OK, so I have a new setup with Heads. Is it normal to get a boot hash mismatch immediately after restarting with an updated dom0?
If there is a new kernel or Xen update, yes those files will change.
You must check that the modified files correspond to the update (I think they do) and use the USB security dongle to re-sign /boot.
All this is intended (and that is precisely one of the security features the system offers).
See also this:
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
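
One way to do the check described above before re-signing /boot, as an added example that is not part of the original posts: it compares the current files against a sha256sum-format manifest taken before the update. The manifest location, its `./`-relative paths and the file-name patterns for kernel and Xen files are assumptions.

```shell
#!/bin/sh
# Assumption: MANIFEST was written before the update from inside BOOTDIR,
# e.g.  cd /boot && find . -type f | xargs sha256sum > /path/to/manifest
# so every entry is "<sha256>  ./relative/path".

# boot_changes MANIFEST BOOTDIR
# Prints "CHANGED|MISSING|NEW <path>" for each difference.
boot_changes() {
    manifest=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    (
        cd "$2" || exit 2
        # Pass 1: recompute the hash of every file the manifest lists.
        while read -r want path; do
            path=${path#\*}   # drop sha256sum's binary-mode marker
            if [ ! -f "$path" ]; then
                echo "MISSING $path"
                continue
            fi
            have=$(sha256sum "$path" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "CHANGED $path"
        done < "$manifest"
        # Pass 2: files present now that the manifest never listed.
        # The path field starts at column 67 (64 hex digits + 2 chars).
        find . -type f ! -name "$(basename "$manifest")" |
        while read -r f; do
            cut -c67- "$manifest" | grep -qxF -- "$f" || echo "NEW $f"
        done
    )
}

# unexpected_changes: reads boot_changes output on stdin and keeps only
# the lines a kernel or Xen update would not explain. The name patterns
# are assumptions about a typical dom0 /boot, not taken from the thread.
unexpected_changes() {
    grep -Ev '^[A-Z]+ \./(vmlinuz-|initramfs-|xen-|System\.map-|config-|grub2/grub\.cfg$)' || true
}
```

A name match only narrows the review: it shows which files changed, not that their new contents came from the update.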