mokutil 命令

常用示例

说明

mokutil manages Machine Owner Keys (MOK) stored in the shim database. MOKs are cryptographic keys used in the Secure Boot process to verify the authenticity of boot components on UEFI systems. The tool allows importing, deleting, and managing keys that authorize kernel modules, bootloaders, and other signed code. Changes to the MOK database require a reboot, during which the MokManager prompts for confirmation with the configured password.

参数

--sb-state

Display current Secure Boot state

-l, --list-enrolled

List currently enrolled keys

-N, --list-new

Show keys pending enrollment

-D, --list-delete

Show keys marked for deletion

-i, --import _keyfile_

Add key (DER format) to enrollment queue

-d, --delete _keyfile_

Queue key for removal

-x, --export

Extract stored keys from MokListRT

-t, --test-key _keyfile_

Verify if a key is enrolled

--enable-validation

Enable shim validation (Secure Boot)

--disable-validation

Disable shim validation

--reset

Clear the MOK list

-p, --password

Set MokManager password

-c, --clear-password

Remove password protection

-P, --root-pw

Use root password hash from /etc/shadow

--pk, --kek, --db, --dbx

List keys in various Secure Boot databases

--timeout _seconds_

Set MOK prompt duration at boot

-X, --mokx

Operate on MOK blacklist instead of standard list