
Secure boot (Symantec Agent for Linux – DCS and SEP)


1.0 Steps to configure a Secure Boot system with DCS or SEP Linux products ..... 3
1.1 Problem Description ..... 3
1.2 Supported Products ..... 3
1.3 Linux Platforms ..... 3
1.4 Verify Environment ..... 3
1.4.1 Install the mokutil package as root ..... 3
1.4.2 Verify the system is in Secure Boot mode ..... 3
1.5 Install the Product (DCS or SEP Linux) ..... 4
1.5.1 Install or update the product to get the latest driver kmod package ..... 4
1.5.2 DCS with prevention policy enabled ..... 4
1.6 Import public key into MOK key store ..... 4
1.6.1 Import the certificate key into the MOK list using mokutil ..... 4
1.6.2 Reboot the system ..... 4
1.6.3 Enter the Shim UEFI key management console during boot ..... 4
1.6.4 Press any key to enter the MOK Manager ..... 5
1.6.5 On the Perform MOK management screen, select Enroll MOK ..... 5
1.6.6 On the Enroll MOK screen, select View key 0 ..... 5
1.6.7 On the Enroll the key(s) screen, select Yes ..... 5
1.6.8 Select OK to confirm your changes and reboot ..... 6
1.7 Verify keys and modules are loaded ..... 6
1.7.1 Use the mokutil utility to check if the key successfully enrolled ..... 6

2.0 Steps to configure Support for Oracle Linux with UEK R6 ..... 7
2.1 Installing Required Packages (UEK R6 only) ..... 7
2.1.1 Install required repositories for Oracle Linux 7 ..... 7
2.1.2 Install required repositories for Oracle Linux 8 ..... 7
2.2 Generating a Signing Certificate for Kernel Image signing (UEK R6 only) ..... 8
2.2.1 Introduction ..... 8
2.2.2 Create a configuration file ..... 8
2.2.3 Generate a new key pair using the configuration file ..... 8
2.2.4 Export the certificate in PEM format ..... 9
2.3 Inserting the Symantec Module Certificate in the Kernel and Signing the Kernel Image (UEK R6 Only) ..... 9
2.3.1 Introduction ..... 9

pg. 1 How to configure a secure boot system with Symantec DCS or SEP Linux products v1.0
2.3.2 Configure an NSS Database ..... 9
2.3.3 Insert the Module Certificate in the Kernel Image ..... 9
2.3.4 Sign the Kernel Image ..... 10
2.3.5 Copy the signed kernel back to /boot ..... 10
2.4 Import the kernel signing public key into the MOK key store ..... 11
2.4.1 Import the certificate key into the MOK list using mokutil ..... 11
2.4.2 Enroll the key that was used to sign the kernel image ..... 11
2.4.3 Complete Importing of the kernel signing key ..... 11
2.5 Kernel update maintenance ..... 11
2.5.1 Repeat the following steps whenever a new UEK R6 kernel update is installed ..... 11

1.0 Steps to configure a Secure Boot system with DCS or SEP Linux products

1.1 Problem Description

Systems configured with Unified Extensible Firmware Interface (UEFI) Secure Boot do not load any kernel module that is not digitally signed. Signed kernel modules for the DCS and SEP Linux agents are now delivered through the product's kmod update. The system also needs the signing certificate in order to verify the kernel modules, so the public key of the signing certificate must be imported into the system once.

Note: On older systems where Secure Boot is not available, or on systems that are not booted with Secure Boot, the following message may appear in your syslog:

Request for unknown module key '<signing_key_common_name>' err -11

This is expected.

1.2 Supported Products

• Symantec Endpoint Protection (SEP) Linux 14.3 RU3 or later
• Data Center Security: Server Advanced (DCS:SA) 6.9.1 or later

1.3 Linux Platforms

• On systems running any Linux platform except Oracle Linux 7/8, follow steps 1.4 through 1.7.
• On systems running Oracle Linux 7/8 with UEK R6 or newer kernels, follow steps 1.4 through 1.7 and then the steps in section 2.0, Support for Oracle Linux UEK R6 kernels.

1.4 Verify Environment

1.4.1 Install the mokutil package as root.

    yum install -y mokutil      # Red Hat based systems
    zypper in -y mokutil        # SUSE based systems
    apt install -y mokutil      # Ubuntu/Debian based systems

1.4.2 Verify that the system is in Secure Boot mode.

    mokutil --sb-state

The output should show "Secure Boot enabled".

1.5 Install the Product (DCS or SEP Linux)

1.5.1 Install or update the product to get the latest driver kmod package.

The kmod package sdcss-kmod-10.0.2-1161 or later (DCS) or sdcss-kmod-10.0.1-1126 or later (SEP Linux) from the Symantec Linux repository is required. This step requires internet access.

The product update (kmod) delivers the digitally signed kernel modules together with the public key of the signing certificate.

If you are using the latest installer, a message describing these steps is displayed on your console during the install or upgrade process.

    ./LinuxInstaller          # SEP Linux 14.3 RU3 or later
-or-
    ./agent64-linux-*.bin     # DCS Linux 6.9.1 or later

1.5.2 DCS with prevention policy enabled

If you want prevention enabled, make sure to apply an updated DCS 6.9.1 prevention policy pack (24 Nov 2021 or later) before rebooting the agent with Secure Boot mode enabled. You can choose to merge existing prevention policies with the updated policy pack. Do not use an older prevention policy on Secure Boot systems.

The updated DCS 6.9.1 prevention policy pack is also attached to this article.

1.6 Import public key into MOK key store

1.6.1 Import the certificate key into the MOK list using mokutil.

As root, import the Symantec public key into the MOK key store; this is required on a system with UEFI Secure Boot configured. You will be prompted for a password. Make a note of it: after the reboot, MokManager will prompt for this password.

    mokutil --import /usr/lib/symantec/sdcssagent/driver/sis-key.der

1.6.2 Reboot the system.

1.6.3 Enter the Shim UEFI key management console during boot.

Open the system console (not an SSH terminal) and access the Shim UEFI key management console during boot. After the machine restarts, the Shim UEFI key management console is displayed on the system console.

1.6.4 Press any key to enter the MOK Manager.

If you do not access the Shim UEFI key management console within the default time of ten seconds, you must go back to step 1.6.1.

1.6.5 On the Perform MOK management screen, select Enroll MOK.

1.6.6 On the Enroll MOK screen, select View key 0.

Press Enter after confirming the key details.

1.6.7 On the Enroll the key(s) screen, select Yes.

Enter the password you set above for mokutil.

1.6.8 Select OK to confirm your changes and reboot.

1.6.9 If you do not respond to the system prompt to update the MOK when the host restarts, a timeout occurs. You must then run the mokutil command again to import the Symantec public key.

1.6.10 When prompted, reboot the host again. After the second reboot, verify that the certificate was added to the MOK list using the mokutil --test-key command.

1.7 Verify keys and modules are loaded

1.7.1 Use the mokutil utility to check if the key successfully enrolled.

    mokutil --test-key /usr/lib/symantec/sdcssagent/driver/sis-key.der

Output: /usr/lib/symantec/sdcssagent/driver/sis-key.der is already enrolled

The signed kernel modules are loaded after the boot completes.

    # lsmod | grep sis

For DCS:
    sisap                 102613  2
    sisevt                136726  2 sisap
    sisfim                144572  2
    sisips                134564  2

For SEP Linux:
    sisap                 102613  2
    sisevt                136726  2 sisap

At this point, the product is fully functional.
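The checks from 1.4.2 and 1.7.1 as a small script (an added example, not Symantec's tooling): each function takes command output as text, so the same logic runs on live output or on output captured from another host. The module lists and the sample lsmod output are constructed from the listings above.

```shell
#!/bin/sh
# Added example (not part of the Symantec document): the post-reboot checks from
# sections 1.4.2 and 1.7 as functions that take command output as text, so the
# same logic runs on live output or on output captured from another host, e.g.
#   sb_enabled "$(mokutil --sb-state)"
#   key_enrolled "$(mokutil --test-key /usr/lib/symantec/sdcssagent/driver/sis-key.der)"
#   missing_modules dcs "$(lsmod)"

# Modules each product loads, taken from the lsmod listing in section 1.7.1.
modules_for() {
    case "$1" in
        dcs) echo "sisap sisevt sisfim sisips" ;;
        sep) echo "sisap sisevt" ;;
        *)   echo "unknown product: $1" >&2; return 1 ;;
    esac
}

# 0 when mokutil --sb-state reports Secure Boot enabled. The document quotes the
# output as "Secure Boot enabled"; the pattern also accepts "SecureBoot enabled".
sb_enabled() {
    printf '%s\n' "$1" | grep -qi 'secure *boot enabled'
}

# 0 when mokutil --test-key reports the certificate as already enrolled.
key_enrolled() {
    printf '%s\n' "$1" | grep -q 'is already enrolled'
}

# Print "missing: <names>" for the product's modules absent from the first column
# of lsmod output. Returns 0 when all are loaded, 1 when some are missing, 2 for
# an unknown product.
missing_modules() {
    mods=$(modules_for "$1") || return 2
    missing=""
    for m in $mods; do
        if ! printf '%s\n' "$2" | awk '{print $1}' | grep -qx "$m"; then
            missing="$missing $m"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Constructed sample, modelled on the DCS lsmod listing in section 1.7.1.
SAMPLE_LSMOD='Module                  Size  Used by
sisap                 102613  2
sisevt                136726  2 sisap
sisfim                144572  2
sisips                134564  2'
```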

2.0 Steps to configure support for Oracle Linux with UEK R6

Before you can sign a module, you must install several required packages, including the kernel source for the kernel into which the module is loaded. You also need a signing certificate for a key pair that you created for this purpose.

If you are running Oracle Linux UEK R6 or later, the key that is used to sign the module must be compiled into the kernel, and the kernel must then be signed again. In addition to the steps above to import the module signing key into the MOK, the following steps are required for UEK R6 support.

2.1 Installing Required Packages (UEK R6 only)

A standard minimal installation of the latest Oracle Linux 7 or Oracle Linux 8 update release is required
for this procedure. Note that you must enable any required repositories prior to installing the required
packages.

2.1.1 Install required repositories for Oracle Linux 7

    yum update    # Optional: ensure you have the most recent kernel and related packages
    yum install kernel-uek-devel-$(uname -r)
    yum-config-manager --enable ol7_optional_latest
    yum install openssl keyutils mokutil pesign

2.1.2 Install required repositories for Oracle Linux 8

    dnf update    # Optional: ensure you have the most recent kernel and related packages
    dnf install kernel-uek-devel-$(uname -r)
    dnf install openssl keyutils mokutil pesign

2.2 Generating a Signing Certificate for Kernel Image signing (UEK R6 only)

2.2.1 Introduction
If you do not already have a signing certificate that you intend to use to sign your modules or kernel
images, you can generate one by using the OpenSSL utilities that are available in Oracle Linux.

Note: If you already have a certificate, you need its private key as well as the certificate in DER and PEM formats. These are referred to below as priv.key, pubkey.der and pubkey.pem.

2.2.2 Create a configuration file


Create a configuration file that OpenSSL can use to obtain the default values when you generate your
certificates. You can create this file at any location. It is useful to keep this file with the rest of your
OpenSSL configuration in /etc/ssl/x509.conf. The file should look similar to the following:

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = extensions

[ req_distinguished_name ]
O = Module Signing Example
CN = Module Signing Example Key
emailAddress = first.last@example.com

[ extensions ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

You should edit the O, CN and emailAddress fields to something more appropriate. Note that in
the extensions section of the configuration, the keyUsage field is set as
digitalSignature. Additionally, the extendedKeyUsage option is set to codeSigning for
compatibility with some key verification tools.

2.2.3 Generate a new key pair using the configuration file.

    openssl req -x509 -new -nodes -utf8 -sha512 -days 3650 -batch \
        -config /etc/ssl/x509.conf -outform DER \
        -out /etc/ssl/certs/pubkey.der -keyout /etc/ssl/certs/priv.key

This signing certificate is valid for 10 years (3,650 days). Ensure that the keys are adequately protected.

2.2.4 Export the certificate in PEM format.

    openssl x509 -inform DER -in /etc/ssl/certs/pubkey.der -out /etc/ssl/certs/pubkey.pem
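Sections 2.2.2 through 2.2.4 carried through in a scratch directory, followed by the checks a practitioner would want before the certificate goes anywhere near pesign or the MOK database (an added example, not part of the Symantec document). It assumes the openssl CLI is installed; the working directory is a constructed argument rather than the /etc/ssl paths used above.

```shell
#!/bin/sh
# Added example (not from the Symantec document): sections 2.2.2 to 2.2.4 carried
# through in a scratch directory, followed by checks on the properties that the
# pesign and MOK steps later rely on. Assumes the openssl CLI; the only argument
# is the working directory (constructed here, not the document's /etc/ssl paths).

# Write the x509.conf from 2.2.2, run the openssl req command from 2.2.3 (DER
# output) and export the PEM copy as in 2.2.4.
make_signing_cert() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/x509.conf" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = extensions
[ req_distinguished_name ]
O = Module Signing Example
CN = Module Signing Example Key
emailAddress = first.last@example.com
[ extensions ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    openssl req -x509 -new -nodes -utf8 -sha512 -days 3650 -batch \
        -config "$dir/x509.conf" -outform DER \
        -out "$dir/pubkey.der" -keyout "$dir/priv.key" 2>/dev/null || return 1
    chmod 600 "$dir/priv.key"   # the private key must stay protected
    openssl x509 -inform DER -in "$dir/pubkey.der" -out "$dir/pubkey.pem"
}

# 0 when the certificate is a non-CA leaf restricted to digital signature and
# code signing, i.e. exactly what the configuration asks for.
verify_signing_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE'          || return 1
    printf '%s\n' "$text" | grep -q 'Digital Signature' || return 1
    printf '%s\n' "$text" | grep -q 'Code Signing'      || return 1
}

# 0 when the DER file given to mokutil and the PEM file used for the PKCS#12
# export carry the same certificate (compared by SHA-256 fingerprint).
same_cert() {
    a=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -inform PEM -in "$2" -noout -fingerprint -sha256) || return 1
    [ "$a" = "$b" ]
}

# 0 when the private key belongs to the certificate's public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}
```

Generating a 4096-bit key takes a few seconds; the DER file is the one you hand to mokutil in 2.4.2 and the PEM file is the one the PKCS#12 export in 2.3.2 consumes.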

2.3 Inserting the Symantec Module Certificate in the Kernel and Signing the Kernel Image (UEK R6 Only)

2.3.1 Introduction

The Symantec product key that was used to sign the modules must be inserted into the compiled kernel image. UEK R6 only trusts modules that are signed with keys listed in the kernel's builtin trusted keyring. Because the kernel image is modified, it must be signed again using the certificate generated above, which must also be added to the UEFI or MOK database. It is useful to perform the following steps in the directory where your certificates are stored. Run these commands as the root user.

    cd /etc/ssl/certs

2.3.2 Configure an NSS Database.

The pesign tool that you use to sign the kernel requires that the kernel signing key is stored within an NSS database. The NSS database is designed for storing complete sets of keys.
When you use the certutil command, you are prompted for a password for the NSS database. Choose a password for the database. This password is required when signing the kernel.
Create an NSS database to use with pesign:

    certutil -d . -N

NSS utilities are only capable of working with PKCS#12 formatted key files. For this reason, you must export a PKCS#12 version of the kernel signing key so that you can sign the kernel image:

    openssl pkcs12 -export -inkey /etc/ssl/certs/priv.key -in /etc/ssl/certs/pubkey.pem \
        -name cert -out /etc/ssl/certs/cert.p12

The previous step requires that you enter a password for the PKCS#12 archive. It is useful if this password matches the password that you use for the NSS database, where this data is ultimately stored.

Add the PKCS#12 version of the kernel signing key to the new database. You are prompted first for the password of the NSS database that you have just created. Next, you are prompted for the password that you used when you exported the PKCS#12 key file.

    pk12util -d . -i cert.p12

2.3.3 Insert the Module Certificate in the Kernel Image.

Use the insert-sys-cert utility provided in the kernel to insert the raw DER certificate that was used to sign the module into the compressed kernel boot image:

    /usr/src/kernels/$(uname -r)/scripts/insert-sys-cert -s /boot/System.map-$(uname -r) \
        -z /boot/vmlinuz-$(uname -r) -c /usr/lib/symantec/sdcssagent/driver/sis-key.der

Important: Only a single custom certificate can be added to the kernel because the compressed size of
the kernel's boot image cannot increase. Do not attempt to add multiple certificates to the kernel boot
image.

2.3.4 Sign the Kernel Image.

Use the pesign utility to remove the existing PE signature and resign the kernel with the new key that is stored in the NSS database. Note that you are prompted for the password of the NSS certificate database that you created in Configure an NSS Database.

    pesign -u 0 -i /boot/vmlinuz-$(uname -r) --remove-signature -o vmlinuz.unsigned
    pesign -n . -c cert -i vmlinuz.unsigned -o vmlinuz.signed -s

2.3.5 Copy the signed kernel back to /boot.

Note that the copy command uses the -b option to create a backup of the original kernel image. When prompted to overwrite the existing /boot/vmlinuz file, type yes.

    cp -bf vmlinuz.signed /boot/vmlinuz-$(uname -r)

2.4 Import the kernel signing public key into the MOK key store

Importing the public key used to sign the kernel into the MOK key store is required on a system with UEFI Secure Boot configured.

2.4.1 Import the certificate key into the MOK list using mokutil.

You are prompted for a password. Make a note of this password. After a reboot, MokManager prompts for this password.

2.4.2 Enroll the key that was used to sign the kernel image.
For systems that run UEK R6, you must enroll the key that was used to sign the kernel image into the
MOK database.

    mokutil --import /etc/ssl/certs/pubkey.der

2.4.3 Complete Importing of the kernel signing key.


Repeat the following steps to complete the import of the kernel signing key into the MOK key store and
verify that the modules are loaded:

• 1.6.2 thru 1.6.8 Import public key into MOK key store
• 1.7 Verify keys and modules are loaded

2.5 Kernel update maintenance

2.5.1 Repeat the following steps whenever a new UEK R6 kernel update is installed.

Repeat the following steps after booting into the new kernel:
• 2.1 Installing Required Packages (UEK R6 only)
• 2.3.3 - 2.3.5 Inserting the Symantec Module Certificate in the Kernel and Signing the Kernel Image

Optional cleanup
The following packages can be removed from the system if they were installed. They are not required again until the next kernel update needs to be signed.

    yum remove kernel-uek-devel pesign keyutils
