diff --git a/meta-dstack/conf/distro/dstack.conf b/meta-dstack/conf/distro/dstack.conf
index 8ab3359..0f5259e 100644
--- a/meta-dstack/conf/distro/dstack.conf
+++ b/meta-dstack/conf/distro/dstack.conf
@@ -12,6 +12,7 @@ VOLATILE_TMP_DIR = "yes"
 PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
 PREFERRED_VERSION_linux-yocto-dev ?= "6.9%"
+LINUX_KERNEL_TYPE = "tiny"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 VIRTUAL-RUNTIME_initscripts = ""
@@ -20,3 +21,5 @@ VIRTUAL-RUNTIME_dev_manager = "systemd"
 SERIAL_CONSOLES = "115200;ttyS0"
 PREFERRED_VERSION_rust-bin-cross-x86_64 = "1.86.0"
 PREFERRED_VERSION_cargo-bin-cross-x86_64 = "1.86.0"
+
+BAD_RECOMMENDATIONS = "busybox-syslog systemd-extra-utils"
diff --git a/meta-dstack/recipes-core/busybox/busybox%.bbappend b/meta-dstack/recipes-core/busybox/busybox%.bbappend
index bef35ef..0dd2f35 100644
--- a/meta-dstack/recipes-core/busybox/busybox%.bbappend
+++ b/meta-dstack/recipes-core/busybox/busybox%.bbappend
@@ -1,2 +1,3 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 SRC_URI += "file://fragment.cfg"
+RRECOMMENDS:${PN} = ""
diff --git a/meta-dstack/recipes-core/busybox/files/fragment.cfg b/meta-dstack/recipes-core/busybox/files/fragment.cfg
index b7dab01..34eb67a 100644
--- a/meta-dstack/recipes-core/busybox/files/fragment.cfg
+++ b/meta-dstack/recipes-core/busybox/files/fragment.cfg
@@ -1 +1,2 @@
 CONFIG_UDHCPD=n
+CONFIG_UDHCPC=n
diff --git a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0005-Declare-ProcessLibraryConstructorList.patch b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0005-Declare-ProcessLibraryConstructorList.patch
index 523b169..12a1c8c 100644
--- a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0005-Declare-ProcessLibraryConstructorList.patch
+++ b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf/0005-Declare-ProcessLibraryConstructorList.patch
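Review bot: `LINUX_KERNEL_TYPE = "tiny"` swaps the linux-yocto baseline for a much smaller one, and kernel-yocto only warns (it does not fail) when a fragment option cannot be applied because its Kconfig dependencies are no longer selected, so options the fragments ask for — including the SECCOMP_FILTER, SELINUX and netfilter settings in dstack-docker.cfg — can silently drop out of the TEE kernel. Set `KMETA_AUDIT_WERROR = "1"` next to it so an unapplied fragment option fails do_kernel_configcheck instead of just logging, and diff the resulting .config against the previous standard-ktype build once before relying on it. A one-line comment such as `# tiny ktype: minimal baseline, everything needed is added back via dstack*.cfg` would tell the next reader that the long `=y` lists in the fragments are deliberate.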
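Review bot: With both `CONFIG_UDHCPD=n` and `CONFIG_UDHCPC=n` BusyBox provides no DHCP client at all, and nothing in this fragment records what obtains the guest's address now (presumably systemd-networkd, given the systemd init manager in dstack.conf — confirm). A short comment in the fragment, `# No DHCP in busybox: address configuration is done by the init manager's network stack`, would stop someone from re-enabling udhcpc as a "fix" the first time networking looks broken.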
@@ -1,21 +1,34 @@ -From 5c718d0c37c65e845b100060fbc08cae26412c35 Mon Sep 17 00:00:00 2001 +From 596f2e3bd7292c8f22cfe01ec95b8b46ce1bc8a1 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 4 Nov 2024 04:35:18 +0000 -Subject: [PATCH 5/5] Declare ProcessLibraryConstructorList +Subject: [PATCH] Declare ProcessLibraryConstructorList --- - OvmfPkg/Sec/SecMain.c | 1 + - 1 file changed, 1 insertion(+) + OvmfPkg/IntelTdx/Sec/SecMain.c | 1 + + OvmfPkg/Sec/SecMain.c | 1 + + 2 files changed, 2 insertions(+) +diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c +index 7f2d28af95..fcc6b97c28 100644 +--- a/OvmfPkg/IntelTdx/Sec/SecMain.c ++++ b/OvmfPkg/IntelTdx/Sec/SecMain.c +@@ -163,6 +163,7 @@ SecCoreStartupWithStack ( + IdtDescriptor.Base = (UINTN)&IdtTableInStack.IdtTable; + IdtDescriptor.Limit = (UINT16)(sizeof (IdtTableInStack.IdtTable) - 1); + ++ void ProcessLibraryConstructorList (); + ProcessLibraryConstructorList (); + + // diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c -index d13a948509..2a44c4ed24 100644 +index d13a948509..58c48c967c 100644 --- a/OvmfPkg/Sec/SecMain.c +++ b/OvmfPkg/Sec/SecMain.c @@ -885,6 +885,7 @@ SecCoreStartupWithStack ( InitializeCpuExceptionHandlers (NULL); } -+ void ProcessLibraryConstructorList (void); ++ void ProcessLibraryConstructorList (); ProcessLibraryConstructorList (); if (!SevEsIsEnabled ()) { diff --git a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb index b073af5..96fcda3 100644 --- a/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb +++ b/meta-dstack/recipes-core/dstack-ovmf/dstack-ovmf_git.bb 
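Review bot: Both added declarations now read `void ProcessLibraryConstructorList ();`, which in C is an old-style non-prototype declaration (removed in C23 and flagged by `-Wstrict-prototypes`), and the previous revision of this patch already had the correct `(void)` form for OvmfPkg/Sec — the change from `(void)` to `()` in the second hunk reads as a regression rather than an intent. Use the EDK2 spelling in both SecMain.c hunks, `VOID ProcessLibraryConstructorList (VOID);` (with `EFIAPI` if that matches the AutoGen-generated definition — confirm), ideally at file scope rather than as a block-scope declaration inside `SecCoreStartupWithStack`. The embedded commit message still gives no reason why SEC has to call the library constructors explicitly at this point; a sentence on that in the patch body will save the next rebase.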
@@ -195,17 +195,13 @@ do_compile:class-target() {
     # do_deploy will be able to find the files.
     rm -rf ${WORKDIR}/ovmf
     mkdir ${WORKDIR}/ovmf
-    OVMF_DIR_SUFFIX="X64"
-    if [ "${TARGET_ARCH}" != "x86_64" ] ; then
-        OVMF_DIR_SUFFIX="Ia32" # Note the different capitalization
-    fi
     FIXED_GCCVER=$(fixup_target_tools ${GCC_VER})
     bbnote FIXED_GCCVER is ${FIXED_GCCVER}
-    build_dir="${S}/Build/Ovmf$OVMF_DIR_SUFFIX/RELEASE_${FIXED_GCCVER}"
+    build_dir="${S}/Build/IntelTdx/RELEASE_${FIXED_GCCVER}"
     bbnote "Building without Secure Boot."
-    rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
-    ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS}
+    rm -rf ${S}/Build/IntelTdx
+    ${S}/OvmfPkg/build.sh -p ${S}/OvmfPkg/IntelTdx/IntelTdxX64.dsc $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS}
     ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.fd
     ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.code.fd
     ln ${build_dir}/FV/OVMF_VARS.fd ${WORKDIR}/ovmf/ovmf.vars.fd
@@ -214,8 +210,8 @@ do_compile:class-target() {
     if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
         # Repeat build with the Secure Boot flags.
         bbnote "Building with Secure Boot."
-        rm -rf ${S}/Build/Ovmf$OVMF_DIR_SUFFIX
-        ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS} ${OVMF_SECURE_BOOT_FLAGS}
+        rm -rf ${S}/Build/IntelTdx
+        ${S}/OvmfPkg/build.sh -p ${S}/OvmfPkg/IntelTdx/IntelTdxX64.dsc $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${PACKAGECONFIG_CONFARGS} ${OVMF_SECURE_BOOT_FLAGS}
         ln ${build_dir}/FV/OVMF.fd ${WORKDIR}/ovmf/ovmf.secboot.fd
         ln ${build_dir}/FV/OVMF_CODE.fd ${WORKDIR}/ovmf/ovmf.secboot.code.fd
         ln ${build_dir}/${OVMF_ARCH}/EnrollDefaultKeys.efi ${WORKDIR}/ovmf/
diff --git a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
index 0ac9387..bb89442 100644
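Review bot: The Ia32 fallback is removed but `-a $OVMF_ARCH` (set earlier in the function, outside this hunk) is still passed, and `IntelTdxX64.dsc` describes an X64-only platform, so a non-x86_64 target would now attempt an IA32 build against an X64 DSC instead of failing with a clear message; add `COMPATIBLE_HOST = "x86_64.*-linux"` at recipe level, or a guard such as `[ "${TARGET_ARCH}" = "x86_64" ] || bbfatal "IntelTdxX64.dsc requires x86_64"` before the build, so the mismatch is caught early. Because this firmware is what the TD's MRTD measures, switching the platform DSC changes the expected launch measurement; if reference values are published or pinned anywhere they must be regenerated from this build, and a comment on the `-p` line saying so would be cheap insurance. Also confirm that the IntelTdx FDF actually emits `OVMF_CODE.fd` and `OVMF_VARS.fd` in addition to `OVMF.fd`, since the three `ln` lines assume the split images exist. The enclosing `do_compile:class-target()` starts before this hunk and ends after it.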
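Review bot: The secure-boot pass now builds `IntelTdxX64.dsc` with `${OVMF_SECURE_BOOT_FLAGS}` (defined outside this hunk); confirm that this DSC honours the `SECURE_BOOT_ENABLE` define and builds `EnrollDefaultKeys.inf`, because otherwise the `ovmf.secboot.*` outputs are just the plain image under another name and only the final `ln` of `EnrollDefaultKeys.efi` would fail to say so. A comment on the `ln` lines, `# hard links on purpose: the build dir is rm -rf'd before the next pass, so a symlink would dangle`, would make the reuse of a single `${S}/Build/IntelTdx` directory for both passes safe to maintain. The enclosing `do_compile:class-target()` begins before this hunk and ends after it.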
--- a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
+++ b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
@@ -20,9 +20,11 @@ IMAGE_INSTALL = "\
     jq \
     chrony \
     chronyc \
-    qemu-guest-agent \
     dstack-zfs \
     kernel-module-tun \
+    kernel-module-fuse \
+    fuse3 \
+    fuse3-utils \
 "
 
 IMAGE_NAME_SUFFIX ?= ""
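Review bot: `fuse3` ships `fusermount3`, which is conventionally installed setuid-root so that unprivileged users can mount; this image has no interactive users, so if the bit is set here it is pure attack surface for any confined process that can exec it and should be dropped unless a non-root service actually mounts FUSE filesystems, e.g. in a ROOTFS_POSTPROCESS step: `chmod u-s ${IMAGE_ROOTFS}/usr/bin/fusermount3`. Also, `kernel-module-fuse` as a hard `IMAGE_INSTALL` entry only exists when FUSE is built as a module; if the fuse feature added to the kernel bbappend in this commit ends up built-in, do_rootfs fails on a missing package, so a comment like `# fuse as a module: this package name depends on CONFIG_FUSE_FS=m` would tie the two together. The `IMAGE_INSTALL` assignment begins before this hunk.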
@@ -86,6 +88,42 @@ disable_getty_services() {
         rm -f ${IMAGE_ROOTFS}/usr/lib/systemd/system/${srv}.service
         rm -f ${IMAGE_ROOTFS}/usr/lib/systemd/system/${srv}@.service
     done
+
+    # Login/console related
+    rm -rf ${IMAGE_ROOTFS}/usr/sbin/getty
+    rm -rf ${IMAGE_ROOTFS}/usr/sbin/agetty
+    rm -rf ${IMAGE_ROOTFS}/usr/bin/login
+    rm -rf ${IMAGE_ROOTFS}/usr/bin/loginctl
+    rm -rf ${IMAGE_ROOTFS}/etc/systemd/system/getty.target.wants
+
+    # Console fonts and keymaps
+    rm -rf ${IMAGE_ROOTFS}/usr/share/consolefonts
+    rm -rf ${IMAGE_ROOTFS}/usr/share/keymaps
+
+    # Systemd components we don't need
+    rm -rf ${IMAGE_ROOTFS}/usr/bin/systemd-tty-ask-password-agent
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system/debug-shell.service
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system/suspend.target
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system/systemd-hibernate.service
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system/systemd-suspend-then-hibernate.service
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/systemd-hibernate-resume
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system-generators/systemd-getty-generator
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/systemd-logind
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system/systemd-logind.service
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system/multi-user.target.wants/systemd-logind.service
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/logind.conf.d
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/system/graphical.target.wants
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/user/graphical-session.target
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/user/graphical-session-pre.target
+    rm -rf ${IMAGE_ROOTFS}/usr/lib/systemd/user/bluetooth.target
+
+    # Polkit
+    rm -rf ${IMAGE_ROOTFS}/usr/share/polkit-1
+
+    # Factory defaults
+    rm -rf ${IMAGE_ROOTFS}/usr/share/factory
+
+    > ${IMAGE_ROOTFS}/etc/securetty
 }
 
 mkdirs() {
diff --git a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
index 4bd4509..b8fd024 100644
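Review bot: The new removals strip getty, login and debug-shell but leave systemd's rescue/emergency path intact, so a boot-time failure (a failed mount or fsck, or a unit the host deliberately breaks) still reaches `emergency.service`, which runs `systemd-sulogin-shell` and offers a root shell on the serial console — and in a TDX guest that console (ttyS0 per dstack.conf) is driven by the untrusted host. Unless `sulogin` is already absent from this image (confirm), add `rm -f ${IMAGE_ROOTFS}/usr/lib/systemd/systemd-sulogin-shell` and `rm -f ${IMAGE_ROOTFS}/usr/lib/systemd/system/emergency.service ${IMAGE_ROOTFS}/usr/lib/systemd/system/rescue.service` to this block so a failed boot halts instead of prompting. Every `rm -rf` here is also silent when the path does not exist, so a binary that moves to `/sbin` or `/bin` on a non-usrmerge layout would quietly survive; a trailing check such as `! test -e ${IMAGE_ROOTFS}/usr/bin/login` for the paths that matter most would make regressions visible. The function name `disable_getty_services` now undersells what it does; rename it (e.g. `strip_interactive_access`) or add a header comment stating that it removes all interactive-login, console and power-management surface from the image.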
--- a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
+++ b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
@@ -6,6 +6,7 @@ CONFIG_IP_VS=m
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 CONFIG_SECURITY_SELINUX=y
+CONFIG_VLAN_8021Q=y
 CONFIG_BRIDGE_VLAN_FILTERING=y
 CONFIG_XFRM=y
 CONFIG_XFRM_USER=y
@@ -22,3 +23,4 @@ CONFIG_NETFILTER_FAMILY_BRIDGE=y
 CONFIG_VETH=y
 CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
 CONFIG_VXLAN=y
+CONFIG_CGROUP_BPF=y
diff --git a/meta-dstack/recipes-kernel/linux/files/dstack.cfg b/meta-dstack/recipes-kernel/linux/files/dstack.cfg
index 9277e22..a1c5bb3 100644
--- a/meta-dstack/recipes-kernel/linux/files/dstack.cfg
+++ b/meta-dstack/recipes-kernel/linux/files/dstack.cfg
@@ -1,3 +1,4 @@
+CONFIG_MODULES=y
 CONFIG_IKCONFIG=y
 CONFIG_IKCONFIG_PROC=y
 CONFIG_NET_9P=y
@@ -5,6 +6,20 @@ CONFIG_NET_9P_VIRTIO=y
 CONFIG_9P_FS=y
 CONFIG_9P_FS_POSIX_ACL=y
 CONFIG_PCI=y
+CONFIG_TUN=m
 CONFIG_VIRTIO_PCI=y
 CONFIG_ISO9660_FS=y
-CONFIG_WIREGUARD=y
\ No newline at end of file
+CONFIG_WIREGUARD=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_TMPFS_XATTR=y
+#
+CONFIG_PM=n
+CONFIG_SUSPEND=n
+CONFIG_PM_SLEEP=n
+CONFIG_HOTPLUG_CPU=n
+CONFIG_HOTPLUG_PCI=n
+CONFIG_BT=n
+CONFIG_MMC=n
+CONFIG_SCSI=n
+CONFIG_INPUT=n
+CONFIG_WLAN=n
diff --git a/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend b/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend
index 5d9603a..a2a9d5d 100644
--- a/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-dstack/recipes-kernel/linux/linux-yocto%.bbappend
@@ -1,5 +1,7 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 
+LINUX_VERSION_EXTENSION = "-dstack"
+
 SRC_URI += "file://dstack-docker.cfg \
            file://dstack-docker.scc \
            file://dstack-tdx.cfg \
@@ -10,6 +12,7 @@ SRC_URI += "file://dstack-docker.cfg \
 KERNEL_FEATURES:append = " features/cgroups/cgroups.scc \
                          features/overlayfs/overlayfs.scc \
                          features/netfilter/netfilter.scc \
+                         features/fuse/fuse.scc \
                          cfg/fs/squashfs.scc \
                          dstack-docker.scc \
                          dstack.scc"
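Review bot: `CONFIG_CGROUP_BPF=y` depends on `CONFIG_BPF_SYSCALL` (it sits under the cgroups menu with `depends on BPF_SYSCALL`), which this fragment does not select; on the tiny baseline this commit switches to, Kconfig will silently drop it unless another fragment sets BPF_SYSCALL, so add `CONFIG_BPF_SYSCALL=y` next to it or verify it survives in the final .config. Because enabling the BPF syscall widens the kernel attack surface for every container on the guest, pair it with `CONFIG_BPF_UNPRIV_DEFAULT_OFF=y` (and `CONFIG_BPF_JIT_ALWAYS_ON=y` if the JIT is enabled) so only privileged code can load programs; the cgroup-v2 device controller that runc uses runs as root and is unaffected.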
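Review bot: `CONFIG_MODULES=y` re-enables loadable modules in the TEE kernel (needed for the `CONFIG_TUN=m` and fuse modules this commit introduces), but nothing here constrains what can be loaded: without signature enforcement, anything that can write to the rootfs or call init_module with CAP_SYS_MODULE can run arbitrary code inside the measured kernel. Unless the rootfs carrying the .ko files is integrity-protected end to end (e.g. dm-verity rooted in the measured boot chain — confirm), add `CONFIG_MODULE_SIG=y`, `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_ALL=y` to this fragment so the build signs every module and the kernel refuses unsigned ones, and consider setting `kernel.modules_disabled=1` once the boot-time modules are loaded. A one-line comment above the option, `# modules enabled only for tun/fuse; keep signature enforcement on`, records the intent.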
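Review bot: The lone `#` line separating the feature options from the `=n` block says nothing; replace it with a comment stating the intent, e.g. `# A TDX guest has no power management, hotplug, legacy bus or human-input devices: disable them to shrink attack surface`. Two of the disables deserve a second look: `CONFIG_SCSI=n` also removes virtio-scsi (`SCSI_VIRTIO` depends on SCSI), so any disk the host attaches as virtio-scsi rather than virtio-blk disappears — confirm which the launcher uses — and `CONFIG_HOTPLUG_PCI=n` means a device the host hot-adds after launch is ignored, which is probably desirable in a TEE but should be stated as deliberate rather than left implicit.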