(lwn.net)

253 points pabs3 | 3 comments | 18 Jul 25 03:53 UTC | HN request time: 0.93s | source

1. xiconfjs ◴[18 Jul 25 08:26 UTC] No.44602485[source]▶

Is there a reliable command in Ubutu to check for the secure boot key and its expiration date?

replies(1): >>44602679 #

2. porridgeraisin ◴[18 Jul 25 09:13 UTC] No.44602679[source]▶

>>44602485 (TP) #

mokutil

Check its various options

The 'Validity' field in the output will tell you the expiration date.

replies(1): >>44603061 #

3. eqvinox ◴[18 Jul 25 10:20 UTC] No.44603061[source]▶

>>44602679 #

mokutil is technically the wrong tool for this, it lists shim-installed machine owner keys (MOK). This is about UEFI-installed key exchange keys (KEK). If you don't know what's going on you'll be very confused about empty key lists. It can in fact show KEKs but you need to know that this is a KEK thing to begin with…

  mokutil --kek | egrep '(Not |Subject:|^[^ ])'

is the magic incantation if you really want to use mokutil

↑

Linux and Secure Boot certificate expiration