Hybrid Boot and SEV-SNP support in AWS EC2


A while back AWS introduced UEFI support for specific instance types. Then, in March of 2023, AWS enabled hybrid boot for AMIs, and, in addition to the memory encryption that EC2 already supported, AWS recently announced support for attestation, also known as SEV-SNP. Throughout this process AWS and SUSE have worked closely together to ensure these features are supported in SUSE Linux Enterprise.

SUSE Linux Enterprise and openSUSE images have been ready for UEFI boot from day one, and anyone could create an image that uses UEFI Secure Boot. However, the SLE and openSUSE images published by SUSE remained set to boot with BIOS until a few days ago. Any SLE image published with a date stamp of 20230428 or later is registered with the relatively new “uefi-preferred” boot mode setting. openSUSE images with a date stamp of 20230504 or later have the same setting. This setting indicates that the image is capable of hybrid boot; more on hybrid boot below.

This raises the logical question: why had SUSE not published a UEFI-bootable image until now?

The answer is fairly simple: duplication of images. Until March 6, 2023 an x86_64 image was registered either for BIOS or for UEFI booting; a hybrid boot setup was not recognized by the platform. With hybrid boot enabled in EC2, SLE images with date stamps of 20230428 or later now boot with UEFI Secure Boot or BIOS depending on the instance type. For openSUSE images this applies to images with a date stamp of 20230504 or later.

What does hybrid-boot mean?

In general it means that a system can boot with either EFI (Extensible Firmware Interface) or BIOS (Basic Input/Output System) as its firmware. In EC2 the “uefi-preferred” setting means that an x86_64 image will boot using UEFI Secure Boot on instance types that support UEFI and will boot using BIOS on instance types that do not support UEFI. Both firmware implementations are supported with the same image.
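Because the same image may come up under either firmware, it is worth verifying from inside the instance which one actually booted it and whether Secure Boot is being enforced. The following script is an added example, not code from the original post or from SUSE: it reads the standard Linux sysfs/efivarfs locations (the kernel only creates /sys/firmware/efi when started by UEFI firmware, and the SecureBoot EFI variable carries a 4-byte attribute header followed by one data byte), and shows the AWS CLI query for the registered BootMode of an AMI. The function names and the sysfs-root parameter are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): check, on a running SLE or
# openSUSE instance, which firmware a "uefi-preferred" AMI booted with and
# whether UEFI Secure Boot is enforced. Function names and the sysfs-root
# parameter are this example's own; the sysfs paths and the SecureBoot
# variable GUID are the standard Linux/UEFI ones.

# UEFI SecureBoot variable as exposed by efivarfs: 4 attribute bytes, then
# one data byte (1 = Secure Boot enabled, 0 = disabled).
SECUREBOOT_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# boot_mode_from_sysfs SYSFS_ROOT -> prints "uefi" or "bios".
# /sys/firmware/efi exists only when the kernel was started by UEFI firmware,
# so its absence means the instance type fell back to BIOS.
boot_mode_from_sysfs() {
    if [ -d "$1/firmware/efi" ]; then
        echo uefi
    else
        echo bios
    fi
}

# secure_boot_state_from_file EFIVAR_FILE -> prints "enabled", "disabled"
# or "unknown" (variable missing, unreadable or malformed).
secure_boot_state_from_file() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 0
    fi
    # Skip the 4 attribute bytes (-j4) and read a single data byte (-N1).
    value=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# report_boot_state [SYSFS_ROOT] -> one summary line for this instance.
report_boot_state() {
    root="${1:-/sys}"
    mode=$(boot_mode_from_sysfs "$root")
    if [ "$mode" = uefi ]; then
        sb=$(secure_boot_state_from_file "$root/firmware/efi/efivars/$SECUREBOOT_VAR")
        echo "firmware=uefi secure_boot=$sb"
    else
        echo "firmware=bios secure_boot=n/a"
    fi
}

# ami_boot_mode AMI_ID -> the BootMode the image was registered with
# (expected "uefi-preferred" for SLE >= 20230428 / openSUSE >= 20230504).
# Needs the AWS CLI and credentials, so it is not exercised offline.
ami_boot_mode() {
    aws ec2 describe-images --image-ids "$1" \
        --query 'Images[0].BootMode' --output text
}

# Run the live report only when asked, so the file can also be sourced
# for its functions:  RUN_BOOT_REPORT=1 sh boot-state.sh
if [ "${RUN_BOOT_REPORT:-0}" = 1 ]; then
    report_boot_state
fi
```

On a UEFI-capable instance type the report should read `firmware=uefi secure_boot=enabled`; on an instance type without UEFI support the same image reports `firmware=bios`, which is the hybrid-boot fallback rather than a misconfiguration.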

Support for attestation, i.e. SEV-SNP

Attestation requires SLE 15 SP4 (or a later Service Pack) or openSUSE Leap 15.4 (or later) images for your instances. Before you can follow the validation process that is part of the AWS documentation, some extra steps are required.

  1. Install the necessary development packages:
    1. zypper in git make gcc libopenssl-1_1-devel kernel-source linux-glibc-devel libuuid-devel automake autoconf gcc-c++
  2. Update the kernel headers (only needed in instances launched from images with a date stamp earlier than v20230719):
    1. cd /usr/src/linux-$VERSION
    2. make headers_install ARCH=x86_64 INSTALL_HDR_PATH=/usr/
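The two steps above as a single script, added here as an example and not taken from the original post or from SUSE's packaging. The package list and the 20230719 threshold come from the post; the image date stamp is passed in by the caller, since the post gives no command to derive it. The function names, the `zypper --non-interactive` form, and the lookup of the kernel-source directory (the post writes it as /usr/src/linux-$VERSION; the script assumes a single /usr/src/linux-<version> tree) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the SEV-SNP preparation steps
# for SLE 15 SP4+ / openSUSE Leap 15.4+ instances as one script.
# Package list and the 20230719 threshold are from the post; the date stamp
# must be supplied by the caller. Function names and the kernel-source
# directory lookup are this example's own assumptions.

HEADER_FIX_BEFORE=20230719

# needs_header_update DATESTAMP -> exit 0 (true) when the image is older
# than 20230719 and so needs the headers_install step, 1 otherwise.
# Accepts "20230428" or "v20230428"; anything else is rejected (exit 2).
needs_header_update() {
    stamp="${1#v}"
    case "$stamp" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad image date stamp: '$1'" >&2; return 2 ;;
    esac
    [ "$stamp" -lt "$HEADER_FIX_BEFORE" ]
}

# kernel_source_dir -> prints the tree that kernel-source unpacked into.
# Assumption: exactly one /usr/src/linux-<version> directory is installed
# (the post calls it /usr/src/linux-$VERSION).
kernel_source_dir() {
    set -- /usr/src/linux-[0-9]*
    [ -d "$1" ] || { echo "no kernel-source tree under /usr/src" >&2; return 1; }
    echo "$1"
}

# prepare_sev_guest_build DATESTAMP: step 1 (packages) always, step 2
# (kernel headers) only for images older than the threshold.
prepare_sev_guest_build() {
    stamp="$1"
    zypper --non-interactive install git make gcc libopenssl-1_1-devel \
        kernel-source linux-glibc-devel libuuid-devel automake autoconf gcc-c++
    if needs_header_update "$stamp"; then
        srcdir=$(kernel_source_dir) || return 1
        ( cd "$srcdir" && make headers_install ARCH=x86_64 INSTALL_HDR_PATH=/usr/ )
    else
        echo "image $stamp already ships current headers; skipping headers_install"
    fi
}

# Usage (as root on the instance):  RUN_SEV_PREP=1 sh prep-sev-guest.sh 20230428
# The guard keeps the file sourceable for its functions without side effects.
if [ "${RUN_SEV_PREP:-0}" = 1 ]; then
    prepare_sev_guest_build "${1:?usage: $0 IMAGE_DATESTAMP}"
fi
```

Running the header step on a newer image is harmless but unnecessary; the date check simply mirrors the condition the post attaches to step 2, and rejecting malformed stamps avoids silently skipping the step because of a typo.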

After this you can follow the instructions in the AWS Documentation.

We are working on providing the sev-guest tools as a package; the steps above will eventually boil down to a simple zypper install command.

