Skip to main content

Verification

Verification starts from the node URL shown by the splash, host logs, or release launch output.

export NODE_URL=http://HOST:8734

Capture Boot Evidence

Fetch the boot measurement bundle:

curl -fsS \
-H 'accept: application/json' \
-H 'accept-bundle: true' \
"$NODE_URL/~measurement@1.0/boot" \
-o boot-measurement.json

The node can also replay-check its cached boot measurement:

curl -fsS \
-H 'accept: application/json' \
-H 'accept-bundle: true' \
"$NODE_URL/~measurement@1.0/boot/~measurement@1.0/verify"

Core Endpoints

EndpointUse
~measurement@1.0/bootPrimary boot measurement bundle.
~measurement@1.0/fresh?nonce=NFresh nonce-bound measurement.
~system@1.0/allRedacted system evidence.
~meta@1.0/infoPublic node message and operator config.
~tpm@2.0a/infoLapEE TPM readiness and identity metadata.
~snp@1.0/infoSEV-SNP readiness and report metadata when available.

Use explicit accept: application/json or accept: text/plain headers for machine-readable output. For linked AO values and encoded lists, also send accept-bundle: true.

What Verification Checks

For LapEE TPM evidence, a verifier checks:

  • TPM EK chain or accepted TPM trust material.
  • TPM quote signature, nonce, PCR selection, and pcrDigest.
  • AK policy bound to PCRs 0,1,7,10,11,14,15.
  • Runtime PCR 15 replay.
  • PCR 15 event commitment to node-message-id.
  • Secure Boot state, UKI identity, kernel command line, lockdown, IOMMU, and memory-encryption signals according to policy.
  • Public node message values such as profile name, trusted device signers, and remote-device loading policy.

TEE / SEV-SNP evidence uses the same ~measurement@1.0 front door but a different backend evidence shape through ~snp@1.0.

Profile Checks

For a paid-bundler LapEE node:

curl -fsS -H 'accept: text/plain' \
"$NODE_URL/~meta@1.0/info/lapee-profile"
curl -fsS -H 'accept: text/plain' \
"$NODE_URL/~meta@1.0/info/load-remote-devices"
curl -fsS \
-H 'accept: application/json' \
-H 'accept-bundle: true' \
"$NODE_URL/~meta@1.0/info/trusted-device-signers" \
| jq '[to_entries[] | select(.key | test("^[0-9]+$")) | .value]'

The verifier must compare those values with the profile it intended to accept. The signer list is AO json@1.0 list encoding, so the raw response uses numeric object keys rather than a plain JSON array.

Policy Verdict

A valid quote is not automatically an accepted node. Policy decides which release image, Secure Boot state, memory-encryption posture, profile, signer set, and hardware evidence are acceptable.

Secure Boot off, a no-TME command line, or missing EK material may be a warning or a rejection depending on policy. PCR 15 replay failure or quote signature failure is a core verification failure.