VirtualBox: Cannot load vboxdrv module after upgrade from Leap 15.1 with secure boot

After upgrading from Leap 15.1 to Leap 15.2 on a Lenovo T490 with secure boot enabled, VirtualBox cannot start virtual machines anymore.
The vboxdrv driver cannot be loaded anymore. See the following outputs:

That’s reported in the virtualbox popup window:


Kernel driver not installed (rc=-1908)

The VirtualBox Linux kernel driver is either not loaded or not set up correctly. Please try setting it up again by executing

'/sbin/vboxconfig'

as root.

If your system has EFI Secure Boot enabled you may also need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them. Please see your Linux system's documentation for more information.

where: suplibOsInit what: 3 VERR_VM_DRIVER_NOT_INSTALLED (-1908) - The support driver is not installed. On linux, open returned ENOENT. 


And here is the text from the details section:


Failed to open a session for the virtual machine Windows7.

The virtual machine 'Windows7' has terminated unexpectedly during startup with exit code 1 (0x1).

Result Code: NS_ERROR_FAILURE (0x80004005)
Component: MachineWrap
Interface: IMachine {85632c68-b5bb-4316-a900-5eb28d3413df}

Manually loading the kernel driver doesn’t work either:


wdf-lap-1443:~ # zypper install virtualbox
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 2 NEW packages are going to be installed:
  virtualbox virtualbox-kmp-default

2 new packages to install.
Overall download size: 31.9 MiB. Already cached: 0 B. After the operation, additional 86.7 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): 
Retrieving package virtualbox-kmp-default-6.1.10_k5.3.18_lp152.18-lp152.1.1.x86_64                                                                      (1/2), 521.8 KiB (  1.7 MiB unpacked)
Retrieving: virtualbox-kmp-default-6.1.10_k5.3.18_lp152.18-lp152.1.1.x86_64.rpm ..........................................................................................[done (15.8 KiB/s)]
Retrieving package virtualbox-6.1.10-lp152.1.1.x86_64                                                                                                   (2/2),  31.4 MiB ( 85.0 MiB unpacked)
Retrieving: virtualbox-6.1.10-lp152.1.1.x86_64.rpm ........................................................................................................................[done (3.0 MiB/s)]

Checking for file conflicts: ..........................................................................................................................................................[done]
(1/2) Installing: virtualbox-kmp-default-6.1.10_k5.3.18_lp152.18-lp152.1.1.x86_64 .....................................................................................................[done]
(2/2) Installing: virtualbox-6.1.10-lp152.1.1.x86_64 ..................................................................................................................................[done]
Additional rpm output:
setting /usr/lib/virtualbox/VBoxNetNAT to root:vboxusers 4750. (wrong permissions 0755)
setting /usr/lib/virtualbox/VBoxNetDHCP to root:vboxusers 4750. (wrong permissions 0755)
setting /usr/lib/virtualbox/VBoxNetAdpCtl to root:vboxusers 4750. (wrong permissions 0755)
setting /usr/lib/virtualbox/VBoxHeadless to root:vboxusers 4750. (wrong permissions 0755)


Executing %posttrans scripts ..........................................................................................................................................................[done]
wdf-lap-1443:~ # ls /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra
vboxdrv.ko  vboxguest.ko  vboxnetadp.ko  vboxnetflt.ko  vboxsf.ko  vboxvideo.ko
wdf-lap-1443:~ # rpm -qf /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko
file /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko is not owned by any package
wdf-lap-1443:~ # modprobe -v vboxdrv
insmod /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko 
modprobe: ERROR: could not insert 'vboxdrv': Operation not permitted
wdf-lap-1443:~ # zypper info virtualbox-kmp-default
Loading repository data...
Reading installed packages...


Information for package virtualbox-kmp-default:
-----------------------------------------------
Repository     : Main Repository
Name           : virtualbox-kmp-default
Version        : 6.1.10_k5.3.18_lp152.18-lp152.1.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 1.7 MiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : virtualbox-6.1.10-lp152.1.1.src
Summary        : Kernel modules for VirtualBox
Description    : 
    VirtualBox is a hosted hypervisor for x86 computers. It supports the
    creation and management of guest virtual machines running versions
    and derivations of Windows, Linux, BSD, OS/2, Solaris, Haiku, OSx86
    and others, and limited virtualization of macOS guests on Apple
    hardware. VirtualBox is freely available as Open Source Software under
    the terms of the GNU Public License (GPL).

Do I have to sign the driver?

Aren’t drivers from the OpenSuse repositories meant to work out of the box?

I had the same experience with OpenSUSE and Virtualbox repository. Has anybody seen this happening also on a clean new installation of LEAP 15.2?

I’m not using virtualbox, so I can’t check any of this.

Question 1: Does it work if you disable secure-boot in your BIOS?

Question 2: Did you, at some time, see a blue screen during boot which offered to enroll a key?

For example, I saw that blue screen on my last boot, after updating the kernel. I told it to enroll the key, and I gave the root password when asked. It enrolled a key with:

SHA1 Fingerprint: f1:c0:8e:27:f3:5f:3f:39:c5:5c:cb:f8:58:18:c6:27:df:49:4e:34

If you ignored that prompt (or just hit enter), then the key was not enrolled.

I’m not sure, but it is possible that this is the key used to sign foreign modules (modules are not part of the standard kernel).

You can check enrolled keys with

mokutil --list-enrolled

As far as I know, signature checking of modules was not done with Leap 15.1, but is done with Leap 15.2.

As a workaround I have put a key into UEFI and signed the kernel modules.
After that the kernel module(s) can be loaded and VirtualBox can start the machine again.


# Module cannot be loaded
wdf-lap-1443:~ # modprobe -v vboxdrv
insmod /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko 
modprobe: ERROR: could not insert 'vboxdrv': Operation not permitted

# Create new key/cert pair:
 openssl req -new -x509 -newkey rsa:2048 -keyout modulesigningkey.pri -outform DER -out modulesigningkey.pub -nodes -days 36500 -subj "/CN=i001385"

# Prepare import to UEFI
mokutil --import modulesigningkey.pub

# Check that cert is prepared for integration into UEFI
mokutil --list-new

# Reboot

# Enroll MOK in UEFI UI

# Reboot

# Check that new key is now in UEFI
mokutil --list-enrolled

# Sign modules
cd /usr/src/linux-obj/x86_64/default/scripts
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxguest.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxnetadp.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxnetflt.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxsf.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxvideo.ko

# Finally load kernel module
wdf-lap-1443:~ # modprobe -v vboxdrv
insmod /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko

# Unload module again
rmmod vboxdrv

# Prepare Virtualbox
/sbin/vboxconfig
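
Added example, not part of the original post or of the openSUSE/VirtualBox tooling: a check for whether each module actually carries the signature trailer that sign-file appends, useful before and after the signing step above. The script name check-modsig.sh and the function names are hypothetical, and it assumes uncompressed .ko files like the ones listed in this thread.

```shell
#!/bin/sh
# Added example: report which kernel modules carry an appended signature.
# sign-file appends: <PKCS#7 signature> <12-byte struct module_signature>
# <28-byte magic string>. Assumes uncompressed .ko files, as in this thread.

MAGIC='~Module signature appended~'   # followed by "\n" in the file

# module_sig_len FILE: print the signature length and return 0 if FILE has a
# well-formed signature trailer; return 1 if it is unsigned or malformed.
module_sig_len() {
  f=$1
  size=$(( $(wc -c < "$f") ))
  [ "$size" -ge 40 ] || return 1
  # Last 28 bytes must be the magic string (NULs dropped to keep sh quiet).
  [ "$(tail -c 28 "$f" | tr -d '\000')" = "$MAGIC" ] || return 1
  # sig_len is the big-endian u32 in the last 4 bytes of the 12-byte struct.
  set -- $(tail -c 32 "$f" | head -c 4 | od -An -tu1)
  len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  # The signature must fit between the module body and the trailer.
  [ "$len" -gt 0 ] && [ "$len" -le $(( size - 40 )) ] || return 1
  echo "$len"
}

# list_unsigned DIR: print every *.ko in DIR that has no valid trailer.
list_unsigned() {
  for m in "$1"/*.ko; do
    [ -e "$m" ] || continue
    module_sig_len "$m" >/dev/null || echo "$m"
  done
}

# Usage: sh check-modsig.sh "$(dirname "$(modinfo -n vboxdrv)")"
if [ $# -gt 0 ]; then
  list_unsigned "$1"
fi
```

A trailer only shows that the module was signed; whether it loads under secure boot depends on the signer's certificate being enrolled, so compare `modinfo -F signer <module>` with the output of `mokutil --list-enrolled`.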

https://bugzilla.opensuse.org/show_bug.cgi?id=1173944

Based on the comments of that bug report, the virtualbox driver was signed by the key “/etc/certs/F1C08E27.crt”, which is the key that I was prompted to enroll after the kernel update.

Vbox kernel modules (and other kernel modules) have been signed for a long time.
You can search this Forum for “sign kernel modules” to display a number of posts over the years.

Looks like an oversight.
Kernel modules can either be signed within each build, or there is a kernel setting that automatically signs all modules during building.
Maintainers will need to sort out why modules weren’t signed for this scenario.
There is also a “permissive” kernel setting that only warns when a module isn’t signed, but I’m not aware anyone has reported warnings (the system still works) before.

TSU

This week I bought a new notebook HP 470 G7. It is not possible to have it without Win 10. I will remove it in the near future. But now I decided to use it with dual boot for a while. I installed openSUSE Leap 15.2 without a problem. I use VirtualBox as my virtualisation tool. The problem was that when I tried to start a virtual machine an error message containing “If your system is using EFI Secure Boot you may need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them.” appeared.
Finally I found this procedure (https://stackoverflow.com/questions/61248315/sign-virtual-box-modules-vboxdrv-vboxnetflt-vboxnetadp-vboxpci-centos-8) how to solve signing of virtualbox modules due to secure boot.

  1. Install kernel-devel package with all dependencies.
  2. Continue according to procedure at https://stackoverflow.com/questions/61248315/sign-virtual-box-modules-vboxdrv-vboxnetflt-vboxnetadp-vboxpci-centos-8
  3. Use this updated sign-virtual-box script in step 5 of the above-mentioned procedure

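#!/bin/bash
# Sign every kernel module in the directory that holds vboxdrv.

# Kernel build tree that ships sign-file: "default" in the running
# kernel's release string is replaced by "obj".
objdir="/usr/src/linux-$(uname -r | sed 's/default/obj/')"

for modfile in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko; do
  echo "Signing $modfile"
  "$objdir/x86_64/default/scripts/sign-file" sha256 \
                                /root/signed-modules/MOK.priv \
                                /root/signed-modules/MOK.der "$modfile"
done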

When using

sign-file ...............

I got a bad password error.

Of course I am not giving a password as nobody seems to use one in this thread.

Any help is welcome.

This has nothing to do with signing kernel.
My bug report is no help. https://bugzilla.opensuse.org/show_bug.cgi?id=1174492
The full story and a workaround is there : https://www.virtualbox.org/ticket/19724
Thanks to ichamel

The short story :

Patch file : patch123.diff → https://paste.opensuse.org/30651673

My Install script → https://paste.opensuse.org/53405695
Run that script after a clean install of virtualbox with dependencies and recommended packages installed.
Run as normal user. root password is asked for issuing sudo.

Thank you everybody for helping.