GRUB/Tips and tricks

From ArchWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Alternative installation methods

Install to external USB stick

BIOS

Assume your USB stick's first partition is FAT32 and its partition is /dev/sdy1

# mkdir -p /mnt/usb
# mount /dev/sdy1 /mnt/usb
# grub-install --target=i386-pc --debug --boot-directory=/mnt/usb/boot /dev/sdy
# grub-mkconfig -o /mnt/usb/boot/grub/grub.cfg

Optionally backup configuration files of grub.cfg:

# mkdir -p /mnt/usb/etc/default
# cp /etc/default/grub /mnt/usb/etc/default
# cp -a /etc/grub.d /mnt/usb/etc
# sync; umount /mnt/usb

EFI

To have grub write its EFI image to esp/EFI/BOOT/BOOTX64.efi, which the boot firmware will be able to find without any UEFI boot entry, use --removable when you run grub-install.

Install to partition or partitionless disk

Warning: GRUB strongly discourages installation to a partition boot sector or a partitionless disk as GRUB Legacy or Syslinux does. This setup is prone to breakage, especially during updates, and is not supported by the Arch developers.

To set up grub to a partition boot sector, to a partitionless disk (also called superfloppy) or to a floppy disk, run (using for example /dev/sdaX as the /boot partition):

# chattr -i /boot/grub/i386-pc/core.img
# grub-install --target=i386-pc --debug --force /dev/sdaX
# chattr +i /boot/grub/i386-pc/core.img
Note:
  • /dev/sdaX used for example only.
  • --target=i386-pc instructs grub-install to install for BIOS systems only. It is recommended to always use this option to remove ambiguity in grub-install.

You need to use the --force option to allow usage of blocklists and should not use --grub-setup=/bin/true (which is similar to simply generating core.img).

grub-install will give out warnings like which should give you the idea of what might go wrong with this approach:

/sbin/grub-setup: warn: Attempting to install GRUB to a partitionless disk or to a partition. This is a BAD idea.
/sbin/grub-setup: warn: Embedding is not possible. GRUB can only be installed in this setup by using blocklists.
                        However, blocklists are UNRELIABLE and their use is discouraged.

Without --force you may get the below error and grub-setup will not setup its boot code in the partition boot sector:

/sbin/grub-setup: error: will not proceed with blocklists

With --force you should get:

Installation finished. No error reported.

The reason why grub-setup does not by default allow this is because in case of partition or a partitionless disk is that GRUB relies on embedded blocklists in the partition bootsector to locate the /boot/grub/i386-pc/core.img file and the prefix directory /boot/grub. The sector locations of core.img may change whenever the file system in the partition is being altered (files copied, deleted etc.). For more info, see https://bugzilla.redhat.com/show_bug.cgi?id=728742 and https://bugzilla.redhat.com/show_bug.cgi?id=730915.

The workaround for this is to set the immutable flag on /boot/grub/i386-pc/core.img (using chattr command as mentioned above) so that the sector locations of the core.img file in the disk is not altered. The immutable flag on /boot/grub/i386-pc/core.img needs to be set only if GRUB is installed to a partition boot sector or a partitionless disk, not in case of installation to MBR or simple generation of core.img without embedding any bootsector (mentioned above).

Unfortunately, the grub.cfg file that is created will not contain the proper UUID in order to boot, even if it reports no errors. see https://bbs.archlinux.org/viewtopic.php?pid=1294604#p1294604. In order to fix this issue the following commands:

# mount /dev/sdxY /mnt        #Your root partition.
# mount /dev/sdxZ /mnt/boot   #Your boot partition (if you have one).
# arch-chroot /mnt

Now, install linux, then:

# grub-mkconfig -o /boot/grub/grub.cfg

Generate core.img alone

To populate the /boot/grub directory and generate a /boot/grub/i386-pc/core.img file without embedding any GRUB bootsector code in the MBR, post-MBR region, or the partition bootsector, add --grub-setup=/bin/true to grub-install:

# grub-install --target=i386-pc --grub-setup=/bin/true --debug /dev/sda
Note:
  • /dev/sda used for example only.
  • --target=i386-pc instructs grub-install to install for BIOS systems only. It is recommended to always use this option to remove ambiguity in grub-install.

You can then chainload GRUB's core.img from GRUB Legacy or syslinux as a Linux kernel or as a multiboot kernel (see also Syslinux#Chainloading).

GUI configuration tools

  • grub-customizer — GTK customizer for GRUB or BURG
https://launchpad.net/grub-customizer || grub-customizer

Visual configuration

In GRUB it is possible, by default, to change the look of the menu. Make sure to initialize, if not done already, GRUB graphical terminal, gfxterm, with proper video mode, gfxmode, in GRUB. This video mode is passed by GRUB to the linux kernel via 'gfxpayload' so any visual configurations need this mode in order to be in effect.

Setting the framebuffer resolution

GRUB can set the framebuffer for both GRUB itself and the kernel. The old vga= way is deprecated. The preferred method is editing /etc/default/grub as the following sample to set width (pixels) x height (pixels) x color depth:

GRUB_GFXMODE=1024x768x32
GRUB_GFXPAYLOAD_LINUX=keep

Multiple resolutions can be specified, including the default auto, so it is recommended that you edit the line to resemble GRUB_GFXMODE=desired_resolution,fallback_such_as_1024x768,auto. For more information, refer to the GRUB gfxmode documentation. The gfxpayload property will make sure the kernel keeps the resolution.

Note:
  • Only the modes supported by the graphics card via VESA BIOS Extensions can be used. To view the list of supported modes, install hwinfo and run hwinfo --framebuffer as root. Alternatively, enter the GRUB command line and run the command videoinfo.
  • Earlier versions of the NVIDIA proprietary driver (tested with GeForce GTX 970, driver: nvidia 370) accepts GRUB_GFXMODE in format widthxheight-depth (e.g. 1920x1200-24, but not 1920x1200x24). This does not appear to apply to newer cards and drivers. Pascal cards with more recent drivers (tested with GeForce GTX 1060 and nvidia 381.22) will not work with the suggested format and attempting to use it results in serious issues, including but not limited to system crashes and hard locks. The current driver and cards are best configured with GRUB_GFXMODE in the standard widthxheightxdepth format.
  • Make sure to run grub-mkconfig -o /boot/grub/grub.cfg after making changes.

If this method does not work for you, the deprecated vga= method will still work. Just add it next to the "GRUB_CMDLINE_LINUX_DEFAULT=" line in /etc/default/grub for example: "GRUB_CMDLINE_LINUX_DEFAULT="quiet splash vga=792" will give you a 1024x768 resolution.

915resolution hack

Sometimes for Intel graphic adapters neither # hwinfo --framebuffer nor videoinfo will show you the desired resolution. In this case you can use the 915resolution hack. This hack will temporarily modify video BIOS and add needed resolution. See 915resolution's home page. The package can be found here: 915resolutionAUR

First you need to find a video mode which will be modified later. For that we need the GRUB command shell:

sh:grub> 915resolution -l
Intel 800/900 Series VBIOS Hack : version 0.5.3
[...]
Mode 30 : 640x480, 8 bits/pixel
[...]

Next, we overwrite the Mode 30 with 1440x900 resolution:

/etc/grub.d/00_header
[...]
915resolution 30 1440 900  # Inserted line
set gfxmode=${GRUB_GFXMODE}
[...]

Lastly we need to set GRUB_GFXMODE as described earlier, regenerate grub.cfg and reboot to test changes.

Background image and bitmap fonts

GRUB comes with support for background images and bitmap fonts in pf2 format. The unifont font is included in the grub package under the filename unicode.pf2, or, as only ASCII characters under the name ascii.pf2. Run pacman -Ql grub | grep pf2 to get the file paths.

Image formats supported include tga, png and jpeg, providing the correct modules are loaded. The maximum supported resolution depends on your hardware.

Make sure you have set up the proper framebuffer resolution.

Edit /etc/default/grub like this:

GRUB_BACKGROUND="/boot/grub/myimage"
#GRUB_THEME="/path/to/gfxtheme"
GRUB_FONT="/path/to/font.pf2"
Note: If you have installed GRUB on a separate partition, /boot/grub/myimage automatically becomes /grub/myimage in grub.cfg.

Re-generate grub.cfg to apply the changes. If adding the splash image was successful, the user will see "Found background image..." in the terminal as the command is executed. If this phrase is not seen, the image information was probably not incorporated into the grub.cfg file.

If the image is not displayed, check:

  • The path and the filename in /etc/default/grub are correct
  • The image is of the proper size and format (tga, png, 8-bit jpg)
  • The image was saved in the RGB mode, and is not indexed
  • The console mode is not enabled in /etc/default/grub
  • The command grub-mkconfig must be executed to place the background image information into the /boot/grub/grub.cfg file
  • The grub-mkconfig scripts will not quote the file name in grub.cfg so make sure it does not contain spaces

Theme

Here is an example for configuring Starfield theme which was included in GRUB package.

Edit /etc/default/grub:

GRUB_THEME="/usr/share/grub/themes/starfield/theme.txt"

Re-generate grub.cfg to apply the changes. If configuring the theme was successful, you will see Found theme: /usr/share/grub/themes/starfield/theme.txt in the terminal.

Your splash image will usually not be displayed when using a theme.

Menu colors

You can set the menu colors in GRUB. The available colors for GRUB can be found in the GRUB Manual. Here is an example:

Edit /etc/default/grub:

GRUB_COLOR_NORMAL="light-blue/black"
GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

Hidden menu

One of the unique features of GRUB is hiding/skipping the menu and showing it by holding Esc when needed. You can also adjust whether you want to see the timeout counter.

Edit /etc/default/grub as you wish. Here are the lines you need to add to enable this feature, the timeout has been set to five seconds and to be shown to the user:

GRUB_TIMEOUT=5
GRUB_TIMEOUT_STYLE='countdown'

GRUB_TIMEOUT is how many seconds before displaying menu.

Disable framebuffer

Users who use NVIDIA proprietary driver might wish to disable GRUB's framebuffer as it can cause problems with the binary driver.

To disable framebuffer, edit /etc/default/grub and uncomment the following line:

GRUB_TERMINAL_OUTPUT=console

Another option if you want to keep the framebuffer in GRUB is to revert to text mode just before starting the kernel. To do that modify the variable in /etc/default/grub:

GRUB_GFXPAYLOAD_LINUX=text

Booting ISO9660 image file directly via GRUB

GRUB supports booting from ISO images directly via loopback devices, see Multiboot USB drive#Using GRUB and loopback devices for examples.

Password protection of GRUB menu

Warning: If someone has physical access to your machine and is able to boot a live USB/disk (i.e., BIOS allows booting from an external disk), it is fairly trivial for one to modify GRUB configuration files to bypass this if /boot resides on an unencrypted partition. See GRUB#Encrypted /boot and Security#Data-at-rest encryption.

If you want to secure GRUB so it is not possible for anyone to change boot parameters or use the command line, you can add a user/password combination to GRUB's configuration files. To do this, run the command grub-mkpasswd-pbkdf2. Enter a password and confirm it:

$ grub-mkpasswd-pbkdf2
[...]
Your PBKDF2 is grub.pbkdf2.sha512.10000.C8ABD3E93C4DFC83138B0C7A3D719BC650E6234310DA069E6FDB0DD4156313DA3D0D9BFFC2846C21D5A2DDA515114CF6378F8A064C94198D0618E70D23717E82.509BFA8A4217EAD0B33C87432524C0B6B64B34FBAD22D3E6E6874D9B101996C5F98AB1746FE7C7199147ECF4ABD8661C222EEEDB7D14A843261FFF2C07B1269A

Then, adjust permissions on /etc/grub.d/40_custom such that only root can read it and add the following to this file:

/etc/grub.d/40_custom
set superusers="username"
password_pbkdf2 username password

where password is the string generated by grub-mkpasswd_pbkdf2.

Regenerate your configuration file. Your GRUB command line, boot parameters and all boot entries are now protected.

This can be relaxed and further customized with more users as described in the "Security" part of the GRUB manual.

Password protection of GRUB edit and console options only

Adding --unrestricted to a menu entry will allow any user to boot the OS while preventing the user from editing the entry and preventing access to the grub command console. Only a superuser or users specified with the --user switch will be able to edit the menu entry.

/boot/grub/grub.cfg
menuentry 'Arch Linux' --unrestricted --class arch --class gnu-linux --class os ...

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: /etc/grub.d/10_linux should not be edited, it will be overwritten when grub is updated. (Discuss in Talk:GRUB/Tips and tricks)

In order to make Linux entries --unrestricted, the CLASS variable in the beginning of /etc/grub.d/10_linux can be modified.

/etc/grub.d/10_linux
CLASS="--class gnu-linux --class gnu --class os --unrestricted"

Hide GRUB unless the Shift key is held down

In order to achieve the fastest possible boot, instead of having GRUB wait for a timeout, it is possible for GRUB to hide the menu, unless the Shift key is held down during GRUB's start-up.

In order to achieve this, you should add the following line to /etc/default/grub:

GRUB_FORCE_HIDDEN_MENU="true"

Then create the file /etc/grub.d/31_hold_shift containing [1], make it exectuable, and regenerate the grub configuration:

# chmod a+x /etc/grub.d/31_hold_shift
# grub-mkconfig -o /boot/grub/grub.cfg
Note: This setup uses keystatus to detect keypress event so it may not work on some machines.

Combining the use of UUIDs and basic scripting

If you like the idea of using UUIDs to avoid unreliable BIOS mappings or are struggling with GRUB's syntax, here is an example boot menu item that uses UUIDs and a small script to direct GRUB to the proper disk partitions for your system. All you need to do is replace the UUIDs in the sample with the correct UUIDs for your system. The example applies to a system with a boot and root partition. You will obviously need to modify the GRUB configuration if you have additional partitions:

menuentry "Arch Linux 64" {
    # Set the UUIDs for your boot and root partition respectively
    set the_boot_uuid=ece0448f-bb08-486d-9864-ac3271bd8d07
    set the_root_uuid=c55da16f-e2af-4603-9e0b-03f5f565ec4a

    # (Note: This may be the same as your boot partition)

    # Get the boot/root devices and set them in the root and grub_boot variables
    search --fs-uuid $the_root_uuid --set=root
    search --fs-uuid $the_boot_uuid --set=grub_boot

    # Check to see if boot and root are equal.
    # If they are, then append /boot to $grub_boot (Since $grub_boot is actually the root partition)
    if [ $the_boot_uuid == $the_root_uuid ] ; then
        set grub_boot=($grub_boot)/boot
    else
        set grub_boot=($grub_boot)
    fi

    # $grub_boot now points to the correct location, so the following will properly find the kernel and initrd
    linux $grub_boot/vmlinuz-linux root=/dev/disk/by-uuid/$the_root_uuid ro
    initrd $grub_boot/initramfs-linux.img
}

Multiple entries

Disable submenu

If you have multiple kernels installed, say linux and linux-lts, by default grub-mkconfig groups them in a submenu. If you do not like this behaviour you can go back to one single menu by adding the following line to /etc/default/grub:

GRUB_DISABLE_SUBMENU=y

Recall previous entry

GRUB can remember the last entry you booted from and use this as the default entry to boot from next time. This is useful if you have multiple kernels (i.e., the current Arch one and the LTS kernel as a fallback option) or operating systems. To do this, edit /etc/default/grub and change the value of GRUB_DEFAULT:

GRUB_DEFAULT=saved

This ensures that GRUB will default to the saved entry. To enable saving the selected entry, add the following line to /etc/default/grub:

GRUB_SAVEDEFAULT=true

This will only work if /boot is not a btrfs, because grub cannot write to btrfs. But it will generate a misleading error message: "sparse file not allowed. Press any key to continue.".

Note: Manually added menu items, e.g. Windows in /etc/grub.d/40_custom or /boot/grub/custom.cfg, will need savedefault added.

Changing the default menu entry

To change the default selected entry, edit /etc/default/grub and change the value of GRUB_DEFAULT:

Using menu titles :

GRUB_DEFAULT='Advanced options for Arch Linux>Arch Linux, with Linux linux'

Using numbers :

GRUB_DEFAULT="1>2"

Grub identifies entries in generated menu counted from zero. That means 0 for the first entry which is the default value, 1 for the second and so on. Main and submenu entries are separated by a >.

The example above boots the third entry from the main menu 'Advanced options for Arch Linux'.

Boot non-default entry only once

The command grub-reboot is very helpful to boot another entry than the default only once. GRUB loads the entry passed in the first command line argument, when the system is rebooted the next time. Most importantly GRUB returns to loading the default entry for all future booting. Changing the configuration file or selecting an entry in the GRUB menu is not necessary.

Note: This requires GRUB_DEFAULT=saved in /etc/default/grub (and then regenerating grub.cfg) or, in case of hand-made grub.cfg, the line set default="${saved_entry}".

Play a tune

You can play a tune through the PC-speaker while booting (right before the menu appears) by modifying the variable GRUB_INIT_TUNE. For example, to play Berlioz's extract from Sabbath Night of Symphonie Fantastique (bassoon part) you can add the following:

GRUB_INIT_TUNE="312 262 3 247 3 262 3 220 3 247 3 196 3 220 3 220 3 262 3 262 3 294 3 262 3 247 3 220 3 196 3 247 3 262 3 247 5 220 1 220 5"

Tango-edit-cut.pngThis section is being considered for removal.Tango-edit-cut.png

Reason: Common samples should be listed elsewhere, there should be just a link. (Discuss in Talk:GRUB/Tips and tricks)

You can add a menu entry to play each of these common GRUB_INIT_TUNE samples by creating the following file and then re-running grub-mkconfig.

/etc/grub.d/91_tune_demo
#!/bin/sh
exec tail -n +3 $0
menuentry "INIT_TUNE Demos" {
   echo "Close Encounters/5 Tone"
   play 480 900 2 1000 2 800 2 400 2 600 3
   echo "Fur Elise (note long)"
   play 480 420 1 400 1 420 1 400 1 420 1 315 1 370 1 335 1 282 3 180 1 215 1 282 1 315 3 213 1 262 1 315 1 335 3 213 1 420 1 400 1 420 1 400 1 420 1 315 1 370 1 335 1 282 3 180 1 215 1 282 1 315 3 213 1 330 1 315 1 282 3
   echo "Berlioz's extract from Sabbath Night of Symphonie Fantastique"
   play 312 262 3 247 3 262 3 220 3 247 3 196 3 220 3 220 3 262 3 262 3 294 3 262 3 247 3 220 3 196 3 247 3 262 3 247 5 220 1 220 5
   echo "Oldskool Batman tune"
   play 380 120 1 140 1 160 1 200 8 190 4
   echo "Legend of Zelda tune"
   play 12000 440 100 0 1 329 150 440 50 0 1 440 25 493 25 523 25 587 25 659 200
   echo "Super Mario"
   play 1000 334 1 334 1 0 1 334 1 0 1 261 1 334 1 0 1 392 2 0 4 196 2
   echo "Super Mario Alternate"
   play 480 165 2 165 2 165 3 554 1 587 1 554 2 370 1 554 1 523 2 349 1 523 1 494 3 165 2 165 2 165 2
   echo "Mario Mushroom"
   play 1750 523 1 392 1 523 1 659 1 784 1 1047 1 784 1 415 1 523 1 622 1 831 1 622 1 831 1 1046 1 1244 1 1661 1 1244 1 466 1 587 1 698 1 932 1 1175 1 1397 1 1865 1 1397 1
   echo "Star Wars Imperial Death March"
   play 480 440 4 440 4 440 4 349 3 523 1 440 4 349 3 523 1 440 8 659 4 659 4 659 4 698 3 523 1 415 4 349 3 523 1 440 8
   echo "My Little Pony"
   play 2400 587 18 554 4 587 8 659 12 587 16 0 10 587 4 659 4 740 8 587 4 784 12 740 8 659 8 587 4 740 20 587 40
   echo "Wolfenstein 3D"
   play 300 131 1 196 1 196 1 196 1 294 1 196 1 294 1 196 1 131 1
   echo "Mall (Nothing Special)"
   play 180 440 1 554 1 659 1
   echo "Final Countdown"
   play 480 554 1 494 1 554 4 370 6 10 3 587 1 554 1 587 2 554 2 494 6
   echo "Xie-Jelei's Tune"
   play 2000 400 4 0 1 500 4 0 1 600 4 0 1 800 6
   echo "Random tune"
   play 480 220 1 277 1 330 1 440 1 185 1 220 1 277 1 370 1 294 1 370 1 440 1 587 1 330 1 415 1 494 1 659 1
   echo "Fleetwood Mac: The Chain Bass Riff (about 5 seconds)"
   play 304 55 5 0 1 55 1 62 1 65 2 62 1 55 1 49 1 55 1 62 2 41 8
   echo "Fleetwood Mac: The Chain Bass Riff Extended Version (WARNING, 25 SECONDS)"
   play 9120 55 150 0 30 55 30 62 30 65 60 62 30 55 30 49 30 55 30 62 60 41 360 0 120 55 150 0 30 55 30 62 30 65 60 62 30 55 30 49 30 55 30 62 60 41 360 0 60 41 12 42 3 43 3 44 3 45 3 46 6 47 3 48 3 49 6 50 3 51 3 52 6 53 3 54 3 55 150 0 30 55 30 62 30 65 60 62 30 55 30 49 30 55 30 62 60 41 240 82 20 0 10 82 26 0 4 82 26 0 4 82 26 0 4 82 56 0 4 82 60 55 150 0 30 55 30 62 30 65 60 62 30 55 30 49 30 55 30 62 60 41 360 0 120
}

For information on this, you can look at info grub -n play.

Manual configuration of core image for early boot

If you require a special keymap or other complex steps that GRUB is not able to configure automatically in order to make /boot available to the GRUB environment, you can generate a core image yourself. On UEFI systems, the core image is the grubx64.efi file that is loaded by the firmware on boot. Building your own core image will allow you to embed any modules required for very early boot, as well as a configuration script to bootstrap GRUB.

Firstly, taking as an example a requirement for the dvorak keymap embedded in early-boot in order to enter a password for an encrypted /boot on a UEFI system:

Determine from the generated /boot/grub/grub.cfg file what modules are required in order to mount the crypted /boot. For instance, under your menuentry you should see lines similar to:

insmod diskfilter cryptodisk luks gcry_rijndael gcry_rijndael gcry_sha256
insmod ext2
cryptomount -u 1234abcdef1234abcdef1234abcdef
set root='cryptouuid/1234abcdef1234abcdef1234abcdef'

Take note of all of those modules: they will need to be included in the core image. Now, create a tarball containing your keymap. This will be bundled in the core image as a memdisk:

# grub-kbdcomp -o dvorak.gkb dvorak
# tar cf memdisk.tar dvorak.gkb

Now create a configuration file to be used in the GRUB core image. This is in the same format as your regular grub config, but need contain only a few lines to find and load the main config file on the /boot partition:

early-grub.cfg
set root=(memdisk)
set prefix=($root)/

terminal_input at_keyboard
keymap /dvorak.gkb

cryptomount -u 1234abcdef1234abcdef1234abcdef
set root='cryptouuid/1234abcdef1234abcdef1234abcdef'
set prefix=($root)/grub

configfile grub.cfg

Finally, generate the core image, listing all of the modules determined to be required in the generated grub.cfg, along with any modules used in the early-grub.cfg script. The example above needs memdisk, tar, at_keyboard, keylayouts and configfile.

# grub-mkimage -c early-grub.cfg -o grubx64.efi -O x86_64-efi -m memdisk.tar diskfilter cryptodisk luks gcry_rijndael gcry_sha256 ext2 memdisk tar at_keyboard keylayouts configfile

The generated EFI core image can now be used in the same way as the image that is generated automatically by grub-install: place it in your EFI partition and enable it with efibootmgr, or configure as appropriate for your system firmware.

See also Debian cryptsetup docs.

UEFI further reading

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: This could be made more concise, better organized. (Discuss in Talk:GRUB/Tips and tricks)

Below is other relevant information regarding installing Arch via UEFI.

Alternative install method

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: What would be the reason to place all of GRUB's files in the ESP? (Discuss in Talk:GRUB/Tips and tricks)

Usually, GRUB keeps all files, including configuration files, in /boot, regardless of where the EFI System Partition is mounted.

If you want to keep these files inside the EFI System Partition itself, add --boot-directory=esp to the grub-install command:

# grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=grub --boot-directory=esp --debug

This puts all GRUB files in esp/grub, instead of in /boot/grub. When using this method, make sure you have grub-mkconfig put the configuration file in the same place:

# grub-mkconfig -o esp/grub/grub.cfg

Configuration is otherwise the same.

UEFI firmware workaround

See GRUB#Default/fallback boot path.

GRUB standalone

This section assumes you are creating a standalone GRUB for x86_64 systems (x86_64-efi). For 32-bit (IA32) EFI systems, replace x86_64-efi with i386-efi where appropriate.

It is possible to create a grubx64_standalone.efi application which has all the modules embedded in a tar archive within the UEFI application, thus removing the need to have a separate directory populated with all of the GRUB UEFI modules and other related files. This is done using the grub-mkstandalone command (included in grub) as follows:

# echo 'configfile ${cmdpath}/grub.cfg' > /tmp/grub.cfg
# grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi --modules="part_gpt part_msdos" --locales="en@quot" --themes="" -o "esp/EFI/grub/grubx64_standalone.efi" "boot/grub/grub.cfg=/tmp/grub.cfg" -v

Then copy the GRUB config file to esp/EFI/grub/grub.cfg and create a UEFI Boot Manager entry for esp/EFI/grub/grubx64_standalone.efi using efibootmgr.

Note: The option --modules="part_gpt part_msdos" (with the quotes) is necessary for the ${cmdpath} feature to work properly.
Warning: You may find that the grub.cfg file is not loaded due to ${cmdpath} missing a slash (i.e. (hd1,msdos2)EFI/Boot instead of (hd1,msdos2)/EFI/Boot) and so you are dropped into a GRUB shell. If this happens determine what ${cmdpath} is set to (echo ${cmdpath} ) and then load the config file manually (e.g. configfile (hd1,msdos2)/EFI/Boot/grub.cfg).

Technical information

The GRUB EFI file always expects its config file to be at ${prefix}/grub.cfg. However in the standalone GRUB EFI file, the ${prefix} is located inside a tar archive and embedded inside the standalone GRUB EFI file itself (inside the GRUB environment, it is denoted by "(memdisk)", without quotes). This tar archive contains all the files that would be stored normally at /boot/grub in case of a normal GRUB EFI install.

Due to this embedding of /boot/grub contents inside the standalone image itself, it does not rely on actual (external) /boot/grub for anything. Thus in case of standalone GRUB EFI file ${prefix}==(memdisk)/boot/grub and the standalone GRUB EFI file reads expects the config file to be at ${prefix}/grub.cfg==(memdisk)/boot/grub/grub.cfg.

Hence to make sure the standalone GRUB EFI file reads the external grub.cfg located in the same directory as the EFI file (inside the GRUB environment, it is denoted by ${cmdpath} ), we create a simple /tmp/grub.cfg which instructs GRUB to use ${cmdpath}/grub.cfg as its config (configfile ${cmdpath}/grub.cfg command in (memdisk)/boot/grub/grub.cfg). We then instruct grub-mkstandalone to copy this /tmp/grub.cfg file to ${prefix}/grub.cfg (which is actually (memdisk)/boot/grub/grub.cfg) using the option "boot/grub/grub.cfg=/tmp/grub.cfg".

This way, the standalone GRUB EFI file and actual grub.cfg can be stored in any directory inside the EFI System Partition (as long as they are in the same directory), thus making them portable.

Speeding up LUKS decryption in GRUB

Warning: Before following this section, make sure you understand the importance of high entropy passwords. Information on how to generate secure passwords can be found at Wikipedia:Password strength.

Upon boot GRUB may in some cases take a long time to verify the password. This can be due to a high PBKDF iteration count, which you can check as follows:

# cryptsetup luksDump /dev/sda3

The problem is that the iteration count for a given keyslot is generated when the key is added to ensure a balance between being high enough to protect against brute force attacks and low enough to allow for fast key derivation by estimating the capabilities of your computer. However, when GRUB is started, it might not have the same computational resources at hand, thus being vastly slower.

If your password provides enough entropy to counter common attacks by itself, you can lower this number:

# cryptsetup luksChangeKey --pbkdf-force-iterations 1000 /dev/sda3

A minimum of 1000 iterations is recommended as per RFC 2898, but you should aim for higher values if you can (The cost for an attacker as well as the time for key derivation scale linearly).

Tip: GRUB tries enabled key slots sequentially. When adding keys, the --key-slot option can be used to specify a key slot explicitly.

See also