mokutil

Show if Secure Boot is enabled

$ mokutil --sb-state

$ mokutil --enable-validation

$ mokutil --disable-validation

$ mokutil -l

$ mokutil -i [path/to/key.der]

$ mokutil -N

$ mokutil -d [path/to/key.der]

$ mokutil -t [path/to/key.der]

mokutil [--sb-state] [-l] [-i keyfile] [-d keyfile] [--enable-validation] [--disable-validation] [options]

mokutil manages Machine Owner Keys (MOK) stored in the shim database. MOKs are cryptographic keys used in the Secure Boot process to verify the authenticity of boot components on UEFI systems.
The tool allows importing, deleting, and managing keys that authorize kernel modules, bootloaders, and other signed code. Changes to the MOK database require a reboot, during which the MokManager prompts for confirmation with the configured password.

--sb-state

Display current Secure Boot state

List currently enrolled keys

Show keys pending enrollment

Show keys marked for deletion

Add key (DER format) to enrollment queue

Queue key for removal

Extract stored keys from MokListRT

Verify if a key is enrolled

Enable shim validation (Secure Boot)

Disable shim validation

Clear the MOK list

Set MokManager password

Remove password protection

Use root password hash from /etc/shadow

List keys in various Secure Boot databases

Set MOK prompt duration at boot

Operate on MOK blacklist instead of standard list

Operations that modify the MOK database (import, delete, enable/disable validation) require a reboot to take effect. A password must be entered at boot time via MokManager to confirm changes. Keys must be in DER format for import. Improper key management can render the system unbootable with Secure Boot enabled.

mokutil is part of the shim project, developed to enable Secure Boot on Linux systems. Shim is a first-stage bootloader signed by Microsoft, allowing Linux distributions to boot on UEFI systems with Secure Boot enabled by using MOKs to authorize distribution-specific signing keys.

sbsign(1), sbverify(1), efibootmgr(8)