pvattest-check - Man Page
Check if the attestation result matches defined policies
Synopsis
pvattest check [OPTIONS] <IN> <OUT>
Description
After the attestation verification, check whether the attestation result complies with user-defined policies.
Options
- <IN>
Specify the attestation response to check whether the policies are validated.
- <OUT>
Specify the output file for the check result.
- --format <FORMAT>
Define the output format. [default: 'yaml']
Possible values:
- yaml: Use yaml format.
- -k, --host-key-document <FILE>
Use FILE to check for a host-key document. Verifies that the attestation response contains the host-key hash of one of the specified host keys. The check fails if none of the host-keys match the hash in the response. This parameter can be specified multiple times.
- --host-key-check <HOST_KEY_CHECKS>
Define the host-key check policy By default, all host-key hashes are checked, and it is not considered a failure if a hash is missing from the attestation response. Use this policy switch to trigger a failure if no corresponding hash is found. Requires at least one host-key document.
Possible values:
- att-key-hash: Check the host-key used for the attestation request.
- boot-key-hash: Check the host-key used to the boot the image.
- -u, --user-data <FILE>
Check if the provided user data matches the data from the attestation response.
- --secret <FILE>
Use FILE to include as successful Add-secret request. Checks if the Attestation response contains the hash of all specified add secret requests-tags. The hash is sensible to the order in which the secrets where added. This means that if the order of adding here different from the order the add-secret requests where sent to the UV this check will fail even though the same secrets are included in the UV secret store. Can be specified multiple times.
- --secret-store-locked <BOOL>
Check whether the guests secret store is locked or not. Compares the hash of the secret store state to the one calculated by this option and optionally specified add-secret-requests in the correct order. If the attestation response does not contain a secret store hash, this check fails.
Required if add-secret-requests are specified.
- --firmware
Check whether the firmware is supported by IBM. Requires internet access.
- --firmware-verify-url <URL>
Specify the endpoint to use for firmware version verification. Use an endpoint you trust. Requires the --firmware option.
- -h, --help
Print help (see a summary with '-h').