Presenting GRUB2 BLS
8. Oct 2024 | Alberto Planas | CC-BY-SA-3.0
GRUB2 with BLS is now in MicroOS and Tumbleweed
Recently the openSUSE project released for MicroOS and Tumbleweed a new version of the GRUB2 package, with a new subpackage grub2-$ARCH-efi-bls
. This subpackage deliver a new EFI file, grubbls.efi
, that can be used as replacement of the traditional grub.efi
.
The new PE binary is a version of GRUB2 that includes a set of patches from Fedora, which makes the bootloader follow the Boot Loader Specification (BLS). This will make GRUB2 understand the boot entries from /boot/efi/loader/entries
, and dynamically generate the boot menu showed during boot time.
This is really important for full disk encryption (FDE) because this means that now we can re-use all the architecture and tools designed for systemd-boot
. For example, installing or updating the bootloader can now be done with sdbootutil install
, the suse-module-tools
scriptlets will create new BLS entries when a new kernel is installed, and the tukit
and snapper
plugins will take care of doing the right thing when snapshots are created or removed.
Reusing all those tools without modification was a significant win, but even better, many of the quirks that classical GRUB2 had when extending the event log are no longer present. Before this package, sdbootutil
needed to take ownership of the grub.conf
file, as this will be measured by GRUB2 by executed lines. That is right! For each line that is read and executed by the GRUB2 parser, a new PCR#8 will take place, and because GRUB2 support conditional as other complex constructors, it is very hard to predict the final value of PCR#8 without imposing a very minimal and strict grub.conf
.
However, with the new BLS subpackage, this file, along with the fonts and graphical assets for the theme, and the necessary modules (such as bli.mod
), are now included in the internal squashfs
within the EFI binary. GRUB2 will no longer measure those internal files without compromising security guarantees because now it is the firmware that measures the entire EFI when the bootloader is executed during the boot process.
As today, we cannot use YaST2 to install GRUB2 with BLS, but we can do that manually very easily. We need to make a systemd-boot
installation, replace LOADER_TYPE
from systemd-boot
to grub2-bls
in /etc/sysconfig/bootloader
, install the new GRUB2 BLS package, and do sdbootutil install
. Another option is to play with one of the available images for MicroOS or Tumbleweed.
Have a lot of fun!