
Testing Sealed Bootable Container Images on Fedora Atomic Desktops

Last updated: 2026-05-05 16:13:23 · Linux & DevOps

Introduction

Sealed bootable container images provide a fully verified boot chain for Fedora Atomic Desktops, ensuring every component from firmware to the operating system is cryptographically signed and measured. This guide walks you through testing these pre‑built images on UEFI systems (x86_64 or aarch64) and explains how to build your own. The goal is to enable secure features like TPM‑based passwordless disk unlocking. Note: These are test images—they are not signed with official Fedora keys and should not be used in production.

Testing Sealed Bootable Container Images on Fedora Atomic Desktops
Source: fedoramagazine.org

What You Need

  • A system that boots via UEFI with Secure Boot enabled (x86_64 or aarch64)
  • A USB drive (at least 8 GB) or spare disk for installation
  • Basic familiarity with the command line and disk imaging tools (e.g., dd, balenaEtcher)
  • An internet connection to download the pre‑built images
  • Optional: Podman or Buildah installed if you want to build your own sealed image

Step‑by‑Step Instructions

Step 1: Download a Pre‑Built Sealed Image

Head to the fedora-atomic-desktops-sealed repository. Under the Releases section, find the latest disk image (.raw.xz) or container image (.oci.tar) for your architecture. Download the file to your local machine.

Step 2: Write the Image to a USB Drive

Use a disk‑imaging tool to write the downloaded image to your USB drive. The .raw.xz file is xz‑compressed, so it must be decompressed before it reaches the disk; the simplest way is to decompress on the fly and pipe the raw image into dd:

xz -dc path/to/image.raw.xz | sudo dd of=/dev/sdX bs=4M status=progress oflag=sync

Replace /dev/sdX with your USB device (be careful not to overwrite your system disk). Alternatively, use balenaEtcher or Fedora Media Writer for a graphical experience.

Step 3: Boot the System with Secure Boot Enabled

Insert the USB drive and reboot your system. Enter the UEFI firmware settings (usually by pressing F2, Del, or Esc during boot). Ensure that Secure Boot is enabled. Save changes and exit. Select the USB drive as the boot device. The sealed image uses systemd-boot as the bootloader and a Unified Kernel Image (UKI), both signed with test keys. You should see a boot menu and then the Fedora Atomic Desktop environment.

Step 4: Verify the Verified Boot Chain

After logging in (the root account has no password set; SSH is enabled for debugging), you can check that the boot chain is verified. Run:

bootc status

This shows the current deployment, the composefs image, and its fs‑verity status. You can also inspect the boot log with journalctl -b to see Secure Boot measurements and UKI signatures. The composefs repository is mounted with integrity verification via fs‑verity.
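A check that ties Step 3's Secure Boot requirement to the verification in Step 4, added here as an example and not code from the original article or from the Fedora project's tooling: it decodes the SecureBoot and SetupMode EFI variables from efivarfs (the UEFI specification says firmware is in secure boot mode only when SecureBoot=1 and SetupMode=0) and then hands off to bootc status. It assumes the standard efivarfs path and that bootc is on PATH on the booted image; the sample variable files it builds are constructed, not captured from hardware.

```shell
#!/bin/sh
# Added example: decode the UEFI SecureBoot and SetupMode variables as the
# kernel exposes them under /sys/firmware/efi/efivars. Each efivar file is a
# 4-byte little-endian attribute word followed by the variable data; for
# these two variables the data is a single byte, 0 or 1. The GUID in the
# file names is the standard EFI global variable GUID.
EFIVARS=/sys/firmware/efi/efivars
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SM_VAR="$EFIVARS/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the single data byte (0 or 1) of an efivar file; fail if unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Verdict from both variables. Per the UEFI spec the firmware operates in
# secure boot mode only when SecureBoot=1 AND SetupMode=0, so a machine
# still in setup mode must not be read as "Secure Boot enabled".
secure_boot_state() {
    sb=$(efivar_byte "$1") || { echo "no-uefi"; return 1; }
    sm=$(efivar_byte "$2") || sm=0
    if [ "$sb" = "1" ] && [ "$sm" = "0" ]; then echo "enforced"
    elif [ "$sb" = "1" ]; then echo "setup-mode"
    else echo "disabled"; fi
}

# Constructed sample variables (not captured from real hardware) so the
# decoder can be exercised anywhere: attributes 0x00000006, then the byte.
SAMPLE=$(mktemp -d)
printf '\006\000\000\000\001' > "$SAMPLE/sb_on"
printf '\006\000\000\000\001' > "$SAMPLE/sm_setup"
printf '\006\000\000\000\000' > "$SAMPLE/sm_user"
echo "sample: $(secure_boot_state "$SAMPLE/sb_on" "$SAMPLE/sm_user")"   # enforced
echo "sample: $(secure_boot_state "$SAMPLE/sb_on" "$SAMPLE/sm_setup")" # setup-mode
rm -rf "$SAMPLE"

# On the booted test image, report the live state and then the bootc view of
# the deployment (image, composefs, fs-verity) described in Step 4.
if [ -d "$EFIVARS" ]; then
    echo "live: $(secure_boot_state "$SB_VAR" "$SM_VAR")"
    command -v bootc >/dev/null && bootc status
fi
```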

Step 5: (Optional) Build Your Own Sealed Image

To create a custom sealed bootable container image, follow the instructions in the repository’s README. You will need:

  • Podman or Buildah installed
  • The bootc tool and composefs utilities
  • Access to a container registry

The basic workflow involves creating a Containerfile, building an OCI image with a UKI and composefs layer, then sealing it with bootc and signing the artifacts with test keys.

Step 6: Provide Feedback and Report Issues

Your testing helps improve the project! Check the known issues list and report any new findings. If you encounter problems, please open an issue with detailed logs, hardware information, and steps to reproduce.

Tips and Important Notes

  • Security Warning: These test images are not signed with official Fedora keys. Do not use them in production or on sensitive systems.
  • Default Access: The root account has no password and SSH is enabled. Change these settings if you plan to connect the machine to a network.
  • UEFI Required: Secure Boot + UEFI is mandatory. Legacy BIOS boot is not supported.
  • TPM Unlocking: After testing, you can experiment with TPM‑based disk encryption unlock by configuring systemd-cryptenroll once the sealed boot chain is working.
  • More Resources: Watch the talks linked in the original announcement for deep dives: “Signed, Sealed, and Delivered” (FOSDEM 2025), “UKIs and composefs support for Bootable Containers” (Devconf.cz 2025), and “UKI, composefs and remote attestation for Bootable Containers” (ASG 2025).