mokutil: Enroll a new key.
$ mokutil --import ${path-to-key-der}

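The command "mokutil --import ${path-to-key-der}" is used to import a Machine Owner Key (MOK) into the system's firmware. The import is not immediate: mokutil asks for a one-time password and queues the request, and the key is enrolled at the next reboot, when the MOK manager prompts for that password.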

MOK is a feature primarily used on Linux systems that allows users to install and use third-party kernel modules that are not signed by the system's Secure Boot key. Secure Boot is a security mechanism that verifies the authenticity and integrity of the system's firmware and bootloaders, ensuring only trusted software is executed during the boot process.

When Secure Boot is enabled, the system will only load modules signed by a trusted key, which can prevent the installation or operation of certain software components. However, if a user signs such a module with their own key, they can import the matching MOK into the system's firmware to authorize the module's use.

In the given command, "${path-to-key-der}" represents the file path to the MOK in DER (Distinguished Encoding Rules) format. This is typically a binary file that contains the MOK's public key data as an X.509 certificate; the private signing key is not part of it. Once the import is completed, the system will trust kernel modules signed with the private key that corresponds to the MOK.
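A pre-flight check for the file passed to "mokutil --import", as an added example that is not part of the original page or of the mokutil project: it rejects PEM text and non-certificate files and prints the subject, expiry and SHA-256 fingerprint of what would be enrolled. The function names check_mok_der and enroll_mok are hypothetical; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example. check_mok_der and enroll_mok are hypothetical helper names,
# not mokutil features. Assumes the openssl command-line tool is available.

# Return 0 only if "$1" is a readable, DER-encoded X.509 certificate.
check_mok_der() {
    cert=$1
    [ -r "$cert" ] || { echo "cannot read: $cert" >&2; return 2; }

    # PEM is base64 text with a BEGIN marker; mokutil --import expects binary DER.
    if head -c 11 "$cert" | grep -q -- '-----BEGIN'; then
        echo "PEM input; convert with: openssl x509 -in $cert -outform DER -out cert.der" >&2
        return 3
    fi

    # Parsing as a DER certificate fails for private keys, truncated files, etc.
    if ! openssl x509 -inform DER -in "$cert" -noout 2>/dev/null; then
        echo "not a DER X.509 certificate: $cert" >&2
        return 4
    fi

    # Show exactly what would become trusted, so it can be reviewed first.
    openssl x509 -inform DER -in "$cert" -noout -subject -enddate -fingerprint -sha256
}

# Queue the certificate for enrollment. Needs root and a UEFI system using shim.
enroll_mok() {
    check_mok_der "$1" || return
    mokutil --import "$1" || return   # prompts for the one-time password
    mokutil --list-new                # lists keys pending enrollment at next boot
}

# Usage (not run here): enroll_mok /path/to/MOK.der
```

After the reboot and MOK manager confirmation, "mokutil --test-key" on the same file reports whether the key is enrolled.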

This explanation was created by an AI. In most cases such explanations are correct, but please always be careful and never run a command unless you are sure it is safe.