{"id":13339072,"url":"https://github.com/MichaelSchaecher/mokey","last_synced_at":"2025-03-11T12:31:12.315Z","repository":{"id":108296047,"uuid":"420870036","full_name":"MichaelSchaecher/mokey","owner":"MichaelSchaecher","description":"Manage shim openssl certificates for efi Secure Boot.","archived":true,"fork":false,"pushed_at":"2021-11-08T15:36:23.000Z","size":140,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-10-24T00:22:14.392Z","etag":null,"topics":["secure-boot","shim","uefi"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MichaelSchaecher.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-25T03:49:17.000Z","updated_at":"2023-10-08T22:20:28.000Z","dependencies_parsed_at":"2023-05-21T13:15:32.759Z","dependency_job_id":null,"html_url":"https://github.com/MichaelSchaecher/mokey","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MichaelSchaecher%2Fmokey","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MichaelSchaecher%2Fmokey/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MichaelSchaecher%2Fmokey/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MichaelSchaecher%2Fmokey/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MichaelSchaecher","download
_url":"https://codeload.github.com/MichaelSchaecher/mokey/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243034811,"owners_count":20225409,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["secure-boot","shim","uefi"],"created_at":"2024-07-29T19:19:01.006Z","updated_at":"2025-03-11T12:31:12.298Z","avatar_url":"https://github.com/MichaelSchaecher.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n\t\u003cimg src=\"images/MOK-manager.png\"\u003e\n\t \u003cbr\u003e\n   \t\t\u003cstrong\u003e\n\t\t\tCreate, manage and sign.\n\t\t\u003c/strong\u003e\n\t\u003c/br\u003e\n\u003c/p\u003e\n\n\u003ch1\u003eWhat is MOK\u003c/h1\u003e\n\n\u003cp align=\"justify\"\u003e\u003cb\u003eMOK\u003c/b\u003e or \u003cb\u003eMachine Owner Key\u003c/b\u003e is a part of a binary set that is signed by \u003ca href=\"https://www.microsoft.com\"\u003e\u003cu\u003eMicrosoft\u003c/u\u003e\u003c/a\u003e to help non-Windows operating systems boot without UEFI Secure Boot being disabled. The main part is the shim.efi bootloader, which only has one job: to load either the primary bootloader or kernel, but only if the binary and/or kernel modules are signed and the certificate is registered. If the.\n\n\u003cp align=\"justify\"\u003eThe downside to MOK is that it is not as secure as the certificates that are installed in the UEFI firmware. With some PCs those certificates can be changed. 
However, doing so can be a process and may end in a computer that cannot boot, so only do so at your own risk.\n\n\u003cp align=\"justify\"\u003eIn order to understand what MOK is, you must first understand how Secure Boot works. The first step in the boot process is that the BIOS looks for a bootable binary. Once one is located, it attempts to load whatever it may be; in most cases this is a bootloader, but before it is loaded the BIOS checks if it is signed and validates the signed file against a public certificate. If, however, the file is not signed or the key that was used does not match, then the system cannot boot.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/secure-boot-violation.png\"\u003e\u003cbr\u003eBootloader not signed or signed with wrong certificate.\u003c/br\u003e\u003c/img\u003e\n\n\u003cp align=\"justify\"\u003eFor operating systems like Ubuntu, Fedora and openSUSE, shim is the UEFI-signed bootloader with only two jobs: verifying that the primary bootloader (usually GRUB) is signed and that the certificate matches what is loaded into its firmware. If the binary passes muster then the initram or kernel is loaded. GRUB by itself doesn't require that a kernel and/or modules be signed unless it is configured to.\n\n\u003cp align=\"justify\"\u003eIf GRUB is not set to load only signed kernels and modules, this can be a small security risk.\n\n\u003ch1\u003eMOKEY (formerly MOKUTIL-KEY)\u003c/h1\u003e\n\n\u003cp align=\"justify\"\u003e\u003cb\u003eMokutil-key\u003c/b\u003e was a bash script that was written very dirtily and did not receive any updates for over a year, mostly because I switched to \u003ca href=\"https://archlinux.org/\"\u003e\u003cu\u003eArch\u003c/u\u003e\u003c/a\u003e and then got stuck on Windows. Sadly, I'm still stuck on Windows, but that is no reason to not do anything with a script that is a fix for a simple problem. 
So after some time gone I started reworking the script file and soon realized that it was becoming a different animal altogether, and like everything in nature evolves, \u003cb\u003eMokutil-key\u003c/b\u003e had to evolve, and so \u003cb\u003emokey\u003c/b\u003e was born.\n\n\u003cp align=\"justify\"\u003eMost Linux-based distributions use MOK for booting with Secure Boot, with the exception of \u003ca href=\"https://archlinux.org/\"\u003e\u003cu\u003eArch\u003c/u\u003e\u003c/a\u003e, but that is not to say that it cannot be done. To learn how to set up Secure Boot on \u003ca href=\"https://archlinux.org/\"\u003e\u003cu\u003eArch\u003c/u\u003e\u003c/a\u003e, follow this \u003ca href=\"https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader\"\u003e\u003cu\u003eguide\u003c/u\u003e\u003c/a\u003e.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"images/UEFI.png\"\u003e\u003cbr\u003eBoot order for UEFI and SHIM.\u003c/br\u003e\u003c/img\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMichaelSchaecher%2Fmokey","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMichaelSchaecher%2Fmokey","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMichaelSchaecher%2Fmokey/lists"}