Linux Secure Boot support for agents

The Unified Extensible Firmware Interface (UEFI) Secure Boot feature is supported with some versions of Deep Security Agent for Linux. For details, see this Secure Boot support table.

When Secure Boot is enabled on an agent computer, the Linux kernel performs a signature check on kernel modules before they are installed. These Workload Security features install kernel modules:

  • Anti-Malware
  • Web Reputation
  • Firewall
  • Integrity Monitoring
  • Intrusion Prevention
  • Application Control

If you intend to use any of those features on a computer where Secure Boot is enabled, you must enroll the Trend Micro public key (provided with the installation, for example DS20.der) into the Linux computer's firmware so that it recognizes the signature on the Trend Micro kernel modules. Otherwise, the Workload Security features can't be installed.

To enroll the Trend Micro public key:

  1. On the computer that you want to protect, and where Secure Boot is enabled, install the Deep Security Agent, if it isn't installed already.

    After installation, the Trend Micro public keys are in /opt/ds_agent/DS20.der and /opt/ds_agent/secureboot/DS20_v2.der.

  2. Install the Machine Owner Key (MOK) facility, if it isn't already installed.

    yum install mokutil

  3. Add the public keys to the MOK list:

    mokutil --import /opt/ds_agent/DS20.der /opt/ds_agent/secureboot/DS20_v2.der

    For details about manually adding the public key to the MOK list, see your Linux documentation.

    For SuSE 15 after 5.3.18-24.34-default, DS20_v2.der is required because the kernel's module signature-checking behavior has changed.

  4. When prompted, enter a password that you will use later in this procedure.

  5. Reboot the system.
  6. After the computer restarts, the Shim UEFI key management console opens.
  7. Press any key to get started.
  8. On the Perform MOK management screen, select Enroll MOK.
  9. On the Enroll MOK screen, you can select View key X to check the details of the keys, and press any key to go back to the Enroll MOK screen.
  10. Select Continue on the Enroll the key(s)? screen.
  11. Select Yes, then enter the password you set in step 4.
  12. On the "The system must now be rebooted" screen, select OK to confirm your changes and reboot.
  13. Use the mokutil utility to check whether the keys enrolled successfully.

    mokutil --test-key /opt/ds_agent/DS20.der

    mokutil --test-key /opt/ds_agent/secureboot/DS20_v2.der
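After the reboot in step 13, a practitioner usually wants one script that confirms Secure Boot is on, that both keys are enrolled, and whether the kernel has refused or tainted a module for a signature reason (the cause of the "Engine Offline" symptom described below). The following is an added example, not code from the Trend Micro documentation or the agent package; it assumes the key paths from the procedure above and the usual message formats of `mokutil --sb-state`, `mokutil --test-key` and the kernel log, and runs on constructed sample output when mokutil is not installed.

```shell
#!/bin/sh
# Added example; not from the Trend Micro documentation or the agent package.
# Post-reboot check for the MOK procedure above: Secure Boot on? both keys
# enrolled? did the kernel refuse/taint a module for a signature reason (the
# cause of "Engine Offline" when a key is missing)? Assumes the key paths above
# and the usual mokutil / kernel log message formats.
TM_KEYS="/opt/ds_agent/DS20.der /opt/ds_agent/secureboot/DS20_v2.der"

# Reads `mokutil --sb-state` output on stdin; succeeds only when Secure Boot is on.
sb_enabled() {
    grep -q '^SecureBoot enabled'
}
# Reads combined `mokutil --test-key <key>` output on stdin ("<path> is already
# enrolled" / "<path> is not enrolled") and prints the paths that are NOT enrolled.
keys_missing() {
    sed -n 's/ is not enrolled$//p'
}

# Reads kernel log lines on stdin and prints those where a module was refused or
# tainted for a signature reason. Never fails, so it is safe under set -e.
module_sig_failures() {
    grep -E 'module verification failed|Loading of unsigned module|unavailable key|Key was rejected' || true
}

# $1 = sb-state output, $2 = test-key output, $3 = kernel log. Exit 0 only when
# Secure Boot is off or every key is enrolled.
report() {
    printf '%s\n' "$1" | sb_enabled || { echo "Secure Boot disabled; MOK enrollment not needed."; return 0; }
    printf '%s\n' "$3" | module_sig_failures | sed 's/^/kernel: /'
    missing=$(printf '%s\n' "$2" | keys_missing)
    if [ -n "$missing" ]; then
        echo "Not enrolled (re-run mokutil --import for these keys and reboot):"
        echo "$missing"
        return 1
    fi
    echo "All Trend Micro MOK keys are enrolled."
}

if command -v mokutil >/dev/null 2>&1; then
    report "$(mokutil --sb-state 2>&1)" \
           "$(for k in $TM_KEYS; do mokutil --test-key "$k" 2>&1; done)" \
           "$(dmesg 2>/dev/null)"
else
    # Constructed sample output (no mokutil here): DS20_v2.der still missing.
    report "SecureBoot enabled" \
           "/opt/ds_agent/DS20.der is already enrolled
/opt/ds_agent/secureboot/DS20_v2.der is not enrolled" \
           "ds_agent: module verification failed: signature and/or required key missing - tainting kernel" \
        || echo "report exit status $?: enrollment incomplete"
fi
```

On a live system the script exits non-zero while any key is still missing, so it can gate an automated rollout of the agent's kernel-module features.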

Update the Trend Micro public keys

The following situations require you to update the Trend Micro public keys:

1. Deep Security Agent has upgraded to a major release.

Workload Security refreshes the Trend Micro kernel module public keys in every major release of the agent (for example, 12.0 and 20.0). To keep security features functioning when you upgrade a Deep Security Agent to a new major release, you must enroll the new public key into any Linux computers that have Secure Boot enabled. Until the new public key is enrolled, an "Engine Offline" error message might appear in the Workload Security console because the operating system did not load the upgraded kernel module.

2. The public key has expired.

The public keys' life cycle matches Deep Security's life cycle: a public key expires at the end of extended support (EOL). Refer to Deep Security LTS life cycle dates for details.

If the DS20.der public key has expired but Deep Security 20's support date has been extended, Trend Micro will create a new key that you must enroll when upgrading Deep Security Agent.

Key           Expiry date   Notes
DS20.der      26-Nov-2024
DS20_v2.der   24-Oct-2026   Required for SuSE 15 after 5.3.18-24.34-default

3. The Linux kernel behavior has changed.

In rare circumstances, the Linux kernel's behavior for checking the signatures of kernel modules at load time might change, which will require you to update the public keys.

For example, SuSE 15 after 5.3.18-24.34-default added an Extended Key Usage (EKU) codesign check, which made the DS20_v2.der key required.