Install from a package channel
LamBoot 0.15.2 installs from three package channels, plus the GitHub release. Installing stages LamBoot under /usr/share/lamboot and does not modify your EFI System Partition. You then deploy it and register the boot entry with sudo lamboot-install (the configurations further down).
Debian / Ubuntu / Proxmox
Arch / Manjaro
Fedora / openSUSE / RHEL
release tarball
Debian, Ubuntu, and Proxmox (apt.lamco.ai)
curl -fsSL https://apt.lamco.ai/key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/lamco.gpg
echo "deb [signed-by=/usr/share/keyrings/lamco.gpg] https://apt.lamco.ai stable main" | \
sudo tee /etc/apt/sources.list.d/lamco.list
sudo apt update && sudo apt install lamboot
Arch and derivatives (AUR)
yay -S lamboot-bin
# or: git clone https://aur.archlinux.org/lamboot-bin.git && cd lamboot-bin && makepkg -si
Fedora, openSUSE, and the RHEL family (OBS)
# Fedora (42 / 43 / 44)
sudo dnf config-manager addrepo --from-repofile=https://download.opensuse.org/repositories/home:/lamco-development:/lamboot/Fedora_44/home:lamco-development:lamboot.repo
sudo dnf install lamboot
# openSUSE Tumbleweed (or openSUSE_Leap_16.0)
sudo zypper ar https://download.opensuse.org/repositories/home:/lamco-development:/lamboot/openSUSE_Tumbleweed/home:lamco-development:lamboot.repo
sudo zypper refresh && sudo zypper install lamboot
# AlmaLinux / Rocky / RHEL (9 or 10)
sudo dnf config-manager addrepo --from-repofile=https://download.opensuse.org/repositories/home:/lamco-development:/lamboot/AlmaLinux_9/home:lamco-development:lamboot.repo
sudo dnf install lamboot
GitHub release tarball
curl -L -o lamboot-0.15.2-x86_64.tar.gz \
https://github.com/lamco-admin/lamboot/releases/download/v0.15.2/lamboot-0.15.2-x86_64.tar.gz
tar xzf lamboot-0.15.2-x86_64.tar.gz && cd lamboot-0.15.2
sudo ./lamboot-install
Download lamboot-0.15.2-x86_64.tar.gz → (signed; verify with the release .asc and .sha256).
After installing from any channel
- Installing stages LamBoot under
/usr/share/lambootand does not modify your EFI System Partition. Deploy it and register the boot entry withsudo lamboot-install. - Under Secure Boot, enroll the signing certificate first:
sudo mokutil --import /usr/share/lamboot/lamboot-signing.der(see the MOK enrollment guide). - Available for x86_64 today. arm64 is in progress.
- Especially relevant for Proxmox hosts, which are Debian-based.
Then deploy it: pick your configuration
Once LamBoot is installed from a channel above, lamboot-install deploys it to the ESP. Pick the configuration that matches your machine.
30-second install
The fastest path. Secure Boot is off, so every binary runs without verification. Good for a lab, not for production.
# Download the release tarball from GitHub
curl -L -o lamboot-0.15.2-x86_64.tar.gz \
https://github.com/lamco-admin/lamboot/releases/download/v0.15.2/lamboot-0.15.2-x86_64.tar.gz
tar xzf lamboot-0.15.2-x86_64.tar.gz && cd lamboot-0.15.2
sudo ./lamboot-install
# Reboot, then pick LamBoot from the firmware boot menu.
The trust log still writes to \loader\boot-trust.log with verified_via: sb_disabled records. GRUB stays in place as a secondary UEFI entry.
Secure Boot with MOK enrollment
Standard Linux practice: signed binaries, shim stays in the chain, and MOK enrollment is the one-time interactive step. v0.15.2 boots stock distro /boot on ext4 end to end through the native ext4 reader and native PE loader. UKI on the ESP also works first-class.
sudo ./lamboot-install --signed
# Reboot into MokManager (blue screen), Enroll MOK,
# enter the passphrase, Continue, reboot.
What the installer does under --signed
- Deploys the signed LamBoot binary.
- Places it at the shim chainload-target name, so the shim chain resolves.
- Stages LamBoot's certificate for MOK enrollment.
- Registers a UEFI boot entry that chains shim into LamBoot. GRUB stays a separate boot entry.
Pre-enrolled OVMF_VARS for VM templates
LamBoot's db cert is enrolled into firmware at VM-template build time, so the firmware trusts LamBoot without MokManager. Shim still rides in the chain (it is what validates the kernel against the guest's distro MOK). Zero-touch means no interactive MokManager prompt. Cloned VMs boot LamBoot under Secure Boot with no enrollment step.
# Apply LamBoot-enrolled OVMF_VARS to the VM
cp lamboot-0.15.2/OVMF_VARS_lamboot.fd /var/lib/vz/images/<vmid>/OVMF_VARS_<vmid>.fd
sudo ./lamboot-install --signed --no-mok
Convert the VM to a template, and clones inherit the trust state. The Proxmox page covers the host-side monitoring story built on top of this.
Removal
A clean uninstall restores the previous default boot entry and removes LamBoot from the ESP.
sudo ./lamboot-install --remove
# Restores the previous default boot entry and cleans LamBoot's BLS entries.
# Add --keep-entries or --keep-logs to preserve those.
lamboot-install flags
Grouped to mirror the live tool. Run --dry-run first to preview the planned actions without writing. The full reference is in the Docs portal.
| Operation selectors | |
| --update | Update an existing install, preserve policy.toml, skip unchanged files. |
| --remove | Remove LamBoot, delete the UEFI entry, disable services. |
| --repair-bls | Force-rebuild ESP BLS entries: re-derive cmdline, overwrite all, prune removed kernels. |
| Target and ESP | |
| --esp PATH | Override ESP auto-detection with an explicit mount point. |
| --root PATH | Operate against a chroot or target root, for distro-installer and installer-time use. NVRAM ops defer to first boot. |
| Boot entry and default selection | |
| --set-default | Make LamBoot first in BootOrder. This is already the install default. |
| --no-make-default | Leave the prior default first, append LamBoot last in BootOrder. |
| --fallback | Also install at the removable-media path. Auto-enabled under --root. |
| --replace | Replace an existing bootloader (backup, then make default). |
| Secure Boot | |
| --signed | Deploy the pre-signed binary. Required for Secure Boot. |
| --no-mok | Skip the MOK-enrollment prompt (Config 4, pre-enrolled OVMF). Shim is still deployed. |
| --no-shim | Advanced. Skip the shim chain. Requires a firmware-DB-signed kernel. Pair with --kernel-firmware-db-signed. |
| Filesystem drivers | |
| --with-drivers | Install every applicable legacy UEFI FS driver. By default a driver is installed only for a /boot filesystem LamBoot does not natively cover. |
| --with-modules | Install the diagnostic modules under EFI/LamBoot/modules/. |
| Removal modifiers | |
| --keep-entries | With --remove, keep the generated BLS entries. |
| --keep-logs | With --remove, keep the forensic data under reports/. |
| Proxmox VE host modes | |
| --proxmox-host | Coexist install: LamBoot rides alongside Proxmox shim and GRUB via a chainload menu entry. GRUB stays default. |
| --replace-grub | Add BLS generation and cmdline derivation from the GRUB config. Implies --proxmox-host. |
| Installer protocol v1 (for distro installers) | |
| --capabilities | Print the capability JSON (filesystems, signing modes, SB, flags, exit codes) and exit. |
| --protocol-version | Print the protocol version integer and exit. |
| --json | Emit structured JSON events on stdout instead of human text. |
| --no-prompt | Non-interactive: never prompt, exit with a documented code where input would be required. |
| Output and safety | |
| --dry-run | Show what would happen without doing it. |
| --version | Print lamboot-install <version> and exit. |
| --help, -h | Print usage and exit. |
Release artefacts (v0.15.2)
The v0.15.2 release ships lamboot-0.15.2-x86_64.tar.gz with a .sha256 checksum and a .asc GPG signature. This is the first GPG-signed release. aarch64 UEFI is a supported target, built from source from the same tree.
Tarball SHA-256: b628146bf0b7f1f1f2ba5d1b0d2f73e3e0d2c0c6dc278f5635b01c8dfb22ad45
Verify with the Lamco release key, fingerprint CA11F781516743D5D9A1A12F17B95B68A50CD3A7:
gpg --verify lamboot-0.15.2-x86_64.tar.gz.asc lamboot-0.15.2-x86_64.tar.gz
sha256sum -c lamboot-0.15.2-x86_64.tar.gz.sha256