Merge 63d0fe5b84 into 4b356c90dc

measure: add 'dtbauto' option in help message
'dtbauto' command line was missing from the help string. Add it.
2024-11-23 15:12:54 +01:00 · 2024-11-23 12:43:34 +00:00 · 2024-11-23 20:49:18 +09:00 · 2024-11-23 17:33:43 +09:00 · 2024-11-23 17:33:17 +09:00 · 2024-11-23 17:33:06 +09:00
112 changed files with 103441 additions and 102349 deletions
--- a/93
+++ b/93
@ -399,6 +399,15 @@ CHANGES WITH 257 in spe:
          be extended, and a --measure-base= switch to support measurement
          of multi-profile UKIs.

+        * ukify gained a --certificate-provider switch to use an OpenSSL
+          provider to load the certificate used to sign artifacts, instead of
+          having to provide the path to a file on disk.
+
+        * bootctl, systemd-keyutil, systemd-measure, systemd-repart, and
+          systemd-sbsign gained a new --certificate-source switch that allows
+          loading the X.509 certificate from an OpenSSL provider instead of a
+          file system path.
+
        * systemd-boot's menu will now react to volume up/down rocker presses
          the same way as to arrow up/down presses: they move the menu item up
          or down. This is useful on device form factors that have only a
@ -437,6 +446,9 @@ CHANGES WITH 257 in spe:
          and providers, with pin caching support for PKCS11. ukify supports it
          as an alternative to sbsigntool and pesign.

+        * A new systemd-keyutil tool has been added, that can be used to perform
+          various operations on private keys and X.509 certificates.
+
        The journal:

        * journalctl can now list invocations of a unit with the
@ -752,36 +764,38 @@ CHANGES WITH 257 in spe:
          other cases EnterNamespace= might be an suitable approach to acquire
          symbolized backtraces.)

-        Contributions from: A. Wilcox, Abderrahim Kitouni, Adrian Vovk,
-        Alain Greppin, Allison Karlitskaya, Alyssa Ross, Anders Jonsson,
-        Andika Triwidada, Andres Beltran, Anouk Ceyssens, Anton Golubev,
-        Antonio Alvarez Feijoo, Arian van Putten, Arnaud Patard,
-        Arthur Shau, Bastien Nocera, Benjamin ROBIN, Brenton Simpson,
-        Bryan Gurney, ButterflyOfFire, Carlo Teubner, Celeste Liu,
-        Chen Guanqiao, Chen Qi, Chengen Du, Christoph Anton Mitterer,
-        Colin Foster, Collin L, Cristian Rodríguez, Daan De Meyer,
-        Dan Nicholson, Daniel Dawson, Daniel Martinez,
-        Daniel P. Berrangé, Daniel Rusek, Darsey Litzenberger,
-        David Joaquín Shourabi Porcel, David Michael, David Rheinsberg,
-        David Tardon, Davide Cavalca, Derek J. Clark, Diego Viola,
-        Dimitrys Meliates, Diogo Ivo, DocNITE, Dominique Martinet,
-        Dr. David Alan Gilbert, Edson Juliano Drosdeck, Erik Sjölund,
-        Etienne Champetier, Etienne Cordonnier, Ettore Atalan,
-        Eugeny Shcheglov, Fabian Vogt, Filip Lewiński, Florian Schmaus,
-        Franck Bui, Frantisek Sumsal, Fábio Rodrigues Ribeiro,
-        Gabriel Elyas, Gaël PORTAY, Giovanni Baratta, Gregor Herburger,
-        Gregory Arenius, GwynBleidD, Göran Uddeborg, Hans de Goede,
-        Helmut Grohne, Henry Chen, Ian Abbott, Integral, Ivan Kruglov,
-        Ivan Shapovalov, James Coglan, James Hilliard, James Muir,
-        Jason Yundt, Jeffrey Bosboom, Johannes Schneider,
-        John A. Leuenhagen, Jose Ignacio Tornos Martinez, JoseskVolpe,
-        Joshua Grisham, Jörg Behrmann, Kai-Chuan Hsieh, Kamil Szczęk,
-        Karel Zak, Kornilios Kourtis, Kuntal Majumder, Lennart Poettering,
-        Luca Boccassi, Lucas Adriano Salles, Lucas Werkmeister,
-        Ludwig Nussel, Luke T. Shumaker, Lukáš Nykrýn, Léane GRASSER,
-        Maanya Goenka, Mantas Mikulėnas, Marc Reisner, Marcel Hellwig,
-        Marin Kresic, Marius Hoch, Martin Srebotnjak, Martin Wilck,
-        Mary Strodl, Matteo Croce, Matthias Lisin, Matthias Schiffer,
+        Contributions from: 12paper, A. Wilcox, Abderrahim Kitouni,
+        Adrian Vovk, Alain Greppin, Allison Karlitskaya, Alyssa Ross,
+        Anders Jonsson, Andika Triwidada, Andres Beltran, Anouk Ceyssens,
+        Anselm Schueler, Anton Golubev, Antonio Alvarez Feijoo,
+        Arian van Putten, Arnaud Patard, Arthur Shau, Bastien Nocera,
+        Benjamin ROBIN, Brenton Simpson, Bryan Gurney, ButterflyOfFire,
+        Carlo Teubner, Celeste Liu, Chen Guanqiao, Chen Qi, Chengen Du,
+        Christoph Anton Mitterer, Colin Foster, Collin L,
+        Cristian Rodríguez, Daan De Meyer, Dan Nicholson, Daniel Dawson,
+        Daniel Martinez, Daniel P. Berrangé, Daniel Rusek,
+        Darsey Litzenberger, David Joaquín Shourabi Porcel,
+        David Michael, David Rheinsberg, David Tardon, Davide Cavalca,
+        Derek J. Clark, Diego Viola, Dimitrys Meliates, Diogo Ivo,
+        DocNITE, Dominique Martinet, Dr. David Alan Gilbert,
+        Edson Juliano Drosdeck, Erik Sjölund, Etienne Champetier,
+        Etienne Cordonnier, Ettore Atalan, Eugeny Shcheglov, Fabian Vogt,
+        Filip Lewiński, Florian Schmaus, Franck Bui, Frantisek Sumsal,
+        Fábio Rodrigues Ribeiro, Gabriel Elyas, Gaël PORTAY,
+        Giovanni Baratta, Gregor Herburger, Gregory Arenius, GwynBleidD,
+        Göran Uddeborg, Hans de Goede, Helmut Grohne, Henry Chen,
+        Ian Abbott, Integral, Ivan Kruglov, Ivan Shapovalov, James Coglan,
+        James Hilliard, James Muir, Jason Yundt, Jeffrey Bosboom,
+        Jian Zhang, Johannes Schneider, John A. Leuenhagen,
+        Jose Ignacio Tornos Martinez, JoseskVolpe, Joshua Grisham,
+        Jörg Behrmann, Kai-Chuan Hsieh, Kamil Szczęk, Karel Zak,
+        Kornilios Kourtis, Kuntal Majumder, Lennart Poettering,
+        Lidong Zhong, Luca Boccassi, Lucas Adriano Salles,
+        Lucas Werkmeister, Ludwig Nussel, Luke T. Shumaker,
+        Lukáš Nykrýn, Luna Jernberg, Léane GRASSER, Maanya Goenka,
+        Mantas Mikulėnas, Marc Reisner, Marcel Hellwig, Marin Kresic,
+        Marius Hoch, Martin Srebotnjak, Martin Wilck, Mary Strodl,
+        Matteo Croce, Matthias Lisin, Matthias Schiffer,
        Matthieu Baerts (NGI0), Matthieu CHARETTE,
        Mauri de Souza Meneguzzo, Maximilian Wilhelm, Merlin Jehli,
        Michael Ferrari, Michal Koutný, Michal Sekletár,
@ -795,16 +809,17 @@ CHANGES WITH 257 in spe:
        Stuart Hayhurst, Susant Sahani, Takeo Kondo, Temuri Doghonadze,
        Thomas Blume, Thorsten Scherer, Tobias Fleig, Tom Coldrick,
        Tom Yan, Tomas Bzatek, Topi Miettinen, Uday Shankar,
-        Vasiliy Kovalev, Vitaly Kuznetsov, Vito Caputo, Vladimir Panteleev,
-        Will Fancher, WilliButz, Xeonacid, Yanqing Jing, Yu Watanabe,
-        Yuri Chornoivan, ZHANG Yuntian, Zbigniew Jędrzejewski-Szmek,
-        Zhou Qiankang, anonymix007, bryango, chayleaf, chenjiayi, csp5me,
-        cvlc12, fwfy, hugo303, jan@neighbourhood.ie, jauge-technica, lumingzh,
-        maia x., marginaldev, migleeson, nerdopolis, oldherl, pyfisch, q66,
-        rajmohan r, reDBo0n, rhellstrom, rindeal, samuelvw01, sinus-x, tfg13,
-        vdovhanych, xujing, Łukasz Stelmach, Дамјан Георгиевски
+        Valentin David, Vasiliy Kovalev, Vitaly Kuznetsov, Vito Caputo,
+        Vladimir Panteleev, Vursc, Will Fancher, WilliButz, Xeonacid,
+        Yanqing Jing, Yu Watanabe, Yuri Chornoivan, ZHANG Yuntian,
+        Zbigniew Jędrzejewski-Szmek, Zhou Qiankang, andre4ik3, anonymix007,
+        bryango, chayleaf, chenjiayi, csp5me, cvlc12, fwfy, hugo303,
+        jan@neighbourhood.ie, jauge-technica, lumingzh, maia x., marginaldev,
+        migleeson, nerdopolis, oldherl, pyfisch, q66, rajmohan r, reDBo0n,
+        rhellstrom, rindeal, samuelvw01, sinus-x, tfg13, vdovhanych, xujing,
+        Łukasz Stelmach, Štěpán Němec, Дамјан Георгиевски

-        — Edinburgh, 2024-11-06
+        — Edinburgh, 2024-11-15

 CHANGES WITH 256:

--- a/14
+++ b/14
@ -129,6 +129,20 @@ Deprecations and removals:

 Features:

+* Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling
+  users how to connect to the system via the AF_VSOCK, as per:
+  https://github.com/systemd/systemd/issues/35071#issuecomment-2462803142
+
+* maybe introduce an OSC sequence that signals when we ask for a password, so
+  that terminal emulators can maybe connect a password manager or so, and
+  highlight things specially.
+
+* Port pidref_namespace_open() to use PIDFD_GET_MNT_NAMESPACE and related
+  ioctls to get nsfds directly from pidfds.
+
+* start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it
+  generically, so that image discovery recognizes bcachefs subvols too.
+
 * format-table: introduce new cell type for strings with ansi sequences in
  them. display them in regular output mode (via strip_tab_ansi()), but
  suppress them in json mode.
--- a/hwdb.d/20-OUI.hwdb
+++ b/hwdb.d/20-OUI.hwdb
@ -36123,7 +36123,7 @@ OUI:00A044*
 ID_OUI_FROM_DATABASE=NTT IT CO., LTD.

 OUI:00A045*
- ID_OUI_FROM_DATABASE=PHOENIX CONTACT Electronics GmbH
+ ID_OUI_FROM_DATABASE=Phoenix Contact GmbH & Co. KG

 OUI:00A046*
 ID_OUI_FROM_DATABASE=SCITEX CORP. LTD.
@ -40088,6 +40088,9 @@ OUI:044707*
 OUI:04472A*
 ID_OUI_FROM_DATABASE=Palo Alto Networks

+OUI:0447CA*
+ ID_OUI_FROM_DATABASE=GREE ELECTRIC APPLIANCES, INC. OF ZHUHAI
+
 OUI:04489A*
 ID_OUI_FROM_DATABASE=Apple, Inc.

@ -40556,6 +40559,9 @@ OUI:04AC44*
 OUI:04AEC7*
 ID_OUI_FROM_DATABASE=Marquardt

+OUI:04B066*
+ ID_OUI_FROM_DATABASE=Private
+
 OUI:04B0E7*
 ID_OUI_FROM_DATABASE=HUAWEI TECHNOLOGIES CO.,LTD

@ -43058,12 +43064,30 @@ OUI:0C47A90*
 OUI:0C47A91*
 ID_OUI_FROM_DATABASE=Shanghai BST Electric Co.,ltd

+OUI:0C47A92*
+ ID_OUI_FROM_DATABASE=Annapurna labs
+
+OUI:0C47A93*
+ ID_OUI_FROM_DATABASE=HONGKONG STONEOIM TECHNOLOGY LIMITED
+
 OUI:0C47A94*
 ID_OUI_FROM_DATABASE=Private

+OUI:0C47A95*
+ ID_OUI_FROM_DATABASE=Everon Co., Ltd.
+
+OUI:0C47A96*
+ ID_OUI_FROM_DATABASE=Shenzhen Hahappylife Innovations Electronics Technology Co.,Ltd
+
 OUI:0C47A97*
 ID_OUI_FROM_DATABASE=Annapurna labs

+OUI:0C47A98*
+ ID_OUI_FROM_DATABASE=Honest Networks LLC
+
+OUI:0C47A99*
+ ID_OUI_FROM_DATABASE=Shanghai Sigen New Energy Technology Co., Ltd
+
 OUI:0C47A9A*
 ID_OUI_FROM_DATABASE=Lens Technology (Xiangtan) Co.,Ltd

@ -43076,6 +43100,9 @@ OUI:0C47A9C*
 OUI:0C47A9D*
 ID_OUI_FROM_DATABASE=DIG_LINK

+OUI:0C47A9E*
+ ID_OUI_FROM_DATABASE=BGResearch
+
 OUI:0C47C9*
 ID_OUI_FROM_DATABASE=Amazon Technologies Inc.

@ -43598,6 +43625,9 @@ OUI:0C9301*
 OUI:0C938F*
 ID_OUI_FROM_DATABASE=GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD

+OUI:0C93A5*
+ ID_OUI_FROM_DATABASE=eero inc.
+
 OUI:0C93FB*
 ID_OUI_FROM_DATABASE=BNS Solutions

@ -44027,6 +44057,9 @@ OUI:0CEC84*
 OUI:0CEC8D*
 ID_OUI_FROM_DATABASE=Motorola Mobility LLC, a Lenovo Company

+OUI:0CED71*
+ ID_OUI_FROM_DATABASE=Extreme Networks Headquarters
+
 OUI:0CEDC8*
 ID_OUI_FROM_DATABASE=Xiaomi Communications Co Ltd

@ -46211,6 +46244,9 @@ OUI:147F67*
 OUI:147FCE*
 ID_OUI_FROM_DATABASE=Apple, Inc.

+OUI:1480CC*
+ ID_OUI_FROM_DATABASE=Quectel Wireless Solutions Co.,Ltd.
+
 OUI:14825B*
 ID_OUI_FROM_DATABASE=Hefei Radio Communication Technology Co., Ltd

@ -47297,6 +47333,9 @@ OUI:1869DA*
 OUI:186A81*
 ID_OUI_FROM_DATABASE=Sagemcom Broadband SAS

+OUI:186BE2*
+ ID_OUI_FROM_DATABASE=LYLINK LIMITED
+
 OUI:186D99*
 ID_OUI_FROM_DATABASE=Adanis Inc.

@ -48560,6 +48599,9 @@ OUI:1C4D70*
 OUI:1C4D89*
 ID_OUI_FROM_DATABASE=Hangzhou Huacheng Network Technology Co.,Ltd

+OUI:1C4EA2*
+ ID_OUI_FROM_DATABASE=Shenzhen V-Link Technology CO., LTD.
+
 OUI:1C501E*
 ID_OUI_FROM_DATABASE=Sunplus Technology Co., Ltd.

@ -48809,6 +48851,9 @@ OUI:1C77F6*
 OUI:1C7839*
 ID_OUI_FROM_DATABASE=Shenzhen Tencent Computer System Co., Ltd.

+OUI:1C784B*
+ ID_OUI_FROM_DATABASE=Bouffalo Lab (Nanjing) Co., Ltd.
+
 OUI:1C784E*
 ID_OUI_FROM_DATABASE=China Mobile Iot Limited company

@ -49145,6 +49190,9 @@ OUI:1C937C*
 OUI:1C93C4*
 ID_OUI_FROM_DATABASE=Amazon Technologies Inc.

+OUI:1C9468*
+ ID_OUI_FROM_DATABASE=New H3C Technologies Co., Ltd
+
 OUI:1C9492*
 ID_OUI_FROM_DATABASE=RUAG Schweiz AG

@ -51335,6 +51383,9 @@ OUI:24470E*
 OUI:244845*
 ID_OUI_FROM_DATABASE=Hangzhou Hikvision Digital Technology Co.,Ltd.

+OUI:244885*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:24497B*
 ID_OUI_FROM_DATABASE=Innovative Converged Devices Inc

@ -53387,6 +53438,9 @@ OUI:28DB81*
 OUI:28DBA7*
 ID_OUI_FROM_DATABASE=Silicon Laboratories

+OUI:28DE1C*
+ ID_OUI_FROM_DATABASE=Samsung Electronics Co.,Ltd
+
 OUI:28DE59*
 ID_OUI_FROM_DATABASE=Domus NTW CORP.

@ -54396,7 +54450,7 @@ OUI:2C691D3*
 ID_OUI_FROM_DATABASE=Sunsa, Inc

 OUI:2C691D4*
- ID_OUI_FROM_DATABASE=SPEEDTECH CORP.
+ ID_OUI_FROM_DATABASE=SPEEDTECH CORP. JIO

 OUI:2C691D5*
 ID_OUI_FROM_DATABASE=LG Electronics Inc.
@ -55172,6 +55226,9 @@ OUI:2CFFEE*
 OUI:3000FC*
 ID_OUI_FROM_DATABASE=Nokia

+OUI:3001AF*
+ ID_OUI_FROM_DATABASE=Cisco Systems, Inc
+
 OUI:3003C8*
 ID_OUI_FROM_DATABASE=CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.

@ -56345,6 +56402,9 @@ OUI:30E3D6*
 OUI:30E48E*
 ID_OUI_FROM_DATABASE=Vodafone UK

+OUI:30E4D8*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:30E4DB*
 ID_OUI_FROM_DATABASE=Cisco Systems, Inc

@ -56360,6 +56420,9 @@ OUI:30E98E*
 OUI:30EA26*
 ID_OUI_FROM_DATABASE=Sycada BV

+OUI:30EB15*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:30EB1F*
 ID_OUI_FROM_DATABASE=Skylab M&C Technology Co.,Ltd

@ -57137,6 +57200,9 @@ OUI:346F92*
 OUI:346FED*
 ID_OUI_FROM_DATABASE=Enovation Controls

+OUI:347069*
+ ID_OUI_FROM_DATABASE=Cisco Systems, Inc
+
 OUI:347146*
 ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.

@ -57887,6 +57953,9 @@ OUI:34F39A*
 OUI:34F39B*
 ID_OUI_FROM_DATABASE=WizLAN Ltd.

+OUI:34F5D7*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:34F62D*
 ID_OUI_FROM_DATABASE=SHARP Corporation

@ -58382,6 +58451,9 @@ OUI:384C4F*
 OUI:384C90*
 ID_OUI_FROM_DATABASE=Commscope

+OUI:384DD2*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:384F49*
 ID_OUI_FROM_DATABASE=Juniper Networks

@ -60650,6 +60722,9 @@ OUI:3CE624*
 OUI:3CE824*
 ID_OUI_FROM_DATABASE=HUAWEI TECHNOLOGIES CO.,LTD

+OUI:3CE86E*
+ ID_OUI_FROM_DATABASE=Hewlett Packard Enterprise
+
 OUI:3CE90E*
 ID_OUI_FROM_DATABASE=Espressif Inc.

@ -62984,6 +63059,9 @@ OUI:44AAE8*
 OUI:44AAF5*
 ID_OUI_FROM_DATABASE=Commscope

+OUI:44AC85*
+ ID_OUI_FROM_DATABASE=eero inc.
+
 OUI:44AD19*
 ID_OUI_FROM_DATABASE=XINGFEI （H.K）LIMITED

@ -63356,6 +63434,9 @@ OUI:44F477*
 OUI:44F4E7*
 ID_OUI_FROM_DATABASE=Cohesity Inc

+OUI:44F53E*
+ ID_OUI_FROM_DATABASE=Earda Technologies co Ltd
+
 OUI:44F770*
 ID_OUI_FROM_DATABASE=Beijing Xiaomi Mobile Software Co., Ltd

@ -67448,6 +67529,9 @@ OUI:50E039*
 OUI:50E085*
 ID_OUI_FROM_DATABASE=Intel Corporate

+OUI:50E099*
+ ID_OUI_FROM_DATABASE=HangZhou Atuo Future Technology Co., Ltd
+
 OUI:50E0C7*
 ID_OUI_FROM_DATABASE=TurControlSystme AG

@ -68237,6 +68321,9 @@ OUI:547D40*
 OUI:547DCD*
 ID_OUI_FROM_DATABASE=Texas Instruments

+OUI:547E1A*
+ ID_OUI_FROM_DATABASE=Kaon Group Co., Ltd.
+
 OUI:547F54*
 ID_OUI_FROM_DATABASE=INGENICO

@ -69941,6 +70028,9 @@ OUI:58DB8D*
 OUI:58DC6D*
 ID_OUI_FROM_DATABASE=Exceptional Innovation, Inc.

+OUI:58DF59*
+ ID_OUI_FROM_DATABASE=Cisco Systems, Inc
+
 OUI:58E02C*
 ID_OUI_FROM_DATABASE=Micro Technic A/S

@ -70085,6 +70175,9 @@ OUI:58F987*
 OUI:58F98E*
 ID_OUI_FROM_DATABASE=SECUDOS GmbH

+OUI:58FB3E*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:58FB84*
 ID_OUI_FROM_DATABASE=Intel Corporate

@ -74438,6 +74531,9 @@ OUI:684F64*
 OUI:68505D*
 ID_OUI_FROM_DATABASE=Halo Technologies

+OUI:68508C*
+ ID_OUI_FROM_DATABASE=Shanghai Sunmi Technology Co.,Ltd.
+
 OUI:685134*
 ID_OUI_FROM_DATABASE=Hewlett Packard Enterprise

@ -74849,6 +74945,9 @@ OUI:689A87*
 OUI:689AB7*
 ID_OUI_FROM_DATABASE=Atelier Vision Corporation

+OUI:689B43*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:689C5E*
 ID_OUI_FROM_DATABASE=AcSiP Technology Corp.

@ -94458,7 +94557,7 @@ OUI:7CBD06*
 ID_OUI_FROM_DATABASE=AE REFUsol

 OUI:7CBF77*
- ID_OUI_FROM_DATABASE=SPEEDTECH CORP.
+ ID_OUI_FROM_DATABASE=SPEEDTECH CORP. JIO

 OUI:7CBF88*
 ID_OUI_FROM_DATABASE=Mobilicom LTD
@ -95102,6 +95201,9 @@ OUI:802E14*
 OUI:802EC3*
 ID_OUI_FROM_DATABASE=HUAWEI TECHNOLOGIES CO.,LTD

+OUI:802EDE*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:802FDE*
 ID_OUI_FROM_DATABASE=Zurich Instruments AG

@ -95177,6 +95279,9 @@ OUI:803C20*
 OUI:803E48*
 ID_OUI_FROM_DATABASE=SHENZHEN GONGJIN ELECTRONICS CO.,LT

+OUI:803E4F*
+ ID_OUI_FROM_DATABASE=GD Midea Air-Conditioning Equipment Co.,Ltd.
+
 OUI:803F5D*
 ID_OUI_FROM_DATABASE=Winstars Technology Ltd

@ -95426,6 +95531,9 @@ OUI:8077A4*
 OUI:807871*
 ID_OUI_FROM_DATABASE=ASKEY COMPUTER CORP

+OUI:807933*
+ ID_OUI_FROM_DATABASE=Aigentec Technology(Zhejiang) Co., Ltd.
+
 OUI:80795D*
 ID_OUI_FROM_DATABASE=Infinix mobility limited

@ -97790,6 +97898,9 @@ OUI:884477*
 OUI:8844F6*
 ID_OUI_FROM_DATABASE=Nokia Corporation

+OUI:8845F0*
+ ID_OUI_FROM_DATABASE=GUANGDONG GENIUS TECHNOLOGY CO., LTD.
+
 OUI:884604*
 ID_OUI_FROM_DATABASE=Xiaomi Communications Co Ltd

@ -99572,6 +99683,9 @@ OUI:8C1F64154*
 OUI:8C1F64155*
 ID_OUI_FROM_DATABASE=SLAT

+OUI:8C1F64159*
+ ID_OUI_FROM_DATABASE=Mediana Co., Ltd.
+
 OUI:8C1F6415A*
 ID_OUI_FROM_DATABASE=ASHIDA Electronics Pvt. Ltd

@ -99698,6 +99812,9 @@ OUI:8C1F641B9*
 OUI:8C1F641BB*
 ID_OUI_FROM_DATABASE=Renwei Electronics Technology (Shenzhen) Co.,LTD.

+OUI:8C1F641BC*
+ ID_OUI_FROM_DATABASE=Transit Solutions, LLC.
+
 OUI:8C1F641BD*
 ID_OUI_FROM_DATABASE=DORLET SAU

@ -99797,6 +99914,9 @@ OUI:8C1F64203*
 OUI:8C1F64204*
 ID_OUI_FROM_DATABASE=castcore

+OUI:8C1F64206*
+ ID_OUI_FROM_DATABASE=KRYFS TECHNOLOGIES PRIVATE LIMITED
+
 OUI:8C1F64208*
 ID_OUI_FROM_DATABASE=Sichuan AnSphere Technology Co. Ltd.

@ -100373,6 +100493,9 @@ OUI:8C1F64392*
 OUI:8C1F64393*
 ID_OUI_FROM_DATABASE=GRE SYSTEM INC.

+OUI:8C1F64394*
+ ID_OUI_FROM_DATABASE=Ceranext Ltd
+
 OUI:8C1F64395*
 ID_OUI_FROM_DATABASE=Beijing Ceresdata Technology Co., LTD

@ -100565,6 +100688,9 @@ OUI:8C1F64417*
 OUI:8C1F64419*
 ID_OUI_FROM_DATABASE=Naval Group

+OUI:8C1F6441B*
+ ID_OUI_FROM_DATABASE=ENERGY POWER PRODUCTS LIMITED
+
 OUI:8C1F6441C*
 ID_OUI_FROM_DATABASE=KSE GmbH

@ -102014,6 +102140,9 @@ OUI:8C1F64803*
 OUI:8C1F64804*
 ID_OUI_FROM_DATABASE=EA Elektro-Automatik

+OUI:8C1F64806*
+ ID_OUI_FROM_DATABASE=Matrixspace
+
 OUI:8C1F64807*
 ID_OUI_FROM_DATABASE=GIORDANO CONTROLS SPA

@ -102620,6 +102749,9 @@ OUI:8C1F649B3*
 OUI:8C1F649B6*
 ID_OUI_FROM_DATABASE=GS Elektromedizinsiche Geräte G. Stemple GmbH

+OUI:8C1F649B8*
+ ID_OUI_FROM_DATABASE=Makel Elektrik Malzemeleri A.Ş.
+
 OUI:8C1F649B9*
 ID_OUI_FROM_DATABASE=QUERCUS TECHNOLOGIES, S.L.

@ -104366,6 +104498,9 @@ OUI:8C1F64E80*
 OUI:8C1F64E86*
 ID_OUI_FROM_DATABASE=ComVetia AG

+OUI:8C1F64E88*
+ ID_OUI_FROM_DATABASE=SiFive Inc
+
 OUI:8C1F64E89*
 ID_OUI_FROM_DATABASE=PADL Software Pty Ltd

@ -104828,6 +104963,9 @@ OUI:8C1F64FDA*
 OUI:8C1F64FDC*
 ID_OUI_FROM_DATABASE=Nuphoton Technologies

+OUI:8C1F64FDF*
+ ID_OUI_FROM_DATABASE=Potter Electric Signal Company
+
 OUI:8C1F64FE0*
 ID_OUI_FROM_DATABASE=Potter Electric Signal Company

@ -108248,6 +108386,9 @@ OUI:94A04E*
 OUI:94A07D*
 ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.

+OUI:94A081*
+ ID_OUI_FROM_DATABASE=Silicon Laboratories
+
 OUI:94A1A2*
 ID_OUI_FROM_DATABASE=AMPAK Technology, Inc.

@ -109112,6 +109253,9 @@ OUI:981E0F*
 OUI:981E19*
 ID_OUI_FROM_DATABASE=Sagemcom Broadband SAS

+OUI:981E89*
+ ID_OUI_FROM_DATABASE=Tianyi Telecom Terminals Company Limited
+
 OUI:981FB1*
 ID_OUI_FROM_DATABASE=Shenzhen Lemon Network Technology Co.,Ltd

@ -109841,6 +109985,9 @@ OUI:98A404*
 OUI:98A40E*
 ID_OUI_FROM_DATABASE=Snap, Inc.

+OUI:98A44E*
+ ID_OUI_FROM_DATABASE=IEC Technologies S. de R.L de C.V.
+
 OUI:98A5F9*
 ID_OUI_FROM_DATABASE=Apple, Inc.

@ -111275,6 +111422,9 @@ OUI:9CB793*
 OUI:9CB8B4*
 ID_OUI_FROM_DATABASE=AMPAK Technology,Inc.

+OUI:9CBAC9*
+ ID_OUI_FROM_DATABASE=Telit Communication s.p.a
+
 OUI:9CBB98*
 ID_OUI_FROM_DATABASE=Shen Zhen RND Electronic Co.,LTD

@ -111710,6 +111860,9 @@ OUI:A00BBA*
 OUI:A00CA1*
 ID_OUI_FROM_DATABASE=SKTB SKiT

+OUI:A00CE2*
+ ID_OUI_FROM_DATABASE=Shenzhen Shokz Co., Ltd.
+
 OUI:A00E98*
 ID_OUI_FROM_DATABASE=HUAWEI TECHNOLOGIES CO.,LTD

@ -113801,6 +113954,9 @@ OUI:A47C1F*
 OUI:A47CC9*
 ID_OUI_FROM_DATABASE=HUAWEI TECHNOLOGIES CO.,LTD

+OUI:A47D78*
+ ID_OUI_FROM_DATABASE=Edgecore Americas Networking Corporation
+
 OUI:A47D9F*
 ID_OUI_FROM_DATABASE=Shenzhen iComm Semiconductor CO.,LTD

@ -115011,7 +115167,7 @@ OUI:A87285*
 ID_OUI_FROM_DATABASE=IDT, INC.

 OUI:A8741D*
- ID_OUI_FROM_DATABASE=PHOENIX CONTACT Electronics GmbH
+ ID_OUI_FROM_DATABASE=Phoenix Contact GmbH & Co. KG

 OUI:A87484*
 ID_OUI_FROM_DATABASE=zte corporation
@ -115118,6 +115274,9 @@ OUI:A88D7B*
 OUI:A88E24*
 ID_OUI_FROM_DATABASE=Apple, Inc.

+OUI:A88F99*
+ ID_OUI_FROM_DATABASE=Arista Networks
+
 OUI:A88FD9*
 ID_OUI_FROM_DATABASE=Apple, Inc.

@ -119228,6 +119387,9 @@ OUI:B4C810*
 OUI:B4C9B9*
 ID_OUI_FROM_DATABASE=Sichuan AI-Link Technology Co., Ltd.

+OUI:B4CADD*
+ ID_OUI_FROM_DATABASE=Cisco Systems, Inc
+
 OUI:B4CB57*
 ID_OUI_FROM_DATABASE=GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP.,LTD

@ -120413,6 +120575,9 @@ OUI:B8D4C3*
 OUI:B8D4E7*
 ID_OUI_FROM_DATABASE=Hewlett Packard Enterprise

+OUI:B8D4F7*
+ ID_OUI_FROM_DATABASE=New H3C Technologies Co., Ltd
+
 OUI:B8D50B*
 ID_OUI_FROM_DATABASE=Sunitec Enterprise Co.,Ltd

@ -122114,6 +122279,12 @@ OUI:C02C5C*
 OUI:C02C7A*
 ID_OUI_FROM_DATABASE=Shenzhen Horn Audio Co.,Ltd.

+OUI:C02CED*
+ ID_OUI_FROM_DATABASE=Silicon Laboratories
+
+OUI:C02D2E*
+ ID_OUI_FROM_DATABASE=China Mobile Group Device Co.,Ltd.
+
 OUI:C02DEE*
 ID_OUI_FROM_DATABASE=Cuff

@ -123200,6 +123371,9 @@ OUI:C0F79D*
 OUI:C0F827*
 ID_OUI_FROM_DATABASE=Rapidmax Technology Corporation

+OUI:C0F853*
+ ID_OUI_FROM_DATABASE=Tuya Smart Inc.
+
 OUI:C0F87F*
 ID_OUI_FROM_DATABASE=Cisco Systems, Inc

@ -126368,6 +126542,9 @@ OUI:CC10A3*
 OUI:CC115A*
 ID_OUI_FROM_DATABASE=Apple, Inc.

+OUI:CC1228*
+ ID_OUI_FROM_DATABASE=HISENSE VISUAL TECHNOLOGY CO.,LTD
+
 OUI:CC14A6*
 ID_OUI_FROM_DATABASE=Yichun MyEnergy Domain, Inc

@ -126458,6 +126635,9 @@ OUI:CC1FC4*
 OUI:CC208C*
 ID_OUI_FROM_DATABASE=HUAWEI TECHNOLOGIES CO.,LTD

+OUI:CC20AC*
+ ID_OUI_FROM_DATABASE=Samsung Electronics Co.,Ltd
+
 OUI:CC20E8*
 ID_OUI_FROM_DATABASE=Apple, Inc.

@ -127037,6 +127217,9 @@ OUI:CC896C*
 OUI:CC89FD*
 ID_OUI_FROM_DATABASE=Nokia Corporation

+OUI:CC8A84*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:CC8C17*
 ID_OUI_FROM_DATABASE=ITEL MOBILE LIMITED

@ -127362,7 +127545,7 @@ OUI:CCCCCC*
 ID_OUI_FROM_DATABASE=Silicon Laboratories

 OUI:CCCCEA*
- ID_OUI_FROM_DATABASE=PHOENIX CONTACT Electronics GmbH
+ ID_OUI_FROM_DATABASE=Phoenix Contact GmbH & Co. KG

 OUI:CCCD64*
 ID_OUI_FROM_DATABASE=SM-Electronic GmbH
@ -130773,7 +130956,7 @@ OUI:D822F4*
 ID_OUI_FROM_DATABASE=Avnet Silica

 OUI:D823E0*
- ID_OUI_FROM_DATABASE=SPEEDTECH CORP.
+ ID_OUI_FROM_DATABASE=SPEEDTECH CORP. JIO

 OUI:D82477*
 ID_OUI_FROM_DATABASE=Universal Electric Corporation
@ -130958,6 +131141,9 @@ OUI:D8490B*
 OUI:D8492F*
 ID_OUI_FROM_DATABASE=CANON INC.

+OUI:D849BF*
+ ID_OUI_FROM_DATABASE=CELESTICA INC.
+
 OUI:D84A2B*
 ID_OUI_FROM_DATABASE=zte corporation

@ -131543,6 +131729,9 @@ OUI:D8C771*
 OUI:D8C7C8*
 ID_OUI_FROM_DATABASE=Hewlett Packard Enterprise

+OUI:D8C80C*
+ ID_OUI_FROM_DATABASE=Tuya Smart Inc.
+
 OUI:D8C8E9*
 ID_OUI_FROM_DATABASE=Phicomm (Shanghai) Co., Ltd.

@ -132101,6 +132290,9 @@ OUI:DC41A9*
 OUI:DC41E5*
 ID_OUI_FROM_DATABASE=Shenzhen Zhixin Data Service Co., Ltd.

+OUI:DC42C8*
+ ID_OUI_FROM_DATABASE=Huawei Device Co., Ltd.
+
 OUI:DC44270*
 ID_OUI_FROM_DATABASE=Suritel

@ -133175,6 +133367,9 @@ OUI:E021FE*
 OUI:E02202*
 ID_OUI_FROM_DATABASE=Commscope

+OUI:E022A1*
+ ID_OUI_FROM_DATABASE=AltoBeam Inc.
+
 OUI:E023D7*
 ID_OUI_FROM_DATABASE=Sleep Number

@ -135413,6 +135608,9 @@ OUI:E4FC82*
 OUI:E4FD45*
 ID_OUI_FROM_DATABASE=Intel Corporate

+OUI:E4FD8C*
+ ID_OUI_FROM_DATABASE=Extreme Networks Headquarters
+
 OUI:E4FDA1*
 ID_OUI_FROM_DATABASE=HUAWEI TECHNOLOGIES CO.,LTD

@ -136478,6 +136676,9 @@ OUI:E8CD2D*
 OUI:E8CE06*
 ID_OUI_FROM_DATABASE=SkyHawke Technologies, LLC.

+OUI:E8CF83*
+ ID_OUI_FROM_DATABASE=Dell Inc.
+
 OUI:E8D03C*
 ID_OUI_FROM_DATABASE=Shenzhen Jingxun Software Telecommunication Technology Co.,Ltd

@ -137312,6 +137513,30 @@ OUI:EC748C*
 OUI:EC74BA*
 ID_OUI_FROM_DATABASE=Hirschmann Automation and Control GmbH

+OUI:EC74CD3*
+ ID_OUI_FROM_DATABASE=iSolution Technologies Co.,Ltd.
+
+OUI:EC74CD5*
+ ID_OUI_FROM_DATABASE=Standard Backhaul Communications
+
+OUI:EC74CD6*
+ ID_OUI_FROM_DATABASE=Platypus
+
+OUI:EC74CD8*
+ ID_OUI_FROM_DATABASE=TRANS AUDIO VIDEO SRL
+
+OUI:EC74CD9*
+ ID_OUI_FROM_DATABASE=Sound Health Systems
+
+OUI:EC74CDA*
+ ID_OUI_FROM_DATABASE=Bosch (zhuhai) Security Systems Company, Ltd.
+
+OUI:EC74CDB*
+ ID_OUI_FROM_DATABASE=Hitachi Rail GTS Austria GmbH
+
+OUI:EC74CDD*
+ ID_OUI_FROM_DATABASE=Shenzhen Ting-Shine Technology Co., Ltd.
+
 OUI:EC74D7*
 ID_OUI_FROM_DATABASE=Grandstream Networks Inc

@ -143102,6 +143327,9 @@ OUI:FCB467*
 OUI:FCB4E6*
 ID_OUI_FROM_DATABASE=ASKEY COMPUTER CORP

+OUI:FCB577*
+ ID_OUI_FROM_DATABASE=Cortex Security Inc
+
 OUI:FCB585*
 ID_OUI_FROM_DATABASE=Shenzhen Water World Information Co.,Ltd.

@ -143159,6 +143387,9 @@ OUI:FCC23D*
 OUI:FCC2DE*
 ID_OUI_FROM_DATABASE=Murata Manufacturing Co., Ltd.

+OUI:FCC2E5*
+ ID_OUI_FROM_DATABASE=HOLOWITS TECHNOLOGIES CO.,LTD
+
 OUI:FCC734*
 ID_OUI_FROM_DATABASE=Samsung Electronics Co.,Ltd

--- a/hwdb.d/20-acpi-vendor.hwdb
+++ b/hwdb.d/20-acpi-vendor.hwdb
@ -2019,9 +2019,6 @@ acpi:DEL*:
 acpi:DEM*:
 ID_VENDOR_FROM_DATABASE=DemoPad Software Ltd

-acpi:DEM*:
- ID_VENDOR_FROM_DATABASE=DemoPad Software Ltd
-
 acpi:DEN*:
 ID_VENDOR_FROM_DATABASE=Densitron Computers Ltd

--- a/hwdb.d/20-acpi-vendor.hwdb.patch
+++ b/hwdb.d/20-acpi-vendor.hwdb.patch
@ -1,5 +1,5 @@
--- 20-acpi-vendor.hwdb.base	2024-11-06 10:40:14.734611315 +0000
-+++ 20-acpi-vendor.hwdb	2024-11-06 10:40:14.738611667 +0000
+--- 20-acpi-vendor.hwdb.base	2024-11-15 17:16:38.971258201 +0000
+++ 20-acpi-vendor.hwdb	2024-11-15 17:16:38.979258339 +0000
@@ -3,6 +3,8 @@
 # Data imported from:
 #     https://uefi.org/uefi-pnp-export
@ -137,7 +137,7 @@
 acpi:COI*:
  ID_VENDOR_FROM_DATABASE=Codec Inc.
 
-@@ -2063,7 +2092,7 @@
+@@ -2060,7 +2089,7 @@
  ID_VENDOR_FROM_DATABASE=Dragon Information Technology
 
 acpi:DJE*:
@ -146,7 +146,7 @@
 
 acpi:DJP*:
  ID_VENDOR_FROM_DATABASE=Maygay Machines, Ltd
-@@ -2416,6 +2445,9 @@
+@@ -2413,6 +2442,9 @@
 acpi:EIN*:
  ID_VENDOR_FROM_DATABASE=Elegant Invention
 
@ -156,7 +156,7 @@
 acpi:EKA*:
  ID_VENDOR_FROM_DATABASE=MagTek Inc.
 
-@@ -2686,6 +2718,9 @@
+@@ -2683,6 +2715,9 @@
 acpi:FCG*:
  ID_VENDOR_FROM_DATABASE=First International Computer Ltd
 
@ -166,7 +166,7 @@
 acpi:FCS*:
  ID_VENDOR_FROM_DATABASE=Focus Enhancements, Inc.
 
-@@ -3062,7 +3097,7 @@
+@@ -3059,7 +3094,7 @@
  ID_VENDOR_FROM_DATABASE=General Standards Corporation
 
 acpi:GSM*:
@ -175,7 +175,7 @@
 
 acpi:GSN*:
  ID_VENDOR_FROM_DATABASE=Grandstream Networks, Inc.
-@@ -3172,6 +3207,9 @@
+@@ -3169,6 +3204,9 @@
 acpi:HEC*:
  ID_VENDOR_FROM_DATABASE=Hisense Electric Co., Ltd.
 
@ -185,7 +185,7 @@
 acpi:HEL*:
  ID_VENDOR_FROM_DATABASE=Hitachi Micro Systems Europe Ltd
 
-@@ -3307,6 +3345,9 @@
+@@ -3304,6 +3342,9 @@
 acpi:HSD*:
  ID_VENDOR_FROM_DATABASE=HannStar Display Corp
 
@ -195,7 +195,7 @@
 acpi:HSM*:
  ID_VENDOR_FROM_DATABASE=AT&T Microelectronics
 
-@@ -3433,6 +3474,9 @@
+@@ -3430,6 +3471,9 @@
 acpi:ICI*:
  ID_VENDOR_FROM_DATABASE=Infotek Communication Inc
 
@ -205,7 +205,7 @@
 acpi:ICM*:
  ID_VENDOR_FROM_DATABASE=Intracom SA
 
-@@ -3529,6 +3573,9 @@
+@@ -3526,6 +3570,9 @@
 acpi:IKE*:
  ID_VENDOR_FROM_DATABASE=Ikegami Tsushinki Co. Ltd.
 
@ -215,7 +215,7 @@
 acpi:IKS*:
  ID_VENDOR_FROM_DATABASE=Ikos Systems Inc
 
-@@ -3577,6 +3624,9 @@
+@@ -3574,6 +3621,9 @@
 acpi:IMX*:
  ID_VENDOR_FROM_DATABASE=arpara Technology Co., Ltd.
 
@ -225,7 +225,7 @@
 acpi:INA*:
  ID_VENDOR_FROM_DATABASE=Inventec Corporation
 
-@@ -4105,6 +4155,9 @@
+@@ -4102,6 +4152,9 @@
 acpi:LAN*:
  ID_VENDOR_FROM_DATABASE=Sodeman Lancom Inc
 
@ -235,7 +235,7 @@
 acpi:LAS*:
  ID_VENDOR_FROM_DATABASE=LASAT Comm. A/S
 
-@@ -4156,6 +4209,9 @@
+@@ -4153,6 +4206,9 @@
 acpi:LED*:
  ID_VENDOR_FROM_DATABASE=Long Engineering Design Inc
 
@ -245,7 +245,7 @@
 acpi:LEG*:
  ID_VENDOR_FROM_DATABASE=Legerity, Inc
 
-@@ -4174,6 +4230,9 @@
+@@ -4171,6 +4227,9 @@
 acpi:LGD*:
  ID_VENDOR_FROM_DATABASE=LG Display
 
@ -255,7 +255,7 @@
 acpi:LGI*:
  ID_VENDOR_FROM_DATABASE=Logitech Inc
 
-@@ -4240,6 +4299,9 @@
+@@ -4237,6 +4296,9 @@
 acpi:LND*:
  ID_VENDOR_FROM_DATABASE=Land Computer Company Ltd
 
@ -265,7 +265,7 @@
 acpi:LNK*:
  ID_VENDOR_FROM_DATABASE=Link Tech Inc
 
-@@ -4274,7 +4336,7 @@
+@@ -4271,7 +4333,7 @@
  ID_VENDOR_FROM_DATABASE=Design Technology
 
 acpi:LPL*:
@ -274,7 +274,7 @@
 
 acpi:LSC*:
  ID_VENDOR_FROM_DATABASE=LifeSize Communications
-@@ -4450,6 +4512,9 @@
+@@ -4447,6 +4509,9 @@
 acpi:MCX*:
  ID_VENDOR_FROM_DATABASE=Millson Custom Solutions Inc.
 
@ -284,7 +284,7 @@
 acpi:MDA*:
  ID_VENDOR_FROM_DATABASE=Media4 Inc
 
-@@ -4696,6 +4761,9 @@
+@@ -4693,6 +4758,9 @@
 acpi:MOM*:
  ID_VENDOR_FROM_DATABASE=Momentum Data Systems
 
@ -294,7 +294,7 @@
 acpi:MOS*:
  ID_VENDOR_FROM_DATABASE=Moses Corporation
 
-@@ -4936,6 +5004,9 @@
+@@ -4933,6 +5001,9 @@
 acpi:NAL*:
  ID_VENDOR_FROM_DATABASE=Network Alchemy
 
@ -304,7 +304,7 @@
 acpi:NAT*:
  ID_VENDOR_FROM_DATABASE=NaturalPoint Inc.
 
-@@ -5476,6 +5547,9 @@
+@@ -5473,6 +5544,9 @@
 acpi:PCX*:
  ID_VENDOR_FROM_DATABASE=PC Xperten
 
@ -314,7 +314,7 @@
 acpi:PDM*:
  ID_VENDOR_FROM_DATABASE=Psion Dacom Plc.
 
-@@ -5539,9 +5613,6 @@
+@@ -5536,9 +5610,6 @@
 acpi:PHE*:
  ID_VENDOR_FROM_DATABASE=Philips Medical Systems Boeblingen GmbH
 
@ -324,7 +324,7 @@
 acpi:PHL*:
  ID_VENDOR_FROM_DATABASE=Philips Consumer Electronics Company
 
-@@ -5632,9 +5703,6 @@
+@@ -5629,9 +5700,6 @@
 acpi:PNL*:
  ID_VENDOR_FROM_DATABASE=Panelview, Inc.
 
@ -334,7 +334,7 @@
 acpi:PNR*:
  ID_VENDOR_FROM_DATABASE=Planar Systems, Inc.
 
-@@ -6112,9 +6180,6 @@
+@@ -6109,9 +6177,6 @@
 acpi:RTI*:
  ID_VENDOR_FROM_DATABASE=Rancho Tech Inc
 
@ -344,7 +344,7 @@
 acpi:RTL*:
  ID_VENDOR_FROM_DATABASE=Realtek Semiconductor Company Ltd
 
-@@ -6289,9 +6354,6 @@
+@@ -6286,9 +6351,6 @@
 acpi:SEE*:
  ID_VENDOR_FROM_DATABASE=SeeColor Corporation
 
@ -354,7 +354,7 @@
 acpi:SEI*:
  ID_VENDOR_FROM_DATABASE=Seitz & Associates Inc
 
-@@ -6775,6 +6837,9 @@
+@@ -6772,6 +6834,9 @@
 acpi:SVD*:
  ID_VENDOR_FROM_DATABASE=SVD Computer
 
@ -364,7 +364,7 @@
 acpi:SVI*:
  ID_VENDOR_FROM_DATABASE=Sun Microsystems
 
-@@ -6859,6 +6924,9 @@
+@@ -6856,6 +6921,9 @@
 acpi:SZM*:
  ID_VENDOR_FROM_DATABASE=Shenzhen MTC Co., Ltd
 
@ -374,7 +374,7 @@
 acpi:TAA*:
  ID_VENDOR_FROM_DATABASE=Tandberg
 
-@@ -6949,6 +7017,9 @@
+@@ -6946,6 +7014,9 @@
 acpi:TDG*:
  ID_VENDOR_FROM_DATABASE=Six15 Technologies
 
@ -384,7 +384,7 @@
 acpi:TDM*:
  ID_VENDOR_FROM_DATABASE=Tandem Computer Europe Inc
 
-@@ -6991,6 +7062,9 @@
+@@ -6988,6 +7059,9 @@
 acpi:TEV*:
  ID_VENDOR_FROM_DATABASE=Televés, S.A.
 
@ -394,7 +394,7 @@
 acpi:TEZ*:
  ID_VENDOR_FROM_DATABASE=Tech Source Inc.
 
-@@ -7120,9 +7194,6 @@
+@@ -7117,9 +7191,6 @@
 acpi:TNC*:
  ID_VENDOR_FROM_DATABASE=TNC Industrial Company Ltd
 
@ -404,7 +404,7 @@
 acpi:TNM*:
  ID_VENDOR_FROM_DATABASE=TECNIMAGEN SA
 
-@@ -7432,14 +7503,14 @@
+@@ -7429,14 +7500,14 @@
 acpi:UNC*:
  ID_VENDOR_FROM_DATABASE=Unisys Corporation
 
@ -425,7 +425,7 @@
 
 acpi:UNI*:
  ID_VENDOR_FROM_DATABASE=Uniform Industry Corp.
-@@ -7474,6 +7545,9 @@
+@@ -7471,6 +7542,9 @@
 acpi:USA*:
  ID_VENDOR_FROM_DATABASE=Utimaco Safeware AG
 
@ -435,7 +435,7 @@
 acpi:USD*:
  ID_VENDOR_FROM_DATABASE=U.S. Digital Corporation
 
-@@ -7735,9 +7809,6 @@
+@@ -7732,9 +7806,6 @@
 acpi:WAL*:
  ID_VENDOR_FROM_DATABASE=Wave Access
 
@ -445,7 +445,7 @@
 acpi:WAV*:
  ID_VENDOR_FROM_DATABASE=Wavephore
 
-@@ -7865,7 +7936,7 @@
+@@ -7862,7 +7933,7 @@
  ID_VENDOR_FROM_DATABASE=WyreStorm Technologies LLC
 
 acpi:WYS*:
@ -454,7 +454,7 @@
 
 acpi:WYT*:
  ID_VENDOR_FROM_DATABASE=Wooyoung Image & Information Co.,Ltd.
-@@ -7879,9 +7950,6 @@
+@@ -7876,9 +7947,6 @@
 acpi:XDM*:
  ID_VENDOR_FROM_DATABASE=XDM Ltd.
 
@ -464,7 +464,7 @@
 acpi:XES*:
  ID_VENDOR_FROM_DATABASE=Extreme Engineering Solutions, Inc.
 
-@@ -7915,9 +7983,6 @@
+@@ -7912,9 +7980,6 @@
 acpi:XNT*:
  ID_VENDOR_FROM_DATABASE=XN Technologies, Inc.
 
@ -474,7 +474,7 @@
 acpi:XQU*:
  ID_VENDOR_FROM_DATABASE=SHANGHAI SVA-DAV ELECTRONICS CO., LTD
 
-@@ -7984,6 +8049,9 @@
+@@ -7981,6 +8046,9 @@
 acpi:ZBX*:
  ID_VENDOR_FROM_DATABASE=Zebax Technologies
 
--- a/hwdb.d/60-keyboard.hwdb
+++ b/hwdb.d/60-keyboard.hwdb
@ -1438,6 +1438,11 @@ evdev:input:b0003v046DpC309*
 KEYBOARD_KEY_c01b6=images                              # My Pictures (F11)
 KEYBOARD_KEY_c01b7=audio                               # My Music (F12)

+# Logitech MX Keys for Mac
+evdev:input:b0003v046Dp4092*
+ KEYBOARD_KEY_70035=102nd                               # '<' key
+ KEYBOARD_KEY_70064=grave                               # '^' key
+
 ###########################################################
 # Maxdata
 ###########################################################
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
@ -376,11 +376,12 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svncube:pni1-TF:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svncube:pni7:*
 ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1

-# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B)
+# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B/i18D)
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni7Stylus:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni8-L:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni16:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni18B:*
+sensor:modalias:acpi:KIOX000A*:dmi:*:svnALLDOCUBE:pni18D:*
 ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1

 # Cube iWork 10 Flagship
@ -952,6 +953,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
 ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1

+#########################################
+# Pine64
+#########################################
+
+# PineTab2
+
+sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
+ ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
+
 #########################################
 # Pipo
 #########################################
--- a/hwdb.d/ma-large.txt
+++ b/hwdb.d/ma-large.txt
--- a/hwdb.d/ma-medium.txt
+++ b/hwdb.d/ma-medium.txt
@ -770,12 +770,6 @@ C00000-CFFFFF     (base 16)		HANGZHOU ZHONGKEJIGUANG TECHNOLOGY CO., LTD
 				HANGZHOU  Zhejiang  310018
 				CN

-2C-69-1D   (hex)		SPEEDTECH CORP.
-400000-4FFFFF     (base 16)		SPEEDTECH CORP.
-				No. 568, Sec. 1, Minsheng N. Rd., Guishan Dist., Taoyuan City 338, Taiwan
-				Taoyuan    338
-				TW
-
 2C-69-1D   (hex)		IBM
 800000-8FFFFF     (base 16)		IBM
 				9000 South Rita Rd
@ -6788,6 +6782,30 @@ AC-EF-92   (hex)		CEER NATIONAL AUTOMOTIVE COMPANY
 				Shanghai    201316
 				CN

+0C-47-A9   (hex)		Shenzhen Hahappylife Innovations Electronics Technology Co.,Ltd
+600000-6FFFFF     (base 16)		Shenzhen Hahappylife Innovations Electronics Technology Co.,Ltd
+				103, Bldg1, Meicheng Ind Park, No.4, Xinhe St, Ma’antang Community, Bantian St, Longgang Dist
+				Shenzhen  Guangdong  518000
+				CN
+
+EC-74-CD   (hex)		Bosch (zhuhai) Security Systems Company, Ltd.
+A00000-AFFFFF     (base 16)		Bosch (zhuhai) Security Systems Company, Ltd.
+				20 Ji Chang Bei Road, Qingwan Industrial Estate, | Sanzao Town, Jinwan District
+				Zhuhai  Guangdong  519040
+				CN
+
+0C-47-A9   (hex)		Shanghai Sigen New Energy Technology Co., Ltd
+900000-9FFFFF     (base 16)		Shanghai Sigen New Energy Technology Co., Ltd
+				Room 514 The 5th Floor, No.175 Weizhan Road China (Shanghai) Plilot Free Trade Zone
+				Shanghai    201306
+				CN
+
+2C-69-1D   (hex)		SPEEDTECH CORP. JIO
+400000-4FFFFF     (base 16)		SPEEDTECH CORP. JIO
+				No. 568, Sec. 1, Minsheng N. Rd., Guishan Dist., Taoyuan City 338, Taiwan
+				Taoyuan    338
+				TW
+
 B8-4C-87   (hex)		Shenzhen Link-all Technology Co., Ltd
 300000-3FFFFF     (base 16)		Shenzhen Link-all Technology Co., Ltd
 				Floor 5th, Block 9th, Sunny Industrial Zone, Xili Town, Nanshan District, Shenzhen, China 
@ -13073,6 +13091,18 @@ A00000-AFFFFF     (base 16)		Lens Technology (Xiangtan) Co.,Ltd
 				Xiangtan  Hunan  411100
 				CN

+EC-74-CD   (hex)		Shenzhen Ting-Shine Technology Co., Ltd.
+D00000-DFFFFF     (base 16)		Shenzhen Ting-Shine Technology Co., Ltd.
+				No. 148, Huarong Road, Longhua District, Shenzhen
+				Shenzhen  Guangdong  518083
+				CN
+
+EC-74-CD   (hex)		iSolution Technologies Co.,Ltd.
+300000-3FFFFF     (base 16)		iSolution Technologies Co.,Ltd.
+				5F,Bldg #6, Zhongguan Honghualing Industrial South Park
+				Shenzhen  Guangdong  518055
+				CN
+
 B8-4C-87   (hex)		Altronix , Corp
 A00000-AFFFFF     (base 16)		Altronix , Corp
 				140 58th St. Bldg A, Ste 2N
@ -19862,6 +19892,48 @@ AC-EF-92   (hex)		JiZhiKang (Beijing) Technology Co., Ltd
 				Beijing    100176
 				CN

+0C-47-A9   (hex)		HONGKONG STONEOIM TECHNOLOGY LIMITED
+300000-3FFFFF     (base 16)		HONGKONG STONEOIM TECHNOLOGY LIMITED
+				UNIT 1507C,15/F,EASTCORE 398 KWUN TONG ROAD KWUN TONG KL
+				hongkong  hongkong  999077
+				HK
+
+0C-47-A9   (hex)		Annapurna labs
+200000-2FFFFF     (base 16)		Annapurna labs
+				Matam Scientific Industries Center,   Building 8.2
+				Mail box 15123  Haifa  3508409
+				IL
+
+0C-47-A9   (hex)		BGResearch
+E00000-EFFFFF     (base 16)		BGResearch
+				5, The Business Centre, Harvard Way, Kimbolton, 
+				Huntingdon.  Cambridgeshire  PE28 0NJ
+				GB
+
+EC-74-CD   (hex)		Platypus
+600000-6FFFFF     (base 16)		Platypus
+				6, Wonteo-ro 110beon-gil, Jungwon-gu
+				Gyeonggi-do   Seongnam-si  13360
+				KR
+
+EC-74-CD   (hex)		Sound Health Systems
+900000-9FFFFF     (base 16)		Sound Health Systems
+				650B Fremont Ave #65
+				Los Altos  CA  94024
+				US
+
+EC-74-CD   (hex)		Hitachi Rail GTS Austria GmbH
+B00000-BFFFFF     (base 16)		Hitachi Rail GTS Austria GmbH
+				Handelskai 92
+				Vienna    1200
+				AT
+
+EC-74-CD   (hex)		Standard Backhaul Communications
+500000-5FFFFF     (base 16)		Standard Backhaul Communications
+				333 South Highland Ave
+				Briarcliff Manor    10510
+				US
+
 D0-14-11   (hex)		P.B. Elettronica srl
 100000-1FFFFF     (base 16)		P.B. Elettronica srl
 				Via Santorelli, 8
@ -26459,6 +26531,12 @@ C00000-CFFFFF     (base 16)		Senix
 0C-47-A9   (hex)		Private
 400000-4FFFFF     (base 16)		Private

+0C-47-A9   (hex)		Honest Networks LLC
+800000-8FFFFF     (base 16)		Honest Networks LLC
+				15 Maiden LnSte 1101
+				New York  NY  10038
+				US
+
 C8-5C-E2   (hex)		Fela Management AG 
 000000-0FFFFF     (base 16)		Fela Management AG 
 				Basadingerstrasse 18
@ -33206,8 +33284,20 @@ C00000-CFFFFF     (base 16)		Annapurna labs
 				Mail box 15123  Haifa  3508409
 				IL

+0C-47-A9   (hex)		Everon Co., Ltd.
+500000-5FFFFF     (base 16)		Everon Co., Ltd.
+				3F.Pine Avenue B, 100, Eulji-ro, Jung-gu
+				Seoul    04551
+				KR
+
 0C-47-A9   (hex)		Shenzhen Hebang Electronic Co., Ltd
 B00000-BFFFFF     (base 16)		Shenzhen Hebang Electronic Co., Ltd
 				2nd Floor West, Bldg B, Kelunte Low Carbon Industry Park, Huarong Road, Dalang, Longhua District
 				Shenzhen    518000
 				CN
+
+EC-74-CD   (hex)		TRANS AUDIO VIDEO SRL
+800000-8FFFFF     (base 16)		TRANS AUDIO VIDEO SRL
+				Viale Melvin Jones 12
+				Caserta  CE  81100
+				IT
--- a/hwdb.d/ma-small.txt
+++ b/hwdb.d/ma-small.txt
@ -7457,6 +7457,24 @@ D04000-D04FFF     (base 16)		Plenty Unlimited Inc
 				HongKong    999077
 				HK

+8C-1F-64   (hex)		KRYFS TECHNOLOGIES PRIVATE LIMITED
+206000-206FFF     (base 16)		KRYFS TECHNOLOGIES PRIVATE LIMITED
+				SURVEY NO 231 KHERDI MAIN ROAD NEAR HPCL KHERDI SILVASSA
+				SILVASSA  DADRA AND NAGAR HAVELI  396230
+				IN
+
+8C-1F-64   (hex)		Matrixspace
+806000-806FFF     (base 16)		Matrixspace
+				1721 Moon Lake BlvdSTE 200
+				Hoffman Estates  IL  60169
+				US
+
+8C-1F-64   (hex)		ENERGY POWER PRODUCTS LIMITED
+41B000-41BFFF     (base 16)		ENERGY POWER PRODUCTS LIMITED
+				7/F, Room 701, Lucky Centre, 165-171,  Wanchai Road
+				Wanchai    000000
+				HK
+
 8C-1F-64   (hex)		Jacobs Technology, Inc.
 A98000-A98FFF     (base 16)		Jacobs Technology, Inc.
 				7765 Old Telegraph Road
@ -22361,6 +22379,12 @@ A8C000-A8CFFF     (base 16)		Elektronik Art
 				Lublin  Lublin  20234
 				PL

+8C-1F-64   (hex)		Anduril Imaging
+763000-763FFF     (base 16)		Anduril Imaging
+				83 Hartwell Ave 
+				Lexington  MA  02421
+				US
+
 8C-1F-64   (hex)		Wuhan YiValley Opto-electric technology Co.,Ltd
 175000-175FFF     (base 16)		Wuhan YiValley Opto-electric technology Co.,Ltd
 				A104,1st stage Juxian Building, Hongshan internatinoal enterprise center
@ -22379,12 +22403,6 @@ C60000-C60FFF     (base 16)		Intelligent Security Systems (ISS)
 				Woodbridge  NJ  07095
 				US

-8C-1F-64   (hex)		Anduril Imaging
-763000-763FFF     (base 16)		Anduril Imaging
-				83 Hartwell Ave 
-				Lexington  MA  02421
-				US
-
 8C-1F-64   (hex)		Flow Power
 82B000-82BFFF     (base 16)		Flow Power
 				Suite 2, Level 3, 18 - 20 York St
@ -29885,12 +29903,42 @@ BA7000-BA7FFF     (base 16)		iLensys Technologies PVT LTD
 				Thiruvananthapuram  KERALA  695014
 				IN

+8C-1F-64   (hex)		Potter Electric Signal Company
+FDF000-FDFFFF     (base 16)		Potter Electric Signal Company
+				5757 Phantom Drive
+				Hazelwood  MO  63042
+				US
+
 8C-1F-64   (hex)		Hurry-tech
 F19000-F19FFF     (base 16)		Hurry-tech
 				Greenland  Central Plaza ,Building 1 of Yard 9,Room 601
 				Beijing  Beijing  100089
 				CN

+8C-1F-64   (hex)		Transit Solutions, LLC.
+1BC000-1BCFFF     (base 16)		Transit Solutions, LLC.
+				114 West Grandview Avenue
+				Zelienople  PA  16063
+				US
+
+8C-1F-64   (hex)		Ceranext Ltd
+394000-394FFF     (base 16)		Ceranext Ltd
+				25-27 Demostheni Severi ,Metropolis Tower,Building B',1080 Cyprus
+				Nicosia    1080
+				CY
+
+8C-1F-64   (hex)		SiFive Inc
+E88000-E88FFF     (base 16)		SiFive Inc
+				2625 Augustine DriveSuite 101
+				Santa Clara  CA  95054
+				US
+
+8C-1F-64   (hex)		Makel Elektrik Malzemeleri A.Ş.
+9B8000-9B8FFF     (base 16)		Makel Elektrik Malzemeleri A.Ş.
+				Osmangazi Mah.Mareşal Fevzi Çakmak Cad. No:38 KIRAÇ / Esenyurt
+				ESENYURT  İstanbul  34522
+				TR
+
 8C-1F-64   (hex)		Mobileye
 D63000-D63FFF     (base 16)		Mobileye
 				13 Hartom st.
@ -37294,3 +37342,9 @@ BD9000-BD9FFF     (base 16)		WATTS
 				C. Valportillo Segunda, 8 bis
 				Alcobendas  Madrid  28108
 				ES
+
+8C-1F-64   (hex)		Mediana Co., Ltd.
+159000-159FFF     (base 16)		Mediana Co., Ltd.
+				132, Donghwagongdan-ro, Munmak-eup
+				Wonju-si  Gangwon-do  26365
+				KR
--- a/hwdb.d/pnp_id_registry.csv
+++ b/hwdb.d/pnp_id_registry.csv
@ -2540,7 +2540,6 @@ AVARRO,RRO,08/07/2023
 "LUMINO Licht Elektronik GmbH",LLT,11/07/2023
 "Reonel Oy",RNL,01/04/2024
 DemoPad Software Ltd,DEM,01/04/2024
-DemoPad Software Ltd,DEM,01/04/2024
 "TeamViewer Germany GmbH",TMV,01/04/2024
 "Pixio USA",PXO,02/14/2024
 "ELARABY COMPANY FOR ENGINEERING INDUSTRIES",EEI,02/14/2024
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@ -421,7 +421,7 @@
        <term><varname>rd.systemd.verity=</varname></term>
        <term><varname>systemd.verity_root_data=</varname></term>
        <term><varname>systemd.verity_root_hash=</varname></term>
-        <term><varname>systemd.verity.root_options=</varname></term>
+        <term><varname>systemd.verity_root_options=</varname></term>
        <term><varname>usrhash=</varname></term>
        <term><varname>systemd.verity_usr_data=</varname></term>
        <term><varname>systemd.verity_usr_hash=</varname></term>
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@ -265,32 +265,11 @@
  </refsect1>

  <refsect1>
-    <title>Options</title>
+    <title>Unlocking</title>

-    <para>The following options are understood:</para>
+    <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>

    <variablelist>
-      <varlistentry>
-        <term><option>--password</option></term>
-
-        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
-        <command>cryptsetup luksAddKey</command>, however may be combined with
-        <option>--wipe-slot=</option> in one call, see below.</para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--recovery-key</option></term>
-
-        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
-        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
-        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
-        </para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>

@ -328,7 +307,45 @@

        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>Simple Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll simple user input based
+    unlocking:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>--password</option></term>
+
+        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
+        <command>cryptsetup luksAddKey</command>, however may be combined with
+        <option>--wipe-slot=</option> in one call, see below.</para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--recovery-key</option></term>
+
+        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
+        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
+        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
+        </para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>PKCS#11 Enrollment</title>
+
+    <para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>

@ -361,7 +378,15 @@

        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>FIDO2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>TPM2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll TPM2 devices:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>

@ -636,7 +669,15 @@

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>Other Options</title>
+
+    <para>The following additional options are understood:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>

--- a/man/version-info.xml
+++ b/man/version-info.xml
@ -81,4 +81,7 @@
  <para id="v255">Added in version 255.</para>
  <para id="v256">Added in version 256.</para>
  <para id="v257">Added in version 257.</para>
+  <para id="v258">Added in version 258.</para>
+  <para id="v259">Added in version 259.</para>
+  <para id="v260">Added in version 260.</para>
 </refsect1>
--- a/meson.build
+++ b/meson.build
@ -2674,6 +2674,14 @@ endif

 #####################################################################

+ukify_depends = []
+
+foreach executable : ['systemd-measure', 'systemd-sbsign', 'systemd-keyutil']
+        if executable in executables_by_name
+                ukify_depends += [executables_by_name[executable]]
+        endif
+endforeach
+
 ukify = custom_target(
        'ukify',
        input : 'src/ukify/ukify.py',
@ -2681,6 +2689,7 @@ ukify = custom_target(
        command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
        install : want_ukify,
        install_mode : 'rwxr-xr-x',
+        depends : ukify_depends,
        install_dir : bindir)
 if want_ukify
        public_programs += ukify
@ -2700,7 +2709,7 @@ endif

 mkosi_depends = public_programs

-foreach executable : ['systemd-journal-remote', 'systemd-measure', 'systemd-sbsign', 'systemd-keyutil']
+foreach executable : ['systemd-journal-remote', 'systemd-sbsign', 'systemd-keyutil']
        if executable in executables_by_name
                mkosi_depends += [executables_by_name[executable]]
        endif
--- a/meson.version
+++ b/meson.version
@ -1 +1 @@
-257~rc1
+257~rc2
--- a/mkosi.images/build/mkosi.build.chroot
+++ b/mkosi.images/build/mkosi.build.chroot
@ -0,0 +1,7 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [[ "$1" == "clangd" ]]; then
+    exec "$@"
+fi
--- a/mkosi.images/build/mkosi.conf.d/arch/mkosi.build.chroot
+++ b/mkosi.images/build/mkosi.conf.d/arch/mkosi.build.chroot
@ -2,10 +2,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e

-if [[ "$1" == "clangd" ]]; then
-    exec "$@"
-fi
-
 if [[ ! -f "pkg/$PKG_SUBDIR/PKGBUILD" ]]; then
    echo "PKGBUILD not found at pkg/$PKG_SUBDIR/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
    exit 1
--- a/mkosi.images/build/mkosi.conf.d/arch/mkosi.conf
+++ b/mkosi.images/build/mkosi.conf.d/arch/mkosi.conf
@ -7,7 +7,7 @@ Distribution=arch
 Environment=
        GIT_URL=https://gitlab.archlinux.org/archlinux/packaging/packages/systemd.git
        GIT_BRANCH=main
-        GIT_COMMIT=62c224b60ca150627be58ca2da50f47cc0a5793c
+        GIT_COMMIT=29a73017cd380cd8db070dbd560e229d523b3c79
        PKG_SUBDIR=arch

 [Content]
--- a/mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.conf
+++ b/mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.conf
@ -8,7 +8,7 @@ Distribution=|fedora
 Environment=
        GIT_URL=https://src.fedoraproject.org/rpms/systemd.git
        GIT_BRANCH=rawhide
-        GIT_COMMIT=e42eed4afd6267cd954d393d8eec79e0e7573de0
+        GIT_COMMIT=7bd1d09f7fd16d20a041de0eb9af7cc8dbef6a99
        PKG_SUBDIR=fedora

 [Content]
--- a/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.conf
+++ b/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.conf
@ -9,7 +9,7 @@ Environment=
        GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
        GIT_SUBDIR=debian
        GIT_BRANCH=debian/master
-        GIT_COMMIT=48fabbd5d240a70fce6712b6161f29b40b2fc7de
+        GIT_COMMIT=51cd22f3684725a1b199012555e7378f2f468c16
        PKG_SUBDIR=debian

 [Content]
--- a/po/de.po
+++ b/po/de.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-09 20:13+0000\n"
+"PO-Revision-Date: 2024-11-17 15:48+0000\n"
 "Last-Translator: Weblate Translation Memory <noreply-mt-weblate-translation-"
 "memory@weblate.org>\n"
 "Language-Team: German <https://translate.fedoraproject.org/projects/systemd/"
@ -187,9 +187,11 @@ msgstr ""
 "benötigte Speichermedium oder Dateisystem ein."

 #: src/home/pam_systemd_home.c:298
-#, fuzzy, c-format
+#, c-format
 msgid "Too frequent login attempts for user %s, try again later."
-msgstr "Zu häufige Loginversuche für %s. Bitte später erneut probieren."
+msgstr ""
+"Zu viele Anmeldeversuche für Benutzer %s, versuchen Sie es später noch "
+"einmal."

 #: src/home/pam_systemd_home.c:310
 msgid "Password: "
@ -1189,18 +1191,16 @@ msgid "Subscribe query results"
 msgstr "Abfrageergebnisse abonnieren"

 #: src/resolve/org.freedesktop.resolve1.policy:144
-#, fuzzy
 msgid "Authentication is required to subscribe query results."
-msgstr "Legitimierung ist zum Versetzen des Systems in Bereitschaft notwendig."
+msgstr "Legitimierung ist zum Abonnieren von Abfrageergebnissen erforderlich."

 #: src/resolve/org.freedesktop.resolve1.policy:154
 msgid "Dump cache"
 msgstr ""

 #: src/resolve/org.freedesktop.resolve1.policy:155
-#, fuzzy
 msgid "Authentication is required to dump cache."
-msgstr "Legitimierung ist zum Festlegen von Domains notwendig."
+msgstr ""

 #: src/resolve/org.freedesktop.resolve1.policy:165
 msgid "Dump server state"
@ -1248,20 +1248,21 @@ msgid "Install specific system version"
 msgstr "Spezifische Systemversion installieren"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:56
-#, fuzzy
 msgid ""
 "Authentication is required to update the system to a specific (possibly old) "
 "version."
-msgstr "Legitimierung ist zum Festlegen der Systemzeitzone notwendig."
+msgstr ""
+"Legitimierung ist zum Aktualisieren des Systems auf eine bestimmte ("
+"möglicherweise alte) Version erforderlich."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:65
 msgid "Cleanup old system updates"
 msgstr "Alte Systemaktualisierungen bereinigen"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:66
-#, fuzzy
 msgid "Authentication is required to cleanup old system updates."
-msgstr "Legitimierung ist zum Festlegen der Systemzeit notwendig."
+msgstr ""
+"Legitimierung ist zum Bereinigen alter Systemaktualisierungen erforderlich."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
@ -1269,11 +1270,8 @@ msgstr "Optionale Funktionen verwalten"

 # https://www.freedesktop.org/software/systemd/man/sd-login.html
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Legitimierung ist zur Verwaltung aktiver Sitzungen, Benutzern und "
-"Arbeitsstationen notwendig."
+msgstr "Legitimierung ist zur Verwaltung optionaler Funktionen erforderlich"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/fi.po
+++ b/po/fi.po
@ -3,12 +3,13 @@
 # Finnish translation of systemd.
 # Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2023.
 # Ricky Tigg <ricky.tigg@gmail.com>, 2022, 2024.
+# Jiri Grönroos <jiri.gronroos@iki.fi>, 2024.
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-09-12 13:43+0000\n"
-"Last-Translator: Ricky Tigg <ricky.tigg@gmail.com>\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>\n"
 "Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/"
 "main/fi/>\n"
 "Language: fi\n"
@ -16,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.7.2\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -112,14 +113,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "Todennus vaaditaan käyttäjän kotialueen päivittämiseksi."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "Päivitä kotialue"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "Todennus vaaditaan käyttäjän kotialueen päivittämiseksi."
+msgstr "Todennus vaaditaan kotialueen päivittämiseksi."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1174,14 +1173,11 @@ msgstr "Todennus vaaditaan vanhojen järjestelmäpäivitysten puhdistamiseen."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Hallitse valinnaisia ominaisuuksia"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Todennus vaaditaan aktiivisten istuntojen, käyttäjien ja paikkojen "
-"hallintaan."
+msgstr "Todennus vaaditaan valinnaisten ominaisuuksien hallintaan"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/fr.po
+++ b/po/fr.po
@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-07 09:30+0000\n"
+"PO-Revision-Date: 2024-11-23 10:38+0000\n"
 "Last-Translator: Léane GRASSER <leane.grasser@proton.me>\n"
 "Language-Team: French <https://translate.fedoraproject.org/projects/systemd/"
 "main/fr/>\n"
@ -360,8 +360,8 @@ msgid ""
 "Authentication is required to set the statically configured local hostname, "
 "as well as the pretty hostname."
 msgstr ""
-"Une authentification est requise pour définir le nom d'hôte local de manière "
-"statique, ainsi que le nom d'hôte familier."
+"Une authentification est requise pour définir le nom d'hôte local configuré "
+"de manière statique, ainsi que le nom d'hôte convivial."

 #: src/hostname/org.freedesktop.hostname1.policy:41
 msgid "Set machine information"
@ -1258,7 +1258,7 @@ msgstr ""

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr "Gérer les fonctionnalités en option"
+msgstr "Gérer les fonctionnalités facultatives"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"
--- a/po/he.po
+++ b/po/he.po
@ -1,22 +1,22 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
-# Yaron Shahrabani <sh.yaron@gmail.com>, 2023.
+# Yaron Shahrabani <sh.yaron@gmail.com>, 2023, 2024.
 msgid ""
 msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2023-11-22 00:01+0000\n"
+"PO-Revision-Date: 2024-11-19 07:38+0000\n"
 "Last-Translator: Yaron Shahrabani <sh.yaron@gmail.com>\n"
 "Language-Team: Hebrew <https://translate.fedoraproject.org/projects/systemd/"
-"master/he/>\n"
+"main/he/>\n"
 "Language: he\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=4; plural=(n == 1) ? 0 : ((n == 2) ? 1 : ((n > 10 && "
 "n % 10 == 0) ? 2 : 3));\n"
-"X-Generator: Weblate 5.2\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -106,14 +106,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "נדרש אימות כדי לעדכן אזור בית למשתמש."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
-msgstr "עדכון אזור בית"
+msgstr "עדכון אזור הבית שלך"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "נדרש אימות כדי לעדכן אזור בית למשתמש."
+msgstr "נדרש אימות כדי לעדכן את אזור הבית שלך."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -133,14 +131,12 @@ msgid ""
 msgstr "נדרש אימות כדי להחליף סיסמה של אזור בית למשתמש."

 #: src/home/org.freedesktop.home1.policy:83
-#, fuzzy
 msgid "Activate a home area"
-msgstr "יצירת אזור בית"
+msgstr "הפעלת אזור בית"

 #: src/home/org.freedesktop.home1.policy:84
-#, fuzzy
 msgid "Authentication is required to activate a user's home area."
-msgstr "נדרש אימות כדי ליצור אזור בית למשתמש."
+msgstr "נדרש אימות כדי להפעיל אזור בית של משתמש."

 #: src/home/pam_systemd_home.c:293
 #, c-format
@ -351,46 +347,37 @@ msgid "Authentication is required to get system description."
 msgstr "נדרש אימות כדי למשוך את תיאור המערכת."

 #: src/import/org.freedesktop.import1.policy:22
-#, fuzzy
 msgid "Import a disk image"
-msgstr "לייבא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "ייבוא דמות כונן"

 #: src/import/org.freedesktop.import1.policy:23
-#, fuzzy
 msgid "Authentication is required to import an image."
-msgstr ""
-"נדרש אימות כדי לייבא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "נדרש אימות כדי לייבא דמות."

 #: src/import/org.freedesktop.import1.policy:32
-#, fuzzy
 msgid "Export a disk image"
-msgstr "ייצוא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "ייצוא דמות כונן"

 #: src/import/org.freedesktop.import1.policy:33
-#, fuzzy
 msgid "Authentication is required to export disk image."
-msgstr ""
-"נדרש אימות כדי לייצא מכונה וירטואלית או דמות של מכולה (container image)"
+msgstr "נדרש אימות כדי לייצא דמות כונן."

 #: src/import/org.freedesktop.import1.policy:42
-#, fuzzy
 msgid "Download a disk image"
-msgstr "הורדת מכונה וירטואלית או דמות מכולה"
+msgstr "הורדת דמות כונן"

 #: src/import/org.freedesktop.import1.policy:43
-#, fuzzy
 msgid "Authentication is required to download a disk image."
-msgstr "נדרש אימות כדי להוריד מכונה וירטואלית או דמות מכולה"
+msgstr "נדרש אימות כדי להוריד דמות כונן."

 #: src/import/org.freedesktop.import1.policy:52
 msgid "Cancel transfer of a disk image"
-msgstr ""
+msgstr "ביטול העברה של דמות כונן"

 #: src/import/org.freedesktop.import1.policy:53
-#, fuzzy
 msgid ""
 "Authentication is required to cancel the ongoing transfer of a disk image."
-msgstr "נדרש אימות כדי להחליף סיסמה של אזור בית למשתמש."
+msgstr "נדרש אימות כדי לבטל העברה של דמות כונן שמתבצעת בזמן אמת."

 #: src/locale/org.freedesktop.locale1.policy:22
 msgid "Set system locale"
@ -732,9 +719,8 @@ msgid "Set a wall message"
 msgstr "הגדרת הודעת קיר"

 #: src/login/org.freedesktop.login1.policy:397
-#, fuzzy
 msgid "Authentication is required to set a wall message."
-msgstr "נדרש אימות כדי להגדיר הודעת קיר"
+msgstr "נדרש אימות כדי להגדיר הודעת קיר."

 #: src/login/org.freedesktop.login1.policy:406
 msgid "Change Session"
@ -804,16 +790,14 @@ msgstr ""
 "נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."

 #: src/machine/org.freedesktop.machine1.policy:95
-#, fuzzy
 msgid "Create a local virtual machine or container"
-msgstr "ניהול מכונות וירטואליות ומכולות מקומיות"
+msgstr "יצירת מכונה וירטואלית או מכולה מקומיות"

 #: src/machine/org.freedesktop.machine1.policy:96
-#, fuzzy
 msgid ""
 "Authentication is required to create a local virtual machine or container."
 msgstr ""
-"נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."
+"נדרש אימות כדי ליצור מכונות וירטואליות (VM) או מכולות (container) מקומיות."

 #: src/machine/org.freedesktop.machine1.policy:106
 msgid "Manage local virtual machine and container images"
@ -965,13 +949,13 @@ msgstr "נדרש אימות כדי להגדיר כרטיס רשת מחדש."

 #: src/network/org.freedesktop.network1.policy:187
 msgid "Specify whether persistent storage for systemd-networkd is available"
-msgstr ""
+msgstr "נא לציין האם יש אחסון קבוע זמין ל־systemd-networkd"

 #: src/network/org.freedesktop.network1.policy:188
 msgid ""
 "Authentication is required to specify whether persistent storage for systemd-"
 "networkd is available."
-msgstr ""
+msgstr "נדרש אימות כדי לציין האם אחסון קבוע זמין ל־systemd-networkd."

 #: src/portable/org.freedesktop.portable1.policy:13
 msgid "Inspect a portable service image"
@ -1004,18 +988,16 @@ msgid "Register a DNS-SD service"
 msgstr "רישום שירות DNS-SD"

 #: src/resolve/org.freedesktop.resolve1.policy:23
-#, fuzzy
 msgid "Authentication is required to register a DNS-SD service."
-msgstr "נדרש אימות כדי לרשום שירות DNS-SD"
+msgstr "נדרש אימות כדי לרשום שירות DNS-SD."

 #: src/resolve/org.freedesktop.resolve1.policy:33
 msgid "Unregister a DNS-SD service"
 msgstr "ביטול רישום שירות DNS-SD"

 #: src/resolve/org.freedesktop.resolve1.policy:34
-#, fuzzy
 msgid "Authentication is required to unregister a DNS-SD service."
-msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD"
+msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD."

 #: src/resolve/org.freedesktop.resolve1.policy:132
 msgid "Revert name resolution settings"
@ -1027,95 +1009,85 @@ msgstr "נדרש אימות כדי לאפס את הגדרות פתרון השמ

 #: src/resolve/org.freedesktop.resolve1.policy:143
 msgid "Subscribe query results"
-msgstr ""
+msgstr "רישום לתוצאות שאילתה"

 #: src/resolve/org.freedesktop.resolve1.policy:144
-#, fuzzy
 msgid "Authentication is required to subscribe query results."
-msgstr "נדרש אימות כדי להשהות את המערכת."
+msgstr "נדרש אימות כדי להירשם לתוצאות שאילתה."

 #: src/resolve/org.freedesktop.resolve1.policy:154
 msgid "Dump cache"
-msgstr ""
+msgstr "היטל המטמון"

 #: src/resolve/org.freedesktop.resolve1.policy:155
-#, fuzzy
 msgid "Authentication is required to dump cache."
-msgstr "נדרש אימות כדי להגדיר שמות תחום."
+msgstr "נדרש אימות כדי להטיל את המטמון."

 #: src/resolve/org.freedesktop.resolve1.policy:165
 msgid "Dump server state"
-msgstr ""
+msgstr "היטל מצב השרת"

 #: src/resolve/org.freedesktop.resolve1.policy:166
-#, fuzzy
 msgid "Authentication is required to dump server state."
-msgstr "נדרש אימות כדי להגדיר שרתי NTP."
+msgstr "נדרש אימות כדי להטיל את מצב השרת."

 #: src/resolve/org.freedesktop.resolve1.policy:176
 msgid "Dump statistics"
-msgstr ""
+msgstr "היטל סטטיסטיקה"

 #: src/resolve/org.freedesktop.resolve1.policy:177
-#, fuzzy
 msgid "Authentication is required to dump statistics."
-msgstr "נדרש אימות כדי להגדיר שמות תחום."
+msgstr "נדרש אימות כדי להטיל סטטיסטיקה."

 #: src/resolve/org.freedesktop.resolve1.policy:187
 msgid "Reset statistics"
-msgstr ""
+msgstr "איפוס סטטיסטיקה"

 #: src/resolve/org.freedesktop.resolve1.policy:188
-#, fuzzy
 msgid "Authentication is required to reset statistics."
-msgstr "נדרש אימות כדי לאפס הגדרות NTP."
+msgstr "נדרש אימות כדי לאפס סטטיסטיקה."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:35
 msgid "Check for system updates"
-msgstr ""
+msgstr "חיפוש עדכוני מערכת"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:36
-#, fuzzy
 msgid "Authentication is required to check for system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי לחפש עדכוני מערכת."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:45
 msgid "Install system updates"
-msgstr ""
+msgstr "התקנת עדכוני מערכת"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:46
-#, fuzzy
 msgid "Authentication is required to install system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי להתקין עדכוני מערכת."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:55
 msgid "Install specific system version"
-msgstr ""
+msgstr "התקנת גרסת מערכת מסוימת"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:56
-#, fuzzy
 msgid ""
 "Authentication is required to update the system to a specific (possibly old) "
 "version."
-msgstr "נדרש אימות כדי להגדיר את אזור הזמן של המערכת."
+msgstr "נדרש אימות כדי לעדכן את המערכת לגרסה מסוימת (כנראה ישנה)."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:65
 msgid "Cleanup old system updates"
-msgstr ""
+msgstr "ניקוי עדכוני מערכת ישנים"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:66
-#, fuzzy
 msgid "Authentication is required to cleanup old system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי לנקות עדכוני מערכת ישנים."

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "ניהול יכולות רשות"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr "נדרש אימות כדי לנהל הפעלות, משתמשים ומושבים פעילים."
+msgstr "נדרש אימות כדי לנהל יכולות רשות"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/ja.po
+++ b/po/ja.po
@ -6,7 +6,7 @@
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-06 14:42+0000\n"
+"POT-Creation-Date: 2024-11-18 12:55+0900\n"
 "PO-Revision-Date: 2021-09-09 03:04+0000\n"
 "Last-Translator: Takuro Onoue <kusanaginoturugi@gmail.com>\n"
 "Language-Team: Japanese <https://translate.fedoraproject.org/projects/"
@ -106,14 +106,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "ユーザのホーム領域の更新には認証が必要です。"

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "ホーム領域の更新"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "ユーザのホーム領域の更新には認証が必要です。"
+msgstr "ホーム領域の更新には認証が必要です。"

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1120,12 +1118,11 @@ msgstr "過去のシステム更新を削除するには認証が必要です。

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "任意の機能の管理"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr "アクティブなセッションやユーザ，シートを管理するには認証が必要です。"
+msgstr "任意の機能を管理するには認証が必要です。"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/ru.po
+++ b/po/ru.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-07 09:30+0000\n"
+"PO-Revision-Date: 2024-11-17 13:38+0000\n"
 "Last-Translator: \"Sergey A.\" <Ser82-png@yandex.ru>\n"
 "Language-Team: Russian <https://translate.fedoraproject.org/projects/systemd/"
 "main/ru/>\n"
@ -1280,7 +1280,7 @@ msgstr "Управление дополнительными функциями"
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"
 msgstr ""
-"Для управления дополнительными функциями необходимо пройти аутентификацию."
+"Для управления дополнительными функциями необходимо пройти аутентификацию"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/sl.po
+++ b/po/sl.po
@ -7,7 +7,7 @@ msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-08-26 19:38+0000\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
 "Last-Translator: Martin Srebotnjak <miles@filmsi.net>\n"
 "Language-Team: Slovenian <https://translate.fedoraproject.org/projects/"
 "systemd/main/sl/>\n"
@ -17,7 +17,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=4; plural=n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || "
 "n%100==4 ? 2 : 3;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -125,16 +125,13 @@ msgstr ""
 "območja."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "Posodobite domače območje"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
 msgstr ""
-"Preverjanje pristnosti je potrebno za posodobitev uporabnikovega domačega "
-"območja."
+"Preverjanje pristnosti je potrebno za posodobitev vašega domačega območja."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1234,14 +1231,12 @@ msgstr ""

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Upravljaj dodatne funkcionalnosti"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
 msgstr ""
-"Preverjanje pristnosti je potrebno za upravljanje aktivnih sej, uporabnikov "
-"in delovišč."
+"Preverjanje pristnosti je potrebno za upravljanje dodatnih funkcionalnosti."

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/po/uk.po
+++ b/po/uk.po
@ -4,11 +4,12 @@
 # Eugene Melnik <jeka7js@gmail.com>, 2014.
 # Daniel Korostil <ted.korostiled@gmail.com>, 2014, 2016, 2018.
 # Yuri Chornoivan <yurchor@ukr.net>, 2019, 2020, 2021, 2022, 2023, 2024.
+# Dmytro Markevych <hotr1pak@gmail.com>, 2024.
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-08-24 10:36+0000\n"
+"PO-Revision-Date: 2024-11-21 19:38+0000\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
 "systemd/main/uk/>\n"
@ -18,7 +19,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
 "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.8.2\n"

 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@ -118,14 +119,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "Для оновлення домашньої теки користувача слід пройти розпізнавання."

 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
-msgstr "Оновлення домашньої теки"
+msgstr "Оновлення домашньої області"

 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "Для оновлення домашньої теки користувача слід пройти розпізнавання."
+msgstr "Для оновлення домашньої області слід пройти розпізнавання."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1212,14 +1211,11 @@ msgstr "Для вилучення застарілих оновлень сист

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Керування додатковими функціями"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Для того, щоб керувати сеансами, користувачами і робочими місцями, слід "
-"пройти розпізнавання."
+msgstr "Для керування додатковими можливостями слід пройти розпізнавання"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@ -38,19 +38,12 @@ __get_tpm2_devices() {
    done
 }

-__get_block_devices() {
-    local i
-    for i in /dev/*; do
-        [ -b "$i" ] && printf '%s\n' "$i"
-    done
-}
-
 _systemd_cryptenroll() {
    local comps
    local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
    local -A OPTS=(
        [STANDALONE]='-h --help --version
-                     --password --recovery-key'
+                     --password --recovery-key --list-devices'
        [ARG]='--unlock-key-file
               --unlock-fido2-device
               --unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
        return 0
    fi

-    comps=$(__get_block_devices)
+    comps=$(systemd-cryptenroll --list-devices)
    COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
    return 0
 }
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@ -799,16 +799,20 @@ int cg_pid_get_path(const char *controller, pid_t pid, char **ret_path) {
                                continue;
                }

-                char *path = strdup(e + 1);
+                _cleanup_free_ char *path = strdup(e + 1);
                if (!path)
                        return -ENOMEM;

+                /* Refuse cgroup paths from outside our cgroup namespace */
+                if (startswith(path, "/../"))
+                        return -EUNATCH;
+
                /* Truncate suffix indicating the process is a zombie */
                e = endswith(path, " (deleted)");
                if (e)
                        *e = 0;

-                *ret_path = path;
+                *ret_path = TAKE_PTR(path);
                return 0;
        }
 }
--- a/src/basic/linux/auto_fs.h
+++ b/src/basic/linux/auto_fs.h
@ -21,7 +21,7 @@
 #define AUTOFS_MIN_PROTO_VERSION	3
 #define AUTOFS_MAX_PROTO_VERSION	5

-#define AUTOFS_PROTO_SUBVERSION		5
+#define AUTOFS_PROTO_SUBVERSION		6

 /*
 * The wait_queue_token (autofs_wqt_t) is part of a structure which is passed
--- a/src/basic/linux/bpf.h
+++ b/src/basic/linux/bpf.h
@ -1121,6 +1121,9 @@ enum bpf_attach_type {

 #define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE

+/* Add BPF_LINK_TYPE(type, name) in bpf_types.h to keep bpf_link_type_strs[]
+ * in sync with the definitions below.
+ */
 enum bpf_link_type {
 	BPF_LINK_TYPE_UNSPEC = 0,
 	BPF_LINK_TYPE_RAW_TRACEPOINT = 1,
@ -2851,7 +2854,7 @@ union bpf_attr {
 * 		  **TCP_SYNCNT**, **TCP_USER_TIMEOUT**, **TCP_NOTSENT_LOWAT**,
 * 		  **TCP_NODELAY**, **TCP_MAXSEG**, **TCP_WINDOW_CLAMP**,
 * 		  **TCP_THIN_LINEAR_TIMEOUTS**, **TCP_BPF_DELACK_MAX**,
- * 		  **TCP_BPF_RTO_MIN**.
+ *		  **TCP_BPF_RTO_MIN**, **TCP_BPF_SOCK_OPS_CB_FLAGS**.
 * 		* **IPPROTO_IP**, which supports *optname* **IP_TOS**.
 * 		* **IPPROTO_IPV6**, which supports the following *optname*\ s:
 * 		  **IPV6_TCLASS**, **IPV6_AUTOFLOWLABEL**.
@ -5519,11 +5522,12 @@ union bpf_attr {
 *		**-EOPNOTSUPP** if the hash calculation failed or **-EINVAL** if
 *		invalid arguments are passed.
 *
- * void *bpf_kptr_xchg(void *map_value, void *ptr)
+ * void *bpf_kptr_xchg(void *dst, void *ptr)
 *	Description
- *		Exchange kptr at pointer *map_value* with *ptr*, and return the
- *		old value. *ptr* can be NULL, otherwise it must be a referenced
- *		pointer which will be released when this helper is called.
+ *		Exchange kptr at pointer *dst* with *ptr*, and return the old value.
+ *		*dst* can be map value or local kptr. *ptr* can be NULL, otherwise
+ *		it must be a referenced pointer which will be released when this helper
+ *		is called.
 *	Return
 *		The old value of kptr (which can be NULL). The returned pointer
 *		if not NULL, is a reference which must be released using its
@ -6046,11 +6050,6 @@ enum {
 	BPF_F_MARK_ENFORCE		= (1ULL << 6),
 };

-/* BPF_FUNC_clone_redirect and BPF_FUNC_redirect flags. */
-enum {
-	BPF_F_INGRESS			= (1ULL << 0),
-};
-
 /* BPF_FUNC_skb_set_tunnel_key and BPF_FUNC_skb_get_tunnel_key flags. */
 enum {
 	BPF_F_TUNINFO_IPV6		= (1ULL << 0),
@ -6197,10 +6196,12 @@ enum {
 	BPF_F_BPRM_SECUREEXEC	= (1ULL << 0),
 };

-/* Flags for bpf_redirect_map helper */
+/* Flags for bpf_redirect and bpf_redirect_map helpers */
 enum {
-	BPF_F_BROADCAST		= (1ULL << 3),
-	BPF_F_EXCLUDE_INGRESS	= (1ULL << 4),
+	BPF_F_INGRESS		= (1ULL << 0), /* used for skb path */
+	BPF_F_BROADCAST		= (1ULL << 3), /* used for XDP path */
+	BPF_F_EXCLUDE_INGRESS	= (1ULL << 4), /* used for XDP path */
+#define BPF_F_REDIRECT_FLAGS (BPF_F_INGRESS | BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS)
 };

 #define __bpf_md_ptr(type, name)	\
@ -7080,6 +7081,7 @@ enum {
 	TCP_BPF_SYN		= 1005, /* Copy the TCP header */
 	TCP_BPF_SYN_IP		= 1006, /* Copy the IP[46] and TCP header */
 	TCP_BPF_SYN_MAC         = 1007, /* Copy the MAC, IP[46], and TCP header */
+	TCP_BPF_SOCK_OPS_CB_FLAGS = 1008, /* Get or Set TCP sock ops flags */
 };

 enum {
@ -7512,4 +7514,13 @@ struct bpf_iter_num {
 	__u64 __opaque[1];
 } __attribute__((aligned(8)));

+/*
+ * Flags to control BPF kfunc behaviour.
+ *     - BPF_F_PAD_ZEROS: Pad destination buffer with zeros. (See the respective
+ *       helper documentation for details.)
+ */
+enum bpf_kfunc_flags {
+	BPF_F_PAD_ZEROS = (1ULL << 0),
+};
+
 #endif /* __LINUX_BPF_H__ */
--- a/src/basic/linux/const.h
+++ b/src/basic/linux/const.h
@ -28,6 +28,23 @@
 #define _BITUL(x)	(_UL(1) << (x))
 #define _BITULL(x)	(_ULL(1) << (x))

+#if !defined(__ASSEMBLY__)
+/*
+ * Missing __asm__ support
+ *
+ * __BIT128() would not work in the __asm__ code, as it shifts an
+ * 'unsigned __init128' data type as direct representation of
+ * 128 bit constants is not supported in the gcc compiler, as
+ * they get silently truncated.
+ *
+ * TODO: Please revisit this implementation when gcc compiler
+ * starts representing 128 bit constants directly like long
+ * and unsigned long etc. Subsequently drop the comment for
+ * GENMASK_U128() which would then start supporting __asm__ code.
+ */
+#define _BIT128(x)	((unsigned __int128)(1) << (x))
+#endif
+
 #define __ALIGN_KERNEL(x, a)		__ALIGN_KERNEL_MASK(x, (__typeof__(x))(a) - 1)
 #define __ALIGN_KERNEL_MASK(x, mask)	(((x) + (mask)) & ~(mask))

--- a/src/basic/linux/ethtool.h
+++ b/src/basic/linux/ethtool.h
@ -2531,4 +2531,20 @@ struct ethtool_link_settings {
 	 * __u32 map_lp_advertising[link_mode_masks_nwords];
 	 */
 };
+
+/**
+ * enum phy_upstream - Represents the upstream component a given PHY device
+ * is connected to, as in what is on the other end of the MII bus. Most PHYs
+ * will be attached to an Ethernet MAC controller, but in some cases, there's
+ * an intermediate PHY used as a media-converter, which will driver another
+ * MII interface as its output.
+ * @PHY_UPSTREAM_MAC: Upstream component is a MAC (a switch port,
+ *		      or ethernet controller)
+ * @PHY_UPSTREAM_PHY: Upstream component is a PHY (likely a media converter)
+ */
+enum phy_upstream {
+	PHY_UPSTREAM_MAC,
+	PHY_UPSTREAM_PHY,
+};
+
 #endif /* _LINUX_ETHTOOL_H */
--- a/src/basic/linux/fib_rules.h
+++ b/src/basic/linux/fib_rules.h
@ -67,6 +67,7 @@ enum {
 	FRA_IP_PROTO,	/* ip proto */
 	FRA_SPORT_RANGE, /* sport */
 	FRA_DPORT_RANGE, /* dport */
+	FRA_DSCP,	/* dscp */
 	__FRA_MAX
 };

--- a/src/basic/linux/if_packet.h
+++ b/src/basic/linux/if_packet.h
@ -230,8 +230,8 @@ struct tpacket_hdr_v1 {
 	 * ts_first_pkt:
 	 *		Is always the time-stamp when the block was opened.
 	 *		Case a)	ZERO packets
-	 *			No packets to deal with but atleast you know the
-	 *			time-interval of this block.
+	 *			No packets to deal with but at least you know
+	 *			the time-interval of this block.
 	 *		Case b) Non-zero packets
 	 *			Use the ts of the first packet in the block.
 	 *
@ -265,7 +265,8 @@ enum tpacket_versions {
   - struct tpacket_hdr
   - pad to TPACKET_ALIGNMENT=16
   - struct sockaddr_ll
-   - Gap, chosen so that packet data (Start+tp_net) alignes to TPACKET_ALIGNMENT=16
+   - Gap, chosen so that packet data (Start+tp_net) aligns to
+     TPACKET_ALIGNMENT=16
   - Start+tp_mac: [ Optional MAC header ]
   - Start+tp_net: Packet data, aligned to TPACKET_ALIGNMENT=16.
   - Pad to align to TPACKET_ALIGNMENT=16
--- a/src/basic/linux/in.h
+++ b/src/basic/linux/in.h
@ -141,7 +141,7 @@ struct in_addr {
 */
 #define IP_PMTUDISC_INTERFACE		4
 /* weaker version of IP_PMTUDISC_INTERFACE, which allows packets to get
- * fragmented if they exeed the interface mtu
+ * fragmented if they exceed the interface mtu
 */
 #define IP_PMTUDISC_OMIT		5

--- a/src/basic/linux/libc-compat.h
+++ b/src/basic/linux/libc-compat.h
@ -140,25 +140,6 @@

 #endif /* _NETINET_IN_H */

-/* Coordinate with glibc netipx/ipx.h header. */
-#if defined(__NETIPX_IPX_H)
-
-#define __UAPI_DEF_SOCKADDR_IPX			0
-#define __UAPI_DEF_IPX_ROUTE_DEFINITION		0
-#define __UAPI_DEF_IPX_INTERFACE_DEFINITION	0
-#define __UAPI_DEF_IPX_CONFIG_DATA		0
-#define __UAPI_DEF_IPX_ROUTE_DEF		0
-
-#else /* defined(__NETIPX_IPX_H) */
-
-#define __UAPI_DEF_SOCKADDR_IPX			1
-#define __UAPI_DEF_IPX_ROUTE_DEFINITION		1
-#define __UAPI_DEF_IPX_INTERFACE_DEFINITION	1
-#define __UAPI_DEF_IPX_CONFIG_DATA		1
-#define __UAPI_DEF_IPX_ROUTE_DEF		1
-
-#endif /* defined(__NETIPX_IPX_H) */
-
 /* Definitions for xattr.h */
 #if defined(_SYS_XATTR_H)
 #define __UAPI_DEF_XATTR		0
@ -240,23 +221,6 @@
 #define __UAPI_DEF_IP6_MTUINFO		1
 #endif

-/* Definitions for ipx.h */
-#ifndef __UAPI_DEF_SOCKADDR_IPX
-#define __UAPI_DEF_SOCKADDR_IPX			1
-#endif
-#ifndef __UAPI_DEF_IPX_ROUTE_DEFINITION
-#define __UAPI_DEF_IPX_ROUTE_DEFINITION		1
-#endif
-#ifndef __UAPI_DEF_IPX_INTERFACE_DEFINITION
-#define __UAPI_DEF_IPX_INTERFACE_DEFINITION	1
-#endif
-#ifndef __UAPI_DEF_IPX_CONFIG_DATA
-#define __UAPI_DEF_IPX_CONFIG_DATA		1
-#endif
-#ifndef __UAPI_DEF_IPX_ROUTE_DEF
-#define __UAPI_DEF_IPX_ROUTE_DEF		1
-#endif
-
 /* Definitions for xattr.h */
 #ifndef __UAPI_DEF_XATTR
 #define __UAPI_DEF_XATTR		1
--- a/src/basic/linux/netfilter/nf_tables.h
+++ b/src/basic/linux/netfilter/nf_tables.h
@ -436,7 +436,7 @@ enum nft_set_elem_flags {
 * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
 * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
 * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
- * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
+ * @NFTA_SET_ELEM_TIMEOUT: timeout value, zero means never times out (NLA_U64)
 * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
 * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
 * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
@ -1694,7 +1694,7 @@ enum nft_flowtable_flags {
 *
 * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
 * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
+ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
 * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
 * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
 * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
--- a/src/basic/linux/nexthop.h
+++ b/src/basic/linux/nexthop.h
@ -16,10 +16,15 @@ struct nhmsg {
 struct nexthop_grp {
 	__u32	id;	  /* nexthop id - must exist */
 	__u8	weight;   /* weight of this nexthop */
-	__u8	resvd1;
+	__u8	weight_high;	/* high order bits of weight */
 	__u16	resvd2;
 };

+static __inline__ __u16 nexthop_grp_weight(const struct nexthop_grp *entry)
+{
+	return ((entry->weight_high << 8) | entry->weight) + 1;
+}
+
 enum {
 	NEXTHOP_GRP_TYPE_MPATH,  /* hash-threshold nexthop group
 				  * default type if not specified
@ -33,6 +38,9 @@ enum {
 #define NHA_OP_FLAG_DUMP_STATS		BIT(0)
 #define NHA_OP_FLAG_DUMP_HW_STATS	BIT(1)

+/* Response OP_FLAGS. */
+#define NHA_OP_FLAG_RESP_GRP_RESVD_0	BIT(31)	/* Dump clears resvd fields. */
+
 enum {
 	NHA_UNSPEC,
 	NHA_ID,		/* u32; id for nexthop. id == 0 means auto-assign */
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@ -531,20 +531,24 @@ int is_idmapping_supported(const char *path) {
        userns_fd = userns_acquire(uid_map, gid_map);
        if (ERRNO_IS_NEG_NOT_SUPPORTED(userns_fd) || ERRNO_IS_NEG_PRIVILEGE(userns_fd))
                return false;
+        if (userns_fd == -ENOSPC) {
+                log_debug_errno(userns_fd, "Failed to acquire new user namespace, user.max_user_namespaces seems to be exhausted or maybe even zero, assuming ID-mapping is not supported: %m");
+                return false;
+        }
        if (userns_fd < 0)
-                return log_debug_errno(userns_fd, "ID-mapping supported namespace acquire failed for '%s' : %m", path);
+                return log_debug_errno(userns_fd, "Failed to acquire new user namespace for checking if '%s' supports ID-mapping: %m", path);

        dir_fd = RET_NERRNO(open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
        if (ERRNO_IS_NEG_NOT_SUPPORTED(dir_fd))
                return false;
        if (dir_fd < 0)
-                return log_debug_errno(dir_fd, "ID-mapping supported open failed for '%s' : %m", path);
+                return log_debug_errno(dir_fd, "Failed to open '%s', cannot determine if ID-mapping is supported: %m", path);

        mount_fd = RET_NERRNO(open_tree(dir_fd, "", AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC));
        if (ERRNO_IS_NEG_NOT_SUPPORTED(mount_fd) || ERRNO_IS_NEG_PRIVILEGE(mount_fd) || mount_fd == -EINVAL)
                return false;
        if (mount_fd < 0)
-                return log_debug_errno(mount_fd, "ID-mapping supported open_tree failed for '%s' : %m", path);
+                return log_debug_errno(mount_fd, "Failed to open mount tree '%s', cannot determine if ID-mapping is supported: %m", path);

        r = RET_NERRNO(mount_setattr(mount_fd, "", AT_EMPTY_PATH,
                       &(struct mount_attr) {
@ -554,7 +558,7 @@ int is_idmapping_supported(const char *path) {
        if (ERRNO_IS_NEG_NOT_SUPPORTED(r) || ERRNO_IS_NEG_PRIVILEGE(r) || r == -EINVAL)
                return false;
        if (r < 0)
-                return log_debug_errno(r, "ID-mapping supported setattr failed for '%s' : %m", path);
+                return log_debug_errno(r, "Failed to set mount attribute to '%s', cannot determine if ID-mapping is supported: %m", path);

        return true;
 }
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@ -102,8 +102,8 @@ int pid_get_comm(pid_t pid, char **ret) {
        _cleanup_free_ char *escaped = NULL, *comm = NULL;
        int r;

-        assert(ret);
        assert(pid >= 0);
+        assert(ret);

        if (pid == 0 || pid == getpid_cached()) {
                comm = new0(char, TASK_COMM_LEN + 1); /* Must fit in 16 byte according to prctl(2) */
@ -143,6 +143,9 @@ int pidref_get_comm(const PidRef *pid, char **ret) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_comm(pid->pid, &comm);
        if (r < 0)
                return r;
@ -289,6 +292,9 @@ int pidref_get_cmdline(const PidRef *pid, size_t max_columns, ProcessCmdlineFlag
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_cmdline(pid->pid, max_columns, flags, &s);
        if (r < 0)
                return r;
@ -331,6 +337,9 @@ int pidref_get_cmdline_strv(const PidRef *pid, ProcessCmdlineFlags flags, char *
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_cmdline_strv(pid->pid, flags, &args);
        if (r < 0)
                return r;
@ -477,6 +486,9 @@ int pidref_is_kernel_thread(const PidRef *pid) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        result = pid_is_kernel_thread(pid->pid);
        if (result < 0)
                return result;
@ -594,6 +606,9 @@ int pidref_get_uid(const PidRef *pid, uid_t *ret) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_uid(pid->pid, &uid);
        if (r < 0)
                return r;
@ -794,6 +809,9 @@ int pidref_get_start_time(const PidRef *pid, usec_t *ret) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        r = pid_get_start_time(pid->pid, ret ? &t : NULL);
        if (r < 0)
                return r;
@ -1093,6 +1111,9 @@ int pidref_is_my_child(const PidRef *pid) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        result = pid_is_my_child(pid->pid);
        if (result < 0)
                return result;
@ -1128,6 +1149,9 @@ int pidref_is_unwaited(const PidRef *pid) {
        if (!pidref_is_set(pid))
                return -ESRCH;

+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
        if (pid->pid == 1 || pidref_is_self(pid))
                return true;

@ -1169,6 +1193,9 @@ int pidref_is_alive(const PidRef *pidref) {
        if (!pidref_is_set(pidref))
                return -ESRCH;

+        if (pidref_is_remote(pidref))
+                return -EREMOTE;
+
        result = pid_is_alive(pidref->pid);
        if (result < 0) {
                assert(result != -ESRCH);
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@ -220,9 +220,9 @@ static int synthesize_user_creds(
                if (ret_gid)
                        *ret_gid = GID_NOBODY;
                if (ret_home)
-                        *ret_home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
+                        *ret_home = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : "/";
                if (ret_shell)
-                        *ret_shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
+                        *ret_shell = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : NOLOGIN;

                return 0;
        }
@ -244,6 +244,7 @@ int get_user_creds(

        assert(username);
        assert(*username);
+        assert((ret_home || ret_shell) || !(flags & (USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_CLEAN)));

        if (!FLAGS_SET(flags, USER_CREDS_PREFER_NSS) ||
            (!ret_home && !ret_shell)) {
@ -315,17 +316,14 @@ int get_user_creds(

        if (ret_home)
                /* Note: we don't insist on normalized paths, since there are setups that have /./ in the path */
-                *ret_home = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
-                             (empty_or_root(p->pw_dir) ||
-                              !path_is_valid(p->pw_dir) ||
-                              !path_is_absolute(p->pw_dir))) ? NULL : p->pw_dir;
+                *ret_home = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && empty_or_root(p->pw_dir)) ||
+                            (FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_dir) || !path_is_absolute(p->pw_dir)))
+                            ? NULL : p->pw_dir;

        if (ret_shell)
-                *ret_shell = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
-                              (isempty(p->pw_shell) ||
-                               !path_is_valid(p->pw_shell) ||
-                               !path_is_absolute(p->pw_shell) ||
-                               is_nologin_shell(p->pw_shell))) ? NULL : p->pw_shell;
+                *ret_shell = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && shell_is_placeholder(p->pw_shell)) ||
+                             (FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_shell) || !path_is_absolute(p->pw_shell)))
+                             ? NULL : p->pw_shell;

        if (patch_username)
                *username = p->pw_name;
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@ -12,6 +12,8 @@
 #include <sys/types.h>
 #include <unistd.h>

+#include "string-util.h"
+
 /* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
 #define HOME_UID_MIN ((uid_t) 60001)
 #define HOME_UID_MAX ((uid_t) 60513)
@ -36,10 +38,20 @@ static inline int parse_gid(const char *s, gid_t *ret_gid) {
 char* getlogname_malloc(void);
 char* getusername_malloc(void);

+const char* default_root_shell_at(int rfd);
+const char* default_root_shell(const char *root);
+
+bool is_nologin_shell(const char *shell);
+
+static inline bool shell_is_placeholder(const char *shell) {
+        return isempty(shell) || is_nologin_shell(shell);
+}
+
 typedef enum UserCredsFlags {
        USER_CREDS_PREFER_NSS           = 1 << 0,  /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
        USER_CREDS_ALLOW_MISSING        = 1 << 1,  /* if a numeric UID string is resolved, be OK if there's no record for it */
        USER_CREDS_CLEAN                = 1 << 2,  /* try to clean up shell and home fields with invalid data */
+        USER_CREDS_SUPPRESS_PLACEHOLDER = 1 << 3,  /* suppress home and/or shell fields if value is placeholder (root/empty/nologin) */
 } UserCredsFlags;

 int get_user_creds(const char **username, uid_t *ret_uid, gid_t *ret_gid, const char **ret_home, const char **ret_shell, UserCredsFlags flags);
@ -125,10 +137,6 @@ int fgetsgent_sane(FILE *stream, struct sgrp **sg);
 int putsgent_sane(const struct sgrp *sg, FILE *stream);
 #endif

-bool is_nologin_shell(const char *shell);
-const char* default_root_shell_at(int rfd);
-const char* default_root_shell(const char *root);
-
 int is_this_me(const char *username);

 const char* get_home_root(void);
--- a/src/boot/chid.c
+++ b/src/boot/chid.c
@ -21,6 +21,11 @@
 #include "smbios.h"
 #include "util.h"

+/* Validate the descriptor macros a bit that they match our expectations */
+assert_cc(DEVICE_DESCRIPTOR_DEVICETREE == UINT32_C(0x1000001C));
+assert_cc(DEVICE_SIZE_FROM_DESCRIPTOR(DEVICE_DESCRIPTOR_DEVICETREE) == sizeof(Device));
+assert_cc(DEVICE_TYPE_FROM_DESCRIPTOR(DEVICE_DESCRIPTOR_DEVICETREE) == DEVICE_TYPE_DEVICETREE);
+
 /**
 * smbios_to_hashable_string() - Convert ascii smbios string to stripped char16_t.
 */
@ -105,9 +110,10 @@ EFI_STATUS chid_match(const void *hwid_buffer, size_t hwid_length, const Device

        /* Count devices and check validity */
        for (; (n_devices + 1) * sizeof(*devices) < hwid_length;) {
-                if (devices[n_devices].struct_size == 0)
+
+                if (devices[n_devices].descriptor == DEVICE_DESCRIPTOR_EOL)
                        break;
-                if (devices[n_devices].struct_size != sizeof(*devices))
+                if (devices[n_devices].descriptor != DEVICE_DESCRIPTOR_DEVICETREE)
                        return EFI_UNSUPPORTED;
                n_devices++;
        }
--- a/src/boot/chid.h
+++ b/src/boot/chid.h
@ -2,22 +2,63 @@
 #pragma once

 #include "efi.h"
-
 #include "chid-fundamental.h"

+/* A .hwids PE section consists of a series of 'Device' structures. A 'Device' structure binds a CHID to some
+ * resource, for now only Devicetree blobs. Designed to be extensible to other types of resources, should the
+ * need arise. The series of 'Device' structures is followed by some space for strings that can be referenced
+ * by offset by the Device structures. */
+
+enum {
+        DEVICE_TYPE_DEVICETREE = 0x1, /* A devicetree blob */
+
+        /* Maybe later additional types for:
+         *   - CoCo Bring-Your-Own-Firmware
+         *   - ACPI DSDT Overrides
+         *   - … */
+};
+
+#define DEVICE_SIZE_FROM_DESCRIPTOR(u) ((uint32_t) (u) & UINT32_C(0x0FFFFFFF))
+#define DEVICE_TYPE_FROM_DESCRIPTOR(u) ((uint32_t) (u) >> 28)
+#define DEVICE_MAKE_DESCRIPTOR(type, size) (((uint32_t) (size) | ((uint32_t) type << 28)))
+
+#define DEVICE_DESCRIPTOR_DEVICETREE DEVICE_MAKE_DESCRIPTOR(DEVICE_TYPE_DEVICETREE, sizeof(Device))
+#define DEVICE_DESCRIPTOR_EOL UINT32_C(0)
+
 typedef struct Device {
-        uint32_t struct_size;       /* = sizeof(struct Device), or 0 for EOL */
+        uint32_t descriptor; /* The highest four bit encode the type of entry, the other 28 bit encode the
+                              * size of the structure. Use the macros above to generate or take apart this
+                              * field. */
+        EFI_GUID chid;
+        union {
+                struct {
+                        /* These offsets are relative to the beginning of the .hwids PE section. */
                        uint32_t name_offset;          /* nul-terminated string or 0 if not present */
                        uint32_t compatible_offset;    /* nul-terminated string or 0 if not present */
-        EFI_GUID chid;
+                } devicetree;
+                /* fields for other descriptor types… */
+        };
 } _packed_ Device;

+/* Validate some offset, since the structure is API and src/ukify/ukify.py encodes them directly */
+assert_cc(offsetof(Device, descriptor) == 0);
+assert_cc(offsetof(Device, chid) == 4);
+assert_cc(offsetof(Device, devicetree.name_offset) == 20);
+assert_cc(offsetof(Device, devicetree.compatible_offset) == 24);
+assert_cc(sizeof(Device) == 28);
+
 static inline const char* device_get_name(const void *base, const Device *device) {
-        return device->name_offset == 0 ? NULL : (const char *) ((const uint8_t *) base + device->name_offset);
+        if (device->descriptor != DEVICE_DESCRIPTOR_DEVICETREE)
+                return NULL;
+
+        return device->devicetree.name_offset == 0 ? NULL : (const char *) ((const uint8_t *) base + device->devicetree.name_offset);
 }

 static inline const char* device_get_compatible(const void *base, const Device *device) {
-        return device->compatible_offset == 0 ? NULL : (const char *) ((const uint8_t *) base + device->compatible_offset);
+        if (device->descriptor != DEVICE_DESCRIPTOR_DEVICETREE)
+                return NULL;
+
+        return device->devicetree.compatible_offset == 0 ? NULL : (const char *) ((const uint8_t *) base + device->devicetree.compatible_offset);
 }

 EFI_STATUS chid_match(const void *chids_buffer, size_t chids_length, const Device **ret_device);
--- a/src/boot/util.h
+++ b/src/boot/util.h
@ -100,6 +100,13 @@ static inline Pages xmalloc_pages(
 }

 static inline Pages xmalloc_initrd_pages(size_t n_pages) {
+        /* The original native x86 boot protocol of the Linux kernel was not 64bit safe, hence we allocate
+         * memory for the initrds below the 4G boundary on x86, since we don't know early enough which
+         * protocol we'll use to ultimately boot the kernel. This restriction is somewhat obsolete, since
+         * these days we generally prefer the kernel's newer EFI entrypoint instead, which has no such
+         * limitations. On other architectures we do not bother with any restriction on this, in particular
+         * as some of them don't even have RAM mapped to such low addresses. */
+
 #if defined(__i386__) || defined(__x86_64__)
        return xmalloc_pages(
                        AllocateMaxAddress,
--- a/src/bootctl/bootctl-install.c
+++ b/src/bootctl/bootctl-install.c
@ -299,7 +299,6 @@ static const char *const esp_subdirs[] = {
        "EFI/BOOT",
        "loader",
        "loader/keys",
-        "loader/keys/auto",
        NULL
 };

@ -615,6 +614,10 @@ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, E
                return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to convert X.509 certificate to DER: %s",
                                       ERR_error_string(ERR_get_error(), NULL));

+        r = mkdir_one(esp, "loader/keys/auto");
+        if (r < 0)
+                return r;
+
        _cleanup_close_ int keys_fd = chase_and_open("loader/keys/auto", esp, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, O_DIRECTORY, NULL);
        if (keys_fd < 0)
                return log_error_errno(keys_fd, "Failed to chase loader/keys/auto in the ESP: %m");
@ -1287,6 +1290,10 @@ int verb_remove(int argc, char *argv[], void *userdata) {
                        r = q;
        }

+        q = rmdir_one(arg_esp_path, "/loader/keys/auto");
+        if (q < 0 && r >= 0)
+                r = q;
+
        q = remove_subdirs(arg_esp_path, esp_subdirs);
        if (q < 0 && r >= 0)
                r = q;
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -855,9 +855,6 @@ static int get_fixed_user(
        assert(user_or_uid);
        assert(ret_username);

-        /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
-         * (i.e. are "/" or "/bin/nologin"). */
-
        r = get_user_creds(&user_or_uid, ret_uid, ret_gid, ret_home, ret_shell, USER_CREDS_CLEAN);
        if (r < 0)
                return r;
@ -1883,7 +1880,10 @@ static int build_environment(
                }
        }

-        if (home && set_user_login_env) {
+        /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
+         * (i.e. are "/" or "/bin/nologin"). */
+
+        if (home && set_user_login_env && !empty_or_root(home)) {
                x = strjoin("HOME=", home);
                if (!x)
                        return -ENOMEM;
@ -1892,7 +1892,7 @@ static int build_environment(
                our_env[n_env++] = x;
        }

-        if (shell && set_user_login_env) {
+        if (shell && set_user_login_env && !shell_is_placeholder(shell)) {
                x = strjoin("SHELL=", shell);
                if (!x)
                        return -ENOMEM;
@ -3471,20 +3471,16 @@ static int apply_working_directory(
                const ExecContext *context,
                const ExecParameters *params,
                ExecRuntime *runtime,
-                const char *home,
-                int *exit_status) {
+                const char *home) {

        const char *wd;
        int r;

        assert(context);
-        assert(exit_status);

        if (context->working_directory_home) {
-                if (!home) {
-                        *exit_status = EXIT_CHDIR;
+                if (!home)
                        return -ENXIO;
-                }

                wd = home;
        } else
@ -3503,13 +3499,7 @@ static int apply_working_directory(
                if (r >= 0)
                        r = RET_NERRNO(fchdir(dfd));
        }
-
-        if (r < 0 && !context->working_directory_missing_ok) {
-                *exit_status = EXIT_CHDIR;
-                return r;
-        }
-
-        return 0;
+        return context->working_directory_missing_ok ? 0 : r;
 }

 static int apply_root_directory(
@ -3785,7 +3775,7 @@ static int acquire_home(const ExecContext *c, const char **home, char **ret_buf)
        if (!c->working_directory_home)
                return 0;

-        if (c->dynamic_user)
+        if (c->dynamic_user || (c->user && is_this_me(c->user) <= 0))
                return -EADDRNOTAVAIL;

        r = get_home_dir(ret_buf);
@ -4543,7 +4533,7 @@ int exec_invoke(
        r = acquire_home(context, &home, &home_buffer);
        if (r < 0) {
                *exit_status = EXIT_CHDIR;
-                return log_exec_error_errno(context, params, r, "Failed to determine $HOME for user: %m");
+                return log_exec_error_errno(context, params, r, "Failed to determine $HOME for the invoking user: %m");
        }

        /* If a socket is connected to STDIN/STDOUT/STDERR, we must drop O_NONBLOCK */
@ -5382,9 +5372,11 @@ int exec_invoke(
         * running this service might have the correct privilege to change to the working directory. Also, it
         * is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that
         * the cwd cannot be used to pin directories outside of the sandbox. */
-        r = apply_working_directory(context, params, runtime, home, exit_status);
-        if (r < 0)
+        r = apply_working_directory(context, params, runtime, home);
+        if (r < 0) {
+                *exit_status = EXIT_CHDIR;
                return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");
+        }

        if (needs_sandboxing) {
                /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to
--- a/src/core/main.c
+++ b/src/core/main.c
@ -1689,6 +1689,11 @@ static int become_shutdown(int objective, int retval) {
        /* Tell the binary how often to ping, ignore failure */
        (void) strv_extendf(&env_block, "WATCHDOG_USEC="USEC_FMT, watchdog_timer);

+        /* Make sure that tools that look for $WATCHDOG_USEC (and might get started by the exitrd) don't get
+         * confused by the variable, because the sd_watchdog_enabled() protocol uses the same variable for
+         * the same purposes. */
+        (void) strv_extendf(&env_block, "WATCHDOG_PID=" PID_FMT, getpid_cached());
+
        if (arg_watchdog_device)
                (void) strv_extendf(&env_block, "WATCHDOG_DEVICE=%s", arg_watchdog_device);

--- a/src/core/service.c
+++ b/src/core/service.c
@ -3426,14 +3426,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
                        return 0;
                }

-                r = service_add_fd_store(s, fd, fdn, do_poll);
+                r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
                if (r < 0) {
                        log_unit_debug_errno(u, r,
                                             "Failed to store deserialized fd '%s', ignoring: %m", fdn);
                        return 0;
                }
-
-                TAKE_FD(fd);
        } else if (streq(key, "extra-fd")) {
                _cleanup_free_ char *fdv = NULL, *fdn = NULL;
                _cleanup_close_ int fd = -EBADF;
--- a/src/cryptenroll/cryptenroll-fido2.c
+++ b/src/cryptenroll/cryptenroll-fido2.c
@ -193,7 +193,7 @@ int enroll_fido2(
                fflush(stdout);

                fprintf(stderr,
-                        "\nPlease save this FIDO2 credential ID. It is required when unloocking the volume\n"
+                        "\nPlease save this FIDO2 credential ID. It is required when unlocking the volume\n"
                        "using the associated FIDO2 keyslot which we just created. To configure automatic\n"
                        "unlocking using this FIDO2 token, add an appropriate entry to your /etc/crypttab\n"
                        "file, see %s for details.\n", link);
--- a/src/cryptenroll/cryptenroll-wipe.c
+++ b/src/cryptenroll/cryptenroll-wipe.c
@ -427,6 +427,9 @@ int wipe_slots(struct crypt_device *cd,
        for (size_t i = n_ordered_slots; i > 0; i--) {
                r = crypt_keyslot_destroy(cd, ordered_slots[i - 1]);
                if (r < 0) {
+                        if (r == -ENOENT)
+                                log_warning_errno(r, "Failed to wipe non-existent slot %i, continuing.", ordered_slots[i - 1]);
+                        else
                                log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]);
                        if (ret == 0)
                                ret = r;
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@ -193,7 +193,7 @@ static int help(void) {
               "\n%3$sSimple Enrollment:%4$s\n"
               "     --password        Enroll a user-supplied password\n"
               "     --recovery-key    Enroll a recovery key\n"
-               "\n%3$sPKCS11 Enrollment:%4$s\n"
+               "\n%3$sPKCS#11 Enrollment:%4$s\n"
               "     --pkcs11-token-uri=URI\n"
               "                       Specify PKCS#11 security token URI\n"
               "\n%3$sFIDO2 Enrollment:%4$s\n"
--- a/src/fsck/fsck.c
+++ b/src/fsck/fsck.c
@ -98,16 +98,11 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
                }
        }

-#if HAVE_SYSV_COMPAT
-        else if (streq(key, "fastboot") && !value) {
-                log_warning("Please pass 'fsck.mode=skip' rather than 'fastboot' on the kernel command line.");
+        else if (streq(key, "fastboot") && !value)
                arg_skip = true;

-        } else if (streq(key, "forcefsck") && !value) {
-                log_warning("Please pass 'fsck.mode=force' rather than 'forcefsck' on the kernel command line.");
+        else if (streq(key, "forcefsck") && !value)
                arg_force = true;
-        }
-#endif

        return 0;
 }
--- a/src/libsystemd-network/ndisc-option.c
+++ b/src/libsystemd-network/ndisc-option.c
@ -750,7 +750,7 @@ static int ndisc_option_parse_route(Set **options, size_t offset, size_t len, co
        usec_t lifetime = unaligned_be32_sec_to_usec(opt + 4, /* max_as_infinity = */ true);

        struct in6_addr prefix;
-        memcpy(&prefix, opt + 8, len - 8);
+        memcpy_safe(&prefix, opt + 8, len - 8);
        in6_addr_mask(&prefix, prefixlen);

        return ndisc_option_add_route(options, offset, preference, prefixlen, &prefix, lifetime);
--- a/src/libsystemd/libsystemd.sym
+++ b/src/libsystemd/libsystemd.sym
@ -1033,12 +1033,14 @@ global:
        sd_varlink_server_listen_fd;
        sd_varlink_server_loop_auto;
        sd_varlink_server_new;
+        sd_varlink_server_ref;
        sd_varlink_server_set_connections_max;
        sd_varlink_server_set_connections_per_uid_max;
        sd_varlink_server_set_description;
        sd_varlink_server_set_exit_on_idle;
        sd_varlink_server_set_userdata;
        sd_varlink_server_shutdown;
+        sd_varlink_server_unref;
        sd_varlink_set_allow_fd_passing_input;
        sd_varlink_set_allow_fd_passing_output;
        sd_varlink_set_description;
--- a/src/libsystemd/sd-varlink/sd-varlink.c
+++ b/src/libsystemd/sd-varlink/sd-varlink.c
@ -3265,7 +3265,7 @@ static sd_varlink_server* varlink_server_destroy(sd_varlink_server *s) {
        return mfree(s);
 }

-DEFINE_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy);
+DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy);

 static int validate_connection(sd_varlink_server *server, const struct ucred *ucred) {
        int allowed = -1;
--- a/src/libsystemd/sd-varlink/varlink-util.c
+++ b/src/libsystemd/sd-varlink/varlink-util.c
@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {

        int pidfd = sd_varlink_get_peer_pidfd(v);
        if (pidfd < 0) {
-                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
                        return pidfd;

                pid_t pid;
--- a/src/measure/measure.c
+++ b/src/measure/measure.c
@ -108,6 +108,7 @@ static int help(int argc, char *argv[], void *userdata) {
               "     --ucode=PATH        Path to microcode image file               %7$s .ucode\n"
               "     --splash=PATH       Path to splash bitmap file                 %7$s .splash\n"
               "     --dtb=PATH          Path to DeviceTree file                    %7$s .dtb\n"
+               "     --dtbauto=PATH      Path to DeviceTree file for auto selection %7$s .dtbauto\n"
               "     --uname=PATH        Path to 'uname -r' file                    %7$s .uname\n"
               "     --sbat=PATH         Path to SBAT file                          %7$s .sbat\n"
               "     --pcrpkey=PATH      Path to public key for PCR signatures      %7$s .pcrpkey\n"
--- a/src/network/netdev/netdev.c
+++ b/src/network/netdev/netdev.c
@ -642,7 +642,7 @@ static bool netdev_can_set_mac(NetDev *netdev, const struct hw_addr_data *hw_add
        if (hw_addr_equal(&link->hw_addr, hw_addr))
                return false; /* Unchanged, not necessary to set. */

-        /* Soem netdevs refuse to update MAC address even if the interface is not running, e.g. ipvlan.
+        /* Some netdevs refuse to update MAC address even if the interface is not running, e.g. ipvlan.
         * Some other netdevs have the IFF_LIVE_ADDR_CHANGE flag and can update update MAC address even if
         * the interface is running, e.g. dummy. For those cases, use custom checkers. */
        if (NETDEV_VTABLE(netdev)->can_set_mac)
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@ -1443,6 +1443,7 @@ int link_reconfigure_impl(Link *link, LinkReconfigurationFlag flags) {
 }

 typedef struct LinkReconfigurationData {
+        Manager *manager;
        Link *link;
        LinkReconfigurationFlag flags;
        sd_bus_message *message;
@ -1473,6 +1474,12 @@ static void link_reconfiguration_data_destroy_callback(LinkReconfigurationData *
                }

                if (!data->counter || *data->counter <= 0) {
+                        /* Update the state files before replying the bus method. Otherwise,
+                         * systemd-networkd-wait-online following networkctl reload/reconfigure may read an
+                         * outdated state file and wrongly handle an interface is already in the configured
+                         * state. */
+                        (void) manager_clean_all(data->manager);
+
                        r = sd_bus_reply_method_return(data->message, NULL);
                        if (r < 0)
                                log_warning_errno(r, "Failed to reply for DBus method, ignoring: %m");
@ -1521,6 +1528,7 @@ int link_reconfigure_full(Link *link, LinkReconfigurationFlag flags, sd_bus_mess
        }

        *data = (LinkReconfigurationData) {
+                .manager = link->manager,
                .link = link_ref(link),
                .flags = flags,
                .message = sd_bus_message_ref(message), /* message may be NULL, but _ref() works fine. */
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@ -1610,7 +1610,7 @@ static int ndisc_router_process_onlink_prefix(Link *link, sd_ndisc_router *rt) {
        return 0;
 }

-static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        uint8_t flags, prefixlen;
        struct in6_addr a;
        int r;
@ -1619,6 +1619,14 @@ static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt) {
        assert(link->network);
        assert(rt);

+        usec_t lifetime_usec;
+        r = sd_ndisc_router_prefix_get_valid_lifetime(rt, &lifetime_usec);
+        if (r < 0)
+                return log_link_warning_errno(link, r, "Failed to get prefix lifetime: %m");
+
+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_prefix_get_address(rt, &a);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get prefix address: %m");
@ -1664,7 +1672,7 @@ static int ndisc_router_process_prefix(Link *link, sd_ndisc_router *rt) {
        return 0;
 }

-static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        _cleanup_(route_unrefp) Route *route = NULL;
        uint8_t preference, prefixlen;
        struct in6_addr gateway, dst;
@ -1680,6 +1688,9 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get route lifetime from RA: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_route_get_address(rt, &dst);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get route destination address: %m");
@ -1712,10 +1723,6 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
        }

        r = sd_ndisc_router_route_get_preference(rt, &preference);
-        if (r == -EOPNOTSUPP) {
-                log_link_debug_errno(link, r, "Received route prefix with unsupported preference, ignoring: %m");
-                return 0;
-        }
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get router preference from RA: %m");

@ -1759,7 +1766,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_rdnss_compare_func,
                free);

-static int ndisc_router_process_rdnss(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_rdnss(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        usec_t lifetime_usec;
        const struct in6_addr *a;
        struct in6_addr router;
@ -1781,6 +1788,9 @@ static int ndisc_router_process_rdnss(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get RDNSS lifetime: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        n = sd_ndisc_router_rdnss_get_addresses(rt, &a);
        if (n < 0)
                return log_link_warning_errno(link, n, "Failed to get RDNSS addresses: %m");
@ -1851,7 +1861,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_dnssl_compare_func,
                free);

-static int ndisc_router_process_dnssl(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_dnssl(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        char **l;
        usec_t lifetime_usec;
        struct in6_addr router;
@ -1873,6 +1883,9 @@ static int ndisc_router_process_dnssl(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get DNSSL lifetime: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_dnssl_get_domains(rt, &l);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get DNSSL addresses: %m");
@ -1953,7 +1966,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_captive_portal_compare_func,
                ndisc_captive_portal_free);

-static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        _cleanup_(ndisc_captive_portal_freep) NDiscCaptivePortal *new_entry = NULL;
        _cleanup_free_ char *captive_portal = NULL;
        const char *uri;
@ -1980,6 +1993,9 @@ static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt)
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get lifetime of RA message: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_get_captive_portal(rt, &uri);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get captive portal from RA: %m");
@ -2068,7 +2084,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
                ndisc_pref64_compare_func,
                mfree);

-static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        _cleanup_free_ NDiscPREF64 *new_entry = NULL;
        usec_t lifetime_usec;
        struct in6_addr a, router;
@ -2099,6 +2115,9 @@ static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get pref64 prefix lifetime: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        if (lifetime_usec == 0) {
                free(set_remove(link->ndisc_pref64,
                                &(NDiscPREF64) {
@ -2217,7 +2236,7 @@ static int sd_dns_resolver_copy(const sd_dns_resolver *a, sd_dns_resolver *b) {
        return 0;
 }

-static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        int r;

        assert(link);
@ -2240,6 +2259,9 @@ static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get lifetime of RA message: %m");

+        if ((lifetime_usec == 0) != zero_lifetime)
+                return 0;
+
        r = sd_ndisc_router_encrypted_dns_get_resolver(rt, &res);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to get encrypted dns resolvers: %m");
@ -2292,7 +2314,7 @@ static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
        return 0;
 }

-static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt) {
+static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt, bool zero_lifetime) {
        size_t n_captive_portal = 0;
        int r;

@ -2314,19 +2336,19 @@ static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt) {

                switch (type) {
                case SD_NDISC_OPTION_PREFIX_INFORMATION:
-                        r = ndisc_router_process_prefix(link, rt);
+                        r = ndisc_router_process_prefix(link, rt, zero_lifetime);
                        break;

                case SD_NDISC_OPTION_ROUTE_INFORMATION:
-                        r = ndisc_router_process_route(link, rt);
+                        r = ndisc_router_process_route(link, rt, zero_lifetime);
                        break;

                case SD_NDISC_OPTION_RDNSS:
-                        r = ndisc_router_process_rdnss(link, rt);
+                        r = ndisc_router_process_rdnss(link, rt, zero_lifetime);
                        break;

                case SD_NDISC_OPTION_DNSSL:
-                        r = ndisc_router_process_dnssl(link, rt);
+                        r = ndisc_router_process_dnssl(link, rt, zero_lifetime);
                        break;
                case SD_NDISC_OPTION_CAPTIVE_PORTAL:
                        if (n_captive_portal > 0) {
@ -2336,15 +2358,15 @@ static int ndisc_router_process_options(Link *link, sd_ndisc_router *rt) {
                                n_captive_portal++;
                                continue;
                        }
-                        r = ndisc_router_process_captive_portal(link, rt);
+                        r = ndisc_router_process_captive_portal(link, rt, zero_lifetime);
                        if (r > 0)
                                n_captive_portal++;
                        break;
                case SD_NDISC_OPTION_PREF64:
-                        r = ndisc_router_process_pref64(link, rt);
+                        r = ndisc_router_process_pref64(link, rt, zero_lifetime);
                        break;
                case SD_NDISC_OPTION_ENCRYPTED_DNS:
-                        r = ndisc_router_process_encrypted_dns(link, rt);
+                        r = ndisc_router_process_encrypted_dns(link, rt, zero_lifetime);
                        break;
                }
                if (r < 0 && r != -EBADMSG)
@ -2652,10 +2674,6 @@ static int ndisc_router_handler(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return r;

-        r = ndisc_router_process_default(link, rt);
-        if (r < 0)
-                return r;
-
        r = ndisc_router_process_reachable_time(link, rt);
        if (r < 0)
                return r;
@ -2672,7 +2690,15 @@ static int ndisc_router_handler(Link *link, sd_ndisc_router *rt) {
        if (r < 0)
                return r;

-        r = ndisc_router_process_options(link, rt);
+        r = ndisc_router_process_options(link, rt, /* zero_lifetime = */ true);
+        if (r < 0)
+                return r;
+
+        r = ndisc_router_process_default(link, rt);
+        if (r < 0)
+                return r;
+
+        r = ndisc_router_process_options(link, rt, /* zero_lifetime = */ false);
        if (r < 0)
                return r;

--- a/src/network/networkd-nexthop.c
+++ b/src/network/networkd-nexthop.c
@ -968,7 +968,7 @@ static void nexthop_forget_one(NextHop *nexthop) {

        Request *req;
        if (nexthop_get_request_by_id(nexthop->manager, nexthop->id, &req) >= 0)
-                route_enter_removed(req->userdata);
+                nexthop_enter_removed(req->userdata);

        nexthop_enter_removed(nexthop);
        log_nexthop_debug(nexthop, "Forgetting silently removed", nexthop->manager);
--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
@ -50,6 +50,7 @@ static int add_syscall_filters(
                { CAP_IPC_LOCK,       "@memlock"                     },

                /* Plus a good set of additional syscalls which are not part of any of the groups above */
+                { 0,                  "arm_fadvise64_64"             },
                { 0,                  "brk"                          },
                { 0,                  "capget"                       },
                { 0,                  "capset"                       },
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -477,7 +477,8 @@ static int custom_mount_check_all(void) {
                if (path_equal(m->destination, "/") && arg_userns_mode != USER_NAMESPACE_NO) {
                        if (arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_OFF)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                                       "--private-users-ownership=own may not be combined with custom root mounts.");
+                                                       "--private-users-ownership=%s may not be combined with custom root mounts.",
+                                                       user_namespace_ownership_to_string(arg_userns_ownership));
                        if (arg_uid_shift == UID_INVALID)
                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                       "--private-users with automatic UID shift may not be combined with custom root mounts.");
@ -2279,10 +2280,9 @@ static int copy_devnode_one(const char *dest, const char *node, bool ignore_mkno
        r = path_extract_directory(from, &parent);
        if (r < 0)
                return log_error_errno(r, "Failed to extract directory from %s: %m", from);
-        if (!path_equal(parent, "/dev/")) {
-                if (userns_mkdir(dest, parent, 0755, 0, 0) < 0)
+        r = userns_mkdir(dest, parent, 0755, 0, 0);
+        if (r < 0)
                return log_error_errno(r, "Failed to create directory %s: %m", parent);
-        }

        if (mknod(to, st.st_mode, st.st_rdev) < 0) {
                r = -errno; /* Save the original error code. */
@ -4653,7 +4653,7 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r

        ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
        if (!ucred || ucred->pid != inner_child_pid) {
-                log_debug("Received notify message without valid credentials. Ignoring.");
+                log_debug("Received notify message from process that is not the payload's PID 1. Ignoring.");
                return 0;
        }

--- a/src/quotacheck/quotacheck.c
+++ b/src/quotacheck/quotacheck.c
@ -36,14 +36,9 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
                        arg_skip = true;
                else
                        log_warning("Invalid quotacheck.mode= value, ignoring: %s", value);
-        }

-#if HAVE_SYSV_COMPAT
-        else if (streq(key, "forcequotacheck") && !value) {
-                log_warning("Please use 'quotacheck.mode=force' rather than 'forcequotacheck' on the kernel command line. Proceeding anyway.");
+        } else if (streq(key, "forcequotacheck") && !value)
                arg_force = true;
-        }
-#endif

        return 0;
 }
--- a/src/run/run.c
+++ b/src/run/run.c
@ -2297,7 +2297,8 @@ static int start_transient_scope(sd_bus *bus) {
                uid_t uid;
                gid_t gid;

-                r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, USER_CREDS_CLEAN|USER_CREDS_PREFER_NSS);
+                r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell,
+                                   USER_CREDS_CLEAN|USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_PREFER_NSS);
                if (r < 0)
                        return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user);

--- a/src/shared/killall.c
+++ b/src/shared/killall.c
@ -46,13 +46,17 @@ static bool argv_has_at(pid_t pid) {
        return c == '@';
 }

-static bool is_survivor_cgroup(const PidRef *pid) {
+static bool is_in_survivor_cgroup(const PidRef *pid) {
        _cleanup_free_ char *cgroup_path = NULL;
        int r;

        assert(pidref_is_set(pid));

        r = cg_pidref_get_path(/* root= */ NULL, pid, &cgroup_path);
+        if (r == -EUNATCH) {
+                log_warning_errno(r, "Process " PID_FMT " appears to originate in foreign namespace, ignoring.", pid->pid);
+                return true;
+        }
        if (r < 0) {
                log_warning_errno(r, "Failed to get cgroup path of process " PID_FMT ", ignoring: %m", pid->pid);
                return false;
@ -86,7 +90,7 @@ static bool ignore_proc(const PidRef *pid, bool warn_rootfs) {
                return true; /* also ignore processes where we can't determine this */

        /* Ignore processes that are part of a cgroup marked with the user.survive_final_kill_signal xattr */
-        if (is_survivor_cgroup(pid))
+        if (is_in_survivor_cgroup(pid))
                return true;

        r = pidref_get_uid(pid, &uid);
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
 int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);

 int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
-int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
+int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);

 /* Default to PCR 7 only */
 #define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)
--- a/src/shared/user-record-show.c
+++ b/src/shared/user-record-show.c
@ -28,21 +28,28 @@ const char* user_record_state_color(const char *state) {
        return NULL;
 }

-static void dump_self_modifiable(const char *heading, char **field, const char **value) {
+static void dump_self_modifiable(
+                const char *heading,
+                char **field,
+                const char **value) {
+
        assert(heading);

        /* Helper function for printing the various self_modifiable_* fields from the user record */

-        if (strv_isempty((char**) value))
-                /* Case 1: the array is explicitly set to be empty by the administrator */
-                printf("%13s %sDisabled by Administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
+        if (!value)
+                /* Case 1: no value is set and no default either */
+                printf("%13s %snone%s\n", heading, ansi_highlight(), ansi_normal());
+        else if (strv_isempty((char**) value))
+                /* Case 2: the array is explicitly set to empty by the administrator */
+                printf("%13s %sdisabled by administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
        else if (!field)
-                /* Case 2: we have values, but the field is NULL. This means that we're using the defaults.
+                /* Case 3: we have values, but the field is NULL. This means that we're using the defaults.
                 * We list them anyways, because they're security-sensitive to the administrator */
                STRV_FOREACH(i, value)
                        printf("%13s %s%s%s\n", i == value ? heading : "", ansi_grey(), *i, ansi_normal());
        else
-                /* Case 3: we have a list provided by the administrator */
+                /* Case 4: we have a list provided by the administrator */
                STRV_FOREACH(i, value)
                        printf("%13s %s\n", i == value ? heading : "", *i);
 }
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@ -2165,8 +2165,15 @@ const char** user_record_self_modifiable_fields(UserRecord *h) {

        assert(h);

+        /* Note: if the self_modifiable_fields field in UserRecord is NULL we'll apply a default, if we have
+         * one. If it is a non-NULL empty strv, we'll report it as explicit empty list. When the field is
+         * NULL and we have no default list we'll return NULL. */
+
        /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_fields ?: (const char**) default_fields;
+        if (h->self_modifiable_fields)
+                return (const char**) h->self_modifiable_fields;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
 }

 const char** user_record_self_modifiable_blobs(UserRecord *h) {
@ -2180,7 +2187,10 @@ const char** user_record_self_modifiable_blobs(UserRecord *h) {
        assert(h);

        /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_blobs ?: (const char**) default_blobs;
+        if (h->self_modifiable_blobs)
+                return (const char**) h->self_modifiable_blobs;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_blobs : NULL;
 }

 const char** user_record_self_modifiable_privileged(UserRecord *h) {
@ -2201,7 +2211,10 @@ const char** user_record_self_modifiable_privileged(UserRecord *h) {
        assert(h);

        /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_privileged ?: (const char**) default_fields;
+        if (h->self_modifiable_privileged)
+                return (const char**) h->self_modifiable_privileged;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
 }

 static int remove_self_modifiable_json_fields_common(UserRecord *current, sd_json_variant **target) {
--- a/src/shutdown/detach-dm.c
+++ b/src/shutdown/detach-dm.c
@ -98,15 +98,17 @@ static int delete_dm(DeviceMapper *m) {
        assert(major(m->devnum) != 0);
        assert(m->path);

+        fd = open(m->path, O_RDONLY|O_CLOEXEC|O_NONBLOCK);
+        if (fd < 0)
+                log_debug_errno(errno, "Failed to open DM block device %s for syncing, ignoring: %m", m->path);
+        else {
+                (void) sync_with_progress(fd);
+                fd = safe_close(fd);
+        }
+
        fd = open("/dev/mapper/control", O_RDWR|O_CLOEXEC);
        if (fd < 0)
-                return -errno;
-
-        _cleanup_close_ int block_fd = open(m->path, O_RDONLY|O_CLOEXEC|O_NONBLOCK);
-        if (block_fd < 0)
-                log_debug_errno(errno, "Failed to open DM block device %s for syncing, ignoring: %m", m->path);
-        else
-                (void) sync_with_progress(block_fd);
+                return log_debug_errno(errno, "Failed to open /dev/mapper/control: %m");

        return RET_NERRNO(ioctl(fd, DM_DEV_REMOVE, &(struct dm_ioctl) {
                .version = {
--- a/src/shutdown/shutdown.c
+++ b/src/shutdown/shutdown.c
@ -211,10 +211,8 @@ static int sync_making_progress(unsigned long long *prev_dirty) {
                        continue;

                errno = 0;
-                if (sscanf(line, "%*s %llu %*s", &ull) != 1) {
-                        log_warning_errno(errno_or_else(EIO), "Failed to parse /proc/meminfo field, ignoring: %m");
-                        return false;
-                }
+                if (sscanf(line, "%*s %llu %*s", &ull) != 1)
+                        return log_warning_errno(errno_or_else(EIO), "Failed to parse /proc/meminfo field: %m");

                val += ull;
        }
--- a/src/ssh-generator/ssh-generator.c
+++ b/src/ssh-generator/ssh-generator.c
@ -245,7 +245,7 @@ static int add_vsock_socket(
        if (r < 0)
                return r;

-        log_info("Binding SSH to AF_VSOCK vsock::22.\n"
+        log_debug("Binding SSH to AF_VSOCK vsock::22.\n"
                  "→ connect via 'ssh vsock/%u' from host", local_cid);
        return 0;
 }
@ -280,7 +280,7 @@ static int add_local_unix_socket(
        if (r < 0)
                return r;

-        log_info("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n"
+        log_debug("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n"
                  "→ connect via 'ssh .host' locally");
        return 0;
 }
@ -336,7 +336,7 @@ static int add_export_unix_socket(
        if (r < 0)
                return r;

-        log_info("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n"
+        log_debug("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n"
                  "→ connect via 'ssh unix/run/systemd/nspawn/unix-export/\?\?\?/ssh' from host");

        return 0;
@ -387,7 +387,7 @@ static int add_extra_sockets(
                if (r < 0)
                        return r;

-                log_info("Binding SSH to socket %s.", *i);
+                log_debug("Binding SSH to socket %s.", *i);
                n++;
        }

@ -462,7 +462,7 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
        _cleanup_free_ char *sshd_binary = NULL;
        r = find_executable("sshd", &sshd_binary);
        if (r == -ENOENT) {
-                log_info("Disabling SSH generator logic, since sshd is not installed.");
+                log_debug("Disabling SSH generator logic, since sshd is not installed.");
                return 0;
        }
        if (r < 0)
--- a/src/systemctl/systemctl-show.c
+++ b/src/systemctl/systemctl-show.c
@ -724,7 +724,7 @@ static void print_status_info(
                printf("      Tasks: %" PRIu64, i->tasks_current);

                if (i->tasks_max != UINT64_MAX)
-                        printf(" (limit: %" PRIu64 ")\n", i->tasks_max);
+                        printf("%s (limit: %" PRIu64 ")%s\n", ansi_grey(), i->tasks_max, ansi_normal());
                else
                        printf("\n");
        }
--- a/src/test/generate-sym-test.py
+++ b/src/test/generate-sym-test.py
@ -105,9 +105,9 @@ int main(void) {
        }

        for (j = 0; symbols_from_source[j].name; j++) {
-                struct symbol*n = bsearch(symbols_from_source+j, symbols_from_source, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
+                struct symbol *n = bsearch(symbols_from_source+j, symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
                if (!n)
-                        printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[i].name);
+                        printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[j].name);
        }

        return i == j ? EXIT_SUCCESS : EXIT_FAILURE;
--- a/src/test/test-audit-util.c
+++ b/src/test/test-audit-util.c
@ -7,24 +7,26 @@ TEST(audit_loginuid_from_pid) {
        _cleanup_(pidref_done) PidRef self = PIDREF_NULL, pid1 = PIDREF_NULL;
        int r;

-        assert_se(pidref_set_self(&self) >= 0);
-        assert_se(pidref_set_pid(&pid1, 1) >= 0);
+        ASSERT_OK(pidref_set_self(&self));
+        ASSERT_OK(pidref_set_pid(&pid1, 1));

        uid_t uid;
        r = audit_loginuid_from_pid(&self, &uid);
-        assert_se(r >= 0 || r == -ENODATA);
+        if (r != -ENODATA)
+                ASSERT_OK(r);
        if (r >= 0)
                log_info("self audit login uid: " UID_FMT, uid);

-        assert_se(audit_loginuid_from_pid(&pid1, &uid) == -ENODATA);
+        ASSERT_ERROR(audit_loginuid_from_pid(&pid1, &uid), ENODATA);

        uint32_t sessionid;
        r = audit_session_from_pid(&self, &sessionid);
-        assert_se(r >= 0 || r == -ENODATA);
+        if (r != -ENODATA)
+                ASSERT_OK(r);
        if (r >= 0)
                log_info("self audit session id: %" PRIu32, sessionid);

-        assert_se(audit_session_from_pid(&pid1, &sessionid) == -ENODATA);
+        ASSERT_ERROR(audit_session_from_pid(&pid1, &sessionid), ENODATA);
 }

 static int intro(void) {
--- a/src/test/test-user-record.c
+++ b/src/test/test-user-record.c
@ -9,7 +9,7 @@
        ({                                      \
                typeof(ret) _r = (ret);         \
                user_record_unref(*_r);         \
-                assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(__VA_ARGS__)) >= 0); \
+                assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(SD_JSON_BUILD_PAIR_STRING("disposition", "regular"), __VA_ARGS__)) >= 0); \
                0;                              \
        })

--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@ -363,7 +363,7 @@ def test_config_priority(tmp_path):
    assert opts.pcr_public_keys == ['PKEY2', 'some/path8']
    assert opts.pcr_banks == ['SHA1', 'SHA256']
    assert opts.signing_engine == 'ENGINE'
-    assert opts.signtool == ukify.SbSign # from args
+    assert opts.signtool == 'sbsign' # from args
    assert opts.sb_key == 'SBKEY' # from args
    assert opts.sb_cert == pathlib.Path('SBCERT') # from args
    assert opts.sb_certdir == 'some/path5' # from config
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@ -238,7 +238,9 @@ class UkifyConfig:
    all: bool
    cmdline: Union[str, Path, None]
    devicetree: Path
+    devicetree_auto: list[Path]
    efi_arch: str
+    hwids: Path
    initrd: list[Path]
    join_profiles: list[Path]
    json: Union[Literal['pretty'], Literal['short'], Literal['off']]
@ -265,7 +267,7 @@ class UkifyConfig:
    signing_engine: Optional[str]
    signing_provider: Optional[str]
    certificate_provider: Optional[str]
-    signtool: Optional[type['SignTool']]
+    signtool: Optional[str]
    splash: Optional[Path]
    stub: Path
    summary: bool
@ -365,6 +367,8 @@ DEFAULT_SECTIONS_TO_SHOW = {
    '.ucode':   'binary',
    '.splash':  'binary',
    '.dtb':     'binary',
+    '.dtbauto': 'binary',
+    '.hwids':   'binary',
    '.cmdline': 'text',
    '.osrel':   'text',
    '.uname':   'text',
@ -447,7 +451,7 @@ class UKI:
            if s.name == '.profile':
                start = i + 1

-        if any(section.name == s.name for s in self.sections[start:]):
+        if any(section.name == s.name for s in self.sections[start:] if s.name != '.dtbauto'):
            raise ValueError(f'Duplicate section {section.name}')

        self.sections += [section]
@ -462,6 +466,17 @@ class SignTool:
    def verify(opts: UkifyConfig) -> bool:
        raise NotImplementedError()

+    @staticmethod
+    def from_string(name) -> type['SignTool']:
+        if name == 'pesign':
+            return PeSign
+        elif name == 'sbsign':
+            return SbSign
+        elif name == 'systemd-sbsign':
+            return SystemdSbSign
+        else:
+            raise ValueError(f'Invalid sign tool: {name!r}')
+

 class PeSign(SignTool):
    @staticmethod
@ -620,7 +635,10 @@ def check_inputs(opts: UkifyConfig) -> None:
            continue

        if isinstance(value, Path):
-            # Open file to check that we can read it, or generate an exception
+            # Check that we can open the directory or file, or generate and exception
+            if value.is_dir():
+                value.iterdir()
+            else:
                value.open().close()
        elif isinstance(value, list):
            for item in value:
@ -704,7 +722,16 @@ def call_systemd_measure(uki: UKI, opts: UkifyConfig, profile_start: int = 0) ->
    # PCR measurement

    # First, pick up either the base sections or the profile specific sections we shall measure now
-    to_measure = {s.name: s for s in uki.sections[profile_start:] if s.measure}
+    unique_to_measure = {
+        s.name: s for s in uki.sections[profile_start:] if s.measure and s.name != '.dtbauto'
+    }
+
+    dtbauto_to_measure: list[Optional[Section]] = [
+        s for s in uki.sections[profile_start:] if s.measure and s.name == '.dtbauto'
+    ]
+
+    if len(dtbauto_to_measure) == 0:
+        dtbauto_to_measure = [None]

    # Then, if we're measuring a profile, lookup the missing sections from the base image.
    if profile_start != 0:
@ -718,12 +745,18 @@ def call_systemd_measure(uki: UKI, opts: UkifyConfig, profile_start: int = 0) ->
                continue

            # Check if this is a section we already covered above
-            if section.name in to_measure:
+            if section.name in unique_to_measure:
                continue

-            to_measure[section.name] = section
+            unique_to_measure[section.name] = section

    if opts.measure:
+        to_measure = unique_to_measure.copy()
+
+        for dtbauto in dtbauto_to_measure:
+            if dtbauto is not None:
+                to_measure[dtbauto.name] = dtbauto
+
            pp_groups = opts.phase_path_groups or []

            cmd = [
@ -743,6 +776,11 @@ def call_systemd_measure(uki: UKI, opts: UkifyConfig, profile_start: int = 0) ->

    if opts.pcr_private_keys:
        pcrsigs = []
+        to_measure = unique_to_measure.copy()
+
+        for dtbauto in dtbauto_to_measure:
+            if dtbauto is not None:
+                to_measure[dtbauto.name] = dtbauto

            cmd = [
                measure_tool,
@ -903,7 +941,7 @@ def pe_add_sections(uki: UKI, output: str) -> None:
        # the one from the kernel to it. It should be small enough to fit in the existing section, so just
        # swap the data.
        for i, s in enumerate(pe.sections[:n_original_sections]):
-            if pe_strip_section_name(s.Name) == section.name:
+            if pe_strip_section_name(s.Name) == section.name and section.name != '.dtbauto':
                if new_section.Misc_VirtualSize > s.SizeOfRawData:
                    raise PEError(f'Not enough space in existing section {section.name} to append new data.')

@ -975,6 +1013,123 @@ def merge_sbat(input_pe: list[Path], input_text: list[str]) -> str:
    )


+# Keep in sync with EFI_GUID (src/boot/efi.h)
+# uint32_t Data1, uint16_t Data2, uint16_t Data3, uint8_t Data4[8]
+EFI_GUID = tuple[int, int, int, tuple[int, int, int, int, int, int, int, int]]
+EFI_GUID_STRUCT_SIZE = 4 + 2 + 2 + 1 * 8
+
+# Keep in sync with Device (DEVICE_TYPE_DEVICETREE) from src/boot/chid.h
+# uint32_t descriptor, EFI_GUID chid, uint32_t name_offset, uint32_t compatible_offset
+DEVICE_STRUCT_SIZE = 4 + EFI_GUID_STRUCT_SIZE + 4 + 4
+NULL_DEVICE = b'\0' * DEVICE_STRUCT_SIZE
+DEVICE_TYPE_DEVICETREE = 1
+
+
+def device_make_descriptor(device_type: int, size: int) -> int:
+    return (size) | (device_type << 28)
+
+
+def pack_device(offsets: dict[str, int], name: str, compatible: str, chids: list[EFI_GUID]) -> bytes:
+    data = b''
+
+    for data1, data2, data3, data4 in chids:
+        data += struct.pack(
+            '<IIHH8BII',
+            device_make_descriptor(DEVICE_TYPE_DEVICETREE, DEVICE_STRUCT_SIZE),
+            data1,
+            data2,
+            data3,
+            *data4,
+            offsets[name],
+            offsets[compatible],
+        )
+
+    assert len(data) == DEVICE_STRUCT_SIZE * len(chids)
+    return data
+
+
+def hex_pairs_list(string: str) -> list[int]:
+    return [int(string[i : i + 2], 16) for i in range(0, len(string), 2)]
+
+
+def pack_strings(strings: set[str], base: int) -> tuple[bytes, dict[str, int]]:
+    blob = b''
+    offsets = {}
+
+    for string in sorted(strings):
+        offsets[string] = base + len(blob)
+        blob += string.encode('utf-8') + b'\00'
+
+    return (blob, offsets)
+
+
+def parse_hwid_dir(path: Path) -> bytes:
+    hwid_files = path.rglob('*.txt')
+
+    strings: set[str] = set()
+    devices: collections.defaultdict[tuple[str, str], list[EFI_GUID]] = collections.defaultdict(list)
+
+    uuid_regexp = re.compile(
+        r'\{[0-9a-f]{8}-[0-9a-f]{4}-[0-5][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}\}', re.I
+    )
+
+    for hwid_file in hwid_files:
+        content = hwid_file.open().readlines()
+
+        data: dict[str, str] = {
+            'Manufacturer': '',
+            'Family': '',
+            'Compatible': '',
+        }
+        uuids: list[EFI_GUID] = []
+
+        for line in content:
+            for k in data:
+                if line.startswith(k):
+                    data[k] = line.split(':')[1].strip()
+                    break
+            else:
+                uuid = uuid_regexp.match(line)
+                if uuid is not None:
+                    d1, d2, d3, d4, d5 = uuid.group(0)[1:-1].split('-')
+
+                    data1 = int(d1, 16)
+                    data2 = int(d2, 16)
+                    data3 = int(d3, 16)
+                    data4 = cast(
+                        tuple[int, int, int, int, int, int, int, int],
+                        tuple(hex_pairs_list(d4) + hex_pairs_list(d5)),
+                    )
+
+                    uuids.append((data1, data2, data3, data4))
+
+        for k, v in data.items():
+            if not v:
+                raise ValueError(f'hwid description file "{hwid_file}" does not contain "{k}"')
+
+        name = data['Manufacturer'] + ' ' + data['Family']
+        compatible = data['Compatible']
+
+        strings |= set([name, compatible])
+
+        # (compatible, name) pair uniquely identifies the device
+        devices[(compatible, name)] += uuids
+
+    total_device_structs = 1
+    for dev, uuids in devices.items():
+        total_device_structs += len(uuids)
+
+    strings_blob, offsets = pack_strings(strings, total_device_structs * DEVICE_STRUCT_SIZE)
+
+    devices_blob = b''
+    for (compatible, name), uuids in devices.items():
+        devices_blob += pack_device(offsets, name, compatible, uuids)
+
+    devices_blob += NULL_DEVICE
+
+    return devices_blob + strings_blob
+
+
 STUB_SBAT = """\
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/
@ -997,15 +1152,16 @@ def make_uki(opts: UkifyConfig) -> None:

    if opts.linux and sign_args_present:
        assert opts.signtool is not None
+        signtool = SignTool.from_string(opts.signtool)

        if not sign_kernel:
            # figure out if we should sign the kernel
-            sign_kernel = opts.signtool.verify(opts)
+            sign_kernel = signtool.verify(opts)

        if sign_kernel:
            linux_signed = tempfile.NamedTemporaryFile(prefix='linux-signed')
            linux = Path(linux_signed.name)
-            opts.signtool.sign(os.fspath(opts.linux), os.fspath(linux), opts=opts)
+            signtool.sign(os.fspath(opts.linux), os.fspath(linux), opts=opts)

    if opts.uname is None and opts.linux is not None:
        print('Kernel version not specified, starting autodetection 😖.')
@ -1041,11 +1197,18 @@ def make_uki(opts: UkifyConfig) -> None:
            print('+', shell_join(cmd))
            pcrpkey = subprocess.check_output(cmd)

+    hwids = None
+
+    if opts.hwids is not None:
+        hwids = parse_hwid_dir(opts.hwids)
+
    sections = [
        # name,      content,         measure?
        ('.osrel',   opts.os_release, True),
        ('.cmdline', opts.cmdline,    True),
        ('.dtb',     opts.devicetree, True),
+        *(('.dtbauto', dtb, True) for dtb in opts.devicetree_auto),
+        ('.hwids',   hwids,           True),
        ('.uname',   opts.uname,      True),
        ('.splash',  opts.splash,     True),
        ('.pcrpkey', pcrpkey,         True),
@ -1159,7 +1322,9 @@ def make_uki(opts: UkifyConfig) -> None:

    if sign_args_present:
        assert opts.signtool is not None
-        opts.signtool.sign(os.fspath(unsigned_output), os.fspath(opts.output), opts)
+        signtool = SignTool.from_string(opts.signtool)
+
+        signtool.sign(os.fspath(unsigned_output), os.fspath(opts.output), opts)

        # We end up with no executable bits, let's reapply them
        os.umask(umask := os.umask(0))
@ -1489,10 +1654,10 @@ class ConfigItem:
        else:
            conv = lambda s: s  # noqa: E731

-        # This is a bit ugly, but --initrd is the only option which is specified
+        # This is a bit ugly, but --initrd and --devicetree-auto are the only options
        # with multiple args on the command line and a space-separated list in the
        # config file.
-        if self.name == '--initrd':
+        if self.name in ['--initrd', '--devicetree-auto']:
            value = [conv(v) for v in value.split()]
        else:
            value = conv(value)
@ -1512,26 +1677,6 @@ class ConfigItem:
        return (section_name, key, value)


-class SignToolAction(argparse.Action):
-    def __call__(
-        self,
-        parser: argparse.ArgumentParser,
-        namespace: argparse.Namespace,
-        values: Union[str, Sequence[Any], None] = None,
-        option_string: Optional[str] = None,
-    ) -> None:
-        if values is None:
-            setattr(namespace, 'signtool', None)
-        elif values == 'sbsign':
-            setattr(namespace, 'signtool', SbSign)
-        elif values == 'pesign':
-            setattr(namespace, 'signtool', PeSign)
-        elif values == 'systemd-sbsign':
-            setattr(namespace, 'signtool', SystemdSbSign)
-        else:
-            raise ValueError(f"Unknown signtool '{values}' (this is unreachable)")
-
-
 VERBS = ('build', 'genkey', 'inspect')

 CONFIG_ITEMS = [
@ -1605,6 +1750,23 @@ CONFIG_ITEMS = [
        help='Device Tree file [.dtb section]',
        config_key='UKI/DeviceTree',
    ),
+    ConfigItem(
+        '--devicetree-auto',
+        metavar='PATH',
+        type=Path,
+        action='append',
+        help='DeviceTree file for automatic selection [.dtbauto section]',
+        default=[],
+        config_key='UKI/DeviceTreeAuto',
+        config_push=ConfigItem.config_list_prepend,
+    ),
+    ConfigItem(
+        '--hwids',
+        metavar='DIR',
+        type=Path,
+        help='Directory with HWID text files [.hwids section]',
+        config_key='UKI/HWIDs',
+    ),
    ConfigItem(
        '--uname',
        metavar='VERSION',
@ -1688,7 +1850,6 @@ CONFIG_ITEMS = [
    ConfigItem(
        '--signtool',
        choices=('sbsign', 'pesign', 'systemd-sbsign'),
-        action=SignToolAction,
        dest='signtool',
        help=(
            'whether to use sbsign or pesign. It will also be inferred by the other '
@ -2005,24 +2166,24 @@ def finalize_options(opts: argparse.Namespace) -> None:
        )
    elif bool(opts.sb_key) and bool(opts.sb_cert):
        # both param given, infer sbsign and in case it was given, ensure signtool=sbsign
-        if opts.signtool and opts.signtool not in (SbSign, SystemdSbSign):
+        if opts.signtool and opts.signtool not in ('sbsign', 'systemd-sbsign'):
            raise ValueError(
                f'Cannot provide --signtool={opts.signtool} with --secureboot-private-key= and --secureboot-certificate='  # noqa: E501
            )
        if not opts.signtool:
-            opts.signtool = SbSign
+            opts.signtool = 'sbsign'
    elif bool(opts.sb_cert_name):
        # sb_cert_name given, infer pesign and in case it was given, ensure signtool=pesign
-        if opts.signtool and opts.signtool != PeSign:
+        if opts.signtool and opts.signtool != 'pesign':
            raise ValueError(
                f'Cannot provide --signtool={opts.signtool} with --secureboot-certificate-name='
            )
-        opts.signtool = PeSign
+        opts.signtool = 'pesign'

-    if opts.signing_provider and opts.signtool != SystemdSbSign:
+    if opts.signing_provider and opts.signtool != 'systemd-sbsign':
        raise ValueError('--signing-provider= can only be used with--signtool=systemd-sbsign')

-    if opts.certificate_provider and opts.signtool != SystemdSbSign:
+    if opts.certificate_provider and opts.signtool != 'systemd-sbsign':
        raise ValueError('--certificate-provider= can only be used with--signtool=systemd-sbsign')

    if opts.sign_kernel and not opts.sb_key and not opts.sb_cert_name:
--- a/src/userdb/userdbctl.c
+++ b/src/userdb/userdbctl.c
@ -23,6 +23,7 @@
 #include "user-util.h"
 #include "userdb.h"
 #include "verbs.h"
+#include "virt.h"

 static enum {
        OUTPUT_CLASSIC,
@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
        return 0;
 }

+static bool test_show_mapped(void) {
+        /* Show mapped user range only in environments where user mapping is a thing. */
+        return running_in_userns() > 0;
+}
+
 static const struct {
        uid_t first, last;
        const char *name;
        UserDisposition disposition;
+        bool (*test)(void);
 } uid_range_table[] = {
        {
                .first = 1,
@ -175,11 +182,12 @@ static const struct {
                .last = MAP_UID_MAX,
                .name = "mapped",
                .disposition = USER_REGULAR,
+                .test = test_show_mapped,
        },
 };

 static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;

        assert(table);

@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                        continue;

+                if (i->test && !i->test())
+                        continue;
+
                name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                               " begin ", i->name, " users ",
                               special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                                TABLE_INT, 1); /* sort after any other entry with the same UID */
                if (r < 0)
                        return table_log_add_error(r);
+
+                n_added += 2;
        }

-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }

 static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
 }

 static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;

        assert(table);

        FOREACH_ELEMENT(i, uid_range_table) {
                _cleanup_free_ char *name = NULL, *comment = NULL;

+                if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
+                        continue;
+
                if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                        continue;

+                if (i->test && !i->test())
+                        continue;
+
                name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                               " begin ", i->name, " groups ",
                               special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
                                TABLE_INT, 1); /* sort after any other entry with the same GID */
                if (r < 0)
                        return table_log_add_error(r);
+
+                n_added += 2;
        }

-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }

 static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@ -2182,6 +2182,10 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {

        (void) sd_event_add_signal(event, NULL, (SIGRTMIN+18) | SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, NULL);

+        r = sd_event_add_memory_pressure(event, NULL, NULL, NULL);
+        if (r < 0)
+                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+
        /* Exit when the child exits */
        (void) event_add_child_pidref(event, NULL, &child_pidref, WEXITED, on_child_exit, NULL);

--- a/test/networkd-test.py
+++ b/test/networkd-test.py
@ -960,10 +960,13 @@ exec $(systemctl cat systemd-networkd.service | sed -n '/^ExecStart=/ {{ s/^.*=/

        # wait until devices got created
        for _ in range(50):
-            out = subprocess.check_output(['ip', 'a', 'show', 'dev', self.if_router])
-            if b'state UP' in out and b'scope global' in out:
+            if subprocess.run(['ip', 'link', 'show', 'dev', self.if_router],
+                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0:
                break
            time.sleep(0.1)
+        else:
+            subprocess.call(['ip', 'link', 'show', 'dev', self.if_router])
+            self.fail('Timed out waiting for {ifr} created.'.format(ifr=self.if_router))

    def shutdown_iface(self):
        '''Remove test interface and stop DHCP server'''
--- a/test/test-functions
+++ b/test/test-functions
@ -1712,18 +1712,18 @@ check_coverage_reports() {

    # Create a coverage report that will later be uploaded. Remove info about system
    # libraries/headers and generated files, as we don't really care about them.
-    lcov --directory "${root}/${BUILD_DIR:?}" --capture --exclude "*.gperf" --output-file "${dest}.new"
+    lcov --ignore-errors inconsistent --directory "${root}/${BUILD_DIR:?}" --capture --exclude "*.gperf" --output-file "${dest}.new"
    if [[ -f "$dest" ]]; then
        # If the destination report file already exists, don't overwrite it, but
        # merge it with the already present one - this usually happens when
        # running both "parts" of a test in one run (the qemu and the nspawn part).
-        lcov --add-tracefile "${dest}" --add-tracefile "${dest}.new" -o "${dest}"
+        lcov --ignore-errors inconsistent --add-tracefile "${dest}" --add-tracefile "${dest}.new" -o "${dest}"
    else
        # If there's no prior coverage report, merge the new one with the base
        # report we did during the setup phase (see test_setup()).
-        lcov --add-tracefile "${TESTDIR:?}/coverage-base" --add-tracefile "${dest}.new" -o "${dest}"
+        lcov --ignore-errors inconsistent --add-tracefile "${TESTDIR:?}/coverage-base" --add-tracefile "${dest}.new" -o "${dest}"
    fi
-    lcov --remove "$dest" -o "$dest" '/usr/include/*' '/usr/lib/*' "${BUILD_DIR:?}/*"
+    lcov --ignore-errors inconsistent --remove "$dest" -o "$dest" '/usr/include/*' '/usr/lib/*' "${BUILD_DIR:?}/*"
    rm -f "${dest}.new"

    # If the test logs contain lines like:
--- a/test/test-network/conf/25-veth-router-high2.network
+++ b/test/test-network/conf/25-veth-router-high2.network
@ -1,18 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Match]
-Name=router-low
-
-[Network]
-IPv6AcceptRA=no
-IPv6SendRA=yes
-
-[IPv6SendRA]
-# changed from low to high
-RouterPreference=high
-EmitDNS=no
-EmitDomains=no
-
-[IPv6Prefix]
-Prefix=2002:da8:1:98::/64
-PreferredLifetimeSec=1000s
-ValidLifetimeSec=2100s
--- a/test/test-network/conf/25-veth-router-low2.network
+++ b/test/test-network/conf/25-veth-router-low2.network
@ -1,18 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-[Match]
-Name=router-high
-
-[Network]
-IPv6AcceptRA=no
-IPv6SendRA=yes
-
-[IPv6SendRA]
-# changed from high to low
-RouterPreference=low
-EmitDNS=no
-EmitDomains=no
-
-[IPv6Prefix]
-Prefix=2002:da8:1:99::/64
-PreferredLifetimeSec=1000s
-ValidLifetimeSec=2100s
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@ -6391,6 +6391,27 @@ class NetworkdRATests(unittest.TestCase, Utilities):

        self.check_ipv6_sysctl_attr('client', 'hop_limit', '43')

+    def check_router_preference(self, suffix, metric_1, preference_1, metric_2, preference_2):
+        self.wait_online('client:routable')
+        self.wait_address('client', f'2002:da8:1:99:1034:56ff:fe78:9a{suffix}/64', ipv='-6', timeout_sec=10)
+        self.wait_address('client', f'2002:da8:1:98:1034:56ff:fe78:9a{suffix}/64', ipv='-6', timeout_sec=10)
+        self.wait_route('client', rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric {metric_1}', ipv='-6', timeout_sec=10)
+        self.wait_route('client', rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric {metric_2}', ipv='-6', timeout_sec=10)
+
+        print('### ip -6 route show dev client default')
+        output = check_output('ip -6 route show dev client default')
+        print(output)
+        self.assertRegex(output, rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric {metric_1} expires [0-9]*sec pref {preference_1}')
+        self.assertRegex(output, rf'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric {metric_2} expires [0-9]*sec pref {preference_2}')
+
+        for i in [100, 200, 300, 512, 1024, 2048]:
+            if i not in [metric_1, metric_2]:
+                self.assertNotIn(f'metric {i} ', output)
+
+        for i in ['low', 'medium', 'high']:
+            if i not in [preference_1, preference_2]:
+                self.assertNotIn(f'pref {i}', output)
+
    def test_router_preference(self):
        copy_network_unit('25-veth-client.netdev',
                          '25-veth-router-high.netdev',
@ -6409,72 +6430,47 @@ class NetworkdRATests(unittest.TestCase, Utilities):

        networkctl_reconfigure('client')
        self.wait_online('client:routable')
+        self.check_router_preference('00', 512, 'high', 2048, 'low')

-        self.wait_address('client', '2002:da8:1:99:1034:56ff:fe78:9a00/64', ipv='-6', timeout_sec=10)
-        self.wait_address('client', '2002:da8:1:98:1034:56ff:fe78:9a00/64', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 512', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 2048', ipv='-6', timeout_sec=10)
-
-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 512 expires [0-9]*sec pref high')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 2048 expires [0-9]*sec pref low')
-
+        # change the map from preference to metric.
        with open(os.path.join(network_unit_dir, '25-veth-client.network'), mode='a', encoding='utf-8') as f:
            f.write('\n[Link]\nMACAddress=12:34:56:78:9a:01\n[IPv6AcceptRA]\nRouteMetric=100:200:300\n')
-
        networkctl_reload()
-        self.wait_online('client:routable')
-
-        self.wait_address('client', '2002:da8:1:99:1034:56ff:fe78:9a01/64', ipv='-6', timeout_sec=10)
-        self.wait_address('client', '2002:da8:1:98:1034:56ff:fe78:9a01/64', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 100', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 300', ipv='-6', timeout_sec=10)
-
-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 100 expires [0-9]*sec pref high')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 300 expires [0-9]*sec pref low')
-        self.assertNotIn('metric 512', output)
-        self.assertNotIn('metric 2048', output)
+        self.check_router_preference('01', 100, 'high', 300, 'low')

        # swap the preference (for issue #28439)
-        remove_network_unit('25-veth-router-high.network', '25-veth-router-low.network')
-        copy_network_unit('25-veth-router-high2.network', '25-veth-router-low2.network')
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=low\n')
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=high\n')
        networkctl_reload()
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 300', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 100', ipv='-6', timeout_sec=10)
-
-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 300 expires [0-9]*sec pref low')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 100 expires [0-9]*sec pref high')
-        self.assertNotRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 100')
-        self.assertNotRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 300')
-        self.assertNotIn('metric 512', output)
-        self.assertNotIn('metric 2048', output)
+        self.check_router_preference('01', 300, 'low', 100, 'high')

        # Use the same preference, and check if the two routes are not coalesced. See issue #33470.
-        with open(os.path.join(network_unit_dir, '25-veth-router-high2.network'), mode='a', encoding='utf-8') as f:
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
            f.write('\n[IPv6SendRA]\nRouterPreference=medium\n')
-        with open(os.path.join(network_unit_dir, '25-veth-router-low2.network'), mode='a', encoding='utf-8') as f:
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
            f.write('\n[IPv6SendRA]\nRouterPreference=medium\n')
        networkctl_reload()
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 200', ipv='-6', timeout_sec=10)
-        self.wait_route('client', r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 200', ipv='-6', timeout_sec=10)
+        self.check_router_preference('01', 200, 'medium', 200, 'medium')

-        print('### ip -6 route show dev client default')
-        output = check_output('ip -6 route show dev client default')
-        print(output)
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a99 proto ra metric 200 expires [0-9]*sec pref medium')
-        self.assertRegex(output, r'default nhid [0-9]* via fe80::1034:56ff:fe78:9a98 proto ra metric 200 expires [0-9]*sec pref medium')
-        self.assertNotIn('pref high', output)
-        self.assertNotIn('pref low', output)
-        self.assertNotIn('metric 512', output)
-        self.assertNotIn('metric 2048', output)
+        # Use route options to configure default routes.
+        # The preference specified in the RA header should be ignored. See issue #33468.
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=high\n[IPv6RoutePrefix]\nRoute=::/0\nLifetimeSec=1200\n')
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
+            f.write('\n[IPv6SendRA]\nRouterPreference=low\n[IPv6RoutePrefix]\nRoute=::/0\nLifetimeSec=1200\n')
+        networkctl_reload()
+        self.check_router_preference('01', 200, 'medium', 200, 'medium')
+
+        # Set zero lifetime to the route options.
+        # The preference specified in the RA header should be used.
+        with open(os.path.join(network_unit_dir, '25-veth-router-high.network'), mode='a', encoding='utf-8') as f:
+            f.write('LifetimeSec=0\n')
+        with open(os.path.join(network_unit_dir, '25-veth-router-low.network'), mode='a', encoding='utf-8') as f:
+            f.write('LifetimeSec=0\n')
+        networkctl_reload()
+        self.check_router_preference('01', 100, 'high', 300, 'low')

    def _test_ndisc_vs_static_route(self, manage_foreign_nexthops):
        if not manage_foreign_nexthops:
--- a/test/units/TEST-07-PID1.working-directory.sh
+++ b/test/units/TEST-07-PID1.working-directory.sh
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+(! systemd-run --wait -p DynamicUser=yes \
+                      -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+                      -p WorkingDirectory='~' true)
+
+assert_eq "$(systemd-run --pipe --uid=root -p WorkingDirectory='~' pwd)" "/root"
+assert_eq "$(systemd-run --pipe --uid=nobody -p WorkingDirectory='~' pwd)" "/"
+assert_eq "$(systemd-run --pipe --uid=testuser -p WorkingDirectory='~' pwd)" "/home/testuser"
+
+(! systemd-run --wait -p DynamicUser=yes -p User=testuser \
+                      -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+                      -p WorkingDirectory='~' true)
--- a/test/units/TEST-84-STORAGETM.sh
+++ b/test/units/TEST-84-STORAGETM.sh
@ -3,6 +3,14 @@
 set -eux
 set -o pipefail

+if systemd-analyze compare-versions "$(nvme --version | grep libnvme | awk '{print $3}')" eq 1.11; then
+    if grep -q "CONFIG_NVME_TCP_TLS is not set" "/boot/config-$(uname -r)" 2>/dev/null || grep -q "CONFIG_NVME_TCP_TLS is not set" "/usr/lib/modules/$(uname -r)/config" 2>/dev/null; then
+        # See: https://github.com/linux-nvme/nvme-cli/issues/2573
+        echo "nvme-cli is broken and requires TLS support in the kernel" >/skipped
+        exit 77
+    fi
+fi
+
 /usr/lib/systemd/systemd-storagetm --list-devices

 modprobe -v nvmet-tcp
--- a/tmpfiles.d/20-systemd-shell-extra.conf.in
+++ b/tmpfiles.d/20-systemd-shell-extra.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 {% if LINK_SHELL_EXTRA_DROPIN %}
 L$ {{SHELLPROFILEDIR}}/70-systemd-shell-extra.sh - - - - {{LIBEXECDIR}}/profile.d/70-systemd-shell-extra.sh
--- a/tmpfiles.d/20-systemd-ssh-generator.conf.in
+++ b/tmpfiles.d/20-systemd-ssh-generator.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 {% if LINK_SSH_PROXY_DROPIN %}
 L$ {{SSHCONFDIR}}/20-systemd-ssh-proxy.conf - - - - {{LIBEXECDIR}}/ssh_config.d/20-systemd-ssh-proxy.conf
--- a/tmpfiles.d/20-systemd-stub.conf.in
+++ b/tmpfiles.d/20-systemd-stub.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Copy systemd-stub provided metadata such as PCR signature and public key file
 # from initrd into /run/, so that it will survive the initrd stage
--- a/tmpfiles.d/20-systemd-userdb.conf.in
+++ b/tmpfiles.d/20-systemd-userdb.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 {% if LINK_SSHD_USERDB_DROPIN %}
 L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf
--- a/tmpfiles.d/credstore.conf
+++ b/tmpfiles.d/credstore.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 d /etc/credstore 0700 root root
 d /etc/credstore.encrypted 0700 root root
--- a/tmpfiles.d/etc.conf.in
+++ b/tmpfiles.d/etc.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 L /etc/os-release - - - - ../usr/lib/os-release
 L+ /etc/mtab - - - - ../proc/self/mounts
--- a/tmpfiles.d/home.conf
+++ b/tmpfiles.d/home.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 Q /home 0755 - - -
 q /srv 0755 - - -
--- a/tmpfiles.d/journal-nocow.conf
+++ b/tmpfiles.d/journal-nocow.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Set the NOCOW attribute for directories of journal files. This flag
 # is inherited by their new files and sub-directories. Matters only
--- a/tmpfiles.d/legacy.conf.in
+++ b/tmpfiles.d/legacy.conf.in
@ -5,26 +5,28 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

-# These files are considered legacy and are unnecessary on legacy-free
-# systems.
+# The functionality provided by these files and directories has been replaced
+# by newer interfaces. Their use is discouraged on legacy-free systems. This
+# configuration is provided to maintain backward compatibility.

 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
+
+{% if HAVE_SYSV_COMPAT %}
 {% if CREATE_LOG_DIRS %}
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}

 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
-
 d /run/lock/subsys 0755 root root -

 # /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
 # kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
 # 'quotacheck.mode=force'
-
 r! /forcefsck
 r! /fastboot
 r! /forcequotacheck
+{% endif %}
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 ~rc1
 ~rc2