pvattest-verify - Man Page

verify an attestation measurement


Verify that a previously generated attestation measurement of an IBM Secure Execution guest is as expected. Only verify attestation requests in a trusted environment, such as your workstation. Input must contain the response as produced by 'pvattest perform'. The protection key must be the one that was used to create the request by 'pvattest create'. Please delete it after verification. The header must be the IBM Secure Execution header of the image that was attested during 'pvattest perform'


-h,  --help

Show help options

-i,  --input=FILE

FILE specifies the attestation result as input.

-o,  --ouput=FILE

FILE specifies the output for the verification result.


Specify the header of the guest image. Exactly one is required.

-a,  --arpk=FILE

Use FILE to specify the GCM-AES256 key to decrypt the attestation request. Delete this key after verification.


Define the output format. Default value: 'yaml'

Possible values:

  • yaml: Use YAML format
-V,  --verbose

Provide more detailed output (optional)


To verify a measurement in 'measurement.bin' with the protection key 'arp.kep' and SE-guest header 'se_guest.hdr'.

        pvattest verify --input attresp.bin --arpk arp.key --hdr se_guest.hdr

If the verification was successful the program exists with zero. If the verification failed it exists with 2 and prints the following to stderr:

        ERROR: Attestation measurement verification failed:
               Calculated and received attestation measurement are not the same.

See Also

pvattest(1), pvattest-create(1), pvattest-perform(1)

Referenced By

pvattest-create(1), pvattest-perform(1).

07 June 2022 s390-tools Attestation Manual