Skip to content

microagent kernel

Last updated: 2026-06-27

microagent kernel list [--all] [--backend <name>] [--arch <arch>] List available kernels
microagent kernel check [--backend <name>] [--arch <arch>] Check the installed kernel
microagent kernel install [--channel <ch>] [--version <ver>] [--url <url>] [--from <path>] [--sha256 <sum>] [--out <path>] Install a kernel
microagent kernel verify --path <path> --sha256 <sum> Verify a kernel checksum

kernel manages the guest kernel the microVMs boot. Most users can stick with microagent run IMAGE [COMMAND ARG...] and let microagent install the latest signed kernel automatically. Use kernel when you need to list, check, or install a specific kernel.

Available kernels come from a cryptographically signed manifest on kernels.microagent.sh. list, check, and install fetch that manifest and verify it against a TUF root embedded in the binary before trusting any entry, so a tampered or unsigned manifest yields an error rather than a bad kernel.

List the kernels available for this host:

Terminal window
microagent kernel list

Check whether the installed kernel is current - and whether any gap is security-relevant:

Terminal window
microagent kernel check

Install the latest signed kernel, or a specific version or channel:

Terminal window
microagent kernel install
microagent kernel install --version 6.1.155
microagent kernel install --channel lts

Kernels are published on channels (default lts); --channel selects one.

Install from a URL with an explicit checksum (custom kernel outside the manifest):

Terminal window
microagent kernel install \
--url https://example.com/Image \
--sha256 4bbe8b2fd19f78fea4bf02d52a67482227a896c90a63f272b6a084fa46a416c0

Verify an existing kernel:

Terminal window
microagent kernel verify \
--path ~/.microagent/kernels/linux-kvm/amd64/Image \
--sha256 4bbe8b2fd19f78fea4bf02d52a67482227a896c90a63f272b6a084fa46a416c0

list prints the kernels available in the signed manifest for the host backend and architecture, or every backend with --all.

FlagDescription
--allList kernels for all backends/architectures
--arch <arch>Guest architecture
--backend <name>Backend identity override

check reports whether the installed kernel is current, optional (behind the latest but at or above the security floor), security (below the floor - missing security fixes), or unknown. The installed version is resolved by matching the local kernel’s checksum against the signed manifest.

FlagDescription
--arch <arch>Guest architecture
--backend <name>Backend identity override

With no options, install downloads the latest signed kernel for the host backend and architecture. --version pins a specific manifest version; --url or --from install a custom kernel outside the manifest.

FlagDescription
--version <ver>Install a specific manifest version (default: latest)
--url <url>Download URL (custom kernel)
--from <path>Local kernel path (custom kernel)
--sha256 <sum>Expected SHA-256
--out <path>Output path (defaults to the writable kernel path for the host)
--arch <arch>Guest architecture
--backend <name>Backend identity override

verify checks that a kernel file matches an expected SHA-256.

FlagDescription
--path <path>Kernel path
--sha256 <sum>Expected SHA-256
--arch <arch>Guest architecture
--backend <name>Backend identity override
HostDefault kernel path
Apple VF, arm64~/.microagent/kernels/apple-vf/arm64/Image
Linux KVM, amd64~/.microagent/kernels/linux-kvm/amd64/Image

kernel subcommands exit 0 on success; nonzero when the manifest cannot be fetched or verified, the download fails, the checksum does not match, or the kernel file cannot be read or written. In AX mode a failure is written as a structured error envelope.

  • doctor - reports whether the kernel is installed
  • Backends - kernel expectations per backend