Testing Sealed Bootable Container Images for Fedora Atomic Desktops


We are excited to announce that sealed bootable container images are now available for testing for the Fedora Atomic Desktops. These images create a fully verified boot chain from firmware to operating system, enhancing security and enabling features like passwordless TPM disk unlocking. Below we answer key questions about what these images are, how to test them, and where to learn more.

What are sealed bootable container images?

Sealed bootable container images include all components necessary for a completely verified boot chain, from the firmware to the operating system's composefs image. This relies on Secure Boot and therefore only supports UEFI booting on x86_64 and aarch64 systems. The key components are:

Source: fedoramagazine.org
  • systemd-boot as the bootloader
  • A Unified Kernel Image (UKI) containing the Linux kernel, an initrd, and the kernel command line
  • A composefs repository with fs-verity enabled, managed by bootc

Both systemd-boot and the UKI are signed for Secure Boot. Because these are test images, they are not signed with Fedora's official keys.

What are the main benefits of sealed bootable images?

The primary direct benefit is the ability to enable passwordless disk unlocking using the TPM (Trusted Platform Module) in a reasonably secure manner by default. With a fully verified boot chain, the system can attest that the booted OS is untampered, allowing the TPM to release disk encryption keys automatically. This improves user experience (no password prompts) while maintaining strong security. Additionally, sealed images simplify deployment and management of Atomic Desktops, as the entire system is built and signed as a single unit.

How can I test these sealed images?

To test the pre-built container and disk images, follow the instructions on the GitHub repository. You can also build your own customized images from the provided sources. We welcome all feedback! Please review the list of known issues and report any new issues there. If needed, we will redirect them to the appropriate upstream projects.


What are the current limitations and known issues?

These are testing images and should not be used in production. Important caveats include:

  • The root account has no password set, and sshd is enabled by default to simplify debugging.
  • The UKI and systemd-boot are signed for Secure Boot but with test keys, not the official Fedora keys.
  • Only x86_64 and aarch64 with UEFI are supported (no legacy BIOS).

Be sure to check the GitHub repository for a full list of known issues before testing. Your feedback helps us improve.
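The platform requirements stated above (UEFI boot, x86_64 or aarch64, Secure Boot, and a TPM for disk unlocking) can be checked on a candidate machine before testing. The script below is an added example, not code from the article or the GitHub repository. Its function names, the `--check` flag, the choice of which checks are mandatory, and the TPM 2.0 sysfs path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or its repository): host pre-flight check.
# ROOT is "/" on a real machine; a constructed directory tree can be used for testing.
SB_VAR=sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# A UEFI boot exposes /sys/firmware/efi; a legacy BIOS boot does not.
is_uefi() { [ -d "$1/sys/firmware/efi" ]; }

# The article lists x86_64 and aarch64 as the only supported architectures.
arch_supported() { case "$1" in x86_64|aarch64) return 0 ;; *) return 1 ;; esac; }

# An efivarfs file holds 4 attribute bytes, then the data; SecureBoot data is 1 byte (1 = on).
secure_boot_enabled() {
    f="$1/$SB_VAR"
    [ -r "$f" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')" = "1" ]
}

# Assumption: TPM unlocking needs a TPM 2.0 device, which reports major version 2 in sysfs.
has_tpm2() {
    f="$1/sys/class/tpm/tpm0/tpm_version_major"
    [ -r "$f" ] && [ "$(cat "$f")" = "2" ]
}

# check LABEL MANDATORY(1|0) COMMAND [ARGS...]: print a result line, record mandatory failures.
check() {
    label="$1"; mandatory="$2"; shift 2
    if "$@"; then echo "PASS $label"
    elif [ "$mandatory" = 1 ]; then echo "FAIL $label"; rc=1
    else echo "WARN $label"
    fi
}

# preflight ROOT ARCH: returns 0 only when every mandatory check passes.
preflight() {
    root="${1%/}"; rc=0
    check "booted via UEFI (legacy BIOS unsupported)" 1 is_uefi "$root"
    check "architecture '$2' is x86_64 or aarch64" 1 arch_supported "$2"
    check "Secure Boot enabled" 1 secure_boot_enabled "$root"
    check "TPM 2.0 present (for TPM disk unlocking)" 0 has_tpm2 "$root"
    return "$rc"
}

# Run against the live system only when asked: sh preflight.sh --check
case "${1:-}" in --check) preflight / "$(uname -m)" ;; esac
```

A PASS on "Secure Boot enabled" only shows that the firmware enforces Secure Boot; it does not show that the firmware trusts the test keys these images are signed with.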

Where can I learn more about the technology behind sealed images?

For a deeper understanding of how sealed images work (combining bootable containers, UKIs, and composefs into a verified boot chain), see these resources:

  • FOSDEM 2025: “Signed, Sealed, and Delivered” with UKIs and composefs (Allison and Timothée)
  • Devconf.cz 2025: UKIs and composefs support for Bootable Containers (Timothée)
  • ASG 2025: UKI, composefs and remote attestation for Bootable Containers (Pragyan, Vitaly, and Timothée)
  • composefs backend documentation in bootc

Thanks to contributors from bootc, composefs, systemd, and other projects.
