Introduction

When Secure Boot is enabled in UEFI firmware, the Linux kernel refuses to load kernel modules that are not signed with a trusted key. This causes third-party drivers (NVIDIA, VirtualBox, ZFS, WireGuard out-of-tree modules) to fail with Required key not available errors. The kernel log shows Loading of unsigned module is rejected or module verification failed: signature and/or required key missing.

Symptoms

  • modprobe fails with Operation not permitted or Required key not available
  • dmesg shows Loading of unsigned module is rejected
  • NVIDIA driver fails to load: NVRM: module verification failed
  • VirtualBox vboxdrv module refuses to load
  • DKMS builds succeed but module load fails

Common Causes

  • Secure Boot enabled in UEFI/BIOS settings
  • Third-party kernel modules not signed with a Machine Owner Key (MOK)
  • DKMS auto-build after kernel update produces unsigned modules
  • Self-signed key not enrolled in the UEFI Secure Boot database
  • Kernel compiled with CONFIG_MODULE_SIG_FORCE=y

Step-by-Step Fix

  1. Check Secure Boot status:

```bash
mokutil --sb-state
# Output: SecureBoot enabled
```

  2. Option A: Enroll a new Machine Owner Key (MOK):

```bash
# Generate a signing key pair
# (-nodes leaves MOK.priv unencrypted on disk; keep it readable by root only)
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv \
    -outform DER -out MOK.der -nodes -days 3650 \
    -subj "/CN=My Kernel Module Signing Key/"

# Enroll the key (requires reboot)
sudo mokutil --import MOK.der
# Set a password when prompted, then reboot to complete enrollment
```

  3. Sign the module with the MOK:

```bash
# sign-file arguments: hash algorithm, private key, certificate, module file
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file \
    sha256 ./MOK.priv ./MOK.der \
    "$(modinfo -n nvidia)"
# Verify signature
modinfo nvidia | grep signature
```

  4. Sign all DKMS modules at once:

```bash
# This command signs the nvidia module; repeat it for each DKMS-built module name
sudo kmodsign sha512 ./MOK.priv ./MOK.der \
    "$(modinfo -F filename nvidia 2>/dev/null)"
```

  5. Option B: Disable Secure Boot (if signing is not practical):
     - Reboot and enter UEFI/BIOS setup
     - Navigate to Secure Boot settings
     - Change Secure Boot to Disabled
     - Save and reboot

  6. Configure DKMS to auto-sign modules with MOK:

```bash
# Add signing configuration to dkms
sudo cp MOK.priv /var/lib/dkms/mok.key
sudo cp MOK.der /var/lib/dkms/mok.crt
# Edit /etc/default/dkms or dkms.conf to reference the key
```
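
The script below is an added example, not part of the original page. It lists module files under a directory that lack the kernel's appended-signature marker, which catches the "DKMS builds succeed but module load fails" case before a reboot. The function names and the directory argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): find kernel modules with no
# appended signature. Function names and the directory argument are assumptions.

# A signed module ends with this marker followed by a newline (28 bytes total).
MODSIG_MAGIC='~Module signature appended~'

# Write the uncompressed module to stdout; compressed modules carry the
# signature inside the compressed stream, so they must be decompressed first.
read_module() {
    case $1 in
        *.ko)     cat -- "$1" ;;
        *.ko.gz)  gzip -dc -- "$1" ;;
        *.ko.xz)  xz -dc -- "$1" ;;
        *.ko.zst) zstd -dcq -- "$1" ;;
    esac
}

# Return 0 if the module's last 28 bytes are the signature marker.
is_signed() {
    local trailer
    # $(...) strips the trailing newline; tr drops NUL bytes from binary tails.
    trailer=$(read_module "$1" 2>/dev/null | tail -c 28 | tr -d '\0')
    [ "$trailer" = "$MODSIG_MAGIC" ]
}

# Print every module file under directory $1 that is not signed.
list_unsigned() {
    local f
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.gz' \
        -o -name '*.ko.xz' -o -name '*.ko.zst' \) -print | sort |
    while IFS= read -r f; do
        is_signed "$f" || printf '%s\n' "$f"
    done
}

# Run only when a directory is given, e.g. the DKMS output directory
# /lib/modules/$(uname -r)/updates/dkms on Debian/Ubuntu (path is an assumption).
if [ "$#" -gt 0 ]; then
    list_unsigned "$1"
fi
```

The marker only shows that a signature is attached, not that the signing key is trusted; confirm the key is enrolled with mokutil --list-enrolled.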

Prevention

  • Pre-enroll MOK keys before installing third-party drivers
  • Use distribution-packaged drivers that come pre-signed
  • Configure DKMS post-build hooks to auto-sign modules
  • Document Secure Boot requirements in runbooks for new deployments
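  • Consider using mokutil --disable-validation before kernel updates that rebuild modules; this turns off shim's signature validation until it is re-enabled with mokutil --enable-validation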