The Boot Loader Specification

TL;DR: Currently there’s no common boot scheme across architectures and platforms for open-source operating systems. There’s also little cooperation between multiple distributions in dual-boot (or triple, … multi-boot) setups. We’d like to improve this situation by getting everybody to commit to a single boot configuration format that is based on drop-in files, and thus is robust, simple, works without rewriting configuration files and is free of namespace clashes.

The Boot Loader Specification defines a scheme how different operating systems can cooperatively manage a boot loader configuration directory, that accepts drop-in files for boot menu items that are defined in a format that is shared between various boot loader implementations, operating systems, and userspace programs. The same scheme can be used to prepare OS media for cases where the firmware includes a boot loader. The target audience for this specification is:

Why is there a need for this specification?

Of course, without this specification things already work mostly fine. But here’s why we think this specification is needed:

Why not simply rely on the EFI boot menu logic?

EFI is not ubiquitous, especially not in embedded systems. If you have an EFI system, it provides a boot options logic that can offer similar functionality. Here’s why we think that it is not enough for our uses:

Technical Details

Everything described below is located on a placeholder file system $BOOT. The installer program should pick $BOOT according to the following rules:

This placeholder file system shall be determined during installation time, and an fstab entry may be created. It should be mounted to either /boot/ or /efi/. Additional locations like /boot/efi/ (with /boot/ being a separate file system) might be supported by implementations. This is not recommended because the mounting of $BOOT is then dependent on and requires the mounting of the intermediate file system.

Note: $BOOT should be considered shared among all OS installations of a system. Instead of maintaining one $BOOT per installed OS (as /boot/ was traditionally handled), all installed OS share the same place to drop in their boot-time configuration.

For systems where the firmware is able to read file systems directly, $BOOT must be a file system readable by the firmware. For other systems and generic installation and live media, $BOOT must be a VFAT (16 or 32) file system. Applications accessing $BOOT should hence not assume that fancier file system features such as symlinks, hardlinks, access control or case sensitivity are supported.

This specification defines two types of boot loader entries. The first type is text based, very simple and suitable for a variety of firmware, architecture and image types (“Type #1”). The second type is specific to EFI, but allows single-file images that embed all metadata in the kernel binary itself, which is useful to cryptographically sign them as one file for the purpose of SecureBoot (“Type #2”).

Not all boot loader entries will apply to all systems. For example, Type #1 entries that use the efi key and all Type #2 entries only apply to EFI systems. Entries using the architecture key might specify an architecture that doesn’t match the local one. Boot loaders should ignore all entries that don’t match the local platform and what the boot loader can support, and hide them from the user. Only entries matching the feature set of boot loader and system shall be considered and displayed. This allows image builders to put together images that transparently support multiple different architectures.

Note that the $BOOT partition is not supposed to be exclusive territory of this specification. This specification only defines semantics of the /loader/ directory inside the file system (see below), but it doesn’t intend to define ownership of the whole file system exclusively. Boot loaders, firmware, and other software implementing this specification may choose to place other files and directories in the same file system. For example, boot loaders that implement this specification might install their own boot code into the $BOOT partition. On systems where $BOOT is the ESP this is a particularly common setup. Implementations of this specification must be able to operate correctly if files or directories other than /loader/ are found in the top level directory. Implementations that add their own files or directories to the file systems should use well-named directories, to make name collisions between multiple users of the file system unlikely.

Type #1 Boot Loader Specification Entries

We define two directories below $BOOT:

Note: In all cases the /loader/ directory should be located directly in the root of the file system. Specifically, if $BOOT is the ESP, then /loader/ directory should be located directly in the root directory of the ESP, and not in the /EFI/ subdirectory.

Inside the $BOOT/loader/entries/ directory each OS vendor may drop one or more configuration snippets with the suffix “.conf”, one for each boot menu item. The file name of the file is used for identification of the boot item but shall never be presented to the user in the UI. The file name may be chosen freely but should be unique enough to avoid clashes between OS installations. More specifically it is suggested to include the machine ID (/etc/machine-id or the D-Bus machine ID for OSes that lack /etc/machine-id), the kernel version (as returned by uname -r) and an OS identifier (The ID field of /etc/os-release). Example: $BOOT/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf.

In order to maximize compatibility with file system implementations and restricted boot loader environments, and to minimize conflicting character use with other programs, file names shall be chosen from a restricted character set: ASCII upper and lower case characters, digits, “+”, “-“, “_” and “.”. Also, the file names should have a length of at least one and at most 255 characters (including file name suffix).

These configuration snippets shall be Unix-style text files (i.e. line separation with a single newline character), in the UTF-8 encoding. The configuration snippets are loosely inspired on Grub1’s configuration syntax. Lines beginning with ‘#’ shall be ignored and used for commenting. The first word of a line is used as key and shall be separated by one or more spaces from its value. The following keys are known:

Each configuration drop-in snippet must include at least a linux or an efi key and is otherwise not valid. Here’s an example for a complete drop-in file:

# /boot/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf
title        Fedora 19 (Rawhide)
sort-key     fedora
machine-id   6a9857a393724b7a981ebb5b8495b9ea
version      3.8.0-2.fc19.x86_64
options      root=UUID=6d3376e4-fc93-4509-95ec-a21d68011da2
architecture x64
linux        /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux
initrd       /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd

On EFI systems all Linux kernel images should be EFI images. In order to increase compatibility with EFI systems it is highly recommended only to install EFI kernel images, even on non-EFI systems, if that’s applicable and supported on the specific architecture.

Conversely, in order to increase compatibility it is recommended to install generic kernel images that make few assumptions about the firmware they run on, i.e. it is a good idea that both images shipped as UEFI PE images and those which are not don’t make unnecessary assumption on the underlying firmware, i.e. don’t hard depend on legacy BIOS calls or UEFI boot services.

Note that these configuration snippets may only reference kernels (and EFI programs) that reside on the same file system as the configuration snippets, i.e. everything referenced must be contained in the same file system. This is by design, as referencing other partitions or devices would require a non-trivial language for denoting device paths. If kernels/initrds are to be read from other partitions/disks the boot loader can do this in its own native configuration, using its own specific device path language, and this is out of focus for this specification. More specifically, on non-EFI systems configuration snippets following this specification cannot be used to spawn other operating systems (such as Windows).

Unfortunately, there are implementations of boot loading infrastructure that are also using the /loader/entries/ directory, but place files in them that are not valid by this specification. In order to minimize confusion a boot loader implementation may place a file /loader/entries.srel next to the /loader/entries/ directory containing the ASCII string “type1” (suffixed with a UNIX newline). Tools that need to determine whether an existing directory implements the semantics described here may check for this file and contents: if it exists and contains the mentioned string, it shall assume a standards compliant implementation is in place. If it exists but contains a different string it shall assume non-standard semantics are implemented. If the file does not exist no assumptions should be made.

Type #2 EFI Unified Kernel Images

A unified kernel image is a single EFI PE executable combining an EFI stub loader, a kernel image, an initramfs image, and the kernel command line. See the description of the --uefi option in dracut(8). Such unified images will be searched for under $BOOT/EFI/Linux/ and must have the extension .efi. Support for images of this type is of course specific to systems with EFI firmware. Ignore this section if you work on systems not supporting EFI.

Type #2 file names should be chosen from the same restricted character set as Type #1 described above (but use a different file name suffix of .efi instead of .conf).

Images of this type have the advantage that all metadata and payload that makes up the boot entry is monopolized in a single PE file that can be signed cryptographically as one for the purpose of EFI SecureBoot.

A valid unified kernel image must contain two PE sections:

The PRETTY_NAME= and VERSION_ID= fields in the embedded os-release file are used the same as title and version in the “boot loader specification” entries. The .cmdline section is used instead of the options field. linux and initrd fields are not necessary, and there is no counterpart for the machine-id field.

On EFI, any such images shall be added to the list of valid boot entries.

Additional notes

Note that these configurations snippets do not need to be the only configuration source for a boot loader. It may extend this list of entries with additional items from other configuration files (for example its own native configuration files) or automatically detected other entries without explicit configuration.

To make this explicitly clear: this specification is designed with “free” operating systems in mind, starting Windows or macOS is out of focus with these configuration snippets, use boot-loader specific solutions for that. In the text above, if we say “OS” we hence imply “free”, i.e. primarily Linux (though this could be easily be extended to the BSDs and whatnot).

Note that all paths used in the configuration snippets use a Unix-style “/” as path separator. This needs to be converted to an EFI-style “\” separator in EFI boot loaders.


A boot loader needs a file system driver to discover and read $BOOT, then simply reads all files $BOOT/loader/entries/*.conf, and populates its boot menu with this. On EFI, it then extends this with any unified kernel images found in $BOOT/EFI/Linux/*.efi. It may also add additional entries, for example a “Reboot into firmware” option. Optionally it may sort the menu based on the sort-key, machine-id and version fields, and possibly others. It uses the file name to identify specific items, for example in case it supports storing away default entry information somewhere. A boot loader should generally not modify these files.

For “Boot Loader Specification Entries” (Type #1), the kernel package installer installs the kernel and initrd images to $BOOT (it is recommended to place these files in a vendor and OS and installation specific directory) and then generates a configuration snippet for it, placing this in $BOOT/loader/entries/xyz.conf, with xyz as concatenation of machine id and version information (see above). The files created by a kernel package are private property of the kernel package and should be removed along with it.

For “EFI Unified Kernel Images” (Type #2), the vendor or kernel package installer creates the combined image and drops it into $BOOT/EFI/Linux/. This file is also private property of the kernel package and should be removed along with it.

A UI application intended to show available boot options shall operate similar to a boot loader, but might apply additional filters, for example by filtering out the booted OS via the machine ID, or by suppressing all but the newest kernel versions.

An OS installer picks the right place for $BOOT as defined above (possibly creating a partition and file system for it) and pre-creates the /loader/entries/ directory in it. It then installs an appropriate boot loader that can read these snippets. Finally, it installs one or more kernel packages.

Out of Focus

There are a couple of items that are out of focus for this specification:

GUID Partition Table
Boot Loader Interface
Discoverable Partitions Specification