# UEFI Secure Boot for Amazon EC2 instances
UEFI Secure Boot builds on the long-standing secure boot process of Amazon EC2, and provides additional defense-in-depth that helps customers secure software from threats that persist across reboots. It ensures that the instance only boots software that is signed with cryptographic keys. The keys are stored in the key database of the [UEFI non-volatile variable store](uefi-variables.md). UEFI Secure Boot prevents unauthorized modification of the instance boot flow.
**Topics**
+ [How UEFI Secure Boot works with Amazon EC2 instances](how-uefi-secure-boot-works.md)
+ [Requirements for UEFI Secure Boot on Amazon EC2](launch-instance-with-uefi-sb.md)
+ [Verify whether an Amazon EC2 instance is enabled for UEFI Secure Boot](verify-uefi-secure-boot.md)
+ [Create a Linux AMI with custom UEFI Secure Boot keys](create-ami-with-uefi-secure-boot.md)
+ [Create the AWS binary blob for UEFI Secure Boot](aws-binary-blob-creation.md)
# How UEFI Secure Boot works with Amazon EC2 instances
UEFI Secure Boot is a feature specified in UEFI, which provides verification about the state of the boot chain. It is designed to ensure that only cryptographically verified UEFI binaries are executed after the self-initialization of the firmware. These binaries include UEFI drivers and the main bootloader, as well as chain-loaded components.
UEFI Secure Boot specifies four key databases, which are used in a chain of trust. The databases are stored in the UEFI variable store.
The chain of trust is as follows:
**Platform key (PK) database**
The PK database is the root of trust. It contains a single public PK key that is used in the chain of trust for updating the key exchange key (KEK) database.
To change the PK database, you must have the private PK key to sign an update request. This includes deleting the PK database by writing an empty PK key.
**Key exchange key (KEK) database**
The KEK database is a list of public KEK keys that are used in the chain of trust for updating the signature (db) and denylist (dbx) databases.
To change the public KEK database, you must have the private PK key to sign an update request.
**Signature (db) database**
The db database is a list of public keys and hashes that are used in the chain of trust to validate all UEFI boot binaries.
To change the db database, you must have the private PK key or any of the private KEK keys to sign an update request.
**Signature denylist (dbx) database**
The dbx database is a list of public keys and binary hashes that are not trusted, and are used in the chain of trust as a revocation file.
The dbx database always takes precedence over all other key databases.
To change the dbx database, you must have the private PK key or any of the private KEK keys to sign an update request.
The UEFI Forum maintains a publicly available dbx for many known-bad binaries and certs at [https://uefi.org/revocationlistfile](https://uefi.org/revocationlistfile).
**Important**
UEFI Secure Boot enforces signature validation on any UEFI binaries. To permit execution of a UEFI binary in UEFI Secure Boot, you sign it with any of the private db keys described above.
By default, UEFI Secure Boot is disabled and the system is in `SetupMode`. When the system is in `SetupMode`, all key variables can be updated without a cryptographic signature. When the PK is set, UEFI Secure Boot is enabled and the SetupMode is exited.
# Requirements for UEFI Secure Boot on Amazon EC2
When you [launch an Amazon EC2 instance](LaunchingAndUsingInstances.md) with a supported AMI and a supported instance type, that instance will automatically validate UEFI boot binaries against its UEFI Secure Boot database. No additional configuration is required. You can also configure UEFI Secure Boot on an instance after launch.
**Note**
UEFI Secure Boot protects your instance and its operating system against boot flow modifications. If you create a new AMI from a source AMI that has UEFI Secure Boot enabled and modify certain parameters during the copy process, such as changing the `UefiData` within the AMI, you can disable UEFI Secure Boot.
**Topics**
+ [Supported AMIs](#uefi-amis)
+ [Supported instance types](#uefi-instance)
## Supported AMIs
**Linux AMIs**
To launch a Linux instance, the Linux AMI must have UEFI Secure Boot enabled.
Amazon Linux supports UEFI Secure Boot starting with AL2023 release 2023.1. However, UEFI Secure Boot isn't enabled in the default AMIs. For more information, see [UEFI Secure Boot](https://docs.aws.amazon.com/linux/al2023/ug/uefi-secure-boot.html) in the *AL2023 User Guide*. Older versions of Amazon Linux AMIs aren't enabled for UEFI Secure Boot. To use a supported AMI, you must perform a number of configuration steps on your own Linux AMI. For more information, see [Create a Linux AMI with custom UEFI Secure Boot keys](create-ami-with-uefi-secure-boot.md).
**Windows AMIs**
To launch a Windows instance, the Windows AMI must have UEFI Secure Boot enabled. To find an AWS Windows AMI that's preconfigured for UEFI Secure Boot with Microsoft keys, see [Find Windows Server AMIs configured with NitroTPM and UEFI Secure Boot](https://docs.aws.amazon.com/ec2/latest/windows-ami-reference/ami-windows-tpm.html#ami-windows-tpm-find) in the *AWS Windows AMIs Reference*.
Currently, we do not support importing Windows with UEFI Secure Boot by using the [import-image](https://docs.aws.amazon.com/cli/latest/reference/ec2/import-image.html) command.
## Supported instance types
All virtualized instance types that support UEFI also support UEFI Secure Boot. For the instance types that support UEFI Secure Boot, see [Requirements for UEFI boot mode](launch-instance-boot-mode.md).
**Note**
Bare metal instance types do not support UEFI Secure Boot.
# Verify whether an Amazon EC2 instance is enabled for UEFI Secure Boot
You can use the following procedures to determine whether an Amazon EC2 is enabled for UEFI Secure Boot.
## Linux instances
You can use the `mokutil` utility to verify whether a Linux instance is enabled for UEFI Secure Boot. If `mokutil` is not installed on your instance, you must install it. For the installation instructions for Amazon Linux 2, see [Find and install software packages on an Amazon Linux 2 instance](https://docs.aws.amazon.com/linux/al2/ug/find-install-software.html). For other Linux distributions, see their specific documentation.
**To verify whether a Linux instance is enabled for UEFI Secure Boot**
Connect to your instance and run the following command as `root` in a terminal window.
```
mokutil --sb-state
```
The following is example output.
+ If UEFI Secure Boot is enabled, the output contains `SecureBoot enabled`.
+ If UEFI Secure Boot is not enabled, the output contains `SecureBoot disabled` or `Failed to read SecureBoot`.
## Windows instances
**To verify whether a Windows instance is enabled for UEFI Secure Boot**
1. Connect to your instance.
1. Open the msinfo32 tool.
1. Check the **Secure Boot State** field. If UEFI Secure Boot is enabled, the value is **Supported**, as shown in the following image.
![\[Secure Boot State within System Information.\]](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/images/secure-boot-state-win.png)
You can also use the Windows PowerShell Cmdlet `Confirm-SecureBootUEFI` to check the Secure Boot status. For more information about the cmdlet, see [Confirm-SecureBootUEFI](https://learn.microsoft.com/en-us/powershell/module/secureboot/confirm-securebootuefi) in the Microsoft Documentation.
# Create a Linux AMI with custom UEFI Secure Boot keys
These instructions show you how to create a Linux AMI with UEFI Secure Boot and custom-made private keys. Amazon Linux supports UEFI Secure Boot starting with AL2023 release 2023.1. For more information, see [UEFI Secure Boot on AL2023](https://docs.aws.amazon.com/linux/al2023/ug/uefi-secure-boot.html) in the *Amazon Linux 2023 User Guide*.
**Important**
The following procedure is intended for **advanced users only**. You must have sufficient knowledge of SSL and Linux distribution boot flow to use these procedures.
**Prerequisites**
+ The following tools will be used:
+ OpenSSL – [https://www.openssl.org/](https://www.openssl.org/)
+ efivar – [https://github.com/rhboot/efivar](https://github.com/rhboot/efivar)
+ efitools – [https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/)
+ [get-instance-uefi-data](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-instance-uefi-data.html) command
+ Your Linux instance must have been launched with a Linux AMI that supports UEFI boot mode, and have non-volatile data present.
Newly created instances without UEFI Secure Boot keys are created in `SetupMode`, which allows you to enroll your own keys. Some AMIs come preconfigured with UEFI Secure Boot and you cannot change the existing keys. If you want to change the keys, you must create a new AMI based on the original AMI.
You have two ways to propagate the keys in the variable store, which are described in Option A and Option B that follow. Option A describes how to do this from within the instance, mimicking the flow of real hardware. Option B describes how to create a binary blob, which is then passed as a base64-encoded file when you create the AMI. For both options, you must first create the three key pairs, which are used for the chain of trust.
**Topics**
+ [Task 1: Create key pairs](#uefi-secure-boot-create-three-key-pairs)
+ [Task 2 - Option A: Add keys to the variable store from within the instance](#uefi-secure-boot-optionA)
+ [Task 2 - Option B: Create a binary blob containing a pre-filled variable store](#uefi-secure-boot-optionB)
## Task 1: Create key pairs
UEFI Secure Boot is based on the following three key databases, which are used in a chain of trust: the platform key (PK), the key exchange key (KEK), and the signature database (db).¹
You create each key on the instance. To prepare the public keys in a format that is valid for the UEFI Secure Boot standard, you create a certificate for each key. `DER` defines the SSL format (binary encoding of a format). You then convert each certificate into a UEFI signature list, which is the binary format that is understood by UEFI Secure Boot. And finally, you sign each certificate with the relevant key.
**Topics**
+ [Prepare to create the key pairs](#uefisb-prepare-to-create-key-pairs)
+ [Key pair 1: Create the platform key (PK)](#uefisb-create-key-pair-1)
+ [Key pair 2: Create the key exchange key (KEK)](#uefisb-create-key-pair-2)
+ [Key pair 3: Create the signature database (db)](#uefisb-create-key-pair-3)
+ [Sign the boot image (kernel) with the private key](#uefi-secure-boot-sign-kernel)
### Prepare to create the key pairs
Before creating the key pairs, create a globally unique identifier (GUID) to be used in key generation.
1. [Connect to the instance](connect.md).
1. Run the following command in a shell prompt.
```
uuidgen --random > GUID.txt
```
### Key pair 1: Create the platform key (PK)
The PK is the root of trust for UEFI Secure Boot instances. The private PK is used to update the KEK, which in turn can be used to add authorized keys to the signature database (db).
The X.509 standard is used for creating the key pair. For information about the standard, see [X.509](https://en.wikipedia.org/wiki/X.509) on *Wikipedia*.
**To create the PK**
1. Create the key. You must name the variable `PK`.
```
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Platform key/" -out PK.crt
```
The following parameters are specified:
+ `-keyout PK.key` – The private key file.
+ `-days 3650` – The number of days that the certificate is valid.
+ `-out PK.crt` – The certificate that is used to create the UEFI variable.
+ `CN=Platform key` – The common name (CN) for the key. You can enter the name of your own organization instead of *Platform key*.
1. Create the certificate.
```
openssl x509 -outform DER -in PK.crt -out PK.cer
```
1. Convert the certificate into a UEFI signature list.
```
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
```
1. Sign the UEFI signature list with the private PK (self-signed).
```
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
```
### Key pair 2: Create the key exchange key (KEK)
The private KEK is used to add keys to the db, which is the list of authorized signatures to boot on the system.
**To create the KEK**
1. Create the key.
```
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Key Exchange Key/" -out KEK.crt
```
1. Create the certificate.
```
openssl x509 -outform DER -in KEK.crt -out KEK.cer
```
1. Convert the certificate into a UEFI signature list.
```
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
```
1. Sign the signature list with the private PK.
```
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
```
### Key pair 3: Create the signature database (db)
The db list contains authorized keys that are authorized to be booted on the system. To modify the list, the private KEK is necessary. Boot images will be signed with the private key that is created in this step.
**To create the db**
1. Create the key.
```
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Signature Database key/" -out db.crt
```
1. Create the certificate.
```
openssl x509 -outform DER -in db.crt -out db.cer
```
1. Convert the certificate into a UEFI signature list.
```
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
```
1. Sign the signature list with the private KEK.
```
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
```
### Sign the boot image (kernel) with the private key
For Ubuntu 22.04, the following images require signatures.
```
/boot/efi/EFI/ubuntu/shimx64.efi
/boot/efi/EFI/ubuntu/mmx64.efi
/boot/efi/EFI/ubuntu/grubx64.efi
/boot/vmlinuz
```
**To sign an image**
Use the following syntax to sign an image.
```
sbsign --key db.key --cert db.crt --output /boot/vmlinuz /boot/vmlinuz
```
**Note**
You must sign all new kernels. *`/boot/vmlinuz`* will usually symlink to the last installed kernel.
Refer to the documentation for your distribution to find out about your boot chain and required images.
¹ Thanks to the ArchWiki community for all of the work they have done. The commands for creating the PK, creating the KEK, creating the DB, and signing the image are from [Creating keys](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Creating_keys), authored by the ArchWiki Maintenance Team and/or the ArchWiki contributors.
## Task 2 - Option A: Add keys to the variable store from within the instance
After you have created the [three key pairs](#uefi-secure-boot-create-three-key-pairs), you can connect to your instance and add the keys to the variable store from within the instance by completing the following steps. Alternatively, complete the steps in [Task 2 - Option B: Create a binary blob containing a pre-filled variable store](#uefi-secure-boot-optionB).
**Topics**
+ [Step 1: Launch an instance that will support UEFI Secure Boot](#step1-launch-uefi-sb)
+ [Step 2: Configure an instance to support UEFI Secure Boot](#step2-launch-uefi-sb)
+ [Step 3: Create an AMI from the instance](#step3-launch-uefi-sb)
### Step 1: Launch an instance that will support UEFI Secure Boot
When you [launch an instance](LaunchingAndUsingInstances.md) with the following prerequisites, the instance will then be ready to be configured to support UEFI Secure Boot. You can only enable support for UEFI Secure Boot on an instance at launch; you can't enable it later.
**Prerequisites**
+ **AMI** – The Linux AMI must support UEFI boot mode. To verify that the AMI supports UEFI boot mode, the AMI boot mode parameter must be **uefi**. For more information, see [Determine the boot mode parameter of an Amazon EC2 AMI](ami-boot-mode.md).
Note that AWS only provides Linux AMIs configured to support UEFI for Graviton-based instance types. AWS currently does not provide x86\$164 Linux AMIs that support UEFI boot mode. You can configure your own AMI to support UEFI boot mode for all architectures. To configure your own AMI to support UEFI boot mode, you must perform a number of configuration steps on your own AMI. For more information, see [Set the boot mode of an Amazon EC2 AMI](set-ami-boot-mode.md).
+ **Instance type** – All virtualized instance types that support UEFI also support UEFI Secure Boot. Bare metal instance types do not support UEFI Secure Boot. For the instance types that support UEFI Secure Boot, see [Requirements for UEFI boot mode](launch-instance-boot-mode.md).
+ Launch your instance after the release of UEFI Secure Boot. Only instances launched after May 10, 2022 (when UEFI Secure Boot was released) can support UEFI Secure Boot.
After you’ve launched your instance, you can verify that it is ready to be configured to support UEFI Secure Boot (in other words, you can proceed to [Step 2](#step2-launch-uefi-sb)) by checking whether UEFI data is present. The presence of UEFI data indicates that non-volatile data is persisted.
**To verify whether your instance is ready for Step 2**
Use the [https://docs.aws.amazon.com/cli/latest/reference/ec2/get-instance-uefi-data.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-instance-uefi-data.html) command and specify the instance ID.
```
aws ec2 get-instance-uefi-data --instance-id i-1234567890abcdef0
```
The instance is ready for Step 2 if UEFI data is present in the output. If the output is empty, the instance cannot be configured to support UEFI Secure Boot. This can happen if your instance was launched before UEFI Secure Boot support became available. Launch a new instance and try again.
### Step 2: Configure an instance to support UEFI Secure Boot
#### Enroll the key pairs in your UEFI variable store on the instance
**Warning**
You must sign your boot images *after* you enroll the keys, otherwise you won’t be able to boot your instance.
After you create the signed UEFI signature lists (`PK`, `KEK`, and `db`), they must be enrolled into the UEFI firmware.
Writing to the `PK` variable is possible only if:
+ No PK is enrolled yet, which is indicated if the `SetupMode` variable is `1`. Check this by using the following command. The output is either `1` or `0`.
```
efivar -d -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-SetupMode
```
+ The new PK is signed by the private key of the existing PK.
**To enroll the keys in your UEFI variable store**
The following commands must be run on the instance.
If SetupMode is enabled (the value is `1`), the keys can be enrolled by running the following commands on the instance:
```
[ec2-user ~]$ efi-updatevar -f db.auth db
```
```
[ec2-user ~]$ efi-updatevar -f KEK.auth KEK
```
```
[ec2-user ~]$ efi-updatevar -f PK.auth PK
```
**To verify that UEFI Secure Boot is enabled**
To verify that UEFI Secure Boot is enabled, follow the steps in [Verify whether an Amazon EC2 instance is enabled for UEFI Secure Boot](verify-uefi-secure-boot.md).
You can now export your UEFI variable store with the [https://docs.aws.amazon.com/cli/latest/reference/ec2/get-instance-uefi-data.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-instance-uefi-data.html) CLI command, or you continue to the next step and sign your boot images to reboot into a UEFI Secure Boot-enabled instance.
### Step 3: Create an AMI from the instance
To create an AMI from the instance, you can use the console or the `CreateImage` API, CLI, or SDKs. For the console instructions, see [Create an Amazon EBS-backed AMI](creating-an-ami-ebs.md). For the API instructions, see [CreateImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateImage.html).
**Note**
The `CreateImage` API automatically copies the UEFI variable store of the instance to the AMI. The console uses the `CreateImage` API. After you launch instances using this AMI, the instances will have the same UEFI variable store.
## Task 2 - Option B: Create a binary blob containing a pre-filled variable store
After you have created the [three key pairs](#uefi-secure-boot-create-three-key-pairs), you can create a binary blob containing a pre-filled variable store containing the UEFI Secure Boot keys. Alternatively, complete the steps in [Task 2 - Option A: Add keys to the variable store from within the instance](#uefi-secure-boot-optionA).
**Warning**
You must sign your boot images *before* you enroll the keys, otherwise you won’t be able to boot your instance.
**Topics**
+ [Step 1: Create a new variable store or update an existing one](#uefi-secure-boot-create-or-update-variable)
+ [Step 2: Upload the binary blob on AMI creation](#uefi-secure-boot-upload-binary-blob-on-ami-creation)
### Step 1: Create a new variable store or update an existing one
You can create the variable store *offline* without a running instance by using the python-uefivars tool. The tool can create a new variable store from your keys. The script currently supports the EDK2 format, the AWS format, and a JSON representation that is easier to edit with higher-level tooling.
**To create the variable store offline without a running instance**
1. Download the tool at the following link.
```
https://github.com/awslabs/python-uefivars
```
1. Create a new variable store from your keys by running the following command. This will create a base64-encoded binary blob in *your\$1binary\$1blob*.bin. The tool also supports updating a binary blob via the `-I` parameter.
```
./uefivars.py -i none -o aws -O your_binary_blob.bin -P PK.esl -K KEK.esl --db db.esl --dbx dbx.esl
```
### Step 2: Upload the binary blob on AMI creation
Use [https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/register-image.html) to pass your UEFI variable store data. For the `--uefi-data` parameter, specify your binary blob, and for the `--boot-mode` parameter, specify `uefi`.
```
aws ec2 register-image \
--name uefi_sb_tpm_register_image_test \
--uefi-data $(cat your_binary_blob.bin) \
--block-device-mappings "DeviceName=/dev/sda1,Ebs= {SnapshotId=snap-0123456789example,DeleteOnTermination=true}" \
--architecture x86_64 \
--root-device-name /dev/sda1 \
--virtualization-type hvm \
--ena-support \
--boot-mode uefi
```
# Create the AWS binary blob for UEFI Secure Boot
You can use the following steps to customize the UEFI Secure Boot variables during AMI creation. The KEK that is used in these steps is current as of September 2021. If Microsoft updates the KEK, you must use the latest KEK.
**To create the AWS binary blob**
1. Create an empty PK signature list.
```
touch empty_key.crt
cert-to-efi-sig-list empty_key.crt PK.esl
```
1. Download the KEK certificates.
```
https://go.microsoft.com/fwlink/?LinkId=321185
```
1. Wrap the KEK certificates in a UEFI signature list (`siglist`).
```
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_KEK.esl MicCorKEKCA2011_2011-06-24.crt
```
1. Download Microsoft's db certificates.
```
https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
```
1. Generate the db signature list.
```
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt
cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
```
1. The Unified Extensible Firmware Interface Forum no longer provides the DBX files. They are now provided by Microsoft on GitHub. Download the latest DBX update from the Microsoft Secure Boot updates repository at [ https://github.com/microsoft/secureboot\$1objects](https://github.com/microsoft/secureboot_objects).
1. Unpack the signed update-binary.
Create `SplitDbxContent.ps1` with the script content below. Alternatively, you can install the script from [ PowerShell Gallery](https://www.powershellgallery.com/packages/SplitDbxContent/1.0) using `Install-Script -Name SplitDbxContent`.
```
<#PSScriptInfo
.VERSION 1.0
.GUID ec45a3fc-5e87-4d90-b55e-bdea083f732d
.AUTHOR Microsoft Secure Boot Team
.COMPANYNAME Microsoft
.COPYRIGHT Microsoft
.TAGS Windows Security
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
Version 1.0: Original published version.
#>
<#
.DESCRIPTION
Splits a DBX update package into the new DBX variable contents and the signature authorizing the change.
To apply an update using the output files of this script, try:
Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite'
.EXAMPLE
.\SplitDbxAuthInfo.ps1 DbxUpdate_x64.bin
#>
# Get file from script input
$file = Get-Content -Encoding Byte $args[0]
# Identify file signature
$chop = $file[40..($file.Length - 1)]
if (($chop[0] -ne 0x30) -or ($chop[1] -ne 0x82 )) {
Write-Error "Cannot find signature"
exit 1
}
# Signature is known to be ASN size plus header of 4 bytes
$sig_length = ($chop[2] * 256) + $chop[3] + 4
$sig = $chop[0..($sig_length - 1)]
if ($sig_length -gt ($file.Length + 40)) {
Write-Error "Signature longer than file size!"
exit 1
}
# Content is everything else
$content = $file[0..39] + $chop[$sig_length..($chop.Length - 1)]
# Write signature and content to files
Set-Content -Encoding Byte signature.p7 $sig
Set-Content -Encoding Byte content.bin $content
```
Use the script to unpack the signed DBX files.
```
PS C:\Windows\system32> SplitDbxContent.ps1 .\dbx.bin
```
This produces two files — `signature.p7` and `content.bin`. Use `content.bin` in the next step.
1. Build a UEFI variable store using the `uefivars.py` script.
```
./uefivars.py -i none -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl --dbx ~/content.bin
```
1. Check the binary blob and the UEFI variable store.
```
./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o json | less
```
1. You can update the blob by passing it to the same tool again.
```
./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl --dbx ~/content.bin
```
Expected output
```
Replacing PK
Replacing KEK
Replacing db
Replacing dbx
```