Sealed Fedora Atomic Desktop bootable container images



I am happy to announce that we have sealed bootable container images ready for testing for the Fedora Atomic Desktops!

What are sealed bootable container images?

Sealed bootable container images contain all the components needed to create a fully verified boot chain, from the firmware to the operating system assembly image. They rely on Secure Boot and therefore only support booting with UEFI on x86_64 and aarch64.

The components are:

  • systemd-boot as the bootloader
  • A Unified Kernel Image (UKI) that includes the Linux kernel, an initrd, and the kernel command line
  • a composefs repository with fs-verity enabled. It is managed by bootc.

Both systemd-boot and the UKI are signed for Secure Boot. The images are test images so the components are not signed with the official keys of Fedora.
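To make the UKI component concrete, here is an added example (not code from the original post or from the projects it names) that parses a UKI's PE section table and confirms the kernel, initrd and kernel command line are all embedded in the one signed file. The section names `.linux`, `.initrd` and `.cmdline` come from the UKI specification; the sample image and its contents are constructed for illustration, and the check covers structure only, not the Secure Boot signature.

```python
import struct

# Sections holding the three UKI parts listed above (names from the UKI specification).
REQUIRED = (".linux", ".initrd", ".cmdline")

def pe_sections(image: bytes) -> dict:
    """Return {section name: section bytes} for a PE/COFF image such as a UKI."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = {}
    for i in range(count):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        size = min(vsize, raw_size) if vsize else raw_size      # drop alignment padding
        if raw_ptr + size > len(image):
            raise ValueError("truncated image: section data runs past end of file")
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[raw_ptr:raw_ptr + size]
    return sections

def check_uki(image: bytes) -> dict:
    """Report which required sections are missing or empty, plus the embedded command line."""
    sections = pe_sections(image)
    missing = [s for s in REQUIRED if not sections.get(s)]
    cmdline = sections.get(".cmdline", b"").rstrip(b"\0\n").decode("utf-8", "replace")
    return {"missing": missing, "cmdline": cmdline}

def build_sample(parts: dict) -> bytes:
    """Constructed minimal PE file with the given sections (test input, not bootable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(parts), 0, 0, 0, 0, 0)
    start = len(dos) + len(coff) + 40 * len(parts)
    table, body = b"", b""
    for name, data in parts.items():
        table += struct.pack("<8sIIII", name.encode(), len(data), 0, len(data),
                             start + len(body)) + b"\0" * 16
        body += data
    return dos + coff + table + body

# Constructed sample contents; a real UKI carries an actual kernel, initrd and command line.
SAMPLE = {".linux": b"KERNEL", ".initrd": b"INITRD", ".cmdline": b"console=ttyS0 quiet\0"}

if __name__ == "__main__":
    print(check_uki(build_sample(SAMPLE)))
```

Because the command line sits inside the signed image, changing it means producing a new UKI and signing it again.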

The main direct benefit we will get from this support is that we will be able to use passwordless unlocking through the TPM in a way that will be pretty secure by default.

How do I test those images?

See the instructions at github.com/travier/fedora-atomic-desktops-sealed on how to try the prebuilt container and disk images and how to build your own.

We welcome testing and feedback! Please see the list of known issues and report new issues at github.com/travier/fedora-atomic-desktops-sealed. We will redirect them as needed to the correct upstream projects.

Beware: these are test images. The root account does not have a password set and sshd is enabled by default to make debugging easier. The UKI and systemd-boot are signed for Secure Boot, but since they are test images, they are not signed with Fedora’s official keys. Do not use those images in production.

Where can I get more details on how it works?

If you want to know more about how sealed images work (i.e., how we make bootable containers, UKI and composefs work together to create an authenticated boot chain), see the following presentations and documentation:

Thanks to all the contributors who made this possible, especially (but not exclusively) from the following projects: bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd.


Timothée Ravier

CoreOS engineer at Red Hat, Fedora Atomic Desktops maintainer, KDE developer. See my README at https://github.com/travier


