diff --git a/Makefile b/Makefile
index e71959c85..86198507b 100644
--- a/Makefile
+++ b/Makefile
@@ -328,6 +328,7 @@ bin_modules-$(CONFIG_LVM2) += lvm2
 bin_modules-$(CONFIG_DROPBEAR) += dropbear
 bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
 bin_modules-$(CONFIG_NEWT) += newt
+bin_modules-$(CONFIG_IO386) += io386
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index c0808e48e..4bdc3452a 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
@@ -40,12 +40,18 @@ while true; do
 	fi
 
 	if [ "$totp_confirm" = "u" ]; then
+		if [ "$CONFIG_IO386" = y ]; then
+			lock_chip
+		fi
 		exec /bin/usb-init
 		continue
 	fi
 
 	if [ "$totp_confirm" = "m" ]; then
 		# Try to select a kernel from the menu
+		if [ "$CONFIG_IO386" = y ]; then
+			lock_chip
+		fi
 		mount_boot
 		kexec-select-boot -m -b /boot -c "grub.cfg"
 		continue
@@ -53,11 +59,16 @@ while true; do
 
 	if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 		# Try to boot the default
+		if [ "$CONFIG_IO386" = y ]; then
+			lock_chip
+		fi
 		mount_boot
 		kexec-select-boot -b /boot -c "grub.cfg" \
 		|| recovery "Failed default boot"
 	fi
 
+
+
 done
 
 recovery "Something failed during boot"
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 5301c99a9..d220495ea 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -10,6 +10,13 @@ warn() {
 	echo >&2 "$*";
 }
 
+lock_chip() {
+	APM_CNT=0xb2
+	FIN_CODE=0xcb
+	echo "Finalizing chipset"
+	io386 -o b -b x $APM_CNT $FIN_CODE
+}
+
 recovery() {
 	echo >&2 "!!!!! $*"
 
diff --git a/modules/io386 b/modules/io386
new file mode 100644
index 000000000..6829c7ea9
--- /dev/null
+++ b/modules/io386
@@ -0,0 +1,28 @@
+modules-$(CONFIG_IO386) += io386
+
+io386_depends := $(musl_dep)
+
+io386_version := git
+io386_repo := https://github.com/hardenedlinux/io386
+io386_dir := io386-$(io386_version)
+
+io386_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+	SHARED=yes \
+	PREFIX="/" \
+	&& \
+	$(MAKE) \
+	-C $(build)/$(io386_dir) \
+	$(CROSS_TOOLS) \
+	SHARED=yes \
+	PREFIX="/" \
+	DESTDIR="$(INSTALL)" \
+	install \
+
+io386_output := \
+	io386
+
+io386_libraries :=
+
+io386_configure :=