Brussels / 3 & 4 February 2024


UKI addons and extensions: safely extending a UKI's kernel command line and initrd

A UKI (Unified Kernel Image) is a single executable which can be booted directly from UEFI firmware, or picked up automatically by boot loaders with little or no configuration. UKIs are a main building block for Linux on Confidential Virtual Machines, because the kernel, initrd and kernel command line are measured and Secure Boot signed as one unit. However, UKIs are immutable: once created, it is not possible to safely change or extend the kernel command line or the initrd modules without building and signing a new UKI. This session will first review what a UKI is and why it is useful, especially for Confidential Computing, then explain the immutability challenges it brings, the various approaches that were proposed, and which solution is currently deployed. The topics covered are UKI addons, sysext extensions, and SBAT rules.
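A UKI addon is itself a small PE/COFF binary: its kernel command line fragment lives in a `.cmdline` section (alongside an `.sbat` section for revocation), it is signed for Secure Boot like the UKI, and systemd-stub merges the fragment into the UKI's command line when it finds the addon next to the image. The following is an added example, not code from the talk, systemd or ukify: a standard PE section walk that extracts the `.cmdline` of an addon so a practitioner can inspect what an addon would add before trusting it, plus a small builder that constructs a minimal, non-bootable PE-shaped blob purely so the example runs offline. The addon contents, the `merged_cmdline` helper that mimics the append behaviour, and the SBAT line are all constructed assumptions.

```python
"""Inspect the .cmdline section of a UKI addon (added example, not systemd code).

The section walker is a plain PE/COFF section-table parse, so it also works on
real *.addon.efi files produced by ukify.  build_minimal_pe() only fabricates a
PE-shaped blob with named sections for offline demonstration; it has no code,
no valid optional header and is not bootable.
"""
import struct

PE_SIG_OFFSET = 0x3C        # e_lfanew: offset of the "PE\0\0" signature
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40
FILE_ALIGN = 0x200


def build_minimal_pe(sections):
    """Construct a minimal PE-shaped blob carrying {name: bytes} sections (constructed)."""
    n = len(sections)
    header_len = 64 + 4 + COFF_HEADER_LEN + n * SECTION_HEADER_LEN
    raw_start = (header_len + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, PE_SIG_OFFSET, 64)   # PE signature right after the MZ stub

    # COFF header: Machine(x86-64), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader(0), Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0x0002)

    table, body, ptr = bytearray(), bytearray(), raw_start
    for name, data in sections.items():
        size = len(data)
        padded = (size + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (initialized data, readable).
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, ptr, padded, ptr, 0, 0, 0, 0, 0x40000040)
        body += data + b"\0" * (padded - size)
        ptr += padded

    headers = dos + b"PE\0\0" + coff + table
    headers += b"\0" * (raw_start - len(headers))
    return bytes(headers + body)


def pe_sections(blob):
    """Return [(name, data)] for every section in a PE file, bounds-checked."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (pe_off,) = struct.unpack_from("<I", blob, PE_SIG_OFFSET)
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (n_sections,) = struct.unpack_from("<H", blob, coff + 2)
    (opt_len,) = struct.unpack_from("<H", blob, coff + 16)
    table = coff + COFF_HEADER_LEN + opt_len
    out = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_LEN
        raw_name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if rptr + rsize > len(blob):
            raise ValueError(f"section {name} points outside the file")
        data = blob[rptr:rptr + rsize]
        if vsize and vsize < rsize:          # raw data is padded; VirtualSize is the real length
            data = data[:vsize]
        out.append((name, data))
    return out


def addon_cmdline(blob):
    """Return the command-line fragment of an addon, or None if it carries none.

    Only .cmdline is consulted: that is the section systemd-stub appends to the
    UKI's command line, so every other section in the file is deliberately ignored.
    """
    for name, data in pe_sections(blob):
        if name == ".cmdline":
            return data.rstrip(b"\0").decode("utf-8").strip()
    return None


def merged_cmdline(uki_cmdline, addon_blobs):
    """Mimic the append semantics: UKI command line, then each addon's fragment (assumption)."""
    parts = [uki_cmdline.strip()]
    for blob in addon_blobs:
        extra = addon_cmdline(blob)
        if extra:
            parts.append(extra)
    return " ".join(p for p in parts if p)


# Constructed sample addon: a cmdline fragment, an SBAT entry, and an extra
# section that a stub would not honour and that addon_cmdline() must ignore.
SAMPLE_ADDON = build_minimal_pe({
    ".cmdline": b"console=ttyS0 rd.debug",
    ".sbat": b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
             b"example-addon,1,Example Org,example-addon,1,https://example.invalid\n",
    ".initrd": b"not honoured in an addon",
})

if __name__ == "__main__":
    print([n for n, _ in pe_sections(SAMPLE_ADDON)])
    print(merged_cmdline("root=/dev/vda2 ro", [SAMPLE_ADDON]))
```

Point `pe_sections()` at a real `*.addon.efi` (for instance one taken from a `<uki>.extra.d/` directory on the ESP) to list what it carries; note that the parser only tells you what an addon would append, while whether it is applied at all is decided by the Secure Boot signature check the stub relies on.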


Emanuele Giuseppe Esposito