUSE-signkey-cert
1 package to reinstall.
Overall download size: 10.5 KiB. Already cached: 0 B. No additional space will
be used or freed after the operation.
Continue? [y/n/v/...? shows all options] (y):
Retrieving package openSUSE-signkey-cert-20220613-lp154.2.3.1.x86_64
(1/1), 10.5 KiB ( 1.1 KiB unpacked)
Retrieving: openSUSE-signkey-cert-20220613-lp154.2.3.1.x86_64.rpm ........[done]
Checking for file conflicts: .............................................[done]
(1/1) Installing: openSUSE-signkey-cert-20220613-lp154.2.3.1.x86_64 ......[done]
LLR22:~ # ll /etc/uefi/certs
total 16
-rw-r--r-- 1 root root 1177 Jun 14 04:20 1F673297-kmp.crt
-rw-r--r-- 1 root root 1288 Jul 18 05:40 40905999.crt
-rw-r--r-- 1 root root 1288 May 11 19:29 4AAA0B54.crt
-rw-r--r-- 1 root root 1257 Jul 16 2021 BCA4E38E-shim.crt
LLR22:~ #
Be aware that, the blue MOK screen expects a US QWERTY keyboard.
[INDENT=2]In other words, if your user “root” has a strong password with mutated vowels and/or, the characters “y/Y/z/Z”, change it, temporarily, to something weaker but, compatible …
[/INDENT]
OMG!
mokutil --import /etc/uefi/certs/1F673297-kmp.crt
and provide whatever password you need at password prompt. Replace file name with whatever certificate you need to enroll.
The highlighted certificate is SUSE kernel certificate, not openSUSE-signkey-cert. openSUSE certificate is 1F673297-kmp.crt.
As a reference, after the VirtualBox patch to version 1.36 from the Leap 15.4 update repository was installed and, the system was rebooted, the following is what the systemd Journal should look like:
# journalctl -b 0 --no-hostname --output=short-monotonic | grep -iE 'secur|cert|box|tpm|spect'
0.000000] kernel: efi: ACPI=0xca78c000 ACPI 2.0=0xca78c014 TPMFinalLog=0xcaa58000 SMBIOS=0xcb805000 SMBIOS 3.0=0xcb804000 MEMATTR=0xc898e018 ESRT=0xc94ac998 MOKvar=0xc6f05000 RNG=0xcb846f18 TPMEventLog=0xc157a018
0.000000] kernel: secureboot: Secure boot enabled
0.000000] kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
0.006243] kernel: secureboot: Secure boot enabled
0.006300] kernel: ACPI: TPM2 0x00000000CA75E000 00004C (v03 ALASKA A M I 00000001 AMI 00000000)
0.006341] kernel: ACPI: Reserving TPM2 table memory at [mem 0xca75e000-0xca75e04b]
0.099113] kernel: LSM: Security Framework initializing
0.099618] kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
0.099620] kernel: Spectre V2 : Mitigation: Retpolines
0.099620] kernel: Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
0.099622] kernel: Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
0.820180] kernel: Loading compiled-in X.509 certificates
0.820211] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
0.824021] kernel: integrity: Loading X.509 certificate: UEFI:db
0.847321] kernel: integrity: Loaded X.509 cert 'ASUSTeK MotherBoard SW Key Certificate: da83b990422ebc8c441f8d8b039a65a2'
0.847323] kernel: integrity: Loading X.509 certificate: UEFI:db
0.847492] kernel: integrity: Loaded X.509 cert 'ASUSTeK Notebook SW Key Certificate: b8e581e4df77a5bb4282d5ccfc00c071'
0.847493] kernel: integrity: Loading X.509 certificate: UEFI:db
0.847515] kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
0.847516] kernel: integrity: Loading X.509 certificate: UEFI:db
0.847534] kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
0.847535] kernel: integrity: Loading X.509 certificate: UEFI:db
0.847708] kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
0.848264] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.848438] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
0.848439] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.848458] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 9ddf43d9f1a027273f52c6c0775908ee01671325'
0.848459] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.848480] kernel: integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 5a240449d29fd0d8a7a187e6fc0e26b95d1aa87b'
0.848481] kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
0.848497] kernel: integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e'
0.848503] kernel: Loading compiled-in module X.509 certificates
0.848520] kernel: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: 0ac62b1f3f534271132586e29d3b1041591c824a'
0.979197] kernel: evm: security.selinux
0.979198] kernel: evm: security.SMACK64 (disabled)
0.979199] kernel: evm: security.SMACK64EXEC (disabled)
0.979200] kernel: evm: security.SMACK64TRANSMUTE (disabled)
0.979201] kernel: evm: security.SMACK64MMAP (disabled)
0.979202] kernel: evm: security.apparmor
0.979202] kernel: evm: security.ima
0.979203] kernel: evm: security.capability
1.020769] systemd[1]: systemd 249.11+suse.129.g17d488c53a running in system mode (+PAM +AUDIT +SELINUX +APPARMOR -IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid)
4.980299] systemd[1]: systemd 249.11+suse.129.g17d488c53a running in system mode (+PAM +AUDIT +SELINUX +APPARMOR -IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=hybrid)
5.680262] systemd[1]: Found device /dev/tpm0.
6.126552] kernel: SGI XFS with ACLs, security attributes, quota, no debug enabled
9.689312] systemd[1]: Starting Security Auditing Service...
9.698999] systemd[1]: Condition check resulted in RPC security service for NFS client and server being skipped.
9.699157] systemd[1]: Condition check resulted in RPC security service for NFS server being skipped.
9.788675] systemd[1]: Started Security Auditing Service.
9.805965] systemd[1]: Started Watch for changes in CA certificates.
9.909164] systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
9.911721] systemd[1]: Starting VirtualBox Linux kernel module...
9.971565] tpm2-abrmd[1011]: tcti_conf before: "(null)"
9.971910] tpm2-abrmd[1011]: tcti_conf after: "device:/dev/tpm0"
9.977829] systemd[1]: Started TPM2 Access Broker and Resource Management Daemon.
10.016761] vboxdrv.sh[1013]: vboxdrv.sh: Starting VirtualBox services.
10.018605] vboxdrv.sh[1087]: Starting VirtualBox services.
10.065841] kernel: vboxdrv: loading out-of-tree module taints kernel.
10.071898] systemd-udevd[650]: vboxdrvu: /usr/lib/udev/rules.d/60-vboxdrv.rules:2 Only network interfaces can be renamed, ignoring NAME="vboxdrvu".
10.072444] systemd-udevd[652]: vboxdrv: /usr/lib/udev/rules.d/60-vboxdrv.rules:1 Only network interfaces can be renamed, ignoring NAME="vboxdrv".
10.071646] kernel: vboxdrv: Found 8 processor cores
10.089560] kernel: vboxdrv: TSC mode is Invariant, tentative frequency 3692995220 Hz
10.089569] kernel: vboxdrv: Successfully loaded version 6.1.36_SUSE r152435 (interface 0x00320000)
10.312247] kernel: VBoxNetFlt: Successfully started.
10.330658] systemd-udevd[652]: vboxnetctl: /usr/lib/udev/rules.d/60-vboxdrv.rules:3 Only network interfaces can be renamed, ignoring NAME="vboxnetctl".
10.330244] kernel: VBoxNetAdp: Successfully started.
10.337828] vboxdrv.sh[1104]: VirtualBox services started.
10.339044] systemd[1]: Started VirtualBox Linux kernel module.
10.341198] systemd[1]: Starting vboxautostart-service.service...
10.350805] vboxautostart-service.sh[1108]: Starting VirtualBox VMs configured for autostart.
10.350981] vboxautostart-service.sh[1105]: vboxautostart-service.sh: Starting VirtualBox VMs configured for autostart.
10.352141] systemd[1]: Started vboxautostart-service.service.
#
And, for good measure, the Kernel modules:
# lsmod | grep -i 'box'
vboxnetadp 28672 0
vboxnetflt 32768 0
vboxdrv 540672 2 vboxnetadp,vboxnetflt
#
Yes, I agree but, many of our users will confine themselves to installing the certificates and keys by means of the appropriate packages – with “mokutil --import ???.crt --root-pw”.
# cd /etc/uefi/certs/
# mokutil --password
# mokutil --import «*the new key*»
# systemctl reboot
Such are the woes of using machines which are not setup with US QWERTY keyboards … >:)
I tried using the 1.36 Virtualbox update again today.
If the USB setting is anything other than USB 1.1, the guest Windows 10 vm fails to start with the NS_ERROR_FAILURE of the thread title.
I can set USB 1.1, get the VM running, and then update the guest vm to the 1.36 guest additions. This guest additions update succeeds, but I still cannot start the guest VM with a higher level of USB support. I tried with or without a device filter in place limiting access to a USB webcam. When I try the win10 camera app using USB 1.1, the app complains that the camera is reserved for some other program.
I’m not having an issue with secure boot, and my kernel module and startup info looks like the above success case.
Ok, I did not fully understand the question on Extensions - I see that I am running a 1.32 Extension Pack and I am now looking into updating that. That’s likely the issue.
Have you installed the Virtualbox-Extensions in the Host?
I did not realize the significance of the earlier question on Extensions. I now see that I needed to perform a separate download from Virtualbox.org and get the 1.36 Extension Pack. The issue of USB support went away after downloading and installing updated Extensions. (Virtualbox Manager/File menu/Preferences…/Extensions/+).
I had this issue a couple days ago with a W7 VM. VBox extensions where v1.34 or 1.32, I don’t recall. Updatied to 1.36, same as Vbox version, and the VM started OK.
Thanks. Installing the new Extensions works perfectly. I’ve failed to notice that VirtualBox was updated in the first place.