Fedora’s Slim GRUB Aims to Stabilize Confidential VMs

Fedora 45 proposes a minimal GRUB package tailored for confidential VMs. The lighter bootloader preserves stable TPM PCR values for reliable remote attestation while supporting UKIs and BLS. Standard GRUB remains the default. The change avoids systemd-boot due to testing and maintenance concerns.
Written by Emma Rogers

Fedora developers want to change how virtual machines boot in secure environments. A new proposal for the upcoming Fedora 45 release introduces a stripped-down version of the GRUB bootloader. This variant targets confidential computing workloads exclusively.

Red Hat engineers Leo Sandoval and Marta Lewandowska put forward the plan. Their Fedora Discussion post outlines a separate package. It contains only the modules absolutely necessary for UEFI virtual machines. The goal remains straightforward. Keep TPM platform configuration register values stable across time.

Confidential VMs depend on measured boot and remote attestation. Any update to the bootloader alters those PCR measurements. Attestation then fails. The result disrupts operations that assume predictable boot behavior. A lighter GRUB reduces the frequency of such updates. Fewer built-in modules shrink the attack surface too.

The package focuses on UEFI boot with Secure Boot enabled. It loads Unified Kernel Images quickly. It reads Bootloader Specification files. UKIs bundle the kernel, initramfs and command line into one signed artifact. This approach eliminates the risk of an unsigned initramfs. CoreOS already favors UKIs. Confidential computing environments do as well.

Standard GRUB stays untouched. It remains the default for Fedora Linux desktops and servers. The new package, currently packaged as grub2-efi-x64-cc in Rawhide, serves a narrow purpose. Administrators install it deliberately for confidential VMs. Regular users see no compatibility impact.

Early discussions weighed systemd-boot as an alternative. The team rejected it. Systemd developers resist requests for extra features. Systemd-boot lacks the extensive testing and fuzzing applied to GRUB. Maintaining two distinct bootloaders would create technical debt. Support for additional architectures would require yet another solution anyway. So the project chose to slim GRUB instead.

Phoronix first reported the proposal on June 13, 2026. Michael Larabel noted the hope for more stable confidential computing experiences. The lighter bootloader produces consistent PCR8 values when swapping between different UKIs. Testers verify this with the tpm2_pcrread command.
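To make that check repeatable, the following added example (not part of the proposal or the Fedora project's tooling) compares the PCR 8 value reported by tpm2_pcrread across boots. On a real system each capture would come from "tpm2_pcrread sha256:8"; the captures below are constructed stand-ins, and the hex values are placeholders.

```shell
#!/bin/sh
# Added example: detect PCR 8 drift between boots using tpm2_pcrread output.
# Assumptions: captures are produced with `tpm2_pcrread sha256:8`, whose
# output lists "  <index> : 0x<hex>" lines under a "sha256:" heading.

# Print the hex value of one PCR index from tpm2_pcrread text on stdin.
# Usage: pcr_value INDEX < capture
pcr_value() {
    awk -v idx="$1" '$1 == idx && $2 == ":" { print tolower($3) }'
}

# Succeed (exit 0) when both captures report the same value for INDEX
# and that value is present; fail otherwise. Usage: pcr_stable INDEX CAP_A CAP_B
pcr_stable() {
    a=$(printf '%s\n' "$2" | pcr_value "$1")
    b=$(printf '%s\n' "$3" | pcr_value "$1")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed captures (placeholder digests, not real measurements):
# boots 1 and 2 use the same slim GRUB with two different UKIs, which the
# proposal says should leave PCR 8 unchanged; boot 3 follows a bootloader
# update, which changes the measurement and would break attestation.
BOOT1='sha256:
  8 : 0x1111111111111111111111111111111111111111111111111111111111111111'
BOOT2='sha256:
  8 : 0x1111111111111111111111111111111111111111111111111111111111111111'
BOOT3='sha256:
  8 : 0x2222222222222222222222222222222222222222222222222222222222222222'

# Report the outcome when run directly; a failing check is what an
# attestation policy tied to the old PCR 8 value would also see.
if pcr_stable 8 "$BOOT1" "$BOOT2"; then
    echo "boot1 vs boot2: PCR 8 stable (UKI swap did not change it)"
fi
if ! pcr_stable 8 "$BOOT1" "$BOOT3"; then
    echo "boot1 vs boot3: PCR 8 changed (bootloader update detected)"
fi
```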

Rawhide already ships test RPMs for x86_64 and aarch64. They carry signatures from the existing GRUB Secure Boot key. Plans call for a dedicated signing key later. Work also proceeds on bootupd support so that sealed bootable container images can update the bootloader safely.

But challenges remain. UKIs expect their files on the EFI system partition. Administrators must adjust BLS entries to use the efi keyword instead of linux. Command-line parameters bundled inside the UKI can complicate matters on custom hardware. Tools such as ukify and pesign help build and sign custom UKIs or addons. The process involves generating keys, enrolling them with mokutil and careful file placement.

Confidential computing gains traction across cloud providers. IBM and Red Hat have advanced Confidential Containers that isolate workloads inside hardware enclaves. A Red Hat blog post from October 2024 described how these protect data in use from privileged administrators. Stable boot measurements strengthen the trust chain that remote parties verify.

Recent coverage echoes the same technical points. No major new developments appeared in the past 48 hours beyond the initial Phoronix story and Fedora thread. Discussions on X highlight the decision to refine GRUB rather than adopt systemd-boot. One Japanese-language account summarized the proposal accurately. It stressed how bootloader updates break remote attestation and why a minimal GRUB package addresses the issue without abandoning a battle-tested codebase.

The change remains a proposal. The Fedora Engineering and Steering Committee must approve it. If accepted, the package appears in Fedora 45. Virtual machine images built for confidential environments would adopt the lighter bootloader by default. Desktop users notice nothing.

Attack surface reduction matters. Every unnecessary module adds code that could contain flaws. Updates to that code trigger PCR changes. A minimal footprint limits both risks. At the same time, GRUB retains its maturity. The project avoided trading proven fuzzing coverage for a lighter but less scrutinized alternative.

Implementation details continue to evolve. Developers test replacing the standard grubx64.efi with the cc variant. They confirm UKI menu entries appear. Editing an entry reveals chainloader commands pointing to the UKI path. The EFI binary itself is smaller than the full-featured one.

Fedora’s move fits broader industry patterns. Cloud operators seek predictable attestation results. Container platforms emphasize immutable boot artifacts. UKIs deliver that immutability. A bootloader that loads them without frequent changes completes the picture. Whether this light GRUB becomes the foundation for future confidential Fedora images depends on committee review. For now, the proposal offers a practical path forward. One that builds on existing infrastructure rather than introducing new maintenance burdens.

And the timing feels right. Interest in confidential computing continues to climb. Enterprises want stronger guarantees that their sensitive workloads stay isolated even from the cloud provider. A stable measured boot process forms a critical piece of that guarantee. Fedora’s experiment with a purpose-built GRUB could influence other distributions. The code already lives in Rawhide. Early testers can experiment today.
