Introduction
Fedora Atomic Desktops have taken a significant step forward with the introduction of sealed bootable container images. These images are now available for testing, promising enhanced security and streamlined disk unlocking. This article dives into what sealed images are, how they work, and how you can test them yourself.
What Are Sealed Bootable Container Images?
Sealed bootable container images are pre-assembled system images that include every component needed for a fully verified boot chain—from the firmware all the way up to the operating system's composefs image. The sealing process relies on Secure Boot, meaning these images only support UEFI-based systems on x86_64 and aarch64 architectures. By integrating cryptographic signatures at each stage, the boot process becomes tamper-evident and verifiable.
Components of a Sealed Image
Each sealed image is composed of three key elements working in concert:
- systemd-boot as the bootloader, responsible for launching the operating system.
- A Unified Kernel Image (UKI) that bundles the Linux kernel, an initial ramdisk (initrd), and the kernel command line into a single signed file.
- A composefs repository with fs-verity enabled, managed by the bootc tool. Composefs provides a verifiable, read-only filesystem image.
Both systemd-boot and the UKI are signed for Secure Boot. However, because these are test images, they are not signed with Fedora's official keys—so they carry an important caveat for production use.
Benefits of Sealed Images
The primary practical benefit is the ability to enable passwordless disk unlocking using the Trusted Platform Module (TPM) in a way that remains reasonably secure by default. With a sealed boot chain, the system can verify that the operating system hasn't been tampered with before releasing the disk encryption key to the TPM. This simplifies the user experience while maintaining strong security.
How to Test the Images
Ready to give sealed images a try? The getting-started guide is hosted on GitHub at github.com/travier/fedora-atomic-desktops-sealed. There you'll find instructions for downloading pre-built container and disk images, as well as guidance on building your own sealed images from source.
Before diving in, be aware of the following:
- These are testing images only. Do not use them in production environments.
- The root account has no password set, and SSH (sshd) is enabled by default to simplify debugging. This makes the system vulnerable if exposed to untrusted networks.
- The UKI and systemd-boot are signed for Secure Boot, but they use test certificates—not Fedora's official keys. You may need to enroll the test keys in your UEFI firmware manually.
We welcome all testing and feedback! Please check the known issues list and report new bugs on the same repository. The development team will redirect issues to appropriate upstream projects as needed.
Where to Learn More
If you're curious about the technical underpinnings—how bootable containers, UKIs, and composefs combine to create a verified boot chain—the following resources are excellent starting points:
- “Signed, Sealed, and Delivered” with UKIs and composefs, presented by Allison and Timothée at FOSDEM 2025.
- UKIs and composefs support for Bootable Containers, from Timothée at Devconf.cz 2025.
- UKI, composefs and remote attestation for Bootable Containers, from Pragyan, Vitaly and Timothée at ASG 2025.
- The composefs backend documentation in bootc.
These talks and documents explain the integration from both theoretical and practical perspectives.
Acknowledgments
This work would not have been possible without the contributions of many individuals across several projects: bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. The test images represent a collaborative effort to push bootable containers toward production-ready security.
Conclusion
Sealed bootable container images for Fedora Atomic Desktops mark an exciting milestone. They provide a verified boot chain that enables secure, passwordless TPM unlocking—without sacrificing usability. While still in testing, the infrastructure promises to bring enterprise-grade boot integrity to the Fedora ecosystem. Try them out, share your feedback, and help shape the future of bootable containers.