Harnessing the Power of Mokutil for Secure Boot Management (with examples)
- Linux
- December 17, 2024
Mokutil is a versatile command-line utility specifically designed for systems using UEFI firmware to manage Machine Owner Keys (MOK) associated with Secure Boot. Secure Boot is a security feature that ensures that only trusted software is allowed to run during the system start-up process. Mokutil enables you to configure Secure Boot settings by allowing you to view the current state, modify settings, and manage keys on your system. In this article, we will explore how to use mokutil through several practical examples.
Use case 1: Show if Secure Boot is enabled
Code:
mokutil --sb-state
Motivation:
Knowing whether Secure Boot is enabled on your system is crucial for maintaining a secure boot environment. Secure Boot ensures that your system only runs software that is trusted by the firmware. By verifying the Secure Boot state, you can ensure that your machine is safeguarded against malicious software during the boot process, maintaining the integrity of your system.
Explanation:
mokutil: This is the command-line utility used to interact with Machine Owner Keys and Secure Boot configurations.
--sb-state: This option queries the system to check the current status of Secure Boot. It tells you whether Secure Boot is currently enabled or disabled on your machine.
Example Output:
SecureBoot enabled
This output indicates that Secure Boot is currently active on your system. If Secure Boot were disabled, you would see SecureBoot disabled instead.
Use case 2: Enable Secure Boot
Code:
mokutil --enable-validation
Motivation:
Enabling Secure Boot is an essential step for users who wish to adopt a more secure computing environment where the integrity of the boot process is protected. By activating Secure Boot, you ensure that only verified and signed applications and drivers are allowed to load during the system’s startup. This greatly mitigates the risk of rootkits and other malware.
Explanation:
mokutil: This command calls the Mokutil utility.
--enable-validation: This flag enables the validation checks of Secure Boot, effectively turning on the Secure Boot feature if it was previously disabled.
After running this command, you will typically be prompted to reboot your system to apply the changes.
Example Output:
This change takes effect after a reboot
Use case 3: Disable Secure Boot
Code:
mokutil --disable-validation
Motivation:
While Secure Boot is a valuable security feature, there are scenarios where disabling it is necessary. For instance, certain hardware drivers or utilities that do not have signed versions may require Secure Boot to be turned off. Disabling Secure Boot can provide the flexibility to run or test these unsigned software components without restriction.
Explanation:
mokutil: The command-line tool for managing Secure Boot and MOK.
--disable-validation: This argument disables the validation mechanism of Secure Boot, thus turning off this security feature.
As with enabling Secure Boot, applying this configuration change requires a system reboot.
Example Output:
This change takes effect after a reboot
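Use cases 1 to 3 are easier to act on from a fleet or compliance script when the output of mokutil --sb-state is classified rather than read by eye. The following is an added example and not code from the article or from the mokutil project: classify_sb_state maps the output to a single token, including the extra line mokutil prints once --disable-validation has taken effect after a reboot, and check_sb_state fails when a machine is not in the expected state. The sample outputs are constructed and the token names are my own.

```shell
#!/bin/sh
# Added example: classify `mokutil --sb-state` output so a script can act on it.
# classify_sb_state reads the output on stdin and prints one token:
#   enabled             - firmware Secure Boot on, shim validating
#   shim-validation-off - firmware Secure Boot on, but validation switched off
#                         in shim with `mokutil --disable-validation`
#   disabled            - firmware Secure Boot off
#   unknown             - anything else (no EFI variables, mokutil error, ...)
classify_sb_state() {
    out=$(cat)
    case "$out" in
        # The shim line comes second, after "SecureBoot enabled", so test it first.
        *"validation is disabled in shim"*) echo shim-validation-off ;;
        *"SecureBoot enabled"*)             echo enabled ;;
        *"SecureBoot disabled"*)            echo disabled ;;
        *)                                  echo unknown ;;
    esac
}

# check_sb_state [EXPECTED]: run mokutil (if installed) and return non-zero
# when the machine is not in the expected state (default: enabled).
check_sb_state() {
    expected=${1:-enabled}
    if ! command -v mokutil >/dev/null 2>&1; then
        echo "mokutil is not installed" >&2
        return 2
    fi
    state=$(mokutil --sb-state 2>/dev/null | classify_sb_state)
    if [ "$state" = "$expected" ]; then
        echo "Secure Boot state: $state (as expected)"
        return 0
    fi
    echo "Secure Boot state: $state (expected $expected)" >&2
    return 1
}

# Constructed sample outputs, shaped like what mokutil prints. The second one is
# what you see after `mokutil --disable-validation` and a reboot: the firmware
# still reports Secure Boot as enabled, only shim has stopped validating.
SAMPLE_ENABLED='SecureBoot enabled'
SAMPLE_SHIM_OFF='SecureBoot enabled
SecureBoot validation is disabled in shim'
SAMPLE_DISABLED='SecureBoot disabled'

# Usage on a real machine:
#   check_sb_state enabled || echo "remediation needed"
```

The distinction between "disabled" and "shim-validation-off" matters for an audit: after --disable-validation the firmware-level Secure Boot is still on, so a check that only greps for "SecureBoot enabled" would report the machine as fully protected.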
Use case 4: List enrolled keys
Code:
mokutil --list-enrolled
Motivation:
Listing the enrolled keys gives you an overview of all the current keys that are recognized by the Secure Boot mechanism on your system. This is especially useful for audit and security compliance, allowing you to verify that only the appropriate keys are enrolled and potentially remove unexpected or unauthorized entries.
Explanation:
mokutil: Invokes the Mokutil utility.
--list-enrolled: This flag produces a list of all keys that have been previously enrolled within the system’s MOK database.
Example Output:
[key 1 details...]
[key 2 details...]
...
This output provides the details of each enrolled key, such as the key owner (the certificate subject) and its fingerprint.
Use case 5: Enroll a new key
Code:
mokutil --import path/to/key.der
Motivation:
Enrolling a new key is essential when you are adding new trusted software or operating systems whose keys are not initially present in the MOK database. By importing these keys, you can ensure a smooth boot process for new or updated software components that come with their specific signed keys.
Explanation:
mokutil: Executes the Mokutil utility.
--import: This argument specifies that you are importing a new key into the MOK list.
path/to/key.der: This is the path to the DER-encoded key file that you wish to enroll.
After executing this command, a reboot is typically necessary to complete the enrollment process.
Example Output:
Input Password:
This change takes effect after a reboot
The system will prompt for a password to confirm the enrollment request.
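Before a key is queued with mokutil --import it is worth recording what you are about to trust, so that the entry can be checked against the enrolled list later. The following is an added example, not code from the article or from the mokutil project: it creates a self-signed Machine Owner Key with openssl (the usual way to produce a MOK for signing locally built kernel modules), prints the certificate subject and the SHA1 fingerprint in the same colon-separated form mokutil shows for enrolled keys, and queues the DER file. The directory, the subject name and the validity period are assumptions; openssl is required. The password mokutil asks for at import time is the one MokManager requests again at the next boot before it actually enrolls the key.

```shell
#!/bin/sh
# Added example: prepare a Machine Owner Key and record its identity before
# enrolling it with `mokutil --import`. Paths and names are assumptions.

# make_mok DIR [CN]: create a self-signed MOK (private key + DER certificate)
# in DIR. The private key signs modules; keep it off the machine afterwards.
make_mok() {
    dir=$1
    cn=${2:-"Example MOK"}
    mkdir -p "$dir"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$cn/" \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" 2>/dev/null
    chmod 600 "$dir/MOK.priv"
}

# mok_sha1 FILE.der: print the colon-separated SHA1 fingerprint, the form
# `mokutil --list-enrolled` prints, so the two can be compared after reboot.
mok_sha1() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# mok_subject FILE.der: print the certificate subject (the "key owner").
mok_subject() {
    openssl x509 -inform DER -in "$1" -noout -subject | sed 's/^subject=//'
}

# enroll_mok FILE.der: show what is about to be trusted, then queue it.
# mokutil prompts for a password; MokManager asks for it at the next boot.
enroll_mok() {
    echo "Queuing MOK for enrollment:"
    echo "  subject:  $(mok_subject "$1")"
    echo "  sha1:     $(mok_sha1 "$1")"
    mokutil --import "$1"
}

# Usage on a real machine:
#   make_mok /root/mok "My DKMS MOK" && enroll_mok /root/mok/MOK.der
#   (reboot, complete the MokManager dialog, then compare the fingerprint with
#    `mokutil --list-enrolled`)
```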
Use case 6: List the keys to be enrolled
Code:
mokutil --list-new
Motivation:
Before confirming the addition of new keys, it is prudent to review the list of pending keys. This helps in ensuring that only the intended keys are to be enrolled, and prevents unauthorized keys from being added, thereby maintaining the security of the boot process.
Explanation:
mokutil: The command-line utility to manage MOK and Secure Boot settings.
--list-new: This argument lists keys that have been scheduled for enrollment but have not yet been confirmed through a system reboot.
Example Output:
[key details awaiting enrollment...]
[key details awaiting enrollment...]
...
This will output the details of each key that is slated for future enrollment after a reboot.
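The review the text recommends for use cases 4 and 6 is the same job on both lists: reduce each key in the output of mokutil --list-enrolled or mokutil --list-new to its fingerprint and subject, then compare against the set you expect. The following is an added example and not code from the article or from the mokutil project. The listing format it parses (a "[key N]" header, a "SHA1 Fingerprint:" line, then the certificate text with its Subject line) follows what mokutil prints; the sample listing below is constructed and abbreviated, not captured from a real machine, and the allowlist file format is my own.

```shell
#!/bin/sh
# Added example: summarize a mokutil key listing and audit it against an
# allowlist of expected SHA1 fingerprints (one fingerprint per line).

# summarize_keys: read a listing on stdin, print one line per key:
#   <number>\t<sha1 fingerprint>\t<subject>
summarize_keys() {
    awk '
        /^\[key [0-9]+\]/ {
            if (n) print n "\t" fp "\t" subj
            n = $0; sub(/^\[key /, "", n); sub(/\]$/, "", n)
            fp = "?"; subj = "?"
        }
        /^SHA1 Fingerprint:/ { fp = $3 }
        # First "Subject:" line only; "Subject Public Key Info:" does not match.
        /^ *Subject:/ && subj == "?" { subj = $0; sub(/^ *Subject: */, "", subj) }
        END { if (n) print n "\t" fp "\t" subj }
    '
}

# audit_keys ALLOWLIST_FILE: read a listing on stdin; print every key whose
# fingerprint is not in the allowlist. Returns 1 if any such key exists.
audit_keys() {
    allow=$1
    unexpected=$(summarize_keys | awk -F '\t' -v allow="$allow" '
        BEGIN { while ((getline line < allow) > 0) if (line != "") ok[tolower(line)] = 1 }
        !(tolower($2) in ok) { print $2 "\t" $3 }
    ')
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Constructed sample listing with two keys; real output carries the full
# certificate dump under each "Certificate:" heading.
SAMPLE_LISTING='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: O=Example Corp, CN=Example Corp Secure Boot CA
        Subject: O=Example Corp, CN=Example Corp Secure Boot CA
[key 2]
SHA1 Fingerprint: de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Local DKMS signing key
        Subject: CN=Local DKMS signing key'

# Usage on a real machine (exit status 1 means an unexpected key is present):
#   mokutil --list-enrolled | audit_keys /etc/mok-allowlist.txt
#   mokutil --list-new      | audit_keys /etc/mok-allowlist.txt
```

Running the same audit over --list-new before rebooting catches a queued key that nobody intended to enroll, while running it over --list-enrolled afterwards confirms that the MOK database contains only the fingerprints recorded at enrollment time.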
Use case 7: Set shim verbosity
Code:
mokutil --set-verbosity true
Motivation:
Setting shim verbosity is useful for diagnostic purposes. When dealing with complex boot issues or validating the behavior of the boot system, enabling verbosity provides detailed debug information about the shim. This can be indispensable during troubleshooting or development.
Explanation:
mokutil: The command used for MOK adjustments.
--set-verbosity: This command argument is used to adjust the verbosity of the shim’s output.
true: This boolean setting enables detailed information logging by the shim during the boot process. Setting it to false reverts to the standard, less verbose logs.
Example Output:
The verbosity level is set to true
The change will take effect after a reboot
By increasing verbosity, the user will be equipped with more context for any issues that may arise during initialization.
Conclusion
Mokutil is an indispensable tool for anyone managing Secure Boot on UEFI-based systems. From enabling or disabling Secure Boot, managing keys, to troubleshooting, Mokutil provides a plethora of commands that give administrators control over system integrity and security. The examples provided here offer practical insights into using Mokutil effectively while keeping your system secure and functional.