1MOKUTIL(1)                  General Commands Manual                 MOKUTIL(1)

NAME

6       mokutil - utility to manipulate machine owner keys

SYNOPSIS

10       mokutil [--list-enrolled | -l]
11               ([--mokx | -X])
12       mokutil [--list-new | -N]
13               ([--mokx | -X])
14       mokutil [--list-delete | -D]
15               ([--mokx | -X])
16       mokutil [--import keylist | -i keylist]
17               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
18                [--simple-hash | -s] | [--mokx | -X])
19       mokutil [--delete keylist | -d keylist]
20               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
21                [--simple-hash | -s] | [--mokx | -X])
22       mokutil [--revoke-import]
23               ([--mokx | -X])
24       mokutil [--revoke-delete]
25               ([--mokx | -X])
26       mokutil [--export | -x]
27       mokutil [--password | -p]
28               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
29                [--simple-hash | -s])
30       mokutil [--clear-password | -c]
31               ([--simple-hash | -s])
32       mokutil [--disable-validation]
33       mokutil [--enable-validation]
34       mokutil [--sb-state]
35       mokutil [--test-key keyfile | -t keyfile]
36               ([--mokx | -X])
37       mokutil [--reset]
38               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
39                [--simple-hash | -s] | [--mokx | -X])
40       mokutil [--generate-hash=password | -gpassword]
41       mokutil [--ignore-db]
42       mokutil [--use-db]
43       mokutil [--import-hash hash]
44               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
45                [--simple-hash | -s] | [--mokx | -X])
46       mokutil [--delete-hash hash]
47               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
48                [--simple-hash | -s] | [--mokx | -X])
49       mokutil [--set-verbosity (true | false)]
50       mokutil [--pk]
51       mokutil [--kek]
52       mokutil [--db]
53       mokutil [--dbx]
54       mokutil [--sbat]

DESCRIPTION

58       mokutil is a tool to import or delete the machine owner keys (MOK)
59       stored in the database of shim.

OPTIONS

63       -l, --list-enrolled
64              List the keys already stored in the database
65
66       -N, --list-new
67              List the keys to be enrolled
68
69       -D, --list-delete
70              List the keys to be deleted
71
72       -i, --import
73              Collect the files that follow and form an enrollment request to
74              shim. The files must be in DER format.
75
76       -d, --delete
77              Collect the files that follow and form a deletion request to
78              shim. The files must be in DER format.
79
80       --revoke-import
81              Revoke the current import request (MokNew)
82
83       --revoke-delete
84              Revoke the current delete request (MokDel)
85
86       -x, --export
87              Export the keys stored in MokListRT
88
89       -p, --password
90              Set up the password for MokManager (MokPW)
91
92       -c, --clear-password
93              Clear the password for MokManager (MokPW)
94
95       --disable-validation
96              Disable the validation process in shim
97
98       --enable-validation
99              Enable the validation process in shim
100
101       --sb-state
102              Show SecureBoot State
103
104       -t, --test-key
105              Test if the key is enrolled or not
106
107       --reset
108              Reset MOK list
109
110       --generate-hash
111              Generate the password hash
112
113       --hash-file
114              Use the password hash from a specific file
115
116       -P, --root-pw
117              Use the root password hash from /etc/shadow
118
119       -s, --simple-hash
120              Use the old SHA256 password hash method to hash the password.
121              Note: --root-pw overrides --simple-hash
122
123       --ignore-db
124              Tell shim to not use the keys in db to verify EFI images
125
126       --use-db
127              Tell shim to use the keys in db to verify EFI images (default)
128
129       -X, --mokx
130              Manipulate the MOK blacklist (MOKX) instead of the MOK list
131
132       --import-hash
133              Create an enrollment request for the hash of a key in DER format.
134              Note that this is not the password hash.
135
136       --delete-hash
137              Create a deletion request for the hash of a key in DER format.
138              Note that this is not the password hash.
139
140       --set-verbosity
141              Set the SHIM_VERBOSE to make shim more or less verbose
142
143       --pk   List the keys in the public Platform Key (PK)
144
145       --kek  List the keys in the Key Exchange Key Signature database (KEK)
146
147       --db   List the keys in the secure boot signature store (db)
148
149       --dbx  List the keys in the secure boot blacklist signature store (dbx)
150
151       --sbat List the entries in the Secure  Boot  Advanced  Targeting  store
152              (SBAT)