NAME

tb_polgen - manage tboot verified launch policy

SYNOPSIS

tb_polgen COMMAND [OPTION]

DESCRIPTION

tb_polgen is used to manage tboot verified launch policy.

COMMANDS

--create: Create an empty tboot verified launch policy file.

--type nonfatal | continue | halt: Nonfatal means ignoring all non-fatal errors and continuing. Continue means ignoring verification errors and halting otherwise. Halt means halting on any errors.
[--ctrl policy-control-value]: The default value 1 is to extend policy into PCR 17.
[--alg sha1 | sha256 | sha384 | sha512]: Policy hashing algorithm.
policy-file

--add: Add a module hash entry into a policy file.

--num module-number | any: The module-number is the 0-based module number corresponding to modules loaded by the bootloader.
--pcr TPM-PCR-number | none: The TPM-PCR-number is the PCR to extend the module's measurement into.
--hash any | image
[--cmdline command-line]: The command line is from grub.conf, and it should not include the module name (e.g. "/xen.gz").
[--image image-file-name]
policy-file

--del: Delete a module hash entry from a policy file.

--num module-number | any: The module-number is the 0-based module number corresponding to modules loaded by the bootloader.
[--pos hash-number]: The hash-number is the 0-based index of the hash, within the list of hashes for the specified module.
policy-file

--unwrap: Extract the tboot verified launch policy from a TXT LCP element file.

--elt elt-file
policy-file

--show policy-file: Show the policy information in a policy file.
--help: Print out the help message.
--verbose: Enable verbose output; can be specified with any command.

EXAMPLES

tb_polgen --create --type nonfatal vl.pol

tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline" --image /boot/xen.gz vl.pol

tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline" --image /boot/vmlinuz-2.6.18.8-xen vl.pol

tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img vl.pol

tb_polgen --del --num 1 vl.pol

tb_polgen --show --verbose vl.pol

Note1:

It is not necessary to specify a PCR for module 0, since this module's measurement will always be extended to PCR 18. If a PCR is specified, then the measurement will be extended to that PCR in addition to PCR 18.

Note2:

--unwrap is not implemented correctly. There should be a defined UUID for this and that should be checked before copying the data. There should be a wrap or similar command to generates an element file for a policy.