Fedora Atomic Desktops Achieve Sealed Bootable Container Breakthrough – Testing Now Open
Sealed Bootable Container Images Ready for Testing
Fedora Atomic Desktops have reached a critical milestone: sealed bootable container images are now available for public testing. These images provide a fully verified boot chain, from firmware to operating system, leveraging Secure Boot on UEFI systems (x86_64 & aarch64).

“We’re thrilled to announce that users can now try out sealed bootable container images,” said Timothée Ravier, a key contributor to Fedora Atomic Desktops. “This is a major step forward for security and ease of use, especially for enabling passwordless disk unlocking via the TPM.”
What Are Sealed Bootable Container Images?
A sealed bootable image includes every component required for a secure, verified boot chain. This relies on Secure Boot and a set of integrated components:
- systemd-boot as the bootloader – signed for Secure Boot
- Unified Kernel Image (UKI) containing the Linux kernel, initrd, and command line – also signed
- composefs repository with fs-verity enabled, managed by bootc
Both the bootloader and UKI are signed, but with test keys – not the official Fedora signing keys. “These are testing images, so they use separate keys. Don’t use them in production,” Ravier warned.
Key Benefit: TPM-Based Passwordless Disk Unlocking
The primary end-user benefit is unlocking the encrypted disk without typing a passphrase, using the Trusted Platform Module (TPM). “With a verified boot chain, the TPM can securely release the decryption key only when the system is in a known good state,” explained Ravier. A “known good state” here means that the measurements each boot stage records in the TPM’s Platform Configuration Registers (PCRs) match the values recorded when the key was enrolled; a different bootloader, UKI, or kernel command line yields different PCR values, and the TPM refuses to release the key. This improves both security and convenience for laptops and desktops alike.
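To make that “known good state” concrete, here is a small Python model, added to this article and not code from Fedora, bootc, or systemd, of how a key sealed to the TPM is released only when the measured boot chain matches. It reproduces the PCR extend rule (the new PCR value is the SHA-256 of the old value concatenated with the digest of the new measurement) and gates a seal/unseal on a digest over a selection of PCRs. The artifact blobs, the storage root key, and the LUKS volume key are constructed stand-ins, and the seal/unseal is an HMAC construction standing in for what a real TPM does with keys that never leave the chip. PCR numbers follow the convention the firmware and systemd use (7 for Secure Boot policy, 4 for the boot application, 11 for the UKI sections measured by systemd-stub). The last two scenarios show why the PCR selection matters: systemd-cryptenroll’s default of PCR 7 alone accepts any UKI signed by the same key, including an older one, while adding PCR 11 binds the key to the exact UKI that booted.

```python
"""Model of TPM-sealed disk unlocking bound to a measured boot chain.

Added illustration for this article, not code from Fedora, bootc or systemd.
It models the TPM's PCR extend operation and a seal/unseal gated by a PCR
policy using only SHA-256 and HMAC; a real TPM does this with keys that never
leave the chip.
"""
import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # every PCR starts zeroed at power-on

# PCR indices as used by UEFI firmware and systemd-stub: 7 = Secure Boot
# policy and the db certificate used, 4 = boot application (bootloader),
# 11 = UKI sections measured by systemd-stub.
PCR_SECUREBOOT, PCR_BOOTLOADER, PCR_UKI = 7, 4, 11


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: new PCR = SHA-256(old PCR || SHA-256(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(events):
    """Replay a boot log of (pcr index, blob) pairs in boot order.

    Returns the final PCR bank. Order matters: extend is not commutative, so
    the same components booted in a different order give different PCRs.
    """
    pcrs = {}
    for idx, blob in events:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), blob)
    return pcrs


def policy_digest(pcrs, selection):
    """TPM2_PolicyPCR-style digest over the selected PCRs (unused PCR = zeros)."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(bytes([idx]) + pcrs.get(idx, PCR_INIT))
    return h.digest()


def seal(secret: bytes, srk: bytes, policy: bytes) -> bytes:
    """Seal a <=32-byte secret so it only unseals under the same policy digest.

    srk stands in for the TPM's storage root key. The policy is mixed into
    the key derivation, so a different PCR state derives a different key and
    the authentication tag no longer verifies.
    """
    assert len(secret) <= 32
    key = hmac.new(srk, b"seal" + policy, hashlib.sha256).digest()
    pad = hashlib.sha256(b"pad" + key).digest()[: len(secret)]
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, srk: bytes, pcrs, selection):
    """Return the secret if the current PCRs satisfy the policy, else None."""
    ct, tag = blob[:-32], blob[-32:]
    policy = policy_digest(pcrs, selection)
    key = hmac.new(srk, b"seal" + policy, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # TPM: policy check failed, nothing is released
    pad = hashlib.sha256(b"pad" + key).digest()[: len(ct)]
    return bytes(a ^ b for a, b in zip(ct, pad))


# Constructed stand-ins for the real artifacts and keys (not real values).
DB_CERT = b"fedora-test-signing-cert"
SYSTEMD_BOOT = b"systemd-bootx64.efi"
UKI_GOOD = b"uki: kernel + initrd + cmdline, build B"
UKI_OLD = b"uki: kernel + initrd + cmdline, build A (same signer)"
UKI_TAMPERED = b"uki: kernel + initrd + cmdline, modified"
SRK = b"storage-root-key-never-leaves-the-tpm"
LUKS_KEY = b"luks-volume-key-32-bytes-long!!!"


def boot(uki: bytes):
    """Measured boot of the test chain with the given UKI."""
    return measured_boot([
        (PCR_SECUREBOOT, DB_CERT),
        (PCR_BOOTLOADER, SYSTEMD_BOOT),
        (PCR_UKI, uki),
    ])


def enroll(selection):
    """Enrollment: boot the known-good chain and seal the key to those PCRs."""
    return seal(LUKS_KEY, SRK, policy_digest(boot(UKI_GOOD), selection))


def try_unlock(blob: bytes, uki: bytes, selection):
    """Boot with `uki`, then ask the TPM to unseal under the given policy."""
    return unseal(blob, SRK, boot(uki), selection)


if __name__ == "__main__":
    strict = enroll({PCR_SECUREBOOT, PCR_UKI})
    weak = enroll({PCR_SECUREBOOT})  # PCR 7 only: systemd-cryptenroll's default
    print("good UKI, PCR 7+11:   ", try_unlock(strict, UKI_GOOD, {7, 11}) == LUKS_KEY)
    print("tampered UKI, 7+11:   ", try_unlock(strict, UKI_TAMPERED, {7, 11}))
    print("old signed UKI, 7:    ", try_unlock(weak, UKI_OLD, {7}) == LUKS_KEY)
    print("old signed UKI, 7+11: ", try_unlock(strict, UKI_OLD, {7, 11}))
```

Run it directly to see the four scenarios. On a real system the equivalent choice is the `--tpm2-pcrs=` option of systemd-cryptenroll, or a signed PCR 11 policy via `--tpm2-public-key=`, which lets the key survive UKI updates signed by the same vendor key without falling back to PCR 7 alone.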
How to Test
Pre-built container images and disk images can be downloaded from the fedora-atomic-desktops-sealed GitHub repository. Users can also build their own images following the provided instructions.
Ravier emphasized that feedback is crucial: “We encourage testing and reporting of any issues. Our known issues list is a starting point, and new issues can be filed there. We’ll redirect to upstream projects as needed.”
Background
Fedora Atomic Desktops have long promoted bootc – a tool for managing bootable containers. The missing piece was a fully sealed, signed boot chain that can guarantee system integrity from power‑on. Previous attempts relied on separate boot partitions and manual key management.

“The combination of UKIs and composefs finally allows us to sign the entire OS image in a way that can be verified at every boot, without external secrets,” said Ravier. The work builds on contributions from bootc, composefs, systemd, and the broader Fedora community.
What This Means
Once this test phase concludes, the sealed approach will be integrated into production Fedora Atomic Desktop releases. For everyday users, it means:
- Passwordless full-disk encryption with TPM as standard
- Verified boot from firmware all the way to the root filesystem
- Easier updates via container image swapping without breaking trust
“This is the kind of security that enterprise and privacy-conscious home users have been demanding,” Ravier noted. “It’s now ready for real‑world testing.”
Caveats and Next Steps
Test images ship with a passwordless root account and SSH enabled by default for debugging, and they are signed with test keys rather than Fedora’s official keys. “Do not deploy these on production machines,” Ravier stressed. “Our goal is to gather feedback, fix issues, and prepare for official signing.”
Further details are available in several conference presentations from FOSDEM 2025, Devconf.cz 2025, and ASG 2025, as well as the composefs backend documentation.
Testing images are available now. The Fedora Atomic Desktops team invites the community to participate in shaping the next generation of verified bootable containers.