LinuxCommandLibrary

mokutil

Manage UEFI Secure Boot keys

TLDR

Show if Secure Boot is enabled
$ mokutil --sb-state

Enable Secure Boot
$ mokutil --enable-validation

Disable Secure Boot
$ mokutil --disable-validation

List enrolled keys
$ mokutil --list-enrolled

Enroll a new key
$ mokutil --import [path/to/key.der]

List the keys to be enrolled
$ mokutil --list-new

Set shim verbosity
$ mokutil --set-verbosity true

SYNOPSIS

mokutil [options]

PARAMETERS

--list-new
    Lists keys pending enrollment in the MOK database.

--list-old
    Lists keys pending deletion from the MOK database.

--list-enrolled
    Lists keys currently enrolled in the MOK database.

--import <file>
    Stages certificate(s) from file for import into the MOK database. Requires reboot and user confirmation.

--delete <file>
    Stages certificate(s) from file for deletion from the MOK database. Requires reboot and user confirmation.

--reset
    Stages the MOK database for a complete reset (clearing all entries). Requires reboot and user confirmation.

--revoke-offline
    Attempts to revoke all MOK entries and temporarily disable Secure Boot. Use with caution.

--pk-auth
    Performs PK (Platform Key) authentication for Secure Boot bypass.

--disable-bgrt
    Disables the Boot Graphics Resource Table (BGRT) display.

--enable-bgrt
    Enables the Boot Graphics Resource Table (BGRT) display.

--set-verbosity <level>
    Sets the verbosity level (0-3) for mokutil operations.

--set-default-key <file>
    Sets the default key file for MOK operations.

--export-key
    Exports the default key used by mokutil.

--test-key <file>
    Tests a key from file against the MOK database.

--sb-state
    Displays the current Secure Boot state (enabled or disabled).

--disk-import
    Imports keys from disk, typically from removable media.

--timeout <seconds>
    Sets the timeout in seconds for the MOK confirmation screen during boot.

--ignore-dbx
    Ignores the DBX (Forbidden Signatures Database) during key checks.

--boot-next <efi_path>
    Sets the next boot entry in the UEFI firmware's boot order.

--verbose
    Enables verbose output for more detailed information.

--help
    Displays the help message and exits.

--version
    Displays version information and exits.

DESCRIPTION

mokutil is a crucial utility for managing Machine Owner Keys (MOK) within a UEFI Secure Boot environment. Secure Boot is a security standard ensuring only software trusted by the Original Equipment Manufacturer (OEM) or platform owner can boot. When enabled, only bootloaders and kernel modules signed with trusted keys can load.

mokutil interacts with the MOK list, which extends the standard UEFI Secure Boot DB (Signature Database) and DBX (Forbidden Signatures Database). It lets users import new keys (e.g., for custom-signed kernels or modules), delete existing keys, and reset the MOK list. These operations typically require a system reboot and confirmation by the user in the UEFI pre-boot environment, so a staged change cannot take effect without the owner approving it. mokutil is essential for users who want to run software not signed by Microsoft or their OEM while keeping Secure Boot enabled, bridging the gap for third-party drivers and custom Linux setups.

CAVEATS

Most operations involving key enrollment or deletion (e.g., --import, --delete, --reset) require root privileges and a subsequent system reboot. During the reboot, the system will enter a special UEFI pre-boot screen (often blue) where you must manually confirm the pending MOK changes. This security measure prevents unauthorized manipulation of the MOK list. Incorrect use can potentially render the system unbootable if crucial keys are mishandled.

MOK LIST VS. UEFI DATABASES

The MOK list managed by mokutil is distinct from the standard UEFI DB (authorized keys) and DBX (forbidden keys) databases. The shim bootloader, which is loaded by the UEFI firmware when Secure Boot is active, specifically checks the MOK list. This allows the system to trust additional keys without altering the firmware's core Secure Boot databases.

INTERACTIVE CONFIRMATION PROCESS

When mokutil commands like --import or --delete are executed, changes are not immediately applied. Instead, they are staged. Upon the next system reboot, the shim bootloader intercepts the boot process and presents a graphical UEFI interface (often called 'MokManager' or 'Enroll MOK') where the user must manually confirm the pending key operations. This confirmation step is a critical security measure to ensure that only the legitimate system owner can modify the MOK list.
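An added audit script, not part of this page or of mokutil itself, that ties the DESCRIPTION and the confirmation-process passage together: it parses the `[key N]` / `SHA1 Fingerprint:` blocks that `mokutil --list-enrolled` and `--list-new` print, checks `--sb-state`, and reports MOKs that are not on an allowlist or that are staged awaiting MokManager confirmation at the next boot. The output formats, the sample key data and the EXPECTED_MOKS allowlist are assumptions; replace the allowlist with the fingerprints your own hosts are supposed to carry.

```python
import re
import subprocess

# Constructed sample of `mokutil --list-enrolled` output (placeholder keys, not real ones).
SAMPLE_ENROLLED = """\
[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Subject: O=Example Distro, CN=Example Distro Secure Boot CA
[key 2]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Subject: CN=unknown-local-mok
"""
# Allowlist of fingerprints this host is expected to have enrolled (constructed).
EXPECTED_MOKS = {"11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44"}
KEY_HEADER = re.compile(r"^\[key \d+\]$", re.M)

def parse_mok_list(text):
    """Return [(sha1_fingerprint, subject)] from --list-enrolled / --list-new output."""
    keys = []
    for block in KEY_HEADER.split(text)[1:]:  # anything before the first [key N] is not a key
        fp = re.search(r"^SHA1 Fingerprint:\s*([0-9A-Fa-f:]+)", block, re.M)
        subj = re.search(r"^\s*Subject:\s*(.+?)\s*$", block, re.M)
        if fp:
            keys.append((fp.group(1).lower(), subj.group(1) if subj else ""))
    return keys

def sb_enabled(sb_state_output):
    """True only when `mokutil --sb-state` printed 'SecureBoot enabled'."""
    return re.search(r"^SecureBoot enabled\s*$", sb_state_output, re.M) is not None

def audit(enrolled, expected):
    """Return (MOKs not on the allowlist, allowlisted MOKs that are not enrolled)."""
    allowed = {fp.lower() for fp in expected}
    unexpected = [(fp, subj) for fp, subj in enrolled if fp not in allowed]
    missing = sorted(allowed - {fp for fp, _ in enrolled})
    return unexpected, missing

def mokutil(*args):  # runs the real tool; only meaningful on a UEFI host with mokutil installed
    return subprocess.run(["mokutil", *args], capture_output=True, text=True).stdout

if __name__ == "__main__":
    if not sb_enabled(mokutil("--sb-state")):
        print("WARNING: Secure Boot is not enabled")
    unexpected, missing = audit(parse_mok_list(mokutil("--list-enrolled")), EXPECTED_MOKS)
    for fp, subj in unexpected:
        print(f"UNEXPECTED MOK {fp} ({subj})")
    for fp, subj in parse_mok_list(mokutil("--list-new")):  # staged, awaits MokManager confirmation
        print(f"PENDING enrollment {fp} ({subj})")
```

Run it from a configuration-management or EDR job and alert on any UNEXPECTED or PENDING line: an unrecognized MOK means shim will trust a signer you did not approve.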

HISTORY

mokutil emerged as a vital tool for Linux distributions to achieve compatibility with UEFI Secure Boot. Initially, Secure Boot primarily trusted keys pre-installed by the OEM (often Microsoft's key). To allow Linux systems to boot and use custom kernel modules or third-party drivers while Secure Boot remained enabled, the shim bootloader was developed. The shim is signed by Microsoft, and it, in turn, trusts keys present in the Machine Owner Key (MOK) list. mokutil was created to provide a command-line interface for managing this MOK list, enabling users to enroll their own keys. This development was crucial for distributions like Fedora and Ubuntu to support Secure Boot out of the box, offering users a way to maintain security without disabling the feature for custom configurations.

SEE ALSO

efibootmgr(8), shim(8), grub-install(8), sbsigntools(1)
