Extracting an IBM SEL header

Use the pvextract-hdr script to obtain the IBM SEL header from the Secure Execution image of a KVM guest that runs in Secure Execution mode.

Before you begin

When pvattest is installed, a script called pvextract-hdr is installed with it. If the script is missing, you can obtain it from GitHub at: https://github.com/ibm-s390-linux/s390-tools/tree/master/rust/pvattest/tools/pvextract-hdr

About this task

The Secure Execution image that is used to start a secure guest includes a Secure Execution header (SE-header). The SE-header holds the metadata that the Ultravisor needs to verify the integrity of the Secure Execution image and to unpack it. The SE-header does not need to be kept secret: it is protected so that only the Ultravisor of a target host for which the image was prepared can verify its integrity and access the confidential data within it.

To create attestation requests and add-secret requests, you must pass the SE-header as an argument to the respective request-creation tool. Because the SE-header is part of the image, you can extract it from a Secure Execution image on any Linux system whenever you need it, not only on the secure guest.

Procedure

Use the pvextract-hdr script to extract the SE-header from the Secure Execution image of the KVM guest.
Use a command of the following form:
[secguest]# pvextract-hdr -o <header_file> <path/to/image>
where:
  • -o <header_file> specifies the file to which the extracted header is written.
  • <path/to/image> is the path to the Secure Execution image from which the header is extracted.
In the following example, the header is extracted from /boot/seimage and written to hdr.bin:
[secguest]# pvextract-hdr -o hdr.bin /boot/seimage
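
The following script is an added example, not the pvextract-hdr script from s390-tools and not part of this procedure. It shows the checks a practitioner can run on the result of the extraction: it locates the SE-header inside an image, reads the header length from the header itself, copies the header out, and then verifies that the extracted file starts with the header magic and is exactly as long as the header declares, so that a truncated or mislocated header is caught before it is used in an attestation request. It assumes the header layout that the extraction relies on: the 8-byte magic "IBMSecEx" at the start of the header, a 4-byte version field, and a 4-byte big-endian physical header size that covers the whole header. The function names and the sample image that the script builds are constructed for this example; the sample is not a real Secure Execution image.

```shell
#!/bin/sh
# Added example: locate, extract and sanity-check an SE-header.
# This is not the pvextract-hdr script. Assumed header layout:
#   offset 0:  8-byte magic "IBMSecEx"
#   offset 8:  4-byte version
#   offset 12: 4-byte big-endian physical header size (phs), the length of
#              the whole header including the magic
SE_MAGIC="IBMSecEx"

# Print the byte offset of the first SE-header magic in <file>; fail if absent.
se_hdr_offset() {
    off=$(grep -oba "$SE_MAGIC" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$off" ] || return 1
    printf '%s\n' "$off"
}

# Print the physical header size (decimal bytes) stored at <offset>+12 of <file>.
se_hdr_size() {
    hex=$(od -An -tx1 -j "$(($2 + 12))" -N 4 "$1" | tr -d ' \n')
    [ ${#hex} -eq 8 ] || return 1      # fewer than 4 bytes: not a header
    printf '%d\n' "0x$hex"
}

# Copy the SE-header out of <image> into <out>; same effect as
# "pvextract-hdr -o <out> <image>" on an image with this layout.
se_hdr_extract() {
    img=$1
    out=$2
    off=$(se_hdr_offset "$img") || { echo "no SE-header magic in $img" >&2; return 1; }
    size=$(se_hdr_size "$img" "$off") || { echo "cannot read header size from $img" >&2; return 1; }
    dd if="$img" of="$out" bs=1 skip="$off" count="$size" 2>/dev/null
}

# Check an extracted header file: magic at offset 0 and file length equal to phs.
se_hdr_verify() {
    hdr=$1
    off=$(se_hdr_offset "$hdr") || return 1
    [ "$off" -eq 0 ] || return 1
    size=$(se_hdr_size "$hdr" 0) || return 1
    actual=$(wc -c < "$hdr" | tr -d ' ')
    [ "$actual" -eq "$size" ]
}

# Build a constructed stand-in for /boot/seimage: 22 bytes of unrelated data,
# then a 64-byte header (magic, version, phs=64, 48 bytes of zero filler),
# then trailing image data. Real images are far larger; this is for the example.
make_sample_image() {
    {
        printf 'PADDING-BEFORE-HEADER\n'
        printf 'IBMSecEx'
        printf '\000\000\001\000'          # version 0x00000100
        printf '\000\000\000\100'          # phs = 0x40 = 64 bytes
        dd if=/dev/zero bs=1 count=48 2>/dev/null
        printf 'TRAILING-IMAGE-DATA\n'
    } > "$1"
}

# Stand-alone use: ./se_hdr_check.sh <image> <header_file>
if [ "$#" -eq 2 ]; then
    se_hdr_extract "$1" "$2" && se_hdr_verify "$2" \
        && echo "header OK: $2 ($(se_hdr_size "$2" 0) bytes)"
fi
```

Run se_hdr_verify on the hdr.bin that pvextract-hdr produced before you hand it to an attestation or add-secret request; a header whose declared size and file length disagree was extracted from the wrong offset or cut short and will not be accepted by the target host.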

Results

The pvextract-hdr script writes the SE-header to the file that you specified with -o. Use this file when you create an attestation request or an add-secret request for the image.

What to do next

Make sure that the secure guest does not include any non-secure partitions or files on disk. See Guard against non-secure partitions and files on disk.