Man page - mokutil(1)

NAME

mokutil - utility to manipulate machine owner keys

SYNOPSIS

mokutil [--list-enrolled | -l] ([--mokx | -X])
mokutil [--list-new | -N] ([--mokx | -X])
mokutil [--list-delete | -D] ([--mokx | -X])
mokutil [--import keylist | -i keylist] ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] | [--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--delete keylist | -d keylist] ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] | [--mokx | -X])
mokutil [--revoke-import] ([--mokx | -X])
mokutil [--revoke-delete] ([--mokx | -X])
mokutil [--export | -x]
mokutil [--password | -p] ([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
mokutil [--clear-password | -c]
mokutil [--disable-validation]
mokutil [--enable-validation]
mokutil [--sb-state]
mokutil [--test-key keyfile | -t keyfile] ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
mokutil [--reset] ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] | [--mokx | -X])
mokutil [--generate-hash=password | -g password]
mokutil [--ignore-db]
mokutil [--use-db]
mokutil [--import-hash hash] ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] | [--mokx | -X])
mokutil [--delete-hash hash] ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] | [--mokx | -X])
mokutil [--set-verbosity (true | false)]
mokutil [--set-fallback-verbosity (true | false)]
mokutil [--set-fallback-noreboot (true | false)]
mokutil [--pk]
mokutil [--kek]
mokutil [--db]
mokutil [--dbx]
mokutil [--list-sbat-revocations]
mokutil [--set-sbat-policy (latest | automatic | delete)]
mokutil [--timeout -1,0..0x7fff]
mokutil [--trust-mok]
mokutil [--untrust-mok]

DESCRIPTION

mokutil is a tool to import or delete the machine owner keys (MOK) stored in the database of shim.

OPTIONS

-l, --list-enrolled

List the keys already stored in the database

-N, --list-new

List the keys to be enrolled

-D, --list-delete

List the keys to be deleted

-i, --import

Collect the following files and form an enrolling request to shim. The files must be in DER format.

-d, --delete

Collect the following files and form a deleting request to shim. The files must be in DER format.

--revoke-import

Revoke the current import request (MokNew)

--revoke-delete

Revoke the current delete request (MokDel)

-x, --export

Export the keys stored in MokListRT

-p, --password

Set up the password for MokManager (MokPW)

-c, --clear-password

Clear the password for MokManager (MokPW)

--disable-validation

Disable the validation process in shim

--enable-validation

Enable the validation process in shim

--sb-state

Show SecureBoot State

-t, --test-key

Test if the key is enrolled or not

--reset

Reset MOK list

--generate-hash

Generate the password hash

--hash-file

Use the password hash from a specific file

-P, --root-pw

Use the root password hash from /etc/shadow

--ignore-db

Tell shim to not use the keys in db to verify EFI images

--use-db

Tell shim to use the keys in db to verify EFI images (default)

-X, --mokx

Manipulate the MOK blacklist (MOKX) instead of the MOK list

--import-hash

Create an enrolling request for the hash of a key in DER format. Note that this is not the password hash.

--delete-hash

Create a deleting request for the hash of a key in DER format. Note that this is not the password hash.

--set-verbosity

Set the SHIM_VERBOSE to make shim more or less verbose

--set-fallback-verbosity

Set the FALLBACK_VERBOSE to make fallback more or less verbose

--set-fallback-noreboot

Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system

--pk

List the keys in the public Platform Key (PK)

--kek

List the keys in the Key Exchange Key Signature database (KEK)

--db

List the keys in the secure boot signature store (db)

--dbx

List the keys in the secure boot blacklist signature store (dbx)

--list-sbat-revocations

List the entries in the Secure Boot Advanced Targeting store (SBAT)

--set-sbat-policy ( latest | automatic )

Set the SbatPolicy UEFI Variable to have shim apply either the latest or the automatic SBAT revocations. If UEFI Secure Boot is disabled, then shim will automatically delete SBAT revocations.

--set-ssp-policy ( latest | automatic | delete )

Set the SspPolicy UEFI Variable to have shim apply either the latest or the automatic Windows SkuSiPolicy to manage bootmgr revocations. Since these are non-native revocations, shim will not automatically delete them. If this is needed, ssp-policy can be set to delete when Secure Boot is disabled. The delete policy is non-persistent.

--timeout

Set the timeout for MOK prompt

--ca-check

Check if the CA of the given key is already enrolled or blocked in the key databases.

--ignore-keyring

Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList

--trust-mok

Trust MOK keys within the kernel keyring

--untrust-mok

Do not trust MOK keys within the kernel keyring
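
EXAMPLES

One way to notice unplanned changes to the stores these options list, such as an import or delete request that nobody scheduled, is to snapshot the read-only listings and compare them with a known-good baseline. This is an added example, not part of the man page or the mokutil project; it uses only options documented above. The MOKUTIL override variable, the baseline/check subcommands and the snapshot directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: snapshot mokutil's read-only listings and report drift.
# MOKUTIL is a hypothetical override so the logic can be exercised with a stub.
MOKUTIL="${MOKUTIL:-mokutil}"

# Write one file per read-only listing option into directory $1.
mok_snapshot() {
    dir=$1
    mkdir -p "$dir" || return 2
    for opt in sb-state list-enrolled list-new list-delete db dbx list-sbat-revocations; do
        $MOKUTIL "--$opt" > "$dir/$opt" 2>&1 || echo "exit=$?" >> "$dir/$opt"
    done
    # The same three lists again for the MOK blacklist (MOKX).
    for opt in list-enrolled list-new list-delete; do
        $MOKUTIL "--$opt" --mokx > "$dir/$opt.mokx" 2>&1 || echo "exit=$?" >> "$dir/$opt.mokx"
    done
}

# Print the name of every view that differs between baseline dir $1 and
# current dir $2. Returns 0 when nothing changed, 1 when something drifted.
mok_drift() {
    changed=0
    for f in "$2"/*; do
        name=${f##*/}
        if ! cmp -s "$1/$name" "$f" 2>/dev/null; then
            echo "$name"
            changed=1
        fi
    done
    return $changed
}

# Usage: script baseline DIR   (record known-good state)
#        script check DIR      (exit 1 and name the changed views on drift)
case "${1:-}" in
    baseline) mok_snapshot "$2" ;;
    check)
        tmp=$(mktemp -d) || exit 2
        mok_snapshot "$tmp"
        mok_drift "$2" "$tmp"; rc=$?
        rm -rf "$tmp"
        exit "$rc" ;;
esac
```

Keep the baseline directory writable by root only, and refresh it after every planned enrollment, deletion or policy change.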