Productslamboot-tools › Quick Start

Quick Start

Install, scan, snapshot, and repair in four commands.

STEP 1

Install from a signed release tarball

lamboot-tools targets x86_64 and aarch64 Linux on UEFI and requires bash 4.0 or newer. Today the toolkit ships through GitHub Releases as a signed .tar.gz with a detached .asc signature. Additional distribution channels are being prepared.
Download and verify
# 1. Download the signed tarball and its detached signature
curl -LO https://github.com/lamco-admin/lamboot-tools/releases/download/v0.9.1/lamboot-tools-0.9.1.tar.gz
curl -LO https://github.com/lamco-admin/lamboot-tools/releases/download/v0.9.1/lamboot-tools-0.9.1.tar.gz.asc

# 2. Verify the SHA-256 checksum (published on the release page)
echo "bf4638eeb44560feeaa6aed802918fdac12bc51f5b94b074c04f128647d882b2  lamboot-tools-0.9.1.tar.gz" | sha256sum -c
# lamboot-tools-0.9.1.tar.gz: OK

# 3. Import the Lamco Development LLC signing key
gpg --recv-keys 405CB1E36258DA1DA406A852A236DDB84E0EC96E

# 4. Verify the detached GPG signature
gpg --verify lamboot-tools-0.9.1.tar.gz.asc lamboot-tools-0.9.1.tar.gz
# gpg: Good signature from "Lamco Development LLC"

# 5. Unpack and install the core suite
tar xzf lamboot-tools-0.9.1.tar.gz
cd lamboot-tools-0.9.1
sudo make install

make install places the shell tools at /usr/bin/, the shared library under /usr/lib/lamboot-tools/, man pages under /usr/share/man/, and the two bundled static-musl binaries (lamboot-capcheck and lamboot-reader) at /usr/bin/. To add the optional Proxmox VE companion (5 tools), run sudo make install-pve.

Confirm the suite is in place and see each tool's version:

Confirm install
$ lamboot-toolkit status
lamboot-tools 0.9.1

  lamboot-diagnose       0.7.3   stable
  lamboot-esp            0.6.1   stable
  lamboot-nvram          0.5.2   stable
  lamboot-backup         0.6.0   stable
  lamboot-repair         0.5.4   stable
  lamboot-migrate        0.4.7   stable
  lamboot-doctor         0.5.0   stable
  lamboot-uki-build      0.4.2   stable
  lamboot-signing-keys   0.4.1   stable
  lamboot-inspect        0.3.0   stable

10 core tools plus the lamboot-toolkit dispatcher (11 total).

Each tool reports both its own version and the umbrella release tag:

Version check
$ lamboot-diagnose --version
lamboot-diagnose 0.7.3 (lamboot-tools 0.9.1)
STEP 2

First scan

lamboot-diagnose is a read-only scan of the UEFI boot chain across 11 categories. It changes nothing, so it is safe to run first on any system.
Full boot-chain scan
$ sudo lamboot-diagnose
lamboot-diagnose 0.7.3 (lamboot-tools 0.9.1)

  Firmware mode          UEFI                                    [ ok ]
  ESP mount              /boot/efi  (vfat, 511 MiB, 38% used)    [ ok ]
  ESP filesystem         clean                                   [ ok ]
  Boot entries           6 present, BootOrder valid              [ ok ]
  Dead boot entries      1 found (Boot0004 -> missing loader)    [ warn ]
  Secure Boot            enabled, db populated                   [ ok ]
  Bootloader             systemd-boot 254                        [ ok ]
  Kernel images          3 installed, all resolvable             [ ok ]
  ...

Summary: 10 categories ok, 1 warning, 0 errors, 0 critical

  [warn] Boot0004 references a loader that no longer exists.
         Remediation: sudo lamboot-nvram clean
         Docs: https://github.com/lamco-admin/lamboot-tools

Exit code: 0

Severity and exit codes

SeverityMeaningExit impact
criticalBooting will failExit 2
errorA capability is brokenExit 2
warningWorks now, but riskyExit 0 (warnings alone do not fail)
infoFine as-isExit 0

For machine-readable output, add --json. Every warning-or-above finding includes a remediation command and a documentation URL:

Machine-readable scan
$ lamboot-diagnose --json | jq '.summary'
{
  "ok": 10,
  "warning": 1,
  "error": 0,
  "critical": 0,
  "exit_code": 0
}

$ lamboot-diagnose --json | jq '.findings[] | select(.severity == "warning")'
{
  "category": "nvram",
  "severity": "warning",
  "message": "Boot0004 references a loader that no longer exists.",
  "remediation": "sudo lamboot-nvram clean",
  "doc_url": "https://github.com/lamco-admin/lamboot-tools"
}
STEP 3

First backup

Snapshot the boot configuration before making any change. lamboot-backup save captures NVRAM, boot order, and Secure Boot state into a single restorable snapshot.
Save a snapshot
$ sudo lamboot-backup save
lamboot-backup 0.6.0 (lamboot-tools 0.9.1)

  Captured boot entries        6
  Captured BootOrder           Boot0001,Boot0002,Boot0000
  Captured Secure Boot state   enabled
  Snapshot                     /var/lib/lamboot-tools/backups/2026-06-23T14-21-08.json

Exit code: 0

List and inspect snapshots, then restore one if a later change needs to be undone:

List, show, and restore
$ sudo lamboot-backup list
  2026-06-23T14-21-08   6 entries   Secure Boot: enabled

$ sudo lamboot-backup show /var/lib/lamboot-tools/backups/2026-06-23T14-21-08.json
# ... displays boot order, entries, Secure Boot posture

$ sudo lamboot-backup restore 2026-06-23T14-21-08
STEP 4

Guided doctor

lamboot-doctor chains the read-only scan, an internal policy step, and the repair actions under a single sudo escalation. It shows the plan and any critical finding requires typed confirmation before it acts.
Guided diagnose to repair
$ sudo lamboot-doctor
lamboot-doctor 0.5.0 (lamboot-tools 0.9.1)

  Step 1  Diagnose            11 categories scanned
  Step 2  Plan                1 fix proposed

  Proposed actions:
    1. Remove dead boot entry Boot0004 (missing loader)

  Apply this plan? [y/N] y

  Step 3  Repair              Boot0004 removed
  Step 4  Verify              BootOrder valid, 0 warnings

Summary: 1 fix applied, system healthy
Exit code: 0

--dry-run

Preview the plan without executing it. Reports what would change with no state modifications.

--auto

Non-interactive automation. Implies --yes. Critical findings still require typed confirmation.

--suggest-next-command

Prints the recommended follow-up command based on the output, for scripting use.