pvattest-check(1) | Attestation Manual | pvattest-check(1) |
NAME
pvattest check - Check if the attestation result matches defined policies
SYNOPSIS
pvattest check [OPTIONS] <IN> <OUT>
DESCRIPTION
After the attestation verification, check whether the attestation result complies with user-defined policies.
OPTIONS
<IN>
Specify the attestation response that is checked against the
policies.
<OUT>
Specify the output file for the check result.
--format <FORMAT>
Define the output format. [default: 'yaml']
Possible values:
- yaml: Use yaml format.
-k, --host-key-document <FILE>
Use FILE to check for a host-key document. Verifies that
the attestation response contains the host-key hash of one of the specified
host keys. The check fails if none of the host-keys match the hash in the
response. This parameter can be specified multiple times.
--host-key-check <HOST_KEY_CHECKS>
Define the host-key check policy. By default, all host-key
hashes are checked, and it is not considered a failure if a hash is missing
from the attestation response. Use this policy switch to trigger a failure if
no corresponding hash is found. Requires at least one host-key document.
Possible values:
- att-key-hash: Check the host-key used for the
attestation request.
- boot-key-hash: Check the host-key used to boot the image.
-u, --user-data <FILE>
Check if the provided user data matches the data from the
attestation response.
--secret <FILE>
Use FILE as a successfully processed add-secret request.
Checks whether the attestation response contains the hash of all specified
add-secret request tags. The hash is sensitive to the order in which the
secrets were added. This means that if the order in which the requests are
specified here differs from the order in which the add-secret requests were
sent to the UV, this check fails even though the same secrets are included in
the UV secret store. Can be specified multiple times.
--secret-store-locked <BOOL>
Check whether the guest's secret store is locked or not.
Compares the secret store state hash in the attestation response to the hash
calculated from this option and from any add-secret requests specified with
--secret, in the given order. If the attestation response does not contain a
secret store hash, this check fails.
Required if add-secret requests are specified.
--firmware
Check whether the firmware is supported by IBM. Requires
internet access.
--firmware-verify-url <URL>
Specify the endpoint to use for firmware version
verification. Use an endpoint you trust. Requires the --firmware
option.
-h, --help
Print help (see a summary with '-h').
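The options above carry two constraints that are easy to get wrong on a long command line: --host-key-check needs at least one -k document, and any --secret requires --secret-store-locked, with the secrets listed in the order they were sent to the UV. The following wrapper is an added example (not part of s390-tools) that assembles a pvattest check invocation and refuses to build one that violates those constraints; file names are placeholders, and the BOOL value `true` is assumed.

```shell
#!/bin/sh
# Added example, not from s390-tools. Builds a `pvattest check` command line
# from its parts and enforces the option constraints stated in the man page.
#
# build_check_cmd IN OUT LOCKED HOST_KEY_CHECK "HKD ..." "SECRET ..."
#   LOCKED          value for --secret-store-locked ("true"/"false" assumed),
#                   or "" to omit the option
#   HOST_KEY_CHECK  att-key-hash, boot-key-hash, or "" to omit
#   "HKD ..."       space-separated host-key documents passed with -k
#   "SECRET ..."    space-separated add-secret requests passed with --secret,
#                   in the order they were sent to the Ultravisor
# Prints the command on stdout; returns 1 if a constraint is violated.
# Assumes file names without spaces (placeholders in the tests below).
build_check_cmd() {
    in=$1; out=$2; locked=$3; hkc=$4; hkds=$5; secrets=$6
    cmd="pvattest check"
    n_hkd=0
    for f in $hkds; do
        cmd="$cmd -k $f"
        n_hkd=$((n_hkd + 1))
    done
    # --host-key-check requires at least one host-key document
    if [ -n "$hkc" ]; then
        if [ "$n_hkd" -eq 0 ]; then
            echo "error: --host-key-check requires at least one -k FILE" >&2
            return 1
        fi
        cmd="$cmd --host-key-check $hkc"
    fi
    # --secret is order-sensitive: keep the caller's order untouched
    n_sec=0
    for f in $secrets; do
        cmd="$cmd --secret $f"
        n_sec=$((n_sec + 1))
    done
    # --secret-store-locked is required once add-secret requests are given
    if [ "$n_sec" -gt 0 ] && [ -z "$locked" ]; then
        echo "error: --secret requires --secret-store-locked" >&2
        return 1
    fi
    if [ -n "$locked" ]; then
        cmd="$cmd --secret-store-locked $locked"
    fi
    echo "$cmd $in $out"
}

# Run the check only if the command line passed the constraint checks.
run_check() {
    c=$(build_check_cmd "$@") || return 1
    $c
}
```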
SEE ALSO
2024-12-05 | s390-tools |