How to Test Sealed Bootable Container Images on Fedora Atomic Desktops

<h2>Introduction</h2>
<p>Fedora Atomic Desktops now offer sealed bootable container images for testing. These images create a fully verified boot chain from the firmware to the operating system, leveraging Secure Boot, systemd-boot, Unified Kernel Images (UKIs), and composefs with fs-verity. This guide walks you through testing these images, whether you want to use the pre-built versions or build your own. By the end, you'll be able to experience the benefits of a tamper-proof boot process and contribute feedback to the development community.</p>
<figure style="margin:20px 0"><img src="https://fedoramagazine.org/wp-content/uploads/2026/04/sealed_atomic_bootable_images-300x127.jpg" alt="How to Test Sealed Bootable Container Images on Fedora Atomic Desktops" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: fedoramagazine.org</figcaption></figure>
<h2>What You Need</h2>
<ul>
<li>A machine with <strong>UEFI firmware</strong> (x86_64 or aarch64) and <strong>Secure Boot</strong> support (it can be enabled or disabled for testing).</li>
<li>Basic familiarity with the command line and tools like <code>podman</code> or <code>buildah</code> (for building custom images).</li>
<li>At least <strong>20 GB</strong> of free disk space for the disk image or installation.</li>
<li>A <strong>USB drive</strong> (8 GB or larger) if you plan to boot from a live image.</li>
<li>An internet connection for downloading images or building from source.</li>
<li>Optional: a TPM 2.0 module for testing passwordless disk unlocking.</li>
</ul>
<h2>Step-by-Step Instructions</h2>
<h3>Step 1: Understand the Components</h3>
<p>Before diving in, familiarize yourself with the key parts of a sealed bootable container image:</p>
<ul>
<li><strong>systemd-boot</strong> – a lightweight UEFI boot manager.</li>
<li><strong>Unified Kernel Image (UKI)</strong> – combines the Linux kernel, initramfs, and kernel command line into a single signed binary.</li>
<li><strong>composefs</strong> – a read-only, verifiable filesystem image with fs-verity enabled, managed by <code>bootc</code>.</li>
</ul>
<p>Both systemd-boot and the UKI are signed for Secure Boot using test keys (not the official Fedora keys). This is what lets the firmware verify the boot chain from the first stage onward.</p>
<h3>Step 2: Check Your System's Compatibility</h3>
<p>These images only support UEFI boot on the x86_64 and aarch64 architectures. Verify your system:</p>
<ul>
<li>Boot into your firmware settings and confirm that UEFI mode is enabled.</li>
<li>Ensure Secure Boot is either enabled (recommended for full verification) or disabled for testing purposes.</li>
<li>If you plan to test TPM-based passwordless disk unlocking, make sure your system has a TPM 2.0 chip.</li>
</ul>
<h3>Step 3: Choose Your Testing Method</h3>
<p>You have two options:</p>
<ul>
<li><strong>Use pre-built container and disk images</strong> – quick and easy, ideal for first-time testing.</li>
<li><strong>Build your own sealed images</strong> – gives you full control and is better for understanding the process.</li>
</ul>
<p>Both methods are documented in the official GitHub repository: <a href="https://github.com/travier/fedora-atomic-desktops-sealed">github.com/travier/fedora-atomic-desktops-sealed</a>.</p>
<h3>Step 4 (Option A): Use Pre-Built Images</h3>
<ol>
<li>Go to the <a href="https://github.com/travier/fedora-atomic-desktops-sealed">repository</a> and download the latest release of the disk image (e.g., a <code>.raw</code> or <code>.iso</code> file).</li>
<li>Write the image to a USB drive using <code>dd</code> or a tool like Fedora Media Writer:<br/><code>dd if=path/to/image.raw of=/dev/sdX bs=4M status=progress</code><br/>(Replace <code>/dev/sdX</code> with your USB device.)</li>
<li>Boot from the USB drive. If Secure Boot is enabled, the firmware may warn that the image is signed with test keys it does not trust – proceed with the test.</li>
<li>Once booted, log in as root (no password is set by default) and explore the sealed system. Note that SSH is enabled by default for debugging – disable it if you don't need it.</li>
</ol>
<h3>Step 4 (Option B): Build Your Own Sealed Image</h3>
<ol>
<li>Clone the repository: <code>git clone https://github.com/travier/fedora-atomic-desktops-sealed.git</code>.</li>
<li>Install the dependencies: <code>podman</code>, <code>buildah</code>, and <code>bootc</code> (see the repository's README for exact versions).</li>
<li>Follow the build instructions in the <code>BUILD.md</code> file – this typically involves running a script that creates a container image with composefs, signs the UKI with the test keys, and generates a bootable disk image.</li>
<li>Write the resulting disk image to a USB drive, or install it directly to a disk using <code>bootc install</code>.</li>
</ol>
<h3>Step 5: Boot and Verify the Secure Chain</h3>
<p>After booting, run the following commands to confirm that the boot chain is sealed:</p>
<ul>
<li><code>bootc status</code> – shows the active deployment and the composefs mount.</li>
<li><code>fsverity measure /</code> – prints the fs-verity digest (integrity hash) of the root filesystem.</li>
<li>Check <code>/proc/cmdline</code> to see the kernel command line embedded in the UKI.</li>
</ul>
<p>If Secure Boot is active, the system will refuse to boot if any component has been tampered with.</p>
<h3>Step 6: Test TPM-Based Unlocking (Optional)</h3>
<p>The sealed images enable passwordless disk unlocking using the TPM. This works because the boot chain is verified, so the TPM can safely release the encryption key. To test this:</p>
<ol>
<li>Install the system to a disk (not just a live boot) using <code>bootc install</code>.</li>
<li>Reboot and ensure Secure Boot is active.</li>
<li>You should be prompted only for the TPM PIN (if one is set), or boot directly to the desktop without a disk password.</li>
</ol>
<h3>Step 7: Provide Feedback and Report Issues</h3>
<p>Testing is valuable! Before reporting issues, check the <a href="https://github.com/travier/fedora-atomic-desktops-sealed/issues">known issues list</a> on the repository. If you find a new bug, open an issue with as much detail as possible (hardware, boot logs, steps to reproduce). The maintainers will redirect reports to the appropriate upstream projects (bootc, composefs, systemd, etc.).</p>
<h2>Tips and Best Practices</h2>
<ul>
<li><strong>Do not use these images in production.</strong> They are test images: root has no password, SSH is enabled, and the Secure Boot signatures use test keys. Treat them like an experimental playground.</li>
<li><strong>Disable SSH</strong> after initial testing to reduce the attack surface: <code>systemctl disable --now sshd</code>.</li>
<li><strong>Set a root password</strong> if you plan to keep the system running for a while: <code>passwd</code>.</li>
<li><strong>Keep backups</strong> of any important data on the test machine – installing these images may overwrite the disk.</li>
<li><strong>If Secure Boot prevents booting</strong> because of the test keys, you can temporarily disable Secure Boot in your firmware settings.</li>
<li><strong>Explore the presentations</strong> linked in the original announcement for deep dives into how UKIs, composefs, and remote attestation work together.</li>
<li><strong>Join the Fedora community</strong> – share your experiences on the Fedora discussion forums or mailing lists to help improve this feature.</li>
</ul>
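<p>The Secure Boot check from Step 2 and the <code>fsverity measure /</code> check from Step 5 can be scripted so that a sealed test install can re-verify itself on every boot. The POSIX shell functions below are an added example, not code from the article or from the fedora-atomic-desktops-sealed repository; they assume the standard efivarfs layout of the SecureBoot variable (4 attribute bytes followed by one data byte) and the <code>&lt;alg&gt;:&lt;hex&gt; &lt;path&gt;</code> output format of <code>fsverity measure</code>, and take file paths as parameters so they can also be exercised against constructed files.</p>

```sh
#!/bin/sh
# Added example (not from the article or the fedora-atomic-desktops-sealed repo):
# scripted versions of the Step 2 and Step 5 checks. Paths are parameters so the
# functions can run against constructed files; the defaults are the live locations.

# Decode the SecureBoot EFI variable from efivarfs. The file holds 4 bytes of
# variable attributes followed by the data; for SecureBoot the data is one byte
# (1 = Secure Boot enforcing, 0 = disabled or setup mode).
secureboot_state() {
    var="$1"
    [ -n "$var" ] || var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    if [ -z "$var" ] || [ ! -r "$var" ]; then
        echo "unsupported"   # no UEFI/efivarfs, or firmware without Secure Boot
        return 0
    fi
    # skip the 4 attribute bytes and print the next byte as an unsigned decimal
    value=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case "$value" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Parse one line of 'fsverity measure' output ("<alg>:<hex> <path>") into
# "<alg> <hex>" so the root digest can be recorded on a known-good boot and
# compared on later boots. Returns 1 on a malformed line.
fsverity_digest() {
    line="$1"
    alg=${line%%:*}
    rest=${line#*:}
    hex=${rest%% *}
    case "$alg" in sha256|sha512) ;; *) return 1 ;; esac
    case "$hex" in ""|*[!0-9a-f]*) return 1 ;; esac
    echo "$alg $hex"
}

# Measure the live root (or the path in $1) and compare it with a stored
# known-good digest in $2 ("<alg> <hex>"). Returns 0 on match, 1 otherwise,
# so a boot-time unit can raise a "root changed" alert on mismatch.
composefs_unchanged() {
    expected="$2"
    current=$(fsverity_digest "$(fsverity measure "${1:-/}" 2>/dev/null)") || return 1
    [ "$current" = "$expected" ]
}

# Usage on a sealed install (the digest file path is only an example):
#   fsverity measure / > /var/lib/root.digest      # once, on a trusted boot
#   composefs_unchanged / "$(fsverity_digest "$(cat /var/lib/root.digest)")" || echo "root changed"
```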