Fedora Atomic Desktops Introduce Sealed Bootable Container Images for Secure Boot Verification

Fedora Atomic Desktops Unveils Sealed Bootable Container Images for Testing

April 2025 – The Fedora Project has released test versions of sealed bootable container images for the Atomic Desktops, enabling a fully verified boot chain from firmware to operating system. These images integrate Secure Boot, systemd-boot, Unified Kernel Images (UKIs), and composefs with fs-verity, marking a significant step toward stronger security guarantees for Linux desktop deployments.

Source: fedoramagazine.org

“These sealed images represent a major milestone for Fedora Atomic Desktops, allowing us to build a trusted path from the hardware through to the OS,” said Timothée Ravier, Fedora contributor and lead developer of the initiative. “Users can now test a chain where every component is cryptographically signed – even though for now, we’re using test keys rather than official Fedora signatures.”

What Are Sealed Bootable Container Images?

Sealed bootable container images bundle all necessary components for a verified boot process. The stack includes systemd-boot as the UEFI bootloader, a UKI that contains the Linux kernel, initramfs, and kernel command line, and a composefs repository with fs-verity enabled, managed by bootc.

Both systemd-boot and the UKI are signed for Secure Boot. The images support only UEFI systems on the x86_64 and aarch64 architectures. They are explicitly marked as test builds (they use non‑official keys) and are not intended for production environments.

Benefits: Passwordless TPM Disk Unlocking

The primary near‑term benefit of this sealed‑image approach is the ability to enable passwordless disk unlocking using the TPM. “With a properly verified boot chain, we can unlock encrypted disks automatically using the TPM, while maintaining a reasonably high security level,” Ravier explained. “This removes a major friction point for users who want full‑disk encryption without typing a password each time.”

How to Test the Images

Pre‑built container and disk images are available for download. Detailed instructions for testing, as well as guidance on building custom images, are published on the Fedora Atomic Desktops Sealed repository on GitHub.

The team encourages testing and feedback. A list of known issues is maintained, and users can report new problems directly on the same repository. The project will redirect relevant bugs to the appropriate upstream projects as needed.

Important Cautions for Testers

Because these are test images, the root account has no password set by default, and SSH is enabled to simplify debugging. The UKI and systemd-boot are signed for Secure Boot but not with official Fedora keys. “Do not use these images in production,” the team warns. “They are meant solely for experimentation and development.”

Background

Sealed bootable container images build upon several existing Fedora and Linux technologies: bootable containers, UKIs, composefs, and Secure Boot. The goal is to create a complete, verifiable boot chain that can be audited from firmware to the running system.

Detailed technical explanations were presented at recent conferences, including FOSDEM 2025 (“Signed, Sealed, and Delivered” by Allison and Timothée), Devconf.cz 2025 (“UKIs and composefs support for Bootable Containers” by Timothée), and ASG 2025 (“UKI, composefs and remote attestation for Bootable Containers” by Pragyan, Vitaly, and Timothée). Additional documentation is available in the composefs backend documentation in bootc.

What This Means

If successfully validated, sealed bootable container images could become the default secure boot mechanism for Fedora Atomic Desktops and other bootc‑based systems. The ability to unlock disks without passwords via TPM strengthens both security and usability, potentially accelerating adoption of full‑disk encryption.

More broadly, this approach demonstrates a future where Linux desktop systems can offer hardware‑rooted trust comparable to that of mobile devices or managed workstations. “We’re enabling a chain of trust that users can rely on without needing to understand every cryptographic detail,” Ravier said. “The next step is to transition from test keys to official Fedora signing.”

The project thanks contributors from bootc & bcvk, composefs & composefs‑rs, chunkah, podman & buildah, and systemd for making this possible.
