TB_POLGEN(8)                     User Manuals                     TB_POLGEN(8)

NAME

       tb_polgen - manage tboot verified launch policy


SYNOPSIS

       tb_polgen COMMAND [OPTION]


DESCRIPTION

       tb_polgen is used to manage tboot verified launch policy.


COMMANDS

       --create
              Create an empty tboot verified launch policy file.

              --type nonfatal | continue | halt
                     Nonfatal means ignoring all non-fatal errors and
                     continuing. Continue means ignoring verification errors
                     and halting otherwise. Halt means halting on any errors.

              [--ctrl policy-control-value]
                     The default value, 1, extends the policy into PCR 17.

              [--alg sha1 | sha256 | sha384 | sha512]
                     Policy hashing algorithm.

              policy-file

       --add  Add a module hash entry into a policy file.

              --num module-number | any
                     The module-number is the 0-based module number
                     corresponding to modules loaded by the bootloader.

              --pcr TPM-PCR-number | none
                     The TPM-PCR-number is the PCR to extend the module's
                     measurement into.

              --hash any | image

              [--cmdline command-line]
                     The command line is from grub.conf, and it should not
                     include the module name (e.g. "/xen.gz").

              [--image image-file-name]

              policy-file

       --del  Delete a module hash entry from a policy file.

              --num module-number | any
                     The module-number is the 0-based module number
                     corresponding to modules loaded by the bootloader.

              [--pos hash-number]
                     The hash-number is the 0-based index of the hash, within
                     the list of hashes for the specified module.

              policy-file

       --unwrap
              Extract the tboot verified launch policy from a TXT LCP element
              file.

              --elt elt-file

              policy-file

       --show policy-file
              Show the policy information in a policy file.

       --help Print out the help message.

       --verbose
              Enable verbose output; can be specified with any command.


EXAMPLES

       tb_polgen --create --type nonfatal vl.pol

       tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline"
       --image /boot/xen.gz vl.pol

       tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline"
       --image /boot/vmlinuz-2.6.18.8-xen vl.pol

       tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image
       /boot/initrd-2.6.18.8-xen.img vl.pol

       tb_polgen --del --num 1 vl.pol

       tb_polgen --show --verbose vl.pol

   Note1:
       It is not necessary to specify a PCR for module 0, since this module's
       measurement will always be extended to PCR 18.  If a PCR is specified,
       then the measurement will be extended to that PCR in addition to PCR
       18.

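   Example script (added here; it is not part of tboot or of this manual):
       derive the tb_polgen --add invocations for every kernel/module line of
       a grub.conf entry, stripping the module name from the --cmdline value
       and giving module 0 --pcr none as Note1 allows. The /boot prefix on
       image paths, the PCR choices and the policy file name vl.pol are
       assumptions taken from the EXAMPLES above, not rules of tb_polgen.

```shell
#!/bin/sh
# Added example, not part of tboot: turn the kernel/module lines of a
# grub.conf entry into tb_polgen --add commands.
# Assumptions (not from the manual): the entry's "kernel" line is module 0
# and each "module" line follows in load order; grub.conf image paths are
# relative to /boot; module 0 gets --pcr none (it is always extended into
# PCR 18) and later modules --pcr 19; the policy file is vl.pol.

# gen_polgen_cmds GRUB_CONF
# Prints one "tb_polgen --add ..." line per kernel/module line found.
# The --cmdline value is the rest of the grub line after the module name,
# which is exactly what the --cmdline option expects.
gen_polgen_cmds() {
    num=0
    while read -r key path rest; do
        case "$key" in
            kernel|module) ;;      # only these lines describe loaded modules
            *) continue ;;         # title, root, comments, blank lines
        esac
        if [ "$num" -eq 0 ]; then
            pcr=none               # module 0 always lands in PCR 18 anyway
        else
            pcr=19
        fi
        printf 'tb_polgen --add --num %s --pcr %s --hash image --cmdline "%s" --image /boot%s vl.pol\n' \
            "$num" "$pcr" "$rest" "$path"
        num=$((num + 1))
    done < "$1"
}

# count_modules GRUB_CONF: number of modules the generated policy covers.
count_modules() {
    gen_polgen_cmds "$1" | grep -c '^tb_polgen'
}

# Run directly: emit the --create step first, then the generated --add lines.
if [ "$#" -gt 0 ]; then
    echo "tb_polgen --create --type nonfatal vl.pol"
    gen_polgen_cmds "$1"
fi
```

       Pipe the output into sh once it has been reviewed; the script only
       prints commands and never modifies the policy file itself.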
   Note2:
       --unwrap is not implemented correctly. There should be a defined UUID
       for this, and it should be checked before copying the data. There
       should also be a wrap or similar command to generate an element file
       for a policy.


SEE ALSO

       lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).



tboot                             2011-12-31                      TB_POLGEN(8)