Testing Sealed Bootable Container Images for Fedora Atomic Desktops
We are excited to announce that sealed bootable container images are now available for testing for the Fedora Atomic Desktops. These images create a fully verified boot chain from firmware to operating system, enhancing security and enabling features like passwordless TPM disk unlocking. Below we answer key questions about what these images are, how to test them, and where to learn more.
What are sealed bootable container images?
Sealed bootable container images include all components necessary for a completely verified boot chain, from the firmware to the operating system's composefs image. This relies on Secure Boot and therefore only supports UEFI booting on x86_64 and aarch64 systems. The key components are:

- systemd-boot as the bootloader
- A Unified Kernel Image (UKI) containing the Linux kernel, an initrd, and the kernel command line
- A composefs repository with fs-verity enabled, managed by bootc
Both systemd-boot and the UKI are signed for Secure Boot. Because these are test images, they are not signed with Fedora's official keys.
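Because the whole kernel, initrd and command line travel together inside one PE/COFF binary, the UKI is the unit that Secure Boot verifies and that the TPM measures. The following added example, written for this article and not taken from bootc, systemd or ukify, parses the PE section table with the standard library to list those payloads; it does not verify the Authenticode signature, it only shows what is inside the image. The `build_stand_in_uki` fixture builder and its payloads are constructed test data, not a real kernel image.

```python
"""List the payload sections of a Unified Kernel Image (UKI).

A UKI is a PE/COFF binary whose kernel, initrd, command line and related
metadata live in named PE sections (.linux, .initrd, .cmdline, ...).
The parser below walks the PE section table; the builder fabricates a
minimal PE so the parser can be exercised offline. Neither checks the
Secure Boot (Authenticode) signature over the file.
"""
import struct

# Section names from the UKI specification; subset relevant here, not exhaustive.
UKI_SECTIONS = {
    ".linux": "Linux kernel image",
    ".initrd": "initial ramdisk",
    ".cmdline": "kernel command line",
    ".osrel": "os-release of the image",
    ".uname": "kernel version string",
    ".sbat": "SBAT revocation metadata",
    ".pcrsig": "signed TPM PCR policy (JSON)",
    ".pcrpkey": "public key matching .pcrsig",
}

COFF_HEADER = struct.Struct("<HHIIIHH")            # 20-byte IMAGE_FILE_HEADER
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")     # 40-byte IMAGE_SECTION_HEADER


def parse_pe_sections(data: bytes) -> dict:
    """Return {section_name: payload bytes} for every section of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = COFF_HEADER.unpack_from(data, pe_off + 4)
    n_sections, opt_size = coff[1], coff[5]
    table = pe_off + 4 + COFF_HEADER.size + opt_size
    sections = {}
    for i in range(n_sections):
        name, vsize, _vaddr, rawsize, rawptr, *_ = SECTION_HEADER.unpack_from(
            data, table + i * SECTION_HEADER.size)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # VirtualSize is the real payload length; SizeOfRawData is padded
        # to the file alignment, so prefer VirtualSize when it is set.
        size = vsize if vsize else rawsize
        if rawptr + size > len(data):
            raise ValueError(f"section {name} runs past end of file")
        sections[name] = data[rawptr:rawptr + size]
    return sections


def describe_uki(data: bytes) -> dict:
    """Summarise the payloads a sealed boot chain depends on."""
    sec = parse_pe_sections(data)
    return {
        "kernel_bytes": len(sec.get(".linux", b"")),
        "initrd_bytes": len(sec.get(".initrd", b"")),
        "cmdline": sec.get(".cmdline", b"").rstrip(b"\0").decode(errors="replace"),
        "has_pcrsig": ".pcrsig" in sec,
        "unknown_sections": sorted(n for n in sec if n not in UKI_SECTIONS),
    }


def build_stand_in_uki(payloads: dict, align: int = 512) -> bytes:
    """Construct a minimal PE carrying {name: bytes} sections (test fixture only)."""
    opt_size = 240  # PE32+ optional header size; contents left zeroed here
    names = list(payloads)
    hdr_end = 64 + 4 + COFF_HEADER.size + opt_size + SECTION_HEADER.size * len(names)
    off = (hdr_end + align - 1) // align * align       # first section offset
    table, body = b"", b""
    for name in names:
        raw = payloads[name]
        padded = raw + b"\0" * (-len(raw) % align)
        table += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                                     len(raw), off, len(padded), off,
                                     0, 0, 0, 0, 0x40000040)
        body += padded
        off += len(padded)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew = 64
    coff = COFF_HEADER.pack(0x8664, len(names), 0, 0, 0, opt_size, 0x0002)
    headers = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return headers + b"\0" * (-len(headers) % align) + body


if __name__ == "__main__":
    # Constructed stand-in payloads; a real UKI would be read from the ESP.
    fixture = build_stand_in_uki({
        ".linux": b"\x7fELF" + b"k" * 1000,
        ".initrd": b"\x1f\x8b" + b"i" * 200,
        ".cmdline": b"root=/dev/mapper/root rw\0",
        ".osrel": b"ID=fedora\n",
    })
    for key, value in describe_uki(fixture).items():
        print(f"{key}: {value}")
```

On a sealed system, pass the bytes of the UKI file from the EFI system partition to `describe_uki` to confirm that the command line baked into the image is the one you expect; a UKI without a `.pcrsig` section cannot use signed PCR policies for TPM unlocking, and any unlisted section name deserves a second look.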
What are the main benefits of sealed bootable images?
The primary direct benefit is the ability to enable passwordless disk unlocking with the TPM (Trusted Platform Module) in a reasonably secure manner by default. With a fully verified boot chain, each component from the firmware through systemd-boot and the UKI is measured into the TPM before it runs, and the disk encryption key is sealed to the expected measurements, so the TPM releases the key automatically only when that exact, untampered chain has booted. This improves the user experience (no passphrase prompt at boot) while keeping the data protected if any part of the boot chain is modified. Additionally, sealed images simplify deployment and management of Atomic Desktops, as the entire system is built and signed as a single unit.
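To make the "release the key only if the same chain booted" rule concrete, here is an added software model of the mechanism, written for this article and not code from systemd, bootc or any TPM library. It reproduces the TPM's PCR extend operation (SHA-256 of the old value concatenated with the hash of the measured component) and stands in for sealing with a toy `ModelTpm` whose seed never leaves the object; the boot components, the seed and the volume key are all constructed values.

```python
"""Model of TPM-sealed disk unlocking bound to a measured boot chain.

Real TPM sealing happens inside the chip; this model only reproduces the
two properties the article relies on: every measured component changes the
PCR, and a key sealed to one PCR value is released only for that value.
"""
import hashlib
import hmac
from typing import Optional

PCR_INIT = b"\0" * 32  # SHA-256 PCRs start zeroed at power-on


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend on the SHA-256 bank: new = H(old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(chain: list[bytes]) -> bytes:
    """Measure each component, in boot order, into a single PCR."""
    pcr = PCR_INIT
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr


def pcr_policy(expected_pcr: bytes) -> bytes:
    """Stand-in for a TPM2_PolicyPCR digest over one PCR value."""
    return hashlib.sha256(b"TPM2_PolicyPCR" + expected_pcr).digest()


class ModelTpm:
    """Toy TPM: the seed plays the role of the chip-internal storage seed."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def _wrap_key(self, policy: bytes) -> bytes:
        return hmac.new(self._seed, policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> dict:
        """Return a blob that unseals only when the PCR policy is satisfied."""
        if len(secret) != 32:
            raise ValueError("model seals exactly 32-byte secrets")
        policy = pcr_policy(expected_pcr)
        wrap = self._wrap_key(policy)
        return {"policy": policy,
                "blob": bytes(a ^ b for a, b in zip(secret, wrap))}

    def unseal(self, sealed: dict, current_pcr: bytes) -> Optional[bytes]:
        """Release the secret only if the current PCR matches the sealed policy."""
        policy = pcr_policy(current_pcr)
        if not hmac.compare_digest(policy, sealed["policy"]):
            return None  # policy check fails: nothing is released
        wrap = self._wrap_key(policy)
        return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Constructed stand-ins for the measured boot components and the LUKS key.
FIRMWARE = b"constructed: UEFI firmware"
SD_BOOT = b"constructed: signed systemd-boot"
UKI = b"constructed: signed UKI (kernel+initrd+cmdline)"
LUKS_KEY = hashlib.sha256(b"constructed volume key").digest()


def demo() -> tuple:
    """(same chain unlocks, tampered UKI is refused)."""
    tpm = ModelTpm(seed=b"constructed chip seed")
    sealed = tpm.seal(LUKS_KEY, measure_boot([FIRMWARE, SD_BOOT, UKI]))
    same_chain = tpm.unseal(sealed, measure_boot([FIRMWARE, SD_BOOT, UKI])) == LUKS_KEY
    tampered = tpm.unseal(sealed, measure_boot([FIRMWARE, SD_BOOT, UKI + b"!"])) is None
    return same_chain, tampered


if __name__ == "__main__":
    print("unlocks with the sealed chain, refuses a tampered UKI:", demo())
```

The model also shows the practical consequence of binding to raw PCR values: a legitimate UKI update changes the measurement just as tampering does, so the key would have to be re-enrolled after every update. That is what the signed PCR policy in a UKI's `.pcrsig` section addresses in the real system, by binding the unlock to the key that signed the expected measurements rather than to one fixed value.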
How can I test these sealed images?
To test the pre-built container and disk images, follow the instructions on the GitHub repository. You can also build your own customized images from the provided sources. We welcome all feedback! Please review the list of known issues and report any new issues there. If needed, we will redirect them to the appropriate upstream projects.

What are the current limitations and known issues?
These are testing images and should not be used in production. Important caveats include:
- The root account has no password set, and sshd is enabled by default to simplify debugging; do not expose a test installation to an untrusted network.
- The UKI and systemd-boot are signed for Secure Boot but with test keys, not the official Fedora keys.
- Only x86_64 and aarch64 with UEFI are supported (no legacy BIOS).
Be sure to check the GitHub repository for a full list of known issues before testing. Your feedback helps us improve.
Where can I learn more about the technology behind sealed images?
For deeper understanding of how sealed images work—combining bootable containers, UKIs, and composefs into a verified boot chain—see these resources:
- FOSDEM 2025: “Signed, Sealed, and Delivered” with UKIs and composefs (Allison and Timothée)
- Devconf.cz 2025: UKIs and composefs support for Bootable Containers (Timothée)
- ASG 2025: UKI, composefs and remote attestation for Bootable Containers (Pragyan, Vitaly, and Timothée)
- composefs backend documentation in bootc
Thanks to contributors from bootc, composefs, systemd, and other projects.