lcp_crtpol - Man Page

create a TXT v1 Launch Control Policy


lcp_crtpol -t policy-type [-a hashalg] [-v version] [-sr SINIT-revocation-counter] [-s srtm-file] [-m mle-file] [-o policy-file] [-b policy-data-file] [-pcf policy-control-field] [-h]


lcp_crtpol is used to create a TXT v1 LCP policy (and optionally policy data), which can later be written to the TPM. The policy created are for platforms produced before 2009 (Weybridge, Montevina, McCreary).


-t policy-type

Policy type can be UINT8 or string. 5 strings are supported for the reserved LCP policy types. Strings and default policy type values for each string are:

0 or "hashonly"

1 or "unsigned"

2 or "signed"

3 or "any"

4 or "forceowner"

-a hashalg

Hash algorithm. Currently we only support SHA-1 algorithm: 0 OR 'sha1'.

-v version

Version number. Currently it can be set to 0 or 1 if specified. The default value is 0.

-sr SINIT-revocation-counter

The default sinit revocation counter is 0.

-s srtm-file

File name of platform configuration data, as produced by lcp_crtpconf.

-m mle-file

File name of file containing the MLE hash values. This is a text file that contains one SHA-1 hash per line. The value of the hash must be hexadecimal values, specified either a single un-deliminated set or as space-delimited two-character (i.e. one byte) values.  This can be produced by the lcp_mlehash command.

-o policy-file

File name to store the output policy.

-b policy-data-file

File name to store the LCP Policy data.

-pcf policy-control-field

The default policy control field value is 0.


Print out the help message


lcp_crtpol -t 0 -m mle-file -o policy-hashonly-file

lcp_crtpol -t 1 -m mle-file -s pconf-file -b policy-data-file

lcp_crtpol -t unsigned -a sha1 -m mle-file -s pconf-file -o policy-unsigned-file -b policy-data-file

See Also

lcp_readpol(8), lcp_writepol(8), lcp_mlehash(8), lcp_crtpconf(8).

Referenced By

lcp_crtpconf(8), lcp_crtpol2(8), lcp_mlehash(8), lcp_readpol(8), lcp_writepol(8), tb_polgen(8).

2011-12-31 tboot User Manuals