User Manual

InstallationRev 2.2-1.0.1

Mellanox Technologies

2.8 UEFI Secure Boot

All kernel modules included in MLNX_OFED for RHEL7 and SLES12 are signed with x.509

key to support loading the modules when Secure Boot is enabled.

2.8.1 Enrolling Mellanox's x.509 Public Key On your Systems

In order to support loading MLNX_OFED drivers when an OS supporting Secure Boot boots on

a UEFI-based system with Secure Boot enabled, the Mellanox x.509 public key should be added

to the UEFI Secure Boot key database and loaded onto the system key ring by the kernel.

Follow these steps below to add the Mellanox's x.509 public key to your system:

Prior to adding the Mellanox's x.509 public key to your system, please make sure the 'mokutil'

package is installed on your system.

Step 1. Download the x.509 public key.

# wget http://www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der

Step 2. Add the public key to the MOK list using the mokutil utility.

You will be asked to enter and confirm a password for this MOK enrollment request.

# mokutil --import mlnx_signing_key_pub.der

Step 3. Reboot the system.

The pending MOK key enrollment request will be noticed by

shim.efi and it will launch Mok-

Manager.efi

to allow you to complete the enrollment from the UEFI console. You will need to

enter the password you previously associated with this request and confirm the enrollment. Once

done, the public key is added to the MOK list, which is persistent. Once a key is in the MOK list,

it will be automatically propagated to the system key ring and subsequent will be booted when

the UEFI Secure Boot is enabled.

To see what keys have been added to the system key ring on the current boot, install the 'keyutils'

package and run: #keyctl list %:.system_keyring