Testing Sealed Bootable Images on Fedora Atomic Desktops: A Step-by-Step Guide
Introduction
Sealed bootable container images represent a significant step forward in security for Fedora Atomic Desktops. These images contain all components necessary to create a fully verified boot chain—from firmware to the operating system's composefs image—relying on Secure Boot and UEFI. This guide will walk you through testing these pre-built images, understanding the technology, and even building your own. By the end, you'll be able to experience the benefits of a verified boot chain, including the potential for passwordless disk unlocking via TPM in a secure manner.

What You Need
Before you begin, ensure you have the following:
- A UEFI-based system (x86_64 or aarch64) with Secure Boot capability
- A USB flash drive or blank disk (at least 8GB recommended) for installation
- A Linux environment with dd or a similar disk-imaging tool
- Optional: Familiarity with bootc and container image building, if you want to build custom images
Step 1: Understand Sealed Bootable Images
Sealed bootable images bundle three key components into a trustable chain:
- systemd-boot as the bootloader
- A Unified Kernel Image (UKI) containing the Linux kernel, initrd, and kernel command line
- A composefs repository with fs-verity enabled, managed by bootc
Both systemd-boot and the UKI are signed for Secure Boot. However, these test images use non-official keys—they are signed but not with Fedora's official keys. Hence, they are intended for testing only, not production.
The primary benefit of sealed images is enabling passwordless disk unlocking using the TPM in a reasonably secure manner by default, as the verified boot chain ensures disk integrity.
Step 2: Download Pre-Built Images
Pre-built container and disk images are available from the GitHub repository at github.com/travier/fedora-atomic-desktops-sealed. Navigate to the Releases section or follow the instructions in the repository README. Download the appropriate disk image (e.g., fedora-atomic-desktops-sealed-*.img) for your architecture. These images are raw disk images that can be written to a USB drive or hard disk.
Step 3: Write the Image to a USB Drive or Disk
Once downloaded, write the image to your target media using dd or a similar tool. Warning: This will overwrite all data on the target device. Identify the device name (e.g., /dev/sdX) using lsblk or fdisk -l. Then run:
sudo dd if=path/to/fedora-atomic-desktops-sealed.img of=/dev/sdX bs=4M status=progress && sync
Replace /dev/sdX with your actual device. Ensure the device is not mounted. After writing, you can boot from this media.
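The dd command above overwrites whatever device it is pointed at, so a few pre-flight checks are worth scripting. The following is an added example, not code from the repository: it verifies the downloaded image against an expected SHA-256 digest (the digest value is something you copy from the release you downloaded; the function names are this example's own), refuses to write if the target is not a whole block device or if it or one of its partitions is mounted, and only then runs the same dd invocation as the guide.

```shell
#!/bin/sh
# Added example (not from the repository): pre-flight checks before writing
# the sealed disk image to a target device. Function names are assumptions.

# Return 0 if the image's SHA-256 matches the expected 64-hex-digit digest.
image_checksum_ok() {
    image="$1"; expected="$2"
    actual=$(sha256sum "$image" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Return 0 if the device itself or any partition on it (sda1, nvme0n1p2, ...)
# appears as a mount source in a mounts table such as /proc/mounts.
# The table path is a parameter so the check can run against constructed data.
device_in_mounts_table() {
    dev="$1"; table="${2:-/proc/mounts}"
    awk -v d="$dev" '
        $1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
        END { exit found ? 0 : 1 }' "$table"
}

# Refuse to write unless the image exists and the target is an unmounted
# block device; then write the image and flush caches, as in the guide.
write_sealed_image() {
    image="$1"; dev="$2"
    [ -f "$image" ] || { echo "image not found: $image" >&2; return 1; }
    [ -b "$dev" ]   || { echo "not a block device: $dev" >&2; return 1; }
    if device_in_mounts_table "$dev" /proc/mounts; then
        echo "refusing to write: $dev or a partition on it is mounted" >&2
        return 1
    fi
    sudo dd if="$image" of="$dev" bs=4M status=progress && sync
}

# Usage: ./write-sealed.sh fedora-atomic-desktops-sealed.img <sha256> /dev/sdX
if [ "$#" -eq 3 ]; then
    image_checksum_ok "$1" "$2" || { echo "checksum mismatch" >&2; exit 1; }
    write_sealed_image "$1" "$3"
fi
```

The mounted-device check matters more than it looks: on a laptop with an auto-mounting desktop, a freshly inserted USB stick is often already mounted, and dd will happily write underneath the mounted filesystem.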
Step 4: Boot the System and Verify
Insert the USB drive into your UEFI system and boot from it (you may need to enter the boot menu, typically via F12 or Esc). Secure Boot should be enabled; if it's not, the signed bootloader and UKI may still load but without full verification. Once booted, you'll be greeted by the Fedora Atomic Desktop environment.
Important notes for testing:
- The root account has no password set and SSH service (sshd) is enabled by default to simplify debugging.
- These images are not production-ready—do not use them on critical systems.
- Because the signatures use test keys, your system may display a warning during boot; that is expected.
To verify that the boot chain is sealed, check that a composefs image with fs-verity is in use. The bootc tool reports the state: run bootc status from a terminal within the live environment.
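Since the whole point of these images is the verified chain, it helps to confirm from inside the booted system that Secure Boot was actually on, not just assumed. The following is an added example, not code from the repository: it decodes the standard SecureBoot EFI variable through efivarfs (four bytes of attributes followed by a single data byte), prints what the root filesystem is mounted from, and then runs bootc status as the guide suggests. The function names are this example's own; mokutil --sb-state gives the same Secure Boot answer if you have it installed.

```shell
#!/bin/sh
# Added example (not from the repository): post-boot checks from a terminal
# inside the live environment. Function names are assumptions.

# Standard GUID for the UEFI global variable namespace.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Decode an efivarfs SecureBoot file: 4 bytes of variable attributes followed
# by one data byte (1 = enabled, 0 = disabled). Prints enabled/disabled/unknown.
# The path is a parameter so the decoder can be checked against constructed files.
secure_boot_state() {
    var="${1:-$SB_VAR}"
    [ -r "$var" ] || { echo unknown; return 0; }
    byte=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Summarise the chain: firmware state, what / is mounted from, and bootc's view.
# Each step degrades gracefully so the script runs on any machine.
report_boot_chain() {
    echo "Secure Boot: $(secure_boot_state)"
    echo "Root filesystem: $(findmnt -no FSTYPE,SOURCE / 2>/dev/null || echo unavailable)"
    if command -v bootc >/dev/null 2>&1; then
        bootc status
    else
        echo "bootc not installed"
    fi
}

# Run the report only when invoked directly with an argument, e.g.
#   ./check-boot-chain.sh report
[ "${1:-}" = report ] && report_boot_chain
```

If Secure Boot reports disabled here, the signed bootloader and UKI still loaded but nothing verified them, which is exactly the case the guide warns about in Step 4.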

Step 5: (Optional) Build Your Own Sealed Image
If you prefer to customize or build your own sealed image, the repository mentioned in Step 2 provides scripts and instructions. In general, you will:
- Clone the repo and examine the Containerfile or build scripts.
- Use a tool like podman or buildah to build a bootable container image that includes a UKI and composefs with fs-verity.
- Sign the components with your own keys (for testing, test keys are fine).
- Convert the container image into a disk image using bootc and related utilities.
Detailed instructions are available in the repository's documentation. Note that building custom sealed images requires deeper knowledge of UKI generation, composefs, and Secure Boot signing.
Tips for Successful Testing
- Secure Boot must be enabled for the full verified chain; otherwise, the boot will proceed without integrity checks.
- If you encounter boot issues, check your UEFI firmware settings. Some machines require enrolling the test key as a MOK (Machine Owner Key). Refer to the repository's known issues list.
- For feedback or bug reports, please open issues at the same GitHub repository. The maintainers will redirect issues to upstream projects as needed.
- Remember: these are test images. The root account is open and SSH is enabled—use only in isolated test environments.
- To learn more about the underlying technology, watch the presentations linked in the repository: “Signed, Sealed, and Delivered” (FOSDEM 2025), “UKIs and composefs support for Bootable Containers” (Devconf.cz 2025), and “UKI, composefs and remote attestation for Bootable Containers” (ASG 2025). The composefs backend documentation in bootc is also a valuable resource.
Special thanks to the contributors from bootc, bcvk, composefs, composefs-rs, chunkah, podman & buildah, and systemd projects for making this possible.