Updating the bootloader

bootupd

The bootloader update is now performed automatically by default. The bootupd project is included in Fedora CoreOS and supports both manual and automatic updates.

This is usually only relevant in bare metal scenarios, or on virtualized hypervisors that support Secure Boot. One example reason to update the bootloader is the BootHole vulnerability.

At the moment, only the EFI system partition (i.e. not the BIOS MBR) can be updated by bootupd.

Inspect the system status:

# bootupctl status
Component EFI
  Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
  Update: At latest version

If an update is available, use bootupctl update to apply it; the change takes effect on the next reboot.

# bootupctl update
...
Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64

Using images that predate bootupd

Older CoreOS images that predate the existence of bootupd need an explicit "adoption" phase. If bootupctl status says the component is Adoptable, perform the adoption with bootupctl adopt-and-update.

# bootupctl adopt-and-update
...
Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
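
The status check, update and adoption steps above can be turned into a read-only audit for a fleet of nodes. The script below is an added example, not part of the original page or of the bootupd project: it maps bootupctl status text to the action this page describes. The function name, the --host argument, and the sample "Available" and "Adoptable" lines are constructed for illustration; only "At latest version" and the word Adoptable come from the page, and any other Update: value is assumed to mean an update is pending.

```shell
#!/bin/sh
# Added example, not bootupd code. Maps `bootupctl status` text to the action
# described on this page. Strings taken from the page: "At latest version",
# "Adoptable". Assumption: any other "Update:" value means an update is pending.

classify_status() {   # reads status text on stdin, prints one action word
    awk '
        /Adoptable/ { adopt = 1 }
        /^[ \t]*Update:/ {
            seen = 1
            if ($0 !~ /At latest version/) pending = 1
        }
        END {
            if (adopt)        print "adopt"     # bootupctl adopt-and-update
            else if (pending) print "update"    # bootupctl update, then reboot
            else if (seen)    print "current"   # nothing to do
            else              print "unknown"   # unrecognised output: check by hand
        }'
}

# Constructed sample outputs (only the first is copied from the page).
SAMPLE_CURRENT='Component EFI
  Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
  Update: At latest version'
SAMPLE_PENDING='Component EFI
  Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
  Update: Available: CONSTRUCTED-PLACEHOLDER-VERSION'
SAMPLE_ADOPTABLE='Component EFI
  Adoptable: CONSTRUCTED-PLACEHOLDER-VERSION'

if [ "${1:-}" = "--host" ]; then
    # On a real node (needs root): report only, change nothing.
    action=$(bootupctl status | classify_status)
    echo "bootloader action: $action"
    # Non-zero exit flags the node for follow-up by monitoring.
    [ "$action" = "current" ] || exit 1
else
    for s in "$SAMPLE_CURRENT" "$SAMPLE_PENDING" "$SAMPLE_ADOPTABLE"; do
        printf '%s\n' "$s" | classify_status
    done
fi
```

Run with --host on a node, the script exits non-zero whenever the bootloader is not at the latest version, so it can feed an existing health check without modifying the EFI system partition itself.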