Products › lamboot-tools › Workflows
Workflows
End-to-end guides for the three most common lamboot-tools use patterns.
BIOS/CSM to UEFI migration
Convert a legacy BIOS/CSM machine to native UEFI without reinstalling the OS. Estimated time: 15 to 30 minutes.
Before you begin
- Have a bootable rescue medium ready (live USB or PXE).
- Confirm your firmware has UEFI support (most machines since 2011 do).
- Ensure your storage is GPT or has space for conversion. MBR disks are converted to GPT as part of this workflow.
- lamboot-tools 0.9.1 must be installed. x86_64 or aarch64 only.
Step 1: Preflight check
Run the preflight check without making any changes. Review all output before proceeding.
sudo lamboot-migrate preflight
# Exit 0 = ready. Exit 4 = safety check failed; review output.
# Exit 7 = missing prerequisites; install them first.
Step 2: Backup
Create an explicit pre-migration backup. lamboot-migrate creates one automatically, but a named backup makes recovery easier if the machine can't boot.
sudo lamboot-backup save pre-migration
sudo lamboot-backup list # Confirm backup appears
Step 3: Run the migration
sudo lamboot-migrate to-uefi
# The tool will:
# 1. Create an additional backup
# 2. Add an ESP if none exists (or resize if < 512 MB)
# 3. Install the UEFI bootloader
# 4. Register NVRAM boot entries
# 5. Update /etc/fstab if needed
# 6. Print a summary and recommended next step
# Check exit code
rc=$?
case $rc in
0) echo "Migration complete. Reboot when ready." ;;
3) echo "Already UEFI - nothing to do." ;;
4) echo "Safety check refused the migration. Review output." ;;
*) echo "Migration failed ($rc). Do not reboot until resolved." ;;
esac
Step 4: Reboot and verify
# After reboot, verify the system is running in UEFI mode
sudo lamboot-diagnose --json | jq '.summary.status'
# Expect: "pass" or "warn"
# Check firmware mode specifically
sudo lamboot-diagnose --category=nvram
Recovery: if the machine doesn't boot
# Boot from a rescue medium with lamboot-tools installed
# Mount your root filesystem, then:
sudo lamboot-backup list
sudo lamboot-backup restore pre-migration
Diagnose and repair
Find and fix boot environment issues on any machine. The right workflow for routine health checks and targeted problem-solving.
Option A: Interactive guided session (recommended)
lamboot-doctor runs the full diagnostic, groups findings by priority, explains each issue, proposes fixes, and walks you through applying them.
sudo lamboot-doctor run
# Doctor will:
# 1. Run lamboot-diagnose (all categories)
# 2. Group and explain findings by priority
# 3. For each actionable group, propose the right repair tool
# 4. Ask before applying any change
# 5. Re-run diagnose at the end and report the delta
Option B: Manual diagnose-then-repair
Run lamboot-diagnose first, review all findings, then apply targeted repairs.
# 1. Full audit - shows all categories
sudo lamboot-diagnose
# 2. Review findings; focus on error/critical first
sudo lamboot-diagnose --min-severity warning
# 3. Get remediation commands for actionable findings
sudo lamboot-diagnose --json | \
jq -r '.findings[] | select(.severity != "info") | "\(.id): \(.remediation.command)"'
# 4. Backup before applying any repair
sudo lamboot-backup save before-repair
# 5. Apply all safe automated repairs
sudo lamboot-repair run --dry-run # Preview first
sudo lamboot-repair run
# 6. Re-diagnose to confirm
sudo lamboot-diagnose
Option C: Automated pipeline
For CI or unattended hosts, use --auto mode. The exit code drives the pipeline.
sudo lamboot-diagnose --json --fail-on warning > /tmp/diag.json
rc=$?
if [[ $rc -ne 0 ]]; then
sudo lamboot-backup save auto-repair-$(date +%Y%m%d)
sudo lamboot-repair run --auto --yes
# Re-diagnose; fail the pipeline if issues remain
sudo lamboot-diagnose --json --fail-on error
fi
Secure Boot with Unified Kernel Images
Enroll custom Secure Boot keys and build a signed UKI that loads without a shim. Prerequisite: the machine must already be in native UEFI mode.
Who this is for: system administrators who want firmware-verified boot with their own signing key rather than distro keys. Not required for most use cases. Standard Secure Boot with shim and distro keys is a supported configuration that lamboot-diagnose will confirm as healthy.
Step 1: Generate signing keys
sudo lamboot-signing-keys generate \
--org "Acme Corp" \
--cn "Acme Boot Keys 2026"
# Keys are created at /etc/lamboot/keys/
# - platform.key (PK)
# - key-exchange.key (KEK)
# - signature-db.key (db)
# and their corresponding .crt and .cer counterparts
Step 2: Enter Setup Mode and enroll keys
# Check current Secure Boot state
sudo lamboot-diagnose --category secureboot
# lamboot-signing-keys enroll requires Setup Mode
# Enter Setup Mode in firmware settings (clear PK), then:
sudo lamboot-signing-keys enroll
# The tool enrolls PK, KEK, and db in the correct order
# and writes the Secure Boot state after enrollment.
Step 3: Build and sign a UKI
# Build a UKI from the current running kernel
sudo lamboot-uki-build build
# Or specify a kernel version
sudo lamboot-uki-build build --kernel 6.8.12-amd64
# Verify the signature
sudo lamboot-uki-build verify /boot/efi/EFI/Linux/linux-6.8.12.efi
Step 4: Install to ESP and register boot entry
# Install the UKI to the ESP
sudo lamboot-uki-build install
# Verify it appears in NVRAM boot order
sudo lamboot-nvram list
# Final health check
sudo lamboot-diagnose
Step 5: Automate kernel updates
# /etc/kernel/postinst.d/90-lamboot-uki
#!/bin/sh
set -e
VERSION="$1"
sudo lamboot-uki-build build --kernel "$VERSION"
sudo lamboot-uki-build install --kernel "$VERSION"
Place this script in /etc/kernel/postinst.d/ and make it executable. On Debian/Ubuntu, the kernel package calls all hooks in that directory on every kernel install or upgrade, ensuring a signed UKI is installed and registered automatically.