Bvoxro Stack

Fedora Releases Sealed Bootable Container Images for Atomic Desktops – Enhanced Security with Verified Boot Chain

Fedora releases sealed bootable container images for Atomic Desktops, enabling verified boot chain and TPM-based passwordless disk unlocking for testing.

Bvoxro Stack · 2026-05-06 23:15:15 · Linux & DevOps

Breaking: Fedora Atomic Desktops Gain Sealed Bootable Container Images

Fedora has released sealed bootable container images for testing on Atomic Desktops, bringing a fully verified boot chain from firmware to operating system. The images, announced today, rely on Secure Boot and support UEFI systems on x86_64 and aarch64 architectures.

Fedora Releases Sealed Bootable Container Images for Atomic Desktops – Enhanced Security with Verified Boot Chain
Source: fedoramagazine.org

“This is a major step forward for boot security,” said Timothée Ravier, a Fedora contributor involved in the project. “By sealing all components, we ensure the integrity of every layer, from the bootloader to the root filesystem.”

Background: What Are Sealed Bootable Container Images?

Sealed bootable container images bundle every component needed for a verified boot chain. They include systemd-boot as the bootloader, a Unified Kernel Image (UKI) containing the Linux kernel, initrd, and command line, and a composefs repository with fs-verity enabled, managed by bootc.

Both systemd-boot and the UKI are signed for Secure Boot. However, these test images use test keys—not Fedora’s official signing keys—so they are not suitable for production use. “These are early test images; we strongly advise against deploying them in production environments,” Ravier emphasized.
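Because the kernel command line lives inside the UKI as a PE section, it is covered by the Secure Boot signature along with the kernel and initrd; a reviewer can therefore inspect what a given image bakes in before trusting it. The following is an added example, not code from Fedora or the bootc/systemd projects: it walks the COFF section table of a PE file to pull out the `.linux`, `.initrd`, `.cmdline` and `.osrel` sections (the real section names systemd's UKI layout uses), reports any debugging options found in the baked-in command line, and hashes the file. The UKI it inspects is a minimal PE constructed in the block (no optional header, no Authenticode signature), and the SHA-256 shown is a plain file digest, not the Authenticode digest firmware verifies.

```python
import hashlib
import struct

# Section names systemd's UKI layout uses (real names); contents here are constructed stand-ins.
UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel")

# Kernel/dracut options that weaken a sealed boot if baked into the signed command line.
RISKY_CMDLINE_OPTIONS = ("rd.break", "rd.shell", "rd.debug", "init=", "enforcing=0")


def build_minimal_pe(sections):
    """Build a minimal PE/COFF file carrying the given {name: bytes} sections.

    Constructed for this example only; real UKIs come from ukify/systemd-stub and
    also carry a proper optional header and an Authenticode signature.
    """
    names = list(sections)
    e_lfanew = 64                       # DOS stub occupies the first 64 bytes here
    opt_size = 0                        # no optional header is needed to walk sections
    header_end = e_lfanew + 24 + opt_size + 40 * len(names)
    data_start = (header_end + 511) // 512 * 512
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x22)
    table, body, offset = b"", b"", data_start
    for name in names:
        raw = sections[name]
        padded = (len(raw) + 511) // 512 * 512
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs, linenumbers, counts, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0, padded, offset,
                             0, 0, 0, 0, 0x40000040)   # INITIALIZED_DATA | MEM_READ
        body += raw.ljust(padded, b"\0")
        offset += padded
    header = dos + coff + table
    return header.ljust(data_start, b"\0") + body


def pe_sections(blob):
    """Return {section_name: raw_bytes} by walking the COFF section table of a PE file."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (nsections,) = struct.unpack_from("<H", blob, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", blob, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    out = {}
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        length = min(vsize, rawsize) if vsize else rawsize
        out[name.rstrip(b"\0").decode("ascii")] = blob[rawptr:rawptr + length]
    return out


def audit_uki(blob):
    """Summarise what a UKI bakes in: present/missing sections, the command line,
    the os-release ID, risky command-line options, and a SHA-256 of the whole file."""
    sections = pe_sections(blob)
    cmdline = sections.get(".cmdline", b"").rstrip(b"\0").decode("utf-8", "replace").strip()
    osrel_lines = sections.get(".osrel", b"").decode("utf-8", "replace").splitlines()
    osrel = dict(line.split("=", 1) for line in osrel_lines if "=" in line)
    tokens = cmdline.split()
    return {
        "sections": sorted(sections),
        "missing": [s for s in UKI_SECTIONS if s not in sections],
        "cmdline": cmdline,
        "os_id": osrel.get("ID", "").strip('"'),
        "risky_options": [o for o in RISKY_CMDLINE_OPTIONS if any(t.startswith(o) for t in tokens)],
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


# Constructed sample UKI: placeholder kernel/initrd bytes and a command line that
# leaves a debug shell enabled, which a sealed production image should not carry.
SAMPLE_UKI = build_minimal_pe({
    ".linux": b"\x7fELF constructed kernel stand-in",
    ".initrd": b"constructed initrd cpio stand-in",
    ".cmdline": b"root=UUID=00000000-0000-0000-0000-000000000000 ro rd.shell\0",
    ".osrel": b'NAME="Fedora Linux"\nID=fedora\n',
})

if __name__ == "__main__":
    for key, value in audit_uki(SAMPLE_UKI).items():
        print(f"{key}: {value}")
```

Against a real image, read the file that systemd-boot loads (for example the `.efi` under `/boot/efi/EFI/Linux/`) and pass its bytes to `audit_uki`; a changed command line changes the file and therefore invalidates the signature, which is the property that makes baking it into the UKI worthwhile.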

The primary benefit of sealed images is the ability to enable passwordless disk unlocking using the TPM (Trusted Platform Module) in a reasonably secure manner by default. This eliminates the need for manual password entry on each boot while maintaining hardware-backed security.

Testing the Sealed Images

Users can download pre-built container and disk images from the Fedora Atomic Desktops Sealed GitHub repository. The repository also provides instructions for building custom sealed images.

Fedora welcomes community testing and feedback. A list of known issues is available on the same repository. New issues should be reported there; the team will redirect them to the appropriate upstream projects if needed. “We need the community’s help to stress-test these images and identify any gaps before we consider them stable,” Ravier noted.

Warning: The test images have no root password set, and the SSH daemon is enabled by default for debugging. The boot components are signed with test Secure Boot keys, not Fedora’s official keys. Do not use these images in production or on systems with sensitive data.
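Whether a test image's passwordless TPM unlock is actually bound to the verified boot chain, and whether the debugging defaults above are still in place, can be checked from a booted system. This is an added example, not code from Fedora or the bootc project: it parses the `Tokens:` section of `cryptsetup luksDump` output for a `systemd-tpm2` token and checks which PCRs its policy binds (systemd-cryptenroll measures the Secure Boot state into PCR 7 and, via systemd-stub, the UKI into PCR 11), decodes the UEFI `SecureBoot` variable as efivarfs exposes it (four attribute bytes followed by one data byte), and inspects the root entry of a shadow file. The luksDump text, the shadow lines and the efivar bytes are constructed samples; the field names follow the systemd-tpm2 token plugin's output but the UUID and values are placeholders.

```python
import re

# Constructed sample of `cryptsetup luksDump` output: keyslot 1 is bound to the TPM
# by systemd-cryptenroll; the UUID is a placeholder.
SAMPLE_LUKS_DUMP = """\
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pubkey-pcrs: 11
        tpm2-primary-alg: ecc
        tpm2-pin:         false
        Keyslot:          1
Digests:
  0: pbkdf2
"""

# Constructed shadow entries: root has an empty password field, as on the test images.
SAMPLE_SHADOW = "root::19000:0:99999:7:::\ncore:$6$constructedhash:19000:0:99999:7:::\n"

# Constructed efivarfs content for SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c:
# 4 attribute bytes, then the single data byte (1 = enabled).
SAMPLE_SECUREBOOT_EFIVAR = bytes([0x06, 0x00, 0x00, 0x00, 0x01])


def parse_luks_tokens(dump):
    """Return the entries of the luksDump 'Tokens:' section as a list of dicts."""
    tokens, current, in_tokens = [], None, False
    for line in dump.splitlines():
        if line.startswith("Tokens:"):
            in_tokens = True
            continue
        if not in_tokens:
            continue
        if line and not line[0].isspace():
            break                                   # next top-level section, e.g. Digests:
        m = re.match(r"\s+(\d+):\s+(\S+)$", line)    # "  0: systemd-tpm2"
        if m:
            current = {"id": int(m.group(1)), "type": m.group(2)}
            tokens.append(current)
            continue
        m = re.match(r"\s+([\w-]+):\s*(.*)$", line)  # "  tpm2-hash-pcrs: 7"
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return tokens


def assess_tpm_unlock(tokens):
    """Findings about TPM-bound unlock: is there a token, and does its policy
    cover the Secure Boot state (PCR 7) and the UKI measurement (PCR 11)?"""
    tpm = [t for t in tokens if t["type"] == "systemd-tpm2"]
    if not tpm:
        return ["no systemd-tpm2 token: disk unlock is not TPM-bound"]
    findings = []
    for t in tpm:
        pcrs = {int(p) for p in re.findall(r"\d+", t.get("tpm2-hash-pcrs", ""))}
        pubkey_pcrs = {int(p) for p in re.findall(r"\d+", t.get("tpm2-pubkey-pcrs", ""))}
        if 7 not in pcrs:
            findings.append(f"token {t['id']}: policy does not include PCR 7 (Secure Boot state)")
        if 11 not in pcrs and 11 not in pubkey_pcrs:
            findings.append(f"token {t['id']}: policy does not bind PCR 11 (UKI measurement)")
    return findings


def secure_boot_enabled(efivar):
    """Decode the SecureBoot variable as read from efivarfs."""
    return len(efivar) >= 5 and efivar[4] == 1


def root_password_state(shadow):
    """'empty' (passwordless login), 'locked' ('!'/'*'), 'set', or 'absent'."""
    for line in shadow.splitlines():
        fields = line.split(":")
        if fields[0] == "root":
            h = fields[1] if len(fields) > 1 else ""
            return "empty" if h == "" else ("locked" if h[0] in "!*" else "set")
    return "absent"


def audit_test_image(luks_dump, shadow, efivar):
    """Combine the checks into one list of findings; empty means nothing flagged."""
    findings = assess_tpm_unlock(parse_luks_tokens(luks_dump))
    if not secure_boot_enabled(efivar):
        findings.append("Secure Boot is off: the signed boot chain is not enforced")
    if root_password_state(shadow) == "empty":
        findings.append("root has an empty password: set or lock it before leaving sshd enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_test_image(SAMPLE_LUKS_DUMP, SAMPLE_SHADOW, SAMPLE_SECUREBOOT_EFIVAR):
        print("finding:", finding)
```

On a real host, feed `audit_test_image` the output of `cryptsetup luksDump <device>`, the contents of `/etc/shadow`, and the bytes of `/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c`; on the constructed sample only the empty root password is flagged.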


What This Means for Atomic Desktops

Sealed bootable container images represent a significant leap in securing Atomic Desktop deployments. By providing a verifiable chain of trust from firmware to OS, administrators can deploy systems with confidence that the boot process hasn’t been tampered with.

The integration with TPM for passwordless unlocking simplifies automated and unattended boot flows, crucial for edge devices, IoT, and large-scale deployments. “This unlocks use cases where physical access to a console is impractical,” Ravier explained. “A sealed image with TPM binding ensures only the correct hardware can decrypt the system.”

Looking ahead, this technology lays the groundwork for remote attestation and stronger system integrity guarantees. The project is actively collaborating with upstream communities including bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd.

For deeper technical details, see the presentations: “Signed, Sealed, and Delivered” with UKIs and composefs (FOSDEM 2025), UKIs and composefs support for Bootable Containers (Devconf.cz 2025), and UKI, composefs and remote attestation for Bootable Containers (ASG 2025). The composefs backend documentation in bootc is also an essential resource.

Fedora plans to iterate on these test images based on community feedback before integrating sealed boot support into official Fedora Atomic Desktop spins. “We’re excited about the potential, but we need the community to help us refine the implementation,” Ravier concluded.
