Linux Secure Boot support for agents

The Unified Extensible Firmware Interface (UEFI) Secure Boot feature is supported with some versions of Deep Security Agent for Linux. For details, see this Secure Boot support table.

When Secure Boot is enabled on an agent computer, the Linux kernel performs a signature check on kernel modules before they are installed. These Workload Security features install kernel modules:

  • Anti-Malware
  • Web Reputation
  • Firewall
  • Integrity Monitoring
  • Intrusion Prevention
  • Application Control

If you intend to use any of those features on a computer where Secure Boot is enabled, you must enroll the Trend Micro public key (provided after installation as DSversion.der, where version depends on which Deep Security Agent you have installed, for example DS20.der) into the Linux computer's firmware so that it recognizes the Trend Micro kernel module's signature. Otherwise, the kernel refuses to load the modules and the Workload Security features can't be installed.

To enroll the Trend Micro public key:

  1. On the computer that you want to protect, and where Secure Boot is enabled, install the Deep Security Agent, if it isn't installed already.

    After installation, the Trend Micro public key is in /opt/ds_agent/DS20.der.

  2. Install the Machine Owner Key (MOK) facility, if it isn't already installed.

    yum install mokutil

  3. Add the public key, DS20.der, to the MOK list:

    mokutil --import DS20.der

    For details about manually adding the public key to the MOK list, see your Linux documentation.

  4. When prompted, enter a password that you will use later in this procedure.
  5. Reboot the system.
  6. After the computer restarts, the Shim UEFI key management console opens.
  7. Press any key to get started.
  8. On the Perform MOK management screen, select Enroll MOK.
  9. On the Enroll MOK screen, select View key 0.
  10. On the Enroll the key(s)? screen, select Yes and then enter the password you set in step 4, above.
  11. On the The system must now be rebooted screen, select OK to confirm your changes and reboot.
  12. Use the mokutil utility to check whether the key enrolled successfully:

    mokutil --test-key /opt/ds_agent/DS20.der

  13. Next, use the keyctl utility to check that the key is on the system key ring. If the keyctl utility is not already installed, use this command to install it:

    yum install keyutils

  14. To list the keys that are on the system key ring:

    keyctl list %:.system_keyring

    You should see the Trend Micro signing key listed.

Upgrade the agent if you're using Secure Boot

Workload Security refreshes the Trend Micro kernel module signing key in every major release of the agent (for example, 11.0 and 12). To keep security features functioning when you upgrade a Deep Security Agent to a new major release, you must enroll the new public key into any Linux computers that have Secure Boot enabled. Until the new public key is enrolled, the operating system will not load the upgraded kernel module, and you may see an "Engine Offline" error message in the Workload Security console.
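The following pre-flight script is an added example, not Trend Micro's own tooling; it automates the enrollment check from the procedure above and can be run before a major agent upgrade to catch the unenrolled-key state that leads to "Engine Offline". It assumes the key file is named DS<major>.der in /opt/ds_agent (the page shows DS20.der), matches the phrasing mokutil prints for --test-key and --sb-state, and uses a constructed keyctl listing as sample input.

```shell
#!/bin/sh
# Pre-flight check: is the Trend Micro MOK key for this agent enrolled?
# Assumption (not from the Trend Micro page): the key file is named
# DS<major>.der after the agent's major version and lives in /opt/ds_agent.

# Expected key path for an agent version such as "20.0.0-1234" -> DS20.der.
ds_key_path_for_version() {
    major=${1%%.*}
    printf '/opt/ds_agent/DS%s.der\n' "$major"
}

# Classify `mokutil --test-key <file>` output, which reads
# "<file> is already enrolled" or "<file> is not enrolled".
classify_mok_test_output() {
    case "$1" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo not-enrolled ;;
        *)                       echo unknown ;;
    esac
}

# Constructed sample of `keyctl list %:.system_keyring` output (not real data).
SAMPLE_KEYRING='2 keys in keyring:
 123456789: ---lswrv     0     0 asymmetric: Trend Micro Signing Key: 0123abcd
 987654321: ---lswrv     0     0 asymmetric: Example Distro Secure Boot CA: ffee0011'

# Succeeds (exit 0) if a keyring listing names the Trend Micro key.
keyring_has_trend_key() {
    printf '%s\n' "$1" | grep -qi 'asymmetric: Trend Micro'
}

# Live check on the agent host; returns 1 when the key is missing from MOK,
# which is the state that produces "Engine Offline" after a major upgrade.
secure_boot_preflight() {
    key=$(ds_key_path_for_version "$1")
    command -v mokutil >/dev/null 2>&1 || { echo "install mokutil first"; return 2; }
    case "$(mokutil --sb-state 2>/dev/null)" in
        *enabled*) ;;
        *) echo "Secure Boot disabled: enrollment not required"; return 0 ;;
    esac
    [ -r "$key" ] || { echo "$key not found: is the agent installed?"; return 2; }
    case "$(classify_mok_test_output "$(mokutil --test-key "$key" 2>&1)")" in
        enrolled) echo "OK: $key is enrolled"; return 0 ;;
        *) echo "WARN: $key not enrolled; run: mokutil --import $key, then reboot"; return 1 ;;
    esac
}
```

Run `secure_boot_preflight 20.0.0-1234` on the protected host as root; a non-zero exit means the modules will not load until the key is enrolled.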