Sponsor:

Your company here — click to reach over 10,000 unique daily visitors

mokutil - Man Page

utility to manipulate machine owner keys

Examples (TL;DR)

Synopsis

mokutil [--list-enrolled | -l]
       ([--mokx | -X])
mokutil [--list-new | -N]
       ([--mokx | -X])
mokutil [--list-delete | -D]
       ([--mokx | -X])
mokutil [--import keylist| -i keylist]
       ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
        [--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--delete keylist | -d keylist]
       ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
        [--mokx |- X])
mokutil [--revoke-import]
       ([--mokx | -X])
mokutil [--revoke-delete]
       ([--mokx | -X])
mokutil [--export | -x]
mokutil [--password | -p]
       ([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
mokutil [--clear-password | -c]
mokutil [--disable-validation]
mokutil [--enable-validation]
mokutil [--sb-state]
mokutil [--test-key keyfile | -t keyfile]
       ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--reset]
       ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
        [--mok | -X])
mokutil [--generate-hash=password | -gpassword]
mokutil [--ignore-db]
mokutil [--use-db]
mokutil [--import-hash hash]
       ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
        [--mokx | -X])
mokutil [--delete-hash hash]
       ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
        [--mokx | -X])
mokutil [--set-verbosity (true | false)]
mokutil [--set-fallback-verbosity (true | false)]
mokutil [--set-fallback-noreboot (true | false)]
mokutil [--pk]
mokutil [--kek]
mokutil [--db]
mokutil [--dbx]
mokutil [--list-sbat-revocations]
mokutil [--set-sbat-policy (latest | automatic | delete)]
mokutil [--timeout -1,0..0x7fff]
mokutil [--trust-mok]
mokutil [--untrust-mok]

Description

mokutil is a tool to import or delete the machines owner keys (MOK) stored in the database of shim.

Options

-l,  --list-enrolled

List the keys the already stored in the database

-N,  --list-new

List the keys to be enrolled

-D,  --list-delete

List the keys to be deleted

-i,  --import

Collect the following files and form an enrolling request to shim. The files must be in DER format.

-d,  --delete

Collect the following files and form a deleting request to shim. The files must be in DER format.

--revoke-import

Revoke the current import request (MokNew)

--revoke-delete

Revoke the current delete request (MokDel)

-x,  --export

Export the keys stored in MokListRT

-p,  --password

Setup the password for MokManager (MokPW)

-c,  --clear-password

Clear the password for MokManager (MokPW)

--disable-validation

Disable the validation process in shim

--enable-validation

Enable the validation process in shim

--sb-state

Show SecureBoot State

-t,  --test-key

Test if the key is enrolled or not

--reset

Reset MOK list

--generate-hash

Generate the password hash

--hash-file

Use the password hash from a specific file

-P,  --root-pw

Use the root password hash from /etc/shadow

--ignore-db

Tell shim to not use the keys in db to verify EFI images

--use-db

Tell shim to use the keys in db to verify EFI images (default)

-X,  --mokx

Manipulate the MOK blacklist (MOKX) instead of the MOK list

--import-hash

Create an enrolling request for the hash of a key in DER format. Note that this is not the password hash.

--delete-hash

Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.

--set-verbosity

Set the SHIM_VERBOSE to make shim more or less verbose

--set-fallback-verbosity

Set the FALLBACK_VERBOSE to make fallback more or less verbose

--set-fallback-noreboot

Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system

--pk

List the keys in the public Platform Key (PK)

--kek

List the keys in the Key Exchange Key Signature database (KEK)

--db

List the keys in the secure boot signature store (db)

--dbx

List the keys in the secure boot blacklist signature store (dbx)

--list-sbat-revocations

List the entries in the Secure Boot Advanced Targeting store (SBAT)

--set-sbat-policy (latest | automatic)

Set the SbatPolicy UEFI Variable to have shim apply either the latest or the automatic SBAT revocations.  If UEFI Secure Boot is disabled, then shim will automatically delete SBAT revocations

--set-ssp-policy (latest | automatic | delete)

Set the SspPolicy UEFI Variable to have shim apply either the latest or the automatic Windows SkuSiPolicy to manage bootmgr revocations. Since these are non-native revocations, shim will not automatically delete them. If this is needed, spp-policy can be set to delete when Secure Boot is disabled. The delete policy is non-persistent.

--timeout

Set the timeout for MOK prompt

--ca-check

Check if the CA of the given key is already enrolled or blocked in the key databases.

--ignore-keyring

Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList

--trust-mok

Trust MOK keys within the kernel keyring

--untrust-mok

Do not trust MOK keys within the kernel keyring

Info

Thu Jul 25 2013