Prepare your Oracle Linux endpoints to allow Server & Workload Protection to support Secure Boot.

On Oracle Linux UEK R6 releases prior to UEK R6U3, Secure Boot requires slightly different steps. With Unbreakable Enterprise Kernel (UEK), the kernel will only trust keys that are in the built-in keyring. Because of this, the kernel must be recompiled with the Trend Micro public keys, and since that changes the kernel itself, you must also sign the new kernel boot image.

Procedure

  1. Follow the Oracle Linux documentation for Signing Kernel Images and Kernel Modules for Use With Secure Boot.
  2. When you reach the step for Signing the Kernel Module, replace pubkey.der with the name of your Trend Micro public key.
    For example, use the following command to add DS20_v2.der:
    sudo /usr/src/kernels/$(uname -r)/scripts/insert-sys-cert -s /boot/System.map-$(uname -r) -z /boot/vmlinuz-$(uname -r) -c ./DS20_v2.der
  3. Continue with the remaining steps to sign the kernel boot image.
  4. Verify that the key is listed in the builtin_trusted_keys keyring.
    Use the following command:
    sudo keyctl show %:.builtin_trusted_keys | grep 'Trend'
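
Checks that can bracket steps 2 and 4, as an added example that is not part of the original documentation or of Trend Micro's tooling: a pre-flight test of the insert-sys-cert inputs (including that the key file is DER rather than PEM) and a post-boot test of the keyring listing. The function names, the optional root prefix, and the sample keyctl output are assumptions constructed for illustration; paths use the standard /boot/System.map-<release> and /boot/vmlinuz-<release> naming.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not Oracle or Trend Micro tools.

# Sanity check: a DER certificate starts with 0x30 (ASN.1 SEQUENCE).
# A PEM file starts with "-----BEGIN" (0x2d) and is rejected.
is_der() {
  [ -s "$1" ] && [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Check the inputs of the insert-sys-cert command for kernel release $1 and
# certificate $2. $3 is an optional root prefix (assumption, eases testing).
# Prints one line per problem and returns the number of problems found.
preflight() {
  rel=$1 cert=$2 root=${3:-}
  problems=0
  for f in "$root/usr/src/kernels/$rel/scripts/insert-sys-cert" \
           "$root/boot/System.map-$rel" "$root/boot/vmlinuz-$rel"; do
    [ -e "$f" ] || { echo "missing: $f"; problems=$((problems + 1)); }
  done
  is_der "$cert" || { echo "not a DER certificate: $cert"; problems=$((problems + 1)); }
  return "$problems"
}

# Read `keyctl show %:.builtin_trusted_keys` output on stdin; succeed only if
# an asymmetric key whose description contains $1 is listed.
key_listed() {
  awk -v n="$1" '/asymmetric:/ && index($0, n) { found = 1 } END { exit !found }'
}

# Constructed sample of keyctl output (IDs and descriptions are made up).
SAMPLE_KEYCTL='Keyring
 111111111 ---lswrv      0     0  keyring: .builtin_trusted_keys
 222222222 ---lswrv      0     0   \_ asymmetric: Example Kernel Vendor: signing key: 0000000000000000
 333333333 ---lswrv      0     0   \_ asymmetric: Trend Micro (constructed description): 1111111111111111'

# Demo on the constructed sample; on a real endpoint, pipe keyctl into key_listed.
if printf '%s\n' "$SAMPLE_KEYCTL" | key_listed 'Trend'; then
  echo "Trend key listed (constructed sample)"
fi
```

On an endpoint, run `preflight "$(uname -r)" ./DS20_v2.der` before step 2, and `sudo keyctl show %:.builtin_trusted_keys | key_listed Trend` after rebooting into the signed kernel.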