Trusted Boot Upgrades

This section covers how to upgrade a Kairos node with Trusted Boot enabled.

See the Trusted Boot Installation and Trusted Boot Architecture pages for more references.


In order to upgrade a node to a new version of the OS, you need to generate again the installable medium with the same keys used in the steps before.

The process will generate an EFI file which we will pack into a container image that will be used to upgrade the node.

First we need to extract the EFI file from the ISO file generated with what explained in the Trusted Boot Installation documentation:

Generate the upgrade image

  1. Build the container image used to generate the upgrade image
# Build the container image that will be used to generate the keys and installable medium
git clone
cd enki
docker build -t enki --target tools-image .
  1. Build the Container image used for upgrades

# ubuntu:
docker run --rm -v $PWD/keys:/keys -v $PWD:/work -ti enki build-uki $CONTAINER_IMAGE -t uki -d /work/upgrade-image -k /keys

# Generate container-image for upgrades
docker run --rm -v $PWD/keys:/keys -v $PWD:/work -ti enki build-uki $CONTAINER_IMAGE -t container -d /work/upgrade-image -k /keys
  1. Push the upgrade image to a registry
# Now you can load upgrade_image.tar to a registry and use it with kairos-agent
docker load -i *.tar
#401b8e83daf6: Loading layer [==================================================>]  1.263GB/1.263GB
# Loaded image: kairos_uki:v3.0.0-alpha2
docker push <IMAGE_NAME>


Generate the upgrade image manually

You can also manually generate the container image:

CONF=$(basename $(ls -1 $PWD/upgrade-image/loader/entries/*.conf))
# Replace with the version of the OS you are upgrading to (next boot auto selection)
cat <<EOF > upgrade-image/loader/loader.conf
default $CONF
timeout 5
console-mode max
editor no

## Generate the container image
docker run --rm -v $PWD:/work --entrypoint /bin/tar -ti enki -C /work/upgrade-image -cf /work/src.tar .

docker run -ti -v $PWD:/work util pack $CONTAINER_IMAGE_NAME /work/src.tar /work/upgrade_image.tar

Last modified February 5, 2024: Upgrade image docs updates (#140) (2065f41)