This issue happens only on UEFI systems with enabled Secure Boot.
When I try to install DKMS modules like VirtualBox, Nvidia, or Broadcom drivers, they do not install and I get Required key not available when I try to modprobe them.
VirtualBox complains that vboxdrv is not loaded.
Broadcom wl driver is shown in lspci -k as a kernel module but is not in use. sudo modprobe wl throws Required key not available.
Also this issue may happen when I install some kernel modules from git sources.
This issue may appear after a kernel update as disabled wireless adapter, black screen after a reboot, etc.
How can I fix it?
Since Ubuntu kernel 4.4.0-20 the
EFI_SECURE_BOOT_SIG_ENFORCEkernel config has been enabled. That prevents from loading unsigned third party modules if UEFI Secure Boot is enabled.The easiest way to fix this issue is to disable Secure Boot in UEFI (BIOS) settings.
In most cases you can get into UEFI settings using grub menu. Press ESC button on booting, get into grub menu and select System Setup. Secure Boot option should be in "Security" or "Boot" section of the UEFI.
You can get into UEFI directly, but it depends on your hardware. Read your computer manual to see how to get there. It may be Del, or F2 on boot, or something else.
An alternative way is to disable Secure Boot using
mokutil.Since Ubuntu kernel build 4.4.0-21.37 this can be fixed by running
It will require to create a password. The password should be at least 8 characters long. After you reboot, UEFI will ask if you want to change security settings. Choose "Yes".
Then you will be asked to enter the previously created password. Some UEFI firmware asks not for the full password, but to enter some characters of it, like 1st, 3rd, etc. Be careful. Some people do not understand this. I did not get it from the first attempt either ;-)
Update: Now this kernel config is enabled in all supported Ubuntu kernels. Ubuntu 16.04, 15.10 and 14.04 are affected.
As suggested by user @zwets, I'm copying (with edits) an answer here:
Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. If you'd want to keep Secure Boot and also run these modules, then the next logical step is to sign those modules.
So let's try it.
Create signing keys
Sign the module
Note 1: There can be multiple files to be signed for a single driver/module, so
/path/to/modulemay need to be replaced with$(modinfo -n <modulename>), e.g.$(modinfo -n vboxdrv)Note 2:
sudo kmodsign sha512 ./MOK.priv ./MOK.der /path/to/moduleis an alternative ifsign-fileis not available.Register the keys to Secure Boot
Supply a password for later use after reboot
Rebootand follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.If the key has been enrolled properly, it will show up under
sudo mokutil --list-enrolled.Please let me know if your modules would run this way on Ubuntu 16.04 (on kernel 4.4.0-21, I believe).
Resources: Detailed website article for Fedora and Ubuntu implementation of module signing. (they've been working on it) ;-)
Additional resource: I created a bash script for my own use every time
virtualbox-dkmsupgrades and thus overwrites the signed modules. Check out myvboxsignoriginally on GitHub.Additional note for the security (extra-)conscious: ;-)
Since the private key you created (
MOK.privin this example) can be used by anyone who can have access to it, it is good practice to keep it secure. You maychmodit, encrypt (gpg) it, or store it somewhere else safe(r). Or, as noted in this comment, remove the option-nodesin step number 1. This will encrypt the key with a passphrase.You can disable Secure Boot (UEFI) in the BIOS with the following steps:
Reboot your machine and enter the BIOS Menu (In my case pressing F2)
Search for Secure Boot and change to Legacy
In an ASUS motherboard:
You can also Disable Secure Boot in shim-signed running
sudo update-secureboot-policy. This wiki page explains this method: