Provided by: s390-tools_2.29.0-0ubuntu2.1_amd64
NAME
pvattest [OPTION?] verify [OPTIONS] - verify an attestation measurement
DESCRIPTION
Verify that a previously generated attestation measurement of an IBM Secure Execution guest is as expected. Only verify attestation requests in a trusted environment, such as your workstation. Input must contain the response as produced by 'pvattest perform'. The protection key must be the one that was used to create the request by 'pvattest create'. Please delete it after verification. The header must be the IBM Secure Execution header of the image that was attested during 'pvattest perform'
OPTIONS
-h, --help Show help options -i, --input=FILE FILE specifies the attestation result as input. -o, --ouput=FILE FILE specifies the output for the verification result. --hdr=FILE Specify the header of the guest image. Exactly one is required. -a, --arpk=FILE Use FILE to specify the GCM-AES256 key to decrypt the attestation request. Delete this key after verification. --format=yaml Define the output format. Default value: 'yaml' Possible values: - yaml: Use YAML format -V, --verbose Provide more detailed output (optional)
EXAMPLE
To verify a measurement in 'measurement.bin' with the protection key 'arp.kep' and SE- guest header 'se_guest.hdr'. pvattest verify --input attresp.bin --arpk arp.key --hdr se_guest.hdr If the verification was successful the program exists with zero. If the verification failed it exists with 2 and prints the following to stderr: ERROR: Attestation measurement verification failed: Calculated and received attestation measurement are not the same.
SEE ALSO
pvattest(1), pvattest-create(1), pvattest-perform(1)