Prepare your Google Cloud environment to allow Server & Workload Protection to support Secure Boot.

Important
  • You must have a platform key to enroll Secure Boot keys. If you do not have a platform key, see the Google Cloud documentation to generate a Secure Boot platform key.
  • Do not replace the platform key if you cannot access the firmware of all devices that are loaded during boot, such as the GPU. If you cannot update the firmware signing chain to use your new platform key, Secure Boot could make the instance permanently unable to boot.

Procedure

  1. Create customized virtual machine images with the CA certificates and Trend Micro public keys that will be used by Secure Boot.
    Important
    Include all valid existing Secure Boot keys when you run this command. The command overwrites the entire signature database (db); any existing key you leave out is deleted, and kernel modules signed with that key will no longer load.
    For example, you can use the following command:
    gcloud compute images create [IMAGE_NAME] \
     --source-image=[SOURCE_IMAGE] \
     --source-image-project=[SOURCE_PROJECT] \
     --platform-key-file=YOUR_PLATFORM_KEY.der \
     --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS2022.der,./DS20_v2.der,[OTHER_EXISTING_KEYS] \
     --guest-os-features=UEFI_COMPATIBLE
    Public keys must be in DER or BIN format. Separate multiple files with a comma (,). For details on command usage and the API, see the Google Cloud Platform documentation.
  2. Use the customized image to create a new instance with Secure Boot enabled.
  3. Verify that the keys are successfully enrolled.
    On the new instance, run grep 'Trend' /proc/keys. The Trend Micro keys should be listed in the kernel keyring; if the command prints nothing, the keys were not enrolled and signed kernel modules will be rejected.
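    The check in step 3 only confirms that a key is present; it does not confirm that the firmware is actually enforcing Secure Boot. The script below is an added example, not part of the Trend Micro or Google Cloud documentation, that does both on a UEFI Linux guest: it decodes the UEFI SecureBoot variable from efivars (1 = enabled) and counts Trend Micro keys in /proc/keys. The efivars path, the 'Trend' match pattern, and the /proc/keys sample lines used in testing are assumptions or constructed data, not values taken from this page.

```shell
#!/bin/sh
# Added example (not Trend Micro's or Google's own code): verify on the new
# instance that Secure Boot is enforcing and that the Trend Micro keys from the
# custom image were enrolled into the kernel keyring. File paths are arguments
# so the functions can also be exercised against constructed sample files.

# Default locations on a UEFI Linux guest (assumed; adjust for your distro).
EFIVAR_SECUREBOOT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
PROC_KEYS=/proc/keys

# secure_boot_enabled FILE
# An efivars file is a 4-byte attribute header followed by the variable data;
# for SecureBoot the data is a single byte, 1 = enabled, 0 = disabled.
# Returns 0 (true) only when that byte is 1.
secure_boot_enabled() {
    [ -r "$1" ] || return 1
    # od: no address column, unsigned decimal bytes, skip 4 bytes, read 1 byte
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# count_keys FILE PATTERN
# Print how many lines of FILE (normally /proc/keys) contain PATTERN in the
# key description. Prints 0 rather than failing when nothing matches or the
# file is unreadable, so callers can do arithmetic on the result.
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- "$2" "$1" || true
}

# check_instance EFIVAR_FILE PROC_KEYS_FILE
# Prints a PASS/FAIL line per check. Returns 0 only when Secure Boot is enabled
# and at least one Trend Micro key is present in the kernel keyring.
check_instance() {
    ok=0
    if secure_boot_enabled "$1"; then
        echo "PASS: Secure Boot is enabled"
    else
        echo "FAIL: Secure Boot is disabled or the EFI variable is unreadable"
        ok=1
    fi

    n=$(count_keys "$2" 'Trend')
    if [ "${n:-0}" -gt 0 ]; then
        echo "PASS: $n Trend Micro key(s) present in the kernel keyring"
    else
        echo "FAIL: no Trend Micro key found; signed kernel modules will be rejected"
        ok=1
    fi
    return "$ok"
}

# Run the live check only when invoked with --run, e.g.:
#   sudo sh check_secure_boot.sh --run
if [ "${1:-}" = "--run" ]; then
    check_instance "$EFIVAR_SECUREBOOT" "$PROC_KEYS"
fi
```

Run it as root on the instance so both files are readable. A FAIL on the first line with a PASS on the second is the case to watch for: the keys were enrolled, but the instance was created without Secure Boot enabled, so the key material is never consulted.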