diff --git a/.github/workflows/reusable-uki-test.yaml b/.github/workflows/reusable-uki-test.yaml index 2080340d8..12ab0d47e 100644 --- a/.github/workflows/reusable-uki-test.yaml +++ b/.github/workflows/reusable-uki-test.yaml @@ -72,7 +72,7 @@ jobs: run: | earthly +uki-iso \ --BASE_IMAGE=ttl.sh/${{ inputs.flavor }}-${{ inputs.flavor_release }}-${{ github.head_ref || github.ref }}:24h \ - --ENKI_CREATE_CI_KEYS=true + --ENKI_OVERLAY_DIR=tests/assets/sysext/ --ENKI_KEYS_DIR=tests/assets/keys/ - name: Create datasource iso 🔧 run: | earthly +datasource-iso --CLOUD_CONFIG=tests/assets/uki-install.yaml diff --git a/Earthfile b/Earthfile index 55e3ea55e..0c8b8eca6 100644 --- a/Earthfile +++ b/Earthfile @@ -9,7 +9,7 @@ ARG LUET_VERSION=0.35.2 # renovate: datasource=docker depName=aquasec/trivy ARG TRIVY_VERSION=0.51.4 # renovate: datasource=github-releases depName=kairos-io/kairos-framework -ARG KAIROS_FRAMEWORK_VERSION=v2.8.4 +ARG KAIROS_FRAMEWORK_VERSION=v2.8.5 ARG COSIGN_SKIP=".*quay.io/kairos/.*" # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name 
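Review bot: With `--ENKI_CREATE_CI_KEYS=true` gone, the ISO this job builds is signed with `tests/assets/keys/`, whose private halves are committed to the repository, so the Secure Boot signature on it proves nothing; that is fine for a test boot, but nothing on the line says so. Add a comment next to the flag, `# tests/assets/keys are public test keys: never promote this ISO or enroll its PK/KEK outside the test VM`, so a later copy-paste into a release workflow does not silently inherit it. Passing `tests/assets/sysext/` as the overlay directory also copies that folder's README.md into the ISO overlay, since the Earthfile target copies the directory wholesale; harmless, but a directory holding only the `.raw` images would keep the overlay to what the test needs.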
@@ -331,15 +331,28 @@ uki-iso: ARG ENKI_FLAGS ARG ENKI_CREATE_CI_KEYS # If set, it will create keys for the UKI image. Good for testing ARG ENKI_OUTPUT_TYPE=iso # Set output type, iso, container, uki file + ARG ENKI_OVERLAY_DIR # Overlay directory to be copied to the image + ARG ENKI_KEYS_DIR # Directory where the keys are stored FROM $OSBUILDER_IMAGE WORKDIR /build RUN mkdir -p /keys IF [ "$ENKI_CREATE_CI_KEYS" != "" ] RUN enki genkey -e 7 --output /keys Test + ELSE IF [ "$ENKI_KEYS_DIR" != "" ] + COPY $ENKI_KEYS_DIR /keys ELSE - COPY keys/ /keys + RUN echo "No keys provided, using the test ones" + COPY tests/keys/* /keys END - RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type ${ENKI_OUTPUT_TYPE} ${ENKI_FLAGS} + + IF [ "$ENKI_OVERLAY_DIR" != "" ] + COPY $ENKI_OVERLAY_DIR /overlay-iso + RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type ${ENKI_OUTPUT_TYPE} --overlay-iso /overlay-iso ${ENKI_FLAGS} + ELSE + RUN --no-cache enki build-uki $BASE_IMAGE --output-dir /build/ -k /keys --output-type ${ENKI_OUTPUT_TYPE} ${ENKI_FLAGS} + END + + IF [ "$ENKI_OUTPUT_TYPE" == "iso" ] SAVE ARTIFACT /build/*.iso AS LOCAL build/ ELSE IF [ "$ENKI_OUTPUT_TYPE" == "container" ] diff --git a/tests/assets/keys/KEK.auth b/tests/assets/keys/KEK.auth new file mode 100644 index 000000000..030624026 Binary files /dev/null and b/tests/assets/keys/KEK.auth differ diff --git a/tests/assets/keys/KEK.der b/tests/assets/keys/KEK.der new file mode 100644 index 000000000..ee1e02b50 Binary files /dev/null and b/tests/assets/keys/KEK.der differ diff --git a/tests/assets/keys/KEK.esl b/tests/assets/keys/KEK.esl new file mode 100644 index 000000000..337a4ad30 Binary files /dev/null and b/tests/assets/keys/KEK.esl differ diff --git a/tests/assets/keys/KEK.key b/tests/assets/keys/KEK.key new file mode 100644 index 000000000..02b29262c --- /dev/null +++ b/tests/assets/keys/KEK.key 
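Review bot: The new ELSE branch silently signs the UKI with the committed test keys whenever neither `ENKI_CREATE_CI_KEYS` nor `ENKI_KEYS_DIR` is set, so a build that merely forgets the flag produces an image whose PK/KEK/db private keys are public in this repository; that branch should fail closed, e.g. `RUN echo "ENKI_KEYS_DIR not set; refusing to sign with the public test keys in tests/assets/keys" && exit 1`, and the CI workflow in this same commit already passes the directory explicitly. The fallback also does `COPY tests/keys/* /keys`, while the keys this commit adds live under `tests/assets/keys/`; unless a `tests/keys/` directory already exists in the repository that COPY fails at build time, so the path should be `tests/assets/keys/*` if the fallback is kept at all. A comment on the `ELSE IF` branch noting that `ENKI_KEYS_DIR` is copied verbatim and must contain the `db.key`/`db.pem` pair enki expects would also help callers. The `uki-iso` target continues past the end of the hunk.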
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC8bFfSu9aD+m6/ +Avjvo9U4YSgSJHxcDDd1Qb/6xSf6SjF7ZiK3/BysIPRMMCKvRn4L6Jx8T8pBCoKs +/kvAvtkMTjy8awQIFWIUKj5B5mwN9CbtGwuzbb/60YT7Y4NegLRDP/E+SQWOdmA9 +DsXcS5wT+rYLG/iBQkXQN+isAaso2SSFunQqogvmbJwPgKcp8YFrF7brDBGeDmws +cYF29qu6DAVgP9wzZgm6yoSaMRu0zOCoCX7MQZadnPDj7iOu8vGXBQ84SW3XEpbb +o50FA+cRlHi2/KssX53ElQCtTlktIWDQGPY2j7GWDyAkjqbUoL5cDYiQLLSq8J0l +RkFmSOaDAgMBAAECggEAU2MRVNo7O8o7c74xhAB57ssUjD7oaGYhrvtrpmPVZu+p +yWYwjEL/P3AQHZ2Z4/7q7oNBqcQ4CqPHpB6gUMtFTCxdtbcYoCkycCEnz0tV27EG +/xzeh0hVU3+g/g4Sx+JmpHJqZbm0Q1GBEtR0XSN7Dd6A7RayWiYFtnnftyu/30HB +asHzD/TRVs/RQ4oxJDf1mlF2MJSI2XhBQ0OHaElOJEi9q5FiAUI8VTUG8bqNJrJV +D8wg5AmUPAfVQs/o6ehy1rxt8Gh8pNzgGm7wIwLtqFIjk6/l8U1t10YzdTIrO1wp +kTOirTJCNANmGQPrzXxlUXgi1r5a48c6diXpstuoMQKBgQD+SueHkzpkqYYeYHR9 +zIFZ0cYVT51xchDJh6ghnCKNTQrEqz/tNZkAmpw3PXMdgqniRCTy7QiMaWJ73moh +NdgY1h1OLUcEymaRZ542ZfIQuUJUf3j/02LfTUCfQ2ivEOmzgE+teCryMPTEjuJ3 +o0f252iwcDB4K+rSPW4p49SXEwKBgQC9sDfDrUqTe6WO2AMEBVFQ/0umt6PEMDxD +CN9UMlQT2vHVTr+Zz1BdWU/PjRtsOHzOQg8cUQcfnJ1WitNU5G6iekXp8lA/HtUV +I75Xo4fpnrNv5sGc2knCMGq+sFcpM/q7AvnhMCQ45N2u6qZWoEW4UJ+QMbvVGeRH +1TikX8Iw0QKBgDXpH2jIt8p7fimWfVvmLU4jgQEnndNdQV3YWra1aUXXnX7QZ38c +q9FK9e9oIa2R8/46QDMYOYW7Gdv07T8ZMTUiv5fBVZsYZeJRu2MA/e65t+w+EiL6 +Z627rQWWvuzOgx1BCKNYJJKv+lRpjm2aujkIGlO9lSkE9oWX7HEJEhrtAoGAKKv0 +CPzLFLxaTzp5yw7o1Jkou2J8tsAw656nZAI2jNtRJw9vfac58AoKVtJGovmpqP/5 +BXVKNbj682do0Lb6EdRt0S+njSErRxEW6uuhZLImf0PXF66mSgDfomtlBOykQhzt +Px93ZMuNzMd7Su+qg06mJ+DCCXs3uz84meX+WUECgYEAwZM6yUPf6Mn5+CXYAByx +1SK+a03d0PrGTi6encdHv7USY0Rjc2G9Q9xGiFUnMKCGHXcDIBCJBIrSsdJ0ue8r +xwcHRf8fjhgYc/8jI1dMzjW8LGcHGwgpP0XCggWx/O8OIlB2wJ3llkB0VnKsI2Ja +nBcowQyqGpjvqczU5UgULlg= +-----END PRIVATE KEY----- diff --git a/tests/assets/keys/KEK.pem b/tests/assets/keys/KEK.pem new file mode 100644 index 000000000..3fcdb77d0 --- /dev/null +++ b/tests/assets/keys/KEK.pem 
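Review bot: These are Secure Boot PK, KEK and db private keys committed in the clear, and nothing in the tree next to them says they are test material; whoever enrolls the matching `PK.auth`/`KEK.auth` into firmware (a tester's hardware, a CI VM image that later gets reused) hands Secure Boot ownership to anyone with a clone of this repository. Add a short README in `tests/assets/keys/` stating that the keys are test-only, must never be enrolled on real hardware or used to sign release artifacts, and how they were generated (the `enki genkey` invocation, presumably, given the CI-keys branch in the Earthfile). Expect secret scanners such as gitleaks or GitHub push protection to flag these files; an explicit, commented allowlist entry for this directory is better than teaching people to dismiss the alert.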
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIUMUBDt54lTob8pbEBlB3I1KdZMfcwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNS0FJUk9TX0NJLUtFSzAeFw0yNDA2MTAwOTU4MzNaFw0y +NTA2MTAwOTU4MzNaMBgxFjAUBgNVBAMMDUtBSVJPU19DSS1LRUswggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8bFfSu9aD+m6/Avjvo9U4YSgSJHxcDDd1 +Qb/6xSf6SjF7ZiK3/BysIPRMMCKvRn4L6Jx8T8pBCoKs/kvAvtkMTjy8awQIFWIU +Kj5B5mwN9CbtGwuzbb/60YT7Y4NegLRDP/E+SQWOdmA9DsXcS5wT+rYLG/iBQkXQ +N+isAaso2SSFunQqogvmbJwPgKcp8YFrF7brDBGeDmwscYF29qu6DAVgP9wzZgm6 +yoSaMRu0zOCoCX7MQZadnPDj7iOu8vGXBQ84SW3XEpbbo50FA+cRlHi2/KssX53E +lQCtTlktIWDQGPY2j7GWDyAkjqbUoL5cDYiQLLSq8J0lRkFmSOaDAgMBAAGjUzBR +MB0GA1UdDgQWBBS3vGrB+78d2hPvFUqPdRDH5LJ92DAfBgNVHSMEGDAWgBS3vGrB ++78d2hPvFUqPdRDH5LJ92DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQAOSagDcBl4iKRpdO8zPoyxFdS8LDzXGdjuerY0ZvjBn4AC7WWuXiBEWcef +0JqLFO+F5THlQyRmap/TlYV29IL5sndnGcHMY5eFOohZ8LGxF65hBtCArzx3XXgd +a2tF3B66ezv5c8zy/h4FQsstxcxnYhT9MbOTED8jDhk9QZ8W1SqJMcVgyM4G3dMK +qraDLcMOcRYG09gst45ztR8wopvfUivnQEKxEwBf++O701oNAm8tRdPoBGFp6RhH +y6yKuGZ/aHjhHgmEhBskeRYJ/Z6cycPoICOpwMCKFEivCthYAcWDCqvPLFMlCP5N +RIFEURjUHJIhE1lEnxWedMb2+sSI +-----END CERTIFICATE----- diff --git a/tests/assets/keys/PK.auth b/tests/assets/keys/PK.auth new file mode 100644 index 000000000..2eee105a3 Binary files /dev/null and b/tests/assets/keys/PK.auth differ diff --git a/tests/assets/keys/PK.der b/tests/assets/keys/PK.der new file mode 100644 index 000000000..dd9fae0ce Binary files /dev/null and b/tests/assets/keys/PK.der differ diff --git a/tests/assets/keys/PK.esl b/tests/assets/keys/PK.esl new file mode 100644 index 000000000..a3375ae99 Binary files /dev/null and b/tests/assets/keys/PK.esl differ diff --git a/tests/assets/keys/PK.key b/tests/assets/keys/PK.key new file mode 100644 index 000000000..861f3ffeb --- /dev/null +++ b/tests/assets/keys/PK.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCstLLWPl829fk4 +sNSkB+QAeqTkMnFxuePdnuQeB8DNfP/b3MVNw/J34S5krIvza0LfsLru53T4Rt05 +ybHqkxensAkFpB3cw22Lu0CfYazHjBdr4tt/0Jitcp+Rg1nLEBHMFmthc01Og6Lw +qun7EnAwmzcEtJkWiou+F2/gd1DnkORcMFxUxnfBi770o+P2kGHCSKtKxn36XnZ4 +3FS+bDm/EV6mnk2jIn4n2Z+mOWvJgacHYReriguZ+XahH361lIT4x3skATcXTiKP +dWBv+Z0jTmesL/oXxM4T7ZaQUG0YifaO0hn15UeiBzpBVQJxm6NnaBKVM4HeQ9DO +K2H0fGhvAgMBAAECggEAIxPkiu1KK4CUKPaJifNsVMiUOyEft4iZBodiL9NFTrdH +xGE31c6prb2XzazaFAvCHmrn3OQ39sF152nW8B0GHfH8MyAdTJyI4Guc+YI+NJ14 +mFoQWQqGKBxy2nxCPaM66ifXkYh4uCy2aIleUrdw//5Wk2cW/OQQ9AAQohe53/5R +aNwd1W2wi+XhCUmvz2uNXFv6NEUZkqO29IhCR8Xxwodl3A99gPY5KZtgcgN1qsHn +PZA9yO5/b8XMD6epNKPOu8BNb/yAbkda7sgEC0uuh/IDGI5weS9ERU7POs0Ci5b3 +dyM+uJK3BlKn42XbFKaFs33aDcNsuRuPufaoJvzBoQKBgQDTj2GX74XQQeulvYs6 +6CYgdT6ZlgTBRBUqPFgBlO29aIF/naAAcpygI69pndsl/wPxzVFkedXwOAHsmU2q +C3sJzZhHNA2ooQNgu5bXDXqYeLekB34Q2qvJKBKiCphMi1yEe4/U8g88eZsV64Z2 +noZtEreVhp+ISwEOkGjppBTXPwKBgQDQ+++LdSqxC693X3hWuJz5gj+U4l6n43n7 +eb+GdCsffsEZJWSCh/BG1ckgN0Iag6rE33L4T7g3L/CA3giMjp3PkXD+HrmtwdIv +stk7X3Z2lgAAinOxveGy2K3iPXCiZVZ3hBSiXyRsLwZ1CFM9QE9r3380gE7iKM4U +ga4yblnS0QKBgGsBTp+GquwXK5V9NXrqCL7KDouocWc/hGUEeI70QPtYbIebtl4D +mmz1H7gP+9RQFDKtYsmrRiZmbbK6J6omfGkM8ESzc2Uja4310+maC7Qq+tegYocr +00+/UQ1cxoOQyY7I4IsYk9RGvcZshmpg7CUnHmwm13IcXcB8ElR6hYAJAoGBAJO/ +Gaqxih4jEclGULCW0ju/7q2WoK73Lp0whMxMwtQAbAoYGogCDUg3CnthNbXDEm8f +Pov46Fbz6Idi8g5VIZLG02iFVmZWmf+o5NWJ9xl9kMDRIVwuzyr+72f8Ye4d0NSs +J15n/zsQv/LrkNXD6qJsHuWCNMLFcHSk/f+fbpeRAoGASaeebhUJGEFbj1Ug55X1 +99rl61rOAaDsywou7YfYLOq4QbUh+170G/7u/DlrSxtaRWIl+KPwt0ssxxiAY3Mv +Y3WBtJgcJaaF8QkxG/ewG2tkJVaZArE7gJ91ej8lWXXbiYAdLr7Pqvxwjv4iml9l +WE80UL6y2ZskbhFSN31cjdQ= +-----END PRIVATE KEY----- diff --git a/tests/assets/keys/PK.pem b/tests/assets/keys/PK.pem new file mode 100644 index 000000000..253201eae --- /dev/null +++ b/tests/assets/keys/PK.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDzCCAfegAwIBAgIUU+cS7y3oMfE4GnzsP01js+VKHWIwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMS0FJUk9TX0NJLVBLMB4XDTI0MDYxMDA5NTgzMloXDTI1 +MDYxMDA5NTgzMlowFzEVMBMGA1UEAwwMS0FJUk9TX0NJLVBLMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEArLSy1j5fNvX5OLDUpAfkAHqk5DJxcbnj3Z7k +HgfAzXz/29zFTcPyd+EuZKyL82tC37C67ud0+EbdOcmx6pMXp7AJBaQd3MNti7tA +n2Gsx4wXa+Lbf9CYrXKfkYNZyxARzBZrYXNNToOi8Krp+xJwMJs3BLSZFoqLvhdv +4HdQ55DkXDBcVMZ3wYu+9KPj9pBhwkirSsZ9+l52eNxUvmw5vxFepp5NoyJ+J9mf +pjlryYGnB2EXq4oLmfl2oR9+tZSE+Md7JAE3F04ij3Vgb/mdI05nrC/6F8TOE+2W +kFBtGIn2jtIZ9eVHogc6QVUCcZujZ2gSlTOB3kPQzith9HxobwIDAQABo1MwUTAd +BgNVHQ4EFgQUtmAkIdYJrjZlfKaZOAenYbMwA3YwHwYDVR0jBBgwFoAUtmAkIdYJ +rjZlfKaZOAenYbMwA3YwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC +AQEAInJofnWsIUqYVgfBelOdLMxSLECV4R7t4TaSZSq/4YtrqlUh5SM9yvAP/5aZ +E0Pn+VTQkkT3xSJW1aaKBn1lAq61GSK1OwnQp1bhO3gzLUR9cmzYvuoebKpHgU+B +U2NU34lb4Q/p5pezBYKve/5jTTYNrqX3CgrWYSgnVXzadbJAcNS09O/Hswp6bBEQ +j1Hr0BiMsX6EFeMI667VgRSjI1qoU+ApKMy3mMnzK7ZF37caLu2f3ed6ndXnmE71 +31j5bPptM7SKcd0el4qwgurcKZ9Uy5N0CwtKelcMaD0LvkzBwpvUEUkXF//dcPxb +46CM613xNzOHsfhZ1xvi7E0duQ== +-----END CERTIFICATE----- diff --git a/tests/assets/keys/db.auth b/tests/assets/keys/db.auth new file mode 100644 index 000000000..d161a171e Binary files /dev/null and b/tests/assets/keys/db.auth differ diff --git a/tests/assets/keys/db.der b/tests/assets/keys/db.der new file mode 100644 index 000000000..3415baa4a Binary files /dev/null and b/tests/assets/keys/db.der differ diff --git a/tests/assets/keys/db.esl b/tests/assets/keys/db.esl new file mode 100644 index 000000000..a10d2c80d Binary files /dev/null and b/tests/assets/keys/db.esl differ diff --git a/tests/assets/keys/db.key b/tests/assets/keys/db.key new file mode 100644 index 000000000..69d637ec0 --- /dev/null +++ b/tests/assets/keys/db.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVDleYrfrGEHF0 +XZEEcp+hcAthfF3FRb42oed+S8ztCDtYScbV2/zNqo8a8/St4Ovt0w/6YjoEQEjp +NS2ODOhWuS/7rlr/sKH5MzGAvv1E2ftS/uoxMer/pOLtTYyil86f1oKR4vOCmkFi +JNbDjB0qX9IRYUR6sXY70lqg16VSWkG5mvHcHojITwmb858ZZzWQZbDBo3126GNG +PRspznGqut6bwVzU7zVXqjQu7zl1gQRe7oRVSnWG+aPaWpSMRx54pl59TtlYPHN3 +uBuX1XnQD4klTNcHGgv7TBkX23R7uHXD2EP1BDwBjHWITEoGdvzXnUueuPR2mpy6 +223ppYojAgMBAAECggEAOLOQgf2o+GB38EbJrDH4ZJ6tTaPUPf+WaMz1NXebWI35 +mU/TajY5uHkJ4DxuVxjJVxqjqOFl5YkY01IN5swlNBxVUv4UEtE8BILDcZD14pOz +hfJ/3z/4f9BXHOOTvKRYDzi4ScvWS1fnyHBwHEo4LA7wZ/ki5jOM4RvXqvjtpGIp +no/FtAw4Ef157cQfsf6fg9TwKEY023aC49Mtw6OwxrnxeNemAWq15qXCwQ9bMNjn +zigsdpizrX9IyG1xYQMCTlI0v2W9dm2H6oaH8QzwSfuLDaBIVOe1QpxNoUxdfWdh +1z9iWu+bzt4SomOMYN2feuaDuYptqd49dqjfl+NvRQKBgQDFgDeJb0Y8JAyLAXBX +VLhDm6mvRlaR9JCz/d7RyTBVs5uAGhbQFmnFT9QRctvd6ugvbIcu/JobYR+i0PaE +rak3/P45w1Pu6vDVyJpyM4/VMvFoJ5FWBtYspB9o3kmtbYROlsfDXn2mlg1Ag1wn +CpaXFKfoXOs4kPwziWg4uzwpzwKBgQDBNLo9vExwyOcPIYCpif7QVQSVgCS7jvVy +cCcwmJzKZJFNQe7ouAtxq36x4+vsfXe5dmVQe0Q6BprS7cGB/AL8W1YgvHCIeTo8 +8DgP/TFFmYUxo81cgTOkK33T9VhjikzocbPGuVjDTh6sJ8WvCZhms21rrTtKyS5Y +y5pmcnSzbQKBgCQqe4EGSGVA8K8Pv2OuluOCgMsg5T9q+oiLR59A6UH4VtRZcq3+ +PLYuDRZ44vw7RPNSO1sGVK4I1gM5orrfFiqzgFZRh3Arw5hSWL3q5T7USlKZVErd +i6C3GS1Z70H72QuPHtuO1RGJTrnulBRuIu9dj/XD9irwmc5SLiydVMIPAoGAdPp3 +yOk5XxBE1eRzAjOLFJhlLh9oHidwdNly4PmF9QTu9Nf2zvCf/TLYgtx8+7L7yk7l +CNWZeYiGNS+++fSb2i9y9l8hw3+iw0Kurv+d1YYeHvAOZvPTUJMEnFDwM1SJPDOb +pbaTB61E5PcvucsVexkoJwm73Ivyg9DCq0ShZAECgYACNDEEm8nOIe0SBuJwnw6m +JoNsGRA/KZXf4UReCyF9wBPC8zJBT/SPAnTEbVT2KGJFf5Dyxtf7fzVcFQfwC0Zg +05+of1QM2ecYZU3+dVzH8sIMv8/12QK9RZRtYS8GHtHNT1Dcsf+KgAnOptIqAthl +M9kw7VPGa1tWmz95+hWipA== +-----END PRIVATE KEY----- diff --git a/tests/assets/keys/db.pem b/tests/assets/keys/db.pem new file mode 100644 index 000000000..698392968 --- /dev/null +++ b/tests/assets/keys/db.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDzCCAfegAwIBAgIUfqMek+uFdfZ70LkedVnY63e68okwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMS0FJUk9TX0NJLWRiMB4XDTI0MDYxMDA5NTgzM1oXDTI1 +MDYxMDA5NTgzM1owFzEVMBMGA1UEAwwMS0FJUk9TX0NJLWRiMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlQ5XmK36xhBxdF2RBHKfoXALYXxdxUW+NqHn +fkvM7Qg7WEnG1dv8zaqPGvP0reDr7dMP+mI6BEBI6TUtjgzoVrkv+65a/7Ch+TMx +gL79RNn7Uv7qMTHq/6Ti7U2MopfOn9aCkeLzgppBYiTWw4wdKl/SEWFEerF2O9Ja +oNelUlpBuZrx3B6IyE8Jm/OfGWc1kGWwwaN9duhjRj0bKc5xqrrem8Fc1O81V6o0 +Lu85dYEEXu6EVUp1hvmj2lqUjEceeKZefU7ZWDxzd7gbl9V50A+JJUzXBxoL+0wZ +F9t0e7h1w9hD9QQ8AYx1iExKBnb8151Lnrj0dpqcuttt6aWKIwIDAQABo1MwUTAd +BgNVHQ4EFgQU23PcavDaK0WtTBTe5LGSptTbrEAwHwYDVR0jBBgwFoAU23PcavDa +K0WtTBTe5LGSptTbrEAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC +AQEAWyB/Wjhj86VOJV+wDGzkr7aN9QikCOJWP6nU65D/5eWuqPJv/pQLCh6LG9tH +bS2UFT38gr/7/eiWWi+Gg39jG9Tk6BSMsmVf6tgXdx+HbkR09HlI1sz2BZZjYLME +W1ogZiV18tC0D84qY9uknRmPLwWvRg+Y7iekOqlIRxwbZKw2Xvb2rV87cxCKRheG +PZODgNiwXxMoQDibqjFSGm5xEKKhYt34K5HkIwYMX1+TtKiE7jhKPQuREy5iNXUk +faJR1tUxIfS/Ha3XVjDtjTdbFfp1TRXb397xHwFQmmrHgioD5DTLp6ETuevQy8aV +EbG606xkcgNeAIPlORjC6tfLng== +-----END CERTIFICATE----- diff --git a/tests/assets/keys/tpm2-pcr-private.pem b/tests/assets/keys/tpm2-pcr-private.pem new file mode 100644 index 000000000..f47813563 --- /dev/null +++ b/tests/assets/keys/tpm2-pcr-private.pem 
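Review bot: The db certificate is self-signed with a one-year validity, notBefore 2024-06-10 and notAfter 2025-06-10 (decoded from the Validity field on the second and third body lines), and per the sysext README in this commit it is the key `work.sysext.raw` is verity-signed with. UEFI firmware generally ignores certificate dates, but if any verifier on the sysext path — systemd's roothash signature check or the kernel keyring it consults — enforces notAfter, this test starts failing in June 2025 with no code change and no obvious cause. Either regenerate the test CA with a long validity (e.g. `-days 3650`) or record the expiry and the regeneration command in a README next to the keys so the failure is diagnosable when it happens.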
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQ04ekTiLTJila +VIaen8f1oJQVI9LLAt3FKzd5sd8LIJg4GZmZ2axz4Y9N3cNKbW5vom9gxYzk+oWt +MFZ1Y68RcK+mIoFDAKKIe4U/mASnAd9i7mHq4rXfdEBiTLYrERRKWcLEwcsYkRln +Sm2gWDilMh8cQXsFSAOdEIvqey2dCO5qnfljVce/NHuFshfHVMvR9u2YcCSrhfOO +perMYkIQjhhvBZ/x+flVLGd6dI1uyFsLwyAQDRajl0Fy5TnlZehUcejXplFj6fqi +QsnsjSlym71TdYdBHH1ppPhvPoF4ixdcDxe420cAYNFBL4kfs3SgwD/vTye5+8PD +E/K1iD2tAgMBAAECggEABtHVpO3BUOR25sKKZ+0/ZjvhgiQ6mtMj42/DHsgKiO4+ +UlyxqbbUXS9xUuFqYoia2e3z1bT14jd1PJ/uvuQrwDXOIq6PSp0fcbYY9qf0BPE4 +dp5i170iI+NDxAIN0++5mij+xZavl4SLkBY76Mfgx7JQlkdkKVq99XfoHdb6eR2V +smIs821YSqEbFLN7BbZAMTVk4n8loqEC7zba3bpk4LoVoaPqMAILRjAun9xHXoAi +LBLwajdkUz9IU+8/jgg07+u5C1cQO9Q+i5KAcQDoUgozaembWsvQofgSwyKlm8sx +4gDzqoDbf1xmakyHbD8DH8pMexEuVsfybUMaP6LKuQKBgQDtHu6izdqdI/RDjo1I +I1YKYaji3KK2fC2kDBVr1KRTif3Kz66rD4Lk9AM7tcoGL1cAQIFsAfoKJie59Mt6 +5ZNM8Sdxg+3f0YzA59j2U2HrKaDquvhInzjikGMyaLa/C/5PW0Q3ZhJ47z2RZoMY ++m0liV3APLBP7Rqwy10X/r8itQKBgQDhc+PO13i/fy8mE5qphWbMvzVrqZZz7Fg2 +moq+tgswRJog3E50biylppIu19h2Or9pLrNtC+oi7jeSWfBNPpZ5wvYkyX7mvqc4 +foMQJr9+Z0yF+HIWuTFzdlfIz7qYatbM0tntVikfYIrj6I4mT91Gacbhfyr62emh +o9UsvUyyGQKBgQCz3/og8E29VM/wC4xrQ7r6RxkpdzvLeKnavvvk/7rkUFKA7kjP +JQYjjmOBgSbOyEyUOVq0R0+ZMVaDfwp4oPy7qlhEiVMCrWC72WTBf4FRNhQG3GyK +EpbBb8yAKeUvSfbR1icKa1jp+npW+U/Lu/TeO7UtphwNlYzgvnRRRoNR3QKBgCzL ++DH7QnTacqXgM1UHurtoKtcvpUN3bLe80WC/j02R9AYfgD9GPPzVMiq4nLwxRCNE +MkaynV0/dC9SS5stmnyrLnl0yBBVRajGCojFCju1jtD34sN9HMRSeXLfQ7ZRVEjy +hHbSLe2cIzzR0pzuNYtuLSRVPlcFwZRql0sCeiDRAoGAEQOkDE1OuLtyVUeD6oDy +UYfM3/R+5z6I+o+tgt1cAs5XjMtgqd+jcADmmf1m9hiIhfh4dvmROivGplDpbvCp +mMRCVUSsUwfF30OkMZRsL4ENeE1VZHIXpd+Xkyfvu2T1FXzFH/Au90WwtaSzaQkq +NW993CKDQcPF6mXlYRheMHQ= +-----END PRIVATE KEY----- diff --git a/tests/assets/sysext/README.md b/tests/assets/sysext/README.md new file mode 100644 index 000000000..53c081ebe --- /dev/null +++ b/tests/assets/sysext/README.md 
@@ -0,0 +1,35 @@ +This folder contains 2 sysextensions + +work.raw contains a simple script called `hello.sh` that prints "Hello World" to the console. +hello-broke.raw contains a simple script called `hello.sh` that prints "Hello World" to the console, but it is NOT signed or verity checked. + +Both extensions need to have a `extension-release.NAME` with `ID=_any` for it to be identified as a sysextension. +Full path on the image should be `usr/lib/extension-release.d/extension-release.NAME` + +work.raw is verity+signed with the db.key and db.crt test keys found under tests/assets/keys + +The idea is to copy them into the Kairos iso overlay folder and test the verity+signed sysextension loading. + +immucore should only copy the valid ones and ignore the invalid ones. A warning should be logged in the immucore log. + +The test idea is as follows: +1. Copy the sysextensions to the overlay folder on test preparation +2. Build the uki iso with the overlay files on it and sign it with the same test keys +3. Boot the uki iso and check if the sysextensions are loaded correctly +4. Check if we got a warning for hello-broke.raw +5. Check if the work.raw extension was moved onto /run/extensions and loaded correctly +6. Check if the hello.sh script is executed correctly, as it should be loaded +7. Check if the sysext service is running with the override from kairos with the policy + + + +The sysextensions are really stupid, its just a /usr/local/bin/ dir with a hello.sh script on them. +work.raw was built with systemd-repart so it would be verity+signed +```bash +systemd-repart -S -s SOURCE_DIR OUTPUT_FILE --private-key=tests/assets/keys/db.key --certificate=tests/assets/keys/db.pem +``` + +The other one was built with [sysext-bakery](https://github.com/flatcar/sysext-bakery) which makes it easy to build sysextensions, but doesn't have support for signing or verity yet. So its simple to generate images with it but they wont work on UKI. +```bash +bake.sh SOURCE_DIR +``` 
diff --git a/tests/assets/sysext/hello-broke.sysext.raw b/tests/assets/sysext/hello-broke.sysext.raw
new file mode 100644
index 000000000..8ae752195
Binary files /dev/null and b/tests/assets/sysext/hello-broke.sysext.raw differ
diff --git a/tests/assets/sysext/work.sysext.raw b/tests/assets/sysext/work.sysext.raw
new file mode 100644
index 000000000..497e0e0fa
Binary files /dev/null and b/tests/assets/sysext/work.sysext.raw differ
diff --git a/tests/uki_test.go b/tests/uki_test.go
index 288e4ed2d..e567945de 100644
--- a/tests/uki_test.go
+++ b/tests/uki_test.go
@@ -1,6 +1,7 @@
package mos_test

import (
+ "encoding/json"
"fmt"
"os"
"path/filepath"
@@ -39,7 +40,7 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
if CurrentSpecReport().Failed() {
gatherLogs(vm)
}
-
+
err := vm.Destroy(nil)
Expect(err).ToNot(HaveOccurred())
})
@@ -168,12 +169,66 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() { stateContains(vm, "kairos.flavor", "alpine", "opensuse", "ubuntu", "debian", "fedora") }) + By("Checking sysext was copied during install", func() { + out, err := vm.Sudo("ls /.extra/sysext") + Expect(err).ToNot(HaveOccurred(), out) + Expect(out).To(MatchRegexp("hello-broke.sysext.raw")) + Expect(out).To(MatchRegexp("work.sysext.raw")) + }) + + By("Checking sysext was copied during boot", func() { + out, err := vm.Sudo("ls /run/extensions") + Expect(err).ToNot(HaveOccurred(), out) + // Should not contain hello-broke.sysext.raw as it didn't pass validation + Expect(out).ToNot(MatchRegexp("hello-broke.sysext.raw")) + // Should contain work.sysext.raw as it passed validation + Expect(out).To(MatchRegexp("work.sysext.raw")) + }) + + By("Checking that sysext was loaded", func() { + type sysextStatus []struct { + Hierarchy string `json:"hierarchy"` + Extensions any `json:"extensions"` + } + + // when calling the status we need to set the hierarchy env variable so it can find them + env := "SYSTEMD_SYSEXT_HIERARCHIES=\"/usr/local/bin:/usr/local/sbin:/usr/local/include:/usr/local/lib:/usr/local/share:/usr/local/src:/usr/bin:/usr/share:/usr/lib:/usr/include:/usr/src:/usr/sbin\"" + out, err := vm.Sudo(fmt.Sprintf("%s systemd-sysext --json=short", env)) + Expect(err).ToNot(HaveOccurred(), out) + // marshall output to struct + var sysexts sysextStatus + err = json.Unmarshal([]byte(out), &sysexts) + Expect(err).ToNot(HaveOccurred()) + // check if sysexts are loaded + for _, sysext := range sysexts { + if sysext.Hierarchy == "/usr" { + Expect(sysext.Extensions).To(ContainElement("work")) + } + } + }) + + By("Checking that we can run a command from a sysext", func() { + out, err := vm.Sudo("hello.sh") + Expect(err).ToNot(HaveOccurred(), out) + Expect(out).To(ContainSubstring("Hello world")) + }) + By("rebooting to recovery") out, err := vm.Sudo("kairos-agent bootentry --select recovery") 
Expect(err).ToNot(HaveOccurred(), out) vm.Reboot() vm.EventuallyConnects(1200) + By("Checking the boot mode (recovery)", func() { + out, err := vm.Sudo("stat /run/cos/recovery_mode") + Expect(err).ToNot(HaveOccurred(), out) + }) + + By("Checking sysext was not copied during boot", func() { + out, err := vm.Sudo("stat /.extra/sysext") + Expect(err).To(HaveOccurred(), out) + }) + By("resetting") out, err = vm.Sudo("kairos-agent --debug reset --unattended") Expect(err).ToNot(HaveOccurred(), out)
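Review bot: The hierarchy loop in "Checking that sysext was loaded" can pass without asserting anything: it only inspects entries whose `hierarchy` is `/usr`, but the `SYSTEMD_SYSEXT_HIERARCHIES` value set just above lists only subdirectories such as `/usr/local/bin`, so if no entry is exactly `/usr` the step passes vacuously and an extension that was never merged goes unnoticed. Track whether a matching entry was seen and fail if none was, keyed on the hierarchy the extension actually populates (the sysext README in this commit says `work` ships `/usr/local/bin/hello.sh`, so presumably `/usr/local/bin` — confirm against the `--json=short` output). Two smaller points: the last step matches `Hello world` while the README says the script prints "Hello World", so one of the two is wrong; and because both images ship the same `hello.sh`, a successful run cannot tell whether the signed or the unsigned image provided it — giving the unsigned image a distinctly named script would make the rejection observable rather than inferred from `ls /run/extensions`. The enclosing Describe block starts and ends outside the hunk.
```go
// … unchanged: systemd-sysext --json=short call and json.Unmarshal into sysexts …
found := false
for _, sysext := range sysexts {
	if sysext.Hierarchy == "/usr/local/bin" {
		found = true
		Expect(sysext.Extensions).To(ContainElement("work"))
	}
}
Expect(found).To(BeTrue(), "no /usr/local/bin hierarchy reported by systemd-sysext: "+out)
```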