GRUB
GRUB (GRand Unified Bootloader) is a boot loader. The current GRUB is also referred to as GRUB 2. The original GRUB, or GRUB Legacy, corresponds to versions 0.9x. This page exclusively describes GRUB 2.
esp
denotes the mountpoint of the EFI system partition aka ESP.Supported file systems
GRUB bundles its own support for multiple file systems, notably FAT32, ext4, Btrfs or XFS. See #Unsupported file systems for some caveats.
/boot
unless disabling incompatible features. This can be typically avoided by using a separate /boot partition with a universally supported file system such as FAT32.UEFI systems
- It is recommended to read and understand the Unified Extensible Firmware Interface, Partitioning#GUID Partition Table and Arch boot process#Under UEFI pages.
- When installing to use UEFI it is important to boot the installation media in UEFI mode, otherwise efibootmgr will not be able to add the GRUB UEFI boot entry. Installing to the fallback boot path will still work even in BIOS mode since it does not touch the NVRAM.
- To boot from a disk using UEFI, an EFI system partition is required. Follow EFI system partition#Check for an existing partition to find out if you have one already, otherwise you need to create it.
- This whole article assumes that inserting additional GRUB2 modules via
insmod
is possible. As discussed in #Shim-lock, this is not the case on UEFI systems with Secure Boot enabled. If you want to use any additional GRUB module that is not included in the standard GRUB EFI filegrubx64.efi
on a Secure Boot system, you have to re-generate the GRUB EFIgrubx64.efi
withgrub-mkstandalone
or reinstall GRUB usinggrub-install
with the additional GRUB modules included.
Installation
- UEFI firmwares are not implemented consistently across manufacturers. The procedure described below is intended to work on a wide range of UEFI systems but those experiencing problems despite applying this method are encouraged to share detailed information, and if possible the workarounds found, for their hardware-specific case. A /EFI examples article has been provided for such cases.
- The section assumes you are installing GRUB for x64 (64-bit) UEFI. For IA32 (32-bit) UEFI (not to be confused with 32-bit CPUs), replace
x86_64-efi
withi386-efi
where appropriate. Follow the instructions in Unified Extensible Firmware Interface#Checking the firmware bitness to figure out your UEFI's bitness.
First, install the packages grub and efibootmgr: GRUB is the boot loader while efibootmgr is used by the GRUB installation script to write boot entries to NVRAM.
Then follow the below steps to install GRUB to your disk:
- Mount the EFI system partition and in the remainder of this section, substitute
esp
with its mount point. - Choose a boot loader identifier, here named
GRUB
. A directory of that name will be created inesp/EFI/
to store the EFI binary and this is the name that will appear in the UEFI boot menu to identify the GRUB boot entry. - Execute the following command to install the GRUB EFI application
grubx64.efi
toesp/EFI/GRUB/
and install its modules to/boot/grub/x86_64-efi/
.
- Note:
- Make sure to install the packages and run the
grub-install
command from the system in which GRUB will be installed as the boot loader. That means if you are booting from the live installation environment, you need to be inside the chroot when runninggrub-install
. If for some reason it is necessary to rungrub-install
from outside of the installed system, append the--boot-directory=
option with the path to the mounted/boot
directory, e.g--boot-directory=/mnt/boot
. - Some motherboards cannot handle
bootloader-id
with spaces in it.
- Make sure to install the packages and run the
# grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB
After the above installation completed, the main GRUB directory is located at /boot/grub/
. Read /Tips and tricks#Alternative install method for how to specify an alternative location. Note that grub-install
also tries to create an entry in the firmware boot manager, named GRUB
in the above example – this will, however, fail if your boot entries are full; use efibootmgr to remove unnecessary entries.
Remember to #Generate the main configuration file after finalizing the configuration.
--removable
then GRUB will be installed to esp/EFI/BOOT/BOOTX64.EFI
(or esp/EFI/BOOT/BOOTIA32.EFI
for the i386-efi
target) and you will have the additional ability of being able to boot from the drive in case EFI variables are reset or you move the drive to another computer. Usually you can do this by selecting the drive itself, similar to how you would using BIOS. If dual booting with Windows, be aware Windows usually places an EFI executable there, but its only purpose is to recreate the UEFI boot entry for Windows. If you are installing GRUB on a Mac, you will have to use this option. Some desktop motherboards will only look for an EFI executable in this location, making this option mandatory, in particular with MSI boards.
If you execute a UEFI update, this update might delete the existing UEFI boot entries. Therefore, it is a potential fallback strategy to have the "removable" boot entry enabled.--efi-directory
and--bootloader-id
are specific to GRUB UEFI,--efi-directory
replaces--root-directory
which is deprecated.- You might note the absence of a device_path option (e.g.:
/dev/sda
) in thegrub-install
command. In fact any device_path provided will be ignored by the GRUB UEFI install script. Indeed, UEFI boot loaders do not use a MBR bootcode or partition boot sector at all.
See UEFI troubleshooting in case of problems. Additionally see /Tips and tricks#UEFI further reading.
Secure Boot support
GRUB fully supports secure boot utilising either CA keys or shim, the installation command however is different depending on which you intend to use.
- Incorrectly configuring Secure Boot can render your system unbootable. If for any reason you cannot boot after enabling secure boot then you should disable it in firmware and reboot the system.
- Loading unnecessary modules in your bootloader has the potential to present a security risk, only use these commands if you need them.
CA Keys
To make use of CA Keys the command is:
# grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=GRUB --modules="tpm" --disable-shim-lock
Shim-lock
When using Shim-lock, GRUB can only be successfully booted in Secure Boot mode if its EFI binary includes all of the modules necessary to read the filesystem containing the vmlinuz and initramfs images.
Since GRUB version 2.06.r261.g2f4430cc0
, loading modules in Secure Boot Mode via insmod
is no longer allowed, as this would violate the expectation to not sideload arbitrary code. If the GRUB modules are not embedded in the EFI binary, and GRUB tries to sideload/insmod
them, GRUB will fail to boot with the message:
error: prohibited by secure boot policy
Ubuntu, according to its official build script, embeds the following GRUB modules in its signed GRUB EFI binary grubx64.efi
:
- the "basic" modules, necessary for booting from a CD or from a simple-partitioned disk:
all_video
,boot
,btrfs
,cat
,chain
,configfile
,echo
,efifwsetup
,efinet
,ext2
,fat
,font
,gettext
,gfxmenu
,gfxterm
,gfxterm_background
,gzio
,halt
,help
,hfsplus
,iso9660
,jpeg
,keystatus
,loadenv
,loopback
,linux
,ls
,lsefi
,lsefimmap
,lsefisystab
,lssal
,memdisk
,minicmd
,normal
,ntfs
,part_apple
,part_msdos
,part_gpt
,password_pbkdf2
,png
,probe
,reboot
,regexp
,search
,search_fs_uuid
,search_fs_file
,search_label
,sleep
,smbios
,squash4
,test
,true
,video
,xfs
,zfs
,zfscrypt
,zfsinfo
- the "platform-specific" modules for x86_64-efi architecture, necessary for e.g.:
play
: to play sounds during bootcpuid
: to the CPU at boottpm
: to support Measured Boot / Trusted Platform Modules
- the "advanced" modules, consisting of modules:
cryptodisk
: to boot from plain-mode encrypted disksgcry_algorithm
: to support particular hashing and encryption algorithmsluks
: to boot from LUKS-encrypted disks:lvm
: to boot from LVM logical volume disksmdraid09
,mdraid1x
,raid5rec
,raid6rec
: to boot from RAID virtual disks
You must construct your list of GRUB modules in the form of a shell variable that we denote as GRUB_MODULES
. You can use the latest Ubuntu script as a starting point, and trim away modules that are not necessary on your system. Omitting modules will make the boot process relatively faster, and save some space on the ESP partition.
You also need a Secure Boot Advanced Targeting (SBAT) file/section included in the EFI binary, to improve the security; if GRUB is launched from the UEFI shim loader. This SBAT file/section contains metadata about the GRUB binary (version, maintainer, developer, upstream URL) and makes it easier for shim to block certain GRUB versions from being loaded if they have security vulnerabilities[1][2], as explained in the UEFI shim bootloader secure boot life-cycle improvements document from shim.
The first-stage UEFI bootloader shim will fail to launch grubx64.efi
if the SBAT section from grubx64.efi
is missing!
If GRUB is installed, a sample SBAT .csv file is provided under /usr/share/grub/sbat.csv
.
Reinstall GRUB using the provided /usr/share/grub/sbat.csv
file and all the needed GRUB_MODULES
and sign it:
# grub-install --target=x86_64-efi --efi-directory=esp --modules=${GRUB_MODULES} --sbat /usr/share/grub/sbat.csv # sbsign --key MOK.key --cert MOK.crt --output esp/EFI/GRUB/grubx64.efi esp/EFI/GRUB/grubx64.efi # cp esp/EFI/GRUB/grubx64.efi esp/EFI/BOOT/grubx64.efi
Reboot, select the key in MokManager, and Secure Boot should be working.
Using Secure Boot
After installation see Secure Boot#Implementing Secure Boot for instructions on enabling it.
If you are using the CA Keys method then key management, enrolment and file signing can be automated by using sbctl, see Secure Boot#Assisted process with sbctl for details.
BIOS systems
GUID Partition Table (GPT) specific instructions
On a BIOS/GPT configuration, a BIOS boot partition is required. GRUB embeds its core.img
into this partition.
- Before attempting this method keep in mind that not all systems will be able to support this partitioning scheme. Read more on Partitioning#GUID Partition Table.
- The BIOS boot partition is only needed by GRUB on a BIOS/GPT setup. On a BIOS/MBR setup, GRUB uses the post-MBR gap for the embedding the
core.img
. On GPT, however, there is no guaranteed unused space before the first partition. - For UEFI systems this extra partition is not required, since no embedding of boot sectors takes place in that case. However, UEFI systems still require an EFI system partition.
Create a mebibyte partition (+1M
with fdisk or gdisk) on the disk with no file system and with partition type GUID 21686148-6449-6E6F-744E-656564454649
.
- Select partition type
BIOS boot
for fdisk. - Select partition type code
ef02
for gdisk. - For parted set/activate the flag
bios_grub
on the partition.
This partition can be in any position order but has to be on the first 2 TiB of the disk. This partition needs to be created before GRUB installation. When the partition is ready, install the boot loader as per the instructions below.
The space before the first partition can also be used as the BIOS boot partition though it will be out of GPT alignment specification. Since the partition will not be regularly accessed performance issues can be disregarded, though some disk utilities will display a warning about it. In fdisk or gdisk create a new partition starting at sector 34 and spanning to 2047 and set the type. To have the viewable partitions begin at the base consider adding this partition last.
Master Boot Record (MBR) specific instructions
Usually the post-MBR gap (after the 512 byte MBR region and before the start of the first partition) in many MBR partitioned systems is 31 KiB when DOS compatibility cylinder alignment issues are satisfied in the partition table. However a post-MBR gap of about 1 to 2 MiB is recommended to provide sufficient room for embedding GRUB's core.img
(FS#24103). It is advisable to use a partitioning tool that supports 1 MiB partition alignment to obtain this space as well as to satisfy other non-512-byte-sector issues (which are unrelated to embedding of core.img
).
Installation
Install the grub package. (It will replace grub-legacyAUR if that is already installed.) Then do:
# grub-install --target=i386-pc /dev/sdX
where i386-pc
is deliberately used regardless of your actual architecture, and /dev/sdX
is the disk (not a partition) where GRUB is to be installed. For example /dev/sda
or /dev/nvme0n1
, or /dev/mmcblk0
. See Device file#Block device names for a description of the block device naming scheme.
Now you must generate the main configuration file.
If you use LVM for your /boot
, you can install GRUB on multiple physical disks.
See grub-install(8) and GRUB Manual for more details on the grub-install
command.
Configuration
On an installed system, GRUB loads the /boot/grub/grub.cfg
configuration file each boot. You can follow #Generated grub.cfg for using a tool, or #Custom grub.cfg for a manual creation.
Generated grub.cfg
This section only covers editing the /etc/default/grub
configuration file. See /Tips and tricks for more information.
/etc/default/grub
and/or files in /etc/grub.d/
. Generate the main configuration file
After the installation, the main configuration file /boot/grub/grub.cfg
needs to be generated. The generation process can be influenced by a variety of options in /etc/default/grub
and scripts in /etc/grub.d/
. For the list of options in /etc/default/grub
and a concise description of each refer to GNU's documentation.
If you have not done additional configuration, the automatic generation will determine the root filesystem of the system to boot for the configuration file. For that to succeed it is important that the system is either booted or chrooted into.
- The default file path is
/boot/grub/grub.cfg
, not/boot/grub/i386-pc/grub.cfg
. - If you are trying to run grub-mkconfig in a chroot or systemd-nspawn container, you might notice that it does not work:
grub-probe: error: failed to get canonical path of /dev/sdaX
. In this case, try using arch-chroot as described in the BBS post.
Use the grub-mkconfig tool to generate /boot/grub/grub.cfg
:
# grub-mkconfig -o /boot/grub/grub.cfg
By default the generation scripts automatically add menu entries for all installed Arch Linux kernels to the generated configuration.
- After installing or removing a kernel, you just need to re-run the above grub-mkconfig command.
- For tips on managing multiple GRUB entries, for example when using both linux and linux-lts kernels, see /Tips and tricks#Multiple entries.
To automatically add entries for other installed operating systems, see #Detecting other operating systems.
You can add additional custom menu entries by editing /etc/grub.d/40_custom
and re-generating /boot/grub/grub.cfg
. Or you can create /boot/grub/custom.cfg
and add them there. Changes to /boot/grub/custom.cfg
do not require re-running grub-mkconfig, since /etc/grub.d/41_custom
adds the necessary source
statement to the generated configuration file.
/etc/grub.d/40_custom
can be used as a template to create /etc/grub.d/nn_custom
, where nn
defines the precedence, indicating the order the script is executed. The order scripts are executed determine the placement in the GRUB boot menu. nn
should be greater than 06
to ensure necessary scripts are executed first.See #Boot menu entry examples for custom menu entry examples.
Detecting other operating systems
To have grub-mkconfig search for other installed systems and automatically add them to the menu, install the os-prober package and mount the partitions from which the other systems boot. Then re-run grub-mkconfig. If you get the following output: Warning: os-prober will not be executed to detect other bootable partitions
then edit /etc/default/grub
and add/uncomment:
GRUB_DISABLE_OS_PROBER=false
Then try again.
- The exact mount point does not matter, os-prober reads the
mtab
to identify places to search for bootable entries. - Remember to mount the partitions each time you run grub-mkconfig in order to include the other operating systems every time.
- os-prober might not work properly when run in a chroot. Try again after rebooting into the system if you experience this.
Windows
For Windows installed in UEFI mode, make sure the EFI system partition containing the Windows Boot Manager (bootmgfw.efi
) is mounted. Run os-prober
as root to detect and generate an entry for it.
For Windows installed in BIOS mode, mount the Windows system partition (its file system label should be System Reserved
or SYSTEM
). Run os-prober
as root to detect and generate an entry for it.
- NTFS partitions may not always be detected when mounted with the default Linux drivers. If GRUB is not detecting it, try installing NTFS-3G and remounting.
- Encrypted Windows partitions may need to be decrypted before mounting. For BitLocker, this can be done with cryptsetup or dislockerAUR. This should be sufficient for os-prober to add the correct entry.
Additional arguments
To pass custom additional arguments to the Linux image, you can set the GRUB_CMDLINE_LINUX
+ GRUB_CMDLINE_LINUX_DEFAULT
variables in /etc/default/grub
. The two are appended to each other and passed to kernel when generating regular boot entries. For the recovery boot entry, only GRUB_CMDLINE_LINUX
is used in the generation.
It is not necessary to use both, but can be useful. For example, you could use GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=uuid-of-swap-partition quiet"
where uuid-of-swap-partition
is the UUID of your swap partition to enable resume after hibernation. This would generate a recovery boot entry without the resume and without quiet
suppressing kernel messages during a boot from that menu entry. Though, the other (regular) menu entries would have them as options.
By default grub-mkconfig determines the UUID of the root filesystem for the configuration. To disable this, uncomment GRUB_DISABLE_LINUX_UUID=true
.
For generating the GRUB recovery entry you have to ensure that GRUB_DISABLE_RECOVERY
is not set to true
in /etc/default/grub
.
See Kernel parameters for more info.
By default, grub-mkconfig sorts the included kernels using sort -V
and uses the first kernel in that list as the top-level entry. This means that, for example, since /boot/vmlinuz-linux-lts
is sorted before /boot/vmlinuz-linux
, if you have both linux-lts and linux installed, the LTS kernel will be the top-level menu entry, which may not be desirable. This can be overridden by specifying GRUB_TOP_LEVEL=path_to_kernel"
in /etc/default/grub
. For example, to make the regular kernel be the top-level menu entry, you can use GRUB_TOP_LEVEL="/boot/vmlinuz-linux"
.
LVM
If you use LVM for your /boot
or /
root partition, make sure that the lvm
module is preloaded:
/etc/default/grub
GRUB_PRELOAD_MODULES="... lvm"
RAID
GRUB provides convenient handling of RAID volumes. You need to load GRUB modules mdraid09
or mdraid1x
to allow you to address the volume natively:
/etc/default/grub
GRUB_PRELOAD_MODULES="... mdraid09 mdraid1x"
For example, /dev/md0
becomes:
set root=(md/0)
whereas a partitioned RAID volume (e.g. /dev/md0p1
) becomes:
set root=(md/0,1)
To install grub when using RAID1 as the /boot
partition (or using /boot
housed on a RAID1 root partition), on BIOS systems, simply run grub-install on both of the drives, such as:
# grub-install --target=i386-pc --debug /dev/sda # grub-install --target=i386-pc --debug /dev/sdb
Where the RAID 1 array housing /boot
is housed on /dev/sda
and /dev/sdb
.
Encrypted /boot
GRUB also has special support for booting with an encrypted /boot
. This is done by unlocking a LUKS blockdevice in order to read its configuration and load any initramfs and kernel from it. This option tries to solve the issue of having an unencrypted boot partition.
/boot
is not required to be kept in a separate partition; it may also stay under the system's root /
directory tree.To enable this feature encrypt the partition with /boot
residing on it using LUKS as normal. Then add the following option to /etc/default/grub
:
/etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
This option is used by grub-install to generate the grub core.img
.
Make sure to install grub after modifying this option or encrypting the partition.
Without further changes you will be prompted twice for a passphrase: the first for GRUB to unlock the /boot
mount point in early boot, the second to unlock the root filesystem itself as implemented by the initramfs. You can use a keyfile to avoid this.
- If you want to generate the main configuration file, make sure that
/boot
is mounted. - In order to perform system updates involving the
/boot
mount point, ensure that the encrypted/boot
is unlocked and mounted before performing an update. With a separate/boot
partition, this may be accomplished automatically on boot by using crypttab with a keyfile.
- If you use a special keymap, a default GRUB installation will not know it. This is relevant for how to enter the passphrase to unlock the LUKS blockdevice. See /Tips and tricks#Manual configuration of core image for early boot.
- If you experience issues getting the prompt for a password to display (errors regarding cryptouuid, cryptodisk, or "device not found"), try reinstalling GRUB and appending
--modules="part_gpt part_msdos"
to the end of yourgrub-install
command.
/boot
when upgrades need to access related files.LUKS2
Use grub-install
as described in the #Installation section to create a bootable GRUB image with LUKS support. Note the following caveats:
- Initial LUKS2 support was added to GRUB 2.06, but with several limitations that are only partially addressed in GRUB 2.12rc1. See GRUB bug #55093.
- Since GRUB 2.12rc1,
grub-install
can create a core image to unlock LUKS2. However, it only supports PBKDF2, not Argon2. - Argon2id (cryptsetup default) and Argon2i PBKDFs are not supported (GRUB bug #59409), only PBKDF2 is.
- Tip: You can use grub-improved-luks2-gitAUR that has been patched for LUKS2 as well as Argon support. Note the package's Argon support requires an UEFI system.[3]
grub-mkimage
with a custom GRUB config file. For example, /boot/grub/grub-pre.cfg
, with calls to cryptomount
, insmod normal
, and normal
. This is no longer needed, grub-install
is sufficient. However, you may have to run grub-mkconfig -o /boot/grub/grub.cfg
at least once after upgrading from 2.06.If you enter an invalid passphrase during boot and end up at the GRUB rescue shell, try cryptomount -a
to mount all (hopefully only one) encrypted partitions or use cryptomount -u $crypto_uuid
to mount a specific one. Then proceed with insmod normal
and normal
as usual.
If you enter a correct passphrase, but an Invalid passphrase
error is immediately returned, make sure that the right cryptographic modules are specified. Use cryptsetup luksDump /dev/nvme0n1p2
and check whether the hash function (SHA-256, SHA-512) matches the modules (gcry_sha256
, gcry_sha512
) installed and the PBKDF algorithm is pbkdf2. The hash and PBDKDF algorithms can be changed for existing keys by using cryptsetup luksConvertKey --hash sha256 --pbkdf pbkdf2 /dev/nvme0n1p2
. Under normal circumstances it should take a few seconds before the passphrase is processed.
Custom grub.cfg
This section describes the manual creation of GRUB boot entries in /boot/grub/grub.cfg
instead of relying on grub-mkconfig.
A basic GRUB config file uses the following options:
(hdX,Y)
is the partition Y on disk X, partition numbers starting at 1, disk numbers starting at 0set default=N
is the default boot entry that is chosen after timeout for user actionset timeout=M
is the time M to wait in seconds for a user selection before default is bootedmenuentry "title" {entry options}
is a boot entry titledtitle
set root=(hdX,Y)
sets the boot partition, where the kernel and GRUB modules are stored (boot need not be a separate partition, and may simply be a directory under the "root" partition (/
)
LoaderDevicePartUUID
For GRUB to set the LoaderDevicePartUUID
UEFI variable required by systemd-gpt-auto-generator(8) for GPT partition automounting, load the bli
module in grub.cfg
:
if [ "$grub_platform" = "efi" ]; then insmod bli fi
/boot/grub/grub.cfg
generated by grub-mkconfig. Add them to /etc/grub.d/40_custom
and re-generate the main configuration file or add them to /boot/grub/custom.cfg
.For tips on managing multiple GRUB entries, for example when using both linux and linux-lts kernels, see /Tips and tricks#Multiple entries.
For Archiso and Archboot boot menu entries see Multiboot USB drive#Boot entries.
GRUB commands
menuentry "System shutdown" { echo "System shutting down..." halt }
menuentry "System restart" { echo "System rebooting..." reboot }
if [ ${grub_platform} == "efi" ]; then menuentry 'UEFI Firmware Settings' --id 'uefi-firmware' { fwsetup } fi
EFI binaries
When launched in UEFI mode, GRUB can chainload other EFI binaries.
if
statement:
if [ ${grub_platform} == "efi" ]; then place UEFI-only menu entries here fi
UEFI Shell
You can launch UEFI Shell by placing it in the root of the EFI system partition and adding this menu entry:
menuentry "UEFI Shell" { insmod fat insmod chain search --no-floppy --set=root --file /shellx64.efi chainloader /shellx64.efi }
gdisk
Download the gdisk EFI application and copy gdisk_x64.efi
to esp/EFI/tools/
.
menuentry "gdisk" { insmod fat insmod chain search --no-floppy --set=root --file /EFI/tools/gdisk_x64.efi chainloader /EFI/tools/gdisk_x64.efi }
Chainloading a unified kernel image
If you have a unified kernel image generated from following Secure Boot or other means, you can add it to the boot menu. For example:
menuentry "Arch Linux" { insmod fat insmod chain search --no-floppy --set=root --fs-uuid FILESYSTEM_UUID chainloader /EFI/Linux/arch-linux.efi }
Dual-booting
GNU/Linux
Assuming that the other distribution is on partition sda2
:
menuentry "Other Linux" { set root=(hd0,2) linux /boot/vmlinuz (add other options here as required) initrd /boot/initrd.img (if the other kernel uses/needs one) }
Alternatively let GRUB search for the right partition by UUID or file system label:
menuentry "Other Linux" { # assuming that UUID is 763A-9CB6 search --no-floppy --set=root --fs-uuid 763A-9CB6 # search by label OTHER_LINUX (make sure that partition label is unambiguous) #search --no-floppy --set=root --label OTHER_LINUX linux /boot/vmlinuz (add other options here as required, for example: root=UUID=763A-9CB6) initrd /boot/initrd.img (if the other kernel uses/needs one) }
If the other distribution has already a valid /boot
folder with installed GRUB, grub.cfg
, kernel and initramfs, GRUB can be instructed to load these other grub.cfg
files on-the-fly during boot. For example, for hd0
and the fourth GPT partition:
menuentry "configfile hd0,gpt4" { insmod part_gpt insmod btrfs insmod ext2 set root='hd0,gpt4' configfile /boot/grub/grub.cfg }
When choosing this entry, GRUB loads the grub.cfg
file from the other volume and displays that menu. Any environment variable changes made by the commands in file will not be preserved after configfile
returns. Press Esc
to return to the first GRUB menu.
Windows installed in UEFI/GPT mode
This mode determines where the Windows boot loader resides and chain-loads it after GRUB when the menu entry is selected. The main task here is finding the EFI system partition and running the bootloader from it.
if [ "${grub_platform}" == "efi" ]; then menuentry "Microsoft Windows Vista/7/8/8.1 UEFI/GPT" { insmod part_gpt insmod fat insmod chain search --no-floppy --fs-uuid --set=root $hints_string $fs_uuid chainloader /EFI/Microsoft/Boot/bootmgfw.efi } fi
where $hints_string
and $fs_uuid
are obtained with the following two commands.
The $fs_uuid
command determines the UUID of the EFI system partition:
# grub-probe --target=fs_uuid esp/EFI/Microsoft/Boot/bootmgfw.efi
1ce5-7f28
Alternatively one can run lsblk --fs
and read the UUID of the EFI system partition from there.
The $hints_string
command will determine the location of the EFI system partition, in this case harddrive 0:
# grub-probe --target=hints_string esp/EFI/Microsoft/Boot/bootmgfw.efi
--hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1
These two commands assume the ESP Windows uses is mounted at esp
. There might be case differences in the path to Windows's EFI file, what with being Windows, and all.
Windows installed in BIOS/MBR mode
bootmgr
directly and chainloading of partition boot sector is no longer required to boot Windows in a BIOS/MBR setup./bootmgr
, not your "real" Windows partition (usually C:
). The system partition's filesystem label is System Reserved
or SYSTEM
and the partition is only about 100 to 549 MiB in size. See Wikipedia:System partition and boot partition for more information.Throughout this section, it is assumed your Windows partition is /dev/sda1
. A different partition will change every instance of hd0,msdos1
.
In both examples XXXX-XXXX
is the filesystem UUID which can be found with command lsblk --fs
.
For Windows Vista/7/8/8.1/10:
if [ "${grub_platform}" == "pc" ]; then menuentry "Microsoft Windows Vista/7/8/8.1/10 BIOS/MBR" { insmod part_msdos insmod ntfs insmod ntldr search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 XXXX-XXXX ntldr /bootmgr } fi
For Windows XP:
if [ "${grub_platform}" == "pc" ]; then menuentry "Microsoft Windows XP" { insmod part_msdos insmod ntfs insmod ntldr search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 XXXX-XXXX ntldr /ntldr } fi
\boot\bcd
(error code 0xc000000f
). You can fix it by going to Windows Recovery Console (cmd.exe
from install disk) and executing:
X:\> bootrec.exe /fixboot X:\> bootrec.exe /RebuildBcd
Do not use bootrec.exe /Fixmbr
because it will wipe GRUB out.
Or you can use Boot Repair function in the Troubleshooting menu - it will not wipe out GRUB but will fix most errors.
Also you would better keep plugged in both the target hard drive and your bootable device ONLY. Windows usually fails to repair boot information if any other devices are connected.
Using labels
It is possible to use file system labels, human-readable strings attached to file systems, by using the --label
option to search
. First of all, make sure your file system has a label.
Then, add an entry using labels. An example of this:
menuentry "Arch Linux, session texte" { search --label --set=root archroot linux /boot/vmlinuz-linux root=/dev/disk/by-label/archroot ro initrd /boot/initramfs-linux.img }
Using the command shell
Since the MBR is too small to store all GRUB modules, only the menu and a few basic commands reside there. The majority of GRUB functionality remains in modules in /boot/grub/
, which are inserted as needed. In error conditions (e.g. if the partition layout changes) GRUB may fail to boot. When this happens, a command shell may appear.
GRUB offers multiple shells/prompts. If there is a problem reading the menu but the bootloader is able to find the disk, you will likely be dropped to the "normal" shell:
grub>
If there is a more serious problem (e.g. GRUB cannot find required files), you may instead be dropped to the "rescue" shell:
grub rescue>
The rescue shell is a restricted subset of the normal shell, offering much less functionality. If dumped to the rescue shell, first try inserting the "normal" module, then starting the "normal" shell:
grub rescue> set prefix=(hdX,Y)/boot/grub grub rescue> insmod (hdX,Y)/boot/grub/i386-pc/normal.mod rescue:grub> normal
Pager support
GRUB supports pager for reading commands that provide long output (like the help
command). This works only in normal shell mode and not in rescue mode. To enable pager, in GRUB command shell type:
sh:grub> set pager=1
Using the command shell environment to boot operating systems
grub>
The GRUB's command shell environment can be used to boot operating systems. A common scenario may be to boot Windows / Linux stored on a drive/partition via chainloading.
Chainloading means to load another boot-loader from the current one, ie, chain-loading.
The other bootloader may be embedded at the start of a partitioned disk (MBR), at the start of a partition or a partitionless disk (VBR), or as an EFI binary in the case of UEFI.
Chainloading a partition's VBR
set root=(hdX,Y) chainloader +1 boot
X=0,1,2... Y=1,2,3...
For example to chainload Windows stored in the first partition of the first hard disk,
set root=(hd0,1) chainloader +1 boot
Similarly GRUB installed to a partition can be chainloaded.
Chainloading a disk's MBR or a partitionless disk's VBR
set root=hdX chainloader +1 boot
Chainloading Windows/Linux installed in UEFI mode
insmod fat set root=(hd0,gpt4) chainloader (${root})/EFI/Microsoft/Boot/bootmgfw.efi boot
insmod fat
is used for loading the FAT file system module for accessing the Windows bootloader on the EFI system partition.
(hd0,gpt4)
or /dev/sda4
is the EFI system partition in this example.
The entry in the chainloader
line specifies the path of the .efi file to be chain-loaded.
Normal loading
See the examples in #Using the rescue console
Using the rescue console
See #Using the command shell first. If unable to activate the standard shell, one possible solution is to boot using a live CD or some other rescue disk to correct configuration errors and reinstall GRUB. However, such a boot disk is not always available (nor necessary); the rescue console is surprisingly robust.
The available commands in GRUB rescue include insmod
, ls
, set
, and unset
. This example uses set
and insmod
. set
modifies variables and insmod
inserts new modules to add functionality.
Before starting, the user must know the location of their /boot
partition (be it a separate partition, or a subdirectory under their root):
grub rescue> set prefix=(hdX,Y)/boot/grub
where X
is the physical drive number and Y
is the partition number.
/boot
from the path (i.e. type set prefix=(hdX,Y)/grub
).To expand console capabilities, insert the linux
module:
grub rescue> insmod i386-pc/linux.mod
or simply
grub rescue> insmod linux
This introduces the linux
and initrd
commands, which should be familiar.
An example, booting Arch Linux:
set root=(hd0,5) linux /boot/vmlinuz-linux root=/dev/sda5 initrd /boot/initramfs-linux.img boot
With a separate boot partition (e.g. when using UEFI), again change the lines accordingly:
set root=(hd0,5) linux (hdX,Y)/vmlinuz-linux root=/dev/sda6 initrd (hdX,Y)/initramfs-linux.img boot
error: premature end of file /YOUR_KERNEL_NAME
during execution of linux
command, you can try linux16
instead.After successfully booting the Arch Linux installation, users can correct grub.cfg
as needed and then reinstall GRUB.
To reinstall GRUB and fix the problem completely, changing /dev/sda
if needed. See #Installation for details.
GRUB removal
UEFI systems
Before removing grub, make sure that some other boot loader is installed and configured to take over.
$ efibootmgr
BootOrder: 0003,0001,0000,0002 Boot0000* Windows Boot Manager HD(2,GPT,4dabbedf-191b-4432-bc09-8bcbd1d7dabf,0x109000,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi) Boot0001* GRUB HD(2,GPT,4dabbedf-191b-4432-bc09-8bcbd1d7dabf,0x109000,0x32000)/File(\EFI\GRUB\grubx64.efi) Boot0002* Linux-Firmware-Updater HD(2,GPT,5dabbedf-191b-4432-bc09-8bcbd1d7dabf,0x109000,0x32000)/File(\EFI\arch\fwupdx64.efi) Boot0003* Linux Boot Manager HD(2,GPT,4dabbedf-191b-4432-bc09-8bcbd1d7dabf,0x109000,0x32000)/File(\EFI\systemd\systemd-bootx64.efi)
If BootOrder
has grub as the first entry, install another bootloader to put it in front, such as systemd-boot above. grub can then be removed using its bootnum.
# efibootmgr --delete-bootnum -b 1
Also delete the esp/EFI/grub
and /boot/grub
directories.
BIOS systems
To replace grub with any other BIOS boot loader, simply install them, which will overwrite the MBR boot code.
grub-install
creates the /boot/grub
directory that needs to be removed manually. Though some users will want to keep it, should they want to install grub again.
After migrating to UEFI/GPT one may want to remove the MBR boot code using dd.
Troubleshooting
Unsupported file systems
In case that GRUB does not support the root file system, an alternative /boot
partition with a supported file system must be created. In some cases, the development version of GRUB grub-gitAUR may have native support for the file system.
If GRUB is used with an unsupported file system it is not able to extract the UUID of your drive so it uses classic non-persistent /dev/sdXx
names instead. In this case you might have to manually edit /boot/grub/grub.cfg
and replace root=/dev/sdXx
with root=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
. You can use the blkid
command to get the UUID of your device, see Persistent block device naming.
While GRUB supports F2FS since version 2.0.4, it cannot correctly read its boot files from an F2FS partition that was created with the extra_attr
flag enabled.
Enable debug messages
Add:
set pager=1 set debug=all
to grub.cfg
.
msdos-style error message
grub-setup: warn: This msdos-style partition label has no post-MBR gap; embedding will not be possible! grub-setup: warn: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and its use is discouraged. grub-setup: error: If you really want blocklists, use --force.
This error may occur when you try installing GRUB in a VMware container. Read more about it here. It happens when the first partition starts just after the MBR (block 63), without the usual space of 1 MiB (2048 blocks) before the first partition. Read #Master Boot Record (MBR) specific instructions
UEFI
Common installation errors
- An error that may occur on some UEFI devices is
Could not prepare Boot variable: Read-only file system
. You have to remount/sys/firmware/efi/efivars
with read-write enabled.# mount -o remount,rw,nosuid,nodev,noexec --types efivarfs efivarfs /sys/firmware/efi/efivars
See the Gentoo Wiki on installing the boot loader. - If you have a problem running grub-install with sysfs or procfs and it says you must run
modprobe efivarfs
try mounting the efivarfs with the command above. - Without
--target
or--directory
option, grub-install cannot determine for which firmware to install. In such casesgrub-install
will printsource_dir does not exist. Please specify --target or --directory
. - If after running grub-install you get
error: esp doesn't look like an EFI partition
, then the partition is most likely not FAT32 formatted.
Create a GRUB entry in the firmware boot manager
grub-install
automatically tries to create a menu entry in the boot manager. If it does not, then see UEFI#efibootmgr for instructions to use efibootmgr
to create a menu entry. However, the problem is likely to be that you have not booted your CD/USB in UEFI mode, as in UEFI#Create UEFI bootable USB from ISO.
As another example of creating a GRUB entry in the firmware boot manager, consider efibootmgr -c
. This assumes that /dev/sda1
is the EFI System Partition, and is mounted at /boot/efi
. Which are the default behavior of efibootmgr
. It creates a new boot option, called "Linux", and puts it at the top of the boot order list. Options may be passed to modify the default behavior. The default OS Loader is \EFI\arch\grub.efi
.
Drop to rescue shell
If GRUB loads but drops into the rescue shell with no errors, it can be due to one of these two reasons:
- It may be because of a missing or misplaced
grub.cfg
. This will happen if GRUB UEFI was installed with--boot-directory
andgrub.cfg
is missing, - It also happens if the boot partition, which is hardcoded into the
grubx64.efi
file, has changed.
GRUB UEFI not loaded
An example of a working UEFI:
# efibootmgr -u
BootCurrent: 0000 Timeout: 3 seconds BootOrder: 0000,0001,0002 Boot0000* GRUB HD(1,800,32000,23532fbb-1bfa-4e46-851a-b494bfe9478c)File(\EFI\GRUB\grubx64.efi) Boot0001* Shell HD(1,800,32000,23532fbb-1bfa-4e46-851a-b494bfe9478c)File(\shellx64.efi) Boot0002* Festplatte BIOS(2,0,00)P0: SAMSUNG HD204UI
If the screen only goes black for a second and the next boot option is tried afterwards, according to this post, moving GRUB to the partition root can help. The boot option has to be deleted and recreated afterwards. The entry for GRUB should look like this then:
Boot0000* GRUB HD(1,800,32000,23532fbb-1bfa-4e46-851a-b494bfe9478c)File(\grubx64.efi)
Default/fallback boot path
Some UEFI firmwares require a bootable file at a known location before they will show UEFI NVRAM boot entries. If this is the case, grub-install
will claim efibootmgr
has added an entry to boot GRUB, however the entry will not show up in the VisualBIOS boot order selector. The solution is to install GRUB at the default/fallback boot path:
# grub-install --target=x86_64-efi --efi-directory=esp --removable
Alternatively you can move an already installed GRUB EFI executable to the default/fallback path:
# mv esp/EFI/grub esp/EFI/BOOT # mv esp/EFI/BOOT/grubx64.efi esp/EFI/BOOT/BOOTX64.EFI
Invalid signature
If trying to boot Windows results in an "invalid signature" error, e.g. after reconfiguring partitions or adding additional hard drives, (re)move GRUB's device configuration and let it reconfigure:
# mv /boot/grub/device.map /boot/grub/device.map-old # grub-mkconfig -o /boot/grub/grub.cfg
grub-mkconfig
should now mention all found boot options, including Windows. If it works, remove /boot/grub/device.map-old
.
Boot freezes
If booting gets stuck without any error message after GRUB loading the kernel and the initial ramdisk, try removing the add_efi_memmap
kernel parameter.
Arch not found from other OS
Some have reported that other distributions may have trouble finding Arch Linux automatically with os-prober
. If this problem arises, it has been reported that detection can be improved with the presence of /etc/lsb-release
. This file and updating tool is available with the package lsb-release.
Warning when installing in chroot
When installing GRUB on a LVM system in a chroot environment (e.g. during system installation), you may receive warnings like
/run/lvm/lvmetad.socket: connect failed: No such file or directory
or
WARNING: failed to connect to lvmetad: No such file or directory. Falling back to internal scanning.
This is because /run
is not available inside the chroot. These warnings will not prevent the system from booting, provided that everything has been done correctly, so you may continue with the installation.
GRUB loads slowly
GRUB can take a long time to load when disk space is low. Check if you have sufficient free disk space on your /boot
or /
partition when you are having problems.
error: unknown filesystem
GRUB may output error: unknown filesystem
and refuse to boot for a few reasons. If you are certain that all UUIDs are correct and all filesystems are valid and supported, it may be because your BIOS Boot Partition is located outside the first 2 TiB of the drive [4]. Use a partitioning tool of your choice to ensure this partition is located fully within the first 2 TiB, then reinstall and reconfigure GRUB.
This error might also be caused by an ext4 filesystem having unsupported features set:
large_dir
- unsupported.metadata_csum_seed
- will be supported in GRUB 2.11 (commit).
/boot
file system.grub-reboot not resetting
GRUB seems to be unable to write to root Btrfs partitions [5]. If you use grub-reboot to boot into another entry it will therefore be unable to update its on-disk environment. Either run grub-reboot from the other entry (for example when switching between various distributions) or consider a different file system. You can reset a "sticky" entry by executing grub-editenv create
and setting GRUB_DEFAULT=0
in your /etc/default/grub
(do not forget grub-mkconfig -o /boot/grub/grub.cfg
).
Old Btrfs prevents installation
If a drive is formatted with Btrfs without creating a partition table (eg. /dev/sdx), then later has partition table written to, there are parts of the BTRFS format that persist. Most utilities and OS's do not see this, but GRUB will refuse to install, even with --force
# grub-install: warning: Attempting to install GRUB to a disk with multiple partition labels. This is not supported yet.. # grub-install: error: filesystem `btrfs' does not support blocklists.
You can zero the drive, but the easy solution that leaves your data alone is to erase the Btrfs superblock with wipefs -o 0x10040 /dev/sdx
Windows 8/10 not found
A setting in Windows 8/10 called "Hiberboot", "Hybrid Boot" or "Fast Boot" can prevent the Windows partition from being mounted, so grub-mkconfig
will not find a Windows install. Disabling Hiberboot in Windows will allow it to be added to the GRUB menu.
GRUB rescue and encrypted /boot
When using an encrypted /boot, and you fail to input a correct password, you will be dropped in grub-rescue prompt.
This grub-rescue prompt has limited capabilities. Use the following commands to complete the boot:
grub rescue> cryptomount <partition> grub rescue> insmod normal grub rescue> normal
See this blog post[dead link 2023-04-23 ⓘ] for a better description.
Check /etc/default/grub
if GRUB_TIMEOUT
is set to 0
, in which case set it to a positive number: it sets the number of seconds before the default GRUB entry is loaded. Also check if GRUB_TIMEOUT_STYLE
is set to hidden
and set it to menu
, so that the menu will be shown by default. Then regenerate the main configuration file and reboot to check if it worked.
If it does not work, there may be incompatibility problems with the graphical terminal. Set GRUB_TERMINAL_OUTPUT
to console
in /etc/default/grub
to disable the GRUB graphical terminal.