During boot, a PCR in the vTPM is extended with the root of the Merkle tree, and later on verified by the KMS ahead of releasing the HPKE private critical. All subsequent reads from the foundation partition are checked https://keybookmarks.com/story18401821/the-definitive-guide-to-confidential-employee
