Invention Publication
- Patent Title: Trust Zone Attestation for Secure Loading of Service OS
- Application No.: US18305507
- Application Date: 2023-04-24
- Publication No.: US20240354416A1
- Publication Date: 2024-10-24
- Inventor: Shekar Babu SURYANARAYANA, Manjunath GR, Venkata Rama krishna Rao ATTA
- Applicant: Dell Products L.P.
- Applicant Address: US TX Round Rock
- Assignee: Dell Products L.P.
- Current Assignee: Dell Products L.P.
- Current Assignee Address: US TX Round Rock
- Main IPC: G06F21/57
- IPC: G06F21/57; G06F3/06; G06F9/4401

Abstract:
Disclosed subject matter implements a secure, cloud-based boot sequence for a recovery OS. In at least some embodiments, a three-phase solution is employed. The first phase, which may occur during the DXE phase of a boot sequence, establishes trust by configuring at least a portion of system memory as a trust zone RAM disk and attesting modules that interact with the RAM disk. The second phase downloads a file from the cloud and performs a cumulative hash verification and handshaking with the EC. During the third phase, a memory identification table for the trust zone is migrated to the OS runtime environment to enable secured, OS runtime access to the RAM disk contents.