Introduction
Sealed bootable container images bring a fully verified boot chain to Fedora Atomic Desktops, ensuring every component from firmware to the operating system is cryptographically signed and measured. This technology leverages Secure Boot, Unified Kernel Images (UKIs), systemd-boot, and composefs with fs-verity to provide a tamper-proof environment. By testing these pre-alpha images, you can help validate the implementation and prepare for future features like TPM-based passwordless disk unlocking.

This guide walks you through downloading, installing, and testing the sealed images. Whether you use the ready-made disk images or build your own container, you'll be contributing to the development of a more secure desktop experience.
What You Need
- A computer with UEFI firmware (x86_64 or aarch64) and Secure Boot enabled.
- At least 20 GB of free disk space for the installation (preferably on a dedicated drive or partition).
- Access to the GitHub repository: github.com/travier/fedora-atomic-desktops-sealed.
- Basic familiarity with the command line and disk imaging tools (e.g., dd, cp, or balenaEtcher).
- Optional: A container build tool like Podman or Buildah if you wish to build your own sealed image.
Step 1: Download a Pre-Built Disk Image
The easiest way to test is to use one of the provided raw disk images. Visit the releases page of the GitHub repository. Look for the latest release tagged testing. Download the .raw.xz file corresponding to your architecture (x86_64 or aarch64). Ensure you also download the accompanying SHA256 checksum file to verify integrity.
Step 2: Verify the Download
Before writing the image, verify its integrity using the checksum file. Open a terminal and navigate to the download directory. Run:
sha256sum -c *.sha256
If the output shows OK, your download is intact. If not, re-download the image.
Step 3: Write the Image to a USB Drive or Disk
Insert the target storage device (USB drive, NVMe SSD, etc.). This will erase all data on the device. Identify the device name using lsblk or fdisk -l (e.g., /dev/sdX or /dev/nvme0n1). Then decompress and write the image with:
xzcat fedora-atomic-desktops-sealed-*.raw.xz | sudo dd of=/dev/sdX bs=4M status=progress && sync
Replace /dev/sdX with your actual device. The process may take several minutes.
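The checks from Steps 2 and 3, as an added shell example that is not part of the fedora-atomic-desktops-sealed repository: it compares the downloaded image against the hash in its .sha256 file (by hash value, so a renamed file still verifies) and refuses to write to any device that /proc/mounts shows is in use, which is the usual way a wrong /dev/sdX wipes the running system. The function names, the optional mounts-file argument (there only so the logic can be exercised against a constructed file), and the SEALED_WRITE environment variable are this example's own; the write step assumes GNU coreutils and root privileges.

```shell
#!/bin/sh
# Added example, not from the project's repository. Helper names and the
# SEALED_WRITE variable are this example's own conventions.
set -eu

# verify_image_checksum IMAGE CHECKSUM_FILE
# Returns 0 only if the SHA-256 recorded in CHECKSUM_FILE matches IMAGE.
verify_image_checksum() {
    image=$1
    sumfile=$2
    [ -f "$image" ] && [ -f "$sumfile" ] || return 2
    expected=$(awk '{print $1; exit}' "$sumfile")
    actual=$(sha256sum "$image" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# device_is_safe_target DEV [MOUNTS_FILE]
# Returns 0 if neither DEV nor any partition on it appears as a mount source.
# MOUNTS_FILE defaults to /proc/mounts; a test may pass a constructed copy.
device_is_safe_target() {
    dev=$1
    mounts=${2:-/proc/mounts}
    case $dev in
        /dev/*) ;;
        *) return 2 ;;   # not a device path at all
    esac
    # Any mount whose source starts with DEV (e.g. /dev/sdb1 for /dev/sdb)
    # means live data is on that disk: refuse.
    if awk -v d="$dev" 'index($1, d) == 1 { found = 1 } END { exit !found }' "$mounts"; then
        return 1
    fi
    return 0
}

# write_image IMAGE_XZ DEV
# Decompresses and writes the image only after the safety checks pass.
# Must run as root; this is the same xzcat | dd pipeline as in Step 3.
write_image() {
    [ $# -eq 2 ] || { echo "usage: write_image IMAGE.raw.xz /dev/DEVICE" >&2; return 2; }
    image=$1
    dev=$2
    sumfile="$image.sha256"
    verify_image_checksum "$image" "$sumfile" || { echo "refusing: checksum mismatch for $image" >&2; return 1; }
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 1; }
    device_is_safe_target "$dev" || { echo "refusing: $dev is mounted or in use" >&2; return 1; }
    xzcat "$image" | dd of="$dev" bs=4M status=progress
    sync
}

# Stand-alone use: SEALED_WRITE=1 ./write-sealed.sh IMAGE.raw.xz /dev/sdX
if [ "${SEALED_WRITE:-0}" = 1 ]; then
    write_image "$@"
fi
```

The write is gated behind an explicit environment variable so that sourcing the file to reuse the checks never touches a disk; the mount check is deliberately coarse (a prefix match on the device name) because a false refusal costs a second look at lsblk, while a false pass costs the drive.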
Step 4: Boot from the Image
Ensure Secure Boot is enabled in your UEFI/BIOS settings. Connect the drive to the target computer and boot from it. The systemd-boot menu should appear briefly. The sealed image will automatically boot into Fedora Atomic Desktop. Note that the UKI and systemd-boot are signed with test keys—your firmware may show a warning about untrusted signatures. Accept the enrollment if prompted (this is expected for test images). If the boot fails with a Secure Boot error, verify that Secure Boot is on and that you are using UEFI mode.
Step 5: Log In and Test Basic Functionality
Once booted, log in. The root account has no password set by default, and SSH is enabled for debugging. You can log in directly at the console or via SSH. Check that Secure Boot is active by running:
bootctl status
Look for Secure Boot: enabled. Also check that the UKI files are in place:
ls -l /boot/EFI/Linux/fedora-*
Test disk encryption if applicable: the sealed images support TPM-based unlocking (no password required). Reboot and check whether the system decrypts the disk automatically without a prompt. If you set up a password, you may need to unlock manually.
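An added example, not a script from the project, that turns the Step 5 check into a small boot-chain report: it parses the output of bootctl status for the Secure Boot and TPM2 Support lines and distinguishes firmware still in setup mode (no owner keys enrolled, so nothing is enforced) from a genuinely enabled state. The function names and the BOOTCHECK_RUN variable are this example's own; the transcript used in the test is constructed and only mimics the line layout of bootctl.

```shell
#!/bin/sh
# Added example, not the project's code. Parses a bootctl status transcript
# so the logic can be checked offline; with no argument it runs bootctl itself.
set -eu

# secure_boot_state [TRANSCRIPT]
# Prints one of: enabled, setup, disabled, unknown.
secure_boot_state() {
    if [ $# -gt 0 ]; then
        input=$1
    else
        input=$(bootctl status 2>/dev/null || true)
    fi
    line=$(printf '%s\n' "$input" | awk '/^ *Secure Boot:/ { print; exit }')
    case $line in
        *"(setup)"*)  echo setup ;;     # firmware in setup mode: not enforcing
        *disabled*)   echo disabled ;;
        *enabled*)    echo enabled ;;
        *)            echo unknown ;;
    esac
}

# tpm2_present [TRANSCRIPT]
# Prints yes, no, or unknown from the "TPM2 Support:" line.
tpm2_present() {
    if [ $# -gt 0 ]; then
        input=$1
    else
        input=$(bootctl status 2>/dev/null || true)
    fi
    case $(printf '%s\n' "$input" | awk '/^ *TPM2 Support:/ { print $3; exit }') in
        yes) echo yes ;;
        no)  echo no ;;
        *)   echo unknown ;;
    esac
}

# count_ukis [DIR]
# Number of .efi files in the UKI directory (default /boot/EFI/Linux).
count_ukis() {
    dir=${1:-/boot/EFI/Linux}
    n=0
    for f in "$dir"/*.efi; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# boot_chain_report [TRANSCRIPT] [UKI_DIR]
# Prints a summary; returns 0 only when Secure Boot is really enabled.
boot_chain_report() {
    if [ $# -gt 0 ]; then
        input=$1
    else
        input=$(bootctl status 2>/dev/null || true)
    fi
    sb=$(secure_boot_state "$input")
    tpm=$(tpm2_present "$input")
    ukis=$(count_ukis "${2:-/boot/EFI/Linux}")
    echo "Secure Boot: $sb"
    echo "TPM2 support: $tpm"
    echo "UKI files found: $ukis"
    [ "$sb" = enabled ]
}

# Stand-alone use: BOOTCHECK_RUN=1 ./bootcheck.sh
if [ "${BOOTCHECK_RUN:-0}" = 1 ]; then
    boot_chain_report
fi
```

The report's exit status follows only the Secure Boot result, since a missing TPM merely disables the passwordless-unlock test while a disabled or setup-mode Secure Boot means the signed boot chain is not being enforced at all.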

Step 6: Build Your Own Sealed Image (Optional)
If you want to customize or test building from source, follow the instructions in the GitHub README. The repository provides a Containerfile and scripts. You'll need Podman or Buildah installed. Build with:
podman build -t my-sealed-image .
Then export the disk image using the provided export.sh script. This process takes longer but gives you full control.
Step 7: Report Feedback and Known Issues
After testing, share your experience. Check the known issues list first. If you encounter a new bug or have a suggestion, open an issue. Please include your hardware details, logs from journalctl -b, and steps to reproduce. Your feedback helps improve the boot chain security.
Tips
- Do not use in production: These are test images signed with test keys only. They are not secured with official Fedora signing keys and may have vulnerabilities.
- Passwordless root and SSH: By design, root has no password and SSH is enabled for debugging. Disconnect from untrusted networks unless you secure the system first.
- Back up your data: Writing the image will wipe the target drive. Always back up important files.
- UEFI only: Sealed images require UEFI with Secure Boot. Legacy BIOS is not supported.
- TPM unlocking: If you are testing passwordless decryption, ensure your firmware has a TPM 2.0 chip and that it is enabled.
- Debugging boot failures: If the system does not boot, try disabling Secure Boot temporarily to isolate the issue. Use bootctl list from a rescue environment to inspect the boot entries.
- Stay updated: Watch the GitHub repo for newer releases as development progresses.
For further technical details, refer to the presentations listed in the original announcement: “Signed, Sealed, and Delivered” (FOSDEM 2025), “UKIs and composefs support for Bootable Containers” (Devconf.cz 2025), and “UKI, composefs and remote attestation for Bootable Containers” (ASG 2025). The composefs backend documentation in the bootc project also provides in-depth explanation.