Binding the request to a specific guest instance

Use the --cuid option of the pvsecret create command to bind the add-secret request to the Configuration Unique ID (CUID) that the attestation response of the guest carries.

This ensures that your add-secret request can only be used for a specific instance of a secure-execution guest.

Before you begin

For the pvattest command, s390-tools version 2.29 or later is required. The guest must be up and running.

About this task

Assume that during attestation of an image, the attestation verification saves the Configuration Unique ID (CUID) to, for example, cuid.yaml.
# pvattest verify <other_verify_options> -i attestationResponse --format=yaml -o cuid.yaml
where:
  • -i attestationResponse specifies the attestation response that is to be verified.
  • --format=yaml defines the output format. The default is yaml.
  • -o cuid.yaml writes the verification result to the specified file.

Procedure

To generate a new add-secret request with a random secret that is bound to the CUID saved by the attestation verification, issue:
[trusted]# pvsecret create association -k <host_key_document> --hdr <SEL_header> \
-o <request_file> -C <CA_certificate> -C <IBM_signing_certificate> \
--cuid <cuid_file> <name>
where:
  • association specifies that the add-secret request is for an association secret.
  • -k <host_key_document> specifies the host key document.
  • --hdr <SEL_header> specifies the header of the KVM guest.
  • -o <request_file> specifies the file that contains the generated add-secret request.
  • -C <CA_certificate> specifies the certificate that is used to establish a chain of trust for the verification of the host key documents. Specify this option twice to specify the IBM Z signing-key certificate and the intermediate CA certificate (signed by the root CA).
  • --cuid <cuid_file> specifies the file that holds the CUID saved by pvattest verify (cuid.yaml in the example). The ultravisor accepts the resulting request only on the guest instance that has this CUID.
  • <name> A string that identifies the new secret. Strings are hashed with SHA-256 to form the ID that is used by the ultravisor. The ID is saved in <name>.yaml with white-spaces mapped to underscores ( _ ).
For example, to use:
  • a host-key document z16.crt
  • a guest header se.hdr
  • a CA certificate DigiCertCA.crt
  • an IBM signing key ibm-sign.crt
and create an add-secret request with a random secret, the hash value of myConfidentialSecret as identifier, and the CUID of cuid.yaml, issue:
[trusted]# pvsecret create association -k z16.crt --hdr se.hdr -o addSecretReq -C DigiCertCA.crt \
-C ibm-sign.crt --cuid cuid.yaml "myConfidentialSecret"

Results

The command writes the ID to myConfidentialSecret.yaml and the encrypted request to addSecretReq. If the CUID in the request does not match the CUID of the guest instance to which the secret is added, pvsecret add fails on that guest. The CUID is unique to each guest instance and changes with a reboot.
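The following script is an added example, not part of the original page or of s390-tools. It wraps the procedure on the trusted system: it runs pvattest verify, refuses to call pvsecret create unless a CUID file was actually written, and afterwards checks that the ID file contains the SHA-256 hash of the secret name, which is how the ID used by the ultravisor is formed. The file names (z16.crt, se.hdr, DigiCertCA.crt, ibm-sign.crt, addSecretReq, cuid.yaml) are taken from the example above and are assumptions for your setup; the remaining pvattest verify options that this page does not spell out are passed through as extra arguments. The ID check assumes only that the hash appears in the ID file as a hex string.

```shell
#!/bin/sh
# Added example (not from the original page or s390-tools). Runs the
# attestation verification and the add-secret request creation on the
# trusted system, with checks before and after. Requires s390-tools >= 2.29.
set -eu

# SHA-256 of the secret name: this is the ID that the ultravisor uses for
# the secret (see the description of <name> above).
secret_id() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d ' ' -f 1
    fi
}

# Name of the YAML file that pvsecret create writes the ID to: white space
# in the name is mapped to underscores, then ".yaml" is appended.
secret_id_file() {
    printf '%s.yaml' "$(printf '%s' "$1" | tr '[:space:]' '_')"
}

# Verify that the ID file written for a secret name contains the SHA-256
# of that name. Assumption: the ID is stored as a hex string (either case);
# the exact layout of the file is not described on this page.
check_id_file() {
    idfile=$1
    name=$2
    grep -qi "$(secret_id "$name")" "$idfile"
}

# Complete flow. $1: attestation response from pvattest perform on the guest,
# $2: secret name, remaining arguments: the other pvattest verify options
# your attestation needs (not specified on this page). Only runs when the
# script is invoked with arguments, because it needs the real tools and files.
run_flow() {
    response=$1
    name=$2
    shift 2

    # Save the CUID of the running guest instance from the attestation response.
    pvattest verify "$@" -i "$response" --format=yaml -o cuid.yaml

    # Never create an unbound request by accident: insist on a non-empty CUID file.
    if [ ! -s cuid.yaml ]; then
        echo "pvattest verify wrote no CUID; refusing to create the request" >&2
        return 1
    fi

    # Create the add-secret request bound to that CUID (file names are assumptions).
    pvsecret create association -k z16.crt --hdr se.hdr -o addSecretReq \
        -C DigiCertCA.crt -C ibm-sign.crt --cuid cuid.yaml "$name"

    # The ID file must carry the SHA-256 of the name we passed in.
    check_id_file "$(secret_id_file "$name")" "$name"
}

if [ $# -ge 2 ]; then
    run_flow "$@"
fi
```

Invoke it as `./bind-secret.sh attestationResponse "myConfidentialSecret" <other_verify_options>`; the request in addSecretReq is then usable only on the guest instance whose CUID was saved in cuid.yaml, and a reboot of that guest invalidates it.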