gummiboot

From gummiboot homepage:

gummiboot is a simple UEFI boot manager which executes configured EFI images. The default entry is selected by a configured pattern (glob) or an on-screen menu.

It is simple to configure, but can only start EFI executables, the Linux kernel EFISTUB, UEFI Shell, grub.efi, and such.

Warning: gummiboot simply provides a boot menu for EFISTUB kernels. In case you have issues booting EFISTUB kernels like in FS#33745, you should use a boot loader which does not use EFISTUB, like GRUB, Syslinux or ELILO.
Note: In the entire article $esp denotes the mountpoint of the EFI System Partition aka ESP.

Installation

EFI boot

First, make sure you are booted in UEFI mode, your EFI variables are accessible, your EFI System Partition is properly mounted and your kernel and initramfs are copied onto that ESP as gummiboot cannot load EFI binaries from other partitions. It is therefore strongly recommended to mount your ESP to /boot if you use gummiboot.

Then, install the package gummiboot from the official repositories.

Finally, type the following command to copy the gummiboot binary to your EFI System Partition and add gummiboot itself as the default EFI application (default boot entry) loaded by the EFI Boot Manager. If you are not booted in UEFI mode and your EFI variables are not accessible, creating the boot entry will fail. You should however still be able to boot gummiboot as it copies the binary to the default EFI binary location on your ESP ($esp/EFI/boot/bootx64.efi on x64 systems) unless a non-gummiboot EFI application is already present as the same filename.

# gummiboot --path=$esp install

Legacy boot

Note: This is not the recommended process

You can also successfully install gummiboot if booted with a legacy OS. However, this requires that you later on tell your firmware to launch gummiboot's EFI file on boot:

  • you either have a working EFI shell somewhere;
  • or your firmware interface provides you with a way of properly setting the EFI file that will be loaded at boot time.
Note: E.g. on Dell's Latitude series, the firmware interface provides everything you need to setup EFI boot, and the EFI Shell won't be able to write to the computer's ROM.

If you can do so, the installation is easier: install gummiboot from the official repositories, go into your EFI shell or your firmware configuration interface and change your machine's default EFI file to /<EFI boot partition>/efi/gummiboot/gummibootx64.efi.

Updating

gummiboot assumes that your EFI System Partition is mounted on /boot in which case, each time a new gummiboot version is installed, the command gummiboot --path=$esp update will be called automatically by the post_install method of the install script. If your ESP is not mounted on /boot, you will have to call manually that command.

Configuration

Basic configuration

The basic configuration is kept in $esp/loader/loader.conf, with just two possible configuration options:

  • default – default entry to select (without the .conf suffix); can be a wildcard like arch-*
  • timeout – menu timeout in seconds. If this is not set, the menu will only be shown when you hold the space key while booting.

Example:

$esp/loader/loader.conf
default  arch
timeout  4

Note that both options can be changed in the boot menu itself, which will store them as EFI variables.

Note: If no timeout is configured, which is the default setting, and no key pressed during bootup, the default entry is executed right away.

Adding boot entries

Note: gummiboot will automatically check for "Windows Boot Manager" (\EFI\Microsoft\Boot\Bootmgfw.efi), "EFI Shell" (\shellx64.efi) and "EFI Default Loader" (\EFI\Boot\bootx64.efi). Where detected, entries will also automatically be generated for them as well. However, it does not auto-detect other EFI applications (unlike rEFInd), so for booting the kernel, manual configuration entries must be created.
Tip: You can find the PARTUUID for your Root partition with the command blkid -s PARTUUID -o value /dev/sdxY, where 'x' is the device letter and 'Y' is the partition number. This is required only for your Root partition, not $esp.

gummiboot searches for boot menu items in $esp/loader/entries/*.conf – each file found must contain exactly one boot entry. The possible options are:

  • title – operating system name. Required.
  • version – kernel version, shown only when multiple entries with same title exist. Optional.
  • machine-id – machine identifier from /etc/machine-id, shown only when multiple entries with same title and version exist. Optional.
  • efi – EFI program to start, relative to your ESP ($esp); e.g. /vmlinuz-linux. Either this or linux (see below) is required.
  • options – command line options to pass to the EFI program. Optional, but you will need at least initrd=efipath and root=dev if booting Linux.

For Linux, you can specify linux path-to-vmlinuz and initrd path-to-initramfs; this will be automatically translated to efi path and options initrd=path – this syntax is only supported for convenience and has no differences in function.

Standard root installations

Here is an example entry for a root partition without LVM or LUKS:

$esp/loader/entries/arch.conf
title          Arch Linux
linux          /vmlinuz-linux
initrd         /initramfs-linux.img
options        root=PARTUUID=14420948-2cea-4de7-b042-40f67c618660 rw

Please note in the example above that PARTUUID/PARTLABEL identifies a GPT partition, and differs from UUID/LABEL, which identifies a filesystem. Using the PARTUUID/PARTLABEL is advantageous because it is invariant (i.e. unchanging) if you reformat the partition with another filesystem, or if the /dev/sd* mapping changed for some reason. It is also useful if you do not have a filesystem on the partition (or use LUKS, which does not support LABELs).

LVM root installations

Here is an example for a root partition using Logical Volume Management:

$esp/loader/entries/arch-lvm.conf
title          Arch Linux (LVM)
linux          /vmlinuz-linux
initrd         /initramfs-linux.img
options        root=/dev/mapper/<VolumeGroup-LogicalVolume> rw

Replace <VolumeGroup-LogicalVolume> with the actual VG and LV names (e.g. root=/dev/mapper/volgroup00-lvolroot). Alternatively, it is also possible to use a UUID instead:

....
options  root=UUID=<UUID identifier> rw

Note that root=UUID= is used instead of root=PARTUUID=, which is used for Root partitions without LVM or LUKS.

Encrypted Root Installations

Here is an example configuration file for an encrypted root partition (DM-Crypt / LUKS):

$esp/loader/entries/arch-encrypted.conf
title Arch Linux Encrypted
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:<mapped-name> root=UUID=<luks-UUID> quiet ro

UUID is used in this example; PARTUUID should be able to replace the UUID, if so desired. Note that <luks-UUID> denotes the UUID of the actual decrypted root filesystem (the one under /dev/mapper/<mapped-name>) and not the UUID of the device. See Dm-crypt/System configuration#Boot loader.

You can also add other EFI programs such as \EFI\arch\grub.efi.

Add security

You have to note that the kernel command line parameters can be edited from the gummiboot's boot manager menu (see #Keys inside the boot menu) by pressing e. This is a major security flaw since if you redefine the init= kernel argument with init=/bin/bash for example, this will boot your machine directly as root without any password, bypassing easily the root password that has been defined! Since gummiboot does not currently have a password feature and has no ability to prevent kernel parameters changes, you need to make sure to define a password at hardware level (UEFI/BIOS) which prevents the computer to boot if the right password has not been entered.

Since security is made of several levels and physical access already breaks any security systems, maybe encrypting your disk with dm-crypt would come in handy especially if your machine is a laptop. But this is another concern not related to gummiboot.

Support hibernation

Please refer to that article Suspend and hibernate, especially the Example for gummiboot.

Keys inside the boot menu

The following keys are used inside the menu:

  • Up/Down - select entry
  • Enter - boot the selected entry
  • d - select the default entry to boot (stored in a non-volatile EFI variable)
  • -/T - decrease the timeout (stored in a non-volatile EFI variable)
  • +/t - increase the timeout (stored in a non-volatile EFI variable)
  • e - edit the kernel command line
  • v - show the gummiboot and UEFI version
  • Q - quit
  • P - print the current configuration
  • h/? - help

These hotkeys will, when pressed inside the menu or during bootup, directly boot a specific entry:

  • l - Linux
  • w - Windows
  • a - OS X
  • s - EFI Shell
  • 1-9 - number of entry

Troubleshooting

Manual entry using efibootmgr

If gummiboot install command failed, you can create a EFI boot entry manually using efibootmgr utility:

# efibootmgr -c -d /dev/sdX -p Y -l /EFI/gummiboot/gummibootx64.efi -L "Gummiboot"

where /dev/sdXY is the EFISYS partition.

Menu does not appear after Windows upgrade

For example, if you upgraded from Windows 8 to Windows 8.1, and you no longer see a boot menu after the upgrade (i.e., Windows boots immediately):

  • Make sure Secure Boot (UEFI setting) and Fast Startup (Windows power option setting) are both disabled.
  • Make sure your UEFI prefers Linux Boot Manager over Windows Boot Manager (UEFI setting like Hard Drive Disk Priority).

See also