Tracked follow-up from the June 2026 org-wide security hardening review. Wave 1/2 fixes are merged and published; this is remaining hardening.
For SEV-SNP/TDX the cnf.jwk <-> report_data binding is currently advisory (a mismatch is non-fatal), and the TDX report_data is read from a best-effort, likely wrong offset. Extract report_data from the parsed raw_evidence at the correct documented offset and require it to equal jwk_thumbprint(cnf.jwk.x); a mismatch must be fatal on all hardware platforms.
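One shape the fail-closed check could take, written here as an added example rather than code from this project. The report_data offsets, the use of an RFC 7638 thumbprint for `jwk_thumbprint(cnf.jwk.x)`, and the zero-padding of the 32-byte thumbprint to 64 bytes are all assumptions to be confirmed against the vendor documentation and the project's own binding convention.

```python
import hashlib
import hmac
import json

# REPORT_DATA offsets inside the raw evidence, as this example reads the public SEV-SNP
# ATTESTATION_REPORT and TDX Quote v4 layouts: assumptions to verify against vendor docs.
REPORT_DATA_LAYOUT = {
    "sev-snp": (0x50, 64),  # ATTESTATION_REPORT.REPORT_DATA
    "tdx": (48 + 520, 64),  # 48-byte quote header + REPORTDATA at TD report body offset 520
}

class BindingError(Exception):
    """cnf.jwk is not bound to the hardware report; the verifier must fail closed."""

def extract_report_data(platform: str, raw_evidence: bytes) -> bytes:
    if platform not in REPORT_DATA_LAYOUT:
        raise BindingError(f"unsupported hardware platform: {platform}")
    offset, length = REPORT_DATA_LAYOUT[platform]
    if len(raw_evidence) < offset + length:
        raise BindingError("raw_evidence too short to contain report_data")
    return raw_evidence[offset:offset + length]

def jwk_thumbprint(jwk: dict) -> bytes:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"OKP": ("crv", "kty", "x"), "EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(canonical.encode()).digest()

def expected_report_data(cnf_jwk: dict, length: int = 64) -> bytes:
    # Assumed binding convention: 32-byte thumbprint left-aligned, zero-padded to 64 bytes.
    return jwk_thumbprint(cnf_jwk).ljust(length, b"\x00")

def verify_cnf_binding(platform: str, raw_evidence: bytes, cnf_jwk: dict) -> None:
    """Raise on any mismatch, for every platform: there is no advisory mode."""
    actual = extract_report_data(platform, raw_evidence)
    if not hmac.compare_digest(actual, expected_report_data(cnf_jwk, len(actual))):
        raise BindingError("report_data != jwk_thumbprint(cnf.jwk)")

def binding_holds(platform: str, raw_evidence: bytes, cnf_jwk: dict) -> bool:
    try:
        verify_cnf_binding(platform, raw_evidence, cnf_jwk)
        return True
    except BindingError:
        return False

# Constructed sample: an OKP JWK and a fake, truncated SEV-SNP report carrying its thumbprint.
SAMPLE_JWK = {"kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}
SAMPLE_EVIDENCE = bytes(0x50) + expected_report_data(SAMPLE_JWK) + bytes(64)
TAMPERED_EVIDENCE = SAMPLE_EVIDENCE[:0x50] + bytes([SAMPLE_EVIDENCE[0x50] ^ 1]) + SAMPLE_EVIDENCE[0x51:]
```

An unknown platform, a short blob, or a single flipped bit in report_data all surface as `BindingError`, so the caller cannot fall through to an advisory path.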