Tracked follow-up from the June 2026 org-wide security hardening review. Wave 1/2 fixes are merged and published; this is remaining hardening.
The verifier currently treats the platform report signature as unverified (documented in LIMITATIONS.md). Implement real report-signature verification: SEV-SNP VCEK chain from AMD KDS; Intel TDX Quote via QVL/PCS; TPM AK cert + tpm2_checkquote. Needs vendor libraries + real-hardware test vectors. Until then, status must not claim hardware-backed verification.
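A fail-closed status gate for the last requirement above, as an added example that is not the project's own code. `Status`, `ReportCheck`, `REQUIRED_ANCHOR` and the anchor label strings are hypothetical names; the signature and chain checks themselves are assumed to be performed by the vendor libraries and passed in as results.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(str, Enum):
    HARDWARE_BACKED = "hardware-backed"
    UNVERIFIED = "report-signature-unverified"
    REJECTED = "rejected"


# Hypothetical labels: the trust anchor the issue names for each platform.
REQUIRED_ANCHOR = {
    "sev-snp": "amd-kds-vcek-chain",
    "tdx": "intel-qvl-pcs",
    "tpm": "ak-cert+tpm2_checkquote",
}


@dataclass(frozen=True)
class ReportCheck:
    platform: str
    measurements_match: bool
    # Tri-state: None means the check was never attempted, which is what
    # the verifier does today. It must not be read as "valid".
    signature_valid: Optional[bool]
    # Which trust anchor the signature was validated against, if any.
    anchor: Optional[str]


def attestation_status(check: ReportCheck) -> Status:
    """Map a report check to the strongest status it can support."""
    required = REQUIRED_ANCHOR.get(check.platform)
    if required is None:
        return Status.REJECTED  # unknown platform: no anchor to trust
    if not check.measurements_match or check.signature_valid is False:
        return Status.REJECTED  # explicit failure is never downgraded
    if check.signature_valid is True and check.anchor == required:
        return Status.HARDWARE_BACKED
    # Not attempted, or validated against something other than the vendor
    # anchor (for example a test key): measurements parsed, not proven.
    return Status.UNVERIFIED
```

A signature that validates against a non-vendor key lands in `UNVERIFIED`, the case most likely to be mislabelled once partial verification code exists.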