diff --git a/Cargo.lock b/Cargo.lock
index 2d38d7bab..fe3723fff 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4427,15 +4427,13 @@ dependencies = [
 name = "task-sp-measure"
 version = "0.1.0"
 dependencies = [
- "anyhow",
+ "attest-api",
 "build-util",
 "drv-sp-ctrl-api",
- "idol",
- "quote",
 "ringbuf",
- "serde",
 "sha3",
 "userlib",
+ "zerocopy",
 ]
 [[package]]
diff --git a/app/oxide-rot-1/app-dev.toml b/app/oxide-rot-1/app-dev.toml
index 9c32fd09f..0eb6cddb1 100644
--- a/app/oxide-rot-1/app-dev.toml
+++ b/app/oxide-rot-1/app-dev.toml
@@ -148,8 +148,8 @@ task-slots = ["swd"]
 [tasks.sp_measure]
 name = "task-sp-measure"
 priority = 6
-max-sizes = {flash = 131072, ram = 8192}
-task-slots = ["swd"]
+max-sizes = {flash = 12400, ram = 8192}
+task-slots = ["attest", "swd"]
 stacksize = 2048
 [tasks.sp_measure.config]
diff --git a/app/rot-carrier/app.toml b/app/rot-carrier/app.toml
index 4bbbe4268..330a0688e 100644
--- a/app/rot-carrier/app.toml
+++ b/app/rot-carrier/app.toml
@@ -27,6 +27,9 @@ features = ["itm"]
 stacksize = 1536
 notifications = ["fault", "timer"]
+[tasks.jefe.config]
+tasks-to-hold = ["sp_measure"]
+
 [tasks.jefe.config.allowed-callers]
 request_reset = ["update_server"]
@@ -194,13 +197,10 @@ task-slots = ["gpio_driver", "swd", "update_server"]
 [tasks.sp_measure]
 name = "task-sp-measure"
 priority = 6
-max-sizes = {flash = 131072, ram = 8192}
-task-slots = ["swd"]
+max-sizes = {flash = 12400, ram = 8192}
+task-slots = ["attest", "swd"]
 stacksize = 2048
-[tasks.sp_measure.config]
-binary_path = "../../target/gemini-bu/dist/final.bin"
-
 [tasks.attest]
 name = "task-attest"
 priority = 5
diff --git a/task/sp_measure/Cargo.toml b/task/sp_measure/Cargo.toml
index 55b5757e5..bddc1e171 100644
--- a/task/sp_measure/Cargo.toml
+++ b/task/sp_measure/Cargo.toml
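Review bot: The `app/oxide-rot-1/app-dev.toml` hunk gives `sp_measure` the `attest` slot but, unlike `app/rot-carrier/app.toml` in this same commit, adds no `tasks-to-hold = ["sp_measure"]` entry under `[tasks.jefe.config]`; jefe's section of app-dev.toml is outside the hunk, so confirm whether it already holds the task. If it does not, and the supervisor restarts a faulted `sp_measure`, every SWD or `record` failure would presumably trigger another full flash read and another `attest.record` call on this image. The trailing context also shows `[tasks.sp_measure.config]` still present here, although `build.rs` no longer calls `build_util::task_config` and rot-carrier drops that table; removing it would keep the two images consistent.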
@@ -7,16 +7,12 @@ edition = "2021"
 sha3 = { workspace = true }
 drv-sp-ctrl-api = { path = "../../drv/sp-ctrl-api" }
+attest-api = { path = "../../task/attest-api" }
 ringbuf = { path = "../../lib/ringbuf" }
 userlib = { path = "../../sys/userlib", features = ["panic-messages"] }
+zerocopy = { workspace = true }
 [build-dependencies]
-anyhow = { workspace = true }
-idol = { workspace = true }
-quote = { workspace = true }
-serde = { workspace = true }
-sha3 = { workspace = true }
-
 build-util = { path = "../../build/util" }
 # This section is here to discourage RLS/rust-analyzer from doing test builds,
diff --git a/task/sp_measure/build.rs b/task/sp_measure/build.rs
index 3df391224..974d1b55d 100644
--- a/task/sp_measure/build.rs
+++ b/task/sp_measure/build.rs
@@ -2,15 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
-use serde::Deserialize;
-use sha3::{Digest, Sha3_256};
 use std::io::Write;
-use std::path::PathBuf;
-
-#[derive(Debug, Deserialize)]
-struct TaskConfig {
- binary_path: PathBuf,
-}
 const TEST_SIZE: usize = 0x0010_0000;
@@ -19,39 +11,10 @@ fn main() -> Result<(), Box> {
 let dest_path = out_dir.join("expected.rs");
 let mut file = std::fs::File::create(&dest_path)?;
- let task_config = build_util::task_config::()?;
-
- println!("cargo:rerun-if-changed={:?}", task_config.binary_path);
-
- // We intentionally don't error out of the binary path isn't
- // found. There's no way to have another binary available for CI
- // unless we check something in which will still be wrong. It's
- // still useful to calculate a hash to demonstrate the connection
- // works.
- let bin = match std::fs::read(&task_config.binary_path) {
- Ok(b) => b,
- Err(_) => vec![0; 256],
- };
-
 writeln!(&mut file, "const FLASH_START: u32 = 0x0800_0000;").unwrap();
 writeln!(&mut file, "const TEST_SIZE: u32 = {};", TEST_SIZE).unwrap();
 writeln!(&mut file, "const FLASH_END: u32 = FLASH_START + TEST_SIZE;")
 .unwrap();
- let mut sha = Sha3_256::new();
- sha.update(&bin);
-
- let extra: Vec = vec![0xff; TEST_SIZE - bin.len()];
-
- sha.update(&extra);
-
- let sha_out = sha.finalize();
-
- writeln!(&mut file, "const EXPECTED : [u8; 32] = [").unwrap();
- for b in sha_out {
- writeln!(&mut file, "0x{:x},", b).unwrap();
- }
- writeln!(&mut file, "];").unwrap();
-
 Ok(())
 }
diff --git a/task/sp_measure/src/main.rs b/task/sp_measure/src/main.rs
index 70ccbd84d..6f8f0cdeb 100644
--- a/task/sp_measure/src/main.rs
+++ b/task/sp_measure/src/main.rs
@@ -5,74 +5,75 @@
 #![no_std]
 #![no_main]
+use attest_api::{Attest, AttestError, HashAlgorithm};
 use drv_sp_ctrl_api::*;
 use ringbuf::*;
 use sha3::{Digest, Sha3_256};
 use userlib::*;
+use zerocopy::AsBytes;
 const READ_SIZE: usize = 256;
 const TRANSACTION_SIZE: u32 = 1024;
+task_slot!(ATTEST, attest);
 task_slot!(SP_CTRL, swd);
 #[derive(Copy, Clone, PartialEq)]
 enum Trace {
 Start(u64),
 End(u64),
- ShaGood,
- ShaBad,
+ RecordFail(AttestError),
 None,
 }
 ringbuf!(Trace, 16, Trace::None);
 #[export_name = "main"]
-fn main() -> ! {
- loop {
- let mut sha = Sha3_256::new();
- let sp_ctrl = SpCtrl::from(SP_CTRL.get_task_id());
+fn main() {
+ let mut sha = Sha3_256::new();
+ let sp_ctrl = SpCtrl::from(SP_CTRL.get_task_id());
- if sp_ctrl.setup().is_err() {
+ if sp_ctrl.setup().is_err() {
+ panic!();
+ }
+
+ let mut data: [u8; READ_SIZE] = [0; READ_SIZE];
+
+ let start = sys_get_timer().now;
+ ringbuf_entry!(Trace::Start(start));
+ for addr in (FLASH_START..FLASH_END).step_by(READ_SIZE) {
+ if addr % TRANSACTION_SIZE == 0
+ && sp_ctrl
+ .read_transaction_start(addr, addr + TRANSACTION_SIZE)
+ .is_err()
+ {
 panic!();
 }
- let mut data: [u8; READ_SIZE] = [0; READ_SIZE];
-
- let start = sys_get_timer().now;
- ringbuf_entry!(Trace::Start(start));
- for addr in (FLASH_START..FLASH_END).step_by(READ_SIZE) {
- if addr % TRANSACTION_SIZE == 0
- && sp_ctrl
- .read_transaction_start(addr, addr + TRANSACTION_SIZE)
- .is_err()
- {
- panic!();
- }
-
- data.fill(0);
- if sp_ctrl.read_transaction(&mut data).is_err() {
- panic!();
- }
-
- sha.update(&data);
+ data.fill(0);
+ if sp_ctrl.read_transaction(&mut data).is_err() {
+ panic!();
 }
- let sha_out = sha.finalize();
+ sha.update(&data);
+ }
+
+ let sha_out = sha.finalize();
- let end = sys_get_timer().now;
- ringbuf_entry!(Trace::End(end));
- if sha_out.as_slice() == EXPECTED.as_slice() {
- ringbuf_entry!(Trace::ShaGood);
- } else {
- ringbuf_entry!(Trace::ShaBad);
- }
+ let end = sys_get_timer().now;
+ ringbuf_entry!(Trace::End(end));
- // Wait for a notification that will never come, politer than
- // busy looping forever
- if sys_recv_closed(&mut [], 1, TaskId::KERNEL).is_err() {
- panic!();
- }
+ let attest = Attest::from(ATTEST.get_task_id());
+ if let Err(e) = attest.record(HashAlgorithm::Sha3_256, sha_out.as_bytes()) {
+ ringbuf_entry!(Trace::RecordFail(e));
+ panic!();
+ };
+
+ // Wait for a notification that will never come, politer than
+ // busy looping forever
+ if sys_recv_closed(&mut [], 1, TaskId::KERNEL).is_err() {
+ panic!();
 }
 }
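Review bot: The three SWD failure paths in `main` (`setup`, `read_transaction_start`, `read_transaction`) still end in a bare `panic!()` with no ringbuf entry, so only a failed `attest.record` leaves any evidence of what went wrong. Now that this task is the source of the SP measurement, a fault before `record` means nothing is recorded for the SP and nothing says why. I would add `Trace` variants for those paths, carrying the failing address, and log them before panicking, as sketched below; a comment above the `record` call should also state that consumers must treat a missing SP measurement as a failure. Separately, `main` lost its `-> !`: if `sys_recv_closed` ever returns `Ok`, the function now returns instead of looping, so consider keeping `fn main() -> !` and wrapping the final wait in `loop { … }`.

```rust
enum Trace {
    // … unchanged: Start, End, RecordFail …
    SetupFail,
    ReadStartFail(u32),
    ReadFail(u32),
    None,
}

// … unchanged: hasher and SpCtrl construction …
if sp_ctrl.setup().is_err() {
    ringbuf_entry!(Trace::SetupFail);
    panic!();
}
// … unchanged: read loop header and read_transaction_start condition …
    {
        ringbuf_entry!(Trace::ReadStartFail(addr));
        panic!();
    }
// … unchanged: data.fill(0) …
    if sp_ctrl.read_transaction(&mut data).is_err() {
        ringbuf_entry!(Trace::ReadFail(addr));
        panic!();
    }
// … unchanged: hashing, End entry, attest.record and final wait …
```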