pvsecret(1) UV-Secret Manual pvsecret(1)

NAME

pvsecret - Manage secrets for IBM Secure Execution guests

SYNOPSIS

pvsecret [OPTIONS] <COMMAND>

DESCRIPTION

Use pvsecret to manage secrets for IBM Secure Execution guests. pvsecret can create add-secret requests on any architecture. On s390x systems, use pvsecret to add the secrets to the ultravisor secret store, list all secrets in the secret store, or lock the secret store to prevent any modifications in the future.

The ultravisor secret store stores secrets for the IBM Secure Execution guest. The secret store is cleared on guest reboot.

Create requests only on trusted systems that are not the IBM Secure Execution guest where you want to inject the secrets. This approach prevents the secrets from being in cleartext on the guest. For extra safety, attest your guest with pvattest beforehand, and include the configuration UID in the secret request using --cuid. Refer to pvsecret-add(1) for more information. For all certificates, revocation lists, and host-key documents, both the PEM and DER input formats are supported.

OPTIONS

-v, --verbose

Provide more detailed output.

--version

Print version information and exit.

EXAMPLES

Create the add-secret request on a trusted system. The program generates three files: addsecreq.bin contains the add-secret request; EXAMPLE.yaml contains the non-confidential information about the generated secret, that is, its name and ID; EXAMPLE contains the plaintext secret that is encrypted in the request. The plaintext file can be used to generate add-secret requests for a different guest with the same secret. Destroy the secret when it is no longer used.

	trusted:~$ pvsecret create -k hkd.crt --cert CA.crt --cert ibmsk.crt --hdr pvimage -o addsecreq.bin association EXAMPLE
	Successfully generated the request
	Successfully wrote association info to 'EXAMPLE.yaml'
	Successfully wrote generated association secret to 'EXAMPLE'
On the SE-guest, add the secret from the request to the secret store.

	seguest:~$ pvsecret add addsecreq.bin
	Successfully added the secret
On the SE-guest, list the secrets currently stored.

	seguest:~$ pvsecret list
	Total number of secrets: 1
	0 Association:
		94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2

On the SE-guest, lock the secret store.

	seguest:~$ pvsecret lock
	Successfully locked secret store
	seguest:~$ pvsecret add addsecreq.bin
	error: Ultravisor: 'secret store locked' (0x0102)
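
The script below is an added example and is not part of pvsecret or s390-tools. It shows the check an operator wants after the workflow above: compare the secret ID recorded in the YAML file that pvsecret create wrote on the trusted system against the output of pvsecret list on the guest, verify that the listing's "Total number of secrets" header agrees with the IDs actually printed, and classify the output of pvsecret add so that the locked-store error shown above is recognized rather than treated as a generic failure. The YAML id: key and the exact layout of the list output are assumptions; the embedded samples are constructed (the list output is copied from the example above).

```shell
#!/bin/sh
# Added example (not part of pvsecret or s390-tools): after `pvsecret add` on the
# SE guest, confirm that the secret recorded in the YAML file written by
# `pvsecret create` on the trusted system is actually in the ultravisor secret
# store, and classify the result of `pvsecret add` (including the locked-store
# error shown in the EXAMPLES section).
#
# Assumptions, not taken from the man page: the YAML file carries the secret ID
# under an `id:` key (optionally with a 0x prefix), and `pvsecret list` prints
# each secret as "<index> <type>:" followed by the 64-hex-digit ID on an
# indented line, as in the EXAMPLES section.

# Constructed sample of EXAMPLE.yaml (key name assumed).
SAMPLE_YAML='name: EXAMPLE
id: 94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2'

# Constructed sample of `pvsecret list` output, copied from the EXAMPLES section.
SAMPLE_LIST='Total number of secrets: 1
0 Association:
        94ee059335e587e501cc4bf90613e0814f00a7b08bc7c648fd865a2af6a22cc2'

# extract_expected_id YAML_TEXT: print the secret ID from the YAML, lower-case, no 0x prefix.
extract_expected_id() {
    printf '%s\n' "$1" \
        | sed -n 's/^id:[[:space:]]*//p' \
        | sed 's/^0[xX]//' \
        | tr -d '[:space:]' \
        | tr 'A-F' 'a-f'
}

# list_secret_ids LIST_TEXT: print one 64-hex-digit ID per line from `pvsecret list` output.
list_secret_ids() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*\([0-9a-fA-F]\{64\}\)[[:space:]]*$/\1/p' \
        | tr 'A-F' 'a-f'
}

# secret_present ID LIST_TEXT: succeed only if ID is one of the listed secrets.
secret_present() {
    list_secret_ids "$2" | grep -qx "$1"
}

# store_count_matches LIST_TEXT: succeed if the "Total number of secrets" header
# agrees with the number of IDs actually printed (a truncated listing fails).
store_count_matches() {
    declared=$(printf '%s\n' "$1" | sed -n 's/^Total number of secrets:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    found=$(list_secret_ids "$1" | wc -l | tr -d ' ')
    [ -n "$declared" ] && [ "$declared" = "$found" ]
}

# classify_add_output TEXT: map the output of `pvsecret add` to added | locked | failed.
classify_add_output() {
    case $1 in
        *"Successfully added the secret"*) echo added ;;
        *"secret store locked"*)           echo locked ;;
        *)                                 echo failed ;;
    esac
}

# Stand-alone run over the constructed samples; on a real guest replace the
# samples with the contents of EXAMPLE.yaml and the output of `pvsecret list`.
expected=$(extract_expected_id "$SAMPLE_YAML")
if store_count_matches "$SAMPLE_LIST" && secret_present "$expected" "$SAMPLE_LIST"; then
    echo "secret $expected is present in the ultravisor secret store"
else
    echo "secret $expected is NOT in the secret store (or the listing is inconsistent)" >&2
fi
echo "add result: $(classify_add_output "error: Ultravisor: 'secret store locked' (0x0102)")"
```

On a guest, feed the script the real files: extract_expected_id "$(cat EXAMPLE.yaml)" and secret_present "$expected" "$(pvsecret list)". Because the plaintext secret file is never read, the check can run on the guest without the secret leaving the request.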

SEE ALSO

pvsecret-create(1) pvsecret-add(1) pvsecret-lock(1) pvsecret-list(1) pvsecret-version(1)

2023-07-28 s390-tools