sprout: version 0.0.19

.github/workflows/publish.yml

@@ -27,6 +27,8 @@ jobs:
     name: artifacts
     permissions:
       contents: write # Needed to upload artifacts.
+      id-token: write # Needed for attestation.
+      attestations: write # Needed for attestations.
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
@@ -46,14 +48,28 @@ jobs:
     - name: 'assemble artifacts'
       run: ./hack/assemble.sh
 
-    - name: 'upload sprout-x86_64.efi artifact'
+    - name: 'upload sprout-x86_64.efi.zip artifact'
+      id: upload-sprout-x86_64-efi
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
-        name: sprout-x86_64.efi
+        name: sprout-x86_64.efi.zip
         path: target/assemble/sprout-x86_64.efi
 
-    - name: 'upload sprout-aarch64.efi artifact'
+    - name: 'upload sprout-aarch64.efi.zip artifact'
+      id: upload-sprout-aarch64-efi
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
-        name: sprout-aarch64.efi
+        name: sprout-aarch64.efi.zip
         path: target/assemble/sprout-aarch64.efi
+
+    - name: 'attest sprout-x86_64.efi.zip artifact'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-name: sprout-x86_64.efi.zip
+        subject-digest: "sha256:${{ steps.upload-sprout-x86_64-efi.outputs.artifact-digest }}"
+
+    - name: 'attest sprout-aarch64.efi.zip artifact'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-name: sprout-aarch64.efi.zip
+        subject-digest: "sha256:${{ steps.upload-sprout-aarch64-efi.outputs.artifact-digest }}"

.github/workflows/release.yml

@@ -20,6 +20,8 @@ jobs:
     name: release
     permissions:
       contents: write # Needed to upload release assets.
+      id-token: write # Needed for attestation.
+      attestations: write # Needed for attestations.
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
@@ -39,6 +41,16 @@ jobs:
     - name: 'assemble artifacts'
       run: ./hack/assemble.sh
 
+    - name: 'attest sprout-x86_64.efi artifact'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: target/assemble/sprout-x86_64.efi
+
+    - name: 'attest sprout-aarch64.efi artifact'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: target/assemble/sprout-aarch64.efi
+
     - name: 'generate cultivator token'
       uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a # v3.0.0-beta.2
       id: generate-token

Cargo.lock

@@ -2,35 +2,12 @@
 # It is not intended for manual editing.
 version = 4
 
-[[package]]
-name = "adler2"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
-
 [[package]]
 name = "anyhow"
 version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
 
-[[package]]
-name = "async-trait"
-version = "0.1.89"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "autocfg"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
-
 [[package]]
 name = "bit_field"
 version = "0.10.3"
@@ -52,24 +29,6 @@ dependencies = [
  "generic-array",
 ]
 
-[[package]]
-name = "bytemuck"
-version = "1.24.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fbdf580320f38b612e485521afda1ee26d10cc9884efaaa750d383e13e3c5f4"
-
-[[package]]
-name = "byteorder-lite"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f1fe948ff07f4bd06c30984e69f5b4899c516a3ef74f34df92a2df2ab535495"
-
-[[package]]
-name = "bytes"
-version = "1.10.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
-
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
@@ -85,15 +44,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "crc32fast"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
-dependencies = [
- "cfg-if",
-]
-
 [[package]]
 name = "crypto-common"
 version = "0.1.6"
@@ -116,44 +66,32 @@ dependencies = [
 
 [[package]]
 name = "edera-sprout"
-version = "0.0.17"
+version = "0.0.19"
 dependencies = [
  "anyhow",
  "bitflags",
- "image",
+ "edera-sprout-config",
+ "hex",
  "log",
- "serde",
+ "sha2",
- "sha256",
  "toml",
  "uefi",
  "uefi-raw",
 ]
 
+[[package]]
+name = "edera-sprout-config"
+version = "0.0.19"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "equivalent"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
 
-[[package]]
-name = "fdeflate"
-version = "0.3.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
-dependencies = [
- "simd-adler32",
-]
-
-[[package]]
-name = "flate2"
-version = "1.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfe33edd8e85a12a67454e37f8c75e730830d83e313556ab9ebf9ee7fbeb3bfb"
-dependencies = [
- "crc32fast",
- "miniz_oxide",
-]
-
 [[package]]
 name = "generic-array"
 version = "0.14.9"
@@ -176,19 +114,6 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
-[[package]]
-name = "image"
-version = "0.25.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "529feb3e6769d234375c4cf1ee2ce713682b8e76538cb13f9fc23e1400a591e7"
-dependencies = [
- "bytemuck",
- "byteorder-lite",
- "moxcms",
- "num-traits",
- "png",
-]
-
 [[package]]
 name = "indexmap"
 version = "2.12.0"
@@ -211,47 +136,6 @@ version = "0.4.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
 
-[[package]]
-name = "miniz_oxide"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
-dependencies = [
- "adler2",
- "simd-adler32",
-]
-
-[[package]]
-name = "moxcms"
-version = "0.7.6"
-source = "git+https://github.com/edera-dev/sprout-patched-deps.git?rev=2c4fcc84b50d40c28f540d4271109ea0ca7e1268#2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-dependencies = [
- "num-traits",
- "pxfm",
-]
-
-[[package]]
-name = "num-traits"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-dependencies = [
- "autocfg",
-]
-
-[[package]]
-name = "png"
-version = "0.18.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97baced388464909d42d89643fe4361939af9b7ce7a31ee32a168f832a70f2a0"
-dependencies = [
- "bitflags",
- "crc32fast",
- "fdeflate",
- "flate2",
- "miniz_oxide",
-]
-
 [[package]]
 name = "proc-macro2"
 version = "1.0.103"
@@ -281,15 +165,6 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "pxfm"
-version = "0.1.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3cbdf373972bf78df4d3b518d07003938e2c7d1fb5891e55f9cb6df57009d84"
-dependencies = [
- "num-traits",
-]
-
 [[package]]
 name = "quote"
 version = "1.0.41"
@@ -349,23 +224,6 @@ dependencies = [
  "digest",
 ]
 
-[[package]]
-name = "sha256"
-version = "1.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f880fc8562bdeb709793f00eb42a2ad0e672c4f883bbe59122b926eca935c8f6"
-dependencies = [
- "async-trait",
- "bytes",
- "hex",
- "sha2",
-]
-
-[[package]]
-name = "simd-adler32"
-version = "0.3.7"
-source = "git+https://github.com/edera-dev/sprout-patched-deps.git?rev=2c4fcc84b50d40c28f540d4271109ea0ca7e1268#2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
 [[package]]
 name = "syn"
 version = "2.0.108"
@@ -476,9 +334,9 @@ checksum = "0c8352f8c05e47892e7eaf13b34abd76a7f4aeaf817b716e88789381927f199c"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.20"
+version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "462eeb75aeb73aea900253ce739c8e18a67423fadf006037cd3ff27e82748a06"
+checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
 
 [[package]]
 name = "version_check"

Cargo.toml

@@ -1,46 +1,32 @@
-[package]
+[workspace]
-name = "edera-sprout"
+members = [
-description = "Modern UEFI bootloader"
+  "crates/config",
+  "crates/sprout",
+]
+resolver = "3"
+
+[workspace.package]
 license = "Apache-2.0"
-version = "0.0.17"
+version = "0.0.19"
 homepage = "https://sprout.edera.dev"
 repository = "https://github.com/edera-dev/sprout"
 edition = "2024"
 
-[dependencies]
+[workspace.dependencies]
 anyhow = "1.0.100"
 bitflags = "2.10.0"
-toml = "0.9.8"
+hex = "0.4.3"
 log = "0.4.28"
+serde = "1.0.228"
+sha2 = "0.10.9"
+toml = "0.9.8"
+uefi = "0.36.0"
+uefi-raw = "0.12.0"
 
-[dependencies.image]
+# Common build profiles
-version = "0.25.8"
+# NOTE: We have to compile everything for opt-level = 2 due to optimization passes
-default-features = false
-features = ["png"]
-optional = true
-
-[dependencies.serde]
-version = "1.0.228"
-features = ["derive"]
-
-[dependencies.sha256]
-version = "1.6.0"
-default-features = false
-
-[dependencies.uefi]
-version = "0.36.0"
-features = ["alloc", "logger"]
-
-[dependencies.uefi-raw]
-version = "0.12.0"
-
-[features]
-default = ["splash"]
-splash = ["dep:image"]
-
-[profile.dev]
-# We have to compile for opt-level = 2 due to optimization passes
 # which don't handle the UEFI target properly.
+[profile.dev]
 opt-level = 2
 
 [profile.release]
@@ -57,15 +43,3 @@ inherits = "dev"
 strip = "debuginfo"
 debug = 0
 opt-level = 2
-
-[patch.crates-io.simd-adler32]
-git = "https://github.com/edera-dev/sprout-patched-deps.git"
-rev = "2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
-[patch.crates-io.moxcms]
-git = "https://github.com/edera-dev/sprout-patched-deps.git"
-rev = "2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
-[[bin]]
-name = "sprout"
-path = "src/main.rs"

README.md

@@ -18,6 +18,9 @@ existing UEFI bootloader or booted by the hardware directly.
 
 Sprout is licensed under Apache 2.0 and is open to modifications and contributions.
 
+**NOTE**: Sprout is still in beta. Some features may not work as expected.
+Please [report any bugs you find](https://github.com/edera-dev/sprout/issues/new/choose).
+
 ## Background
 
 At [Edera] we make compute isolation technology for a wide variety of environments, often ones we do not fully control.
@@ -37,10 +40,22 @@ simplify installation and usage.
 
 ## Documentation
 
-- [Fedora Setup Guide]
+### Setup Guides
-- [Generic Linux Setup Guide]
+
-- [Alpine Edge Setup Guide]
+Some guides support Secure Boot and some do not.
-- [Windows Setup Guide]
+We recommend running Sprout without Secure Boot for development, and with Secure Boot for production.
+
+| Operating System | Secure Boot Enabled | Link                                                  |
+|------------------|---------------------|-------------------------------------------------------|
+| Ubuntu           | ✅                   | [Setup Guide](./docs/setup/signed/ubuntu.md)          |
+| Debian           | ✅                   | [Setup Guide](./docs/setup/signed/debian.md)          |
+| Fedora           | ❌                   | [Setup Guide](./docs/setup/unsigned/fedora.md)        |
+| Alpine Edge      | ❌                   | [Setup Guide](./docs/setup/unsigned/alpine-edge.md)   |
+| Generic Linux    | ❌                   | [Setup Guide](./docs/setup/unsigned/generic-linux.md) |
+| Windows          | ❌                   | [Setup Guide](./docs/setup/unsigned/windows.md)       |
+
+### Project Documentation
+
 - [Development Guide]
 - [Contributing Guide]
 - [Sprout License]
@@ -49,8 +64,6 @@ simplify installation and usage.
 
 ## Features
 
-**NOTE**: Sprout is still in beta.
-
 ### Current
 
 - [x] Loadable driver support
@@ -61,12 +74,12 @@ simplify installation and usage.
 - [x] Load Linux initrd from disk
 - [x] Basic boot menu
 - [x] BLS autoconfiguration support
-- [x] [Secure Boot support](https://github.com/edera-dev/sprout/issues/20): partial
+- [x] [Secure Boot support](https://github.com/edera-dev/sprout/issues/20): beta
+- [x] [Bootloader interface support](https://github.com/edera-dev/sprout/issues/21): beta
+- [x] [BLS specification conformance](https://github.com/edera-dev/sprout/issues/2): beta
 
 ### Roadmap
 
-- [ ] [Bootloader interface support](https://github.com/edera-dev/sprout/issues/21)
-- [ ] [BLS specification conformance](https://github.com/edera-dev/sprout/issues/2)
 - [ ] [Full-featured boot menu](https://github.com/edera-dev/sprout/issues/1)
 - [ ] [UKI support](https://github.com/edera-dev/sprout/issues/6): partial
 - [ ] [multiboot2 support](https://github.com/edera-dev/sprout/issues/7)
@@ -147,10 +160,6 @@ autoconfigure = true
 ```
 
 [Edera]: https://edera.dev
-[Fedora Setup Guide]: ./docs/fedora-setup.md
-[Generic Linux Setup Guide]: ./docs/generic-linux-setup.md
-[Alpine Edge Setup Guide]: ./docs/alpine-edge-setup.md
-[Windows Setup Guide]: ./docs/windows-setup.md
 [Development Guide]: ./DEVELOPMENT.md
 [Contributing Guide]: ./CONTRIBUTING.md
 [Sprout License]: ./LICENSE

crates/config/Cargo.toml

@@ -0,0 +1,15 @@
+[package]
+name = "edera-sprout-config"
+description = "Sprout Configuration"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies.serde]
+workspace = true
+features = ["derive"]
+
+[lib]
+name = "edera_sprout_config"

crates/config/src/actions.rs

@@ -0,0 +1,32 @@
+use serde::{Deserialize, Serialize};
+
+/// Configuration for the chainload action.
+pub mod chainload;
+
+/// Configuration for the edera action.
+pub mod edera;
+
+/// Configuration for the print action.
+pub mod print;
+
+/// Declares an action that sprout can execute.
+/// Actions allow configuring sprout's internal runtime mechanisms with values
+/// that you can specify via other concepts.
+///
+/// Actions are the main work that Sprout gets done, like booting Linux.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ActionDeclaration {
+    /// Chainload to another EFI application.
+    /// This allows you to load any EFI application, either to boot an operating system
+    /// or to perform more EFI actions and return to sprout.
+    #[serde(default)]
+    pub chainload: Option<chainload::ChainloadConfiguration>,
+    /// Print a string to the EFI console.
+    #[serde(default)]
+    pub print: Option<print::PrintConfiguration>,
+    /// Boot the Edera hypervisor and the root operating system.
+    /// This action is an extension on top of the Xen EFI stub that
+    /// is specific to Edera.
+    #[serde(default, rename = "edera")]
+    pub edera: Option<edera::EderaConfiguration>,
+}

crates/config/src/actions/chainload.rs

@@ -0,0 +1,19 @@
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the chainload action.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ChainloadConfiguration {
+    /// The path to the image to chainload.
+    /// This can be a Linux EFI stub (vmlinuz usually) or a standard EFI executable.
+    pub path: String,
+    /// The options to pass to the image.
+    /// The options are concatenated by a space and then passed to the EFI application.
+    #[serde(default)]
+    pub options: Vec<String>,
+    /// An optional path to a Linux initrd.
+    /// This uses the [LINUX_EFI_INITRD_MEDIA_GUID] mechanism to load the initrd into the EFI stack.
+    /// For Linux, you can also use initrd=\path\to\initrd as an option, but this option is
+    /// generally better and safer as it can support additional load options in the future.
+    #[serde(default, rename = "linux-initrd")]
+    pub linux_initrd: Option<String>,
+}

crates/config/src/actions/edera.rs

@@ -0,0 +1,21 @@
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the edera action which boots the Edera hypervisor.
+/// Edera is based on Xen but modified significantly with a Rust stack.
+/// Sprout is a component of the Edera stack and provides the boot functionality of Xen.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct EderaConfiguration {
+    /// The path to the Xen hypervisor EFI image.
+    pub xen: String,
+    /// The path to the kernel to boot for dom0.
+    pub kernel: String,
+    /// The path to the initrd to load for dom0.
+    #[serde(default)]
+    pub initrd: Option<String>,
+    /// The options to pass to the kernel.
+    #[serde(default, rename = "kernel-options")]
+    pub kernel_options: Vec<String>,
+    /// The options to pass to the Xen hypervisor.
+    #[serde(default, rename = "xen-options")]
+    pub xen_options: Vec<String>,
+}

crates/config/src/actions/print.rs

@@ -0,0 +1,9 @@
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the print action.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct PrintConfiguration {
+    /// The text to print to the console.
+    #[serde(default)]
+    pub text: String,
+}

crates/config/src/drivers.rs

@@ -0,0 +1,12 @@
+use serde::{Deserialize, Serialize};
+
+/// Declares a driver configuration.
+/// Drivers allow extending the functionality of Sprout.
+/// Drivers are loaded at runtime and can provide extra functionality like filesystem support.
+/// Drivers are loaded by their name, which is used to reference them in other concepts.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct DriverDeclaration {
+    /// The filesystem path to the driver.
+    /// This file should be an EFI executable that can be located and executed.
+    pub path: String,
+}

crates/config/src/entries.rs

@@ -0,0 +1,19 @@
+use serde::{Deserialize, Serialize};
+use std::collections::BTreeMap;
+
+/// Declares a boot entry to display in the boot menu.
+///
+/// Entries are the user-facing concept of Sprout, making it possible
+/// to run a set of actions with a specific context.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct EntryDeclaration {
+    /// The title of the entry which will be display in the boot menu.
+    /// This is the pre-stamped value.
+    pub title: String,
+    /// The actions to run when the entry is selected.
+    #[serde(default)]
+    pub actions: Vec<String>,
+    /// The values to insert into the context when the entry is selected.
+    #[serde(default)]
+    pub values: BTreeMap<String, String>,
+}

crates/config/src/extractors.rs

@@ -1,10 +1,7 @@
-use crate::context::SproutContext;
 use crate::extractors::filesystem_device_match::FilesystemDeviceMatchExtractor;
-use anyhow::{Result, bail};
 use serde::{Deserialize, Serialize};
-use std::rc::Rc;
 
-/// The filesystem device match extractor.
+/// Configuration for the filesystem-device-match extractor.
 pub mod filesystem_device_match;
 
 /// Declares an extractor configuration.
@@ -19,14 +16,3 @@ pub struct ExtractorDeclaration {
     #[serde(default, rename = "filesystem-device-match")]
     pub filesystem_device_match: Option<FilesystemDeviceMatchExtractor>,
 }
-
-/// Extracts the value using the specified `extractor` under the provided `context`.
-/// The extractor must return a value, and if a value cannot be determined, an error
-/// should be returned.
-pub fn extract(context: Rc<SproutContext>, extractor: &ExtractorDeclaration) -> Result<String> {
-    if let Some(filesystem) = &extractor.filesystem_device_match {
-        filesystem_device_match::extract(context, filesystem)
-    } else {
-        bail!("unknown extractor configuration");
-    }
-}

crates/config/src/extractors/filesystem_device_match.rs

@@ -0,0 +1,29 @@
+use serde::{Deserialize, Serialize};
+
+/// The filesystem device match extractor.
+/// This extractor finds a filesystem using some search criteria and returns
+/// the device root path that can concatenated with subpaths to access files
+/// on a particular filesystem.
+/// The fallback value can be used to provide a value if no match is found.
+///
+/// This extractor requires all the criteria to match. If no criteria is provided,
+/// an error is returned.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct FilesystemDeviceMatchExtractor {
+    /// Matches a filesystem that has the specified label.
+    #[serde(default, rename = "has-label")]
+    pub has_label: Option<String>,
+    /// Matches a filesystem that has the specified item.
+    /// An item is either a directory or file.
+    #[serde(default, rename = "has-item")]
+    pub has_item: Option<String>,
+    /// Matches a filesystem that has the specified partition UUID.
+    #[serde(default, rename = "has-partition-uuid")]
+    pub has_partition_uuid: Option<String>,
+    /// Matches a filesystem that has the specified partition type UUID.
+    #[serde(default, rename = "has-partition-type-uuid")]
+    pub has_partition_type_uuid: Option<String>,
+    /// The fallback value to use if no filesystem matches the criteria.
+    #[serde(default)]
+    pub fallback: Option<String>,
+}

crates/config/src/generators.rs

@@ -1,15 +1,15 @@
-use crate::context::SproutContext;
-use crate::entries::BootableEntry;
 use crate::generators::bls::BlsConfiguration;
 use crate::generators::list::ListConfiguration;
 use crate::generators::matrix::MatrixConfiguration;
-use anyhow::Result;
-use anyhow::bail;
 use serde::{Deserialize, Serialize};
-use std::rc::Rc;
 
+/// Configuration for the BLS generator.
 pub mod bls;
+
+/// Configuration for the list generator.
 pub mod list;
+
+/// Configuration for the matrix generator.
 pub mod matrix;
 
 /// Declares a generator configuration.
@@ -38,21 +38,3 @@ pub struct GeneratorDeclaration {
     /// Allows you to specify a list of values to generate an entry from.
     pub list: Option<ListConfiguration>,
 }
-
-/// Runs the generator specified by the `generator` option.
-/// It uses the specified `context` as the parent context for
-/// the generated entries, injecting more values if needed.
-pub fn generate(
-    context: Rc<SproutContext>,
-    generator: &GeneratorDeclaration,
-) -> Result<Vec<BootableEntry>> {
-    if let Some(matrix) = &generator.matrix {
-        matrix::generate(context, matrix)
-    } else if let Some(bls) = &generator.bls {
-        bls::generate(context, bls)
-    } else if let Some(list) = &generator.list {
-        list::generate(context, list)
-    } else {
-        bail!("unknown generator configuration");
-    }
-}

crates/config/src/generators/bls.rs

@@ -0,0 +1,21 @@
+use crate::entries::EntryDeclaration;
+use serde::{Deserialize, Serialize};
+
+/// The default path to the BLS directory.
+const BLS_TEMPLATE_PATH: &str = "\\loader";
+
+/// The configuration of the BLS generator.
+/// The BLS uses the Bootloader Specification to produce
+/// entries from an input template.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct BlsConfiguration {
+    /// The entry to use for as a template.
+    pub entry: EntryDeclaration,
+    /// The path to the BLS directory.
+    #[serde(default = "default_bls_path")]
+    pub path: String,
+}
+
+fn default_bls_path() -> String {
+    BLS_TEMPLATE_PATH.to_string()
+}

crates/config/src/generators/list.rs

@@ -0,0 +1,16 @@
+use crate::entries::EntryDeclaration;
+use serde::{Deserialize, Serialize};
+use std::collections::BTreeMap;
+
+/// List generator configuration.
+/// The list generator produces multiple entries based
+/// on a set of input maps.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ListConfiguration {
+    /// The template entry to use for each generated entry.
+    #[serde(default)]
+    pub entry: EntryDeclaration,
+    /// The values to use as the input for the matrix.
+    #[serde(default)]
+    pub values: Vec<BTreeMap<String, String>>,
+}

crates/config/src/generators/matrix.rs

@@ -0,0 +1,16 @@
+use crate::entries::EntryDeclaration;
+use serde::{Deserialize, Serialize};
+use std::collections::BTreeMap;
+
+/// Matrix generator configuration.
+/// The matrix generator produces multiple entries based
+/// on input values multiplicatively.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct MatrixConfiguration {
+    /// The template entry to use for each generated entry.
+    #[serde(default)]
+    pub entry: EntryDeclaration,
+    /// The values to use as the input for the matrix.
+    #[serde(default)]
+    pub values: BTreeMap<String, Vec<String>>,
+}

crates/config/src/lib.rs

@@ -1,3 +1,6 @@
+//! Sprout configuration descriptions.
+//! This crate provides all the configuration structures for Sprout.
+
 use crate::actions::ActionDeclaration;
 use crate::drivers::DriverDeclaration;
 use crate::entries::EntryDeclaration;
@@ -7,8 +10,12 @@ use crate::phases::PhasesConfiguration;
 use serde::{Deserialize, Serialize};
 use std::collections::BTreeMap;
 
-/// The configuration loader mechanisms.
+pub mod actions;
-pub mod loader;
+pub mod drivers;
+pub mod entries;
+pub mod extractors;
+pub mod generators;
+pub mod phases;
 
 /// This is the latest version of the sprout configuration format.
 /// This must be incremented when the configuration breaks compatibility.
@@ -80,7 +87,8 @@ pub struct OptionsConfiguration {
     pub autoconfigure: bool,
 }
 
-fn latest_version() -> u32 {
+/// Get the latest version of the Sprout configuration format.
+pub fn latest_version() -> u32 {
     LATEST_VERSION
 }
 

crates/config/src/phases.rs

@@ -1,9 +1,5 @@
-use crate::actions;
-use crate::context::SproutContext;
-use anyhow::{Context, Result};
 use serde::{Deserialize, Serialize};
 use std::collections::BTreeMap;
-use std::rc::Rc;
 
 /// Configures the various phases of the boot process.
 /// This allows hooking various phases to run actions.
@@ -32,23 +28,3 @@ pub struct PhaseConfiguration {
     #[serde(default)]
     pub values: BTreeMap<String, String>,
 }
-
-/// Executes the specified [phase] of the boot process.
-/// The value [phase] should be a reference of a specific phase in the [PhasesConfiguration].
-/// Any error from the actions is propagated into the [Result] and will interrupt further
-/// execution of phase actions.
-pub fn phase(context: Rc<SproutContext>, phase: &[PhaseConfiguration]) -> Result<()> {
-    for item in phase {
-        let mut context = context.fork();
-        // Insert the values into the context.
-        context.insert(&item.values);
-        let context = context.freeze();
-
-        // Execute all the actions in this phase configuration.
-        for action in item.actions.iter() {
-            actions::execute(context.clone(), action)
-                .context(format!("unable to execute action '{}'", action))?;
-        }
-    }
-    Ok(())
-}

crates/sprout/Cargo.toml

@@ -0,0 +1,28 @@
+[package]
+name = "edera-sprout"
+description = "Modern UEFI bootloader"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+bitflags.workspace = true
+edera-sprout-config.path = "../config"
+hex.workspace = true
+sha2.workspace = true
+toml.workspace = true
+log.workspace = true
+
+[dependencies.uefi]
+workspace = true
+features = ["alloc", "logger"]
+
+[dependencies.uefi-raw]
+workspace = true
+
+[[bin]]
+name = "sprout"
+path = "src/main.rs"

crates/sprout/README.md

@@ -0,0 +1,3 @@
+# Sprout Bootloader
+
+The main bootable crate of the Sprout bootloader.

crates/sprout/src/actions.rs

@@ -1,6 +1,5 @@
 use crate::context::SproutContext;
 use anyhow::{Context, Result, bail};
-use serde::{Deserialize, Serialize};
 use std::rc::Rc;
 
 /// EFI chainloader action.
@@ -10,36 +9,6 @@ pub mod edera;
 /// EFI console print action.
 pub mod print;
 
-/// Splash screen action.
-#[cfg(feature = "splash")]
-pub mod splash;
-
-/// Declares an action that sprout can execute.
-/// Actions allow configuring sprout's internal runtime mechanisms with values
-/// that you can specify via other concepts.
-///
-/// Actions are the main work that Sprout gets done, like booting Linux.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct ActionDeclaration {
-    /// Chainload to another EFI application.
-    /// This allows you to load any EFI application, either to boot an operating system
-    /// or to perform more EFI actions and return to sprout.
-    #[serde(default)]
-    pub chainload: Option<chainload::ChainloadConfiguration>,
-    /// Print a string to the EFI console.
-    #[serde(default)]
-    pub print: Option<print::PrintConfiguration>,
-    /// Show an image as a fullscreen splash screen.
-    #[serde(default)]
-    #[cfg(feature = "splash")]
-    pub splash: Option<splash::SplashConfiguration>,
-    /// Boot the Edera hypervisor and the root operating system.
-    /// This action is an extension on top of the Xen EFI stub that
-    /// is specific to Edera.
-    #[serde(default, rename = "edera")]
-    pub edera: Option<edera::EderaConfiguration>,
-}
-
 /// Execute the action specified by `name` which should be stored in the
 /// root context of the provided `context`. This function may not return
 /// if the provided action executes an operating system or an EFI application
@@ -67,12 +36,6 @@ pub fn execute(context: Rc<SproutContext>, name: impl AsRef<str>) -> Result<()>
         return Ok(());
     }
 
-    #[cfg(feature = "splash")]
-    if let Some(splash) = &action.splash {
-        splash::splash(context.clone(), splash)?;
-        return Ok(());
-    }
-
     // If we reach here, we don't know how to execute the action that was configured.
     // This is likely unreachable, but we should still return an error just in case.
     bail!("unknown action configuration");

crates/sprout/src/actions/chainload.rs

@@ -5,30 +5,12 @@ use crate::utils;
 use crate::utils::media_loader::MediaLoaderHandle;
 use crate::utils::media_loader::constants::linux::LINUX_EFI_INITRD_MEDIA_GUID;
 use anyhow::{Context, Result, bail};
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
 use log::error;
-use serde::{Deserialize, Serialize};
 use std::rc::Rc;
 use uefi::CString16;
 use uefi::proto::loaded_image::LoadedImage;
 
-/// The configuration of the chainload action.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct ChainloadConfiguration {
-    /// The path to the image to chainload.
-    /// This can be a Linux EFI stub (vmlinuz usually) or a standard EFI executable.
-    pub path: String,
-    /// The options to pass to the image.
-    /// The options are concatenated by a space and then passed to the EFI application.
-    #[serde(default)]
-    pub options: Vec<String>,
-    /// An optional path to a Linux initrd.
-    /// This uses the [LINUX_EFI_INITRD_MEDIA_GUID] mechanism to load the initrd into the EFI stack.
-    /// For Linux, you can also use initrd=\path\to\initrd as an option, but this option is
-    /// generally better and safer as it can support additional load options in the future.
-    #[serde(default, rename = "linux-initrd")]
-    pub linux_initrd: Option<String>,
-}
-
 /// Executes the chainload action using the specified `configuration` inside the provided `context`.
 pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfiguration) -> Result<()> {
     // Retrieve the current image handle of sprout.
@@ -53,30 +35,25 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
     let options =
         utils::combine_options(configuration.options.iter().map(|item| context.stamp(item)));
 
-    // Pass the options to the image, if any are provided.
+    // Pass the load options to the image.
-    // The holder must drop at the end of this function to ensure the options are not leaked,
+    // If no options are provided, the resulting string will be empty.
-    // and the holder here ensures it outlives the if block here, as a pointer has to be
+    // The options are pinned and boxed to ensure that they are valid for the lifetime of this
-    // passed to the image.
+    // function, which ensures the lifetime of the options for the image runtime.
-    // SAFETY: The options outlive the usage of the image, and the image is not used after this.
+    let options = Box::pin(
-    let mut options_holder: Option<Box<CString16>> = None;
+        CString16::try_from(&options[..])
-    if !options.is_empty() {
+            .context("unable to convert chainloader options to CString16")?,
-        let options = Box::new(
+    );
-            CString16::try_from(&options[..])
-                .context("unable to convert chainloader options to CString16")?,
-        );
 
-        if options.num_bytes() > u32::MAX as usize {
+    if options.num_bytes() > u32::MAX as usize {
-            bail!("chainloader options too large");
+        bail!("chainloader options too large");
-        }
+    }
 
-        // SAFETY: option size is checked to validate it is safe to pass.
+    // SAFETY: option size is checked to validate it is safe to pass.
-        // Additionally, the pointer is allocated and retained on heap, which makes
+    // Additionally, the pointer is allocated and retained on heap, which makes
-        // passing the `options` pointer safe to the next image.
+    // passing the `options` pointer safe to the next image.
-        unsafe {
+    unsafe {
-            loaded_image_protocol
+        loaded_image_protocol
-                .set_load_options(options.as_ptr() as *const u8, options.num_bytes() as u32);
+            .set_load_options(options.as_ptr() as *const u8, options.num_bytes() as u32);
-        }
-        options_holder = Some(options);
     }
 
     // Stamp the initrd path, if provided.
@@ -118,8 +95,9 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
 
     // Assert there was no error starting the image.
     result.context("unable to start image")?;
-    // Explicitly drop the option holder to clarify the lifetime.
+
-    drop(options_holder);
+    // Explicitly drop the options to clarify the lifetime.
+    drop(options);
 
     // Return control to sprout.
     Ok(())

crates/sprout/src/actions/edera.rs

@@ -1,12 +1,7 @@
 use std::rc::Rc;
 
-use anyhow::{Context, Result};
-use log::error;
-use serde::{Deserialize, Serialize};
-use uefi::Guid;
-
 use crate::{
-    actions::{self, chainload::ChainloadConfiguration},
+    actions,
     context::SproutContext,
     utils::{
         self,
@@ -18,26 +13,11 @@ use crate::{
         },
     },
 };
-
+use anyhow::{Context, Result};
-/// The configuration of the edera action which boots the Edera hypervisor.
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
-/// Edera is based on Xen but modified significantly with a Rust stack.
+use edera_sprout_config::actions::edera::EderaConfiguration;
-/// Sprout is a component of the Edera stack and provides the boot functionality of Xen.
+use log::error;
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+use uefi::Guid;
-pub struct EderaConfiguration {
-    /// The path to the Xen hypervisor EFI image.
-    pub xen: String,
-    /// The path to the kernel to boot for dom0.
-    pub kernel: String,
-    /// The path to the initrd to load for dom0.
-    #[serde(default)]
-    pub initrd: Option<String>,
-    /// The options to pass to the kernel.
-    #[serde(default, rename = "kernel-options")]
-    pub kernel_options: Vec<String>,
-    /// The options to pass to the Xen hypervisor.
-    #[serde(default, rename = "xen-options")]
-    pub xen_options: Vec<String>,
-}
 
 /// Builds a configuration string for the Xen EFI stub using the specified `configuration`.
 fn build_xen_config(context: Rc<SproutContext>, configuration: &EderaConfiguration) -> String {

crates/sprout/src/actions/print.rs

@@ -1,17 +1,9 @@
 use crate::context::SproutContext;
 use anyhow::Result;
+use edera_sprout_config::actions::print::PrintConfiguration;
 use log::info;
-use serde::{Deserialize, Serialize};
 use std::rc::Rc;
 
-/// The configuration of the print action.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct PrintConfiguration {
-    /// The text to print to the console.
-    #[serde(default)]
-    pub text: String,
-}
-
 /// Executes the print action with the specified `configuration` inside the provided `context`.
 pub fn print(context: Rc<SproutContext>, configuration: &PrintConfiguration) -> Result<()> {
     info!("{}", context.stamp(&configuration.text));

crates/sprout/src/autoconfigure.rs

@@ -1,5 +1,5 @@
-use crate::config::RootConfiguration;
 use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
 use uefi::fs::FileSystem;
 use uefi::proto::device_path::DevicePath;
 use uefi::proto::media::fs::SimpleFileSystem;

crates/sprout/src/autoconfigure/bls.rs

@@ -1,11 +1,11 @@
-use crate::actions::ActionDeclaration;
-use crate::actions::chainload::ChainloadConfiguration;
-use crate::config::RootConfiguration;
-use crate::entries::EntryDeclaration;
-use crate::generators::GeneratorDeclaration;
-use crate::generators::bls::BlsConfiguration;
 use crate::utils;
 use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
+use edera_sprout_config::generators::GeneratorDeclaration;
+use edera_sprout_config::generators::bls::BlsConfiguration;
 use uefi::cstr16;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::DevicePath;

crates/sprout/src/autoconfigure/linux.rs

@@ -1,12 +1,12 @@
-use crate::actions::ActionDeclaration;
-use crate::actions::chainload::ChainloadConfiguration;
-use crate::config::RootConfiguration;
-use crate::entries::EntryDeclaration;
-use crate::generators::GeneratorDeclaration;
-use crate::generators::list::ListConfiguration;
 use crate::utils;
 use crate::utils::vercmp;
 use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
+use edera_sprout_config::generators::GeneratorDeclaration;
+use edera_sprout_config::generators::list::ListConfiguration;
 use std::collections::BTreeMap;
 use uefi::CString16;
 use uefi::fs::{FileSystem, Path, PathBuf};
@@ -27,6 +27,18 @@ const KERNEL_PREFIXES: &[&str] = &["vmlinuz"];
 /// Prefixes of initramfs files to match to.
 const INITRAMFS_PREFIXES: &[&str] = &["initramfs", "initrd", "initrd.img"];
 
+/// This is really silly, but if what we are booting is the Canonical stubble stub,
+/// there is a chance it will assert that the load options are non-empty.
+/// Technically speaking, load options can be empty. However, it assumes load options
+/// have something in it. Canonical's stubble copied code from systemd that does this
+/// and then uses that code improperly by asserting that the pointer is non-null.
+/// To give a good user experience, we place a placeholder value here to ensure it's non-empty.
+/// For stubble, this code ensures the command line pointer becomes null:
+/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L61-L64
+/// Then this code asserts on it, stopping the boot process:
+/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L27
+const DEFAULT_LINUX_OPTIONS: &str = "placeholder";
+
 /// Pair of kernel and initramfs.
 /// This is what scanning a directory is meant to find.
 struct KernelPair {
@@ -212,9 +224,10 @@ pub fn scan(
 
     // Insert a default value for the linux-options if it doesn't exist.
     if !config.values.contains_key("linux-options") {
-        config
+        config.values.insert(
-            .values
+            "linux-options".to_string(),
-            .insert("linux-options".to_string(), "".to_string());
+            DEFAULT_LINUX_OPTIONS.to_string(),
+        );
     }
 
     // Generate a chainload configuration for the list generator.

crates/sprout/src/autoconfigure/windows.rs

@@ -1,9 +1,9 @@
-use crate::actions::ActionDeclaration;
-use crate::actions::chainload::ChainloadConfiguration;
-use crate::config::RootConfiguration;
-use crate::entries::EntryDeclaration;
 use crate::utils;
 use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
 use uefi::CString16;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::DevicePath;

crates/sprout/src/config.rs

@@ -0,0 +1,2 @@
+/// The configuration loader mechanisms.
+pub mod loader;

crates/sprout/src/config/loader.rs

@@ -1,8 +1,8 @@
-use crate::config::{RootConfiguration, latest_version};
 use crate::options::SproutOptions;
 use crate::platform::tpm::PlatformTpm;
 use crate::utils;
 use anyhow::{Context, Result, bail};
+use edera_sprout_config::{RootConfiguration, latest_version};
 use log::info;
 use std::ops::Deref;
 use toml::Value;

crates/sprout/src/context.rs

@@ -1,8 +1,8 @@
-use crate::actions::ActionDeclaration;
 use crate::options::SproutOptions;
 use crate::platform::timer::PlatformTimer;
 use anyhow::anyhow;
 use anyhow::{Result, bail};
+use edera_sprout_config::actions::ActionDeclaration;
 use std::cmp::Reverse;
 use std::collections::{BTreeMap, BTreeSet};
 use std::rc::Rc;

crates/sprout/src/drivers.rs

@@ -2,23 +2,12 @@ use crate::context::SproutContext;
 use crate::integrations::shim::{ShimInput, ShimSupport};
 use crate::utils;
 use anyhow::{Context, Result};
+pub(crate) use edera_sprout_config::drivers::DriverDeclaration;
 use log::info;
-use serde::{Deserialize, Serialize};
 use std::collections::BTreeMap;
 use std::rc::Rc;
 use uefi::boot::SearchType;
 
-/// Declares a driver configuration.
-/// Drivers allow extending the functionality of Sprout.
-/// Drivers are loaded at runtime and can provide extra functionality like filesystem support.
-/// Drivers are loaded by their name, which is used to reference them in other concepts.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct DriverDeclaration {
-    /// The filesystem path to the driver.
-    /// This file should be an EFI executable that can be located and executed.
-    pub path: String,
-}
-
 /// Loads the driver specified by the `driver` declaration.
 fn load_driver(context: Rc<SproutContext>, driver: &DriverDeclaration) -> Result<()> {
     // Acquire the handle and device path of the loaded image.

crates/sprout/src/entries.rs

@@ -1,25 +1,7 @@
 use crate::context::SproutContext;
-use serde::{Deserialize, Serialize};
+use edera_sprout_config::entries::EntryDeclaration;
-use std::collections::BTreeMap;
 use std::rc::Rc;
 
-/// Declares a boot entry to display in the boot menu.
-///
-/// Entries are the user-facing concept of Sprout, making it possible
-/// to run a set of actions with a specific context.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct EntryDeclaration {
-    /// The title of the entry which will be display in the boot menu.
-    /// This is the pre-stamped value.
-    pub title: String,
-    /// The actions to run when the entry is selected.
-    #[serde(default)]
-    pub actions: Vec<String>,
-    /// The values to insert into the context when the entry is selected.
-    #[serde(default)]
-    pub values: BTreeMap<String, String>,
-}
-
 /// Represents an entry that is stamped and ready to be booted.
 #[derive(Clone)]
 pub struct BootableEntry {

crates/sprout/src/extractors.rs

@@ -0,0 +1,18 @@
+use crate::context::SproutContext;
+use anyhow::{Result, bail};
+use edera_sprout_config::extractors::ExtractorDeclaration;
+use std::rc::Rc;
+
+/// The filesystem device match extractor.
+pub mod filesystem_device_match;
+
+/// Extracts the value using the specified `extractor` under the provided `context`.
+/// The extractor must return a value, and if a value cannot be determined, an error
+/// should be returned.
+pub fn extract(context: Rc<SproutContext>, extractor: &ExtractorDeclaration) -> Result<String> {
+    if let Some(filesystem) = &extractor.filesystem_device_match {
+        filesystem_device_match::extract(context, filesystem)
+    } else {
+        bail!("unknown extractor configuration");
+    }
+}

crates/sprout/src/extractors/filesystem_device_match.rs

@@ -1,7 +1,7 @@
 use crate::context::SproutContext;
 use crate::utils;
 use anyhow::{Context, Result, anyhow, bail};
-use serde::{Deserialize, Serialize};
+use edera_sprout_config::extractors::filesystem_device_match::FilesystemDeviceMatchExtractor;
 use std::ops::Deref;
 use std::rc::Rc;
 use std::str::FromStr;
@@ -11,34 +11,6 @@ use uefi::proto::media::file::{File, FileSystemVolumeLabel};
 use uefi::proto::media::fs::SimpleFileSystem;
 use uefi::{CString16, Guid};
 
-/// The filesystem device match extractor.
-/// This extractor finds a filesystem using some search criteria and returns
-/// the device root path that can concatenated with subpaths to access files
-/// on a particular filesystem.
-/// The fallback value can be used to provide a value if no match is found.
-///
-/// This extractor requires all the criteria to match. If no criteria is provided,
-/// an error is returned.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct FilesystemDeviceMatchExtractor {
-    /// Matches a filesystem that has the specified label.
-    #[serde(default, rename = "has-label")]
-    pub has_label: Option<String>,
-    /// Matches a filesystem that has the specified item.
-    /// An item is either a directory or file.
-    #[serde(default, rename = "has-item")]
-    pub has_item: Option<String>,
-    /// Matches a filesystem that has the specified partition UUID.
-    #[serde(default, rename = "has-partition-uuid")]
-    pub has_partition_uuid: Option<String>,
-    /// Matches a filesystem that has the specified partition type UUID.
-    #[serde(default, rename = "has-partition-type-uuid")]
-    pub has_partition_type_uuid: Option<String>,
-    /// The fallback value to use if no filesystem matches the criteria.
-    #[serde(default)]
-    pub fallback: Option<String>,
-}
-
 /// Extract a filesystem device path using the specified `context` and `extractor` configuration.
 pub fn extract(
     context: Rc<SproutContext>,

crates/sprout/src/generators.rs

@@ -0,0 +1,33 @@
+use crate::context::SproutContext;
+use crate::entries::BootableEntry;
+use anyhow::Result;
+use anyhow::bail;
+use edera_sprout_config::generators::GeneratorDeclaration;
+use std::rc::Rc;
+
+/// The BLS generator.
+pub mod bls;
+
+/// The list generator.
+pub mod list;
+
+/// The matrix generator.
+pub mod matrix;
+
+/// Runs the generator specified by the `generator` option.
+/// It uses the specified `context` as the parent context for
+/// the generated entries, injecting more values if needed.
+pub fn generate(
+    context: Rc<SproutContext>,
+    generator: &GeneratorDeclaration,
+) -> Result<Vec<BootableEntry>> {
+    if let Some(matrix) = &generator.matrix {
+        matrix::generate(context, matrix)
+    } else if let Some(bls) = &generator.bls {
+        bls::generate(context, bls)
+    } else if let Some(list) = &generator.list {
+        list::generate(context, list)
+    } else {
+        bail!("unknown generator configuration");
+    }
+}

crates/sprout/src/generators/bls.rs

@@ -1,10 +1,10 @@
 use crate::context::SproutContext;
-use crate::entries::{BootableEntry, EntryDeclaration};
+use crate::entries::BootableEntry;
 use crate::generators::bls::entry::BlsEntry;
 use crate::utils;
 use crate::utils::vercmp;
 use anyhow::{Context, Result};
-use serde::{Deserialize, Serialize};
+use edera_sprout_config::generators::bls::BlsConfiguration;
 use std::cmp::Ordering;
 use std::rc::Rc;
 use std::str::FromStr;
@@ -16,25 +16,6 @@ use uefi::proto::media::fs::SimpleFileSystem;
 /// BLS entry parser.
 mod entry;
 
-/// The default path to the BLS directory.
-const BLS_TEMPLATE_PATH: &str = "\\loader";
-
-/// The configuration of the BLS generator.
-/// The BLS uses the Bootloader Specification to produce
-/// entries from an input template.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct BlsConfiguration {
-    /// The entry to use for as a template.
-    pub entry: EntryDeclaration,
-    /// The path to the BLS directory.
-    #[serde(default = "default_bls_path")]
-    pub path: String,
-}
-
-fn default_bls_path() -> String {
-    BLS_TEMPLATE_PATH.to_string()
-}
-
 // TODO(azenla): remove this once variable substitution is implemented.
 /// This function is used to remove the `tuned_initrd` variable from entry values.
 /// Fedora uses tuned which adds an initrd that shouldn't be used.

crates/sprout/src/generators/list.rs

@@ -1,23 +1,9 @@
 use crate::context::SproutContext;
-use crate::entries::{BootableEntry, EntryDeclaration};
+use crate::entries::BootableEntry;
 use anyhow::Result;
-use serde::{Deserialize, Serialize};
+use edera_sprout_config::generators::list::ListConfiguration;
-use std::collections::BTreeMap;
 use std::rc::Rc;
 
-/// List generator configuration.
-/// The list generator produces multiple entries based
-/// on a set of input maps.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct ListConfiguration {
-    /// The template entry to use for each generated entry.
-    #[serde(default)]
-    pub entry: EntryDeclaration,
-    /// The values to use as the input for the matrix.
-    #[serde(default)]
-    pub values: Vec<BTreeMap<String, String>>,
-}
-
 /// Generates a set of entries using the specified `list` configuration in the `context`.
 pub fn generate(
     context: Rc<SproutContext>,

crates/sprout/src/generators/matrix.rs

@@ -1,24 +1,12 @@
 use crate::context::SproutContext;
-use crate::entries::{BootableEntry, EntryDeclaration};
+use crate::entries::BootableEntry;
 use crate::generators::list;
 use anyhow::Result;
-use serde::{Deserialize, Serialize};
+use edera_sprout_config::generators::list::ListConfiguration;
+use edera_sprout_config::generators::matrix::MatrixConfiguration;
 use std::collections::BTreeMap;
 use std::rc::Rc;
 
-/// Matrix generator configuration.
-/// The matrix generator produces multiple entries based
-/// on input values multiplicatively.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct MatrixConfiguration {
-    /// The template entry to use for each generated entry.
-    #[serde(default)]
-    pub entry: EntryDeclaration,
-    /// The values to use as the input for the matrix.
-    #[serde(default)]
-    pub values: BTreeMap<String, Vec<String>>,
-}
-
 /// Builds out multiple generations of `input` based on a matrix style.
 /// For example, if input is: {"x": ["a", "b"], "y": ["c", "d"]}
 /// It will produce:
@@ -61,7 +49,7 @@ pub fn generate(
     // Use the list generator to generate entries for each combination.
     list::generate(
         context,
-        &list::ListConfiguration {
+        &ListConfiguration {
             entry: matrix.entry.clone(),
             values: combinations,
         },

crates/sprout/src/main.rs

@@ -4,7 +4,6 @@
 /// The delay to wait for when an error occurs in Sprout.
 const DELAY_ON_ERROR: Duration = Duration::from_secs(10);
 
-use crate::config::RootConfiguration;
 use crate::context::{RootContext, SproutContext};
 use crate::entries::BootableEntry;
 use crate::integrations::bootloader_interface::{BootloaderInterface, BootloaderInterfaceTimeout};
@@ -16,6 +15,7 @@ use crate::platform::tpm::PlatformTpm;
 use crate::secure::SecureBoot;
 use crate::utils::PartitionGuidForm;
 use anyhow::{Context, Result, bail};
+use edera_sprout_config::RootConfiguration;
 use log::{error, info, warn};
 use std::collections::BTreeMap;
 use std::ops::Deref;

crates/sprout/src/phases.rs

@@ -0,0 +1,25 @@
+use crate::actions;
+use crate::context::SproutContext;
+use anyhow::{Context, Result};
+use edera_sprout_config::phases::PhaseConfiguration;
+use std::rc::Rc;
+
+/// Executes the specified [phase] of the boot process.
+/// The value [phase] should be a reference of a specific phase in the [PhasesConfiguration].
+/// Any error from the actions is propagated into the [Result] and will interrupt further
+/// execution of phase actions.
+pub fn phase(context: Rc<SproutContext>, phase: &[PhaseConfiguration]) -> Result<()> {
+    for item in phase {
+        let mut context = context.fork();
+        // Insert the values into the context.
+        context.insert(&item.values);
+        let context = context.freeze();
+
+        // Execute all the actions in this phase configuration.
+        for action in item.actions.iter() {
+            actions::execute(context.clone(), action)
+                .context(format!("unable to execute action '{}'", action))?;
+        }
+    }
+    Ok(())
+}

crates/sprout/src/utils.rs

@@ -1,4 +1,5 @@
 use anyhow::{Context, Result, bail};
+use sha2::{Digest, Sha256};
 use std::ops::Deref;
 use uefi::boot::SearchType;
 use uefi::fs::{FileSystem, Path};
@@ -201,7 +202,7 @@ pub fn combine_options<T: AsRef<str>>(options: impl Iterator<Item = T>) -> Strin
 /// Produce a unique hash for the input.
 /// This uses SHA-256, which is unique enough but relatively short.
 pub fn unique_hash(input: &str) -> String {
-    sha256::digest(input.as_bytes())
+    hex::encode(Sha256::digest(input.as_bytes()))
 }
 
 /// Represents the type of partition GUID that can be retrieved.

docs/setup/signed/debian.md

@@ -0,0 +1,145 @@
+# Setup Sprout for Debian with Secure Boot
+
+## Prerequisites
+
+- Modern Debian release: tested on Debian 13 ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+- ext4 or FAT32/exFAT formatted `/boot` partition
+- You will need the following packages installed: `openssl`, `shim-signed`, `mokutil`, `sbsigntool`
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+  -newkey rsa:4096 -nodes -keyout mok.key \
+  -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+  -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/sprout/shimx64.efi
+$ cp /usr/lib/shim/mmx64.efi.signed /boot/efi/EFI/sprout/mmx64.efi
+$ cp /usr/lib/shim/fbx64.efi.signed /boot/efi/EFI/sprout/fbx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimaa64.efi.signed /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /usr/lib/shim/mmaa64.efi.signed /boot/efi/EFI/sprout/mmaa64.efi
+$ cp /usr/lib/shim/fbaa64.efi.signed /boot/efi/EFI/sprout/fbaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Debian systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It should work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled
+# filesystems and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/ESP_PARTITION with the actual path to the ESP partition block device.
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/ubuntu.md

@@ -0,0 +1,144 @@
+# Setup Sprout for Ubuntu with Secure Boot
+
+## Prerequisites
+
+- Modern Ubuntu release: tested on Ubuntu 25.10 ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+- ext4 or FAT32/exFAT formatted `/boot` partition
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+  -newkey rsa:4096 -nodes -keyout mok.key \
+  -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+  -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/sprout/shimx64.efi
+$ cp /usr/lib/shim/mmx64.efi /boot/efi/EFI/sprout/mmx64.efi
+$ cp /usr/lib/shim/fbx64.efi /boot/efi/EFI/sprout/fbx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimaa64.efi.signed /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /usr/lib/shim/mmaa64.efi /boot/efi/EFI/sprout/mmaa64.efi
+$ cp /usr/lib/shim/fbaa64.efi /boot/efi/EFI/sprout/fbaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Ubuntu systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It will work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled
+# filesystems and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/ESP_PARTITION with the actual path to the ESP partition block device.
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/unsigned/alpine-edge.md

@@ -1,4 +1,4 @@
-# Setup Sprout on Alpine Edge
+# Setup Sprout for Alpine Edge without Secure Boot
 
 ## Prerequisites
 

docs/setup/unsigned/fedora.md

@@ -1,4 +1,4 @@
-# Setup Sprout on Fedora
+# Setup Sprout for Fedora without Secure Boot
 
 ## Prerequisites
 

docs/setup/unsigned/generic-linux.md

@@ -1,4 +1,4 @@
-# Setup Sprout to boot Linux
+# Setup Sprout for Linux without Secure Boot
 
 ## Prerequisites
 

docs/setup/unsigned/windows.md

@@ -1,4 +1,4 @@
-# Setup Sprout to boot Windows
+# Setup Sprout for Windows without Secure Boot
 
 ## Prerequisites
 

hack/dev/boot/Dockerfile

@@ -12,7 +12,6 @@ COPY shell.efi /work/SHELL.EFI
 COPY xen.efi /work/XEN.EFI
 COPY xen.cfg /work/XEN.CFG
 COPY initramfs /work/INITRAMFS
-COPY edera-splash.png /work/EDERA-SPLASH.PNG
 COPY bls.conf /work/BLS.CONF
 RUN truncate -s128MiB sprout.img && \
     parted --script sprout.img mklabel gpt > /dev/null 2>&1 && \
@@ -29,7 +28,6 @@ RUN truncate -s128MiB sprout.img && \
     mcopy -i sprout.img XEN.EFI ::/EFI/BOOT/ && \
     mcopy -i sprout.img XEN.CFG ::/EFI/BOOT/ && \
     mcopy -i sprout.img SPROUT.TOML ::/ && \
-    mcopy -i sprout.img EDERA-SPLASH.PNG ::/ && \
     mcopy -i sprout.img INITRAMFS ::/ && \
     mcopy -i sprout.img BLS.CONF ::/LOADER/ENTRIES/ && \
     mv sprout.img /sprout.img

hack/dev/build.sh

@@ -107,7 +107,6 @@ if [ "${SKIP_SPROUT_BUILD}" != "1" ]; then
 
 	cp "hack/dev/configs/${SPROUT_CONFIG_NAME}.sprout.toml" "${FINAL_DIR}/sprout.toml"
 	cp "hack/dev/configs/xen.cfg" "${FINAL_DIR}/xen.cfg"
-	cp "hack/dev/assets/edera-splash.png" "${FINAL_DIR}/edera-splash.png"
 	cp "hack/dev/configs/bls.conf" "${FINAL_DIR}/bls.conf"
 
 	mkdir -p "${FINAL_DIR}/efi/EFI/BOOT"
@@ -125,7 +124,6 @@ if [ "${SKIP_SPROUT_BUILD}" != "1" ]; then
 		cp "${FINAL_DIR}/xen.cfg" "${FINAL_DIR}/efi/EFI/BOOT/XEN.CFG"
 	fi
 	cp "${FINAL_DIR}/sprout.toml" "${FINAL_DIR}/efi/SPROUT.TOML"
-	cp "${FINAL_DIR}/edera-splash.png" "${FINAL_DIR}/efi/EDERA-SPLASH.PNG"
 	cp "${FINAL_DIR}/initramfs" "${FINAL_DIR}/efi/INITRAMFS"
 fi
 

src/actions/splash.rs

@@ -1,166 +0,0 @@
-use crate::context::SproutContext;
-use crate::utils::framebuffer::Framebuffer;
-use crate::utils::read_file_contents;
-use anyhow::{Context, Result, bail};
-use image::imageops::{FilterType, resize};
-use image::math::Rect;
-use image::{DynamicImage, ImageBuffer, ImageFormat, ImageReader, Rgba};
-use serde::{Deserialize, Serialize};
-use std::io::Cursor;
-use std::rc::Rc;
-use std::time::Duration;
-use uefi::boot::ScopedProtocol;
-use uefi::proto::console::gop::GraphicsOutput;
-
-/// We set the default splash time to zero, as this makes it so any logging shows up
-/// on top of the splash and does not hold up the boot process.
-const DEFAULT_SPLASH_TIME: u32 = 0;
-
-/// The configuration of the splash action.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct SplashConfiguration {
-    /// The path to the image to display.
-    /// Currently, only PNG images are supported.
-    pub image: String,
-    /// The time to display the splash image without interruption, in seconds.
-    /// The default value is `0` which will display the image and let everything
-    /// continue.
-    #[serde(default = "default_splash_time")]
-    pub time: u32,
-}
-
-fn default_splash_time() -> u32 {
-    DEFAULT_SPLASH_TIME
-}
-
-/// Acquire the [GraphicsOutput]. We will find the first graphics output only.
-fn setup_graphics() -> Result<ScopedProtocol<GraphicsOutput>> {
-    // Grab the handle for the graphics output protocol.
-    let gop_handle = uefi::boot::get_handle_for_protocol::<GraphicsOutput>()
-        .context("unable to get graphics output")?;
-    // Open the graphics output protocol exclusively.
-    uefi::boot::open_protocol_exclusive::<GraphicsOutput>(gop_handle)
-        .context("unable to open graphics output")
-}
-
-/// Produces a [Rect] that fits the `image` inside the specified `frame`.
-/// The output [Rect] should be used to resize the image.
-fn fit_to_frame(image: &DynamicImage, frame: Rect) -> Rect {
-    // Convert the image dimensions to a [Rect].
-    let input = Rect {
-        x: 0,
-        y: 0,
-        width: image.width(),
-        height: image.height(),
-    };
-
-    // Handle the case where the image is zero-sized.
-    if input.height == 0 || input.width == 0 {
-        return input;
-    }
-
-    // Calculate the ratio of the image dimensions.
-    let input_ratio = input.width as f32 / input.height as f32;
-
-    // Calculate the ratio of the frame dimensions.
-    let frame_ratio = frame.width as f32 / frame.height as f32;
-
-    // Create [Rect] to store the output dimensions.
-    let mut output = Rect {
-        x: 0,
-        y: 0,
-        width: frame.width,
-        height: frame.height,
-    };
-
-    // Handle the case where the output is zero-sized.
-    if output.height == 0 || output.width == 0 {
-        return output;
-    }
-
-    if input_ratio < frame_ratio {
-        output.width = (frame.height as f32 * input_ratio).floor() as u32;
-        output.height = frame.height;
-        output.x = frame.x + (frame.width - output.width) / 2;
-        output.y = frame.y;
-    } else {
-        output.width = frame.width;
-        output.height = (frame.width as f32 / input_ratio).floor() as u32;
-        output.x = frame.x;
-        output.y = frame.y + (frame.height - output.height) / 2;
-    }
-
-    output
-}
-
-/// Resize the input `image` to fit the `frame`.
-fn resize_to_fit(image: &DynamicImage, frame: Rect) -> ImageBuffer<Rgba<u8>, Vec<u8>> {
-    let image = image.to_rgba8();
-    resize(&image, frame.width, frame.height, FilterType::Lanczos3)
-}
-
-/// Draw the `image` on the screen using [GraphicsOutput].
-fn draw(image: DynamicImage) -> Result<()> {
-    // Acquire the [GraphicsOutput] protocol.
-    let mut gop = setup_graphics()?;
-
-    // Acquire the current screen size.
-    let (width, height) = gop.current_mode_info().resolution();
-
-    // Create a display frame.
-    let display_frame = Rect {
-        x: 0,
-        y: 0,
-        width: width as _,
-        height: height as _,
-    };
-
-    // Fit the image to the display frame.
-    let fit = fit_to_frame(&image, display_frame);
-
-    // If the image is zero-sized, then we should bail with an error.
-    if fit.width == 0 || fit.height == 0 {
-        bail!("calculated frame size is zero");
-    }
-
-    // Resize the image to fit the display frame.
-    let image = resize_to_fit(&image, fit);
-
-    // Create a framebuffer to draw the image on.
-    let mut framebuffer =
-        Framebuffer::new(width, height).context("unable to create framebuffer")?;
-
-    // Iterate over the pixels in the image and put them on the framebuffer.
-    for (x, y, pixel) in image.enumerate_pixels() {
-        let Some(fb) = framebuffer.pixel((x + fit.x) as usize, (fit.y + y) as usize) else {
-            continue;
-        };
-        fb.red = pixel[0];
-        fb.green = pixel[1];
-        fb.blue = pixel[2];
-    }
-
-    // Blit the framebuffer to the screen.
-    framebuffer.blit(&mut gop)?;
-    Ok(())
-}
-
-/// Runs the splash action with the specified `configuration` inside the provided `context`.
-pub fn splash(context: Rc<SproutContext>, configuration: &SplashConfiguration) -> Result<()> {
-    // Stamp the image path value.
-    let image = context.stamp(&configuration.image);
-    // Read the image contents.
-    let image = read_file_contents(Some(context.root().loaded_image_path()?), &image)?;
-    // Decode the image as a PNG.
-    let image = ImageReader::with_format(Cursor::new(image), ImageFormat::Png)
-        .decode()
-        .context("unable to decode splash image")?;
-    // Draw the image on the screen.
-    draw(image)?;
-
-    // Sleep for the specified time.
-    std::thread::sleep(Duration::from_secs(configuration.time as u64));
-
-    // Return control to sprout.
-    Ok(())
-}