Linux Secure Boot support for agents
When Secure Boot is enabled on an agent computer, the Linux kernel verifies the signature of every kernel module before it loads the module. These Workload Security features install kernel modules:
- Web Reputation
- Integrity Monitoring
- Intrusion Prevention
- Application Control
If you intend to use any of those features on a computer where Secure Boot is enabled, you must enroll the Trend Micro public key (shipped with the agent, for example DS20.der) into the Linux computer's firmware so that the kernel trusts the signature on the Trend Micro kernel modules. Otherwise, those Workload Security features can't be installed.
Your platform determines which keys you need to download and which method you can use to enroll a key:
- For VMware vSphere, Enroll a key using Shim MOK Manager Key Database
- For Google Cloud Platform, Enroll a key using UEFI Secure Boot Key Database
Download a Trend Micro public key
You can download Trend Micro public keys from the list below:
If you have trouble downloading the following files, right-click and select Save Link As.
- DS20_v2.der
  Deep Security Secure Boot key DS20_V2 with a SHA1 hash of
  87 fa 6d 96 b4 0d 34 96 39 48 47 00 b8 f3 dc f6 57 b9 dd 96
- DS20.der / DS12.der
  Deep Security Secure Boot key DS20 / DS12 with a SHA1 hash of
  eb 8e 8a cf 5d 60 ac 47 e7 8e b9 b4 ad ef 8f b7 05 c4 9f f3
- DS11.der
  Deep Security Secure Boot key DS11 with a SHA1 hash of
  7d 96 56 5c 3a 77 b7 a7 24 49 d5 6a a5 0c 28 aa d7 3b 0b fb
Enroll a key using Shim MOK Manager Key Database
The following steps are applicable for any Deep Security Agent using an OS that supports Secure Boot on VMware vSphere 6.5 or newer.
To enroll Trend Micro public keys:
1. On the computer that you want to protect, and where Secure Boot is enabled, install the Deep Security Agent if it isn't installed already.
2. Install the Machine Owner Key (MOK) facility, if it isn't already installed:
   yum install mokutil
3. Add the public keys to the MOK list:
   mokutil --import /opt/ds_agent/DS20_v2.der /opt/ds_agent/DS20.der /opt/ds_agent/DS12.der /opt/ds_agent/DS11.der
   For the mokutil --import command to work, its paths need to match the location of your keys. The command above is adding keys from
   For details about manually adding the public key to the MOK list, see your Linux documentation.
   For SuSE 15 after 5.3.18-24.34-default, DS20_v2.der is required because the kernel's module signature checking behavior has changed.
4. When prompted, enter a password that you will use later in this procedure.
5. Reboot the system.
6. After the computer restarts, the Shim UEFI key management console opens.
7. Press any key to get started.
8. On the Perform MOK management screen, select Enroll MOK.
9. On the Enroll MOK screen, you can select View key X to check the details of the keys, then press any key to go back to the Enroll MOK screen.
10. Select Continue on the Enroll the key(s)? screen.
11. Select Yes, then enter the password you set in Step 4.
12. On the The system must now be rebooted screen, select OK to confirm your changes and reboot.
13. Use the mokutil utility to check whether the keys added to the MOK list (in Step 3 above) enrolled successfully:
    mokutil --test-key /opt/ds_agent/DS20_v2.der
    mokutil --test-key /opt/ds_agent/DS20.der
    mokutil --test-key /opt/ds_agent/DS12.der
    mokutil --test-key /opt/ds_agent/DS11.der
    For the mokutil --test-key command to work, its path needs to match the location of your key. The commands above are testing keys from
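The procedure above enrolls the keys but leaves two checks to the operator: confirming that the .der files on disk really carry the SHA-1 fingerprints published in the download list before enrolling them, and confirming after the reboot that the kernel trusts them. The following script is an added example, not Trend Micro's own tooling; it assumes the keys sit in /opt/ds_agent/ as in the commands above (override with KEY_DIR), that mokutil and openssl are installed, and it finishes with the same grep of /proc/keys that the Google Cloud Platform section uses, which works after reboot on either platform.

```shell
#!/bin/sh
# Added example (not Trend Micro's tooling): verify Trend Micro Secure Boot
# keys before and after MOK enrollment. Assumes keys in /opt/ds_agent/ and
# that mokutil and openssl are available.
KEY_DIR="${KEY_DIR:-/opt/ds_agent}"

# Normalize a fingerprint to lowercase hex without separators, so the
# "87 fa 6d ..." form from the documentation and openssl's
# "SHA1 Fingerprint=87:FA:6D:..." form can be compared directly.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ' :' | tr 'A-Z' 'a-z'
}

# SHA-1 fingerprints as published in the key download list above.
expected_fp_for() {
    case "$1" in
        DS20_v2.der) echo "87 fa 6d 96 b4 0d 34 96 39 48 47 00 b8 f3 dc f6 57 b9 dd 96" ;;
        DS20.der|DS12.der) echo "eb 8e 8a cf 5d 60 ac 47 e7 8e b9 b4 ad ef 8f b7 05 c4 9f f3" ;;
        DS11.der) echo "7d 96 56 5c 3a 77 b7 a7 24 49 d5 6a a5 0c 28 aa d7 3b 0b fb" ;;
        *) return 1 ;;
    esac
}

# Return 0 if the DER certificate $1 has SHA-1 fingerprint $2 (any format).
key_fingerprint_matches() {
    actual=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1) || return 1
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# Count lines in a /proc/keys-style listing ($1, default /proc/keys) that
# mention Trend; prints 0 instead of failing when there are none.
count_trend_keys() {
    grep -c 'Trend' "${1:-/proc/keys}" || true
}

main() {
    echo "Secure Boot state: $(mokutil --sb-state 2>/dev/null || echo unknown)"
    for k in DS20_v2.der DS20.der DS12.der DS11.der; do
        f="$KEY_DIR/$k"
        [ -f "$f" ] || { echo "$k: not found in $KEY_DIR"; continue; }
        if key_fingerprint_matches "$f" "$(expected_fp_for "$k")"; then
            echo "$k: fingerprint matches the published value"
        else
            echo "$k: FINGERPRINT MISMATCH, do not enroll this file"
            continue
        fi
        # mokutil --test-key reports whether this key is already enrolled in MOK.
        mokutil --test-key "$f" 2>&1 | sed "s/^/$k: /"
    done
    # After the post-enrollment reboot the kernel keyring should list the keys.
    echo "Trend Micro entries in /proc/keys: $(count_trend_keys /proc/keys)"
}

# Only run the checks when invoked as: sh check_ds_keys.sh --run
case "${1:-}" in
    --run) main ;;
esac
```

Run it once before Step 3 to validate the files (a mismatch means the key file is not the one published and should not be imported) and again after Step 12, when each mokutil --test-key line should report the key as enrolled and the /proc/keys count should be non-zero.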
Enroll a key using UEFI Secure Boot Key Database
The following steps are applicable for any Deep Security Agent using an OS that supports Secure Boot on Google Cloud Platform.
Prepare the following certificates, along with any Trend Micro public keys (see Download a Trend Micro public key):
- MicWinProPCA2011_2011-10-19.crt from Microsoft
The Microsoft Windows Production PCA 2011 with a SHA-1 Cert Hash of
58 0a 6f 4c c4 e4 b6 69 b9 eb dc 1b 2b 3e 08 7b 80 d0 67 8d
- MicCorUEFCA2011_2011-06-27.crt from Microsoft
The Microsoft Corporation UEFI CA 2011 with a SHA-1 Certificate Hash of
46 de f6 3b 5c e6 1c f8 ba 0d e2 e6 63 9c 10 19 d0 ed 14 f3
Set up certificates for Secure Boot by creating a customized image with the gcloud command-line tool:
gcloud compute images create [IMAGE_NAME] \
    --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS20_v2.der,./DS20.der,./DS12.der,./DS11.der[,other required keys in .der or .bin format] \
    [other image-creation options]
Refer to the latest Google Cloud Platform documentation for details on the command and API.
Because of a GCP limitation, the command above replaces the image's default signature database entries rather than merging them with the ones you provide, so be sure to append any other keys you need (for example, your own) to the list.
Create an instance from the customized images with Secure Boot enabled.
Check whether the keys are successfully enrolled in /proc/keys:
grep 'Trend' /proc/keys
Update the Trend Micro public keys
The following situations require you to update the Trend Micro public keys:
1. Deep Security Agent has upgraded to a major release.
Workload Security refreshes the Trend Micro kernel module public keys in every major release of the agent (for example, 12.0 and 20.0). To keep security features functioning when you upgrade a Deep Security Agent to a new major release, you must enroll the new public key into any Linux computers that have Secure Boot enabled. Until the new public key is enrolled, an "Engine Offline" error message might appear in the Workload Security console because the operating system did not load the upgraded kernel module.
2. The public key has expired.
The public keys' life cycle is the same as Deep Security's life cycle. The public key expires at the end of extended support (EOL). Refer to Deep Security LTS life cycle dates for details.
If the DS20.der public key has expired but Deep Security 20 has extended its support date, Trend Micro will create a new key that you must enroll when upgrading the Deep Security Agent.
3. The Linux kernel behavior has changed.
In rare circumstances, the Linux kernel's behavior for verifying kernel modules at load time might change, which will require you to update the public keys.
For example, SuSE 15 after 5.3.18-24.34-default added an EKU codesign check, which caused the DS20_v2.der key to be required.