diff --git a/oscore/bootable-rpm-ostree.yaml b/oscore/bootable-rpm-ostree.yaml index 55f540e..4a1f243 100644 --- a/oscore/bootable-rpm-ostree.yaml +++ b/oscore/bootable-rpm-ostree.yaml @@ -1,31 +1,6 @@ -# This minimal base starts just from: kernel + systemd + rpm-ostree + bootloader. -# The intent of this is to inherit from this if you are doing something highly -# custom that e.g. might not involve Ignition or podman, but you do want -# rpm-ostree. -# We expect most people though using coreos-assembler to inherit from -# fedora-coreos-base.yaml. packages: - # Kernel + systemd. - - kernel systemd - # linux-firmware now a recommends so let's explicitly include it - # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b - # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide - - linux-firmware - - bootc - # rpm-ostree - rpm-ostree nss-altfiles -postprocess: - # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253 - # https://bugzilla.redhat.com/show_bug.cgi?id=2112857 - # https://github.com/coreos/rpm-ostree/issues/3918 - # Temporary workaround to remove the SetGID binary from liblockfile that is - # pulled by the s390utils but not needed for /usr/sbin/zipl. - - | - #!/usr/bin/env bash - set -xeuo pipefail - rm -f /usr/bin/dotlockfile - exclude-packages: # Exclude kernel-debug-core to make sure that it doesn't somehow get # chosen as the package to satisfy the `kernel-core` dependency from diff --git a/oscore/bootc.yaml b/oscore/bootc.yaml new file mode 100644 index 0000000..ed35b97 --- /dev/null +++ b/oscore/bootc.yaml 
@@ -0,0 +1,15 @@ +# A relatively minimal base, but we also do include linux-firmware so +# we can be directly booted on metal. +packages: + - kernel systemd + # linux-firmware now a recommends so let's explicitly include it + # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b + # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide + - linux-firmware + - bootc + +exclude-packages: + # Exclude kernel-debug-core to make sure that it doesn't somehow get + # chosen as the package to satisfy the `kernel-core` dependency from + # the kernel package. + - kernel-debug-core diff --git a/oscore/bootupd.yaml b/oscore/bootupd.yaml index b3570b5..cb9d662 100644 --- a/oscore/bootupd.yaml +++ b/oscore/bootupd.yaml @@ -16,6 +16,11 @@ packages-x86_64: - grub2 grub2-efi-x64 efibootmgr shim - microcode_ctl +conditional-include: + - if: basearch != "s390x" + # And remove some cruft from grub2 + include: grub2-removals.yaml + postprocess: - | #!/bin/bash diff --git a/oscore/manifest.yaml b/oscore/manifest.yaml index 6a9570f..c393d21 100644 --- a/oscore/manifest.yaml +++ b/oscore/manifest.yaml @@ -26,6 +26,7 @@ check-groups: filename: "group" include: + - bootc.yaml - bootable-rpm-ostree.yaml - file-transfer.yaml - networking-tools.yaml @@ -34,11 +35,6 @@ include: - shared-workarounds.yaml - fwupd.yaml -conditional-include: - - if: basearch != "s390x" - # And remove some cruft from grub2 - include: grub2-removals.yaml - remove-from-packages: # Generally we expect other tools to do this (e.g. Ignition or cloud-init) - [systemd, /usr/bin/systemd-firstboot, @@ -57,8 +53,6 @@ mutate-os-release: "${releasever}" packages: # Include and set the default editor - nano - # Security - - polkit # Containers - systemd-container catatonit - fuse-overlayfs slirp4netns 
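Review bot: In the new oscore/bootc.yaml, the `exclude-packages:` entry for `kernel-debug-core` duplicates a block that oscore/bootable-rpm-ostree.yaml appears to keep (its comment is still context in the first hunk), so the exclusion now lives in two files that can drift apart. Since the kernel is now installed from bootc.yaml, keeping the exclusion only here would be clearer; otherwise add `# Also listed in bootable-rpm-ostree.yaml; keep both in sync`. Separately, the same commit removes the explicit `polkit` entry (listed under `# Security`) from manifest.yaml and no visible hunk re-adds it. If it is expected to arrive as a dependency, a one-line comment naming the package that pulls it in would make that intent reviewable.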
@@ -155,6 +149,15 @@ postprocess: ln -sf /usr/sbin/iptables-nft /etc/alternatives/iptables ln -sf /usr/sbin/iptables-nft-restore /etc/alternatives/iptables-restore ln -sf /usr/sbin/iptables-nft-save /etc/alternatives/iptables-save + # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253 + # https://bugzilla.redhat.com/show_bug.cgi?id=2112857 + # https://github.com/coreos/rpm-ostree/issues/3918 + # Temporary workaround to remove the SetGID binary from liblockfile that is + # pulled by the s390utils but not needed for /usr/sbin/zipl. + - | + #!/usr/bin/env bash + set -xeuo pipefail + rm -f /usr/bin/dotlockfile # Things we don't expect to ship on the host. We currently # have recommends: false so these could only come in via
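Review bot: Moving the `rm -f /usr/bin/dotlockfile` step into manifest.yaml narrows where the SetGID binary gets stripped: the first hunk deletes it from bootable-rpm-ostree.yaml, so a tree that inherits only from that file (or from the new bootc.yaml) would presumably ship the binary again whenever liblockfile is pulled in. If that is intended, say so next to the step, e.g. `# Only applied via manifest.yaml; trees including just bootable-rpm-ostree.yaml must strip this themselves`. Also, `rm -f` succeeds silently if the path ever changes, so the workaround can stop working without the build noticing; since the comment calls it temporary, a pointer to the condition for dropping it would help. The `postprocess:` list and the preceding script start outside this hunk.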