// Boot chain of a UEFI Secure Boot system with an encrypted /boot and an
// encrypted root, drawn left to right from firmware to user login.
//
// Trust notes for readers of the diagram:
//  - The only stage labelled as signature-checked is grubx64.efi. No node or
//    edge shows verification of grub.cfg, the kernel or the initrd.
//    NOTE(review): confirm whether GRUB enforces kernel signature checks
//    here, and what (if anything) measures or verifies the initrd and
//    grub.cfg.
//  - LUKS on /boot keeps its contents confidential. Plain LUKS does not by
//    itself authenticate the data, so it should not be read as an integrity
//    guarantee for grub.cfg/initrd unless an integrity layer is in use.
//    TODO confirm.
//  - NOTE(review): GRUB's LUKS2 support depends on the GRUB version and on
//    the key slot's KDF (upstream support was PBKDF2-only for a long time);
//    confirm the /boot key slot is one GRUB can open.
digraph boot_chain {
    rankdir = LR;
    node [shape = box, style = filled, fillcolor = "#e3f2fd"];

    // --- Firmware and bootloader ---
    UEFI        [label = "UEFI Firmware\n(SECURE BOOT)", fillcolor = "#90caf9"];
    GRUB        [label = "grubx64.efi\n(Secure Boot-signed)", fillcolor = "#64b5f6"];
    DecryptBoot [label = "GRUB decrypts\n/boot (LUKS2)", fillcolor = "#4fc3f7"];
    GRUBCFG     [label = "Load grub.cfg\n(from decrypted /boot)"];

    // --- Kernel and early userspace ---
    // Both path labels end at the hyphen; presumably a kernel version suffix
    // follows. They are left exactly as given.
    Kernel      [label = "Load Kernel:\n/boot/vmlinuz-"];
    Initrd      [label = "Load Initrd:\n/boot/initrd.img-"];
    Initramfs   [label = "initramfs:\nUnlock Root (/)", fillcolor = "#81d4fa"];
    PivotRoot   [label = "pivot_root/switch_root", fillcolor = "#80cbc4"];

    // --- Running system ---
    Systemd     [label = "systemd (PID 1)", fillcolor = "#a5d6a7"];
    MountRest   [label = "Decrypt + Mount:\n/home, /usr, /var, etc."];
    Ephemeral   [label = "Create ephemeral\nswap & /tmp", fillcolor = "#ffe082"];
    Login       [label = "User login"];

    // Firmware hands control to the signed bootloader, which asks for the
    // /boot passphrase before any configuration is read.
    UEFI -> GRUB               [label = "Launch EFI bootloader"];
    GRUB -> DecryptBoot        [label = "Prompt for /boot passphrase"];
    DecryptBoot -> GRUBCFG     [label = "Parse GRUB config"];

    // grub.cfg selects both images. Initrd has no outgoing edge: the hand-off
    // into the initramfs stage is drawn from Kernel only.
    GRUBCFG -> Kernel;
    GRUBCFG -> Initrd;
    Kernel -> Initramfs        [label = "initrd is unpacked\nand executed"];

    // Root is unlocked inside the initramfs, then the real root takes over.
    Initramfs -> PivotRoot     [label = "Root unlocked\n(mount /)"];
    PivotRoot -> Systemd;

    // systemd brings up the remaining encrypted volumes and the ephemeral
    // swap and /tmp; both branches join at login.
    Systemd -> MountRest;
    Systemd -> Ephemeral;
    MountRest -> Login;
    Ephemeral -> Login;
}