Table of contents

Linux Secure Boot support for agents

The Unified Extensible Firmware Interface (UEFI) Secure Boot feature is supported with some versions of the agent for Linux. For details, see this Secure Boot support table.

When Secure Boot is enabled on an agent computer, the Linux kernel performs a signature check on kernel modules before they are installed. These Workload Security features install kernel modules:

  • Anti-Malware
  • Web Reputation
  • Firewall
  • Integrity Monitoring
  • Intrusion Prevention
  • Application Control

If you intend to use any of those features on a computer where Secure Boot is enabled, you must enroll the Trend Micro public key (provided after installation, for example DS20.der) into the Linux computer's firmware so that it recognizes the Trend Micro kernel module's signature. Otherwise, Workload Security features can't be installed.

Your platform will determine which keys you need to download and which method you can use to enroll a key:

Download a Trend Micro public key

You can download Trend Micro public keys from the list below:

If you have trouble downloading the following files, right-click and select Save Link As.

  • DS2022.der
    Secure Boot key DS2022 with a SHA1 hash of 0d 0b 3b ff ee 28 fa df 30 80 e9 bb 88 63 d0 57 fe 07 47 af

  • DS20_V2.der
    Secure Boot key DS20_V2 with a SHA1 hash of 87 fa 6d 96 b4 0d 34 96 39 48 47 00 b8 f3 dc f6 57 b9 dd 96

When the agent is deployed on SuSE 15 kernels after 5.3.18-24.34-default, DS20_v2.der is required because the checking kernel modules behavior has changed.

  • DS20.der / DS12.der
    Secure Boot key DS20 / DS12 with a SHA1 hash of eb 8e 8a cf 5d 60 ac 47 e7 8e b9 b4 ad ef 8f b7 05 c4 9f f3
  • DS11_2022.der
    Secure Boot key DS11_2022 with a SHA1 hash of 0d 0b 3b ff ee 28 fa df 30 80 e9 bb 88 63 d0 57 fe 07 47 af

    The DS11.der public key for Deep Security Agent 11 (with a SHA1 hash of 7d 96 56 5c 3a 77 b7 a7 24 49 d5 6a a5 0c 28 aa d7 3b 0b fb) expired on December 5, 2022. To continue using the Deep Security 11 agent after this date, you must enroll the new DS11_2022.der Secure Boot key.

Enroll a key using Shim MOK Manager Key Database

The following steps are applicable for any agent using an OS that supports Secure Boot on VMware vSphere 6.5 or newer.

To enroll Trend Micro public keys:

  1. On the computer that you want to protect, and where Secure Boot is enabled, install the agent, if it isn't installed already.

  2. Install the Machine Owner Key (MOK) facility, if it isn't already installed:

    yum install mokutil

  3. Add the public keys to the MOK list:

    For Deep Security Agent 20: mokutil --import /opt/ds_agent/DS2022.der /opt/ds_agent/DS20_v2.der /opt/ds_agent/DS20.der For Deep Security Agent 12: mokutil --import /opt/ds_agent/DS12.der For Deep Security Agent 11: mokutil --import /opt/ds_agent/DS11_2022.der

    For the mokutil --import command to work, its paths need to match the location of your keys. The command above is adding keys from /opt/ds_agent/.

    For details about manually adding the public key to the MOK list, see your Linux documentation.

  4. When prompted, enter a password that you will use later in this procedure.

  5. Reboot the system.
  6. After the computer restarts, the Shim UEFI key management console opens.
  7. Press any key to get started.
  8. On the Perform MOK management screen, select Enroll MOK.
  9. On the Enroll MOK screen, you can select View key X to check the details of the keys, and press any key to go back to the Enroll MOK screen.
  10. Select Continue on the Enroll the key(s)? screen.
  11. Select Yes, then enter the password you set in Step 4.
  12. On the The system must now be rebooted screen, select OK to confirm your changes and reboot.
  13. Check whether the keys added to the MOK list (in Step 3 above) enrolled successfully:

    • For most operating systems, use the mokutil utility: mokutil --test-key /opt/ds_agent/${certificate_file}.der

      For the mokutil --test-key command to work, its path needs to match the location of your key. The commands above are testing keys from /opt/ds_agent/.

    • For Debian 11, mokutil will not work. Use keyctl instead: keyctl show %:.platform | grep 'Trend'

Enroll a key using UEFI Secure Boot Key Database

The following steps are applicable for any agent using an OS that supports Secure Boot on Google Cloud Platform.

  1. Prepare the following certificates, along with any Trend Micro public keys (see Download a Trend Micro public key):

    • MicWinProPCA2011_2011-10-19.crt from Microsoft
      The Microsoft Windows Production PCA 2011 with a SHA-1 Cert Hash of 58 0a 6f 4c c4 e4 b6 69 b9 eb dc 1b 2b 3e 08 7b 80 d0 67 8d
    • MicCorUEFCA2011_2011-06-27.crt from Microsoft
      The Microsoft Corporation UEFI CA 2011 with a SHA-1 Certificate Hash of 46 de f6 3b 5c e6 1c f8 ba 0d e2 e6 63 9c 10 19 d0 ed 14 f3
  2. Set up certificates for Secure Boot by creating customized images with the gcloud command-line tool:

    gcloud compute images create [IMAGE_NAME] \

    --source-image=[SOURCE_IMAGE] \

    --source-image-project=[SOURCE_PROJECT] \

    --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS2022.der,./DS20_v2.der,./DS20.der,./DS12.der,./DS11_2022.der [ Add other required keys with der / bin format here ] \


    Refer to the latest Google Cloud Platform documentation for details on commands and API.

    The above command will overwrite the default ones rather than merging them with the ones you provide due to the limitation of GCP, please ensure to append your own key if required.

  3. Create an instance from the customized images with Secure Boot enabled.

  4. Check whether the keys are successfully enrolled in /proc/keys:

    grep 'Trend' /proc/keys

Sign a key into the kernel

The following steps are applicable for any agent using an OS that supports Secure Boot on Oracle Linux 7 UEK R6 kernel (5.4.17+) and Oracle Linux 8 UEK R6 kernel (5.4.17+).

  1. Follow the Oracle Linux Help Center instructions for Signing Kernel Modules for Use With Secure Boot.
  2. When you reach section 3.3 (Inserting the Module Certificate in the Kernel and Signing the Kernel Image (UEK R6 Only)), instead of entering pubkey.der in the command, enter your DS key and path (for example, ./DS20_v2.der) to sign it into the kernel image:

    sudo /usr/src/kernels/$(uname -r)/scripts/insert-sys-cert -s /boot/$(uname -r) -z /boot/vmlinuz$(uname -r) -c ./DS20_v2.der

  3. Check whether the key is listed in the kernel builtin_trusted_keys keyring:

    sudo keyctl show %:.builtin_trusted_keys | grep 'Trend'

Update the Trend Micro public keys

The following situations require you to update the Trend Micro public keys:

1. The agent has upgraded to a major release.

Workload Security refreshes the Trend Micro kernel module public keys in every major release of the agent (for example, 12.0 and 20.0). To keep security features functioning when you upgrade an agent to a new major release, you must enroll the new public key into any Linux computers that have Secure Boot enabled. Until the new public key is enrolled, an "Engine Offline" error message might appear in the Workload Security console because the operating system did not load the upgraded kernel module.

2. The public key has expired.

The public keys' life cycle is the same as the agent's life cycle. The public key will expire at the end of the extended support (EOL). Refer to Deep Security LTS life cycle dates for details.

If the DS20.der public key has expired but Deep Security 20 has extended their support date, Trend Micro will create a new key that you must enroll when upgrading the agent.

Key Expiry date
DS2022.der 24-Nov-2031
DS20.der 26-Nov-2024
DS20_v2.der 24-Oct-2026

Required for SuSE 15 after 5.3.18-24.34-default

DS12.der 26-Nov-2024
DS11_2022.der 24-Nov-2031
DS11.der 05-Dec-2022

3. The Linux kernel behavior has changed.

In rare circumstances, the Linux kernel's behavior for checking loading kernel modules might change, which will require you to update the public keys.

For example, SuSE 15 after 5.3.18-24.34-default added an EKU codesign check, which caused the DS20_v2.der key to be required.