custom subpolicy (WIP)

xml/security_cryptopolicy.xml

@@ -121,6 +121,13 @@
   <sect1>
     <title>Switching to a different crypto-policy level</title>
 
+    <para>
+      Use the <command>update-crypto-policies</command> to set the policy level
+      which is applied to the cryptographic back-ends. It is the default policy
+      used by these back-ends unless the application user configures them
+      otherwise.
+    </para>
+
     <procedure>
       <step>
         <para>
@@ -154,4 +161,27 @@
       </step>
     </procedure>
   </sect1>
+  <sect1>
+    <title>Customizing existing crypto-policies</title>
+
+    <para>
+      You can modify aspects of any predefined policy by removing or adding
+      algorithms or protocols. This way, you create a subpolicy (or policy
+      modifier module), stored in text files that include the modifications.
+      After creation, one or multiple subpolicies can be applied on the command
+      line to one of the predefined policies. For details, see example ????.
+    </para>
+
+    <para>
+      Subpolicies need to be stored in
+      <filename>/usr/share/crypto-policies/policies/modules/</filename>. You
+      can also find example subpolicies in this directory. The name of the
+      subpolicy file must be <replaceable>MODULE</replaceable>.pmod, where
+      <replaceable>MODULE</replaceable> is the name of the modifier in
+      uppercase and without spaces.
+    </para>
+
+    <!--todo: add example and how to apply it, e.g. with update-crypto-policies -/-set DEFAULT:NO-SHA1-->
+    <!--todo: add another section how to create a new policy from scratch-->
+  </sect1>
 </chapter>