This proposal changes what MigTD measures into RTMR1. Today RTMR1 extends over the raw bytes of the policy/identity issuer certificate chain. This makes RTMR1 far more sensitive than the runtime trust model: validate_peer_cert_chain only requires a matching root CA (DER) and leaf Subject — not the leaf key or exact chain bytes.
This mismatch causes three problems: (1) routine leaf-key rotation churns RTMR1, forcing a new build and endorsement for a runtime no-op; (2) regional leaf certificates fragment RTMR1 into one value per region despite an identical trust anchor; (3) CoRIM-based Azure (MAA) attestation embeds the chain via x5chain, so hashing the chain into RTMR1 duplicates it as a second source of truth.
Proposed fix: extend RTMR1 over a stable signer anchor A = H("MIGTD-RTMR1-ANCHOR-V1" || R || S), where R = H(DER(root)) and S = H(DER(leaf subject)). The CFV still ships the full chain (unchanged); only the hashed input changes.
Benefits: no rotation churn, region-independent measurement, no CoRIM duplication, and RTMR1 sensitivity that exactly matches the runtime trust model. Root-CA changes remain visible. Scope: RTMR1 only.
This is a follow-up on #908, and the full proposal is in the second commit of PR #910.
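An added example, not code from the MigTD repository: it computes the proposed anchor A over constructed toy certificates and shows that rotating the leaf key leaves A unchanged while a hash over the raw chain bytes moves. SHA-384 for H, the minimal DER walker, the toy encoder and every certificate value are assumptions made for illustration.

```python
import hashlib

LABEL = b"MIGTD-RTMR1-ANCHOR-V1"  # domain-separation label from the proposal

def H(data: bytes) -> bytes:
    # Assumption: H is SHA-384 (RTMR digest size); the proposal text does not name H.
    return hashlib.sha384(data).digest()

def read_tlv(buf: bytes, off: int):
    """Parse one DER TLV at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def subject_der(cert: bytes) -> bytes:
    """Return the DER bytes of tbsCertificate.subject (RFC 5280 field order)."""
    _, off, _ = read_tlv(cert, 0)        # Certificate
    _, off, _ = read_tlv(cert, off)      # tbsCertificate
    tag, _, end = read_tlv(cert, off)
    if tag == 0xA0:                      # optional [0] version
        off = end
    for _ in range(4):                   # serialNumber, signature, issuer, validity
        _, _, off = read_tlv(cert, off)
    _, _, end = read_tlv(cert, off)
    return cert[off:end]

def signer_anchor(root_der: bytes, leaf_der: bytes) -> bytes:
    # R and S are fixed-length digests, so plain concatenation is unambiguous.
    return H(LABEL + H(root_der) + H(subject_der(leaf_der)))

def tlv(tag: int, *parts: bytes) -> bytes:
    body = b"".join(parts)
    if len(body) > 127:
        raise ValueError("toy encoder is short-form only")
    return bytes([tag, len(body)]) + body

def toy_cert(subject_cn: bytes, key: bytes) -> bytes:
    """Constructed, unsigned stand-in with a certificate's field layout."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), tlv(0x30),
              name(b"Example Root"), tlv(0x30), name(subject_cn), tlv(0x03, b"\x00" + key))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00sig"))

ROOT = toy_cert(b"Example Root", b"root-key")
LEAF_OLD = toy_cert(b"Example Issuer", b"leaf-key-1")
LEAF_ROTATED = toy_cert(b"Example Issuer", b"leaf-key-2")  # same Subject, new key
```

Comparing `signer_anchor(ROOT, LEAF_OLD)` with `signer_anchor(ROOT, LEAF_ROTATED)` gives equal digests, while `H(ROOT + LEAF_OLD)` and `H(ROOT + LEAF_ROTATED)` differ; swapping the root or the leaf Subject changes the anchor.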