NAME¶

mokutil - utility to manipulate machine owner keys

SYNOPSIS¶

DESCRIPTION¶

mokutil is a tool to import or delete the machines owner keys (MOK) stored in the database of shim.

OPTIONS¶

-l, --list-enrolled: List the keys the already stored in the database
-N, --list-new: List the keys to be enrolled
-D, --list-delete: List the keys to be deleted
-i, --import: Collect the following files and form an enrolling request to shim. The files must be in DER format.
-d, --delete: Collect the following files and form a deleting request to shim. The files must be in DER format.
--revoke-import: Revoke the current import request (MokNew)
--revoke-delete: Revoke the current delete request (MokDel)
-x, --export: Export the keys stored in MokListRT
-p, --password: Setup the password for MokManager (MokPW)
-c, --clear-password: Clear the password for MokManager (MokPW)
--disable-validation: Disable the validation process in shim
--enable-validation: Enable the validation process in shim
--sb-state: Show SecureBoot State
-t, --test-key: Test if the key is enrolled or not
--reset: Reset MOK list
--generate-hash: Generate the password hash
--hash-file: Use the password hash from a specific file
-P, --root-pw: Use the root password hash from /etc/shadow
--ignore-db: Tell shim to not use the keys in db to verify EFI images
--use-db: Tell shim to use the keys in db to verify EFI images (default)
-X, --mokx: Manipulate the MOK blacklist (MOKX) instead of the MOK list
--import-hash: Create an enrolling request for the hash of a key in DER format. Note that this is not the password hash.
--delete-hash: Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.
--set-verbosity: Set the SHIM_VERBOSE to make shim more or less verbose
--set-fallback-verbosity: Set the FALLBACK_VERBOSE to make fallback more or less verbose
--set-fallback-noreboot: Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
--pk: List the keys in the public Platform Key (PK)
--kek: List the keys in the Key Exchange Key Signature database (KEK)
--db: List the keys in the secure boot signature store (db)
--dbx: List the keys in the secure boot blacklist signature store (dbx)
--list-sbat-revocations: List the entries in the Secure Boot Advanced Targeting store (SBAT)
--set-sbat-policy (latest | automatic): Set the SbatPolicy UEFI Variable to have shim apply either the latest or the automatic SBAT revocations. If UEFI Secure Boot is disabled, then shim will automatically delete SBAT revocations
--set-ssp-policy (latest | automatic | delete): Set the SspPolicy UEFI Variable to have shim apply either the latest or the automatic Windows SkuSiPolicy to manage bootmgr revocations. Since these are non-native revocations, shim will not automatically delete them. If this is needed, spp-policy can be set to delete when Secure Boot is disabled. The delete policy is non-persistent.
--timeout: Set the timeout for MOK prompt
--ca-check: Check if the CA of the given key is already enrolled or blocked in the key databases.
--ignore-keyring: Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
--trust-mok: Trust MOK keys within the kernel keyring
--untrust-mok: Do not trust MOK keys within the kernel keyring

Thu Jul 25 2013

Source file:	mokutil.1.en.gz (from mokutil 0.7.0-1.2)
Source last updated:	2024-03-01T08:23:26Z
Converted to HTML:	2025-01-02T01:14:19Z