EVE-OS 14.5.4 LTS Release Notes

Article Published Date: 6/12/2026

The latest 14.5.4 LTS release is available at https://github.com/lf-edge/eve/releases/tag/14.5.4-lts

For a change log between 14.5.3-lts and 14.5.4-lts, see: https://github.com/lf-edge/eve/compare/14.5.3-lts...14.5.4-lts 

Enhancements

Security

  • Dynamic PCR policy for disk encryption. The Edge Infrastructure Services can now define which TPM Platform Configuration Register (PCR) indexes are used to seal the disk encryption key on edge nodes. This gives administrators more granular control over hardware-backed security policy without requiring a full firmware update. When the controller sends a new PCR policy alongside the encrypted vault key, EVE-OS (Edge Virtualization Engine) validates and persists the policy, then re-seals the disk key using the updated PCR selection.

Hardware

  • Configurable VM boot order. IT administrators can now control the boot device priority for KVM-based edge apps. Boot order can be set to default (firmware default), usb (USB first), or nousb (USB deprioritized) through Edge Infrastructure Services configuration or through a Local Profile Server (LPS). When both sources provide a boot order setting, the LPS value takes precedence. EVE-OS passes the effective boot order to the OVMF UEFI firmware via QEMU firmware configuration, and reports the active setting and its source back to the LPS.
  • Improved eSIM detection for cellular modems. EVE-OS now uses the eUICC Identifier (EID) to reliably distinguish embedded SIM (eSIM) slots from physical SIM slots on cellular modems. Previously, ModemManager often reported SIM type as "unknown," causing edge nodes with eSIM hardware to get stuck on the unsupported eSIM slot instead of automatically switching to an available physical SIM slot. EVE-OS also handles cases where ModemManager returns empty D-Bus slot paths by falling back to the primary modem SIM object for slot property queries.

Resolved Issues and Fixes

Security

  • CVE-2026-31431 kernel patch. Kernel commits were updated across all supported architectures (x86-64, ARM64, RISC-V) to include the fix for CVE-2026-31431.
  • TLS root CA loaded from /config. EVE-OS now loads the TLS root certificate authority directly from the /config partition instead of /persist/certs.
  • Bootstrap config failure on missing ECDH certificate. Fixed a failure that occurred during bootstrap configuration processing when the controller certificate bundle did not include an ECDH (Elliptic-curve Diffie-Hellman) exchange certificate. EVE-OS now correctly validates that both signing and ECDH leaf certificates are present before accepting a certificate chain.

Networking

  • SR-IOV Virtual Function creation stability. Multiple fixes were applied to SR-IOV (Single Root I/O Virtualization) Virtual Function (VF) management. EVE-OS no longer terminates the SR-IOV agent with a fatal error when VF creation fails. Physical Function (PF) interfaces are now explicitly brought up before VFs are created, and user configuration is correctly propagated to VFs after creation. These fixes improve reliability on hardware platforms that use SR-IOV for high-performance network passthrough.
  • IPv4-only static configuration. Fixed a regression where static IPv4-only network configuration was not applied correctly, causing connectivity failures on edge nodes configured with a static IP address and no IPv6.
  • dnsmasq updated to 2.92rel2. The built-in dnsmasq DNS and DHCP service was updated to version 2.92rel2, incorporating upstream security and stability fixes.

Storage

  • SAS token corruption in Azure Blob Storage downloads. Fixed a bug in the downloader where Azure Shared Access Signature (SAS) tokens were corrupted when constructing datastore URLs, causing image download failures from Azure Blob Storage datastores.

Observability

  • Excessive log flooding on VM restart. Fixed a bug in the QEMU Monitor Protocol (QMP) event handler that caused a flood of log entries each time a KVM edge container was restarted. Excessive log volume could obscure other diagnostic information and fill log buffers prematurely.
  • newlog gzip header sanitization. Fixed an issue where filenames containing non-Latin-1 characters were written into gzip file headers in newlog output. Non-Latin-1 characters are invalid in gzip headers and could cause log consumers to reject or fail to parse log archives.
  • Debug diagnostics JSON output. Fixed invalid JSON output from spec.sh in the debug package when no hardware devices are present on the edge node. Malformed JSON prevented automated tooling from parsing diagnostic reports correctly.
  • vTPM log rotation. EVE-OS now applies log rotation to swtpm (software TPM) process logs. This prevents unbounded disk usage on edge nodes running edge containers that use virtual TPMs for guest OS security features.
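
The gzip header constraint behind the newlog item above, shown as an added Go example (not EVE-OS code): RFC 1952 defines the header filename field as ISO 8859-1, and Go's compress/gzip writer returns an error for a name outside that range. The function names, the '_' replacement policy and the sample filename are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"strings"
)

// sanitizeGzipName keeps only runes that fit the Latin-1 FNAME field (no NUL,
// nothing above U+00FF). Replacing the rest with '_' is an assumed policy.
func sanitizeGzipName(name string) string {
	return strings.Map(func(r rune) rune {
		if r == 0 || r > 0xff {
			return '_'
		}
		return r
	}, name)
}

// writeGzip compresses payload with name stored in the gzip header.
func writeGzip(name string, payload []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Name = name
	if _, err := zw.Write(payload); err != nil {
		return nil, err // header is emitted on first Write; a bad name fails here
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readGzipName returns the header filename a log consumer would see.
func readGzipName(archive []byte) (string, error) {
	zr, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return "", err
	}
	defer zr.Close()
	return zr.Name, nil
}

func main() {
	raw := "app-журнал.log" // constructed sample filename with non-Latin-1 runes
	_, err := writeGzip(raw, []byte("log line\n"))
	fmt.Println("raw name error:", err, "| sanitized:", sanitizeGzipName(raw))
}
```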

Stability

  • Potential panic in device information publish. Fixed a regression that could cause a nil pointer dereference panic in the triggerPublishAllInfo code path, which is responsible for publishing edge node status and inventory information to the Edge Infrastructure Services.
  • Orphaned vTPM process cleanup. EVE-OS now terminates orphaned swtpm processes when an edge container domain is inactivated. Previously, leftover swtpm processes could hold open file descriptors and consume system resources after their associated domain was shut down.