Secure boot

To use real-time file system protection on a machine with Secure boot enabled, the ESET Server Security for Linux (EFS) kernel module must be signed with a private key, and the corresponding public key must be enrolled in UEFI. EFS version 8 comes with a built-in signing script that operates in interactive or non-interactive mode.

Use the mokutil utility to verify Secure boot is enabled on the machine. Execute the following command from a Terminal window as a privileged user:

mokutil --sb-state

Interactive mode

If you do not have a public and private key to sign the kernel module, Interactive mode can generate new keys and sign the kernel module. It also helps enroll the generated keys in UEFI.

1. Execute the following command from a Terminal window as a privileged user:

/opt/eset/efs/lib/install_scripts/sign_modules.sh

2. When the script prompts you for keys, type n, then press Enter.

3. When prompted to generate new keys, type y, then press Enter. The script signs the kernel module with the generated private key.

4. To enroll the generated public key in UEFI semiautomatically, type y, then press Enter. To complete the enrollment manually, type n, press Enter, and follow the on-screen instructions.

5. When prompted, enter a password of your choice. Remember the password; you will need it when completing enrollment (approval of the new Machine Owner Key [MOK]) in UEFI.

6. To save the generated keys to your hard drive for later use, type y, enter the path to a directory, and press Enter.

7. To reboot and access UEFI, type y when prompted, and press Enter.

8. Press any key within 10 seconds when prompted to access UEFI.

9. Select Enroll MOK, press Enter.

10. Select Continue, press Enter.

11. Select Yes, press Enter.

12. To complete the enrollment and reboot the machine, type the password from step 5 and press Enter.

Non-interactive mode

Use this mode if you have a private and public key available on the target machine.

Syntax: /opt/eset/efs/lib/install_scripts/sign_modules.sh [OPTIONS]

Options - short form   Options - long form   Description
-d                     --public-key          Set the path to a DER format public key to use for signing.
-p                     --private-key         Set the path to the private key to use for signing.
-k                     --kernel              Set the name of the kernel whose modules have to be signed. If not specified, the current kernel is selected by default.
-a                     --kernel-all          Sign (and build) kernel modules on all existing kernels containing headers.
-h                     --help                Show help.

1. Execute the following command from a Terminal window as a privileged user:

/opt/eset/efs/lib/install_scripts/sign_modules.sh -p <path_to_private_key> -d <path_to_public_key>

Replace <path_to_private_key> and <path_to_public_key> with the paths to the private key and the public key respectively.

2. If the provided public key is not enrolled in UEFI yet, execute the following command as a privileged user:

mokutil --import <path_to_public_key>

Replace <path_to_public_key> with the path to the provided public key.

3. Reboot the machine, access UEFI, and select Enroll MOK > Continue > Yes.
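The following shell wrapper is an added example, not ESET's own code or part of sign_modules.sh. It runs the non-interactive procedure above with the checks a practitioner wants before signing: it confirms Secure Boot is actually on, confirms that the DER certificate and the private key form a pair (a module signed with a mismatched key is rejected by the kernel, and real-time protection stays unavailable after the reboot), calls sign_modules.sh, and imports the certificate with mokutil only when it is not already an enrolled MOK. The function names, the exact mokutil message text it matches, the assumption that the private key is PEM or DER, and the requirement of root plus openssl and mokutil on the machine are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ESET product or its sign_modules.sh.
# Preflight around non-interactive signing: confirm Secure Boot is on, confirm
# the DER public key (an X.509 certificate, which is what mokutil enrolls) and
# the private key belong together, sign, then enroll the certificate only if it
# is not already a MOK. Assumptions: run as root; mokutil and openssl present;
# private key in PEM or DER; the mokutil output strings matched below.
set -eu

SIGN_SCRIPT=/opt/eset/efs/lib/install_scripts/sign_modules.sh

# Return 0 when the text of `mokutil --sb-state` reports Secure Boot enabled.
# Takes the output as an argument so it can be checked without firmware access.
secure_boot_enabled_from() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the public key inside the DER certificate equals the public key
# derived from the private key. Both are normalised to PEM by openssl first.
keys_match() {
    pub_from_cert=$(openssl x509 -inform DER -in "$1" -noout -pubkey)
    pub_from_priv=$(openssl pkey -in "$2" -pubout 2>/dev/null ||
                    openssl pkey -inform DER -in "$2" -pubout)
    [ "$pub_from_cert" = "$pub_from_priv" ]
}

# Return 0 when the certificate is already an enrolled MOK. The matched text is
# assumed from mokutil's "<file> is already enrolled" message.
mok_enrolled() {
    mokutil --test-key "$1" 2>/dev/null | grep -q 'is already enrolled'
}

sign_and_enroll() {
    pub=$1
    priv=$2
    if ! secure_boot_enabled_from "$(mokutil --sb-state)"; then
        echo "Secure Boot is not enabled; signing is not required" >&2
        return 0
    fi
    if ! keys_match "$pub" "$priv"; then
        echo "refusing to sign: $pub and $priv are not a key pair" >&2
        return 1
    fi
    "$SIGN_SCRIPT" -p "$priv" -d "$pub"
    if mok_enrolled "$pub"; then
        echo "MOK already enrolled; no reboot required"
    else
        mokutil --import "$pub"   # asks for the one-time password MokManager will request
        echo "reboot, then in MokManager choose Enroll MOK > Continue > Yes"
    fi
}

# Usage: sign_and_enroll.sh <path_to_public_key.der> <path_to_private_key>
if [ $# -eq 2 ]; then
    sign_and_enroll "$1" "$2"
fi
```

Run it as a privileged user with the DER certificate path first and the private key path second. The key-pair check is the part worth keeping even if the rest is scripted differently: sign_modules.sh will happily sign with whatever key it is handed, and the failure only shows up as a module that refuses to load after the reboot.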

Managing several devices

Suppose you manage several machines that use the same Linux kernel and have the same public key enrolled in UEFI. In that case, you can sign the EFS kernel module on the one machine that holds the private key and then transfer the signed kernel module to the other machines. When the signing is complete:

1. Copy the signed kernel module from /lib/modules/<kernel-version>/eset/efs/eset_rtp to the same path on the target machines.

2. Call depmod <kernel-version> on the target machines.

3. Restart ESET Server Security for Linux on the target machines to update the modules table. Execute the following command as a privileged user:

systemctl restart efs

In all cases, replace <kernel-version> with the corresponding kernel version.
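An added example, not ESET's code, for the distribution procedure above: it refuses to copy a module that carries no signature (so an unsigned rebuild is never pushed over a working one), skips targets that do not have the kernel version installed, and otherwise performs the copy, depmod and service restart over SSH. It assumes root SSH access to each target, that the documented path /lib/modules/<kernel-version>/eset/efs/eset_rtp is the module file itself, and that the kernel version and host names are supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the ESET product: distribute an already signed
# EFS module to machines that run the same kernel and have the same MOK
# enrolled. Assumptions: root SSH access to each target; the documented path
# /lib/modules/<kernel-version>/eset/efs/eset_rtp is the module file itself
# (adjust module_path if your install keeps a .ko inside that directory).
set -eu

# Documented location of the EFS real-time protection module for one kernel.
module_path() {
    echo "/lib/modules/$1/eset/efs/eset_rtp"
}

# A signed module ends with the kernel's 28-byte marker
# "~Module signature appended~\n" placed after the signature blob. NUL bytes
# are stripped before comparing so the shell does not choke on binary content.
module_is_signed() {
    [ -f "$1" ] || return 1
    [ "$(tail -c 28 "$1" | tr -d '\000')" = '~Module signature appended~' ]
}

# Copy the signed module to each target, rebuild the module dependency map for
# that kernel and restart EFS so it picks up the new module.
deploy_module() {
    kver=$1
    shift
    src=$(module_path "$kver")
    if ! module_is_signed "$src"; then
        echo "refusing to distribute: $src carries no module signature" >&2
        return 1
    fi
    for host in "$@"; do
        # The signature only helps if the target really has this kernel installed.
        if ! ssh "root@$host" "test -d /lib/modules/$kver"; then
            echo "$host has no kernel $kver; skipping" >&2
            continue
        fi
        scp "$src" "root@$host:$src"
        ssh "root@$host" "depmod $kver && systemctl restart efs"
    done
}

# Usage: deploy_module.sh <kernel-version> host1 [host2 ...]
if [ $# -ge 2 ]; then
    deploy_module "$@"
fi
```

On a target, modinfo -F signer on the copied module prints the certificate subject when a signature is present, which is a quick way to confirm the copy landed intact before the service restart.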