AWS AWSEC2 documentation change
Summary
Updated EFA installer version from 1.47.0 to 1.48.0 and added optional package signature verification feature using --check-signatures flag
Security assessment
The change adds documentation for a new security feature (GPG signature verification of individual packages) in EFA installer 1.48.0, which helps protect against broken or malicious packages. This is a proactive security enhancement, not a response to a specific security incident.
Diff
diff --git a/AWSEC2/latest/UserGuide/efa-start.md b/AWSEC2/latest/UserGuide/efa-start.md index dc905ceab..594dd3dd5 100644 --- a//AWSEC2/latest/UserGuide/efa-start.md +++ b//AWSEC2/latest/UserGuide/efa-start.md @@ -182 +182 @@ You can also get the latest version by replacing the version number with `latest - $ curl -O https://efa-installer.amazonaws.com/aws-efa-installer-1.47.0.tar.gz + $ curl -O https://efa-installer.amazonaws.com/aws-efa-installer-1.48.0.tar.gz @@ -206 +206 @@ The command should return a fingerprint that is identical to `4E90 91BC BB97 A96 - $ wget https://efa-installer.amazonaws.com/aws-efa-installer-1.47.0.tar.gz.sig && gpg --verify ./aws-efa-installer-1.47.0.tar.gz.sig + $ wget https://efa-installer.amazonaws.com/aws-efa-installer-1.48.0.tar.gz.sig && gpg --verify ./aws-efa-installer-1.48.0.tar.gz.sig @@ -222 +222 @@ Show moreShow less - $ tar -xf aws-efa-installer-1.47.0.tar.gz && cd aws-efa-installer + $ tar -xf aws-efa-installer-1.48.0.tar.gz && cd aws-efa-installer @@ -224 +224,27 @@ Show moreShow less - 7. Install the EFA software. Do one of the following depending on your use case. + 7. (_Optional_) Verify individual package signatures during installation. + +Starting with EFA installer 1.48.0, the installer includes GPG-signed individual RPM and DEB packages. To verify the authenticity and integrity of each individual package during installation, use the `--check-signatures` flag. When you enable this flag, the installer verifies all package signatures first, and only proceeds with installation if every package passes verification. If any package fails verification, the installer exits immediately without installing anything. + + 1. Download the GPG public key. + + $ wget https://efa-installer.amazonaws.com/aws-efa-installer.key + + 2. Export the key path. Then, in the next step, append `--check-signatures` to the installation command and use `sudo -E` instead of `sudo` to preserve the environment variable. + + $ export EFA_INSTALLER_KEY=$(pwd)/aws-efa-installer.key + +On RPM-based systems (Amazon Linux, RHEL, Rocky Linux, and SUSE), the installer verifies each RPM using `rpm --checksig`. On DEB-based systems (Ubuntu, Debian), the installer verifies each DEB using GPG signature verification. + +If verification of any package fails, the installation immediately aborts, protecting your system against broken or malicious packages. + +###### Note + +The `--check-signatures` flag is optional. Without it, the installer does not perform individual signature verification. + +Show moreShow less + + 8. Install the EFA software. Do one of the following depending on your use case. + +###### Note + +If you completed the previous optional step to set up package signature verification, append `--check-signatures` to the installation command and use `sudo -E` instead of `sudo`. For example: `sudo -E ./efa_installer.sh -y --check-signatures`. @@ -267 +293 @@ To install the EFA software without Libfabric and Open MPI, run the following co - 8. If the EFA installer prompts you to reboot the instance, do so and then reconnect to the instance. Otherwise, log out of the instance and then log back in to complete the installation. + 9. If the EFA installer prompts you to reboot the instance, do so and then reconnect to the instance. Otherwise, log out of the instance and then log back in to complete the installation. @@ -269 +295 @@ To install the EFA software without Libfabric and Open MPI, run the following co - 9. Delete the uncompressed tarball and the tarball itself. Otherwise, these will be included in the EFA-enabled AMI that you create, increasing its size. + 10. Delete the uncompressed tarball and the tarball itself. Otherwise, these will be included in the EFA-enabled AMI that you create, increasing its size.