
Getting Started with Sealed Bootable Container Images on Fedora Atomic Desktops

Last updated: 2026-05-10 03:09:45

Overview

Fedora Atomic Desktops now offer sealed bootable container images, a new way to build a fully verified boot chain from firmware to the running operating system. These images combine systemd-boot, a Unified Kernel Image (UKI), and a composefs root backed by fs-verity, with the boot components signed for Secure Boot. The primary goal is to make passwordless disk unlocking via the TPM reasonably safe in a default configuration: because every component in the chain is signed and measured, the TPM can release the disk key only when the expected chain actually booted. This tutorial walks you through testing the pre-built images, building your own, and understanding the underlying technology.

Important: these are test images. They are not signed with official Fedora keys, root has no password, and SSH is enabled. Do not use them in production or on a network-facing machine.

Source: fedoramagazine.org

Prerequisites

Hardware Requirements

  • A system booting with UEFI on x86_64 or aarch64. Legacy BIOS boot is not supported: systemd-boot and the UKI are UEFI executables.
  • Secure Boot support in the UEFI firmware. Because the test images are signed with test keys, the firmware will reject them until you either enroll those keys or temporarily disable Secure Boot for initial testing. Without Secure Boot enabled there is no verified chain, so re-enable it (with the keys enrolled) before evaluating TPM unlocking.

Software Requirements

  • Fedora Atomic Desktop (or any bootc-based system) for building custom images. For testing pre-built images, any Linux system with podman and bootc installed.
  • bootc command-line tool (available via dnf install bootc).
  • buildah or podman for container operations.
  • Optional: git to clone the testing repository.

Step-by-Step Instructions

1. Test Pre-Built Sealed Images

The easiest way to evaluate sealed bootable containers is to use the ready-made images from the fedora-atomic-desktops-sealed repository. These include both container images and disk images (e.g., ISO or raw disk).

1.1 Pull the container image

podman pull ghcr.io/travier/fedora-atomic-desktops-sealed:latest

1.2 Deploy to a test system

Use bootc to install the container image onto a disk. bootc install runs from inside the container image being installed, so the usual invocation is a privileged podman run of that image with the host's devices and container storage mapped in (be careful: this overwrites the target disk!):

sudo podman run --rm --privileged --pid=host \
    --security-opt label=type:unconfined_t \
    -v /dev:/dev -v /var/lib/containers:/var/lib/containers \
    ghcr.io/travier/fedora-atomic-desktops-sealed:latest \
    bootc install to-disk /dev/sdX

Replace /dev/sdX with your actual disk (e.g., /dev/nvme0n1). Pass the whole block device, not a partition: to-disk creates its own partition table.

1.3 Boot and verify

Reboot the system. systemd-boot should appear and load the UKI directly. After login, inspect the root mount:

findmnt -o TARGET,FSTYPE,OPTIONS /

With composefs in use, the root filesystem should show up as a read-only overlay whose lower layer is the composefs image, rather than a plain ext4 or btrfs root. Then confirm that the booted deployment is the sealed image:

bootc status

Look for output indicating a sealed image and verity.

Note on Secure Boot: because test keys are used, the firmware will refuse to run the signed systemd-boot and UKI unless you either enroll the test keys or temporarily disable Secure Boot. Follow the enrollment instructions in the repository; which mechanism applies depends on the chain (mokutil enrolls keys into the MOK list that only shim honors, otherwise the key has to go into the firmware's db).

2. Build Your Own Sealed Image

If you want to customize the image (e.g., add packages or configuration), follow these steps.

2.1 Clone the repository

git clone https://github.com/travier/fedora-atomic-desktops-sealed.git
cd fedora-atomic-desktops-sealed

2.2 Install dependencies

sudo dnf install bootc podman buildah

2.3 Build the container image

Use the provided Containerfile to create your own sealed bootable container:

sudo podman build -t my-sealed-image .

This will re-sign the UKI and systemd-boot with test keys (if you haven't replaced them). To use your own signing keys, modify the scripts in the repository accordingly.


2.4 Export and deploy

Install directly from local container storage with the same podman run pattern as in step 1.2, pointing at the image you just built (podman stores it as localhost/my-sealed-image):

sudo podman run --rm --privileged --pid=host \
    --security-opt label=type:unconfined_t \
    -v /dev:/dev -v /var/lib/containers:/var/lib/containers \
    localhost/my-sealed-image \
    bootc install to-disk /dev/sdX

Alternatively, push the container to a registry for remote deployment, or convert it to a disk image. If you install from local storage but want the deployed system to fetch updates from a registry, pass --target-imgref with the registry location to bootc install.

3. Understand the Key Components

  • systemd-boot: The UEFI boot manager that loads the UKI. Signed for Secure Boot with the same (test) key as the UKI, so the firmware verifies it before it runs.
  • Unified Kernel Image (UKI): Combines the kernel, initrd, and kernel command line into a single EFI executable that carries one Secure Boot signature. Because the command line is inside the signed image, an attacker with write access to the EFI System Partition cannot add kernel arguments or swap the initrd without breaking the signature.
  • composefs: A read-only root filesystem image, managed by bootc, whose file contents are backed by the ostree object store with each file protected by fs-verity. The image digest is carried in the signed UKI, which is what extends the verified chain from the firmware down to every file on the root filesystem.
  • TPM unlocking: With a sealed image, the TPM measurements that describe the boot (for example the Secure Boot policy in PCR 7) stay predictable across updates, so a LUKS key bound to them is released automatically after a verified boot and withheld if an unsigned or modified component was loaded.
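The enrollment step the TPM-unlocking bullet describes, written out as an added example for this guide; it is not code from the Fedora Magazine article or the fedora-atomic-desktops-sealed repository. It uses systemd-cryptenroll and a crypttab entry with tpm2-device=auto; the device path, the LUKS volume name and the choice of PCR 7 are assumptions you adapt to your install.

```shell
#!/bin/sh
# Bind a LUKS volume on a sealed-image system to the TPM so that the root
# filesystem unlocks without a passphrase once the measured boot chain matches.
# Added example for this guide (not project code); device, name and PCR
# selection are assumptions.

# Enroll a TPM2 key slot. PCR 7 records the Secure Boot policy: whether it is
# enforcing and which certificate authorised the loaded bootloader and UKI.
# A sealed image keeps that value stable across updates signed by the same
# key. Binding only to PCR 7 therefore trusts *any* binary your enrolled key
# signs; it does not pin a specific kernel.
enroll_tpm2() {
    dev="$1"          # e.g. /dev/nvme0n1p3 (the LUKS container, not the mapper)
    pcrs="${2:-7}"    # comma-separated PCR list, 7 by default
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" \
        --wipe-slot=tpm2 "$dev"
}

# crypttab entry: "none" means no key file; tpm2-device=auto tells
# systemd-cryptsetup to try the TPM first and fall back to a passphrase prompt
# if the PCR policy does not match (for example after an unsigned boot).
crypttab_tpm2_line() {
    name="$1"
    uuid="$2"
    printf '%s UUID=%s none tpm2-device=auto,discard\n' "$name" "$uuid"
}

# Build the crypttab line for a real device from its LUKS UUID.
crypttab_for_device() {
    dev="$1"
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    crypttab_tpm2_line "luks-$uuid" "$uuid"
}

# Check an existing volume for a systemd-tpm2 token. Reads a
# "cryptsetup luksDump" listing on stdin so it can be inspected offline;
# pipe the live output in for a real device.
has_tpm2_token() {
    grep -q 'systemd-tpm2' 
}

# Full procedure against a real device, only when explicitly requested:
#   sh tpm-enroll.sh --run /dev/nvme0n1p3
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    enroll_tpm2 "$2" 7
    crypttab_for_device "$2" | tee -a /etc/crypttab
    cryptsetup luksDump "$2" | has_tpm2_token && echo "TPM2 token enrolled"
fi
```

After appending the crypttab line, regenerate the initrd so systemd-cryptsetup in early boot picks it up, then reboot: a passphrase prompt on that first boot means the PCR values at enrollment time did not match the booted chain. Keep a passphrase slot enrolled as well; the TPM slot is a convenience on top of it, not a replacement.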

Common Mistakes

  • Ignoring Secure Boot key enrollment: test images use non-official keys. Skipping key enrollment leads to "Verification failed" errors from the firmware before systemd-boot even starts. Either enroll the provided test keys (see the repository) or disable Secure Boot for the first boot.
  • Using production systems for testing: the root account has no password and SSH is enabled, which is dangerous on any network-facing system. Always test on isolated hardware or in a virtual machine.
  • Treating the raw disk image as an installer ISO: the pre-built raw disk image is a complete disk, meant to be written to a block device with dd or attached to a VM as its disk. It will not boot if attached as a CD/ISO. Use dd for an existing image, or bootc install to-disk to install from the container image.
  • Forgetting fs-verity support: fs-verity must be available on the deployed system, not just on the build host. The kernel needs CONFIG_FS_VERITY, and the filesystem holding the ostree repository must support it (ext4, btrfs or f2fs; on ext4 the verity feature has to be enabled with tune2fs -O verity).
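A pre-flight script that checks the prerequisites above (UEFI firmware, Secure Boot state, fs-verity in the kernel config, TPM 2.0 device, and the podman/bootc tooling) before you write a test image to a machine. It is an added example for this guide, not code from the article or the repository. Each check takes an optional path argument, defaulting to the live /sys, /dev and /boot locations, so the parsing can be exercised against constructed files; the efivarfs layout it relies on (4 attribute bytes followed by the variable data) is standard, and /boot/config-<release> is where Fedora ships the kernel config.

```shell
#!/bin/sh
# Pre-flight checks for a host that will test sealed bootable container images.
# Added example for this guide; not part of the Fedora Magazine article or the
# fedora-atomic-desktops-sealed repository.

# 1. Firmware type: the kernel creates /sys/firmware/efi only on UEFI boots.
is_uefi() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# 2. Secure Boot state. An efivarfs file starts with 4 bytes of attribute
# flags, followed by the variable data. For SecureBoot the data is one byte:
# 1 = enforcing, 0 = off. Prints "enabled", "disabled" or "unknown".
secureboot_state() {
    var="$1"
    if [ -z "$var" ]; then
        var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    fi
    if [ ! -r "$var" ]; then
        echo unknown
        return 0
    fi
    # Skip the 4 attribute bytes, read exactly one data byte as unsigned decimal.
    byte=$(od -An -t u1 -j 4 -N 1 "$var" 2>/dev/null | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# 3. fs-verity support in the kernel that will run the image. Fedora ships
# the build config as /boot/config-<release>. Prints "yes", "no" or "unknown".
fsverity_in_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 0
    fi
    if grep -qx 'CONFIG_FS_VERITY=y' "$cfg"; then
        echo yes
    else
        echo no
    fi
}

# 4. TPM 2.0 resource-manager device, required for TPM-bound disk unlocking.
has_tpm2() {
    [ -c "${1:-/dev/tpmrm0}" ]
}

# 5. Tooling this guide relies on; prints the names that are missing.
missing_tools() {
    for t in podman bootc; do
        command -v "$t" >/dev/null 2>&1 || printf '%s ' "$t"
    done
}

# Report against the live system. Returns non-zero only when the host cannot
# boot these images at all (legacy BIOS); the rest is advisory, since Secure
# Boot may legitimately be off for the very first test boot.
preflight() {
    rc=0
    if is_uefi; then
        echo "UEFI boot:    yes"
    else
        echo "UEFI boot:    NO (legacy BIOS, systemd-boot/UKI cannot boot)"
        rc=1
    fi
    sb=$(secureboot_state)
    echo "Secure Boot:  $sb"
    if [ "$sb" = enabled ]; then
        echo "  note: the images use test keys; enroll them or the firmware will reject the UKI"
    fi
    echo "fs-verity:    $(fsverity_in_config) (CONFIG_FS_VERITY in kernel config)"
    if has_tpm2; then
        echo "TPM 2.0:      present"
    else
        echo "TPM 2.0:      absent (TPM unlock cannot be tested)"
    fi
    m=$(missing_tools)
    if [ -z "$m" ]; then
        echo "tools:        ok"
    else
        echo "tools:        missing: $m"
    fi
    return $rc
}

# Only touch the live system when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as root (efivarfs files are not readable by unprivileged users on every distribution) on the machine you intend to install to, and on the VM host if you test in a virtual machine, since a VM without an emulated TPM and UEFI firmware will fail the same checks.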

Summary

Sealed bootable container images for Fedora Atomic Desktops provide a verifiable boot chain built from systemd-boot, a signed UKI, and a composefs root protected by fs-verity. They are currently in testing and are a good way to evaluate passwordless TPM unlock in a non-production environment. To get started, pull the pre-built images from the GitHub repository, install them with bootc install to-disk, and verify the deployment with bootc status. For deeper customization, build your own image with the provided scripts. Remember that these are test images: handle them with care, enroll the Secure Boot keys appropriately, and never use them on production systems. Feedback and bug reports are welcome via the repository's issue tracker.