GRUB2: Difference between revisions

From coreboot
Jump to navigation Jump to search
m (formatting)
 
(64 intermediate revisions by 7 users not shown)
Line 1: Line 1:
'''[https://www.gnu.org/software/grub/grub.html GRUB2]''' is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.  
'''[https://www.gnu.org/software/grub/grub.html GRUB 2]''' is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.  


== Status ==
== Status ==
Grub2 can be launched:
GRUB 2 can be launched...
* Directly by coreboot as a payload
* Directly by coreboot as a payload
* Directly by SeaBIOS as a payload
* Directly by SeaBIOS as a payload
* By SeaBIOS, on disk, as it would with a normal BIOS.
* By SeaBIOS, on disk, as it would with a normal BIOS.


Recent bzr versions have improved memory management that removes the memory limitations when ran as a payload.
Recent git versions have improved memory management that removes the memory limitations when run as a payload.


== features ==
== Coreboot-related Features ==
 
Apart from what a typical bootloader supports GRUB implements various features especially helpful in the context of coreboot:
 
* Booting from encrypted LUKS partitions
* Verifying signatures of files (interesting for initramfs and kernels)
* Printing the contents of [[Cbmem_console|cbmem]] with its <code>cbmemc</code> command
* Displaying the UI using the coreboot framebuffer
* Interacting with the nvram/cmos with its <code>cmos*</code> commands
* Running other coreboot payloads from [[CBFS]] (both compressed and uncompressed)
 
See [[#Advanced Features]] for more detailed descriptions and tutorials how to use these.
 
== grub.cfg ==
 
When GRUB is built for coreboot it looks for its runtime configuration in the file <code>etc/grub.cfg</code> within the [[CBFS]].
If this is missing it will provide a limited console only.
 
The file is an ordinary GRUB configuration file as specified in its [https://www.gnu.org/software/grub/manual/grub.html#Configuration|GRUB's documentation].
It specifies menu entries and allows for quite some scripting.
 
=== Chain-loading another GRUB ===
 
Normally, one would write a custom configuration file that is embedded as described above and completely configures GRUB.
However, one could also provide a minimal configuration only and read the remainder from a file system.
This can simply be done by adding something like <code>configfile (ahci0,0)/grub/grub.cfg</code> to the mentioned file.
This would try to load an additional configuration file from the path <code>/grub/grub.cfg</code> of the first partition of the first AHCI device.
 
Note however, that this merely reads in the configuration file and '''does not chain-load''' another GRUB instance.
The latter is not feasible unless that other instance is also built with coreboot as target.
Ordinary GRUBs however rely on the BIOS interfaces that a coreboot GRUB does not provide.
For such cases running SeaBIOS as payload makes more sense.
 
=== Most basic config statements ===
 
# Printing text
echo 'Hello world!'
# Play a beep
play 480 440 1
# Paginate GRUB's output. Very useful for long outputs (help texts!) when working interactively
set pager=1
# Timeout in seconds before loading the default entry
set timeout=1
# Set the path root (/) to the 5th parition of the first AHCI (SATA) device
set root='ahci0,msdos5'
 
Here's an example that creates a menu entry to load a Linux kernel with serial output.
insmod ahci
insmod part_msdos
menuentry 'GNU/Linux [Serial]' {
echo 'Loading Linux librepae kernel ...'
linux /vmlinuz-linux-libre-pae root=/dev/sda6 console=ttyS0,115200
echo 'Loading initial ramdisk ...'
initrd /initramfs-linux-libre-pae.img
}
 
=== Scanning for grub.cfg on local hard drives ===
 
As mentioned above, chain-loading GRUB is seldom feasible, but loading configuration files from hard disks might work.
The code below creates an entry that searches for a config file in two typical directories on all partitions of the first AHCI device and loads it (or them if there are multiple matches).
 
menuentry 'Scan for OS on internal HDD' {
insmod regexp
insmod ahci
insmod part_msdos
for x in (ahci0,*) ; do
if [ -f "$x/grub/grub.cfg" ] ; then
menuentry "Load Config from $x" $x {
root=$2
configfile /grub/grub.cfg
}
fi
if [ -f "$x/boot/grub/grub.cfg" ] ; then
menuentry "Load Config from $x" $x {
root=$2
configfile /boot/grub/grub.cfg
}
fi
done
}
 
=== Serial ===
 
If native graphics initialization is not available one will most likely want to interact with GRUB via a serial connection.
The following subsections show how to enable that in <code>grub.cfg</code>.
 
==== On a real serial port ====
 
To enable serial, add the following on top of your grub.cfg:
 
serial --speed=115200 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial
 
==== On a USB serial or USB debug adapter ====
 
To enable serial, first find out the name of your usb serial port trough:
 
insmod nativedisk # needed not to get the disk disapearing when insmoding the *hci
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
terminal_output
The terminal_output command should print it:
grub> terminal_output
Active output terminals:
serial_usb1 gfxterm
Available output terminals:
console vga_text serial
Here we can see "serial_usb1" so we now know that its name is usb1
 
Then add the following on top of your grub.cfg:
insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
serial --speed=115200 --word=8 --parity=no --stop=1 usb1
terminal_output --append serial_usb1
terminal_input --append serial_usb1
 
The following chips/protocols are supported:
* usbdebug
* ftdi
* pl2303
 
=== Less useful things ===
 
(Some of) these might be obsolete by now:
 
# Change the path to the GRUB directory so that it can load its modules/commands
set prefix=(memdisk)/boot/grub
 
# Add keyboard support
terminal_input --append at_keyboard
 
In case of native graphics you may want the following:
gfxpayload=keep
terminal_output --append gfxterm
 
=== Chain-loading other Payloads ===
 
Here is how to load another payload.
 
menuentry 'SeaBios' {
set root='memdisk'
echo    'Loading SeaBios ...'
chainloader /bios.bin.elf
}
 
== Compilation ==
=== Setup within coreboot's tree ===
 
The coreboot repository contains a GRUB2 submodule that can directly be selected in coreboot's Kconfig.
Additionally, the config file has to be added, e.g. via the following command.
 
  build/cbfstool build/coreboot.rom add -f grub.cfg -n etc/grub.cfg -t raw
 
=== Out of tree compilation ===
 
In case you want to compile GRUB outside coreboot's directory follow the guide below.
 
Retrieve the source code, compile it and install the resulting utilities:
 
git clone git://git.savannah.gnu.org/grub.git grub
cd grub
./autogen.sh
./configure --with-platform=coreboot
make
sudo make install
 
Create target directories:
mkdir -p memdisk/boot/grub/
 
Then copy your grub.cfg into it:
memdisk/boot/grub/grub.cfg
 
Then adapt and run the following lines if need be.
 
rm -f grub2.elf
# Copy the payloads and other required files into the target dir.
cd memdisk
cp ../../seabios/out/bios.bin.elf .
cp ../../coreboot-qemu/payloads/nvramcui/nvramcui.elf .
cp ../../coreboot/payloads/coreinfo/build/coreinfo.elf .
cp ../../memtest86+-4.20/memtest memtest.elf
cp ../../coreboot/bootsplash.jpg  .
grub-mkstandalone -O i386-coreboot -o ../grub2.elf $(find -type f)
 
The resulting <code>.elf</code> can then be run as payload directly by coreboot or SeaBIOS.
Also, grub2.elf can be tested in qemu.
 
To make it available in SeaBIOS add it to CBFS as follows:
 
build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw
 
That way it is possible to run GRUB as a payload after SeaBIOS.
 
Alternatively, the <code>.elf</code> can also be added via Kconfig by setting its path.
 
In any case, make sure you have some kinds of output such as VGA or serial (it needs to be activated in both coreboot and GRUB)!
 
== Advanced Features ==
=== Security ===
=== Security ===
==== signed kernels ====
==== Signed kernels ====
===== Howto =====
GRUB is capable of running only trusted(signed) kernels.
It supports both RSA and DSA gpg keys.
 
Here's a HOWTO:
 
First generate a key:
First generate a key:
  $ gpg --gen-key
  $ gpg --gen-key
Line 24: Line 237:
     (3) DSA (sign only)
     (3) DSA (sign only)
     (4) RSA (sign only)
     (4) RSA (sign only)
  Your selection? 4
  Your selection? 3
  RSA keys may be between 1024 and 4096 bits long.
  DSA keys may be between 1024 and 3072 bits long.
  What keysize do you want? (2048) 4096
  What keysize do you want? (2048) 3072
  Requested keysize is 4096 bits
  Requested keysize is 3072 bits
  Please specify how long the key should be valid.
  Please specify how long the key should be valid.
           0 = key does not expire
           0 = key does not expire
Line 34: Line 247:
       <n>m = key expires in n months
       <n>m = key expires in n months
       <n>y = key expires in n years
       <n>y = key expires in n years
  Key is valid for? (0) 0
  Key is valid for? (0)  
  Key does not expire at all
  Key does not expire at all
  Is this correct? (y/N) y
  Is this correct? (y/N) y
Line 42: Line 255:
  Real name: Denis 'GNUtoo' Carikli
  Real name: Denis 'GNUtoo' Carikli
  Email address: GNUtoo@no-log.org
  Email address: GNUtoo@no-log.org
  Comment: kernel siging key
  Comment: Kernel signing key
  You selected this USER-ID:
  You selected this USER-ID:
     "Denis 'GNUtoo' Carikli (kernel siging key) <GNUtoo@no-log.org>"
     "Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"
   
   
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Line 53: Line 266:
  disks) during the prime generation; this gives the random number
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  generator a better chance to gain enough entropy.
  gpg: key F882B81F marked as ultimately trusted
  gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest
size
gpg: key C86D4C64 marked as ultimately trusted
  public and secret key created and signed.
  public and secret key created and signed.
   
   
  gpg: checking the trustdb
  gpg: checking the trustdb
  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  gpg: depth: 0  valid:  1 signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 1u
  gpg: depth: 0  valid:  2 signed:  0  trust: 0-, 0q, 0n, 0m, 0f, 2u
  pub  4096R/F882B81F 2013-03-13
  pub  3072D/C86D4C64 2013-03-13
       Key fingerprint = E74E 91E5 950C 38B6 B001 4F89 6C93 114F F882 B81F
       Key fingerprint = 7244 AC33 F9A7 9AE8 30DE 8996 9097 B48D C86D 4C64
  uid                  Denis 'GNUtoo' Carikli (kernel siging key) <GNUtoo@no-log.org>
  uid                  Denis 'GNUtoo' Carikli (Kernel signing key)  
<GNUtoo@no-log.org>
   
   
  Note that this key cannot be used for encryption.  You may want to use
  Note that this key cannot be used for encryption.  You may want to use
  the command "--edit-key" to generate a subkey for this purpose.
  the command "--edit-key" to generate a subkey for this purpose.
Then sign the kernels and initramfs:
cd /boot
sudo -E gpg --detach-sign vmlinuz-linux-libre-pae
sudo -E gpg --detach-sign initramfs-linux-libre-pae.img


==== LUKS disks openning ====
gpg --export  > boot.key
grub is capable of opening LUKS disks like that:
Then you can put the key on the memdisk (advised) or the boot partition for test purposes only.
Then in GRUB do (for testing purposes):
trust boot.key
set check_signatures=enforce
to only boot correctly signed kernels and initramfs.
 
Then load kernel and initramfs as usual.
 
==== Trisquel, Ubuntu, Debian ====
 
We want automatics hooks to sign our kernel so we don't have to do it manually each time.
 
The following howto was tested on trisquel 6.
Generate the key as root(sudo su) like we just explained, but without a password
In debian based distributions you can hook the kernel build to sign the result:
Add the following to /etc/kernel/postinst.d/yy-update-signatures
#! /bin/sh
set -e
version="$1"
rm -f /boot/vmlinuz-${version}.sig
gpg --detach-sign /boot/vmlinuz-${version}
rm -f /boot/initrd.img-${version}.sig
gpg --detach-sign /boot/initrd.img-${version}
Then do:
chmod +x /etc/kernel/postinst.d/yy-update-signatures
Then do:
gpg --export  > /boot/boot.key
 
Then modify /etc/grub.d/10_linux to use bash instead of sh like that:
#! /bin/bash
And also modify to that:
<pre>
case x`uname -m` in
    xi?86 | xx86_64)
list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                  if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
              done` ;;
    *)
list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                  if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
    done` ;;
esac
</pre>
To look like that:
<pre>
case x`uname -m` in
    xi?86 | xx86_64)
list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                  if [[ "$i" != /boot/*.sig ]] ; then
                      if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
                  fi
              done` ;;
    *)
list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                  if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
    done` ;;
esac
</pre>
 
==== LUKS ====
 
GRUB is capable of opening LUKS disks like that:
  grub> ls  
  grub> ls  
  (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
  (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
Line 80: Line 364:
  lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/
  lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/


Note that you have to type the password and so it's better to have some kind of output(VGA, Serial etc...)
Note that you have to type the password, so it's better to have some kind of output (VGA, Serial etc...)
 
=== Other features ===
==== SeaBIOS launching ====
grub is capable of launching seabios like that:
Add Seabios to the memdisk:
tar uvf ../memdisk.tar ../../seabios/out/bios.bin.elf --transform 's#.*#/bios.bin.elf#'
Then add that to grub.cfg:
menuentry 'SeaBios' {
set root='memdisk'
echo    'Loading SeaBios ...'
chainloader /bios.bin.elf
}
== grub.cfg ==
=== Serial ===
To enable serial, add the following on top of your grub.cfg:
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial
 
=== Compiling ===
bzr branch http://bzr.savannah.gnu.org/r/grub/trunk/grub
cd grub
./autogen.sh
./configure --with-platform=coreboot
make
 
=== creating the grub payload (with a memdisk) ===
cd grub-core
tar cvf ../memdisk.tar serial.mod terminal.mod normal.mod echo.mod ahci.mod all_video.mod ata.mod boot.mod cat.mod chain.mod configfile.mod
crypto.mod elf.mod ext2.mod extcmd.mod fshelp.mod help.mod linux.mod memdisk.mod minicmd.mod multiboot2.mod pata.mod part_msdos.mod gettext.mod --transform 's#^#/boot/grub/i386-coreboot/#'
tar uvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard -m ../memdisk.tar
ls -l -h ../../grub2.elf
 
=== creating the grub payload (without a memdisk) ===
cd grub-core
modules="serial terminal normal echo ahci all_video ata boot cat chain configfile crypto elf ext2 extcmd fshelp help linux memdisk minicmd multiboot2 pata part_msdos gettext"
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard ${modules}
ls -l -h ../../grub2.elf
 
=== creating the grub payload (with a memdisk for the config file) ===
cd grub-core
tar cvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
modules="serial terminal normal echo ahci all_video ata boot cat chain configfile crypto elf ext2 extcmd fshelp help linux memdisk minicmd multiboot2 pata part_msdos gettext"
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf memdisk tar ehci ohci uhci at_keyboard usb_keyboard ${modules} -m ../memdisk.tar
ls -l -h ../../grub2.elf
=== With all modules(possible with last grub from bzr) And a memdisk for grub.cfg ===
cd grub-core
tar cvf ../memdisk.tar grub.cfg  --transform 's#^#/boot/grub/#'
memdisk="$(ls *.mod | sed 's#.mod$##g')"
../grub-mkimage -d . -O i386-coreboot -o ../../grub2.elf ${modules} -m ../memdisk.tar
ls -l -h ../../grub2.elf
 
=== combining with coreboot ===
==== As a SeaBIOS payload ====
build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw
build/cbfstool build/coreboot.rom print
That way it will be possible to run grub2 as a payload after SeaBIOS:
The advantage is that it's less risky. At runtime press F12 and you'll
have the grub2 option.
 
==== As a Coreboot payload ====
Advantages: faster, can be used for security
 
Disadvantages: more risky if you have no way to recover
 
===== Howto =====
 
In make menuconfig of coreboot, select the path of grub2.elf.
 
Also make sure you have some kinds of output such as VGA or serial(it
needs to be activated in both coreboot and grub)

Latest revision as of 17:24, 8 January 2017

GRUB 2 is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.

Status

GRUB 2 can be launched...

  • Directly by coreboot as a payload
  • Directly by SeaBIOS as a payload
  • By SeaBIOS, on disk, as it would with a normal BIOS.

Recent git versions have improved memory management that removes the memory limitations when run as a payload.

Coreboot-related Features

Apart from what a typical bootloader supports GRUB implements various features especially helpful in the context of coreboot:

  • Booting from encrypted LUKS partitions
  • Verifying signatures of files (interesting for initramfs and kernels)
  • Printing the contents of cbmem with its cbmemc command
  • Displaying the UI using the coreboot framebuffer
  • Interacting with the nvram/cmos with its cmos* commands
  • Running other coreboot payloads from CBFS (both compressed and uncompressed)

See #Advanced Features for more detailed descriptions and tutorials how to use these.

grub.cfg

When GRUB is built for coreboot it looks for its runtime configuration in the file etc/grub.cfg within the CBFS. If this is missing it will provide a limited console only.

The file is an ordinary GRUB configuration file as specified in its documentation. It specifies menu entries and allows for quite some scripting.

Chain-loading another GRUB

Normally, one would write a custom configuration file that is embedded as described above and completely configures GRUB. However, one could also provide a minimal configuration only and read the remainder from a file system. This can simply be done by adding something like configfile (ahci0,0)/grub/grub.cfg to the mentioned file. This would try to load an additional configuration file from the path /grub/grub.cfg of the first partition of the first AHCI device.

Note however, that this merely reads in the configuration file and does not chain-load another GRUB instance. The latter is not feasible unless that other instance is also built with coreboot as target. Ordinary GRUBs however rely on the BIOS interfaces that a coreboot GRUB does not provide. For such cases running SeaBIOS as payload makes more sense.

Most basic config statements

# Printing text
echo 'Hello world!'
# Play a beep
play 480 440 1
# Paginate GRUB's output. Very useful for long outputs (help texts!) when working interactively
set pager=1
# Timeout in seconds before loading the default entry
set timeout=1
# Set the path root (/) to the 5th parition of the first AHCI (SATA) device
set root='ahci0,msdos5'

Here's an example that creates a menu entry to load a Linux kernel with serial output.

insmod ahci
insmod part_msdos
menuentry 'GNU/Linux [Serial]' {
	echo	'Loading Linux librepae kernel ...'
	linux	/vmlinuz-linux-libre-pae root=/dev/sda6 console=ttyS0,115200
	echo	'Loading initial ramdisk ...'
	initrd	/initramfs-linux-libre-pae.img
}

Scanning for grub.cfg on local hard drives

As mentioned above, chain-loading GRUB is seldom feasible, but loading configuration files from hard disks might work. The code below creates an entry that searches for a config file in two typical directories on all partitions of the first AHCI device and loads it (or them if there are multiple matches).

menuentry 'Scan for OS on internal HDD' {
	insmod regexp
	insmod ahci
	insmod part_msdos
	for x in (ahci0,*) ; do
		if [ -f "$x/grub/grub.cfg" ] ; then
			menuentry "Load Config from $x" $x { 
				root=$2
				configfile /grub/grub.cfg
			}
		fi
		if [ -f "$x/boot/grub/grub.cfg" ] ; then
			menuentry "Load Config from $x" $x {
				root=$2
				configfile /boot/grub/grub.cfg
			}
		fi
	done
}

Serial

If native graphics initialization is not available one will most likely want to interact with GRUB via a serial connection. The following subsections show how to enable that in grub.cfg.

On a real serial port

To enable serial, add the following on top of your grub.cfg:

serial --speed=115200 --word=8 --parity=no --stop=1
terminal_input --append  serial
terminal_output --append serial

On a USB serial or USB debug adapter

To enable serial, first find out the name of your usb serial port trough:

insmod nativedisk # needed not to get the disk disapearing when insmoding the *hci
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
terminal_output

The terminal_output command should print it:

grub> terminal_output 
Active output terminals:
serial_usb1 gfxterm 
Available output terminals:
console vga_text serial 

Here we can see "serial_usb1" so we now know that its name is usb1

Then add the following on top of your grub.cfg:

insmod nativedisk
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbserial_pl2303
insmod usbserial_ftdi
insmod usbserial_usbdebug
serial --speed=115200 --word=8 --parity=no --stop=1 usb1
terminal_output --append serial_usb1
terminal_input --append serial_usb1

The following chips/protocols are supported:

  • usbdebug
  • ftdi
  • pl2303

Less useful things

(Some of) these might be obsolete by now:

# Change the path to the GRUB directory so that it can load its modules/commands
set prefix=(memdisk)/boot/grub
# Add keyboard support
terminal_input --append at_keyboard

In case of native graphics you may want the following:

gfxpayload=keep
terminal_output --append gfxterm

Chain-loading other Payloads

Here is how to load another payload.

menuentry 'SeaBios' {
	set root='memdisk'
	echo    'Loading SeaBios ...'
	chainloader /bios.bin.elf
}

Compilation

Setup within coreboot's tree

The coreboot repository contains a GRUB2 submodule that can directly be selected in coreboot's Kconfig. Additionally, the config file has to be added, e.g. via the following command.

 build/cbfstool build/coreboot.rom add -f grub.cfg -n etc/grub.cfg -t raw

Out of tree compilation

In case you want to compile GRUB outside coreboot's directory follow the guide below.

Retrieve the source code, compile it and install the resulting utilities:

git clone git://git.savannah.gnu.org/grub.git grub
cd grub
./autogen.sh
./configure --with-platform=coreboot
make
sudo make install

Create target directories:

mkdir -p memdisk/boot/grub/

Then copy your grub.cfg into it:

memdisk/boot/grub/grub.cfg

Then adapt and run the following lines if need be.

rm -f grub2.elf
# Copy the payloads and other required files into the target dir.
cd memdisk
cp ../../seabios/out/bios.bin.elf .
cp ../../coreboot-qemu/payloads/nvramcui/nvramcui.elf .
cp ../../coreboot/payloads/coreinfo/build/coreinfo.elf .
cp ../../memtest86+-4.20/memtest memtest.elf
cp ../../coreboot/bootsplash.jpg  .
grub-mkstandalone -O i386-coreboot -o ../grub2.elf $(find -type f)

The resulting .elf can then be run as payload directly by coreboot or SeaBIOS. Also, grub2.elf can be tested in qemu.

To make it available in SeaBIOS add it to CBFS as follows:

build/cbfstool build/coreboot.rom add-payload -n img/grub2 -f grub2.elf -t raw

That way it is possible to run GRUB as a payload after SeaBIOS.

Alternatively, the .elf can also be added via Kconfig by setting its path.

In any case, make sure you have some kinds of output such as VGA or serial (it needs to be activated in both coreboot and GRUB)!

Advanced Features

Security

Signed kernels

GRUB is capable of running only trusted(signed) kernels. It supports both RSA and DSA gpg keys.

Here's a HOWTO:

First generate a key:

$ gpg --gen-key
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Denis 'GNUtoo' Carikli
Email address: GNUtoo@no-log.org
Comment: Kernel signing key
You selected this USER-ID:
    "Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest 
size
gpg: key C86D4C64 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   3072D/C86D4C64 2013-03-13
      Key fingerprint = 7244 AC33 F9A7 9AE8 30DE  8996 9097 B48D C86D 4C64
uid                  Denis 'GNUtoo' Carikli (Kernel signing key) 
<GNUtoo@no-log.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Then sign the kernels and initramfs:

cd /boot
sudo -E gpg --detach-sign vmlinuz-linux-libre-pae
sudo -E gpg --detach-sign initramfs-linux-libre-pae.img
gpg --export  > boot.key

Then you can put the key on the memdisk (advised) or the boot partition for test purposes only. Then in GRUB do (for testing purposes):

trust boot.key
set check_signatures=enforce

to only boot correctly signed kernels and initramfs.

Then load kernel and initramfs as usual.

Trisquel, Ubuntu, Debian

We want automatics hooks to sign our kernel so we don't have to do it manually each time.

The following howto was tested on trisquel 6. Generate the key as root(sudo su) like we just explained, but without a password In debian based distributions you can hook the kernel build to sign the result: Add the following to /etc/kernel/postinst.d/yy-update-signatures

#! /bin/sh
set -e

version="$1"

rm -f /boot/vmlinuz-${version}.sig
gpg --detach-sign /boot/vmlinuz-${version}
rm -f /boot/initrd.img-${version}.sig
gpg --detach-sign /boot/initrd.img-${version}

Then do:

chmod +x /etc/kernel/postinst.d/yy-update-signatures

Then do:

gpg --export  > /boot/boot.key

Then modify /etc/grub.d/10_linux to use bash instead of sh like that:

#! /bin/bash

And also modify to that:

 case x`uname -m` in
     xi?86 | xx86_64)
 	list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                   if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
               done` ;;
     *) 
 	list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                   if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
 	     done` ;;
 esac

To look like that:

 case x`uname -m` in
     xi?86 | xx86_64)
 	list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do
                   if [[ "$i" != /boot/*.sig ]] ; then 
                       if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
                   fi
               done` ;;
     *) 
 	list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
                   if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi
 	     done` ;;
 esac

LUKS

GRUB is capable of opening LUKS disks like that:

grub> ls 
(ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk)
grub> cryptomount (ata2,msdos3)
Attempting to decrypt master key...
Enter passphrase for ata2,msdos3 (431439b0870f40a3bfe8f3ca3aa7072a):
Slot 0 opened
grub> ls
(crypto0) (ata2) (ata2,msdos3) (ata2,msdos2) (ata2,msdos1) (usb0) (usb0,msdos1) (ata6) (memdisk) 
grub> set root=crypto0
grub> ls /
lost+found/ boot/ var/ dev/ run/ etc/ tmp/ sys/ proc/ usr/ lib/ sbin/ bin/ home/ mnt/ opt/ root/ srv/ media/

Note that you have to type the password, so it's better to have some kind of output (VGA, Serial etc...)