Binding the request to a specific guest instance

Use the --cuid option of pvsecret create to feed the CUID from a verified attestation response into the add-secret request. This enhances the security of the request because the Ultravisor checks the CUID before it accepts the secret.

This ensures that your add-secret request can only be used for a specific instance of a secure-execution guest.

Before you begin

For the pvattest command, s390-tools version 2.29 or later is required.

About this task

Assume that during attestation of an image, the attestation verification saves the Configuration Unique ID (CUID) to, for example, cuid.yaml.
# pvattest verify <other_verify_options> -i attestationResponse --format=yaml -o cuid.yaml

Procedure

To generate a new add-secret request with a random secret, the hash value of myConfidentialSecret as the identifier, and the CUID taken from cuid.yaml, issue:
[trusted]# pvsecret create -k z16.crt --hdr se.hdr -o addSecretReq -C DigiCertCA.crt \
-C ibm-sign.crt --cuid cuid.yaml association "myConfidentialSecret"

Results

The command writes the ID to myConfidentialSecret.yaml and the encrypted request to addSecretReq. If the CUID does not match the CUID from the attestation of the running guest instance, pvsecret add fails. The CUID is unique to each guest instance and changes with a reboot.
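The following script is an added example, not part of the IBM documentation or of s390-tools. It wraps the host-side steps above (verify the attestation response, pull the CUID out of the YAML, sanity-check it, then create the bound request) and records the ordering a practitioner has to respect: the CUID changes on every reboot of the guest, so the request must be re-created from a fresh attestation after each reboot, and pvsecret add inside the guest rejects a request created for a previous instance. Assumptions: the YAML written by pvattest verify carries the CUID on a top-level line of the form `cuid: <hex>` (key name assumed), a CUID is a 128-bit big-endian hex string with all leading zeros present (optionally prefixed with 0x), and file and certificate names are the ones from the page or constructed.

```shell
#!/bin/sh
# Added example: host-side workflow for binding an add-secret request to one guest instance.
# Tool names (pvattest, pvsecret) and their options are taken from the page; everything else is assumed.

# Check that a CUID string is a full 128-bit hex value (32 hex digits, optional 0x prefix).
# Rejecting short or malformed values here avoids building a request the Ultravisor will reject later.
cuid_is_valid() {
    h=${1#0x}                                   # strip optional 0x prefix
    [ "${#h}" -eq 32 ] || return 1              # leading zeros must be present: exactly 32 nibbles
    case "$h" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# Extract the CUID from the YAML written by `pvattest verify --format=yaml -o cuid.yaml`.
# Assumption: a top-level line `cuid: <value>` (first match wins).
cuid_from_yaml() {
    sed -n 's/^cuid:[[:space:]]*//p' "$1" | head -n 1
}

# Verify an attestation response and save the CUID (step from the "About this task" section).
# $1 = attestation response file, $2 = output YAML, remaining args = other pvattest verify options.
verify_attestation() {
    resp=$1; out=$2; shift 2
    pvattest verify "$@" -i "$resp" --format=yaml -o "$out"
}

# Create an add-secret request bound to the CUID in $1 (the "Procedure" step).
# Certificate and header file names follow the page; they are placeholders for your own files.
create_bound_request() {
    cuid_file=$1; secret_name=$2; req_out=$3
    cuid=$(cuid_from_yaml "$cuid_file") || return 1
    if ! cuid_is_valid "$cuid"; then
        echo "refusing to bind: '$cuid' is not a 128-bit hex CUID" >&2
        return 1
    fi
    pvsecret create -k z16.crt --hdr se.hdr -o "$req_out" \
        -C DigiCertCA.crt -C ibm-sign.crt \
        --cuid "$cuid_file" association "$secret_name"
}

# Usage (run on the trusted host; the tools are not executed when this file is only sourced):
#   verify_attestation attestationResponse cuid.yaml --hdr se.hdr --arpk arpk
#   create_bound_request cuid.yaml myConfidentialSecret addSecretReq
# Then, inside the *same* guest instance: pvsecret add addSecretReq
# After the guest reboots, its CUID changes: repeat both host-side steps before adding a secret again.
```

The validity check is deliberately strict about length: the Ultravisor compares the full 128-bit value, so a CUID that lost its leading zeros through careless copying would never match, and the failure would only surface later as a rejected pvsecret add inside the guest.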