GNU GRUB Manual 2.14

Next: , Up: (dir)   [Contents][Index]

GNU GRUB manual

This is the documentation of GNU GRUB, the GRand Unified Bootloader, a flexible and powerful boot loader program for a wide range of architectures.

This edition documents version 2.14.

This manual is for GNU GRUB (version 2.14, 8 January 2026).

Copyright © 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections.

Table of Contents

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

1 Introduction to GRUB

Next: , Up: Introduction to GRUB   [Contents][Index]

1.1 Overview

Briefly, a boot loader is the first software program that runs when a computer starts. It is responsible for loading and transferring control to an operating system kernel software (such as Linux or GNU Mach). The kernel, in turn, initializes the rest of the operating system (e.g. a GNU system).

GNU GRUB is a very powerful boot loader, which can load a wide variety of free operating systems, as well as proprietary operating systems with chain-loading1. GRUB is designed to address the complexity of booting a personal computer; both the program and this manual are tightly bound to that computer platform, although porting to other platforms may be addressed in the future.

One of the important features in GRUB is flexibility; GRUB understands filesystems and kernel executable formats, so you can load an arbitrary operating system the way you like, without recording the physical position of your kernel on the disk. Thus you can load the kernel just by specifying its file name and the drive and partition where the kernel resides.

When booting with GRUB, you can use either a command-line interface (see The flexible command-line interface), or a menu interface (see The simple menu interface). Using the command-line interface, you type the drive specification and file name of the kernel manually. In the menu interface, you just select an OS using the arrow keys. The menu is based on a configuration file which you prepare beforehand (see Writing your own configuration file). While in the menu, you can switch to the command-line mode, and vice-versa. You can even edit menu entries before using them.

In the following chapters, you will learn how to specify a drive, a partition, and a file name (see Naming convention) to GRUB, how to install GRUB on your drive (see Installation), and how to boot your OSes (see Booting), step by step.

Next: , Previous: , Up: Introduction to GRUB   [Contents][Index]

1.2 History of GRUB

GRUB originated in 1995 when Erich Boleyn was trying to boot the GNU Hurd with the University of Utah’s Mach 4 microkernel (now known as GNU Mach). Erich and Brian Ford designed the Multiboot Specification (see Motivation in The Multiboot Specification), because they were determined not to add to the large number of mutually-incompatible PC boot methods.

Erich then began modifying the FreeBSD boot loader so that it would understand Multiboot. He soon realized that it would be a lot easier to write his own boot loader from scratch than to keep working on the FreeBSD boot loader, and so GRUB was born.

Erich added many features to GRUB, but other priorities prevented him from keeping up with the demands of its quickly-expanding user base. In 1999, Gordon Matzigkeit and Yoshinori K. Okuji adopted GRUB as an official GNU package, and opened its development by making the latest sources available via anonymous CVS. See How to obtain and build GRUB, for more information.

Over the next few years, GRUB was extended to meet many needs, but it quickly became clear that its design was not keeping up with the extensions being made to it, and we reached the point where it was very difficult to make any further changes without breaking existing features. Around 2002, Yoshinori K. Okuji started work on PUPA (Preliminary Universal Programming Architecture for GNU GRUB), aiming to rewrite the core of GRUB to make it cleaner, safer, more robust, and more powerful. PUPA was eventually renamed to GRUB 2, and the original version of GRUB was renamed to GRUB Legacy. Small amounts of maintenance continued to be done on GRUB Legacy, but the last release (0.97) was made in 2005 and at the time of writing it seems unlikely that there will be another.

By around 2007, GNU/Linux distributions started to use GRUB 2 to limited extents, and by the end of 2009 multiple major distributions were installing it by default.

Next: , Previous: , Up: Introduction to GRUB   [Contents][Index]

1.3 Differences from previous versions

GRUB 2 is a rewrite of GRUB (see History of GRUB), although it shares many characteristics with the previous version, now known as GRUB Legacy. Users of GRUB Legacy may need some guidance to find their way around this new version.

  • The configuration file has a new name (grub.cfg rather than menu.lst or grub.conf), new syntax (see Writing your own configuration file) and many new commands (see Available commands). Configuration cannot be copied over directly, although most GRUB Legacy users should not find the syntax too surprising.
  • grub.cfg is typically automatically generated by grub-mkconfig (see Simple configuration handling). This makes it easier to handle versioned kernel upgrades.
  • Partition numbers in GRUB device names now start at 1, not 0 (see Naming convention).
  • The configuration file is now written in something closer to a full scripting language: variables, conditionals, and loops are available.
  • A small amount of persistent storage is available across reboots, using the save_env and load_env commands in GRUB and the grub-editenv utility. This is not available in all configurations (see The GRUB environment block).
  • GRUB 2 has more reliable ways to find its own files and those of target kernels on multiple-disk systems, and has commands (see search) to find devices using file system labels or Universally Unique Identifiers (UUIDs).
  • GRUB 2 is available for several other types of system in addition to the PC BIOS systems supported by GRUB Legacy: PC EFI, PC coreboot, PowerPC, SPARC, and MIPS Lemote Yeeloong are all supported.
  • Many more file systems are supported, including but not limited to ext4, HFS+, and NTFS.
  • GRUB 2 can read files directly from LVM and RAID devices.
  • A graphical terminal and a graphical menu system are available.
  • GRUB 2’s interface can be translated, including menu entry names.
  • The image files (see GRUB image files) that make up GRUB have been reorganised; Stage 1, Stage 1.5, and Stage 2 are no more.
  • GRUB 2 puts many facilities in dynamically loaded modules, allowing the core image to be smaller, and allowing the core image to be built in more flexible ways.

Next: , Previous: , Up: Introduction to GRUB   [Contents][Index]

1.4 GRUB features

The primary requirement for GRUB is that it be compliant with the Multiboot Specification, which is described in Motivation in The Multiboot Specification.

The other goals, listed in approximate order of importance, are:

  • Basic functions must be straightforward for end-users.
  • Rich functionality to support kernel experts and designers.
  • Backward compatibility for booting FreeBSD, NetBSD, OpenBSD, and Linux. Proprietary kernels (such as DOS, Windows NT, and OS/2) are supported via a chain-loading function.

Except for specific compatibility modes (chain-loading and the Linux piggyback format), all kernels will be started in much the same state as in the Multiboot Specification. Only kernels loaded at 1 megabyte or above are presently supported. Any attempt to load below that boundary will simply result in immediate failure and an error message reporting the problem.

In addition to the requirements above, GRUB has the following features (note that the Multiboot Specification doesn’t require all the features that GRUB supports):

Recognize multiple executable formats

Support many of the a.out variants plus ELF. Symbol tables are also loaded.

Support non-Multiboot kernels

Support many of the various free 32-bit kernels that lack Multiboot compliance (primarily FreeBSD, NetBSD2, OpenBSD, and Linux). Chain-loading of other boot loaders is also supported.

Load multiples modules

Fully support the Multiboot feature of loading multiple modules.

Load a configuration file

Support a human-readable text configuration file with preset boot commands. You can also load another configuration file dynamically and embed a preset configuration file in a GRUB image file. The list of commands (see Available commands) are a superset of those supported on the command-line. An example configuration file is provided in Writing your own configuration file.

Provide a menu interface

A menu interface listing preset boot commands, with a programmable timeout, is available. There is no fixed limit on the number of boot entries, and the current implementation has space for several hundred.

Have a flexible command-line interface

A fairly flexible command-line interface, accessible from the menu, is available to edit any preset commands, or write a new boot command set from scratch. If no configuration file is present, GRUB drops to the command-line.

The list of commands (see Available commands) are a subset of those supported for configuration files. Editing commands closely resembles the Bash command-line (see Command Line Editing in Bash Features), with TAB-completion of commands, devices, partitions, and files in a directory depending on context.

Support multiple filesystem types

Support multiple filesystem types transparently, plus a useful explicit blocklist notation. The currently supported filesystem types are Amiga Fast FileSystem (AFFS), AtheOS fs, BeFS, BtrFS (including raid0, raid1, raid10, gzip and lzo), cpio (little- and big-endian bin, odc and newc variants), EROFS (only uncompressed support for now), Linux ext2/ext3/ext4, DOS FAT12/FAT16/FAT32, exFAT, F2FS, HFS, HFS+, ISO9660 (including Joliet, Rock-ridge and multi-chunk files), JFS, Minix fs (versions 1, 2 and 3), nilfs2, NTFS (including compression), ReiserFS, ROMFS, Amiga Smart FileSystem (SFS), Squash4, tar, UDF, BSD UFS/UFS2, XFS, and ZFS (including lzjb, gzip, zle, mirror, stripe, raidz1/2/3 and encryption in AES-CCM and AES-GCM). See Filesystem syntax and semantics, for more information. Note: Only a subset of filesystems are supported in lockdown mode (such as when secure boot is enabled, see Lockdown when booting on a secure setup for more information).

Support automatic decompression

Can decompress files which were compressed by gzip or xz3. This function is both automatic and transparent to the user (i.e. all functions operate upon the uncompressed contents of the specified files). This greatly reduces a file size and loading time, a particularly great benefit for floppies.4

It is conceivable that some kernel modules should be loaded in a compressed state, so a different module-loading command can be specified to avoid uncompressing the modules.

Access data on any installed device

Support reading data from any or all floppies or hard disk(s) recognized by the BIOS, independent of the setting of the root device.

Be independent of drive geometry translations

Unlike many other boot loaders, GRUB makes the particular drive translation irrelevant. A drive installed and running with one translation may be converted to another translation without any adverse effects or changes in GRUB’s configuration.

Detect all installed RAM

GRUB can generally find all the installed RAM on a PC-compatible machine. It uses an advanced BIOS query technique for finding all memory regions. As described on the Multiboot Specification (see Motivation in The Multiboot Specification), not all kernels make use of this information, but GRUB provides it for those who do.

Support Logical Block Address mode

In traditional disk calls (called CHS mode), there is a geometry translation problem, that is, the BIOS cannot access over 1024 cylinders, so the accessible space is limited to at least 508 MB and to at most 8GB. GRUB can’t universally solve this problem, as there is no standard interface used in all machines. However, several newer machines have the new interface, Logical Block Address (LBA) mode. GRUB automatically detects if LBA mode is available and uses it if available. In LBA mode, GRUB can access the entire disk.

Support network booting

GRUB is basically a disk-based boot loader but also has network support. You can load OS images from a network by using the TFTP protocol.

Support remote terminals

To support computers with no console, GRUB provides remote terminal support, so that you can control GRUB from a remote host. Only serial terminal support is implemented at the moment.

Previous: , Up: Introduction to GRUB   [Contents][Index]

1.5 The role of a boot loader

The following is a quotation from Gordon Matzigkeit, a GRUB fanatic:

Some people like to acknowledge both the operating system and kernel when they talk about their computers, so they might say they use “GNU/Linux” or “GNU/Hurd”. Other people seem to think that the kernel is the most important part of the system, so they like to call their GNU operating systems “Linux systems.”

I, personally, believe that this is a grave injustice, because the boot loader is the most important software of all. I used to refer to the above systems as either “LILO”5 or “GRUB” systems.

Unfortunately, nobody ever understood what I was talking about; now I just use the word “GNU” as a pseudonym for GRUB.

So, if you ever hear people talking about their alleged “GNU” systems, remember that they are actually paying homage to the best boot loader around… GRUB!

We, the GRUB maintainers, do not (usually) encourage Gordon’s level of fanaticism, but it helps to remember that boot loaders deserve recognition. We hope that you enjoy using GNU GRUB as much as we did writing it.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

2 Naming convention

The device syntax used in GRUB is a wee bit different from what you may have seen before in your operating system(s), and you need to know it so that you can specify a drive/partition.

Look at the following examples and explanations: 

(fd0)

First of all, GRUB requires that the device name be enclosed with ‘(’ and ‘)’. The ‘fd’ part means that it is a floppy disk. The number ‘0’ is the drive number, which is counted from zero. This expression means that GRUB will use the whole floppy disk. 

(hd0,msdos2)

Here, ‘hd’ means it is a hard disk drive. The first integer ‘0’ indicates the drive number, that is, the first hard disk, the string ‘msdos’ indicates the partition scheme, while the second integer, ‘2’, indicates the partition number (or the PC slice number in the BSD terminology). The partition numbers are counted from one, not from zero (as was the case in previous versions of GRUB). This expression means the second partition of the first hard disk drive. In this case, GRUB uses one partition of the disk, instead of the whole disk. 

(hd0,msdos5)

This specifies the first extended partition of the first hard disk drive. Note that the partition numbers for extended partitions are counted from ‘5’, regardless of the actual number of primary partitions on your hard disk. 

(hd1,msdos1,bsd1)

This means the BSD ‘a’ partition on first PC slice number of the second hard disk.

Of course, to actually access the disks or partitions with GRUB, you need to use the device specification in a command, like ‘set root=(fd0)’ or ‘parttool (hd0,msdos3) hidden-’. To help you find out which number specifies a partition you want, the GRUB command-line (see The flexible command-line interface) options have argument completion. This means that, for example, you only need to type 

set root=(

followed by a TAB, and GRUB will display the list of drives, partitions, or file names. So it should be quite easy to determine the name of your target partition, even with minimal knowledge of the syntax.

Note that GRUB does not distinguish IDE from SCSI - it simply counts the drive numbers from zero, regardless of their type. Normally, any IDE drive number is less than any SCSI drive number, although that is not true if you change the boot sequence by swapping IDE and SCSI drives in your BIOS.

Now the question is, how to specify a file? Again, consider an example: 

(hd0,msdos1)/vmlinuz

This specifies the file named ‘vmlinuz’, found on the first partition of the first hard disk drive. Note that the argument completion works with file names, too.

That was easy, admit it. Now read the next chapter, to find out how to actually install GRUB on your drive.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

3 OS-specific notes about grub tools

On OS which have device nodes similar to Unix-like OS GRUB tools use the OS name. E.g. for GNU/Linux: 

# grub-install /dev/sda

On AROS we use another syntax. For volumes: 

//:<volume name>

E.g. 

//:DH0

For disks we use syntax: 

//:<driver name>/unit/flags

E.g. 

# grub-install //:ata.device/0/0

On Windows we use UNC path. For volumes it’s typically 

\\?\Volume{<GUID>}
\\?\<drive letter>:

E.g. 

\\?\Volume{17f34d50-cf64-4b02-800e-51d79c3aa2ff}
\\?\C:

For disks it’s 

\\?\PhysicalDrive<number>

E.g. 

# grub-install \\?\PhysicalDrive0

Beware that you may need to further escape the backslashes depending on your shell.

When compiled with cygwin support then cygwin drive names are automatically when needed. E.g. 

# grub-install /dev/sda

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

4 Installation

In order to install GRUB as your boot loader, you need to first install the GRUB system and utilities under your UNIX-like operating system (see How to obtain and build GRUB). You can do this either from the source tarball, or as a package for your OS.

After you have done that, you need to install the boot loader on a drive (floppy or hard disk) by using the utility grub-install (see Invoking grub-install) on a UNIX-like OS.

GRUB comes with boot images, which are normally put in the directory /usr/lib/grub/<cpu>-<platform> (for BIOS-based machines /usr/lib/grub/i386-pc). Hereafter, the directory where GRUB images are initially placed (normally /usr/lib/grub/<cpu>-<platform>) will be called the image directory, and the directory where the boot loader needs to find them (usually /boot) will be called the boot directory.

Next: , Up: Installation   [Contents][Index]

4.1 Installing GRUB using grub-install

For information on where GRUB should be installed on PC BIOS platforms, see BIOS installation.

In order to install GRUB under a UNIX-like OS (such as GNU), invoke the program grub-install (see Invoking grub-install) as the superuser (root).

The usage is basically very simple. You only need to specify one argument to the program, namely, where to install the boot loader. The argument has to be either a device file (like ‘/dev/hda’). For example, under Linux the following will install GRUB into the MBR of the first IDE disk: 

# grub-install /dev/sda

Likewise, under GNU/Hurd, this has the same effect: 

# grub-install /dev/hd0

But all the above examples assume that GRUB should put images under the /boot directory. If you want GRUB to put images under a directory other than /boot, you need to specify the option --boot-directory. The typical usage is that you create a GRUB boot floppy with a filesystem. Here is an example: 

# mke2fs /dev/fd0
# mount -t ext2 /dev/fd0 /mnt
# mkdir /mnt/boot
# grub-install --boot-directory=/mnt/boot /dev/fd0
# umount /mnt

Some BIOSes have a bug of exposing the first partition of a USB drive as a floppy instead of exposing the USB drive as a hard disk (they call it “USB-FDD” boot). In such cases, you need to install like this: 

# losetup /dev/loop0 /dev/sdb1
# mount /dev/loop0 /mnt/usb
# grub-install --boot-directory=/mnt/usb/bugbios --force --allow-floppy /dev/loop0

This install doesn’t conflict with standard install as long as they are in separate directories.

On EFI systems for fixed disk install you have to mount EFI System Partition. If you mount it at /boot/efi then you don’t need any special arguments: 

# grub-install

Otherwise you need to specify where your EFI System partition is mounted: 

# grub-install --efi-directory=/mnt/efi

For removable installs you have to use --removable and specify both --boot-directory and --efi-directory: 

# grub-install --efi-directory=/mnt/usb --boot-directory=/mnt/usb/boot --removable

Next: , Previous: , Up: Installation   [Contents][Index]

4.2 Making a GRUB bootable CD-ROM

GRUB supports the no emulation mode in the El Torito specification6. This means that you can use the whole CD-ROM from GRUB and you don’t have to make a floppy or hard disk image file, which can cause compatibility problems.

For booting from a CD-ROM, GRUB uses a special image called cdboot.img, which is concatenated with core.img. The core.img used for this should be built with at least the ‘iso9660’ and ‘biosdisk’ modules. Your bootable CD-ROM will usually also need to include a configuration file grub.cfg and some other GRUB modules.

To make a simple generic GRUB rescue CD, you can use the grub-mkrescue program (see Invoking grub-mkrescue): 

$ grub-mkrescue -o grub.iso

You will often need to include other files in your image. To do this, first make a top directory for the bootable image, say, ‘iso’: 

$ mkdir iso

Make a directory for GRUB: 

$ mkdir -p iso/boot/grub

If desired, make the config file grub.cfg under iso/boot/grub (see Writing your own configuration file), and copy any files and directories for the disc to the directory iso/.

Finally, make the image: 

$ grub-mkrescue -o grub.iso iso

This produces a file named grub.iso, which then can be burned into a CD (or a DVD), or written to a USB mass storage device.

The root device will be set up appropriately on entering your grub.cfg configuration file, so you can refer to file names on the CD without needing to use an explicit device name. This makes it easier to produce rescue images that will work on both optical drives and USB mass storage devices.

Next: , Previous: , Up: Installation   [Contents][Index]

4.3 The map between BIOS drives and OS devices

If the device map file exists, the GRUB utilities (grub-probe, etc.) read it to map BIOS drives to OS devices. This file consists of lines like this: 

(device) file

device is a drive specified in the GRUB syntax (see How to specify devices), and file is an OS file, which is normally a device file.

Historically, the device map file was used because GRUB device names had to be used in the configuration file, and they were derived from BIOS drive numbers. The map between BIOS drives and OS devices cannot always be guessed correctly: for example, GRUB will get the order wrong if you exchange the boot sequence between IDE and SCSI in your BIOS.

Unfortunately, even OS device names are not always stable. Modern versions of the Linux kernel may probe drives in a different order from boot to boot, and the prefix (/dev/hd* versus /dev/sd*) may change depending on the driver subsystem in use. As a result, the device map file required frequent editing on some systems.

GRUB avoids this problem nowadays by using UUIDs or file system labels when generating grub.cfg, and we advise that you do the same for any custom menu entries you write. If the device map file does not exist, then the GRUB utilities will assume a temporary device map on the fly. This is often good enough, particularly in the common case of single-disk systems.

However, the device map file is not entirely obsolete yet, and it is used for overriding when current environment is different from the one on boot. Most common case is if you use a partition or logical volume as a disk for virtual machine. You can put any comments in the file if needed, as the GRUB utilities assume that a line is just a comment if the first character is ‘#’.

Previous: , Up: Installation   [Contents][Index]

4.4 BIOS installation

MBR

The partition table format traditionally used on PC BIOS platforms is called the Master Boot Record (MBR) format; this is the format that allows up to four primary partitions and additional logical partitions. With this partition table format, there are two ways to install GRUB: it can be embedded in the area between the MBR and the first partition (called by various names, such as the "boot track", "MBR gap", or "embedding area", and which is usually at least 1000 KiB), or the core image can be installed in a file system and a list of the blocks that make it up can be stored in the first sector of that partition.

Modern tools usually leave MBR gap of at least 1023 KiB. This amount is sufficient to cover most configurations. Hence this value is recommended by the GRUB team.

Historically many tools left only 31 KiB of space. This is not enough to parse reliably difficult structures like Btrfs, ZFS, RAID or LVM, or to use difficult disk access methods like ahci. Hence GRUB will warn if attempted to install into small MBR gap except in a small number of configurations that were grandfathered. The grandfathered config must:

  • use biosdisk as disk access module for /boot
  • not use any additional partition maps to access /boot
  • /boot must be on one of following filesystems: AFFS, AFS, BFS, cpio, newc, odc, ext2/3/4, FAT, exFAT, F2FS, HFS, uncompressed HFS+, ISO9660, JFS, Minix, Minix2, Minix3, NILFS2, NTFS, ReiserFS, ROMFS, SFS, tar, UDF, UFS1, UFS2, XFS

Note: Only a subset of filesystems are supported in lockdown mode (such as when secure boot is enabled, see Lockdown when booting on a secure setup for more information).

MBR gap has few technical problems. There is no way to reserve space in the embedding area with complete safety, and some proprietary software is known to use it to make it difficult for users to work around licensing restrictions. GRUB works around it by detecting sectors by other software and avoiding them and protecting its own sectors using Reed-Solomon encoding.

GRUB team recommends having MBR gap of at least 1000 KiB.

Should it not be possible, GRUB has support for a fallback solution which is heavily recommended against. Installing to a filesystem means that GRUB is vulnerable to its blocks being moved around by filesystem features such as tail packing, or even by aggressive fsck implementations, so this approach is quite fragile; and this approach can only be used if the /boot filesystem is on the same disk that the BIOS boots from, so that GRUB does not have to rely on guessing BIOS drive numbers.

The GRUB development team generally recommends embedding GRUB before the first partition, unless you have special requirements. You must ensure that the first partition starts at least 1000 KiB (2000 sectors) from the start of the disk; on modern disks, it is often a performance advantage to align partitions on larger boundaries anyway, so the first partition might start 1 MiB from the start of the disk.

GPT

Some newer systems use the GUID Partition Table (GPT) format. This was specified as part of the Extensible Firmware Interface (EFI), but it can also be used on BIOS platforms if system software supports it; for example, GRUB and GNU/Linux can be used in this configuration. With this format, it is possible to reserve a whole partition for GRUB, called the BIOS Boot Partition. GRUB can then be embedded into that partition without the risk of being overwritten by other software and without being contained in a filesystem which might move its blocks around.

When creating a BIOS Boot Partition on a GPT system, you should make sure that it is at least 31 KiB in size. (GPT-formatted disks are not usually particularly small, so we recommend that you make it larger than the bare minimum, such as 1 MiB, to allow plenty of room for growth.) You must also make sure that it has the proper partition type. Using GNU Parted, you can set this using a command such as the following: 

# parted /dev/disk set partition-number bios_grub on

If you are using gdisk, set the partition type to ‘0xEF02’. With partitioning programs that require setting the GUID directly, it should be ‘21686148-6449-6e6f-744e656564454649’.

Caution: Be very careful which partition you select! When GRUB finds a BIOS Boot Partition during installation, it will automatically overwrite part of it. Make sure that the partition does not contain any other data.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

5 Booting

GRUB can load Multiboot-compliant kernels in a consistent way, but for some free operating systems you need to use some OS-specific magic.

Next: , Up: Booting   [Contents][Index]

5.1 How to boot operating systems

GRUB has three distinct boot methods: loading an operating system directly, using kexec from userspace, and chainloading another bootloader. Generally speaking, the first two are more desirable because you don’t need to install or maintain other boot loaders and GRUB is flexible enough to load an operating system from an arbitrary disk/partition. However, chainloading is sometimes required, as GRUB doesn’t support all existing operating systems natively.

Next: , Up: How to boot operating systems   [Contents][Index]

5.1.1 How to boot an OS directly with GRUB

Multiboot (see Motivation in The Multiboot Specification) is the native format supported by GRUB. For the sake of convenience, there is also support for Linux, FreeBSD, NetBSD and OpenBSD. If you want to boot other operating systems, you will have to chain-load them (see Chain-loading an OS).

FIXME: this section is incomplete.

  1. Run the command boot (see boot).

However, DOS and Windows have some deficiencies, so you might have to use more complicated instructions. See DOS/Windows, for more information.

Next: , Previous: , Up: How to boot operating systems   [Contents][Index]

5.1.2 Kexec with grub2-emu

GRUB can be run in userspace by invoking the grub2-emu tool. It will read all configuration scripts as if booting directly (see How to boot an OS directly with GRUB). With the --kexec flag, and kexec(8) support from the operating system, the linux command will directly boot the target image. For systems that lack working systemctl(1) support for kexec, passing the --kexec flag twice will fallback to invoking kexec(8) directly; note however that this fallback may be unsafe outside read-only environments, as it does not invoke shutdown machinery.

Previous: , Up: How to boot operating systems   [Contents][Index]

5.1.3 Chain-loading an OS

Operating systems that do not support Multiboot and do not have specific support in GRUB (specific support is available for Linux, FreeBSD, NetBSD and OpenBSD) must be chain-loaded, which involves loading another boot loader and jumping to it in real mode or via the firmware.

The chainloader command (see chainloader) is used to set this up. It is normally also necessary to load some GRUB modules and set the appropriate root device. Putting this together, we get something like this, for a Windows system on the first partition of the first hard disk: 

menuentry "Windows" {
	insmod chain
	insmod ntfs
	set root=(hd0,1)
	chainloader +1
}

On systems with multiple hard disks, an additional workaround may be required. See DOS/Windows.

Chain-loading is only supported on PC BIOS and EFI platforms.

Next: , Previous: , Up: Booting   [Contents][Index]

5.2 Loopback booting

GRUB is able to read from an image (be it one of CD or HDD) stored on any of its accessible storages (refer to see loopback command). However the OS itself should be able to find its root. This usually involves running a userspace program running before the real root is discovered. This is achieved by GRUB loading a specially made small image and passing it as ramdisk to the kernel. This is achieved by commands kfreebsd_module, knetbsd_module_elf, kopenbsd_ramdisk, initrd (see initrd), initrd16 (see initrd16), multiboot_module, multiboot2_module or xnu_ramdisk depending on the loader. Note that for knetbsd the image must be put inside miniroot.kmod and the whole miniroot.kmod has to be loaded. In kopenbsd payload this is disabled by default. Additionally, behaviour of initial ramdisk depends on command line options. Several distributors provide the image for this purpose or it’s integrated in their standard ramdisk and activated by special option. Consult your kernel and distribution manual for more details. Other loaders like appleloader, chainloader (BIOS, EFI, coreboot), freedos, ntldr, plan9 and truecrypt provide no possibility of loading initial ramdisk and as far as author is aware the payloads in question don’t support either initial ramdisk or discovering loopback boot in other way and as such not bootable this way. Please consider alternative boot methods like copying all files from the image to actual partition. Consult your OS documentation for more details.

Next: , Previous: , Up: Booting   [Contents][Index]

5.3 Booting from LVM cache logical volume

The LVM cache logical volume is the logical volume consisting of the original and the cache pool logical volume. The original is usually on a larger and slower storage device while the cache pool is on a smaller and faster one. The performance of the original volume can be improved by storing the frequently used data on the cache pool to utilize the greater performance of faster device.

GRUB boots from LVM cache logical volume merely by reading it’s original logical volume so that dirty data in cache pool volume is disregarded. This is not a problem for "writethrough" cache mode as it ensures that any data written will be stored both on the cache and the origin LV. For the other cache mode "writeback", which delays writing from the cache pool back to the origin LV to boost performance, GRUB may fail to boot in the wake of accidental power outage due to it’s inability to assemble the cache device for reading the required dirty data left behind. The situation will be improved after adding full support to the LVM cache logical volume in the future.

Previous: , Up: Booting   [Contents][Index]

5.4 Some caveats on OS-specific issues

Here, we describe some caveats on several operating systems.

Next: , Up: Some caveats on OS-specific issues   [Contents][Index]

5.4.1 GNU/Hurd

Since GNU/Hurd is Multiboot-compliant, it is easy to boot it; there is nothing special about it. But do not forget that you have to specify a root partition to the kernel.

  1. Set GRUB’s root device to the same drive as GNU/Hurd’s. The command search --set=root --file /boot/gnumach.gz or similar may help you (see search).
  2. Load the kernel and the modules, like this: 
    grub> multiboot /boot/gnumach.gz root=device:hd0s1
grub> module  /hurd/ext2fs.static ext2fs --readonly \
                   --multiboot-command-line='${kernel-command-line}' \
                   --host-priv-port='${host-port}' \
                   --device-master-port='${device-port}' \
                   --exec-server-task='${exec-task}' -T typed '${root}' \
                   '$(task-create)' '$(task-resume)'
grub> module /lib/ld.so.1 exec /hurd/exec '$(exec-task=task-create)'
  3. Finally, run the command boot (see boot).

Next: , Previous: , Up: Some caveats on OS-specific issues   [Contents][Index]

5.4.2 GNU/Linux

It is relatively easy to boot GNU/Linux from GRUB, because it somewhat resembles to boot a Multiboot-compliant OS.

  1. Set GRUB’s root device to the same drive as GNU/Linux’s. The command search --set=root --file /vmlinuz or similar may help you (see search).
  2. Load the kernel using the command linux (see linux): 
    grub> linux /vmlinuz root=/dev/sda1

    If you need to specify some kernel parameters, just append them to the command. For example, to set acpi to ‘off’, do this: 

    grub> linux /vmlinuz root=/dev/sda1 acpi=off

    See the documentation in the Linux source tree for complete information on the available options.

    With linux GRUB uses 32-bit protocol. Some BIOS services like APM or EDD aren’t available with this protocol. In this case you need to use linux16 

    grub> linux16 /vmlinuz root=/dev/sda1 acpi=off
  3. If you use an initrd, execute the command initrd (see initrd) after linux: 
    grub> initrd /initrd

    If you used linux16 you need to use initrd16: 

    grub> initrd16 /initrd
  4. Finally, run the command boot (see boot).

Next: , Previous: , Up: Some caveats on OS-specific issues   [Contents][Index]

5.4.3 NetBSD

Booting a NetBSD kernel from GRUB is also relatively easy: first set GRUB’s root device, then load the kernel and the modules, and finally run boot.

  1. Set GRUB’s root device to the partition holding the NetBSD root file system. For a disk with a NetBSD disk label, this is usually the first partition (a:). In that case, and assuming that the partition is on the first hard disk, set GRUB’s root device as follows: 
    grub> insmod part_bsd
grub> set root=(hd0,netbsd1)

    For a disk with a GUID Partition Table (GPT), and assuming that the NetBSD root partition is the third GPT partition, do this: 

    grub> insmod part_gpt
grub> set root=(hd0,gpt3)
  2. Load the kernel using the command knetbsd: 
    grub> knetbsd /netbsd

    Various options may be given to knetbsd. These options are, for the most part, the same as in the NetBSD boot loader. For instance, to boot the system in single-user mode and with verbose messages, do this: 

    grub> knetbsd /netbsd -s -v
  3. If needed, load kernel modules with the command knetbsd_module_elf. A typical example is the module for the root file system: 
    grub> knetbsd_module_elf /stand/amd64/6.0/modules/ffs/ffs.kmod
  4. Finally, run the command boot (see boot).

Previous: , Up: Some caveats on OS-specific issues   [Contents][Index]

5.4.4 DOS/Windows

GRUB cannot boot DOS or Windows directly, so you must chain-load them (see Chain-loading an OS). However, their boot loaders have some critical deficiencies, so it may not work to just chain-load them. To overcome the problems, GRUB provides you with two helper functions.

If you have installed DOS (or Windows) on a non-first hard disk, you have to use the disk swapping technique, because that OS cannot boot from any disks but the first one. The workaround used in GRUB is the command drivemap (see drivemap), like this: 

drivemap -s (hd0) (hd1)

This performs a virtual swap between your first and second hard drive.

Caution: This is effective only if DOS (or Windows) uses BIOS to access the swapped disks. If that OS uses a special driver for the disks, this probably won’t work.

Another problem arises if you installed more than one set of DOS/Windows onto one disk, because they could be confused if there are more than one primary partitions for DOS/Windows. Certainly you should avoid doing this, but there is a solution if you do want to do so. Use the partition hiding/unhiding technique.

If GRUB hides a DOS (or Windows) partition (see parttool), DOS (or Windows) will ignore the partition. If GRUB unhides a DOS (or Windows) partition, DOS (or Windows) will detect the partition. Thus, if you have installed DOS (or Windows) on the first and the second partition of the first hard disk, and you want to boot the copy on the first partition, do the following: 

parttool (hd0,1) hidden-
parttool (hd0,2) hidden+
set root=(hd0,1)
chainloader +1
parttool ${root} boot+
boot

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

6 Writing your own configuration file

GRUB is configured using grub.cfg, usually located under /boot/grub. This file is quite flexible, but most users will not need to write the whole thing by hand.

Next: , Up: Writing your own configuration file   [Contents][Index]

6.1 Simple configuration handling

The program grub-mkconfig (see Invoking grub-mkconfig) generates grub.cfg files suitable for most cases. It is suitable for use when upgrading a distribution, and will discover available kernels and attempt to generate menu entries for them.

grub-mkconfig does have some limitations. While adding extra custom menu entries to the end of the list can be done by editing /etc/grub.d/40_custom or creating /boot/grub/custom.cfg, changing the order of menu entries or changing their titles may require making complex changes to shell scripts stored in /etc/grub.d/. This may be improved in the future. In the meantime, those who feel that it would be easier to write grub.cfg directly are encouraged to do so (see Booting, and Writing full configuration files directly), and to disable any system provided by their distribution to automatically run grub-mkconfig.

The file /etc/default/grub controls the operation of grub-mkconfig. It is sourced by a shell script, and so must be valid POSIX shell input; normally, it will just be a sequence of ‘KEY=value’ lines, but if the value contains spaces or other special characters then it must be quoted. For example: 

GRUB_TERMINAL_INPUT="console serial"

Valid keys in /etc/default/grub are as follows:

GRUB_DEFAULT

The default menu entry. This may be a number, in which case it identifies the Nth entry in the generated menu counted from zero, or the title of a menu entry, or the special string ‘saved’. Using the id may be useful if you want to set a menu entry as the default even though there may be a variable number of entries before it.

For example, if you have: 

menuentry 'Example GNU/Linux distribution' --class gnu-linux --id example-gnu-linux {
	...
}

then you can make this the default using: 

GRUB_DEFAULT=example-gnu-linux

Previously it was documented the way to use entry title. While this still works it’s not recommended since titles often contain unstable device names and may be translated

If you set this to ‘saved’, then the default menu entry will be that saved by ‘GRUB_SAVEDEFAULT’ or grub-set-default. This relies on the environment block, which may not be available in all situations (see The GRUB environment block).

The default is ‘0’.

GRUB_SAVEDEFAULT

If this option is set to ‘true’, then, when an entry is selected, save it as a new default entry for use by future runs of GRUB. This is only useful if ‘GRUB_DEFAULT=saved’; it is a separate option because ‘GRUB_DEFAULT=saved’ is useful without this option, in conjunction with grub-set-default. Unset by default. This option relies on the environment block, which may not be available in all situations (see The GRUB environment block).

GRUB_TIMEOUT

Boot the default entry this many seconds after the menu is displayed, unless a key is pressed. The default is ‘5’. Set to ‘0’ to boot immediately without displaying the menu, or to ‘-1’ to wait indefinitely.

If ‘GRUB_TIMEOUT_STYLE’ is set to ‘countdown’ or ‘hidden’, the timeout is instead counted before the menu is displayed.

GRUB_TIMEOUT_STYLE

If this option is unset or set to ‘menu’, then GRUB will display the menu and then wait for the timeout set by ‘GRUB_TIMEOUT’ to expire before booting the default entry. Pressing a key interrupts the timeout.

If this option is set to ‘countdown’ or ‘hidden’, then, before displaying the menu, GRUB will wait for the timeout set by ‘GRUB_TIMEOUT’ to expire. If ESC or F4 are pressed, or SHIFT is held down during that time, it will display the menu and wait for input. If a hotkey associated with a menu entry is pressed, it will boot the associated menu entry immediately. If the timeout expires before either of these happens, it will boot the default entry. In the ‘countdown’ case, it will show a one-line indication of the remaining time.

GRUB_DEFAULT_BUTTON
GRUB_TIMEOUT_BUTTON
GRUB_TIMEOUT_STYLE_BUTTON
GRUB_BUTTON_CMOS_ADDRESS

Variants of the corresponding variables without the ‘_BUTTON’ suffix, used to support vendor-specific power buttons. See Using GRUB with vendor power-on keys.

GRUB_DISTRIBUTOR

Set by distributors of GRUB to their identifying name. This is used to generate more informative menu entry titles.

GRUB_TERMINAL_INPUT

Select the terminal input device. You may select multiple devices here, separated by spaces.

Valid terminal input names depend on the platform, but may include ‘console’ (native platform console), ‘serial’ (serial terminal), ‘serial_<port>’ (serial terminal with explicit port selection), ‘at_keyboard’ (PC AT keyboard), or ‘usb_keyboard’ (USB keyboard using the HID Boot Protocol, for cases where the firmware does not handle this).

The default is to use the platform’s native terminal input.

GRUB_TERMINAL_OUTPUT

Select the terminal output device. You may select multiple devices here, separated by spaces.

Valid terminal output names depend on the platform, but may include ‘console’ (native platform console), ‘serial’ (serial terminal), ‘serial_<port>’ (serial terminal with explicit port selection), ‘gfxterm’ (graphics-mode output), ‘vga_text’ (VGA text output), ‘mda_text’ (MDA text output), ‘morse’ (Morse-coding using system beeper) or ‘spkmodem’ (simple data protocol using system speaker).

spkmodem’ is useful when no serial port is available. Connect the output of sending system (where GRUB is running) to line-in of receiving system (usually developer machine). On receiving system compile ‘spkmodem-recv’ from ‘util/spkmodem-recv.c’ and run: 

parecord --channels=1 --rate=48000 --format=s16le | ./spkmodem-recv

The default is to use the platform’s native terminal output.

GRUB_TERMINAL

If this option is set, it overrides both ‘GRUB_TERMINAL_INPUT’ and ‘GRUB_TERMINAL_OUTPUT’ to the same value.

GRUB_SERIAL_COMMAND

A command to configure the serial port when using the serial console. See serial. Defaults to ‘serial’.

GRUB_CMDLINE_LINUX

Command-line arguments to add to menu entries for the Linux kernel.

GRUB_CMDLINE_LINUX_DEFAULT

Unless ‘GRUB_DISABLE_RECOVERY’ is set to ‘true’, two menu entries will be generated for each Linux kernel: one default entry and one entry for recovery mode. This option lists command-line arguments to add only to the default menu entry, after those listed in ‘GRUB_CMDLINE_LINUX’.

GRUB_CMDLINE_LINUX_RECOVERY

Unless ‘GRUB_DISABLE_RECOVERY’ is set to ‘true’, two menu entries will be generated for each Linux kernel: one default entry and one entry for recovery mode. This option lists command-line arguments to add only to the recovery menu entry, before those listed in ‘GRUB_CMDLINE_LINUX’. The default is ‘single’.

GRUB_CMDLINE_NETBSD
GRUB_CMDLINE_NETBSD_DEFAULT

As ‘GRUB_CMDLINE_LINUX’ and ‘GRUB_CMDLINE_LINUX_DEFAULT’, but for NetBSD.

GRUB_CMDLINE_GNUMACH

As ‘GRUB_CMDLINE_LINUX’, but for GNU Mach.

GRUB_CMDLINE_XEN
GRUB_CMDLINE_XEN_DEFAULT

The values of these options are passed to Xen hypervisor Xen menu entries, for all respectively normal entries.

GRUB_CMDLINE_LINUX_XEN_REPLACE
GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT

The values of these options replace the values of ‘GRUB_CMDLINE_LINUX’ and ‘GRUB_CMDLINE_LINUX_DEFAULT’ for Linux and Xen menu entries.

GRUB_TOP_LEVEL
GRUB_TOP_LEVEL_XEN

This option should be an absolute path to a kernel image. If provided, the image specified will be made the top-level entry if it is found in the scan.

GRUB_TOP_LEVEL_OS_PROBER

This option should be a line of output from os-prober. As ‘GRUB_TOP_LEVEL’, if provided, the image specified will be made the top-level entry if it is found in the scan.

GRUB_EARLY_INITRD_LINUX_CUSTOM
GRUB_EARLY_INITRD_LINUX_STOCK

List of space-separated early initrd images to be loaded from ‘/boot’. This is for loading things like CPU microcode, firmware, ACPI tables, crypto keys, and so on. These early images will be loaded in the order declared, and all will be loaded before the actual functional initrd image.

GRUB_EARLY_INITRD_LINUX_STOCK’ is for your distribution to declare images that are provided by the distribution. It should not be modified without understanding the consequences. They will be loaded first.

GRUB_EARLY_INITRD_LINUX_CUSTOM’ is for your custom created images.

The default stock images are as follows, though they may be overridden by your distribution: 

intel-uc.img intel-ucode.img amd-uc.img amd-ucode.img early_ucode.cpio microcode.cpio
GRUB_DISABLE_LINUX_UUID

Normally, grub-mkconfig will generate menu entries that use universally-unique identifiers (UUIDs) to identify the root filesystem to the Linux kernel, using a ‘root=UUID=...’ kernel parameter. This is usually more reliable, but in some cases it may not be appropriate. To disable the use of UUIDs, set this option to ‘true’.

GRUB_DISABLE_LINUX_PARTUUID

If grub-mkconfig cannot identify the root filesystem via its universally-unique indentifier (UUID), grub-mkconfig can use the UUID of the partition containing the filesystem to identify the root filesystem to the Linux kernel via a ‘root=PARTUUID=...’ kernel parameter. This is not as reliable as using the filesystem UUID, but is more reliable than using the Linux device names. When ‘GRUB_DISABLE_LINUX_PARTUUID’ is set to ‘false’, the Linux kernel version must be 2.6.37 (3.10 for systems using the MSDOS partition scheme) or newer. This option defaults to ‘true’. To enable the use of partition UUIDs, set this option to ‘false’.

GRUB_DISABLE_RECOVERY

If this option is set to ‘true’, disable the generation of recovery mode menu entries.

GRUB_DISABLE_UUID

Normally, grub-mkconfig will generate menu entries that use universally-unique identifiers (UUIDs) to identify various filesystems to search for files. This is usually more reliable, but in some cases it may not be appropriate. To disable this use of UUIDs, set this option to ‘true’. Setting this option to ‘true’, will also set the options ‘GRUB_DISABLE_LINUX_UUID’ and ‘GRUB_DISABLE_LINUX_PARTUUID’ to ‘true’, unless they have been explicitly set to ‘false’.

GRUB_VIDEO_BACKEND

If graphical video support is required, either because the ‘gfxterm’ graphical terminal is in use or because ‘GRUB_GFXPAYLOAD_LINUX’ is set, then grub-mkconfig will normally load all available GRUB video drivers and use the one most appropriate for your hardware. If you need to override this for some reason, then you can set this option.

After grub-install has been run, the available video drivers are listed in /boot/grub/video.lst.

GRUB_GFXMODE

Set the resolution used on the ‘gfxterm’ graphical terminal. Note that you can only use modes which your graphics card supports via VESA BIOS Extensions (VBE), so for example native LCD panel resolutions may not be available. The default is ‘auto’, which tries to select a preferred resolution. See gfxmode.

GRUB_BACKGROUND

Set a background image for use with the ‘gfxterm’ graphical terminal. The value of this option must be a file readable by GRUB at boot time, and it must end with .png, .tga, .jpg, or .jpeg. The image will be scaled if necessary to fit the screen. Image height and width will be restricted by an artificial limit of 16384.

GRUB_THEME

Set a theme for use with the ‘gfxterm’ graphical terminal.

GRUB_GFXPAYLOAD_LINUX

Set to ‘text’ to force the Linux kernel to boot in normal text mode, ‘keep’ to preserve the graphics mode set using ‘GRUB_GFXMODE’, ‘widthxheight’[‘xdepth’] to set a particular graphics mode, or a sequence of these separated by commas or semicolons to try several modes in sequence. See gfxpayload.

Depending on your kernel, your distribution, your graphics card, and the phase of the moon, note that using this option may cause GNU/Linux to suffer from various display problems, particularly during the early part of the boot sequence. If you have problems, set this option to ‘text’ and GRUB will tell Linux to boot in normal text mode.

GRUB_DISABLE_OS_PROBER

The grub-mkconfig has a feature to use the external os-prober program to discover other operating systems installed on the same machine and generate appropriate menu entries for them. It is disabled by default since automatic and silent execution of os-prober, and creating boot entries based on that data, is a potential attack vector. Set this option to ‘false’ to enable this feature in the grub-mkconfig command.

GRUB_OS_PROBER_SKIP_LIST

List of space-separated case insensitive UUIDs of filesystems to be ignored from os-prober output. For EFI chainloaders it’s <UUID>@<EFI FILE>. For backward compatibility with previous behaviour, <UUID>@/dev/* is also accepted for non-EFI chainloaders even if the device does not match, and comma and semicolon are also accepted as separator.

GRUB_DISABLE_SUBMENU

Normally, grub-mkconfig will generate top level menu entry for the kernel with highest version number and put all other found kernels or alternative menu entries for recovery mode in submenu. For entries returned by os-prober first entry will be put on top level and all others in submenu. If this option is set to ‘true’, flat menu with all entries on top level will be generated instead. Changing this option will require changing existing values of ‘GRUB_DEFAULT’, ‘fallback’ (see fallback) and ‘default’ (see default) environment variables as well as saved default entry using grub-set-default and value used with grub-reboot.

GRUB_ENABLE_CRYPTODISK

If set to ‘y’, grub-mkconfig and grub-install will check for encrypted disks and generate additional commands needed to access them during boot. Note that in this case unattended boot is not possible because GRUB will wait for passphrase to unlock encrypted container.

GRUB_INIT_TUNE

Play a tune on the speaker when GRUB starts. This is particularly useful for users unable to see the screen. The value of this option is passed directly to play.

GRUB_BADRAM

If this option is set, GRUB will issue a badram command to filter out specified regions of RAM.

GRUB_PRELOAD_MODULES

This option may be set to a list of GRUB module names separated by spaces. Each module will be loaded as early as possible, at the start of grub.cfg.

The following options are still accepted for compatibility with existing configurations, but have better replacements:

GRUB_HIDDEN_TIMEOUT

Wait this many seconds before displaying the menu. If ESC or F4 are pressed, or SHIFT is held down during that time, display the menu and wait for input according to ‘GRUB_TIMEOUT’. If a hotkey associated with a menu entry is pressed, boot the associated menu entry immediately. If the timeout expires before either of these happens, display the menu for the number of seconds specified in ‘GRUB_TIMEOUT’ before booting the default entry.

If you set ‘GRUB_HIDDEN_TIMEOUT’, you should also set ‘GRUB_TIMEOUT=0’ so that the menu is not displayed at all unless ESC or F4 are pressed, or SHIFT is held down.

This option is unset by default, and is deprecated in favour of the less confusing ‘GRUB_TIMEOUT_STYLE=countdown’ or ‘GRUB_TIMEOUT_STYLE=hidden’.

GRUB_HIDDEN_TIMEOUT_QUIET

In conjunction with ‘GRUB_HIDDEN_TIMEOUT’, set this to ‘true’ to suppress the verbose countdown while waiting for a key to be pressed before displaying the menu.

This option is unset by default, and is deprecated in favour of the less confusing ‘GRUB_TIMEOUT_STYLE=countdown’.

GRUB_HIDDEN_TIMEOUT_BUTTON

Variant of ‘GRUB_HIDDEN_TIMEOUT’, used to support vendor-specific power buttons. See Using GRUB with vendor power-on keys.

This option is unset by default, and is deprecated in favour of the less confusing ‘GRUB_TIMEOUT_STYLE=countdown’ or ‘GRUB_TIMEOUT_STYLE=hidden’.

GRUB_FORCE_EFI_ALL_VIDEO

When set to true, this will allow grub-mkconfig to generate a GRUB config that supports loading the all_video module on the EFI platform instead of just the efi_gop and efi_uga modules.

This option is unset by default.

For more detailed customisation of grub-mkconfig’s output, you may edit the scripts in /etc/grub.d directly. /etc/grub.d/40_custom is particularly useful for adding entire custom menu entries; simply type the menu entries you want to add at the end of that file, making sure to leave at least the first two lines intact.

Next: , Previous: , Up: Writing your own configuration file   [Contents][Index]

6.2 Root Identification Heuristics

If the target operating system uses the Linux kernel, grub-mkconfig attempts to identify the root file system via a heuristic algoirthm. This algorithm selects the identification method of the root file system by considering three factors. The first is if an initrd for the target operating system is also present. The second is ‘GRUB_DISABLE_LINUX_UUID’ and if set to ‘true’, prevents grub-mkconfig from identifying the root file system by its UUID. The third is ‘GRUB_DISABLE_LINUX_PARTUUID’ and if set to ‘true’, prevents grub-mkconfig from identifying the root file system via the UUID of its enclosing partition. If the variables are assigned any other value, that value is considered equivalent to ‘false’. The variables are also considered to be set to ‘false’ if they are not set.

When booting, the Linux kernel will delegate the task of mounting the root filesystem to the initrd. Most initrd images determine the root file system by checking the Linux kernel’s command-line for the ‘root’ key and use its value as the identification method of the root file system. To improve the reliability of booting, most initrd images also allow the root file system to be identified by its UUID. Because of this behavior, the grub-mkconfig command will set ‘root’ to ‘root=UUID=...’ to provide the initrd with the filesystem UUID of the root file system.

If no initrd is detected or ‘GRUB_DISABLE_LINUX_UUID’ is set to ‘true’ then grub-command will identify the root filesystem by setting the kernel command-line variable ‘root’ to ‘root=PARTUUID=...’ unless ‘GRUB_DISABLE_LINUX_PARTUUID’ is also set to ‘true’. If ‘GRUB_DISABLE_LINUX_PARTUUID’ is also set to ‘true’, grub-command will identify by its Linux device name.

The following table summarizes the behavior of the grub-mkconfig command.

Initrd detectedGRUB_DISABLE_LINUX_PARTUUID Set ToGRUB_DISABLE_LINUX_UUID Set ToLinux Root ID Method
falsefalsefalsepart UUID
falsefalsetruepart UUID
falsetruefalsedev name
falsetruetruedev name
truefalsefalsefs UUID
truefalsetruepart UUID
truetruefalsefs UUID
truetruetruedev name

Remember, ‘GRUB_DISABLE_LINUX_PARTUUID’ and ‘GRUB_DISABLE_LINUX_UUID’ are also considered to be set to ‘true’ and ‘false’, respectively, when they are unset.

Next: , Previous: , Up: Writing your own configuration file   [Contents][Index]

6.3 Writing full configuration files directly

grub.cfg is written in GRUB’s built-in scripting language, which has a syntax quite similar to that of GNU Bash and other Bourne shell derivatives.

Words

A word is a sequence of characters considered as a single unit by GRUB. Words are separated by metacharacters, which are the following plus space, tab, and newline: 

{ } | & $ ; < >

Quoting may be used to include metacharacters in words; see below.

Reserved words

Reserved words have a special meaning to GRUB. The following words are recognised as reserved when unquoted and either the first word of a simple command or the third word of a for command: 

! [[ ]] { }
case do done elif else esac fi for function
if in menuentry select then time until while

Not all of these reserved words have a useful purpose yet; some are reserved for future expansion.

Quoting

Quoting is used to remove the special meaning of certain characters or words. It can be used to treat metacharacters as part of a word, to prevent reserved words from being recognised as such, and to prevent variable expansion.

There are three quoting mechanisms: the escape character, single quotes, and double quotes.

A non-quoted backslash (\) is the escape character. It preserves the literal value of the next character that follows, with the exception of newline.

Enclosing characters in single quotes preserves the literal value of each character within the quotes. A single quote may not occur between single quotes, even when preceded by a backslash.

Enclosing characters in double quotes preserves the literal value of all characters within the quotes, with the exception of ‘$’ and ‘\’. The ‘$’ character retains its special meaning within double quotes. The backslash retains its special meaning only when followed by one of the following characters: ‘$’, ‘"’, ‘\’, or newline. A backslash-newline pair is treated as a line continuation (that is, it is removed from the input stream and effectively ignored7). A double quote may be quoted within double quotes by preceding it with a backslash.

Variable expansion

The ‘$’ character introduces variable expansion. The variable name to be expanded may be enclosed in braces, which are optional but serve to protect the variable to be expanded from characters immediately following it which could be interpreted as part of the name.

Normal variable names begin with an alphabetic character, followed by zero or more alphanumeric characters. These names refer to entries in the GRUB environment (see GRUB environment variables).

Positional variable names consist of one or more digits. They represent parameters passed to function calls, with ‘$1’ representing the first parameter, and so on.

The special variable name ‘?’ expands to the exit status of the most recently executed command. When positional variable names are active, other special variable names ‘@’, ‘*’ and ‘#’ are defined and they expand to all positional parameters with necessary quoting, positional parameters without any quoting, and positional parameter count respectively.

Comments

A word beginning with ‘#’ causes that word and all remaining characters on that line to be ignored.

Simple commands

A simple command is a sequence of words separated by spaces or tabs and terminated by a semicolon or a newline. The first word specifies the command to be executed. The remaining words are passed as arguments to the invoked command.

The return value of a simple command is its exit status. If the reserved word ! precedes the command, then the return value is instead the logical negation of the command’s exit status.

Compound commands

A compound command is one of the following:

for name in word …; do list; done

The list of words following in is expanded, generating a list of items. The variable name is set to each element of this list in turn, and list is executed each time. The return value is the exit status of the last command that executes. If the expansion of the items following in results in an empty list, no commands are executed, and the return status is 0.

if list; then list; [elif list; then list;] … [else list;] fi

The if list is executed, where list is a series of simple commands separated by a ";". If its exit status of the last command is zero, the then list is executed. Otherwise, each elif list is executed in turn, and if its last command’s exit status is zero, the corresponding then list is executed and the command completes. Otherwise, the else list is executed, if present. The exit status is the exit status of the last command executed, or zero if no condition tested true.

while cond; do list; done
until cond; do list; done

The while command continuously executes the do list as long as the last command in cond returns an exit status of zero, where cond is a list of simple commands separated by a ";". The until command is identical to the while command, except that the test is negated; the do list is executed as long as the last command in cond returns a non-zero exit status. The exit status of the while and until commands is the exit status of the last do list command executed, or zero if none was executed.

function name { command; … }

This defines a function named name. The body of the function is the list of commands within braces, each of which must be terminated with a semicolon or a newline. This list of commands will be executed whenever name is specified as the name of a simple command. Function definitions do not affect the exit status in $?. When executed, the exit status of a function is the exit status of the last command executed in the body.

menuentry title [--class=class …] [--users=users] [--unrestricted] [--hotkey=key] [--id=id] { command; … }

See menuentry.

Built-in Commands

Some built-in commands are also provided by GRUB script to help script writers perform actions that are otherwise not possible. For example, these include commands to jump out of a loop without fully completing it, etc.

break [n]

Exit from within a for, while, or until loop. If n is specified, break n levels. n must be greater than or equal to 1. If n is greater than the number of enclosing loops, all enclosing loops are exited. The return value is 0 unless n is not greater than or equal to 1.

continue [n]

Resume the next iteration of the enclosing for, while or until loop. If n is specified, resume at the nth enclosing loop. n must be greater than or equal to 1. If n is greater than the number of enclosing loops, the last enclosing loop (the top-level loop) is resumed. The return value is 0 unless n is not greater than or equal to 1.

return [n]

Causes a function to exit with the return value specified by n. If n is omitted, the return status is that of the last command executed in the function body. If used outside a function the return status is false.

setparams [arg] …

Replace positional parameters starting with $1 with arguments to setparams.

shift [n]

The positional parameters from n+1 … are renamed to $1…. Parameters represented by the numbers $# down to $#-n+1 are unset. n must be a non-negative number less than or equal to $#. If n is 0, no parameters are changed. If n is not given, it is assumed to be 1. If n is greater than $#, the positional parameters are not changed. The return status is greater than zero if n is greater than $# or less than zero; otherwise 0.

Next: , Previous: , Up: Writing your own configuration file   [Contents][Index]

6.4 Multi-boot manual config

Currently autogenerating config files for multi-boot environments depends on os-prober and has several shortcomings. Due to that it is disabled by default. It is advised to use the power of GRUB syntax and do it yourself. A possible configuration is detailed here, feel free to adjust to your needs.

First create a separate GRUB partition, big enough to hold GRUB. Some of the following entries show how to load OS installer images from this same partition, for that you obviously need to make the partition large enough to hold those images as well. Mount this partition on/mnt/boot and disable GRUB in all OSes and manually install self-compiled latest GRUB with:

grub-install --boot-directory=/mnt/boot /dev/sda

In all the OSes install GRUB tools but disable installing GRUB in bootsector, so you’ll have menu.lst and grub.cfg available for use. Also disable os-prober use by setting:

GRUB_DISABLE_OS_PROBER=true

in /etc/default/grub

Then write a grub.cfg (/mnt/boot/grub/grub.cfg): 


menuentry "OS using grub2" {
   insmod xfs
   search --set=root --label OS1 --hint hd0,msdos8
   configfile /boot/grub/grub.cfg
}

menuentry "OS using grub2-legacy" {
   insmod ext2
   search --set=root --label OS2 --hint hd0,msdos6
   legacy_configfile /boot/grub/menu.lst
}

menuentry "Windows XP" {
   insmod ntfs
   search --set=root --label WINDOWS_XP --hint hd0,msdos1
   ntldr /ntldr
}

menuentry "Windows 7" {
   insmod ntfs
   search --set=root --label WINDOWS_7 --hint hd0,msdos2
   ntldr /bootmgr
}

menuentry "FreeBSD" {
          insmod zfs
          search --set=root --label freepool --hint hd0,msdos7
          kfreebsd /freebsd@/boot/kernel/kernel
          kfreebsd_module_elf /freebsd@/boot/kernel/opensolaris.ko
          kfreebsd_module_elf /freebsd@/boot/kernel/zfs.ko
          kfreebsd_module /freebsd@/boot/zfs/zpool.cache type=/boot/zfs/zpool.cache
          set kFreeBSD.vfs.root.mountfrom=zfs:freepool/freebsd
          set kFreeBSD.hw.psm.synaptics_support=1
}

menuentry "experimental GRUB" {
          search --set=root --label GRUB --hint hd0,msdos5
          multiboot /experimental/grub/i386-pc/core.img
}

menuentry "Fedora 16 installer" {
          search --set=root --label GRUB --hint hd0,msdos5
          linux /fedora/vmlinuz lang=en_US keymap=sg resolution=1280x800
          initrd /fedora/initrd.img
}

menuentry "Fedora rawhide installer" {
          search --set=root --label GRUB --hint hd0,msdos5
          linux /fedora/vmlinuz repo=ftp://mirror.switch.ch/mirror/fedora/linux/development/rawhide/x86_64 lang=en_US keymap=sg resolution=1280x800
          initrd /fedora/initrd.img
}

menuentry "Debian sid installer" {
          search --set=root --label GRUB --hint hd0,msdos5
          linux /debian/dists/sid/main/installer-amd64/current/images/hd-media/vmlinuz
          initrd /debian/dists/sid/main/installer-amd64/current/images/hd-media/initrd.gz
}

Notes:

  • Argument to search after –label is FS LABEL. You can also use UUIDs with –fs-uuid UUID instead of –label LABEL. You could also use direct root=hd0,msdosX but this is not recommended due to device name instability.

Previous: , Up: Writing your own configuration file   [Contents][Index]

6.5 Embedding a configuration file into GRUB

GRUB supports embedding a configuration file directly into the core image, so that it is loaded before entering normal mode. This is useful, for example, when it is not straightforward to find the real configuration file, or when you need to debug problems with loading that file. grub-install uses this feature when it is not using BIOS disk functions or when installing to a different disk from the one containing /boot/grub, in which case it needs to use the search command (see search) to find /boot/grub.

To embed a configuration file, use the -c option to grub-mkimage. The file is copied into the core image, so it may reside anywhere on the file system, and may be removed after running grub-mkimage.

After the embedded configuration file (if any) is executed, GRUB will load the ‘normal’ module (see normal), which will then read the real configuration file from $prefix/grub.cfg. By this point, the root variable will also have been set to the root device name. For example, prefix might be set to ‘(hd0,1)/boot/grub’, and root might be set to ‘hd0,1’. Thus, in most cases, the embedded configuration file only needs to set the prefix and root variables, and then drop through to GRUB’s normal processing. A typical example of this might look like this: 

search.fs_uuid 01234567-89ab-cdef-0123-456789abcdef root
set prefix=($root)/boot/grub

(The ‘search_fs_uuid’ module must be included in the core image for this example to work.)

In more complex cases, it may be useful to read other configuration files directly from the embedded configuration file. This allows such things as reading files not called grub.cfg, or reading files from a directory other than that where GRUB’s loadable modules are installed. To do this, include the ‘configfile’ and ‘normal’ modules in the core image, and embed a configuration file that uses the configfile command to load another file. The following example of this also requires the echo, search_label, and test modules to be included in the core image: 

search.fs_label grub root
if [ -e /boot/grub/example/test1.cfg ]; then
    set prefix=($root)/boot/grub
    configfile /boot/grub/example/test1.cfg
else
    if [ -e /boot/grub/example/test2.cfg ]; then
        set prefix=($root)/boot/grub
        configfile /boot/grub/example/test2.cfg
    else
        echo "Could not find an example configuration file!"
    fi
fi

The embedded configuration file may not contain menu entries directly, but may only read them from elsewhere using configfile.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

7 Theme file format

7.1 Introduction

The GRUB graphical menu supports themes that can customize the layout and appearance of the GRUB boot menu. The theme is configured through a plain text file that specifies the layout of the various GUI components (including the boot menu, timeout progress bar, and text messages) as well as the appearance using colors, fonts, and images. Example is available in docs/example_theme.txt

7.2 Theme Elements

7.2.1 Colors

Colors can be specified in several ways:

  • HTML-style “#RRGGBB” or “#RGB” format, where *R*, *G*, and *B* are hexadecimal digits (e.g., “#8899FF”)
  • as comma-separated decimal RGB values (e.g., “128, 128, 255”)
  • with “SVG 1.0 color names” (e.g., “cornflowerblue”) which must be specified in lowercase.

7.2.2 Fonts

The fonts GRUB uses “PFF2 font format” bitmap fonts. Fonts are specified with full font names. Currently there is no provision for a preference list of fonts, or deriving one font from another. Fonts are loaded with the “loadfont” command in GRUB (loadfont). To see the list of loaded fonts, execute the “lsfonts” command (lsfonts). If there are too many fonts to fit on screen, do “set pager=1” before executing “lsfonts”.

7.2.3 Progress Bar

Figure 7.1

Figure 7.2

Progress bars are used to display the remaining time before GRUB boots the default menu entry. To create a progress bar that will display the remaining time before automatic boot, simply create a “progress_bar” component with the id “__timeout__”. This indicates to GRUB that the progress bar should be updated as time passes, and it should be made invisible if the countdown to automatic boot is interrupted by the user.

Progress bars may optionally have text displayed on them. This text is controlled by variable “text” which contains a printf template with the only argument %d is the number of seconds remaining. Additionally special values “@TIMEOUT_NOTIFICATION_SHORT@”, “@TIMEOUT_NOTIFICATION_MIDDLE@”, “@TIMEOUT_NOTIFICATION_LONG@” are replaced with standard and translated templates.

7.2.4 Circular Progress Indicator

The circular progress indicator functions similarly to the progress bar. When given an id of “__timeout__”, GRUB updates the circular progress indicator’s value to indicate the time remaining. For the circular progress indicator, there are two images used to render it: the *center* image, and the *tick* image. The center image is rendered in the center of the component, while the tick image is used to render each mark along the circumference of the indicator.

7.2.5 Labels

Text labels can be placed on the boot screen. The font, color, and horizontal alignment can be specified for labels. If a label is given the id “__timeout__”, then the “text” property for that label is also updated with a message informing the user of the number of seconds remaining until automatic boot. This is useful in case you want the text displayed somewhere else instead of directly on the progress bar.

7.2.6 Boot Menu

The boot menu where GRUB displays the menu entries from the “grub.cfg” file. It is a list of items, where each item has a title and an optional icon. The icon is selected based on the *classes* specified for the menu entry. If there is a PNG file named “myclass.png” in the “grub/themes/icons” directory, it will be displayed for items which have the class *myclass*. The boot menu can be customized in several ways, such as the font and color used for the menu entry title, and by specifying styled boxes for the menu itself and for the selected item highlight.

7.2.7 Styled Boxes

One of the most important features for customizing the layout is the use of *styled boxes*. A styled box is composed of 9 rectangular (and potentially empty) regions, which are used to seamlessly draw the styled box on screen:

Northwest (nw)North (n)Northeast (ne)
West (w)Center (c)East (e)
Southwest (sw)South (s)Southeast (se)

To support any size of box on screen, the center slice and the slices for the top, bottom, and sides are all scaled to the correct size for the component on screen, using the following rules:

  1. The edge slices (north, south, east, and west) are scaled in the direction of the edge they are adjacent to. For instance, the west slice is scaled vertically.
  2. The corner slices (northwest, northeast, southeast, and southwest) are not scaled.
  3. The center slice is scaled to fill the remaining space in the middle.

As an example of how an image might be sliced up, consider the styled box used for a terminal view.

Figure 7.3

7.2.8 Creating Styled Box Images

The Inkscape_ scalable vector graphics editor is a very useful tool for creating styled box images. One process that works well for slicing a drawing into the necessary image slices is:

  1. Create or open the drawing you’d like use.
  2. Create a new layer on the top of the layer stack. Make it visible. Select this layer as the current layer.
  3. Draw 9 rectangles on your drawing where you’d like the slices to be. Clear the fill option, and set the stroke to 1 pixel wide solid stroke. The corners of the slices must meet precisely; if it is off by a single pixel, it will probably be evident when the styled box is rendered in the GRUB menu. You should probably go to File | Document Properties | Grids and enable a grid or create a guide (click on one of the rulers next to the drawing and drag over the drawing; release the mouse button to place the guide) to help place the rectangles precisely.
  4. Right click on the center slice rectangle and choose Object Properties. Change the "Id" to “slice_c“ and click Set. Repeat this for the remaining 8 rectangles, giving them Id values of “slice_n“, “slice_ne“, “slice_e“, and so on according to the location.
  5. Save the drawing.
  6. Select all the slice rectangles. With the slice layer selected, you can simply press Ctrl+A to select all rectangles. The status bar should indicate that 9 rectangles are selected.
  7. Click the layer hide icon for the slice layer in the layer palette. The rectangles will remain selected, even though they are hidden.
  8. Choose File | Export Bitmap and check the *Batch export 9 selected objects* box. Make sure that *Hide all except selected* is unchecked. click *Export*. This will create PNG files in the same directory as the drawing, named after the slices. These can now be used for a styled box in a GRUB theme.

7.3 Theme File Manual

The theme file is a plain text file. Lines that begin with “#“ are ignored and considered comments. (Note: This may not be the case if the previous line ended where a value was expected.)

The theme file contains two types of statements:

  1. Global properties.
  2. Component construction.

7.3.1 Global Properties

7.3.2 Format

Global properties are specified with the simple format:

  • name1: value1
  • name2: "value which may contain spaces"
  • name3: #88F

In this example, name3 is assigned a color value.

7.3.3 Global Property List

title-textSpecifies the text to display at the top center of the screen as a title.
title-fontDefines the font used for the title message at the top of the screen.
title-colorDefines the color of the title message.
message-fontCurrently unused. Left for backward compatibility.
message-colorCurrently unused. Left for backward compatibility.
message-bg-colorCurrently unused. Left for backward compatibility.
desktop-imageSpecifies the image to use as the background. It will be scaled to fit the screen size or proportionally scaled depending on the scale method.
desktop-image-scale-methodSpecifies the scaling method for the *desktop-image*. Options are “stretch“, “crop“, “padding“, “fitwidth“, “fitheight“. “stretch“ for fitting the screen size. Otherwise it is proportional scaling of a part of *desktop-image* to the part of the screen. “crop“ part of the *desktop-image* will be proportionally scaled to fit the screen sizes. “padding“ the entire *desktop-image* will be contained on the screen. “fitwidth“ for fitting the *desktop-image*’s width with screen width. “fitheight“ for fitting the *desktop-image*’s height with the screen height. Default is “stretch“.
desktop-image-h-alignSpecifies the horizontal alignment of the *desktop-image* if *desktop-image-scale-method* isn’t equeal to “stretch“. Options are “left“, “center“, “right“. Default is “center“.
desktop-image-v-alignSpecifies the vertical alignment of the *desktop-image* if *desktop-image-scale-method* isn’t equeal to “stretch“. Options are “top“, “center“, “bottom“. Default is “center“.
desktop-colorSpecifies the color for the background if *desktop-image* is not specified.
terminal-boxSpecifies the file name pattern for the styled box slices used for the command line terminal window. For example, “terminal-box: terminal_*.png“ will use the images “terminal_c.png“ as the center area, “terminal_n.png“ as the north (top) edge, “terminal_nw.png“ as the northwest (upper left) corner, and so on. If the image for any slice is not found, it will simply be left empty.
terminal-borderSpecifies the border width of the terminal window.
terminal-leftSpecifies the left coordinate of the terminal window.
terminal-topSpecifies the top coordinate of the terminal window.
terminal-widthSpecifies the width of the terminal window.
terminal-heightSpecifies the height of the terminal window.

7.3.4 Component Construction

Greater customizability comes is provided by components. A tree of components forms the user interface. *Containers* are components that can contain other components, and there is always a single root component which is an instance of a *canvas* container.

Components are created in the theme file by prefixing the type of component with a ’+’ sign:

+ label { text="GRUB" font="aqui 11" color="#8FF" }

properties of a component are specified as "name = value" (whitespace surrounding tokens is optional and is ignored) where *value* may be:

  • a single word (e.g., “align = center“, “color = #FF8080“),
  • a quoted string (e.g., “text = "Hello, World!"“), or
  • a tuple (e.g., “preferred_size = (120, 80)“).

7.3.5 Component List

The following is a list of the components and the properties they support.

  • label A label displays a line of text.

    Properties:

    idSet to “__timeout__“ to display the time elapsed to an automatical boot of the default entry.
    textThe text to display. If “id“ is set to “__timeout__“ and no “text“ property is set then the amount of seconds will be shown. If set to “@KEYMAP_SHORT@“, “@KEYMAP_MIDDLE@“ or “@KEYMAP_LONG@“ then predefined hotkey information will be shown.
    fontThe font to use for text display.
    colorThe color of the text.
    alignThe horizontal alignment of the text within the component. Options are “left“, “center“ and “right“.
    visibleSet to “false“ to hide the label.
  • image A component that displays an image. The image is scaled to fit the component.

    Properties:

    fileThe full path to the image file to load.
  • progress_bar Displays a horizontally oriented progress bar. It can be rendered using simple solid filled rectangles, or using a pair of pixmap styled boxes.

    Properties:

    idSet to “__timeout__“ to display the time elapsed to an automatical boot of the default entry.
    fg_colorThe foreground color for plain solid color rendering.
    bg_colorThe background color for plain solid color rendering.
    border_colorThe border color for plain solid color rendering.
    text_colorThe text color.
    bar_styleThe styled box specification for the frame of the progress bar. Example: “progress_frame_*.png“ If the value is equal to “highlight_style“ then no styled boxes will be shown.
    highlight_styleThe styled box specification for the highlighted region of the progress bar. This box will be used to paint just the highlighted region of the bar, and will be increased in size as the bar nears completion. Example: “progress_hl_*.png“. If the value is equal to “bar_style“ then no styled boxes will be shown.
    highlight_overlayIf this option is set to “true“ then the highlight box side slices (every slice except the center slice) will overlay the frame box side slices. And the center slice of the highlight box can move all the way (from top to bottom), being drawn on the center slice of the frame box. That way we can make a progress bar with round-shaped edges so there won’t be a free space from the highlight to the frame in top and bottom scrollbar positions. Default is “false“.
    fontThe font to use for progress bar.
    textThe text to display on the progress bar. If the progress bar’s ID is set to “__timeout__“ and the value of this property is set to “@TIMEOUT_NOTIFICATION_SHORT@“, “@TIMEOUT_NOTIFICATION_MIDDLE@“ or “@TIMEOUT_NOTIFICATION_LONG@“, then GRUB will update this property with an informative message as the timeout approaches.
  • circular_progress Displays a circular progress indicator. The appearance of this component is determined by two images: the *center* image and the *tick* image. The center image is generally larger and will be drawn in the center of the component. Around the circumference of a circle within the component, the tick image will be drawn a certain number of times, depending on the properties of the component.

    Properties:

    idSet to “__timeout__“ to display the time elapsed to an automatical boot of the default entry.
    center_bitmapThe file name of the image to draw in the center of the component.
    tick_bitmapThe file name of the image to draw for the tick marks.
    num_ticksThe number of ticks that make up a full circle.
    ticks_disappearBoolean value indicating whether tick marks should progressively appear, or progressively disappear as *value* approaches *end*. Specify “true“ or “false“. Default is “false“.
    start_angleThe position of the first tick mark to appear or disappear. Measured in "parrots", 1 "parrot" = 1 / 256 of the full circle. Use values “xxx deg“ or “xxx \xc2\xb0“ to set the angle in degrees.
  • boot_menu Displays the GRUB boot menu. It allows selecting items and executing them.

    Properties:

    item_fontThe font to use for the menu item titles.
    selected_item_fontThe font to use for the selected menu item, or “inherit“ (the default) to use “item_font“ for the selected menu item as well.
    item_colorThe color to use for the menu item titles.
    selected_item_colorThe color to use for the selected menu item, or “inherit“ (the default) to use “item_color“ for the selected menu item as well.
    icon_widthThe width of menu item icons. Icons are scaled to the specified size.
    icon_heightThe height of menu item icons.
    item_heightThe height of each menu item in pixels.
    item_paddingThe amount of space in pixels to leave on each side of the menu item contents.
    item_icon_spaceThe space between an item’s icon and the title text, in pixels.
    item_spacingThe amount of space to leave between menu items, in pixels.
    menu_pixmap_styleThe image file pattern for the menu frame styled box. Example: “menu_*.png“ (this will use images such as “menu_c.png“, “menu_w.png“, ‘menu_nw.png“, etc.)
    item_pixmap_styleThe image file pattern for the item styled box.
    selected_item_pixmap_styleThe image file pattern for the selected item highlight styled box.
    scrollbarBoolean value indicating whether the scroll bar should be drawn if the frame and thumb styled boxes are configured.
    scrollbar_frameThe image file pattern for the entire scroll bar. Example: “scrollbar_*.png“
    scrollbar_thumbThe image file pattern for the scroll bar thumb (the part of the scroll bar that moves as scrolling occurs). Example: “scrollbar_thumb_*.png“
    scrollbar_thumb_overlayIf this option is set to “true“ then the scrollbar thumb side slices (every slice except the center slice) will overlay the scrollbar frame side slices. And the center slice of the scrollbar_thumb can move all the way (from top to bottom), being drawn on the center slice of the scrollbar frame. That way we can make a scrollbar with round-shaped edges so there won’t be a free space from the thumb to the frame in top and bottom scrollbar positions. Default is “false“.
    scrollbar_sliceThe menu frame styled box’s slice in which the scrollbar will be drawn. Possible values are “west“, “center“, “east“ (default). “west“ - the scrollbar will be drawn in the west slice (right-aligned). “east“ - the scrollbar will be drawn in the east slice (left-aligned). “center“ - the scrollbar will be drawn in the center slice. Note: in case of “center“ slice: a) If the scrollbar should be drawn then boot menu entry’s width is decreased by the scrollbar’s width and the scrollbar is drawn at the right side of the center slice. b) If the scrollbar won’t be drawn then the boot menu entry’s width is the width of the center slice. c) We don’t necessary need the menu pixmap box to display the scrollbar.
    scrollbar_left_padThe left scrollbar padding in pixels. Unused if “scrollbar_slice“ is “west“.
    scrollbar_right_padThe right scrollbar padding in pixels. Unused if “scrollbar_slice“ is “east“.
    scrollbar_top_padThe top scrollbar padding in pixels.
    scrollbar_bottom_padThe bottom scrollbar padding in pixels.
    visibleSet to “false“ to hide the boot menu.
  • canvas Canvas is a container that allows manual placement of components within it. It does not alter the positions of its child components. It assigns all child components their preferred sizes.
  • hbox The *hbox* container lays out its children from left to right, giving each one its preferred width. The height of each child is set to the maximum of the preferred heights of all children.
  • vbox The *vbox* container lays out its children from top to bottom, giving each one its preferred height. The width of each child is set to the maximum of the preferred widths of all children.

7.3.6 Common properties

The following properties are supported by all components:

left

The distance from the left border of container to left border of the object in either of three formats:

xValue in pixels
p%Percentage
p%+xmixture of both
top

The distance from the left border of container to left border of the object in same format.

width

The width of object in same format.

height

The height of object in same format.

id

The identifier for the component. This can be any arbitrary string. The ID can be used by scripts to refer to various components in the GUI component tree. Currently, there is one special ID value that GRUB recognizes:

“__timeout__“Component with this ID will be updated by GRUB and will indicate time elapsed to an automatical boot of the default entry. Affected components: “label“, “circular_progress“, “progress_bar“.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

8 Booting GRUB from the network

The following instructions don’t work for *-emu, i386-qemu, i386-coreboot, i386-multiboot, mips_loongson, mips-arc and mips_qemu_mips

To generate a netbootable directory, run: 

grub-mknetdir --net-directory=/srv/tftp --subdir=/boot/grub -d /usr/lib/grub/<platform>

E.g. for i386-pc: 

grub-mknetdir --net-directory=/srv/tftp --subdir=/boot/grub -d /usr/lib/grub/i386-pc

Then follow instructions printed out by grub-mknetdir on configuring your DHCP server.

The grub.cfg file is placed in the same directory as the path output by grub-mknetdir hereafter referred to as FWPATH. GRUB will search for its configuration files in order using the following rules where the appended value corresponds to a value on the client machine. 

(FWPATH)’/grub.cfg-‘(UUID OF MACHINE)’
‘(FWPATH)’/grub.cfg-01-‘(MAC ADDRESS OF NIC)’
‘(FWPATH)’/grub.cfg-‘(IPv4 OR IPv6 ADDRESS)’
‘(FWPATH)’/grub.cfg

The UUID is the Client Machine Identifier Option Definition as specified in RFC 4578. The client will only attempt to look up a UUID config file if it was provided by the DHCP server.

The client will only attempt to look up an IPv6 address config once, however, it will try the IPv4 multiple times. The concrete example below shows what would happen under the IPv4 case. 

UUID: 7726a678-7fc0-4853-a4f6-c85ac36a120a
MAC:  52:54:00:ec:33:81
IPV4: 10.0.0.130 (0A000082)

(FWPATH)’/grub.cfg-7726a678-7fc0-4853-a4f6-c85ac36a120a
‘(FWPATH)’/grub.cfg-01-52-54-00-ec-33-81
‘(FWPATH)’/grub.cfg-0A000082
‘(FWPATH)’/grub.cfg-0A00008
‘(FWPATH)’/grub.cfg-0A0000
‘(FWPATH)’/grub.cfg-0A000
‘(FWPATH)’/grub.cfg-0A00
‘(FWPATH)’/grub.cfg-0A0
‘(FWPATH)’/grub.cfg-0A
‘(FWPATH)’/grub.cfg-0
‘(FWPATH)’/grub.cfg

This feature is enabled by default but it can be disabled by setting the ‘feature_net_search_cfg’ to ‘n’. Since this happens before the configuration file is read by GRUB, this option has to be disabled in an embedded configuration file (see Embedding a configuration file into GRUB).

After GRUB has started, files on the TFTP server will be accessible via the ‘(tftp)’ device.

The server IP address can be controlled by changing the ‘(tftp)’ device name to ‘(tftp,server-ip)’. Note that this should be changed both in the prefix and in any references to the device name in the configuration file.

GRUB provides several environment variables which may be used to inspect or change the behaviour of the PXE device. In the following description <interface> is placeholder for the name of network interface (platform dependent):

net_<interface>_ip

The network interface’s IP address. Read-only.

net_<interface>_mac

The network interface’s MAC address. Read-only.

net_<interface>_clientid

The client id provided by DHCP. Read-only.

net_<interface>_clientuuid

The client uuid provided by DHCP. Read-only.

net_<interface>_hostname

The client host name provided by DHCP. Read-only.

net_<interface>_domain

The client domain name provided by DHCP. Read-only.

net_<interface>_rootpath

The path to the client’s root disk provided by DHCP. Read-only.

net_<interface>_extensionspath

The path to additional DHCP vendor extensions provided by DHCP. Read-only.

net_<interface>_boot_file

The boot file name provided by DHCP. Read-only.

net_<interface>_dhcp_server_name

The name of the DHCP server responsible for these boot parameters. Read-only.

net_<interface>_next_server

The IP address of the next (usually, TFTP) server provided by DHCP. Read-only.

net_default_interface

Initially set to name of network interface that was used to load grub. Read-write, although setting it affects only interpretation of ‘net_default_ip’ and ‘net_default_mac

net_default_ip

The IP address of default interface. Read-only. This is alias for the ‘net_${net_default_interface}_ip’.

net_default_mac

The default interface’s MAC address. Read-only. This is alias for the ‘net_${net_default_interface}_mac’.

net_default_server

The default server used by network drives (see How to specify devices). Read-write, although setting this is only useful before opening a network device.

pxe_default_server

This performs the same function as ‘net_default_server’.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

9 Using GRUB via a serial line

This chapter describes how to use the serial terminal support in GRUB.

If you have many computers or computers with no display/keyboard, it could be very useful to control the computers through serial communications. To connect one computer with another via a serial line, you need to prepare a null-modem (cross) serial cable, and you may need to have multiport serial boards, if your computer doesn’t have extra serial ports. In addition, a terminal emulator is also required, such as minicom. Refer to a manual of your operating system, for more information.

As for GRUB, the instruction to set up a serial terminal is quite simple. Here is an example: 

grub> serial --unit=0 --speed=9600
grub> terminal_input serial; terminal_output serial

The command serial initializes the serial unit 0 with the speed 9600bps. The serial unit 0 is usually called ‘COM1’, so, if you want to use COM2, you must specify ‘--unit=1’ instead. This command accepts many other options, see serial for more details.

Without argument or with ‘--port=auto’, GRUB will attempt to use ACPI when available to auto-detect the default serial port and its configuration.

The commands terminal_input (see terminal_input) and terminal_output (see terminal_output) choose which type of terminal you want to use. In the case above, the terminal will be a serial terminal, but you can also pass console to the command, as ‘terminal_input serial console’. In this case, a terminal in which you press any key will be selected as a GRUB terminal. In the example above, note that you need to put both commands on the same command line, as you will lose the ability to type commands on the console after the first command.

However, note that GRUB assumes that your terminal emulator is compatible with VT100 by default. This is true for most terminal emulators nowadays. However if your terminal emulator is not VT100-compatible or implements few VT100 escape sequences, you shoud tell GRUB that the terminal is dumb using the terminfo (see terminfo) command. This will have GRUB provide you with an alternative menu interface, because the normal menu requires several fancy features of your terminal.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

10 Using GRUB with vendor power-on keys

Some laptop vendors provide an additional power-on button which boots another OS. GRUB supports such buttons with the ‘GRUB_TIMEOUT_BUTTON’, ‘GRUB_TIMEOUT_STYLE_BUTTON’, ‘GRUB_DEFAULT_BUTTON’, and ‘GRUB_BUTTON_CMOS_ADDRESS’ variables in default/grub (see Simple configuration handling). ‘GRUB_TIMEOUT_BUTTON’, ‘GRUB_TIMEOUT_STYLE_BUTTON’, and ‘GRUB_DEFAULT_BUTTON’ are used instead of the corresponding variables without the ‘_BUTTON’ suffix when powered on using the special button. ‘GRUB_BUTTON_CMOS_ADDRESS’ is vendor-specific and partially model-specific. Values known to the GRUB team are:

Dell XPS M1330M

121:3

Dell XPS M1530

85:3

Dell Latitude E4300

85:3

Asus EeePC 1005PE

84:1 (unconfirmed)

LENOVO ThinkPad T410s (2912W1C)

101:3

To take full advantage of this function, install GRUB into the MBR (see Installing GRUB using grub-install).

If you have a laptop which has a similar feature and not in the above list could you figure your address and contribute? To discover the address do the following:

Then compare these text files and find where a bit was toggled. E.g. in case of Dell XPS it was: 

byte 0x47: 20 --> 28

It’s a bit number 3 as seen from following table:

001
102
204
308
410
520
640
780

0x47 is decimal 71. Linux nvram implementation cuts first 14 bytes of CMOS. So the real byte address in CMOS is 71+14=85 So complete address is 85:3

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

11 GRUB image files

GRUB consists of several images: a variety of bootstrap images for starting GRUB in various ways, a kernel image, and a set of modules which are combined with the kernel image to form a core image. Here is a short overview of them.

boot.img

On PC BIOS systems, this image is the first part of GRUB to start. It is written to a master boot record (MBR) or to the boot sector of a partition. Because a PC boot sector is 512 bytes, the size of this image is exactly 512 bytes.

The sole function of boot.img is to read the first sector of the core image from a local disk and jump to it. Because of the size restriction, boot.img cannot understand any file system structure, so grub-install hardcodes the location of the first sector of the core image into boot.img when installing GRUB.

diskboot.img

This image is used as the first sector of the core image when booting from a hard disk. It reads the rest of the core image into memory and starts the kernel. Since file system handling is not yet available, it encodes the location of the core image using a block list format.

cdboot.img

This image is used as the first sector of the core image when booting from a CD-ROM drive. It performs a similar function to diskboot.img.

pxeboot.img

This image is used as the start of the core image when booting from the network using PXE. See Booting GRUB from the network.

lnxboot.img

This image may be placed at the start of the core image in order to make GRUB look enough like a Linux kernel that it can be booted by LILO using an ‘image=’ section.

kernel.img

This image contains GRUB’s basic run-time facilities: frameworks for device and file handling, environment variables, the rescue mode command-line parser, and so on. It is rarely used directly, but is built into all core images.

core.img

This is the core image of GRUB. It is built dynamically from the kernel image and an arbitrary list of modules by the grub-mkimage program. Usually, it contains enough modules to access /boot/grub, and loads everything else (including menu handling, the ability to load target operating systems, and so on) from the file system at run-time. The modular design allows the core image to be kept small, since the areas of disk where it must be installed are often as small as 32KB.

See BIOS installation, for details on where the core image can be installed on PC systems.

*.mod

Everything else in GRUB resides in dynamically loadable modules. These are often loaded automatically, or built into the core image if they are essential, but may also be loaded manually using the insmod command (see insmod).

For GRUB Legacy users

GRUB 2 has a different design from GRUB Legacy, and so correspondences with the images it used cannot be exact. Nevertheless, GRUB Legacy users often ask questions in the terms they are familiar with, and so here is a brief guide to how GRUB 2’s images relate to that.

stage1

Stage 1 from GRUB Legacy was very similar to boot.img in GRUB 2, and they serve the same function.

*_stage1_5

In GRUB Legacy, Stage 1.5’s function was to include enough filesystem code to allow the much larger Stage 2 to be read from an ordinary filesystem. In this respect, its function was similar to core.img in GRUB 2. However, core.img is much more capable than Stage 1.5 was; since it offers a rescue shell, it is sometimes possible to recover manually in the event that it is unable to load any other modules, for example if partition numbers have changed. core.img is built in a more flexible way, allowing GRUB 2 to support reading modules from advanced disk types such as LVM and RAID.

GRUB Legacy could run with only Stage 1 and Stage 2 in some limited configurations, while GRUB 2 requires core.img and cannot work without it.

stage2

GRUB 2 has no single Stage 2 image. Instead, it loads modules from /boot/grub at run-time.

stage2_eltorito

In GRUB 2, images for booting from CD-ROM drives are now constructed using cdboot.img and core.img, making sure that the core image contains the ‘iso9660’ module. It is usually best to use the grub-mkrescue program for this.

nbgrub

There is as yet no equivalent for nbgrub in GRUB 2; it was used by Etherboot and some other network boot loaders.

pxegrub

In GRUB 2, images for PXE network booting are now constructed using pxeboot.img and core.img, making sure that the core image contains the ‘pxe’ and ‘pxecmd’ modules. See Booting GRUB from the network.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

12 Core image size limitation

Heavily limited platforms:

Lightly limited platforms:

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

13 Filesystem syntax and semantics

GRUB uses a special syntax for specifying disk drives which can be accessed by BIOS. Because of BIOS limitations, GRUB cannot distinguish between IDE, ESDI, SCSI, or others. You must know yourself which BIOS device is equivalent to which OS device. Normally, that will be clear if you see the files in a device or use the command search (see search).

Next: , Up: Filesystem syntax and semantics   [Contents][Index]

13.1 How to specify devices

The device syntax is like this: 

(device[,partmap-name1part-num1[,partmap-name2part-num2[,...]]])

[]’ means the parameter is optional. device depends on the disk driver in use. BIOS and EFI disks use either ‘fd’ or ‘hd’ followed by a digit, like ‘fd0’, or ‘cd’. AHCI, PATA (ata), crypto, USB use the name of driver followed by a number. Memdisk and host are limited to one disk and so it’s referred just by driver name. RAID (md), ofdisk (ieee1275 and nand), LVM (lvm), LDM, virtio (vdsk) and arcdisk (arc) use intrinsic name of disk prefixed by driver name. Additionally just “nand” refers to the disk aliased as “nand”. Conflicts are solved by suffixing a number if necessary. Commas need to be escaped. Loopback uses whatever name specified to loopback command. Hostdisk uses names specified in device.map as long as it’s of the form [fhc]d[0-9]* or hostdisk/<OS DEVICE>. For crypto and RAID (md) additionally you can use the syntax <driver name>uuid/<uuid>. For LVM additionally you can use the syntax lvmid/<volume-group-uuid>/<volume-uuid>. 

(fd0)
(hd0)
(cd)
(ahci0)
(ata0)
(crypto0)
(usb0)
(cryptouuid/123456789abcdef0123456789abcdef0)
(mduuid/123456789abcdef0123456789abcdef0)
(lvm/system-root)
(lvmid/F1ikgD-2RES-306G-il9M-7iwa-4NKW-EbV1NV/eLGuCQ-L4Ka-XUgR-sjtJ-ffch-bajr-fCNfz5)
(md/myraid)
(md/0)
(ieee1275/disk2)
(ieee1275//pci@1f\,0/ide@d/disk@2)
(nand)
(memdisk)
(host)
(myloop)
(hostdisk//dev/sda)

part-num represents the partition number of device, starting from one. partname is optional but is recommended since disk may have several top-level partmaps. Specifying third and later component you can access to subpartitions.

The syntax ‘(hd0)’ represents using the entire disk (or the MBR when installing GRUB), while the syntax ‘(hd0,1)’ represents using the first partition of the disk (or the boot sector of the partition when installing GRUB). 

(hd0,msdos1)
(hd0,msdos1,msdos5)
(hd0,msdos1,bsd3)
(hd0,netbsd1)
(hd0,gpt1)
(hd0,1,3)

If you enabled the network support, the special drives (protocol[,server]) are also available. Supported protocols are ‘http’ and ‘tftp’. If server is omitted, value of environment variable ‘net_default_server’ is used. Before using the network drive, you must initialize the network. See Booting GRUB from the network, for more information.

When using ‘http’ or ‘tftp’, ports other than ‘80’ can be specified using a colon (‘:’) after the address. To avoid parsing conflicts, when using IPv6 addresses with custom ports, the addresses must be enclosed with square brackets (‘[]’), as is standard practice. 

(http,grub.example.com:31337)
(http,192.0.2.1:339)
(http,[2001:db8::1]:11235)

If you boot GRUB from a CD-ROM, ‘(cd)’ is available. See Making a GRUB bootable CD-ROM, for details.

Next: , Previous: , Up: Filesystem syntax and semantics   [Contents][Index]

13.2 How to specify files

There are two ways to specify files, by absolute file name and by block list.

An absolute file name resembles a Unix absolute file name, using ‘/’ for the directory separator (not ‘\’ as in DOS). One example is ‘(hd0,1)/boot/grub/grub.cfg’. This means the file /boot/grub/grub.cfg in the first partition of the first hard disk. If you omit the device name in an absolute file name, GRUB uses GRUB’s root device implicitly. So if you set the root device to, say, ‘(hd1,1)’ by the command ‘set root=(hd1,1)’ (see set), then /boot/kernel is the same as (hd1,1)/boot/kernel.

On ZFS filesystem the first path component must be volume@’[snapshot]. So ‘/rootvol@snap-129/boot/grub/grub.cfg’ refers to file ‘/boot/grub/grub.cfg’ in snapshot of volume ‘rootvol’ with name ‘snap-129’. Trailing ‘@’ after volume name is mandatory even if snapshot name is omitted.

Previous: , Up: Filesystem syntax and semantics   [Contents][Index]

13.3 How to specify block lists

A block list is used for specifying a file that doesn’t appear in the filesystem, like a chainloader. The syntax is [offset]+[length][,[offset]+[length]]…. Here is an example: 

0+100,200+1,300+300,800+

This represents that GRUB should read blocks 0 through 99, block 200, blocks 300 through 599, and blocks 800 until the end of the device. If you omit an offset, then GRUB assumes the offset is zero. If the length is omitted, then GRUB assumes the block list extends until the end of the device.

Like the file name syntax (see How to specify files), if a blocklist does not contain a device name, then GRUB uses GRUB’s root device. So (hd0,2)+1 is the same as +1 when the root device is ‘(hd0,2)’.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

14 GRUB’s user interface

GRUB has both a simple menu interface for choosing preset entries from a configuration file, and a highly flexible command-line for performing any desired combination of boot commands.

GRUB looks for its configuration file as soon as it is loaded. If one is found, then the full menu interface is activated using whatever entries were found in the file. If you choose the command-line menu option, or if the configuration file was not found, then GRUB drops to the command-line interface.

Next: , Up: GRUB’s user interface   [Contents][Index]

14.1 The flexible command-line interface

The command-line interface provides a prompt and after it an editable text area much like a command-line in Unix or DOS. Each command is immediately executed after it is entered8. The commands (see Available commands) are a subset of those available in the configuration file, used with exactly the same syntax.

Cursor movement and editing of the text on the line can be done via a subset of the functions available in the Bash shell:

C-f
PC right key

Move forward one character.

C-b
PC left key

Move back one character.

C-a
HOME

Move to the start of the line.

C-e
END

Move the the end of the line.

C-d
DEL

Delete the character underneath the cursor.

C-h
BS

Delete the character to the left of the cursor.

C-k

Kill the text from the current cursor position to the end of the line.

C-u

Kill backward from the cursor to the beginning of the line.

C-y

Yank the killed text back into the buffer at the cursor.

C-p
PC up key

Move up through the history list.

C-n
PC down key

Move down through the history list.

When typing commands interactively, if the cursor is within or before the first word in the command-line, pressing the TAB key (or C-i) will display a listing of the available commands, and if the cursor is after the first word, the TAB will provide a completion listing of disks, partitions, and file names depending on the context. Note that to obtain a list of drives, one must open a parenthesis, as root (.

Note that you cannot use the completion functionality in the TFTP filesystem. This is because TFTP doesn’t support file name listing for the security.

Previous: , Up: GRUB’s user interface   [Contents][Index]

14.3 Editing a menu entry

The menu entry editor looks much like the main menu interface, but the lines in the menu are individual commands in the selected entry instead of entry names.

If an ESC is pressed in the editor, it aborts all the changes made to the configuration entry and returns to the main menu interface.

Each line in the menu entry can be edited freely, and you can add new lines by pressing RET at the end of a line. To boot the edited entry, press Ctrl-x.

Although GRUB unfortunately does not support undo, you can do almost the same thing by just returning to the main menu using ESC.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

15 GRUB environment variables

GRUB supports environment variables which are rather like those offered by all Unix-like systems. Environment variables have a name, which is unique and is usually a short identifier, and a value, which is an arbitrary string of characters. They may be set (see set), unset (see unset), or looked up (see Writing full configuration files directly) by name.

A number of environment variables have special meanings to various parts of GRUB. Others may be used freely in GRUB configuration files.

Next: , Up: GRUB environment variables   [Contents][Index]

15.1 Special environment variables

These variables have special meaning to GRUB.

Next: , Up: Special environment variables   [Contents][Index]

15.1.1 appendedsig_key_mgmt

This variable controls whether GRUB enforces appended signature validation using either static or dynamic key management. It is automatically set by GRUB to either static or dynamic based on the ’ibm,secure-boot’ device tree property and Platform KeyStore (PKS). Also, it can be explicitly set to either static or dynamic by setting the appendedsig_key_mgmt variable from the GRUB console when the GRUB is not locked down.

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.2 biosnum

When chain-loading another boot loader (see Chain-loading an OS), GRUB may need to know what BIOS drive number corresponds to the root device (see root) so that it can set up registers properly. If the biosnum variable is set, it overrides GRUB’s own means of guessing this.

For an alternative approach which also changes BIOS drive mappings for the chain-loaded system, see drivemap.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.3 blsuki_save_default

If this variable is set, menu entries generated from BLS config files (see blscfg) or UKI files (see uki) will be set as the default boot entry when selected.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.4 check_appended_signatures

This variable controls whether GRUB enforces appended signature validation on loaded kernel and GRUB module files. It is automatically set by GRUB to either no or yes based on the ’ibm,secure-boot’ device tree property. Also, it can be explicitly set to either no or yes by setting the check_appended_signatures variable from the GRUB console when the GRUB is not locked down.

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.5 check_signatures

This variable controls whether GRUB enforces GPG-style digital signature validation on loaded files. See Using GPG-style digital signatures in GRUB.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.6 chosen

When executing a menu entry, GRUB sets the chosen variable to the title of the entry being executed.

If the menu entry is in one or more submenus, then chosen is set to the titles of each of the submenus starting from the top level followed by the title of the menu entry itself, separated by ‘>’.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.7 cmdpath

The location from which core.img was loaded as an absolute directory name (see How to specify files). This is set by GRUB at startup based on information returned by platform firmware. Not every platform provides this information and some may return only device without path name.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.8 color_highlight

This variable contains the “highlight” foreground and background terminal colors, separated by a slash (‘/’). Setting this variable changes those colors. For the available color names, see color_normal.

The default is ‘black/light-gray’.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.9 color_normal

This variable contains the “normal” foreground and background terminal colors, separated by a slash (‘/’). Setting this variable changes those colors. Each color must be a name from the following list:

  • black
  • blue
  • green
  • cyan
  • red
  • magenta
  • brown
  • light-gray
  • dark-gray
  • light-blue
  • light-green
  • light-cyan
  • light-red
  • light-magenta
  • yellow
  • white

The default is ‘light-gray/black’.

The color support support varies from terminal to terminal.

morse’ has no color support at all.

mda_text’ color support is limited to highlighting by black/white reversal.

console’ on ARC, EMU and IEEE1275, ‘serial_*’ and ‘spkmodem’ are governed by terminfo and support only 8 colors if in modes ‘vt100-color’ (default for console on emu), ‘arc’ (default for console on ARC), ‘ieee1275’ (default for console on IEEE1275). When in mode ‘vt100’ then the color support is limited to highlighting by black/white reversal. When in mode ‘dumb’ there is no color support.

When console supports no colors this setting is ignored. When console supports 8 colors, then the colors from the second half of the previous list are mapped to the matching colors of first half.

console’ on EFI and BIOS and ‘vga_text’ support all 16 colors.

gfxterm’ supports all 16 colors and would be theoretically extendable to support whole rgb24 palette but currently there is no compelling reason to go beyond the current 16 colors.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.10 config_directory

This variable is automatically set by GRUB to the directory part of current configuration file name (see config_file).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.11 config_file

This variable is automatically set by GRUB to the name of configuration file that is being processed by commands configfile (see configfile) or normal (see normal). It is restored to the previous value when command completes.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.12 cryptodisk_passphrase_tries

When prompting the user for a cryptodisk passphrase, allow this many attempts before giving up. Defaults to ‘3’ if unset or set to an invalid value. (The user can give up early by entering an empty passphrase.)

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.13 debug

This variable may be set to enable debugging output from various components of GRUB. The value is an ordered list of debug facility names separated by whitespace or ‘,’. If the special facility named ‘all’ is present then debugging output of all facility names is enabled at the start of processing the value of this variable. A facility’s debug output can then be disabled by prefixing its name with a ‘-’. The last occurence facility name with or without a leading ‘-’ takes precendent over any previous occurence. This allows the easy enabling or disabling of facilities by appending a ‘,’ and then the facility name with or without the leading ‘-’, which will preserve the state of the rest of the facilities. The facility names are the first argument to grub_dprintf. Consult the source for more details.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.14 default

If this variable is set, it identifies a menu entry that should be selected by default, possibly after a timeout (see timeout). The entry may be identified by number (starting from 0 at each level of the hierarchy), by title, or by id.

For example, if you have: 

menuentry 'Example GNU/Linux distribution' --class gnu-linux --id example-gnu-linux {
	...
}

then you can make this the default using: 

default=example-gnu-linux

If the entry is in a submenu, then it must be identified using the number, title, or id of each of the submenus starting from the top level, followed by the number, title, or id of the menu entry itself, with each element separated by ‘>’. For example, take the following menu structure: 

GNU/Hurd --id gnu-hurd
  Standard Boot --id=gnu-hurd-std
  Rescue shell --id=gnu-hurd-rescue
Other platforms --id=other
  Minix --id=minix
    Version 3.4.0 --id=minix-3.4.0
    Version 3.3.0 --id=minix-3.3.0
  GRUB Invaders --id=grub-invaders

The more recent release of Minix would then be identified as ‘Other platforms>Minix>Version 3.4.0’, or as ‘1>0>0’, or as ‘other>minix>minix-3.4.0’.

This variable is often set by ‘GRUB_DEFAULT’ (see Simple configuration handling), grub-set-default, or grub-reboot.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.15 fallback

If this variable is set, it identifies a menu entry that should be selected if the default menu entry fails to boot. Entries are identified in the same way as for ‘default’ (see default).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.16 gfxmode

If this variable is set, it sets the resolution used on the ‘gfxterm’ graphical terminal. Note that you can only use modes which your graphics card supports via VESA BIOS Extensions (VBE), so for example native LCD panel resolutions may not be available. The default is ‘auto’, which selects a platform-specific default that should look reasonable. Supported modes can be listed by ‘videoinfo’ command in GRUB.

The resolution may be specified as a sequence of one or more modes, separated by commas (‘,’) or semicolons (‘;’); each will be tried in turn until one is found. Each mode should be either ‘auto’, ‘widthxheight’, or ‘widthxheightxdepth’.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.17 gfxpayload

If this variable is set, it controls the video mode in which the Linux kernel starts up, replacing the ‘vga=’ boot option (see linux). It may be set to ‘text’ to force the Linux kernel to boot in normal text mode, ‘keep’ to preserve the graphics mode set using ‘gfxmode’, or any of the permitted values for ‘gfxmode’ to set a particular graphics mode (see gfxmode).

Depending on your kernel, your distribution, your graphics card, and the phase of the moon, note that using this option may cause GNU/Linux to suffer from various display problems, particularly during the early part of the boot sequence. If you have problems, set this variable to ‘text’ and GRUB will tell Linux to boot in normal text mode.

The default is platform-specific. On platforms with a native text mode (such as PC BIOS platforms), the default is ‘text’. Otherwise the default may be ‘auto’ or a specific video mode.

This variable is often set by ‘GRUB_GFXPAYLOAD_LINUX’ (see Simple configuration handling).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.18 gfxterm_font

If this variable is set, it names a font to use for text on the ‘gfxterm’ graphical terminal. Otherwise, ‘gfxterm’ may use any available font.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.19 grub_cpu

In normal mode (see normal), GRUB sets the ‘grub_cpu’ variable to the CPU type for which GRUB was built (e.g. ‘i386’ or ‘powerpc’).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.20 grub_platform

In normal mode (see normal), GRUB sets the ‘grub_platform’ variable to the platform for which GRUB was built (e.g. ‘pc’ or ‘efi’).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.21 icondir

If this variable is set, it names a directory in which the GRUB graphical menu should look for icons after looking in the theme’s ‘icons’ directory. See Theme file format.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.22 lang

If this variable is set, it names the language code that the gettext command (see gettext) uses to translate strings. For example, French would be named as ‘fr’, and Simplified Chinese as ‘zh_CN’.

grub-mkconfig (see Simple configuration handling) will try to set a reasonable default for this variable based on the system locale.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.23 locale_dir

If this variable is set, it names the directory where translation files may be found (see gettext), usually /boot/grub/locale. Otherwise, internationalization is disabled.

grub-mkconfig (see Simple configuration handling) will set a reasonable default for this variable if internationalization is needed and any translation files are available.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.24 lockdown

If this variable is set to ‘y’, it means that GRUB has entered see Lockdown when booting on a secure setup mode.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.30 net_<interface>_dhcp_server_name

See Booting GRUB from the network.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.32 net_<interface>_extensionspath

See Booting GRUB from the network.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.36 net_<interface>_next_server

See Booting GRUB from the network.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.41 net_default_server

See Booting GRUB from the network.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.42 pager

If set to ‘1’, pause output after each screenful and wait for keyboard input. The default is not to pause output.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.43 prefix

The location of the ‘/boot/grub’ directory as an absolute file name (see How to specify files). This is normally set by GRUB at startup based on information provided by grub-install. GRUB modules are dynamically loaded from this directory, so it must be set correctly in order for many parts of GRUB to work.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.44 pxe_default_server

See Booting GRUB from the network.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.45 root

The root device name (see How to specify devices). Any file names that do not specify an explicit device name are read from this device. The default is normally set by GRUB at startup based on the value of ‘prefix’ (see prefix).

For example, if GRUB was installed to the first partition of the first hard disk, then ‘prefix’ might be set to ‘(hd0,msdos1)/boot/grub’ and ‘root’ to ‘hd0,msdos1’.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.46 shim_lock

If this variable is set to ‘y’, it means that the shim_lock verifier is registered (see see UEFI secure boot and shim support).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.47 superusers

This variable may be set to a list of superuser names to enable authentication support. See Security.

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.48 theme

This variable may be set to a directory containing a GRUB graphical menu theme. See Theme file format.

This variable is often set by ‘GRUB_THEME’ (see Simple configuration handling).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.49 timeout

If this variable is set, it specifies the time in seconds to wait for keyboard input before booting the default menu entry. A timeout of ‘0’ means to boot the default entry immediately without displaying the menu; a timeout of ‘-1’ (or unset) means to wait indefinitely.

If ‘timeout_style’ (see timeout_style) is set to ‘countdown’ or ‘hidden’, the timeout is instead counted before the menu is displayed.

This variable is often set by ‘GRUB_TIMEOUT’ (see Simple configuration handling).

Next: , Previous: , Up: Special environment variables   [Contents][Index]

15.1.50 timeout_style

This variable may be set to ‘menu’, ‘countdown’, or ‘hidden’ to control the way in which the timeout (see timeout) interacts with displaying the menu. See the documentation of ‘GRUB_TIMEOUT_STYLE’ (see Simple configuration handling) for details.

Previous: , Up: Special environment variables   [Contents][Index]

15.1.51 tpm_fail_fatal

If this variable is set and true (i.e., not set to “0”, “false”, “disable”, or “no”), TPM measurements that fail will be treated as fatal. Otherwise, they will merely be debug-logged and boot will continue.

Call to EFI firmware, like hash_log_extend_event(), can return an unknown error, i.e. due to bug present in firmware. When this variable is set and true (same values as with TPM measurements) this situation will be considered to be fatal and error-logged as “unknown TPM error”. If not set, booting the OS will be enabled.

Next: , Previous: , Up: GRUB environment variables   [Contents][Index]

15.2 The GRUB environment block

It is often useful to be able to remember a small amount of information from one boot to the next. For example, you might want to set the default menu entry based on what was selected the last time. GRUB deliberately does not implement support for writing files in order to minimise the possibility of the boot loader being responsible for file system corruption, so a GRUB configuration file cannot just create a file in the ordinary way. However, GRUB provides an “environment block” which can be used to save a small amount of state.

The environment block is a preallocated 1024-byte file, which normally lives in /boot/grub/grubenv (although you should not assume this). At boot time, the load_env command (see load_env) loads environment variables from it, and the save_env (see save_env) command saves environment variables to it. From a running system, the grub-editenv utility can be used to edit the environment block.

For safety reasons, this storage is only available when installed on a plain disk (no LVM or RAID), using a non-checksumming filesystem (no ZFS), and using BIOS or EFI functions (no ATA, USB or IEEE1275).

On Btrfs filesystems, a reserved area in the filesystem header may be used to store the environment block. This static block avoids the problems of updating a normal file on a copy-on-write filesystem, where writing raw block is not stable and requires metadata update. The reserved area provides a fixed location that GRUB can update directly, allowing commands such as grub-reboot and ‘GRUB_SAVEDEFAULT’ to function correctly on Btrfs volumes.

grub-mkconfig uses this facility to implement ‘GRUB_SAVEDEFAULT’ (see Simple configuration handling).

Next: , Previous: , Up: GRUB environment variables   [Contents][Index]

15.3 Special environment block variables

These special variables are usually written to the environment block (see The GRUB environment block) to customize the behavior of grub.cfg generated by grub-mkconfig.

Next: , Up: Special environment block variables   [Contents][Index]

15.3.1 saved_entry

The saved_entry variable sets the default boot entry in grub.cfg created by grub-mkconfig. It can be set with grub-set-default to choose a default entry, or at runtime with the savedefault function in grub.cfg to save the current entry as the new default. This may require write access by GRUB.

Next: , Previous: , Up: Special environment block variables   [Contents][Index]

15.3.2 next_entry

The next_entry variable sets the boot entry for the next boot only. After it is used, GRUB clears the value so it is not reused. This requires write access to the environment block (see The GRUB environment block) at runtime. The grub-reboot command is usually used instead of changing this variable directly.

Previous: , Up: Special environment block variables   [Contents][Index]

15.3.3 env_block

If the filesystem is Btrfs and the disk is not an abstracted device such as LVM, RAID, or encryption, the reserved space in the Btrfs header can be used as the environment block (see The GRUB environment block). This provides a fixed raw block that GRUB can reliably write to. The env_block records this location in GRUB blocklist syntax (see How to specify block lists) so that grub-editenv and grub.cfg know how to access and use the external raw block.

This variable is initialized when grubenv is first created by grub-editenv and is treated as read-only to avoid being overwritten with an unpredictable value.

Previous: , Up: GRUB environment variables   [Contents][Index]

15.4 Passing environment variables through Xen

If you are using a GRUB image as the kernel for a PV or PVH Xen virtual machine, you can pass environment variables from Xen’s dom0 to the VM through the Xen-provided kernel command line. When combined with a properly configured guest, this can be used to customize the guest’s behavior on bootup via the VM’s Xen configuration file.

GRUB will parse the kernel command line passed to it by Xen during bootup. The command line will be split into space-delimited words. Single and double quotes may be used to quote words or portions of words that contain spaces. Single quotes will be considered part of a word if inside double quotes, and vice versa. Arbitrary characters may be backslash-escaped to make them a literal component of a word rather than being parsed as quotes or word separators. The command line must consist entirely of printable 7-bit ASCII characters and spaces. If a non-printing ASCII character is found anywhere in the command line, the entire command line will be ignored by GRUB. (This splitter algorithm is meant to behave somewhat like Bash’s word splitting.)

Each word should be a variable assignment in the format “variable” or “variable=value”. Variable names must contain only the characters A-Z, a-z, and underscore (“_”). Variable names must begin with the string “xen_grub_env_”. Variable values can contain arbitrary printable 7-bit ASCII characters and space. If any variable contains an illegal name, that variable will be ignored.

If a variable name and value are both specified, the variable will be set to the specified value. If only a variable name is specified, the variable’s value will be set to “1”.

The following is a simple example of how to use this functionality to append arbitrary variables to a guest’s kernel command line: 

# In the Xen configuration file for the guest
name = "linux_vm"
type = "pvh"
kernel = "/path/to/grub-i386-xen_pvh.bin"
extra = "xen_grub_env_linux_append='loglevel=3'"
memory = 1024
disk = [ "file:/srv/vms/linux_vm.img,sda,w" ]

# In the guest's GRUB configuration file
menuentry "Linux VM with dom0-specified kernel parameters" {
    search --set=root --label linux_vm --hint hd0,msdos1
    linux /boot/vmlinuz root=LABEL=linux_vm ${xen_grub_env_linux_append}
    initrd /boot/initrd.img
}

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

16 Modules

In this chapter, we list all modules that are available in GRUB.

Modules can be loaded via the insmod (see insmod) command.

Next: , Up: Modules   [Contents][Index]

16.1 acpi

This module provides the command acpi for loading / replacing Advanced Configuration and Power Interface (ACPI) tables. Please see acpi for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.2 adler32

This module provides the library implementation for the adler32 checksum. This is used as part of LZO decompression / compression.

Next: , Previous: , Up: Modules   [Contents][Index]

16.3 affs

This module provides support for the Amiga Fast FileSystem (AFFS). Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.4 afs

This module provides support for the AtheOS File System (AFS). Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.5 afsplitter

This module provides library support for the Anti forensic information splitter (AFS) operation AF_merge. This is used by LUKS and LUKS2.

Next: , Previous: , Up: Modules   [Contents][Index]

16.6 ahci

This module provides support for the Advanced Host Controller Interface protocol to access disks supporting this standard. AHCI is often an option for Serial ATA (SATA) controllers (meant to replace the older IDE protocol).

Next: , Previous: , Up: Modules   [Contents][Index]

16.7 all_video

This is a "dummy module" with no actual function except to load all other video modules as dependencies (a convenient way to load all video modules).

Next: , Previous: , Up: Modules   [Contents][Index]

16.8 aout

This module provides support for loading files packaged in the "a.out" format. The "a.out" format is considered to be an older format than some alternatives such as "ELF", for example support for the "a.out" format was removed from the Linux kernel in 5.18.

Next: , Previous: , Up: Modules   [Contents][Index]

16.9 appleldr

This module provides support for loading files on a BIOS / EFI based Apple Mac computer (Intel based Macs).

Next: , Previous: , Up: Modules   [Contents][Index]

16.10 archelp

This module provides Archive Helper functions for archive based file systems such as TAR and CPIO archives.

Next: , Previous: , Up: Modules   [Contents][Index]

16.11 argon2

This module provides support for the Argon2 key derivation function.

Next: , Previous: , Up: Modules   [Contents][Index]

16.12 argon2_test

This module is intended for performing a functional test of the Argon2 operation in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.13 at_keyboard

This module provides support for the AT keyboard input for the GRUB terminal.

Next: , Previous: , Up: Modules   [Contents][Index]

16.14 ata

This modules provides support for direct ATA and ATAPI access to compatible disks.

Next: , Previous: , Up: Modules   [Contents][Index]

16.15 backtrace

This module provides the command backtrace for printing a backtrace to the terminal for the current call stack.

Next: , Previous: , Up: Modules   [Contents][Index]

16.16 bfs

This module provides support for the BeOS "Be File System" (BFS). Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.17 biosdisk

This module provides support for booting from a bootable removable disk such as a CD-ROM, BD-ROM, etc.

Next: , Previous: , Up: Modules   [Contents][Index]

16.18 bitmap

This module provides support for reading and interacting with bitmap image files.

Next: , Previous: , Up: Modules   [Contents][Index]

16.19 bitmap_scale

This module provides support for scaling bitmap image files.

Next: , Previous: , Up: Modules   [Contents][Index]

16.20 bli

This module provides basic support for the Boot Loader Interface. The Boot Loader Interface specifies a set of EFI variables that are used to communicate boot-time information between the bootloader and the operating system.

The following variables are placed under the vendor UUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f when the module is loaded:

The GPT partition UUID of the EFI System Partition used during boot is published via the LoaderDevicePartUUID variable. The Boot Loader Interface specification requires GPT formatted drives. The bli module ignores drives/partitions in any other format. If GRUB is loaded from a non-GPT partition, e.g. from an MSDOS formatted drive or network, this variable will not be set.

A string identifying GRUB as the active bootloader including the version number is stored in LoaderInfo.

This module is only available on UEFI platforms.

Next: , Previous: , Up: Modules   [Contents][Index]

16.21 blocklist

This module provides support for the command blocklist to list blocks for a given file. Please see blocklist for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.22 boot

This module provides support for the command boot to boot an operating system. Please see boot for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.23 boottime

This module provides support for the command boottime to display time taken to perform various GRUB operations. This module is only available when GRUB is built with the conditional compile option BOOT_TIME_STATS.

Next: , Previous: , Up: Modules   [Contents][Index]

16.24 bsd

This module provides support for loading BSD operating system images via commands such as: kfreebsd_loadenv, kfreebsd_module_elf, kfreebsd_module, kfreebsd, knetbsd_module_elf, knetbsd_module, knetbsd, kopenbsd, and kopenbsd_ramdisk. Please see Various loader commands for more info.

Next: , Previous: , Up: Modules   [Contents][Index]

16.25 bswap_test

This module is intended for performing a functional test of the byte swapping functionality of GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.26 btrfs

This module provides support for the B-Tree File System (BTRFS).

Next: , Previous: , Up: Modules   [Contents][Index]

16.27 bufio

This module is a library module for support buffered I/O of files to support file reads performed in other modules.

Next: , Previous: , Up: Modules   [Contents][Index]

16.28 cacheinfo

This module provides support for the command cacheinfo which provides statistics on disk cache accesses. This module is only built if DISK_CACHE_STATS is enabled.

Next: , Previous: , Up: Modules   [Contents][Index]

16.29 cat

This module provides support for the command cat which outputs the content of a file to the terminal. Please see cat for more info.

Next: , Previous: , Up: Modules   [Contents][Index]

16.30 cbfs

This module provides support for the Coreboot File System (CBFS) which is an archive based file system. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.31 cbls

This module provides support for the command lscoreboot to list the Coreboot tables.

Next: , Previous: , Up: Modules   [Contents][Index]

16.32 cbmemc

This module provides support for the command cbmemc to show the content of the Coreboot Memory console.

Next: , Previous: , Up: Modules   [Contents][Index]

16.33 cbtable

This module provides support for accessing the Coreboot tables.

Next: , Previous: , Up: Modules   [Contents][Index]

16.34 cbtime

This module provides support for the command coreboot_boottime to show the Coreboot boot time statistics.

Next: , Previous: , Up: Modules   [Contents][Index]

16.35 chain

This module provides support for the command chainloader to boot another bootloader. Please see chainloader for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.36 cmdline_cat_test

This module is intended for performing a functional test of the cat command of GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.37 cmosdump

This module provides support for the command cmosdump to show a raw dump of the CMOS contents. Please see cmosdump for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.38 cmostest

This module provides support for the commands cmostest, cmosclean, and cmosset to interact with a CMOS. See cmostest / see cmosclean for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.39 cmp

This module provides support for the command cmp to compare the content of two files. See cmp for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.40 cmp_test

This module is intended for performing a functional test of relational operations in GRUB. Note that this module is *not* associated with the cmp command and does not test the cmp command.

Next: , Previous: , Up: Modules   [Contents][Index]

16.41 configfile

This module provides support for the commands: configfile, source, extract_entries_source, extract_entries_configfile, . (dot command). See configfile / see source.

Next: , Previous: , Up: Modules   [Contents][Index]

16.42 cpio

This module provides support for the CPIO archive file format. This module is for the "bin" version of CPIO (default of GNU CPIO) supporting around 2GB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.43 cpio_be

This module provides support for the CPIO archive file format in big-endian format. This module is for the "bin" version of CPIO (default of GNU CPIO) supporting around 2GB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.44 cpuid

This module provides support for the command cpuid to test for various CPU features. See cpuid for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.45 crc64

This module provides support for the CRC64 operation.

Next: , Previous: , Up: Modules   [Contents][Index]

16.46 crypto_cipher_mode_test

This module performs various cipher mode encryption/decryption tests

Next: , Previous: , Up: Modules   [Contents][Index]

16.47 crypto

This module provides library support for various base cryptography operations in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.48 cryptodisk

This module provides support for the command cryptomount to interact with encrypted file systems. See cryptomount for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.49 cs5536

This module provides support for the AMD Geode CS5536 companion device.

Next: , Previous: , Up: Modules   [Contents][Index]

16.50 ctz_test

This module is intended for performing a functional test of the ctz functions in GRUB used to Count Trailing Zeros.

Next: , Previous: , Up: Modules   [Contents][Index]

16.51 date

This module provides support for the command date to get the date/time or set the date/time. See date for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.52 datehook

This module provides support for populating / providing the environment variables YEAR, MONTH, DAY, HOUR, MINUTE, SECOND, WEEKDAY.

Next: , Previous: , Up: Modules   [Contents][Index]

16.53 datetime

This module provides library support for getting and setting the date / time from / to a hardware clock device.

Next: , Previous: , Up: Modules   [Contents][Index]

16.54 disk

This module provides library support for writing to a storage disk.

Next: , Previous: , Up: Modules   [Contents][Index]

16.55 diskfilter

This module provides library support for reading a disk RAID array. It also provides support for the command cryptocheck. See cryptocheck for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.56 div

This module provides library support for some operations such as divmod.

Next: , Previous: , Up: Modules   [Contents][Index]

16.57 div_test

This module is intended for performing a functional test of the divmod function in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.58 dm_nv

This module provides support for handling some Nvidia "fakeraid" disk devices.

Next: , Previous: , Up: Modules   [Contents][Index]

16.59 drivemap

This module provides support for the drivemap to manage BIOS drive mappings. See drivemap for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.60 dsa_sexp_test

This module provides a test of the libgcrypt DSA functionality in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.61 echo

This module provides support for the echo to display a line of text. See echo for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.62 efi_gop

This module provides support for the UEFI video output protocol "Graphics Output Protocol" (GOP).

Next: , Previous: , Up: Modules   [Contents][Index]

16.63 efi_uga

This module provides support for the EFI video protocol "Universal Graphic Adapter" (UGA).

Next: , Previous: , Up: Modules   [Contents][Index]

16.64 efiemu

This module provides support for the commands efiemu_loadcore, efiemu_prepare, and efiemu_unload. This provides an EFI emulation.

Next: , Previous: , Up: Modules   [Contents][Index]

16.65 efifwsetup

This modules provides support for the command fwsetup to reboot into the firmware setup menu. See fwsetup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.66 efinet

This module provides support for UEFI Network Booting for loading images and data from the network.

Next: , Previous: , Up: Modules   [Contents][Index]

16.67 efitextmode

This module provides support for command efitextmode to get and set output mode resolution. See efitextmode for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.68 ehci

This module provides support for the USB Enhanced Host Controller Interface (EHCI) specification (USB 2.0).

Next: , Previous: , Up: Modules   [Contents][Index]

16.69 elf

This module provides support for loading Executable and Linkable Format (ELF) files.

Next: , Previous: , Up: Modules   [Contents][Index]

16.70 emunet

This module provides support for networking in GRUB on the emu platform.

Next: , Previous: , Up: Modules   [Contents][Index]

16.71 emupci

This module provides support for accessing the PCI bus in GRUB on the emu platform.

Next: , Previous: , Up: Modules   [Contents][Index]

16.72 erofs

This module provides support for the Enhanced Read Only File System (EROFS).

Next: , Previous: , Up: Modules   [Contents][Index]

16.73 escc

This module provides support for the "mac-io" terminal device on PowerPC.

Next: , Previous: , Up: Modules   [Contents][Index]

16.74 eval

This module provides support for command eval to evaluate the provided input as a sequence of GRUB commands. See eval for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.75 exfat

This module provides support for the Extensible File Allocation Table (exFAT) file system in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.76 exfctest

This module is intended to provide an Example Functional Test of GRUB functions to use as a template for developing other GRUB functional tests.

Next: , Previous: , Up: Modules   [Contents][Index]

16.77 ext2

This module provides support for the Extended File System versions 2, 3, and 4 (ext2, ext3, and ext4) file systems in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.78 extcmd

This module is a support module to provide wrapper functions for registering other module commands depending on the state of the lockdown variable.

Next: , Previous: , Up: Modules   [Contents][Index]

16.79 f2fs

This module provides support for the Flash-Friendly File System (F2FS) in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.80 fat

This module provides support for the File Allocation Table 12-bit, 16-bit, and 32-bit (FAT12, FAT16, and FAT32) file systems in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.81 fdt

This module provides support for the commands fdtdump and devicetree to dump the contents of a device tree blob (.dtb) to the console and to load a device tree blob (.dtb) from a filesystem, for later use by a Linux kernel, respectively. See devicetree and see fdtdump for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.82 file

This module provides support for the command file to test if the provided filename is of the specified type. See file for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.83 fixvideo

This module provides support for the command fix_video to fix video problems in specific PCIe video devices by "patching" specific device register settings. Currently supports Intel 945GM (PCI ID 0x27a28086) and Intel 965GM (PCI ID 0x2a028086).

Next: , Previous: , Up: Modules   [Contents][Index]

16.84 font

This module provides support for the commands loadfont and lsfonts to load a given font or list the loaded fonts. See loadfont and see lsfonts for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.85 freedos

This module provides support for command freedos for loading a FreeDOS kernel.

Next: , Previous: , Up: Modules   [Contents][Index]

16.86 fshelp

This module provides support functions (helper functions) for file systems.

Next: , Previous: , Up: Modules   [Contents][Index]

16.87 functional_test

This module provides support for running the GRUB functional tests using commands functional_test and all_functional_test.

Next: , Previous: , Up: Modules   [Contents][Index]

16.88 gcry_arcfour

This module provides support for the arcfour stream cipher also known as RC4. If security is a concern, RC4 / arcfour cipher is consider broken (multiple known vulnerabilities make this insecure). This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.89 gcry_aria

This module provides support for the ARIA cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.90 gcry_blake2

This module provides support for the BLAKE2b and BLAKE2s message digests. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.91 gcry_blowfish

This module provides support for the Blowfish cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.92 gcry_camellia

This module provides support for the Camellia cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.93 gcry_cast5

This module provides support for the CAST5 (RFC2144, also known as CAST-128) cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.94 gcry_crc

This module provides support for the CRC32, CRC32 RFC1510, and CRC24 RFC2440 cyclic redundancy checks. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.95 gcry_des

This module provides support for the Data Encryption Standard (DES) and Triple-DES ciphers. If security is a concern, DES has known vulnerabilities and is not recommended, and Triple-DES is no longer recommended by NIST. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.96 gcry_dsa

This module provides support for the Digital Signature Algorithm (DSA) cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.97 gcry_gost28147

This module provides support for the GOST 28147-89 cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.98 gcry_gostr3411_94

This module provides support for the GOST R 34.11-94 message digest. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.99 gcry_idea

This module provides support for the International Data Encryption Algorithm (IDEA) cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.100 gcry_keccak

This module provides support for the SHA3 hash message digests (including SHAKE128 and SHAKE256). This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.101 gcry_md4

This module provides support for the Message Digest 4 (MD4) message digest. If security is a concern, MD4 has known vulnerabilities and is not recommended. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.102 gcry_md5

This module provides support for the Message Digest 5 (MD5) message digest. If security is a concern, MD5 has known vulnerabilities and is not recommended. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.103 gcry_rfc2268

This module provides support for the RFC2268 (RC2 / Ron’s Cipher 2) cipher. If security is a concern, RC2 has known vulnerabilities and is not recommended. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.104 gcry_rijndael

This module provides support for the Advanced Encryption Standard (AES-128, AES-192, and AES-256) ciphers. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.105 gcry_rmd160

This module provides support for the RIPEMD-160 message digest. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.106 gcry_rsa

This module provides support for the Rivest–Shamir–Adleman (RSA) cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.107 gcry_salsa20

This module provides support for the Salsa20 cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.108 gcry_seed

This module provides support for the SEED cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.109 gcry_serpent

This module provides support for the Serpent (128, 192, and 256) ciphers. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.110 gcry_sha1

This module provides support for the Secure Hash Algorithm 1 (SHA-1) message digest. If security is a concern, SHA-1 has known vulnerabilities and is not recommended. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.111 gcry_sha256

This module provides support for the Secure Hash Algorithm 2 (224 and 256 bit) (SHA-224 / SHA-256) message digests. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.112 gcry_sha512

This module provides support for the Secure Hash Algorithm 2 (384 and 512 bit) (SHA-384 / SHA-512) message digests. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.113 gcry_sm3

This module provides support for the SM3 message digest. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.114 gcry_sm4

This module provides support for the SM4 cipher. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.115 gcry_stribog

This module provides support for the GOST R 34.11-2012 (Stribog) message digest. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.116 gcry_tiger

This module provides support for the Tiger, Tiger 1, and Tiger 2 message digests. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.117 gcry_twofish

This module provides support for the Twofish (128 and 256) ciphers. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.118 gcry_whirlpool

This module provides support for the Whirlpool message digest. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.119 gdb

This module provides support for remotely debugging GRUB using the GNU Debugger (GDB) over serial. This is typically done when troubleshooting GRUB during development and not required for normal GRUB operation. This module adds support for commands required by the GDB remote debug function including gdbstub to start GDB stub on given serial port, gdbstub_break to break into GDB, gdbstub_stop to stop the GDB stub.

Next: , Previous: , Up: Modules   [Contents][Index]

16.120 geli

This module provides support for the GEOM ELI (GELI) disk encryption / decryption protocol used by FreeBSD. This module supports the following ciphers using the associated "gcry" modules: DES, Triple-DES, Blowfish, CAST5, AES, and Camellia 128.

Next: , Previous: , Up: Modules   [Contents][Index]

16.121 gettext

This module provides support for the gettext command to support translating information displayed / output by GRUB. See gettext for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.122 gfxmenu

This module provides support for displaying a graphical menu / user interface from GRUB. This includes features such as graphical font support, theme support, image support, and icon support.

Next: , Previous: , Up: Modules   [Contents][Index]

16.123 gfxterm

This module provides support for displaying a terminal and menu interface from GRUB using graphics mode.

Next: , Previous: , Up: Modules   [Contents][Index]

16.124 gfxterm_background

This module provides support for setting the gfxterm background color and background image using commands background_color and background_image. See background_color and see background_image for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.125 gfxterm_menu

This module is intended for performing a functional test of the gfxmenu function in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.126 gptsync

This module provides support for the gptsync command.. See gptsync for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.127 gzio

This module provides support for decompression (inflate) of files compressed with the GZ compression algorithm. This supports only the "DEFLATE" method for GZIP. Unsupported flags (will result in failure to inflate) include: GRUB_GZ_CONTINUATION, GRUB_GZ_ENCRYPTED, GRUB_GZ_RESERVED, and GRUB_GZ_EXTRA_FIELD.

Next: , Previous: , Up: Modules   [Contents][Index]

16.128 halt

This module provides support for the halt command to shutdown / halt the system. See halt for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.129 hashsum

This module provide support for the commands hashsum, md5sum, sha1sum, sha256sum, sha512sum, and crc to calculate or check hashes of files using various methods. See hashsum, see md5sum see sha1sum, see sha256sum, see sha512sum, and see crc.

Next: , Previous: , Up: Modules   [Contents][Index]

16.130 hdparm

This module provides support for the hdparm command to get or set various ATA disk parameters. This includes controlling Advanced Power Management (APM), displaying power mode, freezing ATA security settings until reset, displaying SMART status, controlling automatic acoustic management, setting standby timeout, setting the drive to standby mode, setting the drive to sleep mode, displaying the drive identification and settings, and enable/disable SMART.

Next: , Previous: , Up: Modules   [Contents][Index]

16.131 hello

This provides support for the hello command to simply output "Hello World". This is intended for testing GRUB module loading / functionality.

Next: , Previous: , Up: Modules   [Contents][Index]

16.132 help

This module provides support for the help command to output help text. See help for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.133 hexdump

This module provides support for the hexdump command to dump the contents of a file in hexadecimal. See hexdump for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.134 hfs

This module provides support for the Hierarchical File System (HFS) file system in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.135 hfsplus

This module provides support for the Hierarchical File System Plus (HFS+) file system in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.136 hfspluscomp

This module provides support for the Hierarchical File System Plus Compressed (HFS+ Compressed) file system in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.137 http

This module provides support for getting data over the HTTP network protocol in GRUB (using the HTTP GET method). This may be used, for example, to obtain an operating system over HTTP (network boot).

Next: , Previous: , Up: Modules   [Contents][Index]

16.138 ieee1275_fb

This module provides support for the IEEE1275 video driver output for PowerPC with a IEEE-1275 platform.

Next: , Previous: , Up: Modules   [Contents][Index]

16.139 iorw

This module provides support for commands inb, inw, inl, outb, outw, and outl to read / write data to physical I/O ports. The "in" commands accept one parameter to specify the source port. The "out" commands require either two or three parameters, with the order: port, value, <optional mask>.

Next: , Previous: , Up: Modules   [Contents][Index]

16.140 iso9660

This module provides support for the ISO9660 file system (often associated with optical disks such as CD-ROMs and DVD-ROMs, with extensions: System Use Sharing Protocol (SUSP), Rock Ridge (UNIX style permissions and longer names)

Next: , Previous: , Up: Modules   [Contents][Index]

16.141 jfs

This module provides support for the Journaled File System (JFS) file system. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.142 jpeg

This module provides support for reading JPEG image files in GRUB, such as to support displaying a JPEG image as a background image of the gfxmenu.

Next: , Previous: , Up: Modules   [Contents][Index]

16.143 json

This module provides library support for parsing / processing JavaScript Object Notation (JSON) formatted data. This is used, for example, to support LUKS2 disk encryption / decryption as metadata is encoded in JSON.

Next: , Previous: , Up: Modules   [Contents][Index]

16.144 keylayouts

This module provides support for the keymap command. This command accepts one parameter to specify either the layout_name or the filename. When specifying the layout_name, this command will attempt to open the GRUB keymap file based on the following logic:

Get the "prefix" from environment variable prefix

Open keymap file prefix/layouts/layout_name.gkb

When specifying the filename, the full path to the ".gkb" file should be provided. The ".gkb" file can be generated by grub-kbdcomp.

Next: , Previous: , Up: Modules   [Contents][Index]

16.145 keystatus

This module provides support for the keystatus command to check key modifier status. See keystatus for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.146 ldm

This module provides support for the Logical Disk Manager (LDM) disk format. LDM is used to add support for logical volumes most often with Microsoft Windows systems. A logical volume can be defined to span more than one physical disk.

Next: , Previous: , Up: Modules   [Contents][Index]

16.147 legacy_password_test

This module is intended for performing a functional test of the legacy password function in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.148 legacycfg

This module provides support for commands legacy_source, legacy_configfile, extract_legacy_entries_source, extract_legacy_entries_configfile, legacy_kernel, legacy_initrd, legacy_initrd_nounzip, legacy_password, and legacy_check_password. For new uses / configurations of GRUB other commands / modules offer the modern equivalents.

Next: , Previous: , Up: Modules   [Contents][Index]

16.149 linux

This module provides support for the commands linux and initrd to load Linux and an Initial RAM Disk respectively. See linux and see initrd for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.150 linux16

This module provides support for the commands linux16 and initrd16 to load Linux in 16-bit mode and an Initial RAM Disk in 16-bit mode respectively. See linux16 and see initrd16 for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.151 loadbios

This module provides support for the commands fakebios and loadbios. These commands may only be useful on platforms with issues requiring work-arounds. Command fakebios is used to create BIOS-like structures for backward compatibility with existing OS. Command loadbios is used to load a BIOS dump.

Next: , Previous: , Up: Modules   [Contents][Index]

16.152 loadenv

This module provides support for commands load_env, list_env, and save_env. These commands can be used to load environment variables from a file, list environment variables in a file, and save environment variables to a file. See load_env, see list_env, and see save_env.

Next: , Previous: , Up: Modules   [Contents][Index]

16.153 loopback

This module provides support for the loopback command. See loopback for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.154 ls

This module provides support for the ls command. See ls for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.155 lsacpi

This module provides support for the lsacpi command. This command can be used to display Advanced Configuration and Power Interface (ACPI) tables.

Next: , Previous: , Up: Modules   [Contents][Index]

16.156 lsapm

This module provides support for the lsapm command. This command can be used to display Advanced power management (APM) information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.157 lsdev

This module provides support for the lsdev command. This command can be used on MIPS Advanced RISC Computing (ARC) platforms to display devices.

Next: , Previous: , Up: Modules   [Contents][Index]

16.158 lsefi

This module provides support for the lsefi command. This command can be used on EFI platforms to display EFI handles.

Next: , Previous: , Up: Modules   [Contents][Index]

16.159 lsefimmap

This module provides support for the lsefimmap command. This command can be used on EFI platforms to display the EFI memory map.

Next: , Previous: , Up: Modules   [Contents][Index]

16.160 lsefisystab

This module provides support for the lsefisystab command. This command can be used on EFI platforms to display the EFI system tables.

Next: , Previous: , Up: Modules   [Contents][Index]

16.161 lsmmap

This module provides support for the lsmmap command. This command can be used to display the memory map provided by firmware.

Next: , Previous: , Up: Modules   [Contents][Index]

16.162 lspci

This module provides support for the lspci command. This command can be used to display the PCI / PCIe devices.

Next: , Previous: , Up: Modules   [Contents][Index]

16.163 lssal

This module provides support for the lsefisystab command. This command can be used on Itanium (IA-64) EFI platforms to display the EFI System Abstraction Layer system table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.164 lsspd

This module provides support for the lsspd command. This command can be used on MIPS Loongson platforms to display the DDR RAM Serial Presence Detect (SPD) EEPROM data.

Next: , Previous: , Up: Modules   [Contents][Index]

16.165 lsxen

This module provides support for the commands xen_ls and xen_cat on Xen platforms to list Xen storage.

Next: , Previous: , Up: Modules   [Contents][Index]

16.166 luks

This module provides support for the Linux Unified Key Setup (LUKS) (version 1) disk encryption / decryption protocol.

Next: , Previous: , Up: Modules   [Contents][Index]

16.167 luks2

This module provides support for the Linux Unified Key Setup 2 (LUKS2) disk encryption / decryption protocol.

Next: , Previous: , Up: Modules   [Contents][Index]

16.168 lvm

This module provides support for reading Logical Volume Management "logical" disks. For example, a single "logical" disk may be mapped to span more than one physical disk. This would be used when booting from a LVM formatted disk as may be setup in Linux.

Next: , Previous: , Up: Modules   [Contents][Index]

16.169 lzopio

This module provides support for decompressing LZO / LZOP compressed files / archives.

Next: , Previous: , Up: Modules   [Contents][Index]

16.170 macbless

This module provides support for commands mactelbless and macppcbless for "blessing" a bootloader on Intel / PPC based MACs using the HFS or HFS+ file system. On HFS / HFS+ - "blessing" makes a file run as the bootloader.

Next: , Previous: , Up: Modules   [Contents][Index]

16.171 macho

This module provides support for Mach Object (Mach-O) object / executable files in GRUB often used in MacOS.

Next: , Previous: , Up: Modules   [Contents][Index]

16.172 mda_text

This module provides support for the Monochrome Display Adapter (MDA) terminal output device. MDA is a predecessor to VGA.

Next: , Previous: , Up: Modules   [Contents][Index]

16.173 mdraid09

This module provides support for handling Linux compatible "version 0.9" software-based RAID disks in little-endian format. The "version 0.9" format was largely replaced around the year 2009 with the "version 1.x" format (see mdraid1x for more information).

Next: , Previous: , Up: Modules   [Contents][Index]

16.174 mdraid09_be

This module provides support for handling Linux compatible "version 0.9" software-based RAID disks in bid-endian format. The "version 0.9" format was largely replaced around the year 2009 with the "version 1.x" format (see mdraid1x for more information).

Next: , Previous: , Up: Modules   [Contents][Index]

16.175 mdraid1x

This module provides support for handling Linux compatible "version 1.x" software-based RAID disks. This includes the current version used by Linux at the time of writing.

Next: , Previous: , Up: Modules   [Contents][Index]

16.176 memdisk

This module provides support for a memdisk device. A memdisk is a memory mapped emulated disk.

Next: , Previous: , Up: Modules   [Contents][Index]

16.177 memrw

This module provides support for commands read_byte, read_word, read_dword, write_byte, write_word, and write_dword to read / write data to physical memory (addresses). The "read" commands accept one parameter to specify the source address. The "write" commands require either two or three parameters, with the order: address, value, <optional mask>. Note: The commands provided by this module are not allowed when lockdown is enforced (see Lockdown when booting on a secure setup).

Next: , Previous: , Up: Modules   [Contents][Index]

16.178 memtools

This module provides support for GRUB development / debugging commands lsmem, lsfreemem, lsmemregions, and stress_big_allocs.

Next: , Previous: , Up: Modules   [Contents][Index]

16.179 minicmd

This module provides support for a subset of commands for GRUB rescue mode including: cat, help, dump, rmmod, lsmod, and exit. The version of the commands in this module are similar to their full-fledged counterparts implemented in other GRUB modules. Note: The dump command is not allowed when lockdown is enforced (see Lockdown when booting on a secure setup).

Next: , Previous: , Up: Modules   [Contents][Index]

16.180 minix

This module provides support for the Minix filesystem, version 1. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.181 minix2

This module provides support for the Minix filesystem, version 2. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.182 minix2_be

This module provides support for the Minix filesystem, version 2 big-endian. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.183 minix3

This module provides support for the Minix filesystem, version 3. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.184 minix3_be

This module provides support for the Minix filesystem, version 3 big-endian. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.185 minix_be

This module provides support for the Minix filesystem, version 1 big-endian. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.186 mmap

This module provides support for mapping or unmapping devices or files into memory as well as commands badram and cutmem. See badram and cutmem.

Next: , Previous: , Up: Modules   [Contents][Index]

16.187 morse

This module provides support for outputting terminal output via Morse code to an audio speaker output.

Next: , Previous: , Up: Modules   [Contents][Index]

16.188 mpi

This module provides support for multi-precision-integers (MPIs) in GRUB. MPIs are used by the crypto functions as many depend on mathematics of large numbers. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.189 msdospart

This module provides support for modifying MSDOS formatted disk partitions through the separate parttool command.

Next: , Previous: , Up: Modules   [Contents][Index]

16.190 mul_test

This module is intended for performing a functional test of the multiplication operations in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.191 multiboot

This module provides support for commands multiboot and module to load a multiboot kernel and load a multiboot module, respectively. See multiboot and module for more information. This is for loading data formatted per the GNU Multiboot specification.

Next: , Previous: , Up: Modules   [Contents][Index]

16.192 multiboot2

This module provides support for commands multiboot2 and module2 to load a multiboot kernel and load a multiboot module, respectively. This is for loading data formatted per the GNU Multiboot specification.

Next: , Previous: , Up: Modules   [Contents][Index]

16.193 nand

This module provides support for accessing an IEEE-1275 compliant NAND disk from GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.194 nativedisk

This module provides support for the nativedisk command. See nativedisk for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.195 net

This module provides support for networking protocols including ARP, BOOTP, DNS, Ethernet, ICMPv6, ICMP, IP, TCP, and UDP. Support is included for both IPv4 and IPv6. This includes the following commands:

Next: , Previous: , Up: Modules   [Contents][Index]

16.196 newc

This module provides support for accessing a CPIO archive as a file system from GRUB. This module is for the following newer variants of the CPIO archive supported by GNU CPIO (but GNU CPIO defaults to the "bin" format which is handled by the module cpio).

These are the variants supported by this module:

  • "newc" - SVR4 portable format without CRC. GNU file utility will identify these as something like "ASCII cpio archive (SVR4 with no CRC)"
  • ‘crc’ - SVR4 portable format with CRC. GNU file utility will identify these as something like "ASCII cpio archive (SVR4 with CRC)"

Next: , Previous: , Up: Modules   [Contents][Index]

16.197 nilfs2

This module provides support for the New Implementation of Log filesystem (nilfs2). Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.198 normal

This module provides support for the normal mode in GRUB. See normal for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.199 ntfs

This module provides support for the New Technology File System (NTFS) in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.200 ntfscomp

This module provides support for compression with the New Technology File System (NTFS) in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.201 ntldr

This module provides support for the ntldr command. This is may be used to boot a Windows boot loader such as NTLDR or BootMGR.

Next: , Previous: , Up: Modules   [Contents][Index]

16.202 odc

This module provides support for accessing a CPIO archive as a file system from GRUB. This module is for "odc" variant of the CPIO archive supported by GNU CPIO (but GNU CPIO defaults to the "bin" format which is handled by the module cpio).

GNU file utility will identify these as something like "ASCII cpio archive (pre-SVR4 or odc)"

Next: , Previous: , Up: Modules   [Contents][Index]

16.203 offsetio

This module provides support for reading from a file / archive at specified offsets in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.204 ofnet

This module provides support for the Open Firmware (IEEE-1275) network device support in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.205 ohci

This module provides support for the Open Host Controller Interface (OHCI) for USB 1 / USB 1.1 support in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.206 part_acorn

This module provides support for reading from disks partitioned with the Acorn Disc Filing System (ADFS) used on RiscOS.

Next: , Previous: , Up: Modules   [Contents][Index]

16.207 part_amiga

This module provides support for reading from disks partitioned with the Amiga partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.208 part_apple

This module provides support for reading from disks partitioned with the Macintosh partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.209 part_bsd

This module provides support for reading from disks partitioned with BSD style partition tables.

Next: , Previous: , Up: Modules   [Contents][Index]

16.210 part_dfly

This module provides support for reading from disks partitioned with the DragonFly BSD partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.211 part_dvh

This module provides support for reading from disks partitioned with the SGI Disk Volume Header partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.212 part_gpt

This module provides support for reading from disks partitioned with the GUID Partition Tables (GPT) partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.213 part_msdos

This module provides support for reading from disks partitioned with the MSDOS (Master Boot Record / MBR) style partition tables.

Next: , Previous: , Up: Modules   [Contents][Index]

16.214 part_plan

This module provides support for reading from disk partitioned with the Plan9 style partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.215 part_sun

This module provides support for reading from disk partitioned with the Sun style partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.216 part_sunpc

This module provides support for reading from disk partitioned with the Sun PC style partition table.

Next: , Previous: , Up: Modules   [Contents][Index]

16.217 parttool

This module provides support for the parttool command. See parttool for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.218 password

This module provides support for the password command. Please note that this uses the password in plain text, if security is a concern consider using password_pbkdf2 instead. See password for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.219 password_pbkdf2

This module provides support for the password_pbkdf2 command. See password_pbkdf2 for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.220 pata

This module provides support for Parallel ATA (PATA) disk device interfaces.

Next: , Previous: , Up: Modules   [Contents][Index]

16.221 pbkdf2

This module provides support for the Password-Based Key Derivation Function 2 (PBKDF2) / PKCS#5 PBKDF2 as per RFC 2898.

Next: , Previous: , Up: Modules   [Contents][Index]

16.222 pbkdf2_test

This module is intended for performing a functional test of the PBKDF2 operation in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.223 pci

This module provides support for generic Peripheral Component Interconnect (PCI) bus in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.224 pcidump

This module provides support for the pcidump command in GRUB to dump the PCI configuration registers in hexadecimal of a specified PCI device (vendor / device ID) or by position on the bus.

Next: , Previous: , Up: Modules   [Contents][Index]

16.225 pgp

This module provides support for the commands: verify_detached, trust, list_trusted, distrust associated with digital signature checking via the "Open Pretty Good Privacy" (PGP) protocol / RFC 4880 using a provided public key. This module also uses / sets environment variable check_signatures. See verify_detached, trust, list_trusted, distrust, and check_signatures.

Next: , Previous: , Up: Modules   [Contents][Index]

16.226 plainmount

This module provides support for accessing / mounting partitions encrypted by "cryptsetup" operating in "plain mode". See plainmount for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.227 plan9

This module provides support for the plan9 command to load a Plan9 kernel.

Next: , Previous: , Up: Modules   [Contents][Index]

16.228 play

This module provides support for the play command to play a tune through the PC speaker. See play for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.229 png

This module provides support for reading Portable Network Graphics (PNG) image files in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.230 priority_queue

This module provides support for a priority queue function within GRUB such as to support networking functions.

Next: , Previous: , Up: Modules   [Contents][Index]

16.231 probe

This module provides support for the probe command to retrieve device information. See probe for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.232 procfs

This module provides support for a Proc File System to provide a file system like interface to some GRUB internal data.

Next: , Previous: , Up: Modules   [Contents][Index]

16.233 progress

This module provides support for showing file loading progress to the terminal.

Next: , Previous: , Up: Modules   [Contents][Index]

16.234 pubkey

This module provides supporting functions for using RSA and DSA public keys. This GRUB module is based on libgcrypt.

Next: , Previous: , Up: Modules   [Contents][Index]

16.235 pxe

This module provides support for Preboot Execution Environment (PXE) network boot services as a file system driver for other GRUB modules.

Next: , Previous: , Up: Modules   [Contents][Index]

16.236 pxechain

This module provides support for the pxechainloader command to load another bootloader by PXE.

Next: , Previous: , Up: Modules   [Contents][Index]

16.237 raid5rec

This module provides support for recovering from faulty RAID4/5 disk arrays

Next: , Previous: , Up: Modules   [Contents][Index]

16.238 raid6rec

This module provides support for recovering from faulty RAID6 disk arrays.

Next: , Previous: , Up: Modules   [Contents][Index]

16.239 random

This module provides support for library functions to get random data via the hardware ACPI Power Management Timer and the TSC time source (Timestamp Counter).

Next: , Previous: , Up: Modules   [Contents][Index]

16.240 rdmsr

This module provides support for the rdmsr command to read CPU Model Specific Registers. See rdmsr for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.241 read

This module provides support for the read command for getting user input. See read for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.242 reboot

This module provides support for the reboot command to reboot the computer. See reboot for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.243 regexp

This module provides support for the regexp command to check if a regular expression matches a string. This module also provides support for the GRUB script wildcard translator. See regexp for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.244 reiserfs

This module provides support for the ReiserFS File System in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.245 relocator

This module provides support for relocating the image / executable being loaded to the expected memory location(s) and jumping to (invoking) the executable.

Next: , Previous: , Up: Modules   [Contents][Index]

16.246 romfs

This module provides support for the Read-Only Memory File System (ROMFS). Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.247 rsa_sexp_test

This module provides a test of the libgcrypt RSA functionality in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.248 scsi

This module provides support for the Small Computer System Interface (SCSI) protocol used for some types of disk communication include some modern ones such as USB Mass Storage Devices supporting "USB Attached SCSI" (UAS).

Next: , Previous: , Up: Modules   [Contents][Index]

16.249 sdl

This module provides support for Simple DirectMedia Layer (SDL) video / image output from the grub-emu tool used to preview the GRUB menu from a running Operating System such as Linux (useful to test GRUB menu configuration changes without rebooting). When available in the compilation target environment, SDL2 will be used instead of SDL1.

Next: , Previous: , Up: Modules   [Contents][Index]

16.250 search

This module provides support for the search command to search devices by file, filesystem label, or filesystem UUID. See search for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.251 search_fs_file

This module provides support for the search.file command which is an alias for the corresponding search command. See search for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.252 search_fs_uuid

This module provides support for the search.fs_uuid command which is an alias for the corresponding search command. See search for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.253 search_label

This module provides support for the search.fs_label command which is an alias for the corresponding search command. See search for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.254 sendkey

This module provides support for the sendkey command to send emulated keystrokes. See sendkey for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.255 serial

This module provides support for the serial command and associated driver support for communication over a serial interface from GRUB. See serial for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.256 setjmp

This module provides support for the setjmp and longjmp functions used within GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.257 setjmp_test

This module is intended for performing a functional test of the setjmp and longjmp functions in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.258 setpci

This module provides support for the setpci command to get / set values from / to specified PCI / PCIe devices.

Next: , Previous: , Up: Modules   [Contents][Index]

16.259 sfs

This module provides support for the Amiga Smart File System (SFS) in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.260 shift_test

This module is intended for performing a functional test of the bit-wise shift operations in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.261 signature_test

This module is intended for performing a functional test of the digital signature verification functions in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.262 sleep

This module provides support for the sleep command to wait a specified number of seconds in GRUB. See sleep for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.263 sleep_test

This module is intended for performing a functional test of the sleep function in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.264 smbios

This module provides support for the smbios command to retrieve SMBIOS information in GRUB. See smbios for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.265 spkmodem

This module provides support for outputting GRUB console information over an audio output. This output can be fed into another computer’s sound input and decoded using the spkmodem_recv utility. Note that this will slow down GRUB’s performance.

Next: , Previous: , Up: Modules   [Contents][Index]

16.266 squash4

This module provides support for the SquashFS compressed read-only file system in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.267 strtoull_test

This module is intended for performing a functional test of the strtoull function in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.268 suspend

This module provides support for the suspend command in GRUB to return to IEEE1275 prompt on "Open Firmware" systems.

Next: , Previous: , Up: Modules   [Contents][Index]

16.269 syslinuxcfg

This module provides support for commands syslinux_source, syslinux_configfile, extract_syslinux_entries_source, and extract_syslinux_entries_configfile in GRUB. These commands can be used to parse and display GRUB menu entries based on a Syslinux based configuration (used for SYSLINUX, ISOLINUX, and PXELINUX). It can also be used to execute the Syslinux loader from GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.270 tar

This module provides support for the GNU Tar and POSIX Tar file archives as a file system in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.271 terminal

This module provides support for the commands terminal_input and terminal_output in GRUB. See terminal_input and terminal_output for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.272 terminfo

This module provides support for the terminfo command in GRUB to set various terminal modes / options. See terminfo for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.273 test

This module provides support for the commands test and [. These commands can be used to evaluate (test) an expression. See test for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.274 test_blockarg

This module is intended for performing a functional test of the "block" command argument function in GRUB internal functions via a test command test_blockarg.

Next: , Previous: , Up: Modules   [Contents][Index]

16.275 testload

This module is intended for performing a functional test of some file reading / seeking functions in GRUB internals via a test command testload.

Next: , Previous: , Up: Modules   [Contents][Index]

16.276 testspeed

This module provides support for the testspeed command to test and print file read speed of a specified file.

Next: , Previous: , Up: Modules   [Contents][Index]

16.277 tftp

This module provides support for the Trivial File Transfer Protocol (TFTP) for receiving files via the network to GRUB. TFTP may be used along with PXE for network booting for example.

Next: , Previous: , Up: Modules   [Contents][Index]

16.278 tga

This module provides support for reading Truevision Graphics Adapter (TGA) image files in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.279 time

This module provides support for the time command to measure the time taken by a given command and output it to the terminal.

Next: , Previous: , Up: Modules   [Contents][Index]

16.280 tpm

This module provides support for interacting with a Trusted Platform Module (TPM) with GRUB to perform Measured Boot. See Measuring boot components for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.281 tr

This module provides support for the tr command in GRUB. This can be used to translate characters in a string according to the provided arguments. For example this can be used to convert upper-case to lower-case and visa-versa.

Next: , Previous: , Up: Modules   [Contents][Index]

16.282 trig

This module provides support for internal trig functions grub_cos and grub_sin using lookup based computation. Currently these trig functions are used by the gfxmenu circular progress bar.

Next: , Previous: , Up: Modules   [Contents][Index]

16.283 true

This module provides support for the commands true and false. See true and false for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.284 truecrypt

This module provides support for the truecrypt command. This can be used to load a Truecrypt ISO image.

Next: , Previous: , Up: Modules   [Contents][Index]

16.285 ubootnet

This module provides support for configuring network interfaces in GRUB using information provided by a U-Boot bootloader.

Next: , Previous: , Up: Modules   [Contents][Index]

16.286 udf

This module provides support for the Universal Disk Format (UDF) used on some newer optical disks. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.287 ufs1

This module provides support for the Unix File System version 1 in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.288 ufs1_be

This module provides support for the Unix File System version 1 (big-endian) in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.289 ufs2

This module provides support for the Unix File System version 2 in GRUB. Note: This module is not allowed in lockdown mode, see Lockdown when booting on a secure setup for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.290 uhci

This module provides support for the Universal Host Controller Interface (UHCI) for USB 1.x.

Next: , Previous: , Up: Modules   [Contents][Index]

16.291 usb

This module provides support for USB interfaces, USB hubs, and USB transfers in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.292 usb_keyboard

This module provides support for a USB keyboard in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.293 usbms

This module provides support for USB Mass Storage devices in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.294 usbserial_common

This module provides support for common operations needed to support USB Serial port adapters in GRUB (to support a model / type specific USB to serial adapter defined in another module).

Next: , Previous: , Up: Modules   [Contents][Index]

16.295 usbserial_ftdi

This module provides support for USB to serial adapters with vendor ID 0x0403 and product ID 0x6001 (often associated with FTDI devices).

Next: , Previous: , Up: Modules   [Contents][Index]

16.296 usbserial_pl2303

This module provides support for USB to serial adapters with vendor ID 0x067b and product ID 0x2303 (PL2303 USB to Serial adapter).

Next: , Previous: , Up: Modules   [Contents][Index]

16.297 usbserial_usbdebug

This module provides support for debugging GRUB via a "USB 2.0 Debug Cable". The USB 2.0 specification includes a "USB2 Debug Device Functional Specification" that this driver is intended to support for GRUB. This may integrate with GDB server function in GRUB (see gdb).

Next: , Previous: , Up: Modules   [Contents][Index]

16.298 usbtest

This module provides support for the usb command in GRUB to test USB functionality by iterating through all connected USB devices and printing information for each to the terminal.

Next: , Previous: , Up: Modules   [Contents][Index]

16.299 vbe

This module provides support for the VESA BIOS Extension (VBE) Video Driver in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.300 verifiers

This module is a built-in kernel module to provide a framework for GRUB file verifiers and string verifiers.

Next: , Previous: , Up: Modules   [Contents][Index]

16.301 vga

This module provides support for the Video Graphics Array (VGA) Video Driver in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.302 vga_text

This module provides support for the Video Graphics Array (VGA) terminal output device.

Next: , Previous: , Up: Modules   [Contents][Index]

16.303 video

This module provides support for video output support functions within GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.304 video_bochs

This module provides support for the Bochs PCI Video Driver (also known as Bochs Graphics Adapter / BGA) in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.305 video_cirrus

This module provides support for the Cirrus CLGD 5446 PCI Video Driver (Cirrus Video) in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.306 video_colors

This module provides support for interpreting named colors and parsing RBG hexadecimal values.

Next: , Previous: , Up: Modules   [Contents][Index]

16.307 video_fb

This module provides support for video frame buffer (FB) support in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.308 videoinfo

This module provides support for the videoinfo command and (depending on architecture) the vbeinfo command. See videoinfo for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.309 videotest

This module provides support for the videotest command and (depending on architecture) the vbetest to test the video subsystem in the specified width and height.

Next: , Previous: , Up: Modules   [Contents][Index]

16.310 videotest_checksum

This module is intended for performing a functional test of the video functions in GRUB by displaying a test image and capturing a checksum.

Next: , Previous: , Up: Modules   [Contents][Index]

16.311 wrmsr

This module provides support for the wrmsr command to write to CPU model-specific registers. See wrmsr for more information.

Next: , Previous: , Up: Modules   [Contents][Index]

16.312 xen_boot

This module provides support for the commands xen_hypervisor and xen_module to load a XEN hypervisor and module respectively.

Next: , Previous: , Up: Modules   [Contents][Index]

16.313 xfs

This module provides support for the XFS file system in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.314 xnu

This module provides support for the commands: xnu_devprop_load, xnu_kernel, xnu_kernel64, xnu_mkext, xnu_kext, xnu_kextdir, xnu_ramdisk, xnu_splash, and xnu_resume (only for emulated machine). These commands support loading and interacting with a XNU (MacOS / Apple) based system / kernel.

Next: , Previous: , Up: Modules   [Contents][Index]

16.315 xnu_uuid

This module provides support for the xnu_uuid command to transform a 64-bit UUID to a format suitable for XNU.

Next: , Previous: , Up: Modules   [Contents][Index]

16.316 xnu_uuid_test

This module is intended for performing a functional test of the XNU UUID conversion function.

Next: , Previous: , Up: Modules   [Contents][Index]

16.317 xzio

This module provides support for decompression of XZ compressed data.

Next: , Previous: , Up: Modules   [Contents][Index]

16.318 zfs

This module provides support for the ZFS file system in GRUB.

Next: , Previous: , Up: Modules   [Contents][Index]

16.319 zfscrypt

This module provides support for the zfskey to import a decryption key as well as decryption support for encrypted ZFS file systems.

Next: , Previous: , Up: Modules   [Contents][Index]

16.320 zfsinfo

This module provides support for the commands zfsinfo to output ZFS info about a device and zfs-bootfs to output ZFS-BOOTFSOBJ or store it into a variable.

Previous: , Up: Modules   [Contents][Index]

16.321 zstd

This module provides support for the Zstandard (zstd) decompression algorithm in GRUB.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

17 Available commands

In this chapter, we list all commands that are available in GRUB.

Commands belong to different groups. A few can only be used in the global section of the configuration file (or “menu”); most of them can be entered on the command-line and can be used either anywhere in the menu or specifically in the menu entries.

In rescue mode, only the insmod (see insmod), ls (see ls), set (see set), and unset (see unset) commands are normally available. If you end up in rescue mode and do not know what to do, then see GRUB only offers a rescue shell.

Next: , Previous: , Up: Available commands   [Contents][Index]

17.2 Various loader commands

These commands are used to load necessary components to boot desired OS. Many of the loader commands are not sufficiently documented. The following is a list of commands that could use more documentation:

  • appleloader - Boot BIOS-based system.
  • freedos - Load FreeDOS kernel.sys.
  • kfreebsd_loadenv - Load FreeBSD env.
  • kfreebsd_module_elf - Load FreeBSD kernel module (ELF).
  • kfreebsd_module - Load FreeBSD kernel module.
  • kfreebsd - Load kernel of FreeBSD.
  • knetbsd_module_elf - Load NetBSD kernel module (ELF).
  • knetbsd_module - Load NetBSD kernel module.
  • knetbsd - Load kernel of NetBSD.
  • kopenbsd - Load kernel of OpenBSD.
  • kopenbsd_ramdisk - Load kOpenBSD ramdisk.
  • legacy_initrd_nounzip - Simulate grub-legacy ‘modulenounzip’ command
  • legacy_initrd - Simulate grub-legacy ‘initrd’ command
  • legacy_kernel - Simulate grub-legacy ‘kernel’ command
  • module2 - Load a multiboot 2 module.
  • module - Load a multiboot module.
  • multiboot2 - Load a multiboot 2 kernel.
  • multiboot - Load a multiboot kernel.
  • ntldr - Load NTLDR or BootMGR.
  • plan9 - Load Plan9 kernel.
  • pxechainloader - Load a PXE image.
  • truecrypt - Load Truecrypt ISO.
  • xnu_kernel64 - Load 64-bit XNU image.
  • xnu_kernel - Load XNU image.
  • xnu_kextdir - Load XNU extension directory.
  • xnu_kext - Load XNU extension.
  • xnu_mkext - Load XNU extension package.
  • xnu_ramdisk - Load XNU ramdisk. It will be available in OS as md0.
  • xnu_resume - Load an image of hibernated XNU.
  • xnu_splash - Load a splash image for XNU.

Next: , Up: Various loader commands   [Contents][Index]

17.2.1 chainloader

Command: chainloader [--force] file [args...]

Load file as a chain-loader. Like any other file loaded by the filesystem code, it can use the blocklist notation (see How to specify block lists) to grab the first sector of the current partition with ‘+1’. On EFI platforms, any arguments after file will be sent to the loaded image.

If you specify the option --force, then load file forcibly, whether it has a correct signature or not. This is required when you want to load a defective boot loader, such as SCO UnixWare 7.1.

Next: , Previous: , Up: Various loader commands   [Contents][Index]

17.2.2 initrd

Command: initrd file [file …]

Load, in order, all initrds for a Linux kernel image, and set the appropriate parameters in the Linux setup area in memory. This may only be used after the linux command (see linux) has been run. See GNU/Linux for more info on booting GNU/Linux. For more information on initrds see the GNU/Linux kernel documentation.

A new-style initrd (for kernels newer than 2.6) containing one file with leading path components can also be generated at run time. This can be done by prefixing an argument with newc: followed by the path of the file in the new initrd, a :, and then the GRUB file path to the file data to be be included.

For example: 

initrd newc:/etc/ssh/config:(hd0,2)/home/user/.ssh/config \
       newc:/etc/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key \
       /boot/initrd.gz \
       newc:/init:/home/user/init.fixed

This command will generate two new-style initrds on the fly. The first contains the path ‘/etc/ssh/config’ with the contents of ‘(hd0,2)/home/user/.ssh/config’ and the path ‘/etc/ssh/ssh_host_rsa_key’ with the contents of ‘/etc/ssh/ssh_host_rsa_key’ on the root device. Parent directory paths will automatically be generated as needed. This first generated initrd will then have ‘/boot/initrd.gz’ concatenated after it. Next, another new-style archive will be generated with the contents of ‘/home/user/init.fixed’ in the path ‘/init’ and appended to the previous concatenation. Finally, the result will be sent to the kernel when booted.

Keep in mind that paths that come later will take precedence. So in the example above, the generated path ‘/init’ will overwrite any ‘/init’ in ‘/boot/initrd.gz’. This can be useful when changing the main initrd is undesirable or difficult.

Next: , Previous: , Up: Various loader commands   [Contents][Index]

17.2.3 initrd16

Command: initrd16 file [file …]

Load, in order, all initrds for a Linux kernel image to be booted in 16-bit mode, and set the appropriate parameters in the Linux setup area in memory. This may only be used after the linux16 command (see linux16) has been run. See also GNU/Linux and the initrd command (see initrd) for more details on arguments.

This command is only available on the pc platform for x86 systems.

Next: , Previous: , Up: Various loader commands   [Contents][Index]

17.2.4 linux

Command: linux file …

Load a Linux kernel image from file. The rest of the line is passed verbatim as the kernel command-line. Any initrd must be reloaded after using this command (see initrd).

On x86 systems, the kernel will be booted using the 32-bit boot protocol. Note that this means that the ‘vga=’ boot option will not work; if you want to set a special video mode, you will need to use GRUB commands such as ‘set gfxpayload=1024x768’ or ‘set gfxpayload=keep’ (to keep the same mode as used in GRUB) instead. GRUB can automatically detect some uses of ‘vga=’ and translate them to appropriate settings of ‘gfxpayload’. The linux16 command (see linux16) avoids this restriction.

Next: , Previous: , Up: Various loader commands   [Contents][Index]

17.2.5 linux16

Command: linux16 file …

Load a Linux kernel image from file in 16-bit mode. The rest of the line is passed verbatim as the kernel command-line. Any initrd must be reloaded after using this command (see initrd16).

The kernel will be booted using the traditional 16-bit boot protocol. As well as bypassing problems with ‘vga=’ described in linux, this permits booting some other programs that implement the Linux boot protocol for the sake of convenience.

This command is only available on x86 systems.

Next: , Previous: , Up: Various loader commands   [Contents][Index]

17.2.6 xen_hypervisor

Command: xen_hypervisor file [arguments] …

Load a Xen hypervisor binary from file. The rest of the line is passed verbatim as the kernel command-line. Any other binaries must be reloaded after using this command. This command is only available on AArch64 systems.

Previous: , Up: Various loader commands   [Contents][Index]

17.2.7 xen_module

Command: xen_module [--nounzip] file [arguments]

Load a module for xen hypervisor at the booting process of xen. The rest of the line is passed verbatim as the module command line. Modules should be loaded in the following order: - dom0 kernel image - dom0 ramdisk if present - XSM policy if present This command is only available on AArch64 systems.

Next: , Previous: , Up: Available commands   [Contents][Index]

17.3 General commands

Commands usable anywhere in the menu and in the command-line.

Next: , Up: General commands   [Contents][Index]

17.3.1 serial

Command: serial [--unit=unit] [--port=port] [--speed=speed] [--word=word] [--parity=parity] [--stop=stop]

Initialize a serial device. unit is a number in the range 0-3 specifying which serial port to use; default is 0, which corresponds to the port often called COM1.

port is the I/O port where the UART is to be found or, if prefixed with ‘mmio,’, the MMIO address of the UART. If specified it takes precedence over unit.

Additionally, an MMIO address can be suffixed with:

  • .b’ for bytes access (default)
  • .w’ for 16-bit word access
  • .l’ for 32-bit long word access or
  • .q’ for 64-bit long long word access

Also, port can be of the form ‘pci,XX:XX.X’ to indicate a serial device exposed on the PCI bus.

speed is the transmission speed; default is 9600. word and stop are the number of data bits and stop bits. Data bits must be in the range 5-8 and stop bits must be 1 or 2. Default is 8 data bits and one stop bit. parity is one of ‘no’, ‘odd’, ‘even’ and defaults to ‘no’.

If passed no unit nor port, or if port is set to ‘auto’ then GRUB will attempt to use ACPI to automatically detect the system default serial port and its configuration. If this information is not available, it will default to unit 0.

The serial port is not used as a communication channel unless the terminal_input or terminal_output command is used (see terminal_input, see terminal_output).

Note, valid port values, excluding IO port addresses, can be found by listing terminals with terminal_output, selecting all names prefixed by ‘serial_’ and removing that prefix.

Examples: 

serial --port=0x3f8 --speed=9600
serial --port=mmio,fefb0000.l --speed=115200
serial --port=pci,00:16.3 --speed=115200

See also Using GRUB via a serial line.

Next: , Previous: , Up: General commands   [Contents][Index]

17.3.2 terminal_input

Command: terminal_input [--append|--remove] [terminal1] [terminal2] …

List or select an input terminal.

With no arguments, list the active and available input terminals.

With --append, add the named terminals to the list of active input terminals; any of these may be used to provide input to GRUB.

With --remove, remove the named terminals from the active list.

With no options but a list of terminal names, make only the listed terminal names active.

Next: , Previous: , Up: General commands   [Contents][Index]

17.3.3 terminal_output

Command: terminal_output [--append|--remove] [terminal1] [terminal2] …

List or select an output terminal.

With no arguments, list the active and available output terminals.

With --append, add the named terminals to the list of active output terminals; all of these will receive output from GRUB.

With --remove, remove the named terminals from the active list.

With no options but a list of terminal names, make only the listed terminal names active.

Previous: , Up: General commands   [Contents][Index]

17.3.4 terminfo

Command: terminfo [-a|-u|-v] [-g WxH] [term] [type]

Define the capabilities of your terminal by giving the name of an entry in the terminfo database, which should correspond roughly to a ‘TERM’ environment variable in Unix.

The currently available terminal types are ‘vt100’, ‘vt100-color’, ‘ieee1275’, and ‘dumb’. If you need other terminal types, please contact us to discuss the best way to include support for these in GRUB.

The -a (--ascii), -u (--utf8), and -v (--visual-utf8) options control how non-ASCII text is displayed. -a specifies an ASCII-only terminal; -u specifies logically-ordered UTF-8; and -v specifies "visually-ordered UTF-8" (in other words, arranged such that a terminal emulator without bidirectional text support will display right-to-left text in the proper order; this is not really proper UTF-8, but a workaround).

The -g (--geometry) can be used to specify terminal geometry.

If no option or terminal type is specified, the current terminal type is printed.

Next: , Previous: , Up: Available commands   [Contents][Index]

17.4 Command-line commands

These commands are usable in the command-line and in menu entries. If you forget a command, you can run the command help (see help).

Next: , Up: Command-line commands   [Contents][Index]

17.4.1 [

Command: [ expression ]

Alias for test expression (see test).

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.2 acpi

Command: acpi [-1|-2] [--exclude=table1,…|--load-only=table1,…] [--oemid=id] [--oemtable=table] [--oemtablerev=rev] [--oemtablecreator=creator] [--oemtablecreatorrev=rev] [--no-ebda] filename …

Modern BIOS systems normally implement the Advanced Configuration and Power Interface (ACPI), and define various tables that describe the interface between an ACPI-compliant operating system and the firmware. In some cases, the tables provided by default only work well with certain operating systems, and it may be necessary to replace some of them.

Normally, this command will replace the Root System Description Pointer (RSDP) in the Extended BIOS Data Area to point to the new tables. If the --no-ebda option is used, the new tables will be known only to GRUB, but may be used by GRUB’s EFI emulation.

Note: The command is not allowed when lockdown is enforced (see Lockdown when booting on a secure setup). Otherwise an attacker can instruct the GRUB to load an SSDT table to overwrite the kernel lockdown configuration and later load and execute unsigned code.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.3 append_add_db_cert

Command: append_add_db_cert <X509_certificate>

Read an X.509 certificate from the file X509_certificate and add it to GRUB’s internal db list of trusted certificates. These certificates are used to validate appended signatures when the environment variable check_appended_signatures (see check_appended_signatures) is set to yes or the append_verify (see append_verify) command is executed from the GRUB console.

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.4 append_add_db_hash

Command: append_add_db_hash <hash_file>

Read a binary hash from the file hash_file and add it to GRUB’s internal db list of trusted binary hashes. These hashes are used to validate the Linux kernel/GRUB module binary hashes when the environment variable check_appended_signatures (see check_appended_signatures) is set to yes or the append_verify (see append_verify) command is executed from the GRUB console.

Here is an example for how to generate a SHA-256 hash for a file. The hash will be in binary format: 


# The vmlinux (kernel image) file is your binary file, and
# it should be unsigned.
#
# Generate the binary_hash.bin file from the vmlinux file
# using OpenSSL command

openssl dgst -binary -sha256 -out binary_hash.bin vmlinux

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.5 append_add_dbx_cert

Command: append_add_dbx_cert <X509_certificate>

Read an X.509 certificate from the file X509_certificate and add it to GRUB’s internal dbx list of distrusted certificates. These certificates are used to ensure that the distrusted certificates are rejected during appended signatures validation when the environment variable check_appended_signatures is set to yes (see check_appended_signatures) or the append_verify (see append_verify) command is executed from the GRUB console. Also, these certificates are used to prevent distrusted certificates from being added to the db list later on.

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.6 append_add_dbx_hash

Command: append_add_dbx_hash [-b|-c] <hash_file>

Read a binary/certificate hash from the file hash_file and add it to GRUB’s internal dbx list of distrusted binary/certificate hashes. When the environment variable check_appended_signatures (see check_appended_signatures) is set to yes or the append_verify (see append_verify) command is executed from the GRUB console, then matching distrusted binary hashes or the signature validation with distrusted certificates may lead to the rejection of the Linux kernel or GRUB modules. Also, these hashes are used to prevent distrusted certificates and binary hashes from being added to the db list later on.

The -b (--binary-hash) can be used to specify a binary hash file and -c (--cert-hash) can be used to specify a certificate hash file.

Here is an example for how to generate a SHA-256 hash for a binary and a certificate file. The hash will be in binary format: 


# The vmlinux (kernel image) file is your binary file, and
# it should be unsigned. The kernel.der is your certificate file.
#
# Generate the cert_hash.bin file from the kernel.der file

openssl dgst -binary -sha256 -out cert_hash.bin kernel.der

# Generate the binary_hash.bin file from the vmlinux file

openssl dgst -binary -sha256 -out binary_hash.bin vmlinux

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.7 append_list_db

Command: append_list_db

List all X.509 certificates and binary hashes trusted by GRUB for validating appended signatures. The output is a numbered list of certificates and binary hashes, showing the certificate’s version, serial number, issuer, subject, public key algorithm, RSA public key size, and certificate fingerprint.

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.8 append_list_dbx

Command: append_list_dbx

List all the distrusted X.509 certificates and binary/certificate hashes. The output is a numbered list of certificates and binary/certificate hashes, showing the certificate’s version, serial number, issuer, subject, public key algorithm, RSA public key size, and certificate fingerprint.

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.9 append_verify

Command: append_verify <signed_file>

Verifies an appended signature on signed_file against the trusted X.509 certificates and hashes known to GRUB (see append_list_db,see append_list_dbx, see append_add_db_cert, see append_add_db_hash, see append_add_dbx_hash and see append_add_dbx_cert). Exit code $? is set to 0 if the signature validates successfully. If validation fails, it is set to a non-zero value.

See Using appended signatures in GRUB for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.10 authenticate

Command: authenticate [userlist]

Check whether user is in userlist or listed in the value of variable ‘superusers’. See see superusers for valid user list format. If ‘superusers’ is empty, this command returns true. See Security.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.11 background_color

Command: background_color color

Set background color for active terminal. For valid color specifications see see Colors. Background color can be changed only when using ‘gfxterm’ for terminal output.

This command sets color of empty areas without text. Text background color is controlled by environment variables color_normal, color_highlight, menu_color_normal, menu_color_highlight. See Special environment variables.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.12 background_image

Command: background_image [[--modestretch’|‘normal’] file]

Load background image for active terminal from file. Image is stretched to fill up entire screen unless option --modenormal’ is given. Without arguments remove currently loaded background image. Background image can be changed only when using ‘gfxterm’ for terminal output.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.13 badram

Command: badram addr,mask[,addr,mask...]

Filter out bad RAM.

This command notifies the memory manager that specified regions of RAM ought to be filtered out (usually, because they’re damaged). This remains in effect after a payload kernel has been loaded by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot kernels in general.

Syntax is the same as provided by the Memtest86+ utility: a list of address/mask pairs. Given a page-aligned address and a base address / mask pair, if all the bits of the page-aligned address that are enabled by the mask match with the base address, it means this page is to be filtered. This syntax makes it easy to represent patterns that are often result of memory damage, due to physical distribution of memory cells.

The command is similar to cutmem command.

Note: The command is not allowed when lockdown is enforced (see Lockdown when booting on a secure setup). This prevents removing EFI memory regions to potentially subvert the security mechanisms provided by the UEFI secure boot.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.14 blocklist

Command: blocklist file

Print a block list (see How to specify block lists) for file.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.15 blscfg

Command: blscfg [-p|--path dir] [-f|--enable-fallback] [-d|--show-default] [-n|--show-non-default] [-e|--entry file]

Load Boot Loader Specification (BLS) entries into the GRUB menu. Boot entries generated from blscfg won’t interfere with entries from grub.cfg appearing in the GRUB menu. Also, entries generated from blscfg exists only in memory and don’t update grub.cfg.

By default, the BLS entries are stored in the /loader/entries directory in the boot partition. If BLS entries are stored elsewhere, the --path option can be used to check a different directory instead of the default location. If no BLS entries are found while using the --path option, the --enable-fallback option can be used to check for entries in the default location.

The --show-default option allows the default boot entry to be added to the GRUB menu from the BLS entries.

The --show-non-default option allows non-default boot entries to be added to the GRUB menu from the BLS entries.

The --entry option allows specific boot entries to be added to the GRUB menu from the BLS entries.

The --entry, --show-default, and --show-non-default options are used to filter which BLS entries are added to the GRUB menu. If none are used, all entries in the default location or the location specified by --path will be added to the GRUB menu.

A BLS config file example: 

# /boot/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf
title        Fedora 19 (Rawhide)
sort-key     fedora
machine-id   6a9857a393724b7a981ebb5b8495b9ea
version      3.8.0-2.fc19.x86_64
options      root=UUID=6d3376e4-fc93-4509-95ec-a21d68011da2 quiet
architecture x64
linux        /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux
initrd       /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd

For more information on BLS entry keys as well as other information on BLS, see: The Boot Loader Specification. For the GRUB, there are a few additional BLS entry keys based on the menuentry command (see menuentry).

The grub_class key may be used any number of times to group menu entries into classes. Menu themes may display different classes using different styles.

The grub_users key grants specific users access to specific menu entries. See Security.

The grub_hotkey key associates a hotkey with a menu entry. key may be a single letter, or one of the aliases ‘backspace’, ‘tab’, or ‘delete’.

The grub_args key can be used for any other argument to be passed as positonal parameters when the list of commands generated from the BLS config file are executed.

Variable expansion using the ‘$’ character (See Writing full configuration files directly) may be used with BLS config files for the GRUB but might not be compatible with other bootloaders.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.16 boot

Command: boot

Boot the OS or chain-loader which has been loaded. Only necessary if running the fully interactive command-line (it is implicit at the end of a menu entry).

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.17 cat

Command: cat [--dos] file

Display the contents of the file file. This command may be useful to remind you of your OS’s root partition: 

grub> cat /etc/fstab

If the --dos option is used, then carriage return / new line pairs will be displayed as a simple new line. Otherwise, the carriage return will be displayed as a control character (‘<d>’) to make it easier to see when boot problems are caused by a file formatted using DOS-style line endings.

Note: cat can be used to view the contents of devices using the block list syntax (see How to specify block lists). However, it is not advised to view binary data because it will try to decode UTF-8 strings, which can lead to some bytes missing or added in the output. Instead, use the hexdump command (see hexdump).

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.18 clear

Command: clear

Clear the screen.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.19 cmosclean

Command: cmosclean byte:bit

Clear value of bit in CMOS at location byte:bit. This command is available only on platforms that support CMOS.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.20 cmosdump

Dump: CMOS contents

Dump full CMOS contents as hexadecimal values. This command is available only on platforms that support CMOS.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.21 cmostest

Command: cmostest byte:bit

Test value of bit in CMOS at location byte:bit. Exit status is zero if bit is set, non zero otherwise. This command is available only on platforms that support CMOS.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.22 cmp

Command: cmp [-v] file1 file2

Compare the file file1 with the file file2. If they are completely identical, $? will be set to 0. Otherwise, if the files are not identical, $? will be set to a nonzero value.

By default nothing will be output. If the -v is used, verbose mode is enabled. In this mode when when the files differ in size, print the sizes like this: 

Differ in size: 0x1234 [foo], 0x4321 [bar]

If the sizes are equal but the bytes at an offset differ, then print the bytes like this: 

Differ at the offset 777: 0xbe [foo], 0xef [bar]

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.23 configfile

Command: configfile file

Load file as a configuration file. If file defines any menu entries, then show a menu containing them immediately. Any environment variable changes made by the commands in file will not be preserved after configfile returns.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.24 cpuid

Command: cpuid [-l] [-p]

Check for CPU features. This command is only available on x86 systems.

With the -l option, return true if the CPU supports long mode (64-bit).

With the -p option, return true if the CPU supports Physical Address Extension (PAE).

If invoked without options, this command currently behaves as if it had been invoked with -l. This may change in the future.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.25 crc

Command: crc arg …

Alias for hashsum --hash crc32 arg …. See command hashsum (see hashsum) for full description.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.26 cryptocheck

Command: cryptocheck [ --quiet ] device

Check if a given diskfilter device is backed by encrypted devices (see cryptomount for additional information).

The command examines all backing devices, physical volumes, of a specified logical volume, like LVM2, and fails when at least one of them is unencrypted.

The option --quiet can be given to suppress the output.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.27 cryptomount

Command: cryptomount [ [-p password] | [-k keyfile [-O keyoffset] [-S keysize] ] | [-P protector] | [-A] ] [-H file] device|-u uuid|-a|-b

Setup access to encrypted device. A passphrase will be requested interactively, if neither the -p nor -k options are given. The option -p can be used to supply a passphrase (useful for scripts). Alternatively the -k option can be used to supply a keyfile with options -O and -S optionally supplying the offset and size, respectively, of the key data in the given key file. Besides the keyfile, the key can be stored in a key protector, and option -P configures specific key protector, e.g. tpm2, to retrieve the key from. The option -A enables hardware acceleration in libgcrypt to speed up decryption. The -H options can be used to supply cryptomount backends with an alternative header file (aka detached header). Not all backends have headers nor support alternative header files (currently only LUKS1 and LUKS2 support them). Argument device configures specific grub device (see Naming convention); option -u uuid configures device with specified uuid; option -a configures all detected encrypted devices; option -b configures all geli containers that have boot flag set.

Devices are not allowed to be given as key files nor as detached header files. However, this limitation can be worked around by using blocklist syntax. So for instance, (hd1,gpt2) can not be used, but (hd1,gpt2)0+ will achieve the desired result.

GRUB supports devices encrypted using LUKS, LUKS2 and geli. Note that necessary modules (luks, luks2 and geli) have to be loaded manually before this command can be used. For LUKS2 only the PBKDF2 key derivation function is supported, as Argon2 is not yet supported.

Successfully decrypted disks are named as (cryptoX) and have increasing numeration suffix for each new decrypted disk. If the encrypted disk hosts some higher level of abstraction (like LVM2 or MDRAID) it will be created under a separate device namespace in addition to the cryptodisk namespace.

Support for plain encryption mode (plain dm-crypt) is provided via separate see plainmount command.

On the EFI platform, GRUB tries to erase master keys from memory when the cryptodisk module is unloaded or the command exit is executed. All secrets remain in memory when the command chainloader is issued, because execution can return to GRUB on the EFI platform.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.28 cutmem

Command: cutmem from[K|M|G] to[K|M|G]

Remove any memory regions in specified range.

This command notifies the memory manager that specified regions of RAM ought to be filtered out. This remains in effect after a payload kernel has been loaded by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot kernels in general.

The command is similar to badram command.

Note: The command is not allowed when lockdown is enforced (see Lockdown when booting on a secure setup). This prevents removing EFI memory regions to potentially subvert the security mechanisms provided by the UEFI secure boot.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.29 date

Command: date [[year-]month-day] [hour:minute[:second]]

With no arguments, print the current date and time.

Otherwise, take the current date and time, change any elements specified as arguments, and set the result as the new date and time. For example, ‘date 01-01’ will set the current month and day to January 1, but leave the year, hour, minute, and second unchanged.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.30 devicetree

Command: devicetree file

Load a device tree blob (.dtb) from a filesystem, for later use by a Linux kernel. Does not perform merging with any device tree supplied by firmware, but rather replaces it completely.

Note: The command is not allowed when lockdown is enforced (see Lockdown when booting on a secure setup). This is done to prevent subverting various security mechanisms.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.31 distrust

Command: distrust pubkey_id

Remove public key pubkey_id from GRUB’s keyring of trusted keys. pubkey_id is the last four bytes (eight hexadecimal digits) of the GPG v4 key id, which is also the output of list_trusted (see list_trusted). Outside of GRUB, the key id can be obtained using gpg --fingerprint). These keys are used to validate signatures when environment variable check_signatures is set to enforce (see check_signatures), and by some invocations of verify_detached (see verify_detached). See Using GPG-style digital signatures in GRUB, for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.32 drivemap

Command: drivemap -l|-r|[-s] from_drive to_drive

Without options, map the drive from_drive to the drive to_drive. This is necessary when you chain-load some operating systems, such as DOS, if such an OS resides at a non-first drive. For convenience, any partition suffix on the drive is ignored, so you can safely use ${root} as a drive specification.

With the -s option, perform the reverse mapping as well, swapping the two drives.

With the -l option, list the current mappings.

With the -r option, reset all mappings to the default values.

For example: 

drivemap -s (hd0) (hd1)

NOTE: Only available on i386-pc.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.33 echo

Command: echo [-n] [-e] string …

Display the requested text and, unless the -n option is used, a trailing new line. If there is more than one string, they are separated by spaces in the output. As usual in GRUB commands, variables may be substituted using ‘${var}’.

The -e option enables interpretation of backslash escapes. The following sequences are recognised:

\\

backslash

\a

alert (BEL)

\c

suppress trailing new line

\f

form feed

\n

new line

\r

carriage return

\t

horizontal tab

\v

vertical tab

When interpreting backslash escapes, backslash followed by any other character will print that character.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.34 efitextmode

Command: efitextmode [min | max | <mode_num> | <cols> <rows>]

When used with no arguments displays all available text output modes. The set mode determines the columns and rows of the text display when in text mode. An asterisk, ‘*’, will be at the end of the line of the currently set mode.

If given a single parameter, it must be ‘min’, ‘max’, or a mode number given by the listing when run with no arguments. These arguments set the mode to the minimum, maximum, and particular mode respectively.

Otherwise, the command must be given two numerical arguments specifying the columns and rows of the desired mode. Specifying a columns and rows combination that corresponds to no supported mode, will return error, but otherwise have no effect.

By default GRUB will start in whatever mode the EFI firmware defaults to. There are firmwares known to set up the default mode such that output behaves strangely, for example the cursor in the GRUB shell never reaches the bottom of the screen or, when typing characters at the prompt, characters from previous command output are overwritten. Setting the mode may fix this.

The EFI specification says that mode 0 must be available and have columns and rows of 80 and 25 respectively. Mode 1 may be defined and if so must have columns and rows of 80 and 50 respectively. Any other modes may have columns and rows arbitrarily defined by the firmware. This means that a mode with columns and rows of 100 and 31 on one firmware may be a different mode number on a different firmware or not exist at all. Likewise, mode number 2 on one firmware may have a different number of columns and rows than mode 2 on a different firmware. So one should not rely on a particular mode number or a mode of a certain number of columns and rows existing on all firmwares, except for mode 0.

Note: This command is only available on EFI platforms and is similar to EFI shell "mode" command.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.35 eval

Command: eval string ...

Concatenate arguments together using single space as separator and evaluate result as sequence of GRUB commands.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.36 export

Command: export envvar

Export the environment variable envvar. Exported variables are visible to subsidiary configuration files loaded using configfile.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.37 false

Command: false

Do nothing, unsuccessfully. This is mainly useful in control constructs such as if and while (see Writing full configuration files directly).

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.38 fdtdump

Command: fdtdump [--prop prop] [--set variable]

Retrieve device tree information.

The fdtdump command returns the value of a property in the device tree provided by the firmware. The --prop option determines which property to select.

The default action is to print the value of the requested field to the console, but a variable name can be specified with --set to store the value instead of printing it.

For example, this will store and then display the model string. 

fdtdump --prop model --set machine_model
echo $machine_model

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.39 file

Command: file is_file_type filename

The file command tests whether the provided filename is the type provided by is_file_type. When the file is of type is_file_type this command will return 0, otherwise it will return non-zero (no output is provided to the terminal).

is_file_type may be one of the following options:

  • --is-i386-xen-pae-domu Check if filename can be booted as i386 PAE Xen unprivileged guest kernel
  • --is-x86_64-xen-domu Check if filename can be booted as x86_64 Xen unprivileged guest kernel
  • --is-x86-xen-dom0 Check if filename can be used as Xen x86 privileged guest kernel
  • --is-x86-multiboot Check if filename can be used as x86 multiboot kernel
  • --is-x86-multiboot2 Check if filename can be used as x86 multiboot2 kernel
  • --is-arm-linux Check if filename is ARM Linux
  • --is-arm64-linux Check if filename is ARM64 Linux
  • --is-ia64-linux Check if filename is IA64 Linux
  • --is-mips-linux Check if filename is MIPS Linux
  • --is-mipsel-linux Check if filename is MIPSEL Linux
  • --is-sparc64-linux Check if filename is SPARC64 Linux
  • --is-powerpc-linux Check if filename is POWERPC Linux
  • --is-x86-linux Check if filename is x86 Linux
  • --is-x86-linux32 Check if filename is x86 Linux supporting 32-bit protocol
  • --is-x86-kfreebsd Check if filename is x86 kFreeBSD
  • --is-i386-kfreebsd Check if filename is i386 kFreeBSD
  • --is-x86_64-kfreebsd Check if filename is x86_64 kFreeBSD
  • --is-x86-knetbsd Check if filename is x86 kNetBSD
  • --is-i386-knetbsd Check if filename is i386 kNetBSD
  • --is-x86_64-knetbsd Check if filename is x86_64 kNetBSD
  • --is-i386-efi Check if filename is i386 EFI file
  • --is-x86_64-efi Check if filename is x86_64 EFI file
  • --is-ia64-efi Check if filename is IA64 EFI file
  • --is-arm64-efi Check if filename is ARM64 EFI file
  • --is-arm-efi Check if filename is ARM EFI file
  • --is-riscv32-efi Check if filename is RISC-V 32bit EFI file
  • --is-riscv64-efi Check if filename is RISC-V 64bit EFI file
  • --is-hibernated-hiberfil Check if filename is hiberfil.sys in hibernated state
  • --is-x86_64-xnu Check if filename is x86_64 XNU (Mac OS X kernel)
  • --is-i386-xnu Check if filename is i386 XNU (Mac OS X kernel)
  • --is-xnu-hibr Check if filename is XNU (Mac OS X kernel) hibernated image
  • --is-x86-bios-bootsector Check if filename is BIOS bootsector

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.40 fwsetup

Command: fwsetup [--is-supported]

Reboot into the firmware setup menu. If --is-supported option is specified, instead check whether the firmware supports a setup menu and exit successfully if so.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.41 gdbinfo

Command: gdbinfo

Output text to be used as a GDB command for a GDB session using the gdb_grub script and attached to a running GRUB instance. The GDB command that is output will tell GDB how to load debugging symbols to their proper runtime address. Currently this is only available for EFI platforms. See the Debugging in the developer documentation for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.42 gettext

Command: gettext string

Translate string into the current language.

The current language code is stored in the ‘lang’ variable in GRUB’s environment (see lang). Translation files in MO format are read from ‘locale_dir’ (see locale_dir), usually /boot/grub/locale.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.43 gptsync

Command: gptsync device [partition[+/-[type]]] …

Disks using the GUID Partition Table (GPT) also have a legacy Master Boot Record (MBR) partition table for compatibility with the BIOS and with older operating systems. The legacy MBR can only represent a limited subset of GPT partition entries.

This command populates the legacy MBR with the specified partition entries on device. Up to three partitions may be used.

type is an MBR partition type code; prefix with ‘0x’ if you want to enter this in hexadecimal. The separator between partition and type may be ‘+’ to make the partition active, or ‘-’ to make it inactive; only one partition may be active. If both the separator and type are omitted, then the partition will be inactive.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.44 halt

Command: halt [--no-apm]

The command halts the computer. On the i386-pc target, the --no-apm option, or short -n, is specified, no APM BIOS call is performed. Otherwise, the computer is shut down using APM on that target.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.45 hashsum

Command: hashsum --hash hash --keep-going --uncompress --check file [--prefix dir]|file …

Compute or verify file hashes. Hash type is selected with option --hash. Supported hashes are: ‘adler32’, ‘crc64’, ‘crc32’, ‘crc32rfc1510’, ‘crc24rfc2440’, ‘md4’, ‘md5’, ‘ripemd160’, ‘sha1’, ‘sha224’, ‘sha256’, ‘sha512’, ‘sha384’, ‘tiger192’, ‘tiger’, ‘tiger2’, ‘whirlpool’. Option --uncompress uncompresses files before computing hash.

When list of files is given, hash of each file is computed and printed, followed by file name, each file on a new line.

When option --check is given, it points to a file that contains list of hash name pairs in the same format as used by UNIX md5sum command. Option --prefix may be used to give directory where files are located. Hash verification stops after the first mismatch was found unless option --keep-going was given. The exit code $? is set to 0 if hash verification is successful. If it fails, $? is set to a nonzero value.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.46 help

Command: help [pattern …]

Display helpful information about builtin commands. If you do not specify pattern, this command shows short descriptions of all available commands.

If you specify any patterns, it displays longer information about each of the commands whose names begin with those patterns.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.47 hexdump

Command: hexdump [--skip offset] [--length len] FILE_OR_DEVICE

Show raw contents of a file or memory. When option --skip is given, ‘offset’ number of bytes are skipped from the start of the device or file given. And --length allows specifying a maximum number of bytes to be shown.

If given the special device named ‘(mem)’, then the ‘offset’ given to --skip is treated as the address of a memory location to dump from.

Note: The dumping of RAM memory (by the (mem) argument) is not allowed when when lockdown is enforced (see Lockdown when booting on a secure setup). The dumping of disk or file data is allowed when lockdown is enforced.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.48 insmod

Command: insmod module

Insert the dynamic GRUB module called module.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.49 keystatus

Command: keystatus [--shift] [--ctrl] [--alt]

Return true if the Shift, Control, or Alt modifier keys are held down, as requested by options. This is useful in scripting, to allow some user control over behaviour without having to wait for a keypress.

Checking key modifier status is only supported on some platforms. If invoked without any options, the keystatus command returns true if and only if checking key modifier status is supported.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.50 list_env

Command: list_env [--file file]

List all variables in the environment block file. See The GRUB environment block.

The --file option overrides the default location of the environment block.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.51 list_trusted

Command: list_trusted

List all public keys trusted by GRUB for validating signatures. The output is in GPG’s v4 key fingerprint format (i.e., the output of gpg --fingerprint). The least significant four bytes (last eight hexadecimal digits) can be used as an argument to distrust (see distrust). See Using GPG-style digital signatures in GRUB, for more information about uses for these keys.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.52 load_env

Command: load_env [--file file] [--skip-sig] [whitelisted_variable_name] …

Load all variables from the environment block file into the environment. See The GRUB environment block.

The --file option overrides the default location of the environment block.

The --skip-sig option skips signature checking even when the value of environment variable check_signatures is set to enforce (see check_signatures).

If one or more variable names are provided as arguments, they are interpreted as a whitelist of variables to load from the environment block file. Variables set in the file but not present in the whitelist are ignored.

The --skip-sig option should be used with care, and should always be used in concert with a whitelist of acceptable variables whose values should be set. Failure to employ a carefully constructed whitelist could result in reading a malicious value into critical environment variables from the file, such as setting check_signatures=no, modifying prefix to boot from an unexpected location or not at all, etc.

When used with care, --skip-sig and the whitelist enable an administrator to configure a system to boot only signed configurations, but to allow the user to select from among multiple configurations, and to enable “one-shot” boot attempts and “savedefault” behavior. See Using GPG-style digital signatures in GRUB, for more information.

If the environment variable check_appended_signatures value is set to yes and GRUB is in lockeddown mode, the user is not allowed to set check_appended_signatures to no and appendedsig_key_mgmt to static or dynamic either directly using load_env command or via environment block file. See Using appended signatures in GRUB, for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.53 loadfont

Command: loadfont file …

Load specified font files. Unless absolute pathname is given, file is assumed to be in directory ‘$prefix/fonts’ with suffix ‘.pf2’ appended. See Fonts.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.54 loopback

Command: loopback [-d] [-D] device file

Make the device named device correspond to the contents of the filesystem image in file. For example: 

loopback loop0 /path/to/image
ls (loop0)/

Specifying the -D option allows the loopback file to be tranparently decompressed if there is an appropriate decompressor loaded.

With the -d option, delete a device previously created using this command.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.55 ls

Command: ls [arg …]

List devices or files.

With no arguments, print all devices known to GRUB.

If the argument is a device name enclosed in parentheses (see How to specify devices), then print the name of the filesystem of that device.

If the argument is a directory given as an absolute file name (see How to specify files), then list the contents of that directory.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.56 lsfonts

Command: lsfonts

List loaded fonts.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.57 lsfreemem

Command: lsfreemem

List free memory blocks.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.58 lsmod

Command: lsmod

Show list of loaded modules.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.59 lsmem

Command: lsmem

List free and allocated memory blocks.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.60 lsmemregions

Command: lsmemregions

Prints memory region general information including size, number of blocks, and total free / total allocated memory per region.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.61 md5sum

Command: md5sum arg …

Alias for hashsum --hash md5 arg …. See command hashsum (see hashsum) for full description.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.62 module

Command: module [--nounzip] file [arguments]

Load a module for multiboot kernel image. The rest of the line is passed verbatim as the module command line.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.63 multiboot

Command: multiboot [--quirk-bad-kludge] [--quirk-modules-after-kernel] file …

Load a multiboot kernel image from file. The rest of the line is passed verbatim as the kernel command-line. Any module must be reloaded after using this command (see module).

Some kernels have known problems. You need to specify –quirk-* for those. –quirk-bad-kludge is a problem seen in several products that they include loading kludge information with invalid data in ELF file. GRUB prior to 0.97 and some custom builds preferred ELF information while 0.97 and GRUB 2 use kludge. Use this option to ignore kludge. Known affected systems: old Solaris, SkyOS.

–quirk-modules-after-kernel is needed for kernels which load at relatively high address e.g. 16MiB mark and can’t cope with modules stuffed between 1MiB mark and beginning of the kernel. Known afftected systems: VMWare.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.64 nativedisk

Command: nativedisk

Switch from firmware disk drivers to native ones. Really useful only on platforms where both firmware and native disk drives are available. Currently i386-pc, i386-efi, i386-ieee1275 and x86_64-efi.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.65 normal

Command: normal [file]

Enter normal mode and display the GRUB menu.

In normal mode, commands, filesystem modules, and cryptography modules are automatically loaded, and the full GRUB script parser is available. Other modules may be explicitly loaded using insmod (see insmod).

If a file is given, then commands will be read from that file. Otherwise, they will be read from $prefix/grub.cfg if it exists.

normal may be called from within normal mode, creating a nested environment. It is more usual to use configfile (see configfile) for this.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.66 normal_exit

Command: normal_exit

Exit normal mode (see normal). If this instance of normal mode was not nested within another one, then return to rescue mode.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.67 parttool

Command: parttool partition commands

Make various modifications to partition table entries.

Each command is either a boolean option, in which case it must be followed with ‘+’ or ‘-’ (with no intervening space) to enable or disable that option, or else it takes a value in the form ‘command=value’.

Currently, parttool is only useful on DOS partition tables (also known as Master Boot Record, or MBR). On these partition tables, the following commands are available:

boot’ (boolean)

When enabled, this makes the selected partition be the active (bootable) partition on its disk, clearing the active flag on all other partitions. This command is limited to primary partitions.

type’ (value)

Change the type of an existing partition. The value must be a number in the range 0-0xFF (prefix with ‘0x’ to enter it in hexadecimal).

hidden’ (boolean)

When enabled, this hides the selected partition by setting the hidden bit in its partition type code; when disabled, unhides the selected partition by clearing this bit. This is useful only when booting DOS or Windows and multiple primary FAT partitions exist in one disk. See also DOS/Windows.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.68 password

Command: password user clear-password

Define a user named user with password clear-password. See Security.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.69 password_pbkdf2

Command: password_pbkdf2 user hashed-password

Define a user named user with password hash hashed-password. Use grub-mkpasswd-pbkdf2 (see Invoking grub-mkpasswd-pbkdf2) to generate password hashes. See Security.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.70 plainmount

Command: plainmount device -c cipher -s key size [-h hash]

[-S sector size] [-p password] [-u uuid] [[-d keyfile] [-O keyfile offset]]

Setup access to the encrypted device in plain mode. Offset of the encrypted data at the device is specified in terms of 512 byte sectors using the blocklist syntax and loopback device. The following example shows how to specify 1MiB offset: 

loopback node (hd0,gpt1)2048+
plainmount node ...

The plainmount command can be used to open LUKS encrypted volume if its master key and parameters (key size, cipher, offset, etc) are known.

There are two ways to specify a password: a keyfile and a secret passphrase. The keyfile path parameter has higher priority than the secret passphrase parameter and is specified with the option -d. Password data obtained from keyfiles is not hashed and is used directly as a cipher key. An optional offset of password data in the keyfile can be specified with the option -O or directly with the option -d and GRUB blocklist syntax, if the keyfile data can be accessed from a device and is 512 byte aligned. The following example shows both methods to specify password data in the keyfile at offset 1MiB: 

plainmount -d (hd0,gpt1)2048+ ...
plainmount -d (hd0,gpt1)+ -O 1048576 ...

If no keyfile is specified then the password is set to the string specified by option -p or is requested interactively from the console. In both cases the provided password is hashed with the algorithm specified by the option -h. This option is mandatory if no keyfile is specified, but it can be set to ‘plain’ which means that no hashing is done and such password is used directly as a key.

Cipher -c and keysize -s options specify the cipher algorithm and the key size respectively and are mandatory options. Cipher must be specified with the mode separated by a dash (for example, ‘aes-xts-plain64’). Key size option -s is the key size of the cipher in bits, not to be confused with the offset of the key data in a keyfile specified with the -O option. It must not exceed 1024 bits, so a 32 byte key would be specified as 256 bits

The optional parameter -S specifies encrypted device sector size. It must be at least 512 bytes long (default value) and a power of 2. 9. Disk sector size is configured when creating the encrypted volume. Attempting to decrypt volumes with a different sector size than it was created with will not result in an error, but will decrypt to random bytes and thus prevent accessing the volume (in some cases the filesystem driver can detect the presence of a filesystem, but nevertheless will refuse to mount it).

By default new plainmount devices will be given a UUID starting with ’109fea84-a6b7-34a8-4bd1-1c506305a401’ where the last digits are incremented by one for each plainmounted device beyond the first up to 2^10 devices.

All encryption arguments (cipher, hash, key size, disk offset and disk sector size) must match the parameters used to create the volume. If any of them does not match the actual arguments used during the initial encryption, plainmount will create virtual device with the garbage data and GRUB will report unknown filesystem for such device.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.71 play

Command: play file | tempo [pitch1 duration1] [pitch2 duration2] …

Plays a tune

If the argument is a file name (see How to specify files), play the tune recorded in it. The file format is first the tempo as an unsigned 32bit little-endian number, then pairs of unsigned 16bit little-endian numbers for pitch and duration pairs.

If the arguments are a series of numbers, play the inline tune.

The tempo is the base for all note durations. 60 gives a 1-second base, 120 gives a half-second base, etc. Pitches are Hz. Set pitch to 0 to produce a rest.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.72 probe

Command: probe [--set var] --driver|--partmap|--fs|--fs-uuid|--label|--part-uuid device

Retrieve device information. If option --set is given, assign result to variable var, otherwise print information on the screen.

The option --part-uuid is currently only implemented for MSDOS and GPT formatted disks.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.73 rdmsr

Command:: rdmsr 0xADDR [-v VARNAME]

Read a model-specific register at address 0xADDR. If the parameter -v is used and an environment variable VARNAME is given, set that environment variable to the value that was read.

Please note that on SMP systems, reading from a MSR that has a scope per hardware thread, implies that the value that is returned only applies to the particular cpu/core/thread that runs the command.

Also, if you specify a reserved or unimplemented MSR address, it will cause a general protection exception (which is not currently being handled) and the system will reboot.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.74 read

Command: read [-s] [var]

Read a line of input from the user. If an environment variable var is given, set that environment variable to the line of input that was read, with no terminating newline. If the parameter -s is used, enable silent mode where input is not printed to the terminal.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.75 reboot

Command: reboot

Reboot the computer.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.76 regexp

Command: regexp [--set [number:]var] regexp string

Test if regular expression regexp matches string. Supported regular expressions are POSIX.2 Extended Regular Expressions. If option --set is given, store numberth matched subexpression in variable var. Subexpressions are numbered in order of their opening parentheses starting from ‘1’. number defaults to ‘1’.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.77 rmmod

Command: rmmod module

Remove a loaded module.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.78 save_env

Command: save_env [--file file] var …

Save the named variables from the environment to the environment block file. See The GRUB environment block.

The --file option overrides the default location of the environment block.

This command will operate successfully even when environment variable check_signatures is set to enforce (see check_signatures), since it writes to disk and does not alter the behavior of GRUB based on any contents of disk that have been read. It is possible to modify a digitally signed environment block file from within GRUB using this command, such that its signature will no longer be valid on subsequent boots. Care should be taken in such advanced configurations to avoid rendering the system unbootable. See Using GPG-style digital signatures in GRUB, for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.80 sendkey

Command: sendkey [--num|--caps|--scroll|--insert|--pause|--left-shift|--right-shift|--sysrq|--numkey|--capskey|--scrollkey|--insertkey|--left-alt|--right-alt|--left-ctrl|--right-ctrlon’|‘off’]… [no-led] keystroke

Insert keystrokes into the keyboard buffer when booting. Sometimes an operating system or chainloaded boot loader requires particular keys to be pressed: for example, one might need to press a particular key to enter "safe mode", or when chainloading another boot loader one might send keystrokes to it to navigate its menu.

Note: This command is currently only available on the i386-pc target.

You may provide up to 16 keystrokes (the length of the BIOS keyboard buffer). Keystroke names may be upper-case or lower-case letters, digits, or taken from the following table:

NameKey
escapeEscape
exclam!
at@
numbersign#
dollar$
percent%
caret^
ampersand&
asterisk*
parenleft(
parenright)
minus-
underscore_
equal=
plus+
backspaceBackspace
tabTab
bracketleft[
braceleft{
bracketright]
braceright}
enterEnter
controlpress and release Control
semicolon;
colon:
quote
doublequote"
backquote
tilde~
shiftpress and release left Shift
backslash\
bar|
comma,
less<
period.
greater>
slash/
question?
rshiftpress and release right Shift
altpress and release Alt
spacespace bar
capslockCaps Lock
F1F1
F2F2
F3F3
F4F4
F5F5
F6F6
F7F7
F8F8
F9F9
F10F10
F11F11
F12F12
num11 (numeric keypad)
num22 (numeric keypad)
num33 (numeric keypad)
num44 (numeric keypad)
num55 (numeric keypad)
num66 (numeric keypad)
num77 (numeric keypad)
num88 (numeric keypad)
num99 (numeric keypad)
num00 (numeric keypad)
numperiod. (numeric keypad)
numendEnd (numeric keypad)
numdownDown (numeric keypad)
numpgdownPage Down (numeric keypad)
numleftLeft (numeric keypad)
numcenter5 with Num Lock inactive (numeric keypad)
numrightRight (numeric keypad)
numhomeHome (numeric keypad)
numupUp (numeric keypad)
numpgupPage Up (numeric keypad)
numinsertInsert (numeric keypad)
numdeleteDelete (numeric keypad)
numasterisk* (numeric keypad)
numminus- (numeric keypad)
numplus+ (numeric keypad)
numslash/ (numeric keypad)
numenterEnter (numeric keypad)
deleteDelete
insertInsert
homeHome
endEnd
pgdownPage Down
pgupPage Up
downDown
upUp
leftLeft
rightRight

As well as keystrokes, the sendkey command takes various options that affect the BIOS keyboard status flags. These options take an ‘on’ or ‘off’ parameter, specifying that the corresponding status flag be set or unset; omitting the option for a given status flag will leave that flag at its initial state at boot. The --num, --caps, --scroll, and --insert options emulate setting the corresponding mode, while the --numkey, --capskey, --scrollkey, and --insertkey options emulate pressing and holding the corresponding key. The other status flag options are self-explanatory.

If the --no-led option is given, the status flag options will have no effect on keyboard LEDs.

If the sendkey command is given multiple times, then only the last invocation has any effect.

Since sendkey manipulates the BIOS keyboard buffer, it may cause hangs, reboots, or other misbehaviour on some systems. If the operating system or boot loader that runs after GRUB uses its own keyboard driver rather than the BIOS keyboard functions, then sendkey will have no effect.

This command is only available on PC BIOS systems.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.81 set

Command: set [envvar=value]

Set the environment variable envvar to value. If invoked with no arguments, print all environment variables with their values. For the list of environment variables currently used by GRUB itself see the relevant section see GRUB environment variables.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.82 sha1sum

Command: sha1sum arg …

Alias for hashsum --hash sha1 arg …. See command hashsum (see hashsum) for full description.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.83 sha256sum

Command: sha256sum arg …

Alias for hashsum --hash sha256 arg …. See command hashsum (see hashsum) for full description.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.84 sha512sum

Command: sha512sum arg …

Alias for hashsum --hash sha512 arg …. See command hashsum (see hashsum) for full description.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.85 sleep

Command: sleep [--verbose] [--interruptible] count

Sleep for count seconds. If option --interruptible is given, allow pressing ESC, F4 or holding down SHIFT to interrupt sleep. With --verbose show countdown of remaining seconds. Exit code is set to 0 if timeout expired and to 1 if timeout was interrupted using any of the mentioned keys.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.86 smbios

Command: smbios [--type type] [--handle handle] [--match match] (--get-byte | --get-word | --get-dword | --get-qword | --get-string | --get-uuid) offset [--set variable]

Retrieve SMBIOS information.

The smbios command returns the value of a field in an SMBIOS structure. The following options determine which structure to select.

  • Specifying --type will select structures with a matching type. The type can be any integer from 0 to 255.
  • Specifying --handle will select structures with a matching handle. The handle can be any integer from 0 to 65535.
  • Specifying --match will select structure number match in the filtered list of structures; e.g. smbios --type 4 --match 2 will select the second Process Information (Type 4) structure. The list is always ordered the same as the hardware’s SMBIOS table. The match number must be a positive integer. If unspecified, the first matching structure will be selected.

The remaining options determine which field in the selected SMBIOS structure to return. Only one of these options may be specified at a time.

  • When given --get-byte, return the value of the byte at offset bytes into the selected SMBIOS structure. It will be formatted as an unsigned decimal integer.
  • When given --get-word, return the value of the word (two bytes) at offset bytes into the selected SMBIOS structure. It will be formatted as an unsigned decimal integer.
  • When given --get-dword, return the value of the dword (four bytes) at offset bytes into the selected SMBIOS structure. It will be formatted as an unsigned decimal integer.
  • When given --get-qword, return the value of the qword (eight bytes) at offset bytes into the selected SMBIOS structure. It will be formatted as an unsigned decimal integer.
  • When given --get-string, return the string with its index found at offset bytes into the selected SMBIOS structure.
  • When given --get-uuid, return the value of the UUID (sixteen bytes) at offset bytes into the selected SMBIOS structure. It will be formatted as lower-case hyphenated hexadecimal digits, with the first three fields as little-endian, and the rest printed byte-by-byte.

The default action is to print the value of the requested field to the console, but a variable name can be specified with --set to store the value instead of printing it.

For example, this will store and then display the system manufacturer’s name. 

smbios --type 1 --get-string 4 --set system_manufacturer
echo $system_manufacturer

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.87 source

Command: source file

Read file as a configuration file, as if its contents had been incorporated directly into the sourcing file. Unlike configfile (see configfile), this executes the contents of file without changing context: any environment variable changes made by the commands in file will be preserved after source returns, and the menu will not be shown immediately.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.88 stress_big_allocs

Command: stress_big_allocs

Stress test large memory allocations.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.89 test

Command: test expression

Evaluate expression and return zero exit status if result is true, non zero status otherwise.

expression is one of:

string1 == string2

the strings are equal

string1 != string2

the strings are not equal

string1 < string2

string1 is lexicographically less than string2

string1 <= string2

string1 is lexicographically less or equal than string2

string1 > string2

string1 is lexicographically greater than string2

string1 >= string2

string1 is lexicographically greater or equal than string2

integer1 -eq integer2

integer1 is equal to integer2

integer1 -ge integer2

integer1 is greater than or equal to integer2

integer1 -gt integer2

integer1 is greater than integer2

integer1 -le integer2

integer1 is less than or equal to integer2

integer1 -lt integer2

integer1 is less than integer2

integer1 -ne integer2

integer1 is not equal to integer2

prefixinteger1 -pgt prefixinteger2

integer1 is greater than integer2 after stripping off common non-numeric prefix.

prefixinteger1 -plt prefixinteger2

integer1 is less than integer2 after stripping off common non-numeric prefix.

file1 -nt file2

file1 is newer than file2 (modification time). Optionally numeric bias may be directly appended to -nt in which case it is added to the first file modification time.

file1 -ot file2

file1 is older than file2 (modification time). Optionally numeric bias may be directly appended to -ot in which case it is added to the first file modification time.

-d file

file exists and is a directory

-e file

file exists

-f file

file exists and is not a directory

-s file

file exists and has a size greater than zero

-n string

the length of string is nonzero

string

string is equivalent to -n string

-z string

the length of string is zero

( expression )

expression is true

! expression

expression is false

expression1 -a expression2

both expression1 and expression2 are true

expression1 expression2

both expression1 and expression2 are true. This syntax is not POSIX-compliant and is not recommended.

expression1 -o expression2

either expression1 or expression2 is true

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.90 tpm2_key_protector_init

Command: tpm2_key_protector_init [--mode | -m mode] | [--pcrs | -p pcrlist] | [--bank | -b pcrbank] | [--cap-pcrs | -c pcrlist] | [ [--tpm2key | -T tpm2key_file] | [--keyfile | -k keyfile] ] | [--srk | -s handle] | [--asymmetric | -a srk_type] | [--nvindex | -n nv_index]

Initialize the TPM2 key protector to unseal the key for the cryptomount (see cryptomount) command. There are two supported modes, SRK(srk) and NV index(nv), to be specified by the option -m. The default mode is SRK. The main difference between SRK mode and NV index mode is the storage of the sealed key. For SRK mode, the sealed key is stored in a file while NV index mode stores the sealed key in the non-volatile memory inside TPM with a given NV index.

The -p and -b options are used to supply the PCR list and bank that the key is sealed with. The PCR list is a comma-separated list, e.g., ’0,2,4,7,9’, to represent the involved PCRs, and the default is ’7’. The PCR bank is chosen by selecting a hash algorithm. The current supported PCR banks are SHA1, SHA256, SHA384, and SHA512, and the default is SHA256.

The -c option is introduced to enable the "capping" of a specified list of PCRs. This feature addresses scenarios where a user wants to ensure a sealed key cannot be unsealed again after its initial use. When the -c option is employed, and the key is successfully unsealed, the TPM2 key protector automatically extends the selected PCRs with an EV_SEPARATOR event. This action cryptographically alters the PCR values, thereby preventing the associated key from being unsealed in any subsequent attempts until those specific PCRs are reset to their original state, which typically occurs during a system reboot. In general, it is sufficient to extend one associated PCR to cap the key.

It’s noteworthy that a key sealed against PCR 8 naturally incorporates a "capping" behavior, even without explicitly using a -c option. This is because GRUB measures all commands into PCR 8, including those from configuration files. As a result, the value of PCR 8 changes with virtually every command execution during the boot process. Consequently, a key sealed against PCR 8 can only be unsealed once in a given boot session, as any subsequent GRUB command will alter PCR 8, invalidating the unsealing policy and effectively "capping" the key.

Some options are only available for the specific mode. The SRK-specific options are -T, -k, -a, and -s. On the other hand, the NV index-specific option is -n.

The key file for SRK mode can be supplied with either -T or -k. Those two options were used to distinguish the file formats but are same now. There are two supported file formats: raw format and TPM 2.0 Key File format. When using the key file in the raw format, the -p and -b options are necessary for the non-default PCR list or bank. On the other hand, when using the key file in TPM 2.0 Key File format, the the parameters for the TPM commands are written in the file, and there is no need to set the PCR list(-p) and bank(-b). In general, TPM 2.0 Key File format is preferred due to the simplified GRUB command options and the authorized policy support

Besides the key file, there are two options, -a and -s, to tweak the TPM Storage Root Key (SRK). The SRK can be either created at runtime or stored in the non-volatile memory. When creating SRK at runtime, GRUB provides the SRK template to the TPM to create the key. There are two SRK templates for the -a option, ECC and RSA, and the default is ECC. If the SRK is stored in a specific handle, e.g. 0x81000001, the -s option can be used to set the handle to notify GRUB to load the SRK from the given handle.

The only NV index-specific option is the -n option which is used to set the NV index containing the sealed key. Then GRUB can load the sealed key and unseal it with the given PCR list and bank.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.91 tpm2_key_protector_clear

Command: tpm2_key_protector_clear

Clear the TPM2 key protector if previously initialized.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.92 tpm2_dump_pcr

Command: tpm2_dump_pcr [bank]

Print all PCRs of the specified TPM 2.0 bank. The supported banks are ‘sha1’, ‘sha256’, ‘sha384’, and ‘sha512’. If bank is not specified, ‘sha256’ is chosen by default.

Since GRUB measures every command into PCR 8, invoking tpm2_dump_pcr also extends PCR 8, so PCR 8 will not be a stable value in GRUB shell.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.93 true

Command: true

Do nothing, successfully. This is mainly useful in control constructs such as if and while (see Writing full configuration files directly).

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.94 trust

Command: trust [--skip-sig] pubkey_file

Read public key from pubkey_file and add it to GRUB’s internal list of trusted public keys. These keys are used to validate digital signatures when environment variable check_signatures is set to enforce. Note that if check_signatures is set to enforce when trust executes, then pubkey_file must itself be properly signed. The --skip-sig option can be used to disable signature-checking when reading pubkey_file itself. It is expected that --skip-sig is useful for testing and manual booting. See Using GPG-style digital signatures in GRUB, for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.95 uki

Command: uki [-p|--path dir] [-f|--enable-fallback] [-d|--show-default] [-n|--show-non-default] [-e|--entry file]

Load Unified Kernel Image (UKI) files into the GRUB menu. Boot entries generated from uki won’t interfere with entries from grub.cfg appearing in the GRUB menu. Also, entries generated from uki exists only in memory and don’t update grub.cfg.

By default, the UKI files are stored in the /EFI/Linux directory in the EFI system partition. If UKI files are stored elsewhere, the --path option can be used to check a different directory instead of the default location. If no UKI files are found while using the --path option, the --enable-fallback option can be used to check for files in the default location.

The --show-default option allows the default boot entry to be added to the GRUB menu from the UKI files.

The --show-non-default option allows non-default boot entries to be added to the GRUB menu from the UKI files.

The --entry option allows specific boot entries to be added to the GRUB menu from the UKI files.

The --entry, --show-default, and --show-non-default options are used to filter which UKI files are added to the GRUB menu. If none are used, all files in the default location or the location specified by --path will be added to the GRUB menu.

For more information on UKI, see: The Unified Kernel Image Specification

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.96 unset

Command: unset envvar

Unset the environment variable envvar.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.97 verify_detached

Command: verify_detached [--skip-sig] file signature_file [pubkey_file]

Verifies a GPG-style detached signature, where the signed file is file, and the signature itself is in file signature_file. Optionally, a specific public key to use can be specified using pubkey_file. When environment variable check_signatures is set to enforce, then pubkey_file must itself be properly signed by an already-trusted key. An unsigned pubkey_file can be loaded by specifying --skip-sig. If pubkey_file is omitted, then public keys from GRUB’s trusted keys (see list_trusted, see trust, and see distrust) are tried.

Exit code $? is set to 0 if the signature validates successfully. If validation fails, it is set to a non-zero value. See Using GPG-style digital signatures in GRUB, for more information.

Next: , Previous: , Up: Command-line commands   [Contents][Index]

17.4.98 videoinfo

Command: videoinfo [[WxH]xD]

List available video modes. If resolution is given, show only matching modes.

Previous: , Up: Command-line commands   [Contents][Index]

17.4.99 wrmsr

Command:: wrmsr 0xADDR 0xVALUE

Write a 0xVALUE to a model-specific register at address 0xADDR.

Please note that on SMP systems, writing to a MSR that has a scope per hardware thread, implies that the value that is written only applies to the particular cpu/core/thread that runs the command.

Also, if you specify a reserved or unimplemented MSR address, it will cause a general protection exception (which is not currently being handled) and the system will reboot.

Note: The command is not allowed when lockdown is enforced (see Lockdown when booting on a secure setup). This is done to prevent subverting various security mechanisms.

Next: , Previous: , Up: Available commands   [Contents][Index]

17.5 Networking commands

Next: , Up: Networking commands   [Contents][Index]

17.5.1 net_add_addr

Command: net_add_addr interface card address

Configure additional network interface with address on a network card. address can be either IP in dotted decimal notation, or symbolic name which is resolved using DNS lookup. If successful, this command also adds local link routing entry to the default subnet of address with name interface:local’ via interface.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.2 net_add_dns

Command: net_add_dns server

Resolve server IP address and add to the list of DNS servers used during name lookup.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.3 net_add_route

Command: net_add_route shortname ip[/prefix] [interface | ‘gwgateway]

Add route to network with address ip as modified by prefix via either local interface or gateway. prefix is optional and defaults to 32 for IPv4 address and 128 for IPv6 address. Route is identified by shortname which can be used to remove it (see net_del_route).

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.4 net_bootp

Command: net_bootp [card]

Alias for net_dhcp, for compatibility with older Grub versions. Will perform the same DHCP handshake with potential fallback to BOOTP as the net_dhcp command (see net_dhcp).

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.5 net_del_addr

Command: net_del_addr interface

Remove configured interface with associated address.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.6 net_del_dns

Command: net_del_dns address

Remove address from list of servers used during name lookup.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.7 net_del_route

Command: net_del_route shortname

Remove route entry identified by shortname.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.8 net_dhcp

Command: net_dhcp [card]

Perform configuration of card using DHCP protocol. If no card name is specified, try to configure all existing cards. Falls back to the BOOTP protocol, if needed. If configuration was successful, interface with name card:dhcp’ and configured address is added to card. Additionally the following DHCP options are recognized and processed:

1 (Subnet Mask)

Used to calculate network local routing entry for interface card:dhcp’.

3 (Router)

Adds default route entry with the name card:dhcp:default’ via gateway from DHCP option. Note that only option with single route is accepted.

6 (Domain Name Server)

Adds all servers from option value to the list of servers used during name resolution.

12 (Host Name)

Sets environment variable ‘net_<card>_dhcp_hostname’ (see net_<interface>_hostname) to the value of option.

15 (Domain Name)

Sets environment variable ‘net_<card>_dhcp_domain’ (see net_<interface>_domain) to the value of option.

17 (Root Path)

Sets environment variable ‘net_<card>_dhcp_rootpath’ (see net_<interface>_rootpath) to the value of option.

18 (Extensions Path)

Sets environment variable ‘net_<card>_dhcp_extensionspath’ (see net_<interface>_extensionspath) to the value of option.

66 (TFTP Server Name)

Sets environment variable ‘net_<card>_dhcp_server_name’ (see net_<interface>_dhcp_server_name) to the value of option.

67 (Filename)

Sets environment variable ‘net_<card>_boot_file’ (see net_<interface>_boot_file) to the value of option.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.9 net_get_dhcp_option

Command: net_get_dhcp_option var interface number type

Request DHCP option number of type via interface. type can be one of ‘string’, ‘number’ or ‘hex’. If option is found, assign its value to variable var. Values of types ‘number’ and ‘hex’ are converted to string representation.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.10 net_ipv6_autoconf

Command: net_ipv6_autoconf [card]

Perform IPv6 autoconfiguration by adding to the card interface with name card:link’ and link local MAC-based address. If no card is specified, perform autoconfiguration for all existing cards.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.11 net_ls_addr

Command: net_ls_addr

List all configured interfaces with their MAC and IP addresses.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.12 net_ls_cards

Command: net_ls_cards

List all detected network cards with their MAC address.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.13 net_ls_dns

Command: net_ls_dns

List addresses of DNS servers used during name lookup.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.14 net_ls_routes

Command: net_ls_routes

List routing entries.

Next: , Previous: , Up: Networking commands   [Contents][Index]

17.5.15 net_nslookup

Command: net_nslookup name [server]

Resolve address of name using DNS server server. If no server is given, use default list of servers.

Previous: , Up: Networking commands   [Contents][Index]

17.5.16 net_set_vlan

Command: net_set_vlan interface vlanid

Set the 802.1Q VLAN identifier on interface to vlanid. For example, to set the VLAN identifier on interface ‘efinet1’ to ‘100’: 

net_set_vlan efinet1 100

The VLAN identifier can be removed by setting it to ‘0’: 

net_set_vlan efinet1 0

Previous: , Up: Available commands   [Contents][Index]

17.6 Commands currently undocumented

Unfortunately, not all GRUB commands are documented at this time due to developer resource constraints. One way to contribute back to the GRUB project would be to help document these commands, and submit patches or ideas to the mailing list. The following is a (most likely incomplete) list of undocumented or poorly documented commands and not all of them are allowed for all platforms. Running the command help from within the GRUB shell may provide more information on parameters and usage.

  • all_functional_test - Run all functional tests.
  • backtrace - Print backtrace.
  • boottime - Show boot time statistics.
  • cacheinfo - Get disk cache info.
  • cbmemc - Show CBMEM console content.
  • cmosset - Set bit at BYTE:BIT in CMOS.
  • coreboot_boottime - Show coreboot boot time statistics.
  • dump - Show memory contents.
  • efiemu_loadcore - Load and initialize EFI emulator.
  • efiemu_prepare - Finalize loading of EFI emulator.
  • efiemu_unload - Unload EFI emulator.
  • exit - Exit from GRUB.
  • extract_entries_configfile - Load another config file but take only menu entries.
  • extract_entries_source - Load another config file without changing context but take only menu entries.
  • extract_legacy_entries_configfile - Parse legacy config in new context taking only menu entries
  • extract_legacy_entries_source - Parse legacy config in same context taking only menu entries
  • extract_syslinux_entries_configfile - Execute syslinux config in new context taking only menu entries
  • extract_syslinux_entries_source - Execute syslinux config in same context taking only menu entries
  • fakebios - Create BIOS-like structures for backward compatibility with existing OS.
  • fix_video - Fix video problem.
  • fpswa - Display FPSWA version.
  • functional_test - Run all loaded functional tests.
  • gdbstub_break - Break into GDB
  • gdbstub - Start GDB stub on given port
  • gdbstub_stop - Stop GDB stub
  • hdparm - Get/set ATA disk parameters.
  • hexdump_random - Hexdump random data.
  • inb - Read 8-bit value from PORT.
  • inl - Read 32-bit value from PORT.
  • inw - Read 16-bit value from PORT.
  • jpegtest - Tests loading of JPEG bitmap.
  • keymap - Load a keyboard layout.
  • legacy_check_password - Simulate grub-legacy ‘password’ command in menu entry mode
  • legacy_configfile - Parse legacy config in new context
  • legacy_password - Simulate grub-legacy ‘password’ command
  • legacy_source - Parse legacy config in same context
  • loadbios - Load BIOS dump.
  • lsacpi - Show ACPI information.
  • lsapm - Show APM information.
  • lscoreboot - List coreboot tables.
  • lsdev - List devices.
  • lsefi - Display EFI handles.
  • lsefimmap - Display EFI memory map.
  • lsefisystab - Display EFI system tables.
  • lsmmap - List memory map provided by firmware.
  • lspci - List PCI devices.
  • lssal - Display SAL system table.
  • lsspd - Print Memory information.
  • macppcbless - Bless DIR of HFS or HFS+ partition for PPC macs.
  • mactelbless - Bless FILE of HFS or HFS+ partition for intel macs.
  • net_set_vlan - Set an interface’s vlan id.
  • outb - Write 8-bit VALUE to PORT.
  • outl - Write 32-bit VALUE to PORT.
  • outw - Write 16-bit VALUE to PORT.
  • pcidump - Show raw dump of the PCI configuration space.
  • pngtest - Tests loading of PNG bitmap.
  • read_byte - Read 8-bit value from ADDR.
  • read_dword - Read 32-bit value from ADDR.
  • read_word - Read 16-bit value from ADDR.
  • setpci - Manipulate PCI devices.
  • suspend - Return to IEEE1275 prompt.
  • syslinux_configfile - Execute syslinux config in new context
  • syslinux_source - Execute syslinux config in same context
  • test_blockarg - Print and execute block argument., 0
  • testload - Load the same file in multiple ways.
  • testspeed - Test file read speed.
  • tgatest - Tests loading of TGA bitmap.
  • time - Measure time used by COMMAND
  • tr - Translate SET1 characters to SET2 in STRING.
  • usb - Test USB support.
  • vbeinfo - List available video modes. If resolution is given show only modes matching it.
  • vbetest - Test video subsystem.
  • videotest - Test video subsystem in mode WxH.
  • write_byte - Write 8-bit VALUE to ADDR.
  • write_dword - Write 32-bit VALUE to ADDR.
  • write_word - Write 16-bit VALUE to ADDR.
  • xen_cat - List Xen storage.
  • xen_ls - List Xen storage.
  • xnu_devprop_load - Load ‘device-properties’ dump.
  • xnu_uuid - Transform 64-bit UUID to format suitable for XNU. If -l is given keep it lowercase as done by blkid.
  • zfs-bootfs - Print ZFS-BOOTFSOBJ or store it into VARIABLE
  • zfsinfo - Print ZFS info about DEVICE.
  • zfskey - Import ZFS wrapping key stored in FILE.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

18 Internationalisation

18.1 Charset

GRUB uses UTF-8 internally other than in rendering where some GRUB-specific appropriate representation is used. All text files (including config) are assumed to be encoded in UTF-8.

18.2 Filesystems

NTFS, JFS, UDF, HFS+, exFAT, long filenames in FAT, Joliet part of ISO9660 are treated as UTF-16 as per specification. AFS and BFS are read as UTF-8, again according to specification. BtrFS, cpio, tar, squash4, minix, minix2, minix3, ROMFS, ReiserFS, XFS, EROFS, ext2, ext3, ext4, FAT (short names), F2FS, RockRidge part of ISO9660, nilfs2, UFS1, UFS2 and ZFS are assumed to be UTF-8. This might be false on systems configured with legacy charset but as long as the charset used is superset of ASCII you should be able to access ASCII-named files. And it’s recommended to configure your system to use UTF-8 to access the filesystem, convmv may help with migration. ISO9660 (plain) filenames are specified as being ASCII or being described with unspecified escape sequences. GRUB assumes that the ISO9660 names are UTF-8 (since any ASCII is valid UTF-8). There are some old CD-ROMs which use CP437 in non-compliant way. You’re still able to access files with names containing only ASCII characters on such filesystems though. You’re also able to access any file if the filesystem contains valid Joliet (UTF-16) or RockRidge (UTF-8). AFFS, SFS and HFS never use unicode and GRUB assumes them to be in Latin1, Latin1 and MacRoman respectively. GRUB handles filesystem case-insensitivity however no attempt is performed at case conversion of international characters so e.g. a file named lowercase greek alpha is treated as different from the one named as uppercase alpha. The filesystems in questions are NTFS (except POSIX namespace), HFS+ (configurable at mkfs time, default insensitive), SFS (configurable at mkfs time, default insensitive), JFS (configurable at mkfs time, default sensitive), HFS, AFFS, FAT, exFAT and ZFS (configurable on per-subvolume basis by property “casesensitivity”, default sensitive). On ZFS subvolumes marked as case insensitive files containing lowercase international characters are inaccessible. Also like all supported filesystems except HFS+ and ZFS (configurable on per-subvolume basis by property “normalization”, default none) GRUB makes no attempt at check of canonical equivalence so a file name u-diaresis is treated as distinct from u+combining diaresis. This however means that in order to access file on HFS+ its name must be specified in normalisation form D. On normalized ZFS subvolumes filenames out of normalisation are inaccessible.

18.3 Output terminal

Firmware output console “console” on ARC and IEEE1275 are limited to ASCII.

BIOS firmware console and VGA text are limited to ASCII and some pseudographics.

None of above mentioned is appropriate for displaying international and any unsupported character is replaced with question mark except pseudographics which we attempt to approximate with ASCII.

EFI console on the other hand nominally supports UTF-16 but actual language coverage depends on firmware and may be very limited.

The encoding used on serial can be chosen with terminfo as either ASCII, UTF-8 or “visual UTF-8”. Last one is against the specification but results in correct rendering of right-to-left on some readers which don’t have own bidi implementation.

On emu GRUB checks if charset is UTF-8 and uses it if so and uses ASCII otherwise.

When using gfxterm or gfxmenu GRUB itself is responsible for rendering the text. In this case GRUB is limited by loaded fonts. If fonts contain all required characters then bidirectional text, cursive variants and combining marks other than enclosing, half (e.g. left half tilde or combining overline) and double ones. Ligatures aren’t supported though. This should cover European, Middle Eastern (if you don’t mind lack of lam-alif ligature in Arabic) and East Asian scripts. Notable unsupported scripts are Brahmic family and derived as well as Mongolian, Tifinagh, Korean Jamo (precomposed characters have no problem) and tonal writing (2e5-2e9). GRUB also ignores deprecated (as specified in Unicode) characters (e.g. tags). GRUB also doesn’t handle so called “annotation characters” If you can complete either of two lists or, better, propose a patch to improve rendering, please contact developer team.

18.4 Input terminal

Firmware console on BIOS, IEEE1275 and ARC doesn’t allow you to enter non-ASCII characters. EFI specification allows for such but author is unaware of any actual implementations. Serial input is currently limited for latin1 (unlikely to change). Own keyboard implementations (at_keyboard and usb_keyboard) supports any key but work on one-char-per-keystroke. So no dead keys or advanced input method. Also there is no keymap change hotkey. In practice it makes difficult to enter any text using non-Latin alphabet. Moreover all current input consumers are limited to ASCII.

18.5 Gettext

GRUB supports being translated. For this you need to have language *.mo files in $prefix/locale, load gettext module and set “lang” variable.

18.6 Regexp

Regexps work on unicode characters, however no attempt at checking canonical equivalence has been made. Moreover the classes like [:alpha:] match only ASCII subset.

18.7 Other

Currently GRUB always uses YEAR-MONTH-DAY HOUR:MINUTE:SECOND [WEEKDAY] 24-hour datetime format but weekdays are translated. GRUB always uses the decimal number format with [0-9] as digits and . as descimal separator and no group separator. IEEE1275 aliases are matched case-insensitively except non-ASCII which is matched as binary. Similar behaviour is for matching OSBundleRequired. Since IEEE1275 aliases and OSBundleRequired don’t contain any non-ASCII it should never be a problem in practice. Case-sensitive identifiers are matched as raw strings, no canonical equivalence check is performed. Case-insensitive identifiers are matched as RAW but additionally [a-z] is equivalent to [A-Z]. GRUB-defined identifiers use only ASCII and so should user-defined ones. Identifiers containing non-ASCII may work but aren’t supported. Only the ASCII space characters (space U+0020, tab U+000b, CR U+000d and LF U+000a) are recognised. Other unicode space characters aren’t a valid field separator. test (see test) tests <, >, <=, >=, -pgt and -plt compare the strings in the lexicographical order of unicode codepoints, replicating the behaviour of test from coreutils. environment variables and commands are listed in the same order.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

19 Security

Next: , Up: Security   [Contents][Index]

19.1 Authentication and authorisation in GRUB

By default, the boot loader interface is accessible to anyone with physical access to the console: anyone can select and edit any menu entry, and anyone can get direct access to a GRUB shell prompt. For most systems, this is reasonable since anyone with direct physical access has a variety of other ways to gain full access, and requiring authentication at the boot loader level would only serve to make it difficult to recover broken systems.

However, in some environments, such as kiosks, it may be appropriate to lock down the boot loader to require authentication before performing certain operations.

The ‘password’ (see password) and ‘password_pbkdf2’ (see password_pbkdf2) commands can be used to define users, each of which has an associated password. ‘password’ sets the password in plain text, requiring grub.cfg to be secure; ‘password_pbkdf2’ sets the password hashed using the Password-Based Key Derivation Function (RFC 2898), requiring the use of grub-mkpasswd-pbkdf2 (see Invoking grub-mkpasswd-pbkdf2) to generate password hashes.

In order to enable authentication support, the ‘superusers’ environment variable must be set to a list of usernames, separated by any of spaces, commas, semicolons, pipes, or ampersands. Superusers are permitted to use the GRUB command line, edit menu entries, and execute any menu entry. If ‘superusers’ is set, then use of the command line and editing of menu entries are automatically restricted to superusers. Setting ‘superusers’ to empty string effectively disables both access to CLI and editing of menu entries. Building a grub image with ‘--disable-cli’ option will also disable access to CLI and editing of menu entries, as well as disabling rescue mode. Note: The environment variable needs to be exported to also affect the section defined by the ‘submenu’ command (see submenu).

Other users may be allowed to execute specific menu entries by giving a list of usernames (as above) using the --users option to the ‘menuentry’ command (see menuentry). If the --unrestricted option is used for a menu entry, then that entry is unrestricted. If the --users option is not used for a menu entry, then that only superusers are able to use it.

Putting this together, a typical grub.cfg fragment might look like this: 

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
password user1 insecure

menuentry "May be run by any user" --unrestricted {
	set root=(hd0,1)
	linux /vmlinuz
}

menuentry "Superusers only" --users "" {
	set root=(hd0,1)
	linux /vmlinuz single
}

menuentry "May be run by user1 or a superuser" --users user1 {
	set root=(hd0,2)
	chainloader +1
}

The grub-mkconfig program does not yet have built-in support for generating configuration files with authentication. You can use /etc/grub.d/40_custom to add simple superuser authentication, by adding set superusers= and password or password_pbkdf2 commands.

Next: , Previous: , Up: Security   [Contents][Index]

19.2 Using GPG-style digital signatures in GRUB

GRUB’s core.img can optionally provide enforcement that all files subsequently read from disk are covered by a valid digital signature. This section does not cover how to ensure that your platform’s firmware (e.g., Coreboot) validates core.img.

If environment variable check_signatures (see check_signatures) is set to enforce, then every attempt by the GRUB core.img to load another file foo implicitly invokes verify_detached foo foo.sig (see verify_detached). foo.sig must contain a valid digital signature over the contents of foo, which can be verified with a public key currently trusted by GRUB (see list_trusted, see trust, and see distrust). If validation fails, then file foo cannot be opened. This failure may halt or otherwise impact the boot process.

An initial trusted public key can be embedded within the GRUB core.img using the --pubkey option to grub-install (see Invoking grub-install).

GRUB uses GPG-style detached signatures (meaning that a file foo.sig will be produced when file foo is signed), and currently supports the DSA and RSA signing algorithms. A signing key can be generated as follows: 

gpg --gen-key

An individual file can be signed as follows: 

gpg --detach-sign /path/to/file

For successful validation of all of GRUB’s subcomponents and the loaded OS kernel, they must all be signed. One way to accomplish this is the following (after having already produced the desired grub.cfg file, e.g., by running grub-mkconfig (see Invoking grub-mkconfig): 

# Edit /dev/shm/passphrase.txt to contain your signing key's passphrase
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
  -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
  -name "grubenv"`;
do
  gpg --batch --detach-sign --passphrase-fd 0 $i < \
    /dev/shm/passphrase.txt
done
shred /dev/shm/passphrase.txt

See also: check_signatures, verify_detached, trust, list_trusted, distrust, load_env, save_env.

Note that internally signature enforcement is controlled by setting the environment variable check_signatures equal to enforce. Passing one or more --pubkey options to grub-mkimage implicitly defines check_signatures equal to enforce in core.img prior to processing any configuration files.

Note that signature checking does not prevent an attacker with (serial, physical, ...) console access from dropping manually to the GRUB console and executing: 

set check_signatures=no

To prevent this, password-protection (see Authentication and authorisation in GRUB) is essential. Note that even with GRUB password protection, GRUB itself cannot prevent someone with physical access to the machine from altering that machine’s firmware (e.g., Coreboot or BIOS) configuration to cause the machine to boot from a different (attacker-controlled) device. GRUB is at best only one link in a secure boot chain.

Next: , Previous: , Up: Security   [Contents][Index]

19.3 Using appended signatures in GRUB

GRUB supports verifying Linux-style ’appended signatures’ for Linux on Power LPAR secure boot. Appended signatures are PKCS#7 messages containing a signature over the contents of a file, plus some metadata, appended to the end of a file. A file with an appended signature ends with the magic string: 

~Module signature appended~\n

where \n represents the line feed character, 0x0a.

Linux on Power LPAR secure boot is controlled by ’ibm,secure-boot’ device tree property and if this property is set to 2 (‘enforce’), GRUB enters lockdown mode. There are three secure boot modes. They are

  • 0 - disabled’: Secure boot is disabled. This is the default.
  • 1 - audit’: Enforce signature verification by setting check_appended_signatures (see check_appended_signatures) to yes and do not enter lockdown mode. Signature verification is performed and if signature verification fails, display the errors and allow the boot to continue.
  • 2 - enforce’: Enter lockdown mode and enforce signature verification by setting check_appended_signatures (see check_appended_signatures) to yes.

Note that Linux on Power LPAR only supports ‘0 - disabled’ and ‘2 - enforce’, and ‘1 - audit’ is considered as secure boot being disabled.

Enforcement of signature verification is controlled by the environment variable check_appended_signatures (see check_appended_signatures).

  • no’: No verification is performed. This is the default.
  • yes’: Signature verification is performed and if signature verification fails, display the errors and stop the boot. Signature verification cannot be disabled by setting the check_appended_signatures variable back to ‘no’.

To enable appended signature verification, load the appendedsig module and an X.509 certificate for verification. It is recommended to build the appendedsig module into the core GRUB image.

Key management is controlled by the environment variable appendedsig_key_mgmt (see appendedsig_key_mgmt).

  • static’: Enforce static key management signature verification. This is the default. When GRUB is in lockdown mode, then the user cannot change the value of the appendedsig_key_mgmt.
  • dynamic’: Enforce dynamic key management signature verification. When GRUB is in lockdown mode, then the user cannot change the value of the appendedsig_key_mgmt.

In static key management mode, certificates will be built into the core image using the --x509 parameter to grub-mkimage. The list of trusted certificates available at boot time can be shown using append_list_db (see append_list_db). Distrusted certificates can be explicitly removed from the db using append_add_dbx_cert (see append_add_dbx_cert). Also, trusted certificates can be explicitly added to the db using append_add_db_cert (see append_add_db_cert).

In dynamic key management mode, db and dbx are read from the Platform KeyStore (PKS). If db does not exist in PKS, static keys (built-in keys) are used as the default keys. The list of trusted certificates and binary hashes available at boot time can be shown using append_list_db (see append_list_db) and the list of distrusted certificates and binary/certificate hashes available at boot time can be shown using append_list_dbx (see append_list_dbx). The trusted certificates and binary hashes can be explicitly added to the db using append_add_db_cert (see append_add_db_cert) and append_add_db_hash (see append_add_db_hash). Distrusted certificates can be explicitly added to the dbx using append_add_dbx_cert (see append_add_dbx_cert) and distrusted certificate/binary hashes can be explicitly added to the dbx using append_add_dbx_hash (see append_add_dbx_hash).

A file can be explicitly verified using append_verify (see append_verify).

Note that when the environment variable check_appended_signatures is set to yes, the append_add_db_cert and append_add_dbx_cert commands only accept the file ‘X509_certificate’ that is signed with an appended signature (see Signing certificate and hash files), and the append_add_db_hash and append_add_dbx_hash commands only accept the file ‘hash_file’ that is signed with an appended signature (see Signing certificate and hash files). The signature is verified by the appendedsig module. When the environment variable check_appended_signatures is set to no, these commands accept files without an appended signature.

Also, note that ‘X509_certificate’ should be in DER-format and ‘hash_file’ should be in binary format. Only SHA-256, SHA-384, or SHA-512 hashes of binary/certificate are allowed. Certificates/hashes of certificates/binaries added through append_add_db_cert, append_add_dbx_cert, append_add_db_hash, and append_add_dbx_hash will not be persisted across boots.

Only signatures created using SHA-256 or SHA-512 hash algorithm along with RSA keys of size 2048, 3072, or 4096 bits are supported.

A file can be signed with the sign-file utility supplied with the Linux kernel source. For example, if you have signing.key as the private key and certificate.der as the X.509 certificate containing the public key: 

sign-file SHA256 signing.key certificate.der vmlinux vmlinux.signed

Once signature verification is turned on, the following file types must carry appended signatures:

  1. Linux kernels
  2. GRUB modules, except those built in to the core image
  3. Any new certificate or binary hash files to be trusted
  4. Any new certificate/binary hash files to be distrusted

When GRUB is in lockdown mode (when secure boot mode is set to enforce), signature verification cannot be disabled by setting the check_appended_signatures (see check_appended_signatures) variable to no or using the load_env (see load_env) command from the GRUB console.

Next: , Previous: , Up: Security   [Contents][Index]

19.4 UEFI secure boot and shim support

The GRUB works with UEFI secure boot and the shim. This functionality is provided by the shim_lock verifier. It is built into the core.img and is registered if the UEFI secure boot is enabled. The ‘shim_lock’ variable is set to ‘y’ when shim_lock verifier is registered. If it is desired to use UEFI secure boot without shim, one can disable shim_lock by disabling shim verification with MokSbState UEFI variable or by building grub image with ‘--disable-shim-lock’ option.

All GRUB modules not stored in the core.img, OS kernels, ACPI tables, Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands that can be used to subvert the UEFI secure boot mechanism, such as iorw and memrw will not be available when the UEFI secure boot is enabled. This is done for security reasons and are enforced by the GRUB Lockdown mechanism (see Lockdown when booting on a secure setup).

Next: , Previous: , Up: Security   [Contents][Index]

19.5 Embedded information for generation number based revocation

The Secure Boot Advanced Targeting (SBAT) is a mechanism to allow the revocation of components in the boot path by using generation numbers embedded into the EFI binaries. The SBAT metadata is located in an .sbat data section that has set of UTF-8 strings as comma-separated values (CSV). See https://github.com/rhboot/shim/blob/main/SBAT.md for more details.

To add a data section containing the SBAT information into the binary, the --sbat option of grub-mkimage command should be used. The content of a CSV file, encoded with UTF-8, is copied as is to the .sbat data section into the generated EFI binary. The CSV file can be stored anywhere on the file system. 

grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp

Next: , Previous: , Up: Security   [Contents][Index]

19.6 Measuring boot components

If the tpm module is loaded and the platform has a Trusted Platform Module installed, GRUB will log each command executed and each file loaded into the TPM event log and extend the PCR values in the TPM correspondingly. All events will be logged into the PCR described below with a type of EV_IPL and an event description as described below.

Event typePCRDescription
Command8All executed commands (including those from configuration files) will be logged and measured as entered with a prefix of “grub_cmd: “
Kernel command line8Any command line passed to a kernel will be logged and measured as entered with a prefix of “kernel_cmdline: ”
Module command line8Any command line passed to a kernel module will be logged and measured as entered with a prefix of “module_cmdline: “
Files9Any file read by GRUB will be logged and measured with a descriptive text corresponding to the filename.

GRUB will not measure its own core.img - it is expected that firmware will carry this out. GRUB will also not perform any measurements until the tpm module is loaded. As such it is recommended that the tpm module be built into core.img in order to avoid a potential gap in measurement between core.img being loaded and the tpm module being loaded.

Measured boot is currently only supported on EFI and IBM IEEE1275 PowerPC platforms.

Next: , Previous: , Up: Security   [Contents][Index]

19.7 Lockdown when booting on a secure setup

The GRUB can be locked down when booted on a secure boot environment, for example if UEFI or Power secure boot is enabled. On a locked down configuration, the GRUB will be restricted and some operations/commands cannot be executed. This also includes limiting which filesystems are supported to those thought to be more robust and widely used within GRUB.

The filesystems currently allowed in lockdown mode include:

  • BtrFS
  • cpio
  • exFAT
  • Enhanced Read-Only File System (EROFS)
  • Linux ext2/ext3/ext4
  • F2FS
  • DOS FAT12/FAT16/FAT32
  • HFS+
  • ISO9660
  • Squash4
  • tar
  • XFS
  • ZFS

The filesystems currently not allowed in lockdown mode include:

  • Amiga Fast FileSystem (AFFS)
  • AtheOS File System (AFS)
  • Bee File System (BFS)
  • Coreboot File System (CBFS)
  • Hierarchical File System (HFS)
  • Journaled File System (JFS)
  • Minix filesystem
  • New Implementation of Log filesystem (nilfs2)
  • Windows New Technology File System (NTFS)
  • ReiserFS
  • Read-Only Memory File System (ROMFS)
  • Amiga Smart File System (SFS)
  • Universal Disk Format (UDF)
  • Unix File System (UFS)

The ‘lockdown’ variable is set to ‘y’ when the GRUB is locked down. Otherwise it does not exist.

Next: , Previous: , Up: Security   [Contents][Index]

19.8 TPM2 key protector in GRUB

TPM2 key protector extends measured boot to unlock the encrypted partition without user intervention. It uses the TPM Storage Root Key (SRK) to seal the disk key with a given set of PCR values. If the system state matches, i.e. PCR values match the sealed PCR set, TPM2 key protector unseals the disk key for cryptomount (see cryptomount) to unlock the encrypted partition. In case the unsealed key fails to unlock the partition, cryptomount falls back to the passphrase prompt.

Please note that TPM2 key protector uses the SRK in the owner hierarchy without authorization. If the owner hierarchy is password-protected, TPM2 key protector may fail to unseal the key due to the absence of the password. For the systems that already enable the password protection for the owner hierarchy, the following command removes the password protection with the existing password. 

# tpm2_changeauth -c owner -p password

There are two supported modes to store the sealed key, SRK and NV index. The details will be addressed in later sections.

TPM2 key protector is currently only supported on EFI and EMU platforms.

19.8.1 TPM PCR usage

Since TPM2 key protector relies on PCRs to check the system state, it is important to decide which PCRs to seal the key with. The following table lists uses of PCRs and the measured objects on EFI platforms.

PCRUsed byMeasured Objects
0FirmwareCore system firmware executable code
1FirmwareCore system firmware data/host platform configuration; typically contains serial and model numbers
2FirmwareExtended or pluggable executable code; includes option ROMs on pluggable hardware
3FirmwareExtended or pluggable firmware data; includes information about pluggable hardware
4FirmwareBoot loader and additional drivers; binaries and extensions loaded by the boot loader
5FirmwareGPT/Partition table
7FirmwareSecureBoot state
8GRUBCommands and kernel command line
9GRUBAll files read (including kernel image)
9Linux KernelAll passed initrds (when the new LOAD_FILE2 initrd protocol is used)
10Linux KernelProtection of the IMA measurement log
14shim“MOK” certificates and hashes

PCR 0, 2, 4, and 7 can be used to check the integrity of the firmware code and bootloaders. PCR 8 and 9 are useful to check the file and data processed by GRUB. PCRs 10, 11, 12, 13, and 15 are controlled by the operating system, so those PCRs are usually still in the initial state when GRUB is running.

In general, it is nice to include PCR 0, 2, 4, and 7 to ensure the integrity of the firmware and bootloaders. For PCR 8 and 9, a sophisticated tool is required to examine the GRUB configuration files and the files to be loaded to calculate the correct PCR values.

Please note that PCRs are sensitive to any change, so an update of a component could invalidate the sealed key, due to the so-called PCR brittleness. For the bootloader update, PCR 4 may be affected. This can be mitigated by extracting the events from the TPM event log and predict the value with the updated bootloader binary. On the other hand, it is difficult to predict PCR 0~7 after a firmware update since the content of the code and the order of drivers may not follow the TPM event log from the previous firmware version, so it is necessary to reboot the system to update the measurement results of PCR 0~7 and seal or sign the sealed key again.

Reference: Linux TPM PCR Registry

19.8.2 Setting up the extra disk key

Instead of using the existing password, it is recommended to seal a new random disk key and use the existing password for recovery.

Here are the sample commands to create a 128 random bytes key file and enroll the key into the target partition (sda2). 

# dd if=/dev/urandom of=luks.key bs=1 count=128
# cryptsetup luksAddKey /dev/sda2 luks.key --pbkdf=pbkdf2 --hash=sha512

19.8.3 SRK mode

To unlock the partition with SRK mode, assume that the sealed key is in (hd0,gpt1)/efi/grub/sealed.tpm, the following GRUB commands unseal the disk key with SRK mode and supply it to cryptomount. 

grub> tpm2_key_protector_init -T (hd0,gpt1)/efi/grub/sealed.tpm
grub> cryptomount -u <UUID> -P tpm2

There are two programs to create the sealed key for SRK mode: grub-protect and pcr-oracle (https://github.com/okirch/pcr-oracle).

The following sample command uses grub-protect to seal the random key, luks.key, with PCR 0, 2, 4 and 7 in TPM 2.0 Key File format. 

# grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm

grub-protect only seals the key with the current PCR values. Therefore, when a boot component, such as shim or GRUB, is updated, it is necessary to reboot the system to update the measurement results and seal the key again. That means the random disk key has to be stored in cleartext for the next key sealing. Besides this, the measurement result of some PCRs may differ between boot time and OS runtime. For example, PCR 9 measures the files loaded by GRUB including the Linux kernel and initrd. To unlock the disk containing the kernel and initrd, the key has to be sealed with PCR 9 value before loading the kernel and initrd. However, PCR 9 changes after GRUB loading the kernel and initrd, so PCR 9 at OS runtime cannot be used directly for key sealing.

To solve these problems, pcr-oracle takes a different approach. It reads the TPM eventlog and predicts the PCR values. Besides, pcr-oracle also supports “authorized policy” which allows the PCR policy to be updated with a valid signature, so that the user only seals the random disk key once. If at some later time the PCR values change due to an update of the system firmware, bootloader, or config file, the user just needs to update the signature of the PCR policy.

To seal the key with the authorized policy, the first thing is to generate the RSA policy key, policy-key.pem, and the authorized policy file, authorized.policy. In this example, PCR 0, 2, 4, 7 and 9 are chosen for key sealing. 

# pcr-oracle --rsa-generate-key \
             --private-key policy-key.pem \
             --auth authorized.policy \
             create-authorized-policy 0,2,4,7,9

Then, we seal the random disk key, luks.key, with the authorized policy file and save the sealed key in sealed.key. 

# pcr-oracle --key-format tpm2.0 \
             --auth authorized.policy \
             --input luks.key \
             --output sealed.key \
             seal-secret

Since we now have the sealed key, we can remove the random disk key file luks.key.

The last step is to sign the predicted PCR policy and save the final key file, sealed.tpm. 

# pcr-oracle --key-format tpm2.0 \
             --private-key policy-key.pem \
             --from eventlog \
             --stop-event "grub-file=grub.cfg" \
             --after \
             --input sealed.key \
             --output /boot/efi/efi/grub/sealed.tpm \
             sign 0,2,4,7,9

Here we also set a stop event for the prediction. With --stop-event grub-file=grub.cfg --after, pcr-oracle stops the calculation of PCR values right after GRUB loads grub.cfg.

When/After the shim or GRUB are updated, it only requires to run the last pcr-oracle command to update the predicted PCR policy.

19.8.4 NV index mode

Instead of storing the sealed key in a file, NV index mode uses the TPM non-volatile memory to store the sealed key and could be useful when accessing the file is not possible.

However, the Linux root user must be careful who she/he gives access to the TPM (tss group) since those users will also be able to modify the NV index that’s holding the key.

There are two types of TPM handles supported by NV index mode: persistent handle and NV index handle.

19.8.4.1 Persistent handle

The range of persistent handles is from 0x81000000 to 0x81FFFFFF. The persistent handle is designed to make TPM objects persistent through power cycles, and only TPM objects, such as RSA or EC keys, are accepted. Thus, only the raw format is supported by persistent handles. The following shows the grub-protect command to seal the disk key luks.key into the persistent handle 0x81000000 with the PCRs 0,2,4,7. 

# grub-protect \
             --protector=tpm2 \
             --action=add \
             --tpm2-bank=sha256 \
             --tpm2-pcrs=0,2,4,7 \
             --tpm2-keyfile=luks.key \
             --tpm2-nvindex=0x81000000

To unseal the key, we have to specify the mode nv, the persistent handle 0x81000000, and the PCRs 0,2,4,7 for the tpm2_key_protector_init command. 

grub> tpm2_key_protector_init --mode=nv --nvindex=0x81000000 --pcrs=0,2,4,7
grub> cryptomount -u <UUID> --protector tpm2

If the key in the persistent handle becomes unwanted, the following grub-protect command removes the specified persistent handle 0x81000000. 

# grub-protect \
             --protector=tpm2 \
             --action=remove \
             --tpm2-evict \
             --tpm2-nvindex=0x81000000

19.8.4.2 NV index handle

The range of NV index handles is from 0x1000000 to 0x1FFFFFF. Unlike the persistent handle, the NV index handle allows user-defined data, so it can easily support both the TPM 2.0 Key File format as well as the raw format.

The following grub-protect command seals the disk key luks.key into the NV index handle 0x1000000 with the PCRs 0,2,4,7 while using the TPM 2.0 Key File format. 

# grub-protect \
             --protector=tpm2 \
             --action=add \
             --tpm2key \
             --tpm2-bank=sha256 \
             --tpm2-pcrs=0,2,4,7 \
             --tpm2-keyfile=luks.key \
             --tpm2-nvindex=0x1000000

Furthermore, it is also possible to insert an existing key file, sealed.tpm, into a specific NV index handle using the following tpm2-tools (https://github.com/tpm2-software/tpm2-tools) commands. 

# tpm2_nvdefine -C o \
             -a "ownerread|ownerwrite" \
             -s $(stat -c %s sealed.tpm) \
             0x1000000

# tpm2_nvwrite -C o -i sealed.tpm 0x1000000

When unsealing the key in TPM 2.0 Key File format, only the mode nv and the NV index handle 0x1000000 have to be specified for the tpm2_key_protector_init command. 

grub> tpm2_key_protector_init --mode=nv --nvindex=0x1000000
grub> cryptomount -u <UUID> --protector tpm2

The following grub-protect command allows to remove the specified NV index handle 0x1000000. 

# grub-protect \
             --protector=tpm2 \
             --action=remove \
             --tpm2-evict \
             --tpm2-nvindex=0x1000000

19.8.5 Setting up software TPM for EMU platform

In order to test TPM2 key protector and TPM2 Software Stack (TSS2), it is useful to set up a software TPM (swtpm) instance and run the commands on the EMU platform.

Here are the commands to start a swtpm instance which provides a character device interface. To store the TPM states, the directory, swtpm-state, is created before the swtpm command. All the messages are stored in swtpm.log including the name of the character device. 

# mkdir swtpm-state

# swtpm chardev --vtpm-proxy --tpmstate dir=swtpm-state \
        --tpm2 --ctrl type=unixio,path="swtpm-state/ctrl" \
        --flags startup-clear --daemon > swtpm.log

Then, we extract the name of the character device from swtpm.log and save it to the variable, ‘tpm2dev’. 

# tpm2dev=$(grep "New TPM device" swtpm.log | cut -d' ' -f 4)

Now we can start grub-emu with --tpm-device $tpm2dev to interact with the swtpm instance. 

# grub-emu --tpm-device $tpm2dev

On the host, the tpm2-tools commands can interact with the swtpm instance by setting ‘TPM2TOOLS_TCTI’. 

# export TPM2TOOLS_TCTI="device:$tpm2dev"

When the test is done, use swtpm_ioctl to send the shutdown command through the swtpm control channel. 

# swtpm_ioctl -s --unix swtpm-state/ctrl

19.8.6 Command line and menuentry editor protection

The TPM key protector provides full disk encryption support on servers or virtual machine images, meanwhile keeping the boot process unattended. This prevents service disruptions by eliminating the need for manual password input during startup, improving system uptime and continuity. It is achieved by TPM, which verifies the integrity of boot components by checking cryptographic hashes against securely stored values, to confirm the disks are unlocked in a trusted state.

However, for users to access the system interactively, some form of authentication is still required, as the disks are not unlocked by an authorized user. This raised concerns about using an unprotected ‘command-line interface’ (see The flexible command-line interface), as anyone could execute commands to access decrypted data. To address this issue, the LUKS password is used to ensure that only authorized users are granted access to the interface. Additionally, the ‘menu entry editor’ (see Editing a menu entry) is also safeguarded by the LUKS password, as modifying a boot entry is effectively the same as altering the grub.cfg file read from encrypted files.

It is worth mentioning that the built-in password support, as described in ‘Authentication and Authorization in GRUB’ (see Authentication and authorisation in GRUB), can also be used to protect the command-line interface from unauthorized access. However, it is not recommended to rely on this approach as it is an optional step. Setting it up requires additional manual intervention, which increases the risk of password leakage during the process. Moreover, the superuser list must be well maintained, and the password used cannot be synchronized with LUKS key rotation.

Next: , Previous: , Up: Security   [Contents][Index]

19.9 Signing certificate and hash files

X.509 certificate (public key) files and hash files (binary/certificate hash files) can be signed with a Linux kernel module-style appended signature.

The signer.key is a private key used for signing and signer.der is the corresponding public key (certificate) used for appended signature verification. Note that the signer.der (certificate) should exist in the db (see Using appended signatures in GRUB).

  • Signing the X.509 certificate file using sign-file. The kernel.der is an X.509 certificate file. 
    
sign-file SHA256 signer.key signer.der kernel.der \
  kernel.der.signed
  • Signing the hash file using sign-file. The binary_hash.bin is a binary hash file. 
    
sign-file SHA256 signer.key signer.der binary_hash.bin \
  binary_hash.signed

Next: , Previous: , Up: Security   [Contents][Index]

19.10 Signing GRUB itself

To ensure a complete secure-boot chain, there must be a way for the code that loads GRUB to verify the integrity of the core image. This is ultimately platform-specific and individual platforms can define their own mechanisms. However, there are general-purpose mechanisms that can be used with GRUB.

19.10.1 Signing GRUB for UEFI secure boot

On UEFI platforms, core.img is a PE binary. Therefore, it can be signed with a tool such as pesign or sbsign. Refer to the suggestions in see UEFI secure boot and shim support to ensure that the final image works under UEFI secure boot and can maintain the secure-boot chain. It will also be necessary to enroll the public key used into a relevant firmware key database.

19.10.2 Signing GRUB with an appended signature

The core.elf itself can be signed with a Linux kernel module-style appended signature (see Using appended signatures in GRUB). To support IEEE1275 platforms where the boot image is often loaded directly from a disk partition rather than from a file system, the core.elf can specify the size and location of the appended signature with an ELF Note added by grub-install or grub-mkimage. An image can be signed this way using the sign-file command from the Linux kernel:

  • Signing a GRUB image using a single signer key. The grub.key is your private key used for GRUB signing, grub.der is a corresponding public key (certificate) used for GRUB signature verification, and the kernel.der is your public key (certificate) used for kernel signature verification. 
    # Determine the size of the appended signature. It depends on the
# signing key and the hash algorithm.
#
# Signing /dev/null with an appended signature.

sign-file SHA256 grub.key grub.der /dev/null ./empty.sig

# Build a GRUB image for the signature.

grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der \
  -p /grub --appended-signature-size $(stat -c '%s' ./empty.sig) \
  --modules="appendedsig ..." ...

# Remove the signature file.

rm ./empty.sig

# Signing a GRUB image with an appended signature.

sign-file SHA256 grub.key grub.der core.elf.unsigned core.elf.signed
  • Signing a GRUB image using more than one signer key. The grub1.key and grub2.key are private keys used for GRUB signing, grub1.der and grub2.der are corresponding public keys (certificates) used for GRUB signature verification. The kernel1.der and kernel2.der are your public keys (certificates) used for kernel signature verification. 
    # Generate a signature by signing /dev/null.

openssl cms -sign -binary -nocerts -in /dev/null -signer \
  grub1.der -inkey grub1.key -signer grub2.der -inkey grub2.key \
  -out ./empty.p7s -outform DER -noattr -md sha256

# To be able to determine the size of an appended signature, sign an
# empty file (/dev/null) to which a signature will be appended to.

sign-file -s ./empty.p7s sha256 /dev/null /dev/null ./empty.sig

# Build a GRUB image for the signature.

grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel1.der \
  kernel2.der -p /grub --appended-signature-size $(stat -c '%s' ./empty.sig) \
  --modules="appendedsig ..." ...

# Remove the signature files.

rm ./empty.sig ./empty.p7s

# Generate a raw signature for GRUB image signing using OpenSSL.

openssl cms -sign -binary -nocerts -in core.elf.unsigned -signer \
  grub1.der -inkey grub1.key -signer grub2.der -inkey grub2.key \
  -out core.p7s -outform DER -noattr -md sha256

# Sign a GRUB image to get an image file with an appended signature.

sign-file -s core.p7s sha256 /dev/null core.elf.unsigned core.elf.signed
  • Don’t forget to install the signed image as required (e.g. on powerpc-ieee1275, to the PReP partition). 
    # Install signed GRUB image to the PReP partition on powerpc-ieee1275

dd if=core.elf.signed of=/dev/sda1

As with UEFI secure boot, it is necessary to build-in the required modules, or sign them if they are not part of the GRUB image.

Previous: , Up: Security   [Contents][Index]

19.11 Hardening

Security hardening involves additional / optional configuration and customization steps to GRUB to maximize security. The extent to which hardening can be accomplished depends on the threats attempting to be mitigated for a given system / device, the device architecture, and number of GRUB features required. The following is a listing of hardening steps which may be considered:

  • (EFI Only) Enable secure boot to enable lockdown mode. This will limit the attack surface of GRUB by limiting the commands and file systems supported. (see Lockdown when booting on a secure setup)
  • (EFI Only) No-Execute capability of memory segments will be configured by GRUB as indicated by the UEFI. This makes some classes of vulnerabilities more difficult to exploit by providing support for marking memory as either writable or executable.
  • (EFI Only) While building GRUB, the stack protector feature may be enabled during the configuration step. This feature can make certain vulnerabilities caused by stack buffer overflows more difficult to exploit. This can be enabled by including the "–enable-stack-protector" flag to the configure script: 
    # ./configure --enable-stack-protector

    Please reference the file INSTALL for detailed instructions on how to build GRUB.

  • Minimize the installed modules included with the GRUB installation. For instance, if a specific file system is used for a given system, modules for other file systems may be excluded. see Modules for a list of modules.
  • Minimize boot sources. In the GRUB configuration, reduce the possible boot sources to the minimum needed for system operation. For instance, if booting only from an internal drive, remove support for network booting and booting from removable media.
  • Disable network support in GRUB if not required. Ensure network interfaces are not configured in the GRUB configuration and consider setting environment variable ‘feature_net_search_cfg’ to ‘n’ in an embedded GRUB config file in order to disable attempting to use the network for obtaining a GRUB config file.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

20 Platform limitations

GRUB2 is designed to be portable and is actually ported across platforms. We try to keep all platforms at the level. Unfortunately some platforms are better supported than others. This is detailed in current and 2 following sections.

All platforms have an artificially GRUB imposed disk size restriction of 1 EiB. In some cases, larger disk sizes can be used, but access will not be allowed beyond 1 EiB.

LUKS2 devices with size larger than 16 EiB are currently not supported. They can not be created as crypto devices by cryptomount, so can not even be partially read from. LUKS have no limitations other than those imposed by the format.

ARC platform is unable to change datetime (firmware doesn’t seem to provide a function for it). EMU has similar limitation.

On EMU platform no serial port is available.

Console charset refers only to firmware-assisted console. gfxterm is always Unicode (see Internationalisation section for its limitations). Serial is configurable to UTF-8 or ASCII (see Internationalisation). In case of qemu and coreboot ports the referred console is vga_text. Loongson always uses gfxterm.

Most limited one is ASCII. CP437 provides additionally pseudographics. GRUB2 doesn’t use any language characters from CP437 as often CP437 is replaced by national encoding compatible only in pseudographics. Unicode is the most versatile charset which supports many languages. However the actual console may be much more limited depending on firmware

On BIOS, network is supported only if the image is loaded through network. On sparc64, GRUB is unable to determine which server it was booted from.

Direct ATA/AHCI support allows to circumvent various firmware limitations but isn’t needed for normal operation except on baremetal ports.

AT keyboard support allows keyboard layout remapping and support for keys not available through firmware. It isn’t needed for normal operation except baremetal ports.

Speaker allows morse and spkmodem communication.

USB support provides benefits similar to ATA (for USB disks) or AT (for USB keyboards). In addition it allows USBserial.

Chainloading refers to the ability to load another bootloader through the same protocol and on some platforms, like EFI, allow that bootloader to return to the GRUB.

Hints allow faster disk discovery by already knowing in advance which is the disk in question. On some platforms hints are correct unless you move the disk between boots. On other platforms it’s just an educated guess. Note that hint failure results in just reduced performance, not a failure

BadRAM is the ability to mark some of the RAM as “bad”. Note: due to protocol limitations mips-loongson (with Linux protocol) and mips-qemu_mips can use only memory up to first hole.

Bootlocation is ability of GRUB to automatically detect where it boots from. “disk” means the detection is limited to detecting the disk with partition being discovered on install time. “partition” means that disk and partiton can be automatically discovered. “file” means that boot image file name as well as disk and partition can be discovered. For consistency, default install ignores partition and relies solely on disk detection. If no bootlocation discovery is available or boot and grub-root disks are different, UUID is used instead. On ARC if no device to install to is specified, UUID is used instead as well.

BIOSCorebootMultibootQemu
videoyesyesyesyes
console charsetCP437CP437CP437CP437
networkyes (*)nonono
ATA/AHCIyesyesyesyes
AT keyboardyesyesyesyes
Speakeryesyesyesyes
USByesyesyesyes
chainloaderlocalyesyesno
cpuidpartialpartialpartialpartial
rdmsrpartialpartialpartialpartial
wrmsrpartialpartialpartialpartial
hintsguessguessguessguess
PCIyesyesyesyes
badramyesyesyesyes
compressionalwayspointlessnono
exityesnonono
bootlocationdisknonono
ia32 EFIamd64 EFIia32 IEEE1275Itanium
videoyesyesnono
console charsetUnicodeUnicodeASCIIUnicode
networkyesyesyesyes
ATA/AHCIyesyesyesno
AT keyboardyesyesyesno
Speakeryesyesyesno
USByesyesyesno
chainloaderlocallocalnolocal
cpuidpartialpartialpartialno
rdmsrpartialpartialpartialno
wrmsrpartialpartialpartialno
hintsguessguessgoodguess
PCIyesyesyesno
badramyesyesnoyes
compressionnononono
exityesyesyesyes
bootlocationfilefilefile, ignoredfile
Loongsonsparc64PowerpcARC
videoyesnoyesno
console charsetN/AASCIIASCIIASCII
networknoyes (*)yesno
ATA/AHCIyesnonono
AT keyboardyesnonono
Speakernononono
USByesnonono
chainloaderyesnonono
cpuidnononono
rdmsrnononono
wrmsrnononono
hintsgoodgoodgoodno
PCIyesnonono
badramyes (*)nonono
compressionconfigurablenonoconfigurable
exitnoyesyesyes
bootlocationnopartitionfilefile (*)
MIPS qemuemuxen
videonoyesno
console charsetCP437Unicode (*)ASCII
networknoyesno
ATA/AHCIyesnono
AT keyboardyesnono
Speakernonono
USBN/Ayesno
chainloaderyesnoyes
cpuidnonoyes
rdmsrnonoyes
wrmsrnonoyes
hintsguessnono
PCInonono
badramyes (*)nono
compressionconfigurablenono
exitnoyesno
bootlocationnofileno

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

21 Platform-specific operations

Some platforms have features which allow implementation of certain commands that cannot be implemented on others.

Quick summary:

Information retrieval:

Workarounds for platform-specific issues:

Advanced operations for power users:

Miscellaneous:

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

22 Supported boot targets

X86 support is summarised in the following table. “Yes” means that the kernel works on the given platform, “crashes” means an early kernel crash which we hope will be fixed by concerned kernel developers. “no” means GRUB doesn’t load the given kernel on a given platform. “headless” means that the kernel works but lacks console drivers (you can still use serial or network console). In case of “no” and “crashes” the reason is given in footnote.

BIOSCoreboot
BIOS chainloadingyesno (1)
NTLDRyesno (1)
Plan9yesno (1)
Freedosyesno (1)
FreeBSD bootloaderyescrashes (1)
32-bit kFreeBSDyescrashes (5)
64-bit kFreeBSDyescrashes (5)
32-bit kNetBSDyescrashes (1)
64-bit kNetBSDyescrashes
32-bit kOpenBSDyesyes
64-bit kOpenBSDyesyes
Multibootyesyes
Multiboot2yesyes
32-bit Linux (legacy protocol)yesno (1)
64-bit Linux (legacy protocol)yesno (1)
32-bit Linux (modern protocol)yesyes
64-bit Linux (modern protocol)yesyes
32-bit XNUyes?
64-bit XNUyes?
32-bit EFI chainloaderno (2)no (2)
64-bit EFI chainloaderno (2)no (2)
Appleloaderno (2)no (2)
MultibootQemu
BIOS chainloadingno (1)no (1)
NTLDRno (1)no (1)
Plan9no (1)no (1)
FreeDOSno (1)no (1)
FreeBSD bootloadercrashes (1)crashes (1)
32-bit kFreeBSDcrashes (5)crashes (5)
64-bit kFreeBSDcrashes (5)crashes (5)
32-bit kNetBSDcrashes (1)crashes (1)
64-bit kNetBSDyesyes
32-bit kOpenBSDyesyes
64-bit kOpenBSDyesyes
Multibootyesyes
Multiboot2yesyes
32-bit Linux (legacy protocol)no (1)no (1)
64-bit Linux (legacy protocol)no (1)no (1)
32-bit Linux (modern protocol)yesyes
64-bit Linux (modern protocol)yesyes
32-bit XNU??
64-bit XNU??
32-bit EFI chainloaderno (2)no (2)
64-bit EFI chainloaderno (2)no (2)
Appleloaderno (2)no (2)
ia32 EFIamd64 EFI
BIOS chainloadingno (1)no (1)
NTLDRno (1)no (1)
Plan9no (1)no (1)
FreeDOSno (1)no (1)
FreeBSD bootloadercrashes (1)crashes (1)
32-bit kFreeBSDheadlessheadless
64-bit kFreeBSDheadlessheadless
32-bit kNetBSDcrashes (1)crashes (1)
64-bit kNetBSDyesyes
32-bit kOpenBSDheadlessheadless
64-bit kOpenBSDheadlessheadless
Multibootyesyes
Multiboot2yesyes
32-bit Linux (legacy protocol)no (1)no (1)
64-bit Linux (legacy protocol)no (1)no (1)
32-bit Linux (modern protocol)yesyes
64-bit Linux (modern protocol)yesyes
32-bit XNUyesyes
64-bit XNUyes (4)yes
32-bit EFI chainloaderyesno (3)
64-bit EFI chainloaderno (3)yes
Appleloaderyesyes
ia32 IEEE1275
BIOS chainloadingno (1)
NTLDRno (1)
Plan9no (1)
FreeDOSno (1)
FreeBSD bootloadercrashes (1)
32-bit kFreeBSDcrashes (5)
64-bit kFreeBSDcrashes (5)
32-bit kNetBSDcrashes (1)
64-bit kNetBSD?
32-bit kOpenBSD?
64-bit kOpenBSD?
Multiboot?
Multiboot2?
32-bit Linux (legacy protocol)no (1)
64-bit Linux (legacy protocol)no (1)
32-bit Linux (modern protocol)?
64-bit Linux (modern protocol)?
32-bit XNU?
64-bit XNU?
32-bit EFI chainloaderno (2)
64-bit EFI chainloaderno (2)
Appleloaderno (2)
  1. Requires BIOS
  2. EFI only
  3. 32-bit and 64-bit EFI have different structures and work in different CPU modes so it’s not possible to chainload 32-bit bootloader on 64-bit platform and vice-versa
  4. Some modules may need to be disabled
  5. Requires ACPI

PowerPC, IA64 and Sparc64 ports support only Linux. MIPS port supports Linux and multiboot2.

22.1 Boot tests

As you have seen in previous chapter the support matrix is pretty big and some of the configurations are only rarely used. To ensure the quality bootchecks are available for all x86 targets except EFI chainloader, Appleloader and XNU. All x86 platforms have bootcheck facility except ieee1275. Multiboot, multiboot2, BIOS chainloader, ntldr and freebsd-bootloader boot targets are tested only with a fake kernel images. Only Linux is tested among the payloads using Linux protocols.

Following variables must be defined:

GRUB_PAYLOADS_DIRdirectory containing the required kernels
GRUB_CBFSTOOLcbfstool from Coreboot package (for coreboot platform only)
GRUB_COREBOOT_ROMempty Coreboot ROM
GRUB_QEMU_OPTSadditional options to be supplied to QEMU

Required files are:

kfreebsd_env.i38632-bit kFreeBSD device hints
kfreebsd.i38632-bit FreeBSD kernel image
kfreebsd.x86_64, kfreebsd_env.x86_64same from 64-bit kFreeBSD
knetbsd.i38632-bit NetBSD kernel image
knetbsd.miniroot.i38632-bit kNetBSD miniroot.kmod.
knetbsd.x86_64, knetbsd.miniroot.x86_64same from 64-bit kNetBSD
kopenbsd.i38632-bit OpenBSD kernel bsd.rd image
kopenbsd.x86_64same from 64-bit kOpenBSD
linux.i38632-bit Linux
linux.x86_6464-bit Linux

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

23 Error messages produced by GRUB

Next: , Up: Error messages produced by GRUB   [Contents][Index]

23.1 GRUB only offers a rescue shell

GRUB’s normal start-up procedure involves setting the ‘prefix’ environment variable to a value set in the core image by grub-install, setting the ‘root’ variable to match, loading the ‘normal’ module from the prefix, and running the ‘normal’ command (see normal). This command is responsible for reading /boot/grub/grub.cfg, running the menu, and doing all the useful things GRUB is supposed to do.

If, instead, you only get a rescue shell, this usually means that GRUB failed to load the ‘normal’ module for some reason. It may be possible to work around this temporarily: for instance, if the reason for the failure is that ‘prefix’ is wrong (perhaps it refers to the wrong device, or perhaps the path to /boot/grub was not correctly made relative to the device), then you can correct this and enter normal mode manually: 

# Inspect the current prefix (and other preset variables):
set
# Find out which devices are available:
ls
# Set to the correct value, which might be something like this:
set prefix=(hd0,1)/grub
set root=(hd0,1)
insmod normal
normal

However, any problem that leaves you in the rescue shell probably means that GRUB was not correctly installed. It may be more useful to try to reinstall it properly using grub-install device (see Invoking grub-install). When doing this, there are a few things to remember:

  • Drive ordering in your operating system may not be the same as the boot drive ordering used by your firmware. Do not assume that your first hard drive (e.g. ‘/dev/sda’) is the one that your firmware will boot from. device.map (see The map between BIOS drives and OS devices) can be used to override this, but it is usually better to use UUIDs or file system labels and avoid depending on drive ordering entirely.
  • At least on BIOS systems, if you tell grub-install to install GRUB to a partition but GRUB has already been installed in the master boot record, then the GRUB installation in the partition will be ignored.
  • If possible, it is generally best to avoid installing GRUB to a partition (unless it is a special partition for the use of GRUB alone, such as the BIOS Boot Partition used on GPT). Doing this means that GRUB may stop being able to read its core image due to a file system moving blocks around, such as while defragmenting, running checks, or even during normal operation. Installing to the whole disk device is normally more robust.
  • Check that GRUB actually knows how to read from the device and file system containing /boot/grub. It will not be able to read from encrypted devices with unsupported encryption scheme, nor from file systems for which support has not yet been added to GRUB.

Previous: , Up: Error messages produced by GRUB   [Contents][Index]

23.2 Firmware stalls instead of booting GRUB

The EFI implementation of some older MacBook laptops stalls when it gets presented a grub-mkrescue ISO image for x86_64-efi target on an USB stick. Affected are models of year 2010 or earlier. Workaround is to zeroize the bytes 446 to 461 of the EFI partition, where mformat has put a partition table entry which claims partition start at block 0. This change will not hamper bootability on other machines.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

24 User-space utilities

Next: , Up: User-space utilities   [Contents][Index]

24.1 Invoking grub-install

The program grub-install generates a GRUB core image using grub-mkimage and installs it on your system. You must specify the device name on which you want to install GRUB, like this: 

grub-install install_device

The device name install_device is an OS device name or a GRUB device name.

grub-install accepts the following options:

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

--boot-directory=dir

Install GRUB images under the directory dir/grub/ This option is useful when you want to install GRUB into a separate partition or a removable disk. If this option is not specified then it defaults to /boot, so 

grub-install /dev/sda

is equivalent to 

grub-install --boot-directory=/boot/ /dev/sda

Here is an example in which you have a separate boot partition which is mounted on /mnt/boot: 

grub-install --boot-directory=/mnt/boot /dev/sdb
--recheck

Recheck the device map, even if /boot/grub/device.map already exists. You should use this option whenever you add/remove a disk into/from your computer.

--no-rs-codes

By default on x86 BIOS systems, grub-install will use some extra space in the bootloader embedding area for Reed-Solomon error-correcting codes. This enables GRUB to still boot successfully if some blocks are corrupted. The exact amount of protection offered is dependent on available space in the embedding area. R sectors of redundancy can tolerate up to R/2 corrupted sectors. This redundancy may be cumbersome if attempting to cryptographically validate the contents of the bootloader embedding area, or in more modern systems with GPT-style partition tables (see BIOS installation) where GRUB does not reside in any unpartitioned space outside of the MBR. Disable the Reed-Solomon codes with this option.

Next: , Previous: , Up: User-space utilities   [Contents][Index]

24.2 Invoking grub-mkconfig

The program grub-mkconfig generates a configuration file for GRUB (see Simple configuration handling). 

grub-mkconfig -o /boot/grub/grub.cfg

grub-mkconfig accepts the following options:

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

-o file
--output=file

Send the generated configuration file to file. The default is to send it to standard output.

Next: , Previous: , Up: User-space utilities   [Contents][Index]

24.3 Invoking grub-mkpasswd-pbkdf2

The program grub-mkpasswd-pbkdf2 generates password hashes for GRUB (see Security). 

grub-mkpasswd-pbkdf2

grub-mkpasswd-pbkdf2 accepts the following options:

-c number
--iteration-count=number

Number of iterations of the underlying pseudo-random function. Defaults to 10000.

-l number
--buflen=number

Length of the generated hash. Defaults to 64.

-s number
--salt=number

Length of the salt. Defaults to 64.

Next: , Previous: , Up: User-space utilities   [Contents][Index]

24.4 Invoking grub-mkrelpath

The program grub-mkrelpath makes a file system path relative to the root of its containing file system. For instance, if /usr is a mount point, then: 

$ grub-mkrelpath /usr/share/grub/unicode.pf2/share/grub/unicode.pf2

This is mainly used internally by other GRUB utilities such as grub-mkconfig (see Invoking grub-mkconfig), but may occasionally also be useful for debugging.

grub-mkrelpath accepts the following options:

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

Next: , Previous: , Up: User-space utilities   [Contents][Index]

24.5 Invoking grub-mkrescue

The program grub-mkrescue generates a bootable GRUB rescue image (see Making a GRUB bootable CD-ROM). 

grub-mkrescue -o grub.iso

All arguments not explicitly listed as grub-mkrescue options are passed on directly to xorriso in mkisofs emulation mode. Options passed to xorriso will normally be interpreted as mkisofs options; if the option ‘--’ is used, then anything after that will be interpreted as native xorriso options.

Non-option arguments specify additional source directories. This is commonly used to add extra files to the image: 

mkdir -p disk/boot/grub
(add extra files to disk/boot/grub)
grub-mkrescue -o grub.iso disk

grub-mkrescue accepts the following options:

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

-o file
--output=file

Save output in file. This "option" is required.

--modules=modules

Pre-load the named GRUB modules in the image. Multiple entries in modules should be separated by whitespace (so you will probably need to quote this for your shell).

--rom-directory=dir

If generating images for the QEMU or Coreboot platforms, copy the resulting qemu.img or coreboot.elf files respectively to the dir directory as well as including them in the image.

--xorriso=file

Use file as the xorriso program, rather than the built-in default.

--grub-mkimage=file

Use file as the grub-mkimage program, rather than the built-in default.

Next: , Previous: , Up: User-space utilities   [Contents][Index]

24.6 Invoking grub-mount

The program grub-mount performs a read-only mount of any file system or file system image that GRUB understands, using GRUB’s file system drivers via FUSE. (It is only available if FUSE development files were present when GRUB was built.) This has a number of uses:

  • It provides a convenient way to check how GRUB will view a file system at boot time. You can use normal command-line tools to compare that view with that of your operating system, making it easy to find bugs.
  • It offers true read-only mounts. Linux does not have these for journalling file systems, because it will always attempt to replay the journal at mount time; while you can temporarily mark the block device read-only to avoid this, that causes the mount to fail. Since GRUB intentionally contains no code for writing to file systems, it can easily provide a guaranteed read-only mount mechanism.
  • It allows you to examine any file system that GRUB understands without needing to load additional modules into your running kernel, which may be useful in constrained environments such as installers.
  • Since it can examine file system images (contained in regular files) just as easily as file systems on block devices, you can use it to inspect any file system image that GRUB understands with only enough privileges to use FUSE, even if nobody has yet written a FUSE module specifically for that file system type.

Using grub-mount is normally as simple as: 

grub-mount /dev/sda1 /mnt

grub-mount must be given one or more images and a mount point as non-option arguments (if it is given more than one image, it will treat them as a RAID set), and also accepts the following options:

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

-C
--crypto

Mount encrypted devices, prompting for a passphrase if necessary.

-d string
--debug=string

Show debugging output for conditions matching string.

-K prompt|file
--zfs-key=prompt|file

Load a ZFS encryption key. If you use ‘prompt’ as the argument, grub-mount will read a passphrase from the terminal; otherwise, it will read key material from the specified file.

-r device
--root=device

Set the GRUB root device to device. You do not normally need to set this; grub-mount will automatically set the root device to the root of the supplied file system.

If device is just a number, then it will be treated as a partition number within the supplied image. This means that, if you have an image of an entire disk in disk.img, then you can use this command to mount its second partition: 

grub-mount -r 2 disk.img mount-point
-v
--verbose

Print verbose messages.

Next: , Previous: , Up: User-space utilities   [Contents][Index]

24.7 Invoking grub-probe

The program grub-probe probes device information for a given path or device. 

grub-probe --target=fs /boot/grub
grub-probe --target=drive --device /dev/sda1

grub-probe must be given a path or device as a non-option argument, and also accepts the following options:

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

-d
--device

If this option is given, then the non-option argument is a system device name (such as ‘/dev/sda1’), and grub-probe will print information about that device. If it is not given, then the non-option argument is a filesystem path (such as ‘/boot/grub’), and grub-probe will print information about the device containing that part of the filesystem.

-m file
--device-map=file

Use file as the device map (see The map between BIOS drives and OS devices) rather than the default, usually ‘/boot/grub/device.map’.

-t target
--target=target

Print information about the given path or device as defined by target. The available targets and their meanings are:

fs

GRUB filesystem module.

fs_uuid

Filesystem Universally Unique Identifier (UUID).

fs_label

Filesystem label.

drive

GRUB device name.

device

System device name.

partmap

GRUB partition map module.

abstraction

GRUB abstraction module (e.g. ‘lvm’).

cryptodisk_uuid

Crypto device UUID.

msdos_parttype

MBR partition type code (two hexadecimal digits).

hints_string

A string of platform search hints suitable for passing to the search command (see search).

bios_hints

Search hints for the PC BIOS platform.

ieee1275_hints

Search hints for the IEEE1275 platform.

baremetal_hints

Search hints for platforms where disks are addressed directly rather than via firmware.

efi_hints

Search hints for the EFI platform.

arc_hints

Search hints for the ARC platform.

compatibility_hint

A guess at a reasonable GRUB drive name for this device, which may be used as a fallback if the search command fails.

disk

System device name for the whole disk.

-v
--verbose

Print verbose messages.

Next: , Previous: , Up: User-space utilities   [Contents][Index]

24.8 Invoking grub-protect

The program grub-protect protects a disk encryption key with a specified key protector.

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

-a add|remove
--action=add|remove

Add or remove a key protector to or from a key.

-p protector
--protector=protector

Set the key protector. Currently, ‘tpm2’ is the only supported key protector.

--tpm2-asymmetric=type

Choose the the type of SRK. The valid options are ‘RSA’ (‘RSA2048’) and ‘ECC’ (‘ECC_NIST_P256’).(default: ‘ECC’)

--tpm2-bank=alg

Choose bank of PCRs used to authorize key release: ‘SHA1’, ‘SHA256’, ‘SHA384’, or ‘SHA512’. (default: ‘SHA256’)

--tpm2-device=device

Set the path to the TPM2 device. (default: ‘/dev/tpm0’)

--tpm2-evict

Evict a previously persisted SRK from the TPM, if any.

--tpm2-keyfile=file

Set the path to a file that contains the cleartext key to protect.

--tpm2-outfile=file

Set the path to the file that will contain the key after sealing (must be accessible to GRUB during boot).

--tpm2-pcrs=pcrs

Set a comma-separated list of PCRs used to authorize key release e.g., ‘7,11’. Please be aware that PCR 0~7 are used by the firmware and the measurement result may change after a firmware update (for baremetal systems) or a package (OVMF/SLOF) update in the VM host. This may lead to the failure of key unsealing. (default: ‘7’)

--tpm2-srk=handle

Set the SRK handle, e.g. ‘0x81000000’, if the SRK is to be made persistent.

--tpm2-nvindex=handle

Set the handle, e.g. ‘0x81000000’ or ‘0x1000000’, for NV index mode.

--tpm2key

Use TPM 2.0 Key File format.

24.8.1 ’Add’ action

Before sealing the key, please check the TPM PCR usage (see TPM PCR usage) to choose a proper set of PCRs.

Assume that there is a key file, luks.key, to be sealed with PCR 0, 2, 4, and 7, and here is the grub-protect command to create the sealed key file: 

# grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm

Then, GRUB can unlock the target partition with the following commands: 

grub> tpm2_key_protector_init -T (hd0,gpt1)/efi/grub/sealed.tpm
grub> cryptomount -u <UUID> -P tpm2

Besides writing the PCR-sealed key into a file, grub-protect can write the sealed key into TPM non-volatile memory. Here is the grub-protect command to write the sealed key into the NV index handle ‘0x1000000’. 

# grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-nvindex=0x1000000

Later, GRUB can fetch the key from ‘0x1000000’. 

grub> tpm2_key_protector_init --mode=nv --nvindex=0x1000000
grub> cryptomount -u <UUID> -P tpm2

In most of cases, the user only needs to create the key with the ‘add’ action. If auto-unlocking is unwanted, just remove the file and the tpm2_key_protector_init command and invoke the cryptomount command without -P tpm2.

24.8.2 ’Remove’ action

The ‘remove’ action is used to remove the handles for NV index mode and the persistent SRK.

24.8.2.1 Handles for NV index mode

There are two types of TPM handles supported by NV index mode: persistent handles and NV index handles, and tpm2_getcap can be used to check the existing handles.

To display the list of existing persistent handles: 

# tpm2_getcap handles-persistent
- 0x81000000

Similarly, to display the list of existing NV index handles: 

# tpm2_getcap handles-nv-index
- 0x1000000

If the sealed key at an NV index handle is not needed anymore, the user can remove the handle with --tpm2-nvindex and --tpm2-evict. For example, this command removes the data from NV index ‘0x1000000’: 

# grub-protect --action=remove \
               --protector=tpm2 \
               --tpm2-evict \
               --tpm2-nvindex 0x1000000 \

24.8.2.2 Persistent SRK

There are two supported SRKs in grub-protect: ‘RSA’ and ‘ECC’. Due to slower key generation, some users of the ‘RSA’ SRK may prefer making it persistent so that the TPM can skip the SRK generation when GRUB tries to unseal the key.

The available persistent handles can be checked with tpm2_getcap. 

# tpm2_getcap properties-variable
...
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x41
...

In this system, there is no persistent handle. A TPM handle is an unsigned 32-bit integer, and the persistent handles starts with ‘0x81’. Here we choose the well-known persistent handle: ‘0x81000000’. 

# grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2-asymmetric=RSA \
               --tpm2-srk=0x81000000 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm

The additional --tpm2-asymmetric=RSA and --tpm2-srk=0x81000000 options are used to make the key sealed with the RSA SRK and store the SRK in ‘0x81000000’.

For the tpm2_key_protector_init command, the additional -s 0x81000000 informs the TPM2 key protector to fetch the SRK from ‘0x81000000’. 

grub> tpm2_key_protector_init -s 0x81000000 -T (hd0,gpt1)/efi/grub/sealed.tpm
grub> cryptomount -u <UUID> -P tpm2

After making the SRK handle persistent, we can check the status of the persistent handles with tpm2_getcap. 

# tpm2_getcap properties-variable
...
TPM2_PT_HR_PERSISTENT: 0x1
TPM2_PT_HR_PERSISTENT_AVAIL: 0x40
...
# tpm2_getcap handles-persistent
- 0x81000000

The sealed key can be removed once the user does not want to use the TPM2 key protector anymore. Here is the command to remove the persistent SRK handle (‘0x81000000’) with --tpm2-srk and --tpm2-evict. 

# grub-protect --action=remove \
               --protector=tpm2 \
               --tpm2-srk 0x81000000 \
               --tpm2-evict

Previous: , Up: User-space utilities   [Contents][Index]

24.9 Invoking grub-script-check

The program grub-script-check takes a GRUB script file (see Writing full configuration files directly) and checks it for syntax errors, similar to commands such as sh -n. It may take a path as a non-option argument; if none is supplied, it will read from standard input. 

grub-script-check /boot/grub/grub.cfg

grub-script-check accepts the following options:

--help

Print a summary of the command-line options and exit.

--version

Print the version number of GRUB and exit.

-v
--verbose

Print each line of input after reading it.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

Appendix A How to obtain and build GRUB

Caution: GRUB requires binutils-2.9.1.0.23 or later because the GNU assembler has been changed so that it can produce real 16bits machine code between 2.9.1 and 2.9.1.0.x. See https://www.gnu.org/software/binutils/, to obtain information on how to get the latest version.

GRUB is available from the GNU alpha archive site https://ftp.gnu.org/gnu/grub/ or any of its mirrors. The file will be named grub-version.tar.gz. The current version is 2.14, so the file you should grab is:

https://ftp.gnu.org/gnu/grub/grub-2.14.tar.gz

To unbundle GRUB use the instruction: 

zcat grub-2.14.tar.gz | tar xvf -

which will create a directory called grub-2.14 with all the sources. You can look at the file INSTALL for detailed instructions on how to build and install GRUB, but you should be able to just do: 

cd grub-2.14
./configure
make install

Also, the latest version is available using Git. See https://www.gnu.org/software/grub/grub-download.html for more information.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

Appendix B Reporting bugs

These are the guideline for how to report bugs. Take a look at this list below before you submit bugs:

  1. Before getting unsettled, read this manual through and through. Also, see the GNU GRUB FAQ.
  2. Always mention the information on your GRUB. The version number and the configuration are quite important. If you build it yourself, write the options specified to the configure script and your operating system, including the versions of gcc and binutils.
  3. If you have trouble with the installation, inform us of how you installed GRUB. Don’t omit error messages, if any. Just ‘GRUB hangs up when it boots’ is not enough.

    The information on your hardware is also essential. These are especially important: the geometries and the partition tables of your hard disk drives and your BIOS.

  4. If GRUB cannot boot your operating system, write down everything you see on the screen. Don’t paraphrase them, like ‘The foo OS crashes with GRUB, even though it can boot with the bar boot loader just fine’. Mention the commands you executed, the messages printed by them, and information on your operating system including the version number.
  5. Explain what you wanted to do. It is very useful to know your purpose and your wish, and how GRUB didn’t satisfy you.
  6. If you can investigate the problem yourself, please do. That will give you and us much more information on the problem. Attaching a patch is even better.

    When you attach a patch, make the patch in unified diff format, and write ChangeLog entries. But, even when you make a patch, don’t forget to explain the problem, so that we can understand what your patch is for.

  7. Write down anything that you think might be related. Please understand that we often need to reproduce the same problem you encountered in our environment. So your information should be sufficient for us to do the same thing—Don’t forget that we cannot see your computer directly. If you are not sure whether to state a fact or leave it out, state it! Reporting too many things is much better than omitting something important.

If you follow the guideline above, submit a report to the Bug Tracking System. Alternatively, you can submit a report via electronic mail to bug-grub@gnu.org, but we strongly recommend that you use the Bug Tracking System, because e-mail can be passed over easily.

Once we get your report, we will try to fix the bugs.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

Appendix C Where GRUB will go

GRUB 2 is now quite stable and used in many production systems. We are currently working on the 2.x series.

If you are interested in the development of GRUB 2, take a look at the homepage.

Next: , Previous: , Up: GNU GRUB manual   [Contents][Index]

Appendix D Copying This Manual

Up: Copying This Manual   [Contents][Index]

D.1 GNU Free Documentation License

Version 1.2, November 2002 
Copyright © 2000,2001,2002 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA  02110-1301, USA

Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
  1. PREAMBLE

    The purpose of this License is to make a manual, textbook, or other functional and useful document free in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

    This License is a kind of “copyleft”, which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

    We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

  2. APPLICABILITY AND DEFINITIONS

    This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The “Document”, below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as “you”. You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

    A “Modified Version” of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

    A “Secondary Section” is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document’s overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

    The “Invariant Sections” are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

    The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

    A “Transparent” copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not “Transparent” is called “Opaque”.

    Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

    The “Title Page” means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, “Title Page” means the text near the most prominent appearance of the work’s title, preceding the beginning of the body of the text.

    A section “Entitled XYZ” means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as “Acknowledgements”, “Dedications”, “Endorsements”, or “History”.) To “Preserve the Title” of such a section when you modify the Document means that it remains a section “Entitled XYZ” according to this definition.

    The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

  3. VERBATIM COPYING

    You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

    You may also lend copies, under the same conditions stated above, and you may publicly display copies.

  4. COPYING IN QUANTITY

    If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document’s license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

    If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

    If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

    It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

  5. MODIFICATIONS

    You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

    1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
    2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
    3. State on the Title page the name of the publisher of the Modified Version, as the publisher.
    4. Preserve all the copyright notices of the Document.
    5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
    6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
    7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document’s license notice.
    8. Include an unaltered copy of this License.
    9. Preserve the section Entitled “History”, Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled “History” in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
    10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the “History” section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
    11. For any section Entitled “Acknowledgements” or “Dedications”, Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
    12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
    13. Delete any section Entitled “Endorsements”. Such a section may not be included in the Modified Version.
    14. Do not retitle any existing section to be Entitled “Endorsements” or to conflict in title with any Invariant Section.
    15. Preserve any Warranty Disclaimers.

    If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version’s license notice. These titles must be distinct from any other section titles.

    You may add a section Entitled “Endorsements”, provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

    You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

    The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

  6. COMBINING DOCUMENTS

    You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

    The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

    In the combination, you must combine any sections Entitled “History” in the various original documents, forming one section Entitled “History”; likewise combine any sections Entitled “Acknowledgements”, and any sections Entitled “Dedications”. You must delete all sections Entitled “Endorsements.”

  7. COLLECTIONS OF DOCUMENTS

    You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

    You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

  8. AGGREGATION WITH INDEPENDENT WORKS

    A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an “aggregate” if the copyright resulting from the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

    If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document’s Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

  9. TRANSLATION

    Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

    If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”, the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

  10. TERMINATION

    You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

  11. FUTURE REVISIONS OF THIS LICENSE

    The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

    Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License “or any later version” applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

D.1.1 ADDENDUM: How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page: 

  Copyright (C)  year  your name.
  Permission is granted to copy, distribute and/or modify this document
  under the terms of the GNU Free Documentation License, Version 1.2
  or any later version published by the Free Software Foundation;
  with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
  Texts.  A copy of the license is included in the section entitled ``GNU
  Free Documentation License''.

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the “with...Texts.” line with this: 

    with the Invariant Sections being list their titles, with
    the Front-Cover Texts being list, and with the Back-Cover Texts
    being list.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

Previous: , Up: GNU GRUB manual   [Contents][Index]

Index

Jump to:   [  
A   B   C   D   E   F   G   H   I   K   L   M   N   P   R   S   T   U   V   W   X  
Index Entry  Section
[
[: [
A
acpi: acpi
append_add_dbx_cert: append_add_dbx_cert
append_add_dbx_hash: append_add_dbx_hash
append_add_db_cert: append_add_db_cert
append_add_db_hash: append_add_db_hash
append_list_db: append_list_db
append_list_dbx: append_list_dbx
append_verify: append_verify
authenticate: authenticate
B
background_color: background_color
background_image: background_image
badram: badram
blocklist: blocklist
blscfg: blscfg
boot: boot
C
cat: cat
chainloader: chainloader
clear: clear
CMOS: cmosdump
cmosclean: cmosclean
cmostest: cmostest
cmp: cmp
configfile: configfile
cpuid: cpuid
crc: crc
cryptocheck: cryptocheck
cryptomount: cryptomount
cutmem: cutmem
D
date: date
devicetree: devicetree
distrust: distrust
drivemap: drivemap
E
echo: echo
efitextmode: efitextmode
eval: eval
export: export
F
false: false
FDL, GNU Free Documentation License: GNU Free Documentation License
fdtdump: fdtdump
file: file
fwsetup: fwsetup
G
gdbinfo: gdbinfo
gettext: gettext
gptsync: gptsync
H
halt: halt
hashsum: hashsum
help: help
hexdump: hexdump
I
initrd: initrd
initrd16: initrd16
insmod: insmod
K
keystatus: keystatus
L
linux: linux
linux16: linux16
list_env: list_env
list_trusted: list_trusted
loadfont: loadfont
load_env: load_env
loopback: loopback
ls: ls
lsfonts: lsfonts
lsfreemem: lsfreemem
lsmem: lsmem
lsmemregions: lsmemregions
lsmod: lsmod
M
md5sum: md5sum
menuentry: menuentry
module: module
multiboot: multiboot
N
nativedisk: nativedisk
net_add_addr: net_add_addr
net_add_dns: net_add_dns
net_add_route: net_add_route
net_bootp: net_bootp
net_del_addr: net_del_addr
net_del_dns: net_del_dns
net_del_route: net_del_route
net_dhcp: net_dhcp
net_get_dhcp_option: net_get_dhcp_option
net_ipv6_autoconf: net_ipv6_autoconf
net_ls_addr: net_ls_addr
net_ls_cards: net_ls_cards
net_ls_dns: net_ls_dns
net_ls_routes: net_ls_routes
net_nslookup: net_nslookup
net_set_vlan: net_set_vlan
normal: normal
normal_exit: normal_exit
P
parttool: parttool
password: password
password_pbkdf2: password_pbkdf2
plainmount: plainmount
play: play
probe: probe
R
rdmsr: rdmsr
read: read
reboot: reboot
regexp: regexp
rmmod: rmmod
S
save_env: save_env
search: search
sendkey: sendkey
serial: serial
set: set
sha1sum: sha1sum
sha256sum: sha256sum
sha512sum: sha512sum
sleep: sleep
smbios: smbios
source: source
stress_big_allocs: stress_big_allocs
submenu: submenu
T
terminal_input: terminal_input
terminal_output: terminal_output
terminfo: terminfo
test: test
tpm2_dump_pcr: tpm2_dump_pcr
tpm2_key_protector_clear: tpm2_key_protector_clear
tpm2_key_protector_init: tpm2_key_protector_init
true: true
trust: trust
U
uki: uki
unset: unset
V
verify_detached: verify_detached
videoinfo: videoinfo
W
wrmsr: wrmsr
X
xen_hypervisor: xen_hypervisor
xen_module: xen_module
Jump to:   [  
A   B   C   D   E   F   G   H   I   K   L   M   N   P   R   S   T   U   V   W   X  

  [Contents][Index]

Footnotes

(1)

chain-load is the mechanism for loading unsupported operating systems by loading another boot loader. It is typically used for loading DOS or Windows.

(2)

The NetBSD/i386 kernel is Multiboot-compliant, but lacks support for Multiboot modules.

(3)

Only CRC32 data integrity check is supported (xz default is CRC64 so one should use –check=crc32 option). LZMA BCJ filters are supported.

(4)

There are a few pathological cases where loading a very badly organized ELF kernel might take longer, but in practice this never happen.

(5)

The LInux LOader, a boot loader that everybody uses, but nobody likes.

(6)

El Torito is a specification for bootable CD using BIOS functions.

(7)

Currently a backslash-newline pair within a variable name is not handled properly, so use this feature with some care.

(8)

However, this behavior will be changed in the future version, in a user-invisible way.

(9)

Current implementation of cryptsetup supports only 512/1024/2048/4096 byte sectors