diff --git a/attestation/initramfs/br2_external/Config.in b/attestation/initramfs/br2_external/Config.in
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/attestation/initramfs/br2_external/board/virtcca_qemu/busybox.config b/attestation/initramfs/br2_external/board/virtcca_qemu/busybox.config
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/etc/init.d/rcA b/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/etc/init.d/rcA
new file mode 100755
index 0000000000000000000000000000000000000000..e379dc38d050cdeb7733dfd2c826fde5dbac405f
--- /dev/null
+++ b/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/etc/init.d/rcA
@@ -0,0 +1,37 @@
+#!/bin/sh
+echo "Starting attestation procedure with PID=$$....."
+export LD_LIBRARY_PATH=/usr/lib/rats-tls:$LD_LIBRARY_PATH
+
+ip a
+sleep 10
+ip a
+
+ip_addr=$(ip a | grep inet | grep -v inet6 | grep -v 127 | awk -F' ' '{print $2}' | awk -F'/' '{print $1}')
+echo "IP address: $ip_addr"
+
+server -i $ip_addr &
+pid=$!
+
+sleep 5
+wait $pid
+exit_status=$?
+echo "server return $exit_status"
+
+if [ $exit_status -eq 0 ]; then
+ # mount the new root
+ echo "Mounting new root filesystem..."
+ mkdir -p /newroot
+ mount /dev/vda /newroot
+
+ if [ $? -ne 0 ]; then
+ echo "Failed to mount new root filesystem."
+ exit 1
+ fi
+
+ exec switch_root /newroot /sbin/init
+ echo "Failed to switch root!"
+ exit 1
+else
+ echo "Go to panic..."
+ exit 1
+fi
diff --git a/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/inittab b/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/inittab
new file mode 100644
index 0000000000000000000000000000000000000000..31ab57b2d6ec376240d7197c69e09725bc31fc4d
--- /dev/null
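Review bot: The address extraction on the `ip_addr=` line is fragile for a gate that decides whether the real root is mounted: `grep -v 127` drops any address whose text contains `127` (a 10.x.127.x host, for instance), with several interfaces up the unquoted `$ip_addr` expands to multiple words so `server -i` receives extra arguments, and if DHCP has not completed within the fixed `sleep 10` the variable is empty and `-i` gets no value at all. Restrict the query to global IPv4 addresses and fail closed on an empty result: `ip_addr=$(ip -4 addr show scope global | awk '/inet /{print $2}' | cut -d/ -f1 | head -n 1)`, then `[ -n "$ip_addr" ] || { echo "No IP address acquired"; exit 1; }`, and quote the use as `server -i "$ip_addr" &`. If this script is exec'd in place of init as the bundled BusyBox patch suggests, `exit 1` from PID 1 panics the guest, which is the fail-closed outcome the `else` branch already relies on, so the added check keeps that behavior. The `echo "Failed to switch root!"` and `exit 1` after `exec switch_root` are unreachable in a non-interactive shell, since a failed `exec` terminates it; they can be dropped or replaced by a comment saying so.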
+++ b/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/inittab
@@ -0,0 +1,41 @@
+# /etc/inittab
+#
+# Copyright (C) 2001 Erik Andersen
+#
+# Note: BusyBox init doesn't support runlevels. The runlevels field is
+# completely ignored by BusyBox init. If you want runlevels, use
+# sysvinit.
+#
+# Format for each entry: :::
+#
+# id == tty to run on, or empty for /dev/console
+# runlevels == ignored
+# action == one of sysinit, respawn, askfirst, wait, and once
+# process == program to run
+
+# Startup the system
+::sysinit:/bin/mount -t proc proc /proc
+::sysinit:/bin/mount -o remount,rw /
+::sysinit:/bin/mkdir -p /dev/pts /dev/shm
+::sysinit:/bin/mount -a
+::sysinit:/bin/mkdir -p /run/lock/subsys
+::sysinit:/sbin/swapon -a
+null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd
+null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin
+null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout
+null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
+::sysinit:/bin/hostname -F /etc/hostname
+# now run any rc scripts
+::sysinit:/etc/init.d/rcS
+::sysinit:/etc/init.d/rcA
+
+# Put a getty on the serial port
+console::respawn:/sbin/getty -L console 0 vt100 # GENERIC_SERIAL
+
+# Stuff to do for the 3-finger salute
+#::ctrlaltdel:/sbin/reboot
+
+# Stuff to do before rebooting
+::shutdown:/etc/init.d/rcK
+::shutdown:/sbin/swapoff -a
+::shutdown:/bin/umount -a -r
diff --git a/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/profile b/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/profile
new file mode 100644
index 0000000000000000000000000000000000000000..6bf10ad9ba246fdde501a02a54a026ca4b06c599
--- /dev/null
+++ b/attestation/initramfs/br2_external/board/virtcca_qemu/rootfs_overlay/profile
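Review bot: The `::sysinit:/etc/init.d/rcA` entry is only meaningful together with the bundled BusyBox patch, which compares the command string byte-for-byte against `/etc/init.d/rcA` and exec's it in place of init, yet nothing in this file records that coupling; a reader who appends an argument to the line or moves it above `rcS` (which is presumably what brings the network up for rcA) would silently change the boot gate. Add a comment above the entry such as `# rcA is exec'd over PID 1 by the patched BusyBox init (package_patch/patches/busybox/init.c.patch): keep it last, keep the path exactly as written, no arguments.` It is also worth noting in the same comment that, when the patch is in effect, the `console::respawn:/sbin/getty` and `::shutdown:` entries below never run, because init has already been replaced by the time sysinit processing would reach them.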
@@ -0,0 +1,15 @@
+export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
+
+if [ "$PS1" ]; then
+ export PS1='[\u@\h]\w$ '
+fi
+
+export EDITOR='/bin/vi'
+
+# Source configuration files from /etc/profile.d
+for i in /etc/profile.d/*.sh ; do
+ if [ -r "$i" ]; then
+ . $i
+ fi
+done
+unset i
diff --git a/attestation/initramfs/br2_external/configs/virtcca_qemu_defconfig b/attestation/initramfs/br2_external/configs/virtcca_qemu_defconfig
new file mode 100644
index 0000000000000000000000000000000000000000..11718d19fd9c1b3c867f9ef74f78e97a8832f14f
--- /dev/null
+++ b/attestation/initramfs/br2_external/configs/virtcca_qemu_defconfig
@@ -0,0 +1,57 @@
+BR2_ROOTFS_OVERLAY="${BR2_EXTERNAL_VIRTCCA_PATH}/board/virtcca_qemu/rootfs_overlay"
+BR2_GLOBAL_PATCH_DIR="${BR2_EXTERNAL_VIRTCCA_PATH}/package_patch/patches"
+
+# Architecture
+BR2_aarch64=y
+BR2_cortex_a53=y
+
+# System
+BR2_SYSTEM_DHCP="eth0"
+
+# Initramfs
+BR2_TARGET_ROOTFS_CPIO=y
+BR2_TARGET_ROOTFS_CPIO_GZIP=y
+BR2_TARGET_ROOTFS_CPIO_DRACUT=n
+
+# System Configuration
+BR2_TARGET_ENABLE_ROOT_LOGIN=y
+BR2_TARGET_GENERIC_HOSTNAME="initramfs"
+BR2_TARGET_GENERIC_ISSUE="Welcome to virtCCA cVM protected by attestation (usr: root, passwd: root)"
+BR2_TARGET_GENERIC_ROOT_PASSWD="root"
+
+# Linux headers same as kernel
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y
+
+# Kernel
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.0"
+
+# Target Installed Packages
+BR2_PACKAGE_OPENSSL=y
+BR2_PACKAGE_LIBOPENSSL=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_MD2=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_MD4=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_MDC2=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_BLAKE2=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_IDEA=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_SEED=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_DES=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_WHIRLPOOL=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_BLOWFISH=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL3=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_WEAK_SSL=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_PSK=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_CAST=y
+BR2_PACKAGE_LIBOPENSSL_UNSECURE=y
+BR2_PACKAGE_LIBOPENSSL_DYNAMIC_ENGINE=y
+BR2_PACKAGE_LIBOPENSSL_ENABLE_COMP=y
+BR2_PACKAGE_HAS_OPENSSL=y
+BR2_PACKAGE_PROVIDES_OPENSSL="libopenssl"
+BR2_PACKAGE_PROVIDES_HOST_OPENSSL="host-libopenssl"
+BR2_PACKAGE_WOLFSSL_ASM_SUPPORTS=y
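Review bot: `BR2_TARGET_ENABLE_ROOT_LOGIN=y` together with `BR2_TARGET_GENERIC_ROOT_PASSWD="root"` gives the attestation initramfs a well-known root password, and `BR2_TARGET_GENERIC_ISSUE` prints that credential in the login banner; with the console getty configured in the inittab overlay, anyone who reaches the guest console gets a root shell inside the image that decides whether the real root is mounted. For a boot gate, leave `BR2_TARGET_GENERIC_ROOT_PASSWD` empty with root login disabled (or drop the getty) and take the credential out of the banner. Separately, `BR2_PACKAGE_LIBOPENSSL_ENABLE_SSL2=y`, `..._ENABLE_SSL3=y`, `..._ENABLE_WEAK_SSL=y`, `BR2_PACKAGE_LIBOPENSSL_UNSECURE=y` and the `RC4`, `MD2`, `MD4` and `DES` options enable legacy protocol versions and weak algorithms in the only TLS library on the image; unless rats-tls is known to require one of them, they should be unset so the attestation channel cannot negotiate them. `BR2_PACKAGE_WOLFSSL_ASM_SUPPORTS=y` appears to be a stray option, since no wolfSSL package is selected here, and could be dropped.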
diff --git a/attestation/initramfs/br2_external/external.desc b/attestation/initramfs/br2_external/external.desc
new file mode 100644
index 0000000000000000000000000000000000000000..683f815cce29bc81d4001eb9e1914f47c42169dd
--- /dev/null
+++ b/attestation/initramfs/br2_external/external.desc
@@ -0,0 +1,2 @@
+name: VIRTCCA
+desc: VIRTCCA buildroot external
diff --git a/attestation/initramfs/br2_external/external.mk b/attestation/initramfs/br2_external/external.mk
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/attestation/initramfs/br2_external/package_patch/patches/busybox/init.c.patch b/attestation/initramfs/br2_external/package_patch/patches/busybox/init.c.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7bbc6bdb1a18de84180ca21a06fb9438dfc79d21
--- /dev/null
+++ b/attestation/initramfs/br2_external/package_patch/patches/busybox/init.c.patch
@@ -0,0 +1,17 @@
+--- a/init/init.c 2024-05-09 14:18:27.978042450 +0800
++++ b/init/init.c 2024-05-09 14:18:27.978042450 +0800
+@@ -480,7 +480,13 @@
+ {
+ pid_t pid;
+
+- if (BB_MMU && (a->action_type & ASKFIRST))
++ if (strcmp(a->command, "/etc/init.d/rcA") == 0) {
++ /* The new program will take over this PID=1,
++ * so nothing further in init.c should be run. */
++ init_exec(a->command);
++ /* We're still here? Some error happened. */
++ _exit(-1);
++ } else if (BB_MMU && (a->action_type & ASKFIRST))
+ pid = fork();
+ else
+ pid = vfork();
diff --git a/attestation/initramfs/build.sh b/attestation/initramfs/build.sh
new file mode 100755
index 0000000000000000000000000000000000000000..7beae5883ff4b233e710c559c2b42090a65fc781
--- /dev/null
+++ b/attestation/initramfs/build.sh
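Review bot: The `strcmp(a->command, "/etc/init.d/rcA") == 0` test hard-codes the gate script's path inside BusyBox, so this patch and the inittab overlay must agree byte-for-byte: an argument appended to the inittab line, or a renamed script, silently falls back to the ordinary fork path and the guest boots without the attestation gate. A named constant, `#define RCA_GATE_PATH "/etc/init.d/rcA"`, with a comment saying it must match the `::sysinit:` entry in the board's inittab, would make that coupling visible to whoever edits either file. The match is also made regardless of `a->action_type`, so any inittab action carrying that command (not only sysinit) would replace init; if that is intended, say so in the comment, otherwise add `&& (a->action_type & SYSINIT)` to the condition. Because this runs as PID 1, the `_exit(-1)` after a failed `init_exec` (and any non-zero exit of the script itself) ends in a kernel panic; the two-line comment already in the hunk should state that this fail-closed behaviour is the purpose, not an accident. The enclosing function starts before the hunk's opening `{` and continues past its last line.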
@@ -0,0 +1,33 @@
+#!/bin/bash
+INITRAMFS_PROJ_DIR=$(cd "$(dirname "$0")";pwd)
+export ROOT=${INITRAMFS_PROJ_DIR}/../..
+PACKAGE_DIR=${INITRAMFS_PROJ_DIR}/br2_external/package_patch
+OUTPUT_DIR=${INITRAMFS_PROJ_DIR}/buildroot/output
+APP_INSTALL_DIR=${INITRAMFS_PROJ_DIR}/br2_external/board/virtcca_qemu/rootfs_overlay
+export BR2_EXTERNAL=${INITRAMFS_PROJ_DIR}/br2_external
+
+# prepare to install TSI server
+TSI_SERVER_BIN=${INITRAMFS_PROJ_DIR}/../samples/build/server
+if [ ! -f "${TSI_SERVER_BIN}" ]; then
+ echo "Cannot find ${TSI_SERVER_BIN}"
+ exit 1
+fi
+
+# clean
+rm -rf ${APP_INSTALL_DIR}/tmp
+rm -rf ${APP_INSTALL_DIR}/usr
+mkdir -p ${APP_INSTALL_DIR}/tmp
+mkdir -p ${APP_INSTALL_DIR}/usr/bin
+
+# install TSI server
+cp -rf ${INITRAMFS_PROJ_DIR}/../samples/build/server ${APP_INSTALL_DIR}/usr/bin/
+
+# clean up
+rm -rf ${APP_INSTALL_DIR}/tmp
+pushd ${INITRAMFS_PROJ_DIR}
+
+# initramfs build process
+if [ ! -d "buildroot" ]; then
+ git clone https://gitlab.com/buildroot.org/buildroot.git -b 2024.02
+fi
+cd buildroot && make clean && make virtcca_qemu_defconfig && make
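Review bot: `git clone https://gitlab.com/buildroot.org/buildroot.git -b 2024.02` pins only a tag name and nothing after the clone checks what was fetched, so the toolchain that produces the attestation initramfs is whatever the remote serves at build time; record the expected commit in the repo and verify it after cloning, e.g. `[ "$(git -C buildroot rev-parse HEAD)" = "${EXPECTED_BUILDROOT_COMMIT:?set to the pinned 2024.02 commit}" ] || exit 1`, with the hash kept next to the script rather than typed here. The script has no `set -euo pipefail`, so a failing `rm`, `mkdir` or `cp` is ignored and the build continues with a stale or missing `server`; add `set -euo pipefail` after the shebang. The `cp -rf` line repeats the path that `TSI_SERVER_BIN` already holds and that was checked a few lines earlier, and `pushd` has no matching `popd` while `cd buildroot` makes it redundant; `cp -f "${TSI_SERVER_BIN}" "${APP_INSTALL_DIR}/usr/bin/"` and a plain `cd "${INITRAMFS_PROJ_DIR}"` would be clearer. Note also that the `rm -rf ${APP_INSTALL_DIR}/usr` step leaves only `usr/bin/server` in the overlay, while the rcA script sets `LD_LIBRARY_PATH=/usr/lib/rats-tls`; if `server` is dynamically linked against rats-tls, those libraries are not installed by this script, which is worth confirming.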