Recipe: HSM key integration design
How Meridian binds license material to hardware-backed keys stored in TPM or external HSMs, ensuring private key material never leaves the secure enclave.
1. Key hierarchy
The HSM holds a persistent asymmetric root (TPM EK or vendor-provisioned attestation key). Meridian derives per-license Ed25519 sub-keys inside the enclave using HKDF-SHA512, with the license UUID as the HKDF info input. The public half of each sub-key is exported; the private half stays sealed in the enclave.
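Added example, not code from Meridian: the derivation step above written out with a standard-library HKDF-SHA512 that takes the license UUID as its info input. The root secret, the salt label and the sample UUID are constructed values; in the design this runs inside the TPM/HSM so the root never leaves. Python's standard library has no Ed25519, so the example stops at the 32-byte seed that would feed the enclave's key generation. The HKDF routine is parameterised by hash so it can be checked against the published RFC 5869 vectors.

```python
import hashlib
import hmac
import uuid

# Constructed stand-in for the HSM-resident root secret. In the design this
# material is generated and used only inside the TPM/HSM; it is a sample value
# here so the derivation can run offline.
ROOT_SECRET = bytes.fromhex("9f" * 32)

# Domain-separation salt for the licensing sub-key derivation. The label text is
# an assumption of this example, not a value from the Meridian design.
SUBKEY_SALT = b"meridian/license-subkey/v1"

ED25519_SEED_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha512") -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        # RFC 5869: an absent salt is a string of HashLen zero bytes.
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """RFC 5869 expand step: OKM = T(1) | T(2) | ... truncated to `length`,
    where T(i) = HMAC-Hash(PRK, T(i-1) | info | i) and T(0) is empty."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """Full HKDF: extract, then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_subkey_seed(root_secret: bytes, license_id) -> bytes:
    """Derive the 32-byte Ed25519 seed for one license.

    The license UUID, in its canonical 16-byte form, is the HKDF info input, so
    distinct licenses yield independent sub-keys and the same license always
    yields the same one. Inside the enclave this seed would feed Ed25519 key
    generation; only the resulting public half is exported.
    """
    lic = license_id if isinstance(license_id, uuid.UUID) else uuid.UUID(str(license_id))
    return hkdf(SUBKEY_SALT, root_secret, lic.bytes, ED25519_SEED_LEN, "sha512")


if __name__ == "__main__":
    sample_license = "12345678-1234-5678-1234-567812345678"  # constructed sample UUID
    print(derive_subkey_seed(ROOT_SECRET, sample_license).hex())
```

Because HKDF is deterministic, a server that knows the root can reproduce any license's public half, but nothing in the derivation lets a holder of one sub-key's seed recover the root or a sibling license's seed.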
2. Enrollment flow
On first launch the loader requests an HSM-backed CSR. The TPM signs a nonce + machine fingerprint blob. Meridian's license server verifies the attestation, issues an X.509 leaf bound to the sub-key, and stores the certificate chain in the local license cache.
3. Runtime signing
Every heartbeat and integrity challenge is signed by the HSM-resident sub-key. The server validates the signature against the enrolled public key. If the enclave is unavailable the session is refused — no fallback to software keys.
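Added example covering the enrollment challenge of section 2 and the runtime heartbeat of section 3 as one exchange; it is not code from the Meridian project. It uses Ed25519 from the `cryptography` package. EnclaveStandIn is a software stand-in for the HSM-resident sub-key that exposes only a sign() interface, the message framing and the nonce lifetime are assumptions of this example, and the fingerprint is a constructed byte string. The server keeps every nonce single-use and binds the fingerprint into what is signed, and the client refuses the session when the enclave is unreachable rather than signing with anything else.

```python
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


class EnclaveUnavailable(Exception):
    """The HSM/TPM cannot be reached. Callers refuse the session; nothing falls back."""


class EnclaveStandIn:
    """Software stand-in for the HSM-resident sub-key (this example only).
    Like a real enclave it exposes only sign() and the public half."""

    def __init__(self):
        self._key = Ed25519PrivateKey.generate()
        self.available = True  # set False to simulate the HSM going away

    def public_bytes(self) -> bytes:
        return self._key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def sign(self, message: bytes) -> bytes:
        if not self.available:
            raise EnclaveUnavailable("HSM/TPM not reachable")
        return self._key.sign(message)


def challenge_message(kind: bytes, nonce: bytes, fingerprint: bytes) -> bytes:
    """What the enclave signs: challenge kind, server nonce and machine fingerprint,
    domain-separated and length-prefixed (framing is an assumption of this example)."""
    return (b"meridian-v1|" + kind + b"|"
            + len(nonce).to_bytes(2, "big") + nonce
            + len(fingerprint).to_bytes(2, "big") + fingerprint)


def verify(pubkey: bytes, message: bytes, signature: bytes) -> bool:
    try:
        Ed25519PublicKey.from_public_bytes(pubkey).verify(signature, message)
        return True
    except InvalidSignature:
        return False


class LicenseServer:
    """Server side: single-use nonces, enrollment binding, heartbeat checks."""

    def __init__(self, nonce_ttl: float = 30.0):
        self.nonce_ttl = nonce_ttl
        self._pending = {}   # nonce -> (license_id, issued_at)
        self._enrolled = {}  # license_id -> enrolled sub-key public bytes

    def issue_nonce(self, license_id: str, now: float) -> bytes:
        nonce = os.urandom(32)
        self._pending[nonce] = (license_id, now)
        return nonce

    def _consume_nonce(self, nonce: bytes, license_id: str, now: float) -> bool:
        # pop() makes each nonce single-use, so a captured response cannot be replayed
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        owner, issued_at = entry
        return owner == license_id and 0 <= now - issued_at <= self.nonce_ttl

    def enroll(self, license_id, pubkey, fingerprint, nonce, signature, now) -> bool:
        if license_id in self._enrolled:
            return False  # already bound to a key; re-binding only via the migration flow
        if not self._consume_nonce(nonce, license_id, now):
            return False
        if not verify(pubkey, challenge_message(b"enroll", nonce, fingerprint), signature):
            return False
        self._enrolled[license_id] = pubkey
        return True

    def heartbeat(self, license_id, fingerprint, nonce, signature, now) -> bool:
        pubkey = self._enrolled.get(license_id)
        if pubkey is None or not self._consume_nonce(nonce, license_id, now):
            return False
        return verify(pubkey, challenge_message(b"heartbeat", nonce, fingerprint), signature)


def client_round(kind: bytes, enclave, server, license_id: str, fingerprint: bytes, now: float) -> bool:
    """Client side of one challenge (kind is b"enroll" or b"heartbeat"): fetch a
    nonce, have the enclave sign it, submit. Returns whether the server accepted."""
    nonce = server.issue_nonce(license_id, now)
    try:
        sig = enclave.sign(challenge_message(kind, nonce, fingerprint))
    except EnclaveUnavailable:
        return False  # refused outright; there is no software-key path to fall back on
    if kind == b"enroll":
        return server.enroll(license_id, enclave.public_bytes(), fingerprint, nonce, sig, now)
    return server.heartbeat(license_id, fingerprint, nonce, sig, now)
```

The real enrollment also carries the TPM attestation over the sub-key and ends with an X.509 leaf; the example keeps only the challenge-response core so the nonce, fingerprint and refusal behaviour are visible on their own.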
4. Recovery & migration
License transfers require a signed de-enrollment token from the old machine. The new machine performs a fresh attestation and the server atomically swaps the bound public key. Offline grace windows are issued as HMAC-tagged tokens and validated against the last known HSM state.
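Added example, not Meridian's code, for the offline grace window: an HMAC-SHA256-tagged token that binds a license id, an issuance window and a digest of the last known HSM state, and the validation that rejects it once any of those no longer matches. The design text does not say who holds the MAC key or how the token is laid out, so the key holder, the token format, the domain prefix and all sample values are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json


class GraceTokenError(Exception):
    """Any validation failure. The loader treats them all alike: no offline grace."""


# Domain-separation prefix so grace tags cannot be confused with other MACs under
# the same key. The label is an assumption of this example.
GRACE_DOMAIN = b"meridian-grace-v1|"


def hsm_state_digest(subkey_public: bytes, leaf_cert_der: bytes) -> str:
    """Fingerprint of the last known HSM state: the enrolled sub-key public half
    plus the X.509 leaf issued for it. Re-enrollment or migration changes it."""
    framed = len(subkey_public).to_bytes(2, "big") + subkey_public + leaf_cert_der
    return hashlib.sha256(framed).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_grace_token(grace_key: bytes, license_id: str, state: str,
                      issued_at: int, window_seconds: int) -> str:
    """Mint a token valid for [issued_at, issued_at + window_seconds)."""
    body = {"lid": license_id, "st": state, "iat": issued_at, "exp": issued_at + window_seconds}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(grace_key, GRACE_DOMAIN + payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate_grace_token(grace_key: bytes, token: str, license_id: str,
                         current_state: str, now: int) -> dict:
    """Check the tag before trusting the payload, then bind the token to this
    license, the current HSM state and the present time. Returns the body."""
    parts = token.split(".")
    if len(parts) != 2:
        raise GraceTokenError("malformed token")
    try:
        payload, tag = _unb64(parts[0]), _unb64(parts[1])
    except ValueError:  # base64 padding/alphabet errors subclass ValueError
        raise GraceTokenError("malformed token")
    expected = hmac.new(grace_key, GRACE_DOMAIN + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise GraceTokenError("authentication tag mismatch")
    body = json.loads(payload)
    if body.get("lid") != license_id:
        raise GraceTokenError("token issued for a different license")
    if body.get("st") != current_state:
        raise GraceTokenError("HSM state changed since the token was issued")
    if not (body["iat"] <= now < body["exp"]):
        raise GraceTokenError("outside the grace window")
    return body


def grace_allowed(grace_key: bytes, token: str, license_id: str, current_state: str, now: int) -> bool:
    """Boolean form of validate_grace_token for callers that only need a decision."""
    try:
        validate_grace_token(grace_key, token, license_id, current_state, now)
        return True
    except GraceTokenError:
        return False
```

Binding the state digest into the token is what makes a grace window useless after a migration: once the server has swapped the bound public key, a token minted against the old enrollment fails the state check even though its tag and window are still intact.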