diff --git a/Makefile b/Makefile
index 886af57d..42e4b15b 100644
--- a/Makefile
+++ b/Makefile
@@ -307,9 +307,10 @@ shellcheck:
 		sbin/tpm2-recv \
 		sbin/tpm2-policy \
 		initramfs/*/* \
+		rbin/* \
 		tests/test-enroll.sh \
 	; do \
-		shellcheck $$file functions.sh ; \
+		shellcheck -x $$file functions.sh ; \
 	done
 
 # Fetch several of the TPM certs and make them usable
diff --git a/functions.sh b/functions.sh
index dd8f04e6..0c9b9ef5 100755
--- a/functions.sh
+++ b/functions.sh
@@ -31,7 +31,6 @@ debug() { ((${VERBOSE:-0})) && echo "$@" >&2 ; return 0 ; }
 #
 ########################################
 
-TMP=
 TMP_MOUNT=n
 cleanup() {
 	if [[ $TMP_MOUNT = "y" ]]; then
@@ -41,8 +40,11 @@ cleanup() {
 	[[ -n $TMP ]] && rm -rf "$TMP"
 }
 
-trap cleanup EXIT
-TMP=$(mktemp -d)
+setup() {
+	TMP=
+	trap cleanup EXIT
+	TMP=$(mktemp -d)
+}
 
 mount_tmp() {
 	mount -t tmpfs none "$TMP" || die "Unable to mount temp directory"
@@ -620,3 +622,101 @@ verify_sig() {
 	||
 	die "could not verify signature on $body with $pubkey"
 }
+
+# getopts_long lname optstring name [args...]
+#
+#   lname is the name of an associative array whose indices are long option
+#   names and whose values are either the empty string (no option argument),
+#   or ':' (the option requires an argument).
+#
+#   optstring is an optstring value for getopts
+#
+#   optname is the name of a variable in which to put the matched option
+#   name / letter.
+#
+#   args... is the arguments to parse.
+#
+# As with getopts, $OPTIND is set to the next argument to check at the
+# next invocation.  Unset OPTIND or set it to 1 to reset options
+# processing.
+#
+# As with getopts, "--" is a special argument that ends options
+# processing.
+#
+# Example:
+#
+#   declare -A long=([foo]=: [id]=: [silent]='')
+#   foo=none
+#   id=$USER
+#   silent=false
+#   while getopts_long long f:i:sx opt "$@"; do
+#   case "$opt" in
+#   foo|f) foo=$OPTARG;;
+#   id|i) id=$OPTARG;;
+#   silent|s) silent=true; [[ -n $OPTARG ]] && echo "Look ma: optional option arguments! --silent=$OPTARG";;
+#   x) set -vx;;
+#   *) echo "Usage: $0 [--foo FOO | -f FOO] [--id USER | -i USER] [--silent | -s] [-x] ARGS" 1>&2; exit 1;;
+#   esac
+#   done
+# 
+#   shift $((OPTIND-1))
+#   echo "foo=$foo id=$id silent=$silent; args: $#: $*"
+function getopts_long {
+	if (($# < 3)); then
+		printf 'bash: illegal use of getopts_long\n'
+		printf 'Usage: getopts_long lname optstring name [ARGS]\n'
+		printf '\t{lname} is the name of an associative array variable\n'
+		printf '\twhose keys are long option names and values are\n'
+		printf '\tthe empty string (no argument) or ":" (argument\n'
+		printf '\trequired).\n\n'
+		printf '\t{optstring} and {name} are as for the {getopts}\n'
+		printf '\tbash builtin.\n'
+		return 1
+	fi 1>&2
+	[[ ${1:-} != lopts ]] && local -n lopts="$1"
+	local optstr="$2"
+	[[ ${3:-} != opt ]] && local -n opt="$3"
+	local optvar="$3"
+	shift 3
+
+	# shellcheck disable=SC2034
+	OPTOPT=
+	OPTARG=
+	: "${OPTIND:=1}"
+	# shellcheck disable=SC2124
+	opt=${@:$OPTIND:1}
+	if [[ $opt = -- ]]; then
+		opt='?'
+		return 1
+	fi
+	if [[ $opt = --* ]]; then
+		# shellcheck disable=SC2034
+		OPTOPT='-'
+		local optval=false
+		opt=${opt#--}
+		if [[ $opt = *=* ]]; then
+			OPTARG=${opt#*=}
+			opt=${opt%%=*}
+			optval=true
+		fi
+		((++OPTIND))
+		if [[ ${lopts[$opt]+yes} != yes ]]; then
+			((OPTERR)) && printf 'bash: illegal long option %s\n' "$opt" 1>&2
+			opt='?'
+			return 0
+		fi
+		if [[ ${lopts[$opt]:-} = : ]]; then
+			if ! $optval; then
+				# shellcheck disable=SC2124
+				OPTARG=${@:$OPTIND:1}
+				((++OPTIND))
+			fi
+		fi
+		return 0
+	fi
+	if getopts "$optstr" "$optvar" "$@"; then
+		return 0
+	else
+		return $?
+	fi
+}
diff --git a/rbin/flushcontext b/rbin/flushcontext
new file mode 100755
index 00000000..3bb4d331
--- /dev/null
+++ b/rbin/flushcontext
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# Restore the environment so that we have a sane PATH and can find, e.g.,
+# tpm2-tools.
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 flushcontext}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -t | --transient-object
+   -l | --loaded-session
+   -s | --saved-session
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[transient-object]=:
+	[loaded-session]=:
+	[saved-session]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxlst opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+t|transient-object|l|loaded-session|s|saved-session)
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_flushcontext "${args[@]}" "$@"
diff --git a/rbin/import b/rbin/import
new file mode 100644
index 00000000..8b28dc99
--- /dev/null
+++ b/rbin/import
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 import}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -C | --parent-context OBJECT		New parent for imported object.
+   -U | --parent-public FILE		Parent's public part.
+   -s | --seed FILE			Output of {tpm2 duplicate}.
+   -u | --public FILE			Output of {tpm2 duplicate}.
+   -i | --input FILE			Output of {tpm2 duplicate}.
+   -r | --private FILE			Output for {tpm2 load}.
+   -g | --hash-algorithm ALGORITHM	Hash algorithm.
+   -G | --key-algorithm ALGORITHM	Key algorithm.
+   -a | --attributes ATTRIBUTES		Attributes for raw external key.
+   -L | --policy FILE			Policy for raw external key.
+   -k | --encryption-key
+   -P | --parent-auth AUTH
+   -p | --key-auth AUTH
+   --cphash FILE			Write cpHash of TPM2_Import() command.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[parent-context]=:
+	[parent-public]=:
+	[seed]=:
+	[private]=:
+	[public]=:
+	[input]=:
+	[hash-algorithm]=:
+	[key-algorithm]=:
+	[attributes]=:
+	[encryption-key]=:
+	[parent-auth]=:
+	[key-auth]=:
+	[cphash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxC:U:s:r:u:i:g:G:a:L:k:P:p: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+C|parent-context|U|parent-public|s|seed|r|private|u|public|k|encryption-key|cphash)
+		[[ $OPTARG = */* ]]	\
+			&& die "Cannot reference files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+P|parent-auth|p|key-auth)
+		case "$OPTARG" in
+		str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		file:*)	[[ $OPTARG = */* ]]		\
+			&& die "Cannot reference input files outside the current directory"
+			args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		*)	die "Auth values must start with str: hex: or file:";;
+		esac;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_import "${args[@]}" "$@"
diff --git a/rbin/load b/rbin/load
new file mode 100644
index 00000000..0085995d
--- /dev/null
+++ b/rbin/load
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 load}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -C | --parent-context OBJECT		Parent object.
+   -c | --key-context OBJECT		Saved object context file.
+   -P | --parent-auth AUTH
+   -r | --private FILE			Output of {tpm2 import}.
+   -u | --public FILE			Output of {tpm2 duplicate, readpublic}.
+   -n | --name FILE			File in which to save the name of the
+					loaded object.
+   --cphash FILE			Write cpHash of TPM2_Import() command.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[parent-context]=:
+	[key-context]=:
+	[parent-auth]=:
+	[private]=:
+	[public]=:
+	[name]=:
+	[cphash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxC:c:P:r:u:n: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+C|parent-context|c|key-context|r|private|u|public|n|name|cphash)
+		[[ $OPTARG = */* ]]	\
+		&& die "Cannot reference files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+P|parent-auth)
+		case "$OPTARG" in
+		str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		file:*)	[[ $OPTARG = */* ]]		\
+			&& die "Cannot reference input files outside the current directory"
+			args+=(-"${OPTOPT}$opt" "$OPTARG");;
+		*)	die "Auth values must start with str: hex: or file:";;
+		esac;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_load "${args[@]}" "$@"
diff --git a/rbin/loadexternal b/rbin/loadexternal
new file mode 100755
index 00000000..0549a69c
--- /dev/null
+++ b/rbin/loadexternal
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 loadexternal}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -C | --hierarchy OBJECT
+   -G | --key-algorithm ALGORITHM
+   -g | --hash-algorithm ALGORITHM
+   -u | --public FILE
+   -r | --private FILE
+   -p | --auth AUTH
+   -L | --policy FILE
+   -a | --attributes ATTRIBUTES
+   -c | --key-context FILE
+   -n | --name FILE
+
+  Input and output files (including any referenced by {AUTH}) are limited to
+  files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[hierarchy]=:
+	[key-algorithm]=:
+	[hash-algorithm]=:
+	[public]=:
+	[private]=:
+	[auth]=:
+	[policy]=:
+	[attributes]=:
+	[key-context]=:
+	[name]=:
+)
+
+declare -a args=()
+
+while getopts_long lopts +:hxC:G:L:a:c:g:n:p:r:u: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+C|hierarchy|G|key-algorithm|g|hash-algorithm|a|attributes)
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+u|public|L|policy|r|private)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+p|auth)
+	case "$OPTARG" in
+	str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside current directory"
+		[[ -s ${OPTARG#file:} ]]	\
+		|| die "Auth file for $PROG missing"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "AUTH values must start with str:, hex:, or file:";;
+	esac;;
+c|key-context|n|name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_loadexternal "${args[@]}" "$@"
diff --git a/rbin/policyauthorize b/rbin/policyauthorize
new file mode 100755
index 00000000..d2d129c7
--- /dev/null
+++ b/rbin/policyauthorize
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyauthorize}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -q | --qualification FILE_OR_HEX	{policyRef} (qualifier)
+   -n | --name FILE			Name of object whose public
+					area has the signer's public key.
+   -i | --input FILE			The {policyDigest} authorized by the
+					signer.
+   -t | --ticket FILE			A {ticket} from {tpm2 verifysignature}
+					that validates that the signer's
+					signature of the authorized
+					{policyDigest}.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[qualification]=:
+	[name]=:
+	[input]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxq:n:i:t: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+n|name|i|input|t|ticket|c|key-context|n|name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyauthorize "${args[@]}" "$@"
diff --git a/rbin/policyauthorizenv b/rbin/policyauthorizenv
new file mode 100755
index 00000000..2c47ad45
--- /dev/null
+++ b/rbin/policyauthorizenv
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyauthorizenv}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -C | --hierarchy OBJECT
+   -P | --auth AUTH
+   --cphash FILE
+
+  Input files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[hierarchy]=:
+	[auth]=:
+	[cphash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxC:P: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+C|hierarchy|cphash)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+P|auth)
+	case "$OPTARG" in
+	str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "AUTH values must start with str:, hex:, or file:";;
+	esac;;
+c|key-context|n|name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyauthorizenv "${args[@]}" "$@"
diff --git a/rbin/policyauthvalue b/rbin/policyauthvalue
new file mode 100755
index 00000000..d7d20459
--- /dev/null
+++ b/rbin/policyauthvalue
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyauthvalue}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyauthvalue "${args[@]}" "$@"
diff --git a/rbin/policycommandcode b/rbin/policycommandcode
new file mode 100755
index 00000000..f39dbbfc
--- /dev/null
+++ b/rbin/policycommandcode
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] COMMAND-CODE
+
+  {$PROG} is a wrapper around {tpm2 policycommandcode}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policycommandcode "${args[@]}" "$@"
diff --git a/rbin/policycountertimer b/rbin/policycountertimer
new file mode 100755
index 00000000..c1437a37
--- /dev/null
+++ b/rbin/policycountertimer
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] COMMAND-CODE
+
+  {$PROG} is a wrapper around {tpm2 policycountertimer}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   --bs
+   --bc
+   --eq
+   --neq
+   --sgt
+   --ugt
+   --slt
+   --ult
+   --slt
+   --ult
+   --sle
+   --ule
+   --sle
+   --ule
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[bs]=''
+	[bc]=''
+	[eq]=''
+	[neq]=''
+	[sgt]=''
+	[ugt]=''
+	[slt]=''
+	[ult]=''
+	[slt]=''
+	[ult]=''
+	[sle]=''
+	[ule]=''
+	[sle]=''
+	[ule]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+[?])	usage;;
+*)	args+=(-"${OPTOPT}$opt");;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policycountertimer "${args[@]}" "$@"
diff --git a/rbin/policycphash b/rbin/policycphash
new file mode 100755
index 00000000..b9ff8c1c
--- /dev/null
+++ b/rbin/policycphash
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policycphash}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   --cphash-input FILE		The file containing the cpHash.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[cphash-input]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+cphash-input)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)			usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policycphash "${args[@]}" "$@"
diff --git a/rbin/policyduplicationselect b/rbin/policyduplicationselect
new file mode 100755
index 00000000..fe78ab65
--- /dev/null
+++ b/rbin/policyduplicationselect
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policyduplicationselect}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -n | --object-name FILE
+   -N | --parent-name FILE
+   --include-object
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[object-name]=:
+	[parent-name]=:
+	[include-object]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+include-object)		args+=(-"${OPTOPT}$opt");;
+object-name|parent-name)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)			usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyduplicationselect "${args[@]}" "$@"
diff --git a/rbin/policylocality b/rbin/policylocality
new file mode 100755
index 00000000..a00bdbc3
--- /dev/null
+++ b/rbin/policylocality
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policylocality}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)			usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policylocality "${args[@]}" "$@"
diff --git a/rbin/policynamehash b/rbin/policynamehash
new file mode 100755
index 00000000..92767376
--- /dev/null
+++ b/rbin/policynamehash
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policynamehash}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -n | --name FILE
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[name]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hn:x opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+n|name)		[[ $OPTARG = */* ]]	\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policynamehash "${args[@]}" "$@"
diff --git a/rbin/policynv b/rbin/policynv
new file mode 100755
index 00000000..d145d8fc
--- /dev/null
+++ b/rbin/policynv
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policynv}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -P | --auth AUTH
+   -i | --input FILE
+   --cp-hash FILE
+   --offset NUMBER
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[auth]=:
+	[offset]=:
+	[cphash]=:
+	[input]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxi:P: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+offset)		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+p|auth)
+	case "$OPTARG" in
+	str:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*) [[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "AUTH values must start with str:, hex:, or file:";;
+	esac;;
+i|input|cphash)
+	[[ $OPTARG = */* ]]	\
+	die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policynv "${args[@]}" "$@"
diff --git a/rbin/policynvwritten b/rbin/policynvwritten
new file mode 100755
index 00000000..dd9e4ad6
--- /dev/null
+++ b/rbin/policynvwritten
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] s|c|0|1
+
+  {$PROG} is a wrapper around {tpm2 policynvwritten}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policynvwritten "${args[@]}" "$@"
diff --git a/rbin/policyor b/rbin/policyor
new file mode 100755
index 00000000..9c85e9d4
--- /dev/null
+++ b/rbin/policyor
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+	$pager <<EOF
+Usage: $PROG POLICY_0 ';' POLICY_1 ';' ...
+       $PROG --raw POLICY_DIGEST_FILE_0 POLICY_DIGEST_FILE_1...
+
+  {$PROG} evaluates an alternation (TPM2_PolicyOr()) of the given policies.
+
+  Each {POLICY_i} is a policy script or restricted bin policy command wrapper,
+  and optional arguments.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+
+  See {sbin/tpm2-policy}.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+declare -a alts
+alts=()
+if [[ -n ${TPM2_POLICY_ALTERNATIVES:-} ]]; then
+	set -f
+	alts+=($TPM2_POLICY_ALTERNATIVES)
+	set +f
+	this_alt=${alts[0]}
+	[[ $this_alt = [0-7] ]] \
+	|| die "Alternatives must be integers between 0 and 7, inclusive"
+	trial=false
+else
+	this_alt=-1
+	trial=true
+fi
+unset TPM2_POLICY_ALTERNATIVES
+
+join() { local IFS="$1"; printf '%s\n' "$*"; }
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[raw]=''
+)
+
+while getopts_long lopts +:hx opt "$@"; do
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+raw) 
+		tpm2 policyor --session "${TPM2_POLICY_SESSION}"	\
+			      --policy "$TPM2_POLICY"			\
+			      sha256:"$(join ',' "$@")"
+		exit 0;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+(($# > 0)) || usage
+
+unset TPM2_POLICY_ALTERNATIVES
+
+declare -a policies=()
+declare -a sessions=()
+cleanup() { rm -rf "${policies[@]}" "${sessions[@]}"; }
+trap cleanup EXIT
+
+let i=0
+declare -a cmd
+while (($#)); do
+	# Extract POLICY_i from the argv
+	cmd=()
+	while (($#)) && [[ $1 != ";" ]]; do
+		cmd+=("$1")
+		shift
+	done
+	(($#)) && [[ $1 != ";" ]] && shift
+
+	policy="digest-${TPM2_POLICY_SESSION}-${i}"
+	policies+=("$TPM2_POLICY")
+	if $trial || ((i != this_alt)); then
+		# Either we're not executing the policy, or not this arm of it.
+		sessions+=("${TPM2_POLICY_SESSION}-${i}")
+		tpm2 flushcontext --loaded-session
+		tpm2 startauthsession --session "${TPM2_POLICY_SESSION}-${i}"
+		TPM2_POLICY_SESSION=${TPM2_POLICY_SESSION}-${i}	\
+		TPM2_POLICY="$policy"					\
+		"${cmd[@]}"
+		tpm2 flushcontext --loaded-session
+	else
+		# shellcheck disable=SC2124
+		TPM2_POLICY_ALTERNATIVES=${alts[@]:1:${#alts[@]}}	\
+		TPM2_POLICY="$policy"					\
+		"${cmd[@]}"
+	fi
+	((++i))
+done
+
+tpm2_policyor --session "${TPM2_POLICY_SESSION}"	\
+	      --policy "$TPM2_POLICY"			\
+	      sha256:"$(join ',' "${policies[@]}")"
diff --git a/rbin/policypassword b/rbin/policypassword
new file mode 100755
index 00000000..094f3a51
--- /dev/null
+++ b/rbin/policypassword
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policypassword}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policypassword "${args[@]}" "$@"
diff --git a/rbin/policypcr b/rbin/policypcr
new file mode 100755
index 00000000..80656702
--- /dev/null
+++ b/rbin/policypcr
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] [HEX-DIGEST]
+
+  {$PROG} is a wrapper around {tpm2 policypcr}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+   -f | --pcr FILE
+   -l | --pcr-list PCR
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[pcr]=:
+	[pcr-list]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxf:l: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+l|pcr-list)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+f|pcr)
+		[[ $OPTARG = */* ]]	\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policypcr "${args[@]}" "$@"
diff --git a/rbin/policysecret b/rbin/policysecret
new file mode 100755
index 00000000..ee8add00
--- /dev/null
+++ b/rbin/policysecret
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 policysecret}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -c | --object-context OBJECT		The object whose secret {authValue}
+					to prove.
+   -q | --qualification FILE_OR_HEX	{policyRef} (qualifier).
+   -t | --expiration NUMBER		See {tpm2_policysecret(1)}.
+   --nonce-tpm				Bind the {authValue} proof to this
+					session.
+   --cphash FILE			{cpHash} of command to be authorized.
+   --timeout FILE			Output file.
+   --ticket FILE			{ticket} output file.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[object-context]=:
+	[qualification]=:
+	[expiration]=:
+	[nonce-tpm]=:
+	[timeout]=:
+	[cphash]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxq:t:c: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+nonce-tpm)	args+=(-"${OPTOPT}$opt");;
+t|expiration)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+c|object-context|cphash)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+timeout|ticket)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policysecret "${args[@]}" "$@"
diff --git a/rbin/policysigned b/rbin/policysigned
new file mode 100755
index 00000000..8cdaa6af
--- /dev/null
+++ b/rbin/policysigned
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 policysigned}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -c | --key-context FILE		Signer's public key object.
+   -s | --signature FILE		Signature file.
+   -f | --format FORMAT			Signature file format.
+   -g | --hash-algorithm ALGORITHM	Hash algorithm for signature.
+   -q | --qualification FILE_OR_HEX	{policyRef} given as hex:...
+					or file:filename.
+   -t | --expiration NUMBER		See {tpm2_policysigned(1)}.
+   --nonce-tpm				Whether to bind the signature to
+					this policy session.
+   --cphash FILE			{cpHash} of command to be authorized.
+   --timeout FILE			Output file.
+   --ticket FILE			Output file (if {expiration} is
+					negative).
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[qualification]=:
+	[expiration]=:
+	[nonce-tpm]=:
+	[hash-algorithm]=:
+	[signature]=:
+	[format]=:
+	[key-context]=:
+	[cphash]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxc:g:s:f:q:t: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+t|expiration|g|hash-algorithm|f|format)
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+h|help)		usage 0;;
+x|trace)	set -vx;;
+nonce-tpm)	args+=(-"${OPTOPT}$opt");;
+c|key-context|cphash|s|signature)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+timeout|ticket)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside POLICY-DIR or the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policysigned "${args[@]}" "$@"
diff --git a/rbin/policytemplate b/rbin/policytemplate
new file mode 100755
index 00000000..609f85d1
--- /dev/null
+++ b/rbin/policytemplate
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 policytemplate}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   --template-hash FILE			Hash of public template used to be
+					created by the command authorized by
+					this session.
+
+  Input files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[template-hash]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hx opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+template-hash)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policytemplate "${args[@]}" "$@"
diff --git a/rbin/policyticket b/rbin/policyticket
new file mode 100755
index 00000000..e1f90704
--- /dev/null
+++ b/rbin/policyticket
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] AUTH
+
+  {$PROG} is a wrapper around {tpm2 policyticket}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -n | --name FILE			Name of the object that validated
+					the authorization.
+   -q | --qualification FILE_OR_HEX	{policyRef} given as hex:...
+					or file:filename.
+   --ticket FILE			Ticket.
+   --timeout FILE			Output file.
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[name]=:
+	[qualification]=:
+	[timeout]=:
+	[ticket]=:
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+while getopts_long lopts +:hxn:q: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+t|ticket)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+timeout)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+q|qualification)
+	case "$OPTARG" in
+	hex:*)	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	file:*)	[[ $OPTARG = */* ]]		\
+		&& die "Cannot reference input files outside POLICY-DIR or the current directory"
+		args+=(-"${OPTOPT}$opt" "$OPTARG");;
+	*)	die "Qualifiers must start with hex: or file:";;
+	esac;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_policyticket "${args[@]}" "$@"
diff --git a/rbin/startauthsession b/rbin/startauthsession
new file mode 100755
index 00000000..44cbb562
--- /dev/null
+++ b/rbin/startauthsession
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+unset TPM2_POLICY_SESSION
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] --session FILE
+
+  {$PROG} is a wrapper around {tpm2 startauthsession}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help				This help message.
+   -x | --trace				Trace this script.
+   -S | --session FILE
+   --policy-session
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[trace]=''
+	[session]=:
+	[policy-session]=''
+)
+
+declare -a args=(--policy "$TPM2_POLICY" --session "$TPM2_POLICY_SESSION")
+
+session=
+while getopts_long lopts +:hxS: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+S|session)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference output files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+policy-session) args+=(-"${OPTOPT}$opt");;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+[[ -z $session ]]	\
+&& die "A session file not given"
+[[ -s $session ]]	\
+&& die "Session already exists"
+
+# Finally:
+tpm2_startauthsession "${args[@]}" "$@"
diff --git a/rbin/verifysignature b/rbin/verifysignature
new file mode 100755
index 00000000..2963f6c1
--- /dev/null
+++ b/rbin/verifysignature
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options]
+
+  {$PROG} is a wrapper around {tpm2 verifysignature}.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+
+  Options from {tpm2 verifysignature}:
+
+   -c | --key-context FILE
+   -t | --ticket FILE
+   -g | --hash-algorithm ALGORITHM
+   -m | --message FILE
+   -d | --digest FILE
+   -s | --signature FILE
+   -f | --scheme SCHEME
+
+  Input and output files are limited to files in the current directory.
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[hash-algorithm]=:
+	[scheme]=:
+	[message]=:
+	[signature]=:
+	[key-context]=:
+	[ticket]=:
+)
+
+declare -a args=()
+
+while getopts_long lopts +:hxc:t:g:m:d:s:f: opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)			usage 0;;
+x|trace)		set -vx;;
+g|hash-algorithm|f|scheme)
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+c|key-context|t|ticket|m|message|s|signature)
+	[[ $OPTARG = */* ]]	\
+	&& die "Cannot reference input files outside the current directory"
+	args+=(-"${OPTOPT}$opt" "$OPTARG");;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+# Finally:
+tpm2_verifysignature "${args[@]}" "$@"
diff --git a/rbin/writeartifact b/rbin/writeartifact
new file mode 100755
index 00000000..e4f85c5f
--- /dev/null
+++ b/rbin/writeartifact
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+PROG=${0##*/}
+# shellcheck disable=SC1090 disable=SC1091
+. ./env
+
+set -euo pipefail
+shopt -s extglob
+
+TMPDIR=$PWD
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	pager=cat
+	if [[ -t 0 && -t 1 && -t 2 ]]; then
+		if [[ -z ${PAGER:-} ]] && type less >/dev/null 2>&1; then
+			pager=less
+		elif [[ -z ${PAGER:-} ]] && type more >/dev/null 2>&1; then
+			pager=more
+		elif [[ -n ${PAGER:-} ]]; then
+			pager=$PAGER
+		fi
+	fi
+        $pager <<EOF
+Usage: $PROG [options] FILE
+
+  {$PROG} reads from stdin and writes to {FILE} provided {FILE} is in the
+  current directory.
+
+  See {${BASEDIR}/sbin/tpm2-policy}.
+
+  Options:
+
+   --help	This message
+   --hex	Decode stdin as hex to binary
+EOF
+	exit "${1:-1}"
+}
+
+# shellcheck disable=SC1090 disable=SC1091
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=''
+	[hex]=''
+)
+
+hex=false
+while getopts_long lopts +:h opt "$@"; do
+# opt is set in getopts_long
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)	usage 0;;
+hex)	hex=true;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+(($# == 1)) || usage
+
+[[ $1 = */* ]] && die "Cannot write files outside current directory"
+[[ -s $1 ]] && die "Cannot clobber files"
+
+# Finally:
+if $hex; then
+	xxd -p -r > "$1"
+else
+	cat > "$1"
+fi
diff --git a/sbin/safeboot b/sbin/safeboot
index e104e30b..a76de448 100755
--- a/sbin/safeboot
+++ b/sbin/safeboot
@@ -29,6 +29,7 @@ export LC_ALL=C
 
 # shellcheck source=functions.sh
 . "$PREFIX$DIR/functions.sh"
+setup
 
 if [ -r "$PREFIX$DIR/safeboot.conf" ]; then
 	# shellcheck source=safeboot.conf
diff --git a/sbin/safeboot-tpm-unseal b/sbin/safeboot-tpm-unseal
index aad13dfc..3a4ba378 100755
--- a/sbin/safeboot-tpm-unseal
+++ b/sbin/safeboot-tpm-unseal
@@ -32,6 +32,8 @@ for script in \
 	fi
 done
 
+setup
+
 # Override die to extend the boot mode PCR to indicate the failure
 die() {
 	echo >&2 "$@"
diff --git a/sbin/tpm2-attest b/sbin/tpm2-attest
index 3be8bc0a..7c9cc2c6 100755
--- a/sbin/tpm2-attest
+++ b/sbin/tpm2-attest
@@ -26,6 +26,7 @@ TOP="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && cd .. && pwd )"
 : "${DIR:=/etc/safeboot}"
 
 . "$TOP/functions.sh"
+setup
 
 if [ -r "$PREFIX$DIR/safeboot.conf" ]; then
 	. $PREFIX$DIR/safeboot.conf
diff --git a/sbin/tpm2-policy b/sbin/tpm2-policy
index 0c85c2f9..a6f71db8 100755
--- a/sbin/tpm2-policy
+++ b/sbin/tpm2-policy
@@ -1,14 +1,8 @@
 #!/bin/bash
 
 PROG=${0##*/}
-
-if [[ $0 = /* ]]; then
-        BASEDIR=${0%/*}
-elif [[ $0 = */* ]]; then
-        BASEDIR=$PWD/${0%/*}
-else
-        BASEDIR=$PWD
-fi
+BASEDIR=$(dirname "$( dirname "$(readlink -f "${BASH_SOURCE[0]}")")")
+export BASEDIR
 
 set -euo pipefail -o noclobber
 shopt -s extglob
@@ -16,61 +10,132 @@ shopt -s extglob
 function usage {
 	((${1:-1} > 0)) && exec 1>&2
 	cat <<EOF
-Usage: $PROG [-o FILE] [-A | -D] POLICY-CMD [ARGS [\\; ...]]
+Usage: $PROG [OPTIONS] POLICY [ARGS...]
+
+  Executes the {POLICY}, which must be a bash script to execute via restricted
+  bash.
+
+  Options:
 
-  The first form computes the policyDigest of the given policy.
+   -h | --help		This message.
+   -x | --trace		Trace this script.
+   -F | --file FILE	A file to make available to the policy script.
+			All such FILEs must have distinct basenames.
+   -P | --path ALTS	Execute the given alternation branches of the
+			EA policy.  The value should be a comma-
+			separated list of integers between 0 and 7.
+   -S | --session FILE	Use the given policy session, otherwise use a
+			trial session.
+   -L | --policy FILE	Leave the policyDigest (binary) in FILE.
+   -N | --new		Start a new session.
+   -T | --trial		The session is a trial session.
 
-  Policies arguments should be of the form:
+  Policies should consist of a directory with:
 
-       $PROG ... tpm2 policy... args... \\; tpm2 policy args...
+   - policy -- a restricted bash script implementing the policy
+   - any artifacts needed by the policy
 
-  but without any {--session}|{-S} nor {--policy}|{-L} options.
+  Arguments are policy-specific.
 
-  If -A is given then {tpm2 policycommandcode} will be added at the end for
-  enabling TPM2_ActivateCredential().
+  Policies may only execute the external commands in the one directory in
+  {PATH}, which are:
 
-  If -D is given then {tpm2 policycommandcode} will be added at the end for
-  enabling TPM2_RSA_Decrypt().
+   - {verifysignature} -> wrapper for {tpm2_verifysignature}
+   - {loadexternal} -> wrapper for {tpm2_loadexternal}
+   - {policy*} -> wrappers for {tpm2_policy*}
+   - sha256sum
+   - stat
+   - xxd
 
-  E.g.:
+  The wrappers will not allow access to files outside {TMPDIR}.
 
-      $ # Require that PCR 11 be unextended
-      $ $PROG tpm2 policypcr -l "sha256:11"
+  TMPDIR will be set to a directory that the policy script can use for its
+  needs.  In particular, any key contexts loaded from policy artifacts, and any
+  tickets made by any of the wrapped tpm2 commands, must be placed in TMPDIR.
+
+  The current directory when running the policy script will be the {TMPDIR}.
 EOF
 	exit "${1:-1}"
 }
 
 # shellcheck disable=SC1090
-. "$BASEDIR/../functions.sh"
-
-out=
-force=false
-activate=false
-rsa_decrypt=false
-command_code=
-while getopts +:ADhefo:x opt; do
-case "$opt" in
-A)	activate=true;;
-D)	rsa_decrypt=true;;
-h)	usage 0;;
-f)	force=true;;
-o)	out=$OPTARG;;
-x)	set -vx;;
-*)	usage;;
-esac
-done
-shift $((OPTIND - 1))
-
-! $activate  || ! $rsa_decrypt || die "-A and -D are mutually exclusive"
-$activate    && command_code=TPM2_CC_ActivateCredential
-$rsa_decrypt && command_code=TPM2_CC_RSA_Decrypt
+. "$BASEDIR/functions.sh"
+
+# shellcheck disable=SC2034
+declare -A lopts=(
+   [help]=''
+   [trace]=''
+   [file]=:
+   [path]=:
+   [session]=:
+   [policy]=:
+   [new]=''
+   [trial]=''
+)
 
 # Make a temp dir and remove it when we exit:
 d=
-trap 'rm -rf "$d"' EXIT
+trap 'cd /; rm -rf "$d"' EXIT
 d=$(mktemp -d)
+export TMPDIR="$d"
+
+new=false
+alts=
+trial=false
+policy=
+session=
+while getopts_long lopts +:L:NP:S:Thx opt "$@"; do
+# shellcheck disable=SC2154
+case "$opt" in
+h|help)		usage 0;;
+x|trace)	set -vx;;
+F|file)		cp -f "$OPTARG" "$TMPDIR";;
+L|policy)	policy=$OPTARG;;
+N|new)		new=true;;
+P|path)		alts=$OPTARG; trial=false;;
+S|session)	session=$OPTARG;;
+T|trial)	trial=true;;
+*)		usage;;
+esac
+done
+shift $((OPTIND - 1))
+(($#)) || usage
+
+cd "$TMPDIR"
+
+# Save the current environment so it can be restored easily by the rbin
+# wrappers.  Make sure the env is not writable so that the restricted bash
+# script cannot write it.
+unset TPM2_POLICY_SESSION TPM2_POLICY_ALTERNATIVES TPM2_POLICY
+export PREFIX DIR
+(umask 0222; export -p > "${TMPDIR}/env")
+
+! $new && [[ -n ${session:-} && ! -s ${session:-} ]]	\
+&& die "Session file exists"
+[[ -z ${session:-} ]] && session=${TMPDIR}/session
+if $new; then
+	if $trial; then
+		tpm2 startauthsession --session "$session"
+	else
+		tpm2 startauthsession --session "$session"	\
+				      --policy-session
+	fi
+elif [[ ! -s $session ]]; then
+	die "Session does not exist: $session"
+fi
 
-policyDigest=$(make_policyDigest $command_code "$@")
-[[ -z $out ]] || ! $force >| "$out"
-[[ -z $out ]] ||   $force > "$out"
-echo "$policyDigest"
+: "${policy:="$(mktemp)"}"
+TPM2_POLICY_SESSION=$session
+TPM2_POLICY_ALTERNATIVES=$alts
+TPM2_POLICY=${policy}
+export TPM2_POLICY TPM2_POLICY_SESSION TPM2_POLICY_ALTERNATIVES
+
+script=$1
+shift
+
+# Run restricted scripts with FD 4 set to /dev/null so they can redirect output
+# to /dev/null using 1>&4 and 2>&4.
+BASH_ENV="${BASEDIR}/functions.sh"	\
+PATH="$BASEDIR/rbin"			\
+/bin/rbash "${script}" "$@" 4<>/dev/null
+bin2hex < "$policy"
diff --git a/sbin/tpm2-send b/sbin/tpm2-send
index dbd5ca81..1b6e83d3 100755
--- a/sbin/tpm2-send
+++ b/sbin/tpm2-send
@@ -1,17 +1,20 @@
 #!/bin/bash
 
 PROG=${0##*/}
-if [[ $0 = /* ]]; then
-        BASEDIR=${0%/*}
-elif [[ $0 = */* ]]; then
-        BASEDIR=$PWD/${0%/*}
-else
-        BASEDIR=$PWD
-fi
+BASEDIR=$( dirname "$(readlink -f "${BASH_SOURCE[0]}")")
 
 set -euo pipefail
 shopt -s extglob
 
+# shellcheck disable=SC2034
+declare -A lopts=(
+	[help]=h
+	[method]=M:
+	[policy]=P:
+	[force]=f:
+	[trace]=x
+)
+
 # shellcheck disable=SC2209
 function usage {
 	((${1:-1} > 0)) && exec 1>&2
diff --git a/tests/test-policy b/tests/test-policy
new file mode 100755
index 00000000..20cedc5f
--- /dev/null
+++ b/tests/test-policy
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+PROG=${0##*/}
+
+set -euo pipefail
+shopt -s extglob
+
+die() { echo "Error: $*" 1>&2; exit 1; }
+
+[[ ${TMPDIR:-} ]]	\
+|| die "TMPDIR is not set"
+[[ ${TMPDIR:-} = "$PWD" ]]	\
+|| die "TMPDIR is not equal to \$PWD"
+[[ -n ${TPM2_POLICY_SESSION:-} ]]	\
+|| die "TPM2_POLICY_SESSION is not set"
+[[ ${TPM2_POLICY_SESSION} != */* ||
+   ${TPM2_POLICY_SESSION} = ${PWD}/* ]]	\
+|| die "TPM2_POLICY_SESSION does not exist"
+[[ -s ${TPM2_POLICY_SESSION} ]]		\
+|| die "TPM2_POLICY_SESSION does not exist"
+
+IFS=: read -a path <<<"$PATH"
+((${#path[@]} < 1 || ${#path[@]} > 2))			\
+&& die "PATH not set correctly (wrong number of paths)"
+((${#path[@]} == 1)) && [[ ${path[0]} != */rbin ]]	\
+&& die "PATH not set correctly (rbin missing)"
+((${#path[@]} == 2))					\
+&& [[ ${path[0]} != */rbin && ${path[1]} != */rbin ]]	\
+&& die "PATH not set correctly (rbin missing)"
+((${#path[@]} == 2))					\
+&& [[ ${path[0]} != "$PWD" && ${path[1]} != "$PWD" ]]	\
+&& die "PATH not set correctly (something other than \$PWD and rbin is present)"
+
+# shellcheck disable=SC2209
+function usage {
+	((${1:-1} > 0)) && exec 1>&2
+	local -a usage
+	readarray usage <<EOF
+Usage: $PROG
+
+  A test policy script.
+
+  Options:
+
+   -h | --help			This help message.
+   -x | --trace			Trace this script.
+
+  See {sbin/tpm2-policy}.
+EOF
+	printf '%s' "${usage[@]}"
+	exit "${1:-1}"
+}
+
+while getopts +:hx opt "$@"; do
+# shellcheck disable=SC2154
+case "$opt" in
+h)	usage 0;;
+x)	set -vx;;
+*)	usage;;
+esac
+done
+shift $((OPTIND - 1))
+
+for ((i=0; i < 32; i++)); do printf '\0'; done | writeartifact pcr11.dat
+policypcr --pcr-list=sha256:11 -f pcr11.dat