Freezing a Boot Configuration

You can "freeze" a boot configuration to block future changes to it by setting the frozen field to true (example boot configuration named xyzBoot):

scyld-bootctl -i xyzBoot update frozen=true

This blocks updates to any field in the boot configuration, stops any field data from being erased, and prevents the boot configuration from being deleted.

To re-enable changes, set frozen back to false (the default):

scyld-bootctl -i xyzBoot update frozen=false

Anyone who can set frozen=true can also set it to false and thus this mechanism primarily protects against accidental changes to "known good" boot configurations. It does not provide significant protection against malicious attacks.