Why do I get "Required key not available" when install 3rd party kernel modules or after a kernel upgrade?
Since Ubuntu kernel 4.4.0-20 the EFI_SECURE_BOOT_SIG_ENFORCE kernel config has been enabled. That prevents from loading unsigned third party modules if UEFI Secure Boot is enabled.
The easiest way to fix this issue is to disable Secure Boot in UEFI (BIOS) settings.
In most cases you can get into UEFI settings using grub menu. Press ESC button on booting, get into grub menu and select System Setup. Secure Boot option should be in "Security" or "Boot" section of the UEFI.
You can get into UEFI directly, but it depends on your hardware. Read your computer manual to see how to get there. It may be Del, or F2 on boot, or something else.
An alternative way is to disable Secure Boot using mokutil.
Since Ubuntu kernel build 4.4.0-21.37 this can be fixed by running
sudo apt install mokutil
sudo mokutil --disable-validation
It will require to create a password. The password should be at least 8 characters long. After you reboot, UEFI will ask if you want to change security settings. Choose "Yes".
Then you will be asked to enter the previously created password. Some UEFI firmware asks not for the full password, but to enter some characters of it, like 1st, 3rd, etc. Be careful. Some people do not understand this. I did not get it from the first attempt either ;-)
Update: Now this kernel config is enabled in all supported Ubuntu kernels. Ubuntu 16.04, 15.10 and 14.04 are affected.
As suggested by user @zwets, I'm copying (with edits) an answer here:
Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. If you'd want to keep Secure Boot and also run these modules, then the next logical step is to sign those modules.
So let's try it.
Create signing keys
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"Sign the module
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /path/to/module
Note 1: There can be multiple files to be signed for a single driver/module, so /path/to/module may need to be replaced with $(modinfo -n <modulename>), e.g. $(modinfo -n vboxdrv)
Note 2: sudo kmodsign sha512 ./MOK.priv ./MOK.der /path/to/module is an alternative if sign-file is not available.
Register the keys to Secure Boot
sudo mokutil --import MOK.derSupply a password for later use after reboot
Rebootand follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
If the key has been enrolled properly, it will show up under sudo mokutil --list-enrolled.
Please let me know if your modules would run this way on Ubuntu 16.04 (on kernel 4.4.0-21, I believe).
Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. (they've been working on it) ;-)
Additional resource: I created a bash script for my own use every time virtualbox-dkms upgrades and thus overwrites the signed modules. Check out my vboxsign originally on GitHub.
Additional note for the security (extra-)conscious: ;-)
Since the private key you created (MOK.priv in this example) can be used by anyone who can have access to it, it is good practice to keep it secure. You may chmod it, encrypt (gpg) it, or store it somewhere else safe(r). Or, as noted in this comment, remove the option -nodes in step number 1. This will encrypt the key with a passphrase.
You can disable Secure Boot (UEFI) in the BIOS with the following steps:
Reboot your machine and enter the BIOS Menu (In my case pressing F2)
Search for Secure Boot and change to Legacy
In an ASUS motherboard:
- Go to the Advanced Mode (F7)
- Go in the Secure Boot option under the Boot section
- Change "Windows UEFI mode" with "Other OS"
- Save and restart to apply settings (F10)