a single eat-based quote format and verifier. one receipt, rooted in the hardware vendor's own key hierarchy, verifies identically on aws nitro, amd sev-snp, and intel tdx, on any cloud or on bare metal.
```
# verifier only — no tee required
$ cargo build --release --bin uq
$ uq check https://<host>/
verified · quote re-checked against pinned vendor root
```
```
# live attested-TLS endpoint — verify it yourself, no tee needed
$ uq check https://3.138.156.141/
spki binding PASS · quote signature PASS · chain PASS   # stage1 → stage0
# 3.138.156.141 is a genuine SevSnp TEE running Value X 174dbc6ab29abf3d

# or re-verify the captured receipt offline:
$ uq verify deploy/live-snp/snp-verified.json
binding PASS · quote binding PASS · measurement PASS
signature chain PASS   # report → vlek → asvk → ark-milan (pinned)
measurement b756dde7…b8da7617
```
```
# azure runs sev-snp under the vTOM paravisor — no /dev/sev-guest.
# served over attested-TLS: the leaf cert *is* the evidence (no ca in chain).
$ uq azure check-tls https://attest.secure.build:8443/
channel binding PASS   # cert SPKI bound into the AK quote
verdict verified · sig PASS · chain PASS   # vcek → ask → ark-milan (pinned)
measurement 41f77fe5…f4fab503 · value_x dde6f4c1…
```
a nitro attestation roots to aws, not to silicon: it covers the guest image, but its trust chain terminates at the aws nitro root ca. sev-snp and tdx root in the cpu vendor instead. and on an aws snp instance the hardware MEASUREMENT only covers the ovmf firmware; the kernel and initrd are measured into nitrotpm pcrs, not into the snp report. we link both roots through one field, REPORT_DATA:
```
# two independent hardware roots, cryptographically chained
nitrotpm doc                      # COSE_Sign1 (nitro-signed) → kernel PCR 0-7
      │ sha256(doc)
      ▼
REPORT_DATA[0..32]   bound        # amd-signed → vouches a genuine SNP TEE collected it
REPORT_DATA[32..64]  = value_x    # source identity
# result: amd silicon (firmware) + aws nitro (kernel) → one receipt, no host trust
```
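the REPORT_DATA chaining above, as an added example (not the uq project's code): a python check that re-derives `sha256(doc) || value_x` and compares it, field by field, against a constructed, unsigned snp report fixture. the field offsets follow the SEV-SNP ATTESTATION_REPORT layout from the amd firmware abi spec; the nitro doc, value_x and measurement bytes are placeholders constructed here, and the report signature is assumed to have already been verified against the pinned amd root, since a binding check on an unverified report proves nothing.

```python
import hashlib
import hmac

# offsets from the SEV-SNP ATTESTATION_REPORT structure (amd sev-snp firmware abi spec).
# the report is 0x4A0 bytes; only the fields this check reads are named here.
REPORT_LEN = 0x4A0
REPORT_DATA_OFF, REPORT_DATA_LEN = 0x50, 64
MEASUREMENT_OFF, MEASUREMENT_LEN = 0x90, 48


def build_report_data(nitro_doc: bytes, value_x: bytes) -> bytes:
    """REPORT_DATA the guest hands to the snp firmware: sha256(doc) || value_x."""
    if len(value_x) != 32:
        raise ValueError("value_x must be 32 bytes")
    return hashlib.sha256(nitro_doc).digest() + value_x


def fake_snp_report(report_data: bytes, measurement: bytes) -> bytes:
    """constructed, UNSIGNED stand-in for a report so the check runs offline.
    a real report comes from the firmware and carries a vcek/vlek signature;
    this fixture only lays the two fields out at their real offsets."""
    if len(report_data) != REPORT_DATA_LEN or len(measurement) != MEASUREMENT_LEN:
        raise ValueError("bad field length")
    buf = bytearray(REPORT_LEN)
    buf[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_LEN] = report_data
    buf[MEASUREMENT_OFF:MEASUREMENT_OFF + MEASUREMENT_LEN] = measurement
    return bytes(buf)


def check_binding(report: bytes, nitro_doc: bytes, value_x: bytes,
                  expected_measurement: bytes) -> dict:
    """re-derive what REPORT_DATA must contain and compare field by field.
    assumes the caller has ALREADY verified the report signature against the
    pinned amd root (report → vcek/vlek → ask/asvk → ark)."""
    if len(report) != REPORT_LEN:
        raise ValueError("not an snp attestation report")
    rd = report[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_LEN]
    meas = report[MEASUREMENT_OFF:MEASUREMENT_OFF + MEASUREMENT_LEN]
    return {
        # amd-signed hash of the nitro doc: the doc this verifier holds is the one the tee saw
        "doc_binding": hmac.compare_digest(rd[:32], hashlib.sha256(nitro_doc).digest()),
        # source identity travels in the upper half of the field
        "value_x": hmac.compare_digest(rd[32:], value_x),
        # ovmf firmware measurement against the value the verifier pins
        "measurement": hmac.compare_digest(meas, expected_measurement),
    }


def all_pass(verdict: dict) -> bool:
    return all(verdict.values())


# constructed sample inputs: not real nitro output, not a real measurement
SAMPLE_DOC = b"\xd2\x84" + b"constructed COSE_Sign1 placeholder carrying PCR0-7"
SAMPLE_VALUE_X = hashlib.sha256(b"constructed value_x source identity").digest()
SAMPLE_MEASUREMENT = hashlib.sha384(b"constructed ovmf measurement").digest()  # 48 bytes
SAMPLE_REPORT = fake_snp_report(build_report_data(SAMPLE_DOC, SAMPLE_VALUE_X),
                                SAMPLE_MEASUREMENT)

if __name__ == "__main__":
    verdict = check_binding(SAMPLE_REPORT, SAMPLE_DOC, SAMPLE_VALUE_X, SAMPLE_MEASUREMENT)
    for field, ok in verdict.items():
        print(f"{field:12} {'PASS' if ok else 'FAIL'}")
    # a doc swapped after the fact no longer matches the amd-signed hash
    tampered = SAMPLE_DOC[:-1] + b"!"
    print("tampered doc binding:",
          check_binding(SAMPLE_REPORT, tampered, SAMPLE_VALUE_X, SAMPLE_MEASUREMENT)["doc_binding"])
```

the point of the split field: the nitro doc is verified on its own chain (aws root) for the kernel pcrs, and the snp report is verified on its chain (amd root) for the firmware measurement; only the sha256 in REPORT_DATA[0..32] ties the two together, so a doc that fails `doc_binding` is an unrelated nitro document, not evidence for this tee.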