Fedora Atomic Desktop: Sealed Bootable Container Images Enter Testing Phase


Introduction

The Fedora Atomic Desktop project has reached a significant milestone with the release of sealed bootable container images for testing. These images represent a major step forward in creating a fully verified boot chain, from firmware to operating system. For the first time, users can experience a Secure Boot–enabled UEFI environment on both x86_64 and aarch64 architectures, built entirely from bootable containers. This article dives into what sealed images are, how to test them, and the benefits they bring.

Source: fedoramagazine.org

What Are Sealed Bootable Container Images?

Sealed bootable container images are complete system images that incorporate every component needed for a verified boot chain. Unlike traditional disk images, these containers include cryptographic signatures that Secure Boot validates at each stage. The result is a trusted path from the firmware loader all the way to the operating system’s composefs image.

The core components that make this possible are:

Both systemd-boot and the UKI are signed with Secure Boot keys. However, because these are test images, the signatures use experimental keys rather than the official Fedora signing keys. This means the images work on any UEFI machine (with Secure Boot enabled) but are not yet suitable for production deployments.

Key Benefits: Passwordless Disk Unlocking with TPM

The main practical advantage of sealed images is the ability to enable passwordless disk unlocking using the Trusted Platform Module (TPM). When the boot chain is fully verified, the TPM can be used to securely release a disk encryption key automatically at boot. This provides a reasonable level of security without requiring a passphrase on every start, making the system more convenient for desktops and workstations. The verified chain ensures that only the authentic operating system can access the disk, protecting against tampering.

How to Test the Sealed Images

Testers can download pre-built container images or build their own from the provided instructions. The complete guide is available on GitHub:

github.com/travier/fedora-atomic-desktops-sealed

The repository contains both container images and ready-to-use disk images. To get started:

  1. Clone the repository or download a pre-built image.
  2. Write the disk image to a USB drive or deploy the container using bootc.
  3. Boot the target system with UEFI and Secure Boot enabled.
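A post-boot check a tester can run after step 3, added here as an example rather than code from the article or the fedora-atomic-desktops-sealed repository: it reads the firmware's SecureBoot variable to confirm enforcement was on, and inspects a LUKS header for the systemd-tpm2 token that the TPM unlocking described earlier depends on. The script and function names are my own; the LUKS partition path must be supplied by the tester.

```shell
#!/bin/sh
# sealed-check.sh: after booting a sealed image, confirm that the firmware
# enforced Secure Boot and that the root LUKS volume carries a TPM2 token.
# Added example, not part of the fedora-atomic-desktops-sealed repository.

# Print "enabled", "disabled" or "unknown" for the UEFI SecureBoot variable.
# $1 (optional): path to an efivarfs file; defaults to the live variable.
# efivarfs stores 4 attribute bytes followed by the variable data, so the
# Secure Boot flag is the single byte at offset 4.
secureboot_state() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$f" ] || { echo "unknown"; return 2; }
    v=$(dd if="$f" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' ')
    case "$v" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;
    esac
}

# Print "tpm2" if the LUKS header has a systemd-tpm2 token (the token that
# systemd-cryptenroll --tpm2-device adds), otherwise "passphrase-only".
# $1: LUKS partition, or "-" to parse an existing `cryptsetup luksDump` on stdin.
luks_tpm2_bound() {
    if [ "$1" = "-" ]; then
        dump=$(cat)
    else
        dump=$(cryptsetup luksDump "$1" 2>/dev/null) || { echo "unreadable"; return 2; }
    fi
    # Token lines look like "  0: systemd-tpm2" under the "Tokens:" heading.
    if printf '%s\n' "$dump" | grep -q 'systemd-tpm2'; then
        echo "tpm2"; return 0
    fi
    echo "passphrase-only"; return 1
}

# Report both checks for the running system; non-zero if either one fails.
sealed_check() {
    dev="${1:?usage: sealed_check <luks-partition, e.g. /dev/nvme0n1p3>}"
    rc=0
    sb=$(secureboot_state) || rc=1
    tok=$(luks_tpm2_bound "$dev") || rc=1
    echo "Secure Boot: $sb"
    echo "LUKS token on $dev: $tok"
    return $rc
}

# Run the report only when executed directly, not when sourced for reuse.
case "$0" in *sealed-check.sh) sealed_check "$@" ;; esac
```

Run it as root on the booted test system with the LUKS partition as argument; a "disabled" or "passphrase-only" result means the boot chain or the enrollment is not yet what the sealed image is meant to provide.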

Important warnings for testers:

If you encounter any issues, refer to the known issues section or report new bugs via the GitHub issue tracker.


Known Issues and Feedback

This is an early testing release, so some issues are expected. The project maintainers have compiled a list of known problems on the same GitHub page. Before reporting a new issue, please check that list. Contributors are actively working with upstream projects (bootc, composefs, systemd, etc.) to resolve them. Feedback is welcome and will help shape the final implementation.

To report a new issue, visit: github.com/travier/fedora-atomic-desktops-sealed/issues

Where to Learn More

For those who want a deep technical dive into how sealed bootable containers work – including the interplay of UKIs, composefs, and bootc to create a verified chain – several resources are available:

These materials explain the design decisions and implementation details behind the sealed images.

Acknowledgments

This achievement would not have been possible without the dedicated work of many contributors across multiple upstream projects. Special thanks go to the teams behind:

Their collective efforts have made sealed bootable container images a reality. We encourage the community to test and provide feedback as we move toward official Fedora support.
