In bug 1126900, comment 14, I may have found a solution to mitigate the read-only root file system specific problem mentioned in comment 4: linking the grubenv file to a writable subvolume would make it possible to write the 'env_block' variable when calling grub2-editenv. However, this approach also doesn't solve the problem that GRUB is not able to write an environment variable until grub2-editenv has been called from userspace at least once.