Create a Linux AMI to support UEFI Secure Boot - Amazon Elastic Compute Cloud

The following procedures describe how to create your own UEFI variable store for secure boot with custom-made private keys. Amazon Linux supports UEFI Secure Boot starting with AL2023 release 2023.1. For more information, see UEFI Secure Boot in the AL2023 User Guide.

Important

The following procedures for creating an AMI to support UEFI Secure Boot are intended for advanced users only. You must have sufficient knowledge of SSL and Linux distribution boot flow to use these procedures.

Prerequisites

Newly created instances without UEFI Secure Boot keys are created in SetupMode, which allows you to enroll your own keys. Some AMIs come preconfigured with UEFI Secure Boot and you cannot change the existing keys. If you want to change the keys, you must create a new AMI based on the original AMI.

You have two ways to propagate the keys in the variable store, which are described in Option A and Option B that follow. Option A describes how to do this from within the instance, mimicking the flow of real hardware. Option B describes how to create a binary blob, which is then passed as a base64-encoded file when you create the AMI. For both options, you must first create the three key pairs, which are used for the chain of trust.
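The three key pairs form the chain of trust: the Platform Key (PK) authorizes changes to the Key Exchange Key (KEK), and the KEK authorizes changes to the signature database (db). The script below is an added example, not from the AWS documentation or Amazon Linux: it generates the three RSA key pairs and self-signed certificates with openssl, checks each pair, and, where efitools is installed, converts each certificate into an EFI signature list and signs the update with the key one level up the chain (PK self-signed, KEK signed by PK, db signed by KEK), which is the form a variable-store update takes. The output directory, key size, validity period, subject names and owner GUID are illustrative choices, not values from the page.

```shell
#!/bin/sh
# Added example (not from the AWS docs): create PK, KEK and db key pairs for
# UEFI Secure Boot and, when efitools is available, the signed .auth updates.
# Assumes openssl is on PATH. Directory, sizes, names and GUID are constructed.
set -eu

KEYDIR="${KEYDIR:-./sb-keys}"   # where keys, certs and signature lists are written
KEY_BITS=4096                   # RSA key size
DAYS=3650                       # certificate validity
# Constructed owner GUID recorded in the signature list; replace with your own.
OWNER_GUID="11111111-2222-3333-4444-555555555555"

# Create an RSA key pair and self-signed certificate for one Secure Boot role.
# $1 = short name (PK, KEK or db), $2 = certificate common name.
gen_key_pair() {
    name=$1; cn=$2
    mkdir -p "$KEYDIR"
    openssl req -new -x509 -newkey "rsa:$KEY_BITS" -nodes -sha256 \
        -subj "/CN=$cn" -days "$DAYS" \
        -keyout "$KEYDIR/$name.key" -out "$KEYDIR/$name.crt" 2>/dev/null
    # DER copy of the certificate, the encoding enrolled into the variable store.
    openssl x509 -in "$KEYDIR/$name.crt" -outform DER -out "$KEYDIR/$name.cer"
}

# Sanity-check one pair before enrolling it: the certificate must be
# self-signed (issuer == subject) and carry the public half of the private key.
check_key_pair() {
    name=$1
    subj=$(openssl x509 -in "$KEYDIR/$name.crt" -noout -subject)
    issuer=$(openssl x509 -in "$KEYDIR/$name.crt" -noout -issuer)
    [ "${subj#subject=}" = "${issuer#issuer=}" ] || return 1
    key_mod=$(openssl rsa -in "$KEYDIR/$name.key" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$KEYDIR/$name.crt" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ]
}

# Build the EFI signature list for a certificate and sign the variable update
# with the key above it in the chain. $1 = cert name, $2 = UEFI variable name,
# $3 = name of the signing pair. Skipped (with a message) if efitools is absent.
make_signed_update() {
    name=$1; var=$2; signer=$3
    if ! command -v cert-to-efi-sig-list >/dev/null 2>&1; then
        echo "efitools not installed; skipping signed update for $name" >&2
        return 0
    fi
    cert-to-efi-sig-list -g "$OWNER_GUID" "$KEYDIR/$name.crt" "$KEYDIR/$name.esl"
    sign-efi-sig-list -g "$OWNER_GUID" -k "$KEYDIR/$signer.key" -c "$KEYDIR/$signer.crt" \
        "$var" "$KEYDIR/$name.esl" "$KEYDIR/$name.auth"
}

# Generate all three pairs, verify them, then produce the chained updates:
# PK signs its own enrollment, PK signs the KEK update, KEK signs the db update.
build_secure_boot_keys() {
    gen_key_pair PK  "Example Platform Key"
    gen_key_pair KEK "Example Key Exchange Key"
    gen_key_pair db  "Example Signature Database Key"
    for n in PK KEK db; do
        check_key_pair "$n" || { echo "key pair $n failed its check" >&2; return 1; }
    done
    make_signed_update PK  PK  PK
    make_signed_update KEK KEK PK
    make_signed_update db  db  KEK
    echo "Secure Boot key material written to $KEYDIR"
}

build_secure_boot_keys
```

The private keys written here are what authorize every future change to the variable store and every signed bootloader the db will trust, so keep them off the instance once enrollment is done; only the certificates (and the signed `.auth` updates) need to travel to the AMI build.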

To create a Linux AMI to support UEFI Secure Boot, first create the three key pairs, and then complete either Option A or Option B:

Note

These instructions can only be used to create a Linux AMI. If you need a Windows AMI, use one of the supported Windows AMIs. For more information, see Launch an instance with UEFI Secure Boot support in the Amazon EC2 User Guide for Windows Instances.