Using /opt with System Extensions By default, Kairos does not include /opt as a system extension (sysext) overlay hierarchy. This is because, during normal runtime, /opt is writable and bind-mounted to the persistent partition, allowing users and applications to freely write data that persists across reboots. However, when a system extension is loaded that includes a /opt hierarchy, the behavior of that directory changes: it becomes read-only, overridden by the overlay from the system extension im...| kairos.io
This document describes how an administrator can prevent certain OS images from booting on their hardware in the context of “Trusted Boot”. Two different scenarios will be covered, with the process being only slightly different for each case. Scenario 1 - Signing certificate is no longer trusted The process of creating signed images that can be trusted to boot requires the signing keys to be safe and accessible only to the vendor that produces the OS images.| kairos.io