Modprobe error: Required key not available #3

jlam55555 opened this issue Jun 12, 2019 · 1 comment
Labels
wontfix This will not be worked on

Comments

@jlam55555
Owner

jlam55555 commented Jun 12, 2019

"Bug" Description

When installing on a system with UEFI Secure Boot enabled (and kernel configuration module.sig_enforce=1), this error may occur during installation:

    modprobe veikk
    modprobe: ERROR: could not insert 'veikk': Required key not available
    Makefile:13: recipe for target 'install' failed
    make: *** [install] Error 1

Secure Boot requires all binaries to be signed by a trusted key; disabling it allows for unsigned modules to be installed. This is not an error specific to this driver: this is true for many drivers for Windows and Linux (e.g., Nvidia, Virtualbox). Feel free to use any guides provided by either driver vendors, some of which are listed at the end; the following is a summary of the two main solutions.

Solutions

Solution 1: Disable Secure Boot

Disable Secure Boot from the BIOS, then reinstall normally. This allows unsigned modules to be signed.

(This is similar to the Windows option to allow installation of unsigned modules; see section 13 of the Veikk FAQ.)

Solution 2: Manually sign the driver.

Warning: This is more advanced. Your mileage may vary. This specific tutorial is adapted from this blog post. See the blog post for a more detailed description and images.

  1. First, make sure mokutil and openssl are installed (command for Ubuntu):

     sudo apt install mokutil openssl
    
  2. Paste the following command into the terminal after changing the credentials in the [ req_distinguished_name ] section. This will generate a configuration for the generated key.

    # overwrite (not append) so re-running this step does not duplicate the sections
    cat >/tmp/x509.conf <<EOF
    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    prompt = no
    string_mask = utf8only
    x509_extensions = extensions
    
    [ req_distinguished_name ]
    O = Example, Inc.
    CN = Example, Inc. Kernel signing key
    emailAddress = jdoe@example.com
    
    [ extensions ]
    basicConstraints=critical,CA:FALSE
    keyUsage=digitalSignature
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid
    EOF
    
  3. Generate the key with openssl and enroll it with mokutil:

    sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 99999 -batch -config /tmp/x509.conf -outform DER -out pubkey.der -keyout priv.key
    sudo mokutil --import pubkey.der
    
  4. Reboot your computer. You will be greeted with the MokManager (see the blog post for images). Select "Enroll MOK" -> "Continue" -> "Yes" -> create a password for the MOK -> "Reboot"

  5. If you haven't already, install the module normally. The error will still exist -- this is okay, because we're about to sign it and then load it.

     make
     sudo make install
    
  6. (Additional step not in the blog post for newer kernels, most likely can skip this step): Check the format of the compiled file using modinfo -n veikk. If it ends in .ko.xz rather than .ko, you need to decompress the file first, and then reload modules.dep. If it ends in .ko, skip this step.

     # only if it ends in .ko.xz
     sudo xz --decompress $(modinfo -n veikk)
     sudo depmod
    
  7. Sign the file with the enrolled key.

     # run as root: priv.key was created with sudo and the module file is root-owned
     sudo /lib/modules/$(uname -r)/scripts/sign-file sha256 priv.key pubkey.der "$(modinfo -n veikk)"
    
  8. Load the module. If successful, it should give you no errors:

     sudo modprobe veikk
    

If this method does not work for you, disabling Secure Boot may be the way to go.

Other guides to loading unsigned modules

@Nuwaisir-1998

In step 7, I needed to replace /lib/modules/$(uname -r) with sudo /usr/src/linux-headers-5.8.0-59-generic.
Got this solution from here.
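
Steps 6 and 7 with the path problem from the comment above handled, as an added example that is not part of the issue or the driver's own code. It looks for sign-file in the two locations named in this thread (the headers path is generalised to the running kernel) plus the `build` symlink, which is an assumption, refuses a module that is still compressed, and checks that the kernel's signature marker was appended. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the issue. Function names are hypothetical.

# Print the first executable sign-file for kernel release $1.
# $2 is an optional root prefix (assumption: only there to allow testing).
find_sign_file() {
    rel=$1; root=${2:-}
    for dir in \
        "$root/lib/modules/$rel/scripts" \
        "$root/lib/modules/$rel/build/scripts" \
        "$root/usr/src/linux-headers-$rel/scripts"
    do
        if [ -x "$dir/sign-file" ]; then
            printf '%s\n' "$dir/sign-file"
            return 0
        fi
    done
    return 1
}

# Succeed if file $1 ends with the marker the kernel looks for on signed
# modules: "~Module signature appended~" plus a newline, 28 bytes in total.
module_is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000\n')" = '~Module signature appended~' ]
}

# Sign module $1 with private key $2 and DER certificate $3, then verify.
sign_module() {
    case $1 in
        *.ko) ;;
        *) echo "decompress first (step 6): $1" >&2; return 1 ;;
    esac
    tool=$(find_sign_file "$(uname -r)") || {
        echo "sign-file not found" >&2; return 1; }
    "$tool" sha256 "$2" "$3" "$1" && module_is_signed "$1"
}

# Usage, as root: sh sign-veikk.sh priv.key pubkey.der
if [ "$#" -eq 2 ]; then
    sign_module "$(modinfo -n veikk)" "$1" "$2" \
        && echo "signature appended; now run: modprobe veikk"
fi
```

The marker check only shows that a signature is attached; the kernel still rejects the module unless the signing certificate was enrolled in step 4.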
