lcp2_crtpolelt - Man Page

create an Intel(R) TXT policy element of the specified type.

Synopsis

lcp2_crtpolelt COMMAND [ ELEMENT TYPE Options ] [OPTION]

Description

lcp2_crtpolelt is used to create an Intel(R) TXT policy element of the specified type. It supports LCP elements in both the current and the legacy formats: LCP_MLE_ELEMENT2, LCP_STM_ELEMENT2, LCP_PCONF_ELEMENT2, LCP_PCONF_ELEMENT, LCP_MLE_ELEMENT and LCP_CUSTOM_ELEMENT.

Commands

--create --type type --out FILE [--ctrl pol_elt_ctrl]

create a policy element specified by the --type option.

--type type

type of element. Must be given before any type-specific option. See below for the type strings and their options.

--out FILE

output file name

[--ctrl value]

PolEltControl field (hex or decimal)

--show FILE

show a policy element

--version

show tool version

--verbose

enable verbose output; can be specified with any command

--help

print out the help message

Options

The --create command requires additional parameters depending on the element's type:

mle2 [--minver ver] [--alg algorithm] file [file...]
--minver ver

minimum version of SINIT (hex or decimal)

--alg <sha1|sha256|sha384|sha512>

hash algorithm

file [file...]

one or more text files, each containing one or more MLE hashes (as text, one hash per line). Hash files can be created with lcp2_mlehash.

custom --uuid UUID file
--uuid UUID

UUID in the format {0xaabbccdd, 0xeeff, 0xgghh, 0xiijj, {0xkk, 0xll, 0xmm, 0xnn, 0xoo, 0xpp}}, or "--uuid tboot" to use the default

file

file containing element data

sbios [--alg algorithm] file [file...]
--alg <sha1|sha256|sha384|sha512>

hash algorithm

file [file...]

one or more text files, each containing one or more BIOS hashes (as text, one hash per line); the first hash in the first file will be the fallback hash

stm [--alg algorithm] file [file...]
--alg <sha1|sha256|sha384|sha512>

hash algorithm

file [file...]

one or more text files, each containing one or more STM hashes (as text, one hash per line)

pconf2 --alg algorithm [--pcrN hash_value]
--alg <sha1|sha256|sha384|sha512>

PCR hash algorithm

--pcrN hash_value

PCR value for PCR #N, where 0 <= N <= 7.

mle [--minver ver] file [file...]
--minver ver

minimum version of SINIT (hex or decimal)

file [file...]

one or more text files, each containing one or more MLE SHA1 hashes (as text, one hash per line). Hash files can be created with lcp2_mlehash.
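The hash files taken by the mle2, sbios, stm and mle types are plain text with one digest per line, and every digest has to be of the size implied by --alg (a SHA-1 line pasted into a sha256 file is the usual mistake). The checker below is an added example, not part of tboot or of this man page: it verifies that each line is a hex digest of the right length before the file is handed to lcp2_crtpolelt. The '#' comment convention and the sample digests are this script's own assumptions and constructions.

```python
"""Pre-flight check for lcp2_crtpolelt hash files (added example, not tboot code).

Each line of the file should be one hex digest of the size implied by --alg.
"""
import hashlib
import re

# Digest sizes in bytes for the algorithms lcp2_crtpolelt accepts via --alg.
DIGEST_BYTES = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def check_hash_lines(text, alg):
    """Return a list of (line_number, problem) for lines that are not a digest
    of the size implied by `alg`; an empty list means the file is clean.
    Blank lines and '#' comments are skipped (this script's convention, an
    assumption; the man page does not promise the tool ignores them)."""
    if alg not in DIGEST_BYTES:
        raise ValueError("unknown --alg %r; expected one of %s" % (alg, sorted(DIGEST_BYTES)))
    want = DIGEST_BYTES[alg] * 2  # two hex characters per byte
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not _HEX.match(line):
            problems.append((n, "not hexadecimal"))
        elif len(line) != want:
            problems.append((n, "%d hex chars, %s needs %d" % (len(line), alg, want)))
    return problems


def infer_alg(hex_digest):
    """Guess the algorithm of a lone hex digest from its length
    (None if it matches no supported algorithm)."""
    n = len(hex_digest.strip())
    for alg, nbytes in DIGEST_BYTES.items():
        if n == nbytes * 2:
            return alg
    return None


# Constructed sample input: two sha256 digests of fixed strings, plus one
# sha1 digest pasted in by mistake. These are not real MLE measurements.
SAMPLE_SHA256_LINES = "\n".join([
    hashlib.sha256(b"mle-a").hexdigest(),
    hashlib.sha256(b"mle-b").hexdigest(),
])
SAMPLE_MIXED_LINES = SAMPLE_SHA256_LINES + "\n" + hashlib.sha1(b"mle-c").hexdigest() + "\n"

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_SHA256_LINES), ("mixed", SAMPLE_MIXED_LINES)):
        probs = check_hash_lines(text, "sha256")
        print(name, "ok" if not probs else probs)
```

Run it over each hash file with the same --alg you intend to pass to lcp2_crtpolelt; a non-empty result names the offending line and the length the algorithm requires.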

pconf file [file...]

one or more text files, each containing PCR information. Each file should have the following structure: the first line should be 'locality:<value>', followed by up to 8 lines, each representing one PCR (0 to 7) and its contents.

Locality represents the TPM's locality at release. It is a byte of which bits 0 to 4 select their respective locality (bit 0 - locality 0, and so on). Bits 5-7 are reserved and must be 0. The value must be at least 1 (locality 0 selected) and at most 0x1F (all localities selected).
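An added example, not tboot code, for the pconf and pconf2 inputs described above: it encodes the locality byte under the rules just stated (bit i selects locality i, bits 5-7 reserved, value 1..0x1F), validates a 'locality:<value>' line, writes a pconf input file, and builds the equivalent --pcrN arguments for a pconf2 element. The 'locality:<value>' first line comes from this page; the '<pcr index>:<hex digest>' form of the remaining lines is an assumption of the script, since the page's example of those lines is missing, so check it against the tool's --help output before relying on the file. The PCR digests are constructed values, not measurements.

```python
"""Build pconf / pconf2 inputs for lcp2_crtpolelt (added example, not tboot code)."""

RESERVED_MASK = 0xE0  # bits 5-7 of the locality byte must be zero


def locality_mask(localities):
    """Encode an iterable of locality numbers (0..4) as the selection byte."""
    mask = 0
    for loc in localities:
        if not 0 <= loc <= 4:
            raise ValueError("locality %r out of range 0..4" % (loc,))
        mask |= 1 << loc
    if mask == 0:
        raise ValueError("at least one locality must be selected")
    return mask


def parse_locality_line(line):
    """Parse and validate a 'locality:<value>' line (hex or decimal value)."""
    key, sep, value = line.strip().partition(":")
    if key != "locality" or not sep:
        raise ValueError("expected 'locality:<value>', got %r" % line)
    mask = int(value.strip(), 0)  # base 0 accepts 0x1F and 31 alike
    if mask & RESERVED_MASK:
        raise ValueError("bits 5-7 are reserved and must be 0 (got 0x%02X)" % mask)
    if not 1 <= mask <= 0x1F:
        raise ValueError("locality must be 1..0x1F (got 0x%02X)" % mask)
    return mask


def locality_line_ok(line):
    """True if the line passes parse_locality_line, False otherwise."""
    try:
        parse_locality_line(line)
        return True
    except ValueError:
        return False


def build_pconf_file(localities, pcrs):
    """Return the text of one pconf input file.

    `pcrs` maps a PCR index (0..7) to a hex digest. The '<index>:<digest>'
    shape of the lines after the locality line is an ASSUMPTION of this
    script; the man page only says each line represents one PCR.
    """
    if not pcrs:
        raise ValueError("at least one PCR value is required")
    lines = ["locality:0x%02X" % locality_mask(localities)]
    for idx in sorted(pcrs):
        if not 0 <= idx <= 7:
            raise ValueError("PCR index %r outside 0..7" % (idx,))
        lines.append("%d:%s" % (idx, pcrs[idx].lower()))
    return "\n".join(lines) + "\n"


def pconf2_args(pcrs):
    """The '--pcrN hash' arguments for a current-format pconf2 element,
    which takes PCR values on the command line instead of from a file."""
    args = []
    for idx in sorted(pcrs):
        if not 0 <= idx <= 7:
            raise ValueError("PCR index %r outside 0..7" % (idx,))
        args += ["--pcr%d" % idx, pcrs[idx].lower()]
    return args


# Constructed sample PCR values (sha256-sized, not real measurements).
SAMPLE_PCRS = {0: "11" * 32, 3: "33" * 32}

if __name__ == "__main__":
    print(build_pconf_file([0, 2], SAMPLE_PCRS), end="")
    print("lcp2_crtpolelt --create --type pconf2 --out pconf2.elt --alg sha256",
          " ".join(pconf2_args(SAMPLE_PCRS)))
```

The locality checks are the part worth keeping even if the per-PCR line format turns out to differ: a value with bit 5, 6 or 7 set, or a value of 0, is rejected before the file ever reaches the tool.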

Examples

Create MLE element (current format, which is the type that accepts --alg):

lcp2_crtpolelt --create --type mle2 --out mle.elt --ctrl 0x00 --alg sha256 --minver 0 mle_hash

Create PCONF2 element:

lcp2_crtpolelt --create --type pconf2 --out pconf2.elt --ctrl 0x00 --alg sha256 --pcr0 <PCR[0] hash> --pcr3 <PCR[3] hash>

Create PCONF element:

lcp2_crtpolelt --create --type pconf --out pconf.elt --ctrl 0x00 pcrInfo1.txt pcrInfo2.txt

See Also

Full documentation of MLE, Intel(R) TXT and LCP is available in the Intel(R) TXT Measured Launch Environment Developer's Guide, available at: http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html

lcp2_crtpol(8), lcp2_mlehash(8), lcp2_crtpollist(8), uuidgen(1), tb_polgen(8).

Referenced By

lcp2_crtpol(8), lcp2_crtpollist(8), lcp2_mlehash(8).

2020-05-10 tboot User Manuals