# Copyright 2026 Gentoo Authors # Copyright 2026 Lamco Development LLC # Distributed under the terms of the GNU General Public License v2 EAPI=8 PYTHON_COMPAT=( python3_{12..15} ) inherit python-single-r1 shell-completion DESCRIPTION="Memory-safe UEFI bootloader for Linux, written in Rust" HOMEPAGE="https://lamco.ai/products/lamboot/ https://github.com/lamco-admin/lamboot" # Prebuilt binary ebuild: this repackages the published Secure Boot-signed # -bin release artifact (the same tarball AUR lamboot-bin and apt.lamco.ai # consume). It does not build from source, so no nightly Rust toolchain and # no signing keys are needed at merge time. A build-from-source ebuild is a # separate track, gated on whether LamBoot builds on stable rustc for the # *-unknown-uefi targets without -Z build-std (see ../../../PACKAGING.md). SRC_URI="https://github.com/lamco-admin/lamboot/releases/download/v${PV}/lamboot-${PV}-x86_64.tar.gz" LICENSE="MIT Apache-2.0" SLOT="0" KEYWORDS="~amd64" # The shipped .efi is a Secure Boot-signed PE binary. Stripping it (or running # any ELF post-processing over it) rewrites the file and invalidates the # signature, so the firmware rejects it under Secure Boot. Forbid strip. RESTRICT="strip" # efibootmgr: lamboot-install registers the UEFI boot entry through it. # python: lamboot-inspect and lamboot-monitor.py are Python 3 programs; the # python-single-r1 eclass declares the dependency and pins the script shebangs. REQUIRED_USE="${PYTHON_REQUIRED_USE}" RDEPEND=" sys-boot/efibootmgr ${PYTHON_DEPS} " # The signed PE binaries are not ELF; tell the QA scanners not to treat them # as broken ELF objects or to expect them to be stripped. QA_PREBUILT="usr/share/lamboot/EFI/LamBoot/*.efi usr/share/lamboot/EFI/LamBoot/modules/*.efi usr/share/lamboot/EFI/LamBoot/drivers/*/*.efi" src_prepare() { default # Drop any Python bytecode the artifact carried; it is regenerated at # runtime and would otherwise pull host paths into the package. find . -type d -name __pycache__ -exec rm -rf {} + || die find . -type f -name '*.pyc' -delete || die # Normalise permissions: directories 0755, files 0644, keeping the # executable bit where the tarball already set it (lamboot-install, # lamboot-inspect, sign-lamboot.sh + its sign-lock/sign-unlock helpers, # the .efi loaders). Mirrors the deb's `chmod -R u=rwX,go=rX`. The # wholesale cp in src_install then preserves these modes. chmod -R u=rwX,go=rX . || die "failed to normalise source perms" # Pin the Python diagnostic scripts' shebangs to the selected interpreter # (python-single-r1). lamboot-host-sampler and the rest are bash, left as-is. python_fix_shebang lamboot-inspect lamboot-monitor.py } src_install() { # Stage the whole distribution under /usr/share/lamboot — lamboot-install's # SRC_DIR (it searches /usr/share/lamboot, /usr/local/share/lamboot, then # /opt/lamboot, and copies the .efi to the operator's ESP from there). Copy # the tree wholesale to preserve the +x bits on scripts, rather than doins # (which forces 0644 and would break lamboot-install's exec of its siblings). local share="${ED}/usr/share/lamboot" dodir /usr/share/lamboot cp -a "${S}"/. "${share}"/ || die "failed to stage distribution" # Prune the copies installed to their own paths below (man, completions, # the README/CHANGELOG/SECURITY docs) or not installed at all (packaging, # docs, the license texts, the manifest); lamboot-install reads none of # them from SRC_DIR. rm -rf \ "${share}"/packaging \ "${share}"/man \ "${share}"/completions \ "${share}"/docs \ "${share}"/README.md \ "${share}"/CHANGELOG.md \ "${share}"/SECURITY.md \ "${share}"/LICENSE-MIT \ "${share}"/LICENSE-APACHE \ "${share}"/MANIFEST.sha256 \ || die "failed to prune staged tree" # esp-deploy.sh at the canonical literal path. lamboot-install checks # /usr/lib/lamboot/esp-deploy.sh first, then the script-relative # ../lib/esp-deploy.sh. Use the literal /usr/lib (NOT $(get_libdir)): # on amd64 that resolves to /usr/lib64, where lamboot-install does not # look. It is a sourced shell library, so 0644 is correct. insinto /usr/lib/lamboot doins lib/esp-deploy.sh # Operator CLIs on PATH as relative symlinks into the staged tree, so each # script's realpath-based sibling lookups resolve: lamboot-inspect imports # the adjacent lamboot_inspect package, and sign-lamboot.sh execs the # adjacent sign-unlock/sign-lock. The staged systemd units hardcode # /usr/bin/lamboot-install, so these must land in /usr/bin, not /usr/sbin. dodir /usr/bin dosym ../share/lamboot/lamboot-install /usr/bin/lamboot-install dosym ../share/lamboot/lamboot-inspect /usr/bin/lamboot-inspect dosym ../share/lamboot/sign-lamboot.sh /usr/bin/lamboot-sign # Man page, shell completions (newbashcomp + dozshcomp from shell-completion). doman man/man1/lamboot-inspect.1 newbashcomp completions/lamboot-inspect.bash lamboot-inspect dozshcomp completions/_lamboot-inspect # Documentation. The MIT and Apache-2.0 license texts are not installed: # both are in Gentoo's license tree and tracked via LICENSE above. dodoc README.md CHANGELOG.md SECURITY.md # Note what we deliberately do NOT install: the systemd units, the # kernel-install plugin, the kernel-event hooks, and lamboot-kernel-hook. # lamboot-install deploys all of those at runtime from /usr/share/lamboot. # The package never writes the ESP or /etc. (The AUR package's one # exception, the alpm kernel hook, is an Arch-only convention and has no # Gentoo equivalent here.) } pkg_postinst() { elog "LamBoot is staged under /usr/share/lamboot but is NOT yet installed to" elog "the EFI System Partition. To deploy the bootloader and register a UEFI" elog "boot entry, run:" elog "" elog " sudo lamboot-install --signed" elog "" elog "Secure Boot today means MOK or sbctl enrollment; this package never" elog "enrolls a key for you. To trust the shipped signed bootloader under" elog "shim, enroll the LamBoot signing certificate:" elog "" elog " sudo mokutil --import /usr/share/lamboot/lamboot-signing.der" elog " (set a one-time password, reboot, complete enrollment in MokManager)" elog "" elog "Or, with sbctl, sign/enroll through your own Secure Boot key hierarchy." elog "Full guide: /usr/share/doc/${PF}/" }