Build the sample Amazon Linux 2023 image description
AWS provides a sample Amazon Linux 2023 image description that you can use as a starting point for creating your own custom
Attestable AMIs for your workloads. The sample image description includes Amazon Linux 2023 as the base operating system,
dm-verity and erofs configurations for filesystem immutability, and it removes all interactive
access (such as SSH, EC2 instance connect, and serial console) to create an isolated compute environment.
The sample image description automatically installs the NitroTPM tools (nitro-tpm-pcr-compute and
nitro-tpm-attest) in the built image in the /usr/bin/ directory. This ensures that the tools
are preinstalled on instances launched from the AMI.
The sample image description includes a script, edit_boot_install.sh, which includes the commands needed to
generate the reference measurements. The script mounts the raw disk image file (.raw) created by KIWI NG to a loopback
device, locates the UKI, which has the .efi file extension, and then runs the nitro-tpm-pcr-compute
utility to generate the reference measurements for the AMI. The script is automatically executed by KIWI NG during build time.
This tutorial shows you how to build the sample image description to create an Attestable AMI.
For more information about creating your own image descriptions, see the following KIWI NG documentation:
To build the sample Amazon Linux 2023 image description using KIWI NG
-
Launch an Amazon EC2 instance using the latest AL2023 AMI. To ensure that your instance has enough storage space to build the AMI, ensure that you provision at least 12 GB of storage.
-
Install the required dependencies. The following command installs the following utilities:
-
kiwi-cli -
veritysetup -
erofs-utils -
aws-nitro-tpm-tools
sudo dnf install -y kiwi-cli python3-kiwi kiwi-systemdeps-core python3-poetry-core qemu-img veritysetup erofs-utils git cargo aws-nitro-tpm-tools -
-
Install the
coldsnaputility. This utility enables you to create Amazon EBS snapshots from raw image data. You'll use this utility to create an EBS snapshot from the raw disk image file created by KIWI NG.git clone https://github.com/awslabs/coldsnap.git cd coldsnap cargo install --locked coldsnap cd .. -
Get the sample image description files.
sudo dnf install kiwi-image-descriptions-examplesThe sample image description files are downloaded to the following directory:
/usr/share/kiwi-image-descriptions-examples/al2023/attestable-image-example -
Build the sample image description using the KIWI NG
system buildcommand. The following command creates a raw disk image file in the./imagedirectory.sudo kiwi-ng \ --color-output \ --loglevel 0 \ system build \ --description usr/share/kiwi-image-descriptions-examples/al2023/attestable-image-example \ --target-dir ./imageFor more information, see the kiwi-ng system build
documentation. -
Get the reference measurements for the AMI. The measurements are generated by the
nitro-tpm-pcr-computeutility during image build time in the previous step. You can locate the reference measurements in the following file:./image/pcr_measurements.json.The measurements are provided in the following JSON format:
{ "Measurements": { "HashAlgorithm": "SHA384 { ... }", "PCR4": "PCR4_measurement", "PCR7": "PCR7_measurement" } } -
Use the
coldsnaputility to upload the raw disk image created by KIWI NG to an EBS snapshot. The command returns the snapshot ID. Make a note of the ID, you'll need it for the next step.SNAPSHOT=$(.cargo/bin/coldsnap upload ./image/kiwi*.raw) echo "Created snapshot: $SNAPSHOT"For more information about the
coldsnaputility, see the coldsnap GitHub repo. -
Register a TPM 2.0-enabled AMI with UEFI boot mode using the snapshot from the previous step. For
--architecture, specifyx86_64for Intel, orarm64for Graviton.aws ec2 register-image \ --name "attestable_isolated_al2023_ami" \ --virtualization-type hvm \ --boot-mode uefi \ --architecturex86_64|arm64\ --root-device-name /dev/xvda \ --block-device-mappings DeviceName=/dev/xvda,Ebs={SnapshotId=${SNAPSHOT}} \ --tpm-support v2.0 \ --ena-support
