Carbon Black Cloud: Linux Sensor Stuck in Bypass mode when Secure Boot enabled

Article ID: 286819

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Linux sensor stuck in Bypass mode
  • Linux sensor kernel module is not loading
  • SecureBoot is shown as enabled by running:
    # mokutil --sb-state
    SecureBoot enabled
  • Or by running:
    # bootctl status
    System:
       Machine ID: d26f378df4214075858c2bd2e0ffb141
          Boot ID: 1dc5840315bd4954b97ed888e6c52a1a
      Secure Boot: enabled
       Setup Mode: user
    
    Selected Firmware Entry:
            Title: CentOS
        Partition: /dev/disk/by-partuuid/0c4c5e6a-deaf-4e55-8ed1-d6e16cb5f8f5
             File: └─/EFI/centos/shimx64.efi
    
    No suitable data is provided by the boot manager. See:
      http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
      http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
    for details
  • The /sys/firmware/efi/ directory is empty:
    
    # ls -l /sys/firmware/efi/
    total 0

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Linux OS: All Supported Versions where the kernel version is below 4.8

Cause

The Linux sensor kernel module does not load because Secure Boot is enabled, which is not currently a supported system configuration.

Resolution

  1. Sign the kernel module
  2. Disable Secure Boot

Additional Information

Another way to check the Secure Boot state:
# dmesg | grep -i secure
[    0.000000] Secure boot enabled
[    1.219154] EFI: Loaded cert 'CentOS Secure Boot (key 1): f037c6eaec36d4057a526c0ec6d5a95b324ee129' linked to '.system_keyring'
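
The three Secure Boot checks shown in this article (mokutil, bootctl, dmesg), combined with a module signature lookup, as an added example that is not part of the original article or any Carbon Black tooling. `SENSOR_MODULE` is a placeholder because the article does not name the sensor's kernel module, and the verdict wording is this example's own.

```shell
# Added example, not Carbon Black tooling. SENSOR_MODULE is a placeholder:
# the article does not name the sensor's kernel module.
SENSOR_MODULE="${SENSOR_MODULE:-REPLACE_WITH_SENSOR_MODULE}"

# Classify text from `mokutil --sb-state`, `bootctl status` or `dmesg`
# (read on stdin) as enabled / disabled / unknown.
sb_state_from_text() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -Eiq 'secure ?boot:? +enabled'; then
        echo enabled
    elif printf '%s\n' "$text" | grep -Eiq 'secure ?boot:? +disabled'; then
        echo disabled
    else
        echo unknown
    fi
}

# Ask each source from the article in turn; stop at the first definite answer.
secure_boot_state() {
    for probe in 'mokutil --sb-state' 'bootctl status' 'dmesg'; do
        state=$($probe 2>/dev/null | sb_state_from_text)
        [ "$state" != unknown ] && { echo "$state"; return 0; }
    done
    echo unknown
}

# Print the signer recorded in a module's signature; empty if unsigned.
module_signer() {
    modinfo -F signer "$1" 2>/dev/null
}

# Combine both facts into a verdict for this article's symptom.
verdict() {   # $1 = Secure Boot state, $2 = module signer (may be empty)
    case "$1" in
        enabled)
            if [ -z "$2" ]; then
                echo "matches article: Secure Boot enabled and module unsigned"
            else
                echo "module signed by '$2': confirm the kernel trusts that key"
            fi ;;
        disabled) echo "Secure Boot disabled: not this article's cause" ;;
        *) echo "Secure Boot state unknown: run the checks by hand" ;;
    esac
}

# Run against the live host only when asked: sh sbcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    verdict "$(secure_boot_state)" "$(module_signer "$SENSOR_MODULE")"
fi
```

Run it as root with `--live` so that `dmesg` is readable on hosts that restrict the kernel log.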