These are some example instructions for creating an Intel(R) TXT Launch
Control Policy (LCP) using the new LCP tools (i.e. for platforms produced
after 2008).

These steps assume that all referenced binaries have already been built and
paths are relative to the tboot/lcptools/ directory:

Create policy element(s):
========================

Create an MLE element:
---------------------
1.  lcp_mlehash -c "the command line for tboot from grub.conf" /boot/tboot.gz
    > mle_hash
2.  lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt
    mle_hash

Create a PCONF element:
----------------------
1.  cat /sys/devices/platform/tpm_tis/pcrs |grep -e PCR-00 -e PCR-01 > pcrs
2.  lcp_crtpolelt --create --type pconf --out pconf.elt pcrs

Create an SBIOS element:
-----------------------
1.  Create hash file containing BIOS hash(es), e.g. named sbios_hash
2.  lcp_crtpolelt --create --type sbios --out sbios.elt sbios_hash

Create a CUSTOM element:
-----------------------
1.  Create or determine the UUID that will identify this data format (e.g.
    using 'uuidgen')
2.  Create the data the will be placed in this element.  E.g. the policy file
    from tb_polgen.
2.  lcp_crtpolelt --create --type custom --out custom.elt --uuid <uuid value>
    <data file>


Create policy list(s):
=====================

Combine the elements into an unsigned list:
------------------------------------------
1.  lcp_crtpollist --create --out list_unsig.lst mle.elt pconf.elt

Use lcp_crtpollist to sign the list:
-----------------------------------
1.  openssl genrsa -out privkey.pem 2048
2.  openssl rsa -pubout -in privkey.pem -out pubkey.pem
3.  cp list_unsig.lst list_1_sig.lst
4.  lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_1_sig.lst

Use openssl to sign the list:
----------------------------
1.  openssl rsa -pubout -in privkey.pem -out pubkey.pem
2.  cp list_unsig.lst list_2_sig.lst
3.  lcp_crtpollist --sign --pub pubkey.pem --nosig --out list_2_sig.lst
4.  openssl genrsa -out privkey.pem 2048
5.  openssl dgst -sha1 -sign privkey.pem -out list_2.sig list_2_sig.lst
6.  lcp_crtpollist --addsig --sig list_2.sig --out list_2_sig.lst

Create policy and policy data files:
===================================
1.  lcp_crtpol2 --create --type list --pol list.pol --data list.data
    list_unsig.lst list_1_sig.lst list_2_sig.lst
