tb_polgen (8) Linux Manual Page
tb_polgen – manage tboot verified launch policy
Synopsis
tb_polgen COMMAND [OPTION]
Description
tb_polgen is used to manage tboot verified launch policy.
Commands
--create
Create an empty tboot verified launch policy file.
    --type nonfatal | continue | halt
        Nonfatal means ignoring all non-fatal errors and continuing. Continue means ignoring verification errors and halting otherwise. Halt means halting on any errors.
    [--ctrl policy-control-value]
        The default value 1 is to extend policy into PCR 17.
    policy-file

--add
Add a module hash entry into a policy file.
    --num module-number | any
        The module-number is the 0-based module number corresponding to modules loaded by the bootloader.
    --pcr TPM-PCR-number | none
        The TPM-PCR-number is the PCR to extend the module's measurement into.
    --hash any | image
    [--cmdline command-line]
        The command line is from grub.conf, and it should not include the module name (e.g. "/xen.gz").
    [--image image-file-name]
    policy-file

--del
Delete a module hash entry from a policy file.
    --num module-number | any
        The module-number is the 0-based module number corresponding to modules loaded by the bootloader.
    [--pos hash-number]
        The hash-number is the 0-based index of the hash, within the list of hashes for the specified module.
    policy-file

--unwrap
Extract the tboot verified launch policy from a TXT LCP element file.
    --elt elt-file
    policy-file

--show policy-file
Show the policy information in a policy file.

--help
Print out the help message.

--verbose
Enable verbose output; can be specified with any command.
Examples
tb_polgen --create --type nonfatal vl.pol
tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline" --image /boot/xen.gz vl.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline" --image /boot/vmlinuz-2.6.18.8-xen vl.pol
tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img vl.pol
tb_polgen --del --num 1 vl.pol
tb_polgen --show --verbose vl.pol
Note1:
It is not necessary to specify a PCR for module 0, since this module’s measurement will always be extended to PCR 18. If a PCR is specified, then the measurement will be extended to that PCR in addition to PCR 18.
Note2:
--unwrap is not implemented correctly. There should be a defined UUID for this, and it should be checked before copying the data. There should be a wrap or similar command to generate an element file for a policy.
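The examples above hand-write one --add per bootloader module. The following added helper (not part of tboot or this man page) derives those invocations from a grub.conf stanza, applying the rules stated here: modules are numbered 0-based in bootloader order, the --cmdline value is the grub module line without the module name, and module 0 needs no --pcr because it is always extended into PCR 18 (later modules use PCR 19 as in the examples). The stanza, the function name tb_polgen_plan and the /boot prefix are constructed for illustration; the script only prints the commands and never runs tb_polgen.

```shell
#!/bin/sh
# Constructed grub.conf stanza used as sample input (not from a real system).
GRUB_STANZA='title Xen with tboot
    root (hd0,0)
    kernel /tboot.gz logging=serial,vga,memory
    module /xen.gz dom0_mem=512M console=vga
    module /vmlinuz-2.6.18.8-xen ro root=/dev/sda1
    module /initrd-2.6.18.8-xen.img'

# Print the tb_polgen commands needed to build a policy for a grub stanza.
# $1 = stanza text, $2 = policy file name, $3 = directory holding the images.
# Nothing is executed; the output is a plan to review before running it.
tb_polgen_plan() {
    stanza=$1; pol=$2; bootdir=$3
    echo "tb_polgen --create --type nonfatal $pol"
    n=0
    printf '%s\n' "$stanza" | while read -r key path rest; do
        # Only "module" lines become policy entries; kernel (tboot) is not one.
        [ "$key" = "module" ] || continue
        # Module 0 is always extended into PCR 18, so no PCR is given (Note1);
        # the remaining modules go into PCR 19 as in the man page examples.
        if [ "$n" -eq 0 ]; then pcr=none; else pcr=19; fi
        # "$rest" is the grub command line with the module name already split off,
        # which is what --cmdline expects (e.g. "/xen.gz" must not be included).
        echo "tb_polgen --add --num $n --pcr $pcr --hash image --cmdline \"$rest\" --image $bootdir$path $pol"
        n=$((n + 1))
    done
}

tb_polgen_plan "$GRUB_STANZA" vl.pol /boot
```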
See Also
lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).
