Testing Sealed Bootable Container Images for Fedora Atomic Desktops

Introduction

We are excited to announce that sealed bootable container images are now available for testing on Fedora Atomic Desktops. These images provide a fully verified boot chain from firmware to the operating system, leveraging Secure Boot and modern Linux technologies. Below, we answer common questions about what these images are, how to test them, and what benefits they bring.

What exactly are sealed bootable container images?

Sealed bootable container images bundle all necessary components to create a verified boot chain, ensuring the system boots only with trusted software. They rely on Secure Boot and are compatible only with UEFI systems on x86_64 and aarch64 architectures. The key components include:

• systemd-boot as the bootloader, signed for Secure Boot.
• A Unified Kernel Image (UKI) combining the Linux kernel, initrd, and kernel command line, also signed.
• A composefs repository with fs-verity enabled, managed by bootc.

These signatures ensure that every stage of the boot process is verified, from the firmware to the final operating system image.

What are the main benefits of using sealed images?

The primary advantage is the ability to enable passwordless disk unlocking using the TPM in a reasonably secure default configuration. Because the boot chain is verified, the TPM can securely release encryption keys only when the system boots with unmodified, trusted components. This eliminates the need for a user to enter a passphrase at each boot while maintaining strong security. Additionally, sealed images simplify deployment and reduce attack surface by ensuring all boot components are authenticated.

How can I test these sealed images?

You can get started with pre-built container and disk images, or build your own, by following the instructions on our GitHub repository. The repository provides detailed steps for downloading and running the images in a test environment. We encourage you to explore and provide feedback. Note any known issues are listed there, and you can report new ones via the same repository; we will redirect them to the appropriate upstream projects if needed.

What should I know before testing these images?

These are testing images and should not be used in production. Important caveats include:

• The root account has no password set, and SSH daemon is enabled by default for easier debugging.
• While systemd-boot and the UKI are signed for Secure Boot, they are not signed with Fedora’s official keys.
• Only use these images on test machines where security risks are acceptable.

Please treat them as experimental tools for evaluation and development.

Where can I learn more about the technical details?

For deeper understanding of how sealed images work—how bootable containers, UKIs, and composefs combine to form a verified boot chain—refer to these resources:

• “Signed, Sealed, and Delivered” with UKIs and composefs (FOSDEM 2025) by Allison and Timothée
• UKIs and composefs support for Bootable Containers (Devconf.cz 2025) by Timothée
• UKI, composefs and remote attestation for Bootable Containers (ASG 2025) by Pragyan, Vitaly, and Timothée
• composefs backend documentation in bootc

These talks and docs explain the architecture and design decisions behind this technology.

Who contributed to making this possible?

A large community of developers from several projects made this work, including (but not limited to) bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. Their collaboration has been essential in bringing sealed bootable container images to Fedora Atomic Desktops.