| TB_POLGEN(8) | User Manuals | TB_POLGEN(8) | 
NAME
tb_polgen - manage tboot verified launch policy
SYNOPSIS
tb_polgen COMMAND [OPTION]
DESCRIPTION
tb_polgen is used to manage tboot verified launch policy.
COMMANDS
- --create
  - Create an empty tboot verified launch policy file.
  - --type nonfatal | continue | halt
    - nonfatal means ignoring all non-fatal errors and continuing; continue means ignoring verification errors and halting on any other error; halt means halting on any error.
  - [--ctrl policy-control-value]
    - The default value, 1, extends the policy into PCR 17.
  - [--alg sha1 | sha256 | sha384 | sha512]
    - Policy hashing algorithm.
  - policy-file

- --add
  - Add a module hash entry to a policy file.
  - --num module-number | any
    - The module-number is the 0-based module number corresponding to the modules loaded by the bootloader.
  - --pcr TPM-PCR-number | none
    - The TPM-PCR-number is the PCR to extend the module's measurement into.
  - --hash any | image
  - [--cmdline command-line]
    - The command line is taken from grub.conf and must not include the module name (e.g. "/xen.gz").
  - [--image image-file-name]
  - policy-file

- --del
  - Delete a module hash entry from a policy file.
  - --num module-number | any
    - The module-number is the 0-based module number corresponding to the modules loaded by the bootloader.
  - [--pos hash-number]
    - The hash-number is the 0-based index of the hash within the list of hashes for the specified module.
  - policy-file

- --unwrap
  - Extract the tboot verified launch policy from a TXT LCP element file.

- --show policy-file
  - Show the policy information in a policy file.

- --help
  - Print out the help message.

- --verbose
  - Enable verbose output; can be specified with any command.
 
EXAMPLES
tb_polgen --create --type nonfatal vl.pol
tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline" --image /boot/xen.gz vl.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline" --image /boot/vmlinuz-2.6.18.8-xen vl.pol
tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img vl.pol
tb_polgen --del --num 1 vl.pol
tb_polgen --show --verbose vl.pol
Note1:
It is not necessary to specify a PCR for module 0, since this module's measurement will always be extended to PCR 18. If a PCR is specified, then the measurement will be extended to that PCR in addition to PCR 18.
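As an added example (not part of the tboot man page or of the tboot project), the POSIX shell function below turns the module lines of a grub.conf stanza into the tb_polgen --add sequence shown in EXAMPLES: module numbers are assigned 0-based in bootloader load order, the image name is stripped from each command line as --cmdline requires, and module 0 gets --pcr none (its measurement always goes to PCR 18, per Note1) while later modules get PCR 19. The /boot prefix, the policy file name vl.pol and the sample stanza are assumptions.

```shell
#!/bin/sh
# gen_polgen_cmds POLICY-FILE [PREFIX]
# Reads a grub.conf stanza on stdin and prints one "tb_polgen --add" command per
# "module" line. Nothing is executed: review the output, then pipe it to sh.
# PREFIX (default /boot, an assumption) is where the grub-relative paths live.
gen_polgen_cmds() {
    pol="$1"
    prefix="${2:-/boot}"
    n=0                               # 0-based module number, in load order
    while IFS= read -r line; do
        set -f                        # no pathname expansion while word-splitting
        set -- $line
        set +f
        [ "${1:-}" = "module" ] && [ $# -ge 2 ] || continue
        path="$2"
        shift 2
        cmdline="$*"                  # everything after the image name, as --cmdline expects
        if [ "$n" -eq 0 ]; then
            pcr=none                  # module 0 is always extended into PCR 18 (Note1)
        else
            pcr=19
        fi
        printf 'tb_polgen --add --num %s --pcr %s --hash image --cmdline "%s" --image %s%s %s\n' \
            "$n" "$pcr" "$cmdline" "$prefix" "$path" "$pol"
        n=$((n + 1))
    done
}

# Constructed sample stanza (not from the man page); only the "module" lines matter.
gen_polgen_cmds vl.pol /boot <<'EOF'
title Xen
    root (hd0,0)
    kernel /tboot.gz logging=serial,vga,memory
    module /xen.gz dom0_mem=512M console=vga
    module /vmlinuz-2.6.18.8-xen root=/dev/sda1 ro
    module /initrd-2.6.18.8-xen.img
EOF
```

A module command line that itself contains double quotes or shell metacharacters needs hand-quoting before the printed command is run.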
Note2:
--unwrap is not implemented correctly. There should be a defined UUID for this element type, and it should be checked before the data is copied. There should also be a wrap or similar command to generate an element file from a policy.
SEE ALSO
lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).
| 2011-12-31 | tboot |