Products › LamBoot
v0.8.3 · Secure Boot ReleaseLamBoot
Memory-safe UEFI. Honest Secure Boot.
A memory-safe UEFI bootloader written in Rust. Secure Boot signing, shim + MOK integration, and the industry’s first user-visible trust-evidence log — not just another GRUB replacement.
#![no_std]
|
MIT OR Apache-2.0
A bootloader that tells you why
LamBoot is a memory-safe UEFI bootloader written in Rust, built for Proxmox VM fleets, homelabs, and security-conscious Linux desktops. It talks the same Boot Loader Specification language as systemd-boot, runs Linux via LoadFile2 like a modern loader should, but adds things no mainstream bootloader ships:
- A graphical menu with full mouse support
- An NVRAM-based crash-loop state machine
- Loadable EFI filesystem drivers
- Pre-boot diagnostic modules
- — and most importantly, a JSON trust-evidence log written to the ESP on every boot that documents every image-authentication decision the firmware and bootloader made.
When things go wrong, LamBoot tells you why.
Six capabilities no mainstream bootloader ships
Memory safety is the seventh. These six are what make LamBoot different in kind, not just in language. Full tour on the Innovations page.
Trust-evidence log
Every image-auth decision written to \loader\boot-trust.log as structured JSON. No other mainstream bootloader ships this.
Security page →
NVRAM state, host-readable
Crash-loop state in UEFI NVRAM that the Proxmox host reads from OVMF_VARS — no in-VM agent required.
Proxmox integration →
Rich UKI PE parsing
Menu labels from .osrel, cmdline from .cmdline, sort by .uname, hardware match via .hwids. Not just filenames.
Innovations →
GUI with mouse
Double-buffered GOP renderer, full mouse support via UEFI Simple/Absolute Pointer. Serial fallback. Unique in the Rust bootloader field.
Architecture →
Loadable diagnostic modules
NVMe SMART, memory test, PCI inventory, diag shell — standalone signed EFI apps, chainloadable from the menu. No rescue shell needed.
Module framework →
Companion host CLI toolkit
Five bash CLIs: diagnose, esp, backup, repair, migrate. Online against running systems or offline against stopped VM disks.
Tools reference →
Network management API (HTTP server in the bootloader, first of its kind) is on the v0.9.x roadmap.
Who LamBoot is built for
| Audience | Pain | LamBoot’s answer |
|---|---|---|
| Proxmox VM fleet operators | Dozens of VMs; no visibility when one enters a boot loop. | Host-side monitor reads NVRAM crash state. No in-VM agent. |
| Homelab Linux enthusiasts | GRUB breaks on kernel upgrades; no decent graphical menu. | BLS-native with kernel-install plugin, GUI with mouse, tiny binary. |
| Security-conscious desktop users | Secure Boot works but is a black box — no way to audit. | Trust-evidence log. TPM measurements. Documented threat model. |
| Rust / systems developers | Want to read a bootloader that isn’t 40k lines of 1990s C. | 3,500 lines of idiomatic Rust. Documented unsafe. Clear subsystem map. |
| Audit / compliance teams | Need evidence of which kernel signature verified, and how. | Every boot writes \loader\boot-trust.log. TPM measurements on PCR 4/5/12. |
What the log looks like
A real extract from \loader\boot-trust.log after a normal boot. One JSON object per line. Written fresh every boot (v0.8.3; Path G in v0.9.x makes it append-mode with crypto signatures).
{"seq":0,"event":"boot_start","path":"","size":0,"sha256":"","verified_via":"","status":"","note":"secure_boot=true"}
{"seq":1,"event":"driver_loaded","path":"\\EFI\\LamBoot\\drivers\\ext4_x64.efi","size":0,"sha256":"","verified_via":"shim_mok","status":"Success","note":""}
{"seq":2,"event":"boot_attempt","path":"\\EFI\\Linux\\ubuntu-6.11.efi","size":0,"sha256":"","verified_via":"firmware_db","status":"Success","note":"uki"}
No other mainstream bootloader ships this. GRUB, systemd-boot, rEFInd, even shim itself — none of them expose trust decisions to the OS as structured data. LamBoot makes Secure Boot auditable, not just claimed.
What’s in v0.8.3
Security & trust
- — Trust-evidence log v1 (JSON lines)
- — Secure Boot: firmware DB, shim + MOK, SecurityOverride (Path F)
- — TPM measured boot (PCR 4, 5, 12)
- — SBAT metadata for generation-based revocation
- — Four documented Secure Boot configurations
Boot management
- — BLS Type 1 with UAPI.10 version sort
- — Unified Kernel Images, first-class menu entries
- — Linux boot via LoadFile2 (no legacy handoff)
- — Loadable EFI filesystem drivers (ext4/btrfs/xfs/zfs/…)
- — Windows chainload, diagnostic modules
Reliability & recovery
- — NVRAM crash-loop state machine
- —
systemd-bless-boot-compatible boot counting - — BLS preflight + stale-entry regeneration
- — No-entries recovery screen
Interface
- — Double-buffered GOP renderer (no flicker)
- — Full mouse support — unique among Rust bootloaders
- — Keyboard shortcuts (F1/F2/F12/…)
- — Serial console fallback (headless VMs, SOL)
Platform
- — x86_64 UEFI (~215 KB), aarch64 UEFI (~200 KB)
- — Memory-safe Rust; every
unsafedocumented - — Dual MIT / Apache-2.0 license
Integration
- — Proxmox host-side monitor (
lamboot-monitor.py) - —
kernel-installplugin for Fedora - — Kernel postinst hooks for Debian/Ubuntu
- — systemd Boot Loader Interface variables
What LamBoot is not
Honesty sells. Read this before installing.
- —Not a drop-in GRUB replacement for GRUB’s entire feature surface. No Btrfs snapshot menu, no GRUB scripting, no multi-boot exotica.
- —Not a Windows-only loader. Primarily Linux; Windows is chainloaded via the ESP as any UEFI loader would.
- —Not shim-review-approved yet. v0.8.3 ships with self-signed db keys or requires MOK enrollment. Shim-review submission is on the v1.0 roadmap.
- —Not an enterprise vendor-supported product. Community-supported, dual-licensed open source. Commercial support is a future conversation.
- —Not a firmware replacement. It runs on UEFI firmware (EDK II, AMI, Phoenix, Insyde). Not a coreboot alternative.
- —Not a rescue shell. No interactive CLI. The GUI picks an entry; diagnostic modules are chainloaded EFI applications.
Install in 30 seconds. Audit every boot after that.
Community Edition is free forever. MIT / Apache-2.0 dual license. Start with the homelab flow; graduate to Secure Boot + shim when you’re ready.