
Testing Sealed Bootable Container Images for Fedora Atomic Desktops

Posted by u/Fonarow · 2026-05-13 06:05:17

Fedora Atomic Desktop enthusiasts now have a new experimental feature to explore: sealed bootable container images. These images are designed to establish a fully verified boot chain, from the firmware all the way through to the operating system's composefs image, enhancing security and enabling features like passwordless disk unlocking via the Trusted Platform Module (TPM). Below, we break down what these images are, how to test them, and where you can dive deeper into the technology.

What Are Sealed Bootable Container Images?

Sealed bootable container images integrate all necessary components for a complete, verified boot process. The verified boot chain relies on Secure Boot, so it works only on systems that boot with UEFI, on the x86_64 and aarch64 architectures. The key components included are:

  • systemd-boot as the bootloader
  • A Unified Kernel Image (UKI) that bundles the Linux kernel, an initrd, and the kernel command line
  • A composefs repository with fs-verity enabled, managed by bootc

Both systemd-boot and the UKI are signed for Secure Boot, though because these are testing images, the signatures use test keys rather than official Fedora keys.

Benefits: Passwordless Disk Unlocking with TPM

The primary advantage of this sealed boot chain is the ability to enable passwordless disk unlocking using the TPM in a way that is reasonably secure by default. With a verified boot chain, the system can trust that the disk encryption key is released only to the correct, unmodified operating system, streamlining the boot process without sacrificing security.
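
A simplified model of why the TPM releases the disk key only to an unmodified system, given here as an added example that is not code from the original article or from the Fedora projects. It assumes a single PCR, a UKI command line that pins the composefs image digest as `composefs=<digest>`, and a hypothetical `ToyTPM` class; all byte strings are constructed stand-ins.

```python
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    # TPM extend operation: new PCR = H(old PCR || H(measured data)).
    return sha256(pcr + sha256(measured))

def build_uki(kernel: bytes, initrd: bytes, image_digest: str) -> bytes:
    # Assumption: the UKI's embedded command line pins the composefs image
    # digest, so a different OS image needs a different (re-signed) UKI.
    cmdline = f"composefs={image_digest}".encode()
    parts = (kernel, initrd, cmdline)
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def measure_boot(bootloader: bytes, uki: bytes) -> bytes:
    pcr = bytes(32)  # a PCR is all zeroes after reset
    for stage in (bootloader, uki):  # each stage is measured before it runs
        pcr = pcr_extend(pcr, stage)
    return pcr

class ToyTPM:
    """Releases the sealed secret only while the PCR equals the sealed value."""
    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret, self._expected = secret, expected_pcr

    def unseal(self, current_pcr: bytes):
        if hmac.compare_digest(current_pcr, self._expected):
            return self._secret
        return None

# Constructed stand-ins for the real binaries and image digest.
LOADER = b"constructed systemd-boot"
GOOD_IMAGE = sha256(b"constructed OS tree").hex()
GOOD_UKI = build_uki(b"constructed kernel", b"constructed initrd", GOOD_IMAGE)

def try_boot(tpm: ToyTPM, bootloader: bytes, uki: bytes):
    return tpm.unseal(measure_boot(bootloader, uki))

if __name__ == "__main__":
    tpm = ToyTPM(b"constructed disk key", measure_boot(LOADER, GOOD_UKI))
    bad_image = sha256(b"constructed OS tree + extra file").hex()
    bad_uki = build_uki(b"constructed kernel", b"constructed initrd", bad_image)
    print("unmodified chain:", try_boot(tpm, LOADER, GOOD_UKI))
    print("modified OS image:", try_boot(tpm, LOADER, bad_uki))
    print("modified bootloader:", try_boot(tpm, b"other loader", GOOD_UKI))
```

In this model a change to the bootloader, the kernel, the initrd, or the pinned image digest alters the final PCR value, so the key stays sealed and the system would have to fall back to another unlock method.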

How to Test the Images

To try out the pre-built container and disk images, or to build your own, follow the instructions available on the dedicated GitHub repository: github.com/travier/fedora-atomic-desktops-sealed. The repository provides clear steps for getting started, whether you want to run the sealed image as a container or create a bootable disk image.

Feedback and Known Issues

Testing and feedback are highly encouraged. Before reporting an issue, please check the list of known issues on the same repository. New issues can be filed there, and the maintainers will redirect them to the appropriate upstream projects as needed. Your input helps refine this feature for broader adoption.

Source: fedoramagazine.org

Important Caveats for Test Images

These are testing images, not production-ready. Please be aware of the following:

  • The root account has no password set.
  • SSHD is enabled by default to simplify debugging.
  • The UKI and systemd-boot are signed for Secure Boot, but with test keys, not official Fedora keys.
  • Do not use these images in production environments.

Where to Learn More

If you want to understand how sealed images work—how bootable containers, UKIs, and composefs combine to create a verified boot chain—the following resources provide detailed explanations:

  • "Signed, Sealed, and Delivered" with UKIs and composefs, presented by Allison and Timothée at FOSDEM 2025
  • UKIs and composefs support for Bootable Containers, presented by Timothée at Devconf.cz 2025
  • UKI, composefs and remote attestation for Bootable Containers, presented by Pragyan, Vitaly, and Timothée at ASG 2025
  • composefs backend documentation in bootc

Acknowledgments

This work would not have been possible without the contributions of many individuals across several projects, including (but not limited to):

  • bootc and bcvk
  • composefs and composefs-rs
  • chunkah
  • podman and buildah
  • systemd

We extend our gratitude to all contributors for making sealed bootable container images a reality.