How to Test Sealed Bootable Container Images on Fedora Atomic Desktops
Step-by-step guide to test sealed bootable container images for Fedora Atomic Desktops, covering prerequisites, pre-built or custom builds, boot verification, TPM unlocking, and feedback.
Introduction
Fedora Atomic Desktops now offer sealed bootable container images for testing. These images create a fully verified boot chain from firmware to the operating system, leveraging Secure Boot, systemd-boot, Unified Kernel Images (UKIs), and composefs with fs-verity. This guide walks you through the process of testing these images, whether you want to use pre-built versions or build your own. By the end, you'll be able to experience the benefits of a tamper-proof boot process and contribute feedback to the development community.

What You Need
- A machine with UEFI firmware (x86_64 or aarch64) and Secure Boot support (can be enabled or disabled for testing).
- Basic familiarity with the command line and tools like `podman` or `buildah` (for building custom images).
- At least 20 GB of free disk space for the disk image or installation.
- A USB drive (8 GB or larger) if you plan to boot from a live image.
- An internet connection for downloading images or building from source.
- Optional: A TPM 2.0 module for testing passwordless disk unlocking.
Step-by-Step Instructions
Step 1: Understand the Components
Before diving in, familiarize yourself with the key parts of a sealed bootable container image:
- systemd-boot – a lightweight UEFI boot manager.
- Unified Kernel Image (UKI) – combines the Linux kernel, initramfs, and kernel command line into a single signed binary.
- composefs – a read-only, verifiable filesystem image with fs-verity enabled, managed by `bootc`.
Both systemd-boot and the UKI are signed for Secure Boot using test keys (not the official Fedora keys). This ensures the boot chain is verified from the firmware onward.
Step 2: Check Your System's Compatibility
These images only support UEFI boot on x86_64 and aarch64 architectures. Verify your system:
- Boot into your firmware settings and confirm UEFI mode is enabled.
- Ensure Secure Boot is either enabled (recommended for full verification) or disabled for testing purposes.
- If you plan to test TPM-based passwordless disk unlocking, make sure your system has a TPM 2.0 chip.
Step 3: Choose Your Testing Method
You have two options:
- Use pre-built container and disk images – quick and easy, ideal for first-time testing.
- Build your own sealed images – gives you full control and is better for understanding the process.
Both methods are documented in the official GitHub repository: github.com/travier/fedora-atomic-desktops-sealed.
Step 4 (Option A): Use Pre-Built Images
- Go to the repository and download the latest release of the disk image (e.g., a `.raw` or `.iso` file).
- Write the image to a USB drive using `dd` or a tool like Fedora Media Writer: `dd if=path/to/image.raw of=/dev/sdX bs=4M status=progress` (replace `/dev/sdX` with your USB device).
- Boot from the USB drive. If Secure Boot is enabled, you may see a warning about the unsigned test keys – proceed to test.
- Once booted, log in as root (no password set by default) and explore the sealed system. Note that SSH is enabled by default for debugging – disable it if you don't need it.
Step 4 (Option B): Build Your Own Sealed Image
- Clone the repository: `git clone https://github.com/travier/fedora-atomic-desktops-sealed.git`.
- Install dependencies: `podman`, `buildah`, and `bootc` (see the repository's README for exact versions).
- Follow the build instructions in the `BUILD.md` file – this typically involves running a script that creates a container image with composefs, signs the UKI with test keys, and generates a bootable disk image.
- Write the resulting disk image to a USB drive or install it directly to a disk using `bootc install`.
Step 5: Boot and Verify the Secure Chain
After booting, run the following commands to confirm the boot chain is sealed:

- `bootc status` – shows the active deployment and composefs mount.
- `fsverity measure /` – verifies the filesystem integrity hash.
- Check `/proc/cmdline` to see the kernel command line embedded in the UKI.
If Secure Boot is active, the system will refuse to boot if any component has been tampered with.
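As an added example (not from the page or the fedora-atomic-desktops-sealed repository), a small POSIX shell helper that scripts the Step 5 checks: it decodes the SecureBoot EFI variable, compares `/proc/cmdline` with the command line embedded in the UKI, and parses `fsverity measure` output. It assumes efivarfs is mounted at /sys/firmware/efi/efivars and that you have dumped the UKI's `.cmdline` section yourself (for example with `objcopy`) to a file whose path is exported as `UKI_CMDLINE_FILE`; both names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the fedora-atomic-desktops-sealed repository.
# Each check is a function over input you supply, so it can also be run
# against constructed data. Assumptions: efivarfs is mounted at
# /sys/firmware/efi/efivars, and the UKI's embedded command line was dumped
# with `objcopy -O binary --only-section=.cmdline <uki> "$UKI_CMDLINE_FILE"`.

# Decode the SecureBoot EFI variable: 4 attribute bytes, then 1 value byte.
secure_boot_state() {
    # $1: path to the SecureBoot-<GUID> file under efivarfs
    [ -r "$1" ] || { echo unknown; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$v" in 1) echo enabled ;; 0) echo disabled ;; *) echo unknown ;; esac
}

# Normalise a kernel command line to one sorted token per line.
norm_cmdline() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d' | sort
}

# Succeed only when /proc/cmdline carries exactly the tokens embedded in the
# UKI: any parameter added or dropped at boot time is a mismatch.
cmdline_matches() {
    # $1: command line dumped from the UKI, $2: contents of /proc/cmdline
    [ "$(norm_cmdline "$1")" = "$(norm_cmdline "$2")" ]
}

# Extract the digest from one line of `fsverity measure` output
# ("sha256:<64 hex> <path>"); prints nothing if the line is malformed.
fsverity_digest() {
    printf '%s\n' "$1" | sed -n 's/^sha256:\([0-9a-f]\{64\}\) .*/\1/p'
}

# Live run on a booted sealed image; a check is skipped if its input is absent.
run_checks() {
    sb=$(secure_boot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)
    echo "Secure Boot: $sb"
    if [ -r "${UKI_CMDLINE_FILE:-}" ] && [ -r /proc/cmdline ]; then
        if cmdline_matches "$(cat "$UKI_CMDLINE_FILE")" "$(cat /proc/cmdline)"; then
            echo "cmdline: matches the UKI"
        else
            echo "cmdline: DIFFERS from the UKI (investigate)"
        fi
    fi
    if command -v fsverity >/dev/null 2>&1; then
        echo "fs-verity root digest: $(fsverity_digest "$(fsverity measure / 2>/dev/null)")"
    fi
}
run_checks
```

A command line that differs from the UKI's embedded one means parameters were injected at boot time, which is exactly what a sealed chain should make visible rather than silently accept.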
Step 6: Test TPM-Based Unlocking (Optional)
The sealed images enable passwordless disk unlocking using the TPM. This works because the boot chain is verified, so the TPM can safely release the encryption key. To test this:
- Install the system to a disk (not just live boot) using `bootc install`.
- Reboot and ensure Secure Boot is active.
- You should be prompted only for the TPM PIN (if set) or boot directly to the desktop without a disk password.
Step 7: Provide Feedback and Report Issues
Testing is valuable! Before reporting issues, check the known issues list on the repository. If you find a new bug, open an issue with as much detail as possible (hardware, boot logs, steps to reproduce). The maintainers will redirect to the appropriate upstream projects (bootc, composefs, systemd, etc.).
Tips and Best Practices
- Do not use these images in production. They are test images: root has no password, SSH is enabled, and the Secure Boot signatures use test keys. Treat them like an experimental playground.
- Disable SSH after initial testing to reduce attack surface: `systemctl disable --now sshd`.
- Set a root password if you plan to keep the system running for a while: `passwd`.
- Keep backups of any important data on the test machine – installing these images may overwrite the disk.
- If Secure Boot prevents booting due to test keys, you can disable Secure Boot temporarily in your firmware settings.
- Explore the presentations linked in the original announcement for deep dives into how UKIs, composefs, and remote attestation work together.
- Join the Fedora community – share your experiences on the Fedora discussion forums or mailing lists to help improve this feature.