diff --git a/tpm2-tss/.footprint b/tpm2-tss/.footprint new file mode 100644 index 000000000..6a49b9a72 --- /dev/null +++ b/tpm2-tss/.footprint 
@@ -0,0 +1,134 @@ +drwxr-xr-x root/root etc/ +drwxr-xr-x root/root etc/tpm2-tss/ +-rw-r--r-- root/root etc/tpm2-tss/fapi-config.json +drwxr-xr-x root/root etc/tpm2-tss/fapi-profiles/ +-rw-r--r-- root/root etc/tpm2-tss/fapi-profiles/P_ECCP256SHA256.json +-rw-r--r-- root/root etc/tpm2-tss/fapi-profiles/P_RSA2048SHA256.json +drwxr-xr-x root/root usr/ +drwxr-xr-x root/root usr/include/ +drwxr-xr-x root/root usr/include/tss2/ +-rw-r--r-- root/root usr/include/tss2/tss2_common.h +-rw-r--r-- root/root usr/include/tss2/tss2_esys.h +-rw-r--r-- root/root usr/include/tss2/tss2_fapi.h +-rw-r--r-- root/root usr/include/tss2/tss2_mu.h +-rw-r--r-- root/root usr/include/tss2/tss2_policy.h +-rw-r--r-- root/root usr/include/tss2/tss2_rc.h +-rw-r--r-- root/root usr/include/tss2/tss2_sys.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti_cmd.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti_device.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti_libtpms.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti_mssim.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti_pcap.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti_spi_helper.h +-rw-r--r-- root/root usr/include/tss2/tss2_tcti_swtpm.h +-rw-r--r-- root/root usr/include/tss2/tss2_tctildr.h +-rw-r--r-- root/root usr/include/tss2/tss2_tpm2_types.h +drwxr-xr-x root/root usr/lib/ +-rw-r--r-- root/root usr/lib/libtss2-esys.a +-rwxr-xr-x root/root usr/lib/libtss2-esys.la +lrwxrwxrwx root/root usr/lib/libtss2-esys.so -> libtss2-esys.so.0.0.1 +lrwxrwxrwx root/root usr/lib/libtss2-esys.so.0 -> libtss2-esys.so.0.0.1 +-rwxr-xr-x root/root usr/lib/libtss2-esys.so.0.0.1 +-rw-r--r-- root/root usr/lib/libtss2-fapi.a +-rwxr-xr-x root/root usr/lib/libtss2-fapi.la +lrwxrwxrwx root/root usr/lib/libtss2-fapi.so -> libtss2-fapi.so.1.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-fapi.so.1 -> libtss2-fapi.so.1.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-fapi.so.1.0.0 +-rw-r--r-- root/root usr/lib/libtss2-mu.a 
+-rwxr-xr-x root/root usr/lib/libtss2-mu.la +lrwxrwxrwx root/root usr/lib/libtss2-mu.so -> libtss2-mu.so.0.0.1 +lrwxrwxrwx root/root usr/lib/libtss2-mu.so.0 -> libtss2-mu.so.0.0.1 +-rwxr-xr-x root/root usr/lib/libtss2-mu.so.0.0.1 +-rw-r--r-- root/root usr/lib/libtss2-policy.a +-rwxr-xr-x root/root usr/lib/libtss2-policy.la +lrwxrwxrwx root/root usr/lib/libtss2-policy.so -> libtss2-policy.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-policy.so.0 -> libtss2-policy.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-policy.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-rc.a +-rwxr-xr-x root/root usr/lib/libtss2-rc.la +lrwxrwxrwx root/root usr/lib/libtss2-rc.so -> libtss2-rc.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-rc.so.0 -> libtss2-rc.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-rc.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-sys.a +-rwxr-xr-x root/root usr/lib/libtss2-sys.la +lrwxrwxrwx root/root usr/lib/libtss2-sys.so -> libtss2-sys.so.1.0.1 +lrwxrwxrwx root/root usr/lib/libtss2-sys.so.1 -> libtss2-sys.so.1.0.1 +-rwxr-xr-x root/root usr/lib/libtss2-sys.so.1.0.1 +-rw-r--r-- root/root usr/lib/libtss2-tcti-cmd.a +-rwxr-xr-x root/root usr/lib/libtss2-tcti-cmd.la +lrwxrwxrwx root/root usr/lib/libtss2-tcti-cmd.so -> libtss2-tcti-cmd.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tcti-cmd.so.0 -> libtss2-tcti-cmd.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tcti-cmd.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-tcti-device.a +-rwxr-xr-x root/root usr/lib/libtss2-tcti-device.la +lrwxrwxrwx root/root usr/lib/libtss2-tcti-device.so -> libtss2-tcti-device.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tcti-device.so.0 -> libtss2-tcti-device.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tcti-device.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-tcti-libtpms.a +-rwxr-xr-x root/root usr/lib/libtss2-tcti-libtpms.la +lrwxrwxrwx root/root usr/lib/libtss2-tcti-libtpms.so -> libtss2-tcti-libtpms.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tcti-libtpms.so.0 -> 
libtss2-tcti-libtpms.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tcti-libtpms.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-tcti-mssim.a +-rwxr-xr-x root/root usr/lib/libtss2-tcti-mssim.la +lrwxrwxrwx root/root usr/lib/libtss2-tcti-mssim.so -> libtss2-tcti-mssim.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tcti-mssim.so.0 -> libtss2-tcti-mssim.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tcti-mssim.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-tcti-pcap.a +-rwxr-xr-x root/root usr/lib/libtss2-tcti-pcap.la +lrwxrwxrwx root/root usr/lib/libtss2-tcti-pcap.so -> libtss2-tcti-pcap.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tcti-pcap.so.0 -> libtss2-tcti-pcap.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tcti-pcap.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-tcti-spi-helper.a +-rwxr-xr-x root/root usr/lib/libtss2-tcti-spi-helper.la +lrwxrwxrwx root/root usr/lib/libtss2-tcti-spi-helper.so -> libtss2-tcti-spi-helper.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tcti-spi-helper.so.0 -> libtss2-tcti-spi-helper.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tcti-spi-helper.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-tcti-swtpm.a +-rwxr-xr-x root/root usr/lib/libtss2-tcti-swtpm.la +lrwxrwxrwx root/root usr/lib/libtss2-tcti-swtpm.so -> libtss2-tcti-swtpm.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tcti-swtpm.so.0 -> libtss2-tcti-swtpm.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tcti-swtpm.so.0.0.0 +-rw-r--r-- root/root usr/lib/libtss2-tctildr.a +-rwxr-xr-x root/root usr/lib/libtss2-tctildr.la +lrwxrwxrwx root/root usr/lib/libtss2-tctildr.so -> libtss2-tctildr.so.0.0.0 +lrwxrwxrwx root/root usr/lib/libtss2-tctildr.so.0 -> libtss2-tctildr.so.0.0.0 +-rwxr-xr-x root/root usr/lib/libtss2-tctildr.so.0.0.0 +drwxr-xr-x root/root usr/lib/pkgconfig/ +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-esys.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-fapi.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-mu.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-policy.pc 
+-rw-r--r-- root/root usr/lib/pkgconfig/tss2-rc.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-sys.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tcti-cmd.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tcti-device.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tcti-libtpms.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tcti-mssim.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tcti-pcap.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tcti-spi-helper.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tcti-swtpm.pc +-rw-r--r-- root/root usr/lib/pkgconfig/tss2-tctildr.pc +drwxr-xr-x root/root usr/lib/udev/ +drwxr-xr-x root/root usr/lib/udev/rules.d/ +-rw-r--r-- root/root usr/lib/udev/rules.d/60-tpm-udev.rules +drwxr-xr-x root/root usr/share/ +drwxr-xr-x root/root usr/share/man/ +drwxr-xr-x root/root usr/share/man/man3/ +-rw-r--r-- root/root usr/share/man/man3/Tss2_TctiLdr_Finalize.3.gz +-rw-r--r-- root/root usr/share/man/man3/Tss2_TctiLdr_FreeInfo.3.gz +-rw-r--r-- root/root usr/share/man/man3/Tss2_TctiLdr_GetInfo.3.gz +-rw-r--r-- root/root usr/share/man/man3/Tss2_TctiLdr_Initialize.3.gz +-rw-r--r-- root/root usr/share/man/man3/Tss2_Tcti_Cmd_Init.3.gz +-rw-r--r-- root/root usr/share/man/man3/Tss2_Tcti_Device_Init.3.gz +-rw-r--r-- root/root usr/share/man/man3/Tss2_Tcti_Mssim_Init.3.gz +drwxr-xr-x root/root usr/share/man/man5/ +-rw-r--r-- root/root usr/share/man/man5/fapi-config.5.gz +-rw-r--r-- root/root usr/share/man/man5/fapi-profile.5.gz +drwxr-xr-x root/root usr/share/man/man7/ +-rw-r--r-- root/root usr/share/man/man7/tss2-tcti-cmd.7.gz +-rw-r--r-- root/root usr/share/man/man7/tss2-tcti-device.7.gz +-rw-r--r-- root/root usr/share/man/man7/tss2-tcti-mssim.7.gz +-rw-r--r-- root/root usr/share/man/man7/tss2-tcti-swtpm.7.gz +-rw-r--r-- root/root usr/share/man/man7/tss2-tctildr.7.gz diff --git a/tpm2-tss/.signature b/tpm2-tss/.signature new file mode 100644 index 000000000..947a4d94c --- /dev/null +++ b/tpm2-tss/.signature 
@@ -0,0 +1,7 @@ +untrusted comment: verify with /etc/ports/contrib.pub +RWSagIOpLGJF36MMU7BssbPYgJ0u4HFNKRf4MGC+QEHBzxjf3y+Oq5XtTN/+Ev+Bh++5m+ZUlr6Su4f6Yxl/5OqBwBhkh6XkbAA= +SHA256 (Pkgfile) = 7114d76946422a89f99d45cf2ffef677a1c0bffaaa3f863ac52ca3dba87ede37 +SHA256 (.footprint) = 716d50a1d07edbf25ee8dbfc06a6d3133a390c9d575705bc6cc8ebf046f716bc +SHA256 (tpm2-tss-4.0.1.tar.gz) = 532a70133910b6bd842289915b3f9423c0205c0ea009d65294ca18a74087c950 +SHA256 (tss2-tcti-libtpms.map) = 41c37dc4b10b1e86023619150e5047739aeee93fd8f77315157d3eeb5fe6a981 +SHA256 (218c0da8.patch) = 76797d64092709d9af8b1d93750bc5d1f1e861e5a9fa37c24e0f1473b874be80 diff --git a/tpm2-tss/218c0da8.patch b/tpm2-tss/218c0da8.patch new file mode 100644 index 000000000..085aa75d2 --- /dev/null +++ b/tpm2-tss/218c0da8.patch 
@@ -0,0 +1,88 @@
+From 218c0da8d9f675766b1de502a52e23a3aa52648e Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Wed, 22 Mar 2023 10:54:59 +0100
+Subject: [PATCH] FAPI: Skip test fapi-fix-provisioning-with template if no
+ certificate is available.
+
+If the configure option --enable-self-generated-certificate is not used this
+test can't be executed because no certificate will be stored in NV ram. The
+test will be skipped if no certificate is available.
+Fixes: #2558
+
+Signed-off-by: Juergen Repp
+---
+ .../fapi-provisioning-with-template.int.c | 40 ++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/test/integration/fapi-provisioning-with-template.int.c b/test/integration/fapi-provisioning-with-template.int.c
+index 54c724f5d..74184cdc8 100644
+--- a/test/integration/fapi-provisioning-with-template.int.c
++++ b/test/integration/fapi-provisioning-with-template.int.c
+@@ -4,6 +4,8 @@
+ #endif
+
+ #include
++#include
++#include
+
+ #include "tss2_esys.h"
+ #include "tss2_fapi.h"
+@@ -31,6 +33,39 @@
+ * @retval EXIT_SKIP
+ *
+ */
++static bool
++fapi_ek_certless()
++{
++ FILE *stream = NULL;
++ long config_size;
++ char *config = NULL;
++ char *fapi_config_file = getenv("TSS2_FAPICONF");
++
++ stream = fopen(fapi_config_file, "r");
++ if (!stream) {
++ LOG_ERROR("File %s does not exist", fapi_config_file);
++ return NULL;
++ }
++ fseek(stream, 0L, SEEK_END);
++ config_size = ftell(stream);
++ fclose(stream);
++ config = malloc(config_size + 1);
++ stream = fopen(fapi_config_file, "r");
++ ssize_t ret = read(fileno(stream), config, config_size);
++ if (ret != config_size) {
++ LOG_ERROR("IO error %s.", fapi_config_file);
++ return NULL;
++ }
++ config[config_size] = '\0';
++ if (strstr(config, "\"ek_cert_less\": \"yes\"") == NULL) {
++ SAFE_FREE(config);
++ return false;
++ } else {
++ SAFE_FREE(config);
++ return true;
++ }
++}
++
+ int
+ test_fapi_provision_template(FAPI_CONTEXT *context)
+ {
+@@ -151,6 +186,9 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+ TPM2B_AUTH auth = { .size = 0, .buffer = {} };
+ TPM2B_MAX_NV_BUFFER nv_data;
+
++ if (fapi_ek_certless())
++ return EXIT_SKIP;
++
+ if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {
+ nv_template_idx = ecc_nv_template_idx;
+ nv_nonce_idx = ecc_nv_nonce_idx;
+@@ -169,7 +207,7 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+ r = Esys_Initialize(&esys_ctx, tcti, NULL);
+ goto_if_error(r, "Error Esys_Initialize", error);
+
+- /*
++ /*
+ * Store template (marshaled TPMT_PUBLIC) in NV ram.
+ */
+ r = Tss2_MU_TPMT_PUBLIC_Marshal(&in_public, &nv_data.buffer[0],
diff --git a/tpm2-tss/Pkgfile b/tpm2-tss/Pkgfile
new file mode 100644
index 000000000..aa99385d3
--- /dev/null
+++ b/tpm2-tss/Pkgfile
@@ -0,0 +1,28 @@
+# Description: Implementation of the TCG Trusted Platform Module 2.0 Software Stack (TSS2)
+# URL: https://github.com/tpm2-software/tpm2-tss
+# Maintainer: Tim Biermann, tbier at posteo dot de
+# Depends on: json-c cmocka libtpms
+
+name=tpm2-tss
+version=4.0.1
+release=2
+source=(https://github.com/tpm2-software/tpm2-tss/releases/download/$version/$name-$version.tar.gz
+ https://raw.githubusercontent.com/tpm2-software/tpm2-tss/e237e4d33cbf280292a480edd8ad061dcd3a37a2/lib/tss2-tcti-libtpms.map
+ 218c0da8.patch)
+
+build() {
+ cd $name-$version
+
+ cp $SRC/tss2-tcti-libtpms.map lib
+ patch -Np1 -i $SRC/218c0da8.patch
+
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --with-runstatedir=/run \
+ --with-udevrulesprefix=60-
+ make
+ make DESTDIR=$PKG install
+
+ rm -rf $PKG/etc/{sysusers.d,tmpfiles.d}
+}
diff --git a/tpm2-tss/post-install b/tpm2-tss/post-install
new file mode 100755
index 000000000..24d1b870f
--- /dev/null
+++ b/tpm2-tss/post-install
@@ -0,0 +1,8 @@
+#!/bin/sh
+_USER=tss
+_GROUP=tss
+
+getent group $_GROUP || /usr/sbin/groupadd $_GROUP
+getent passwd $_USER || /usr/sbin/useradd -g $_GROUP -d /var/empty -s /bin/false -c "tpm-tss user" $_USER
+
+/usr/bin/passwd -l $_USER
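Review bot: The last line of build(), `rm -rf $PKG/etc/{sysusers.d,tmpfiles.d}`, drops upstream's tmpfiles.d fragment without a replacement. post-install stands in for sysusers.d by creating the tss account, but nothing in this commit creates the FAPI state directories, and .footprint lists no entries under var/ or run/. Assuming that fragment is what normally creates the keystore and event-log directories with tss ownership, FAPI consumers will either fail or create them ad hoc with whatever owner and mode the first caller happens to have. Create them in post-install with the owner, group and mode the removed fragment specifies, e.g. `install -d -o tss -g tss -m <MODE_FROM_FRAGMENT> <FAPI_KEYSTORE_DIR>`, and do the same for the event-log directory.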
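Review bot: The tss account is created as an ordinary user: neither `groupadd` nor `useradd` is passed `-r`, so its ids come from the regular user range rather than the system range. A failed `groupadd` also does not stop the script from continuing to `useradd` and `passwd -l`. For an account that presumably ends up owning the TPM device nodes through the installed 60-tpm-udev.rules, use `/usr/sbin/groupadd -r $_GROUP` and `/usr/sbin/useradd -r -g $_GROUP -d /var/empty -s /bin/false -c "tpm-tss user" $_USER`, and end each creation step with `|| exit 1`. Redirecting the `getent` output to /dev/null would also keep the group and passwd entries out of the install output.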