Prepare your Azure environment to allow Server & Workload Protection to support Secure Boot.

Before you start:
For more information, see Secure Boot UEFI keys.

Procedure

  1. Select or create a generation 2 Azure VM with a Linux distribution image that supports Secure Boot.
    Server & Workload Protection requires a generation 2 Azure VM created from a Linux distribution image that supports Secure Boot and meets both of the following criteria:
    • The security type is specified as Trusted launch virtual machines.
    • The Enable Secure Boot security feature is selected.
    If you do not have such a VM, create a generation 2 Azure VM from a Linux distribution image that supports Secure Boot:
    1. When creating a new VM, select a VM image that supports generation 2.
    2. Go to the Create a virtual machine page in the Azure portal.
    3. From the Security type list, select Trusted launch virtual machines.
    4. In Configure security features, select Enable Secure Boot.
  2. Ensure the Azure VM is stopped and note the VM disk name.
  3. Execute the az login command locally or through the Cloud Shell on Azure.
  4. Execute the following script line by line to generate a shared access signature (SAS) URL for the disk and copy the disk to a VHD blob:
    # Prompt for the values the remaining commands need
    read -p 'Your Subscription ID: ' subscriptionId
    read -p 'Your Resource Group Name: ' resourceGroupName
    read -p 'Your Disk Name for Exporting: ' diskName
    read -p 'Input the Expiry Duration for SAS URL in seconds (for example, 3600): ' sasExpiryDuration
    read -p 'Your Storage Account Name to Hold this VHD file: ' storageAccountName
    read -p 'Your Storage Container Name: ' storageContainerName
    read -p 'Your Storage Account Key: ' storageAccountKey
    read -p 'Your Destination VHD File Name: ' destinationVHDFileName
    az account set --subscription "$subscriptionId"
    # Grant time-limited read access to the stopped disk and capture the SAS URL (quoted so it is never word-split)
    sas=$(az disk grant-access --resource-group "$resourceGroupName" --name "$diskName" --duration-in-seconds "$sasExpiryDuration" --query accessSas -o tsv)
    # Copy the disk contents to a VHD blob in the storage account using that SAS URL
    az storage blob copy start --destination-blob "$destinationVHDFileName" --destination-container "$storageContainerName" --account-name "$storageAccountName" --account-key "$storageAccountKey" --source-uri "$sas"
  5. Copy the code from Script for enrolling Secure Boot keys with Azure and save it as CreateSIGFromOSvhdWithCustomUEFIKey.json.
  6. Replace the values inside the double brackets {{ }} in the "parameters" section of the JSON file.
    Keep in mind the following:
    • The CreateSIGFromOSvhdWithCustomUEFIKey.json file is an example for custom deployment. The keys DS20_v2.der and DS2022.der are already included in it, in Base64 format.
    • To enroll another public key through the template, convert the key to single-line Base64 with the following command, and then add the resulting string to the JSON file:
      openssl base64 -in <Trend_Micro_public_key> -A
  7. Create a Shared Image Gallery (SIG) image using template deployment by Azure CLI.
    Use the following command:
    az deployment group create --resource-group <resource-group-name> --template-file CreateSIGFromOSvhdWithCustomUEFIKey.json
  8. Create an Azure VM using the custom deployment image.
  9. Verify that the keys are successfully enrolled in the Machine Owner Key (MOK) list.
    Use the following command:
    mokutil --db | grep Trend
  10. Verify that the kernel has loaded the Trend Micro public keys.
    Use the following command:
    dmesg | grep cert
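The key-conversion and template-editing part of steps 5 to 7 (Base64-encoding a DER public key and replacing a {{ }} placeholder in the JSON parameters) is easy to get subtly wrong: a multi-line Base64 string breaks the JSON, and a leftover placeholder makes the deployment fail. The script below is an added example, not the page's or Trend Micro's own code. It builds a throwaway self-signed certificate as constructed test data, encodes it exactly as the page's openssl command does, fills a constructed template fragment (the parameter name ADDITIONAL_DB_KEY_BASE64 is an assumption, not a name from the real template), and then checks that no placeholder survived and that the embedded value decodes back to the original DER bytes. It requires openssl, sed and cmp.

```shell
#!/bin/sh
# Added example (not from the original page or Trend Micro): prepare a DER key
# for a {{ }} placeholder in a Secure Boot key-enrollment template and verify it.
set -eu

# Encode a DER file as a single Base64 line (-A), the form a JSON string needs.
der_to_b64() {
    openssl base64 -in "$1" -A
}

# Replace every {{NAME}} placeholder in a template with VALUE.
# '|' is used as the sed delimiter because Base64 output never contains it.
fill_placeholder() {
    template="$1"; name="$2"; value="$3"
    sed "s|{{$name}}|$value|g" "$template"
}

# Decode a Base64 string and compare it byte for byte with the original DER file.
b64_roundtrip_ok() {
    der="$1"; b64="$2"
    printf '%s' "$b64" | openssl base64 -d -A | cmp -s - "$der"
}

# Pull the "value" string of the (single) parameter out of the filled template.
extract_value() {
    sed -n 's|.*"value": "\([^"]*\)".*|\1|p' "$1"
}

# Run the whole flow on constructed test data; prints "ok" or "fail".
demo() {
    work=$(mktemp -d)
    # Throwaway self-signed certificate standing in for a real public key (.der).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-secure-boot-key" \
        -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1
    openssl x509 -in "$work/cert.pem" -outform DER -out "$work/cert.der"
    # Constructed template fragment; the parameter name is an assumption.
    cat > "$work/template.json" <<'EOF'
{
  "parameters": {
    "additionalDbKey": { "value": "{{ADDITIONAL_DB_KEY_BASE64}}" }
  }
}
EOF
    b64=$(der_to_b64 "$work/cert.der")
    fill_placeholder "$work/template.json" ADDITIONAL_DB_KEY_BASE64 "$b64" \
        > "$work/filled.json"
    status=ok
    # Check 1: no {{ }} placeholder may remain in the filled template.
    if grep -q '{{' "$work/filled.json"; then status=fail; fi
    # Check 2: the value embedded in the JSON must decode to the original DER.
    embedded=$(extract_value "$work/filled.json")
    if ! b64_roundtrip_ok "$work/cert.der" "$embedded"; then status=fail; fi
    rm -rf "$work"
    echo "$status"
}

RESULT=$(demo)
echo "template check: $RESULT"
```

Use the same two checks on the real CreateSIGFromOSvhdWithCustomUEFIKey.json before running az deployment group create: grep for any remaining {{ and decode each Base64 key back to a file to confirm it matches the .der you intended to enroll.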