From d70820b5c2ee4efbf117553502a4577e840cc217 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@cryptonector.com>
Date: Tue, 14 Sep 2021 20:26:48 -0500
Subject: [PATCH] WIP: Policy system, take 2

                WIP WIP WIP -- not tested

Let's try a different approach to expressing complex policies:

 - Policies as restricted bash scripts that can do very little besides
   evaluate TPM policies, and which are invoked via...

 - ...a driver script, `sbin/tpm2-policy`, that sets up the environment
   for running the policy, and takes optional additional artifacts to
   make available to the policy.

 - Constant artifacts would be things like:

    - signer keys for `policysigned` and `policyauthorize`
    - signer key names for `policyticket` and such
    - anything else you can imagine

   Non-constant artifacts would be things like:

    - saved object context files for signer keys for `policysigned` and
      `policyauthorize`

    - tickets from `verifysignature`, `policysecret`, and `policysigned`

    - timeout files

    - anything else you can imagine

   all of which can be written only in `.` / `$PWD`.

 - The policy scripts would run in the following environment:

    - a temp dir as the current directory, with `$TMPDIR` set to `$PWD`
      and in which all the necessary artifacts, including the policy script
      itself, shall have been placed

    - various TPM2_POLICY... env vars, mainly TPM2_POLICY_SESSION

    - `$PATH` set to have just two paths: an `rbin` (see below), and the
      `$PWD`/`$TMPDIR` itself into which the policy script will have
      been copied (this will allow the policy script to implement
      different sub-policies selected by its arguments by executing itself,
      possibly through the `rbin/policyor` wrapper).

 - The "rbin" directory in the PATH for the execution of policy scripts,
   with:

    - wrappers for all the tpm2_policy... commands
    - the wrapper for tpm2_policyor is a bit special, naturally
    - wrappers for tpm2_loadexternal and tpm2_verifysignature, and
      possibly others
    - links to or wrappers of a handful of useful system commands like
      `sha256sum`, `xxd`, `dc`, `bc`, `jq`, etc.
    - a wrapper around `xxd` and `cat` for creating files from stdin so that
      artifacts can be embedded as here documents in the script

This way policies get all the expressive power of bash, and access to all the
functionality of tpm2-tools' policy commands.

TBD:

 - Test, debug, test, ...

 - Add rbin wrappers for importing duplicated keys (so they can provide
   authValues discretely!).

 - Maybe allow execution of `sbin/tpm2-recv` by linking it from the rbin?

 - Add sample policies that are interesting, like using a combination of
   `policysigned` and `policyauthorize` and `curl` (outside the policy
   script) to execute an external script that varies at runtime, or
   policies that use different passwords for N different users, or which
   use `policysigned` to let some other entity authenticate N different
   users (using `policyRef` to name them, say), policies requiring
   golden PCRs OR external policy, etc.  Showcase `policyor`!

   It'd be very nice to be able to have a policy like this:

         (golden PCRs && user authValue)
      || (admin authValue OTP && NV revocation of OTP index)
      || (superadmin authValue)
      || ($policy_containing_policy_signed && policyauthorize_of_it)

   Perhaps with multiple superadmin authValues via `policyor`.

   Such a policy would allow a laptop to boot normally with a user
   password, and after emergency updates boot with an admin OTP, or
   after any mishaps via a superadmin password, or with a separate
   policy that blesses the current PCRs as golden.

   Such a policy could be used for sealing an NV index, or it could be
   set on local storage keys encrypted to the TPM's EKpub via
   `sbin/tpm2-send`, allowing for unattended server booting
   post-attestation, or attended server booting post-mishap (if the
   encrypted assets get stored "in the clear").
---
 Makefile                     |   3 +-
 functions.sh                 | 106 ++++++++++++++++++++++-
 rbin/flushcontext            |  80 +++++++++++++++++
 rbin/import                  | 105 +++++++++++++++++++++++
 rbin/load                    |  93 ++++++++++++++++++++
 rbin/loadexternal            | 113 ++++++++++++++++++++++++
 rbin/policyauthorize         |  95 ++++++++++++++++++++
 rbin/policyauthorizenv       |  93 ++++++++++++++++++++
 rbin/policyauthvalue         |  70 +++++++++++++++
 rbin/policycommandcode       |  70 +++++++++++++++
 rbin/policycountertimer      |  99 +++++++++++++++++++++
 rbin/policycphash            |  76 ++++++++++++++++
 rbin/policyduplicationselect |  81 ++++++++++++++++++
 rbin/policylocality          |  70 +++++++++++++++
 rbin/policynamehash          |  75 ++++++++++++++++
 rbin/policynv                |  92 ++++++++++++++++++++
 rbin/policynvwritten         |  70 +++++++++++++++
 rbin/policyor                | 136 +++++++++++++++++++++++++++++
 rbin/policypassword          |  70 +++++++++++++++
 rbin/policypcr               |  79 +++++++++++++++++
 rbin/policysecret            | 104 ++++++++++++++++++++++
 rbin/policysigned            | 111 ++++++++++++++++++++++++
 rbin/policytemplate          |  78 +++++++++++++++++
 rbin/policyticket            |  96 +++++++++++++++++++++
 rbin/startauthsession        |  79 +++++++++++++++++
 rbin/tpm2                    |  85 ++++++++++++++++++
 rbin/verifysignature         |  92 ++++++++++++++++++++
 rbin/writeartifact           |  71 +++++++++++++++
 sbin/safeboot                |   1 +
 sbin/safeboot-tpm-unseal     |   2 +
 sbin/tpm2-attest             |   1 +
 sbin/tpm2-policy             | 162 ++++++++++++++++++++++++-----------
 sbin/tpm2-send               |  17 ++--
 tests/test-policy            |  65 ++++++++++++++
 34 files changed, 2581 insertions(+), 59 deletions(-)
 create mode 100755 rbin/flushcontext
 create mode 100644 rbin/import
 create mode 100644 rbin/load
 create mode 100755 rbin/loadexternal
 create mode 100755 rbin/policyauthorize
 create mode 100755 rbin/policyauthorizenv
 create mode 100755 rbin/policyauthvalue
 create mode 100755 rbin/policycommandcode
 create mode 100755 rbin/policycountertimer
 create mode 100755 rbin/policycphash
 create mode 100755 rbin/policyduplicationselect
 create mode 100755 rbin/policylocality
 create mode 100755 rbin/policynamehash
 create mode 100755 rbin/policynv
 create mode 100755 rbin/policynvwritten
 create mode 100755 rbin/policyor
 create mode 100755 rbin/policypassword
 create mode 100755 rbin/policypcr
 create mode 100755 rbin/policysecret
 create mode 100755 rbin/policysigned
 create mode 100755 rbin/policytemplate
 create mode 100755 rbin/policyticket
 create mode 100755 rbin/startauthsession
 create mode 100755 rbin/tpm2
 create mode 100755 rbin/verifysignature
 create mode 100755 rbin/writeartifact
 create mode 100755 tests/test-policy

diff --git a/Makefile b/Makefile
index 886af57d..42e4b15b 100644
--- a/Makefile
+++ b/Makefile
@@ -307,9 +307,10 @@ shellcheck:
 		sbin/tpm2-recv \
 		sbin/tpm2-policy \
 		initramfs/*/* \
+		rbin/* \
 		tests/test-enroll.sh \
 	; do \
-		shellcheck $$file functions.sh ; \
+		shellcheck -x $$file functions.sh ; \
 	done
 
 # Fetch several of the TPM certs and make them usable
diff --git a/functions.sh b/functions.sh
index dd8f04e6..0c9b9ef5 100755
--- a/functions.sh
+++ b/functions.sh
@@ -31,7 +31,6 @@ debug() { ((${VERBOSE:-0})) && echo "$@" >&2 ; return 0 ; }
 #
 ########################################
 
-TMP=
 TMP_MOUNT=n
 cleanup() {
 	if [[ $TMP_MOUNT = "y" ]]; then
@@ -41,8 +40,11 @@ cleanup() {
 	[[ -n $TMP ]] && rm -rf "$TMP"
 }
 
-trap cleanup EXIT
-TMP=$(mktemp -d)
+setup() {
+	TMP=
+	trap cleanup EXIT
+	TMP=$(mktemp -d)
+}
 
 mount_tmp() {
 	mount -t tmpfs none "$TMP" || die "Unable to mount temp directory"
@@ -620,3 +622,101 @@ verify_sig() {
 	||
 	die "could not verify signature on $body with $pubkey"
 }
+
+# getopts_long lname optstring name [args...]
+#
+#   lname is the name of an associative array whose indices are long option
+#   names and whose values are either the empty string (no option argument),
+#   or ':' (the option requires an argument).
+#
+#   optstring is an optstring value for getopts
+#
+#   optname is the name of a variable in which to put the matched option
+#   name / letter.
+#
+#   args... is the arguments to parse.
+#
+# As with getopts, $OPTIND is set to the next argument to check at the
+# next invocation.  Unset OPTIND or set it to 1 to reset options
+# processing.
+#
+# As with getopts, "--" is a special argument that ends options
+# processing.
+#
+# Example:
+#
+#   declare -A long=([foo]=: [id]=: [silent]='')
+#   foo=none
+#   id=$USER
+#   silent=false
+#   while getopts_long long f:i:sx opt "$@"; do
+#   case "$opt" in
+#   foo|f) foo=$OPTARG;;
+#   id|i) id=$OPTARG;;
+#   silent|s) silent=true; [[ -n $OPTARG ]] && echo "Look ma: optional option arguments! --silent=$OPTARG";;
+#   x) set -vx;;
+#   *) echo "Usage: $0 [--foo FOO | -f FOO] [--id USER | -i USER] [--silent | -s] [-x] ARGS" 1>&2; exit 1;;
+#   esac
+#   done
+# 
+#   shift $((OPTIND-1))
+#   echo "foo=$foo id=$id silent=$silent; args: $#: $*"
+function getopts_long {
+	if (($# < 3)); then
+		printf 'bash: illegal use of getopts_long\n'
+		printf 'Usage: getopts_long lname optstring name [ARGS]\n'
+		printf '\t{lname} is the name of an associative array variable\n'
+		printf '\twhose keys are long option names and values are\n'
+		printf '\tthe empty string (no argument) or ":" (argument\n'
+		printf '\trequired).\n\n'
+		printf '\t{optstring} and {name} are as for the {getopts}\n'
+		printf '\tbash builtin.\n'
+		return 1
+	fi 1>&2
+	[[ ${1:-} != lopts ]] && local -n lopts="$1"
+	local optstr="$2"
+	[[ ${3:-} != opt ]] && local -n opt="$3"
+	local optvar="$3"
+	shift 3
+
+	# shellcheck disable=SC2034
+	OPTOPT=
+	OPTARG=
+	: "${OPTIND:=1}"
+	# shellcheck disable=SC2124
+	opt=${@:$OPTIND:1}
+	if [[ $opt = -- ]]; then
+		opt='?'
+		return 1
+	fi
+	if [[ $opt = --* ]]; then
+		# shellcheck disable=SC2034
+		OPTOPT='-'
+		local optval=false
+		opt=${opt#--}
+		if [[ $opt = *=* ]]; then
+			OPTARG=${opt#*=}
+			opt=${opt%%=*}
+			optval=true
+		fi
+		((++OPTIND))
+		if [[ ${lopts[$opt]+yes} != yes ]]; then
+			((OPTERR)) && printf 'bash: illegal long option %s\n' "$opt" 1>&2
+			opt='?'
+			return 0
+		fi
+		if [[ ${lopts[$opt]:-} = : ]]; then
+			if ! $optval; then
+				# shellcheck disable=SC2124
+				OPTARG=${@:$OPTIND:1}
+				((++OPTIND))
+			fi
+		fi
+		return 0
+	fi
+	if getopts "$optstr" "$optvar" "$@"; then
+		return 0
+	else
+		return $?
+	fi
+}
diff --git a/rbin/flushcontext b/rbin/flushcontext
new file mode 100755
index 00000000..3bb4d331
--- /dev/null
+++ b/rbin/flushcontext
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# Restore the environment so that we have a sane PATH and can find, e.g.,
+# tpm2-tools.
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 flushcontext}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -t | --transient-object
+   -l | --loaded-session
+   -s | --saved-session
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[transient-object]=:
+	[loaded-session]=:
+	[saved-session]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxlst opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+t|transient-object|l|loaded-session|s|saved-session)
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_flushcontext "${args[@]}" "$@"
diff --git a/rbin/import b/rbin/import
new file mode 100644
index 00000000..8b28dc99
--- /dev/null
+++ b/rbin/import
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 import}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -C | --parent-context OBJECT		New parent for imported object.
+   -U | --parent-public FILE		Parent's public part.
+   -s | --seed FILE			Output of {tpm2 duplicate}.
+   -u | --public FILE			Output of {tpm2 duplicate}.
+   -i | --input FILE			Output of {tpm2 duplicate}.
+   -r | --private FILE			Output for {tpm2 load}.
+   -g | --hash-algorithm ALGORITHM	Hash algorithm.
+   -G | --key-algorithm ALGORITHM	Key algorithm.
+   -a | --attributes ATTRIBUTES		Attributes for raw external key.
+   -L | --policy FILE			Policy for raw external key.
+   -k | --encryption-key
+   -P | --parent-auth AUTH
+   -p | --key-auth AUTH
+   --cphash FILE			Write cpHash of TPM2_Import() command.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[parent-context]=:
+	[parent-public]=:
+	[seed]=:
+	[private]=:
+	[public]=:
+	[input]=:
+	[hash-algorithm]=:
+	[key-algorithm]=:
+	[attributes]=:
+	[encryption-key]=:
+	[parent-auth]=:
+	[key-auth]=:
+	[cphash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxC:U:s:r:u:i:g:G:a:L:k:P:p: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+C|parent-context|U|parent-public|s|seed|r|private|u|public|k|encryption-key|cphash)
+		[[ $OPTARG = */* ]]	\
+			&& die "Cannot reference files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+P|parent-auth|p|key-auth)
+		case "$OPTARG" in
+		str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		file:*)	[[ $OPTARG = */* ]]		\
+			&& die "Cannot reference input files outside the current directory"
+			args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		*)	die "Auth values must start with str: hex: or file:";;
+		esac;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_import "${args[@]}" "$@"
diff --git a/rbin/load b/rbin/load
new file mode 100644
index 00000000..0085995d
--- /dev/null
+++ b/rbin/load
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 load}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -C | --parent-context OBJECT		Parent object.
+   -c | --key-context OBJECT		Saved object context file.
+   -P | --parent-auth AUTH
+   -r | --private FILE			Output of {tpm2 import}.
+   -u | --public FILE			Output of {tpm2 duplicate, readpublic}.
+   -n | --name FILE			File in which to save the name of the
+					loaded object.
+   --cphash FILE			Write cpHash of TPM2_Import() command.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[parent-context]=:
+	[key-context]=:
+	[parent-auth]=:
+	[private]=:
+	[public]=:
+	[name]=:
+	[cphash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxC:c:P:r:u:n: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+C|parent-context|c|key-context|r|private|u|public|n|name|cphash)
+		[[ $OPTARG = */* ]]	\
+		&& die "Cannot reference files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+P|parent-auth)
+		case "$OPTARG" in
+		str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		file:*)	[[ $OPTARG = */* ]]		\
+			&& die "Cannot reference input files outside the current directory"
+			args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		*)	die "Auth values must start with str: hex: or file:";;
+		esac;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_load "${args[@]}" "$@"
diff --git a/rbin/loadexternal b/rbin/loadexternal
new file mode 100755
index 00000000..0549a69c
--- /dev/null
+++ b/rbin/loadexternal
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 loadexternal}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -C | --hierarchy OBJECT
+   -G | --key-algorithm ALGORITHM
+   -g | --hash-algorithm ALGORITHM
+   -u | --public FILE
+   -r | --private FILE
+   -p | --auth AUTH
+   -L | --policy FILE
+   -a | --attributes ATTRIBUTES
+   -c | --key-context FILE
+   -n | --name FILE
+
+  Input and output files (including any referenced by {AUTH}) are limited to
+  files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[hierarchy]=:
+	[key-algorithm]=:
+	[hash-algorithm]=:
+	[public]=:
+	[private]=:
+	[auth]=:
+	[policy]=:
+	[attributes]=:
+	[key-context]=:
+	[name]=:
+)
+
+declare -a args=()
+
+while getopts_long lopts +:hxC:G:L:a:c:g:n:p:r:u: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+C|hierarchy|G|key-algorithm|g|hash-algorithm|a|attributes)
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+u|public|L|policy|r|private)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+p|auth)
+	case "$OPTARG" in
+	str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside current directory"
+		[[ -s ${OPTARG#file:} ]]	\
+		|| die "Auth file for $PROG missing"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "AUTH values must start with str:, hex:, or file:";;
+	esac;;
+c|key-context|n|name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_loadexternal "${args[@]}" "$@"
diff --git a/rbin/policyauthorize b/rbin/policyauthorize
new file mode 100755
index 00000000..d2d129c7
--- /dev/null
+++ b/rbin/policyauthorize
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyauthorize}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -q | --qualification FILE_OR_HEX	{policyRef} (qualifier)
+   -n | --name FILE			Name of object whose public
+					area has the signer's public key.
+   -i | --input FILE			The {policyDigest} authorized by the
+					signer.
+   -t | --ticket FILE			A {ticket} from {tpm2 verifysignature}
+					that validates that the signer's
+					signature of the authorized
+					{policyDigest}.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[qualification]=:
+	[name]=:
+	[input]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxq:n:i:t: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+n|name|i|input|t|ticket|c|key-context|n|name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyauthorize "${args[@]}" "$@"
diff --git a/rbin/policyauthorizenv b/rbin/policyauthorizenv
new file mode 100755
index 00000000..2c47ad45
--- /dev/null
+++ b/rbin/policyauthorizenv
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyauthorizenv}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -C | --hierarchy OBJECT
+   -P | --auth AUTH
+   --cphash FILE
+
+  Input files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[hierarchy]=:
+	[auth]=:
+	[cphash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxC:P: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+C|hierarchy|cphash)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+P|auth)
+	case "$OPTARG" in
+	str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "AUTH values must start with str:, hex:, or file:";;
+	esac;;
+c|key-context|n|name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyauthorizenv "${args[@]}" "$@"
diff --git a/rbin/policyauthvalue b/rbin/policyauthvalue
new file mode 100755
index 00000000..d7d20459
--- /dev/null
+++ b/rbin/policyauthvalue
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyauthvalue}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyauthvalue "${args[@]}" "$@"
diff --git a/rbin/policycommandcode b/rbin/policycommandcode
new file mode 100755
index 00000000..f39dbbfc
--- /dev/null
+++ b/rbin/policycommandcode
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] COMMAND-CODE
+
+  {$PROG} is a wrapper around {tpm2 policycommandcode}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policycommandcode "${args[@]}" "$@"
diff --git a/rbin/policycountertimer b/rbin/policycountertimer
new file mode 100755
index 00000000..c1437a37
--- /dev/null
+++ b/rbin/policycountertimer
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] COMMAND-CODE
+
+  {$PROG} is a wrapper around {tpm2 policycountertimer}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   --bs
+   --bc
+   --eq
+   --neq
+   --sgt
+   --ugt
+   --slt
+   --ult
+   --slt
+   --ult
+   --sle
+   --ule
+   --sle
+   --ule
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[bs]=''
+	[bc]=''
+	[eq]=''
+	[neq]=''
+	[sgt]=''
+	[ugt]=''
+	[slt]=''
+	[ult]=''
+	[slt]=''
+	[ult]=''
+	[sle]=''
+	[ule]=''
+	[sle]=''
+	[ule]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+[?])	usage;;
+*)	args+=(-"${OPTOPT}$opt");;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policycountertimer "${args[@]}" "$@"
diff --git a/rbin/policycphash b/rbin/policycphash
new file mode 100755
index 00000000..b9ff8c1c
--- /dev/null
+++ b/rbin/policycphash
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policycphash}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   --cphash-input FILE		The file containing the cpHash.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[cphash-input]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+cphash-input)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)			usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policycphash "${args[@]}" "$@"
diff --git a/rbin/policyduplicationselect b/rbin/policyduplicationselect
new file mode 100755
index 00000000..fe78ab65
--- /dev/null
+++ b/rbin/policyduplicationselect
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyduplicationselect}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -n | --object-name FILE
+   -N | --parent-name FILE
+   --include-object
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[object-name]=:
+	[parent-name]=:
+	[include-object]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+include-object)		args+=(-"${OPTOPT}$opt");;
+object-name|parent-name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)			usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyduplicationselect "${args[@]}" "$@"
diff --git a/rbin/policylocality b/rbin/policylocality
new file mode 100755
index 00000000..a00bdbc3
--- /dev/null
+++ b/rbin/policylocality
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policylocality}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)			usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policylocality "${args[@]}" "$@"
diff --git a/rbin/policynamehash b/rbin/policynamehash
new file mode 100755
index 00000000..92767376
--- /dev/null
+++ b/rbin/policynamehash
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policynamehash}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -n | --name FILE
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[name]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hn:x opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+n|name)		[[ $OPTARG = */* ]]	\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policynamehash "${args[@]}" "$@"
diff --git a/rbin/policynv b/rbin/policynv
new file mode 100755
index 00000000..d145d8fc
--- /dev/null
+++ b/rbin/policynv
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policynv}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -P | --auth AUTH
+   -i | --input FILE
+   --cp-hash FILE
+   --offset NUMBER
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[auth]=:
+	[offset]=:
+	[cphash]=:
+	[input]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxi:P: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+offset)		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+p|auth)
+	case "$OPTARG" in
+	str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*) [[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "AUTH values must start with str:, hex:, or file:";;
+	esac;;
+i|input|cphash)
+	[[ $OPTARG = */* ]]	\
+	die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policynv "${args[@]}" "$@"
diff --git a/rbin/policynvwritten b/rbin/policynvwritten
new file mode 100755
index 00000000..dd9e4ad6
--- /dev/null
+++ b/rbin/policynvwritten
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] s|c|0|1
+
+  {$PROG} is a wrapper around {tpm2 policynvwritten}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policynvwritten "${args[@]}" "$@"
diff --git a/rbin/policyor b/rbin/policyor
new file mode 100755
index 00000000..9c85e9d4
--- /dev/null
+++ b/rbin/policyor
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+	$pager <<EOF
+Usage: $PROG POLICY_0 ';' POLICY_1 ';' ...
+       $PROG --raw POLICY_DIGEST_FILE_0 POLICY_DIGEST_FILE_1...
+
+  {$PROG} evaluates an alternation (TPM2_PolicyOr()) of the given policies.
+
+  Each {POLICY_i} is a policy script or restricted bin policy command wrapper,
+  and optional arguments.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+
+  See {sbin/tpm2-policy}.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+declare -a alts
+alts=()
+if [[ -n ${TPM2_POLICY_ALTERNATIVES:-} ]]; then
+	set -f
+	alts+=($TPM2_POLICY_ALTERNATIVES)
+	set +f
+	this_alt=${alts[0]}
+	[[ $this_alt = [0-7] ]] \
+	|| die "Alternatives must be integers between 0 and 7, inclusive"
+	trial=false
+else
+	this_alt=-1
+	trial=true
+fi
+unset TPM2_POLICY_ALTERNATIVES
+
+join() { local IFS="$1"; printf '%s\n' "$*"; }
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[raw]=''
+)
+
+while getopts_long lopts +:hx opt "$@"; do
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+raw) 
+		tpm2 policyor --session "${TPM2_POLICY_SESSION}"	\
+			      --policy "$TPM2_POLICY"			\
+			      sha256:"$(join ',' "$@")"
+		exit 0;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+(($# > 0)) || usage
+
+unset TPM2_POLICY_ALTERNATIVES
+
+declare -a policies=()
+declare -a sessions=()
+cleanup() { rm -rf "${policies[@]}" "${sessions[@]}"; }
+trap cleanup EXIT
+
+let i=0
+declare -a cmd
+while (($#)); do
+	# Extract POLICY_i from the argv
+	cmd=()
+	while (($#)) && [[ $1 != ";" ]]; do
+		cmd+=("$1")
+		shift
+	done
+	(($#)) && [[ $1 != ";" ]] && shift
+
+	policy="digest-${TPM2_POLICY_SESSION}-${i}"
+	policies+=("$TPM2_POLICY")
+	if $trial || ((i != this_alt)); then
+		# Either we're not executing the policy, or not this arm of it.
+		sessions+=("${TPM2_POLICY_SESSION}-${i}")
+		tpm2 flushcontext --loaded-session
+		tpm2 startauthsession --session "${TPM2_POLICY_SESSION}-${i}"
+		TPM2_POLICY_SESSION=${TPM2_POLICY_SESSION}-${i}	\
+		TPM2_POLICY="$policy"					\
+		"${cmd[@]}"
+		tpm2 flushcontext --loaded-session
+	else
+		# shellcheck disable=SC2124
+		TPM2_POLICY_ALTERNATIVES=${alts[@]:1:${#alts[@]}}	\
+		TPM2_POLICY="$policy"					\
+		"${cmd[@]}"
+	fi
+	((++i))
+done
+
+tpm2_policyor --session "${TPM2_POLICY_SESSION}"	\
+	      --policy "$TPM2_POLICY"			\
+	      sha256:"$(join ',' "${policies[@]}")"
diff --git a/rbin/policypassword b/rbin/policypassword
new file mode 100755
index 00000000..094f3a51
--- /dev/null
+++ b/rbin/policypassword
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policypassword}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policypassword "${args[@]}" "$@"
diff --git a/rbin/policypcr b/rbin/policypcr
new file mode 100755
index 00000000..80656702
--- /dev/null
+++ b/rbin/policypcr
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] [HEX-DIGEST]
+
+  {$PROG} is a wrapper around {tpm2 policypcr}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -f | --pcr FILE
+   -l | --pcr-list PCR
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[pcr]=:
+	[pcr-list]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxf:l: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+l|pcr-list)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+f|pcr)
+		[[ $OPTARG = */* ]]	\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policypcr "${args[@]}" "$@"
diff --git a/rbin/policysecret b/rbin/policysecret
new file mode 100755
index 00000000..ee8add00
--- /dev/null
+++ b/rbin/policysecret
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 policysecret}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -c | --object-context OBJECT		The object whose secret {authValue}
+					to prove.
+   -q | --qualification FILE_OR_HEX	{policyRef} (qualifier).
+   -t | --expiration NUMBER		See {tpm2_policysecret(1)}.
+   --nonce-tpm				Bind the {authValue} proof to this
+					session.
+   --cphash FILE			{cpHash} of command to be authorized.
+   --timeout FILE			Output file.
+   --ticket FILE			{ticket} output file.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[object-context]=:
+	[qualification]=:
+	[expiration]=:
+	[nonce-tpm]=:
+	[timeout]=:
+	[cphash]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxq:t:c: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+nonce-tpm)	args+=(-"${OPTOPT}$opt");;
+t|expiration)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+c|object-context|cphash)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+timeout|ticket)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policysecret "${args[@]}" "$@"
diff --git a/rbin/policysigned b/rbin/policysigned
new file mode 100755
index 00000000..8cdaa6af
--- /dev/null
+++ b/rbin/policysigned
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 policysigned}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -c | --key-context FILE		Signer's public key object.
+   -s | --signature FILE		Signature file.
+   -f | --format FORMAT			Signature file format.
+   -g | --hash-algorithm ALGORITHM	Hash algorithm for signature.
+   -q | --qualification FILE_OR_HEX	{policyRef} given as hex:...
+					or file:filename.
+   -t | --expiration NUMBER		See {tpm2_policysigned(1)}.
+   --nonce-tpm				Whether to bind the signature to
+					this policy session.
+   --cphash FILE			{cpHash} of command to be authorized.
+   --timeout FILE			Output file.
+   --ticket FILE			Output file (if {expiration} is
+					negative).
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[qualification]=:
+	[expiration]=:
+	[nonce-tpm]=:
+	[hash-algorithm]=:
+	[signature]=:
+	[format]=:
+	[key-context]=:
+	[cphash]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxc:g:s:f:q:t: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+t|expiration|g|hash-algorithm|f|format)
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+h|help)		usage 0;;
+x|trace)	set -vx;;
+nonce-tpm)	args+=(-"${OPTOPT}$opt");;
+c|key-context|cphash|s|signature)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+timeout|ticket)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside POLICY-DIR or the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policysigned "${args[@]}" "$@"
diff --git a/rbin/policytemplate b/rbin/policytemplate
new file mode 100755
index 00000000..609f85d1
--- /dev/null
+++ b/rbin/policytemplate
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policytemplate}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   --template-hash FILE			Hash of public template used to be
+					created by the command authorized by
+					this session.
+
+  Input files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[template-hash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+template-hash)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policytemplate "${args[@]}" "$@"
diff --git a/rbin/policyticket b/rbin/policyticket
new file mode 100755
index 00000000..e1f90704
--- /dev/null
+++ b/rbin/policyticket
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 policyticket}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -n | --name FILE			Name of the object that validated
+					the authorization.
+   -q | --qualification FILE_OR_HEX	{policyRef} given as hex:...
+					or file:filename.
+   --ticket FILE			Ticket.
+   --timeout FILE			Output file.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[name]=:
+	[qualification]=:
+	[timeout]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxn:q: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+t|ticket)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+timeout)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside POLICY-DIR or the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyticket "${args[@]}" "$@"
diff --git a/rbin/startauthsession b/rbin/startauthsession
new file mode 100755
index 00000000..44cbb562
--- /dev/null
+++ b/rbin/startauthsession
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+unset TPM2_POLICY_SESSION
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] --session FILE
+
+  {$PROG} is a wrapper around {tpm2 startauthsession}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -S | --session FILE
+   --policy-session
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[session]=:
+	[policy-session]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+session=
+while getopts_long lopts +:hxS: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+S|session)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+policy-session) args+=(-"${OPTOPT}$opt");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+[[ -z $session ]]	\
+&& die "A session file not given"
+[[ -s $session ]]	\
+&& die "Session already exists"
+
+# Finally:
+tpm2_startauthsession "${args[@]}" "$@"
diff --git a/rbin/tpm2 b/rbin/tpm2
new file mode 100755
index 00000000..47075245
--- /dev/null
+++ b/rbin/tpm2
@@ -0,0 +1,85 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] ARGS
+
+  {$PROG} is a wrapper around {tpm2} for {${BASEDIR}/sbin/tpm2-policy}.  It
+  runs subcommands that are themselves wrappers around {tpm2} subcommands.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+$(($#)) || usage
+
+declare -A cmds=(
+	[flushcontext]=true
+	[import]=true
+	[load]=true
+	[loadexternal]=true
+	[policyauthorize]=true
+	[policyauthorizenv]=true
+	[policyauthvalue]=true
+	[policycommandcode]=true
+	[policycountertimer]=true
+	[policycphash]=true
+	[policyduplicationselect]=true
+	[policylocality]=true
+	[policynamehash]=true
+	[policynv]=true
+	[policynvwritten]=true
+	[policyor]=true
+	[policypassword]=true
+	[policypcr]=true
+	[policysecret]=true
+	[policysigned]=true
+	[policytemplate]=true
+	[policyticket]=true]=true
+	[startauthsession]=true
+	[verifysignature]=true
+)
+
+# Finally:
+"${cmds["$1"]:-false}" && "$@"
diff --git a/rbin/verifysignature b/rbin/verifysignature
new file mode 100755
index 00000000..2963f6c1
--- /dev/null
+++ b/rbin/verifysignature
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 verifysignature}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+
+  Options from {tpm2 verifysignature}:
+
+   -c | --key-context FILE
+   -t | --ticket FILE
+   -g | --hash-algorithm ALGORITHM
+   -m | --message FILE
+   -d | --digest FILE
+   -s | --signature FILE
+   -f | --scheme SCHEME
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[hash-algorithm]=:
+	[scheme]=:
+	[message]=:
+	[signature]=:
+	[key-context]=:
+	[ticket]=:
+)
+
+declare -a args=()
+
+while getopts_long lopts +:hxc:t:g:m:d:s:f: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+g|hash-algorithm|f|scheme)
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+c|key-context|t|ticket|m|message|s|signature)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_verifysignature "${args[@]}" "$@"
diff --git a/rbin/writeartifact b/rbin/writeartifact
new file mode 100755
index 00000000..e4f85c5f
--- /dev/null
+++ b/rbin/writeartifact
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] FILE
+
+  {$PROG} reads from stdin and writes to {FILE} provided {FILE} is in the
+  current directory.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   --help	This message
+   --hex	Decode stdin as hex to binary
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[hex]=''
+)
+
+hex=false
+while getopts_long lopts +:h opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)	usage 0;;
+hex)	hex=true;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+(($# == 1)) || usage
+
+[[ $1 = */* ]] && die "Cannot write files outside current directory"
+[[ -s $1 ]] && die "Cannot clobber files"
+
+# Finally:
+if $hex; then
+	xxd -p -r > "$1"
+else
+	cat > "$1"
+fi
diff --git a/sbin/safeboot b/sbin/safeboot
index e104e30b..a76de448 100755
--- a/sbin/safeboot
+++ b/sbin/safeboot
@@ -29,6 +29,7 @@ export LC_ALL=C
 
 # shellcheck source=functions.sh
 . "$PREFIX$DIR/functions.sh"
+setup
 
 if [ -r "$PREFIX$DIR/safeboot.conf" ]; then
 	# shellcheck source=safeboot.conf
diff --git a/sbin/safeboot-tpm-unseal b/sbin/safeboot-tpm-unseal
index aad13dfc..3a4ba378 100755
--- a/sbin/safeboot-tpm-unseal
+++ b/sbin/safeboot-tpm-unseal
@@ -32,6 +32,8 @@ for script in \
 	fi
 done
 
+setup
+
 # Override die to extend the boot mode PCR to indicate the failure
 die() {
 	echo >&2 "$@"
diff --git a/sbin/tpm2-attest b/sbin/tpm2-attest
index 3be8bc0a..7c9cc2c6 100755
--- a/sbin/tpm2-attest
+++ b/sbin/tpm2-attest
@@ -26,6 +26,7 @@ TOP="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && cd .. && pwd )"
 : "${DIR:=/etc/safeboot}"
 
 . "$TOP/functions.sh"
+setup
 
 if [ -r "$PREFIX$DIR/safeboot.conf" ]; then
 	. $PREFIX$DIR/safeboot.conf
diff --git a/sbin/tpm2-policy b/sbin/tpm2-policy
index 0c85c2f9..d865b0c8 100755
--- a/sbin/tpm2-policy
+++ b/sbin/tpm2-policy
@@ -1,14 +1,8 @@
 #!/bin/bash
 
 PROG=${0##*/}
-
-if [[ $0 = /* ]]; then
-        BASEDIR=${0%/*}
-elif [[ $0 = */* ]]; then
-        BASEDIR=$PWD/${0%/*}
-else
-        BASEDIR=$PWD
-fi
+BASEDIR=$(dirname "$( dirname "$(readlink -f "${BASH_SOURCE[0]}")")")
+export BASEDIR
 
 set -euo pipefail -o noclobber
 shopt -s extglob
@@ -16,61 +10,133 @@ shopt -s extglob
 function usage {
 	((${1:-1} > 0)) && exec 1>&2
 	cat <<EOF
-Usage: $PROG [-o FILE] [-A | -D] POLICY-CMD [ARGS [\\; ...]]
+Usage: $PROG [OPTIONS] POLICY [ARGS...]
+
+  Executes the {POLICY}, which must be a bash script to execute via restricted
+  bash.
+
+  Options:
 
-  The first form computes the policyDigest of the given policy.
+   -h | --help		This message.
+   -x | --trace		Trace this script.
+   -F | --file FILE	A file to make available to the policy script.
+			All such FILEs must have distinct basenames.
+   -P | --path ALTS	Execute the given alternation branches of the
+			EA policy.  The value should be a comma-
+			separated list of integers between 0 and 7.
+   -S | --session FILE	Use the given policy session, otherwise use a
+			trial session.
+   -L | --policy FILE	Leave the {policyDigest} (binary) in {FILE}.
+   -E | --existing	Use an existing session.
+			If {--existing} is not given then if the {--session}
+			file exists that will be an error.
+   -T | --trial		The session is a trial session.
 
-  Policies arguments should be of the form:
+  Policies should consist of a directory with:
 
-       $PROG ... tpm2 policy... args... \\; tpm2 policy args...
+   - policy -- a restricted bash script implementing the policy
+   - any artifacts needed by the policy
 
-  but without any {--session}|{-S} nor {--policy}|{-L} options.
+  Arguments are policy-specific.
 
-  If -A is given then {tpm2 policycommandcode} will be added at the end for
-  enabling TPM2_ActivateCredential().
+  Policies may only execute the external commands in the one directory in
+  {PATH}, which are:
 
-  If -D is given then {tpm2 policycommandcode} will be added at the end for
-  enabling TPM2_RSA_Decrypt().
+   - {verifysignature} -> wrapper for {tpm2_verifysignature}
+   - {loadexternal} -> wrapper for {tpm2_loadexternal}
+   - {policy*} -> wrappers for {tpm2_policy*}
+   - sha256sum
+   - stat
+   - xxd
 
-  E.g.:
+  The wrappers will not allow access to files outside {TMPDIR}.
 
-      $ # Require that PCR 11 be unextended
-      $ $PROG tpm2 policypcr -l "sha256:11"
+  TMPDIR will be set to a directory that the policy script can use for its
+  needs.  In particular, any key contexts loaded from policy artifacts, and any
+  tickets made by any of the wrapped tpm2 commands, must be placed in TMPDIR.
+
+  The current directory when running the policy script will be the {TMPDIR}.
 EOF
 	exit "${1:-1}"
 }
 
 # shellcheck disable=SC1090
-. "$BASEDIR/../functions.sh"
-
-out=
-force=false
-activate=false
-rsa_decrypt=false
-command_code=
-while getopts +:ADhefo:x opt; do
-case "$opt" in
-A)	activate=true;;
-D)	rsa_decrypt=true;;
-h)	usage 0;;
-f)	force=true;;
-o)	out=$OPTARG;;
-x)	set -vx;;
-*)	usage;;
-esac
-done
-shift $((OPTIND - 1))
-
-! $activate  || ! $rsa_decrypt || die "-A and -D are mutually exclusive"
-$activate    && command_code=TPM2_CC_ActivateCredential
-$rsa_decrypt && command_code=TPM2_CC_RSA_Decrypt
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+   [help]=''
+   [trace]=''
+   [file]=:
+   [path]=:
+   [session]=:
+   [policy]=:
+   [existing]=''
+   [trial]=''
+)
 
 # Make a temp dir and remove it when we exit:
 d=
-trap 'rm -rf "$d"' EXIT
+trap 'cd /; rm -rf "$d"' EXIT
 d=$(mktemp -d)
+export TMPDIR="$d"
+
+existing=false
+alts=
+trial=false
+policy=
+session=
+while getopts_long lopts +:L:NP:S:Thx opt "$@"; do
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+F|file)		cp -f "$OPTARG" "$TMPDIR";;
+L|policy)	policy=$OPTARG;;
+E|existing)	existing=true;;
+P|path)		alts=$OPTARG; trial=false;;
+S|session)	session=$OPTARG;;
+T|trial)	trial=true;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+(($#)) || usage
+
+cd "$TMPDIR"
+
+# Save the current environment so it can be restored easily by the rbin
+# wrappers.  Make sure the env is not writable so that the restricted bash
+# script cannot write it.
+unset TPM2_POLICY_SESSION TPM2_POLICY_ALTERNATIVES TPM2_POLICY
+export PREFIX DIR
+(umask 0222; export -p > "${TMPDIR}/env")
+
+[[ -z ${session:-} ]] && session=${TMPDIR}/session
+if $existing; then
+	[[ -z ${session:-} || ! -s ${session:-} ]]	\
+	&& die "Session file exists"
+elif ! $existing; then
+	if $trial; then
+		tpm2 startauthsession --session "$session"
+	else
+		tpm2 startauthsession --session "$session"	\
+				      --policy-session
+	fi
+fi
 
-policyDigest=$(make_policyDigest $command_code "$@")
-[[ -z $out ]] || ! $force >| "$out"
-[[ -z $out ]] ||   $force > "$out"
-echo "$policyDigest"
+: "${policy:="$(mktemp)"}"
+TPM2_POLICY_SESSION=$session
+TPM2_POLICY_ALTERNATIVES=$alts
+TPM2_POLICY=${policy}
+export TPM2_POLICY TPM2_POLICY_SESSION TPM2_POLICY_ALTERNATIVES
+
+script=$1
+shift
+
+# Run restricted scripts with FD 4 set to /dev/null so they can redirect output
+# to /dev/null using 1>&4 and 2>&4.
+BASH_ENV="${BASEDIR}/functions.sh"	\
+PATH="$BASEDIR/rbin"			\
+/bin/rbash "${script}" "$@" 4<>/dev/null
+bin2hex < "$policy"
diff --git a/sbin/tpm2-send b/sbin/tpm2-send
index dbd5ca81..1b6e83d3 100755
--- a/sbin/tpm2-send
+++ b/sbin/tpm2-send
@@ -1,17 +1,20 @@
 #!/bin/bash
 
 PROG=${0##*/}
-if [[ $0 = /* ]]; then
-        BASEDIR=${0%/*}
-elif [[ $0 = */* ]]; then
-        BASEDIR=$PWD/${0%/*}
-else
-        BASEDIR=$PWD
-fi
+BASEDIR=$( dirname "$(readlink -f "${BASH_SOURCE[0]}")")
 
 set -euo pipefail
 shopt -s extglob
 
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=h
+	[method]=M:
+	[policy]=P:
+	[force]=f:
+	[trace]=x
+)
+
 # shellcheck disable=SC2209
 function usage {
 	((${1:-1} > 0)) && exec 1>&2
diff --git a/tests/test-policy b/tests/test-policy
new file mode 100755
index 00000000..20cedc5f
--- /dev/null
+++ b/tests/test-policy
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+PROG=${0##*/}
+
+set -euo pipefail
+shopt -s extglob
+
+die() { echo "Error: $*" 1>&2; exit 1; }
+
+[[ ${TMPDIR:-} ]]	\
+|| die "TMPDIR is not set"
+[[ ${TMPDIR:-} = "$PWD" ]]	\
+|| die "TMPDIR is not equal to \$PWD"
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+IFS=: read -a path <<<"$PATH"
+((${#path[@]} < 1 || ${#path[@]} > 2))			\
+&& die "PATH not set correctly (wrong number of paths)"
+((${#path[@]} == 1)) && [[ ${path[0]} != */rbin ]]	\
+&& die "PATH not set correctly (rbin missing)"
+((${#path[@]} == 2))					\
+&& [[ ${path[0]} != */rbin && ${path[1]} != */rbin ]]	\
+&& die "PATH not set correctly (rbin missing)"
+((${#path[@]} == 2))					\
+&& [[ ${path[0]} != "$PWD" && ${path[1]} != "$PWD" ]]	\
+&& die "PATH not set correctly (something other than \$PWD and rbin is present)"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	local -a usage
+	readarray usage <<EOF
+Usage: $PROG
+
+  A test policy script.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+
+  See {sbin/tpm2-policy}.
+EOF
+	printf '%s' "${usage[@]}"
+	exit "${1:-1}"
+}
+
+while getopts +:hx opt "$@"; do
+# shellcheck disable=SC2154
+case "$opt" in
+h)	usage 0;;
+x)	set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+for ((i=0; i < 32; i++)); do printf '\0'; done | writeartifact pcr11.dat
+policypcr --pcr-list=sha256:11 -f pcr11.dat