Provided by: s390-tools_2.29.0-0ubuntu2.1_amd64

NAME

       pvattest [OPTION...] create [OPTIONS] - create an attestation measurement request

DESCRIPTION

       Prepare attestation measurement requests for an IBM Secure Execution guest.  Only prepare
       attestation requests in a trusted environment, such as your workstation.  The 'pvattest
       create' command creates a randomly generated key to protect the attestation request.  This
       key is only valid for this specific request. In order to avoid compromising the
       attestation, do not publish the protection key and delete it after verification.  Every
       'create' command generates a new, random protection key.

OPTIONS

       -h, --help
              Prints usage information, then exits.

       -k, --host-key-document=FILE
              Specify one or more host key documents. At least one is required.  Specify this
              option multiple times to create an attestation request control block that is usable
              on multiple hosts.

       -C, --cert=FILE
              Specifies the certificate that is used to establish a chain of trust for the
              verification of the host-key documents. Specify this option twice to specify the
              IBM Z signing key and the intermediate CA certificate (signed by the root CA).
              Required. Ignored when --no-verify is specified.

       --crl=FILE
              Specifies the revocation list that is used to check whether a certificate of the
              chain of trust is revoked. Specify this option multiple times to use multiple CRLs
              (optional).

       --root-ca=FILE
              Specifies the root CA certificate for the verification. If omitted, the system-wide
              root CAs installed on the system are used. Use this only if you trust the specified
              certificate. Optional.

       -o, --output=FILE
              FILE specifies the output for the attestation request control block.

       -a, --arpk=FILE
              Save the protection key as GCM-AES256 key in FILE. Do not publish this key,
              otherwise your attestation is compromised.

       --no-verify
              Disable the host-key document verification. Does not require the host-key documents
              to be valid. Do not use for a production request unless you verified the host-key
              document before (optional).

       --offline
              Specifies offline mode, in which no attempt is made to download CRLs (optional).

       -V, --verbose
              Provide more detailed output (optional).

EXAMPLE

       Create an attestation request with the protection key 'arp.key', write the request to
       'attreq.bin', and verify the host-key document using the CA-signed key 'DigiCertCA.crt'
       and the intermediate key 'IbmSigningKey.crt'.

               pvattest create -k hkd.crt --arpk arp.key -o attreq.bin --cert DigiCertCA.crt --cert IbmSigningKey.crt

       Create an attestation request with the protection key 'arp.key', write the request to
       'attreq.bin', verify the host-key document using the CA-signed key 'DigiCertCA.crt' and
       the intermediate key 'IbmSigningKey.crt', and, instead of downloading the certificate
       revocation lists, use the local certificate revocation lists 'DigiCertCA.crl',
       'IbmSigningKey.crl', and 'rootCA.crl'.

               pvattest create -k hkd.crt --arpk arp.key -o attreq.bin --cert DigiCertCA.crt --cert IbmSigningKey.crt --offline --crl DigiCertCA.crl --crl IbmSigningKey.crl --crl rootCA.crl
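
       An added example, not part of s390-tools or of the original manual page: a POSIX shell
       wrapper that applies the guidance above when calling 'pvattest create' (verification
       always on, protection key readable only by its owner, key destroyed after verification).
       The function names, the OUTDIR layout and the PVATTEST override variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of s390-tools. Function names, the OUTDIR layout and
# the PVATTEST override variable are assumptions made for this sketch.

# usage: make_attest_request OUTDIR CERT1 CERT2 HKD [HKD...]
# Runs 'pvattest create' with verification always on (never --no-verify) and
# keeps the single-use protection key private to the calling user.
make_attest_request() (
    [ "$#" -ge 4 ] || { echo "need OUTDIR, two certificates and at least one host-key document" >&2; exit 2; }
    outdir=$1 cert1=$2 cert2=$3
    shift 3
    for f in "$cert1" "$cert2" "$@"; do
        [ -r "$f" ] || { echo "unreadable input: $f" >&2; exit 3; }
    done
    # Each 'create' generates a fresh key; refuse to clobber one still in use.
    [ ! -e "$outdir/arp.key" ] || { echo "$outdir/arp.key already exists" >&2; exit 4; }
    # Rewrite the remaining arguments as '-k HKD' pairs, one per target host.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -k "$1"
        shift
        n=$((n - 1))
    done
    umask 077    # a newly created OUTDIR becomes 0700, arp.key 0600
    mkdir -p "$outdir" || exit 5
    "${PVATTEST:-pvattest}" create "$@" \
        --arpk "$outdir/arp.key" -o "$outdir/attreq.bin" \
        --cert "$cert1" --cert "$cert2"
)

# usage: discard_arpk OUTDIR
# Call once verification of the response has finished: the key must not
# outlive the request it protects.
discard_arpk() (
    key=$1/arp.key
    [ -f "$key" ] || exit 0
    # shred is best effort (no erasure guarantee on SSDs or CoW filesystems)
    if command -v shred >/dev/null 2>&1; then
        shred -u "$key"
    else
        rm -f "$key"
    fi
)
```

       Only 'attreq.bin' leaves the trusted workstation; 'arp.key' stays in OUTDIR until
       discard_arpk removes it.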

SEE ALSO

       pvattest(1), pvattest-verify(1), pvattest-perform(1)