
Exploring Sealed Bootable Container Images for Fedora Atomic Desktops

Last updated: 2026-05-02 01:40:37 · Linux & DevOps

Introduction

The Fedora Atomic Desktop team is thrilled to introduce sealed bootable container images now available for testing. These images represent a significant step forward in ensuring a fully verified boot chain, from firmware to operating system, leveraging modern security technologies. This article dives into what makes these images special, how you can test them, and the benefits they bring to the table.

Source: fedoramagazine.org

What Are Sealed Bootable Container Images?

Sealed bootable container images are pre-built, self-contained packages that include every component necessary to establish a trustworthy boot process. They rely on Secure Boot and are currently designed for systems using UEFI on x86_64 and aarch64 architectures. The core idea is to create an immutable, verifiable chain that ensures only authorized code runs from the moment the system powers on.

Key Components

The images consist of three main parts, each playing a crucial role in the boot validation:

  • systemd-boot as the bootloader, responsible for initiating the boot sequence.
  • A Unified Kernel Image (UKI), which bundles the Linux kernel, an initial RAM disk (initrd), and the kernel command line into a single signed binary.
  • A composefs repository with fs-verity enabled, managed by bootc to verify the integrity of the filesystem.

Both systemd-boot and the UKI are digitally signed for Secure Boot compliance. However, because these are test images, they are not signed with Fedora’s official keys—a point to keep in mind when evaluating their security.
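
To make the UKI structure described above concrete, here is an added example (not code from the article or from the Fedora project) that reads a PE image's headers, reports whether the kernel, initrd and command-line sections are present, and whether a certificate table exists. The function names `inspect_uki` and `build_sample` are hypothetical, the section names `.linux`, `.initrd` and `.cmdline` come from the UKI specification rather than from this page, and the sample bytes are constructed for the demo.

```python
import struct

# Sections the article names as bundled in a UKI (names per the UKI spec).
REQUIRED = (".linux", ".initrd", ".cmdline")

def inspect_uki(data: bytes) -> dict:
    """Report PE section names, missing UKI sections, and signature-table presence."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # Data directories begin 96 bytes (PE32) or 112 bytes (PE32+) into the optional header.
    dir_off = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_off is None:
        raise ValueError("unknown optional-header magic")
    n_dirs, = struct.unpack_from("<I", data, opt + dir_off - 4)
    cert_size = 0
    if n_dirs > 4:  # directory entry 4 is the certificate (Authenticode) table
        _, cert_size = struct.unpack_from("<II", data, opt + dir_off + 4 * 8)
    table = opt + opt_size  # section table follows the optional header
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    return {"sections": names,
            "missing": [s for s in REQUIRED if s not in names],
            # Presence only: this does not validate the signature or its trust chain.
            "has_signature_table": cert_size > 0}

def build_sample(sections, cert_size=0):
    """Constructed minimal PE32+ headers for the demo; not a bootable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, 0x1000 if cert_size else 0, cert_size)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + table

if __name__ == "__main__":
    print(inspect_uki(build_sample([".osrel", ".cmdline", ".linux", ".initrd"], 1024)))
    print(inspect_uki(build_sample([".linux", ".cmdline"])))
```

A non-empty certificate table only shows that something was attached to the image; whether the signature verifies against keys the firmware trusts is a separate check, which matters here because the test images are signed with test keys.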

Benefits: Passwordless Disk Unlocking

One of the most compelling advantages of this sealed approach is the ability to enable passwordless disk unlocking using the Trusted Platform Module (TPM) in a reasonably secure manner. By binding the decryption key to the verified boot chain, the system can automatically unlock the disk only when it boots with the correct, signed components. This eliminates the need for users to enter a password on every restart, enhancing convenience without sacrificing security.

How to Test the Images

Ready to give the sealed images a try? Follow the detailed instructions available on the official GitHub repository. There you’ll find pre-built container and disk images, as well as guidance on how to build your own custom versions.

Important Warnings

These are testing images and should not be used in production environments. Be aware of the following defaults:

  • The root account has no password set, and the SSH daemon is enabled by default for easier debugging.
  • While the UKI and systemd-boot are signed for Secure Boot, they use test keys—not Fedora’s official signing keys.

Before proceeding, review the list of known issues on the repository. If you encounter new problems, please report them via the same GitHub page, and the team will redirect them to the appropriate upstream projects.

Further Reading and Resources

To understand the inner workings of sealed images—how bootable containers, UKI, and composefs collaborate to form a verified boot chain—check out the following presentations and documentation:

  • “Signed, Sealed, and Delivered” with UKIs and composefs, presented by Allison and Timothée at FOSDEM 2025.
  • “UKIs and composefs support for Bootable Containers” by Timothée at Devconf.cz 2025.
  • “UKI, composefs, and remote attestation for Bootable Containers” by Pragyan, Vitaly, and Timothée at ASG 2025.
  • The composefs backend documentation in bootc for technical deep dives.

These resources provide a comprehensive look at the technology stack and the rationale behind the sealed images.

Acknowledgments

This achievement would not have been possible without the dedicated contributions from numerous projects and individuals. Special thanks go to the teams behind bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. Their collaborative efforts have laid the foundation for a more secure and streamlined boot process in Fedora Atomic Desktops.