#1 2026-03-06 15:54:46

johndavis
Member
Registered: 2024-11-09
Posts: 7

Putting /boot and GRUB on a usb drive based [SOLVED]

Hi everyone,

Recently I got my hands on a few spare mini PCs and I am using them to play around with Arch and better understand different tools like encryption, logical volume manager etc. I was going over the dm-crypt specialties section about securing the unencrypted boot partition and I wanted to ask before I try it if the way I am approaching it is correct at least on a purely theoretical level before applying it. So here we go. I am doing a new fresh Arch install and instead of having my boot partition on my main internal drive I want to have it on a USB drive partition. At the same time I want to install GRUB on that same USB drive but at a different partition that I have created on it. Now both of these actions are fairly trivial. On the USB I have created two partitions both formatted as FAT32; 1) for GRUB I will install it using:

grub-install --target=x86_64-efi --bootloader-id=GRUB --efi-directory=/mnt/usb/efi --boot-directory=/mnt/usb/boot --removable

After that is done I will generate the fstab file with genfstab.

My understanding based on the Arch wiki so far is that grub-install uses the efibootmgr to write the boot entries to NVRAM using PARTUUID. While with genfstab passing the -U parameter does the same with UUIDs for boot and any other drives it discovers that are mounted during the installation process. This means that on NVRAM the drive entries are using persistent naming that will not change like the kernel name on mounted drives does sometimes, like going from sdd1 to sdb1 for example. My understanding on this is that during boot the firmware (UEFI) will look for those unique identifiers, provided that the USB is plugged in, to load GRUB and boot from. The question that I have is simple: if anyone has tried it before, is my thought process correct? If not, what would I need to tweak?

The only thing I can possibly think is that UEFI uses internal drives to look for first to read and boot from so maybe I need to change the boot order to USB first instead of drive to make this work?

Any thoughts on this?

SOLUTION
So for those in the future who wish to have their boot partition and grub on a USB/s drive/s the Arch Wiki on GRUB/Tips and Tricks section 1.1.2 explains very well the process to do at least for installing GRUB on a removable USB drive. As for boot it is as simple as making sure that during installation the USB partition that you want to put it on is mounted and then just follow the instructions from the Arch wiki regular installation. Something that Scimmia pointed out and it was really helpful and gave me more insight was that the --removable option in the grub install command I pasted above makes it so that grub is installed in the default fallback path in the EFI partition on the USB drive WITHOUT creating any entries on NVRAM. This makes it so that the UEFI firmware uses that default path (esp/EFI/BOOT/BOOTX64.EFI) every time the USB is connected during boot. If the --removable option was not specified then GRUB would still be installed in the USB partition but there would also be an NVRAM entry for it as well, in which case if the USB was not found during boot the UEFI would remove that entry from NVRAM and next time there was a boot attempt with the USB plugged in, I would have to reinstall grub with a live Arch ISO. Apparently most UEFI implementations remove NVRAM entries when they are not found. Also I did not have to change my boot order at any point for this to work. I have tested it twice on my X220 ThinkPad.

If you think there are any inaccuracies on the post please feel free to comment and I or a moderator can make the changes.

Last edited by johndavis (2026-03-07 14:45:32)

Offline

#2 2026-03-06 16:20:02

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,602

Re: Putting /boot and GRUB on a usb drive based [SOLVED]

One misconception here, you install grub with an NVRAM entry (and bootloader-id) OR you install it as removable, which installs to the default loader location and does not add it to NVRAM. You can technically do both, but only one will be used, so it doesn't make much sense. If using an NVRAM entry, many or even most UEFI implementations will remove the entry if it doesn't exist, i.e. when you pull the drive. Is this what you're going to be doing?

Offline

#3 2026-03-06 16:53:53

johndavis
Member
Registered: 2024-11-09
Posts: 7

Re: Putting /boot and GRUB on a usb drive based [SOLVED]

Ohh I see, you are correct, the --removable option makes it so that NVRAM is not modified by efibootmgr and instead grub is installed in the default fallback location on the drive. I actually do not want to do that. My end goal is to have both the boot and EFI partitions on a USB drive (different partitions though) and use it as a two factor authentication so if someone let's say presses the power button they get back to the UEFI shell unless my USB drive is plugged in, in which case GRUB would load and give me boot options. Now I am not saying this is the best approach for security, I am just trying to implement this method correctly and understand it.

Also I did not know that modern UEFI implementations will delete NVRAM entries if not found. I have been reading the most recent UEFI specification but it is a bit hard as I am not in the CS field though savvy enough to understand a few things. So if the NVRAM entries are deleted when the PC tries to power on but the USB is not plugged in, would that mean that I would have to reinstall GRUB every time or just set the boot order to USB drive so that UEFI looks for the EFI partition on a USB instead of the internal drive first?

I hope what I am saying makes sense technically.

Offline

#4 2026-03-06 17:33:17

frostschutz
Member
Registered: 2013-11-15
Posts: 1,619

Re: Putting /boot and GRUB on a usb drive based [SOLVED]

johndavis wrote:

would that mean that I would have to reinstall GRUB every time

Yes, or re-add the missing entry some other way. Installing grub twice (with and without --removable) is for convenience, allows you to boot it as a fallback in case it's inadvertently removed.

Offline

#5 2026-03-06 19:56:23

johndavis
Member
Registered: 2024-11-09
Posts: 7

Re: Putting /boot and GRUB on a usb drive based [SOLVED]

frostschutz wrote:
johndavis wrote:

would that mean that I would have to reinstall GRUB every time

Yes, or re-add the missing entry some other way. Installing grub twice (with and without --removable) is for convenience, allows you to boot it as a fallback in case it's inadvertently removed.

This seems a bit counterproductive. On the Arch wiki they talk about the process of having GRUB at least on a USB. Why would they do that if every time the PC is booted and the USB is not plugged in the NVRAM entries get deleted? I thought that the UEFI would at least fall back to the UEFI shell until you reboot and plug the USB in, in which case it would find the bootloader and the boot partition.

Offline

#6 2026-03-07 02:09:41

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,602

Re: Putting /boot and GRUB on a usb drive based [SOLVED]

GRUB on USB usually means using --removable and telling the system firmware to just boot that drive, not use an NVRAM entry.

Offline
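
To check which of the two install modes discussed in this thread a USB stick actually ended up with, here is an added example (not code from any poster or from the Arch wiki). The function names are hypothetical, the ESP directory and the efibootmgr-style text in the demo are constructed, and GNU find is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.
# Classifies a GRUB install on an ESP as removable / nvram / both / none.

# True if the UEFI default fallback loader exists under the ESP mount point.
# Matched case-insensitively, as FAT32 file names are.
has_fallback_loader() {
    local esp="${1%/}"
    find "$esp" -maxdepth 3 -type f -ipath "$esp/efi/boot/bootx64.efi" \
        2>/dev/null | grep -q .
}

# True if efibootmgr-style text ($1) has a BootXXXX entry labelled $2.
# The label is used as a regex, so keep it to plain characters.
has_nvram_entry() {
    printf '%s\n' "$1" |
        grep -Eq "^Boot[0-9A-Fa-f]{4}\*? +$2([[:space:]]|\$)"
}

# $1 = ESP mount point, $2 = efibootmgr output, $3 = bootloader id (default GRUB)
classify_install() {
    local esp="$1" out="$2" id="${3:-GRUB}" fb=no nv=no
    has_fallback_loader "$esp" && fb=yes
    has_nvram_entry "$out" "$id" && nv=yes
    case "$fb/$nv" in
        yes/no)  echo removable ;;  # firmware finds it by the default path
        no/yes)  echo nvram ;;      # depends on the NVRAM entry surviving
        yes/yes) echo both ;;
        *)       echo none ;;
    esac
}

# Constructed demo: a fake ESP laid out as --removable leaves it, and
# constructed efibootmgr-style output that has no GRUB entry.
demo_esp=$(mktemp -d)
mkdir -p "$demo_esp/EFI/BOOT" && : > "$demo_esp/EFI/BOOT/BOOTX64.EFI"
sample_nvram='BootCurrent: 0001
BootOrder: 0001
Boot0001* USB HDD'
classify_install "$demo_esp" "$sample_nvram"
rm -rf "$demo_esp"
```

On an installed system the call would be `classify_install /mnt/usb/efi "$(efibootmgr)"`, using the ESP mount point from the first post.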
