The coverage is measured into a PCR of the Confidential VM's vTPM (which happens to be matched in The real key release policy to the KMS with the envisioned policy hash for that deployment) and enforced by a hardened https://jeanowsb402502.bloggosite.com/36935356/confidential-ai-fortanix-things-to-know-before-you-buy
