1. Manuals
  2. Tumbleweed
  3. s390-tools
  4. pvattest-verify(1)

Scroll to navigation

pvattest-verify(1) Attestation Manual pvattest-verify(1)

NAME

pvattest [OPTION?] verify [OPTIONS] - verify an attestation measurement

DESCRIPTION

Verify that a previously generated attestation measurement of an IBM Secure Execution guest is as expected. Only verify attestation requests in a trusted environment, such as your workstation. Input must contain the response as produced by 'pvattest perform'. The protection key must be the one that was used to create the request by 'pvattest create'. Please delete it after verification. The header must be the IBM Secure Execution header of the image that was attested during 'pvattest perform'

OPTIONS

Show help options
FILE specifies the attestation result as input.
FILE specifies the output for the verification result.
Specify the header of the guest image. Exactly one is required.
Use FILE to specify the GCM-AES256 key to decrypt the attestation request. Delete this key after verification.
Define the output format. Default value: 'yaml'

Possible values:

- yaml: Use YAML format

Provide more detailed output (optional)

EXAMPLE

To verify a measurement in 'measurement.bin' with the protection key 'arp.kep' and SE-guest header 'se_guest.hdr'.



        pvattest verify --input attresp.bin --arpk arp.key --hdr se_guest.hdr
If the verification was successful the program exists with zero. If the verification failed it exists with 2 and prints the following to stderr: 



        ERROR: Attestation measurement verification failed:


               Calculated and received attestation measurement are not the same.

SEE ALSO

pvattest(1), pvattest-create(1), pvattest-perform(1)

07 June 2022 s390-tools