Technical Support

Need help?

 

Installation of the client software on Linux platforms with Secure Boot

Information applies to:

Products
Panda Adaptive Defense 360 on Aether Platform
Panda Adaptive Defense on Aether Platform
Panda Endpoint Protection Plus on Aether Platform

Some Linux distributions return protection errors that you can see in the computers' details screen when Secure Boot is enabled and you try to install the protection or when the protection is installed and you try to enable Secure Boot.

To solve these errors, you must update the protection repository and then register the Panda protection keys from the command line.

IMPORTANT!

Make sure that you meet these system requirements beforehand:
  • DKMS: mokutil and openssl packages.
  • Oracle Linux 7.x/8.x with kernel UEKR6:
    • Repository ol7_optional_latest enabled.
    • openssl, keyutils, mokutil, pesign, kernel-uek-devel-$(uname -r) packages.
Solution
Follow these steps to solve the protection errors related to Secure Boot from the computer experiencing the problem.
  1. Check the state of Secure Boot:
    $ mokutil --sb-state
    Secure Boot enabled
  2. Verify that the driver is not loaded:
    $ lsmod | grep prot
  3. Update the Panda protection repository:
    $ sudo /usr/local/management-agent/repositories/pa/install --add-repo=https://repository.pandasecurity.com/aether/installers/protection/linux/3.01.00.0001
  4. If you use a proxy server to access the Internet, add this parameter: --proxy. If you want to specify a list of proxies, use the parameter --proxy-list and enter the proxy servers separated by commas:

    $ sudo /usr/local/management-agent/repositories/pa/install --add-repo=https://repository.pandasecurity.com/aether/installers/protection/linux/3.01.00.0001 --proxy-list=http://ip_proxy1:port, http://ip_proxy2:port
  5. Upgrade the protection driver:
    sudo /usr/local/management-agent/repositories/pa/install --install --kernel-only

    NOTE: For SUSE, use this command:
    $ sudo zypper up protection-agent-kmp-default
  6. Import the protection keys:
    $ sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh

    IMPORTANT: The agent and protection have this format:
    protection-agent-03.01.00.0001-1.5.0_741_g8e14e52 (the name varies according to the version and the driver).

    You will see a message informing of the implications of using Secure Boot.
  7. Press C to register the certificate used to sign the modules.
  8. Create an 8-character password:

  9. Restart the computer and complete the registration process.
    If it is a virtual machine, use the hypervisor.
    • Press any key to start the registration process. This screen appears for a limited time, so if no keys are pressed, you must restart the registration process.

    • Select Enroll MOK.

    • Select View key to view the keys that are going to be registered.



    • Check that the keys belong to the Panda Security protection, and select Continue to resume the registration process.

    • When prompted Enroll the key, select Yes.
    • Then, enter the password chosen previously.
    • Select Reboot to finish the procedure.

  10. Finally, check that the driver is loaded:
    $ lsmod | grep prot
    protection_agent 184320
Oracle Linux 7.x/8.x with kernel UEKR6
After the general procedure is complete, if the distribution installed is Oracle Linux 7.x/8.x with UEKR6 kernel, follow these additional steps:
  1. Run this command again:
    $ sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh

    This adds the certificate used to sign the modules to the list of certificates trusted by the kernel. The modified kernel is signed and added to the list of kernels in GRUB.
  2. Restart the computer.
  3. The module is loaded and started.
  4. To ensure that the certificate has been added correctly, run this command:
    $ sudo /usr/scr/protection-agent-version/scripts/sb_import_key.sh
The result is:
The signer´s common name is UA-MOK Driver Signing
Image /boot/vmlinuz-kernel-version-panda-secure-boot already signed
Kernel module succesfully loaded
Help nº- 20220513 700121 EN

Have you resolved your query with this article?

yes no

Thanks for your answer


Why didn't you find it helpful?


The instructions are too complex.
The instructions are too long.
The instructions don't work.
I'd rather have a video.
Other reasons.




Talk to a technician!

 

Business hours: Mondays-Fridays 9:00 to 18:00 CET

Outside business hours, please use the online form.





ALWAYS ONLINE TO HELP YOU TWITTER FORUM CHAT
ALWAYS ONLINE TO HELP YOU TWITTER FORUM CHAT

Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!