TB_POLGEN(8) User Manuals TB_POLGEN(8)

NAME
tb_polgen - manage tboot verified launch policy
SYNOPSIS
tb_polgen COMMAND [OPTION]
DESCRIPTION
tb_polgen is used to manage tboot verified launch policy.
COMMANDS
--create
Create an empty tboot verified launch policy file.
--type nonfatal | continue | halt
Nonfatal means ignoring all non-fatal errors and continuing.
Continue means ignoring verification errors and halting otherwise.
Halt means halting on any errors.
[--ctrl policy-control-value]
The default value 1 is to extend policy into PCR 17.
policy-file
--add Add a module hash entry into a policy file.
--num module-number | any
The module-number is the 0-based module number corresponding to
modules loaded by the bootloader.
--pcr TPM-PCR-number | none
The TPM-PCR-number is the PCR to extend the module's measurement
into.
--hash any | image
[--cmdline command-line]
The command line is from grub.conf, and it should not
include the module name (e.g. "/xen.gz").
[--image image-file-name]
policy-file
--del Delete a module hash entry from a policy file.
--num module-number | any
The module-number is the 0-based module number corresponding to
modules loaded by the bootloader.
[--pos hash-number]
The hash-number is the 0-based index of the hash, within
the list of hashes for the specified module.
policy-file
--unwrap
Extract the tboot verified launch policy from a TXT LCP element
file.
--elt elt-file
policy-file
--show policy-file
Show the policy information in a policy file.
--help Print out the help message.
--verbose
Enable verbose output; can be specified with any command.
EXAMPLES
tb_polgen --create --type nonfatal vl.pol
tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline"
--image /boot/xen.gz vl.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline"
--image /boot/vmlinuz-2.6.18.8-xen vl.pol
tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image
/boot/initrd-2.6.18.8-xen.img vl.pol
tb_polgen --del --num 1 vl.pol
tb_polgen --show --verbose vl.pol
Note 1:
It is not necessary to specify a PCR for module 0, since this module's
measurement will always be extended to PCR 18. If a PCR is specified,
then the measurement will be extended to that PCR in addition to PCR
18.
Note 2:
--unwrap is not implemented correctly. There should be a defined UUID
for this and that should be checked before copying the data. There
should be a wrap or similar command to generate an element file for a
policy.
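As an added example (not part of the tboot man page or project), the following POSIX shell script derives the tb_polgen invocations shown in EXAMPLES from the "module" lines of a grub.conf fragment, applying the rules above that --cmdline must not include the module name and that module 0 needs no PCR of its own. The policy file name vl.pol, the constructed grub lines, the use of --hash image for every module and the choice of PCR 19 for later modules are assumptions.

```shell
#!/bin/sh
# Added example, not the tboot project's own code. Assumed: policy file
# is vl.pol; every module is hashed with --hash image.

# polgen_add_cmd NUM PCR LINE -> echoes one "tb_polgen --add ..." command.
# The man page says --cmdline carries only the arguments, never the
# module path, so the image path is split off the grub.conf line first.
polgen_add_cmd() {
    num=$1; pcr=$2
    set -- $3                      # word-split the grub.conf line
    [ "${1:-}" = "module" ] && [ $# -ge 2 ] ||
        { echo "not a module line: $*" >&2; return 1; }
    image=$2
    shift 2                        # what remains is the kernel command line
    printf 'tb_polgen --add --num %s --pcr %s --hash image --cmdline "%s" --image %s vl.pol\n' \
        "$num" "$pcr" "$*" "$image"
}

# policy_cmds_from_grub TYPE: reads a grub.conf fragment on stdin and echoes
# a --create followed by one --add per module, numbered from 0 in load order.
# Module 0 gets --pcr none because tboot always extends it into PCR 18
# (Note 1); later modules go to PCR 19, as in the EXAMPLES section (assumed).
policy_cmds_from_grub() {
    echo "tb_polgen --create --type $1 vl.pol"
    n=0
    while IFS= read -r line; do
        set -- $line
        [ "${1:-}" = "module" ] || continue
        if [ "$n" -eq 0 ]; then pcr=none; else pcr=19; fi
        polgen_add_cmd "$n" "$pcr" "$line" || return 1
        n=$((n + 1))
    done
}

# Constructed grub.conf fragment (sample input, not taken from a real system).
GRUB_SNIPPET='title Xen under tboot
kernel /boot/tboot.gz
module /boot/xen.gz dom0_mem=1024M
module /boot/vmlinuz-2.6.18.8-xen root=/dev/sda1 ro
module /boot/initrd-2.6.18.8-xen.img'

# Show the commands by default; set RUN_POLGEN=1 to execute them instead.
printf '%s\n' "$GRUB_SNIPPET" | policy_cmds_from_grub nonfatal |
while IFS= read -r cmd; do
    if [ "${RUN_POLGEN:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
done
```

Review the echoed commands before running them with RUN_POLGEN=1; a module whose command line is wrong in grub.conf will produce a hash that never matches at launch.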
SEE ALSO
lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).
tboot 2011-12-31 TB_POLGEN(8)