Which of the following is needed for Windows and Linux virtual machines to support Secure Boot?
The Unified Extensible Firmware Interface (UEFI) Secure Boot feature is supported with some versions of the agent for Linux. For details, see the Secure Boot support table.
When Secure Boot is enabled on an agent computer, the Linux kernel performs a signature check on kernel modules before they are installed. These Workload Security features install kernel modules:
If you intend to use any of those features on a computer where Secure Boot is enabled, you must enroll the Trend Micro public key (provided after installation, for example DS20.der) into the Linux computer's firmware so that it recognizes the Trend Micro kernel module's signature. Otherwise, Workload Security features can't be installed. Your platform will determine which keys you need to download and which method you can use to enroll a key:
Download a Trend Micro public key
You can download Trend Micro public keys from the list below. If you have trouble downloading the following files, right-click and select Save Link As.
Enroll a key using the Shim MOK Manager Key Database
The following steps are applicable for any agent using an OS that supports Secure Boot on VMware vSphere 6.5 or newer. To enroll Trend Micro public keys:
Enroll a key using the UEFI Secure Boot Key Database
The following steps are applicable for any agent using an OS that supports Secure Boot on Google Cloud Platform.
Sign a key into the kernel
The following steps are applicable for any agent using an OS that supports Secure Boot on Oracle Linux 7 UEK R6 kernel (5.4.17+) and Oracle Linux 8 UEK R6 kernel (5.4.17+).
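Whichever enrollment method applies, the practical check afterwards is whether the key that signed the agent's kernel module is actually present in the MOK list the firmware trusts. The following POSIX shell helper is an added example, not Trend Micro's code: it takes the text output of `mokutil --sb-state`, `mokutil --list-enrolled` and `modinfo -F signer <module>` as arguments so it can be exercised offline; the module name, key name and sample output below are constructed placeholders, not real Trend Micro values.

```shell
#!/bin/sh
# Decide whether a module-signing key still has to be enrolled before Secure Boot
# will let the module load. Prints one of: disabled, unknown, enrolled, enroll.
key_enrollment_status() {
    sb_state="$1"   # output of: mokutil --sb-state
    enrolled="$2"   # output of: mokutil --list-enrolled
    signer="$3"     # output of: modinfo -F signer <module>  (the signer's CN)

    case "$sb_state" in
        *"SecureBoot disabled"*) echo disabled; return 0 ;;
        *"SecureBoot enabled"*)  ;;
        *) echo unknown; return 0 ;;   # no EFI variables, or unexpected output
    esac
    # mokutil prints each enrolled certificate with a "Subject:" line; the module's
    # signer CN must appear on one of them. -F avoids regex surprises in the CN.
    if printf '%s\n' "$enrolled" | grep 'Subject:' | grep -qF "CN=$signer"; then
        echo enrolled
    else
        echo enroll
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_SB_ON="SecureBoot enabled"
SAMPLE_SB_OFF="SecureBoot disabled"
SAMPLE_MOK='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
        Issuer: CN=Example Vendor Secure Boot Key
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Dec 31 23:59:59 2030 GMT
        Subject: CN=Example Vendor Secure Boot Key'
SAMPLE_SIGNER="Example Vendor Secure Boot Key"

# Offline demonstration; prints "enrolled".
key_enrollment_status "$SAMPLE_SB_ON" "$SAMPLE_MOK" "$SAMPLE_SIGNER"

# On a real host (placeholder module name):
# key_enrollment_status "$(mokutil --sb-state)" "$(mokutil --list-enrolled)" \
#     "$(modinfo -F signer <module>)"
```

If the result is `enroll` after an agent upgrade, the new major-release key has not been accepted yet, which matches the "Engine Offline" symptom described below.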
Update the Trend Micro public keys
The following situations require you to update the Trend Micro public keys:
1. The agent has upgraded to a major release. Workload Security refreshes the Trend Micro kernel module public keys in every major release of the agent (for example, 12.0 and 20.0). To keep security features functioning when you upgrade an agent to a new major release, you must enroll the new public key into any Linux computers that have Secure Boot enabled. Until the new public key is enrolled, an "Engine Offline" error message might appear in the Workload Security console because the operating system did not load the upgraded kernel module.
2. The public key has expired. The public keys' life cycle is the same as the agent's life cycle. The public key will expire at the end of extended support (EOL). Refer to the Deep Security LTS life cycle dates for details. If the DS20.der public key has expired but Deep Security 20 has extended its support date, Trend Micro will create a new key that you must enroll when upgrading the agent.
In rare circumstances, the Linux kernel's behavior for checking kernel modules at load time might change, which will require you to update the public keys. For example, SUSE 15 after 5.3.18-24.34-default added an EKU codesign check, which caused the DS20_v2.der key to be required.
Which VM generation provides support for Linux Secure Boot?
Linux Secure Boot is a feature in Windows 10 and Windows Server 2016 that allows some Linux distributions to boot under Hyper-V as Generation 2 virtual machines.
What generation of virtual machine supports VM Secure Boot?
Secure Boot is enabled by default for generation 2 virtual machines. If you need to run a guest operating system that is not supported by Secure Boot, you can disable it after the virtual machine is created.
What is the Secure Boot option in the settings for a generation 2 VM?
Secure Boot is a feature available with generation 2 virtual machines that helps prevent unauthorized firmware, operating systems, or Unified Extensible Firmware Interface (UEFI) drivers (also known as option ROMs) from running at boot time. Secure Boot is enabled by default.
Does Hyper-V require Secure Boot?
1.1 System Requirements for VBS Support
Note: We don't require Secure Boot, but if you're using Hyper-V with Device Guard, Credential Guard or other Microsoft features, you'll need this enabled for the features to work correctly. If you are using Hyper-V in isolation, you don't need Secure Boot to be enabled.