About LapEE
LapEE is the Laptop Execution Environment. It packages HyperBEAM as a single-purpose appliance OS for commodity laptops.
LapEE is not a desktop mode. The target machine boots the appliance image, starts HyperBEAM, and exposes evidence about the boot and runtime node identity.
What It Builds
The default runtime image is a UEFI boot image with:
- A signed UKI at
EFI/Boot/BootX64.efi. - Linux, Buildroot initramfs, Erlang, HyperBEAM, and LapEE TPM devices.
- TPM-backed boot attestation endpoints.
- A console splash that shows the live node URL and QR code.
- Optional ESP inputs for WiFi and public operator config.
What The TPM Adds
LapEE uses TPM 2.0 to bind the running node to measured state:
- Firmware and the UKI produce boot measurements.
- LapEE startup builds a subject containing system evidence, node evidence, and TPM evidence.
- LapEE computes the HyperBEAM
node-message-id. - LapEE extends runtime PCR 15 with that node-message id.
- LapEE creates an AK whose policy is bound to PCRs
0,1,7,10,11,14,15. - LapEE quotes those PCRs.
That lets a verifier check the chain from TPM quote to PCR replay to HyperBEAM node identity.
What Verifiers Ask
The verifier question is not just "is a laptop online?"
The verifier asks:
- Which boot path produced this node?
- Which TPM signed the quote?
- Does the AK policy bind the right PCRs?
- Does PCR 15 replay to the node-message id?
- Which HyperBEAM key is speaking for the node?
Boundary
LapEE provides evidence for one appliance node. It does not prove firmware is honest, remove every physical attack, prove Linux or HyperBEAM bug-free, or isolate mutually distrustful workloads inside one kernel.
Its job is narrower: reduce the production runtime surface and make boot/runtime identity observable.