Red Hat engineer Anirban Sinha presented at FOSDEM 2025 last weekend in Brussels on F-UKI, a new project being worked on at Red Hat as part of the confidential computing push for loading guest firmware within a Unified Kernel Image (UKI) for confidential VMs.

Red Hat's F-UKI is aiming to be the way to load firmware for confidential VMs with the likes of AMD SEV-SNP and Intel TDX. Due to firmware images needing to be measured as part pf the measured boot processes for security and guests wanting predictable behavior/expectations by supplying their own firmware for VMs, F-UKI aims to be the ideal solution for the industry by pairing the firmware update handling with unified kernel images.

UKIs can already be signed and measured and all-around the design of UKIs make for a pleasant experience for tacking on firmware updates to. Again, this is only about the context of confidential VMs and not about changing the bare metal firmware update handling or similar. So far changes have been merged to QEMU and systemd for F-UKI but other work remains ongoing.

Those wanting to learn more about Red Hat's F-UKI project can see [1]this FOSDEM presentation page for all the assets on the F-UKI talk.



[1] https://fosdem.org/2025/schedule/event/fosdem-2025-4661-introducing-fuki-guest-firmware-in-a-uki-for-confidential-cloud-deployments/