1MOKUTIL(1)                  General Commands Manual                 MOKUTIL(1)

NAME

6       mokutil - utility to manipulate machine owner keys

SYNOPSIS

10       mokutil [--list-enrolled | -l]
11               ([--mokx | -X])
12       mokutil [--list-new | -N]
13               ([--mokx | -X])
14       mokutil [--list-delete | -D]
15               ([--mokx | -X])
16       mokutil [--import keylist | -i keylist]
17               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
18                [--mokx | -X] | [--ca-check] | [--ignore-keyring])
19       mokutil [--delete keylist | -d keylist]
20               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
21                [--mokx | -X])
22       mokutil [--revoke-import]
23               ([--mokx | -X])
24       mokutil [--revoke-delete]
25               ([--mokx | -X])
26       mokutil [--export | -x]
27       mokutil [--password | -p]
28               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
29       mokutil [--clear-password | -c]
30       mokutil [--disable-validation]
31       mokutil [--enable-validation]
32       mokutil [--sb-state]
33       mokutil [--test-key keyfile | -t keyfile]
34               ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
35       mokutil [--reset]
36               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
37                [--mokx | -X])
38       mokutil [--generate-hash=password | -gpassword]
39       mokutil [--ignore-db]
40       mokutil [--use-db]
41       mokutil [--import-hash hash]
42               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
43                [--mokx | -X])
44       mokutil [--delete-hash hash]
45               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
46                [--mokx | -X])
47       mokutil [--set-verbosity (true | false)]
48       mokutil [--set-fallback-verbosity (true | false)]
49       mokutil [--set-fallback-noreboot (true | false)]
50       mokutil [--pk]
51       mokutil [--kek]
52       mokutil [--db]
53       mokutil [--dbx]
54       mokutil [--list-sbat-revocations]
55       mokutil [--set-sbat-policy (latest | previous | delete)]
56       mokutil [--timeout -1,0..0x7fff]

DESCRIPTION

60       mokutil  is  a  tool  to import or delete the machine owner keys (MOK)
61       stored in the database of shim.

OPTIONS

65       -l, --list-enrolled
66              List the keys already stored in the database
67
68       -N, --list-new
69              List the keys to be enrolled
70
71       -D, --list-delete
72              List the keys to be deleted
73
74       -i, --import
75              Collect the following files and form  an  enrolling  request  to
76              shim. The files must be in DER format.
77
78       -d, --delete
79              Collect the following files and form a deleting request to shim.
80              The files must be in DER format.
81
82       --revoke-import
83              Revoke the current import request (MokNew)
84
85       --revoke-delete
86              Revoke the current delete request (MokDel)
87
88       -x, --export
89              Export the keys stored in MokListRT
90
91       -p, --password
92              Setup the password for MokManager (MokPW)
93
94       -c, --clear-password
95              Clear the password for MokManager (MokPW)
96
97       --disable-validation
98              Disable the validation process in shim
99
100       --enable-validation
101              Enable the validation process in shim
102
103       --sb-state
104              Show SecureBoot State
105
106       -t, --test-key
107              Test if the key is enrolled or not
108
109       --reset
110              Reset MOK list
111
112       --generate-hash
113              Generate the password hash
114
115       --hash-file
116              Use the password hash from a specific file
117
118       -P, --root-pw
119              Use the root password hash from /etc/shadow
120
121       --ignore-db
122              Tell shim to not use the keys in db to verify EFI images
123
124       --use-db
125              Tell shim to use the keys in db to verify EFI images (default)
126
127       -X, --mokx
128              Manipulate the MOK blacklist (MOKX) instead of the MOK list
129
130       --import-hash
131              Create an enrolling request for the hash of a key in DER format.
132              Note that this is not the password hash.
133
134       --delete-hash
135              Create  a  deleting request for the hash of a key in DER format.
136              Note that this is not the password hash.
137
138       --set-verbosity
139              Set the SHIM_VERBOSE to make shim more or less verbose
140
141       --set-fallback-verbosity
142              Set the FALLBACK_VERBOSE to make fallback more or less verbose
143
144       --set-fallback-noreboot
145              Set the FB_NO_REBOOT to prevent fallback from automatically  re‐
146              booting the system
147
148       --pk   List the keys in the public Platform Key (PK)
149
150       --kek  List the keys in the Key Exchange Key Signature database (KEK)
151
152       --db   List the keys in the secure boot signature store (db)
153
154       --dbx  List the keys in the secure boot blacklist signature store (dbx)
155
156       --list-sbat-revocations
157              List  the  entries  in  the Secure Boot Advanced Targeting store
158              (SBAT)
159
160       --set-sbat-policy (latest | previous | delete)
161              Set the SbatPolicy UEFI Variable to have shim apply  either  the
162              latest or the previous SBAT revocations.  If UEFI Secure Boot is
163              disabled, then delete will reset  the  SBAT  revocations  to  an
164              empty revocation list.  While latest and previous are persistent
165              configuration, delete will be cleared by shim on the  next  boot
166              whether  or not it succeeds. The default behavior is for shim to
167              apply the previous revocations.
168
169       --timeout
170              Set the timeout for MOK prompt
171
172       --ca-check
173              Check if the CA of the given key is already enrolled or  blocked
174              in the key databases.
175
176       --ignore-keyring
177              Ignore  the  kernel  builtin trusted keys keyring check when en‐
178              rolling a key into MokList
179