diff --git a/mkosi.conf b/mkosi.conf
index 2fe5012..7ed69ce 100644
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -20,9 +20,12 @@ Output=%i_%v_%a
 [Content]
 UnifiedKernelImageFormat=%i_%v_%a
 KernelCommandLine=
+ root=dissect
+ mount.usr=dissect
 rw
 audit=0
- systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted:swap=encrypted+unused+absent:home=unprotected:=ignore
+ systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore
+ systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-*
 InitrdProfiles=
 KernelModulesInitrdExclude=.*
 KernelModulesInitrdInclude=default
diff --git a/mkosi.uki-profiles/10-live.conf b/mkosi.uki-profiles/10-live.conf
index 2a8d40e..50c18ba 100644
--- a/mkosi.uki-profiles/10-live.conf
+++ b/mkosi.uki-profiles/10-live.conf
@@ -7,6 +7,7 @@ Profile=
 Cmdline=
 root=tmpfs
+ mount.usr=dissect
 rd.systemd.mask=systemd-repart.service
 systemd.mask=systemd-repart.service
 systemd.firstboot=no
@@ -18,5 +19,6 @@ Cmdline=
 rw
 audit=0
 systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:=ignore
+ systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*
 SignExpectedPcr=no
diff --git a/mkosi.uki-profiles/80-storagetm.conf b/mkosi.uki-profiles/80-storagetm.conf
index b148976..e54f7a9 100644
--- a/mkosi.uki-profiles/80-storagetm.conf
+++ b/mkosi.uki-profiles/80-storagetm.conf
@@ -11,5 +11,6 @@ Cmdline=
 ro
 audit=0
 systemd.image_policy=-
+ root=off
 SignExpectedPcr=no
diff --git a/mkosi.uki-profiles/90-factory-reset.conf b/mkosi.uki-profiles/90-factory-reset.conf
index 7b314e7..267f49a 100644
--- a/mkosi.uki-profiles/90-factory-reset.conf
+++ b/mkosi.uki-profiles/90-factory-reset.conf
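Review bot: The added `systemd.image_filter=` line narrows partition selection by GPT label glob (`ParticleOS_*` for usr, usr-verity and usr-verity-sig, `ParticleOS-*` for root, swap and home), and since labels on unprotected partitions are not authenticated the filter is a selection aid rather than an integrity control; the protection still rests on `usr=signed` and `root=encrypted` in the `systemd.image_policy=` line of the same hunk, which this change preserves. The relaxed policy `root=encrypted+absent` and `home=unprotected+absent` now passes with no root or home partition found, which is presumably what the repart/factory-reset flow needs, but it also means a root partition whose label does not match the filter would presumably be treated as absent instead of rejected, so a comment stating the intended fallback would help. The underscore/hyphen difference between the usr-side and the root/swap/home globs looks deliberate but is undocumented; a comment above the filter line such as `# Label globs: ParticleOS_* = partitions shipped in the image, ParticleOS-* = partitions created on the target; keep in sync with the repart definitions` would pin it down (wording to be confirmed against the repart definitions). The same filter and policy lines are added to 90-factory-reset.conf, 95-emergency.conf and 99-debug.conf, and the usr-only filter to 10-live.conf; the `[Content]` section continues past this hunk.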
@@ -6,9 +6,12 @@ Profile=
 TITLE=Reset System to Factory Defaults [CAUTION!]
 Cmdline=
+ root=dissect
+ mount.usr=dissect
 systemd.factory_reset=1
 rw
 audit=0
- systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted:swap=encrypted+unused+absent:home=unprotected:=ignore
+ systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore
+ systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-*
 SignExpectedPcr=yes
diff --git a/mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf b/mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf
index e74c0fd..12fd9b5 100644
--- a/mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf
+++ b/mkosi.uki-profiles/91-factory-reset-with-tpm-clear.conf
@@ -10,5 +10,6 @@ Cmdline=
 ro
 audit=0
 systemd.image_policy=-
+ root=off
 SignExpectedPcr=no
diff --git a/mkosi.uki-profiles/95-emergency.conf b/mkosi.uki-profiles/95-emergency.conf
index cc736fc..9d12360 100644
--- a/mkosi.uki-profiles/95-emergency.conf
+++ b/mkosi.uki-profiles/95-emergency.conf
@@ -6,9 +6,12 @@ Profile=
 TITLE=Boot into Emergency Mode
 Cmdline=
+ root=dissect
+ mount.usr=dissect
 systemd.unit=emergency.target
 rw
 audit=0
- systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted:swap=encrypted+unused+absent:home=unprotected:=ignore
+ systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore
+ systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-*
 SignExpectedPcr=yes
diff --git a/mkosi.uki-profiles/99-debug.conf b/mkosi.uki-profiles/99-debug.conf
index 0b3901e..89efb59 100644
--- a/mkosi.uki-profiles/99-debug.conf
+++ b/mkosi.uki-profiles/99-debug.conf
@@ -6,11 +6,18 @@ Profile=
 TITLE=Boot with debug logs enabled
 Cmdline=
+ root=dissect
+ mount.usr=dissect
 debug
 systemd.log_level=debug
 systemd.journald.forward_to_console=1
 rw
 audit=0
- systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted:swap=encrypted+unused+absent:home=unprotected:=ignore
+ systemd.image_policy=esp=unprotected:xbootldr=unprotected+unused+absent:usr=signed:root=encrypted+absent:swap=encrypted+unused+absent:home=unprotected+absent:=ignore
+ systemd.image_filter=usr=ParticleOS_*:usr-verity=ParticleOS_*:usr-verity-sig=ParticleOS_*:root=ParticleOS-*:swap=ParticleOS-*:home=ParticleOS-*
+
+# More knobs to enable:
+# systemd.log_target=console
+# rd.systemd.break=pre-switch-root
 SignExpectedPcr=yes