lcp_readpol(8) [centos man page]

LCP_READPOL(8)							   User Manuals 						    LCP_READPOL(8)

NAME
       lcp_readpol - read the contents of an LCP policy index

SYNOPSIS
       lcp_readpol -i index-value [-f policy-file] [-s size] [-p passwd] [-h]

DESCRIPTION
       lcp_readpol is used to read the contents of an LCP policy index. Any index can be specified, but the output will be parsed as if it contained a policy.

OPTIONS
       -i index-value
              Designate the index for reading. The index can be a UINT32 or a string. 3 strings are supported for the reserved LCP indices. Strings and default index values for each string are:

              default   0x50000001 (INDEX_LCP_DEF)
              owner     0x40000001 (INDEX_LCP_OWN)
              aux       0x50000002 (INDEX_LCP_AUX)

       -f policy-file
              File name to write the policy data to. If no file name is specified then the contents will be displayed.

       -s size
              Value size to read from the NV store. If no size is given, the length defined for this index is read.

       -p password
              The TPM owner password.

       -h     Print out the help message.

EXAMPLES
       lcp_readpol -i default -f policy-file
       lcp_readpol -i 0x00011101 -s 10
       lcp_readpol -i 0x00011101 -f policy-file -p 123456

SEE ALSO
       lcp_writepol(8), lcp_crtpol(8).

tboot 2011-12-31 LCP_READPOL(8)


TB_POLGEN(8)							   User Manuals 						      TB_POLGEN(8)

NAME
       tb_polgen - manage tboot verified launch policy

SYNOPSIS
       tb_polgen COMMAND [OPTION]

DESCRIPTION
       tb_polgen is used to manage tboot verified launch policy.

COMMANDS
       --create
              Create an empty tboot verified launch policy file.

              --type nonfatal | continue | halt
                     Nonfatal means ignoring all non-fatal errors and continuing. Continue means ignoring verification errors and halting otherwise. Halt means halting on any errors.

              [--ctrl policy-control-value]
                     The default value 1 is to extend policy into PCR 17.

              policy-file

       --add  Add a module hash entry into a policy file.

              --num module-number | any
                     The module-number is the 0-based module number corresponding to modules loaded by the bootloader.

              --pcr TPM-PCR-number | none
                     The TPM-PCR-number is the PCR to extend the module's measurement into.

              --hash any | image

              [--cmdline command-line]
                     The command line is from grub.conf, and it should not include the module name (e.g. "/xen.gz").

              [--image image-file-name]

              policy-file

       --del  Delete a module hash entry from a policy file.

              --num module-number | any
                     The module-number is the 0-based module number corresponding to modules loaded by the bootloader.

              [--pos hash-number]
                     The hash-number is the 0-based index of the hash, within the list of hashes for the specified module.

              policy-file

       --unwrap
              Extract the tboot verified launch policy from a TXT LCP element file.

              --elt elt-file

              policy-file

       --show policy-file
              Show the policy information in a policy file.

       --help Print out the help message.

       --verbose
              Enable verbose output; can be specified with any command.

EXAMPLES
       tb_polgen --create --type nonfatal vl.pol
       tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline" --image /boot/xen.gz vl.pol
       tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline" --image /boot/vmlinuz-2.6.18.8-xen vl.pol
       tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img vl.pol
       tb_polgen --del --num 1 vl.pol
       tb_polgen --show --verbose vl.pol

       Note1: It is not necessary to specify a PCR for module 0, since this module's measurement will always be extended to PCR 18. If a PCR is specified, then the measurement will be extended to that PCR in addition to PCR 18.

       Note2: --unwrap is not implemented correctly. There should be a defined UUID for this and that should be checked before copying the data. There should be a wrap or similar command to generate an element file for a policy.

SEE ALSO
       lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).

tboot 2011-12-31 TB_POLGEN(8)
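
Added example (not part of the man page or of tboot): a Python model of Note1 that replays the (--num, --pcr) entries from EXAMPLES to show which PCRs change, which is what you compare against when a sealed secret or an attestation check stops matching. It assumes TPM 1.2 SHA-1 extend semantics, zero initial PCRs unless `initial` is supplied, numeric module numbers only, and constructed digests in place of real module hashes; all function names are illustrative.

```python
import hashlib

PCR_SIZE = 20  # assumption: TPM 1.2, so each PCR holds one SHA-1 digest


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend operation: new PCR = SHA1(old PCR || measurement)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR values and measurements must be 20 bytes")
    return hashlib.sha1(pcr + measurement).digest()


def target_pcrs(module_num: int, pcr_opt: str) -> list:
    """PCRs one policy entry extends, following Note1 of the man page."""
    targets = [18] if module_num == 0 else []  # module 0 always goes to PCR 18
    if pcr_opt != "none":
        pcr = int(pcr_opt)
        if not 0 <= pcr <= 23:
            raise ValueError(f"PCR out of range: {pcr_opt}")
        if pcr not in targets:  # assumption: --pcr 18 on module 0 extends once
            targets.append(pcr)
    return targets


def replay(entries, measurements, initial=None):
    """Fold the policy's entries, in module order, into a PCR table."""
    pcrs = dict(initial or {})
    for module_num, pcr_opt in sorted(entries):
        for pcr in target_pcrs(module_num, pcr_opt):
            old = pcrs.get(pcr, bytes(PCR_SIZE))  # assumption: unset PCR is zero
            pcrs[pcr] = extend(old, measurements[module_num])
    return pcrs


# (--num, --pcr) pairs from the EXAMPLES section, before the --del step.
EXAMPLE_ENTRIES = [(0, "none"), (1, "19"), (2, "19")]
# Constructed stand-ins for the module digests; not real image hashes.
SAMPLE_MEASUREMENTS = {n: hashlib.sha1(b"constructed module %d" % n).digest()
                       for n in range(3)}

if __name__ == "__main__":
    result = replay(EXAMPLE_ENTRIES, SAMPLE_MEASUREMENTS)
    for pcr, value in sorted(result.items()):
        print(f"PCR {pcr}: {value.hex()}")
```

To compare against a real platform, pass the PCR values read from the TPM before module extension as `initial` and the digests shown by `tb_polgen --show` as `measurements`.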