pvattest-verify - Man Page

Verify an attestation response

Synopsis

pvattest verify [OPTIONS] --input <FILE> --hdr <FILE> --arpk <FILE>

Description

Verify that a previously generated attestation measurement of an IBM Secure Execution guest is as expected. Only verify attestation requests in a trusted environment, such as your workstation. Input must contain the response as produced by 'pvattest perform'. The protection key must be the one that was used to create the request by 'pvattest create'. Shred the protection key after the verification. The header must be the IBM Secure Execution header of the image that was attested during 'pvattest perform'.

Options

-i,  --input <FILE>

Specify the attestation request to be verified.

-o,  --output <FILE>

Specify the output for the verification result.

--hdr <FILE>

Specifies the header of the guest image. Can be an IBM Secure Execution image created by genprotimg or an extracted IBM Secure Execution header. The header must start at a page boundary.

-a,  --arpk <FILE>

Use FILE as the protection key to decrypt the request. Do not publish this key, otherwise your attestation is compromised. Delete this key after verification.

--format <FORMAT>

Define the output format. [default: 'yaml']

Possible values:

  • yaml: Use yaml format.

-u,  --user-data <FILE>

Write the user data to the FILE if any. Writes the user data, if the response contains any, to FILE. The user-data is part of the attestation measurement. If the user-data is written to FILE, the user-data was part of the measurement and verified. Emits a warning if the response contains no user-data.

-v,  --verbose

Provide more detailed output.

-h,  --help

Print help (see a summary with '-h').

Exit Status

0 - Attestation Verified

Attestation measurement verified successfully. Measured guest is in Secure Execution mode.

1 - Program Error

Something went wrong during the local calculation or receiving of the measurement value. Refer to the error message.

2 - Attestation NOT Verified

Attestation measurement calculation does not match the received value. Measured guest is very likely not in Secure Execution mode.

Examples

To verify a measurement in 'attresp.bin' with the protection key 'arp.key' and SE-guest header 'se_guest.hdr':

       $ pvattest verify --input attresp.bin --arpk arp.key --hdr se_guest.hdr

If the verification was successful, the program exits with zero. If the verification failed, it exits with 2 and prints the following to stderr:

        ERROR: Attestation measurement verification failed:
               Calculated and received attestation measurement are not the same.
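
A wrapper that acts on the three exit statuses and shreds the protection key once verification has completed, as an added example that is not part of s390-tools. The function name verify_attestation, the script name verify.sh and the choice to keep the key on exit status 1 (so the run can be repeated) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of s390-tools.
# Usage: verify_attestation <response> <se-header> <arpk> [user-data-out]
# Returns the exit status of 'pvattest verify' (0, 1 or 2).

verify_attestation() {
    resp=$1; hdr=$2; arpk=$3; udata=${4:-}

    # Build the argument list in "$@" so paths with spaces survive.
    set -- verify --input "$resp" --hdr "$hdr" --arpk "$arpk"
    if [ -n "$udata" ]; then
        # Remove a stale file first: only a file written by this run is
        # user data that was part of the verified measurement.
        rm -f -- "$udata"
        set -- "$@" --user-data "$udata"
    fi

    rc=0
    pvattest "$@" || rc=$?

    case $rc in
        0) echo "attestation verified" >&2 ;;
        2) echo "attestation NOT verified; do not trust this guest" >&2
           if [ -n "$udata" ]; then rm -f -- "$udata"; fi ;;
        *) # Program error: nothing was decided. Keeping the key so the
           # run can be repeated is a choice of this example.
           echo "pvattest failed (exit $rc); protection key kept" >&2
           return "$rc" ;;
    esac

    # Verification completed (0 or 2): destroy the protection key.
    shred -u -- "$arpk" 2>/dev/null || rm -f -- "$arpk"
    return "$rc"
}

# Run directly: sh verify.sh attresp.bin se_guest.hdr arp.key [userdata.bin]
if [ "$#" -ge 3 ]; then
    verify_attestation "$@"
fi
```
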

See Also

pvattest(1)

Referenced By

pvattest(1).

2024-05-15 s390-tools Attestation Manual