Hi Jan,

> So I want to use a signed policy, and use multiple policy data files for
> lifecycle management (e.g. when I need to upgrade to MLE but want to be able
> to "rollback" to a previous version if needed).
> Using a signed policy means I don't have to touch the NVRAM (which might
> break something, making rollback impossible).
>
> Sounds right?

Yes.

> > There are two ways to install the VLP - either in NVRAM (in which case
> > you're right) or by simply adding it to the LCP as a "custom" element.
> > If you do the latter, and use signed LCP, you don't need to update the
> > NVRAM after a kernel update. You would just update the VLP element
> > integrated in the LCP, and sign the updated LCP.
>
> Is it simply something like:
>
> lcp_crtpolelt --create --type custom --uuid tboot --out vlp.elt vlp.dat
> and then add it vlp.elt to lcp_crtpollist when creating the LCP?

Assuming that you created vlp.dat with tb_polgen before, yes.

Regards
Martin

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel