Images
LapEE images are USB appliance images for laptops. They are not cloud VM disks.
Pick the channel, verify the artifact, write it to removable media, boot the machine, then verify the live node.
| Name | Status | Artifact | Description |
|---|---|---|---|
| vanilla-secure/ | launch channel | .img.zst | Default UEFI + TPM 2.0 path. Use this for TPM quote-backed boot attestation, AK policy checks, PCR 15 replay, and node message binding. |
| NO_TPM/ | planned channel | .img.zst | Reduced local assurance path for deployments that explicitly accept no TPM-backed quote. Do not describe it as equivalent to the default image. |
Expected Layout
Release indexes are intentionally plain:
    vanilla-secure/
        lapee-vanilla-secure-VERSION-x86_64.img.zst
        lapee-vanilla-secure-VERSION-x86_64.img.zst.sha256
        lapee-vanilla-secure-VERSION-x86_64.img.zst.sig
        RELEASE.txt
    NO_TPM/
        lapee-no-tpm-VERSION-x86_64.img.zst
        lapee-no-tpm-VERSION-x86_64.img.zst.sha256
        lapee-no-tpm-VERSION-x86_64.img.zst.sig
        RELEASE.txt
Exact filenames are release controlled. Use the release note for the current version and signing policy.
Choose A Channel
Use vanilla-secure/ by default.
It expects UEFI and TPM 2.0. On physical hardware, the production build also expects Intel TME or AMD SME unless the release notes say otherwise.
Use NO_TPM/ only when the deployment has made a separate trust decision for
that weaker hardware path. It cannot provide the same TPM-backed quote and AK
policy evidence as the default channel.
Do not confuse NO_TPM with the source-tree TME=0 build. TME=0 disables the
memory-encryption gate and records that fact in the measured command line. It
does not remove TPM attestation.
Verify Before Writing
Linux:
    sha256sum -c lapee-vanilla-secure-VERSION-x86_64.img.zst.sha256
macOS:
    shasum -a 256 -c lapee-vanilla-secure-VERSION-x86_64.img.zst.sha256
If a release signature is published, verify it before writing the image. The release note should state the signing key or verification method.
Write
Linux:
    zstdcat lapee-vanilla-secure-VERSION-x86_64.img.zst \
      | sudo dd of=/dev/sdX bs=16M status=progress conv=fsync
macOS:
    zstdcat lapee-vanilla-secure-VERSION-x86_64.img.zst \
      | sudo dd of=/dev/rdiskN bs=16m
    sync
Writing the image erases everything on the target device, so confirm that /dev/sdX or /dev/rdiskN is the removable media before running dd.
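The "Verify Before Writing" and "Write" steps above, combined into one fail-closed wrapper that also checks the checksum file really covers the image being written. This is an added example, not LapEE project code: the function names sha256_of, verify_image and write_image are hypothetical, write_image uses the Linux form of the write command, and a published release signature must still be checked with the method the release note gives.

```shell
#!/bin/sh
# Added example: verify the image against its .sha256 file, then write it.
# Function names are hypothetical; the tools are the ones this page already uses.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if IMG.sha256 has an entry for IMG's own filename and the
# digest matches. 1 = mismatch, 2 = file missing, 3 = no entry for this image.
verify_image() {
    img=$1
    sums="$img.sha256"
    name=$(basename "$img")
    [ -f "$img" ] && [ -f "$sums" ] || { echo "missing $img or $sums" >&2; return 2; }
    # Checksum lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode).
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }' "$sums")
    [ -n "$want" ] || { echo "$sums has no entry for $name" >&2; return 3; }
    have=$(sha256_of "$img")
    [ "$want" = "$have" ] || { echo "digest mismatch for $name" >&2; return 1; }
}

# Linux write path: refuse unless verification passed and DEV is a block device.
write_image() {
    img=$1
    dev=$2
    verify_image "$img" || return $?
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 4; }
    zstdcat "$img" | sudo dd of="$dev" bs=16M status=progress conv=fsync
}
```

A matching digest shows the download is intact relative to the published checksum file; it says nothing about who published that file, which is what the .sig check is for.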
Image Contents
The runtime image is a GPT disk with one FAT32 EFI System Partition.
The ESP contains:
- EFI/Boot/BootX64.efi signed UKI.
- LAPEE.MARKER.
- README.TXT.
- Optional wifi.conf.
- Optional config.json.
- Optional Secure Boot enrollment files for provisioner images.
Runtime startup copies accepted ESP inputs into tmpfs, unmounts the boot USB, detaches the boot device, deauthorizes USB, then starts HyperBEAM.