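#!/bin/bash
#
# Provision a TPM for tboot: take ownership, define the NV indices tboot
# uses, then build and write an LCP (launch control) policy and a VL
# (verified launch, "tcb") policy.
#
# Steps, in order:
#   1. tpm_takeownership / tpmnv_defindex  - ownership and NV index layout
#   2. lcp_mlehash .. lcp_writepol         - LCP policy from the tboot.gz hash
#   3. tb_polgen .. lcp_writepol           - VL policy covering kernel + initrd
#
# Environment (all optional, defaults reproduce the original hard-coded values):
#   TPM_OWNER_PASSWORD  auth value passed via -p to tpmnv_defindex/lcp_writepol
#                       (default "password")
#   KVER                kernel version suffix of /boot/vmlinuz-* and /boot/initrd.img-*
#                       (default 3.13.0-27-generic)
#   TBOOT_CMDLINE       tboot command line hashed into the MLE element
#   KERNEL_CMDLINE      kernel command line recorded in the VL policy
#
# Work files go in ./tmp, which is recreated on every run; owner_list.data is
# copied to /boot. Must run as root on the target machine.

set -x

readonly TPM_OWNER_PASSWORD="${TPM_OWNER_PASSWORD:-password}"
readonly KVER="${KVER:-3.13.0-27-generic}"
readonly TBOOT_CMDLINE="${TBOOT_CMDLINE:-logging=serial,memory}"
readonly KERNEL_CMDLINE="${KERNEL_CMDLINE:-root=/dev/mapper/test--vg-root ro   intel_iommu=on}"
readonly WORKDIR=tmp

die() { printf '%s\n' "$*" >&2; exit 1; }

# NOTE: these tools take the auth value on argv (-p), so it shows up in the
# `set -x` trace and in the process list while each tool runs.

# Ownership and NV index definition are left unchecked, as in the original
# script, so a re-run against an already provisioned TPM keeps going.
tpm_takeownership -z
# define tboot error TPM NV index
tpmnv_defindex -i 0x20000002 -s 8 -pv 0 -rl 0x07 -wl 0x07 -p "$TPM_OWNER_PASSWORD"
# define policy TPM NV indices
tpmnv_defindex -i owner -s 0x36 -p "$TPM_OWNER_PASSWORD"
tpmnv_defindex -i 0x20000001 -s 512 -pv 0x02 -p "$TPM_OWNER_PASSWORD"
tpmnv_defindex -i 0x50000002 -s 64 -p "$TPM_OWNER_PASSWORD"

# Fresh work directory; -f so a missing ./tmp on first run is not an error,
# and the cd is checked so policy files never land in the wrong directory.
rm -rf -- "$WORKDIR"
mkdir -- "$WORKDIR" || die "cannot create $WORKDIR"
cd -- "$WORKDIR" || die "cannot cd to $WORKDIR"

# create lcp policy
# Each step is checked: a failed hash or element build would otherwise feed an
# empty/garbage file into the next tool and a bogus policy into the TPM.
lcp_mlehash -c "$TBOOT_CMDLINE" /boot/tboot.gz > tboot_hash \
  || die "lcp_mlehash failed"
lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 0 --out tboot_mle.elt tboot_hash \
  || die "lcp_crtpolelt failed"
lcp_crtpollist --create --out list_unsig.lst tboot_mle.elt \
  || die "lcp_crtpollist failed"
lcp_crtpol2 --create --type list --ctrl 0x02 --pol owner_list.pol --data owner_list.data list_unsig.lst \
  || die "lcp_crtpol2 failed"
lcp_writepol -i owner -f owner_list.pol -p "$TPM_OWNER_PASSWORD" \
  || die "lcp_writepol (owner) failed"
cp -- owner_list.data /boot/ || die "cannot copy owner_list.data to /boot"

# create verified-launch (tcb) policy: PCR 18 gets the kernel, PCR 19 the initrd
tb_polgen --create --type nonfatal tcb.pol || die "tb_polgen --create failed"
tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "$KERNEL_CMDLINE" \
  --image "/boot/vmlinuz-$KVER" tcb.pol || die "tb_polgen (kernel) failed"
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" \
  --image "/boot/initrd.img-$KVER" tcb.pol || die "tb_polgen (initrd) failed"
lcp_writepol -i 0x20000001 -f tcb.pol -p "$TPM_OWNER_PASSWORD" \
  || die "lcp_writepol (tcb) failed"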