Provided by: s390-tools_2.38.0-0ubuntu1_amd64

NAME

       pvsecret - Manage secrets for IBM Secure Execution guests

SYNOPSIS

       pvsecret [OPTIONS] <COMMAND>

DESCRIPTION

       Use pvsecret to manage secrets for IBM Secure Execution guests.  pvsecret can create add-secret requests
       on any architecture. On s390x systems, use pvsecret to add the secrets to the ultravisor secret store,
       list all secrets in the secret store, or lock the secret store to prevent any modifications in the
       future.

       The ultravisor secret store stores secrets for the IBM Secure Execution guest.  The secret store is
       cleared on guest reboot.

       Create requests only on trusted systems that are not the IBM Secure Execution guest where you want to
       inject the secrets. This approach prevents the secrets from being in cleartext on the guest. For extra
       safety, do an attestation with pvattest of your guest beforehand, and include the configuration UID in
       the secret request using --cuid. Refer to pvsecret-add(1) for more information. For all certificates,
       revocation lists, and host-key documents, both the PEM and DER input formats are supported.

PVSECRET COMMANDS

       pvsecret-create(1)
           Create a new add-secret request

       pvsecret-add(1)
           Submit an add-secret request to the Ultravisor (s390x only)

       pvsecret-lock(1)
           Lock the secret-store (s390x only)

       pvsecret-list(1)
           List all ultravisor secrets (s390x only)

       pvsecret-verify(1)
           Verify that an add-secret request is sane

       pvsecret-retrieve(1)
           Retrieve a secret from the UV secret store (s390x only)

OPTIONS

       -v, --verbose
           Provide more detailed output.

       -q, --quiet
           Provide less output.

       --version
           Print version information and exit.

       -h, --help
           Print help (see a summary with -h).

EXAMPLES

       Create the add-secret request on a trusted system. The program generates two files. addsecreq.bin
       contains the add-secret request. EXAMPLE.yaml contains the non-confidential information about the
       generated secret. It contains the name and ID of the secret.

            trusted:~$ pvsecret create -k hkd.crt --cert CA.crt --cert ibmsk.crt --hdr pvimage -o addsecreq.bin association EXAMPLE
            Successfully generated the request
            Successfully wrote association info to 'EXAMPLE.yaml'

       On the SE-guest, add the secret from the request to the secret store.

            seguest:~$ pvsecret add addsecreq.bin
            Successfully added the secret

       On the SE-guest, list the secrets currently stored.

            seguest:~$ pvsecret list
            Total number of secrets: 1

            0 Association:
                 94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2

       On the SE-guest, lock the secret store.

            seguest:~$ pvsecret lock
            Successfully locked secret store
            seguest:~$ pvsecret add addsecreq.bin
            error: Ultravisor: 'secret store locked' (0x0102)
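
       A locked secret store rejects further add-secret requests, so confirm that the expected secrets
       are listed before locking. The script below is an added example, not part of s390-tools; it
       assumes the pvsecret list text layout shown above, and the function names list_ids,
       reported_total and safe_to_lock are hypothetical.

```shell
#!/bin/sh
# Added example (not part of s390-tools): check `pvsecret list` output before
# running `pvsecret lock`. Assumes the text layout shown in EXAMPLES.

# Constructed sample input, copied from the listing in EXAMPLES.
SAMPLE_LISTING=$(cat <<'EOF'
Total number of secrets: 1

0 Association:
     94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2
EOF
)

# Print every 64-hex-digit secret ID found on stdin, lowercased, one per line.
list_ids() {
    while read -r line || [ -n "$line" ]; do
        case $line in
            ''|*[!0-9A-Fa-f]*) continue ;;
        esac
        if [ "${#line}" -eq 64 ]; then
            printf '%s\n' "$line" | tr 'A-F' 'a-f'
        fi
    done
}

# Print the N from the "Total number of secrets: N" line on stdin.
reported_total() {
    sed -n 's/^Total number of secrets: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# safe_to_lock LISTING ID...
# Succeeds only if the listing is self-consistent (reported total equals the
# number of IDs parsed) and contains every expected ID.
safe_to_lock() {
    listing=$1; shift
    ids=$(printf '%s\n' "$listing" | list_ids)
    total=$(printf '%s\n' "$listing" | reported_total)
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ -z "$total" ] || [ "$total" -ne "$count" ]; then
        echo "listing inconsistent: total='$total' parsed=$count" >&2
        return 1
    fi
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if ! printf '%s\n' "$ids" | grep -qxF "$want"; then
            echo "expected secret not in store: $want" >&2
            return 1
        fi
    done
}

safe_to_lock "$SAMPLE_LISTING" \
    94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2 &&
    echo "all expected secrets present; safe to run: pvsecret lock"
```

       On an SE-guest, pass the live listing instead of the sample, for example
       safe_to_lock "$(pvsecret list)" followed by the IDs recorded on the trusted system.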

SEE ALSO

       pvsecret-create(1) pvsecret-add(1) pvsecret-lock(1) pvsecret-list(1) pvsecret-verify(1)
       pvsecret-retrieve(1)

s390-tools                                         2024-12-19                                        PVSECRET(1)