UEFI Secure Boot in xCloud Agent for Linux - x360Recover

Written By Tami Sutcliffe (Super Administrator)

Updated at February 26th, 2024

Overview 

xCloud Agent for Linux relies upon a custom kernel driver module for capturing a snapshot of the live filesystem for backups.

Linux does not have a native filesystem snapshot system (like the Volume Shadow Copy Service (VSS) within Windows), so we have to inject our own custom driver service to enable this functionality.

  • Due to the nature of kernel-level drivers within Linux, the kernel module (elastio-snap) must be compiled to match the exact build of the Linux kernel running on the system.  As it would be impossible to pre-compile modules ahead of time for all possible kernel releases, Linux uses the Dynamic Kernel Module Service (DKMS) to automate the process of compiling custom driver modules against the running kernel whenever a new kernel update is installed.

UEFI Secure Boot is a hardware-level security system designed to prevent malicious code from being run during the boot-up of a system. UEFI Secure Boot examines the binary applications being launched by the system loader and validates that they are signed by a trusted certificate to ensure security.  

  • The motherboard of your UEFI system comes pre-loaded with the digital signatures of broadly trusted certificate providers (like Microsoft) 
  • Mainstream Linux distribution providers (like Debian, Red Hat, and Ubuntu) also utilize trusted certificates widely recognized by hardware manufacturers

However, the custom built DKMS modules installed by third party developers (like Axcient) cannot be signed by these well-known certificates.

To enable the xCloud Agent for Linux to install and operate properly on a UEFI system using UEFI Secure Boot, you must first generate and enroll a custom certificate for the driver to utilize during installation.

By design, this process requires a user with root-level access on the specific system to manually perform an enrollment process.  This process cannot be automated (or it would defeat the underlying security layer being provided by UEFI Secure Boot.)

Below are instructions for performing this process.


IMPORTANT NOTE #1: Perform the following steps BEFORE installing the Agent for Linux.

IMPORTANT NOTE #2: UEFI Secure Boot is relevant ONLY for systems booting in UEFI mode. Do not perform this configuration for systems booting in Legacy BIOS mode.


STEP 1. Install the prerequisite packages

Before you can generate a signing certificate and enroll the security key in the system BIOS, you must first install the prerequisite packages on your Linux system.

1.1. First, login to your Linux system and switch to the root user account.

For Debian and Ubuntu-based Linux distributions, run:

apt install -y mokutil dkms openssl

For Red Hat-based Linux systems, you must first install and enable the EPEL repository.

For details on installing EPEL, see the documentation: Extra Packages for Enterprise Linux (EPEL)

Once EPEL is enabled, run the following to install the required packages

yum install -y mokutil dkms openssl


STEP 2. Generate the signing certificate

2.1. Once you have installed the prerequisite packages, verify that the default signing certificate has been created.

  • You can verify this by making sure that the file MOK.der is present in /var/lib/shim-signed/mok.

2.2. If this file is not present, you may create it manually. 

From a shell or terminal login, run the following command to generate the signing certificate:

openssl req -new -x509 -newkey rsa:2048 -keyout /var/lib/shim-signed/mok/MOK.key -outform DER -out /var/lib/shim-signed/mok/MOK.der -nodes -days 36500 -subj "/CN=Axcient Driver Kmod Signing MOK"

This will generate the private key (MOK.key) and the public certificate (MOK.der) in the /var/lib/shim-signed/mok directory.
NOTE: The agent will require these keys to be present whenever a new kernel image is installed or updated. This will allow rebuilding a new signed kernel module for the elastio-snap driver service.


STEP 3. Enroll the certificate on the system

The following process will (a) install the new certificate on the system and (b) allow the motherboard and UEFI Secure Boot mechanism to trust binaries signed with this certificate.

3.1. To begin the enrollment process, run the following command as the root user from the system console:

mokutil --import /var/lib/shim-signed/mok/MOK.der

3.2. You will be prompted to create a password.  

Once completed, the enrollment has been queued.  

3.3. To continue, reboot the machine.

Note: You must have access to the physical console of the system, either using (a) the virtual machine console utility, (b) the physical keyboard and monitor, or (c) the IPMI KVM utility.

3.4. When the machine reboots, the MOK Management system should appear with a "Press any key" message to continue.

3.5. Select Enroll MOK and press Continue.  

3.6. Enter the password you created above when prompted.  

3.7. Once completed, reboot the system once again.


STEP 4. Verify the certificate enrollment

4.1. Once the system has rebooted, log in and open a shell or terminal window.  

4.2. Check that the certificate is successfully installed by running:

mokutil --list-enrolled

You should see the locally-enrolled certificate listed in the output.

Note: The system-generated MOK keys are already present on most Linux distros, so having to manually generate the Axcient-labeled key will be rare.
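The following script is an added example (it is not Axcient's code) that automates the checks behind STEPS 2 through 4: it tells UEFI from Legacy BIOS boot (IMPORTANT NOTE #2), confirms MOK.der exists at the path used above, and compares the certificate's SHA1 fingerprint with the keys reported by mokutil --list-enrolled. It assumes mokutil prints one "SHA1 Fingerprint: xx:xx:..." line per enrolled key; the sample listing embedded in it is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not Axcient's code): pre-flight checks for STEPS 2-4.
# Assumptions: the MOK path from the article, and that `mokutil --list-enrolled`
# prints one "SHA1 Fingerprint: xx:xx:..." line per enrolled key.

MOK_DIR=/var/lib/shim-signed/mok        # path used in the article
MOK_DER="$MOK_DIR/MOK.der"

# Print "uefi" or "legacy". The kernel exposes /sys/firmware/efi only when it
# was booted through UEFI firmware; the path is a parameter so the function
# can be exercised against a directory that does not exist.
firmware_mode() {
    if [ -d "${1:-/sys/firmware/efi}" ]; then echo uefi; else echo legacy; fi
}

# SHA1 fingerprint of a DER certificate as lower-case colon-separated hex,
# the same shape mokutil uses in its listing.
mok_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Read a mokutil listing on stdin; succeed only if fingerprint $1 is in it.
fingerprint_in_listing() {
    grep -qiF "SHA1 Fingerprint: $1"
}

# Verify the enrollment on a real system (STEP 4.2). Returns 0 when the local
# certificate is enrolled, 1 when it is not, 2 when the machine is not UEFI.
verify_mok_enrollment() {
    if [ "$(firmware_mode)" != uefi ]; then
        echo "Legacy BIOS boot: MOK enrollment does not apply" >&2
        return 2
    fi
    if [ ! -f "$MOK_DER" ]; then
        echo "missing $MOK_DER: generate it as in STEP 2.2" >&2
        return 1
    fi
    fp=$(mok_fingerprint "$MOK_DER")
    if mokutil --list-enrolled | fingerprint_in_listing "$fp"; then
        echo "enrolled: $fp"
    else
        echo "NOT enrolled: $fp (run mokutil --import and reboot, STEP 3)" >&2
        return 1
    fi
}

# Constructed sample of a mokutil listing; it is not output captured from a
# real machine and only illustrates the line the check looks for.
SAMPLE_FP=5a:2b:1c:7e:90:3f:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77
SAMPLE_LISTING="[key 1]
SHA1 Fingerprint: $SAMPLE_FP
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = Axcient Driver Kmod Signing MOK"

# Run the real check only when asked, so sourcing this file has no side effects:
#   RUN_MOK_CHECK=1 sh check_mok.sh
if [ "${RUN_MOK_CHECK:-0}" = 1 ]; then
    verify_mok_enrollment
fi
```

Run it as root with RUN_MOK_CHECK=1 after the second reboot in STEP 3.7; a non-zero exit with the "NOT enrolled" message means the MOK Management screen was skipped or the enrollment was cancelled, and STEP 3 has to be repeated.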


STEP 5. Continue with the agent for Linux installation

5.1. Once the signing certificate has been enrolled, continue with installation of the Agent for Linux as usual.  

The installer will detect that the system is running using UEFI Secure Boot.

The installer will also verify that the signing certificate is present in /root and will then configure the DKMS driver to automatically build signed binaries using the certificate.


Troubleshooting

  • Debian 11

On Debian 11, some manual configuration of DKMS signing is required.


(a) Edit the file /etc/dkms/sign_helper.sh and add the following line:

/lib/modules/"$1"/build/scripts/sign-file sha512 /var/lib/shim-signed/mok/MOK.key /var/lib/shim-signed/mok/MOK.der "$2"


(b) Edit the file /etc/dkms/framework.conf and uncomment the sign_tool helper option:

## Script to sign modules during build, script is called with kernel version
## and module name
sign_tool="/etc/dkms/sign_helper.sh"
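As an added example (not Axcient's or Debian's code), here is a fuller sign_helper.sh for the Debian 11 case above, plus a check that the module DKMS produced actually carries the MOK signature. It relies only on what the framework.conf comment states (DKMS calls the helper with the kernel version and the module path) and on modinfo reporting "signer:", "sig_key:" and "sig_hashalgo:" fields for signed modules; the modinfo excerpts embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not Axcient's or Debian's code): a defensive replacement for
# /etc/dkms/sign_helper.sh and a post-build signature check.
# DKMS calls sign_tool with "$1" = kernel version and "$2" = module path, as the
# framework.conf comment says; the paths below are the ones the article uses.

MOK_KEY=/var/lib/shim-signed/mok/MOK.key
MOK_DER=/var/lib/shim-signed/mok/MOK.der

# Sign one module. Fails loudly instead of leaving an unsigned module behind,
# which the kernel would refuse to load under Secure Boot.
sign_module() {
    kver=$1
    module=$2
    sign_file="/lib/modules/$kver/build/scripts/sign-file"
    for f in "$sign_file" "$MOK_KEY" "$MOK_DER" "$module"; do
        if [ ! -e "$f" ]; then
            echo "sign_helper: missing $f" >&2
            return 1
        fi
    done
    "$sign_file" sha512 "$MOK_KEY" "$MOK_DER" "$module"
}

# Read `modinfo <module>` output on stdin and print the signer's CN; fail if
# the module carries no "signer:" field, i.e. it is unsigned.
module_signer() {
    sed -n 's/^signer:[[:space:]]*//p' | grep .
}

# Compare the signer modinfo reports with the CN of our MOK certificate.
module_signed_by_mok() {
    expected=$(openssl x509 -inform DER -in "$MOK_DER" -noout -subject \
               | sed 's/^.*CN *= *//')
    actual=$(modinfo "$1" | module_signer) || {
        echo "$1 is unsigned" >&2
        return 1
    }
    [ "$actual" = "$expected" ]
}

# Constructed modinfo excerpts (not captured from a real system).
SAMPLE_MODINFO_SIGNED="filename:       /lib/modules/5.10.0-constructed-amd64/updates/dkms/elastio-snap.ko
license:        GPL
signer:         Axcient Driver Kmod Signing MOK
sig_key:        11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
sig_hashalgo:   sha512"
SAMPLE_MODINFO_UNSIGNED="filename:       /lib/modules/5.10.0-constructed-amd64/updates/dkms/elastio-snap.ko
license:        GPL"

# When installed as /etc/dkms/sign_helper.sh and executed by DKMS, act as the
# signing hook; when sourced under another name, only define the functions.
case "$0" in
    */sign_helper.sh) sign_module "$1" "$2" ;;
esac
```

After the agent installs and DKMS builds elastio-snap, running module_signed_by_mok against the built .ko (or simply modinfo elastio-snap | grep signer) confirms that the sign_tool hook fired; an unsigned module at that point means framework.conf still has sign_tool commented out.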


SUPPORT | 720-204-4500 | 800-352-0248