UEFI Variables For Amazon EC2 Instances
Introduction
When you launch an instance with the boot mode set to UEFI, a key-value store for variables is initialized. This store can be used by UEFI and by the instance's operating system to hold UEFI variables.
UEFI variables are used by the boot loader and the operating system to configure the initial system startup. They let the operating system manage certain aspects of the boot process, such as the boot order and the keys for UEFI Secure Boot.
UEFI Secure Boot for Amazon EC2 Instances
UEFI Secure Boot builds on the existing secure boot process of Amazon EC2 and adds defense in depth that helps customers protect their software from malicious code that persists across reboots. It ensures that the instance boots only software that is signed with cryptographic keys. Those keys are stored in the key databases of the UEFI non-volatile variable store. UEFI Secure Boot prevents unauthorized modifications to the instance's boot process.
How UEFI Secure Boot Works With Amazon EC2 Instances
UEFI Secure Boot is a feature defined in the UEFI specification that provides assurance about the state of the boot chain. It is designed to ensure that only cryptographically verified UEFI binaries are executed after the firmware's self-initialization. These binaries include UEFI drivers, the main bootloader, and any chain-loaded components. UEFI Secure Boot defines four key databases that are used to maintain a chain of trust. These databases are stored in the UEFI variable store.
The chain of trust is as follows:
- Platform Key (PK) database - The PK database is the root of trust. It holds a single public PK that is used in the chain of trust for updating the Key Exchange Key (KEK) database. To modify the PK database, an update request must be signed with the private PK. This includes the option of clearing the PK database by writing an empty PK, which returns the system to Setup Mode.
- Key Exchange Key (KEK) database - The KEK database is a list of public KEKs that are used in the chain of trust for updating the signature (db) and denylist (dbx) databases. To modify the KEK database, an update request must be signed with the private PK.
- Signature (db) database - The db database is a list of public keys and hashes that are used in the chain of trust to validate every UEFI boot binary. To modify the db database, an update request must be signed with the private PK or one of the private KEKs.
- Signature denylist (dbx) database - The dbx database is a list of public keys and binary hashes that are explicitly untrusted; it acts as the revocation list in the chain of trust. dbx takes precedence over all other key databases, so a hash or certificate that appears in both db and dbx is rejected. To modify the dbx database, an update request must be signed with the private PK or one of the private KEKs.
By default, UEFI Secure Boot is disabled and the system is in Setup Mode. In Setup Mode, all of the key variables can be written without a cryptographic signature. Once the PK is set, UEFI Secure Boot is enabled and the system exits Setup Mode.
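To make the db/dbx semantics above concrete, here is an added Python example (it is not AWS code and not part of the original post) that builds and parses EFI_SIGNATURE_LIST structures, the on-disk format of the db and dbx variables, and applies the hash-based part of the Secure Boot decision, with dbx taking priority over db. The two signature-type GUIDs, the vendor GUID for db/dbx, and the EFI_SIGNATURE_LIST layout come from the UEFI specification; the sample images, the owner GUID and the helper names are constructed for the example. Real firmware additionally accepts images whose Authenticode signature chains to an X.509 certificate in db and hashes PE images according to the Authenticode rules rather than over the raw bytes; neither is modeled here.

```python
"""Added example: parse the db/dbx signature databases of UEFI Secure Boot
and apply the hash-based allow/deny decision. Not AWS code."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which db and dbx are exposed in efivarfs.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

ESL_HEADER_SIZE = 16 + 4 + 4 + 4  # SignatureType GUID + three UINT32 fields


def build_sha256_esl(hashes, owner):
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries. Each
    EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the hash."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", ESL_HEADER_SIZE + len(body), 0, sig_size)
    return header + body


def parse_esls(blob):
    """Return (signature_type, owner, data) for every entry in a concatenation
    of EFI_SIGNATURE_LIST structures, rejecting inconsistent size fields."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if end > len(blob) or list_size < ESL_HEADER_SIZE + hdr_size or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + ESL_HEADER_SIZE + hdr_size
        if (end - pos) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def load_efivar(path):
    """Read a variable from efivarfs: a 4-byte attribute mask precedes the payload."""
    with open(path, "rb") as f:
        return f.read()[4:]


def sha256_entries(blob):
    """Set of SHA-256 hashes listed in a db or dbx blob (X.509 entries are skipped)."""
    return {data for sig_type, _, data in parse_esls(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def boot_allowed(image, db_blob, dbx_blob):
    """Hash-only model of the Secure Boot check: dbx is consulted first and wins
    over db, so an image is allowed only if db lists it and dbx does not.
    Raw bytes are hashed here for illustration; firmware hashes PE images per
    Authenticode and also accepts X.509-signed images, which is not modeled."""
    digest = hashlib.sha256(image).digest()
    if digest in sha256_entries(dbx_blob):
        return False
    return digest in sha256_entries(db_blob)


# Constructed sample data for the example (not real bootloaders or real keys).
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # made-up SignatureOwner
GOOD_IMAGE = b"constructed stand-in for an enrolled bootloader"
REVOKED_IMAGE = b"constructed stand-in for a bootloader later revoked"
DB = build_sha256_esl(
    [hashlib.sha256(GOOD_IMAGE).digest(), hashlib.sha256(REVOKED_IMAGE).digest()], OWNER)
DBX = build_sha256_esl([hashlib.sha256(REVOKED_IMAGE).digest()], OWNER)

if __name__ == "__main__":
    for name, image in (("enrolled", GOOD_IMAGE), ("revoked", REVOKED_IMAGE),
                        ("unknown", b"never enrolled")):
        print(f"{name}: boot {'allowed' if boot_allowed(image, DB, DBX) else 'denied'}")
```

On a running Linux instance the same parser can be pointed at the live databases by passing the contents of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f and the matching dbx file through load_efivar, which drops the four-byte attribute prefix that efivarfs prepends to every variable.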
Requirements For UEFI Secure Boot on Amazon EC2
When you launch an Amazon EC2 instance with a supported AMI and a supported instance type, the instance automatically validates UEFI boot binaries against its UEFI Secure Boot database. No additional configuration is required. You can also configure UEFI Secure Boot on an instance after it has launched.
Conclusion
This post covered the UEFI variable store that Amazon EC2 initializes for UEFI-boot instances and the Secure Boot key databases (PK, KEK, db, dbx) it holds, which together form the chain of trust for the boot process.