diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 45ccf604..440eef48 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -33,6 +33,7 @@ ** OS updates *** xref:update-streams.adoc[Update Streams] *** xref:auto-updates.adoc[Auto-Updates] +*** xref:bootloader-updates.adoc[Bootloader Updates] ** Troubleshooting *** xref:manual-rollbacks.adoc[Manual Rollbacks] *** xref:access-recovery.adoc[Access Recovery] diff --git a/modules/ROOT/pages/bootloader-updates.adoc b/modules/ROOT/pages/bootloader-updates.adoc new file mode 100644 index 00000000..9488979b --- /dev/null +++ b/modules/ROOT/pages/bootloader-updates.adoc 
@@ -0,0 +1,79 @@ += Updating the bootloader + +== bootupd + +Updating the bootloader is not currently automatic. The https://github.com/coreos/bootupd/[bootupd] +project is included in Fedora CoreOS and may be used for manual updates. + +This is usually only relevant on bare metal scenarios, or virtualized +hypervisors that support Secure Boot. An example reason to update the +bootloader is for https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/[the BootHole vulnerablity]. + +Inspect the system status: + +[source,bash] +---- +# bootupctl status +Component EFI + Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64 + Update: At latest version +# +---- + +If an update is available, use `bootupctl update` to apply it; the +change will take effect for the next reboot. + +[source,bash] +---- +# bootupctl update +... +Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64 +# +---- + +.Example systemd unit to automate bootupd updates +[source,yaml] +---- +variant: fcos +version: 1.1.0 +systemd: + units: + - name: custom-bootupd-auto.service + enabled: true + contents: | + [Unit] + Description=Bootupd automatic update + + [Service] + ExecStart=/usr/bin/bootupctl update + RemainAfterExit=yes + + [Install] + WantedBy=multi-user.target +---- + +=== Using images that predate bootupd + +Older CoreOS images that predate the existence of bootupd need +an explicit "adoption" phase. You can see this by looking at +`bootupctl status` and if it says the component is "Adoptable". + +[source,bash] +---- +# bootupctl adopt-and-update +... +Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64 +# +---- + +=== Future versions may default to automatic updates + +It is possible that future Fedora CoreOS versions may default +to automating bootloader updates similar to the above. 
+If you choose to add a systemd unit per above (or manually +`ssh` to a node for updates), note that concurrent +`bootupctl update` invocations will not explicitly conflict. +The only side effect is that without explicit ordering, +one invocation may see and perform an update, and +the second may detect no update available. +
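Review bot: In the `custom-bootupd-auto.service` example in the new `bootloader-updates.adoc`, the `[Service]` section sets `RemainAfterExit=yes` but leaves the default `Type=simple`, so systemd marks the unit active as soon as `bootupctl update` is forked, not once it has finished; add `Type=oneshot` above `RemainAfterExit=yes` so that `systemctl status` and any `After=` ordering actually reflect whether the shim/grub update has been staged for the next reboot. The same section could also state explicitly that the unit runs `bootupctl update` on every boot and that an applied update only takes effect on the following reboot, since the page says this for the manual invocation but not for the automated one. Two smaller points in the same hunk: "vulnerablity" in the BootHole sentence should read "vulnerability", and "on bare metal scenarios" should read "in bare metal scenarios".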