SEP Linux sisevt and sisap modules are not loading due to signing process failure

search cancel

SEP Linux sisevt and sisap modules are not loading due to signing process failure - MOK related.

book

Article ID: 420038

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

The sisevt kernel module is failing to load because the module signing process is failing.

Your configure a secure boot system with Symantec SEP Linux product.

When checking the MOK Key Status i shows enrolled:
MOK key status: /etc/symantec/sis/sis-key.der is already enrolled

However, running: insmod sisevt.ko you see Signing Failure:

Signing Driver: ... /etc/symantec/sis/driver/3.10.0-1160.el7/sisevt-x86_64-default.ko
Error signing /etc/symantec/sis/driver/3.10.0-1160.el7/sisevt-x86_64-default.ko

Environment

SEP Linux 14.3 RU9

Cause

The kernel module is being rejected because the signing step did not complete successfully, leaving the module without a valid signature. Since the kernel only accepts modules signed with trusted keys, it correctly blocks it.

Check the system’s UEFI MOK (Machine Owner Key) list to confirm whether it contains two entries: the active key (sis-key.der) and an older, expired key (sis-key-prev.der).

The expired key in the MOK list is causing the signing script to fail, which results in the module remaining unsigned and therefore not accepted by the kernel.

/07/19 08:02:37: /etc/symantec/sis/sis-key.der: _SIG: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX_SKID: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX /07/19 08:02:37:  -> Expiry Date:  Dec 31 2035
08/06/25 19:02:37: MOK key status: /etc/symantec/sis/sis-key.der is already enrolled
08/06/25 19:02:37: /etc/symantec/sis/sis-key-prev.der: _SIG: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX   _SKID: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX 08/06/25 19:02:37:  -> Expiry Date:  Jan 12 2023
08/06/25 19:02:37: MOK key status: /etc/symantec/sis/sis-key-prev.der is already enrolled

Resolution

Procedure to Remove the Expired Certificate

1. Identify the Hash of the Expired MOK
Run the following command to list all enrolled MOKs and locate the hash associated with the expired Symantec key:

2. Request Deletion of the Expired Key
Initiate the deletion request by running the command below. You will be prompted to create a one-time password—ensure you remember it for use during the next reboot.
Replace <hash-of-the-expired-key> with the value identified in Step 1.

3. Reboot and Complete Deletion in MOK Manager
Upon reboot, the blue MOK Manager interface will appear. Follow the prompts:

- Select Delete MOK
- Confirm the deletion
- Enter the password you created in Step 2
- Select Reboot

4. Post-Removal Verification
After the system returns to the OS, verify that the certificate has been removed and restart the Symantec agent or service as needed.

Additional Information

If there is no expired certificate or If removing the expired certificate does not resolve the issue, please raise a case with Technical Support.

Feedback

thumb_up Yes

thumb_down No