
security: verify attestation report signatures (VCEK / DCAP / EK) #370

Description

@imran-siddique

Tracked follow-up from the June 2026 org-wide security hardening review. Wave 1/2 fixes are merged and published; this is remaining hardening.

The verifier currently treats the platform report signature as unverified (documented in LIMITATIONS.md). Implement real report-signature verification: SEV-SNP VCEK chain from AMD KDS; Intel TDX Quote via QVL/PCS; TPM AK cert + tpm2_checkquote. Needs vendor libraries + real-hardware test vectors. Until then, status must not claim hardware-backed verification.
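As an added example (not the project's code), here is a minimal shape for the verifier contract this issue asks for, written in Go with the standard library only: the leaf signing certificate must chain through an intermediate to a configured trusted root, the ECDSA P-384 signature over the report body must verify, and every other outcome is reported as `unverified` with a reason, never as hardware-backed. The certificate chain is generated locally as a stand-in for a vendor chain (ARK/ASK/VCEK for SEV-SNP, or a TPM EK/AK chain), the report body is a constructed byte string rather than a real SNP, TDX or TPM structure, and the function and type names (`VerifyReport`, `BuildConstructedChain`, `SignReport`) are assumptions. A real implementation additionally needs the vendor report formats, TCB and revocation handling, and the real-hardware test vectors the issue calls for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Status is what the verifier reports; only StatusVerified may be called hardware-backed.
type Status string

const (
	StatusVerified   Status = "verified"   // chain and signature both checked
	StatusUnverified Status = "unverified" // check not performed or failed
)

// Result pairs the status with a reason so "not checked" is never mistaken for "checked out".
type Result struct {
	Status Status
	Reason string
}

// VerifyReport chains the leaf signing cert (VCEK/AK stand-in) through the
// intermediate (ASK stand-in) to a trusted root, then checks the ECDSA P-384
// signature over SHA-384(body). No failure path returns StatusVerified.
func VerifyReport(body, sig []byte, leaf, inter *x509.Certificate, roots *x509.CertPool) Result {
	if roots == nil || leaf == nil || inter == nil {
		return Result{StatusUnverified, "trusted root or chain certificate missing"}
	}
	intermediates := x509.NewCertPool()
	intermediates.AddCert(inter)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates}); err != nil {
		return Result{StatusUnverified, "chain: " + err.Error()}
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P384() {
		return Result{StatusUnverified, "leaf key is not ECDSA P-384"}
	}
	digest := sha512.Sum384(body)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Result{StatusUnverified, "report signature does not verify"}
	}
	return Result{StatusVerified, "chain and signature verified"}
}

// ConstructedChain is a locally generated root -> intermediate -> leaf chain
// standing in for a vendor chain (test scaffolding, not vendor data).
type ConstructedChain struct {
	Roots       *x509.CertPool
	Inter, Leaf *x509.Certificate
	LeafKey     *ecdsa.PrivateKey
}

// must panics on error; used only by the scaffolding below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-384 key and certificate from a constructed template;
// a nil parent makes the certificate self-signed.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildConstructedChain generates the three-level stand-in chain.
func BuildConstructedChain() *ConstructedChain {
	root, rootKey := issue("constructed-root", 1, true, nil, nil)
	inter, interKey := issue("constructed-intermediate", 2, true, root, rootKey)
	leaf, leafKey := issue("constructed-leaf", 3, false, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &ConstructedChain{roots, inter, leaf, leafKey}
}

// SignReport is the signer side (platform firmware stand-in) used in tests.
func SignReport(key *ecdsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha512.Sum384(body)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
```

The design point is the `Result` type: a caller that only sees `Status` still cannot read a missing root, a broken chain or a bad signature as success, which is the property the issue wants preserved until the vendor-specific verification (KDS chain, QVL/PCS, tpm2_checkquote) lands. Exercise it with a `go test` that signs a constructed body with the leaf key, then tampers with the body and swaps in a foreign root to confirm both paths come back `unverified`.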

Metadata

Assignees: No one assigned
Labels: No labels
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests