# Create the AWS binary blob for UEFI Secure Boot You can use the following steps to customize the UEFI Secure Boot variables during AMI creation. The KEK that is used in these steps is current as of September 2021. If Microsoft updates the KEK, you must use the latest KEK. **To create the AWS binary blob** 1. Create an empty PK signature list. ``` touch empty_key.crt cert-to-efi-sig-list empty_key.crt PK.esl ``` 1. Download the KEK certificates. ``` https://go.microsoft.com/fwlink/?LinkId=321185 ``` 1. Wrap the KEK certificates in a UEFI signature list (`siglist`). ``` sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK.esl MicCorKEKCA2011_2011-06-24.crt ``` 1. Download Microsoft's db certificates. ``` https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt ``` 1. Generate the db signature list. ``` sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl ``` 1. The Unified Extensible Firmware Interface Forum no longer provides the DBX files. They are now provided by Microsoft on GitHub. Download the latest DBX update from the Microsoft Secure Boot updates repository at [ https://github.com/microsoft/secureboot\$1objects](https://github.com/microsoft/secureboot_objects). 1. Unpack the signed update-binary. Create `SplitDbxContent.ps1` with the script content below. Alternatively, you can install the script from [ PowerShell Gallery](https://www.powershellgallery.com/packages/SplitDbxContent/1.0) using `Install-Script -Name SplitDbxContent`. ``` <#PSScriptInfo .VERSION 1.0 .GUID ec45a3fc-5e87-4d90-b55e-bdea083f732d .AUTHOR Microsoft Secure Boot Team .COMPANYNAME Microsoft .COPYRIGHT Microsoft .TAGS Windows Security .LICENSEURI .PROJECTURI .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES Version 1.0: Original published version. #> <# .DESCRIPTION Splits a DBX update package into the new DBX variable contents and the signature authorizing the change. To apply an update using the output files of this script, try: Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite' .EXAMPLE .\SplitDbxAuthInfo.ps1 DbxUpdate_x64.bin #> # Get file from script input $file = Get-Content -Encoding Byte $args[0] # Identify file signature $chop = $file[40..($file.Length - 1)] if (($chop[0] -ne 0x30) -or ($chop[1] -ne 0x82 )) { Write-Error "Cannot find signature" exit 1 } # Signature is known to be ASN size plus header of 4 bytes $sig_length = ($chop[2] * 256) + $chop[3] + 4 $sig = $chop[0..($sig_length - 1)] if ($sig_length -gt ($file.Length + 40)) { Write-Error "Signature longer than file size!" exit 1 } # Content is everything else $content = $file[0..39] + $chop[$sig_length..($chop.Length - 1)] # Write signature and content to files Set-Content -Encoding Byte signature.p7 $sig Set-Content -Encoding Byte content.bin $content ``` Use the script to unpack the signed DBX files. ``` PS C:\Windows\system32> SplitDbxContent.ps1 .\dbx.bin ``` This produces two files — `signature.p7` and `content.bin`. Use `content.bin` in the next step. 1. Build a UEFI variable store using the `uefivars.py` script. ``` ./uefivars.py -i none -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl --dbx ~/content.bin ``` 1. Check the binary blob and the UEFI variable store. ``` ./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o json | less ``` 1. You can update the blob by passing it to the same tool again. ``` ./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl --dbx ~/content.bin ``` Expected output ``` Replacing PK Replacing KEK Replacing db Replacing dbx ```