
How to Install Teramind Linux Agent on Secure Boot Systems

Written by Arick Disilva

Overview

On systems with UEFI Secure Boot enabled, the Linux kernel only loads signed kernel modules. The Teramind Linux Agent ships a signed kernel module (dlp_lsm.ko) that enables real-time file content monitoring for DLP features. To use it on Secure Boot systems, the Teramind signing certificate must be enrolled as a Machine Owner Key (MOK).

One-time step per machine

MOK enrollment persists across Agent updates, reinstalls, and kernel upgrades - you only need to do this once.

File Tracking Backends

The Agent automatically selects a backend based on MOK enrollment status:

Backend                    | When Used                              | Capabilities
Kernel module (dlp_lsm.ko) | Preferred; requires MOK enrolled       | Real-time file content scanning; supports DLP rules such as sensitive-data detection and file-transfer blocking
eBPF                       | Automatic fallback if MOK not enrolled | Tracks file operations (open, read, write) but cannot inspect file content — content-based DLP rules unavailable

Secure Boot & MOK Status Reference

Secure Boot | MOK Enrolled | Agent Behavior
OFF         | N/A          | Kernel module loads directly
ON          | YES          | Kernel module loads directly
ON          | NO           | eBPF fallback (automatic); kernel module skipped

How to Check Secure Boot Status

mokutil --sb-state

Expected output: SecureBoot enabled or SecureBoot disabled.

Installation Options

Option 1: Install Agent First, Enroll MOK Later (Recommended)

This is the simplest approach. The Agent works immediately via eBPF. Enroll MOK when convenient to unlock full DLP capabilities.

Step 1: Install the Agent

DEB (Ubuntu/Debian):

sudo dpkg -i tmagent_*.deb

RPM (RHEL/Rocky):

sudo dnf install ./tmagent_*.rpm

The Agent starts with eBPF file tracking. If Secure Boot is detected and MOK is not enrolled, the installer prints enrollment instructions.

Step 2: Enroll the Signing Key

sudo /usr/share/tmagent/tm-enroll-mok.sh

You will be prompted to create a one-time password - remember it for the next step.

Step 3: Reboot and Confirm

After reboot, the UEFI MOK Manager (blue screen) appears automatically:

  1. Select Enroll MOK

  2. Select Continue

  3. Select Yes

  4. Enter the password you set in Step 2

  5. Select Reboot

After reboot, the Agent automatically switches from eBPF to the kernel module.

Option 2: Enroll MOK Before Installing the Agent

Step 1: Enroll the Signing Key

Choose one method:

  • Using the standalone enrollment script (attached here):

    sudo ./tm-enroll-mok.sh

  • Or manually with the certificate file:

    sudo mokutil --import tm-cert.der

Set a one-time password when prompted.

Step 2: Reboot and Confirm

Complete the enrollment in the UEFI MOK Manager. The process is the same as Option 1, Step 3 above.

Step 3: Install the Agent

sudo dpkg -i tmagent_*.deb # or sudo dnf install ./tmagent_*.rpm

The kernel module loads immediately - no eBPF fallback.

Verify the Installation

Check Agent status:

sudo /usr/share/tmagent/deploy.sh --status

Confirm these lines appear in the output:

SecureBoot: enabled
MOK status: enrolled
Module sig: signed (Teramind Module Signing)
Kernel module: loaded

Check MOK enrollment status independently:

sudo /usr/share/tmagent/tm-enroll-mok.sh --status
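The status reference table and the verification step above can be combined into a single pre-flight and post-install check. The script below is an added example, not Teramind's own tooling; it assumes the output formats shown in this article (mokutil --sb-state, deploy.sh --status), the certificate path /usr/share/tmagent/tm-cert.der, and that `mokutil --test-key <der>` reports an enrolled key with the words "is already enrolled".

```shell
#!/bin/sh
# check_tm_secureboot.sh: pre-flight / post-install check for the Teramind
# Agent on Secure Boot systems. Added example, not Teramind's own script.
# Assumptions: the output formats shown in the article, the certificate path
# below, and that `mokutil --test-key <der>` prints "... is already enrolled"
# for an enrolled key.
TM_CERT=/usr/share/tmagent/tm-cert.der
TM_STATUS=/usr/share/tmagent/deploy.sh

# Map `mokutil --sb-state` output to on/off/unknown.
sb_state_from_output() {
  case "$1" in
    *"SecureBoot enabled"*)  echo on ;;
    *"SecureBoot disabled"*) echo off ;;
    *)                       echo unknown ;;
  esac
}

# Map `mokutil --test-key` output to yes/no (assumed wording, see header).
mok_enrolled_from_output() {
  case "$1" in *"is already enrolled"*) echo yes ;; *) echo no ;; esac
}

# Backend the Agent will pick, per the status reference table:
# Secure Boot off -> module; on + MOK enrolled -> module; on + no MOK -> eBPF.
expected_backend() {  # $1 = on|off|unknown, $2 = yes|no
  if [ "$1" = off ] || [ "$2" = yes ]; then echo kernel-module; else echo ebpf; fi
}

# Verify `deploy.sh --status` output contains the four lines the article
# expects on a fully enrolled machine; each missing line is reported on stderr.
status_ok() {
  rc=0
  for want in "SecureBoot: enabled" "MOK status: enrolled" \
      "Module sig: signed (Teramind Module Signing)" "Kernel module: loaded"; do
    case "$1" in *"$want"*) ;; *) echo "missing: $want" >&2; rc=1 ;; esac
  done
  return $rc
}

main() {
  command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed" >&2; return 2; }
  sb=$(sb_state_from_output "$(mokutil --sb-state 2>&1)")
  mok=$(mok_enrolled_from_output "$(mokutil --test-key "$TM_CERT" 2>&1)")
  echo "Secure Boot: $sb  MOK enrolled: $mok  expected backend: $(expected_backend "$sb" "$mok")"
  [ -x "$TM_STATUS" ] && status_ok "$("$TM_STATUS" --status 2>&1)" && echo "Agent status: OK"
}

# Run the live check only when executed directly under this file name.
case "${0##*/}" in check_tm_secureboot.sh) main "$@" ;; esac
```

Run it before enrollment to see which backend the Agent will fall back to, and again after the reboot to confirm all four status lines are present.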

Alternative Enrollment Methods

All methods are equivalent - use whichever fits your workflow:

Method                                  | Command
Enrollment script (installed Agent)     | sudo /usr/share/tmagent/tm-enroll-mok.sh
Enrollment script (standalone artifact) | sudo ./tm-enroll-mok.sh
Manual mokutil                          | sudo mokutil --import /usr/share/tmagent/tm-cert.der

Frequently Asked Questions (FAQ)

1. Do I need to re-enroll after Agent updates?

No. MOK enrollment is per-certificate, not per-package. As long as the same signing certificate is used, enrollment persists across all Agent updates and reinstalls.

2. Does MOK enrollment affect other software or the OS?

No. It only permits loading of kernel modules signed with the Teramind certificate. It does not affect other software, OS updates, or Secure Boot validation of the OS itself.

3. What happens if I skip MOK enrollment entirely?

The Agent still monitors file activity using the eBPF-based tracker. However, content-aware DLP features (such as sensitive-data detection and file-transfer blocking) require the kernel module and will not work until MOK is enrolled and the machine is rebooted.
