Error configuring Secure Boot UEFI loading PIM/PAM kernel extensions on Version 5 Kernels (secureboot)

Article ID: 234435

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

While installing the CA PAM endpoint version 14.10-40 (17) with the cumulative release CP04 on SuSE 15 SP3, on which Secure Boot is enabled, and following the procedure in

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager-server-control/14-1/implementing/install-unix-endpoint/Configure-for-Secure-Boot.html

the kernel modules still cannot be loaded.

Even though the kernel is below 5.4, as the documentation requires, and even though mokutil --test-key <path_to_broadcom_cert>BroadcomInc.der shows that the Broadcom certificate has been enrolled successfully in the kernel, trying to load SeOS results in the following error:

mymachine:/opt/CA/PAMSC/bin # ./seload
CA Privileged Access Manager Server Control seload v14.10.40.17 - Loader Utility
Copyright (c) 2018 CA. All rights reserved.
SEOS_load: Executing un/load exit file,  /usr/seos/exits/LOAD/SEOS_load_int.always -pre
CA Privileged Access Manager Server Control seversion v14.10.40.17 - Display module's version

Copyright (c) 2018 CA. All rights reserved.

Running under:  Linux
SEOS_load: "SUSE Linux Enterprise Server 15 SP3" Kernel: 5.3.18-150300.59.46-default
SEOS_load: /usr/seos/bin/SEOS_syscall.153-5318-57-SUSEX86_64.MP.ko
CA Privileged Access Manager Server Control seversion v14.10.40.17 - Display module's version

Copyright (c) 2018 CA. All rights reserved.

Running under:  Linux

File name: /opt/CA/PAMSC/bin/SEOS_syscall
Version  : 14.10.40.17
Created  : Jan 09 2022 23:44:07
OS info  : Kernel: 5.3.18-57-SUSE153 _LINUX153-5318
SHA      : A2F4B4AA7703921F175D4436DCA58533810B54CC8403DA08
MD5      : 03F39F069BDF9CA12E2AD9913CF666D7
SEOS_load: dmesg:
[   76.412413] PKCS7: sinfo 1: The signer 1c0fd30b key is not CodeSigning
[   76.412417] seos_1410_40_17: Loading of module with unavailable key is rejected
SEOS_load: Executing un/load exit file,  /usr/seos/exits/LOAD/SEOS_load_int.always -post
SEOS_load: SEOS_syscall WASN'T loaded

Environment

PAM SC 14.1 and PIM 14.0 and later

Cause

Currently, Secure Boot on 5-series kernels is not supported: these kernels come with a lockdown feature that requires signing keys to be in the built-in key database, and this cannot be done using our existing enrollment method.

Enrollment is much more complicated on the 5-series kernel, and currently these kernels have space to enroll a single key. This means the system cannot support more than one third-party kernel module under Secure Boot unless this one key is used to sign all the third-party modules.
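As an added diagnostic helper (not part of the CA PAM SC product or its seload utility), the following POSIX shell script classifies the dmesg rejection lines that seload reports, using the two lines quoted in the output above as a constructed sample, and reads the active kernel lockdown mode from securityfs so an administrator can confirm the state described in this section before changing the Secure Boot setting. The securityfs lockdown path and the sample dmesg text are the only assumptions.

```shell
#!/bin/sh
# Added example; not Broadcom/CA code. Diagnoses why a signed kernel module
# such as SEOS_syscall was rejected, and reports the kernel lockdown mode.

# classify_module_rejection: read dmesg text on stdin, print a short verdict.
# Patterns are checked from most to least specific; the first match wins.
classify_module_rejection() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'key is not CodeSigning'; then
        # The kernel found the signer key but reports that it is not
        # marked for code signing, so it will not verify modules with it.
        echo "signer-not-codesigning"
    elif printf '%s\n' "$text" | grep -q 'unavailable key is rejected'; then
        # No usable key in the kernel keyrings matched the signature.
        echo "key-unavailable"
    elif printf '%s\n' "$text" | grep -q 'unsigned module is rejected'; then
        echo "unsigned-module"
    elif printf '%s\n' "$text" | grep -q 'module verification failed'; then
        echo "verification-failed"
    else
        echo "no-rejection-found"
    fi
}

# lockdown_mode: print the active lockdown mode from a securityfs "lockdown"
# file, which lists every mode with the active one in brackets, e.g.
# "[none] integrity confidentiality". $1 overrides the path (assumed default
# is /sys/kernel/security/lockdown) so the function can be tested on a copy.
lockdown_mode() {
    file=${1:-/sys/kernel/security/lockdown}
    [ -r "$file" ] || { echo "unavailable"; return 0; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$file"
}

# Constructed sample: the two dmesg lines quoted from seload in this article.
SAMPLE_DMESG='[   76.412413] PKCS7: sinfo 1: The signer 1c0fd30b key is not CodeSigning
[   76.412417] seos_1410_40_17: Loading of module with unavailable key is rejected'

# Stand-alone run: classify the sample, then report this host's lockdown mode.
printf '%s\n' "$SAMPLE_DMESG" | classify_module_rejection
lockdown_mode
```

To diagnose a live failure, pipe the real output of `dmesg` into `classify_module_rejection` instead of the sample.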

Resolution

There is no resolution on the Broadcom side for the time being, but this is being considered by QA/Dev. So the only solution is to disable Secure Boot by running

sudo mokutil --disable-validation

and then rebooting, confirming the setting in the UEFI menu, and rebooting again.

The QA and Dev groups are working on a way to correct this problem, and the single-key limitation imposed by the 5.x kernels may also be lifted in future releases. Please check our documentation periodically or contact support for news regarding this feature.