Technical Support

Need help?

 

Installation of the client software on Linux platforms with Secure Boot

Information applies to:

Products
Panda Adaptive Defense 360 on Aether Platform
Panda Adaptive Defense on Aether Platform
Panda Endpoint Protection Plus on Aether Platform

Some Linux distributions return protection errors that you can see in the computers' details screen when Secure Boot is enabled and you try to install the protection or when the protection is installed and you try to enable Secure Boot.

To solve these errors, you must update the protection repository and then register the Panda protection keys from the command line.

IMPORTANT!

Make sure that you meet these system requirements beforehand:
  • DKMS: mokutil and openssl packages.
  • Oracle Linux 7.x/8.x with kernel UEKR6:
    • Repository ol7_optional_latest enabled.
    • openssl, keyutils, mokutil, pesign, kernel-uek-devel-$(uname -r) packages.
Solution
Follow these steps to solve the protection errors related to Secure Boot from the computer experiencing the problem.
  1. Check the state of Secure Boot:
    $ mokutil --sb-state
    Secure Boot enabled
  2. Verify that the driver is not loaded:
    $ lsmod | grep prot
  3. Import the protection keys:
    $ sudo /usr/src/protection-agent-[version]/scripts/sb_import_key.sh

    IMPORTANT: The agent and protection have this format:
    $ sudo /usr/src/protection-agent-03.01.00.0001-1.5.0_741_g8e14e52/scripts/sb_import_key.sh (the name varies according to the version and the driver).

    You will see a message informing of the implications of using Secure Boot.
  4. Press C to register the certificate used to sign the modules.
  5. Create an 8-character password:

  6. Restart the computer and complete the registration process.
    If it is a virtual machine, use the hypervisor.
    • Press any key to start the registration process. This screen appears for a limited time, so if no keys are pressed, you must restart the registration process.

    • Select Enroll MOK.

    • Select View key to view the keys that are going to be registered.



    • Check that the keys belong to the Panda Security protection, and select Continue to resume the registration process.

    • When prompted Enroll the key, select Yes.
    • Then, enter the password chosen previously.
    • Select Reboot to finish the procedure.

  7. Finally, check that the driver is loaded:
    $ lsmod | grep prot
    protection_agent 184320
Oracle Linux 7.x/8.x with kernel UEKR6
After the general procedure is complete, if the distribution installed is Oracle Linux 7.x/8.x with UEKR6 kernel, follow these additional steps:
  1. Run this command again:
    $ sudo /usr/src/protection-agent-[version]/scripts/sb_import_key.sh

    This adds the certificate used to sign the modules to the list of certificates trusted by the kernel. The modified kernel is signed and added to the list of kernels in GRUB.
  2. Restart the computer.
  3. The module is loaded and started.
  4. To ensure that the certificate has been added correctly, run this command:
    $ sudo /usr/src/protection-agent-[version]/scripts/sb_import_key.sh
The result is:
The signer´s common name is UA-MOK Driver Signing
Image /boot/vmlinuz-kernel-version-panda-secure-boot already signed
Kernel module succesfully loaded
Help nº- 20231117 700121 EN
ALWAYS ONLINE TO HELP YOU TWITTER FORUM
ALWAYS ONLINE TO HELP YOU TWITTER FORUM