LamBoot Tools
The Linux UEFI boot toolkit. A shell suite that diagnoses, repairs, and migrates UEFI boot on any Linux system.
One suite that federated, not one that shrank
lamboot-tools is the Linux UEFI boot toolkit from Lamco Development LLC. It is a shell-only suite of command-line tools that diagnose, inventory, back up, repair, and migrate UEFI boot, on any UEFI Linux system. This release, version 0.8.0, changes the architecture: the suite now bundles prebuilt, statically linked binaries of two Rust components that have moved into their own repositories. The product did not get smaller. It federated. The shell tools orchestrate. The Rust components, lamboot-capcheck and lamboot-reader, do the heavy parsing and auditing, and they ship inside the release. Every tool speaks one structured JSON schema, version 1, and every warning-or-above finding comes with a machine-readable remediation command and a documentation URL, so a person or a script can act on it without guessing.
One brand, four products
LamBoot is a family of four products under one brand, all owned by Lamco Development LLC.
| Product | What it is | Version |
|---|---|---|
| lamboot | The memory-safe UEFI bootloader, written in Rust. A separate product. | public v0.15.2 |
| lamboot-tools | This suite. The Linux UEFI boot toolkit. | 0.8.0 |
| lamboot-reader | A Rust GRUB config reader and resolver. Bundled binary. | 0.1.0 |
| lamboot-capcheck | A Rust firmware and platform capability auditor. Bundled binary. | 0.1.0 |
The bootloader stands on its own. The tools work on any UEFI Linux system regardless of which bootloader is installed. The two Rust components ship as compiled binaries inside the lamboot-tools release.
GRUB, systemd-boot, rEFInd, Limine, and LamBoot as peers
lamboot-tools treats every UEFI bootloader as a first-class peer. GRUB, systemd-boot, rEFInd, Limine, and LamBoot are all supported targets. The suite requires bash 4.0 or newer and orchestrates the standard Linux boot utilities: efibootmgr, sgdisk, dosfstools, sbsign, and others. There is no runtime dependency on a specific bootloader. If your system boots through UEFI, these tools work on it.
The nine shell tools
Install lamboot-tools for the core suite. The Proxmox VE companion is covered below.
| Tool | What it does |
|---|---|
| lamboot-diagnose | Read-only scan of the UEFI boot chain across 11 categories, with a remediation command for every finding. |
| lamboot-esp | EFI System Partition health, inventory, stale-file cleanup, and deploy. |
| lamboot-backup | Save, restore, show, and list boot-config snapshots (NVRAM, boot order, Secure Boot state). |
| lamboot-repair | Boot repair, online or against an offline disk, following diagnose, plan, show, confirm, execute, verify. |
| lamboot-migrate | BIOS to UEFI conversion and cross-bootloader migration, with verification and rollback. Optional capability gate via --capcheck-gate. |
| lamboot-doctor | Guided wrapper that chains diagnose to repair, consuming lamboot-capcheck for capability context. |
| lamboot-uki-build | Build, inspect, sign, and verify Unified Kernel Images. |
| lamboot-signing-keys | Secure Boot key lifecycle: generate, rotate, inspect, MOK enroll, and OVMF VARS handling. |
| lamboot-inspect | LamBoot-specific introspection of boot reports and the trust log. Written in Python, mirrored from the bootloader. |
| lamboot-toolkit | The suite dispatcher: status, help, run, version, and verify across all tools. |
Start with lamboot-toolkit status to see what is installed, or <tool> --help for any tool.
Two compiled binaries, shipped inside the release
Two Rust components live in their own private repositories and ship as prebuilt, statically linked binaries inside the lamboot-tools release. Both are built static against musl, so one binary per architecture runs across distributions with different glibc versions (Debian, RHEL 9, openSUSE Leap) with no runtime dependency.
lamboot-capcheck 0.1.0
A vendor-neutral firmware and platform capability auditor. It audits 12 domains of firmware and platform capability and reports them as structured JSON. lamboot-doctor consumes it for capability context, and lamboot-migrate uses it through the optional --capcheck-gate to check a target system before a migration.
x86_64 5.2 MB · aarch64 4.3 MB · static musl, stripped
lamboot-reader 0.1.0
A GRUB config reader and resolver. It answers which entry boots, with what kernel command line, and detects drift between configured and actual boot state. It is a standalone command-line tool.
x86_64 1.1 MB · aarch64 904 KB · static musl
JSON with a fix attached to every finding
Every tool in the suite emits structured JSON on --json, against a stable schema (the output carries schema_version v1). Every finding at warning level or above carries two machine-readable fields: a remediation command you can run, and a documentation URL that explains it. A person reading the terminal sees the fix. A script parsing the JSON gets the same fix as data. This is what makes the suite auditable: the tool tells you what it found, how it verified it, and exactly what to do next.
lamboot-toolkit-pve
For people running Linux in VMs on Proxmox, the lamboot-toolkit-pve subpackage adds host-side fleet tooling on top of the core suite.
| Tool | What it does |
|---|---|
| lamboot-pve-setup | Per-VM LamBoot integration setup on a Proxmox host. |
| lamboot-pve-fleet | Fleet-wide inventory, setup, and reporting across VMs. |
| lamboot-pve-monitor | Host-side reader of guest boot-health state, with nothing running inside the guest. |
| lamboot-pve-ovmf-vars | Build OVMF_VARS.fd with a signing certificate pre-enrolled in db. |
This companion is the bridge between the standalone bootloader and fleet operation. See the LamBoot Proxmox page for how the host reads guest boot health.
Where each part is available today
The full product, including the bundled Rust binaries, ships through these channels:
- GitHub Releases. The signed, full product, including the two bundled binaries. This is the primary channel.
- Fedora COPR. The full product, including an architecture-specific
lamboot-tools-firmwaresubpackage that carries the bundled binaries. - AUR. The full product, for Arch and derivatives.
- A Homebrew tap. The full product, for Linux administrators who manage with Homebrew.
The shell core ships through these curated distribution channels:
- RPM Fusion and Debian carry the shell core, the still-functional shell suite. The Rust components stay in private repositories for now, so these channels deliver the complete shell toolkit on its own.
# GitHub Releases: download, verify, install
tar xzf lamboot-tools-0.8.0.tar.gz && cd lamboot-tools-0.8.0
sudo make install # core suite, bundled binaries, and man pages
sudo make install-pve # optional: Proxmox VE companion
# Fedora COPR
sudo dnf copr enable lamco/lamboot-tools
sudo dnf install lamboot-tools # core shell suite
sudo dnf install lamboot-tools-firmware # the architecture-specific bundled binaries
# AUR (Arch and derivatives)
paru -S lamboot-tools
# Homebrew tap
brew tap lamco-admin/tap && brew install lamboot-tools
Install the core suite, then run the dispatcher to confirm what landed:
lamboot-toolkit status # list installed tools and versions
sudo lamboot-diagnose # full boot-chain scan, 11 categories
sudo lamboot-esp check # ESP health
sudo lamboot-backup save # snapshot boot config before changes
sudo lamboot-doctor # guided diagnose to repair
One umbrella, versioned parts
lamboot-tools uses a hybrid version model. The umbrella version, lamboot-tools 0.8.0, is the release tag, and it bundles per-tool semantic versions plus the versions of the two bundled components, lamboot-capcheck 0.1.0 and lamboot-reader 0.1.0. Each tool reports both its own version and the umbrella version through --version. The structured JSON output carries its own independent schema_version, currently v1, so the data contract can hold steady while individual tools advance.
Ownership and license
All intellectual property in lamboot-tools and its bundled components is owned by Lamco Development LLC. The ownership transfer completed on 2026-06-02. The Rust component source lives in private repositories, and their compiled binaries ship with the release. lamboot-tools is licensed under MIT OR Apache-2.0.
(c) 2025-2026 Lamco Development LLC. All rights reserved.
Get the tools
Related work at LamBoot