To create an AL2023 image with UEFI Secure Boot using a third-party key, there are a few important considerations that might explain why your instance isn't booting.
First, AL2023 supports UEFI Secure Boot starting with release 2023.1, but there are specific steps needed for custom keys. When using custom keys with AL2023, you need to ensure you're following the complete process:
- For the key enrollment, you need to create all three required key databases: Platform Key (PK), Key Exchange Key (KEK), and Signature database (db). These form the chain of trust for UEFI Secure Boot.
- When signing boot files, ensure you're signing all necessary components. While you've signed the kernel and the BOOTX64.EFI file, AL2023 uses grub2 as its bootloader, which also needs to be properly signed.
- When creating the AMI, make sure you're using the binary blob from the same release of AL2023 that you're using to create the AMI. Using mismatched versions can cause boot failures.
- When registering your AMI, ensure you've set the BootMode parameter to uefi and TpmSupport to v2.0 if applicable.
- Remember that by default, UEFI Secure Boot is disabled and the system is in "SetupMode." The system exits SetupMode only when the PK is properly set, which enables UEFI Secure Boot.
For AL2023 specifically, you might want to use the amazon-linux-sb enroll command to help with the key enrollment process, though this would be for Amazon's keys rather than your third-party keys.
The process you're following from the EC2 documentation is generally correct, but AL2023 might have specific requirements for its bootloader configuration. Since your similar process worked for Red Hat Linux, the issue might be related to differences in how AL2023 implements UEFI Secure Boot compared to Red Hat.
Sources
- Create a Linux AMI with custom UEFI Secure Boot keys - Amazon Elastic Compute Cloud
- UEFI Secure Boot on AL2023 - Amazon Linux 2023
- Requirements for UEFI Secure Boot on Amazon EC2 - Amazon Elastic Compute Cloud
- How UEFI Secure Boot works with Amazon EC2 instances - Amazon Elastic Compute Cloud
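Added example (not from the answer above, nor AWS or AL2023 code) showing what the PK, KEK and db entries actually contain: each is an EFI_SIGNATURE_LIST as defined in the UEFI specification, the same layout efitools' cert-to-efi-sig-list writes to a .esl file. The builder wraps a certificate, and the parser rejects the truncated or mis-sized lists that firmware silently ignores, leaving the instance in SetupMode. The DER bytes and owner GUID are constructed placeholders, not a real certificate.

```python
"""Build and parse EFI_SIGNATURE_LIST blobs (the .esl layout used for PK/KEK/db entries)."""
import struct
import uuid

# GUID marking an entry as an X.509 DER certificate (UEFI spec, EFI_CERT_X509_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Fixed header: SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)
_HDR = struct.Struct("<16sIII")


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA."""
    sig_data = owner.bytes_le + der_cert  # SignatureOwner GUID followed by SignatureData
    sig_size = len(sig_data)
    hdr = _HDR.pack(EFI_CERT_X509_GUID.bytes_le, _HDR.size + sig_size, 0, sig_size)
    return hdr + sig_data


def parse_esl(blob: bytes) -> list:
    """Walk a concatenation of EFI_SIGNATURE_LISTs and return (type, owner, data) per entry.
    Raises ValueError on truncated or inconsistent sizes, which firmware treats as a bad
    variable, so the PK is never set and the system stays in SetupMode."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated signature list header")
        stype, lsize, hsize, ssize = _HDR.unpack_from(blob, off)
        if lsize < _HDR.size + hsize or off + lsize > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        body = blob[off + _HDR.size + hsize : off + lsize]
        if ssize < 16 or len(body) % ssize:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), ssize):
            owner = uuid.UUID(bytes_le=body[i : i + 16])
            entries.append((uuid.UUID(bytes_le=stype), owner, body[i + 16 : i + ssize]))
        off += lsize
    return entries


# Constructed placeholder DER bytes (NOT a real certificate); a real db entry carries the
# full DER certificate, e.g. the output of `openssl x509 -outform DER`.
FAKE_DER = b"\x30\x82\x01\x00" + b"\xAA" * 20
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed owner GUID

if __name__ == "__main__":
    for stype, owner, data in parse_esl(build_x509_esl(FAKE_DER, OWNER)):
        print(stype, owner, len(data), "bytes of certificate")
```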
Regarding signing grub, I could not find the file grubx64.efi in the /boot directory.
