Provided by: s390-tools_2.38.0-0ubuntu1_amd64

NAME

       pvattest-verify - Verify an attestation response

SYNOPSIS

       pvattest verify [OPTIONS] --input <FILE> --hdr <FILE> --arpk <FILE>

DESCRIPTION

       Verify that a previously generated attestation measurement of an IBM Secure Execution guest is as
       expected. Only verify attestation requests in a trusted environment, such as your workstation. Input must
       contain the response as produced by 'pvattest perform'. The protection key must be the one that was used
       to create the request by 'pvattest create'. Shred the protection key after the verification. The header
       must be the IBM Secure Execution header of the image that was attested during 'pvattest perform'. The
       verify command solely verifies that the attestation measurement is correct. It does not check the
       content of additional data or user data. See `pvattest check` for policy checks after you have verified
       the attestation measurement.

OPTIONS

       -i, --input <FILE>
           Specify the attestation response to be verified.

       -o, --output <FILE>
           Specify the output for the verification result.

       --hdr <FILE>
           Specify the header of the guest image. Can be an IBM Secure Execution image created by genprotimg
           or an extracted IBM Secure Execution header. The header must start at a page boundary.

       -a, --arpk <FILE>
           Use FILE as the protection key to decrypt the request. Do not publish this key, otherwise your
           attestation is compromised. Delete this key after verification.

       --format <FORMAT>
           Define the output format.  [default: 'yaml']

           Possible values:
               - yaml: Use yaml format.

       -u, --user-data <FILE>
           Write the user data, if the response contains any, to FILE. The user data is part of the
           attestation measurement. If the user data is written to FILE, it was part of the measurement and
           verified. Emits a warning if the response contains no user data.

       -h, --help
           Print help (see a summary with -h).

EXIT STATUS

       0 - Attestation Verified
               Attestation measurement verified successfully. Measured guest is in Secure Execution mode.

       1 - Program Error
               Something went wrong during the local calculation or receiving of the measurement value. Refer to
               the error message.

       2 - Attestation NOT Verified
               Attestation measurement calculation does not match the received value. Measured guest is very
               likely not in Secure Execution mode.

EXAMPLES

       To verify the measurement in 'attresp.bin' with the protection key 'arp.key' and SE-guest header
       'se_guest.hdr':

              $ pvattest verify --input attresp.bin --arpk arp.key --hdr se_guest.hdr

       If the verification was successful the program exits with zero. If the verification failed it exits
       with 2 and prints the following to stderr:

               ERROR: Attestation measurement verification failed:
                      Calculated and received attestation measurement are not the same.
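
       The following wrapper is an added example, not part of s390-tools. It acts on the three exit statuses
       above and shreds the protection key once a verdict is reached. The function name verify_attestation,
       the choice to keep the key on exit status 1, and the rm fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around 'pvattest verify' (not part of s390-tools).
# Usage: verify_attestation <response> <se-header> <protection-key> <result-file>
verify_attestation() {
    va_resp=$1 va_hdr=$2 va_arpk=$3 va_out=$4

    # Fail early, with the "program error" status, if an input is unreadable.
    for va_f in "$va_resp" "$va_hdr" "$va_arpk"; do
        [ -r "$va_f" ] || { echo "missing input: $va_f" >&2; return 1; }
    done

    # The protection key must stay private: restrict it to the current user.
    chmod 600 "$va_arpk" || return 1

    # Capture the exit status without tripping 'set -e' in calling scripts.
    va_rc=0
    pvattest verify --input "$va_resp" --hdr "$va_hdr" \
        --arpk "$va_arpk" --output "$va_out" || va_rc=$?

    case $va_rc in
        0|2)
            # A verdict was reached, so the key is no longer needed.
            if command -v shred >/dev/null 2>&1; then
                shred -u "$va_arpk"
            else
                rm -f "$va_arpk"   # assumption: plain delete where shred is absent
            fi
            ;;
    esac

    case $va_rc in
        0) echo "verified: measured guest is in Secure Execution mode" ;;
        2) echo "NOT verified: do not provision secrets to this guest" >&2
           rm -f "$va_out" ;;      # drop any result file so nothing consumes it
        *) echo "program error (exit $va_rc): key kept for a retry" >&2 ;;
    esac
    return "$va_rc"
}
```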

SEE ALSO

       pvattest(1)

s390-tools                                         2025-03-12                                 PVATTEST-VERIFY(1)