pvattest-check - Man Page

Check if the attestation result matches defined policies

Synopsis

pvattest check [OPTIONS] <IN> <OUT>

Description

After the attestation verification, check whether the attestation result complies with user-defined policies.

Options

<IN>

Specify the attestation response to check whether the policies are validated.

<OUT>

Specify the output file for the check result.

--format <FORMAT>

Define the output format. [default: 'yaml']

Possible values:

  • yaml: Use yaml format.

-k,  --host-key-document <FILE>

Use FILE to check for a host-key document. Verifies that the attestation response contains the host-key hash of one of the specified host keys. The check fails if none of the host-keys match the hash in the response. This parameter can be specified multiple times.

--host-key-check <HOST_KEY_CHECKS>

Define the host-key check policy. By default, all host-key hashes are checked, and it is not considered a failure if a hash is missing from the attestation response. Use this policy switch to trigger a failure if no corresponding hash is found. Requires at least one host-key document.

Possible values:

  • att-key-hash: Check the host-key used for the attestation request.
  • boot-key-hash: Check the host-key used to boot the image.

-u,  --user-data <FILE>

Check if the provided user data matches the data from the attestation response.

--secret <FILE>

Use FILE as a successful add-secret request. Checks whether the attestation response contains the hash of all specified add-secret request tags. The hash is sensitive to the order in which the secrets were added. This means that if the order given here differs from the order in which the add-secret requests were sent to the UV, this check will fail even though the same secrets are included in the UV secret store. Can be specified multiple times.

--secret-store-locked <BOOL>

Check whether the guest's secret store is locked or not. Compares the hash of the secret store state to the one calculated from this option and the optionally specified add-secret requests in the correct order. If the attestation response does not contain a secret store hash, this check fails.

Required if add-secret-requests are specified.
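The order sensitivity described for --secret and --secret-store-locked above is easy to misread as "same set of secrets, same hash". The following Python model is an added illustration, not code from s390-tools and not the Ultravisor's actual secret-store hash algorithm: it folds each add-secret request tag into a running digest in sequence and then folds in the lock state, so the same tags in a different order, or a wrong lock expectation, produce a different value. The tag values and the initial state are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample add-secret request tags (placeholders, not real UV tags).
TAG_A = b"constructed-add-secret-tag-A"
TAG_B = b"constructed-add-secret-tag-B"


def model_secret_store_hash(add_secret_tags, locked):
    """Illustrative, order-sensitive model of a secret-store state hash.

    NOT the Ultravisor's real algorithm. Each tag is chained into the running
    digest in the order supplied; the lock state is chained in last, so both
    the sequence of tags and the locked flag influence the result.
    """
    state = hashlib.sha256(b"constructed-initial-state").digest()
    for tag in add_secret_tags:
        state = hashlib.sha256(state + tag).digest()
    lock_byte = b"\x01" if locked else b"\x00"
    return hashlib.sha256(state + lock_byte).digest()


def secret_store_check(response_hash, local_tags, expect_locked):
    """Mirror of the policy check semantics stated in the man page.

    Recompute the expected hash from the locally supplied add-secret request
    tags (in the order given) plus the expected lock state, and compare it
    with the hash taken from the attestation response. A response without a
    secret-store hash (None) fails the check.
    """
    if response_hash is None:
        return False
    expected = model_secret_store_hash(local_tags, expect_locked)
    # Constant-time comparison so the check itself does not leak digest bytes.
    return hmac.compare_digest(expected, response_hash)


if __name__ == "__main__":
    # Simulate a guest whose UV received A then B and locked the store.
    from_response = model_secret_store_hash([TAG_A, TAG_B], True)
    print("same order, locked   :", secret_store_check(from_response, [TAG_A, TAG_B], True))
    print("swapped order, locked:", secret_store_check(from_response, [TAG_B, TAG_A], True))
    print("same order, unlocked :", secret_store_check(from_response, [TAG_A, TAG_B], False))
    print("hash missing         :", secret_store_check(None, [TAG_A, TAG_B], True))
```

The second and third cases are the failure modes the man page warns about: the secrets are identical, but either the order passed via --secret or the value passed via --secret-store-locked does not match what the UV actually did, so the recomputed hash differs and the policy check fails.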

--firmware

Check whether the firmware is supported by IBM. Requires internet access.

--firmware-verify-url <URL>

Specify the endpoint to use for firmware version verification. Use an endpoint you trust. Requires the --firmware option.

-h,  --help

Print help (see a summary with '-h').

See Also

pvattest(1)

Referenced By

pvattest(1).

2024-12-05 s390-tools Attestation Manual