10 Key Facts About Fedora Atomic Desktop Sealed Bootable Images

Last updated: 2026-05-01 15:56:37 Intermediate

Fedora Atomic Desktops have introduced sealed bootable container images designed to enhance security and simplify system management. These images integrate a fully verified boot chain from firmware to operating system, leveraging secure boot and modern Linux technologies. In this article, we explore ten essential things you need to know about these innovative images, from their core components to testing procedures and future benefits.

1. What Are Sealed Bootable Container Images?

Sealed bootable container images represent a new approach to operating system delivery. Unlike traditional bootable media, these images encapsulate every element required for a secure and verified startup process. The entire chain—from the system firmware to the final composefs image—is cryptographically signed and verified. This ensures that only trusted code runs on the machine, preventing tampering or unauthorized modifications. The images are built around UEFI Secure Boot, making them compatible with modern x86_64 and aarch64 hardware. By sealing the boot process, administrators gain confidence in system integrity from the moment the power button is pressed.

Source: fedoramagazine.org

2. Core Components of the Sealed Boot Chain

The sealed boot chain relies on three primary components working together. First, systemd-boot acts as the bootloader, handling the initial boot stage. Second, a Unified Kernel Image (UKI) bundles the Linux kernel, initrd, and kernel command line into a single signed EFI executable. Third, a composefs repository with fs-verity enabled provides a verified filesystem image managed by bootc. Each component is signed for Secure Boot, ensuring that only authentic code is executed. This layered verification creates a trust chain that extends from the hardware root of trust to the user space.
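To make the UKI layout concrete, the following added example (not code from the Fedora project or the original article) parses the PE/COFF section table of a UKI and reports whether the kernel, initrd and command-line sections are present and what command line is embedded. The sample image is a constructed, non-bootable skeleton, and the helper names `inspect_uki` and `build_sample` are hypothetical.

```python
import struct

REQUIRED = (".linux", ".initrd", ".cmdline")  # kernel, initrd, command line

def pe_sections(image: bytes) -> dict:
    """Map section name -> (raw offset, raw size) from a PE/COFF section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (nsect,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    out = {}
    for i in range(nsect):
        name, _vs, _va, rsize, roff = struct.unpack_from("<8sIIII", image, table + 40 * i)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = (roff, rsize)
    return out

def inspect_uki(image: bytes) -> dict:
    """Report missing UKI sections and the embedded kernel command line."""
    secs = pe_sections(image)
    cmdline = None
    if ".cmdline" in secs:
        off, size = secs[".cmdline"]
        cmdline = image[off:off + size].rstrip(b"\0\n").decode("utf-8", "replace")
    return {"missing": [s for s in REQUIRED if s not in secs], "cmdline": cmdline}

def build_sample(sections: dict) -> bytes:
    """Constructed, non-bootable PE skeleton: headers, section table, raw data."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    data_off = pe_off + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIII16x", name.encode(), len(data), 0, len(data),
                             data_off + len(body))
        body += data
    return bytes(dos) + coff + table + body

SAMPLE = build_sample({".linux": b"KERNEL", ".initrd": b"INITRD",
                       ".cmdline": b"console=ttyS0 quiet\0"})
```

The parser only reads the layout; it does not check the Secure Boot signature on the file.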

3. Secure Boot and Signature Handling

Both systemd-boot and the UKI are signed using keys that enable Secure Boot verification. However, these test images use custom signing keys rather than the official Fedora keys. This means that to boot them, your system must trust these test keys—typically by enrolling them in the UEFI firmware. The images are explicitly marked as test builds and should not be used in production environments. The signing process ensures each boot component's integrity, but users must be aware of the key management implications. For production use, official Fedora signing keys will be required.

4. Primary Benefit: Passwordless TPM Disk Unlocking

The most immediate practical advantage of sealed boot images is the ability to implement passwordless disk unlocking using the TPM (Trusted Platform Module). With a fully verified boot chain, the system can securely bind disk encryption keys to the measured boot state. This means the disk will automatically unlock if and only if the system boots with trusted components. No more entering LUKS passwords on every reboot—ideal for servers, kiosks, and IoT devices. The security is reasonably robust by default, as the TPM seals the key to the exact hash of the boot chain.
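The binding between the disk key and the measured boot state can be modelled in a few lines. This added example (not from the original article or the Fedora project) simulates the TPM extend operation over a single PCR and a hypothetical `ToyTPM` that releases a sealed key only when the measured chain matches. A real TPM enforces this policy in hardware, and which PCRs a deployment binds to is a configuration choice not covered here; the component byte strings are constructed.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_chain(components) -> bytes:
    """Fold each boot component, in boot order, into one PCR that starts at zero."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class ToyTPM:
    """Hypothetical stand-in for a TPM: releases the secret only on a PCR match."""
    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._secret, self._policy = secret, expected_pcr

    def unseal(self, current_pcr: bytes):
        if hmac.compare_digest(current_pcr, self._policy):
            return self._secret
        return None  # measured state differs: the key stays sealed

# Constructed byte strings standing in for the real binaries.
TRUSTED = [b"systemd-boot (constructed)", b"UKI kernel+initrd+cmdline (constructed)"]
MODIFIED = [TRUSTED[0], TRUSTED[1] + b" one extra byte"]

def demo():
    """Seal a key to the trusted chain, then try both boots."""
    tpm = ToyTPM()
    key = os.urandom(32)  # stands in for the disk encryption key
    tpm.seal(key, measure_chain(TRUSTED))
    return key, tpm.unseal(measure_chain(TRUSTED)), tpm.unseal(measure_chain(MODIFIED))

if __name__ == "__main__":
    key, good, bad = demo()
    print("trusted boot unlocks :", good == key)
    print("modified boot unlocks:", bad is not None)
```

Because each extend hashes the previous PCR value, both the content and the order of the measured components determine the final value, so a legitimate update to any component also changes it and the key must be re-sealed.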

5. Testing the Pre-Built Images

To get started with testing, visit the dedicated GitHub repository at github.com/travier/fedora-atomic-desktops-sealed. There you will find instructions for deploying pre-built container images and disk images. The process involves writing the image to a USB drive or directly to a disk, then booting with UEFI enabled. Ensure that Secure Boot is configured to trust the test signing keys—either by enrollment or by temporarily setting Secure Boot to setup mode. The repository provides detailed steps for various deployment methods, including direct dd writing and using bootc for container-based updates.

6. Building Your Own Sealed Images

Beyond testing pre-built images, you can also create custom sealed images. The same GitHub repository includes scripts and documentation for building your own from source. This involves compiling the UKI, signing it, generating the composefs repository, and packaging everything into a bootable container. The process leverages tools like bootc, podman, and systemd-repart. Custom builds allow you to integrate your own kernel configurations, initrd modules, or additional security policies. However, note that you will need to manage your own signing keys and Secure Boot enrollment.

7. Known Issues and Reporting Feedback

Because these are test images, several known issues are tracked on the project's GitHub issues page. These include potential incompatibilities with certain UEFI firmware versions, hardware-specific boot failures, and limitations in key enrollment processes. Users are encouraged to report new issues via the same repository. The development team will triage and redirect them to upstream projects like bootc, systemd, or composefs as needed. Providing detailed logs, hardware information, and Secure Boot configuration will help accelerate fixes.

8. Important Warnings for Test Users

These images are strictly for testing—do not use them in production. The root account has no password set, and the SSH daemon is enabled by default to simplify debugging. This means any network-accessible system is vulnerable if exposed. Additionally, because the images use custom signing keys (not official Fedora keys), they are not part of Fedora's standard Secure Boot trust chain. Booting them may require enrolling test keys, which could affect system security if not managed carefully. Always test on disposable hardware or virtual machines.

9. Where to Learn More

For a deeper understanding of sealed images, several resources are available. The presentation "Signed, Sealed, and Delivered" by Allison and Timothée at FOSDEM 2025 covers the overall architecture. Timothée's talk at Devconf.cz 2025 focuses on UKIs and composefs integration. Another presentation from ASG 2025 by Pragyan, Vitaly, and Timothée discusses remote attestation. The composefs backend documentation in bootc provides technical implementation details. These materials explain how bootc manages container-based updates with verified boot chains.

10. Acknowledging Contributors

This ambitious project would not be possible without the contributions from multiple open-source communities. Key projects include bootc and bcvk for container management, composefs and composefs-rs for filesystem verification, chunkah for imaging tools, podman and buildah for container building, and systemd for UKI and bootloader support. The list is not exhaustive—many individual developers and testers have helped shape these sealed bootable images into a promising technology.

We encourage the Fedora community to test these images and provide feedback. The sealed boot concept holds great potential for enhancing security in automated environments. While still experimental, the groundwork laid here will likely influence future Fedora releases. Stay tuned for official support and production-ready images.