Immutable Linux distribution Nitrux 6.0.0 adds GPU passthrough, boot-level recovery, C++ update system

Nitrux 6.0.0, released March 3, 2026, packages several components that security practitioners running Linux workstations will find worth examining: a new hypervisor orchestrator with IOMMU-enforced isolation, a rewritten update system with cryptographic verification, and a recovery mechanism that operates from within the boot process itself.

The distribution, built by Nitrux Latinoamericana, runs on an immutable root filesystem and targets hardware enthusiasts and power users. It ships two ISO variants: one configured for NVIDIA GPUs using the NVIDIA Open Kernel Module 590.48.01, and one for AMD and Intel hardware using MESA 25.3.3. The kernel is Linux 6.13.2 with CachyOS patches.

GPU passthrough with IOMMU isolation

VxM is the new hypervisor orchestration utility included in 6.0.0. Written in C++, it enables concurrent execution of guest operating systems with GPU hardware passed directly to those guests using VFIO PCI passthrough. IOMMU groups are validated at runtime, which enforces hardware-level isolation between the host and guest domains.

The utility includes dynamic VFIO binding: it performs runtime driver overrides to vfio-pci, handles BDF normalization, and validates IOMMU groups before binding. It also provisions hugepages automatically and initializes IVSHMEM for low-latency frame relay between host and guest. The rootless model runs QEMU without elevated privileges during guest execution; privileged operations are confined to a pre-flight hardware preparation stage.
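The BDF normalization and IOMMU group validation described above can be sketched as a read-only pre-flight check over the kernel's standard sysfs layout. This is an added example, not VxM's code: the function names are hypothetical, the sample tree is constructed, and the rule that PCI bridges may stay on their host driver is the usual VFIO convention rather than something the release notes state.

```python
import re
import tempfile
from pathlib import Path

BDF_RE = re.compile(r"^(?:([0-9a-f]{1,4}):)?([0-9a-f]{1,2}):([0-9a-f]{1,2})\.([0-7])$", re.I)

def normalize_bdf(text):
    """Canonical 'dddd:bb:dd.f' PCI address; the domain defaults to 0000."""
    m = BDF_RE.match(text.strip())
    if not m or int(m.group(3), 16) > 0x1F:  # device number is only 5 bits
        raise ValueError(f"not a PCI address: {text!r}")
    dom, bus, dev, fn = m.groups()
    return f"{int(dom or '0', 16):04x}:{int(bus, 16):02x}:{int(dev, 16):02x}.{fn}"

def group_members(bdf, sysfs="/sys"):
    """Every PCI function that shares the IOMMU group of `bdf`."""
    members = Path(sysfs, "bus/pci/devices", bdf, "iommu_group", "devices")
    if not members.is_dir():
        raise RuntimeError(f"{bdf}: no IOMMU group (IOMMU off or device absent)")
    return sorted(p.name for p in members.iterdir())

def preflight(targets, sysfs="/sys"):
    """Group members that block handover; bridges (class 0x0604xx) are exempt."""
    wanted = {normalize_bdf(t) for t in targets}
    blockers = []
    for bdf in sorted(wanted):
        for member in group_members(bdf, sysfs):
            pci_class = Path(sysfs, "bus/pci/devices", member, "class").read_text().strip()
            if member not in wanted and not pci_class.startswith("0x0604"):
                blockers.append((bdf, member, pci_class))
    return blockers

def build_sample_sysfs(root):
    """Constructed tree: group 14 = bridge, GPU, GPU audio; group 15 = GPU, NIC."""
    sample = {"0000:00:01.0": ("0x060400", 14), "0000:01:00.0": ("0x030000", 14),
              "0000:01:00.1": ("0x040300", 14), "0000:02:00.0": ("0x030000", 15),
              "0000:03:00.0": ("0x020000", 15)}
    for bdf, (pci_class, group) in sample.items():
        dev = Path(root, "bus/pci/devices", bdf)
        grp = Path(root, "kernel/iommu_groups", str(group))
        dev.mkdir(parents=True)
        (grp / "devices").mkdir(parents=True, exist_ok=True)
        (dev / "class").write_text(pci_class + "\n")
        (dev / "iommu_group").symlink_to(grp)
        (grp / "devices" / bdf).symlink_to(dev)
    return root

if __name__ == "__main__":
    tree = build_sample_sysfs(tempfile.mkdtemp())
    print(preflight(["01:00.0", "1:0.1"], tree), preflight(["02:00.0"], tree))
```

An empty list means every endpoint in the group is part of the request; a non-empty one names the functions that would otherwise stay on a host driver inside the same isolation boundary as the guest's device.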

Input arbitration uses evdev passthrough with interrupt handling. DDC/CI automation writes VCP commands to the monitor bus to switch input sources when VM state changes, reducing the need for a physical KVM switch in multi-GPU configurations.

Update system rewritten in C++ with PolicyKit gating

The Nitrux Update Tool System, referred to as nuts-cpp, replaces a prior shell script implementation. The rewrite adopts a client-server architecture in C++ with a MauiKit graphical interface. All privileged operations are gated through PolicyKit integration.

The system uses atomic operations to maintain transaction integrity during updates. It creates XFS snapshots that are cryptographically verified before use, and supports offline rollbacks from those snapshots.

The shell script version of NUTS is being retired. The upgrade path from Nitrux 5.1.0 to 6.0.0 is the last one that will be supported through the old implementation.

Rescue mode built into the boot process

Nitrux Rescue Mode is an initramfs-based recovery mechanism that operates without external media such as a Live ISO or USB drive. It uses the cryptographically verified XFS backup created by NUTS to wipe and re-image the root partition. After restoration, it regenerates the bootloader configuration automatically. The mechanism appears as a selectable entry in GRUB.

This approach keeps recovery self-contained within the installed system, which matters in environments where removable media is restricted or unavailable.

Network and kernel hardening changes

A sysctl configuration change prevents the system from modifying its routing table based on unauthenticated network messages. The NVMe drive is also configured to avoid deep power-saving states, which eliminates wake-up timeouts that previously extended boot time.

DNSCrypt-proxy resolver configuration is updated to use the latest resolvers. Initramfs now includes the exfat driver for early boot, and the upstream initramfs microcode hooks have been replaced with custom versions.

Login infrastructure updated for Wayland

QMLGreet replaces QtGreet as the login screen. It runs natively on Wayland compositors using the wlr-layer-shell-unstable-v1 protocol and integrates with logind or elogind via D-Bus. It does not require systemd. The implementation is built in C++ with MauiKit and supports configurable color schemes, font settings, icon themes, and wallpapers with automatic blur effects.

NudgeOSD, also new in this release, is a QML-based on-screen display for keyboard shortcuts and system notifications. It runs in the background and listens for D-Bus commands, supporting both system icon themes and Nerd Fonts.

Intel Xe driver selection

A new GRUB entry labeled “Intel Xe Mode” lets users with supported Intel iGPUs and Intel Arc GPUs select the xe driver over the older i915 driver. Supported hardware includes Gen12 (Xe-LP), Meteor Lake (Xe-LPG), and Lunar Lake with Xe2. Hardware predating Gen12, including Ice Lake and Skylake-era parts, is not supported by the new driver path.

Component versions

Other updated components include Hyprland 0.53.3, Flatpak 1.16.2, NetworkManager 1.54.3, Python 3.13.9, Wireplumber 0.5.13, Calamares 3.3.14, and Distrobox 1.8.2.4. The scx scheduler and utilities are updated to version 1.0.20.
