Provided by: tboot_1.9.6-0ubuntu1_amd64

NAME

       tb_polgen - manage tboot verified launch policy

SYNOPSIS

       tb_polgen COMMAND [OPTION]

DESCRIPTION

       tb_polgen is used to manage tboot verified launch policy.

COMMANDS

       --create
              Create an empty tboot verified launch policy file.

              --type nonfatal | continue | halt
                     Nonfatal ignores all non-fatal errors and continues. Continue ignores verification
                     errors but halts on any other error. Halt halts on any error.

              [--ctrl policy-control-value]
                     The default value, 1, causes the policy to be extended into PCR 17.

              policy-file

       --add  Add a module hash entry into a policy file.

              --num module-number | any
                     The module-number is the 0-based module number corresponding to modules loaded by the
                     bootloader.

              --pcr TPM-PCR-number | none
                     The TPM-PCR-number is the PCR to extend the module's measurement into.

              --hash any | image

              [--cmdline command-line]
                     The command line is from grub.conf, and it should not include the module name (e.g.
                     "/xen.gz").

              [--image image-file-name]

              policy-file

       --del  Delete a module hash entry from a policy file.

              --num module-number | any
                     The module-number is the 0-based module number corresponding to modules loaded by the
                     bootloader.

              [--pos hash-number]
                     The hash-number is the 0-based index of the hash, within the list of hashes for the
                     specified module.

              policy-file

       --unwrap
              Extract the tboot verified launch policy from a TXT LCP element file.

              --elt elt-file

              policy-file

       --show policy-file
              Show the policy information in a policy file.

       --help Print out the help message.

       --verbose
              Enable verbose output; can be specified with any command.

EXAMPLES

       tb_polgen --create --type nonfatal vl.pol

       tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline" --image /boot/xen.gz vl.pol

       tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline" --image /boot/vmlinuz-2.6.18.8-xen vl.pol

       tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img vl.pol

       tb_polgen --del --num 1 vl.pol

       tb_polgen --show --verbose vl.pol

   Note1:
       It is not necessary to specify a PCR for module 0, since this module's measurement will always be
       extended to PCR 18. If a PCR is specified, then the measurement will be extended to that PCR in addition
       to PCR 18.
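       The sequence shown in EXAMPLES can be generated from the bootloader configuration instead of being typed
       by hand. The script below is an added example, not part of tboot or of this page; it assumes a
       legacy-grub menu entry whose "module" lines follow the tboot "kernel" line, image files under /boot,
       PCR 19 for every module after module 0 (as in EXAMPLES and Note1), and command lines without double
       quotes.

```sh
#!/bin/sh
# Added example, not part of tboot or this man page: derive the tb_polgen
# command sequence from the "module" lines of a grub.conf menu entry, so the
# policy matches what the bootloader actually loads.
# Rules taken from the page: --num is 0-based in bootloader order; module 0
# is always extended into PCR 18, so it gets --pcr none (Note1); later modules
# are extended into PCR 19 as in EXAMPLES; --cmdline is the grub line minus
# the leading module path. Assumes a legacy-grub layout whose "module" lines
# follow "kernel /tboot.gz", and command lines that contain no double quotes.

# Constructed sample menu entry; paths and arguments are placeholders.
SAMPLE_GRUB='title Xen with tboot
kernel /tboot.gz logging=serial,vga,memory
module /xen.gz dom0_mem=2048M iommu=1
module /vmlinuz-2.6.18.8-xen root=/dev/sda1 ro
module /initrd-2.6.18.8-xen.img'

# polgen_cmds BOOTDIR POLICY-FILE POLICY-TYPE   (grub menu entry on stdin)
# Prints the --create command followed by one --add command per module line.
polgen_cmds() {
    bootdir=$1; pol=$2; ptype=$3; num=0
    printf 'tb_polgen --create --type %s %s\n' "$ptype" "$pol"
    while read -r kw path rest; do
        [ "$kw" = module ] || continue          # ignore title/kernel/etc.
        if [ "$num" -eq 0 ]; then pcr=none; else pcr=19; fi
        printf 'tb_polgen --add --num %d --pcr %s --hash image --cmdline "%s" --image %s%s %s\n' \
            "$num" "$pcr" "$rest" "$bootdir" "$path" "$pol"
        num=$((num + 1))
    done
}

# Show the generated sequence for the sample entry (pipe into sh to apply it).
printf '%s\n' "$SAMPLE_GRUB" | polgen_cmds /boot vl.pol nonfatal
```

       Review the printed commands against the real menu entry before piping them into sh on the machine
       being provisioned.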

   Note2:
       --unwrap is not implemented correctly. There should be a defined UUID for this, and it should be checked
       before copying the data. There should be a wrap or similar command to generate an element file for a
       policy.

SEE ALSO

       lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).