diff --git a/lib/libsecureboot/h/libsecureboot.h b/lib/libsecureboot/h/libsecureboot.h
index d0ec327b866a..6599db299aef 100644
--- a/lib/libsecureboot/h/libsecureboot.h
+++ b/lib/libsecureboot/h/libsecureboot.h
@@ -86,6 +86,7 @@ ssize_t ve_pcr_get(unsigned char *, size_t);
 #define VEF_VERBOSE		1
 
 #define VE_FINGERPRINT_OK	1
+#define VE_FINGERPRINT_IGNORE	2
 /* errors from verify_fd */
 #define VE_FINGERPRINT_NONE	-2
 #define VE_FINGERPRINT_WRONG	-3
diff --git a/lib/libsecureboot/vectx.c b/lib/libsecureboot/vectx.c
index 879cecac188d..97a8d97efb88 100644
--- a/lib/libsecureboot/vectx.c
+++ b/lib/libsecureboot/vectx.c
@@ -120,7 +120,10 @@ vectx_open(int fd, const char *path, off_t off, struct stat *stp, int *error)
 		ctx->vec_status = VE_FINGERPRINT_NONE;
 		ve_error_set("%s: no entry", path);
 	} else {
-		if (strncmp(cp, "sha256=", 7) == 0) {
+		if (strncmp(cp, "no_hash", 7) == 0) {
+			ctx->vec_status = VE_FINGERPRINT_IGNORE;
+			hashsz = 0;
+		} else if (strncmp(cp, "sha256=", 7) == 0) {
 			ctx->vec_md = &br_sha256_vtable;
 			hashsz = br_sha256_SIZE;
 			cp += 7;
@@ -150,11 +153,13 @@ vectx_open(int fd, const char *path, off_t off, struct stat *stp, int *error)
 	*error = ctx->vec_status;
 	ctx->vec_hashsz = hashsz;
 	ctx->vec_want = cp;
-	ctx->vec_md->init(&ctx->vec_ctx.vtable);
+	if (hashsz > 0) {
+		ctx->vec_md->init(&ctx->vec_ctx.vtable);
 
-	if (hashsz > 0 && off > 0) {
-		lseek(fd, 0, SEEK_SET);
-		vectx_lseek(ctx, off, SEEK_SET);
+		if (off > 0) {
+			lseek(fd, 0, SEEK_SET);
+			vectx_lseek(ctx, off, SEEK_SET);
+		}
 	}
 	return (ctx);
 
diff --git a/lib/libsecureboot/veopen.c b/lib/libsecureboot/veopen.c
index b9da7e4479d8..6ecf85c44af1 100644
--- a/lib/libsecureboot/veopen.c
+++ b/lib/libsecureboot/veopen.c
@@ -345,7 +345,9 @@ verify_fingerprint(int fd, const char *path, const char *cp, off_t off)
 	size_t hlen;
 	int n;
 
-	if (strncmp(cp, "sha256=", 7) == 0) {
+	if (strncmp(cp, "no_hash", 7) == 0) {
+		return (VE_FINGERPRINT_IGNORE);
+	} else if (strncmp(cp, "sha256=", 7) == 0) {
 		md = &br_sha256_vtable;
 		hlen = br_sha256_SIZE;
 		cp += 7;
@@ -423,6 +425,7 @@ verify_fd(int fd, const char *path, off_t off, struct stat *stp)
 	rc = verify_fingerprint(fd, path, cp, off);
 	switch (rc) {
 	case VE_FINGERPRINT_OK:
+	case VE_FINGERPRINT_IGNORE:
 	case VE_FINGERPRINT_UNKNOWN:
 		return (rc);
 	default:
diff --git a/lib/libsecureboot/verify_file.c b/lib/libsecureboot/verify_file.c
index 369c0bb8eb37..00822aa480d5 100644
--- a/lib/libsecureboot/verify_file.c
+++ b/lib/libsecureboot/verify_file.c
@@ -343,10 +343,14 @@ verify_file(int fd, const char *filename, off_t off, int severity)
 		if ((rc = verify_fd(fd, filename, off, &st)) >= 0) {
 			if (verbose || severity > VE_WANT) {
 #if defined(VE_DEBUG_LEVEL) && VE_DEBUG_LEVEL > 0
-				printf("Verified %s %llu,%llu\n", filename,
+				printf("%serified %s %llu,%llu\n",
+				    (rc == VE_FINGERPRINT_IGNORE) ? "Unv" : "V",
+				    filename,
 				    (long long)st.st_dev, (long long)st.st_ino);
 #else
-				printf("Verified %s\n", filename);
+				printf("%serified %s\n",
+				    (rc == VE_FINGERPRINT_IGNORE) ? "Unv" : "V",
+				    filename);
 #endif
 			}
 			if (severity < VE_MUST) { /* not a kernel or module */