AWS AWSEC2 documentation change
Summary
Updated EFA installer version from 1.47.0 to 1.48.0 and added documentation for new optional package signature verification feature using --check-signatures flag
Security assessment
This change adds comprehensive documentation about a new security feature that enables verification of individual RPM/DEB package signatures during installation. The documentation explains how to use the --check-signatures flag to prevent installation of broken or malicious packages. While this enhances security, it documents a new security feature rather than addressing a specific security vulnerability.
Diff
diff --git a/AWSEC2/latest/UserGuide/efa-start-nccl.md b/AWSEC2/latest/UserGuide/efa-start-nccl.md index 312b25f4c..75684a96e 100644 --- a//AWSEC2/latest/UserGuide/efa-start-nccl.md +++ b//AWSEC2/latest/UserGuide/efa-start-nccl.md @@ -444 +444 @@ You can also get the latest version by replacing the version number with `latest - $ curl -O https://efa-installer.amazonaws.com/aws-efa-installer-1.47.0.tar.gz + $ curl -O https://efa-installer.amazonaws.com/aws-efa-installer-1.48.0.tar.gz @@ -468 +468 @@ The command should return a fingerprint that is identical to `4E90 91BC BB97 A96 - $ wget https://efa-installer.amazonaws.com/aws-efa-installer-1.47.0.tar.gz.sig && gpg --verify ./aws-efa-installer-1.47.0.tar.gz.sig + $ wget https://efa-installer.amazonaws.com/aws-efa-installer-1.48.0.tar.gz.sig && gpg --verify ./aws-efa-installer-1.48.0.tar.gz.sig @@ -484 +484 @@ Show moreShow less - $ tar -xf aws-efa-installer-1.47.0.tar.gz && cd aws-efa-installer + $ tar -xf aws-efa-installer-1.48.0.tar.gz && cd aws-efa-installer @@ -486 +486,27 @@ Show moreShow less - 5. Run the EFA software installation script. + 5. (_Optional_) Verify individual package signatures during installation. + +Starting with EFA installer 1.48.0, the installer includes GPG-signed individual RPM and DEB packages. To verify the authenticity and integrity of each individual package during installation, use the `--check-signatures` flag. When you enable this flag, the installer verifies all package signatures first, and only proceeds with installation if every package passes verification. If any package fails verification, the installer exits immediately without installing anything. + + 1. Download the GPG public key. + + $ wget https://efa-installer.amazonaws.com/aws-efa-installer.key + + 2. Export the key path. Then, in the next step, append `--check-signatures` to the installation command and use `sudo -E` instead of `sudo` to preserve the environment variable. + + $ export EFA_INSTALLER_KEY=$(pwd)/aws-efa-installer.key + +On RPM-based systems (Amazon Linux, RHEL, Rocky Linux, and SUSE), the installer verifies each RPM using `rpm --checksig`. On DEB-based systems (Ubuntu, Debian), the installer verifies each DEB using GPG signature verification. + +If verification of any package fails, the installation immediately aborts, protecting your system against broken or malicious packages. + +###### Note + +The `--check-signatures` flag is optional. Without it, the installer does not perform individual signature verification. + +Show moreShow less + + 6. Run the EFA software installation script. + +###### Note + +If you completed the previous optional step to set up package signature verification, append `--check-signatures` to the installation command and use `sudo -E` instead of `sudo`. For example: `sudo -E ./efa_installer.sh -y --mpi=openmpi4 --check-signatures`. @@ -496 +522 @@ From EFA 1.30.0, both Open MPI 4.1 and Open MPI 5 are installed by default. Unle - 6. If the EFA installer prompts you to reboot the instance, do so and then reconnect to the instance. Otherwise, log out of the instance and then log back in to complete the installation. + 7. If the EFA installer prompts you to reboot the instance, do so and then reconnect to the instance. Otherwise, log out of the instance and then log back in to complete the installation. @@ -498 +524 @@ From EFA 1.30.0, both Open MPI 4.1 and Open MPI 5 are installed by default. Unle - 7. Confirm that the EFA software components were successfully installed. + 8. Confirm that the EFA software components were successfully installed.