Provided by: s390-tools_2.38.0-0ubuntu1_amd64

NAME

       pvattest-check - Check if the attestation result matches defined policies

SYNOPSIS

       pvattest check [OPTIONS] <IN> <OUT>

DESCRIPTION

       After the attestation verification, check whether the attestation result complies with user-defined
       policies.

OPTIONS

       <IN>
           Specify the attestation response to check against the policies.

       <OUT>
           Specify the output file for the check result.

       --format <FORMAT>
           Define the output format.  [default: 'yaml']

           Possible values:
               - yaml: Use yaml format.

       -k, --host-key-document <FILE>
           Use FILE to check for a host-key document. Verifies that the attestation response contains the
           host-key hash of one of the specified host keys. The check fails if none of the host-keys match the
           hash in the response. This parameter can be specified multiple times.

       --host-key-check <HOST_KEY_CHECKS>
           Define the host-key check policy. By default, all host-key hashes are checked, and it is not
           considered a failure if a hash is missing from the attestation response. Use this policy switch to
           trigger a failure if no corresponding hash is found. Requires at least one host-key document.

           Possible values:
               - att-key-hash: Check the host-key used for the attestation request.

               - boot-key-hash: Check the host-key used to boot the image.

       -u, --user-data <FILE>
           Check if the provided user data matches the data from the attestation response.

       --secret <FILE>
           Use FILE as a successful add-secret request. Checks whether the attestation response contains the
           hash of all specified add-secret request tags. The hash is sensitive to the order in which the
           secrets were added. This means that if the order in which they are specified here differs from the
           order in which the add-secret requests were sent to the UV, this check fails even though the same
           secrets are included in the UV secret store. Can be specified multiple times.

       --secret-store-locked <BOOL>
           Check whether the guest's secret store is locked or not. Compares the hash of the secret store state
           to the one calculated from this option and any specified add-secret requests, in the correct
           order. If the attestation response does not contain a secret store hash, this check fails.

           Required if add-secret requests are specified.

       --firmware
           Check whether the firmware is supported by IBM. Requires internet access.

       --firmware-verify-url <URL>
           Specify the endpoint to use for firmware version verification. Use an endpoint you trust. Requires
           the --firmware option.

       -h, --help
           Print help (see a summary with -h).
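
EXAMPLES

       The option dependencies documented above (--host-key-check needs a host-key document, --secret needs
       --secret-store-locked, --firmware-verify-url needs --firmware) can be linted before the tool runs. This
       is an added example, not part of s390-tools; the function names and file names are hypothetical, and
       only the "--option value" spelling is handled.

```shell
#!/bin/sh
# Added example (not from s390-tools): pre-flight lint for `pvattest check` arguments.
# Returns 0 when the documented option dependencies hold, 1 when one is violated,
# 2 when an option that takes a value is the last word on the command line.
pvattest_check_preflight() (
    hkd=0; hk_check=0; secrets=0; locked=0; fw=0; fw_url=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -k|--host-key-document)  hkd=$((hkd + 1)); n=2 ;;
            --host-key-check)        hk_check=1; n=2 ;;
            --secret)                secrets=$((secrets + 1)); n=2 ;;
            --secret-store-locked)   locked=1; n=2 ;;
            --firmware-verify-url)   fw_url=1; n=2 ;;
            -u|--user-data|--format) n=2 ;;
            --firmware)              fw=1; n=1 ;;
            *)                       n=1 ;;   # positional <IN> / <OUT>, or -h
        esac
        [ "$#" -ge "$n" ] || { echo "missing value for $1" >&2; exit 2; }
        shift "$n"
    done
    rc=0
    if [ "$hk_check" -eq 1 ] && [ "$hkd" -eq 0 ]; then
        echo "--host-key-check requires at least one --host-key-document" >&2; rc=1
    fi
    if [ "$secrets" -gt 0 ] && [ "$locked" -eq 0 ]; then
        echo "--secret requires --secret-store-locked" >&2; rc=1
    fi
    if [ "$fw_url" -eq 1 ] && [ "$fw" -eq 0 ]; then
        echo "--firmware-verify-url requires --firmware" >&2; rc=1
    fi
    exit "$rc"
)

# Run the real tool only when the option set is consistent.
# Pass the --secret files in the order the add-secret requests were sent to the UV;
# the arguments are forwarded unchanged, so that order is preserved.
pvattest_check_strict() {
    pvattest_check_preflight "$@" && pvattest check "$@"
}
```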

SEE ALSO

       pvattest(1)

s390-tools                                         2025-03-12                                  PVATTEST-CHECK(1)