Option B: Create a binary blob containing a pre-filled variable store
After you have created the three key pairs, you can create a binary blob containing a pre-filled variable store containing the UEFI Secure Boot keys.
Warning
You must sign your boot images before you enroll the keys, otherwise you won’t be able to boot your instance.
Option B steps:
Step 1: Create a new variable store or update an existing one
You can create the variable store offline without a running instance by using the python-uefivars tool. The tool can create a new variable store from your keys. The script currently supports the EDK2 format, the Amazon format, and a JSON representation that is easier to edit with higher-level tooling.
To create the variable store offline without a running instance
-
Download the tool at the following link.
https://github.com/awslabs/python-uefivars -
Create a new variable store from your keys by running the following command. This will create a base64-encoded binary blob in
your_binary_blob.bin. The tool also supports updating a binary blob via the-Iparameter../uefivars.py -i none -o aws -Oyour_binary_blob.bin -P PK.esl -K KEK.esl --db db.esl --dbx dbx.esl
Step 2: Upload the binary blob on AMI creation
Use register-image to pass your UEFI
variable store data. For the --uefi-data parameter, specify
your binary blob, and for the --boot-mode parameter,
specify uefi.
aws ec2 register-image \ --name uefi_sb_tpm_register_image_test \ --uefi-data $(catyour_binary_blob.bin) \ --block-device-mappings "DeviceName=/dev/sda1,Ebs= {SnapshotId=snap-0123456789example,DeleteOnTermination=true}" \ --architecture x86_64 \ --root-device-name /dev/sda1 \ --virtualization-type hvm \ --ena-support \ --boot-mode uefi