Quick Facts
- Category: Linux & DevOps
- Published: 2026-05-01 13:59:09
Introduction
Fedora Atomic Desktops are now offering sealed bootable container images for testing. These images create a fully verified boot chain — from firmware to the operating system — using Secure Boot on UEFI systems (x86_64 and aarch64). The sealed images include a signed systemd-boot bootloader, a Unified Kernel Image (UKI) containing the Linux kernel, initrd, and kernel command line, and a composefs repository with fs-verity enabled. The primary benefit of this setup is enabling secure, passwordless disk unlocking via the TPM.

This guide will walk you through obtaining, writing, and booting these test images — either using pre-built disk images or building your own from container images. Follow the steps carefully, and remember: these are test images, not suitable for production environments.
What You Need
- A computer with UEFI firmware (x86_64 or aarch64)
- Secure Boot enabled (or ability to temporarily disable it, as test images use non-official signing keys)
- A USB drive (at least 8 GB) for writing the disk image
- Tool to write disk images (e.g., dd on Linux, Rufus on Windows, or balenaEtcher on any OS)
- For building custom images: a Linux system with Podman or Buildah installed, and access to the GitHub repository travier/fedora-atomic-desktops-sealed
- Basic knowledge of the command line for booting and debugging
Step-by-Step Instructions
Step 1: Download a Sealed Bootable Image
Visit the official GitHub repository. Under the Releases section, you’ll find pre-built disk images (e.g., .raw.zst files) and container image references. Choose the appropriate architecture (x86_64 or aarch64). The disk image contains everything needed to boot directly from a USB drive.
Step 2: Write the Disk Image to a USB Drive
Insert your USB drive. Use a tool like dd (Linux/macOS) or balenaEtcher (cross-platform) to write the raw image. For example, on Linux:
sudo dd if=fedora-atomic-desktops-sealed.x86_64.raw of=/dev/sdX bs=4M status=progress
Replace /dev/sdX with your USB device (be careful not to overwrite your system disk). After writing, safely eject the drive.
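The write step above, as an added example that is not code from the original post or the repository: it decompresses the release .raw.zst when needed, writes it with dd as shown, then reads the written bytes back and compares them with the image so a silent write error is caught before it turns into a puzzling boot failure. The root-disk guard and the file names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): decompress, write with dd, verify.
set -eu

# write_and_verify IMAGE TARGET
#   IMAGE  : fedora-atomic-desktops-sealed.<arch>.raw or .raw.zst
#   TARGET : the USB device, e.g. /dev/sdX (a regular file works for testing)
write_and_verify() {
    image="$1"; target="$2"

    # Basic guard against the classic mistake: the disk holding / is never a target.
    # (Assumed check; root on LVM/LUKS reports a mapper device and is not caught.)
    if [ -b "$target" ] && command -v findmnt >/dev/null 2>&1; then
        rootdev=$(findmnt -no SOURCE / 2>/dev/null || true)
        case "$rootdev" in
            "$target"*) echo "refusing to write: $target holds the root filesystem" >&2
                        return 2 ;;
        esac
    fi

    # Release artifacts are zstd-compressed; dd needs the raw bytes.
    case "$image" in
        *.zst) raw="${image%.zst}"; zstd -d -f -q "$image" -o "$raw" ;;
        *)     raw="$image" ;;
    esac

    dd if="$raw" of="$target" bs=4M conv=fsync status=progress

    # Compare exactly the image length: the device is normally larger than the image.
    size=$(stat -c %s "$raw")
    if cmp -n "$size" "$raw" "$target"; then
        echo "verified: $size bytes on $target match $raw"
        return 0
    fi
    echo "verification FAILED: $target differs from $raw" >&2
    return 1
}
```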
Step 3: Boot from the USB Drive
Restart your computer and enter the UEFI/BIOS setup (usually by pressing F2, F12, Del, or Esc). Set the boot order to prioritize USB, or use the one-time boot menu to select the USB device. If Secure Boot is enabled, you will likely see a warning that the image’s bootloader and UKI are signed with test keys (not official Fedora keys). You have two options:
- Disable Secure Boot temporarily (recommended for quick testing)
- Enroll the test signing keys as MOK (Machine Owner Keys) — follow the repository’s instructions for key files
sudo without a password to run commands.
Step 4: Test TPM-Based Unlocking (Optional)
If you have a TPM 2.0 module, you can verify that passwordless disk unlocking works. When the system boots, it should automatically unlock encrypted partitions (if any) using the TPM. To test, reboot and watch for any prompts. No manual password entry should be required. This is a key feature of sealed images.
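A pre-boot check for Steps 3 and 4, as an added example that is not code from the original post or the repository: it reads the firmware facts that decide whether a test-key-signed systemd-boot and UKI will load (SecureBoot and SetupMode from efivarfs) and whether a TPM 2.0 is available for passwordless unlocking (sysfs). The directory parameters are assumptions so the checks can run against a constructed tree; they default to the live paths.

```shell
#!/bin/sh
# Added example (not from the original post): Secure Boot and TPM 2.0 preflight.
set -eu

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs exposes each variable as a file: 4 bytes of attribute flags, then the
# payload. SecureBoot and SetupMode are single-byte variables (0 or 1).
efivar_byte() {  # efivar_byte NAME [EFIVARS_DIR]
    f="${2:-/sys/firmware/efi/efivars}/$1-$EFI_GLOBAL_GUID"
    if [ -r "$f" ]; then
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    else
        echo absent
    fi
}

# Prints: disabled | enforcing | setup-mode | unknown (no UEFI variables visible)
secure_boot_state() {  # secure_boot_state [EFIVARS_DIR]
    sb=$(efivar_byte SecureBoot "${1:-}")
    setup=$(efivar_byte SetupMode "${1:-}")
    if [ "$sb" = absent ]; then echo unknown
    elif [ "$setup" = 1 ]; then echo setup-mode   # keys enrollable, not enforced
    elif [ "$sb" = 1 ]; then echo enforcing
    else echo disabled
    fi
}

# Succeeds when the kernel has registered a TPM whose major version is 2.
tpm2_present() {  # tpm2_present [TPM_CLASS_DIR]
    d="${1:-/sys/class/tpm}/tpm0"
    [ -d "$d" ] && [ "$(cat "$d/tpm_version_major" 2>/dev/null)" = 2 ]
}

preflight() {  # preflight [EFIVARS_DIR] [TPM_CLASS_DIR]
    state=$(secure_boot_state "${1:-}")
    echo "Secure Boot: $state"
    case "$state" in
        enforcing)  echo "  -> bootloader and UKI carry test-key signatures:" \
                         "disable Secure Boot or enroll the test keys as MOK first" ;;
        setup-mode) echo "  -> keys can be enrolled now; signatures are not enforced" ;;
    esac
    if tpm2_present "${2:-}"; then echo "TPM 2.0: present, passwordless unlocking can be tested"
    else echo "TPM 2.0: not found, Step 4 cannot be tested on this machine"; fi
}
```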

Step 5: Build Your Own Sealed Image (Advanced)
If you prefer to customize the image, the repository provides a container-based build process. Clone the repo:
git clone https://github.com/travier/fedora-atomic-desktops-sealed.git
Inside the repository, you’ll find a Containerfile and scripts to generate a disk image. Use Podman or Buildah to build the container, then run the script to output a raw image. Ensure you have the required dependencies (e.g., systemd-boot, UKI generation tools). The repository’s README details the exact commands.
Step 6: Report Issues and Provide Feedback
Check the Known Issues list on the GitHub repository. If you encounter bugs or have suggestions, open a new issue. The maintainers will redirect to the appropriate upstream projects (bootc, composefs, systemd, etc.). Your feedback helps improve the technology.
Tips and Warnings
- Never use these test images in production. They are not signed with official Fedora keys, the root account lacks a password, and SSH is open by default. Security guarantees are intentionally weakened for debugging.
- Backup your data before writing any disk image to a USB drive. Writing overwrites the target device completely.
- If you encounter boot failures, try disabling Secure Boot entirely. Some UEFI implementations reject test-key signatures even in setup mode.
- For deeper understanding of how sealed images work, review the presentations linked in the repository:
– “Signed, Sealed, and Delivered” (FOSDEM 2025)
– “UKIs and composefs support for Bootable Containers” (Devconf.cz 2025)
– “UKI, composefs and remote attestation for Bootable Containers” (ASG 2025)
- Join the Fedora community channels (Matrix, mailing lists) to discuss your testing results with contributors from bootc, composefs, and systemd projects.
By following these steps, you can help validate the sealed bootable container images for Fedora Atomic Desktops. Your testing is valuable for bringing secure, verified boot chains to the broader Fedora community.