Provided by: s390-tools_2.29.0-0ubuntu2.1_amd64

NAME

       pvattest [OPTION?] COMMAND [OPTIONS] - create, perform, and verify attestation
       measurements

SYNOPSIS

       pvattest create [OPTIONS]
       pvattest perform [OPTIONS]
       pvattest verify [OPTIONS]

DESCRIPTION

       Use pvattest to attest that an IBM Secure Execution guest is the correct guest, and that
       it was started in a secure manner.  Run 'pvattest create' and 'pvattest verify' in a
       trusted environment only.

               create    On a trusted system, creates an attestation request.

               perform   On the SE-guest to be attested, sends the attestation request to the Ultravisor and receives the answer.

               verify    On a trusted system, compares the answer from the Ultravisor to the one from your trusted environment. If they differ, the Secure Execution guest might be compromised.

       For meaningful results, run 'create' and 'verify' in a trusted environment, like your
       workstation or a previously attested IBM Secure Execution guest. Otherwise, the
       attestation might be tampered with. For all certificates, revocation lists, and host-key
       documents, both the PEM and DER input formats are supported. If you run pvattest on a
       machine architecture other than z/Architecture, 'measure' is not available.

       Use 'pvattest [COMMAND] -h' to get detailed help.

OPTIONS

       -h, --help
              Show help options.

       -v, --version
              Print the version and exit.

       -V, --verbose
              Provide more detailed output (optional).

EXAMPLE

       For details refer to the man page of the command.

       Create the request on a trusted system.

            trusted:~$ pvattest create -k hkd.crt --cert CA.crt --cert ibmsk.crt --arpk arp.key -o attreq.bin

       On the SE-guest, perform the attestation.

            seguest:~$ pvattest perform -i attreq.bin -o attresp.bin

       On a trusted system, verify that the response is correct. Here, the protection key from
       the creation and the SE-guest’s header are used to verify the measurement.

            trusted:~$ pvattest verify -i attresp.bin --arpk arp.key --hdr se_guest.hdr
            trusted:~$ echo $?
            0

       If the measurements do not match, pvattest exits with code 2 and emits an error message.
       In that case, the SE-guest attestation has failed.

            trusted:~$ pvattest verify -i wrongresp.bin --arpk arp.key --hdr se_guest.hdr
            ERROR: Attestation measurement verification failed:
                   Calculated and received attestation measurement are not the same.
            trusted:~$ echo $?
            2
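
       The exit codes shown above can drive a fail-closed gate on the trusted system. The
       following wrapper is an added example, not part of s390-tools; the function name,
       the PVATTEST override variable, and the handling of exit codes other than 0 and 2
       are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed gate around 'pvattest verify'.
# Exit statuses 0 (match) and 2 (measurement mismatch) are taken from the
# EXAMPLE section; treating every other status as an operational error
# is an assumption of this sketch.

# gate_on_attestation RESPONSE ARPK HEADER
# Returns 0 only when pvattest reports a matching measurement,
# 2 on a measurement mismatch, and 1 on any other failure.
gate_on_attestation() {
    resp=$1 arpk=$2 hdr=$3

    # Refuse to run with missing inputs: an unreadable file must never be
    # mistaken for a passed attestation.
    for f in "$resp" "$arpk" "$hdr"; do
        if [ ! -r "$f" ]; then
            echo "attestation: cannot read input file: $f" >&2
            return 1
        fi
    done

    # Capture the status explicitly so it survives callers using 'set -e'.
    # PVATTEST (hypothetical override) lets a caller pin the binary path.
    status=0
    "${PVATTEST:-pvattest}" verify -i "$resp" --arpk "$arpk" --hdr "$hdr" || status=$?

    case $status in
        0)  echo "attestation: measurement verified"
            return 0 ;;
        2)  echo "attestation: MEASUREMENT MISMATCH, guest must not be trusted" >&2
            return 2 ;;
        *)  echo "attestation: pvattest failed with status $status, treating guest as untrusted" >&2
            return 1 ;;
    esac
}

# Usage on the trusted system (file names from the EXAMPLE section):
#   gate_on_attestation attresp.bin arp.key se_guest.hdr && release_secrets
# 'release_secrets' is a hypothetical placeholder for whatever the caller
# does once the guest is trusted.
```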

SEE ALSO

       pvattest-create(1), pvattest-verify(1), pvattest-perform(1)