grub bootloader Configuration Changes
Kernel Boot Parameter Changes
Introduction[edit]
Before trying specific kernel boot parameters, it is advisable to first add them temporarily for testing or troubleshooting purposes. When the parameters have the intended effect, they can then be added permanently.
Kernel boot parameters are text strings that disable/enable certain features or change specific system behaviors. To achieve the desired change, note kernel boot parameters: [1]
- can be a simple keywords (like "
splash
" or "noapic
") - are case-sensitive (for example "
Noapic
" would not have any effect but "noapic
" would take effect) - might have an
=
sign to denote values (like "acpi_backlight=vendor
") - might include punctuation (""
i8042.noloop
")
Kernel boot parameters have no effect unless entered exactly as advised -- spelling/formatting errors or invalid values do not result in an error message.
Kernel Boot Parameter Change[edit]
Follow these steps to temporarily add kernel boot parameters. Useful for testing such a normal (non-recovery mode) boot while enabling verbose boot messages. Alternatively, if that is accessible [2], see Permanent Configuration Changes.
1. Restart the system. [3]
2. Access the grub menu.
Repeatedly press the Esc
key until the grub menu appears. Alternatively the Shift
key can be held down continuously for BIOS-mode (not UEFI-mode) until the menu appears. [4]
3. Select the relevant entry to edit.
Use the arrow keys to highlight the relevant entry and then press the e
key to enter edit mode.
4. Add kernel boot parameter changes.
Use the arrow keys to move down to the line that contains boot arguments: [5]
- On BIOS systems the line will begin with
linux
. - On UEFI systems the line begins with
linuxefi
.
Press the End
key to move the cursor to the end of that line. Press the space bar and carefully type in kernel boot parameters -- multiple parameters are separated with a space, but no spaces are added before/after any =
signs or for punctuation in parameters.
5. Reboot the system.
Press Ctrl
+ X
to boot the system with the new, temporary parameters.
The effect will only last for this boot session; once the system is restarted they will no longer have any effect.
Permanent Configuration Changes[edit]
1. Learn how to configure permanent changes.
Inspect the following resources:
- folder
/etc/default/grub.d
- file
/etc/default/grub.d/40_kernel_hardening.cfg
2. Create a new configuration file.
Open file /etc/default/grub.d/50_user.cfg
in an editor with root rights.
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/default/grub.d/50_user.cfg
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/default/grub.d/50_user.cfg
3. Paste the necessary kernel parameters.
Notes:
- The following example uses kernel parameter
nomodeset
. - Replace only
nomodeset
with the actual kernel parameters you want to add. - Do not remove the leading text (underlined):
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nomodeset"
. - Do not remove the trailing quote (
"
; marked in bold):GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nomodeset"
.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nomodeset"
4. Save.
5. Regenerate grub configuration.
sudo update-grub
6. Done.
The process of adding a kernel parameter is complete.
7. Verification.
Optional.
Inspect /boot/grub/grub.cfg
because that is the generated file which is actually used during the boot process.
Inspect Grub Configuration Changes[edit]
1. Put folder /boot/grub
under git version control.
Git is a useful tool to record which files in a folder changed in what way.
Git setup for folder /boot/grub
.
Install package(s) git auditd
. Follow steps A to E.
Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
Update the package lists and upgrade the system .
sudo apt update && sudo apt full-upgrade
Install the git auditd
package(s).
Using apt
command line
--no-install-recommends
option
is in most cases optional.
sudo apt install --no-install-recommends git auditd
Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification .
Done.
The procedure of installing package(s) git auditd
is complete.
Change directory to folder /boot/grub
.
cd /boot/grub
Initialize git in that folder.
sudo git init
Git needs an e-mail address. That e-mail address doesn't need to actually exist. That e-mail address would appear in git commit change logs if that git repository was ever pushed to any remote. If only used locally, the default you@example.com
could be kept. Otherwise, the user may change you@example.com
to any e-mail address of their choice.
sudo git config user.email "you@example.com"
Git needs an name. That name address doesn't need to actually exist. That name would appear in git commit change logs if that git repository was ever pushed to any remote. If only used locally, the default Your Name
could be kept. Otherwise, the user may change Your Name
to any name of their choice.
sudo git config user.name "Your Name"
Add all files in that folder to git.
sudo git add -A
Commit all files to git. [6]
sudo git commit -a -m .
2. Change grub configuration.
Make changes according to Permanent Configuration Changes.
3. See which files were modified by update-grub
.
From the same folder.
git status
4. Inspect the changes.
Using command line using default diff viewer diff
which might be a bit difficult to read but an alternative is presented in the next step.
git diff
A graphical diff viewer can be used. Unspecific. Undocumented.
git difftool
Inspect Kernel Command Line[edit]
To view the kernel command line of the currently booted kernel, run.
cat /proc/cmdline
If too much output, use grep to filter.
Note: Replace parameter
with the actual kernel parameter you are looking for.
cat /proc/cmdline | grep parameter
Goodies[edit]
- https://packages.debian.org/bookworm/grub-image-boot
- https://packages.debian.org/bookworm/grub-customizer
Boot with Manual Commands[edit]
TODO: document
https://forums.kicksecure.com/t/kicksecure-no-password-prompt-on-gnu-grub/483/3
Boot Related Screenshots[edit]
TODO: document
Legacy BIOS - GRUB Encryption Password Prompt[edit]
Figure: GRUB encryption password prompt (Legacy BIOS)
EFI - GRUB Encryption Password Prompt[edit]
Figure: GRUB encryption password prompt (EFI)
EFI - SecureBoot - Boot Error Message[edit]
Known issue. No bug report needed.
To resolve this, see Secure Boot.
initramfs (initramfs-tools or dracut) based encryption password prompt[edit]
Figure: initramfs (initramfs-tools or dracut) based encryption password prompt
See Also[edit]
Footnotes[edit]
- ↑ https://wiki.ubuntu.com/Kernel/KernelBootParameters
- ↑ Not accessible if boot is broken obviously.
- ↑ Or shut it down and power it on again.
- ↑
The system might hang when holding down the
Shift
key. If that happens, just briefly release theShift
key and hold it down again until the grub menu appears. - ↑ https://web.archive.org/web/20220312140233/https://docs.fedoraproject.org/en-US/Fedora/22/html/Multiboot_Guide/GRUB-runtime.html
- ↑
Commits all files to git with commit message
.
for simplicity. Commit message could also be something else such as{{{sudo_maybe}}} git commit -a -m "initial commit"
.
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!