diff --git a/cli/set.go b/cli/set.go
index d3f5e07dba..15fa0a970f 100644
--- a/cli/set.go
+++ b/cli/set.go
@@ -84,7 +84,8 @@ func runSet(cmd *cobra.Command, args []string) error {
 }
 log.Debug("Using KDS cache dir", "dir", kdsDir)
- validateOptsGen := newCoordinatorValidateOptsGen()
+ // TODO(burgerdev): validate coordinator from flag or manifest
+ validateOptsGen := newCoordinatorValidateOptsGen(nil)
 kdsCache := fsstore.New(kdsDir, log.WithGroup("kds-cache"))
 kdsGetter := snp.NewCachedHTTPSGetter(kdsCache, snp.NeverGCTicker, log.WithGroup("kds-getter"))
 validator := snp.NewValidator(validateOptsGen, kdsGetter, log.WithGroup("snp-validator"))
diff --git a/cli/verify.go b/cli/verify.go
index 83af8c94df..1365e5c210 100644
--- a/cli/verify.go
+++ b/cli/verify.go
@@ -2,6 +2,7 @@ package main
 import (
 "crypto/sha256"
+ "encoding/hex"
 "fmt"
 "net"
 "os"
@@ -40,6 +41,8 @@ func newVerifyCmd() *cobra.Command {
 cmd.Flags().StringP("output", "o", verifyDir, "directory to write files to")
 cmd.Flags().StringP("coordinator", "c", "", "endpoint the coordinator can be reached at")
 must(cobra.MarkFlagRequired(cmd.Flags(), "coordinator"))
+ // TODO(burgerdev): default --policy should be derived from released artifacts.
+ cmd.Flags().String("policy", "", "expected policy hash of the coordinator (64 hex-encoded bytes, will not be checked if empty)")
 return cmd
 }
@@ -62,7 +65,7 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 }
 log.Debug("Using KDS cache dir", "dir", kdsDir)
- validateOptsGen := newCoordinatorValidateOptsGen()
+ validateOptsGen := newCoordinatorValidateOptsGen(flags.policy)
 kdsCache := fsstore.New(kdsDir, log.WithGroup("kds-cache"))
 kdsGetter := snp.NewCachedHTTPSGetter(kdsCache, snp.NeverGCTicker, log.WithGroup("kds-getter"))
 validator := snp.NewValidator(validateOptsGen, kdsGetter, log.WithGroup("snp-validator"))
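Review bot: Passing `nil` to `newCoordinatorValidateOptsGen` in `runSet` leaves `HostData` unset, so, assuming the validator skips the comparison for a nil value, `set` accepts any coordinator that passes the remaining SNP checks, whatever policy it was started with. The TODO does not say that a check is being skipped; I would make that explicit, e.g. `// TODO(burgerdev): hostData is nil, so the coordinator's policy hash is not checked here; take it from a flag or the manifest.` runSet's body starts and ends outside the hunk.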
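Review bot: The help text for `--policy` in `newVerifyCmd` says "64 hex-encoded bytes", which reads as 128 hex characters. HOST_DATA in an SNP report is 32 bytes, so the expected input is presumably 64 hex characters. Suggest `"expected policy hash of the coordinator (64 hex characters, i.e. 32 bytes; not checked if empty)"` so users do not paste a value of the wrong length.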
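Review bot: With `--policy` defaulting to the empty string, the `newCoordinatorValidateOptsGen(flags.policy)` call in `runVerify` skips the policy comparison without telling the user, so a successful `verify` looks the same whether or not the coordinator's policy was pinned. Until the default is derived from released artifacts, consider a visible warning next to this call, e.g. `if len(flags.policy) == 0 { log.Warn("No --policy given, coordinator policy hash is not verified") }`. This assumes `log` is a slog-style logger, as the `log.Debug` and `log.WithGroup` calls suggest. runVerify's body continues outside the hunk.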
@@ -107,6 +110,7 @@ func runVerify(cmd *cobra.Command, _ []string) error {
 type verifyFlags struct {
 coordinator string
 outputDir string
+ policy []byte
 }
 func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
@@ -118,14 +122,23 @@ func parseVerifyFlags(cmd *cobra.Command) (*verifyFlags, error) {
 if err != nil {
 return nil, err
 }
+ policyString, err := cmd.Flags().GetString("policy")
+ if err != nil {
+ return nil, err
+ }
+ policy, err := hex.DecodeString(policyString)
+ if err != nil {
+ return nil, fmt.Errorf("hex-decoding policy flag: %w", err)
+ }
 return &verifyFlags{
 coordinator: coordinator,
 outputDir: outputDir,
+ policy: policy,
 }, nil
 }
-func newCoordinatorValidateOptsGen() *snp.StaticValidateOptsGenerator {
+func newCoordinatorValidateOptsGen(hostData []byte) *snp.StaticValidateOptsGenerator {
 defaultManifest := manifest.Default()
 trustedIDKeyDigests, err := (&defaultManifest.ReferenceValues.SNP.TrustedIDKeyHashes).ByteSlices()
 if err != nil {
@@ -134,6 +147,7 @@ func newCoordinatorValidateOptsGen() *snp.StaticValidateOptsGenerator {
 return &snp.StaticValidateOptsGenerator{
 Opts: &validate.Options{
+ HostData: hostData,
 GuestPolicy: abi.SnpPolicy{
 Debug: false,
 SMT: true,
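Review bot: In `parseVerifyFlags`, the decoded `policy` is never length-checked, so a truncated or over-long value is passed on as `HostData` and is rejected, if at all, only later during report validation with a less helpful error. Reject it at flag-parsing time, assuming the policy hash is a SHA-256 digest: `if len(policy) != 0 && len(policy) != sha256.Size { return nil, fmt.Errorf("policy flag must decode to %d bytes, got %d", sha256.Size, len(policy)) }`. `crypto/sha256` is already imported in this file. The function starts above the hunk.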
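Review bot: `HostData: hostData` receives `nil` from `runSet`, but for an omitted `--policy` it receives whatever `hex.DecodeString("")` returns in `runVerify`, which is likely an empty non-nil slice. Whether both disable the comparison depends on how `validate.Options` treats `HostData`, which is not visible here. A doc comment on `newCoordinatorValidateOptsGen` would pin the contract, e.g. `// hostData is the expected HOST_DATA (coordinator policy hash); nil or empty disables the comparison.` Normalising with `if len(hostData) == 0 { hostData = nil }` before building the options would remove the ambiguity. The function body starts and ends outside this hunk.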