LCP2_CRTPOLLIST(8) User Manuals LCP2_CRTPOLLIST(8)

NAME
       lcp2_crtpollist - create an Intel(R) TXT policy list

SYNOPSIS
       lcp2_crtpollist COMMAND [OPTION]

DESCRIPTION
       lcp2_crtpollist is used to create an Intel(R) TXT policy list.

OPTIONS
       --create
              Create a TXT policy list. The following options are available:

              [--listver version]
                     Policy list version. Supported values are: 0x100 (legacy LCP_POLICY_LIST), 0x200, 0x201 (legacy LCP_POLICY_LIST2) and 0x300 (current LCP_POLICY_LIST2_1).

              --out file
                     Output file for the policy list.

              [file]...
                     Policy element files (created with the lcp2_crtpolelt command).

       --sign
              Sign a TXT policy list.

              --sigalg algorithm
                     Signature algorithm. Lists of version 0x100 support only rsa (RSA PKCS #1 v1.5). Lists of version 0x200 and 0x201 support rsa (RSA PKCS #1 v1.5) and ecdsa. Lists of version 0x300 support rsapss and ecdsa.

              --hashalg algorithm
                     Hash algorithm used for signing the list. Lists of version 0x100 support only SHA1.

              --pub file
                     Public key to use; must be in PEM format.

              [--priv file]
                     Private key to use; must be in PEM format. This option is required unless --nosig is given.

              [--rev counter]
                     Revocation counter value.

              [--nosig]
                     Don't add a SigBlock. This option is ignored if the list is version 0x300.

              --out file
                     Policy list file (input and output).

       --addsig
              Add a signature. This option is ignored if the list is version 0x300.

              --sig file
                     File containing the signature (big-endian).

              --out file
                     Policy list file.

       --show file
              Show the contents of a policy list file.

       --verify file
              Verify a version 0x300 policy list file.

       --version
              Show the tool version.

       --help
              Print the tool's help message.

       --verbose
              Enable verbose output; can be specified with any command.

EXAMPLES
       Create an unsigned policy list with an MLE element:

              lcp2_crtpollist --create --out list.lst mle.elt

       Sign the policy list:

              lcp2_crtpollist --sign --sigalg rsa --pub pubkey.pem --priv privkey.pem --out list.lst
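The following script is an added example, not part of this man page or of the tboot project. It wraps the create/sign/verify sequence shown above and, before invoking the tool, checks the list-version versus algorithm rules stated under --sign, so a mismatch (for example rsa with a 0x300 list) is rejected with a clear message instead of a tool error; it also shows the two-step --nosig / --addsig flow used when the signing key is held elsewhere. Assumptions: lcp2_crtpollist and openssl are on PATH; mle.elt was produced earlier with lcp2_crtpolelt; the option names --listver, --hashalg, --addsig, --sig, --show and --verify are the tool's long options as I know them; the hash algorithm name sha256 and the 3072-bit RSA key size are the example's own choices, not values the man page states; all file names are made up.

```shell
#!/bin/sh
# Added example (not from the tboot man page or project): wrapper around
# lcp2_crtpollist that enforces the version/algorithm rules from OPTIONS,
# then creates, signs and verifies a policy list.
# Assumptions: lcp2_crtpollist and openssl on PATH; mle.elt already built
# with lcp2_crtpolelt; "sha256" and the 3072-bit key size are this example's
# choices, not values taken from the man page; file names are made up.
set -u

# Return 0 if the list version permits this signature/hash algorithm pair,
# 1 otherwise. These are exactly the constraints the OPTIONS section states;
# hash algorithms for versions other than 0x100 are not restricted here
# because the man page does not enumerate them.
check_sig_options() {
    ver=$1; sigalg=$2; hashalg=$3
    case "$ver" in
        0x100)       [ "$sigalg" = rsa ] && [ "$hashalg" = sha1 ] ;;
        0x200|0x201) [ "$sigalg" = rsa ] || [ "$sigalg" = ecdsa ] ;;
        0x300)       [ "$sigalg" = rsapss ] || [ "$sigalg" = ecdsa ] ;;
        *)           return 1 ;;
    esac
}

# Generate an RSA key pair as PEM files, the encoding --pub and --priv expect.
gen_rsa_keys() {
    dir=$1
    openssl genrsa -out "$dir/privkey.pem" 3072 2>/dev/null &&
        openssl rsa -in "$dir/privkey.pem" -pubout -out "$dir/pubkey.pem" 2>/dev/null
}

# Return 0 if the file looks PEM-encoded (a DER key would be rejected by the tool).
is_pem() {
    grep -q -- '-----BEGIN' "$1"
}

# Create a list of version $ver from the element files given after the fourth
# argument, sign it in one step with the private key and, for version 0x300
# (the only version --verify handles), verify the result before showing it.
create_and_sign() {
    ver=$1; sigalg=$2; hashalg=$3; dir=$4; shift 4
    check_sig_options "$ver" "$sigalg" "$hashalg" || {
        echo "sigalg=$sigalg hashalg=$hashalg not allowed for list version $ver" >&2
        return 1
    }
    is_pem "$dir/pubkey.pem" && is_pem "$dir/privkey.pem" || return 1
    lcp2_crtpollist --create --listver "$ver" --out "$dir/list.lst" "$@" || return 1
    lcp2_crtpollist --sign --sigalg "$sigalg" --hashalg "$hashalg" \
        --pub "$dir/pubkey.pem" --priv "$dir/privkey.pem" --out "$dir/list.lst" || return 1
    if [ "$ver" = 0x300 ]; then
        lcp2_crtpollist --verify "$dir/list.lst" || return 1
    fi
    lcp2_crtpollist --show "$dir/list.lst"
}

# Two-step signing for lists below 0x300: --nosig writes the list without a
# SigBlock so the private key never has to be on this machine; a signature
# produced elsewhere (big-endian, as the man page requires) is then attached
# with --addsig. Both options are ignored for 0x300, so that version is refused.
attach_external_signature() {
    ver=$1; sigalg=$2; hashalg=$3; dir=$4; sigfile=$5
    [ "$ver" != 0x300 ] || { echo "--nosig/--addsig are ignored for 0x300" >&2; return 1; }
    check_sig_options "$ver" "$sigalg" "$hashalg" || return 1
    lcp2_crtpollist --sign --sigalg "$sigalg" --hashalg "$hashalg" \
        --pub "$dir/pubkey.pem" --nosig --out "$dir/list.lst" || return 1
    lcp2_crtpollist --addsig --sig "$sigfile" --out "$dir/list.lst"
}

# Stand-alone run; skipped when the tools are not installed.
if command -v lcp2_crtpollist >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_rsa_keys "$work"
    create_and_sign 0x300 rsapss sha256 "$work" mle.elt
fi
```

The algorithm check is deliberately kept in one function so the same rule protects both the one-step and the two-step signing path; when the list version changes, only that table needs updating.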

       Full documentation of MLE, Intel(R) TXT and LCP is available in the Intel(R) TXT Measured Launch Environment Developer's Guide, available at: http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html

SEE ALSO
       lcp2_crtpol(8), lcp2_crtpolelt(8), lcp2_mlehash(8), openssl(1).

2020-05-10 tboot