NVIDIA UFM Enterprise Appliance Software User Manual

Appendix - Secure Boot Activation and Deactivation



This section provides instructions on how to enable/disable the Secure Boot feature in UFM Enterprise Appliance. 

Enabling Secure Boot

The NVIDIA public certificate needs to be imported into the Machine Owner Key DB (MOK DB) before Secure Boot is enabled. To do so, follow the steps below:

Add NVIDIA Certificate to MOK DB

  1. Download the NVIDIA certificate mlnx_signing_key_pub.der to a temporary folder.
    Checksums:
    MD5: c3ce3dcad0f38b02a9cbb991ce1bc7f4
    SHA256: ff7fe8c650e936079a8add2900b190f9e7f3806e5ad42e48c2b88408a6ce70aa

    Bash
    cd /tmp
    wget http://www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der
    ls -ltrh ./mlnx_signing_key_pub.der
    


  2. Import mlnx_signing_key_pub.der into the MOK DB using mokutil:

    Bash
    cd /tmp
    mokutil --import ./mlnx_signing_key_pub.der --root-pw
    

    The certificate is in the enrolled queue at this point. Upon the next server reboot, a 10-second prompt appears at the start of the boot process to confirm the certificate addition. It is important to confirm the certificate addition at this stage; failure to do so requires you to repeat the procedure.
    To be able to interact with the prompt, a console connection is needed, either from the serial port or from the web console available via Remote Management.


    Verify the certificate in the enrolled queue:

    Bash
    mokutil --list-new
    


  3. Log in to Remote Management via https://<iDRAC-ip address>

  4. To open the virtual web console, click "Dashboard" → "Virtual Console".

  5. Power cycle the server (at boot startup, a 10-second prompt appears to verify the certificate addition).
    On the top menu, go to "Power" → "Reset System (warm boot)".
    The server will now reboot.

  6. At boot startup, a confirmation prompt appears to verify the certificate addition. The prompt closes after 10 seconds, so if it is missed, the certificate addition procedure needs to be done again.
    When the prompt appears, press any key to interact.

  7. Navigate to "Delete MOK".

  8. View the certificate to be enrolled. To verify, press "View key0".
    Press "Enter" to exit the view.

  9. Select "Continue" from the menu and press Enter.

  10. Select "Yes" from the menu and press Enter.

  11. A password prompt appears; enter the OS root user credentials.

  12. Select "Reboot" and press Enter. After the reboot is completed, the certificate is enrolled.

Enable Secure Boot

  1. Log in to Remote Management via https://<iDRAC-ip address>

  2. Navigate to "Configuration" → "BIOS Settings" → "System Security" and press the drop-down menu (arrow).

  3. Scroll down to "Secure Boot" and select "Enabled" from the drop-down menu. Click the "Apply" button.

  4. Scroll to the bottom of the page and click the "Apply And Reboot" button; this reboots the server and applies the configuration.

  5. An information popup appears. Click the "Job Queue" button (it can also be reached from "Maintenance" → "Job Queue").

  6. Wait for the jobs to finish and reach 100%.

  7. Validate that Secure Boot is enabled and active (from the terminal):

    Bash
    mokutil --sb-state
    


    Bash
    mokutil --list-enrolled | grep -i mellanox
    


Disable Secure Boot

Disabling secure boot is not recommended and may cause security issues. 


Secure Boot needs to be disabled prior to removing the NVIDIA public certificate.

The removal of the certificate is optional and can be skipped if secure boot should be re-enabled at some point in the future.

Disable Secure Boot in the BIOS

  1. Log in to Remote Management (https://<iDRAC-ip address>).

  2. Navigate to "Configuration" → "BIOS Settings" → "System Security" and press the drop-down menu (arrow).

  3. Scroll down to "Secure Boot", select "Disabled" from the drop-down menu, and click the "Apply" button.

  4. Scroll to the bottom of the page and click the "Apply And Reboot" button; this reboots the server and applies the configuration.

  5. An information popup appears. Click the "Job Queue" button (it can also be reached from "Maintenance" → "Job Queue").

  6. Wait for the jobs to complete (reach 100%).

  7. Validate that Secure Boot is disabled (from the terminal):

    Bash
    mokutil --sb-state
    


Remove the NVIDIA Certificate from MOK DB

Perform this step if you want to entirely remove NVIDIA's certificate from MOK DB. This step is optional and is not required to disable secure boot. Skip this if you wish to enable secure boot at a later time.

  1. Login as root to the UFM server.

  2. Check current enrolled certificates.

    Bash
    mokutil --list-enrolled 
    

    Search for "Issuer: O=Mellanox Technologies.." and note the key ID above the start of this certificate:

  3. Download the mlnx_signing_key_pub.der to a temporary folder (the DER certificate file must be present to be deleted). If the certificate is not available, it can be exported.

    Bash
    cd /tmp
    wget http://www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der
    

    Or export the currently enrolled keys (all the keys are named MOK-000X.der) and search them for the NVIDIA certificate:

    Bash
    cd /tmp
    mokutil --export 
    grep "Mellanox" MOK-0*
    

    Validate the certificate:

    Bash
    openssl x509 -inform der -in MOK-0002.der -noout -issuer
    



  4. Remove the certificate from the MOK DB. The example below uses MOK-0002.der; the file name on your system may differ.

    Bash
    mokutil --delete ./MOK-0002.der --root-pw
    

    The pending deletion can be validated by running:

    Bash
    mokutil --list-delete
    


    The certificate is in the deletion queue at this point. Upon the next server reboot, a 10-second prompt appears at the start of the boot process to confirm the certificate deletion. It is important to confirm the certificate deletion at this stage; failure to do so requires you to repeat the procedure.
    To be able to interact with the prompt, a console connection is needed, either from the serial port or from the web console available via Remote Management.

  5. Log in to Remote Management (https://<iDRAC-ip address>).

  6. Click "Dashboard" → "Virtual Console" to open the virtual web console.

  7. Power cycle the server (at boot startup, a 10-second prompt appears to verify the certificate deletion).
    On the top menu: "Power" → "Reset System (warm boot)".
    The server now reboots.

  8. Once the startup procedure begins, a confirmation prompt appears to verify the certificate deletion. The prompt closes after 10 seconds; if it is missed, the certificate deletion procedure needs to be repeated.
    Once the prompt appears, press any key to interact.

  9. Navigate to "Delete MOK".

  10. View the certificate to be deleted. To verify, press "View key0".
    Press "Enter" to exit the view.

  11. Select "Continue" from the menu and press the Enter key.

  12. Select "Yes" from the menu and press the Enter key.

  13. Once a password prompt appears, enter the OS root user credentials.

  14. Select "Reboot" from the menu and press Enter. Upon reboot completion, the certificate is removed.
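The helper script below is an added example, not part of the NVIDIA manual. It checks the downloaded DER file against the SHA256 listed in step 1 of "Add NVIDIA Certificate to MOK DB" before anything is handed to mokutil --import, interprets the mokutil --sb-state output used in the validation steps of both procedures, and locates the Mellanox-issued file among the MOK-000X.der files written by mokutil --export in step 3 of the removal procedure. It assumes sha256sum (or shasum), mokutil and openssl are on PATH; the function names and the default /tmp path are this example's own.

```shell
# Added example (not from the NVIDIA manual). Helpers for the MOK procedures
# above. Assumes sha256sum or shasum, mokutil and openssl on PATH;
# EXPECTED_SHA256 is the digest the manual lists for mlnx_signing_key_pub.der.
set -u
EXPECTED_SHA256="ff7fe8c650e936079a8add2900b190f9e7f3806e5ad42e48c2b88408a6ce70aa"

# Print the hex sha256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Succeed only if the file matches the expected digest, so a tampered or
# truncated download is never handed to mokutil --import.
verify_cert_checksum() {
    [ "$(sha256_of "$1")" = "${2:-$EXPECTED_SHA256}" ]
}

# Map the text printed by mokutil --sb-state to enabled / disabled / unknown
# ("unknown" covers e.g. "EFI variables are not supported on this system").
parse_sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Does an openssl issuer line (or a mokutil "Issuer:" line) name Mellanox?
is_mellanox_issuer() {
    case "$1" in *[Mm]ellanox*) return 0 ;; *) return 1 ;; esac
}

# Among the MOK-000X.der files written by mokutil --export in a directory,
# print the one issued by Mellanox, i.e. the file to pass to mokutil --delete.
find_mellanox_mok() {
    for f in "${1:-.}"/MOK-0*.der; do
        [ -e "$f" ] || continue
        issuer=$(openssl x509 -inform der -in "$f" -noout -issuer 2>/dev/null) || continue
        if is_mellanox_issuer "$issuer"; then echo "$f"; return 0; fi
    done
    return 1
}

# Pre-flight for step 1 of "Add NVIDIA Certificate to MOK DB": refuse to
# import a file whose digest differs, then report the current Secure Boot state.
enroll_preflight() {
    verify_cert_checksum "${1:-/tmp/mlnx_signing_key_pub.der}" || { echo "checksum mismatch: do not import" >&2; return 1; }
    echo "checksum OK; Secure Boot is $(parse_sb_state "$(mokutil --sb-state 2>&1)")"
}
```

Run enroll_preflight after the wget in step 1 and find_mellanox_mok /tmp after mokutil --export in the removal procedure; both return non-zero when the expected certificate is not found.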
