#40 Build AWS EC2 images with UEFI (secure boot) enabled
Closed: Rejected 2 years ago by lkocman. Opened 2 years ago by Pharaoh_Atem.

Currently, AWS EC2 images are built with "EFI" mode, which does not include support for Secure Boot. Since AWS now supports full UEFI in EC2, our images should switch to UEFI like the Azure and GCP ones do now.

Note, SLE should also do the same if they haven't already...

Metadata Update from @lkocman:
- Issue assigned to lkocman

2 years ago

Lubos will reach out to Robert Schweikert and Marcus Schaeffer.
We will also discuss the status on SLE side.

Meanwhile, I did notify Robert about the request.

After further investigation it turns out this appears to be a red herring. "UEFI Secure Boot is currently not supported." from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html

Also it is unclear whether an image set to UEFI is still available for efi boot, I am investigating that part. Based on what I know now it looks like our images are set up properly. EFI will be used for Graviton instances and BIOS is used for x86_64.

It seems like we do not plan to build separate images based on conversation with Robert S.

KIWI's UEFI mode produces hybrid boot images that support all three modes (UEFI + EFI + BIOS boot). Switching to producing UEFI images with KIWI makes it work with everything.

@davdunc told me that AWS x86_64 systems now do support UEFI, which is why Fedora has made the switch to produce hybrid UEFI+BIOS with GPT for Fedora Linux 35: https://fedoraproject.org/wiki/Changes/FedoraCloudHybridBoot

Specifics are here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-boot.html

It's not secure boot that is supported, it is specifically the UEFI support. UEFI secure boot is not a part of the current program and there is no date at which I can say that it will be supported.

I did receive a comment from Robert (who is unfortunately unable to log in to code-o-o):

I confirmed that if you set the "boot-mode" parameter to uefi, which is getting supported in ec2imgutils via bsc#1190538, then AWS will turn off a bunch of instances, i.e. all instances that are designed to boot via bios. AWS currently has no support for a hybrid boot setup, which is the way our images are built. There is nothing to do.

Marking as closed
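As an added example (this is not code from the ticket, from KIWI or from ec2imgutils): the check a practitioner would run inside a booted instance to confirm what this thread concludes, i.e. which firmware mode the instance actually came up in and whether UEFI Secure Boot is enforcing. The sysroot argument and the `make_fake_uefi_sysroot` helper are assumptions added so the logic can be exercised offline against a constructed directory tree; on a real instance call the functions with `/`.

```shell
#!/bin/sh
# Added example: report boot mode and Secure Boot state of a running Linux
# instance by inspecting the kernel's EFI interfaces under /sys/firmware/efi.
# The sysroot parameter is an assumption for testing; real use passes "/".

# Print "uefi" when the kernel exposes the EFI runtime, otherwise "bios".
# A legacy-BIOS boot (the x86_64 EC2 default discussed above) has no such dir.
detect_boot_mode() {
    sysroot="${1:-/}"
    if [ -d "$sysroot/sys/firmware/efi" ]; then
        echo uefi
    else
        echo bios
    fi
}

# Print "enabled", "disabled" or "unavailable" from the SecureBoot EFI variable.
# In efivarfs each variable file starts with 4 attribute bytes followed by the
# value; SecureBoot's value is a single byte where 1 means enforcing.
# "unavailable" is what a BIOS boot, or a UEFI firmware without Secure Boot
# (the AWS situation described in the thread), reports.
secure_boot_state() {
    sysroot="${1:-/}"
    var=$(ls "$sysroot"/sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    if [ -z "$var" ]; then
        echo unavailable
        return 0
    fi
    # Skip the 4 attribute bytes and print the value byte as an unsigned decimal.
    value=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    if [ "$value" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sysroot (test helper, not part of any real system): mimics the
# efivarfs layout of a UEFI-booted machine with Secure Boot either
# "enabled" or "disabled" and prints the directory path.
make_fake_uefi_sysroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sys/firmware/efi/efivars"
    # Attribute bytes 0x06 0x00 0x00 0x00 (NV+RT), then the one-byte value.
    if [ "$1" = "enabled" ]; then
        printf '\006\000\000\000\001' > "$dir/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    else
        printf '\006\000\000\000\000' > "$dir/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    fi
    echo "$dir"
}

# Report on the host this script runs on.
printf 'boot mode: %s\nsecure boot: %s\n' "$(detect_boot_mode /)" "$(secure_boot_state /)"
```

On an x86_64 EC2 instance launched from an image registered without `--boot-mode uefi` this prints `bios` / `unavailable`; on a Graviton instance it prints `uefi` / `unavailable`, matching the statement above that UEFI is offered but Secure Boot is not. The GUID in the SecureBoot variable name is the standard EFI global variable namespace used by efivarfs.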

Metadata Update from @lkocman:
- Issue close_status updated to: Rejected
- Issue status updated to: Closed (was: Open)

2 years ago
