osmo os by Osmosian boots with a signed UKI for UEFI Secure Boot; on legacy BIOS it boots without Secure Boot. Storage is encrypted with LUKS2 on Btrfs, the kernel is hardened, and userspace is BusyBox. It runs under QEMU/KVM or on bare metal.
Unified Kernel Image signed for UEFI Secure Boot: single artifact (stub, kernel, initramfs, cmdline) — measured and verified at boot.
LUKS2 full-disk encryption on Btrfs with hardened mount options, controlled discard (TRIM) when enabled, and integrity-preserving defaults.
Lockdown mode, AppArmor, KASLR, strict sysctls, read-only kernel memory regions, and a minimal module set reduce the attack surface.
BusyBox core with essential tools only — no telemetry, no desktop, predictable boot, and fewer moving parts.
Area | Default | Status |
---|---|---|
Boot | UEFI path: signed Unified Kernel Image (UKI) with measured boot and a signed command line; dm-verity for read-only critical partitions. Legacy BIOS: boot without Secure Boot. | enforced |
Storage | LUKS2 with argon2id, Btrfs subvolumes, hardened mounts, controlled discard (TRIM) when enabled. | enforced |
Kernel | Lockdown integrity, AppArmor, KASLR, unprivileged BPF disabled, restricted dmesg/kptr, minimal modules. | strict |
Networking | Default-deny firewall, reverse-path filtering, TCP hardening, drop unsolicited IPv6 RA, minimal services. | enabled |
For production, enroll your own PK/KEK/db and sign UKIs in CI with organization keys.
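
To check the Kernel and Networking rows on a running system, the sketch below (an added example, not osmo os's own tooling) audits a `sysctl -a` dump against a baseline. The sysctl keys are standard Linux names; the expected values and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a `sysctl -a` dump against an assumed baseline for the Kernel and
# Networking rows. Values are illustrative assumptions, not osmo os defaults.
# Only the "all" scope is checked; per-interface keys can still differ.

# lookup KEY FILE: print KEY's value from "key = value" lines.
lookup() {
  awk -v k="$1" -F' *= *' '$1 == k { print $2; exit }' "$2"
}

# audit FILE: print one line per baseline key; exit status = number of deviations.
audit() {
  fails=0
  while read -r key op want; do
    have=$(lookup "$key" "$1")
    if [ -z "$have" ]; then status=MISSING
    elif [ "$op" = eq ] && [ "$have" -eq "$want" ] 2>/dev/null; then status=ok
    elif [ "$op" = ge ] && [ "$have" -ge "$want" ] 2>/dev/null; then status=ok
    else status=FAIL
    fi
    [ "$status" = ok ] || fails=$((fails + 1))
    printf '%-36s want %s %s, have %s: %s\n' "$key" "$op" "$want" "${have:--}" "$status"
  done <<'EOF'
kernel.unprivileged_bpf_disabled ge 1
kernel.dmesg_restrict eq 1
kernel.kptr_restrict ge 1
net.ipv4.conf.all.rp_filter eq 1
net.ipv6.conf.all.accept_ra eq 0
EOF
  return "$fails"
}

# sample: constructed dump with two weak values and one key absent.
sample() {
  cat <<'EOF'
kernel.unprivileged_bpf_disabled = 2
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 0
net.ipv4.conf.all.rp_filter = 2
EOF
}

tmp=$(mktemp)
sample > "$tmp"
audit "$tmp" || echo "deviations: $?"
rm -f "$tmp"
```

On a live host, run `sysctl -a > dump.txt` and pass the file to `audit`.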