Boot hash mismatch following dom0 update

Updated dom0, rebooted, verified TOTP success and nitrokey flashing green however once I selected default boot I received the following error message

Under heads, this is normal when you update dom0 and there is any change to /boot

TOTP and nitrokey green show you that the firmware has not been tampered with.

The next step in the chain of trust validation is by checking the checksums file for /boot is valid and signed using the gpg key embedded in the firmware.

in your case, the hashes/checksums of the files in /boot did not match and you got this error

If you just updated dom0, and you know that kernel, initrd (or any other file signed in /boot) was changed, then its normal and you can go ahead and re-sign /boot as being valid (or you can take more investigative steps to make sure - check your threat model for your approach)

If you were not expecting that, its bad.


That makes sense - thank you!