diff --git a/data/meson.build b/data/meson.build
index 51384d47e..34c4db148 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -40,7 +40,7 @@ if get_option('systemd')
 rw_directories += join_paths (localstatedir, 'lib', 'fwupd')
 rw_directories += join_paths (default_sysconfdir, 'fwupd', 'remotes.d')
 if get_option('plugin_uefi')
- rw_directories += ['-/boot/efi', '-/boot', '-/efi']
+ rw_directories += ['-/boot/efi', '-/efi', '-/boot/EFI']
 endif
 dynamic_options = []
diff --git a/plugins/uefi/fu-uefi-common.c b/plugins/uefi/fu-uefi-common.c
index f87f15d6d..66a60e3f0 100644
--- a/plugins/uefi/fu-uefi-common.c
+++ b/plugins/uefi/fu-uefi-common.c
@@ -283,7 +283,18 @@ fu_uefi_check_esp_path (const gchar *path, GError **error)
 "%s was not mounted", path);
 return FALSE;
 }
- if (g_unix_mount_is_readonly (mount)) {
+ /* /boot is a special case because systemd sandboxing marks
+ * it read-only, but we need to write to /boot/EFI
+ */
+ if (g_strcmp0 (path, "/boot") == 0) {
+ if (!g_file_test ("/boot/EFI", G_FILE_TEST_IS_DIR)) {
+ g_set_error (error,
+ FWUPD_ERROR,
+ FWUPD_ERROR_NOT_SUPPORTED,
+ "%s/EFI does not exist", path);
+ return FALSE;
+ }
+ } else if (g_unix_mount_is_readonly (mount)) {
 g_set_error (error,
 FWUPD_ERROR,
 FWUPD_ERROR_NOT_SUPPORTED,
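Review bot: The `plugin_uefi` entry in `rw_directories` has no comment explaining why `-/boot` was replaced by `-/boot/EFI`, and it now depends on the hard-coded `"/boot/EFI"` literal in `fu_uefi_check_esp_path`. I would add above the changed line `# /boot stays read-only in the sandbox; only its EFI subdirectory is writable, keep in sync with fu_uefi_check_esp_path()`. Narrowing the writable area is a reasonable least-privilege step, but without the comment a later edit could re-add `-/boot` or change one of the two spellings and break either the sandbox or the ESP check. The enclosing `if get_option('systemd')` block starts and ends outside this hunk, so how the list is consumed is not visible here.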
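Review bot: The new `/boot` branch skips the read-only test altogether, so a `/boot` that is genuinely mounted read-only (not just by the sandbox) now passes `fu_uefi_check_esp_path` whenever `/boot/EFI` is a directory. The failure would then only surface later, at write time. A writability test on the subdirectory would keep the old guarantee, for example `if (g_access ("/boot/EFI", W_OK) != 0)` after the `g_file_test`, setting `FWUPD_ERROR_NOT_SUPPORTED` as the other branch does. The exact-match `g_strcmp0 (path, "/boot") == 0` also means an equivalent spelling such as a trailing slash would fall through to the read-only branch; whether callers normalise `path` is not visible here. The function starts before this hunk and continues after it.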