{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiaqbds6r2yezc5odlyqm3kx5omnztjcxy4vtr5pt5uajwwjiaqawm",
    "uri": "at://did:plc:awj2q63kg2v3k5xwsjh2uoe3/app.bsky.feed.post/3ml25swngu4l2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreiflfljitc74fwesj2uzltq4fcmrwf2fbbhv4xyxdtpikucapnpbxe"
    },
    "mimeType": "image/jpeg",
    "size": 195710
  },
  "description": "Fedora 44 has been released, and with it comes a new offering: sealed bootable container images, which “include all the components needed to create a fully verified boot chain.”",
  "path": "/news/2026/05/04/fedora-sealed-bootable-container-images-possibly-opening-the-door-to-a-fully-verified-boot-chain/",
  "publishedAt": "2026-05-04T17:05:13.000Z",
  "site": "https://www.privacyguides.org",
  "tags": [
    "sealed bootable container",
    "Secure Boot",
    "chain of trust",
    "root of trust",
    "TPM",
    "Windows",
    "macOS",
    "Signed System Volume",
    "Android",
    "GrapheneOS",
    "Unified Kernel Images",
    "fs-verity",
    "GitHub"
  ],
  "textContent": "Fedora 44 has been released, and with it comes a new offering: sealed bootable container images, which “include all the components needed to create a fully verified boot chain.”\n\nUEFI Secure Boot is a feature available on most computers nowadays, designed to prevent rootkits and malware persistence on your machine.\n\nWhenever your machine boots, Secure Boot is designed to check each part of the system as it boots in order to prevent malware from loading instead of trusted firmware/software.\n\nThe process relies on what’s called a chain of trust, where each component, once it has been verified, verifies the next component. The chain begins with the root of trust, which all of the other steps in the chain of trust rely on.\n\nIn most devices, the TPM chip provides this root of trust.\n\nThe TPM is a hardware chip that provides several security functions that benefit from hardware-based protection, including handling cryptographic keys.\n\nMost operating systems offer some version of this idea, although there are many names for it and various implementations.\n\nIn Windows, Secure Boot verifies everything up to the bootloader, and then Trusted Boot takes over and verifies the kernel and every other part of the boot process.\n\nIn macOS, the full process is called Secure Boot. The root of trust is the Boot ROM, and it verifies all the way up to the Signed System Volume, which verifies the integrity of the OS.\n\nIn Android, Verified Boot is instead what handles this. It extends from the hardware-protected root of trust to the bootloader, and on to the `system`, `vendor`, and optionally the `oem` partitions.\n\nGrapheneOS extends Android’s verified boot with enhanced security, reduced attack surface, and the ability to also verify out-of-band updates to APKs.\n\nPreviously on most desktop Linux distributions, you could verify the bootloader and the kernel with Secure Boot. But the rest of the file system isn’t verified.\n\nThese new sealed bootable container images on Fedora 44 promise to provide a “fully verified boot chain” utilizing systemd as the bootloader, Unified Kernel Images, and a composefs repository with fs-verity enabled.\n\nThis could theoretically allow the filesystem to be verified on an immutable system like Fedora Silverblue.\n\nFor now, the images are only available as test images and they’re not signed with the official keys from Fedora.\n\nThey’re also only available as containers and not ISO images that you can boot from on bare-metal hardware, but it’s an exciting step for desktop Linux security.\n\nIf you want to test them out, you can get the images from GitHub, but be warned: they’re unofficial and only meant for testing purposes, **don’t use them in production**.",
  "title": "Fedora Sealed Bootable Container Images, Possibly Opening the Door to a “Fully Verified Boot Chain”",
  "updatedAt": "2026-05-04T17:05:13.519Z"
}