Updating the bootloader


Updating the bootloader is not currently automatic. The bootupd project is included in Fedora/CentOS bootc and may be used for manual updates.

This is usually only relevant in bare metal scenarios, or on virtualized hypervisors that support Secure Boot. One reason to update the bootloader is to pick up the fix for a bootloader vulnerability such as BootHole.

Inspect the system status:

# bootupctl status
Component EFI
  Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
  Update: At latest version

If an update is available, use bootupctl update to apply it; the change will take effect for the next reboot.

# bootupctl update
Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
Example systemd unit to automate bootupd updates

# /usr/lib/systemd/system/custom-bootupd-update.service
[Unit]
Description=Bootupd automatic update

[Service]
Type=oneshot
ExecStart=/usr/bin/bootupctl update

[Install]
WantedBy=multi-user.target
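As an added example (not code from the bootc or bootupd projects), a POSIX shell helper that parses the bootupctl status output shown above, logs the installed component versions, and runs bootupctl update only when a component is not at the latest version. The wording of a pending "Update:" line is an assumption; the check relies only on that line not reading "At latest version".

```shell
#!/bin/sh
# Added example (not part of bootc or bootupd): parse `bootupctl status` text
# so an update job can log what is installed and only run `bootupctl update`
# when a component is behind.

# Constructed sample, copied from the page: EFI component fully up to date.
SAMPLE_STATUS='Component EFI
  Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
  Update: At latest version'

# Constructed sample for a pending update. The exact wording bootupd prints
# here is an assumption; the check below only relies on the line NOT being
# "At latest version".
SAMPLE_PENDING='Component EFI
  Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
  Update: Available: grub2-efi-x64-1:2.06-1.fc33.x86_64,shim-x64-15-8.x86_64'

# bootupd_installed: read status text on stdin, print "<component> <installed>"
# for each component, suitable for an inventory or audit log line.
bootupd_installed() {
    awk '/^Component /             { comp = $2 }
         /^[[:space:]]*Installed:/ { print comp, $2 }'
}

# bootupd_needs_update: read status text on stdin; return 0 (true) when any
# component's Update line says something other than "At latest version".
bootupd_needs_update() {
    pending=$(grep -E '^[[:space:]]*Update:' | grep -vc 'At latest version' || true)
    [ "${pending:-0}" -gt 0 ]
}

# bootupd_update_if_needed: glue for a oneshot unit (run as root). Calls the
# real bootupctl only when status reports a pending update; safe to rerun.
bootupd_update_if_needed() {
    status=$(bootupctl status) || return 1
    printf '%s\n' "$status" | bootupd_installed | sed 's/^/bootupd installed: /'
    if printf '%s\n' "$status" | bootupd_needs_update; then
        bootupctl update
    else
        echo "bootupd: all components at latest version"
    fi
}
```

On a real system the ExecStart line of the unit above could point at a script that calls bootupd_update_if_needed, so the journal records the installed versions on every run and the update only happens when needed.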

Future versions may default to automatic updates

It is possible that future Fedora/CentOS bootc versions may default to automating bootloader updates similar to the above.