What is mokutil?
mokutil is a Linux command-line utility used to manage Machine Owner Keys (MOKs) on systems that use UEFI Secure Boot. It provides a way for users to enroll, delete, or list keys (certificates) that the bootloader and the Linux kernel will trust at boot under UEFI Secure Boot.
In essence, mokutil bridges the gap between Secure Boot and user-installed kernel modules or drivers.
What does mokutil do?
- Enrolls user-generated keys so custom kernel modules (like NVIDIA drivers or VirtualBox modules) can be loaded with Secure Boot enabled.
- Deletes or revokes keys that are no longer needed or trusted.
- Lists enrolled MOKs and UEFI Secure Boot status.
- Queues these key changes from user space; each change is confirmed in the MOK Manager screen at the next reboot.
Why is this needed?
When Secure Boot is enabled:
- The system only allows loading drivers and kernels signed with trusted certificates.
- If you install a third-party module (e.g., NVIDIA or VirtualBox modules built through DKMS), it will be rejected unless it is signed with a key that has been enrolled as a trusted MOK.
Who Should Use mokutil?
- Linux power users and developers compiling their own kernel or kernel modules.
- System administrators setting up enterprise machines with Secure Boot.
- Anyone using DKMS (Dynamic Kernel Module Support) packages like NVIDIA, VirtualBox, or VMware on a system with Secure Boot enabled.
- Security-conscious users who want the benefits of Secure Boot without giving up flexibility.
Installing mokutil on Linux
✅ Debian/Ubuntu-based systems:
sudo apt update
sudo apt install mokutil
✅ RHEL/CentOS/Fedora-based systems:
sudo dnf install mokutil
or on older CentOS:
sudo yum install mokutil
✅ Arch Linux:
sudo pacman -S mokutil
To verify installation:
mokutil --version
How to Use mokutil
📌 1. Check if Secure Boot is Enabled
mokutil --sb-state
Output will show either:
SecureBoot enabled
or:
SecureBoot disabled
📌 2. List Currently Enrolled MOKs
mokutil --list-enrolled
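Listing keys is also the natural place to audit them: a MOK that nobody on your team enrolled means someone with root and console access added a signer the firmware now trusts. The script below is an added example, not from the original post; it summarizes the listing into one line per key and flags fingerprints missing from an allowlist. It assumes the "[key N]" / "SHA1 Fingerprint:" / "Subject:" layout that mokutil --list-enrolled prints (openssl x509 -text style); the sample listing, the subject names and the fingerprints are constructed for offline use.

```sh
#!/bin/sh
# Added example, not from the original post: audit the enrolled MOK list
# against an allowlist of SHA1 fingerprints you expect to see.
# Assumes the "[key N]" / "SHA1 Fingerprint:" / "Subject:" layout that
# mokutil --list-enrolled prints (openssl x509 -text style output).

# Constructed sample of `mokutil --list-enrolled` output so this runs offline;
# on a live system pipe the real command into the functions below instead.
sample_list_enrolled() {
cat <<'EOF'
[key 1]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Issuer: CN = Example Corp MOK
        Subject: CN = Example Corp MOK
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
[key 2]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00
Certificate:
    Data:
        Issuer: CN = Unknown Vendor MOK
        Subject: CN = Unknown Vendor MOK
EOF
}

# Reduce the verbose listing on stdin to one "fingerprint|subject" line per key.
# "Subject Public Key Info:" does not match because no colon follows "Subject".
mok_summarize() {
    awk '
        /^SHA1 Fingerprint:/ { fp = $3 }
        /^ *Subject:/        { sub(/^ *Subject: */, ""); print fp "|" $0 }
    '
}

# Print "fingerprint subject" for every enrolled key whose fingerprint is not
# in the allowlist file (one fingerprint per line, compared case-insensitively).
mok_unexpected() {
    allow="$1"
    mok_summarize | while IFS='|' read -r fp subject; do
        grep -qixF "$fp" "$allow" || printf '%s %s\n' "$fp" "$subject"
    done
}

# Return 1 (and report on stderr) when any unexpected key is enrolled, so the
# check can fail a configuration-management or monitoring run.
mok_audit() {
    unexpected=$(mok_unexpected "$1")
    [ -z "$unexpected" ] || { printf 'unexpected MOK(s) enrolled:\n%s\n' "$unexpected" >&2; return 1; }
}

# Usage on a real system: mokutil --list-enrolled | mok_audit /etc/mok-allowlist.txt
```

The allowlist path and the sample keys are placeholders. Keep the allowlist under the same change control as the keys themselves, since an attacker who can edit it can also hide an extra signer.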
📌 3. Enroll a New MOK Key
Suppose you created your own key:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 365
Convert it to DER format:
openssl x509 -in MOK.crt -outform DER -out MOK.der
Then enroll it:
sudo mokutil --import MOK.der
⚠️ After running this command, you'll be prompted to set a password.
On next reboot, a MOK Manager screen appears before booting Linux. You’ll need to select “Enroll MOK” → “Continue” → Enter the password you created → “Yes” → Reboot. Now your key is trusted and you can sign your kernel modules with it.
📌 4. Revoke/Delete a MOK Key
To delete a key:
sudo mokutil --delete MOK.der
(You’ll go through the same MOK manager screen during the next reboot.)
Common Use Case: Signing Third-Party Modules
- Enable Secure Boot in UEFI BIOS settings.
- Generate your own key pair and sign your kernel modules:
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 MOK.key MOK.crt /path/to/module.ko
- Enroll your key using mokutil.
- Reboot and enroll the MOK from the MOK Manager UI.
- Load your module — it will now work with Secure Boot.
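The steps above are usually typed one at a time; the script below is an added example, not from the original post, that wraps the signing step with the checks an operator wants before trusting a module: it normalizes the mokutil --sb-state text, refuses to sign with a private key that other users can read, and confirms that sign-file actually appended a signature (the kernel ends a signed module with the marker "~Module signature appended~" plus a newline). MOK_KEY, MOK_CRT and SIGN_FILE are placeholder defaults you override for your own paths; the module path is taken from the first argument.

```sh
#!/bin/sh
# Added example, not from the original post: wraps the signing procedure
# above with the checks an operator wants before trusting a module.
# MOK_KEY, MOK_CRT and SIGN_FILE are placeholder defaults; override them
# in the environment to match your own paths.

MOK_KEY="${MOK_KEY:-MOK.key}"
MOK_CRT="${MOK_CRT:-MOK.crt}"
SIGN_FILE="${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}"

# The kernel appends this marker (followed by a newline, 28 bytes in total)
# after the signature it attaches to a module.
SIG_MARKER='~Module signature appended~'

# Reduce the text printed by `mokutil --sb-state` to one word.
sb_state() {
    case "$1" in
        "SecureBoot enabled"*)  echo enabled ;;
        "SecureBoot disabled"*) echo disabled ;;
        *)                      echo unknown ;;  # e.g. "EFI variables are not supported on this system"
    esac
}

# The private key must be readable by its owner only: whoever holds it can
# sign modules that the firmware and kernel will then trust.
key_perms_ok() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# True when the file ends with the kernel's signature marker.
module_is_signed() {
    [ -f "$1" ] && [ "$(tail -c 28 "$1")" = "$SIG_MARKER" ]
}

# Sign one module with sign-file and confirm the marker was appended.
sign_module() {
    mod="$1"
    key_perms_ok "$MOK_KEY" || { echo "refusing to sign: fix permissions on $MOK_KEY (chmod 600)" >&2; return 1; }
    "$SIGN_FILE" sha256 "$MOK_KEY" "$MOK_CRT" "$mod" || return 1
    module_is_signed "$mod"
}

# Usage: sh sign-and-check.sh /path/to/module.ko
main() {
    case "$(sb_state "$(mokutil --sb-state 2>/dev/null)")" in
        enabled)  echo "Secure Boot is on: the module must be signed with an enrolled MOK" ;;
        disabled) echo "Secure Boot is off: signing is optional" ;;
        *)        echo "cannot determine Secure Boot state (is efivarfs mounted?)" ;;
    esac
    sign_module "$1" && echo "signed: $1"
}

if [ -n "${1:-}" ]; then
    main "$1"
fi
```

The permission check is deliberately strict: the openssl command earlier in this post uses -nodes, so MOK.key sits on disk unencrypted and file permissions are the only thing protecting it. The marker check only proves a signature block is present; the kernel still verifies it against the enrolled MOK when the module is loaded.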
Uses and Risks of Using mokutil
Uses
- Allows flexibility with Secure Boot.
- Lets you use custom or third-party kernel modules without disabling Secure Boot.
- Maintains UEFI Secure Boot compliance.
- Useful in enterprises for managing signed module infrastructure.
Risks
- Every module signed with an enrolled MOK will load, so enrolling a key you do not control, or signing modules you have not reviewed, extends Secure Boot's trust to them.
- MOK keys must be securely generated and stored — leaked keys are a threat.
- The MOK Manager relies on physical presence at the console, so with physical access and weak firmware settings (no firmware password, boot order unlocked) an attacker could enroll their own key; set a firmware password and audit the enrolled list regularly.
Final Thoughts
mokutil is an essential utility for any Linux user dealing with Secure Boot, custom drivers, or third-party kernel modules. It provides a user-friendly bridge to manage trusted keys within the Secure Boot infrastructure, balancing security with flexibility.
Use mokutil wisely: it gives you control — but with great power comes great responsibility.