Ubuntu – Ubuntu 16.04 kernel 4.4.0-21 not loading nvidia/vboxdrv modules anymore (Required key not available)

driverskernelnvidia

The latest kernel for Ubuntu 16.04 (4.4.0-21) doesn't load the nvidia (and vboxdrv) module anymore.

$ sudo modprobe -v nvidia
insmod /lib/modules/4.4.0-21-generic/updates/dkms/nvidia_361.ko 
modprobe: ERROR: could not insert 'nvidia_361': Required key not available

With 4.4.0-18 it still works. What has changed? How do I fix the problem?

Best Answer

There is a way to leave secure boot on and use proprietary kernel modules like NVidia or VirtualBox. First download xca app:

sudo apt install xca

Then create new database and generate new key. Next generate CA certificate from that private key. Export private key to PEM format and CA public cert to DER format. Import CA cert to MOK database:

sudo mokutil --import CAcert.cer

Program asks you for password for MOK database. After reboot MOKManager will be executed before GRUB. Select Enroll keys, select cert that you add before and enter password for confirmation. After that your CA cert is added to MOK database. Reboot.

Next find sign-file program in kernel headers scripts directory. For me it is in:

/usr/src/linux-headers-4.4.0-22-lowlatency/scripts/sign-file

Now sign all kernel modules in /lib/modules/4.4.0-22-lowlatency/updates/dkms/. For example:

/usr/src/linux-headers-4.4.0-22-lowlatency/scripts/sign-file sha256 CA.pem CAcert.cer /lib/modules/4.4.0-22-lowlatency/updates/dkms/nvidia_361.ko

After that you will be able to load module without Required key not available error.

After install new kernel or new version of module kernels from dkms directory you must repeat signing procedure.

Links to read to clarify:

https://wiki.ubuntu.com/SecurityTeam/SecureBoot

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html

Related Solutions

Ubuntu – Ubuntu stops using Nvidia driver after kernel upgrade

when there is a new kernel-update by update-manager, then simply after reboot - with ubuntu-package manager uninstall nvidia-drivers (and bumblebee) - then install nvidia-drivers again.

this looks inconvenient, but its easier ?!

Ubuntu – get “Required key not available” when install 3rd party kernel modules or after a kernel upgrade

Since Ubuntu kernel 4.4.0-20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel config has been enabled. That prevents from loading unsigned third party modules if UEFI Secure Boot is enabled.

The easiest way to fix this issue is to disable Secure Boot in UEFI (BIOS) settings.

In most cases you can get into UEFI settings using grub menu. Press ESC button on booting, get into grub menu and select System Setup. Secure Boot option should be in "Security" or "Boot" section of the UEFI.

You can get into UEFI directly, but it depends on your hardware. Read your computer manual to see how to get there. It may be Del, or F2 on boot, or something else.

An alternative way is to disable Secure Boot using mokutil.

Since Ubuntu kernel build 4.4.0-21.37 this can be fixed by running

sudo apt install mokutil
sudo mokutil --disable-validation

It will require to create a password. The password should be at least 8 characters long. After you reboot, UEFI will ask if you want to change security settings. Choose "Yes".

Then you will be asked to enter the previously created password. Some UEFI firmware asks not for the full password, but to enter some characters of it, like 1st, 3rd, etc. Be careful. Some people do not understand this. I did not get it from the first attempt either ;-)

Update: Now this kernel config is enabled in all supported Ubuntu kernels. Ubuntu 16.04, 15.10 and 14.04 are affected.

Best Answer

Related Solutions

Ubuntu – Ubuntu stops using Nvidia driver after kernel upgrade

Ubuntu – get “Required key not available” when install 3rd party kernel modules or after a kernel upgrade

Related Question