v0.9.1 · Native /boot + Pop!_OS + Trust Chain
LamBoot
Modern, memory-safe UEFI boot for Linux.
Rust. Read-only /boot. Graphical menu with a mouse. Proxmox-native. Honest Secure Boot.
Eight thousand lines of Rust that do what a bootloader should do — and tell you what they did.
#![no_std] | MIT OR Apache-2.0
A bootloader that tells you why
LamBoot is a memory-safe UEFI bootloader written in Rust, built for Proxmox VM fleets, homelabs, and security-conscious Linux desktops. It talks the same Boot Loader Specification language as systemd-boot, runs Linux via LoadFile2 like a modern loader should, but adds things no mainstream bootloader ships:
- A graphical menu with full mouse support
- An NVRAM-based crash-loop state machine
- Loadable EFI filesystem drivers
- Pre-boot diagnostic modules
- And most importantly, a JSON trust-evidence log written to the ESP on every boot that documents every image-authentication decision the firmware and bootloader made.
When things go wrong, LamBoot tells you why.
Designed, not accreted
Elegant by design. Eight layers. Each with a single job.
Read-only filesystem access. No hacks. Contribute in an afternoon, or audit the whole boot path in one sitting. Every module declares its layer; dependencies flow one way; Trust & Audit is a right-hand rail that every layer writes to and nothing reads from.
Read the architecture →
┌────────────────────────┐  ┌────┐
│ 7 Orchestration        │  │    │
│ 6 Presentation         │  │ 5  │
│ 4 Policy & State       │←→│ Tr │
│ 3 Content Parsers      │←→│ us │
│ 2 Filesystem           │←→│ t  │
│ 1 UEFI Firmware        │←→│ &  │
│ 0 Platform             │←→│ Au │
└────────────────────────┘  └────┘
  deps flow down            writes →
~8,300 LoC Rust · vs. GRUB’s 40k+ of C
Built for Proxmox.
Host-side VM boot-health monitoring, no agent inside the guest. NVRAM state readable via OVMF_VARS. The first Linux bootloader with fleet operations as a first-class concern.
Proxmox integration →
Modern Linux, done right.
BLS Type 1 entries with UAPI.10 version sort. Unified Kernel Images as first-class citizens. LoadFile2 initrd handoff (kernel 5.7+). kernel-install and postinst hooks. Plus systemd-boot-discoverable-EFI layouts (/EFI/<distro>-<uuid>/vmlinuz.efi) — picks up Pop!_OS, Garuda, and any custom systemd-boot installation.
See all innovations →
Graphical menu with a mouse.
Double-buffered GOP rendering. Full pointer support (unique among Rust bootloaders). Serial console fallback. None of this is theoretical — it ships today.
Presentation layer →
Honest Secure Boot.
Trust-evidence JSON log written to the ESP on every boot. Every image-authentication decision recorded. Read-only filesystem access means we literally cannot corrupt /boot.
Read the threat model →
Who LamBoot is built for
| Audience | Pain | LamBoot’s answer |
|---|---|---|
| Rust / systems developers | Want to read a bootloader that isn’t 40k lines of 1990s C. | ~8,300 lines of idiomatic Rust across 8 clean layers. Documented unsafe. Read-only /boot guaranteed by the crate. |
| Proxmox VM fleet operators | Dozens of VMs; no visibility when one enters a boot loop. | Host-side monitor reads NVRAM crash state. No in-VM agent. |
| Homelab Linux enthusiasts | GRUB breaks on kernel upgrades; no decent graphical menu. | BLS-native with kernel-install plugin, GUI with mouse, tiny binary. |
| Security-conscious desktop users | Secure Boot works but is a black box — no way to audit. | Trust-evidence log. TPM measurements. Documented threat model. |
| Audit / compliance teams | Need evidence of which kernel signature verified, and how. | Every boot writes \loader\boot-trust.log. TPM measurements on PCR 4/5/12. |
Because LamBoot records its decisions
You can debug a failed boot by reading a file. Here’s what that looks like — a real extract from \loader\boot-trust.log after a normal boot. One JSON object per line.
{"seq":0,"event":"boot_start","path":"","size":0,"sha256":"","verified_via":"","status":"","note":"secure_boot=true"}
{"seq":1,"event":"driver_loaded","path":"\\EFI\\LamBoot\\drivers\\ext4_x64.efi","size":0,"sha256":"","verified_via":"shim_mok","status":"Success","note":""}
{"seq":2,"event":"boot_attempt","path":"\\EFI\\Linux\\ubuntu-6.11.efi","size":0,"sha256":"","verified_via":"firmware_db","status":"Success","note":"uki"}
Append-mode with per-image SHA-256 in v0.9.0; firmware-LoadImage events now flush to disk before kernel handoff (v0.9.1 fix); per-event crypto signing on the v0.9.x polish track. Full schema on the security page.
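A host-side check over this log, as an added example (not LamBoot's own code or its `lamboot-monitor.py`): it parses the JSON lines and reports sequence gaps, image events whose status is not `Success`, image events with an empty `verified_via` while the boot reported `secure_boot=true`, and unparseable lines. Assumptions: only the field and event names visible in the extract above are used, each boot's `boot_start` restarts the sequence, and the `SecurityViolation` status string and the sample's last four lines are constructed.

```python
import json

# Field and event names are those visible in the page's extract (full schema not assumed).
FIELDS = {"seq", "event", "path", "size", "sha256", "verified_via", "status", "note"}
IMAGE_EVENTS = {"driver_loaded", "boot_attempt"}

def audit_trust_log(text):
    """Return [(line_no, finding), ...] for an append-mode boot-trust.log."""
    findings, expected_seq, secure_boot = [], 0, False
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append((line_no, "unparseable line"))  # e.g. a write cut short
            continue
        if not isinstance(ev, dict) or not FIELDS.issubset(ev) or not isinstance(ev["seq"], int):
            findings.append((line_no, "unexpected record shape"))
            continue
        if ev["event"] == "boot_start":  # assumption: each boot restarts the sequence
            expected_seq = ev["seq"]
            secure_boot = "secure_boot=true" in ev["note"]
        if ev["seq"] != expected_seq:    # a missing event is itself evidence
            findings.append((line_no, f"seq gap: expected {expected_seq}, got {ev['seq']}"))
        expected_seq = ev["seq"] + 1
        if ev["event"] in IMAGE_EVENTS:
            if ev["status"] != "Success":
                findings.append((line_no, f"{ev['path']}: status {ev['status']}"))
            if secure_boot and not ev["verified_via"]:
                findings.append((line_no, f"{ev['path']}: no verified_via under Secure Boot"))
    return findings

# Lines 1-3 are the extract from the page; lines 4-7 are constructed for this example.
SAMPLE = "\n".join([
    r'{"seq":0,"event":"boot_start","path":"","size":0,"sha256":"","verified_via":"","status":"","note":"secure_boot=true"}',
    r'{"seq":1,"event":"driver_loaded","path":"\\EFI\\LamBoot\\drivers\\ext4_x64.efi","size":0,"sha256":"","verified_via":"shim_mok","status":"Success","note":""}',
    r'{"seq":2,"event":"boot_attempt","path":"\\EFI\\Linux\\ubuntu-6.11.efi","size":0,"sha256":"","verified_via":"firmware_db","status":"Success","note":"uki"}',
    r'{"seq":0,"event":"boot_start","path":"","size":0,"sha256":"","verified_via":"","status":"","note":"secure_boot=true"}',
    r'{"seq":1,"event":"driver_loaded","path":"\\EFI\\LamBoot\\drivers\\ext4_x64.efi","size":0,"sha256":"","verified_via":"","status":"Success","note":""}',
    r'{"seq":3,"event":"boot_attempt","path":"\\EFI\\Linux\\constructed-example.efi","size":0,"sha256":"","verified_via":"firmware_db","status":"SecurityViolation","note":"uki"}',
    r'{"seq":4,"event":"boot_at',
])

if __name__ == "__main__":
    for line_no, finding in audit_trust_log(SAMPLE):
        print(f"line {line_no}: {finding}")
```

The three lines taken from the page produce no findings; all four findings come from the constructed second boot.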
What’s in v0.9.1
Platform
- x86_64 UEFI (~480 KB), aarch64 UEFI (~400 KB)
- Memory-safe Rust; every unsafe documented
- Dual MIT / Apache-2.0 license
- Native ext4 read backend (v0.9.0): read your /boot directly, no UEFI FS driver gymnastics; native btrfs/xfs in v1.x
Interface
- Double-buffered GOP renderer (no flicker)
- Full mouse support, unique among Rust bootloaders
- Keyboard shortcuts (F1/F2/F12/…)
- Serial console fallback (headless VMs, SOL)
Boot management
- BLS Type 1 with UAPI.10 version sort
- Unified Kernel Images, first-class menu entries
- systemd-boot-discoverable-EFI scan (Pop!_OS, Garuda, custom layouts)
- Linux boot via LoadFile2 (no legacy handoff)
- Native Rust ext4 read backend (v0.9.0) + native PE loader; loadable EFI filesystem drivers as fallback for btrfs/xfs/zfs/… until native backends land in v1.x
- Windows chainload, diagnostic modules
Reliability & recovery
- NVRAM crash-loop state machine
- systemd-bless-boot-compatible boot counting
- BLS preflight + stale-entry regeneration
- No-entries recovery screen
Integration
- Proxmox host-side monitor (lamboot-monitor.py)
- kernel-install plugin for Fedora
- Kernel postinst hooks for Debian/Ubuntu
- systemd Boot Loader Interface variables
Security & trust
- Trust-evidence log v1 (JSON lines)
- Secure Boot: firmware DB, shim + MOK, SecurityOverride (Path F)
- TPM measured boot (PCR 4, 5, 12)
- SBAT metadata for generation-based revocation
- Four documented Secure Boot configurations (with honest works-when notes; see security)
What LamBoot is not
Honesty sells. Read this before installing.
- Not a drop-in GRUB replacement for GRUB’s entire feature surface. No Btrfs snapshot menu, no GRUB scripting, no multi-boot exotica.
- Not a Windows-only loader. Primarily Linux; Windows is chainloaded via the ESP as any UEFI loader would.
- Not shim-review-approved yet. v0.9.1 ships with self-signed db keys or requires MOK enrollment. Path D (Microsoft shim-review submission) is the v1.0 trust-baseline expansion.
- Not an enterprise vendor-supported product. Community-supported, dual-licensed open source. Commercial support is a future conversation.
- Not a firmware replacement. It runs on UEFI firmware (EDK II, AMI, Phoenix, Insyde). Not a coreboot alternative.
- Not a rescue shell. No interactive CLI. The GUI picks an entry; diagnostic modules are chainloaded EFI applications.
- Not finished. v0.9.1 ships native /boot reading + native PE loader + native trust chain, closing the long-standing shim 15.8 gap. Path D (Microsoft shim-review submission) is the v1.0 trust-baseline expansion. Public, traceable roadmap, not marketing fiction.
Install today. Contribute next. Read the code on the way to bed.
MIT / Apache-2.0 dual license. ~8,300 lines of Rust across 8 clean layers. Install paths from homelab SB-off to Proxmox zero-touch.