If you need to boot a broken system to fix it, add this to the kernel command line (via GRUB or U-Boot):
The knewrootfsverificationerror is a symptom of process failure, not a hardware bug. To prevent it:
The rootfs was signed with a different key than the one baked into the bootloader or TPM policy. Common after:
Find your signing key:
In your CI/CD pipeline, generate a unique build ID. Use this ID to tag both the rootfs image and its verity hash file. Never mix files from different builds.