Verify whether an instance is enabled for UEFI Secure Boot

You can use the mokutil utility to verify whether a Linux instance is enabled for UEFI Secure Boot. If mokutil is not installed on your instance, you must install it. For the installation instructions for Amazon Linux, see Install software packages on an Amazon Linux instance. For other distributions, see their specific documentation.

To verify whether a Linux instance is enabled for UEFI Secure Boot

Run the following command as root on the instance.


mokutil --sb-state

Expected output:

If UEFI Secure Boot is enabled, the output contains SecureBoot enabled.
If UEFI Secure Boot is not enabled, the output contains SecureBoot disabled or Failed to read SecureBoot.

To verify whether a Windows instance is enabled for UEFI Secure Boot

Open the msinfo32 tool.
Check the Secure Boot State field. Supported indicates that UEFI Secure Boot is enabled.

You can also use the Windows PowerShell Cmdlet Confirm-SecureBootUEFI to check the the Secure Boot status. For more information about the cmdlet, see Confirm-SecureBootUEFI in the Microsoft Documentation website.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Launch an instance with UEFI Secure Boot support

Create a Linux AMI to support UEFI Secure Boot