You can use this procedure to enable Secure Boot support for the Carbon Black App Control Linux Agent. This feature is available only in agent version 8.8.0 and later.

Prerequisites

In order to enable secure boot, you must first:
  1. Download the public key used for signing App Control agent kernel modules.
    1. Log into the Broadcom customer portal and then select Cyber Security Software from the drop-down at the top of the page.

    2. Select My Downloads from the menu on the left to see the list of products that you are entitled to download for the selected division.
      Important: If you do not see the product you are looking for in your download list, contact Broadcom's Global Customer Assistance.
    3. Navigate to, or search for, the Carbon Black App Control Linux Agent and then select the agent version you need to download.

      The public key that matches the key used to sign the App Control Linux Agent kernel modules is included in the Linux Agent package.

      For example, the App Control Linux Agent 8.8.0 package contains both the installer package and the required signing key, cb_kernel_mod_signing_key_pub.der, along with the required SHA2 keys.

  2. Download cb_kernel_mod_signing_key_pub.der.
  3. Import the public key on the endpoint so that the kernel can authenticate and load the agent kernel modules.
  4. Install the Carbon Black App Control Linux Agent. See: Install Linux Agents on Endpoints.
Tip: For additional assistance with downloads, see: Product Download Help.

Procedure

  1. Import your public key into the MOK list. The mokutil import command prompts you to enter (create) a password.
    This is the same password you enter when enrolling the key in MokManager after the reboot.
    # mokutil --import cb_kernel_mod_signing_key_pub.der
    input password:
    input password again:
    #

  2. Reboot the machine and go to the endpoint machine console.
    After rebooting, the UEFI shim should automatically start MokManager, which is used to add the MOK key to the UEFI Secure Boot key database.
  3. Choose Enroll MOK.
  4. Enter the password you previously associated with this request.
  5. Confirm the enrollment by selecting Yes to enroll the key(s).
  6. Reboot the machine.
    Your public key is now on the MOK list, which is persistent.
    Important: Once a key is on the MOK list, it is automatically propagated to the platform keyring on this and every subsequent boot while UEFI Secure Boot is enabled.
  7. Verify that the key is present in the platform keyring (listed as Carbonblack: CB Kernel module signing key):
    # keyctl list %:.platform

    6 keys in keyring:

    303429724: ---lswrv     0     0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
    170154433: ---lswrv     0     0 asymmetric: Carbonblack: CB Kernel module signing key: 6d6e00113731b310ef08654d1e91741c144a9fc4
    750692654: ---lswrv     0     0 asymmetric: Red Hat Secure Boot CA 5: cc6fa5e72868ba494e939bbd680b9144769a9f8f
    117739269: ---lswrv     0     0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
    515584087: ---lswrv     0     0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
    986080246: ---lswrv     0     0 asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7
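The verification in step 7 is easy to get wrong by eye on a keyring with many entries, and it only tells half the story: the key being present in .platform does not by itself show that Secure Boot is on or that the agent module actually loads under the CB key. The script below is an added example, not part of the Broadcom documentation or the agent. It parses the `keyctl list %:.platform` output in the same format shown above, checks `mokutil --sb-state`, and compares `modinfo -F signer` against the CB key. It assumes the key description is exactly "Carbonblack: CB Kernel module signing key" as in the documented output, that mokutil, keyctl and modinfo are installed, and that the administrator supplies the agent's kernel module name (the page does not name it, so a placeholder is used).

```shell
#!/bin/sh
# Post-enrollment checks for the App Control Linux Agent signing key.
# Added example, not Broadcom's code. Assumptions:
#   - the key appears in `keyctl list %:.platform` with the description
#     "Carbonblack: CB Kernel module signing key" (as in the documented output);
#   - mokutil, keyctl and modinfo are installed on the endpoint;
#   - CB_MODULE is set by the administrator to the agent's module name (placeholder here).
set -u

CB_KEY_DESC="Carbonblack: CB Kernel module signing key"
CB_MODULE="${CB_MODULE:-PLACEHOLDER_AGENT_MODULE}"   # replace with the agent kernel module name

# Return 0 if the text from `mokutil --sb-state` reports Secure Boot as enabled.
sb_state_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count CB signing keys in a `keyctl list %:.platform` listing read from stdin.
# grep -c exits 1 when the count is 0; "|| true" keeps "0" as the printed result.
count_cb_keys() {
    grep -c "asymmetric: ${CB_KEY_DESC}:" || true
}

# Print the key identifier that follows the CB description in the listing (stdin).
cb_key_id() {
    sed -n "s/.*asymmetric: ${CB_KEY_DESC}: \([0-9a-f]*\).*/\1/p" | head -n 1
}

# Return 0 if the `modinfo -F signer` text names the CB signing key.
# Assumption: the signer field carries the key's common name, "CB Kernel module signing key".
module_signed_by_cb() {
    case "$1" in
        *"CB Kernel module signing key"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against the running endpoint; run as: sh check_cb_mok.sh --live
verify_live() {
    if ! sb_state_enabled "$(mokutil --sb-state 2>/dev/null)"; then
        echo "FAIL: UEFI Secure Boot is not enabled"; return 1
    fi
    n=$(keyctl list %:.platform | count_cb_keys)
    if [ "$n" -lt 1 ]; then
        echo "FAIL: CB signing key not in .platform keyring (MOK enrollment incomplete?)"; return 1
    fi
    echo "OK: CB signing key present, id $(keyctl list %:.platform | cb_key_id)"
    if ! module_signed_by_cb "$(modinfo -F signer "$CB_MODULE" 2>/dev/null)"; then
        echo "WARN: $CB_MODULE is not reported as signed by the CB key"; return 2
    fi
    echo "OK: $CB_MODULE is signed by the CB key"
}

# Sample listing, copied from the documented `keyctl list %:.platform` output (three entries).
SAMPLE_LISTING='6 keys in keyring:
303429724: ---lswrv     0     0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
170154433: ---lswrv     0     0 asymmetric: Carbonblack: CB Kernel module signing key: 6d6e00113731b310ef08654d1e91741c144a9fc4
750692654: ---lswrv     0     0 asymmetric: Red Hat Secure Boot CA 5: cc6fa5e72868ba494e939bbd680b9144769a9f8f'

if [ "${1:-}" = "--live" ]; then
    verify_live
else
    printf 'CB keys in sample listing: %s (id %s)\n' \
        "$(printf '%s\n' "$SAMPLE_LISTING" | count_cb_keys)" \
        "$(printf '%s\n' "$SAMPLE_LISTING" | cb_key_id)"
fi
```

Without arguments the script only exercises the parsers against the embedded sample; with `--live` it runs the three real checks and exits non-zero on the first failure, which makes it suitable for a post-install compliance check. A missing key after the second reboot usually means the MokManager enrollment was cancelled or the password did not match the one given to `mokutil --import`.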