pvattest(1) | Attestation Manual | pvattest(1) |
NAME
pvattest [OPTION?] COMMAND [OPTIONS] - create, perform, and verify attestation measurements
SYNOPSIS
pvattest create [OPTIONS]
pvattest perform [OPTIONS]
pvattest verify [OPTIONS]
DESCRIPTION
Use pvattest to attest that an IBM Secure Execution guest is the correct guest, and that it was started in a secure manner. Run 'pvattest create' and 'pvattest verify' in a trusted environment only.
For meaningful results, run 'create' and 'verify' in a trusted environment, like your workstation or a previously attested IBM Secure Execution guest. Otherwise, the attestation might be tampered with. For all certificates, revocation lists, and host-key documents, both the PEM and DER input formats are supported. If you run pvattest on a machine architecture other than z/Architecture, 'measure' is not available.
create On a trusted system, creates an attestation request.
perform On the SE-guest to be attested, sends the attestation request to the Ultravisor and receives the answer.
verify On a trusted system, compares the answer from the Ultravisor to the one from your trusted environment. If they differ, the Secure Execution guest might be compromised.
Use 'pvattest [COMMAND] -h' to get detailed help.
OPTIONS
- -h, --help
- Show help options
- -v, --version
- Print the version and exit.
- -V, --verbose
- Provide more detailed output (optional)
EXAMPLE
For details refer to the man page of the command.
Create the request on a trusted system.
trusted:~$ pvattest create -k hkd.crt --cert CA.crt --cert ibmsk.crt --arpk arp.key -o attreq.bin
On the SE-guest, perform the attestation.
seguest:~$ pvattest perform -i attreq.bin -o attresp.bin
On a trusted system, verify that the response is correct. Here, the protection key from the creation and the SE-guest’s header are used to verify the measurement.
trusted:~$ pvattest verify -i attresp.bin --arpk arp.key --hdr se_guest.hdr
trusted:~$ echo $?
0
If the measurements do not match, pvattest exits with code 2 and emits an error message. The SE-guest attestation failed.
trusted:~$ pvattest verify -i wrongresp.bin --arpk arp.key --hdr se_guest.hdr
ERROR: Attestation measurement verification failed: Calculated and received attestation measurement are not the same.
trusted:~$ echo $?
2
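The exit codes shown above (0 on a match, 2 on a measurement mismatch) let a script on the trusted system use 'pvattest verify' as a fail-closed gate. The following is an added example, not part of the s390-tools manual; the function names and the PVATTEST override variable are assumptions, and any other non-zero exit code is treated here as an operational error.

```sh
#!/bin/sh
# Added example: fail-closed gate around 'pvattest verify' (run on the trusted system).
# PVATTEST is an assumed override so the gate can be exercised without the real tool.
PVATTEST="${PVATTEST:-pvattest}"

# attest_status RESPONSE ARPK HEADER
# Prints one verdict (attested | mismatch | error); returns 0 only for "attested".
attest_status() {
    resp=$1 arpk=$2 hdr=$3
    # Unreadable inputs are an operational error, never a pass.
    for f in "$resp" "$arpk" "$hdr"; do
        [ -r "$f" ] || { echo error; return 1; }
    done
    rc=0
    # Tool output goes to stderr so the operator still sees the ERROR line
    # while stdout carries only the verdict.
    "$PVATTEST" verify -i "$resp" --arpk "$arpk" --hdr "$hdr" >&2 || rc=$?
    case $rc in
        0) echo attested; return 0 ;;
        2) echo mismatch; return 2 ;;   # measurements differ: guest might be compromised
        *) echo error;    return 1 ;;   # anything else: could not complete verification
    esac
}

# release_if_attested RESPONSE ARPK HEADER COMMAND [ARGS...]
# Runs COMMAND only after a successful verification; every other outcome refuses.
release_if_attested() {
    resp=$1 arpk=$2 hdr=$3
    shift 3
    verdict=$(attest_status "$resp" "$arpk" "$hdr") || {
        echo "attestation not accepted ($verdict); refusing to run: $*" >&2
        return 1
    }
    "$@"
}
```

A mismatch and an operational error both block the gated command, but they are reported separately so that a mismatch can be escalated as a possible compromise rather than retried.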
SEE ALSO
pvattest-create(1), pvattest-verify(1), pvattest-perform(1)
07 June 2022 | s390-tools |