Summary
Customers using SuSE15 SP2 with kernel version 5.13.18-24.34-default or higher may encounter issues loading the Deep Security kernel modules. The affected modules include the following:
Anti-Malware
Integrity Monitoring
Application Control
Firewall
Intrusion Prevention
Web Reputation
In dmesg, the OS kernel blocks the driver insertion because the signer's key is not a CodeSigning key.
=======================================================================================
2020-11-18T15:39:25.259404-03:00 v-dev-mt-tb04 systemd[1]: Starting Trend Micro Deep Security Agent...
2020-11-18T15:39:25.294069-03:00 v-dev-mt-tb04 ds_agent.init[26146]: Starting ds_agent: ..done
2020-11-18T15:39:25.298093-03:00 v-dev-mt-tb04 systemd[1]: Started Trend Micro Deep Security Agent.
2020-11-18T15:39:25.500526-03:00 v-dev-mt-tb04 kernel: [615494.127515] PKCS7: sinfo 1: The signer 3e8692f6 key is not CodeSigning
2020-11-18T15:39:25.500542-03:00 v-dev-mt-tb04 kernel: [615494.127520] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7
=======================================================================================
In ds_agent.log, you can see that Deep Security Agent (DSA) is unable to open the driver because of the CodeSigning error.
=======================================================================================
2020-11-18 15:39:25.359153 [-0300]: [Info/5] | DSA 20.0.0.1337 starting. | ..._Integration_SUSE15x64/src/dsa/core/scripts/ds_agent.lua:205:(null) | 663E:7FDB7834C700:CScriptThread
...
2020-11-18 15:39:25.484645 [-0300]: [Message/3] | Running: /opt/ds_agent/Linux.init start | ...on_SUSE15x64/src/dsa/plugins/filter/dsp/filter/Linux.lua:101:(null) | 663E:7FDB7834C700:CScriptThread
2020-11-18 15:39:25.521083 [-0300]: [Warning/2] | dsp.filter.Updater:Update(): unable to open driver. Error: No such file or directory | ..._SUSE15x64/src/dsa/plugins/filter/dsp/filter/Updater.lua:751:UpdateNolock | 663E:7FDB7834C700:CScriptThread
2020-11-18 15:39:25.000000 [-0300]: [Info/5] | AgentEvent 1000: dsi.open|No such file or directory |
=======================================================================================
Details
The SuSE kernel added codesigning EKU checking for its kernel modules after 5.3.18-24.34-default, so we need to create a new secure boot public key with the extra field “Extended Key Usage”. DS20_v2.der has been created and will be included in a future DS20 update. Please follow the instructions below if you encounter this issue.
- Enroll DS20_v2.der again so that it passes the codesigning EKU check. Follow the instructions here:
https://help.deepsecurity.trendmicro.com/20_0/on-premise/agent-linux-secure-boot.html
Note: The new public key should be under /opt/ds_agent/secureboot/DS20_v2.der. Ask support for this new key if you can’t find it in your agent build.
- Go to the DSM console and do the following steps to import the latest SuSE15 kernel support package.
b. Click Administration
c. Click Software and click “Check for updates”
d. Click Download Center
e. Find the latest SuSE15 KSPs (KernelSupport-SuSE_15-20.0.0-1547.x86_64.zip)
f. Click “IMPORT NOW”
Reference: https://github.com/SUSE/kernel/commit/11340e5c3590a9a4467412887f6218419cbbb194
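A triage helper for the symptom and fix described above, as an added example that is not Trend Micro's code: it extracts the rejected signer ID from kernel log text and checks whether a DER public key carries the Code Signing Extended Key Usage before you enroll it. The function names are hypothetical; the sample log is the two kernel lines from the dmesg excerpt on this page, and the certificate check assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not vendor code; function names are hypothetical.

# Two kernel lines copied from the dmesg excerpt on this page.
SAMPLE_LOG='2020-11-18T15:39:25.500526-03:00 v-dev-mt-tb04 kernel: [615494.127515] PKCS7: sinfo 1: The signer 3e8692f6 key is not CodeSigning
2020-11-18T15:39:25.500542-03:00 v-dev-mt-tb04 kernel: [615494.127520] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7'

# Print each signer key ID the kernel rejected for lacking the
# codeSigning EKU, one per line. Reads kernel log text on stdin.
rejected_signers() {
    sed -n 's/.*PKCS7: sinfo [0-9][0-9]*: The signer \([0-9A-Fa-f][0-9A-Fa-f]*\) key is not CodeSigning.*/\1/p' | sort -u
}

# Succeed if the log on stdin shows lockdown refusing a module load.
lockdown_blocked() {
    grep -q 'Lockdown: .*unsigned module loading is restricted'
}

# Succeed if the DER certificate "$1" lists Code Signing in its
# X509v3 Extended Key Usage extension. Needs the openssl CLI.
has_codesigning_eku() {
    openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; if (/Code Signing/) ok = 1 }
             END { exit !ok }'
}

# Combine both checks: log on stdin, candidate key path in "$1".
# Returns 0 when the log shows no EKU rejection, 1 otherwise.
triage() {
    log=$(cat)
    signers=$(printf '%s\n' "$log" | rejected_signers)
    if [ -z "$signers" ]; then
        echo "no codeSigning EKU rejection in log"
        return 0
    fi
    echo "rejected signer(s): $signers"
    if has_codesigning_eku "$1"; then
        echo "$1 has the Code Signing EKU and is suitable to enroll"
    else
        echo "$1 is missing, unreadable or lacks the Code Signing EKU"
    fi
    return 1
}
```

On an affected host this would be run as `dmesg | triage /opt/ds_agent/secureboot/DS20_v2.der`.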