Provided by: s390-tools_2.37.0-0ubuntu2_amd64

NAME

       pvattest create - Create an attestation measurement request

SYNOPSIS

       pvattest create [OPTIONS] --host-key-document <FILE> --output <FILE> --arpk <FILE> <--no-verify|--cert <FILE>>

DESCRIPTION

       Create attestation measurement requests to attest an IBM Secure Execution guest.  Only build attestation
       requests in a trusted environment such as your workstation. To avoid compromising the attestation, do not
       publish the attestation request protection key and shred it after verification. Every

OPTIONS

       -k, --host-key-document <FILE>
           Use FILE as a host-key document. Can be specified multiple times and must be specified at least once.

       --no-verify
           Disable the host-key document verification. Does not require the host-key documents to be valid. Do
           not use for a production request unless you verified the host-key document beforehand.

       -C, --cert <FILE>
           Use FILE as a certificate to verify the host-key or keys. The certificates are used to establish a
           chain of trust for the verification of the host-key documents. Specify this option twice to specify
           the IBM Z signing key and the intermediate CA certificate (signed by the root CA).

       --crl <FILE>
           Use FILE as a certificate revocation list (CRL). The list is used to check whether a certificate of
           the chain of trust is revoked. Specify this option multiple times to use multiple CRLs.

       --offline
           Make no attempt to download CRLs.

       --root-ca <ROOT_CA>
           Use FILE as the root-CA certificate for the verification. If omitted, the system-wide root CAs
           installed on the system are used. Use this only if you trust the specified certificate.

       -o, --output <FILE>
           Write the generated request to FILE.

       -a, --arpk <FILE>
           Save the protection key as an unencrypted GCM-AES256 key in FILE. Do not publish this key, otherwise
           your attestation is compromised.

       --add-data <FLAGS>
           Specify additional data for the request. Additional data is provided by the Ultravisor and returned
           during the attestation request and is covered by the attestation measurement. Can be specified
           multiple times. Optional.

           Possible values:
               - phkh-img: Request the public host-key-hash of the key that decrypted the SE-image as
               additional-data.

               - phkh-att: Request the public host-key-hash of the key that decrypted the attestation request as
               additional-data.

               - secret-store-hash: Request a hash over all successful Add-secret requests and the lock state as
               additional-data.

               - firmware-state: Request the state of the firmware as additional-data.

       -h, --help
           Print help (see a summary with '-h').

EXAMPLES

       Create an attestation request with the protection key 'arp.key', write the request to 'arcb.bin', and
       verify the host-key document using the CA-signed key 'DigiCertCA.crt' and the intermediate key
       'IbmSigningKey.crt'.

              $ pvattest create -k hkd.crt --arpk arp.key -o arcb.bin --cert DigiCertCA.crt --cert IbmSigningKey.crt

       Create an attestation request with the protection key 'arp.key', write the request to 'arcb.bin', verify
       the host-key document using the CA-signed key 'DigiCertCA.crt' and the intermediate key
       'IbmSigningKey.crt', and instead of downloading the certificate revocation list use certificate
       revocation lists 'DigiCertCA.crl', 'IbmSigningKey.crl', and 'rootCA.crl'.

              $ pvattest create -k hkd.crt --arpk arp.key -o arcb.bin --cert DigiCertCA.crt --cert IbmSigningKey.crt --offline --crl DigiCertCA.crl --crl IbmSigningKey.crl --crl rootCA.crl
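       The two examples above as a POSIX shell wrapper. This is an added example, not code from s390-tools: it
       assembles the 'pvattest create' argument list from the options documented in this page, rejects command
       lines that violate the SYNOPSIS (no host-key document, or --no-verify combined with --cert) or this
       wrapper's own policy (--offline without a local CRL), runs the tool under umask 077 so the protection key
       is not readable by other users, and removes the key after verification as the DESCRIPTION asks. The
       function names, the MODE keyword and the file names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not s390-tools code): build and run a 'pvattest create'
# command line from the documented options, and handle the ARPK with care.
# Function names, the MODE keyword and the sample file names are assumptions
# of this example, not part of pvattest.

# build_create_args MODE OUTPUT ARPK HKD... -- CERT... -- CRL...
#   MODE is one of: verify | offline | no-verify
# Prints the argument list on success; returns 1 on a grammar violation.
build_create_args() {
    mode=$1; out=$2; arpk=$3
    shift 3
    args="create --output $out --arpk $arpk"

    # One or more host-key documents (-k) are mandatory.
    nhkd=0
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        args="$args --host-key-document $1"; nhkd=$((nhkd + 1)); shift
    done
    [ "$nhkd" -ge 1 ] || { echo "error: at least one host-key document is required" >&2; return 1; }
    [ $# -eq 0 ] || shift   # drop the '--' separator

    # Certificates for the chain of trust (IBM Z signing key + intermediate CA).
    ncert=0
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        args="$args --cert $1"; ncert=$((ncert + 1)); shift
    done
    [ $# -eq 0 ] || shift

    # Local CRLs, used instead of downloads when --offline is given.
    ncrl=0
    while [ $# -gt 0 ]; do
        args="$args --crl $1"; ncrl=$((ncrl + 1)); shift
    done

    case $mode in
    verify)
        [ "$ncert" -ge 1 ] || { echo "error: verify mode needs --cert" >&2; return 1; }
        ;;
    offline)
        # Policy of this wrapper, not a tool requirement: offline verification
        # only with a local CRL, so revocation is still checked.
        [ "$ncert" -ge 1 ] || { echo "error: offline mode needs --cert" >&2; return 1; }
        [ "$ncrl" -ge 1 ] || { echo "error: offline mode needs --crl" >&2; return 1; }
        args="$args --offline"
        ;;
    no-verify)
        # The SYNOPSIS group <--no-verify|--cert FILE> is treated as exclusive.
        [ "$ncert" -eq 0 ] || { echo "error: --no-verify excludes --cert" >&2; return 1; }
        args="$args --no-verify"
        ;;
    *)
        echo "error: unknown mode '$mode'" >&2; return 1
        ;;
    esac
    printf '%s\n' "$args"
}

# run_create: invoke pvattest in a subshell with umask 077 so the ARPK and the
# request file are created without group/world read permission.
run_create() {
    argline=$(build_create_args "$@") || return 1
    # Word splitting of $argline is intentional (plain file names only).
    ( umask 077 && pvattest $argline )
}

# discard_arpk FILE: remove the protection key once the measurement has been
# verified; overwrite it first where shred(1) is available.
discard_arpk() {
    if command -v shred >/dev/null 2>&1; then
        shred -u -- "$1"
    else
        rm -f -- "$1"
    fi
    [ ! -e "$1" ]
}

# Usage (file names are constructed for this example):
#   run_create offline arcb.bin arp.key hkd.crt -- DigiCertCA.crt IbmSigningKey.crt -- DigiCertCA.crl IbmSigningKey.crl rootCA.crl
#   ... perform and verify the attestation with arp.key ...
#   discard_arpk arp.key
```

       The 'verify' mode corresponds to the first example above, 'offline' to the second; 'no-verify' is
       only accepted when no --cert is given, mirroring the SYNOPSIS.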

SEE ALSO

       pvattest(1)

s390-tools                                         2024-12-05                                 pvattest-create(1)