Modprobe error: Required key not available
jlam55555 opened this issue · 1 comments
"Bug" Description
When installing on a system with UEFI Secure Boot enabled (and kernel configuration module.sig_enforce=1), this error may occur during installation:
modprobe veikk
modprobe: ERROR: could not insert 'veikk': Required key not available
Makefile:13: recipe for target 'install' failed
make: *** [install] Error 1
Secure Boot requires all binaries to be signed by a trusted key; disabling it allows for unsigned modules to be installed. This is not an error specific to this driver: this is true for many drivers for Windows and Linux (e.g., Nvidia, Virtualbox). Feel free to use any guides provided by either driver vendors, some of which are listed at the end; the following is a summary of the two main solutions.
Solutions
Solution 1: Disable Secure Boot
Disable Secure Boot from the BIOS, then reinstall normally. This allows unsigned modules to be signed.
(This is similar to the Windows option to allow installation of unsigned modules; see section 13 of the Veikk FAQ.)
Solution 2: Manually sign the driver.
Warning: This is more advanced. Your mileage may vary. This specific tutorial is adapted from this blog post. See the blog post for a more detailed description and images.
1. First, make sure mokutil and openssl are installed (command for Ubuntu):
sudo apt install mokutil openssl
2. Paste the following command into the terminal after changing the credentials in the [ req_distinguished_name ] section. This will generate a configuration for the generated key.
cat >>/tmp/x509.conf <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = extensions

[ req_distinguished_name ]
O = Example, Inc.
CN = Example, Inc. Kernel signing key
emailAddress = jdoe@example.com

[ extensions ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
3. Generate the key with openssl and enroll it with mokutil:
sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 99999 -batch -config /tmp/x509.conf -outform DER -out pubkey.der -keyout priv.key
sudo mokutil --import pubkey.der
4. Reboot your computer. You will be greeted with the MokManager (see the blog post for images). Select "Enroll MOK" -> "Continue" -> "Yes" -> create a password for the MOK -> "Reboot"
5. If you haven't already, install the module normally. The error will still exist -- this is okay, because we're about to sign it and then load it.
make
sudo make install
6. (Additional step not in the blog post for newer kernels, most likely can skip this step): Check the format of the compiled file using modinfo -n veikk. If it ends in .ko.xz rather than .ko, you need to decompress the file first, and then reload modules.dep. If it ends in .ko, skip this step.
# only if it ends in .ko.xz
sudo xz --decompress $(modinfo -n veikk)
sudo depmod
7. Sign the file with the enrolled key.
# sudo is needed: priv.key was created by root in step 3 and the module lives under /lib/modules
sudo /lib/modules/$(uname -r)/scripts/sign-file sha256 priv.key pubkey.der $(modinfo -n veikk)
8. Load the module. If successful, it should give you no errors:
sudo modprobe veikk
If this method does not work for you, disabling Secure Boot may be the way to go.
Other guides to loading unsigned modules
- Signing Linux Kernel Modules and enforce to load only signed Modules
- How to install nvidia driver with secure boot enabled?
- Kernel module signing facility
- Why do I get “Required key not available” when install 3rd party kernel modules or after a kernel upgrade?
- VirtualBox + Secure Boot + Ubuntu = fail
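Added example, not part of the original issue or the driver's code: a check to run between the signing step and modprobe that tells whether the module file actually carries an appended signature, including the .ko.xz case from step 6. The function names (module_bytes, is_signed_module, report_module) are hypothetical; the marker string is the trailer that sign-file appends to a signed module.

```shell
#!/bin/sh
# Added example (not from the original issue): check whether a kernel module
# file carries the appended-signature trailer that sign-file writes.

# Signed modules end with this 27-character string plus a newline (28 bytes).
MODSIG_MARKER='~Module signature appended~'

# module_bytes FILE: write the module's contents to stdout, decompressing
# .ko.xz first (the .xz container hides the trailer of the inner .ko).
module_bytes() {
    case "$1" in
        *.xz) xz --decompress --stdout -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# is_signed_module FILE: 0 if the trailer is present, 1 if not, 2 if unreadable.
# Presence of the trailer does not prove the signature verifies against an
# enrolled key; the kernel makes that decision when the module is loaded.
is_signed_module() {
    [ -r "$1" ] || return 2
    tail_text=$(module_bytes "$1" | tail -c 28 | tr -d '\000')
    [ "$tail_text" = "$MODSIG_MARKER" ]
}

# report_module NAME_OR_PATH: hypothetical helper; resolves a module name with
# `modinfo -n` when the argument is not an existing file, then prints a verdict.
report_module() {
    path=$1
    [ -f "$path" ] || path=$(modinfo -n "$1") || return 2
    if is_signed_module "$path"; then
        echo "signed:   $path"
    else
        echo "UNSIGNED: $path (modprobe will fail under sig_enforce)"
        return 1
    fi
}
```

After sourcing the file, `report_module veikk` gives the verdict for the installed driver; `mokutil --test-key pubkey.der` separately reports whether the key from step 3 is enrolled.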
In step 7, I needed to replace /lib/modules/$(uname -r) with sudo /usr/src/linux-headers-5.8.0-59-generic.
Got this solution from here.