Topics on this page
Configure Linux Secure Boot for agents
Some versions of Deep Security Agent for Linux are compatible with Unified Extensible Firmware Interface (UEFI) Secure Boot.
When Secure Boot is enabled, the computer's Linux kernel checks the PKI signature of each kernel module before it is loaded. It does not load unsigned kernel modules, nor modules with invalid signatures. The following Deep Security Agent features install kernel modules:
- Anti-Malware
- Web Reputation
- Firewall
- Integrity Monitoring
- Intrusion Prevention
- Application Control
To use these features with Secure Boot, then you must enroll the public keys from Trend Micro in the computer's firmware so that it can validate those kernel module signatures.
Methods vary by platform:
- Enroll a Secure Boot key for AWS
- Enroll a Secure Boot key for Google Cloud Platform
- Enroll a Secure Boot key for VMware vSphere or physical computers
- Enroll a Secure Boot key for Oracle Linux
- Enroll a Secure Boot key for Azure
Download the Trend Micro public keys
Before you enroll them on Secure Boot computers, you must download the Trend Micro public keys for validating kernel module signatures. If you are experiencing problems with downloading the key files, right-click and select Save Link As.
The public keys are encoded in DER format:
-
DS2022.der
SHA-256 certificate hash:BB FA 4A B8 3C 61 A0 3F 1D D0 4B A7 A4 51 75 E7 D7 EF D3 C8 4B F3 D9 FE A0 CE AB B9 2A F4 8E 92
-
DS20_V2.der
SHA-256 certificate hash:B3 36 43 7B 12 B3 EB 6A 4E 4A 44 62 40 4F 1F BD 21 32 70 77 4C 33 7D 1C 5A 58 7C 99 83 F7 30 C7
When the agent is deployed on SuSE 15 with kernels 5.3.18-24.34-default or later, DS20_v2.der
is required because verification of kernel module signatures has changed.
- DS20.der
SHA-256 certificate hash:CB 44 47 C8 76 CF 28 79 2F 8E B6 76 F1 42 4B D4 93 82 70 0E 46 92 ED 69 83 0C C3 52 E9 E4 71 03
- DS12.der
SHA-256 certificate hash:CB 44 47 C8 76 CF 28 79 2F 8E B6 76 F1 42 4B D4 93 82 70 0E 46 92 ED 69 83 0C C3 52 E9 E4 71 03
- DS11_2022.der
SHA-256 certificate hash:BB FA 4A B8 3C 61 A0 3F 1D D0 4B A7 A4 51 75 E7 D7 EF D3 C8 4B F3 D9 FE A0 CE AB B9 2A F4 8E 92
Note that the old public key for agent version 11 (DS11.der
with a SHA-1 hash 7D 96 56 5C 3A 77 B7 A7 24 49 D5 6A A5 0C 28 AA D7 3B 0B FB
) expired on December 5, 2022. To continue using the agent after this date, you must enroll this new public key. Otherwise an "Engine Offline" error message appears in the console and the computer loses protection.
You also must download the intermediate certificate authority (CA) certificates that are required to validate the signing chain on the Trend Micro public keys. If Microsoft updates these CA certificates, then you need to use the new certificates. The CA certificates are X.509 v3 CRT files encoded in DER format:
- MicWinProPCA2011_2011-10-19.crt
Microsoft Windows Production PCA 2011
SHA-256 certificate hash:E8 E9 5F 07 33 A5 5E 8B AD 7B E0 A1 41 3E E2 3C 51 FC EA 64 B3 C8 FA 6A 78 69 35 FD DC C7 19 61
- MicCorUEFCA2011_2011-06-27.crt
Microsoft Corporation UEFI CA 2011
SHA-256 certificate hash:48 E9 9B 99 1F 57 FC 52 F7 61 49 59 9B FF 0A 58 C4 71 54 22 9B 9F 8D 60 3A C4 0D 35 00 24 85 07
- MicCorKEKCA2011_2011-06-24.crt
Microsoft Corporation KEK CA 2011
SHA-256 certificate hash:A1 11 7F 51 6A 32 CE FC BA 3F 2D 1A CE 10 A8 79 72 FD 6B BE 8F E0 D0 B9 96 E0 9E 65 D8 02 A5 03
Update the Trend Micro public key
You must update your enrolled public keys for signed Trend Micro kernel modules if any of the following applies:
You upgrade the agent to a newer major release
In every major release of Deep Security Agent (for example, 12.0 and 20.0), Trend Micro refreshes the public keys for Secure Boot kernel module signatures. New kernel module signatures cannot be validated with an old public key. As a result, when you upgrade the agent, you must also enroll the new public key.
The public key has expired
Agent version | Key | Expiry date | Comment |
20 | DS2022.der | 24-Nov-2031 | A new replacement key is expected to be released one year before the expiry date. |
DS20.der | 26-Nov-2024 | DS20.der will be replaced by DS2022.der upon its expiry. Ensure that DS2022.der is enrolled prior to the expiry date of DS20.der. | |
DS20_V2.der | 24-Oct-2026 |
|
|
12 | DS12.der | 26-Nov-2024 | DS12.der will be replaced by DS2022.der upon its expiry. Ensure that DS2022.der is enrolled prior to the expiry date of DS12.der. |
11 | DS11_2022.der | 24-Nov-2031 | |
DS11.der | 05-Dec-2022 |
For Deep Security Agent 20 to use Secure Boot, it is essential to have DS2022.der, DS20_V2.der, and DS20.der keys enrolled.
Linux kernel module signature verification has changed
When you update the Linux kernel, the method that it uses to verify kernel module signatures might change. This might require you to replace the enrolled public keys.
For example, SuSE 15 added EKU code signing verification in kernel version 5.3.18-24.34-default, which required a new public key version, DS20_v2.der
.
If a public key for Secure Boot becomes invalid for any of these reasons and you do not replace it, then an "Engine Offline" error message might appear in the console and the computer could become unprotected.
Enroll a Secure Boot key for AWS
-
Download the required CA certificates and Trend Micro public keys for Secure Boot.
-
If you do not have a platform key, see the AWS documentation to generate a Secure Boot platform key .
Only replace the platform key if you can access the firmware of all devices that are loaded during boot (for example, the GPU). If you cannot update the firmware's signing chain to use your new platform key, then Secure Boot could make the instance permanently unable to boot.
-
Create an EC2 virtual machine instance from a Linux distribution AMI that supports Secure Boot.
-
In the console on that instance, install the Machine Owner Key (MOK) command
mokutil
,uefivars
, and Python.
On Red Hat Enterprise Linux, enter the following commands:yum install mokutil yum install python3 curl -L -o uefivars.zip https://github.com/awslabs/python-uefivars/archive/refs/heads/main.zip unzip uefivars.zip
On Debian or Ubuntu, enter the following commands:
sudo apt-get update sudo apt-get install efitools sudo apt-get install python3 curl -L -o uefivars.zip https://github.com/awslabs/python-uefivars/archive/refs/heads/main.zip unzip uefivars.zip
-
Upload the CA certificates and Trend Micro public keys to the instance.
-
Put each platform key, CA certificate, and Trend Micro public key inside a UEFI signature list (
.esl
) file. Combine them into one file, and then convert it into binary (.bin
) format.
Depending on which Trend Micro public keys you use, you might enter the following commands:# Convert your platform key into signatures list format cert-to-efi-sig-list YOUR_PLATFORM_KEY.crt YOUR_PLATFORM_KEY.esl # Convert CA certificates sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_KEK.esl MicCorKEKCA2011_2011-06-24.crt sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_PROD.esl MicWinProPCA2011_2011-10-19.crt sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_UEFI.esl MicCorUEFCA2011_2011-06-27.crt # Convert Trend Micro public keys sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS11.esl DS11_2022.der sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS12.esl DS12.der sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS20.esl DS20.der sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS20_v2.esl DS20_v2.der sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS2022.esl DS2022.der # Combine CA and vendor public keys into one signatures list cat MS_CA_PROD.esl MS_CA_UEFI.esl TREND_UEFI_db_DS11.esl TREND_UEFI_db_DS12.esl TREND_UEFI_db_DS20.esl TREND_UEFI_db_DS20_v2.esl TREND_UEFI_db_DS2022.esl > ALL_SIGNATURES_db.esl cp *.esl /root/ # Combine all and convert to binary ./python-uefivars-main/uefivars.py -i none -o aws -O YOUR_BINARY_SIGNING_CHAIN.bin -P ./YOUR_PLATFORM_KEY.esl -K ./MS_CA_KEK.esl --db ./ALL_SIGNATURES_db.esl
where
77fa9abd-0359-4d32-bd60-28f4e78f784b
is the GUID in theSignatureOwner
field of the Microsoft Corporation KEK CA 2011 certificate. -
Download the
.bin
file. -
Create a new EC2 snapshot of the instance.
-
Go to AWS Cloudshell, select Actions > Files > Upload file, and then select the binary file.
-
Create a new AMI with the snapshot ID and the
.bin
file that you uploaded.
For example, you may enter the following command:aws ec2 register-image --name LIFT-UBUNTU20SecureBootX64 --uefi-data $(cat YOUR_BINARY_SIGNING_CHAIN.bin) --block-device-mappings "DeviceName=/dev/sda1,Ebs= {SnapshotId={{YOUR-SNAPSHOT-ID}},DeleteOnTermination=true}" --architecture x86_64 --root-device-name /dev/sda1 --virtualization-type hvm --boot-mode uefi
-
Use the customized image to create a new instance with Secure Boot enabled.
-
Execute the following command to verify that the keys are successfully enrolled in the MOK list:
mokutil --db | grep Trend
and that the kernel has successfully loaded the Trend Micro public keys:
dmesg | grep cert
Enroll a Secure Boot key for Google Cloud Platform
-
Download the required CA certificates and Trend Micro public keys for Secure Boot.
-
If you do not have a platform key, consult the Google Cloud Platform documentation to generate a Secure Boot platform key.
Only replace the platform key if you can access the firmware of all devices that are loaded during boot (for example, the GPU). If you cannot update the firmware's signing chain to use your new platform key, then Secure Boot could make the instance permanently unable to boot.
-
Create customized virtual machine images with the CA certificates and Trend Micro public keys to be used by Secure Boot.
For example, you may enter the following command:gcloud compute images create [IMAGE_NAME] \ --source-image=[SOURCE_IMAGE] \ --source-image-project=[SOURCE_PROJECT] \ --platform-key-file=YOUR_PLATFORM_KEY.der \ --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./DS2022.der,./DS20_v2.der,./DS20.der,./DS12.der,./DS11_2022.der[,OTHER_EXISTING_KEYS] \ --guest-os-features=UEFI_COMPATIBLE
Public keys must be in DER or BIN format. Separate each with a comma (
,
). For details on command usage and the API, see the Google Cloud Platform documentation.You need to include all valid existing Secure Boot keys when you enter the preceding command, as it overwrites all existing keys. If you do not include them, they will be deleted and their kernel modules will not load.
-
Use the customized image to create a new instance with Secure Boot enabled.
-
Execute the following command to verify that the keys have been successfully enrolled:
grep 'Trend' /proc/keys
Enroll a Secure Boot key for VMware vSphere platform
Follow these steps to enroll a Secure Boot key for the VMware vSphere virtualization platform, unless the computer uses a release earlier than the Unbreakable Enterprise Kernel Release 6 Update 3 (UEK R6U3) for Oracle Linux:
-
Download the required CA certificates and Trend Micro public keys for Secure Boot.
-
On the computer where Secure Boot is to be enabled, install the Machine Owner Key (MOK) command
mokutil
.
On Red Hat Enterprise Linux, enter the following command:yum install mokutil
On Debian or Ubuntu, enter the following commands:
sudo apt-get update sudo apt-get install efitools
-
Add the Trend Micro public keys to the MOK list, separating multiple keys with a space (if applicable). For Deep Security Agent version earlier than 20.0.0.7119, execute the following command:
mokutil --import /opt/ds_agent/DS2022.der /opt/ds_agent/DS20_v2.der /opt/ds_agent/DS20.der
For Deep Security Agent version 20.0.0.7119 or later, execute the following command:
mokutil --import /opt/ds_agent/secureboot/DS2022.der /opt/ds_agent/secureboot/DS20_v2.der /opt/ds_agent/DS20.der
When prompted, enter a password that you will use later.
-
Reboot the computer.
-
On the Shim UEFI key management console, press any key to continue.
-
On the Perform MOK Management screen, select Enroll MOK.
-
If you need to verify the certificate hashes of the public keys, select View Key X, and then press any key to return to the Enroll MOK screen.
-
Click Continue on the Enroll the Key(s)? screen.
-
Click Yes, and then enter the password that you entered earlier.
-
On The System Must Now Be Rebooted screen, click OK to confirm your changes and reboot.
-
Execute the following command to verify that the keys are successfully enrolled in the MOK list:
On most operating systems, enter the following command:
mokutil --test-key /opt/ds_agent/${certificate_file}.der
On Debian Linux 11 or Debian Linux 12, enter the following command:
keyctl show %:.platform | grep 'Trend'
If multiple computers need to use Secure Boot, then you should create a virtual machine or OS image file. New computers can be installed from that file.
Enroll a Secure Boot key for physical computers
Follow these steps to enroll a Secure Boot key for a physical computer, unless it uses a release earlier than the Unbreakable Enterprise Kernel Release 6 Update 3 (UEK R6U3) for Oracle Linux:
-
Download the required CA certificates and Trend Micro public keys for Secure Boot.
-
If you do not have a platform key, consult your Linux distribution's documentation to generate a Secure Boot platform key.
Only replace the platform key if you can access the firmware of all devices that are loaded during boot (for example, the GPU). If you cannot update the firmware's signing chain to use your new platform key, then Secure Boot could make the instance permanently unable to boot.
-
On the computer where Secure Boot is to be enabled, install the Machine Owner Key (MOK) command
mokutil
.
On Red Hat Enterprise Linux, enter the following command:yum install mokutil
On Debian or Ubuntu, enter the following commands:
sudo apt-get update sudo apt-get install efitools
-
Add the Trend Micro public keys to the MOK list, separating multiple keys with a space (if applicable). For Deep Security Agent version earlier than 20.0.0.7119, execute the following command:
mokutil --import /opt/ds_agent/DS2022.der /opt/ds_agent/DS20_v2.der /opt/ds_agent/DS20.der
For Deep Security Agent version 20.0.0.7119 or later, execute the following command:
mokutil --import /opt/ds_agent/secureboot/DS2022.der /opt/ds_agent/secureboot/DS20_v2.der /opt/ds_agent/DS20.der
When prompted, enter a password that you will use later.
-
Reboot the computer.
-
On the Shim UEFI key management console, press any key to continue.
-
On the Perform MOK Management screen, select Enroll MOK.
-
If you need to verify the certificate hashes of the public keys, select View Key X, and then press any key to return to the Enroll MOK screen.
-
Click Continue on the Enroll the Key(s)? screen.
-
Click Yes, and then enter the password that you entered earlier.
-
On The System Must Now Be Rebooted screen, click OK to confirm your changes and reboot.
-
Execute the following command to verify that the keys are successfully enrolled in the MOK list:
On most operating systems, enter the following command:
mokutil --test-key /opt/ds_agent/${certificate_file}.der
On Debian Linux 11 or Debian Linux 12, enter the following command:
keyctl show %:.platform | grep 'Trend'
If multiple computers need to use Secure Boot, then you should create a virtual machine or OS image file. New computers can be installed from that file.
Enroll a Secure Boot key for Oracle Linux
On the releases earlier than the Unbreakable Enterprise Kernel Release 6 Update 3 (UEK R6U3) for Oracle Linux, Secure Boot requires a slightly different procedure. With the Unbreakable Enterprise Kernel (UEK), the kernel only trusts keys that are in the built-in keyring. Therefore, the kernel must be recompiled with the Trend Micro public keys, and since that changes the kernel itself, you must also sign the new kernel boot image.
- Download the required CA certificates and Trend Micro public keys for Secure Boot.
- Follow the Oracle Linux documentation for Signing kernel images and kernel modules for use with Secure Boot.
-
When you reach the step for Insert the module certificate in the kernel image, replace
pubkey.der
with the name of your Trend Micro public key. For example:sudo /usr/src/kernels/$(uname -r)/scripts/insert-sys-cert -s /boot/System.map$(uname -r) -z /boot/vmlinuz$(uname -r) -c ./DS20_v2.der
-
Continue with the remaining steps to sign the kernel boot image.
-
Execute the following command to verify that the key is listed in the
builtin_trusted_keys
keyring:sudo keyctl show %:.builtin_trusted_keys | grep 'Trend'
Enroll a Secure Boot key for Azure
-
Download the required CA certificates and Trend Micro public keys for Secure Boot.
-
If you have a generation 2 Azure VM created from a Linux distribution image with support for Secure Boot, ensure that this VM meets the following criteria:
-
The security type is specified as Trusted launch virtual machines.
-
The Enable Secure Boot security feature is selected.
If you do not have a generation 2 Azure VM, create it from a Linux distribution image that supports Secure Boot, as follows:
- Select a VM image with generation 2 supported.
- Navigate to the Create a virtual machine page in the Azure portal.
- From the Security type list, select Trusted launch virtual machines.
- In Configure security features, select Enable Secure Boot.
-
-
Ensure that the Azure VM is stopped and note the VM disk name.
-
Execute the
az login
command locally or through the Cloud Shell on Azure. -
Execute the following script line by line to generate a shared access signatures (SAS) URL:
read -p 'Your Subscription ID: ' subscriptionId read -p 'Your Resource Group Name: ' resourceGroupName read -p 'Your Disk Name for Exporting: ' diskName read -p 'Input the Expiry Duration for SAS URL in seconds (for example, 3600): ' sasExpiryDuration read -p 'Your Storage Account Name to Hold this VHD file: ' storageAccountName read -p 'Your Storage Container Name: ' storageContainerName read -p 'Your Storage Account Key: ' storageAccountKey read -p 'Your Destination VHD File Name: ' destinationVHDFileName az account set --subscription $subscriptionId sas=$(az disk grant-access --resource-group $resourceGroupName --name $diskName --duration-in-seconds $sasExpiryDuration --query [accessSas] -o tsv) az storage blob copy start --destination-blob $destinationVHDFileName --destination-container $storageContainerName --account-name $storageAccountName --account-key $storageAccountKey --source-uri $sas
-
Copy the contents of the following file and save it as
CreateSIGFromOSvhdWithCustomUEFIKey.json
:{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json", "contentVersion": "1.0.0.0", "parameters": { "galleryName": { "defaultValue": "{{ change to custom gallary name for the deployed template }}", "type": "String", "metadata": { "description": "Name of the gallery" } }, "imageDefinitionName": { "defaultValue": "{{ change to custom image definition name }}", "type": "String", "metadata": { "description": "Name of the image definition" } }, "versionName": { "defaultValue": "{{ change to custom image version }}", "type": "String", "metadata": { "description": "Name of the image version" } }, "storageAccountName": { "defaultValue": "{{ change to custom storage account name contains the exported OS vhd }}", "type": "string", "metadata": { "description": "Storage account name containing the OS vhd" } }, "vhdURI": { "defaultValue": "{{ change to custom vhd URL of the exported OS vhd }}", "type": "String", "metadata": { "description": "OS vhd URL" } }, "imagePublisher": { "defaultValue": "{{ change to custom image publisher name }}", "type": "String", "metadata": { "description": "Publisher name of the image" } }, "offer": { "defaultValue": "{{ change to custom image offer name }}", "type": "String", "metadata": { "description": "Offer of the image" } }, "sku": { "defaultValue": "{{ change to custom image sku name }}", "type": "String", "metadata": { "description": "Sku of the image" } }, "osType": { "defaultValue": "Linux", "allowedValues": [ "Windows", "Linux" ], "type": "String", "metadata": { "description": "Operating system type" } }, "gallerySecurityType": { "defaultValue": "TrustedLaunchSupported", "type": "String", "allowedValues": [ "TrustedLaunchSupported", "TrustedLaunchAndConfidentialVMSupported" ], "metadata": { "description": "Gallery Image security type" } }, "customDBKeyDS20": { "defaultValue": "MIIFtjCCA56gAwIBAgIJAMeeWqgc+/HdMA0GCSqGSIb3DQEBCwUAMGsxGjAYBgNVBAoMEVRyZW5kIE1pY3JvLCBJbmMuMSUwIwYDVQQDDBxUcmVuZCBNaWNybyBEZWVwIFNlY3VyaXR5IDEyMSYwJAYJKoZIhvcNAQkBFhdjc3VwcG9ydEB0cmVuZG1pY3JvLmNvbTAeFw0xODExMjgwNzE5NTBaFw0yNDExMjYwNzE5NTBaMGsxGjAYBgNVBAoMEVRyZW5kIE1pY3JvLCBJbmMuMSUwIwYDVQQDDBxUcmVuZCBNaWNybyBEZWVwIFNlY3VyaXR5IDEyMSYwJAYJKoZIhvcNAQkBFhdjc3VwcG9ydEB0cmVuZG1pY3JvLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANwAWo6ZMy6uJOY7J0rpKjTaaN/C5iJA3Aotgw/CtZj5rOVzYQat3cpnOjTdJzemD/LAvzclzmYR3CP+3xkZ/nOH3W8QDEYBXvjYcBhwdwsttSkBdA1oQb97kBXJwV3izHwGucIYnDQNCwxXZ8dts/YqdNjlqp1Dih/89pVTsu0t+rLx7kM6f3jFCh3D9mLuPXNBb6kTdSRyipJ7KZqHJp0bRRwgm/RC70z7M+rC9n2AJAgVb3qUFwe54G1GfbqKOsrJpnJdHdUIZtggNYMMjZWxA6vwhsbcKC4t5mTkn9nmL6lBcTWO7dEJe58ireScTv8PbuZ/KFu7oAYqaeAICmiDFc2P2qrqkDxNjDkYOvV3RjPpygoxf5KDyYzIisz2CHco6kyXStlIQSWUUnj4FAABTE5702rIMt8hF/EoPk1jFFVNUMVFEzygLob3eNOS2xZgVgCTDx8JqLzIn92BHCVhXQz4aLX4xjIjTrZGe7FLwhbVc3jVBGuT4RTU9LoXS482oDICPGoitMqlMBTNQG3Ktwk2ExFDJ09vU94snMNlwBmQPyr/G5Zz+Fn+XRg7BzqdiIKkekCtGPzeyxrFs3eBByFYflPbQXRfqZjAyLGpSzHHV/hCYIUmJjI/IeZ9tP9zf7eHEhhE435lJGvxD1n3y2Fh3a05tKB64EcBq+DRAgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBRXOdWLbdwOa9iq0lvno8i2r3vcIzAfBgNVHSMEGDAWgBRXOdWLbdwOa9iq0lvno8i2r3vcIzANBgkqhkiG9w0BAQsFAAOCAgEAGxCfUzZIDwQAZppQ0/6rjS5K/S5PUHf7n2fQq+/c52SV3G7mwNdEODWAodDqzoqlKaJMUuyOlYxAX0J/EC8BB+OatDJDiu5pwA0p8JuJrt6+CJOIIraVwRmcRCmVEz4VZhtrTx9KpJFW5ryoFX21Nc4M8HCu6jxN++D8hhd/xQG2CHVr9jr0w7dl+BoYdguB6urfAtHxh+t+iSer+BhEDeu6hLLV+yLM7xpRMr3c+So5/drFwXAdMvKYs4w+zPOZOox7EQ1x6qwepH1vvv4yP0c7uRVnty+o/Uh3/NDz9x5y+5NBVHELWbThX1hMUX/PfJ6ZLm/FB+wnUt1E3fj4t9/W9yVD8NfOAlsedl/FaJ0NrTGUAJPGAyT7NLp73D4Yge3A9Y2cebuFDhxy7ilQxnrIRbn4IpArE/pl8jP7f+QswPrbmXL5Be7oLIiCY6O3kT2EV+kaY5dcKcGiS2CSwoJYMudwDm4KU10XY7qYftGONn0uZ018iC2OBoAjFKyk1QMyWRMcA3CyxOFGkFIpzM5jhjqMdQTurBvGRY8mqYsD3j+17AV/HfJ92x5K3L0x0wttiO9Z90Z5Mz3Z0QtsNk/VlZH80Fl2byLMt+O6dnsh+0tAXiga5cT7V2opq1HFHD3vc3n644wrt7bsR9Ns+uWL3VqD8rN3VOCN+ehgInU=", "type": "String", "metadata": { "description": "Custom UEFI DB DS20.der in base64 format" } }, "customDBKeyDS20V2": { "defaultValue": "MIIFyzCCA7OgAwIBAgIJAOqCjczOdriRMA0GCSqGSIb3DQEBCwUAMGsxGjAYBgNVBAoMEVRyZW5kIE1pY3JvLCBJbmMuMSUwIwYDVQQDDBxUcmVuZCBNaWNybyBEZWVwIFNlY3VyaXR5IDIwMSYwJAYJKoZIhvcNAQkBFhdjc3VwcG9ydEB0cmVuZG1pY3JvLmNvbTAeFw0yMDExMjQwOTIzNTFaFw0yNjEwMjQwOTIzNTFaMGsxGjAYBgNVBAoMEVRyZW5kIE1pY3JvLCBJbmMuMSUwIwYDVQQDDBxUcmVuZCBNaWNybyBEZWVwIFNlY3VyaXR5IDIwMSYwJAYJKoZIhvcNAQkBFhdjc3VwcG9ydEB0cmVuZG1pY3JvLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5e7V+I80gksQSQR74uxAZylIdKaLVqBob/J6Fbca8zt7pdxCLeebu6S3yT0DRiaS5UslWO21v9q09cuqd0GoDCCaImNdMpCfTB91OZf9t3gHili0cTUyzkktT8n4g2/xw2mzoXBrm5PvX2psCFwBFh3FE7Mb5VgeA/Bh8uz7jpV9+7+TjouHQ9DXgV2dIDD2QacvtvaGyFqssNLKoKOnEm6+7o0/Cl/9eIzJT0YKzqS2BFY13ANHVTJieNVrfl9dIu1XxU7ABQ8LOVI835CAIJGJyYtIhnu2bCei7AGZzPYP7Way7djOvmG+2t+NopIE/RMTknsn3NQMJtrUi4oJOAwI36z8dMDBASUUCpglK12C9z6vHelNrE4z/tiUFYei2OBsLB/yNP9HloVDq4CMvcrZzwWbUtxmtcbTIW/uU1LOsqV92aHIMA3ZivLvvAPvlr4/8NltTvEy5N/CsxUxAeC21AbE9OXDyyE/9C+VB16YvrqQIEm5IW1Q0/fmmO6rBwy3Uu+4vZcUkq0QbOji/XcNbu17Cfg5fMuuLKu7kwqtl0JZxhZ0XBNdmhOL+XfwrZbZvCqXIKFZo1QsXsbFIoiOWVakXDonUTLPLJX5n5/7iIrw7hiUViPvTrkAUSjUm5OIu1p+hkKjGDHehdU4XX2bv9rrLAh3vIKxQSCTdlAgMBAAGjcjBwMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBQ50RP6qbc9bEOp0jufVa+TgZWLlzAfBgNVHSMEGDAWgBQ50RP6qbc9bEOp0jufVa+TgZWLlzANBgkqhkiG9w0BAQsFAAOCAgEAXBhNUgJeKlB/ZwwsIjJsGXa9IPczWfTklg85hZILCT5Khcxl36zs6AEdtbW5pjV/hN+bV5LD84ZHoAa76ib4iHdU5nK4Q35AhWFdXMTCjg5bm78lESkyC7vLIjj1ITy2K3k+CgZosDXSe9V77AIN43+R4wwqbsI/FEuXmLw8UHW1DSQphjzcNGXAdbJVXhGoYLLBpyZ/OSFqhcqWwTtHZukrivtfix8fAQZ1GvfPZA0NlseXbSh883aERqwgP/etvdkUFuby0P66YTSaGZ4Dc9Q5NB4sJ+W/GcSz7Tnn2cF/hZor9ErjC+AUD0nvhn0IaJxzcCpz53XjFD8K/XeHVpBP8FqHFCoh7Ro4WcYBFR+DfoCc9Xq6tovWFZlcokybM7AmYw3DDisclkfMZFmhxi+yZQ6fmN9evVp2g7X/+w+hHrV38pnpz323186ALqSXShBPqG3HcQRvjdnS1Ve1nS8UKvy+ae+0+TKR9KTD+jQsL9daW4NfaSaBetFmdnbuNRIlKXscgoSne+Qi3YhtI93BoOnfpxEbWB4sWnSHkDO9iekSa42tabtCaY1d1MHxdYtdEBb1Gx5aWl8CmsZoWB0xRrk1NG7S8Mi+ux/2LiOfECkm1mpzaUY0w4dKfTT7/YeVAm1zgumWX+T0dsDc5Sc3t7AxiLHSmTxtYphFT4c=", "type": "String", "metadata": { "description": "Custom UEFI DB DS20_V2.der in base64 format" } }, "customDBKeyDS2022": { "defaultValue": "MIIFzzCCA7egAwIBAgIJAIfzdTk2xdt2MA0GCSqGSIb3DQEBCwUAMG0xGjAYBgNVBAoMEVRyZW5kIE1pY3JvLCBJbmMuMScwJQYDVQQDDB5UcmVuZCBNaWNybyBEZWVwIFNlY3VyaXR5IDIwMjIxJjAkBgkqhkiG9w0BCQEWF2NzdXBwb3J0QHRyZW5kbWljcm8uY29tMB4XDTIxMTEyNjA2MzI0OVoXDTMxMTEyNDA2MzI0OVowbTEaMBgGA1UECgwRVHJlbmQgTWljcm8sIEluYy4xJzAlBgNVBAMMHlRyZW5kIE1pY3JvIERlZXAgU2VjdXJpdHkgMjAyMjEmMCQGCSqGSIb3DQEJARYXY3N1cHBvcnRAdHJlbmRtaWNyby5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCWb6JAyvw0PoMfHEMoBtj3hsRS8q5TPFoa6vDrAOcJZf0MTw3NZjlbnNzVP/Ri4J5DGpOWDXLte0ngugtdAG+w3y8UY8K2agEq1ehGIB3iUz45zPqDiQWs/huafj96q9FzNlWkLJT+M0E2l0qpNJ9NlyphbQ+cnccm1fHrNOMNtEbm31nW4DVD9VyB7BFf4NRS2h4FiDjRqUTAREMfk84MReQNEP98kPZLXR3ajE4MTZztYF6INR68nK9Jzig/vJjMRpMwFp+VkQaFnbiti6hbfRjS/GbCW62aJJCTHEavbyJKKY1+MRG406lYVlpH632iyvHfj2ni+B7lLvfi5qag+27mX+rBxlqLGuiwNu0geGv5GTlmDyx2onNWRz1akk5GJUloY2xG9ak92o6WsnDdJCXlFHytPc0R+FleZ/nNNpyzPYr1V8pqWenk+wpVcA7BsuRHofWYzut98GkjGYWXXjsipaDt1V2tTKNexFgzMCUIi/tJGmUe3U6czS4zk3tXiTq2Z3kZvrV59nRWJ+QEdax0ICNZH6AEqNNajgvcvP9WcZmOtgozNxoJuQrCETMKcPQ+JgLbSAiZU7zLIp1z7XF358G7Azu/AGFpJ0orSpZ9f2J7f1WQ8CsHUgz9KISw6P7b8j160CCEbLBxcRnORCGSeVpO5tdKt4a7oil5wwIDAQABo3IwcDAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUnbil6RHtl1sidPNZk/35mq9EaWAwHwYDVR0jBBgwFoAUnbil6RHtl1sidPNZk/35mq9EaWAwDQYJKoZIhvcNAQELBQADggIBADsauvVNB9jPnlkOJY48eayLDfDN6JMriDA8Q0s0X9EZtTBMcRSNGIQjtyr4LOCOMNrUGMG2XFKHa8S17QYtcFM/2Y+t7aOilSTokWTkwC9jU1XBESH7fV44d/fYEO5yD3LBYw5BIEgSqJg39rdWWWOD6N1CGRwH3SZwT1aeDj7+YqCYXIUFR/jUm6SXyenoxIlSkn6Ymf3Pil3GtnqqxW1+VfkL6YOa715/3ZxqdWfvf1ArUL0spEtQEm4yHwdCuhPWbIG1RKejSFSLk92B/RdxqvYXiCxZ5SLziOLslvW0s48LrQ0TEr/HWhiuJ2Q//NSSCllUYy9f6CwXnW38xml+zZu/I8qJ5smI19JfO77HeRGACNSp2GC/C2mamLb1dSXSDKG6YomcrEFSO9oll/gfi6hwCw5Lx21/dD2SBjKMnwBYGRvDsovE2BQ26GnzvKQbJZW+kN6s5Gi3L0C56kSLLZUFJUxkKFN2//Qyu0cMC0oeecr+CYDxAHD2FMf4HGJAAScnk9mcEhxYs+B2IW/nCaRjbYvUg1LdaOR9oCXH14rh+FJ9DZmR84ia/YArHOJXSX/ziy0ftePgAGqQBmHNIPDA0TSGUYg/P5fcfYTT2bKO6lV/uXiqmDQuuCm1ietUpaTAJ0kWdDxhDzJem+N1qABRpuT93xbaapiX3199", "type": "String", "metadata": { "description": "Custom UEFI DB DS2022.der in base64 format" } } }, "variables": { "linuxSignatureTemplate": "MicrosoftUefiCertificateAuthorityTemplate", "windowsSignatureTemplate": "MicrosoftWindowsTemplate" }, "resources": [ { "type": "Microsoft.Compute/galleries", "apiVersion": "2022-01-03", "name": "[parameters('galleryName')]", "location": "[resourceGroup().location]", "tags": { "AzSecPackAutoConfigReady": "true" }, "properties": { "identifier": {} } }, { "type": "Microsoft.Compute/galleries/images", "apiVersion": "2022-08-03", "name": "[concat(parameters('galleryName'), '/', parameters('imageDefinitionName'))]", "location": "[resourceGroup().location]", "dependsOn": [ "[resourceId('Microsoft.Compute/galleries', parameters('galleryName'))]" ], "tags": { "AzSecPackAutoConfigReady": "true" }, "properties": { "hyperVGeneration": "V2", "architecture": "x64", "osType": "[parameters('osType')]", "osState": "Generalized", "identifier": { "publisher": "[parameters('imagePublisher')]", "offer": "[parameters('offer')]", "sku": "[parameters('sku')]" }, "features": [ { "name": "SecurityType", "value": "TrustedLaunchSupported" } ], "recommended": { "vCPUs": { "min": 1, "max": 16 }, "memory": { "min": 1, "max": 32 } } } }, { "type": "Microsoft.Compute/galleries/images/versions", "apiVersion": "2022-08-03", "name": "[concat(parameters('galleryName'), '/',parameters('imageDefinitionName'),'/', parameters('versionName'))]", "location": "[resourceGroup().location]", "dependsOn": [ "[resourceId('Microsoft.Compute/galleries/images', parameters('galleryName'), parameters('imageDefinitionName'))]", "[resourceId('Microsoft.Compute/galleries', parameters('galleryName'))]" ], "properties": { "publishingProfile": { "targetRegions": [ { "name": "[resourceGroup().location]", "regionalReplicaCount": 1 } ] }, "storageProfile": { "osDiskImage": { "hostCaching": "ReadOnly", "source": { "uri": "[parameters('vhdURI')]", "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" } } }, "securityProfile": { "uefiSettings": { "signatureTemplateNames": [ "[if(equals(parameters('osType'),'Linux'), variables('linuxSignatureTemplate'), variables('windowsSignatureTemplate'))]" ], "additionalSignatures": { "db": [ { "type": "x509", "value": [ "[parameters('customDBKeyDS20')]" ] }, { "type": "x509", "value": [ "[parameters('customDBKeyDS20V2')]" ] }, { "type": "x509", "value": [ "[parameters('customDBKeyDS2022')]" ] } ] } } } } } ] }
-
Replace the values inside
{{ }}
in the"parameters"
section of theCreateSIGFromOSvhdWithCustomUEFIKey.json
file, keeping in mind the following:-
The preceding
CreateSIGFromOSvhdWithCustomUEFIKey.json
file is an example for custom deployment.DS20.der
,DS20_v2.der
, andDS2022.der
have already been filled in by Base64 format. -
To enroll another public key into the template, use the following command to convert the key to Base64 format, and then add the key to the JSON file:
openssl base64 -in <Trend_Micro_public_key> -A
-
-
Create a Shared Image Gallery (SIG) image using template deployment by Azure CLI, as follows:
az deployment group create --resource-group <resource-group-name> --template-file CreateSIGFromOSvhdWithCustomUEFIKey.json
-
Create an Azure VM by the custom deployment image.
-
Execute the following command to verify that the keys are successfully enrolled in the Machine Owner Key (MOK) list:
mokutil --db | grep Trend
-
Execute the following command to verify that the kernel has loaded the Trend Micro public keys:
dmesg | grep cert
For more information, see Secure Boot UEFI keys.