Chapter 2 Action Items
If you are using UEFI Secure Boot, you should be aware of the following action items when upgrading or downgrading packages on your system.
2.1 Upgrading
If you have previously enabled Secure Boot and you intend to
upgrade your kernel, you must ensure that you update
shim-x64, grub2 and
kernel packages as an atomic operation. If
these packages are not all updated, the Secure Boot process may
break and must be disabled until a full system upgrade is
complete.
The fwupdate-efi package is also affected by
this update. Although this package is not essential for boot,
you may wish to update it to a version that is equal to or
higher than the versions listed below if you have it installed.
If you upgrade your kernel to a version that is equal to, or higher than, a version signed with a new EV certificate, as described in Chapter 1, Notices, make sure the associated packages are upgraded to the specified versions or later.
You should pay attention to determine whether the kernel version that you intend to install or upgrade to is affected by a key update and install the appropriate minimum package versions at the same time.
2.2 Downgrading
If you have enabled Secure Boot, are running a current kernel
version signed with the latest EV certificate, and you intend to
downgrade kernel to a version lower than any listed in
Chapter 1, Notices; you must downgrade the
shim-x64, grub2 and
kernel packages as an atomic operation.
Ensure that the shim and
grub2 packages are lower
than the versions listed in
Chapter 1, Notices.
You should pay attention to determine whether the kernel version that you intend to downgrade to is affected by an alternate key update and install the appropriate package versions at the same time.