Drivers fail: PKCS#7 signature not signed with a trusted key

We have to use UEFI and Secure Boot. When I install the latest MLNX drivers for our ConnectX-6 card, I get the following in the log:

Feb 03 17:04:51 management-node kernel: PKCS#7 signature not signed with a trusted key

Feb 03 17:04:51 management-node kernel: Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7

and obviously the drivers will not work. Are the drivers not signed properly? Or is there something I can do to add a credential to the kernel’s trusted keys?

I am not sure how to move forward. We have a significant number of HCAs all in the same predicament.

Is Ubuntu supposed to have a system_keyring? Because mine certainly does not; I only have something called “.secondary_trusted_keys”; see a couple of posts up.

Apologies, here is my OS and driver version:

Ubuntu 18.04.5 LTS

MLNX_OFED_LINUX-5.2-1.0.4.0-ubuntu18.04-x86_64

Apologies again, I believe this answers my own question. Sorry for the noise.

UEFI Secure Boot - MLNX_OFED v5.2-1.0.4.0 - Mellanox Docs

I spoke too soon. I followed that procedure, but it does not seem to make a difference. I downloaded the key from Mellanox, applied it via mokutil, rebooted, got the screen to enroll the key, enrolled the key.

I noticed that my system does not have

keyctl list %:.system_keyring

But I do have the following keyrings, and Mellanox is in them:

root@management-node:~# keyctl list %:.builtin_trusted_keys

1 key in keyring:

158064321: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: xxx

root@management-node:~# keyctl list %:.secondary_trusted_keys

8 keys in keyring:

634468722: ---lswrv 0 0 keyring: .builtin_trusted_keys

163067684: ---lswrv 0 0 asymmetric: Canonical Ltd. Master Certificate Authority: xxx

366975476: ---lswrv 0 0 asymmetric: SomeOrg: shim: xxx

658563297: ---lswrv 0 0 asymmetric: Mellanox Technologies signing key: xxx

53066224: ---lswrv 0 0 asymmetric: VMware, Inc.: VMware Secure Boot Signing: xxx

1073723880: ---lswrv 0 0 asymmetric: VMware, Inc.: xxx

299092182: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: xxx

388698450: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: xxx

Can you advise?

Hello Daniel,

Thank you for posting your inquiry on the NVEX Networking Community.

Please do in the following sequence:

Based on the above procedure, we were not able to reproduce the issue in our lab, and the driver installation was successful without the 'PKCS#7 signature not signed with a trusted key' message.

If the issue still exists after this installation, please open a NVEX Networking Technical support ticket by sending an email to networking-support@nvidia.com

Thank you and regards,

~NVEX Networking Technical Support

Unfortunately, this did not work; same result. I have opened a case. I’m not sure if I’m supposed to do that through other means, because I have a support contract, or not.

Hello Daniel,

I see the case in the system and you have been updated with some of the same info you already tried.

I will move the case to our L3 as we need to do a repro in the lab. The procedure needs to work for all supported OSes.

We will support you through the support case.

Thank you and regards,

~NVEX Networking Technical Support