_posts/2025/2025-11-13-tw-grub2-bls.md
Lines changed: 25 additions & 22 deletions
@@ -9,8 +9,8 @@ title: GRUB2-BLS in openSUSE Tumbleweed is now the default
9
9
categories:
10
10
- Announcements
11
11
- openSUSE
12
-
- tumbleweed
13
-
- boot loader
12
+
- Tumbleweed
13
+
- MicroOS
14
14
tags:
15
15
- openSUSE
16
16
- bootloader
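Review bot: In the `categories:` list the `boot loader` category is dropped in favour of `MicroOS`, although the title says the post is about GRUB2-BLS becoming the default boot loader in Tumbleweed; after this change the topic is only covered by the `bootloader` tag. Consider keeping a boot loader category next to `Tumbleweed`, and confirm that the capitalised `Tumbleweed` matches the spelling used by the site's other posts, since the value removed here was lowercase `tumbleweed`.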
@@ -19,51 +19,54 @@ tags:
19
19
- YaST
20
20
- FDE
21
21
- Full Disk Encryption
22
+
- boot
23
+
- MicroOS
24
+
- initrd
25
+
- sdbootutil
26
+
- FIDO2
27
+
- LUKS2
28
+
- TPM2
22
29
23
30
---
24
31
25
32
[openSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/) recently changed the default boot loader from GRUB2 to GRUB2-BLS when installed via YaST.
26
33
27
-
This follows the trend started by MicroOS of adopting boot loaders that are compatible with the [boot loader specification](https://uapi-group.org/specifications/specs/boot_loader_specification/). [MicroOS](https://get.opensuse.org/microos/) is using `systemd-boot`, a very small and fast boot loader from the `systemd` project.
28
-
29
-
One of the reasons for this change is to simplify the integration of new features, like full disk encryption based on `systemd` tools, that will make use of TPM2 or FIDO2 tokens if they are available.
30
-
>>>>>>> master
34
+
This follows the trend started by [MicroOS](https://get.opensuse.org/microos/) of adopting boot loaders that are compatible with the [boot loader specification](https://uapi-group.org/specifications/specs/boot_loader_specification/). MicroOS is using `systemd-boot`, which is a very small and fast boot loader from the `systemd` project.
31
35
36
+
One of the reasons for this change is to simplify the integration of new features. Among them is full disk encryption based on `systemd` tools, which will make use of TPM2 or FIDO2 tokens if they are available.
32
37
33
38
## What is GRUB2-BLS
34
39
35
-
GRUB2-BLS is just GRUB2 but with some patches on top ported from the Fedora project, that includes some compatibility for the boot loader specification for Type #1 boot entries. Those are small text files stored in `/boot/efi/loader/entries` that the boot loader reads to present the initial menu.
36
-
37
-
Each file contains a reference to the kernel, the `initrd`, and the kernel command line that will be used to boot the system, and can be edited directly by the user or managed by tools like `bootctl` and `sdbootutil`.
40
+
GRUB2-BLS is just GRUB2 but with some patches on top ported from the Fedora project, which includes some compatibility for the boot loader specification for Type #1 boot entries. Those are small text files stored in `/boot/efi/loader/entries` that the boot loader reads to present the initial menu.
38
41
39
-
In the next version of GRUB2 (2.14) those patches will be included as part of the project itself, and the upgrade process will be transparent for the final user.
42
+
Each file contains a reference to the kernel, the `initrd`, and the kernel command line that will be used to boot the system. It can be edited directly by the user or managed by tools like `bootctl` and `sdbootutil`.
40
43
41
-
It should be noted that the way openSUSE deploys GRUB2-BLS is different from the classical GRUB2. GRUB2-BLS is deployed as a single EFI binary installed (copied) in `/boot/efi/EFI/opensuse` that will have embedded all the resources (like the modules, configuration file, fonts, themes and graphics) that previously were placed in `/boot/grub2`.
44
+
In the next version of GRUB2 (2.14), those patches will be included as part of the project itself, and the upgrade process will be transparent for the final user.
42
45
46
+
It should be noted that the way openSUSE deploys GRUB2-BLS is different from the classical GRUB2. GRUB2-BLS is deployed as a single EFI binary installed (copied) in `/boot/efi/EFI/opensuse` that will have embedded all the resources (like the modules, configuration file, fonts, themes and graphics), which were previously placed in `/boot/grub2`.
43
47
44
48
## Installation
45
49
46
-
The good news is that with the latest version of YaST the process is automatic. The user just needs to follow the default steps and the system will be based on GRUB2-BLS at the end.
50
+
The good news is that with the latest version of YaST the process is automatic. The user just needs to follow the default steps and the system will be based on GRUB2-BLS at the end.
47
51
48
-
The installer will first propose a large ESP partition of about 1GB. This is required because all the kernel and `initrd`s will now be placed in the FAT32 ESP partition, in `/boot/efi/opensuse-tumbleweed`.
52
+
The installer will first propose a large ESP partition of about 1GB. This is required because all the kernel and `initrd`s will now be placed in the FAT32 ESP partition located in `/boot/efi/opensuse-tumbleweed`.
49
53
50
-
Of course the user can select a different boot loader during the installation, like the classical `GRUB2` or `systemd-boot`. This can be done in the "Installation Settings" screen presented at the end of the installation proposal. Just select the "Booting" header link and choose your boot loader from there.
54
+
Of course the user can select a different boot loader during the installation like the classical `GRUB2` or `systemd-boot`. This can be done in the "Installation Settings" screen presented at the end of the installation proposal. Just select the "Booting" header link and choose your boot loader from there.
51
55
52
56
## Full disk encryption
53
57
54
-
As commented, when using a BLS boot loader we can now install the system with full disk encryption (FDE) based on `systemd`. This can be done from the "Suggested Partitioning" screen. Just press "Guided Setup" and in the "Partitioning Scheme" select "Enable Disk Encryption".
55
-
56
-
From there you can set a LUKS2 password and, optionally, enroll a security device like a TPM2 or a FIDO2 key. For laptops it is recommended to enroll the system with a TPM2+PIN. The TPM2 will first assert that the system is in a healthy (known) state. Than means that elements used during the boot process (from the firmware until the kernel) are the expected ones, and no one tampered with them. After that the TPM2 will ask for a PIN or password, that YaST will set as the one entered for the LUKS2 key slot.
58
+
When using a BLS boot loader, we can now install the system with full disk encryption (FDE) based on `systemd`. This can be done from the "Suggested Partitioning" screen. Just press "Guided Setup" and in the "Partitioning Scheme" select "Enable Disk Encryption".
57
59
60
+
From there, you can set a LUKS2 password and, optionally, enroll a security device like a TPM2 or a FIDO2 key. For laptops, it is recommended to enroll the system with a TPM2+PIN. The TPM2 will first assert that the system is in a healthy (known) state. Than means that elements used during the boot process (from the firmware until the kernel) are the expected ones, and no one tampered with them. After that, the TPM2 will ask for a PIN or password, which YaST will set as the one entered for the LUKS2 key slot.
58
61
59
62
## Usage
60
63
61
-
With GRUB2-BLS we will no longer have grub2 tools like `grub2-mkconfig` or `grub2-install`. Most of them are not required anymore. Boot entries are generated dynamically by the boot loader, so there is no longer any need to generate GRUB2 configuration files, and installation is just copying the new EFI file into the correct place.
64
+
With GRUB2-BLS, we will no longer have grub2 tools like `grub2-mkconfig` or `grub2-install`. Most of them are not required anymore. Boot entries are generated dynamically by the boot loader, so there is no longer any need to generate GRUB2 configuration files, and the installation is just copying the new EFI file into the correct location.
62
65
63
-
The upgrade process is also done by automatically calling `sdbootutil update` from the snapper plugins or the SUSE module tools, so if btrfs is used all the management will be done transparently by this infrastructure, as was done in the traditional boot loader.
66
+
The upgrade process is also done by automatically calling `sdbootutil update` from the snapper plugins or the SUSE module tools, so if btrfs is used, all the management will be done transparently by this infrastructure, as was done in the traditional boot loader.
64
67
65
-
Updating the kernel command line can be now be done by editing the boot loader, or the `/etc/kernel/cmdline` and calling `sdbootutil update-all-entries` to propagate the change into the boot entries of the current snapshot.
68
+
Updating the kernel command line can now be done by editing the boot loader, or the `/etc/kernel/cmdline` and calling `sdbootutil update-all-entries` to propagate the change into the boot entries of the current snapshot.
66
69
67
-
To manage the FDE configuration you can learn more in the [openSUSE wiki](https://en.opensuse.org/Portal:MicroOS/FDE).
70
+
To manage the FDE configuration, you can learn more in the [openSUSE wiki](https://en.opensuse.org/Portal:MicroOS/FDE).
68
71
69
-
<metaname="openSUSE, Open Source, development, Linux, operating systems, Tumbleweed, grub2, sdbootutil, kernel, fde, full disk encryption, systemd"content="HTML,CSS,XML,JavaScript">
72
+
<metaname="openSUSE, Open Source, development, Linux, operating systems, Tumbleweed, grub2, sdbootutil, kernel, fde, full disk encryption, systemd, LUKS2, TPM2, FIDO2, snapper"content="HTML,CSS,XML,JavaScript">
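Review bot: The reworded ESP sentence in the Installation section changes the meaning: "placed in the FAT32 ESP partition located in `/boot/efi/opensuse-tumbleweed`" now says the partition itself lives at that path, whereas the removed line said the kernels and `initrd`s go into that directory on the ESP (the other paths in the post, `/boot/efi/EFI/opensuse` and `/boot/efi/loader/entries`, place the ESP at `/boot/efi`). Suggest keeping the comma form, or writing "in the FAT32 ESP partition, under `/boot/efi/opensuse-tumbleweed`". In the Full disk encryption paragraph the typo "Than means that" is carried over unchanged into the added line and should read "That means that"; this is the sentence that explains what the TPM2 check covers, so it is worth getting right in the same pass. The `<meta>` line still carries the keyword list in the name attribute with `content="HTML,CSS,XML,JavaScript"`; the keywords, including the new LUKS2, TPM2, FIDO2 and snapper, would normally go in `content` with `name="keywords"`. Removing the stray `>>>>>>> master` marker is right; please also check that no matching `<<<<<<<` or `=======` lines remain in the file outside this hunk.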