Appendix - Secure Boot Activation and Deactivation

This section provides instructions on how to enable/disable the Secure Boot feature in UFM Enterprise Appliance.

The NVIDIA public certificate needs to be imported into the Machine Owner Key database (MOK DB) before Secure Boot is enabled. With Secure Boot active, the kernel loads only modules signed by a key it trusts; the NVIDIA (Mellanox) kernel modules used by the appliance are signed with this key, so enrolling it first avoids module load failures once Secure Boot is switched on. To do so, follow the steps below:

Add NVIDIA Certificate to MOK DB

  1. Download the NVIDIA certificate mlnx_signing_key_pub.der to a temporary folder. The file is served over plain HTTP, so compare its digest with the published checksums before importing it (rely on the SHA256; the MD5 is listed for reference only):
     MD5: c3ce3dcad0f38b02a9cbb991ce1bc7f4
     SHA256: ff7fe8c650e936079a8add2900b190f9e7f3806e5ad42e48c2b88408a6ce70aa

    cd /tmp
    wget http://www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der
    ls -ltrh ./mlnx_signing_key_pub.der

  2. Import mlnx_signing_key_pub.der into the MOK DB using mokutil. With --root-pw, MokManager asks for the OS root password when the enrollment is confirmed at the next boot, instead of a separately chosen MOK password:

    cd /tmp
    mokutil --import ./mlnx_signing_key_pub.der --root-pw

    Important

    At this point the certificate is only in the enrollment queue. On the next server reboot, a 10 second prompt (MokManager) appears at the start of the boot process to confirm the certificate addition. It is important to confirm the addition at this stage. Failure to do so requires you to repeat the procedure.
    To interact with the prompt, a console connection is needed, either from the serial port or from the web console available via Remote Management.

    Verify that the certificate is in the enrollment queue:

    mokutil --list-new

  3. Login to Remote Management via https://<iDRAC-ip address>

  4. To open the virtual web console, click on "Dashboard"→"Virtual Console"


  5. Reboot the server (at boot startup, a 10 second prompt appears to confirm the certificate addition).
    On the top menu, go to "Power"→"Reset System (warm boot)".

    The server will now reboot.

  6. At boot startup, a confirmation prompt appears to verify certificate addition. The prompt closes after 10 seconds, so if missed, the certificate addition procedure needs to be done again.
    When the prompt appears, press any key to interact.


  7. Navigate to "Enroll MOK" (MokManager offers this entry because an enrollment request is pending).

  8. View the certificate to be enrolled. To verify, press "View key0".


    Press "Enter" to exit the view.

  9. Select "Continue" from the menu and press Enter.


  10. Select "Yes" from the menu, and press Enter.


  11. A password prompt appears. Enter the OS root password (the --root-pw option used in step 2 ties the request to it).

  12. Select "Reboot" and press Enter. After the reboot is completed, the certificate is enrolled and is listed by mokutil --list-enrolled.
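The checks a practitioner would want before queuing the enrollment, collected into one script. This is an added example and is not part of the UFM documentation or NVIDIA's tooling: it verifies the downloaded file against the SHA256 published above, prints the issuer with openssl, reports the current Secure Boot state, skips the import when a matching key is already enrolled or already queued, and only then runs mokutil --import. It assumes mokutil, openssl and a SHA-256 tool (sha256sum, shasum or openssl dgst) are on PATH; CERT, EXPECTED_SHA256 and ISSUER_MATCH default to the values from this page and can be overridden through the environment. The file name preflight.sh and the "run" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the UFM Enterprise Appliance documentation:
# pre-flight checks before queuing the NVIDIA certificate with mokutil.
# Assumes mokutil, openssl and a SHA-256 tool are installed. CERT, EXPECTED_SHA256
# and ISSUER_MATCH are taken from the procedure above and may be overridden
# through the environment.
set -u

CERT="${CERT:-/tmp/mlnx_signing_key_pub.der}"
EXPECTED_SHA256="${EXPECTED_SHA256:-ff7fe8c650e936079a8add2900b190f9e7f3806e5ad42e48c2b88408a6ce70aa}"
ISSUER_MATCH="${ISSUER_MATCH:-Mellanox}"

# Hex SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Returns 0 when the file's digest equals the expected one (hex compared case-insensitively).
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Issuer DN of a DER certificate, as printed by openssl.
cert_issuer() {
    openssl x509 -inform der -in "$1" -noout -issuer
}

preflight() {
    [ -f "$CERT" ] || { echo "missing $CERT" >&2; return 1; }
    verify_sha256 "$CERT" "$EXPECTED_SHA256" || { echo "checksum mismatch for $CERT, not enrolling" >&2; return 1; }
    issuer=$(cert_issuer "$CERT") || return 1
    case "$issuer" in
        *"$ISSUER_MATCH"*) echo "issuer ok: $issuer" ;;
        *) echo "unexpected issuer: $issuer" >&2; return 1 ;;
    esac
    echo "current state: $(mokutil --sb-state 2>&1)"
    if mokutil --list-enrolled 2>/dev/null | grep -qi "$ISSUER_MATCH"; then
        echo "a $ISSUER_MATCH certificate is already enrolled, nothing to do"; return 0
    fi
    if mokutil --list-new 2>/dev/null | grep -qi "$ISSUER_MATCH"; then
        echo "already queued: reboot and confirm at the MokManager prompt"; return 0
    fi
    # Queues the request; MokManager asks for the OS root password at the next boot (--root-pw).
    mokutil --import "$CERT" --root-pw && echo "queued: reboot and confirm at the 10 second prompt"
}

# Only run the checks when invoked as "sh preflight.sh run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then preflight; fi
```

The checksum comparison is the only thing that authenticates the file, since the download itself is unauthenticated HTTP; the issuer check catches the case where the wrong DER file was copied into place, and the list-enrolled/list-new checks make the script safe to re-run after an interrupted attempt.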

Enable Secure Boot

  1. Login to Remote Management available via https://<iDRAC-ip address>

  2. Navigate to "Configuration" → "BIOS Settings" → "System Security" and expand the section (arrow).

  3. Scroll down to "Secure Boot" and select "Enabled" from the drop-down menu. Click the "Apply" button.

  4. Scroll to the bottom of the page and click the "Apply And Reboot" button; this reboots the server and applies the configuration.

  5. An information popup appears. Click the "Job Queue" button (also reachable from "Maintenance" → "Job Queue").

  6. Wait for the jobs to finish and reach 100%.

  7. Validate from the terminal that Secure Boot is enabled (mokutil reports "SecureBoot enabled") and that the NVIDIA certificate is among the enrolled keys:

    mokutil --sb-state

    mokutil --list-enrolled | grep -i mellanox

Important

Disabling Secure Boot is not recommended and weakens the boot chain: unsigned or tampered boot loaders, kernels and kernel modules are no longer rejected.

Secure Boot needs to be disabled prior to removing the NVIDIA public certificate. Removing the certificate while Secure Boot is enabled would leave the NVIDIA-signed kernel modules untrusted, so they would fail to load.

The removal of the certificate is optional and can be skipped if Secure Boot is to be re-enabled at some point in the future.

Disable Secure Boot in the BIOS

  1. Login to Remote Management (https://<iDRAC-ip address>)

  2. Navigate to "Configuration" → "BIOS Settings" → "System Security" and expand the section (arrow).

  3. Scroll down to "Secure Boot", select "Disabled" from the drop-down menu, and click the "Apply" button.

  4. Scroll to the bottom of the page and click the "Apply And Reboot" button; this reboots the server and applies the configuration.

  5. An information popup appears. Click the "Job Queue" button (also reachable from "Maintenance" → "Job Queue").

  6. Wait for the jobs to complete (reach 100%).

  7. Validate from the terminal that Secure Boot is disabled (mokutil reports "SecureBoot disabled"):

    mokutil --sb-state

Remove the NVIDIA Certificate from MOK db

Perform this step if you want to entirely remove NVIDIA's certificate from MOK DB. This step is optional and is not required to disable secure boot. Skip this if you wish to enable secure boot at a later time.

  1. Login as root to the UFM server.

  2. Check the currently enrolled certificates.

    mokutil --list-enrolled

    Search for "Issuer: O=Mellanox Technologies.." and note the [key N] index printed above the start of that certificate; it identifies the key to be removed.

  3. Download mlnx_signing_key_pub.der to a temporary folder (the DER certificate file must be present for mokutil --delete). If the file is not available, the enrolled certificate can be exported instead.

    cd /tmp
    wget http://www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der

    Or export the currently enrolled keys (the files are named MOK-000X.der) and search them for the NVIDIA certificate. grep matches the ASCII issuer string inside the binary DER file and only reports "Binary file MOK-000X.der matches":

    cd /tmp
    mokutil --export
    grep "Mellanox" MOK-0*

    Validate the certificate by printing its issuer:

    openssl x509 -inform der -in MOK-0002.der -noout -issuer

  4. Remove the certificate from the MOK DB. The example below uses MOK-0002.der; the file name on your system may differ, so use the one identified in the previous step.

    mokutil --delete ./MOK-0002.der --root-pw

    Validate that the deletion request was queued:

    mokutil --list-delete

    Important

    At this point the certificate is only in the deletion queue. On the next server reboot, a 10 second prompt (MokManager) appears at the start of the boot process to confirm the certificate deletion. It is important to confirm the deletion at this stage. Failure to do so requires you to repeat the procedure.
    To interact with the prompt, a console connection is needed, either from the serial port or from the web console available via Remote Management.

  5. Login to Remote Management (https://<iDRAC-ip address>)

  6. Click on "Dashboard"→"Virtual Console" to open the virtual web console.

  7. Reboot the server (at boot startup, a 10 second prompt appears to confirm the certificate deletion).
    On the top menu: "Power" → "Reset System (warm boot)".

    The server now reboots.

  8. Once the startup procedure begins, a confirmation prompt appears to verify the certificate deletion. The prompt closes after 10 seconds; if it is missed, the certificate deletion procedure needs to be repeated.
    Once the prompt appears, press any key to interact.

  9. Navigate to "Delete MOK".


  10. View the certificate to be deleted. To verify, press "View key0".


    Press "Enter" to exit the view.

  11. Select "Continue" from the menu and press the Enter key.


  12. Select "Yes" from the menu and press the Enter key.


  13. When the password prompt appears, enter the OS root password (the --root-pw option used in step 4 ties the request to it).

  14. Select "Reboot" from the menu and press Enter. Upon reboot completion, the certificate is removed.

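Steps 2 to 4 above identify the key by reading mokutil output and grepping binary DER files by hand. As an added example that is not part of the UFM documentation or NVIDIA's tooling, the script below performs the same lookup mechanically: it parses the [key N] headers of mokutil --list-enrolled and reports which index carries the matching issuer (the same function answers the "is the NVIDIA certificate enrolled" check used after Secure Boot is enabled), exports the keys, selects the MOK-*.der file whose issuer, as parsed by openssl, matches, and refuses to guess when more than one file matches before queuing mokutil --delete. It assumes mokutil and openssl are on PATH; ISSUER_MATCH defaults to "Mellanox", and the file name remove_mok.sh and the "run" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the UFM Enterprise Appliance documentation:
# locate the enrolled NVIDIA certificate by issuer and queue it for deletion.
# Assumes mokutil and openssl are installed; ISSUER_MATCH follows the
# "Issuer: O=Mellanox Technologies" line the procedure above looks for.
set -u

ISSUER_MATCH="${ISSUER_MATCH:-Mellanox}"

# Reads `mokutil --list-enrolled` output on stdin and prints the [key N] index of
# every certificate whose Issuer line contains the pattern (case-insensitive).
# Returns 1 when nothing matches.
mok_key_for_issuer() {
    awk -v pat="$1" '
        /^\[key [0-9]+\]/ { key = $2; sub(/\]$/, "", key) }
        tolower($0) ~ /issuer:/ && tolower($0) ~ tolower(pat) { print key; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints every MOK-*.der file in a directory whose issuer (parsed by openssl, not
# grepped as a binary) contains the pattern. Returns 1 when none does.
find_export_by_issuer() {
    dir=$1; pat=$2; rc=1
    for f in "$dir"/MOK-*.der; do
        [ -f "$f" ] || continue
        if openssl x509 -inform der -in "$f" -noout -issuer 2>/dev/null | grep -qi "$pat"; then
            echo "$f"; rc=0
        fi
    done
    return $rc
}

# Export the enrolled keys to a scratch directory, pick the matching file and queue its deletion.
queue_delete() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    idx=$(mokutil --list-enrolled | mok_key_for_issuer "$ISSUER_MATCH") || { echo "no enrolled key matches $ISSUER_MATCH" >&2; return 1; }
    echo "matching enrolled key index(es): $idx"
    mokutil --export >/dev/null || return 1        # writes MOK-0001.der, MOK-0002.der, ...
    target=$(find_export_by_issuer "$work" "$ISSUER_MATCH") || { echo "no exported file matches $ISSUER_MATCH" >&2; return 1; }
    n=$(printf '%s\n' "$target" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "more than one match, refusing to guess: $target" >&2; return 1; }
    mokutil --delete "$target" --root-pw || return 1
    echo "queued for deletion:"; mokutil --list-delete
    echo "reboot and confirm 'Delete MOK' at the MokManager prompt"
}

# Only run when invoked as "sh remove_mok.sh run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then queue_delete; fi
```

Matching on the issuer parsed by openssl rather than on bytes inside the DER file avoids a false hit when the string happens to occur in some other field or in an unrelated certificate, and the single-match guard prevents deleting the wrong key on a system where several certificates share an organization name.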

© Copyright 2023, NVIDIA. Last updated on Dec 13, 2023.