Rebuilding VirtualBox on Fedora: Secure Boot, akmods, and MOK Keys Explained

You need to do this every time you change kernels in Fedora.

Along with my update to Fedora 43 I started to run the latest available kernel which always messes with the MOK keys that VirtualBox needs to run properly for my local WordPress environment. This means that when you type vagrant up you'll get an error instead of a running virtual machine.

Today we'll diagnose the issue while ensuring we're running the latest version of VirtualBox, rebuilding the required kernel modules, and signing them so they work with Secure Boot.

Diagnosing the issue

Your first note that you have a problem is going to be when you sit down to run a virtual machine by typing vagrant up and get this error.

VirtualBox is complaining that the kernel module is not loaded.

This error means that the vboxdrv.ko driver isn't loaded in the kernel. In our case we know it's because it's not signed for use with our current kernel version because we just changed kernels. Yes there are some instructions on how to fix this provided in the terminal, but they always end up running around in circles without resolving the issue.

Check VirtualBox Versions

The first step is to make sure you are running the latest version of VirtualBox. Using the command line you can type VBoxManage --version and get the version running on your machine. Go to the changelog to see what the current version is and if you're behind it's time to update.

Fedora often bumps kernels faster than Oracle updates the VirtualBox repo which means the official .rpm download from Oracle is the fastest way to get a working version of VirtualBox running again.

First remove any old versions.

sudo dnf remove -y VirtualBox\*
sudo rm -f /etc/yum.repos.d/virtualbox.repo
sudo dnf clean all

Then go to your ~/Downloads folder where you downloaded the latest .rpm package, and install it with the following command.

sudo dnf install -y ./VirtualBox-<version>.rpm

Verify the install again with VBoxManage --version which should match the current version you just downloaded.

Rebuild Kernel Modules

As the subtitle says, now we need to rebuild the kernel modules for VirtualBox so that they're ready for the version of the kernel we're running.

sudo dnf install -y akmods kernel-devel-$(uname -r) gcc make
sudo akmods --force --kernels $(uname -r)
sudo journalctl -b -u akmods.service -g VirtualBox --no-pager

$(uname -r) will correspond to the version of the kernel you're running and can also be used in your terminal to check which version of the kernel you're running. If akmods fails you'll need to look in /var/cache/akmods/VirtualBox/ for build logs. Here you're looking for compile errors saying that your headers don't match the running kernel version. The file you're looking for will have a naming scheme similar to VirtualBox-kmod-<kernel-version>.log and the failing log will look something like this.

Checking kmods exist for 6.17.7-300.fc43.x86_64       [OK]
Building modules, stage 2.
MODPOST 0 modules
Building VirtualBox kernel modules for 6.17.7-300.fc43.x86_64

Building the main VirtualBox module (vboxdrv)...
make V=1 CONFIG_MODULE_SIG= -C /lib/modules/6.17.7-300.fc43.x86_64/build M=/usr/src/akmods/VirtualBox-kmod.latest/build/vboxdrv 
make[1]: Entering directory '/usr/src/kernels/6.17.7-300.fc43.x86_64'
CC [M]  /usr/src/akmods/VirtualBox-kmod.latest/build/vboxdrv/linux/SUPDrv-linux.o
/usr/src/akmods/VirtualBox-kmod.latest/build/vboxdrv/linux/SUPDrv-linux.c:98:10: fatal error: linux/version.h: No such file or directory
98 | #include <linux/version.h>
    |          ^~~~~~~~~~~~~~~~~
compilation terminated.
make[2]: *** [Makefile:1878: /usr/src/akmods/VirtualBox-kmod.latest/build/vboxdrv/linux/SUPDrv-linux.o] Error 1
make[1]: *** [Makefile:231: __sub-make] Error 2
make[1]: Leaving directory '/usr/src/kernels/6.17.7-300.fc43.x86_64'
make: *** [Makefile:81: vboxdrv] Error 2

Build failed for VirtualBox-kmod-7.2.4 for kernel 6.17.7-300.fc43.x86_64
See /var/cache/akmods/VirtualBox/VirtualBox-kmod-last.log for details.

ERROR: Kernel headers for kernel 6.17.7-300.fc43.x86_64 are not installed.
    Run: sudo dnf install kernel-devel-$(uname -r)

You can see the last few lines highlighting the error.

Generate Secure Boot Keys

Now we have our kernel modules built, but they are unsigned and won't work with Secure Boot. You can check if Secure Boot is enabled by typing mokutil --sb-state. If it returns SecureBoot enabled then Secure Boot is on and VirtualBox won't run without being signed. We'll use the akmods key with the following command. We use akmods because it automatically generates a local key at /etc/pki/akmods/certs/public_key.der. When we import this key it should mean that future kernel module rebuilds will continue to be trusted without going back through all these steps.

sudo mokutil --import /etc/pki/akmods/certs/public_key.der

Now reboot your system.

Select Enroll MOK -> Continue -> Yes, then enter the password you created above.

Load and Verify the Modules

Now let's make sure everything is installed properly.

sudo modprobe vboxdrv vboxnetflt vboxnetadp
lsmod | grep vbox
VBoxManage --version

Which should yield output similar to this:

vboxnetadp             32768  0
vboxnetflt             49152  1
vboxdrv               712704  4 vboxnetadp,vboxnetflt
kvm                  1490944  1 vboxdrv
7.2.4r170995

If you're still having issues then use dmesg | grep -i vbox to get detailed Secure Boot and signature messages for debugging.

Vagrant Up

You should be good to go now. Change to your VirtualBox directory, ~/vvv in my case, and then type vagrant up. Everything should start without issue.

From now on, when Fedora updates the kernel, akmods will rebuild and re-sign the VirtualBox modules automatically using the enrolled key — no more manual signing needed unless you change machines or wipe Secure Boot keys.