diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index a58ebb0886..379da377ea 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -33,6 +33,7 @@ jobs:
 - cloud-hypervisor
 - cloud-hypervisor-glibc
 - firecracker
+ - genpolicy
 - kata-ctl
 - kernel
 - kernel-confidential
diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
index e278a2dfc7..e2396301b7 100644
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -48,6 +48,7 @@ jobs:
 - kata-ctl
 - runk
 - trace-forwarder
+ - genpolicy
 command:
 - "make vendor"
 - "make check"
@@ -75,6 +76,8 @@ jobs:
 install-libseccomp: yes
 - component: runk
 install-libseccomp: yes
+ - component: genpolicy
+ component-path: src/tools/genpolicy
 steps:
 - name: Checkout the code
 uses: actions/checkout@v4
diff --git a/src/tools/genpolicy/Cargo.lock b/src/tools/genpolicy/Cargo.lock
index 779df465a3..7926e85e3e 100644
--- a/src/tools/genpolicy/Cargo.lock
+++ b/src/tools/genpolicy/Cargo.lock
@@ -1112,15 +1112,6 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
-[[package]]
-name = "openssl-src"
-version = "111.25.1+1.1.1t"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ef9a9cc6ea7d9d5e7c4a913dc4b48d0e359eddf01af1dfec96ba7064b4aba10"
-dependencies = [
- "cc",
-]
-
 [[package]]
 name = "openssl-sys"
 version = "0.9.90"
@@ -1129,7 +1120,6 @@ checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6"
 dependencies = [
 "cc",
 "libc",
- "openssl-src",
 "pkg-config",
 "vcpkg",
 ]
diff --git a/src/tools/genpolicy/Cargo.toml b/src/tools/genpolicy/Cargo.toml
index ebe3eee983..d3225c1a5d 100644
--- a/src/tools/genpolicy/Cargo.toml
+++ b/src/tools/genpolicy/Cargo.toml
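Review bot: The new `- component: genpolicy` matrix entry (second hunk of static-checks.yaml) adds no provision for OpenSSL build dependencies, yet this same commit drops `features = ["vendored"]` from genpolicy's `openssl` dependency, so `make vendor` / `make check` for this component now rely on the runner image already shipping the OpenSSL headers and pkg-config that `openssl-sys` probes for. If a future runner image lacks them the job fails inside `openssl-sys`'s build script rather than in genpolicy's own code; an `install-openssl: yes`-style matrix flag, handled the way the existing `install-libseccomp` flag presumably is in the steps below the hunk, would make the dependency explicit. Also, in the first hunk `- genpolicy` is appended after `trace-forwarder`, while the other component lists touched by this commit keep alphabetical order (`firecracker`, `genpolicy`, `kata-ctl`); inserting it before `kata-ctl` would keep the lists consistent.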
@@ -1,3 +1,8 @@
+# Copyright (c) 2024 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
 [package]
 name = "genpolicy"
 version = "0.1.0"
@@ -35,7 +40,7 @@ async-trait = "0.1.68"
 docker_credential = "1.2.0"
 flate2 = { version = "1.0.26", features = ["zlib-ng"], default-features = false }
 oci-distribution = { version = "0.10.0" }
-openssl = { version = "0.10.54", features = ["vendored"] }
+openssl = { version = "0.10.54" }
 serde_ignored = "0.1.7"
 serde_json = "1.0.39"
 serde-transcode = "1.1.1"
@@ -44,7 +49,7 @@ tokio = {version = "1.33.0", features = ["rt-multi-thread"]}
 # OCI container specs.
 oci = { path = "../../libs/oci" }
-# Kata Agent prototol.
+# Kata Agent protocol.
 protocols = { path = "../../libs/protocols", features = ["with-serde"] }
 protobuf = "3.2.0"
diff --git a/src/tools/genpolicy/README.md b/src/tools/genpolicy/README.md
index 400e4d5aa5..c01b53f1c6 100644
--- a/src/tools/genpolicy/README.md
+++ b/src/tools/genpolicy/README.md
@@ -18,32 +18,12 @@ The Policy auto-generated by `genpolicy` is typically used for implementing conf
 # Building `genpolicy` from source code
-## Install build dependencies
+Build in docker container:
-Example for Ubuntu 22.04.3:
-
-```bash
-$ sudo apt-get update
-$ sudo apt-get install -y build-essential cmake curl git musl-dev musl-tools
-$ curl --proto '=https' --tlsv1.3 https://sh.rustup.rs -sSf | sh
-$ source "$HOME/.cargo/env"
-$ arch=$(uname -m)
-$ rustup target add "${arch}-unknown-linux-musl"
-```
-
-# Build `genpolicy`
-
-```bash
+```sh
 $ git clone https://github.com/kata-containers/kata-containers.git
-$ cd kata-containers/src/tools/genpolicy
-$ source "$HOME/.cargo/env"
-$ make && make install
-```
-
-If you want to use `LIBC=gnu` instead of the default `LIBC=musl`, change the last step above to:
-
-```bash
-$ LIBC=gnu make && LIBC=gnu make install
+$ cd kata-containers
+$ tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh --build=genpolicy
 ```
 # Executing `genpolicy`
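Review bot: Removing `features = ["vendored"]` from the `openssl` dependency (second hunk of Cargo.toml) means the OpenSSL linked into genpolicy is no longer the `openssl-src` crate that Cargo.lock pinned (`111.25.1+1.1.1t`, from the 1.1.1 series, which is past upstream end of life) but whatever `openssl-dev` / `openssl-libs-static` the unpinned `apk --no-cache add` in this commit's Dockerfile hunk resolves to at build time. Moving off the end-of-life vendored copy is an improvement, but the OpenSSL version compiled into a released static binary is now recorded nowhere in version control. Consider pinning those apk package versions in tools/packaging/static-build/tools/Dockerfile, or at least printing the resolved `openssl-libs-static` version in the build log, so the shipped TLS stack can be matched against OpenSSL advisories later. A one-line comment above the dependency, `# Links the build image's OpenSSL (see tools/packaging/static-build/tools/Dockerfile); not vendored.`, would make the new coupling visible to anyone editing this file.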
diff --git a/src/tools/genpolicy/src/verity.rs b/src/tools/genpolicy/src/verity.rs
index 5fceb81aa1..0b2aa18afa 100644
--- a/src/tools/genpolicy/src/verity.rs
+++ b/src/tools/genpolicy/src/verity.rs
@@ -56,9 +56,7 @@ impl Verity {
 count
 };
- let mut data = Vec::new();
- data.resize(hash_block_size, 0);
-
+ let data = vec![0; hash_block_size];
 let mut levels = Vec::new();
 levels.resize(
 level_count,
@@ -209,8 +207,7 @@ pub fn traverse_file(
 mut verity: Verity,
 writer: &mut impl FnMut(&mut File, &[u8], u64) -> io::Result<()>,
 ) -> io::Result> {
- let mut buf = Vec::new();
- buf.resize(verity.data_block_size, 0);
+ let mut buf = vec![0; verity.data_block_size];
 while verity.more_blocks() {
 file.seek(SeekFrom::Start(read_offset))?;
 file.read_exact(&mut buf)?;
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 21ad3626df..685375a436 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -93,6 +93,9 @@ cloud-hypervisor-glibc-tarball:
 firecracker-tarball:
 ${MAKE} $@-build
+ genpolicy-tarball:
+ ${MAKE} $@-build
+
 kata-ctl-tarball:
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 8f0c2dd634..0d3f289321 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -90,6 +90,7 @@ options:
 cloud-hypervisor
 cloud-hypervisor-glibc
 firecracker
+ genpolicy
 kata-ctl
 kernel
 kernel-confidential
@@ -713,6 +714,10 @@ install_agent_ctl() {
 install_tools_helper "agent-ctl"
 }
+ install_genpolicy() {
+ install_tools_helper "genpolicy"
+ }
+
 install_kata_ctl() {
 install_tools_helper "kata-ctl"
 }
@@ -787,6 +792,8 @@ handle_build() {
 firecracker) install_firecracker ;;
+ genpolicy) install_genpolicy ;;
+
 kata-ctl) install_kata_ctl ;;
 kernel) install_kernel ;;
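Review bot: The `Vec::new()` + `resize` idiom that the first hunk replaces with `vec![0; hash_block_size]` is still used for `levels` two lines below (`let mut levels = Vec::new(); levels.resize(level_count, …)`), so the function is left half-converted; `let mut levels = vec![<initial level>; level_count];` would finish the cleanup, assuming the element expression (which continues past the hunk) is `Clone`. The second hunk, in `traverse_file`, is already fully converted, and dropping `mut` from `data` in the first hunk is correct only if nothing later mutates it, which the compiler will confirm. Both enclosing bodies start before and end after their hunks.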
@@ -893,6 +900,7 @@ main() {
 agent-ctl
 cloud-hypervisor
 firecracker
+ genpolicy
 kata-ctl
 kernel
 kernel-experimental
diff --git a/tools/packaging/static-build/tools/Dockerfile b/tools/packaging/static-build/tools/Dockerfile
index aa468488dc..9cb31e69e5 100644
--- a/tools/packaging/static-build/tools/Dockerfile
+++ b/tools/packaging/static-build/tools/Dockerfile
@@ -9,11 +9,14 @@ ARG RUST_TOOLCHAIN
 SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 RUN apk --no-cache add \
 bash \
+ cmake \
 curl \
 gcc \
 git \
 libcap-ng-static \
 libseccomp-static \
+ openssl-dev \
+ openssl-libs-static \
 make \
 musl-dev \
 protoc && \