Building the Bootloader
The NØNOS bootloader is a UEFI application responsible for cryptographic verification and kernel loading. It implements the first stage of the trusted boot chain.
Overview
┌─────────────────────────────────────────────────────────────────┐
│ BOOTLOADER ARCHITECTURE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ BOOTX64.EFI (300 KB) │ │
│ ├─────────────────────────────────────────────────────────┤ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌────────────┐ │ │
│ │ │ Ed25519 │ │ BLAKE3 │ │ Groth16 │ │ │
│ │ │ Verifier │ │ Hasher │ │ Verifier │ │ │
│ │ └──────────────┘ └──────────────┘ └────────────┘ │ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌────────────┐ │ │
│ │ │ Public Key │ │ UEFI │ │ Memory │ │ │
│ │ │ Storage │ │ Services │ │ Map │ │ │
│ │ └──────────────┘ └──────────────┘ └────────────┘ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ VERIFICATION FLOW │ │
│ │ │ │
│ │ Load kernel.bin ──▶ BLAKE3 hash ──▶ Ed25519 verify │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌─────────────────────┐ │ │
│ │ │ Jump to kernel_main │ │ │
│ │ │ at 0x100000 │ │ │
│ │ └─────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘Build Command
Build Target
Target
x86_64-unknown-uefi
Format
PE32+ executable
Size
~300 KB
Output
target/x86_64-unknown-uefi/release/nonos_boot.efi
Bootloader Responsibilities
Cryptographic Verification
Cryptographic VerificationLoad kernel from ESP partition (
EFI/nonos/kernel.bin)Compute BLAKE3 hash of kernel binary
Verify Ed25519 signature against embedded public keys
Optional: Verify Groth16 ZK proof for attestation
Hardware Initialization
Hardware InitializationPCI bus enumeration
GPU/framebuffer detection
ACPI table discovery
Memory map collection
Hardware RNG seeding
Boot Information Structure
The bootloader passes critical information to the kernel:
Embedded Public Keys
Production public keys are compiled into the bootloader:
The bootloader supports multiple trusted keys:
Key 0
Primary production key
Key 1
Backup production key
Key 2
Recovery key
A kernel is accepted if its signature verifies against any trusted key.
Build Output Structure
Secure Boot Integration
The bootloader can operate in two modes:
Development
Disabled
Uses dev signing key
Production
Enabled
Requires enrolled NØNOS certificate
To enroll NØNOS for Secure Boot, see Booting on Hardware.
Testing Standalone
Test the bootloader independently:
Troubleshooting
not a valid PE image
Verify --target x86_64-unknown-uefi
UEFI boot fails
Check OVMF path: ls /usr/share/OVMF/
Signature verification fails
Rebuild both bootloader and kernel with same key
Black screen
Try different display output or serial mode
Last updated
Was this helpful?