.TH MOKUTIL 1 "Thu Jul 25 2013"
.SH NAME
mokutil \- utility to manipulate machine owner keys
.SH SYNOPSIS
\fBmokutil\fR [--list-enrolled | -l] ([--mokx | -X])
.br
\fBmokutil\fR [--list-new | -N] ([--mokx | -X])
.br
\fBmokutil\fR [--list-delete | -D] ([--mokx | -X])
.br
\fBmokutil\fR [--import \fIkeylist\fR | -i \fIkeylist\fR] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | [--simple-hash | -s] | [--mokx | -X])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | [--simple-hash | -s] | [--mokx | -X])
.br
\fBmokutil\fR [--revoke-import] ([--mokx | -X])
.br
\fBmokutil\fR [--revoke-delete] ([--mokx | -X])
.br
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | [--simple-hash | -s])
.br
\fBmokutil\fR [--clear-password | -c] ([--simple-hash | -s])
.br
\fBmokutil\fR [--disable-validation]
.br
\fBmokutil\fR [--enable-validation]
.br
\fBmokutil\fR [--sb-state]
.br
\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR] ([--mokx | -X])
.br
\fBmokutil\fR [--reset] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | [--simple-hash | -s] | [--mokx | -X])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
\fBmokutil\fR [--ignore-db]
.br
\fBmokutil\fR [--use-db]
.br
\fBmokutil\fR [--import-hash \fIhash\fR] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | [--simple-hash | -s] | [--mokx | -X])
.br
\fBmokutil\fR [--delete-hash \fIhash\fR] ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] | [--simple-hash | -s] | [--mokx | -X])
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
.br
\fBmokutil\fR [--db]
.br
\fBmokutil\fR [--dbx]
.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machine owner keys (MOK) stored in the database of shim.
.SH OPTIONS
.TP
\fB-l, --list-enrolled\fR
List the keys already stored in the database
.TP
\fB-N, --list-new\fR
List the keys to be enrolled
.TP
\fB-D, --list-delete\fR
List the keys to be deleted
.TP
\fB-i, --import\fR
Collect the following files and form an enrolling request to shim. The files must be in DER format.
.TP
\fB-d, --delete\fR
Collect the following files and form a deleting request to shim. The files must be in DER format.
.TP
\fB--revoke-import\fR
Revoke the current import request (MokNew)
.TP
\fB--revoke-delete\fR
Revoke the current delete request (MokDel)
.TP
\fB-x, --export\fR
Export the keys stored in MokListRT
.TP
\fB-p, --password\fR
Set up the password for MokManager (MokPW)
.TP
\fB-c, --clear-password\fR
Clear the password for MokManager (MokPW)
.TP
\fB--disable-validation\fR
Disable the validation process in shim. While validation is disabled, shim does not verify the images it loads, so the boot chain beyond shim is no longer protected by Secure Boot.
.TP
\fB--enable-validation\fR
Enable the validation process in shim
.TP
\fB--sb-state\fR
Show SecureBoot State
.TP
\fB-t, --test-key\fR
Test if the key is enrolled or not
.TP
\fB--reset\fR
Reset MOK list
.TP
\fB--generate-hash\fR
Generate the password hash. A password given on the command line can be visible to other local users in the process list and may be saved in shell history.
.TP
\fB--hash-file\fR
Use the password hash from a specific file
.TP
\fB-P, --root-pw\fR
Use the root password hash from /etc/shadow
.TP
\fB-s, --simple-hash\fR
Use the old SHA256 password hash method to hash the password
.br
Note: --root-pw invalidates --simple-hash
.TP
\fB--ignore-db\fR
Tell shim to not use the keys in db to verify EFI images
.TP
\fB--use-db\fR
Tell shim to use the keys in db to verify EFI images (default)
.TP
\fB-X, --mokx\fR
Manipulate the MOK blacklist (MOKX) instead of the MOK list
.TP
\fB--import-hash\fR
Create an enrolling request for the hash of a key in DER format. Note that this is not the password hash.
.TP
\fB--delete-hash\fR
Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.
.TP
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP
\fB--kek\fR
List the keys in the Key Exchange Key Signature database (KEK)
.TP
\fB--db\fR
List the keys in the secure boot signature store (db)
.TP
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP