1. Manuals
  2. Tumbleweed
  3. s390-tools
  4. pvattest-verify(1)

Scroll to navigation

pvattest-verify(1) Attestation Manual pvattest-verify(1)

NAME

pvattest verify - Verify an attestation response

SYNOPSIS

pvattest verify [OPTIONS] --input <FILE> --hdr <FILE> --arpk <FILE>

DESCRIPTION

Verify that a previously generated attestation measurement of an IBM Secure Execution guest is as expected. Only verify attestation requests in a trusted environment, such as your workstation. Input must contain the response as produced by ’pvattest perform’. The protection key must be the one that was used to create the request by ’pvattest create’. Shred the protection key after the verification. The header must be the IBM Secure Execution header of the image that was attested during ’pvattest perform’. The verify command solely verifies that the Attestation measurement is correct. It does not check for the content of additional data or user data. See `pvattest check` for policy checks after you verified the Attestation measurement.

OPTIONS

-i, --input <FILE>

Specify the attestation response to be verified.

-o, --output <FILE>

Specify the output for the verification result.

--hdr <FILE>

Specifies the header of the guest image. Can be an IBM Secure Execution image created by genprotimg or an extracted IBM Secure Execution header. The header must start at a page boundary.

-a, --arpk <FILE>

Use FILE as the protection key to decrypt the request Do not publish this key, otherwise your attestation is compromised. Delete this key after verification.

--format <FORMAT>

Define the output format. [default: 'yaml']

Possible values:

- yaml: Use yaml format.

-u, --user-data <FILE>

Write the user data to the FILE if any. Writes the user data, if the response contains any, to FILE The user-data is part of the attestation measurement. If the user-data is written to FILE the user-data was part of the measurement and verified. Emits a warning if the response contains no user-data.

-h, --help

Print help (see a summary with '-h').

EXIT STATUS

0 - Attestation Verified
Attesatation measurement verified successfully. Measured guest is in Secure Execution mode.

1 - Program Error
Something went wrong during the local calculation or receiving of the measurement value. Refer to the error message.

2 - Attestation NOT Verified
Attesation measurement calculation does not match the received value. Measured guest is very likely not in Secure Execution mode.

EXAMPLES

To verify a measurement in 'measurement.bin' with the protection key 'arp.kep' and SE-guest header 'se_guest.hdr'.



       $ pvattest verify --input attresp.bin --arpk arp.key --hdr se_guest.hdr
If the verification was successful the program exists with zero. If the verification failed it exists with 2 and prints the following to stderr: 



        ERROR: Attestation measurement verification failed:


               Calculated and received attestation measurement are not the same.

SEE ALSO

pvattest(1)

2024-12-05 s390-tools