Removing Signature From Kernel Modules - Mellanox Technologies ConnectX-5 User Manual

You will be asked to enter and confirm a password for this MOK enrollment request.
Reboot the system.
Step 3.
The pending MOK key enrollment request will be noticed by
Manager.efi
enter the password you previously associated with this request and confirm the enrollment. Once
done, the public key is added to the MOK list, which is persistent. Once a key is in the MOK list,
it will be automatically propagated to the system key ring and subsequent will be booted when
the UEFI Secure Boot is enabled.
To see what keys have been added to the system key ring on the current boot, install the 'keyutils'
package and run:

4.1.7.2 Removing Signature from kernel Modules

The signature can be removed from a signed kernel module using the 'strip' utility which is pro-
vided by the 'binutils' package.
# strip -g my_module.ko
The strip utility will change the given file without saving a backup. The operation can be undo
only by resigning the kernel module. Hence, we recommend backing up a copy prior to removing
the signature.
 To remove the signature from the MLNX_OFED kernel modules:
Remove the signature.
Step 1.
After the signature has been removed, a massage as the below will no longer be presented
upon module loading:
However, please note that a similar message as the following will still be presented:
This message is presented once, only for each boot for the first module that either has no
signature or whose key is not in the kernel key ring. So it's much easier to miss this mes-
sage. You won't see it on repeated tests where you unload and reload a kernel module until
you reboot. There is no way to eliminate this message.
Update the initramfs on RHEL systems with the stripped modules.
Step 2.
Rev 1.5
# mokutil --import mlnx_signing_key_pub.der
to allow you to complete the enrollment from the UEFI console. You will need to
#keyctl list %:.system_keyring
# rpm -qa | grep -E "kernel-ib|mlnx-ofa_kernel|iser|srp|knem|mlnx-rds|mlnx-nfs-
rdma|mlnx-nvme|mlnx-rdma-rxe" | xargs rpm -ql | grep "\.ko$" | xargs strip -g
"Request for unknown module key 'Mellanox Technologies signing key:
61feb074fc7292f958419386ffdd9d5ca999e403' err -11"
"my_module: module verification failed: signature and/or required key missing - taint-
ing kernel"
mkinitrd /boot/initramfs-$(uname -r).img $(uname -r) --force
Mellanox Technologies
Driver Installation
and it will launch
shim.efi Mok-
36