About this task
The Machine Owner Key (MOK) facility is a feature that can be used to augment the UEFI Secure Boot key database. When Linux boots on a UEFI-enabled system with Secure Boot enabled, the keys on the MOK list are also added to the system keyring in addition to the keys from the key database. The MOK list keys are also stored persistently and securely in the same fashion as the Secure Boot key database keys, but these are two separate facilities. The MOK facility is supported by the shim first-stage boot loader.
Enrolling a MOK key requires manual interaction by a physically present user at the UEFI system console on each target system.
Follow these steps to add the public key to the MOK list:
- Request addition of the public key to the MOK list using the mokutil user space utility:
# mokutil --import public_key.der
You will be prompted to enter and confirm a password for this MOK enrollment request.
- Reboot the machine.
- The pending MOK key enrollment request will be noticed by the shim first-stage boot loader which completes the enrollment from the UEFI console. The password previously associated with this request must be entered to confirm the enrollment. The public key is now added to the MOK list, which is persistent. Once a key is on the MOK list, it will be automatically propagated to the system key ring on this and subsequent boots when UEFI Secure Boot is enabled.
After the system reboots, verify that the new key is on the system keyring using the keyctl tool from the keyutils package with the following command:
# keyctl list %:.system_keyring
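The verification step can be scripted so that the two halves of the procedure are checked separately: whether shim has the key on the MOK list (mokutil --list-enrolled) and whether the kernel actually loaded it onto the system keyring after the reboot. The following is an added example, not code from the original page; the sample outputs, the fingerprint and the subject names in it are constructed values shaped like the tools' real output.

```shell
#!/bin/sh
# Added example (not from the original page). Checks that a MOK-enrolled
# certificate is present in shim's MOK list and, after the reboot, in the
# kernel system keyring. The sample outputs, fingerprint and subject names
# below are constructed to look like real tool output; they are not real keys.

# Normalise a SHA1 fingerprint: drop colons, lowercase ("AB:cd" -> "abcd").
norm_fp() { printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z'; }

# stdin: output of `mokutil --list-enrolled`.
# Return 0 if a "SHA1 Fingerprint:" line matches the given fingerprint.
moklist_has_fingerprint() {
    want=$(norm_fp "$1")
    sed -n 's/^SHA1 Fingerprint: *//p' | tr -d ':' | tr 'A-Z' 'a-z' \
        | grep -qx -- "$want"
}

# stdin: output of `keyctl list %:.system_keyring`.
# Return 0 if an asymmetric key whose description contains SUBJECT is present.
keyring_has_subject() {
    grep 'asymmetric:' | grep -Fq -- "$1"
}

# Live check on a real system (run as root). Exit codes:
#   0  key is on the MOK list and loaded onto the system keyring
#   1  key not on the MOK list (run mokutil --import, then reboot and confirm)
#   2  key on the MOK list but not on the keyring (reboot still pending,
#      or UEFI Secure Boot is disabled so MOK keys are not propagated)
#   3  mokutil or keyctl (package keyutils) is not installed
verify_mok_key() {
    fp="$1"; subject="$2"
    command -v mokutil >/dev/null 2>&1 && command -v keyctl >/dev/null 2>&1 || return 3
    mokutil --list-enrolled | moklist_has_fingerprint "$fp" || return 1
    keyctl list %:.system_keyring | keyring_has_subject "$subject" || return 2
}

# Constructed sample outputs for exercising the parsers offline.
SAMPLE_MOKLIST='[key 1]
SHA1 Fingerprint: 89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef
Certificate:
    Data:
        Subject: CN=My Company MOK Signing Key'
SAMPLE_KEYRING='2 keys in keyring:
 123456789: ---lswrv     0     0 asymmetric: Example Distro Secure Boot CA: 0123456789abcdef0123456789abcdef01234567
 234567890: ---lswrv     0     0 asymmetric: My Company MOK Signing Key: 89abcdef0123456789abcdef0123456789abcdef'
```

On a live system, call verify_mok_key with the fingerprint of public_key.der and its subject CN; an exit code of 2 after mokutil --import means the shim enrollment prompt at the console was not completed or Secure Boot is off.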