Create the Amazon binary blob for UEFI Secure Boot
You can use the following steps to customize the UEFI Secure Boot variables during AMI creation. The KEK that is used in these steps is current as of September 2021. If Microsoft updates the KEK, you must use the latest KEK.
To create the Amazon binary blob
-
Create an empty PK signature list.
touch empty_key.crt cert-to-efi-sig-list empty_key.crt PK.esl
-
Download the KEK certificates.
https://go.microsoft.com/fwlink/?LinkId=321185
-
Wrap the KEK certificates in a UEFI signature list (
siglist
).sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK.esl MicCorKEKCA2011_2011-06-24.crt
-
Download Microsoft's db certificates.
https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
-
Generate the db signature list.
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
-
The Unified Extensible Firmware Interface Forum no longer provides the DBX files. They are now provided by Microsoft on GitHub. Download the latest DBX update from the Microsoft Secure Boot updates repository at https://github.com/microsoft/secureboot_objects
. -
Unpack the signed update-binary.
Create
SplitDbxContent.ps1
with the script content below. Alternatively, you can install the script from PowerShell Galleryusing Install-Script -Name SplitDbxContent
.<#PSScriptInfo .VERSION 1.0 .GUID ec45a3fc-5e87-4d90-b55e-bdea083f732d .AUTHOR Microsoft Secure Boot Team .COMPANYNAME Microsoft .COPYRIGHT Microsoft .TAGS Windows Security .LICENSEURI .PROJECTURI .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES Version 1.0: Original published version. #> <# .DESCRIPTION Splits a DBX update package into the new DBX variable contents and the signature authorizing the change. To apply an update using the output files of this script, try: Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite' .EXAMPLE .\SplitDbxAuthInfo.ps1 DbxUpdate_x64.bin #> # Get file from script input $file = Get-Content -Encoding Byte $args[0] # Identify file signature $chop = $file[40..($file.Length - 1)] if (($chop[0] -ne 0x30) -or ($chop[1] -ne 0x82 )) { Write-Error "Cannot find signature" exit 1 } # Signature is known to be ASN size plus header of 4 bytes $sig_length = ($chop[2] * 256) + $chop[3] + 4 $sig = $chop[0..($sig_length - 1)] if ($sig_length -gt ($file.Length + 40)) { Write-Error "Signature longer than file size!" exit 1 } # Content is everything else $content = $file[0..39] + $chop[$sig_length..($chop.Length - 1)] # Write signature and content to files Set-Content -Encoding Byte signature.p7 $sig Set-Content -Encoding Byte content.bin $content
Use the script to unpack the signed DBX files.
PS C:\Windows\system32> SplitDbxContent.ps1 .\dbx.bin
This produces two files —
signature.p7
andcontent.bin
. Usecontent.bin
in the next step. -
Build a UEFI variable store using the
uefivars.py
script../uefivars.py -i none -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl --dbx ~/content.bin
-
Check the binary blob and the UEFI variable store.
./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o json | less
-
You can update the blob by passing it to the same tool again.
./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl --dbx ~/content.bin
Expected output
Replacing PK Replacing KEK Replacing db Replacing dbx