Fedora Atomic Desktop now has sealed bootable container images available for testing. These images provide a fully verified boot chain from firmware to OS by combining systemd-boot, Unified Kernel Images (UKI), and composefs with fs-verity. Both systemd-boot and the UKI are signed for Secure Boot (UEFI on x86_64 and aarch64), though the test images use unofficial keys. The primary benefit is enabling passwordless disk unlocking via the TPM in a secure-by-default manner. These images are for testing only, not for production use: they ship with passwordless root access and sshd enabled for debugging.