Getting Started with Sealed Bootable Container Images on Fedora Atomic Desktops

By

Overview

Fedora Atomic Desktops now offer sealed bootable container images — a new method to create a fully verified boot chain from firmware to the operating system. These images integrate systemd-boot, a Unified Kernel Image (UKI), and a composefs repository with fs-verity, all signed for Secure Boot. The primary goal is to enable passwordless disk unlocking via TPM in a reasonably secure, default configuration. This tutorial walks you through testing these pre-built images, building your own, and understanding the underlying technology. Important: These are test images — not signed with official Fedora keys, root has no password, and SSH is enabled. Do not use in production.

Prerequisites

Hardware Requirements

• A system booting with UEFI on x86_64 or aarch64.
• Secure Boot enabled in UEFI firmware (but since test keys are used, you must enroll custom keys or disable Secure Boot for initial testing).

Software Requirements

• Fedora Atomic Desktop (or any bootc-based system) for building custom images. For testing pre-built images, any Linux system with podman and bootc installed.
• bootc command-line tool (available via dnf install bootc).
• buildah or podman for container operations.
• Optional: git to clone the testing repository.

Step-by-Step Instructions

1. Test Pre-Built Sealed Images

The easiest way to evaluate sealed bootable containers is to use the ready-made images from the fedora-atomic-desktops-sealed repository. These include both container images and disk images (e.g., ISO or raw disk).

1.1 Pull the container image

podman pull ghcr.io/travier/fedora-atomic-desktops-sealed:latest

1.2 Deploy to a test system

Use bootc to install the container image onto a disk (be careful — this overwrites the target disk!):

sudo bootc install to-disk --imgref containers-storage:ghcr.io/travier/fedora-atomic-desktops-sealed:latest /dev/sdX

Replace /dev/sdX with your actual disk (e.g., /dev/nvme0n1).

1.3 Boot and verify

Reboot the system. You should see systemd-boot appearing and booting the UKI. After login, verify the composefs mount:

mount | grep composefs

Confirm fs-verity is enabled:

bootc status

Look for output indicating a sealed image and verity.

Note on Secure Boot: Because test keys are used, you may need to enroll them manually using mokutil or temporarily disable Secure Boot. The repository contains instructions for key enrollment.

2. Build Your Own Sealed Image

If you want to customize the image (e.g., add packages or configuration), follow these steps.

2.1 Clone the repository

git clone https://github.com/travier/fedora-atomic-desktops-sealed.git
cd fedora-atomic-desktops-sealed

2.2 Install dependencies

sudo dnf install bootc podman buildah

2.3 Build the container image

Use the provided Containerfile to create your own sealed bootable container:

sudo podman build -t my-sealed-image .

This will re-sign the UKI and systemd-boot with test keys (if you haven't replaced them). To use your own signing keys, modify the scripts in the repository accordingly.

2.4 Export and deploy

Convert the container to a disk image (optional) or install directly:

sudo bootc install to-disk --imgref containers-storage:my-sealed-image /dev/sdX

Alternatively, push the container to a registry for remote deployment.

3. Understand the Key Components

• systemd-boot: The UEFI boot manager that loads the UKI. Signed for Secure Boot.
• Unified Kernel Image (UKI): Combines kernel, initrd, and command line into a single EFI executable. Signed separately.
• composefs: A filesystem image with fs-verity checks, managed by bootc. Ensures integrity of all system files.
• TPM unlocking: With a sealed image, disk encryption keys can be bound to the TPM, allowing automatic unlocking after verifying the boot chain.

Common Mistakes

• Ignoring Secure Boot key enrollment: Test images use non‑official keys. Skipping key enrollment leads to Verification failed errors. Either enroll the provided test keys (see repository) or disable Secure Boot.
• Using production systems for testing: The root account has no password and SSH is enabled. This is dangerous on any network‑facing system. Always test on isolated hardware or virtual machines.
• Assuming disk images are bootable from ISO: The pre‑built disk image (e.g., raw) is meant to be written directly to a disk. If you try to boot it from an ISO (e.g., via a VM), it may fail. Use dd or bootc install for direct disk writing.
• Forgetting fs-verity kernel support: Some older kernels may lack fs-verity. Ensure your running kernel (for building) has CONFIG_FS_VERITY enabled.

Summary

Sealed bootable container images for Fedora Atomic Desktops bring a verifiable boot chain using systemd-boot, UKI, and composefs. They are currently in testing — great for evaluating passwordless TPM unlock in a non‑production environment. To get started, pull pre‑built images from the GitHub repository, install them with bootc install to-disk, and verify the integrity with bootc status. For deeper customization, build your own using the provided scripts. Remember: These are test images: handle with care, enroll Secure Boot keys appropriately, and never use on real production systems. Feedback and bug reports are welcome via the repository’s issue tracker.

Related Articles

• Upgrading and Exploring Fedora Workstation 44: A Step-by-Step Guide
• Everything You Need to Know About Ubuntu 26.04 LTS 'Resolute Raccoon'
• Linux Distros Surge as Solution for Millions of Stranded Windows PCs
• How to Respond to a DDoS Attack on Your Ubuntu Infrastructure
• Linux Standardizes 'Projects' Folder; Fedora 44 and Ubuntu 26.04 Land Amid Security Alerts
• Press Freedom Under Siege: Q&A on Media and Human Rights in the Palestinian Territories
• Ubuntu 26.10 Codename 'Stonking Stingray' Revealed – Here's What It Means
• KernelEvolve: Inside Meta’s AI-Powered Kernel Optimization System