
Achieving Secure Boot Chains: Testing Sealed Bootable Container Images for Fedora Atomic Desktops

Last updated: 2026-05-02 02:08:01 · Linux & DevOps

Introduction

The Fedora Atomic Desktops team has reached an exciting milestone: sealed bootable container images are now available for testing. These images bring a fully verified boot chain to your system, from firmware to operating system, leveraging Secure Boot and modern Linux technologies. This article explains what sealed images are, how they work, and how you can test them yourself.

Achieving Secure Boot Chains: Testing Sealed Bootable Container Images for Fedora Atomic Desktops
Source: fedoramagazine.org

What Are Sealed Bootable Container Images?

Sealed bootable container images are complete operating system images that include all components required to establish a trusted, verified boot sequence. The verification starts at the firmware level and extends to the composefs image layer. Because this relies on Secure Boot, it only supports UEFI-based systems on x86_64 and aarch64 architectures.

Components of the Verified Boot Chain

  • systemd-boot – acts as the bootloader.
  • Unified Kernel Image (UKI) – a single EFI executable that bundles the Linux kernel, an initial ramdisk (initrd), and the kernel command line.
  • composefs repository – a filesystem image with fs-verity enabled, managed by bootc and providing integrity verification for all files.

Both systemd-boot and the UKI are signed for Secure Boot. Note that these test images are signed with temporary test keys, not the official Fedora signing keys.

Key Benefit: Passwordless Disk Unlocking

The most immediate advantage of this sealed boot chain is the ability to enable passwordless disk unlocking via the Trusted Platform Module (TPM). Because the boot process is fully verified, the TPM can securely release the disk encryption key without requiring a password, offering a reasonable level of security by default.
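To make concrete why the verified chain of components listed above is what allows the TPM to release the key, here is a small simulation, added here as an example and not code from the Fedora article, bootc or systemd. It models TPM PCR extension and PCR-bound sealing with `hashlib` only: the PCR numbers (4 for boot applications, 11 for UKI sections), the constructed stand-in binaries, the `TPM_SECRET` value and the XOR-with-keystream sealing are all assumptions of this toy, while the measure-then-compare principle is the one a real TPM policy enforces.

```python
"""Toy model of PCR measurement and PCR-bound key sealing (added example)."""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank

# Constructed stand-ins for the real signed binaries and the cmdline.
GOOD_BOOTLOADER = b"systemd-boot (signed with temporary test key)"
GOOD_UKI = b"uki: kernel + initrd + .cmdline section"
GOOD_CMDLINE = b"root=/dev/mapper/luks-root composefs=verity rw quiet"

# Stands in for the TPM's internal storage secret; never leaves the TPM in reality.
TPM_SECRET = b"constructed-tpm-storage-root-key"


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(bootloader: bytes, uki: bytes, cmdline: bytes) -> dict:
    """Simulate the measurements made on the way from firmware to UKI.
    PCR assignment is an assumption of this toy: PCR 4 for EFI boot
    applications, PCR 11 for the sections the UKI stub measures."""
    pcrs = {4: bytes(PCR_SIZE), 11: bytes(PCR_SIZE)}
    pcrs[4] = extend(pcrs[4], bootloader)  # firmware measures systemd-boot
    pcrs[4] = extend(pcrs[4], uki)         # systemd-boot measures the UKI
    pcrs[11] = extend(pcrs[11], uki)       # UKI stub measures its own sections
    pcrs[11] = extend(pcrs[11], cmdline)   # including the embedded cmdline
    return pcrs


def policy_digest(pcrs: dict, selection=(4, 11)) -> bytes:
    """Digest over the selected PCRs; stands in for the TPM's PCR policy."""
    h = hashlib.sha256()
    for idx in selection:
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


def seal(key: bytes, pcrs: dict) -> dict:
    """Bind a key to the current PCR state: blob = key XOR KDF(policy)."""
    policy = policy_digest(pcrs)
    stream = hmac.new(TPM_SECRET, policy, hashlib.sha256).digest()
    if len(key) > len(stream):
        raise ValueError("toy sealer handles keys of at most 32 bytes")
    return {"policy": policy, "blob": bytes(k ^ s for k, s in zip(key, stream))}


def unseal(sealed: dict, pcrs: dict):
    """Release the key only if the live PCRs reproduce the sealed policy."""
    if not hmac.compare_digest(policy_digest(pcrs), sealed["policy"]):
        return None  # policy check fails: the TPM releases nothing
    stream = hmac.new(TPM_SECRET, sealed["policy"], hashlib.sha256).digest()
    return bytes(b ^ s for b, s in zip(sealed["blob"], stream))


def demo() -> tuple:
    """Seal a constructed volume key to the good chain, then retry after a
    change to the measured cmdline. Returns (released_on_good, refused_on_change)."""
    disk_key = b"constructed-luks-volume-key-32by"
    good = measure_boot_chain(GOOD_BOOTLOADER, GOOD_UKI, GOOD_CMDLINE)
    sealed = seal(disk_key, good)
    released = unseal(sealed, good) == disk_key
    changed = measure_boot_chain(GOOD_BOOTLOADER, GOOD_UKI, GOOD_CMDLINE + b" debug")
    refused = unseal(sealed, changed) is None
    return released, refused


if __name__ == "__main__":
    print("key released on verified chain, refused after change:", demo())
```

Every byte that is measured before the key is requested (bootloader, UKI, command line) changes the PCR values, so a key sealed to the verified chain cannot be obtained by a modified one; on a real system this binding is set up by the TPM enrollment tooling (for example `systemd-cryptenroll --tpm2-device=auto`), and the choice of which PCRs to bind to decides what the unlock is sensitive to.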

Testing the Pre-built Images

Ready to give sealed container images a try? Step-by-step instructions for downloading and running pre-built disk images (or building your own) are available in the fedora-atomic-desktops-sealed repository. The guide covers both container-based and traditional disk image usage.

How to Get Started

  1. Clone or visit the repository
  2. Follow the instructions to obtain a pre-built image or build from source
  3. Boot the image on a UEFI system (x86_64 or aarch64)
  4. Test features like passwordless disk unlocking and verified boot

Important Considerations for Test Images

These are testing images only. They are not intended for production use. Please note the following:

  • The root account has no password set.
  • SSH is enabled by default for easier debugging.
  • Secure Boot signatures are applied with test keys – not official Fedora keys.
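Before putting a test machine on a network it is worth checking which of those debugging defaults are in effect. The following audit is an added example, not code from the Fedora article or the sealed-images repository: it parses shadow(5) entries and sshd_config(5) directives and flags the combination of a passwordless root account with root login permitted over SSH. The sample shadow and sshd_config text is constructed and does not describe the real contents of the test images; the defaults assumed for absent sshd directives (`PermitRootLogin prohibit-password`, `PermitEmptyPasswords no`) are the upstream OpenSSH defaults.

```python
"""Audit shadow and sshd_config text for passwordless-root exposure (added example)."""
import re

# Constructed sample input, not the real files from the test images.
SAMPLE_SHADOW = """\
root::20209:0:99999:7:::
bin:*:20209:0:99999:7:::
tester:$y$j9T$constructedsalt$constructedhash:20209:0:99999:7:::
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not the real config of the test images
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
"""


def parse_shadow(text: str) -> dict:
    """Return {user: password_field} from shadow(5) text (9 colon-separated fields)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"shadow line {lineno}: expected 9 fields, got {len(fields)}")
        entries[fields[0]] = fields[1]
    return entries


def password_state(field: str) -> str:
    """Classify a shadow password field: empty, locked ('!' or '*'), or hashed."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lowercase: value}; first occurrence wins, as sshd applies it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(shadow_text: str, sshd_text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    shadow = parse_shadow(shadow_text)
    sshd = parse_sshd_config(sshd_text)
    for user, field in shadow.items():
        if password_state(field) == "empty":
            findings.append(f"{user}: empty password field, no password is set")
    root_login = sshd.get("permitrootlogin", "prohibit-password")
    if root_login == "yes":
        findings.append("sshd: PermitRootLogin yes allows root password login over SSH")
    if sshd.get("permitemptypasswords", "no") == "yes":
        findings.append("sshd: PermitEmptyPasswords yes accepts empty passwords")
    if password_state(shadow.get("root", "*")) == "empty" and root_login == "yes":
        findings.append("HIGH: passwordless root combined with root SSH login; "
                        "set a root password or restrict sshd before networking the machine")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG):
        print(finding)
```

On a real machine the two inputs would be read from `/etc/shadow` (as root) and `/etc/ssh/sshd_config`; the parser ignores `Include` lines, so any drop-in directory would have to be read and concatenated in the same first-match order before auditing.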

If you encounter any issues, check the known issues list and report new bugs there. The maintainers will redirect relevant reports to the appropriate upstream projects.

Additional Resources

To dive deeper into how sealed bootable container images work (combining bootable containers, UKIs, and composefs for a verified chain), consult these presentations and documentation:

  • “Signed, Sealed, and Delivered” – UKIs and composefs (Allison & Timothée, FOSDEM 2025)
  • UKIs and composefs support for Bootable Containers (Timothée, Devconf.cz 2025)
  • UKI, composefs and remote attestation for Bootable Containers (Pragyan, Vitaly & Timothée, ASG 2025)
  • composefs backend documentation in bootc

Thanks to all contributors from projects including bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd.

Conclusion

Sealed bootable container images represent a significant step toward fully verified boot chains for Fedora Atomic Desktops. By testing these images, you help improve the feature and pave the way for secure, passwordless disk encryption. Get your hands on the pre-built images today and share your feedback.