1 MOKUTIL(1) General Commands Manual MOKUTIL(1)
2
3
4
6 mokutil - utility to manipulate machine owner keys
7
8
10 mokutil [--list-enrolled | -l]
11 ([--mokx | -X])
12 mokutil [--list-new | -N]
13 ([--mokx | -X])
14 mokutil [--list-delete | -D]
15 ([--mokx | -X])
16 mokutil [--import keylist| -i keylist]
17 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
18 [--mokx | -X] | [--ca-check] | [--ignore-keyring])
19 mokutil [--delete keylist | -d keylist]
20 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
21 [--mokx | -X])
22 mokutil [--revoke-import]
23 ([--mokx | -X])
24 mokutil [--revoke-delete]
25 ([--mokx | -X])
26 mokutil [--export | -x]
27 mokutil [--password | -p]
28 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
29 mokutil [--clear-password | -c]
30 mokutil [--disable-validation]
31 mokutil [--enable-validation]
32 mokutil [--sb-state]
33 mokutil [--test-key keyfile | -t keyfile]
34 ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
35 mokutil [--reset]
36 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
37 [--mokx | -X])
38 mokutil [--generate-hash=password | -gpassword]
39 mokutil [--ignore-db]
40 mokutil [--use-db]
41 mokutil [--import-hash hash]
42 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
43 [--mokx | -X])
44 mokutil [--delete-hash hash]
45 ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
46 [--mokx | -X])
47 mokutil [--set-verbosity (true | false)]
48 mokutil [--set-fallback-verbosity (true | false)]
49 mokutil [--set-fallback-noreboot (true | false)]
50 mokutil [--pk]
51 mokutil [--kek]
52 mokutil [--db]
53 mokutil [--dbx]
54 mokutil [--list-sbat-revocations]
55 mokutil [--set-sbat-policy (latest | previous | delete)]
56 mokutil [--timeout -1,0..0x7fff]
57
58
60 mokutil is a tool to import or delete the machine owner keys (MOK)
61 stored in the database of shim.
62
63
65 -l, --list-enrolled
66 List the keys already stored in the database
67
68 -N, --list-new
69 List the keys to be enrolled
70
71 -D, --list-delete
72 List the keys to be deleted
73
74 -i, --import
75 Collect the following files and form an enrolling request to
76 shim. The files must be in DER format.
77
78 -d, --delete
79 Collect the following files and form a deleting request to shim.
80 The files must be in DER format.
81
82 --revoke-import
83 Revoke the current import request (MokNew)
84
85 --revoke-delete
86 Revoke the current delete request (MokDel)
87
88 -x, --export
89 Export the keys stored in MokListRT
90
91 -p, --password
92 Set up the password for MokManager (MokPW)
93
94 -c, --clear-password
95 Clear the password for MokManager (MokPW)
96
97 --disable-validation
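98 Disable the validation process in shim. With validation disabled, shim does not verify the signatures of the images it loads, so the boot chain after shim is no longer protected by Secure Boot.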
99
100 --enable-validation
101 Enable the validation process in shim
102
103 --sb-state
104 Show SecureBoot State
105
106 -t, --test-key
107 Test if the key is enrolled or not
108
109 --reset
110 Reset MOK list
111
112 --generate-hash
113 Generate the password hash. A password given on the command line can be exposed through shell history and the process list.
114
115 --hash-file
116 Use the password hash from a specific file
117
118 -P, --root-pw
119 Use the root password hash from /etc/shadow
120
121 --ignore-db
122 Tell shim to not use the keys in db to verify EFI images
123
124 --use-db
125 Tell shim to use the keys in db to verify EFI images (default)
126
127 -X, --mokx
128 Manipulate the MOK blacklist (MOKX) instead of the MOK list
129
130 --import-hash
131 Create an enrolling request for the hash of a key in DER format.
132 Note that this is not the password hash.
133
134 --delete-hash
135 Create a deleting request for the hash of a key in DER format.
136 Note that this is not the password hash.
137
138 --set-verbosity
139 Set the SHIM_VERBOSE to make shim more or less verbose
140
141 --set-fallback-verbosity
142 Set the FALLBACK_VERBOSE to make fallback more or less verbose
143
144 --set-fallback-noreboot
145 Set the FB_NO_REBOOT to prevent fallback from automatically
146 rebooting the system
147
148 --pk List the keys in the public Platform Key (PK)
149
150 --kek List the keys in the Key Exchange Key Signature database (KEK)
151
152 --db List the keys in the secure boot signature store (db)
153
154 --dbx List the keys in the secure boot blacklist signature store (dbx)
155
156 --list-sbat-revocations
157 List the entries in the Secure Boot Advanced Targeting store
158 (SBAT)
159
160 --set-sbat-policy (latest | previous | delete)
161 Set the SbatPolicy UEFI Variable to have shim apply either the
162 latest or the previous SBAT revocations. If UEFI Secure Boot is
163 disabled, then delete will reset the SBAT revocations to an
164 empty revocation list. While latest and previous are persistent
165 configuration, delete will be cleared by shim on the next boot
166 whether or not it succeeds. The default behavior is for shim to
167 apply the previous revocations.
168
169 --timeout
170 Set the timeout for MOK prompt
171
172 --ca-check
173 Check if the CA of the given key is already enrolled or blocked
174 in the key databases.
175
176 --ignore-keyring
177 Ignore the kernel builtin trusted keys keyring check when
178 enrolling a key into MokList
179