nfkmverify
nfkmverify [-fvU] [-m MODULE] [appname ident [appname ident [...]]]
Establishes the soundness of security world infrastructure and application keys.
nfkmverify options
Option | Description |
---|---|
Program options | |
 | In a |
-f | Forces the display of a possibly wrong output report. |
-v | Prints full public keys and generation parameters. |
Key checking options | |
 | Checks the original ACL for the key using the key generation certificate. (Default) |
-L\|--loaded | Checks the ACL of the loaded key instead of the generation certificate. |
-R\|--recov | Checks the ACL of the key loaded from the recovery blob. |
Option to accept particular discrepancies | |
 | Proceeds if a Diffie-Hellman key uses an unrecognized Sophie-Germain group. |
-U | Proceeds even if the security world is unverifiable. |
Option to address HSMs | |
-m MODULE | Specifies the number of the module to perform the test with. |
Help options | |
 | Displays help for |
 | Displays a brief usage summary for |
 | Displays the version number of the Security World Software that deploys |
Verify a migrated key
To verify a migrated key, you must preload the key and use nfkmverify with either the -L|--loaded or the -R|--recov option.
By default, nfkmverify compares the original Access Control List (ACL) that was provided when a key was generated to the current Security World.
If the key was migrated, then the key hashes and mechanisms in the original ACL will not be consistent with the current Security World, and nfkmverify will report a discrepancy.
It might also be unable to load the KML blob necessary to verify the original ACL.
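The following wrapper is an added example, not part of the vendor documentation. It builds the nfkmverify command line for a migrated key from the options described above. The function names, the sample appname and ident values, and the conservative character check on key arguments are assumptions made for illustration, and the key is assumed to be preloaded already.

```shell
#!/bin/sh
# Added example: function names and sample values are hypothetical.

# Print the nfkmverify command line for checking migrated keys.
# usage: nfkmverify_migrated_cmd loaded|recov MODULE APPNAME IDENT [APPNAME IDENT ...]
nfkmverify_migrated_cmd() {
    if [ "$#" -lt 4 ]; then
        echo "usage: nfkmverify_migrated_cmd loaded|recov MODULE APPNAME IDENT [...]" >&2
        return 2
    fi
    mode=$1; module=$2; shift 2

    case $mode in
        loaded) flag=-L ;;   # check the ACL of the loaded (preloaded) key
        recov)  flag=-R ;;   # check the ACL of the key loaded from the recovery blob
        *) echo "mode must be 'loaded' or 'recov'" >&2; return 2 ;;
    esac

    case $module in
        ''|*[!0-9]*) echo "MODULE must be a module number" >&2; return 2 ;;
    esac

    # The synopsis takes keys as appname/ident pairs, so an odd count is an error.
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "keys must be given as APPNAME IDENT pairs" >&2
        return 2
    fi

    # Assumed-safe character set; also rejects arguments that look like options,
    # so a key name can never switch on -f or -U by accident.
    for arg in "$@"; do
        case $arg in
            ''|-*|*[!A-Za-z0-9_-]*) echo "unexpected key argument: $arg" >&2; return 2 ;;
        esac
    done

    echo "nfkmverify $flag -m $module $*"
}

# Run the check in a session where the key is already preloaded.
# Returns nfkmverify's own exit status, 2 on bad arguments, 127 if the tool is absent.
verify_migrated() {
    cmd=$(nfkmverify_migrated_cmd "$@") || return 2
    command -v nfkmverify >/dev/null 2>&1 || { echo "not on PATH; would run: $cmd" >&2; return 127; }
    $cmd   # word splitting is safe here: every argument was validated above
}
```

For example, `verify_migrated loaded 1 simple mykey` runs `nfkmverify -L -m 1 simple mykey`, where `simple` and `mykey` are constructed sample values.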