diff --git a/Makefile b/Makefile
index 0429b63aa..80e62c62b 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,8 @@ export KEYSTONE_RUNTIME         ?= $(KEYSTONE)/runtime
 export KEYSTONE_SDK             ?= $(KEYSTONE)/sdk
 export KEYSTONE_BOOTROM         ?= $(KEYSTONE)/bootrom
 export KEYSTONE_SM              ?= $(KEYSTONE)/sm
+export FILTERING_PROXY          ?= $(FILTERING_PROXY_PATH)
+export FILTERING_LIBCOAP        ?= $(KEYSTONE)/sm/src/libcoap
 
 export BUILDDIR                 ?= $(KEYSTONE)/build-$(KEYSTONE_PLATFORM)$(KEYSTONE_BITS)
 export BUILDROOT_OVERLAYDIR     ?= $(BUILDDIR)/overlay
diff --git a/overlays/keystone/Config.in b/overlays/keystone/Config.in
index 51f8f98d0..27121ffe1 100644
--- a/overlays/keystone/Config.in
+++ b/overlays/keystone/Config.in
@@ -9,3 +9,5 @@ source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-driver/Config.in"
 source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-sdk/Config.in.host"
 source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-runtime/Config.in"
 source "$BR2_EXTERNAL_KEYSTONE_PATH/package/keystone-examples/Config.in"
+source "$BR2_EXTERNAL_KEYSTONE_PATH/package/filtering-proxy/Config.in"
+source "$BR2_EXTERNAL_KEYSTONE_PATH/package/filtering-libcoap/Config.in"
diff --git a/overlays/keystone/configs/riscv32_generic_defconfig b/overlays/keystone/configs/riscv32_generic_defconfig
index 6847b4a22..e4d7e59f1 100644
--- a/overlays/keystone/configs/riscv32_generic_defconfig
+++ b/overlays/keystone/configs/riscv32_generic_defconfig
@@ -32,3 +32,5 @@ BR2_PACKAGE_KEYSTONE_DRIVER=y
 BR2_PACKAGE_HOST_KEYSTONE_SDK=y
 BR2_PACKAGE_KEYSTONE_RUNTIME=y
 BR2_PACKAGE_KEYSTONE_EXAMPLES=y
+BR2_PACKAGE_FILTERING_PROXY=y
+BR2_PACKAGE_FILTERING_LIBCOAP=y
diff --git a/overlays/keystone/configs/riscv64_generic_defconfig b/overlays/keystone/configs/riscv64_generic_defconfig
index 89e02f35b..ff5ac4c5d 100644
--- a/overlays/keystone/configs/riscv64_generic_defconfig
+++ b/overlays/keystone/configs/riscv64_generic_defconfig
@@ -32,3 +32,5 @@ BR2_PACKAGE_KEYSTONE_DRIVER=y
 BR2_PACKAGE_HOST_KEYSTONE_SDK=y
 BR2_PACKAGE_KEYSTONE_RUNTIME=y
 BR2_PACKAGE_KEYSTONE_EXAMPLES=y
+BR2_PACKAGE_FILTERING_PROXY=y
+BR2_PACKAGE_FILTERING_LIBCOAP=y
diff --git a/overlays/keystone/package/filtering-libcoap/Config.in b/overlays/keystone/package/filtering-libcoap/Config.in
new file mode 100644
index 000000000..a186eed82
--- /dev/null
+++ b/overlays/keystone/package/filtering-libcoap/Config.in
@@ -0,0 +1,4 @@
+config BR2_PACKAGE_FILTERING_LIBCOAP
+        bool "Filtering libcoap"
+        help
+          A version of libcoap tailored to the filtering-proxy
diff --git a/overlays/keystone/package/filtering-libcoap/filtering-libcoap.mk b/overlays/keystone/package/filtering-libcoap/filtering-libcoap.mk
new file mode 100644
index 000000000..15ab5bae6
--- /dev/null
+++ b/overlays/keystone/package/filtering-libcoap/filtering-libcoap.mk
@@ -0,0 +1,30 @@
+################################################################################
+#
+# libcoap
+#
+################################################################################
+
+ifeq ($(FILTERING_LIBCOAP),)
+$(error FILTERING_LIBCOAP directory not defined)
+else
+include $(KEYSTONE)/mkutils/pkg-keystone.mk
+endif
+
+FILTERING_LIBCOAP_LICENSE = BSD-2-Clause
+FILTERING_LIBCOAP_LICENSE_FILES = COPYING LICENSE
+FILTERING_LIBCOAP_INSTALL_STAGING = YES
+FILTERING_LIBCOAP_CONF_OPTS = \
+    -DCMAKE_INSTALL_PREFIX=/usr/local \
+	-DENABLE_DOCS=OFF \
+    -DENABLE_DTLS=OFF \
+    -DWITH_EPOLL=ON \
+    -DENABLE_EXAMPLES=OFF \
+    -DENABLE_TCP=OFF \
+    -DENABLE_OSCORE=OFF \
+    -DENABLE_OSCORE_NG=ON \
+    -DENABLE_ATTEST=ON \
+    -DENABLE_Q_BLOCK=OFF \
+    -DWITH_OBSERVE_PERSIST=OFF
+
+$(eval $(keystone-package))
+$(eval $(cmake-package))
diff --git a/overlays/keystone/package/filtering-proxy/Config.in b/overlays/keystone/package/filtering-proxy/Config.in
new file mode 100644
index 000000000..1e46c5197
--- /dev/null
+++ b/overlays/keystone/package/filtering-proxy/Config.in
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_FILTERING_PROXY
+        bool "Filtering Proxy"
+        depends on BR2_PACKAGE_HOST_KEYSTONE_SDK
+        depends on BR2_PACKAGE_KEYSTONE_RUNTIME
+        help
+          Privacy-preserving en-route filtering of OSCORE-NG traffic
diff --git a/overlays/keystone/package/filtering-proxy/filtering-proxy.mk b/overlays/keystone/package/filtering-proxy/filtering-proxy.mk
new file mode 100644
index 000000000..9fcefcec5
--- /dev/null
+++ b/overlays/keystone/package/filtering-proxy/filtering-proxy.mk
@@ -0,0 +1,27 @@
+################################################################################
+#
+# Filtering proxy
+#
+################################################################################
+
+ifeq ($(FILTERING_PROXY),)
+$(error FILTERING_PROXY directory not defined)
+else
+include $(KEYSTONE)/mkutils/pkg-keystone.mk
+endif
+
+FILTERING_PROXY_DEPENDENCIES += host-keystone-sdk keystone-runtime filtering-libcoap
+FILTERING_PROXY_CONF_OPTS += -DKEYSTONE_SDK_DIR=$(HOST_DIR)/usr/share/keystone/sdk \
+                             -DKEYSTONE_EYRIE_RUNTIME=$(KEYSTONE_RUNTIME_BUILDDIR) \
+                             -DLIBCOAP_INSTALL_PATH=$(TARGET_DIR)/usr/local
+FILTERING_PROXY_MAKE_OPTS += filtering-proxy
+
+# Install .ke file and overlay
+define FILTERING_PROXY_INSTALL_TARGET_CMDS
+	find $(@D) -name '*.ke' | \
+                xargs -i{} $(INSTALL) -D -m 755 -t $(TARGET_DIR)/root/ {}
+    cp $(FILTERING_PROXY)/overlay/run.sh $(TARGET_DIR)/root/
+endef
+
+$(eval $(keystone-package))
+$(eval $(cmake-package))