diff --git a/Dockerfile b/Dockerfile
index 9831efcca..7f6b889e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -46,12 +46,81 @@ RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=c
 #       local sources. We'll override it later.
 # NOTE: All your base belong to me.
 FROM $base as target-base
+
+# SKIP_CONFIGS=1 skips LBIs, test kargs, and install configs (for FCOS testing)
+ARG SKIP_CONFIGS
+ARG boot_type
+ARG seal_state
+ARG variant
+ARG baseconfigs=""
+ARG rootfs=""
+
 # Handle version skew between base image and mirrors for CentOS Stream
 # xref https://gitlab.com/redhat/centos-stream/containers/bootc/-/issues/1174
 RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     /run/packaging/enable-compose-repos
-RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard /target-rootfs
+
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=src,src=/src/hack,target=/run/hack \
+    --mount=type=bind,from=packaging,src=/,target=/run/packaging <<EOF
+    set -eux
+    /usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard --no-initramfs /target-rootfs
+EOF
+
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,src=/proc,target=/target-rootfs/proc \
+    --mount=type=bind,src=/dev,target=/target-rootfs/dev \
+    --mount=type=bind,src=/sys,target=/target-rootfs/sys \
+    --mount=type=bind,src=/etc/resolv.conf,target=/target-rootfs/etc/resolv.conf \
+    --mount=type=bind,from=src,src=/src/hack,target=/target-rootfs/run/hack \
+    --mount=type=bind,from=packages,src=/,target=/target-rootfs/run/packages \
+    --mount=type=bind,from=packaging,src=/usr-extras,target=/target-rootfs/run/usr-extras \
+    --mount=type=bind,from=packaging,src=/,target=/target-rootfs/run/packaging <<EOF
+    set -eux
+
+    # All network-fetching operations: package installs from distro repos, Copr, Koji.
+    SKIP_CONFIGS="${SKIP_CONFIGS:-}" \
+    seal_state="${seal_state}" \
+    boot_type="${boot_type}" \
+    variant="${variant}" \
+    rootfs="${rootfs}" \
+    baseconfigs="${baseconfigs}" \
+    chroot /target-rootfs /bin/bash -c '
+        # Only need enough here to generate the initramfs
+        set -eux
+
+        cd /run/hack/ && SKIP_CONFIGS="${SKIP_CONFIGS}" ./provision-fetch.sh
+
+        # Configure the rootfs
+        /run/packaging/configure-rootfs "${variant}" "${rootfs}"
+
+        # Inject base configuration (e.g. transient-etc, transient-root) before dracut runs
+        /run/packaging/inject-baseconfig "${variant}" "${baseconfigs}"
+
+        # Override with our built package
+        /run/packaging/install-rpm-and-setup /run/packages
+
+        install -D -m 0644 -t /usr/lib/bootc/kargs.d /run/usr-extras/lib/bootc/kargs.d/*.toml
+
+        /run/packaging/cleanup'
+
+    bootc container lint --fatal-warnings --rootfs /target-rootfs
+EOF
+
+# Inject some other configuration
+COPY --from=packaging /usr-extras/ /target-rootfs/usr/
+
+RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp <<EOF 
+    set -eux
+
+    # create this regardless else bind mounts down the line fail for non-uki builds
+    mkdir -p /kernel
+
+    if [[ "${boot_type}" == "uki" ]]; then
+        /target-rootfs/usr/bin/bootc container split-kernel-and-rootfs --rootfs /target-rootfs --output /kernel
+    fi
+EOF
 
 FROM scratch as fetch
 COPY --from=target-base /target-rootfs/ /
@@ -66,8 +135,6 @@ RUN --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=src,src=/src/hack,target=/run/hack <<-EOF
     set -ex
 
-    cd /run/hack/ && SKIP_CONFIGS="${SKIP_CONFIGS}" ./provision-fetch.sh
-
     pkgs_to_install=()
     if [[ "${seal_state}" == "sealed" ]]; then
         . /usr/lib/os-release
@@ -135,7 +202,10 @@ ARG pkgversion
 ARG SOURCE_DATE_EPOCH
 ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
 # Build RPM directly from source, using cached target directory
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp --mount=type=cache,target=/src/target --mount=type=cache,target=/var/roothome RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=cache,target=/src/target \
+    --mount=type=cache,target=/var/roothome \
+    RPM_VERSION="${pkgversion}" /src/contrib/packaging/build-rpm
 
 # Build a systemd-sysext containing just the bootc binary.
 # Skips RPM machinery entirely for fast incremental rebuilds.
@@ -247,27 +317,6 @@ rm -rf /var/cache
 rm -rf /run/rhsm
 
 EORUN
-# Configure the rootfs
-ARG rootfs=""
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
-    /run/packaging/configure-rootfs "${variant}" "${rootfs}"
-# Inject base configuration (e.g. transient-etc, transient-root) before dracut runs
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
-    /run/packaging/inject-baseconfig "${variant}" "${baseconfigs}"
-# Override with our built package
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
-    --mount=type=bind,from=packages,src=/,target=/run/packages \
-    /run/packaging/install-rpm-and-setup /run/packages
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-    --mount=type=bind,from=packaging,src=/usr-extras,target=/run/usr-extras \
-    install -D -m 0644 -t /usr/lib/bootc/kargs.d /run/usr-extras/lib/bootc/kargs.d/*.toml
-# Clean up package manager caches
-RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-    --mount=type=bind,from=packaging,src=/,target=/run/packaging \
-    /run/packaging/cleanup
 
 # Generate the sealed UKI in a separate stage
 # This computes the composefs digest from base-penultimate and creates a signed UKI
@@ -284,18 +333,27 @@ RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
+    --mount=type=bind,from=target-base,src=/kernel,target=/run/kernel \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
     --mount=type=bind,from=base-penultimate,src=/,target=/run/target <<EORUN
 set -xeuo pipefail
 
-allow_missing_verity=false
+allow_missing_verity=()
 
 if [[ $filesystem == "xfs" ]]; then
-    allow_missing_verity=true
+    allow_missing_verity=(--allow-missing-verity)
 fi
 
 if test "${boot_type}" = "uki"; then
-  /run/packaging/seal-uki /run/target /out /run/secrets $allow_missing_verity $seal_state
+  kver=$(ls /run/kernel)
+
+  /run/packaging/seal-uki \
+      --target /run/target \
+      --output /out \
+      --secrets /run/secrets \
+      "${allow_missing_verity[@]}" \
+      --kernel-dir "/run/kernel/$kver" \
+      --seal-state $seal_state
 fi
 EORUN
 
@@ -306,10 +364,13 @@ ARG boot_type
 # Copy the sealed UKI and finalize the image (remove raw kernel, create symlinks)
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    --mount=type=bind,from=target-base,src=/kernel,target=/run/kernel \
     --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki <<EORUN
 set -xeuo pipefail
+
 if test "${boot_type}" = "uki"; then
-  /run/packaging/finalize-uki /run/sealed-uki/out
+  kver=$(ls /run/kernel)
+  /run/packaging/finalize-uki /run/sealed-uki/out "$kver"
 fi
 EORUN
 # And finally, test our linting
diff --git a/Justfile b/Justfile
index 6ba80d0c7..3c16ea1aa 100644
--- a/Justfile
+++ b/Justfile
@@ -102,7 +102,7 @@ build: package _keygen && _pull-lbi-images
 # The retry parameters can be overridden via environment variables:
 #   BOOTC_CI_RETRIES=10 BOOTC_CI_DELAY=60 just build-fetch
 [group('core')]
-build-fetch: _keygen
+build-fetch: _keygen package
     #!/bin/bash
     set -euo pipefail
     retries=${BOOTC_CI_RETRIES:-3}
@@ -131,12 +131,15 @@ build-fetch: _keygen
     for img in {{lbi_images}}; do
         retry podman pull -q "$img"
     done
+
+    pkg_path=$(realpath target/packages)
+
     # Build the network-heavy fetch stage of the main image.  If this
     # succeeds, `just build` will get a cache hit on the fetch layer and
     # run entirely offline.
     # Note: buildargs (not base_buildargs) is needed here because the
     # target-base stage requires --cap-add/--security-opt for bwrap.
-    retry podman build {{_nocache_arg}} --target=fetch {{buildargs}} .
+    retry podman build {{_nocache_arg}} --build-context "packages=${pkg_path}" --target=fetch {{buildargs}} .
     # Same for the upgrade-source image used by test-upgrade.
     retry podman build {{_nocache_arg}} --build-arg=base={{base}} \
         --target=fetch -f tmt/tests/Dockerfile.upgrade-source .
diff --git a/contrib/packaging/finalize-uki b/contrib/packaging/finalize-uki
index c382eccf6..9221cb79b 100755
--- a/contrib/packaging/finalize-uki
+++ b/contrib/packaging/finalize-uki
@@ -20,13 +20,8 @@ set -xeuo pipefail
 # Path to directory containing the generated UKI
 uki_src=$1
 shift
-
-# Find the kernel version from the current system
-kver=$(bootc container inspect --json | jq -r '.kernel.version')
-if [ -z "$kver" ] || [ "$kver" = "null" ]; then
-  echo "Error: No kernel found" >&2
-  exit 1
-fi
+kver=$1
+shift
 
 # Create the EFI directory structure
 mkdir -p /boot/EFI/Linux
@@ -36,12 +31,6 @@ mkdir -p /boot/EFI/Linux
 target=/boot/EFI/Linux/${kver}.efi
 cp "${uki_src}/${kver}.efi" "${target}"
 
-# Remove the raw kernel and initramfs since we're using a UKI now.
-# NOTE: We intentionally keep these for now until bcvk is updated to extract
-# kernel/initramfs from UKIs in subdirectories. Once bcvk PR #144 is fixed
-# to look for .efi files in /usr/lib/modules/<kver>/, we can uncomment this.
-# rm -v "/usr/lib/modules/${kver}/vmlinuz" "/usr/lib/modules/${kver}/initramfs.img"
-
 # NOTE: We used to create a symlink from /usr/lib/modules/${kver}/${kver}.efi to the UKI
 # for tooling compatibility. However, composefs-boot's find_uki_components() doesn't
 # handle symlinks correctly and fails with "is not a regular file". The UKI is already
diff --git a/contrib/packaging/seal-uki b/contrib/packaging/seal-uki
index 66de92ffd..bfc7c4bec 100755
--- a/contrib/packaging/seal-uki
+++ b/contrib/packaging/seal-uki
@@ -2,32 +2,70 @@
 # Generate a sealed UKI with embedded composefs digest
 set -xeuo pipefail
 
-# Path to the desired root filesystem
-target=$1
-shift
-# Write to this directory
-output=$1
-shift
-# Path to secrets directory
-secrets=$1
-shift
-allow_missing_verity=$1
-shift
-seal_state=$1
-shift
-
-if [[ $seal_state == "sealed" && $allow_missing_verity == "true" ]]; then
+missing_verity=()
+
+while [ ! -z "${1:-}" ]; do
+    case "$1" in
+        # Path to the desired root filesystem
+        "--target")
+            target="$2"
+            shift
+            shift
+        ;;
+
+        # Write to this directory
+        "--output")
+            output="$2"
+            shift
+            shift
+        ;;
+
+        # Path to secrets directory
+        "--secrets")
+            secrets="$2"
+            shift
+            shift
+        ;;
+
+        "--allow-missing-verity")
+            missing_verity=(--allow-missing-verity)
+            shift
+        ;;
+
+        "--seal-state")
+            seal_state="$2"
+            shift
+            shift
+        ;;
+
+        # Path to the directory containing kernel and initramfs
+        "--kernel-dir")
+            kernel_dir="$2"
+            shift
+            shift
+        ;;
+
+        * )
+            echo "Argument $1 not understood"
+            exit 1
+        ;;
+    esac
+done
+
+if [[ $seal_state == "sealed" && ${#missing_verity[@]} -gt 0 ]]; then
     echo "Cannot have missing verity with sealed UKI" >&2
     exit 1
 fi
 
-# Find the kernel version (needed for output filename)
-kver=$(bootc container inspect --rootfs "${target}" --json | jq -r '.kernel.version')
-if [ -z "$kver" ] || [ "$kver" = "null" ]; then
-  echo "Error: No kernel found" >&2
-  exit 1
+if [[ -z $kernel_dir ]]; then
+    echo "kernel dir is required" >&2
+    exit 1
 fi
 
+kernel_params=(--kernel-dir "$kernel_dir")
+
+kver=$(basename "$kernel_dir")
+
 mkdir -p "${output}"
 
 # Baseline ukify options
@@ -45,12 +83,6 @@ fi
 # Baseline container ukify options
 containerukifyargs=(--rootfs "${target}")
 
-missing_verity=()
-
-if [[ $allow_missing_verity == "true" ]]; then
-    missing_verity+=(--allow-missing-verity)
-fi
-
 # Build the UKI using bootc container ukify
 # This computes the composefs digest, reads kargs from kargs.d, and invokes ukify
-bootc container ukify "${containerukifyargs[@]}" "${missing_verity[@]}" -- "${ukifyargs[@]}"
+bootc container ukify "${containerukifyargs[@]}" "${kernel_params[@]}" "${missing_verity[@]}" -- "${ukifyargs[@]}"
diff --git a/crates/lib/src/cli.rs b/crates/lib/src/cli.rs
index 9a7c307ff..06845b9e6 100644
--- a/crates/lib/src/cli.rs
+++ b/crates/lib/src/cli.rs
@@ -4,7 +4,7 @@
 
 use std::ffi::{CString, OsStr, OsString};
 use std::fs::File;
-use std::io::{BufWriter, Seek};
+use std::io::{BufWriter, Seek, SeekFrom};
 use std::os::fd::AsFd;
 use std::os::unix::process::CommandExt;
 use std::process::Command;
@@ -27,6 +27,7 @@ use composefs_boot::BootOps as _;
 use etc_merge::{compute_diff, print_diff};
 use fn_error_context::context;
 use indoc::indoc;
+use ocidir::cap_std::ambient_authority;
 use ostree::gio;
 use ostree_container::store::PrepareResult;
 use ostree_ext::container as ostree_container;
@@ -415,6 +416,23 @@ pub(crate) enum ContainerOpts {
         /// Identifier for image; if not provided, the running image will be used.
         image: Option<String>,
     },
+    /// Split kernel and rootfs from a container image
+    ///
+    /// This command extracts the kernel (vmlinuz and initramfs.img) from the
+    /// container rootfs and moves them to a separate output directory, organized
+    /// by kernel version
+    ///
+    /// Example:
+    ///   bootc container split-kernel-rootfs --rootfs /target-rootfs --output /out
+    SplitKernelAndRootfs {
+        /// Operate on the provided rootfs
+        #[clap(long, default_value = "/")]
+        rootfs: Utf8PathBuf,
+
+        /// Output directory for the extracted kernel files
+        #[clap(long)]
+        output: Utf8PathBuf,
+    },
     /// Build a Unified Kernel Image (UKI) using ukify.
     ///
     /// This command computes the necessary arguments from the container image
@@ -626,6 +644,19 @@ pub(crate) enum FsverityOpts {
     },
 }
 
+#[derive(Debug, clap::Subcommand, PartialEq, Eq)]
+pub(crate) enum UkiSubcommands {
+    /// Extract kernel + initrd from a UKI
+    /// The output (vmlinuz + initramfs.img) is placed in a directory named
+    /// after the kernel version found in the UKI
+    Extract {
+        /// The path to the UKI PE
+        path: Utf8PathBuf,
+        /// The output path
+        output_path: Utf8PathBuf,
+    },
+}
+
 /// Hidden, internal only options
 #[derive(Debug, clap::Subcommand, PartialEq, Eq)]
 pub(crate) enum InternalsOpts {
@@ -742,6 +773,9 @@ pub(crate) enum InternalsOpts {
     /// Block device inspection tools.
     #[clap(subcommand)]
     Blockdev(BlockdevOpts),
+    /// For various UKI operations
+    #[clap(subcommand)]
+    Uki(UkiSubcommands),
 }
 
 /// Subcommands for `bootc internals blockdev`.
@@ -1837,6 +1871,41 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 )?;
                 Ok(())
             }
+            ContainerOpts::SplitKernelAndRootfs { rootfs, output } => {
+                use crate::kernel::{KernelType, find_kernel};
+
+                let root = Dir::open_ambient_dir(&rootfs, ambient_authority())?;
+
+                let kernel_internal = find_kernel(&root)?
+                    .ok_or_else(|| anyhow::anyhow!("No kernel found in rootfs"))?;
+
+                if kernel_internal.kernel.unified {
+                    anyhow::bail!("UKIs are not supported");
+                }
+
+                let kver = &kernel_internal.kernel.version;
+                let kernel_output_dir = output.join(kver);
+                std::fs::create_dir_all(&kernel_output_dir)?;
+
+                match &kernel_internal.k_type {
+                    KernelType::Vmlinuz { path, initramfs } => {
+                        let vmlinuz_src = rootfs.join(path);
+                        let initramfs_src = rootfs.join(initramfs);
+                        let vmlinuz_dst = kernel_output_dir.join("vmlinuz");
+                        let initramfs_dst = kernel_output_dir.join("initramfs.img");
+
+                        std::fs::rename(&vmlinuz_src, &vmlinuz_dst).context("Moving vmlinuz")?;
+                        std::fs::rename(&initramfs_src, &initramfs_dst)
+                            .context("Moving initramfs")?;
+                    }
+
+                    KernelType::Uki { .. } => {
+                        unreachable!("UKIs should have been rejected above");
+                    }
+                }
+
+                Ok(())
+            }
             ContainerOpts::ComputeComposefsDigest {
                 path,
                 write_dumpfile_to,
@@ -2319,6 +2388,40 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 println!();
                 Ok(())
             }
+            InternalsOpts::Uki(uki_opts) => match uki_opts {
+                UkiSubcommands::Extract { path, output_path } => {
+                    let mut uki_file =
+                        std::fs::File::open(&path).with_context(|| format!("Opening {path}"))?;
+
+                    let uname =
+                        composefs_boot::uki::get_text_section_buffered(&mut uki_file, ".uname")
+                            .context("Getting uname")?;
+
+                    std::fs::create_dir_all(&output_path).context("Creating output directory")?;
+
+                    let output_dir = Dir::open_ambient_dir(&output_path, ambient_authority())
+                        .context("Opening output dir")?;
+                    output_dir.create_dir(&uname)?;
+
+                    let output_dir = output_dir.open_dir(&uname)?;
+
+                    for (section_name, file_name) in
+                        [(".linux", "vmlinuz"), (".initrd", "initramfs.img")]
+                    {
+                        uki_file
+                            .seek(SeekFrom::Start(0))
+                            .context("Seeking to start")?;
+                        let section =
+                            composefs_boot::uki::get_section_buffered(&mut uki_file, section_name)
+                                .with_context(|| format!("Getting {section_name} section"))?;
+                        output_dir
+                            .write(file_name, section)
+                            .with_context(|| format!("Writing {file_name}"))?;
+                    }
+
+                    Ok(())
+                }
+            },
         },
         Opt::State(opts) => match opts {
             StateOpts::WipeOstree => {
diff --git a/crates/tests-integration/src/container.rs b/crates/tests-integration/src/container.rs
index a7d8e89d6..14396107b 100644
--- a/crates/tests-integration/src/container.rs
+++ b/crates/tests-integration/src/container.rs
@@ -1,8 +1,10 @@
+use cap_std_ext::cap_std::ambient_authority;
+use cap_std_ext::cap_std::fs::Dir;
 use indoc::indoc;
 use scopeguard::defer;
 use serde::Deserialize;
-use std::fs;
 use std::process::Command;
+use std::{fs, path::Path};
 
 use anyhow::{Context, Result};
 use camino::Utf8Path;
@@ -72,6 +74,24 @@ pub(crate) fn test_bootc_container_inspect() -> Result<()> {
                 );
                 // Version should be non-empty after stripping extension
                 assert!(!version.is_empty(), "version should not be empty for UKI");
+
+                let target_root = Dir::open_ambient_dir(TARGET, ambient_authority())
+                    .with_context(|| format!("{TARGET} not found"))?;
+
+                // For UKI make sure vmlinuz + initrd don't exist
+                let usr_lib_mod = Path::new("usr/lib/modules").join(version);
+                assert!(
+                    target_root.exists(&usr_lib_mod),
+                    "'{usr_lib_mod:?}' does not exist"
+                );
+                assert!(
+                    !target_root.exists(usr_lib_mod.join("vmlinuz")),
+                    "vmlinuz should not exist for UKI"
+                );
+                assert!(
+                    !target_root.exists(usr_lib_mod.join("initramfs.img")),
+                    "initramfs should not exist for UKI"
+                );
             }
             o => eprintln!("notice: Unhandled variant for kernel check: {o:?}"),
         }
@@ -188,6 +208,8 @@ fn test_variant_base_crosscheck() -> Result<()> {
     Ok(())
 }
 
+const TARGET: &str = "/run/target";
+
 /// Verify exported tar has correct size/mode/content vs source.
 /// Checks all critical paths (kernel, boot) plus ~10% random sample.
 pub(crate) fn test_container_export_tar() -> Result<()> {
@@ -195,7 +217,6 @@ pub(crate) fn test_container_export_tar() -> Result<()> {
     use std::io::Read;
     use std::os::unix::fs::MetadataExt;
 
-    const TARGET: &str = "/run/target";
     const CRITICAL: &[&str] = &["usr/lib/modules/", "usr/lib/ostree-boot/", "boot/"];
 
     anyhow::ensure!(
diff --git a/docs/src/man/bootc-container-split-kernel-and-rootfs.8.md b/docs/src/man/bootc-container-split-kernel-and-rootfs.8.md
new file mode 100644
index 000000000..61c2a85f5
--- /dev/null
+++ b/docs/src/man/bootc-container-split-kernel-and-rootfs.8.md
@@ -0,0 +1,38 @@
+# NAME
+
+bootc-container-split-kernel-and-rootfs - Split kernel and rootfs from a container image
+
+# SYNOPSIS
+
+bootc container split-kernel-and-rootfs
+
+# DESCRIPTION
+
+Split kernel and rootfs from a container image
+
+# OPTIONS
+
+<!-- BEGIN GENERATED OPTIONS -->
+**--rootfs**=*ROOTFS*
+
+    Operate on the provided rootfs
+
+    Default: /
+
+**--output**=*OUTPUT*
+
+    Output directory for the extracted kernel files
+
+<!-- END GENERATED OPTIONS -->
+
+# EXAMPLES
+
+TODO: Add practical examples showing how to use this command.
+
+# SEE ALSO
+
+**bootc**(8)
+
+# VERSION
+
+<!-- VERSION PLACEHOLDER -->
diff --git a/docs/src/man/bootc-container.8.md b/docs/src/man/bootc-container.8.md
index b8b540972..1b1fce62f 100644
--- a/docs/src/man/bootc-container.8.md
+++ b/docs/src/man/bootc-container.8.md
@@ -21,6 +21,7 @@ Operations which can be executed as part of a container build
 |---------|-------------|
 | **bootc container inspect** | Output information about the container image |
 | **bootc container lint** | Perform relatively inexpensive static analysis checks as part of a container build |
+| **bootc container split-kernel-and-rootfs** | Split kernel and rootfs from a container image |
 | **bootc container ukify** | Build a Unified Kernel Image (UKI) using ukify |
 
 <!-- END GENERATED SUBCOMMANDS -->
diff --git a/tmt/tests/Dockerfile.upgrade b/tmt/tests/Dockerfile.upgrade
index 561e2e0a7..b66393114 100644
--- a/tmt/tests/Dockerfile.upgrade
+++ b/tmt/tests/Dockerfile.upgrade
@@ -13,6 +13,16 @@ ARG filesystem=ext4
 FROM scratch AS packaging
 COPY contrib/packaging /
 
+# Get kernel + initrd from the UKI
+FROM localhost/bootc as kernel
+ARG boot_type
+RUN <<-EOF
+    if test "${boot_type}" = "uki"; then
+        kver=$(bootc container inspect --rootfs / --json | jq -r '.kernel.version')
+        bootc internals uki extract /boot/EFI/Linux/$kver.efi /boot
+    fi
+EOF
+
 # Create the upgrade content (a simple marker file).
 # For UKI builds, we also remove the existing UKI so that seal-uki can
 # regenerate it with the correct composefs digest for this derived image.
@@ -36,16 +46,26 @@ RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp
     --mount=type=secret,id=secureboot_key \
     --mount=type=secret,id=secureboot_cert \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    --mount=type=bind,from=kernel,src=/,target=/run/kernel \
     --mount=type=bind,from=upgrade-base,src=/,target=/run/target <<EORUN
 set -xeuo pipefail
 
-allow_missing_verity=false
-if [ "${filesystem}" = "xfs" ]; then
-    allow_missing_verity=true
+allow_missing_verity=()
+
+if [[ $filesystem == "xfs" ]]; then
+    allow_missing_verity=(--allow-missing-verity)
 fi
 
 if test "${boot_type}" = "uki"; then
-  /run/packaging/seal-uki /run/target /out /run/secrets "${allow_missing_verity}" "${seal_state}"
+  kver=$(bootc container inspect --rootfs /run/kernel --json | jq -r '.kernel.version')
+
+  /run/packaging/seal-uki \
+      --target /run/target \
+      --output /out \
+      --secrets /run/secrets \
+      "${allow_missing_verity[@]}" \
+      --kernel-dir "/run/kernel/boot/$kver" \
+      --seal-state $seal_state
 fi
 EORUN
 
@@ -54,9 +74,11 @@ FROM upgrade-base
 ARG boot_type
 RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
     --mount=type=bind,from=packaging,src=/,target=/run/packaging \
+    --mount=type=bind,from=kernel,src=/,target=/run/kernel \
     --mount=type=bind,from=sealed-upgrade-uki,src=/,target=/run/sealed-uki <<EORUN
 set -xeuo pipefail
 if test "${boot_type}" = "uki"; then
-  /run/packaging/finalize-uki /run/sealed-uki/out
+  kver=$(bootc container inspect --rootfs /run/kernel --json | jq -r '.kernel.version')
+  /run/packaging/finalize-uki /run/sealed-uki/out $kver
 fi
 EORUN
diff --git a/tmt/tests/booted/tap.nu b/tmt/tests/booted/tap.nu
index b8b0b3f7e..c25a89479 100644
--- a/tmt/tests/booted/tap.nu
+++ b/tmt/tests/booted/tap.nu
@@ -89,26 +89,44 @@ export def make_uki_containerfile [containerfile: string] {
         return $containerfile
     }
 
-    let allow_missing_verity = $st.status.booted.composefs.missingVerityAllowed
+    let allow_missing_verity = if $st.status.booted.composefs.missingVerityAllowed {
+        "--allow-missing-verity"
+    } else {
+        ""
+    }
+
     # TODO: Handle sealed UKI
     let seal_state = "unsealed"
 
     let uki_stuff = $"
+        FROM base as kernel
+        RUN <<-EOF
+            kver=$\(bootc container inspect --rootfs / --json | jq -r '.kernel.version'\)
+            bootc internals uki extract /boot/EFI/Linux/$kver.efi /boot
+        EOF
+
         FROM base as base-final
         RUN rm -rf /boot/EFI/Linux/*.efi
 
         FROM base as sealed-uki
         RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \\
             --mount=type=bind,from=base-final,src=/,target=/run/target \\
-            /usr/bin/seal-uki /run/target /out /run/secrets ($allow_missing_verity) ($seal_state)
+            --mount=type=bind,from=kernel,src=/,target=/run/kernel \\
+              /usr/bin/seal-uki \\
+                  --target /run/target \\
+                  --output /out \\
+                  --secrets /run/secrets ($allow_missing_verity) \\
+                  --kernel-dir /run/kernel/boot/$\(bootc container inspect --rootfs /run/kernel --json | jq -r '.kernel.version'\) \\
+                  --seal-state ($seal_state)
 
         FROM base-final
 
         # Copy the sealed UKI and finalize the image remove raw kernel, create symlinks
         RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \\
             --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki \\
-            /usr/bin/finalize-uki /run/sealed-uki/out
-    "
+            --mount=type=bind,from=kernel,src=/,target=/run/kernel \\
+            /usr/bin/finalize-uki /run/sealed-uki/out $\(bootc container inspect --rootfs /run/kernel --json | jq -r '.kernel.version'\)
+    " | lines | each { str trim } | str join "\n"
 
     return $"($containerfile)\n($uki_stuff)"
 }
diff --git a/tmt/tests/booted/test-install-to-filesystem-var-mount.sh b/tmt/tests/booted/test-install-to-filesystem-var-mount.sh
index 5025b0a76..84e09da8e 100644
--- a/tmt/tests/booted/test-install-to-filesystem-var-mount.sh
+++ b/tmt/tests/booted/test-install-to-filesystem-var-mount.sh
@@ -34,24 +34,47 @@ is_composefs=$(bootc status --json | jq '.status.booted.composefs')
 boot_type=$(bootc status --json | jq -r '.status.booted.composefs.bootType' | tr '[:upper:]' '[:lower:]')
 
 if [[ $is_composefs != "null" && $boot_type == "uki" ]]; then
-    allow_missing_verity=$(bootc status --json | jq -r '.status.booted.composefs.missingVerityAllowed')
-    seal_state="unsealed"
-
-    cat >> /tmp/Containerfile.drop-lbis <<-EOF
-    FROM base as base-final
-    RUN rm -rf /boot/EFI/Linux/*.efi
+    allow_missing_verity=()
 
-    FROM base as sealed-uki
-    RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-        --mount=type=bind,from=base-final,src=/,target=/run/target \
-        /usr/bin/seal-uki /run/target /out /run/secrets $allow_missing_verity $seal_state
+    if [[ "$(bootc status --json | jq -r '.status.booted.composefs.missingVerityAllowed')" == "true" ]]; then
+        allow_missing_verity=("--allow-missing-verity")
+    fi
 
-    FROM base-final
+    seal_state="unsealed"
 
-    # Copy the sealed UKI and finalize the image remove raw kernel, create symlinks
-    RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
-        --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki \
-        /usr/bin/finalize-uki /run/sealed-uki/out
+    cat >> /tmp/Containerfile.drop-lbis <<-EOF
+FROM base as kernel
+RUN <<-RUNEOF
+    kver=\$(bootc container inspect --rootfs / --json | jq -r '.kernel.version')
+    bootc internals uki extract /boot/EFI/Linux/\$kver.efi /boot
+RUNEOF
+
+FROM base as base-final
+RUN rm -rf /boot/EFI/Linux/*.efi
+
+FROM base as sealed-uki
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=kernel,src=/,target=/run/kernel \
+    --mount=type=bind,from=base-final,src=/,target=/run/target <<RUNEOF
+
+    kver=\$(bootc container inspect --rootfs /run/kernel --json | jq -r '.kernel.version')
+
+    /usr/bin/seal-uki \
+      --target /run/target \
+      --output /out \
+      --secrets /run/secrets \
+      --kernel-dir /run/kernel/boot/\$kver \
+      --seal-state $seal_state \
+      "${allow_missing_verity[@]}"
+
+RUNEOF
+
+FROM base-final
+
+RUN --network=none --mount=type=tmpfs,target=/run --mount=type=tmpfs,target=/tmp \
+    --mount=type=bind,from=sealed-uki,src=/,target=/run/sealed-uki \
+    --mount=type=bind,from=kernel,src=/,target=/run/kernel \
+    /usr/bin/finalize-uki /run/sealed-uki/out \$(bootc container inspect --rootfs /run/kernel --json | jq -r '.kernel.version')
 EOF
 fi