1 MOKUTIL(1) General Commands Manual MOKUTIL(1)
2
3
4
6 mokutil - utility to manipulate machine owner keys
7
8
10 mokutil [--list-enrolled | -l]
11 ([--mokx | -X])
12 mokutil [--list-new | -N]
13 ([--mokx | -X])
14 mokutil [--list-delete | -D]
15 ([--mokx | -X])
16 mokutil [--import keylist| -i keylist]
17 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
18 [--mokx | -X] | [--ca-check] | [--ignore-keyring])
19 mokutil [--delete keylist | -d keylist]
20 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
21 [--mokx | -X])
22 mokutil [--revoke-import]
23 ([--mokx | -X])
24 mokutil [--revoke-delete]
25 ([--mokx | -X])
26 mokutil [--export | -x]
27 mokutil [--password | -p]
28 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
29 mokutil [--clear-password | -c]
30 mokutil [--disable-validation]
31 mokutil [--enable-validation]
32 mokutil [--sb-state]
33 mokutil [--test-key keyfile | -t keyfile]
34 ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
35 mokutil [--reset]
36 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
37 [--mokx | -X])
38 mokutil [--generate-hash=password | -gpassword]
39 mokutil [--ignore-db]
40 mokutil [--use-db]
41 mokutil [--import-hash hash]
42 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
43 [--mokx | -X])
44 mokutil [--delete-hash hash]
45 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
46 [--mokx | -X])
47 mokutil [--set-verbosity (true | false)]
48 mokutil [--pk]
49 mokutil [--kek]
50 mokutil [--db]
51 mokutil [--dbx]
52 mokutil [--sbat]
53 mokutil [--timeout -1,0..0x7fff]
54
55
57 mokutil is a tool to import or delete the machine owner keys (MOK)
58 stored in the database of shim.
59
60
62 -l, --list-enrolled
63 List the keys already stored in the database
64
65 -N, --list-new
66 List the keys to be enrolled
67
68 -D, --list-delete
69 List the keys to be deleted
70
71 -i, --import
72 Collect the following files and form an enrolling request to
73 shim. The files must be in DER format.
74
75 -d, --delete
76 Collect the following files and form a deleting request to shim.
77 The files must be in DER format.
78
79 --revoke-import
80 Revoke the current import request (MokNew)
81
82 --revoke-delete
83 Revoke the current delete request (MokDel)
84
85 -x, --export
86 Export the keys stored in MokListRT
87
88 -p, --password
89 Set up the password for MokManager (MokPW)
90
91 -c, --clear-password
92 Clear the password for MokManager (MokPW)
93
94 --disable-validation
95 Disable the validation process in shim
96
97 --enable-validation
98 Enable the validation process in shim
99
100 --sb-state
101 Show SecureBoot State
102
103 -t, --test-key
104 Test if the key is enrolled or not
105
106 --reset
107 Reset MOK list
108
109 --generate-hash
110 Generate the password hash
111
112 --hash-file
113 Use the password hash from a specific file
114
115 -P, --root-pw
116 Use the root password hash from /etc/shadow
117
118 --ignore-db
119 Tell shim to not use the keys in db to verify EFI images
120
121 --use-db
122 Tell shim to use the keys in db to verify EFI images (default)
123
124 -X, --mokx
125 Manipulate the MOK blacklist (MOKX) instead of the MOK list
126
127 --import-hash
128 Create an enrolling request for the hash of a key in DER format.
129 Note that this is not the password hash.
130
131 --delete-hash
132 Create a deleting request for the hash of a key in DER format.
133 Note that this is not the password hash.
134
135 --set-verbosity
136 Set SHIM_VERBOSE to make shim more or less verbose
137
138 --pk List the keys in the public Platform Key (PK)
139
140 --kek List the keys in the Key Exchange Key Signature database (KEK)
141
142 --db List the keys in the secure boot signature store (db)
143
144 --dbx List the keys in the secure boot blacklist signature store (dbx)
145
146 --sbat List the entries in the Secure Boot Advanced Targeting store
147 (SBAT)
148
149 --timeout
150 Set the timeout for MOK prompt
151
152 --ca-check
153 Check if the CA of the given key is already enrolled or blocked
154 in the key databases.
155
156 --ignore-keyring
157 Ignore the kernel builtin trusted keys keyring check when
158 enrolling a key into MokList
159