GRUB 2.14: UKI, TPM2, EROFS support and Argon2 encryption

Key points:
  • Support for Unified Kernel Imaging (UKI) and BLS specification.
  • Automatic unlocking of encrypted disks using TPM 2.0 and Argon2 hash.
  • Compatibility with EROFS file system and improvements to LVM/Btrfs.
  • Massive correction of vulnerabilities (CVEs) in file systems and USB drives.
  • Update to Libgcrypt 1.11.0 and support for ZSTD compression.
David Y. NaranjoUpdated on

4 minutes

Grub

A few days ago, the GNU project announced the official launch of GRUB 2.14, the new stable version of its cross-platform boot manager.

And is that after two years of development since version 2.12, This update represents a significant leap in security, hardware compatibility, and file system flexibility, solidifying its position as the de facto standard in Linux and Unix.

GRUB 2.14 Key New Features

El The most notable change in this version is the modernization of their capabilities of Secure boot and key management. GRUB 2.14 introduces native support for the "Key Protector" mechanism TPM2", which allows automatically unlocking encrypted partitions during boot using keys stored in the Trusted Platform Module (TPM), simplifying the user experience without sacrificing security.

To this sIt also includes compatibility with the Argon2 password hash scheme and support for the Shim loading protocol, crucial to ensuring a verified boot in UEFI Secure Boot environments.

On the file system front, compatibility has been greatly expanded. The following has been added: EROFS support (Enhanced Read-Only File System), a system developed by Huawei optimized for high performance in read-only partitions with compression. Also Significant improvements are being introduced for LVMThis includes the ability to monitor data integrity using dm-integrity and support for cachevol configurations, which accelerate slow mechanical disks by using fast SSDs as cache. Btrfs users, it is now possible to store the variable block of the GRUB environment in a reserved area of ​​the file system header, improving the robustness of the configuration.

The boot architecture also received improvements, and with this new version, it receives...Full support for Unified Kernel Images (UKIThis format packages the kernel, initrd, and UEFI boot stub into a single PE executable file, facilitating digital signing and direct booting from UEFI firmware, aligning with modern Linux security trends. Furthermore, The BLS specification has been implemented (Boot Loader Specification), allowing a standardized and universal configuration of the boot manager using the blscfg command.

In terms of internal security, GRUB 2.14 has performed a deep cleaning of vulnerabilities. Multiple buffer and integer overflows have been fixed in the handling of file systems such as NTFS, HFS+, UFS, and SquashFS, as well as in the processing of JPEG images and tar archives. Of particular note are the corrections to critical vulnerabilities in USB device handling (CVE-2025-61661) and Use-After-Free issues in module management. Furthermore, the internal cryptographic library has been migrated to Libgcrypt 1.11.0, abandoning the outdated 2013 version 1.5.3, and support for decompression using the ZSTD algorithm has been added.

For system administrators who require strict control, The –disable-cli option has been implemented, that It allows you to completely block the GRUB command-line interface, preventing unauthorized users from editing menu entries during startup. Finally, the software is future-proof with support for dates beyond 2038, ensuring its operational longevity.

Finally, if you are interested in knowing more about it, you can consult the details in the following link

Download and install

Last but not least, it should be mentioned that The update is now available on most distributions. of Linux, so all you need to do is run the update command for your distro.

And is that Updating the GRUB bootloader to version 2.14 is not that straightforward how to update a normal application (like Firefox or LibreOffice), since it is a critical system component that is usually managed by the Linux distribution you use.

However If you need any new features (such as EROFS support or TPM2 unlocking) And if you can't wait, you can compile it. from source code.

WARNING: If you fail this process, your system will not boot and you will have to recover it using a Live USB.
  1. To update from source code, the first thing you need to do is Download the grub-2.14.tar.gz package
  2. After that install build dependenciesYou will need tools like gcc, make, bison, flex, python3, and the development libraries (headers) for things like devmapper or fuse if you want all the features.
  3. Compile and install:
tar xzf grub-2.14.tar.gz cd grub-2.14 ./configure --prefix=/usr # Be careful not to overwrite the system prefix make sudo make install

Finally, you should know that installing the software does not update the bootloader in the MBR or EFI partition, and therefore you must run

grub-install

pointing to your disk.