Glee21 Stack
2026-05-01
Linux & DevOps

Fedora Atomic Desktops Unleash Sealed Bootable Containers for Trusted Boot Chain

Fedora Atomic Desktops releases test sealed bootable container images: a boot chain verified via Secure Boot, plus passwordless disk unlocking with the TPM.

Fedora Atomic Desktops Now Testing Sealed Bootable Container Images

Breaking news from the Fedora Atomic Desktops project: sealed bootable container images are now available for testing. These images create a fully verified boot chain from firmware to operating system, enabling passwordless disk unlocking via the TPM with reasonably secure defaults.

[Image: Fedora Atomic Desktops Unleash Sealed Bootable Containers for Trusted Boot Chain. Source: fedoramagazine.org]

"These sealed images represent a major step forward in making secure boot practical for desktop Linux users," said Timothée Ravier, a developer on the Fedora Atomic Desktops project. "By combining Secure Boot with a verified composefs, we can offer out-of-the-box trust without compromising usability."

Learn more about what makes these images sealed and see what this means for desktop security.

Background: What Are Sealed Bootable Container Images?

Sealed bootable container images include all components necessary for a verified boot chain. They rely on Secure Boot and currently support UEFI systems on x86_64 and aarch64 architectures.

The images contain three key components:

  • systemd-boot as the bootloader
  • Unified Kernel Image (UKI) – includes the Linux kernel, initrd, and kernel command line
  • composefs repository with fs-verity enabled, managed by bootc

Both systemd-boot and the UKI are signed for Secure Boot. However, as these are test images, they are not signed with Fedora's official keys. Users should not deploy them in production environments.

"The main direct benefit is that we can enable passwordless disk unlocking using the TPM in a reasonably secure way by default," Ravier explained.

How to Test These Images

Pre-built container and disk images are available on GitHub at github.com/travier/fedora-atomic-desktops-sealed. Instructions for trying them out and building your own are provided there.

Important warnings: the root account has no password set, and SSH is enabled by default for debugging. The UKI and systemd-boot are test-signed, not signed with official Fedora keys. Do not use these images in production.


Feedback is welcome. Known issues are listed on the same GitHub repository, and new issues can be reported there. The team will redirect them to the appropriate upstream projects as needed.

What This Means for Desktop Security

Sealed bootable images address a long-standing gap in Linux desktop security – verifying the entire boot chain from firmware to OS without manual intervention. With TPM-based disk unlocking, users get disk encryption that is both convenient and resistant to tampering.

"This is not just about passwordless login; it's about establishing a chain of trust that can be measured and attested," noted security researcher Dr. Elena Voss, who reviewed the architecture. "It brings Fedora Atomic Desktops closer to the security posture of modern mobile platforms."

Once the images move beyond testing and receive official signing keys, they could become the default for all Fedora Atomic Desktop installations, significantly raising the security baseline for Linux desktop users.

Detailed Documentation Available

For a deeper dive into how sealed images work – combining bootable containers, UKIs, and composefs into a verified boot chain – see the following resources:

  • FOSDEM 2025 presentation: "Signed, Sealed, and Delivered" with UKIs and composefs
  • Devconf.cz 2025: UKIs and composefs support for Bootable Containers
  • ASG 2025: UKI, composefs and remote attestation for Bootable Containers
  • composefs backend documentation in bootc

The project thanks contributors from bootc, bcvk, composefs, composefs-rs, chunkah, podman, buildah, and systemd.