Binding the request to a specific guest instance
Use the --cuid option to pass the result of attestation verification to the pvsecret create command and so enhance its security.
This ensures that your add-secret request can only be used for one specific instance of a Secure Execution guest.
Before you begin
About this task
Assume that during attestation of an image, the attestation verification saves the Configuration
Unique ID (CUID) to, for example, cuid.yaml.
# pvattest verify <other_verify_options> -i attestationResponse --format=yaml -o cuid.yaml
where:
- -i attestationResponse specifies the attestation request created to be verified.
- --format=yaml defines the output format. The default is yaml.
- -o cuid.yaml writes the verification result to the specified file.
Procedure
To generate a new add-secret request with a random secret, the hash value of
myConfidentialSecret as identifier, and the CUID of cuid.yaml, issue:
[trusted]# pvsecret create association -k <host_key_document> --hdr <SEL_header> -o <request_file> -C <CA_certificate> -C <IBM_signing_certificate> --cuid <cuid_file> <name>
where:
- association specifies that the add-secret request is for an association secret.
- -k <host_key_document> specifies the host key document.
- --hdr <SEL_header> specifies the header of the KVM guest.
- -o <request_file> specifies the file that contains the generated add-secret request.
- -C <CA_certificate> specifies the certificate that is used to establish a chain of trust for the verification of the host key documents. Specify this option twice to specify the IBM Z signing-key certificate and the intermediate CA certificate (signed by the root CA).
- --cuid <cuid_file> specifies the file that contains the CUID saved by the attestation verification (cuid.yaml in this example).
- <name> is a string that identifies the new secret. Strings are hashed with SHA-256 to form the ID that is used by the ultravisor. The ID is saved in <name>.yaml with white-spaces mapped to underscores ( _ ).
For example, to use:
- a host-key document z16.crt
- a guest header se.hdr
- a CA certificate DigiCert.crt
- an IBM signing key ibm-sign.crt
- myConfidentialSecret as identifier, and the CUID of cuid.yaml, issue:
[trusted]# pvsecret create association -k z16.crt --hdr se.hdr -o addSecretReq -C DigiCertCA.crt \
    -C ibm-sign.crt --cuid cuid.yaml "myConfidentialSecret"
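The ID that the ultravisor uses for the secret is, as described above, the SHA-256 hash of the <name> string, and pvsecret records it in <name>.yaml with white-spaces mapped to underscores. The following added helper (not part of pvsecret or the IBM documentation) recomputes that ID and the expected ID file name so that you can confirm the generated ID file matches the name you intended before handing the request to the guest; it assumes the name is hashed as its UTF-8 bytes without a trailing newline, and that the hex ID appears somewhere in the ID file (its exact key layout is not assumed).

```python
import hashlib
import re


def secret_id_for_name(name: str) -> str:
    """Hex SHA-256 of the secret name, which is the ID the ultravisor uses.

    Assumption: the string is hashed as its UTF-8 bytes with no trailing newline.
    """
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def id_file_name(name: str) -> str:
    """Expected name of the ID file written by pvsecret: <name>.yaml with
    white-spaces mapped to underscores (assumed: one '_' per whitespace char)."""
    return re.sub(r"\s", "_", name) + ".yaml"


def id_file_matches(name: str, id_file_text: str) -> bool:
    """True if the ID file text contains the SHA-256 ID expected for `name`.

    Only a case-insensitive search for the 64-character hex ID is done, so the
    check does not depend on the exact key layout of the YAML file.
    """
    expected = secret_id_for_name(name)
    return expected in id_file_text.lower()


if __name__ == "__main__":
    # Constructed sample: the name from the page and a minimal ID-file text.
    name = "myConfidentialSecret"
    sample_id_file = "id: " + secret_id_for_name(name) + "\n"
    print(id_file_name(name), id_file_matches(name, sample_id_file))
```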