Create the Amazon binary blob for UEFI Secure Boot - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create the Amazon binary blob for UEFI Secure Boot

You can use the following steps to customize the UEFI Secure Boot variables during AMI creation. The KEK that is used in these steps is current as of September 2021. If Microsoft updates the KEK, you must use the latest KEK.

To create the Amazon binary blob

  1. Create an empty PK signature list.

    touch empty_key.crt
cert-to-efi-sig-list empty_key.crt PK.esl

  2. Download the KEK certificates.

    https://go.microsoft.com/fwlink/?LinkId=321185

  3. Wrap the KEK certificates in a UEFI signature list (siglist).

    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK.esl MicCorKEKCA2011_2011-06-24.crt

  4. Download Microsoft's db certificates.

    https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt

  5. Generate the db signature list.

    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt
cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl

  6. Download an updated dbx change request from the following link.

    https://uefi.org/revocationlistfile

  7. The dbx change request that you downloaded in the previous step is already signed with the Microsoft KEK, so you need to strip or unpack it. You can use the following links.

    https://gist.github.com/out0xb2/f8e0bae94214889a89ac67fceb37f8c0
    https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-e3b9e4cb-a330-b3ba-a602-15083965d9ca

  8. Build a UEFI variable store using the uefivars.py script.

    ./uefivars.py -i none -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl  --dbx ~/dbx-2021-April.bin

  9. Check the binary blob and the UEFI variable store.

    ./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o json | less

  10. You can update the blob by passing it to the same tool again.

    ./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl  --dbx ~/dbx-2021-April.bin

    Expected output

    Replacing PK
Replacing KEK
Replacing db
Replacing dbx