Linux Secure Boot support for agents

The Unified Extensible Firmware Interface (UEFI) Secure Boot feature is supported with some versions of Deep Security Agent for Linux. For details, see this Secure Boot support table.

When Secure Boot is enabled on an agent computer, the Linux kernel performs a signature check on kernel modules before they are installed. These Workload Security features install kernel modules:

  • Anti-Malware
  • Web Reputation
  • Firewall
  • Integrity Monitoring
  • Intrusion Prevention
  • Application Control

If you intend to use any of those features on a computer where Secure Boot is enabled, you must enroll the Trend Micro public key (provided after installation, for example DS20.der) into the Linux computer's firmware so that it recognizes the Trend Micro kernel module's signature. Otherwise, Workload Security features can't be installed.

Your platform will determine which keys you need to download and which method you can use to enroll a key:

Download a Trend Micro public key

You can download Trend Micro public keys from the list below:

If you have trouble downloading the following files, right-click and select Save Link As.

  • DS20_V2.der
    Deep Security Secure Boot key DS20_V2 with a SHA-1 hash of 87 fa 6d 96 b4 0d 34 96 39 48 47 00 b8 f3 dc f6 57 b9 dd 96
  • DS20.der / DS12.der
    Deep Security Secure Boot key DS20 / DS12 with a SHA-1 hash of eb 8e 8a cf 5d 60 ac 47 e7 8e b9 b4 ad ef 8f b7 05 c4 9f f3
  • DS11.der
    Deep Security Secure Boot key DS11 with a SHA-1 hash of 7d 96 56 5c 3a 77 b7 a7 24 49 d5 6a a5 0c 28 aa d7 3b 0b fb

Enroll a key using Shim MOK Manager Key Database

The following steps are applicable for any Deep Security Agent using an OS that supports Secure Boot on VMware vSphere 6.5 or newer.

To enroll Trend Micro public keys:

  1. On the computer that you want to protect, and where Secure Boot is enabled, install the Deep Security Agent, if it isn't installed already.

  2. Install the Machine Owner Key (MOK) facility, if it isn't already installed:

    yum install mokutil

  3. Add the public keys to the MOK list:

    mokutil --import /opt/ds_agent/DS20_v2.der /opt/ds_agent/DS20.der /opt/ds_agent/DS12.der /opt/ds_agent/DS11.der

    For the mokutil --import command to work, its paths need to match the location of your keys. The command above adds keys from /opt/ds_agent/.

    For details about manually adding the public key to the MOK list, see your Linux documentation.

    For SuSE 15 after 5.3.18-24.34-default, DS20_v2.der is required because the kernel's signature-check behavior for kernel modules has changed.

  4. When prompted, enter a password that you will use later in this procedure.

  5. Reboot the system.
  6. After the computer restarts, the Shim UEFI key management console opens.
  7. Press any key to get started.
  8. On the Perform MOK management screen, select Enroll MOK.
  9. On the Enroll MOK screen, you can select View key X to check a key's details, then press any key to return to the Enroll MOK screen.
  10. Select Continue on the Enroll the key(s)? screen.
  11. Select Yes, then enter the password you set in Step 4.
  12. On the The system must now be rebooted screen, select OK to confirm your changes and reboot.
  13. Use the mokutil utility to check whether the keys added to the MOK list (in Step 3 above) enrolled successfully:

    mokutil --test-key /opt/ds_agent/DS20_v2.der

    mokutil --test-key /opt/ds_agent/DS20.der

    mokutil --test-key /opt/ds_agent/DS12.der

    mokutil --test-key /opt/ds_agent/DS11.der

    For the mokutil --test-key command to work, its path needs to match the location of your key. The commands above test keys from /opt/ds_agent/.

Enroll a key using UEFI Secure Boot Key Database

The following steps are applicable for any Deep Security Agent using an OS that supports Secure Boot on Google Cloud Platform.

  1. Prepare the following certificates, along with any Trend Micro public keys (see Download a Trend Micro public key):

    • MicWinProPCA2011_2011-10-19.crt from Microsoft
      The Microsoft Windows Production PCA 2011 with a SHA-1 Cert Hash of 58 0a 6f 4c c4 e4 b6 69 b9 eb dc 1b 2b 3e 08 7b 80 d0 67 8d
    • MicCorUEFCA2011_2011-06-27.crt from Microsoft
      The Microsoft Corporation UEFI CA 2011 with a SHA-1 Certificate Hash of 46 de f6 3b 5c e6 1c f8 ba 0d e2 e6 63 9c 10 19 d0 ed 14 f3
  2. Set up certificates for Secure Boot by creating customized images with the gcloud command-line tool:

    gcloud compute images create [IMAGE_NAME] \
      --source-image=[SOURCE_IMAGE] \
      --source-image-project=[SOURCE_PROJECT] \
      --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS20_v2.der,./DS20.der,./DS12.der,./DS11.der

    Add any other required keys (in der or bin format) to the comma-separated --signature-database-file list.

    Refer to the latest Google Cloud Platform documentation for details on commands and API.

    Because of a GCP limitation, the command above replaces the default signature database entries with the ones you provide instead of merging them, so make sure the list includes every key you need, including your own.

  3. Create an instance from the customized images with Secure Boot enabled.

  4. Check whether the keys are successfully enrolled in /proc/keys:

    grep 'Trend' /proc/keys
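As an added example (not Trend Micro's own tooling) covering both enrollment methods above, the script below checks each downloaded key's SHA-1 fingerprint against the values published in the download list before it is enrolled, and afterwards reports whether the kernel trusts it, via the MOK list (mokutil) or the firmware db (visible in /proc/keys as in step 4). It assumes openssl and mokutil are installed and that the key files are in KEY_DIR (default /opt/ds_agent).

```shell
#!/bin/sh
# Added example, not part of the Deep Security Agent: verify Trend Micro public
# keys against the fingerprints published on this page, then check enrollment.
# Assumes openssl (and mokutil for MOK systems) are installed; keys in KEY_DIR.
KEY_DIR="${KEY_DIR:-/opt/ds_agent}"

# Published fingerprints, copied from the download list on this page.
# DS20.der and DS12.der are the same key and share a fingerprint.
FP_DS20_V2="87 fa 6d 96 b4 0d 34 96 39 48 47 00 b8 f3 dc f6 57 b9 dd 96"
FP_DS20="eb 8e 8a cf 5d 60 ac 47 e7 8e b9 b4 ad ef 8f b7 05 c4 9f f3"
FP_DS11="7d 96 56 5c 3a 77 b7 a7 24 49 d5 6a a5 0c 28 aa d7 3b 0b fb"

# canonical_fp: lower-case hex with no separators, so the page's "87 fa 6d ..."
# and openssl's "SHA1 Fingerprint=87:FA:6D:..." compare equal.
canonical_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ' :' | tr 'A-F' 'a-f'
}

# verify_key FILE EXPECTED: returns 0 only if the DER file's SHA-1 fingerprint
# matches EXPECTED; 2 if openssl cannot parse the file at all.
verify_key() {
    actual=$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1) || return 2
    [ "$(canonical_fp "$actual")" = "$(canonical_fp "$2")" ]
}

# check_enrolled FILE: 0 if the key is trusted, either via the MOK list (mokutil
# --test-key; the "already enrolled" wording is an assumption) or via the
# firmware db, whose certificates appear in the kernel keyring (/proc/keys).
check_enrolled() {
    if command -v mokutil >/dev/null 2>&1 &&
       mokutil --test-key "$1" 2>/dev/null | grep -q 'already enrolled'; then
        return 0
    fi
    grep -q 'Trend' /proc/keys 2>/dev/null
}

main() {
    rc=0
    for pair in "DS20_v2.der=$FP_DS20_V2" "DS20.der=$FP_DS20" \
                "DS12.der=$FP_DS20" "DS11.der=$FP_DS11"; do
        file="$KEY_DIR/${pair%%=*}"; expected="${pair#*=}"
        [ -f "$file" ] || { echo "missing: $file"; continue; }
        if ! verify_key "$file" "$expected"; then
            echo "FINGERPRINT MISMATCH: $file, do not enroll it"; rc=1; continue
        fi
        if check_enrolled "$file"; then echo "trusted: $file"; else echo "not yet enrolled: $file"; fi
    done
    return $rc
}
main "$@"
```

Run it once before step 3 (mokutil --import) to catch a tampered or mis-downloaded key, and again after the post-enrollment reboot to confirm the keys are trusted.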

Update the Trend Micro public keys

The following situations require you to update the Trend Micro public keys:

1. Deep Security Agent has upgraded to a major release.

Workload Security refreshes the Trend Micro kernel module public keys in every major release of the agent (for example, 12.0 and 20.0). To keep security features functioning when you upgrade a Deep Security Agent to a new major release, you must enroll the new public key into any Linux computers that have Secure Boot enabled. Until the new public key is enrolled, an "Engine Offline" error message might appear in the Workload Security console because the operating system did not load the upgraded kernel module.

2. The public key has expired.

A public key's life cycle matches the Deep Security release it belongs to: the key expires at the end of that release's extended support (EOL). Refer to Deep Security LTS life cycle dates for details.

If the DS20.der public key has expired but Deep Security 20 has extended its support date, Trend Micro will create a new key that you must enroll when upgrading Deep Security Agent.

  Key           Expiry date
  DS20.der      26-Nov-2024
  DS20_v2.der   24-Oct-2026   (required for SuSE 15 after 5.3.18-24.34-default)
  DS12.der      26-Nov-2024
  DS11.der      05-Dec-2022

3. The Linux kernel behavior has changed.

In rare circumstances, the Linux kernel's behavior when verifying kernel modules at load time might change, which will require you to update the public keys.

For example, SuSE 15 after 5.3.18-24.34-default added an EKU codesign check, which caused the DS20_v2.der key to be required.