fs-verity support

[np22-jpg]

From what I can tell, Talos currently doesn’t make use of kernel features such as fs-verity, which verifies the signatures of files through a merkle tree, and makes those files truly read-only.

Fedora CoreOS currently achieves this through composefs. Their docs on it can be found here.

[xyhhx]

it looks like composefs makes it easy to verify/attest digests... maybe a composefs system extension could enable verified as well as attestation by (for example) control plane nodes?