Securing Fedora Atomic Desktops: Testing Sealed Bootable Container Images

The Fedora Atomic Desktop project has reached an exciting milestone: sealed bootable container images are now available for testing. These images bring a new level of security by creating a fully verified boot chain, from firmware to the operating system. This article explains what sealed bootable containers are, how to test them, and what you should know before diving in.

What Are Sealed Bootable Container Images?

Sealed bootable container images include all components needed for a verified boot chain, ensuring that every step in the boot process is cryptographically signed and secure. This feature relies on Secure Boot and is currently supported only on systems booting with UEFI on x86_64 and aarch64 architectures. The key components are:

Securing Fedora Atomic Desktops: Testing Sealed Bootable Container Images — Source: fedoramagazine.org

systemd-boot as the bootloader
A Unified Kernel Image (UKI) that bundles the Linux kernel, an initrd, and the kernel command line
A composefs repository with fs-verity enabled, managed by bootc

Both systemd-boot and the UKI are signed for Secure Boot. However, because these are test images, the signatures use test keys rather than the official Fedora signing keys.

Benefits of Sealed Bootable Containers

The primary benefit of this implementation is passwordless disk unlocking using the TPM (Trusted Platform Module). By verifying the entire boot chain, the system can securely attest to the TPM that the correct OS is loading, enabling automatic decryption of encrypted disks without user intervention. This dramatically improves both security and convenience for desktop systems. It also lays the groundwork for more advanced features like remote attestation and measured boot.

How to Test the Images

Testing is straightforward. Pre-built container images and disk images are available from the fedora-atomic-desktops-sealed repository on GitHub. The same repository provides instructions for building your own sealed images if you prefer a custom setup. To get started:

Visit the GitHub repository and follow the setup guide.
Download a pre-built disk image or container image.
Boot the image on a UEFI system (x86_64 or aarch64).
Test passwordless disk unlocking with TPM.

Feedback is highly encouraged. Please check the known issues list and report any new problems via GitHub. The development team will redirect reports to the appropriate upstream projects as needed.

Important Warnings

These images are strictly for testing. Do not use them in production environments. Key caveats include:

The root account has no password set and SSH is enabled by default for debugging convenience.
Although the UKI and systemd-boot are signed for Secure Boot, the signatures use test keys—not the official Fedora keys.
The images are not hardened for real-world use and may have security vulnerabilities.

If you decide to test, do so only on a non‑critical machine or in a virtual environment.

Where to Learn More

For those interested in the technical details behind sealed bootable containers—how bootc, UKIs, and composefs work together to create a verified boot chain—the following resources are excellent starting points:

“Signed, Sealed, and Delivered” – Allison and Timothée at FOSDEM 2025
“UKIs and composefs support for Bootable Containers” – Timothée at Devconf.cz 2025
“UKI, composefs and remote attestation for Bootable Containers” – Pragyan, Vitaly, and Timothée at ASG 2025
composefs backend documentation in the bootc project

These presentations and documents explain the design decisions, implementation details, and future directions of sealed bootable containers.

Acknowledgments

This work would not have been possible without contributions from many individuals and projects. Notable thanks go to the communities behind bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. Their ongoing efforts continue to advance the state of secure bootable containers in Fedora and beyond.

Now is the perfect time to experiment with these sealed images and help shape their evolution. Your feedback can directly influence the path toward official support. Happy testing!

Tags: