Provided by: tboot_1.10.5-4_amd64

NAME

       tb_polgen - manage tboot verified launch policy

SYNOPSIS

       tb_polgen COMMAND [OPTION]

DESCRIPTION

       tb_polgen is used to manage tboot verified launch policy.

COMMANDS

       --create
              Create an empty tboot verified launch policy file.

              --type nonfatal | continue | halt
                     Policy type, i.e. what tboot does when it hits an error at launch.  nonfatal
                     continues past non-fatal errors and halts on fatal ones.  continue continues
                     even when a module fails verification and halts on any other error.  halt
                     halts on any error.

              [--ctrl policy-control-value]
                     Policy control value.  The default value 1 sets the control bit that makes
                     tboot extend the policy's measurement into PCR 17.

              [--alg sha1 | sha256 | sha384 | sha512]
                     Policy hashing algorithm.  Prefer one of the SHA-2 algorithms where the
                     platform's TPM supports it; sha1 is the legacy choice.

              policy-file

       --add  Add a module hash entry into a policy file.

              --num module-number | any
                     The module-number is the 0-based number of the module in the order the
                     bootloader loads the modules (in the EXAMPLES below, xen.gz is module 0).
                     any creates an entry that applies to any module number.

              --pcr TPM-PCR-number | none
                     The TPM-PCR-number is the PCR to extend the module's measurement into; none
                     extends it into no additional PCR.  See Note1 for module 0.

              --hash any | image
                     any accepts the module whatever its contents.  image stores the measurement
                     computed from the file given by --image and the command line given by
                     --cmdline; the module booted must match it.

              [--cmdline command-line]
                     The command line the bootloader passes to the module, as written in
                     grub.conf, without the leading module name (e.g. "/xen.gz").  It must be the
                     exact command line used at boot, since it is part of what is measured.

              [--image image-file-name]
                     The module's image file; required with --hash image.

              policy-file

       --del  Delete a module hash entry from a policy file.

              --num module-number | any
                     The module-number is the 0-based module number corresponding to modules
                     loaded by the bootloader.

              [--pos hash-number]
                     The hash-number is the 0-based index of the hash to delete, within the list
                     of hashes for the specified module.

              policy-file

       --unwrap
              Extract the tboot verified launch policy from a TXT LCP element file.  See Note2
              before relying on this command.

              --elt elt-file

              policy-file

       --show policy-file
              Show the policy information in a policy file.

       --help Print out the help message.

       --verbose
              Enable verbose output; can be specified with any command.

EXAMPLES

       tb_polgen --create --type nonfatal vl.pol

       tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline" --image /boot/xen.gz vl.pol

       tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline" --image /boot/vmlinuz-2.6.18.8-xen vl.pol

       tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img vl.pol

       tb_polgen --del --num 1 vl.pol

       tb_polgen --show --verbose vl.pol
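       The following script is an added example and is not part of tboot or of this man page.
       It turns the module lines of a GRUB2 menuentry into the tb_polgen --add invocations that
       the EXAMPLES above type by hand: modules are numbered 0, 1, 2, ... in the order of the
       module lines (an assumption that matches the examples, where xen.gz is module 0), the
       module name is stripped from each command line as --cmdline requires, module 0 gets
       --pcr none because tboot always extends it into PCR 18, and the later modules are
       extended into PCR 19.  The menuentry, the file names and the policy name vl.pol are
       constructed sample input.

```shell
#!/bin/sh
# Added example (not tboot code): generate tb_polgen commands from a GRUB2 menuentry.
# Assumption: tboot numbers its modules 0, 1, 2, ... in the order of the module lines.

# Constructed sample menuentry; paths and command lines are illustrative only.
SAMPLE_ENTRY='menuentry "Xen via tboot" {
    multiboot2 /boot/tboot.gz logging=serial,memory
    module2 /boot/xen.gz console=com1 dom0_mem=2048M
    module2 /boot/vmlinuz-5.15.0 root=/dev/sda2 ro console=hvc0
    module2 /boot/initrd.img-5.15.0
}'

# gen_polgen_cmds POLICY_FILE   (menuentry lines on stdin)
# Prints one "tb_polgen --add" line per module/module2 line.  The first token after the
# directive is the module image; the rest is the command line, which --cmdline wants
# without the module name.  Module 0 gets --pcr none because tboot always extends it
# into PCR 18 (Note1); the remaining modules are extended into PCR 19 as in EXAMPLES.
# Command lines containing double quotes are not handled by this simple printf quoting.
gen_polgen_cmds() {
    pol=$1
    num=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')   # drop indentation
        case $line in
            module\ *|module2\ *) ;;                              # keep module lines only
            *) continue ;;
        esac
        rest=${line#* }            # "/boot/xen.gz console=com1 ..."
        image=${rest%% *}          # "/boot/xen.gz"
        if [ "$rest" = "$image" ]; then
            cmdline=""             # module given with no arguments (e.g. an initrd)
        else
            cmdline=${rest#* }     # everything after the module name
        fi
        if [ "$num" -eq 0 ]; then pcr=none; else pcr=19; fi
        printf 'tb_polgen --add --num %s --pcr %s --hash image --cmdline "%s" --image %s %s\n' \
            "$num" "$pcr" "$cmdline" "$image" "$pol"
        num=$((num + 1))
    done
}

# Emit the whole sequence: create the policy (halting on any error), add each module,
# then display the result.
printf 'tb_polgen --create --type halt %s\n' vl.pol
printf '%s\n' "$SAMPLE_ENTRY" | gen_polgen_cmds vl.pol
printf 'tb_polgen --show --verbose %s\n' vl.pol
```

       Run it on the machine that holds the boot files, check that each printed --cmdline is
       exactly what grub.conf passes to that module, and only then pipe the output to sh; a
       command line that differs by a single character yields a measurement the booted
       module will never match.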

   Note1:
       It is not necessary to specify a PCR for module 0, since this module's measurement will
       always be extended into PCR 18.  If a PCR is specified, the measurement will be extended
       into that PCR in addition to PCR 18.

   Note2:
       --unwrap is not implemented correctly: it copies the element's data without checking the
       element type.  There should be a defined UUID for this element type, and it should be
       checked before the data is copied.  There should also be a wrap (or similar) command that
       generates an element file from a policy.

SEE ALSO

       lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).