diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/Manifest
new file mode 100644
index 0000000000..8b75e07bb5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/Manifest
@@ -0,0 +1 @@
+DIST p11-kit-0.23.22.tar.xz 830016 BLAKE2B 4e1edfd9e2441d237c07a16c003aee5ffde38f1cf545c26e435645429f2cfa4fe7ca61cdc3c3940390aa040ba991f2ee3995b14cc31bb886d5eeffa8ed5e1721 SHA512 098819e6ca4ad9cc2a0bc2e478aea67354d051a4f03e6c7d75d13d2469b6dc7654f26b15530052f6ed51acb35531c2539e0f971b31e29e6673e857c903afb080
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/metadata.xml
new file mode 100644
index 0000000000..ff17590b69
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/metadata.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>zlogene@gentoo.org</email>
+		<name>Mikle Kolyada</name>
+	</maintainer>
+	<use>
+		<flag name="asn1">Enable ASN.1 certificate support</flag>
+		<flag name="trust">Build the trust policy module</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">p11-glue/p11-kit</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/p11-kit-0.23.22.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/p11-kit-0.23.22.ebuild
new file mode 100644
index 0000000000..d8fecbda23
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/p11-kit-0.23.22.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit multilib-minimal
+
+DESCRIPTION="Provides a standard configuration setup for installing PKCS#11"
+HOMEPAGE="https://p11-glue.github.io/p11-glue/p11-kit.html"
+SRC_URI="https://github.com/p11-glue/p11-kit/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+asn1 debug +libffi systemd +trust"
+REQUIRED_USE="trust? ( asn1 )"
+
+RDEPEND="asn1? ( >=dev-libs/libtasn1-3.4:=[${MULTILIB_USEDEP}] )
+	libffi? ( dev-libs/libffi:=[${MULTILIB_USEDEP}] )
+	systemd? ( sys-apps/systemd:= )
+	trust? ( app-misc/ca-certificates )"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+pkg_setup() {
+	# disable unsafe tests, bug#502088
+	export FAKED_MODE=1
+}
+
+src_prepare() {
+	if [[ ${CHOST} == *-solaris2.* && ${CHOST##*-solaris2.} -lt 11 ]] ; then
+		# Solaris 10 and before doesn't know about XPG7 (XOPEN_SOURCE=700)
+		# drop to XPG6 to make feature_tests.h happy
+		sed -i -e '/define _XOPEN_SOURCE/s/700/600/' common/compat.c || die
+		# paths.h isn't available, oddly enough also not used albeit included
+		sed -i -e '/#include <paths.h>/d' trust/test-trust.c || die
+		# we don't have SUN_LEN here
+		sed -i -e 's/SUN_LEN \(([^)]\+)\)/strlen (\1->sun_path)/' \
+			p11-kit/server.c || die
+	fi
+	default
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE="${S}" econf \
+		$(use_enable trust trust-module) \
+		$(use_with trust trust-paths ${EPREFIX}/etc/ssl/certs/ca-certificates.crt) \
+		$(use_enable debug) \
+		$(use_with libffi) \
+		$(use_with asn1 libtasn1) \
+		$(multilib_native_use_with systemd)
+
+	if multilib_is_native_abi; then
+		# re-use provided documentation
+		ln -s "${S}"/doc/manual/html doc/manual/html || die
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${D}" -name '*.la' -delete || die
+}