GRUB Project: 2025 and Beyond

The GRUB (GRand Unified Bootloader) project is constantly being refined with the addition of new functionalities, bolstered security measures, and overall improvements. This article highlights the recent advancements in GRUB, based on the project status report presented by Daniel Kiper from Oracle at FOSDEM 2025 in Brussels on February 1, 2025.

What is GRUB?

GRUB is a robust and versatile bootloader used by numerous Linux distributions. Its core function is to load the operating system when the computer starts. GRUB lets users select among several operating systems, adjust boot parameters, and carry out system recovery procedures.

Key Updates in GRUB

Updates in the Last Year

In the past year, GRUB has gained new features aimed at boosting system security and performance:

  • EROFS Support: GRUB now supports the Enhanced Read-Only File System (EROFS), offering improved performance and space utilization for read-only partitions.

  • Improved Security Controls: When GRUB is compiled with --disable-cli, command-line access and menu entry editing are disabled, mitigating potential security risks.

  • Core NX Support for EFI: GRUB now supports the Non-Executable (NX) bit on EFI platforms, bolstering memory security.

  • Stricter PE File Section Alignment: GRUB mandates alignment with the page size (minimum 4KB), promoting compatibility with contemporary hardware and security standards.

  • Better Memory Protection: GRUB now prevents sections from being both writable and executable, adhering to established security practices.

  • SBAT Support for ELF Files: SBAT (Secure Boot Advanced Targeting) metadata is now supported for ELF files, which enhances Secure Boot management and strengthens system integrity.

  • TPM2-Based Automatic Disk Unlocking: Users on EFI and IEEE1275 PowerPC platforms can now unlock disks automatically using TPM2.

  • Enhanced Font Detection: The build system features refined font detection for improved UI rendering.

  • Better Upstream Patch Management: More patches are being incorporated into the main GRUB codebase, reducing fragmentation.
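
An added example, not GRUB's code or code from the presentation: a Python audit of a PE image for two of the properties listed above, section alignment of at least one 4 KB page and no section that is both writable and executable. `audit_pe` and `build_sample` are hypothetical names, the sample images are constructed header-only inputs, and reading "alignment with the page size" as "a multiple of 4096" is an assumption.

```python
import struct

PAGE_SIZE = 4096                       # minimum alignment the article cites (4 KB)
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_*

def audit_pe(image: bytes) -> list:
    """Return findings for a PE image; an empty list means both checks pass."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    opt_off = pe_off + 24                                   # optional header start
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # SectionAlignment sits at offset 32 in both PE32 and PE32+ headers.
    (alignment,) = struct.unpack_from("<I", image, opt_off + 32)
    findings = []
    if alignment < PAGE_SIZE or alignment % PAGE_SIZE:
        findings.append(f"SectionAlignment {alignment:#x} is not a multiple of {PAGE_SIZE:#x}")
    table = opt_off + opt_size                              # section table start
    for i in range(nsections):
        # Each section header is 40 bytes: 8-byte name, Characteristics at offset 36.
        name, flags = struct.unpack_from("<8s28xI", image, table + 40 * i)
        if flags & MEM_WRITE and flags & MEM_EXECUTE:
            label = name.rstrip(b"\0").decode("ascii", "replace")
            findings.append(f"section {label} is both writable and executable")
    return findings

def build_sample(alignment: int, sections: list) -> bytes:
    """Constructed input: PE32+ headers only (no section data), for the checks above."""
    opt = bytearray(112)                                    # PE32+ header, no data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 32, alignment)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)     # e_lfanew points to 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8s28xI", name, flags) for name, flags in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    hardened = build_sample(0x1000, [(b".text", MEM_READ | MEM_EXECUTE), (b".data", MEM_READ | MEM_WRITE)])
    legacy = build_sample(0x200, [(b".text", MEM_READ | MEM_WRITE | MEM_EXECUTE)])
    print(audit_pe(hardened))
    print(audit_pe(legacy))
```

Only the headers are read, so the same function can be pointed at the bytes of a real EFI binary to review it before signing or deployment.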

Current Year Developments in the GRUB Project

The GRUB team is actively developing several notable features and enhancements:

  1. Shim Loader Protocol Support for EFI Platforms: This enhancement improves compatibility with secure boot implementations.

  2. TrenchBoot Support for x86 Architectures: Integration of TrenchBoot, a project focused on securing the boot process, is underway for both Intel and AMD systems.

  3. BLS and UKI Support: Adding support for Boot Loader Specification (BLS) and Unified Kernel Image (UKI) to optimize boot procedures.

  4. Appended Signature Secure Boot for PowerPC: This addition strengthens secure boot capabilities on PowerPC systems.

  5. Library Updates: Updating embedded libraries, like libgcrypt (necessary for Argon2 KDF), to their latest versions.

  6. Downstream Patch Forward Porting: Continuing the integration of patches from various distributions into the main codebase.

  7. CI Infrastructure Setup: Developing a Continuous Integration (CI) system to automate testing and improve code robustness.

  8. Next Code Freeze and Release: Plans for a code freeze in the near future, leading to a new GRUB release.

Fedora’s Downstream GRUB Patches

Alec Brown from Oracle provided statistics regarding Fedora’s downstream GRUB patches:

  • GRUB 2.02: Across 11 Fedora versions (21 to 31), the number of patches increased from 151 to 370, encompassing backported and new patches.

  • GRUB 2.04: Fedora 32 and 33 included a total of 437 patches, featuring 28 backported and 67 new patches.

  • GRUB 2.06: From Fedora 34 to 40, the patch count reached 544, with 84 backported and 98 new patches implemented.

These figures underscore the cooperative effort between the GRUB development community and Fedora in refining the bootloader. The numbers also show that while Fedora contributes significantly to GRUB, numerous patches are integrated upstream, which reduces the need for separate downstream fixes.

What’s Next for GRUB?

Through ongoing advancements, GRUB remains a prevalent bootloader across Linux systems. The team is focused on:

  • Increasing the inclusion of Fedora patches into the upstream codebase.

  • Improving security measures, especially concerning Secure Boot and TPM-based authentication.

  • Refining the testing framework to ensure GRUB maintains its reliability on modern hardware.

Please refer to the full presentation for more detailed information.


GRUB’s ongoing development demonstrates a commitment to security, performance, and compatibility, ensuring its continued relevance in the Linux ecosystem.