mlnxofedinstall with option --add-kernel-support generates an unsigned module

If we use mlnxofedinstall with the option --add-kernel-support, the module will be unsigned and unusable on a server with UEFI Secure Boot enabled.

Hello Cyrille,

Thank you for posting your question on the Mellanox Community.

How to setup secure boot depends on which OS you are using. If you are using Redhat or SLES you can follow the instructions presented here:

https://docs.mellanox.com/display/MLNXOFEDv531001/UEFI+Secure+Boot

If you are using Ubuntu, unlike in Red Hat and SLES, the kernel modules installed by the Mellanox OFED are not pre-signed with the Mellanox signing keys. This is because DKMS on Ubuntu installs modules in such a way that it does not allow for modules to be pre-signed as they are in Red Hat and SLES. This means that, in order to work with the Mellanox kernel modules on Ubuntu with SecureBoot, the modules must be manually signed with a key that is user created.

The following is the process for creating a private/public key pair and using that key pair to sign the Mellanox kernel modules:

  1. To create a key, follow the steps in this article: https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
  • Here is an overview of the process: Create an SSL certificate. The following is an example:

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME = .
    RANDFILE = $ENV::HOME/.rnd

    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = v3
    string_mask = utf8only
    prompt = no

    [ req_distinguished_name ]
    countryName = CA
    stateOrProvinceName = Quebec
    localityName = Montreal
    0.organizationName = cyphermox
    commonName = Secure Boot Signing
    emailAddress = example@example.com

    [ v3 ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical,CA:FALSE
    extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
    nsComment = "OpenSSL Generated Certificate"

Use the SSL certificate to create a private/public key pair. Using openssl.cnf as the example certificate, use the following command:

    # openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"

  • Enroll the public key with:
    • mokutil --import MOK.der

  • Reboot the node and enroll the key in the MOK Manager at the time the OS boots.

  2. Ensure the Mellanox kernel modules are unsigned with the following commands. 5.4.0-66-generic is the kernel that ships with Ubuntu 20.04; this can be changed to whichever kernel is loaded on the system:

    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/mlx5_core.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/rdma_ucm.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/rdma_cm.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/ib_ipoib.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/mlx5_ib.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/ib_uverbs.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/ib_cm.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/ib_core.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/mlxfw.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/mlx_compat.ko
    # strip --strip-debug /lib/modules/5.4.0-66-generic/updates/dkms/iw_cm.ko

  3. Sign the kernel modules with the private and public key using the following commands:

    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/mlx5_core.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/ib_core.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/rdma_ucm.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/rdma_cm.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/ib_ipoib.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/mlx5_ib.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/ib_uverbs.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/ib_umad.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/ib_cm.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/mlxfw.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/mlx_compat.ko
    # kmodsign sha512 MOK.priv MOK.der /lib/modules/5.4.0-66-generic/updates/dkms/iw_cm.ko

Once these steps are followed, openibd will be allowed to load the signed modules. This procedure has been tested and proven to work on Ubuntu 18.04 and Ubuntu 20.04.

Thanks and regards,

~Mellanox Technical Support
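
An added example, not part of the reply above and not Mellanox's own tooling: a shell script that applies the strip and kmodsign steps from the reply to every module in the DKMS directory, then checks each file for the trailer that the kernel's module signing format appends after a signature. The function names, the KVER variable and the --sign argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). KVER, MODDIR, --sign and the
# function names are assumptions chosen for illustration; the strip and
# kmodsign invocations are the ones shown in the post.

# Trailer appended to a module file after its signature.
MAGIC='~Module signature appended~'

# is_signed FILE: succeed if FILE ends with the signature trailer.
# The trailer is 27 characters plus a newline, so read the last 28 bytes.
# NUL bytes are dropped so binary tails do not upset the shell.
is_signed() {
    [ "$(tail -c 28 -- "$1" | tr -d '\000')" = "$MAGIC" ]
}

# list_unsigned DIR: print every .ko under DIR that lacks the trailer.
list_unsigned() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r mod; do
        is_signed "$mod" || printf '%s\n' "$mod"
    done
}

# sign_all DIR KEY CERT: strip and sign every module, then re-check it.
sign_all() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r mod; do
        strip --strip-debug "$mod" &&
        kmodsign sha512 "$2" "$3" "$mod" || { echo "FAILED: $mod" >&2; continue; }
        is_signed "$mod" && echo "signed: $mod"
    done
}

# Usage (as root): sh sign-dkms.sh --sign MOK.priv MOK.der
if [ "${1:-}" = "--sign" ]; then
    MODDIR="/lib/modules/${KVER:-$(uname -r)}/updates/dkms"
    sign_all "$MODDIR" "$2" "$3"
    echo "still unsigned:"
    list_unsigned "$MODDIR"
fi
```

The trailer check only shows that a signature is appended, not that it was made with a key enrolled in the MOK list; `modinfo -F signer <module>` shows which certificate signed a given module.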