chore(deps): bump log from 0.4.28 to 0.4.29 in the cargo-updates group

Bumps the cargo-updates group with 1 update: [log](https://github.com/rust-lang/log).


Updates `log` from 0.4.28 to 0.4.29
- [Release notes](https://github.com/rust-lang/log/releases)
- [Changelog](https://github.com/rust-lang/log/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/log/compare/0.4.28...0.4.29)

---
updated-dependencies:
- dependency-name: log
  dependency-version: 0.4.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-updates
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/ci-actions.yml

@@ -1,10 +1,12 @@
 name: zizmor
 
 on:
-  push:
-    branches: ["main"]
   pull_request:
-    branches: ["**"]
+    branches:
+    - main
+  push:
+    branches:
+    - main
 
 permissions:
   contents: read # Needed to checkout the repository.
@@ -23,7 +25,7 @@ jobs:
       actions: read # Needed to analyze action metadata.
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
       with:
         egress-policy: audit
 
@@ -33,7 +35,7 @@ jobs:
         persist-credentials: false
 
     - name: setup uv
-      uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v7.1.1
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
     - name: zizmor
       run: uvx zizmor --pedantic --format sarif . > results.sarif
@@ -41,7 +43,7 @@ jobs:
         GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
     - name: upload
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: results.sarif
         category: zizmor

.github/workflows/ci-code.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
       with:
         egress-policy: audit
 
@@ -51,7 +51,7 @@ jobs:
     name: 'build ${{ matrix.arch }}'
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
       with:
         egress-policy: audit
 
@@ -80,7 +80,7 @@ jobs:
     name: 'clippy ${{ matrix.arch }}'
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
       with:
         egress-policy: audit
 

.github/workflows/codeql.yml

@@ -1,10 +1,12 @@
 name: codeql
 
 on:
-  push:
-    branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches:
+    - main
+  push:
+    branches:
+    - main
   schedule:
   - cron: '33 16 * * 0'
 
@@ -35,7 +37,7 @@ jobs:
           build-mode: none
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
       with:
         egress-policy: audit
 
@@ -45,13 +47,13 @@ jobs:
         persist-credentials: false
 
     - name: initialize codeql
-      uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
         config-file: ./.github/codeql/codeql-config.yaml
 
     - name: perform codeql analysis
-      uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/publish.yml

@@ -1,19 +1,12 @@
 name: publish
 
 on:
-  push:
-    branches:
-    - main
-
   pull_request:
     branches:
     - main
-    paths:
-    - bin/**
-    - src/**
-    - Cargo.*
-    - rust-toolchain.toml
-    - .github/workflows/publish.yaml
+  push:
+    branches:
+    - main
 
 permissions:
   contents: read # Needed to checkout the repository.
@@ -27,10 +20,12 @@ jobs:
     name: artifacts
     permissions:
       contents: write # Needed to upload artifacts.
+      id-token: write # Needed for attestation.
+      attestations: write # Needed for attestations.
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
       with:
         egress-policy: audit
 
@@ -46,14 +41,16 @@ jobs:
     - name: 'assemble artifacts'
       run: ./hack/assemble.sh
 
-    - name: 'upload sprout-x86_64.efi artifact'
+    - name: 'upload artifacts'
+      id: upload
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
-        name: sprout-x86_64.efi
-        path: target/assemble/sprout-x86_64.efi
+        name: artifacts
+        path: target/assemble/*
 
-    - name: 'upload sprout-aarch64.efi artifact'
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+    - name: 'attest artifacts'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
       with:
-        name: sprout-aarch64.efi
-        path: target/assemble/sprout-aarch64.efi
+        subject-name: artifacts.zip
+        subject-digest: "sha256:${{ steps.upload.outputs.artifact-digest }}"
+      if: github.event_name != 'pull_request'

.github/workflows/release.yml

@@ -20,10 +20,12 @@ jobs:
     name: release
     permissions:
       contents: write # Needed to upload release assets.
+      id-token: write # Needed for attestation.
+      attestations: write # Needed for attestations.
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
       with:
         egress-policy: audit
 
@@ -36,9 +38,14 @@ jobs:
       run: |
         cargo version
 
-    - name: 'assemble artifacts'
+    - name: 'assemble release artifacts'
       run: ./hack/assemble.sh
 
+    - name: 'attest release artifacts'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: target/assemble/*
+
     - name: 'generate cultivator token'
       uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a # v3.0.0-beta.2
       id: generate-token

Cargo.lock

@@ -2,35 +2,12 @@
 # It is not intended for manual editing.
 version = 4
 
-[[package]]
-name = "adler2"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
-
 [[package]]
 name = "anyhow"
 version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
 
-[[package]]
-name = "async-trait"
-version = "0.1.89"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "autocfg"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
-
 [[package]]
 name = "bit_field"
 version = "0.10.3"
@@ -52,24 +29,6 @@ dependencies = [
  "generic-array",
 ]
 
-[[package]]
-name = "bytemuck"
-version = "1.24.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fbdf580320f38b612e485521afda1ee26d10cc9884efaaa750d383e13e3c5f4"
-
-[[package]]
-name = "byteorder-lite"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f1fe948ff07f4bd06c30984e69f5b4899c516a3ef74f34df92a2df2ab535495"
-
-[[package]]
-name = "bytes"
-version = "1.10.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
-
 [[package]]
 name = "cfg-if"
 version = "1.0.4"
@@ -85,20 +44,11 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "crc32fast"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
-dependencies = [
- "cfg-if",
-]
-
 [[package]]
 name = "crypto-common"
-version = "0.1.6"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
 dependencies = [
  "generic-array",
  "typenum",
@@ -115,61 +65,56 @@ dependencies = [
 ]
 
 [[package]]
-name = "edera-sprout"
-version = "0.0.17"
+name = "edera-sprout-boot"
+version = "0.0.26"
 dependencies = [
  "anyhow",
- "bitflags",
- "image",
+ "edera-sprout-build",
+ "edera-sprout-config",
+ "edera-sprout-eficore",
+ "hex",
+ "jaarg",
  "log",
- "serde",
- "sha256",
+ "sha2",
  "toml",
  "uefi",
  "uefi-raw",
 ]
 
 [[package]]
-name = "equivalent"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+name = "edera-sprout-build"
+version = "0.0.26"
 
 [[package]]
-name = "fdeflate"
-version = "0.3.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
+name = "edera-sprout-config"
+version = "0.0.26"
 dependencies = [
- "simd-adler32",
+ "serde",
 ]
 
 [[package]]
-name = "flate2"
-version = "1.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfe33edd8e85a12a67454e37f8c75e730830d83e313556ab9ebf9ee7fbeb3bfb"
+name = "edera-sprout-eficore"
+version = "0.0.26"
 dependencies = [
- "crc32fast",
- "miniz_oxide",
+ "anyhow",
+ "bitflags",
+ "log",
+ "shlex",
+ "spin",
+ "uefi",
+ "uefi-raw",
 ]
 
 [[package]]
 name = "generic-array"
-version = "0.14.9"
+version = "0.14.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4bb6743198531e02858aeaea5398fcc883e71851fcbcb5a2f773e2fb6cb1edf2"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
  "typenum",
  "version_check",
 ]
 
-[[package]]
-name = "hashbrown"
-version = "0.16.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
-
 [[package]]
 name = "hex"
 version = "0.4.3"
@@ -177,27 +122,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
 [[package]]
-name = "image"
-version = "0.25.8"
+name = "jaarg"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "529feb3e6769d234375c4cf1ee2ce713682b8e76538cb13f9fc23e1400a591e7"
-dependencies = [
- "bytemuck",
- "byteorder-lite",
- "moxcms",
- "num-traits",
- "png",
-]
-
-[[package]]
-name = "indexmap"
-version = "2.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6717a8d2a5a929a1a2eb43a12812498ed141a0bcfb7e8f7844fbdbe4303bba9f"
-dependencies = [
- "equivalent",
- "hashbrown",
-]
+checksum = "534d589df1ef528a238f4bc4b1db081a1280f3aedf2695fd8971e9853a7fa4f6"
 
 [[package]]
 name = "libc"
@@ -205,52 +133,20 @@ version = "0.2.177"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"
 
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
+dependencies = [
+ "scopeguard",
+]
+
 [[package]]
 name = "log"
-version = "0.4.28"
+version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
-
-[[package]]
-name = "miniz_oxide"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
-dependencies = [
- "adler2",
- "simd-adler32",
-]
-
-[[package]]
-name = "moxcms"
-version = "0.7.6"
-source = "git+https://github.com/edera-dev/sprout-patched-deps.git?rev=2c4fcc84b50d40c28f540d4271109ea0ca7e1268#2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-dependencies = [
- "num-traits",
- "pxfm",
-]
-
-[[package]]
-name = "num-traits"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-dependencies = [
- "autocfg",
-]
-
-[[package]]
-name = "png"
-version = "0.18.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97baced388464909d42d89643fe4361939af9b7ce7a31ee32a168f832a70f2a0"
-dependencies = [
- "bitflags",
- "crc32fast",
- "fdeflate",
- "flate2",
- "miniz_oxide",
-]
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
 [[package]]
 name = "proc-macro2"
@@ -281,24 +177,21 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "pxfm"
-version = "0.1.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3cbdf373972bf78df4d3b518d07003938e2c7d1fb5891e55f9cb6df57009d84"
-dependencies = [
- "num-traits",
-]
-
 [[package]]
 name = "quote"
-version = "1.0.41"
+version = "1.0.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
 dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -350,27 +243,25 @@ dependencies = [
 ]
 
 [[package]]
-name = "sha256"
-version = "1.6.0"
+name = "shlex"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f880fc8562bdeb709793f00eb42a2ad0e672c4f883bbe59122b926eca935c8f6"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "spin"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5fe4ccb98d9c292d56fec89a5e07da7fc4cf0dc11e156b41793132775d3e591"
 dependencies = [
- "async-trait",
- "bytes",
- "hex",
- "sha2",
+ "lock_api",
 ]
 
-[[package]]
-name = "simd-adler32"
-version = "0.3.7"
-source = "git+https://github.com/edera-dev/sprout-patched-deps.git?rev=2c4fcc84b50d40c28f540d4271109ea0ca7e1268#2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
 [[package]]
 name = "syn"
-version = "2.0.108"
+version = "2.0.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
+checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -383,12 +274,10 @@ version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0dc8b1fb61449e27716ec0e1bdf0f6b8f3e8f6b05391e8497b8b6d7804ea6d8"
 dependencies = [
- "indexmap",
  "serde_core",
  "serde_spanned",
  "toml_datetime",
  "toml_parser",
- "toml_writer",
  "winnow",
 ]
 
@@ -410,12 +299,6 @@ dependencies = [
  "winnow",
 ]
 
-[[package]]
-name = "toml_writer"
-version = "1.0.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df8b2b54733674ad286d16267dcfc7a71ed5c776e4ac7aa3c3e2561f7c637bf2"
-
 [[package]]
 name = "typenum"
 version = "1.19.0"
@@ -433,9 +316,9 @@ dependencies = [
 
 [[package]]
 name = "uefi"
-version = "0.36.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f123e69767fc287c44d70ee19af3b39d1bfb735dbaff5090e95b5b13cd656d16"
+checksum = "71fe9058b73ee2b6559524af9e33199c13b2485ddbf3ad1181b68051cdc50c17"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -460,9 +343,9 @@ dependencies = [
 
 [[package]]
 name = "uefi-raw"
-version = "0.12.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8aff2f4f2b556a36a201d335a1e0a57754967a96857b1f47a52d5a23825cac84"
+checksum = "7f64fe59e11af447d12fd60a403c74106eb104309f34b4c6dbce6e927d97da9d"
 dependencies = [
  "bitflags",
  "uguid",
@@ -476,9 +359,9 @@ checksum = "0c8352f8c05e47892e7eaf13b34abd76a7f4aeaf817b716e88789381927f199c"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.20"
+version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "462eeb75aeb73aea900253ce739c8e18a67423fadf006037cd3ff27e82748a06"
+checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
 
 [[package]]
 name = "version_check"

Cargo.toml

@@ -1,46 +1,66 @@
-[package]
-name = "edera-sprout"
-description = "Modern UEFI bootloader"
+[workspace]
+members = [
+  "crates/boot",
+  "crates/build",
+  "crates/config",
+  "crates/eficore",
+]
+resolver = "3"
+
+[workspace.package]
 license = "Apache-2.0"
-version = "0.0.17"
+version = "0.0.26"
 homepage = "https://sprout.edera.dev"
 repository = "https://github.com/edera-dev/sprout"
 edition = "2024"
 
-[dependencies]
-anyhow = "1.0.100"
+[workspace.dependencies]
 bitflags = "2.10.0"
-toml = "0.9.8"
-log = "0.4.28"
+log = "0.4.29"
+spin = "0.10.0"
+uefi-raw = "0.13.0"
 
-[dependencies.image]
-version = "0.25.8"
+[workspace.dependencies.anyhow]
+version = "1.0.100"
 default-features = false
-features = ["png"]
-optional = true
 
-[dependencies.serde]
+[workspace.dependencies.hex]
+version = "0.4.3"
+default-features = false
+features = ["alloc"]
+
+[workspace.dependencies.jaarg]
+version = "0.2.2"
+default-features = false
+features = ["alloc"]
+
+[workspace.dependencies.serde]
 version = "1.0.228"
-features = ["derive"]
+default-features = false
+features = ["alloc", "derive"]
 
-[dependencies.sha256]
-version = "1.6.0"
+[workspace.dependencies.sha2]
+version = "0.10.9"
 default-features = false
 
-[dependencies.uefi]
-version = "0.36.0"
-features = ["alloc", "logger"]
+[workspace.dependencies.shlex]
+version = "1.3.0"
+default-features = false
 
-[dependencies.uefi-raw]
-version = "0.12.0"
+[workspace.dependencies.toml]
+version = "0.9.8"
+default-features = false
+features = ["serde", "parse"]
 
-[features]
-default = ["splash"]
-splash = ["dep:image"]
+[workspace.dependencies.uefi]
+version = "0.36.1"
+default-features = false
+features = ["alloc", "global_allocator", "panic_handler"]
 
-[profile.dev]
-# We have to compile for opt-level = 2 due to optimization passes
+# Common build profiles
+# NOTE: We have to compile everything for opt-level = 2 due to optimization passes
 # which don't handle the UEFI target properly.
+[profile.dev]
 opt-level = 2
 
 [profile.release]
@@ -57,15 +77,3 @@ inherits = "dev"
 strip = "debuginfo"
 debug = 0
 opt-level = 2
-
-[patch.crates-io.simd-adler32]
-git = "https://github.com/edera-dev/sprout-patched-deps.git"
-rev = "2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
-[patch.crates-io.moxcms]
-git = "https://github.com/edera-dev/sprout-patched-deps.git"
-rev = "2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
-[[bin]]
-name = "sprout"
-path = "src/main.rs"

DEVELOPMENT.md

@@ -5,16 +5,23 @@ This guide is a work in progress.
 ## Development Setup
 
 You can use any Rust development environment to develop Sprout.
-
 Rustup is recommended as the Rust toolchain manager to manage Rust versions and targets.
-
-Sprout currently requires Rust nightly to support uefi_std. See [uefi_std](https://doc.rust-lang.org/beta/rustc/platform-support/unknown-uefi.html) for more details.
-
 We currently only support `x86_64-unknown-uefi` and `aarch64-unknown-uefi` targets.
 
 To test your changes in QEMU, please run `./hack/dev/boot.sh`, you can specify `x86_64` or `aarch64`
 as an argument to boot.sh to boot the specified architecture.
 
+## Crate Structure
+
+Sprout is split into multiple crates:
+
+- `edera-sprout-boot` as `crates/boot`: Bootloader entrypoint for Sprout.
+- `edera-sprout-build` at `crates/build`: Build logic for Sprout.
+- `edera-sprout-config` at `crates/config`: Serialization structures for the Sprout configuration file.
+- `edera-sprout-eficore` at `crates/eficore`: Core library for Sprout EFI code.
+
+It is intended that overtime Sprout will be split into even more crates.
+
 ## Hack Scripts
 
 You can use the `./hack` scripts to run common development tasks:

Dockerfile

@@ -2,7 +2,7 @@
 ARG RUST_PROFILE=release
 ARG RUST_TARGET_SUBDIR=release
 
-FROM --platform=$BUILDPLATFORM rustlang/rust:nightly-alpine@sha256:34532121803db17008af0cdc4e2e1210466cb257cc9d3840dac42d706640fee5 AS build
+FROM --platform=$BUILDPLATFORM rust:1.91.1-alpine@sha256:fbcca3e30e26f79986809d5dbfcdbeaaf8d3f8a4475b7a19a973363b45c74d97 AS build
 RUN apk --no-cache add musl-dev busybox-static
 ARG RUST_PROFILE
 RUN adduser -S -s /bin/sh build

README.md

@@ -18,6 +18,9 @@ existing UEFI bootloader or booted by the hardware directly.
 
 Sprout is licensed under Apache 2.0 and is open to modifications and contributions.
 
+**NOTE**: Sprout is still in beta. Some features may not work as expected.
+Please [report any bugs you find](https://github.com/edera-dev/sprout/issues/new/choose).
+
 ## Background
 
 At [Edera] we make compute isolation technology for a wide variety of environments, often ones we do not fully control.
@@ -37,10 +40,24 @@ simplify installation and usage.
 
 ## Documentation
 
-- [Fedora Setup Guide]
-- [Generic Linux Setup Guide]
-- [Alpine Edge Setup Guide]
-- [Windows Setup Guide]
+### Setup Guides
+
+Some guides support Secure Boot and some do not.
+We recommend running Sprout without Secure Boot for development, and with Secure Boot for production.
+
+| Operating System | Secure Boot Enabled | Link                                                  |
+|------------------|---------------------|-------------------------------------------------------|
+| Fedora           | ✅                   | [Setup Guide](./docs/setup/signed/fedora.md)          |
+| Debian           | ✅                   | [Setup Guide](./docs/setup/signed/debian.md)          |
+| Ubuntu           | ✅                   | [Setup Guide](./docs/setup/signed/ubuntu.md)          |
+| openSUSE         | ✅                   | [Setup Guide](./docs/setup/signed/opensuse.md)        |
+| Fedora           | ❌                   | [Setup Guide](./docs/setup/unsigned/fedora.md)        |
+| Alpine Edge      | ❌                   | [Setup Guide](./docs/setup/unsigned/alpine-edge.md)   |
+| Generic Linux    | ❌                   | [Setup Guide](./docs/setup/unsigned/generic-linux.md) |
+| Windows          | ❌                   | [Setup Guide](./docs/setup/unsigned/windows.md)       |
+
+### Project Documentation
+
 - [Development Guide]
 - [Contributing Guide]
 - [Sprout License]
@@ -49,8 +66,6 @@ simplify installation and usage.
 
 ## Features
 
-**NOTE**: Sprout is still in beta.
-
 ### Current
 
 - [x] Loadable driver support
@@ -61,12 +76,12 @@ simplify installation and usage.
 - [x] Load Linux initrd from disk
 - [x] Basic boot menu
 - [x] BLS autoconfiguration support
-- [x] [Secure Boot support](https://github.com/edera-dev/sprout/issues/20): partial
+- [x] [Secure Boot support](https://github.com/edera-dev/sprout/issues/20): beta
+- [x] [Bootloader interface support](https://github.com/edera-dev/sprout/issues/21): beta
+- [x] [BLS specification conformance](https://github.com/edera-dev/sprout/issues/2): beta
 
 ### Roadmap
 
-- [ ] [Bootloader interface support](https://github.com/edera-dev/sprout/issues/21)
-- [ ] [BLS specification conformance](https://github.com/edera-dev/sprout/issues/2)
 - [ ] [Full-featured boot menu](https://github.com/edera-dev/sprout/issues/1)
 - [ ] [UKI support](https://github.com/edera-dev/sprout/issues/6): partial
 - [ ] [multiboot2 support](https://github.com/edera-dev/sprout/issues/7)
@@ -147,10 +162,6 @@ autoconfigure = true
 ```
 
 [Edera]: https://edera.dev
-[Fedora Setup Guide]: ./docs/fedora-setup.md
-[Generic Linux Setup Guide]: ./docs/generic-linux-setup.md
-[Alpine Edge Setup Guide]: ./docs/alpine-edge-setup.md
-[Windows Setup Guide]: ./docs/windows-setup.md
 [Development Guide]: ./DEVELOPMENT.md
 [Contributing Guide]: ./CONTRIBUTING.md
 [Sprout License]: ./LICENSE

build.rs

@@ -1,57 +0,0 @@
-use std::path::PathBuf;
-use std::{env, fs};
-
-/// The size of the sbat.csv file.
-const SBAT_SIZE: usize = 512;
-
-/// Generate the sbat.csv for the .sbat link section.
-///
-/// We intake a sbat.template.tsv and output a sbat.csv which is included by src/sbat.rs
-fn generate_sbat_csv() {
-    // Notify Cargo that if the Sprout version changes, we need to regenerate the sbat.csv.
-    println!("cargo:rerun-if-env-changed=CARGO_PKG_VERSION");
-
-    // The version of the sprout crate.
-    let sprout_version = env::var("CARGO_PKG_VERSION").expect("CARGO_PKG_VERSION not set");
-
-    // The output directory to place the sbat.csv into.
-    let output_dir = PathBuf::from(env::var("OUT_DIR").expect("OUT_DIR not set"));
-
-    // The output path to the sbat.csv.
-    let output_file = output_dir.join("sbat.csv");
-
-    // The path to the root of the sprout crate.
-    let sprout_root =
-        PathBuf::from(env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set"));
-
-    // The path to the sbat.template.tsv file is in the source directory of the sprout crate.
-    let template_path = sprout_root.join("src/sbat.template.csv");
-
-    // Read the sbat.csv template file.
-    let template = fs::read_to_string(&template_path).expect("unable to read template file");
-
-    // Replace the version placeholder in the template with the actual version.
-    let sbat = template.replace("{version}", &sprout_version);
-
-    // Encode the sbat.csv as bytes.
-    let mut encoded = sbat.as_bytes().to_vec();
-
-    if encoded.len() > SBAT_SIZE {
-        panic!("sbat.csv is too large");
-    }
-
-    // Pad the sbat.csv to the required size.
-    while encoded.len() < SBAT_SIZE {
-        encoded.push(0);
-    }
-
-    // Write the sbat.csv to the output directory.
-    fs::write(&output_file, encoded).expect("unable to write sbat.csv");
-}
-
-/// Build script entry point.
-/// Right now, all we need to do is generate the sbat.csv file.
-fn main() {
-    // Generate the sbat.csv file.
-    generate_sbat_csv();
-}

crates/boot/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "edera-sprout-boot"
+description = "Sprout: Modern UEFI Bootloader"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+edera-sprout-config.path = "../config"
+edera-sprout-eficore.path = "../eficore"
+hex.workspace = true
+jaarg.workspace = true
+sha2.workspace = true
+toml.workspace = true
+log.workspace = true
+uefi.workspace = true
+uefi-raw.workspace = true
+
+[build-dependencies]
+edera-sprout-build.path = "../build"
+
+[[bin]]
+name = "sprout"
+path = "src/main.rs"

crates/boot/README.md

@@ -0,0 +1,3 @@
+# Sprout Bootloader
+
+The main bootable crate of the Sprout bootloader.

crates/boot/build.rs

@@ -0,0 +1,7 @@
+use edera_sprout_build::generate_sbat_module;
+
+/// Build script entry point for Sprout.
+fn main() {
+    // Generate the sbat.generated.rs file.
+    generate_sbat_module();
+}

crates/boot/src/actions.rs

@@ -1,7 +1,6 @@
 use crate::context::SproutContext;
+use alloc::rc::Rc;
 use anyhow::{Context, Result, bail};
-use serde::{Deserialize, Serialize};
-use std::rc::Rc;
 
 /// EFI chainloader action.
 pub mod chainload;
@@ -10,36 +9,6 @@ pub mod edera;
 /// EFI console print action.
 pub mod print;
 
-/// Splash screen action.
-#[cfg(feature = "splash")]
-pub mod splash;
-
-/// Declares an action that sprout can execute.
-/// Actions allow configuring sprout's internal runtime mechanisms with values
-/// that you can specify via other concepts.
-///
-/// Actions are the main work that Sprout gets done, like booting Linux.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct ActionDeclaration {
-    /// Chainload to another EFI application.
-    /// This allows you to load any EFI application, either to boot an operating system
-    /// or to perform more EFI actions and return to sprout.
-    #[serde(default)]
-    pub chainload: Option<chainload::ChainloadConfiguration>,
-    /// Print a string to the EFI console.
-    #[serde(default)]
-    pub print: Option<print::PrintConfiguration>,
-    /// Show an image as a fullscreen splash screen.
-    #[serde(default)]
-    #[cfg(feature = "splash")]
-    pub splash: Option<splash::SplashConfiguration>,
-    /// Boot the Edera hypervisor and the root operating system.
-    /// This action is an extension on top of the Xen EFI stub that
-    /// is specific to Edera.
-    #[serde(default, rename = "edera")]
-    pub edera: Option<edera::EderaConfiguration>,
-}
-
 /// Execute the action specified by `name` which should be stored in the
 /// root context of the provided `context`. This function may not return
 /// if the provided action executes an operating system or an EFI application
@@ -67,12 +36,6 @@ pub fn execute(context: Rc<SproutContext>, name: impl AsRef<str>) -> Result<()>
         return Ok(());
     }
 
-    #[cfg(feature = "splash")]
-    if let Some(splash) = &action.splash {
-        splash::splash(context.clone(), splash)?;
-        return Ok(());
-    }
-
     // If we reach here, we don't know how to execute the action that was configured.
     // This is likely unreachable, but we should still return an error just in case.
     bail!("unknown action configuration");

crates/boot/src/actions/chainload.rs

@@ -0,0 +1,112 @@
+use crate::context::SproutContext;
+use crate::utils;
+use alloc::boxed::Box;
+use alloc::rc::Rc;
+use anyhow::{Context, Result, bail};
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use eficore::bootloader_interface::BootloaderInterface;
+use eficore::loader::source::ImageSource;
+use eficore::loader::{ImageLoadRequest, ImageLoader};
+use eficore::media_loader::MediaLoaderHandle;
+use eficore::media_loader::constants::linux::LINUX_EFI_INITRD_MEDIA_GUID;
+use log::error;
+use uefi::CString16;
+use uefi::proto::loaded_image::LoadedImage;
+
+/// Executes the chainload action using the specified `configuration` inside the provided `context`.
+pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfiguration) -> Result<()> {
+    // Retrieve the current image handle of sprout.
+    let sprout_image = uefi::boot::image_handle();
+
+    // Resolve the path to the image to chainload.
+    let resolved = eficore::path::resolve_path(
+        Some(context.root().loaded_image_path()?),
+        &context.stamp(&configuration.path),
+    )
+    .context("unable to resolve chainload path")?;
+
+    // Create a new image load request with the current image and the resolved path.
+    let request = ImageLoadRequest::new(sprout_image, ImageSource::ResolvedPath(&resolved));
+
+    // Load the image to chainload using the image loader support module.
+    // It will determine if the image needs to be loaded via the shim or can be loaded directly.
+    let image = ImageLoader::load(request)?;
+
+    // Open the LoadedImage protocol of the image to chainload.
+    let mut loaded_image_protocol =
+        uefi::boot::open_protocol_exclusive::<LoadedImage>(*image.handle())
+            .context("unable to open loaded image protocol")?;
+
+    // Stamp and combine the options to pass to the image.
+    let options =
+        utils::combine_options(configuration.options.iter().map(|item| context.stamp(item)));
+
+    // Pass the load options to the image.
+    // If no options are provided, the resulting string will be empty.
+    // The options are pinned and boxed to ensure that they are valid for the lifetime of this
+    // function, which ensures the lifetime of the options for the image runtime.
+    let options = Box::pin(
+        CString16::try_from(&options[..])
+            .context("unable to convert chainloader options to CString16")?,
+    );
+
+    if options.num_bytes() > u32::MAX as usize {
+        bail!("chainloader options too large");
+    }
+
+    // SAFETY: option size is checked to validate it is safe to pass.
+    // Additionally, the pointer is allocated and retained on heap, which makes
+    // passing the `options` pointer safe to the next image.
+    unsafe {
+        loaded_image_protocol
+            .set_load_options(options.as_ptr() as *const u8, options.num_bytes() as u32);
+    }
+
+    // Stamp the initrd path, if provided.
+    let initrd = configuration
+        .linux_initrd
+        .as_ref()
+        .map(|item| context.stamp(item));
+    // The initrd can be None or empty, so we need to collapse that into a single Option.
+    let initrd = utils::empty_is_none(initrd);
+
+    // If an initrd is provided, register it with the EFI stack.
+    let mut initrd_handle = None;
+    if let Some(linux_initrd) = initrd {
+        let content = eficore::path::read_file_contents(
+            Some(context.root().loaded_image_path()?),
+            &linux_initrd,
+        )
+        .context("unable to read linux initrd")?;
+        let handle =
+            MediaLoaderHandle::register(LINUX_EFI_INITRD_MEDIA_GUID, content.into_boxed_slice())
+                .context("unable to register linux initrd")?;
+        initrd_handle = Some(handle);
+    }
+
+    // Mark execution of an entry in the bootloader interface.
+    BootloaderInterface::mark_exec(context.root().timer())
+        .context("unable to mark execution of boot entry in bootloader interface")?;
+
+    // Start the loaded image.
+    // This call might return, or it may pass full control to another image that will never return.
+    // Capture the result to ensure we can return an error if the image fails to start, but only
+    // after the optional initrd has been unregistered.
+    let result = uefi::boot::start_image(*image.handle());
+
+    // Unregister the initrd if it was registered.
+    if let Some(initrd_handle) = initrd_handle
+        && let Err(error) = initrd_handle.unregister()
+    {
+        error!("unable to unregister linux initrd: {}", error);
+    }
+
+    // Assert there was no error starting the image.
+    result.context("unable to start image")?;
+
+    // Explicitly drop the options to clarify the lifetime.
+    drop(options);
+
+    // Return control to sprout.
+    Ok(())
+}

crates/boot/src/actions/edera.rs

@@ -1,43 +1,22 @@
-use std::rc::Rc;
-
-use anyhow::{Context, Result};
-use log::error;
-use serde::{Deserialize, Serialize};
-use uefi::Guid;
-
 use crate::{
-    actions::{self, chainload::ChainloadConfiguration},
+    actions,
     context::SproutContext,
-    utils::{
-        self,
-        media_loader::{
-            MediaLoaderHandle,
-            constants::xen::{
-                XEN_EFI_CONFIG_MEDIA_GUID, XEN_EFI_KERNEL_MEDIA_GUID, XEN_EFI_RAMDISK_MEDIA_GUID,
-            },
-        },
+    utils::{self},
+};
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use alloc::{format, vec};
+use anyhow::{Context, Result};
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::actions::edera::EderaConfiguration;
+use eficore::media_loader::{
+    MediaLoaderHandle,
+    constants::xen::{
+        XEN_EFI_CONFIG_MEDIA_GUID, XEN_EFI_KERNEL_MEDIA_GUID, XEN_EFI_RAMDISK_MEDIA_GUID,
     },
 };
-
-/// The configuration of the edera action which boots the Edera hypervisor.
-/// Edera is based on Xen but modified significantly with a Rust stack.
-/// Sprout is a component of the Edera stack and provides the boot functionality of Xen.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct EderaConfiguration {
-    /// The path to the Xen hypervisor EFI image.
-    pub xen: String,
-    /// The path to the kernel to boot for dom0.
-    pub kernel: String,
-    /// The path to the initrd to load for dom0.
-    #[serde(default)]
-    pub initrd: Option<String>,
-    /// The options to pass to the kernel.
-    #[serde(default, rename = "kernel-options")]
-    pub kernel_options: Vec<String>,
-    /// The options to pass to the Xen hypervisor.
-    #[serde(default, rename = "xen-options")]
-    pub xen_options: Vec<String>,
-}
+use log::error;
+use uefi::Guid;
 
 /// Builds a configuration string for the Xen EFI stub using the specified `configuration`.
 fn build_xen_config(context: Rc<SproutContext>, configuration: &EderaConfiguration) -> String {
@@ -98,8 +77,9 @@ fn register_media_loader_file(
     // Stamp the path to the file.
     let path = context.stamp(path);
     // Read the file contents.
-    let content = utils::read_file_contents(Some(context.root().loaded_image_path()?), &path)
-        .context(format!("unable to read {} file", what))?;
+    let content =
+        eficore::path::read_file_contents(Some(context.root().loaded_image_path()?), &path)
+            .context(format!("unable to read {} file", what))?;
     // Register the media loader.
     let handle = MediaLoaderHandle::register(guid, content.into_boxed_slice())
         .context(format!("unable to register {} media loader", what))?;

crates/boot/src/actions/print.rs

@@ -1,16 +1,8 @@
 use crate::context::SproutContext;
+use alloc::rc::Rc;
 use anyhow::Result;
+use edera_sprout_config::actions::print::PrintConfiguration;
 use log::info;
-use serde::{Deserialize, Serialize};
-use std::rc::Rc;
-
-/// The configuration of the print action.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct PrintConfiguration {
-    /// The text to print to the console.
-    #[serde(default)]
-    pub text: String,
-}
 
 /// Executes the print action with the specified `configuration` inside the provided `context`.
 pub fn print(context: Rc<SproutContext>, configuration: &PrintConfiguration) -> Result<()> {

crates/boot/src/autoconfigure.rs

@@ -1,5 +1,5 @@
-use crate::config::RootConfiguration;
 use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
 use uefi::fs::FileSystem;
 use uefi::proto::device_path::DevicePath;
 use uefi::proto::media::fs::SimpleFileSystem;

crates/boot/src/autoconfigure/bls.rs

@@ -1,11 +1,13 @@
-use crate::actions::ActionDeclaration;
-use crate::actions::chainload::ChainloadConfiguration;
-use crate::config::RootConfiguration;
-use crate::entries::EntryDeclaration;
-use crate::generators::GeneratorDeclaration;
-use crate::generators::bls::BlsConfiguration;
 use crate::utils;
+use alloc::string::ToString;
+use alloc::{format, vec};
 use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
+use edera_sprout_config::generators::GeneratorDeclaration;
+use edera_sprout_config::generators::bls::BlsConfiguration;
 use uefi::cstr16;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::DevicePath;

crates/boot/src/autoconfigure/linux.rs

@@ -1,13 +1,16 @@
-use crate::actions::ActionDeclaration;
-use crate::actions::chainload::ChainloadConfiguration;
-use crate::config::RootConfiguration;
-use crate::entries::EntryDeclaration;
-use crate::generators::GeneratorDeclaration;
-use crate::generators::list::ListConfiguration;
 use crate::utils;
 use crate::utils::vercmp;
+use alloc::collections::BTreeMap;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use alloc::{format, vec};
 use anyhow::{Context, Result};
-use std::collections::BTreeMap;
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
+use edera_sprout_config::generators::GeneratorDeclaration;
+use edera_sprout_config::generators::list::ListConfiguration;
 use uefi::CString16;
 use uefi::fs::{FileSystem, Path, PathBuf};
 use uefi::proto::device_path::DevicePath;
@@ -22,11 +25,23 @@ const LINUX_CHAINLOAD_ACTION_PREFIX: &str = "linux-chainload-";
 const SCAN_LOCATIONS: &[&str] = &["\\boot", "\\"];
 
 /// Prefixes of kernel files to scan for.
-const KERNEL_PREFIXES: &[&str] = &["vmlinuz"];
+const KERNEL_PREFIXES: &[&str] = &["vmlinuz", "Image"];
 
 /// Prefixes of initramfs files to match to.
 const INITRAMFS_PREFIXES: &[&str] = &["initramfs", "initrd", "initrd.img"];
 
+/// This is really silly, but if what we are booting is the Canonical stubble stub,
+/// there is a chance it will assert that the load options are non-empty.
+/// Technically speaking, load options can be empty. However, it assumes load options
+/// have something in it. Canonical's stubble copied code from systemd that does this
+/// and then uses that code improperly by asserting that the pointer is non-null.
+/// To give a good user experience, we place a placeholder value here to ensure it's non-empty.
+/// For stubble, this code ensures the command line pointer becomes null:
+/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L61-L64
+/// Then this code asserts on it, stopping the boot process:
+/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L27
+const DEFAULT_LINUX_OPTIONS: &str = "placeholder";
+
 /// Pair of kernel and initramfs.
 /// This is what scanning a directory is meant to find.
 struct KernelPair {
@@ -212,9 +227,10 @@ pub fn scan(
 
     // Insert a default value for the linux-options if it doesn't exist.
     if !config.values.contains_key("linux-options") {
-        config
-            .values
-            .insert("linux-options".to_string(), "".to_string());
+        config.values.insert(
+            "linux-options".to_string(),
+            DEFAULT_LINUX_OPTIONS.to_string(),
+        );
     }
 
     // Generate a chainload configuration for the list generator.

crates/boot/src/autoconfigure/windows.rs

@@ -1,9 +1,11 @@
-use crate::actions::ActionDeclaration;
-use crate::actions::chainload::ChainloadConfiguration;
-use crate::config::RootConfiguration;
-use crate::entries::EntryDeclaration;
 use crate::utils;
+use alloc::string::ToString;
+use alloc::{format, vec};
 use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
 use uefi::CString16;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::DevicePath;

crates/boot/src/config.rs

@@ -0,0 +1,2 @@
+/// The configuration loader mechanisms.
+pub mod loader;

crates/boot/src/config/loader.rs

@@ -1,10 +1,10 @@
-use crate::config::{RootConfiguration, latest_version};
 use crate::options::SproutOptions;
-use crate::platform::tpm::PlatformTpm;
-use crate::utils;
+use alloc::vec::Vec;
 use anyhow::{Context, Result, bail};
+use core::ops::Deref;
+use edera_sprout_config::{RootConfiguration, latest_version};
+use eficore::platform::tpm::PlatformTpm;
 use log::info;
-use std::ops::Deref;
 use toml::Value;
 use uefi::proto::device_path::LoadedImageDevicePath;
 
@@ -20,7 +20,7 @@ fn load_raw_config(options: &SproutOptions) -> Result<Vec<u8>> {
     info!("configuration file: {}", options.config);
 
     // Read the contents of the sprout config file.
-    let content = utils::read_file_contents(Some(&path), &options.config)
+    let content = eficore::path::read_file_contents(Some(&path), &options.config)
         .context("unable to read sprout config file")?;
 
     // Measure the sprout.toml into the TPM, if needed and possible.

crates/boot/src/context.rs

@@ -1,11 +1,15 @@
-use crate::actions::ActionDeclaration;
 use crate::options::SproutOptions;
-use crate::platform::timer::PlatformTimer;
+use alloc::boxed::Box;
+use alloc::collections::{BTreeMap, BTreeSet};
+use alloc::format;
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
 use anyhow::anyhow;
 use anyhow::{Result, bail};
-use std::cmp::Reverse;
-use std::collections::{BTreeMap, BTreeSet};
-use std::rc::Rc;
+use core::cmp::Reverse;
+use edera_sprout_config::actions::ActionDeclaration;
+use eficore::platform::timer::PlatformTimer;
 use uefi::proto::device_path::DevicePath;
 
 /// The maximum number of iterations that can be performed in [SproutContext::finalize].

crates/boot/src/drivers.rs

@@ -1,44 +1,38 @@
 use crate::context::SproutContext;
-use crate::integrations::shim::{ShimInput, ShimSupport};
-use crate::utils;
+use alloc::collections::BTreeMap;
+use alloc::format;
+use alloc::rc::Rc;
+use alloc::string::String;
 use anyhow::{Context, Result};
+use edera_sprout_config::drivers::DriverDeclaration;
+use eficore::loader::source::ImageSource;
+use eficore::loader::{ImageLoadRequest, ImageLoader};
 use log::info;
-use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
-use std::rc::Rc;
 use uefi::boot::SearchType;
 
-/// Declares a driver configuration.
-/// Drivers allow extending the functionality of Sprout.
-/// Drivers are loaded at runtime and can provide extra functionality like filesystem support.
-/// Drivers are loaded by their name, which is used to reference them in other concepts.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct DriverDeclaration {
-    /// The filesystem path to the driver.
-    /// This file should be an EFI executable that can be located and executed.
-    pub path: String,
-}
-
 /// Loads the driver specified by the `driver` declaration.
 fn load_driver(context: Rc<SproutContext>, driver: &DriverDeclaration) -> Result<()> {
     // Acquire the handle and device path of the loaded image.
     let sprout_image = uefi::boot::image_handle();
 
     // Resolve the path to the driver image.
-    let resolved = utils::resolve_path(
+    let resolved = eficore::path::resolve_path(
         Some(context.root().loaded_image_path()?),
         &context.stamp(&driver.path),
     )
     .context("unable to resolve path to driver")?;
 
-    // Load the driver image using the shim support integration.
+    // Create an image load request with the current image and the resolved path.
+    let request = ImageLoadRequest::new(sprout_image, ImageSource::ResolvedPath(&resolved));
+
+    // Load the driver image using the image loader support module.
     // It will determine if the image needs to be loaded via the shim or can be loaded directly.
-    let image = ShimSupport::load(sprout_image, ShimInput::ResolvedPath(&resolved))?;
+    let image = ImageLoader::load(request)?;
 
     // Start the driver image, this is expected to return control to sprout.
     // There is no guarantee that the driver will actually return control as it is
     // just a standard EFI image.
-    uefi::boot::start_image(image).context("unable to start driver image")?;
+    uefi::boot::start_image(*image.handle()).context("unable to start driver image")?;
 
     Ok(())
 }

crates/boot/src/entries.rs

@@ -1,24 +1,7 @@
 use crate::context::SproutContext;
-use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
-use std::rc::Rc;
-
-/// Declares a boot entry to display in the boot menu.
-///
-/// Entries are the user-facing concept of Sprout, making it possible
-/// to run a set of actions with a specific context.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct EntryDeclaration {
-    /// The title of the entry which will be display in the boot menu.
-    /// This is the pre-stamped value.
-    pub title: String,
-    /// The actions to run when the entry is selected.
-    #[serde(default)]
-    pub actions: Vec<String>,
-    /// The values to insert into the context when the entry is selected.
-    #[serde(default)]
-    pub values: BTreeMap<String, String>,
-}
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use edera_sprout_config::entries::EntryDeclaration;
 
 /// Represents an entry that is stamped and ready to be booted.
 #[derive(Clone)]
@@ -110,7 +93,17 @@ impl BootableEntry {
     }
 
     /// Determine if this entry matches `needle` by comparing to the name or title of the entry.
+    /// If `needle` ends with *, we will match a partial match.
     pub fn is_match(&self, needle: &str) -> bool {
+        // If the needle ends with '*', we will accept a partial match.
+        if needle.ends_with("*") {
+            // Strip off any '*' at the end.
+            let partial = needle.trim_end_matches("*");
+            // Check if the name or title start with the partial match.
+            return self.name.starts_with(partial) || self.title.starts_with(partial);
+        }
+
+        // Standard quality matching rules.
         self.name == needle || self.title == needle
     }
 

crates/boot/src/extractors.rs

@@ -0,0 +1,19 @@
+use crate::context::SproutContext;
+use alloc::rc::Rc;
+use alloc::string::String;
+use anyhow::{Result, bail};
+use edera_sprout_config::extractors::ExtractorDeclaration;
+
+/// The filesystem device match extractor.
+pub mod filesystem_device_match;
+
+/// Extracts the value using the specified `extractor` under the provided `context`.
+/// The extractor must return a value, and if a value cannot be determined, an error
+/// should be returned.
+pub fn extract(context: Rc<SproutContext>, extractor: &ExtractorDeclaration) -> Result<String> {
+    if let Some(filesystem) = &extractor.filesystem_device_match {
+        filesystem_device_match::extract(context, filesystem)
+    } else {
+        bail!("unknown extractor configuration");
+    }
+}

crates/boot/src/extractors/filesystem_device_match.rs

@@ -1,44 +1,17 @@
 use crate::context::SproutContext;
-use crate::utils;
+use alloc::rc::Rc;
+use alloc::string::String;
 use anyhow::{Context, Result, anyhow, bail};
-use serde::{Deserialize, Serialize};
-use std::ops::Deref;
-use std::rc::Rc;
-use std::str::FromStr;
+use core::ops::Deref;
+use core::str::FromStr;
+use edera_sprout_config::extractors::filesystem_device_match::FilesystemDeviceMatchExtractor;
+use eficore::partition::PartitionGuidForm;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::DevicePath;
 use uefi::proto::media::file::{File, FileSystemVolumeLabel};
 use uefi::proto::media::fs::SimpleFileSystem;
 use uefi::{CString16, Guid};
 
-/// The filesystem device match extractor.
-/// This extractor finds a filesystem using some search criteria and returns
-/// the device root path that can concatenated with subpaths to access files
-/// on a particular filesystem.
-/// The fallback value can be used to provide a value if no match is found.
-///
-/// This extractor requires all the criteria to match. If no criteria is provided,
-/// an error is returned.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct FilesystemDeviceMatchExtractor {
-    /// Matches a filesystem that has the specified label.
-    #[serde(default, rename = "has-label")]
-    pub has_label: Option<String>,
-    /// Matches a filesystem that has the specified item.
-    /// An item is either a directory or file.
-    #[serde(default, rename = "has-item")]
-    pub has_item: Option<String>,
-    /// Matches a filesystem that has the specified partition UUID.
-    #[serde(default, rename = "has-partition-uuid")]
-    pub has_partition_uuid: Option<String>,
-    /// Matches a filesystem that has the specified partition type UUID.
-    #[serde(default, rename = "has-partition-type-uuid")]
-    pub has_partition_type_uuid: Option<String>,
-    /// The fallback value to use if no filesystem matches the criteria.
-    #[serde(default)]
-    pub fallback: Option<String>,
-}
-
 /// Extract a filesystem device path using the specified `context` and `extractor` configuration.
 pub fn extract(
     context: Rc<SproutContext>,
@@ -75,8 +48,9 @@ pub fn extract(
                 .to_boxed();
 
             // Fetch the partition uuid for this filesystem.
-            let partition_uuid = utils::partition_guid(&root, utils::PartitionGuidForm::Partition)
-                .context("unable to fetch the partition uuid of the filesystem")?;
+            let partition_uuid =
+                eficore::partition::partition_guid(&root, PartitionGuidForm::Partition)
+                    .context("unable to fetch the partition uuid of the filesystem")?;
 
             // Compare the partition uuid to the parsed uuid.
             // If it does not match, continue to the next filesystem.
@@ -100,7 +74,7 @@ pub fn extract(
 
             // Fetch the partition type uuid for this filesystem.
             let partition_type_uuid =
-                utils::partition_guid(&root, utils::PartitionGuidForm::PartitionType)
+                eficore::partition::partition_guid(&root, PartitionGuidForm::PartitionType)
                     .context("unable to fetch the partition uuid of the filesystem")?;
             // Compare the partition type uuid to the parsed uuid.
             // If it does not match, continue to the next filesystem.
@@ -160,7 +134,7 @@ pub fn extract(
             .context("unable to open filesystem device path")?;
         let path = path.deref();
         // Acquire the device path root as a string.
-        return utils::device_path_root(path).context("unable to get device path root");
+        return eficore::path::device_path_root(path).context("unable to get device path root");
     }
 
     // If there is a fallback value, use it at this point.

crates/boot/src/generators.rs

@@ -0,0 +1,34 @@
+use crate::context::SproutContext;
+use crate::entries::BootableEntry;
+use alloc::rc::Rc;
+use alloc::vec::Vec;
+use anyhow::Result;
+use anyhow::bail;
+use edera_sprout_config::generators::GeneratorDeclaration;
+
+/// The BLS generator.
+pub mod bls;
+
+/// The list generator.
+pub mod list;
+
+/// The matrix generator.
+pub mod matrix;
+
+/// Runs the generator specified by the `generator` option.
+/// It uses the specified `context` as the parent context for
+/// the generated entries, injecting more values if needed.
+pub fn generate(
+    context: Rc<SproutContext>,
+    generator: &GeneratorDeclaration,
+) -> Result<Vec<BootableEntry>> {
+    if let Some(matrix) = &generator.matrix {
+        matrix::generate(context, matrix)
+    } else if let Some(bls) = &generator.bls {
+        bls::generate(context, bls)
+    } else if let Some(list) = &generator.list {
+        list::generate(context, list)
+    } else {
+        bail!("unknown generator configuration");
+    }
+}

crates/boot/src/generators/bls.rs

@@ -1,13 +1,15 @@
 use crate::context::SproutContext;
-use crate::entries::{BootableEntry, EntryDeclaration};
+use crate::entries::BootableEntry;
 use crate::generators::bls::entry::BlsEntry;
-use crate::utils;
 use crate::utils::vercmp;
+use alloc::format;
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
 use anyhow::{Context, Result};
-use serde::{Deserialize, Serialize};
-use std::cmp::Ordering;
-use std::rc::Rc;
-use std::str::FromStr;
+use core::cmp::Ordering;
+use core::str::FromStr;
+use edera_sprout_config::generators::bls::BlsConfiguration;
 use uefi::cstr16;
 use uefi::fs::{FileSystem, PathBuf};
 use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
@@ -16,25 +18,6 @@ use uefi::proto::media::fs::SimpleFileSystem;
 /// BLS entry parser.
 mod entry;
 
-/// The default path to the BLS directory.
-const BLS_TEMPLATE_PATH: &str = "\\loader";
-
-/// The configuration of the BLS generator.
-/// The BLS uses the Bootloader Specification to produce
-/// entries from an input template.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct BlsConfiguration {
-    /// The entry to use for as a template.
-    pub entry: EntryDeclaration,
-    /// The path to the BLS directory.
-    #[serde(default = "default_bls_path")]
-    pub path: String,
-}
-
-fn default_bls_path() -> String {
-    BLS_TEMPLATE_PATH.to_string()
-}
-
 // TODO(azenla): remove this once variable substitution is implemented.
 /// This function is used to remove the `tuned_initrd` variable from entry values.
 /// Fedora uses tuned which adds an initrd that shouldn't be used.
@@ -105,8 +88,9 @@ pub fn generate(context: Rc<SproutContext>, bls: &BlsConfiguration) -> Result<Ve
     let path = context.stamp(&bls.path);
 
     // Resolve the path to the BLS directory.
-    let bls_resolved = utils::resolve_path(Some(context.root().loaded_image_path()?), &path)
-        .context("unable to resolve bls path")?;
+    let bls_resolved =
+        eficore::path::resolve_path(Some(context.root().loaded_image_path()?), &path)
+            .context("unable to resolve bls path")?;
 
     // Construct a filesystem path to the BLS entries directory.
     let mut entries_path = PathBuf::from(

crates/boot/src/generators/bls/entry.rs

@@ -1,5 +1,6 @@
+use alloc::string::{String, ToString};
 use anyhow::{Error, Result};
-use std::str::FromStr;
+use core::str::FromStr;
 
 /// Represents a parsed BLS entry.
 /// Fields unrelated to Sprout are not included.

crates/boot/src/generators/list.rs

@@ -1,22 +1,10 @@
 use crate::context::SproutContext;
-use crate::entries::{BootableEntry, EntryDeclaration};
+use crate::entries::BootableEntry;
+use alloc::rc::Rc;
+use alloc::string::ToString;
+use alloc::vec::Vec;
 use anyhow::Result;
-use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
-use std::rc::Rc;
-
-/// List generator configuration.
-/// The list generator produces multiple entries based
-/// on a set of input maps.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct ListConfiguration {
-    /// The template entry to use for each generated entry.
-    #[serde(default)]
-    pub entry: EntryDeclaration,
-    /// The values to use as the input for the matrix.
-    #[serde(default)]
-    pub values: Vec<BTreeMap<String, String>>,
-}
+use edera_sprout_config::generators::list::ListConfiguration;
 
 /// Generates a set of entries using the specified `list` configuration in the `context`.
 pub fn generate(

crates/boot/src/generators/matrix.rs

@@ -1,23 +1,14 @@
 use crate::context::SproutContext;
-use crate::entries::{BootableEntry, EntryDeclaration};
+use crate::entries::BootableEntry;
 use crate::generators::list;
+use alloc::collections::BTreeMap;
+use alloc::rc::Rc;
+use alloc::string::String;
+use alloc::vec;
+use alloc::vec::Vec;
 use anyhow::Result;
-use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
-use std::rc::Rc;
-
-/// Matrix generator configuration.
-/// The matrix generator produces multiple entries based
-/// on input values multiplicatively.
-#[derive(Serialize, Deserialize, Debug, Default, Clone)]
-pub struct MatrixConfiguration {
-    /// The template entry to use for each generated entry.
-    #[serde(default)]
-    pub entry: EntryDeclaration,
-    /// The values to use as the input for the matrix.
-    #[serde(default)]
-    pub values: BTreeMap<String, Vec<String>>,
-}
+use edera_sprout_config::generators::list::ListConfiguration;
+use edera_sprout_config::generators::matrix::MatrixConfiguration;
 
 /// Builds out multiple generations of `input` based on a matrix style.
 /// For example, if input is: {"x": ["a", "b"], "y": ["c", "d"]}
@@ -61,7 +52,7 @@ pub fn generate(
     // Use the list generator to generate entries for each combination.
     list::generate(
         context,
-        &list::ListConfiguration {
+        &ListConfiguration {
             entry: matrix.entry.clone(),
             values: combinations,
         },

crates/boot/src/main.rs

@@ -1,26 +1,30 @@
 #![doc = include_str!("../README.md")]
-#![feature(uefi_std)]
+#![no_std]
+#![no_main]
+extern crate alloc;
 
-/// The delay to wait for when an error occurs in Sprout.
-const DELAY_ON_ERROR: Duration = Duration::from_secs(10);
-
-use crate::config::RootConfiguration;
 use crate::context::{RootContext, SproutContext};
 use crate::entries::BootableEntry;
-use crate::integrations::bootloader_interface::{BootloaderInterface, BootloaderInterfaceTimeout};
 use crate::options::SproutOptions;
-use crate::options::parser::OptionsRepresentable;
 use crate::phases::phase;
-use crate::platform::timer::PlatformTimer;
-use crate::platform::tpm::PlatformTpm;
-use crate::secure::SecureBoot;
-use crate::utils::PartitionGuidForm;
+use alloc::collections::BTreeMap;
+use alloc::format;
+use alloc::string::ToString;
+use alloc::vec::Vec;
 use anyhow::{Context, Result, bail};
+use core::ops::Deref;
+use core::time::Duration;
+use edera_sprout_config::RootConfiguration;
+use eficore::bootloader_interface::{BootloaderInterface, BootloaderInterfaceTimeout};
+use eficore::partition::PartitionGuidForm;
+use eficore::platform::timer::PlatformTimer;
+use eficore::platform::tpm::PlatformTpm;
+use eficore::secure::SecureBoot;
+use eficore::setup;
 use log::{error, info, warn};
-use std::collections::BTreeMap;
-use std::ops::Deref;
-use std::time::Duration;
+use uefi::entry;
 use uefi::proto::device_path::LoadedImageDevicePath;
+use uefi_raw::Status;
 
 /// actions: Code that can be configured and executed by Sprout.
 pub mod actions;
@@ -46,14 +50,11 @@ pub mod extractors;
 /// generators: Runtime code that can generate entries with specific values.
 pub mod generators;
 
-/// platform: Integration or support code for specific hardware platforms.
-pub mod platform;
-
 /// menu: Display a boot menu to select an entry to boot.
 pub mod menu;
 
-/// integrations: Code that interacts with other systems.
-pub mod integrations;
+/// options: Parse the options of the Sprout executable.
+pub mod options;
 
 /// phases: Hooks into specific parts of the boot process.
 pub mod phases;
@@ -61,23 +62,17 @@ pub mod phases;
 /// sbat: Secure Boot Attestation section.
 pub mod sbat;
 
-/// secure: Secure Boot support.
-pub mod secure;
-
-/// setup: Code that initializes the UEFI environment for Sprout.
-pub mod setup;
-
-/// options: Parse the options of the Sprout executable.
-pub mod options;
-
 /// utils: Utility functions that are used by other parts of Sprout.
 pub mod utils;
 
+/// The delay to wait for when an error occurs in Sprout.
+const DELAY_ON_ERROR: Duration = Duration::from_secs(10);
+
 /// Run Sprout, returning an error if one occurs.
 fn run() -> Result<()> {
     // For safety reasons, we will note that Secure Boot is in beta on Sprout.
     if SecureBoot::enabled().context("unable to determine Secure Boot status")? {
-        warn!("Secure Boot is enabled. Sprout Secure Boot is in beta.");
+        warn!("Sprout Secure Boot is in beta. Some functionality may not work as expected.");
     }
 
     // Start the platform timer.
@@ -128,7 +123,7 @@ fn run() -> Result<()> {
 
     // Grab the partition GUID of the ESP that sprout was loaded from.
     let loaded_image_partition_guid =
-        utils::partition_guid(&loaded_image_path, PartitionGuidForm::Partition)
+        eficore::partition::partition_guid(&loaded_image_path, PartitionGuidForm::Partition)
             .context("unable to retrieve loaded image partition guid")?;
 
     // Set the partition GUID of the ESP that sprout was loaded from in the bootloader interface.
@@ -373,23 +368,32 @@ fn run() -> Result<()> {
 /// The main entrypoint of sprout.
 /// It is possible this function will not return if actions that are executed
 /// exit boot services or do not return control to sprout.
-fn main() -> Result<()> {
+#[entry]
+fn efi_main() -> Status {
     // Initialize the basic UEFI environment.
-    setup::init()?;
+    // If initialization fails, we will return ABORTED.
+    // NOTE: This function will also initialize the logger.
+    // The logger will panic if it is unable to initialize.
+    // It is guaranteed that if this returns, the logger is initialized.
+    if let Err(error) = setup::init() {
+        error!("unable to initialize environment: {}", error);
+        return Status::ABORTED;
+    }
 
     // Run Sprout, then handle the error.
     let result = run();
     if let Err(ref error) = result {
         // Print an error trace.
-        error!("sprout encountered an error");
+        error!("sprout encountered an error: {}", error);
         for (index, stack) in error.chain().enumerate() {
             error!("[{}]: {}", index, stack);
         }
         // Sleep to allow the user to read the error.
         uefi::boot::stall(DELAY_ON_ERROR);
+        return Status::ABORTED;
     }
 
     // Sprout doesn't necessarily guarantee anything was booted.
     // If we reach here, we will exit back to whoever called us.
-    Ok(())
+    Status::SUCCESS
 }

crates/boot/src/menu.rs

@@ -1,9 +1,10 @@
 use crate::entries::BootableEntry;
-use crate::integrations::bootloader_interface::BootloaderInterface;
-use crate::platform::timer::PlatformTimer;
+use alloc::vec;
 use anyhow::{Context, Result, bail};
+use core::time::Duration;
+use eficore::bootloader_interface::BootloaderInterface;
+use eficore::platform::timer::PlatformTimer;
 use log::{info, warn};
-use std::time::Duration;
 use uefi::ResultExt;
 use uefi::boot::TimerTrigger;
 use uefi::proto::console::text::{Input, Key, ScanCode};
@@ -65,6 +66,7 @@ fn read(input: &mut Input, timeout: &Duration) -> Result<MenuOperation> {
 
     // Close the timer event that we acquired.
     // We don't need to close the key event because it is owned globally.
+    // This should always be called in practice as events are not modified by wait_for_event.
     if let Some(timer_event) = events.into_iter().next() {
         // Store the result of the close event so we can determine if we can safely assert it.
         let close_event_result =

crates/boot/src/options.rs

@@ -0,0 +1,132 @@
+use alloc::string::{String, ToString};
+use anyhow::Result;
+use core::ptr::null_mut;
+use jaarg::{
+    ErrorUsageWriter, ErrorUsageWriterContext, HelpWriter, HelpWriterContext, Opt, Opts,
+    ParseControl, ParseResult, StandardErrorUsageWriter, StandardFullHelpWriter,
+};
+use log::{error, info};
+use uefi_raw::Status;
+
+/// Default configuration file path.
+const DEFAULT_CONFIG_PATH: &str = "\\sprout.toml";
+
+/// The parsed options of sprout.
+#[derive(Debug)]
+pub struct SproutOptions {
+    /// Configures Sprout automatically based on the environment.
+    pub autoconfigure: bool,
+    /// Path to a configuration file to load.
+    pub config: String,
+    /// Entry to boot without showing the boot menu.
+    pub boot: Option<String>,
+    /// Force display of the boot menu.
+    pub force_menu: bool,
+    /// The timeout for the boot menu in seconds.
+    pub menu_timeout: Option<u64>,
+}
+
+/// The default Sprout options.
+impl Default for SproutOptions {
+    fn default() -> Self {
+        Self {
+            autoconfigure: false,
+            config: DEFAULT_CONFIG_PATH.to_string(),
+            boot: None,
+            force_menu: false,
+            menu_timeout: None,
+        }
+    }
+}
+
+/// The options parser mechanism for Sprout.
+impl SproutOptions {
+    /// Produces [SproutOptions] from the arguments provided by the UEFI core.
+    /// Internally we utilize the `jaarg` argument parser which has excellent no_std support.
+    pub fn parse() -> Result<Self> {
+        enum ArgID {
+            Help,
+            AutoConfigure,
+            Config,
+            Boot,
+            ForceMenu,
+            MenuTimeout,
+        }
+
+        // All the options for the Sprout executable.
+        const OPTIONS: Opts<ArgID> = Opts::new(&[
+            Opt::help_flag(ArgID::Help, &["--help"]).help_text("Display Sprout Help"),
+            Opt::flag(ArgID::AutoConfigure, &["--autoconfigure"])
+                .help_text("Enable Sprout autoconfiguration"),
+            Opt::value(ArgID::Config, &["--config"], "PATH")
+                .help_text("Path to Sprout configuration file"),
+            Opt::value(ArgID::Boot, &["--boot"], "ENTRY")
+                .help_text("Entry to boot, bypassing the menu"),
+            Opt::flag(ArgID::ForceMenu, &["--force-menu"]).help_text("Force showing the boot menu"),
+            Opt::value(ArgID::MenuTimeout, &["--menu-timeout"], "TIMEOUT")
+                .help_text("Boot menu timeout, in seconds"),
+        ]);
+
+        // Acquire the arguments as determined by the UEFI core.
+        let args = eficore::env::args()?;
+
+        // Use the default value of sprout options and have the raw options be parsed into it.
+        let mut result = Self::default();
+
+        // Parse the OPTIONS into a map using jaarg.
+        match OPTIONS.parse(
+            "sprout",
+            args.iter(),
+            |program_name, id, _opt, _name, value| {
+                match id {
+                    ArgID::AutoConfigure => {
+                        // Enable autoconfiguration.
+                        result.autoconfigure = true;
+                    }
+                    ArgID::Config => {
+                        // The configuration file to load.
+                        result.config = value.into();
+                    }
+                    ArgID::Boot => {
+                        // The entry to boot.
+                        result.boot = Some(value.into());
+                    }
+                    ArgID::ForceMenu => {
+                        // Force showing of the boot menu.
+                        result.force_menu = true;
+                    }
+                    ArgID::MenuTimeout => {
+                        // The timeout for the boot menu in seconds.
+                        result.menu_timeout = Some(value.parse::<u64>()?);
+                    }
+                    ArgID::Help => {
+                        let ctx = HelpWriterContext {
+                            options: &OPTIONS,
+                            program_name,
+                        };
+                        info!("{}", StandardFullHelpWriter::new(ctx));
+                        return Ok(ParseControl::Quit);
+                    }
+                }
+                Ok(ParseControl::Continue)
+            },
+            |program_name, error| {
+                let ctx = ErrorUsageWriterContext {
+                    options: &OPTIONS,
+                    program_name,
+                    error,
+                };
+                error!("{}", StandardErrorUsageWriter::new(ctx));
+            },
+        ) {
+            ParseResult::ContinueSuccess => Ok(result),
+            ParseResult::ExitSuccess => unsafe {
+                uefi::boot::exit(uefi::boot::image_handle(), Status::SUCCESS, 0, null_mut());
+            },
+
+            ParseResult::ExitError => unsafe {
+                uefi::boot::exit(uefi::boot::image_handle(), Status::ABORTED, 0, null_mut());
+            },
+        }
+    }
+}

crates/boot/src/phases.rs

@@ -0,0 +1,26 @@
+use crate::actions;
+use crate::context::SproutContext;
+use alloc::format;
+use alloc::rc::Rc;
+use anyhow::{Context, Result};
+use edera_sprout_config::phases::PhaseConfiguration;
+
+/// Executes the specified [phase] of the boot process.
+/// The value [phase] should be a reference of a specific phase in the [PhasesConfiguration].
+/// Any error from the actions is propagated into the [Result] and will interrupt further
+/// execution of phase actions.
+pub fn phase(context: Rc<SproutContext>, phase: &[PhaseConfiguration]) -> Result<()> {
+    for item in phase {
+        let mut context = context.fork();
+        // Insert the values into the context.
+        context.insert(&item.values);
+        let context = context.freeze();
+
+        // Execute all the actions in this phase configuration.
+        for action in item.actions.iter() {
+            actions::execute(context.clone(), action)
+                .context(format!("unable to execute action '{}'", action))?;
+        }
+    }
+    Ok(())
+}

crates/boot/src/sbat.rs

@@ -0,0 +1,2 @@
+// Include the generated sbat section in this file.
+include!(concat!(env!("OUT_DIR"), "/sbat.generated.rs"));

crates/boot/src/utils.rs

@@ -0,0 +1,26 @@
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use sha2::{Digest, Sha256};
+
+/// Implements a version comparison algorithm according to the BLS specification.
+pub mod vercmp;
+
+/// Combine a sequence of strings into a single string, separated by spaces, ignoring empty strings.
+pub fn combine_options<T: AsRef<str>>(options: impl Iterator<Item = T>) -> String {
+    options
+        .flat_map(|item| empty_is_none(Some(item)))
+        .map(|item| item.as_ref().to_string())
+        .collect::<Vec<_>>()
+        .join(" ")
+}
+
+/// Produce a unique hash for the input.
+/// This uses SHA-256, which is unique enough but relatively short.
+pub fn unique_hash(input: &str) -> String {
+    hex::encode(Sha256::digest(input.as_bytes()))
+}
+
+/// Filter a string-like Option `input` such that an empty string is [None].
+pub fn empty_is_none<T: AsRef<str>>(input: Option<T>) -> Option<T> {
+    input.filter(|input| !input.as_ref().is_empty())
+}

crates/boot/src/utils/vercmp.rs

@@ -1,5 +1,5 @@
-use std::cmp::Ordering;
-use std::iter::Peekable;
+use core::cmp::Ordering;
+use core::iter::Peekable;
 
 /// Handles single character advancement and comparison.
 macro_rules! handle_single_char {
@@ -23,9 +23,9 @@ pub fn compare_versions_optional(a: Option<&str>, b: Option<&str>) -> Ordering {
     match (a, b) {
         // If both have values, compare them.
         (Some(a), Some(b)) => compare_versions(a, b),
-        // If the second value is None, return that it is less than the first.
+        // If the second value is None, then `a` is less than `b`.
         (Some(_a), None) => Ordering::Less,
-        // If the first value is None, return that it is greater than the second.
+        // If the first value is None, the `a` is greater than `b`.
         (None, Some(_b)) => Ordering::Greater,
         // If both values are None, return that they are equal.
         (None, None) => Ordering::Equal,

crates/build/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "edera-sprout-build"
+description = "Sprout Build Tools"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[lib]
+name = "edera_sprout_build"
+path = "src/lib.rs"

crates/build/src/lib.rs

@@ -0,0 +1,76 @@
+use std::path::PathBuf;
+use std::{env, fs};
+
+/// Block size of the sbat section.
+const SBAT_BLOCK_SIZE: usize = 512;
+
+/// Template contents for the sbat.generated.rs file.
+const SBAT_RS_TEMPLATE: &str = include_str!("sbat.template.rs");
+
+/// Pad with zeros the given `data` to a multiple of `block_size`.
+fn block_pad(data: &mut Vec<u8>, block_size: usize) {
+    let needed = data.len().div_ceil(block_size).max(1) * block_size;
+
+    if needed != data.len() {
+        data.resize(needed, 0);
+    }
+}
+
+/// Generate an .sbat link section module. This should be coupled with including the sbat module in
+/// the crate that intends to embed the sbat section.
+/// We intake a sbat.template.csv file in the calling crate and output a sbat.dat
+/// which is included by a generated sbat.generated.rs file.
+pub fn generate_sbat_module() {
+    // Notify Cargo that if the version changes, we need to regenerate the sbat.out file.
+    println!("cargo:rerun-if-env-changed=CARGO_PKG_VERSION");
+
+    // The version of the package.
+    let version = env::var("CARGO_PKG_VERSION").expect("CARGO_PKG_VERSION not set");
+
+    // The output directory to place the sbat.csv into.
+    let output_dir = PathBuf::from(env::var("OUT_DIR").expect("OUT_DIR not set"));
+
+    // The output path to the sbat.out file.
+    let out_file = output_dir.join("sbat.out");
+
+    // The output path to the sbat.generated.rs file.
+    let rs_file = output_dir.join("sbat.generated.rs");
+
+    // The path to the root of the crate.
+    let crate_root =
+        PathBuf::from(env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set"));
+
+    // The path to the sbat.template.tsv file is in the source directory of the crate.
+    let sbat_template_file = crate_root.join("src/sbat.csv");
+
+    // Notify Cargo that if sbat.csv changes, we need to regenerate the sbat.out file.
+    println!(
+        "cargo:rerun-if-changed={}",
+        sbat_template_file
+            .to_str()
+            .expect("unable to convert sbat template path file to a string")
+    );
+
+    // Read the sbat.csv template file.
+    let sbat_template =
+        fs::read_to_string(&sbat_template_file).expect("unable to read sbat.csv file");
+
+    // Replace the version placeholder in the template with the actual version.
+    let sbat = sbat_template.replace("{version}", &version);
+
+    // Encode the sbat.csv as bytes.
+    let mut encoded = sbat.as_bytes().to_vec();
+
+    // Pad the sbat.csv to the required block size.
+    block_pad(&mut encoded, SBAT_BLOCK_SIZE);
+
+    // Write the sbat.out file to the output directory.
+    fs::write(&out_file, &encoded).expect("unable to write sbat.out");
+
+    // Generate the contents of the sbat.generated.rs file.
+    // The size must tbe size of the encoded sbat.out file.
+    let sbat_rs = SBAT_RS_TEMPLATE.replace("{size}", &encoded.len().to_string());
+
+    // Write the sbat.generated.rs file to the output directory.
+    fs::write(&rs_file, sbat_rs).expect("unable to write sbat.generated.rs");
+}

crates/build/src/sbat.template.rs

@@ -0,0 +1,6 @@
+/// Define the SBAT attestation by including the sbat.csv file.
+/// See this document for more details: https://github.com/rhboot/shim/blob/main/SBAT.md
+/// NOTE: This data must be aligned by 512 bytes.
+#[used]
+#[unsafe(link_section = ".sbat")]
+static SBAT: [u8; {size}] = *include_bytes!(concat!(env!("OUT_DIR"), "/sbat.out"));

crates/config/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "edera-sprout-config"
+description = "Sprout Configuration"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies.serde]
+workspace = true
+default-features = false
+
+[lib]
+name = "edera_sprout_config"
+path = "src/lib.rs"

crates/config/src/actions.rs

@@ -0,0 +1,32 @@
+use serde::{Deserialize, Serialize};
+
+/// Configuration for the chainload action.
+pub mod chainload;
+
+/// Configuration for the edera action.
+pub mod edera;
+
+/// Configuration for the print action.
+pub mod print;
+
+/// Declares an action that sprout can execute.
+/// Actions allow configuring sprout's internal runtime mechanisms with values
+/// that you can specify via other concepts.
+///
+/// Actions are the main work that Sprout gets done, like booting Linux.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ActionDeclaration {
+    /// Chainload to another EFI application.
+    /// This allows you to load any EFI application, either to boot an operating system
+    /// or to perform more EFI actions and return to sprout.
+    #[serde(default)]
+    pub chainload: Option<chainload::ChainloadConfiguration>,
+    /// Print a string to the EFI console.
+    #[serde(default)]
+    pub print: Option<print::PrintConfiguration>,
+    /// Boot the Edera hypervisor and the root operating system.
+    /// This action is an extension on top of the Xen EFI stub that
+    /// is specific to Edera.
+    #[serde(default, rename = "edera")]
+    pub edera: Option<edera::EderaConfiguration>,
+}

crates/config/src/actions/chainload.rs

@@ -0,0 +1,21 @@
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the chainload action.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ChainloadConfiguration {
+    /// The path to the image to chainload.
+    /// This can be a Linux EFI stub (vmlinuz usually) or a standard EFI executable.
+    pub path: String,
+    /// The options to pass to the image.
+    /// The options are concatenated by a space and then passed to the EFI application.
+    #[serde(default)]
+    pub options: Vec<String>,
+    /// An optional path to a Linux initrd.
+    /// This uses the [LINUX_EFI_INITRD_MEDIA_GUID] mechanism to load the initrd into the EFI stack.
+    /// For Linux, you can also use initrd=\path\to\initrd as an option, but this option is
+    /// generally better and safer as it can support additional load options in the future.
+    #[serde(default, rename = "linux-initrd")]
+    pub linux_initrd: Option<String>,
+}

crates/config/src/actions/edera.rs

@@ -0,0 +1,23 @@
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the edera action which boots the Edera hypervisor.
+/// Edera is based on Xen but modified significantly with a Rust stack.
+/// Sprout is a component of the Edera stack and provides the boot functionality of Xen.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct EderaConfiguration {
+    /// The path to the Xen hypervisor EFI image.
+    pub xen: String,
+    /// The path to the kernel to boot for dom0.
+    pub kernel: String,
+    /// The path to the initrd to load for dom0.
+    #[serde(default)]
+    pub initrd: Option<String>,
+    /// The options to pass to the kernel.
+    #[serde(default, rename = "kernel-options")]
+    pub kernel_options: Vec<String>,
+    /// The options to pass to the Xen hypervisor.
+    #[serde(default, rename = "xen-options")]
+    pub xen_options: Vec<String>,
+}

crates/config/src/actions/print.rs

@@ -0,0 +1,10 @@
+use alloc::string::String;
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the print action.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct PrintConfiguration {
+    /// The text to print to the console.
+    #[serde(default)]
+    pub text: String,
+}

crates/config/src/drivers.rs

@@ -0,0 +1,13 @@
+use alloc::string::String;
+use serde::{Deserialize, Serialize};
+
+/// Declares a driver configuration.
+/// Drivers allow extending the functionality of Sprout.
+/// Drivers are loaded at runtime and can provide extra functionality like filesystem support.
+/// Drivers are loaded by their name, which is used to reference them in other concepts.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct DriverDeclaration {
+    /// The filesystem path to the driver.
+    /// This file should be an EFI executable that can be located and executed.
+    pub path: String,
+}

crates/config/src/entries.rs

@@ -0,0 +1,21 @@
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// Declares a boot entry to display in the boot menu.
+///
+/// Entries are the user-facing concept of Sprout, making it possible
+/// to run a set of actions with a specific context.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct EntryDeclaration {
+    /// The title of the entry which will be display in the boot menu.
+    /// This is the pre-stamped value.
+    pub title: String,
+    /// The actions to run when the entry is selected.
+    #[serde(default)]
+    pub actions: Vec<String>,
+    /// The values to insert into the context when the entry is selected.
+    #[serde(default)]
+    pub values: BTreeMap<String, String>,
+}

crates/config/src/extractors.rs

@@ -1,10 +1,7 @@
-use crate::context::SproutContext;
 use crate::extractors::filesystem_device_match::FilesystemDeviceMatchExtractor;
-use anyhow::{Result, bail};
 use serde::{Deserialize, Serialize};
-use std::rc::Rc;
 
-/// The filesystem device match extractor.
+/// Configuration for the filesystem-device-match extractor.
 pub mod filesystem_device_match;
 
 /// Declares an extractor configuration.
@@ -19,14 +16,3 @@ pub struct ExtractorDeclaration {
     #[serde(default, rename = "filesystem-device-match")]
     pub filesystem_device_match: Option<FilesystemDeviceMatchExtractor>,
 }
-
-/// Extracts the value using the specified `extractor` under the provided `context`.
-/// The extractor must return a value, and if a value cannot be determined, an error
-/// should be returned.
-pub fn extract(context: Rc<SproutContext>, extractor: &ExtractorDeclaration) -> Result<String> {
-    if let Some(filesystem) = &extractor.filesystem_device_match {
-        filesystem_device_match::extract(context, filesystem)
-    } else {
-        bail!("unknown extractor configuration");
-    }
-}

crates/config/src/extractors/filesystem_device_match.rs

@@ -0,0 +1,30 @@
+use alloc::string::String;
+use serde::{Deserialize, Serialize};
+
+/// The filesystem device match extractor.
+/// This extractor finds a filesystem using some search criteria and returns
+/// the device root path that can concatenated with subpaths to access files
+/// on a particular filesystem.
+/// The fallback value can be used to provide a value if no match is found.
+///
+/// This extractor requires all the criteria to match. If no criteria is provided,
+/// an error is returned.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct FilesystemDeviceMatchExtractor {
+    /// Matches a filesystem that has the specified label.
+    #[serde(default, rename = "has-label")]
+    pub has_label: Option<String>,
+    /// Matches a filesystem that has the specified item.
+    /// An item is either a directory or file.
+    #[serde(default, rename = "has-item")]
+    pub has_item: Option<String>,
+    /// Matches a filesystem that has the specified partition UUID.
+    #[serde(default, rename = "has-partition-uuid")]
+    pub has_partition_uuid: Option<String>,
+    /// Matches a filesystem that has the specified partition type UUID.
+    #[serde(default, rename = "has-partition-type-uuid")]
+    pub has_partition_type_uuid: Option<String>,
+    /// The fallback value to use if no filesystem matches the criteria.
+    #[serde(default)]
+    pub fallback: Option<String>,
+}

crates/config/src/generators.rs

@@ -1,15 +1,15 @@
-use crate::context::SproutContext;
-use crate::entries::BootableEntry;
 use crate::generators::bls::BlsConfiguration;
 use crate::generators::list::ListConfiguration;
 use crate::generators::matrix::MatrixConfiguration;
-use anyhow::Result;
-use anyhow::bail;
 use serde::{Deserialize, Serialize};
-use std::rc::Rc;
 
+/// Configuration for the BLS generator.
 pub mod bls;
+
+/// Configuration for the list generator.
 pub mod list;
+
+/// Configuration for the matrix generator.
 pub mod matrix;
 
 /// Declares a generator configuration.
@@ -38,21 +38,3 @@ pub struct GeneratorDeclaration {
     /// Allows you to specify a list of values to generate an entry from.
     pub list: Option<ListConfiguration>,
 }
-
-/// Runs the generator specified by the `generator` option.
-/// It uses the specified `context` as the parent context for
-/// the generated entries, injecting more values if needed.
-pub fn generate(
-    context: Rc<SproutContext>,
-    generator: &GeneratorDeclaration,
-) -> Result<Vec<BootableEntry>> {
-    if let Some(matrix) = &generator.matrix {
-        matrix::generate(context, matrix)
-    } else if let Some(bls) = &generator.bls {
-        bls::generate(context, bls)
-    } else if let Some(list) = &generator.list {
-        list::generate(context, list)
-    } else {
-        bail!("unknown generator configuration");
-    }
-}

crates/config/src/generators/bls.rs

@@ -0,0 +1,22 @@
+use crate::entries::EntryDeclaration;
+use alloc::string::{String, ToString};
+use serde::{Deserialize, Serialize};
+
+/// The default path to the BLS directory.
+const BLS_TEMPLATE_PATH: &str = "\\loader";
+
+/// The configuration of the BLS generator.
+/// The BLS uses the Bootloader Specification to produce
+/// entries from an input template.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct BlsConfiguration {
+    /// The entry to use for as a template.
+    pub entry: EntryDeclaration,
+    /// The path to the BLS directory.
+    #[serde(default = "default_bls_path")]
+    pub path: String,
+}
+
+fn default_bls_path() -> String {
+    BLS_TEMPLATE_PATH.to_string()
+}

crates/config/src/generators/list.rs

@@ -0,0 +1,18 @@
+use crate::entries::EntryDeclaration;
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// List generator configuration.
+/// The list generator produces multiple entries based
+/// on a set of input maps.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ListConfiguration {
+    /// The template entry to use for each generated entry.
+    #[serde(default)]
+    pub entry: EntryDeclaration,
+    /// The values to use as the input for the matrix.
+    #[serde(default)]
+    pub values: Vec<BTreeMap<String, String>>,
+}

crates/config/src/generators/matrix.rs

@@ -0,0 +1,18 @@
+use crate::entries::EntryDeclaration;
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// Matrix generator configuration.
+/// The matrix generator produces multiple entries based
+/// on input values multiplicatively.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct MatrixConfiguration {
+    /// The template entry to use for each generated entry.
+    #[serde(default)]
+    pub entry: EntryDeclaration,
+    /// The values to use as the input for the matrix.
+    #[serde(default)]
+    pub values: BTreeMap<String, Vec<String>>,
+}

crates/config/src/lib.rs

@@ -1,14 +1,24 @@
+//! Sprout configuration descriptions.
+//! This crate provides all the configuration structures for Sprout.
+#![no_std]
+extern crate alloc;
+
 use crate::actions::ActionDeclaration;
 use crate::drivers::DriverDeclaration;
 use crate::entries::EntryDeclaration;
 use crate::extractors::ExtractorDeclaration;
 use crate::generators::GeneratorDeclaration;
 use crate::phases::PhasesConfiguration;
+use alloc::collections::BTreeMap;
+use alloc::string::String;
 use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
 
-/// The configuration loader mechanisms.
-pub mod loader;
+pub mod actions;
+pub mod drivers;
+pub mod entries;
+pub mod extractors;
+pub mod generators;
+pub mod phases;
 
 /// This is the latest version of the sprout configuration format.
 /// This must be incremented when the configuration breaks compatibility.
@@ -68,8 +78,7 @@ pub struct RootConfiguration {
 /// Options configuration for Sprout, used when the corresponding options are not specified.
 #[derive(Serialize, Deserialize, Debug, Default, Clone)]
 pub struct OptionsConfiguration {
-    /// The entry to boot without showing the boot menu.
-    /// If not specified, a boot menu is shown.
+    /// The entry to mark as the default entry, instead of the first entry.
     #[serde(rename = "default-entry", default)]
     pub default_entry: Option<String>,
     /// The timeout of the boot menu.
@@ -80,7 +89,8 @@ pub struct OptionsConfiguration {
     pub autoconfigure: bool,
 }
 
-fn latest_version() -> u32 {
+/// Get the latest version of the Sprout configuration format.
+pub fn latest_version() -> u32 {
     LATEST_VERSION
 }
 

crates/config/src/phases.rs

@@ -1,9 +1,7 @@
-use crate::actions;
-use crate::context::SproutContext;
-use anyhow::{Context, Result};
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
 use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
-use std::rc::Rc;
 
 /// Configures the various phases of the boot process.
 /// This allows hooking various phases to run actions.
@@ -32,23 +30,3 @@ pub struct PhaseConfiguration {
     #[serde(default)]
     pub values: BTreeMap<String, String>,
 }
-
-/// Executes the specified [phase] of the boot process.
-/// The value [phase] should be a reference of a specific phase in the [PhasesConfiguration].
-/// Any error from the actions is propagated into the [Result] and will interrupt further
-/// execution of phase actions.
-pub fn phase(context: Rc<SproutContext>, phase: &[PhaseConfiguration]) -> Result<()> {
-    for item in phase {
-        let mut context = context.fork();
-        // Insert the values into the context.
-        context.insert(&item.values);
-        let context = context.freeze();
-
-        // Execute all the actions in this phase configuration.
-        for action in item.actions.iter() {
-            actions::execute(context.clone(), action)
-                .context(format!("unable to execute action '{}'", action))?;
-        }
-    }
-    Ok(())
-}

crates/eficore/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "edera-sprout-eficore"
+description = "Sprout EFI Core"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+bitflags.workspace = true
+log.workspace = true
+shlex.workspace = true
+spin.workspace = true
+uefi.workspace = true
+uefi-raw.workspace = true
+
+[lib]
+name = "eficore"
+path = "src/lib.rs"

crates/eficore/src/bootloader_interface.rs

@@ -1,7 +1,9 @@
-use crate::integrations::bootloader_interface::bitflags::LoaderFeatures;
+use crate::bootloader_interface::bitflags::LoaderFeatures;
 use crate::platform::timer::PlatformTimer;
-use crate::utils::device_path_subpath;
-use crate::utils::variables::{VariableClass, VariableController};
+use crate::variables::{VariableClass, VariableController};
+use alloc::format;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
 use anyhow::{Context, Result};
 use uefi::proto::device_path::DevicePath;
 use uefi::{Guid, guid};
@@ -100,7 +102,8 @@ impl BootloaderInterface {
 
     /// Tell the system the relative path to the partition root of the current bootloader.
     pub fn set_loader_path(path: &DevicePath) -> Result<()> {
-        let subpath = device_path_subpath(path).context("unable to get loader path subpath")?;
+        let subpath =
+            crate::path::device_path_subpath(path).context("unable to get loader path subpath")?;
         Self::VENDOR.set_cstr16(
             "LoaderImageIdentifier",
             &subpath,

crates/eficore/src/env.rs

@@ -0,0 +1,69 @@
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use anyhow::{Context, Result, bail};
+use uefi::proto::loaded_image::{LoadOptionsError, LoadedImage};
+
+/// Loads the command-line arguments passed to the current image.
+pub fn args() -> Result<Vec<String>> {
+    // Acquire the current image handle.
+    let handle = uefi::boot::image_handle();
+
+    // Open the LoadedImage protocol for the current image.
+    let loaded_image = uefi::boot::open_protocol_exclusive::<LoadedImage>(handle)
+        .context("unable to open loaded image protocol for current image")?;
+
+    // Load the command-line argument string.
+    let options = match loaded_image.load_options_as_cstr16() {
+        // Load options were passed. We will return them for processing.
+        Ok(options) => options,
+
+        // No load options were passed. We will return an empty vector.
+        Err(LoadOptionsError::NotSet) => {
+            return Ok(Vec::new());
+        }
+
+        Err(LoadOptionsError::NotAligned) => {
+            bail!("load options are not properly aligned");
+        }
+
+        Err(LoadOptionsError::InvalidString(error)) => {
+            bail!("load options are not a valid string: {}", error);
+        }
+    };
+
+    // Convert the options to a string.
+    let options = options.to_string();
+
+    // Use shlex to parse the options.
+    // If shlex fails, we will perform a simple whitespace split.
+    let mut args = shlex::split(&options).unwrap_or_else(|| {
+        options
+            .split_ascii_whitespace()
+            .map(|string| string.to_string())
+            .collect::<Vec<_>>()
+    });
+
+    // Correct firmware that may add invalid arguments at the start.
+    // Witnessed this on a Dell Precision 5690 when direct booting.
+    args = args
+        .into_iter()
+        .skip_while(|arg| {
+            arg.chars()
+                .next()
+                // Filter out unprintable characters and backticks.
+                // Both of which have been observed in the wild.
+                .map(|c| c < 0x1f as char || c == '`')
+                .unwrap_or(false)
+        })
+        .collect();
+
+    // If there is a first argument, check if it is not an option.
+    // If it is not, we will assume it is the path to the executable and remove it.
+    if let Some(arg) = args.first()
+        && !arg.starts_with('-')
+    {
+        args.remove(0);
+    }
+
+    Ok(args)
+}

crates/eficore/src/framebuffer.rs

@@ -1,3 +1,5 @@
+use alloc::vec;
+use alloc::vec::Vec;
 use anyhow::{Context, Result};
 use uefi::proto::console::gop::{BltOp, BltPixel, BltRegion, GraphicsOutput};
 

crates/eficore/src/handle.rs

@@ -0,0 +1,26 @@
+use anyhow::{Context, Result};
+use uefi::boot::SearchType;
+use uefi::{Guid, Handle};
+use uefi_raw::Status;
+
+/// Find a handle that provides the specified `protocol`.
+pub fn find_handle(protocol: &Guid) -> Result<Option<Handle>> {
+    // Locate the requested protocol handle.
+    match uefi::boot::locate_handle_buffer(SearchType::ByProtocol(protocol)) {
+        // If a handle is found, the protocol is available.
+        Ok(handles) => Ok(if handles.is_empty() {
+            None
+        } else {
+            Some(handles[0])
+        }),
+        // If an error occurs, check if it is because the protocol is not available.
+        // If so, return false. Otherwise, return the error.
+        Err(error) => {
+            if error.status() == Status::NOT_FOUND {
+                Ok(None)
+            } else {
+                Err(error).context("unable to determine if the protocol is available")
+            }
+        }
+    }
+}

crates/eficore/src/lib.rs

@@ -0,0 +1,44 @@
+//! Sprout EFI Core.
+//! This crate provides tools for working with the EFI environment.
+#![no_std]
+extern crate alloc;
+
+/// EFI handle helpers.
+pub mod handle;
+
+/// Load and start EFI images.
+pub mod loader;
+
+/// Logging support for EFI applications.
+pub mod logger;
+
+/// Disk partitioning support infrastructure.
+pub mod partition;
+
+/// Path handling for UEFI.
+pub mod path;
+
+/// platform: Integration or support code for specific hardware platforms.
+pub mod platform;
+
+/// Secure Boot support.
+pub mod secure;
+
+/// Support for the shim loader application that enables Secure Boot.
+pub mod shim;
+
+/// String utilities.
+pub mod strings;
+
+/// Implements support for the bootloader interface specification.
+pub mod bootloader_interface;
+/// Acquire arguments from UEFI environment.
+pub mod env;
+/// Support code for the EFI framebuffer.
+pub mod framebuffer;
+/// Support code for the media loader protocol.
+pub mod media_loader;
+/// setup: Code that initializes the UEFI environment for Sprout.
+pub mod setup;
+/// Support code for EFI variables.
+pub mod variables;

crates/eficore/src/loader.rs

@@ -0,0 +1,141 @@
+use crate::loader::source::ImageSource;
+use crate::secure::SecureBoot;
+use crate::shim::hook::SecurityHook;
+use crate::shim::{ShimInput, ShimSupport};
+use anyhow::{Context, Result, bail};
+use log::warn;
+use uefi::Handle;
+use uefi::boot::LoadImageSource;
+
+/// Represents EFI image sources generically.
+pub mod source;
+
+/// Handle to a loaded EFI image.
+pub struct ImageHandle {
+    /// Handle to the loaded image.
+    handle: Handle,
+}
+
+impl ImageHandle {
+    /// Create a new image handle based on a handle from the UEFI stack.
+    pub fn new(handle: Handle) -> Self {
+        Self { handle }
+    }
+
+    /// Retrieve the underlying handle.
+    pub fn handle(&self) -> &Handle {
+        &self.handle
+    }
+}
+
+/// Request to load an image from a source, with support for additional validation features.
+pub struct ImageLoadRequest<'source> {
+    /// Handle to the current image.
+    current_image: Handle,
+    /// Source of the image to load.
+    source: ImageSource<'source>,
+}
+
+impl<'source> ImageLoadRequest<'source> {
+    /// Create a new image load request with a current image and a source.
+    pub fn new(current_image: Handle, source: ImageSource<'source>) -> Self {
+        Self {
+            current_image,
+            source,
+        }
+    }
+
+    /// Retrieve the current image.
+    pub fn current_image(&self) -> &Handle {
+        &self.current_image
+    }
+
+    /// Retrieve the source of the image to load.
+    pub fn source(&'source self) -> &'source ImageSource<'source> {
+        &self.source
+    }
+
+    /// Convert the request into a source.
+    pub fn into_source(self) -> ImageSource<'source> {
+        self.source
+    }
+}
+
+/// EFI image loader.
+pub struct ImageLoader;
+
+impl ImageLoader {
+    /// Load an image using the image `request` which allows
+    pub fn load(request: ImageLoadRequest) -> Result<ImageHandle> {
+        // Determine whether Secure Boot is enabled.
+        let secure_boot =
+            SecureBoot::enabled().context("unable to determine if secure boot is enabled")?;
+
+        // Determine whether the shim is loaded.
+        let shim_loaded = ShimSupport::loaded().context("unable to determine if shim is loaded")?;
+
+        // Determine whether the shim loader is available.
+        let shim_loader_available = ShimSupport::loader_available()
+            .context("unable to determine if shim loader is available")?;
+
+        // Determines whether LoadImage in Boot Services must be patched.
+        // Version 16 of the shim doesn't require extra effort to load Secure Boot binaries.
+        // If the image loader is installed, we can skip over the security hook.
+        let requires_security_hook = secure_boot && shim_loaded && !shim_loader_available;
+
+        // If the security hook is required, we will bail for now.
+        if requires_security_hook {
+            // Install the security hook, if possible. If it's not, this is necessary to continue,
+            // so we should bail.
+            let installed = SecurityHook::install().context("unable to install security hook")?;
+            if !installed {
+                bail!("unable to install security hook required for this platform");
+            }
+        }
+
+        // If the shim is loaded, we will need to retain the shim protocol to allow
+        // loading multiple images.
+        if shim_loaded {
+            // Retain the shim protocol after loading the image.
+            ShimSupport::retain()?;
+        }
+
+        // Clone the current image handle to use for loading the image.
+        let current_image = *request.current_image();
+
+        // Converts the source to a shim input with an owned data buffer.
+        let input = ShimInput::from(request.into_source())
+            .into_owned_data_buffer()
+            .context("unable to convert input to loaded data buffer")?;
+
+        // Constructs a LoadImageSource from the input.
+        let source = LoadImageSource::FromBuffer {
+            buffer: input.buffer().context("unable to get buffer from input")?,
+            file_path: input.file_path(),
+        };
+
+        // Loads the image using Boot Services LoadImage function.
+        let result = uefi::boot::load_image(current_image, source).context("unable to load image");
+
+        // If the security override is required, we will uninstall the security hook.
+        if requires_security_hook {
+            let uninstall_result = crate::shim::hook::SecurityHook::uninstall();
+            // Ensure we don't mask load image errors if uninstalling fails.
+            if result.is_err()
+                && let Err(uninstall_error) = &uninstall_result
+            {
+                // Warn on the error since the load image error is more important.
+                warn!("unable to uninstall security hook: {}", uninstall_error);
+            } else {
+                // Otherwise, ensure we handle the original uninstallation result.
+                uninstall_result?;
+            }
+        }
+
+        // Assert the result and grab the handle.
+        let handle = result?;
+
+        // Retrieve the handle from the result and make a new image handle.
+        Ok(ImageHandle::new(handle))
+    }
+}

crates/eficore/src/loader/source.rs

@@ -0,0 +1,25 @@
+use crate::path::ResolvedPath;
+use crate::shim::ShimInput;
+
+/// Represents a source of an EFI image.
+pub enum ImageSource<'source> {
+    /// The image is located at the specified path that has been resolved.
+    ResolvedPath(&'source ResolvedPath),
+    /// The image is located in a buffer.
+    DataBuffer {
+        /// Optional path to the image.
+        path: Option<&'source ResolvedPath>,
+        /// Buffer containing the image.
+        buffer: &'source [u8],
+    },
+}
+
+/// Implement conversion from `ImageSource` to `ShimInput`, which is used by the shim support code.
+impl<'source> From<ImageSource<'source>> for ShimInput<'source> {
+    fn from(value: ImageSource<'source>) -> Self {
+        match value {
+            ImageSource::ResolvedPath(path) => ShimInput::ResolvedPath(path),
+            ImageSource::DataBuffer { path, buffer } => ShimInput::DataBuffer(path, buffer),
+        }
+    }
+}

crates/eficore/src/logger.rs

@@ -0,0 +1,94 @@
+//! Based on: https://github.com/rust-osdev/uefi-rs/blob/main/uefi/src/helpers/logger.rs
+
+use alloc::format;
+use core::fmt::Write;
+use core::ptr;
+use core::sync::atomic::{AtomicPtr, Ordering};
+use log::{Log, Record};
+use uefi::proto::console::text::Output;
+
+/// The global logger object.
+static LOGGER: Logger = Logger::new();
+
+/// Logging mechanism for Sprout.
+/// Must be initialized to be used, as we use atomic pointers to store the output to write to.
+pub struct Logger {
+    writer: AtomicPtr<Output>,
+}
+
+impl Default for Logger {
+    /// Creates a default logger, which is uninitialized with an output.
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl Logger {
+    /// Create a new logger with an output not specified.
+    /// This will cause the logger to not print anything until it is configured.
+    pub const fn new() -> Self {
+        Self {
+            writer: AtomicPtr::new(ptr::null_mut()),
+        }
+    }
+
+    /// Retrieves the pointer to the output.
+    /// SAFETY: This pointer might be null, it should be checked before use.
+    #[must_use]
+    fn output(&self) -> *mut Output {
+        self.writer.load(Ordering::Acquire)
+    }
+
+    /// Sets the output to write to.
+    ///
+    /// # Safety
+    /// This function is unsafe because the output is technically leaked and unmanaged.
+    pub unsafe fn set_output(&self, output: *mut Output) {
+        self.writer.store(output, Ordering::Release);
+    }
+}
+
+impl Log for Logger {
+    /// Enable the logger always.
+    fn enabled(&self, _metadata: &log::Metadata<'_>) -> bool {
+        true
+    }
+
+    /// Log the specified `record` to the output if one is set.
+    fn log(&self, record: &Record) {
+        // Acquire the output. If one is not set, we do nothing.
+        let Some(output) = (unsafe { self.output().as_mut() }) else {
+            return;
+        };
+
+        // Format the log message.
+        let message = format!("{}", record.args());
+
+        // Iterate over every line, formatting the message and writing it to the output.
+        for line in message.lines() {
+            // The format writes the log level in front of every line of text.
+            let _ = writeln!(output, "[{:>5}] {}", record.level(), line);
+        }
+    }
+
+    /// This log is not buffered, so flushing isn't required.
+    fn flush(&self) {}
+}
+
+/// Initialize the logging environment, calling panic if something goes wrong.
+pub fn init() {
+    // Retrieve the stdout handle and set it as the output for the global logger.
+    uefi::system::with_stdout(|stdout| unsafe {
+        // SAFETY: We are using the stdout handle to create a pointer to the output.
+        // The handle is global and is guaranteed to be valid for the lifetime of the program.
+        LOGGER.set_output(stdout);
+    });
+
+    // Set the logger to the global logger.
+    if let Err(error) = log::set_logger(&LOGGER) {
+        panic!("unable to set logger: {}", error);
+    }
+
+    // Set the max level to the level specified by the log features.
+    log::set_max_level(log::STATIC_MAX_LEVEL);
+}

crates/eficore/src/media_loader.rs

@@ -1,5 +1,8 @@
+use alloc::boxed::Box;
+use alloc::vec::Vec;
 use anyhow::{Context, Result, bail};
-use std::ffi::c_void;
+use core::ffi::c_void;
+use core::ptr;
 use uefi::proto::device_path::DevicePath;
 use uefi::proto::device_path::build::DevicePathBuilder;
 use uefi::proto::device_path::build::media::Vendor;
@@ -158,14 +161,31 @@ impl MediaLoaderHandle {
 
         // Install a protocol interface for the device path.
         // This ensures it can be located by other EFI programs.
-        let primary_handle = unsafe {
+        let primary_handle = match unsafe {
             uefi::boot::install_protocol_interface(
                 None,
                 &DevicePathProtocol::GUID,
                 path.as_ffi_ptr() as *mut c_void,
             )
         }
-        .context("unable to install media loader device path handle")?;
+        .context("unable to install media loader device path handle")
+        {
+            // Acquiring the primary handle succeeded, so we can return the handle.
+            Ok(handle) => handle,
+            // If acquiring the primary handle failed, we free the device path and return the error.
+            Err(error) => {
+                // SAFETY: We know that the device path is leaked,
+                // so we can safely take a reference to it again.
+                // The UEFI stack failed to install the protocol interface
+                // if we reach here, so the path is no longer in use.
+                let path = unsafe { Box::from_raw(path) };
+                // Explicitly drop the path to clarify the lifetime.
+                drop(path);
+
+                // Return the original error.
+                return Err(error);
+            }
+        };
 
         // Leak the data we need to pass to the UEFI stack.
         let data = Box::leak(data);
@@ -261,8 +281,7 @@ impl MediaLoaderHandle {
             let protocol = Box::from_raw(self.protocol);
 
             // Retrieve a box for the data we passed in.
-            let slice =
-                std::ptr::slice_from_raw_parts_mut(protocol.address as *mut u8, protocol.length);
+            let slice = ptr::slice_from_raw_parts_mut(protocol.address as *mut u8, protocol.length);
             let data = Box::from_raw(slice);
 
             // Drop all the allocations explicitly, as we don't want to leak them.

crates/eficore/src/partition.rs

@@ -0,0 +1,55 @@
+use anyhow::{Context, Result};
+use uefi::Guid;
+use uefi::proto::device_path::DevicePath;
+use uefi::proto::media::partition::PartitionInfo;
+use uefi_raw::Status;
+
+/// Represents the type of partition GUID that can be retrieved.
+#[derive(PartialEq, Eq)]
+pub enum PartitionGuidForm {
+    /// The partition GUID is the unique partition GUID.
+    Partition,
+    /// The partition GUID is the partition type GUID.
+    PartitionType,
+}
+
+/// Retrieve the partition / partition type GUID of the device root `path`.
+/// This only works on GPT partitions. If the root is not a GPT partition, None is returned.
+/// If the GUID is all zeros, this will return None.
+pub fn partition_guid(path: &DevicePath, form: PartitionGuidForm) -> Result<Option<Guid>> {
+    // Clone the path so we can pass it to the UEFI stack.
+    let path = path.to_boxed();
+    let result = uefi::boot::locate_device_path::<PartitionInfo>(&mut &*path);
+    let handle = match result {
+        Ok(handle) => Ok(Some(handle)),
+        Err(error) => {
+            // If the error is NOT_FOUND or UNSUPPORTED, we can return None.
+            // These are non-fatal errors.
+            if error.status() == Status::NOT_FOUND || error.status() == Status::UNSUPPORTED {
+                Ok(None)
+            } else {
+                Err(error)
+            }
+        }
+    }
+    .context("unable to locate device path")?;
+
+    // If we have the handle, we can try to open the partition info protocol.
+    if let Some(handle) = handle {
+        // Open the partition info protocol.
+        let partition_info = uefi::boot::open_protocol_exclusive::<PartitionInfo>(handle)
+            .context("unable to open partition info protocol")?;
+        // Find the unique partition GUID.
+        // If this is not a GPT partition, this will produce None.
+        Ok(partition_info
+            .gpt_partition_entry()
+            .map(|entry| match form {
+                // Match the form of the partition GUID.
+                PartitionGuidForm::Partition => entry.unique_partition_guid,
+                PartitionGuidForm::PartitionType => entry.partition_type_guid.0,
+            })
+            .filter(|guid| !guid.is_zero()))
+    } else {
+        Ok(None)
+    }
+}

crates/eficore/src/path.rs

@@ -1,25 +1,50 @@
-use anyhow::{Context, Result, bail};
-use std::ops::Deref;
-use uefi::boot::SearchType;
+use alloc::borrow::ToOwned;
+use alloc::boxed::Box;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use anyhow::{Context, Result};
+use core::ops::Deref;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::text::{AllowShortcuts, DevicePathFromText, DisplayOnly};
 use uefi::proto::device_path::{DevicePath, PoolDevicePath};
 use uefi::proto::media::fs::SimpleFileSystem;
-use uefi::proto::media::partition::PartitionInfo;
-use uefi::{CString16, Guid, Handle};
-use uefi_raw::Status;
+use uefi::{CString16, Handle};
 
-/// Support code for the EFI framebuffer.
-pub mod framebuffer;
+/// Represents the components of a resolved path.
+pub struct ResolvedPath {
+    /// The root path of the resolved path. This is the device itself.
+    /// For example, "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/"
+    pub root_path: Box<DevicePath>,
+    /// The subpath of the resolved path. This is the path to the file.
+    /// For example, "\EFI\BOOT\BOOTX64.efi"
+    pub sub_path: Box<DevicePath>,
+    /// The full path of the resolved path. This is the safest path to use.
+    /// For example, "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/\EFI\BOOT\BOOTX64.efi"
+    pub full_path: Box<DevicePath>,
+    /// The handle of the filesystem containing the path.
+    /// This can be used to acquire a [SimpleFileSystem] protocol to read the file.
+    pub filesystem_handle: Handle,
+}
 
-/// Support code for the media loader protocol.
-pub mod media_loader;
+impl ResolvedPath {
+    /// Read the file specified by this path into a buffer and return it.
+    pub fn read_file(&self) -> Result<Vec<u8>> {
+        let fs = uefi::boot::open_protocol_exclusive::<SimpleFileSystem>(self.filesystem_handle)
+            .context("unable to open filesystem protocol")?;
+        let mut fs = FileSystem::new(fs);
+        let path = self
+            .sub_path
+            .to_string(DisplayOnly(false), AllowShortcuts(false))?;
+        let content = fs.read(Path::new(&path));
+        content.context("unable to read file contents")
+    }
+}
 
-/// Support code for EFI variables.
-pub mod variables;
-
-/// Implements a version comparison algorithm according to the BLS specification.
-pub mod vercmp;
+/// Checks if a [CString16] contains a char `c`.
+/// We need to call to_string() because CString16 doesn't support `contains` with a char.
+fn cstring16_contains_char(string: &CString16, c: char) -> bool {
+    string.to_string().contains(c)
+}
 
 /// Parses the input `path` as a [DevicePath].
 /// Uses the [DevicePathFromText] protocol exclusively, and will fail if it cannot acquire the protocol.
@@ -36,12 +61,6 @@ pub fn text_to_device_path(path: &str) -> Result<PoolDevicePath> {
         .context("unable to convert text to device path")
 }
 
-/// Checks if a [CString16] contains a char `c`.
-/// We need to call to_string() because CString16 doesn't support `contains` with a char.
-fn cstring16_contains_char(string: &CString16, c: char) -> bool {
-    string.to_string().contains(c)
-}
-
 /// Grabs the root part of the `path`.
 /// For example, given "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/\EFI\BOOT\BOOTX64.efi"
 /// it will give "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)"
@@ -91,36 +110,6 @@ pub fn device_path_subpath(path: &DevicePath) -> Result<String> {
     Ok(path)
 }
 
-/// Represents the components of a resolved path.
-pub struct ResolvedPath {
-    /// The root path of the resolved path. This is the device itself.
-    /// For example, "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/"
-    pub root_path: Box<DevicePath>,
-    /// The subpath of the resolved path. This is the path to the file.
-    /// For example, "\EFI\BOOT\BOOTX64.efi"
-    pub sub_path: Box<DevicePath>,
-    /// The full path of the resolved path. This is the safest path to use.
-    /// For example, "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/\EFI\BOOT\BOOTX64.efi"
-    pub full_path: Box<DevicePath>,
-    /// The handle of the filesystem containing the path.
-    /// This can be used to acquire a [SimpleFileSystem] protocol to read the file.
-    pub filesystem_handle: Handle,
-}
-
-impl ResolvedPath {
-    /// Read the file specified by this path into a buffer and return it.
-    pub fn read_file(&self) -> Result<Vec<u8>> {
-        let fs = uefi::boot::open_protocol_exclusive::<SimpleFileSystem>(self.filesystem_handle)
-            .context("unable to open filesystem protocol")?;
-        let mut fs = FileSystem::new(fs);
-        let path = self
-            .sub_path
-            .to_string(DisplayOnly(false), AllowShortcuts(false))?;
-        let content = fs.read(Path::new(&path));
-        content.context("unable to read file contents")
-    }
-}
-
 /// Resolve a path specified by `input` to its various components.
 /// Uses `default_root_path` as the base root if one is not specified in the path.
 /// Returns [ResolvedPath] which contains the resolved components.
@@ -183,114 +172,3 @@ pub fn read_file_contents(default_root_path: Option<&DevicePath>, input: &str) -
     let resolved = resolve_path(default_root_path, input)?;
     resolved.read_file()
 }
-
-/// Filter a string-like Option `input` such that an empty string is [None].
-pub fn empty_is_none<T: AsRef<str>>(input: Option<T>) -> Option<T> {
-    input.filter(|input| !input.as_ref().is_empty())
-}
-
-/// Combine a sequence of strings into a single string, separated by spaces, ignoring empty strings.
-pub fn combine_options<T: AsRef<str>>(options: impl Iterator<Item = T>) -> String {
-    options
-        .flat_map(|item| empty_is_none(Some(item)))
-        .map(|item| item.as_ref().to_string())
-        .collect::<Vec<_>>()
-        .join(" ")
-}
-
-/// Produce a unique hash for the input.
-/// This uses SHA-256, which is unique enough but relatively short.
-pub fn unique_hash(input: &str) -> String {
-    sha256::digest(input.as_bytes())
-}
-
-/// Represents the type of partition GUID that can be retrieved.
-#[derive(PartialEq, Eq)]
-pub enum PartitionGuidForm {
-    /// The partition GUID is the unique partition GUID.
-    Partition,
-    /// The partition GUID is the partition type GUID.
-    PartitionType,
-}
-
-/// Retrieve the partition / partition type GUID of the device root `path`.
-/// This only works on GPT partitions. If the root is not a GPT partition, None is returned.
-/// If the GUID is all zeros, this will return None.
-pub fn partition_guid(path: &DevicePath, form: PartitionGuidForm) -> Result<Option<Guid>> {
-    // Clone the path so we can pass it to the UEFI stack.
-    let path = path.to_boxed();
-    let result = uefi::boot::locate_device_path::<PartitionInfo>(&mut &*path);
-    let handle = match result {
-        Ok(handle) => Ok(Some(handle)),
-        Err(error) => {
-            // If the error is NOT_FOUND or UNSUPPORTED, we can return None.
-            // These are non-fatal errors.
-            if error.status() == Status::NOT_FOUND || error.status() == Status::UNSUPPORTED {
-                Ok(None)
-            } else {
-                Err(error)
-            }
-        }
-    }
-    .context("unable to locate device path")?;
-
-    // If we have the handle, we can try to open the partition info protocol.
-    if let Some(handle) = handle {
-        // Open the partition info protocol.
-        let partition_info = uefi::boot::open_protocol_exclusive::<PartitionInfo>(handle)
-            .context("unable to open partition info protocol")?;
-        // Find the unique partition GUID.
-        // If this is not a GPT partition, this will produce None.
-        Ok(partition_info
-            .gpt_partition_entry()
-            .map(|entry| match form {
-                // Match the form of the partition GUID.
-                PartitionGuidForm::Partition => entry.unique_partition_guid,
-                PartitionGuidForm::PartitionType => entry.partition_type_guid.0,
-            })
-            .filter(|guid| !guid.is_zero()))
-    } else {
-        Ok(None)
-    }
-}
-
-/// Find a handle that provides the specified `protocol`.
-pub fn find_handle(protocol: &Guid) -> Result<Option<Handle>> {
-    // Locate the requested protocol handle.
-    match uefi::boot::locate_handle_buffer(SearchType::ByProtocol(protocol)) {
-        // If a handle is found, the protocol is available.
-        Ok(handles) => Ok(if handles.is_empty() {
-            None
-        } else {
-            Some(handles[0])
-        }),
-        // If an error occurs, check if it is because the protocol is not available.
-        // If so, return false. Otherwise, return the error.
-        Err(error) => {
-            if error.status() == Status::NOT_FOUND {
-                Ok(None)
-            } else {
-                Err(error).context("unable to determine if the protocol is available")
-            }
-        }
-    }
-}
-
-/// Convert a byte slice into a CString16.
-pub fn utf16_bytes_to_cstring16(bytes: &[u8]) -> Result<CString16> {
-    // Validate the input bytes are the right length.
-    if !bytes.len().is_multiple_of(2) {
-        bail!("utf16 bytes must be a multiple of 2");
-    }
-
-    // Convert the bytes to UTF-16 data.
-    let data = bytes
-        // Chunk everything into two bytes.
-        .chunks_exact(2)
-        // Reinterpret the bytes as u16 little-endian.
-        .map(|chunk| u16::from_le_bytes([chunk[0], chunk[1]]))
-        // Collect the result into a vector.
-        .collect::<Vec<_>>();
-
-    CString16::try_from(data).context("unable to convert utf16 bytes to CString16")
-}

crates/eficore/src/platform.rs

@@ -0,0 +1,4 @@
+/// Timer support.
+pub mod timer;
+/// TPM support.
+pub mod tpm;

crates/eficore/src/platform/timer.rs

@@ -1,7 +1,7 @@
 // Referenced https://github.com/sheroz/tick_counter (MIT license) as a baseline.
 // Architecturally modified to support UEFI and remove x86 (32-bit) support.
 
-use std::time::Duration;
+use core::time::Duration;
 
 /// Support for aarch64 timers.
 #[cfg(target_arch = "aarch64")]
@@ -17,7 +17,7 @@ pub enum TickFrequency {
     /// The platform provides the tick frequency.
     Hardware(u64),
     /// The tick frequency is measured internally.
-    Measured(u64, Duration),
+    Measured(u64),
 }
 
 impl TickFrequency {
@@ -25,7 +25,7 @@ impl TickFrequency {
     fn ticks(&self) -> u64 {
         match self {
             TickFrequency::Hardware(frequency) => *frequency,
-            TickFrequency::Measured(frequency, _) => *frequency,
+            TickFrequency::Measured(frequency) => *frequency,
         }
     }
 

crates/eficore/src/platform/timer/aarch64.rs

@@ -1,5 +1,5 @@
 use crate::platform::timer::TickFrequency;
-use std::arch::asm;
+use core::arch::asm;
 
 /// Reads the cntvct_el0 counter and returns the value.
 pub fn ticks() -> u64 {
@@ -10,16 +10,6 @@ pub fn ticks() -> u64 {
     counter
 }
 
-/// We can use the actual ticks value as our start value.
-pub fn start() -> u64 {
-    ticks()
-}
-
-/// We can use the actual ticks value as our stop value.
-pub fn stop() -> u64 {
-    ticks()
-}
-
 /// Our frequency is provided by cntfrq_el0 on the platform.
 pub fn frequency() -> TickFrequency {
     let frequency: u64;

crates/eficore/src/platform/timer/x86_64.rs

@@ -0,0 +1,29 @@
+use crate::platform::timer::TickFrequency;
+use core::time::Duration;
+
+/// We will measure the frequency of the timer based on 1000 microseconds.
+/// This will result in a call to BS->Stall(1000) in the end.
+const MEASURE_FREQUENCY_DURATION: Duration = Duration::from_micros(1000);
+
+/// Read the number of ticks from the platform timer.
+pub fn ticks() -> u64 {
+    // SAFETY: Reads the platform timer, which is safe in any context.
+    unsafe { core::arch::x86_64::_rdtsc() }
+}
+
+/// Measure the frequency of the platform timer.
+/// NOTE: Intentionally, we do not synchronize rdtsc during measurement to match systemd behavior.
+fn measure_frequency() -> u64 {
+    let start = ticks();
+    uefi::boot::stall(MEASURE_FREQUENCY_DURATION);
+    let stop = ticks();
+    let elapsed = stop.wrapping_sub(start) as f64;
+    (elapsed / MEASURE_FREQUENCY_DURATION.as_secs_f64()) as u64
+}
+
+/// Acquire the platform timer frequency.
+/// On x86_64, this is slightly expensive, so it should be done once.
+pub fn frequency() -> TickFrequency {
+    let frequency = measure_frequency();
+    TickFrequency::Measured(frequency)
+}

crates/eficore/src/platform/tpm.rs

@@ -1,4 +1,3 @@
-use crate::utils;
 use anyhow::{Context, Result};
 use uefi::ResultExt;
 use uefi::boot::ScopedProtocol;
@@ -43,8 +42,8 @@ impl PlatformTpm {
     /// Returns None if TPM is not available.
     fn protocol() -> Result<Option<TpmProtocolHandle>> {
         // Attempt to acquire the TCG2 protocol handle. If it's not available, return None.
-        let Some(handle) =
-            utils::find_handle(&Tcg2Protocol::GUID).context("unable to determine tpm presence")?
+        let Some(handle) = crate::handle::find_handle(&Tcg2Protocol::GUID)
+            .context("unable to determine tpm presence")?
         else {
             return Ok(None);
         };
@@ -85,7 +84,9 @@ impl PlatformTpm {
         };
 
         // Check if the TPM supports `GetActivePcrBanks`, and if it doesn't return zero.
-        if handle.version().major < 1 || handle.version().major == 1 && handle.version().minor < 1 {
+        if (handle.version().major < 1)
+            || (handle.version().major == 1 && (handle.version().minor < 1))
+        {
             return Ok(0);
         }
 

crates/eficore/src/secure.rs

@@ -1,4 +1,4 @@
-use crate::utils::variables::VariableController;
+use crate::variables::VariableController;
 use anyhow::Result;
 
 /// Secure boot services.

crates/eficore/src/setup.rs

@@ -0,0 +1,14 @@
+use crate::logger;
+use anyhow::{Context, Result};
+
+/// Initializes the UEFI environment.
+pub fn init() -> Result<()> {
+    // Initialize the logger for Sprout.
+    // NOTE: This cannot use a result type as errors need to be printed
+    // using the logger, which is not initialized until this returns.
+    logger::init();
+
+    // Initialize further UEFI internals.
+    uefi::helpers::init().context("unable to initialize uefi environment")?;
+    Ok(())
+}

crates/eficore/src/shim.rs

@@ -1,14 +1,11 @@
-use crate::integrations::shim::hook::SecurityHook;
-use crate::secure::SecureBoot;
-use crate::utils;
-use crate::utils::ResolvedPath;
-use crate::utils::variables::{VariableClass, VariableController};
+use crate::path::ResolvedPath;
+use crate::variables::{VariableClass, VariableController};
+use alloc::boxed::Box;
+use alloc::string::ToString;
+use alloc::vec::Vec;
 use anyhow::{Context, Result, anyhow, bail};
-use log::warn;
-use std::ffi::c_void;
-use std::pin::Pin;
-use uefi::Handle;
-use uefi::boot::LoadImageSource;
+use core::ffi::c_void;
+use core::pin::Pin;
 use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
 use uefi::proto::device_path::{DevicePath, FfiDevicePath};
 use uefi::proto::unsafe_protocol;
@@ -16,7 +13,7 @@ use uefi_raw::table::runtime::VariableVendor;
 use uefi_raw::{Guid, Status, guid};
 
 /// Security hook support.
-mod hook;
+pub mod hook;
 
 /// Support for the shim loader application for Secure Boot.
 pub struct ShimSupport;
@@ -87,7 +84,7 @@ impl<'a> ShimInput<'a> {
                 let path = path
                     .to_string(DisplayOnly(false), AllowShortcuts(false))
                     .context("unable to convert device path to string")?;
-                let path = utils::resolve_path(None, &path.to_string())
+                let path = crate::path::resolve_path(None, &path.to_string())
                     .context("unable to resolve path")?;
                 // Read the file path.
                 let data = path.read_file()?;
@@ -160,14 +157,14 @@ impl ShimSupport {
 
     /// Determines whether the shim is loaded.
     pub fn loaded() -> Result<bool> {
-        Ok(utils::find_handle(&Self::SHIM_LOCK_GUID)
+        Ok(crate::handle::find_handle(&Self::SHIM_LOCK_GUID)
             .context("unable to find shim lock protocol")?
             .is_some())
     }
 
     /// Determines whether the shim loader is available.
     pub fn loader_available() -> Result<bool> {
-        Ok(utils::find_handle(&Self::SHIM_IMAGE_LOADER_GUID)
+        Ok(crate::handle::find_handle(&Self::SHIM_IMAGE_LOADER_GUID)
             .context("unable to find shim image loader protocol")?
             .is_some())
     }
@@ -175,7 +172,7 @@ impl ShimSupport {
     /// Use the shim to validate the `input`, returning [ShimVerificationOutput] when complete.
     pub fn verify(input: ShimInput) -> Result<ShimVerificationOutput> {
         // Acquire the handle to the shim lock protocol.
-        let handle = utils::find_handle(&Self::SHIM_LOCK_GUID)
+        let handle = crate::handle::find_handle(&Self::SHIM_LOCK_GUID)
             .context("unable to find shim lock protocol")?
             .ok_or_else(|| anyhow!("unable to find shim lock protocol"))?;
         // Acquire the protocol exclusively to the shim lock.
@@ -235,72 +232,6 @@ impl ShimSupport {
             .unwrap_or(ShimVerificationOutput::VerifiedDataNotLoaded))
     }
 
-    /// Load the image specified by the `input` and returns an image handle.
-    pub fn load(current_image: Handle, input: ShimInput) -> Result<Handle> {
-        // Determine whether Secure Boot is enabled.
-        let secure_boot =
-            SecureBoot::enabled().context("unable to determine if secure boot is enabled")?;
-
-        // Determine whether the shim is loaded.
-        let shim_loaded = Self::loaded().context("unable to determine if shim is loaded")?;
-
-        // Determine whether the shim loader is available.
-        let shim_loader_available =
-            Self::loader_available().context("unable to determine if shim loader is available")?;
-
-        // Determines whether LoadImage in Boot Services must be patched.
-        // Version 16 of the shim doesn't require extra effort to load Secure Boot binaries.
-        // If the image loader is installed, we can skip over the security hook.
-        let requires_security_hook = secure_boot && shim_loaded && !shim_loader_available;
-
-        // If the security hook is required, we will bail for now.
-        if requires_security_hook {
-            // Install the security hook, if possible. If it's not, this is necessary to continue,
-            // so we should bail.
-            let installed = SecurityHook::install().context("unable to install security hook")?;
-            if !installed {
-                bail!("unable to install security hook required for this platform");
-            }
-        }
-
-        // If the shim is loaded, we will need to retain the shim protocol to allow
-        // loading multiple images.
-        if shim_loaded {
-            // Retain the shim protocol after loading the image.
-            Self::retain()?;
-        }
-
-        // Converts the shim input to an owned data buffer.
-        let input = input
-            .into_owned_data_buffer()
-            .context("unable to convert input to loaded data buffer")?;
-
-        // Constructs a LoadImageSource from the input.
-        let source = LoadImageSource::FromBuffer {
-            buffer: input.buffer().context("unable to get buffer from input")?,
-            file_path: input.file_path(),
-        };
-
-        // Loads the image using Boot Services LoadImage function.
-        let result = uefi::boot::load_image(current_image, source).context("unable to load image");
-
-        // If the security override is required, we will uninstall the security hook.
-        if requires_security_hook {
-            let uninstall_result = SecurityHook::uninstall();
-            // Ensure we don't mask load image errors if uninstalling fails.
-            if result.is_err()
-                && let Err(uninstall_error) = &uninstall_result
-            {
-                // Warn on the error since the load image error is more important.
-                warn!("unable to uninstall security hook: {}", uninstall_error);
-            } else {
-                // Otherwise, ensure we handle the original uninstallation result.
-                uninstall_result?;
-            }
-        }
-        result
-    }
-
     /// Set the ShimRetainProtocol variable to indicate that shim should retain the protocols
     /// for the full lifetime of boot services.
     pub fn retain() -> Result<()> {

crates/eficore/src/shim/hook.rs

@@ -1,8 +1,8 @@
-use crate::integrations::shim::{ShimInput, ShimSupport, ShimVerificationOutput};
-use crate::utils;
-use anyhow::{Context, Result, bail};
+use crate::shim::{ShimInput, ShimSupport, ShimVerificationOutput};
+use anyhow::{Context, Result};
+use core::slice;
 use log::warn;
-use std::sync::{LazyLock, Mutex};
+use spin::{Lazy, Mutex};
 use uefi::proto::device_path::FfiDevicePath;
 use uefi::proto::unsafe_protocol;
 use uefi::{Guid, guid};
@@ -45,8 +45,7 @@ struct SecurityHookState {
 
 /// Global state for the security hook.
 /// This is messy, but it is safe given the mutex.
-static GLOBAL_HOOK_STATE: LazyLock<Mutex<Option<SecurityHookState>>> =
-    LazyLock::new(|| Mutex::new(None));
+static GLOBAL_HOOK_STATE: Lazy<Mutex<Option<SecurityHookState>>> = Lazy::new(|| Mutex::new(None));
 
 /// Security hook helper.
 pub struct SecurityHook;
@@ -110,24 +109,13 @@ impl SecurityHook {
         // Verify the input, if it fails, call the original hook.
         if !Self::verify(input) {
             // Acquire the global hook state to grab the original hook.
-            let function = match GLOBAL_HOOK_STATE.lock() {
-                // We have acquired the lock, so we can find the original hook.
-                Ok(state) => match state.as_ref() {
-                    // The hook state is available, so we can acquire the original hook.
-                    Some(state) => state.original_hook.file_authentication_state,
+            let function = match GLOBAL_HOOK_STATE.lock().as_ref() {
+                // The hook state is available, so we can acquire the original hook.
+                Some(state) => state.original_hook.file_authentication_state,
 
-                    // The hook state is not available, so we can't call the original hook.
-                    None => {
-                        warn!("global hook state is not available, unable to call original hook");
-                        return Status::LOAD_ERROR;
-                    }
-                },
-
-                Err(error) => {
-                    warn!(
-                        "unable to acquire global hook state lock to call original hook: {}",
-                        error,
-                    );
+                // The hook state is not available, so we can't call the original hook.
+                None => {
+                    warn!("global hook state is not available, unable to call original hook");
                     return Status::LOAD_ERROR;
                 }
             };
@@ -161,7 +149,7 @@ impl SecurityHook {
         }
 
         // Construct a slice out of the file buffer and size.
-        let buffer = unsafe { std::slice::from_raw_parts(file_buffer, file_size) };
+        let buffer = unsafe { slice::from_raw_parts(file_buffer, file_size) };
 
         // Construct a shim input from the path.
         let input = ShimInput::SecurityHookBuffer(Some(path), buffer);
@@ -169,24 +157,13 @@ impl SecurityHook {
         // Verify the input, if it fails, call the original hook.
         if !Self::verify(input) {
             // Acquire the global hook state to grab the original hook.
-            let function = match GLOBAL_HOOK_STATE.lock() {
-                // We have acquired the lock, so we can find the original hook.
-                Ok(state) => match state.as_ref() {
-                    // The hook state is available, so we can acquire the original hook.
-                    Some(state) => state.original_hook2.file_authentication,
+            let function = match GLOBAL_HOOK_STATE.lock().as_ref() {
+                // The hook state is available, so we can acquire the original hook.
+                Some(state) => state.original_hook2.file_authentication,
 
-                    // The hook state is not available, so we can't call the original hook.
-                    None => {
-                        warn!("global hook state is not available, unable to call original hook");
-                        return Status::LOAD_ERROR;
-                    }
-                },
-
-                Err(error) => {
-                    warn!(
-                        "unable to acquire global hook state lock to call original hook: {}",
-                        error
-                    );
+                // The hook state is not available, so we can't call the original hook.
+                None => {
+                    warn!("global hook state is not available, unable to call original hook");
                     return Status::LOAD_ERROR;
                 }
             };
@@ -203,14 +180,14 @@ impl SecurityHook {
     /// Install the security hook if needed.
     pub fn install() -> Result<bool> {
         // Find the security arch protocol. If we can't find it, we will return false.
-        let Some(hook_arch) = utils::find_handle(&SECURITY_ARCH_GUID)
+        let Some(hook_arch) = crate::handle::find_handle(&SECURITY_ARCH_GUID)
             .context("unable to check security arch existence")?
         else {
             return Ok(false);
         };
 
         // Find the security arch2 protocol. If we can't find it, we will return false.
-        let Some(hook_arch2) = utils::find_handle(&SECURITY_ARCH2_GUID)
+        let Some(hook_arch2) = crate::handle::find_handle(&SECURITY_ARCH2_GUID)
             .context("unable to check security arch2 existence")?
         else {
             return Ok(false);
@@ -237,9 +214,7 @@ impl SecurityHook {
         };
 
         // Acquire the lock to the global state and replace it.
-        let Ok(mut global_state) = GLOBAL_HOOK_STATE.lock() else {
-            bail!("unable to acquire global hook state lock");
-        };
+        let mut global_state = GLOBAL_HOOK_STATE.lock();
         global_state.replace(state);
 
         // Install the hooks into the UEFI stack.
@@ -252,14 +227,14 @@ impl SecurityHook {
     /// Uninstalls the global security hook, if installed.
     pub fn uninstall() -> Result<()> {
         // Find the security arch protocol. If we can't find it, we will do nothing.
-        let Some(hook_arch) = utils::find_handle(&SECURITY_ARCH_GUID)
+        let Some(hook_arch) = crate::handle::find_handle(&SECURITY_ARCH_GUID)
             .context("unable to check security arch existence")?
         else {
             return Ok(());
         };
 
         // Find the security arch2 protocol. If we can't find it, we will do nothing.
-        let Some(hook_arch2) = utils::find_handle(&SECURITY_ARCH2_GUID)
+        let Some(hook_arch2) = crate::handle::find_handle(&SECURITY_ARCH2_GUID)
             .context("unable to check security arch2 existence")?
         else {
             return Ok(());
@@ -276,9 +251,7 @@ impl SecurityHook {
                 .context("unable to open security arch2 protocol")?;
 
         // Acquire the lock to the global state.
-        let Ok(mut global_state) = GLOBAL_HOOK_STATE.lock() else {
-            bail!("unable to acquire global hook state lock");
-        };
+        let mut global_state = GLOBAL_HOOK_STATE.lock();
 
         // Take the state and replace the original functions.
         let Some(state) = global_state.take() else {

crates/eficore/src/strings.rs

@@ -0,0 +1,22 @@
+use alloc::vec::Vec;
+use anyhow::{Context, Result, bail};
+use uefi::CString16;
+
+/// Convert a byte slice into a CString16.
+pub fn utf16_bytes_to_cstring16(bytes: &[u8]) -> Result<CString16> {
+    // Validate the input bytes are the right length.
+    if !bytes.len().is_multiple_of(2) {
+        bail!("utf16 bytes must be a multiple of 2");
+    }
+
+    // Convert the bytes to UTF-16 data.
+    let data = bytes
+        // Chunk everything into two bytes.
+        .chunks_exact(2)
+        // Reinterpret the bytes as u16 little-endian.
+        .map(|chunk| u16::from_le_bytes([chunk[0], chunk[1]]))
+        // Collect the result into a vector.
+        .collect::<Vec<_>>();
+
+    CString16::try_from(data).context("unable to convert utf16 bytes to CString16")
+}

crates/eficore/src/variables.rs

@@ -1,4 +1,7 @@
-use crate::utils;
+use crate::strings;
+use alloc::format;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
 use anyhow::{Context, Result};
 use log::warn;
 use uefi::{CString16, guid};
@@ -56,7 +59,7 @@ impl VariableController {
         match uefi::runtime::get_variable_boxed(&name, &self.vendor) {
             Ok((data, _)) => {
                 // Try to decode UTF-16 bytes to a CString16.
-                match utils::utf16_bytes_to_cstring16(&data) {
+                match strings::utf16_bytes_to_cstring16(&data) {
                     Ok(value) => {
                         // We have a value, so return the UTF-8 value.
                         Ok(Some(value.to_string()))
@@ -142,6 +145,8 @@ impl VariableController {
         self.set(key, &value.to_le_bytes(), class)
     }
 
+    /// Remove the variable specified by `key`.
+    /// This can fail if the variable is not set.
     pub fn remove(&self, key: &str) -> Result<()> {
         let name = Self::name(key)?;
 

docs/setup/signed/debian.md

@@ -0,0 +1,146 @@
+# Setup Sprout for Debian with Secure Boot
+
+## Prerequisites
+
+- Modern Debian release: tested on Debian 13 ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `shim-signed`, `mokutil`, `sbsigntool`
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/sprout/shimx64.efi
+$ cp /usr/lib/shim/mmx64.efi.signed /boot/efi/EFI/sprout/mmx64.efi
+$ cp /usr/lib/shim/fbx64.efi.signed /boot/efi/EFI/sprout/fbx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimaa64.efi.signed /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /usr/lib/shim/mmaa64.efi.signed /boot/efi/EFI/sprout/mmaa64.efi
+$ cp /usr/lib/shim/fbaa64.efi.signed /boot/efi/EFI/sprout/fbaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Debian systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It should work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting installed kernels
+# generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/fedora.md

@@ -0,0 +1,172 @@
+# Setup Sprout for Fedora with Secure Boot
+
+## Prerequisites
+
+- Modern Fedora release: tested on Fedora 43 x86_64.
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `mokutil`, `sbsigntools`, `efibootmgr`
+
+**NOTE**: Fedora on ARM64 itself does not support Secure Boot consistently.
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/sprout/shimx64.efi
+$ cp /boot/efi/EFI/fedora/mmx64.efi /boot/efi/EFI/sprout/mmx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /boot/efi/EFI/fedora/shimaa64.efi /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /boot/efi/EFI/fedora/mmaa64.efi /boot/efi/EFI/sprout/mmaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+
+### ext4
+
+Most Fedora systems use an ext4 filesystem for `/boot`, if that is the case, use the ext4 instructions here:
+
+Install the necessary `edk2-ext4` package:
+
+```bash
+# Install the ext4 driver from the package manager.
+$ dnf install edk2-ext4
+```
+
+Copy the ext4 driver to `/boot/efi/EFI/sprout/ext4.unsigned.efi`:
+
+```bash
+# For x86_64, copy the ext4x64.efi driver to the Sprout EFI directory.
+$ cp /usr/share/edk2/drivers/ext4x64.efi /boot/efi/EFI/sprout/ext4.unsigned.efi
+
+# For aarch64, copy the ext4aa64.efi driver to the Sprout EFI directory.
+$ cp /usr/share/edk2/drivers/ext4aa64.efi /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+### Other Filesystems
+
+If you need another driver, you can download EFI filesystem drivers from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+Copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing, then sign it like this:
+
+```bash
+# Sign your driver, placing it at DRIVER_NAME.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/DRIVER_NAME.efi \
+    /boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi
+```
+
+You will add the driver in your Sprout configuration below, like this:
+
+```toml
+[drivers.DRIVER_NAME]
+path = "\\EFI\\sprout\\DRIVER_NAME.efi"
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled
+# filesystems and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/opensuse.md

@@ -0,0 +1,141 @@
+# Setup Sprout for openSUSE with Secure Boot
+
+**NOTE:** This guide may not function as written if the system validates hashes.
+If your system validates hashes in the shim, you will need to use MokManager to enroll the hashes
+of every EFI file involved, such as Sprout and any EFI drivers.
+
+## Prerequisites
+
+- Modern openSUSE release: tested on openSUSE Tumbleweed ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `shim`, `mokutil`, `sbsigntools`
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/share/efi/x86_64/shim.efi /boot/efi/EFI/sprout/shim.efi
+$ cp /usr/share/efi/x86_64/MokManager.efi /boot/efi/EFI/sprout/MokManager.efi
+$ cp /usr/share/efi/x86_64/fallback.efi /boot/efi/EFI/sprout/fallback.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/share/efi/aarch64/shim.efi /boot/efi/EFI/sprout/shim.efi
+$ cp /usr/share/efi/aarch64/MokManager.efi /boot/efi/EFI/sprout/MokManager.efi
+$ cp /usr/share/efi/aarch64/fallback.efi /boot/efi/EFI/sprout/fallback.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi`
+file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# Sign the unsigned Sprout artifact and name it grub.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grub.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Debian systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It should work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled filesystems
+# or linux kernels and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# Run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shim.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/ubuntu.md

@@ -0,0 +1,147 @@
+# Setup Sprout for Ubuntu with Secure Boot
+
+## Prerequisites
+
+- Modern Ubuntu release: tested on Ubuntu 25.10 ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/sprout/shimx64.efi
+$ cp /usr/lib/shim/mmx64.efi /boot/efi/EFI/sprout/mmx64.efi
+$ cp /usr/lib/shim/fbx64.efi /boot/efi/EFI/sprout/fbx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimaa64.efi.signed /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /usr/lib/shim/mmaa64.efi /boot/efi/EFI/sprout/mmaa64.efi
+$ cp /usr/lib/shim/fbaa64.efi /boot/efi/EFI/sprout/fbaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Ubuntu systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It will work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting installed kernels
+# generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/unsigned/alpine-edge.md

@@ -1,4 +1,4 @@
-# Setup Sprout on Alpine Edge
+# Setup Sprout for Alpine Edge without Secure Boot
 
 ## Prerequisites
 

docs/setup/unsigned/fedora.md

@@ -1,4 +1,4 @@
-# Setup Sprout on Fedora
+# Setup Sprout for Fedora without Secure Boot
 
 ## Prerequisites
 

docs/setup/unsigned/generic-linux.md

@@ -1,4 +1,4 @@
-# Setup Sprout to boot Linux
+# Setup Sprout for Linux without Secure Boot
 
 ## Prerequisites
 

docs/setup/unsigned/windows.md

@@ -1,4 +1,4 @@
-# Setup Sprout to boot Windows
+# Setup Sprout for Windows without Secure Boot
 
 ## Prerequisites
 

hack/clean.sh

@@ -27,4 +27,6 @@ if command -v docker >/dev/null 2>&1; then
 	delete_image sprout-kernel-build-aarch64 || true
 	delete_image sprout-boot-x86_64 || true
 	delete_image sprout-boot-aarch64 || true
+	delete_image sprout-xen-x86_64 || true
+	delete_image sprout-xen-aarch64 || true
 fi

hack/dev/boot.sh

@@ -30,9 +30,9 @@ if [ "${QEMU_GDB_WAIT}" = "1" ]; then
 	set -- "${@}" "-S"
 fi
 
-set -- "${@}" -smp 2 -m 4096
+set -- "${@}" -nodefaults -smp 2 -m 4096
 
-if [ "${NO_GRAPHICAL_BOOT}" = "1" ]; then
+if [ "${NO_GRAPHICAL}" = "1" ]; then
 	set -- "${@}" -nographic
 else
 	if [ "${GRAPHICAL_ONLY}" != "1" ]; then
@@ -40,9 +40,9 @@ else
 			set -- "${@}" -serial stdio
 		else
 			set -- "${@}" \
-				-device virtio-serial-pci,id=vs0 \
-				-chardev stdio,id=stdio0 \
-				-device virtconsole,chardev=stdio0,id=console0
+				-device 'virtio-serial-pci,id=vs0' \
+				-chardev 'stdio,id=stdio0,signal=off' \
+				-device 'virtconsole,chardev=stdio0,id=console0,name=alpine'
 		fi
 	fi
 
@@ -55,6 +55,19 @@ else
 	fi
 fi
 
+if [ "${NO_INPUT}" != "1" ]; then
+	set -- "${@}" \
+		-device qemu-xhci \
+		-device usb-kbd \
+		-device usb-mouse
+fi
+
+if [ "${NO_NETWORK}" != "1" ]; then
+	set -- "${@}" \
+		-netdev 'user,id=network0' \
+		-device 'virtio-net-pci,netdev=network0'
+fi
+
 rm -f "${FINAL_DIR}/ovmf-boot.fd"
 cp "${FINAL_DIR}/ovmf.fd" "${FINAL_DIR}/ovmf-boot.fd"
 if [ "${TARGET_ARCH}" = "aarch64" ]; then
@@ -63,7 +76,7 @@ fi
 # shellcheck disable=SC2086
 set -- "${@}" \
 	-drive "if=pflash,file=${FINAL_DIR}/ovmf-boot.fd,format=raw,readonly=on" \
-	-device nvme,drive=disk1,serial=cafebabe
+	-device 'nvme,drive=disk1,serial=cafebabe'
 
 set -- "${@}" \
 	-drive "if=none,file=${FINAL_DIR}/sprout.img,format=raw,id=disk1,readonly=on"

hack/dev/boot/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:fd8f5a1df07b5195613e4b9a0b6a947d3772a151b81975db27d47f093f60c6e6 AS build
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598 AS build
 ARG BUILDPLATFORM
 ARG EFI_NAME
 RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y \
@@ -12,7 +12,6 @@ COPY shell.efi /work/SHELL.EFI
 COPY xen.efi /work/XEN.EFI
 COPY xen.cfg /work/XEN.CFG
 COPY initramfs /work/INITRAMFS
-COPY edera-splash.png /work/EDERA-SPLASH.PNG
 COPY bls.conf /work/BLS.CONF
 RUN truncate -s128MiB sprout.img && \
     parted --script sprout.img mklabel gpt > /dev/null 2>&1 && \
@@ -29,7 +28,6 @@ RUN truncate -s128MiB sprout.img && \
     mcopy -i sprout.img XEN.EFI ::/EFI/BOOT/ && \
     mcopy -i sprout.img XEN.CFG ::/EFI/BOOT/ && \
     mcopy -i sprout.img SPROUT.TOML ::/ && \
-    mcopy -i sprout.img EDERA-SPLASH.PNG ::/ && \
     mcopy -i sprout.img INITRAMFS ::/ && \
     mcopy -i sprout.img BLS.CONF ::/LOADER/ENTRIES/ && \
     mv sprout.img /sprout.img

hack/dev/build.sh

@@ -48,7 +48,7 @@ copy_from_image_polyfill() {
 	SOURCE="${2}"
 	TARGET="${3}"
 
-	docker build -t "${IMAGE}-copy-polyfill:${DOCKER_TAG}" --build-arg "TARGET_IMAGE=${IMAGE}:${DOCKER_TAG}" \
+	docker build --platform="${DOCKER_TARGET}" -t "${IMAGE}-copy-polyfill:${DOCKER_TAG}" --build-arg "TARGET_IMAGE=${IMAGE}:${DOCKER_TAG}" \
 		-f hack/dev/utils/Dockerfile.copy-polyfill hack
 	# note: the -w '//' is a workaround for Git Bash where / is magically rewritten.
 	docker run --rm -i -w '//' "${IMAGE}-copy-polyfill:${DOCKER_TAG}" cat "image/${SOURCE}" >"${TARGET}"
@@ -72,6 +72,7 @@ if [ "${SKIP_KERNEL_BUILD}" != "1" ]; then
 	fi
 
 	copy_from_image "${DOCKER_PREFIX}/sprout-kernel-${TARGET_ARCH}" "kernel.efi" "${FINAL_DIR}/kernel.efi"
+	copy_from_image "${DOCKER_PREFIX}/sprout-kernel-${TARGET_ARCH}" "kernel.modules.tgz" "${FINAL_DIR}/kernel.modules.tgz"
 fi
 
 if [ "${SKIP_VM_BUILD}" != "1" ]; then
@@ -80,8 +81,12 @@ if [ "${SKIP_VM_BUILD}" != "1" ]; then
 		-f hack/dev/vm/Dockerfile.ovmf "${FINAL_DIR}"
 	copy_from_image "${DOCKER_PREFIX}/sprout-ovmf-${TARGET_ARCH}" "ovmf.fd" "${FINAL_DIR}/ovmf.fd"
 	copy_from_image "${DOCKER_PREFIX}/sprout-ovmf-${TARGET_ARCH}" "shell.efi" "${FINAL_DIR}/shell.efi"
+	rm -rf "${FINAL_DIR}/initramfs.build"
+	mkdir -p "${FINAL_DIR}/initramfs.build"
+	cp -r "hack/dev/vm/files" "${FINAL_DIR}/initramfs.build/files"
+	cp "${FINAL_DIR}/kernel.modules.tgz" "${FINAL_DIR}/initramfs.build/kernel.modules.tgz"
 	docker build --platform="${DOCKER_TARGET}" -t "${DOCKER_PREFIX}/sprout-initramfs-${TARGET_ARCH}:${DOCKER_TAG}" \
-		-f hack/dev/vm/Dockerfile.initramfs "${FINAL_DIR}"
+		-f hack/dev/vm/Dockerfile.initramfs "${FINAL_DIR}/initramfs.build"
 	copy_from_image "${DOCKER_PREFIX}/sprout-initramfs-${TARGET_ARCH}" "initramfs" "${FINAL_DIR}/initramfs"
 
 	if [ -n "${SPROUT_XEN_EFI_OVERRIDE}" ]; then
@@ -107,7 +112,6 @@ if [ "${SKIP_SPROUT_BUILD}" != "1" ]; then
 
 	cp "hack/dev/configs/${SPROUT_CONFIG_NAME}.sprout.toml" "${FINAL_DIR}/sprout.toml"
 	cp "hack/dev/configs/xen.cfg" "${FINAL_DIR}/xen.cfg"
-	cp "hack/dev/assets/edera-splash.png" "${FINAL_DIR}/edera-splash.png"
 	cp "hack/dev/configs/bls.conf" "${FINAL_DIR}/bls.conf"
 
 	mkdir -p "${FINAL_DIR}/efi/EFI/BOOT"
@@ -125,7 +129,6 @@ if [ "${SKIP_SPROUT_BUILD}" != "1" ]; then
 		cp "${FINAL_DIR}/xen.cfg" "${FINAL_DIR}/efi/EFI/BOOT/XEN.CFG"
 	fi
 	cp "${FINAL_DIR}/sprout.toml" "${FINAL_DIR}/efi/SPROUT.TOML"
-	cp "${FINAL_DIR}/edera-splash.png" "${FINAL_DIR}/efi/EDERA-SPLASH.PNG"
 	cp "${FINAL_DIR}/initramfs" "${FINAL_DIR}/efi/INITRAMFS"
 fi
 

hack/dev/configs/all.sprout.toml

@@ -8,7 +8,7 @@ has-item = "\\vmlinuz"
 
 [actions.chainload-kernel]
 chainload.path = "$boot\\vmlinuz"
-chainload.options = ["console=hvc0"]
+chainload.options = ["console=hvc0", "overlaytmpfs=yes"]
 chainload.linux-initrd = "$boot\\initramfs"
 
 [entries.kernel]

hack/dev/configs/kernel.sprout.toml

@@ -9,7 +9,7 @@ has-item = "\\vmlinuz"
 
 [actions.chainload-kernel]
 chainload.path = "$boot\\vmlinuz"
-chainload.options = ["console=hvc0"]
+chainload.options = ["console=hvc0", "overlaytmpfs=yes"]
 chainload.linux-initrd = "$boot\\initramfs"
 
 [entries.kernel]