diff --git a/Makefile b/Makefile
index 33bb8901..85cda083 100644
--- a/Makefile
+++ b/Makefile
@@ -499,6 +499,7 @@ bin_modules-$(CONFIG_OPENSSL) += openssl
 bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 bin_modules-$(CONFIG_BASH) += bash
 bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils
+bin_modules-$(CONFIG_IO386) += io386
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index 438f29d9..cd07049a 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
@@ -41,12 +41,18 @@ while true; do
 	fi
 
 	if [ "$totp_confirm" = "u" ]; then
+		if [ "$CONFIG_IO386" = y ]; then
+			lock_chip
+		fi
 		exec /bin/usb-init
 		continue
 	fi
 
 	if [ "$totp_confirm" = "m" ]; then
 		# Try to select a kernel from the menu
+		if [ "$CONFIG_IO386" = y ]; then
+			lock_chip
+		fi
 		mount_boot
 		kexec-select-boot -m -b /boot -c "grub.cfg"
 		continue
@@ -54,11 +60,16 @@ while true; do
 
 	if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 		# Try to boot the default
+		if [ "$CONFIG_IO386" = y ]; then
+			lock_chip
+		fi
 		mount_boot
 		kexec-select-boot -b /boot -c "grub.cfg" \
 			|| recovery "Failed default boot"
 	fi
+
+
 done
 
 recovery "Something failed during boot"
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
new file mode 100755
index 00000000..1331aebf
--- /dev/null
+++ b/initrd/bin/lock_chip
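Review bot: In all three new blocks of generic-init, `lock_chip` is called without checking its exit status, so a failed io386 write leaves the chipset lockdown unapplied while the boot continues exactly as if it had succeeded; the same block appears in the "u", "m" and default-boot branches across both hunks. Since lock_chip ends with the io386 call, its exit status reflects the write, so the call can be guarded with the helper this file already uses: `lock_chip || recovery "Failed to lock chipset"` (or at least a visible warning before `exec /bin/usb-init`, if dropping into recovery is not wanted there). Factoring the `if [ "$CONFIG_IO386" = y ]` block into a small function defined above the loop — the `while true; do` loop begins outside the hunk — would also remove the three copies. The two blank lines added after the final `fi` in the second hunk look accidental.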
@@ -0,0 +1,15 @@
+#!/bin/sh
+# For this to work:
+# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
+# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
+# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
+# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
+
+#include ash shell functions (TRACE requires it)
+. /etc/ash_functions
+
+TRACE "Under /bin/lock_chip"
+APM_CNT=0xb2
+FIN_CODE=0xcb
+echo "Finalizing chipset"
+io386 -o b -b x $APM_CNT $FIN_CODE
diff --git a/modules/io386 b/modules/io386
new file mode 100644
index 00000000..6829c7ea
--- /dev/null
+++ b/modules/io386
@@ -0,0 +1,28 @@
+modules-$(CONFIG_IO386) += io386
+
+io386_depends := $(musl_dep)
+
+io386_version := git
+io386_repo := https://github.com/hardenedlinux/io386
+io386_dir := io386-$(io386_version)
+
+io386_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+	SHARED=yes \
+	PREFIX="/" \
+	&& \
+	$(MAKE) \
+		-C $(build)/$(io386_dir) \
+		$(CROSS_TOOLS) \
+		SHARED=yes \
+		PREFIX="/" \
+		DESTDIR="$(INSTALL)" \
+		install \
+
+io386_output := \
+	io386
+
+io386_libraries :=
+
+io386_configure :=
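Review bot: The io386 write on the last line of lock_chip is the whole purpose of the script, yet the only output is the unconditional "Finalizing chipset" printed before it, so a failed write produces no message of its own and the user sees the same text whether or not the lockdown was applied. Its status does become the script's exit status, so an explicit failure message keeps that information in the log and for the caller: `io386 -o b -b x $APM_CNT $FIN_CODE || { echo "Failed to finalize chipset" >&2; exit 1; }`. A short comment on the `APM_CNT` and `FIN_CODE` assignments saying what the two values mean for the platforms listed in the header would help the TODO's future reader. The header comments also have wording slips: "know to work" should read "known to work" and "coreboot config need to enable" should read "coreboot config needs to enable".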
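Review bot: `io386_version := git` together with `io386_repo` fetches the tool from the upstream repository with no pinned commit or checksum visible in this hunk, so the io386 binary that lands in the initrd depends on whatever that repository's default branch holds at build time; unless the module framework pins git sources elsewhere, this makes the build non-reproducible and lets any change to the upstream repository flow straight into the firmware image. Pinning a specific revision, or switching to a release tarball verified against a checksum, would address both. Separately, the `install \` at the end of `io386_target` continues into the following empty line; writing it as plain `install` gives the shell the same command without the stray continuation. The build and install invocations also repeat `$(CROSS_TOOLS) SHARED=yes PREFIX="/"`, which could live in a single variable — style only.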