tboot-1.7.3-3.fc18.x86_64.rpm

.\"
.TH LCP_CRTPOLLIST 8 "2011-12-31" "tboot" "User Manuals"
.SH NAME
lcp_crtpollist \- create an Intel(R) TXT policy list
.SH SYNOPSIS
.B lcp_crtpollist
.I COMMAND
.RI [ OPTION ]
.SH DESCRIPTION
.B lcp_crtpollist
is used to create an Intel(R) TXT policy list.
.SH OPTIONS
.TP
.B \-\-create
Create a TXT policy list. The following options are available:
.RS
.TP \w'\fR[\fB\-\-priv\ \fIkey-file\fR]'u+1n
\fB\-\-out\ \fIfile\fP
policy list file
.TP
\fR[\fB\-\-ver\ \fIversion\fR]\fP
version
.TP
\fR[\fIfile\fR]...\fP
policy element files
.RE
.TP
.B \-\-sign
Sign a TXT policy list. The following options are available:
.RS
.TP \w'\fR[\fB\-\-priv\ \fIkey-file\fR]'u+1n
\fB\-\-pub \fIkey-file\fP
PEM file of public key
.TP
\fB\-\-out\ \fIfile\fP
policy list file
.TP
\fR[\fB\-\-priv \fIkey-file\fR]\fP
PEM file of private key
.TP
\fR[\fB\-\-rev \fIrev-ctr\fR]\fP
revocation counter value
.TP
\fR[\fB\-\-nosig\fR]\fP
don't add SigBlock
.RE
.TP
.B \-\-addsig
Add a signature to a TXT policy list. The following options are available:
.RS
.TP \w'\fR[\fB\-\-priv\ \fIkey-file\fR]'u+1n
\fB\-\-sig\ \fIfile\fP
file containing signature (big-endian)
.TP
\fB\-\-out\ \fIfile\fP
policy list file
.RE
.TP
\fB\-\-show \fIfile\fP
policy list file
.TP
.B \-\-help
Print out the help message.
.TP
.B \-\-verbose
Enable verbose output; can be specified with any command.
.SH EXAMPLES
.SS "Create policy list:"
Assuming two element files,
.I mle.elt
and
.IR pconf.elt ,
have been generated by
.BR lcp_crtpolelt (8),
the following example creates an unsigned policy list:
.PP
\fBlcp_crtpollist \-\-create \-\-out \fIlist-unsig.lst mle.elt pconf.elt
.SS "Sign policy list:"
An unsigned policy list can be signed either by the command
.BR lcp_crtpollist (8)
or
.BR openssl (1).
The
.BR openssl (1)
signing is supported for cases where the signing environment is separate from
the policy creation environment and the software allowed to run there is
strictly controlled and already supports
.BR openssl (1).
.PP
The following example uses
.BR openssl (1)
to sign the list:

.TS
tab (@);
l lx.
1@T{
\fBopenssl genrsa \-out \fIprivkey.pem 2048
T}
2@T{
\fBopenssl rsa \-pubout \-in \fIprivkey.pem \fB\-out \fIpubkey.pem
T}
3@T{
\fBcp \fIlist-unsig.lst list-sig.lst
T}
4@T{
\fBlcp_crtpollist \-\-sign \-\-pub \fIpubkey.pem \fB\-\-nosig \-\-out \fIlist-sig.lst
T}
5@T{
\fBopenssl dgst \-sha1 \-sign \fIprivkey.pem \fB\-out \fIlist.sig list-sig.lst
T}
6@T{
\fBlcp_crtpollist \-\-addsig \-\-sig \fIlist.sig \fB\-\-out \fIlist-sig.lst
T}
.TE

.B lcp_crtpollist
can also be used to sign a policy list. The following example is intended to be mutually exclusive with the preceding one.

.TS
tab (@);
l lx.
1@T{
\fBopenssl genrsa \-out \fIprivkey.pem 2048
T}
2@T{
\fBopenssl rsa \-pubout \-in \fIprivkey.pem \fB\-out \fIpubkey.pem
T}
3@T{
\fBcp \fIlist-unsig.lst list-sig.lst
T}
4@T{
\fBlcp_crtpollist \-\-sign \-\-pub \fIpubkey.pem \fB\-\-priv \fIprivkey.pem \fB\-\-out \fIlist-sig.lst
T}
.TE
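.PP
The openssl(1) flow above moves a detached signature from a separate signing environment back to the policy creation environment. The following shell script is an added example, not part of tboot, that replays those signing steps on a constructed placeholder list and checks the detached signature with openssl(1) before it would be handed to \-\-addsig. It assumes openssl(1) is installed; the placeholder list contents, the temporary file names and the check_sig function are choices made here.

```shell
#!/bin/sh
# Added example, not part of tboot: exercise the out-of-band signing flow from
# the man page and check the detached signature before `lcp_crtpollist --addsig`.
# Assumes openssl(1) is installed; list-sig.lst is a constructed placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the list produced by `--sign --pub pubkey.pem --nosig`.
printf 'constructed policy list placeholder\n' > "$WORK/list-sig.lst"

# Signing environment: key pair and detached SHA-1 signature, as in the man page.
openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
openssl rsa -pubout -in "$WORK/privkey.pem" -out "$WORK/pubkey.pem" 2>/dev/null
openssl dgst -sha1 -sign "$WORK/privkey.pem" -out "$WORK/list.sig" "$WORK/list-sig.lst"

# Policy-creation environment: refuse a signature that does not verify against
# the public key, or whose size is not the raw big-endian 256-byte value a
# 2048-bit RSA key produces (the form --sig expects).
# Returns 0 if both checks pass, 1 otherwise.
check_sig() {
    pub=$1; sig=$2; list=$3
    size=$(wc -c < "$sig" | tr -d ' ')
    if [ "$size" -ne 256 ]; then
        echo "refusing $sig: $size bytes, expected 256" >&2
        return 1
    fi
    if ! openssl dgst -sha1 -verify "$pub" -signature "$sig" "$list" >/dev/null 2>&1; then
        echo "refusing $sig: does not verify over $list" >&2
        return 1
    fi
    return 0
}

if check_sig "$WORK/pubkey.pem" "$WORK/list.sig" "$WORK/list-sig.lst"; then
    echo "signature OK: safe to run lcp_crtpollist --addsig --sig list.sig --out list-sig.lst"
fi
```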

.SH "SEE ALSO"
.BR lcp_crtpol2 (8),
.BR lcp_crtpolelt (8),
.BR lcp_crtpollist (8),
.BR openssl (1).