1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
|
.TH MOKUTIL 1 "Thu Jul 25 2013"
.SH NAME
mokutil \- utility to manipulate machine owner keys
.SH SYNOPSIS
\fBmokutil\fR [--list-enrolled | -l]
([--mokx | -X])
.br
\fBmokutil\fR [--list-new | -N]
([--mokx | -X])
.br
\fBmokutil\fR [--list-delete | -D]
([--mokx | -X])
.br
\fBmokutil\fR [--import \fIkeylist\fR| -i \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
[--mokx | -X] | [--ca-check] | [--ignore-keyring])
.br
\fBmokutil\fR [--delete \fIkeylist\fR | -d \fIkeylist\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
[--mokx |- X])
.br
\fBmokutil\fR [--revoke-import]
([--mokx | -X])
.br
\fBmokutil\fR [--revoke-delete]
([--mokx | -X])
.br
\fBmokutil\fR [--export | -x]
.br
\fBmokutil\fR [--password | -p]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P])
.br
\fBmokutil\fR [--clear-password | -c]
.br
\fBmokutil\fR [--disable-validation]
.br
\fBmokutil\fR [--enable-validation]
.br
\fBmokutil\fR [--sb-state]
.br
\fBmokutil\fR [--test-key \fIkeyfile\fR | -t \fIkeyfile\fR]
([--mokx | -X] | [--ca-check] | [--ignore-keyring])
.br
\fBmokutil\fR [--reset]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
[--mok | -X])
.br
\fBmokutil\fR [--generate-hash=\fIpassword\fR | -g\fIpassword\fR]
.br
\fBmokutil\fR [--ignore-db]
.br
\fBmokutil\fR [--use-db]
.br
\fBmokutil\fR [--import-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
[--mokx | -X])
.br
\fBmokutil\fR [--delete-hash \fIhash\fR]
([--hash-file \fIhashfile\fR | -f \fIhashfile\fR] | [--root-pw | -P] |
[--mokx | -X])
.br
\fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
.br
\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
.br
\fBmokutil\fR [--pk]
.br
\fBmokutil\fR [--kek]
.br
\fBmokutil\fR [--db]
.br
\fBmokutil\fR [--dbx]
.br
\fBmokutil\fR [--list-sbat-revocations]
.br
\fBmokutil\fR [--set-sbat-policy (\fIlatest\fR | \fIautomatic\fR | \fIdelete\fR)]
.br
\fBmokutil\fR [--timeout \fI-1,0..0x7fff\fR]
.br
\fBmokutil\fR [--trust-mok]
.br
\fBmokutil\fR [--untrust-mok]
.br
.SH DESCRIPTION
\fBmokutil\fR is a tool to import or delete the machines owner keys
(MOK) stored in the database of shim.
.SH OPTIONS
.TP
\fB-l, --list-enrolled\fR
List the keys the already stored in the database
.TP
\fB-N, --list-new\fR
List the keys to be enrolled
.TP
\fB-D, --list-delete\fR
List the keys to be deleted
.TP
\fB-i, --import\fR
Collect the following files and form an enrolling request to shim. The files must
be in DER format.
.TP
\fB-d, --delete\fR
Collect the following files and form a deleting request to shim. The files must be
in DER format.
.TP
\fB--revoke-import\fR
Revoke the current import request (MokNew)
.TP
\fB--revoke-delete\fR
Revoke the current delete request (MokDel)
.TP
\fB-x, --export\fR
Export the keys stored in MokListRT
.TP
\fB-p, --password\fR
Setup the password for MokManager (MokPW)
.TP
\fB-c, --clear-password\fR
Clear the password for MokManager (MokPW)
.TP
\fB--disable-validation\fR
Disable the validation process in shim
.TP
\fB--enable-validation\fR
Enable the validation process in shim
.TP
\fB--sb-state\fR
Show SecureBoot State
.TP
\fB-t, --test-key\fR
Test if the key is enrolled or not
.TP
\fB--reset\fR
Reset MOK list
.TP
\fB--generate-hash\fR
Generate the password hash
.TP
\fB--hash-file\fR
Use the password hash from a specific file
.TP
\fB-P, --root-pw\fR
Use the root password hash from /etc/shadow
.TP
\fB--ignore-db\fR
Tell shim to not use the keys in db to verify EFI images
.TP
\fB--use-db\fR
Tell shim to use the keys in db to verify EFI images (default)
.TP
\fB-X, --mokx\fR
Manipulate the MOK blacklist (MOKX) instead of the MOK list
.TP
\fB--import-hash\fR
Create an enrolling request for the hash of a key in DER format. Note that
this is not the password hash.
.TP
\fB--delete-hash\fR
Create a deleting request for the hash of a key in DER format. Note that
this is not the password hash.
.TP
\fB--set-verbosity\fR
Set the SHIM_VERBOSE to make shim more or less verbose
.TP
\fB--set-fallback-verbosity\fR
Set the FALLBACK_VERBOSE to make fallback more or less verbose
.TP
\fB--set-fallback-noreboot\fR
Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
.TP
\fB--pk\fR
List the keys in the public Platform Key (PK)
.TP
\fB--kek\fR
List the keys in the Key Exchange Key Signature database (KEK)
.TP
\fB--db\fR
List the keys in the secure boot signature store (db)
.TP
\fB--dbx\fR
List the keys in the secure boot blacklist signature store (dbx)
.TP
\fB--list-sbat-revocations\fR
List the entries in the Secure Boot Advanced Targeting store (SBAT)
.TP
\fB--set-sbat-policy (\fIlatest\fR | \fIautomatic\fR)\fR
Set the SbatPolicy UEFI Variable to have shim apply either the latest
or the automatic SBAT revocations. If UEFI Secure Boot is disabled, then
shim will automatically delete SBAT revocations
.TP
\fB--set-ssp-policy (\fIlatest\fR | \fIautomatic\fR | \fIdelete\fR)\fR
Set the SspPolicy UEFI Variable to have shim apply either the latest
or the automatic Windows SkuSiPolicy to manage bootmgr revocations. Since
these are non-native revocations, shim will not automatically delete
them. If this is needed, spp-policy can be set to delete when Secure
Boot is disabled. The delete policy is non-persistent.
.TP
\fB--timeout\fR
Set the timeout for MOK prompt
.TP
\fB--ca-check\fR
Check if the CA of the given key is already enrolled or blocked in the key
databases.
.TP
\fB--ignore-keyring\fR
Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList
.TP
\fB--trust-mok\fR
Trust MOK keys within the kernel keyring
.TP
\fB--untrust-mok\fR
Do not trust MOK keys within the kernel keyring
.TP
|
