Create a Linux AMI to support UEFI Secure Boot - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create a Linux AMI to support UEFI Secure Boot

The following procedures describe how to create your own UEFI variable store for secure boot with custom-made private keys. Amazon Linux supports UEFI Secure Boot starting with AL2023 release 2023.1. For more information, see UEFI Secure Boot in the AL2023 User Guide.


The following procedures for creating an AMI to support UEFI Secure Boot are intended for advanced users only. You must have sufficient knowledge of SSL and Linux distribution boot flow to use these procedures.


Newly created instances without UEFI Secure Boot keys are created in SetupMode, which allows you to enroll your own keys. Some AMIs come preconfigured with UEFI Secure Boot and you cannot change the existing keys. If you want to change the keys, you must create a new AMI based on the original AMI.

You have two ways to propagate the keys in the variable store, which are described in Option A and Option B that follow. Option A describes how to do this from within the instance, mimicking the flow of real hardware. Option B describes how to create a binary blob, which is then passed as a base64-encoded file when you create the AMI. For both options, you must first create the three key pairs, which are used for the chain of trust.

To create a Linux AMI to support UEFI Secure Boot, first create the three key pairs, and then complete either Option A or Option B:

These instructions can only be used to create a Linux AMI. If you need a Windows AMI, use one of the supported Windows AMIs. For more information, see Launch an instance with UEFI Secure Boot support in the Amazon EC2 User Guide for Windows Instances.