Fedora Atomic Desktops Launch Sealed Bootable Container Images for Verified Boot Chain
Fedora Atomic Desktops have released test versions of sealed bootable container images that create a fully verified boot chain from firmware to operating system. The images, available now for testing on x86_64 and aarch64 systems with UEFI Secure Boot, aim to enable TPM-based passwordless disk unlocking by default without weakening the security of the encrypted disk.

“This sealed image approach ensures that every component in the boot process is cryptographically verified, from the bootloader to the kernel and filesystem,” said Timothée Ravier, a contributor to Fedora Atomic Desktops and bootc developer. “It’s a foundational step toward making passwordless disk unlocking both convenient and trustworthy.”
The initiative relies on three core components: systemd-boot as the bootloader, a Unified Kernel Image (UKI) that bundles the Linux kernel, initrd, and kernel command line into a single signed file, and a composefs repository with fs-verity enabled, managed by bootc. Both systemd-boot and the UKI are signed for Secure Boot, though the test images are signed with unofficial keys rather than Fedora's.
Background
Sealed bootable container images differ from standard bootable containers by providing end-to-end verification. Each component—from firmware onward—is measured and signed, creating an immutable trust chain. This is achieved by integrating systemd-boot with a UKI that carries a composed filesystem image (composefs) validated by fs-verity.
The approach builds on prior work presented at FOSDEM 2025, Devconf.cz 2025, and ASG 2025 by Allison, Timothée, Pragyan, Vitaly, and others. It relies on contributions from projects including bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd.
How to Test the Images
Pre-built container and disk images are available via the repository at github.com/travier/fedora-atomic-desktops-sealed. Instructions for building custom sealed images are also provided. Developers and early adopters can download and deploy them on UEFI systems with Secure Boot enabled.

Important warnings: These are test images. The root account has no password set, and SSH is enabled by default for debugging. The signatures use unofficial keys—do not use in production. A list of known issues is maintained in the same repository, and new bugs should be reported there.
What This Means
The immediate benefit is enabling TPM-based passwordless disk unlocking without compromising security. Because the boot chain is fully verified, the TPM releases the disk encryption key only when the firmware, bootloader, kernel, and filesystem all match the expected measurements. This removes the need for a user password during boot while still denying access to the encrypted disk whenever any component of the chain has been altered.
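To make concrete why the TPM hands over the key only for an unmodified chain, here is an added example (not code from the announcement, bootc, or systemd): a small Python model that applies the TPM 2.0 PCR extend rule over the four stages named above and a simplified sealing policy. The stage blobs, the KDF label, and the disk key are constructed stand-ins, and the sealing is a toy substitute for real TPM policy sealing.

```python
# Toy model of measured boot gating a sealed disk key (added example).
# The extend rule follows TPM 2.0 PCR semantics; sealing is simplified.
import hashlib
from typing import Optional


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_chain(stages: list[bytes]) -> bytes:
    """Measure firmware -> bootloader -> UKI -> rootfs in order, from PCR = 0."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def seal(secret: bytes, pcr: bytes) -> dict:
    """Bind a 32-byte secret to one PCR value: policy digest plus a PCR-derived mask."""
    mask = hashlib.sha256(b"toy-seal-kdf" + pcr).digest()  # constructed KDF label
    return {"policy": hashlib.sha256(pcr).digest(),
            "blob": bytes(a ^ b for a, b in zip(secret, mask))}


def unseal(sealed: dict, pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the live PCR satisfies the sealed policy."""
    if hashlib.sha256(pcr).digest() != sealed["policy"]:
        return None
    mask = hashlib.sha256(b"toy-seal-kdf" + pcr).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], mask))


# Constructed stand-ins for the measured stages of a sealed image.
GOOD_CHAIN = [b"firmware:uefi-secure-boot", b"bootloader:systemd-boot",
              b"uki:kernel+initrd+cmdline", b"rootfs:composefs-fsverity-digest"]
DISK_KEY = bytes(range(32))  # constructed 32-byte stand-in for a LUKS key
SEALED = seal(DISK_KEY, measure_chain(GOOD_CHAIN))


def try_unlock(chain: list[bytes]) -> Optional[bytes]:
    """What the initrd gets back from the TPM given this boot's measurements."""
    return unseal(SEALED, measure_chain(chain))


if __name__ == "__main__":
    print("pristine boot unlocks:", try_unlock(GOOD_CHAIN) == DISK_KEY)
    tampered = list(GOOD_CHAIN)
    tampered[2] = b"uki:kernel+initrd+cmdline (altered)"
    print("tampered UKI unlocks:", try_unlock(tampered) is not None)
```

Any change to any stage, or a stage that is skipped, produces a different final PCR value and the key is not released; a real deployment binds the policy to several PCRs rather than one.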
Longer term, sealed images pave the way for trusted boot in edge, IoT, and cloud deployments where unattended reboot and remote attestation are critical. The ability to compose a verified system from container layers also simplifies image management and secure updates.
For detailed technical explanations, see the presentations linked in the original announcement or the composefs backend documentation in bootc.
Feedback and contributions are welcomed as the Fedora Atomic Desktop team works toward integrating sealed boot into future stable releases.