Merge pull request #40 from edera-dev/chore/release-v0.0.26

chore(release): sprout: version 0.0.26

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,42 @@
+name: Report a bug
+description: File a bug report.
+title: "bug: "
+labels: ["bug", "triage"]
+type: bug
+assignees:
+- edera-dev/engineering
+body:
+- type: markdown
+  attributes:
+    value: |
+      Thanks for taking the time to fill out this bug report!
+- type: input
+  id: version
+  attributes:
+    label: Version / Commit
+    description: What version of Sprout are you running?
+  validations:
+    required: true
+- type: textarea
+  id: what-happened
+  attributes:
+    label: What happened?
+    description: Tell us what you expected to happen.
+    placeholder: Tell us what you see!
+    value: "A bug happened!"
+  validations:
+    required: true
+- type: textarea
+  id: logs
+  attributes:
+    label: Log output
+    description: Please provide any relevant log output.
+    render: log
+- type: checkboxes
+  id: terms
+  attributes:
+    label: Code of Conduct
+    description: By submitting this report, you agree to follow our [Code of Conduct](https://github.com/edera-dev/sprout/blob/main/CODE_OF_CONDUCT.md).
+    options:
+    - label: I agree to follow the Sprout Code of Conduct.
+      required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,6 @@
+blank_issues_enabled: false
+contact_links:
+- name: Ask a question
+  url: https://github.com/edera-dev/sprout/discussions
+  about: Please ask and answer questions here.
+# Note that GitHub will automatically display our security policy in the new issue form.

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,29 @@
+name: Request a feature
+description: Request a feature.
+title: "want: "
+labels: ["enhancement", "triage"]
+type: feature
+assignees:
+- edera-dev/engineering
+body:
+- type: markdown
+  attributes:
+    value: |
+      Thanks for taking the time to fill out a feature request!
+- type: textarea
+  id: description
+  attributes:
+    label: Description
+    description:
+    placeholder: Tell us what you want to see!
+    value: "Your hopes and dreams here!"
+  validations:
+    required: true
+- type: checkboxes
+  id: terms
+  attributes:
+    label: Code of Conduct
+    description: By submitting this report, you agree to follow our [Code of Conduct](https://github.com/edera-dev/sprout/blob/main/CODE_OF_CONDUCT.md).
+    options:
+    - label: I agree to follow the Sprout Code of Conduct.
+      required: true

.github/workflows/ci-actions.yml

@@ -1,14 +1,20 @@
 name: zizmor
 
 on:
-  push:
-    branches: ["main"]
   pull_request:
-    branches: ["**"]
+    branches:
+    - main
+  push:
+    branches:
+    - main
 
 permissions:
   contents: read # Needed to checkout the repository.
 
+concurrency:
+  group: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.sha }}"
+  cancel-in-progress: true
+
 jobs:
   zizmor:
     name: zizmor
@@ -24,12 +30,12 @@ jobs:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
 
     - name: setup uv
-      uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
     - name: zizmor
       run: uvx zizmor --pedantic --format sarif . > results.sarif
@@ -37,7 +43,7 @@ jobs:
         GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
     - name: upload
-      uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: results.sarif
         category: zizmor

.github/workflows/ci-code.yml

@@ -11,6 +11,10 @@ on:
 permissions:
   contents: read # Needed to checkout the repository.
 
+concurrency:
+  group: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.sha }}"
+  cancel-in-progress: true
+
 jobs:
   rustfmt:
     name: rustfmt
@@ -22,7 +26,7 @@ jobs:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
 
@@ -52,7 +56,7 @@ jobs:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
 
@@ -81,7 +85,7 @@ jobs:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
 

.github/workflows/codeql.yml

@@ -1,16 +1,22 @@
 name: codeql
 
 on:
-  push:
-    branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches:
+    - main
+  push:
+    branches:
+    - main
   schedule:
   - cron: '33 16 * * 0'
 
 permissions:
   contents: read # Needed to checkout the repository.
 
+concurrency:
+  group: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.sha }}"
+  cancel-in-progress: true
+
 jobs:
   analyze:
     name: analyze (${{ matrix.language }})
@@ -36,18 +42,18 @@ jobs:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
 
     - name: initialize codeql
-      uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 #v4
+      uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
         config-file: ./.github/codeql/codeql-config.yaml
 
     - name: perform codeql analysis
-      uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 #v4
+      uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/publish.yml

@@ -0,0 +1,55 @@
+name: publish
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+
+permissions:
+  contents: read # Needed to checkout the repository.
+
+concurrency:
+  group: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ github.sha }}"
+  cancel-in-progress: true
+
+jobs:
+  artifacts:
+    name: artifacts
+    permissions:
+      contents: write # Needed to upload artifacts.
+      id-token: write # Needed for attestation.
+      attestations: write # Needed for attestations.
+    runs-on: ubuntu-latest
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - name: checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+
+    - name: 'install rust toolchain'
+      run: |
+        cargo version
+
+    - name: 'assemble artifacts'
+      run: ./hack/assemble.sh
+
+    - name: 'upload artifacts'
+      id: upload
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      with:
+        name: artifacts
+        path: target/assemble/*
+
+    - name: 'attest artifacts'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-name: artifacts.zip
+        subject-digest: "sha256:${{ steps.upload.outputs.artifact-digest }}"

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: publish
+name: release
 
 on:
   workflow_dispatch:
@@ -8,28 +8,20 @@ on:
         required: true
         type: string
 
-  push:
-    branches:
-    - main
-
-  pull_request:
-    branches:
-    - main
-    paths:
-    - bin/**
-    - src/**
-    - Cargo.*
-    - rust-toolchain.toml
-    - .github/workflows/publish.yaml
-
 permissions:
   contents: read # Needed to checkout the repository.
 
+concurrency:
+  group: "${{ github.workflow }}-${{ github.event.inputs.release-tag }}"
+  cancel-in-progress: true
+
 jobs:
-  artifacts:
-    name: artifacts
+  release:
+    name: release
     permissions:
-      contents: write # Needed to upload release assets and artifacts.
+      contents: write # Needed to upload release assets.
+      id-token: write # Needed for attestation.
+      attestations: write # Needed for attestations.
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
@@ -38,7 +30,7 @@ jobs:
         egress-policy: audit
 
     - name: checkout
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
 
@@ -46,23 +38,16 @@ jobs:
       run: |
         cargo version
 
-    - name: 'assemble artifacts'
+    - name: 'assemble release artifacts'
       run: ./hack/assemble.sh
 
-    - name: 'upload sprout-x86_64.efi artifact'
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+    - name: 'attest release artifacts'
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
       with:
-        name: sprout-x86_64.efi
-        path: target/assemble/sprout-x86_64.efi
-
-    - name: 'upload sprout-aarch64.efi artifact'
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-      with:
-        name: sprout-aarch64.efi
-        path: target/assemble/sprout-aarch64.efi
+        subject-path: target/assemble/*
 
     - name: 'generate cultivator token'
-      uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+      uses: actions/create-github-app-token@bf559f85448f9380bcfa2899dbdc01eb5b37be3a # v3.0.0-beta.2
       id: generate-token
       with:
         app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"

Cargo.lock

@@ -2,24 +2,12 @@
 # It is not intended for manual editing.
 version = 4
 
-[[package]]
-name = "adler2"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
-
 [[package]]
 name = "anyhow"
 version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
 
-[[package]]
-name = "autocfg"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
-
 [[package]]
 name = "bit_field"
 version = "0.10.3"
@@ -28,102 +16,130 @@ checksum = "1e4b40c7323adcfc0a41c4b88143ed58346ff65a288fc144329c5c45e05d70c6"
 
 [[package]]
 name = "bitflags"
-version = "2.9.4"
+version = "2.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2261d10cca569e4643e526d8dc2e62e433cc8aba21ab764233731f8d369bf394"
+checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3"
 
 [[package]]
-name = "bytemuck"
-version = "1.24.0"
+name = "block-buffer"
+version = "0.10.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fbdf580320f38b612e485521afda1ee26d10cc9884efaaa750d383e13e3c5f4"
-
-[[package]]
-name = "byteorder-lite"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f1fe948ff07f4bd06c30984e69f5b4899c516a3ef74f34df92a2df2ab535495"
-
-[[package]]
-name = "cfg-if"
-version = "1.0.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2fd1289c04a9ea8cb22300a459a72a385d7c73d3259e2ed7dcb2af674838cfa9"
-
-[[package]]
-name = "crc32fast"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
 dependencies = [
- "cfg-if",
+ "generic-array",
 ]
 
 [[package]]
-name = "edera-sprout"
-version = "0.0.4"
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "crypto-common",
+]
+
+[[package]]
+name = "edera-sprout-boot"
+version = "0.0.26"
 dependencies = [
  "anyhow",
- "image",
+ "edera-sprout-build",
+ "edera-sprout-config",
+ "edera-sprout-eficore",
+ "hex",
+ "jaarg",
  "log",
- "serde",
+ "sha2",
  "toml",
  "uefi",
  "uefi-raw",
 ]
 
 [[package]]
-name = "equivalent"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+name = "edera-sprout-build"
+version = "0.0.26"
 
 [[package]]
-name = "fdeflate"
-version = "0.3.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
+name = "edera-sprout-config"
+version = "0.0.26"
 dependencies = [
- "simd-adler32",
+ "serde",
 ]
 
 [[package]]
-name = "flate2"
-version = "1.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04bcaeafafdd3cd1cb5d986ff32096ad1136630207c49b9091e3ae541090d938"
+name = "edera-sprout-eficore"
+version = "0.0.26"
 dependencies = [
- "crc32fast",
- "miniz_oxide",
+ "anyhow",
+ "bitflags",
+ "log",
+ "shlex",
+ "spin",
+ "uefi",
+ "uefi-raw",
 ]
 
 [[package]]
-name = "hashbrown"
-version = "0.16.0"
+name = "generic-array"
+version = "0.14.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d"
-
-[[package]]
-name = "image"
-version = "0.25.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "529feb3e6769d234375c4cf1ee2ce713682b8e76538cb13f9fc23e1400a591e7"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
 dependencies = [
- "bytemuck",
- "byteorder-lite",
- "moxcms",
- "num-traits",
- "png",
+ "typenum",
+ "version_check",
 ]
 
 [[package]]
-name = "indexmap"
-version = "2.11.4"
+name = "hex"
+version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+
+[[package]]
+name = "jaarg"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b216e5405f7e759ee0d16007f9d5c3346f9803a2e86cf01fc8df8baac43d0fa"
+
+[[package]]
+name = "libc"
+version = "0.2.177"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"
+
+[[package]]
+name = "lock_api"
+version = "0.4.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965"
 dependencies = [
- "equivalent",
- "hashbrown",
+ "scopeguard",
 ]
 
 [[package]]
@@ -132,52 +148,11 @@ version = "0.4.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
 
-[[package]]
-name = "miniz_oxide"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
-dependencies = [
- "adler2",
- "simd-adler32",
-]
-
-[[package]]
-name = "moxcms"
-version = "0.7.6"
-source = "git+https://github.com/edera-dev/sprout-patched-deps.git?rev=2c4fcc84b50d40c28f540d4271109ea0ca7e1268#2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-dependencies = [
- "num-traits",
- "pxfm",
-]
-
-[[package]]
-name = "num-traits"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-dependencies = [
- "autocfg",
-]
-
-[[package]]
-name = "png"
-version = "0.18.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97baced388464909d42d89643fe4361939af9b7ce7a31ee32a168f832a70f2a0"
-dependencies = [
- "bitflags",
- "crc32fast",
- "fdeflate",
- "flate2",
- "miniz_oxide",
-]
-
 [[package]]
 name = "proc-macro2"
-version = "1.0.101"
+version = "1.0.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "89ae43fd86e4158d6db51ad8e2b80f313af9cc74f5c0e03ccb87de09998732de"
+checksum = "5ee95bc4ef87b8d5ba32e8b7714ccc834865276eab0aed5c9958d00ec45f49e8"
 dependencies = [
  "unicode-ident",
 ]
@@ -202,24 +177,21 @@ dependencies = [
  "syn",
 ]
 
-[[package]]
-name = "pxfm"
-version = "0.1.24"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83f9b339b02259ada5c0f4a389b7fb472f933aa17ce176fd2ad98f28bb401fde"
-dependencies = [
- "num-traits",
-]
-
 [[package]]
 name = "quote"
-version = "1.0.41"
+version = "1.0.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
 dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -260,15 +232,36 @@ dependencies = [
 ]
 
 [[package]]
-name = "simd-adler32"
-version = "0.3.7"
-source = "git+https://github.com/edera-dev/sprout-patched-deps.git?rev=2c4fcc84b50d40c28f540d4271109ea0ca7e1268#2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
+name = "sha2"
+version = "0.10.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "shlex"
+version = "1.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
+
+[[package]]
+name = "spin"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5fe4ccb98d9c292d56fec89a5e07da7fc4cf0dc11e156b41793132775d3e591"
+dependencies = [
+ "lock_api",
+]
 
 [[package]]
 name = "syn"
-version = "2.0.106"
+version = "2.0.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ede7c438028d4436d71104916910f5bb611972c5cfd7f89b8300a8186e6fada6"
+checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -281,12 +274,10 @@ version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0dc8b1fb61449e27716ec0e1bdf0f6b8f3e8f6b05391e8497b8b6d7804ea6d8"
 dependencies = [
- "indexmap",
  "serde_core",
  "serde_spanned",
  "toml_datetime",
  "toml_parser",
- "toml_writer",
  "winnow",
 ]
 
@@ -309,10 +300,10 @@ dependencies = [
 ]
 
 [[package]]
-name = "toml_writer"
-version = "1.0.4"
+name = "typenum"
+version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df8b2b54733674ad286d16267dcfc7a71ed5c776e4ac7aa3c3e2561f7c637bf2"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
 
 [[package]]
 name = "ucs2"
@@ -325,9 +316,9 @@ dependencies = [
 
 [[package]]
 name = "uefi"
-version = "0.35.0"
+version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da7569ceafb898907ff764629bac90ac24ba4203c38c33ef79ee88c74aa35b11"
+checksum = "71fe9058b73ee2b6559524af9e33199c13b2485ddbf3ad1181b68051cdc50c17"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -341,9 +332,9 @@ dependencies = [
 
 [[package]]
 name = "uefi-macros"
-version = "0.18.1"
+version = "0.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3dad47b3af8f99116c0f6d4d669c439487d9aaf1c8d9480d686cda6f3a8aa23"
+checksum = "4687412b5ac74d245d5bfb1733ede50c31be19bf8a4b6a967a29b451bab49e67"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -352,9 +343,9 @@ dependencies = [
 
 [[package]]
 name = "uefi-raw"
-version = "0.11.0"
+version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7cad96b8baaf1615d3fdd0f03d04a0b487d857c1b51b19dcbfe05e2e3c447b78"
+checksum = "7f64fe59e11af447d12fd60a403c74106eb104309f34b4c6dbce6e927d97da9d"
 dependencies = [
  "bitflags",
  "uguid",
@@ -362,15 +353,21 @@ dependencies = [
 
 [[package]]
 name = "uguid"
-version = "2.2.0"
+version = "2.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab14ea9660d240e7865ce9d54ecdbd1cd9fa5802ae6f4512f093c7907e921533"
+checksum = "0c8352f8c05e47892e7eaf13b34abd76a7f4aeaf817b716e88789381927f199c"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.19"
+version = "1.0.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d"
+checksum = "9312f7c4f6ff9069b165498234ce8be658059c6728633667c526e27dc2cf1df5"
+
+[[package]]
+name = "version_check"
+version = "0.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
 
 [[package]]
 name = "winnow"

Cargo.toml

@@ -1,37 +1,67 @@
-[package]
-name = "edera-sprout"
-description = "Modern UEFI bootloader"
+[workspace]
+members = [
+  "crates/boot",
+  "crates/build",
+  "crates/config",
+  "crates/eficore",
+]
+resolver = "3"
+
+[workspace.package]
 license = "Apache-2.0"
-version = "0.0.4"
+version = "0.0.26"
 homepage = "https://sprout.edera.dev"
 repository = "https://github.com/edera-dev/sprout"
 edition = "2024"
 
-[dependencies]
-anyhow = "1.0.100"
-toml = "0.9.8"
+[workspace.dependencies]
+bitflags = "2.10.0"
 log = "0.4.28"
+spin = "0.10.0"
+uefi-raw = "0.13.0"
 
-[dependencies.image]
-version = "0.25.6"
+[workspace.dependencies.anyhow]
+version = "1.0.100"
 default-features = false
-features = ["png"]
-optional = true
 
-[dependencies.serde]
+[workspace.dependencies.hex]
+version = "0.4.3"
+default-features = false
+features = ["alloc"]
+
+[workspace.dependencies.jaarg]
+version = "0.2.1"
+default-features = false
+features = ["alloc"]
+
+[workspace.dependencies.serde]
 version = "1.0.228"
-features = ["derive"]
+default-features = false
+features = ["alloc", "derive"]
 
-[dependencies.uefi]
-version =  "0.35.0"
-features = ["alloc", "logger"]
+[workspace.dependencies.sha2]
+version = "0.10.9"
+default-features = false
 
-[dependencies.uefi-raw]
-version =  "0.11.0"
+[workspace.dependencies.shlex]
+version = "1.3.0"
+default-features = false
 
-[features]
-default = ["splash"]
-splash = ["dep:image"]
+[workspace.dependencies.toml]
+version = "0.9.8"
+default-features = false
+features = ["serde", "parse"]
+
+[workspace.dependencies.uefi]
+version = "0.36.1"
+default-features = false
+features = ["alloc", "global_allocator", "panic_handler"]
+
+# Common build profiles
+# NOTE: We have to compile everything for opt-level = 2 due to optimization passes
+# which don't handle the UEFI target properly.
+[profile.dev]
+opt-level = 2
 
 [profile.release]
 lto = "thin"
@@ -46,15 +76,4 @@ debug = 1
 inherits = "dev"
 strip = "debuginfo"
 debug = 0
-
-[patch.crates-io.simd-adler32]
-git = "https://github.com/edera-dev/sprout-patched-deps.git"
-rev = "2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
-[patch.crates-io.moxcms]
-git = "https://github.com/edera-dev/sprout-patched-deps.git"
-rev = "2c4fcc84b50d40c28f540d4271109ea0ca7e1268"
-
-[[bin]]
-name = "sprout"
-path = "src/main.rs"
+opt-level = 2

DEVELOPMENT.md

@@ -5,16 +5,23 @@ This guide is a work in progress.
 ## Development Setup
 
 You can use any Rust development environment to develop Sprout.
-
 Rustup is recommended as the Rust toolchain manager to manage Rust versions and targets.
-
-Sprout currently requires Rust nightly to support uefi_std. See [uefi_std](https://doc.rust-lang.org/beta/rustc/platform-support/unknown-uefi.html) for more details.
-
 We currently only support `x86_64-unknown-uefi` and `aarch64-unknown-uefi` targets.
 
 To test your changes in QEMU, please run `./hack/dev/boot.sh`, you can specify `x86_64` or `aarch64`
 as an argument to boot.sh to boot the specified architecture.
 
+## Crate Structure
+
+Sprout is split into multiple crates:
+
+- `edera-sprout-boot` as `crates/boot`: Bootloader entrypoint for Sprout.
+- `edera-sprout-build` at `crates/build`: Build logic for Sprout.
+- `edera-sprout-config` at `crates/config`: Serialization structures for the Sprout configuration file.
+- `edera-sprout-eficore` at `crates/eficore`: Core library for Sprout EFI code.
+
+It is intended that overtime Sprout will be split into even more crates.
+
 ## Hack Scripts
 
 You can use the `./hack` scripts to run common development tasks:

Dockerfile

@@ -2,7 +2,7 @@
 ARG RUST_PROFILE=release
 ARG RUST_TARGET_SUBDIR=release
 
-FROM --platform=$BUILDPLATFORM rustlang/rust:nightly-alpine@sha256:141e9a7f13f77237dd4d462364c3a1b21cb8a6791d8924c409573e77b788af5e AS build
+FROM --platform=$BUILDPLATFORM rust:1.91.1-alpine@sha256:fbcca3e30e26f79986809d5dbfcdbeaaf8d3f8a4475b7a19a973363b45c74d97 AS build
 RUN apk --no-cache add musl-dev busybox-static
 ARG RUST_PROFILE
 RUN adduser -S -s /bin/sh build

README.md

@@ -1,16 +1,16 @@
 <div align="center">
 
-![Sprout Logo](assets/logo.png)
+![Sprout Logo](assets/logo-small.png)
 
 # Sprout
 
 </div>
 
-Sprout is an **EXPERIMENTAL** programmable UEFI bootloader written in Rust.
+Sprout is a programmable UEFI bootloader written in Rust.
 
-Sprout is in use at Edera today in development environments and is intended to ship to production soon.
+It is in use at Edera today in development environments and is intended to ship to production soon.
 
-The name "sprout" is derived from our company name "Edera" which means "ivy."
+The name "Sprout" is derived from our company name "Edera" which means "ivy."
 Given that Sprout is the first thing intended to start on an Edera system, the name was apt.
 
 It supports `x86_64` and `ARM64` EFI-capable systems. It is designed to require UEFI and can be chainloaded from an
@@ -18,9 +18,46 @@ existing UEFI bootloader or booted by the hardware directly.
 
 Sprout is licensed under Apache 2.0 and is open to modifications and contributions.
 
+**NOTE**: Sprout is still in beta. Some features may not work as expected.
+Please [report any bugs you find](https://github.com/edera-dev/sprout/issues/new/choose).
+
+## Background
+
+At [Edera] we make compute isolation technology for a wide variety of environments, often ones we do not fully control.
+Our technology uses a hypervisor to boot the host system to provide a new isolation mechanism that works
+with or without hardware virtualization support. To do this, we need to inject our hypervisor at boot time.
+
+Unfortunately, GRUB, the most common bootloader on Linux systems today, uses a shell-script like
+configuration system. Both the code that runs to generate a GRUB config and the GRUB config
+itself is fully turing complete. This makes modifying boot configuration difficult and error-prone.
+
+Sprout was designed to take in a machine-readable, writable, and modifiable configuration that treats boot information
+like data plus configuration, and can be chained from both UEFI firmware and GRUB alike.
+
+Sprout aims to be flexible, secure, and modern. Written in Rust, it handles data safely and uses unsafe code as little
+as possible. It also critically must be easy to install into all common distributions, relying on simple principles to
+simplify installation and usage.
+
 ## Documentation
 
-- [Fedora Setup Guide]
+### Setup Guides
+
+Some guides support Secure Boot and some do not.
+We recommend running Sprout without Secure Boot for development, and with Secure Boot for production.
+
+| Operating System | Secure Boot Enabled | Link                                                  |
+|------------------|---------------------|-------------------------------------------------------|
+| Fedora           | ✅                   | [Setup Guide](./docs/setup/signed/fedora.md)          |
+| Debian           | ✅                   | [Setup Guide](./docs/setup/signed/debian.md)          |
+| Ubuntu           | ✅                   | [Setup Guide](./docs/setup/signed/ubuntu.md)          |
+| openSUSE         | ✅                   | [Setup Guide](./docs/setup/signed/opensuse.md)        |
+| Fedora           | ❌                   | [Setup Guide](./docs/setup/unsigned/fedora.md)        |
+| Alpine Edge      | ❌                   | [Setup Guide](./docs/setup/unsigned/alpine-edge.md)   |
+| Generic Linux    | ❌                   | [Setup Guide](./docs/setup/unsigned/generic-linux.md) |
+| Windows          | ❌                   | [Setup Guide](./docs/setup/unsigned/windows.md)       |
+
+### Project Documentation
+
 - [Development Guide]
 - [Contributing Guide]
 - [Sprout License]
@@ -29,30 +66,31 @@ Sprout is licensed under Apache 2.0 and is open to modifications and contributio
 
 ## Features
 
-NOTE: Currently, Sprout is experimental and is not intended for production use. For example, it doesn't currently
-have secure boot support. In fact, as of writing, it doesn't even have a boot menu. Instead, it boots the first entry it sees, or fails.
-
 ### Current
 
 - [x] Loadable driver support
-- [x] [Bootloader specification (BLS)](https://uapi-group.org/specifications/specs/boot_loader_specification/) support
+- [x] Basic [Bootloader specification (BLS)](https://uapi-group.org/specifications/specs/boot_loader_specification/) support
 - [x] Chainload support
 - [x] Linux boot support via EFI stub
+- [x] Windows boot support via chainload
 - [x] Load Linux initrd from disk
-- [x] Boot first configured entry
+- [x] Basic boot menu
+- [x] BLS autoconfiguration support
+- [x] [Secure Boot support](https://github.com/edera-dev/sprout/issues/20): beta
+- [x] [Bootloader interface support](https://github.com/edera-dev/sprout/issues/21): beta
+- [x] [BLS specification conformance](https://github.com/edera-dev/sprout/issues/2): beta
 
 ### Roadmap
 
-- [ ] Boot menu
-- [ ] Secure Boot support: work in progress
-- [ ] UKI support: partial
-- [ ] Windows boot support (untested via chainload)
-- [ ] multiboot2 support
-- [ ] Linux boot protocol (boot without EFI stub)
+- [ ] [Full-featured boot menu](https://github.com/edera-dev/sprout/issues/1)
+- [ ] [UKI support](https://github.com/edera-dev/sprout/issues/6): partial
+- [ ] [multiboot2 support](https://github.com/edera-dev/sprout/issues/7)
+- [ ] [Linux boot protocol (boot without EFI stub)](https://github.com/edera-dev/sprout/issues/7)
 
 ## Concepts
 
 - drivers: loadable EFI modules that can add functionality to the EFI system.
+- autoconfiguration: code that can automatically generate sprout.toml based on the EFI environment.
 - actions: executable code with a configuration that can be run by various other sprout concepts.
 - generators: code that can generate boot entries based on inputs or runtime code.
 - extractors: code that can extract values from the EFI environment.
@@ -71,6 +109,19 @@ See [Configuration](#configuration) for how to configure sprout.
 
 Sprout is configured using a TOML file at `\sprout.toml` on the root of the EFI partition sprout was booted from.
 
+### Command Line Options
+
+Sprout supports some command line options that can be combined to modify behavior without the configuration file.
+
+```bash
+# Boot Sprout with a specific configuration file.
+$ sprout.efi --config=\path\to\config.toml
+# Boot a specific entry, bypassing the menu.
+$ sprout.efi --boot="Boot Xen"
+# Autoconfigure Sprout, without loading a configuration file.
+$ sprout.efi --autoconfigure
+```
+
 ### Boot Linux from ESP
 
 ```toml
@@ -103,30 +154,14 @@ version = 1
 [drivers.ext4]
 path = "\\sprout\\drivers\\ext4.efi"
 
-# extract the full path of the first filesystem
-# that contains \loader\entries as a directory
-# into the value called "boot"
-[extractors.boot.filesystem-device-match]
-has-item = "\\loader\\entries"
-
-# use the sprout bls module to scan a bls
-# directory for entries and load them as boot
-# entries in sprout, using the entry template
-# as specified here. the bls action below will
-# be passed the extracted values from bls.
-[generators.boot.bls]
-path = "$boot\\loader\\entries"
-entry.title = "$title"
-entry.actions = ["bls"]
-
-# the action that is used for each bls entry above.
-[actions.bls]
-chainload.path = "$boot\\$chainload"
-chainload.options = ["$options"]
-chainload.linux-initrd = "$boot\\$initrd"
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled
+# filesystems and generating boot entries for them.
+autoconfigure = true
 ```
 
-[Fedora Setup Guide]: ./docs/fedora-setup.md
+[Edera]: https://edera.dev
 [Development Guide]: ./DEVELOPMENT.md
 [Contributing Guide]: ./CONTRIBUTING.md
 [Sprout License]: ./LICENSE

crates/boot/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "edera-sprout-boot"
+description = "Sprout: Modern UEFI Bootloader"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+edera-sprout-config.path = "../config"
+edera-sprout-eficore.path = "../eficore"
+hex.workspace = true
+jaarg.workspace = true
+sha2.workspace = true
+toml.workspace = true
+log.workspace = true
+uefi.workspace = true
+uefi-raw.workspace = true
+
+[build-dependencies]
+edera-sprout-build.path = "../build"
+
+[[bin]]
+name = "sprout"
+path = "src/main.rs"

crates/boot/README.md

@@ -0,0 +1,3 @@
+# Sprout Bootloader
+
+The main bootable crate of the Sprout bootloader.

crates/boot/build.rs

@@ -0,0 +1,7 @@
+use edera_sprout_build::generate_sbat_module;
+
+/// Build script entry point for Sprout.
+fn main() {
+    // Generate the sbat.generated.rs file.
+    generate_sbat_module();
+}

crates/boot/src/actions.rs

@@ -0,0 +1,42 @@
+use crate::context::SproutContext;
+use alloc::rc::Rc;
+use anyhow::{Context, Result, bail};
+
+/// EFI chainloader action.
+pub mod chainload;
+/// Edera hypervisor action.
+pub mod edera;
+/// EFI console print action.
+pub mod print;
+
+/// Execute the action specified by `name` which should be stored in the
+/// root context of the provided `context`. This function may not return
+/// if the provided action executes an operating system or an EFI application
+/// that does not return control to sprout.
+pub fn execute(context: Rc<SproutContext>, name: impl AsRef<str>) -> Result<()> {
+    // Retrieve the action from the root context.
+    let Some(action) = context.root().actions().get(name.as_ref()) else {
+        bail!("unknown action '{}'", name.as_ref());
+    };
+    // Finalize the context and freeze it.
+    let context = context
+        .finalize()
+        .context("unable to finalize context")?
+        .freeze();
+
+    // Execute the action.
+    if let Some(chainload) = &action.chainload {
+        chainload::chainload(context.clone(), chainload)?;
+        return Ok(());
+    } else if let Some(print) = &action.print {
+        print::print(context.clone(), print)?;
+        return Ok(());
+    } else if let Some(edera) = &action.edera {
+        edera::edera(context.clone(), edera)?;
+        return Ok(());
+    }
+
+    // If we reach here, we don't know how to execute the action that was configured.
+    // This is likely unreachable, but we should still return an error just in case.
+    bail!("unknown action configuration");
+}

crates/boot/src/actions/chainload.rs

@@ -0,0 +1,112 @@
+use crate::context::SproutContext;
+use crate::utils;
+use alloc::boxed::Box;
+use alloc::rc::Rc;
+use anyhow::{Context, Result, bail};
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use eficore::bootloader_interface::BootloaderInterface;
+use eficore::loader::source::ImageSource;
+use eficore::loader::{ImageLoadRequest, ImageLoader};
+use eficore::media_loader::MediaLoaderHandle;
+use eficore::media_loader::constants::linux::LINUX_EFI_INITRD_MEDIA_GUID;
+use log::error;
+use uefi::CString16;
+use uefi::proto::loaded_image::LoadedImage;
+
+/// Executes the chainload action using the specified `configuration` inside the provided `context`.
+pub fn chainload(context: Rc<SproutContext>, configuration: &ChainloadConfiguration) -> Result<()> {
+    // Retrieve the current image handle of sprout.
+    let sprout_image = uefi::boot::image_handle();
+
+    // Resolve the path to the image to chainload.
+    let resolved = eficore::path::resolve_path(
+        Some(context.root().loaded_image_path()?),
+        &context.stamp(&configuration.path),
+    )
+    .context("unable to resolve chainload path")?;
+
+    // Create a new image load request with the current image and the resolved path.
+    let request = ImageLoadRequest::new(sprout_image, ImageSource::ResolvedPath(&resolved));
+
+    // Load the image to chainload using the image loader support module.
+    // It will determine if the image needs to be loaded via the shim or can be loaded directly.
+    let image = ImageLoader::load(request)?;
+
+    // Open the LoadedImage protocol of the image to chainload.
+    let mut loaded_image_protocol =
+        uefi::boot::open_protocol_exclusive::<LoadedImage>(*image.handle())
+            .context("unable to open loaded image protocol")?;
+
+    // Stamp and combine the options to pass to the image.
+    let options =
+        utils::combine_options(configuration.options.iter().map(|item| context.stamp(item)));
+
+    // Pass the load options to the image.
+    // If no options are provided, the resulting string will be empty.
+    // The options are pinned and boxed to ensure that they are valid for the lifetime of this
+    // function, which ensures the lifetime of the options for the image runtime.
+    let options = Box::pin(
+        CString16::try_from(&options[..])
+            .context("unable to convert chainloader options to CString16")?,
+    );
+
+    if options.num_bytes() > u32::MAX as usize {
+        bail!("chainloader options too large");
+    }
+
+    // SAFETY: option size is checked to validate it is safe to pass.
+    // Additionally, the pointer is allocated and retained on heap, which makes
+    // passing the `options` pointer safe to the next image.
+    unsafe {
+        loaded_image_protocol
+            .set_load_options(options.as_ptr() as *const u8, options.num_bytes() as u32);
+    }
+
+    // Stamp the initrd path, if provided.
+    let initrd = configuration
+        .linux_initrd
+        .as_ref()
+        .map(|item| context.stamp(item));
+    // The initrd can be None or empty, so we need to collapse that into a single Option.
+    let initrd = utils::empty_is_none(initrd);
+
+    // If an initrd is provided, register it with the EFI stack.
+    let mut initrd_handle = None;
+    if let Some(linux_initrd) = initrd {
+        let content = eficore::path::read_file_contents(
+            Some(context.root().loaded_image_path()?),
+            &linux_initrd,
+        )
+        .context("unable to read linux initrd")?;
+        let handle =
+            MediaLoaderHandle::register(LINUX_EFI_INITRD_MEDIA_GUID, content.into_boxed_slice())
+                .context("unable to register linux initrd")?;
+        initrd_handle = Some(handle);
+    }
+
+    // Mark execution of an entry in the bootloader interface.
+    BootloaderInterface::mark_exec(context.root().timer())
+        .context("unable to mark execution of boot entry in bootloader interface")?;
+
+    // Start the loaded image.
+    // This call might return, or it may pass full control to another image that will never return.
+    // Capture the result to ensure we can return an error if the image fails to start, but only
+    // after the optional initrd has been unregistered.
+    let result = uefi::boot::start_image(*image.handle());
+
+    // Unregister the initrd if it was registered.
+    if let Some(initrd_handle) = initrd_handle
+        && let Err(error) = initrd_handle.unregister()
+    {
+        error!("unable to unregister linux initrd: {}", error);
+    }
+
+    // Assert there was no error starting the image.
+    result.context("unable to start image")?;
+
+    // Explicitly drop the options to clarify the lifetime.
+    drop(options);
+
+    // Return control to sprout.
+    Ok(())
+}

crates/boot/src/actions/edera.rs

@@ -1,46 +1,41 @@
-use std::rc::Rc;
-
-use anyhow::{Context, Result};
-use log::error;
-use serde::{Deserialize, Serialize};
-use uefi::Guid;
-
 use crate::{
-    actions::{self, chainload::ChainloadConfiguration},
+    actions,
     context::SproutContext,
-    utils::{
-        self,
-        media_loader::{
-            MediaLoaderHandle,
-            constants::xen::{
-                XEN_EFI_CONFIG_MEDIA_GUID, XEN_EFI_KERNEL_MEDIA_GUID, XEN_EFI_RAMDISK_MEDIA_GUID,
-            },
-        },
+    utils::{self},
+};
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use alloc::{format, vec};
+use anyhow::{Context, Result};
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::actions::edera::EderaConfiguration;
+use eficore::media_loader::{
+    MediaLoaderHandle,
+    constants::xen::{
+        XEN_EFI_CONFIG_MEDIA_GUID, XEN_EFI_KERNEL_MEDIA_GUID, XEN_EFI_RAMDISK_MEDIA_GUID,
     },
 };
-
-/// The configuration of the edera action which boots the Edera hypervisor.
-/// Edera is based on Xen but modified significantly with a Rust stack.
-/// Sprout is a component of the Edera stack and provides the boot functionality of Xen.
-#[derive(Serialize, Deserialize, Default, Clone)]
-pub struct EderaConfiguration {
-    /// The path to the Xen hypervisor EFI image.
-    pub xen: String,
-    /// The path to the kernel to boot for dom0.
-    pub kernel: String,
-    /// The path to the initrd to load for dom0.
-    #[serde(default)]
-    pub initrd: Option<String>,
-    /// The options to pass to the kernel.
-    #[serde(default, rename = "kernel-options")]
-    pub kernel_options: Vec<String>,
-    /// The options to pass to the Xen hypervisor.
-    #[serde(default, rename = "xen-options")]
-    pub xen_options: Vec<String>,
-}
+use log::error;
+use uefi::Guid;
 
 /// Builds a configuration string for the Xen EFI stub using the specified `configuration`.
-fn build_xen_config(configuration: &EderaConfiguration) -> String {
+fn build_xen_config(context: Rc<SproutContext>, configuration: &EderaConfiguration) -> String {
+    // Stamp xen options and combine them.
+    let xen_options = utils::combine_options(
+        configuration
+            .xen_options
+            .iter()
+            .map(|item| context.stamp(item)),
+    );
+
+    // Stamp kernel options and combine them.
+    let kernel_options = utils::combine_options(
+        configuration
+            .kernel_options
+            .iter()
+            .map(|item| context.stamp(item)),
+    );
+
     // xen config file format is ini-like
     [
         // global section
@@ -50,10 +45,10 @@ fn build_xen_config(configuration: &EderaConfiguration) -> String {
         // configuration section for sprout
         "[sprout]".to_string(),
         // xen options
-        format!("options={}", configuration.xen_options.join(" ")),
+        format!("options={}", xen_options),
         // kernel options, stub replaces the kernel path
         // the kernel is provided via media loader
-        format!("kernel=stub {}", configuration.kernel_options.join(" ")),
+        format!("kernel=stub {}", kernel_options),
         // required or else the last line will be ignored
         "".to_string(),
     ]
@@ -82,8 +77,9 @@ fn register_media_loader_file(
     // Stamp the path to the file.
     let path = context.stamp(path);
     // Read the file contents.
-    let content = utils::read_file_contents(context.root().loaded_image_path()?, &path)
-        .context(format!("unable to read {} file", what))?;
+    let content =
+        eficore::path::read_file_contents(Some(context.root().loaded_image_path()?), &path)
+            .context(format!("unable to read {} file", what))?;
     // Register the media loader.
     let handle = MediaLoaderHandle::register(guid, content.into_boxed_slice())
         .context(format!("unable to register {} media loader", what))?;
@@ -94,7 +90,7 @@ fn register_media_loader_file(
 /// `configuration` and `context`. This action uses Edera-specific Xen EFI stub functionality.
 pub fn edera(context: Rc<SproutContext>, configuration: &EderaConfiguration) -> Result<()> {
     // Build the Xen config file content for this configuration.
-    let config = build_xen_config(configuration);
+    let config = build_xen_config(context.clone(), configuration);
 
     // Register the media loader for the config.
     let config = register_media_loader_text(XEN_EFI_CONFIG_MEDIA_GUID, "config", config)
@@ -113,7 +109,7 @@ pub fn edera(context: Rc<SproutContext>, configuration: &EderaConfiguration) ->
     let mut media_loaders = vec![config, kernel];
 
     // Register the initrd if it is provided.
-    if let Some(ref initrd) = configuration.initrd {
+    if let Some(initrd) = utils::empty_is_none(configuration.initrd.as_ref()) {
         let initrd =
             register_media_loader_file(&context, XEN_EFI_RAMDISK_MEDIA_GUID, "initrd", initrd)
                 .context("unable to register initrd media loader")?;
@@ -131,7 +127,7 @@ pub fn edera(context: Rc<SproutContext>, configuration: &EderaConfiguration) ->
     )
     .context("unable to chainload to xen");
 
-    // Unregister the media loaders on error.
+    // Unregister the media loaders when an error happens.
     for media_loader in media_loaders {
         if let Err(error) = media_loader.unregister() {
             error!("unable to unregister media loader: {}", error);

crates/boot/src/actions/print.rs

@@ -0,0 +1,11 @@
+use crate::context::SproutContext;
+use alloc::rc::Rc;
+use anyhow::Result;
+use edera_sprout_config::actions::print::PrintConfiguration;
+use log::info;
+
+/// Executes the print action with the specified `configuration` inside the provided `context`.
+pub fn print(context: Rc<SproutContext>, configuration: &PrintConfiguration) -> Result<()> {
+    info!("{}", context.stamp(&configuration.text));
+    Ok(())
+}

crates/boot/src/autoconfigure.rs

@@ -0,0 +1,57 @@
+use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use uefi::fs::FileSystem;
+use uefi::proto::device_path::DevicePath;
+use uefi::proto::media::fs::SimpleFileSystem;
+
+/// bls: autodetect and configure BLS-enabled filesystems.
+pub mod bls;
+
+/// linux: autodetect and configure Linux kernels.
+/// This autoconfiguration module should not be activated
+/// on BLS-enabled filesystems as it may make duplicate entries.
+pub mod linux;
+
+/// windows: autodetect and configure Windows boot configurations.
+pub mod windows;
+
+/// Generate a [RootConfiguration] based on the environment.
+/// Intakes a `config` to use as the basis of the autoconfiguration.
+pub fn autoconfigure(config: &mut RootConfiguration) -> Result<()> {
+    // Find all the filesystems that are on the system.
+    let filesystem_handles =
+        uefi::boot::find_handles::<SimpleFileSystem>().context("unable to scan filesystems")?;
+
+    // For each filesystem that was detected, scan it for supported autoconfig mechanisms.
+    for handle in filesystem_handles {
+        // Acquire the device path root for the filesystem.
+        let root = {
+            uefi::boot::open_protocol_exclusive::<DevicePath>(handle)
+                .context("unable to get root for filesystem")?
+                .to_boxed()
+        };
+
+        // Open the filesystem that was detected.
+        let filesystem = uefi::boot::open_protocol_exclusive::<SimpleFileSystem>(handle)
+            .context("unable to open filesystem")?;
+
+        // Trade the filesystem protocol for the uefi filesystem helper.
+        let mut filesystem = FileSystem::new(filesystem);
+
+        // Scan the filesystem for BLS supported configurations.
+        let bls_found = bls::scan(&mut filesystem, &root, config)
+            .context("unable to scan for bls configurations")?;
+
+        // If BLS was not found, scan for Linux configurations.
+        if !bls_found {
+            linux::scan(&mut filesystem, &root, config)
+                .context("unable to scan for linux configurations")?;
+        }
+
+        // Always look for Windows configurations.
+        windows::scan(&mut filesystem, &root, config)
+            .context("unable to scan for windows configurations")?;
+    }
+
+    Ok(())
+}

crates/boot/src/autoconfigure/bls.rs

@@ -0,0 +1,103 @@
+use crate::utils;
+use alloc::string::ToString;
+use alloc::{format, vec};
+use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
+use edera_sprout_config::generators::GeneratorDeclaration;
+use edera_sprout_config::generators::bls::BlsConfiguration;
+use uefi::cstr16;
+use uefi::fs::{FileSystem, Path};
+use uefi::proto::device_path::DevicePath;
+use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
+
+/// The name prefix of the BLS chainload action that will be used
+/// by the BLS generator to chainload entries.
+const BLS_CHAINLOAD_ACTION_PREFIX: &str = "bls-chainload-";
+
+/// Scan the specified `filesystem` for BLS configurations.
+pub fn scan(
+    filesystem: &mut FileSystem,
+    root: &DevicePath,
+    config: &mut RootConfiguration,
+) -> Result<bool> {
+    // BLS has a loader.conf file that can specify its own auto-entries mechanism.
+    let bls_loader_conf_path = Path::new(cstr16!("\\loader\\loader.conf"));
+    // BLS also has an entries directory that can specify explicit entries.
+    let bls_entries_path = Path::new(cstr16!("\\loader\\entries"));
+
+    // Convert the device path root to a string we can use in the configuration.
+    let mut root = root
+        .to_string(DisplayOnly(false), AllowShortcuts(false))
+        .context("unable to convert device root to string")?
+        .to_string();
+    // Add a trailing forward-slash to the root to ensure the device root is completed.
+    root.push('/');
+
+    // Generate a unique hash of the root path.
+    let root_unique_hash = utils::unique_hash(&root);
+
+    // Whether we have a loader.conf file.
+    let has_loader_conf = filesystem
+        .try_exists(bls_loader_conf_path)
+        .context("unable to check for BLS loader.conf file")?;
+
+    // Whether we have an entries directory.
+    // We actually iterate the entries to see if there are any.
+    let has_entries_dir = filesystem
+        .read_dir(bls_entries_path)
+        .ok()
+        .and_then(|mut iterator| iterator.next())
+        .map(|entry| entry.is_ok())
+        .unwrap_or(false);
+
+    // Detect if a BLS supported configuration is on this filesystem.
+    // We check both loader.conf and entries directory as only one of them is required.
+    if !(has_loader_conf || has_entries_dir) {
+        return Ok(false);
+    }
+
+    // Generate a unique name for the BLS chainload action.
+    let chainload_action_name = format!("{}{}", BLS_CHAINLOAD_ACTION_PREFIX, root_unique_hash,);
+
+    // BLS is now detected, generate a configuration for it.
+    let generator = BlsConfiguration {
+        entry: EntryDeclaration {
+            title: "$title".to_string(),
+            actions: vec![chainload_action_name.clone()],
+            ..Default::default()
+        },
+        path: format!("{}\\loader", root),
+    };
+
+    // Generate a unique name for the BLS generator and insert the generator into the configuration.
+    config.generators.insert(
+        format!("auto-bls-{}", root_unique_hash),
+        GeneratorDeclaration {
+            bls: Some(generator),
+            ..Default::default()
+        },
+    );
+
+    // Generate a chainload configuration for BLS.
+    // BLS will provide these values to us.
+    let chainload = ChainloadConfiguration {
+        path: format!("{}\\$chainload", root),
+        options: vec!["$options".to_string()],
+        linux_initrd: Some(format!("{}\\$initrd", root)),
+    };
+
+    // Insert the chainload action into the configuration.
+    config.actions.insert(
+        chainload_action_name,
+        ActionDeclaration {
+            chainload: Some(chainload),
+            ..Default::default()
+        },
+    );
+
+    // We had a BLS supported configuration, so return true.
+    Ok(true)
+}

crates/boot/src/autoconfigure/linux.rs

@@ -0,0 +1,257 @@
+use crate::utils;
+use crate::utils::vercmp;
+use alloc::collections::BTreeMap;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use alloc::{format, vec};
+use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
+use edera_sprout_config::generators::GeneratorDeclaration;
+use edera_sprout_config::generators::list::ListConfiguration;
+use uefi::CString16;
+use uefi::fs::{FileSystem, Path, PathBuf};
+use uefi::proto::device_path::DevicePath;
+use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
+
+/// The name prefix of the Linux chainload action that will be used to boot Linux.
+const LINUX_CHAINLOAD_ACTION_PREFIX: &str = "linux-chainload-";
+
+/// The locations to scan for kernel pairs.
+/// We will check for symlinks and if this directory is a symlink, we will skip it.
+/// The empty string represents the root of the filesystem.
+const SCAN_LOCATIONS: &[&str] = &["\\boot", "\\"];
+
+/// Prefixes of kernel files to scan for.
+const KERNEL_PREFIXES: &[&str] = &["vmlinuz", "Image"];
+
+/// Prefixes of initramfs files to match to.
+const INITRAMFS_PREFIXES: &[&str] = &["initramfs", "initrd", "initrd.img"];
+
+/// This is really silly, but if what we are booting is the Canonical stubble stub,
+/// there is a chance it will assert that the load options are non-empty.
+/// Technically speaking, load options can be empty. However, it assumes load options
+/// have something in it. Canonical's stubble copied code from systemd that does this
+/// and then uses that code improperly by asserting that the pointer is non-null.
+/// To give a good user experience, we place a placeholder value here to ensure it's non-empty.
+/// For stubble, this code ensures the command line pointer becomes null:
+/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L61-L64
+/// Then this code asserts on it, stopping the boot process:
+/// https://github.com/ubuntu/stubble/blob/e56643979addfb98982266018e08921c07424a0c/stub.c#L27
+const DEFAULT_LINUX_OPTIONS: &str = "placeholder";
+
+/// Pair of kernel and initramfs.
+/// This is what scanning a directory is meant to find.
+struct KernelPair {
+    /// The path to a kernel.
+    kernel: String,
+    /// The path to an initramfs, if any.
+    initramfs: Option<String>,
+}
+
+/// Scan the specified `filesystem` at `path` for [KernelPair] results.
+fn scan_directory(filesystem: &mut FileSystem, path: &str) -> Result<Vec<KernelPair>> {
+    // All the discovered kernel pairs.
+    let mut pairs = Vec::new();
+
+    // We have to special-case the root directory due to path logic in the uefi crate.
+    let is_root = path.is_empty() || path == "\\";
+
+    // Construct a filesystem path from the path string.
+    let path = CString16::try_from(path).context("unable to convert path to CString16")?;
+    let path = Path::new(&path);
+    let path = path.to_path_buf();
+
+    // Check if the path exists and is a directory.
+    let exists = filesystem
+        .metadata(&path)
+        .ok()
+        .map(|metadata| metadata.is_directory())
+        .unwrap_or(false);
+
+    // If the path does not exist, return an empty list.
+    if !exists {
+        return Ok(pairs);
+    }
+
+    // Open a directory iterator on the path to scan.
+    // Ignore errors here as in some scenarios this might fail due to symlinks.
+    let Some(directory) = filesystem.read_dir(&path).ok() else {
+        return Ok(pairs);
+    };
+
+    // Create a new path used for joining file names below.
+    // All attempts to derive paths for the files in the directory should use this instead.
+    // The uefi crate does not handle push correctly for the root directory.
+    // It will add a second slash, which will cause our path logic to fail.
+    let path_for_join = if is_root {
+        PathBuf::new()
+    } else {
+        path.clone()
+    };
+
+    // For each item in the directory, find a kernel.
+    for item in directory {
+        let item = item.context("unable to read directory item")?;
+
+        // Skip over any items that are not regular files.
+        if !item.is_regular_file() {
+            continue;
+        }
+
+        // Convert the name from a CString16 to a String.
+        let name = item.file_name().to_string();
+
+        // Convert the name to lowercase to make all of this case-insensitive.
+        let name_for_match = name.to_lowercase();
+
+        // Find a kernel prefix that matches, if any.
+        // This is case-insensitive to ensure we pick up all possibilities.
+        let Some(prefix) = KERNEL_PREFIXES.iter().find(|prefix| {
+            name_for_match == **prefix || name_for_match.starts_with(&format!("{}-", prefix))
+        }) else {
+            // Skip over anything that doesn't match a kernel prefix.
+            continue;
+        };
+
+        // Acquire the suffix of the name, this will be used to match an initramfs.
+        let suffix = &name[prefix.len()..];
+
+        // Find a matching initramfs, if any.
+        let mut initramfs_prefix_iter = INITRAMFS_PREFIXES.iter();
+        let matched_initramfs_path = loop {
+            let Some(prefix) = initramfs_prefix_iter.next() else {
+                break None;
+            };
+            // Construct an initramfs path.
+            let initramfs = format!("{}{}", prefix, suffix);
+            let initramfs = CString16::try_from(initramfs.as_str())
+                .context("unable to convert initramfs name to CString16")?;
+            let mut initramfs_path = path_for_join.clone();
+            initramfs_path.push(Path::new(&initramfs));
+
+            // Check if the initramfs path exists, if it does, break out of the loop.
+            if filesystem
+                .try_exists(&initramfs_path)
+                .context("unable to check if initramfs path exists")?
+            {
+                break Some(initramfs_path);
+            }
+        };
+
+        // Construct a kernel path from the kernel name.
+        let mut kernel = path_for_join.clone();
+        kernel.push(Path::new(&item.file_name()));
+        let kernel = kernel.to_string();
+        let initramfs = matched_initramfs_path.map(|initramfs_path| initramfs_path.to_string());
+
+        // Produce a kernel pair.
+        let pair = KernelPair { kernel, initramfs };
+        pairs.push(pair);
+    }
+
+    Ok(pairs)
+}
+
+/// Scan the specified `filesystem` for Linux kernels and matching initramfs.
+pub fn scan(
+    filesystem: &mut FileSystem,
+    root: &DevicePath,
+    config: &mut RootConfiguration,
+) -> Result<bool> {
+    let mut pairs = Vec::new();
+
+    // Convert the device path root to a string we can use in the configuration.
+    let mut root = root
+        .to_string(DisplayOnly(false), AllowShortcuts(false))
+        .context("unable to convert device root to string")?
+        .to_string();
+    // Add a trailing forward-slash to the root to ensure the device root is completed.
+    root.push('/');
+
+    // Generate a unique hash of the root path.
+    let root_unique_hash = utils::unique_hash(&root);
+
+    // Scan all locations for kernel pairs, adding them to the list.
+    for location in SCAN_LOCATIONS {
+        let scanned = scan_directory(filesystem, location)
+            .with_context(|| format!("unable to scan directory {}", location))?;
+        pairs.extend(scanned);
+    }
+
+    // If no kernel pairs were found, return false.
+    if pairs.is_empty() {
+        return Ok(false);
+    }
+
+    // Sort the kernel pairs by kernel version, if it has one, newer kernels first.
+    pairs.sort_by(|a, b| vercmp::compare_versions(&a.kernel, &b.kernel).reverse());
+
+    // Generate a unique name for the linux chainload action.
+    let chainload_action_name = format!("{}{}", LINUX_CHAINLOAD_ACTION_PREFIX, root_unique_hash,);
+
+    // Kernel pairs are detected, generate a list configuration for it.
+    let generator = ListConfiguration {
+        entry: EntryDeclaration {
+            title: "Boot Linux $name".to_string(),
+            actions: vec![chainload_action_name.clone()],
+            ..Default::default()
+        },
+        values: pairs
+            .into_iter()
+            .map(|pair| {
+                BTreeMap::from_iter(vec![
+                    ("name".to_string(), pair.kernel.clone()),
+                    ("kernel".to_string(), format!("{}{}", root, pair.kernel)),
+                    (
+                        "initrd".to_string(),
+                        pair.initramfs
+                            .map(|initramfs| format!("{}{}", root, initramfs))
+                            .unwrap_or_default(),
+                    ),
+                ])
+            })
+            .collect(),
+    };
+
+    // Generate a unique name for the Linux generator and insert the generator into the configuration.
+    config.generators.insert(
+        format!("auto-linux-{}", root_unique_hash),
+        GeneratorDeclaration {
+            list: Some(generator),
+            ..Default::default()
+        },
+    );
+
+    // Insert a default value for the linux-options if it doesn't exist.
+    if !config.values.contains_key("linux-options") {
+        config.values.insert(
+            "linux-options".to_string(),
+            DEFAULT_LINUX_OPTIONS.to_string(),
+        );
+    }
+
+    // Generate a chainload configuration for the list generator.
+    // The list will provide these values to us.
+    // Note that we don't need an extra \\ in the paths here.
+    // The root already contains a trailing slash.
+    let chainload = ChainloadConfiguration {
+        path: "$kernel".to_string(),
+        options: vec!["$linux-options".to_string()],
+        linux_initrd: Some("$initrd".to_string()),
+    };
+
+    // Insert the chainload action into the configuration.
+    config.actions.insert(
+        chainload_action_name,
+        ActionDeclaration {
+            chainload: Some(chainload),
+            ..Default::default()
+        },
+    );
+
+    // We had a Linux kernel, so return true to indicate something was found.
+    Ok(true)
+}

crates/boot/src/autoconfigure/windows.rs

@@ -0,0 +1,82 @@
+use crate::utils;
+use alloc::string::ToString;
+use alloc::{format, vec};
+use anyhow::{Context, Result};
+use edera_sprout_config::RootConfiguration;
+use edera_sprout_config::actions::ActionDeclaration;
+use edera_sprout_config::actions::chainload::ChainloadConfiguration;
+use edera_sprout_config::entries::EntryDeclaration;
+use uefi::CString16;
+use uefi::fs::{FileSystem, Path};
+use uefi::proto::device_path::DevicePath;
+use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
+
+/// The name prefix of the Windows chainload action that will be used to boot Windows.
+const WINDOWS_CHAINLOAD_ACTION_PREFIX: &str = "windows-chainload-";
+
+/// Windows boot manager path.
+const BOOTMGR_FW_PATH: &str = "\\EFI\\Microsoft\\Boot\\bootmgfw.efi";
+
+/// Scan the specified `filesystem` for Windows configurations.
+pub fn scan(
+    filesystem: &mut FileSystem,
+    root: &DevicePath,
+    config: &mut RootConfiguration,
+) -> Result<bool> {
+    // Convert the boot manager firmware path to a path.
+    let bootmgr_fw_path =
+        CString16::try_from(BOOTMGR_FW_PATH).context("unable to convert path to CString16")?;
+    let bootmgr_fw_path = Path::new(&bootmgr_fw_path);
+
+    // Check if the boot manager firmware path exists, if it doesn't, return false.
+    if !filesystem
+        .try_exists(bootmgr_fw_path)
+        .context("unable to check if bootmgr firmware path exists")?
+    {
+        return Ok(false);
+    }
+
+    // Convert the device path root to a string we can use in the configuration.
+    let mut root = root
+        .to_string(DisplayOnly(false), AllowShortcuts(false))
+        .context("unable to convert device root to string")?
+        .to_string();
+    // Add a trailing forward-slash to the root to ensure the device root is completed.
+    root.push('/');
+
+    // Generate a unique hash of the root path.
+    let root_unique_hash = utils::unique_hash(&root);
+
+    // Generate a unique name for the Windows chainload action.
+    let chainload_action_name = format!("{}{}", WINDOWS_CHAINLOAD_ACTION_PREFIX, root_unique_hash,);
+
+    // Generate an entry name for Windows.
+    let entry_name = format!("auto-windows-{}", root_unique_hash,);
+
+    // Create an entry for Windows and insert it into the configuration.
+    let entry = EntryDeclaration {
+        title: "Boot Windows".to_string(),
+        actions: vec![chainload_action_name.clone()],
+        values: Default::default(),
+    };
+    config.entries.insert(entry_name, entry);
+
+    // Generate a chainload configuration for Windows.
+    let chainload = ChainloadConfiguration {
+        path: format!("{}{}", root, bootmgr_fw_path),
+        options: vec![],
+        ..Default::default()
+    };
+
+    // Insert the chainload action into the configuration.
+    config.actions.insert(
+        chainload_action_name,
+        ActionDeclaration {
+            chainload: Some(chainload),
+            ..Default::default()
+        },
+    );
+
+    // We have a Windows boot entry, so return true to indicate something was found.
+    Ok(true)
+}

crates/boot/src/config.rs

@@ -0,0 +1,2 @@
+/// The configuration loader mechanisms.
+pub mod loader;

crates/boot/src/config/loader.rs

@@ -1,31 +1,46 @@
-use crate::config::{RootConfiguration, latest_version};
-use crate::utils;
+use crate::options::SproutOptions;
+use alloc::vec::Vec;
 use anyhow::{Context, Result, bail};
-use std::ops::Deref;
+use core::ops::Deref;
+use edera_sprout_config::{RootConfiguration, latest_version};
+use eficore::platform::tpm::PlatformTpm;
+use log::info;
 use toml::Value;
 use uefi::proto::device_path::LoadedImageDevicePath;
 
-/// Loads the raw configuration from the sprout.toml file as data.
-fn load_raw_config() -> Result<Vec<u8>> {
+/// Loads the raw configuration from the sprout config file as data.
+fn load_raw_config(options: &SproutOptions) -> Result<Vec<u8>> {
     // Open the LoadedImageDevicePath protocol to get the path to the current image.
     let current_image_device_path_protocol =
         uefi::boot::open_protocol_exclusive::<LoadedImageDevicePath>(uefi::boot::image_handle())
             .context("unable to get loaded image device path")?;
     // Acquire the device path as a boxed device path.
     let path = current_image_device_path_protocol.deref().to_boxed();
-    // Read the contents of the sprout.toml file.
-    let content = utils::read_file_contents(&path, "sprout.toml")
-        .context("unable to read sprout.toml file")?;
-    // Return the contents of the sprout.toml file.
+
+    info!("configuration file: {}", options.config);
+
+    // Read the contents of the sprout config file.
+    let content = eficore::path::read_file_contents(Some(&path), &options.config)
+        .context("unable to read sprout config file")?;
+
+    // Measure the sprout.toml into the TPM, if needed and possible.
+    PlatformTpm::log_event(
+        PlatformTpm::PCR_BOOT_LOADER_CONFIG,
+        &content,
+        "sprout: configuration file",
+    )
+    .context("unable to measure the sprout.toml file into the TPM")?;
+
+    // Return the contents of the sprout config file.
     Ok(content)
 }
 
 /// Loads the [RootConfiguration] for Sprout.
-pub fn load() -> Result<RootConfiguration> {
-    // Load the raw configuration from the sprout.toml file.
-    let content = load_raw_config()?;
+pub fn load(options: &SproutOptions) -> Result<RootConfiguration> {
+    // Load the raw configuration from the sprout config file.
+    let content = load_raw_config(options)?;
     // Parse the raw configuration into a toml::Value which can represent any TOML file.
-    let value: Value = toml::from_slice(&content).context("unable to parse sprout.toml file")?;
+    let value: Value = toml::from_slice(&content).context("unable to parse sprout config file")?;
 
     // Check the version of the configuration without parsing the full configuration.
     let version = value

crates/boot/src/context.rs

@@ -1,27 +1,47 @@
-use crate::actions::ActionDeclaration;
-use anyhow::Result;
+use crate::options::SproutOptions;
+use alloc::boxed::Box;
+use alloc::collections::{BTreeMap, BTreeSet};
+use alloc::format;
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
 use anyhow::anyhow;
-use std::collections::{BTreeMap, BTreeSet};
-use std::rc::Rc;
+use anyhow::{Result, bail};
+use core::cmp::Reverse;
+use edera_sprout_config::actions::ActionDeclaration;
+use eficore::platform::timer::PlatformTimer;
 use uefi::proto::device_path::DevicePath;
 
+/// The maximum number of iterations that can be performed in [SproutContext::finalize].
+const CONTEXT_FINALIZE_ITERATION_LIMIT: usize = 100;
+
 /// Declares a root context for Sprout.
 /// This contains data that needs to be shared across Sprout.
-#[derive(Default)]
 pub struct RootContext {
     /// The actions that are available in Sprout.
     actions: BTreeMap<String, ActionDeclaration>,
     /// The device path of the loaded Sprout image.
     loaded_image_path: Option<Box<DevicePath>>,
+    /// Platform timer started at the beginning of the boot process.
+    timer: PlatformTimer,
+    /// The global options of Sprout.
+    options: SproutOptions,
 }
 
 impl RootContext {
     /// Creates a new root context with the `loaded_image_device_path` which will be stored
-    /// in the context for easy access.
-    pub fn new(loaded_image_device_path: Box<DevicePath>) -> Self {
+    /// in the context for easy access. We also provide a `timer` which is used to measure elapsed
+    /// time for the bootloader.
+    pub fn new(
+        loaded_image_device_path: Box<DevicePath>,
+        timer: PlatformTimer,
+        options: SproutOptions,
+    ) -> Self {
         Self {
             actions: BTreeMap::new(),
+            timer,
             loaded_image_path: Some(loaded_image_device_path),
+            options,
         }
     }
 
@@ -35,12 +55,22 @@ impl RootContext {
         &mut self.actions
     }
 
+    /// Access the platform timer that is started at the beginning of the boot process.
+    pub fn timer(&self) -> &PlatformTimer {
+        &self.timer
+    }
+
     /// Access the device path of the loaded Sprout image.
     pub fn loaded_image_path(&self) -> Result<&DevicePath> {
         self.loaded_image_path
             .as_deref()
             .ok_or_else(|| anyhow!("no loaded image path"))
     }
+
+    /// Access the global Sprout options.
+    pub fn options(&self) -> &SproutOptions {
+        &self.options
+    }
 }
 
 /// A context of Sprout. This is passed around different parts of Sprout and represents
@@ -70,6 +100,11 @@ impl SproutContext {
         self.root.as_ref()
     }
 
+    /// Access the root context to modify it, if possible.
+    pub fn root_mut(&mut self) -> Option<&mut RootContext> {
+        Rc::get_mut(&mut self.root)
+    }
+
     /// Retrieve the value specified by `key` from this context or its parents.
     /// Returns `None` if the value is not found.
     pub fn get(&self, key: impl AsRef<str>) -> Option<&String> {
@@ -100,7 +135,10 @@ impl SproutContext {
     pub fn all_values(&self) -> BTreeMap<String, String> {
         let mut values = BTreeMap::new();
         for key in self.all_keys() {
-            values.insert(key.clone(), self.get(key).cloned().unwrap_or_default());
+            // Acquire the value from the context. Since retrieving all the keys will give us
+            // a full view of the context, we can be sure that the key exists.
+            let value = self.get(&key).cloned().unwrap_or_default();
+            values.insert(key.clone(), value);
         }
         values
     }
@@ -142,11 +180,20 @@ impl SproutContext {
     /// Finalizes a context by producing a context with no parent that contains all the values
     /// of all parent contexts merged. This makes it possible to ensure [SproutContext] has no
     /// inheritance with other [SproutContext]s. It will still contain a [RootContext] however.
-    pub fn finalize(&self) -> SproutContext {
+    pub fn finalize(&self) -> Result<SproutContext> {
         // Collect all the values from the context and its parents.
         let mut current_values = self.all_values();
 
+        // To ensure that there is no possible infinite loop, we need to check
+        // the number of iterations. If it exceeds CONTEXT_FINALIZE_ITERATION_LIMIT, we bail.
+        let mut iterations: usize = 0;
         loop {
+            iterations += 1;
+
+            if iterations > CONTEXT_FINALIZE_ITERATION_LIMIT {
+                bail!("maximum number of replacement iterations reached while finalizing context");
+            }
+
             let mut did_change = false;
             let mut values = BTreeMap::new();
             for (key, value) in &current_values {
@@ -167,19 +214,45 @@ impl SproutContext {
         }
 
         // Produce the final context.
-        Self {
+        Ok(Self {
             root: self.root.clone(),
             parent: None,
             values: current_values,
-        }
+        })
     }
 
     /// Stamps the `text` value with the specified `values` map. The returned value indicates
     /// whether the `text` has been changed and the value that was stamped and changed.
+    ///
+    /// Stamping works like this:
+    /// - Start with the input text.
+    /// - Sort all the keys in reverse length order (longest keys first)
+    /// - For each key, if the key is not empty, replace $KEY in the text.
+    /// - Each follow-up iteration acts upon the last iterations result.
+    /// - We keep track if the text changes during the replacement.
+    /// - We return both whether the text changed during any iteration and the final result.
     fn stamp_values(values: &BTreeMap<String, String>, text: impl AsRef<str>) -> (bool, String) {
         let mut result = text.as_ref().to_string();
         let mut did_change = false;
-        for (key, value) in values {
+
+        // Sort the keys by length. This is to ensure that we stamp the longest keys first.
+        // If we did not do this, "$abc" could be stamped by "$a" into an invalid result.
+        let mut keys = values.keys().collect::<Vec<_>>();
+
+        // Sort by key length, reversed. This results in the longest keys appearing first.
+        keys.sort_by_key(|key| Reverse(key.len()));
+
+        for key in keys {
+            // Empty keys are not supported.
+            if key.is_empty() {
+                continue;
+            }
+
+            // We can fetch the value from the map. It is verifiable that the key exists.
+            let Some(value) = values.get(key) else {
+                unreachable!("keys iterated over is collected on a map that cannot be modified");
+            };
+
             let next_result = result.replace(&format!("${key}"), value);
             if result != next_result {
                 did_change = true;
@@ -195,4 +268,10 @@ impl SproutContext {
     pub fn stamp(&self, text: impl AsRef<str>) -> String {
         Self::stamp_values(&self.all_values(), text.as_ref()).1
     }
+
+    /// Unloads a [SproutContext] back into an owned context. This
+    /// may not succeed if something else is holding onto the value.
+    pub fn unload(self: Rc<SproutContext>) -> Option<SproutContext> {
+        Rc::into_inner(self)
+    }
 }

crates/boot/src/drivers.rs

@@ -1,57 +1,38 @@
 use crate::context::SproutContext;
-use crate::utils;
+use alloc::collections::BTreeMap;
+use alloc::format;
+use alloc::rc::Rc;
+use alloc::string::String;
 use anyhow::{Context, Result};
+use edera_sprout_config::drivers::DriverDeclaration;
+use eficore::loader::source::ImageSource;
+use eficore::loader::{ImageLoadRequest, ImageLoader};
 use log::info;
-use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
-use std::rc::Rc;
 use uefi::boot::SearchType;
-use uefi::proto::device_path::LoadedImageDevicePath;
 
-/// Declares a driver configuration.
-/// Drivers allow extending the functionality of Sprout.
-/// Drivers are loaded at runtime and can provide extra functionality like filesystem support.
-/// Drivers are loaded by their name, which is used to reference them in other concepts.
-#[derive(Serialize, Deserialize, Default, Clone)]
-pub struct DriverDeclaration {
-    /// The filesystem path to the driver.
-    /// This file should be an EFI executable that can be located and executed.
-    pub path: String,
-}
-
-/// Loads the driver specified by the [driver] declaration.
+/// Loads the driver specified by the `driver` declaration.
 fn load_driver(context: Rc<SproutContext>, driver: &DriverDeclaration) -> Result<()> {
     // Acquire the handle and device path of the loaded image.
     let sprout_image = uefi::boot::image_handle();
-    let image_device_path_protocol =
-        uefi::boot::open_protocol_exclusive::<LoadedImageDevicePath>(sprout_image)
-            .context("unable to open loaded image device path protocol")?;
 
-    // Get the device path root of the sprout image.
-    let mut full_path = utils::device_path_root(&image_device_path_protocol)?;
-
-    // Push the path of the driver from the root.
-    full_path.push_str(&context.stamp(&driver.path));
-
-    info!("driver path: {}", full_path);
-
-    // Convert the path to a device path.
-    let device_path = utils::text_to_device_path(&full_path)?;
-
-    // Load the driver image.
-    let image = uefi::boot::load_image(
-        sprout_image,
-        uefi::boot::LoadImageSource::FromDevicePath {
-            device_path: &device_path,
-            boot_policy: uefi::proto::BootPolicy::ExactMatch,
-        },
+    // Resolve the path to the driver image.
+    let resolved = eficore::path::resolve_path(
+        Some(context.root().loaded_image_path()?),
+        &context.stamp(&driver.path),
     )
-    .context("unable to load image")?;
+    .context("unable to resolve path to driver")?;
+
+    // Create an image load request with the current image and the resolved path.
+    let request = ImageLoadRequest::new(sprout_image, ImageSource::ResolvedPath(&resolved));
+
+    // Load the driver image using the image loader support module.
+    // It will determine if the image needs to be loaded via the shim or can be loaded directly.
+    let image = ImageLoader::load(request)?;
 
     // Start the driver image, this is expected to return control to sprout.
     // There is no guarantee that the driver will actually return control as it is
     // just a standard EFI image.
-    uefi::boot::start_image(image).context("unable to start driver image")?;
+    uefi::boot::start_image(*image.handle()).context("unable to start driver image")?;
 
     Ok(())
 }

crates/boot/src/entries.rs

@@ -0,0 +1,121 @@
+use crate::context::SproutContext;
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use edera_sprout_config::entries::EntryDeclaration;
+
+/// Represents an entry that is stamped and ready to be booted.
+#[derive(Clone)]
+pub struct BootableEntry {
+    name: String,
+    title: String,
+    context: Rc<SproutContext>,
+    declaration: EntryDeclaration,
+    default: bool,
+    pin_name: bool,
+}
+
+impl BootableEntry {
+    /// Create a new bootable entry to represent the full context of an entry.
+    pub fn new(
+        name: String,
+        title: String,
+        context: Rc<SproutContext>,
+        declaration: EntryDeclaration,
+    ) -> Self {
+        Self {
+            name,
+            title,
+            context,
+            declaration,
+            default: false,
+            pin_name: false,
+        }
+    }
+
+    /// Fetch the name of the entry. This is usually a machine-identifiable key.
+    pub fn name(&self) -> &str {
+        &self.name
+    }
+
+    /// Fetch the title of the entry. This is usually a human-readable key.
+    pub fn title(&self) -> &str {
+        &self.title
+    }
+
+    /// Fetch the full context of the entry.
+    pub fn context(&self) -> Rc<SproutContext> {
+        Rc::clone(&self.context)
+    }
+
+    /// Fetch the declaration of the entry.
+    pub fn declaration(&self) -> &EntryDeclaration {
+        &self.declaration
+    }
+
+    /// Fetch whether the entry is the default entry.
+    pub fn is_default(&self) -> bool {
+        self.default
+    }
+
+    /// Fetch whether the entry is pinned, which prevents prefixing.
+    pub fn is_pin_name(&self) -> bool {
+        self.pin_name
+    }
+
+    /// Swap out the context of the entry.
+    pub fn swap_context(&mut self, context: Rc<SproutContext>) {
+        self.context = context;
+    }
+
+    /// Restamp the title with the current context.
+    pub fn restamp_title(&mut self) {
+        self.title = self.context.stamp(&self.title);
+    }
+
+    /// Mark this entry as the default entry.
+    pub fn mark_default(&mut self) {
+        self.default = true;
+    }
+
+    // Unmark this entry as the default entry.
+    pub fn unmark_default(&mut self) {
+        self.default = false;
+    }
+
+    /// Mark this entry as being pinned, which prevents prefixing.
+    pub fn mark_pin_name(&mut self) {
+        self.pin_name = true;
+    }
+
+    /// Prepend the name of the entry with `prefix`.
+    pub fn prepend_name_prefix(&mut self, prefix: &str) {
+        self.name.insert_str(0, prefix);
+    }
+
+    /// Determine if this entry matches `needle` by comparing to the name or title of the entry.
+    /// If `needle` ends with *, we will match a partial match.
+    pub fn is_match(&self, needle: &str) -> bool {
+        // If the needle ends with '*', we will accept a partial match.
+        if needle.ends_with("*") {
+            // Strip off any '*' at the end.
+            let partial = needle.trim_end_matches("*");
+            // Check if the name or title start with the partial match.
+            return self.name.starts_with(partial) || self.title.starts_with(partial);
+        }
+
+        // Standard quality matching rules.
+        self.name == needle || self.title == needle
+    }
+
+    /// Find an entry by `needle` inside the entry iterator `haystack`.
+    /// This will search for an entry by name, title, or index.
+    pub fn find<'a>(
+        needle: &str,
+        haystack: impl Iterator<Item = &'a BootableEntry>,
+    ) -> Option<&'a BootableEntry> {
+        haystack
+            .enumerate()
+            .find(|(index, entry)| entry.is_match(needle) || index.to_string() == needle)
+            .map(|(_index, entry)| entry)
+    }
+}

crates/boot/src/extractors.rs

@@ -0,0 +1,19 @@
+use crate::context::SproutContext;
+use alloc::rc::Rc;
+use alloc::string::String;
+use anyhow::{Result, bail};
+use edera_sprout_config::extractors::ExtractorDeclaration;
+
+/// The filesystem device match extractor.
+pub mod filesystem_device_match;
+
+/// Extracts the value using the specified `extractor` under the provided `context`.
+/// The extractor must return a value, and if a value cannot be determined, an error
+/// should be returned.
+pub fn extract(context: Rc<SproutContext>, extractor: &ExtractorDeclaration) -> Result<String> {
+    if let Some(filesystem) = &extractor.filesystem_device_match {
+        filesystem_device_match::extract(context, filesystem)
+    } else {
+        bail!("unknown extractor configuration");
+    }
+}

crates/boot/src/extractors/filesystem_device_match.rs

@@ -1,50 +1,31 @@
 use crate::context::SproutContext;
-use crate::utils;
+use alloc::rc::Rc;
+use alloc::string::String;
 use anyhow::{Context, Result, anyhow, bail};
-use serde::{Deserialize, Serialize};
-use std::ops::Deref;
-use std::rc::Rc;
-use std::str::FromStr;
+use core::ops::Deref;
+use core::str::FromStr;
+use edera_sprout_config::extractors::filesystem_device_match::FilesystemDeviceMatchExtractor;
+use eficore::partition::PartitionGuidForm;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::DevicePath;
 use uefi::proto::media::file::{File, FileSystemVolumeLabel};
 use uefi::proto::media::fs::SimpleFileSystem;
-use uefi::proto::media::partition::PartitionInfo;
 use uefi::{CString16, Guid};
-use uefi_raw::Status;
-
-/// The filesystem device match extractor.
-/// This extractor finds a filesystem using some search criteria and returns
-/// the device root path that can concatenated with subpaths to access files
-/// on a particular filesystem.
-///
-/// This function only requires one of the criteria to match.
-/// The fallback value can be used to provide a value if none is found.
-#[derive(Serialize, Deserialize, Default, Clone)]
-pub struct FilesystemDeviceMatchExtractor {
-    /// Matches a filesystem that has the specified label.
-    #[serde(default, rename = "has-label")]
-    pub has_label: Option<String>,
-    /// Matches a filesystem that has the specified item.
-    /// An item is either a directory or file.
-    #[serde(default, rename = "has-item")]
-    pub has_item: Option<String>,
-    /// Matches a filesystem that has the specified partition UUID.
-    #[serde(default, rename = "has-partition-uuid")]
-    pub has_partition_uuid: Option<String>,
-    /// Matches a filesystem that has the specified partition type UUID.
-    #[serde(default, rename = "has-partition-type-uuid")]
-    pub has_partition_type_uuid: Option<String>,
-    /// The fallback value to use if no filesystem matches the criteria.
-    #[serde(default)]
-    pub fallback: Option<String>,
-}
 
 /// Extract a filesystem device path using the specified `context` and `extractor` configuration.
 pub fn extract(
     context: Rc<SproutContext>,
     extractor: &FilesystemDeviceMatchExtractor,
 ) -> Result<String> {
+    // If no criteria are provided, bail with an error.
+    if extractor.has_label.is_none()
+        && extractor.has_item.is_none()
+        && extractor.has_partition_uuid.is_none()
+        && extractor.has_partition_type_uuid.is_none()
+    {
+        bail!("at least one criteria is required for filesystem-device-match");
+    }
+
     // Find all the filesystems inside the UEFI stack.
     let handles = uefi::boot::find_handles::<SimpleFileSystem>()
         .context("unable to find filesystem handles")?;
@@ -54,58 +35,50 @@ pub fn extract(
         // This defines whether a match has been found.
         let mut has_match = false;
 
-        // Extract the partition info for this filesystem.
-        // There is no guarantee that the filesystem has a partition.
-        let partition_info = {
-            // Open the partition info protocol for this handle.
-            let partition_info = uefi::boot::open_protocol_exclusive::<PartitionInfo>(handle);
-
-            match partition_info {
-                Ok(partition_info) => {
-                    // GPT partitions have a unique partition GUID.
-                    // MBR does not.
-                    if let Some(gpt) = partition_info.gpt_partition_entry() {
-                        let uuid = gpt.unique_partition_guid;
-                        let type_uuid = gpt.partition_type_guid;
-                        Some((uuid, type_uuid.0))
-                    } else {
-                        None
-                    }
-                }
-
-                Err(error) => {
-                    // If the filesystem does not have a partition, that is okay.
-                    if error.status() == Status::NOT_FOUND || error.status() == Status::UNSUPPORTED
-                    {
-                        None
-                    } else {
-                        // We should still handle other errors gracefully.
-                        Err(error).context("unable to open filesystem partition info")?;
-                        None
-                    }
-                }
-            }
-        };
-
         // Check if the partition info matches partition uuid criteria.
-        if let Some((partition_uuid, _partition_type_guid)) = partition_info
-            && let Some(ref has_partition_uuid) = extractor.has_partition_uuid
-        {
+        if let Some(ref has_partition_uuid) = extractor.has_partition_uuid {
+            // Parse the partition uuid from the extractor.
             let parsed_uuid = Guid::from_str(has_partition_uuid)
                 .map_err(|e| anyhow!("unable to parse has-partition-uuid: {}", e))?;
-            if partition_uuid != parsed_uuid {
+
+            // Fetch the root of the device.
+            let root = uefi::boot::open_protocol_exclusive::<DevicePath>(handle)
+                .context("unable to fetch the device path of the filesystem")?
+                .deref()
+                .to_boxed();
+
+            // Fetch the partition uuid for this filesystem.
+            let partition_uuid =
+                eficore::partition::partition_guid(&root, PartitionGuidForm::Partition)
+                    .context("unable to fetch the partition uuid of the filesystem")?;
+
+            // Compare the partition uuid to the parsed uuid.
+            // If it does not match, continue to the next filesystem.
+            if partition_uuid != Some(parsed_uuid) {
                 continue;
             }
             has_match = true;
         }
 
         // Check if the partition info matches partition type uuid criteria.
-        if let Some((_partition_uuid, partition_type_guid)) = partition_info
-            && let Some(ref has_partition_type_uuid) = extractor.has_partition_type_uuid
-        {
+        if let Some(ref has_partition_type_uuid) = extractor.has_partition_type_uuid {
+            // Parse the partition type uuid from the extractor.
             let parsed_uuid = Guid::from_str(has_partition_type_uuid)
                 .map_err(|e| anyhow!("unable to parse has-partition-type-uuid: {}", e))?;
-            if partition_type_guid != parsed_uuid {
+
+            // Fetch the root of the device.
+            let root = uefi::boot::open_protocol_exclusive::<DevicePath>(handle)
+                .context("unable to fetch the device path of the filesystem")?
+                .deref()
+                .to_boxed();
+
+            // Fetch the partition type uuid for this filesystem.
+            let partition_type_uuid =
+                eficore::partition::partition_guid(&root, PartitionGuidForm::PartitionType)
+                    .context("unable to fetch the partition uuid of the filesystem")?;
+            // Compare the partition type uuid to the parsed uuid.
+            // If it does not match, continue to the next filesystem.
+            if partition_type_uuid != Some(parsed_uuid) {
                 continue;
             }
             has_match = true;
@@ -139,14 +112,11 @@ pub fn extract(
             let mut filesystem = FileSystem::new(filesystem);
 
             // Check the metadata of the item.
-            let metadata = filesystem.metadata(Path::new(&want_item));
-
             // Ignore filesystem errors as we can't do anything useful with the error.
-            if metadata.is_err() {
+            let Some(metadata) = filesystem.metadata(Path::new(&want_item)).ok() else {
                 continue;
-            }
+            };
 
-            let metadata = metadata?;
             // Only check directories and files.
             if !(metadata.is_directory() || metadata.is_regular_file()) {
                 continue;
@@ -164,7 +134,7 @@ pub fn extract(
             .context("unable to open filesystem device path")?;
         let path = path.deref();
         // Acquire the device path root as a string.
-        return utils::device_path_root(path).context("unable to get device path root");
+        return eficore::path::device_path_root(path).context("unable to get device path root");
     }
 
     // If there is a fallback value, use it at this point.

crates/boot/src/generators.rs

@@ -0,0 +1,34 @@
+use crate::context::SproutContext;
+use crate::entries::BootableEntry;
+use alloc::rc::Rc;
+use alloc::vec::Vec;
+use anyhow::Result;
+use anyhow::bail;
+use edera_sprout_config::generators::GeneratorDeclaration;
+
+/// The BLS generator.
+pub mod bls;
+
+/// The list generator.
+pub mod list;
+
+/// The matrix generator.
+pub mod matrix;
+
+/// Runs the generator specified by the `generator` option.
+/// It uses the specified `context` as the parent context for
+/// the generated entries, injecting more values if needed.
+pub fn generate(
+    context: Rc<SproutContext>,
+    generator: &GeneratorDeclaration,
+) -> Result<Vec<BootableEntry>> {
+    if let Some(matrix) = &generator.matrix {
+        matrix::generate(context, matrix)
+    } else if let Some(bls) = &generator.bls {
+        bls::generate(context, bls)
+    } else if let Some(list) = &generator.list {
+        list::generate(context, list)
+    } else {
+        bail!("unknown generator configuration");
+    }
+}

crates/boot/src/generators/bls.rs

@@ -0,0 +1,211 @@
+use crate::context::SproutContext;
+use crate::entries::BootableEntry;
+use crate::generators::bls::entry::BlsEntry;
+use crate::utils::vercmp;
+use alloc::format;
+use alloc::rc::Rc;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use anyhow::{Context, Result};
+use core::cmp::Ordering;
+use core::str::FromStr;
+use edera_sprout_config::generators::bls::BlsConfiguration;
+use uefi::cstr16;
+use uefi::fs::{FileSystem, PathBuf};
+use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
+use uefi::proto::media::fs::SimpleFileSystem;
+
+/// BLS entry parser.
+mod entry;
+
+// TODO(azenla): remove this once variable substitution is implemented.
+/// This function is used to remove the `tuned_initrd` variable from entry values.
+/// Fedora uses tuned which adds an initrd that shouldn't be used.
+fn quirk_initrd_remove_tuned(input: String) -> String {
+    input.replace("$tuned_initrd", "").trim().to_string()
+}
+
+/// Sorts two entries according to the BLS sort system.
+/// Reference: https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting
+fn sort_entries(a: &(BlsEntry, BootableEntry), b: &(BlsEntry, BootableEntry)) -> Ordering {
+    // Grab the components of both entries.
+    let (a_bls, a_boot) = a;
+    let (b_bls, b_boot) = b;
+
+    // Grab the sort keys from both entries.
+    let a_sort_key = a_bls.sort_key();
+    let b_sort_key = b_bls.sort_key();
+
+    // Compare the sort keys of both entries.
+    match a_sort_key.cmp(&b_sort_key) {
+        // If A and B sort keys are equal, sort by machine-id.
+        Ordering::Equal => {
+            // Grab the machine-id from both entries.
+            let a_machine_id = a_bls.machine_id();
+            let b_machine_id = b_bls.machine_id();
+
+            // Compare the machine-id of both entries.
+            match a_machine_id.cmp(&b_machine_id) {
+                // If both machine-id values are equal, sort by version.
+                Ordering::Equal => {
+                    // Grab the version from both entries.
+                    let a_version = a_bls.version();
+                    let b_version = b_bls.version();
+
+                    // Compare the version of both entries, sorting newer versions first.
+                    match vercmp::compare_versions_optional(
+                        a_version.as_deref(),
+                        b_version.as_deref(),
+                    )
+                    .reverse()
+                    {
+                        // If both versions are equal, sort by file name in reverse order.
+                        Ordering::Equal => {
+                            // Grab the file name from both entries.
+                            let a_name = a_boot.name();
+                            let b_name = b_boot.name();
+
+                            // Compare the file names of both entries, sorting newer entries first.
+                            vercmp::compare_versions(a_name, b_name).reverse()
+                        }
+                        other => other,
+                    }
+                }
+                other => other,
+            }
+        }
+
+        other => other,
+    }
+}
+
+/// Generates entries from the BLS entries directory using the specified `bls` configuration and
+/// `context`. The BLS conversion is best-effort and will ignore any unsupported entries.
+pub fn generate(context: Rc<SproutContext>, bls: &BlsConfiguration) -> Result<Vec<BootableEntry>> {
+    let mut entries = Vec::new();
+
+    // Stamp the path to the BLS directory.
+    let path = context.stamp(&bls.path);
+
+    // Resolve the path to the BLS directory.
+    let bls_resolved =
+        eficore::path::resolve_path(Some(context.root().loaded_image_path()?), &path)
+            .context("unable to resolve bls path")?;
+
+    // Construct a filesystem path to the BLS entries directory.
+    let mut entries_path = PathBuf::from(
+        bls_resolved
+            .sub_path
+            .to_string(DisplayOnly(false), AllowShortcuts(false))
+            .context("unable to convert bls path to string")?,
+    );
+    entries_path.push(cstr16!("entries"));
+
+    // Open exclusive access to the BLS filesystem.
+    let fs =
+        uefi::boot::open_protocol_exclusive::<SimpleFileSystem>(bls_resolved.filesystem_handle)
+            .context("unable to open bls filesystem")?;
+    let mut fs = FileSystem::new(fs);
+
+    // Read the BLS entries directory.
+    let entries_iter = fs
+        .read_dir(&entries_path)
+        .context("unable to read bls entries")?;
+
+    // For each entry in the BLS entries directory, parse the entry and add it to the list.
+    for entry in entries_iter {
+        // Unwrap the entry file info.
+        let entry = entry.context("unable to read bls item entry")?;
+
+        // Skip items that are not regular files.
+        if !entry.is_regular_file() {
+            continue;
+        }
+
+        // Get the file name of the filesystem item.
+        let mut name = entry.file_name().to_string();
+
+        // Ignore files that are not .conf files.
+        if !name.to_lowercase().ends_with(".conf") {
+            continue;
+        }
+
+        // Remove the .conf extension.
+        name.truncate(name.len() - 5);
+
+        // Skip over files that are named just ".conf" as they are not valid entry files.
+        if name.is_empty() {
+            continue;
+        }
+
+        // Create a mutable path so we can append the file name to produce the full path.
+        let mut full_entry_path = entries_path.to_path_buf();
+        full_entry_path.push(entry.file_name());
+
+        // Read the entry file.
+        let content = fs
+            .read(full_entry_path)
+            .context("unable to read bls file")?;
+
+        // Parse the entry file as a UTF-8 string.
+        let content = String::from_utf8(content).context("unable to read bls entry as utf8")?;
+
+        // Parse the entry file as a BLS entry.
+        let entry = BlsEntry::from_str(&content).context("unable to parse bls entry")?;
+
+        // Ignore entries that are not valid for Sprout.
+        if !entry.is_valid() {
+            continue;
+        }
+
+        // Produce a new sprout context for the entry with the extracted values.
+        let mut context = context.fork();
+
+        let title_base = entry.title().unwrap_or_else(|| name.clone());
+        let chainload = entry.chainload_path().unwrap_or_default();
+        let options = entry.options().unwrap_or_default();
+        let version = entry.version().unwrap_or_default();
+        let machine_id = entry.machine_id().unwrap_or_default();
+
+        // Put the initrd through a quirk modifier to support Fedora.
+        let initrd = quirk_initrd_remove_tuned(entry.initrd_path().unwrap_or_default());
+
+        // Combine the title with the version if a version is present, except if it already contains it.
+        // Sometimes BLS will have a version in the title already, and this makes it unique.
+        let title_full = if !version.is_empty() && !title_base.contains(&version) {
+            format!("{} {}", title_base, version)
+        } else {
+            title_base.clone()
+        };
+
+        context.set("title-base", title_base);
+        context.set("title", title_full);
+        context.set("chainload", chainload);
+        context.set("options", options);
+        context.set("initrd", initrd);
+        context.set("version", version);
+        context.set("machine-id", machine_id);
+
+        // Produce a new bootable entry.
+        let mut boot = BootableEntry::new(
+            name,
+            bls.entry.title.clone(),
+            context.freeze(),
+            bls.entry.clone(),
+        );
+
+        // Pin the entry name to prevent prefixing.
+        // This is needed as the bootloader interface requires the name to be
+        // the same as the entry file name, minus the .conf extension.
+        boot.mark_pin_name();
+
+        // Add the BLS entry to the list, along with the bootable entry.
+        entries.push((entry, boot));
+    }
+
+    // Sort all the entries according to the BLS sort system.
+    entries.sort_by(sort_entries);
+
+    // Collect all the bootable entries and return them.
+    Ok(entries.into_iter().map(|(_, boot)| boot).collect())
+}

crates/boot/src/generators/bls/entry.rs

@@ -1,5 +1,6 @@
+use alloc::string::{String, ToString};
 use anyhow::{Error, Result};
-use std::str::FromStr;
+use core::str::FromStr;
 
 /// Represents a parsed BLS entry.
 /// Fields unrelated to Sprout are not included.
@@ -15,6 +16,12 @@ pub struct BlsEntry {
     pub initrd: Option<String>,
     /// The path to an EFI image.
     pub efi: Option<String>,
+    /// The sort key for the entry.
+    pub sort_key: Option<String>,
+    /// The version of the entry.
+    pub version: Option<String>,
+    /// The machine id of the entry.
+    pub machine_id: Option<String>,
 }
 
 /// Parser for a BLS entry.
@@ -30,14 +37,23 @@ impl FromStr for BlsEntry {
         let mut linux: Option<String> = None;
         let mut initrd: Option<String> = None;
         let mut efi: Option<String> = None;
+        let mut sort_key: Option<String> = None;
+        let mut version: Option<String> = None;
+        let mut machine_id: Option<String> = None;
 
         // Iterate over each line in the input and parse it.
         for line in input.lines() {
             // Trim the line.
             let line = line.trim();
 
-            // Split the line once by a space.
-            let Some((key, value)) = line.split_once(" ") else {
+            // Skip over empty lines and comments.
+            if line.is_empty() || line.starts_with('#') {
+                continue;
+            }
+
+            // Split the line once by whitespace. This technically includes newlines but since
+            // the lines iterator is used, there should never be a newline here.
+            let Some((key, value)) = line.split_once(char::is_whitespace) else {
                 continue;
             };
 
@@ -68,6 +84,18 @@ impl FromStr for BlsEntry {
                     efi = Some(value.trim().to_string());
                 }
 
+                "sort-key" => {
+                    sort_key = Some(value.trim().to_string());
+                }
+
+                "version" => {
+                    version = Some(value.trim().to_string());
+                }
+
+                "machine-id" => {
+                    machine_id = Some(value.trim().to_string());
+                }
+
                 // Ignore any other key.
                 _ => {
                     continue;
@@ -82,6 +110,9 @@ impl FromStr for BlsEntry {
             linux,
             initrd,
             efi,
+            sort_key,
+            version,
+            machine_id,
         })
     }
 }
@@ -99,7 +130,7 @@ impl BlsEntry {
         self.linux
             .clone()
             .or(self.efi.clone())
-            .map(|path| path.replace("/", "\\").trim_start_matches("\\").to_string())
+            .map(|path| path.replace('/', "\\").trim_start_matches('\\').to_string())
     }
 
     /// Fetches the path to an initrd to pass to the kernel, if any.
@@ -107,7 +138,7 @@ impl BlsEntry {
     pub fn initrd_path(&self) -> Option<String> {
         self.initrd
             .clone()
-            .map(|path| path.replace("/", "\\").trim_start_matches("\\").to_string())
+            .map(|path| path.replace('/', "\\").trim_start_matches('\\').to_string())
     }
 
     /// Fetches the options to pass to the kernel, if any.
@@ -119,4 +150,19 @@ impl BlsEntry {
     pub fn title(&self) -> Option<String> {
         self.title.clone()
     }
+
+    /// Fetches the sort key of the entry, if any.
+    pub fn sort_key(&self) -> Option<String> {
+        self.sort_key.clone()
+    }
+
+    /// Fetches the version of the entry, if any.
+    pub fn version(&self) -> Option<String> {
+        self.version.clone()
+    }
+
+    /// Fetches the machine id of the entry, if any.
+    pub fn machine_id(&self) -> Option<String> {
+        self.machine_id.clone()
+    }
 }

crates/boot/src/generators/list.rs

@@ -0,0 +1,40 @@
+use crate::context::SproutContext;
+use crate::entries::BootableEntry;
+use alloc::rc::Rc;
+use alloc::string::ToString;
+use alloc::vec::Vec;
+use anyhow::Result;
+use edera_sprout_config::generators::list::ListConfiguration;
+
+/// Generates a set of entries using the specified `list` configuration in the `context`.
+pub fn generate(
+    context: Rc<SproutContext>,
+    list: &ListConfiguration,
+) -> Result<Vec<BootableEntry>> {
+    let mut entries = Vec::new();
+
+    // For each combination, create a new context and entry.
+    for (index, combination) in list.values.iter().enumerate() {
+        let mut context = context.fork();
+        // Insert the combination into the context.
+        context.insert(combination);
+        let context = context.freeze();
+
+        // Stamp the entry title and actions from the template.
+        let mut entry = list.entry.clone();
+        entry.actions = entry
+            .actions
+            .into_iter()
+            .map(|action| context.stamp(action))
+            .collect();
+        // Push the entry into the list with the new context.
+        entries.push(BootableEntry::new(
+            index.to_string(),
+            entry.title.clone(),
+            context,
+            entry,
+        ));
+    }
+
+    Ok(entries)
+}

crates/boot/src/generators/matrix.rs

@@ -1,22 +1,14 @@
 use crate::context::SproutContext;
-use crate::entries::EntryDeclaration;
+use crate::entries::BootableEntry;
+use crate::generators::list;
+use alloc::collections::BTreeMap;
+use alloc::rc::Rc;
+use alloc::string::String;
+use alloc::vec;
+use alloc::vec::Vec;
 use anyhow::Result;
-use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
-use std::rc::Rc;
-
-/// Matrix generator configuration.
-/// The matrix generator produces multiple entries based
-/// on input values multiplicatively.
-#[derive(Serialize, Deserialize, Default, Clone)]
-pub struct MatrixConfiguration {
-    /// The template entry to use for each generated entry.
-    #[serde(default)]
-    pub entry: EntryDeclaration,
-    /// The values to use as the input for the matrix.
-    #[serde(default)]
-    pub values: BTreeMap<String, Vec<String>>,
-}
+use edera_sprout_config::generators::list::ListConfiguration;
+use edera_sprout_config::generators::matrix::MatrixConfiguration;
 
 /// Builds out multiple generations of `input` based on a matrix style.
 /// For example, if input is: {"x": ["a", "b"], "y": ["c", "d"]}
@@ -54,29 +46,15 @@ fn build_matrix(input: &BTreeMap<String, Vec<String>>) -> Vec<BTreeMap<String, S
 pub fn generate(
     context: Rc<SproutContext>,
     matrix: &MatrixConfiguration,
-) -> Result<Vec<(Rc<SproutContext>, EntryDeclaration)>> {
+) -> Result<Vec<BootableEntry>> {
     // Produce all the combinations of the input values.
     let combinations = build_matrix(&matrix.values);
-    let mut entries = Vec::new();
-
-    // For each combination, create a new context and entry.
-    for combination in combinations {
-        let mut context = context.fork();
-        // Insert the combination into the context.
-        context.insert(&combination);
-        let context = context.freeze();
-
-        // Stamp the entry title and actions from the template.
-        let mut entry = matrix.entry.clone();
-        entry.title = context.stamp(&entry.title);
-        entry.actions = entry
-            .actions
-            .into_iter()
-            .map(|action| context.stamp(action))
-            .collect();
-        // Push the entry into the list with the new context.
-        entries.push((context, entry));
-    }
-
-    Ok(entries)
+    // Use the list generator to generate entries for each combination.
+    list::generate(
+        context,
+        &ListConfiguration {
+            entry: matrix.entry.clone(),
+            values: combinations,
+        },
+    )
 }

crates/boot/src/main.rs

@@ -0,0 +1,399 @@
+#![doc = include_str!("../README.md")]
+#![no_std]
+#![no_main]
+extern crate alloc;
+
+use crate::context::{RootContext, SproutContext};
+use crate::entries::BootableEntry;
+use crate::options::SproutOptions;
+use crate::phases::phase;
+use alloc::collections::BTreeMap;
+use alloc::format;
+use alloc::string::ToString;
+use alloc::vec::Vec;
+use anyhow::{Context, Result, bail};
+use core::ops::Deref;
+use core::time::Duration;
+use edera_sprout_config::RootConfiguration;
+use eficore::bootloader_interface::{BootloaderInterface, BootloaderInterfaceTimeout};
+use eficore::partition::PartitionGuidForm;
+use eficore::platform::timer::PlatformTimer;
+use eficore::platform::tpm::PlatformTpm;
+use eficore::secure::SecureBoot;
+use eficore::setup;
+use log::{error, info, warn};
+use uefi::entry;
+use uefi::proto::device_path::LoadedImageDevicePath;
+use uefi_raw::Status;
+
+/// actions: Code that can be configured and executed by Sprout.
+pub mod actions;
+
+/// autoconfigure: Autoconfigure Sprout based on the detected environment.
+pub mod autoconfigure;
+
+/// config: Sprout configuration mechanism.
+pub mod config;
+
+/// context: Stored values that can be cheaply forked and cloned.
+pub mod context;
+
+/// drivers: EFI drivers to load and provide extra functionality.
+pub mod drivers;
+
+/// entries: Boot menu entries that have a title and can execute actions.
+pub mod entries;
+
+/// extractors: Runtime code that can extract values into the Sprout context.
+pub mod extractors;
+
+/// generators: Runtime code that can generate entries with specific values.
+pub mod generators;
+
+/// menu: Display a boot menu to select an entry to boot.
+pub mod menu;
+
+/// options: Parse the options of the Sprout executable.
+pub mod options;
+
+/// phases: Hooks into specific parts of the boot process.
+pub mod phases;
+
+/// sbat: Secure Boot Attestation section.
+pub mod sbat;
+
+/// utils: Utility functions that are used by other parts of Sprout.
+pub mod utils;
+
+/// The delay to wait for when an error occurs in Sprout.
+const DELAY_ON_ERROR: Duration = Duration::from_secs(10);
+
+/// Run Sprout, returning an error if one occurs.
+fn run() -> Result<()> {
+    // For safety reasons, we will note that Secure Boot is in beta on Sprout.
+    if SecureBoot::enabled().context("unable to determine Secure Boot status")? {
+        warn!("Sprout Secure Boot is in beta. Some functionality may not work as expected.");
+    }
+
+    // Start the platform timer.
+    let timer = PlatformTimer::start();
+
+    // Mark the initialization of Sprout in the bootloader interface.
+    BootloaderInterface::mark_init(&timer)
+        .context("unable to mark initialization in bootloader interface")?;
+
+    // Tell the bootloader interface what firmware we are running on.
+    BootloaderInterface::set_firmware_info()
+        .context("unable to set firmware info in bootloader interface")?;
+
+    // Tell the bootloader interface what loader is being used.
+    BootloaderInterface::set_loader_info()
+        .context("unable to set loader info in bootloader interface")?;
+
+    // Acquire the number of active PCR banks on the TPM.
+    // If no TPM is available, this will return zero.
+    let active_pcr_banks = PlatformTpm::active_pcr_banks()?;
+    // Tell the bootloader interface what the number of active PCR banks is.
+    BootloaderInterface::set_tpm2_active_pcr_banks(active_pcr_banks)
+        .context("unable to set tpm2 active PCR banks in bootloader interface")?;
+
+    // Parse the options to the sprout executable.
+    let options = SproutOptions::parse().context("unable to parse options")?;
+
+    // If --autoconfigure is specified, we use a stub configuration.
+    let mut config = if options.autoconfigure {
+        info!("autoconfiguration enabled, configuration file will be ignored");
+        RootConfiguration::default()
+    } else {
+        // Load the configuration of sprout.
+        // At this point, the configuration has been validated and the specified
+        // version is checked to ensure compatibility.
+        config::loader::load(&options)?
+    };
+
+    // Grab the sprout.efi loaded image path.
+    // This is done in a block to ensure the release of the LoadedImageDevicePath protocol.
+    let loaded_image_path = {
+        let current_image_device_path_protocol = uefi::boot::open_protocol_exclusive::<
+            LoadedImageDevicePath,
+        >(uefi::boot::image_handle())
+        .context("unable to get loaded image device path")?;
+        current_image_device_path_protocol.deref().to_boxed()
+    };
+
+    // Grab the partition GUID of the ESP that sprout was loaded from.
+    let loaded_image_partition_guid =
+        eficore::partition::partition_guid(&loaded_image_path, PartitionGuidForm::Partition)
+            .context("unable to retrieve loaded image partition guid")?;
+
+    // Set the partition GUID of the ESP that sprout was loaded from in the bootloader interface.
+    if let Some(loaded_image_partition_guid) = loaded_image_partition_guid {
+        // Tell the system about the partition GUID.
+        BootloaderInterface::set_partition_guid(&loaded_image_partition_guid)
+            .context("unable to set partition guid in bootloader interface")?;
+    }
+
+    // Tell the bootloader interface what the loaded image path is.
+    BootloaderInterface::set_loader_path(&loaded_image_path)
+        .context("unable to set loader path in bootloader interface")?;
+
+    // Create the root context.
+    let mut root = RootContext::new(loaded_image_path, timer, options);
+
+    // Insert the configuration actions into the root context.
+    root.actions_mut().extend(config.actions.clone());
+
+    // Create a new sprout context with the root context.
+    let mut context = SproutContext::new(root);
+
+    // Insert the configuration values into the sprout context.
+    context.insert(&config.values);
+
+    // Freeze the sprout context so it can be shared and cheaply cloned.
+    let context = context.freeze();
+
+    // Execute the early phase.
+    phase(context.clone(), &config.phases.early).context("unable to execute early phase")?;
+
+    // Load all configured drivers.
+    drivers::load(context.clone(), &config.drivers).context("unable to load drivers")?;
+
+    // If --autoconfigure is specified or the loaded configuration has autoconfigure enabled,
+    // trigger the autoconfiguration mechanism.
+    if context.root().options().autoconfigure || config.options.autoconfigure {
+        autoconfigure::autoconfigure(&mut config).context("unable to autoconfigure")?;
+    }
+
+    // Unload the context so that it can be modified.
+    let Some(mut context) = context.unload() else {
+        bail!("context safety violation while trying to unload context");
+    };
+
+    // Perform root context modification in a block to release the modification when complete.
+    {
+        // Modify the root context to include the autoconfigured actions.
+        let Some(root) = context.root_mut() else {
+            bail!("context safety violation while trying to modify root context");
+        };
+
+        // Extend the root context with the autoconfigured actions.
+        root.actions_mut().extend(config.actions);
+
+        // Insert any modified root values.
+        context.insert(&config.values);
+    }
+
+    // Refreeze the context to ensure that further operations can share the context.
+    let context = context.freeze();
+
+    // Run all the extractors declared in the configuration.
+    let mut extracted = BTreeMap::new();
+    for (name, extractor) in &config.extractors {
+        let value = extractors::extract(context.clone(), extractor)
+            .context(format!("unable to extract value {}", name))?;
+        info!("extracted value {}: {}", name, value);
+        extracted.insert(name.clone(), value);
+    }
+    let mut context = context.fork();
+    // Insert the extracted values into the sprout context.
+    context.insert(&extracted);
+    let context = context.freeze();
+
+    // Execute the startup phase.
+    phase(context.clone(), &config.phases.startup).context("unable to execute startup phase")?;
+
+    let mut entries = Vec::new();
+
+    // Insert all the static entries from the configuration into the entry list.
+    for (name, entry) in config.entries {
+        // Associate the main context with the static entry.
+        entries.push(BootableEntry::new(
+            name,
+            entry.title.clone(),
+            context.clone(),
+            entry,
+        ));
+    }
+
+    // Run all the generators declared in the configuration.
+    for (name, generator) in config.generators {
+        let context = context.fork().freeze();
+
+        // We will prefix all entries with [name]-, provided the name is not pinned.
+        let prefix = format!("{}-", name);
+
+        // Add all the entries generated by the generator to the entry list.
+        // The generator specifies the context associated with the entry.
+        for mut entry in generators::generate(context.clone(), &generator)? {
+            // If the entry name is not pinned, prepend the name prefix.
+            if !entry.is_pin_name() {
+                entry.prepend_name_prefix(&prefix);
+            }
+
+            entries.push(entry);
+        }
+    }
+
+    for entry in &mut entries {
+        let mut context = entry.context().fork();
+        // Insert the values from the entry configuration into the
+        // sprout context to use with the entry itself.
+        context.insert(&entry.declaration().values);
+        let context = context
+            .finalize()
+            .context("unable to finalize context")?
+            .freeze();
+        // Provide the new context to the bootable entry.
+        entry.swap_context(context);
+        // Restamp the title with any values.
+        entry.restamp_title();
+
+        // Mark this entry as the default entry if it is declared as such.
+        if let Some(ref default_entry) = config.options.default_entry {
+            // If the entry matches the default entry, mark it as the default entry.
+            if entry.is_match(default_entry) {
+                entry.mark_default();
+            }
+        }
+    }
+
+    // Tell the bootloader interface what entries are available.
+    BootloaderInterface::set_entries(entries.iter().map(|entry| entry.name()))
+        .context("unable to set entries in bootloader interface")?;
+
+    // Execute the late phase.
+    phase(context.clone(), &config.phases.late).context("unable to execute late phase")?;
+
+    // Acquire the timeout setting from the bootloader interface.
+    let bootloader_interface_timeout =
+        BootloaderInterface::get_timeout().context("unable to get bootloader interface timeout")?;
+
+    // Acquire the default entry from the bootloader interface.
+    let bootloader_interface_default_entry = BootloaderInterface::get_default_entry()
+        .context("unable to get bootloader interface default entry")?;
+
+    // Acquire the oneshot entry from the bootloader interface.
+    let bootloader_interface_oneshot_entry = BootloaderInterface::get_oneshot_entry()
+        .context("unable to get bootloader interface oneshot entry")?;
+
+    // If --boot is specified, boot that entry immediately.
+    let mut force_boot_entry = context.root().options().boot.clone();
+    // If --force-menu is specified, show the boot menu regardless of the value of --boot.
+    let mut force_boot_menu = context.root().options().force_menu;
+
+    // Determine the menu timeout in seconds based on the options or configuration.
+    // We prefer the options over the configuration to allow for overriding.
+    let mut menu_timeout = context
+        .root()
+        .options()
+        .menu_timeout
+        .unwrap_or(config.options.menu_timeout);
+
+    // Apply bootloader interface timeout settings.
+    match bootloader_interface_timeout {
+        BootloaderInterfaceTimeout::MenuForce => {
+            // Force the boot menu.
+            force_boot_menu = true;
+        }
+
+        BootloaderInterfaceTimeout::MenuHidden | BootloaderInterfaceTimeout::MenuDisabled => {
+            // Hide the boot menu by setting the timeout to zero.
+            menu_timeout = 0;
+        }
+
+        BootloaderInterfaceTimeout::Timeout(timeout) => {
+            // Configure the timeout to the specified value.
+            menu_timeout = timeout;
+        }
+
+        BootloaderInterfaceTimeout::Unspecified => {
+            // Do nothing.
+        }
+    }
+
+    // Apply bootloader interface default entry settings.
+    if let Some(ref bootloader_interface_default_entry) = bootloader_interface_default_entry {
+        // Iterate over all the entries and mark the default entry as the one specified.
+        for entry in &mut entries {
+            // Mark the entry as the default entry if it matches the specified entry.
+            // If the entry does not match the specified entry, unmark it as the default entry.
+            if entry.is_match(bootloader_interface_default_entry) {
+                entry.mark_default();
+            } else {
+                entry.unmark_default();
+            }
+        }
+    }
+
+    // Apply bootloader interface oneshot entry settings.
+    // If set, we will force booting the oneshot entry.
+    if let Some(ref bootloader_interface_oneshot_entry) = bootloader_interface_oneshot_entry {
+        force_boot_entry = Some(bootloader_interface_oneshot_entry.clone());
+    }
+
+    // If no entries were the default, pick the first entry as the default entry.
+    if entries.iter().all(|entry| !entry.is_default())
+        && let Some(entry) = entries.first_mut()
+    {
+        entry.mark_default();
+    }
+
+    // Convert the menu timeout to a duration.
+    let menu_timeout = Duration::from_secs(menu_timeout);
+
+    // Use the forced boot entry if possible, otherwise pick the first entry using a boot menu.
+    let entry = if !force_boot_menu && let Some(ref force_boot_entry) = force_boot_entry {
+        BootableEntry::find(force_boot_entry, entries.iter())
+            .context(format!("unable to find entry: {force_boot_entry}"))?
+    } else {
+        // Delegate to the menu to select an entry to boot.
+        menu::select(&timer, menu_timeout, &entries)
+            .context("unable to select entry via boot menu")?
+    };
+
+    // Tell the bootloader interface what the selected entry is.
+    BootloaderInterface::set_selected_entry(entry.name().to_string())
+        .context("unable to set selected entry in bootloader interface")?;
+
+    // Execute all the actions for the selected entry.
+    for action in &entry.declaration().actions {
+        let action = entry.context().stamp(action);
+        actions::execute(entry.context().clone(), &action)
+            .context(format!("unable to execute action '{}'", action))?;
+    }
+
+    Ok(())
+}
+
+/// The main entrypoint of sprout.
+/// It is possible this function will not return if actions that are executed
+/// exit boot services or do not return control to sprout.
+#[entry]
+fn efi_main() -> Status {
+    // Initialize the basic UEFI environment.
+    // If initialization fails, we will return ABORTED.
+    // NOTE: This function will also initialize the logger.
+    // The logger will panic if it is unable to initialize.
+    // It is guaranteed that if this returns, the logger is initialized.
+    if let Err(error) = setup::init() {
+        error!("unable to initialize environment: {}", error);
+        return Status::ABORTED;
+    }
+
+    // Run Sprout, then handle the error.
+    let result = run();
+    if let Err(ref error) = result {
+        // Print an error trace.
+        error!("sprout encountered an error: {}", error);
+        for (index, stack) in error.chain().enumerate() {
+            error!("[{}]: {}", index, stack);
+        }
+        // Sleep to allow the user to read the error.
+        uefi::boot::stall(DELAY_ON_ERROR);
+        return Status::ABORTED;
+    }
+
+    // Sprout doesn't necessarily guarantee anything was booted.
+    // If we reach here, we will exit back to whoever called us.
+    Status::SUCCESS
+}

crates/boot/src/menu.rs

@@ -0,0 +1,199 @@
+use crate::entries::BootableEntry;
+use alloc::vec;
+use anyhow::{Context, Result, bail};
+use core::time::Duration;
+use eficore::bootloader_interface::BootloaderInterface;
+use eficore::platform::timer::PlatformTimer;
+use log::{info, warn};
+use uefi::ResultExt;
+use uefi::boot::TimerTrigger;
+use uefi::proto::console::text::{Input, Key, ScanCode};
+use uefi_raw::table::boot::{EventType, Tpl};
+
+/// The characters that can be used to select an entry from keys.
+const ENTRY_NUMBER_TABLE: &[char] = &['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
+
+/// Represents the operation that can be performed by the boot menu.
+#[derive(PartialEq, Eq)]
+enum MenuOperation {
+    /// The user selected a numbered entry.
+    Number(usize),
+    /// The user selected the escape key to exit the boot menu.
+    Exit,
+    /// The user selected the enter key to display the entries again.
+    Continue,
+    /// Timeout occurred.
+    Timeout,
+    /// No operation should be performed.
+    Nop,
+}
+
+/// Read a key from the input device with a duration, returning the [MenuOperation] that was
+/// performed.
+fn read(input: &mut Input, timeout: &Duration) -> Result<MenuOperation> {
+    // The event to wait for a key press.
+    let key_event = input
+        .wait_for_key_event()
+        .context("unable to acquire key event")?;
+
+    // Timer event for timeout.
+    // SAFETY: The timer event creation allocated a timer pointer on the UEFI heap.
+    // This is validated safe as long as we are in boot services.
+    let timer_event = unsafe {
+        uefi::boot::create_event_ex(EventType::TIMER, Tpl::CALLBACK, None, None, None)
+            .context("unable to create timer event")?
+    };
+
+    // The timeout is in increments of 100 nanoseconds.
+    let timeout_hundred_nanos = timeout.as_nanos() / 100;
+
+    // Check if the timeout is too large to fit into an u64.
+    if timeout_hundred_nanos > u64::MAX as u128 {
+        bail!("timeout duration overflow");
+    }
+
+    // Set a timer to trigger after the specified duration.
+    let trigger = TimerTrigger::Relative(timeout_hundred_nanos as u64);
+    uefi::boot::set_timer(&timer_event, trigger).context("unable to set timeout timer")?;
+
+    let mut events = vec![timer_event, key_event];
+
+    // Wait for either the timer event or the key event to trigger.
+    // Store the result so that we can free the timer event.
+    let event_result = uefi::boot::wait_for_event(&mut events)
+        .discard_errdata()
+        .context("unable to wait for event");
+
+    // Close the timer event that we acquired.
+    // We don't need to close the key event because it is owned globally.
+    // This should always be called in practice as events are not modified by wait_for_event.
+    if let Some(timer_event) = events.into_iter().next() {
+        // Store the result of the close event so we can determine if we can safely assert it.
+        let close_event_result =
+            uefi::boot::close_event(timer_event).context("unable to close timer event");
+        if event_result.is_err()
+            && let Err(ref close_event_error) = close_event_result
+        {
+            // Log a warning if we failed to close the timer event.
+            // This is done to ensure we don't mask the wait_for_event error.
+            warn!("unable to close timer event: {}", close_event_error);
+        } else {
+            // If we reach here, we can safely assert that the close event succeeded without
+            // masking the wait_for_event error.
+            close_event_result?;
+        }
+    }
+
+    // Acquire the event that triggered.
+    let event = event_result?;
+
+    // The first event is the timer event.
+    // If it has triggered, the user did not select a numbered entry.
+    if event == 0 {
+        return Ok(MenuOperation::Timeout);
+    }
+
+    // If we reach here, there is a key event.
+    let Some(key) = input.read_key().context("unable to read key")? else {
+        bail!("no key was pressed");
+    };
+
+    match key {
+        Key::Printable(c) => {
+            // If the key is not ascii, we can't process it.
+            if !c.is_ascii() {
+                return Ok(MenuOperation::Continue);
+            }
+            // Convert the key to a char.
+            let c: char = c.into();
+            // Find the key pressed in the entry number table or continue.
+            Ok(ENTRY_NUMBER_TABLE
+                .iter()
+                .position(|&x| x == c)
+                .map(MenuOperation::Number)
+                .unwrap_or(MenuOperation::Continue))
+        }
+
+        // The escape key is used to exit the boot menu.
+        Key::Special(ScanCode::ESCAPE) => Ok(MenuOperation::Exit),
+
+        // If the special key is unknown, do nothing.
+        Key::Special(_) => Ok(MenuOperation::Nop),
+    }
+}
+
+/// Selects an entry from the list of entries using the boot menu.
+fn select_with_input<'a>(
+    input: &mut Input,
+    timeout: Duration,
+    entries: &'a [BootableEntry],
+) -> Result<&'a BootableEntry> {
+    loop {
+        // If the timeout is not zero, let's display the boot menu.
+        if !timeout.is_zero() {
+            // Until a pretty menu is available, we just print all the entries.
+            info!("Boot Menu:");
+            for (index, entry) in entries.iter().enumerate() {
+                let title = entry.context().stamp(&entry.declaration().title);
+                info!("  [{}] {}", index, title);
+            }
+        }
+
+        // Read from input until a valid operation is selected.
+        let operation = loop {
+            // If the timeout is zero, we can exit immediately because there is nothing to do.
+            if timeout.is_zero() {
+                break MenuOperation::Exit;
+            }
+
+            info!("Select a boot entry using the number keys.");
+            info!("Press Escape to exit and enter to display the entries again.");
+
+            let operation = read(input, &timeout)?;
+            if operation != MenuOperation::Nop {
+                break operation;
+            }
+        };
+
+        match operation {
+            // Entry was selected by number. If the number is invalid, we continue.
+            MenuOperation::Number(index) => {
+                let Some(entry) = entries.get(index) else {
+                    info!("invalid entry number");
+                    continue;
+                };
+                return Ok(entry);
+            }
+
+            // When the user exits the boot menu or a timeout occurs, we should
+            // boot the default entry, if any.
+            MenuOperation::Exit | MenuOperation::Timeout => {
+                return entries
+                    .iter()
+                    .find(|item| item.is_default())
+                    .context("no default entry available");
+            }
+
+            // If the operation is to continue or nop, we can just run the loop again.
+            MenuOperation::Continue | MenuOperation::Nop => {
+                continue;
+            }
+        }
+    }
+}
+
+/// Shows a boot menu to select a bootable entry to boot.
+/// The actual work is done internally in [select_with_input] which is called
+/// within the context of the standard input device.
+pub fn select<'live>(
+    timer: &'live PlatformTimer,
+    timeout: Duration,
+    entries: &'live [BootableEntry],
+) -> Result<&'live BootableEntry> {
+    // Notify the bootloader interface that we are about to display the menu.
+    BootloaderInterface::mark_menu(timer)
+        .context("unable to mark menu display in bootloader interface")?;
+
+    // Acquire the standard input device and run the boot menu.
+    uefi::system::with_stdin(move |input| select_with_input(input, timeout, entries))
+}

crates/boot/src/options.rs

@@ -0,0 +1,132 @@
+use alloc::string::{String, ToString};
+use anyhow::{Context, Result, bail};
+use core::ptr::null_mut;
+use jaarg::alloc::ParseMapResult;
+use jaarg::{
+    ErrorUsageWriter, ErrorUsageWriterContext, HelpWriter, HelpWriterContext, Opt, Opts,
+    StandardErrorUsageWriter, StandardFullHelpWriter,
+};
+use log::{error, info};
+use uefi_raw::Status;
+
+/// Default configuration file path.
+const DEFAULT_CONFIG_PATH: &str = "\\sprout.toml";
+
+/// The parsed options of sprout.
+#[derive(Debug)]
+pub struct SproutOptions {
+    /// Configures Sprout automatically based on the environment.
+    pub autoconfigure: bool,
+    /// Path to a configuration file to load.
+    pub config: String,
+    /// Entry to boot without showing the boot menu.
+    pub boot: Option<String>,
+    /// Force display of the boot menu.
+    pub force_menu: bool,
+    /// The timeout for the boot menu in seconds.
+    pub menu_timeout: Option<u64>,
+}
+
+/// The default Sprout options.
+impl Default for SproutOptions {
+    fn default() -> Self {
+        Self {
+            autoconfigure: false,
+            config: DEFAULT_CONFIG_PATH.to_string(),
+            boot: None,
+            force_menu: false,
+            menu_timeout: None,
+        }
+    }
+}
+
+/// The options parser mechanism for Sprout.
+impl SproutOptions {
+    /// Produces [SproutOptions] from the arguments provided by the UEFI core.
+    /// Internally we utilize the `jaarg` argument parser which has excellent no_std support.
+    pub fn parse() -> Result<Self> {
+        // All the options for the Sprout executable.
+        const OPTIONS: Opts<&str> = Opts::new(&[
+            Opt::help_flag("help", &["--help"]).help_text("Display Sprout Help"),
+            Opt::flag("autoconfigure", &["--autoconfigure"])
+                .help_text("Enable Sprout autoconfiguration"),
+            Opt::value("config", &["--config"], "PATH")
+                .help_text("Path to Sprout configuration file"),
+            Opt::value("boot", &["--boot"], "ENTRY").help_text("Entry to boot, bypassing the menu"),
+            Opt::flag("force-menu", &["--force-menu"]).help_text("Force showing the boot menu"),
+            Opt::value("menu-timeout", &["--menu-timeout"], "TIMEOUT")
+                .help_text("Boot menu timeout, in seconds"),
+        ]);
+
+        // Acquire the arguments as determined by the UEFI core.
+        let args = eficore::env::args()?;
+
+        // Parse the OPTIONS into a map using jaarg.
+        let parsed = match OPTIONS.parse_map(
+            "sprout",
+            args.iter(),
+            |program_name| {
+                let ctx = HelpWriterContext {
+                    options: &OPTIONS,
+                    program_name,
+                };
+                info!("{}", StandardFullHelpWriter::new(ctx));
+            },
+            |program_name, error| {
+                let ctx = ErrorUsageWriterContext {
+                    options: &OPTIONS,
+                    program_name,
+                    error,
+                };
+                error!("{}", StandardErrorUsageWriter::new(ctx));
+            },
+        ) {
+            ParseMapResult::Map(map) => map,
+            ParseMapResult::ExitSuccess => unsafe {
+                uefi::boot::exit(uefi::boot::image_handle(), Status::SUCCESS, 0, null_mut());
+            },
+
+            ParseMapResult::ExitFailure => unsafe {
+                uefi::boot::exit(uefi::boot::image_handle(), Status::ABORTED, 0, null_mut());
+            },
+        };
+
+        // Use the default value of sprout options and have the raw options be parsed into it.
+        let mut result = Self::default();
+
+        for (key, value) in parsed {
+            match key {
+                "autoconfigure" => {
+                    // Enable autoconfiguration.
+                    result.autoconfigure = true;
+                }
+
+                "config" => {
+                    // The configuration file to load.
+                    result.config = value;
+                }
+
+                "boot" => {
+                    // The entry to boot.
+                    result.boot = Some(value);
+                }
+
+                "force-menu" => {
+                    // Force showing of the boot menu.
+                    result.force_menu = true;
+                }
+
+                "menu-timeout" => {
+                    // The timeout for the boot menu in seconds.
+                    let value = value
+                        .parse::<u64>()
+                        .context("menu-timeout must be a number")?;
+                    result.menu_timeout = Some(value);
+                }
+
+                _ => bail!("unknown option: --{key}"),
+            }
+        }
+        Ok(result)
+    }
+}

crates/boot/src/phases.rs

@@ -0,0 +1,26 @@
+use crate::actions;
+use crate::context::SproutContext;
+use alloc::format;
+use alloc::rc::Rc;
+use anyhow::{Context, Result};
+use edera_sprout_config::phases::PhaseConfiguration;
+
+/// Executes the specified [phase] of the boot process.
+/// The value [phase] should be a reference of a specific phase in the [PhasesConfiguration].
+/// Any error from the actions is propagated into the [Result] and will interrupt further
+/// execution of phase actions.
+pub fn phase(context: Rc<SproutContext>, phase: &[PhaseConfiguration]) -> Result<()> {
+    for item in phase {
+        let mut context = context.fork();
+        // Insert the values into the context.
+        context.insert(&item.values);
+        let context = context.freeze();
+
+        // Execute all the actions in this phase configuration.
+        for action in item.actions.iter() {
+            actions::execute(context.clone(), action)
+                .context(format!("unable to execute action '{}'", action))?;
+        }
+    }
+    Ok(())
+}

crates/boot/src/sbat.csv

@@ -0,0 +1,2 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+sprout,1,Edera,sprout,{version},https://sprout.edera.dev

crates/boot/src/sbat.rs

@@ -0,0 +1,2 @@
+// Include the generated sbat section in this file.
+include!(concat!(env!("OUT_DIR"), "/sbat.generated.rs"));

crates/boot/src/utils.rs

@@ -0,0 +1,26 @@
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use sha2::{Digest, Sha256};
+
+/// Implements a version comparison algorithm according to the BLS specification.
+pub mod vercmp;
+
+/// Combine a sequence of strings into a single string, separated by spaces, ignoring empty strings.
+pub fn combine_options<T: AsRef<str>>(options: impl Iterator<Item = T>) -> String {
+    options
+        .flat_map(|item| empty_is_none(Some(item)))
+        .map(|item| item.as_ref().to_string())
+        .collect::<Vec<_>>()
+        .join(" ")
+}
+
+/// Produce a unique hash for the input.
+/// This uses SHA-256, which is unique enough but relatively short.
+pub fn unique_hash(input: &str) -> String {
+    hex::encode(Sha256::digest(input.as_bytes()))
+}
+
+/// Filter a string-like Option `input` such that an empty string is [None].
+pub fn empty_is_none<T: AsRef<str>>(input: Option<T>) -> Option<T> {
+    input.filter(|input| !input.as_ref().is_empty())
+}

crates/boot/src/utils/vercmp.rs

@@ -0,0 +1,184 @@
+use core::cmp::Ordering;
+use core::iter::Peekable;
+
+/// Handles single character advancement and comparison.
+macro_rules! handle_single_char {
+    ($ca: expr, $cb:expr, $a_chars:expr, $b_chars:expr, $c:expr) => {
+        match ($ca == $c, $cb == $c) {
+            (true, false) => return Ordering::Less,
+            (false, true) => return Ordering::Greater,
+            (true, true) => {
+                $a_chars.next();
+                $b_chars.next();
+                continue;
+            }
+            _ => {}
+        }
+    };
+}
+
+/// Compares two strings using the BLS version comparison specification.
+/// Handles optional values as well by comparing only if both are specified.
+pub fn compare_versions_optional(a: Option<&str>, b: Option<&str>) -> Ordering {
+    match (a, b) {
+        // If both have values, compare them.
+        (Some(a), Some(b)) => compare_versions(a, b),
+        // If the second value is None, then `a` is less than `b`.
+        (Some(_a), None) => Ordering::Less,
+        // If the first value is None, the `a` is greater than `b`.
+        (None, Some(_b)) => Ordering::Greater,
+        // If both values are None, return that they are equal.
+        (None, None) => Ordering::Equal,
+    }
+}
+
+/// Compares two strings using the BLS version comparison specification.
+/// See: https://uapi-group.org/specifications/specs/version_format_specification/
+pub fn compare_versions(a: &str, b: &str) -> Ordering {
+    // Acquire a peekable iterator for each string.
+    let mut a_chars = a.chars().peekable();
+    let mut b_chars = b.chars().peekable();
+
+    // Loop until we have reached the end of one of the strings.
+    loop {
+        // Skip invalid characters in both strings.
+        skip_invalid(&mut a_chars);
+        skip_invalid(&mut b_chars);
+
+        // Check if either string has ended.
+        match (a_chars.peek(), b_chars.peek()) {
+            // No more characters in either string.
+            (None, None) => return Ordering::Equal,
+            // One string has ended, the other hasn't.
+            (None, Some(_)) => return Ordering::Less,
+            (Some(_), None) => return Ordering::Greater,
+            // Both strings have characters left.
+            (Some(&ca), Some(&cb)) => {
+                // Handle the ~ character.
+                handle_single_char!(ca, cb, a_chars, b_chars, '~');
+
+                // Handle '-' character.
+                handle_single_char!(ca, cb, a_chars, b_chars, '-');
+
+                // Handle the '^' character.
+                handle_single_char!(ca, cb, a_chars, b_chars, '^');
+
+                // Handle the '.' character.
+                handle_single_char!(ca, cb, a_chars, b_chars, '.');
+
+                // Handle digits with numerical comparison.
+                // We key off of the A character being a digit intentionally as we presume
+                // this indicates it will be the same at this position.
+                if ca.is_ascii_digit() || cb.is_ascii_digit() {
+                    let result = compare_numeric(&mut a_chars, &mut b_chars);
+                    if result != Ordering::Equal {
+                        return result;
+                    }
+                    continue;
+                }
+
+                // Handle letters with alphabetical comparison.
+                // We key off of the A character being alphabetical intentionally as we presume
+                // this indicates it will be the same at this position.
+                if ca.is_ascii_alphabetic() || cb.is_ascii_alphabetic() {
+                    let result = compare_alphabetic(&mut a_chars, &mut b_chars);
+                    if result != Ordering::Equal {
+                        return result;
+                    }
+                    continue;
+                }
+            }
+        }
+    }
+}
+
+/// Skips characters that are not in the valid character set.
+fn skip_invalid<I: Iterator<Item = char>>(iter: &mut Peekable<I>) {
+    while let Some(&c) = iter.peek() {
+        if is_valid_char(c) {
+            break;
+        }
+        iter.next();
+    }
+}
+
+/// Checks if a character is in the valid character set for comparison.
+fn is_valid_char(c: char) -> bool {
+    matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '-' | '.' | '~' | '^')
+}
+
+/// Compares numerical prefixes by extracting numbers.
+fn compare_numeric<I: Iterator<Item = char>>(
+    iter_a: &mut Peekable<I>,
+    iter_b: &mut Peekable<I>,
+) -> Ordering {
+    let num_a = extract_number(iter_a);
+    let num_b = extract_number(iter_b);
+
+    num_a.cmp(&num_b)
+}
+
+/// Extracts a number from the iterator, skipping leading zeros.
+fn extract_number<I: Iterator<Item = char>>(iter: &mut Peekable<I>) -> u64 {
+    // Skip leading zeros
+    while let Some(&'0') = iter.peek() {
+        iter.next();
+    }
+
+    let mut num = 0u64;
+    while let Some(&c) = iter.peek() {
+        if c.is_ascii_digit() {
+            iter.next();
+            num = num.saturating_mul(10).saturating_add(c as u64 - '0' as u64);
+        } else {
+            break;
+        }
+    }
+
+    num
+}
+
+/// Compares alphabetical prefixes
+/// Capital letters compare lower than lowercase letters (B < a)
+fn compare_alphabetic<I: Iterator<Item = char>>(
+    iter_a: &mut Peekable<I>,
+    iter_b: &mut Peekable<I>,
+) -> Ordering {
+    loop {
+        return match (iter_a.peek(), iter_b.peek()) {
+            (Some(&ca), Some(&cb)) if ca.is_ascii_alphabetic() && cb.is_ascii_alphabetic() => {
+                if ca == cb {
+                    // Same character, we should continue.
+                    iter_a.next();
+                    iter_b.next();
+                    continue;
+                }
+
+                // Different characters found.
+                // All capital letters compare lower than lowercase letters.
+                match (ca.is_ascii_uppercase(), cb.is_ascii_uppercase()) {
+                    (true, false) => Ordering::Less,    // uppercase < lowercase
+                    (false, true) => Ordering::Greater, // lowercase > uppercase
+                    (true, true) => ca.cmp(&cb),        // both are uppercase
+                    (false, false) => ca.cmp(&cb),      // both are lowercase
+                }
+            }
+
+            (Some(&ca), Some(_)) if ca.is_ascii_alphabetic() => {
+                // a has letters, b doesn't
+                Ordering::Greater
+            }
+
+            (Some(_), Some(&cb)) if cb.is_ascii_alphabetic() => {
+                // b has letters, a doesn't
+                Ordering::Less
+            }
+
+            (Some(&ca), None) if ca.is_ascii_alphabetic() => Ordering::Greater,
+
+            (None, Some(&cb)) if cb.is_ascii_alphabetic() => Ordering::Less,
+
+            _ => Ordering::Equal,
+        };
+    }
+}

crates/build/Cargo.toml

@@ -0,0 +1,12 @@
+[package]
+name = "edera-sprout-build"
+description = "Sprout Build Tools"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[lib]
+name = "edera_sprout_build"
+path = "src/lib.rs"

crates/build/src/lib.rs

@@ -0,0 +1,76 @@
+use std::path::PathBuf;
+use std::{env, fs};
+
+/// Block size of the sbat section.
+const SBAT_BLOCK_SIZE: usize = 512;
+
+/// Template contents for the sbat.generated.rs file.
+const SBAT_RS_TEMPLATE: &str = include_str!("sbat.template.rs");
+
+/// Pad with zeros the given `data` to a multiple of `block_size`.
+fn block_pad(data: &mut Vec<u8>, block_size: usize) {
+    let needed = data.len().div_ceil(block_size).max(1) * block_size;
+
+    if needed != data.len() {
+        data.resize(needed, 0);
+    }
+}
+
+/// Generate an .sbat link section module. This should be coupled with including the sbat module in
+/// the crate that intends to embed the sbat section.
+/// We intake a sbat.template.csv file in the calling crate and output a sbat.dat
+/// which is included by a generated sbat.generated.rs file.
+pub fn generate_sbat_module() {
+    // Notify Cargo that if the version changes, we need to regenerate the sbat.out file.
+    println!("cargo:rerun-if-env-changed=CARGO_PKG_VERSION");
+
+    // The version of the package.
+    let version = env::var("CARGO_PKG_VERSION").expect("CARGO_PKG_VERSION not set");
+
+    // The output directory to place the sbat.csv into.
+    let output_dir = PathBuf::from(env::var("OUT_DIR").expect("OUT_DIR not set"));
+
+    // The output path to the sbat.out file.
+    let out_file = output_dir.join("sbat.out");
+
+    // The output path to the sbat.generated.rs file.
+    let rs_file = output_dir.join("sbat.generated.rs");
+
+    // The path to the root of the crate.
+    let crate_root =
+        PathBuf::from(env::var("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR not set"));
+
+    // The path to the sbat.template.tsv file is in the source directory of the crate.
+    let sbat_template_file = crate_root.join("src/sbat.csv");
+
+    // Notify Cargo that if sbat.csv changes, we need to regenerate the sbat.out file.
+    println!(
+        "cargo:rerun-if-changed={}",
+        sbat_template_file
+            .to_str()
+            .expect("unable to convert sbat template path file to a string")
+    );
+
+    // Read the sbat.csv template file.
+    let sbat_template =
+        fs::read_to_string(&sbat_template_file).expect("unable to read sbat.csv file");
+
+    // Replace the version placeholder in the template with the actual version.
+    let sbat = sbat_template.replace("{version}", &version);
+
+    // Encode the sbat.csv as bytes.
+    let mut encoded = sbat.as_bytes().to_vec();
+
+    // Pad the sbat.csv to the required block size.
+    block_pad(&mut encoded, SBAT_BLOCK_SIZE);
+
+    // Write the sbat.out file to the output directory.
+    fs::write(&out_file, &encoded).expect("unable to write sbat.out");
+
+    // Generate the contents of the sbat.generated.rs file.
+    // The size must tbe size of the encoded sbat.out file.
+    let sbat_rs = SBAT_RS_TEMPLATE.replace("{size}", &encoded.len().to_string());
+
+    // Write the sbat.generated.rs file to the output directory.
+    fs::write(&rs_file, sbat_rs).expect("unable to write sbat.generated.rs");
+}

crates/build/src/sbat.template.rs

@@ -0,0 +1,6 @@
+/// Define the SBAT attestation by including the sbat.csv file.
+/// See this document for more details: https://github.com/rhboot/shim/blob/main/SBAT.md
+/// NOTE: This data must be aligned by 512 bytes.
+#[used]
+#[unsafe(link_section = ".sbat")]
+static SBAT: [u8; {size}] = *include_bytes!(concat!(env!("OUT_DIR"), "/sbat.out"));

crates/config/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "edera-sprout-config"
+description = "Sprout Configuration"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies.serde]
+workspace = true
+default-features = false
+
+[lib]
+name = "edera_sprout_config"
+path = "src/lib.rs"

crates/config/src/actions.rs

@@ -0,0 +1,32 @@
+use serde::{Deserialize, Serialize};
+
+/// Configuration for the chainload action.
+pub mod chainload;
+
+/// Configuration for the edera action.
+pub mod edera;
+
+/// Configuration for the print action.
+pub mod print;
+
+/// Declares an action that sprout can execute.
+/// Actions allow configuring sprout's internal runtime mechanisms with values
+/// that you can specify via other concepts.
+///
+/// Actions are the main work that Sprout gets done, like booting Linux.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ActionDeclaration {
+    /// Chainload to another EFI application.
+    /// This allows you to load any EFI application, either to boot an operating system
+    /// or to perform more EFI actions and return to sprout.
+    #[serde(default)]
+    pub chainload: Option<chainload::ChainloadConfiguration>,
+    /// Print a string to the EFI console.
+    #[serde(default)]
+    pub print: Option<print::PrintConfiguration>,
+    /// Boot the Edera hypervisor and the root operating system.
+    /// This action is an extension on top of the Xen EFI stub that
+    /// is specific to Edera.
+    #[serde(default, rename = "edera")]
+    pub edera: Option<edera::EderaConfiguration>,
+}

crates/config/src/actions/chainload.rs

@@ -0,0 +1,21 @@
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the chainload action.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ChainloadConfiguration {
+    /// The path to the image to chainload.
+    /// This can be a Linux EFI stub (vmlinuz usually) or a standard EFI executable.
+    pub path: String,
+    /// The options to pass to the image.
+    /// The options are concatenated by a space and then passed to the EFI application.
+    #[serde(default)]
+    pub options: Vec<String>,
+    /// An optional path to a Linux initrd.
+    /// This uses the [LINUX_EFI_INITRD_MEDIA_GUID] mechanism to load the initrd into the EFI stack.
+    /// For Linux, you can also use initrd=\path\to\initrd as an option, but this option is
+    /// generally better and safer as it can support additional load options in the future.
+    #[serde(default, rename = "linux-initrd")]
+    pub linux_initrd: Option<String>,
+}

crates/config/src/actions/edera.rs

@@ -0,0 +1,23 @@
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the edera action which boots the Edera hypervisor.
+/// Edera is based on Xen but modified significantly with a Rust stack.
+/// Sprout is a component of the Edera stack and provides the boot functionality of Xen.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct EderaConfiguration {
+    /// The path to the Xen hypervisor EFI image.
+    pub xen: String,
+    /// The path to the kernel to boot for dom0.
+    pub kernel: String,
+    /// The path to the initrd to load for dom0.
+    #[serde(default)]
+    pub initrd: Option<String>,
+    /// The options to pass to the kernel.
+    #[serde(default, rename = "kernel-options")]
+    pub kernel_options: Vec<String>,
+    /// The options to pass to the Xen hypervisor.
+    #[serde(default, rename = "xen-options")]
+    pub xen_options: Vec<String>,
+}

crates/config/src/actions/print.rs

@@ -0,0 +1,10 @@
+use alloc::string::String;
+use serde::{Deserialize, Serialize};
+
+/// The configuration of the print action.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct PrintConfiguration {
+    /// The text to print to the console.
+    #[serde(default)]
+    pub text: String,
+}

crates/config/src/drivers.rs

@@ -0,0 +1,13 @@
+use alloc::string::String;
+use serde::{Deserialize, Serialize};
+
+/// Declares a driver configuration.
+/// Drivers allow extending the functionality of Sprout.
+/// Drivers are loaded at runtime and can provide extra functionality like filesystem support.
+/// Drivers are loaded by their name, which is used to reference them in other concepts.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct DriverDeclaration {
+    /// The filesystem path to the driver.
+    /// This file should be an EFI executable that can be located and executed.
+    pub path: String,
+}

crates/config/src/entries.rs

@@ -1,13 +1,16 @@
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
 use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
 
 /// Declares a boot entry to display in the boot menu.
 ///
 /// Entries are the user-facing concept of Sprout, making it possible
 /// to run a set of actions with a specific context.
-#[derive(Serialize, Deserialize, Default, Clone)]
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
 pub struct EntryDeclaration {
     /// The title of the entry which will be display in the boot menu.
+    /// This is the pre-stamped value.
     pub title: String,
     /// The actions to run when the entry is selected.
     #[serde(default)]

crates/config/src/extractors.rs

@@ -1,16 +1,13 @@
-use crate::context::SproutContext;
 use crate::extractors::filesystem_device_match::FilesystemDeviceMatchExtractor;
-use anyhow::{Result, bail};
 use serde::{Deserialize, Serialize};
-use std::rc::Rc;
 
-/// The filesystem device match extractor.
+/// Configuration for the filesystem-device-match extractor.
 pub mod filesystem_device_match;
 
 /// Declares an extractor configuration.
 /// Extractors allow calculating values at runtime
 /// using built-in sprout modules.
-#[derive(Serialize, Deserialize, Default, Clone)]
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
 pub struct ExtractorDeclaration {
     /// The filesystem device match extractor.
     /// This extractor finds a filesystem using some search criteria and returns
@@ -19,14 +16,3 @@ pub struct ExtractorDeclaration {
     #[serde(default, rename = "filesystem-device-match")]
     pub filesystem_device_match: Option<FilesystemDeviceMatchExtractor>,
 }
-
-/// Extracts the value using the specified `extractor` under the provided `context`.
-/// The extractor must return a value, and if a value cannot be determined, an error
-/// should be returned.
-pub fn extract(context: Rc<SproutContext>, extractor: &ExtractorDeclaration) -> Result<String> {
-    if let Some(filesystem) = &extractor.filesystem_device_match {
-        filesystem_device_match::extract(context, filesystem)
-    } else {
-        bail!("unknown extractor configuration");
-    }
-}

crates/config/src/extractors/filesystem_device_match.rs

@@ -0,0 +1,30 @@
+use alloc::string::String;
+use serde::{Deserialize, Serialize};
+
+/// The filesystem device match extractor.
+/// This extractor finds a filesystem using some search criteria and returns
+/// the device root path that can concatenated with subpaths to access files
+/// on a particular filesystem.
+/// The fallback value can be used to provide a value if no match is found.
+///
+/// This extractor requires all the criteria to match. If no criteria is provided,
+/// an error is returned.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct FilesystemDeviceMatchExtractor {
+    /// Matches a filesystem that has the specified label.
+    #[serde(default, rename = "has-label")]
+    pub has_label: Option<String>,
+    /// Matches a filesystem that has the specified item.
+    /// An item is either a directory or file.
+    #[serde(default, rename = "has-item")]
+    pub has_item: Option<String>,
+    /// Matches a filesystem that has the specified partition UUID.
+    #[serde(default, rename = "has-partition-uuid")]
+    pub has_partition_uuid: Option<String>,
+    /// Matches a filesystem that has the specified partition type UUID.
+    #[serde(default, rename = "has-partition-type-uuid")]
+    pub has_partition_type_uuid: Option<String>,
+    /// The fallback value to use if no filesystem matches the criteria.
+    #[serde(default)]
+    pub fallback: Option<String>,
+}

crates/config/src/generators.rs

@@ -1,18 +1,20 @@
-use crate::context::SproutContext;
-use crate::entries::EntryDeclaration;
 use crate::generators::bls::BlsConfiguration;
+use crate::generators::list::ListConfiguration;
 use crate::generators::matrix::MatrixConfiguration;
-use anyhow::Result;
-use anyhow::bail;
 use serde::{Deserialize, Serialize};
-use std::rc::Rc;
 
+/// Configuration for the BLS generator.
 pub mod bls;
+
+/// Configuration for the list generator.
+pub mod list;
+
+/// Configuration for the matrix generator.
 pub mod matrix;
 
 /// Declares a generator configuration.
 /// Generators allow generating entries at runtime based on a set of data.
-#[derive(Serialize, Deserialize, Default, Clone)]
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
 pub struct GeneratorDeclaration {
     /// Matrix generator configuration.
     /// Matrix allows you to specify multiple value-key values as arrays.
@@ -32,20 +34,7 @@ pub struct GeneratorDeclaration {
     /// It will generate a sprout entry for every supported BLS entry.
     #[serde(default)]
     pub bls: Option<BlsConfiguration>,
-}
-
-/// Runs the generator specified by the `generator` option.
-/// It uses the specified `context` as the parent context for
-/// the generated entries, injecting more values if needed.
-pub fn generate(
-    context: Rc<SproutContext>,
-    generator: &GeneratorDeclaration,
-) -> Result<Vec<(Rc<SproutContext>, EntryDeclaration)>> {
-    if let Some(matrix) = &generator.matrix {
-        matrix::generate(context, matrix)
-    } else if let Some(bls) = &generator.bls {
-        bls::generate(context, bls)
-    } else {
-        bail!("unknown generator configuration");
-    }
+    /// List generator configuration.
+    /// Allows you to specify a list of values to generate an entry from.
+    pub list: Option<ListConfiguration>,
 }

crates/config/src/generators/bls.rs

@@ -0,0 +1,22 @@
+use crate::entries::EntryDeclaration;
+use alloc::string::{String, ToString};
+use serde::{Deserialize, Serialize};
+
+/// The default path to the BLS directory.
+const BLS_TEMPLATE_PATH: &str = "\\loader";
+
+/// The configuration of the BLS generator.
+/// The BLS uses the Bootloader Specification to produce
+/// entries from an input template.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct BlsConfiguration {
+    /// The entry to use for as a template.
+    pub entry: EntryDeclaration,
+    /// The path to the BLS directory.
+    #[serde(default = "default_bls_path")]
+    pub path: String,
+}
+
+fn default_bls_path() -> String {
+    BLS_TEMPLATE_PATH.to_string()
+}

crates/config/src/generators/list.rs

@@ -0,0 +1,18 @@
+use crate::entries::EntryDeclaration;
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// List generator configuration.
+/// The list generator produces multiple entries based
+/// on a set of input maps.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct ListConfiguration {
+    /// The template entry to use for each generated entry.
+    #[serde(default)]
+    pub entry: EntryDeclaration,
+    /// The values to use as the input for the matrix.
+    #[serde(default)]
+    pub values: Vec<BTreeMap<String, String>>,
+}

crates/config/src/generators/matrix.rs

@@ -0,0 +1,18 @@
+use crate::entries::EntryDeclaration;
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// Matrix generator configuration.
+/// The matrix generator produces multiple entries based
+/// on input values multiplicatively.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct MatrixConfiguration {
+    /// The template entry to use for each generated entry.
+    #[serde(default)]
+    pub entry: EntryDeclaration,
+    /// The values to use as the input for the matrix.
+    #[serde(default)]
+    pub values: BTreeMap<String, Vec<String>>,
+}

crates/config/src/lib.rs

@@ -1,27 +1,43 @@
+//! Sprout configuration descriptions.
+//! This crate provides all the configuration structures for Sprout.
+#![no_std]
+extern crate alloc;
+
 use crate::actions::ActionDeclaration;
 use crate::drivers::DriverDeclaration;
 use crate::entries::EntryDeclaration;
 use crate::extractors::ExtractorDeclaration;
 use crate::generators::GeneratorDeclaration;
 use crate::phases::PhasesConfiguration;
+use alloc::collections::BTreeMap;
+use alloc::string::String;
 use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
 
-/// The configuration loader mechanisms.
-pub mod loader;
+pub mod actions;
+pub mod drivers;
+pub mod entries;
+pub mod extractors;
+pub mod generators;
+pub mod phases;
 
 /// This is the latest version of the sprout configuration format.
 /// This must be incremented when the configuration breaks compatibility.
 pub const LATEST_VERSION: u32 = 1;
 
+/// The default timeout for the boot menu in seconds.
+pub const DEFAULT_MENU_TIMEOUT_SECONDS: u64 = 10;
+
 /// The Sprout configuration format.
-#[derive(Serialize, Deserialize, Default, Clone)]
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
 pub struct RootConfiguration {
     /// The version of the configuration. This should always be declared
     /// and be the latest version that is supported. If not specified, it is assumed
     /// the configuration is the latest version.
     #[serde(default = "latest_version")]
     pub version: u32,
+    /// Default options for Sprout.
+    #[serde(default)]
+    pub options: OptionsConfiguration,
     /// Values to be inserted into the root sprout context.
     #[serde(default)]
     pub values: BTreeMap<String, String>,
@@ -59,6 +75,25 @@ pub struct RootConfiguration {
     pub phases: PhasesConfiguration,
 }
 
-fn latest_version() -> u32 {
+/// Options configuration for Sprout, used when the corresponding options are not specified.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct OptionsConfiguration {
+    /// The entry to mark as the default entry, instead of the first entry.
+    #[serde(rename = "default-entry", default)]
+    pub default_entry: Option<String>,
+    /// The timeout of the boot menu.
+    #[serde(rename = "menu-timeout", default = "default_menu_timeout")]
+    pub menu_timeout: u64,
+    /// Enables autoconfiguration of Sprout based on the environment.
+    #[serde(default)]
+    pub autoconfigure: bool,
+}
+
+/// Get the latest version of the Sprout configuration format.
+pub fn latest_version() -> u32 {
     LATEST_VERSION
 }
+
+fn default_menu_timeout() -> u64 {
+    DEFAULT_MENU_TIMEOUT_SECONDS
+}

crates/config/src/phases.rs

@@ -0,0 +1,32 @@
+use alloc::collections::BTreeMap;
+use alloc::string::String;
+use alloc::vec::Vec;
+use serde::{Deserialize, Serialize};
+
+/// Configures the various phases of the boot process.
+/// This allows hooking various phases to run actions.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct PhasesConfiguration {
+    /// The early phase is run before drivers are loaded.
+    #[serde(default)]
+    pub early: Vec<PhaseConfiguration>,
+    /// The startup phase is run after drivers are loaded, but before entries are displayed.
+    #[serde(default)]
+    pub startup: Vec<PhaseConfiguration>,
+    /// The late phase is run after the entry is chosen, but before the actions are executed.
+    #[serde(default)]
+    pub late: Vec<PhaseConfiguration>,
+}
+
+/// Configures a single phase of the boot process.
+/// There can be multiple phase configurations that are
+/// executed sequentially.
+#[derive(Serialize, Deserialize, Debug, Default, Clone)]
+pub struct PhaseConfiguration {
+    /// The actions to run when the phase is executed.
+    #[serde(default)]
+    pub actions: Vec<String>,
+    /// The values to insert into the context when the phase is executed.
+    #[serde(default)]
+    pub values: BTreeMap<String, String>,
+}

crates/eficore/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "edera-sprout-eficore"
+description = "Sprout EFI Core"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition.workspace = true
+
+[dependencies]
+anyhow.workspace = true
+bitflags.workspace = true
+log.workspace = true
+shlex.workspace = true
+spin.workspace = true
+uefi.workspace = true
+uefi-raw.workspace = true
+
+[lib]
+name = "eficore"
+path = "src/lib.rs"

crates/eficore/src/bootloader_interface.rs

@@ -0,0 +1,317 @@
+use crate::bootloader_interface::bitflags::LoaderFeatures;
+use crate::platform::timer::PlatformTimer;
+use crate::variables::{VariableClass, VariableController};
+use alloc::format;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use anyhow::{Context, Result};
+use uefi::proto::device_path::DevicePath;
+use uefi::{Guid, guid};
+use uefi_raw::table::runtime::VariableVendor;
+
+/// bitflags: LoaderFeatures bitflags.
+mod bitflags;
+
+/// The name of the bootloader to tell the system.
+const LOADER_NAME: &str = "Sprout";
+
+/// Represents the configured timeout for the bootloader interface.
+pub enum BootloaderInterfaceTimeout {
+    /// Force the menu to be shown.
+    MenuForce,
+    /// Hide the menu.
+    MenuHidden,
+    /// Disable the menu.
+    MenuDisabled,
+    /// Set a timeout for the menu.
+    Timeout(u64),
+    /// Timeout is unspecified.
+    Unspecified,
+}
+
+/// Bootloader Interface support.
+pub struct BootloaderInterface;
+
+impl BootloaderInterface {
+    /// Bootloader Interface GUID from https://systemd.io/BOOT_LOADER_INTERFACE
+    const VENDOR: VariableController = VariableController::new(VariableVendor(guid!(
+        "4a67b082-0a4c-41cf-b6c7-440b29bb8c4f"
+    )));
+
+    /// The feature we support in Sprout.
+    fn features() -> LoaderFeatures {
+        LoaderFeatures::Xbootldr
+            | LoaderFeatures::LoadDriver
+            | LoaderFeatures::Tpm2ActivePcrBanks
+            | LoaderFeatures::RetainShim
+            | LoaderFeatures::ConfigTimeout
+            | LoaderFeatures::ConfigTimeoutOneShot
+            | LoaderFeatures::MenuDisable
+            | LoaderFeatures::EntryDefault
+            | LoaderFeatures::EntryOneShot
+    }
+
+    /// Tell the system that Sprout was initialized at the current time.
+    pub fn mark_init(timer: &PlatformTimer) -> Result<()> {
+        Self::mark_time("LoaderTimeInitUSec", timer)
+    }
+
+    /// Tell the system that Sprout is about to execute the boot entry.
+    pub fn mark_exec(timer: &PlatformTimer) -> Result<()> {
+        Self::mark_time("LoaderTimeExecUSec", timer)
+    }
+
+    /// Tell the system that Sprout is about to display the menu.
+    pub fn mark_menu(timer: &PlatformTimer) -> Result<()> {
+        Self::mark_time("LoaderTimeMenuUSec", timer)
+    }
+
+    /// Tell the system about the current time as measured by the platform timer.
+    /// Sets the variable specified by `key` to the number of microseconds.
+    fn mark_time(key: &str, timer: &PlatformTimer) -> Result<()> {
+        // Measure the elapsed time since the hardware timer was started.
+        let elapsed = timer.elapsed_since_lifetime();
+        Self::VENDOR.set_cstr16(
+            key,
+            &elapsed.as_micros().to_string(),
+            VariableClass::BootAndRuntimeTemporary,
+        )
+    }
+
+    /// Tell the system what loader is being used and our features.
+    pub fn set_loader_info() -> Result<()> {
+        // Set the LoaderInfo variable with the name of the loader.
+        Self::VENDOR
+            .set_cstr16(
+                "LoaderInfo",
+                LOADER_NAME,
+                VariableClass::BootAndRuntimeTemporary,
+            )
+            .context("unable to set loader info variable")?;
+
+        // Set the LoaderFeatures variable with the features we support.
+        Self::VENDOR
+            .set_u64le(
+                "LoaderFeatures",
+                Self::features().bits(),
+                VariableClass::BootAndRuntimeTemporary,
+            )
+            .context("unable to set loader features variable")?;
+        Ok(())
+    }
+
+    /// Tell the system the relative path to the partition root of the current bootloader.
+    pub fn set_loader_path(path: &DevicePath) -> Result<()> {
+        let subpath =
+            crate::path::device_path_subpath(path).context("unable to get loader path subpath")?;
+        Self::VENDOR.set_cstr16(
+            "LoaderImageIdentifier",
+            &subpath,
+            VariableClass::BootAndRuntimeTemporary,
+        )
+    }
+
+    /// Tell the system what the partition GUID of the ESP Sprout was booted from is.
+    pub fn set_partition_guid(guid: &Guid) -> Result<()> {
+        Self::VENDOR.set_cstr16(
+            "LoaderDevicePartUUID",
+            &guid.to_string(),
+            VariableClass::BootAndRuntimeTemporary,
+        )
+    }
+
+    /// Tell the system what boot entries are available.
+    pub fn set_entries<N: AsRef<str>>(entries: impl Iterator<Item = N>) -> Result<()> {
+        // Entries are stored as a null-terminated list of CString16 strings back to back.
+        // Iterate over the entries and convert them to CString16 placing them into data.
+        let mut data = Vec::new();
+        for entry in entries {
+            // Convert the entry to CString16 little endian.
+            let encoded = entry
+                .as_ref()
+                .encode_utf16()
+                .flat_map(|c| c.to_le_bytes())
+                .collect::<Vec<u8>>();
+            // Write the bytes into the data buffer.
+            data.extend_from_slice(&encoded);
+            // Add a null terminator to the end of the entry.
+            data.extend_from_slice(&[0, 0]);
+        }
+
+        // If no data was generated, we will do nothing.
+        if data.is_empty() {
+            return Ok(());
+        }
+
+        Self::VENDOR.set(
+            "LoaderEntries",
+            &data,
+            VariableClass::BootAndRuntimeTemporary,
+        )
+    }
+
+    /// Tell the system what the selected boot entry is.
+    pub fn set_selected_entry(entry: String) -> Result<()> {
+        Self::VENDOR.set_cstr16(
+            "LoaderEntrySelected",
+            &entry,
+            VariableClass::BootAndRuntimeTemporary,
+        )
+    }
+
+    /// Tell the system about the UEFI firmware we are running on.
+    pub fn set_firmware_info() -> Result<()> {
+        // Access the firmware revision.
+        let firmware_revision = uefi::system::firmware_revision();
+
+        // Access the UEFI revision.
+        let uefi_revision = uefi::system::uefi_revision();
+
+        // Format the firmware information string into something human-readable.
+        let firmware_info = format!(
+            "{} {}.{:02}",
+            uefi::system::firmware_vendor(),
+            firmware_revision >> 16,
+            firmware_revision & 0xffff,
+        );
+        Self::VENDOR.set_cstr16(
+            "LoaderFirmwareInfo",
+            &firmware_info,
+            VariableClass::BootAndRuntimeTemporary,
+        )?;
+
+        // Format the firmware revision into something human-readable.
+        let firmware_type = format!(
+            "UEFI {}.{:02}",
+            uefi_revision.major(),
+            uefi_revision.minor()
+        );
+        Self::VENDOR.set_cstr16(
+            "LoaderFirmwareType",
+            &firmware_type,
+            VariableClass::BootAndRuntimeTemporary,
+        )
+    }
+
+    /// Tell the system what the number of active PCR banks is.
+    /// If this is zero, that is okay.
+    pub fn set_tpm2_active_pcr_banks(value: u32) -> Result<()> {
+        // Format the value into the specification format.
+        let value = format!("0x{:08x}", value);
+        Self::VENDOR.set_cstr16(
+            "LoaderTpm2ActivePcrBanks",
+            &value,
+            VariableClass::BootAndRuntimeTemporary,
+        )
+    }
+
+    /// Retrieve the timeout value from the bootloader interface, using the specified `key`.
+    /// `remove` indicates whether, when found, we remove the variable.
+    fn get_timeout_value(key: &str, remove: bool) -> Result<Option<BootloaderInterfaceTimeout>> {
+        // Retrieve the timeout value from the bootloader interface.
+        let Some(value) = Self::VENDOR
+            .get_cstr16(key)
+            .context("unable to get timeout value")?
+        else {
+            return Ok(None);
+        };
+
+        // If we reach here, we know the value was specified.
+        // If `remove` is true, remove the variable.
+        if remove {
+            Self::VENDOR
+                .remove(key)
+                .context("unable to remove timeout variable")?;
+        }
+
+        // If the value is empty, return Unspecified.
+        if value.is_empty() {
+            return Ok(Some(BootloaderInterfaceTimeout::Unspecified));
+        }
+
+        // If the value is "menu-force", return MenuForce.
+        if value == "menu-force" {
+            return Ok(Some(BootloaderInterfaceTimeout::MenuForce));
+        }
+
+        // If the value is "menu-hidden", return MenuHidden.
+        if value == "menu-hidden" {
+            return Ok(Some(BootloaderInterfaceTimeout::MenuHidden));
+        }
+
+        // If the value is "menu-disabled", return MenuDisabled.
+        if value == "menu-disabled" {
+            return Ok(Some(BootloaderInterfaceTimeout::MenuDisabled));
+        }
+
+        // Parse the value as a u64 to decode an numeric value.
+        let value = value
+            .parse::<u64>()
+            .context("unable to parse timeout value")?;
+
+        // The specification says that a value of 0 means that the menu should be hidden.
+        if value == 0 {
+            return Ok(Some(BootloaderInterfaceTimeout::MenuHidden));
+        }
+
+        // If we reach here, we know it must be a real timeout value.
+        Ok(Some(BootloaderInterfaceTimeout::Timeout(value)))
+    }
+
+    /// Get the timeout from the bootloader interface.
+    /// This indicates how the menu should behave.
+    /// If no values are set, Unspecified is returned.
+    pub fn get_timeout() -> Result<BootloaderInterfaceTimeout> {
+        // Attempt to acquire the value of the LoaderConfigTimeoutOneShot variable.
+        // This should take precedence over the LoaderConfigTimeout variable.
+        let oneshot = Self::get_timeout_value("LoaderConfigTimeoutOneShot", true)
+            .context("unable to check for LoaderConfigTimeoutOneShot variable")?;
+
+        // If oneshot was found, return it.
+        if let Some(oneshot) = oneshot {
+            return Ok(oneshot);
+        }
+
+        // Attempt to acquire the value of the LoaderConfigTimeout variable.
+        // This will be used if the LoaderConfigTimeoutOneShot variable is not set.
+        let direct = Self::get_timeout_value("LoaderConfigTimeout", false)
+            .context("unable to check for LoaderConfigTimeout variable")?;
+
+        // If direct was found, return it.
+        if let Some(direct) = direct {
+            return Ok(direct);
+        }
+
+        // If we reach here, we know that neither variable was set.
+        // We provide the unspecified value instead.
+        Ok(BootloaderInterfaceTimeout::Unspecified)
+    }
+
+    /// Get the default entry set by the bootloader interface.
+    pub fn get_default_entry() -> Result<Option<String>> {
+        Self::VENDOR
+            .get_cstr16("LoaderEntryDefault")
+            .context("unable to get default entry from bootloader interface")
+    }
+
+    /// Get the oneshot entry set by the bootloader interface.
+    /// This should be the entry we boot.
+    pub fn get_oneshot_entry() -> Result<Option<String>> {
+        // Acquire the value of the LoaderEntryOneShot variable.
+        // If it is not set, return None.
+        let Some(value) = Self::VENDOR
+            .get_cstr16("LoaderEntryOneShot")
+            .context("unable to get oneshot entry from bootloader interface")?
+        else {
+            return Ok(None);
+        };
+
+        // Remove the oneshot entry from the bootloader interface.
+        Self::VENDOR
+            .remove("LoaderEntryOneShot")
+            .context("unable to remove oneshot entry")?;
+
+        // Return the oneshot value.
+        Ok(Some(value))
+    }
+}

crates/eficore/src/bootloader_interface/bitflags.rs

@@ -0,0 +1,46 @@
+use bitflags::bitflags;
+
+bitflags! {
+    /// Feature bitflags for the bootloader interface.
+    #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+    pub struct LoaderFeatures: u64 {
+        /// Bootloader supports LoaderConfigTimeout.
+        const ConfigTimeout = 1 << 0;
+        /// Bootloader supports LoaderConfigTimeoutOneShot.
+        const ConfigTimeoutOneShot = 1 << 1;
+        /// Bootloader supports LoaderEntryDefault.
+        const EntryDefault = 1 << 2;
+        /// Bootloader supports LoaderEntryOneShot.
+        const EntryOneShot = 1 << 3;
+        /// Bootloader supports boot counting.
+        const BootCounting = 1 << 4;
+        /// Bootloader supports detection from XBOOTLDR partitions.
+        const Xbootldr = 1 << 5;
+        /// Bootloader supports the handling of random seeds.
+        const RandomSeed = 1 << 6;
+        /// Bootloader supports loading drivers.
+        const LoadDriver = 1 << 7;
+        /// Bootloader supports sort keys.
+        const SortKey = 1 << 8;
+        /// Bootloader supports saved entries.
+        const SavedEntry = 1 << 9;
+        /// Bootloader supports device trees.
+        const DeviceTree = 1 << 10;
+        /// Bootloader supports secure boot enroll.
+        const SecureBootEnroll = 1 << 11;
+        /// Bootloader retains the shim.
+        const RetainShim = 1 << 12;
+        /// Bootloader supports disabling the menu via the menu timeout variable.
+        const MenuDisable = 1 << 13;
+        /// Bootloader supports multi-profile UKI.
+        const MultiProfileUki = 1 << 14;
+        /// Bootloader reports URLs.
+        const ReportUrl = 1 << 15;
+        /// Bootloader supports type-1 UKIs.
+        const Type1Uki = 1 << 16;
+        /// Bootloader supports type-1 UKI urls.
+        const Type1UkiUrl = 1 << 17;
+        /// Bootloader indicates TPM2 active PCR banks.
+        const Tpm2ActivePcrBanks = 1 << 18;
+    }
+}

crates/eficore/src/env.rs

@@ -0,0 +1,69 @@
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use anyhow::{Context, Result, bail};
+use uefi::proto::loaded_image::{LoadOptionsError, LoadedImage};
+
+/// Loads the command-line arguments passed to the current image.
+pub fn args() -> Result<Vec<String>> {
+    // Acquire the current image handle.
+    let handle = uefi::boot::image_handle();
+
+    // Open the LoadedImage protocol for the current image.
+    let loaded_image = uefi::boot::open_protocol_exclusive::<LoadedImage>(handle)
+        .context("unable to open loaded image protocol for current image")?;
+
+    // Load the command-line argument string.
+    let options = match loaded_image.load_options_as_cstr16() {
+        // Load options were passed. We will return them for processing.
+        Ok(options) => options,
+
+        // No load options were passed. We will return an empty vector.
+        Err(LoadOptionsError::NotSet) => {
+            return Ok(Vec::new());
+        }
+
+        Err(LoadOptionsError::NotAligned) => {
+            bail!("load options are not properly aligned");
+        }
+
+        Err(LoadOptionsError::InvalidString(error)) => {
+            bail!("load options are not a valid string: {}", error);
+        }
+    };
+
+    // Convert the options to a string.
+    let options = options.to_string();
+
+    // Use shlex to parse the options.
+    // If shlex fails, we will perform a simple whitespace split.
+    let mut args = shlex::split(&options).unwrap_or_else(|| {
+        options
+            .split_ascii_whitespace()
+            .map(|string| string.to_string())
+            .collect::<Vec<_>>()
+    });
+
+    // Correct firmware that may add invalid arguments at the start.
+    // Witnessed this on a Dell Precision 5690 when direct booting.
+    args = args
+        .into_iter()
+        .skip_while(|arg| {
+            arg.chars()
+                .next()
+                // Filter out unprintable characters and backticks.
+                // Both of which have been observed in the wild.
+                .map(|c| c < 0x1f as char || c == '`')
+                .unwrap_or(false)
+        })
+        .collect();
+
+    // If there is a first argument, check if it is not an option.
+    // If it is not, we will assume it is the path to the executable and remove it.
+    if let Some(arg) = args.first()
+        && !arg.starts_with('-')
+    {
+        args.remove(0);
+    }
+
+    Ok(args)
+}

crates/eficore/src/framebuffer.rs

@@ -1,3 +1,5 @@
+use alloc::vec;
+use alloc::vec::Vec;
 use anyhow::{Context, Result};
 use uefi::proto::console::gop::{BltOp, BltPixel, BltRegion, GraphicsOutput};
 
@@ -13,17 +15,33 @@ pub struct Framebuffer {
 
 impl Framebuffer {
     /// Creates a new framebuffer of the specified `width` and `height`.
-    pub fn new(width: usize, height: usize) -> Self {
-        Framebuffer {
+    pub fn new(width: usize, height: usize) -> Result<Self> {
+        // Verify that the size is valid during multiplication.
+        let size = width
+            .checked_mul(height)
+            .context("framebuffer size overflow")?;
+
+        // Initialize the pixel buffer with black pixels, with the verified size.
+        let pixels = vec![BltPixel::new(0, 0, 0); size];
+
+        Ok(Framebuffer {
             width,
             height,
-            pixels: vec![BltPixel::new(0, 0, 0); width * height],
-        }
+            pixels,
+        })
     }
 
     /// Mutably acquires a pixel of the framebuffer at the specified `x` and `y` coordinate.
     pub fn pixel(&mut self, x: usize, y: usize) -> Option<&mut BltPixel> {
-        self.pixels.get_mut(y * self.width + x)
+        // Verify that the coordinates are within the bounds of the framebuffer.
+        if x >= self.width || y >= self.height {
+            return None;
+        }
+
+        // Calculate the index of the pixel safely, returning None if it overflows.
+        let index = y.checked_mul(self.width)?.checked_add(x)?;
+        // Return the pixel at the index. If the index is out of bounds, this will return None.
+        self.pixels.get_mut(index)
     }
 
     /// Blit the framebuffer to the specified `gop` [GraphicsOutput].

crates/eficore/src/handle.rs

@@ -0,0 +1,26 @@
+use anyhow::{Context, Result};
+use uefi::boot::SearchType;
+use uefi::{Guid, Handle};
+use uefi_raw::Status;
+
+/// Find a handle that provides the specified `protocol`.
+pub fn find_handle(protocol: &Guid) -> Result<Option<Handle>> {
+    // Locate the requested protocol handle.
+    match uefi::boot::locate_handle_buffer(SearchType::ByProtocol(protocol)) {
+        // If a handle is found, the protocol is available.
+        Ok(handles) => Ok(if handles.is_empty() {
+            None
+        } else {
+            Some(handles[0])
+        }),
+        // If an error occurs, check if it is because the protocol is not available.
+        // If so, return false. Otherwise, return the error.
+        Err(error) => {
+            if error.status() == Status::NOT_FOUND {
+                Ok(None)
+            } else {
+                Err(error).context("unable to determine if the protocol is available")
+            }
+        }
+    }
+}

crates/eficore/src/lib.rs

@@ -0,0 +1,44 @@
+//! Sprout EFI Core.
+//! This crate provides tools for working with the EFI environment.
+#![no_std]
+extern crate alloc;
+
+/// EFI handle helpers.
+pub mod handle;
+
+/// Load and start EFI images.
+pub mod loader;
+
+/// Logging support for EFI applications.
+pub mod logger;
+
+/// Disk partitioning support infrastructure.
+pub mod partition;
+
+/// Path handling for UEFI.
+pub mod path;
+
+/// platform: Integration or support code for specific hardware platforms.
+pub mod platform;
+
+/// Secure Boot support.
+pub mod secure;
+
+/// Support for the shim loader application that enables Secure Boot.
+pub mod shim;
+
+/// String utilities.
+pub mod strings;
+
+/// Implements support for the bootloader interface specification.
+pub mod bootloader_interface;
+/// Acquire arguments from UEFI environment.
+pub mod env;
+/// Support code for the EFI framebuffer.
+pub mod framebuffer;
+/// Support code for the media loader protocol.
+pub mod media_loader;
+/// setup: Code that initializes the UEFI environment for Sprout.
+pub mod setup;
+/// Support code for EFI variables.
+pub mod variables;

crates/eficore/src/loader.rs

@@ -0,0 +1,141 @@
+use crate::loader::source::ImageSource;
+use crate::secure::SecureBoot;
+use crate::shim::hook::SecurityHook;
+use crate::shim::{ShimInput, ShimSupport};
+use anyhow::{Context, Result, bail};
+use log::warn;
+use uefi::Handle;
+use uefi::boot::LoadImageSource;
+
+/// Represents EFI image sources generically.
+pub mod source;
+
+/// Handle to a loaded EFI image.
+pub struct ImageHandle {
+    /// Handle to the loaded image.
+    handle: Handle,
+}
+
+impl ImageHandle {
+    /// Create a new image handle based on a handle from the UEFI stack.
+    pub fn new(handle: Handle) -> Self {
+        Self { handle }
+    }
+
+    /// Retrieve the underlying handle.
+    pub fn handle(&self) -> &Handle {
+        &self.handle
+    }
+}
+
+/// Request to load an image from a source, with support for additional validation features.
+pub struct ImageLoadRequest<'source> {
+    /// Handle to the current image.
+    current_image: Handle,
+    /// Source of the image to load.
+    source: ImageSource<'source>,
+}
+
+impl<'source> ImageLoadRequest<'source> {
+    /// Create a new image load request with a current image and a source.
+    pub fn new(current_image: Handle, source: ImageSource<'source>) -> Self {
+        Self {
+            current_image,
+            source,
+        }
+    }
+
+    /// Retrieve the current image.
+    pub fn current_image(&self) -> &Handle {
+        &self.current_image
+    }
+
+    /// Retrieve the source of the image to load.
+    pub fn source(&'source self) -> &'source ImageSource<'source> {
+        &self.source
+    }
+
+    /// Convert the request into a source.
+    pub fn into_source(self) -> ImageSource<'source> {
+        self.source
+    }
+}
+
+/// EFI image loader.
+pub struct ImageLoader;
+
+impl ImageLoader {
+    /// Load an image using the image `request` which allows
+    pub fn load(request: ImageLoadRequest) -> Result<ImageHandle> {
+        // Determine whether Secure Boot is enabled.
+        let secure_boot =
+            SecureBoot::enabled().context("unable to determine if secure boot is enabled")?;
+
+        // Determine whether the shim is loaded.
+        let shim_loaded = ShimSupport::loaded().context("unable to determine if shim is loaded")?;
+
+        // Determine whether the shim loader is available.
+        let shim_loader_available = ShimSupport::loader_available()
+            .context("unable to determine if shim loader is available")?;
+
+        // Determines whether LoadImage in Boot Services must be patched.
+        // Version 16 of the shim doesn't require extra effort to load Secure Boot binaries.
+        // If the image loader is installed, we can skip over the security hook.
+        let requires_security_hook = secure_boot && shim_loaded && !shim_loader_available;
+
+        // If the security hook is required, we will bail for now.
+        if requires_security_hook {
+            // Install the security hook, if possible. If it's not, this is necessary to continue,
+            // so we should bail.
+            let installed = SecurityHook::install().context("unable to install security hook")?;
+            if !installed {
+                bail!("unable to install security hook required for this platform");
+            }
+        }
+
+        // If the shim is loaded, we will need to retain the shim protocol to allow
+        // loading multiple images.
+        if shim_loaded {
+            // Retain the shim protocol after loading the image.
+            ShimSupport::retain()?;
+        }
+
+        // Clone the current image handle to use for loading the image.
+        let current_image = *request.current_image();
+
+        // Converts the source to a shim input with an owned data buffer.
+        let input = ShimInput::from(request.into_source())
+            .into_owned_data_buffer()
+            .context("unable to convert input to loaded data buffer")?;
+
+        // Constructs a LoadImageSource from the input.
+        let source = LoadImageSource::FromBuffer {
+            buffer: input.buffer().context("unable to get buffer from input")?,
+            file_path: input.file_path(),
+        };
+
+        // Loads the image using Boot Services LoadImage function.
+        let result = uefi::boot::load_image(current_image, source).context("unable to load image");
+
+        // If the security override is required, we will uninstall the security hook.
+        if requires_security_hook {
+            let uninstall_result = crate::shim::hook::SecurityHook::uninstall();
+            // Ensure we don't mask load image errors if uninstalling fails.
+            if result.is_err()
+                && let Err(uninstall_error) = &uninstall_result
+            {
+                // Warn on the error since the load image error is more important.
+                warn!("unable to uninstall security hook: {}", uninstall_error);
+            } else {
+                // Otherwise, ensure we handle the original uninstallation result.
+                uninstall_result?;
+            }
+        }
+
+        // Assert the result and grab the handle.
+        let handle = result?;
+
+        // Retrieve the handle from the result and make a new image handle.
+        Ok(ImageHandle::new(handle))
+    }
+}

crates/eficore/src/loader/source.rs

@@ -0,0 +1,25 @@
+use crate::path::ResolvedPath;
+use crate::shim::ShimInput;
+
+/// Represents a source of an EFI image.
+pub enum ImageSource<'source> {
+    /// The image is located at the specified path that has been resolved.
+    ResolvedPath(&'source ResolvedPath),
+    /// The image is located in a buffer.
+    DataBuffer {
+        /// Optional path to the image.
+        path: Option<&'source ResolvedPath>,
+        /// Buffer containing the image.
+        buffer: &'source [u8],
+    },
+}
+
+/// Implement conversion from `ImageSource` to `ShimInput`, which is used by the shim support code.
+impl<'source> From<ImageSource<'source>> for ShimInput<'source> {
+    fn from(value: ImageSource<'source>) -> Self {
+        match value {
+            ImageSource::ResolvedPath(path) => ShimInput::ResolvedPath(path),
+            ImageSource::DataBuffer { path, buffer } => ShimInput::DataBuffer(path, buffer),
+        }
+    }
+}

crates/eficore/src/logger.rs

@@ -0,0 +1,94 @@
+//! Based on: https://github.com/rust-osdev/uefi-rs/blob/main/uefi/src/helpers/logger.rs
+
+use alloc::format;
+use core::fmt::Write;
+use core::ptr;
+use core::sync::atomic::{AtomicPtr, Ordering};
+use log::{Log, Record};
+use uefi::proto::console::text::Output;
+
+/// The global logger object.
+static LOGGER: Logger = Logger::new();
+
+/// Logging mechanism for Sprout.
+/// Must be initialized to be used, as we use atomic pointers to store the output to write to.
+pub struct Logger {
+    writer: AtomicPtr<Output>,
+}
+
+impl Default for Logger {
+    /// Creates a default logger, which is uninitialized with an output.
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl Logger {
+    /// Create a new logger with an output not specified.
+    /// This will cause the logger to not print anything until it is configured.
+    pub const fn new() -> Self {
+        Self {
+            writer: AtomicPtr::new(ptr::null_mut()),
+        }
+    }
+
+    /// Retrieves the pointer to the output.
+    /// SAFETY: This pointer might be null, it should be checked before use.
+    #[must_use]
+    fn output(&self) -> *mut Output {
+        self.writer.load(Ordering::Acquire)
+    }
+
+    /// Sets the output to write to.
+    ///
+    /// # Safety
+    /// This function is unsafe because the output is technically leaked and unmanaged.
+    pub unsafe fn set_output(&self, output: *mut Output) {
+        self.writer.store(output, Ordering::Release);
+    }
+}
+
+impl Log for Logger {
+    /// Enable the logger always.
+    fn enabled(&self, _metadata: &log::Metadata<'_>) -> bool {
+        true
+    }
+
+    /// Log the specified `record` to the output if one is set.
+    fn log(&self, record: &Record) {
+        // Acquire the output. If one is not set, we do nothing.
+        let Some(output) = (unsafe { self.output().as_mut() }) else {
+            return;
+        };
+
+        // Format the log message.
+        let message = format!("{}", record.args());
+
+        // Iterate over every line, formatting the message and writing it to the output.
+        for line in message.lines() {
+            // The format writes the log level in front of every line of text.
+            let _ = writeln!(output, "[{:>5}] {}", record.level(), line);
+        }
+    }
+
+    /// This log is not buffered, so flushing isn't required.
+    fn flush(&self) {}
+}
+
+/// Initialize the logging environment, calling panic if something goes wrong.
+pub fn init() {
+    // Retrieve the stdout handle and set it as the output for the global logger.
+    uefi::system::with_stdout(|stdout| unsafe {
+        // SAFETY: We are using the stdout handle to create a pointer to the output.
+        // The handle is global and is guaranteed to be valid for the lifetime of the program.
+        LOGGER.set_output(stdout);
+    });
+
+    // Set the logger to the global logger.
+    if let Err(error) = log::set_logger(&LOGGER) {
+        panic!("unable to set logger: {}", error);
+    }
+
+    // Set the max level to the level specified by the log features.
+    log::set_max_level(log::STATIC_MAX_LEVEL);
+}

crates/eficore/src/media_loader.rs

@@ -1,5 +1,8 @@
+use alloc::boxed::Box;
+use alloc::vec::Vec;
 use anyhow::{Context, Result, bail};
-use std::ffi::c_void;
+use core::ffi::c_void;
+use core::ptr;
 use uefi::proto::device_path::DevicePath;
 use uefi::proto::device_path::build::DevicePathBuilder;
 use uefi::proto::device_path::build::media::Vendor;
@@ -33,8 +36,6 @@ struct MediaLoaderProtocol {
 /// You MUST call [MediaLoaderHandle::unregister] when ready to unregister.
 /// [Drop] is not implemented for this type.
 pub struct MediaLoaderHandle {
-    /// The vendor GUID of the media loader.
-    guid: Guid,
     /// The handle of the media loader in the UEFI stack.
     handle: Handle,
     /// The protocol interface pointer.
@@ -46,11 +47,16 @@ pub struct MediaLoaderHandle {
 impl MediaLoaderHandle {
     /// The behavior of this function is derived from how Linux calls it.
     ///
-    /// Linux calls this function by first passing a NULL [buffer].
-    /// We must set the size of the buffer it should allocate in [buffer_size].
+    /// Linux calls this function by first passing a NULL `buffer`.
+    /// We must set the size of the buffer it should allocate in `buffer_size`.
     /// The next call will pass a buffer of the right size, and we should copy
     /// data into that buffer, checking whether it is safe to copy based on
     /// the buffer size.
+    ///
+    /// SAFETY: `this.address` and `this.length` are set by leaking a Box<[u8]>, so we can
+    /// be sure their pointers are valid when this is called. The caller must call this function
+    /// while inside UEFI boot services to ensure pointers are valid. Copying to `buffer` is
+    /// assumed valid because the caller must ensure `buffer` is valid by function contract.
     unsafe extern "efiapi" fn load_file(
         this: *mut MediaLoaderProtocol,
         file_path: *const DevicePathProtocol,
@@ -97,7 +103,7 @@ impl MediaLoaderHandle {
     }
 
     /// Creates a new device path for the media loader based on a vendor `guid`.
-    fn device_path(guid: Guid) -> Box<DevicePath> {
+    fn device_path(guid: Guid) -> Result<Box<DevicePath>> {
         // The buffer for the device path.
         let mut path = Vec::new();
         // Build a device path for the media loader with a vendor-specific guid.
@@ -106,18 +112,18 @@ impl MediaLoaderHandle {
                 vendor_guid: guid,
                 vendor_defined_data: &[],
             })
-            .unwrap() // We know that the device path is valid, so we can unwrap.
+            .context("unable to produce device path")?
             .finalize()
-            .unwrap(); // We know that the device path is valid, so we can unwrap.
+            .context("unable to produce device path")?;
         // Convert the device path to a boxed device path.
         // This is safer than dealing with a pooled device path.
-        path.to_boxed()
+        Ok(path.to_boxed())
     }
 
     /// Checks if the media loader is already registered with the UEFI stack.
     fn already_registered(guid: Guid) -> Result<bool> {
         // Acquire the device path for the media loader.
-        let path = Self::device_path(guid);
+        let path = Self::device_path(guid)?;
 
         let mut existing_path = path.as_ref();
 
@@ -137,12 +143,12 @@ impl MediaLoaderHandle {
         Ok(false)
     }
 
-    /// Registers the provided [data] with the UEFI stack as media loader.
+    /// Registers the provided `data` with the UEFI stack as media loader.
     /// This uses a special device path that other EFI programs will look at
     /// to load the data from.
     pub fn register(guid: Guid, data: Box<[u8]>) -> Result<MediaLoaderHandle> {
         // Acquire the vendor device path for the media loader.
-        let path = Self::device_path(guid);
+        let path = Self::device_path(guid)?;
 
         // Check if the media loader is already registered.
         // If it is, we can't register it again safely.
@@ -155,14 +161,31 @@ impl MediaLoaderHandle {
 
         // Install a protocol interface for the device path.
         // This ensures it can be located by other EFI programs.
-        let mut handle = unsafe {
+        let primary_handle = match unsafe {
             uefi::boot::install_protocol_interface(
                 None,
                 &DevicePathProtocol::GUID,
                 path.as_ffi_ptr() as *mut c_void,
             )
         }
-        .context("unable to install media loader device path handle")?;
+        .context("unable to install media loader device path handle")
+        {
+            // Acquiring the primary handle succeeded, so we can return the handle.
+            Ok(handle) => handle,
+            // If acquiring the primary handle failed, we free the device path and return the error.
+            Err(error) => {
+                // SAFETY: We know that the device path is leaked,
+                // so we can safely take a reference to it again.
+                // The UEFI stack failed to install the protocol interface
+                // if we reach here, so the path is no longer in use.
+                let path = unsafe { Box::from_raw(path) };
+                // Explicitly drop the path to clarify the lifetime.
+                drop(path);
+
+                // Return the original error.
+                return Err(error);
+            }
+        };
 
         // Leak the data we need to pass to the UEFI stack.
         let data = Box::leak(data);
@@ -178,25 +201,53 @@ impl MediaLoaderHandle {
         let protocol = Box::leak(protocol);
 
         // Install a protocol interface for the load file protocol for the media loader protocol.
-        handle = unsafe {
+        let secondary_handle = unsafe {
             uefi::boot::install_protocol_interface(
-                Some(handle),
+                Some(primary_handle),
                 &LoadFile2Protocol::GUID,
-                protocol as *mut _ as *mut c_void,
+                // The UEFI API expects an opaque pointer here.
+                protocol as *mut MediaLoaderProtocol as *mut c_void,
             )
-        }
-        .context("unable to install media loader load file handle")?;
+        };
 
-        // Check if the media loader is registered.
-        // If it is not, we can't continue safely because something went wrong.
-        if !Self::already_registered(guid)? {
-            bail!("media loader not registered when expected to be registered");
+        // If installing the second protocol interface failed, we need to clean up after ourselves.
+        if secondary_handle.is_err() {
+            // Uninstall the protocol interface for the device path protocol.
+            // SAFETY: If we have reached this point, we know that the protocol is registered.
+            // If this fails, we have no choice but to leak memory. The error will be shown
+            // to the user, so at least they can see it. In most cases, catching this error
+            // will exit, so leaking is safe.
+            unsafe {
+                uefi::boot::uninstall_protocol_interface(
+                    primary_handle,
+                    &DevicePathProtocol::GUID,
+                    path.as_ffi_ptr() as *mut c_void,
+                )
+                .context(
+                    "unable to uninstall media loader device path handle, this will leak memory",
+                )?;
+            }
+
+            // SAFETY: We know that the protocol is leaked, so we can safely take a reference to it.
+            let protocol = unsafe { Box::from_raw(protocol) };
+            // SAFETY: We know that the data is leaked, so we can safely take a reference to it.
+            let data = unsafe { Box::from_raw(data) };
+            // SAFETY: We know that the path is leaked, so we can safely take a reference to it.
+            let path = unsafe { Box::from_raw(path) };
+
+            // Drop all the allocations explicitly to clarify the lifetime.
+            drop(protocol);
+            drop(data);
+            drop(path);
         }
 
+        // If installing the second protocol interface failed, this will return the error.
+        // We should have already cleaned up after ourselves, so this is safe.
+        secondary_handle.context("unable to install media loader load file handle")?;
+
         // Return a handle to the media loader.
         Ok(Self {
-            guid,
-            handle,
+            handle: primary_handle,
             protocol,
             path,
         })
@@ -205,13 +256,8 @@ impl MediaLoaderHandle {
     /// Unregisters a media loader from the UEFI stack.
     /// This will free the memory allocated by the passed data.
     pub fn unregister(self) -> Result<()> {
-        // Check if the media loader is registered.
-        // If it is not, we don't need to do anything.
-        if !Self::already_registered(self.guid)? {
-            return Ok(());
-        }
-
-        // SAFETY: We know that the media loader is registered, so we can safely uninstall it.
+        // SAFETY: We know that the media loader is registered if the handle is valid,
+        // so we can safely uninstall it.
         // We should have allocated the pointers involved, so we can safely free them.
         unsafe {
             // Uninstall the protocol interface for the device path protocol.
@@ -235,8 +281,7 @@ impl MediaLoaderHandle {
             let protocol = Box::from_raw(self.protocol);
 
             // Retrieve a box for the data we passed in.
-            let slice =
-                std::ptr::slice_from_raw_parts_mut(protocol.address as *mut u8, protocol.length);
+            let slice = ptr::slice_from_raw_parts_mut(protocol.address as *mut u8, protocol.length);
             let data = Box::from_raw(slice);
 
             // Drop all the allocations explicitly, as we don't want to leak them.

crates/eficore/src/partition.rs

@@ -0,0 +1,55 @@
+use anyhow::{Context, Result};
+use uefi::Guid;
+use uefi::proto::device_path::DevicePath;
+use uefi::proto::media::partition::PartitionInfo;
+use uefi_raw::Status;
+
+/// Represents the type of partition GUID that can be retrieved.
+#[derive(PartialEq, Eq)]
+pub enum PartitionGuidForm {
+    /// The partition GUID is the unique partition GUID.
+    Partition,
+    /// The partition GUID is the partition type GUID.
+    PartitionType,
+}
+
+/// Retrieve the partition / partition type GUID of the device root `path`.
+/// This only works on GPT partitions. If the root is not a GPT partition, None is returned.
+/// If the GUID is all zeros, this will return None.
+pub fn partition_guid(path: &DevicePath, form: PartitionGuidForm) -> Result<Option<Guid>> {
+    // Clone the path so we can pass it to the UEFI stack.
+    let path = path.to_boxed();
+    let result = uefi::boot::locate_device_path::<PartitionInfo>(&mut &*path);
+    let handle = match result {
+        Ok(handle) => Ok(Some(handle)),
+        Err(error) => {
+            // If the error is NOT_FOUND or UNSUPPORTED, we can return None.
+            // These are non-fatal errors.
+            if error.status() == Status::NOT_FOUND || error.status() == Status::UNSUPPORTED {
+                Ok(None)
+            } else {
+                Err(error)
+            }
+        }
+    }
+    .context("unable to locate device path")?;
+
+    // If we have the handle, we can try to open the partition info protocol.
+    if let Some(handle) = handle {
+        // Open the partition info protocol.
+        let partition_info = uefi::boot::open_protocol_exclusive::<PartitionInfo>(handle)
+            .context("unable to open partition info protocol")?;
+        // Find the unique partition GUID.
+        // If this is not a GPT partition, this will produce None.
+        Ok(partition_info
+            .gpt_partition_entry()
+            .map(|entry| match form {
+                // Match the form of the partition GUID.
+                PartitionGuidForm::Partition => entry.unique_partition_guid,
+                PartitionGuidForm::PartitionType => entry.partition_type_guid.0,
+            })
+            .filter(|guid| !guid.is_zero()))
+    } else {
+        Ok(None)
+    }
+}

crates/eficore/src/path.rs

@@ -1,81 +1,15 @@
+use alloc::borrow::ToOwned;
+use alloc::boxed::Box;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
 use anyhow::{Context, Result};
-use std::ops::Deref;
+use core::ops::Deref;
 use uefi::fs::{FileSystem, Path};
 use uefi::proto::device_path::text::{AllowShortcuts, DevicePathFromText, DisplayOnly};
 use uefi::proto::device_path::{DevicePath, PoolDevicePath};
 use uefi::proto::media::fs::SimpleFileSystem;
 use uefi::{CString16, Handle};
 
-/// Support code for the EFI framebuffer.
-pub mod framebuffer;
-
-/// Support code for the media loader protocol.
-pub mod media_loader;
-
-/// Parses the input [path] as a [DevicePath].
-/// Uses the [DevicePathFromText] protocol exclusively, and will fail if it cannot acquire the protocol.
-pub fn text_to_device_path(path: &str) -> Result<PoolDevicePath> {
-    let path = CString16::try_from(path).context("unable to convert path to CString16")?;
-    let device_path_from_text = uefi::boot::open_protocol_exclusive::<DevicePathFromText>(
-        uefi::boot::get_handle_for_protocol::<DevicePathFromText>()
-            .context("no device path from text protocol")?,
-    )
-    .context("unable to open device path from text protocol")?;
-
-    device_path_from_text
-        .convert_text_to_device_path(&path)
-        .context("unable to convert text to device path")
-}
-
-/// Grabs the root part of the [path].
-/// For example, given "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/\EFI\BOOT\BOOTX64.efi"
-/// it will give "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)"
-pub fn device_path_root(path: &DevicePath) -> Result<String> {
-    let mut path = path
-        .node_iter()
-        .filter_map(|item| {
-            let item = item.to_string(DisplayOnly(false), AllowShortcuts(false));
-            if item
-                .as_ref()
-                .map(|item| item.to_string().contains("("))
-                .unwrap_or(false)
-            {
-                Some(item.unwrap_or_default())
-            } else {
-                None
-            }
-        })
-        .map(|item| item.to_string())
-        .collect::<Vec<_>>()
-        .join("/");
-    path.push('/');
-    Ok(path)
-}
-
-/// Grabs the part of the [path] after the root.
-/// For example, given "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/\EFI\BOOT\BOOTX64.efi"
-/// it will give "\EFI\BOOT\BOOTX64.efi"
-pub fn device_path_subpath(path: &DevicePath) -> Result<String> {
-    let path = path
-        .node_iter()
-        .filter_map(|item| {
-            let item = item.to_string(DisplayOnly(false), AllowShortcuts(false));
-            if item
-                .as_ref()
-                .map(|item| item.to_string().contains("("))
-                .unwrap_or(false)
-            {
-                None
-            } else {
-                Some(item.unwrap_or_default())
-            }
-        })
-        .map(|item| item.to_string())
-        .collect::<Vec<_>>()
-        .join("\\");
-    Ok(path)
-}
-
 /// Represents the components of a resolved path.
 pub struct ResolvedPath {
     /// The root path of the resolved path. This is the device itself.
@@ -92,10 +26,94 @@ pub struct ResolvedPath {
     pub filesystem_handle: Handle,
 }
 
-/// Resolve a path specified by [input] to its various components.
-/// Uses [default_root_path] as the base root if one is not specified in the path.
+impl ResolvedPath {
+    /// Read the file specified by this path into a buffer and return it.
+    pub fn read_file(&self) -> Result<Vec<u8>> {
+        let fs = uefi::boot::open_protocol_exclusive::<SimpleFileSystem>(self.filesystem_handle)
+            .context("unable to open filesystem protocol")?;
+        let mut fs = FileSystem::new(fs);
+        let path = self
+            .sub_path
+            .to_string(DisplayOnly(false), AllowShortcuts(false))?;
+        let content = fs.read(Path::new(&path));
+        content.context("unable to read file contents")
+    }
+}
+
+/// Checks if a [CString16] contains a char `c`.
+/// We need to call to_string() because CString16 doesn't support `contains` with a char.
+fn cstring16_contains_char(string: &CString16, c: char) -> bool {
+    string.to_string().contains(c)
+}
+
+/// Parses the input `path` as a [DevicePath].
+/// Uses the [DevicePathFromText] protocol exclusively, and will fail if it cannot acquire the protocol.
+pub fn text_to_device_path(path: &str) -> Result<PoolDevicePath> {
+    let path = CString16::try_from(path).context("unable to convert path to CString16")?;
+    let device_path_from_text = uefi::boot::open_protocol_exclusive::<DevicePathFromText>(
+        uefi::boot::get_handle_for_protocol::<DevicePathFromText>()
+            .context("no device path from text protocol")?,
+    )
+    .context("unable to open device path from text protocol")?;
+
+    device_path_from_text
+        .convert_text_to_device_path(&path)
+        .context("unable to convert text to device path")
+}
+
+/// Grabs the root part of the `path`.
+/// For example, given "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/\EFI\BOOT\BOOTX64.efi"
+/// it will give "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)"
+pub fn device_path_root(path: &DevicePath) -> Result<String> {
+    let mut path = path
+        .node_iter()
+        .filter_map(|item| {
+            let item = item.to_string(DisplayOnly(false), AllowShortcuts(false));
+            if item
+                .as_ref()
+                .map(|item| cstring16_contains_char(item, '('))
+                .unwrap_or(false)
+            {
+                Some(item.unwrap_or_default())
+            } else {
+                None
+            }
+        })
+        .map(|item| item.to_string())
+        .collect::<Vec<_>>()
+        .join("/");
+    path.push('/');
+    Ok(path)
+}
+
+/// Grabs the part of the `path` after the root.
+/// For example, given "PciRoot(0x0)/Pci(0x4,0x0)/NVMe(0x1,00-00-00-00-00-00-00-00)/HD(1,MBR,0xBE1AFDFA,0x3F,0xFBFC1)/\EFI\BOOT\BOOTX64.efi"
+/// it will give "\EFI\BOOT\BOOTX64.efi"
+pub fn device_path_subpath(path: &DevicePath) -> Result<String> {
+    let path = path
+        .node_iter()
+        .filter_map(|item| {
+            let item = item.to_string(DisplayOnly(false), AllowShortcuts(false));
+            if item
+                .as_ref()
+                .map(|item| cstring16_contains_char(item, '('))
+                .unwrap_or(false)
+            {
+                None
+            } else {
+                Some(item.unwrap_or_default())
+            }
+        })
+        .map(|item| item.to_string())
+        .collect::<Vec<_>>()
+        .join("\\");
+    Ok(path)
+}
+
+/// Resolve a path specified by `input` to its various components.
+/// Uses `default_root_path` as the base root if one is not specified in the path.
 /// Returns [ResolvedPath] which contains the resolved components.
-pub fn resolve_path(default_root_path: &DevicePath, input: &str) -> Result<ResolvedPath> {
+pub fn resolve_path(default_root_path: Option<&DevicePath>, input: &str) -> Result<ResolvedPath> {
     let mut path = text_to_device_path(input).context("unable to convert text to path")?;
     let path_has_device = path
         .node_iter()
@@ -104,13 +122,16 @@ pub fn resolve_path(default_root_path: &DevicePath, input: &str) -> Result<Resol
             it.to_string(DisplayOnly(false), AllowShortcuts(false))
                 .unwrap_or_default()
         })
-        .map(|it| it.to_string().contains("("))
+        .map(|it| it.to_string().contains('('))
         .unwrap_or(false);
     if !path_has_device {
         let mut input = input.to_string();
-        if !input.starts_with("\\") {
+        if !input.starts_with('\\') {
             input.insert(0, '\\');
         }
+
+        let default_root_path = default_root_path.context("unable to get default root path")?;
+
         input.insert_str(
             0,
             device_path_root(default_root_path)
@@ -125,8 +146,11 @@ pub fn resolve_path(default_root_path: &DevicePath, input: &str) -> Result<Resol
     let root_path = text_to_device_path(root.as_str())
         .context("unable to convert root to path")?
         .to_boxed();
-    let mut root_path = root_path.as_ref();
-    let handle = uefi::boot::locate_device_path::<SimpleFileSystem>(&mut root_path)
+    let root_path = root_path.as_ref();
+
+    // locate_device_path modifies the path, so we need to clone it.
+    let root_path_modifiable = root_path.to_owned();
+    let handle = uefi::boot::locate_device_path::<SimpleFileSystem>(&mut &*root_path_modifiable)
         .context("unable to locate filesystem device path")?;
     let subpath = device_path_subpath(path.deref()).context("unable to get device subpath")?;
     Ok(ResolvedPath {
@@ -137,21 +161,14 @@ pub fn resolve_path(default_root_path: &DevicePath, input: &str) -> Result<Resol
     })
 }
 
-/// Read the contents of a file at the location specified with the [input] path.
+/// Read the contents of a file at the location specified with the `input` path.
 /// Internally, this uses [resolve_path] to resolve the path to its various components.
-/// [resolve_path] is passed the [default_root_path] which should specify a base root.
+/// [resolve_path] is passed the `default_root_path` which should specify a base root.
 ///
 /// This acquires exclusive protocol access to the [SimpleFileSystem] protocol of the resolved
 /// filesystem handle, so care must be taken to call this function outside a scope with
 /// the filesystem handle protocol acquired.
-pub fn read_file_contents(default_root_path: &DevicePath, input: &str) -> Result<Vec<u8>> {
+pub fn read_file_contents(default_root_path: Option<&DevicePath>, input: &str) -> Result<Vec<u8>> {
     let resolved = resolve_path(default_root_path, input)?;
-    let fs = uefi::boot::open_protocol_exclusive::<SimpleFileSystem>(resolved.filesystem_handle)
-        .context("unable to open filesystem protocol")?;
-    let mut fs = FileSystem::new(fs);
-    let path = resolved
-        .sub_path
-        .to_string(DisplayOnly(false), AllowShortcuts(false))?;
-    let content = fs.read(Path::new(&path));
-    content.context("unable to read file contents")
+    resolved.read_file()
 }

crates/eficore/src/platform.rs

@@ -0,0 +1,4 @@
+/// Timer support.
+pub mod timer;
+/// TPM support.
+pub mod tpm;

crates/eficore/src/platform/timer.rs

@@ -0,0 +1,94 @@
+// Referenced https://github.com/sheroz/tick_counter (MIT license) as a baseline.
+// Architecturally modified to support UEFI and remove x86 (32-bit) support.
+
+use core::time::Duration;
+
+/// Support for aarch64 timers.
+#[cfg(target_arch = "aarch64")]
+pub mod aarch64;
+
+/// Support for x86_64 timers.
+#[cfg(target_arch = "x86_64")]
+pub mod x86_64;
+
+/// The tick frequency of the platform.
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum TickFrequency {
+    /// The platform provides the tick frequency.
+    Hardware(u64),
+    /// The tick frequency is measured internally.
+    Measured(u64),
+}
+
+impl TickFrequency {
+    /// Acquire the tick frequency reported by the platform.
+    fn ticks(&self) -> u64 {
+        match self {
+            TickFrequency::Hardware(frequency) => *frequency,
+            TickFrequency::Measured(frequency) => *frequency,
+        }
+    }
+
+    /// Calculate the nanoseconds represented by a tick.
+    fn nanos(&self) -> f64 {
+        1.0e9_f64 / (self.ticks() as f64)
+    }
+
+    /// Produce a duration from the provided elapsed `ticks` value.
+    fn duration(&self, ticks: u64) -> Duration {
+        let accuracy = self.nanos();
+        let nanos = ticks as f64 * accuracy;
+        Duration::from_nanos(nanos as u64)
+    }
+}
+
+/// Acquire the tick value reported by the platform.
+fn arch_ticks() -> u64 {
+    #[cfg(target_arch = "aarch64")]
+    return aarch64::ticks();
+    #[cfg(target_arch = "x86_64")]
+    return x86_64::ticks();
+}
+
+/// Acquire the tick frequency reported by the platform.
+fn arch_frequency() -> TickFrequency {
+    #[cfg(target_arch = "aarch64")]
+    let frequency = aarch64::frequency();
+    #[cfg(target_arch = "x86_64")]
+    let frequency = x86_64::frequency();
+    // If the frequency is 0, then something went very wrong and we should panic.
+    if frequency.ticks() == 0 {
+        panic!("timer frequency is zero");
+    }
+    frequency
+}
+
+/// Platform timer that allows measurement of the elapsed time.
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub struct PlatformTimer {
+    /// The start tick value.
+    start: u64,
+    /// The tick frequency of the platform.
+    frequency: TickFrequency,
+}
+
+impl PlatformTimer {
+    /// Start a platform timer at the current instant.
+    pub fn start() -> Self {
+        Self {
+            start: arch_ticks(),
+            frequency: arch_frequency(),
+        }
+    }
+
+    /// Measure the elapsed duration since the hardware started ticking upwards.
+    pub fn elapsed_since_lifetime(&self) -> Duration {
+        self.frequency.duration(arch_ticks())
+    }
+
+    /// Measure the elapsed duration since the timer was started.
+    pub fn elapsed_since_start(&self) -> Duration {
+        let duration = arch_ticks().wrapping_sub(self.start);
+        self.frequency.duration(duration)
+    }
+}

crates/eficore/src/platform/timer/aarch64.rs

@@ -0,0 +1,23 @@
+use crate::platform::timer::TickFrequency;
+use core::arch::asm;
+
+/// Reads the cntvct_el0 counter and returns the value.
+pub fn ticks() -> u64 {
+    let counter: u64;
+    unsafe {
+        asm!("mrs x0, cntvct_el0", out("x0") counter);
+    }
+    counter
+}
+
+/// Our frequency is provided by cntfrq_el0 on the platform.
+pub fn frequency() -> TickFrequency {
+    let frequency: u64;
+    unsafe {
+        asm!(
+            "mrs x0, cntfrq_el0",
+            out("x0") frequency
+        );
+    }
+    TickFrequency::Hardware(frequency)
+}

crates/eficore/src/platform/timer/x86_64.rs

@@ -0,0 +1,29 @@
+use crate::platform::timer::TickFrequency;
+use core::time::Duration;
+
+/// We will measure the frequency of the timer based on 1000 microseconds.
+/// This will result in a call to BS->Stall(1000) in the end.
+const MEASURE_FREQUENCY_DURATION: Duration = Duration::from_micros(1000);
+
+/// Read the number of ticks from the platform timer.
+pub fn ticks() -> u64 {
+    // SAFETY: Reads the platform timer, which is safe in any context.
+    unsafe { core::arch::x86_64::_rdtsc() }
+}
+
+/// Measure the frequency of the platform timer.
+/// NOTE: Intentionally, we do not synchronize rdtsc during measurement to match systemd behavior.
+fn measure_frequency() -> u64 {
+    let start = ticks();
+    uefi::boot::stall(MEASURE_FREQUENCY_DURATION);
+    let stop = ticks();
+    let elapsed = stop.wrapping_sub(start) as f64;
+    (elapsed / MEASURE_FREQUENCY_DURATION.as_secs_f64()) as u64
+}
+
+/// Acquire the platform timer frequency.
+/// On x86_64, this is slightly expensive, so it should be done once.
+pub fn frequency() -> TickFrequency {
+    let frequency = measure_frequency();
+    TickFrequency::Measured(frequency)
+}

crates/eficore/src/platform/tpm.rs

@@ -0,0 +1,129 @@
+use anyhow::{Context, Result};
+use uefi::ResultExt;
+use uefi::boot::ScopedProtocol;
+use uefi::proto::tcg::PcrIndex;
+use uefi::proto::tcg::v2::{PcrEventInputs, Tcg};
+use uefi_raw::protocol::tcg::EventType;
+use uefi_raw::protocol::tcg::v2::{Tcg2HashLogExtendEventFlags, Tcg2Protocol, Tcg2Version};
+
+/// Represents the platform TPM.
+pub struct PlatformTpm;
+
+/// Represents an open TPM handle.
+pub struct TpmProtocolHandle {
+    /// The version of the TPM protocol.
+    version: Tcg2Version,
+    /// The protocol itself.
+    protocol: ScopedProtocol<Tcg>,
+}
+
+impl TpmProtocolHandle {
+    /// Construct a new [TpmProtocolHandle] from the `version` and `protocol`.
+    pub fn new(version: Tcg2Version, protocol: ScopedProtocol<Tcg>) -> Self {
+        Self { version, protocol }
+    }
+
+    /// Access the version provided by the tcg2 protocol.
+    pub fn version(&self) -> Tcg2Version {
+        self.version
+    }
+
+    /// Access the protocol interface for tcg2.
+    pub fn protocol(&mut self) -> &mut ScopedProtocol<Tcg> {
+        &mut self.protocol
+    }
+}
+
+impl PlatformTpm {
+    /// The PCR for measuring the bootloader configuration into.
+    pub const PCR_BOOT_LOADER_CONFIG: PcrIndex = PcrIndex(5);
+
+    /// Acquire access to the TPM protocol handle, if possible.
+    /// Returns None if TPM is not available.
+    fn protocol() -> Result<Option<TpmProtocolHandle>> {
+        // Attempt to acquire the TCG2 protocol handle. If it's not available, return None.
+        let Some(handle) = crate::handle::find_handle(&Tcg2Protocol::GUID)
+            .context("unable to determine tpm presence")?
+        else {
+            return Ok(None);
+        };
+
+        // If we reach here, we've already validated that the handle
+        // implements the TCG2 protocol.
+        let mut protocol = uefi::boot::open_protocol_exclusive::<Tcg>(handle)
+            .context("unable to open tcg2 protocol")?;
+
+        // Acquire the capabilities of the TPM.
+        let capability = protocol
+            .get_capability()
+            .context("unable to get tcg2 boot service capability")?;
+
+        // If the TPM is not present, return None.
+        if !capability.tpm_present() {
+            return Ok(None);
+        }
+
+        // If the TPM is present, we need to determine the version of the TPM.
+        let version = capability.protocol_version;
+
+        // We have a TPM, so return the protocol version and the protocol handle.
+        Ok(Some(TpmProtocolHandle::new(version, protocol)))
+    }
+
+    /// Determines whether the platform TPM is present.
+    pub fn present() -> Result<bool> {
+        Ok(PlatformTpm::protocol()?.is_some())
+    }
+
+    /// Determine the number of active PCR banks on the TPM.
+    /// If no TPM is available, this will return zero.
+    pub fn active_pcr_banks() -> Result<u32> {
+        // Acquire access to the TPM protocol handle.
+        let Some(mut handle) = PlatformTpm::protocol()? else {
+            return Ok(0);
+        };
+
+        // Check if the TPM supports `GetActivePcrBanks`, and if it doesn't return zero.
+        if (handle.version().major < 1)
+            || (handle.version().major == 1 && (handle.version().minor < 1))
+        {
+            return Ok(0);
+        }
+
+        // The safe wrapper for this function will decode the bitmap.
+        // Strictly speaking, it's not future-proof to re-encode that, but in practice it will work.
+        let banks = handle
+            .protocol()
+            .get_active_pcr_banks()
+            .context("unable to get active pcr banks")?;
+
+        // Return the number of active PCR banks.
+        Ok(banks.bits())
+    }
+
+    /// Log an event into the TPM pcr `pcr_index` with `buffer` as data. The `description`
+    /// is used to describe what the event is.
+    ///
+    /// If a TPM is not available, this will do nothing.
+    pub fn log_event(pcr_index: PcrIndex, buffer: &[u8], description: &str) -> Result<()> {
+        // Acquire access to the TPM protocol handle.
+        let Some(mut handle) = PlatformTpm::protocol()? else {
+            return Ok(());
+        };
+
+        // Encode the description as UTF-8.
+        let description = description.as_bytes().to_vec();
+
+        // Construct an event input for the TPM.
+        let event = PcrEventInputs::new_in_box(pcr_index, EventType::IPL, &description)
+            .discard_errdata()
+            .context("unable to construct pcr event inputs")?;
+
+        // Log the event into the TPM.
+        handle
+            .protocol()
+            .hash_log_extend_event(Tcg2HashLogExtendEventFlags::empty(), buffer, &event)
+            .context("unable to log event to tpm")?;
+        Ok(())
+    }
+}

crates/eficore/src/secure.rs

@@ -0,0 +1,14 @@
+use crate::variables::VariableController;
+use anyhow::Result;
+
+/// Secure boot services.
+pub struct SecureBoot;
+
+impl SecureBoot {
+    /// Checks if Secure Boot is enabled on the system.
+    /// This might fail if retrieving the variable fails in an irrecoverable way.
+    pub fn enabled() -> Result<bool> {
+        // The SecureBoot variable will tell us whether Secure Boot is enabled at all.
+        VariableController::GLOBAL.get_bool("SecureBoot")
+    }
+}

crates/eficore/src/setup.rs

@@ -0,0 +1,14 @@
+use crate::logger;
+use anyhow::{Context, Result};
+
+/// Initializes the UEFI environment.
+pub fn init() -> Result<()> {
+    // Initialize the logger for Sprout.
+    // NOTE: This cannot use a result type as errors need to be printed
+    // using the logger, which is not initialized until this returns.
+    logger::init();
+
+    // Initialize further UEFI internals.
+    uefi::helpers::init().context("unable to initialize uefi environment")?;
+    Ok(())
+}

crates/eficore/src/shim.rs

@@ -0,0 +1,247 @@
+use crate::path::ResolvedPath;
+use crate::variables::{VariableClass, VariableController};
+use alloc::boxed::Box;
+use alloc::string::ToString;
+use alloc::vec::Vec;
+use anyhow::{Context, Result, anyhow, bail};
+use core::ffi::c_void;
+use core::pin::Pin;
+use uefi::proto::device_path::text::{AllowShortcuts, DisplayOnly};
+use uefi::proto::device_path::{DevicePath, FfiDevicePath};
+use uefi::proto::unsafe_protocol;
+use uefi_raw::table::runtime::VariableVendor;
+use uefi_raw::{Guid, Status, guid};
+
+/// Security hook support.
+pub mod hook;
+
+/// Support for the shim loader application for Secure Boot.
+pub struct ShimSupport;
+
+/// Input to the shim mechanisms.
+pub enum ShimInput<'a> {
+    /// Data loaded into a buffer and ready to be verified, owned.
+    OwnedDataBuffer(Option<&'a ResolvedPath>, Pin<Box<[u8]>>),
+    /// Data loaded into a buffer and ready to be verified.
+    DataBuffer(Option<&'a ResolvedPath>, &'a [u8]),
+    /// Low-level data buffer provided by the security hook.
+    SecurityHookBuffer(Option<*const FfiDevicePath>, &'a [u8]),
+    /// Low-level owned data buffer provided by the security hook.
+    SecurityHookOwnedBuffer(Option<*const FfiDevicePath>, Pin<Box<[u8]>>),
+    /// Low-level path provided by the security hook.
+    SecurityHookPath(*const FfiDevicePath),
+    /// Data is provided as a resolved path. We will need to load the data to verify it.
+    /// The output will them return the loaded data.
+    ResolvedPath(&'a ResolvedPath),
+}
+
+impl<'a> ShimInput<'a> {
+    /// Accesses the buffer behind the shim input, if available.
+    pub fn buffer(&self) -> Option<&[u8]> {
+        match self {
+            ShimInput::OwnedDataBuffer(_, data) => Some(data),
+            ShimInput::SecurityHookOwnedBuffer(_, data) => Some(data),
+            ShimInput::SecurityHookBuffer(_, data) => Some(data),
+            ShimInput::SecurityHookPath(_) => None,
+            ShimInput::DataBuffer(_, data) => Some(data),
+            ShimInput::ResolvedPath(_) => None,
+        }
+    }
+
+    /// Accesses the full device path to the input.
+    pub fn file_path(&self) -> Option<&DevicePath> {
+        match self {
+            ShimInput::OwnedDataBuffer(path, _) => path.as_ref().map(|it| it.full_path.as_ref()),
+            ShimInput::DataBuffer(path, _) => path.as_ref().map(|it| it.full_path.as_ref()),
+            ShimInput::SecurityHookBuffer(path, _) => {
+                path.map(|it| unsafe { DevicePath::from_ffi_ptr(it) })
+            }
+            ShimInput::SecurityHookPath(path) => unsafe { Some(DevicePath::from_ffi_ptr(*path)) },
+            ShimInput::ResolvedPath(path) => Some(path.full_path.as_ref()),
+            ShimInput::SecurityHookOwnedBuffer(path, _) => {
+                path.map(|it| unsafe { DevicePath::from_ffi_ptr(it) })
+            }
+        }
+    }
+
+    /// Converts this input into an owned data buffer, where the data is loaded.
+    /// For ResolvedPath, this will read the file.
+    pub fn into_owned_data_buffer(self) -> Result<ShimInput<'a>> {
+        match self {
+            ShimInput::OwnedDataBuffer(root, data) => Ok(ShimInput::OwnedDataBuffer(root, data)),
+
+            ShimInput::DataBuffer(root, data) => Ok(ShimInput::OwnedDataBuffer(
+                root,
+                Box::into_pin(data.to_vec().into_boxed_slice()),
+            )),
+
+            ShimInput::SecurityHookPath(ffi_path) => {
+                // Acquire the file path.
+                let Some(path) = self.file_path() else {
+                    bail!("unable to convert security hook path to device path");
+                };
+                // Convert the underlying path to a string.
+                let path = path
+                    .to_string(DisplayOnly(false), AllowShortcuts(false))
+                    .context("unable to convert device path to string")?;
+                let path = crate::path::resolve_path(None, &path.to_string())
+                    .context("unable to resolve path")?;
+                // Read the file path.
+                let data = path.read_file()?;
+                Ok(ShimInput::SecurityHookOwnedBuffer(
+                    Some(ffi_path),
+                    Box::into_pin(data.to_vec().into_boxed_slice()),
+                ))
+            }
+
+            ShimInput::SecurityHookBuffer(_, _) => {
+                bail!("unable to convert security hook buffer to owned data buffer")
+            }
+
+            ShimInput::ResolvedPath(path) => {
+                // Read the file path.
+                let data = path.read_file()?;
+                Ok(ShimInput::OwnedDataBuffer(
+                    Some(path),
+                    Box::into_pin(data.to_vec().into_boxed_slice()),
+                ))
+            }
+
+            ShimInput::SecurityHookOwnedBuffer(path, data) => {
+                Ok(ShimInput::SecurityHookOwnedBuffer(path, data))
+            }
+        }
+    }
+}
+
+/// Output of the shim verification function.
+/// Since the shim needs to load the data from disk, we will optimize by using that as the data
+/// to actually boot.
+pub enum ShimVerificationOutput {
+    /// The verification failed.
+    VerificationFailed(Status),
+    /// The data provided to the verifier was already a buffer.
+    VerifiedDataNotLoaded,
+    /// Verifying the data resulted in loading the data from the source.
+    /// This contains the data that was loaded, so it won't need to be loaded again.
+    VerifiedDataBuffer(Vec<u8>),
+}
+
+/// The shim lock protocol as defined by the shim loader application.
+#[unsafe_protocol(ShimSupport::SHIM_LOCK_GUID)]
+struct ShimLockProtocol {
+    /// Verify the data in `buffer` with the size `buffer_size` to determine if it is valid.
+    /// NOTE: On x86_64, this function uses SYSV calling conventions. On aarch64 it uses the
+    /// efiapi calling convention. This is truly wild, but you can verify it yourself by
+    /// looking at: https://github.com/rhboot/shim/blob/15.8/shim.h#L207-L212
+    /// There is no calling convention declared like there should be.
+    #[cfg(target_arch = "x86_64")]
+    pub shim_verify: unsafe extern "sysv64" fn(buffer: *const c_void, buffer_size: u32) -> Status,
+    #[cfg(target_arch = "aarch64")]
+    pub shim_verify: unsafe extern "efiapi" fn(buffer: *const c_void, buffer_size: u32) -> Status,
+    /// Unused function that is defined by the shim.
+    _generate_header: *mut c_void,
+    /// Unused function that is defined by the shim.
+    _read_header: *mut c_void,
+}
+
+impl ShimSupport {
+    /// Variable controller for the shim lock.
+    const SHIM_LOCK_VARIABLES: VariableController =
+        VariableController::new(VariableVendor(Self::SHIM_LOCK_GUID));
+
+    /// GUID for the shim lock protocol.
+    const SHIM_LOCK_GUID: Guid = guid!("605dab50-e046-4300-abb6-3dd810dd8b23");
+    /// GUID for the shim image loader protocol.
+    const SHIM_IMAGE_LOADER_GUID: Guid = guid!("1f492041-fadb-4e59-9e57-7cafe73a55ab");
+
+    /// Determines whether the shim is loaded.
+    pub fn loaded() -> Result<bool> {
+        Ok(crate::handle::find_handle(&Self::SHIM_LOCK_GUID)
+            .context("unable to find shim lock protocol")?
+            .is_some())
+    }
+
+    /// Determines whether the shim loader is available.
+    pub fn loader_available() -> Result<bool> {
+        Ok(crate::handle::find_handle(&Self::SHIM_IMAGE_LOADER_GUID)
+            .context("unable to find shim image loader protocol")?
+            .is_some())
+    }
+
+    /// Use the shim to validate the `input`, returning [ShimVerificationOutput] when complete.
+    pub fn verify(input: ShimInput) -> Result<ShimVerificationOutput> {
+        // Acquire the handle to the shim lock protocol.
+        let handle = crate::handle::find_handle(&Self::SHIM_LOCK_GUID)
+            .context("unable to find shim lock protocol")?
+            .ok_or_else(|| anyhow!("unable to find shim lock protocol"))?;
+        // Acquire the protocol exclusively to the shim lock.
+        let protocol = uefi::boot::open_protocol_exclusive::<ShimLockProtocol>(handle)
+            .context("unable to open shim lock protocol")?;
+
+        // If the input type is a device path, we need to load the data.
+        let maybe_loaded_data = match input {
+            ShimInput::OwnedDataBuffer(_, _data) => {
+                bail!("owned data buffer is not supported in the verification function");
+            }
+            ShimInput::SecurityHookBuffer(_, _) => None,
+            ShimInput::SecurityHookOwnedBuffer(_, _) => None,
+            ShimInput::DataBuffer(_, _) => None,
+            ShimInput::ResolvedPath(path) => Some(path.read_file()?),
+            ShimInput::SecurityHookPath(_) => None,
+        };
+
+        // Convert the input to a buffer.
+        // If the input provides the data buffer, we will use that.
+        // Otherwise, we will use the data loaded by this function.
+        let buffer = match &input {
+            ShimInput::OwnedDataBuffer(_root, data) => data,
+            ShimInput::DataBuffer(_root, data) => *data,
+            ShimInput::ResolvedPath(_path) => maybe_loaded_data
+                .as_deref()
+                .context("expected data buffer to be loaded already")?,
+            ShimInput::SecurityHookBuffer(_, data) => data,
+            ShimInput::SecurityHookOwnedBuffer(_, data) => data,
+            ShimInput::SecurityHookPath(_) => {
+                bail!("security hook path input not supported in the verification function")
+            }
+        };
+
+        // Check if the buffer is too large to verify.
+        if buffer.len() > u32::MAX as usize {
+            bail!("buffer is too large to verify with shim lock protocol");
+        }
+
+        // Call the shim verify function.
+        // SAFETY: The shim verify function is specified by the shim lock protocol.
+        // Calling this function is considered safe because the shim verify function is
+        // guaranteed to be defined by the environment if we are able to acquire the protocol.
+        let status = unsafe {
+            (protocol.shim_verify)(buffer.as_ptr() as *const c_void, buffer.len() as u32)
+        };
+
+        // If the verification failed, return the verification failure output.
+        if !status.is_success() {
+            return Ok(ShimVerificationOutput::VerificationFailed(status));
+        }
+
+        // If verification succeeded, return the validation output,
+        // which might include the loaded data.
+        Ok(maybe_loaded_data
+            .map(ShimVerificationOutput::VerifiedDataBuffer)
+            .unwrap_or(ShimVerificationOutput::VerifiedDataNotLoaded))
+    }
+
+    /// Set the ShimRetainProtocol variable to indicate that shim should retain the protocols
+    /// for the full lifetime of boot services.
+    pub fn retain() -> Result<()> {
+        Self::SHIM_LOCK_VARIABLES
+            .set_bool(
+                "ShimRetainProtocol",
+                true,
+                VariableClass::BootAndRuntimeTemporary,
+            )
+            .context("unable to retain shim protocol")?;
+        Ok(())
+    }
+}

crates/eficore/src/shim/hook.rs

@@ -0,0 +1,266 @@
+use crate::shim::{ShimInput, ShimSupport, ShimVerificationOutput};
+use anyhow::{Context, Result};
+use core::slice;
+use log::warn;
+use spin::{Lazy, Mutex};
+use uefi::proto::device_path::FfiDevicePath;
+use uefi::proto::unsafe_protocol;
+use uefi::{Guid, guid};
+use uefi_raw::Status;
+
+/// GUID for the EFI_SECURITY_ARCH protocol.
+const SECURITY_ARCH_GUID: Guid = guid!("a46423e3-4617-49f1-b9ff-d1bfa9115839");
+/// GUID for the EFI_SECURITY_ARCH2 protocol.
+const SECURITY_ARCH2_GUID: Guid = guid!("94ab2f58-1438-4ef1-9152-18941a3a0e68");
+
+/// EFI_SECURITY_ARCH protocol definition.
+#[unsafe_protocol(SECURITY_ARCH_GUID)]
+pub struct SecurityArchProtocol {
+    /// Determines the file authentication state.
+    pub file_authentication_state: unsafe extern "efiapi" fn(
+        this: *const SecurityArchProtocol,
+        status: u32,
+        path: *const FfiDevicePath,
+    ) -> Status,
+}
+
+/// EFI_SECURITY_ARCH2 protocol definition.
+#[unsafe_protocol(SECURITY_ARCH2_GUID)]
+pub struct SecurityArch2Protocol {
+    /// Determines the file authentication.
+    pub file_authentication: unsafe extern "efiapi" fn(
+        this: *const SecurityArch2Protocol,
+        path: *const FfiDevicePath,
+        file_buffer: *const u8,
+        file_size: usize,
+        boot_policy: bool,
+    ) -> Status,
+}
+
+/// Global state for the security hook.
+struct SecurityHookState {
+    original_hook: SecurityArchProtocol,
+    original_hook2: SecurityArch2Protocol,
+}
+
+/// Global state for the security hook.
+/// This is messy, but it is safe given the mutex.
+static GLOBAL_HOOK_STATE: Lazy<Mutex<Option<SecurityHookState>>> = Lazy::new(|| Mutex::new(None));
+
+/// Security hook helper.
+pub struct SecurityHook;
+
+impl SecurityHook {
+    /// Shared verifier logic for both hook types.
+    #[must_use]
+    fn verify(input: ShimInput) -> bool {
+        // Verify the input and convert the result to a status.
+        let status = match ShimSupport::verify(input) {
+            Ok(output) => match output {
+                // If the verification failed, return the access-denied status.
+                ShimVerificationOutput::VerificationFailed(status) => status,
+                // If the verification succeeded, return the success status.
+                ShimVerificationOutput::VerifiedDataNotLoaded => Status::SUCCESS,
+                ShimVerificationOutput::VerifiedDataBuffer(_) => Status::SUCCESS,
+            },
+
+            // If an error occurs, log the error since we can't return a better error.
+            // Then return the access-denied status.
+            Err(error) => {
+                warn!("unable to verify image: {}", error);
+                Status::ACCESS_DENIED
+            }
+        };
+
+        // If the status is not a success, log the status.
+        if !status.is_success() {
+            warn!("shim verification failed: {}", status);
+        }
+        // Return whether the status is a success.
+        // If it's not a success, the original hook should be called.
+        status.is_success()
+    }
+
+    /// File authentication state verifier for the EFI_SECURITY_ARCH protocol.
+    /// Takes the `path` and determines the verification.
+    unsafe extern "efiapi" fn arch_file_authentication_state(
+        this: *const SecurityArchProtocol,
+        status: u32,
+        path: *const FfiDevicePath,
+    ) -> Status {
+        // Verify the path is not null.
+        if path.is_null() {
+            return Status::INVALID_PARAMETER;
+        }
+
+        // Construct a shim input from the path.
+        let input = ShimInput::SecurityHookPath(path);
+
+        // Convert the input to an owned data buffer.
+        let input = match input.into_owned_data_buffer() {
+            Ok(input) => input,
+            // If an error occurs, log the error and return the not found status.
+            Err(error) => {
+                warn!("unable to read data to be authenticated: {}", error);
+                return Status::NOT_FOUND;
+            }
+        };
+
+        // Verify the input, if it fails, call the original hook.
+        if !Self::verify(input) {
+            // Acquire the global hook state to grab the original hook.
+            let function = match GLOBAL_HOOK_STATE.lock().as_ref() {
+                // The hook state is available, so we can acquire the original hook.
+                Some(state) => state.original_hook.file_authentication_state,
+
+                // The hook state is not available, so we can't call the original hook.
+                None => {
+                    warn!("global hook state is not available, unable to call original hook");
+                    return Status::LOAD_ERROR;
+                }
+            };
+
+            // Call the original hook function to see what it reports.
+            // SAFETY: This function is safe to call as it is stored by us and is required
+            // in the UEFI specification.
+            unsafe { function(this, status, path) }
+        } else {
+            Status::SUCCESS
+        }
+    }
+
+    /// File authentication verifier for the EFI_SECURITY_ARCH2 protocol.
+    /// Takes the `path` and a file buffer to determine the verification.
+    unsafe extern "efiapi" fn arch2_file_authentication(
+        this: *const SecurityArch2Protocol,
+        path: *const FfiDevicePath,
+        file_buffer: *const u8,
+        file_size: usize,
+        boot_policy: bool,
+    ) -> Status {
+        // Verify the path and file buffer are not null.
+        if path.is_null() || file_buffer.is_null() {
+            return Status::INVALID_PARAMETER;
+        }
+
+        // If the boot policy is true, we can't continue as we don't support that.
+        if boot_policy {
+            return Status::INVALID_PARAMETER;
+        }
+
+        // Construct a slice out of the file buffer and size.
+        let buffer = unsafe { slice::from_raw_parts(file_buffer, file_size) };
+
+        // Construct a shim input from the path.
+        let input = ShimInput::SecurityHookBuffer(Some(path), buffer);
+
+        // Verify the input, if it fails, call the original hook.
+        if !Self::verify(input) {
+            // Acquire the global hook state to grab the original hook.
+            let function = match GLOBAL_HOOK_STATE.lock().as_ref() {
+                // The hook state is available, so we can acquire the original hook.
+                Some(state) => state.original_hook2.file_authentication,
+
+                // The hook state is not available, so we can't call the original hook.
+                None => {
+                    warn!("global hook state is not available, unable to call original hook");
+                    return Status::LOAD_ERROR;
+                }
+            };
+
+            // Call the original hook function to see what it reports.
+            // SAFETY: This function is safe to call as it is stored by us and is required
+            // in the UEFI specification.
+            unsafe { function(this, path, file_buffer, file_size, boot_policy) }
+        } else {
+            Status::SUCCESS
+        }
+    }
+
+    /// Install the security hook if needed.
+    pub fn install() -> Result<bool> {
+        // Find the security arch protocol. If we can't find it, we will return false.
+        let Some(hook_arch) = crate::handle::find_handle(&SECURITY_ARCH_GUID)
+            .context("unable to check security arch existence")?
+        else {
+            return Ok(false);
+        };
+
+        // Find the security arch2 protocol. If we can't find it, we will return false.
+        let Some(hook_arch2) = crate::handle::find_handle(&SECURITY_ARCH2_GUID)
+            .context("unable to check security arch2 existence")?
+        else {
+            return Ok(false);
+        };
+
+        // Open the security arch protocol.
+        let mut arch_protocol =
+            uefi::boot::open_protocol_exclusive::<SecurityArchProtocol>(hook_arch)
+                .context("unable to open security arch protocol")?;
+
+        // Open the security arch2 protocol.
+        let mut arch_protocol2 =
+            uefi::boot::open_protocol_exclusive::<SecurityArch2Protocol>(hook_arch2)
+                .context("unable to open security arch2 protocol")?;
+
+        // Construct the global state to store.
+        let state = SecurityHookState {
+            original_hook: SecurityArchProtocol {
+                file_authentication_state: arch_protocol.file_authentication_state,
+            },
+            original_hook2: SecurityArch2Protocol {
+                file_authentication: arch_protocol2.file_authentication,
+            },
+        };
+
+        // Acquire the lock to the global state and replace it.
+        let mut global_state = GLOBAL_HOOK_STATE.lock();
+        global_state.replace(state);
+
+        // Install the hooks into the UEFI stack.
+        arch_protocol.file_authentication_state = Self::arch_file_authentication_state;
+        arch_protocol2.file_authentication = Self::arch2_file_authentication;
+
+        Ok(true)
+    }
+
+    /// Uninstalls the global security hook, if installed.
+    pub fn uninstall() -> Result<()> {
+        // Find the security arch protocol. If we can't find it, we will do nothing.
+        let Some(hook_arch) = crate::handle::find_handle(&SECURITY_ARCH_GUID)
+            .context("unable to check security arch existence")?
+        else {
+            return Ok(());
+        };
+
+        // Find the security arch2 protocol. If we can't find it, we will do nothing.
+        let Some(hook_arch2) = crate::handle::find_handle(&SECURITY_ARCH2_GUID)
+            .context("unable to check security arch2 existence")?
+        else {
+            return Ok(());
+        };
+
+        // Open the security arch protocol.
+        let mut arch_protocol =
+            uefi::boot::open_protocol_exclusive::<SecurityArchProtocol>(hook_arch)
+                .context("unable to open security arch protocol")?;
+
+        // Open the security arch2 protocol.
+        let mut arch_protocol2 =
+            uefi::boot::open_protocol_exclusive::<SecurityArch2Protocol>(hook_arch2)
+                .context("unable to open security arch2 protocol")?;
+
+        // Acquire the lock to the global state.
+        let mut global_state = GLOBAL_HOOK_STATE.lock();
+
+        // Take the state and replace the original functions.
+        let Some(state) = global_state.take() else {
+            return Ok(());
+        };
+
+        // Reinstall the original functions.
+        arch_protocol.file_authentication_state = state.original_hook.file_authentication_state;
+        arch_protocol2.file_authentication = state.original_hook2.file_authentication;
+        Ok(())
+    }
+}

crates/eficore/src/strings.rs

@@ -0,0 +1,22 @@
+use alloc::vec::Vec;
+use anyhow::{Context, Result, bail};
+use uefi::CString16;
+
+/// Convert a byte slice into a CString16.
+pub fn utf16_bytes_to_cstring16(bytes: &[u8]) -> Result<CString16> {
+    // Validate the input bytes are the right length.
+    if !bytes.len().is_multiple_of(2) {
+        bail!("utf16 bytes must be a multiple of 2");
+    }
+
+    // Convert the bytes to UTF-16 data.
+    let data = bytes
+        // Chunk everything into two bytes.
+        .chunks_exact(2)
+        // Reinterpret the bytes as u16 little-endian.
+        .map(|chunk| u16::from_le_bytes([chunk[0], chunk[1]]))
+        // Collect the result into a vector.
+        .collect::<Vec<_>>();
+
+    CString16::try_from(data).context("unable to convert utf16 bytes to CString16")
+}

crates/eficore/src/variables.rs

@@ -0,0 +1,157 @@
+use crate::strings;
+use alloc::format;
+use alloc::string::{String, ToString};
+use alloc::vec::Vec;
+use anyhow::{Context, Result};
+use log::warn;
+use uefi::{CString16, guid};
+use uefi_raw::Status;
+use uefi_raw::table::runtime::{VariableAttributes, VariableVendor};
+
+/// The classification of a variable.
+/// This is an abstraction over various variable attributes.
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+pub enum VariableClass {
+    /// The variable is available in Boot Services and Runtime Services and is not persistent.
+    BootAndRuntimeTemporary,
+}
+
+impl VariableClass {
+    /// The [VariableAttributes] for this classification.
+    fn attributes(&self) -> VariableAttributes {
+        match self {
+            VariableClass::BootAndRuntimeTemporary => {
+                VariableAttributes::BOOTSERVICE_ACCESS | VariableAttributes::RUNTIME_ACCESS
+            }
+        }
+    }
+}
+
+/// Provides access to a particular set of vendor variables.
+pub struct VariableController {
+    /// The GUID of the vendor.
+    vendor: VariableVendor,
+}
+
+impl VariableController {
+    /// Global variables.
+    pub const GLOBAL: VariableController = VariableController::new(VariableVendor(guid!(
+        "8be4df61-93ca-11d2-aa0d-00e098032b8c"
+    )));
+
+    /// Create a new [VariableController] for the `vendor`.
+    pub const fn new(vendor: VariableVendor) -> Self {
+        Self { vendor }
+    }
+
+    /// Convert `key` to a variable name as a CString16.
+    fn name(key: &str) -> Result<CString16> {
+        CString16::try_from(key).context("unable to convert variable name to CString16")
+    }
+
+    /// Retrieve the cstr16 value specified by the `key`.
+    /// Returns None if the value isn't set.
+    /// If the value is not decodable, we will return None and log a warning.
+    pub fn get_cstr16(&self, key: &str) -> Result<Option<String>> {
+        let name = Self::name(key)?;
+
+        // Retrieve the variable data, handling variable not existing as None.
+        match uefi::runtime::get_variable_boxed(&name, &self.vendor) {
+            Ok((data, _)) => {
+                // Try to decode UTF-16 bytes to a CString16.
+                match strings::utf16_bytes_to_cstring16(&data) {
+                    Ok(value) => {
+                        // We have a value, so return the UTF-8 value.
+                        Ok(Some(value.to_string()))
+                    }
+
+                    Err(error) => {
+                        // We encountered an error, so warn and return None.
+                        warn!("efi variable '{}' is not valid UTF-16: {}", key, error);
+                        Ok(None)
+                    }
+                }
+            }
+
+            Err(error) => {
+                // If the variable does not exist, we will return None.
+                if error.status() == Status::NOT_FOUND {
+                    Ok(None)
+                } else {
+                    Err(error).with_context(|| format!("unable to get efi variable {}", key))
+                }
+            }
+        }
+    }
+
+    /// Retrieve a boolean value specified by the `key`.
+    pub fn get_bool(&self, key: &str) -> Result<bool> {
+        let name = Self::name(key)?;
+
+        // Retrieve the variable data, handling variable not existing as false.
+        match uefi::runtime::get_variable_boxed(&name, &self.vendor) {
+            Ok((data, _)) => {
+                // If the variable is zero-length, we treat it as false.
+                if data.is_empty() {
+                    Ok(false)
+                } else {
+                    // We treat the variable as true if the first byte is non-zero.
+                    Ok(data[0] > 0)
+                }
+            }
+
+            Err(error) => {
+                // If the variable does not exist, we treat it as false.
+                if error.status() == Status::NOT_FOUND {
+                    Ok(false)
+                } else {
+                    Err(error).with_context(|| format!("unable to get efi variable {}", key))
+                }
+            }
+        }
+    }
+
+    /// Set a variable specified by `key` to `value`.
+    /// The variable `class` controls the attributes for the variable.
+    pub fn set(&self, key: &str, value: &[u8], class: VariableClass) -> Result<()> {
+        let name = Self::name(key)?;
+        uefi::runtime::set_variable(&name, &self.vendor, class.attributes(), value)
+            .with_context(|| format!("unable to set efi variable {}", key))?;
+        Ok(())
+    }
+
+    /// Set a variable specified by `key` to `value`, converting the value to
+    /// a [CString16]. The variable `class` controls the attributes for the variable.
+    pub fn set_cstr16(&self, key: &str, value: &str, class: VariableClass) -> Result<()> {
+        // Encode the value as a CString16 little endian.
+        let mut encoded = value
+            .encode_utf16()
+            .flat_map(|c| c.to_le_bytes())
+            .collect::<Vec<u8>>();
+        // Add a null terminator to the end of the value.
+        encoded.extend_from_slice(&[0, 0]);
+        self.set(key, &encoded, class)
+    }
+
+    /// Set a boolean variable specified by `key` to `value`, converting the value.
+    /// The variable `class` controls the attributes for the variable.
+    pub fn set_bool(&self, key: &str, value: bool, class: VariableClass) -> Result<()> {
+        self.set(key, &[value as u8], class)
+    }
+
+    /// Set the u64 little-endian variable specified by `key` to `value`.
+    /// The variable `class` controls the attributes for the variable.
+    pub fn set_u64le(&self, key: &str, value: u64, class: VariableClass) -> Result<()> {
+        self.set(key, &value.to_le_bytes(), class)
+    }
+
+    /// Remove the variable specified by `key`.
+    /// This can fail if the variable is not set.
+    pub fn remove(&self, key: &str) -> Result<()> {
+        let name = Self::name(key)?;
+
+        // Delete the variable from UEFI.
+        uefi::runtime::delete_variable(&name, &self.vendor)
+            .with_context(|| format!("unable to remove efi variable {}", key))
+    }
+}

docs/setup/signed/debian.md

@@ -0,0 +1,146 @@
+# Setup Sprout for Debian with Secure Boot
+
+## Prerequisites
+
+- Modern Debian release: tested on Debian 13 ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `shim-signed`, `mokutil`, `sbsigntool`
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/sprout/shimx64.efi
+$ cp /usr/lib/shim/mmx64.efi.signed /boot/efi/EFI/sprout/mmx64.efi
+$ cp /usr/lib/shim/fbx64.efi.signed /boot/efi/EFI/sprout/fbx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimaa64.efi.signed /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /usr/lib/shim/mmaa64.efi.signed /boot/efi/EFI/sprout/mmaa64.efi
+$ cp /usr/lib/shim/fbaa64.efi.signed /boot/efi/EFI/sprout/fbaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Debian systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It should work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting installed kernels
+# generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/fedora.md

@@ -0,0 +1,172 @@
+# Setup Sprout for Fedora with Secure Boot
+
+## Prerequisites
+
+- Modern Fedora release: tested on Fedora 43 x86_64.
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `mokutil`, `sbsigntools`, `efibootmgr`
+
+**NOTE**: Fedora on ARM64 itself does not support Secure Boot consistently.
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /boot/efi/EFI/fedora/shimx64.efi /boot/efi/EFI/sprout/shimx64.efi
+$ cp /boot/efi/EFI/fedora/mmx64.efi /boot/efi/EFI/sprout/mmx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /boot/efi/EFI/fedora/shimaa64.efi /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /boot/efi/EFI/fedora/mmaa64.efi /boot/efi/EFI/sprout/mmaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+
+### ext4
+
+Most Fedora systems use an ext4 filesystem for `/boot`, if that is the case, use the ext4 instructions here:
+
+Install the necessary `edk2-ext4` package:
+
+```bash
+# Install the ext4 driver from the package manager.
+$ dnf install edk2-ext4
+```
+
+Copy the ext4 driver to `/boot/efi/EFI/sprout/ext4.unsigned.efi`:
+
+```bash
+# For x86_64, copy the ext4x64.efi driver to the Sprout EFI directory.
+$ cp /usr/share/edk2/drivers/ext4x64.efi /boot/efi/EFI/sprout/ext4.unsigned.efi
+
+# For aarch64, copy the ext4aa64.efi driver to the Sprout EFI directory.
+$ cp /usr/share/edk2/drivers/ext4aa64.efi /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+### Other Filesystems
+
+If you need another driver, you can download EFI filesystem drivers from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+Copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing, then sign it like this:
+
+```bash
+# Sign your driver, placing it at DRIVER_NAME.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/DRIVER_NAME.efi \
+    /boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi
+```
+
+You will add the driver in your Sprout configuration below, like this:
+
+```toml
+[drivers.DRIVER_NAME]
+path = "\\EFI\\sprout\\DRIVER_NAME.efi"
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled
+# filesystems and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/opensuse.md

@@ -0,0 +1,141 @@
+# Setup Sprout for openSUSE with Secure Boot
+
+**NOTE:** This guide may not function as written if the system validates hashes.
+If your system validates hashes in the shim, you will need to use MokManager to enroll the hashes
+of every EFI file involved, such as Sprout and any EFI drivers.
+
+## Prerequisites
+
+- Modern openSUSE release: tested on openSUSE Tumbleweed ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+- You will need the following packages installed: `openssl`, `shim`, `mokutil`, `sbsigntools`
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/share/efi/x86_64/shim.efi /boot/efi/EFI/sprout/shim.efi
+$ cp /usr/share/efi/x86_64/MokManager.efi /boot/efi/EFI/sprout/MokManager.efi
+$ cp /usr/share/efi/x86_64/fallback.efi /boot/efi/EFI/sprout/fallback.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/share/efi/aarch64/shim.efi /boot/efi/EFI/sprout/shim.efi
+$ cp /usr/share/efi/aarch64/MokManager.efi /boot/efi/EFI/sprout/MokManager.efi
+$ cp /usr/share/efi/aarch64/fallback.efi /boot/efi/EFI/sprout/fallback.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi`
+file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# Sign the unsigned Sprout artifact and name it grub.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grub.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Debian systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It should work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled filesystems
+# or linux kernels and generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# Run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shim.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/signed/ubuntu.md

@@ -0,0 +1,147 @@
+# Setup Sprout for Ubuntu with Secure Boot
+
+## Prerequisites
+
+- Modern Ubuntu release: tested on Ubuntu 25.10 ARM64
+- EFI System Partition mounted on `/boot/efi` (the default)
+
+## Step 1: Generate and Install Secure Boot Key
+
+```bash
+# Create a directory to store the Secure Boot MOK key and certificates.
+$ mkdir -p /etc/sprout/secure-boot
+# Change to the created directory.
+$ cd /etc/sprout/secure-boot
+# Generate a MOK key and certificate.
+$ openssl req \
+    -newkey rsa:4096 -nodes -keyout mok.key \
+    -new -x509 -sha256 -days 3650 -subj '/CN=Sprout Secure Boot/' \
+    -out mok.crt
+# Generate a DER encoded certificate for enrollment.
+$ openssl x509 -outform DER -in mok.crt -out mok.cer
+# Import the certificate into the Secure Boot environment.
+# This will ask you to make a password that will be used during enrollment.
+$ mokutil --import mok.cer
+# Reboot your machine.
+# During boot, MOK enrollment should appear. If it doesn't, ensure you are booting into the shim.
+# Press any key to begin MOK management. Select "Enroll MOK".
+# Select "View key 0", and ensure the subject says "CN=Sprout Secure Boot".
+# If the subject does not match, something has gone wrong with MOK enrollment.
+# Press Enter to continue, then select the "Continue" option.
+# When it asks to enroll the key, select the "Yes" option.
+# Enter the password that you created during the mokutil --import step.
+# Select "Reboot" to boot back into your Operating System.
+```
+
+## Step 2: Prepare the Secure Boot Environment
+
+```bash
+# Create a directory for Sprout EFI artifacts.
+$ mkdir -p /boot/efi/EFI/sprout
+
+# For x86_64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/sprout/shimx64.efi
+$ cp /usr/lib/shim/mmx64.efi /boot/efi/EFI/sprout/mmx64.efi
+$ cp /usr/lib/shim/fbx64.efi /boot/efi/EFI/sprout/fbx64.efi
+
+# For aarch64, copy the following artifacts to the Sprout EFI directory.
+$ cp /usr/lib/shim/shimaa64.efi.signed /boot/efi/EFI/sprout/shimaa64.efi
+$ cp /usr/lib/shim/mmaa64.efi /boot/efi/EFI/sprout/mmaa64.efi
+$ cp /usr/lib/shim/fbaa64.efi /boot/efi/EFI/sprout/fbaa64.efi
+```
+
+## Step 3: Install Unsigned Sprout
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM64 systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/sprout/sprout.unsigned.efi` on your EFI System Partition.
+
+## Step 4: Sign Sprout for Secure Boot
+
+```bash
+# For x86_64, sign the unsigned Sprout artifact and name it grubx64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubx64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+
+# For aarch64, sign the unsigned Sprout artifact and name it grubaa64.efi which is what the shim will call.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/grubaa64.efi \
+    /boot/efi/EFI/sprout/sprout.unsigned.efi
+```
+
+## Step 5: Install and Sign EFI Drivers
+
+You will need a filesystem EFI driver if `/boot` is not FAT32 or ExFAT.
+If `/boot` is FAT32 or ExFAT, you can skip this step.
+
+Most Ubuntu systems use an ext4 filesystem for `/boot`.
+You can download an EFI filesystem driver from [EfiFs releases](https://github.com/pbatard/EfiFs/releases).
+For ext4, download the `ext2` file for your platform. It will work for ext4 filesystems too.
+
+If you have an EFI driver, copy the driver to `/boot/efi/EFI/sprout/DRIVER_NAME.unsigned.efi` for signing.
+
+For example, the `ext4` driver, copy the `ext4.efi` file to `/boot/efi/EFI/sprout/ext4.unsigned.efi`.
+
+Then sign the driver with the Sprout Secure Boot key:
+
+```bash
+# Sign the ext4 driver at ext4.unsigned.efi, placing it at ext4.efi, which will be used in the configuration.
+$ sbsign \
+    --key /etc/sprout/secure-boot/mok.key \
+    --cert /etc/sprout/secure-boot/mok.crt \
+    --output /boot/efi/EFI/sprout/ext4.efi \
+    /boot/efi/EFI/sprout/ext4.unsigned.efi
+```
+
+## Step 6: Create Sprout Configuration
+
+Write the following to the file `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global values.
+[values]
+# your linux kernel command line.
+linux-options = "root=UUID=MY_ROOT_UUID"
+
+# load an ext4 EFI driver.
+# skip this if you do not have a filesystem driver.
+# if your filesystem driver is not named ext4, change accordingly.
+[drivers.ext4]
+path = "\\EFI\\sprout\\ext4.efi"
+
+# global options.
+[options]
+# enable autoconfiguration by detecting installed kernels
+# generating boot entries for them.
+autoconfigure = true
+```
+
+Ensure you add the signed driver paths to the configuration, not the unsigned ones.
+If you do not have any drivers, exclude the drivers section entirely.
+
+## Step 7: Configure Sprout Boot Entry
+
+## Step 7: Configure Sprout Boot Entry
+
+In the following commands, replace /dev/BLOCK_DEVICE with the device that houses your GPT partition table,
+and PARTITION_NUMBER with the partition number of the EFI System Partition. For example, if your EFI System Partition is
+`/dev/sda1`, the BLOCK_DEVICE would be `/dev/sda` and the PARTITION_NUMBER would be `1`
+
+```bash
+# For x86_64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimx64.efi'
+
+# For aarch64, run this command to add Sprout as the default boot entry.
+$ efibootmgr -d /dev/BLOCK_DEVICE -p PARTITION_NUMBER -c -L 'Sprout' -l '\EFI\sprout\shimaa64.efi'
+```
+
+Reboot your machine and it should boot into Sprout.
+If Sprout fails to boot, it should boot into the original bootloader.

docs/setup/unsigned/alpine-edge.md

@@ -0,0 +1,113 @@
+# Setup Sprout for Alpine Edge without Secure Boot
+
+## Prerequisites
+
+- Alpine Edge
+- EFI System Partition mounted on `/boot/efi` (the default)
+- ext4 or FAT32/exFAT formatted `/boot` partition
+
+## Step 1: Base Installation
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/boot/efi/EFI/boot/sprout.efi` on your EFI System Partition.
+
+Additionally, you will want to install the `efifs` package, which provides the filesystem support for Sprout.
+
+```bash
+# Install the efifs package which provides filesystem support for Sprout.
+$ apk install efifs
+```
+
+## Step 2: Configure Sprout
+
+Since Alpine uses standard image paths based on the `linux` package installed, it's quite easy to configure Sprout
+to boot Alpine.
+
+Write the following file to `/boot/efi/sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# load an EFI driver for ext2/ext3/ext4.
+[drivers.ext2]
+path = "\\EFI\\efifs\\ext2.efi"
+
+# extract the full path of the first filesystem
+# that contains \boot\vmlinuz-stable as a file
+# into the value called "root"
+[extractors.root.filesystem-device-match]
+has-item = "\\boot\\vmlinuz-stable"
+
+# add a boot entry for booting linux
+# which will run the boot-linux action.
+[entries.boot-linux-stable]
+title = "Boot Linux Stable"
+actions = ["boot-linux-stable"]
+
+# use the chainload action to boot linux-stable via the efi stub.
+# the options below are passed to the efi stub as the
+# kernel command line. the initrd is loaded using the efi stub
+# initrd loader mechanism.
+[actions.boot-linux-stable]
+chainload.path = "$root\\boot\\vmlinuz-stable"
+chainload.options = ["root=/dev/sda1", "my-kernel-option"]
+chainload.linux-initrd = "$root\\boot\\initramfs-stable"
+```
+
+You can replace `vmlinuz-stable` and `initramfs-stable` with the actual
+files for the `linux` package you have installed. For example, for `linux-lts` it is `vmlinuz-lts` and `initramfs-lts`.
+
+## Step 3, Option 1: Configure GRUB to load Sprout (recommended)
+
+You can configure GRUB to add a boot entry for Sprout, so you can continue to use GRUB without interruption.
+
+GRUB needs to be configured with the chainloader module to load Sprout.
+
+You will need to find the UUID of your EFI System Partition. You can do this by running the following command:
+```bash
+$ grep "/boot/efi" /etc/fstab | awk '{print $1}' | awk -F '=' '{print $2}'
+SAMPLE-VALUE
+```
+
+The GRUB configuration for Sprout is as follows, replace `SAMPLE-VALUE` with the UUID of your EFI System Partition:
+
+```grub
+menuentry 'Sprout' $menuentry_id_option 'sprout' {
+        insmod part_gpt
+        insmod fat
+        insmod chain
+        search --no-floppy --fs-uuid --set=root SAMPLE-VALUE
+        chainloader /EFI/boot/sprout.efi
+}
+```
+
+You can append this to `/etc/grub.d/40_custom` and run the following command to update your configuration:
+```bash
+$ update-grub
+```
+
+To update your GRUB configuration.
+
+You may now reboot your system and select Sprout from the GRUB menu.
+
+## Step 3, Option 2: Configure your EFI firmware for Sprout
+
+You can configure your EFI boot menu to show Sprout as an option.
+
+You will need to install the `efibootmgr` package:
+
+```
+$ apk add efibootmgr
+```
+
+Once `efibootmgr` is installed, find the partition device of your EFI System Partition and run the following:
+
+```bash
+$ efibootmgr -d /dev/esp_partition_here -C -L 'Sprout' -l '\EFI\boot\sprout.efi'
+```
+
+This will add a new entry to your EFI boot menu called `Sprout` that will boot Sprout with your configuration.
+
+Now if you boot into your UEFI firmware, you should see Sprout as an option to boot.

docs/setup/unsigned/fedora.md

@@ -1,4 +1,4 @@
-# Sprout on Fedora
+# Setup Sprout for Fedora without Secure Boot
 
 ## Prerequisites
 
@@ -39,27 +39,11 @@ version = 1
 [drivers.ext4]
 path = "\\sprout\\drivers\\ext4.efi"
 
-# extract the full path of the first filesystem
-# that contains \loader\entries as a directory
-# into the value called "boot"
-[extractors.boot.filesystem-device-match]
-has-item = "\\loader\\entries"
-
-# use the sprout bls module to scan a bls
-# directory for entries and load them as boot
-# entries in sprout, using the entry template
-# as specified here. the bls action below will
-# be passed the extracted values from bls.
-[generators.boot.bls]
-path = "$boot\\loader\\entries"
-entry.title = "$title"
-entry.actions = ["bls"]
-
-# the action that is used for each bls entry above.
-[actions.bls]
-chainload.path = "$boot\\$chainload"
-chainload.options = ["$options"]
-chainload.linux-initrd = "$boot\\$initrd"
+# global options.
+[options]
+# enable autoconfiguration by detecting bls enabled
+# filesystems and generating boot entries for them.
+autoconfigure = true
 ```
 
 ## Step 3, Option 1: Configure GRUB to load Sprout (recommended)

docs/setup/unsigned/generic-linux.md

@@ -0,0 +1,62 @@
+# Setup Sprout for Linux without Secure Boot
+
+## Prerequisites
+
+- EFI System Partition mounted on a known path
+- Linux kernel installed with an optional initramfs
+- Linux kernel must support the EFI stub (most distro kernels)
+
+## Step 1: Base Installation
+
+First, identify the path to your EFI System Partition. On most systems, this is `/boot/efi`.
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `/EFI/BOOT/sprout.efi` on your EFI System Partition.
+
+## Step 2: Copy kernel and optional initramfs
+
+Copy the Linux kernel to `/vmlinuz-sprout` on your EFI System Partition.
+If needed, copy the initramfs to `/initramfs-sprout` on your EFI System Partition.
+
+## Step 3: Configure Sprout
+
+Write the following file to `/sprout.toml` on your EFI System Partition,
+paying attention to place the correct values:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# add a boot entry for booting linux
+# which will run the boot-linux action.
+[entries.boot-linux]
+title = "Boot Linux"
+actions = ["boot-linux"]
+
+# use the chainload action to boot linux via the efi stub.
+# the options below are passed to the efi stub as the
+# kernel command line. the initrd is loaded using the efi stub
+# initrd loader mechanism.
+[actions.boot-linux]
+chainload.path = "\\vmlinuz-sprout"
+chainload.options = ["root=/dev/sda1", "my-kernel-option"]
+chainload.linux-initrd = "\\initramfs-sprout"
+```
+
+You can specify any kernel command line options you want on the chainload options line.
+They will be concatenated by a space and passed to the kernel.
+
+## Step 4: Configure EFI firmware to boot Sprout
+
+Since Sprout is still experimental, the following commands will add a boot entry to your EFI firmware for sprout but
+intentionally do not set it as the default boot entry.
+
+To add the entry, please find the partition device of your EFI System Partition and run the following:
+
+```bash
+$ sudo efibootmgr -d /dev/esp_partition_here -C -L 'Sprout' -l '\EFI\BOOT\sprout.efi'
+```
+
+This will add a new entry to your EFI boot menu called `Sprout` that will boot Sprout with your configuration.
+Now if you boot into your UEFI firmware, you should see Sprout as an option to boot.

docs/setup/unsigned/windows.md

@@ -0,0 +1,47 @@
+# Setup Sprout for Windows without Secure Boot
+
+## Prerequisites
+
+- Secure Boot is disabled or configured to allow Sprout
+- UEFI Windows installation
+
+## Step 1: Base Installation
+
+First, mount the EFI System Partition on your Windows installation:
+
+In an administrator command prompt, run:
+
+```batch
+> mountvol X: /s
+```
+
+This will mount the EFI System Partition to the drive letter `X:`.
+
+Please note that Windows Explorer will not let you see the drive letter `X:` where the ESP is mounted.
+You will need to use the command prompt or PowerShell to access the ESP.
+Standard editors can, however, be used to edit files on the ESP.
+
+Download the latest sprout.efi release from the [GitHub releases page](https://github.com/edera-dev/sprout/releases).
+For x86_64 systems, download the `sprout-x86_64.efi` file, and for ARM systems, download the `sprout-aarch64.efi` file.
+Copy the downloaded `sprout.efi` file to `X:\EFI\BOOT\sprout.efi` on your EFI System Partition.
+
+## Step 3: Configure Sprout
+
+Write the following file to `X:\sprout.toml`:
+
+```toml
+# sprout configuration: version 1
+version = 1
+
+# global options.
+[options]
+# enable autoconfiguration to detect Windows.
+autoconfigure = true
+```
+
+## Step 4: Configure EFI Firmware to boot Sprout
+
+It is not trivial to add an EFI boot entry inside Windows.
+However, most firmware lets you load arbitrary EFI files from the firmware settings.
+
+You can boot `\EFI\BOOT\sprout.efi` from firmware to boot Sprout.

hack/clean.sh

@@ -27,4 +27,6 @@ if command -v docker >/dev/null 2>&1; then
 	delete_image sprout-kernel-build-aarch64 || true
 	delete_image sprout-boot-x86_64 || true
 	delete_image sprout-boot-aarch64 || true
+	delete_image sprout-xen-x86_64 || true
+	delete_image sprout-xen-aarch64 || true
 fi