+tpm2 mailing list. In the future direct questions there. I'm assuming you're setup steps would be here and you're just showing the attempt To define a new space with the policy. On master, I am seeing no way to pass the authorizing session context to tpm2_nvread. The options to NV read for PCR policy satisfaction are all internal, and quite limited in support. You really would want something like: tpm2_nvread -p session=session.ctx <args|opts> This way the first handle of the sessions array can be specified. You also need tpm2-abrmd and not /dev/tpm0 or /dev/tpmrm0 as extended sessions (ie Session blobs between tool invocations) is an abrmd only feature. Sorry this support is not there currently, but it's on the roadmap for 2019. My major goal for the 2019 Release is to have: 1. proper session/password support. Each part of the session array should be specifiable. 2. HMAC passwords 3. Consistent options (command line interface will freeze at 4.0)