7 Essential Insights into Fedora Atomic Desktop’s Sealed Bootable Container Images

We are thrilled to announce that sealed bootable container images are now available for testing on Fedora Atomic Desktops. These images promise a fully verified boot chain, leveraging Secure Boot and modern Linux technologies. To help you understand what this means and how to get started, here are 7 things you need to know.

1. What Are Sealed Bootable Container Images?

Sealed bootable container images package everything needed for a complete, verified boot process—from the firmware up to the operating system’s composefs image. They enforce a chain of trust by requiring Secure Boot, so they only work on systems booting via UEFI on x86_64 and aarch64 architectures. Unlike traditional bootable containers, these images are “sealed” because all components are cryptographically signed and integrity-checked before execution. This approach eliminates tampering risks and provides a solid foundation for advanced security features like remote attestation.

7 Essential Insights into Fedora Atomic Desktop’s Sealed Bootable Container Images
Source: fedoramagazine.org

2. The Core Components Behind the Boot Chain

Three main elements form the sealed image:

  • systemd-boot – A lightweight UEFI boot manager that loads the next stage.
  • Unified Kernel Image (UKI) – Combines the Linux kernel, initrd, and kernel command line into a single signed binary.
  • composefs repository with fs-verity – Provides a read-only, integrity-verified filesystem overlay, managed by the bootc tool.

The UKI is signed for Secure Boot, and systemd-boot is also signed. Together, they ensure every component is authenticated before control passes to the next stage, creating an unbroken chain of trust.

3. How Secure Boot Signing Works (Test vs Official)

Both systemd-boot and the UKI are signed with keys that enable Secure Boot validation. However, because these are test images, the signatures do not use Fedora’s official keys. Instead, they rely on temporary testing keys. This means the images can boot on any UEFI system if Secure Boot is properly configured, but they won’t be trusted by default with Fedora’s standard Secure Boot certificate. The official signed images will come later once the signing infrastructure with Fedora’s keys is fully in place. For now, testers must enroll the testing keys or boot in setup mode.

4. Key Benefit: TPM-Based Passwordless Disk Unlocking

The most immediate gain from sealed images is the ability to unlock encrypted disks without a password, using the Trusted Platform Module (TPM). By binding the decryption key to the measured boot chain (via the UKI and composefs), the system can automatically unlock the root filesystem during boot—only if the firmware and OS haven’t been tampered with. This delivers strong security without sacrificing convenience. It’s a big step toward making full-disk encryption easy to use on desktop systems while maintaining resilience against physical attacks.

7 Essential Insights into Fedora Atomic Desktop’s Sealed Bootable Container Images
Source: fedoramagazine.org

5. How to Test These Images

To give the pre-built container or disk images a try, head over to the GitHub repository at travier/fedora-atomic-desktops-sealed. There you’ll find instructions for downloading, writing to a USB drive, or building your own sealed image from source. You can test on bare metal or a UEFI-capable virtual machine (like QEMU with OVMF). The process is straightforward and designed to let you experience the verified boot chain in action.

6. Important Caveats for Testing

These images are strictly for testing. They ship with no root password and SSH enabled by default to simplify debugging. The boot components are not signed with official Fedora keys, so don’t rely on them for production environments. Additionally, the TPM unlocking feature may not work with all TPM firmware versions. Be sure to review the known issues list on the GitHub repository before testing. The team welcomes bug reports, but please do not use these images on machines with sensitive data.

7. Where to Learn More and Give Feedback

For deeper dives into how sealed images work, check out these resources:

  • “Signed, Sealed, and Delivered” – presentation by Allison and Timothée at FOSDEM 2025.
  • “UKIs and composefs support for Bootable Containers” – Timothée at Devconf.cz 2025.
  • “UKI, composefs and remote attestation for Bootable Containers” – Pragyan, Vitaly, and Timothée at ASG 2025.
  • The composefs backend documentation in bootc.

Feedback and bug reports go to the same GitHub repository; the team will redirect issues to upstream projects as needed. Many thanks to contributors from bootc, bcvk, composefs, composefs-rs, chunkah, podman, buildah, and systemd.

We hope you’re as excited as we are about this new capability. Your testing and feedback are invaluable to making sealed bootable container images a robust feature for Fedora Atomic Desktops. Give it a try, and let us know what you think!

Tags:

Recommended

Discover More

Mastering the iOS 26 Phone App: A Step-by-Step Guide to Its Best New FeaturesMicrosoft Surges Sovereign Cloud to Thousands of Nodes with Azure Local ExpansionAutomating Hyperscale Efficiency: A Step-by-Step Guide to Meta's AI-Powered Capacity OptimizationMeet the Flutter Core Team Worldwide in 2026How Electricity Could Revolutionize Coffee Tasting: A New Scientific Approach