These are some example instructions for creating an Intel(R) TXT Launch
Control Policy (LCP) using the new LCP tools (i.e. for platforms produced
after 2008).

These steps assume that all referenced binaries have already been built and
paths are relative to the tboot/lcptools/ directory:

Create policy element(s):
========================

Create an MLE element:
---------------------
1.  lcp_mlehash -c "the command line for tboot from grub.conf" /boot/tboot.gz
    > mle_hash
2.  lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt
    mle_hash

Create a PCONF element:
----------------------
1.  cat /sys/devices/platform/tpm_tis/pcrs |grep -e PCR-00 -e PCR-01 > pcrs
2.  lcp_crtpolelt --create --type pconf --out pconf.elt pcrs

Create an SBIOS element:
-----------------------
1.  Create hash file containing BIOS hash(es), e.g. named sbios_hash
2.  lcp_crtpolelt --create --type sbios --out sbios.elt sbios_hash

Create a CUSTOM element:
-----------------------
1.  Create or determine the UUID that will identify this data format (e.g.
    using 'uuidgen')
2.  Create the data the will be placed in this element.  E.g. the policy file
    from tb_polgen.
2.  lcp_crtpolelt --create --type custom --out custom.elt --uuid <uuid value>
    <data file>


Create policy list(s):
=====================

Combine the elements into an unsigned list:
------------------------------------------
1.  lcp_crtpollist --create --out list_unsig.lst mle.elt pconf.elt

The two blocks below are intended to be mutually exclusive.  The openssl
signing is supported for cases where the signing environment is separate
from the policy creation environment and the software allowed to run there
is strictly controlled and already supports openssl.

Use lcp_crtpollist to sign the list:
-----------------------------------
1.  openssl genrsa -out privkey.pem 2048
2.  openssl rsa -pubout -in privkey.pem -out pubkey.pem
3.  cp list_unsig.lst list_sig.lst
4.  lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst

Use openssl to sign the list:
----------------------------
1.  openssl rsa -pubout -in privkey.pem -out pubkey.pem
2.  cp list_unsig.lst list_sig.lst
3.  lcp_crtpollist --sign --pub pubkey.pem --nosig --out list_sig.lst
4.  openssl genrsa -out privkey.pem 2048
5.  openssl dgst -sha1 -sign privkey.pem -out list.sig list_sig.lst
6.  lcp_crtpollist --addsig --sig list.sig --out list_sig.lst

Create policy and policy data files:
===================================
1.  lcp_crtpol2 --create --type list --pol list.pol --data list.data
    list_{unsig,sig}.lst
