AWS Security ChangesHomeSearch

AWS AWSEC2 medium security documentation change

Service: AWSEC2 · 2025-07-10 · Security-related medium

File: AWSEC2/latest/UserGuide/aws-binary-blob-creation.md

Summary

Updated instructions for handling UEFI Secure Boot variables, changed DBX file source to Microsoft's GitHub, added PowerShell script for splitting DBX content

Security assessment

Directly documents Secure Boot configuration processes and updates procedures for handling security-critical DBX revocation lists. Addresses changes in secure boot revocation list sources which is fundamental to maintaining secure boot integrity.

Diff

diff --git a/AWSEC2/latest/UserGuide/aws-binary-blob-creation.md b/AWSEC2/latest/UserGuide/aws-binary-blob-creation.md
index 0d9b68b7d..b53420e61 100644
--- a//AWSEC2/latest/UserGuide/aws-binary-blob-creation.md
+++ b//AWSEC2/latest/UserGuide/aws-binary-blob-creation.md
@@ -35 +35 @@ You can use the following steps to customize the UEFI Secure Boot variables duri
-  6. Download an updated dbx change request from the following link.
+  6. The Unified Extensible Firmware Interface Forum no longer provides the DBX files. They are now provided by Microsoft on GitHub. Download the latest DBX update from the Microsoft Secure Boot updates repository at [ https://github.com/microsoft/secureboot_objects](https://github.com/microsoft/secureboot_objects).
@@ -37 +37 @@ You can use the following steps to customize the UEFI Secure Boot variables duri
-        https://uefi.org/revocationlistfile
+  7. Unpack the signed update-binary.
@@ -39 +39 @@ You can use the following steps to customize the UEFI Secure Boot variables duri
-  7. The dbx change request that you downloaded in the previous step is already signed with the Microsoft KEK, so you need to strip or unpack it. You can use the following links.
+Create `SplitDbxContent.ps1` with the script content below. Alternatively, you can install the script from [ PowerShell Gallery](https://www.powershellgallery.com/packages/SplitDbxContent/1.0) using `Install-Script -Name SplitDbxContent`.
@@ -41 +41 @@ You can use the following steps to customize the UEFI Secure Boot variables duri
-        https://gist.github.com/out0xb2/f8e0bae94214889a89ac67fceb37f8c0
+        <#PSScriptInfo
@@ -43 +43,70 @@ You can use the following steps to customize the UEFI Secure Boot variables duri
-        https://support.microsoft.com/en-us/topic/microsoft-guidance-for-applying-secure-boot-dbx-update-e3b9e4cb-a330-b3ba-a602-15083965d9ca
+    .VERSION 1.0
+     
+    .GUID ec45a3fc-5e87-4d90-b55e-bdea083f732d
+     
+    .AUTHOR Microsoft Secure Boot Team
+     
+    .COMPANYNAME Microsoft
+     
+    .COPYRIGHT Microsoft
+     
+    .TAGS Windows Security
+     
+    .LICENSEURI
+     
+    .PROJECTURI
+     
+    .ICONURI
+     
+    .EXTERNALMODULEDEPENDENCIES
+     
+    .REQUIREDSCRIPTS
+     
+    .EXTERNALSCRIPTDEPENDENCIES
+     
+    .RELEASENOTES
+    Version 1.0: Original published version.
+     
+    #>
+    
+    <#
+    .DESCRIPTION
+     Splits a DBX update package into the new DBX variable contents and the signature authorizing the change.
+     To apply an update using the output files of this script, try:
+     Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite'
+    .EXAMPLE
+    .\SplitDbxAuthInfo.ps1 DbxUpdate_x64.bin
+    #>
+    
+    
+    # Get file from script input
+    $file  = Get-Content -Encoding Byte $args[0]
+    
+    # Identify file signature
+    $chop = $file[40..($file.Length - 1)]
+    if (($chop[0] -ne 0x30) -or ($chop[1] -ne 0x82 )) {
+        Write-Error "Cannot find signature"
+        exit 1
+    }
+    
+    # Signature is known to be ASN size plus header of 4 bytes
+    $sig_length = ($chop[2] * 256) + $chop[3] + 4
+    $sig = $chop[0..($sig_length - 1)]
+    
+    if ($sig_length -gt ($file.Length + 40)) {
+        Write-Error "Signature longer than file size!"
+        exit 1
+    }
+    
+    # Content is everything else
+    $content = $file[0..39] + $chop[$sig_length..($chop.Length - 1)]
+    
+    # Write signature and content to files
+    Set-Content -Encoding Byte signature.p7 $sig
+    Set-Content -Encoding Byte content.bin $content
+
+Use the script to unpack the signed DBX files.
+    
+        PS C:\Windows\system32> SplitDbxContent.ps1 .\dbx.bin
+
+This produces two files — `signature.p7` and `content.bin`. Use `content.bin` in the next step.
@@ -47 +116 @@ You can use the following steps to customize the UEFI Secure Boot variables duri
-        ./uefivars.py -i none -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl  --dbx ~/dbx-2021-April.bin 
+        ./uefivars.py -i none -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl  --dbx ~/content.bin 
@@ -55 +124 @@ You can use the following steps to customize the UEFI Secure Boot variables duri
-        ./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl  --dbx ~/dbx-2021-April.bin						
+        ./uefivars.py -i aws -I uefiblob-microsoft-keys-empty-pk.bin -o aws -O uefiblob-microsoft-keys-empty-pk.bin -P ~/PK.esl -K ~/MS_Win_KEK.esl --db ~/MS_db.esl  --dbx ~/content.bin