Configure Secure Boot on GCP for Endpoint Protection Linux Agents
Article ID: 393701

Updated On: 04-09-2025

Products

Endpoint Protection

Issue/Introduction

Enroll Secure Boot Key in a GCP Image for Symantec Endpoint Protection (SEP) Linux Agent 

Environment

- SEP 14.3 RU3 and Later
- Google Cloud Platform
- Linux

Resolution

  1. Download the required Secure Boot key, sis-key.der, for the SEP Linux agent.
    sis-key.der is located in the /etc/symantec/sis/ directory.

  2. Download the intermediate CA certificates.

    You must also download the intermediate certificate authority (CA) certificates that are required to validate the signing chain on the Trend Micro public keys. The CA certificates are X.509 v3 CRT files in DER encoding:

    • MicWinProPCA2011_2011-10-19.crt
      Microsoft Windows Production PCA 2011
      SHA-256 certificate hash: E8 E9 5F 07 33 A5 5E 8B AD 7B E0 A1 41 3E E2 3C 51 FC EA 64 B3 C8 FA 6A 78 69 35 FD DC C7 19 61

    • MicCorUEFCA2011_2011-06-27.crt
      Microsoft Corporation UEFI CA 2011
      SHA-256 certificate hash: 48 E9 9B 99 1F 57 FC 52 F7 61 49 59 9B FF 0A 58 C4 71 54 22 9B 9F 8D 60 3A C4 0D 35 00 24 85 07

    • MicCorKEKCA2011_2011-06-24.crt
      Microsoft Corporation KEK CA 2011
      SHA-256 certificate hash: A1 11 7F 51 6A 32 CE FC BA 3F 2D 1A CE 10 A8 79 72 FD 6B BE 8F E0 D0 B9 96 E0 9E 65 D8 02 A5 03

  3. Identify the source image to customize the UEFI firmware.

    List all available images

    gcloud compute images list
    Note the image name and the project name; they are used as SOURCE_IMAGE_NAME and SOURCE_IMAGE_PROJECT in step 5.

    Secure Boot-supported distributions in GCP

    For the full list of operating systems that Shielded VM supports, see Images with Shielded VM support.
    https://cloud.google.com/compute/docs/images/os-details#security-features

  4. Optionally generate a platform key
    If you are modifying a default Linux distribution that supports Secure Boot (that is, a platform listed as Shielded VM supported at the link above), the platform key (PK) typically does not need to be modified; it is usually configured by the system firmware or the operating system at installation time. If you do need to generate a platform key for the system firmware (UEFI), follow the GCP instructions for generating a platform key.

    Only replace the platform key if you can access the firmware of all devices that are loaded during boot (for example, the GPU). If you cannot update the firmware's signing chain to use your new platform key, then Secure Boot could make the instance permanently unable to boot.

  5. Customize the Linux image
    To boot a Linux virtual machine instance in Secure Boot mode with the SEP Linux agent in GCP, the Linux machine image must be modified by enrolling the Secure Boot key in the UEFI firmware.
    To create a custom Linux image in GCP with the Secure Boot key enrolled in the system firmware (UEFI), use the gcloud compute images create command. For details on command usage and the API, see the Google Cloud Platform documentation.

    gcloud compute images create [CUSTOM_IMAGE_NAME] \
           --source-image=[SOURCE_IMAGE_NAME] \
           --source-image-project=[SOURCE_IMAGE_PROJECT] \
           --platform-key-file=[OPTIONAL_PLATFORM_KEY] \
           --signature-database-file=./MicCorUEFCA2011_2011-06-27.crt,./MicWinProPCA2011_2011-10-19.crt,./MicCorKEKCA2011_2011-06-24.crt,./sis-key.der \
           --guest-os-features=UEFI_COMPATIBLE

    Parameter substitution
    Where:
         CUSTOM_IMAGE_NAME      - Desired virtual machine image name
         SOURCE_IMAGE_PROJECT   - The source image project from step 3
         SOURCE_IMAGE_NAME      - The source image name from step 3
         OPTIONAL_PLATFORM_KEY  - The platform key from step 4, if one was generated; otherwise omit the --platform-key-file option entirely

  6. Create an instance from the custom image with Secure Boot enabled
    Use the customized image CUSTOM_IMAGE_NAME to create new virtual machine instances with Secure Boot enabled.
    When creating the instance with the gcloud compute instances create command, be sure to specify the --shielded-secure-boot parameter to enable Secure Boot.
    When creating the instance in the GCP console, select the "Turn on Secure Boot" checkbox under Security → Shielded VM, as shown below.

  7.  Verify the Secure Boot key was successfully enrolled in the UEFI database
    grep Broadcom /proc/keys

  8. Install the SEP Linux Agent.

  9. Run the following command to check the status of the SEP modules:
    /usr/lib/symantec/status.sh

  10. Run the following command to check the Secure Boot status:
    mokutil --sb-state
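A pre-flight check for the certificates enrolled in step 5, added here as an example and not part of this article or of Symantec or Google tooling: it confirms that each downloaded file starts with the DER SEQUENCE tag and hashes to the SHA-256 fingerprint printed in step 2, so a PEM-encoded or truncated download is caught before it is baked into the image with gcloud compute images create. It assumes the files sit in the current directory under the names from step 2; sis-key.der has no fingerprint on this page, so only its DER framing is checked.

```bash
#!/usr/bin/env bash
# Pre-flight check for step 5 (example added to this article, not Symantec or Google
# tooling): confirm each downloaded DER certificate matches the SHA-256 fingerprint
# printed in step 2 before it is enrolled. Files are assumed to be in the current dir.
set -euo pipefail

# Turn a fingerprint as printed in the article ("E8 E9 5F ...") into lowercase hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ' :' | tr 'A-F' 'a-f'
}

# SHA-256 of a file, using sha256sum (Linux) or shasum (macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only if the file exists, starts with the DER SEQUENCE tag (0x30) that every
# DER-encoded X.509 certificate begins with and, when a fingerprint is given, hashes
# to it. A PEM file (starts with "-----") or a truncated download fails here.
verify_der_cert() {
  local file="$1" expected="${2:-}" tag
  [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
  tag=$(head -c 1 "$file" | od -An -tx1 | tr -d ' \n')
  [ "$tag" = "30" ] || { echo "NOT-DER  $file (first byte 0x$tag)"; return 1; }
  if [ -n "$expected" ] && [ "$(file_sha256 "$file")" != "$(normalize_fp "$expected")" ]; then
    echo "MISMATCH $file"; return 1
  fi
  echo "OK       $file"
}

# Check every file passed to --signature-database-file in step 5. sis-key.der has no
# published fingerprint on this page, so only its DER framing is checked.
verify_all() {
  local rc=0
  verify_der_cert MicWinProPCA2011_2011-10-19.crt \
    "E8 E9 5F 07 33 A5 5E 8B AD 7B E0 A1 41 3E E2 3C 51 FC EA 64 B3 C8 FA 6A 78 69 35 FD DC C7 19 61" || rc=1
  verify_der_cert MicCorUEFCA2011_2011-06-27.crt \
    "48 E9 9B 99 1F 57 FC 52 F7 61 49 59 9B FF 0A 58 C4 71 54 22 9B 9F 8D 60 3A C4 0D 35 00 24 85 07" || rc=1
  verify_der_cert MicCorKEKCA2011_2011-06-24.crt \
    "A1 11 7F 51 6A 32 CE FC BA 3F 2D 1A CE 10 A8 79 72 FD 6B BE 8F E0 D0 B9 96 E0 9E 65 D8 02 A5 03" || rc=1
  verify_der_cert sis-key.der || rc=1
  return "$rc"
}

verify_all || echo "Fix the files flagged above before running gcloud compute images create."
```

Run it from the directory holding the downloaded files; a non-zero exit from verify_all means at least one file must be re-downloaded before step 5.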

Additional Information