GRUB2
The wiki is being retired!
Documentation is now handled by the same processes we use for code: Add something to the Documentation/ directory in the coreboot repo, and it will be rendered to https://doc.coreboot.org/. Contributions welcome!
GRUB2 is a modular, multiboot-capable bootloader for many operating systems.
GRUB2 is an ideal payload for coreboot. It's modular, extensible, supports booting off filesystems, and it has a scriptable shell. Our goal is to replace the common coreboot payload FILO with a coreboot-capable version of GRUB2.
Status
As of the time of this writing, the official GRUB2 can not be loaded in coreboot v2 without a small patch. It works fine with coreboot v3.
- A significant amount of work has been put into GRUB2 in our monotone repository, which also provides snapshots.
- The mainline version of GRUB2 has a wiki page on the coreboot port.
How to build GRUB2 as a payload
It's recommended to use a recent snapshot of the allpatches branch in the GRUB2 monotone repository (you can also just download http://coreboot.org/viewmtn/branch/head/tar/org.coreboot.grub2.allpatches - which resolves to the latest revision on that branch; the top level directory in the resulting tarball represents the revision ID, which is a SHA-1 value over revision data, and thus varies wildly).
$ wget http://coreboot.org/viewmtn/revision/tar/dfb745863916f6f022db54421bf07a6c19ba053e -O grub2.tar $ tar xfv grub2.tar $ cd dfb745863916f6f022db54421bf07a6c19ba053e $ sh autogen.sh $ ./configure --with-platform=linuxbios --prefix=$PWD/installed $ chmod 755 mkinstalldirs $ make && make install $ $PWD/installed/bin/grub-mkimage -o core.img normal fat iso9660 pc ata memdisk lar ls cat cmp hello help serial terminal test configfile multiboot boot loopback
GRUB2 modules
GRUB2 is a modular system, you can include whichever modules you need into the image.
In addition to the full list of available modules in upstream GRUB2 the coreboot version of GRUB2 also adds a few more custom modules.
Suggested modules
We suggest that you use the following modules:
Modules | Reason |
---|---|
serial, terminal, terminfo | serial console support |
coreboot | change to console automatically |
digest | crypto (incl. signature checking) |
memdisk, diskimage, lar or cpio | filesystem in rom |
During development, we used the following list of modules:
coreboot hello cat cmp fat iso9660 help lspci lsusb serial terminal lar terminfo memdisk atadisk ls configfile boot hexdump digest linux multiboot diskimage
Modules specific to coreboot
The following modules are specific to coreboot, or to the coreboot version of GRUB2:
Module name | Description |
---|---|
atadisk | ATA disk driver based on the OpenBIOS driver |
coreboot | load serial console information from coreboot table |
lar | archive format ("filesystem") driver for LAR files (such as coreboot v3 images) |
Building a diskimage module
If you are using coreboot v2, the firmware image is not a LAR archive, as in coreboot v3. If you want to place files in the coreboot+grub2 image, you can still create a diskimage module and include it in your payload.
- create a lar/cpio file
- grub-mkdiskimage lar/cpio-file $GRUB2INST/lib/grub/i386/diskimage.mod
- add diskimage.mod to your grub-mkimage call
Per default GRUB2 looks for a configuration file grub.cfg in the disk image. The path is
(memdisk)/grub.cfg
Checking Signatures
Currently the tools for crypto signature verification are not built automatically. To build them, run
$ cd libs/sigtools $ make
Using sigtools
Create a key pair filename.pub and filename.sec with
$ genkeypair filename
Create a signature of candidate using keyfile.sec and save it as candidate.sig:
$ gensig keyfile candidate
Verification in GRUB2
Load /key.pub as public key and block access to all unsigned files with
$ load-pubkey /key.pub
Verify foo using the signature foo.sig, reporting success or failure and grant access to the file foo with:
$ validate /foo /foo.sig
Example:
multiboot grub-invaders # fails validate grub-invaders grub-invaders.sig multiboot grub-invaders # this time it succeeds
TODO
- Mainstream GRUB2's grub-mkimage needs to put the program headers right after the ELF header (Fix available).
- USB stack integration (in progress).
- See more information in the "Porting GRUB2 to coreboot" milestone in the coreboot issue tracker.
History
Patrick Georgi has been working on GRUB2 for coreboot during the Google Summer of Code 2007. He made an original code submission on August 20th 2007. Please read GRUB2 on coreboot instructions for information on how to use it.
This work was subsequently rejected by the GRUB project, and was eventually re-implemented by Robert Millan, one of the GRUB project members. The re-implementation lacks a couple of fundamental features. From this new base, more work was done.
How to help?
Contact Stefan Reinauer, Patrick Georgi or the coreboot mailing list for more information.