Hey folks. Running into a real head-scratcher with NemoClaw's remote attestation on my new bare-metal cluster.
My setup:
* Three-node Proxmox 8 cluster on Supermicro X11SDV boards (Intel Xeon D-2141IT).
* OpenClaw deployed via k3s on the cluster, using Longhorn for storage.
* Hardware TPM 2.0 modules are present, enabled, and cleared. I can see them in `/dev/tpm0` on each host.
* I'm following the NemoClaw docs for bare-metal attestation setup.
The problem: The attestation service consistently fails verification. The NemoClaw agent logs show "Quote verification failed" or "TPM quote nonce mismatch." I've double-checked the following:
* The AK/EK certs are correctly generated and registered in the NemoClaw portal.
* The `nemo-attestation` service is running and can reach the TPM.
* System time is synchronized via NTP on all nodes.
What I've tried:
* Re-generating the AK and re-registering the node.
* Ensuring no other process (like `tpm2-abrmd`) is holding a lock on the TPM.
* Checking the PCR values (especially 0-7) against a known-good baseline from a fresh boot.
Has anyone else gone through this on bare metal? Specifically:
* Are there known issues with certain TPM firmware versions on Supermicro boards?
* Could there be a PCR extension happening during the Proxmox or k3s boot process that I'm missing?
* Any gotchas with the quote policy or nonce generation in a multi-node setup?
My gut says it's something simple in the chain of trust between the measured boot and the agent runtime, but I've been staring at TPM event logs for two days. Any pointers would be appreciated.
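One way to narrow down the "PCR extension I'm missing" question is to replay the event log yourself and diff the result against the fresh-boot baseline, so the report names the events behind any drifted PCR rather than just the mismatching digest. This is an added example in Python, not code from the original post or from NemoClaw; the event digests and descriptions are constructed, and the simplified `(pcr_index, digest, description)` event tuple is an assumption standing in for the real TCG event-log binary format.

```python
import hashlib

def d(label: str) -> bytes:
    """Hypothetical measured-object digest derived from a label (constructed sample data)."""
    return hashlib.sha256(label.encode()).digest()

# Constructed fresh-boot baseline: (pcr_index, sha256 digest, description)
BASELINE_EVENTS = [
    (0, d("EV_S_CRTM_VERSION"), "firmware version string"),
    (0, d("EV_EFI_PLATFORM_FIRMWARE_BLOB"), "platform firmware blob"),
    (7, d("SecureBoot=0"), "SecureBoot variable"),
    (7, d("db"), "db variable"),
]
# Constructed later boot: same chain plus one extra extend into PCR 7.
OBSERVED_EVENTS = BASELINE_EVENTS + [
    (7, d("EV_EFI_BOOT_SERVICES_APPLICATION"), "extra boot-time measurement"),
]

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2 extend for a SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events):
    """Recompute PCR values by replaying events in log order; PCRs 0-7 start at 32 zero bytes."""
    pcrs = {}
    for idx, digest, _ in events:
        pcrs[idx] = extend(pcrs.get(idx, bytes(32)), digest)
    return pcrs

def explain_drift(baseline_pcrs, observed_events, watch=range(8)):
    """Return {pcr: [event descriptions]} for watched PCRs whose replayed value differs from baseline."""
    observed = replay(observed_events)
    drift = {}
    for idx in watch:
        if observed.get(idx) != baseline_pcrs.get(idx):
            drift[idx] = [desc for i, _, desc in observed_events if i == idx]
    return drift

def pcr_digest(pcrs, selection):
    """Composite digest a quote carries over the selected PCRs (values concatenated in index order)."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()

if __name__ == "__main__":
    baseline = replay(BASELINE_EVENTS)
    for pcr, events in explain_drift(baseline, OBSERVED_EVENTS).items():
        print(f"PCR {pcr} drifted; events extending it: {events}")
```

If the replayed values match what `tpm2_pcrread` reports but the quote still fails, the problem is downstream of measured boot (nonce handling or the quote policy) rather than an unexpected extension.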