diff --git a/usr/lib/akshara/utils/update.py b/usr/lib/akshara/utils/update.py
index ade42cd..1a58cfc 100644
--- a/usr/lib/akshara/utils/update.py
+++ b/usr/lib/akshara/utils/update.py
@@ -52,6 +52,7 @@ def merge_etc(new_rootfs: RootFS, overrides_keep_new: dict) -> None:
         for name in dcmp.left_only:
             subprocess.run(["cp", "-ax", "--", os.path.join(dcmp.left, name), dir_name])
         for name in dcmp.diff_files:
+            subprocess.run(["rm", "-f", "--", os.path.join(dir_name, name)])
             subprocess.run(["cp", "-ax", "--", os.path.join(dcmp.left, name), dir_name])
         for sub_dcmp in dcmp.subdirs.values():
             handle_diff_etc_files(sub_dcmp)
@@ -169,10 +170,25 @@ def update() -> None:
 
     new_rootfs = gen_rootfs(system_config, "/var/cache/akshara/rootfs")
 
+    if (
+        len(
+            [
+                kernel
+                for kernel in os.listdir(f"{new_rootfs}/boot")
+                if kernel.startswith("vmlinuz")
+            ]
+        )
+        == 0
+    ):
+        output.error("new rootfs contains no kernel")
+        output.error("refusing to proceed with applying update")
+        exit(1)
+
     overrides_keep_new = (
         {
             override["path"]: override["keep"] == "new"
             for override in system_config["override"]
+            if isinstance(override.get("keep"), str)
         }
         if isinstance(system_config.get("override"), list)
         else {}
@@ -207,19 +223,22 @@ def update() -> None:
 
     merge_var(new_rootfs, overrides_keep_new)
 
-    if (
-        len(
+    with open(
+        os.path.join(str(new_rootfs), "usr/immutable.list"), "w"
+    ) as immutable_list_file:
+        immutable_set = set(
             [
-                kernel
-                for kernel in os.listdir(f"{new_rootfs}/boot")
-                if kernel.startswith("vmlinuz")
+                override["path"]
+                for override in system_config["override"]
+                if isinstance(override.get("immutable"), bool) and override["immutable"]
             ]
+            if isinstance(system_config.get("override"), list)
+            else {}
         )
-        == 0
-    ):
-        output.error("new rootfs contains no kernel")
-        output.error("refusing to proceed with applying update")
-        exit(1)
+
+        immutable_set.add("/usr")
+
+        immutable_list_file.write("\n".join(list(immutable_set)))
 
     subprocess.run(["cp", "-ax", str(new_rootfs), "/.update_rootfs"])
 
diff --git a/usr/lib/dracut/modules.d/10akshara/handle-update.sh b/usr/lib/dracut/modules.d/10akshara/handle-update.sh
index a6b8b09..6884750 100755
--- a/usr/lib/dracut/modules.d/10akshara/handle-update.sh
+++ b/usr/lib/dracut/modules.d/10akshara/handle-update.sh
@@ -36,4 +36,7 @@ if [ -d "$NEWROOT"/.update_rootfs ]; then
     touch "$NEWROOT"/.successful-update
 fi
 
-mount -o ro,bind "$NEWROOT"/usr "$NEWROOT"/usr
+# Handle immutable paths
+if [ -f "$NEWROOT/usr/immutable.list" ]; then
+    while IFS= read -r immutablepath; do mount -o ro,bind "$NEWROOT"/"$immutablepath" "$NEWROOT"/"$immutablepath" >/dev/null 2>&1 || true; done < "$NEWROOT"/usr/immutable.list
+fi