Prepare your AWS environment to allow Server & Workload Protection to support Secure Boot.

Important
  • You must have a platform key to enroll Secure Boot keys. If you do not have a platform key, see the AWS documentation to generate a Secure Boot platform key.
  • Do not replace the platform key if you cannot access the firmware of all devices that are loaded during boot, such as the GPU. If you cannot update the firmware signing chain to use your new platform key, Secure Boot could make the instance permanently unable to boot.

Procedure

  1. Create an EC2 virtual machine instance from a Linux distribution AMI that supports Secure Boot.
  2. In the console for that instance, install the Machine Owner Key (MOK) tooling: mokutil, the uefivars script, and Python.
    For example, on Red Hat Enterprise Linux, type the following commands:
    yum install mokutil
    yum install python3
    curl -L -o uefivars.zip https://github.com/awslabs/python-uefivars/archive/refs/heads/main.zip
    unzip uefivars.zip
    For Debian or Ubuntu, use the commands:
    sudo apt-get update
    sudo apt-get install efitools
    sudo apt-get install python3
    curl -L -o uefivars.zip https://github.com/awslabs/python-uefivars/archive/refs/heads/main.zip
    unzip uefivars.zip
  3. Upload the CA certificates and Trend Micro public keys to the instance.
  4. Combine the platform key, CA certificates, and Trend Micro public keys into a single binary file (.bin).
    The following sample commands convert each item into an .esl (EFI signature list) file, combine the lists, and convert the set into a .bin file. The value 77fa9abd-0359-4d32-bd60-28f4e78f784b is the GUID in the SignatureOwner field of the Microsoft Corporation KEK CA 2011 certificate.
    # Convert your platform key into signatures list format
    cert-to-efi-sig-list YOUR_PLATFORM_KEY.crt YOUR_PLATFORM_KEY.esl
    # Convert CA certificates
    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_KEK.esl MicCorKEKCA2011_2011-06-24.crt
    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_PROD.esl MicWinProPCA2011_2011-10-19.crt
    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_CA_UEFI.esl MicCorUEFCA2011_2011-06-27.crt
    # Convert Trend Micro public keys
    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS20_v2.esl DS20_v2.der
    sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output TREND_UEFI_db_DS2022.esl DS2022.der
    # Combine CA and vendor public keys into one signatures list
    cat MS_CA_PROD.esl MS_CA_UEFI.esl TREND_UEFI_db_DS20_v2.esl TREND_UEFI_db_DS2022.esl > ALL_SIGNATURES_db.esl
    cp *.esl /root/
    # Combine all and convert to binary
    ./python-uefivars-main/uefivars.py -i none -o aws -O YOUR_BINARY_SIGNING_CHAIN.bin -P ./YOUR_PLATFORM_KEY.esl -K ./MS_CA_KEK.esl --db ./ALL_SIGNATURES_db.esl
  5. Download the binary file.
  6. Create a new EC2 snapshot of the instance.
  7. Access AWS Cloudshell.
  8. Go to Actions > Files > Upload file and select the binary file.
  9. Create a new AMI with the snapshot ID and the .bin file that you uploaded.
    For example:
    aws ec2 register-image --name LIFT-UBUNTU20SecureBootX64 --uefi-data $(cat YOUR_BINARY_SIGNING_CHAIN.bin) --block-device-mappings "DeviceName=/dev/sda1,Ebs={SnapshotId=YOUR-SNAPSHOT-ID,DeleteOnTermination=true}" --architecture x86_64 --root-device-name /dev/sda1 --virtualization-type hvm --boot-mode uefi
  10. Use the customized image to create a new instance with Secure Boot enabled.
  11. Verify that the keys are successfully enrolled in the MOK list.
    Use the command mokutil --db | grep Trend.
  12. Verify that the kernel has successfully loaded the Trend Micro public keys.
    Use the command dmesg | grep cert.
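Before the combined db from step 4 is baked into the AMI, it is worth checking what the .esl files actually contain. The following added example (not part of the Trend Micro procedure or the python-uefivars project) parses concatenated EFI_SIGNATURE_LIST data with only the standard library, reports each entry's type, SignatureOwner GUID and payload digest, and rejects a truncated or inconsistent list; the sample certificate payloads are constructed placeholders, and the file path in the final comment is assumed.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification; sbsiglist --type x509 emits the first.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# SignatureOwner GUID the procedure passes to every sbsiglist --owner call.
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
HEADER = struct.Struct("<16sIII")


def parse_esl(data: bytes) -> list:
    """Return one dict per signature across all concatenated lists in `data`.

    Raises ValueError on a truncated or inconsistent list, so a corrupt
    ALL_SIGNATURES_db.esl is caught before it is baked into --uefi-data.
    """
    entries, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated list header at offset {offset}")
        sig_type, list_size, hdr_size, sig_size = HEADER.unpack_from(data, offset)
        if list_size < HEADER.size + hdr_size or offset + list_size > len(data):
            raise ValueError(f"SignatureListSize {list_size} runs past the data at {offset}")
        body = data[offset + HEADER.size + hdr_size: offset + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not divide the list body")
        type_name = SIG_TYPE_NAMES.get(uuid.UUID(bytes_le=sig_type), "unknown")
        for i in range(0, len(body), sig_size):
            sig = body[i:i + sig_size]  # EFI_SIGNATURE_DATA: 16-byte owner GUID + payload
            entries.append({"type": type_name, "owner": str(uuid.UUID(bytes_le=sig[:16])),
                            "size": len(sig) - 16, "sha256": hashlib.sha256(sig[16:]).hexdigest()})
        offset += list_size
    return entries


def build_x509_esl(owner: uuid.UUID, der: bytes) -> bytes:
    """Single-entry x509 list in the same layout sbsiglist writes (used for the sample)."""
    sig = owner.bytes_le + der
    return HEADER.pack(EFI_CERT_X509_GUID.bytes_le, HEADER.size + len(sig), 0, len(sig)) + sig


# Constructed stand-ins for the DER certificates, not the real Trend Micro keys.
SAMPLE_DB = (build_x509_esl(MS_OWNER_GUID, b"\x30\x82" + b"\x01" * 40)
             + build_x509_esl(MS_OWNER_GUID, b"\x30\x82" + b"\x02" * 48))

if __name__ == "__main__":
    for entry in parse_esl(SAMPLE_DB):  # assumed path: open("ALL_SIGNATURES_db.esl", "rb").read()
        print(entry)
```

Compare the reported sha256 values against the digests of the DER files you uploaded in step 3; an unexpected owner GUID or entry count means the wrong list was concatenated.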