Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Enrolling Trend Micro public key on Linux Secure Boot-enabled environment for Trend Micro Endpoint Sensor

    • Updated:
    • 17 Jun 2021
    • Product/Version:
    • Trend Micro Vision One All
    • Platform:
Summary

The Unified Extensible Firmware Interface (UEFI) Secure Boot feature is supported from RHEL 7 and CentOS 7 of XDR Sensor on Linux. When Secure Boot is enabled, the Linux kernel performs a signature check on kernel modules before they are installed.

If you intend to use XDR Sensor on Linux where Secure Boot is enabled, you must enroll the Trend Micro public key into the Linux computer's firmware so that it recognizes the Trend Micro kernel module's signature. Otherwise, the Sensor features can't be enabled.

This article will guide users on how to enroll the Trend Micro public key.

Details
Public

Users should follow the steps below to enroll the Trend Micro public key:

  1. Enable XDR capability for the endpoint from Trend Micro Vision One Endpoint Inventory. After enabled, the Trend Micro public key is in /opt/TrendMicro/vls_agent/DS20.der.
  2. Install the Machine Owner Key (MOK) facility, if it isn't already installed. Use the following command:

    • for RHEL and CentOS

      yum install mokutil

    • for Ubuntu

      apt-get install mokutil

  3. Add the public key, DS20.der, to the MOK list:

    mokutil --import DS20.der

     
    For details about manually adding the public key to the MOK list, see your Linux documentation.
     
  4. When prompted, enter a password that you will use later in this procedure.
  5. Reboot the system.
  6. After the computer restarts, the Shim UEFI key management console opens.

    Shim UEFI key management console

  7. Press any key to get started.
  8. On the Perform MOK management screen, select Enroll MOK.
  9. On the Enroll MOK screen, select View key 0.
  10. On the Enroll the key(s)? screen, select Yes and then enter the password you set in step 4, above.
  11. On the The system must now be rebooted screen, select OK to confirm your changes and reboot.
  12. Use the mokutil utility to check if the key successfully enrolled or not. Use the following command:

    mokutil --test-key /opt/TrendMicro/vls_agent/DS20.der

Premium
Internal
Partner
Rating:
Category:
Install
Solution Id:
000284184
Feedback
Did this article help you?

Thank you for your feedback!


*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.