Support UKI #2753

@cgwalters

Description

See https://github.com/uapi-group/specifications/blob/main/specs/unified_kernel_image.md and https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1

There are two major points here:

UEFI only

We'll need to add a UEFI backend to ostree, which explicitly controls the UEFI boot ordering via e.g. efibootmgr instead of using the /boot/loader/entries stuff.

Kernel cmdline ➡️ rootfs

One goal of the UKI work is to have generic Linux distributions sign both the kernel and initramfs and stock kernel cmdline. However, ostree today embeds the target rootfs in the kernel cmdline - this creates a recursion issue.

Option: ostree=N and symlinks and using systemd-stub credentials

We can change ostree-prepare-root in the initramfs to automatically find the latest symlink in /sysroot/ostree - we effectively do almost this with /ostree/boot.[01] today.

(Something to debate here is whether we require an ostree= karg at all; our initramfs code is conservative today in making ostree opt-in, but for people who are requiring it, we could also just add a flag to default it to on, finding the latest deployment)

The interesting thing here is what it looks like to fetch a userspace only update.

That flow would look like this:

  • Initial system deployment has one UKI in ESP
  • ostree admin upgrade or bootc update or whatever, fetch new rootfs but not a new kernel UKI
  • ostree defaults to enabling rollback today, so for systemd-stub we'd copy the existing UKI, and add a credential that tells the initramfs to look for the previous deployment

Option: Parsing the UKI filename

See #2753 (comment)
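A sketch of the deployment-selection logic the proposal above implies, added here as an example and not ostree or systemd code: an explicit `ostree=` karg keeps today's behaviour, otherwise the initramfs picks the newest deployment, shifted back by a rollback offset carried in a systemd-stub credential. The credential name `ostree.rollback-offset`, the `/ostree/deploy/<stateroot>/deploy/<checksum>.<serial>` layout, the `.extra/credentials` directory and the constructed fixture are assumptions chosen for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed credential name for this sketch; ostree defines no such credential today.
CREDENTIAL_NAME = "ostree.rollback-offset"

def read_stub_credential(cred_dir, name):
    """Read a credential unpacked from a *.cred file; the directory is a parameter
    so the sketch runs against a fixture instead of the real initrd."""
    path = Path(cred_dir) / f"{name}.cred"
    return path.read_text().strip() if path.is_file() else None

def list_deployments(sysroot):
    """Deployment directories newest first (the 'find the latest' idea). Layout
    assumed: <sysroot>/ostree/deploy/<stateroot>/deploy/<checksum>.<serial>"""
    deploys = [p for p in Path(sysroot).glob("ostree/deploy/*/deploy/*") if p.is_dir()]
    return sorted(deploys, key=lambda p: p.stat().st_mtime, reverse=True)

def select_deployment(sysroot, karg=None, cred_dir=None):
    """Resolve the rootfs: explicit ostree= karg first (today's behaviour), else the
    newest deployment shifted back by the rollback offset carried in a credential."""
    if karg:
        return Path(sysroot) / karg.lstrip("/")
    deploys = list_deployments(sysroot)
    if not deploys:
        raise FileNotFoundError("no ostree deployments under sysroot")
    offset = 0
    if cred_dir:
        value = read_stub_credential(cred_dir, CREDENTIAL_NAME)
        offset = int(value) if value is not None else 0
    if offset >= len(deploys):
        raise ValueError(f"rollback offset {offset} but only {len(deploys)} deployments")
    return deploys[offset]

def build_fixture():
    """Constructed sysroot: an old and a new deployment, plus a credential asking
    for the previous one (the copied-UKI rollback case from the issue)."""
    base = tempfile.mkdtemp()
    for name, age in (("aaaa.0", 200), ("bbbb.0", 100)):  # bbbb.0 is the newer one
        d = Path(base, "ostree/deploy/fedora/deploy", name)
        d.mkdir(parents=True)
        os.utime(d, (1_700_000_000 - age, 1_700_000_000 - age))
    cred_dir = Path(base, ".extra/credentials")  # assumed location of stub credentials
    cred_dir.mkdir(parents=True)
    (cred_dir / f"{CREDENTIAL_NAME}.cred").write_text("1\n")
    return base, str(cred_dir)
```

With the fixture, `select_deployment(sysroot)` yields `bbbb.0` and `select_deployment(sysroot, cred_dir=creds)` yields `aaaa.0`, the previous deployment.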
