Npospec
2026-05-02
Linux & DevOps

Fedora Atomic Desktops Introduce Sealed Bootable Container Images for Enhanced Security

Fedora Atomic Desktops release sealed bootable container images for verified boot, enabling secure TPM disk unlocking. Test images available now for x86_64 and aarch64.

Breaking: Fedora Atomic Desktops Achieve Verified Boot with Sealed Containers

The Fedora Project today announced the immediate availability of sealed bootable container images for its Atomic Desktop variants, marking a significant leap in Linux desktop security. These images enable a fully verified boot chain from firmware to operating system, leveraging Secure Boot and systemd-boot.

Fedora Atomic Desktops Introduce Sealed Bootable Container Images for Enhanced Security
Source: fedoramagazine.org

"Sealed images close a critical gap in container-based desktop security — they ensure that every component, from the bootloader to the kernel, is cryptographically verified," said Timothée Ravier, Fedora Atomic contributor. "This is the foundation for passwordless TPM disk unlocking without sacrificing trust."

What Are Sealed Bootable Container Images?

Sealed bootable container images integrate all components required for a verified boot chain: systemd-boot as bootloader, a Unified Kernel Image (UKI) containing the Linux kernel, initrd, and command line, and a composefs repository with fs-verity enabled, managed by bootc.
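To make the UKI part of that chain concrete, here is an added inspection script (not code from Fedora, bootc or systemd). A UKI is a PE/COFF binary in which the kernel, initrd and kernel command line are stored as named sections (.linux, .initrd, .cmdline, plus .osrel and .uname), so a single Secure Boot signature on the PE file covers all of them, including the command line. The script lists those sections and reports whether the PE carries an Authenticode certificate table; the sample image it builds is constructed inline for demonstration and is not a Fedora artefact.

```python
"""Inspect a Unified Kernel Image (UKI): list its PE sections and report
whether it carries an Authenticode signature table.

Added example, not Fedora's or bootc's code. The sample PE built by
build_sample_uki() is constructed test data, not a real kernel image."""
import struct

# Sections systemd-stub looks for inside a UKI (subset relevant here).
KNOWN_SECTIONS = {".linux", ".initrd", ".cmdline", ".osrel", ".uname"}


def parse_uki(data: bytes) -> dict:
    """Return {'sections': {name: bytes}, 'signed': bool} for a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, nsections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    signed = False
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B and opt_size >= 152:                   # PE32+ with >= 5 data dirs
        # Data directories begin at offset 112 of a PE32+ optional header;
        # entry 4 (offset 144) is the Certificate Table holding the Authenticode blob.
        cert_ptr, cert_size = struct.unpack_from("<II", data, opt_off + 144)
        signed = cert_ptr != 0 and cert_size != 0
    sections = {}
    sec_off = opt_off + opt_size
    for i in range(nsections):
        row = data[sec_off + 40 * i: sec_off + 40 * (i + 1)]  # 40-byte section header
        name = row[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", row, 8)
        sections[name] = data[raw_ptr: raw_ptr + raw_size]
    return {"sections": sections, "signed": signed}


def check_uki(data: bytes) -> dict:
    """Summarise what a verifier cares about: signature present, sections, cmdline."""
    info = parse_uki(data)
    return {
        "signed": info["signed"],
        "missing": sorted(KNOWN_SECTIONS - set(info["sections"])),
        "cmdline": info["sections"].get(".cmdline", b"").rstrip(b"\0").decode(),
    }


def build_sample_uki(cmdline: bytes, signed: bool) -> bytes:
    """Construct a minimal PE32+ with UKI-style sections (constructed test data only)."""
    sections = [(b".linux", b"\x7fELF fake kernel"), (b".initrd", b"fake initrd"),
                (b".cmdline", cmdline), (b".osrel", b"ID=fedora\n")]
    opt_size, pe_off = 240, 0x40
    ptr = pe_off + 24 + opt_size + 40 * len(sections)         # raw data starts after headers
    table, body = b"", b""
    for name, content in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(content), ptr,
                                                    len(content), ptr) + b"\0" * 16
        body += content
        ptr += len(content)
    sig = b"FAKE-AUTHENTICODE" if signed else b""
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 144, ptr, len(sig))       # Certificate Table entry
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    return dos + coff + bytes(opt) + table + body + sig


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_uki(b"root=UUID=0000-CONSTRUCTED rw quiet", signed=True)
    print(check_uki(blob))
```

Run it against a real UKI (for example a file under /boot/EFI/Linux/) to see which sections are present and whether the certificate table is populated; a missing .cmdline section means the command line is not covered by the signature and must come from elsewhere. On a real system the same facts are shown by ukify inspect and sbverify --list, and the certificate chain itself still has to be checked against the expected signer.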

Both systemd-boot and the UKI are signed for Secure Boot on x86_64 and aarch64 UEFI systems. The images are test releases — they are not signed with official Fedora keys but enable early community validation.

Key Benefit: Passwordless Disk Unlocking

The primary immediate benefit is the ability to enable TPM-based passwordless disk unlocking in a reasonably secure manner by default. This eliminates a common user friction point while maintaining a high security bar.

"With sealed images, we can tie disk encryption to the system's verified state, so only trusted software can unlock the drive," explained Ravier. "This is a game-changer for desktop security."
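What "tied to the system's verified state" means in practice is a TPM2 policy on the LUKS2 volume key that only releases it when the PCR values recorded during boot match. The audit script below is an added example, not Fedora's or systemd's code; the page does not say which PCRs Fedora's images use. It reads the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints and flags TPM2 tokens that would release the key on any boot. Field names follow the systemd-cryptenroll token format as an assumption ("tpm2-pcrs", "tpm2-pubkey-pcrs", "tpm2-pcrlock-nv", "tpm2-pin"), PCR 7 is treated as the Secure Boot state measurement and PCR 11 as the UKI measurement made by systemd-stub, and the sample metadata is constructed inline.

```python
"""Audit LUKS2 TPM2 auto-unlock tokens for binding to the verified boot state.

Added example, not Fedora's or systemd's code. Token field names are assumed
to follow systemd-cryptenroll's "systemd-tpm2" token format; SAMPLE_METADATA
is constructed for demonstration and is not output from a real device."""
import json

PCR_SECURE_BOOT = 7   # UEFI Secure Boot state and the certificates used to verify the bootloader
PCR_UKI = 11          # UKI measured by systemd-stub; signed PCR policies bind to this value


def audit_tpm2_tokens(metadata_json: str) -> list:
    """Return one finding per systemd-tpm2 token, with a list of policy weaknesses."""
    meta = json.loads(metadata_json)
    findings = []
    for tid, tok in meta.get("tokens", {}).items():
        if tok.get("type") != "systemd-tpm2":
            continue                                   # recovery keys, FIDO2 etc. are not in scope
        pcrs = set(tok.get("tpm2-pcrs", []))           # plain PCR binding (current values)
        pubkey_pcrs = set(tok.get("tpm2-pubkey-pcrs", []))  # signed-policy PCR binding
        pcrlock = bool(tok.get("tpm2-pcrlock-nv"))     # pcrlock policy stored in NV index
        pin = bool(tok.get("tpm2-pin", False))
        issues = []
        if not (pcrs or pubkey_pcrs or pcrlock):
            issues.append("no PCR policy: any boot on this TPM can unlock the volume")
        else:
            if PCR_SECURE_BOOT not in pcrs and not pcrlock:
                issues.append("PCR 7 not bound: disabling Secure Boot would not block unlock")
            if PCR_UKI not in pubkey_pcrs and not pcrlock:
                issues.append("no signed PCR 11 policy: any Secure Boot-accepted kernel, "
                              "not only the vendor's UKIs, could unlock")
        findings.append({
            "token": tid,
            "keyslots": tok.get("keyslots", []),
            "pcrs": sorted(pcrs),
            "pubkey_pcrs": sorted(pubkey_pcrs),
            "pcrlock": pcrlock,
            "pin": pin,
            "issues": issues,
        })
    return findings


# Constructed sample: token 0 is bound to PCR 7 plus a signed PCR 11 policy,
# token 1 has no PCR policy at all, token 2 is a recovery key and is skipped.
SAMPLE_METADATA = json.dumps({
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7],
              "tpm2-pubkey-pcrs": [11], "tpm2-pubkey": "<constructed-base64>",
              "tpm2-pin": False},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcrs": []},
        "2": {"type": "systemd-recovery", "keyslots": ["3"]},
    }
})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for f in audit_tpm2_tokens(text):
        status = "OK" if not f["issues"] else "WEAK"
        print(f"token {f['token']} keyslots={f['keyslots']} {status}")
        for issue in f["issues"]:
            print("   -", issue)
```

Feed it the output of cryptsetup luksDump --dump-json-metadata for the root volume; a sealed image that unlocks passwordlessly should show a token with a PCR 7 binding and a signed PCR 11 policy (or a pcrlock policy), and no second token that unlocks unconditionally. A PIN-protected token is a stronger configuration and is reported but not flagged.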

How to Test the Sealed Images

Pre-built container and disk images are available for testing. Detailed instructions are provided on the Fedora Atomic Desktops Sealed repository.

Users can also build their own images from source. The project welcomes feedback and issue reports via the same repository. Known issues are listed, and new reports will be redirected to the appropriate upstream projects.

Important Cautions

These are testing images: the root account has no password set, and SSH is enabled by default for debugging. Secure Boot signatures use test keys, not official Fedora keys. Do not use these images in production environments.


Background: The Path to Verified Bootable Containers

Fedora Atomic Desktops have long provided container-based operating system updates, but without a verified boot chain, the system could be compromised before the OS loads. Sealed images solve this by extending verification down to firmware.

Technical foundations were presented at FOSDEM 2025 ("Signed, Sealed, and Delivered"), Devconf.cz 2025 ("UKIs and composefs support for Bootable Containers"), and ASG 2025 ("UKI, composefs and remote attestation for Bootable Containers"). Detailed documentation is available in the bootc composefs backend documentation.

What This Means for Users and Security

For Fedora Atomic Desktop users, sealed images offer a preview of a future where container-based systems can match or exceed traditional installations in security, thanks to a unified chain of trust. Passwordless TPM unlocking reduces friction while increasing security against cold boot attacks.

Developers and system administrators can use these images to build highly trustworthy environments, and to integrate the remote attestation capabilities that are also under exploration. This marks a step toward fully attestable, container-native desktops.

Contributors and Acknowledgments

This work is the result of contributions from projects including bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. A full list of contributors is available in the official announcement.

Get started with testing today: follow the test instructions and help shape the future of verified bootable containers.