ProductsLamBoot › Install

Install LamBoot

Three paths — homelab, Linux desktop with Secure Boot, or Proxmox zero-touch

PICK A PATH

Which install is right?

Homelab

Secure Boot off. 30-second install.

Jump ↓
Linux desktop

Shim + MOK enrollment. Ubuntu / Debian / Fedora.

Jump ↓
Proxmox zero-touch

Pre-enrolled OVMF_VARS. No MokManager dance.

Jump ↓
HOMELAB / SB OFF

30-second install

Fastest path. Secure Boot is off; every binary runs without verification. Fine for lab, not for production.

lamboot homelab install 
# Download release tarball from GitHub
curl -L -o lamboot.tar.gz \
  https://github.com/lamco-admin/lamboot/releases/download/v0.8.3/lamboot-0.8.3-x86_64.tar.gz
tar xzf lamboot.tar.gz && cd lamboot-0.8.3

# Install
sudo ./lamboot-install

# Reboot and pick "LamBoot" from the firmware boot menu

Trust log still writes to \loader\boot-trust.log with verified_via: sb_disabled entries. GRUB stays in place as a secondary UEFI entry.

LINUX DESKTOP / SHIM + MOK

Secure Boot with MOK enrollment

Standard Linux practice: signed binaries, MOK enrollment via MokManager. Works on Ubuntu, Debian, Fedora.

signed install with MOK 
# Install with signed binaries and MOK enrollment
sudo ./lamboot-install --signed

# You will be prompted to set a MOK enrollment passphrase.
# Reboot; in MokManager (blue screen) → Enroll MOK → Continue
# → enter passphrase → Yes → Reboot.

What the installer does

  • — Deploys the signed LamBoot binary to \EFI\LamBoot\lambootx64-signed.efi
  • — Deploys the distro shim as \EFI\LamBoot\shimx64.efi
  • — Installs the bundled lamboot-signing.der cert for MOK enrollment
  • — Registers a UEFI boot entry that chains shim → LamBoot
  • — Never touches GRUB — it remains a separate boot entry
PROXMOX / ZERO-TOUCH

VM template deployment

Custom OVMF_VARS_lamboot.fd ships with LamBoot’s db cert pre-enrolled. No MokManager dance. Every cloned VM boots LamBoot under Secure Boot from first boot.

on the Proxmox host 
# Apply LamBoot-enrolled OVMF_VARS to a VM
cp lamboot-0.8.3/OVMF_VARS_lamboot.fd /var/lib/vz/images/100/OVMF_VARS_100.fd
inside the VM (first boot into Linux installer) 
sudo ./lamboot-install --signed --no-mok   # cert already in firmware DB

Convert VM to template. All clones boot LamBoot without MokManager. See the Proxmox integration page for the monitoring story on top of this.

UNINSTALL

Removal

Clean uninstall restores the previous default boot entry and removes LamBoot from the ESP.

remove 
sudo lamboot-install --remove
# Restores previous default boot entry, removes \EFI\LamBoot, cleans BLS entries
REFERENCE

lamboot-install flags

Flag Meaning
(default)Unsigned install, SB off path
--signedInstall signed binaries + shim, enroll MOK
--no-shimInstall signed binary directly; assumes firmware DB trusts LamBoot cert (Config 2)
--no-mokSkip MokManager enrollment (for Config 4 Proxmox VMs with pre-enrolled OVMF)
--removeUninstall and restore previous default boot entry
DOWNLOADS

Release artefacts

v0.8.3 release assets come from the public GitHub repo.

Release tarball

lamboot-0.8.3-x86_64.tar.gz
Signing cert

lamboot-signing.der
OVMF_VARS template

OVMF_VARS_lamboot.fd