Securing Fedora Atomic Desktops: Testing Sealed Bootable Container Images
The Fedora Atomic Desktop project has reached an exciting milestone: sealed bootable container images are now available for testing. These images bring a new level of security by creating a fully verified boot chain, from firmware to the operating system. This article explains what sealed bootable containers are, how to test them, and what you should know before diving in.
What Are Sealed Bootable Container Images?
Sealed bootable container images include all components needed for a verified boot chain, ensuring that every step in the boot process is cryptographically signed and secure. This feature relies on Secure Boot and is currently supported only on systems booting with UEFI on x86_64 and aarch64 architectures. The key components are:
- systemd-boot as the bootloader
- A Unified Kernel Image (UKI) that bundles the Linux kernel, an initrd, and the kernel command line
- A composefs repository with fs-verity enabled, managed by bootc
Both systemd-boot and the UKI are signed for Secure Boot. However, because these are test images, the signatures use test keys rather than the official Fedora signing keys.
Benefits of Sealed Bootable Containers
The primary benefit of this implementation is passwordless disk unlocking using the TPM (Trusted Platform Module). By verifying the entire boot chain, the system can securely attest to the TPM that the correct OS is loading, enabling automatic decryption of encrypted disks without user intervention. This dramatically improves both security and convenience for desktop systems. It also lays the groundwork for more advanced features like remote attestation and measured boot.
How to Test the Images
Testing is straightforward. Pre-built container images and disk images are available from the fedora-atomic-desktops-sealed repository on GitHub. The same repository provides instructions for building your own sealed images if you prefer a custom setup. To get started:
- Visit the GitHub repository and follow the setup guide.
- Download a pre-built disk image or container image.
- Boot the image on a UEFI system (x86_64 or aarch64).
- Test passwordless disk unlocking with TPM.
Feedback is highly encouraged. Please check the known issues list and report any new problems via GitHub. The development team will redirect reports to the appropriate upstream projects as needed.
Important Warnings
These images are strictly for testing. Do not use them in production environments. Key caveats include:
- The root account has no password set and SSH is enabled by default for debugging convenience.
- Although the UKI and
systemd-bootare signed for Secure Boot, the signatures use test keys—not the official Fedora keys. - The images are not hardened for real-world use and may have security vulnerabilities.
If you decide to test, do so only on a non‑critical machine or in a virtual environment.
Where to Learn More
For those interested in the technical details behind sealed bootable containers—how bootc, UKIs, and composefs work together to create a verified boot chain—the following resources are excellent starting points:
- “Signed, Sealed, and Delivered” – Allison and Timothée at FOSDEM 2025
- “UKIs and composefs support for Bootable Containers” – Timothée at Devconf.cz 2025
- “UKI, composefs and remote attestation for Bootable Containers” – Pragyan, Vitaly, and Timothée at ASG 2025
- composefs backend documentation in the bootc project
These presentations and documents explain the design decisions, implementation details, and future directions of sealed bootable containers.
Acknowledgments
This work would not have been possible without contributions from many individuals and projects. Notable thanks go to the communities behind bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. Their ongoing efforts continue to advance the state of secure bootable containers in Fedora and beyond.
Now is the perfect time to experiment with these sealed images and help shape their evolution. Your feedback can directly influence the path toward official support. Happy testing!
Related Articles
- How Meta’s AI Agents Revolutionize Capacity Efficiency at Hyperscale
- How to Diagnose and Respond to an Ubuntu Server Infrastructure Outage
- Major Security Patch Release Across Linux Distributions: Critical Vulnerabilities Addressed
- Linux 7.2 Brings AMDGPU Power Module to Match Windows Radeon Behavior
- 10 Essential Updates: Fedora Atomic Desktops in Fedora 44
- Meta's AI Agent Platform Automates Hyperscale Efficiency, Saving Hundreds of Megawatts
- Why New Linux File-Systems Face Higher Hurdles: Q&A on Kernel Guidelines
- Meta's KernelEvolve: Autonomous Kernel Optimization for Scalable AI Infrastructure