diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh
index ad7d57d..c08f0d8 100644
--- a/pkgs/image/mkimage.sh
+++ b/pkgs/image/mkimage.sh
@@ -12,23 +12,6 @@ find rootfs/ -type d -exec chmod 755 {} \;
 # set default target to multi-user
 ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
 
-# Overlay mount for /etc which makes it read-write in runtime
-cat <<EOF > rootfs/usr/lib/systemd/system/etc.mount
-[Unit]
-Description=Overlay mount for /etc
-Before=local-fs.target
-
-[Mount]
-What=overlay
-Where=/etc
-Type=overlay
-Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work
-
-[Install]
-WantedBy=local-fs.target
-EOF
-ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount
-
 # enable dbus
 ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
 ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
@@ -40,8 +23,9 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar
 # enable default network config
 mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
 
-#FIXME: generate a temporary machine id (replace with overlay/confext later?)
-$systemd/usr/bin/systemd-machine-id-setup --root=rootfs/
+# enable confext/sysext services
+ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
+ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
 
 # install sys users
 mkdir creds
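Review bot: Enabling `systemd-confext.service` and `systemd-sysext.service` in the added lines means that, by default, extension images and plain directories found in the extension search paths are merged over /etc and /usr at boot, and nothing in this hunk restricts that to verity-signed images. If the `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y` change in this commit is meant to back a signed-extensions-only model, consider shipping a drop-in that passes `--image-policy=` to both services and saying so in the comment, e.g. `# enable confext/sysext services (signed verity images only, see image-policy drop-in)`. It is also worth confirming that `sysinit.target.wants/` already exists in the rootfs at this point, since `ln -sf` will not create it.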
diff --git a/pkgs/kernel/generic.config b/pkgs/kernel/generic.config
index 0220e23..209e026 100644
--- a/pkgs/kernel/generic.config
+++ b/pkgs/kernel/generic.config
@@ -591,7 +591,8 @@ CONFIG_DM_SWITCH=m
 CONFIG_DM_THIN_PROVISIONING=m
 CONFIG_DM_UNSTRIPED=m
 CONFIG_DM_VDO=m
-CONFIG_DM_VERITY=m
+CONFIG_DM_VERITY=y
+CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
 CONFIG_DM_WRITECACHE=m
 CONFIG_DM_ZERO=y
 CONFIG_DM_ZONED=m
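Review bot: `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y` only checks a root-hash signature when one is supplied. Unsigned verity tables are still accepted unless the kernel is booted with `dm_verity.require_signatures=1`, so this option alone does not enforce signing. The hunk also does not show which keyring holds the signing certificate. Unless it is set elsewhere in this config, `CONFIG_SYSTEM_TRUSTED_KEYS` (or `CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y`) is needed before any signature can validate. A line in the commit message stating which keyring and which command-line setting the image relies on would make the intended trust model reviewable.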
diff --git a/pkgs/rootfs/default.nix b/pkgs/rootfs/default.nix
index dd0e2a7..5ac9c6a 100644
--- a/pkgs/rootfs/default.nix
+++ b/pkgs/rootfs/default.nix
@@ -27,10 +27,12 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   libbpf = pkgs.libbpf.out;
   btrfs = pkgs.btrfs-progs.out;
   tpm2Libs = patosPkgs.tpm2-tss.out;
-  tpm2Tools = patosPkgs.tpm2-tools.out;
   kexec = patosPkgs.kexec.out;
   lvm2 = patosPkgs.lvm2.out;
+  # FIXME: remove later:
+  tpm2Tools = patosPkgs.tpm2-tools.out;
   cryptsetup = pkgs.cryptsetup.bin;
+  erofsUtils = pkgs.erofs-utils.out;
 
   builder = ./mkrootfs.sh;
 })
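Review bot: The new `# FIXME: remove later:` comment does not say which attributes it covers or why, and it now sits above `tpm2Tools`, `cryptsetup` and `erofsUtils` alike. From the mkrootfs.sh hunks in this commit, `tpm2Tools` is referenced only by a commented-out `cp`, and `erofsUtils` is installed under its own `##FIXME(remove later)`. Both look like debug-only additions to the image. Suggest placing the marker on each affected line with the reason, e.g. `tpm2Tools = patosPkgs.tpm2-tools.out; # FIXME: debug only, drop with the commented cp in mkrootfs.sh` and `erofsUtils = pkgs.erofs-utils.out; # FIXME: debug only, mkfs.erofs should not ship in the final image`.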
diff --git a/pkgs/rootfs/mkrootfs.sh b/pkgs/rootfs/mkrootfs.sh
index 110b1e4..78d14d3 100644
--- a/pkgs/rootfs/mkrootfs.sh
+++ b/pkgs/rootfs/mkrootfs.sh
@@ -29,8 +29,8 @@ IMAGE_ID=patos
 ID=patos
 IMAGE_VERSION=${version}
 VERSION=${version}
-VERSION_ID={version}
-BUILD_ID={version}
+VERSION_ID=patos
+BUILD_ID=somehash
 EOF
 
 cat <<EOF > $out/etc/issue
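Review bot: `VERSION_ID=patos` and `BUILD_ID=somehash` replace the old broken `{version}` with constants, so every image now reports the same version and build identity in os-release. systemd-sysext/confext match an extension's `VERSION_ID` against the host's (unless the extension uses a `SYSEXT_LEVEL`/`CONFEXT_LEVEL`), so a constant value lets an extension built for one release merge on any other. A placeholder `BUILD_ID` also makes deployed images indistinguishable when tracing provenance. If the constant is not deliberate, `VERSION_ID=${version}` fixes the original typo, and `BUILD_ID` should come from a real build input; otherwise a comment stating why the values are pinned would help. The heredoc this edits starts above the hunk.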
@@ -106,6 +106,9 @@ cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
 cp -Pr ${btrfs}/bin/* $out/usr/bin/
 cp -Pr ${btrfs}/lib/* $out/usr/lib/
 
+##FIXME(remove later): install mkfs.erofs bin
+cp -P ${erofsUtils}/bin/mkfs.erofs $out/usr/bin/
+
 ### install tpm2 tools
 # For TPM debugging
 # cp -P ${tpm2Tools}/bin/* $out/usr/bin/
@@ -119,11 +122,23 @@ cp -P $kmodBin/bin/* $out/usr/bin
 ### install libbpf
 cp -P $libbpf/lib/libbpf* $out/usr/lib
 
+# setup default files
+$systemd/usr/bin/systemd-hwdb --root=$out --usr update
+$systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
+cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
+cp $out/usr/share/factory/etc/locale.conf $out/etc/
+cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
+#Ephemeral machine-id until registration
+ln -sf /run/machine-id $out/etc/machine-id
+
+
 # remove pkgconfig
 rm -rf $out/usr/lib/pkgconfig
 
 ### Find and install all shared libs
-find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/
+find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
+  grep -v util-linux-2 | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \
+  sort -u | xargs -I {} cp {} $out/usr/lib/
 find $out -type f -executable -exec chmod 755 {} \;
 
 # FIXME: ELF patching. Is there a better way?
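Review bot: The rewritten library-collection pipeline still copies whatever `awk '{print $3}'` emits, so an unresolved dependency (`libfoo.so => not found`) produces the token `not` rather than a path. Whether the resulting `cp` failure aborts the build depends on shell options not visible here. Restricting the output to absolute paths, e.g. `awk '$3 ~ /^\// {print $3}'`, and failing explicitly when `ldd` reports `not found` would keep an image with missing libraries from being produced silently. The `grep -v` filters are substring matches on the whole path, so the new `util-linux-2` pattern (like `systemd` and `tpm2`) also drops any library whose store path merely contains that string. A comment listing why each package is excluded would make that intent checkable.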