The role of a boot loader
The following is a quotation from Gordon Matzigkeit, a GRUB fanatic:
Some people like to acknowledge both the operating system and kernel when they talk about their computers, so they might say they use “GNU/Linux” or “GNU/Hurd”. Other people seem to think that the kernel is the most important part of the system, so they like to call their GNU operating systems “Linux systems.”
I, personally, believe that this is a grave injustice, because the boot loader is the most important software of all. I used to refer to the above systems as either “LILO” or “GRUB” systems.
Unfortunately, nobody ever understood what I was talking about; now I just use the word “GNU” as a pseudonym for GRUB.
So, if you ever hear people talking about their alleged “GNU” systems, remember that they are actually paying homage to the best boot loader around… GRUB!
We, the GRUB maintainers, do not (usually) encourage Gordon’s level of fanaticism, but it helps to remember that boot loaders deserve recognition. We hope that you enjoy using GNU GRUB as much as we did writing it.
Naming convention
The device syntax used in GRUB is a wee bit different from what you may have seen before in your operating system(s), and you need to know it so that you can specify a drive/partition.
Look at the following examples and explanations:
(fd0)
First of all, GRUB requires that the device name is enclosed with ( and ). The fd part means that it is a floppy disk. The number 0 is the drive number, which is counted from zero. This expression means that GRUB will use the whole floppy disk.
(hd0,1)
Here, hd means it is a hard disk drive. The first integer 0 indicates the drive number, that is, the first hard disk, while the second integer, 1, indicates the partition number (or the PC slice number in the BSD terminology). Once again, please note that the partition numbers are counted from zero, not from one. This expression means the second partition of the first hard disk drive. In this case, GRUB uses one partition of the disk, instead of the whole disk.
(hd0,4)
This specifies the first extended partition of the first hard disk drive. Note that the partition numbers for extended partitions are counted from 4, regardless of the actual number of primary partitions on your hard disk.
(hd1,a)
This means the BSD a partition of the second hard disk. If you need to specify which PC slice number should be used, use something like this: (hd1,0,a). If the PC slice number is omitted, GRUB searches for the first PC slice which has a BSD a partition.
Of course, to actually access the disks or partitions with GRUB, you need to use the device specification in a command, like root (fd0) or unhide (hd0,2). To help you find out which number specifies the partition you want, the GRUB command-line (see Command-line interface) options have argument completion. That means that, for example, you only need to type root (, followed by a <TAB>, and GRUB will display the list of drives, partitions, or file names, so it should be quite easy to determine the name of your target partition, even with minimal knowledge of the syntax.
Note that GRUB does not distinguish IDE from SCSI – it simply counts the drive numbers from zero, regardless of their type. Normally, any IDE drive number is less than any SCSI drive number, although that is not true if you change the boot sequence by swapping IDE and SCSI drives in your BIOS.
Now the question is, how to specify a file? Again, see this example:
(hd0,0)/vmlinuz
This specifies the file named vmlinuz, found on the first partition of the first hard disk drive. Note that the argument completion works with file names, too.
That was easy, admit it. Do read the next chapter to find out how to actually install GRUB on your drive.
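The device syntax described above, as an added example that is not part of the GRUB manual or GRUB's own code: a small Python parser for the forms shown in this chapter, which turns the zero-based numbers into a plain description. The names parse_grub_device and describe are hypothetical, and only the forms listed on this page are accepted.

```python
import re
from typing import NamedTuple, Optional

# Forms shown in this chapter: (fd0), (hd0,1), (hd1,a), (hd1,0,a), each
# optionally followed by an absolute file name such as /vmlinuz.
_SPEC = re.compile(r"^\((fd|hd)(\d+)(?:,(\d+))?(?:,([a-z]))?\)(/.*)?$")


class GrubDevice(NamedTuple):
    kind: str                 # "fd" (floppy disk) or "hd" (hard disk)
    drive: int                # zero-based drive number
    partition: Optional[int]  # zero-based partition / PC slice, None if absent
    bsd: Optional[str]        # BSD partition letter such as "a"
    path: Optional[str]       # file name on the device, if given


def parse_grub_device(spec: str) -> GrubDevice:
    """Parse a device specification; the parentheses are mandatory."""
    m = _SPEC.match(spec.strip())
    if m is None:
        raise ValueError(f"not a GRUB device specification: {spec!r}")
    kind, drive, part, bsd, path = m.groups()
    return GrubDevice(kind, int(drive),
                      None if part is None else int(part), bsd, path)


def describe(spec: str) -> str:
    """Spell out a specification using one-based, human-readable ordinals."""
    d = parse_grub_device(spec)
    text = f"{'floppy' if d.kind == 'fd' else 'hard disk'} drive {d.drive + 1}"
    if d.partition is not None:
        # Numbers 0-3 are primary partitions; extended ones start at 4.
        if d.partition < 4:
            text += f", primary partition {d.partition + 1}"
        else:
            text += f", extended partition {d.partition - 3}"
    if d.bsd is not None:
        text += f", BSD partition '{d.bsd}'"
        if d.partition is None:
            text += " (first PC slice that has one)"
    if d.partition is None and d.bsd is None:
        text += ", whole disk"
    if d.path:
        text += f", file {d.path}"
    return text
```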
Creating a GRUB boot floppy
To create a GRUB boot floppy, you need to take the files stage1 and stage2 from the image directory, and write them to the first and the second block of the floppy disk, respectively.
Caution: This procedure will destroy any data currently stored on the floppy.
On a UNIX-like operating system, that is done with the following commands:
# cd /usr/share/grub/i386-pc
# dd if=stage1 of=/dev/fd0 bs=512 count=1
1+0 records in
1+0 records out
# dd if=stage2 of=/dev/fd0 bs=512 seek=1
153+1 records in
153+1 records out
#
Installing GRUB natively
Caution: Installing GRUB’s stage1 in this manner will erase the normal boot-sector used by an OS.
GRUB can currently boot GNU Mach, Linux, FreeBSD, NetBSD, and OpenBSD directly, so using it on a boot sector should be okay. But generally, it would be a good idea to back up the first sector of the partition on which you are installing GRUB’s stage1. This isn’t as important if you are installing GRUB on the first sector of a hard disk, since it’s easy to reinitialize it (e.g. by running FDISK /MBR from DOS).
If you decide to install GRUB in the native environment, which is definitely desirable, you’ll need to create the GRUB boot disk, and reboot your computer with it. Otherwise, see Installing GRUB using grub-install, for more details.
Once started, GRUB will show the command-line interface (see Command-line interface). First, set GRUB’s root device to the boot directory, like this:
grub> root (hd0,0)
If you are not sure which partition actually holds these files, use the command find (see find), like this:
grub> find /boot/grub/stage1
This will search for the file name /boot/grub/stage1 and show the devices which contain the file.
Once you’ve set the root device correctly, run the command setup (see setup):
grub> setup (hd0)
This command will install GRUB on the MBR in the first drive. If you want to install GRUB into the boot sector of a partition instead of the MBR, specify a partition into which you want to install GRUB:
grub> setup (hd0,0)
If you install GRUB into a partition or a drive other than the first one, you must chain-load GRUB from another boot loader. Refer to the manual for the boot loader to know how to chain-load GRUB.
Now you can boot GRUB without a GRUB floppy. See the chapter Booting to find out how to boot your operating systems from GRUB.
Installing GRUB using grub-install
Caution: This procedure is definitely deprecated, because there are several ways in which it can leave your computer unbootable. For example, most operating systems don’t tell GRUB how to map BIOS drives to OS devices correctly, so GRUB merely guesses the mapping. This will succeed in most cases, but not always. So GRUB provides you with a user-defined map file called the device map, which you must fix if it is wrong. See Device map, for more details.
Unfortunately, if you do want to install GRUB under a UNIX-like OS (such as GNU), invoke the program grub-install (see Invoking grub-install) as the superuser (root).
The usage is basically very easy. You only need to specify one argument to the program, namely, where to install GRUB. The argument can be either a device file or a GRUB drive/partition. So, this will install GRUB into the MBR of the first IDE disk under Linux:
# grub-install /dev/hda
Likewise, under GNU/Hurd, this has the same effect:
# grub-install /dev/hd0
If it is the first BIOS drive, this is the same as well:
# grub-install '(hd0)'
But all the above examples assume that you use GRUB images under the root directory. If you want GRUB to use images under a directory other than the root directory, you need to specify the option --root-directory. The typical usage is that you create a GRUB boot floppy with a filesystem. Here is an example:
# mke2fs /dev/fd0
# mount -t ext2 /dev/fd0 /mnt
# grub-install --root-directory=/mnt '(fd0)'
# umount /mnt
Another example is the case where you have a separate boot partition which is mounted at /boot. Since GRUB is a boot loader, it doesn’t know anything about mountpoints at all. Thus, you need to run grub-install like this:
# grub-install --root-directory=/boot /dev/hda
By the way, as noted above, it is quite difficult to guess BIOS drives correctly under a UNIX-like OS. Thus, grub-install will prompt you to check whether it really guessed the correct mappings, after the installation. The format is defined in Device map. Please check it carefully. If the output is wrong, it is unlikely that your computer can boot with no problem.
Note that grub-install is actually just a shell script and the real task is done by the grub shell grub (see Invoking the grub shell). Therefore, you may run grub directly to install GRUB, without using grub-install. Don’t do that, however, unless you are very familiar with the internals of GRUB. Installing a boot loader on a running OS may be extremely dangerous.
Load another boot loader to boot unsupported operating systems
If you want to boot an unsupported operating system (e.g. Windows 95), chain-load a boot loader for the operating system. Normally, the boot loader is embedded in the boot sector of the partition on which the operating system is installed.
Set GRUB’s root device to the partition by the command rootnoverify (see rootnoverify):
grub> rootnoverify (hd0,0)
Set the active flag in the partition by the command makeactive (see makeactive):
grub> makeactive
Load the boot loader by the command chainloader (see chainloader):
grub> chainloader +1
+1 indicates that GRUB should read one sector from the start of the partition. The complete description about this syntax can be found in Block list syntax.
Run the command boot (see boot).
However, DOS and Windows have some deficiencies, so you might have to use more complicated instructions. See DOS/Windows, for more information.
Protecting your computer from cracking
You may be interested in how to prevent ordinary users from doing whatever they like, if you share your computer with other people. So this chapter describes how to improve the security of GRUB.
One thing which could be a security hole is that the user can do too many things with GRUB, because GRUB allows them to modify its configuration and run arbitrary commands at run-time. For example, the user can even read /etc/passwd in the command-line interface by the command cat (see cat). So it is necessary to disable all the interactive operations.
Thus, GRUB provides a password feature, so that only administrators can start the interactive operations (i.e. editing menu entries and entering the command-line interface). To use this feature, you need to run the command password in your configuration file (see password), like this:
password --md5 PASSWORD
If this is specified, GRUB disallows any interactive control, until you press the key <p> and enter a correct password. The option --md5 tells GRUB that PASSWORD is in MD5 format. If it is omitted, GRUB assumes the PASSWORD is in clear text.
You can encrypt your password with the command md5crypt (see md5crypt). For example, run the grub shell (see Invoking the grub shell), and enter your password:
grub> md5crypt
Password: **********
Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.
Then, cut and paste the encrypted password to your configuration file.
Also, you can specify an optional argument to password. See this example:
password PASSWORD /boot/grub/menu-admin.lst
In this case, GRUB will load /boot/grub/menu-admin.lst as a configuration file when you enter the valid password.
Another thing which may be dangerous is that any user can choose any menu entry. Usually, this wouldn’t be problematic, but you might want to permit only administrators to run some of your menu entries, such as an entry for booting an insecure OS like DOS.
GRUB provides the command lock (see lock). This command always fails until you enter a valid password, so you can use it, like this:
title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainloader +1
You should insert lock right after title, because any user can execute commands in an entry, until GRUB encounters lock.
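The checks this chapter describes, as an added example that is not part of the GRUB manual or GRUB's own code: a Python audit of a menu.lst that reports a missing global password, a password stored without --md5, and a lock that is not the first command after title. The function name, the finding labels and both sample files are constructed for illustration; the hash is the one shown above.

```python
import re

# Sample menu.lst files, constructed for this example.
WEAK = """\
# constructed sample
default 0
password secret /boot/grub/menu-admin.lst
title Boot DOS
rootnoverify (hd0,1)
lock
makeactive
chainloader +1
"""
HARDENED = """\
password --md5 $1$U$JK7xFegdxWH6VuppCUSIb.
title Boot DOS
lock
rootnoverify (hd0,1)
makeactive
chainloader +1
"""


def audit_menu_lst(text):
    """Return (line number, finding) pairs; line 0 refers to the whole file."""
    findings = []
    global_password = False
    in_entry = False   # False while in the global section, before any title
    commands = 0       # commands seen so far in the current entry
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: the command name ends at the first blank or '='.
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        cmd, args = fields[0], fields[1] if len(fields) > 1 else ""
        if cmd == "title":
            in_entry, commands = True, 0
            continue
        if cmd == "password":
            if "--md5" not in args.split():
                findings.append((lineno, "cleartext-password"))
            if not in_entry:
                global_password = True   # blocks interactive control
        if in_entry:
            commands += 1
            if cmd == "lock" and commands > 1:
                # Commands placed before lock run without any password.
                findings.append((lineno, "late-lock"))
    if not global_password:
        findings.append((0, "no-global-password"))
    return findings
```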
You can also use the command password instead of lock. In this case the boot process will ask for the password and stop if it was entere