After upgrading from Leap 15.1 to Leap 15.2 on a Lenovo T490 with secure boot enabled, VirtualBox cannot start virtual machines anymore.
The vboxdrv driver cannot be loaded anymore. See the following outputs:
That’s reported in the virtualbox popup window:
Kernel driver not installed (rc=-1908)
The VirtualBox Linux kernel driver is either not loaded or not set up correctly. Please try setting it up again by executing
'/sbin/vboxconfig'
as root.
If your system has EFI Secure Boot enabled you may also need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them. Please see your Linux system's documentation for more information.
where: suplibOsInit what: 3 VERR_VM_DRIVER_NOT_INSTALLED (-1908) - The support driver is not installed. On linux, open returned ENOENT.
And here is the text from the details section:
Failed to open a session for the virtual machine Windows7.
The virtual machine 'Windows7' has terminated unexpectedly during startup with exit code 1 (0x1).
Result Code: NS_ERROR_FAILURE (0x80004005)
Component: MachineWrap
Interface: IMachine {85632c68-b5bb-4316-a900-5eb28d3413df}
Manually loading the kernel driver doesn’t work either:
wdf-lap-1443:~ # zypper install virtualbox
Loading repository data...
Reading installed packages...
Resolving package dependencies...
The following 2 NEW packages are going to be installed:
virtualbox virtualbox-kmp-default
2 new packages to install.
Overall download size: 31.9 MiB. Already cached: 0 B. After the operation, additional 86.7 MiB will be used.
Continue? [y/n/v/...? shows all options] (y):
Retrieving package virtualbox-kmp-default-6.1.10_k5.3.18_lp152.18-lp152.1.1.x86_64 (1/2), 521.8 KiB ( 1.7 MiB unpacked)
Retrieving: virtualbox-kmp-default-6.1.10_k5.3.18_lp152.18-lp152.1.1.x86_64.rpm ..........................................................................................[done (15.8 KiB/s)]
Retrieving package virtualbox-6.1.10-lp152.1.1.x86_64 (2/2), 31.4 MiB ( 85.0 MiB unpacked)
Retrieving: virtualbox-6.1.10-lp152.1.1.x86_64.rpm ........................................................................................................................[done (3.0 MiB/s)]
Checking for file conflicts: ..........................................................................................................................................................[done]
(1/2) Installing: virtualbox-kmp-default-6.1.10_k5.3.18_lp152.18-lp152.1.1.x86_64 .....................................................................................................[done]
(2/2) Installing: virtualbox-6.1.10-lp152.1.1.x86_64 ..................................................................................................................................[done]
Additional rpm output:
setting /usr/lib/virtualbox/VBoxNetNAT to root:vboxusers 4750. (wrong permissions 0755)
setting /usr/lib/virtualbox/VBoxNetDHCP to root:vboxusers 4750. (wrong permissions 0755)
setting /usr/lib/virtualbox/VBoxNetAdpCtl to root:vboxusers 4750. (wrong permissions 0755)
setting /usr/lib/virtualbox/VBoxHeadless to root:vboxusers 4750. (wrong permissions 0755)
Executing %posttrans scripts ..........................................................................................................................................................[done]
wdf-lap-1443:~ # ls /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra
vboxdrv.ko vboxguest.ko vboxnetadp.ko vboxnetflt.ko vboxsf.ko vboxvideo.ko
wdf-lap-1443:~ # rpm -qf /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko
file /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko is not owned by any package
wdf-lap-1443:~ # modprobe -v vboxdrv
insmod /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko
modprobe: ERROR: could not insert 'vboxdrv': Operation not permitted
wdf-lap-1443:~ # zypper info virtualbox-kmp-default
Loading repository data...
Reading installed packages...
Information for package virtualbox-kmp-default:
-----------------------------------------------
Repository : Main Repository
Name : virtualbox-kmp-default
Version : 6.1.10_k5.3.18_lp152.18-lp152.1.1
Arch : x86_64
Vendor : openSUSE
Installed Size : 1.7 MiB
Installed : Yes (automatically)
Status : up-to-date
Source package : virtualbox-6.1.10-lp152.1.1.src
Summary : Kernel modules for VirtualBox
Description :
VirtualBox is a hosted hypervisor for x86 computers. It supports the
creation and management of guest virtual machines running versions
and derivations of Windows, Linux, BSD, OS/2, Solaris, Haiku, OSx86
and others, and limited virtualization of macOS guests on Apple
hardware. VirtualBox is freely available as Open Source Software under
the terms of the GNU Public License (GPL).
Do I have to sign the driver?
Aren’t drivers from the openSUSE repositories meant to work out of the box?
I’m not using virtualbox, so I can’t check any of this.
Question 1: Does it work if you disable secure-boot in your BIOS?
Question 2: Did you, at some time, see a blue screen during boot which offered to enroll a key?
For example, I saw that blue screen on my last boot, after updating the kernel. I told it to enroll the key, and I gave the root password when asked. It enrolled a key with:
As a workaround I have put a key into UEFI and signed the kernel modules.
After that the kernel module(s) can be loaded and VirtualBox can start the machine again.
# Module cannot be loaded
wdf-lap-1443:~ # modprobe -v vboxdrv
insmod /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko
modprobe: ERROR: could not insert 'vboxdrv': Operation not permitted
# Create new key/cert pair:
openssl req -new -x509 -newkey rsa:2048 -keyout modulesigningkey.pri -outform DER -out modulesigningkey.pub -nodes -days 36500 -subj "/CN=i001385"
# Prepare import to UEFI
mokutil --import modulesigningkey.pub
# Check that cert is prepared for integration into UEFI
mokutil --list-new
# Reboot
# Enroll MOK in UEFI UI
# Reboot
# Check that new key is now in UEFI
mokutil --list-enrolled
# Sign modules
cd /usr/src/linux-obj/x86_64/default/scripts
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxguest.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxnetadp.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxnetflt.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxsf.ko
./sign-file sha512 /home/i001385/keys/modulesigningkey.pri /home/i001385/keys/modulesigningkey.pub /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxvideo.ko
# Finally load kernel module
wdf-lap-1443:~ # modprobe -v vboxdrv
insmod /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra/vboxdrv.ko
# Unload module again
rmmod vboxdrv
# Prepare Virtualbox
/sbin/vboxconfig
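A check that complements the signing steps above, as an added example that is not part of the original post: it reports which `.ko` files in a directory carry an appended module signature and, where `modinfo` is available, who signed them. The function names are hypothetical, the sample files are constructed, and it assumes uncompressed `.ko` files as in the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): find kernel modules that lack an
# appended signature. Function names are hypothetical.
# A signed module file ends with this 27-character marker followed by a
# newline (28 bytes in total).
SIG_MARKER='~Module signature appended~'

# is_signed FILE: exit 0 if FILE ends with the signature marker.
is_signed() {
    # $(...) strips the final newline; tr drops NUL bytes from binary tails.
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$SIG_MARKER" ]
}

# list_unsigned DIR: print the file name of every unsigned *.ko in DIR.
list_unsigned() {
    for ko in "$1"/*.ko; do
        [ -f "$ko" ] || continue
        is_signed "$ko" || basename "$ko"
    done
}

# report DIR: one line per module; the signer comes from modinfo if present.
report() {
    for ko in "$1"/*.ko; do
        [ -f "$ko" ] || continue
        name=$(basename "$ko")
        if is_signed "$ko"; then
            signer=$(modinfo -F signer "$ko" 2>/dev/null) || signer=
            printf '%-16s signed    signer=%s\n' "$name" "${signer:-unknown}"
        else
            printf '%-16s UNSIGNED\n' "$name"
        fi
    done
}

# Constructed sample, not real modules: one file without and one with the
# marker, so the script runs on any machine.
demo=$(mktemp -d)
printf 'fake-module-bytes' > "$demo/vboxdrv.ko"
printf 'fake-module-bytes~Module signature appended~\n' > "$demo/vboxnetflt.ko"
report "$demo"
rm -rf "$demo"
```

On the system from the thread the directory to pass to `report` would be /lib/modules/5.3.18-lp152.20.7-default/weak-updates/extra. The marker only shows that a signature is attached, so compare the reported signer with the output of `mokutil --list-enrolled` to confirm the key is one the firmware trusts.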
Based on the comments of that bug report, the virtualbox driver was signed by the key “/etc/certs/F1C08E27.crt”, which is the key that I was prompted to enroll after the kernel update.
Vbox kernel modules (and other kernel modules) have been signed for a long time.
You can search this Forum for “sign kernel modules” to display a number of posts over the years.
Looks like an oversight.
Kernel modules can either be signed within each build, or there is a kernel setting that automatically signs all modules during building.
Maintainers will need to sort out why modules weren’t signed for this scenario.
There is also a “permissive” kernel setting that only warns when a module isn’t signed, but I’m not aware anyone has reported warnings (the system still works) before.
This week I bought a new notebook, an HP 470 G7. It is not possible to have it without Win 10. I will remove it in the near future. But for now I decided to use it with dual boot for a while. I installed openSUSE Leap 15.2 without a problem. I use VirtualBox as my virtualisation tool. The problem was that when I tried to start a virtual machine, an error message containing “If your system is using EFI Secure Boot you may need to sign the kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load them.” appeared.
Finally I found this procedure (https://stackoverflow.com/questions/61248315/sign-virtual-box-modules-vboxdrv-vboxnetflt-vboxnetadp-vboxpci-centos-8) on how to solve signing of the VirtualBox modules due to secure boot.
Install kernel-devel package with all dependencies.
My Install script → https://paste.opensuse.org/53405695
Run that script after a clean install of virtualbox with dependencies and recommended packages installed.
Run as normal user. root password is asked for issuing sudo.