NAME

       pvsecret create - Create a new add-secret request

SYNOPSIS

       pvsecret create [OPTIONS] --host-key-document <FILE> --hdr <FILE> --output <FILE> <--no-verify|--cert <FILE>> <COMMAND>

DESCRIPTION

       Create add-secret requests for IBM Secure Execution guests. Only create these requests in
       a trusted environment, such as your workstation. The pvattest create command creates a
       randomly generated key to protect the request. The generated requests can then be added on
       an IBM Secure Execution guest using pvsecret add. The guest can then use the secrets with
       the use case depending on the secret type.  Such a request is bound to a specific IBM
       Secure Execution image specified with --hdr. Optionally, the request can be bound to a
       specific instance when bound to the Configuration Unique ID from pvattest using --cuid

OPTIONS

       -k, --host-key-document <FILE>
           Use FILE as a host-key document. Can be specified multiple times and must be used at
           least once.

       --no-verify
           Disable the host-key document verification. Does not require the host-key documents to
           be valid. Do not use for a production request unless you verified the host-key
           document beforehand.

       -C, --cert <FILE>
           Use FILE as a certificate to verify the host key or keys. The certificates are used to
           establish a chain of trust for the verification of the host-key documents. Specify
           this option twice to specify the IBM Z signing key and the intermediate CA certificate
           (signed by the root CA).

       --crl <FILE>
           Use FILE as a certificate revocation list. The list is used to check whether a
           certificate of the chain of trust is revoked. Specify this option multiple times to
           use multiple CRLs.

       --offline
           Make no attempt to download CRLs.

       --root-ca <ROOT_CA>
           Use FILE as the root-CA certificate for the verification. If omitted, the system wide-
           root CAs installed on the system are used. Use this only if you trust the specified
           certificate.

       --hdr <FILE>
           Specifies the header of the guest image. Can be an IBM Secure Execution image created
           by genprotimg or an extracted IBM Secure Execution header. The header must start at a
           page boundary.

       -f, --force
           Force the generation of add-secret requests on IBM Secure Execution guests. If the
           program detects that it is running on an IBM Secure Execution guest, it denies the
           generation of add-secret requests. The force flag overwrites this behavior.

       -o, --output <FILE>
           Write the generated request to FILE.

       --extension-secret <FILE>
           Use the content of FILE as an extension secret. The file must be exactly 32 bytes
           long. If this request is the first, all subsequent requests must have the same
           extension secret. Only makes sense if bit 1 of the secret control flags of the IBM
           Secure Execution header is 0. Otherwise the ultravisor rejects the request.

       --cck <FILE>
           Use the content of FILE as the customer-communication key (CCK) to derive the
           extension secret. The file must contain exactly 32 bytes of data. If the target guest
           was started with bit 1 of the secret control flag set, the ultravisor also derives the
           secret from the CCK. Otherwise, the ultravisor interprets the extension secret as a
           normal one. This still works if you use the same CCK for all requests.

       --cuid-hex <HEXSTRING>
           Use HEXSTRING as the Configuration Unique ID. Must be a hex 128-bit unsigned big
           endian number string. Leading zeros must be provided. If specified, the value must
           match with the Config-UID from the attestation result of that guest. If not specified,
           the CUID will be ignored by the ultravisor during the verification of the request.

       --cuid <FILE>
           Use the content of FILE as the Configuration Unique ID. The file must contain exactly
           128 bit of data or a yaml with a `cuid` entry. If specified, the value must match the
           Config-UID from the attestation result of that guest. If not specified, the CUID will
           be ignored by the Ultravisor during the verification of the request.

       --flags <FLAGS>
           Flags for the add-secret request.

           Possible values:
               - disable-dump: Disables host-initiated dumping for the target guest instance.

       --user-data <FILE>
           Use the content of FILE as user-data. Passes user data defined in <FILE> through the
           add-secret request to the ultravisor. The user data can be up to 512 bytes of
           arbitrary data, and the maximum size depends on the size of the user-signing key:

            - No key: user data can be 512 bytes.

            - EC(secp521r1) or RSA 2048 keys: user data can be 256 bytes.

            - RSA 3072 key: user data can be 128 bytes.

           The firmware ignores this data, but the request tag protects the user-data.  Optional.
           No user-data by default.

       --user-sign-key <FILE>
           Use the content of FILE as user signing key. Adds a signature defined calculated from
           the key in <FILE> to the add-secret request. The file must be in DER or PEM format
           containing a private key. Supported are RSA 2048 & 3072-bit and EC(secp521r1) keys.
           The firmware ignores the content, but the request tag protects the signature. The
           user-signing key signs the request. The location of the signature is filled with zeros
           during the signature calculation. The request tag also secures the signature. See man
           pvsecret verify for more details.  Optional. No signature by default.

SEE ALSO

       pvsecret(1) pvsecret-create-meta(1) pvsecret-create-association(1)