Updated dom0, rebooted, verified TOTP success and Nitrokey flashing green; however, once I selected default boot I received the following error message:
Under Heads, this is normal when you update dom0 and there is any change to /boot.
TOTP and Nitrokey green show you that the firmware has not been tampered with.
The next step in the chain of trust validation is checking that the checksums file for /boot is valid and signed using the GPG key embedded in the firmware.
In your case, the hashes/checksums of the files in /boot did not match and you got this error.
If you just updated dom0, and you know that kernel, initrd (or any other file signed in /boot) was changed, then it's normal and you can go ahead and re-sign /boot as being valid (or you can take more investigative steps to make sure - check your threat model for your approach).
If you were not expecting that, it's bad.
That makes sense - thank you!
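
To see which files account for a mismatch like the one discussed in this thread, the following added example (not part of the original posts and not Heads code) compares a directory against a sha256sum-format manifest and reports changed, missing and unlisted files. The manifest layout, the function names and the sample tree are assumptions; it checks hashes only, not the GPG signature on the manifest.

```shell
#!/bin/sh
# Added example, not Heads code. Assumption: the manifest is in sha256sum
# text format ("<64 hex chars>  <path>") with paths relative to DIR, and is
# stored outside DIR.

# boot_diff MANIFEST DIR -> prints "CHANGED p", "MISSING p" or "NEW p".
boot_diff() {
    manifest=$1
    dir=$2
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    (
        cd "$dir" || exit 2
        # Files the manifest lists: compare recorded and current hash.
        while read -r want path; do
            [ -n "$path" ] || continue
            if [ ! -f "$path" ]; then
                echo "MISSING $path"
                continue
            fi
            have=$(sha256sum "$path" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "CHANGED $path"
        done < "$manifest"
        # Files on disk the manifest does not cover (path starts at col 67).
        find . -type f | while read -r path; do
            cut -c67- "$manifest" | grep -qxF -- "$path" || echo "NEW $path"
        done
    )
}

# Constructed sample tree standing in for /boot; file names are made up.
boot_diff_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/boot"
    echo kernel-v1 > "$tmp/boot/vmlinuz"
    echo initrd-v1 > "$tmp/boot/initrd.img"
    echo menu-v1 > "$tmp/boot/grub.cfg"
    (cd "$tmp/boot" && sha256sum ./vmlinuz ./initrd.img ./grub.cfg) > "$tmp/manifest"
    echo kernel-v2 > "$tmp/boot/vmlinuz"   # replaced, as a dom0 update would
    rm "$tmp/boot/grub.cfg"                # listed but gone
    echo data > "$tmp/boot/extra.bin"      # present but never listed
    boot_diff "$tmp/manifest" "$tmp/boot"
    rm -rf "$tmp"
}

boot_diff_demo
```

A kernel or initrd entry marked CHANGED right after a dom0 update matches the expected case described above; anything else in the output is what deserves a closer look before re-signing.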