30-second install
Fastest path. Secure Boot is off; every binary runs without verification. Fine for lab, not for production.
```bash
# Download release tarball from GitHub
curl -L -o lamboot.tar.gz \
  https://github.com/lamco-admin/lamboot/releases/download/v0.9.0/lamboot-0.9.0-x86_64.tar.gz
tar xzf lamboot.tar.gz && cd lamboot-0.9.0
# Install
sudo ./lamboot-install
# Reboot and pick "LamBoot" from the firmware boot menu
```
Trust log still writes to \loader\boot-trust.log with verified_via: sb_disabled entries. GRUB stays in place as a secondary UEFI entry.
Secure Boot with MOK enrollment
Standard Linux practice: binaries are signed, shim is deployed in the chain by default, and MOK enrollment is the one-time interactive step. v0.9.0 boots stock distro /boot-on-ext4 end-to-end via the native ext4 reader + native PE loader; UKI on the ESP also works first-class.
```bash
# Install with signed binaries and MOK enrollment
sudo ./lamboot-install --signed
# You will be prompted to set a MOK enrollment passphrase.
# Reboot; in MokManager (blue screen) → Enroll MOK → Continue
# → enter passphrase → Yes → Reboot.
```
What the installer does
- Deploys the signed LamBoot binary to \EFI\LamBoot\lambootx64-signed.efi
- Deploys the distro shim as \EFI\LamBoot\shimx64.efi
- Installs the bundled lamboot-signing.der cert for MOK enrollment
- Registers a UEFI boot entry that chains shim → LamBoot
- Never touches GRUB — it remains a separate boot entry
Pre-enrolled OVMF_VARS for VM templates
Config 4 — Pre-enrolled OVMF_VARS. LamBoot’s db cert is enrolled into firmware at VM-template build time, so the firmware trusts LamBoot without MokManager. Shim is still deployed in the chain (it’s what validates the kernel against the guest’s distro MOK). “Zero-touch” means no interactive MokManager prompt — it does not mean no shim.
v0.9.0 closes the historical shim 15.8 ShimLock-uninstall gap via a native ext4 reader (no UEFI driver required) + native PE loader (bypasses the firmware LoadImage pathway entirely) + native trust chain. Stock distro images on ext4 boot end-to-end under Secure Boot with no UKI workaround required. UKI-based images remain a first-class option.
```bash
# Apply LamBoot-enrolled OVMF_VARS to a VM
cp lamboot-0.9.0/OVMF_VARS_lamboot.fd /var/lib/vz/images/100/OVMF_VARS_100.fd
sudo ./lamboot-install --signed --no-mok
```
Convert the VM to a template. Clones inherit the trust state. See the Proxmox integration page for the host-side monitoring story on top of this.
Removal
Clean uninstall restores the previous default boot entry and removes LamBoot from the ESP.
```bash
sudo lamboot-install --remove
# Restores previous default boot entry, removes \EFI\LamBoot, cleans BLS entries
```
lamboot-install flags
| Flag | Meaning |
|---|---|
| (default) | Unsigned install, SB off path |
| --signed | Install signed binaries + shim, enroll MOK |
| --no-shim | Advanced. Install signed binary directly without shim; requires a firmware-DB-signed kernel (Config 2). Pair with --kernel-firmware-db-signed — installer guardrail refuses otherwise. |
| --no-mok | Skip MokManager enrollment (for Config 4 Proxmox VMs with pre-enrolled OVMF; shim still deployed in the chain by default) |
| --remove | Uninstall and restore previous default boot entry |
Release artefacts
v0.9.0 release assets come from the public GitHub repo. Tarball SHA-256: b7058cc5e58c5406d877cdb2991c75fe20919fef6c6b2b712c259bfaa0b9918d.
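
One way to check the downloaded tarball against the SHA-256 published above before unpacking it. This is an added example, not part of the LamBoot release tooling; the function names are hypothetical, and only the digest and the tarball name come from this page.

```shell
#!/bin/sh
# Added example: refuse to unpack a release tarball unless its SHA-256
# matches a pinned value. The digest is the one published on this page.
LAMBOOT_SHA256="b7058cc5e58c5406d877cdb2991c75fe20919fef6c6b2b712c259bfaa0b9918d"

# sha256_of FILE: print the lowercase hex digest using whichever tool exists.
# Reading from stdin avoids any filename quoting in the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        return 127
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on a malformed digest,
# a missing file, or no hashing tool.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped digest must never count as a match.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# verify_then_extract FILE EXPECTED: unpack only after the digest matches.
verify_then_extract() {
    if verify_sha256 "$1" "$2"; then
        tar xzf "$1"
    else
        echo "refusing to unpack $1: SHA-256 check failed" >&2
        return 1
    fi
}

# Usage, after the curl download step from the 30-second install:
#   verify_then_extract lamboot.tar.gz "$LAMBOOT_SHA256" && cd lamboot-0.9.0
```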