lcp2_crtpollist(8)

create an Intel(R) TXT policy list

Section 8 tboot bookworm source

Description

LCP2_CRTPOLLIST

NAME

lcp2_crtpollist - create an Intel(R) TXT policy list

SYNOPSIS

lcp2_crtpollist COMMAND [OPTION]

DESCRIPTION

lcp2_crtpollist is used to create an Intel(R) TXT policy list.

OPTIONS

--create

Create a TXT policy list. The following options are available:
--listver ver

policy list version. Supported values are: 0x100 (legacy LCP_POLICY_LIST), 0x200, 0x201 (legacy LCP_POLICY_LIST2) and 0x300 (current LCP_POLICY_LIST2_1).

--out file

output file for policy list

[file]...

policy element files (created with the lcp2_crpolelt command).

--sign

Sign a TXT policy list.
--sigalg <rsa|rsapss|ecdsa|sm2>

Signature algorithm. Lists version 0x100 only support rsa (rsa pkcs 1.5). Lists version 0x200 and 0x201 support rsa (rsa pkcs 1.5) and ecdsa. Lists version 0x300 support rsapss and ecdsa.

--hashalg <sha1|sha256|sha384|sha512|sm2>

Hash algorithm used for signing a list. Lists version 0x100 only support SHA1.

	--pub file		Public key to use, must be in PEM format.
	[--priv file]		Private key to use, must be in PEM format. This option is required unless you use the --nosig option
	[--rev counter]		Revocation counter value
	[--nosig]		Don’t add a SigBlock. This option is ignored if list is version 0x300.
	--out file		Policy list file (input and output)

--addsig

Add a signature. This option is ignored if list is version 0x300.
--sig file

File containing signature (big-endian)

--out file

Policy list file

--show file

Show contents of a policy file

--verify file

Verify policy version 0x300 file.

--version

Show tool version.

--help

Print out the tool’s help message.

--verbose

Enable verbose output; can be specified with any command.

EXAMPLES

Create unsigned policy list with MLE element:
lcp2_crtpollist --create --out list.lst mle.elt

Sign policy:
lcp2_crtpollist --sign --sigalg rsa --pub pubkey.pem --priv privkey.pem --out list.lst