File: grub.texi

package info (click to toggle)
grub2 2.14-1
links: PTS, VCS
area: main
in suites:
size: 80,808 kB
sloc: ansic: 551,284; asm: 68,074; sh: 9,844; cpp: 2,095; makefile: 1,895; python: 1,546; sed: 450; lex: 393; yacc: 268; awk: 85; lisp: 54; perl: 31
file content (11470 lines) | stat: -rw-r--r-- 431,549 bytes
parent folder | download | duplicates (2)
\input texinfo
@c -*-texinfo-*-
@c %**start of header
@setfilename grub.info
@include version.texi
@settitle GNU GRUB Manual @value{VERSION}
@c Unify all our little indices for now.
@syncodeindex fn cp
@syncodeindex vr cp
@syncodeindex ky cp
@syncodeindex pg cp
@syncodeindex tp cp
@c %**end of header

@footnotestyle separate
@paragraphindent 3
@finalout

@copying
This manual is for GNU GRUB (version @value{VERSION},
@value{UPDATED}).

Copyright @copyright{} 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc.

@quotation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections.
@end quotation
@end copying

@dircategory Kernel
@direntry
* GRUB: (grub).                 The GRand Unified Bootloader
* grub-install: (grub)Invoking grub-install.    Install GRUB on your drive
* grub-mkconfig: (grub)Invoking grub-mkconfig.  Generate GRUB configuration
* grub-mkpasswd-pbkdf2: (grub)Invoking grub-mkpasswd-pbkdf2.
* grub-mkrelpath: (grub)Invoking grub-mkrelpath.
* grub-mkrescue: (grub)Invoking grub-mkrescue.  Make a GRUB rescue image
* grub-mount: (grub)Invoking grub-mount.        Mount a file system using GRUB
* grub-probe: (grub)Invoking grub-probe.        Probe device information
* grub-script-check: (grub)Invoking grub-script-check.
@end direntry

@setchapternewpage odd

@titlepage
@sp 10
@title the GNU GRUB manual
@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}.
@author Gordon Matzigkeit
@author Yoshinori K. Okuji
@author Colin Watson
@author Colin D. Bennett
@c The following two commands start the copyright page.
@page
@vskip 0pt plus 1filll
@insertcopying
@end titlepage

@c Output the table of contents at the beginning.
@contents

@finalout
@headings double

@ifnottex
@node Top
@top GNU GRUB manual

This is the documentation of GNU GRUB, the GRand Unified Bootloader,
a flexible and powerful boot loader program for a wide range of
architectures.

This edition documents version @value{VERSION}.

@insertcopying
@end ifnottex

@menu
* Introduction::                Capturing the spirit of GRUB
* Naming convention::           Names of your drives in GRUB
* OS-specific notes about grub tools:: 
                                Some notes about OS-specific behaviour of GRUB
                                tools
* Installation::                Installing GRUB on your drive
* Booting::                     How to boot different operating systems
* Configuration::               Writing your own configuration file
* Theme file format::           Format of GRUB theme files
* Network::                     Downloading OS images from a network
* Serial terminal::             Using GRUB via a serial line
* Vendor power-on keys::        Changing GRUB behaviour on vendor power-on keys
* Images::                      GRUB image files
* Core image size limitation::  GRUB image files size limitations
* Filesystem::                  Filesystem syntax and semantics
* Interface::                   The menu and the command-line
* Environment::                 GRUB environment variables
* Modules::                     Available modules
* Commands::                    Available builtin commands
* Internationalisation::        Topics relating to language support
* Security::                    Authentication, authorisation, and signatures
* Platform limitations::        Platform-specific limitations
* Platform-specific operations:: Platform-specific operations
* Supported kernels::           Supported kernels
* Troubleshooting::             Error messages produced by GRUB
* User-space utilities::        Usage of user-space utilities
* Obtaining and Building GRUB:: How to obtain and build GRUB
* Reporting bugs::              Where you should send a bug report
* Future::                      Some future plans on GRUB
* Copying This Manual::         Copying This Manual
* Index::
@end menu


@node Introduction
@chapter Introduction to GRUB

@menu
* Overview::                    What exactly GRUB is and how to use it
* History::                     From maggot to house fly
* Changes from GRUB Legacy::    Differences from previous versions
* Features::                    GRUB features
* Role of a boot loader::       The role of a boot loader
@end menu


@node Overview
@section Overview

Briefly, a @dfn{boot loader} is the first software program that runs when
a computer starts.  It is responsible for loading and transferring
control to an operating system @dfn{kernel} software (such as Linux or
GNU Mach).  The kernel, in turn, initializes the rest of the operating
system (e.g. a GNU system).

GNU GRUB is a very powerful boot loader, which can load a wide variety
of free operating systems, as well as proprietary operating systems with
chain-loading@footnote{@dfn{chain-load} is the mechanism for loading
unsupported operating systems by loading another boot loader. It is
typically used for loading DOS or Windows.}. GRUB is designed to
address the complexity of booting a personal computer; both the
program and this manual are tightly bound to that computer platform,
although porting to other platforms may be addressed in the future.

One of the important features in GRUB is flexibility; GRUB understands
filesystems and kernel executable formats, so you can load an arbitrary
operating system the way you like, without recording the physical
position of your kernel on the disk. Thus you can load the kernel
just by specifying its file name and the drive and partition where the
kernel resides.

When booting with GRUB, you can use either a command-line interface
(@pxref{Command-line interface}), or a menu interface (@pxref{Menu
interface}). Using the command-line interface, you type the drive
specification and file name of the kernel manually. In the menu
interface, you just select an OS using the arrow keys. The menu is
based on a configuration file which you prepare beforehand
(@pxref{Configuration}). While in the menu, you can switch to the
command-line mode, and vice-versa. You can even edit menu entries
before using them.

In the following chapters, you will learn how to specify a drive, a
partition, and a file name (@pxref{Naming convention}) to GRUB, how to
install GRUB on your drive (@pxref{Installation}), and how to boot your
OSes (@pxref{Booting}), step by step.


@node History
@section History of GRUB

GRUB originated in 1995 when Erich Boleyn was trying to boot the GNU
Hurd with the University of Utah's Mach 4 microkernel (now known as GNU
Mach).  Erich and Brian Ford designed the Multiboot Specification
(@pxref{Top, Multiboot Specification, Motivation, multiboot, The Multiboot
Specification}), because they were determined not to add to the large
number of mutually-incompatible PC boot methods.

Erich then began modifying the FreeBSD boot loader so that it would
understand Multiboot. He soon realized that it would be a lot easier
to write his own boot loader from scratch than to keep working on the
FreeBSD boot loader, and so GRUB was born.

Erich added many features to GRUB, but other priorities prevented him
from keeping up with the demands of its quickly-expanding user base. In
1999, Gordon Matzigkeit and Yoshinori K. Okuji adopted GRUB as an
official GNU package, and opened its development by making the latest
sources available via anonymous CVS. @xref{Obtaining and Building
GRUB}, for more information.

Over the next few years, GRUB was extended to meet many needs, but it
quickly became clear that its design was not keeping up with the extensions
being made to it, and we reached the point where it was very difficult to
make any further changes without breaking existing features.  Around 2002,
Yoshinori K. Okuji started work on PUPA (Preliminary Universal Programming
Architecture for GNU GRUB), aiming to rewrite the core of GRUB to make it
cleaner, safer, more robust, and more powerful.  PUPA was eventually renamed
to GRUB 2, and the original version of GRUB was renamed to GRUB Legacy.
Small amounts of maintenance continued to be done on GRUB Legacy, but the
last release (0.97) was made in 2005 and at the time of writing it seems
unlikely that there will be another.

By around 2007, GNU/Linux distributions started to use GRUB 2 to limited
extents, and by the end of 2009 multiple major distributions were installing
it by default.


@node Changes from GRUB Legacy
@section Differences from previous versions

GRUB 2 is a rewrite of GRUB (@pxref{History}), although it shares many
characteristics with the previous version, now known as GRUB Legacy.  Users
of GRUB Legacy may need some guidance to find their way around this new
version.

@itemize @bullet
@item
The configuration file has a new name (@file{grub.cfg} rather than
@file{menu.lst} or @file{grub.conf}), new syntax (@pxref{Configuration}) and
many new commands (@pxref{Commands}).  Configuration cannot be copied over
directly, although most GRUB Legacy users should not find the syntax too
surprising.

@item
@file{grub.cfg} is typically automatically generated by
@command{grub-mkconfig} (@pxref{Simple configuration}).  This makes it
easier to handle versioned kernel upgrades.

@item
Partition numbers in GRUB device names now start at 1, not 0 (@pxref{Naming
convention}).

@item
The configuration file is now written in something closer to a full
scripting language: variables, conditionals, and loops are available.

@item
A small amount of persistent storage is available across reboots, using the
@command{save_env} and @command{load_env} commands in GRUB and the
@command{grub-editenv} utility.  This is not available in all configurations
(@pxref{Environment block}).

@item
GRUB 2 has more reliable ways to find its own files and those of target
kernels on multiple-disk systems, and has commands (@pxref{search}) to find
devices using file system labels or Universally Unique Identifiers (UUIDs).

@item
GRUB 2 is available for several other types of system in addition to the PC
BIOS systems supported by GRUB Legacy: PC EFI, PC coreboot, PowerPC, SPARC,
and MIPS Lemote Yeeloong are all supported.

@item
Many more file systems are supported, including but not limited to ext4,
HFS+, and NTFS.

@item
GRUB 2 can read files directly from LVM and RAID devices.

@item
A graphical terminal and a graphical menu system are available.

@item
GRUB 2's interface can be translated, including menu entry names.

@item
The image files (@pxref{Images}) that make up GRUB have been reorganised;
Stage 1, Stage 1.5, and Stage 2 are no more.

@item
GRUB 2 puts many facilities in dynamically loaded modules, allowing the core
image to be smaller, and allowing the core image to be built in more
flexible ways.
@end itemize


@node Features
@section GRUB features

The primary requirement for GRUB is that it be compliant with the
@dfn{Multiboot Specification}, which is described in @ref{Top, Multiboot
Specification, Motivation, multiboot, The Multiboot Specification}.

The other goals, listed in approximate order of importance, are:

@itemize @bullet{}
@item
Basic functions must be straightforward for end-users.

@item
Rich functionality to support kernel experts and designers.

@item
Backward compatibility for booting FreeBSD, NetBSD, OpenBSD, and
Linux. Proprietary kernels (such as DOS, Windows NT, and OS/2) are
supported via a chain-loading function.
@end itemize

Except for specific compatibility modes (chain-loading and the Linux
@dfn{piggyback} format), all kernels will be started in much the same
state as in the Multiboot Specification. Only kernels loaded at 1 megabyte
or above are presently supported. Any attempt to load below that
boundary will simply result in immediate failure and an error message
reporting the problem.

In addition to the requirements above, GRUB has the following features
(note that the Multiboot Specification doesn't require all the features
that GRUB supports):

@table @asis
@item Recognize multiple executable formats
Support many of the @dfn{a.out} variants plus @dfn{ELF}. Symbol
tables are also loaded.

@item Support non-Multiboot kernels
Support many of the various free 32-bit kernels that lack Multiboot
compliance (primarily FreeBSD, NetBSD@footnote{The NetBSD/i386 kernel
is Multiboot-compliant, but lacks support for Multiboot modules.},
OpenBSD, and Linux). Chain-loading of other boot loaders is also
supported.

@item Load multiples modules
Fully support the Multiboot feature of loading multiple modules.

@item Load a configuration file
Support a human-readable text configuration file with preset boot
commands. You can also load another configuration file dynamically and
embed a preset configuration file in a GRUB image file. The list of
commands (@pxref{Commands}) are a superset of those supported on the
command-line. An example configuration file is provided in
@ref{Configuration}.

@item Provide a menu interface
A menu interface listing preset boot commands, with a programmable
timeout, is available. There is no fixed limit on the number of boot
entries, and the current implementation has space for several hundred.

@item Have a flexible command-line interface
A fairly flexible command-line interface, accessible from the menu,
is available to edit any preset commands, or write a new boot command
set from scratch. If no configuration file is present, GRUB drops to
the command-line.

The list of commands (@pxref{Commands}) are a subset of those supported
for configuration files. Editing commands closely resembles the Bash
command-line (@pxref{Command Line Editing, Bash, Command Line Editing,
features, Bash Features}), with @key{TAB}-completion of commands,
devices, partitions, and files in a directory depending on context.

@item Support multiple filesystem types
Support multiple filesystem types transparently, plus a useful explicit
blocklist notation. The currently supported filesystem types are @dfn{Amiga
Fast FileSystem (AFFS)}, @dfn{AtheOS fs}, @dfn{BeFS},
@dfn{BtrFS} (including raid0, raid1, raid10, gzip and lzo),
@dfn{cpio} (little- and big-endian bin, odc and newc variants),
@dfn{EROFS} (only uncompressed support for now),
@dfn{Linux ext2/ext3/ext4}, @dfn{DOS FAT12/FAT16/FAT32},
@dfn{exFAT}, @dfn{F2FS}, @dfn{HFS}, @dfn{HFS+},
@dfn{ISO9660} (including Joliet, Rock-ridge and multi-chunk files),
@dfn{JFS}, @dfn{Minix fs} (versions 1, 2 and 3), @dfn{nilfs2},
@dfn{NTFS} (including compression), @dfn{ReiserFS}, @dfn{ROMFS},
@dfn{Amiga Smart FileSystem (SFS)}, @dfn{Squash4}, @dfn{tar}, @dfn{UDF},
@dfn{BSD UFS/UFS2}, @dfn{XFS}, and @dfn{ZFS} (including lzjb, gzip,
zle, mirror, stripe, raidz1/2/3 and encryption in AES-CCM and AES-GCM).
@xref{Filesystem}, for more information.
Note: Only a subset of filesystems are supported in lockdown mode (such
as when secure boot is enabled, @pxref{Lockdown} for more information).

@item Support automatic decompression
Can decompress files which were compressed by @command{gzip} or
@command{xz}@footnote{Only CRC32 data integrity check is supported (xz default
is CRC64 so one should use --check=crc32 option). LZMA BCJ filters are
supported.}. This function is both automatic and transparent to the user
(i.e. all functions operate upon the uncompressed contents of the specified
files). This greatly reduces a file size and loading time, a
particularly great benefit for floppies.@footnote{There are a few
pathological cases where loading a very badly organized ELF kernel might
take longer, but in practice this never happen.}

It is conceivable that some kernel modules should be loaded in a
compressed state, so a different module-loading command can be specified
to avoid uncompressing the modules.

@item Access data on any installed device
Support reading data from any or all floppies or hard disk(s) recognized
by the BIOS, independent of the setting of the root device.

@item Be independent of drive geometry translations
Unlike many other boot loaders, GRUB makes the particular drive
translation irrelevant. A drive installed and running with one
translation may be converted to another translation without any adverse
effects or changes in GRUB's configuration.

@item Detect all installed @sc{ram}
GRUB can generally find all the installed @sc{ram} on a PC-compatible
machine. It uses an advanced BIOS query technique for finding all
memory regions. As described on the Multiboot Specification (@pxref{Top,
Multiboot Specification, Motivation, multiboot, The Multiboot
Specification}), not all kernels make use of this information, but GRUB
provides it for those who do.

@item Support Logical Block Address mode
In traditional disk calls (called @dfn{CHS mode}), there is a geometry
translation problem, that is, the BIOS cannot access over 1024
cylinders, so the accessible space is limited to at least 508 MB and to
at most 8GB. GRUB can't universally solve this problem, as there is no
standard interface used in all machines. However, several newer machines
have the new interface, Logical Block Address (@dfn{LBA}) mode. GRUB
automatically detects if LBA mode is available and uses it if
available. In LBA mode, GRUB can access the entire disk.

@item Support network booting
GRUB is basically a disk-based boot loader but also has network
support. You can load OS images from a network by using the @dfn{TFTP}
protocol.

@item Support remote terminals
To support computers with no console, GRUB provides remote terminal
support, so that you can control GRUB from a remote host. Only serial
terminal support is implemented at the moment.
@end table


@node Role of a boot loader
@section The role of a boot loader

The following is a quotation from Gordon Matzigkeit, a GRUB fanatic:

@quotation
Some people like to acknowledge both the operating system and kernel when
they talk about their computers, so they might say they use
``GNU/Linux'' or ``GNU/Hurd''.  Other people seem to think that the
kernel is the most important part of the system, so they like to call
their GNU operating systems ``Linux systems.''

I, personally, believe that this is a grave injustice, because the
@emph{boot loader} is the most important software of all. I used to
refer to the above systems as either ``LILO''@footnote{The LInux LOader,
a boot loader that everybody uses, but nobody likes.} or ``GRUB''
systems.

Unfortunately, nobody ever understood what I was talking about; now I
just use the word ``GNU'' as a pseudonym for GRUB.

So, if you ever hear people talking about their alleged ``GNU'' systems,
remember that they are actually paying homage to the best boot loader
around@dots{} GRUB!
@end quotation

We, the GRUB maintainers, do not (usually) encourage Gordon's level of
fanaticism, but it helps to remember that boot loaders deserve
recognition.  We hope that you enjoy using GNU GRUB as much as we did
writing it.


@node Naming convention
@chapter Naming convention

The device syntax used in GRUB is a wee bit different from what you may
have seen before in your operating system(s), and you need to know it so
that you can specify a drive/partition.

Look at the following examples and explanations:

@example
(fd0)
@end example

First of all, GRUB requires that the device name be enclosed with
@samp{(} and @samp{)}. The @samp{fd} part means that it is a floppy
disk. The number @samp{0} is the drive number, which is counted from
@emph{zero}. This expression means that GRUB will use the whole floppy
disk.

@example
(hd0,msdos2)
@end example

Here, @samp{hd} means it is a hard disk drive. The first integer
@samp{0} indicates the drive number, that is, the first hard disk,
the string @samp{msdos} indicates the partition scheme, while
the second integer, @samp{2}, indicates the partition number (or the
@sc{pc} slice number in the BSD terminology). The partition numbers are
counted from @emph{one}, not from zero (as was the case in previous
versions of GRUB). This expression means the second partition of the
first hard disk drive. In this case, GRUB uses one partition of the
disk, instead of the whole disk.

@example
(hd0,msdos5)
@end example

This specifies the first @dfn{extended partition} of the first hard disk
drive. Note that the partition numbers for extended partitions are
counted from @samp{5}, regardless of the actual number of primary
partitions on your hard disk.

@example
(hd1,msdos1,bsd1)
@end example

This means the BSD @samp{a} partition on first @sc{pc} slice number
of the second hard disk.

Of course, to actually access the disks or partitions with GRUB, you
need to use the device specification in a command, like @samp{set
root=(fd0)} or @samp{parttool (hd0,msdos3) hidden-}. To help you find out
which number specifies a partition you want, the GRUB command-line
(@pxref{Command-line interface}) options have argument
completion. This means that, for example, you only need to type

@example
set root=(
@end example

followed by a @key{TAB}, and GRUB will display the list of drives,
partitions, or file names. So it should be quite easy to determine the
name of your target partition, even with minimal knowledge of the
syntax.

Note that GRUB does @emph{not} distinguish IDE from SCSI - it simply
counts the drive numbers from zero, regardless of their type. Normally,
any IDE drive number is less than any SCSI drive number, although that
is not true if you change the boot sequence by swapping IDE and SCSI
drives in your BIOS.

Now the question is, how to specify a file? Again, consider an
example:

@example
(hd0,msdos1)/vmlinuz
@end example

This specifies the file named @samp{vmlinuz}, found on the first
partition of the first hard disk drive. Note that the argument
completion works with file names, too.

That was easy, admit it. Now read the next chapter, to find out how to
actually install GRUB on your drive.

@node OS-specific notes about grub tools
@chapter OS-specific notes about grub tools

On OS which have device nodes similar to Unix-like OS GRUB tools use the
OS name. E.g. for GNU/Linux:

@example
# @kbd{grub-install /dev/sda}
@end example

On AROS we use another syntax. For volumes:

@example
//:<volume name>
@end example

E.g.

@example
//:DH0
@end example

For disks we use syntax:
@example
//:<driver name>/unit/flags
@end example

E.g.

@example
# @kbd{grub-install //:ata.device/0/0}
@end example

On Windows we use UNC path. For volumes it's typically

@example
\\?\Volume@{<GUID>@}
\\?\<drive letter>:
@end example

E.g.

@example
\\?\Volume@{17f34d50-cf64-4b02-800e-51d79c3aa2ff@}
\\?\C:
@end example


For disks it's

@example
\\?\PhysicalDrive<number>
@end example

E.g.

@example
# @kbd{grub-install \\?\PhysicalDrive0}
@end example

Beware that you may need to further escape the backslashes depending on your
shell.

When compiled with cygwin support then cygwin drive names are automatically
when needed. E.g.

@example
# @kbd{grub-install /dev/sda}
@end example

@node Installation
@chapter Installation

In order to install GRUB as your boot loader, you need to first
install the GRUB system and utilities under your UNIX-like operating
system (@pxref{Obtaining and Building GRUB}). You can do this either
from the source tarball, or as a package for your OS.

After you have done that, you need to install the boot loader on a
drive (floppy or hard disk) by using the utility
@command{grub-install} (@pxref{Invoking grub-install}) on a UNIX-like OS.

GRUB comes with boot images, which are normally put in the directory
@file{/usr/lib/grub/<cpu>-<platform>} (for BIOS-based machines
@file{/usr/lib/grub/i386-pc}). Hereafter, the directory where GRUB images are
initially placed (normally @file{/usr/lib/grub/<cpu>-<platform>}) will be
called the @dfn{image directory}, and the directory where the boot
loader needs to find them (usually @file{/boot}) will be called
the @dfn{boot directory}.

@menu
* Installing GRUB using grub-install::
* Making a GRUB bootable CD-ROM::
* Device map::
* BIOS installation::
@end menu


@node Installing GRUB using grub-install
@section Installing GRUB using grub-install

For information on where GRUB should be installed on PC BIOS platforms,
@pxref{BIOS installation}.

In order to install GRUB under a UNIX-like OS (such
as @sc{gnu}), invoke the program @command{grub-install} (@pxref{Invoking
grub-install}) as the superuser (@dfn{root}).

The usage is basically very simple. You only need to specify one
argument to the program, namely, where to install the boot loader. The
argument has to be either a device file (like @samp{/dev/hda}).
For example, under Linux the following will install GRUB into the MBR
of the first IDE disk:

@example
# @kbd{grub-install /dev/sda}
@end example

Likewise, under GNU/Hurd, this has the same effect:

@example
# @kbd{grub-install /dev/hd0}
@end example

But all the above examples assume that GRUB should put images under
the @file{/boot} directory. If you want GRUB to put images under a directory
other than @file{/boot}, you need to specify the option
@option{--boot-directory}. The typical usage is that you create a GRUB
boot floppy with a filesystem. Here is an example:

@example
@group
# @kbd{mke2fs /dev/fd0}
# @kbd{mount -t ext2 /dev/fd0 /mnt}
# @kbd{mkdir /mnt/boot}
# @kbd{grub-install --boot-directory=/mnt/boot /dev/fd0}
# @kbd{umount /mnt}
@end group
@end example

Some BIOSes have a bug of exposing the first partition of a USB drive as a
floppy instead of exposing the USB drive as a hard disk (they call it
``USB-FDD'' boot). In such cases, you need to install like this:

@example
# @kbd{losetup /dev/loop0 /dev/sdb1}
# @kbd{mount /dev/loop0 /mnt/usb}
# @kbd{grub-install --boot-directory=/mnt/usb/bugbios --force --allow-floppy /dev/loop0}
@end example

This install doesn't conflict with standard install as long as they are in
separate directories.

On EFI systems for fixed disk install you have to mount EFI System Partition.
If you mount it at @file{/boot/efi} then you don't need any special arguments:

@example
# @kbd{grub-install}
@end example

Otherwise you need to specify where your EFI System partition is mounted:

@example
# @kbd{grub-install --efi-directory=/mnt/efi}
@end example

For removable installs you have to use @option{--removable} and specify both
@option{--boot-directory} and @option{--efi-directory}:

@example
# @kbd{grub-install --efi-directory=/mnt/usb --boot-directory=/mnt/usb/boot --removable}
@end example

@node Making a GRUB bootable CD-ROM
@section Making a GRUB bootable CD-ROM

GRUB supports the @dfn{no emulation mode} in the El Torito
specification@footnote{El Torito is a specification for bootable CD
using BIOS functions.}. This means that you can use the whole CD-ROM
from GRUB and you don't have to make a floppy or hard disk image file,
which can cause compatibility problems.

For booting from a CD-ROM, GRUB uses a special image called
@file{cdboot.img}, which is concatenated with @file{core.img}. The
@file{core.img} used for this should be built with at least the
@samp{iso9660} and @samp{biosdisk} modules. Your bootable CD-ROM will
usually also need to include a configuration file @file{grub.cfg} and some
other GRUB modules.

To make a simple generic GRUB rescue CD, you can use the
@command{grub-mkrescue} program (@pxref{Invoking grub-mkrescue}):

@example
$ @kbd{grub-mkrescue -o grub.iso}
@end example

You will often need to include other files in your image. To do this, first
make a top directory for the bootable image, say, @samp{iso}:

@example
$ @kbd{mkdir iso}
@end example

Make a directory for GRUB:

@example
$ @kbd{mkdir -p iso/boot/grub}
@end example

If desired, make the config file @file{grub.cfg} under @file{iso/boot/grub}
(@pxref{Configuration}), and copy any files and directories for the disc to the
directory @file{iso/}.

Finally, make the image:

@example
$ @kbd{grub-mkrescue -o grub.iso iso}
@end example

This produces a file named @file{grub.iso}, which then can be burned
into a CD (or a DVD), or written to a USB mass storage device.

The root device will be set up appropriately on entering your
@file{grub.cfg} configuration file, so you can refer to file names on the CD
without needing to use an explicit device name. This makes it easier to
produce rescue images that will work on both optical drives and USB mass
storage devices.


@node Device map
@section The map between BIOS drives and OS devices

If the device map file exists, the GRUB utilities (@command{grub-probe},
etc.) read it to map BIOS drives to OS devices.  This file consists of lines
like this:

@example
(@var{device}) @var{file}
@end example

@var{device} is a drive specified in the GRUB syntax (@pxref{Device
syntax}), and @var{file} is an OS file, which is normally a device file.

Historically, the device map file was used because GRUB device names had to
be used in the configuration file, and they were derived from BIOS drive
numbers.  The map between BIOS drives and OS devices cannot always be
guessed correctly: for example, GRUB will get the order wrong if you
exchange the boot sequence between IDE and SCSI in your BIOS.

Unfortunately, even OS device names are not always stable.  Modern versions
of the Linux kernel may probe drives in a different order from boot to boot,
and the prefix (@file{/dev/hd*} versus @file{/dev/sd*}) may change depending
on the driver subsystem in use.  As a result, the device map file required
frequent editing on some systems.

GRUB avoids this problem nowadays by using UUIDs or file system labels when
generating @file{grub.cfg}, and we advise that you do the same for any
custom menu entries you write.  If the device map file does not exist, then
the GRUB utilities will assume a temporary device map on the fly.  This is
often good enough, particularly in the common case of single-disk systems.

However, the device map file is not entirely obsolete yet, and it is
used for overriding when current environment is different from the one on boot.
Most common case is if you use a partition or logical volume as a disk for
virtual machine.  You can put any comments in the file if needed,
as the GRUB utilities assume that a line is just a comment if
the first character is @samp{#}.


@node BIOS installation
@section BIOS installation

@heading MBR

The partition table format traditionally used on PC BIOS platforms is called
the Master Boot Record (MBR) format; this is the format that allows up to
four primary partitions and additional logical partitions.  With this
partition table format, there are two ways to install GRUB: it can be
embedded in the area between the MBR and the first partition (called by
various names, such as the "boot track", "MBR gap", or "embedding area", and
which is usually at least 1000 KiB), or the core image can be installed in a
file system and a list of the blocks that make it up can be stored in the
first sector of that partition.

Modern tools usually leave MBR gap of at least 1023 KiB. This amount is
sufficient to cover most configurations. Hence this value is recommended
by the GRUB team.

Historically many tools left only 31 KiB of space. This is not enough to
parse reliably difficult structures like Btrfs, ZFS, RAID or LVM, or to
use difficult disk access methods like ahci. Hence GRUB will warn if attempted
to install into small MBR gap except in a small number of configurations
that were grandfathered. The grandfathered config must:

@itemize @bullet
@item
use biosdisk as disk access module for @file{/boot}

@item
not use any additional partition maps to access @file{/boot}

@item
@file{/boot} must be on one of following filesystems:
   AFFS, AFS, BFS, cpio, newc, odc, ext2/3/4, FAT, exFAT,
   F2FS, HFS, uncompressed HFS+, ISO9660, JFS, Minix, Minix2, Minix3, NILFS2,
   NTFS, ReiserFS, ROMFS, SFS, tar, UDF, UFS1, UFS2, XFS
@end itemize
Note: Only a subset of filesystems are supported in lockdown mode (such
as when secure boot is enabled, @pxref{Lockdown} for more information).

MBR gap has few technical problems.  There is no way to reserve space in
the embedding area with complete safety, and some proprietary software is
known to use it to make it difficult for users to work around licensing
restrictions. GRUB works around it by detecting sectors by other software and
avoiding them and protecting its own sectors using Reed-Solomon encoding.

GRUB team recommends having MBR gap of at least 1000 KiB.

Should it not be possible, GRUB has support for a fallback solution which is
heavily recommended against. Installing to a filesystem means that GRUB is
vulnerable to its blocks being moved around by filesystem features such as
tail packing, or even by aggressive fsck implementations, so this approach
is quite fragile; and this approach can only be used if the @file{/boot}
filesystem is on the same disk that the BIOS boots from, so that GRUB does
not have to rely on guessing BIOS drive numbers.

The GRUB development team generally recommends embedding GRUB before the
first partition, unless you have special requirements.  You must ensure that
the first partition starts at least 1000 KiB (2000 sectors) from the start of
the disk; on modern disks, it is often a performance advantage to align
partitions on larger boundaries anyway, so the first partition might start 1
MiB from the start of the disk.

@heading GPT

Some newer systems use the GUID Partition Table (GPT) format.  This was
specified as part of the Extensible Firmware Interface (EFI), but it can
also be used on BIOS platforms if system software supports it; for example,
GRUB and GNU/Linux can be used in this configuration.  With this format, it
is possible to reserve a whole partition for GRUB, called the BIOS Boot
Partition.  GRUB can then be embedded into that partition without the risk
of being overwritten by other software and without being contained in a
filesystem which might move its blocks around.

When creating a BIOS Boot Partition on a GPT system, you should make sure
that it is at least 31 KiB in size.  (GPT-formatted disks are not usually
particularly small, so we recommend that you make it larger than the bare
minimum, such as 1 MiB, to allow plenty of room for growth.)  You must also
make sure that it has the proper partition type.  Using GNU Parted, you can
set this using a command such as the following:

@example
# @kbd{parted /dev/@var{disk} set @var{partition-number} bios_grub on}
@end example

If you are using gdisk, set the partition type to @samp{0xEF02}.  With
partitioning programs that require setting the GUID directly, it should be
@samp{21686148-6449-6e6f-744e656564454649}.

@strong{Caution:} Be very careful which partition you select!  When GRUB
finds a BIOS Boot Partition during installation, it will automatically
overwrite part of it.  Make sure that the partition does not contain any
other data.


@node Booting
@chapter Booting

GRUB can load Multiboot-compliant kernels in a consistent way,
but for some free operating systems you need to use some OS-specific
magic.

@menu
* General boot methods::        How to boot OSes with GRUB generally
* Loopback booting::            Notes on booting from loopbacks
* LVM cache booting::           Notes on booting from LVM cache logical volume
* OS-specific notes::           Notes on some operating systems
@end menu


@node General boot methods
@section How to boot operating systems

GRUB has three distinct boot methods: loading an operating system
directly, using kexec from userspace, and chainloading another
bootloader. Generally speaking, the first two are more desirable
because you don't need to install or maintain other boot loaders and
GRUB is flexible enough to load an operating system from an arbitrary
disk/partition. However, chainloading is sometimes required, as GRUB
doesn't support all existing operating systems natively.

@menu
* Loading an operating system directly::
* Kexec::
* Chain-loading::
@end menu


@node Loading an operating system directly
@subsection How to boot an OS directly with GRUB

Multiboot (@pxref{Top, Multiboot Specification, Motivation, multiboot,
The Multiboot Specification}) is the native format supported by GRUB.
For the sake of convenience, there is also support for Linux, FreeBSD,
NetBSD and OpenBSD. If you want to boot other operating systems, you
will have to chain-load them (@pxref{Chain-loading}).

FIXME: this section is incomplete.

@enumerate
@item
Run the command @command{boot} (@pxref{boot}).
@end enumerate

However, DOS and Windows have some deficiencies, so you might have to
use more complicated instructions. @xref{DOS/Windows}, for more
information.


@node Kexec
@subsection Kexec with grub2-emu

GRUB can be run in userspace by invoking the grub2-emu tool. It will
read all configuration scripts as if booting directly (see @ref{Loading
an operating system directly}). With the @code{--kexec} flag, and
kexec(8) support from the operating system, the @command{linux} command
will directly boot the target image. For systems that lack working
systemctl(1) support for kexec, passing the @code{--kexec} flag twice
will fallback to invoking kexec(8) directly; note however that this
fallback may be unsafe outside read-only environments, as it does not
invoke shutdown machinery.


@node Chain-loading
@subsection Chain-loading an OS

Operating systems that do not support Multiboot and do not have specific
support in GRUB (specific support is available for Linux, FreeBSD, NetBSD
and OpenBSD) must be chain-loaded, which involves loading another boot
loader and jumping to it in real mode or via the firmware.

The @command{chainloader} command (@pxref{chainloader}) is used to set this
up.  It is normally also necessary to load some GRUB modules and set the
appropriate root device.  Putting this together, we get something like this,
for a Windows system on the first partition of the first hard disk:

@verbatim
menuentry "Windows" {
	insmod chain
	insmod ntfs
	set root=(hd0,1)
	chainloader +1
}
@end verbatim
@c FIXME: document UUIDs.

On systems with multiple hard disks, an additional workaround may be
required.  @xref{DOS/Windows}.

Chain-loading is only supported on PC BIOS and EFI platforms.

@node Loopback booting
@section Loopback booting
GRUB is able to read from an image (be it one of CD or HDD) stored on
any of its accessible storages (refer to @pxref{loopback} command).
However the OS itself should be able to find its root. This usually
involves running a userspace program running before the real root
is discovered. This is achieved by GRUB loading a specially made
small image and passing it as ramdisk to the kernel. This is achieved
by commands @command{kfreebsd_module}, @command{knetbsd_module_elf},
@command{kopenbsd_ramdisk}, @command{initrd} (@pxref{initrd}),
@command{initrd16} (@pxref{initrd16}), @command{multiboot_module},
@command{multiboot2_module} or @command{xnu_ramdisk}
depending on the loader. Note that for knetbsd the image must be put
inside miniroot.kmod and the whole miniroot.kmod has to be loaded. In
kopenbsd payload this is disabled by default. Additionally, behaviour of
initial ramdisk depends on command line options. Several distributors provide
the image for this purpose or it's integrated in their standard ramdisk and
activated by special option. Consult your kernel and distribution manual for
more details. Other loaders like @command{appleloader}, @command{chainloader}
(BIOS, EFI, coreboot), @command{freedos}, @command{ntldr}, @command{plan9}
and @command{truecrypt} provide no possibility of loading initial ramdisk and
as far as author is aware the payloads in question don't support either initial
ramdisk or discovering loopback boot in other way and as such not bootable this
way. Please consider alternative boot methods like copying all files
from the image to actual partition. Consult your OS documentation for
more details.

@node LVM cache booting
@section Booting from LVM cache logical volume

The LVM cache logical volume is the logical volume consisting of the original
and the cache pool logical volume. The original is usually on a larger and
slower storage device while the cache pool is on a smaller and faster one. The
performance of the original volume can be improved by storing the frequently
used data on the cache pool to utilize the greater performance of faster
device.

GRUB boots from LVM cache logical volume merely by reading it's original
logical volume so that dirty data in cache pool volume is disregarded. This is
not a problem for "writethrough" cache mode as it ensures that any data written
will be stored both on the cache and the origin LV. For the other cache mode
"writeback", which delays writing from the cache pool back to the origin LV to
boost performance, GRUB may fail to boot in the wake of accidental power outage
due to it's inability to assemble the cache device for reading the required
dirty data left behind. The situation will be improved after adding full
support to the LVM cache logical volume in the future.

@node OS-specific notes
@section Some caveats on OS-specific issues

Here, we describe some caveats on several operating systems.

@menu
* GNU/Hurd::
* GNU/Linux::
* NetBSD::
* DOS/Windows::
@end menu


@node GNU/Hurd
@subsection GNU/Hurd

Since GNU/Hurd is Multiboot-compliant, it is easy to boot it; there is
nothing special about it. But do not forget that you have to specify a
root partition to the kernel.

@enumerate
@item
Set GRUB's root device to the same drive as GNU/Hurd's.  The command
@code{search --set=root --file /boot/gnumach.gz} or similar may help you
(@pxref{search}).

@item 
Load the kernel and the modules, like this:

@example
@group
grub> @kbd{multiboot /boot/gnumach.gz root=device:hd0s1}
grub> @kbd{module  /hurd/ext2fs.static ext2fs --readonly \
                   --multiboot-command-line='$@{kernel-command-line@}' \
                   --host-priv-port='$@{host-port@}' \
                   --device-master-port='$@{device-port@}' \
                   --exec-server-task='$@{exec-task@}' -T typed '$@{root@}' \
                   '$(task-create)' '$(task-resume)'}
grub> @kbd{module /lib/ld.so.1 exec /hurd/exec '$(exec-task=task-create)'}
@end group
@end example

@item
Finally, run the command @command{boot} (@pxref{boot}).
@end enumerate


@node GNU/Linux
@subsection GNU/Linux

It is relatively easy to boot GNU/Linux from GRUB, because it somewhat
resembles to boot a Multiboot-compliant OS.

@enumerate
@item
Set GRUB's root device to the same drive as GNU/Linux's.  The command
@code{search --set=root --file /vmlinuz} or similar may help you
(@pxref{search}).

@item
Load the kernel using the command @command{linux} (@pxref{linux}):

@example
grub> @kbd{linux /vmlinuz root=/dev/sda1}
@end example

If you need to specify some kernel parameters, just append them to the
command.  For example, to set @option{acpi} to @samp{off}, do this:

@example
grub> @kbd{linux /vmlinuz root=/dev/sda1 acpi=off}
@end example

See the documentation in the Linux source tree for complete information on
the available options.

With @command{linux} GRUB uses 32-bit protocol. Some BIOS services like APM
or EDD aren't available with this protocol. In this case you need to use
@command{linux16}

@example
grub> @kbd{linux16 /vmlinuz root=/dev/sda1 acpi=off}
@end example 

@item
If you use an initrd, execute the command @command{initrd} (@pxref{initrd})
after @command{linux}:

@example
grub> @kbd{initrd /initrd}
@end example

If you used @command{linux16} you need to use @command{initrd16}:

@example
grub> @kbd{initrd16 /initrd}
@end example

@item
Finally, run the command @command{boot} (@pxref{boot}).
@end enumerate


@node NetBSD
@subsection NetBSD

Booting a NetBSD kernel from GRUB is also relatively easy: first set
GRUB's root device, then load the kernel and the modules, and finally
run @command{boot}.

@enumerate
@item
Set GRUB's root device to the partition holding the NetBSD root file
system.  For a disk with a NetBSD disk label, this is usually the first
partition (a:).  In that case, and assuming that the partition is on the
first hard disk, set GRUB's root device as follows:

@example
grub> @kbd{insmod part_bsd}
grub> @kbd{set root=(hd0,netbsd1)}
@end example

For a disk with a GUID Partition Table (GPT), and assuming that the
NetBSD root partition is the third GPT partition, do this:

@example
grub> @kbd{insmod part_gpt}
grub> @kbd{set root=(hd0,gpt3)}
@end example

@item
Load the kernel using the command @command{knetbsd}:

@example
grub> @kbd{knetbsd /netbsd}
@end example

Various options may be given to @command{knetbsd}.  These options are,
for the most part, the same as in the NetBSD boot loader.  For instance,
to boot the system in single-user mode and with verbose messages, do
this:

@example
grub> @kbd{knetbsd /netbsd -s -v}
@end example

@item
If needed, load kernel modules with the command
@command{knetbsd_module_elf}.  A typical example is the module for the
root file system:

@example
grub> @kbd{knetbsd_module_elf /stand/amd64/6.0/modules/ffs/ffs.kmod}
@end example

@item
Finally, run the command @command{boot} (@pxref{boot}).
@end enumerate


@node DOS/Windows
@subsection DOS/Windows

GRUB cannot boot DOS or Windows directly, so you must chain-load them
(@pxref{Chain-loading}). However, their boot loaders have some critical
deficiencies, so it may not work to just chain-load them. To overcome
the problems, GRUB provides you with two helper functions.

If you have installed DOS (or Windows) on a non-first hard disk, you
have to use the disk swapping technique, because that OS cannot boot
from any disks but the first one. The workaround used in GRUB is the
command @command{drivemap} (@pxref{drivemap}), like this:

@example
drivemap -s (hd0) (hd1)
@end example

This performs a @dfn{virtual} swap between your first and second hard
drive.

@strong{Caution:} This is effective only if DOS (or Windows) uses BIOS
to access the swapped disks. If that OS uses a special driver for the
disks, this probably won't work.

Another problem arises if you installed more than one set of DOS/Windows
onto one disk, because they could be confused if there are more than one
primary partitions for DOS/Windows. Certainly you should avoid doing
this, but there is a solution if you do want to do so. Use the partition
hiding/unhiding technique.

If GRUB @dfn{hides} a DOS (or Windows) partition (@pxref{parttool}), DOS (or
Windows) will ignore the partition. If GRUB @dfn{unhides} a DOS (or Windows)
partition, DOS (or Windows) will detect the partition. Thus, if you have
installed DOS (or Windows) on the first and the second partition of the
first hard disk, and you want to boot the copy on the first partition, do
the following:

@example
@group
parttool (hd0,1) hidden-
parttool (hd0,2) hidden+
set root=(hd0,1)
chainloader +1
parttool @verb{'${root}'} boot+
boot
@end group
@end example


@node Configuration
@chapter Writing your own configuration file

GRUB is configured using @file{grub.cfg}, usually located under
@file{/boot/grub}.  This file is quite flexible, but most users will not
need to write the whole thing by hand.

@menu
* Simple configuration::            Recommended for most users
* Root Identification Heuristics::  Summary on how the root file system is identified.
* Shell-like scripting::            For power users and developers
* Multi-boot manual config::        For non-standard multi-OS scenarios
* Embedded configuration::          Embedding a configuration file into GRUB
@end menu


@node Simple configuration
@section Simple configuration handling

The program @command{grub-mkconfig} (@pxref{Invoking grub-mkconfig})
generates @file{grub.cfg} files suitable for most cases.  It is suitable for
use when upgrading a distribution, and will discover available kernels and
attempt to generate menu entries for them.

@command{grub-mkconfig} does have some limitations.  While adding extra
custom menu entries to the end of the list can be done by editing
@file{/etc/grub.d/40_custom} or creating @file{/boot/grub/custom.cfg},
changing the order of menu entries or changing their titles may require
making complex changes to shell scripts stored in @file{/etc/grub.d/}.  This
may be improved in the future.  In the meantime, those who feel that it
would be easier to write @file{grub.cfg} directly are encouraged to do so
(@pxref{Booting}, and @ref{Shell-like scripting}), and to disable any system
provided by their distribution to automatically run @command{grub-mkconfig}.

The file @file{/etc/default/grub} controls the operation of
@command{grub-mkconfig}.  It is sourced by a shell script, and so must be
valid POSIX shell input; normally, it will just be a sequence of
@samp{KEY=value} lines, but if the value contains spaces or other special
characters then it must be quoted.  For example:

@example
GRUB_TERMINAL_INPUT="console serial"
@end example

Valid keys in @file{/etc/default/grub} are as follows:

@table @samp
@item GRUB_DEFAULT
The default menu entry.  This may be a number, in which case it identifies
the Nth entry in the generated menu counted from zero, or the title of a
menu entry, or the special string @samp{saved}.  Using the id may be
useful if you want to set a menu entry as the default even though there may
be a variable number of entries before it.

For example, if you have:

@verbatim
menuentry 'Example GNU/Linux distribution' --class gnu-linux --id example-gnu-linux {
	...
}
@end verbatim

then you can make this the default using:

@example
GRUB_DEFAULT=example-gnu-linux
@end example

Previously it was documented the way to use entry title. While this still
works it's not recommended since titles often contain unstable device names
and may be translated

If you set this to @samp{saved}, then the default menu entry will be that
saved by @samp{GRUB_SAVEDEFAULT} or @command{grub-set-default}.  This relies on
the environment block, which may not be available in all situations
(@pxref{Environment block}).

The default is @samp{0}.

@item GRUB_SAVEDEFAULT
If this option is set to @samp{true}, then, when an entry is selected, save
it as a new default entry for use by future runs of GRUB.  This is only
useful if @samp{GRUB_DEFAULT=saved}; it is a separate option because
@samp{GRUB_DEFAULT=saved} is useful without this option, in conjunction with
@command{grub-set-default}.  Unset by default.
This option relies on the environment block, which may not be available in
all situations (@pxref{Environment block}).

@item GRUB_TIMEOUT
Boot the default entry this many seconds after the menu is displayed, unless
a key is pressed.  The default is @samp{5}.  Set to @samp{0} to boot
immediately without displaying the menu, or to @samp{-1} to wait
indefinitely.

If @samp{GRUB_TIMEOUT_STYLE} is set to @samp{countdown} or @samp{hidden},
the timeout is instead counted before the menu is displayed.

@item GRUB_TIMEOUT_STYLE
If this option is unset or set to @samp{menu}, then GRUB will display the
menu and then wait for the timeout set by @samp{GRUB_TIMEOUT} to expire
before booting the default entry.  Pressing a key interrupts the timeout.

If this option is set to @samp{countdown} or @samp{hidden}, then, before
displaying the menu, GRUB will wait for the timeout set by @samp{GRUB_TIMEOUT}
to expire.  If @key{ESC} or @key{F4} are pressed, or @key{SHIFT} is held down
during that time, it will display the menu and wait for input.  If a hotkey
associated with a menu entry is pressed, it will boot the associated menu entry
immediately. If the timeout expires before either of these happens, it will
boot the default entry.  In the @samp{countdown} case, it will show a one-line
indication of the remaining time.

@item GRUB_DEFAULT_BUTTON
@itemx GRUB_TIMEOUT_BUTTON
@itemx GRUB_TIMEOUT_STYLE_BUTTON
@itemx GRUB_BUTTON_CMOS_ADDRESS
Variants of the corresponding variables without the @samp{_BUTTON} suffix,
used to support vendor-specific power buttons.  @xref{Vendor power-on keys}.

@item GRUB_DISTRIBUTOR
Set by distributors of GRUB to their identifying name.  This is used to
generate more informative menu entry titles.

@item GRUB_TERMINAL_INPUT
Select the terminal input device.  You may select multiple devices here,
separated by spaces.

Valid terminal input names depend on the platform, but may include
@samp{console} (native platform console), @samp{serial} (serial terminal),
@samp{serial_<port>} (serial terminal with explicit port selection),
@samp{at_keyboard} (PC AT keyboard), or @samp{usb_keyboard} (USB keyboard
using the HID Boot Protocol, for cases where the firmware does not handle
this).

The default is to use the platform's native terminal input.

@item GRUB_TERMINAL_OUTPUT
Select the terminal output device.  You may select multiple devices here,
separated by spaces.

Valid terminal output names depend on the platform, but may include
@samp{console} (native platform console), @samp{serial} (serial terminal),
@samp{serial_<port>} (serial terminal with explicit port selection),
@samp{gfxterm} (graphics-mode output), @samp{vga_text} (VGA text output),
@samp{mda_text} (MDA text output), @samp{morse} (Morse-coding using system
beeper) or @samp{spkmodem} (simple data protocol using system speaker).

@samp{spkmodem} is useful when no serial port is available. Connect the output
of sending system (where GRUB is running) to line-in of receiving system
(usually developer machine).
On receiving system compile @samp{spkmodem-recv} from
@samp{util/spkmodem-recv.c} and run:

@example
parecord --channels=1 --rate=48000 --format=s16le | ./spkmodem-recv
@end example

The default is to use the platform's native terminal output.

@item GRUB_TERMINAL
If this option is set, it overrides both @samp{GRUB_TERMINAL_INPUT} and
@samp{GRUB_TERMINAL_OUTPUT} to the same value.

@item GRUB_SERIAL_COMMAND
A command to configure the serial port when using the serial console.
@xref{serial}.  Defaults to @samp{serial}.

@item GRUB_CMDLINE_LINUX
Command-line arguments to add to menu entries for the Linux kernel.

@item GRUB_CMDLINE_LINUX_DEFAULT
Unless @samp{GRUB_DISABLE_RECOVERY} is set to @samp{true}, two menu
entries will be generated for each Linux kernel: one default entry and one
entry for recovery mode.  This option lists command-line arguments to add
only to the default menu entry, after those listed in
@samp{GRUB_CMDLINE_LINUX}.

@item GRUB_CMDLINE_LINUX_RECOVERY
Unless @samp{GRUB_DISABLE_RECOVERY} is set to @samp{true}, two menu
entries will be generated for each Linux kernel: one default entry and one
entry for recovery mode. This option lists command-line arguments to add
only to the recovery menu entry, before those listed in @samp{GRUB_CMDLINE_LINUX}.
The default is @samp{single}.

@item GRUB_CMDLINE_NETBSD
@itemx GRUB_CMDLINE_NETBSD_DEFAULT
As @samp{GRUB_CMDLINE_LINUX} and @samp{GRUB_CMDLINE_LINUX_DEFAULT}, but for
NetBSD.

@item GRUB_CMDLINE_GNUMACH
As @samp{GRUB_CMDLINE_LINUX}, but for GNU Mach.

@item GRUB_CMDLINE_XEN
@itemx GRUB_CMDLINE_XEN_DEFAULT
The values of these options are passed to Xen hypervisor Xen menu entries,
for all respectively normal entries.

@item GRUB_CMDLINE_LINUX_XEN_REPLACE
@item GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT
The values of these options replace the values of @samp{GRUB_CMDLINE_LINUX}
and @samp{GRUB_CMDLINE_LINUX_DEFAULT} for Linux and Xen menu entries.

@item GRUB_TOP_LEVEL
@item GRUB_TOP_LEVEL_XEN
This option should be an absolute path to a kernel image. If provided, the
image specified will be made the top-level entry if it is found in the scan.

@item GRUB_TOP_LEVEL_OS_PROBER
This option should be a line of output from @command{os-prober}. As
@samp{GRUB_TOP_LEVEL}, if provided, the image specified will be made the
top-level entry if it is found in the scan.

@item GRUB_EARLY_INITRD_LINUX_CUSTOM
@itemx GRUB_EARLY_INITRD_LINUX_STOCK
List of space-separated early initrd images to be loaded from @samp{/boot}.
This is for loading things like CPU microcode, firmware, ACPI tables, crypto
keys, and so on. These early images will be loaded in the order declared,
and all will be loaded before the actual functional initrd image.

@samp{GRUB_EARLY_INITRD_LINUX_STOCK} is for your distribution to declare
images that are provided by the distribution. It should not be modified
without understanding the consequences. They will be loaded first.

@samp{GRUB_EARLY_INITRD_LINUX_CUSTOM} is for your custom created images.

The default stock images are as follows, though they may be overridden by
your distribution:
@example
intel-uc.img intel-ucode.img amd-uc.img amd-ucode.img early_ucode.cpio microcode.cpio
@end example

@item GRUB_DISABLE_LINUX_UUID
Normally, @command{grub-mkconfig} will generate menu entries that use
universally-unique identifiers (UUIDs) to identify the root filesystem to
the Linux kernel, using a @samp{root=UUID=...} kernel parameter.  This is
usually more reliable, but in some cases it may not be appropriate.  To
disable the use of UUIDs, set this option to @samp{true}.

@item GRUB_DISABLE_LINUX_PARTUUID
If @command{grub-mkconfig} cannot identify the root filesystem via its
universally-unique indentifier (UUID), @command{grub-mkconfig} can use the UUID
of the partition containing the filesystem to identify the root filesystem to
the Linux kernel via a @samp{root=PARTUUID=...} kernel parameter.  This is not
as reliable as using the filesystem UUID, but is more reliable than using the
Linux device names. When @samp{GRUB_DISABLE_LINUX_PARTUUID} is set to
@samp{false}, the Linux kernel version must be 2.6.37 (3.10 for systems using
the MSDOS partition scheme) or newer.  This option defaults to @samp{true}.  To
enable the use of partition UUIDs, set this option to @samp{false}.

@item GRUB_DISABLE_RECOVERY
If this option is set to @samp{true}, disable the generation of recovery
mode menu entries.

@item GRUB_DISABLE_UUID
Normally, @command{grub-mkconfig} will generate menu entries that use
universally-unique identifiers (UUIDs) to identify various filesystems to
search for files.  This is usually more reliable, but in some cases it may
not be appropriate.  To disable this use of UUIDs, set this option to
@samp{true}. Setting this option to @samp{true}, will also set the options
@samp{GRUB_DISABLE_LINUX_UUID} and @samp{GRUB_DISABLE_LINUX_PARTUUID} to
@samp{true}, unless they have been explicitly set to @samp{false}.

@item GRUB_VIDEO_BACKEND
If graphical video support is required, either because the @samp{gfxterm}
graphical terminal is in use or because @samp{GRUB_GFXPAYLOAD_LINUX} is set,
then @command{grub-mkconfig} will normally load all available GRUB video
drivers and use the one most appropriate for your hardware.  If you need to
override this for some reason, then you can set this option.

After @command{grub-install} has been run, the available video drivers are
listed in @file{/boot/grub/video.lst}.

@item GRUB_GFXMODE
Set the resolution used on the @samp{gfxterm} graphical terminal.  Note that
you can only use modes which your graphics card supports via VESA BIOS
Extensions (VBE), so for example native LCD panel resolutions may not be
available.  The default is @samp{auto}, which tries to select a preferred
resolution.  @xref{gfxmode}.

@item GRUB_BACKGROUND
Set a background image for use with the @samp{gfxterm} graphical terminal.
The value of this option must be a file readable by GRUB at boot time, and
it must end with @file{.png}, @file{.tga}, @file{.jpg}, or @file{.jpeg}.
The image will be scaled if necessary to fit the screen. Image height and
width will be restricted by an artificial limit of 16384.

@item GRUB_THEME
Set a theme for use with the @samp{gfxterm} graphical terminal.

@item GRUB_GFXPAYLOAD_LINUX
Set to @samp{text} to force the Linux kernel to boot in normal text mode,
@samp{keep} to preserve the graphics mode set using @samp{GRUB_GFXMODE},
@samp{@var{width}x@var{height}}[@samp{x@var{depth}}] to set a particular
graphics mode, or a sequence of these separated by commas or semicolons to
try several modes in sequence.  @xref{gfxpayload}.

Depending on your kernel, your distribution, your graphics card, and the
phase of the moon, note that using this option may cause GNU/Linux to suffer
from various display problems, particularly during the early part of the
boot sequence.  If you have problems, set this option to @samp{text} and
GRUB will tell Linux to boot in normal text mode.

@item GRUB_DISABLE_OS_PROBER
The @command{grub-mkconfig} has a feature to use the external
@command{os-prober} program to discover other operating systems installed on
the same machine and generate appropriate menu entries for them. It is disabled
by default since automatic and silent execution of @command{os-prober}, and
creating boot entries based on that data, is a potential attack vector. Set
this option to @samp{false} to enable this feature in the
@command{grub-mkconfig} command.

@item GRUB_OS_PROBER_SKIP_LIST
List of space-separated case insensitive UUIDs of filesystems to be ignored
from os-prober output. For EFI chainloaders it's <UUID>@@<EFI FILE>. For
backward compatibility with previous behaviour, <UUID>@@/dev/* is also accepted
for non-EFI chainloaders even if the device does not match, and comma and
semicolon are also accepted as separator.

@item GRUB_DISABLE_SUBMENU
Normally, @command{grub-mkconfig} will generate top level menu entry for
the kernel with highest version number and put all other found kernels
or alternative menu entries for recovery mode in submenu. For entries returned
by @command{os-prober} first entry will be put on top level and all others
in submenu. If this option is set to @samp{true}, flat menu with all entries
on top level will be generated instead. Changing this option will require
changing existing values of @samp{GRUB_DEFAULT}, @samp{fallback} (@pxref{fallback})
and @samp{default} (@pxref{default}) environment variables as well as saved
default entry using @command{grub-set-default} and value used with
@command{grub-reboot}.

@item GRUB_ENABLE_CRYPTODISK
If set to @samp{y}, @command{grub-mkconfig} and @command{grub-install} will
check for encrypted disks and generate additional commands needed to access
them during boot.  Note that in this case unattended boot is not possible
because GRUB will wait for passphrase to unlock encrypted container.

@item GRUB_INIT_TUNE
Play a tune on the speaker when GRUB starts.  This is particularly useful
for users unable to see the screen.  The value of this option is passed
directly to @ref{play}.

@item GRUB_BADRAM
If this option is set, GRUB will issue a @ref{badram} command to filter
out specified regions of RAM.

@item GRUB_PRELOAD_MODULES
This option may be set to a list of GRUB module names separated by spaces.
Each module will be loaded as early as possible, at the start of
@file{grub.cfg}.

@item GRUB_RECORDFAIL_TIMEOUT
If this option is set, it overrides the default recordfail setting.  A
setting of -1 causes GRUB to wait for user input indefinitely.  However, a
false positive in the recordfail mechanism may occur if power is lost during
boot before boot success is recorded in userspace.  The default setting is
30, which causes GRUB to wait for user input for thirty seconds before
continuing.  This default allows interactive users the opportunity to switch
to a different, working kernel, while avoiding a false positive causing the
boot to block indefinitely on headless and appliance systems where access to
a console is restricted or limited.

This option is only effective when GRUB was configured with the
@option{--enable-quick-boot} option.

@item GRUB_RECOVERY_TITLE
This option sets the English text of the string that will be displayed in
parentheses to indicate that a boot option is provided to help users recover
a broken system.  The default is "recovery mode".

@end table

The following options are still accepted for compatibility with existing
configurations, but have better replacements:

@table @samp
@item GRUB_HIDDEN_TIMEOUT
Wait this many seconds before displaying the menu.  If @key{ESC} or @key{F4} are
pressed, or @key{SHIFT} is held down during that time, display the menu and wait
for input according to @samp{GRUB_TIMEOUT}.  If a hotkey associated with a menu
entry is pressed, boot the associated menu entry immediately.  If the timeout
expires before either of these happens, display the menu for the number of
seconds specified in @samp{GRUB_TIMEOUT} before booting the default entry.

If you set @samp{GRUB_HIDDEN_TIMEOUT}, you should also set
@samp{GRUB_TIMEOUT=0} so that the menu is not displayed at all unless
@key{ESC} or @key{F4} are pressed, or @key{SHIFT} is held down.

This option is unset by default, and is deprecated in favour of the less
confusing @samp{GRUB_TIMEOUT_STYLE=countdown} or
@samp{GRUB_TIMEOUT_STYLE=hidden}.

@item GRUB_HIDDEN_TIMEOUT_QUIET
In conjunction with @samp{GRUB_HIDDEN_TIMEOUT}, set this to @samp{true} to
suppress the verbose countdown while waiting for a key to be pressed before
displaying the menu.

This option is unset by default, and is deprecated in favour of the less
confusing @samp{GRUB_TIMEOUT_STYLE=countdown}.

@item GRUB_HIDDEN_TIMEOUT_BUTTON
Variant of @samp{GRUB_HIDDEN_TIMEOUT}, used to support vendor-specific power
buttons.  @xref{Vendor power-on keys}.

This option is unset by default, and is deprecated in favour of the less
confusing @samp{GRUB_TIMEOUT_STYLE=countdown} or
@samp{GRUB_TIMEOUT_STYLE=hidden}.

@item GRUB_FORCE_EFI_ALL_VIDEO
When set to true, this will allow grub-mkconfig to generate a GRUB config
that supports loading the all_video module on the EFI platform instead of
just the efi_gop and efi_uga modules.

This option is unset by default.

@end table

For more detailed customisation of @command{grub-mkconfig}'s output, you may
edit the scripts in @file{/etc/grub.d} directly.
@file{/etc/grub.d/40_custom} is particularly useful for adding entire custom
menu entries; simply type the menu entries you want to add at the end of
that file, making sure to leave at least the first two lines intact.

@node Root Identification Heuristics
@section Root Identification Heuristics
If the target operating system uses the Linux kernel, @command{grub-mkconfig}
attempts to identify the root file system via a heuristic algoirthm.  This
algorithm selects the identification method of the root file system by
considering three factors.  The first is if an initrd for the target operating
system is also present.  The second is @samp{GRUB_DISABLE_LINUX_UUID} and if set
to @samp{true}, prevents @command{grub-mkconfig} from identifying the root file
system by its UUID.  The third is @samp{GRUB_DISABLE_LINUX_PARTUUID} and if set
to @samp{true}, prevents @command{grub-mkconfig} from identifying the root file
system via the UUID of its enclosing partition.  If the variables are assigned
any other value, that value is considered equivalent to @samp{false}.  The
variables are also considered to be set to @samp{false} if they are not set.

When booting, the Linux kernel will delegate the task of mounting the root
filesystem to the initrd.  Most initrd images determine the root file system by
checking the Linux kernel's command-line for the @samp{root} key and use its
value as the identification method of the root file system.  To improve the
reliability of booting, most initrd images also allow the root file system to be
identified by its UUID.  Because of this behavior, the @command{grub-mkconfig}
command will set @samp{root} to @samp{root=UUID=...} to provide the initrd with
the filesystem UUID of the root file system.

If no initrd is detected or @samp{GRUB_DISABLE_LINUX_UUID} is set to @samp{true}
then @command{grub-command} will identify the root filesystem by setting the
kernel command-line variable @samp{root} to @samp{root=PARTUUID=...} unless
@samp{GRUB_DISABLE_LINUX_PARTUUID} is also set to @samp{true}.  If
@samp{GRUB_DISABLE_LINUX_PARTUUID} is also set to @samp{true},
@command{grub-command} will identify by its Linux device name.

The following table summarizes the behavior of the @command{grub-mkconfig}
command.

@multitable {detected} {GRUB_DISABLE_LINUX_PARTUUID} {GRUB_DISABLE_LINUX_UUID} {Linux Root}
@headitem Initrd detected @tab GRUB_DISABLE_LINUX_PARTUUID Set To @tab GRUB_DISABLE_LINUX_UUID Set To @tab Linux Root ID Method
@item false         @tab false                       @tab false                   @tab part UUID
@item false         @tab false                       @tab true                    @tab part UUID
@item false         @tab true                        @tab false                   @tab dev name
@item false         @tab true                        @tab true                    @tab dev name
@item true          @tab false                       @tab false                   @tab fs UUID
@item true          @tab false                       @tab true                    @tab part UUID
@item true          @tab true                        @tab false                   @tab fs UUID
@item true          @tab true                        @tab true                    @tab dev name
@end multitable

Remember, @samp{GRUB_DISABLE_LINUX_PARTUUID} and @samp{GRUB_DISABLE_LINUX_UUID}
are also considered to be set to @samp{true} and @samp{false}, respectively,
when they are unset.

@node Shell-like scripting
@section Writing full configuration files directly

@c Some of this section is derived from the GNU Bash manual page, also
@c copyrighted by the FSF.

@file{grub.cfg} is written in GRUB's built-in scripting language, which has
a syntax quite similar to that of GNU Bash and other Bourne shell
derivatives.

@heading Words

A @dfn{word} is a sequence of characters considered as a single unit by
GRUB.  Words are separated by @dfn{metacharacters}, which are the following
plus space, tab, and newline:

@example
@{ @} | & $ ; < >
@end example
 
Quoting may be used to include metacharacters in words; see below.

@heading Reserved words

Reserved words have a special meaning to GRUB.  The following words are
recognised as reserved when unquoted and either the first word of a simple
command or the third word of a @code{for} command:

@example
! [[ ]] @{ @}
case do done elif else esac fi for function
if in menuentry select then time until while
@end example

Not all of these reserved words have a useful purpose yet; some are reserved
for future expansion.

@heading Quoting

Quoting is used to remove the special meaning of certain characters or
words.  It can be used to treat metacharacters as part of a word, to prevent
reserved words from being recognised as such, and to prevent variable
expansion.

There are three quoting mechanisms: the escape character, single quotes, and
double quotes.

A non-quoted backslash (\) is the @dfn{escape character}.  It preserves the
literal value of the next character that follows, with the exception of
newline.

Enclosing characters in single quotes preserves the literal value of each
character within the quotes.  A single quote may not occur between single
quotes, even when preceded by a backslash.

Enclosing characters in double quotes preserves the literal value of all
characters within the quotes, with the exception of @samp{$} and @samp{\}.
The @samp{$} character retains its special meaning within double quotes.
The backslash retains its special meaning only when followed by one of the
following characters: @samp{$}, @samp{"}, @samp{\}, or newline.  A
backslash-newline pair is treated as a line continuation (that is, it is
removed from the input stream and effectively ignored@footnote{Currently a
backslash-newline pair within a variable name is not handled properly, so
use this feature with some care.}).  A double quote may be quoted within
double quotes by preceding it with a backslash.

@heading Variable expansion

The @samp{$} character introduces variable expansion.  The variable name to
be expanded may be enclosed in braces, which are optional but serve to
protect the variable to be expanded from characters immediately following it
which could be interpreted as part of the name.

Normal variable names begin with an alphabetic character, followed by zero
or more alphanumeric characters.  These names refer to entries in the GRUB
environment (@pxref{Environment}).

Positional variable names consist of one or more digits.  They represent
parameters passed to function calls, with @samp{$1} representing the first
parameter, and so on.

The special variable name @samp{?} expands to the exit status of the most
recently executed command.  When positional variable names are active, other
special variable names @samp{@@}, @samp{*} and @samp{#} are defined and they
expand to all positional parameters with necessary quoting, positional
parameters without any quoting, and positional parameter count respectively.

@heading Comments

A word beginning with @samp{#} causes that word and all remaining characters
on that line to be ignored.

@heading Simple commands

A @dfn{simple command} is a sequence of words separated by spaces or tabs
and terminated by a semicolon or a newline.  The first word specifies the
command to be executed.  The remaining words are passed as arguments to the
invoked command.

The return value of a simple command is its exit status.  If the reserved
word @code{!} precedes the command, then the return value is instead the
logical negation of the command's exit status.

@heading Compound commands

A @dfn{compound command} is one of the following:

@table @asis
@item for @var{name} in @var{word} @dots{}; do @var{list}; done
The list of words following @code{in} is expanded, generating a list of
items.  The variable @var{name} is set to each element of this list in turn,
and @var{list} is executed each time.  The return value is the exit status
of the last command that executes.  If the expansion of the items following
@code{in} results in an empty list, no commands are executed, and the return
status is 0.

@item if @var{list}; then @var{list}; [elif @var{list}; then @var{list};] @dots{} [else @var{list};] fi
The @code{if} @var{list} is executed, where @var{list} is a series of
@dfn{simple command}s separated by a ";".  If its exit status of the last
command is zero, the @code{then} @var{list} is executed.  Otherwise, each
@code{elif} @var{list} is executed in turn, and if its last command's exit
status is zero, the corresponding @code{then} @var{list} is executed and the
command completes. Otherwise, the @code{else} @var{list} is executed, if
present.  The exit status is the exit status of the last command executed, or
zero if no condition tested true.

@item while @var{cond}; do @var{list}; done
@itemx until @var{cond}; do @var{list}; done
The @code{while} command continuously executes the @code{do} @var{list} as
long as the last command in @var{cond} returns an exit status of zero, where
@var{cond} is a list of @dfn{simple command}s separated by a ";".  The
@code{until} command is identical to the @code{while} command, except that
the test is negated; the @code{do} @var{list} is executed as long as the
last command in @var{cond} returns a non-zero exit status.  The exit status
of the @code{while} and @code{until} commands is the exit status of the last
@code{do} @var{list} command executed, or zero if none was executed.

@item function @var{name} @{ @var{command}; @dots{} @}
This defines a function named @var{name}.  The @dfn{body} of the function is
the list of commands within braces, each of which must be terminated with a
semicolon or a newline.  This list of commands will be executed whenever
@var{name} is specified as the name of a simple command.  Function
definitions do not affect the exit status in @code{$?}.  When executed, the
exit status of a function is the exit status of the last command executed in
the body.

@item menuentry @var{title} [@option{--class=class} @dots{}] [@option{--users=users}] [@option{--unrestricted}] [@option{--hotkey=key}] [@option{--id=id}] @{ @var{command}; @dots{} @}
@xref{menuentry}.
@end table

@heading Built-in Commands

Some built-in commands are also provided by GRUB script to help script
writers perform actions that are otherwise not possible.  For example, these
include commands to jump out of a loop without fully completing it, etc.

@table @asis
@item break [@code{n}]
Exit from within a @code{for}, @code{while}, or @code{until} loop.  If
@code{n} is specified, break @code{n} levels.  @code{n} must be greater than
or equal to 1.  If @code{n} is greater than the number of enclosing loops,
all enclosing loops are exited.  The return value is 0 unless @code{n} is
not greater than or equal to 1.

@item continue [@code{n}]
Resume the next iteration of the enclosing @code{for}, @code{while} or
@code{until} loop.  If @code{n} is specified, resume at the @code{n}th
enclosing loop.  @code{n} must be greater than or equal to 1.  If @code{n}
is greater than the number of enclosing loops, the last enclosing loop (the
@dfn{top-level} loop) is resumed.  The return value is 0 unless @code{n} is
not greater than or equal to 1.

@item return [@code{n}]
Causes a function to exit with the return value specified by @code{n}.  If
@code{n} is omitted, the return status is that of the last command executed
in the function body.  If used outside a function the return status is
false.

@item setparams [@code{arg}] @dots{}
Replace positional parameters starting with @code{$1} with arguments to
@command{setparams}.

@item shift [@code{n}]
The positional parameters from @code{n}+1 @dots{} are renamed to
@code{$1}@dots{}.  Parameters represented by the numbers @code{$#} down to
@code{$#}-@code{n}+1 are unset.  @code{n} must be a non-negative number less
than or equal to @code{$#}.  If @code{n} is 0, no parameters are changed.
If @code{n} is not given, it is assumed to be 1.  If @code{n} is greater
than @code{$#}, the positional parameters are not changed.  The return
status is greater than zero if @code{n} is greater than @code{$#} or less
than zero; otherwise 0.

@end table

@node Multi-boot manual config
@section Multi-boot manual config

Currently autogenerating config files for multi-boot environments depends on
os-prober and has several shortcomings. Due to that it is disabled by default.
It is advised to use the power of GRUB syntax and do it yourself. A possible
configuration is detailed here, feel free to adjust to your needs.

First create a separate GRUB partition, big enough to hold GRUB. Some of the
following entries show how to load OS installer images from this same partition,
for that you obviously need to make the partition large enough to hold those
images as well.
Mount this partition on/mnt/boot and disable GRUB in all OSes and manually
install self-compiled latest GRUB with:

@code{grub-install --boot-directory=/mnt/boot /dev/sda}

In all the OSes install GRUB tools but disable installing GRUB in bootsector,
so you'll have menu.lst and grub.cfg available for use. Also disable os-prober
use by setting:

@code{GRUB_DISABLE_OS_PROBER=true}

in /etc/default/grub

Then write a grub.cfg (/mnt/boot/grub/grub.cfg):

@example

menuentry "OS using grub2" @{
   insmod xfs
   search --set=root --label OS1 --hint hd0,msdos8
   configfile /boot/grub/grub.cfg
@}

menuentry "OS using grub2-legacy" @{
   insmod ext2
   search --set=root --label OS2 --hint hd0,msdos6
   legacy_configfile /boot/grub/menu.lst
@}

menuentry "Windows XP" @{
   insmod ntfs
   search --set=root --label WINDOWS_XP --hint hd0,msdos1
   ntldr /ntldr
@}

menuentry "Windows 7" @{
   insmod ntfs
   search --set=root --label WINDOWS_7 --hint hd0,msdos2
   ntldr /bootmgr
@}

menuentry "FreeBSD" @{
          insmod zfs
          search --set=root --label freepool --hint hd0,msdos7
          kfreebsd /freebsd@@/boot/kernel/kernel
          kfreebsd_module_elf /freebsd@@/boot/kernel/opensolaris.ko
          kfreebsd_module_elf /freebsd@@/boot/kernel/zfs.ko
          kfreebsd_module /freebsd@@/boot/zfs/zpool.cache type=/boot/zfs/zpool.cache
          set kFreeBSD.vfs.root.mountfrom=zfs:freepool/freebsd
          set kFreeBSD.hw.psm.synaptics_support=1
@}

menuentry "experimental GRUB" @{
          search --set=root --label GRUB --hint hd0,msdos5
          multiboot /experimental/grub/i386-pc/core.img
@}

menuentry "Fedora 16 installer" @{
          search --set=root --label GRUB --hint hd0,msdos5
          linux /fedora/vmlinuz lang=en_US keymap=sg resolution=1280x800
          initrd /fedora/initrd.img
@}

menuentry "Fedora rawhide installer" @{
          search --set=root --label GRUB --hint hd0,msdos5
          linux /fedora/vmlinuz repo=ftp://mirror.switch.ch/mirror/fedora/linux/development/rawhide/x86_64 lang=en_US keymap=sg resolution=1280x800
          initrd /fedora/initrd.img
@}

menuentry "Debian sid installer" @{
          search --set=root --label GRUB --hint hd0,msdos5
          linux /debian/dists/sid/main/installer-amd64/current/images/hd-media/vmlinuz
          initrd /debian/dists/sid/main/installer-amd64/current/images/hd-media/initrd.gz
@}

@end example

Notes:
@itemize
@item Argument to search after --label is FS LABEL. You can also use UUIDs with --fs-uuid UUID instead of --label LABEL. You could also use direct @code{root=hd0,msdosX} but this is not recommended due to device name instability.
@end itemize

@node Embedded configuration
@section Embedding a configuration file into GRUB

GRUB supports embedding a configuration file directly into the core image,
so that it is loaded before entering normal mode.  This is useful, for
example, when it is not straightforward to find the real configuration file,
or when you need to debug problems with loading that file.
@command{grub-install} uses this feature when it is not using BIOS disk
functions or when installing to a different disk from the one containing
@file{/boot/grub}, in which case it needs to use the @command{search}
command (@pxref{search}) to find @file{/boot/grub}.

To embed a configuration file, use the @option{-c} option to
@command{grub-mkimage}.  The file is copied into the core image, so it may
reside anywhere on the file system, and may be removed after running
@command{grub-mkimage}.

After the embedded configuration file (if any) is executed, GRUB will load
the @samp{normal} module (@pxref{normal}), which will then read the real
configuration file from @file{$prefix/grub.cfg}.  By this point, the
@code{root} variable will also have been set to the root device name.  For
example, @code{prefix} might be set to @samp{(hd0,1)/boot/grub}, and
@code{root} might be set to @samp{hd0,1}.  Thus, in most cases, the embedded
configuration file only needs to set the @code{prefix} and @code{root}
variables, and then drop through to GRUB's normal processing.  A typical
example of this might look like this:

@example
@group
search.fs_uuid 01234567-89ab-cdef-0123-456789abcdef root
set prefix=($root)/boot/grub
@end group
@end example

(The @samp{search_fs_uuid} module must be included in the core image for this
example to work.)

In more complex cases, it may be useful to read other configuration files
directly from the embedded configuration file.  This allows such things as
reading files not called @file{grub.cfg}, or reading files from a directory
other than that where GRUB's loadable modules are installed.  To do this,
include the @samp{configfile} and @samp{normal} modules in the core image,
and embed a configuration file that uses the @command{configfile} command to
load another file.  The following example of this also requires the
@command{echo}, @command{search_label}, and @command{test} modules to be
included in the core image:

@example
@group
search.fs_label grub root
if [ -e /boot/grub/example/test1.cfg ]; then
    set prefix=($root)/boot/grub
    configfile /boot/grub/example/test1.cfg
else
    if [ -e /boot/grub/example/test2.cfg ]; then
        set prefix=($root)/boot/grub
        configfile /boot/grub/example/test2.cfg
    else
        echo "Could not find an example configuration file!"
    fi
fi
@end group
@end example

The embedded configuration file may not contain menu entries directly, but
may only read them from elsewhere using @command{configfile}.

@node Theme file format
@chapter Theme file format
@section Introduction
The GRUB graphical menu supports themes that can customize the layout and
appearance of the GRUB boot menu.  The theme is configured through a plain
text file that specifies the layout of the various GUI components (including
the boot menu, timeout progress bar, and text messages) as well as the
appearance using colors, fonts, and images. Example is available in docs/example_theme.txt

@section Theme Elements
@subsection Colors

Colors can be specified in several ways:

@itemize
@item HTML-style ``#RRGGBB'' or ``#RGB'' format, where *R*, *G*, and *B* are hexadecimal digits (e.g., ``#8899FF'')
@item as comma-separated decimal RGB values (e.g., ``128, 128, 255'')
@item with ``SVG 1.0 color names'' (e.g., ``cornflowerblue'') which must be specified in lowercase.
@end itemize
@subsection Fonts
The fonts GRUB uses ``PFF2 font format'' bitmap fonts.  Fonts are specified
with full font names.  Currently there is no
provision for a preference list of fonts, or deriving one font from another.
Fonts are loaded with the ``loadfont'' command in GRUB (@ref{loadfont}).  To see the list of
loaded fonts, execute the ``lsfonts'' command (@ref{lsfonts}).  If there are too many fonts to
fit on screen, do ``set pager=1'' before executing ``lsfonts''.


@subsection Progress Bar

@float Figure, Pixmap-styled progress bar
@c @image{Theme_progress_bar,,,,png}
@end float

@float Figure, Plain progress bar, drawn with solid color.
@c @image{Theme_progress_bar_filled,,,,png}
@end float

Progress bars are used to display the remaining time before GRUB boots the
default menu entry.  To create a progress bar that will display the remaining
time before automatic boot, simply create a ``progress_bar'' component with
the id ``__timeout__''.  This indicates to GRUB that the progress bar should
be updated as time passes, and it should be made invisible if the countdown to
automatic boot is interrupted by the user.

Progress bars may optionally have text displayed on them.  This text is
controlled by variable ``text'' which contains a printf template with the
only argument %d is the number of seconds remaining. Additionally special
values ``@@TIMEOUT_NOTIFICATION_SHORT@@'', ``@@TIMEOUT_NOTIFICATION_MIDDLE@@'',
``@@TIMEOUT_NOTIFICATION_LONG@@'' are replaced with standard and translated
templates.

@subsection Circular Progress Indicator

@c @image{Theme_circular_progress,,,,.png}

The circular progress indicator functions similarly to the progress bar.  When
given an id of ``__timeout__'', GRUB updates the circular progress indicator's
value to indicate the time remaining.  For the circular progress indicator,
there are two images used to render it:  the *center* image, and the *tick*
image.  The center image is rendered in the center of the component, while the
tick image is used to render each mark along the circumference of the
indicator.


@subsection Labels

Text labels can be placed on the boot screen.  The font, color, and horizontal
alignment can be specified for labels.  If a label is given the id
``__timeout__'', then the ``text'' property for that label is also updated
with a message informing the user of the number of seconds remaining until
automatic boot.  This is useful in case you want the text displayed somewhere
else instead of directly on the progress bar.


@subsection Boot Menu

@c @image{Theme_boot_menu,,,,.png}

The boot menu where GRUB displays the menu entries from the ``grub.cfg'' file.
It is a list of items, where each item has a title and an optional icon.  The
icon is selected based on the *classes* specified for the menu entry.  If
there is a PNG file named ``myclass.png'' in the ``grub/themes/icons''
directory, it will be displayed for items which have the class *myclass*.  The
boot menu can be customized in several ways, such as the font and color used
for the menu entry title, and by specifying styled boxes for the menu itself
and for the selected item highlight.


@subsection Styled Boxes

One of the most important features for customizing the layout is the use of
 *styled boxes*.  A styled box is composed of 9 rectangular (and potentially
empty) regions, which are used to seamlessly draw the styled box on screen:

@multitable @columnfractions 0.3 0.3 0.3
@item Northwest (nw) @tab North (n)  @tab Northeast (ne)
@item West (w)       @tab Center (c) @tab East (e)
@item Southwest (sw) @tab South (s)  @tab Southeast (se)
@end multitable

To support any size of box on screen, the center slice and the slices for the
top, bottom, and sides are all scaled to the correct size for the component on
screen, using the following rules:

@enumerate
@item The edge slices (north, south, east, and west) are scaled in the direction of the edge they are adjacent to.  For instance, the west slice is scaled vertically.
@item The corner slices (northwest, northeast, southeast, and southwest) are not scaled.
@item The center slice is scaled to fill the remaining space in the middle.
@end enumerate

As an example of how an image might be sliced up, consider the styled box
used for a terminal view.

@float Figure, An example of the slices (in red) used for a terminal window. This drawing was created and sliced in Inkscape_, as the next section explains.
@c @image{Box_slice_example_terminal,,,,.png}
@end float
   
@subsection Creating Styled Box Images

The Inkscape_ scalable vector graphics editor is a very useful tool for
creating styled box images.  One process that works well for slicing a drawing
into the necessary image slices is:

@enumerate
@item Create or open the drawing you'd like use.
@item Create a new layer on the top of the layer stack.  Make it visible.  Select this layer as the current layer.
@item Draw 9 rectangles on your drawing where you'd like the slices to be.  Clear the fill option, and set the stroke to 1 pixel wide solid stroke.  The corners of the slices must meet precisely; if it is off by a single pixel, it will probably be evident when the styled box is rendered in the GRUB menu.  You should probably go to File | Document Properties | Grids and enable a grid or create a guide (click on one of the rulers next to the drawing and drag over the drawing; release the mouse button to place the guide) to help place the rectangles precisely.
@item Right click on the center slice rectangle and choose Object Properties. Change the "Id" to ``slice_c`` and click Set.  Repeat this for the remaining 8 rectangles, giving them Id values of ``slice_n``, ``slice_ne``, ``slice_e``, and so on according to the location.
@item Save the drawing.
@item Select all the slice rectangles.  With the slice layer selected, you can simply press Ctrl+A to select all rectangles.  The status bar should indicate that 9 rectangles are selected.
@item Click the layer hide icon for the slice layer in the layer palette.  The rectangles will remain selected, even though they are hidden.
@item Choose File | Export Bitmap and check the *Batch export 9 selected objects* box.  Make sure that *Hide all except selected* is unchecked. click *Export*.  This will create PNG files in the same directory as the drawing, named after the slices.  These can now be used for a styled box in a GRUB theme.
@end enumerate

@section Theme File Manual

The theme file is a plain text file.  Lines that begin with ``#`` are ignored
and considered comments.  (Note: This may not be the case if the previous line
ended where a value was expected.)

The theme file contains two types of statements:
@enumerate
@item Global properties.
@item Component construction.
@end enumerate

@subsection Global Properties

@subsection Format

Global properties are specified with the simple format:
@itemize
@item name1: value1
@item name2: "value which may contain spaces"
@item name3: #88F
@end itemize

In this example, name3 is assigned a color value.


@subsection Global Property List

@multitable @columnfractions 0.3 0.6
@item title-text
   @tab Specifies the text to display at the top center of the screen as a title.
@item title-font
   @tab Defines the font used for the title message at the top of the screen.
@item title-color
   @tab Defines the color of the title message.
@item message-font
   @tab Currently unused. Left for backward compatibility.
@item message-color
   @tab Currently unused. Left for backward compatibility.
@item message-bg-color
   @tab Currently unused. Left for backward compatibility.
@item desktop-image
   @tab Specifies the image to use as the background.  It will be scaled
   to fit the screen size or proportionally scaled depending on the scale
   method.
@item desktop-image-scale-method
   @tab Specifies the scaling method for the *desktop-image*. Options are
   ``stretch``, ``crop``, ``padding``, ``fitwidth``, ``fitheight``.
   ``stretch`` for fitting the screen size. Otherwise it is proportional
   scaling of a part of *desktop-image* to the part of the screen.
   ``crop`` part of the *desktop-image* will be proportionally scaled to
   fit the screen sizes. ``padding`` the entire *desktop-image* will be
   contained on the screen. ``fitwidth`` for fitting the *desktop-image*'s
   width with screen width. ``fitheight`` for fitting the *desktop-image*'s
   height with the screen height. Default is ``stretch``.
@item desktop-image-h-align
   @tab Specifies the horizontal alignment of the *desktop-image* if
   *desktop-image-scale-method* isn't equeal to ``stretch``. Options are
   ``left``, ``center``, ``right``. Default is ``center``.
@item desktop-image-v-align
   @tab Specifies the vertical alignment of the *desktop-image* if
   *desktop-image-scale-method* isn't equeal to ``stretch``. Options are
   ``top``, ``center``, ``bottom``. Default is ``center``.
@item desktop-color
   @tab Specifies the color for the background if *desktop-image* is not
   specified.
@item terminal-box
   @tab Specifies the file name pattern for the styled box slices used for the
   command line terminal window.  For example, ``terminal-box: terminal_*.png``
   will use the images ``terminal_c.png`` as the center area, ``terminal_n.png``
   as the north (top) edge, ``terminal_nw.png`` as the northwest (upper left)
   corner, and so on.  If the image for any slice is not found, it will simply
   be left empty.
@item terminal-border
   @tab Specifies the border width of the terminal window.
@item terminal-left
   @tab Specifies the left coordinate of the terminal window.
@item terminal-top
   @tab Specifies the top coordinate of the terminal window.
@item terminal-width
   @tab Specifies the width of the terminal window.
@item terminal-height
   @tab Specifies the height of the terminal window.
@end multitable


@subsection Component Construction

Greater customizability comes is provided by components.  A tree of components
forms the user interface.  *Containers* are components that can contain other
components, and there is always a single root component which is an instance
of a *canvas* container.

Components are created in the theme file by prefixing the type of component
with a '+' sign:

@code{   + label @{ text="GRUB" font="aqui 11" color="#8FF" @} }

properties of a component are specified as "name = value" (whitespace
surrounding tokens is optional and is ignored) where *value* may be:
@itemize
@item a single word (e.g., ``align = center``, ``color = #FF8080``),
@item a quoted string (e.g., ``text = "Hello, World!"``), or
@item a tuple (e.g., ``preferred_size = (120, 80)``).
@end itemize

@subsection Component List

The following is a list of the components and the properties they support.

@itemize
@item label
   A label displays a line of text.
   
   Properties:
   @multitable @columnfractions 0.2 0.7
   @item id
      @tab Set to ``__timeout__`` to display the time elapsed to an automatical
      boot of the default entry.
   @item text
      @tab The text to display. If ``id`` is set to ``__timeout__`` and no
      ``text`` property is set then the amount of seconds will be shown.
      If set to ``@@KEYMAP_SHORT@@``, ``@@KEYMAP_MIDDLE@@`` or
      ``@@KEYMAP_LONG@@`` then predefined hotkey information will be shown.
   @item font
      @tab The font to use for text display.
   @item color
      @tab The color of the text.
   @item align
      @tab The horizontal alignment of the text within the component.
      Options are ``left``, ``center`` and ``right``.
   @item visible
      @tab Set to ``false`` to hide the label.
   @end multitable

@item image
   A component that displays an image.  The image is scaled to fit
   the component.

   Properties:

   @multitable @columnfractions 0.2 0.7
   @item file
      @tab The full path to the image file to load.
   @end multitable

@item progress_bar
   Displays a horizontally oriented progress bar.  It can be rendered using
   simple solid filled rectangles, or using a pair of pixmap styled boxes.

   Properties:

   @multitable @columnfractions 0.2 0.7
   @item id
      @tab Set to ``__timeout__`` to display the time elapsed to an automatical
      boot of the default entry.
   @item fg_color
      @tab The foreground color for plain solid color rendering.
   @item bg_color
      @tab The background color for plain solid color rendering.
   @item border_color
      @tab The border color for plain solid color rendering.
   @item text_color
      @tab The text color.
   @item bar_style
      @tab The styled box specification for the frame of the progress bar.
      Example: ``progress_frame_*.png``
      If the value is equal to ``highlight_style`` then no styled boxes
      will be shown.
   @item highlight_style
      @tab The styled box specification for the highlighted region of the
      progress bar. This box will be used to paint just the highlighted region
      of the bar, and will be increased in size as the bar nears completion.
      Example: ``progress_hl_*.png``.
      If the value is equal to ``bar_style`` then no styled boxes
      will be shown.
   @item highlight_overlay
      @tab If this option is set to ``true`` then the highlight box
      side slices (every slice except the center slice) will overlay the
      frame box side slices. And the center slice of the highlight box
      can move all the way (from top to bottom), being drawn on the center
      slice of the frame box. That way we can make a progress bar with
      round-shaped edges so there won't be a free space from the highlight to
      the frame in top and bottom scrollbar positions. Default is ``false``.
   @item font
      @tab The font to use for progress bar.
   @item text
      @tab The text to display on the progress bar.  If the progress bar's ID
      is set to ``__timeout__`` and the value of this property is set to
      ``@@TIMEOUT_NOTIFICATION_SHORT@@``, ``@@TIMEOUT_NOTIFICATION_MIDDLE@@``
      or ``@@TIMEOUT_NOTIFICATION_LONG@@``, then GRUB will update this
      property with an informative message as the timeout approaches.
   @end multitable

@item circular_progress
   Displays a circular progress indicator.  The appearance of this component
   is determined by two images:  the *center* image and the *tick* image.  The
   center image is generally larger and will be drawn in the center of the
   component.  Around the circumference of a circle within the component, the
   tick image will be drawn a certain number of times, depending on the
   properties of the component.

   Properties:

   @multitable @columnfractions 0.3 0.6
   @item id
      @tab Set to ``__timeout__`` to display the time elapsed to an automatical
      boot of the default entry.
   @item center_bitmap
      @tab The file name of the image to draw in the center of the component.
   @item tick_bitmap
      @tab The file name of the image to draw for the tick marks.
   @item num_ticks
      @tab The number of ticks that make up a full circle.
   @item ticks_disappear
      @tab Boolean value indicating whether tick marks should progressively appear,
      or progressively disappear as *value* approaches *end*.  Specify
      ``true`` or ``false``. Default is ``false``.
   @item start_angle
      @tab The position of the first tick mark to appear or disappear.
      Measured in "parrots", 1 "parrot" = 1 / 256 of the full circle.
      Use values ``xxx deg`` or ``xxx \xc2\xb0`` to set the angle in degrees.
   @end multitable

@item boot_menu
   Displays the GRUB boot menu.  It allows selecting items and executing them.

   Properties:

   @multitable @columnfractions 0.4 0.5
   @item item_font
      @tab The font to use for the menu item titles.
   @item selected_item_font
      @tab The font to use for the selected menu item, or ``inherit`` (the default)
      to use ``item_font`` for the selected menu item as well.
   @item item_color
      @tab The color to use for the menu item titles.
   @item selected_item_color
      @tab The color to use for the selected menu item, or ``inherit`` (the default)
      to use ``item_color`` for the selected menu item as well.
   @item icon_width
      @tab The width of menu item icons.  Icons are scaled to the specified size.
   @item icon_height
      @tab The height of menu item icons.
   @item item_height
      @tab The height of each menu item in pixels.
   @item item_padding
      @tab The amount of space in pixels to leave on each side of the menu item
      contents.
   @item item_icon_space
      @tab The space between an item's icon and the title text, in pixels.
   @item item_spacing
      @tab The amount of space to leave between menu items, in pixels.
   @item menu_pixmap_style
      @tab The image file pattern for the menu frame styled box.
      Example:  ``menu_*.png`` (this will use images such as ``menu_c.png``,
      ``menu_w.png``, `menu_nw.png``, etc.)
   @item item_pixmap_style
      @tab The image file pattern for the item styled box.
   @item selected_item_pixmap_style
      @tab The image file pattern for the selected item highlight styled box.
   @item scrollbar
      @tab Boolean value indicating whether the scroll bar should be drawn if the
      frame and thumb styled boxes are configured.
   @item scrollbar_frame
      @tab The image file pattern for the entire scroll bar.
      Example:  ``scrollbar_*.png``
   @item scrollbar_thumb
      @tab The image file pattern for the scroll bar thumb (the part of the scroll
      bar that moves as scrolling occurs).
      Example:  ``scrollbar_thumb_*.png``
   @item scrollbar_thumb_overlay
      @tab If this option is set to ``true`` then the scrollbar thumb
      side slices (every slice except the center slice) will overlay the
      scrollbar frame side slices. And the center slice of the scrollbar_thumb
      can move all the way (from top to bottom), being drawn on the center
      slice of the scrollbar frame. That way we can make a scrollbar with
      round-shaped edges so there won't be a free space from the thumb to
      the frame in top and bottom scrollbar positions. Default is ``false``.
   @item scrollbar_slice
      @tab The menu frame styled box's slice in which the scrollbar will be
      drawn. Possible values are ``west``, ``center``, ``east`` (default).
      ``west`` - the scrollbar will be drawn in the west slice (right-aligned).
      ``east`` - the scrollbar will be drawn in the east slice (left-aligned).
      ``center`` - the scrollbar will be drawn in the center slice.
      Note: in case of ``center`` slice:
      a) If the scrollbar should be drawn then boot menu entry's width is
      decreased by the scrollbar's width and the scrollbar is drawn at the
      right side of the center slice.
      b) If the scrollbar won't be drawn then the boot menu entry's width
      is the width of the center slice.
      c) We don't necessary need the menu pixmap box to display the scrollbar.
   @item scrollbar_left_pad
      @tab The left scrollbar padding in pixels.
      Unused if ``scrollbar_slice`` is ``west``.
   @item scrollbar_right_pad
      @tab The right scrollbar padding in pixels.
      Unused if ``scrollbar_slice`` is ``east``.
   @item scrollbar_top_pad
      @tab The top scrollbar padding in pixels.
   @item scrollbar_bottom_pad
      @tab The bottom scrollbar padding in pixels.
   @item visible
      @tab Set to ``false`` to hide the boot menu.
   @end multitable

@item canvas
   Canvas is a container that allows manual placement of components within it.
   It does not alter the positions of its child components.  It assigns all
   child components their preferred sizes.

@item hbox
   The *hbox* container lays out its children from left to right, giving each
   one its preferred width.  The height of each child is set to the maximum of
   the preferred heights of all children.
   
@item vbox
   The *vbox* container lays out its children from top to bottom, giving each
   one its preferred height.  The width of each child is set to the maximum of
   the preferred widths of all children.
@end itemize


@subsection Common properties

The following properties are supported by all components:
@table @samp
@item left
     The distance from the left border of container to left border of the object in either of three formats:
        @multitable @columnfractions 0.2 0.7
             @item x @tab Value in pixels
             @item p% @tab Percentage
             @item p%+x @tab mixture of both
        @end multitable
@item top
      The distance from the left border of container to left border of the object in same format.
@item width
      The width of object in same format.
@item height
      The height of object in same format.
@item id 
   The identifier for the component.  This can be any arbitrary string.
   The ID can be used by scripts to refer to various components in the GUI
   component tree.  Currently, there is one special ID value that GRUB
   recognizes:

   @multitable @columnfractions 0.2 0.7
   @item ``__timeout__``
      @tab Component with this ID will be updated by GRUB and will indicate
      time elapsed to an automatical boot of the default entry.
      Affected components: ``label``, ``circular_progress``, ``progress_bar``.
   @end multitable
@end table



@node Network
@chapter Booting GRUB from the network

The following instructions don't work for *-emu, i386-qemu, i386-coreboot,
i386-multiboot, mips_loongson, mips-arc and mips_qemu_mips

To generate a netbootable directory, run:

@example
@group
grub-mknetdir --net-directory=/srv/tftp --subdir=/boot/grub -d /usr/lib/grub/<platform>
@end group
@end example

E.g. for i386-pc:

@example
@group
grub-mknetdir --net-directory=/srv/tftp --subdir=/boot/grub -d /usr/lib/grub/i386-pc
@end group
@end example

Then follow instructions printed out by grub-mknetdir on configuring your DHCP
server.

The grub.cfg file is placed in the same directory as the path output by
grub-mknetdir hereafter referred to as FWPATH. GRUB will search for its
configuration files in order using the following rules where the appended
value corresponds to a value on the client machine.

@example
@group
@samp{(FWPATH)}/grub.cfg-@samp{(UUID OF MACHINE)}
@samp{(FWPATH)}/grub.cfg-01-@samp{(MAC ADDRESS OF NIC)}
@samp{(FWPATH)}/grub.cfg-@samp{(IPv4 OR IPv6 ADDRESS)}
@samp{(FWPATH)}/grub.cfg
@end group
@end example

The UUID is the Client Machine Identifier Option Definition as specified in
RFC 4578. The client will only attempt to look up a UUID config file if it
was provided by the DHCP server.

The client will only attempt to look up an IPv6 address config once, however,
it will try the IPv4 multiple times. The concrete example below shows what
would happen under the IPv4 case.

@example
@group
UUID: 7726a678-7fc0-4853-a4f6-c85ac36a120a
MAC:  52:54:00:ec:33:81
IPV4: 10.0.0.130 (0A000082)
@end group
@end example

@example
@group
@samp{(FWPATH)}/grub.cfg-7726a678-7fc0-4853-a4f6-c85ac36a120a
@samp{(FWPATH)}/grub.cfg-01-52-54-00-ec-33-81
@samp{(FWPATH)}/grub.cfg-0A000082
@samp{(FWPATH)}/grub.cfg-0A00008
@samp{(FWPATH)}/grub.cfg-0A0000
@samp{(FWPATH)}/grub.cfg-0A000
@samp{(FWPATH)}/grub.cfg-0A00
@samp{(FWPATH)}/grub.cfg-0A0
@samp{(FWPATH)}/grub.cfg-0A
@samp{(FWPATH)}/grub.cfg-0
@samp{(FWPATH)}/grub.cfg
@end group
@end example

This feature is enabled by default but it can be disabled by setting the
@samp{feature_net_search_cfg} to @samp{n}. Since this happens before the
configuration file is read by GRUB, this option has to be disabled in an
embedded configuration file (@pxref{Embedded configuration}).

After GRUB has started, files on the TFTP server will be accessible via the
@samp{(tftp)} device.

The server IP address can be controlled by changing the
@samp{(tftp)} device name to @samp{(tftp,@var{server-ip})}. Note that
this should be changed both in the prefix and in any references to the
device name in the configuration file.

GRUB provides several environment variables which may be used to inspect or
change the behaviour of the PXE device. In the following description
@var{<interface>} is placeholder for the name of network interface (platform
dependent):

@table @samp
@item net_@var{<interface>}_ip
The network interface's IP address.  Read-only.

@item net_@var{<interface>}_mac
The network interface's MAC address.  Read-only.

@item net_@var{<interface>}_clientid
The client id provided by DHCP.  Read-only.

@item net_@var{<interface>}_clientuuid
The client uuid provided by DHCP.  Read-only.

@item net_@var{<interface>}_hostname
The client host name provided by DHCP.  Read-only.

@item net_@var{<interface>}_domain
The client domain name provided by DHCP.  Read-only.

@item net_@var{<interface>}_rootpath
The path to the client's root disk provided by DHCP.  Read-only.

@item net_@var{<interface>}_extensionspath
The path to additional DHCP vendor extensions provided by DHCP.  Read-only.

@item net_@var{<interface>}_boot_file
The boot file name provided by DHCP.  Read-only.

@item net_@var{<interface>}_dhcp_server_name
The name of the DHCP server responsible for these boot parameters.
Read-only.

@item net_@var{<interface>}_next_server
The IP address of the next (usually, TFTP) server provided by DHCP.
Read-only.

@item net_default_interface
Initially set to name of network interface that was used to load grub.
Read-write, although setting it affects only interpretation of
@samp{net_default_ip} and @samp{net_default_mac}

@item net_default_ip
The IP address of default interface.  Read-only. This is alias for the
@samp{net_$@{net_default_interface@}_ip}.

@item net_default_mac
The default interface's MAC address.  Read-only.  This is alias for the
@samp{net_$@{net_default_interface@}_mac}.

@item net_default_server
The default server used by network drives (@pxref{Device syntax}).  Read-write,
although setting this is only useful before opening a network device.

@item pxe_default_server
This performs the same function as @samp{net_default_server}.

@end table


@node Serial terminal
@chapter Using GRUB via a serial line

This chapter describes how to use the serial terminal support in GRUB.

If you have many computers or computers with no display/keyboard, it
could be very useful to control the computers through serial
communications. To connect one computer with another via a serial line,
you need to prepare a null-modem (cross) serial cable, and you may need
to have multiport serial boards, if your computer doesn't have extra
serial ports. In addition, a terminal emulator is also required, such as
minicom. Refer to a manual of your operating system, for more
information.

As for GRUB, the instruction to set up a serial terminal is quite
simple.  Here is an example:

@example
@group
grub> @kbd{serial --unit=0 --speed=9600}
grub> @kbd{terminal_input serial; terminal_output serial}
@end group
@end example

The command @command{serial} initializes the serial unit 0 with the
speed 9600bps. The serial unit 0 is usually called @samp{COM1}, so, if
you want to use COM2, you must specify @samp{--unit=1} instead. This
command accepts many other options, @pxref{serial} for more details.

Without argument or with @samp{--port=auto}, GRUB will attempt to use
ACPI when available to auto-detect the default serial port and its
configuration.

The commands @command{terminal_input} (@pxref{terminal_input}) and
@command{terminal_output} (@pxref{terminal_output}) choose which type of
terminal you want to use. In the case above, the terminal will be a
serial terminal, but you can also pass @code{console} to the command,
as @samp{terminal_input serial console}. In this case, a terminal in which
you press any key will be selected as a GRUB terminal. In the example above,
note that you need to put both commands on the same command line, as you
will lose the ability to type commands on the console after the first
command.

However, note that GRUB assumes that your terminal emulator is
compatible with VT100 by default. This is true for most terminal
emulators nowadays. However if your terminal emulator is not VT100-compatible
or implements few VT100 escape sequences, you shoud tell GRUB that the
terminal is dumb using the @command{terminfo} (@pxref{terminfo}) command.
This will have GRUB provide you with an alternative menu interface, because
the normal menu requires several fancy features of your terminal.


@node Vendor power-on keys
@chapter Using GRUB with vendor power-on keys

Some laptop vendors provide an additional power-on button which boots
another OS.  GRUB supports such buttons with the @samp{GRUB_TIMEOUT_BUTTON},
@samp{GRUB_TIMEOUT_STYLE_BUTTON}, @samp{GRUB_DEFAULT_BUTTON}, and
@samp{GRUB_BUTTON_CMOS_ADDRESS} variables in default/grub (@pxref{Simple
configuration}).  @samp{GRUB_TIMEOUT_BUTTON},
@samp{GRUB_TIMEOUT_STYLE_BUTTON}, and @samp{GRUB_DEFAULT_BUTTON} are used
instead of the corresponding variables without the @samp{_BUTTON} suffix
when powered on using the special button.  @samp{GRUB_BUTTON_CMOS_ADDRESS}
is vendor-specific and partially model-specific.  Values known to the GRUB
team are:

@table @key
@item Dell XPS M1330M
121:3
@item Dell XPS M1530
85:3
@item Dell Latitude E4300
85:3
@item Asus EeePC 1005PE 
84:1 (unconfirmed)
@item LENOVO ThinkPad T410s (2912W1C)
101:3
@end table

To take full advantage of this function, install GRUB into the MBR
(@pxref{Installing GRUB using grub-install}).

If you have a laptop which has a similar feature and not in the above list
could you figure your address and contribute?
To discover the address do the following:
@itemize
@item boot normally
@item
@example
sudo modprobe nvram
sudo cat /dev/nvram | xxd > normal_button.txt
@end example
@item boot using vendor button
@item
@example
sudo modprobe nvram
sudo cat /dev/nvram | xxd > normal_vendor.txt
@end example
@end itemize

Then compare these text files and find where a bit was toggled. E.g. in
case of Dell XPS it was:
@example
byte 0x47: 20 --> 28
@end example
It's a bit number 3 as seen from following table:
@multitable @columnfractions .2 .2
@item 0 @tab 01
@item 1 @tab 02
@item 2 @tab 04
@item 3 @tab 08
@item 4 @tab 10
@item 5 @tab 20
@item 6 @tab 40
@item 7 @tab 80
@end multitable

0x47 is decimal 71. Linux nvram implementation cuts first 14 bytes of
CMOS. So the real byte address in CMOS is 71+14=85
So complete address is 85:3

@node Images
@chapter GRUB image files

@c FIXME: parts of this section are specific to PC BIOS right now.

GRUB consists of several images: a variety of bootstrap images for starting
GRUB in various ways, a kernel image, and a set of modules which are
combined with the kernel image to form a core image.  Here is a short
overview of them.

@table @file
@item boot.img
On PC BIOS systems, this image is the first part of GRUB to start.  It is
written to a master boot record (MBR) or to the boot sector of a partition.
Because a PC boot sector is 512 bytes, the size of this image is exactly 512
bytes.

The sole function of @file{boot.img} is to read the first sector of the core
image from a local disk and jump to it.  Because of the size restriction,
@file{boot.img} cannot understand any file system structure, so
@command{grub-install} hardcodes the location of the first sector of the
core image into @file{boot.img} when installing GRUB.

@item diskboot.img
This image is used as the first sector of the core image when booting from a
hard disk.  It reads the rest of the core image into memory and starts the
kernel.  Since file system handling is not yet available, it encodes the
location of the core image using a block list format.

@item cdboot.img
This image is used as the first sector of the core image when booting from a
CD-ROM drive.  It performs a similar function to @file{diskboot.img}.

@item pxeboot.img
This image is used as the start of the core image when booting from the
network using PXE.  @xref{Network}.

@item lnxboot.img
This image may be placed at the start of the core image in order to make
GRUB look enough like a Linux kernel that it can be booted by LILO using an
@samp{image=} section.

@item kernel.img
This image contains GRUB's basic run-time facilities: frameworks for device
and file handling, environment variables, the rescue mode command-line
parser, and so on.  It is rarely used directly, but is built into all core
images.

@item core.img
This is the core image of GRUB.  It is built dynamically from the kernel
image and an arbitrary list of modules by the @command{grub-mkimage}
program.  Usually, it contains enough modules to access @file{/boot/grub},
and loads everything else (including menu handling, the ability to load
target operating systems, and so on) from the file system at run-time.  The
modular design allows the core image to be kept small, since the areas of
disk where it must be installed are often as small as 32KB.

@xref{BIOS installation}, for details on where the core image can be
installed on PC systems.

@item *.mod
Everything else in GRUB resides in dynamically loadable modules.  These are
often loaded automatically, or built into the core image if they are
essential, but may also be loaded manually using the @command{insmod}
command (@pxref{insmod}).
@end table

@heading For GRUB Legacy users

GRUB 2 has a different design from GRUB Legacy, and so correspondences with
the images it used cannot be exact.  Nevertheless, GRUB Legacy users often
ask questions in the terms they are familiar with, and so here is a brief
guide to how GRUB 2's images relate to that.

@table @file
@item stage1
Stage 1 from GRUB Legacy was very similar to @file{boot.img} in GRUB 2, and
they serve the same function.

@item *_stage1_5
In GRUB Legacy, Stage 1.5's function was to include enough filesystem code
to allow the much larger Stage 2 to be read from an ordinary filesystem.  In
this respect, its function was similar to @file{core.img} in GRUB 2.
However, @file{core.img} is much more capable than Stage 1.5 was; since it
offers a rescue shell, it is sometimes possible to recover manually in the
event that it is unable to load any other modules, for example if partition
numbers have changed.  @file{core.img} is built in a more flexible way,
allowing GRUB 2 to support reading modules from advanced disk types such as
LVM and RAID.

GRUB Legacy could run with only Stage 1 and Stage 2 in some limited
configurations, while GRUB 2 requires @file{core.img} and cannot work
without it.

@item stage2
GRUB 2 has no single Stage 2 image.  Instead, it loads modules from
@file{/boot/grub} at run-time.

@item stage2_eltorito
In GRUB 2, images for booting from CD-ROM drives are now constructed using
@file{cdboot.img} and @file{core.img}, making sure that the core image
contains the @samp{iso9660} module.  It is usually best to use the
@command{grub-mkrescue} program for this.

@item nbgrub
There is as yet no equivalent for @file{nbgrub} in GRUB 2; it was used by
Etherboot and some other network boot loaders.

@item pxegrub
In GRUB 2, images for PXE network booting are now constructed using
@file{pxeboot.img} and @file{core.img}, making sure that the core image
contains the @samp{pxe} and @samp{pxecmd} modules.  @xref{Network}.
@end table

@node Core image size limitation
@chapter Core image size limitation

Heavily limited platforms:
@itemize
@item i386-pc (normal and PXE): the core image size (compressed) is limited by 458240 bytes.
 kernel.img (.text + .data + .bss, uncompressed) is limited by 392704 bytes.
 module size (uncompressed) + kernel.img (.text + .data, uncompressed) is limited by the size of contiguous chunk at 1M address.
@item sparc64-ieee1275: kernel.img (.text + .data + .bss) + modules + 256K (stack) + 2M (heap) is limited by space available at 0x4400. On most platforms it's just 3 or 4M since ieee1275 maps only so much.
@item i386-ieee1275: kernel.img  (.text + .data + .bss) + modules is limited by memory available at 0x10000, at most 596K
@end itemize

Lightly limited platforms:

@itemize
@item *-xen: limited only by address space and RAM size.
@item i386-qemu: kernel.img (.text + .data + .bss) is limited by 392704 bytes.
                 (core.img would be limited by ROM size but it's unlimited on qemu
@item All EFI platforms: limited by contiguous RAM size and possibly firmware bugs
@item Coreboot and multiboot. kernel.img (.text + .data + .bss) is limited by 392704 bytes.
      module size is limited by the size of contiguous chunk at 1M address.
@item mipsel-loongson (ELF), mips(el)-qemu_mips (ELF): if uncompressed:
                kernel.img (.text + .data) + modules is limited by the space from 80200000 forward
                if compressed:
                kernel.img (.text + .data, uncompressed) + modules (uncompressed)
                + (modules + kernel.img (.text + .data)) (compressed)
                + decompressor is limited by the space from 80200000 forward
@item mipsel-loongson (Flash), mips(el)-qemu_mips (Flash): kernel.img (.text + .data) + modules is limited by the space from 80200000 forward
                               core.img (final) is limited by flash size (512K on yeeloong and fulooong)
@item mips-arc: if uncompressed:
                kernel.img (.text + .data) is limited by the space from 8bd00000 forward
                modules + dummy decompressor  is limited by the space from 8bd00000 backward
                if compressed:
                kernel.img (.text + .data, uncompressed) is limited by the space from 8bd00000 forward
                modules (uncompressed) + (modules + kernel.img (.text + .data)) (compressed, aligned to 1M)
                + 1M (decompressor + scratch space) is limited by the space from 8bd00000 backward
@item powerpc-ieee1275: kernel.img (.text + .data + .bss) + modules is limited by space available at 0x200000
@end itemize

@node Filesystem
@chapter Filesystem syntax and semantics

GRUB uses a special syntax for specifying disk drives which can be
accessed by BIOS. Because of BIOS limitations, GRUB cannot distinguish
between IDE, ESDI, SCSI, or others. You must know yourself which BIOS
device is equivalent to which OS device. Normally, that will be clear if
you see the files in a device or use the command @command{search}
(@pxref{search}).

@menu
* Device syntax::               How to specify devices
* File name syntax::            How to specify files
* Block list syntax::           How to specify block lists
@end menu


@node Device syntax
@section How to specify devices

The device syntax is like this:

@example
@code{(@var{device}[,@var{partmap-name1}@var{part-num1}[,@var{partmap-name2}@var{part-num2}[,...]]])}
@end example

@samp{[]} means the parameter is optional. @var{device} depends on the disk
driver in use. BIOS and EFI disks use either @samp{fd} or @samp{hd} followed
by a digit, like @samp{fd0}, or @samp{cd}.
AHCI, PATA (ata), crypto, USB use the name of driver followed by a number.
Memdisk and host are limited to one disk and so it's referred just by driver
name.
RAID (md), ofdisk (ieee1275 and nand), LVM (lvm), LDM, virtio (vdsk)
and arcdisk (arc) use intrinsic name of disk prefixed by driver name.
Additionally just ``nand'' refers to the disk aliased as ``nand''.
Conflicts are solved by suffixing a number if necessary.
Commas need to be escaped.
Loopback uses whatever name specified to @command{loopback} command.
Hostdisk uses names specified in device.map as long as it's of the form
[fhc]d[0-9]* or hostdisk/<OS DEVICE>.
For crypto and RAID (md) additionally you can use the syntax
<driver name>uuid/<uuid>.  For LVM additionally you can use the syntax
lvmid/<volume-group-uuid>/<volume-uuid>.

@example
(fd0)
(hd0)
(cd)
(ahci0)
(ata0)
(crypto0)
(usb0)
(cryptouuid/123456789abcdef0123456789abcdef0)
(mduuid/123456789abcdef0123456789abcdef0)
(lvm/system-root)
(lvmid/F1ikgD-2RES-306G-il9M-7iwa-4NKW-EbV1NV/eLGuCQ-L4Ka-XUgR-sjtJ-ffch-bajr-fCNfz5)
(md/myraid)
(md/0)
(ieee1275/disk2)
(ieee1275//pci@@1f\,0/ide@@d/disk@@2)
(nand)
(memdisk)
(host)
(myloop)
(hostdisk//dev/sda)
@end example

@var{part-num} represents the partition number of @var{device}, starting
from one. @var{partname} is optional but is recommended since disk may have
several top-level partmaps. Specifying third and later component you can access
to subpartitions.

The syntax @samp{(hd0)} represents using the entire disk (or the
MBR when installing GRUB), while the syntax @samp{(hd0,1)}
represents using the first partition of the disk (or the boot sector
of the partition when installing GRUB).

@example
(hd0,msdos1)
(hd0,msdos1,msdos5)
(hd0,msdos1,bsd3)
(hd0,netbsd1)
(hd0,gpt1)
(hd0,1,3)
@end example

If you enabled the network support, the special drives
@code{(@var{protocol}[,@var{server}])} are also available. Supported protocols
are @samp{http} and @samp{tftp}. If @var{server} is omitted, value of
environment variable @samp{net_default_server} is used.
Before using the network drive, you must initialize the network.
@xref{Network}, for more information.

When using @samp{http} or @samp{tftp}, ports other than @samp{80} can be
specified using a colon (@samp{:}) after the address.  To avoid parsing
conflicts, when using IPv6 addresses with custom ports, the addresses
must be enclosed with square brackets (@samp{[]}), as is standard
practice.

@example
(http,grub.example.com:31337)
(http,192.0.2.1:339)
(http,[2001:db8::1]:11235)
@end example

If you boot GRUB from a CD-ROM, @samp{(cd)} is available. @xref{Making
a GRUB bootable CD-ROM}, for details.


@node File name syntax
@section How to specify files

There are two ways to specify files, by @dfn{absolute file name} and by
@dfn{block list}.

An absolute file name resembles a Unix absolute file name, using
@samp{/} for the directory separator (not @samp{\} as in DOS). One
example is @samp{(hd0,1)/boot/grub/grub.cfg}. This means the file
@file{/boot/grub/grub.cfg} in the first partition of the first hard
disk. If you omit the device name in an absolute file name, GRUB uses
GRUB's @dfn{root device} implicitly. So if you set the root device to,
say, @samp{(hd1,1)} by the command @samp{set root=(hd1,1)} (@pxref{set}),
then @code{/boot/kernel} is the same as @code{(hd1,1)/boot/kernel}.

On ZFS filesystem the first path component must be
@var{volume}@samp{@@}[@var{snapshot}].
So @samp{/rootvol@@snap-129/boot/grub/grub.cfg} refers to file
@samp{/boot/grub/grub.cfg} in snapshot of volume @samp{rootvol} with name
@samp{snap-129}.  Trailing @samp{@@} after volume name is mandatory even if
snapshot name is omitted.


@node Block list syntax
@section How to specify block lists

A block list is used for specifying a file that doesn't appear in the
filesystem, like a chainloader. The syntax is
@code{[@var{offset}]+[@var{length}][,[@var{offset}]+[@var{length}]]@dots{}}.
Here is an example:

@example
@code{0+100,200+1,300+300,800+}
@end example

This represents that GRUB should read blocks 0 through 99, block 200,
blocks 300 through 599, and blocks 800 until the end of the device.
If you omit an offset, then GRUB assumes the offset is zero. If the
length is omitted, then GRUB assumes the block list extends until the
end of the device.

Like the file name syntax (@pxref{File name syntax}), if a blocklist
does not contain a device name, then GRUB uses GRUB's @dfn{root
device}. So @code{(hd0,2)+1} is the same as @code{+1} when the root
device is @samp{(hd0,2)}.


@node Interface
@chapter GRUB's user interface

GRUB has both a simple menu interface for choosing preset entries from a
configuration file, and a highly flexible command-line for performing
any desired combination of boot commands.

GRUB looks for its configuration file as soon as it is loaded. If one
is found, then the full menu interface is activated using whatever
entries were found in the file. If you choose the @dfn{command-line} menu
option, or if the configuration file was not found, then GRUB drops to
the command-line interface.

@menu
* Command-line interface::      The flexible command-line interface
* Menu interface::              The simple menu interface
* Menu entry editor::           Editing a menu entry
@end menu


@node Command-line interface
@section The flexible command-line interface

The command-line interface provides a prompt and after it an editable
text area much like a command-line in Unix or DOS. Each command is
immediately executed after it is entered@footnote{However, this
behavior will be changed in the future version, in a user-invisible
way.}. The commands (@pxref{Commands}) are a subset of those available
in the configuration file, used with exactly the same syntax.

Cursor movement and editing of the text on the line can be done via a
subset of the functions available in the Bash shell:

@table @key
@item C-f
@itemx PC right key
Move forward one character.

@item C-b
@itemx PC left key
Move back one character.

@item C-a
@itemx HOME
Move to the start of the line.

@item C-e
@itemx END
Move the the end of the line.

@item C-d
@itemx DEL
Delete the character underneath the cursor.

@item C-h
@itemx BS
Delete the character to the left of the cursor.

@item C-k
Kill the text from the current cursor position to the end of the line.

@item C-u
Kill backward from the cursor to the beginning of the line.

@item C-y
Yank the killed text back into the buffer at the cursor.

@item C-p
@itemx PC up key
Move up through the history list.

@item C-n
@itemx PC down key
Move down through the history list.
@end table

When typing commands interactively, if the cursor is within or before
the first word in the command-line, pressing the @key{TAB} key (or
@key{C-i}) will display a listing of the available commands, and if the
cursor is after the first word, the @kbd{@key{TAB}} will provide a
completion listing of disks, partitions, and file names depending on the
context. Note that to obtain a list of drives, one must open a
parenthesis, as @command{root (}.

Note that you cannot use the completion functionality in the TFTP
filesystem. This is because TFTP doesn't support file name listing for
the security.


@node Menu interface
@section The simple menu interface

The menu interface is quite easy to use. Its commands are both
reasonably intuitive and described on screen.

Basically, the menu interface provides a list of @dfn{boot entries} to
the user to choose from. Use the arrow keys to select the entry of
choice, then press @key{RET} to run it.  An optional timeout is
available to boot the default entry (the first one if not set), which is
aborted by pressing any key.

Commands are available to enter a bare command-line by pressing @key{c}
(which operates exactly like the non-config-file version of GRUB, but
allows one to return to the menu if desired by pressing @key{ESC}) or to
edit any of the @dfn{boot entries} by pressing @key{e}.

If you protect the menu interface with a password (@pxref{Security}),
all you can do is choose an entry by pressing @key{RET}, or press
@key{p} to enter the password.

Pressing @key{Ctrl-l} will refresh the menu, which can be useful when
connecting via serial after the menu has been drawn.


@node Menu entry editor
@section Editing a menu entry

The menu entry editor looks much like the main menu interface, but the
lines in the menu are individual commands in the selected entry instead
of entry names.

If an @key{ESC} is pressed in the editor, it aborts all the changes made
to the configuration entry and returns to the main menu interface.

Each line in the menu entry can be edited freely, and you can add new lines
by pressing @key{RET} at the end of a line.  To boot the edited entry, press
@key{Ctrl-x}.

Although GRUB unfortunately does not support @dfn{undo}, you can do almost
the same thing by just returning to the main menu using @key{ESC}.


@node Environment
@chapter GRUB environment variables

GRUB supports environment variables which are rather like those offered by
all Unix-like systems.  Environment variables have a name, which is unique
and is usually a short identifier, and a value, which is an arbitrary string
of characters.  They may be set (@pxref{set}), unset (@pxref{unset}), or
looked up (@pxref{Shell-like scripting}) by name.

A number of environment variables have special meanings to various parts of
GRUB.  Others may be used freely in GRUB configuration files.


@menu
* Special environment variables::
* Environment block::
* Special environment block variables::
* Passing environment variables through Xen::
@end menu


@node Special environment variables
@section Special environment variables

These variables have special meaning to GRUB.

@menu
* appendedsig_key_mgmt::
* biosnum::
* blsuki_save_default::
* check_appended_signatures::
* check_signatures::
* chosen::
* cmdpath::
* color_highlight::
* color_normal::
* config_directory::
* config_file::
* cryptodisk_passphrase_tries::
* debug::
* default::
* fallback::
* gfxmode::
* gfxpayload::
* gfxterm_font::
* grub_cpu::
* grub_platform::
* icondir::
* lang::
* locale_dir::
* lockdown::
* menu_color_highlight::
* menu_color_normal::
* net_@var{<interface>}_boot_file::
* net_@var{<interface>}_clientid::
* net_@var{<interface>}_clientuuid::
* net_@var{<interface>}_dhcp_server_name::
* net_@var{<interface>}_domain::
* net_@var{<interface>}_extensionspath::
* net_@var{<interface>}_hostname::
* net_@var{<interface>}_ip::
* net_@var{<interface>}_mac::
* net_@var{<interface>}_next_server::
* net_@var{<interface>}_rootpath::
* net_default_interface::
* net_default_ip::
* net_default_mac::
* net_default_server::
* pager::
* prefix::
* pxe_default_server::
* root::
* shim_lock::
* superusers::
* theme::
* timeout::
* timeout_style::
* tpm_fail_fatal::
@end menu


@node appendedsig_key_mgmt
@subsection appendedsig_key_mgmt

This variable controls whether GRUB enforces appended signature validation
using either @code{static} or @code{dynamic} key management. It is automatically
set by GRUB to either @code{static} or @code{dynamic} based on the
@strong{'ibm,secure-boot'} device tree property and Platform KeyStore (PKS).
Also, it can be explicitly set to either @code{static} or @code{dynamic} by
setting the @code{appendedsig_key_mgmt} variable from the GRUB console
when the GRUB is not locked down.

@xref{Using appended signatures} for more information.

@node biosnum
@subsection biosnum

When chain-loading another boot loader (@pxref{Chain-loading}), GRUB may
need to know what BIOS drive number corresponds to the root device
(@pxref{root}) so that it can set up registers properly.  If the
@var{biosnum} variable is set, it overrides GRUB's own means of guessing
this.

For an alternative approach which also changes BIOS drive mappings for the
chain-loaded system, @pxref{drivemap}.


@node blsuki_save_default
@subsection blsuki_save_default

If this variable is set, menu entries generated from BLS config files
(@pxref{blscfg}) or UKI files (@pxref{uki}) will be set as the default boot
entry when selected.

@node check_appended_signatures
@subsection check_appended_signatures

This variable controls whether GRUB enforces appended signature validation on
loaded kernel and GRUB module files. It is automatically set by GRUB
to either @code{no} or @code{yes} based on the @strong{'ibm,secure-boot'} device
tree property. Also, it can be explicitly set to either @code{no} or @code{yes} by
setting the @code{check_appended_signatures} variable from the GRUB console
when the GRUB is not locked down.

@xref{Using appended signatures} for more information.

@node check_signatures
@subsection check_signatures

This variable controls whether GRUB enforces GPG-style digital signature
validation on loaded files. @xref{Using GPG-style digital signatures}.

@node chosen
@subsection chosen

When executing a menu entry, GRUB sets the @var{chosen} variable to the
title of the entry being executed.

If the menu entry is in one or more submenus, then @var{chosen} is set to
the titles of each of the submenus starting from the top level followed by
the title of the menu entry itself, separated by @samp{>}.


@node cmdpath
@subsection cmdpath

The location from which @file{core.img} was loaded as an absolute
directory name (@pxref{File name syntax}).  This is set by GRUB at
startup based on information returned by platform firmware.  Not every
platform provides this information and some may return only device
without path name.


@node color_highlight
@subsection color_highlight

This variable contains the ``highlight'' foreground and background terminal
colors, separated by a slash (@samp{/}).  Setting this variable changes
those colors.  For the available color names, @pxref{color_normal}.

The default is @samp{black/light-gray}.


@node color_normal
@subsection color_normal

This variable contains the ``normal'' foreground and background terminal
colors, separated by a slash (@samp{/}).  Setting this variable changes
those colors.  Each color must be a name from the following list:

@itemize @bullet
@item black
@item blue
@item green
@item cyan
@item red
@item magenta
@item brown
@item light-gray
@item dark-gray
@item light-blue
@item light-green
@item light-cyan
@item light-red
@item light-magenta
@item yellow
@item white
@end itemize

The default is @samp{light-gray/black}.

The color support support varies from terminal to terminal.

@samp{morse} has no color support at all.

@samp{mda_text} color support is limited to highlighting by
black/white reversal.

@samp{console} on ARC, EMU and IEEE1275, @samp{serial_*} and
@samp{spkmodem} are governed by terminfo and support
only 8 colors if in modes @samp{vt100-color} (default for console on emu),
@samp{arc} (default for console on ARC), @samp{ieee1275} (default
for console on IEEE1275). When in mode @samp{vt100}
then the color support is limited to highlighting by black/white
reversal. When in mode @samp{dumb} there is no color support.

When console supports no colors this setting is ignored.
When console supports 8 colors, then the colors from the
second half of the previous list are mapped to the
matching colors of first half.

@samp{console} on EFI and BIOS and @samp{vga_text} support all 16 colors.

@samp{gfxterm} supports all 16 colors and would be theoretically extendable
to support whole rgb24 palette but currently there is no compelling reason
to go beyond the current 16 colors.


@node config_directory
@subsection config_directory

This variable is automatically set by GRUB to the directory part of
current configuration file name (@pxref{config_file}).


@node config_file
@subsection config_file

This variable is automatically set by GRUB to the name of configuration file that is being
processed by commands @command{configfile} (@pxref{configfile}) or @command{normal}
(@pxref{normal}).  It is restored to the previous value when command completes.


@node cryptodisk_passphrase_tries
@subsection cryptodisk_passphrase_tries

When prompting the user for a cryptodisk passphrase, allow this many attempts
before giving up. Defaults to @samp{3} if unset or set to an invalid value.
(The user can give up early by entering an empty passphrase.)


@node debug
@subsection debug

This variable may be set to enable debugging output from various components
of GRUB. The value is an ordered list of debug facility names separated by
whitespace or @samp{,}. If the special facility named @samp{all} is present
then debugging output of all facility names is enabled at the start of
processing the value of this variable. A facility's debug output can then be
disabled by prefixing its name with a @samp{-}. The last occurence facility
name with or without a leading @samp{-} takes precendent over any previous
occurence. This allows the easy enabling or disabling of facilities by
appending a @samp{,} and then the facility name with or without the leading
@samp{-}, which will preserve the state of the rest of the facilities.
The facility names are the first argument to grub_dprintf. Consult the
source for more details.


@node default
@subsection default

If this variable is set, it identifies a menu entry that should be
selected by default, possibly after a timeout (@pxref{timeout}).  The
entry may be identified by number (starting from 0 at each level of
the hierarchy), by title, or by id.

For example, if you have:

@verbatim
menuentry 'Example GNU/Linux distribution' --class gnu-linux --id example-gnu-linux {
	...
}
@end verbatim

then you can make this the default using:

@example
default=example-gnu-linux
@end example

If the entry is in a submenu, then it must be identified using the
number, title, or id of each of the submenus starting from the top
level, followed by the number, title, or id of the menu entry itself,
with each element separated by @samp{>}.  For example, take the
following menu structure:

@example
GNU/Hurd --id gnu-hurd
  Standard Boot --id=gnu-hurd-std
  Rescue shell --id=gnu-hurd-rescue
Other platforms --id=other
  Minix --id=minix
    Version 3.4.0 --id=minix-3.4.0
    Version 3.3.0 --id=minix-3.3.0
  GRUB Invaders --id=grub-invaders
@end example

The more recent release of Minix would then be identified as
@samp{Other platforms>Minix>Version 3.4.0}, or as @samp{1>0>0}, or as
@samp{other>minix>minix-3.4.0}.

This variable is often set by @samp{GRUB_DEFAULT} (@pxref{Simple
configuration}), @command{grub-set-default}, or @command{grub-reboot}.


@node fallback
@subsection fallback

If this variable is set, it identifies a menu entry that should be selected
if the default menu entry fails to boot.  Entries are identified in the same
way as for @samp{default} (@pxref{default}).


@node gfxmode
@subsection gfxmode

If this variable is set, it sets the resolution used on the @samp{gfxterm}
graphical terminal.  Note that you can only use modes which your graphics
card supports via VESA BIOS Extensions (VBE), so for example native LCD
panel resolutions may not be available.  The default is @samp{auto}, which
selects a platform-specific default that should look reasonable. Supported
modes can be listed by @samp{videoinfo} command in GRUB.

The resolution may be specified as a sequence of one or more modes,
separated by commas (@samp{,}) or semicolons (@samp{;}); each will be tried
in turn until one is found.  Each mode should be either @samp{auto},
@samp{@var{width}x@var{height}}, or
@samp{@var{width}x@var{height}x@var{depth}}.


@node gfxpayload
@subsection gfxpayload

If this variable is set, it controls the video mode in which the Linux
kernel starts up, replacing the @samp{vga=} boot option (@pxref{linux}).  It
may be set to @samp{text} to force the Linux kernel to boot in normal text
mode, @samp{keep} to preserve the graphics mode set using @samp{gfxmode}, or
any of the permitted values for @samp{gfxmode} to set a particular graphics
mode (@pxref{gfxmode}).

Depending on your kernel, your distribution, your graphics card, and the
phase of the moon, note that using this option may cause GNU/Linux to suffer
from various display problems, particularly during the early part of the
boot sequence.  If you have problems, set this variable to @samp{text} and
GRUB will tell Linux to boot in normal text mode.

The default is platform-specific.  On platforms with a native text mode
(such as PC BIOS platforms), the default is @samp{text}.  Otherwise the
default may be @samp{auto} or a specific video mode.

This variable is often set by @samp{GRUB_GFXPAYLOAD_LINUX} (@pxref{Simple
configuration}).


@node gfxterm_font
@subsection gfxterm_font

If this variable is set, it names a font to use for text on the
@samp{gfxterm} graphical terminal.  Otherwise, @samp{gfxterm} may use any
available font.


@node grub_cpu
@subsection grub_cpu

In normal mode (@pxref{normal}), GRUB sets the @samp{grub_cpu} variable to
the CPU type for which GRUB was built (e.g. @samp{i386} or @samp{powerpc}).


@node grub_platform
@subsection grub_platform

In normal mode (@pxref{normal}), GRUB sets the @samp{grub_platform} variable
to the platform for which GRUB was built (e.g. @samp{pc} or @samp{efi}).


@node icondir
@subsection icondir

If this variable is set, it names a directory in which the GRUB graphical
menu should look for icons after looking in the theme's @samp{icons}
directory.  @xref{Theme file format}.


@node lang
@subsection lang

If this variable is set, it names the language code that the
@command{gettext} command (@pxref{gettext}) uses to translate strings.  For
example, French would be named as @samp{fr}, and Simplified Chinese as
@samp{zh_CN}.

@command{grub-mkconfig} (@pxref{Simple configuration}) will try to set a
reasonable default for this variable based on the system locale.


@node locale_dir
@subsection locale_dir

If this variable is set, it names the directory where translation files may
be found (@pxref{gettext}), usually @file{/boot/grub/locale}.  Otherwise,
internationalization is disabled.

@command{grub-mkconfig} (@pxref{Simple configuration}) will set a reasonable
default for this variable if internationalization is needed and any
translation files are available.


@node lockdown
@subsection lockdown

If this variable is set to @samp{y}, it means that GRUB has entered
@pxref{Lockdown} mode.


@node menu_color_highlight
@subsection menu_color_highlight

This variable contains the foreground and background colors to be used for
the highlighted menu entry, separated by a slash (@samp{/}).  Setting this
variable changes those colors.  For the available color names,
@pxref{color_normal}.

The default is the value of @samp{color_highlight}
(@pxref{color_highlight}).


@node menu_color_normal
@subsection menu_color_normal

This variable contains the foreground and background colors to be used for
non-highlighted menu entries, separated by a slash (@samp{/}).  Setting this
variable changes those colors.  For the available color names,
@pxref{color_normal}.

The default is the value of @samp{color_normal} (@pxref{color_normal}).


@node net_@var{<interface>}_boot_file
@subsection net_@var{<interface>}_boot_file

@xref{Network}.


@node net_@var{<interface>}_clientid
@subsection net_@var{<interface>}_clientid

@xref{Network}.


@node net_@var{<interface>}_clientuuid
@subsection net_@var{<interface>}_clientuuid

@xref{Network}.


@node net_@var{<interface>}_dhcp_server_name
@subsection net_@var{<interface>}_dhcp_server_name

@xref{Network}.


@node net_@var{<interface>}_domain
@subsection net_@var{<interface>}_domain

@xref{Network}.


@node net_@var{<interface>}_extensionspath
@subsection net_@var{<interface>}_extensionspath

@xref{Network}.


@node net_@var{<interface>}_hostname
@subsection net_@var{<interface>}_hostname

@xref{Network}.


@node net_@var{<interface>}_ip
@subsection net_@var{<interface>}_ip

@xref{Network}.


@node net_@var{<interface>}_mac
@subsection net_@var{<interface>}_mac

@xref{Network}.


@node net_@var{<interface>}_next_server
@subsection net_@var{<interface>}_next_server

@xref{Network}.


@node net_@var{<interface>}_rootpath
@subsection net_@var{<interface>}_rootpath

@xref{Network}.


@node net_default_interface
@subsection net_default_interface

@xref{Network}.


@node net_default_ip
@subsection net_default_ip

@xref{Network}.


@node net_default_mac
@subsection net_default_mac

@xref{Network}.


@node net_default_server
@subsection net_default_server

@xref{Network}.


@node pager
@subsection pager

If set to @samp{1}, pause output after each screenful and wait for keyboard
input.  The default is not to pause output.


@node prefix
@subsection prefix

The location of the @samp{/boot/grub} directory as an absolute file name
(@pxref{File name syntax}).  This is normally set by GRUB at startup based
on information provided by @command{grub-install}.  GRUB modules are
dynamically loaded from this directory, so it must be set correctly in order
for many parts of GRUB to work.


@node pxe_default_server
@subsection pxe_default_server

@xref{Network}.


@node root
@subsection root

The root device name (@pxref{Device syntax}).  Any file names that do not
specify an explicit device name are read from this device.  The default is
normally set by GRUB at startup based on the value of @samp{prefix}
(@pxref{prefix}).

For example, if GRUB was installed to the first partition of the first hard
disk, then @samp{prefix} might be set to @samp{(hd0,msdos1)/boot/grub} and
@samp{root} to @samp{hd0,msdos1}.


@node shim_lock
@subsection shim_lock

If this variable is set to @samp{y}, it means that the shim_lock verifier
is registered (see @pxref{UEFI secure boot and shim}).


@node superusers
@subsection superusers

This variable may be set to a list of superuser names to enable
authentication support.  @xref{Security}.


@node theme
@subsection theme

This variable may be set to a directory containing a GRUB graphical menu
theme.  @xref{Theme file format}.

This variable is often set by @samp{GRUB_THEME} (@pxref{Simple
configuration}).


@node timeout
@subsection timeout

If this variable is set, it specifies the time in seconds to wait for
keyboard input before booting the default menu entry.  A timeout of @samp{0}
means to boot the default entry immediately without displaying the menu; a
timeout of @samp{-1} (or unset) means to wait indefinitely.

If @samp{timeout_style} (@pxref{timeout_style}) is set to @samp{countdown}
or @samp{hidden}, the timeout is instead counted before the menu is
displayed.

This variable is often set by @samp{GRUB_TIMEOUT} (@pxref{Simple
configuration}).


@node timeout_style
@subsection timeout_style

This variable may be set to @samp{menu}, @samp{countdown}, or @samp{hidden}
to control the way in which the timeout (@pxref{timeout}) interacts with
displaying the menu.  See the documentation of @samp{GRUB_TIMEOUT_STYLE}
(@pxref{Simple configuration}) for details.


@node tpm_fail_fatal
@subsection tpm_fail_fatal

If this variable is set and true (i.e., not set to ``0'', ``false'',
``disable'', or ``no''), TPM measurements that fail will be treated as
fatal. Otherwise, they will merely be debug-logged and boot will
continue.

Call to EFI firmware, like hash_log_extend_event(), can return an unknown
error, i.e. due to bug present in firmware. When this variable is set and
true (same values as with TPM measurements) this situation will be considered
to be fatal and error-logged as ``unknown TPM error''. If not set, booting
the OS will be enabled.

@node Environment block
@section The GRUB environment block

It is often useful to be able to remember a small amount of information from
one boot to the next.  For example, you might want to set the default menu
entry based on what was selected the last time.  GRUB deliberately does not
implement support for writing files in order to minimise the possibility of
the boot loader being responsible for file system corruption, so a GRUB
configuration file cannot just create a file in the ordinary way.  However,
GRUB provides an ``environment block'' which can be used to save a small
amount of state.

The environment block is a preallocated 1024-byte file, which normally lives
in @file{/boot/grub/grubenv} (although you should not assume this).  At boot
time, the @command{load_env} command (@pxref{load_env}) loads environment
variables from it, and the @command{save_env} (@pxref{save_env}) command
saves environment variables to it.  From a running system, the
@command{grub-editenv} utility can be used to edit the environment block.

For safety reasons, this storage is only available when installed on a plain
disk (no LVM or RAID), using a non-checksumming filesystem (no ZFS), and
using BIOS or EFI functions (no ATA, USB or IEEE1275).

On Btrfs filesystems, a reserved area in the filesystem header may be used to
store the environment block. This static block avoids the problems of updating
a normal file on a copy-on-write filesystem, where writing raw block is not
stable and requires metadata update. The reserved area provides a fixed
location that GRUB can update directly, allowing commands such as
@command{grub-reboot} and @samp{GRUB_SAVEDEFAULT} to function correctly on
Btrfs volumes.

@command{grub-mkconfig} uses this facility to implement
@samp{GRUB_SAVEDEFAULT} (@pxref{Simple configuration}).


@node Special environment block variables
@section Special environment block variables

These special variables are usually written to the environment block
(@pxref{Environment block}) to customize the behavior of @file{grub.cfg}
generated by @command{grub-mkconfig}.

@menu
* saved_entry::
* next_entry::
* env_block::
@end menu


@node saved_entry
@subsection saved_entry

The @var{saved_entry} variable sets the default boot entry in @file{grub.cfg}
created by @command{grub-mkconfig}. It can be set with
@command{grub-set-default} to choose a default entry, or at runtime with the
@code{savedefault} function in grub.cfg to save the current entry as the new
default. This may require write access by GRUB.


@node next_entry
@subsection next_entry

The @var{next_entry} variable sets the boot entry for the next boot only. After
it is used, GRUB clears the value so it is not reused. This requires write
access to the environment block (@pxref{Environment block}) at runtime. The
@command{grub-reboot} command is usually used instead of changing this variable
directly.


@node env_block
@subsection env_block

If the filesystem is Btrfs and the disk is not an abstracted device such as
LVM, RAID, or encryption, the reserved space in the Btrfs header can be used as
the environment block (@pxref{Environment block}). This provides a fixed raw
block that GRUB can reliably write to. The @var{env_block} records this
location in GRUB blocklist syntax (@pxref{Block list syntax}) so that
@command{grub-editenv} and @file{grub.cfg} know how to access and use the
external raw block.

This variable is initialized when @file{grubenv} is first created by
@command{grub-editenv} and is treated as read-only to avoid being overwritten
with an unpredictable value.


@node Passing environment variables through Xen
@section Passing environment variables through Xen

If you are using a GRUB image as the kernel for a PV or PVH Xen virtual
machine, you can pass environment variables from Xen's dom0 to the VM through
the Xen-provided kernel command line. When combined with a properly configured
guest, this can be used to customize the guest's behavior on bootup via the
VM's Xen configuration file.

GRUB will parse the kernel command line passed to it by Xen during bootup.
The command line will be split into space-delimited words. Single and
double quotes may be used to quote words or portions of words that contain
spaces. Single quotes will be considered part of a word if inside double
quotes, and vice versa. Arbitrary characters may be backslash-escaped to make
them a literal component of a word rather than being parsed as quotes or word
separators. The command line must consist entirely of printable 7-bit ASCII
characters and spaces. If a non-printing ASCII character is found anywhere in
the command line, the entire command line will be ignored by GRUB. (This
splitter algorithm is meant to behave somewhat like Bash's word splitting.)

Each word should be a variable assignment in the format ``variable'' or
``variable=value''. Variable names must contain only the characters A-Z, a-z,
and underscore (``_''). Variable names must begin with the string
``xen_grub_env_''. Variable values can contain arbitrary printable 7-bit
ASCII characters and space. If any variable contains an illegal name, that
variable will be ignored.

If a variable name and value are both specified, the variable will be set to
the specified value. If only a variable name is specified, the variable's
value will be set to ``1''.

The following is a simple example of how to use this functionality to append
arbitrary variables to a guest's kernel command line:

@example
# In the Xen configuration file for the guest
name = "linux_vm"
type = "pvh"
kernel = "/path/to/grub-i386-xen_pvh.bin"
extra = "xen_grub_env_linux_append='loglevel=3'"
memory = 1024
disk = [ "file:/srv/vms/linux_vm.img,sda,w" ]

# In the guest's GRUB configuration file
menuentry "Linux VM with dom0-specified kernel parameters" @{
    search --set=root --label linux_vm --hint hd0,msdos1
    linux /boot/vmlinuz root=LABEL=linux_vm $@{xen_grub_env_linux_append@}
    initrd /boot/initrd.img
@}
@end example

@node Modules
@chapter Modules

In this chapter, we list all modules that are available in GRUB.

Modules can be loaded via the @command{insmod} (@pxref{insmod}) command.

@menu
* acpi_module::
* adler32_module::
* affs_module::
* afs_module::
* afsplitter_module::
* ahci_module::
* all_video_module::
* aout_module::
* appleldr_module::
* archelp_module::
* argon2_module::
* argon2_test_module::
* at_keyboard_module::
* ata_module::
* backtrace_module::
* bfs_module::
* biosdisk_module::
* bitmap_module::
* bitmap_scale_module::
* bli_module::
* blocklist_module::
* boot_module::
* boottime_module::
* bsd_module::
* bswap_test_module::
* btrfs_module::
* bufio_module::
* cacheinfo_module::
* cat_module::
* cbfs_module::
* cbls_module::
* cbmemc_module::
* cbtable_module::
* cbtime_module::
* chain_module::
* cmdline_cat_test_module::
* cmosdump_module::
* cmostest_module::
* cmp_module::
* cmp_test_module::
* configfile_module::
* cpio_module::
* cpio_be_module::
* cpuid_module::
* crc64_module::
* crypto_cipher_mode_test_module::
* crypto_module::
* cryptodisk_module::
* cs5536_module::
* ctz_test_module::
* date_module::
* datehook_module::
* datetime_module::
* disk_module::
* diskfilter_module::
* div_module::
* div_test_module::
* dm_nv_module::
* drivemap_module::
* dsa_sexp_test_module::
* echo_module::
* efi_gop_module::
* efi_uga_module::
* efiemu_module::
* efifwsetup_module::
* efinet_module::
* efitextmode_module::
* ehci_module::
* elf_module::
* emunet_module::
* emupci_module::
* erofs_module::
* escc_module::
* eval_module::
* exfat_module::
* exfctest_module::
* ext2_module::
* extcmd_module::
* f2fs_module::
* fat_module::
* fdt_module::
* file_module::
* fixvideo_module::
* font_module::
* freedos_module::
* fshelp_module::
* functional_test_module::
* gcry_arcfour_module::
* gcry_aria_module::
* gcry_blake2_module::
* gcry_blowfish_module::
* gcry_camellia_module::
* gcry_cast5_module::
* gcry_crc_module::
* gcry_des_module::
* gcry_dsa_module::
* gcry_gost28147_module::
* gcry_gostr3411_94_module::
* gcry_idea_module::
* gcry_keccak_module::
* gcry_md4_module::
* gcry_md5_module::
* gcry_rfc2268_module::
* gcry_rijndael_module::
* gcry_rmd160_module::
* gcry_rsa_module::
* gcry_salsa20_module::
* gcry_seed_module::
* gcry_serpent_module::
* gcry_sha1_module::
* gcry_sha256_module::
* gcry_sha512_module::
* gcry_sm3_module::
* gcry_sm4_module::
* gcry_stribog_module::
* gcry_tiger_module::
* gcry_twofish_module::
* gcry_whirlpool_module::
* gdb_module::
* geli_module::
* gettext_module::
* gfxmenu_module::
* gfxterm_module::
* gfxterm_background_module::
* gfxterm_menu_module::
* gptsync_module::
* gzio_module::
* halt_module::
* hashsum_module::
* hdparm_module::
* hello_module::
* help_module::
* hexdump_module::
* hfs_module::
* hfsplus_module::
* hfspluscomp_module::
* http_module::
* ieee1275_fb_module::
* iorw_module::
* iso9660_module::
* jfs_module::
* jpeg_module::
* json_module::
* keylayouts_module::
* keystatus_module::
* ldm_module::
* legacy_password_test_module::
* legacycfg_module::
* linux_module::
* linux16_module::
* loadbios_module::
* loadenv_module::
* loopback_module::
* ls_module::
* lsacpi_module::
* lsapm_module::
* lsdev_module::
* lsefi_module::
* lsefimmap_module::
* lsefisystab_module::
* lsmmap_module::
* lspci_module::
* lssal_module::
* lsspd_module::
* lsxen_module::
* luks_module::
* luks2_module::
* lvm_module::
* lzopio_module::
* macbless_module::
* macho_module::
* mda_text_module::
* mdraid09_module::
* mdraid09_be_module::
* mdraid1x_module::
* memdisk_module::
* memrw_module::
* memtools_module::
* minicmd_module::
* minix_module::
* minix2_module::
* minix2_be_module::
* minix3_module::
* minix3_be_module::
* minix_be_module::
* mmap_module::
* morse_module::
* mpi_module::
* msdospart_module::
* mul_test_module::
* multiboot_module::
* multiboot2_module::
* nand_module::
* nativedisk_module::
* net_module::
* newc_module::
* nilfs2_module::
* normal_module::
* ntfs_module::
* ntfscomp_module::
* ntldr_module::
* odc_module::
* offsetio_module::
* ofnet_module::
* ohci_module::
* part_acorn_module::
* part_amiga_module::
* part_apple_module::
* part_bsd_module::
* part_dfly_module::
* part_dvh_module::
* part_gpt_module::
* part_msdos_module::
* part_plan_module::
* part_sun_module::
* part_sunpc_module::
* parttool_module::
* password_module::
* password_pbkdf2_module::
* pata_module::
* pbkdf2_module::
* pbkdf2_test_module::
* pci_module::
* pcidump_module::
* pgp_module::
* plainmount_module::
* plan9_module::
* play_module::
* png_module::
* priority_queue_module::
* probe_module::
* procfs_module::
* progress_module::
* pubkey_module::
* pxe_module::
* pxechain_module::
* raid5rec_module::
* raid6rec_module::
* random_module::
* rdmsr_module::
* read_module::
* reboot_module::
* regexp_module::
* reiserfs_module::
* relocator_module::
* romfs_module::
* rsa_sexp_test_module::
* scsi_module::
* sdl_module::
* search_module::
* search_fs_file_module::
* search_fs_uuid_module::
* search_label_module::
* sendkey_module::
* serial_module::
* setjmp_module::
* setjmp_test_module::
* setpci_module::
* sfs_module::
* shift_test_module::
* signature_test_module::
* sleep_module::
* sleep_test_module::
* smbios_module::
* spkmodem_module::
* squash4_module::
* strtoull_test_module::
* suspend_module::
* syslinuxcfg_module::
* tar_module::
* terminal_module::
* terminfo_module::
* test_module::
* test_blockarg_module::
* testload_module::
* testspeed_module::
* tftp_module::
* tga_module::
* time_module::
* tpm_module::
* tr_module::
* trig_module::
* true_module::
* truecrypt_module::
* ubootnet_module::
* udf_module::
* ufs1_module::
* ufs1_be_module::
* ufs2_module::
* uhci_module::
* usb_module::
* usb_keyboard_module::
* usbms_module::
* usbserial_common_module::
* usbserial_ftdi_module::
* usbserial_pl2303_module::
* usbserial_usbdebug_module::
* usbtest_module::
* vbe_module::
* verifiers_module::
* vga_module::
* vga_text_module::
* video_module::
* video_bochs_module::
* video_cirrus_module::
* video_colors_module::
* video_fb_module::
* videoinfo_module::
* videotest_module::
* videotest_checksum_module::
* wrmsr_module::
* xen_boot_module::
* xfs_module::
* xnu_module::
* xnu_uuid_module::
* xnu_uuid_test_module::
* xzio_module::
* zfs_module::
* zfscrypt_module::
* zfsinfo_module::
* zstd_module::

@end menu

@node acpi_module
@section acpi
This module provides the command @command{acpi} for loading / replacing Advanced
Configuration and Power Interface (ACPI) tables. Please @pxref{acpi} for more
information.

@node adler32_module
@section adler32
This module provides the library implementation for the adler32 checksum.
This is used as part of LZO decompression / compression.

@node affs_module
@section affs
This module provides support for the Amiga Fast FileSystem (AFFS).
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node afs_module
@section afs
This module provides support for the AtheOS File System (AFS).
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node afsplitter_module
@section afsplitter
This module provides library support for the Anti forensic information splitter
(AFS) operation @code{AF_merge}. This is used by LUKS and LUKS2.

@node ahci_module
@section ahci
This module provides support for the Advanced Host Controller Interface protocol
to access disks supporting this standard. AHCI is often an option for Serial
ATA (SATA) controllers  (meant to replace the older IDE protocol).

@node all_video_module
@section all_video
This is a "dummy module" with no actual function except to load all other video
modules as dependencies (a convenient way to load all video modules).

@node aout_module
@section aout
This module provides support for loading files packaged in the "a.out" format.
The "a.out" format is considered to be an older format than some alternatives
such as "ELF", for example support for the "a.out" format was removed from the
Linux kernel in 5.18.

@node appleldr_module
@section appleldr
This module provides support for loading files on a BIOS / EFI based Apple Mac
computer (Intel based Macs).

@node archelp_module
@section archelp
This module provides Archive Helper functions for archive based file systems
such as TAR and CPIO archives.

@node argon2_module
@section argon2
This module provides support for the Argon2 key derivation function.

@node argon2_test_module
@section argon2_test
This module is intended for performing a functional test of the Argon2
operation in GRUB.

@node at_keyboard_module
@section at_keyboard
This module provides support for the AT keyboard input for the GRUB terminal.

@node ata_module
@section ata
This modules provides support for direct ATA and ATAPI access to compatible
disks.

@node backtrace_module
@section backtrace
This module provides the command @command{backtrace} for printing a backtrace
to the terminal for the current call stack.

@node bfs_module
@section bfs
This module provides support for the BeOS "Be File System" (BFS).
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node biosdisk_module
@section biosdisk
This module provides support for booting from a bootable removable disk such
as a CD-ROM, BD-ROM, etc.

@node bitmap_module
@section bitmap
This module provides support for reading and interacting with bitmap image
files.

@node bitmap_scale_module
@section bitmap_scale
This module provides support for scaling bitmap image files.

@node bli_module
@section bli
This module provides basic support for the Boot Loader Interface. The Boot
Loader Interface specifies a set of EFI variables that are used to communicate
boot-time information between the bootloader and the operating system.

The following variables are placed under the vendor UUID
@code{4a67b082-0a4c-41cf-b6c7-440b29bb8c4f} when the module is loaded:

The GPT partition UUID of the EFI System Partition used during boot is
published via the @code{LoaderDevicePartUUID} variable. The Boot Loader
Interface specification requires GPT formatted drives. The bli module
ignores drives/partitions in any other format. If GRUB is loaded from
a non-GPT partition, e.g. from an MSDOS formatted drive or network,
this variable will not be set.

A string identifying GRUB as the active bootloader including the version
number is stored in @code{LoaderInfo}.

This module is only available on UEFI platforms.

@node blocklist_module
@section blocklist
This module provides support for the command @command{blocklist} to list
blocks for a given file. Please @pxref{blocklist} for more information.

@node boot_module
@section boot
This module provides support for the command @command{boot} to boot an
operating system. Please @pxref{boot} for more information.

@node boottime_module
@section boottime
This module provides support for the command @command{boottime} to display
time taken to perform various GRUB operations. This module is only available
when GRUB is built with the conditional compile option @code{BOOT_TIME_STATS}.

@node bsd_module
@section bsd
This module provides support for loading BSD operating system images via
commands such as: @command{kfreebsd_loadenv}, @command{kfreebsd_module_elf},
@command{kfreebsd_module}, @command{kfreebsd}, @command{knetbsd_module_elf},
@command{knetbsd_module}, @command{knetbsd}, @command{kopenbsd}, and
@command{kopenbsd_ramdisk}. Please @pxref{Loader commands} for more info.

@node bswap_test_module
@section bswap_test
This module is intended for performing a functional test of the byte swapping
functionality of GRUB.

@node btrfs_module
@section btrfs
This module provides support for the B-Tree File System (BTRFS).

@node bufio_module
@section bufio
This module is a library module for support buffered I/O of files to support
file reads performed in other modules.

@node cacheinfo_module
@section cacheinfo
This module provides support for the command @command{cacheinfo} which provides
statistics on disk cache accesses. This module is only built if
@code{DISK_CACHE_STATS} is enabled.

@node cat_module
@section cat
This module provides support for the command @command{cat} which outputs the
content of a file to the terminal. Please @pxref{cat} for more info.

@node cbfs_module
@section cbfs
This module provides support for the Coreboot File System (CBFS) which is an
archive based file system.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node cbls_module
@section cbls
This module provides support for the command @command{lscoreboot} to list the
Coreboot tables.

@node cbmemc_module
@section cbmemc
This module provides support for the command @command{cbmemc} to show the
content of the Coreboot Memory console.

@node cbtable_module
@section cbtable
This module provides support for accessing the Coreboot tables.

@node cbtime_module
@section cbtime
This module provides support for the command @command{coreboot_boottime} to show
the Coreboot boot time statistics.

@node chain_module
@section chain
This module provides support for the command @command{chainloader} to boot
another bootloader. Please @pxref{chainloader} for more information.

@node cmdline_cat_test_module
@section cmdline_cat_test
This module is intended for performing a functional test of the @command{cat}
command of GRUB.

@node cmosdump_module
@section cmosdump
This module provides support for the command @command{cmosdump} to show a raw
dump of the CMOS contents. Please @pxref{cmosdump} for more information.

@node cmostest_module
@section cmostest
This module provides support for the commands @command{cmostest},
@command{cmosclean}, and @command{cmosset} to interact with a CMOS.
@xref{cmostest} / @pxref{cmosclean} for more information.

@node cmp_module
@section cmp
This module provides support for the command @command{cmp} to compare the
content of two files. @xref{cmp} for more information.

@node cmp_test_module
@section cmp_test
This module is intended for performing a functional test of relational
operations in GRUB. Note that this module is *not* associated with the
@command{cmp} command and does not test the @command{cmp} command.

@node configfile_module
@section configfile
This module provides support for the commands: @command{configfile},
@command{source}, @command{extract_entries_source},
@command{extract_entries_configfile}, @command{.} (dot command).
@xref{configfile} / @pxref{source}.

@node cpio_module
@section cpio
This module provides support for the CPIO archive file format. This module is
for the "bin" version of CPIO (default of GNU CPIO) supporting around 2GB.

@node cpio_be_module
@section cpio_be
This module provides support for the CPIO archive file format in big-endian
format. This module is for the "bin" version of CPIO (default of GNU CPIO)
supporting around 2GB.

@node cpuid_module
@section cpuid
This module provides support for the command @command{cpuid} to test for
various CPU features. @xref{cpuid} for more information.

@node crc64_module
@section crc64
This module provides support for the CRC64 operation.

@node crypto_cipher_mode_test_module
@section crypto_cipher_mode_test
This module performs various cipher mode encryption/decryption tests

@node crypto_module
@section crypto
This module provides library support for various base cryptography operations
in GRUB.

@node cryptodisk_module
@section cryptodisk
This module provides support for the command @command{cryptomount} to interact
with encrypted file systems. @xref{cryptomount} for more information.

@node cs5536_module
@section cs5536
This module provides support for the AMD Geode CS5536 companion device.

@node ctz_test_module
@section ctz_test
This module is intended for performing a functional test of the ctz functions
in GRUB used to Count Trailing Zeros.

@node date_module
@section date
This module provides support for the command @command{date} to get the date/time
or set the date/time. @xref{date} for more information.

@node datehook_module
@section datehook
This module provides support for populating / providing the environment
variables @code{YEAR}, @code{MONTH}, @code{DAY}, @code{HOUR}, @code{MINUTE},
@code{SECOND}, @code{WEEKDAY}.

@node datetime_module
@section datetime
This module provides library support for getting and setting the date / time
from / to a hardware clock device.

@node disk_module
@section disk
This module provides library support for writing to a storage disk.

@node diskfilter_module
@section diskfilter
This module provides library support for reading a disk RAID array.
It also provides support for the command @command{cryptocheck}.
@xref{cryptocheck} for more information.

@node div_module
@section div
This module provides library support for some operations such as divmod.

@node div_test_module
@section div_test
This module is intended for performing a functional test of the divmod function
in GRUB.

@node dm_nv_module
@section dm_nv
This module provides support for handling some Nvidia "fakeraid" disk devices.

@node drivemap_module
@section drivemap
This module provides support for the @command{drivemap} to manage BIOS drive
mappings. @xref{drivemap} for more information.

@node dsa_sexp_test_module
@section dsa_sexp_test
This module provides a test of the libgcrypt DSA functionality in GRUB.

@node echo_module
@section echo
This module provides support for the @command{echo} to display a line of text.
@xref{echo} for more information.

@node efi_gop_module
@section efi_gop
This module provides support for the UEFI video output protocol "Graphics
Output Protocol" (GOP).

@node efi_uga_module
@section efi_uga
This module provides support for the EFI video protocol "Universal Graphic
Adapter" (UGA).

@node efiemu_module
@section efiemu
This module provides support for the commands @command{efiemu_loadcore},
@command{efiemu_prepare}, and @command{efiemu_unload}. This provides an EFI
emulation.

@node efifwsetup_module
@section efifwsetup
This modules provides support for the command @command{fwsetup} to reboot into
the firmware setup menu. @xref{fwsetup} for more information.

@node efinet_module
@section efinet
This module provides support for UEFI Network Booting for loading images and
data from the network.

@node efitextmode_module
@section efitextmode
This module provides support for command @command{efitextmode} to get and set
output mode resolution. @xref{efitextmode} for more information.

@node ehci_module
@section ehci
This module provides support for the USB Enhanced Host Controller Interface
(EHCI) specification (USB 2.0).

@node elf_module
@section elf
This module provides support for loading Executable and Linkable Format (ELF)
files.

@node emunet_module
@section emunet
This module provides support for networking in GRUB on the emu platform.

@node emupci_module
@section emupci
This module provides support for accessing the PCI bus in GRUB on the emu
platform.

@node erofs_module
@section erofs
This module provides support for the Enhanced Read Only File System (EROFS).

@node escc_module
@section escc
This module provides support for the "mac-io" terminal device on PowerPC.

@node eval_module
@section eval
This module provides support for command @command{eval} to evaluate the provided
input as a sequence of GRUB commands. @xref{eval} for more information.

@node exfat_module
@section exfat
This module provides support for the Extensible File Allocation Table (exFAT)
file system in GRUB.

@node exfctest_module
@section exfctest
This module is intended to provide an Example Functional Test of GRUB functions
to use as a template for developing other GRUB functional tests.

@node ext2_module
@section ext2
This module provides support for the Extended File System versions 2, 3, and 4
(ext2, ext3, and ext4) file systems in GRUB.

@node extcmd_module
@section extcmd
This module is a support module to provide wrapper functions for registering
other module commands depending on the state of the lockdown variable.

@node f2fs_module
@section f2fs
This module provides support for the Flash-Friendly File System (F2FS) in GRUB.

@node fat_module
@section fat
This module provides support for the File Allocation Table 12-bit, 16-bit, and
32-bit (FAT12, FAT16, and FAT32) file systems in GRUB.

@node fdt_module
@section fdt
This module provides support for the commands @command{fdtdump} and
@command{devicetree} to dump the contents of a device tree blob (.dtb) to the
console and to load a device tree blob (.dtb) from a filesystem, for
later use by a Linux kernel, respectively. @xref{devicetree} and
@pxref{fdtdump} for more information.

@node file_module
@section file
This module provides support for the command @command{file} to test if the
provided filename is of the specified type. @xref{file} for more information.

@node fixvideo_module
@section fixvideo
This module provides support for the command @command{fix_video} to fix video
problems in specific PCIe video devices by "patching" specific device register
settings. Currently supports Intel 945GM (PCI ID @code{0x27a28086}) and Intel
965GM (PCI ID @code{0x2a028086}).

@node font_module
@section font
This module provides support for the commands @command{loadfont} and
@command{lsfonts} to load a given font or list the loaded fonts. @xref{loadfont}
and @pxref{lsfonts} for more information.

@node freedos_module
@section freedos
This module provides support for command @command{freedos} for loading a FreeDOS
kernel.

@node fshelp_module
@section fshelp
This module provides support functions (helper functions) for file systems.

@node functional_test_module
@section functional_test
This module provides support for running the GRUB functional tests using
commands @command{functional_test} and @command{all_functional_test}.

@node gcry_arcfour_module
@section gcry_arcfour
This module provides support for the arcfour stream cipher also known as RC4.
If security is a concern, RC4 / arcfour cipher is consider broken (multiple
known vulnerabilities make this insecure).
This GRUB module is based on libgcrypt.

@node gcry_aria_module
@section gcry_aria
This module provides support for the ARIA cipher.
This GRUB module is based on libgcrypt.

@node gcry_blake2_module
@section gcry_blake2
This module provides support for the BLAKE2b and BLAKE2s message digests.
This GRUB module is based on libgcrypt.

@node gcry_blowfish_module
@section gcry_blowfish
This module provides support for the Blowfish cipher.
This GRUB module is based on libgcrypt.

@node gcry_camellia_module
@section gcry_camellia
This module provides support for the Camellia cipher.
This GRUB module is based on libgcrypt.

@node gcry_cast5_module
@section gcry_cast5
This module provides support for the CAST5 (RFC2144, also known as CAST-128)
cipher. This GRUB module is based on libgcrypt.

@node gcry_crc_module
@section gcry_crc
This module provides support for the CRC32, CRC32 RFC1510, and CRC24 RFC2440
cyclic redundancy checks.
This GRUB module is based on libgcrypt.

@node gcry_des_module
@section gcry_des
This module provides support for the Data Encryption Standard (DES) and
Triple-DES ciphers.
If security is a concern, DES has known vulnerabilities and is not recommended,
and Triple-DES is no longer recommended by NIST.
This GRUB module is based on libgcrypt.

@node gcry_dsa_module
@section gcry_dsa
This module provides support for the Digital Signature Algorithm (DSA) cipher.
This GRUB module is based on libgcrypt.

@node gcry_gost28147_module
@section gcry_gost28147
This module provides support for the GOST 28147-89 cipher.
This GRUB module is based on libgcrypt.

@node gcry_gostr3411_94_module
@section gcry_gostr3411_94
This module provides support for the GOST R 34.11-94 message digest.
This GRUB module is based on libgcrypt.

@node gcry_idea_module
@section gcry_idea
This module provides support for the International Data Encryption Algorithm
(IDEA) cipher.
This GRUB module is based on libgcrypt.

@node gcry_keccak_module
@section gcry_keccak
This module provides support for the SHA3 hash message digests (including
SHAKE128 and SHAKE256).
This GRUB module is based on libgcrypt.

@node gcry_md4_module
@section gcry_md4
This module provides support for the Message Digest 4 (MD4) message digest.
If security is a concern, MD4 has known vulnerabilities and is not recommended.
This GRUB module is based on libgcrypt.

@node gcry_md5_module
@section gcry_md5
This module provides support for the Message Digest 5 (MD5) message digest.
If security is a concern, MD5 has known vulnerabilities and is not recommended.
This GRUB module is based on libgcrypt.

@node gcry_rfc2268_module
@section gcry_rfc2268
This module provides support for the RFC2268 (RC2 / Ron's Cipher 2) cipher.
If security is a concern, RC2 has known vulnerabilities and is not recommended.
This GRUB module is based on libgcrypt.

@node gcry_rijndael_module
@section gcry_rijndael
This module provides support for the Advanced Encryption Standard (AES-128,
AES-192, and AES-256) ciphers.
This GRUB module is based on libgcrypt.

@node gcry_rmd160_module
@section gcry_rmd160
This module provides support for the RIPEMD-160 message digest.
This GRUB module is based on libgcrypt.

@node gcry_rsa_module
@section gcry_rsa
This module provides support for the Rivest–Shamir–Adleman (RSA) cipher.
This GRUB module is based on libgcrypt.

@node gcry_salsa20_module
@section gcry_salsa20
This module provides support for the Salsa20 cipher.
This GRUB module is based on libgcrypt.

@node gcry_seed_module
@section gcry_seed
This module provides support for the SEED cipher.
This GRUB module is based on libgcrypt.

@node gcry_serpent_module
@section gcry_serpent
This module provides support for the Serpent (128, 192, and 256) ciphers.
This GRUB module is based on libgcrypt.

@node gcry_sha1_module
@section gcry_sha1
This module provides support for the Secure Hash Algorithm 1 (SHA-1) message
digest.
If security is a concern, SHA-1 has known vulnerabilities and is not
recommended.
This GRUB module is based on libgcrypt.

@node gcry_sha256_module
@section gcry_sha256
This module provides support for the Secure Hash Algorithm 2 (224 and 256 bit)
(SHA-224 / SHA-256) message digests.
This GRUB module is based on libgcrypt.

@node gcry_sha512_module
@section gcry_sha512
This module provides support for the Secure Hash Algorithm 2 (384 and 512 bit)
(SHA-384 / SHA-512) message digests.
This GRUB module is based on libgcrypt.

@node gcry_sm3_module
@section gcry_sm3
This module provides support for the SM3 message digest.
This GRUB module is based on libgcrypt.

@node gcry_sm4_module
@section gcry_sm4
This module provides support for the SM4 cipher.
This GRUB module is based on libgcrypt.

@node gcry_stribog_module
@section gcry_stribog
This module provides support for the GOST R 34.11-2012 (Stribog) message digest.
This GRUB module is based on libgcrypt.

@node gcry_tiger_module
@section gcry_tiger
This module provides support for the Tiger, Tiger 1, and Tiger 2 message
digests.
This GRUB module is based on libgcrypt.

@node gcry_twofish_module
@section gcry_twofish
This module provides support for the Twofish (128 and 256) ciphers.
This GRUB module is based on libgcrypt.

@node gcry_whirlpool_module
@section gcry_whirlpool
This module provides support for the Whirlpool message digest.
This GRUB module is based on libgcrypt.

@node gdb_module
@section gdb
This module provides support for remotely debugging GRUB using the GNU
Debugger (GDB) over serial. This is typically done when troubleshooting GRUB
during development and not required for normal GRUB operation. This module adds
support for commands required by the GDB remote debug function including
@command{gdbstub} to start GDB stub on given serial port,
@command{gdbstub_break} to break into GDB, @command{gdbstub_stop} to stop the
GDB stub.

@node geli_module
@section geli
This module provides support for the GEOM ELI (GELI) disk encryption /
decryption protocol used by FreeBSD. This module supports the following ciphers
using the associated "gcry" modules: DES, Triple-DES, Blowfish, CAST5, AES, and
Camellia 128.

@node gettext_module
@section gettext
This module provides support for the @command{gettext} command to support
translating information displayed / output by GRUB. @xref{gettext} for more
information.

@node gfxmenu_module
@section gfxmenu
This module provides support for displaying a graphical menu / user interface
from GRUB. This includes features such as graphical font support, theme support,
image support, and icon support.

@node gfxterm_module
@section gfxterm
This module provides support for displaying a terminal and menu interface from
GRUB using graphics mode.

@node gfxterm_background_module
@section gfxterm_background
This module provides support for setting the gfxterm background color and
background image using commands @command{background_color} and
@command{background_image}. @xref{background_color} and @pxref{background_image}
for more information.

@node gfxterm_menu_module
@section gfxterm_menu
This module is intended for performing a functional test of the gfxmenu function
in GRUB.

@node gptsync_module
@section gptsync
This module provides support for the @command{gptsync} command.. @xref{gptsync}
for more information.

@node gzio_module
@section gzio
This module provides support for decompression (inflate) of files compressed
with the GZ compression algorithm. This supports only the "DEFLATE" method for
GZIP. Unsupported flags (will result in failure to inflate) include:
@code{GRUB_GZ_CONTINUATION}, @code{GRUB_GZ_ENCRYPTED},
@code{GRUB_GZ_RESERVED}, and @code{GRUB_GZ_EXTRA_FIELD}.

@node halt_module
@section halt
This module provides support for the @command{halt} command to shutdown / halt
the system. @xref{halt} for more information.

@node hashsum_module
@section hashsum
This module provide support for the commands @command{hashsum},
@command{md5sum}, @command{sha1sum}, @command{sha256sum}, @command{sha512sum},
and @command{crc} to calculate or check hashes of files using various methods.
@xref{hashsum}, @pxref{md5sum} @pxref{sha1sum}, @pxref{sha256sum},
@pxref{sha512sum}, and @pxref{crc}.

@node hdparm_module
@section hdparm
This module provides support for the @command{hdparm} command to get or set
various ATA disk parameters. This includes controlling Advanced Power Management
(APM), displaying power mode, freezing ATA security settings until reset,
displaying SMART status, controlling automatic acoustic management, setting
standby timeout, setting the drive to standby mode, setting the drive to sleep
mode, displaying the drive identification and settings, and enable/disable
SMART.

@node hello_module
@section hello
This provides support for the @command{hello} command to simply output
"Hello World". This is intended for testing GRUB module loading / functionality.

@node help_module
@section help
This module provides support for the @command{help} command to output help
text. @xref{help} for more information.

@node hexdump_module
@section hexdump
This module provides support for the @command{hexdump} command to dump the
contents of a file in hexadecimal. @xref{hexdump} for more information.

@node hfs_module
@section hfs
This module provides support for the Hierarchical File System (HFS) file system
in GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node hfsplus_module
@section hfsplus
This module provides support for the Hierarchical File System Plus (HFS+) file
system in GRUB.

@node hfspluscomp_module
@section hfspluscomp
This module provides support for the Hierarchical File System Plus Compressed
(HFS+ Compressed) file system in GRUB.

@node http_module
@section http
This module provides support for getting data over the HTTP network protocol in
GRUB (using the HTTP GET method). This may be used, for example, to obtain
an operating system over HTTP (network boot).

@node ieee1275_fb_module
@section ieee1275_fb
This module provides support for the IEEE1275 video driver output for PowerPC
with a IEEE-1275 platform.

@node iorw_module
@section iorw
This module provides support for commands @command{inb}, @command{inw},
@command{inl}, @command{outb}, @command{outw}, and @command{outl} to read /
write data to physical I/O ports. The "in" commands accept one
parameter to specify the source port. The "out" commands require either two
or three parameters, with the order: port, value, <optional mask>.

@node iso9660_module
@section iso9660
This module provides support for the ISO9660 file system (often associated with
optical disks such as CD-ROMs and DVD-ROMs, with extensions:
System Use Sharing Protocol (SUSP), Rock Ridge (UNIX style permissions and
longer names)

@node jfs_module
@section jfs
This module provides support for the Journaled File System (JFS) file system.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node jpeg_module
@section jpeg
This module provides support for reading JPEG image files in GRUB, such as
to support displaying a JPEG image as a background image of the gfxmenu.

@node json_module
@section json
This module provides library support for parsing / processing JavaScript Object
Notation (JSON) formatted data. This is used, for example, to support LUKS2
disk encryption / decryption as metadata is encoded in JSON.

@node keylayouts_module
@section keylayouts
This module provides support for the @command{keymap} command. This command
accepts one parameter to specify either the @var{layout_name} or the
@var{filename}.
When specifying the @var{layout_name}, this command will attempt to open the
GRUB keymap file based on the following logic:

Get the "prefix" from environment variable @var{prefix}

Open keymap file @var{prefix}/layouts/@var{layout_name}.gkb

When specifying the @var{filename}, the full path to the ".gkb" file should be
provided. The ".gkb" file can be generated by grub-kbdcomp.

@node keystatus_module
@section keystatus
This module provides support for the @command{keystatus} command to check key
modifier status. @xref{keystatus} for more information.

@node ldm_module
@section ldm
This module provides support for the Logical Disk Manager (LDM) disk format.
LDM is used to add support for logical volumes most often with Microsoft
Windows systems. A logical volume can be defined to span more than one physical
disk.

@node legacy_password_test_module
@section legacy_password_test
This module is intended for performing a functional test of the legacy password
function in GRUB.

@node legacycfg_module
@section legacycfg
This module provides support for commands @command{legacy_source},
@command{legacy_configfile}, @command{extract_legacy_entries_source},
@command{extract_legacy_entries_configfile}, @command{legacy_kernel},
@command{legacy_initrd}, @command{legacy_initrd_nounzip},
@command{legacy_password}, and @command{legacy_check_password}. For new uses /
configurations of GRUB other commands / modules offer the modern equivalents.

@node linux_module
@section linux
This module provides support for the commands @command{linux} and
@command{initrd} to load Linux and an Initial RAM Disk respectively.
@xref{linux} and @pxref{initrd} for more information.

@node linux16_module
@section linux16
This module provides support for the commands @command{linux16} and
@command{initrd16} to load Linux in 16-bit mode and an Initial RAM Disk
in 16-bit mode respectively.
@xref{linux16} and @pxref{initrd16} for more information.

@node loadbios_module
@section loadbios
This module provides support for the commands @command{fakebios} and
@command{loadbios}. These commands may only be useful on platforms with
issues requiring work-arounds. Command @command{fakebios} is used to create
BIOS-like structures for backward compatibility with existing OS. Command
@command{loadbios} is used to load a BIOS dump.

@node loadenv_module
@section loadenv
This module provides support for commands @command{load_env},
@command{list_env}, and @command{save_env}. These commands can be used to
load environment variables from a file, list environment variables in a file,
and save environment variables to a file. @xref{load_env}, @pxref{list_env}, and
@pxref{save_env}.

@node loopback_module
@section loopback
This module provides support for the @command{loopback} command.
@xref{loopback} for more information.

@node ls_module
@section ls
This module provides support for the @command{ls} command.
@xref{ls} for more information.

@node lsacpi_module
@section lsacpi
This module provides support for the @command{lsacpi} command. This command
can be used to display Advanced Configuration and Power Interface (ACPI) tables.

@node lsapm_module
@section lsapm
This module provides support for the @command{lsapm} command. This command
can be used to display Advanced power management (APM) information.

@node lsdev_module
@section lsdev
This module provides support for the @command{lsdev} command. This command
can be used on MIPS Advanced RISC Computing (ARC) platforms to display devices.

@node lsefi_module
@section lsefi
This module provides support for the @command{lsefi} command. This command
can be used on EFI platforms to display EFI handles.

@node lsefimmap_module
@section lsefimmap
This module provides support for the @command{lsefimmap} command. This command
can be used on EFI platforms to display the EFI memory map.

@node lsefisystab_module
@section lsefisystab
This module provides support for the @command{lsefisystab} command. This
command can be used on EFI platforms to display the EFI system tables.

@node lsmmap_module
@section lsmmap
This module provides support for the @command{lsmmap} command. This
command can be used to display the memory map provided by firmware.

@node lspci_module
@section lspci
This module provides support for the @command{lspci} command. This
command can be used to display the PCI / PCIe devices.

@node lssal_module
@section lssal
This module provides support for the @command{lsefisystab} command. This
command can be used on Itanium (IA-64) EFI platforms to display the EFI
System Abstraction Layer system table.

@node lsspd_module
@section lsspd
This module provides support for the @command{lsspd} command. This
command can be used on MIPS Loongson platforms to display the DDR RAM Serial
Presence Detect (SPD) EEPROM data.

@node lsxen_module
@section lsxen
This module provides support for the commands @command{xen_ls} and
@command{xen_cat} on Xen platforms to list Xen storage.

@node luks_module
@section luks
This module provides support for the Linux Unified Key Setup (LUKS) (version 1)
disk encryption / decryption protocol.

@node luks2_module
@section luks2
This module provides support for the Linux Unified Key Setup 2 (LUKS2)
disk encryption / decryption protocol.

@node lvm_module
@section lvm
This module provides support for reading Logical Volume Management "logical"
disks. For example, a single "logical" disk may be mapped to span more than one
physical disk. This would be used when booting from a LVM formatted disk as may
be setup in Linux.

@node lzopio_module
@section lzopio
This module provides support for decompressing LZO / LZOP compressed files /
archives.

@node macbless_module
@section macbless
This module provides support for commands @command{mactelbless} and
@command{macppcbless} for "blessing" a bootloader on Intel / PPC based MACs
using the HFS or HFS+ file system. On HFS / HFS+ - "blessing" makes a file
run as the bootloader.

@node macho_module
@section macho
This module provides support for Mach Object (Mach-O) object / executable files
in GRUB often used in MacOS.

@node mda_text_module
@section mda_text
This module provides support for the Monochrome Display Adapter (MDA) terminal
output device. MDA is a predecessor to VGA.

@node mdraid09_module
@section mdraid09
This module provides support for handling Linux compatible "version 0.9"
software-based RAID disks in little-endian format. The "version 0.9" format
was largely replaced around the year 2009 with the "version 1.x" format
(@pxref{mdraid1x_module} for more information).

@node mdraid09_be_module
@section mdraid09_be
This module provides support for handling Linux compatible "version 0.9"
software-based RAID disks in bid-endian format. The "version 0.9" format
was largely replaced around the year 2009 with the "version 1.x" format
(@pxref{mdraid1x_module} for more information).

@node mdraid1x_module
@section mdraid1x
This module provides support for handling Linux compatible "version 1.x"
software-based RAID disks. This includes the current version used by Linux
at the time of writing.

@node memdisk_module
@section memdisk
This module provides support for a memdisk device. A memdisk is a memory mapped
emulated disk.

@node memrw_module
@section memrw
This module provides support for commands @command{read_byte},
@command{read_word}, @command{read_dword}, @command{write_byte},
@command{write_word}, and @command{write_dword} to read /
write data to physical memory (addresses). The "read" commands accept one
parameter to specify the source address. The "write" commands require either two
or three parameters, with the order: address, value, <optional mask>.
Note: The commands provided by this module are not allowed when lockdown is
enforced (@pxref{Lockdown}).

@node memtools_module
@section memtools
This module provides support for GRUB development / debugging commands
@command{lsmem}, @command{lsfreemem}, @command{lsmemregions}, and
@command{stress_big_allocs}.

@node minicmd_module
@section minicmd
This module provides support for a subset of commands for GRUB rescue mode
including: @command{cat}, @command{help}, @command{dump}, @command{rmmod},
@command{lsmod}, and @command{exit}. The version of the commands in this module
are similar to their full-fledged counterparts implemented in other GRUB
modules.
Note: The @command{dump} command is not allowed when lockdown is enforced
(@pxref{Lockdown}).

@node minix_module
@section minix
This module provides support for the Minix filesystem, version 1.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node minix2_module
@section minix2
This module provides support for the Minix filesystem, version 2.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node minix2_be_module
@section minix2_be
This module provides support for the Minix filesystem, version 2 big-endian.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node minix3_module
@section minix3
This module provides support for the Minix filesystem, version 3.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node minix3_be_module
@section minix3_be
This module provides support for the Minix filesystem, version 3 big-endian.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node minix_be_module
@section minix_be
This module provides support for the Minix filesystem, version 1 big-endian.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node mmap_module
@section mmap
This module provides support for mapping or unmapping devices or files into
memory as well as commands @command{badram} and @command{cutmem}.
@xref{badram} and @ref{cutmem}.

@node morse_module
@section morse
This module provides support for outputting terminal output via Morse code
to an audio speaker output.

@node mpi_module
@section mpi
This module provides support for multi-precision-integers (MPIs) in GRUB. MPIs
are used by the crypto functions as many depend on mathematics of large numbers.
This GRUB module is based on libgcrypt.

@node msdospart_module
@section msdospart
This module provides support for modifying MSDOS formatted disk partitions
through the separate @command{parttool} command.

@node mul_test_module
@section mul_test
This module is intended for performing a functional test of the multiplication
operations in GRUB.

@node multiboot_module
@section multiboot
This module provides support for commands @command{multiboot} and
@command{module} to load a multiboot kernel and load a multiboot module,
respectively. @xref{multiboot} and @ref{module} for more information. This
is for loading data formatted per the GNU Multiboot specification.

@node multiboot2_module
@section multiboot2
This module provides support for commands @command{multiboot2} and
@command{module2} to load a multiboot kernel and load a multiboot module,
respectively. This is for loading data formatted per the GNU Multiboot
specification.

@node nand_module
@section nand
This module provides support for accessing an IEEE-1275 compliant NAND disk
from GRUB.

@node nativedisk_module
@section nativedisk
This module provides support for the @command{nativedisk} command.
@xref{nativedisk} for more information.

@node net_module
@section net
This module provides support for networking protocols including ARP, BOOTP,
DNS, Ethernet, ICMPv6, ICMP, IP, TCP, and UDP. Support is included for both
IPv4 and IPv6.
This includes the following commands:
@itemize @bullet
@item
@command{net_bootp} - @pxref{net_bootp}

@item
@command{net_dhcp} - @pxref{net_dhcp}

@item
@command{net_get_dhcp_option} - @pxref{net_get_dhcp_option}

@item
@command{net_nslookup} - @pxref{net_nslookup}

@item
@command{net_add_dns} - @pxref{net_add_dns}

@item
@command{net_del_dns} - @pxref{net_del_dns}

@item
@command{net_ls_dns} - @pxref{net_ls_dns}

@item
@command{net_add_addr} - @pxref{net_add_addr}

@item
@command{net_ipv6_autoconf} - @pxref{net_ipv6_autoconf}

@item
@command{net_del_addr} - @pxref{net_del_addr}

@item
@command{net_add_route} - @pxref{net_add_route}

@item
@command{net_del_route} - @pxref{net_del_route}

@item
@command{net_set_vlan} - @pxref{net_set_vlan}

@item
@command{net_ls_routes} - @pxref{net_ls_routes}

@item
@command{net_ls_cards} - @pxref{net_ls_cards}

@item
@command{net_ls_addr} - @pxref{net_ls_addr}

@end itemize

@node newc_module
@section newc
This module provides support for accessing a CPIO archive as a file system
from GRUB. This module is for the following newer variants of the CPIO archive
supported by GNU CPIO (but GNU CPIO defaults to the "bin" format which is
handled by the module @ref{cpio_module}).

These are the variants supported by this module:

@itemize @bullet
@item
"newc" - SVR4 portable format without CRC. GNU file utility will identify these
as something like "ASCII cpio archive (SVR4 with no CRC)"

@item
‘crc’  - SVR4 portable format with CRC. GNU file utility will identify these as
something like "ASCII cpio archive (SVR4 with CRC)"

@end itemize

@node nilfs2_module
@section nilfs2
This module provides support for the New Implementation of Log filesystem
(nilfs2).
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node normal_module
@section normal
This module provides support for the normal mode in GRUB. @xref{normal} for
more information.

@node ntfs_module
@section ntfs
This module provides support for the New Technology File System (NTFS) in GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node ntfscomp_module
@section ntfscomp
This module provides support for compression with the New Technology File
System (NTFS) in GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node ntldr_module
@section ntldr
This module provides support for the @command{ntldr} command. This is may be
used to boot a Windows boot loader such as NTLDR or BootMGR.

@node odc_module
@section odc
This module provides support for accessing a CPIO archive as a file system
from GRUB. This module is for "odc" variant of the CPIO archive
supported by GNU CPIO (but GNU CPIO defaults to the "bin" format which is
handled by the module @ref{cpio_module}).

GNU file utility will identify these as something like "ASCII cpio archive
(pre-SVR4 or odc)"

@node offsetio_module
@section offsetio
This module provides support for reading from a file / archive at specified
offsets in GRUB.

@node ofnet_module
@section ofnet
This module provides support for the Open Firmware (IEEE-1275) network device
support in GRUB.

@node ohci_module
@section ohci
This module provides support for the Open Host Controller Interface (OHCI) for
USB 1 / USB 1.1 support in GRUB.

@node part_acorn_module
@section part_acorn
This module provides support for reading from disks partitioned with the
Acorn Disc Filing System (ADFS) used on RiscOS.

@node part_amiga_module
@section part_amiga
This module provides support for reading from disks partitioned with the
Amiga partition table.

@node part_apple_module
@section part_apple
This module provides support for reading from disks partitioned with the
Macintosh partition table.

@node part_bsd_module
@section part_bsd
This module provides support for reading from disks partitioned with BSD
style partition tables.

@node part_dfly_module
@section part_dfly
This module provides support for reading from disks partitioned with the
DragonFly BSD partition table.

@node part_dvh_module
@section part_dvh
This module provides support for reading from disks partitioned with the
SGI Disk Volume Header partition table.

@node part_gpt_module
@section part_gpt
This module provides support for reading from disks partitioned with the
GUID Partition Tables (GPT) partition table.

@node part_msdos_module
@section part_msdos
This module provides support for reading from disks partitioned with the
MSDOS (Master Boot Record / MBR) style partition tables.

@node part_plan_module
@section part_plan
This module provides support for reading from disk partitioned with the
Plan9 style partition table.

@node part_sun_module
@section part_sun
This module provides support for reading from disk partitioned with the
Sun style partition table.

@node part_sunpc_module
@section part_sunpc
This module provides support for reading from disk partitioned with the
Sun PC style partition table.

@node parttool_module
@section parttool
This module provides support for the @command{parttool} command. @xref{parttool}
for more information.

@node password_module
@section password
This module provides support for the @command{password} command. Please note
that this uses the password in plain text, if security is a concern consider
using @ref{password_pbkdf2_module} instead. @xref{password} for more
information.

@node password_pbkdf2_module
@section password_pbkdf2
This module provides support for the @command{password_pbkdf2} command.
@xref{password_pbkdf2} for more information.

@node pata_module
@section pata
This module provides support for Parallel ATA (PATA) disk device interfaces.

@node pbkdf2_module
@section pbkdf2
This module provides support for the Password-Based Key Derivation Function 2
(PBKDF2) / PKCS#5 PBKDF2 as per RFC 2898.

@node pbkdf2_test_module
@section pbkdf2_test
This module is intended for performing a functional test of the PBKDF2
operation in GRUB.

@node pci_module
@section pci
This module provides support for generic Peripheral Component Interconnect (PCI)
bus in GRUB.

@node pcidump_module
@section pcidump
This module provides support for the @command{pcidump} command in GRUB to dump
the PCI configuration registers in hexadecimal of a specified PCI device
(vendor / device ID) or by position on the bus.

@node pgp_module
@section pgp
This module provides support for the commands: @command{verify_detached},
@command{trust}, @command{list_trusted}, @command{distrust} associated with
digital signature checking via the "Open Pretty Good Privacy" (PGP) protocol /
RFC 4880 using a provided public key. This module also uses / sets
environment variable @code{check_signatures}. @xref{verify_detached},
@ref{trust}, @ref{list_trusted}, @ref{distrust}, and @ref{check_signatures}.

@node plainmount_module
@section plainmount
This module provides support for accessing / mounting partitions encrypted
by "cryptsetup" operating in "plain mode". @xref{plainmount} for more
information.

@node plan9_module
@section plan9
This module provides support for the @command{plan9} command to load a Plan9
kernel.

@node play_module
@section play
This module provides support for the @command{play} command to play a tune
through the PC speaker. @xref{play} for more information.

@node png_module
@section png
This module provides support for reading Portable Network Graphics (PNG) image
files in GRUB.

@node priority_queue_module
@section priority_queue
This module provides support for a priority queue function within GRUB such as
to support networking functions.

@node probe_module
@section probe
This module provides support for the @command{probe} command to retrieve device
information. @xref{probe} for more information.

@node procfs_module
@section procfs
This module provides support for a Proc File System to provide a file system
like interface to some GRUB internal data.

@node progress_module
@section progress
This module provides support for showing file loading progress to the terminal.

@node pubkey_module
@section pubkey
This module provides supporting functions for using RSA and DSA public keys.
This GRUB module is based on libgcrypt.

@node pxe_module
@section pxe
This module provides support for Preboot Execution Environment (PXE) network
boot services as a file system driver for other GRUB modules.

@node pxechain_module
@section pxechain
This module provides support for the @command{pxechainloader} command to load
another bootloader by PXE.

@node raid5rec_module
@section raid5rec
This module provides support for recovering from faulty RAID4/5 disk arrays

@node raid6rec_module
@section raid6rec
This module provides support for recovering from faulty RAID6 disk arrays.

@node random_module
@section random
This module provides support for library functions to get random data via
the hardware ACPI Power Management Timer and the TSC time source (Timestamp
Counter).

@node rdmsr_module
@section rdmsr
This module provides support for the @command{rdmsr} command to read CPU
Model Specific Registers. @xref{rdmsr} for more information.

@node read_module
@section read
This module provides support for the @command{read} command for getting user
input. @xref{read} for more information.

@node reboot_module
@section reboot
This module provides support for the @command{reboot} command to reboot the
computer. @xref{reboot} for more information.

@node regexp_module
@section regexp
This module provides support for the @command{regexp} command to check if a
regular expression matches a string. This module also provides support for the
GRUB script wildcard translator. @xref{regexp} for more information.

@node reiserfs_module
@section reiserfs
This module provides support for the ReiserFS File System in GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node relocator_module
@section relocator
This module provides support for relocating the image / executable being loaded
to the expected memory location(s) and jumping to (invoking) the executable.

@node romfs_module
@section romfs
This module provides support for the Read-Only Memory File System (ROMFS).
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node rsa_sexp_test_module
@section rsa_sexp_test
This module provides a test of the libgcrypt RSA functionality in GRUB.

@node scsi_module
@section scsi
This module provides support for the Small Computer System Interface (SCSI)
protocol used for some types of disk communication include some modern ones
such as USB Mass Storage Devices supporting "USB Attached SCSI" (UAS).

@node sdl_module
@section sdl
This module provides support for Simple DirectMedia Layer (SDL) video / image
output from the grub-emu tool used to preview the GRUB menu from a running
Operating System such as Linux (useful to test GRUB menu configuration changes
without rebooting). When available in the compilation target environment, SDL2
will be used instead of SDL1.

@node search_module
@section search
This module provides support for the @command{search} command to search devices
by file, filesystem label, or filesystem UUID. @xref{search} for more
information.

@node search_fs_file_module
@section search_fs_file
This module provides support for the @command{search.file} command which
is an alias for the corresponding @command{search} command. @xref{search} for
more information.

@node search_fs_uuid_module
@section search_fs_uuid
This module provides support for the @command{search.fs_uuid} command which
is an alias for the corresponding @command{search} command. @xref{search} for
more information.

@node search_label_module
@section search_label
This module provides support for the @command{search.fs_label} command which
is an alias for the corresponding @command{search} command. @xref{search} for
more information.

@node sendkey_module
@section sendkey
This module provides support for the @command{sendkey} command to send
emulated keystrokes. @xref{sendkey} for more information.

@node serial_module
@section serial
This module provides support for the @command{serial} command and associated
driver support for communication over a serial interface from GRUB.
@xref{serial} for more information.

@node setjmp_module
@section setjmp
This module provides support for the @code{setjmp} and @code{longjmp} functions
used within GRUB.

@node setjmp_test_module
@section setjmp_test
This module is intended for performing a functional test of the @code{setjmp}
and @code{longjmp} functions in GRUB.

@node setpci_module
@section setpci
This module provides support for the @command{setpci} command to get / set
values from / to specified PCI / PCIe devices.

@node sfs_module
@section sfs
This module provides support for the Amiga Smart File System (SFS) in GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node shift_test_module
@section shift_test
This module is intended for performing a functional test of the bit-wise shift
operations in GRUB.

@node signature_test_module
@section signature_test
This module is intended for performing a functional test of the digital
signature verification functions in GRUB.

@node sleep_module
@section sleep
This module provides support for the @command{sleep} command to wait a specified
number of seconds in GRUB. @xref{sleep} for more information.

@node sleep_test_module
@section sleep_test
This module is intended for performing a functional test of the sleep function
in GRUB.

@node smbios_module
@section smbios
This module provides support for the @command{smbios} command to retrieve SMBIOS
information in GRUB. @xref{smbios} for more information.

@node spkmodem_module
@section spkmodem
This module provides support for outputting GRUB console information over an
audio output. This output can be fed into another computer's sound input
and decoded using the @code{spkmodem_recv} utility. Note that this will slow
down GRUB's performance.

@node squash4_module
@section squash4
This module provides support for the SquashFS compressed read-only file system
in GRUB.

@node strtoull_test_module
@section strtoull_test
This module is intended for performing a functional test of the strtoull
function in GRUB.

@node suspend_module
@section suspend
This module provides support for the @command{suspend} command in GRUB to
return to IEEE1275 prompt on "Open Firmware" systems.

@node syslinuxcfg_module
@section syslinuxcfg
This module provides support for commands @command{syslinux_source},
@command{syslinux_configfile}, @command{extract_syslinux_entries_source},
and @command{extract_syslinux_entries_configfile} in GRUB. These commands
can be used to parse and display GRUB menu entries based on a Syslinux based
configuration (used for SYSLINUX, ISOLINUX, and PXELINUX). It can also
be used to execute the Syslinux loader from GRUB.

@node tar_module
@section tar
This module provides support for the GNU Tar and POSIX Tar file archives as a
file system in GRUB.

@node terminal_module
@section terminal
This module provides support for the commands @command{terminal_input} and
@command{terminal_output} in GRUB. @xref{terminal_input} and
@ref{terminal_output} for more information.

@node terminfo_module
@section terminfo
This module provides support for the @command{terminfo} command in GRUB to
set various terminal modes / options. @xref{terminfo} for more information.

@node test_module
@section test
This module provides support for the commands @command{test} and @command{[}.
These commands can be used to evaluate (test) an expression. @xref{test} for
more information.

@node test_blockarg_module
@section test_blockarg
This module is intended for performing a functional test of the "block" command
argument function in GRUB internal functions via a test command
@command{test_blockarg}.

@node testload_module
@section testload
This module is intended for performing a functional test of some file reading /
seeking functions in GRUB internals via a test command @command{testload}.

@node testspeed_module
@section testspeed
This module provides support for the @command{testspeed} command to test and
print file read speed of a specified file.

@node tftp_module
@section tftp
This module provides support for the Trivial File Transfer Protocol (TFTP) for
receiving files via the network to GRUB. TFTP may be used along with PXE for
network booting for example.

@node tga_module
@section tga
This module provides support for reading Truevision Graphics Adapter (TGA)
image files in GRUB.

@node time_module
@section time
This module provides support for the @command{time} command to measure the
time taken by a given command and output it to the terminal.

@node tpm_module
@section tpm
This module provides support for interacting with a Trusted Platform Module
(TPM) with GRUB to perform Measured Boot. @xref{Measured Boot} for more
information.

@node tr_module
@section tr
This module provides support for the @command{tr} command in GRUB. This can be
used to translate characters in a string according to the provided arguments.
For example this can be used to convert upper-case to lower-case and visa-versa.

@node trig_module
@section trig
This module provides support for internal trig functions @code{grub_cos} and
@code{grub_sin} using lookup based computation. Currently these trig functions
are used by the gfxmenu circular progress bar.

@node true_module
@section true
This module provides support for the commands @command{true} and
@command{false}. @xref{true} and @ref{false} for more information.

@node truecrypt_module
@section truecrypt
This module provides support for the @command{truecrypt} command. This can be
used to load a Truecrypt ISO image.

@node ubootnet_module
@section ubootnet
This module provides support for configuring network interfaces in GRUB using
information provided by a U-Boot bootloader.

@node udf_module
@section udf
This module provides support for the Universal Disk Format (UDF) used on some
newer optical disks.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node ufs1_module
@section ufs1
This module provides support for the Unix File System version 1 in GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node ufs1_be_module
@section ufs1_be
This module provides support for the Unix File System version 1 (big-endian) in
GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node ufs2_module
@section ufs2
This module provides support for the Unix File System version 2 in GRUB.
Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
information.

@node uhci_module
@section uhci
This module provides support for the Universal Host Controller Interface (UHCI)
for USB 1.x.

@node usb_module
@section usb
This module provides support for USB interfaces, USB hubs, and USB transfers
in GRUB.

@node usb_keyboard_module
@section usb_keyboard
This module provides support for a USB keyboard in GRUB.

@node usbms_module
@section usbms
This module provides support for USB Mass Storage devices in GRUB.

@node usbserial_common_module
@section usbserial_common
This module provides support for common operations needed to support USB Serial
port adapters in GRUB (to support a model / type specific USB to serial
adapter defined in another module).

@node usbserial_ftdi_module
@section usbserial_ftdi
This module provides support for USB to serial adapters with vendor ID 0x0403
and product ID 0x6001 (often associated with FTDI devices).

@node usbserial_pl2303_module
@section usbserial_pl2303
This module provides support for USB to serial adapters with vendor ID 0x067b
and product ID 0x2303 (PL2303 USB to Serial adapter).

@node usbserial_usbdebug_module
@section usbserial_usbdebug
This module provides support for debugging GRUB via a "USB 2.0 Debug Cable".
The USB 2.0 specification includes a "USB2 Debug Device Functional
Specification" that this driver is intended to support for GRUB. This may
integrate with GDB server function in GRUB (@pxref{gdb_module}).

@node usbtest_module
@section usbtest
This module provides support for the @command{usb} command in GRUB to test USB
functionality by iterating through all connected USB devices and printing
information for each to the terminal.

@node vbe_module
@section vbe
This module provides support for the VESA BIOS Extension (VBE) Video Driver in
GRUB.

@node verifiers_module
@section verifiers
This module is a built-in kernel module to provide a framework for GRUB file
verifiers and string verifiers.

@node vga_module
@section vga
This module provides support for the Video Graphics Array (VGA) Video Driver in
GRUB.

@node vga_text_module
@section vga_text
This module provides support for the Video Graphics Array (VGA) terminal
output device.

@node video_module
@section video
This module provides support for video output support functions within GRUB.

@node video_bochs_module
@section video_bochs
This module provides support for the Bochs PCI Video Driver (also known as
Bochs Graphics Adapter / BGA) in GRUB.

@node video_cirrus_module
@section video_cirrus
This module provides support for the Cirrus CLGD 5446 PCI Video Driver (Cirrus
Video) in GRUB.

@node video_colors_module
@section video_colors
This module provides support for interpreting named colors and parsing RBG
hexadecimal values.

@node video_fb_module
@section video_fb
This module provides support for video frame buffer (FB) support in GRUB.

@node videoinfo_module
@section videoinfo
This module provides support for the @command{videoinfo} command and (depending
on architecture) the @command{vbeinfo} command. @xref{videoinfo} for more
information.

@node videotest_module
@section videotest
This module provides support for the @command{videotest} command and (depending
on architecture) the @command{vbetest} to test the video subsystem in the
specified width and height.

@node videotest_checksum_module
@section videotest_checksum
This module is intended for performing a functional test of the video
functions in GRUB by displaying a test image and capturing a checksum.

@node wrmsr_module
@section wrmsr
This module provides support for the @command{wrmsr} command to write to CPU
model-specific registers. @xref{wrmsr} for more information.

@node xen_boot_module
@section xen_boot
This module provides support for the commands @command{xen_hypervisor} and
@command{xen_module} to load a XEN hypervisor and module respectively.

@node xfs_module
@section xfs
This module provides support for the XFS file system in GRUB.

@node xnu_module
@section xnu
This module provides support for the commands: @command{xnu_devprop_load},
@command{xnu_kernel}, @command{xnu_kernel64}, @command{xnu_mkext},
@command{xnu_kext}, @command{xnu_kextdir}, @command{xnu_ramdisk},
@command{xnu_splash}, and @command{xnu_resume} (only for emulated machine).
These commands support loading and interacting with a XNU (MacOS / Apple) based
system / kernel.

@node xnu_uuid_module
@section xnu_uuid
This module provides support for the @command{xnu_uuid} command to transform
a 64-bit UUID to a format suitable for XNU.

@node xnu_uuid_test_module
@section xnu_uuid_test
This module is intended for performing a functional test of the XNU UUID
conversion function.

@node xzio_module
@section xzio
This module provides support for decompression of XZ compressed data.

@node zfs_module
@section zfs
This module provides support for the ZFS file system in GRUB.

@node zfscrypt_module
@section zfscrypt
This module provides support for the @command{zfskey} to import a decryption
key as well as decryption support for encrypted ZFS file systems.

@node zfsinfo_module
@section zfsinfo
This module provides support for the commands @command{zfsinfo} to output ZFS
info about a device and @command{zfs-bootfs} to output ZFS-BOOTFSOBJ or store
it into a variable.

@node zstd_module
@section zstd
This module provides support for the Zstandard (zstd) decompression algorithm
in GRUB.

@node Commands
@chapter Available commands

In this chapter, we list all commands that are available in GRUB.

Commands belong to different groups. A few can only be used in
the global section of the configuration file (or ``menu''); most
of them can be entered on the command-line and can be used either
anywhere in the menu or specifically in the menu entries.

In rescue mode, only the @command{insmod} (@pxref{insmod}), @command{ls}
(@pxref{ls}), @command{set} (@pxref{set}), and @command{unset}
(@pxref{unset}) commands are normally available.  If you end up in rescue
mode and do not know what to do, then @pxref{GRUB only offers a rescue
shell}.

@menu
* Menu-specific commands::
* Loader commands::
* General commands::
* Command-line commands::
* Networking commands::
* Undocumented commands::
@end menu


@node Menu-specific commands
@section Commands for the menu only

The semantics used in parsing the configuration file are the following:

@itemize @bullet
@item
The files @emph{must} be in plain-text format.

@item
@samp{#} at the beginning of a line in a configuration file means it is
only a comment.

@item
Options are separated by spaces.

@item
All numbers can be either decimal or hexadecimal. A hexadecimal number
must be preceded by @samp{0x}, and is case-insensitive.
@end itemize

These commands can only be used in the menu:

@menu
* menuentry::                   Start a menu entry
* submenu::                     Group menu entries
@end menu


@node menuentry
@subsection menuentry

@deffn Command menuentry @var{title} @
 [@option{--class=class} @dots{}] [@option{--users=users}] @
 [@option{--unrestricted}] [@option{--hotkey=key}] [@option{--id=id}] @
 [@var{arg} @dots{}] @{ @var{command}; @dots{} @}
This defines a GRUB menu entry named @var{title}.  When this entry is
selected from the menu, GRUB will set the @var{chosen} environment variable
to value of @option{--id} if @option{--id} is given, execute the list of
commands given within braces, and if the last command in the list returned
successfully and a kernel was loaded it will execute the @command{boot} command.

The @option{--class} option may be used any number of times to group menu
entries into classes.  Menu themes may display different classes using
different styles.

The @option{--users} option grants specific users access to specific menu
entries.  @xref{Security}.

The @option{--unrestricted} option grants all users access to specific menu
entries.  @xref{Security}.

The @option{--hotkey} option associates a hotkey with a menu entry.
@var{key} may be a single letter, or one of the aliases @samp{backspace},
@samp{tab}, or @samp{delete}.

The @option{--id} may be used to associate unique identifier with a menu entry.
@var{id} is string of ASCII aphanumeric characters, underscore and hyphen
and should not start with a digit.

All other arguments including @var{title} are passed as positional parameters
when list of commands is executed with @var{title} always assigned to @code{$1}.
@end deffn


@node submenu
@subsection submenu

@deffn Command submenu @var{title} @
 [@option{--class=class} @dots{}] [@option{--users=users}] @
 [@option{--unrestricted}] [@option{--hotkey=key}] [@option{--id=id}] @
 @{ @var{menu entries} @dots{} @}
This defines a submenu.  An entry called @var{title} will be added to the
menu; when that entry is selected, a new menu will be displayed showing all
the entries within this submenu.

All options are the same as in the @command{menuentry} command
(@pxref{menuentry}).
@end deffn


@node Loader commands
@section Various loader commands

These commands are used to load necessary components to boot desired OS.
Many of the loader commands are not sufficiently documented. The following is
a list of commands that could use more documentation:

@itemize @bullet
@item @command{appleloader} -  Boot BIOS-based system.
@item @command{freedos} - Load FreeDOS kernel.sys.
@item @command{kfreebsd_loadenv} - Load FreeBSD env.
@item @command{kfreebsd_module_elf} - Load FreeBSD kernel module (ELF).
@item @command{kfreebsd_module} - Load FreeBSD kernel module.
@item @command{kfreebsd} - Load kernel of FreeBSD.
@item @command{knetbsd_module_elf} - Load NetBSD kernel module (ELF).
@item @command{knetbsd_module} - Load NetBSD kernel module.
@item @command{knetbsd} - Load kernel of NetBSD.
@item @command{kopenbsd} - Load kernel of OpenBSD.
@item @command{kopenbsd_ramdisk} -  Load kOpenBSD ramdisk.
@item @command{legacy_initrd_nounzip} - Simulate grub-legacy `modulenounzip' command
@item @command{legacy_initrd} - Simulate grub-legacy `initrd' command
@item @command{legacy_kernel} - Simulate grub-legacy `kernel' command
@item @command{module2} - Load a multiboot 2 module.
@item @command{module} - Load a multiboot module.
@item @command{multiboot2} - Load a multiboot 2 kernel.
@item @command{multiboot} - Load a multiboot kernel.
@item @command{ntldr} - Load NTLDR or BootMGR.
@item @command{plan9} - Load Plan9 kernel.
@item @command{pxechainloader} - Load a PXE image.
@item @command{truecrypt} - Load Truecrypt ISO.
@item @command{xnu_kernel64} - Load 64-bit XNU image.
@item @command{xnu_kernel} - Load XNU image.
@item @command{xnu_kextdir} -  Load XNU extension directory.
@item @command{xnu_kext} - Load XNU extension.
@item @command{xnu_mkext} - Load XNU extension package.
@item @command{xnu_ramdisk} -  Load XNU ramdisk. It will be available in OS as md0.
@item @command{xnu_resume} - Load an image of hibernated XNU.
@item @command{xnu_splash} - Load a splash image for XNU.
@end itemize


@menu
* chainloader::                 Chain-load another boot loader
* initrd::                      Load a Linux initrd
* initrd16::                    Load a Linux initrd (16-bit mode)
* linux::                       Load a Linux kernel
* linux16::                     Load a Linux kernel (16-bit mode)
@comment * xen_*::              Xen boot commands for AArch64
* xen_hypervisor::              Load xen hypervisor binary (only on AArch64)
* xen_module::                  Load xen modules for xen hypervisor (only on AArch64)
@end menu


@node chainloader
@subsection chainloader

@deffn Command chainloader [@option{--force}] file [args...]
Load @var{file} as a chain-loader. Like any other file loaded by the
filesystem code, it can use the blocklist notation (@pxref{Block list
syntax}) to grab the first sector of the current partition with @samp{+1}.
On EFI platforms, any arguments after @var{file} will be sent to the loaded
image.

If you specify the option @option{--force}, then load @var{file} forcibly,
whether it has a correct signature or not. This is required when you want to
load a defective boot loader, such as SCO UnixWare 7.1.
@end deffn


@node initrd
@subsection initrd

@deffn Command initrd file [file @dots{}]
Load, in order, all initrds for a Linux kernel image, and set the
appropriate parameters in the Linux setup area in memory.  This may only
be used after the @command{linux} command (@pxref{linux}) has been run.
See @ref{GNU/Linux} for more info on booting GNU/Linux.  For more
information on initrds see the GNU/Linux kernel
@uref{https://docs.kernel.org/filesystems/ramfs-rootfs-initramfs.html,
documentation}.

A new-style initrd (for kernels newer than 2.6) containing one file
with leading path components can also be generated at run time. This
can be done by prefixing an argument with @code{newc:} followed by the
path of the file in the new initrd, a @code{:}, and then the GRUB file
path to the file data to be be included.

For example:
@example
initrd newc:/etc/ssh/config:(hd0,2)/home/user/.ssh/config \
       newc:/etc/ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key \
       /boot/initrd.gz \
       newc:/init:/home/user/init.fixed
@end example

This command will generate two new-style initrds on the fly. The first
contains the path @samp{/etc/ssh/config} with the contents of
@samp{(hd0,2)/home/user/.ssh/config} and the path
@samp{/etc/ssh/ssh_host_rsa_key} with the contents of
@samp{/etc/ssh/ssh_host_rsa_key} on the @var{root} device. Parent directory
paths will automatically be generated as needed. This first generated initrd
will then have @samp{/boot/initrd.gz} concatenated after it. Next, another
new-style archive will be generated with the contents of @samp{/home/user/init.fixed}
in the path @samp{/init} and appended to the previous concatenation. Finally,
the result will be sent to the kernel when booted.

Keep in mind that paths that come later will take precedence. So in the
example above, the generated path @samp{/init} will overwrite any @samp{/init}
in @samp{/boot/initrd.gz}. This can be useful when changing the main initrd
is undesirable or difficult.
@end deffn


@node initrd16
@subsection initrd16

@deffn Command initrd16 file [file @dots{}]
Load, in order, all initrds for a Linux kernel image to be booted in
16-bit mode, and set the appropriate parameters in the Linux setup area in
memory.  This may only be used after the @command{linux16} command
(@pxref{linux16}) has been run.  See also @ref{GNU/Linux} and the @command{initrd}
command (@pxref{initrd}) for more details on arguments.

This command is only available on the pc platform for x86 systems.
@end deffn


@node linux
@subsection linux

@deffn Command linux file @dots{}
Load a Linux kernel image from @var{file}.  The rest of the line is passed
verbatim as the @dfn{kernel command-line}.  Any initrd must be reloaded
after using this command (@pxref{initrd}).

On x86 systems, the kernel will be booted using the 32-bit boot protocol.
Note that this means that the @samp{vga=} boot option will not work; if you
want to set a special video mode, you will need to use GRUB commands such as
@samp{set gfxpayload=1024x768} or @samp{set gfxpayload=keep} (to keep the
same mode as used in GRUB) instead.  GRUB can automatically detect some uses
of @samp{vga=} and translate them to appropriate settings of
@samp{gfxpayload}.  The @command{linux16} command (@pxref{linux16}) avoids
this restriction.
@end deffn


@node linux16
@subsection linux16

@deffn Command linux16 file @dots{}
Load a Linux kernel image from @var{file} in 16-bit mode.  The rest of the
line is passed verbatim as the @dfn{kernel command-line}.  Any initrd must
be reloaded after using this command (@pxref{initrd16}).

The kernel will be booted using the traditional 16-bit boot protocol.  As
well as bypassing problems with @samp{vga=} described in @ref{linux}, this
permits booting some other programs that implement the Linux boot protocol
for the sake of convenience.

This command is only available on x86 systems.
@end deffn


@node xen_hypervisor
@subsection xen_hypervisor

@deffn Command xen_hypervisor file  [arguments] @dots{}
Load a Xen hypervisor binary from @var{file}. The rest of the line is passed
verbatim as the @dfn{kernel command-line}. Any other binaries must be
reloaded after using this command.
This command is only available on AArch64 systems.
@end deffn


@node xen_module
@subsection xen_module

@deffn Command xen_module [--nounzip] file [arguments]
Load a module for xen hypervisor at the booting process of xen.
The rest of the line is passed verbatim as the module command line.
Modules should be loaded in the following order:
 - dom0 kernel image
 - dom0 ramdisk if present
 - XSM policy if present
This command is only available on AArch64 systems.
@end deffn


@node General commands
@section General commands

Commands usable anywhere in the menu and in the command-line.

@menu
* serial::                      Set up a serial device
* terminal_input::              Manage input terminals
* terminal_output::             Manage output terminals
* terminfo::                    Define terminal type
@end menu


@node serial
@subsection serial

@deffn Command serial [@option{--unit=unit}] [@option{--port=port}] [@option{--speed=speed}] [@option{--word=word}] [@option{--parity=parity}] [@option{--stop=stop}]
Initialize a serial device. @var{unit} is a number in the range 0-3
specifying which serial port to use; default is 0, which corresponds to
the port often called COM1.

@var{port} is the I/O port where the UART is to be found or, if prefixed
with @samp{mmio,}, the MMIO address of the UART. If specified it takes
precedence over @var{unit}.

Additionally, an MMIO address can be suffixed with:
@itemize @bullet
@item
@samp{.b} for bytes access (default)
@item
@samp{.w} for 16-bit word access
@item
@samp{.l} for 32-bit long word access or
@item
@samp{.q} for 64-bit long long word access
@end itemize

Also, @var{port} can be of the form @samp{pci,XX:XX.X} to indicate a serial
device exposed on the PCI bus.

@var{speed} is the transmission speed; default is 9600. @var{word} and
@var{stop} are the number of data bits and stop bits. Data bits must
be in the range 5-8 and stop bits must be 1 or 2. Default is 8 data
bits and one stop bit. @var{parity} is one of @samp{no}, @samp{odd},
@samp{even} and defaults to @samp{no}.

If passed no @var{unit} nor @var{port}, or if @var{port} is set to
@samp{auto} then GRUB will attempt to use ACPI to automatically detect
the system default serial port and its configuration. If this information
is not available, it will default to @var{unit} 0.

The serial port is not used as a communication channel unless the
@command{terminal_input} or @command{terminal_output} command is used
(@pxref{terminal_input}, @pxref{terminal_output}).

Note, valid @var{port} values, excluding IO port addresses, can be found
by listing terminals with @command{terminal_output}, selecting all names
prefixed by @samp{serial_} and removing that prefix.

Examples:
@example
serial --port=0x3f8 --speed=9600
serial --port=mmio,fefb0000.l --speed=115200
serial --port=pci,00:16.3 --speed=115200
@end example

See also @ref{Serial terminal}.
@end deffn


@node terminal_input
@subsection terminal_input

@deffn Command terminal_input [@option{--append}|@option{--remove}] @
 [terminal1] [terminal2] @dots{}
List or select an input terminal.

With no arguments, list the active and available input terminals.

With @option{--append}, add the named terminals to the list of active input
terminals; any of these may be used to provide input to GRUB.

With @option{--remove}, remove the named terminals from the active list.

With no options but a list of terminal names, make only the listed terminal
names active.
@end deffn


@node terminal_output
@subsection terminal_output

@deffn Command terminal_output [@option{--append}|@option{--remove}] @
 [terminal1] [terminal2] @dots{}
List or select an output terminal.

With no arguments, list the active and available output terminals.

With @option{--append}, add the named terminals to the list of active output
terminals; all of these will receive output from GRUB.

With @option{--remove}, remove the named terminals from the active list.

With no options but a list of terminal names, make only the listed terminal
names active.
@end deffn


@node terminfo
@subsection terminfo

@deffn Command terminfo [@option{-a}|@option{-u}|@option{-v}] [@option{-g WxH}] [term] [type]
Define the capabilities of your terminal by giving the name of an entry in
the terminfo database, which should correspond roughly to a @samp{TERM}
environment variable in Unix.

The currently available terminal types are @samp{vt100}, @samp{vt100-color},
@samp{ieee1275}, and @samp{dumb}.  If you need other terminal types, please
contact us to discuss the best way to include support for these in GRUB.

The @option{-a} (@option{--ascii}), @option{-u} (@option{--utf8}), and
@option{-v} (@option{--visual-utf8}) options control how non-ASCII text is
displayed.  @option{-a} specifies an ASCII-only terminal; @option{-u}
specifies logically-ordered UTF-8; and @option{-v} specifies
"visually-ordered UTF-8" (in other words, arranged such that a terminal
emulator without bidirectional text support will display right-to-left text
in the proper order; this is not really proper UTF-8, but a workaround).

The @option{-g} (@option{--geometry}) can be used to specify terminal geometry.

If no option or terminal type is specified, the current terminal type is
printed.
@end deffn


@node Command-line commands
@section Command-line commands

These commands are usable in the command-line and in menu entries.  If
you forget a command, you can run the command @command{help}
(@pxref{help}).

@menu
* [::                           Check file types and compare values
* acpi::                        Load ACPI tables
* append_add_db_cert::          Add trusted certificate to the db list
* append_add_db_hash::          Add trusted certificate/binary hash to the db list
* append_add_dbx_cert::         Add distrusted certificate to the dbx list
* append_add_dbx_hash::         Add distrusted certificate/binary hash to the dbx list
* append_list_db::              List all trusted certificates from the db list
* append_list_dbx::             List all distrusted certificates and binary/certificate hashes from the dbx list
* append_verify::               Verify appended digital signature using db and dbx lists
* authenticate::                Check whether user is in user list
* background_color::            Set background color for active terminal
* background_image::            Load background image for active terminal
* badram::                      Filter out bad regions of RAM
* blocklist::                   Print a block list
* blscfg::                      Load Boot Loader Specification menu entries
* boot::                        Start up your operating system
* cat::                         Show the contents of a file
* clear::                       Clear the screen
* cmosclean::                   Clear bit in CMOS
* cmosdump::                    Dump CMOS contents
* cmostest::                    Test bit in CMOS
* cmp::                         Compare two files
* configfile::                  Load a configuration file
* cpuid::                       Check for CPU features
* crc::                         Compute or check CRC32 checksums
* cryptocheck::                 Check if a device is encrypted
* cryptomount::                 Mount a crypto device
* cutmem::                      Remove memory regions
* date::                        Display or set current date and time
* devicetree::                  Load a device tree blob
* distrust::                    Remove a pubkey from trusted keys
* drivemap::                    Map a drive to another
* echo::                        Display a line of text
* efitextmode::                 Set/Get text output mode resolution
* eval::                        Evaluate agruments as GRUB commands
* export::                      Export an environment variable
* false::                       Do nothing, unsuccessfully
* fdtdump::                     Retrieve device tree information
* file::                        Test the provided file against a type
* fwsetup::                     Reboot into the firmware setup menu
* gdbinfo::                     Provide info for debugging with GDB
* gettext::                     Translate a string
* gptsync::                     Fill an MBR based on GPT entries
* halt::                        Shut down your computer
* hashsum::                     Compute or check hash checksum
* help::                        Show help messages
* hexdump::                     Show raw contents of a file or memory
* insmod::                      Insert a module
* keystatus::                   Check key modifier status
* list_env::                    List variables in environment block
* list_trusted::                List trusted public keys
* load_env::                    Load variables from environment block
* loadfont::                    Load font files
* loopback::                    Make a device from a filesystem image
* ls::                          List devices or files
* lsfonts::                     List loaded fonts
* lsfreemem::                   List free memory blocks
* lsmod::                       Show loaded modules
* lsmem::                       List free and allocated memory blocks
* lsmemregions::                List memory regions
* md5sum::                      Compute or check MD5 hash
* module::                      Load module for multiboot kernel
* multiboot::                   Load multiboot compliant kernel
* nativedisk::                  Switch to native disk drivers
* normal::                      Enter normal mode
* normal_exit::                 Exit from normal mode
* parttool::                    Modify partition table entries
* password::                    Set a clear-text password
* password_pbkdf2::             Set a hashed password
* plainmount::                  Open device encrypted in plain mode
* play::                        Play a tune
* probe::                       Retrieve device info
* rdmsr::                       Read values from model-specific registers
* read::                        Read user input
* reboot::                      Reboot your computer
* regexp::                      Test if regular expression matches string
* rmmod::                       Remove a module
* save_env::                    Save variables to environment block
* search::                      Search devices by file, label, or UUID
* sendkey::                     Emulate keystrokes
* set::                         Set an environment variable
* sha1sum::                     Compute or check SHA1 hash
* sha256sum::                   Compute or check SHA256 hash
* sha512sum::                   Compute or check SHA512 hash
* sleep::                       Wait for a specified number of seconds
* smbios::                      Retrieve SMBIOS information
* source::                      Read a configuration file in same context
* stress_big_allocs::           Stress test large memory allocations
* test::                        Check file types and compare values
* tpm2_key_protector_init::     Initialize the TPM2 key protector
* tpm2_key_protector_clear::    Clear the TPM2 key protector
* tpm2_dump_pcr::               Dump TPM2 PCRs
* true::                        Do nothing, successfully
* trust::                       Add public key to list of trusted keys
* uki::                         Load Unified Kernel Image menu entries
* unset::                       Unset an environment variable
@comment * vbeinfo::                     List available video modes
* verify_detached::             Verify detached digital signature
* videoinfo::                   List available video modes
* wrmsr::                       Write values to model-specific registers
@end menu


@node [
@subsection [
@deffn Command @code{[} expression @code{]}
Alias for @code{test @var{expression}} (@pxref{test}).
@end deffn


@node acpi
@subsection acpi

@deffn Command acpi [@option{-1}|@option{-2}] @
 [@option{--exclude=table1,@dots{}}|@option{--load-only=table1,@dots{}}] @
 [@option{--oemid=id}] [@option{--oemtable=table}] @
 [@option{--oemtablerev=rev}] [@option{--oemtablecreator=creator}] @
 [@option{--oemtablecreatorrev=rev}] [@option{--no-ebda}] @
 filename @dots{}
Modern BIOS systems normally implement the Advanced Configuration and Power
Interface (ACPI), and define various tables that describe the interface
between an ACPI-compliant operating system and the firmware. In some cases,
the tables provided by default only work well with certain operating
systems, and it may be necessary to replace some of them.

Normally, this command will replace the Root System Description Pointer
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
@option{--no-ebda} option is used, the new tables will be known only to
GRUB, but may be used by GRUB's EFI emulation.

Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
      Otherwise an attacker can instruct the GRUB to load an SSDT table to
      overwrite the kernel lockdown configuration and later load and execute
      unsigned code.
@end deffn

@node append_add_db_cert
@subsection append_add_db_cert

@deffn Command append_add_db_cert <X509_certificate>
Read an X.509 certificate from the file @var{X509_certificate}
and add it to GRUB's internal db list of trusted certificates.
These certificates are used to validate appended signatures when the
environment variable @code{check_appended_signatures} (@pxref{check_appended_signatures})
is set to @code{yes} or the @command{append_verify} (@pxref{append_verify})
command is executed from the GRUB console.

@xref{Using appended signatures} for more information.
@end deffn

@node append_add_db_hash
@subsection append_add_db_hash

@deffn Command append_add_db_hash <hash_file>
Read a binary hash from the file @var{hash_file}
and add it to GRUB's internal db list of trusted binary hashes. These
hashes are used to validate the Linux kernel/GRUB module binary hashes when the
environment variable @code{check_appended_signatures}
(@pxref{check_appended_signatures}) is set to @code{yes} or the
@command{append_verify} (@pxref{append_verify}) command is executed
from the GRUB console.

Here is an example for how to generate a SHA-256 hash for a file. The hash
will be in binary format:

@example

# The vmlinux (kernel image) file is your binary file, and
# it should be unsigned.
#
# Generate the binary_hash.bin file from the vmlinux file
# using OpenSSL command

openssl dgst -binary -sha256 -out binary_hash.bin vmlinux

@end example

@xref{Using appended signatures} for more information.
@end deffn

@node append_add_dbx_cert
@subsection append_add_dbx_cert

@deffn Command append_add_dbx_cert <X509_certificate>
Read an X.509 certificate from the file @var{X509_certificate}
and add it to GRUB's internal dbx list of distrusted certificates.
These certificates are used to ensure that the distrusted certificates
are rejected during appended signatures validation when the environment
variable @code{check_appended_signatures} is set to @code{yes}
(@pxref{check_appended_signatures}) or the @command{append_verify}
(@pxref{append_verify}) command is executed from the GRUB console.
Also, these certificates are used to prevent distrusted certificates from
being added to the db list later on.

@xref{Using appended signatures} for more information.
@end deffn

@node append_add_dbx_hash
@subsection append_add_dbx_hash

@deffn Command append_add_dbx_hash [@option{-b}|@option{-c}] <hash_file>
Read a binary/certificate hash from the file @var{hash_file}
and add it to GRUB's internal dbx list of distrusted binary/certificate hashes.
When the environment variable @code{check_appended_signatures} (@pxref{check_appended_signatures})
is set to @code{yes} or the @command{append_verify} (@pxref{append_verify}) command
is executed from the GRUB console, then matching distrusted binary hashes or the signature
validation with distrusted certificates may lead to the rejection of the Linux kernel or GRUB modules.
Also, these hashes are used to prevent distrusted certificates and binary hashes from being
added to the db list later on.

The @option{-b} (@option{--binary-hash}) can be used to specify a binary hash file and
@option{-c} (@option{--cert-hash}) can be used to specify a certificate hash file.

Here is an example for how to generate a SHA-256 hash for a binary and a
certificate file. The hash will be in binary format:

@example

# The vmlinux (kernel image) file is your binary file, and
# it should be unsigned. The kernel.der is your certificate file.
#
# Generate the cert_hash.bin file from the kernel.der file

openssl dgst -binary -sha256 -out cert_hash.bin kernel.der

# Generate the binary_hash.bin file from the vmlinux file

openssl dgst -binary -sha256 -out binary_hash.bin vmlinux

@end example

@xref{Using appended signatures} for more information.
@end deffn

@node append_list_db
@subsection append_list_db

@deffn Command append_list_db
List all X.509 certificates and binary hashes trusted by GRUB for validating
appended signatures. The output is a numbered list of certificates and binary hashes,
showing the certificate's version, serial number, issuer, subject,
public key algorithm, RSA public key size, and certificate fingerprint.

@xref{Using appended signatures} for more information.
@end deffn

@node append_list_dbx
@subsection append_list_dbx

@deffn Command append_list_dbx
List all the distrusted X.509 certificates and binary/certificate hashes.
The output is a numbered list of certificates and binary/certificate hashes,
showing the certificate's version, serial number, issuer, subject,
public key algorithm, RSA public key size, and certificate fingerprint.

@xref{Using appended signatures} for more information.
@end deffn

@node append_verify
@subsection append_verify

@deffn Command append_verify <signed_file>
Verifies an appended signature on @var{signed_file} against the trusted X.509 certificates
and hashes known to GRUB (@pxref{append_list_db},@pxref{append_list_dbx}, @pxref{append_add_db_cert},
@pxref{append_add_db_hash}, @pxref{append_add_dbx_hash} and @pxref{append_add_dbx_cert}).
Exit code @code{$?} is set to 0 if the signature validates successfully.
If validation fails, it is set to a non-zero value.

@xref{Using appended signatures} for more information.
@end deffn

@node authenticate
@subsection authenticate
@deffn Command authenticate [userlist]
Check whether user is in @var{userlist} or listed in the value of variable
@samp{superusers}. See @pxref{superusers} for valid user list format.
If @samp{superusers} is empty, this command returns true. @xref{Security}.
@end deffn


@node background_color
@subsection background_color

@deffn Command background_color color
Set background color for active terminal. For valid color specifications see
@pxref{Theme file format, ,Colors}. Background color can be changed only when
using @samp{gfxterm} for terminal output.

This command sets color of empty areas without text. Text background color
is controlled by environment variables @var{color_normal}, @var{color_highlight},
@var{menu_color_normal}, @var{menu_color_highlight}. @xref{Special environment variables}.
@end deffn


@node background_image
@subsection background_image

@deffn Command background_image [[@option{--mode} @samp{stretch}|@samp{normal}] file]
Load background image for active terminal from @var{file}. Image is stretched
to fill up entire screen unless option @option{--mode} @samp{normal} is given.
Without arguments remove currently loaded background image. Background image
can be changed only when using @samp{gfxterm} for terminal output.

@end deffn


@node badram
@subsection badram

@deffn Command badram addr,mask[,addr,mask...]
Filter out bad RAM.

This command notifies the memory manager that specified regions of
RAM ought to be filtered out (usually, because they're damaged).  This
remains in effect after a payload kernel has been loaded by GRUB, as
long as the loaded kernel obtains its memory map from GRUB.  Kernels that
support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
kernels in general.

Syntax is the same as provided by the @uref{http://www.memtest.org/,
Memtest86+ utility}: a list of address/mask pairs.  Given a page-aligned
address and a base address / mask pair, if all the bits of the page-aligned
address that are enabled by the mask match with the base address, it means
this page is to be filtered.  This syntax makes it easy to represent patterns
that are often result of memory damage, due to physical distribution of memory
cells.

The command is similar to @command{cutmem} command.

Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
      This prevents removing EFI memory regions to potentially subvert the
      security mechanisms provided by the UEFI secure boot.
@end deffn

@node blocklist
@subsection blocklist

@deffn Command blocklist file
Print a block list (@pxref{Block list syntax}) for @var{file}.
@end deffn


@node blscfg
@subsection blscfg

@deffn Command blscfg [@option{-p|--path} dir] [@option{-f|--enable-fallback}] [@option{-d|--show-default}] [@option{-n|--show-non-default}] [@option{-e|--entry} file]
Load Boot Loader Specification (BLS) entries into the GRUB menu. Boot entries
generated from @command{blscfg} won't interfere with entries from @file{grub.cfg} appearing in
the GRUB menu. Also, entries generated from @command{blscfg} exists only in memory and
don't update @file{grub.cfg}.

By default, the BLS entries are stored in the @file{/loader/entries} directory in the
boot partition. If BLS entries are stored elsewhere, the @option{--path} option can be
used to check a different directory instead of the default location. If no BLS
entries are found while using the @option{--path} option, the @option{--enable-fallback} option
can be used to check for entries in the default location.

The @option{--show-default} option allows the default boot entry to be added to the
GRUB menu from the BLS entries.

The @option{--show-non-default} option allows non-default boot entries to be added to
the GRUB menu from the BLS entries.

The @option{--entry} option allows specific boot entries to be added to the GRUB menu
from the BLS entries.

The @option{--entry}, @option{--show-default}, and @option{--show-non-default} options
are used to filter which BLS entries are added to the GRUB menu. If none are
used, all entries in the default location or the location specified by @option{--path}
will be added to the GRUB menu.

A BLS config file example:
@example
# /boot/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf
title        Fedora 19 (Rawhide)
sort-key     fedora
machine-id   6a9857a393724b7a981ebb5b8495b9ea
version      3.8.0-2.fc19.x86_64
options      root=UUID=6d3376e4-fc93-4509-95ec-a21d68011da2 quiet
architecture x64
linux        /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux
initrd       /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd
@end example

For more information on BLS entry keys as well as other information on BLS,
see: @uref{https://uapi-group.org/specifications/specs/boot_loader_specification/, The Boot Loader Specification}. For the GRUB, there are a few additional
BLS entry keys based on the @command{menuentry} command (@pxref{menuentry}).

The @code{grub_class} key may be used any number of times to group menu entries into
classes. Menu themes may display different classes using different styles.

The @code{grub_users} key grants specific users access to specific menu
entries.  @xref{Security}.

The @code{grub_hotkey} key associates a hotkey with a menu entry.
@var{key} may be a single letter, or one of the aliases @samp{backspace},
@samp{tab}, or @samp{delete}.

The @code{grub_args} key can be used for any other argument to be passed as positonal
parameters when the list of commands generated from the BLS config file are
executed.

Variable expansion using the @samp{$} character (@xref{Shell-like scripting}) may be
used with BLS config files for the GRUB but might not be compatible with other
bootloaders.
@end deffn


@node boot
@subsection boot

@deffn Command boot
Boot the OS or chain-loader which has been loaded. Only necessary if
running the fully interactive command-line (it is implicit at the end of
a menu entry).
@end deffn


@node cat
@subsection cat

@deffn Command cat [@option{--dos}] file
Display the contents of the file @var{file}. This command may be useful
to remind you of your OS's root partition:

@example
grub> @kbd{cat /etc/fstab}
@end example

If the @option{--dos} option is used, then carriage return / new line pairs
will be displayed as a simple new line.  Otherwise, the carriage return will
be displayed as a control character (@samp{<d>}) to make it easier to see
when boot problems are caused by a file formatted using DOS-style line
endings.

Note: @command{cat} can be used to view the contents of devices using the
block list syntax (@pxref{Block list syntax}). However, it is not advised
to view binary data because it will try to decode UTF-8 strings, which can
lead to some bytes missing or added in the output. Instead, use the
@command{hexdump} command (@pxref{hexdump}).
@end deffn


@node clear
@subsection clear

@deffn Command clear
Clear the screen.
@end deffn


@node cmosclean
@subsection cmosclean

@deffn Command cmosclean byte:bit
Clear value of bit in CMOS at location @var{byte}:@var{bit}. This command
is available only on platforms that support CMOS.
@end deffn


@node cmosdump
@subsection cmosdump

@deffn Dump CMOS contents
Dump full CMOS contents as hexadecimal values. This command is available only
on platforms that support CMOS.
@end deffn


@node cmostest
@subsection cmostest

@deffn Command cmostest byte:bit
Test value of bit in CMOS at location @var{byte}:@var{bit}. Exit status
is zero if bit is set, non zero otherwise. This command is available only
on platforms that support CMOS.
@end deffn


@node cmp
@subsection cmp

@deffn Command cmp [@option{-v}] file1 file2
Compare the file @var{file1} with the file @var{file2}. If they are completely
identical, @code{$?} will be set to 0. Otherwise, if the files are not identical,
@code{$?} will be set to a nonzero value.

By default nothing will be output. If the @option{-v} is used, verbose mode is
enabled. In this mode when when the files differ in size, print the sizes like
this:

@example
Differ in size: 0x1234 [foo], 0x4321 [bar]
@end example

If the sizes are equal but the bytes at an offset differ, then print the
bytes like this:

@example
Differ at the offset 777: 0xbe [foo], 0xef [bar]
@end example

@end deffn


@node configfile
@subsection configfile

@deffn Command configfile file
Load @var{file} as a configuration file.  If @var{file} defines any menu
entries, then show a menu containing them immediately.  Any environment
variable changes made by the commands in @var{file} will not be preserved
after @command{configfile} returns.
@end deffn


@node cpuid
@subsection cpuid

@deffn Command cpuid [-l] [-p]
Check for CPU features.  This command is only available on x86 systems.

With the @option{-l} option, return true if the CPU supports long mode
(64-bit).

With the @option{-p} option, return true if the CPU supports Physical
Address Extension (PAE).

If invoked without options, this command currently behaves as if it had been
invoked with @option{-l}.  This may change in the future.
@end deffn


@node crc
@subsection crc

@deffn Command crc arg @dots{}
Alias for @code{hashsum --hash crc32 arg @dots{}}. See command @command{hashsum}
(@pxref{hashsum}) for full description.
@end deffn

@node cryptocheck
@subsection cryptocheck

@deffn Command cryptocheck [ @option{--quiet} ] device
Check if a given diskfilter device is backed by encrypted devices
(@pxref{cryptomount} for additional information).

The command examines all backing devices, physical volumes, of a specified
logical volume, like LVM2, and fails when at least one of them is unencrypted.

The option @option{--quiet} can be given to suppress the output.
@end deffn

@node cryptomount
@subsection cryptomount

@deffn Command cryptomount [ [@option{-p} password] | [@option{-k} keyfile [@option{-O} keyoffset] [@option{-S} keysize] ] | [@option{-P} protector] | [@option{-A}] ] [@option{-H} file] device|@option{-u} uuid|@option{-a}|@option{-b}
Setup access to encrypted device. A passphrase will be requested interactively,
if neither the @option{-p} nor @option{-k} options are given. The option
@option{-p} can be used to supply a passphrase (useful for scripts).
Alternatively the @option{-k} option can be used to supply a keyfile with
options @option{-O} and @option{-S} optionally supplying the offset and size,
respectively, of the key data in the given key file. Besides the keyfile,
the key can be stored in a key protector, and option @option{-P} configures
specific key protector, e.g. tpm2, to retrieve the key from. The option @option{-A}
enables hardware acceleration in libgcrypt to speed up decryption.
The @option{-H} options can be used to supply cryptomount backends with an
alternative header file (aka detached header). Not all backends have headers
nor support alternative header files (currently only LUKS1 and LUKS2 support them).
Argument @var{device} configures specific grub device
(@pxref{Naming convention}); option @option{-u} @var{uuid} configures device
with specified @var{uuid}; option @option{-a} configures all detected encrypted
devices; option @option{-b} configures all geli containers that have boot flag set.

Devices are not allowed to be given as key files nor as detached header files.
However, this limitation can be worked around by using blocklist syntax. So
for instance, @code{(hd1,gpt2)} can not be used, but @code{(hd1,gpt2)0+} will
achieve the desired result.

GRUB supports devices encrypted using LUKS, LUKS2 and geli. Note that necessary
modules (@var{luks}, @var{luks2} and @var{geli}) have to be loaded manually
before this command can be used. For LUKS2 only the PBKDF2 key derivation
function is supported, as Argon2 is not yet supported.

Successfully decrypted disks are named as (cryptoX) and have increasing numeration
suffix for each new decrypted disk. If the encrypted disk hosts some higher level
of abstraction (like LVM2 or MDRAID) it will be created under a separate device
namespace in addition to the cryptodisk namespace.

Support for plain encryption mode (plain dm-crypt) is provided via separate
@command{@pxref{plainmount}} command.

On the EFI platform, GRUB tries to erase master keys from memory when the cryptodisk
module is unloaded or the command @command{exit} is executed. All secrets remain in
memory when the command @command{chainloader} is issued, because execution can
return to GRUB on the EFI platform.
@end deffn

@node cutmem
@subsection cutmem

@deffn Command cutmem from[K|M|G] to[K|M|G]
Remove any memory regions in specified range.

This command notifies the memory manager that specified regions of RAM ought to
be filtered out. This remains in effect after a payload kernel has been loaded
by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
kernels in general.

The command is similar to @command{badram} command.

Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
      This prevents removing EFI memory regions to potentially subvert the
      security mechanisms provided by the UEFI secure boot.
@end deffn

@node date
@subsection date

@deffn Command date [[year-]month-day] [hour:minute[:second]]
With no arguments, print the current date and time.

Otherwise, take the current date and time, change any elements specified as
arguments, and set the result as the new date and time.  For example, `date
01-01' will set the current month and day to January 1, but leave the year,
hour, minute, and second unchanged.
@end deffn


@node devicetree
@subsection devicetree

@deffn Command devicetree file
Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
kernel. Does not perform merging with any device tree supplied by firmware,
but rather replaces it completely.

Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
      This is done to prevent subverting various security mechanisms.
@end deffn

@node distrust
@subsection distrust

@deffn Command distrust pubkey_id
Remove public key @var{pubkey_id} from GRUB's keyring of trusted keys.
@var{pubkey_id} is the last four bytes (eight hexadecimal digits) of
the GPG v4 key id, which is also the output of @command{list_trusted}
(@pxref{list_trusted}).  Outside of GRUB, the key id can be obtained
using @code{gpg --fingerprint}).
These keys are used to validate signatures when environment variable
@code{check_signatures} is set to @code{enforce}
(@pxref{check_signatures}), and by some invocations of
@command{verify_detached} (@pxref{verify_detached}).  @xref{Using
GPG-style digital signatures}, for more information.
@end deffn

@node drivemap
@subsection drivemap

@deffn Command drivemap @option{-l}|@option{-r}|[@option{-s}] @
 from_drive to_drive
Without options, map the drive @var{from_drive} to the drive @var{to_drive}.
This is necessary when you chain-load some operating systems, such as DOS,
if such an OS resides at a non-first drive.  For convenience, any partition
suffix on the drive is ignored, so you can safely use @verb{'${root}'} as a
drive specification.

With the @option{-s} option, perform the reverse mapping as well, swapping
the two drives.

With the @option{-l} option, list the current mappings.

With the @option{-r} option, reset all mappings to the default values.

For example:

@example
drivemap -s (hd0) (hd1)
@end example

NOTE: Only available on i386-pc.
@end deffn


@node echo
@subsection echo

@deffn Command echo [@option{-n}] [@option{-e}] string @dots{}
Display the requested text and, unless the @option{-n} option is used, a
trailing new line.  If there is more than one string, they are separated by
spaces in the output.  As usual in GRUB commands, variables may be
substituted using @samp{$@{var@}}.

The @option{-e} option enables interpretation of backslash escapes.  The
following sequences are recognised:

@table @code
@item \\
backslash

@item \a
alert (BEL)

@item \c
suppress trailing new line

@item \f
form feed

@item \n
new line

@item \r
carriage return

@item \t
horizontal tab

@item \v
vertical tab
@end table

When interpreting backslash escapes, backslash followed by any other
character will print that character.
@end deffn


@node efitextmode
@subsection efitextmode

@deffn Command efitextmode [min | max | <mode_num> | <cols> <rows>]
When used with no arguments displays all available text output modes. The
set mode determines the columns and rows of the text display when in
text mode. An asterisk, @samp{*}, will be at the end of the line of the
currently set mode.

If given a single parameter, it must be @samp{min}, @samp{max}, or a mode
number given by the listing when run with no arguments. These arguments set
the mode to the minimum, maximum, and particular mode respectively.

Otherwise, the command must be given two numerical arguments specifying the
columns and rows of the desired mode. Specifying a columns and rows
combination that corresponds to no supported mode, will return error, but
otherwise have no effect.

By default GRUB will start in whatever mode the EFI firmware defaults to.
There are firmwares known to set up the default mode such that output
behaves strangely, for example the cursor in the GRUB shell never reaches
the bottom of the screen or, when typing characters at the prompt,
characters from previous command output are overwritten. Setting the mode
may fix this.

The EFI specification says that mode 0 must be available and have
columns and rows of 80 and 25 respectively. Mode 1 may be defined and if
so must have columns and rows of 80 and 50 respectively. Any other modes
may have columns and rows arbitrarily defined by the firmware. This means
that a mode with columns and rows of 100 and 31 on one firmware may be
a different mode number on a different firmware or not exist at all.
Likewise, mode number 2 on one firmware may have a different number of
columns and rows than mode 2 on a different firmware. So one should not
rely on a particular mode number or a mode of a certain number of columns
and rows existing on all firmwares, except for mode 0.

Note: This command is only available on EFI platforms and is similar to
EFI shell "mode" command.
@end deffn


@node eval
@subsection eval

@deffn Command eval string ...
Concatenate arguments together using single space as separator and evaluate
result as sequence of GRUB commands.
@end deffn


@node export
@subsection export

@deffn Command export envvar
Export the environment variable @var{envvar}. Exported variables are visible
to subsidiary configuration files loaded using @command{configfile}.
@end deffn


@node false
@subsection false

@deffn Command false
Do nothing, unsuccessfully.  This is mainly useful in control constructs
such as @code{if} and @code{while} (@pxref{Shell-like scripting}).
@end deffn


@node fdtdump
@subsection fdtdump

@deffn Command fdtdump @
 [@option{--prop} @var{prop}] @
 [@option{--set} @var{variable}]
Retrieve device tree information.

The @command{fdtdump} command returns the value of a property in the device
tree provided by the firmware.  The @option{--prop} option determines which
property to select.

The default action is to print the value of the requested field to the console,
but a variable name can be specified with @option{--set} to store the value
instead of printing it.

For example, this will store and then display the model string.

@example
fdtdump --prop model --set machine_model
echo $machine_model
@end example
@end deffn


@node file
@subsection file

@deffn Command file is_file_type filename

The @command{file} command tests whether the provided @var{filename} is the
type provided by @var{is_file_type}. When the @command{file} is of type
@var{is_file_type} this command will return 0, otherwise it will return
non-zero (no output is provided to the terminal).

@var{is_file_type} may be one of the following options:
@itemize @bullet
@item
@option{--is-i386-xen-pae-domu} Check if @var{filename} can be booted as i386
PAE Xen unprivileged guest kernel
@item
@option{--is-x86_64-xen-domu} Check if @var{filename} can be booted as x86_64
Xen unprivileged guest kernel
@item
@option{--is-x86-xen-dom0} Check if @var{filename} can be used as Xen x86
privileged guest kernel
@item
@option{--is-x86-multiboot} Check if @var{filename} can be used as x86
multiboot kernel
@item
@option{--is-x86-multiboot2} Check if @var{filename} can be used as x86
multiboot2 kernel
@item
@option{--is-arm-linux} Check if @var{filename} is ARM Linux
@item
@option{--is-arm64-linux} Check if @var{filename} is ARM64 Linux
@item
@option{--is-ia64-linux} Check if @var{filename} is IA64 Linux
@item
@option{--is-mips-linux} Check if @var{filename} is MIPS Linux
@item
@option{--is-mipsel-linux} Check if @var{filename} is MIPSEL Linux
@item
@option{--is-sparc64-linux} Check if @var{filename} is SPARC64 Linux
@item
@option{--is-powerpc-linux} Check if @var{filename} is POWERPC Linux
@item
@option{--is-x86-linux} Check if @var{filename} is x86 Linux
@item
@option{--is-x86-linux32} Check if @var{filename} is x86 Linux supporting
32-bit protocol
@item
@option{--is-x86-kfreebsd} Check if @var{filename} is x86 kFreeBSD
@item
@option{--is-i386-kfreebsd} Check if @var{filename} is i386 kFreeBSD
@item
@option{--is-x86_64-kfreebsd} Check if @var{filename} is x86_64 kFreeBSD
@item
@option{--is-x86-knetbsd} Check if @var{filename} is x86 kNetBSD
@item
@option{--is-i386-knetbsd} Check if @var{filename} is i386 kNetBSD
@item
@option{--is-x86_64-knetbsd} Check if @var{filename} is x86_64 kNetBSD
@item
@option{--is-i386-efi} Check if @var{filename} is i386 EFI file
@item
@option{--is-x86_64-efi} Check if @var{filename} is x86_64 EFI file
@item
@option{--is-ia64-efi} Check if @var{filename} is IA64 EFI file
@item
@option{--is-arm64-efi} Check if @var{filename} is ARM64 EFI file
@item
@option{--is-arm-efi} Check if @var{filename} is ARM EFI file
@item
@option{--is-riscv32-efi} Check if @var{filename} is RISC-V 32bit EFI file
@item
@option{--is-riscv64-efi} Check if @var{filename} is RISC-V 64bit EFI file
@item
@option{--is-hibernated-hiberfil} Check if @var{filename} is hiberfil.sys in
hibernated state
@item
@option{--is-x86_64-xnu} Check if @var{filename} is x86_64 XNU (Mac OS X kernel)
@item
@option{--is-i386-xnu} Check if @var{filename} is i386 XNU (Mac OS X kernel)
@item
@option{--is-xnu-hibr} Check if @var{filename} is XNU (Mac OS X kernel)
hibernated image
@item
@option{--is-x86-bios-bootsector} Check if @var{filename} is BIOS bootsector
@end itemize
@end deffn


@node fwsetup
@subsection fwsetup

@deffn Command fwsetup [@option{--is-supported}]
Reboot into the firmware setup menu. If @option{--is-supported} option is
specified, instead check whether the firmware supports a setup menu and
exit successfully if so.
@end deffn


@node gdbinfo
@subsection gdbinfo

@deffn Command gdbinfo
Output text to be used as a GDB command for a GDB session using the gdb_grub
script and attached to a running GRUB instance. The GDB command that is
output will tell GDB how to load debugging symbols to their proper runtime
address. Currently this is only available for EFI platforms. See the Debugging
in the developer documentation for more information.
@end deffn


@node gettext
@subsection gettext

@deffn Command gettext string
Translate @var{string} into the current language.

The current language code is stored in the @samp{lang} variable in GRUB's
environment (@pxref{lang}).  Translation files in MO format are read from
@samp{locale_dir} (@pxref{locale_dir}), usually @file{/boot/grub/locale}.
@end deffn


@node gptsync
@subsection gptsync

@deffn Command gptsync device [partition[+/-[type]]] @dots{}
Disks using the GUID Partition Table (GPT) also have a legacy Master Boot
Record (MBR) partition table for compatibility with the BIOS and with older
operating systems.  The legacy MBR can only represent a limited subset of
GPT partition entries.

This command populates the legacy MBR with the specified @var{partition}
entries on @var{device}.  Up to three partitions may be used.

@var{type} is an MBR partition type code; prefix with @samp{0x} if you want
to enter this in hexadecimal.  The separator between @var{partition} and
@var{type} may be @samp{+} to make the partition active, or @samp{-} to make
it inactive; only one partition may be active.  If both the separator and
type are omitted, then the partition will be inactive.
@end deffn


@node halt
@subsection halt

@deffn Command halt [@option{--no-apm}]
The command halts the computer. On the i386-pc target, the @option{--no-apm}
option, or short @option{-n}, is specified, no APM BIOS call is performed.
Otherwise, the computer is shut down using APM on that target.
@end deffn


@node hashsum
@subsection hashsum

@deffn Command hashsum @option{--hash} hash @option{--keep-going} @option{--uncompress} @option{--check} file [@option{--prefix} dir]|file @dots{}
Compute or verify file hashes. Hash type is selected with option @option{--hash}.
Supported hashes are: @samp{adler32}, @samp{crc64}, @samp{crc32},
@samp{crc32rfc1510}, @samp{crc24rfc2440}, @samp{md4}, @samp{md5},
@samp{ripemd160}, @samp{sha1}, @samp{sha224}, @samp{sha256}, @samp{sha512},
@samp{sha384}, @samp{tiger192}, @samp{tiger}, @samp{tiger2}, @samp{whirlpool}.
Option @option{--uncompress} uncompresses files before computing hash.

When list of files is given, hash of each file is computed and printed,
followed by file name, each file on a new line.

When option @option{--check} is given, it points to a file that contains
list of @var{hash name} pairs in the same format as used by UNIX
@command{md5sum} command. Option @option{--prefix}
may be used to give directory where files are located. Hash verification
stops after the first mismatch was found unless option @option{--keep-going}
was given.  The exit code @code{$?} is set to 0 if hash verification
is successful.  If it fails, @code{$?} is set to a nonzero value.
@end deffn


@node help
@subsection help

@deffn Command help [pattern @dots{}]
Display helpful information about builtin commands. If you do not
specify @var{pattern}, this command shows short descriptions of all
available commands.

If you specify any @var{patterns}, it displays longer information
about each of the commands whose names begin with those @var{patterns}.
@end deffn


@node hexdump
@subsection hexdump

@deffn Command hexdump [--skip offset] [--length len] FILE_OR_DEVICE
Show raw contents of a file or memory. When option @option{--skip} is given,
@samp{offset} number of bytes are skipped from the start of the device or
file given. And @option{--length} allows specifying a maximum number of bytes
to be shown.

If given the special device named @samp{(mem)}, then the @samp{offset} given to
@option{--skip} is treated as the address of a memory location to dump from.

Note: The dumping of RAM memory (by the (mem) argument) is not allowed when
when lockdown is enforced (@pxref{Lockdown}). The dumping of disk or file
data is allowed when lockdown is enforced.

@end deffn


@node insmod
@subsection insmod

@deffn Command insmod module
Insert the dynamic GRUB module called @var{module}.
@end deffn


@node keystatus
@subsection keystatus

@deffn Command keystatus [@option{--shift}] [@option{--ctrl}] [@option{--alt}]
Return true if the Shift, Control, or Alt modifier keys are held down, as
requested by options. This is useful in scripting, to allow some user
control over behaviour without having to wait for a keypress.

Checking key modifier status is only supported on some platforms. If invoked
without any options, the @command{keystatus} command returns true if and
only if checking key modifier status is supported.
@end deffn


@node list_env
@subsection list_env

@deffn Command list_env [@option{--file} file]
List all variables in the environment block file.  @xref{Environment block}.

The @option{--file} option overrides the default location of the
environment block.
@end deffn

@node list_trusted
@subsection list_trusted

@deffn Command list_trusted
List all public keys trusted by GRUB for validating signatures.
The output is in GPG's v4 key fingerprint format (i.e., the output of
@code{gpg --fingerprint}).  The least significant four bytes (last
eight hexadecimal digits) can be used as an argument to
@command{distrust} (@pxref{distrust}).
@xref{Using GPG-style digital signatures}, for more information about uses for
these keys.
@end deffn

@node load_env
@subsection load_env

@deffn Command load_env [@option{--file} file] [@option{--skip-sig}] [whitelisted_variable_name] @dots{}
Load all variables from the environment block file into the environment.
@xref{Environment block}.

The @option{--file} option overrides the default location of the environment
block.

The @option{--skip-sig} option skips signature checking even when the
value of environment variable @code{check_signatures} is set to
@code{enforce} (@pxref{check_signatures}).

If one or more variable names are provided as arguments, they are
interpreted as a whitelist of variables to load from the environment
block file.  Variables set in the file but not present in the
whitelist are ignored.

The @option{--skip-sig} option should be used with care, and should
always be used in concert with a whitelist of acceptable variables
whose values should be set.  Failure to employ a carefully constructed
whitelist could result in reading a malicious value into critical
environment variables from the file, such as setting
@code{check_signatures=no}, modifying @code{prefix} to boot from an
unexpected location or not at all, etc.

When used with care, @option{--skip-sig} and the whitelist enable an
administrator to configure a system to boot only signed
configurations, but to allow the user to select from among multiple
configurations, and to enable ``one-shot'' boot attempts and
``savedefault'' behavior.  @xref{Using GPG-style digital signatures}, for more
information.

If the environment variable @code{check_appended_signatures} value is set to
@code{yes} and GRUB is in lockeddown mode, the user is not allowed to set
@code{check_appended_signatures} to @code{no} and @code{appendedsig_key_mgmt}
to @code{static} or @code{dynamic} either directly using @command{load_env}
command or via environment block file. @xref{Using appended signatures}, for
more information.
@end deffn


@node loadfont
@subsection loadfont

@deffn Command loadfont file @dots{}
Load specified font files. Unless absolute pathname is given, @var{file}
is assumed to be in directory @samp{$prefix/fonts} with
suffix @samp{.pf2} appended. @xref{Theme file format,,Fonts}.
@end deffn


@node loopback
@subsection loopback

@deffn Command loopback [@option{-d}] [@option{-D}] device file
Make the device named @var{device} correspond to the contents of the
filesystem image in @var{file}.  For example:

@example
loopback loop0 /path/to/image
ls (loop0)/
@end example

Specifying the @option{-D} option allows the loopback file to be tranparently
decompressed if there is an appropriate decompressor loaded.

With the @option{-d} option, delete a device previously created using this
command.
@end deffn


@node ls
@subsection ls

@deffn Command ls [arg @dots{}]
List devices or files.

With no arguments, print all devices known to GRUB.

If the argument is a device name enclosed in parentheses (@pxref{Device
syntax}), then print the name of the filesystem of that device.

If the argument is a directory given as an absolute file name (@pxref{File
name syntax}), then list the contents of that directory.
@end deffn


@node lsfonts
@subsection lsfonts

@deffn Command lsfonts
List loaded fonts.
@end deffn


@node lsfreemem
@subsection lsfreemem

@deffn Command lsfreemem
List free memory blocks.
@end deffn


@node lsmod
@subsection lsmod

@deffn Command lsmod
Show list of loaded modules.
@end deffn


@node lsmem
@subsection lsmem

@deffn Command lsmem
List free and allocated memory blocks.
@end deffn


@node lsmemregions
@subsection lsmemregions

@deffn Command lsmemregions
Prints memory region general information including size, number of
blocks, and total free / total allocated memory per region.
@end deffn


@node md5sum
@subsection md5sum

@deffn Command md5sum arg @dots{}
Alias for @code{hashsum --hash md5 arg @dots{}}. See command @command{hashsum}
(@pxref{hashsum}) for full description.
@end deffn

@node module
@subsection module

@deffn Command module [--nounzip] file [arguments]
Load a module for multiboot kernel image.  The rest of the
line is passed verbatim as the module command line.
@end deffn

@node multiboot
@subsection multiboot

@deffn Command multiboot [--quirk-bad-kludge] [--quirk-modules-after-kernel] file @dots{}
Load a multiboot kernel image from @var{file}.  The rest of the
line is passed verbatim as the @dfn{kernel command-line}.  Any module must
be reloaded after using this command (@pxref{module}).

Some kernels have known problems. You need to specify --quirk-* for those.
--quirk-bad-kludge is a problem seen in several products that they include
loading kludge information with invalid data in ELF file. GRUB prior to 0.97
and some custom builds preferred ELF information while 0.97 and GRUB 2
use kludge. Use this option to ignore kludge.
Known affected systems: old Solaris, SkyOS.

--quirk-modules-after-kernel is needed for kernels which load at relatively
high address e.g. 16MiB mark and can't cope with modules stuffed between
1MiB mark and beginning of the kernel.
Known afftected systems: VMWare.
@end deffn

@node nativedisk
@subsection nativedisk

@deffn Command nativedisk
Switch from firmware disk drivers to native ones.
Really useful only on platforms where both
firmware and native disk drives are available.
Currently i386-pc, i386-efi, i386-ieee1275 and
x86_64-efi.
@end deffn

@node normal
@subsection normal

@deffn Command normal [file]
Enter normal mode and display the GRUB menu.

In normal mode, commands, filesystem modules, and cryptography modules are
automatically loaded, and the full GRUB script parser is available.  Other
modules may be explicitly loaded using @command{insmod} (@pxref{insmod}).

If a @var{file} is given, then commands will be read from that file.
Otherwise, they will be read from @file{$prefix/grub.cfg} if it exists.

@command{normal} may be called from within normal mode, creating a nested
environment.  It is more usual to use @command{configfile}
(@pxref{configfile}) for this.
@end deffn


@node normal_exit
@subsection normal_exit

@deffn Command normal_exit
Exit normal mode (@pxref{normal}).  If this instance of normal mode was not
nested within another one, then return to rescue mode.
@end deffn


@node parttool
@subsection parttool

@deffn Command parttool partition commands
Make various modifications to partition table entries.

Each @var{command} is either a boolean option, in which case it must be
followed with @samp{+} or @samp{-} (with no intervening space) to enable or
disable that option, or else it takes a value in the form
@samp{@var{command}=@var{value}}.

Currently, @command{parttool} is only useful on DOS partition tables (also
known as Master Boot Record, or MBR).  On these partition tables, the
following commands are available:

@table @asis
@item @samp{boot} (boolean)
When enabled, this makes the selected partition be the active (bootable)
partition on its disk, clearing the active flag on all other partitions.
This command is limited to @emph{primary} partitions.

@item @samp{type} (value)
Change the type of an existing partition.  The value must be a number in the
range 0-0xFF (prefix with @samp{0x} to enter it in hexadecimal).

@item @samp{hidden} (boolean)
When enabled, this hides the selected partition by setting the @dfn{hidden}
bit in its partition type code; when disabled, unhides the selected
partition by clearing this bit.  This is useful only when booting DOS or
Windows and multiple primary FAT partitions exist in one disk.  See also
@ref{DOS/Windows}.
@end table
@end deffn


@node password
@subsection password

@deffn Command password user clear-password
Define a user named @var{user} with password @var{clear-password}.
@xref{Security}.
@end deffn


@node password_pbkdf2
@subsection password_pbkdf2

@deffn Command password_pbkdf2 user hashed-password
Define a user named @var{user} with password hash @var{hashed-password}.
Use @command{grub-mkpasswd-pbkdf2} (@pxref{Invoking grub-mkpasswd-pbkdf2})
to generate password hashes.  @xref{Security}.
@end deffn


@node plainmount
@subsection plainmount

@deffn Command plainmount device @option{-c} cipher @option{-s} key size [@option{-h} hash]
[@option{-S} sector size] [@option{-p} password] [@option{-u} uuid]
[[@option{-d} keyfile] [@option{-O} keyfile offset]]


Setup access to the encrypted device in plain mode. Offset of the encrypted
data at the device is specified in terms of 512 byte sectors using the blocklist
syntax and loopback device. The following example shows how to specify 1MiB
offset:

@example
loopback node (hd0,gpt1)2048+
plainmount node @var{...}
@end example

The @command{plainmount} command can be used to open LUKS encrypted volume
if its master key and parameters (key size, cipher, offset, etc) are known.

There are two ways to specify a password: a keyfile and a secret passphrase.
The keyfile path parameter has higher priority than the secret passphrase
parameter and is specified with the option @option{-d}. Password data obtained
from keyfiles is not hashed and is used directly as a cipher key. An optional
offset of password data in the keyfile can be specified with the option
@option{-O} or directly with the option @option{-d} and GRUB blocklist syntax,
if the keyfile data can be accessed from a device and is 512 byte aligned.
The following example shows both methods to specify password data in the
keyfile at offset 1MiB:

@example
plainmount -d (hd0,gpt1)2048+ @var{...}
plainmount -d (hd0,gpt1)+ -O 1048576 @var{...}
@end example

If no keyfile is specified then the password is set to the string specified
by option @option{-p} or is requested interactively from the console. In both
cases the provided password is hashed with the algorithm specified by the
option @option{-h}. This option is mandatory if no keyfile is specified, but
it can be set to @samp{plain} which means that no hashing is done and such
password is used directly as a key.

Cipher @option{-c} and keysize @option{-s} options specify the cipher algorithm
and the key size respectively and are mandatory options. Cipher must be specified
with the mode separated by a dash (for example, @samp{aes-xts-plain64}). Key size
option @option{-s} is the key size of the cipher in bits, not to be confused with
the offset of the key data in a keyfile specified with the @option{-O} option. It
must not exceed 1024 bits, so a 32 byte key would be specified as 256 bits

The optional parameter @option{-S} specifies encrypted device sector size. It
must be at least 512 bytes long (default value) and a power of 2. @footnote{Current
implementation of cryptsetup supports only 512/1024/2048/4096 byte sectors}.
Disk sector size is configured when creating the encrypted volume. Attempting
to decrypt volumes with a different sector size than it was created with will
not result in an error, but will decrypt to random bytes and thus prevent
accessing the volume (in some cases the filesystem driver can detect the presence
of a filesystem, but nevertheless will refuse to mount it).

By default new plainmount devices will be given a UUID starting with
'109fea84-a6b7-34a8-4bd1-1c506305a401' where the last digits are incremented
by one for each plainmounted device beyond the first up to 2^10 devices.

All encryption arguments (cipher, hash, key size, disk offset and disk sector
size) must match the parameters used to create the volume. If any of them does
not match the actual arguments used during the initial encryption, plainmount
will create virtual device with the garbage data and GRUB will report unknown
filesystem for such device.
@end deffn


@node play
@subsection play

@deffn Command play file | tempo [pitch1 duration1] [pitch2 duration2] @dots{}
Plays a tune

If the argument is a file name (@pxref{File name syntax}), play the tune
recorded in it.  The file format is first the tempo as an unsigned 32bit
little-endian number, then pairs of unsigned 16bit little-endian numbers for
pitch and duration pairs.

If the arguments are a series of numbers, play the inline tune.

The tempo is the base for all note durations. 60 gives a 1-second base, 120
gives a half-second base, etc.  Pitches are Hz.  Set pitch to 0 to produce
a rest.
@end deffn


@node probe
@subsection probe

@deffn Command probe [@option{--set} var] @option{--driver}|@option{--partmap}|@option{--fs}|@option{--fs-uuid}|@option{--label}|@option{--part-uuid} device
Retrieve device information. If option @option{--set} is given, assign result
to variable @var{var}, otherwise print information on the screen.

The option @option{--part-uuid} is currently only implemented for MSDOS and GPT formatted disks.
@end deffn


@node rdmsr
@subsection rdmsr

@deffn Command: rdmsr 0xADDR [-v VARNAME]
Read a model-specific register at address 0xADDR. If the parameter
@option{-v} is used and an environment variable @var{VARNAME} is
given, set that environment variable to the value that was read.

Please note that on SMP systems, reading from a MSR that has a
scope per hardware thread, implies that the value that is returned
only applies to the particular cpu/core/thread that runs the command.

Also, if you specify a reserved or unimplemented MSR address, it will
cause a general protection exception (which is not currently being handled)
and the system will reboot.
@end deffn


@node read
@subsection read

@deffn Command read [-s] [var]
Read a line of input from the user.  If an environment variable @var{var} is
given, set that environment variable to the line of input that was read,
with no terminating newline. If the parameter @option{-s} is used, enable
silent mode where input is not printed to the terminal.
@end deffn


@node reboot
@subsection reboot

@deffn Command reboot
Reboot the computer.
@end deffn


@node regexp
@subsection regexp

@deffn Command regexp [@option{--set} [number:]var] regexp string
Test if regular expression @var{regexp} matches @var{string}. Supported
regular expressions are POSIX.2 Extended Regular Expressions. If option
@option{--set} is given, store @var{number}th matched subexpression in
variable @var{var}. Subexpressions are numbered in order of their opening
parentheses starting from @samp{1}.  @var{number} defaults to @samp{1}.
@end deffn


@node rmmod
@subsection rmmod

@deffn Command rmmod module
Remove a loaded @var{module}.
@end deffn


@node save_env
@subsection save_env

@deffn Command save_env [@option{--file} file] var @dots{}
Save the named variables from the environment to the environment block file.
@xref{Environment block}.

The @option{--file} option overrides the default location of the environment
block.

This command will operate successfully even when environment variable
@code{check_signatures} is set to @code{enforce}
(@pxref{check_signatures}), since it writes to disk and does not alter
the behavior of GRUB based on any contents of disk that have been
read.  It is possible to modify a digitally signed environment block
file from within GRUB using this command, such that its signature will
no longer be valid on subsequent boots.  Care should be taken in such
advanced configurations to avoid rendering the system
unbootable. @xref{Using GPG-style digital signatures}, for more information.
@end deffn


@node search
@subsection search

@deffn Command search @
 [@option{--file}|@option{--label}|@option{--fs-uuid}] @
 [@option{--set} [var]] [@option{--no-floppy}|@option{--efidisk-only}|@option{--cryptodisk-only}] @
 name
Search devices by file (@option{-f}, @option{--file}), filesystem label
(@option{-l}, @option{--label}), or filesystem UUID (@option{-u},
@option{--fs-uuid}).

If the (@option{-s}, @option{--set}) option is used, the first device found is
set as the value of environment variable @var{var}. The default variable is
@samp{root}.

The (@option{-n}, @option{--no-floppy}) option prevents searching floppy
devices, which can be slow.

The (@option{--efidisk-only}) option prevents searching any other devices then
EFI disks. This is typically used when chainloading to local EFI partition.

The (@option{--cryptodisk-only}) option prevents searching any devices other
than encrypted disks. This is typically used when booting from an encrypted
file system to ensure that no code gets executed from an unencrypted device
having the same filesystem UUID or label.

This option implicitly invokes the command @command{cryptocheck}, if it is
available (@pxref{cryptocheck} for additional information).

The @samp{search.file}, @samp{search.fs_label}, and @samp{search.fs_uuid}
commands are aliases for @samp{search --file}, @samp{search --label}, and
@samp{search --fs-uuid} respectively.

Also hints as to which device may be the most likely to contain the item
searched for may be given via the (@option{-h}, @option{--hint}) option with
a device name as an argument. If the argument ends with a comma, then partitions
on the device are also searched. Furthermore, platform specific hints may be
given via the options @option{--hint-ieee1275}, @option{--hint-bios},
@option{--hint-baremetal}, @option{--hint-efi}, and @option{--hint-arc}. When
specified, these options take an argument and operate like @option{--hint}, but
only on the specified platform.
@end deffn


@node sendkey
@subsection sendkey

@deffn Command sendkey @
 [@option{--num}|@option{--caps}|@option{--scroll}|@option{--insert}|@
@option{--pause}|@option{--left-shift}|@option{--right-shift}|@
@option{--sysrq}|@option{--numkey}|@option{--capskey}|@option{--scrollkey}|@
@option{--insertkey}|@option{--left-alt}|@option{--right-alt}|@
@option{--left-ctrl}|@option{--right-ctrl} @
 @samp{on}|@samp{off}]@dots{} @
 [@option{no-led}] @
 keystroke
Insert keystrokes into the keyboard buffer when booting.  Sometimes an
operating system or chainloaded boot loader requires particular keys to be
pressed: for example, one might need to press a particular key to enter
"safe mode", or when chainloading another boot loader one might send
keystrokes to it to navigate its menu.

Note: This command is currently only available on the i386-pc target.

You may provide up to 16 keystrokes (the length of the BIOS keyboard
buffer).  Keystroke names may be upper-case or lower-case letters, digits,
or taken from the following table:

@c Please keep this table in the same order as in
@c commands/i386/pc/sendkey.c, for ease of maintenance.
@c Exception: The function and numeric keys are sorted, for aesthetics.

@multitable @columnfractions .4 .5
@headitem Name @tab Key
@item escape @tab Escape
@item exclam @tab !
@item at @tab @@
@item numbersign @tab #
@item dollar @tab $
@item percent @tab %
@item caret @tab ^
@item ampersand @tab &
@item asterisk @tab *
@item parenleft @tab (
@item parenright @tab )
@item minus @tab -
@item underscore @tab _
@item equal @tab =
@item plus @tab +
@item backspace @tab Backspace
@item tab @tab Tab
@item bracketleft @tab [
@item braceleft @tab @{
@item bracketright @tab ]
@item braceright @tab @}
@item enter @tab Enter
@item control @tab press and release Control
@item semicolon @tab ;
@item colon @tab :
@item quote @tab '
@item doublequote @tab "
@item backquote @tab `
@item tilde @tab ~
@item shift @tab press and release left Shift
@item backslash @tab \
@item bar @tab |
@item comma @tab ,
@item less @tab <
@item period @tab .
@item greater @tab >
@item slash @tab /
@item question @tab ?
@item rshift @tab press and release right Shift
@item alt @tab press and release Alt
@item space @tab space bar
@item capslock @tab Caps Lock
@item F1 @tab F1
@item F2 @tab F2
@item F3 @tab F3
@item F4 @tab F4
@item F5 @tab F5
@item F6 @tab F6
@item F7 @tab F7
@item F8 @tab F8
@item F9 @tab F9
@item F10 @tab F10
@item F11 @tab F11
@item F12 @tab F12
@item num1 @tab 1 (numeric keypad)
@item num2 @tab 2 (numeric keypad)
@item num3 @tab 3 (numeric keypad)
@item num4 @tab 4 (numeric keypad)
@item num5 @tab 5 (numeric keypad)
@item num6 @tab 6 (numeric keypad)
@item num7 @tab 7 (numeric keypad)
@item num8 @tab 8 (numeric keypad)
@item num9 @tab 9 (numeric keypad)
@item num0 @tab 0 (numeric keypad)
@item numperiod @tab . (numeric keypad)
@item numend @tab End (numeric keypad)
@item numdown @tab Down (numeric keypad)
@item numpgdown @tab Page Down (numeric keypad)
@item numleft @tab Left (numeric keypad)
@item numcenter @tab 5 with Num Lock inactive (numeric keypad)
@item numright @tab Right (numeric keypad)
@item numhome @tab Home (numeric keypad)
@item numup @tab Up (numeric keypad)
@item numpgup @tab Page Up (numeric keypad)
@item numinsert @tab Insert (numeric keypad)
@item numdelete @tab Delete (numeric keypad)
@item numasterisk @tab * (numeric keypad)
@item numminus @tab - (numeric keypad)
@item numplus @tab + (numeric keypad)
@item numslash @tab / (numeric keypad)
@item numenter @tab Enter (numeric keypad)
@item delete @tab Delete
@item insert @tab Insert
@item home @tab Home
@item end @tab End
@item pgdown @tab Page Down
@item pgup @tab Page Up
@item down @tab Down
@item up @tab Up
@item left @tab Left
@item right @tab Right
@end multitable

As well as keystrokes, the @command{sendkey} command takes various options
that affect the BIOS keyboard status flags.  These options take an @samp{on}
or @samp{off} parameter, specifying that the corresponding status flag be
set or unset; omitting the option for a given status flag will leave that
flag at its initial state at boot.  The @option{--num}, @option{--caps},
@option{--scroll}, and @option{--insert} options emulate setting the
corresponding mode, while the @option{--numkey}, @option{--capskey},
@option{--scrollkey}, and @option{--insertkey} options emulate pressing and
holding the corresponding key.  The other status flag options are
self-explanatory.

If the @option{--no-led} option is given, the status flag options will have
no effect on keyboard LEDs.

If the @command{sendkey} command is given multiple times, then only the last
invocation has any effect.

Since @command{sendkey} manipulates the BIOS keyboard buffer, it may cause
hangs, reboots, or other misbehaviour on some systems.  If the operating
system or boot loader that runs after GRUB uses its own keyboard driver
rather than the BIOS keyboard functions, then @command{sendkey} will have no
effect.

This command is only available on PC BIOS systems.
@end deffn


@node set
@subsection set

@deffn Command set [envvar=value]
Set the environment variable @var{envvar} to @var{value}. If invoked with no
arguments, print all environment variables with their values. For the list of
environment variables currently used by GRUB itself see the relevant section
@pxref{Environment}.
@end deffn


@node sha1sum
@subsection sha1sum

@deffn Command sha1sum arg @dots{}
Alias for @code{hashsum --hash sha1 arg @dots{}}. See command @command{hashsum}
(@pxref{hashsum}) for full description.
@end deffn


@node sha256sum
@subsection sha256sum

@deffn Command sha256sum arg @dots{}
Alias for @code{hashsum --hash sha256 arg @dots{}}. See command @command{hashsum}
(@pxref{hashsum}) for full description.
@end deffn


@node sha512sum
@subsection sha512sum

@deffn Command sha512sum arg @dots{}
Alias for @code{hashsum --hash sha512 arg @dots{}}. See command @command{hashsum}
(@pxref{hashsum}) for full description.
@end deffn


@node sleep
@subsection sleep

@deffn Command sleep [@option{--verbose}] [@option{--interruptible}] count
Sleep for @var{count} seconds. If option @option{--interruptible} is given,
allow pressing @key{ESC}, @key{F4} or holding down @key{SHIFT} to interrupt
sleep.  With @option{--verbose} show countdown of remaining seconds. Exit code
is set to 0 if timeout expired and to 1 if timeout was interrupted using any
of the mentioned keys.
@end deffn


@node smbios
@subsection smbios

@deffn Command smbios @
 [@option{--type} @var{type}] @
 [@option{--handle} @var{handle}] @
 [@option{--match} @var{match}] @
 (@option{--get-byte} | @option{--get-word} | @option{--get-dword} | @
  @option{--get-qword} | @option{--get-string} | @option{--get-uuid}) @
 @var{offset} @
 [@option{--set} @var{variable}]
Retrieve SMBIOS information.

The @command{smbios} command returns the value of a field in an SMBIOS
structure.  The following options determine which structure to select.

@itemize @bullet
@item
Specifying @option{--type} will select structures with a matching
@var{type}.  The type can be any integer from 0 to 255.
@item
Specifying @option{--handle} will select structures with a matching
@var{handle}.  The handle can be any integer from 0 to 65535.
@item
Specifying @option{--match} will select structure number @var{match} in the
filtered list of structures; e.g. @code{smbios --type 4 --match 2} will select
the second Process Information (Type 4) structure.  The list is always ordered
the same as the hardware's SMBIOS table.  The match number must be a positive
integer.  If unspecified, the first matching structure will be selected.
@end itemize

The remaining options determine which field in the selected SMBIOS structure to
return.  Only one of these options may be specified at a time.

@itemize @bullet
@item
When given @option{--get-byte}, return the value of the byte
at @var{offset} bytes into the selected SMBIOS structure.
It will be formatted as an unsigned decimal integer.
@item
When given @option{--get-word}, return the value of the word (two bytes)
at @var{offset} bytes into the selected SMBIOS structure.
It will be formatted as an unsigned decimal integer.
@item
When given @option{--get-dword}, return the value of the dword (four bytes)
at @var{offset} bytes into the selected SMBIOS structure.
It will be formatted as an unsigned decimal integer.
@item
When given @option{--get-qword}, return the value of the qword (eight bytes)
at @var{offset} bytes into the selected SMBIOS structure.
It will be formatted as an unsigned decimal integer.
@item
When given @option{--get-string}, return the string with its index found
at @var{offset} bytes into the selected SMBIOS structure.
@item
When given @option{--get-uuid}, return the value of the UUID (sixteen bytes)
at @var{offset} bytes into the selected SMBIOS structure.
It will be formatted as lower-case hyphenated hexadecimal digits, with the
first three fields as little-endian, and the rest printed byte-by-byte.
@end itemize

The default action is to print the value of the requested field to the console,
but a variable name can be specified with @option{--set} to store the value
instead of printing it.

For example, this will store and then display the system manufacturer's name.

@example
smbios --type 1 --get-string 4 --set system_manufacturer
echo $system_manufacturer
@end example
@end deffn


@node source
@subsection source

@deffn Command source file
Read @var{file} as a configuration file, as if its contents had been
incorporated directly into the sourcing file.  Unlike @command{configfile}
(@pxref{configfile}), this executes the contents of @var{file} without
changing context: any environment variable changes made by the commands in
@var{file} will be preserved after @command{source} returns, and the menu
will not be shown immediately.
@end deffn


@node stress_big_allocs
@subsection stress_big_allocs

@deffn Command stress_big_allocs
Stress test large memory allocations.
@end deffn


@node test
@subsection test

@deffn Command test expression
Evaluate @var{expression} and return zero exit status if result is true,
non zero status otherwise.

@var{expression} is one of:

@table @asis
@item @var{string1} @code{==} @var{string2}
the strings are equal
@item @var{string1} @code{!=} @var{string2}
the strings are not equal
@item @var{string1} @code{<} @var{string2}
@var{string1} is lexicographically less than @var{string2}
@item @var{string1} @code{<=} @var{string2}
@var{string1} is lexicographically less or equal than @var{string2}
@item @var{string1} @code{>} @var{string2}
@var{string1} is lexicographically greater than @var{string2}
@item @var{string1} @code{>=} @var{string2}
@var{string1} is lexicographically greater or equal than @var{string2}
@item @var{integer1} @code{-eq} @var{integer2}
@var{integer1} is equal to @var{integer2}
@item @var{integer1} @code{-ge} @var{integer2}
@var{integer1} is greater than or equal to @var{integer2}
@item @var{integer1} @code{-gt} @var{integer2}
@var{integer1} is greater than @var{integer2}
@item @var{integer1} @code{-le} @var{integer2}
@var{integer1} is less than or equal to @var{integer2}
@item @var{integer1} @code{-lt} @var{integer2}
@var{integer1} is less than @var{integer2}
@item @var{integer1} @code{-ne} @var{integer2}
@var{integer1} is not equal to @var{integer2}
@item @var{prefix}@var{integer1} @code{-pgt} @var{prefix}@var{integer2}
@var{integer1} is greater than @var{integer2} after stripping off common non-numeric @var{prefix}.
@item @var{prefix}@var{integer1} @code{-plt} @var{prefix}@var{integer2}
@var{integer1} is less than @var{integer2} after stripping off common non-numeric @var{prefix}.
@item @var{file1} @code{-nt} @var{file2}
@var{file1} is newer than @var{file2} (modification time). Optionally numeric @var{bias} may be directly appended to @code{-nt} in which case it is added to the first file modification time.
@item @var{file1} @code{-ot} @var{file2}
@var{file1} is older than @var{file2} (modification time). Optionally numeric @var{bias} may be directly appended to @code{-ot} in which case it is added to the first file modification time.
@item @code{-d} @var{file}
@var{file} exists and is a directory
@item @code{-e} @var{file}
@var{file} exists
@item @code{-f} @var{file}
@var{file} exists and is not a directory
@item @code{-s} @var{file}
@var{file} exists and has a size greater than zero
@item @code{-n} @var{string}
the length of @var{string} is nonzero
@item @var{string}
@var{string} is equivalent to @code{-n @var{string}}
@item @code{-z} @var{string}
the length of @var{string} is zero
@item @code{(} @var{expression} @code{)}
@var{expression} is true
@item @code{!} @var{expression}
@var{expression} is false
@item @var{expression1} @code{-a} @var{expression2}
both @var{expression1} and @var{expression2} are true
@item @var{expression1} @var{expression2}
both @var{expression1} and @var{expression2} are true. This syntax is not POSIX-compliant and is not recommended.
@item @var{expression1} @code{-o} @var{expression2}
either @var{expression1} or @var{expression2} is true
@end table
@end deffn

@node tpm2_key_protector_init
@subsection tpm2_key_protector_init

@deffn Command tpm2_key_protector_init [@option{--mode} | @option{-m} mode] | [@option{--pcrs} | @option{-p} pcrlist] | [@option{--bank} | @option{-b} pcrbank] | [@option{--cap-pcrs} | @option{-c} pcrlist] | [ [@option{--tpm2key} | @option{-T} tpm2key_file] | [@option{--keyfile} | @option{-k} keyfile] ] | [@option{--srk} | @option{-s} handle] | [@option{--asymmetric} | @option{-a} srk_type] | [@option{--nvindex} | @option{-n} nv_index]
Initialize the TPM2 key protector to unseal the key for the @command{cryptomount}
(@pxref{cryptomount}) command. There are two supported modes,
SRK(@kbd{srk}) and NV index(@kbd{nv}), to be specified by the option
@option{-m}. The default mode is SRK. The main difference between SRK mode
and NV index mode is the storage of the sealed key. For SRK mode, the sealed
key is stored in a file while NV index mode stores the sealed key in the
non-volatile memory inside TPM with a given NV index.

The @option{-p} and @option{-b} options are used to supply the PCR list and
bank that the key is sealed with. The PCR list is a comma-separated list, e.g.,
'0,2,4,7,9', to represent the involved PCRs, and the default is '7'. The PCR
bank is chosen by selecting a hash algorithm. The current supported PCR banks
are SHA1, SHA256, SHA384, and SHA512, and the default is SHA256.

The @option{-c} option is introduced to enable the "capping" of a specified list of
PCRs. This feature addresses scenarios where a user wants to ensure a sealed key
cannot be unsealed again after its initial use. When the @option{-c} option is
employed, and the key is successfully unsealed, the TPM2 key protector automatically
extends the selected PCRs with an EV_SEPARATOR event. This action cryptographically
alters the PCR values, thereby preventing the associated key from being unsealed in
any subsequent attempts until those specific PCRs are reset to their original state,
which typically occurs during a system reboot. In general, it is sufficient to
extend one associated PCR to cap the key.

It's noteworthy that a key sealed against PCR 8 naturally incorporates a "capping"
behavior, even without explicitly using a @option{-c} option. This is because GRUB
measures all commands into PCR 8, including those from configuration files. As a
result, the value of PCR 8 changes with virtually every command execution during
the boot process. Consequently, a key sealed against PCR 8 can only be unsealed
once in a given boot session, as any subsequent GRUB command will alter PCR 8,
invalidating the unsealing policy and effectively "capping" the key.

Some options are only available for the specific mode. The SRK-specific
options are @option{-T}, @option{-k}, @option{-a}, and @option{-s}. On the
other hand, the NV index-specific option is @option{-n}.

The key file for SRK mode can be supplied with either @option{-T} or
@option{-k}. Those two options were used to distinguish the file formats but
are same now. There are two supported file formats: raw format and TPM 2.0
Key File format. When using the key file in the raw format, the @option{-p}
and @option{-b} options are necessary for the non-default PCR list or bank.
On the other hand, when using the key file in TPM 2.0 Key File format, the
the parameters for the TPM commands are written in the file, and there is no
need to set the PCR list(@option{-p}) and bank(@option{-b}). In general,
TPM 2.0 Key File format is preferred due to the simplified GRUB command
options and the authorized policy support

Besides the key file, there are two options, @option{-a} and @option{-s}, to
tweak the TPM Storage Root Key (SRK). The SRK can be either created at
runtime or stored in the non-volatile memory. When creating SRK at runtime,
GRUB provides the SRK template to the TPM to create the key. There are two SRK
templates for the @option{-a} option, ECC and RSA, and the default is ECC.
If the SRK is stored in a specific handle, e.g. @code{0x81000001}, the
@option{-s} option can be used to set the handle to notify GRUB to load
the SRK from the given handle.

The only NV index-specific option is the @option{-n} option which is used to
set the NV index containing the sealed key. Then GRUB can load the sealed
key and unseal it with the given PCR list and bank.
@end deffn

@node tpm2_key_protector_clear
@subsection tpm2_key_protector_clear

@deffn Command tpm2_key_protector_clear
Clear the TPM2 key protector if previously initialized.
@end deffn

@node tpm2_dump_pcr
@subsection tpm2_dump_pcr

@deffn Command tpm2_dump_pcr [@var{bank}]
Print all PCRs of the specified TPM 2.0 @var{bank}. The supported banks are
@samp{sha1}, @samp{sha256}, @samp{sha384}, and @samp{sha512}. If @var{bank}
is not specified, @samp{sha256} is chosen by default.

Since GRUB measures every command into PCR 8, invoking @command{tpm2_dump_pcr}
also extends PCR 8, so PCR 8 will not be a stable value in GRUB shell.
@end deffn

@node true
@subsection true

@deffn Command true
Do nothing, successfully.  This is mainly useful in control constructs such
as @code{if} and @code{while} (@pxref{Shell-like scripting}).
@end deffn

@node trust
@subsection trust

@deffn Command trust [@option{--skip-sig}] pubkey_file
Read public key from @var{pubkey_file} and add it to GRUB's internal
list of trusted public keys.  These keys are used to validate digital
signatures when environment variable @code{check_signatures} is set to
@code{enforce}.  Note that if @code{check_signatures} is set to
@code{enforce} when @command{trust} executes, then @var{pubkey_file}
must itself be properly signed.  The @option{--skip-sig} option can be
used to disable signature-checking when reading @var{pubkey_file}
itself. It is expected that @option{--skip-sig} is useful for testing
and manual booting. @xref{Using GPG-style digital signatures}, for more
information.
@end deffn


@node uki
@subsection uki

@deffn Command uki [@option{-p|--path} dir] [@option{-f|--enable-fallback}] [@option{-d|--show-default}] [@option{-n|--show-non-default}] [@option{-e|--entry} file]
Load Unified Kernel Image (UKI) files into the GRUB menu. Boot entries
generated from @command{uki} won't interfere with entries from @file{grub.cfg} appearing in the
GRUB menu. Also, entries generated from @command{uki} exists only in memory and don't
update @file{grub.cfg}.

By default, the UKI files are stored in the @file{/EFI/Linux} directory in the EFI
system partition. If UKI files are stored elsewhere, the @option{--path} option can be
used to check a different directory instead of the default location. If no UKI
files are found while using the @option{--path} option, the @option{--enable-fallback} option can
be used to check for files in the default location.

The @option{--show-default} option allows the default boot entry to be added to the
GRUB menu from the UKI files.

The @option{--show-non-default} option allows non-default boot entries to be added to
the GRUB menu from the UKI files.

The @option{--entry} option allows specific boot entries to be added to the GRUB menu
from the UKI files.

The @option{--entry}, @option{--show-default}, and @option{--show-non-default} options
are used to filter which UKI files are added to the GRUB menu. If none are
used, all files in the default location or the location specified by @option{--path}
will be added to the GRUB menu.

For more information on UKI, see: @uref{https://uapi-group.org/specifications/specs/unified_kernel_image/, The Unified Kernel Image Specification}
@end deffn

@node unset
@subsection unset

@deffn Command unset envvar
Unset the environment variable @var{envvar}.
@end deffn


@ignore
@node vbeinfo
@subsection vbeinfo

@deffn Command vbeinfo [[WxH]xD]
Alias for command @command{videoinfo} (@pxref{videoinfo}). It is available
only on PC BIOS platforms.
@end deffn
@end ignore


@node verify_detached
@subsection verify_detached

@deffn Command verify_detached [@option{--skip-sig}] file signature_file [pubkey_file]
Verifies a GPG-style detached signature, where the signed file is
@var{file}, and the signature itself is in file @var{signature_file}.
Optionally, a specific public key to use can be specified using
@var{pubkey_file}.  When environment variable @code{check_signatures}
is set to @code{enforce}, then @var{pubkey_file} must itself be
properly signed by an already-trusted key.  An unsigned
@var{pubkey_file} can be loaded by specifying @option{--skip-sig}.
If @var{pubkey_file} is omitted, then public keys from GRUB's trusted keys
(@pxref{list_trusted}, @pxref{trust}, and @pxref{distrust}) are
tried.

Exit code @code{$?} is set to 0 if the signature validates
successfully.  If validation fails, it is set to a non-zero value.
@xref{Using GPG-style digital signatures}, for more information.
@end deffn

@node videoinfo
@subsection videoinfo

@deffn Command videoinfo [[WxH]xD]
List available video modes. If resolution is given, show only matching modes.
@end deffn

@node wrmsr
@subsection wrmsr

@deffn Command: wrmsr 0xADDR 0xVALUE
Write a 0xVALUE to a model-specific register at address 0xADDR.

Please note that on SMP systems, writing to a MSR that has a scope
per hardware thread, implies that the value that is written
only applies to the particular cpu/core/thread that runs the command.

Also, if you specify a reserved or unimplemented MSR address, it will
cause a general protection exception (which is not currently being handled)
and the system will reboot.

Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
      This is done to prevent subverting various security mechanisms.
@end deffn

@node Networking commands
@section Networking commands

@menu
* net_add_addr::                Add a network address
* net_add_dns::                 Add a DNS server
* net_add_route::               Add routing entry
* net_bootp::                   Perform a bootp/DHCP autoconfiguration
* net_del_addr::                Remove IP address from interface
* net_del_dns::                 Remove a DNS server
* net_del_route::               Remove a route entry
* net_dhcp::                    Perform a DHCP autoconfiguration
* net_get_dhcp_option::         Retrieve DHCP options
* net_ipv6_autoconf::           Perform IPv6 autoconfiguration
* net_ls_addr::                 List interfaces
* net_ls_cards::                List network cards
* net_ls_dns::                  List DNS servers
* net_ls_routes::               List routing entries
* net_nslookup::                Perform a DNS lookup
* net_set_vlan::                Set vlan id on an interface
@end menu


@node net_add_addr
@subsection net_add_addr

@deffn Command net_add_addr @var{interface} @var{card} @var{address}
Configure additional network @var{interface} with @var{address} on a
network @var{card}. @var{address} can be either IP in dotted decimal notation,
or symbolic name which is resolved using DNS lookup. If successful, this command
also adds local link routing entry to the default subnet of @var{address}
with name @var{interface}@samp{:local} via @var{interface}.
@end deffn


@node net_add_dns
@subsection net_add_dns

@deffn Command net_add_dns @var{server}
Resolve @var{server} IP address and add to the list of DNS servers used during
name lookup.
@end deffn


@node net_add_route
@subsection net_add_route

@deffn Command net_add_route @var{shortname} @var{ip}[/@var{prefix}] [@var{interface} | @samp{gw} @var{gateway}]
Add route to network with address @var{ip} as modified by @var{prefix} via
either local @var{interface} or @var{gateway}. @var{prefix} is optional and
defaults to 32 for IPv4 address and 128 for IPv6 address. Route is identified
by @var{shortname} which can be used to remove it (@pxref{net_del_route}).
@end deffn


@node net_bootp
@subsection net_bootp

@deffn Command net_bootp [@var{card}]
Alias for net_dhcp, for compatibility with older Grub versions. Will perform
the same DHCP handshake with potential fallback to BOOTP as the net_dhcp
command (@pxref{net_dhcp}).

@end deffn


@node net_del_addr
@subsection net_del_addr

@deffn Command net_del_addr @var{interface}
Remove configured @var{interface} with associated address.
@end deffn


@node net_del_dns
@subsection net_del_dns

@deffn Command net_del_dns @var{address}
Remove @var{address} from list of servers used during name lookup.
@end deffn


@node net_del_route
@subsection net_del_route

@deffn Command net_del_route @var{shortname}
Remove route entry identified by @var{shortname}.
@end deffn


@node net_dhcp
@subsection net_dhcp

@deffn Command net_dhcp [@var{card}]
Perform configuration of @var{card} using DHCP protocol. If no card name
is specified, try to configure all existing cards.
Falls back to the BOOTP protocol, if needed. If configuration was
successful, interface with name @var{card}@samp{:dhcp} and configured
address is added to @var{card}.
@comment If server provided gateway information in
@comment DHCP ACK packet, it is added as route entry with the name @var{card}@samp{:dhcp:gw}.
Additionally the following DHCP options are recognized and processed:

@table @samp
@item 1 (Subnet Mask)
Used to calculate network local routing entry for interface @var{card}@samp{:dhcp}.
@item 3 (Router)
Adds default route entry with the name @var{card}@samp{:dhcp:default} via gateway
from DHCP option. Note that only option with single route is accepted.
@item 6 (Domain Name Server)
Adds all servers from option value to the list of servers used during name resolution.
@item 12 (Host Name)
Sets environment variable @samp{net_}@var{<card>}@samp{_dhcp_hostname}
(@pxref{net_@var{<interface>}_hostname}) to the value of option.
@item 15 (Domain Name)
Sets environment variable @samp{net_}@var{<card>}@samp{_dhcp_domain}
(@pxref{net_@var{<interface>}_domain}) to the value of option.
@item 17 (Root Path)
Sets environment variable @samp{net_}@var{<card>}@samp{_dhcp_rootpath}
(@pxref{net_@var{<interface>}_rootpath}) to the value of option.
@item 18 (Extensions Path)
Sets environment variable @samp{net_}@var{<card>}@samp{_dhcp_extensionspath}
(@pxref{net_@var{<interface>}_extensionspath}) to the value of option.
@item 66 (TFTP Server Name)
Sets environment variable @samp{net_}@var{<card>}@samp{_dhcp_server_name}
(@pxref{net_@var{<interface>}_dhcp_server_name}) to the value of option.
@item 67 (Filename)
Sets environment variable @samp{net_}@var{<card>}@samp{_boot_file}
(@pxref{net_@var{<interface>}_boot_file}) to the value of option.
@end table

@end deffn


@node net_get_dhcp_option
@subsection net_get_dhcp_option

@deffn Command net_get_dhcp_option @var{var} @var{interface} @var{number} @var{type}
Request DHCP option @var{number} of @var{type} via @var{interface}. @var{type}
can be one of @samp{string}, @samp{number} or @samp{hex}. If option is found,
assign its value to variable @var{var}. Values of types @samp{number} and @samp{hex}
are converted to string representation.
@end deffn


@node net_ipv6_autoconf
@subsection net_ipv6_autoconf

@deffn Command net_ipv6_autoconf [@var{card}]
Perform IPv6 autoconfiguration by adding to the @var{card} interface with name
@var{card}@samp{:link} and link local MAC-based address. If no card is specified,
perform autoconfiguration for all existing cards.
@end deffn


@node net_ls_addr
@subsection net_ls_addr

@deffn Command net_ls_addr
List all configured interfaces with their MAC and IP addresses.
@end deffn


@node net_ls_cards
@subsection net_ls_cards

@deffn Command net_ls_cards
List all detected network cards with their MAC address.
@end deffn


@node net_ls_dns
@subsection net_ls_dns

@deffn Command net_ls_dns
List addresses of DNS servers used during name lookup.
@end deffn


@node net_ls_routes
@subsection net_ls_routes

@deffn Command net_ls_routes
List routing entries.
@end deffn


@node net_nslookup
@subsection net_nslookup

@deffn Command net_nslookup @var{name} [@var{server}]
Resolve address of @var{name} using DNS server @var{server}. If no server
is given, use default list of servers.
@end deffn


@node net_set_vlan
@subsection net_set_vlan

@deffn Command net_set_vlan @var{interface} @var{vlanid}
Set the 802.1Q VLAN identifier on @var{interface} to @var{vlanid}. For example,
to set the VLAN identifier on interface @samp{efinet1} to @samp{100}:

@example
net_set_vlan efinet1 100
@end example

The VLAN identifier can be removed by setting it to @samp{0}:

@example
net_set_vlan efinet1 0
@end example
@end deffn


@node Undocumented commands
@section Commands currently undocumented
Unfortunately, not all GRUB commands are documented at this time due to
developer resource constraints. One way to contribute back to the GRUB
project would be to help document these commands, and submit patches or
ideas to the mailing list. The following is a (most likely incomplete)
list of undocumented or poorly documented commands and not all of them
are allowed for all platforms. Running the command help from within the
GRUB shell may provide more information on parameters and usage.

@itemize @bullet
@item @command{all_functional_test} - Run all functional tests.
@item @command{backtrace} - Print backtrace.
@item @command{boottime} - Show boot time statistics.
@item @command{cacheinfo} - Get disk cache info.
@item @command{cbmemc} - Show CBMEM console content.
@item @command{cmosset} -  Set bit at BYTE:BIT in CMOS.
@item @command{coreboot_boottime} - Show coreboot boot time statistics.
@item @command{dump} - Show memory contents.
@item @command{efiemu_loadcore} - Load and initialize EFI emulator.
@item @command{efiemu_prepare} - Finalize loading of EFI emulator.
@item @command{efiemu_unload} - Unload EFI emulator.
@item @command{exit} - Exit from GRUB.
@item @command{extract_entries_configfile} - Load another config file but take only menu entries.
@item @command{extract_entries_source} - Load another config file without changing context but take only menu entries.
@item @command{extract_legacy_entries_configfile} - Parse legacy config in new context taking only menu entries
@item @command{extract_legacy_entries_source} - Parse legacy config in same context taking only menu entries
@item @command{extract_syslinux_entries_configfile} - Execute syslinux config in new context taking only menu entries
@item @command{extract_syslinux_entries_source} - Execute syslinux config in same context taking only menu entries
@item @command{fakebios} - Create BIOS-like structures for backward compatibility with existing OS.
@item @command{fix_video} - Fix video problem.
@item @command{fpswa} - Display FPSWA version.
@item @command{functional_test} - Run all loaded functional tests.
@item @command{gdbstub_break} - Break into GDB
@item @command{gdbstub} -  Start GDB stub on given port
@item @command{gdbstub_stop} - Stop GDB stub
@item @command{hdparm} - Get/set ATA disk parameters.
@item @command{hexdump_random} - Hexdump random data.
@item @command{inb} - Read 8-bit value from PORT.
@item @command{inl} - Read 32-bit value from PORT.
@item @command{inw} - Read 16-bit value from PORT.
@item @command{jpegtest} - Tests loading of JPEG bitmap.
@item @command{keymap} - Load a keyboard layout.
@item @command{legacy_check_password} - Simulate grub-legacy `password' command in menu entry mode
@item @command{legacy_configfile} - Parse legacy config in new context
@item @command{legacy_password} - Simulate grub-legacy `password' command
@item @command{legacy_source} -  Parse legacy config in same context
@item @command{loadbios} - Load BIOS dump.
@item @command{lsacpi} - Show ACPI information.
@item @command{lsapm} - Show APM information.
@item @command{lscoreboot} - List coreboot tables.
@item @command{lsdev} - List devices.
@item @command{lsefi} - Display EFI handles.
@item @command{lsefimmap} - Display EFI memory map.
@item @command{lsefisystab} - Display EFI system tables.
@item @command{lsmmap} - List memory map provided by firmware.
@item @command{lspci} - List PCI devices.
@item @command{lssal} - Display SAL system table.
@item @command{lsspd} - Print Memory information.
@item @command{macppcbless} - Bless DIR of HFS or HFS+ partition for PPC macs.
@item @command{mactelbless} - Bless FILE of HFS or HFS+ partition for intel macs.
@item @command{net_set_vlan} - Set an interface's vlan id.
@item @command{outb} - Write 8-bit VALUE to PORT.
@item @command{outl} - Write 32-bit VALUE to PORT.
@item @command{outw} - Write 16-bit VALUE to PORT.
@item @command{pcidump} - Show raw dump of the PCI configuration space.
@item @command{pngtest} - Tests loading of PNG bitmap.
@item @command{read_byte} - Read 8-bit value from ADDR.
@item @command{read_dword} - Read 32-bit value from ADDR.
@item @command{read_word} - Read 16-bit value from ADDR.
@item @command{setpci} - Manipulate PCI devices.
@item @command{suspend} - Return to IEEE1275 prompt.
@item @command{syslinux_configfile} - Execute syslinux config in new context
@item @command{syslinux_source} - Execute syslinux config in same context
@item @command{test_blockarg} - Print and execute block argument., 0
@item @command{testload} - Load the same file in multiple ways.
@item @command{testspeed} - Test file read speed.
@item @command{tgatest} - Tests loading of TGA bitmap.
@item @command{time} - Measure time used by COMMAND
@item @command{tr} - Translate SET1 characters to SET2 in STRING.
@item @command{usb} - Test USB support.
@item @command{vbeinfo} - List available video modes. If resolution is given show only modes matching it.
@item @command{vbetest} - Test video subsystem.
@item @command{videotest} - Test video subsystem in mode WxH.
@item @command{write_byte} - Write 8-bit VALUE to ADDR.
@item @command{write_dword} - Write 32-bit VALUE to ADDR.
@item @command{write_word} - Write 16-bit VALUE to ADDR.
@item @command{xen_cat} - List Xen storage.
@item @command{xen_ls} - List Xen storage.
@item @command{xnu_devprop_load} - Load `device-properties' dump.
@item @command{xnu_uuid} - Transform 64-bit UUID to format suitable for XNU. If -l is given keep it lowercase as done by blkid.
@item @command{zfs-bootfs} - Print ZFS-BOOTFSOBJ or store it into VARIABLE
@item @command{zfsinfo} - Print ZFS info about DEVICE.
@item @command{zfskey} - Import ZFS wrapping key stored in FILE.
@end itemize


@node Internationalisation
@chapter Internationalisation

@section Charset
GRUB uses UTF-8 internally other than in rendering where some GRUB-specific
appropriate representation is used. All text files (including config) are
assumed to be encoded in UTF-8.

@section Filesystems
NTFS, JFS, UDF, HFS+, exFAT, long filenames in FAT, Joliet part of
ISO9660 are treated as UTF-16 as per specification. AFS and BFS are read
as UTF-8, again according to specification. BtrFS, cpio, tar, squash4, minix,
minix2, minix3, ROMFS, ReiserFS, XFS, EROFS, ext2, ext3, ext4, FAT (short names),
F2FS, RockRidge part of ISO9660, nilfs2, UFS1, UFS2 and ZFS are assumed
to be UTF-8. This might be false on systems configured with legacy charset
but as long as the charset used is superset of ASCII you should be able to
access ASCII-named files. And it's recommended to configure your system to use
UTF-8 to access the filesystem, convmv may help with migration. ISO9660 (plain)
filenames are specified as being ASCII or being described with unspecified
escape sequences. GRUB assumes that the ISO9660 names are UTF-8 (since
any ASCII is valid UTF-8). There are some old CD-ROMs which use CP437
in non-compliant way. You're still able to access files with names containing
only ASCII characters on such filesystems though. You're also able to access
any file if the filesystem contains valid Joliet (UTF-16) or RockRidge (UTF-8).
AFFS, SFS and HFS never use unicode and GRUB assumes them to be in Latin1,
Latin1 and MacRoman respectively. GRUB handles filesystem case-insensitivity
however no attempt is performed at case conversion of international characters
so e.g. a file named lowercase greek alpha is treated as different from
the one named as uppercase alpha. The filesystems in questions are
NTFS (except POSIX namespace), HFS+ (configurable at mkfs time, default
insensitive), SFS (configurable at mkfs time, default insensitive),
JFS (configurable at mkfs time, default sensitive), HFS, AFFS, FAT, exFAT
and ZFS (configurable on per-subvolume basis by property ``casesensitivity'',
default sensitive). On ZFS subvolumes marked as case insensitive files
containing lowercase international characters are inaccessible.
Also like all supported filesystems except HFS+ and ZFS (configurable on
per-subvolume basis by property ``normalization'', default none) GRUB makes
no attempt at check of canonical equivalence so a file name u-diaresis is
treated as distinct from u+combining diaresis. This however means that in
order to access file on HFS+ its name must be specified in normalisation form D.
On normalized ZFS subvolumes filenames out of normalisation are inaccessible.

@section Output terminal
Firmware output console ``console'' on ARC and IEEE1275 are limited to ASCII.

BIOS firmware console and VGA text are limited to ASCII and some pseudographics.

None of above mentioned is appropriate for displaying international and any
unsupported character is replaced with question mark except pseudographics
which we attempt to approximate with ASCII.

EFI console on the other hand nominally supports UTF-16 but actual language
coverage depends on firmware and may be very limited.

The encoding used on serial can be chosen with @command{terminfo} as
either ASCII, UTF-8 or ``visual UTF-8''. Last one is against the specification
but results in correct rendering of right-to-left on some readers which don't
have own bidi implementation.

On emu GRUB checks if charset is UTF-8 and uses it if so and uses ASCII
otherwise.

When using gfxterm or gfxmenu GRUB itself is responsible for rendering the
text. In this case GRUB is limited by loaded fonts. If fonts contain all
required characters then bidirectional text, cursive variants and combining
marks other than enclosing, half (e.g. left half tilde or combining overline)
and double ones. Ligatures aren't supported though. This should cover European,
Middle Eastern (if you don't mind lack of lam-alif ligature in Arabic) and
East Asian scripts. Notable unsupported scripts are Brahmic family and
derived as well as Mongolian, Tifinagh, Korean Jamo (precomposed characters
have no problem) and tonal writing (2e5-2e9). GRUB also ignores deprecated
(as specified in Unicode) characters (e.g. tags). GRUB also doesn't handle so
called ``annotation characters'' If you can complete either of
two lists or, better, propose a patch to improve rendering, please contact
developer team.

@section Input terminal
Firmware console on BIOS, IEEE1275 and ARC doesn't allow you to enter non-ASCII
characters. EFI specification allows for such but author is unaware of any
actual implementations. Serial input is currently limited for latin1 (unlikely
to change). Own keyboard implementations (at_keyboard and usb_keyboard) 
supports any key but work on one-char-per-keystroke.
So no dead keys or advanced input method. Also there is no keymap change hotkey.
In practice it makes difficult to enter any text using non-Latin alphabet.
Moreover all current input consumers are limited to ASCII.

@section Gettext
GRUB supports being translated. For this you need to have language *.mo files in $prefix/locale, load gettext module and set ``lang'' variable.

@section Regexp
Regexps work on unicode characters, however no attempt at checking canonical
equivalence has been made. Moreover the classes like [:alpha:] match only
ASCII subset.

@section Other
Currently GRUB always uses YEAR-MONTH-DAY HOUR:MINUTE:SECOND [WEEKDAY] 24-hour
datetime format but weekdays are translated.
GRUB always uses the decimal number format with [0-9] as digits and . as
descimal separator and no group separator.
IEEE1275 aliases are matched case-insensitively except non-ASCII which is
matched as binary. Similar behaviour is for matching OSBundleRequired.
Since IEEE1275 aliases and OSBundleRequired don't contain any non-ASCII it
should never be a problem in practice.
Case-sensitive identifiers are matched as raw strings, no canonical
equivalence check is performed. Case-insensitive identifiers are matched
as RAW but additionally [a-z] is equivalent to [A-Z]. GRUB-defined
identifiers use only ASCII and so should user-defined ones.
Identifiers containing non-ASCII may work but aren't supported.
Only the ASCII space characters (space U+0020, tab U+000b, CR U+000d and
LF U+000a) are recognised. Other unicode space characters aren't a valid
field separator.
@command{test} (@pxref{test}) tests <, >, <=, >=, -pgt and -plt compare the strings in the
lexicographical order of unicode codepoints, replicating the behaviour of
test from coreutils.
environment variables and commands are listed in the same order.

@node Security
@chapter Security

@menu
* Authentication and authorisation::   Users and access control
* Using GPG-style digital signatures:: Booting digitally signed code
* Using appended signatures::          An alternative approach to booting digitally signed code
* UEFI secure boot and shim::          Booting digitally signed PE files
* Secure Boot Advanced Targeting::     Embedded information for generation number based revocation
* Measured Boot::                      Measuring boot components
* Lockdown::                           Lockdown when booting on a secure setup
* TPM2 key protector::                 Managing disk key with TPM2 key protector
* Signing certificate and hash files:: Certificate and hash file signing
* Signing GRUB itself::                Ensuring the integrity of the GRUB core image
* Hardening::                          Configuration and customization to maximize security
@end menu

@node Authentication and authorisation
@section Authentication and authorisation in GRUB

By default, the boot loader interface is accessible to anyone with physical
access to the console: anyone can select and edit any menu entry, and anyone
can get direct access to a GRUB shell prompt.  For most systems, this is
reasonable since anyone with direct physical access has a variety of other
ways to gain full access, and requiring authentication at the boot loader
level would only serve to make it difficult to recover broken systems.

However, in some environments, such as kiosks, it may be appropriate to lock
down the boot loader to require authentication before performing certain
operations.

The @samp{password} (@pxref{password}) and @samp{password_pbkdf2}
(@pxref{password_pbkdf2}) commands can be used to define users, each of
which has an associated password.  @samp{password} sets the password in
plain text, requiring @file{grub.cfg} to be secure; @samp{password_pbkdf2}
sets the password hashed using the Password-Based Key Derivation Function
(RFC 2898), requiring the use of @command{grub-mkpasswd-pbkdf2}
(@pxref{Invoking grub-mkpasswd-pbkdf2}) to generate password hashes.

In order to enable authentication support, the @samp{superusers} environment
variable must be set to a list of usernames, separated by any of spaces,
commas, semicolons, pipes, or ampersands.  Superusers are permitted to use
the GRUB command line, edit menu entries, and execute any menu entry.  If
@samp{superusers} is set, then use of the command line and editing of menu
entries are automatically restricted to superusers. Setting @samp{superusers}
to empty string effectively disables both access to CLI and editing of menu
entries. Building a grub image with @samp{--disable-cli} option will also
disable access to CLI and editing of menu entries, as well as disabling rescue
mode. Note: The environment variable needs to be exported to also affect the
section defined by the @samp{submenu} command (@pxref{submenu}).

Other users may be allowed to execute specific menu entries by giving a list of
usernames (as above) using the @option{--users} option to the
@samp{menuentry} command (@pxref{menuentry}).  If the @option{--unrestricted}
option is used for a menu entry, then that entry is unrestricted.
If the @option{--users} option is not used for a menu entry, then that
only superusers are able to use it.

Putting this together, a typical @file{grub.cfg} fragment might look like
this:

@example
@group
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.biglongstring
password user1 insecure

menuentry "May be run by any user" --unrestricted @{
	set root=(hd0,1)
	linux /vmlinuz
@}

menuentry "Superusers only" --users "" @{
	set root=(hd0,1)
	linux /vmlinuz single
@}

menuentry "May be run by user1 or a superuser" --users user1 @{
	set root=(hd0,2)
	chainloader +1
@}
@end group
@end example

The @command{grub-mkconfig} program does not yet have built-in support for
generating configuration files with authentication.  You can use
@file{/etc/grub.d/40_custom} to add simple superuser authentication, by
adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2}
commands.

@node Using GPG-style digital signatures
@section Using GPG-style digital signatures in GRUB

GRUB's @file{core.img} can optionally provide enforcement that all files
subsequently read from disk are covered by a valid digital signature.
This section does @strong{not} cover how to ensure that your
platform's firmware (e.g., Coreboot) validates @file{core.img}.

If environment variable @code{check_signatures}
(@pxref{check_signatures}) is set to @code{enforce}, then every
attempt by the GRUB @file{core.img} to load another file @file{foo}
implicitly invokes @code{verify_detached foo foo.sig}
(@pxref{verify_detached}).  @code{foo.sig} must contain a valid
digital signature over the contents of @code{foo}, which can be
verified with a public key currently trusted by GRUB
(@pxref{list_trusted}, @pxref{trust}, and @pxref{distrust}).  If
validation fails, then file @file{foo} cannot be opened.  This failure
may halt or otherwise impact the boot process.

An initial trusted public key can be embedded within the GRUB @file{core.img}
using the @code{--pubkey} option to @command{grub-install}
(@pxref{Invoking grub-install}).

GRUB uses GPG-style detached signatures (meaning that a file
@file{foo.sig} will be produced when file @file{foo} is signed), and
currently supports the DSA and RSA signing algorithms. A signing key
can be generated as follows:

@example
gpg --gen-key
@end example

An individual file can be signed as follows:

@example
gpg --detach-sign /path/to/file
@end example

For successful validation of all of GRUB's subcomponents and the
loaded OS kernel, they must all be signed.  One way to accomplish this
is the following (after having already produced the desired
@file{grub.cfg} file, e.g., by running @command{grub-mkconfig}
(@pxref{Invoking grub-mkconfig}):

@example
@group
# Edit /dev/shm/passphrase.txt to contain your signing key's passphrase
for i in `find /boot -name "*.cfg" -or -name "*.lst" -or \
  -name "*.mod" -or -name "vmlinuz*" -or -name "initrd*" -or \
  -name "grubenv"`;
do
  gpg --batch --detach-sign --passphrase-fd 0 $i < \
    /dev/shm/passphrase.txt
done
shred /dev/shm/passphrase.txt
@end group
@end example

See also: @ref{check_signatures}, @ref{verify_detached}, @ref{trust},
@ref{list_trusted}, @ref{distrust}, @ref{load_env}, @ref{save_env}.

Note that internally signature enforcement is controlled by setting
the environment variable @code{check_signatures} equal to
@code{enforce}.  Passing one or more @code{--pubkey} options to
@command{grub-mkimage} implicitly defines @code{check_signatures}
equal to @code{enforce} in @file{core.img} prior to processing any
configuration files.

Note that signature checking does @strong{not} prevent an attacker
with (serial, physical, ...) console access from dropping manually to
the GRUB console and executing:

@example
set check_signatures=no
@end example

To prevent this, password-protection (@pxref{Authentication and
authorisation}) is essential.  Note that even with GRUB password
protection, GRUB itself cannot prevent someone with physical access to
the machine from altering that machine's firmware (e.g., Coreboot
or BIOS) configuration to cause the machine to boot from a different
(attacker-controlled) device.  GRUB is at best only one link in a
secure boot chain.

@node Using appended signatures
@section Using appended signatures in GRUB

GRUB supports verifying Linux-style 'appended signatures' for Linux on Power LPAR
secure boot. Appended signatures are PKCS#7 messages containing a signature over the
contents of a file, plus some metadata, appended to the end of a file. A file
with an appended signature ends with the magic string:

@example
~Module signature appended~\n
@end example

where @code{\n} represents the line feed character, @code{0x0a}.

Linux on Power LPAR secure boot is controlled by @strong{'ibm,secure-boot'}
device tree property and if this property is set to @code{2} (@samp{enforce}),
GRUB enters lockdown mode. There are three secure boot modes. They are

@itemize
@item @samp{0 - disabled}: Secure boot is disabled. This is the default.
@item @samp{1 - audit}: Enforce signature verification by setting
      @code{check_appended_signatures} (@pxref{check_appended_signatures}) to
      @code{yes} and do not enter lockdown mode. Signature verification
      is performed and if signature verification fails, display the errors and
      allow the boot to continue.
@item @samp{2 - enforce}: Enter lockdown mode and enforce signature verification by setting
      @code{check_appended_signatures} (@pxref{check_appended_signatures}) to @code{yes}.
@end itemize

Note that Linux on Power LPAR only supports @samp{0 - disabled} and @samp{2 - enforce},
and @samp{1 - audit} is considered as secure boot being disabled.

Enforcement of signature verification is controlled by the environment variable
@code{check_appended_signatures} (@pxref{check_appended_signatures}).

@itemize
@item @samp{no}: No verification is performed. This is the default.
@item @samp{yes}: Signature verification is performed and if signature verification fails,
      display the errors and stop the boot. Signature verification cannot be disabled by setting
      the @code{check_appended_signatures} variable back to @samp{no}.
@end itemize

To enable appended signature verification, load the appendedsig module and an
X.509 certificate for verification. It is recommended to build the appendedsig module
into the core GRUB image.

Key management is controlled by the environment variable @code{appendedsig_key_mgmt}
(@pxref{appendedsig_key_mgmt}).

@itemize
@item @samp{static}: Enforce static key management signature verification. This is the default.
      When GRUB is in lockdown mode, then the user cannot change the value of the
      @code{appendedsig_key_mgmt}.
@item @samp{dynamic}: Enforce dynamic key management signature verification. When GRUB is in
      lockdown mode, then the user cannot change the value of the @code{appendedsig_key_mgmt}.
@end itemize

In static key management mode, certificates will be built into the core image using
the @code{--x509} parameter to @command{grub-mkimage}. The list of trusted certificates
available at boot time can be shown using @command{append_list_db} (@pxref{append_list_db}).
Distrusted certificates can be explicitly removed from the db using @command{append_add_dbx_cert}
(@pxref{append_add_dbx_cert}). Also, trusted certificates can be explicitly added to the db using
@command{append_add_db_cert} (@pxref{append_add_db_cert}).

In dynamic key management mode, db and dbx are read from the Platform KeyStore (PKS). If
db does not exist in PKS, static keys (built-in keys) are used as the default keys.
The list of trusted certificates and binary hashes available at boot time can be shown using
@command{append_list_db} (@pxref{append_list_db}) and the list of distrusted certificates and
binary/certificate hashes available at boot time can be shown using @command{append_list_dbx}
(@pxref{append_list_dbx}). The trusted certificates and binary hashes can be explicitly added
to the db using @command{append_add_db_cert} (@pxref{append_add_db_cert}) and
@command{append_add_db_hash} (@pxref{append_add_db_hash}). Distrusted certificates can be explicitly
added to the dbx using @command{append_add_dbx_cert} (@pxref{append_add_dbx_cert}) and distrusted
certificate/binary hashes can be explicitly added to the dbx using @command{append_add_dbx_hash}
(@pxref{append_add_dbx_hash}).

A file can be explicitly verified using @command{append_verify} (@pxref{append_verify}).

Note that when the environment variable @code{check_appended_signatures} is set to @code{yes},
the @command{append_add_db_cert} and @command{append_add_dbx_cert} commands only accept
the file @samp{@var{X509_certificate}} that is signed with an appended signature
(@pxref{Signing certificate and hash files}), and the @command{append_add_db_hash} and
@command{append_add_dbx_hash} commands only accept the file @samp{@var{hash_file}} that is
signed with an appended signature (@pxref{Signing certificate and hash files}).
The signature is verified by the appendedsig module.
When the environment variable @code{check_appended_signatures} is set to @code{no},
these commands accept files without an appended signature.

Also, note that @samp{@var{X509_certificate}} should be in DER-format and @samp{@var{hash_file}}
should be in binary format. Only SHA-256, SHA-384, or SHA-512 hashes of binary/certificate are allowed.
Certificates/hashes of certificates/binaries added through @command{append_add_db_cert},
@command{append_add_dbx_cert}, @command{append_add_db_hash}, and @command{append_add_dbx_hash}
will not be persisted across boots.

Only signatures created using SHA-256 or SHA-512 hash algorithm along with RSA keys of size 2048,
3072, or 4096 bits are supported.

A file can be signed with the @command{sign-file} utility supplied with the
Linux kernel source. For example, if you have @code{signing.key} as the private
key and @code{certificate.der} as the X.509 certificate containing the public key:

@example
sign-file SHA256 signing.key certificate.der vmlinux vmlinux.signed
@end example

Once signature verification is turned on, the following file types must carry
appended signatures:

@enumerate
@item Linux kernels
@item GRUB modules, except those built in to the core image
@item Any new certificate or binary hash files to be trusted
@item Any new certificate/binary hash files to be distrusted
@end enumerate

When GRUB is in lockdown mode (when secure boot mode is set to @code{enforce}),
signature verification cannot be @strong{disabled} by setting the
@code{check_appended_signatures} (@pxref{check_appended_signatures}) variable
to @code{no} or using the @command{load_env} (@pxref{load_env}) command from
the GRUB console.

@node UEFI secure boot and shim
@section UEFI secure boot and shim support

The GRUB works with UEFI secure boot and the shim. This functionality is
provided by the shim_lock verifier. It is built into the @file{core.img} and is
registered if the UEFI secure boot is enabled. The @samp{shim_lock} variable is
set to @samp{y} when shim_lock verifier is registered. If it is desired to use
UEFI secure boot without shim, one can disable shim_lock by disabling shim
verification with MokSbState UEFI variable or by building grub image with
@samp{--disable-shim-lock} option.

All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
and @command{memrw} will not be available when the UEFI secure boot is enabled.
This is done for security reasons and are enforced by the GRUB Lockdown mechanism
(@pxref{Lockdown}).

@node Secure Boot Advanced Targeting
@section Embedded information for generation number based revocation

The Secure Boot Advanced Targeting (SBAT) is a mechanism to allow the revocation
of components in the boot path by using generation numbers embedded into the EFI
binaries. The SBAT metadata is located in an .sbat data section that has set of
UTF-8 strings as comma-separated values (CSV). See
@uref{https://github.com/rhboot/shim/blob/main/SBAT.md} for more details.

To add a data section containing the SBAT information into the binary, the
@option{--sbat} option of @command{grub-mkimage} command should be used. The content
of a CSV file, encoded with UTF-8, is copied as is to the .sbat data section into
the generated EFI binary. The CSV file can be stored anywhere on the file system.

@example
grub-mkimage -O x86_64-efi -o grubx64.efi -p '(tftp)/grub' --sbat sbat.csv efinet tftp
@end example

@node Measured Boot
@section Measuring boot components

If the tpm module is loaded and the platform has a Trusted Platform Module
installed, GRUB will log each command executed and each file loaded into the
TPM event log and extend the PCR values in the TPM correspondingly. All events
will be logged into the PCR described below with a type of EV_IPL and an
event description as described below.

@multitable @columnfractions 0.3 0.1 0.6
@headitem Event type @tab PCR @tab Description
@item Command
@tab 8
@tab All executed commands (including those from configuration files) will be
logged and measured as entered with a prefix of ``grub_cmd: ``
@item Kernel command line
@tab 8
@tab Any command line passed to a kernel will be logged and measured as entered
with a prefix of ``kernel_cmdline: ''
@item Module command line
@tab 8
@tab Any command line passed to a kernel module will be logged and measured as
entered with a prefix of ``module_cmdline: ``
@item Files
@tab 9
@tab Any file read by GRUB will be logged and measured with a descriptive text
corresponding to the filename.
@end multitable

GRUB will not measure its own @file{core.img} - it is expected that firmware
will carry this out. GRUB will also not perform any measurements until the
tpm module is loaded. As such it is recommended that the tpm module be built
into @file{core.img} in order to avoid a potential gap in measurement between
@file{core.img} being loaded and the tpm module being loaded.

Measured boot is currently only supported on EFI and IBM IEEE1275 PowerPC
platforms.

@node Lockdown
@section Lockdown when booting on a secure setup

The GRUB can be locked down when booted on a secure boot environment, for example
if UEFI or Power secure boot is enabled. On a locked down configuration, the GRUB will
be restricted and some operations/commands cannot be executed. This also includes
limiting which filesystems are supported to those thought to be more robust and
widely used within GRUB.

The filesystems currently allowed in lockdown mode include:
@itemize @bullet
@item BtrFS
@item cpio
@item exFAT
@item Enhanced Read-Only File System (EROFS)
@item Linux ext2/ext3/ext4
@item F2FS
@item DOS FAT12/FAT16/FAT32
@item HFS+
@item ISO9660
@item Squash4
@item tar
@item XFS
@item ZFS
@end itemize

The filesystems currently not allowed in lockdown mode include:
@itemize @bullet
@item Amiga Fast FileSystem (AFFS)
@item AtheOS File System (AFS)
@item Bee File System (BFS)
@item Coreboot File System (CBFS)
@item Hierarchical File System (HFS)
@item Journaled File System (JFS)
@item Minix filesystem
@item New Implementation of Log filesystem (nilfs2)
@item Windows New Technology File System (NTFS)
@item ReiserFS
@item Read-Only Memory File System (ROMFS)
@item Amiga Smart File System (SFS)
@item Universal Disk Format (UDF)
@item Unix File System (UFS)
@end itemize

The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
Otherwise it does not exist.

@node TPM2 key protector
@section TPM2 key protector in GRUB

TPM2 key protector extends measured boot to unlock the encrypted partition
without user intervention. It uses the TPM Storage Root Key (SRK) to seal
the disk key with a given set of PCR values. If the system state matches,
i.e. PCR values match the sealed PCR set, TPM2 key protector unseals the
disk key for @command{cryptomount} (@pxref{cryptomount}) to unlock the
encrypted partition. In case the unsealed key fails to unlock the
partition, @command{cryptomount} falls back to the passphrase prompt.

Please note that TPM2 key protector uses the SRK in the owner hierarchy
@emph{without} authorization. If the owner hierarchy is password-protected,
TPM2 key protector may fail to unseal the key due to the absence of the
password. For the systems that already enable the password protection for the
owner hierarchy, the following command removes the password protection with
the existing password.

@example
# @kbd{tpm2_changeauth -c owner -p password}
@end example

There are two supported modes to store the sealed key, SRK and NV index.
The details will be addressed in later sections.

TPM2 key protector is currently only supported on EFI and EMU platforms.

@subsection TPM PCR usage

Since TPM2 key protector relies on PCRs to check the system state, it is
important to decide which PCRs to seal the key with. The following table
lists uses of PCRs and the measured objects on EFI platforms.

@multitable @columnfractions 0.1 0.2 0.7
@headitem PCR @tab Used by @tab Measured Objects
@item 0
@tab Firmware
@tab Core system firmware executable code
@item 1
@tab Firmware
@tab Core system firmware data/host platform configuration; typically
contains serial and model numbers
@item 2
@tab Firmware
@tab Extended or pluggable executable code; includes option ROMs on
pluggable hardware
@item 3
@tab Firmware
@tab Extended or pluggable firmware data; includes information about
pluggable hardware
@item 4
@tab Firmware
@tab Boot loader and additional drivers; binaries and extensions loaded
by the boot loader
@item 5
@tab Firmware
@tab GPT/Partition table
@item 7
@tab Firmware
@tab SecureBoot state
@item 8
@tab GRUB
@tab Commands and kernel command line
@item 9
@tab GRUB
@tab All files read (including kernel image)
@item 9
@tab Linux Kernel
@tab All passed initrds (when the new LOAD_FILE2 initrd protocol is used)
@item 10
@tab Linux Kernel
@tab Protection of the IMA measurement log
@item 14
@tab shim
@tab “MOK” certificates and hashes
@end multitable

PCR 0, 2, 4, and 7 can be used to check the integrity of the firmware code
and bootloaders. PCR 8 and 9 are useful to check the file and data processed
by GRUB. PCRs 10, 11, 12, 13, and 15 are controlled by the operating system,
so those PCRs are usually still in the initial state when GRUB is running.

In general, it is nice to include PCR 0, 2, 4, and 7 to ensure the integrity
of the firmware and bootloaders. For PCR 8 and 9, a sophisticated tool is
required to examine the GRUB configuration files and the files to be loaded
to calculate the correct PCR values.

Please note that PCRs are sensitive to any change, so an update of a component
could invalidate the sealed key, due to the so-called PCR brittleness. For the
bootloader update, PCR 4 may be affected. This can be mitigated by extracting
the events from the TPM event log and predict the value with the updated
bootloader binary. On the other hand, it is difficult to predict PCR 0~7 after
a firmware update since the content of the code and the order of drivers may
not follow the TPM event log from the previous firmware version, so it is
necessary to reboot the system to update the measurement results of PCR 0~7
and seal or sign the sealed key again.

Reference: @url{https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/, Linux TPM PCR Registry}

@subsection Setting up the extra disk key

Instead of using the existing password, it is recommended to seal a new
random disk key and use the existing password for recovery.

Here are the sample commands to create a 128 random bytes key file and
enroll the key into the target partition (sda2).

@example
# @kbd{dd if=/dev/urandom of=luks.key bs=1 count=128}
# @kbd{cryptsetup luksAddKey /dev/sda2 luks.key --pbkdf=pbkdf2 --hash=sha512}
@end example

@subsection SRK mode

To unlock the partition with SRK mode, assume that the sealed key is in
@file{(hd0,gpt1)/efi/grub/sealed.tpm}, the following GRUB commands
unseal the disk key with SRK mode and supply it to @command{cryptomount}.

@example
grub> @kbd{tpm2_key_protector_init -T (hd0,gpt1)/efi/grub/sealed.tpm}
grub> @kbd{cryptomount -u <UUID> -P tpm2}
@end example

There are two programs to create the sealed key for SRK mode: @command{grub-protect}
and @command{pcr-oracle} (@url{https://github.com/okirch/pcr-oracle}).

The following sample command uses @command{grub-protect} to seal the random
key, @file{luks.key}, with PCR 0, 2, 4 and 7 in TPM 2.0 Key File format.

@example
@group
# @kbd{grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm}
@end group
@end example

@command{grub-protect} only seals the key with the current PCR values.
Therefore, when a boot component, such as shim or GRUB, is updated, it is
necessary to reboot the system to update the measurement results and seal
the key again. That means the random disk key has to be stored in cleartext
for the next key sealing. Besides this, the measurement result of some PCRs
may differ between boot time and OS runtime. For example, PCR 9 measures the
files loaded by GRUB including the Linux kernel and initrd. To unlock the disk
containing the kernel and initrd, the key has to be sealed with PCR 9 value
before loading the kernel and initrd. However, PCR 9 changes after GRUB
loading the kernel and initrd, so PCR 9 at OS runtime cannot be used directly
for key sealing.

To solve these problems, @command{pcr-oracle} takes a different approach. It
reads the TPM eventlog and predicts the PCR values. Besides,
@command{pcr-oracle} also supports ``authorized policy'' which allows the
PCR policy to be updated with a valid signature, so that the user only seals
the random disk key once. If at some later time the PCR values change due to
an update of the system firmware, bootloader, or config file, the user just
needs to update the signature of the PCR policy.

To seal the key with the authorized policy, the first thing is to generate
the RSA policy key, @file{policy-key.pem}, and the authorized policy file,
@file{authorized.policy}. In this example, PCR 0, 2, 4, 7 and 9 are chosen
for key sealing.

@example
@group
# @kbd{pcr-oracle --rsa-generate-key \
             --private-key policy-key.pem \
             --auth authorized.policy \
             create-authorized-policy 0,2,4,7,9}
@end group
@end example

Then, we seal the random disk key, @file{luks.key}, with the authorized
policy file and save the sealed key in @file{sealed.key}.

@example
@group
# @kbd{pcr-oracle --key-format tpm2.0 \
             --auth authorized.policy \
             --input luks.key \
             --output sealed.key \
             seal-secret}
@end group
@end example

Since we now have the sealed key, we can remove the random disk key file
@file{luks.key}.

The last step is to sign the predicted PCR policy and save the final key
file, @file{sealed.tpm}.

@example
@group
# @kbd{pcr-oracle --key-format tpm2.0 \
             --private-key policy-key.pem \
             --from eventlog \
             --stop-event "grub-file=grub.cfg" \
             --after \
             --input sealed.key \
             --output /boot/efi/efi/grub/sealed.tpm \
             sign 0,2,4,7,9}
@end group
@end example

Here we also set a stop event for the prediction. With
@kbd{--stop-event grub-file=grub.cfg --after}, @command{pcr-oracle} stops
the calculation of PCR values right after GRUB loads @file{grub.cfg}.

When/After the shim or GRUB are updated, it only requires to run the last
@command{pcr-oracle} command to update the predicted PCR policy.

@subsection NV index mode

Instead of storing the sealed key in a file, NV index mode uses the TPM
non-volatile memory to store the sealed key and could be useful when accessing
the file is not possible.

However, the Linux root user must be careful who she/he gives access to the
TPM (tss group) since those users will also be able to modify the NV index
that's holding the key.

There are two types of TPM handles supported by NV index mode: persistent
handle and NV index handle.

@subsubsection Persistent handle

The range of persistent handles is from @kbd{0x81000000} to @kbd{0x81FFFFFF}.
The persistent handle is designed to make TPM objects persistent through
power cycles, and only TPM objects, such as RSA or EC keys, are accepted.
Thus, only the raw format is supported by persistent handles. The following
shows the @command{grub-protect} command to seal the disk key @file{luks.key}
into the persistent handle @kbd{0x81000000} with the PCRs @kbd{0,2,4,7}.

@example
@group
# @kbd{grub-protect \
             --protector=tpm2 \
             --action=add \
             --tpm2-bank=sha256 \
             --tpm2-pcrs=0,2,4,7 \
             --tpm2-keyfile=luks.key \
             --tpm2-nvindex=0x81000000}
@end group
@end example

To unseal the key, we have to specify the mode @kbd{nv}, the persistent handle
@kbd{0x81000000}, and the PCRs @kbd{0,2,4,7} for the @command{tpm2_key_protector_init}
command.

@example
grub> @kbd{tpm2_key_protector_init --mode=nv --nvindex=0x81000000 --pcrs=0,2,4,7}
grub> @kbd{cryptomount -u <UUID> --protector tpm2}
@end example

If the key in the persistent handle becomes unwanted, the following
@command{grub-protect} command removes the specified persistent handle
@kbd{0x81000000}.

@example
@group
# @kbd{grub-protect \
             --protector=tpm2 \
             --action=remove \
             --tpm2-evict \
             --tpm2-nvindex=0x81000000}
@end group
@end example

@subsubsection NV index handle

The range of NV index handles is from @kbd{0x1000000} to @kbd{0x1FFFFFF}.
Unlike the persistent handle, the NV index handle allows user-defined data,
so it can easily support both the TPM 2.0 Key File format as well as the raw
format.

The following @kbd{grub-protect} command seals the disk key @file{luks.key}
into the NV index handle @kbd{0x1000000} with the PCRs @kbd{0,2,4,7} while
using the TPM 2.0 Key File format.

@example
@group
# @kbd{grub-protect \
             --protector=tpm2 \
             --action=add \
             --tpm2key \
             --tpm2-bank=sha256 \
             --tpm2-pcrs=0,2,4,7 \
             --tpm2-keyfile=luks.key \
             --tpm2-nvindex=0x1000000}
@end group
@end example

Furthermore, it is also possible to insert an existing key file,
@file{sealed.tpm}, into a specific NV index handle using the following
tpm2-tools (@url{https://github.com/tpm2-software/tpm2-tools}) commands.

@example
@group
# @kbd{tpm2_nvdefine -C o \
             -a "ownerread|ownerwrite" \
             -s $(stat -c %s sealed.tpm) \
             0x1000000}
@end group
# @kbd{tpm2_nvwrite -C o -i sealed.tpm 0x1000000}
@end example

When unsealing the key in TPM 2.0 Key File format, only the mode @kbd{nv}
and the NV index handle @kbd{0x1000000} have to be specified for the
@command{tpm2_key_protector_init} command.

@example
grub> @kbd{tpm2_key_protector_init --mode=nv --nvindex=0x1000000}
grub> @kbd{cryptomount -u <UUID> --protector tpm2}
@end example

The following @command{grub-protect} command allows to remove the specified
NV index handle @kbd{0x1000000}.

@example
@group
# @kbd{grub-protect \
             --protector=tpm2 \
             --action=remove \
             --tpm2-evict \
             --tpm2-nvindex=0x1000000}
@end group
@end example

@subsection Setting up software TPM for EMU platform

In order to test TPM2 key protector and TPM2 Software Stack (TSS2), it is
useful to set up a software TPM (swtpm) instance and run the commands on the
EMU platform.

Here are the commands to start a swtpm instance which provides a character
device interface. To store the TPM states, the directory, @file{swtpm-state},
is created before the @command{swtpm} command.  All the messages are stored
in @file{swtpm.log} including the name of the character device.

@example
# @kbd{mkdir swtpm-state}
@group
# @kbd{swtpm chardev --vtpm-proxy --tpmstate dir=swtpm-state \
        --tpm2 --ctrl type=unixio,path="swtpm-state/ctrl" \
        --flags startup-clear --daemon > swtpm.log}
@end group
@end example

Then, we extract the name of the character device from @file{swtpm.log} and
save it to the variable, @samp{tpm2dev}.

@example
# @kbd{tpm2dev=$(grep "New TPM device" swtpm.log | cut -d' ' -f 4)}
@end example

Now we can start @kbd{grub-emu} with @kbd{--tpm-device $tpm2dev} to interact
with the swtpm instance.

@example
# @kbd{grub-emu --tpm-device $tpm2dev}
@end example

On the host, the tpm2-tools commands can interact with the swtpm instance by
setting @samp{TPM2TOOLS_TCTI}.

@example
# @kbd{export TPM2TOOLS_TCTI="device:$tpm2dev"}
@end example

When the test is done, use @kbd{swtpm_ioctl} to send the shutdown
command through the swtpm control channel.

@example
# @kbd{swtpm_ioctl -s --unix swtpm-state/ctrl}
@end example

@subsection Command line and menuentry editor protection

The TPM key protector provides full disk encryption support on servers or
virtual machine images, meanwhile keeping the boot process unattended. This
prevents service disruptions by eliminating the need for manual password input
during startup, improving system uptime and continuity. It is achieved by TPM,
which verifies the integrity of boot components by checking cryptographic
hashes against securely stored values, to confirm the disks are unlocked in a
trusted state.

However, for users to access the system interactively, some form of
authentication is still required, as the disks are not unlocked by an
authorized user. This raised concerns about using an unprotected
@samp{command-line interface} (@pxref{Command-line interface}), as anyone could
execute commands to access decrypted data. To address this issue, the LUKS
password is used to ensure that only authorized users are granted access to the
interface. Additionally, the @samp{menu entry editor} (@pxref{Menu entry
editor}) is also safeguarded by the LUKS password, as modifying a boot entry is
effectively the same as altering the @file{grub.cfg} file read from encrypted
files.

It is worth mentioning that the built-in password support, as described in
@samp{Authentication and Authorization in GRUB} (@pxref{Authentication and
authorisation}), can also be used to protect the command-line interface from
unauthorized access. However, it is not recommended to rely on this approach as
it is an optional step. Setting it up requires additional manual intervention,
which increases the risk of password leakage during the process. Moreover, the
superuser list must be well maintained, and the password used cannot be
synchronized with LUKS key rotation.

@node Signing certificate and hash files
@section Signing certificate and hash files
X.509 certificate (public key) files and hash files (binary/certificate hash files)
can be signed with a Linux kernel module-style appended signature.

The signer.key is a private key used for signing and signer.der is the corresponding
public key (certificate) used for appended signature verification. Note that the
signer.der (certificate) should exist in the db (@pxref{Using appended signatures}).

@itemize
@item Signing the X.509 certificate file using @file{sign-file}.
The kernel.der is an X.509 certificate file.
@example

sign-file SHA256 signer.key signer.der kernel.der \
  kernel.der.signed

@end example
@item Signing the hash file using @file{sign-file}.
The binary_hash.bin is a binary hash file.
@example

sign-file SHA256 signer.key signer.der binary_hash.bin \
  binary_hash.signed

@end example
@end itemize

@node Signing GRUB itself
@section Signing GRUB itself
To ensure a complete secure-boot chain, there must be a way for the code that
loads GRUB to verify the integrity of the core image.
This is ultimately platform-specific and individual platforms can define their
own mechanisms. However, there are general-purpose mechanisms that can be used
with GRUB.

@subsection Signing GRUB for UEFI secure boot
On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
with a tool such as @command{pesign} or @command{sbsign}. Refer to the
suggestions in @pxref{UEFI secure boot and shim} to ensure that the final
image works under UEFI secure boot and can maintain the secure-boot chain. It
will also be necessary to enroll the public key used into a relevant firmware
key database.

@subsection Signing GRUB with an appended signature
The @file{core.elf} itself can be signed with a Linux kernel module-style
appended signature (@pxref{Using appended signatures}).
To support IEEE1275 platforms where the boot image is often loaded directly
from a disk partition rather than from a file system, the @file{core.elf}
can specify the size and location of the appended signature with an ELF
Note added by @command{grub-install} or @command{grub-mkimage}.
An image can be signed this way using the @command{sign-file} command from
the Linux kernel:

@itemize
@item Signing a GRUB image using a single signer key. The grub.key is your
private key used for GRUB signing, grub.der is a corresponding public key
(certificate) used for GRUB signature verification, and the kernel.der is
your public key (certificate) used for kernel signature verification.
@example
@group
# Determine the size of the appended signature. It depends on the
# signing key and the hash algorithm.
#
# Signing /dev/null with an appended signature.

sign-file SHA256 grub.key grub.der /dev/null ./empty.sig

# Build a GRUB image for the signature.

grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel.der \
  -p /grub --appended-signature-size $(stat -c '%s' ./empty.sig) \
  --modules="appendedsig ..." ...

# Remove the signature file.

rm ./empty.sig

# Signing a GRUB image with an appended signature.

sign-file SHA256 grub.key grub.der core.elf.unsigned core.elf.signed

@end group
@end example
@item Signing a GRUB image using more than one signer key. The grub1.key and
grub2.key are private keys used for GRUB signing, grub1.der and grub2.der
are corresponding public keys (certificates) used for GRUB signature verification.
The kernel1.der and kernel2.der are your public keys (certificates) used for
kernel signature verification.
@example
@group
# Generate a signature by signing /dev/null.

openssl cms -sign -binary -nocerts -in /dev/null -signer \
  grub1.der -inkey grub1.key -signer grub2.der -inkey grub2.key \
  -out ./empty.p7s -outform DER -noattr -md sha256

# To be able to determine the size of an appended signature, sign an
# empty file (/dev/null) to which a signature will be appended to.

sign-file -s ./empty.p7s sha256 /dev/null /dev/null ./empty.sig

# Build a GRUB image for the signature.

grub-mkimage -O powerpc-ieee1275 -o core.elf.unsigned -x kernel1.der \
  kernel2.der -p /grub --appended-signature-size $(stat -c '%s' ./empty.sig) \
  --modules="appendedsig ..." ...

# Remove the signature files.

rm ./empty.sig ./empty.p7s

# Generate a raw signature for GRUB image signing using OpenSSL.

openssl cms -sign -binary -nocerts -in core.elf.unsigned -signer \
  grub1.der -inkey grub1.key -signer grub2.der -inkey grub2.key \
  -out core.p7s -outform DER -noattr -md sha256

# Sign a GRUB image to get an image file with an appended signature.

sign-file -s core.p7s sha256 /dev/null core.elf.unsigned core.elf.signed

@end group
@end example
@item Don't forget to install the signed image as required
(e.g. on powerpc-ieee1275, to the PReP partition).
@example
@group
# Install signed GRUB image to the PReP partition on powerpc-ieee1275

dd if=core.elf.signed of=/dev/sda1

@end group
@end example
@end itemize

As with UEFI secure boot, it is necessary to build-in the required modules,
or sign them if they are not part of the GRUB image.

@node Hardening
@section Hardening

Security hardening involves additional / optional configuration and
customization steps to GRUB to maximize security. The extent to which
hardening can be accomplished depends on the threats attempting to be
mitigated for a given system / device, the device architecture, and number
of GRUB features required. The following is a listing of hardening steps which
may be considered:

@itemize
@item (EFI Only) Enable secure boot to enable lockdown mode. This will limit
the attack surface of GRUB by limiting the commands and file systems
supported. (@pxref{Lockdown})
@item (EFI Only) No-Execute capability of memory segments will be configured
by GRUB as indicated by the UEFI. This makes some classes of vulnerabilities
more difficult to exploit by providing support for marking memory as either
writable or executable.
@item (EFI Only) While building GRUB, the stack protector feature may be
enabled during the configuration step. This feature can make certain
vulnerabilities caused by stack buffer overflows more difficult to exploit.
This can be enabled by including the "--enable-stack-protector" flag to the
configure script:
@example
# @kbd{./configure --enable-stack-protector}
@end example
Please reference the file @file{INSTALL} for detailed instructions on how to
build GRUB.
@item Minimize the installed modules included with the GRUB installation.
For instance, if a specific file system is used for a given system, modules
for other file systems may be excluded. @pxref{Modules} for a list of
modules.
@item Minimize boot sources. In the GRUB configuration, reduce the possible
boot sources to the minimum needed for system operation. For instance, if
booting only from an internal drive, remove support for network booting
and booting from removable media.
@item Disable network support in GRUB if not required. Ensure network
interfaces are not configured in the GRUB configuration and consider
setting environment variable @samp{feature_net_search_cfg} to @samp{n} in an
embedded GRUB config file in order to disable attempting to use the
network for obtaining a GRUB config file.
@end itemize


@node Platform limitations
@chapter Platform limitations

GRUB2 is designed to be portable and is actually ported across platforms. We
try to keep all platforms at the level. Unfortunately some platforms are better
supported than others. This is detailed in current and 2 following sections.

All platforms have an artificially GRUB imposed disk size restriction of 1 EiB.
In some cases, larger disk sizes can be used, but access will not be allowed
beyond 1 EiB.

LUKS2 devices with size larger than 16 EiB are currently not supported. They
can not be created as crypto devices by cryptomount, so can not even be
partially read from. LUKS have no limitations other than those imposed by the
format.

ARC platform is unable to change datetime (firmware doesn't seem to provide a
function for it).
EMU has similar limitation.

On EMU platform no serial port is available.

Console charset refers only to firmware-assisted console. gfxterm is always
Unicode (see Internationalisation section for its limitations). Serial is
configurable to UTF-8 or ASCII (see Internationalisation). In case of qemu
and coreboot ports the referred console is vga_text. Loongson always uses
gfxterm.

Most limited one is ASCII. CP437 provides additionally pseudographics.
GRUB2 doesn't use any language characters from CP437 as often CP437 is replaced
by national encoding compatible only in pseudographics.
Unicode is the most versatile charset which supports many languages. However
the actual console may be much more limited depending on firmware

On BIOS, network is supported only if the image is loaded through network.
On sparc64, GRUB is unable to determine which server it was booted from.

Direct ATA/AHCI support allows to circumvent various firmware limitations but
isn't needed for normal operation except on baremetal ports.

AT keyboard support allows keyboard layout remapping and support for keys not
available through firmware. It isn't needed for normal operation except
baremetal ports.

Speaker allows morse and spkmodem communication.

USB support provides benefits similar to ATA (for USB disks) or AT (for USB
keyboards). In addition it allows USBserial.

Chainloading refers to the ability to load another bootloader through the same protocol
and on some platforms, like EFI, allow that bootloader to return to the GRUB.

Hints allow faster disk discovery by already knowing in advance which is the disk in
question. On some platforms hints are correct unless you move the disk between boots.
On other platforms it's just an educated guess.
Note that hint failure results in just reduced performance, not a failure

BadRAM is the ability to mark some of the RAM as ``bad''. Note: due to protocol
limitations mips-loongson (with Linux protocol)
and mips-qemu_mips can use only memory up to first hole.

Bootlocation is ability of GRUB to automatically detect where it boots from.
``disk'' means the detection is limited to detecting the disk with partition
being discovered on install time. ``partition'' means that disk and partiton
can be automatically discovered. ``file'' means that boot image file name as
well as disk and partition can be discovered. For consistency, default install ignores
partition and relies solely on disk detection. If no bootlocation discovery is available
or boot and grub-root disks are different, UUID is used instead. On ARC if no device
to install to is specified, UUID is used instead as well.


@multitable @columnfractions .20 .20 .20 .20 .20
@item                    @tab BIOS    @tab Coreboot @tab Multiboot    @tab Qemu 
@item video              @tab yes     @tab yes      @tab yes          @tab yes
@item console charset    @tab CP437   @tab CP437    @tab CP437        @tab CP437
@item network            @tab yes (*) @tab no       @tab no           @tab no
@item ATA/AHCI           @tab yes     @tab yes      @tab yes          @tab yes
@item AT keyboard        @tab yes     @tab yes      @tab yes          @tab yes
@item Speaker            @tab yes     @tab yes      @tab yes          @tab yes
@item USB                @tab yes     @tab yes      @tab yes          @tab yes
@item chainloader        @tab local   @tab yes      @tab yes          @tab no
@item cpuid              @tab partial @tab partial  @tab partial      @tab partial
@item rdmsr              @tab partial @tab partial  @tab partial      @tab partial
@item wrmsr              @tab partial @tab partial  @tab partial      @tab partial
@item hints              @tab guess   @tab guess    @tab guess        @tab guess
@item PCI                @tab yes     @tab yes      @tab yes          @tab yes
@item badram             @tab yes     @tab yes      @tab yes          @tab yes
@item compression        @tab always  @tab pointless @tab no           @tab no
@item exit               @tab yes     @tab no       @tab no           @tab no
@item bootlocation       @tab disk    @tab no       @tab no           @tab no
@end multitable

@multitable @columnfractions .20 .20 .20 .20 .20
@item                    @tab ia32 EFI    @tab amd64 EFI @tab ia32 IEEE1275 @tab Itanium
@item video              @tab yes         @tab yes       @tab no            @tab no
@item console charset    @tab Unicode     @tab Unicode   @tab ASCII         @tab Unicode
@item network            @tab yes         @tab yes       @tab yes           @tab yes
@item ATA/AHCI           @tab yes         @tab yes       @tab yes           @tab no
@item AT keyboard        @tab yes         @tab yes       @tab yes           @tab no
@item Speaker            @tab yes         @tab yes       @tab yes           @tab no
@item USB                @tab yes         @tab yes       @tab yes           @tab no
@item chainloader        @tab local       @tab local     @tab no            @tab local
@item cpuid              @tab partial     @tab partial   @tab partial       @tab no
@item rdmsr              @tab partial     @tab partial   @tab partial       @tab no
@item wrmsr              @tab partial     @tab partial   @tab partial       @tab no
@item hints              @tab guess       @tab guess     @tab good          @tab guess
@item PCI                @tab yes         @tab yes       @tab yes           @tab no
@item badram             @tab yes         @tab yes       @tab no            @tab yes
@item compression        @tab no          @tab no        @tab no            @tab no
@item exit               @tab yes         @tab yes       @tab yes           @tab yes
@item bootlocation       @tab file        @tab file      @tab file, ignored @tab file
@end multitable

@multitable @columnfractions .20 .20 .20 .20 .20
@item                    @tab Loongson    @tab sparc64 @tab Powerpc @tab ARC
@item video              @tab yes         @tab no      @tab yes     @tab no
@item console charset    @tab N/A         @tab ASCII   @tab ASCII   @tab ASCII
@item network            @tab no          @tab yes (*) @tab yes     @tab no
@item ATA/AHCI           @tab yes         @tab no      @tab no      @tab no
@item AT keyboard        @tab yes         @tab no      @tab no      @tab no
@item Speaker            @tab no          @tab no      @tab no      @tab no
@item USB                @tab yes         @tab no      @tab no      @tab no
@item chainloader        @tab yes         @tab no      @tab no      @tab no
@item cpuid              @tab no          @tab no      @tab no      @tab no
@item rdmsr              @tab no          @tab no      @tab no      @tab no
@item wrmsr              @tab no          @tab no      @tab no      @tab no
@item hints              @tab good        @tab good    @tab good    @tab no
@item PCI                @tab yes         @tab no      @tab no      @tab no
@item badram             @tab yes (*)     @tab no      @tab no      @tab no
@item compression        @tab configurable @tab no     @tab no      @tab configurable
@item exit               @tab no          @tab yes     @tab yes     @tab yes
@item bootlocation       @tab no          @tab partition @tab file  @tab file (*)
@end multitable

@multitable @columnfractions .20 .20 .20 .20 .20
@item                    @tab MIPS qemu @tab emu         @tab xen
@item video              @tab no        @tab yes         @tab no
@item console charset    @tab CP437     @tab Unicode (*) @tab ASCII
@item network            @tab no        @tab yes         @tab no
@item ATA/AHCI           @tab yes       @tab no          @tab no
@item AT keyboard        @tab yes       @tab no          @tab no
@item Speaker            @tab no        @tab no          @tab no
@item USB                @tab N/A       @tab yes         @tab no
@item chainloader        @tab yes       @tab no          @tab yes
@item cpuid              @tab no        @tab no          @tab yes
@item rdmsr              @tab no        @tab no          @tab yes
@item wrmsr              @tab no        @tab no          @tab yes
@item hints              @tab guess     @tab no          @tab no
@item PCI                @tab no        @tab no          @tab no
@item badram             @tab yes (*)   @tab no          @tab no
@item compression        @tab configurable @tab no       @tab no
@item exit               @tab no        @tab yes         @tab no
@item bootlocation       @tab no        @tab file        @tab no
@end multitable

@node Platform-specific operations
@chapter Platform-specific operations

Some platforms have features which allow implementation of
certain commands that cannot be implemented on others.

Quick summary:

Information retrieval:

@itemize
@item mipsel-loongson: lsspd
@item mips-arc: lsdev
@item efi: lsefisystab, lssal, lsefimmap, lsefi
@item i386-pc: lsapm
@item i386-coreboot: lscoreboot, coreboot_boottime, cbmemc
@item acpi-enabled (i386-pc, i386-coreboot, i386-multiboot, *-efi): lsacpi
@end itemize

Workarounds for platform-specific issues:
@itemize
@item i386-efi/x86_64-efi: loadbios, fakebios, fix_video
@item acpi-enabled (i386-pc, i386-coreboot, i386-multiboot, *-efi):
    acpi (override ACPI tables)
@item i386-pc: drivemap
@item i386-pc: sendkey
@end itemize

Advanced operations for power users:
@itemize
@item x86: iorw (direct access to I/O ports)
@end itemize

Miscellaneous:
@itemize
@item cmos (x86-*, ieee1275, mips-qemu_mips, mips-loongson): cmostest
    (used on some laptops to check for special power-on key), cmosclean
@item i386-pc: play
@end itemize

@node Supported kernels
@chapter Supported boot targets

X86 support is summarised in the following table. ``Yes'' means that the kernel works on the given platform, ``crashes'' means an early kernel crash which we hope will be fixed by concerned kernel developers. ``no'' means GRUB doesn't load the given kernel on a given platform. ``headless'' means that the kernel works but lacks console drivers (you can still use serial or network console).  In case of ``no'' and ``crashes'' the reason is given in footnote.
@multitable @columnfractions .50 .22 .22
@item                                @tab BIOS    @tab Coreboot
@item BIOS chainloading              @tab yes     @tab no (1)
@item NTLDR                          @tab yes     @tab no (1)
@item Plan9                          @tab yes     @tab no (1)
@item Freedos                        @tab yes     @tab no (1)
@item FreeBSD bootloader             @tab yes     @tab crashes (1)
@item 32-bit kFreeBSD                @tab yes     @tab crashes (5)
@item 64-bit kFreeBSD                @tab yes     @tab crashes (5)
@item 32-bit kNetBSD                 @tab yes     @tab crashes (1)
@item 64-bit kNetBSD                 @tab yes     @tab crashes
@item 32-bit kOpenBSD                @tab yes     @tab yes
@item 64-bit kOpenBSD                @tab yes     @tab yes
@item Multiboot                      @tab yes     @tab yes
@item Multiboot2                     @tab yes     @tab yes
@item 32-bit Linux (legacy protocol) @tab yes     @tab no (1)
@item 64-bit Linux (legacy protocol) @tab yes     @tab no (1)
@item 32-bit Linux (modern protocol) @tab yes     @tab yes
@item 64-bit Linux (modern protocol) @tab yes     @tab yes
@item 32-bit XNU                     @tab yes     @tab ?
@item 64-bit XNU                     @tab yes     @tab ?
@item 32-bit EFI chainloader         @tab no (2)  @tab no (2)
@item 64-bit EFI chainloader         @tab no (2)  @tab no (2)
@item Appleloader                    @tab no (2)  @tab no (2)
@end multitable

@multitable @columnfractions .50 .22 .22
@item                                @tab Multiboot    @tab Qemu 
@item BIOS chainloading              @tab no (1)       @tab no (1)
@item NTLDR                          @tab no (1)       @tab no (1)
@item Plan9                          @tab no (1)       @tab no (1)
@item FreeDOS                        @tab no (1)       @tab no (1)
@item FreeBSD bootloader             @tab crashes (1)  @tab crashes (1)
@item 32-bit kFreeBSD                @tab crashes (5)  @tab crashes (5)
@item 64-bit kFreeBSD                @tab crashes (5)  @tab crashes (5)
@item 32-bit kNetBSD                 @tab crashes (1)  @tab crashes (1)  
@item 64-bit kNetBSD                 @tab yes          @tab yes
@item 32-bit kOpenBSD                @tab yes          @tab yes
@item 64-bit kOpenBSD                @tab yes          @tab yes
@item Multiboot                      @tab yes          @tab yes
@item Multiboot2                     @tab yes          @tab yes
@item 32-bit Linux (legacy protocol) @tab no (1)       @tab no (1)
@item 64-bit Linux (legacy protocol) @tab no (1)       @tab no (1)
@item 32-bit Linux (modern protocol) @tab yes          @tab yes
@item 64-bit Linux (modern protocol) @tab yes          @tab yes
@item 32-bit XNU                     @tab ?            @tab ?
@item 64-bit XNU                     @tab ?            @tab ?
@item 32-bit EFI chainloader         @tab no (2)       @tab no (2)
@item 64-bit EFI chainloader         @tab no (2)       @tab no (2)
@item Appleloader                    @tab no (2)       @tab no (2)
@end multitable

@multitable @columnfractions .50 .22 .22
@item                                @tab ia32 EFI      @tab amd64 EFI
@item BIOS chainloading              @tab no (1)        @tab no (1)
@item NTLDR                          @tab no (1)        @tab no (1)
@item Plan9                          @tab no (1)        @tab no (1)
@item FreeDOS                        @tab no (1)        @tab no (1)
@item FreeBSD bootloader             @tab crashes (1)   @tab crashes (1)
@item 32-bit kFreeBSD                @tab headless      @tab headless
@item 64-bit kFreeBSD                @tab headless      @tab headless
@item 32-bit kNetBSD                 @tab crashes (1)   @tab crashes (1)
@item 64-bit kNetBSD                 @tab yes           @tab yes
@item 32-bit kOpenBSD                @tab headless      @tab headless
@item 64-bit kOpenBSD                @tab headless      @tab headless
@item Multiboot                      @tab yes           @tab yes
@item Multiboot2                     @tab yes           @tab yes
@item 32-bit Linux (legacy protocol) @tab no (1)        @tab no (1)
@item 64-bit Linux (legacy protocol) @tab no (1)        @tab no (1)
@item 32-bit Linux (modern protocol) @tab yes           @tab yes
@item 64-bit Linux (modern protocol) @tab yes           @tab yes
@item 32-bit XNU                     @tab yes           @tab yes
@item 64-bit XNU                     @tab yes (4)       @tab yes
@item 32-bit EFI chainloader         @tab yes           @tab no (3)
@item 64-bit EFI chainloader         @tab no (3)        @tab yes
@item Appleloader                    @tab yes           @tab yes
@end multitable

@multitable @columnfractions .50 .22 .22
@item                                @tab ia32 IEEE1275
@item BIOS chainloading              @tab no (1)
@item NTLDR                          @tab no (1)
@item Plan9                          @tab no (1)
@item FreeDOS                        @tab no (1)
@item FreeBSD bootloader             @tab crashes (1)
@item 32-bit kFreeBSD                @tab crashes (5)
@item 64-bit kFreeBSD                @tab crashes (5)
@item 32-bit kNetBSD                 @tab crashes (1)
@item 64-bit kNetBSD                 @tab ?
@item 32-bit kOpenBSD                @tab ?
@item 64-bit kOpenBSD                @tab ?
@item Multiboot                      @tab ?
@item Multiboot2                     @tab ?
@item 32-bit Linux (legacy protocol) @tab no (1)
@item 64-bit Linux (legacy protocol) @tab no (1)
@item 32-bit Linux (modern protocol) @tab ?
@item 64-bit Linux (modern protocol) @tab ?
@item 32-bit XNU                     @tab ?
@item 64-bit XNU                     @tab ?
@item 32-bit EFI chainloader         @tab no (2)
@item 64-bit EFI chainloader         @tab no (2)
@item Appleloader                    @tab no (2)
@end multitable

@enumerate
@item Requires BIOS
@item EFI only
@item 32-bit and 64-bit EFI have different structures and work in different CPU modes so it's not possible to chainload 32-bit bootloader on 64-bit platform and vice-versa
@item Some modules may need to be disabled
@item Requires ACPI
@end enumerate

PowerPC, IA64 and Sparc64 ports support only Linux. MIPS port supports Linux
and multiboot2.

@section Boot tests

As you have seen in previous chapter the support matrix is pretty big and some of the configurations are only rarely used. To ensure the quality bootchecks are available for all x86 targets except EFI chainloader, Appleloader and XNU. All x86 platforms have bootcheck facility except ieee1275. Multiboot, multiboot2, BIOS chainloader, ntldr and freebsd-bootloader boot targets are tested only with a fake kernel images. Only Linux is tested among the payloads using Linux protocols.

Following variables must be defined:

@multitable  @columnfractions .30 .65
@item GRUB_PAYLOADS_DIR @tab directory containing the required kernels
@item GRUB_CBFSTOOL @tab cbfstool from Coreboot package (for coreboot platform only)
@item GRUB_COREBOOT_ROM @tab empty Coreboot ROM
@item GRUB_QEMU_OPTS @tab additional options to be supplied to QEMU
@end multitable

Required files are:

@multitable  @columnfractions .40 .55
@item kfreebsd_env.i386 @tab 32-bit kFreeBSD device hints
@item kfreebsd.i386 @tab 32-bit FreeBSD kernel image
@item kfreebsd.x86_64, kfreebsd_env.x86_64 @tab same from 64-bit kFreeBSD
@item knetbsd.i386 @tab 32-bit NetBSD kernel image
@item knetbsd.miniroot.i386 @tab 32-bit kNetBSD miniroot.kmod.
@item knetbsd.x86_64, knetbsd.miniroot.x86_64  @tab same from 64-bit kNetBSD
@item kopenbsd.i386 @tab 32-bit OpenBSD kernel bsd.rd image
@item kopenbsd.x86_64 @tab same from 64-bit kOpenBSD
@item linux.i386 @tab 32-bit Linux
@item linux.x86_64 @tab 64-bit Linux
@end multitable

@node Troubleshooting
@chapter Error messages produced by GRUB

@menu
* GRUB only offers a rescue shell::
* Firmware stalls instead of booting GRUB::
@end menu


@node GRUB only offers a rescue shell
@section GRUB only offers a rescue shell

GRUB's normal start-up procedure involves setting the @samp{prefix}
environment variable to a value set in the core image by
@command{grub-install}, setting the @samp{root} variable to match, loading
the @samp{normal} module from the prefix, and running the @samp{normal}
command (@pxref{normal}).  This command is responsible for reading
@file{/boot/grub/grub.cfg}, running the menu, and doing all the useful
things GRUB is supposed to do.

If, instead, you only get a rescue shell, this usually means that GRUB
failed to load the @samp{normal} module for some reason.  It may be possible
to work around this temporarily: for instance, if the reason for the failure
is that @samp{prefix} is wrong (perhaps it refers to the wrong device, or
perhaps the path to @file{/boot/grub} was not correctly made relative to the
device), then you can correct this and enter normal mode manually:

@example
@group
# Inspect the current prefix (and other preset variables):
set
# Find out which devices are available:
ls
# Set to the correct value, which might be something like this:
set prefix=(hd0,1)/grub
set root=(hd0,1)
insmod normal
normal
@end group
@end example

However, any problem that leaves you in the rescue shell probably means that
GRUB was not correctly installed.  It may be more useful to try to reinstall
it properly using @kbd{grub-install @var{device}} (@pxref{Invoking
grub-install}).  When doing this, there are a few things to remember:

@itemize @bullet{}
@item
Drive ordering in your operating system may not be the same as the boot
drive ordering used by your firmware.  Do not assume that your first hard
drive (e.g. @samp{/dev/sda}) is the one that your firmware will boot from.
@file{device.map} (@pxref{Device map}) can be used to override this, but it
is usually better to use UUIDs or file system labels and avoid depending on
drive ordering entirely.

@item
At least on BIOS systems, if you tell @command{grub-install} to install GRUB
to a partition but GRUB has already been installed in the master boot
record, then the GRUB installation in the partition will be ignored.

@item
If possible, it is generally best to avoid installing GRUB to a partition
(unless it is a special partition for the use of GRUB alone, such as the
BIOS Boot Partition used on GPT).  Doing this means that GRUB may stop being
able to read its core image due to a file system moving blocks around, such
as while defragmenting, running checks, or even during normal operation.
Installing to the whole disk device is normally more robust.

@item
Check that GRUB actually knows how to read from the device and file system
containing @file{/boot/grub}.  It will not be able to read from encrypted
devices with unsupported encryption scheme, nor from file systems for which
support has not yet been added to GRUB.
@end itemize


@node Firmware stalls instead of booting GRUB
@section Firmware stalls instead of booting GRUB

The EFI implementation of some older MacBook laptops stalls when it gets
presented a grub-mkrescue ISO image for x86_64-efi target on an USB stick.
Affected are models of year 2010 or earlier. Workaround is to zeroize the
bytes 446 to 461 of the EFI partition, where mformat has put a partition table
entry which claims partition start at block 0. This change will not hamper
bootability on other machines.


@node User-space utilities
@chapter User-space utilities

@menu
* Invoking grub-install::       How to use the GRUB installer
* Invoking grub-mkconfig::      Generate a GRUB configuration file
* Invoking grub-mkpasswd-pbkdf2::
                                Generate GRUB password hashes
* Invoking grub-mkrelpath::     Make system path relative to its root
* Invoking grub-mkrescue::      Make a GRUB rescue image
* Invoking grub-mount::         Mount a file system using GRUB
* Invoking grub-probe::         Probe device information for GRUB
* Invoking grub-protect::       Protect a disk key with a key protector
* Invoking grub-script-check::  Check GRUB script file for syntax errors
@end menu


@node Invoking grub-install
@section Invoking grub-install

The program @command{grub-install} generates a GRUB core image using
@command{grub-mkimage} and installs it on your system.  You must specify the
device name on which you want to install GRUB, like this:

@example
grub-install @var{install_device}
@end example

The device name @var{install_device} is an OS device name or a GRUB
device name.

@command{grub-install} accepts the following options:

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.

@item --boot-directory=@var{dir}
Install GRUB images under the directory @file{@var{dir}/grub/}
This option is useful when you want to install GRUB into a
separate partition or a removable disk.
If this option is not specified then it defaults to @file{/boot}, so

@example
@kbd{grub-install /dev/sda}
@end example

is equivalent to

@example
@kbd{grub-install --boot-directory=/boot/ /dev/sda}
@end example

Here is an example in which you have a separate @dfn{boot} partition which is 
mounted on
@file{/mnt/boot}:

@example
@kbd{grub-install --boot-directory=/mnt/boot /dev/sdb}
@end example

@item --recheck
Recheck the device map, even if @file{/boot/grub/device.map} already
exists. You should use this option whenever you add/remove a disk
into/from your computer.

@item --no-rs-codes
By default on x86 BIOS systems, @command{grub-install} will use some
extra space in the bootloader embedding area for Reed-Solomon
error-correcting codes. This enables GRUB to still boot successfully
if some blocks are corrupted.  The exact amount of protection offered
is dependent on available space in the embedding area.  R sectors of
redundancy can tolerate up to R/2 corrupted sectors. This
redundancy may be cumbersome if attempting to cryptographically
validate the contents of the bootloader embedding area, or in more
modern systems with GPT-style partition tables (@pxref{BIOS
installation}) where GRUB does not reside in any unpartitioned space
outside of the MBR.  Disable the Reed-Solomon codes with this option.
@end table

@node Invoking grub-mkconfig
@section Invoking grub-mkconfig

The program @command{grub-mkconfig} generates a configuration file for GRUB
(@pxref{Simple configuration}).

@example
grub-mkconfig -o /boot/grub/grub.cfg
@end example

@command{grub-mkconfig} accepts the following options:

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.

@item -o @var{file}
@itemx --output=@var{file}
Send the generated configuration file to @var{file}.  The default is to send
it to standard output.
@end table


@node Invoking grub-mkpasswd-pbkdf2
@section Invoking grub-mkpasswd-pbkdf2

The program @command{grub-mkpasswd-pbkdf2} generates password hashes for
GRUB (@pxref{Security}).

@example
grub-mkpasswd-pbkdf2
@end example

@command{grub-mkpasswd-pbkdf2} accepts the following options:

@table @option
@item -c @var{number}
@itemx --iteration-count=@var{number}
Number of iterations of the underlying pseudo-random function.  Defaults to
10000.

@item -l @var{number}
@itemx --buflen=@var{number}
Length of the generated hash.  Defaults to 64.

@item -s @var{number}
@itemx --salt=@var{number}
Length of the salt.  Defaults to 64.
@end table


@node Invoking grub-mkrelpath
@section Invoking grub-mkrelpath

The program @command{grub-mkrelpath} makes a file system path relative to
the root of its containing file system.  For instance, if @file{/usr} is a
mount point, then:

@example
$ @kbd{grub-mkrelpath /usr/share/grub/unicode.pf2}
@samp{/share/grub/unicode.pf2}
@end example

This is mainly used internally by other GRUB utilities such as
@command{grub-mkconfig} (@pxref{Invoking grub-mkconfig}), but may
occasionally also be useful for debugging.

@command{grub-mkrelpath} accepts the following options:

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.
@end table


@node Invoking grub-mkrescue
@section Invoking grub-mkrescue

The program @command{grub-mkrescue} generates a bootable GRUB rescue image
(@pxref{Making a GRUB bootable CD-ROM}).

@example
grub-mkrescue -o grub.iso
@end example

All arguments not explicitly listed as @command{grub-mkrescue} options are
passed on directly to @command{xorriso} in @command{mkisofs} emulation mode.
Options passed to @command{xorriso} will normally be interpreted as
@command{mkisofs} options; if the option @samp{--} is used, then anything
after that will be interpreted as native @command{xorriso} options.

Non-option arguments specify additional source directories.  This is
commonly used to add extra files to the image:

@example
mkdir -p disk/boot/grub
@r{(add extra files to @file{disk/boot/grub})}
grub-mkrescue -o grub.iso disk
@end example

@command{grub-mkrescue} accepts the following options:

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.

@item -o @var{file}
@itemx --output=@var{file}
Save output in @var{file}.  This "option" is required.

@item --modules=@var{modules}
Pre-load the named GRUB modules in the image.  Multiple entries in
@var{modules} should be separated by whitespace (so you will probably need
to quote this for your shell).

@item --rom-directory=@var{dir}
If generating images for the QEMU or Coreboot platforms, copy the resulting
@file{qemu.img} or @file{coreboot.elf} files respectively to the @var{dir}
directory as well as including them in the image.

@item --xorriso=@var{file}
Use @var{file} as the @command{xorriso} program, rather than the built-in
default.

@item --grub-mkimage=@var{file}
Use @var{file} as the @command{grub-mkimage} program, rather than the
built-in default.
@end table


@node Invoking grub-mount
@section Invoking grub-mount

The program @command{grub-mount} performs a read-only mount of any file
system or file system image that GRUB understands, using GRUB's file system
drivers via FUSE.  (It is only available if FUSE development files were
present when GRUB was built.)  This has a number of uses:

@itemize @bullet
@item
It provides a convenient way to check how GRUB will view a file system at
boot time.  You can use normal command-line tools to compare that view with
that of your operating system, making it easy to find bugs.

@item
It offers true read-only mounts.  Linux does not have these for journalling
file systems, because it will always attempt to replay the journal at mount
time; while you can temporarily mark the block device read-only to avoid
this, that causes the mount to fail.  Since GRUB intentionally contains no
code for writing to file systems, it can easily provide a guaranteed
read-only mount mechanism.

@item
It allows you to examine any file system that GRUB understands without
needing to load additional modules into your running kernel, which may be
useful in constrained environments such as installers.

@item
Since it can examine file system images (contained in regular files) just as
easily as file systems on block devices, you can use it to inspect any file
system image that GRUB understands with only enough privileges to use FUSE,
even if nobody has yet written a FUSE module specifically for that file
system type.
@end itemize

Using @command{grub-mount} is normally as simple as:

@example
grub-mount /dev/sda1 /mnt
@end example

@command{grub-mount} must be given one or more images and a mount point as
non-option arguments (if it is given more than one image, it will treat them
as a RAID set), and also accepts the following options:

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.

@item -C
@itemx --crypto
Mount encrypted devices, prompting for a passphrase if necessary.

@item -d @var{string}
@itemx --debug=@var{string}
Show debugging output for conditions matching @var{string}.

@item -K prompt|@var{file}
@itemx --zfs-key=prompt|@var{file}
Load a ZFS encryption key.  If you use @samp{prompt} as the argument,
@command{grub-mount} will read a passphrase from the terminal; otherwise, it
will read key material from the specified file.

@item -r @var{device}
@itemx --root=@var{device}
Set the GRUB root device to @var{device}.  You do not normally need to set
this; @command{grub-mount} will automatically set the root device to the
root of the supplied file system.

If @var{device} is just a number, then it will be treated as a partition
number within the supplied image.  This means that, if you have an image of
an entire disk in @file{disk.img}, then you can use this command to mount
its second partition:

@example
grub-mount -r 2 disk.img mount-point
@end example

@item -v
@itemx --verbose
Print verbose messages.
@end table


@node Invoking grub-probe
@section Invoking grub-probe

The program @command{grub-probe} probes device information for a given path
or device.

@example
grub-probe --target=fs /boot/grub
grub-probe --target=drive --device /dev/sda1
@end example

@command{grub-probe} must be given a path or device as a non-option
argument, and also accepts the following options:

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.

@item -d
@itemx --device
If this option is given, then the non-option argument is a system device
name (such as @samp{/dev/sda1}), and @command{grub-probe} will print
information about that device.  If it is not given, then the non-option
argument is a filesystem path (such as @samp{/boot/grub}), and
@command{grub-probe} will print information about the device containing that
part of the filesystem.

@item -m @var{file}
@itemx --device-map=@var{file}
Use @var{file} as the device map (@pxref{Device map}) rather than the
default, usually @samp{/boot/grub/device.map}.

@item -t @var{target}
@itemx --target=@var{target}
Print information about the given path or device as defined by @var{target}.
The available targets and their meanings are:

@table @samp
@item fs
GRUB filesystem module.
@item fs_uuid
Filesystem Universally Unique Identifier (UUID).
@item fs_label
Filesystem label.
@item drive
GRUB device name.
@item device
System device name.
@item partmap
GRUB partition map module.
@item abstraction
GRUB abstraction module (e.g. @samp{lvm}).
@item cryptodisk_uuid
Crypto device UUID.
@item msdos_parttype
MBR partition type code (two hexadecimal digits).
@item hints_string
A string of platform search hints suitable for passing to the
@command{search} command (@pxref{search}).
@item bios_hints
Search hints for the PC BIOS platform.
@item ieee1275_hints
Search hints for the IEEE1275 platform.
@item baremetal_hints
Search hints for platforms where disks are addressed directly rather than
via firmware.
@item efi_hints
Search hints for the EFI platform.
@item arc_hints
Search hints for the ARC platform.
@item compatibility_hint
A guess at a reasonable GRUB drive name for this device, which may be
used as a fallback if the @command{search} command fails.
@item disk
System device name for the whole disk.
@end table

@item -v
@itemx --verbose
Print verbose messages.
@end table


@node Invoking grub-protect
@section Invoking grub-protect

The program @command{grub-protect} protects a disk encryption key with
a specified key protector.

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.

@item -a add|remove
@itemx --action=add|remove
Add or remove a key protector to or from a key.

@item -p @var{protector}
@itemx --protector=@var{protector}
Set the key protector. Currently, @samp{tpm2} is the only supported key
protector.

@item --tpm2-asymmetric=@var{type}
Choose the the type of SRK. The valid options are @samp{RSA} (@samp{RSA2048})
and @samp{ECC} (@samp{ECC_NIST_P256}).(default: @samp{ECC})

@item --tpm2-bank=@var{alg}
Choose bank of PCRs used to authorize key release: @samp{SHA1}, @samp{SHA256},
@samp{SHA384}, or @samp{SHA512}. (default: @samp{SHA256})

@item --tpm2-device=@var{device}
Set the path to the TPM2 device. (default: @samp{/dev/tpm0})

@item --tpm2-evict
Evict a previously persisted SRK from the TPM, if any.

@item --tpm2-keyfile=@var{file}
Set the path to a file that contains the cleartext key to protect.

@item --tpm2-outfile=@var{file}
Set the path to the file that will contain the key after sealing
(must be accessible to GRUB during boot).

@item --tpm2-pcrs=@var{pcrs}
Set a comma-separated list of PCRs used to authorize key release e.g., @samp{7,11}.
Please be aware that PCR 0~7 are used by the firmware and the measurement result
may change after a firmware update (for baremetal systems) or a package
(OVMF/SLOF) update in the VM host. This may lead to the failure of key
unsealing. (default: @samp{7})

@item --tpm2-srk=@var{handle}
Set the SRK handle, e.g. @samp{0x81000000}, if the SRK is to be made persistent.

@item --tpm2-nvindex=@var{handle}
Set the handle, e.g. @samp{0x81000000} or @samp{0x1000000}, for NV index mode.

@item --tpm2key
Use TPM 2.0 Key File format.

@end table

@subsection 'Add' action

Before sealing the key, please check the TPM PCR usage
(@pxref{TPM2 key protector, TPM PCR usage}) to choose a proper set of PCRs.

Assume that there is a key file, @file{luks.key}, to be sealed with PCR 0, 2,
4, and 7, and here is the @command{grub-protect} command to create the sealed
key file:

@example
@group
# @kbd{grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm}
@end group
@end example

Then, GRUB can unlock the target partition with the following commands:

@example
grub> @kbd{tpm2_key_protector_init -T (hd0,gpt1)/efi/grub/sealed.tpm}
grub> @kbd{cryptomount -u <UUID> -P tpm2}
@end example

Besides writing the PCR-sealed key into a file, @command{grub-protect} can
write the sealed key into TPM non-volatile memory. Here is the
@command{grub-protect} command to write the sealed key into the NV index
handle @samp{0x1000000}.

@example
@group
# @kbd{grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-nvindex=0x1000000}
@end group
@end example

Later, GRUB can fetch the key from @samp{0x1000000}.

@example
grub> @kbd{tpm2_key_protector_init --mode=nv --nvindex=0x1000000}
grub> @kbd{cryptomount -u <UUID> -P tpm2}
@end example

In most of cases, the user only needs to create the key with the `add' action.
If auto-unlocking is unwanted, just remove the file and the
@command{tpm2_key_protector_init} command and invoke the @command{cryptomount}
command without @kbd{-P tpm2}.

@subsection 'Remove' action

The `remove' action is used to remove the handles for NV index mode and the
persistent SRK.

@subsubsection Handles for NV index mode

There are two types of TPM handles supported by NV index mode: persistent
handles and NV index handles, and @command{tpm2_getcap} can be used to
check the existing handles.

To display the list of existing persistent handles:

@example
@group
# @kbd{tpm2_getcap handles-persistent}
- 0x81000000
@end group
@end example

Similarly, to display the list of existing NV index handles:

@example
@group
# @kbd{tpm2_getcap handles-nv-index}
- 0x1000000
@end group
@end example

If the sealed key at an NV index handle is not needed anymore, the user can
remove the handle with @kbd{--tpm2-nvindex} and @kbd{--tpm2-evict}. For
example, this command removes the data from NV index @samp{0x1000000}:

@example
@group
# @kbd{grub-protect --action=remove \
               --protector=tpm2 \
               --tpm2-evict \
               --tpm2-nvindex 0x1000000} \
@end group
@end example

@subsubsection Persistent SRK

There are two supported SRKs in @command{grub-protect}: @samp{RSA} and @samp{ECC}.
Due to slower key generation, some users of the @samp{RSA} SRK may prefer
making it persistent so that the TPM can skip the SRK generation when GRUB tries
to unseal the key.

The available persistent handles can be checked with @command{tpm2_getcap}.

@example
@group
# @kbd{tpm2_getcap properties-variable}
...
TPM2_PT_HR_PERSISTENT: 0x0
TPM2_PT_HR_PERSISTENT_AVAIL: 0x41
...
@end group
@end example

In this system, there is no persistent handle. A TPM handle is an unsigned
32-bit integer, and the persistent handles starts with @samp{0x81}. Here
we choose the well-known persistent handle: @samp{0x81000000}.

@example
@group
# @kbd{grub-protect --action=add \
               --protector=tpm2 \
               --tpm2-pcrs=0,2,4,7 \
               --tpm2-asymmetric=RSA \
               --tpm2-srk=0x81000000 \
               --tpm2key \
               --tpm2-keyfile=luks.key \
               --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm}
@end group
@end example

The additional @kbd{--tpm2-asymmetric=RSA} and @kbd{--tpm2-srk=0x81000000}
options are used to make the key sealed with the RSA SRK and store the SRK
in @samp{0x81000000}.

For the @command{tpm2_key_protector_init} command, the additional @kbd{-s 0x81000000}
informs the TPM2 key protector to fetch the SRK from @samp{0x81000000}.

@example
grub> @kbd{tpm2_key_protector_init -s 0x81000000 -T (hd0,gpt1)/efi/grub/sealed.tpm}
grub> @kbd{cryptomount -u <UUID> -P tpm2}
@end example

After making the SRK handle persistent, we can check the status of the
persistent handles with @command{tpm2_getcap}.

@example
@group
# @kbd{tpm2_getcap properties-variable}
...
TPM2_PT_HR_PERSISTENT: 0x1
TPM2_PT_HR_PERSISTENT_AVAIL: 0x40
...
# @kbd{tpm2_getcap handles-persistent}
- 0x81000000
@end group
@end example

The sealed key can be removed once the user does not want to use the TPM2 key
protector anymore. Here is the command to remove the persistent SRK handle
(@samp{0x81000000}) with @kbd{--tpm2-srk} and @kbd{--tpm2-evict}.

@example
@group
# @kbd{grub-protect --action=remove \
               --protector=tpm2 \
               --tpm2-srk 0x81000000 \
               --tpm2-evict}
@end group
@end example


@node Invoking grub-script-check
@section Invoking grub-script-check

The program @command{grub-script-check} takes a GRUB script file
(@pxref{Shell-like scripting}) and checks it for syntax errors, similar to
commands such as @command{sh -n}.  It may take a @var{path} as a non-option
argument; if none is supplied, it will read from standard input.

@example
grub-script-check /boot/grub/grub.cfg
@end example

@command{grub-script-check} accepts the following options:

@table @option
@item --help
Print a summary of the command-line options and exit.

@item --version
Print the version number of GRUB and exit.

@item -v
@itemx --verbose
Print each line of input after reading it.
@end table


@node Obtaining and Building GRUB
@appendix How to obtain and build GRUB

@quotation
@strong{Caution:} GRUB requires binutils-2.9.1.0.23 or later because the
GNU assembler has been changed so that it can produce real 16bits
machine code between 2.9.1 and 2.9.1.0.x. See
@uref{https://www.gnu.org/software/binutils/}, to obtain information on
how to get the latest version.
@end quotation

GRUB is available from the GNU alpha archive site
@uref{https://ftp.gnu.org/gnu/grub/} or any of its mirrors. The file
will be named grub-version.tar.gz. The current version is
@value{VERSION}, so the file you should grab is:

@uref{https://ftp.gnu.org/gnu/grub/grub-@value{VERSION}.tar.gz}

To unbundle GRUB use the instruction:

@example
@kbd{zcat grub-@value{VERSION}.tar.gz | tar xvf -}
@end example

which will create a directory called @file{grub-@value{VERSION}} with
all the sources. You can look at the file @file{INSTALL} for detailed
instructions on how to build and install GRUB, but you should be able to
just do:

@example
@group
@kbd{cd grub-@value{VERSION}}
@kbd{./configure}
@kbd{make install}
@end group
@end example

Also, the latest version is available using Git. See
@uref{https://www.gnu.org/software/grub/grub-download.html} for more
information.

@node Reporting bugs
@appendix Reporting bugs

These are the guideline for how to report bugs. Take a look at this
list below before you submit bugs:

@enumerate
@item
Before getting unsettled, read this manual through and through. Also,
see the @uref{https://www.gnu.org/software/grub/grub-faq.html, GNU GRUB FAQ}.

@item
Always mention the information on your GRUB. The version number and the
configuration are quite important. If you build it yourself, write the
options specified to the configure script and your operating system,
including the versions of gcc and binutils.

@item
If you have trouble with the installation, inform us of how you
installed GRUB. Don't omit error messages, if any. Just @samp{GRUB hangs
up when it boots} is not enough.

The information on your hardware is also essential. These are especially
important: the geometries and the partition tables of your hard disk
drives and your BIOS.

@item
If GRUB cannot boot your operating system, write down
@emph{everything} you see on the screen. Don't paraphrase them, like
@samp{The foo OS crashes with GRUB, even though it can boot with the
bar boot loader just fine}. Mention the commands you executed, the
messages printed by them, and information on your operating system
including the version number.

@item
Explain what you wanted to do. It is very useful to know your purpose
and your wish, and how GRUB didn't satisfy you.

@item
If you can investigate the problem yourself, please do. That will give
you and us much more information on the problem. Attaching a patch is
even better.

When you attach a patch, make the patch in unified diff format, and
write ChangeLog entries. But, even when you make a patch, don't forget
to explain the problem, so that we can understand what your patch is
for.

@item
Write down anything that you think might be related. Please understand
that we often need to reproduce the same problem you encountered in our
environment. So your information should be sufficient for us to do the
same thing---Don't forget that we cannot see your computer directly. If
you are not sure whether to state a fact or leave it out, state it!
Reporting too many things is much better than omitting something
important.
@end enumerate

If you follow the guideline above, submit a report to the
@uref{https://savannah.gnu.org/bugs/?group=grub, Bug Tracking System}.
Alternatively, you can submit a report via electronic mail to
@email{bug-grub@@gnu.org}, but we strongly recommend that you use the
Bug Tracking System, because e-mail can be passed over easily.

Once we get your report, we will try to fix the bugs.


@node Future
@appendix Where GRUB will go

GRUB 2 is now quite stable and used in many production systems.  We are
currently working on the 2.x series.

If you are interested in the development of GRUB 2, take a look at
@uref{https://www.gnu.org/software/grub/grub.html, the homepage}.





@node Copying This Manual
@appendix Copying This Manual

@menu
* GNU Free Documentation License::  License for copying this manual.
@end menu

@include fdl.texi


@node Index
@unnumbered Index

@c Currently, we use only the Concept Index.
@printindex cp


@bye

Some notes:

  This is an attempt to make a manual for GRUB 2. The contents are
  copied from the GRUB manual in GRUB Legacy, so they are not always
  appropriate yet for GRUB 2.