diff --git a/.circleci/config.yml b/.circleci/config.yml
index 5fdbea504..67e1a1312 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -311,6 +311,12 @@ workflows:
           requires:
             - librem_mini
 
+      - build:
+          name: safeboot
+          target: safeboot
+          requires:
+            - librem_mini
+
 
 ########################
 ########################
diff --git a/Makefile b/Makefile
index c9a752f19..92a268c8e 100644
--- a/Makefile
+++ b/Makefile
@@ -493,6 +493,9 @@ bin_modules-$(CONFIG_MSRTOOLS) += msrtools
 bin_modules-$(CONFIG_NKSTORECLI) += nkstorecli
 bin_modules-$(CONFIG_OPENSSL) += openssl
 bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
+bin_modules-$(CONFIG_SAFEBOOT) += safeboot
+bin_modules-$(CONFIG_BASH) += bash
+bin_modules-$(CONFIG_CURL) += curl
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
diff --git a/boards/safeboot/safeboot.config b/boards/safeboot/safeboot.config
new file mode 100644
index 000000000..f225d1305
--- /dev/null
+++ b/boards/safeboot/safeboot.config
@@ -0,0 +1,154 @@
+# Configuration for building a safeboot loader that works with
+# the qemu emulator using either coreboot or the ovmf (UEFI) firmware.
+# This will also launch the swtpm emulator for testing out attestation.
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=4.8.1
+export CONFIG_LINUX_VERSION=5.4.69
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
+CONFIG_LINUX_CONFIG=config/linux-safeboot.config
+
+CONFIG_KEYFILE=$(build)/$(BOARD)/key.bin
+CONFIG_ROOTFS=$(HOME)/debian/safeboot-recovery/root.squashfs
+
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
+CONFIG_KEXEC=y
+#CONFIG_QRENCODE=y
+#CONFIG_TPMTOTP=y
+CONFIG_POPT=y
+#CONFIG_FLASHTOOLS=y
+#CONFIG_FLASHROM=y
+CONFIG_PCIUTILS=y
+CONFIG_UTIL_LINUX=y
+CONFIG_CRYPTSETUP=y
+#CONFIG_GPG2=y
+CONFIG_LVM2=y
+#CONFIG_MBEDTLS=y
+#CONFIG_DROPBEAR=y
+CONFIG_MSRTOOLS=y
+
+CONFIG_BASH=y
+CONFIG_CURL=y
+CONFIG_SAFEBOOT=y
+CONFIG_TPM2_TOOLS=$(CONFIG_SAFEBOOT)
+CONFIG_TPM2_TSS=$(CONFIG_TPM2_TOOLS)
+CONFIG_OPENSSL=$(CONFIG_TPM2_TSS)
+
+#Uncomment only one of the following block
+#Required for graphical gui-init (FBWhiptail)
+#CONFIG_CAIRO=y
+#CONFIG_FBWHIPTAIL=y
+#
+#text-based init (generic-init and gui-init)
+CONFIG_NEWT=y
+CONFIG_SLANG=y
+
+endif
+
+#CONFIG_LINUX_ATA=y
+#CONFIG_LINUX_AHCI=y
+#CONFIG_LINUX_USB=y
+#CONFIG_LINUX_E1000=y
+
+#Uncomment only one BOOTSCRIPT:
+#Whiptail-based init (text-based or FBWhiptail)
+#export CONFIG_BOOTSCRIPT=/bin/gui-init
+#
+#text-based original init:
+export CONFIG_BOOTSCRIPT=/bin/safeboot-init
+
+export CONFIG_TPM=n
+
+export CONFIG_BOOT_DEV="/dev/sda1"
+
+#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
+TPMDIR=$(build)/$(BOARD)/vtpm
+run-coreboot:
+	@mkdir -p "$(TPMDIR)"
+	swtpm socket \
+		--tpm2 \
+		--tpmstate dir="$(TPMDIR)" \
+		--flags "startup-clear" \
+		--ctrl type=unixio,path="$(TPMDIR)/sock" &
+	sleep 0.5
+
+	-qemu-system-x86_64 \
+		--machine q35 \
+		-m 4G \
+		--serial /dev/tty \
+		--bios $(build)/$(BOARD)/$(CB_OUTPUT_FILE) \
+		-object rng-random,filename=/dev/urandom,id=rng0 \
+		-device virtio-rng-pci,rng=rng0 \
+		-netdev user,id=u1 -device e1000,netdev=u1 \
+		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
+		-tpmdev emulator,id=tpm0,chardev=chrtpm \
+		-device tpm-tis,tpmdev=tpm0 \
+
+	stty sane
+
+$(build)/$(BOARD)/unified.efi: $(build)/$(BOARD)/bzImage $(build)/$(BOARD)/initrd.cpio.xz
+	echo "console=ttyS0 mode=linux" > "$(build)/$(BOARD)/cmdline.txt"
+
+	DIR=$(build)/$(safeboot_dir) $(build)/$(safeboot_dir)/sbin/safeboot \
+		unify-kernel \
+		"$@" \
+		linux="$(build)/$(BOARD)/bzImage" \
+		initrd="$(build)/$(BOARD)/initrd.cpio.xz" \
+		cmdline="$(build)/$(BOARD)/cmdline.txt" \
+
+$(build)/$(BOARD)/hda1.bin: $(build)/$(BOARD)/unified.efi
+	mkdir -p "$(build)/$(BOARD)/hda1/boot/EFI/BOOT"
+	cp "$<" "$(build)/$(BOARD)/hda1/boot/EFI/BOOT/BOOTX64.EFI"
+	$(build)/$(safeboot_dir)/sbin/mkfat \
+		"$(build)/$(BOARD)/hda1.bin" \
+		"$(build)/$(BOARD)/hda1/boot"
+
+$(CONFIG_KEYFILE):
+	echo -n "abcd1234" > "$@"
+$(build)/$(BOARD)/hda2.bin: $(CONFIG_KEYFILE) $(CONFIG_ROOTFS)
+	fallocate -l 512M "$@.tmp"
+	cryptsetup \
+		-y luksFormat \
+		--pbkdf pbkdf2 \
+		"$@.tmp" \
+		"$(CONFIG_KEYFILE)"
+	cryptsetup luksOpen \
+		--key-file "$(CONFIG_KEYFILE)" \
+		"$@.tmp" \
+		test-luks
+	#mkfs.ext4 /dev/mapper/test-luks
+	cat "$(CONFIG_ROOTFS)" > /dev/mapper/test-luks
+	cryptsetup luksClose test-luks
+	mv "$@.tmp" "$@"
+
+$(build)/$(BOARD)/hda.bin: $(build)/$(BOARD)/hda1.bin $(build)/$(BOARD)/hda2.bin
+	$(build)/$(safeboot_dir)/sbin/mkgpt \
+		"$@" \
+		$^
+
+
+run-ovmf: $(build)/$(BOARD)/hda.bin
+	@mkdir -p "$(TPMDIR)"
+	swtpm socket \
+		--tpm2 \
+		--tpmstate dir="$(TPMDIR)" \
+		--flags "startup-clear" \
+		--ctrl type=unixio,path="$(TPMDIR)/sock" &
+	sleep 0.5
+
+	-qemu-system-x86_64 \
+		--machine q35 \
+		-m 4G \
+		--serial /dev/tty \
+		--bios "/usr/share/ovmf/OVMF.fd" \
+		-object rng-random,filename=/dev/urandom,id=rng0 \
+		-device virtio-rng-pci,rng=rng0 \
+		-netdev user,id=u1 -device e1000,netdev=u1 \
+		-chardev socket,id=chrtpm,path="$(TPMDIR)/sock" \
+		-tpmdev emulator,id=tpm0,chardev=chrtpm \
+		-device tpm-tis,tpmdev=tpm0 \
+		-drive "file=$<,format=raw" \
+
+	stty sane
diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config
index 5e85a3694..455d5c275 100644
--- a/config/coreboot-qemu.config
+++ b/config/coreboot-qemu.config
@@ -3,6 +3,7 @@ CONFIG_CBFS_SIZE=0xF00000
 # CONFIG_POST_IO is not set
 CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
 # CONFIG_POST_DEVICE is not set
+CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="qemu-coreboot"
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_COREBOOT_ROMSIZE_KB_16384=y
 CONFIG_PCIEXP_ASPM=y
@@ -12,6 +13,6 @@ CONFIG_CPU_MICROCODE_CBFS_GENERATE=y
 # CONFIG_CONSOLE_SERIAL is not set
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y
 CONFIG_PAYLOAD_LINUX=y
-CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0 vga=786"
 CONFIG_PAYLOAD_FILE="../../build/qemu-coreboot/bzImage"
+CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0 vga=786"
 CONFIG_LINUX_INITRD="../../build/qemu-coreboot/initrd.cpio.xz"
diff --git a/config/linux-safeboot.config b/config/linux-safeboot.config
new file mode 100644
index 000000000..0a08583ca
--- /dev/null
+++ b/config/linux-safeboot.config
@@ -0,0 +1,369 @@
+CONFIG_LOCALVERSION="-heads"
+# CONFIG_LOCALVERSION_AUTO is not set
+CONFIG_KERNEL_XZ=y
+CONFIG_DEFAULT_HOSTNAME="safeboot"
+# CONFIG_SWAP is not set
+# CONFIG_CROSS_MEMORY_ATTACH is not set
+# CONFIG_USELIB is not set
+CONFIG_NO_HZ_IDLE=y
+# CONFIG_CPU_ISOLATION is not set
+CONFIG_LOG_BUF_SHIFT=18
+CONFIG_CGROUPS=y
+CONFIG_MEMCG=y
+CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_RDMA=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+CONFIG_CGROUP_DEBUG=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_INITRAMFS_SOURCE="../../../blobs/dev.cpio"
+# CONFIG_RD_GZIP is not set
+# CONFIG_RD_BZIP2 is not set
+# CONFIG_RD_LZMA is not set
+# CONFIG_RD_LZO is not set
+# CONFIG_RD_LZ4 is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+# CONFIG_SGETMASK_SYSCALL is not set
+# CONFIG_SYSFS_SYSCALL is not set
+# CONFIG_BASE_FULL is not set
+# CONFIG_SIGNALFD is not set
+# CONFIG_TIMERFD is not set
+# CONFIG_AIO is not set
+# CONFIG_IO_URING is not set
+# CONFIG_MEMBARRIER is not set
+# CONFIG_RSEQ is not set
+CONFIG_EMBEDDED=y
+# CONFIG_VM_EVENT_COUNTERS is not set
+# CONFIG_SLUB_DEBUG is not set
+# CONFIG_COMPAT_BRK is not set
+CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
+CONFIG_SMP=y
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+CONFIG_PROCESSOR_SELECT=y
+# CONFIG_CPU_SUP_HYGON is not set
+# CONFIG_CPU_SUP_CENTAUR is not set
+# CONFIG_CPU_SUP_ZHAOXIN is not set
+CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
+# CONFIG_PERF_EVENTS_INTEL_RAPL is not set
+CONFIG_MICROCODE_AMD=y
+CONFIG_X86_MSR=y
+CONFIG_X86_CPUID=y
+CONFIG_EFI=y
+CONFIG_EFI_STUB=y
+# CONFIG_SECCOMP is not set
+CONFIG_HZ_100=y
+CONFIG_KEXEC=y
+CONFIG_KEXEC_FILE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+CONFIG_CMDLINE_BOOL=y
+CONFIG_CMDLINE="nosmp debug"
+# CONFIG_MODIFY_LDT_SYSCALL is not set
+# CONFIG_SUSPEND is not set
+CONFIG_ACPI_DEBUG=y
+CONFIG_ACPI_PCI_SLOT=y
+CONFIG_ACPI_CUSTOM_METHOD=y
+CONFIG_ACPI_CONFIGFS=y
+CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE=y
+CONFIG_X86_ACPI_CPUFREQ=y
+# CONFIG_PCI_MMCONFIG is not set
+# CONFIG_ISA_DMA_API is not set
+CONFIG_IA32_EMULATION=y
+# CONFIG_DMIID is not set
+CONFIG_DMI_SYSFS=y
+CONFIG_EFI_VARS=y
+CONFIG_RESET_ATTACK_MITIGATION=y
+# CONFIG_VIRTUALIZATION is not set
+CONFIG_JUMP_LABEL=y
+CONFIG_MODULES=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_SHA256=y
+# CONFIG_UNUSED_SYMBOLS is not set
+CONFIG_TRIM_UNUSED_KSYMS=y
+CONFIG_BLK_DEV_BSGLIB=y
+# CONFIG_COREDUMP is not set
+# CONFIG_SPARSEMEM_VMEMMAP is not set
+# CONFIG_COMPACTION is not set
+# CONFIG_BOUNCE is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_SYN_COOKIES=y
+# CONFIG_INET_DIAG is not set
+# CONFIG_IPV6 is not set
+# CONFIG_WIRELESS is not set
+CONFIG_PCI=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_IOV=y
+CONFIG_PCI_PRI=y
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_STANDALONE is not set
+# CONFIG_ALLOW_DEV_COREDUMP is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_RAM=y
+CONFIG_BLK_DEV_RAM_SIZE=65536
+CONFIG_EEPROM_93CX6=m
+CONFIG_INTEL_MEI_ME=y
+CONFIG_INTEL_MEI_TXE=y
+CONFIG_RAID_ATTRS=y
+# CONFIG_SCSI_PROC_FS is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_CHR_DEV_SG=y
+# CONFIG_SCSI_LOWLEVEL is not set
+CONFIG_ATA=y
+CONFIG_SATA_AHCI=y
+CONFIG_SATA_AHCI_PLATFORM=y
+# CONFIG_ATA_SFF is not set
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+CONFIG_DM_SNAPSHOT=y
+CONFIG_DM_THIN_PROVISIONING=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_VERITY_FEC=y
+CONFIG_NETDEVICES=y
+# CONFIG_NET_VENDOR_3COM is not set
+# CONFIG_NET_VENDOR_ADAPTEC is not set
+# CONFIG_NET_VENDOR_AGERE is not set
+# CONFIG_NET_VENDOR_ALACRITECH is not set
+# CONFIG_NET_VENDOR_ALTEON is not set
+# CONFIG_NET_VENDOR_AMAZON is not set
+# CONFIG_NET_VENDOR_AMD is not set
+# CONFIG_NET_VENDOR_AQUANTIA is not set
+# CONFIG_NET_VENDOR_ARC is not set
+# CONFIG_NET_VENDOR_ATHEROS is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+# CONFIG_NET_VENDOR_BROADCOM is not set
+# CONFIG_NET_VENDOR_BROCADE is not set
+# CONFIG_NET_VENDOR_CADENCE is not set
+# CONFIG_NET_VENDOR_CAVIUM is not set
+# CONFIG_NET_VENDOR_CHELSIO is not set
+# CONFIG_NET_VENDOR_CISCO is not set
+# CONFIG_NET_VENDOR_CORTINA is not set
+# CONFIG_NET_VENDOR_DEC is not set
+# CONFIG_NET_VENDOR_DLINK is not set
+# CONFIG_NET_VENDOR_EMULEX is not set
+# CONFIG_NET_VENDOR_EZCHIP is not set
+# CONFIG_NET_VENDOR_GOOGLE is not set
+# CONFIG_NET_VENDOR_HP is not set
+# CONFIG_NET_VENDOR_HUAWEI is not set
+# CONFIG_NET_VENDOR_I825XX is not set
+CONFIG_E1000=y
+CONFIG_E1000E=y
+# CONFIG_NET_VENDOR_MARVELL is not set
+# CONFIG_NET_VENDOR_MELLANOX is not set
+# CONFIG_NET_VENDOR_MICREL is not set
+# CONFIG_NET_VENDOR_MICROCHIP is not set
+# CONFIG_NET_VENDOR_MICROSEMI is not set
+# CONFIG_NET_VENDOR_MYRI is not set
+# CONFIG_NET_VENDOR_NATSEMI is not set
+# CONFIG_NET_VENDOR_NETERION is not set
+# CONFIG_NET_VENDOR_NETRONOME is not set
+# CONFIG_NET_VENDOR_NI is not set
+# CONFIG_NET_VENDOR_NVIDIA is not set
+# CONFIG_NET_VENDOR_OKI is not set
+# CONFIG_NET_VENDOR_PACKET_ENGINES is not set
+# CONFIG_NET_VENDOR_PENSANDO is not set
+# CONFIG_NET_VENDOR_QLOGIC is not set
+# CONFIG_NET_VENDOR_QUALCOMM is not set
+# CONFIG_NET_VENDOR_RDC is not set
+# CONFIG_NET_VENDOR_REALTEK is not set
+# CONFIG_NET_VENDOR_RENESAS is not set
+# CONFIG_NET_VENDOR_ROCKER is not set
+# CONFIG_NET_VENDOR_SAMSUNG is not set
+# CONFIG_NET_VENDOR_SEEQ is not set
+# CONFIG_NET_VENDOR_SOLARFLARE is not set
+# CONFIG_NET_VENDOR_SILAN is not set
+# CONFIG_NET_VENDOR_SIS is not set
+# CONFIG_NET_VENDOR_SMSC is not set
+# CONFIG_NET_VENDOR_SOCIONEXT is not set
+# CONFIG_NET_VENDOR_STMICRO is not set
+# CONFIG_NET_VENDOR_SUN is not set
+# CONFIG_NET_VENDOR_SYNOPSYS is not set
+# CONFIG_NET_VENDOR_TEHUTI is not set
+# CONFIG_NET_VENDOR_TI is not set
+# CONFIG_NET_VENDOR_VIA is not set
+# CONFIG_NET_VENDOR_WIZNET is not set
+# CONFIG_NET_VENDOR_XILINX is not set
+# CONFIG_WLAN is not set
+# CONFIG_INPUT_KEYBOARD is not set
+# CONFIG_INPUT_MOUSE is not set
+# CONFIG_SERIO_I8042 is not set
+# CONFIG_SERIO_SERPORT is not set
+# CONFIG_LEGACY_PTYS is not set
+CONFIG_SERIAL_8250=y
+# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set
+CONFIG_SERIAL_8250_CONSOLE=y
+# CONFIG_SERIAL_8250_PCI is not set
+CONFIG_SERIAL_8250_EXTENDED=y
+# CONFIG_SERIAL_8250_LPSS is not set
+# CONFIG_SERIAL_8250_MID is not set
+CONFIG_TTY_PRINTK=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_TIMERIOMEM=m
+CONFIG_HW_RANDOM_INTEL=m
+CONFIG_HW_RANDOM_AMD=m
+CONFIG_HW_RANDOM_VIA=m
+CONFIG_NVRAM=y
+CONFIG_TCG_TIS_I2C_ATMEL=y
+CONFIG_TCG_TIS_I2C_INFINEON=y
+CONFIG_TCG_TIS_I2C_NUVOTON=y
+CONFIG_TCG_NSC=y
+CONFIG_TCG_ATMEL=y
+CONFIG_TCG_INFINEON=y
+CONFIG_TCG_TIS_ST33ZP24_I2C=y
+# CONFIG_I2C_COMPAT is not set
+CONFIG_I2C_CHARDEV=y
+CONFIG_I2C_MUX=m
+CONFIG_I2C_MUX_PCA9541=m
+CONFIG_I2C_MUX_REG=m
+# CONFIG_I2C_HELPER_AUTO is not set
+CONFIG_I2C_I801=y
+CONFIG_I2C_SCMI=y
+CONFIG_I2C_SLAVE=y
+# CONFIG_HWMON is not set
+CONFIG_X86_PKG_TEMP_THERMAL=y
+CONFIG_INT340X_THERMAL=y
+CONFIG_INTEL_PCH_THERMAL=y
+CONFIG_MFD_SYSCON=y
+# CONFIG_VGA_ARB is not set
+CONFIG_DRM=y
+CONFIG_DRM_BOCHS=y
+CONFIG_FRAMEBUFFER_CONSOLE=y
+# CONFIG_USB_SUPPORT is not set
+CONFIG_RTC_CLASS=y
+# CONFIG_VIRTIO_MENU is not set
+# CONFIG_X86_PLATFORM_DEVICES is not set
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_SVM=y
+CONFIG_GENERIC_PHY=y
+CONFIG_EXT4_FS=y
+# CONFIG_DNOTIFY is not set
+# CONFIG_INOTIFY_USER is not set
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+# CONFIG_PROC_SYSCTL is not set
+# CONFIG_PROC_PAGE_MONITOR is not set
+CONFIG_TMPFS=y
+CONFIG_EFIVAR_FS=y
+# CONFIG_MISC_FILESYSTEMS is not set
+# CONFIG_NETWORK_FILESYSTEMS is not set
+CONFIG_NLS_DEFAULT="utf8"
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
+CONFIG_NLS_UTF8=y
+CONFIG_SECURITY=y
+CONFIG_INTEL_TXT=y
+CONFIG_HARDENED_USERCOPY=y
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_IMA=y
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_CCM=m
+CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_ECHAINIV=m
+CONFIG_CRYPTO_CTS=m
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=m
+CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_KEYWRAP=m
+CONFIG_CRYPTO_CMAC=m
+CONFIG_CRYPTO_XCBC=m
+CONFIG_CRYPTO_VMAC=m
+CONFIG_CRYPTO_CRC32C_INTEL=y
+CONFIG_CRYPTO_CRC32=m
+CONFIG_CRYPTO_CRC32_PCLMUL=m
+CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
+CONFIG_CRYPTO_POLY1305_X86_64=m
+CONFIG_CRYPTO_MD4=m
+CONFIG_CRYPTO_MICHAEL_MIC=m
+CONFIG_CRYPTO_RMD128=m
+CONFIG_CRYPTO_RMD160=m
+CONFIG_CRYPTO_RMD256=m
+CONFIG_CRYPTO_RMD320=m
+CONFIG_CRYPTO_SHA1_SSSE3=y
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+CONFIG_CRYPTO_TGR192=m
+CONFIG_CRYPTO_WP512=m
+CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=m
+CONFIG_CRYPTO_ARC4=m
+CONFIG_CRYPTO_BLOWFISH=m
+CONFIG_CRYPTO_BLOWFISH_X86_64=m
+CONFIG_CRYPTO_CAMELLIA=m
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
+CONFIG_CRYPTO_CAST5_AVX_X86_64=m
+CONFIG_CRYPTO_CAST6_AVX_X86_64=m
+CONFIG_CRYPTO_DES=m
+CONFIG_CRYPTO_DES3_EDE_X86_64=m
+CONFIG_CRYPTO_FCRYPT=m
+CONFIG_CRYPTO_KHAZAD=m
+CONFIG_CRYPTO_SALSA20=m
+CONFIG_CRYPTO_CHACHA20_X86_64=m
+CONFIG_CRYPTO_SEED=m
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
+CONFIG_CRYPTO_TEA=m
+CONFIG_CRYPTO_TWOFISH=m
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m
+CONFIG_CRYPTO_DEFLATE=m
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=m
+CONFIG_CRYPTO_LZ4=m
+CONFIG_CRYPTO_LZ4HC=m
+CONFIG_CRYPTO_ANSI_CPRNG=m
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+CONFIG_CRYPTO_USER_API_RNG=y
+CONFIG_CRYPTO_USER_API_AEAD=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_CORDIC=m
+CONFIG_CRC_CCITT=m
+CONFIG_CRC_T10DIF=y
+CONFIG_CRC_ITU_T=m
+CONFIG_CRC7=m
+CONFIG_CRC8=m
+CONFIG_XZ_DEC_TEST=m
+CONFIG_IRQ_POLL=y
+CONFIG_PRINTK_TIME=y
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=6
+CONFIG_DYNAMIC_DEBUG=y
+CONFIG_DEBUG_INFO=y
+CONFIG_DEBUG_INFO_DWARF4=y
+CONFIG_GDB_SCRIPTS=y
+# CONFIG_ENABLE_MUST_CHECK is not set
+CONFIG_FRAME_WARN=1024
+CONFIG_DEBUG_FS=y
+CONFIG_MAGIC_SYSRQ=y
+CONFIG_HARDLOCKUP_DETECTOR=y
+CONFIG_WQ_WATCHDOG=y
+# CONFIG_SCHED_DEBUG is not set
+CONFIG_STACKTRACE=y
+# CONFIG_DEBUG_BUGVERBOSE is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_FTRACE is not set
+# CONFIG_STRICT_DEVMEM is not set
+# CONFIG_X86_VERBOSE_BOOTUP is not set
+# CONFIG_DOUBLEFAULT is not set
+CONFIG_IO_DELAY_0XED=y
+# CONFIG_X86_DEBUG_FPU is not set
diff --git a/initrd/bin/safeboot-init b/initrd/bin/safeboot-init
new file mode 100755
index 000000000..5bbfa1a26
--- /dev/null
+++ b/initrd/bin/safeboot-init
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Ensure that the TPM2 logs are present (if configured)
+mount /sys/kernel/security 2>/dev/ttyprintk
+export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
+
+mkdir -p /etc/safeboot
+mv /bin/functions.sh /etc/safeboot
+
+ifconfig eth0 10.0.2.15
+
+export PS1='\h:\w# '
+
+exec setsid -c /bin/bash
diff --git a/modules/bash b/modules/bash
new file mode 100644
index 000000000..79add3a7b
--- /dev/null
+++ b/modules/bash
@@ -0,0 +1,24 @@
+# bash is the default shell for safeboot,
+# but probably too big for busybox installations.
+modules-$(CONFIG_BASH) += bash
+
+bash_version := 5.0
+bash_dir := bash-$(bash_version)
+bash_tar := bash-$(bash_version).tar.gz
+bash_url := http://ftp.gnu.org/gnu/bash/$(bash_tar)
+bash_hash := b4a80f2ac66170b2913efbfb9f2594f1f76c7b1afd11f799e22035d63077fb4d
+
+# turn off bash malloc, which uses sbrk(), which is not implemented in musl
+
+bash_configure := ./configure \
+	$(CROSS_TOOLS) \
+	--host x86_64-linux-musl \
+	--prefix "/" \
+	--without-bash-malloc \
+
+bash_target := \
+	$(MAKE_JOBS) \
+
+bash_output := bash
+
+bash_depends := $(musl_dep)
diff --git a/modules/curl b/modules/curl
new file mode 100644
index 000000000..6e3480b33
--- /dev/null
+++ b/modules/curl
@@ -0,0 +1,22 @@
+# if you can use wget, it is in busybox. if you need curl, well...
+modules-$(CONFIG_CURL) += curl
+
+curl_version := 7.73.0
+curl_dir := curl-$(curl_version)
+curl_tar := curl-$(curl_version).tar.bz2
+curl_url := https://github.com/curl/curl/releases/download/curl-7_73_0/$(curl_tar)
+curl_hash := cf34fe0b07b800f1c01a499a6e8b2af548f6d0e044dca4a29d88a4bee146d131
+
+curl_configure := ./configure \
+	$(CROSS_TOOLS) \
+	LDFLAGS="-Wl,-rpath-link=$(INSTALL)/lib" \
+	--host x86_64-linux-musl \
+	--prefix "/" \
+
+curl_target := \
+	$(MAKE_JOBS) \
+
+curl_output := src/.libs/curl
+curl_libraries := lib/.libs/libcurl.so.4
+
+curl_depends := openssl $(musl_dep)
diff --git a/modules/safeboot b/modules/safeboot
new file mode 100644
index 000000000..c7976ef31
--- /dev/null
+++ b/modules/safeboot
@@ -0,0 +1,22 @@
+# safeboot tpm2 interface scripts
+modules-$(CONFIG_SAFEBOOT) += safeboot
+
+#safeboot_version := 4.3.0
+safeboot_version := git
+safeboot_repo := https://github.com/osresearch/safeboot.git -b attest-demo
+
+safeboot_dir := safeboot-$(safeboot_version)
+safeboot_tar := safeboot-$(safeboot_version).tar.gz
+safeboot_url := https://github.com/tpm2-software/safeboot/releases/download/$(safeboot_version)/$(safeboot_tar)
+safeboot_hash := ae009b3495b44a16faa3d94d41ac9c9d99c71723482efad53c5eea17eeed80fc
+
+safeboot_configure := echo true
+safeboot_target := $(MAKE_JOBS) \
+	bin/sbsign.safeboot
+
+safeboot_output := \
+	functions.sh  \
+	sbin/safeboot \
+	sbin/tpm2-attest \
+
+safeboot_depends :=