lcp_crtpollist (8) - Linux Manuals

lcp_crtpollist: create an Intel(R) TXT policy list


lcp_crtpollist - create an Intel(R) TXT policy list


lcp_crtpollist COMMAND [OPTION]


lcp_crtpollist is used to create an Intel(R) TXT policy list.


Create an TXT policy list. The following options are available:
--out file
policy list file
[--ver version]
policy element files
Sign an TXT policy list.
--pub key-file
PEM file of public key
--out file
policy list file
[--priv key-file]
PEM file of private key
[--rev rev-ctr]
revocation counter value
don't add SigBlock
--sig file
file containing signature (big-endian)
--out file
policy list file
--show file
policy list file
Print out the help message.
Enable verbose output; can be specified with any command.


Create policy list:

Assuming there have been two element file mle.elt and pconf.elt generated by lcp_crtpolelt(8) The following example can create an unsigned policy list:

lcp_crtpollist --create --out list-unsig.lst mle.elt pconf.elt

Sign policy list:

Unsigned policy list can be signed by the command lcp_crtpollist(8) or openssl(1). The openssl(1) signing is supported for cases where the signing environment is separate from the policy creation environment and the software allowed to run there is strictly controlled and already supports openssl(1).

The following example uses openssl(1) to sign the list:

1 openssl rsa -pubout -in privkey.pem -out pubkey.pem
2 cp list-unsig.lst list-sig.lst
3 lcp_crtpollist --sigh --pub pubkey.pem --nosig --out list-sig.lst
4 openssl genrsa -out privkey.pem 2048
5 openssl dgst -sha1 -sign privkey.pem -out list.sig list-sig.lst
6 lcp_crtpollist --addsig --sig list.sig --out list-sig.lst

lcp_crtpollist can also be used to sigh a policy list. The following example are intended to be mutually exclusive with the preceding example.

1 openssl genrsa -out privkey.pem 2048
2 openssl rsa -pubout -in privkey.pem -out pubkey.pem
3 cp list-unsig.lst list-sig.lst
4 lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list-sig.lst