Testing Sealed Bootable Container Images for Fedora Atomic Desktops

Published: 2026-04-30 21:08:44 | Category: Linux & DevOps

We are excited to announce that sealed bootable container images for Fedora Atomic Desktops are now available for testing. These images provide a fully verified boot chain from firmware to the operating system, leveraging Secure Boot with UEFI on x86_64 and aarch64. Below, we answer common questions about what these images are, how to test them, and what benefits they bring.

What exactly are sealed bootable container images?

Sealed bootable container images bundle every component needed for a verifiable boot process. This includes systemd-boot as the bootloader, a Unified Kernel Image (UKI) that combines the Linux kernel, an initrd, and the kernel command line, and a composefs repository with fs-verity enabled, managed by bootc. Both systemd-boot and the UKI are signed for Secure Boot, although these test images use non-official Fedora keys. The primary goal is to enable secure, passwordless disk unlocking via the TPM by default.

Testing Sealed Bootable Container Images for Fedora Atomic Desktops
Source: fedoramagazine.org

What are the key benefits of using sealed images?

The most immediate advantage is the ability to unlock encrypted disks without a password, using the TPM, in a reasonably secure configuration. This improves usability while maintaining strong security. Additionally, the sealed boot chain ensures that every layer from firmware to OS is verified, protecting against tampering. This aligns with Fedora's commitment to robust security and modern boot architectures.
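The two answers above name the pieces that have to line up for the boot chain to count as sealed: Secure Boot on, the kernel delivered as a systemd-stub UKI, the composefs root enforcing fs-verity, and the LUKS volume carrying a TPM2 token instead of relying on a passphrase. The following script is an added example, not code from the Fedora Magazine post or from the travier/fedora-atomic-desktops-sealed repository; it checks each of those conditions on a booted system. Its assumptions are mine: EFI variables are exposed under /sys/firmware/efi/efivars as files with a 4-byte attribute header before the data, systemd's loader and stub use the vendor GUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f and publish a StubInfo variable when a UKI was booted, the composefs root is an overlayfs mount whose options contain `verity=require` when fs-verity is enforced, and `cryptsetup luksDump` lists a `systemd-tpm2` token for TPM-enrolled volumes. Each check takes its input as a file argument so the logic can be run against captured files as well as live paths.

```shell
#!/bin/sh
# Added example: post-boot sanity checks for a sealed bootable container image.
# Not part of the Fedora Magazine post or the sealed-images repository.
# Assumptions (labelled, not stated by the post):
#  - efivars live at /sys/firmware/efi/efivars; each file = 4-byte attribute
#    header followed by the variable payload.
#  - systemd-stub publishes StubInfo-<vendor GUID> when a UKI was booted.
#  - the composefs root is an overlayfs mount carrying "verity=require".
#  - `cryptsetup luksDump` names a "systemd-tpm2" token for TPM2 unlock.

SYSTEMD_LOADER_GUID=4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Return 0 when the SecureBoot efivar file reports "enabled" (payload byte == 1).
secure_boot_enabled() {
    var_file=$1
    [ -r "$var_file" ] || return 1
    # skip the 4-byte attributes header and read one payload byte as decimal
    byte=$(od -An -tu1 -j4 -N1 "$var_file" | tr -d ' ')
    [ "$byte" = "1" ]
}

# Return 0 when the efivars directory holds StubInfo, which systemd-stub sets;
# its presence means the kernel arrived as a UKI, not a loose bzImage.
booted_via_uki_stub() {
    efivars_dir=$1
    [ -e "$efivars_dir/StubInfo-$SYSTEMD_LOADER_GUID" ]
}

# Return 0 when the "/" entry of a /proc/mounts-style file carries
# verity=require, i.e. the overlay refuses lower files without fs-verity.
root_requires_verity() {
    mounts_file=$1
    while read -r _dev mnt _fstype opts _rest; do
        if [ "$mnt" = "/" ]; then
            case ",$opts," in
                *,verity=require,*) return 0 ;;
            esac
            return 1
        fi
    done < "$mounts_file"
    return 1
}

# Return 0 when a luksDump listing contains a systemd-tpm2 token.
luks_has_tpm2_token() {
    dump_file=$1
    grep -q 'systemd-tpm2' "$dump_file"
}

# report <label> <check> <args...>: print PASS/FAIL without aborting the run.
report() {
    label=$1
    shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Point the checks at the live system; $1 is an optional LUKS device path.
run_live() {
    efivars=/sys/firmware/efi/efivars
    report "Secure Boot enabled" secure_boot_enabled "$efivars/SecureBoot-$EFI_GLOBAL_GUID"
    report "Booted through systemd-stub (UKI)" booted_via_uki_stub "$efivars"
    report "Root overlay requires fs-verity" root_requires_verity /proc/mounts
    if [ -n "${1:-}" ]; then
        dump=$(mktemp)
        cryptsetup luksDump "$1" > "$dump" 2>/dev/null || :
        report "LUKS volume has systemd-tpm2 token" luks_has_tpm2_token "$dump"
        rm -f "$dump"
    fi
}

# Live mode only when asked for, so sourcing the file just defines the checks:
#   sudo sh sealed-check.sh --live /dev/disk/by-partlabel/root
if [ "${1:-}" = "--live" ]; then
    run_live "${2:-}"
fi
```

Run it with `--live` (and the LUKS device as a second argument if you want the token check) on a machine booted from one of the test images; every line should read PASS. A FAIL on the Secure Boot line with the test images is expected on firmware that only trusts the official Fedora keys, which is exactly why the post warns against production use.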

How can I test these images?

Detailed instructions are available on GitHub at travier/fedora-atomic-desktops-sealed. There you’ll find pre-built container and disk images, as well as guidance on building your own. Keep in mind that these are testing images: the root account has no password set and SSH is enabled by default for debugging. Also, the UKI and systemd-boot are signed with test keys, not official Fedora keys, so do not use them in production environments.

What known issues exist and where do I report feedback?

Before testing, review the list of known issues on the project’s GitHub page. New bugs or suggestions can be reported there as well; the maintainers will redirect reports to the appropriate upstream projects as needed. Your feedback is valuable and helps improve the implementation for eventual broader adoption.

Where can I learn more about the technology behind sealed images?

For a deeper understanding of how UKI, composefs, and bootable containers combine into a verified boot chain, see these resources:

  • “Signed, Sealed, and Delivered” with UKIs and composefs – Allison and Timothée at FOSDEM 2025
  • UKIs and composefs support for Bootable Containers – Timothée at Devconf.cz 2025
  • UKI, composefs and remote attestation for Bootable Containers – Pragyan, Vitaly and Timothée at ASG 2025
  • composefs backend documentation in bootc

These presentations and docs detail the integration and security considerations.

Who contributed to making this possible?

This work is the result of collaboration across several projects, including bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. We extend our thanks to all contributors, especially those presenting at the conferences linked above. Their efforts have brought sealed bootable containers closer to reality for Fedora Atomic Desktops.