48
1.
2.
3.
1.
separated list of PCI devices to exclude from the firmware update.
Example:
MLNX_EXCLUDE_DEVICES=
"00:05.0,00:07.0"
UEFI Secure Boot
All kernel modules included in MLNX_OFED for RHEL7 and SLES12 are signed with x.509 key to
support loading the modules when Secure Boot is enabled.
Enrolling Mellanox's x.509 Public Key on Your Systems
In order to support loading MLNX_OFED drivers when an OS supporting Secure Boot boots on a UEFI-
based system with Secure Boot enabled, the Mellanox x.509 public key should be added to the UEFI
Secure Boot key database and loaded onto the system key ring by the kernel.
Follow these steps below to add the Mellanox's x.509 public key to your system:
Download the x.509 public key.
# wget http:
//www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der
Add the public key to the MOK list using the mokutil utility.
# mokutil --
import
mlnx_signing_key_pub.der
Reboot the system.
The pending MOK key enrollment request will be noticed by shim.efi and it will launch MokManager.efi
to allow you to complete the enrollment from the UEFI console. You will need to enter the password
you previously associated with this request and confirm the enrollment. Once done, the public key is
added to the MOK list, which is persistent. Once a key is in the MOK list, it will be automatically
propagated to the system key ring and subsequent will be booted when the UEFI Secure Boot is
enabled.
Removing Signature from kernel Modules
The signature can be removed from a signed kernel module using the 'strip' utility which is provided by
the 'binutils' package. The strip utility will change the given file without saving a backup. The operation
can be undo only by resigning the kernel module. Hence, we recommend backing up a copy prior to
removing the signature.
To remove the signature from the MLNX_OFED kernel modules:
Remove the signature.
Prior to adding the Mellanox's x.509 public key to your system, please make sure that (1) The
'mokutil' package is installed on your system, and (2) The system is booted in UEFI mode.
To see what keys have been added to the system key ring on the current boot, install the
'keyutils' package and run: #keyctl list %:.system_keyring#
Summary of Contents for C-ADAB
Page 14: ...14...