Verification
Verification starts from the node URL shown by the splash, host logs, or release launch output.
export NODE_URL=http://HOST:8734
Capture Boot Evidence
Fetch the boot measurement bundle:
curl -fsS \
-H 'accept: application/json' \
-H 'accept-bundle: true' \
"$NODE_URL/~measurement@1.0/boot" \
-o boot-measurement.json
The node can also replay-check its cached boot measurement:
curl -fsS \
-H 'accept: application/json' \
-H 'accept-bundle: true' \
"$NODE_URL/~measurement@1.0/boot/~measurement@1.0/verify"
Core Endpoints
| Endpoint | Use |
|---|---|
~measurement@1.0/boot | Primary boot measurement bundle. |
~measurement@1.0/fresh?nonce=N | Fresh nonce-bound measurement. |
~system@1.0/all | Redacted system evidence. |
~meta@1.0/info | Public node message and operator config. |
~tpm@2.0a/info | LapEE TPM readiness and identity metadata. |
~snp@1.0/info | SEV-SNP readiness and report metadata when available. |
Use explicit accept: application/json or accept: text/plain headers for
machine-readable output. For linked AO values and encoded lists, also send
accept-bundle: true.
What Verification Checks
For LapEE TPM evidence, a verifier checks:
- TPM EK chain or accepted TPM trust material.
- TPM quote signature, nonce, PCR selection, and
pcrDigest. - AK policy bound to PCRs
0,1,7,10,11,14,15. - Runtime PCR 15 replay.
- PCR 15 event commitment to
node-message-id. - Secure Boot state, UKI identity, kernel command line, lockdown, IOMMU, and memory-encryption signals according to policy.
- Public node message values such as profile name, trusted device signers, and remote-device loading policy.
TEE / SEV-SNP evidence uses the same ~measurement@1.0 front door but a
different backend evidence shape through ~snp@1.0.
Profile Checks
For a paid-bundler LapEE node:
curl -fsS -H 'accept: text/plain' \
"$NODE_URL/~meta@1.0/info/lapee-profile"
curl -fsS -H 'accept: text/plain' \
"$NODE_URL/~meta@1.0/info/load-remote-devices"
curl -fsS \
-H 'accept: application/json' \
-H 'accept-bundle: true' \
"$NODE_URL/~meta@1.0/info/trusted-device-signers" \
| jq '[to_entries[] | select(.key | test("^[0-9]+$")) | .value]'
The verifier must compare those values with the profile it intended to accept.
The signer list is AO json@1.0 list encoding, so the raw response uses
numeric object keys rather than a plain JSON array.
Policy Verdict
A valid quote is not automatically an accepted node. Policy decides which release image, Secure Boot state, memory-encryption posture, profile, signer set, and hardware evidence are acceptable.
Secure Boot off, a no-TME command line, or missing EK material may be a warning or a rejection depending on policy. PCR 15 replay failure or quote signature failure is a core verification failure.