Prepare your endpoints to allow Server & Workload Protection to support Secure Boot.

Important
  • You must have a platform key to enroll Secure Boot keys. If you do not have a platform key, refer to the documentation for your Linux distribution to generate a Secure Boot platform key.
  • Do not replace the platform key if you cannot access the firmware of all devices that are loaded during boot, such as the GPU. If you cannot update the firmware signing chain to use your new platform key, Secure Boot could make the instance permanently unable to boot.
  • If the computer uses Oracle Linux prior to UEK R6U3, then don't use this procedure. Instead, see .
  • If you plan on configuring many endpoints to use Secure Boot, Trend Micro recommends creating a golden image after completing this procedure. For more information, see Deployment using a golden image.

Procedure

  1. On the endpoint on which you want to enable Secure Boot, install the Machine Owner Key (MOK) utility, mokutil.
    For example, on Red Hat Enterprise Linux, type the command:
    yum install mokutil
    For Debian or Ubuntu, type the commands:
    sudo apt-get update
    sudo apt-get install efitools
  2. Add the Trend Micro public keys to the MOK list.
    Separate multiple keys with a space. For example:
    mokutil --import /opt/ds_agent/secureboot/DS2022.der /opt/ds_agent/secureboot/DS20_v2.der
    When prompted, provide a password. Make sure to save the password, or use a password you can remember. The endpoint requires the password to enroll the keys in a later step.
  3. Reboot the endpoint.
    When the endpoint restarts, the Shim UEFI key management console appears.
  4. Press any key to continue.
  5. On the Perform MOK management screen, select Enroll MOK.
  6. If you need to verify the certificate hashes of the public keys, select View key X.
  7. On the Enroll the key(s)? screen, select Continue.
  8. Select Yes, and provide the password you configured previously.
  9. On the The system must now be rebooted screen, select OK to confirm your changes and reboot.
  10. After the endpoint finishes rebooting, verify that the keys are successfully enrolled in the MOK list.
    On most operating systems, use the command mokutil --test-key /opt/ds_agent/${certificate_file}.der
    For Debian 11, use the command keyctl show %:.platform | grep 'Trend'
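The following script is an added example, not part of Trend Micro's documentation or agent tooling. It wraps the verification in step 10 (and the hash check in step 6) so it can be run on a fleet of endpoints after the reboot: it reports the firmware Secure Boot state, then tells you whether each Trend Micro .der key is in the MOK list, using mokutil --test-key where available and the keyctl fallback on Debian 11. The key paths default to the ones imported in step 2. It assumes mokutil prints "<file> is already enrolled" or "<file> is not enrolled" for --test-key and "SecureBoot enabled" or "SecureBoot disabled" for --sb-state; the parsing functions are separated from the live commands so they can be exercised on captured output.

```shell
#!/bin/sh
# Added example (not Trend Micro's code): post-reboot check that the MOK
# enrollment from the procedure above actually took effect.
#
# Assumed command output formats (see lead-in):
#   mokutil --sb-state         -> "SecureBoot enabled" | "SecureBoot disabled"
#   mokutil --test-key <file>  -> "<file> is already enrolled" | "<file> is not enrolled"
#   keyctl show %:.platform    -> one line per certificate in the kernel platform keyring

# Map the text of `mokutil --sb-state` to a single word.
parse_sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Map the text of `mokutil --test-key <file>` to a single word.
# "is already enrolled" is tested first so it cannot be confused with "is not enrolled".
parse_test_key() {
    case "$1" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo missing ;;
        *)                       echo unknown ;;
    esac
}

# Debian 11 fallback: the kernel platform keyring lists the certificates it
# loaded from the MOK list; $1 is the keyctl output, $2 the subject substring
# to look for (the procedure greps for 'Trend').
parse_platform_keyring() {
    case "$1" in
        *"$2"*) echo enrolled ;;
        *)      echo missing ;;
    esac
}

# Step 6 aid: print the certificate fingerprint of a DER file so it can be
# compared with the hash shown on the shim "View key" screen.
key_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256
}

# Live check: one line per key; exit status 0 only if every key is enrolled.
check_mok_keys() {
    failed=
    if command -v mokutil >/dev/null 2>&1; then
        echo "secureboot: $(parse_sb_state "$(mokutil --sb-state 2>&1)")"
    fi
    for key in "$@"; do
        if command -v mokutil >/dev/null 2>&1; then
            status=$(parse_test_key "$(mokutil --test-key "$key" 2>&1)")
        elif command -v keyctl >/dev/null 2>&1; then
            status=$(parse_platform_keyring "$(keyctl show %:.platform 2>&1)" Trend)
        else
            status=unknown
        fi
        echo "$key: $status"
        [ "$status" = enrolled ] || failed=1
    done
    [ -z "$failed" ]
}

# Run the live check only when invoked with key paths, e.g.
#   sh check_mok.sh /opt/ds_agent/secureboot/DS2022.der /opt/ds_agent/secureboot/DS20_v2.der
if [ "$#" -gt 0 ]; then
    check_mok_keys "$@"
fi
```

Run it with the same .der paths you passed to mokutil --import; a non-zero exit means at least one key is missing from the MOK list, which is the state to look for before a golden image is captured.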