Posted by Foxboron 10/22/2024

A Report from the 2024 Image-Based Linux Summit (lwn.net)
36 points | 3 comments
kristianp 10/23/2024
Are they talking about docker images? What's a hermetic usr? Not answered in the article.
transpute 10/23/2024
Atomic updates of r/o disk image with OS and apps, isolated from declarative config, e.g.

  NixOS
  Fedora Silverblue
  openSUSE MicroOS
Enables measured boot of fixed-function appliances, limiting which applications are permitted to run.

> .. Integrity Policy Enforcement Linux Security Module (IPE LSM) being accepted for inclusion upstream during the 6.12 merge window. This new LSM lets image-based Linux deployments ship a code-integrity policy enforced by the kernel, so that only signed (and thus trusted) payloads can be executed at run time. Enabling this feature was always one of the goals of developing image-based Linux products, and a demo showing how this can work was given at ASG.

aspenmayer 10/22/2024
https://archive.is/kMdGw