
pvattest(1) Attestation Manual pvattest(1)

NAME

pvattest - create, perform, and verify attestation measurements

SYNOPSIS

pvattest [OPTIONS] <COMMAND>

DESCRIPTION

Create, perform, and verify attestation measurements for IBM Secure Execution guest systems.

PVATTEST COMMANDS

create

Create an attestation measurement request

perform

Send the attestation request to the Ultravisor

verify

Verify an attestation response

check

Check if the attestation result matches defined policies

OPTIONS

-v, --verbose

Provide more detailed output.

-q, --quiet

Provide less output.

--version

Print version information and exit.

-h, --help

Print help (see a summary with '-h').

EXAMPLES

For details, refer to the man page of the respective command.

Create the request on a trusted system.

	trusted:~$ pvattest create -k hkd.crt --cert CA.crt --cert ibmsk.crt --arpk arp.key -o attreq.bin

On the SE-guest, perform the attestation.

	seguest:~$ pvattest perform attreq.bin attresp.bin

On a trusted system, verify that the response is correct. Here, the protection key from the request creation and the SE-guest’s header are used to verify the measurement.

	trusted:~$ pvattest verify -i attresp.bin --arpk arp.key --hdr se_guest.hdr
	trusted:~$ echo $?
	0

If the measurements do not match, pvattest exits with code 2 and emits an error message. In that case, the SE-guest attestation has failed.

	trusted:~$ pvattest verify -i wrongresp.bin --arpk arp.key --hdr se_guest.hdr
	ERROR: Attestation measurement verification failed:
	       Calculated and received attestation measurement are not the same.
	trusted:~$ echo $?
	2
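
The following wrapper is an added example, not part of s390-tools. It maps the two exit codes shown above (0 and 2) to a verdict on the trusted system and treats any other status as unverified (fail closed). The function name attest_verdict and the PVATTEST override variable are assumptions of this example.

```sh
#!/bin/sh
# Added example, not shipped with s390-tools.
# Gate follow-up actions on the outcome of `pvattest verify`, using only
# the exit codes shown in the EXAMPLES above:
#   0 = measurement verified, 2 = measurement mismatch.
# Any other status is treated as "not verified" (fail closed), so an
# operational error is never mistaken for a successful attestation.

# Assumption of this example: PVATTEST may name an alternative binary.
PVATTEST="${PVATTEST:-pvattest}"

# attest_verdict RESPONSE ARPK HEADER
# Prints one of: verified | mismatch | error
# Returns 0 only for "verified", 2 for "mismatch", 1 for "error".
attest_verdict() {
    resp=$1
    arpk=$2
    hdr=$3

    # Unreadable inputs are an operational error, not a mismatch.
    for f in "$resp" "$arpk" "$hdr"; do
        if [ ! -r "$f" ]; then
            echo error
            return 1
        fi
    done

    # Capture the status without tripping `set -e` in the caller.
    "$PVATTEST" verify -i "$resp" --arpk "$arpk" --hdr "$hdr" \
        >/dev/null 2>&1 && rc=0 || rc=$?

    case $rc in
        0) echo verified; return 0 ;;
        2) echo mismatch; return 2 ;;
        *) echo error;    return 1 ;;
    esac
}

# Typical use on the trusted system (file names as in the EXAMPLES):
#   if attest_verdict attresp.bin arp.key se_guest.hdr >/dev/null; then
#       echo "SE-guest attested"
#   fi
```

A "mismatch" verdict means the SE-guest attestation failed; an "error" verdict means no conclusion about the guest can be drawn and the verification should be repeated once the cause is fixed.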

SEE ALSO

pvattest-create(1) pvattest-perform(1) pvattest-verify(1) pvattest-check(1)

2024-11-18 s390-tools