Error loading PIM / PAMSC on Linux running in Secure Boot mode (secureboot)
search cancel

Error loading PIM / PAMSC on Linux running in Secure Boot mode (secureboot)


Article ID: 201507


Updated On:


CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM)


When the PIM / PAMSC seos kernel module fails to load in a Linux which is running in Secure Boot mode follow below steps


Release : 14.1



Secure Boot is using a MOK (Machine Owner Key) which basically is securing the boot process by only allowing approved OS components and drivers to load. 


The OS kernel should contain the public key of the module getting inserted as part of trust chain, So the first step in doing this is to add the public key into the kernel system key database,

Every time the PAMSC kernel module loads, the OS kernel checks the signature of the module using the relevant public key.


Following steps are necessary for adding PAMSC public key into the secured kernel key database.

  1. import public key present in the installation directory to the MOK list 

# cd /opt/CA/PAMSC/bin/

# mokutil --import  BroadcomInc.der

input password:

input password again:

This command will ask for a new password of your choice which is required during MOK enrollment    

Note, to avoid issues, use a password consisting of alpha - numeric characters only

  1. Confirm the key is added without any error and restart the machine into Firmware

  1. During the secured efi boot up MOK key enrollment request will be noticed by shim.efi

    You will need to enter the password you previously associated with this request and confirm the enrollment. Your public key is added to the MOK list, which is persistent.
  1. After reboot, verify if the key is in the database by using this command

# mokutil -l

Search for PAMSC or Broadcom strings in the key list to confirm the key is loaded. 

  1. if the key is loaded, you can run seload to start PIM / PAMSC