pvattest - Man Page

pvattest [OPTIONS] <COMMAND>

Create, perform, and verify attestation measurements for IBM Secure Execution guest systems.

create

Create an attestation measurement request

perform

Send the attestation request to the Ultravisor

verify

Verify an attestation response

check

Check if the attestation result matches defined policies

-v,  --verbose

Provide more detailed output.

-q,  --quiet

Provide less output.

--version

Print version information and exit.

-h,  --help

Print help (see a summary with '-h').

For details refer to the man page of the command.

Create the request on a trusted system.

	trusted:~$ pvattest create -k hkd.crt --cert CA.crt --cert ibmsk.crt --arpk arp.key -o attreq.bin

On the SE-guest, perform the attestation.

	seguest:~$ pvattest perform attreq.bin attresp.bin

On a trusted system, verify that the response is correct. Here, the protection key from the creation and the SE-guest’s header is used to verify the measurement.

	trusted:~$ pvattest verify -i attresp.bin --arpk arp.key --hdr se_guest.hdr
	trusted:~$ echo $?
	0

If the measurements do not match pvattest exits with code 2 and emits an error message. The SE-guest attestation failed.

	trusted:~$ pvattest verify -i wrongresp.bin --arpk arp.key --hdr se_guest.hdr
	ERROR: Attestation measurement verification failed:
	       Calculated and received attestation measurement are not the same.
	trusted:~$ echo $?
	2

pvattest-create(1) pvattest-perform(1) pvattest-verify(1) pvattest-check(1)

pvattest-check(1), pvattest-create(1), pvattest-perform(1), pvattest-verify(1).