Using a customer-communication-key based extension secret
Use the pvsecret create command with the -cck option to use an RFC-5869-HKDF derivative of the customer communication key (CCK) to enhance security of the pvsecret create command.
This ensures that only the builder of the secure-execution header, that is, someone who knows the CCK, can add add-secrets request to the guest instance.
About this task
# pvimg create <other_pvimg_options> --enable-cck-extension-secret -cck <cck_file> If
that option was specified at image creation, the add-secret request must use the corresponding
-cck <cck_file> option. For details about using pvimg create to create an image, see Securing the guest.The pvsecret command derives the extension secret from the CCK by performing an RFC-5869 HMAC-based extract-and-expand key derivation function (HKDF) operation with hashed message authentication code (HMAC) SHA-512 and "IBM Z Ultravisor Add-Secret" as information material. The firmware verifies that the extension secret was indeed derived from the CCK; otherwise it aborts the operation.
Procedure
[trusted]# pvsecret create association -k <host_key_document> --hdr <SEL_header> -o <request_file> -C <CA_certificate> -C <IBM_signing_certificate> --cck <cck_file> <name>where:
- association specifies that the add-secret request is for an association secret.
-k <host_key_document>specifies the host key document.--hdr <SEL_header>specifies the header of the KVM guest.-o <request_file>specifies the file that contains the generated add-secret request.-C <CA_certificate>specifies the certificate that is used to establish a chain of trust for the verification of the host key documents. Specify this option twice to specify the IBM Z signing-key certificate and the intermediate CA certificate (signed by the root CA).--cck <cck_file>specifies the customer-communication key (CCK) to derive the extension secret.- <name> A string that identifies the new secret. Strings are hashed with SHA-256 to form the ID that is used by the ultravisor. The ID is saved in <name>.yaml with white-spaces mapped to underscores ( _ ).
- a host-key document z16.crt
- a guest header se.hdr
- a CA certificate DigiCert.crt
- an IBM signing key ibm-sign.crt
myConfidentialSecretand derive the extension secret from the CCK:
[trusted]# pvsecret create association -k z16.crt --hdr se.hdr -o addSecretReqCCK -C DigiCertCA.crt -C ibm-sign.crt --cck cck "myConfidentialSecret"
If the CCK does not match the CCK of the running guest instance, pvsecret add fails.