From 50437e3561d8b8612dacdad565f37d3d772b660e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 16:32:24 +0000 Subject: [PATCH 1/2] Initial plan From 54aab862b2701e6ac24f9d121a4625b62de1812b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 20 May 2026 16:37:08 +0000 Subject: [PATCH 2/2] docs: warn and document revert for Ubuntu AppArmor quick fix Agent-Logs-Url: https://github.com/AMDEPYC/sev-certify/sessions/51ca8234-e7b3-464c-9222-5461d508d186 Co-authored-by: amd-aliem <232466734+amd-aliem@users.noreply.github.com> --- images/README.md | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 images/README.md diff --git a/images/README.md b/images/README.md new file mode 100644 index 0000000..63e4f85 --- /dev/null +++ b/images/README.md 
@@ -0,0 +1,60 @@ +# Images + +mkosi image definitions for SEV-SNP host and guest environments. Each subdirectory contains a `mkosi.conf` for one image. + +## Build + +```bash +make list # show available images +make host-fedora-41 # build a specific image +make all # build every image +make clean-host-fedora-41 # clean a specific image +make clean # clean every image +make status # show built images and their artifacts +``` + +## Naming + +``` +{role}-{distro}-{release} +``` + +- **role**: `host` (bare-metal SEV hypervisor) or `guest` (SEV guest UKI/EFI) +- **distro**: `fedora`, `ubuntu`, `centos`, `debian`, `rocky` +- **release**: distro version number or codename + +## Ubuntu: AppArmor + mkosi + +Ubuntu restricts unprivileged user namespaces via AppArmor, which breaks mkosi. See [systemd/mkosi#3265](https://github.com/systemd/mkosi/issues/3265). + +**Quick fix** -- disable the restriction system-wide (**security impact**: this weakens AppArmor protections for all userspace; `sysctl -w` changes are temporary until reboot unless persisted in `/etc/sysctl.d`): + +```bash +sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0 +sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 +``` + +To revert: + +```bash +sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1 +sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1 +``` + +**Per-binary fix:** Create `/etc/apparmor.d/mkosi` (adjust path if needed): + +``` +abi , +include + +profile mkosi /usr/bin/mkosi flags=(unconfined) { + userns, + include if exists +} +``` + +Then reload: + +```bash +sudo systemctl reload apparmor +```
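Review bot: in the per-binary fix, the profile lines `abi ,`, `include` and `include if exists` have lost their `<...>` targets, so `/etc/apparmor.d/mkosi` as shown will not parse and the `systemctl reload apparmor` step will fail; the usual Ubuntu form is `abi <abi/4.0>,`, `include <tunables/global>` and `include if exists <local/mkosi>`. Because this profile lifts the restriction for one binary only, whereas the quick fix switches it off for every unprivileged process, the section should say the per-binary profile is the recommended path and present the sysctl change as a fallback. The revert block also assumes both sysctls were `1` beforehand; suggest asking readers to record the current values (`sysctl kernel.apparmor_restrict_unprivileged_unconfined kernel.apparmor_restrict_unprivileged_userns`) before changing them, and to remove any persisted `/etc/sysctl.d` entry when reverting, since the warning above already notes that such entries survive reboot.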