Sealed Fedora Atomic Desktop bootable container images


I’m happy to announce that we have sealed bootable container images ready for testing for the Fedora Atomic Desktops!

What are sealed bootable container images?

Sealed bootable container images include all the components needed to create a fully verified boot chain, from the firmware down to the operating system's composefs image. This relies on Secure Boot and thus only supports systems booting with UEFI on x86_64 and aarch64.

The components are:

  • systemd-boot as bootloader
  • a Unified Kernel Image (UKI) which includes the Linux kernel, an initrd and the kernel command line
  • a composefs repository with fs-verity enabled, managed by bootc.

Both systemd-boot and the UKI are signed for Secure Boot. These are test images, so the components are not signed with the official keys from Fedora.
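As an added check (not code from the announcement, nor from the bootc or systemd projects), here is a small Python audit of the firmware-to-UKI part of the chain: it reads the firmware's SecureBoot and SetupMode variables plus the LoaderInfo and StubInfo variables that systemd-boot and systemd-stub publish, which is how a tester can confirm a booted test image really went through the signed systemd-boot and UKI path. It does not cover the composefs fs-verity layer, and `demo()` runs it against a constructed efivars tree (sample data, not real firmware output) instead of the live `/sys/firmware/efi/efivars`.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# systemd vendor GUID (LoaderInfo/StubInfo) and the EFI global GUID (SecureBoot/SetupMode).
SYSTEMD_LOADER_GUID = "4a67b082-0a4c-41cf-b6c7-440b29bb8c4f"
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

def efivar_data(efivars: Path, name: str, guid: str) -> Optional[bytes]:
    """Payload of an efivarfs entry (efivarfs prepends a 4-byte attribute word), or None if absent."""
    path = efivars / f"{name}-{guid}"
    return path.read_bytes()[4:] if path.is_file() else None

def efivar_text(data: Optional[bytes]) -> str:
    """systemd writes LoaderInfo/StubInfo as NUL-terminated UTF-16LE strings."""
    return "" if data is None else data.decode("utf-16-le", "replace").rstrip("\x00")

def audit_sealed_boot(efivars: Path = EFIVARS) -> Dict[str, bool]:
    """Every finding must be True for Secure Boot to actually cover systemd-boot and the UKI."""
    secure_boot = efivar_data(efivars, "SecureBoot", EFI_GLOBAL_GUID)
    setup_mode = efivar_data(efivars, "SetupMode", EFI_GLOBAL_GUID)
    loader = efivar_text(efivar_data(efivars, "LoaderInfo", SYSTEMD_LOADER_GUID))
    stub = efivar_text(efivar_data(efivars, "StubInfo", SYSTEMD_LOADER_GUID))
    return {
        # SecureBoot=1 means signatures are enforced, but only while SetupMode=0.
        "secure_boot_enabled": secure_boot is not None and secure_boot[:1] == b"\x01",
        "not_setup_mode": setup_mode is not None and setup_mode[:1] == b"\x00",
        "systemd_boot_loader": loader.startswith("systemd-boot"),
        "systemd_stub_uki": stub.startswith("systemd-stub"),
    }

def chain_sealed(efivars: Path = EFIVARS) -> bool:
    return all(audit_sealed_boot(efivars).values())

def write_constructed_efivars(target: Path, secure_boot: bool) -> Path:
    """Constructed sample tree (not real firmware data) so the checks can run offline."""
    attrs = b"\x06\x00\x00\x00"  # BS|RT attribute word, as efivarfs exposes it
    (target / f"SecureBoot-{EFI_GLOBAL_GUID}").write_bytes(attrs + (b"\x01" if secure_boot else b"\x00"))
    (target / f"SetupMode-{EFI_GLOBAL_GUID}").write_bytes(attrs + b"\x00")
    (target / f"LoaderInfo-{SYSTEMD_LOADER_GUID}").write_bytes(attrs + "systemd-boot 257\0".encode("utf-16-le"))
    (target / f"StubInfo-{SYSTEMD_LOADER_GUID}").write_bytes(attrs + "systemd-stub 257\0".encode("utf-16-le"))
    return target

def demo() -> Tuple[bool, bool]:
    # Audit a sealed and an unsealed constructed tree; on a real host call audit_sealed_boot().
    with tempfile.TemporaryDirectory() as d:
        sealed = chain_sealed(write_constructed_efivars(Path(d), secure_boot=True))
        unsealed = chain_sealed(write_constructed_efivars(Path(d), secure_boot=False))
    return sealed, unsealed
```

On a legacy BIOS boot the efivars directory is absent, so every finding comes back False, which is the correct answer for this chain.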

The main direct benefit of this support is that it lets us enable passwordless disk unlocking with the TPM in a way that is reasonably secure by default.

How do I test those images?

See the instructions at github.com/travier/fedora-atomic-desktops-sealed on how to give the pre-built container and disk images a try and how to build your own.

We welcome testing and feedback! Please see the list of known issues and report new issues at github.com/travier/fedora-atomic-desktops-sealed. We'll redirect them as needed to the right upstream projects.

Beware, these are testing images. The root account does not have a password set and sshd is enabled by default to make debugging easier. The UKI and systemd-boot are signed for Secure Boot but, since these are test images, they are not signed with the official keys from Fedora. Don't use these images in production.

Where can I get more details about how this works?

If you want to know more about how sealed images work (i.e. how we make bootable containers, UKI and composefs work together to create a verified boot chain), see the following presentations and documentation:

Thanks to all the contributors who made this possible, notably (but non-exhaustively) from the following projects: bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd.


1 Comment

  1. Van

    So this is how freedom ends.


The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc.