Updating the bootloader
bootupd
Updating the bootloader is not currently automatic. The bootupd project is included in Fedora CoreOS and may be used for manual updates.
This is usually only relevant on bare metal scenarios, or virtualized hypervisors that support Secure Boot. An example reason to update the bootloader is for the BootHole vulnerability.
At the moment, only the EFI system partition (i.e. not the BIOS MBR) can be updated by bootupd.
Inspect the system status:
# bootupctl status
Component EFI
Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
Update: At latest version
#
If an update is available, use bootupctl update
to apply it; the
change will take effect for the next reboot.
# bootupctl update
...
Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
#
variant: fcos
version: 1.5.0
systemd:
units:
- name: custom-bootupd-auto.service
enabled: true
contents: |
[Unit]
Description=Bootupd automatic update
[Service]
ExecStart=/usr/bin/bootupctl update
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Using images that predate bootupd
Older CoreOS images that predate the existence of bootupd need
an explicit "adoption" phase. If bootupctl status
says the component
is Adoptable
, perform the adoption with bootupctl adopt-and-update
.
# bootupctl adopt-and-update
...
Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
#
Want to help? Learn how to contribute to Fedora Docs ›