
Installation of the Cytomic client software on Linux platforms with Secure Boot

Related Products_
  • Cytomic EPDR
  • Cytomic EDR
Situation_

Some Linux distributions detect whether Secure Boot is enabled on the computer and, if it is, disable protection software that is not correctly signed. Secure Boot can be detected when the software is installed, or later if the distribution did not initially support this feature and it was added in a later update. In either case, an error is displayed in the console and the protection software will not run.

Solution_

To enable the protection software in this case, follow this procedure directly on the computer in order to interact with the boot system:

  1. Go to the computer console and run this command:
    sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh
    IMPORTANT! The protection agent version has this format: protection-agent-03.01.00.0001-1.5.0_741_g8e14e52
    A message is displayed explaining the implications of using Secure Boot.
  2. Press C to register the certificate used to sign the modules.
  3. Create an 8-character password.
  4. Restart the computer and complete the registration process:
    • Press any key to start the registration process (this screen appears for a limited time, so if no key is pressed, it is necessary to restart the registration process).
    • From the menu, select Enroll MOK. A new menu opens showing the number of KEYS to register.
    • Check that the KEYS are those corresponding to the Cytomic protection, and select Continue to continue the registration process.
    • Enter the password created in step 3 and use the REBOOT option to restart the computer.
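
Added example, not part of Cytomic's documentation: a shell check that reports how far the enrollment above has progressed, based on the output of `mokutil`. It assumes `mokutil` is installed and that the enrolled certificate carries the signer name shown in the sample output further down; the function names and state labels are hypothetical.

```shell
#!/bin/sh
# Added example: report how far the MOK enrollment has progressed.
# SIGNER_CN is the signer name from the page's sample output; function
# names and state labels are hypothetical, chosen for this example.
SIGNER_CN="UA-MOK Driver Signing"

# has_signer TEXT: true if a certificate listing names SIGNER_CN as subject CN.
# Accepts both "CN=name" and "CN = name" renderings.
has_signer() {
    printf '%s\n' "$1" | grep -Eq "Subject:.*CN ?= ?${SIGNER_CN}([,/]| *\$)"
}

# enrollment_state SB ENROLLED PENDING: the three arguments are the outputs of
# `mokutil --sb-state`, `mokutil --list-enrolled` and `mokutil --list-new`.
enrollment_state() {
    case "$1" in
        *"validation is disabled"*) echo "secure-boot-off"; return 0 ;;
        *"SecureBoot enabled"*) ;;
        *) echo "secure-boot-off"; return 0 ;;
    esac
    if has_signer "$2"; then
        echo "enrolled"            # step 4 completed
    elif has_signer "$3"; then
        echo "pending-reboot"      # imported, MOK Manager step still to do
    else
        echo "not-imported"        # rerun the import script
    fi
}

# check_host: query the running system (needs root and the mokutil package).
check_host() {
    enrollment_state "$(mokutil --sb-state 2>&1)" \
        "$(mokutil --list-enrolled 2>/dev/null)" \
        "$(mokutil --list-new 2>/dev/null)"
}

# Constructed sample listing, trimmed to the lines the parser reads.
SAMPLE_CERT="[key 1]
Certificate:
    Data:
        Subject: CN=UA-MOK Driver Signing"

if [ "${1:-}" = "--host" ]; then
    check_host
else
    enrollment_state "SecureBoot enabled" "" "$SAMPLE_CERT"   # prints pending-reboot
fi
```

Run it with `--host` as root to query the machine itself; without arguments it classifies the constructed sample.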

Oracle Linux 7.x/8.x with UEKR6 kernel
After the general procedure is complete, if the distribution installed is Oracle Linux 7.x/8.x with UEKR6 kernel, follow these additional steps:

  1. Rerun this command:
    sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh
    This adds the certificate used to sign the modules to the list of certificates trusted by the kernel. The modified kernel is signed and added to the list of kernels in GRUB.
  2. The module is loaded and started.
  3. To check that the certificate has been added correctly, run this command:
    sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh

The result is:

The signers common name is UA-MOK Driver Signing

Image /boot/vmlinuz-kernel-version-panda-secure-boot already signed

Kernel module successfully loaded