Verify that a previously generated attestation measurement of an IBM Secure Execution guest is as expected. Only verify attestation requests in a trusted environment, such as your workstation. Input must contain the response as produced by 'pvattest perform'. The protection key must be the one that was used to create the request by 'pvattest create'. Please delete it after verification. The header must be the IBM Secure Execution header of the image that was attested during 'pvattest perform'
- -h, --help
Show help options
- -i, --input=FILE
FILE specifies the attestation result as input.
- -o, --ouput=FILE
FILE specifies the output for the verification result.
Specify the header of the guest image. Exactly one is required.
- -a, --arpk=FILE
Use FILE to specify the GCM-AES256 key to decrypt the attestation request. Delete this key after verification.
Define the output format. Default value: 'yaml'
- yaml: Use YAML format
- -V, --verbose
Provide more detailed output (optional)
To verify a measurement in 'measurement.bin' with the protection key 'arp.kep' and SE-guest header 'se_guest.hdr'.
pvattest verify --input attresp.bin --arpk arp.key --hdr se_guest.hdr
If the verification was successful the program exists with zero. If the verification failed it exists with 2 and prints the following to stderr:
ERROR: Attestation measurement verification failed: Calculated and received attestation measurement are not the same.
pvattest(1), pvattest-create(1), pvattest-perform(1)