pvsecret-create - Man Page

Create a new add-secret request

Synopsis

pvsecret create [OPTIONS] --host-key-document <FILE> --hdr <FILE> --output <FILE> <--no-verify|--cert <FILE>> <COMMAND>

Description

Create add-secret requests for IBM Secure Execution guests. Only create these requests in a trusted environment, such as your workstation. The pvattest create command creates a randomly generated key to protect the request. The generated requests can then be added on an IBM Secure Execution guest using pvsecret add. The guest can then use the secrets with the use case depending on the secret type. Such a request is bound to a specific IBM Secure Execution image specified with --hdr. Optionally, the request can be bound to a specific instance when bound to the Configuration Unique ID from pvattest using --cuid

Options

-k,  --host-key-document <FILE>

Use FILE as a host-key document. Can be specified multiple times and must be used at least once.

--no-verify

Disable the host-key document verification. Does not require the host-key documents to be valid. Do not use for a production request unless you verified the host-key document beforehand.

-C,  --cert <FILE>

Use FILE as a certificate to verify the host key or keys. The certificates are used to establish a chain of trust for the verification of the host-key documents. Specify this option twice to specify the IBM Z signing key and the intermediate CA certificate (signed by the root CA).

--crl <FILE>

Use FILE as a certificate revocation list. The list is used to check whether a certificate of the chain of trust is revoked. Specify this option multiple times to use multiple CRLs.

--offline

Make no attempt to download CRLs.

--root-ca <ROOT_CA>

Use FILE as the root-CA certificate for the verification. If omitted, the system wide-root CAs installed on the system are used. Use this only if you trust the specified certificate.

--hdr <FILE>

Specifies the header of the guest image. Can be an IBM Secure Execution image created by genprotimg or an extracted IBM Secure Execution header. The header must start at a page boundary.

-f,  --force

Force the generation of add-secret requests on IBM Secure Execution guests. If the program detects that it is running on an IBM Secure Execution guest, it denies the generation of add-secret requests. The force flag overwrites this behavior.

-o,  --output <FILE>

Write the generated request to FILE.

--extension-secret <FILE>

Use the content of FILE as an extension secret. The file must be exactly 32 bytes long. If this request is the first, all subsequent requests must have the same extension secret. Only makes sense if bit 1 of the secret control flags of the IBM Secure Execution header is 0. Otherwise the ultravisor rejects the request.

--cck <FILE>

Use the content of FILE as the customer-communication key (CCK) to derive the extension secret. The file must contain exactly 32 bytes of data. If the target guest was started with bit 1 of the secret control flag set, the ultravisor also derives the secret from the CCK. Otherwise, the ultravisor interprets the extension secret as a normal one. This still works if you use the same CCK for all requests.

--cuid-hex <HEXSTRING>

Use HEXSTRING as the Configuration Unique ID. Must be a hex 128-bit unsigned big endian number string. Leading zeros must be provided. If specified, the value must match with the Config-UID from the attestation result of that guest. If not specified, the CUID will be ignored by the ultravisor during the verification of the request.

--cuid <FILE>

Use the content of FILE as the Configuration Unique ID. The file must contain exactly 128 bit of data or a yaml with a `cuid` entry. If specified, the value must match the Config-UID from the attestation result of that guest. If not specified, the CUID will be ignored by the Ultravisor during the verification of the request.

--flags <FLAGS>

Flags for the add-secret request.

Possible values:

  • disable-dump: Disables host-initiated dumping for the target guest instance.
--user-data <FILE>

Use the content of FILE as user-data. Passes user data defined in <FILE> through the add-secret request to the ultravisor. The user data can be up to 512 bytes of arbitrary data, and the maximum size depends on the size of the user-signing key:

- No key: user data can be 512 bytes.

- EC(secp521r1) or RSA 2048 keys: user data can be 256 bytes.

- RSA 3072 key: user data can be 128 bytes.

The firmware ignores this data, but the request tag protects the user-data. Optional. No user-data by default.

--user-sign-key <FILE>

Use the content of FILE as user signing key. Adds a signature defined calculated from the key in <FILE> to the add-secret request. The file must be in DER or PEM format containing a private key. Supported are RSA 2048 & 3072-bit and EC(secp521r1) keys. The firmware ignores the content, but the request tag protects the signature. The user-signing key signs the request. The location of the signature is filled with zeros during the signature calculation. The request tag also secures the signature. See man pvsecret verify for more details. Optional. No signature by default.

See Also

pvsecret(1) pvsecret-create-meta(1) pvsecret-create-association(1)

Referenced By

pvsecret(1), pvsecret-create-association(1), pvsecret-create-meta(1).

2024-01-30 s390-tools UV-Secret Manual