MOKUTIL(1)                General Commands Manual                MOKUTIL(1)

NAME
       mokutil - utility to manipulate machine owner keys

SYNOPSIS
       mokutil [--list-enrolled | -l] ([--mokx | -X])
       mokutil [--list-new | -N] ([--mokx | -X])
       mokutil [--list-delete | -D] ([--mokx | -X])
       mokutil [--import keylist | -i keylist]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
               [--mokx | -X] | [--ca-check] | [--ignore-keyring])
       mokutil [--delete keylist | -d keylist]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
               [--mokx | -X])
       mokutil [--revoke-import] ([--mokx | -X])
       mokutil [--revoke-delete] ([--mokx | -X])
       mokutil [--export | -x]
       mokutil [--password | -p]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
       mokutil [--clear-password | -c]
       mokutil [--disable-validation]
       mokutil [--enable-validation]
       mokutil [--sb-state]
       mokutil [--test-key keyfile | -t keyfile]
               ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
       mokutil [--reset]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
               [--mokx | -X])
       mokutil [--generate-hash=password | -gpassword]
       mokutil [--ignore-db]
       mokutil [--use-db]
       mokutil [--import-hash hash]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
               [--mokx | -X])
       mokutil [--delete-hash hash]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
               [--mokx | -X])
       mokutil [--set-verbosity (true | false)]
       mokutil [--set-fallback-verbosity (true | false)]
       mokutil [--set-fallback-noreboot (true | false)]
       mokutil [--pk]
       mokutil [--kek]
       mokutil [--db]
       mokutil [--dbx]
       mokutil [--list-sbat-revocations]
       mokutil [--set-sbat-policy (latest | automatic | delete)]
       mokutil [--timeout -1,0..0x7fff]
       mokutil [--trust-mok]
       mokutil [--untrust-mok]

DESCRIPTION
       mokutil is a tool to import or delete the machine owner keys (MOK)
       stored in the database of shim.

OPTIONS
       -l, --list-enrolled
              List the keys already stored in the database

       -N, --list-new
              List the keys to be enrolled

       -D, --list-delete
              List the keys to be deleted

       -i, --import
              Collect the following files and form an enrolling request to
              shim. The files must be in DER format.

       -d, --delete
              Collect the following files and form a deleting request to
              shim. The files must be in DER format.

       --revoke-import
              Revoke the current import request (MokNew)

       --revoke-delete
              Revoke the current delete request (MokDel)

       -x, --export
              Export the keys stored in MokListRT

       -p, --password
              Set up the password for MokManager (MokPW)

       -c, --clear-password
              Clear the password for MokManager (MokPW)

       --disable-validation
              Disable the validation process in shim

       --enable-validation
              Enable the validation process in shim

       --sb-state
              Show SecureBoot State

       -t, --test-key
              Test if the key is enrolled or not

       --reset
              Reset MOK list

       --generate-hash
              Generate the password hash

       --hash-file
              Use the password hash from a specific file

       -P, --root-pw
              Use the root password hash from /etc/shadow

       --ignore-db
              Tell shim to not use the keys in db to verify EFI images

       --use-db
              Tell shim to use the keys in db to verify EFI images (default)

       -X, --mokx
              Manipulate the MOK blacklist (MOKX) instead of the MOK list

       --import-hash
              Create an enrolling request for the hash of a key in DER
              format. Note that this is not the password hash.

       --delete-hash
              Create a deleting request for the hash of a key in DER
              format. Note that this is not the password hash.

       --set-verbosity
              Set the SHIM_VERBOSE to make shim more or less verbose

       --set-fallback-verbosity
              Set the FALLBACK_VERBOSE to make fallback more or less verbose

       --set-fallback-noreboot
              Set the FB_NO_REBOOT to prevent fallback from automatically
              rebooting the system

       --pk   List the keys in the public Platform Key (PK)

       --kek  List the keys in the Key Exchange Key Signature database (KEK)

       --db   List the keys in the secure boot signature store (db)

       --dbx  List the keys in the secure boot blacklist signature store
              (dbx)

       --list-sbat-revocations
              List the entries in the Secure Boot Advanced Targeting store
              (SBAT)

       --set-sbat-policy (latest | automatic)
              Set the SbatPolicy UEFI Variable to have shim apply either the
              latest or the automatic SBAT revocations. If UEFI Secure Boot
              is disabled, then shim will automatically delete SBAT
              revocations.

       --set-ssp-policy (latest | automatic | delete)
              Set the SspPolicy UEFI Variable to have shim apply either the
              latest or the automatic Windows SkuSiPolicy to manage bootmgr
              revocations. Since these are non-native revocations, shim will
              not automatically delete them. If this is needed, ssp-policy
              can be set to delete when Secure Boot is disabled. The delete
              policy is non-persistent.

       --timeout
              Set the timeout for MOK prompt

       --ca-check
              Check if the CA of the given key is already enrolled or
              blocked in the key databases.

       --ignore-keyring
              Ignore the kernel builtin trusted keys keyring check when
              enrolling a key into MokList

       --trust-mok
              Trust MOK keys within the kernel keyring

       --untrust-mok
              Do not trust MOK keys within the kernel keyring

Thu Jul 25 2013                                                    MOKUTIL(1)
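
The following script is an added example, not part of the mokutil manual page or project: it checks the DER requirement stated for --import before forming an enrolling request, then lists the pending request. The function names key_format and enroll_keys are hypothetical, and the conversion hint assumes openssl is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks before queueing a MOK enrolling request.

# Print "der", "pem" or "unknown" for a certificate file.
# A DER X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30);
# a PEM file carries a "-----BEGIN CERTIFICATE-----" armor line.
key_format() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Queue the given key files for enrollment; refuse anything that is not DER.
enroll_keys() {
    mokutil --sb-state
    for key in "$@"; do
        case "$(key_format "$key")" in
            der) ;;
            pem) echo "$key is PEM; convert it first:" >&2
                 echo "  openssl x509 -in $key -outform DER -out ${key%.*}.der" >&2
                 return 1 ;;
            *)   echo "$key is not a DER certificate" >&2
                 return 1 ;;
        esac
        # Report whether this key is already enrolled; the exit status is
        # ignored because only the printed message is wanted here.
        mokutil --test-key "$key" || true
    done
    # Form the enrolling request (MokNew). Without --hash-file or --root-pw,
    # mokutil prompts for a password on the terminal.
    mokutil --import "$@" || return 1
    # Show what is now pending; --revoke-import withdraws it again.
    mokutil --list-new
}

# Run only when key files are passed on the command line.
if [ "$#" -gt 0 ]; then enroll_keys "$@"; fi
```

Run it as root with one or more certificate files as arguments; called without arguments it only defines the functions.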