Provided by: s390-tools_2.31.0-0ubuntu5.1_amd64

NAME

       pvattest [OPTION?] create [OPTIONS] - create an attestation measurement request

DESCRIPTION

       Prepare attestation measurement requests for an IBM Secure Execution guest.  Only prepare attestation
       requests in a trusted environment, such as your workstation.  The 'pvattest create' command creates a
       randomly generated key to protect the attestation request.  This key is only valid for this specific
       request. In order to avoid compromising the attestation, do not publish the protection key and delete it
       after verification.  Every 'create' command generates a new, random protection key.

OPTIONS

       -h, --help
              Prints usage information, then exits.

       -k, --host-key-document=FILE
              Specify  one  or  more host key documents. At least one is required.  Specify this option multiple
              times to create an attestation request control block that is usable on multiple hosts.

       -C, --cert=FILE
              Specifies  the  certificate that is used to establish a chain of trust for the verification of the
              host-key documents. Specify  this  option  twice  to  specify  the  IBM  Z  signing  key  and  the
              intermediate  CA  certificate  (signed  by  the  root  CA).  Required. Ignored when --no-verify is
              specified.

       --crl=FILE
              Specifies the revocation list that is used to check whether a certificate of the chain of trust is
              revoked. Specify this option multiple times to use multiple CRLs (optional).

       --root-ca=FILE
              Specifies the root CA certificate for the verification. If omitted, the system-wide root CAs
              installed on the system are used. Use this only if you trust the specified certificate. Optional.

       -o, --output=FILE
              FILE specifies the output for the attestation request control block.

       -a, --arpk=FILE
              Save the protection key as a GCM-AES256 key in FILE. Do not publish this key; otherwise your
              attestation is compromised.

       --no-verify
              Disable the host-key document verification; the host-key documents are then not required to be
              valid. Do not use for a production request unless you verified the host-key document beforehand
              (optional).

       --offline
              Specifies offline mode, in which no attempt is made to download CRLs (optional).

       -V, --verbose
              Provide more detailed output (optional).

EXAMPLE

       Create an attestation request with the protection key 'arp.key', write the request to 'attreq.bin', and
       verify the host-key document using the CA-signed key 'DigiCertCA.crt' and the intermediate key
       'IbmSigningKey.crt'.

               pvattest create -k hkd.crt --arpk arp.key -o attreq.bin --cert DigiCertCA.crt --cert IbmSigningKey.crt

       Create an attestation request with the protection key 'arp.key', write the request to 'attreq.bin', verify
       the host-key document using the CA-signed key 'DigiCertCA.crt' and the intermediate key
       'IbmSigningKey.crt', and instead of downloading the certificate revocation list use the certificate
       revocation lists 'DigiCertCA.crl', 'IbmSigningKey.crl', and 'rootCA.crl'.

               pvattest create -k hkd.crt --arpk arp.key -o attreq.bin --cert DigiCertCA.crt --cert IbmSigningKey.crt --offline --crl DigiCertCA.crl --crl IbmSigningKey.crl --crl rootCA.crl
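       As an added example, not part of s390-tools or this man page: a POSIX sh wrapper that assembles the
       option list the way the two commands above do (repeating -k and --crl, adding --offline when CRL files
       are supplied) and keeps the single-use protection key private. The certificate and file names are
       constructed placeholders, and pvattest is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not s390-tools code): wrapper around 'pvattest create' that
# keeps the --arpk protection key private. File names are placeholders.

# Print the 'pvattest create' argument list for space-separated lists of
# host-key documents (at least one required) and CRLs (optional).
# Usage: pvattest_create_args HKD_LIST CRL_LIST ARPK OUTFILE
pvattest_create_args() {
    hkds=$1; crls=$2; arpk=$3; out=$4
    [ -n "$hkds" ] || return 1          # the man page requires >= 1 HKD
    set --
    for h in $hkds; do set -- "$@" -k "$h"; done
    set -- "$@" --arpk "$arpk" -o "$out" \
        --cert DigiCertCA.crt --cert IbmSigningKey.crt
    if [ -n "$crls" ]; then
        set -- "$@" --offline            # do not download CRLs; use local ones
        for c in $crls; do set -- "$@" --crl "$c"; done
    fi
    printf '%s\n' "$*"
}

# Return 0 only if FILE is a regular file readable by its owner alone
# (mode 0600), so the GCM-AES256 protection key is not exposed.
key_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Create the request with a restrictive umask, then confirm the key file
# came out private. Arguments as for pvattest_create_args.
create_request() {
    umask 077        # new files, including the protection key, are 0600
    # shellcheck disable=SC2046
    pvattest create $(pvattest_create_args "$@") || return 1
    key_file_is_private "$3"
}

# After 'pvattest verify' has succeeded, remove the single-use key.
discard_key() {
    if command -v shred >/dev/null 2>&1; then shred -u -- "$1"; else rm -f -- "$1"; fi
}
```

       File names in the lists are split on whitespace, so paths containing spaces are not supported by this
       wrapper.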

SEE ALSO

       pvattest(1), pvattest-verify(1), pvattest-perform(1)

s390-tools                                        07 June 2022                                pvattest-create(1)