diff --git a/modules/module-list.nix b/modules/module-list.nix
index 1fb6738a5..7125a947e 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -17,6 +17,7 @@
 ./profiles/graphics.nix
 ./profiles/installer.nix
 ./profiles/release.nix
+ ./security/tpm2.nix
 ./users/accounts.nix
 ./version
 ./virtualization/docker.nix
diff --git a/modules/security/tpm2.nix b/modules/security/tpm2.nix
new file mode 100644
index 000000000..feed3224c
--- /dev/null
+++ b/modules/security/tpm2.nix
@@ -0,0 +1,35 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.ghaf.security.tpm2;
+in
+ with lib; {
+ options.ghaf.security.tpm2 = {
+ enable = mkEnableOption "TPM2 PKCS#11 interface";
+ };
+
+ config = mkIf cfg.enable {
+ security.tpm2 = {
+ enable = true;
+ pkcs11.enable = true;
+ abrmd.enable = true;
+ };
+
+ environment.systemPackages = mkIf config.ghaf.profiles.debug.enable [
+ pkgs.opensc
+ pkgs.tpm2-tools
+ ];
+
+ assertions = [
+ {
+ assertion = pkgs.stdenv.isx86_64;
+ message = "TPM2 is only supported on x86_64";
+ }
+ ];
+ };
+ }
diff --git a/modules/users/accounts.nix b/modules/users/accounts.nix
index 76aca8a18..b44293022 100644
--- a/modules/users/accounts.nix
+++ b/modules/users/accounts.nix
@@ -37,7 +37,10 @@ in
 isNormalUser = true;
 inherit (cfg) password;
 #TODO add "docker" use "lib.optionals"
- extraGroups = ["wheel" "video" "networkmanager"];
+ extraGroups =
+ ["wheel" "video" "networkmanager"]
+ ++ optionals
+ config.ghaf.security.tpm2.enable ["tss"];
 };
 groups."${cfg.user}" = {
 name = cfg.user;
diff --git a/overlays/custom-packages/default.nix b/overlays/custom-packages/default.nix
index 246ca64bc..e9162168c 100644
--- a/overlays/custom-packages/default.nix
+++ b/overlays/custom-packages/default.nix
@@ -13,5 +13,6 @@ _: {
 (import ./qemu)
 (import ./nm-launcher)
 (import ./labwc)
+ (import ./tpm2-pkcs11)
 ];
 }
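Review bot: In modules/security/tpm2.nix, `abrmd.enable = true;` starts the resource manager, but nothing in the `security.tpm2` block sets `tctiEnvironment`, so TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI are not pinned to the broker and the tools added under the debug profile, as well as the PKCS#11 module, fall back to their own TCTI discovery, which may open the device node directly instead of going through abrmd. Adding `tctiEnvironment = { enable = true; interface = "tpm2-abrmd"; };` next to `abrmd.enable = true;` makes the intended path explicit. The assertion relies on the `pkgs.stdenv.isx86_64` shorthand, which nixpkgs is phasing out in favour of `pkgs.stdenv.hostPlatform.isx86_64`; the replacement is a one-token change with the same result. The file-wide `with lib;` hides where `mkEnableOption` and `mkIf` come from; `inherit (lib) mkEnableOption mkIf;` in the `let` block is the usual replacement, and the option description could say what enabling this grants (a PKCS#11 token backed by the TPM, plus abrmd) rather than only naming the interface.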
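Review bot: In modules/users/accounts.nix, the `#TODO add "docker" use "lib.optionals"` comment on the context line is now half-stale, because the new `extraGroups` expression directly below it already uses `optionals` for the `tss` group; the remaining intent should be restated, e.g. `#TODO add "docker" with optionals once the docker module is wired in`. The new group also deserves a one-line why-comment, `# "tss": group the NixOS tpm2 module uses for TPM device access`, since membership is granted to the primary user unconditionally whenever the tpm2 module is enabled, independent of the debug profile. `optionals` is used unqualified, so the hunk presumably relies on a `with lib;` or `inherit (lib) optionals;` above it; the enclosing `let … in` starts outside the hunk, so that cannot be confirmed here.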
diff --git a/overlays/custom-packages/tpm2-pkcs11/default.nix b/overlays/custom-packages/tpm2-pkcs11/default.nix
new file mode 100644
index 000000000..8ef540196
--- /dev/null
+++ b/overlays/custom-packages/tpm2-pkcs11/default.nix
@@ -0,0 +1,10 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# This overlay customizes tpm2-pkcs11 - see comments for details
+#
+(_final: prev: {
+ tpm2-pkcs11 = prev.tpm2-pkcs11.overrideAttrs (_prevAttrs: {
+ configureFlags = ["--with-fapi=no --enable-fapi=no"];
+ });
+})
diff --git a/targets/lenovo-x1-carbon.nix b/targets/lenovo-x1-carbon.nix
index fdc3a3c7b..03a72c33c 100644
--- a/targets/lenovo-x1-carbon.nix
+++ b/targets/lenovo-x1-carbon.nix
@@ -327,6 +327,8 @@
 hardware.x86_64.common.enable = true;
+ security.tpm2.enable = true;
+ virtualization.microvm-host.enable = true; host.networking.enable = true; virtualization.microvm.netvm = {
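Review bot: `configureFlags = ["--with-fapi=no --enable-fapi=no"];` packs two options into one list element, so configure receives a single argument and parses it as `--with-fapi` with the value `no --enable-fapi=no`; the `--enable-fapi=no` part never reaches the option parser as a flag of its own, so FAPI may not actually be disabled. Split them into separate elements, and extend rather than replace whatever nixpkgs' own derivation already sets: `configureFlags = (prevAttrs.configureFlags or []) ++ ["--with-fapi=no" "--enable-fapi=no"];` with the parameter renamed from `_prevAttrs` to `prevAttrs`. The header promises "see comments for details" but the file contains no comment explaining why FAPI is turned off; a single line naming the reason (the dependency or build problem it avoids) should replace that promise, otherwise drop the sentence from the header.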