pvattest - Man Page

create, perform, and verify attestation measurements


pvattest create [OPTIONS]
pvattest perform [OPTIONS]
pvattest verify [OPTIONS]


Use pvattest to attest that an IBM Secure Execution guest is the correct guest, and that it was started in a secure manner. Run 'pvattest create' and 'pvattest verify' in a trusted environment only.

        create    On a trusted system, creates an attestation request.

        perform   On the SE-guest to be attested, sends the attestation request to the Ultravisor and receives the answer.

        verify    On a trusted system, compares the answer from the Ultravisor to the one from your trusted environment. If they differ, the Secure Execution guest might be compromised.

For meaningful results, run 'create' and 'verify' in a trusted environment, like your workstation or a previously attested IBM Secure Execution guest. Otherwise, the attestation might be tampered with. For all certificates, revocation lists, and host-key documents, both the PEM and DER input formats are supported. If you run pvattest on a machine architecture other than z/Architecture, 'measure' is not available.

Use 'pvattest [COMMAND] -h' to get detailed help


-h,  --help

Show help options

-v,  --version

Print the version and exit.

-V,  --verbose

Provide more detailed output (optional)


For details refer to the man page of the command.

Create the request on a trusted system.

	trusted:~$ pvattest create -k hkd.crt --cert CA.crt --cert ibmsk.crt --arpk arp.key -o attreq.bin

On the SE-guest, perform the attestation.

	seguest:~$ pvattest perform -i attreq.bin -o attresp.bin

On a trusted system, verify that the response is correct. Here, the protection key from the creation and the SE-guest’s header is used to verify the measurement.

	trusted:~$ pvattest verify -i attresp.bin --arpk arp.key --hdr se_guest.hdr
	trusted:~$ echo $?

If the measurements do not match pvattest exits with code 2 and emits an error message. The SE-guest attestation failed.

	trusted:~$ pvattest verify -i wrongresp.bin --arpk arp.key --hdr se_guest.hdr
	ERROR: Attestation measurement verification failed:
	       Calculated and received attestation measurement are not the same.
	trusted:~$ echo $?

See Also

pvattest-create(1), pvattest-verify(1), pvattest-perform(1)

Referenced By

pvattest-create(1), pvattest-perform(1), pvattest-verify(1).

07 June 2022 s390-tools Attestation Manual