Merge pull request #34 from edera-dev/chore/release-0.0.25

chore(release): sprout: version 0.0.25

.github/workflows/ci-actions.yml

@@ -35,7 +35,7 @@ jobs:
         persist-credentials: false
 
     - name: setup uv
-      uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v7.1.1
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
     - name: zizmor
       run: uvx zizmor --pedantic --format sarif . > results.sarif
@@ -43,7 +43,7 @@ jobs:
         GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
     - name: upload
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: results.sarif
         category: zizmor

.github/workflows/codeql.yml

@@ -47,13 +47,13 @@ jobs:
         persist-credentials: false
 
     - name: initialize codeql
-      uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
         config-file: ./.github/codeql/codeql-config.yaml
 
     - name: perform codeql analysis
-      uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         category: "/language:${{matrix.language}}"

Cargo.lock

@@ -46,9 +46,9 @@ dependencies = [
 
 [[package]]
 name = "crypto-common"
-version = "0.1.6"
+version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
 dependencies = [
  "generic-array",
  "typenum",
@@ -66,7 +66,7 @@ dependencies = [
 
 [[package]]
 name = "edera-sprout-boot"
-version = "0.0.23"
+version = "0.0.25"
 dependencies = [
  "anyhow",
  "edera-sprout-build",
@@ -82,18 +82,18 @@ dependencies = [
 
 [[package]]
 name = "edera-sprout-build"
-version = "0.0.23"
+version = "0.0.25"
 
 [[package]]
 name = "edera-sprout-config"
-version = "0.0.23"
+version = "0.0.25"
 dependencies = [
  "serde",
 ]
 
 [[package]]
 name = "edera-sprout-eficore"
-version = "0.0.23"
+version = "0.0.25"
 dependencies = [
  "anyhow",
  "bitflags",
@@ -106,9 +106,9 @@ dependencies = [
 
 [[package]]
 name = "generic-array"
-version = "0.14.9"
+version = "0.14.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4bb6743198531e02858aeaea5398fcc883e71851fcbcb5a2f773e2fb6cb1edf2"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
  "typenum",
  "version_check",
@@ -172,9 +172,9 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.41"
+version = "1.0.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
 dependencies = [
  "proc-macro2",
 ]
@@ -252,9 +252,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.108"
+version = "2.0.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
+checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -309,9 +309,9 @@ dependencies = [
 
 [[package]]
 name = "uefi"
-version = "0.36.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f123e69767fc287c44d70ee19af3b39d1bfb735dbaff5090e95b5b13cd656d16"
+checksum = "71fe9058b73ee2b6559524af9e33199c13b2485ddbf3ad1181b68051cdc50c17"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -336,9 +336,9 @@ dependencies = [
 
 [[package]]
 name = "uefi-raw"
-version = "0.12.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8aff2f4f2b556a36a201d335a1e0a57754967a96857b1f47a52d5a23825cac84"
+checksum = "7f64fe59e11af447d12fd60a403c74106eb104309f34b4c6dbce6e927d97da9d"
 dependencies = [
  "bitflags",
  "uguid",

Cargo.toml

@@ -9,7 +9,7 @@ resolver = "3"
 
 [workspace.package]
 license = "Apache-2.0"
-version = "0.0.23"
+version = "0.0.25"
 homepage = "https://sprout.edera.dev"
 repository = "https://github.com/edera-dev/sprout"
 edition = "2024"
@@ -18,7 +18,7 @@ edition = "2024"
 bitflags = "2.10.0"
 log = "0.4.28"
 spin = "0.10.0"
-uefi-raw = "0.12.0"
+uefi-raw = "0.13.0"
 
 [workspace.dependencies.anyhow]
 version = "1.0.100"
@@ -48,7 +48,7 @@ default-features = false
 features = ["serde", "parse"]
 
 [workspace.dependencies.uefi]
-version = "0.36.0"
+version = "0.36.1"
 default-features = false
 features = ["alloc", "global_allocator", "panic_handler"]
 

Dockerfile

@@ -2,7 +2,7 @@
 ARG RUST_PROFILE=release
 ARG RUST_TARGET_SUBDIR=release
 
-FROM --platform=$BUILDPLATFORM rust:1.91.0-alpine@sha256:a3e3d30122c08c0ed85dcd8867d956f066be23c32ed67a0453bc04ce478ad69b AS build
+FROM --platform=$BUILDPLATFORM rust:1.91.1-alpine@sha256:fbcca3e30e26f79986809d5dbfcdbeaaf8d3f8a4475b7a19a973363b45c74d97 AS build
 RUN apk --no-cache add musl-dev busybox-static
 ARG RUST_PROFILE
 RUN adduser -S -s /bin/sh build

README.md

@@ -47,8 +47,9 @@ We recommend running Sprout without Secure Boot for development, and with Secure
 
 | Operating System | Secure Boot Enabled | Link                                                  |
 |------------------|---------------------|-------------------------------------------------------|
-| Ubuntu           | ✅                   | [Setup Guide](./docs/setup/signed/ubuntu.md)          |
+| Fedora           | ✅                   | [Setup Guide](./docs/setup/signed/fedora.md)          |
 | Debian           | ✅                   | [Setup Guide](./docs/setup/signed/debian.md)          |
+| Ubuntu           | ✅                   | [Setup Guide](./docs/setup/signed/ubuntu.md)          |
 | openSUSE         | ✅                   | [Setup Guide](./docs/setup/signed/opensuse.md)        |
 | Fedora           | ❌                   | [Setup Guide](./docs/setup/unsigned/fedora.md)        |
 | Alpine Edge      | ❌                   | [Setup Guide](./docs/setup/unsigned/alpine-edge.md)   |

crates/boot/src/actions/chainload.rs

@@ -5,9 +5,10 @@ use alloc::rc::Rc;
 use anyhow::{Context, Result, bail};
 use edera_sprout_config::actions::chainload::ChainloadConfiguration;
 use eficore::bootloader_interface::BootloaderInterface;
+use eficore::loader::source::ImageSource;
+use eficore::loader::{ImageLoadRequest, ImageLoader};
 use eficore::media_loader::MediaLoaderHandle;
 use eficore::media_loader::constants::linux::LINUX_EFI_INITRD_MEDIA_GUID;
-use eficore::shim::{ShimInput, ShimSupport};
 use log::error;
 use uefi::CString16;
 use uefi::proto::loaded_image::LoadedImage;
@@ -24,12 +25,16 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
     )
     .context("unable to resolve chainload path")?;
 
-    // Load the image to chainload using the shim support integration.
+    // Create a new image load request with the current image and the resolved path.
+    let request = ImageLoadRequest::new(sprout_image, ImageSource::ResolvedPath(&resolved));
+
+    // Load the image to chainload using the image loader support module.
     // It will determine if the image needs to be loaded via the shim or can be loaded directly.
-    let image = ShimSupport::load(sprout_image, ShimInput::ResolvedPath(&resolved))?;
+    let image = ImageLoader::load(request)?;
 
     // Open the LoadedImage protocol of the image to chainload.
-    let mut loaded_image_protocol = uefi::boot::open_protocol_exclusive::<LoadedImage>(image)
+    let mut loaded_image_protocol =
+        uefi::boot::open_protocol_exclusive::<LoadedImage>(*image.handle())
             .context("unable to open loaded image protocol")?;
 
     // Stamp and combine the options to pass to the image.
@@ -87,7 +92,7 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
     // This call might return, or it may pass full control to another image that will never return.
     // Capture the result to ensure we can return an error if the image fails to start, but only
     // after the optional initrd has been unregistered.
-    let result = uefi::boot::start_image(image);
+    let result = uefi::boot::start_image(*image.handle());
 
     // Unregister the initrd if it was registered.
     if let Some(initrd_handle) = initrd_handle

crates/boot/src/drivers.rs

@@ -5,7 +5,8 @@ use alloc::rc::Rc;
 use alloc::string::String;
 use anyhow::{Context, Result};
 use edera_sprout_config::drivers::DriverDeclaration;
-use eficore::shim::{ShimInput, ShimSupport};
+use eficore::loader::source::ImageSource;
+use eficore::loader::{ImageLoadRequest, ImageLoader};
 use log::info;
 use uefi::boot::SearchType;
 
@@ -21,14 +22,17 @@ fn load_driver(context: Rc<SproutContext>, driver: &DriverDeclaration) -> Result
     )
     .context("unable to resolve path to driver")?;
 
-    // Load the driver image using the shim support integration.
+    // Create an image load request with the current image and the resolved path.
+    let request = ImageLoadRequest::new(sprout_image, ImageSource::ResolvedPath(&resolved));
+
+    // Load the driver image using the image loader support module.
     // It will determine if the image needs to be loaded via the shim or can be loaded directly.
-    let image = ShimSupport::load(sprout_image, ShimInput::ResolvedPath(&resolved))?;
+    let image = ImageLoader::load(request)?;
 
     // Start the driver image, this is expected to return control to sprout.
     // There is no guarantee that the driver will actually return control as it is
     // just a standard EFI image.
-    uefi::boot::start_image(image).context("unable to start driver image")?;
+    uefi::boot::start_image(*image.handle()).context("unable to start driver image")?;
 
     Ok(())
 }

crates/boot/src/main.rs

@@ -385,7 +385,7 @@ fn efi_main() -> Status {
     let result = run();
     if let Err(ref error) = result {
         // Print an error trace.
-        error!("sprout encountered an error:");
+        error!("sprout encountered an error: {}", error);
         for (index, stack) in error.chain().enumerate() {
             error!("[{}]: {}", index, stack);
         }

crates/eficore/src/lib.rs

@@ -6,6 +6,9 @@ extern crate alloc;
 /// EFI handle helpers.
 pub mod handle;
 
+/// Load and start EFI images.
+pub mod loader;
+
 /// Logging support for EFI applications.
 pub mod logger;
 

crates/eficore/src/loader.rs

@@ -0,0 +1,141 @@
+use crate::loader::source::ImageSource;
+use crate::secure::SecureBoot;
+use crate::shim::hook::SecurityHook;
+use crate::shim::{ShimInput, ShimSupport};
+use anyhow::{Context, Result, bail};
+use log::warn;
+use uefi::Handle;
+use uefi::boot::LoadImageSource;
+
+/// Represents EFI image sources generically.
+pub mod source;
+
+/// Handle to a loaded EFI image.
+pub struct ImageHandle {
+    /// Handle to the loaded image.
+    handle: Handle,
+}
+
+impl ImageHandle {
+    /// Create a new image handle based on a handle from the UEFI stack.
+    pub fn new(handle: Handle) -> Self {
+        Self { handle }
+    }
+
+    /// Retrieve the underlying handle.
+    pub fn handle(&self) -> &Handle {
+        &self.handle
+    }
+}
+
+/// Request to load an image from a source, with support for additional validation features.
+pub struct ImageLoadRequest<'source> {
+    /// Handle to the current image.
+    current_image: Handle,
+    /// Source of the image to load.
+    source: ImageSource<'source>,
+}
+
+impl<'source> ImageLoadRequest<'source> {
+    /// Create a new image load request with a current image and a source.
+    pub fn new(current_image: Handle, source: ImageSource<'source>) -> Self {
+        Self {
+            current_image,
+            source,
+        }
+    }
+
+    /// Retrieve the current image.
+    pub fn current_image(&self) -> &Handle {
+        &self.current_image
+    }
+
+    /// Retrieve the source of the image to load.
+    pub fn source(&'source self) -> &'source ImageSource<'source> {
+        &self.source
+    }
+
+    /// Convert the request into a source.
+    pub fn into_source(self) -> ImageSource<'source> {
+        self.source
+    }
+}
+
+/// EFI image loader.
+pub struct ImageLoader;
+
+impl ImageLoader {
+    /// Load an image using the image `request` which allows
+    pub fn load(request: ImageLoadRequest) -> Result<ImageHandle> {
+        // Determine whether Secure Boot is enabled.
+        let secure_boot =
+            SecureBoot::enabled().context("unable to determine if secure boot is enabled")?;
+
+        // Determine whether the shim is loaded.
+        let shim_loaded = ShimSupport::loaded().context("unable to determine if shim is loaded")?;
+
+        // Determine whether the shim loader is available.
+        let shim_loader_available = ShimSupport::loader_available()
+            .context("unable to determine if shim loader is available")?;
+
+        // Determines whether LoadImage in Boot Services must be patched.
+        // Version 16 of the shim doesn't require extra effort to load Secure Boot binaries.
+        // If the image loader is installed, we can skip over the security hook.
+        let requires_security_hook = secure_boot && shim_loaded && !shim_loader_available;
+
+        // If the security hook is required, we will bail for now.
+        if requires_security_hook {
+            // Install the security hook, if possible. If it's not, this is necessary to continue,
+            // so we should bail.
+            let installed = SecurityHook::install().context("unable to install security hook")?;
+            if !installed {
+                bail!("unable to install security hook required for this platform");
+            }
+        }
+
+        // If the shim is loaded, we will need to retain the shim protocol to allow
+        // loading multiple images.
+        if shim_loaded {
+            // Retain the shim protocol after loading the image.
+            ShimSupport::retain()?;
+        }
+
+        // Clone the current image handle to use for loading the image.
+        let current_image = *request.current_image();
+
+        // Converts the source to a shim input with an owned data buffer.
+        let input = ShimInput::from(request.into_source())
+            .into_owned_data_buffer()
+            .context("unable to convert input to loaded data buffer")?;
+
+        // Constructs a LoadImageSource from the input.
+        let source = LoadImageSource::FromBuffer {
+            buffer: input.buffer().context("unable to get buffer from input")?,
+            file_path: input.file_path(),
+        };
+
+        // Loads the image using Boot Services LoadImage function.
+        let result = uefi::boot::load_image(current_image, source).context("unable to load image");
+
+        // If the security override is required, we will uninstall the security hook.
+        if requires_security_hook {
+            let uninstall_result = crate::shim::hook::SecurityHook::uninstall();
+            // Ensure we don't mask load image errors if uninstalling fails.
+            if result.is_err()
+                && let Err(uninstall_error) = &uninstall_result
+            {
+                // Warn on the error since the load image error is more important.
+                warn!("unable to uninstall security hook: {}", uninstall_error);
+            } else {
+                // Otherwise, ensure we handle the original uninstallation result.
+                uninstall_result?;
+            }
+        }
+
+        // Assert the result and grab the handle.
+        let handle = result?;
+
+        // Retrieve the handle from the result and make a new image handle.
+        Ok(ImageHandle::new(handle))
+    }
+}

crates/eficore/src/loader/source.rs

@@ -0,0 +1,25 @@
+use crate::path::ResolvedPath;
+use crate::shim::ShimInput;
+
+/// Represents a source of an EFI image.
+pub enum ImageSource<'source> {
+    /// The image is located at the specified path that has been resolved.
+    ResolvedPath(&'source ResolvedPath),
+    /// The image is located in a buffer.
+    DataBuffer {
+        /// Optional path to the image.
+        path: Option<&'source ResolvedPath>,
+        /// Buffer containing the image.
+        buffer: &'source [u8],
+    },
+}
+
+/// Implement conversion from `ImageSource` to `ShimInput`, which is used by the shim support code.
+impl<'source> From<ImageSource<'source>> for ShimInput<'source> {
+    fn from(value: ImageSource<'source>) -> Self {
+        match value {
+            ImageSource::ResolvedPath(path) => ShimInput::ResolvedPath(path),
+            ImageSource::DataBuffer { path, buffer } => ShimInput::DataBuffer(path, buffer),
+        }
+    }
+}

crates/eficore/src/media_loader.rs

@@ -161,14 +161,31 @@ impl MediaLoaderHandle {
 
         // Install a protocol interface for the device path.
         // This ensures it can be located by other EFI programs.
-        let primary_handle = unsafe {
+        let primary_handle = match unsafe {
             uefi::boot::install_protocol_interface(
                 None,
                 &DevicePathProtocol::GUID,
                 path.as_ffi_ptr() as *mut c_void,
             )
         }
-        .context("unable to install media loader device path handle")?;
+        .context("unable to install media loader device path handle")
+        {
+            // Acquiring the primary handle succeeded, so we can return the handle.
+            Ok(handle) => handle,
+            // If acquiring the primary handle failed, we free the device path and return the error.
+            Err(error) => {
+                // SAFETY: We know that the device path is leaked,
+                // so we can safely take a reference to it again.
+                // The UEFI stack failed to install the protocol interface
+                // if we reach here, so the path is no longer in use.
+                let path = unsafe { Box::from_raw(path) };
+                // Explicitly drop the path to clarify the lifetime.
+                drop(path);
+
+                // Return the original error.
+                return Err(error);
+            }
+        };
 
         // Leak the data we need to pass to the UEFI stack.
         let data = Box::leak(data);

crates/eficore/src/shim.rs

@@ -1,6 +1,4 @@
 use crate::path::ResolvedPath;
-use crate::secure::SecureBoot;
-use crate::shim::hook::SecurityHook;
 use crate::variables::{VariableClass, VariableController};
 use alloc::boxed::Box;
 use alloc::string::ToString;
@@ -8,9 +6,6 @@ use alloc::vec::Vec;
 use anyhow::{Context, Result, anyhow, bail};
 use core::ffi::c_void;
 use core::pin::Pin;
-use log::warn;
-use uefi::Handle;
-use uefi::boot::LoadImageSource;
 use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
 use uefi::proto::device_path::{DevicePath, FfiDevicePath};
 use uefi::proto::unsafe_protocol;
@@ -18,7 +13,7 @@ use uefi_raw::table::runtime::VariableVendor;
 use uefi_raw::{Guid, Status, guid};
 
 /// Security hook support.
-mod hook;
+pub mod hook;
 
 /// Support for the shim loader application for Secure Boot.
 pub struct ShimSupport;
@@ -237,72 +232,6 @@ impl ShimSupport {
             .unwrap_or(ShimVerificationOutput::VerifiedDataNotLoaded))
     }
 
-    /// Load the image specified by the `input` and returns an image handle.
-    pub fn load(current_image: Handle, input: ShimInput) -> Result<Handle> {
-        // Determine whether Secure Boot is enabled.
-        let secure_boot =
-            SecureBoot::enabled().context("unable to determine if secure boot is enabled")?;
-
-        // Determine whether the shim is loaded.
-        let shim_loaded = Self::loaded().context("unable to determine if shim is loaded")?;
-
-        // Determine whether the shim loader is available.
-        let shim_loader_available =
-            Self::loader_available().context("unable to determine if shim loader is available")?;
-
-        // Determines whether LoadImage in Boot Services must be patched.
-        // Version 16 of the shim doesn't require extra effort to load Secure Boot binaries.
-        // If the image loader is installed, we can skip over the security hook.
-        let requires_security_hook = secure_boot && shim_loaded && !shim_loader_available;
-
-        // If the security hook is required, we will bail for now.
-        if requires_security_hook {
-            // Install the security hook, if possible. If it's not, this is necessary to continue,
-            // so we should bail.
-            let installed = SecurityHook::install().context("unable to install security hook")?;
-            if !installed {
-                bail!("unable to install security hook required for this platform");
-            }
-        }
-
-        // If the shim is loaded, we will need to retain the shim protocol to allow
-        // loading multiple images.
-        if shim_loaded {
-            // Retain the shim protocol after loading the image.
-            Self::retain()?;
-        }
-
-        // Converts the shim input to an owned data buffer.
-        let input = input
-            .into_owned_data_buffer()
-            .context("unable to convert input to loaded data buffer")?;
-
-        // Constructs a LoadImageSource from the input.
-        let source = LoadImageSource::FromBuffer {
-            buffer: input.buffer().context("unable to get buffer from input")?,
-            file_path: input.file_path(),
-        };
-
-        // Loads the image using Boot Services LoadImage function.
-        let result = uefi::boot::load_image(current_image, source).context("unable to load image");
-
-        // If the security override is required, we will uninstall the security hook.
-        if requires_security_hook {
-            let uninstall_result = SecurityHook::uninstall();
-            // Ensure we don't mask load image errors if uninstalling fails.
-            if result.is_err()
-                && let Err(uninstall_error) = &uninstall_result
-            {
-                // Warn on the error since the load image error is more important.
-                warn!("unable to uninstall security hook: {}", uninstall_error);
-            } else {
-                // Otherwise, ensure we handle the original uninstallation result.
-                uninstall_result?;
-            }
-        }
-        result
-    }
-
     /// Set the ShimRetainProtocol variable to indicate that shim should retain the protocols
     /// for the full lifetime of boot services.
     pub fn retain() -> Result<()> {

docs/setup/signed/debian.md

@@ -60,7 +60,7 @@ Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.e
 ## Step 4: Sign Sprout for Secure Boot
 
 ```bash
-# For x86_64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
 $ sbsign \
     --key /etc/sprout/secure-boot/mok.key \
     --cert /etc/sprout/secure-boot/mok.crt \
@@ -120,8 +120,8 @@ path = "\\EFI\\sprout\\ext4.efi"
 
 # global options.
 [options]
-# enable autoconfiguration by detecting bls enabled
-# filesystems and generating boot entries for them.
+# enable autoconfiguration by detecting installed kernels
+# generating boot entries for them.
 autoconfigure = true
 ```
 
@@ -130,14 +130,16 @@ If you do not have any drivers, exclude the drivers section entirely.
 
 ## Step 7: Configure Sprout Boot Entry
 
-In the following commands, replace /dev/ESP_PARTITION with the actual path to the ESP partition block device.
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
 
 ```bash
 # For x86_64, run this command to add Sprout as the default boot entry.
-$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
 
 # For aarch64, run this command to add Sprout as the default boot entry.
-$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
 ```
 
 Reboot your machine and it should boot into Sprout.

docs/setup/signed/fedora.md

@@ -0,0 +1,172 @@
+# Setup Sprout for Fedora with Secure Boot
+
+## Prerequisites
+
+- Modern Fedora release: tested on Fedora 43 x86_64.
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `mokutil`, `sbsigntools`, `efibootmgr`
+
+**NOTE**: Fedora on ARM64 itself does not support Secure Boot consistently.
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/sprout/shimx64.efi
+$ cp /boot/efi/EFI/fedora/mmx64.efi /boot/efi/EFI/sprout/mmx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /boot/efi/EFI/fedora/shimaa64.efi /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /boot/efi/EFI/fedora/mmaa64.efi /boot/efi/EFI/sprout/mmaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+
+### ext4
+
+Most Fedora systems use an ext4 filesystem for `/boot`, if that is the case, use the ext4 instructions here:
+
+Install the necessary `edk2-ext4` package:
+
+```bash
+# Install the ext4 driver from the package manager.
+$ dnf install edk2-ext4
+```
+
+Copy the ext4 driver to `/boot/efi/EFI/sprout/ext4.unsigned.efi`:
+
+```bash
+# For x86_64, copy the ext4x64.efi driver to the Sprout EFI directory.
+$ cp /usr/share/edk2/drivers/ext4x64.efi /boot/efi/EFI/sprout/ext4.unsigned.efi
+
+# For aarch64, copy the ext4aa64.efi driver to the Sprout EFI directory.
+$ cp /usr/share/edk2/drivers/ext4aa64.efi /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+### Other Filesystems
+
+If you need another driver, you can download EFI filesystem drivers from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+Copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing, then sign it like this:
+
+```bash
+# Sign your driver, placing it at DRIVER_NAME.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/DRIVER_NAME.efi \
+    /boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi
+```
+
+You will add the driver in your Sprout configuration below, like this:
+
+```toml
+[drivers.DRIVER_NAME]
+path = "\\EFI\\sprout\\DRIVER_NAME.efi"
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled
+# filesystems and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/opensuse.md

@@ -128,11 +128,13 @@ If you do not have any drivers, exclude the drivers section entirely.
 
 ## Step 7: Configure Sprout Boot Entry
 
-In the following commands, replace /dev/ESP_PARTITION with the actual path to the ESP partition block device.
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
 
 ```bash
 # Run this command to add Sprout as the default boot entry.
-$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shim.efi'
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shim.efi'
 ```
 
 Reboot your machine and it should boot into Sprout.

docs/setup/signed/ubuntu.md

@@ -59,7 +59,7 @@ Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.e
 ## Step 4: Sign Sprout for Secure Boot
 
 ```bash
-# For x86_64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
 $ sbsign \
     --key /etc/sprout/secure-boot/mok.key \
     --cert /etc/sprout/secure-boot/mok.crt \
@@ -119,8 +119,8 @@ path = "\\EFI\\sprout\\ext4.efi"
 
 # global options.
 [options]
-# enable autoconfiguration by detecting bls enabled
-# filesystems and generating boot entries for them.
+# enable autoconfiguration by detecting installed kernels
+# generating boot entries for them.
 autoconfigure = true
 ```
 
@@ -129,14 +129,18 @@ If you do not have any drivers, exclude the drivers section entirely.
 
 ## Step 7: Configure Sprout Boot Entry
 
-In the following commands, replace /dev/ESP_PARTITION with the actual path to the ESP partition block device.
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
 
 ```bash
 # For x86_64, run this command to add Sprout as the default boot entry.
-$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
 
 # For aarch64, run this command to add Sprout as the default boot entry.
-$ efibootmgr -d /dev/ESP_PARTITION -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
 ```
 
 Reboot your machine and it should boot into Sprout.

hack/dev/boot/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:fd8f5a1df07b5195613e4b9a0b6a947d3772a151b81975db27d47f093f60c6e6 AS build
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598 AS build
 ARG BUILDPLATFORM
 ARG EFI_NAME
 RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y \

hack/dev/kernel/Dockerfile

@@ -1,7 +1,7 @@
-ARG KERNEL_SOURCE_URL=https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.17.2.tar.xz
-ARG KERNEL_CHECKSUM=sha256:fdebcb065065f5c1b8dc68a6fb59cda50cdddbf9103d207c2196d55ea764f57f
+ARG KERNEL_SOURCE_URL=https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.17.8.tar.xz
+ARG KERNEL_CHECKSUM=sha256:5a8de64a75fca706c01c6c0a77cf75a74618439db195e25f1f0268af6b2fb1da
 
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:fd8f5a1df07b5195613e4b9a0b6a947d3772a151b81975db27d47f093f60c6e6 AS buildenv
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598 AS buildenv
 RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y \
       build-essential squashfs-tools python3-yaml \
       patch diffutils sed mawk findutils zstd \

hack/dev/utils/Dockerfile.copy-direct

@@ -1 +1 @@
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:fd8f5a1df07b5195613e4b9a0b6a947d3772a151b81975db27d47f093f60c6e6
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598

hack/dev/utils/Dockerfile.copy-polyfill

@@ -1,4 +1,4 @@
 ARG TARGET_IMAGE=scratch
 FROM ${TARGET_IMAGE} AS image
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:fd8f5a1df07b5195613e4b9a0b6a947d3772a151b81975db27d47f093f60c6e6 AS final
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598 AS final
 COPY --from=image / /image

hack/dev/vm/Dockerfile.initramfs

@@ -1,4 +1,4 @@
-FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 AS rootfs
+FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS rootfs
 RUN apk --no-cache add alpine-base tzdata
 RUN rc-update add devfs sysinit && \
     rc-update add dmesg sysinit && \
@@ -18,7 +18,7 @@ RUN rc-update add devfs sysinit && \
     ln -s /usr/share/zoneinfo/UTC /etc/localtime && \
     echo 'hvc0::respawn:/sbin/getty -L hvc0 115200 vt100' >> /etc/inittab
 
-FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 AS build
+FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS build
 COPY --from=rootfs / /rootfs
 WORKDIR /rootfs
 RUN find . | cpio -R 0:0 --ignore-devno --renumber-inodes -o -H newc --quiet > /initramfs

hack/dev/vm/Dockerfile.ovmf

@@ -1,4 +1,4 @@
-FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 AS build
+FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS build
 ARG TARGETPLATFORM
 RUN if [ "${TARGETPLATFORM}" = "linux/amd64" ] || [ "${TARGETPLATFORM}" = "linux/x86_64" ]; then \
       apk --no-cache add ovmf edk2-shell; cp /usr/share/ovmf/bios.bin /ovmf.fd; fi

hack/dev/vm/Dockerfile.xen

@@ -1,4 +1,4 @@
-FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 AS build
+FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS build
 ARG TARGETPLATFORM
 RUN apk add --no-cache xen-hypervisor && cp /usr/lib/efi/xen.efi /xen.efi
 

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.91.0"
+channel = "1.91.1"
 components = ["rustfmt", "clippy"]
 targets = ["x86_64-unknown-uefi", "aarch64-unknown-uefi"]