Rev 1.1
Mellanox Technologies Confidential
ring by the kernel.
Follow the steps below to add the Mellanox x.509 public key to your system.
Before adding the Mellanox x.509 public key to your system, make sure that (1) the
'mokutil' package is installed on your system, and (2) the system is booted in UEFI mode.
• Download the x.509 public key.
# wget http://www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der
• Add the public key to the MOK list using the mokutil utility.
# mokutil --import mlnx_signing_key_pub.der
• Reboot the system.
The pending MOK key enrollment request will be noticed by shim.efi, which will launch
MokManager.efi to allow you to complete the enrollment from the UEFI console. You will
need to enter the password you previously associated with this request and confirm the
enrollment. Once done, the public key is added to the MOK list, which is persistent. Once
a key is in the MOK list, it will be automatically propagated to the system key ring on this
and subsequent boots when UEFI Secure Boot is enabled.
To see what keys have been added to the system key ring on the current boot, install the
'keyutils' package and run:
# keyctl list %:.system_keyring
4.1.7.2 Removing Signature from Kernel Modules
The signature can be removed from a signed kernel module using the 'strip' utility, which
is provided by the 'binutils' package. The strip utility changes the given file without
saving a backup. The operation can be undone only by re-signing the kernel module. Hence,
we recommend backing up a copy prior to removing the signature.
To remove the signature from the MLNX_OFED kernel modules:
• Remove the signature.
# rpm -qa | grep -E "kernel-ib|mlnx-ofa_kernel|iser|srp|knem|mlnx-rds|mlnx-nfsrdma|mlnx-nvme|mlnx-rdma-rxe" | xargs rpm -ql | grep "\.ko$" | xargs strip -g
After the signature has been removed, a message such as the following will no longer be
presented upon module loading:
"Request for unknown module key 'Mellanox Technologies signing key: 61feb074fc7292f958419386ffdd9d5ca999e403' err -11"
However, please note that a message similar to the following will still be presented:
"my_module: module verification failed: signature and/or required key missing - tainting kernel"
This message is presented only once, the first time in a boot that a module is loaded which
either has no signature or whose key is not in the kernel key ring. Therefore, this message
may go unnoticed.
Once the system is rebooted after unloading and reloading a kernel module, the message
will appear. (Note that this message cannot be eliminated.)
• Update the initramfs on RHEL systems with the stripped modules.
# mkinitrd /boot/initramfs-$(uname -r).img $(uname -r) --force
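A check that pairs with the strip step above, as an added example that is not part of the Mellanox manual: it reads the trailing bytes of each module file and reports whether the appended signature is still present, so the result can be confirmed before and after stripping and before the initramfs is rebuilt. The function names and the sample file are assumptions made for illustration; the marker string and descriptor layout are those of the Linux kernel's appended module signature format.

```shell
#!/usr/bin/env bash
# Added example (not Mellanox code): report which kernel module files still
# carry an appended signature. A signed .ko ends with the signature data, a
# 12-byte descriptor whose last 4 bytes are the big-endian signature length,
# and the 28-byte marker below (the text plus a trailing newline).
MAGIC='~Module signature appended~'

# module_is_signed FILE: succeeds if FILE ends with the signature marker.
module_is_signed() {
    [ "$(tail -c 28 -- "$1" 2>/dev/null | tr -d '\0')" = "$MAGIC" ]
}

# module_sig_len FILE: prints the signature length in bytes from the descriptor.
module_sig_len() {
    module_is_signed "$1" || return 1
    printf '%d\n' "0x$(tail -c 32 -- "$1" | head -c 4 | od -An -tx1 | tr -d ' \n')"
}

# audit_modules: reads module paths on stdin, prints one status line per path.
audit_modules() {
    while IFS= read -r ko; do
        if [ ! -r "$ko" ]; then
            printf 'missing %s\n' "$ko"
        elif module_is_signed "$ko"; then
            printf 'signed %s %s\n' "$(module_sig_len "$ko")" "$ko"
        else
            printf 'unsigned %s\n' "$ko"
        fi
    done
}

# make_constructed_sample FILE: writes a constructed (fake) signed module:
# body, 256 zero bytes standing in for the signature, descriptor, marker.
make_constructed_sample() {
    {
        printf 'constructed-module-body'
        head -c 256 /dev/zero
        printf '\000\000\000\000\000\000\000\000\000\000\001\000'
        printf '%s\n' "$MAGIC"
    } > "$1"
}

# With arguments, audit the given files: ./audit.sh /path/to/a.ko /path/to/b.ko
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$@" | audit_modules
fi
```

To cover the same files that the strip command touches, pipe the module list produced by the rpm/grep pipeline above (everything up to `grep "\.ko$"`) into `audit_modules`.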