Fedora Atomic Desktops Launch Sealed Bootable Container Images for Verified Boot Chain
Breaking: Fedora Atomic Desktops Ship Sealed Bootable Container Images
Fedora Atomic Desktops have released test versions of sealed bootable container images that create a fully verified boot chain from firmware to operating system. The images, available now for testing on x86_64 and aarch64 systems with UEFI Secure Boot, aim to enable default TPM-based passwordless disk unlocking in a secure manner.

“This sealed image approach ensures that every component in the boot process is cryptographically verified, from the bootloader to the kernel and filesystem,” said Timothée Ravier, a contributor to Fedora Atomic Desktops and bootc developer. “It’s a foundational step toward making passwordless disk unlocking both convenient and trustworthy.”
The initiative relies on three core components: systemd-boot as the bootloader, a Unified Kernel Image (UKI) that bundles the Linux kernel, initrd, and command line, and a composefs repository with fs-verity enabled, managed by bootc. Both systemd-boot and the UKI are signed for Secure Boot, though the test images use non-official Fedora keys.
Background
Sealed bootable container images differ from standard bootable containers by providing end-to-end verification. Each component—from firmware onward—is measured and signed, creating an immutable trust chain. This is achieved by integrating systemd-boot with a UKI that carries a composed filesystem image (composefs) validated by fs-verity.
The approach builds on prior work presented at FOSDEM 2025, Devconf.cz 2025, and ASG 2025 by Allison, Timothée, Pragyan, Vitaly, and others. It relies on contributions from projects including bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd.
How to Test the Images
Pre-built container and disk images are available via the repository at github.com/travier/fedora-atomic-desktops-sealed. Instructions for building custom sealed images are also provided. Developers and early adopters can download and deploy them on UEFI systems with Secure Boot enabled.

Important warnings: These are test images. The root account has no password set, and SSH is enabled by default for debugging. The signatures use unofficial keys—do not use in production. A list of known issues is maintained in the same repository, and new bugs should be reported there.
What This Means
The immediate benefit is enabling TPM-based passwordless disk unlocking without compromising security. Because the boot chain is fully verified, the TPM can release disk encryption keys only when the firmware, bootloader, kernel, and filesystem all match expected measurements. This removes the need for user passwords during boot while still blocking unauthorized access: if any of those components is altered, its measurement changes and the key stays sealed.
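As an added illustration, not code from the announcement or from the Fedora/bootc projects, the following Python simulates the mechanism described above: each boot component is hashed and extended into a PCR-style register, the disk key is sealed to the resulting value, and any change to a component (here a modified kernel inside the UKI) yields a different measurement so the key is not released. The component blobs, the single register and the XOR-based sealing are constructed stand-ins for the real firmware, TPM and LUKS enrolment, chosen only to show the policy logic.

```python
import hashlib

DISK_KEY = bytes(range(32))  # constructed sample 32-byte volume key


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new value = SHA-256(old value || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components) -> bytes:
    """Replay the boot sequence into one register, starting from the reset value (all zeros)."""
    pcr = bytes(32)
    for _name, blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def seal_key(key: bytes, expected_pcr: bytes) -> dict:
    """Bind the key to an expected measurement (toy stand-in for TPM sealing)."""
    pad = hashlib.sha256(b"seal:" + expected_pcr).digest()
    return {"expected_pcr": expected_pcr, "blob": bytes(k ^ p for k, p in zip(key, pad))}


def unseal_key(sealed: dict, current_pcr: bytes):
    """Release the key only when the current measurement matches the sealing policy."""
    if current_pcr != sealed["expected_pcr"]:
        return None
    pad = hashlib.sha256(b"seal:" + current_pcr).digest()
    return bytes(b ^ p for b, p in zip(sealed["blob"], pad))


def trusted_chain():
    # Constructed stand-ins for the real artefacts; order mirrors firmware -> bootloader -> UKI -> rootfs.
    return [
        ("firmware", b"uefi-firmware-v1"),
        ("systemd-boot", b"systemd-boot signed with test key"),
        ("uki", b"vmlinuz-6.x + initrd + cmdline"),
        ("composefs", b"composefs image digest verified by fs-verity"),
    ]


def tampered_chain():
    # Same chain, but the kernel inside the UKI differs by a single byte.
    chain = trusted_chain()
    chain[2] = ("uki", b"vmlinuz-6.y + initrd + cmdline")
    return chain


def demo() -> dict:
    """Seal to the trusted measurement, then try to unseal from both chains."""
    sealed = seal_key(DISK_KEY, measure_chain(trusted_chain()))
    return {
        "trusted": unseal_key(sealed, measure_chain(trusted_chain())),
        "tampered": unseal_key(sealed, measure_chain(tampered_chain())),
    }
```

In the real stack the TPM itself enforces the policy and holds the secret, and the measurements are spread over several PCRs rather than one register.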
Longer term, sealed images pave the way for trusted boot in edge, IoT, and cloud deployments where unattended reboot and remote attestation are critical. The ability to compose a verified system from container layers also simplifies image management and secure updates.
For detailed technical explanations, see the presentations linked in the original announcement or the composefs backend documentation in bootc.
Feedback and contributions are welcomed as the Fedora Atomic Desktop team works toward integrating sealed boot into future stable releases.