Scroll to navigation

MOKUTIL(1) General Commands Manual MOKUTIL(1)

NAME

mokutil - utility to manipulate machine owner keys

SYNOPSIS

mokutil [--list-enrolled | -l]
([--mokx | -X])
mokutil [--list-new | -N]
([--mokx | -X])
mokutil [--list-delete | -D]
([--mokx | -X])
mokutil [--import keylist| -i keylist]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--delete keylist | -d keylist]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx |- X])
mokutil [--revoke-import]
([--mokx | -X])
mokutil [--revoke-delete]
([--mokx | -X])
mokutil [--export | -x]
mokutil [--password | -p]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
mokutil [--clear-password | -c]
mokutil [--disable-validation]
mokutil [--enable-validation]
mokutil [--sb-state]
mokutil [--test-key keyfile | -t keyfile]
([--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--reset]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mok | -X])
mokutil [--generate-hash=password | -gpassword]
mokutil [--ignore-db]
mokutil [--use-db]
mokutil [--import-hash hash]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X])
mokutil [--delete-hash hash]
([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
[--mokx | -X])
mokutil [--set-verbosity (true | false)]
mokutil [--set-fallback-verbosity (true | false)]
mokutil [--set-fallback-noreboot (true | false)]
mokutil [--pk]
mokutil [--kek]
mokutil [--db]
mokutil [--dbx]
mokutil [--list-sbat-revocations]
mokutil [--set-sbat-policy (latest | previous | delete)]
mokutil [--timeout -1,0..0x7fff]

DESCRIPTION

mokutil is a tool to import or delete the machines owner keys (MOK) stored in the database of shim.

OPTIONS

List the keys the already stored in the database
List the keys to be enrolled
List the keys to be deleted
Collect the following files and form an enrolling request to shim. The files must be in DER format.
Collect the following files and form a deleting request to shim. The files must be in DER format.
Revoke the current import request (MokNew)
Revoke the current delete request (MokDel)
Export the keys stored in MokListRT
Setup the password for MokManager (MokPW)
Clear the password for MokManager (MokPW)
Disable the validation process in shim
Enable the validation process in shim
Show SecureBoot State
Test if the key is enrolled or not
Reset MOK list
Generate the password hash
Use the password hash from a specific file
Use the root password hash from /etc/shadow
Tell shim to not use the keys in db to verify EFI images
Tell shim to use the keys in db to verify EFI images (default)
Manipulate the MOK blacklist (MOKX) instead of the MOK list
Create an enrolling request for the hash of a key in DER format. Note that this is not the password hash.
Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.
Set the SHIM_VERBOSE to make shim more or less verbose
Set the FALLBACK_VERBOSE to make fallback more or less verbose
Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
List the keys in the public Platform Key (PK)
List the keys in the Key Exchange Key Signature database (KEK)
List the keys in the secure boot signature store (db)
List the keys in the secure boot blacklist signature store (dbx)
List the entries in the Secure Boot Advanced Targeting store (SBAT)
Set the SbatPolicy UEFI Variable to have shim apply either the latest or the previous SBAT revocations. If UEFI Secure Boot is disabled, then delete will reset the SBAT revocations to an empty revocation list. While latest and previous are persistent configuration, delete will be cleared by shim on the next boot whether or not it succeeds. The default behavior is for shim to apply the previous revocations.
Set the timeout for MOK prompt
Check if the CA of the given key is already enrolled or blocked in the key databases.
Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
Thu Jul 25 2013