mokutil - Man Page
utility to manipulate machine owner keys
Examples (TL;DR)
- Show if Secure Boot is enabled:
mokutil --sb-state - Enable Secure Boot:
mokutil --enable-validation - Disable Secure Boot:
mokutil --disable-validation - List enrolled keys:
mokutil --list-enrolled - Enroll a new key:
mokutil --import path/to/key.der - List the keys to be enrolled:
mokutil --list-new - Set shim verbosity:
mokutil --set-verbosity true
Synopsis
mokutil [--list-enrolled | -l]
([--mokx | -X])
mokutil [--list-new | -N]
([--mokx | -X])
mokutil [--list-delete | -D]
([--mokx | -X])
mokutil [--import keylist| -i keylist]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--delete keylist | -d keylist]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx |- X])
mokutil [--revoke-import]
([--mokx | -X])
mokutil [--revoke-delete]
([--mokx | -X])
mokutil [--export | -x]
mokutil [--password | -p]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
mokutil [--clear-password | -c]
mokutil [--disable-validation]
mokutil [--enable-validation]
mokutil [--sb-state]
mokutil [--test-key keyfile | -t keyfile]
([--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--reset]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mok | -X])
mokutil [--generate-hash=password | -gpassword]
mokutil [--ignore-db]
mokutil [--use-db]
mokutil [--import-hash hash]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X])
mokutil [--delete-hash hash]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X])
mokutil [--set-verbosity (true | false)]
mokutil [--set-fallback-verbosity (true | false)]
mokutil [--set-fallback-noreboot (true | false)]
mokutil [--pk]
mokutil [--kek]
mokutil [--db]
mokutil [--dbx]
mokutil [--list-sbat-revocations]
mokutil [--set-sbat-policy (latest | automatic | delete)]
mokutil [--timeout -1,0..0x7fff]
mokutil [--trust-mok]
mokutil [--untrust-mok]
Description
mokutil is a tool to import or delete the machines owner keys (MOK) stored in the database of shim.
Options
- -l, --list-enrolled
List the keys the already stored in the database
- -N, --list-new
List the keys to be enrolled
- -D, --list-delete
List the keys to be deleted
- -i, --import
Collect the following files and form an enrolling request to shim. The files must be in DER format.
- -d, --delete
Collect the following files and form a deleting request to shim. The files must be in DER format.
- --revoke-import
Revoke the current import request (MokNew)
- --revoke-delete
Revoke the current delete request (MokDel)
- -x, --export
Export the keys stored in MokListRT
- -p, --password
Setup the password for MokManager (MokPW)
- -c, --clear-password
Clear the password for MokManager (MokPW)
- --disable-validation
Disable the validation process in shim
- --enable-validation
Enable the validation process in shim
- --sb-state
Show SecureBoot State
- -t, --test-key
Test if the key is enrolled or not
- --reset
Reset MOK list
- --generate-hash
Generate the password hash
- --hash-file
Use the password hash from a specific file
- -P, --root-pw
Use the root password hash from /etc/shadow
- --ignore-db
Tell shim to not use the keys in db to verify EFI images
- --use-db
Tell shim to use the keys in db to verify EFI images (default)
- -X, --mokx
Manipulate the MOK blacklist (MOKX) instead of the MOK list
- --import-hash
Create an enrolling request for the hash of a key in DER format. Note that this is not the password hash.
- --delete-hash
Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.
- --set-verbosity
Set the SHIM_VERBOSE to make shim more or less verbose
- --set-fallback-verbosity
Set the FALLBACK_VERBOSE to make fallback more or less verbose
- --set-fallback-noreboot
Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
- --pk
List the keys in the public Platform Key (PK)
- --kek
List the keys in the Key Exchange Key Signature database (KEK)
- --db
List the keys in the secure boot signature store (db)
- --dbx
List the keys in the secure boot blacklist signature store (dbx)
- --list-sbat-revocations
List the entries in the Secure Boot Advanced Targeting store (SBAT)
- --set-sbat-policy (latest | automatic)
Set the SbatPolicy UEFI Variable to have shim apply either the latest or the automatic SBAT revocations. If UEFI Secure Boot is disabled, then shim will automatically delete SBAT revocations
- --set-ssp-policy (latest | automatic | delete)
Set the SspPolicy UEFI Variable to have shim apply either the latest or the automatic Windows SkuSiPolicy to manage bootmgr revocations. Since these are non-native revocations, shim will not automatically delete them. If this is needed, spp-policy can be set to delete when Secure Boot is disabled. The delete policy is non-persistent.
- --timeout
Set the timeout for MOK prompt
- --ca-check
Check if the CA of the given key is already enrolled or blocked in the key databases.
- --ignore-keyring
Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
- --trust-mok
Trust MOK keys within the kernel keyring
- --untrust-mok
Do not trust MOK keys within the kernel keyring