Normal for a heads boot mismatch after updating dom0?

OK so I have a new setup with heads, is it normal to get a boot hash mismatch immediately after restarting with an updated dom0?

If there is a new kernel or Xen update, yes those files will change.

1 Like

you must check if the modified files correspond to the update (I think they do) and use the usb security dongle to re-sign /boot
All this is intended (and that is precisely one of the security the system offers)

See also this:

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.