
Verify A Node

Verification runs from another machine. Use the URL shown on the LapEE splash screen.

export LAPEE_URL=http://HOST:8734

Live Capture

Fetch the full boot-attestation bundle:

curl -fsSL \
-H 'accept: application/json' \
-H 'accept-bundle: true' \
"$LAPEE_URL/~tpm@2.0a/boot-attestation" \
-o boot-attestation.json

The supported live dashboard path uses the same endpoint:

make hb-fetch
./scripts/interpret-local-capture.sh \
--url "$LAPEE_URL" \
--label "operator-check"

Output:

build/hyperbeam/src-edge/out/local-capture/operator-check/
input.bin
claim.json
interpret.json
interpret.txt
input-preview.txt
dashboard.html

What Is Checked

The verifier checks:

  • EK certificate chain against measured TPM vendor root CAs.
  • TPM2 quote signature.
  • Quote nonce.
  • Quote pcrDigest.
  • PCR value set and PCR selection.
  • AK authPolicy for PCRs 0,1,7,10,11,14,15.
  • Runtime PCR 15 replay.
  • PCR 15 event commitment to node-message-id.
  • Embedded node message and HyperBEAM message id shape.

The dashboard also interprets Secure Boot state, kernel lockdown, IOMMU, TME or SME, CPU identity, DMI, TPM identity, firmware data, measured command line, and TCG event-log replay when present.

Policy Verdict

The dashboard writes claim.json. The high-level result is in:

policy-verdict

Use the detailed sections for policy decisions. A warning is not the same as a failed quote. For example, Secure Boot off can be a warning in an evaluation environment, while quote signature failure or PCR 15 replay failure means the core binding did not verify.
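The checks listed under What Is Checked, and the distinction above between a failed core binding and a policy warning, as an added Python example. This is not LapEE, HyperBEAM or verifier_hb.py code. The bundle field names (quote.extraData, quote.pcrSelect, quote.pcrDigest, pcrs, runtime_log_pcr15, node_message.id, platform), the node-message-id: commitment encoding, the 43-character base64url id shape and the verdict strings are assumptions for illustration, and the sample bundle is constructed inline. It re-derives the nonce, PCR selection, pcrDigest, PCR 15 replay and PCR 15 commitment checks; quote signature and EK chain verification need the AK public key and vendor roots and are left to the page's own verifiers.

```python
"""Added example (not LapEE code): re-derives the non-signature checks of a
boot-attestation bundle on a constructed sample and separates core failures
from policy warnings.  Bundle layout, field names, the commitment encoding
and the verdict strings are ASSUMPTIONS for illustration."""
from __future__ import annotations

import base64
import hashlib
import json
import re

# PCRs named by the AK authPolicy on this page; a SHA-256 bank is assumed.
PCR_SELECTION = (0, 1, 7, 10, 11, 14, 15)
ZERO_PCR = b"\x00" * 32
# Assumed id shape: 43-character base64url (an unpadded SHA-256 digest).
MESSAGE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
# Assumed encoding of the PCR 15 event that commits to the node message id.
COMMITMENT_PREFIX = b"node-message-id:"


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR' = H(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_runtime_log(events: list[bytes]) -> bytes:
    """Replay PCR 15 from the runtime log; assumes each entry extends SHA-256(event)."""
    pcr = ZERO_PCR
    for event in events:
        pcr = extend(pcr, hashlib.sha256(event).digest())
    return pcr


def pcr_digest(pcrs: dict[int, bytes], selection=PCR_SELECTION) -> bytes:
    """TPM2_Quote pcrDigest: hash of the selected PCR values concatenated in index order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def verify_bundle(bundle: dict, expected_nonce: bytes) -> dict:
    """Return core check results, policy warnings and an overall verdict."""
    quote = bundle["quote"]
    pcrs = {int(i): bytes.fromhex(v) for i, v in bundle["pcrs"].items()}
    events = [bytes.fromhex(e) for e in bundle["runtime_log_pcr15"]]
    msg_id = bundle["node_message"]["id"]

    # Core binding: any failure here means the quote does not vouch for this node message.
    core = {
        "quote_nonce": bytes.fromhex(quote["extraData"]) == expected_nonce,
        "pcr_selection": sorted(quote["pcrSelect"]) == list(PCR_SELECTION),
        "pcr_digest": bytes.fromhex(quote["pcrDigest"]) == pcr_digest(pcrs),
        "pcr15_replay": replay_runtime_log(events) == pcrs[15],
        "pcr15_commitment": (COMMITMENT_PREFIX + msg_id.encode()) in events,
        "node_message_shape": MESSAGE_ID_RE.match(msg_id) is not None,
    }
    # Policy interpretation: reported as warnings, not as a failed quote.
    warnings = []
    platform = bundle.get("platform", {})
    if not platform.get("secure_boot", False):
        warnings.append("secure_boot_off")
    if platform.get("kernel_lockdown", "none") == "none":
        warnings.append("kernel_lockdown_off")

    if not all(core.values()):
        verdict = "fail"
    elif warnings:
        verdict = "pass-with-warnings"
    else:
        verdict = "pass"
    return {"policy-verdict": verdict, "core": core, "warnings": warnings}


def build_sample_bundle(nonce: bytes, msg_id: str, tamper_log: bool = False) -> dict:
    """Constructed sample bundle; with tamper_log the runtime log is edited after the quote."""
    events = [b"lapee-runtime-start", COMMITMENT_PREFIX + msg_id.encode()]
    pcrs = {i: hashlib.sha256(b"constructed-pcr-%d" % i).digest() for i in PCR_SELECTION}
    pcrs[15] = replay_runtime_log(events)
    if tamper_log:
        events[0] = b"edited-after-quote"  # log no longer matches the quoted PCR 15
    quote = {
        "extraData": nonce.hex(),
        "pcrSelect": list(PCR_SELECTION),
        "pcrDigest": pcr_digest(pcrs).hex(),
    }
    return {
        "quote": quote,
        "pcrs": {str(i): v.hex() for i, v in pcrs.items()},
        "runtime_log_pcr15": [e.hex() for e in events],
        "node_message": {"id": msg_id},
        "platform": {"secure_boot": False, "kernel_lockdown": "integrity"},
    }


SAMPLE_NONCE = bytes(range(32))  # constructed operator nonce
SAMPLE_ID = base64.urlsafe_b64encode(
    hashlib.sha256(b"constructed node message").digest()).rstrip(b"=").decode()

if __name__ == "__main__":
    for tampered in (False, True):
        result = verify_bundle(build_sample_bundle(SAMPLE_NONCE, SAMPLE_ID, tampered), SAMPLE_NONCE)
        print(json.dumps(result, indent=2))
```

Run as-is it verifies the clean sample (verdict pass-with-warnings, because Secure Boot is off in the constructed platform data) and then the same bundle with one runtime event edited after the quote, where pcrDigest still matches the quoted PCRs but the PCR 15 replay fails and the verdict becomes fail.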

Secondary External Verifier

For a smaller dependency surface, use the Python verifier on a captured bundle:

python3 secondary-external-verifier/verifier_hb.py boot-attestation.json

It checks:

  • EK chain.
  • Quote signature, nonce, and pcrDigest.
  • AK policy.
  • Runtime PCR 15 replay.
  • PCR 15 commitment to the node-message id.
  • Node message shape.

Exit code 0 means all checks passed. Exit code 1 means at least one check failed.

Raw Event Logs

interpret-local-capture.sh can parse a raw TCG event log, but that is not the preferred live verification path. The boot-attestation bundle is stronger input because it binds the TPM quote, runtime log, TCG log, and node message in one attested message.