How Does Linux Boot? Part 3: UEFI to Shim to the Next Link in the Chain

Two weeks ago I started explaining how Linux boots. Last week I got as far as the UEFI firmware finding and running a “shim” program named shim.efi to satisfy the Secure Boot security policy with its digital signature from a trusted signing authority (which, to further discourage the conspiracy theories, is not Microsoft or somehow under their control). UEFI runs whatever you tell it to run in the EFI System Partition, a specially tagged FAT32 file system. That might be EFI\BOOT\BOOTX64.EFI on a Windows system, but on Red Hat Enterprise Linux it’s EFI\REDHAT\SHIM.EFI. I showed you how to discover that with the efibootmgr program. How can you figure out what happens next? We have watched the system boot and noticed that the GRUB boot loader is involved. Look at this:

# tree /boot/efi
+-- EFI
    +-- BOOT
    |   +-- BOOTX64.EFI
    |   +-- fallback.efi
    +-- redhat
        +-- BOOT.CSV
        +-- fonts
        |   +-- unicode.pf2
        +-- gcdx64.efi
        +-- grub.cfg
        +-- grubx64.efi
        +-- MokManager.efi
        +-- shim.efi
        +-- shim-redhat.efi

4 directories, 10 files

We suspect that shim.efi calls grubx64.efi, but how can we verify that? Like this:

# hexdump -C /boot/efi/EFI/redhat/shim.efi | egrep -i -C 2 'grub|g.r.u.b'
000c50d0  74 00 20 00 4d 00 6f 00  6b 00 49 00 67 00 6e 00  |t. .M.o.k.I.g.n.|
000c50e0  6f 00 72 00 65 00 44 00  42 00 3a 00 20 00 25 00  |o.r.e.D.B.:. .%.|
000c50f0  72 00 0a 00 00 00 5c 00  67 00 72 00 75 00 62 00  |r.....\.g.r.u.b.|
000c5100  78 00 36 00 34 00 2e 00  65 00 66 00 69 00 00 00  |x.6.4...e.f.i...|
000c5110  46 00 61 00 69 00 6c 00  65 00 64 00 20 00 74 00  |F.a.i.l.e.d. .t.|
--
000c51f0  69 00 6e 00 20 00 69 00  6e 00 73 00 65 00 63 00  |i.n. .i.n.s.e.c.|
000c5200  75 00 72 00 65 00 20 00  6d 00 6f 00 64 00 65 00  |u.r.e. .m.o.d.e.|
000c5210  0a 00 00 00 00 00 00 00  5c 67 72 75 62 78 36 34  |........\grubx64|
000c5220  2e 65 66 69 00 74 66 74  70 3a 2f 2f 00 00 00 00  |.efi.tftp://....|
000c5230  55 00 52 00 4c 00 53 00  20 00 4d 00 55 00 53 00  |U.R.L.S. .M.U.S.|
--
00144470  00 58 35 30 39 5f 41 54  54 52 49 42 55 54 45 5f  |.X509_ATTRIBUTE_|
00144480  63 72 65 61 74 65 5f 62  79 5f 4f 42 4a 00 69 6e  |create_by_OBJ.in|
00144490  69 74 5f 67 72 75 62 00  52 53 41 5f 70 72 69 6e  |it_grub.RSA_prin|
001444a0  74 00 58 35 30 39 5f 74  72 75 73 74 5f 63 6c 65  |t.X509_trust_cle|
001444b0  61 72 00 42 49 4f 5f 73  5f 6e 75 6c 6c 00 58 35  |ar.BIO_s_null.X5|

OK, so what was all that about? The hexdump program shows the hexadecimal byte values and displays the printable characters, with “.” in place of unprintable ones. We didn’t know if the string grub would appear as a 4-byte ASCII sequence, or if it would be UTF-16 Unicode. So we used egrep and told it to search for lines matching either the first regular expression or the second one. We didn’t know if the string would be lower or upper case, or even a mix, so we used the -i option to ignore case. Finally, we used -C 2 to ask for 2 lines of context around each match. Red Hat sets up system-wide aliases for all the grep versions to add the option --color=auto, which very nicely highlights the matches. If you want to learn these “power tools” tricks, check out Learning Tree’s Tools and Utilities course.

So yes, our suspicion has been verified: shim.efi does call grubx64.efi. We got lucky here: the patterns all appeared within one 16-byte block, not spanning two blocks. We could have searched for partial patterns or, for messier output, opened the file with the vim editor.

The first and second instances in our output have to do with verifying our theory about the chain-loading sequence. The third is part of the embedded x509v3 digital certificate.

Now we have verified this much of the booting chain:

UEFI → shim.efi → grubx64.efi

Does grubx64.efi read /boot/efi/EFI/redhat/grub.cfg as we suspect? Yes:

# strings /boot/efi/EFI/redhat/grubx64.efi | grep grub.cfg
%s/grub.cfg

We have taken things as far as the GRUB boot loader, which in this case is part of an EFI-specific package:

# rpm -qf /boot/efi/EFI/redhat/grubx64.efi
grub2-efi-2.02-0.2.10.el7.x86_64
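
The hexdump search earlier depends on each match fitting inside one 16-byte output line. As an added example (not from the original post), this Python script searches the raw bytes for a string in both 8-bit ASCII and UTF-16LE, wherever the line breaks fall, and shows the hexdump-style line search missing the same data. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys

def hexdump_grep(data, regex):
    """Mimic `hexdump -C | egrep -i`: a match must fit inside one 16-byte text column."""
    pat = re.compile(regex, re.IGNORECASE)
    hits = []
    for off in range(0, len(data), 16):
        col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[off:off + 16])
        if pat.search(col):
            hits.append(off)
    return hits

def _printable(data, i, width):
    """True if a printable ASCII character (8-bit or UTF-16LE) starts at offset i."""
    unit = data[i:i + width] if i >= 0 else b""
    return len(unit) == width and 0x20 <= unit[0] < 0x7F and not any(unit[1:])

def find_string(data, needle):
    """Return sorted (offset, encoding, whole_string) for every case-insensitive hit."""
    lowered = data.lower()          # bytes.lower() folds ASCII letters only
    hits = []
    for enc, width in (("ascii", 1), ("utf-16-le", 2)):
        pat = needle.lower().encode(enc)
        pos = lowered.find(pat)
        while pos != -1:
            start, end = pos, pos + len(pat)
            while _printable(data, start - width, width):   # grow left to string start
                start -= width
            while _printable(data, end, width):             # grow right to string end
                end += width
            hits.append((pos, enc, data[start:end].decode(enc)))
            pos = lowered.find(pat, pos + 1)
    return sorted(hits)

# Constructed sample (not bytes from shim.efi): both strings are placed so that
# "grub" straddles a 16-byte boundary, the case the hexdump pipeline would miss.
SAMPLE = (b"\x00" * 10 + "\\grubx64.efi".encode("utf-16-le") + b"\x00" * 11
          + b"\\GRUBX64.EFI\x00tftp://\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("hexdump-style line matches:", [hex(o) for o in hexdump_grep(data, r"grub|g.r.u.b")])
    for off, enc, text in find_string(data, "grub"):
        print(f"{off:#010x}  {enc:9}  {text}")
```

Pass a file path such as /boot/efi/EFI/redhat/shim.efi as the first argument to scan that file instead of the sample.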

Next week we will look at the GRUB boot loader. Many current distributions offer nothing but GRUB 2. You probably know what I’m about to say: it’s more capable, but at the expense of greater complexity! Check next week’s entry for the details!

PS – Make sure to view our entire Linux/UNIX curriculum including our new 4-day course on Linux Virtualization & 2 new 1-day online courses!
