TB_POLGEN(8)

Name
tb_polgen - manage tboot verified launch policy

Synopsis
tb_polgen COMMAND [OPTION]

Description
tb_polgen is used to manage tboot verified launch policy.

Commands
--create
    Create an empty tboot verified launch policy file.

    --type nonfatal | continue | halt
        Policy type. nonfatal ignores all non-fatal errors and continues; continue
        ignores verification errors and halts on any other error; halt halts on any
        error.
    [--ctrl policy-control-value]
        Policy control value. The default, 1, extends the policy into PCR 17.
    [--alg sha1 | sha256 | sha384 | sha512]
        Policy hashing algorithm.
    policy-file

--add
    Add a module hash entry to a policy file.

    --num module-number | any
        The module-number is the 0-based module number, in the order the modules are
        loaded by the bootloader; any matches any module.
    --pcr TPM-PCR-number | none
        The TPM-PCR-number is the PCR to extend the module's measurement into; none
        specifies no PCR.
    --hash any | image
        Hash type of the entry: any accepts any measurement of the module; image
        requires the measurement of the file given with --image.
    [--cmdline command-line]
        The command line is taken from grub.conf and must not include the module name
        that precedes it (e.g. "/xen.gz"). The hash is computed over this command
        line together with the image, so it must match the entry the bootloader
        actually passes.
    [--image image-file-name]
    policy-file

--del
    Delete a module hash entry from a policy file.

    --num module-number | any
        The module-number is the 0-based module number, in the order the modules are
        loaded by the bootloader; any matches any module.
    [--pos hash-number]
        The hash-number is the 0-based index of the hash within the list of hashes
        for the specified module.
    policy-file

--unwrap
    Extract the tboot verified launch policy from a TXT LCP element file.

    --elt elt-file
    policy-file

--show
    Show the policy information in a policy file.

    policy-file

--help
    Print out the help message.

--verbose
    Enable verbose output; can be specified with any command.
Examples
    tb_polgen --create --type nonfatal vl.pol
    tb_polgen --add --num 0 --pcr none --hash image --cmdline "cmdline" --image /boot/xen.gz vl.pol
    tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "cmdline" --image /boot/vmlinuz-2.6.18.8-xen vl.pol
    tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initrd-2.6.18.8-xen.img vl.pol
    tb_polgen --del --num 1 vl.pol
    tb_polgen --show --verbose vl.pol
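The same create/add/show procedure, but with the --num, --cmdline and --image arguments derived from a grub.conf-style menu entry instead of typed by hand, since a policy whose module numbers or command lines differ from what the bootloader really passes will fail verification. This is an added example and is not part of this man page or of tboot. It assumes (none of this is stated by the man page) that the entry loads tboot as the kernel and lists the hypervisor, kernel and initrd as "module" lines in load order; that the command line recorded for a module is the rest of its "module" line with the image path removed; that module 0 gets --pcr none, since it is always extended into PCR 18 (Note 1); and that every other module is extended into the PCR given as the third argument, defaulting to 19 as in the examples above. The grub entry is constructed sample input, and the generated commands are only printed, so the script runs without tb_polgen installed.

```shell
#!/bin/sh
# Added example, not tboot's own code: turn a grub.conf menu entry into the
# tb_polgen invocations that build a verified launch policy for it.

# Constructed sample entry (hypothetical paths and arguments, not a real host).
SAMPLE_GRUB_ENTRY='title Xen with tboot
    root (hd0,0)
    kernel /tboot.gz logging=serial,vga,memory
    module /xen.gz iommu=required dom0_mem=2048M
    module /vmlinuz-2.6.18.8-xen ro root=/dev/sda2 console=tty0
    module /initrd-2.6.18.8-xen.img
'

# gen_add_cmds BOOT_DIR POLICY_FILE [PCR]
# Reads a menu entry on stdin and prints one "tb_polgen --add" line per
# "module" line, numbered from 0 in the order the bootloader loads them.
gen_add_cmds() {
    boot_dir=$1
    policy=$2
    pcr=${3:-19}                # assumption: PCR for modules other than 0
    n=0
    set -f                      # no globbing while each line is word-split
    while IFS= read -r line; do
        set -- $line            # $1 = keyword, $2 = image path, rest = cmdline
        [ "$1" = "module" ] || continue
        image=$2
        shift 2
        cmdline=$*              # command line without the module name, as required
        if [ "$n" -eq 0 ]; then
            modpcr=none         # module 0 is always extended into PCR 18 (Note 1)
        else
            modpcr=$pcr
        fi
        printf 'tb_polgen --add --num %d --pcr %s --hash image --cmdline "%s" --image %s%s %s\n' \
            "$n" "$modpcr" "$cmdline" "$boot_dir" "$image" "$policy"
        n=$((n + 1))
    done
    set +f
}

# gen_policy_script BOOT_DIR POLICY_FILE [PCR]
# Wraps the --add lines with the --create and --show steps of the procedure.
gen_policy_script() {
    printf 'tb_polgen --create --type nonfatal %s\n' "$2"
    gen_add_cmds "$@"
    printf 'tb_polgen --show --verbose %s\n' "$2"
}

# Usage: print the commands; on a host with tb_polgen, pipe the output to sh.
printf '%s' "$SAMPLE_GRUB_ENTRY" | gen_policy_script /boot vl.pol
```

The initrd line has no arguments, so its entry is generated with --cmdline "", exactly as in the third example above; if the bootloader entry is later edited, regenerate the policy rather than patching it, because the stored hash covers the command line as well as the image.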
Notes
    Note 1: It is not necessary to specify a PCR for module 0, since this module's
    measurement is always extended into PCR 18. If a PCR is specified, the
    measurement is extended into that PCR in addition to PCR 18.

    Note 2: --unwrap is not implemented correctly. There should be a defined UUID
    for this element type, and it should be checked before the data is copied.
    There should also be a wrap (or similar) command that generates an element
    file from a policy.
See Also
lcp_crtpol(8), lcp_crtpol2(8), lcp_crtpolelt(8).

tboot 2011-12-31 TB_POLGEN(8)
