Provided by: mokutil_0.6.0-2~18.04.1_amd64 bug

NAME
       mokutil - utility to manipulate machine owner keys


SYNOPSIS
       mokutil [--list-enrolled | -l]
               ([--mokx | -X])
       mokutil [--list-new | -N]
               ([--mokx | -X])
       mokutil [--list-delete | -D]
               ([--mokx | -X])
       mokutil [--import keylist| -i keylist]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
                [--mokx | -X] | [--ca-check] | [--ignore-keyring])
       mokutil [--delete keylist | -d keylist]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
                [--mokx |- X])
       mokutil [--revoke-import]
               ([--mokx | -X])
       mokutil [--revoke-delete]
               ([--mokx | -X])
       mokutil [--export | -x]
       mokutil [--password | -p]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P])
       mokutil [--clear-password | -c]
       mokutil [--disable-validation]
       mokutil [--enable-validation]
       mokutil [--sb-state]
       mokutil [--test-key keyfile | -t keyfile]
               ([--mokx | -X] | [--ca-check] | [--ignore-keyring])
       mokutil [--reset]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
                [--mok | -X])
       mokutil [--generate-hash=password | -gpassword]
       mokutil [--ignore-db]
       mokutil [--use-db]
       mokutil [--import-hash hash]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
                [--mokx | -X])
       mokutil [--delete-hash hash]
               ([--hash-file hashfile | -f hashfile] | [--root-pw | -P] |
                [--mokx | -X])
       mokutil [--set-verbosity (true | false)]
       mokutil [--set-fallback-verbosity (true | false)]
       mokutil [--set-fallback-noreboot (true | false)]
       mokutil [--pk]
       mokutil [--kek]
       mokutil [--db]
       mokutil [--dbx]
       mokutil [--list-sbat-revocations]
       mokutil [--set-sbat-policy (latest | previous | delete)]
       mokutil [--timeout -1,0..0x7fff]


DESCRIPTION
       mokutil is a tool to import or delete the machines owner keys (MOK) stored in the database of shim.


OPTIONS
       -l, --list-enrolled
              List the keys the already stored in the database

       -N, --list-new
              List the keys to be enrolled

       -D, --list-delete
              List the keys to be deleted

       -i, --import
              Collect  the  following  files  and  form  an  enrolling request to shim. The files must be in DER
              format.

       -d, --delete
              Collect the following files and form a deleting request to shim. The files must be in DER format.

       --revoke-import
              Revoke the current import request (MokNew)

       --revoke-delete
              Revoke the current delete request (MokDel)

       -x, --export
              Export the keys stored in MokListRT

       -p, --password
              Setup the password for MokManager (MokPW)

       -c, --clear-password
              Clear the password for MokManager (MokPW)

       --disable-validation
              Disable the validation process in shim

       --enable-validation
              Enable the validation process in shim

       --sb-state
              Show SecureBoot State

       -t, --test-key
              Test if the key is enrolled or not

       --reset
              Reset MOK list

       --generate-hash
              Generate the password hash

       --hash-file
              Use the password hash from a specific file

       -P, --root-pw
              Use the root password hash from /etc/shadow

       --ignore-db
              Tell shim to not use the keys in db to verify EFI images

       --use-db
              Tell shim to use the keys in db to verify EFI images (default)

       -X, --mokx
              Manipulate the MOK blacklist (MOKX) instead of the MOK list

       --import-hash
              Create an enrolling request for the hash of a key in  DER  format.  Note  that  this  is  not  the
              password hash.

       --delete-hash
              Create  a deleting request for the hash of a key in DER format. Note that this is not the password
              hash.

       --set-verbosity
              Set the SHIM_VERBOSE to make shim more or less verbose

       --set-fallback-verbosity
              Set the FALLBACK_VERBOSE to make fallback more or less verbose

       --set-fallback-noreboot
              Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system

       --pk   List the keys in the public Platform Key (PK)

       --kek  List the keys in the Key Exchange Key Signature database (KEK)

       --db   List the keys in the secure boot signature store (db)

       --dbx  List the keys in the secure boot blacklist signature store (dbx)

       --list-sbat-revocations
              List the entries in the Secure Boot Advanced Targeting store (SBAT)

       --set-sbat-policy (latest | previous | delete)
              Set the SbatPolicy UEFI Variable to have shim  apply  either  the  latest  or  the  previous  SBAT
              revocations.   If  UEFI Secure Boot is disabled, then delete will reset the SBAT revocations to an
              empty revocation list.  While latest and previous are persistent  configuration,  delete  will  be
              cleared  by  shim on the next boot whether or not it succeeds. The default behavior is for shim to
              apply the previous revocations.

       --timeout
              Set the timeout for MOK prompt

       --ca-check
              Check if the CA of the given key is already enrolled or blocked in the key databases.

       --ignore-keyring
              Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList