****************************************************************************
***                                                                      ***
***                    Launch Control Policy v2                          ***
***                                                                      ***
****************************************************************************

This document describes Launch Control Policies for platforms produced after
2008.

These are some example instructions for creating and provisioning both an
Intel(R) TXT Launch Control Policy (LCP) and a Verified Launch policy.

These steps assume that all referenced binaries have already been built and
paths are relative to the lcptools-v2/ directory:

Create LCP policy:
-----------------
o   See the file lcptools-v2/lcptools-v2.txt for instructions on creating
    policies and policy data files using the new tools.


Create Verified Launch policy:
-----------------------------
1.  tb_polgen/tb_polgen --create --type nonfatal vl.pol
2.  tb_polgen/tb_polgen --add --num 0 --pcr none --hash image
    --cmdline "the command line for xen from grub.conf"
    --image /boot/xen.gz
    vl.pol
3.  tb_polgen/tb_polgen --add --num 1 --pcr 19 --hash image
    --cmdline "the command line for dom0 from grub.conf"
    --image /boot/vmlinuz-2.6.18.8-xen
    vl.pol
4.  tb_polgen/tb_polgen --add --num 2 --pcr 19 --hash image
    --cmdline ""
    --image /boot/initrd-2.6.18.8-xen.img
    vl.pol

Note:
    The command lines should not include the module name (e.g. "/xen.gz").
    This is a change from the previous version of policy support and was done
    because a module's measurement should only depend on its content and not
    on its location.
Note 2:
    It is not necessary to specify a PCR for module 0, since this module's
    measurement will always be extended to PCR 18.  If a PCR is specified,
    then the measurement will be extended to that PCR in addition to PCR 18.


Take ownership of the TPM:
-------------------------
1.  modprobe tpm_tis   (you may need 'force=1 interrupts=0')
2.  tcsd
3.  tpm_takeownership -z
    -  choose password for TPM

Note:
    When taking ownership of the TPM it is important to set the SRK auth to
    all 0s so that tboot will be able to seal/unseal the measurements.  The
    '-z' flag to tpm_takeownership will do this.


Define tboot error TPM NV index:
-------------------------------
1.  lcptools/tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07
    -p TPM-password


Define LCP and Verified Launch policy indices:
---------------------------------------------
1.  lcptools/tpmnv_defindex -i owner -s 0x36 -p TPM-owner-password
2.  lcptools/tpmnv_defindex -i 0x20000001 -s 256 -pv 0x02 -p TPM-owner-password


Write LCP and Verified Launch policies to TPM:
---------------------------------------------
(modprobe tpm_tis; tcsd;)
1.  lcptools/lcp_writepol -i owner -f list.pol -p TPM-password
2.  lcptools/lcp_writepol -i 0x20000001 -f vl.pol -p TPM-password


Modify grub.conf to load the policy data file:
---------------------------------------------
1.  Edit grub.conf and add the following:
        module /list.data
    where you should use the path to this file.
