pvattest - Man Page
create, perform, and verify attestation measurements
Synopsis
pvattest create [OPTIONS] pvattest perform [OPTIONS] pvattest verify [OPTIONS]
Description
Use pvattest to attest that an IBM Secure Execution guest is the correct guest, and that it was started in a secure manner. Run 'pvattest create' and 'pvattest verify' in a trusted environment only.
create On a trusted system, creates an attestation request. perform On the SE-guest to be attested, sends the attestation request to the Ultravisor and receives the answer. verify On a trusted system, compares the answer from the Ultravisor to the one from your trusted environment. If they differ, the Secure Execution guest might be compromised.
For meaningful results, run 'create' and 'verify' in a trusted environment, like your workstation or a previously attested IBM Secure Execution guest. Otherwise, the attestation might be tampered with. For all certificates, revocation lists, and host-key documents, both the PEM and DER input formats are supported. If you run pvattest on a machine architecture other than z/Architecture, 'measure' is not available.
Use 'pvattest [COMMAND] -h' to get detailed help
Options
- -h, --help
Show help options
- -v, --version
Print the version and exit.
- -V, --verbose
Provide more detailed output (optional)
Example
For details refer to the man page of the command.
Create the request on a trusted system.
trusted:~$ pvattest create -k hkd.crt --cert CA.crt --cert ibmsk.crt --arpk arp.key -o attreq.bin
On the SE-guest, perform the attestation.
seguest:~$ pvattest perform -i attreq.bin -o attresp.bin
On a trusted system, verify that the response is correct. Here, the protection key from the creation and the SE-guest’s header is used to verify the measurement.
trusted:~$ pvattest verify -i attresp.bin --arpk arp.key --hdr se_guest.hdr trusted:~$ echo $? 0
If the measurements do not match pvattest exits with code 2 and emits an error message. The SE-guest attestation failed.
trusted:~$ pvattest verify -i wrongresp.bin --arpk arp.key --hdr se_guest.hdr ERROR: Attestation measurement verification failed: Calculated and received attestation measurement are not the same. trusted:~$ echo $? 2
See Also
pvattest-create(1), pvattest-verify(1), pvattest-perform(1)
Referenced By
pvattest-create(1), pvattest-perform(1), pvattest-verify(1).