diff --git a/sdk_container/src/third_party/coreos-overlay/acct-group/tang/metadata.xml b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/metadata.xml
new file mode 100644
index 0000000000..97ba7c28bb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>julien@jroy.ca</email>
+		<name>Julien Roy</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/acct-group/tang/tang-0.ebuild b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/tang-0.ebuild
new file mode 100644
index 0000000000..c48b2ad8f5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/acct-group/tang/tang-0.ebuild
@@ -0,0 +1,10 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+DESCRIPTION="Group for tang daemon"
+
+ACCT_GROUP_ID=-1
diff --git a/sdk_container/src/third_party/coreos-overlay/acct-user/tang/metadata.xml b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/metadata.xml
new file mode 100644
index 0000000000..97ba7c28bb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>julien@jroy.ca</email>
+		<name>Julien Roy</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/acct-user/tang/tang-0.ebuild b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/tang-0.ebuild
new file mode 100644
index 0000000000..e76b2a0926
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/acct-user/tang/tang-0.ebuild
@@ -0,0 +1,13 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-user
+
+DESCRIPTION="User for tang daemon"
+
+ACCT_USER_ID=-1
+ACCT_USER_GROUPS=( ${PN} )
+
+acct-user_add_deps
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest
new file mode 100644
index 0000000000..ead9af1f71
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/Manifest
@@ -0,0 +1 @@
+DIST clevis-19.tar.gz 81324 BLAKE2B 75323940d0b53e307f5dbc197e3117e7ddc900d76ae1043bac3d17cc3af0264ba00a5f840c5c9dd3c2dd9c8fbde2cf05934b8ab3e89cd403ad8a8eb28609bb78 SHA512 dee19354c908c3843fc295a84b431780d5d6062c77766ee7ce9550636d3623d92b0cd1f6d4c40d57bef14debddc161da2b72289a5d6185cdd17b09a1ef67409a
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
new file mode 100644
index 0000000000..37a4b60eb9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild
@@ -0,0 +1,35 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson
+
+DESCRIPTION="Automated Encryption Framework"
+HOMEPAGE="https://github.com/latchset/clevis"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+luks +tpm"
+
+DEPEND="
+	dev-libs/jose
+	sys-fs/cryptsetup
+	luks? (
+		app-misc/jq
+		dev-libs/libpwquality
+		dev-libs/luksmeta
+	)
+	tpm? ( app-crypt/tpm2-tools )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+	# From https://github.com/latchset/clevis/pull/347
+	# Allows using dracut without systemd
+	"${FILESDIR}/clevis-dracut.patch"
+	# Fix for systemd on Gentoo
+	"${FILESDIR}/clevis-meson.patch"
+)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
new file mode 100644
index 0000000000..60873b84e4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-dracut.patch
@@ -0,0 +1,216 @@
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/meson.build b/src/dracut/clevis-pin-sss/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/meson.build
+rename to src/dracut/clevis-pin-sss/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in b/src/dracut/clevis-pin-sss/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-sss/module-setup.sh.in
+rename to src/dracut/clevis-pin-sss/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/meson.build b/src/dracut/clevis-pin-tang/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/meson.build
+rename to src/dracut/clevis-pin-tang/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in b/src/dracut/clevis-pin-tang/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tang/module-setup.sh.in
+rename to src/dracut/clevis-pin-tang/module-setup.sh.in
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/meson.build b/src/dracut/clevis-pin-tpm2/meson.build
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/meson.build
+rename to src/dracut/clevis-pin-tpm2/meson.build
+diff --git a/src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in b/src/dracut/clevis-pin-tpm2/module-setup.sh.in
+similarity index 100%
+rename from src/luks/systemd/dracut/clevis-pin-tpm2/module-setup.sh.in
+rename to src/dracut/clevis-pin-tpm2/module-setup.sh.in
+diff --git a/src/dracut/clevis/clevis-hook.sh.in b/src/dracut/clevis/clevis-hook.sh.in
+new file mode 100755
+index 0000000..91ff2bd
+--- /dev/null
++++ b/src/dracut/clevis/clevis-hook.sh.in
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++@libexecdir@/clevis-luks-generic-unlocker -l
+diff --git a/src/dracut/clevis/clevis-luks-generic-unlocker b/src/dracut/clevis/clevis-luks-generic-unlocker
+new file mode 100755
+index 0000000..a3b9d62
+--- /dev/null
++++ b/src/dracut/clevis/clevis-luks-generic-unlocker
+@@ -0,0 +1,70 @@
++#!/bin/bash
++set -eu
++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
++#
++# Copyright (c) 2020-2021 Red Hat, Inc.
++# Author: Sergio Correia <scorreia@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++. clevis-luks-common-functions
++
++# Make sure to exit cleanly if SIGTERM is received.
++trap 'echo "Exiting due to SIGTERM" && exit 0' TERM
++
++loop=
++while getopts ":l" o; do
++    case "${o}" in
++    l) loop=true;;
++    *) ;;
++    esac
++done
++
++to_unlock() {
++    local _devices='' _d _uuid
++    for _d in $(lsblk -o PATH,FSTYPE,RM \
++               | awk '$2 == "crypto_LUKS" && $3 == "0" { print $1 }' | sort -u);
++    do
++        if ! bindings="$(clevis luks list -d "${_d}" 2>/dev/null)" \
++                         || [ -z "${bindings}" ]; then
++            continue
++        fi
++        _uuid="$(cryptsetup luksUUID "${_d}")"
++        if clevis_is_luks_device_by_uuid_open "${_uuid}"; then
++            continue
++        fi
++        _devices="$(printf '%s\n%s' "${_devices}" "${_d}")"
++    done
++    echo "${_devices}" | sed -e 's/^\n$//'
++}
++
++while true; do
++    for d in $(to_unlock); do
++        uuid="$(cryptsetup luksUUID "${d}")"
++        if ! clevis luks unlock -d "${d}"; then
++            echo "Unable to unlock ${d} (UUID=${uuid})" >&2
++            continue
++        fi
++        echo "Unlocked ${d} (UUID=${uuid}) successfully" >&2
++    done
++
++    [ "${loop}" != true ] && break
++    # Checking for pending devices to be unlocked.
++    if remaining=$(to_unlock) && [ -z "${remaining}" ]; then
++        break;
++    fi
++
++    sleep 0.5
++done
+diff --git a/src/luks/systemd/dracut/clevis/meson.build b/src/dracut/clevis/meson.build
+similarity index 87%
+rename from src/luks/systemd/dracut/clevis/meson.build
+rename to src/dracut/clevis/meson.build
+index 167e708..224e27f 100644
+--- a/src/luks/systemd/dracut/clevis/meson.build
++++ b/src/dracut/clevis/meson.build
+@@ -16,6 +16,7 @@ if dracut.found()
+     install_dir: dracutdir,
+     configuration: data,
+   )
++  install_data('clevis-luks-generic-unlocker', install_dir: libexecdir)
+ else
+   warning('Will not install dracut module due to missing dependencies!')
+ endif
+diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/dracut/clevis/module-setup.sh.in
+similarity index 76%
+rename from src/luks/systemd/dracut/clevis/module-setup.sh.in
+rename to src/dracut/clevis/module-setup.sh.in
+index bfe657c..dbce790 100755
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
++++ b/src/dracut/clevis/module-setup.sh.in
+@@ -19,7 +19,11 @@
+ #
+ 
+ depends() {
+-    echo crypt systemd
++    local __depends=crypt
++    if dracut_module_included "systemd"; then
++        __depends=$(printf '%s systemd' "${_depends}")
++    fi
++    echo "${__depends}"
+     return 255
+ }
+ 
+@@ -27,17 +31,24 @@ install() {
+     if dracut_module_included "systemd"; then
+         inst_multiple \
+             $systemdsystemunitdir/clevis-luks-askpass.service \
+-            $systemdsystemunitdir/clevis-luks-askpass.path
++            $systemdsystemunitdir/clevis-luks-askpass.path \
++            @SYSTEMD_REPLY_PASS@ \
++            @libexecdir@/clevis-luks-askpass
+         systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
+     else
+         inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
+         inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
++
++	inst_multiple \
++            @libexecdir@/clevis-luks-generic-unlocker \
++            clevis-luks-unlock \
++            lsblk \
++            sort \
++            awk
+     fi
+ 
+     inst_multiple \
+         /etc/services \
+-        @SYSTEMD_REPLY_PASS@ \
+-        @libexecdir@/clevis-luks-askpass \
+         clevis-luks-common-functions \
+         grep sed cut \
+         clevis-decrypt \
+diff --git a/src/luks/systemd/dracut/meson.build b/src/dracut/meson.build
+similarity index 78%
+rename from src/luks/systemd/dracut/meson.build
+rename to src/dracut/meson.build
+index 7ad5b14..fdb264b 100644
+--- a/src/luks/systemd/dracut/meson.build
++++ b/src/dracut/meson.build
+@@ -2,4 +2,3 @@ subdir('clevis')
+ subdir('clevis-pin-tang')
+ subdir('clevis-pin-tpm2')
+ subdir('clevis-pin-sss')
+-subdir('clevis-pin-null')
+diff --git a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in b/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
+deleted file mode 100755
+index cb257c9..0000000
+--- a/src/luks/systemd/dracut/clevis/clevis-hook.sh.in
++++ /dev/null
+@@ -1,2 +0,0 @@
+-#!/bin/bash
+-@libexecdir@/clevis-luks-askpass
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index e3b3d91..b10494e 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -10,7 +10,6 @@ sd_reply_pass = find_program(
+ 
+ if systemd.found() and sd_reply_pass.found()
+   data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
+-  subdir('dracut')
+ 
+   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
+ 
+diff --git a/src/meson.build b/src/meson.build
+index c4e696f..a0dff5b 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -1,6 +1,7 @@
+ subdir('bash')
+ subdir('luks')
+ subdir('pins')
++subdir('dracut')
+ subdir('initramfs-tools')
+ 
+ bins += join_paths(meson.current_source_dir(), 'clevis-decrypt')
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch
new file mode 100644
index 0000000000..bfd517d3e1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/files/clevis-meson.patch
@@ -0,0 +1,11 @@
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index b10494e3ca4d620437aee0d5e440eecf323b03d9..09f7fb51e7320aa71e275c34baa0561233821d69 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -5,6 +5,7 @@ sd_reply_pass = find_program(
+   join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
+   join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
+   join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
++  join_paths('/', 'lib', 'systemd', 'systemd-reply-password'),
+   required: false
+ )
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml
new file mode 100644
index 0000000000..18fcd69367
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/metadata.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>kjain7@u.rochester.edu</email>
+		<name>Krish Jain (based off Julien Roy's work) </name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">latchset/clevis</remote-id>
+	</upstream>
+	<use>
+		<flag name="luks">Enable LUKS support</flag>
+		<flag name="tpm">Enable TPM support</flag>
+	</use>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/Manifest
new file mode 100644
index 0000000000..dca30c608a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/Manifest
@@ -0,0 +1,2 @@
+DIST tang-13.tar.gz 41537 BLAKE2B 23c7ebb0e74d56c712200e0bcbf048d32e82f08c91eece19337fc9725a6de48240958435c560a32f47fe506e607b38fc29c2b05635f232f713c8af6066a33ac0 SHA512 c8e99498b31a45bb97092d764bbe5f13f9152a8128ef774de6ac99bd44f15d5895b462ecefc504f37142fdacafc86a39059204514aa509db257b342553e00641
+DIST tang-14.tar.gz 41616 BLAKE2B a26091108b16342f51cf05745ae68b56fab5ffac6d9f9191b4d6952a5c88afcbad8bbcfc0e4754b8d9c5ebf659874026a2020c1ad305f4f7393d2487ec5f95d5 SHA512 3b0872f51d9aa8dfd232fa328a326503800a1eedfe7cf9d73f8e10a3cfb97f667996708a18ea04c982c3ca477fe36961045649437b953c593fce544d8dee8048
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd
new file mode 100644
index 0000000000..3bca6e1b81
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd
@@ -0,0 +1,8 @@
+# Address for tang to listen to (default: 0.0.0.0)
+ADDRESS=0.0.0.0
+
+# Port for tang to listen to (default: 8888)
+PORT=8888
+
+# Directory where keys will be stored (default: /var/db/tang)
+TANGDIR=/var/db/tang
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.initd b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.initd
new file mode 100644
index 0000000000..fc3c25c03c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.initd
@@ -0,0 +1,11 @@
+#!/sbin/openrc-run
+# Copyright 2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="tang daemon"
+description="Tang binding daemon"
+command=/usr/bin/socat
+pidfile="/var/run/${RC_SVCNAME}.pid"
+command_user="tang"
+command_args="TCP-LISTEN:${PORT},bind=${ADDRESS},fork SYSTEM:'/usr/libexec/tangd ${TANGDIR}'"
+command_background=true
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.service b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.service
new file mode 100644
index 0000000000..59625d9741
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/files/tangd.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Tang Server
+
+[Service]
+ExecStart=/usr/bin/socat TCP-LISTEN:8888,bind=0.0.0.0,fork SYSTEM:'/usr/libexec/tangd /var/db/tang'
+User=tang
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/metadata.xml
new file mode 100644
index 0000000000..89293a302d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>julien@jroy.ca</email>
+		<name>Julien Roy</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">latchset/tang</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-13.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-13.ebuild
new file mode 100644
index 0000000000..1b055c35e1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-13.ebuild
@@ -0,0 +1,35 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson systemd
+
+DESCRIPTION="Tang binding daemon"
+HOMEPAGE="https://github.com/latchset/tang"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE=""
+
+DEPEND="acct-user/tang
+	net-misc/socat
+	>=net-libs/http-parser-2.8.0
+	>=dev-libs/jose-8"
+RDEPEND="${DEPEND}"
+BDEPEND="app-text/asciidoc"
+
+src_install(){
+	meson_install
+	newinitd "${FILESDIR}"/tangd.initd tangd
+	systemd_dounit "${FILESDIR}"/tangd.service
+
+	doconfd "${FILESDIR}"/tangd
+
+	dodir /var/db/tang
+	keepdir /var/db/tang
+	fowners tang:tang /var/db/tang
+	fperms 770 /var/db/tang
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-14.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-14.ebuild
new file mode 100644
index 0000000000..1b055c35e1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/tang/tang-14.ebuild
@@ -0,0 +1,35 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson systemd
+
+DESCRIPTION="Tang binding daemon"
+HOMEPAGE="https://github.com/latchset/tang"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE=""
+
+DEPEND="acct-user/tang
+	net-misc/socat
+	>=net-libs/http-parser-2.8.0
+	>=dev-libs/jose-8"
+RDEPEND="${DEPEND}"
+BDEPEND="app-text/asciidoc"
+
+src_install(){
+	meson_install
+	newinitd "${FILESDIR}"/tangd.initd tangd
+	systemd_dounit "${FILESDIR}"/tangd.service
+
+	doconfd "${FILESDIR}"/tangd
+
+	dodir /var/db/tang
+	keepdir /var/db/tang
+	fowners tang:tang /var/db/tang
+	fperms 770 /var/db/tang
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index a215fdea4b..75e51bbfa7 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -100,6 +100,7 @@ RDEPEND="${RDEPEND}
 	app-arch/zip
 	app-arch/ncompress
 	app-crypt/adcli
+	app-crypt/clevis
 	app-crypt/gnupg
 	app-crypt/go-tspi
 	app-crypt/tpmpolicy
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/Manifest
new file mode 100644
index 0000000000..e93f6475fb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/Manifest
@@ -0,0 +1 @@
+DIST jose-11.tar.gz 841374 BLAKE2B 5ffe35ebd48ed72d140e1dbf3ad37fcc3b4fd5534a5e1a5d9c43e82ad1901f989610baee2e2eb17209fd72f73c4f17227bed01d168bb4d243f067ec25051f913 SHA512 ffe09000837f79cefa549734d13c5d5d51042a42a055867241777ccbff3a127bac86a6155638fdf5ee52aad3598829e19724fd4e7de541117ed9b1c77c2ce457
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/jose-11-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/jose-11-r1.ebuild
new file mode 100644
index 0000000000..759d25b8f9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/jose-11-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 2022-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit meson
+
+DESCRIPTION="C-language implementation of Javascript Object Signing and Encryption"
+HOMEPAGE="https://github.com/latchset/jose"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64"
+
+DEPEND="dev-libs/jansson"
+RDEPEND="${DEPEND}
+	dev-libs/openssl:=
+"
+BDEPEND=""
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/metadata.xml
new file mode 100644
index 0000000000..bfb2fba0b9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/jose/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>julien@jroy.ca</email>
+		<name>Julien Roy</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">latchset/jose</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/Manifest
new file mode 100644
index 0000000000..95c5937c64
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/Manifest
@@ -0,0 +1 @@
+DIST luksmeta-9.tar.gz 27650 BLAKE2B e55796929410e9a3124c3f28066bac42b46e71df98ab7a1e58c1f973d4fda41d7c8d64b735ae0d1e192054297932951407083f89a7f255c09d22dce370865036 SHA512 874331988fe2648d4924779b348f190ed5c6e4d71da4ad027f176e3f8dcbc78fc26e9f9b8402a97437db5b884db31b72598afc70e025cd8533168a5986417a76
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/files/luksmeta-tests.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/files/luksmeta-tests.patch
new file mode 100644
index 0000000000..aeca588619
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/files/luksmeta-tests.patch
@@ -0,0 +1,137 @@
+# Closes Gentoo bug 837308
+# This patch backports the master branch's test-lm-{big,one,two}.c and test-luksmeta.c
+# due to failing tests on v9 tag (see https://bugs.gentoo.org/837308)
+
+diff --git a/test-lm-assumptions.c b/test-lm-assumptions.c
+index d9ff20b..b4f293f 100644
+--- a/test-lm-assumptions.c
++++ b/test-lm-assumptions.c
+@@ -28,7 +28,8 @@ main(int argc, char *argv[])
+     /* Test the layout state. */
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                    /* LUKS header */
+-        END(1024),                    /* Rest of the file */
++        { 1024, 3072, true },           /* Keyslot Area */
++        { 0, 0 },
+     }));
+ 
+     unlink(filename);
+diff --git a/test-lm-big.c b/test-lm-big.c
+index 6098e59..eb94d3b 100644
+--- a/test-lm-big.c
++++ b/test-lm-big.c
+@@ -111,7 +111,7 @@ main(int argc, char *argv[])
+ 
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         { offset + 4096, 4096 },       /* luksmeta slot 0 */
+         { offset + 8192, 4096 },       /* luksmeta slot 0 (cont) */
+@@ -127,7 +127,7 @@ main(int argc, char *argv[])
+ 
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         END(offset + 4096),            /* Rest of the file */
+     }));
+diff --git a/test-lm-init.c b/test-lm-init.c
+index 2a6cb45..b16d597 100644
+--- a/test-lm-init.c
++++ b/test-lm-init.c
+@@ -57,7 +57,7 @@ main(int argc, char *argv[])
+     /* Test the layout state. */
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         END(offset + 4096),            /* Rest of the file */
+     }));
+@@ -106,7 +106,7 @@ main(int argc, char *argv[])
+     assert(luksmeta_test(cd) == -ENOENT);
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         END(offset),                   /* Rest of the file */
+     }));
+ 
+diff --git a/test-lm-one.c b/test-lm-one.c
+index 8deb70a..18613e0 100644
+--- a/test-lm-one.c
++++ b/test-lm-one.c
+@@ -49,7 +49,7 @@ main(int argc, char *argv[])
+     /* Test the layout state. */
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         { offset + 4096, 4096 },       /* luksmeta slot 0 */
+         END(offset + 8192),            /* Rest of the file */
+@@ -68,7 +68,7 @@ main(int argc, char *argv[])
+     /* Test the layout state. */
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         END(offset + 4096),            /* Rest of the file */
+     }));
+diff --git a/test-lm-two.c b/test-lm-two.c
+index 78fea5b..9f0b1c5 100644
+--- a/test-lm-two.c
++++ b/test-lm-two.c
+@@ -53,7 +53,7 @@ main(int argc, char *argv[])
+ 
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         { offset + 4096, 4096 },       /* luksmeta slot 0 */
+         END(offset + 8192),            /* Rest of the file */
+@@ -70,7 +70,7 @@ main(int argc, char *argv[])
+ 
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         { offset + 4096, 4096 },       /* luksmeta slot 0 */
+         { offset + 8192, 4096 },       /* luksmeta slot 1 */
+@@ -88,7 +88,7 @@ main(int argc, char *argv[])
+     assert(luksmeta_wipe(cd, 0, UUID0) == 0);
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         { offset + 4096, 4096, true }, /* luksmeta slot 0 */
+         { offset + 8192, 4096 },       /* luksmeta slot 1 */
+@@ -99,7 +99,7 @@ main(int argc, char *argv[])
+     assert(luksmeta_wipe(cd, 1, UUID1) == 0);
+     assert(test_layout((range_t[]) {
+         { 0, 1024 },                   /* LUKS header */
+-        { 1024, offset - 1024, true }, /* Keyslot Area */
++        { 1024, 3072, true },          /* Keyslot Area */
+         { offset, 4096 },              /* luksmeta header */
+         END(offset + 4096),            /* Rest of the file */
+     }));
+diff --git a/test-luksmeta b/test-luksmeta
+index fd17ead..f1e8b2e 100755
+--- a/test-luksmeta
++++ b/test-luksmeta
+@@ -11,7 +11,7 @@ function onexit() {
+ trap 'onexit' EXIT
+ 
+ truncate -s 4M $tmp
+-echo -n foo | cryptsetup luksFormat $tmp -
++echo -n foo | cryptsetup luksFormat --type luks1 $tmp -
+ 
+ ! ./luksmeta test -d $tmp
+ 
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/luksmeta-9.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/luksmeta-9.ebuild
new file mode 100644
index 0000000000..0f5d87e819
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/luksmeta-9.ebuild
@@ -0,0 +1,34 @@
+# Copyright 2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="LUKSMeta is a simple library for storing metadata in the LUKSv1 header"
+HOMEPAGE="https://github.com/latchset/luksmeta"
+SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="+man"
+
+DEPEND="sys-fs/cryptsetup"
+RDEPEND="${DEPEND}"
+BDEPEND="man? ( app-text/asciidoc )
+	sys-devel/libtool"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-tests.patch"
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_install() {
+	default
+	find "${ED}" -name '*.la' -delete || die
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/metadata.xml
new file mode 100644
index 0000000000..4a0695b777
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/luksmeta/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>julien@jroy.ca</email>
+		<name>Julien Roy</name>
+	</maintainer>
+	<upstream>
+		<remote-id type="github">latchset/luksmeta</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask
index 7f198c44e9..928924c2cc 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask
@@ -4,7 +4,6 @@
 # We don't want to support interpreted languages, changes/updates we make
 # would have a high risk of breaking users.
 dev-lang/perl
-dev-lang/python
 dev-lang/ruby
 
 # We do not configure/install grub like other distros so shipping the user
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
index b8c81c0245..24319b5ffa 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-CROS_WORKON_PROJECT="flatcar/bootengine"
+CROS_WORKON_PROJECT="krishjainx/bootengine"
 CROS_WORKON_LOCALNAME="bootengine"
 CROS_WORKON_OUTOFTREE_BUILD=1
 CROS_WORKON_REPO="https://github.com"
@@ -10,7 +10,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="cc0fdec0cc6c5692acac95a928984ea8a5eb8f08" # flatcar-master
+	CROS_WORKON_COMMIT="6a286c04e4d0cccf70808ff5a9d9fb0f0aa76521" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
 
@@ -41,7 +41,6 @@ src_install() {
 		"${D}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root \
 		"${D}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root-after-ignition \
 		"${D}"/usr/lib/dracut/modules.d/99setup-root/gpg-agent-wrapper \
-		"${D}"/usr/lib/dracut/modules.d/30ignition/coreos-metadata-wrapper \
-		"${D}"/usr/lib/dracut/modules.d/30ignition/ignition-wrapper \
+		"${D}"/usr/lib/dracut/modules.d/30ignition/*-wrapper \
 		|| die chmod
 }
diff --git a/sdk_container/src/third_party/gentoo b/sdk_container/src/third_party/gentoo
new file mode 160000
index 0000000000..8a26e0f2f0
--- /dev/null
+++ b/sdk_container/src/third_party/gentoo
@@ -0,0 +1 @@
+Subproject commit 8a26e0f2f02cfbf5c9bbf35d814fdaaf575fa91e