After upgrade to F42, I cannot load VirtualBox drivers signed modules in the kernel (SecureBoot)

Hi, VirtualBox no longer works after upgrading from F41 to F42 (with Secure Boot enabled). I installed it from the rpmfusion repository. In F41, at each kernel upgrade I had to sign the modules again (vboxdrv, vboxnetadp and vboxnetflt) using a private key enabled in EFI by means of the mokutil tool, and the kernel was able to load the modules.

In F42, instead, the procedure does not work and the kernel (6.14.2) won’t load the modules, even if they have been signed. I have also regenerated the key used to sign the modules and installed it in the EFI.

Any suggestions? I attach here the script I have used to generate the EFI key:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox/"
chmod 600 MOK.priv
mokutil --import MOK.der

and I sign them by the following command

/usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/module-sign/MOK.priv /root/module-sign/MOK.der vboxdrv.ko

If I read it correctly, you were able to sign your modules on F42 again with mokutil, right?

If no, then you may suffer from the same issue I have. Try mokutil --sb-state and see what it says. If it says This system doesn't support Secure Boot., then you won’t be able to sign your kernel modules via mokutil until further notice.

If yes, did you upgrade RPMFusion’s repo to 42 too? As far as I know, they have repos for each specific version. Maybe this helps.

No, I was able to sign modules. The problem is that the kernel won’t load signed modules. Here is the output of a verbose modprobe command:

# modprobe -vv vboxdrv 
modprobe: INFO: libkmod/libkmod.c:391 kmod_set_log_fn() custom logging function 0x564add166cf0 registered
insmod /lib/modules/6.14.2-300.fc42.x86_64/extra/VirtualBox/vboxdrv.ko.xz 
modprobe: INFO: libkmod/libkmod-module.c:973 kmod_module_insert_module() Failed to insert module '/lib/modules/6.14.2-300.fc42.x86_64/extra/VirtualBox/vboxdrv.ko.xz': Invalid argument
modprobe: ERROR: could not insert 'vboxdrv': Invalid argument
modprobe: INFO: libkmod/libkmod.c:358 kmod_unref() context 0x564b11506560 released

Of course, I have upgraded RPM Fusion repository to release 42:

# dnf repolist
...
rpmfusion-free                    RPM Fusion for Fedora 42 - Free               
rpmfusion-free-tainted            RPM Fusion for Fedora 42 - Free tainted       
rpmfusion-free-updates            RPM Fusion for Fedora 42 - Free - Updates     
rpmfusion-nonfree                 RPM Fusion for Fedora 42 - Nonfree            
rpmfusion-nonfree-updates         RPM Fusion for Fedora 42 - Nonfree - Updates

I have Secure Boot still enabled:

# mokutil --sb-state
SecureBoot enabled

My issue is however different. You have Secure Boot set to disabled. In my system it is still enabled, but it won’t load signed drivers.

That’s the thing: I didn’t disable it. When I was on F41, it was activated and worked as expected with kmodgenca and mokutil. And after the upgrade to F42, it got disabled automatically and I can’t turn it back on because it says “This system doesn't support Secure Boot”, which is weird and can’t be right. And Secure Boot is (still) activated in my UEFI settings.

That’s very odd. I hope you can find and solve the issue.

Did you sign all three modules? They are

vboxdrv
vboxnetadp
vboxnetflt

Normally the akmods procedure would take care of all that if you use the package from Rpmfusion.

For information about how this works, read /usr/share/doc/akmods/README.secureboot.

Yes, I have signed all three modules. I have also enrolled the akmods keys as described in the file you cited (README.secureboot). I have also verified, by means of the kernel script extract-mod-sig.pl, that after forcing akmod to rebuild vboxdrv and the other modules, they were signed with the proper key. But the kernel still refuses to load the modules. It seems that there is a problem in the kernel loading process, since the enrolling and signing phases are fine.

/etc/pki/akmods/certs/public_key.der is already enrolled

serial=425D38178D0F0C395867EAA402138E484F7267DB

425D38178D0F0C395867EAA402138E484F7267DB
425D38178D0F0C395867EAA402138E484F7267DB
425D38178D0F0C395867EAA402138E484F7267DB
× vboxdrv.service - Linux kernel module init script
     Loaded: loaded (/usr/lib/systemd/system/vboxdrv.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf, 50-keep-warm.conf
     Active: failed (Result: exit-code) since Fri 2025-04-18 17:51:39 CEST; 57min ago
 Invocation: 52560866c7044d3b82ff7a16173119dc
    Process: 1407 ExecStart=/sbin/modprobe vboxdrv (code=exited, status=1/FAILURE)
   Main PID: 1407 (code=exited, status=1/FAILURE)
   Mem peak: 1.3M
        CPU: 5ms

apr 18 17:51:39 andymema systemd[1]: Starting vboxdrv.service - Linux kernel module init script...
apr 18 17:51:39 andymema modprobe[1407]: modprobe: ERROR: could not insert 'vboxdrv': Invalid argument
apr 18 17:51:39 andymema systemd[1]: vboxdrv.service: Main process exited, code=exited, status=1/FAILURE
apr 18 17:51:39 andymema systemd[1]: vboxdrv.service: Failed with result 'exit-code'.
apr 18 17:51:39 andymema systemd[1]: Failed to start vboxdrv.service - Linux kernel module init script.

Perhaps I have already set this, if this is equivalent to /etc/default/grub line


GRUB_CMDLINE_LINUX="rhgb quiet kvm.enable_virt_at_load=0"

Hello everyone,

as a small hint with the change to Fedora 42 please note:

Only sha512 signed modules are accepted in the kernel config “/boot/config-6.14.2-300.fc42.x86_64”:

# CONFIG_MODULE_SIG_SHA256 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_COMPRESS=y
CONFIG_MODULE_COMPRESS_XZ=y

Unfortunately, this does not fix the error “decompression failed with status 6” in dmesg, but it could be a step in the right direction.

The script for signing should be adapted as follows:

/usr/src/kernels/$(uname -r)/scripts/sign-file sha512 /root/module-sign/MOK.priv /root/module-sign/MOK.der vboxdrv.ko

Best regards


The decompression issue was fixed a while back in kmodtool. Does dkms also compress the modules?

Thanks a lot, that’s the solution.

Now I have modified this script [1] for the Fedora 42 environment:

#!/bin/bash
# Re-sign the VirtualBox modules with the MOK key, then recompress them.

# Until Fedora41:
#readonly hash_algo='sha256'
# Since Fedora42:
readonly hash_algo='sha512'
readonly key='/path/to/MOK.priv'
readonly x509='/path/to/MOK.der'

readonly name="$(basename "$0")"
readonly esc='\e'
readonly reset="${esc}[0m"

green() { local string="${1}"; echo "${esc}[32m${string}${reset}"; }
blue() { local string="${1}"; echo "${esc}[34m${string}${reset}"; }
# echo -e turns the \e sequences built above into terminal colours.
log() { local string="${1}"; echo -e "[$(blue "$name")] ${string}"; }

# The exact location of `sign-file` might vary depending on your platform.
readonly sign_file="/usr/src/kernels/$(uname -r)/scripts/sign-file"

# sign-file takes the key passphrase from KBUILD_SIGN_PIN; -s keeps it off the screen.
if [ -z "${KBUILD_SIGN_PIN}" ]; then
    read -r -s -p "Passphrase for ${key}: " KBUILD_SIGN_PIN
    echo
fi
export KBUILD_SIGN_PIN

for module in "$(dirname "$(modinfo -n vboxdrv)")"/*.ko.xz; do
    path=$(dirname "${module}")
    decompressed=$(basename "${module}" .xz)
    # sign-file works on the uncompressed .ko, so unpack first.
    if [[ "${module}" == *.xz ]]; then
        log "decompress module ${module}"
        xz -d "${module}"
    fi
    log "Signing $(green "${module}")..."
    "${sign_file}" "${hash_algo}" "${key}" "${x509}" "${path}/${decompressed}"
    if [[ "${module}" == *.xz ]]; then
        log "recompress module ${module}"
        # Until Fedora41:
        #xz "${path}/${decompressed}"
        # Since Fedora42:
        xz --compress --check=crc32 --lzma2=dict=1MiB "${path}/${decompressed}"
    fi
done

It works for me. Good luck to everyone else.

Best regards



Thank you very much! This is the correct solution:

  1. replace sha256 with sha512
  2. add flags --check=crc32 --lzma2=dict=1MiB to xz compress command.

I have simply modified the following two lines in my script:

/usr/src/kernels/$(uname -r)/scripts/sign-file sha512 /root/module-sign/MOK.priv /root/module-sign/MOK.der "${module_basename}"
xz --compress --check=crc32 --lzma2=dict=1MiB -f "${module_basename}"

and now it works like a charm!

I suppose that the RPM akmod-VirtualBox needs to be fixed in this way, correct? Perhaps the RPM akmods also?

akmods uses kmodtool, so it was fixed by my commit.

I suppose that only rpmfusion akmod-VirtualBox package has to be fixed then.

No, it’s fixed by the kmodtool commit

So, why does inserting an akmod-generated module into the kernel give an error, even if the akmod keys have been enrolled in the EFI BIOS?

Maybe you have been affected by this upgrade issue. Did you use discovery, gnome-software or system-upgrade?

sudo depmod -ae

Yes, I have used dnf system-upgrade to upgrade Fedora from 41 to 42 release.

After executing depmod -ae and rebuilding the VirtualBox module (akmods --rebuild), the vboxdrv module is now loaded without error. Thank you.

CONCLUSION

  1. if using self-signed modules, the solution is to add proper flags to sign and compress the module, as suggested by Chris (post #13, my procedure is in post #14)

  2. if using akmod generated modules after an upgrade, a depmod followed by rebuilding modules fixes the issue, as reported by Leigh (post #19).
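
A pre-flight check for the two mismatches identified in this thread, as an added example that is not part of any post: it compares a module's signature hash with the kernel's CONFIG_MODULE_SIG_HASH and reads the xz stream header to see which integrity check the file was compressed with. The function names, the constructed sample files and the `modinfo -F sig_hashalgo` call in the closing comment are assumptions of this example.

```shell
#!/bin/bash
# Check a module against the two fixes from this thread: sha512 signature, crc32 xz check.

# Print the hash the kernel was built to expect, e.g. "sha512".
config_sig_hash() {            # $1 = kernel config file
    sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "$1"
}

# Print the integrity-check type stored in the .xz stream header.
# Header layout: 6 magic bytes, 1 zero byte, 1 byte holding the check ID.
xz_check_type() {              # $1 = .xz file
    local magic flag
    magic=$(od -An -tx1 -N6 "$1" | tr -d ' \n')
    [ "$magic" = "fd377a585a00" ] || { echo not-xz; return 1; }
    flag=$(od -An -tx1 -j7 -N1 "$1" | tr -d ' \n')
    case "$flag" in
        00) echo none ;;
        01) echo crc32 ;;
        04) echo crc64 ;;      # xz's default when --check is not given
        0a) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# Report every mismatch; return non-zero if any is found.
check_module() {               # $1 = config, $2 = module sig_hashalgo, $3 = .ko.xz
    local want check rc=0
    want=$(config_sig_hash "$1")
    check=$(xz_check_type "$3") || true
    [ "$2" = "$want" ] || { echo "hash mismatch: module=$2 kernel=$want"; rc=1; }
    [ "$check" = crc32 ] || { echo "xz check is $check, expected crc32"; rc=1; }
    [ "$rc" -ne 0 ] || echo OK
    return "$rc"
}

# Constructed sample input: a config excerpt and two 8-byte xz stream headers.
make_samples() {               # $1 = scratch directory
    printf '%s\n' '# CONFIG_MODULE_SIG_SHA256 is not set' \
        'CONFIG_MODULE_SIG_HASH="sha512"' > "$1/config"
    printf '\375\067\172\130\132\000\000\001' > "$1/crc32.ko.xz"
    printf '\375\067\172\130\132\000\000\004' > "$1/crc64.ko.xz"
}

# Real system (assumed usage): check_module "/boot/config-$(uname -r)" \
#     "$(modinfo -F sig_hashalgo vboxdrv)" "$(modinfo -n vboxdrv)"
tmp=$(mktemp -d); make_samples "$tmp"
check_module "$tmp/config" sha256 "$tmp/crc64.ko.xz" || true   # both mismatches
check_module "$tmp/config" sha512 "$tmp/crc32.ko.xz"; rm -rf "$tmp"
```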