.TH MOKUTIL 1 "Thu Jul 25 2013"
.SH NAME

mokutil \- utility to manipulate machine owner keys

.SH SYNOPSIS
\fBmokutil\fR [--list-enrolled | -l]
        ([--mokx | -X])
.br
\fBmokutil\fR [--list-new | -N]
        ([--mokx | -X])
.br
\fBmokutil\fR [--list-delete | -D]
        ([--mokx | -X])
.br
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
        ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
         [--mokx | -X] | [--ca-check] | [--ignore-keyring])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
        ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
         [--mokx |- X])
.br
\fBmokutil\fR [--revoke-import]
        ([--mokx | -X])
.br
\fBmokutil\fR [--revoke-delete]
        ([--mokx | -X])
.br
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p]
        ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
\fBmokutil\fR [--clear-password | -c]
.br
\fBmokutil\fR [--disable-validation]
.br
\fBmokutil\fR [--enable-validation]
.br
\fBmokutil\fR [--sb-state]
.br
\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
        ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
.br
\fBmokutil\fR [--reset]
        ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
         [--mok | -X])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
\fBmokutil\fR [--ignore-db]
.br
\fBmokutil\fR [--use-db]
.br
\fBmokutil\fR [--import-hash \fIhash\fR]
        ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
         [--mokx | -X])
.br
\fBmokutil\fR [--delete-hash \fIhash\fR]
        ([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
         [--mokx | -X])
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
.br
\fBmokutil\fR [--db]
.br
\fBmokutil\fR [--dbx]
.br
\fBmokutil\fR [--list-sbat-revocations]
.br
\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)]
.br
\fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR]
.br

.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
(MOK) stored in the database of shim.

.SH OPTIONS
.TP
\fB-l, --list-enrolled\fR
List the keys the already stored in the database
.TP
\fB-N, --list-new\fR
List the keys to be enrolled
.TP
\fB-D, --list-delete\fR
List the keys to be deleted
.TP
\fB-i, --import\fR
Collect the following files and form an enrolling request to shim. The files must
be in DER format.
.TP
\fB-d, --delete\fR
Collect the following files and form a deleting request to shim. The files must be
in DER format.
.TP
\fB--revoke-import\fR
Revoke the current import request (MokNew)
.TP
\fB--revoke-delete\fR
Revoke the current delete request (MokDel)
.TP
\fB-x, --export\fR
Export the keys stored in MokListRT
.TP
\fB-p, --password\fR
Setup the password for MokManager (MokPW)
.TP
\fB-c, --clear-password\fR
Clear the password for MokManager (MokPW)
.TP
\fB--disable-validation\fR
Disable the validation process in shim
.TP
\fB--enable-validation\fR
Enable the validation process in shim
.TP
\fB--sb-state\fR
Show SecureBoot State
.TP
\fB-t, --test-key\fR
Test if the key is enrolled or not
.TP
\fB--reset\fR
Reset MOK list
.TP
\fB--generate-hash\fR
Generate the password hash
.TP
\fB--hash-file\fR
Use the password hash from a specific file
.TP
\fB-P, --root-pw\fR
Use the root password hash from /etc/shadow
.TP
\fB--ignore-db\fR
Tell shim to not use the keys in db to verify EFI images
.TP
\fB--use-db\fR
Tell shim to use the keys in db to verify EFI images (default)
.TP
\fB-X, --mokx\fR
Manipulate the MOK blacklist (MOKX) instead of the MOK list
.TP
\fB--import-hash\fR
Create an enrolling request for the hash of a key in DER format. Note that
this is not the password hash.
.TP
\fB--delete-hash\fR
Create a deleting request for the hash of a key in DER format. Note that
this is not the password hash.
.TP
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
\fB--set-fallback-verbosity\fR
Set the FALLBACK_VERBOSE to make fallback more or less verbose
.TP
\fB--set-fallback-noreboot\fR
Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP
\fB--kek\fR
List the keys in the Key Exchange Key Signature database (KEK)
.TP
\fB--db\fR
List the keys in the secure boot signature store (db)
.TP
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
\fB--list-sbat-revocations\fR
List the entries in the Secure Boot Advanced Targeting store (SBAT)
.TP
\fB--set-sbat-policy (\fIlatest\fR | \fIprevious\fR | \fIdelete\fR)\fR
Set the SbatPolicy UEFI Variable to have shim apply either the latest
or the previous SBAT revocations.  If UEFI Secure Boot is disabled, then
delete will reset the SBAT revocations to an empty revocation list.
While latest and previous are persistent configuration, delete will be
cleared by shim on the next boot whether or not it succeeds. The default
behavior is for shim to apply the previous revocations.
.TP
\fB--timeout\fR
Set the timeout for MOK prompt
.TP
\fB--ca-check\fR
Check if the CA of the given key is already enrolled or blocked in the key
databases.
.TP
\fB--ignore-keyring\fR
Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
.TP