docs: Enhance installation documentation with DPS and provisioning flow

Add comprehensive documentation for the installation process, with particular
focus on the Discoverable Partitions Specification (DPS) and first-boot
provisioning.

Main documentation (bootc-install.md):
- Add DPS section explaining partition type GUIDs and auto-discovery
- Add table showing when DPS vs explicit root= kargs are used
- Add provisioning and first boot section covering cloud-init,
  Ignition, SSH key injection, and custom provisioning
- Document the .bootc-aleph.json provenance file
- Fix typos ('boot install' -> 'bootc install', 'pased' -> 'passed')

Man page (bootc-install-to-disk.8.md):
- Document partition layout conceptually (avoiding specific sizes/GUIDs
  that may change between versions)
- Explain root filesystem discovery with systemd-gpt-auto-generator

Rustdoc for install.rs:
- Add comprehensive module documentation
- Document all installation modes (to-disk, to-filesystem, to-existing-root, reset)
- Explain OSTree vs Composefs storage backends
- Document key types (State, RootSetup, SourceInfo, SELinuxFinalState)
- List configuration paths and submodules

Rustdoc for discoverable_partition_specification.rs:
- Explain how bootc uses DPS for partition creation
- Document automatic root discovery mechanism
- Describe composefs and sealed boot integration

Assisted-by: OpenCode (Claude Sonnet 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/lib/src/discoverable_partition_specification.rs

@@ -6,6 +6,68 @@
 //! UAPI Group's Discoverable Partitions Specification.
 //!
 //! Reference: <https://uapi-group.org/specifications/specs/discoverable_partitions_specification/>
+//!
+//! # Overview
+//!
+//! The Discoverable Partitions Specification (DPS) defines standardized partition
+//! type GUIDs that enable automatic discovery and mounting of partitions without
+//! explicit configuration. This is a key enabler for bootc's installation process
+//! and for modern systemd-based initramfs implementations.
+//!
+//! # How bootc uses DPS
+//!
+//! When `bootc install to-disk` creates partitions, it sets the appropriate DPS
+//! partition type GUID based on the target CPU architecture. This enables several
+//! important capabilities:
+//!
+//! ## Automatic root discovery
+//!
+//! With a DPS-aware bootloader and initramfs (containing `systemd-gpt-auto-generator`),
+//! the root filesystem can be discovered and mounted automatically without requiring
+//! a `root=` kernel argument. The initramfs:
+//!
+//! 1. Reads the EFI `LoaderDevicePartUUID` variable to identify the boot disk
+//! 2. Scans the GPT for a partition with the architecture-specific root type GUID
+//! 3. Mounts that partition as the root filesystem
+//!
+//! ## Architecture-specific partition types
+//!
+//! Each CPU architecture has its own root partition type GUID. This prevents
+//! accidentally booting a system on incompatible hardware. bootc uses
+//! [`this_arch_root`] to select the correct GUID at compile time.
+//!
+//! ## Composefs and sealed boot
+//!
+//! When using the composefs backend with UKIs (Unified Kernel Images), bootc can
+//! omit the `root=` kernel argument entirely. This enables:
+//!
+//! - Measured boot: The kernel command line is part of the UKI signature
+//! - Simplified image building: No machine-specific kernel arguments needed
+//! - systemd-repart integration: Future support for declarative partition management
+//!
+//! # Partition types included
+//!
+//! This module defines constants for:
+//!
+//! - **Root partitions**: Architecture-specific root filesystem partitions
+//! - **USR partitions**: Separate `/usr` partitions (included for spec completeness; not currently used by bootc)
+//! - **Verity partitions**: dm-verity hash partitions for integrity verification
+//! - **Verity signature partitions**: Signed verity root hashes
+//! - **Special partitions**: ESP, XBOOTLDR, swap, home, var, etc.
+//!
+//! # Usage (internal)
+//!
+//! This is an internal module. Within bootc, it is used like:
+//!
+//! ```ignore
+//! use crate::discoverable_partition_specification::{this_arch_root, ESP};
+//!
+//! // Get the root partition type GUID for the current architecture
+//! let root_type: &str = this_arch_root();
+//!
+//! // ESP GUID is architecture-independent
+//! let esp_type: &str = ESP;
+//! ```
 
 // ============================================================================
 // ROOT PARTITIONS

crates/lib/src/install.rs

@@ -1,8 +1,141 @@
 //! # Writing a container to a block device in a bootable way
 //!
-//! This module supports installing a bootc-compatible image to
-//! a block device directly via the `install` verb, or to an externally
-//! set up filesystem via `install to-filesystem`.
+//! This module implements the core installation logic for bootc, enabling a container
+//! image to be written to storage in a bootable form. It bridges the gap between
+//! OCI container images and traditional bootable Linux systems.
+//!
+//! ## Overview
+//!
+//! The installation process transforms a container image into a bootable system by:
+//!
+//! 1. **Preparing the environment**: Validating we're running in a privileged container,
+//!    handling SELinux re-execution if needed, and loading configuration.
+//!
+//! 2. **Setting up storage**: Either creating partitions (`to-disk`) or using
+//!    externally-prepared filesystems (`to-filesystem`).
+//!
+//! 3. **Deploying the image**: Pulling the container image into an ostree repository
+//!    and creating a deployment, or setting up a composefs-based root.
+//!
+//! 4. **Installing the bootloader**: Using bootupd, systemd-boot, or zipl depending
+//!    on architecture and configuration.
+//!
+//! 5. **Finalizing**: Trimming the filesystem, flushing writes, and freezing/thawing
+//!    the journal.
+//!
+//! ## Installation Modes
+//!
+//! ### `bootc install to-disk`
+//!
+//! Creates a complete bootable system on a block device. This is the simplest path
+//! and handles partitioning automatically using the Discoverable Partitions
+//! Specification (DPS). The partition layout includes:
+//!
+//! - **ESP** (EFI System Partition): Required for UEFI boot
+//! - **BIOS boot partition**: For legacy boot on x86_64
+//! - **Boot partition**: Optional, used when LUKS encryption is enabled
+//! - **Root partition**: Uses architecture-specific DPS type GUIDs for auto-discovery
+//!
+//! ### `bootc install to-filesystem`
+//!
+//! Installs to a pre-mounted filesystem, allowing external tools to handle complex
+//! storage layouts (RAID, LVM, custom LUKS configurations). The caller is responsible
+//! for creating and mounting the filesystem, then providing appropriate `--karg`
+//! options or mount specifications.
+//!
+//! ### `bootc install to-existing-root`
+//!
+//! "Alongside" installation mode that converts an existing Linux system. The boot
+//! partition is wiped and replaced, but the root filesystem content is preserved
+//! until reboot. Post-reboot, the old system is accessible at `/sysroot` for
+//! data migration.
+//!
+//! ### `bootc install reset`
+//!
+//! Creates a new stateroot within an existing bootc system, effectively providing
+//! a factory-reset capability without touching other stateroots.
+//!
+//! ## Storage Backends
+//!
+//! ### OSTree Backend (Default)
+//!
+//! Uses ostree-ext to convert container layers into an ostree repository. The
+//! deployment is created via `ostree admin deploy`, and bootloader entries are
+//! managed via BLS (Boot Loader Specification) files.
+//!
+//! ### Composefs Backend (Experimental)
+//!
+//! Alternative backend using composefs overlayfs for the root filesystem. Provides
+//! stronger integrity guarantees via fs-verity and supports UKI (Unified Kernel
+//! Images) for measured boot scenarios.
+//!
+//! ## Discoverable Partitions Specification (DPS)
+//!
+//! As of bootc 1.11, partitions are created with DPS type GUIDs from the
+//! [UAPI Group specification](https://uapi-group.org/specifications/specs/discoverable_partitions_specification/).
+//! This enables:
+//!
+//! - **Auto-discovery**: systemd-gpt-auto-generator can mount partitions without
+//!   explicit configuration
+//! - **Architecture awareness**: Root partition types are architecture-specific,
+//!   preventing cross-architecture boot issues
+//! - **Future extensibility**: Enables systemd-repart for declarative partition
+//!   management
+//!
+//! See [`crate::discoverable_partition_specification`] for the partition type GUIDs.
+//!
+//! ## Installation Flow
+//!
+//! The high-level flow is:
+//!
+//! 1. **CLI entry** → [`install_to_disk`], [`install_to_filesystem`], or [`install_to_existing_root`]
+//! 2. **Preparation** → [`prepare_install`] validates environment, handles SELinux, loads config
+//! 3. **Storage setup** → (to-disk only) [`baseline::install_create_rootfs`] partitions and formats
+//! 4. **Deployment** → [`install_to_filesystem_impl`] branches to OSTree or Composefs backend
+//! 5. **Bootloader** → [`crate::bootloader::install_via_bootupd`] or architecture-specific installer
+//! 6. **Finalization** → [`finalize_filesystem`] trims, flushes, and freezes the filesystem
+//!
+//! For a visual diagram of this flow, see the bootc documentation.
+//!
+//! ## Key Types
+//!
+//! - [`State`]: Immutable global state for the installation, including source image
+//!   info, SELinux state, configuration, and composefs options.
+//!
+//! - [`RootSetup`]: Represents the prepared root filesystem, including mount paths,
+//!   device information, boot partition specs, and kernel arguments.
+//!
+//! - [`SourceInfo`]: Information about the source container image, including the
+//!   ostree-container reference and whether SELinux labels are present.
+//!
+//! - [`SELinuxFinalState`]: Tracks SELinux handling during installation (enabled,
+//!   disabled, host-disabled, or force-disabled).
+//!
+//! ## Configuration
+//!
+//! Installation is configured via TOML files loaded from multiple paths in
+//! systemd-style priority order:
+//!
+//! - `/usr/lib/bootc/install/*.toml` - Distribution/image defaults
+//! - `/etc/bootc/install/*.toml` - Local overrides
+//!
+//! Files are merged alphanumerically, with higher-numbered files taking precedence.
+//! See [`config::InstallConfiguration`] for the schema.
+//!
+//! Key configurable options include:
+//! - Root filesystem type (xfs, ext4, btrfs)
+//! - Allowed block setups (direct, tpm2-luks)
+//! - Default kernel arguments
+//! - Architecture-specific overrides
+//!
+//! ## Submodules
+//!
+//! - [`baseline`]: The "baseline" installer for simple partitioning (to-disk)
+//! - [`config`]: TOML configuration parsing and merging
+//! - [`completion`]: Post-installation hooks for external installers (Anaconda)
+//! - [`osconfig`]: SSH key injection and OS configuration
+//! - [`aleph`]: Installation provenance tracking (.bootc-aleph.json)
+//! - `osbuild`: Helper APIs for bootc-image-builder integration
 
 // This sub-module is the "basic" installer that handles creating basic block device
 // and filesystem setup.

docs/src/bootc-install.md

@@ -26,7 +26,7 @@ This requires running the container via `--privileged`; it uses the running Linu
 on the host to write the file content from the running container image; not the kernel
 inside the container.
 
-There are two sub-commands: `bootc install to-disk` and `boot install to-filesystem`.
+There are two sub-commands: `bootc install to-disk` and `bootc install to-filesystem`.
 
 However, nothing *else* (external) is required to perform a basic installation
 to disk - the container image itself comes with a baseline self-sufficient installer
@@ -217,7 +217,7 @@ podman run --rm --privileged -v /dev:/dev -v /var/lib/containers:/var/lib/contai
              bootc install to-existing-root
 ```
 
-It is assumed in this command that the target rootfs is pased via `-v /:/target` at this time.
+It is assumed in this command that the target rootfs is passed via `-v /:/target` at this time.
 
 As noted above, the data in `/boot` will be wiped, but everything else in the existing
 operating `/` is **NOT** automatically cleaned up.  This can
@@ -346,6 +346,84 @@ This argument is mainly useful for 3rd-party tooling for building disk images fr
 containers (e.g. based on [osbuild](https://github.com/osbuild/osbuild)).   
 
 
+## Discoverable Partitions Specification (DPS)
+
+As of bootc 1.11, the default partitioning layout for `bootc install to-disk` uses the
+[Discoverable Partitions Specification (DPS)](https://uapi-group.org/specifications/specs/discoverable_partitions_specification/)
+from the UAPI Group. This is an important foundation for modern Linux systems.
+
+### What is DPS?
+
+The Discoverable Partitions Specification defines well-known partition type GUIDs for
+different purposes (root filesystem, ESP, swap, /home, etc.) and for different CPU
+architectures. When partitions use these standardized type GUIDs, systemd and other
+tools can automatically discover and mount them without explicit configuration.
+
+Each supported CPU architecture has its own root partition type GUID. See the
+[DPS specification](https://uapi-group.org/specifications/specs/discoverable_partitions_specification/)
+for the complete list of partition types.
+
+### How bootc uses DPS
+
+When `bootc install to-disk` creates partitions, it sets the appropriate DPS partition
+type GUID based on the target architecture. This enables:
+
+1. **Automatic root discovery**: With a DPS-aware bootloader and initramfs, the root
+   filesystem can be discovered automatically without a `root=` kernel argument.
+   This is handled by [systemd-gpt-auto-generator](https://www.freedesktop.org/software/systemd/man/latest/systemd-gpt-auto-generator.html).
+
+2. **Sealed/verified boot paths**: When using composefs with UKIs (Unified Kernel Images),
+   bootc can omit the `root=` kernel argument entirely. The initramfs uses DPS to find
+   the root partition, and composefs provides integrity verification.
+
+3. **Future systemd-repart integration**: DPS partition types allow systemd-repart to
+   automatically grow or create partitions based on declarative configuration.
+
+### When is DPS used vs explicit kernel arguments?
+
+| Installation Mode | Root Discovery Method |
+|-------------------|----------------------|
+| `to-disk` | Explicit `root=UUID=...` karg |
+| `to-filesystem --root-mount-spec=""` | DPS auto-discovery (no `root=` karg) |
+| `to-filesystem` (default) | Uses filesystem UUID as `root=UUID=...` karg |
+| `to-existing-root` | Inherits from existing system |
+
+For `to-disk`, bootc always injects a `root=UUID=<uuid>` kernel argument for
+compatibility, even though the partition type is set to the DPS GUID. This
+ensures the system boots on initramfs implementations that don't support
+DPS auto-discovery.
+
+For `to-filesystem`, the `--root-mount-spec=""` option (empty string) can be
+used to omit the `root=` kernel argument entirely, enabling DPS auto-discovery.
+This is useful when the bootloader and initramfs both support the
+[Boot Loader Interface](https://systemd.io/BOOT_LOADER_INTERFACE/).
+
+### Bootloader requirements for DPS auto-discovery
+
+DPS auto-discovery requires a bootloader that implements the Boot Loader
+Interface and sets the `LoaderDevicePartUUID` EFI variable. Supported
+bootloaders include:
+
+- **GRUB 2.12+** with the `bli` module (included in Fedora 43+, requires EFI boot)
+- **systemd-boot** (always supports the Boot Loader Interface)
+
+Older GRUB versions (without the `bli` module) do not set this variable and
+DPS auto-discovery will not work.
+
+### Implications for external installers
+
+If you're building tooling that uses `bootc install to-filesystem`, you should:
+
+1. **Set appropriate partition types**: Use the DPS type GUID for the root partition
+   when creating partitions externally.
+
+2. **Consider auto-discovery**: If your bootloader and initramfs support DPS, you
+   may be able to omit `root=` kernel arguments entirely.
+
+3. **Use `rootflags` for mount options**: Prefer the `rootflags=` kernel argument
+   over `/etc/fstab` for root mount options, as this works better with composefs
+   and DPS auto-discovery.
+
 ## Finding and configuring the physical root filesystem
 
 On a bootc system, the "physical root" is different from
@@ -393,3 +471,74 @@ Installation software such as [Anaconda](https://github.com/rhinstaller/anaconda
 do this today to implement generic `%post` scripts and the like.
 
 However, it is very likely that a generic bootc API to do this will be added.
+
+## Provisioning and first boot
+
+After `bootc install` completes, the system is ready for first boot. A key
+design principle is that **minimal machine-specific configuration should be
+injected at install time**. Instead, most configuration should happen at
+runtime—either at first boot or on every boot—using standard Linux mechanisms.
+
+This approach has several benefits:
+
+- **Simpler installation**: The install process doesn't need to know about
+  every possible configuration option
+- **Better fits the container model**: Configuration logic lives in the
+  container image, not in external tooling
+- **Easier updates**: Runtime configuration naturally applies to updated
+  deployments
+
+### Install-time configuration
+
+When some machine-specific data must be provided at install time, the preferred
+approaches depend on your boot setup:
+
+- **Type 1 BLS setups**: Use `bootc install --karg` to inject kernel arguments.
+  For example, `--karg ip=192.168.1.100::192.168.1.1:255.255.255.0:host1::none`
+  for static IP configuration, or `--karg console=ttyS0,115200` for serial console.
+
+- **UKI setups**: Use [UKI addons](https://uapi-group.org/specifications/specs/unified_kernel_image/#addon-uki-format)
+  (additional signed PE binaries containing extra kernel arguments or initrd content)
+  to provide machine-specific configuration while preserving the signed UKI.
+
+### Runtime configuration approaches
+
+Since bootc systems are standard Linux systems, any provisioning tool that
+works on Linux will work with bootc. Common approaches include:
+
+- **cloud-init**: If included in your container image, runs at first boot to
+  configure users, SSH keys, networking, and run custom scripts
+- **Ignition**: Runs in the initramfs before the real root is mounted; used
+  by Fedora CoreOS-style systems
+- **systemd-firstboot**: Configures locale, timezone, hostname, etc. on first boot
+- **Custom systemd services**: Use `ConditionFirstBoot=yes` for one-time setup,
+  or run on every boot for dynamic configuration
+
+The choice of provisioning tool depends on your base image and deployment
+environment—bootc itself is agnostic.
+
+### SSH key injection
+
+For simple SSH access without a full provisioning system, bootc provides the
+`--root-ssh-authorized-keys` option:
+
+```bash
+bootc install to-disk --root-ssh-authorized-keys /path/to/authorized_keys /dev/sda
+```
+
+This writes a systemd-tmpfiles configuration that ensures the SSH keys are
+present on every boot, even if `/root` is a tmpfs.
+
+### The `.bootc-aleph.json` file
+
+After installation, bootc writes a JSON file at the root of the physical
+filesystem (`.bootc-aleph.json`) containing installation provenance information:
+
+- The source image reference and digest
+- Installation timestamp
+- bootc version
+- Kernel version
+- SELinux state
+
+This file is useful for auditing and understanding how a system was provisioned.
+From the booted system, this file is accessible at `/sysroot/.bootc-aleph.json`.