AWS AWSEC2 documentation change
Summary
Updated EFA installer version from 1.47.0 to 1.48.0 and added optional package signature verification feature using --check-signatures flag
Security assessment
The change adds documentation for a new security feature (GPG signature verification of individual packages) in EFA installer 1.48.0, which helps protect against broken or malicious packages. This is a proactive security enhancement, not a response to a specific security incident.
Diff
diff --git a/AWSEC2/latest/UserGuide/efa-start-nixl.md b/AWSEC2/latest/UserGuide/efa-start-nixl.md index 537fa9261..6b798f22f 100644 --- a//AWSEC2/latest/UserGuide/efa-start-nixl.md +++ b//AWSEC2/latest/UserGuide/efa-start-nixl.md @@ -265 +265 @@ Install the EFA-enabled kernel, EFA drivers, and Libfabric stack that is require - $ curl -O https://efa-installer.amazonaws.com/aws-efa-installer-1.47.0.tar.gz + $ curl -O https://efa-installer.amazonaws.com/aws-efa-installer-1.48.0.tar.gz @@ -269 +269 @@ Install the EFA-enabled kernel, EFA drivers, and Libfabric stack that is require - $ tar -xf aws-efa-installer-1.47.0.tar.gz && rm -rf aws-efa-installer-1.47.0.tar.gz && cd aws-efa-installer + $ tar -xf aws-efa-installer-1.48.0.tar.gz && rm -rf aws-efa-installer-1.48.0.tar.gz && cd aws-efa-installer @@ -271 +271,27 @@ Install the EFA-enabled kernel, EFA drivers, and Libfabric stack that is require - 4. Run the EFA software installation script. + 4. (_Optional_) Verify individual package signatures during installation. + +Starting with EFA installer 1.48.0, the installer includes GPG-signed individual RPM and DEB packages. To verify the authenticity and integrity of each individual package during installation, use the `--check-signatures` flag. When you enable this flag, the installer verifies all package signatures first, and only proceeds with installation if every package passes verification. If any package fails verification, the installer exits immediately without installing anything. + + 1. Download the GPG public key. + + $ wget https://efa-installer.amazonaws.com/aws-efa-installer.key + + 2. Export the key path. Then, in the next step, append `--check-signatures` to the installation command and use `sudo -E` instead of `sudo` to preserve the environment variable. + + $ export EFA_INSTALLER_KEY=$(pwd)/aws-efa-installer.key + +On RPM-based systems (Amazon Linux, RHEL, Rocky Linux, and SUSE), the installer verifies each RPM using `rpm --checksig`. On DEB-based systems (Ubuntu, Debian), the installer verifies each DEB using GPG signature verification. + +If verification of any package fails, the installation immediately aborts, protecting your system against broken or malicious packages. + +###### Note + +The `--check-signatures` flag is optional. Without it, the installer does not perform individual signature verification. + +Show moreShow less + + 5. Run the EFA software installation script. + +###### Note + +If you completed the previous optional step to set up package signature verification, append `--check-signatures` to the installation command and use `sudo -E` instead of `sudo`. For example: `sudo -E ./efa_installer.sh -y --check-signatures`. @@ -277 +303 @@ Install the EFA-enabled kernel, EFA drivers, and Libfabric stack that is require - 5. If the EFA installer prompts you to reboot the instance, do so and then reconnect to the instance. Otherwise, log out of the instance and then log back in to complete the installation. + 6. If the EFA installer prompts you to reboot the instance, do so and then reconnect to the instance. Otherwise, log out of the instance and then log back in to complete the installation. @@ -279 +305 @@ Install the EFA-enabled kernel, EFA drivers, and Libfabric stack that is require - 6. Confirm that the EFA software components were successfully installed. + 7. Confirm that the EFA software components were successfully installed.