LCP2_CRTPOLELT(8) User Manuals LCP2_CRTPOLELT(8)

lcp2_crtpolelt - create an Intel(R) TXT policy element of specified type.

lcp2_crtpolelt COMMAND [ ELEMENT TYPE OPTIONS ] [OPTION]

lcp_crtpolelt is used to create an Intel(R) TXT policy element of specified type. Supports LCP elements both in current and legacy formats: LCP_MLE_ELEMENT2, LCP_STM_ELEMENT2, LCP_PCONF_ELEMENT2, LCP_PCONF_ELEMENT, LCP_MLE_ELEMENT and LCP_CUSTOM_ELEMENT.

create a policy element specified by the --type option.
type of element. Must be first option. See below for type strings and their options
output file name
[--ctrl value]
PolEltControl field (hex or decimal)
show a policy element
show tool version
enable verbose output; can be specified with any command
print out the help message

The --create command requires additional parameters depending on the element's type

minimum version of SINIT (hex or decimal)
hash algorithm
one or more text files, each containing one or more MLE hashes (as text, one hash per line); Hash files can be created with lcp2_mlehash.
UUID in format: {0xaabbccdd, 0xeeff, 0xgghh, 0xiijj, {0xkk 0xll, 0xmm, 0xnn, 0xoo, 0xpp}} or "--uuid tboot" to use default
file containing element data
hash algorithm
one or more files containing one or more BIOS hashes (as text, one hash per line); the first hash in the first file will be the fallback hash
hash algorithm
one or more text files, each containing one or more STM hashes (as text, one hash per line);
PCR hash algorithm
PCR value for PCR #N, where 0 <= N <= 7.
--minver ver minimum version of SINIT (hex or decimal)
one or more text files, each containing one or more MLE SHA1 hashes (as text, one hash per line); Hash files can be created with lcp2_mlehash.
one or more text files, each containing PCR information; Each file should have the following structure: first line should be: 'locality:<value>' followed by up to 8 lines, each representing one PCR (0 to 7) and its contents: e.g. Locality represents TPM's locality at release. It is a byte, of which bits 0 to 4 represent their respective locality (bit0 - locality0 and so on). Bits 5-7 are reserved and must be 0. Value must be at least 1 - locality0 selected, and at most 0x1F (all localities selected).

Create MLE element:

lcp2_crtpolelt --create --type mle --out mle.elt --ctrl 0x00 --alg sha256 --minver 0 mle_hash

Create PCONF2 element:

lcp2_crtpolelt --create --type pconf2 --out pconf2.elt --ctrl 0x00 --alg sha256 --pcr0 <PCR[0] hash> --pcr3 <PCR[3] hash>

Create PCONF element:

lcp2_crtpolelt --create --type pconf pcrInfo1.txt pcrInfo2.txt --out pconf2.elt --ctrl 0x00

Full documentation of MLE, Intel(R) TXT and LCP is available in Intel(R) TXT Measured Launch Environment Deleveloper's Guide, available at: http://www.intel.com/content/www/us/en/software-developers/intel-txt-software-development-guide.html

lcp2_crtpol(8), lcp2_mlehash(8), lcp2_crtpollist(8), uuidgen(1), tb_polgen(8).

2020-05-10 tboot