sprout: version 0.0.28

Bumps the actions-updates group with 1 update: [step-security/harden-runner](https://github.com/step-security/harden-runner).


Updates `step-security/harden-runner` from 2.14.0 to 2.14.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](20cf305ff2...e3f713f2d8)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/ci-actions.yml

@@ -25,17 +25,17 @@ jobs:
       actions: read # Needed to analyze action metadata.
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
       with:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
     - name: setup uv
-      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
+      uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
 
     - name: zizmor
       run: uvx zizmor --pedantic --format sarif . > results.sarif

.github/workflows/ci-code.yml

@@ -21,12 +21,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
       with:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
@@ -51,12 +51,12 @@ jobs:
     name: 'build ${{ matrix.arch }}'
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
       with:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
@@ -80,12 +80,12 @@ jobs:
     name: 'clippy ${{ matrix.arch }}'
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
       with:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 

.github/workflows/codeql.yml

@@ -37,12 +37,12 @@ jobs:
           build-mode: none
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
       with:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 

.github/workflows/publish.yml

@@ -25,12 +25,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
       with:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
@@ -43,13 +43,14 @@ jobs:
 
     - name: 'upload artifacts'
       id: upload
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: artifacts
         path: target/assemble/*
 
     - name: 'attest artifacts'
-      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
       with:
         subject-name: artifacts.zip
         subject-digest: "sha256:${{ steps.upload.outputs.artifact-digest }}"
+      if: github.event_name != 'pull_request'

.github/workflows/release.yml

@@ -25,12 +25,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
       with:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
@@ -42,7 +42,7 @@ jobs:
       run: ./hack/assemble.sh
 
     - name: 'attest release artifacts'
-      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
       with:
         subject-path: target/assemble/*
 

Cargo.lock

@@ -66,7 +66,7 @@ dependencies = [
 
 [[package]]
 name = "edera-sprout-boot"
-version = "0.0.26"
+version = "0.0.28"
 dependencies = [
  "anyhow",
  "edera-sprout-build",
@@ -83,18 +83,18 @@ dependencies = [
 
 [[package]]
 name = "edera-sprout-build"
-version = "0.0.26"
+version = "0.0.28"
 
 [[package]]
 name = "edera-sprout-config"
-version = "0.0.26"
+version = "0.0.28"
 dependencies = [
  "serde",
 ]
 
 [[package]]
 name = "edera-sprout-eficore"
-version = "0.0.26"
+version = "0.0.28"
 dependencies = [
  "anyhow",
  "bitflags",
@@ -123,15 +123,15 @@ checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
 [[package]]
 name = "jaarg"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b216e5405f7e759ee0d16007f9d5c3346f9803a2e86cf01fc8df8baac43d0fa"
+checksum = "534d589df1ef528a238f4bc4b1db081a1280f3aedf2695fd8971e9853a7fa4f6"
 
 [[package]]
 name = "libc"
-version = "0.2.177"
+version = "0.2.178"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"
+checksum = "37c93d8daa9d8a012fd8ab92f088405fb202ea0b6ab73ee2482ae66af4f42091"
 
 [[package]]
 name = "lock_api"
@@ -144,9 +144,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.28"
+version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
 [[package]]
 name = "proc-macro2"
@@ -224,9 +224,9 @@ dependencies = [
 
 [[package]]
 name = "serde_spanned"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e24345aa0fe688594e73770a5f6d1b216508b4f93484c0026d521acd30134392"
+checksum = "f8bbf91e5a4d6315eee45e704372590b30e260ee83af6639d64557f51b067776"
 dependencies = [
  "serde_core",
 ]
@@ -259,9 +259,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.110"
+version = "2.0.111"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
+checksum = "390cc9a294ab71bdb1aa2e99d13be9c753cd2d7bd6560c77118597410c4d2e87"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -270,9 +270,9 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "0.9.8"
+version = "0.9.11+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0dc8b1fb61449e27716ec0e1bdf0f6b8f3e8f6b05391e8497b8b6d7804ea6d8"
+checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46"
 dependencies = [
  "serde_core",
  "serde_spanned",
@@ -283,18 +283,18 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "0.7.3"
+version = "0.7.5+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2cdb639ebbc97961c51720f858597f7f24c4fc295327923af55b74c3c724533"
+checksum = "92e1cfed4a3038bc5a127e35a2d360f145e1f4b971b551a2ba5fd7aedf7e1347"
 dependencies = [
  "serde_core",
 ]
 
 [[package]]
 name = "toml_parser"
-version = "1.0.4"
+version = "1.0.6+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0cbe268d35bdb4bb5a56a2de88d0ad0eb70af5384a99d648cd4b3d04039800e"
+checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44"
 dependencies = [
  "winnow",
 ]
@@ -371,6 +371,6 @@ checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
 
 [[package]]
 name = "winnow"
-version = "0.7.13"
+version = "0.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21a0236b59786fed61e2a80582dd500fe61f18b5dca67a4a067d0bc9039339cf"
+checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"

Cargo.toml

@@ -9,14 +9,14 @@ resolver = "3"
 
 [workspace.package]
 license = "Apache-2.0"
-version = "0.0.26"
+version = "0.0.28"
 homepage = "https://sprout.edera.dev"
 repository = "https://github.com/edera-dev/sprout"
 edition = "2024"
 
 [workspace.dependencies]
 bitflags = "2.10.0"
-log = "0.4.28"
+log = "0.4.29"
 spin = "0.10.0"
 uefi-raw = "0.13.0"
 
@@ -30,7 +30,7 @@ default-features = false
 features = ["alloc"]
 
 [workspace.dependencies.jaarg]
-version = "0.2.1"
+version = "0.2.2"
 default-features = false
 features = ["alloc"]
 
@@ -48,7 +48,7 @@ version = "1.3.0"
 default-features = false
 
 [workspace.dependencies.toml]
-version = "0.9.8"
+version = "0.9.11"
 default-features = false
 features = ["serde", "parse"]
 

Dockerfile

@@ -2,7 +2,7 @@
 ARG RUST_PROFILE=release
 ARG RUST_TARGET_SUBDIR=release
 
-FROM --platform=$BUILDPLATFORM rust:1.91.1-alpine@sha256:fbcca3e30e26f79986809d5dbfcdbeaaf8d3f8a4475b7a19a973363b45c74d97 AS build
+FROM --platform=$BUILDPLATFORM rust:1.92.0-alpine@sha256:f6c22e0a256c05d44fca23bf530120b5d4a6249a393734884281ca80782329bc AS build
 RUN apk --no-cache add musl-dev busybox-static
 ARG RUST_PROFILE
 RUN adduser -S -s /bin/sh build

crates/boot/src/actions/chainload.rs

@@ -1,4 +1,5 @@
 use crate::context::SproutContext;
+use crate::phases::before_handoff;
 use crate::utils;
 use alloc::boxed::Box;
 use alloc::rc::Rc;
@@ -9,7 +10,6 @@ use eficore::loader::source::ImageSource;
 use eficore::loader::{ImageLoadRequest, ImageLoader};
 use eficore::media_loader::MediaLoaderHandle;
 use eficore::media_loader::constants::linux::LINUX_EFI_INITRD_MEDIA_GUID;
-use log::error;
 use uefi::CString16;
 use uefi::proto::loaded_image::LoadedImage;
 
@@ -21,7 +21,7 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
     // Resolve the path to the image to chainload.
     let resolved = eficore::path::resolve_path(
         Some(context.root().loaded_image_path()?),
-        &context.stamp(&configuration.path),
+        context.stamp(&configuration.path),
     )
     .context("unable to resolve chainload path")?;
 
@@ -38,8 +38,7 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
             .context("unable to open loaded image protocol")?;
 
     // Stamp and combine the options to pass to the image.
-    let options =
-        utils::combine_options(configuration.options.iter().map(|item| context.stamp(item)));
+    let options = utils::combine_options(context.stamp_iter(configuration.options.iter()));
 
     // Pass the load options to the image.
     // If no options are provided, the resulting string will be empty.
@@ -50,6 +49,7 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
             .context("unable to convert chainloader options to CString16")?,
     );
 
+    // Ensure the chainloader options limit is not exceeded.
     if options.num_bytes() > u32::MAX as usize {
         bail!("chainloader options too large");
     }
@@ -88,25 +88,25 @@ pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfigurat
     BootloaderInterface::mark_exec(context.root().timer())
         .context("unable to mark execution of boot entry in bootloader interface")?;
 
+    // Since we are about to hand off control to another image, we need to execute the handoff hook.
+    // This will perform operations like clearing the screen.
+    before_handoff(&context).context("unable to execute before handoff hook")?;
+
     // Start the loaded image.
     // This call might return, or it may pass full control to another image that will never return.
     // Capture the result to ensure we can return an error if the image fails to start, but only
     // after the optional initrd has been unregistered.
     let result = uefi::boot::start_image(*image.handle());
 
-    // Unregister the initrd if it was registered.
-    if let Some(initrd_handle) = initrd_handle
-        && let Err(error) = initrd_handle.unregister()
-    {
-        error!("unable to unregister linux initrd: {}", error);
-    }
-
     // Assert there was no error starting the image.
     result.context("unable to start image")?;
 
     // Explicitly drop the options to clarify the lifetime.
     drop(options);
 
+    // Explicitly drop the initrd handle to clarify when it should be unregistered.
+    drop(initrd_handle);
+
     // Return control to sprout.
     Ok(())
 }

crates/boot/src/actions/edera.rs

@@ -15,26 +15,16 @@ use eficore::media_loader::{
         XEN_EFI_CONFIG_MEDIA_GUID, XEN_EFI_KERNEL_MEDIA_GUID, XEN_EFI_RAMDISK_MEDIA_GUID,
     },
 };
-use log::error;
 use uefi::Guid;
 
 /// Builds a configuration string for the Xen EFI stub using the specified `configuration`.
 fn build_xen_config(context: Rc<SproutContext>, configuration: &EderaConfiguration) -> String {
     // Stamp xen options and combine them.
-    let xen_options = utils::combine_options(
-        configuration
-            .xen_options
-            .iter()
-            .map(|item| context.stamp(item)),
-    );
+    let xen_options = utils::combine_options(context.stamp_iter(configuration.xen_options.iter()));
 
     // Stamp kernel options and combine them.
-    let kernel_options = utils::combine_options(
-        configuration
-            .kernel_options
-            .iter()
-            .map(|item| context.stamp(item)),
-    );
+    let kernel_options =
+        utils::combine_options(context.stamp_iter(configuration.kernel_options.iter()));
 
     // xen config file format is ini-like
     [
@@ -105,7 +95,7 @@ pub fn edera(context: Rc<SproutContext>, configuration: &EderaConfiguration) ->
     )
     .context("unable to register kernel media loader")?;
 
-    // Create a vector of media loaders to unregister on error.
+    // Create a vector of media loaders to drop them only after this function completes.
     let mut media_loaders = vec![config, kernel];
 
     // Register the initrd if it is provided.
@@ -127,12 +117,8 @@ pub fn edera(context: Rc<SproutContext>, configuration: &EderaConfiguration) ->
     )
     .context("unable to chainload to xen");
 
-    // Unregister the media loaders when an error happens.
-    for media_loader in media_loaders {
-        if let Err(error) = media_loader.unregister() {
-            error!("unable to unregister media loader: {}", error);
-        }
-    }
+    // Explicitly drop the media loaders to clarify when they should be unregistered.
+    drop(media_loaders);
 
     result
 }

crates/boot/src/autoconfigure/linux.rs

@@ -1,5 +1,4 @@
 use crate::utils;
-use crate::utils::vercmp;
 use alloc::collections::BTreeMap;
 use alloc::string::{String, ToString};
 use alloc::vec::Vec;
@@ -37,9 +36,9 @@ const INITRAMFS_PREFIXES: &[&str] = &["initramfs", "initrd", "initrd.img"];
 /// and then uses that code improperly by asserting that the pointer is non-null.
 /// To give a good user experience, we place a placeholder value here to ensure it's non-empty.
 /// For stubble, this code ensures the command line pointer becomes null:
-/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L61-L64
+/// <https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L61-L64>
 /// Then this code asserts on it, stopping the boot process:
-/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L27
+/// <https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L27>
 const DEFAULT_LINUX_OPTIONS: &str = "placeholder";
 
 /// Pair of kernel and initramfs.
@@ -186,17 +185,15 @@ pub fn scan(
         return Ok(false);
     }
 
-    // Sort the kernel pairs by kernel version, if it has one, newer kernels first.
-    pairs.sort_by(|a, b| vercmp::compare_versions(&a.kernel, &b.kernel).reverse());
-
     // Generate a unique name for the linux chainload action.
-    let chainload_action_name = format!("{}{}", LINUX_CHAINLOAD_ACTION_PREFIX, root_unique_hash,);
+    let chainload_action_name = format!("{}{}", LINUX_CHAINLOAD_ACTION_PREFIX, root_unique_hash);
 
     // Kernel pairs are detected, generate a list configuration for it.
     let generator = ListConfiguration {
         entry: EntryDeclaration {
             title: "Boot Linux $name".to_string(),
             actions: vec![chainload_action_name.clone()],
+            sort_key: Some("$kernel".to_string()),
             ..Default::default()
         },
         values: pairs

crates/boot/src/autoconfigure/windows.rs

@@ -51,13 +51,14 @@ pub fn scan(
     let chainload_action_name = format!("{}{}", WINDOWS_CHAINLOAD_ACTION_PREFIX, root_unique_hash,);
 
     // Generate an entry name for Windows.
-    let entry_name = format!("auto-windows-{}", root_unique_hash,);
+    let entry_name = format!("auto-windows-{}", root_unique_hash);
 
     // Create an entry for Windows and insert it into the configuration.
     let entry = EntryDeclaration {
         title: "Boot Windows".to_string(),
         actions: vec![chainload_action_name.clone()],
         values: Default::default(),
+        sort_key: None, // Use the default sort key.
     };
     config.entries.insert(entry_name, entry);
 

crates/boot/src/context.rs

@@ -269,6 +269,15 @@ impl SproutContext {
         Self::stamp_values(&self.all_values(), text.as_ref()).1
     }
 
+    /// Stamps all the items from the iterator `input` with all the values in this [SproutContext]
+    /// and it's parents. This calls [self.stamp] on each item.
+    pub fn stamp_iter(
+        &self,
+        input: impl Iterator<Item = impl AsRef<str>>,
+    ) -> impl Iterator<Item = String> {
+        input.map(|item| self.stamp(item))
+    }
+
     /// Unloads a [SproutContext] back into an owned context. This
     /// may not succeed if something else is holding onto the value.
     pub fn unload(self: Rc<SproutContext>) -> Option<SproutContext> {

crates/boot/src/drivers.rs

@@ -18,7 +18,7 @@ fn load_driver(context: Rc<SproutContext>, driver: &DriverDeclaration) -> Result
     // Resolve the path to the driver image.
     let resolved = eficore::path::resolve_path(
         Some(context.root().loaded_image_path()?),
-        &context.stamp(&driver.path),
+        context.stamp(&driver.path),
     )
     .context("unable to resolve path to driver")?;
 

crates/boot/src/entries.rs

@@ -12,6 +12,7 @@ pub struct BootableEntry {
     declaration: EntryDeclaration,
     default: bool,
     pin_name: bool,
+    sort_key: Option<String>,
 }
 
 impl BootableEntry {
@@ -29,6 +30,7 @@ impl BootableEntry {
             declaration,
             default: false,
             pin_name: false,
+            sort_key: None,
         }
     }
 
@@ -107,6 +109,22 @@ impl BootableEntry {
         self.name == needle || self.title == needle
     }
 
+    /// Set the sort key of the entry. This is used to sort entries via version comparison.
+    pub fn set_sort_key(&mut self, sort_key: String) {
+        self.sort_key = Some(sort_key);
+    }
+
+    /// Retrieve a reference to the sort key of the entry. If one is not specified, we will use the
+    /// name of the entry.
+    pub fn sort_key(&self) -> &str {
+        // Use the sort key specified in the bootable entry, or use the declaration sort key,
+        // or use the name of the entry.
+        self.sort_key
+            .as_deref()
+            .or(self.declaration.sort_key.as_deref())
+            .unwrap_or(&self.name)
+    }
+
     /// Find an entry by `needle` inside the entry iterator `haystack`.
     /// This will search for an entry by name, title, or index.
     pub fn find<'a>(

crates/boot/src/generators/bls.rs

@@ -26,7 +26,7 @@ fn quirk_initrd_remove_tuned(input: String) -> String {
 }
 
 /// Sorts two entries according to the BLS sort system.
-/// Reference: https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting
+/// Reference: <https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting>
 fn sort_entries(a: &(BlsEntry, BootableEntry), b: &(BlsEntry, BootableEntry)) -> Ordering {
     // Grab the components of both entries.
     let (a_bls, a_boot) = a;
@@ -206,6 +206,16 @@ pub fn generate(context: Rc<SproutContext>, bls: &BlsConfiguration) -> Result<Ve
     // Sort all the entries according to the BLS sort system.
     entries.sort_by(sort_entries);
 
+    // Grab the number of entries that we have, so we can calculate a reverse index.
+    let entry_count = entries.len();
+
+    // Set the sort keys of all the bootable entries to a semi-unique prefix + the BLS sort order.
+    // The final comparison happens using version comparison, so this will sort
+    // things properly.
+    for (idx, (_bls, boot)) in entries.iter_mut().enumerate() {
+        boot.set_sort_key(format!("bls-{}-{}", path, entry_count - idx - 1));
+    }
+
     // Collect all the bootable entries and return them.
     Ok(entries.into_iter().map(|(_, boot)| boot).collect())
 }

crates/boot/src/generators/list.rs

@@ -22,11 +22,10 @@ pub fn generate(
 
         // Stamp the entry title and actions from the template.
         let mut entry = list.entry.clone();
-        entry.actions = entry
-            .actions
-            .into_iter()
-            .map(|action| context.stamp(action))
-            .collect();
+
+        // Stamp all the actions this entry references.
+        entry.actions = context.stamp_iter(entry.actions.into_iter()).collect();
+
         // Push the entry into the list with the new context.
         entries.push(BootableEntry::new(
             index.to_string(),

crates/boot/src/main.rs

@@ -7,6 +7,7 @@ use crate::context::{RootContext, SproutContext};
 use crate::entries::BootableEntry;
 use crate::options::SproutOptions;
 use crate::phases::phase;
+use crate::utils::vercmp::compare_versions;
 use alloc::collections::BTreeMap;
 use alloc::format;
 use alloc::string::ToString;
@@ -257,6 +258,10 @@ fn run() -> Result<()> {
         }
     }
 
+    // Sort the entries by their sort key, finalizing the order to show entries. This happens
+    // in reverse order so that entries that would come last show up first in the menu.
+    entries.sort_by(|a, b| compare_versions(a.sort_key(), b.sort_key()).reverse());
+
     // Tell the bootloader interface what entries are available.
     BootloaderInterface::set_entries(entries.iter().map(|entry| entry.name()))
         .context("unable to set entries in bootloader interface")?;

crates/boot/src/options.rs

@@ -1,10 +1,9 @@
 use alloc::string::{String, ToString};
-use anyhow::{Context, Result, bail};
+use anyhow::Result;
 use core::ptr::null_mut;
-use jaarg::alloc::ParseMapResult;
 use jaarg::{
     ErrorUsageWriter, ErrorUsageWriterContext, HelpWriter, HelpWriterContext, Opt, Opts,
-    StandardErrorUsageWriter, StandardFullHelpWriter,
+    ParseControl, ParseResult, StandardErrorUsageWriter, StandardFullHelpWriter,
 };
 use log::{error, info};
 use uefi_raw::Status;
@@ -25,6 +24,8 @@ pub struct SproutOptions {
     pub force_menu: bool,
     /// The timeout for the boot menu in seconds.
     pub menu_timeout: Option<u64>,
+    /// Retains the boot console before boot.
+    pub retain_boot_console: bool,
 }
 
 /// The default Sprout options.
@@ -36,6 +37,7 @@ impl Default for SproutOptions {
             boot: None,
             force_menu: false,
             menu_timeout: None,
+            retain_boot_console: false,
         }
     }
 }
@@ -43,34 +45,80 @@ impl Default for SproutOptions {
 /// The options parser mechanism for Sprout.
 impl SproutOptions {
     /// Produces [SproutOptions] from the arguments provided by the UEFI core.
-    /// Internally we utilize the `jaarg` argument parser which has excellent no_std support.
+    /// Internally, we use the `jaarg` argument parser which has excellent no_std support.
     pub fn parse() -> Result<Self> {
+        enum ArgID {
+            Help,
+            AutoConfigure,
+            Config,
+            Boot,
+            ForceMenu,
+            MenuTimeout,
+            RetainBootConsole,
+        }
+
         // All the options for the Sprout executable.
-        const OPTIONS: Opts<&str> = Opts::new(&[
-            Opt::help_flag("help", &["--help"]).help_text("Display Sprout Help"),
-            Opt::flag("autoconfigure", &["--autoconfigure"])
+        const OPTIONS: Opts<ArgID> = Opts::new(&[
+            Opt::help_flag(ArgID::Help, &["--help"]).help_text("Display Sprout Help"),
+            Opt::flag(ArgID::AutoConfigure, &["--autoconfigure"])
                 .help_text("Enable Sprout autoconfiguration"),
-            Opt::value("config", &["--config"], "PATH")
+            Opt::value(ArgID::Config, &["--config"], "PATH")
                 .help_text("Path to Sprout configuration file"),
-            Opt::value("boot", &["--boot"], "ENTRY").help_text("Entry to boot, bypassing the menu"),
-            Opt::flag("force-menu", &["--force-menu"]).help_text("Force showing the boot menu"),
-            Opt::value("menu-timeout", &["--menu-timeout"], "TIMEOUT")
+            Opt::value(ArgID::Boot, &["--boot"], "ENTRY")
+                .help_text("Entry to boot, bypassing the menu"),
+            Opt::flag(ArgID::ForceMenu, &["--force-menu"]).help_text("Force showing the boot menu"),
+            Opt::value(ArgID::MenuTimeout, &["--menu-timeout"], "TIMEOUT")
                 .help_text("Boot menu timeout, in seconds"),
+            Opt::flag(ArgID::RetainBootConsole, &["--retain-boot-console"])
+                .help_text("Retain boot console before boot"),
         ]);
 
         // Acquire the arguments as determined by the UEFI core.
         let args = eficore::env::args()?;
 
+        // Use the default value of sprout options and have the raw options be parsed into it.
+        let mut result = Self::default();
+
         // Parse the OPTIONS into a map using jaarg.
-        let parsed = match OPTIONS.parse_map(
+        match OPTIONS.parse(
             "sprout",
             args.iter(),
-            |program_name| {
+            |program_name, id, _opt, _name, value| {
+                match id {
+                    ArgID::AutoConfigure => {
+                        // Enable autoconfiguration.
+                        result.autoconfigure = true;
+                    }
+                    ArgID::Config => {
+                        // The configuration file to load.
+                        result.config = value.into();
+                    }
+                    ArgID::Boot => {
+                        // The entry to boot.
+                        result.boot = Some(value.into());
+                    }
+                    ArgID::ForceMenu => {
+                        // Force showing of the boot menu.
+                        result.force_menu = true;
+                    }
+                    ArgID::MenuTimeout => {
+                        // The timeout for the boot menu in seconds.
+                        result.menu_timeout = Some(value.parse::<u64>()?);
+                    }
+                    ArgID::RetainBootConsole => {
+                        // Retain the boot console before booting.
+                        result.retain_boot_console = true;
+                    }
+                    ArgID::Help => {
                         let ctx = HelpWriterContext {
                             options: &OPTIONS,
                             program_name,
                         };
                         info!("{}", StandardFullHelpWriter::new(ctx));
+                        return Ok(ParseControl::Quit);
+                    }
+                }
+                Ok(ParseControl::Continue)
             },
             |program_name, error| {
                 let ctx = ErrorUsageWriterContext {
@@ -81,52 +129,14 @@ impl SproutOptions {
                 error!("{}", StandardErrorUsageWriter::new(ctx));
             },
         ) {
-            ParseMapResult::Map(map) => map,
-            ParseMapResult::ExitSuccess => unsafe {
+            ParseResult::ContinueSuccess => Ok(result),
+            ParseResult::ExitSuccess => unsafe {
                 uefi::boot::exit(uefi::boot::image_handle(), Status::SUCCESS, 0, null_mut());
             },
 
-            ParseMapResult::ExitFailure => unsafe {
+            ParseResult::ExitError => unsafe {
                 uefi::boot::exit(uefi::boot::image_handle(), Status::ABORTED, 0, null_mut());
             },
-        };
-
-        // Use the default value of sprout options and have the raw options be parsed into it.
-        let mut result = Self::default();
-
-        for (key, value) in parsed {
-            match key {
-                "autoconfigure" => {
-                    // Enable autoconfiguration.
-                    result.autoconfigure = true;
-                }
-
-                "config" => {
-                    // The configuration file to load.
-                    result.config = value;
-                }
-
-                "boot" => {
-                    // The entry to boot.
-                    result.boot = Some(value);
-                }
-
-                "force-menu" => {
-                    // Force showing of the boot menu.
-                    result.force_menu = true;
-                }
-
-                "menu-timeout" => {
-                    // The timeout for the boot menu in seconds.
-                    let value = value
-                        .parse::<u64>()
-                        .context("menu-timeout must be a number")?;
-                    result.menu_timeout = Some(value);
-                }
-
-                _ => bail!("unknown option: --{key}"),
         }
     }
-        Ok(result)
-    }
 }

crates/boot/src/phases.rs

@@ -6,7 +6,7 @@ use anyhow::{Context, Result};
 use edera_sprout_config::phases::PhaseConfiguration;
 
 /// Executes the specified [phase] of the boot process.
-/// The value [phase] should be a reference of a specific phase in the [PhasesConfiguration].
+/// The value [phase] should be a reference of a specific phase in the `PhasesConfiguration`.
 /// Any error from the actions is propagated into the [Result] and will interrupt further
 /// execution of phase actions.
 pub fn phase(context: Rc<SproutContext>, phase: &[PhaseConfiguration]) -> Result<()> {
@@ -24,3 +24,18 @@ pub fn phase(context: Rc<SproutContext>, phase: &[PhaseConfiguration]) -> Result
     }
     Ok(())
 }
+
+/// Manual hook called by code in the bootloader that hands off to another image.
+/// This is used to perform actions like clearing the screen.
+pub fn before_handoff(context: &SproutContext) -> Result<()> {
+    // If we have not been asked to retain the boot console, then we should clear the screen.
+    if !context.root().options().retain_boot_console {
+        // Clear the screen. We use clear here instead of reset because some firmware,
+        // particularly Dell firmware, does not clear the screen on reset.
+        // We clear both stdout and stderr because it's not guaranteed that they are the same
+        // text output.
+        uefi::system::with_stdout(|stdout| stdout.clear()).context("unable to clear screen")?;
+        uefi::system::with_stderr(|stderr| stderr.clear()).context("unable to clear screen")?;
+    }
+    Ok(())
+}

crates/boot/src/utils/vercmp.rs

@@ -33,7 +33,7 @@ pub fn compare_versions_optional(a: Option<&str>, b: Option<&str>) -> Ordering {
 }
 
 /// Compares two strings using the BLS version comparison specification.
-/// See: https://uapi-group.org/specifications/specs/version_format_specification/
+/// See: <https://uapi-group.org/specifications/specs/version_format_specification/>
 pub fn compare_versions(a: &str, b: &str) -> Ordering {
     // Acquire a peekable iterator for each string.
     let mut a_chars = a.chars().peekable();

crates/build/src/sbat.template.rs

@@ -1,5 +1,5 @@
 /// Define the SBAT attestation by including the sbat.csv file.
-/// See this document for more details: https://github.com/rhboot/shim/blob/main/SBAT.md
+/// See this document for more details: <https://github.com/rhboot/shim/blob/main/SBAT.md>
 /// NOTE: This data must be aligned by 512 bytes.
 #[used]
 #[unsafe(link_section = ".sbat")]

crates/config/src/actions/chainload.rs

@@ -13,7 +13,7 @@ pub struct ChainloadConfiguration {
     #[serde(default)]
     pub options: Vec<String>,
     /// An optional path to a Linux initrd.
-    /// This uses the [LINUX_EFI_INITRD_MEDIA_GUID] mechanism to load the initrd into the EFI stack.
+    /// This uses the `LINUX_EFI_INITRD_MEDIA_GUID` mechanism to load the initrd into the EFI stack.
     /// For Linux, you can also use initrd=\path\to\initrd as an option, but this option is
     /// generally better and safer as it can support additional load options in the future.
     #[serde(default, rename = "linux-initrd")]

crates/config/src/entries.rs

@@ -18,4 +18,7 @@ pub struct EntryDeclaration {
     /// The values to insert into the context when the entry is selected.
     #[serde(default)]
     pub values: BTreeMap<String, String>,
+    /// The key to sort entries, via version comparison.
+    #[serde(default, rename = "sort-key")]
+    pub sort_key: Option<String>,
 }

crates/eficore/src/lib.rs

@@ -1,5 +1,8 @@
-//! Sprout EFI Core.
-//! This crate provides tools for working with the EFI environment.
+//! Sprout EFI core.
+//! This crate provides core EFI functionality for Sprout.
+
+// For some reason this triggers, and I can't figure out why.
+#![allow(rustdoc::bare_urls)]
 #![no_std]
 extern crate alloc;
 

crates/eficore/src/media_loader.rs

@@ -3,6 +3,7 @@ use alloc::vec::Vec;
 use anyhow::{Context, Result, bail};
 use core::ffi::c_void;
 use core::ptr;
+use log::error;
 use uefi::proto::device_path::DevicePath;
 use uefi::proto::device_path::build::DevicePathBuilder;
 use uefi::proto::device_path::build::media::Vendor;
@@ -33,8 +34,7 @@ struct MediaLoaderProtocol {
 }
 
 /// Represents a media loader which has been registered in the UEFI stack.
-/// You MUST call [MediaLoaderHandle::unregister] when ready to unregister.
-/// [Drop] is not implemented for this type.
+/// Calling `drop` on this handle will unregister the media loader.
 pub struct MediaLoaderHandle {
     /// The handle of the media loader in the UEFI stack.
     handle: Handle,
@@ -255,7 +255,7 @@ impl MediaLoaderHandle {
 
     /// Unregisters a media loader from the UEFI stack.
     /// This will free the memory allocated by the passed data.
-    pub fn unregister(self) -> Result<()> {
+    fn unregister(&self) -> Result<()> {
         // SAFETY: We know that the media loader is registered if the handle is valid,
         // so we can safely uninstall it.
         // We should have allocated the pointers involved, so we can safely free them.
@@ -293,3 +293,14 @@ impl MediaLoaderHandle {
         Ok(())
     }
 }
+
+/// Implement drop for the handle to automatically unregister the media loader.
+impl Drop for MediaLoaderHandle {
+    fn drop(&mut self) {
+        // If unregister fails, print an error to the log.
+        // This may leak stuff, but the only other option is to panic.
+        if let Err(error) = self.unregister() {
+            error!("unable to unregister media loader: {}", error);
+        }
+    }
+}

crates/eficore/src/path.rs

@@ -48,8 +48,8 @@ fn cstring16_contains_char(string: &CString16, c: char) -> bool {
 
 /// Parses the input `path` as a [DevicePath].
 /// Uses the [DevicePathFromText] protocol exclusively, and will fail if it cannot acquire the protocol.
-pub fn text_to_device_path(path: &str) -> Result<PoolDevicePath> {
-    let path = CString16::try_from(path).context("unable to convert path to CString16")?;
+pub fn text_to_device_path(path: impl AsRef<str>) -> Result<PoolDevicePath> {
+    let path = CString16::try_from(path.as_ref()).context("unable to convert path to CString16")?;
     let device_path_from_text = uefi::boot::open_protocol_exclusive::<DevicePathFromText>(
         uefi::boot::get_handle_for_protocol::<DevicePathFromText>()
             .context("no device path from text protocol")?,
@@ -113,8 +113,13 @@ pub fn device_path_subpath(path: &DevicePath) -> Result<String> {
 /// Resolve a path specified by `input` to its various components.
 /// Uses `default_root_path` as the base root if one is not specified in the path.
 /// Returns [ResolvedPath] which contains the resolved components.
-pub fn resolve_path(default_root_path: Option<&DevicePath>, input: &str) -> Result<ResolvedPath> {
-    let mut path = text_to_device_path(input).context("unable to convert text to path")?;
+pub fn resolve_path(
+    default_root_path: Option<&DevicePath>,
+    input: impl ToString,
+) -> Result<ResolvedPath> {
+    let mut input = input.to_string();
+
+    let mut path = text_to_device_path(&input).context("unable to convert text to path")?;
     let path_has_device = path
         .node_iter()
         .next()
@@ -125,7 +130,6 @@ pub fn resolve_path(default_root_path: Option<&DevicePath>, input: &str) -> Resu
         .map(|it| it.to_string().contains('('))
         .unwrap_or(false);
     if !path_has_device {
-        let mut input = input.to_string();
         if !input.starts_with('\\') {
             input.insert(0, '\\');
         }

crates/eficore/src/shim.rs

@@ -84,7 +84,7 @@ impl<'a> ShimInput<'a> {
                 let path = path
                     .to_string(DisplayOnly(false), AllowShortcuts(false))
                     .context("unable to convert device path to string")?;
-                let path = crate::path::resolve_path(None, &path.to_string())
+                let path = crate::path::resolve_path(None, path.to_string())
                     .context("unable to resolve path")?;
                 // Read the file path.
                 let data = path.read_file()?;

hack/dev/boot.sh

@@ -40,9 +40,9 @@ else
 			set -- "${@}" -serial stdio
 		else
 			set -- "${@}" \
-				-device virtio-serial-pci,id=vs0 \
-				-chardev stdio,id=stdio0,signal=off \
-				-device virtconsole,chardev=stdio0,id=console0
+				-device 'virtio-serial-pci,id=vs0' \
+				-chardev 'stdio,id=stdio0,signal=off' \
+				-device 'virtconsole,chardev=stdio0,id=console0,name=alpine'
 		fi
 	fi
 
@@ -64,8 +64,8 @@ fi
 
 if [ "${NO_NETWORK}" != "1" ]; then
 	set -- "${@}" \
-		-netdev user,id=network0 \
-		-device virtio-net-pci,netdev=network0
+		-netdev 'user,id=network0' \
+		-device 'virtio-net-pci,netdev=network0'
 fi
 
 rm -f "${FINAL_DIR}/ovmf-boot.fd"
@@ -76,7 +76,7 @@ fi
 # shellcheck disable=SC2086
 set -- "${@}" \
 	-drive "if=pflash,file=${FINAL_DIR}/ovmf-boot.fd,format=raw,readonly=on" \
-	-device nvme,drive=disk1,serial=cafebabe
+	-device 'nvme,drive=disk1,serial=cafebabe'
 
 set -- "${@}" \
 	-drive "if=none,file=${FINAL_DIR}/sprout.img,format=raw,id=disk1,readonly=on"

hack/dev/boot/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598 AS build
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:0d01188e8dd0ac63bf155900fad49279131a876a1ea7fac917c62e87ccb2732d AS build
 ARG BUILDPLATFORM
 ARG EFI_NAME
 RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y \

hack/dev/build.sh

@@ -72,6 +72,7 @@ if [ "${SKIP_KERNEL_BUILD}" != "1" ]; then
 	fi
 
 	copy_from_image "${DOCKER_PREFIX}/sprout-kernel-${TARGET_ARCH}" "kernel.efi" "${FINAL_DIR}/kernel.efi"
+	copy_from_image "${DOCKER_PREFIX}/sprout-kernel-${TARGET_ARCH}" "kernel.modules.tgz" "${FINAL_DIR}/kernel.modules.tgz"
 fi
 
 if [ "${SKIP_VM_BUILD}" != "1" ]; then
@@ -80,8 +81,12 @@ if [ "${SKIP_VM_BUILD}" != "1" ]; then
 		-f hack/dev/vm/Dockerfile.ovmf "${FINAL_DIR}"
 	copy_from_image "${DOCKER_PREFIX}/sprout-ovmf-${TARGET_ARCH}" "ovmf.fd" "${FINAL_DIR}/ovmf.fd"
 	copy_from_image "${DOCKER_PREFIX}/sprout-ovmf-${TARGET_ARCH}" "shell.efi" "${FINAL_DIR}/shell.efi"
+	rm -rf "${FINAL_DIR}/initramfs.build"
+	mkdir -p "${FINAL_DIR}/initramfs.build"
+	cp -r "hack/dev/vm/files" "${FINAL_DIR}/initramfs.build/files"
+	cp "${FINAL_DIR}/kernel.modules.tgz" "${FINAL_DIR}/initramfs.build/kernel.modules.tgz"
 	docker build --platform="${DOCKER_TARGET}" -t "${DOCKER_PREFIX}/sprout-initramfs-${TARGET_ARCH}:${DOCKER_TAG}" \
-		-f hack/dev/vm/Dockerfile.initramfs "hack/dev/vm"
+		-f hack/dev/vm/Dockerfile.initramfs "${FINAL_DIR}/initramfs.build"
 	copy_from_image "${DOCKER_PREFIX}/sprout-initramfs-${TARGET_ARCH}" "initramfs" "${FINAL_DIR}/initramfs"
 
 	if [ -n "${SPROUT_XEN_EFI_OVERRIDE}" ]; then
@@ -108,23 +113,6 @@ if [ "${SKIP_SPROUT_BUILD}" != "1" ]; then
 	cp "hack/dev/configs/${SPROUT_CONFIG_NAME}.sprout.toml" "${FINAL_DIR}/sprout.toml"
 	cp "hack/dev/configs/xen.cfg" "${FINAL_DIR}/xen.cfg"
 	cp "hack/dev/configs/bls.conf" "${FINAL_DIR}/bls.conf"
-
-	mkdir -p "${FINAL_DIR}/efi/EFI/BOOT"
-	cp "${FINAL_DIR}/sprout.efi" "${FINAL_DIR}/efi/EFI/BOOT/${EFI_NAME}.EFI"
-	if [ -f "${FINAL_DIR}/kernel.efi" ]; then
-		cp "${FINAL_DIR}/kernel.efi" "${FINAL_DIR}/efi/EFI/BOOT/KERNEL.EFI"
-	fi
-	if [ -f "${FINAL_DIR}/shell.efi" ]; then
-		cp "${FINAL_DIR}/shell.efi" "${FINAL_DIR}/efi/EFI/BOOT/SHELL.EFI"
-	fi
-	if [ -f "${FINAL_DIR}/xen.efi" ]; then
-		cp "${FINAL_DIR}/xen.efi" "${FINAL_DIR}/efi/EFI/BOOT/XEN.EFI"
-	fi
-	if [ -f "${FINAL_DIR}/xen.cfg" ]; then
-		cp "${FINAL_DIR}/xen.cfg" "${FINAL_DIR}/efi/EFI/BOOT/XEN.CFG"
-	fi
-	cp "${FINAL_DIR}/sprout.toml" "${FINAL_DIR}/efi/SPROUT.TOML"
-	cp "${FINAL_DIR}/initramfs" "${FINAL_DIR}/efi/INITRAMFS"
 fi
 
 if [ "${SKIP_BOOT_BUILD}" != "1" ]; then

hack/dev/configs/xen.cfg

@@ -3,5 +3,5 @@ default=sprout
 
 [sprout]
 options=clocksource=tsc smp=on smt=on ioapic_ack=new dom0_vcpus_pin=on spec-ctrl=gds-mit=no noreboot console=com1
-kernel=\EFI\BOOT\KERNEL.EFI console=hvc0
-ramdisk=\initramfs
+kernel=\VMLINUZ console=hvc0
+ramdisk=\INITRAMFS

hack/dev/kernel/Dockerfile

@@ -1,7 +1,7 @@
-ARG KERNEL_SOURCE_URL=https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.17.8.tar.xz
-ARG KERNEL_CHECKSUM=sha256:5a8de64a75fca706c01c6c0a77cf75a74618439db195e25f1f0268af6b2fb1da
+ARG KERNEL_SOURCE_URL=https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.18.2.tar.xz
+ARG KERNEL_CHECKSUM=sha256:558c6bbab749492b34f99827fe807b0039a744693c21d3a7e03b3a48edaab96a
 
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598 AS buildenv
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:0d01188e8dd0ac63bf155900fad49279131a876a1ea7fac917c62e87ccb2732d AS buildenv
 RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y \
       build-essential squashfs-tools python3-yaml \
       patch diffutils sed mawk findutils zstd \
@@ -32,6 +32,9 @@ ENV BUILDPLATFORM=${BUILDPLATFORM}
 ENV TARGETPLATFORM=${TARGETPLATFORM}
 WORKDIR /build/src
 RUN /build/docker-build.sh
+COPY --chown=build:build docker-install.sh /build/docker-install.sh
+RUN /build/docker-install.sh
 
 FROM scratch AS final
 COPY --from=build /build/src/kernel.image /kernel.efi
+COPY --from=build /build/src/kernel.modules.tgz /kernel.modules.tgz

hack/dev/kernel/docker-build.sh

@@ -28,17 +28,27 @@ else
 	exit 1
 fi
 
+echo "CROSS_COMPILE=${MAYBE_CROSS_COMPILE}" > kernel.buildenv
+echo "TARGET_KARCH=${TARGET_KARCH}" >> kernel.buildenv
+
 make CROSS_COMPILE="${MAYBE_CROSS_COMPILE}" ARCH="${TARGET_KARCH}" defconfig
 if [ "${TARGET_KARCH}" = "x86_64" ]; then
 	make CROSS_COMPILE="${MAYBE_CROSS_COMPILE}" ARCH="${TARGET_KARCH}" xen.config
 	./scripts/config -e XEN_PV
 	./scripts/config -e XEN_PV_DOM0
 fi
-make CROSS_COMPILE="${MAYBE_CROSS_COMPILE}" ARCH="${TARGET_KARCH}" mod2yesconfig
+
+./scripts/config -e IPV6
+
+./scripts/config -e BPF_SYSCALL
 
 ./scripts/config -e UEVENT_HELPER
 ./scripts/config --set-str UEVENT_HELPER_PATH "/sbin/hotplug"
 
+./scripts/config -e SYN_COOKIES
+
+./scripts/config -d DEBUG_STACK_USAGE
+
 ./scripts/config -e DRM_VIRTIO_GPU
 ./scripts/config -e FRAMEBUFFER_CONSOLE
 ./scripts/config -e FRAMEBUFFER_CONSOLE_DETECT_PRIMARY
@@ -46,8 +56,11 @@ make CROSS_COMPILE="${MAYBE_CROSS_COMPILE}" ARCH="${TARGET_KARCH}" mod2yesconfig
 
 ./scripts/config -e XEN_DOM0
 
+make CROSS_COMPILE="${MAYBE_CROSS_COMPILE}" ARCH="${TARGET_KARCH}" mod2noconfig
+
 make "-j$(nproc)" CROSS_COMPILE="${MAYBE_CROSS_COMPILE}" ARCH="${TARGET_KARCH}"
 
 [ -f "arch/x86/boot/bzImage" ] && cp "arch/x86/boot/bzImage" kernel.image
 [ -f "arch/arm64/boot/Image.gz" ] && gzip -d <"arch/arm64/boot/Image.gz" >kernel.image
+
 exit 0

hack/dev/kernel/docker-install.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+. /build/src/kernel.buildenv
+
+[ -f "arch/x86/boot/bzImage" ] && cp "arch/x86/boot/bzImage" kernel.image
+[ -f "arch/arm64/boot/Image.gz" ] && gzip -d <"arch/arm64/boot/Image.gz" >kernel.image
+
+make CROSS_COMPILE="${MAYBE_CROSS_COMPILE}" ARCH="${TARGET_KARCH}" INSTALL_MOD_PATH="/build/install" modules_install
+cd /build/install
+tar czpf /build/src/kernel.modules.tgz .

hack/dev/utils/Dockerfile.copy-direct

@@ -1 +1 @@
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:0d01188e8dd0ac63bf155900fad49279131a876a1ea7fac917c62e87ccb2732d

hack/dev/utils/Dockerfile.copy-polyfill

@@ -1,4 +1,4 @@
 ARG TARGET_IMAGE=scratch
 FROM ${TARGET_IMAGE} AS image
-FROM --platform=$BUILDPLATFORM debian:trixie@sha256:01a723bf5bfb21b9dda0c9a33e0538106e4d02cce8f557e118dd61259553d598 AS final
+FROM --platform=$BUILDPLATFORM debian:trixie@sha256:0d01188e8dd0ac63bf155900fad49279131a876a1ea7fac917c62e87ccb2732d AS final
 COPY --from=image / /image

hack/dev/vm/Dockerfile.initramfs

@@ -1,5 +1,5 @@
-FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS rootfs
-RUN apk --no-cache add alpine-base tzdata ifupdown-ng agetty
+FROM alpine:3.23@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 AS rootfs
+RUN apk --no-cache add alpine-base tzdata wireless-regdb ifupdown-ng agetty
 RUN rc-update add devfs sysinit && \
     rc-update add dmesg sysinit && \
     rc-update add mdev sysinit && \
@@ -18,9 +18,10 @@ RUN rc-update add devfs sysinit && \
     rm /etc/motd && \
     ln -s /usr/share/zoneinfo/UTC /etc/localtime && \
     echo 'hvc0::respawn:/sbin/agetty --autologin root -L hvc0 115200 vt100' >> /etc/inittab
+ADD kernel.modules.tgz /
 COPY files/interfaces /etc/network/interfaces
 
-FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS build
+FROM alpine:3.23@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 AS build
 COPY --from=rootfs / /rootfs
 WORKDIR /rootfs
 RUN find . | cpio -R 0:0 --ignore-devno --renumber-inodes -o -H newc --quiet > /initramfs

hack/dev/vm/Dockerfile.ovmf

@@ -1,4 +1,4 @@
-FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS build
+FROM alpine:3.23@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 AS build
 ARG TARGETPLATFORM
 RUN if [ "${TARGETPLATFORM}" = "linux/amd64" ] || [ "${TARGETPLATFORM}" = "linux/x86_64" ]; then \
       apk --no-cache add ovmf edk2-shell; cp /usr/share/ovmf/bios.bin /ovmf.fd; fi

hack/dev/vm/Dockerfile.xen

@@ -1,4 +1,4 @@
-FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS build
+FROM alpine:3.23@sha256:865b95f46d98cf867a156fe4a135ad3fe50d2056aa3f25ed31662dff6da4eb62 AS build
 ARG TARGETPLATFORM
 RUN apk add --no-cache xen-hypervisor && cp /usr/lib/efi/xen.efi /xen.efi
 

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.91.1"
+channel = "1.92.0"
 components = ["rustfmt", "clippy"]
 targets = ["x86_64-unknown-uefi", "aarch64-unknown-uefi"]