How to use the command 'mokutil' (with examples)
- Linux
- December 25, 2023
The ‘mokutil’ command is used to configure Secure Boot Machine Owner Keys (MOK). Secure Boot is a feature in modern computer systems that ensures only trusted software is allowed to run during the boot process. MOK is a mechanism provided by UEFI (Unified Extensible Firmware Interface) that allows users to manage the keys used for validating the software allowed to run on their system.
Use case 1: Show if Secure Boot is enabled
Code:
mokutil --sb-state
Motivation: By checking if Secure Boot is enabled, users can ensure that their system is protected against unauthorized software during the boot process.
Explanation:
- mokutil is the command itself.
- --sb-state is the argument used to check if Secure Boot is enabled.
Example output:
SecureBoot enabled
Use case 2: Enable Secure Boot
Code:
mokutil --enable-validation
Motivation: Enabling Secure Boot ensures that only trusted software is allowed to run on the system, providing an additional layer of protection against boot-level attacks.
Explanation:
- mokutil is the command itself.
- --enable-validation is the argument used to enable Secure Boot. The request is recorded together with the password you enter, and it is confirmed on the next reboot by the MokManager boot menu, where the same password must be typed in.
Example output:
SecureBoot disabled, enable it?
Password: <enter password>
Use case 3: Disable Secure Boot
Code:
mokutil --disable-validation
Motivation: Disabling Secure Boot may be necessary to allow the installation of unsigned or self-built software that is not recognized by the system’s secure boot policy.
Explanation:
- mokutil is the command itself.
- --disable-validation is the argument used to disable Secure Boot. As with enabling, the change is queued and only takes effect after the next reboot, when MokManager asks for the password to confirm it.
Example output:
SecureBoot enabled, disable it?
Password: <enter password>
Use case 4: List enrolled keys
Code:
mokutil --list-enrolled
Motivation: Listing the enrolled keys allows users to verify which keys are currently being used to validate the software during the boot process. This can help identify any unauthorized or unwanted keys.
Explanation:
- mokutil is the command itself.
- --list-enrolled is the argument used to list the enrolled keys.
Example output:
Enrolled keys:
1. [xxxxxxxxxxxxxxx] <key description>
2. [xxxxxxxxxxxxxxx] <key description>
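The motivation above mentions using the listing to spot unwanted keys. As an added example that is not part of the original page or of mokutil itself, the following Python script parses the per-key output and flags any enrolled key whose fingerprint is not on an allow-list. The sample listing is constructed in the layout mokutil prints (a `[key N]` header, a `SHA1 Fingerprint:` line, then openssl-style certificate text); the fingerprints and subject names in it are made up.

```python
import re
import subprocess
from typing import Dict, Iterable, List

# Constructed sample in the layout of `mokutil --list-enrolled`;
# fingerprints and subjects are invented for this example.
SAMPLE_LISTING = """\
[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Example Linux Secure Boot Signing
        Subject: CN=Example Linux Secure Boot Signing
[key 2]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=unknown-workstation-mok
        Subject: CN=unknown-workstation-mok
"""

KEY_HEADER = re.compile(r"^\[key (\d+)\]$")
FINGERPRINT = re.compile(r"^SHA1 Fingerprint:\s*([0-9a-fA-F:]+)$")
SUBJECT = re.compile(r"^\s*Subject:\s*(.+)$")  # "Subject Public Key Info:" does not match

def parse_enrolled(listing: str) -> List[Dict[str, str]]:
    """Split mokutil's per-key listing into {fingerprint, subject} records."""
    keys: List[Dict[str, str]] = []
    for line in listing.splitlines():
        if KEY_HEADER.match(line):
            keys.append({"fingerprint": "", "subject": ""})
        elif keys and (m := FINGERPRINT.match(line)):
            keys[-1]["fingerprint"] = m.group(1).lower()
        elif keys and (m := SUBJECT.match(line)) and not keys[-1]["subject"]:
            keys[-1]["subject"] = m.group(1).strip()  # first Subject line = end-entity cert
    return keys

def unexpected_keys(listing: str, allowed_fingerprints: Iterable[str]) -> List[Dict[str, str]]:
    """Return every enrolled key whose fingerprint is not on the allow-list (case-insensitive)."""
    allowed = {fp.lower() for fp in allowed_fingerprints}
    return [k for k in parse_enrolled(listing) if k["fingerprint"] not in allowed]

def read_live_listing() -> str:
    """Read the real listing from the local machine; this subcommand needs no password."""
    return subprocess.run(["mokutil", "--list-enrolled"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    allow = ["11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44"]
    for k in unexpected_keys(SAMPLE_LISTING, allow):
        print(f"unexpected MOK: {k['fingerprint']} ({k['subject']})")
```

Replace `SAMPLE_LISTING` with `read_live_listing()` to audit the running system; the allow-list should hold the fingerprints of the keys you deliberately enrolled.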
Use case 5: Enroll a new key
Code:
mokutil --import path/to/key.der
Motivation: Enrolling a new key allows users to add trusted keys to the system, enabling the validation of software during the boot process.
Explanation:
- mokutil is the command itself.
- --import is the argument used to specify the path to the key file in DER format. The key is not enrolled immediately: it is queued as pending (see use case 6) and is written to the MOK list by MokManager on the next reboot, after the password entered here is typed in again.
Example output:
Importing key from 'path/to/key.der'...
Password: <enter password>
Use case 6: List the keys to be enrolled
Code:
mokutil --list-new
Motivation: Listing the keys to be enrolled provides users with information about which keys are pending enrollment. This can be useful to ensure that the correct keys are being added to the system.
Explanation:
- mokutil is the command itself.
- --list-new is the argument used to list the keys to be enrolled.
Example output:
The following keys are pending enrollment:
1. [xxxxxxxxxxxxxxx] <key description>
2. [xxxxxxxxxxxxxxx] <key description>
Use case 7: Set shim verbosity
Code:
mokutil --set-verbosity true
Motivation: Setting the shim verbosity allows users to control the level of output displayed by the shim bootloader, which is responsible for validating the software during the boot process.
Explanation:
- mokutil is the command itself.
- --set-verbosity is the argument used to set the shim verbosity level.
- true is the value passed to the --set-verbosity argument, indicating that verbose output from shim should be turned on.
Example output:
Shim verbosity set to true
Conclusion:
The ‘mokutil’ command provides a comprehensive set of options to manage Secure Boot Machine Owner Keys (MOK) on a system. By using this command, users can enable or disable Secure Boot, enroll new keys, list enrolled keys, and control the verbosity of the shim bootloader. This allows for greater control over the security and trustworthiness of the software running during the system boot process.