// Technology / Hardware-Rooted Trust

The node has to prove itself.

QHx can use TPM v2.0 evidence, endorsement roots, and PCR policy to determine whether a node should receive identity.

// Mechanism

Platform trust precedes workload trust.

QHx Attestor verifies node evidence before QHx PKI issues a machine identity. Workload identities then inherit the trust boundary of the node on which they run.

  • TPM evidence: Quoted PCR values and endorsement key trust can be evaluated against policy.
  • Policy gate: The PKI Server issues identity only if attestation verification succeeds.
  • Measured state: Boot, firmware, and platform configuration can become part of admission.
  • Deployment choice: TPM policy can be enabled where hardware-backed assurance is required and omitted where unavailable.

No measured platform. No platform identity.
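The admission gate described under Mechanism, as an added illustration rather than QHx Attestor or QHx PKI code: an endorsement-key allowlist check, a comparison of quoted PCR values against policy, and a replay of the measured-boot event log to confirm that the log actually produces the quoted PCRs. All fingerprints, measurements and the event log are constructed sample values; the quote signature by the attestation key is assumed to have been verified upstream and is not shown.

```python
# Added example of a TPM 2.0 attestation policy gate (not QHx code).
from __future__ import annotations

import hashlib
from dataclasses import dataclass

PCR_INIT = b"\x00" * 32  # SHA-256 PCR banks start as all zeros at reset


def extend_pcr(current: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank: PCR' = H(PCR || measurement)."""
    return hashlib.sha256(current + measurement).digest()


def replay_event_log(events: list[tuple[int, bytes]]) -> dict[int, bytes]:
    """Recompute the PCR values a measured-boot event log should produce."""
    pcrs: dict[int, bytes] = {}
    for pcr_index, measurement in events:
        pcrs[pcr_index] = extend_pcr(pcrs.get(pcr_index, PCR_INIT), measurement)
    return pcrs


@dataclass(frozen=True)
class AdmissionPolicy:
    trusted_ek_fingerprints: frozenset[str]   # endorsement roots the verifier accepts
    expected_pcrs: dict[int, bytes]           # golden PCR values required for admission


@dataclass(frozen=True)
class NodeEvidence:
    ek_fingerprint: str                       # fingerprint of the node's endorsement key
    quoted_pcrs: dict[int, bytes]             # PCR values carried in the (assumed-verified) quote
    event_log: list[tuple[int, bytes]]        # (pcr_index, measurement) pairs the node reports


def evaluate_admission(evidence: NodeEvidence, policy: AdmissionPolicy) -> tuple[bool, list[str]]:
    """Return (admit, reasons). Identity is issued only when reasons is empty."""
    reasons: list[str] = []
    if evidence.ek_fingerprint not in policy.trusted_ek_fingerprints:
        reasons.append("endorsement key not in trusted roots")
    replayed = replay_event_log(evidence.event_log)
    for idx, expected in policy.expected_pcrs.items():
        quoted = evidence.quoted_pcrs.get(idx)
        if quoted is None:
            reasons.append(f"PCR{idx} missing from quote")
            continue
        if quoted != expected:
            reasons.append(f"PCR{idx} does not match policy")
        if replayed.get(idx) != quoted:
            # The log the node presents must reproduce what the TPM attested to;
            # a mismatch means the log was edited or belongs to a different boot.
            reasons.append(f"PCR{idx} event log does not replay to quoted value")
    return (not reasons, reasons)


# --- constructed sample data ---------------------------------------------------
def _measure(label: str) -> bytes:
    """Stand-in for a real component digest; labels are constructed for the example."""
    return hashlib.sha256(label.encode()).digest()


GOLDEN_LOG = [
    (0, _measure("firmware-v1")),        # PCR0: firmware code
    (0, _measure("firmware-config")),    # PCR0: firmware configuration
    (7, _measure("secure-boot-db")),     # PCR7: secure boot policy
]
TAMPERED_LOG = [(0, _measure("firmware-v1-modified"))] + GOLDEN_LOG[1:]

POLICY = AdmissionPolicy(
    trusted_ek_fingerprints=frozenset({"ek-fpr-constructed-0001"}),
    expected_pcrs=replay_event_log(GOLDEN_LOG),
)


def good_node() -> NodeEvidence:
    return NodeEvidence("ek-fpr-constructed-0001", replay_event_log(GOLDEN_LOG), GOLDEN_LOG)


def tampered_firmware_node() -> NodeEvidence:
    return NodeEvidence("ek-fpr-constructed-0001", replay_event_log(TAMPERED_LOG), TAMPERED_LOG)


def unknown_ek_node() -> NodeEvidence:
    return NodeEvidence("ek-fpr-constructed-9999", replay_event_log(GOLDEN_LOG), GOLDEN_LOG)


def forged_log_node() -> NodeEvidence:
    # Quote matches policy, but the presented log does not reproduce it.
    return NodeEvidence("ek-fpr-constructed-0001", POLICY.expected_pcrs, TAMPERED_LOG)


if __name__ == "__main__":
    for name, node in [("good", good_node()), ("tampered", tampered_firmware_node()),
                       ("unknown-ek", unknown_ek_node()), ("forged-log", forged_log_node())]:
        admit, reasons = evaluate_admission(node, POLICY)
        print(f"{name}: {'ISSUE IDENTITY' if admit else 'DENY'} {reasons}")
```

The gate fails closed: any unmatched root, unexpected PCR, missing PCR, or log that does not replay denies issuance, which is the "No measured platform. No platform identity." rule expressed as code. A production verifier would additionally check the quote signature and nonce against the attestation key and bind that key to the endorsement hierarchy.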