oracular (8) lcp2_crtpol.8.gz

Provided by: tboot_1.10.5-4_amd64

NAME

       lcp2_crtpol - create an Intel TXT Launch Control Policy

SYNOPSIS

       lcp2_crtpol  <--create|--show|--help|--version>  [--brief]  [--verbose]  --alg alg
       --type <any|list>  [LISTFILES]  [--minver  <ver>]  [--max_sinit_min <ver>]
       [--rev  <counter1>[,counterN]]  [--ctrl  <pol_ctrl>]  --pol <POLICY FILE>
       [--data  <POLICY DATA FILE>]  [--mask  mask]  [--auxalg  alg]  --sign  alg
       [--polver version]

DESCRIPTION

       lcp2_crtpol is used to create a TXT LCP policy (and optionally  policy  data),  which  can
       later  be  written to the TPM. This tool allows creating policies for TPM 1.2 and TPM 2.0.
       Policy format is specified by the --polver option.

COMMANDS

       --create
              Create a policy.

       --show Show contents of a policy file, policy data file or both. If you specify  one  file
              it  must  be either a policy file or a policy data file.  If you specify two files,
              one must be a policy file and the other a policy data file.

       --help Show help text.

       --version
              Show tool version.

OPTIONS

       --brief
              Use brief format for output.

       --verbose
              Use verbose format for output.

       --alg alg
              Specify algorithm for the LCP. Supported values are sha1, sha256 or sm3.

       --type <any|list>
              Specify type of the policy. If --type is list, specify a comma-separated list of up
              to 8 policy list files (created with the lcp2_crtpollist command).

       --minver version
              Specify minimum allowed SINIT module version number (SINITMinVersion).

       --max_sinit_min version
              Specify   maximum  allowed  value  of  the  minimal  SINIT  module  version  number
              (MaxSinitMinVersion).

       --rev <counter1>[,counterN]
              Specify a comma-separated list of revocation counters.

       --ctrl <pol ctrl>
              Specify PolicyControl value. The default is 0 (LCP_DEFAULT_POLICY_CONTROL).

       --pol <POLICY FILE>
              Specify output file for the policy.

       --data <POLICY DATA FILE>
              Specify output file for the policy data.

       --mask mask
              Specify the policy hash algorithm mask. Supported values are sha1, sha256,  sha384,
              sha512  or  sm3.  This option can be used multiple times to specify several allowed
              algorithms. Policy versions 2.0-2.4 only support SHA1.

       --auxalg alg
              Specify the AUX hash algorithm. Supported values are sha1, sha256,  sha384,  sha512
              or  sm3.  You can also specify a raw value in hex (the value must start with "0x").
              This option is only valid for policy versions 3.0 or 3.1.

       --sign alg
              Specify  the  allowed  LCP  signature  algorithm  mask.   Supported   values   are:
              rsa-2048-sha1,   rsa-2048-sha256,   rsa-3072-sha256,  rsa-3072-sha384,  ecdsa-p256,
              ecdsa-p384, sm3. This option can be used multiple times to specify several  allowed
              algorithms. The mask can also be given as a raw value in hex (the value must start
              with "0x"), as in the example below.

       --polver version
              Specify  LCP policy version. Supported values are 2.0-2.4 (for TPM 1.2) and 3.0-3.2
              (for TPM 2.0). If not specified, this option defaults to 3.0.

EXAMPLES

       lcp2_crtpol --create --type list --pol list.pol --alg sha256 --data list.data --sign 0x8 list.lst
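       The following is an added example, not part of tboot or of this man page. It is a small
       POSIX sh pre-flight wrapper that checks the option constraints documented above (policy
       version ranges, the 8-list limit, SHA1-only hash masks for policy versions 2.0-2.4, and
       --auxalg being valid only for 3.0 and 3.1) and then prints the lcp2_crtpol command line
       for review instead of executing it. Only flags documented on this page are used; the
       policy data file name is derived from the policy file name by convention of this wrapper,
       and the list file names are placeholders. Other options (--minver, --rev, --ctrl,
       --max_sinit_min) are left to the operator.

```shell
#!/bin/sh
# Added example (not part of tboot): pre-flight checks for lcp2_crtpol options,
# encoding the constraints stated in the lcp2_crtpol(8) man page.

# crtpol_check POLVER ALG MASKS AUXALG [LISTFILE...]
#   POLVER  --polver value: 2.0-2.4 are TPM 1.2 policies, 3.0-3.2 are TPM 2.0
#   ALG     --alg value: sha1, sha256 or sm3
#   MASKS   space-separated --mask values (may be empty)
#   AUXALG  --auxalg value (may be empty)
# Returns 0 if the combination is consistent with the man page, 1 otherwise.
crtpol_check() {
    polver=$1 alg=$2 masks=$3 auxalg=$4
    shift 4
    case $polver in
        2.0|2.1|2.2|2.3|2.4) tpm=1.2 ;;
        3.0|3.1|3.2)         tpm=2.0 ;;
        *) echo "unsupported --polver $polver" >&2; return 1 ;;
    esac
    case $alg in
        sha1|sha256|sm3) ;;
        *) echo "unsupported --alg $alg" >&2; return 1 ;;
    esac
    # --type list accepts at most 8 policy list files
    if [ $# -gt 8 ]; then
        echo "too many list files ($#), maximum is 8" >&2; return 1
    fi
    for m in $masks; do
        case $m in
            sha1|sha256|sha384|sha512|sm3) ;;
            *) echo "unsupported --mask $m" >&2; return 1 ;;
        esac
        # policy versions 2.0-2.4 (TPM 1.2) only support SHA1
        if [ "$tpm" = 1.2 ] && [ "$m" != sha1 ]; then
            echo "--mask $m not allowed with --polver $polver (SHA1 only)" >&2; return 1
        fi
    done
    # --auxalg is only valid for policy versions 3.0 and 3.1
    if [ -n "$auxalg" ] && [ "$polver" != 3.0 ] && [ "$polver" != 3.1 ]; then
        echo "--auxalg is only valid with --polver 3.0 or 3.1" >&2; return 1
    fi
    return 0
}

# crtpol_cmd POLVER ALG SIGN POLFILE MASKS AUXALG [LISTFILE...]
# Runs crtpol_check and prints the lcp2_crtpol invocation. With no list files
# the policy type is "any" (no policy data file); otherwise it is "list" and the
# data file name is POLFILE with a .pol suffix replaced by .data (wrapper convention).
crtpol_cmd() {
    polver=$1 alg=$2 sign=$3 pol=$4 masks=$5 auxalg=$6
    shift 6
    crtpol_check "$polver" "$alg" "$masks" "$auxalg" "$@" || return 1
    cmd="lcp2_crtpol --create --polver $polver --alg $alg --sign $sign --pol $pol"
    for m in $masks; do
        cmd="$cmd --mask $m"
    done
    if [ -n "$auxalg" ]; then
        cmd="$cmd --auxalg $auxalg"
    fi
    if [ $# -eq 0 ]; then
        cmd="$cmd --type any"
    else
        cmd="$cmd --type list --data ${pol%.pol}.data $*"
    fi
    printf '%s\n' "$cmd"
}

# Example invocation: a TPM 2.0 list policy with one list file (placeholder names).
crtpol_cmd 3.0 sha256 rsa-2048-sha256 list.pol "sha256" "" list.lst
```

       The printed command can be reviewed and then run as-is; the wrapper deliberately does not
       execute lcp2_crtpol itself, so a rejected combination produces a diagnostic on stderr and
       a non-zero exit status rather than a policy file.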

SEE ALSO

       Full documentation of MLE, Intel(R) TXT and LCP is  available  in  the  Intel(R)  TXT
       Measured Launch Environment Developer's Guide, available at:
       http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html

       lcp2_crtpollist(8), lcp2_crtpolelt(8), lcp2_mlehash(8)