Fedora Sealed Bootable Container Images, Possibly Opening the Door to a “Fully Verified Boot Chain”

Fedora 44 has released, and with it comes a new offering: sealed bootable container images, which “include all the components needed to create a fully verified boot chain.”

UEFI Secure Boot is a feature available on most computers nowadays designed to prevent rootkits and malware persistence on your machine.

Whenever your machine boots, Secure Boot is designed to check each part of the system as it boots in order to prevent malware from loading instead of trusted firmware/software.

The process relies on what’s called a chain of trust, where each component verifies the next component once it’s been verified. The chain begins with the root of trust, which all of the other steps in the chain of trust rely on.

In most devices, the TPM chip provides this root of trust.

The TPM is a hardware chip that provides several security functions that benefit from hardware-based protection, including handling cryptographic keys.

Most operating systems offer some version of this idea, although there’s many names for it and various implementations.

In Windows, Secure Boot verifies everything up to the bootloader, and then Trusted Boot takes over and verifies the kernel and every other part of the boot process.

In macOS, the full process is called Secure Boot. The root of trust is the Boot ROM and it verifies all the way up to the Signed System Volume which verifies the integrity of the OS.

In Android, Verified Boot is instead what handles this. It starts with the hardware-protected root of trust to the bootloader, to the system, vendor, and optionally the oem partitions.

GrapheneOS extends Android’s verified boot with enhanced security, reduced attack surface, and allowing it to also verify out-of-band updates to APKs.

Previously on most desktop Linux distributions, you could verify the bootloader and the kernel with Secure Boot. But, the rest of the file system isn’t verified.

These new sealed bootable container images on Fedora 44 promise to provide a “fully verified boot chain” utilizing systemd as the bootlaoder, Unified Kernel Images, and a composefs repository with fs-verity enabled.

This could theoretically allow the filesystem to be verified on an immutable system like Fedora Silverblue.

For now, the images are only available as test images and they’re not signed with the official keys from Fedora.

They’re also only available as containers and not ISO images that you can boot from on baremetal hardware, but it’s an exciting step for desktop Linux security.

If you want to test them out, you can get the images from GitHub, but be warned: they’re unofficial and only meant for testing purposes, don’t use them in production.