Exploring Sealed Bootable Container Images for Fedora Atomic Desktops: A Q&A Guide
Fedora Atomic Desktops have reached an exciting milestone: sealed bootable container images are now available for testing. These images deliver a fully verified boot chain, from firmware to the operating system, enhancing security and enabling features like passwordless disk unlocking via TPM. This Q&A breaks down what sealed images are, how to test them, and why they matter.
What exactly are sealed bootable container images?
Sealed bootable container images bundle every component needed for a verified boot chain, relying on Secure Boot and UEFI on x86_64 and aarch64 systems. The key components include:
- systemd-boot as the bootloader
- A Unified Kernel Image (UKI) that combines the Linux kernel, initrd, and kernel command line
- A composefs repository with fs-verity, managed by bootc
Both systemd-boot and the UKI are signed for Secure Boot, though these test images use non-official Fedora keys. The result is a chain of trust that starts at firmware and extends to the OS image itself.
What is the main benefit of these sealed images?
The direct advantage is enabling passwordless disk unlocking using the TPM (Trusted Platform Module) in a reasonably secure way by default. Because the boot chain is fully verified, the TPM can safely release the decryption key only when the system boots with expected, untampered components. This eliminates the need for manual passphrase entry while maintaining strong security—ideal for servers, kiosks, or edge devices that reboot unattended. Beyond convenience, sealed images also provide integrity guarantees: any modification to the disk image will break the verification, alerting administrators to tampering.
How can I test these sealed images?
Testing is straightforward. Visit the fedora-atomic-desktops-sealed repository on GitHub at github.com/travier/fedora-atomic-desktops-sealed, where you’ll find instructions for using pre-built container and disk images, as well as building your own. The repository also lists known issues and a template for reporting new bugs. Feedback is welcome, and the team will redirect issues to upstream projects as needed. Note that these images are meant for testing only—the root account has no password set, and SSH is enabled for debugging. Do not use them in production.
Are these images safe for production use?
No, these are test images and should not be used in production environments. Several factors make them unsuitable for real-world deployment:
- The root account has no password set.
- SSHD is enabled by default for easier debugging.
- The UKI and systemd-boot are signed with test keys, not official Fedora keys.
This design prioritizes easy access for testing, but it sacrifices security. Once official signed images are released with proper keys, they will be safe for production. For now, only use these images on isolated test systems where you can accept the risks.
Where can I learn more about the technology behind sealed images?
For deeper technical details, several resources are available:
- “Signed, Sealed, and Delivered” with UKIs and composefs – a presentation by Allison and Timothée at FOSDEM 2025.
- UKIs and composefs support for Bootable Containers – Timothée’s talk at Devconf.cz 2025.
- UKI, composefs and remote attestation for Bootable Containers – presented by Pragyan, Vitaly, and Timothée at ASG 2025.
- composefs backend documentation in the bootc project.
These cover how bootable containers, UKIs, and composefs work together to create a verified boot chain, as well as advanced topics like remote attestation.
Which projects contributed to making this possible?
A broad community effort made sealed images a reality. Key contributors and their projects include (but are not limited to):
- bootc & bcvk
- composefs & composefs-rs
- chunkah
- podman & buildah
- systemd
Thanks to all the developers from these upstream projects for their collaboration and innovation in bringing verified boot chains to Fedora Atomic Desktops.