diff --git a/diskimage_builder/elements/keylime-agent/README.rst b/diskimage_builder/elements/keylime-agent/README.rst
new file mode 100644
index 000000000..62650e83b
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/README.rst
@@ -0,0 +1,52 @@
+=============
+keylime-agent
+=============
+
+Presently, we rely upon a certain level of trust for users that leverage
+baremetal resources. While we do perform cleaning between deployments,
+a malicious attacker could potentially modify firmware of attached devices
+in ways that may or may not be readily detectable.
+
+The solution that has been proposed for this is the use of a measured launch
+environments with engagement of Trusted Platform Management (TPM) modules to
+help ensure that the running system profile is exactly as desired or approved,
+by the attestation service.
+
+To leverage TPM's for attestation, we propose Keylime,
+an open source remote boot attestation and
+runtime integrity measurement system. Keylime agent is a component of the
+Keylime suite which runs on the baremetal node we are attesting
+during cleaning and deployment steps. Keylime regisrar is
+a database of all agents registered with Keylime
+and hosts the public keys of the TPM vendors.
+
+In order to enhance the ramdisk to support TPM 2.0 and Keylime,
+this keylime-agent element is proposed. This element provides
+configurations for Keylime agent to communicate with Keylime server.
+Keylime agent runs as a system service to collect
+Integrity Measurement Architecture (IMA) measurement lists and
+send the measurements to the Keylime verifier for attestation.
+
+Environment Variables
+---------------------
+
+DIB_KEYLIME_AGENT_REGISTRAR_IP
+  :Required: Yes
+  :Default: 0
+  :Description: The IP address of Keylime registrar server
+    which Keylime agent communicates with.
+
+DIB_KEYLIME_AGENT_REGISTRAR_PORT
+  :Required: Yes
+  :Default: 8890
+  :Description: The port of Keylime registrar server
+    which Keylime agent communicates with.
+
+**REFERENCES**
+
+[1] github.com/keylime/
+[2] review.opendev.org/c/openstack/ironic-specs/+/576718
+
+
+
+
diff --git a/diskimage_builder/elements/keylime-agent/element-deps b/diskimage_builder/elements/keylime-agent/element-deps
new file mode 100644
index 000000000..6eae09871
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/element-deps
@@ -0,0 +1,4 @@
+package-installs
+pip-and-virtualenv
+selinux-permissive
+source-repositories
\ No newline at end of file
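Review bot: The `selinux-permissive` dependency means every image that includes keylime-agent is built with SELinux not enforcing (going by the element's name), which weakens the very node the attestation is meant to vouch for. Nothing in the README added by this commit says why it is needed. If it is only there to get the agent running during development, say so in the README and name the denial it works around, so it can later be replaced by a targeted policy.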
diff --git a/diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent b/diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent
new file mode 100644
index 000000000..f6f07529c
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/environment.d/16-keylime-agent
@@ -0,0 +1,2 @@
+export DIB_KEYLIME_AGENT_REGISTRAR_IP=${DIB_KEYLIME_AGENT_REGISTRAR_IP:-0}
+export DIB_KEYLIME_AGENT_REGISTRAR_PORT=${DIB_KEYLIME_AGENT_REGISTRAR_PORT:-8890}
\ No newline at end of file
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install
new file mode 100755
index 000000000..d4603e7e5
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/80-keylime-agent-install
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+    $DIB_PYTHON -m venv $VENVDIR
+else
+    $DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+install -d /etc/ima/
+
+install -c -m 0644 ${SCRIPTDIR}/ima-policy /etc/ima/ima-policy
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_agent /usr/local/bin/keylime_agent
+
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" != "0" ]; then
+    sed -i "s/registrar_ip = 127.0.0.1/registrar_ip = "$DIB_KEYLIME_AGENT_REGISTRAR_IP"/" /etc/keylime.conf
+fi
+if [ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" != "8890" ]; then
+    sed -i "s/registrar_port = 8890/registrar_port = "$DIB_KEYLIME_AGENT_REGISTRAR_PORT"/" /etc/keylime.conf
+fi
+# set the agent uuid to randomly generated
+sed -i 's/^\(agent\_uuid\s*=\s*\).*$/\1dmidecode/' /etc/keylime.conf
+sed -i 's/^\(level\s*=\s*\).*$/\1DEBUG/' /etc/keylime.conf
+sed -i 's/^\(cloudagent\_ip\s*=\s*\).*$/\10.0.0.0/' /etc/keylime.conf
+
+
+# create allowlist
+./$KLDIR/scripts/create_allowlist.sh /root/allowlist.txt sha256sum
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-agent.service /usr/lib/systemd/system/keylime-agent.service
+        ;;
+    sysv)
+        install -D -g root -o root -m 0755 ${SCRIPTDIR}/keylime-agent.init /etc/init.d/keylime-agent.init
+        update-rc.d keylime-agent.init defaults
+        ;;
+    *)
+        echo "Unsupported init system"
+        exit 1
+        ;;
+esac
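Review bot: A build that leaves DIB_KEYLIME_AGENT_REGISTRAR_IP unset succeeds and ships `registrar_ip = 127.0.0.1`, because the default of `0` just skips the first `if`, although the README marks the variable as required; the script should fail instead. In both `sed` lines the double quotes close before the variable, so the value is expanded unquoted and pasted into the sed program without validation. `./$KLDIR/scripts/create_allowlist.sh` expands to `.//tmp/keylime/...`, which only resolves when the working directory is `/`. The comment "set the agent uuid to randomly generated" does not match the value written (`dmidecode`), and `level = DEBUG` and `cloudagent_ip = 0.0.0.0` are hard-coded with no comment on why an attestation agent should log at debug level and listen on every interface. The fence below covers the first three points.

```shell
# … unchanged: venv creation, ima-policy install, pip install, symlink …
if [ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" = "0" ] || \
   ! [[ "$DIB_KEYLIME_AGENT_REGISTRAR_IP" =~ ^[0-9A-Fa-f:.]+$ ]]; then
    echo "DIB_KEYLIME_AGENT_REGISTRAR_IP must be set to an IP address" >&2
    exit 1
fi
if ! [[ "$DIB_KEYLIME_AGENT_REGISTRAR_PORT" =~ ^[0-9]+$ ]]; then
    echo "DIB_KEYLIME_AGENT_REGISTRAR_PORT must be numeric" >&2
    exit 1
fi
sed -i "s/^registrar_ip = .*/registrar_ip = ${DIB_KEYLIME_AGENT_REGISTRAR_IP}/" /etc/keylime.conf
sed -i "s/^registrar_port = .*/registrar_port = ${DIB_KEYLIME_AGENT_REGISTRAR_PORT}/" /etc/keylime.conf
# … unchanged: agent_uuid, level and cloudagent_ip edits …
"$KLDIR/scripts/create_allowlist.sh" /root/allowlist.txt sha256sum
# … unchanged: init-system case …
```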
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy
new file mode 100644
index 000000000..2c4bbad8b
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/ima-policy
@@ -0,0 +1,17 @@
+# MEASUREMENTS
+measure func=BPRM_CHECK
+measure func=FILE_MMAP mask=MAY_EXEC
+measure func=MODULE_CHECK uid=0
+# PROC_SUPER_MAGIC
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_measure fsmagic=0x858458f6
+# SECURITYFS_MAGIC
+dont_measure fsmagic=0x73636673
+
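Review bot: The three `measure` rules come before the `dont_measure` exclusions, and as far as I know IMA applies the first rule that matches for a given action, so the exclusions below them would never take effect for exec, executable mmap or module loads. As I recall, the upstream Keylime example policy lists the `dont_measure` lines first. Please confirm on a test boot, then either move the `# MEASUREMENTS` block to the end or add a comment saying the order is intended. If the exclusions do apply, note that the README describes this image as a ramdisk: when the root filesystem is itself tmpfs or ramfs, the TMPFS_MAGIC and RAMFS_MAGIC rules would leave most of the running system unmeasured, which deserves a comment in the file.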
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init
new file mode 100755
index 000000000..b932484ba
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.init
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+### BEGIN INIT INFO
+# Provides:          keylime-agent
+# Required-Start:    $local_fs networking
+# Required-Stop:     $local_fs
+# Default-Start:     S
+# Default-Stop:      0 6
+# X-Start-Before:
+# Short-Description: Keylime Agent
+# Description:       The keylime-agent is deployed to the node for attestation
+### END INIT INFO
+
+NAME=keylime-agent
+INIT_NAME=/etc/init.d/${NAME}
+SCRIPT_NAME=/usr/local/bin/keylime_agent
+
+[ -x $SCRIPT_NAME ] || exit 0
+
+case "$1" in
+    start)
+        $SCRIPT_NAME --config-dir /etc/keylime-agent.d/
+        ;;
+    stop)
+        ;;
+    *)
+        echo "Usage: $INIT_NAME {start|stop}"
+        exit 1
+        ;;
+esac
+
+exit 0
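Review bot: The `start)` branch launches the agent with `--config-dir /etc/keylime-agent.d/`, but nothing in this commit creates that directory. 80-keylime-agent-install writes the registrar settings to /etc/keylime.conf and the systemd unit starts the same binary with no arguments, so on a sysv image the agent would presumably not see the configured registrar. Whether keylime_agent accepts that option at all is not visible here. `stop)` is empty, so the service cannot be stopped through the init script, and `INIT_NAME` says /etc/init.d/keylime-agent while the installer copies the file to /etc/init.d/keylime-agent.init. Since post-install.d/90-keylime-agent rejects every init system except systemd, consider dropping this file until sysv is actually supported.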
diff --git a/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service
new file mode 100644
index 000000000..61c1d616f
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/install.d/keylime-agent-source-install/keylime-agent.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=The Keylime agent
+Wants=tpm2-abrmd.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_agent
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
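Review bot: `Wants=tpm2-abrmd.service` pulls the resource manager in but does not order the agent after it, so keylime_agent can start before the TPM access broker is up and then relies on `Restart=always` to recover; the same applies to keylime-ima-emulator.service in the tpm-emulator element. Proposed: `After=network-online.target tpm2-abrmd.service` and `Wants=network-online.target tpm2-abrmd.service`, since network-online.target only takes effect when some unit wants it. The unit also sets no `User=`, so the agent runs as root; if that is required for TPM and IMA access, a one-line comment in the unit would tell the next reader it is deliberate.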
diff --git a/diskimage_builder/elements/keylime-agent/package-installs.yaml b/diskimage_builder/elements/keylime-agent/package-installs.yaml
new file mode 100644
index 000000000..7dba7d575
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/package-installs.yaml
@@ -0,0 +1 @@
+git:
\ No newline at end of file
diff --git a/diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent b/diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent
new file mode 100755
index 000000000..be72f0d8b
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/post-install.d/90-keylime-agent
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        systemctl enable keylime-agent
+        ;;
+    *)
+        echo "Unsupported init system $DIB_INIT_SYSTEM"
+        exit 1
+        ;;
+esac
+
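Review bot: The `*)` branch fails the build for sysv, while 80-keylime-agent-install in the same element has a `sysv)` branch that installs keylime-agent.init and runs update-rc.d. A sysv build therefore does the install work and then aborts here. Either add a no-op case, `sysv) ;;`, or remove the sysv branch and the init script from the install step so the two scripts agree.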
diff --git a/diskimage_builder/elements/keylime-agent/source-repository-keylime b/diskimage_builder/elements/keylime-agent/source-repository-keylime
new file mode 100644
index 000000000..d35a0fc68
--- /dev/null
+++ b/diskimage_builder/elements/keylime-agent/source-repository-keylime
@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1
diff --git a/diskimage_builder/elements/tpm-emulator/README.rst b/diskimage_builder/elements/tpm-emulator/README.rst
new file mode 100644
index 000000000..72808af6f
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/README.rst
@@ -0,0 +1,23 @@
+=============
+tpm-emulator
+=============
+
+This element should be used together with keylime-agent element.
+Keylime can be used with a software TPM emulator for development purposes.
+Please refer to keylime-agent element for the detailed explanation.
+
+This element works with a software TPM 2.0 emulator.
+The download source of IBM's TPM 2.0 Software TPM can be found here:
+https://sourceforge.net/projects/ibmswtpm2/
+
+TPM utility prerequisites are installed, including tpm2-tss software stack,
+tpm2-tools utilities, and the tpm2-abrmd resource manager.
+
+**REFERENCES**
+
+[1] github.com/keylime/keylime-vagrant-ansible-tpm-emulator
+[2] ibmswtpm.sourceforge.net/ibmswtpm2.html
+
+
+
+
diff --git a/diskimage_builder/elements/tpm-emulator/element-deps b/diskimage_builder/elements/tpm-emulator/element-deps
new file mode 100644
index 000000000..ba715befb
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/element-deps
@@ -0,0 +1,3 @@
+package-installs
+pip-and-virtualenv
+source-repositories
\ No newline at end of file
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf
new file mode 100644
index 000000000..64764f9b1
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/10-tcti-emulator.conf
@@ -0,0 +1,4 @@
+[Service]
+# need to specify ExecStart as empty first to "clear" it: see https://www.freedesktop.org/software/systemd/man/systemd.unit.html
+ExecStart=
+ExecStart=/usr/sbin/tpm2-abrmd --tcti=mssim
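Review bot: The drop-in points tpm2-abrmd at the simulator but adds no ordering on tpm_server.service, so at boot the broker may start before the simulator is listening and fail (the packaged unit's own restart behaviour is not visible here). Adding a `[Unit]` section with `Requires=tpm_server.service` and `After=tpm_server.service` to this drop-in would make the dependency explicit. A comment next to the `--tcti=mssim` line should also state that this override replaces any hardware TPM with a software one, so attestation results from such an image carry no hardware root of trust and the element is for development images only.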
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf
new file mode 100644
index 000000000..ef89429e7
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/20-remove-conditionpathexistsglob.conf
@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExistsGlob=
\ No newline at end of file
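Review bot: This drop-in has no comment, unlike 10-tcti-emulator.conf beside it. Suggested: `# clear the upstream condition (presumably a check for a /dev/tpm* device) so tpm2-abrmd starts against the simulator`. Without it a reader cannot tell that the empty assignment is deliberate.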
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install
new file mode 100755
index 000000000..f16c810d7
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/78-tpm-emulator-install
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+SCRIPTDIR=$(dirname $0)
+VENVDIR=/opt/keylime
+
+KLDIR=/tmp/keylime
+TPMDIR=/tmp/ibmtpm
+
+# create the virtual environment
+
+if [ $DIB_PYTHON_VERSION == 3 ]; then
+    $DIB_PYTHON -m venv $VENVDIR
+else
+    $DIB_PYTHON -m virtualenv $VENVDIR
+fi
+
+# install tpm
+cd $TPMDIR/src
+# compile tpm emulator
+make
+# install tpm_server
+install -c -m 0755 $TPMDIR/src/tpm_server /usr/local/bin/tpm_server
+# install init_tpm_server script
+install -c -m 0755 $KLDIR/scripts/init_tpm_server /usr/local/bin/init_tpm_server
+
+install -d -g root -o root -m 0755 /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/10-tcti-emulator.conf /etc/systemd/system/tpm2-abrmd.service.d/
+install -c -g root -o root -m 0644 ${SCRIPTDIR}/20-remove-conditionpathexistsglob.conf /etc/systemd/system/tpm2-abrmd.service.d/
+
+
+# install Keylime-agent inside the virtual environment
+$VENVDIR/bin/pip install 'pip>=19.1.1'
+$VENVDIR/bin/pip install -r $KLDIR/requirements.txt $KLDIR
+ln -s $VENVDIR/bin/keylime_ima_emulator /usr/local/bin/keylime_ima_emulator
+
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        install -D -g root -o root -m 0644 ${SCRIPTDIR}/tpm_server.service /usr/lib/systemd/system/tpm_server.service
+        install -D -g root -o root -m 0644 ${SCRIPTDIR}/keylime-ima-emulator.service /usr/lib/systemd/system/keylime-ima-emulator.service
+        ;;
+    *)
+        echo "Unsupported init system"
+        exit 1
+        ;;
+esac
+
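Review bot: The venv creation and the `pip install -r $KLDIR/requirements.txt $KLDIR` step repeat what keylime-agent's 80-keylime-agent-install does against the same /opt/keylime, and the README says this element is always used with keylime-agent. Keeping one copy avoids the two drifting apart, for example by listing keylime-agent in element-deps and leaving only the `ln -s` for keylime_ima_emulator here. `[ $DIB_PYTHON_VERSION == 3 ]` should quote the variable, `[ "$DIB_PYTHON_VERSION" == 3 ]`, so an empty value gives a clean comparison rather than a syntax error. `init_tpm_server` is installed to /usr/local/bin but none of the units added in this commit call it; a comment should say what is expected to run it.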
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service
new file mode 100644
index 000000000..1f1f0f254
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/keylime-ima-emulator.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=The Keylime ima emulator
+Wants=tpm2-abrmd.service
+Before=keylime-agent.service
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/keylime_ima_emulator
+Restart=always
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service
new file mode 100644
index 000000000..61ec437f1
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/install.d/tpm-emulator-source-install/tpm_server.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TPM server
+
+[Service]
+ExecStart=/usr/local/bin/tpm_server -rm
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
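Review bot: The unit sets no `User=`, so the simulator, which is compiled at build time from a downloaded tarball, runs as root. Unless it needs privileges, a dedicated account would contain it (`User=tpm-sim` as a constructed example; it may also need a writable working directory for its state file). There is also no `Before=tpm2-abrmd.service`, although the drop-in in this element makes tpm2-abrmd depend on the simulator being up. A comment on what `-rm` does would help, since its effect is not obvious from the unit.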
diff --git a/diskimage_builder/elements/tpm-emulator/package-installs.yaml b/diskimage_builder/elements/tpm-emulator/package-installs.yaml
new file mode 100644
index 000000000..fb6957e7f
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/package-installs.yaml
@@ -0,0 +1,20 @@
+swig:
+tpm2-abrmd:
+tpm2-tools:
+tpm2-tss:
+make:
+gcc-c++:
+  uninstall: true
+pkg-config:
+  uninstall: true
+libtool:
+  uninstall: true
+libstdc++-devel:
+  uninstall: true
+git:
+dbus-devel:
+glib2-devel:
+uriparser-devel:
+libgcrypt-devel:
+libcurl-devel:
+libselinux-python3:
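Review bot: `make`, `swig`, `git` and the `-devel` packages are installed without `uninstall: true`, so build tooling and headers stay in the final image, while `gcc-c++`, `pkg-config`, `libtool` and `libstdc++-devel` are removed. If they are only needed to compile the simulator and the Python dependencies, add `uninstall: true` under each of them as well. Anything that must remain at run time deserves a comment saying so. The names are RPM-style (`gcc-c++`, `libselinux-python3`), so either the README should state which distributions are supported or the element should carry a pkg-map.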
diff --git a/diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator b/diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator
new file mode 100755
index 000000000..aae7dd3b9
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/post-install.d/89-tpm-emulator
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    systemd)
+        systemctl enable tpm_server
+        systemctl enable tpm2-abrmd
+        systemctl enable keylime-ima-emulator
+        ;;
+    *)
+        echo "Unsupported init system $DIB_INIT_SYSTEM"
+        exit 1
+        ;;
+esac
+
diff --git a/diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm b/diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm
new file mode 100644
index 000000000..f60a81632
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/source-repository-ibmtpm
@@ -0,0 +1 @@
+ibmtpm tar /tmp/ibmtpm http://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1119.tar.gz .
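Review bot: The simulator tarball is fetched over plain `http://` and nothing checks its integrity before `make` runs on it in 78-tpm-emulator-install, whereas the Keylime source in the same element is pinned to a commit. Use the `https://` form of the same URL and verify a known digest before building, for instance `echo "<EXPECTED_SHA256>  ibmtpm1119.tar.gz" | sha256sum -c -` (placeholder digest). How source-repositories exposes the downloaded archive is not visible here, so the check may need to fetch the file itself or hash the extracted tree instead.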
diff --git a/diskimage_builder/elements/tpm-emulator/source-repository-keylime b/diskimage_builder/elements/tpm-emulator/source-repository-keylime
new file mode 100644
index 000000000..d35a0fc68
--- /dev/null
+++ b/diskimage_builder/elements/tpm-emulator/source-repository-keylime
@@ -0,0 +1 @@
+keylime git /tmp/keylime https://github.com/keylime/keylime.git 16a9cfd31b02f5c60b1ccc667627fac6144f82d1