mokutil - Man Page
utility to manipulate machine owner keys
Examples (TL;DR)
- Show if Secure Boot is enabled:
mokutil --sb-state - Enable Secure Boot:
mokutil --enable-validation - Disable Secure Boot:
mokutil --disable-validation - List enrolled keys:
mokutil --list-enrolled - Enroll a new key:
mokutil --import path/to/key.der - List the keys to be enrolled:
mokutil --list-new - Set shim verbosity:
mokutil --set-verbosity true
Synopsis
mokutil [--list-enrolled | -l]
([--mokx | -X])
mokutil [--list-new | -N]
([--mokx | -X])
mokutil [--list-delete | -D]
([--mokx | -X])
mokutil [--import keylist| -i keylist]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--delete keylist | -d keylist]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx |- X])
mokutil [--revoke-import]
([--mokx | -X])
mokutil [--revoke-delete]
([--mokx | -X])
mokutil [--export | -x]
mokutil [--password | -p]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
mokutil [--clear-password | -c]
mokutil [--disable-validation]
mokutil [--enable-validation]
mokutil [--sb-state]
mokutil [--test-key keyfile | -t keyfile]
([--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--reset]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mok | -X])
mokutil [--generate-hash=password | -gpassword]
mokutil [--ignore-db]
mokutil [--use-db]
mokutil [--import-hash hash]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X])
mokutil [--delete-hash hash]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X])
mokutil [--set-verbosity (true | false)]
mokutil [--set-fallback-verbosity (true | false)]
mokutil [--set-fallback-noreboot (true | false)]
mokutil [--pk]
mokutil [--kek]
mokutil [--db]
mokutil [--dbx]
mokutil [--list-sbat-revocations]
mokutil [--set-sbat-policy (latest | previous | delete)]
mokutil [--timeout -1,0..0x7fff]
Description
mokutil is a tool to import or delete the machines owner keys (MOK) stored in the database of shim.
Options
- -l, --list-enrolled
List the keys the already stored in the database
- -N, --list-new
List the keys to be enrolled
- -D, --list-delete
List the keys to be deleted
- -i, --import
Collect the following files and form an enrolling request to shim. The files must be in DER format.
- -d, --delete
Collect the following files and form a deleting request to shim. The files must be in DER format.
- --revoke-import
Revoke the current import request (MokNew)
- --revoke-delete
Revoke the current delete request (MokDel)
- -x, --export
Export the keys stored in MokListRT
- -p, --password
Setup the password for MokManager (MokPW)
- -c, --clear-password
Clear the password for MokManager (MokPW)
- --disable-validation
Disable the validation process in shim
- --enable-validation
Enable the validation process in shim
- --sb-state
Show SecureBoot State
- -t, --test-key
Test if the key is enrolled or not
- --reset
Reset MOK list
- --generate-hash
Generate the password hash
- --hash-file
Use the password hash from a specific file
- -P, --root-pw
Use the root password hash from /etc/shadow
- --ignore-db
Tell shim to not use the keys in db to verify EFI images
- --use-db
Tell shim to use the keys in db to verify EFI images (default)
- -X, --mokx
Manipulate the MOK blacklist (MOKX) instead of the MOK list
- --import-hash
Create an enrolling request for the hash of a key in DER format. Note that this is not the password hash.
- --delete-hash
Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.
- --set-verbosity
Set the SHIM_VERBOSE to make shim more or less verbose
- --set-fallback-verbosity
Set the FALLBACK_VERBOSE to make fallback more or less verbose
- --set-fallback-noreboot
Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
- --pk
List the keys in the public Platform Key (PK)
- --kek
List the keys in the Key Exchange Key Signature database (KEK)
- --db
List the keys in the secure boot signature store (db)
- --dbx
List the keys in the secure boot blacklist signature store (dbx)
- --list-sbat-revocations
List the entries in the Secure Boot Advanced Targeting store (SBAT)
- --set-sbat-policy (latest | previous | delete)
Set the SbatPolicy UEFI Variable to have shim apply either the latest or the previous SBAT revocations. If UEFI Secure Boot is disabled, then delete will reset the SBAT revocations to an empty revocation list. While latest and previous are persistent configuration, delete will be cleared by shim on the next boot whether or not it succeeds. The default behavior is for shim to apply the previous revocations.
- --timeout
Set the timeout for MOK prompt
- --ca-check
Check if the CA of the given key is already enrolled or blocked in the key databases.
- --ignore-keyring
Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList