NAME¶

lcp2_crtpolelt - create an Intel(R) TXT policy element of specified type.

SYNOPSIS¶

lcp2_crtpolelt COMMAND [ ELEMENT TYPE OPTIONS ] [OPTION]

DESCRIPTION¶

lcp_crtpolelt is used to create an Intel(R) TXT policy element of specified type. Supports LCP elements both in current and legacy formats: LCP_MLE_ELEMENT2, LCP_STM_ELEMENT2, LCP_PCONF_ELEMENT2, LCP_PCONF_ELEMENT, LCP_MLE_ELEMENT and LCP_CUSTOM_ELEMENT.

COMMANDS¶

--create --type type --out FILE [--ctrl pol_elt_ctr1]: create a policy element specified by the --type option.

--type type: type of element. Must be first option. See below for type strings and their options
--out FILE: output file name
[--ctrl value]: PolEltControl field (hex or decimal)

--show file [FILE]: show a policy element
--version: show tool version
--verbose: enable verbose output; can be specified with any command
--help: print out the help message

OPTIONS¶

The --create command requires additional parameters depending on the element's type

mle2 [--minver ver] [--alg algorithm] file [file...]

--minver ver: minimum version of SINIT (hex or decimal)
--alg <sha1|sha256|sha386|sha512>: hash algorithm
file [file...]: one or more text files, each containing one or more MLE hashes (as text, one hash per line); Hash files can be created with lcp2_mlehash.

custom --uuid UUID file

--uuid UUID: UUID in format: {0xaabbccdd, 0xeeff, 0xgghh, 0xiijj, {0xkk 0xll, 0xmm, 0xnn, 0xoo, 0xpp}} or "--uuid tboot" to use default
file: file containing element data

sbios [--alg algorithm] file [file...]

--alg <sha1|sha256|sha386|sha512>: hash algorithm
file [file...]: one or more files containing one or more BIOS hashes (as text, one hash per line); the first hash in the first file will be the fallback hash

stm [--alg algorithm] file [file...]

--alg <sha1|sha256|sha386|sha512>: hash algorithm
file [file...]: one or more text files, each containing one or more STM hashes (as text, one hash per line);

pconf2 --alg algorithm [--pcrN hash_value]

--alg <sha1|sha256|sha386|sha512>: PCR hash algorithm
--pcrN hash_value: PCR value for PCR #N, where 0 <= N <= 7.

mle [--minver ver] file [file...]

--minver ver minimum version of SINIT (hex or decimal)

file [file...]: one or more text files, each containing one or more MLE SHA1 hashes (as text, one hash per line); Hash files can be created with lcp2_mlehash.

pconf file [file...]

one or more text files, each containing PCR information; Each file should have the following structure: first line should be: 'locality:<value>' followed by up to 8 lines, each representing one PCR (0 to 7) and its contents: e.g. Locality represents TPM's locality at release. It is a byte, of which bits 0 to 4 represent their respective locality (bit0 - locality0 and so on). Bits 5-7 are reserved and must be 0. Value must be at least 1 - locality0 selected, and at most 0x1F (all localities selected).

EXAMPLES¶

Create MLE element:

lcp2_crtpolelt --create --type mle --out mle.elt --ctrl 0x00 --alg sha256 --minver 0 mle_hash

Create PCONF2 element:

lcp2_crtpolelt --create --type pconf2 --out pconf2.elt --ctrl 0x00 --alg sha256 --pcr0 <PCR[0] hash> --pcr3 <PCR[3] hash>

Create PCONF element:

lcp2_crtpolelt --create --type pconf pcrInfo1.txt pcrInfo2.txt --out pconf2.elt --ctrl 0x00

Source file:	lcp2_crtpolelt.8.en.gz (from tboot 1.10.5-2.el8)
Source last updated:	2022-03-10 10:14:21
Converted to HTML:	2024-06-22 22:16:24