This allows one to express complex policies (ones with alternations)
using a simple language.
The pattern is simply that conjunctions are tpm2 policy* command-lines
joined with a ';' argument, and alternations are tpm2 policyor
commands whose arguments are themselves policies, each surrounded by a
'(' and a ')' argument. The ';', '(' and ')' are ordinary arguments, so
they must be quoted to keep the shell from interpreting them, and order
matters: a policy digest is built by extending a running hash command by
command, so the same commands in a different order yield a different
policy.
For example:
$ sbin/tpm2-policy \
tpm2 policyor \
'(' tpm2 policycommandcode TPM2_CC_Sign ')' \
'(' tpm2 policycommandcode TPM2_CC_RSA_Decrypt ')' ';' \
tpm2 policypcr -l "sha256:11"
which allows an entity carrying such a policy to be used only for signing
or RSA decryption, and only while PCR#11 holds the value it had when the
policy was computed (here, its cleared value): tpm2 policypcr with just
-l binds the policy to the current contents of the named PCR, so once
PCR#11 is extended the policy can no longer be satisfied.
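As an added example (not the tool's own code), the following Python models how that mini-language becomes a TPM 2.0 policy digest: it parses the ';' / '(' ')' syntax described above and applies the policyDigest update rules from TPM 2.0 Part 3 for the three commands the example uses (TPM2_PolicyCommandCode, TPM2_PolicyOR, TPM2_PolicyPCR). It assumes SHA-256 policy sessions and a 24-PCR bank, takes PCR values from the caller instead of reading them from a TPM, and the command-code names, constants and the EXAMPLE string are constructed inline for the demonstration.

```python
"""Offline model of the tpm2-policy mini-language -> TPM 2.0 policy digest.

Added example, not the tool's code.  Assumes SHA-256 sessions, 24 PCRs,
and that PCR values are supplied by the caller (the real tool reads the
TPM).  Digest rules follow TPM 2.0 Part 3 for the commands modelled here.
"""
import hashlib
import shlex

ZERO = bytes(32)                     # initial policyDigest of a fresh session
CC_POLICY_COMMAND_CODE = 0x0000016C  # TPM_CC_PolicyCommandCode
CC_POLICY_OR = 0x00000171            # TPM_CC_PolicyOR
CC_POLICY_PCR = 0x0000017F           # TPM_CC_PolicyPCR
CC_NAMES = {"TPM2_CC_Sign": 0x0000015D, "TPM2_CC_RSA_Decrypt": 0x00000159}
ALG_SHA256 = 0x000B


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def u32(x):
    return x.to_bytes(4, "big")


def parse_policy(tokens, i=0):
    """cmd (';' cmd)* up to ')' or end -> (list of (name, args, branches), index)."""
    cmds = []
    while i < len(tokens) and tokens[i] != ")":
        if tokens[i] == ";":          # conjunction separator
            i += 1
            continue
        if tokens[i] != "tpm2":
            raise ValueError("expected 'tpm2' at token %d" % i)
        name, i = tokens[i + 1], i + 2
        args, branches = [], []
        while i < len(tokens) and tokens[i] not in (";", ")"):
            if tokens[i] == "(":      # a nested policy: one branch of a policyor
                sub, i = parse_policy(tokens, i + 1)
                if i >= len(tokens) or tokens[i] != ")":
                    raise ValueError("unbalanced '('")
                branches.append(sub)
                i += 1
            else:
                args.append(tokens[i])
                i += 1
        cmds.append((name, args, branches))
    return cmds, i


def parse(cmdline):
    tokens = shlex.split(cmdline)     # strips the shell quoting around ';', '(' and ')'
    cmds, i = parse_policy(tokens)
    if i != len(tokens):
        raise ValueError("unbalanced ')'")
    return cmds


def pcr_selection(spec):
    """'sha256:11,12' -> (marshalled TPML_PCR_SELECTION, [11, 12]); one bank only."""
    alg, idx = spec.split(":")
    if alg != "sha256":
        raise NotImplementedError("only the sha256 bank is modelled")
    pcrs = sorted(int(p) for p in idx.split(","))
    bitmap = bytearray(3)             # sizeofSelect = 3 bytes for 24 PCRs
    for p in pcrs:
        bitmap[p // 8] |= 1 << (p % 8)
    return u32(1) + ALG_SHA256.to_bytes(2, "big") + bytes([3]) + bytes(bitmap), pcrs


def policy_digest(cmds, pcr_values, start=ZERO):
    """Replay the commands against a running digest, as a trial session would."""
    d = start
    for name, args, branches in cmds:
        if name == "policycommandcode":
            code = CC_NAMES[args[0]] if args[0] in CC_NAMES else int(args[0], 0)
            d = H(d, u32(CC_POLICY_COMMAND_CODE), u32(code))
        elif name == "policyor":
            if len(branches) < 2:
                raise ValueError("policyor needs at least two branches")
            # Each branch continues from the digest current at this point (zero in
            # the example, where policyor comes first); PolicyOR then resets the
            # digest to zero and extends it with the list of branch digests.
            bd = [policy_digest(b, pcr_values, d) for b in branches]
            d = H(ZERO, u32(CC_POLICY_OR), *bd)
        elif name == "policypcr":
            sel, pcrs = pcr_selection(args[args.index("-l") + 1])
            pcr_digest = H(*(pcr_values[p] for p in pcrs))   # hash of selected PCR values
            d = H(d, u32(CC_POLICY_PCR), sel, pcr_digest)
        else:
            raise NotImplementedError(name)
    return d


# Constructed input: the command line from the text, as one string.
EXAMPLE = ("tpm2 policyor "
           "'(' tpm2 policycommandcode TPM2_CC_Sign ')' "
           "'(' tpm2 policycommandcode TPM2_CC_RSA_Decrypt ')' ';' "
           "tpm2 policypcr -l \"sha256:11\"")

if __name__ == "__main__":
    cmds = parse(EXAMPLE)
    cleared = {11: ZERO}                       # PCR#11 never extended
    extended = {11: H(ZERO, H(b"unsealed"))}   # constructed: PCR#11 after one extend
    print("policy (PCR#11 cleared): ", policy_digest(cmds, cleared).hex())
    print("policy (PCR#11 extended):", policy_digest(cmds, extended).hex())
```

Running it prints two different digests: the second shows why a key sealed to the first policy stops being usable after PCR#11 is extended, which is the whole point of binding to that PCR.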
From the commit message:
There's more there.