There are various things that make up an operating system. In any operating system, one of the most critical parts is powering on the machine. During this process, the computer will execute a small program in read-only memory (ROM) to begin initiating the startup process. This small program is known by many names, but it is most often called a boot loader. In almost every Linux distribution, including Fedora, GRUB2 (or GRand Unified Bootloader 2) is the default boot loader. Even though it is a critical piece of the operating system, many people aren’t aware of the boot loader, all that goes into it, or how it can be customized.
Every computer operating system needs a kernel and boot loader to load and boot the operating system. In a Linux system, the kernel and the initial ramdisk (or initrd) play major roles for loading the operating system from a disk drive and into memory (or RAM). GRUB2 supports all computer operating systems including Windows, all Linux distributions, and nearly all Unix-like operating systems like macOS.
There are many different types of firmware that initialize system hardware during the startup process. Some of these include options such as Open-Efi and legacy / UEFI BIOS. GRUB2 supports these. This broad range of compatibility with various firmware ensures that GRUB2 can be used on almost any system. It works on some of the oldest machines still running as well as some of the newest hardware on the market.
It also has a special ability to boot from any file system format, such as HFS+ (macOS), NTFS (often Windows), ext3/4 (often Linux), XFS, and more. It also supports MBR (Master Boot Record) and GPT (GUID Partition Tables) partitioning schemes.
The design of GRUB2 is security-oriented and flexible for a variety of needs. It has two well-known security and privacy features to help protect your system. Normally when starting your computer, you are able to enter your BIOS or UEFI settings and change them without logging in. GRUB2 allows you to set a password that must be entered to change these settings. This helps keep your system safe and secure from someone who may have physical access to your machine. An example of this being used is blocking USB devices from booting up on the system.
Additionally, GRUB2 supports Linux Unified Key Setup, or LUKS. When installing an operating system for the first time or formatting a hard drive, there is an extra security option to encrypt the entire file system. LUKS is the tool used to add an encryption layer from the root directory across all parts of the machine. Before you are able to reach the login screen of Fedora or another Linux distribution, you must enter an encryption passphrase to unlock your system. GRUB2 integrates with LUKS and supports booting with an encrypted file system.
In the world of security, not every threat may come from the Internet or a remote hacker. Sometimes the biggest security breach is at the physical layer with who has access to a system. Together, these two security features allow you to keep your system locked down and secure in the event you lose access to your machine.
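An added example, not part of the original article: GRUB2's password feature is driven by the `superusers` variable and the `password` / `password_pbkdf2` directives in its configuration, and menu entries marked `--unrestricted` can still be booted without a password. The script below checks a configuration file for those directives; the function name `audit_grub_cfg`, the finding codes and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: static audit of GRUB2 configuration text for menu
# password protection. It only reads the file; it changes nothing.

# audit_grub_cfg FILE : print one finding code per line.
audit_grub_cfg() {
    cfg=$1
    # Without a superusers list, GRUB2 enforces no authentication at all.
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" ||
        echo "NO_SUPERUSERS"
    # "password <user> <secret>" keeps the secret in clear text on disk.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "PLAINTEXT_PASSWORD"
    fi
    # password_pbkdf2 stores a salted PBKDF2 hash instead of the secret.
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg" ||
        grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg" ||
        echo "NO_PASSWORD_DEFINED"
    # Entries with --unrestricted boot without a password (editing them
    # still requires a superuser). grep -c exits 1 on zero matches.
    n=$(grep -Ec '^[[:space:]]*menuentry[[:space:]].*--unrestricted' "$cfg" || true)
    echo "UNRESTRICTED_ENTRIES=$n"
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="root"
password root example-secret
menuentry 'Fedora' --unrestricted {
    linux /vmlinuz root=/dev/mapper/fedora-root
}
menuentry 'Rescue' {
    linux /vmlinuz single
}
EOF
audit_grub_cfg "$sample"
rm -f "$sample"
```

On the sample, the script reports the clear-text password and one unrestricted entry. A match on `set superusers=` only shows that the directive is present in the file, not that the branch containing it runs at boot.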
GRUB2 has powerful settings for security and initializing the operating system, but it also has more features to customize the user experience. It supports background wallpapers, different fonts, and more to personalize your system. The Grub Customizer tool allows you to make these customizations quickly and easily.
To install the tool, open up a command line and enter the following command. You are prompted to install the package.
$ sudo dnf install grub-customizer
After installing, you will be able to open the application on your desktop. When opening it, you will enter your password so the application can make changes to the GRUB2 configuration file. This tool can make advanced changes to your system configuration, but for this guide, we will focus on the Appearance settings tab at the top.
This tab will present you with a variety of options to theme and customize your system. You can select a background image, change the font family, and alter the font colors. The center part of the screen will update with a live preview of what it will look like while you make changes. When you’re done making changes, hit the Save button in the upper-left corner and reboot to see your changes take effect.
Note that if you use a custom font, you MUST use a font size that will fit in your system’s resolution. If the font size is too large for the resolution of your system, GRUB2 will enter a crash loop and you will have to boot from live media (e.g. a USB or CD) to fix this.
Sorry, but I think there are some inaccuracies in this article.
The boot loader is not a ROM program, we could not install it if it was. It’s executed by the late ROM POST code, loading the first 512 bytes of the HD and executing it (in major cases).
GRUB2 cannot secure BIOS or EFI settings, you have to set a password in the BIOS or EFI, GRUB2 can secure its settings with a password. And this is not a hard security, because you can boot with a cdrom or other means to bypass it.
Booting an encrypted system is not a GRUB2 job, but the initial ramdisk is in charge of decrypting a LUKS partition, asking for a password.
AFAIK this has been true till now, if I’m wrong please forgive me.
For this, disable CD-ROM and also set password protection on your UEFI BIOS.
I’ve always tried to hide the GRUB menu to start immediately but it doesn’t work, what can I do?
Edit the file /etc/default/grub and set the GRUB_TIMEOUT (1st value in my files) to 0, then run the following:
$ sudo grub2-mkconfig -o /etc/grub2.cfg
Or, if you’re on a system with a (U)EFI:
$ sudo grub2-mkconfig -o /etc/grub2-efi.cfg
Thank you for your reply but I wonder why it doesn’t work with grub customizer, no matter what I do, It won’t save the timeout setting to 0.
Hi, I reduced the amount of time for booting from 5 seconds to 3 and it worked. However, the image I chose was not displayed. It appears to be a SELinux issue, from what I noticed while booting. I am using Fedora 25 Beta.
This doesn’t seem to work under Wayland…
Confirmed from my side, running from terminal just says:
“Invalid MIT-MAGIC-COOKIE-1 keyUnable to init server: Could not connect: Connection refused
(grub-customizer:7611): Gtk-WARNING **: cannot open display: :0”
GRUB served me great for decades; it was easy to configure with simple human-readable conf files.
GRUB 2 has made life difficult for no reason. Neither Facebook, Google nor the NSA will care if you encrypt your home directory; they will get all the information they can sell directly from you.
Forget theory; in practice GRUB2 is no protection, as anyone with your hardware can pull out the disk and read the files.
It doesn’t work in my Fedora 23 64-bit KDE edition. I can see the background in grub customizer but when I reboot I still see the black screen. Some people say it’s related to resolution. My resolution is 1920×1080. I chose a 1280×720 image but still no background image. I tried vbeinfo in the grub command line but mine doesn’t recognize it.
Paul W. Frields
Folks, this is a magazine, not a user help forum. If you need help with GRUB2 or anything else that’s part of your Fedora operating system, visit https://fedoraproject.org/wiki/Communicating_and_getting_help to locate a venue where you can get assistance.
I cannot fully agree with you, Paul. When an article is released, it would be great if people could see, beside the original article, what others thought about it, and especially if others have had some troubles with it. I know that sometimes it might be great for the publisher if there is a lot of feedback without respect.
This of course distributes the knowledge across 100s of different web sites, and user forums might get less focus. But for that purpose we have “free” Google to find answers.
Grub2 in ROM?!
It is super great that the article opens up the known pains as well, like:
“If the font size is too large for the resolution of your system, GRUB2 will enter a crash loop and you will have to boot from live media ”
But think about this from a rookie’s point of view: which one is broken, the tool which lets you make a configuration which kills your system, or GRUB2, which does not have exception handling to avoid such a loop?
I’m just asking this because we would all like to see the day when Linux replaces Windows on workstations. Features like what Grub Customization brings for – not so Linux aware – users make the system look really professional and perhaps a bit cool 😉 – very easily. In my mind those apps should not be able to kill the system just by using an incorrect font.
Wish to see a preview feature on the Grub Customization.