Views:
Some versions of the agent for Linux are compatible with Unified Extensible Firmware Interface (UEFI) Secure Boot.
When Secure Boot is enabled, the computer's Linux kernel checks the PKI signature of each kernel module before it is loaded. It won't load unsigned kernel modules, nor modules with invalid signatures. These agent features install kernel modules:
  • Anti-Malware
  • Web Reputation
  • Firewall
  • Integrity Monitoring
  • Intrusion Prevention
  • Application Control
Therefore if you want to use those features with Secure Boot, then you must enroll the public keys from Trend Micro in the computer's firmware so that it can validate those kernel module signatures.
Methods vary by platform:

Download the Trend Micro public keys

Before you enrol them on Secure Boot computers, you must first download the Trend Micro public keys that will be used to validate kernel module signatures. The public keys are encoded in DER format.
Tip
Tip
If you have trouble downloading the key files, right-click and select Save Link As.
  • DS2022.der SHA-256 certificate hash: BB FA 4A B8 3C 61 A0 3F 1D D0 4B A7 A4 51 75 E7 D7 EF D3 C8 4B F3 D9 FE A0 CE AB B9 2A F4 8E 92
  • DS20_V2.der SHA-256 certificate hash: B3 36 43 7B 12 B3 EB 6A 4E 4A 44 62 40 4F 1F BD 21 32 70 77 4C 33 7D 1C 5A 58 7C 99 83 F7 30 C7
Note
Note
When the agent is deployed on SuSE 15 with kernels 5.3.18-24.34-default or later, DS20_v2.der is required because verification of kernel module signatures has changed.
  • DS20.der SHA-256 certificate hash: CB 44 47 C8 76 CF 28 79 2F 8E B6 76 F1 42 4B D4 93 82 70 0E 46 92 ED 69 83 0C C3 52 E9 E4 71 03
  • DS12.der SHA-256 certificate hash: CB 44 47 C8 76 CF 28 79 2F 8E B6 76 F1 42 4B D4 93 82 70 0E 46 92 ED 69 83 0C C3 52 E9 E4 71 03
  • DS11_2022.der SHA-256 certificate hash: BB FA 4A B8 3C 61 A0 3F 1D D0 4B A7 A4 51 75 E7 D7 EF D3 C8 4B F3 D9 FE A0 CE AB B9 2A F4 8E 92
    Note
    Note
    The old public key for agent version 11 (DS11.der with a SHA-1 hash 7D 96 56 5C 3A 77 B7 A7 24 49 D5 6A A5 0C 28 AA D7 3B 0B FB) expired on December 5, 2022. To continue using the agent after this date, you must enroll this new public key. Otherwise an "Engine Offline" error message will appear in the console, and the computer will not be protected.
You also must download the intermediate certificate authority (CA) certificates that are required to validate the signing chain on the Trend Micro public keys. If Microsoft updates these CA certificates, then you will need to use the new certificates. The CA certificates are X.509 v3 CRT files encoded in DER format.
  • MicWinProPCA2011_2011-10-19.crt Microsoft Windows Production PCA 2011 SHA-256 certificate hash: E8 E9 5F 07 33 A5 5E 8B AD 7B E0 A1 41 3E E2 3C 51 FC EA 64 B3 C8 FA 6A 78 69 35 FD DC C7 19 61
  • MicCorUEFCA2011_2011-06-27.crt Microsoft Corporation UEFI CA 2011 SHA-256 certificate hash: 48 E9 9B 99 1F 57 FC 52 F7 61 49 59 9B FF 0A 58 C4 71 54 22 9B 9F 8D 60 3A C4 0D 35 00 24 85 07
  • MicCorKEKCA2011_2011-06-24.crt Microsoft Corporation KEK CA 2011 SHA-256 certificate hash: A1 11 7F 51 6A 32 CE FC BA 3F 2D 1A CE 10 A8 79 72 FD 6B BE 8F E0 D0 B9 96 E0 9E 65 D8 02 A5 03

Update the Trend Micro public key

You will be required to update your enrolled public keys for signed Trend Micro kernel modules during certain scenarios.
Scenario
Description
You upgrade the agent to a newer major release
In every major release of the agent (for example, agent 12.0 and 20.0), Trend Micro refreshes the public keys for Secure Boot kernel module signatures. New kernel module signatures cannot be validated with an old public key. As a result, when you upgrade the agent, you must also enroll the new public key.
The public key has expired
The public key will expire at the end of the agent's extended support life cycle (EOL). See also Deep Security LTS life cycle dates.
If Trend Micro extends an EOL date, then Trend Micro will create a new public key to match the new EOL date. You will need to replace the old public key with the new one, and then upgrade the agent.
Key
Expiry date
DS2022.der
24-Nov-2031
DS20.der
26-Nov-2024
DS20_v2.der
24-Oct-2026 Required for SuSE 15 after 5.3.18-24.34-default
DS12.der
26-Nov-2024
DS11_2022.der
24-Nov-2031
DS11.der
05-Dec-2022
Linux kernel module signature verification has changed
When you update the Linux kernel, the method that it uses to verify kernel module signatures might change. This might require you to replace the enrolled public keys.
For example, SuSE 15 added EKU code signing verification in kernel version 5.3.18-24.34-default, which required a new public key version, DS20_v2.der.
WARNING
WARNING
If a public key for Secure Boot becomes invalid for any of these reasons, and you don't replace it, then an "Engine Offline" error message could appear in the console, and the computer will not be protected.

Enroll a Secure Boot key for AWS

  1. Download the required CA certificates and Trend Micro public keys for Secure Boot.
  2. If you do not have a platform key, see the AWS documentation to generate a Secure Boot platform key .
    WARNING
    WARNING
    Only replace the platform key if you can access the firmware of all devices that are loaded during boot (for example, the GPU). If you cannot update the firmware's signing chain to use your new platform key, then Secure Boot could make the instance permanently unable to boot.
  3. Create an EC2 virtual machine instance from a Linux distribution AMI that supports Secure Boot.
  4. In the console on that instance, install the Machine Owner Key (MOK) command mokutil, uefivars, and Python. For example, on Red Hat Enterprise Linux, enter the commands:
    yum install mokutil
yum install python3
curl -L -o uefivars.zip https://github.com/awslabs/python-uefivars/archive/refs/heads/main.zip
unzip uefivars.zip
    On Debian or Ubuntu, enter the commands:
    sudo apt-get update
sudo apt-get install efitools
sudo apt-get install python3
curl -L -o uefivars.zip https://github.com/awslabs/python-uefivars/archive/refs/heads/main.zip
unzip uefivars.zip
  5. Upload the CA certificates and Trend Micro public keys to the instance.
  6. Put each platform key, CA certificate, and Trend Micro public key inside a UEFI signature list (.esl) file. Combine them into one file, and then convert it into binary (.bin) format. For example, depending on which Trend Micro public keys you use, you might enter the commands:
    # Convert your platform key into signatures list format
cert-to-efi-sig-list YOUR_PLATFORM_KEY.crt YOUR_PLATFORM_KEY.esl
# Convert CA certificates
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_KEK.esl MicCorKEKCA2011_2011-06-24.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_PROD.esl MicWinProPCA2011_2011-10-19.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_UEFI.esl MicCorUEFCA2011_2011-06-27.crt
# Convert Trend Micro public keys
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS11.esl DS11_2022.der
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS12.esl DS12.der
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS20.esl DS20.der
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS20_v2.esl DS20_v2.der
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS2022.esl DS2022.der
# Combine CA and vendor public keys into one signatures list
cat MS_CA_PROD.esl MS_CA_UEFI.esl TREND_UEFI_db_DS11.esl TREND_UEFI_db_DS12.esl TREND_UEFI_db_DS20.esl TREND_UEFI_db_DS20_v2.esl TREND_UEFI_db_DS2022.esl > ALL_SIGNATURES_db.esl
cp *.esl /root/
# Combine all and convert to binary
./python-uefivars-main/uefivars.py -i none -o aws -O YOUR_BINARY_SIGNING_CHAIN.bin -P ./YOUR_PLATFORM_KEY.esl -K ./MS_CA_KEK.esl --db ./ALL_SIGNATURES_db.esl
    where 77fa9abd-0359-4d32-bd60-28f4e78f784b is the GUID in the SignatureOwner field of the Microsoft Corporation KEK CA 2011 certificate.
  7. Download the .bin file.
  8. Create a new EC2 snapshot of the instance.
  9. Go to AWS Cloudshell. Select Actions Files Upload file and then select the binary file.
  10. Create a new AMI with the snapshot ID and the .bin file that you uploaded. For example, you could enter the command:
    aws ec2 register-image --name LIFT-UBUNTU20SecureBootX64 --uefi-data $(cat YOUR_BINARY_SIGNING_CHAIN.bin) --block-device-mappings "DeviceName=/dev/sda1,Ebs= {SnapshotId={{YOUR-SNAPSHOT-ID}},DeleteOnTermination=true}" --architecture x86_64 --root-device-name /dev/sda1 --virtualization-type hvm --boot-mode uefi
  11. Use the customized image to create a new instance with Secure Boot enabled.
  12. Verify that the keys are successfully enrolled in the MOK list:
    mokutil --db | grep Trend
    and that the kernel has successfully loaded the Trend Micro public keys:
    dmesg | grep cert

Enroll a Secure Boot key for Google Cloud Platform

  1. Download the required CA certificates and Trend Micro public keys for Secure Boot.
  2. If you do not have a platform key, see the Google Cloud Platform documentation to generate a Secure Boot platform key.
    WARNING
    WARNING
    Only replace the platform key if you can access the firmware of all devices that are loaded during boot (for example, the GPU). If you cannot update the firmware's signing chain to use your new platform key, then Secure Boot could make the instance permanently unable to boot.
  3. Create customized virtual machine images with the CA certificates and Trend Micro public keys that will be used by Secure Boot. For example, you could enter the command:
    gcloud compute images create [IMAGE_NAME] \
 --source-image=[SOURCE_IMAGE] \
 --source-image-project=[SOURCE_PROJECT] \
 --platform-key-file=YOUR_PLATFORM_KEY.der \
 --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS2022.der,./DS20_v2.der,./DS20.der,./DS12.der,./DS11_2022.der[,OTHER_EXISTING_KEYS] \
 --guest-os-features=UEFI_COMPATIBLE
    Public keys must be in DER or BIN format. Separate each with a comma ( , ). For details on command usage and the API, see the Google Cloud Platform documentation.
    WARNING
    WARNING
    Include all valid existing Secure Boot keys when you enter this command. This command overwrites all existing keys. If you do not include them, they will be deleted and their kernel modules will not load.
  4. Use the customized image to create a new instance with Secure Boot enabled.
  5. Verify that the keys are successfully enrolled:
    grep 'Trend' /proc/keys

Enroll a Secure Boot key for VMware vSphere or physical computers

Tip
Tip
If many computers will use Secure Boot, then create a virtual machine or OS image file after you complete this procedure. New computers can be installed from that file.
Note
Note
If the computer uses Oracle Linux prior to UEK R6U3, then don't use this procedure. Instead, see Enroll a Secure Boot key for Oracle Linux.
  1. Download the required CA certificates and Trend Micro public keys for Secure Boot.
  2. If you do not have a platform key, see your Linux distribution's documentation to generate a Secure Boot platform key.
    WARNING
    WARNING
    Only replace the platform key if you can access the firmware of all devices that are loaded during boot (for example, the GPU). If you cannot update the firmware's signing chain to use your new platform key, then Secure Boot could make the computer permanently unable to boot.
  3. On the computer where Secure Boot will be enabled, install the Machine Owner Key (MOK) command mokutil. For example, on Red Hat Enterprise Linux, enter the command:
    yum install mokutil
    On Debian or Ubuntu, enter the commands:
    sudo apt-get update
sudo apt-get install efitools
  4. Add the Trend Micro public keys to the MOK list. Separate multiple keys (if required) with a space. For example:
    mokutil --import /opt/ds_agent/DS2022.der /opt/ds_agent/DS20_v2.der /opt/ds_agent/DS20.der
    When prompted, enter a password that you will use later in this procedure.
  5. Reboot the computer.
  6. When the computer restarts, the Shim UEFI key management console opens. Press any key to continue.
  7. On the Perform MOK management screen, select Enroll MOK.
  8. Select View key X if you need to verify the certificate hashes of the public keys. Press any key to return to the Enroll MOK screen.
  9. Select Continue on the Enroll the key(s)? screen.
  10. Select Yes, then enter the password that you entered earlier.
  11. On the The system must now be rebooted screen, select OK to confirm your changes and reboot.
  12. Verify that the keys are successfully enrolled in the MOK list:
    • On most operating systems, enter the command: mokutil --test-key /opt/ds_agent/${certificate_file}.der
    • On Debian 11, enter the command: keyctl show %:.platform | grep 'Trend'

Enroll a Secure Boot key for Oracle Linux

On Oracle Linux UEK R6 releases prior to UEK R6U3, Secure Boot requires slightly different steps. With Unbreakable Enterprise Kernel (UEK), the kernel will only trust keys that are in the built-in keyring. Because of this, the kernel must be recompiled with the Trend Micro public keys, and since that changes the kernel itself, you must also sign the new kernel boot image.
  1. Download the required CA certificates and Trend Micro public keys for Secure Boot.
  2. Follow the Oracle Linux documentation for Signing Kernel Images and Kernel Modules for Use With Secure Boot.
  3. When you reach the step for Insert the Module Certificate in the Kernel Image, replace pubkey.der with the name of your Trend Micro public key. For example:
    sudo /usr/src/kernels/$(uname -r)/scripts/insert-sys-cert -s /boot/System.map$(uname -r) -z /boot/vmlinuz$(uname -r) -c ./DS20_v2.der
  4. Continue with the remaining steps to sign the kernel boot image.
  5. Verify that the key is listed in the builtin_trusted_keys keyring:
    sudo keyctl show %:.builtin_trusted_keys | grep 'Trend'