Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

SUSE 15 SecureBoot checking codeSigning EKU for kernel module after kernel 5.3.18-24.34-default update

    • Updated:
    • 7 Dec 2020
    • Product/Version:
    • Deep Security All
    • Platform:
    • SUSE15
Summary
Customer that are using SuSE15 sp2 with kernel version 5.13.18-24.34-default or higher may encounter issues loading the Deep Security kernel modules. The affected modules are include the following:

Anti-Malware
Integrity Monitoring
Application Control
Firewall
Intrusion Prevention
Web Reputation

In dmesg, OS kernel blocked the driver insertion due to key is not CodeSigning.  

=======================================================================================
2020-11-18T15:39:25.259404-03:00 v-dev-mt-tb04 systemd[1]: Starting Trend Micro Deep Security Agent...

2020-11-18T15:39:25.294069-03:00 v-dev-mt-tb04 ds_agent.init[26146]: Starting ds_agent: ..done
2020-11-18T15:39:25.298093-03:00 v-dev-mt-tb04 systemd[1]: Started Trend Micro Deep Security Agent.
2020-11-18T15:39:25.500526-03:00 v-dev-mt-tb04 kernel: [615494.127515] PKCS7: sinfo 1: The signer 3e8692f6 key is not CodeSigning
2020-11-18T15:39:25.500542-03:00 v-dev-mt-tb04 kernel: [615494.127520] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7
=======================================================================================

 In ds_agent.log,  You can see Deep Security Agent (DSA) is unable to open driver because of CodeSigning error.
=======================================================================================
2020-11-18 15:39:25.359153 [-0300]: [Info/5] | DSA 20.0.0.1337 starting. | ..._Integration_SUSE15x64/src/dsa/core/scripts/ds_agent.lua:205:(null) | 663E:7FDB7834C700:CScriptThread
...
2020-11-18 15:39:25.484645 [-0300]: [Message/3] | Running: /opt/ds_agent/Linux.init start | ...on_SUSE15x64/src/dsa/plugins/filter/dsp/filter/Linux.lua:101:(null) | 663E:7FDB7834C700:CScriptThread
2020-11-18 15:39:25.521083 [-0300]: [Warning/2] | dsp.filter.Updater:Update(): unable to open driver. Error: No such file or directory | ..._SUSE15x64/src/dsa/plugins/filter/dsp/filter/Updater.lua:751:UpdateNolock | 663E:7FDB7834C700:CScriptThread
2020-11-18 15:39:25.000000 [-0300]: [Info/5] | AgentEvent 1000: dsi.open|No such file or directory |
=======================================================================================
 
Details
Public
SuSE kernel add codesigning EKU checking for their kernel module after 5.3.18-24.34-default,  We need to create new secure boot public key with extra filed “Extended Key Usage”. DS20_v2.der has been created and will be included in the future DS20 update. Please follow the instructions on below if you encounter this issue.
 
  1. Enroll DS20_v2.der again for passing codesigning EKU checking, please follow the instructions on below:
    https://help.deepsecurity.trendmicro.com/20_0/on-premise/agent-linux-secure-boot.html

Note: new public key should be under /opt/ds_agent/secureboot/DS20_v2.der, please ask support’s help to get this new key if you can’t find it in your agent build.
 
  1. Go to DSM console, do the following steps for importing latest SuSE15 kernel support package.
 a. Login to DSM
b. Click Administration
c. Click Software and click “Check for updates”
d. Click Download Center
e. Find lastest SuSE15 KSPs (KernelSupport-SuSE_15-20.0.0-1547.x86_64.zip)
f. Click “IMPORT NOW”


Reference: https://github.com/SUSE/kernel/commit/11340e5c3590a9a4467412887f6218419cbbb194

 
Premium
Internal
Partner
Rating:
Category:
Configure; Deploy; Upgrade
Solution Id:
000283063
Feedback
Did this article help you?

Thank you for your feedback!


*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.