Secure boot
To use real-time file system protection and web access protection on a machine with Secure boot enabled, the ESET Server Security for Linux (ESSL) kernel modules must be signed with a private key, and the corresponding public key must be enrolled in UEFI. ESSL comes with a built-in signing script that operates in interactive or non-interactive mode.
Use the mokutil utility to verify that Secure boot is enabled on the machine. Execute the following command from a Terminal window as a privileged user:
mokutil --sb-state
Interactive mode
If you do not have a public and private key to sign the kernel modules, Interactive mode can generate new keys and sign the kernel module. It also helps enroll the generated keys in UEFI.
1. Execute the following command from a Terminal window as a privileged user:
/opt/eset/efs/lib/install_scripts/sign_modules.sh
2. When the script prompts you for keys, type N, then press Enter.
3. When prompted to generate new keys, type Y, then press Enter. The script signs the kernel modules with the generated private key.
4. To enroll the generated public key to UEFI semiautomatically, type Y, then press Enter. To complete the enrollment manually, type N, press Enter, and follow the on-screen instructions.
5. When prompted, type a password of your choice. Remember the password; you will need it when completing enrollment (approval of the new Machine Owner Key [MOK]) in UEFI.
6. To save the generated keys to your hard drive for later use, type Y, type the path to a directory, and press Enter.
7. To reboot and access UEFI, type Y when prompted, and press Enter.
8. Press any key within 10 seconds when prompted to access UEFI.
9. Select Enroll MOK and press Enter.
10. Select Continue and press Enter.
11. Select Yes and press Enter.
12. To complete the enrollment and reboot the machine, type the password from step 5 and press Enter.
Non-interactive mode
Use this mode if you have a private and public key available on the target machine.
Syntax: /opt/eset/efs/lib/install_scripts/sign_modules.sh [OPTIONS]
| Options - short form | Options - long form | Description |
|---|---|---|
| -d | --public-key | Set the path to a DER format public key to use for signing |
| -p | --private-key | Set the path to the private key to use for signing |
| -k | --kernel | Set the name of the kernel whose modules have to be signed. If not specified, the current kernel is selected by default |
| -a | --kernel-all | Sign (and build) kernel modules on all existing kernels containing headers |
| -h | --help | Show help |
1. Execute the following command from a Terminal window as a privileged user:
/opt/eset/efs/lib/install_scripts/sign_modules.sh -p <path_to_private_key> -d <path_to_public_key>
Replace <path_to_private_key> and <path_to_public_key> with the paths to the private key and the public key, respectively.
2. If the provided public key is not yet enrolled in UEFI, execute the following command as a privileged user:
mokutil --import <path_to_public_key>
<path_to_public_key> represents the provided public key.
3. Reboot the machine, access UEFI, and select Enroll MOK > Continue > Yes.
On Amazon Linux 2023, the provided script can only be used to sign ESET kernel modules. Only the first step of the script will run in non-interactive mode, as mokutil is not functional. You must follow the official AWS documentation to set up EC2 with custom keys to proceed.
Managing several devices
Suppose you manage several machines that use the same Linux kernel and have the same public key enrolled in UEFI. In that case, you can sign the ESSL kernel module on one of those machines containing the private key and then transfer the signed kernel module to the other machines. When the signing is complete:
1. Copy the signed kernel modules from /lib/modules/<kernel-version>/eset/efs/eset_rtp and eset_wap to the same path on the target machines.
2. Run depmod <kernel-version> on the target machines.
3. Restart ESET Server Security for Linux on the target machine to update the module table. Execute the following command as a privileged user:
systemctl restart efs
In all cases, replace <kernel-version> with the corresponding kernel version.
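After either signing procedure above, and after copying signed modules to other machines, it is worth confirming that the host actually enforces Secure boot, that the public key is enrolled as a MOK, and that both ESSL modules carry a signature before relying on them. The following script is an added example, not part of ESET's product or documentation; it assumes the module names eset_rtp and eset_wap, and that `mokutil --sb-state`, `mokutil --test-key` and `modinfo` print in the (constructed) formats shown in the sample strings.

```shell
#!/bin/sh
# Post-signing verification for ESSL kernel modules on a Secure boot host.
# Assumption: mokutil and modinfo output formats match the constructed
# samples at the bottom; the live check needs root to run mokutil.

# Returns 0 when `mokutil --sb-state` output reports Secure boot enabled.
sb_state_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the "signer:" field of `modinfo` output; empty when unsigned.
modinfo_signer() {
    printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p'
}

# Returns 0 when `mokutil --test-key <key.der>` reports the key enrolled.
mok_key_enrolled() {
    case "$1" in
        *"is already enrolled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on the current host: Secure boot on, key enrolled, modules signed.
verify_host() {
    pubkey="$1"
    sb_state_enabled "$(mokutil --sb-state 2>/dev/null)" \
        || { echo "Secure boot is not enabled on this host"; return 1; }
    mok_key_enrolled "$(mokutil --test-key "$pubkey" 2>/dev/null)" \
        || { echo "$pubkey is not enrolled as a MOK"; return 1; }
    for mod in eset_rtp eset_wap; do
        signer=$(modinfo_signer "$(modinfo "$mod" 2>/dev/null)")
        [ -n "$signer" ] || { echo "$mod is not signed"; return 1; }
        echo "$mod signed by: $signer"
    done
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_MODINFO_SIGNED="filename:       /lib/modules/6.1.0/eset/efs/eset_rtp.ko
license:        GPL
signer:         Example MOK signing key
sig_hashalgo:   sha512"
SAMPLE_MODINFO_UNSIGNED="filename:       /lib/modules/6.1.0/eset/efs/eset_wap.ko
license:        GPL"
```

On a real host, run `verify_host /path/to/public_key.der` as root; any failed step prints which precondition is missing.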