LCP2_CRTPOL(8)                   User Manuals                   LCP2_CRTPOL(8)

NAME
       lcp2_crtpol - create an Intel TXT Launch Control Policy
SYNOPSIS
       lcp2_crtpol <--create|--show|--help> [--brief] [--verbose] --alg alg
       --type <any|list> [LISTFILES] [--minver <ver>] [--rev <counter1>[,counterN]]
       [--ctrl <pol_ctrl>] --pol <POLICY FILE> [--data <POLICY DATA FILE>]
       [--mask mask] [--auxalg alg] --sign alg [--polver version]
DESCRIPTION
       lcp2_crtpol is used to create a TXT LCP policy (and optionally policy
       data), which can later be written to the TPM. This tool allows creating
       policies for TPM 1.2 and TPM 2.0. The policy format is specified by the
       --polver option.
COMMANDS
       --create
              Create a policy.

       --show Show contents of a policy file, policy data file or both. If you
              specify one file it must be either a policy file or a policy
              data file. If you specify two files, one must be a policy file
              and the other a policy data file.

       --help Show help text.

       --version
              Show tool version.
OPTIONS
       --brief
              Use brief format for output.

       --verbose
              Use verbose format for output.

       --alg alg
              Specify the hash algorithm for the LCP. Supported values are
              sha1, sha256 or sm3.

       --type <any|list>
              Specify the type of the policy. If --type is list, specify a
              comma-separated list of up to 8 policy list files (created with
              the lcp2_crtpollist command).

       --minver version
              Specify the minimum allowed SINIT module version number
              (SINITMinVersion).

       --max_sinit_min version
              Specify the maximum allowed value of the minimal SINIT module
              version number (MaxSinitMinVersion).

       --rev <counter1>[,counterN]
              Specify a comma-separated list of revocation counters.

       --ctrl <pol_ctrl>
              Specify the PolicyControl value. The default is 0
              (LCP_DEFAULT_POLICY_CONTROL).

       --pol <POLICY FILE>
              Specify the output file for the policy.

       --data <POLICY DATA FILE>
              Specify the output file for the policy data.

       --mask mask
              Specify the policy hash algorithm mask. Supported values are
              sha1, sha256, sha384, sha512 or sm3. This option can be used
              multiple times to specify several allowed algorithms. Policy
              versions 2.0-2.4 only support SHA1.

       --auxalg alg
              Specify the AUX hash algorithm. Supported values are sha1,
              sha256, sha384, sha512 or sm3. You can also specify a raw value
              in hex (the value must start with "0x"). This option is only
              valid for policy versions 3.0 or 3.1.

       --sign alg
              Specify the allowed LCP signature algorithm mask. Supported
              values are rsa-2048-sha1, rsa-2048-sha256, rsa-3072-sha256,
              rsa-3072-sha384, ecdsa-p256, ecdsa-p384 or sm3. This option can
              be used multiple times to specify several allowed algorithms.

       --polver version
              Specify the LCP policy version. Supported values are 2.0-2.4
              (for TPM 1.2) and 3.0-3.2 (for TPM 2.0). If not specified, this
              option defaults to 3.0.

EXAMPLES
       lcp2_crtpol --create --type list --pol list.pol --alg sha256 --data list.data --sign 0x8 list.lst
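       The following POSIX shell helper is an added example and is not part of
       the tboot tools or this man page. It assembles an "lcp2_crtpol --create
       --type list" command line and refuses the option combinations the
       OPTIONS section documents as invalid (non-SHA1 --mask with policy
       versions 2.0-2.4, --auxalg outside 3.0/3.1, more than 8 list files),
       printing the command instead of running the tool so it can be reviewed
       first. The function name lcp2_crtpol_cmd and its argument order are this
       example's own.

```sh
#!/bin/sh
# Assemble an "lcp2_crtpol --create --type list" command line and reject option
# combinations this man page documents as invalid, without running the tool.
# Arguments: polver alg masks(comma-separated) auxalg(or "") pol data sign lists(comma-separated)
# Prints the command on success; prints a reason to stderr and returns 1 otherwise.
lcp2_crtpol_cmd() {
    polver=$1 alg=$2 masks=$3 auxalg=$4 pol=$5 data=$6 sign=$7 lists=$8
    # The policy version selects the TPM generation: 2.0-2.4 is TPM 1.2, 3.0-3.2 is TPM 2.0
    case "$polver" in
        2.[0-4]) tpm=1.2 ;;
        3.[0-2]) tpm=2.0 ;;
        *) echo "unsupported --polver '$polver'" >&2; return 1 ;;
    esac
    # --auxalg is only valid for policy versions 3.0 or 3.1
    if [ -n "$auxalg" ]; then
        case "$polver" in
            3.[01]) ;;
            *) echo "--auxalg is only valid for --polver 3.0 or 3.1" >&2; return 1 ;;
        esac
    fi
    # --type list accepts at most 8 comma-separated list files
    nlists=$(( $(printf '%s' "$lists" | tr -cd ',' | wc -c) + 1 ))
    if [ -z "$lists" ] || [ "$nlists" -gt 8 ]; then
        echo "--type list needs 1 to 8 list files (got $nlists)" >&2; return 1
    fi
    cmd="lcp2_crtpol --create --type list --polver $polver --alg $alg"
    # --mask may be repeated; policy versions 2.0-2.4 only support SHA1
    for m in $(printf '%s' "$masks" | tr ',' ' '); do
        if [ "$tpm" = 1.2 ] && [ "$m" != sha1 ]; then
            echo "--mask $m is not allowed with --polver $polver (SHA1 only)" >&2; return 1
        fi
        cmd="$cmd --mask $m"
    done
    if [ -n "$auxalg" ]; then
        cmd="$cmd --auxalg $auxalg"
    fi
    cmd="$cmd --pol $pol --data $data --sign $sign $(printf '%s' "$lists" | tr ',' ' ')"
    printf '%s\n' "$cmd"
}

# Same policy as the EXAMPLES section above: a version 3.0 (TPM 2.0) list policy
lcp2_crtpol_cmd 3.0 sha256 sha256 "" list.pol list.data 0x8 list.lst
```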

SEE ALSO
       Full documentation of MLE, Intel(R) TXT and LCP is available in the
       Intel(R) TXT Measured Launch Environment Developer's Guide, available
       at: http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html

       lcp2_crtpollist(8), lcp2_crtpolelt(8), lcp2_mlehash(8),



tboot                            2020-05-10                     LCP2_CRTPOL(8)