.\"
.TH LCP_CRTPOLLIST 8 "2011-12-31" "tboot" "User Manuals"
.SH NAME
lcp_crtpollist \- create an Intel(R) TXT policy list
.SH SYNOPSIS
.B lcp_crtpollist
.I COMMAND
.RI [ OPTION ]
.SH DESCRIPTION
.B lcp_crtpollist
is used to create an Intel(R) TXT policy list.
.SH OPTIONS
.TP
.B \-\-create
Create a TXT policy list. The following options are available:
.RS
.TP \w'\fR[\fB\-\-priv\ \fIkey-file\fR]'u+1n
\fB\-\-out\ \fIfile\fP
policy list file
.TP
\fR[\fB\-\-ver\ \fIversion\fR]\fP
version
.TP
\fR[\fIfile\fR]...\fP
policy element files
.RE
.TP
.B \-\-sign
Sign a TXT policy list. The following options are available:
.RS
.TP \w'\fR[\fB\-\-priv\ \fIkey-file\fR]'u+1n
\fB\-\-pub \fIkey-file\fP
PEM file of public key
.TP
\fB\-\-out\ \fIfile\fP
policy list file
.TP
\fR[\fB\-\-priv \fIkey-file\fR]\fP
PEM file of private key
.TP
\fR[\fB\-\-rev \fIrev-ctr\fR]\fP
revocation counter value
.TP
\fR[\fB\-\-nosig\fR]\fP
don't add SigBlock
.RE
.TP
.B \-\-addsig
Add an externally generated signature to a TXT policy list. The following options are available:
.RS
.TP \w'\fR[\fB\-\-priv\ \fIkey-file\fR]'u+1n
\fB\-\-sig\ \fIfile\fP
file containing signature (big-endian)
.TP
\fB\-\-out\ \fIfile\fP
policy list file
.RE
.TP
\fB\-\-show \fIfile\fP
policy list file
.TP
.B \-\-help
Print out the help message.
.TP
.B \-\-verbose
Enable verbose output; can be specified with any command.
.SH EXAMPLES
.SS "Create policy list:"
Assuming two element files,
.I mle.elt
and
.IR pconf.elt ,
have been generated by
.BR lcp_crtpolelt (8),
the following example creates an unsigned policy list:
.PP
\fBlcp_crtpollist \-\-create \-\-out \fIlist-unsig.lst mle.elt pconf.elt
.SS "Sign policy list:"
An unsigned policy list can be signed with
.BR lcp_crtpollist (8)
or
.BR openssl (1).
The
.BR openssl (1)
signing is supported for cases where the signing environment is separate from
the policy creation environment and the software allowed to run there is
strictly controlled and already supports
.BR openssl (1).
.PP
The following example uses
.BR openssl (1)
to sign the list:
.TS
tab (@);
l lx.
1@T{
\fBopenssl genrsa \-out \fIprivkey.pem 2048
T}
2@T{
\fBopenssl rsa \-pubout \-in \fIprivkey.pem \fB\-out \fIpubkey.pem
T}
3@T{
\fBcp \fIlist-unsig.lst list-sig.lst
T}
4@T{
\fBlcp_crtpollist \-\-sign \-\-pub \fIpubkey.pem \fB\-\-nosig \-\-out \fIlist-sig.lst
T}
5@T{
\fBopenssl dgst \-sha1 \-sign \fIprivkey.pem \fB\-out \fIlist.sig list-sig.lst
T}
6@T{
\fBlcp_crtpollist \-\-addsig \-\-sig \fIlist.sig \fB\-\-out \fIlist-sig.lst
T}
.TE
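.PP
The following script is an added example and is not part of tboot or of this manual page. It wraps the openssl(1) steps above into shell functions and adds the check a signing environment should perform before the detached signature is passed to \fBlcp_crtpollist \-\-addsig\fR: verifying the signature against the public key, and confirming that a modified list no longer verifies. The list file it signs is a constructed stand-in, not a real LCP policy list; the SHA\-1 digest is kept because that is what the procedure above uses and what the consumer of the signature expects.

```shell
#!/bin/sh
# Added example (not tboot code): the openssl(1) signing workflow from the
# man page, with a verification step before "lcp_crtpollist --addsig".
# Assumes openssl(1) is installed. The list file below is CONSTRUCTED
# filler standing in for list-sig.lst; it is not a real LCP policy list.
set -eu

DGST=${LCP_DGST:-sha1}          # digest used by the man page's procedure
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_keys <dir>: create privkey.pem / pubkey.pem in <dir>,
# as steps 1 and 2 of the procedure do.
make_keys() {
    openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null
    openssl rsa -pubout -in "$1/privkey.pem" -out "$1/pubkey.pem" 2>/dev/null
}

# sign_list <list-file> <privkey.pem> <out-sig>: detached signature over
# the list file, as step 5 does. The output is the raw RSA signature.
sign_list() {
    openssl dgst "-$DGST" -sign "$2" -out "$3" "$1"
}

# verify_list <list-file> <pubkey.pem> <sig>: check the detached signature
# with the public key only. Prints "ok" or "bad"; never exits the shell.
verify_list() {
    if openssl dgst "-$DGST" -verify "$2" -signature "$3" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# sig_len <sig>: size of the signature file in bytes. For a 2048-bit RSA
# key the raw signature is exactly 256 bytes; anything else means the
# wrong key or a mangled file was produced.
sig_len() {
    wc -c < "$1" | tr -d ' '
}

# Stand-alone demonstration on constructed input.
make_keys "$WORK"
printf 'CONSTRUCTED stand-in for an LCP policy list\n' > "$WORK/list-sig.lst"
sign_list "$WORK/list-sig.lst" "$WORK/privkey.pem" "$WORK/list.sig"
echo "signature bytes: $(sig_len "$WORK/list.sig")"
echo "verify original: $(verify_list "$WORK/list-sig.lst" "$WORK/pubkey.pem" "$WORK/list.sig")"
printf 'x' >> "$WORK/list-sig.lst"   # the list changed after signing
echo "verify modified: $(verify_list "$WORK/list-sig.lst" "$WORK/pubkey.pem" "$WORK/list.sig")"
```

Run \fBverify_list\fR on the exact bytes that will be passed to \fB\-\-addsig\fR: if the list is regenerated or edited after signing, the signature no longer matches it, which the second verification line above shows.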
.B lcp_crtpollist
can also sign a policy list itself. The following example is an alternative to the preceding one; use one procedure or the other, not both.
.TS
tab (@);
l lx.
1@T{
\fBopenssl genrsa \-out \fIprivkey.pem 2048
T}
2@T{
\fBopenssl rsa \-pubout \-in \fIprivkey.pem \fB\-out \fIpubkey.pem
T}
3@T{
\fBcp \fIlist-unsig.lst list-sig.lst
T}
4@T{
\fBlcp_crtpollist \-\-sign \-\-pub \fIpubkey.pem \fB\-\-priv \fIprivkey.pem \fB\-\-out \fIlist-sig.lst
T}
.TE
.SH "SEE ALSO"
.BR lcp_crtpol2 (8),
.BR lcp_crtpolelt (8),
.BR lcp_crtpollist (8),
.BR openssl (1).