Option A: Add keys to the variable store from within the instance
After you have created the three key pairs, you can connect to your instance and add the keys to the variable store from within the instance by completing the following steps.
Option A steps:
Step 1: Launch an instance that will support UEFI Secure Boot
When you launch an instance with the following prerequisites, the instance will then be ready to be configured to support UEFI Secure Boot. You can only enable support for UEFI Secure Boot on an instance at launch; you can't enable it later.
Prerequisites
- AMI – The Linux AMI must support UEFI boot mode. To verify that the AMI supports UEFI boot mode, the AMI boot mode parameter must be uefi. For more information, see Determine the boot mode parameter of an AMI.
Note that AWS only provides Linux AMIs configured to support UEFI for Graviton-based instance types. AWS currently does not provide x86_64 Linux AMIs that support UEFI boot mode. You can configure your own AMI to support UEFI boot mode for all architectures, which requires a number of configuration steps on the AMI. For more information, see Set the boot mode of an AMI.
- Instance type – All virtualized instance types that support UEFI also support UEFI Secure Boot. Bare metal instance types do not support UEFI Secure Boot. For the instance types that support UEFI Secure Boot, see Considerations.
- Launch date – Only instances launched after May 10, 2022 (when UEFI Secure Boot was released) can support UEFI Secure Boot. An instance launched before that date cannot be upgraded in place; launch a new one.
After you have launched your instance, you can verify that it is ready to be configured to support UEFI Secure Boot (in other words, that you can proceed to Step 2) by checking whether UEFI data is present. The presence of UEFI data indicates that the instance persists non-volatile UEFI variables, which is what the key enrollment in Step 2 writes to.
To verify whether your instance is ready for Step 2
Use the get-instance-uefi-data command and specify the instance ID.
aws ec2 get-instance-uefi-data --instance-id i-0123456789example
The instance is ready for Step 2 if UEFI data is present in the output. If the output is empty, the instance cannot be configured to support UEFI Secure Boot. This can happen if your instance was launched before UEFI Secure Boot support became available. Launch a new instance and try again.
Step 2: Configure an instance to support UEFI Secure Boot
Enroll the key pairs in your UEFI variable store on the instance
Warning
After you enroll the keys, you must sign your boot images with a key whose certificate is in db. Otherwise the firmware will refuse to load the unsigned images and you won't be able to boot your instance.
After you create the signed UEFI signature lists (PK, KEK, and db), they must be enrolled into the UEFI firmware.
Writing to the PK variable is possible only if one of the following holds:
- No PK is enrolled yet, which is indicated by the SetupMode variable having the value 1. Check this by using the following command. The output is either 1 or 0.
efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SetupMode
- The new PK is signed by the private key of the existing PK.
To enroll the keys in your UEFI variable store
The following commands must be run on the instance.
If SetupMode is enabled (the value is 1), the keys can be enrolled by running the following commands on the instance. Keep this order: enroll PK last, because writing PK takes the firmware out of SetupMode, after which further writes to KEK and db are accepted only if they are signed by the enrolled PK or KEK.
[ec2-user ~]$ efi-updatevar -f db.auth db
[ec2-user ~]$ efi-updatevar -f KEK.auth KEK
[ec2-user ~]$ efi-updatevar -f PK.auth PK
To verify that UEFI Secure Boot is enabled
To verify that UEFI Secure Boot is enabled, follow the steps in Verify whether an instance is enabled for UEFI Secure Boot.
You can now export your UEFI variable store with the get-instance-uefi-data CLI command, or continue to the next step and sign your boot images to reboot into a UEFI Secure Boot-enabled instance.
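The enrollment procedure from Step 2 as a script, added here as an example; it is not taken from the AWS documentation or from efitools. It checks that the three .auth files are present, refuses to run unless SetupMode is 1, writes db and KEK before PK, and confirms that the PK write took the firmware out of SetupMode. It assumes efivar and efi-updatevar (from efitools) are on the PATH and that db.auth, KEK.auth and PK.auth are in the current directory. The SetupMode variable name and GUID are the ones the page uses; the SecureBoot variable is the standard EFI global variable under the same GUID; the EFIVAR and EFI_UPDATEVAR overrides and the numeric return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the AWS page or efitools): enroll db, KEK and PK
# on an EC2 instance that is still in SetupMode, in the order the page uses.
# Assumes efivar and efi-updatevar (efitools) are installed and that
# db.auth, KEK.auth and PK.auth are in the current directory.

# EFI global variable GUID (the same GUID the page uses for SetupMode).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"
SETUP_MODE_VAR="$EFI_GLOBAL_GUID-SetupMode"
SECURE_BOOT_VAR="$EFI_GLOBAL_GUID-SecureBoot"

# Tool paths; overridable (assumption of this example) so the functions can
# be exercised against stubs on a machine without efitools.
EFIVAR="${EFIVAR:-efivar}"
EFI_UPDATEVAR="${EFI_UPDATEVAR:-efi-updatevar}"

# Print the decoded value of a one-byte EFI variable (0 or 1), or nothing
# if the variable cannot be read.
read_efi_var() {
    "$EFIVAR" -d -n "$1" 2>/dev/null
}

# True when SetupMode == 1: no PK is enrolled and the firmware accepts
# unauthenticated writes to PK, KEK and db.
in_setup_mode() {
    [ "$(read_efi_var "$SETUP_MODE_VAR")" = "1" ]
}

# True when the firmware reports SecureBoot == 1 (signature enforcement on).
secure_boot_enabled() {
    [ "$(read_efi_var "$SECURE_BOOT_VAR")" = "1" ]
}

# write_var <file.auth> <variable>: one efi-updatevar call, returns 4 on failure.
write_var() {
    "$EFI_UPDATEVAR" -f "$1" "$2" || {
        echo "enroll_keys: efi-updatevar failed for $2" >&2
        return 4
    }
}

# Enroll the signed signature lists. Return codes (example's own convention):
#   0 success, 2 missing .auth file, 3 PK already enrolled,
#   4 efi-updatevar failed, 5 PK write did not leave SetupMode.
enroll_keys() {
    for f in db.auth KEK.auth PK.auth; do
        [ -r "$f" ] || { echo "enroll_keys: missing $f" >&2; return 2; }
    done
    if ! in_setup_mode; then
        echo "enroll_keys: SetupMode is not 1, a PK is already enrolled; refusing" >&2
        return 3
    fi
    # PK goes last: writing PK switches SetupMode to 0, after which the
    # firmware only accepts writes signed by the enrolled PK or KEK.
    write_var db.auth db   || return $?
    write_var KEK.auth KEK || return $?
    write_var PK.auth PK   || return $?
    if in_setup_mode; then
        echo "enroll_keys: firmware still in SetupMode after PK write" >&2
        return 5
    fi
    return 0
}
```

Save it as enroll-keys.sh in the directory holding the .auth files, then run `. ./enroll-keys.sh && enroll_keys` as root on the instance; a non-zero return tells you which precondition failed before any variable was touched, and `secure_boot_enabled` gives you the firmware's own view for the verification step.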
Step 3: Create an AMI from the instance
To create an AMI from the instance, you can use the console or the CreateImage API, CLI, or SDKs. For the console instructions, see Create an Amazon EBS-backed Linux AMI. For the API instructions, see CreateImage.
Note
The CreateImage API automatically copies the UEFI variable store of the instance to the AMI. The console uses the CreateImage API.
After you launch instances using this AMI, the instances will have the same UEFI variable store.