diff --git a/unix/.gitignore b/unix/.gitignore
index 72c6a808..fa91961c 100644
--- a/unix/.gitignore
+++ b/unix/.gitignore
@@ -9,3 +9,6 @@ ENV
 
 snapshot-*.png
 movie-*.gif
+
+# this file is created once you import an HSM policy
+unix/work/hsm-policy.json
diff --git a/unix/README.md b/unix/README.md
index 57650342..4d3bd0f2 100644
--- a/unix/README.md
+++ b/unix/README.md
@@ -33,7 +33,9 @@ wallet (on testnet, always with the same seed). But there are other options:
 - `--nick Name` => set the pre-login nickname for the Coldcard so it will be shown
 - `--delay X` => set the "login countdown" value to X minutes, also force login
 - `--set key=val` => preset the setting 'key' to be 'val' 
+- `--users` => preset a few users: "totp", "hotp" and "pw"
 - `--msg` => jump to message signing from SD card menu item
+- `--hsm` => enable existing HSM policy
 
 See `frozen-modules/sim-settings.py` for the details of settings-related options.
 
diff --git a/unix/frozen-modules/sim_quickstart.py b/unix/frozen-modules/sim_quickstart.py
index ca9a3231..33136de5 100644
--- a/unix/frozen-modules/sim_quickstart.py
+++ b/unix/frozen-modules/sim_quickstart.py
@@ -70,3 +70,16 @@ if '--msg' in sys.argv:
     numpad.inject('4')
     numpad.inject('8')
     numpad.inject('y')
+
+if '--hsm' in sys.argv:
+    # Sign from MicoSD card
+    from main import numpad
+    numpad.inject('3')
+    numpad.inject('y')
+    for ch in '123460':
+        numpad.inject(ch)
+
+# not best place for this
+import hsm
+hsm.POLICY_FNAME = hsm.POLICY_FNAME.replace('/flash/', '')
+
diff --git a/unix/frozen-modules/sim_settings.py b/unix/frozen-modules/sim_settings.py
index 92fb64de..90b52c87 100644
--- a/unix/frozen-modules/sim_settings.py
+++ b/unix/frozen-modules/sim_settings.py
@@ -124,4 +124,21 @@ if '--set' in sys.argv:
     except: pass
     sim_defaults[k] = v
 
+if '--users' in sys.argv:
+    sim_defaults['usr'] = { 
+            # time based OTP
+            # otpauth://totp/totp?secret=UR4LAZMTSJOF52FE&issuer=Coldcard%20simulator
+            'totp': [1, 'UR4LAZMTSJOF52FE', 0],
+
+            # OBSCURE: counter-based, not time
+            # - no way to get your counter in sync w/ simulator
+            # otpauth://hotp/hotp?secret=DBDCOKLQKM6BAKXD&issuer=Coldcard%20simulator
+            'hotp': [2, 'DBDCOKLQKM6BAKXD', 0],
+
+            # password
+            # pw / 1234abcd
+            'pw': [3, 'THNUHHFTG44NLI4EC7H7D6MU5AYMC3B3ER2ZFIBHQVUBOLGADA7Q', 0],
+        }
+
+
 # EOF