systemd-boot: add a preferred setting that's similar to default but avoids booting known-bad entries

Motivation: Currently, when setting the default boot pattern, boot assessment status is not taken into account. This means that with boot assessment enabled, when an explicit boot entry is configured as the default entry using an EFI var, as is common for instance in A/B boot schemes, the configured entry will be booted indefinitly, regardless of the entry's boot assessment status. In order to allow for this use case in combination with boot assessment, we introduce a new `preferred` keyword, both in the config file and in the bootctl CLI, that acts very similar to the existing `default` keyword but takes boot assessment into account and never selects any entries that have been marked as bad. If the preferred pattern does not resolve to any bootable entry, and a default pattern is also specified, then the default pattern will be considered next, and we may then still select a known-bad entry to be booted. Fixes: https://github.com/systemd/systemd/issues/31215 Fixes: https://github.com/systemd/systemd/issues/40192
boot: Fix UKI boot for kernels with non-zero ImageBase (#40429 )
2026-03-07 13:44:46 +01:00 · 2026-02-18 03:28:12 +09:00 · 2026-02-18 03:27:41 +09:00 · 2026-02-17 19:13:40 +01:00 · 2026-02-18 02:46:05 +09:00 · 2026-02-17 18:21:45 +01:00
64 changed files with 10809 additions and 5026 deletions
--- a/228
+++ b/228
@ -25,32 +25,213 @@ CHANGES WITH 260 in spe:
          libidn2. The corresponding meson option '-Dlibidn=' is deprecated
          too and will be dropped in a future release.

+        * Required versions of various dependencies have been raised:
+          cryptsetup 2.0.1/2.3.0 → 2.4.0,
+          elfutils 158 → 177,
+          libblkid 2.24 → 2.37,
+          libseccomp 2.3.1 → 2.4.0,
+          glibc 2.31 → 2.34,
+          libxcrypt or libcrypt from glibc → libxcrypt 4.4.0 only,
+          OpenSSL 1.1.0 → 3.0.0.
+
+          The Linux kernel version requirements have been updated too:
+          baseline 5.4 → 5.10, recommended baseline 5.7 → 5.14, 6.6 for full
+          functionality. Code for compatibility with versions older than the
+          baseline has been removed.
+
        * The parsing of RootImageOptions= and the mount image parameters of
          ExtensionImages= and MountImages= has been changed so that the last
-          duplicated definition for a given partition wins and is applied,
-          rather than the first, to keep these options coherent with other
-          unit settings.
+          definition for a given partition wins and is applied, rather than the
+          first, to keep these options coherent with other unit settings.

        * Support for non-system users and groups in udev rules and
          systemd-networkd configuration has been restored, but is deprecated
-          and discouraged. systemd-udevd and systemd-networkd will emit
-          warnings when non-system accounts are used. This support will be
-          removed in a future release.
+          and discouraged. systemd-udevd will emits warnings if a non-system
+          user/group is specified in OWNER=/GROUP=. Similarly, systemd-networkd
+          will warn about User=/Group= settings with a non-system user/group
+          specified in .netdev files for Tun/Tap interfaces. This support will
+          be removed in a future release.
+
+          Device nodes should not be owned by a non-system user/group. It is
+          recommended to check udev rules files with 'udevadm verify' and/or
+          'udevadm test' commands .
+
+        New system interfaces and components:
+
+        * The os-release(3) gained a new field FANCY_NAME= that is similar
+          to PRETTY_NAME= but may contain ANSI sequences such as Unicode
+          emojis. The new field is also defined to NOT contain any version
+          specification, providing better separation between the OS name
+          and version.
+
+          The systemd manager, systemd-hostnamed, and hostnamectl will now
+          show FANCY_NAME= in preference to PRETTY_NAME=.
+
+        * The "Portability and Stability" policy has been simplified and
+          updated to strengthen the promises of avoiding user-visible
+          regressions in public interfaces. See
+          https://systemd.io/PORTABILITY_AND_STABILITY/ for details.
+
+        * Services providing a public Varlink interface can be symlinked under
+          /run/varlink/registry/, allowing services to be enumerated.
+          'varlinkctl list-registry' can be used to list running services.
+
+        * A new "metrics" or "report" framework has been defined. Any component
+          can hook into the reporting framework by providing a varlink endpoint
+          under /run/systemd/report. Such a hookup has been added to the manager.
+
+          systemd-report is a new command line tool which collects the reports
+          from all endpoints and prints them in JSON format.
+
+          The details of the structure of the reports should be considered
+          EXPERIMENTAL at this point. We reserve the right to make incompatible
+          changes to the JSON structure and/or place additional requirements.
+
+        Changes in the system and user managers:
+
+        * Systemd now uses ANSI CSI 18 sequence to query terminal size. This
+          allows the query to be made without changing the position of the
+          cursor. Terminal emulators which do not yet support the sequence are
+          encouraged to do so.
+
+        * Service units gained a RefreshOnReload= setting that configures
+          whether extensions and credentials are to be refreshed when the unit
+          is reloaded.
+
+        * A new unit setting BindNetworkInterface= has been introduced that
+          automatically binds all sockets created by the unit to a specific
+          network interface.
+
+        * EnqueueMarkedJobs() D-Bus method now has a Varlink counterpart.
+
+        * SetProperties() D-Bus method now has a Varlink counterpart. For now,
+          it only supports setting the Markers= property.
+
+        Changes in udev:
+
+        * Persistent network interface naming has bee extended to MCTP devices
+          with the "mc" prefix.
+
+        * The minimum backlight brightness value used when restoring backlight
+          levels at boot has been lowered from 5% to 1%. This lower value
+          should be sufficient to avoid blacked-out displays, but allows user
+          environments to use a wider range of values (without lower values
+          being reset during reboot). Note that environments may still set very
+          low brightness values at runtime independently of the systemd clamp
+          which only applies during boot.
+
+        Changes in systemd-networkd:
+
+        * MultiPathRoute= option now supports interface-bound ECMP routes.
+
+        * systemd-networkd gained integration with ModemManager via the "simple
+          connect" protocol. A new [ModemManager] section has been added with
+          SimpleConnectProperties= (currently apn=, allowed-auth=, user=,
+          password=, ip-type=, allow-roaming=, pin=, and operator-id=),
+          RouteMetric=, and UseGateway= settings. This allows systemd-networkd
+          to establish a cellular modem connection to a broadband network.
+
+        * systemd-networkd gained a pair of varlink methods LinkUp()/LinkDown().
+          networkctl up/down now utilizes the new varlink interfaces in place
+          of direct RTNL message for better interaction with networkd.
+
+        Changes in systemd-boot and the stub:
+
+        * The timeout in the boot menu can be configured with the
+          io.systemd.boot.timeout= SMBIOS type 11 string.
+
+        * bootctl's varlink interface gained a new Install() method for performing
+          systemd-boot installation/upgrade via IPC calls.
+
+        Changes in libsystemd:
+
+        * The varlink implementation now supports SD_VARLINK_ANY as a wildcard
+          type. This is useful to declare generic interfaces which need to
+          support multiple types.
+
+        Changes in systemd-resolved:
+
+        * Queries done through nss-resolve can be limited to a specific
+          interface with the $SYSTEMD_NSS_RESOLVE_INTERFACE environment
+          variable.
+
+        * systemd-resolved now supports marking of packets used for DNS
+          requests with a firewall mark.
+
+        * resolvectl now uses varlink to connect to systemd-resolved.

        Changes in other components:

-        * New options SYSTEMD_COLORS=auto-16, SYSTEMD_COLORS=auto-256, and
-          SYSTEMD_COLORS=auto-24bit, which are like SYSTEMD_COLORS=16,
-          SYSTEMD_COLORS=256, and SYSTEMD_COLORS=24bit respectively when output
-          is to a non-dumb TTY, and like SYSTEMD_COLORS=no otherwise.
+        * systemd-repart gained basic support for integrity checks of encrypted
+          volumes. Two new options Integrity= and IntegrityAlgorithm= can be
+          used to configure integrity checks for LUKS volumes.
+
+        * Image dissection policies have been extended to allow restricting
+          file system types and requiring integrity checks for encrypted volumes
+          with a new 'encryptedwithinegrity' policy.
+
+        * systemd-dissect gained a --copy-ownership= switch to configure
+          ownership of copied files.
+
+        * systemd-portabled now also runs as a user service. Unprivileged users
+          can run portable services (on sufficiently fresh kernels).
+
+        * systemd-portabled will now generate a policy and pin the image for a
+          portable service, so that the image cannot be changed later without a
+          reattach.
+
+        * systemd-keyutil gained an 'extract-certificate' verb to print the X.509
+          certificate.
+
+        * systemd-sysupdate gained a new 'acquire' verb, allowing the download
+          and installation or update steps to be done separately.
+
+        * Support for polkit authorization has been added to systemd-sysext and
+          varlinkctl.
+
+        * A polkit policy was added for systemd-ask-password, allowing it to be
+          used by unprivileged callers.
+
+        * systemd-inhibit --list option gained support for JSON output
+          and filtering with --what= , --who=, --why=, and --mode=.
+
+        * systemd-vmspawn gained support for registering with systemd-machined
+          in the user session. New options --user/--system control which
+          instance is used.
+
+        * systemd-vmspawn gained support for ephemeral machines via a new
+          --ephemeral option. This is similar to the functionality provided via
+          the same switch in systemd-nspawn.
+
+        * New options SYSTEMD_COLORS=auto-16, SYSTEMD_COLORS=auto-256, and
+          SYSTEMD_COLORS=auto-24bit have been added. They are like
+          SYSTEMD_COLORS=16, SYSTEMD_COLORS=256, and SYSTEMD_COLORS=24bit
+          respectively when output is to a non-dumb TTY, and degrade to
+          SYSTEMD_COLORS=no otherwise.
+
+        * Standalone versions of the systemd-sysusers and systemd-tmpfiles
+          binaries now support full functionality. (Previously, those tools
+          were compiled without features which would require libmount and pull
+          in a lot of dependencies. After the conversion to dlopen the option
+          whether to support features requiring libmount is made by providing
+          libmount or not, at install time.)
+
+        * Internal code dealing with processes has been updated to use pidfds
+          in many places.
+
+        Changes in units:
+
+        * runlevel[0-6].target units that were removed in v258 have been
+          restored when the newly introduced -Dcompat-sysv-interfaces=BOOL
+          meson option is enabled. The installation of legacy.conf for tmpfiles
+          is now also conditionalized with the meson option.
+
+        * systemd-portabled now runs also in the user session in the new
+          systemd-portabled.service unit.
+
+        * getty@.service gained an [Install] and must now be explicitly enabled
+          to be active.

-        * Minimum backlight brightness clamp for restoring it at boot has been
-          lowered from 5% to 1%. This is a safe change allowing more chance to
-          user environments to set lower values that won't be set higher at boot
-          while still giving the chance to recover from blackouts because
-          excessive lower bright values by just rebooting. Notice that if your
-          environment allow you to set excessive low brightness values this has
-          nothing to do with systemd's brightness clamp.

 CHANGES WITH 259:

@ -100,6 +281,8 @@ CHANGES WITH 259:

        * systemd-networkd and systemd-nspawn no longer support creating NAT
          rules via iptables/libiptc APIs; only nftables is now supported.
+          The corresponding meson option '-Dlibiptc=' is deprecated and will be
+          dropped in a future release.

        * systemd-boot's and systemd-stub's support for TPM 1.2 has been
          removed (only TPM 2.0 supported is retained). The security value of
@ -683,15 +866,18 @@ CHANGES WITH 258:
          an incompatible change of sorts, since per-user services will
          typically not be available for such PAM sessions of system users.

-        * systemd-udevd warns about OWNER=/GROUP= settings with a non-system
-          user/group specified in udev rules files. Device nodes should not be
+        * systemd-udevd ignores OWNER=/GROUP= settings with a non-system
+          user/group specified in udev rules files, to avoid device nodes being
          owned by a non-system user/group. It is recommended to check udev
          rules files with 'udevadm verify' and/or 'udevadm test' commands if
          the specified user/group in OWNER=/GROUP= are valid.
-          Similarly, systemd-networkd will warn about User=/Group= settings
-          with a non-system user/group specified in .netdev files for Tun/Tap
+          Similarly, systemd-networkd refuses User=/Group= settings with a
+          non-system user/group specified in .netdev files for Tun/Tap
          interfaces.

+          NOTE: this change was partially reverted in v260 and the patch may be
+          backported to the v259-stable branch.
+
        * systemd-cryptenroll, systemd-repart and systemd-creds no longer
          default to locking TPM2 enrollments to the current, literal value of
          PCR 7, i.e. the PCR the SecureBoot policy is measured into by the
--- a/docs/BOOT.md
+++ b/docs/BOOT.md
@ -101,7 +101,8 @@ Some EFI variables control the loader or exported the loaders state to the start

 | EFI Variables |
 |---------------|------------------------|-------------------------------|
-| LoaderEntryDefault | entry identifier to select as default at bootup  | non-volatile |
+| LoaderEntryDefault | entry identifier to select as default at bootup, ignoring boot assessment | non-volatile |
+| LoaderEntryPreferred | entry identifier to select as default at bootup, respecting boot assessment | non-volatile |
 | LoaderEntrySysFail | sysfail entry identifier | non-volatile |
 | LoaderSysFailReason | system failure reason | volatile |
 | LoaderConfigTimeout | timeout in seconds to show the menu | non-volatile |
--- a/docs/BOOT_LOADER_INTERFACE.md
+++ b/docs/BOOT_LOADER_INTERFACE.md
@ -61,8 +61,24 @@ Variables will be listed below using the Linux efivarfs naming,
  The list should be in the order the entries are shown on screen during boot.
  See below regarding the recommended vocabulary for boot loader entry identifiers.

+* The EFI variable `LoaderEntryPreferred-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`
+  contains the preferred boot loader entry to use.
+  This takes boot assessment into account by not selecting boot entries that have
+  been marked as bad,
+  see <ulink url="https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT">Automatic Boot Assessment</ulink>
+  for more details on boot assessment.
+  If no entry was selected by the preferred setting (from either the EFI var or
+  the config file), then the boot loader will look at the default setting, which
+  does not skip entries that were marked as bad.
+  It contains a NUL-terminated boot loader entry identifier.
+
 * The EFI variable `LoaderEntryDefault-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`
  contains the default boot loader entry to use.
+  This ignores boot assessment and can select boot entries that have been marked
+  as bad by boot assessment,
+  see <ulink url="https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT">Automatic Boot Assessment</ulink>
+  for more details on boot assessment as well as the documentation on the
+  `LoaderEntryPreferred` EFI var.
  It contains a NUL-terminated boot loader entry identifier.

 * The EFI variable `LoaderEntrySysFail-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`
@ -83,10 +99,10 @@ Variables will be listed below using the Linux efivarfs naming,
  contains the default boot loader entry to use for a single following boot.
  It is set by the OS
  in order to request booting into a specific menu entry on the following boot.
-  When set overrides `LoaderEntryDefault`.
+  When set overrides `LoaderEntryPreferred` and `LoaderEntryDefault`.
  It is removed automatically after being read by the boot loader,
  to ensure it only takes effect a single time.
-  This value is formatted the same way as `LoaderEntryDefault`.
+  This value is formatted the same way as `LoaderEntryDefault` and `LoaderEntryPreferred`.

 * The EFI variable `LoaderEntrySelected-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`
  contains the boot loader entry identifier that was booted.
@ -126,6 +142,7 @@ Variables will be listed below using the Linux efivarfs naming,
                [Boot Loader Specification](https://uapi-group.org/specifications/specs/boot_loader_specification).
  * `1 << 18` → The boot loader reports active TPM2 PCR banks in the
                EFI variable `LoaderTpm2ActivePcrBanks-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`.
+  * `1 << 19` → The boot loader supports the `LoaderEntryPreferred` variable when set.

 * The EFI variable `LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`
  contains binary random data,
@ -168,7 +185,8 @@ variables.
 While boot loader entries may be named relatively freely,
 it's highly recommended to follow these rules when picking identifiers for the entries,
 so that programs (and users) can derive basic context and meaning from the identifiers
-as passed in `LoaderEntries`, `LoaderEntryDefault`, `LoaderEntryOneShot`, `LoaderEntrySelected`,
+as passed in `LoaderEntries`, `LoaderEntryPreferred`, `LoaderEntryDefault`,
+`LoaderEntryOneShot`, `LoaderEntrySelected`,
 and possibly show nicely localized names for them in UIs.

 1. When boot loader entries are defined through the
--- a/hwdb.d/20-OUI.hwdb
+++ b/hwdb.d/20-OUI.hwdb
--- a/hwdb.d/20-acpi-vendor.hwdb
+++ b/hwdb.d/20-acpi-vendor.hwdb
@ -243,6 +243,9 @@ acpi:JSYS*:
 acpi:JUMP*:
 ID_VENDOR_FROM_DATABASE=JUMPtec GmbH

+acpi:KAYA*:
+ ID_VENDOR_FROM_DATABASE=KAYA N CO., LTD.
+
 acpi:KIOX*:
 ID_VENDOR_FROM_DATABASE=Kionix, Inc.

@ -270,6 +273,9 @@ acpi:MCRY*:
 acpi:MIPI*:
 ID_VENDOR_FROM_DATABASE=MIPI Alliance

+acpi:MITH*:
+ ID_VENDOR_FROM_DATABASE=Mesiontech
+
 acpi:MRVL*:
 ID_VENDOR_FROM_DATABASE=Marvell Technology Group Ltd.

--- a/hwdb.d/20-acpi-vendor.hwdb.patch
+++ b/hwdb.d/20-acpi-vendor.hwdb.patch
@ -1,5 +1,5 @@
--- 20-acpi-vendor.hwdb.base	2025-12-17 13:23:44.545346018 +0000
-+++ 20-acpi-vendor.hwdb	2025-12-17 13:23:44.549346080 +0000
+--- 20-acpi-vendor.hwdb.base	2026-02-17 11:46:19.559676127 +0100
+++ 20-acpi-vendor.hwdb	2026-02-17 11:46:19.570676054 +0100
@@ -3,6 +3,8 @@
 # Data imported from:
 #     https://uefi.org/uefi-pnp-export
@ -9,7 +9,7 @@
 
 acpi:3GVR*:
  ID_VENDOR_FROM_DATABASE=VR Technology Holdings Limited
-@@ -442,6 +444,9 @@
+@@ -448,6 +450,9 @@
 acpi:AAA*:
  ID_VENDOR_FROM_DATABASE=Avolites Ltd
 
@ -19,7 +19,7 @@
 acpi:AAE*:
  ID_VENDOR_FROM_DATABASE=Anatek Electronics Inc.
 
-@@ -469,6 +474,9 @@
+@@ -475,6 +480,9 @@
 acpi:ABO*:
  ID_VENDOR_FROM_DATABASE=D-Link Systems Inc
 
@ -29,7 +29,7 @@
 acpi:ABS*:
  ID_VENDOR_FROM_DATABASE=Abaco Systems, Inc.
 
-@@ -514,7 +522,7 @@
+@@ -520,7 +528,7 @@
 acpi:ACO*:
  ID_VENDOR_FROM_DATABASE=Allion Computer Inc.
 
@ -38,7 +38,7 @@
  ID_VENDOR_FROM_DATABASE=Aspen Tech Inc
 
 acpi:ACR*:
-@@ -793,6 +801,9 @@
+@@ -799,6 +807,9 @@
 acpi:AMT*:
  ID_VENDOR_FROM_DATABASE=AMT International Industry
 
@ -48,7 +48,7 @@
 acpi:AMX*:
  ID_VENDOR_FROM_DATABASE=AMX LLC
 
-@@ -841,6 +852,9 @@
+@@ -847,6 +858,9 @@
 acpi:AOA*:
  ID_VENDOR_FROM_DATABASE=AOpen Inc.
 
@ -58,7 +58,7 @@
 acpi:AOE*:
  ID_VENDOR_FROM_DATABASE=Advanced Optics Electronics, Inc.
 
-@@ -850,6 +864,9 @@
+@@ -856,6 +870,9 @@
 acpi:AOT*:
  ID_VENDOR_FROM_DATABASE=Alcatel
 
@ -68,7 +68,7 @@
 acpi:APC*:
  ID_VENDOR_FROM_DATABASE=American Power Conversion
 
-@@ -1031,7 +1048,7 @@
+@@ -1037,7 +1054,7 @@
  ID_VENDOR_FROM_DATABASE=ALPS ALPINE CO., LTD.
 
 acpi:AUO*:
@ -77,7 +77,7 @@
 
 acpi:AUR*:
  ID_VENDOR_FROM_DATABASE=Aureal Semiconductor
-@@ -1111,6 +1128,9 @@
+@@ -1117,6 +1134,9 @@
 acpi:AXE*:
  ID_VENDOR_FROM_DATABASE=Axell Corporation
 
@ -87,7 +87,7 @@
 acpi:AXI*:
  ID_VENDOR_FROM_DATABASE=American Magnetics
 
-@@ -1270,6 +1290,9 @@
+@@ -1276,6 +1296,9 @@
 acpi:BML*:
  ID_VENDOR_FROM_DATABASE=BIOMED Lab
 
@ -97,7 +97,7 @@
 acpi:BMS*:
  ID_VENDOR_FROM_DATABASE=BIOMEDISYS
 
-@@ -1282,6 +1305,9 @@
+@@ -1288,6 +1311,9 @@
 acpi:BNO*:
  ID_VENDOR_FROM_DATABASE=Bang & Olufsen
 
@ -107,7 +107,7 @@
 acpi:BNS*:
  ID_VENDOR_FROM_DATABASE=Boulder Nonlinear Systems
 
-@@ -1528,6 +1554,9 @@
+@@ -1534,6 +1560,9 @@
 acpi:CHA*:
  ID_VENDOR_FROM_DATABASE=Chase Research PLC
 
@ -117,7 +117,7 @@
 acpi:CHD*:
  ID_VENDOR_FROM_DATABASE=ChangHong Electric Co.,Ltd
 
-@@ -1693,6 +1722,9 @@
+@@ -1699,6 +1728,9 @@
 acpi:COD*:
  ID_VENDOR_FROM_DATABASE=CODAN Pty. Ltd.
 
@ -127,7 +127,7 @@
 acpi:COI*:
  ID_VENDOR_FROM_DATABASE=Codec Inc.
 
-@@ -2111,7 +2143,7 @@
+@@ -2117,7 +2149,7 @@
  ID_VENDOR_FROM_DATABASE=Dragon Information Technology
 
 acpi:DJE*:
@ -136,7 +136,7 @@
 
 acpi:DJP*:
  ID_VENDOR_FROM_DATABASE=Maygay Machines, Ltd
-@@ -2464,6 +2496,9 @@
+@@ -2470,6 +2502,9 @@
 acpi:EIN*:
  ID_VENDOR_FROM_DATABASE=Elegant Invention
 
@ -146,7 +146,7 @@
 acpi:EKA*:
  ID_VENDOR_FROM_DATABASE=MagTek Inc.
 
-@@ -2734,6 +2769,9 @@
+@@ -2740,6 +2775,9 @@
 acpi:FCG*:
  ID_VENDOR_FROM_DATABASE=First International Computer Ltd
 
@ -156,7 +156,7 @@
 acpi:FCS*:
  ID_VENDOR_FROM_DATABASE=Focus Enhancements, Inc.
 
-@@ -3110,7 +3148,7 @@
+@@ -3116,7 +3154,7 @@
  ID_VENDOR_FROM_DATABASE=General Standards Corporation
 
 acpi:GSM*:
@ -165,7 +165,7 @@
 
 acpi:GSN*:
  ID_VENDOR_FROM_DATABASE=Grandstream Networks, Inc.
-@@ -3220,6 +3258,9 @@
+@@ -3226,6 +3264,9 @@
 acpi:HEC*:
  ID_VENDOR_FROM_DATABASE=Hisense Electric Co., Ltd.
 
@ -175,7 +175,7 @@
 acpi:HEL*:
  ID_VENDOR_FROM_DATABASE=Hitachi Micro Systems Europe Ltd
 
-@@ -3355,6 +3396,9 @@
+@@ -3361,6 +3402,9 @@
 acpi:HSD*:
  ID_VENDOR_FROM_DATABASE=HannStar Display Corp
 
@ -185,7 +185,7 @@
 acpi:HSM*:
  ID_VENDOR_FROM_DATABASE=AT&T Microelectronics
 
-@@ -3481,6 +3525,9 @@
+@@ -3487,6 +3531,9 @@
 acpi:ICI*:
  ID_VENDOR_FROM_DATABASE=Infotek Communication Inc
 
@ -195,7 +195,7 @@
 acpi:ICM*:
  ID_VENDOR_FROM_DATABASE=Intracom SA
 
-@@ -3577,6 +3624,9 @@
+@@ -3583,6 +3630,9 @@
 acpi:IKE*:
  ID_VENDOR_FROM_DATABASE=Ikegami Tsushinki Co. Ltd.
 
@ -205,7 +205,7 @@
 acpi:IKS*:
  ID_VENDOR_FROM_DATABASE=Ikos Systems Inc
 
-@@ -3625,6 +3675,9 @@
+@@ -3631,6 +3681,9 @@
 acpi:IMX*:
  ID_VENDOR_FROM_DATABASE=arpara Technology Co., Ltd.
 
@ -215,7 +215,7 @@
 acpi:INA*:
  ID_VENDOR_FROM_DATABASE=Inventec Corporation
 
-@@ -4153,6 +4206,9 @@
+@@ -4159,6 +4212,9 @@
 acpi:LAN*:
  ID_VENDOR_FROM_DATABASE=Sodeman Lancom Inc
 
@ -225,7 +225,7 @@
 acpi:LAS*:
  ID_VENDOR_FROM_DATABASE=LASAT Comm. A/S
 
-@@ -4204,6 +4260,9 @@
+@@ -4210,6 +4266,9 @@
 acpi:LED*:
  ID_VENDOR_FROM_DATABASE=Long Engineering Design Inc
 
@ -235,7 +235,7 @@
 acpi:LEG*:
  ID_VENDOR_FROM_DATABASE=Legerity, Inc
 
-@@ -4222,6 +4281,9 @@
+@@ -4228,6 +4287,9 @@
 acpi:LGD*:
  ID_VENDOR_FROM_DATABASE=LG Display
 
@ -245,7 +245,7 @@
 acpi:LGI*:
  ID_VENDOR_FROM_DATABASE=Logitech Inc
 
-@@ -4288,6 +4350,9 @@
+@@ -4294,6 +4356,9 @@
 acpi:LND*:
  ID_VENDOR_FROM_DATABASE=Land Computer Company Ltd
 
@ -255,7 +255,7 @@
 acpi:LNK*:
  ID_VENDOR_FROM_DATABASE=Link Tech Inc
 
-@@ -4322,7 +4387,7 @@
+@@ -4328,7 +4393,7 @@
  ID_VENDOR_FROM_DATABASE=Design Technology
 
 acpi:LPL*:
@ -264,7 +264,7 @@
 
 acpi:LSC*:
  ID_VENDOR_FROM_DATABASE=LifeSize Communications
-@@ -4498,6 +4563,9 @@
+@@ -4504,6 +4569,9 @@
 acpi:MCX*:
  ID_VENDOR_FROM_DATABASE=Millson Custom Solutions Inc.
 
@ -274,7 +274,7 @@
 acpi:MDA*:
  ID_VENDOR_FROM_DATABASE=Media4 Inc
 
-@@ -4744,6 +4812,9 @@
+@@ -4750,6 +4818,9 @@
 acpi:MOM*:
  ID_VENDOR_FROM_DATABASE=Momentum Data Systems
 
@ -284,7 +284,7 @@
 acpi:MOS*:
  ID_VENDOR_FROM_DATABASE=Moses Corporation
 
-@@ -4984,6 +5055,9 @@
+@@ -4990,6 +5061,9 @@
 acpi:NAL*:
  ID_VENDOR_FROM_DATABASE=Network Alchemy
 
@ -294,7 +294,7 @@
 acpi:NAT*:
  ID_VENDOR_FROM_DATABASE=NaturalPoint Inc.
 
-@@ -5524,6 +5598,9 @@
+@@ -5530,6 +5604,9 @@
 acpi:PCX*:
  ID_VENDOR_FROM_DATABASE=PC Xperten
 
@ -304,7 +304,7 @@
 acpi:PDM*:
  ID_VENDOR_FROM_DATABASE=Psion Dacom Plc.
 
-@@ -5587,9 +5664,6 @@
+@@ -5593,9 +5670,6 @@
 acpi:PHE*:
  ID_VENDOR_FROM_DATABASE=Philips Medical Systems Boeblingen GmbH
 
@ -314,7 +314,7 @@
 acpi:PHL*:
  ID_VENDOR_FROM_DATABASE=Philips Consumer Electronics Company
 
-@@ -5680,9 +5754,6 @@
+@@ -5686,9 +5760,6 @@
 acpi:PNL*:
  ID_VENDOR_FROM_DATABASE=Panelview, Inc.
 
@ -324,7 +324,7 @@
 acpi:PNR*:
  ID_VENDOR_FROM_DATABASE=Planar Systems, Inc.
 
-@@ -6160,9 +6231,6 @@
+@@ -6166,9 +6237,6 @@
 acpi:RTI*:
  ID_VENDOR_FROM_DATABASE=Rancho Tech Inc
 
@ -334,7 +334,7 @@
 acpi:RTL*:
  ID_VENDOR_FROM_DATABASE=Realtek Semiconductor Company Ltd
 
-@@ -6337,9 +6405,6 @@
+@@ -6343,9 +6411,6 @@
 acpi:SEE*:
  ID_VENDOR_FROM_DATABASE=SeeColor Corporation
 
@ -344,7 +344,7 @@
 acpi:SEI*:
  ID_VENDOR_FROM_DATABASE=Seitz & Associates Inc
 
-@@ -6823,6 +6888,9 @@
+@@ -6829,6 +6894,9 @@
 acpi:SVD*:
  ID_VENDOR_FROM_DATABASE=SVD Computer
 
@ -354,7 +354,7 @@
 acpi:SVI*:
  ID_VENDOR_FROM_DATABASE=Sun Microsystems
 
-@@ -6907,6 +6975,9 @@
+@@ -6913,6 +6981,9 @@
 acpi:SZM*:
  ID_VENDOR_FROM_DATABASE=Shenzhen MTC Co., Ltd
 
@ -364,7 +364,7 @@
 acpi:TAA*:
  ID_VENDOR_FROM_DATABASE=Tandberg
 
-@@ -6997,6 +7068,9 @@
+@@ -7003,6 +7074,9 @@
 acpi:TDG*:
  ID_VENDOR_FROM_DATABASE=Six15 Technologies
 
@ -374,7 +374,7 @@
 acpi:TDM*:
  ID_VENDOR_FROM_DATABASE=Tandem Computer Europe Inc
 
-@@ -7039,6 +7113,9 @@
+@@ -7045,6 +7119,9 @@
 acpi:TEV*:
  ID_VENDOR_FROM_DATABASE=Televés, S.A.
 
@ -384,7 +384,7 @@
 acpi:TEZ*:
  ID_VENDOR_FROM_DATABASE=Tech Source Inc.
 
-@@ -7168,9 +7245,6 @@
+@@ -7174,9 +7251,6 @@
 acpi:TNC*:
  ID_VENDOR_FROM_DATABASE=TNC Industrial Company Ltd
 
@ -394,7 +394,7 @@
 acpi:TNM*:
  ID_VENDOR_FROM_DATABASE=TECNIMAGEN SA
 
-@@ -7483,14 +7557,14 @@
+@@ -7489,14 +7563,14 @@
 acpi:UNC*:
  ID_VENDOR_FROM_DATABASE=Unisys Corporation
 
@ -415,7 +415,7 @@
 
 acpi:UNI*:
  ID_VENDOR_FROM_DATABASE=Uniform Industry Corp.
-@@ -7525,6 +7599,9 @@
+@@ -7531,6 +7605,9 @@
 acpi:USA*:
  ID_VENDOR_FROM_DATABASE=Utimaco Safeware AG
 
@ -425,7 +425,7 @@
 acpi:USD*:
  ID_VENDOR_FROM_DATABASE=U.S. Digital Corporation
 
-@@ -7786,9 +7863,6 @@
+@@ -7792,9 +7869,6 @@
 acpi:WAL*:
  ID_VENDOR_FROM_DATABASE=Wave Access
 
@ -435,7 +435,7 @@
 acpi:WAV*:
  ID_VENDOR_FROM_DATABASE=Wavephore
 
-@@ -7916,7 +7990,7 @@
+@@ -7922,7 +7996,7 @@
  ID_VENDOR_FROM_DATABASE=WyreStorm Technologies LLC
 
 acpi:WYS*:
@ -444,7 +444,7 @@
 
 acpi:WYT*:
  ID_VENDOR_FROM_DATABASE=Wooyoung Image & Information Co.,Ltd.
-@@ -7930,9 +8004,6 @@
+@@ -7936,9 +8010,6 @@
 acpi:XDM*:
  ID_VENDOR_FROM_DATABASE=XDM Ltd.
 
@ -454,7 +454,7 @@
 acpi:XES*:
  ID_VENDOR_FROM_DATABASE=Extreme Engineering Solutions, Inc.
 
-@@ -7966,9 +8037,6 @@
+@@ -7972,9 +8043,6 @@
 acpi:XNT*:
  ID_VENDOR_FROM_DATABASE=XN Technologies, Inc.
 
@ -464,7 +464,7 @@
 acpi:XQU*:
  ID_VENDOR_FROM_DATABASE=SHANGHAI SVA-DAV ELECTRONICS CO., LTD
 
-@@ -8035,6 +8103,9 @@
+@@ -8041,6 +8109,9 @@
 acpi:ZBX*:
  ID_VENDOR_FROM_DATABASE=Zebax Technologies
 
--- a/hwdb.d/20-pci-vendor-model.hwdb
+++ b/hwdb.d/20-pci-vendor-model.hwdb
--- a/hwdb.d/60-autosuspend-fingerprint-reader.hwdb
+++ b/hwdb.d/60-autosuspend-fingerprint-reader.hwdb
@ -169,7 +169,9 @@ usb:v04F3p0C99*
 usb:v04F3p0C9D*
 usb:v04F3p0C9F*
 usb:v04F3p0CA3*
+usb:v04F3p0CA7*
 usb:v04F3p0CA8*
+usb:v04F3p0CB0*
 ID_AUTOSUSPEND=1
 ID_PERSIST=0

@ -258,6 +260,7 @@ usb:v06CBp00C2*
 usb:v06CBp00C4*
 usb:v06CBp00C6*
 usb:v06CBp00DF*
+usb:v06CBp00E9*
 usb:v06CBp00F0*
 usb:v06CBp00F9*
 usb:v06CBp00FC*
@ -385,10 +388,12 @@ usb:v06CBp0088*
 usb:v06CBp008A*
 usb:v06CBp009A*
 usb:v06CBp009B*
+usb:v06CBp00A1*
 usb:v06CBp00A2*
 usb:v06CBp00A8*
 usb:v06CBp00B7*
 usb:v06CBp00BB*
+usb:v06CBp00BC*
 usb:v06CBp00BE*
 usb:v06CBp00CB*
 usb:v06CBp00C9*
@ -397,7 +402,6 @@ usb:v06CBp00DA*
 usb:v06CBp00DC*
 usb:v06CBp00E4*
 usb:v06CBp00E7*
-usb:v06CBp00E9*
 usb:v06CBp00FD*
 usb:v06CBp00FF*
 usb:v0A5Cp5801*
@ -418,9 +422,11 @@ usb:v0A5Cp5867*
 usb:v0BDAp5812*
 usb:v10A5p0007*
 usb:v10A5p9200*
+usb:v10A5p9201*
 usb:v10A5p9800*
 usb:v10A5pA120*
 usb:v10A5pA900*
+usb:v10A5pA921*
 usb:v10A5pE340*
 usb:v1188p9545*
 usb:v138Ap0007*
@ -474,12 +480,14 @@ usb:v27C6p5E0A*
 usb:v27C6p581A*
 usb:v27C6p589A*
 usb:v27C6p5F10*
+usb:v27C6p5F91*
 usb:v27C6p6382*
 usb:v2808p9338*
 usb:v2808p9348*
 usb:v2808p93A9*
 usb:v2808pA658*
 usb:v2808pC652*
+usb:v2808pA553*
 usb:v298Dp2020*
 usb:v298Dp2033*
 usb:v2DF0p0003*
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
--- a/hwdb.d/70-analyzers.hwdb
+++ b/hwdb.d/70-analyzers.hwdb
@ -94,6 +94,13 @@ usb:v1679p3001*
 usb:v1679p6003*
 ID_SIGNAL_ANALYZER=1

+###########################################################
+# Vernier
+###########################################################
+# Go Direct sensors
+usb:v08F7p0010*
+ ID_SIGNAL_ANALYZER=1
+
 ###########################################################
 # XGecu
 ###########################################################
--- a/hwdb.d/acpi_id_registry.csv
+++ b/hwdb.d/acpi_id_registry.csv
@ -144,3 +144,5 @@ IDEMIA,IDEM,06/26/2018
 "Picoheart (SG) Pte. Ltd.",PICO,10/30/2025
 "Kontron France",KOMF,12/09/2025
 "Ubiquiti Inc.",UBTI,12/10/2025
+"KAYA N CO., LTD.",KAYA,01/06/2026
+Mesiontech,MITH,01/30/2026
--- a/hwdb.d/ma-large.txt
+++ b/hwdb.d/ma-large.txt
--- a/hwdb.d/ma-medium.txt
+++ b/hwdb.d/ma-medium.txt
--- a/hwdb.d/ma-small.txt
+++ b/hwdb.d/ma-small.txt
@ -8141,6 +8141,72 @@ C9D000-C9DFFF     (base 16)		Creating Cloud Technology Co.,Ltd.,CT-CLOUD
 				ALCOBENDAS  MADRID  28108
 				ES

+8C-1F-64   (hex)		Network Rail
+18A000-18AFFF     (base 16)		Network Rail
+				The Quadrant, Elder Gate
+				Milton Keynes  Buckinghamshire  MK9 1EN
+				GB
+
+8C-1F-64   (hex)		BORMANN EDV und Zubehoer
+8F7000-8F7FFF     (base 16)		BORMANN EDV und Zubehoer
+				Lohwaldstr. 53
+				Neusaess  Bayern  85356
+				DE
+
+8C-1F-64   (hex)		inmediQ GmbH
+6C4000-6C4FFF     (base 16)		inmediQ GmbH
+				Gebrüder-Freitag-Str. 1
+				Butzbach  Hessen  35510
+				DE
+
+8C-1F-64   (hex)		Potter Electric Signal Co. LLC
+684000-684FFF     (base 16)		Potter Electric Signal Co. LLC
+				1609 Park 370 Place
+				Hazelwood  MO  63042
+				US
+
+8C-1F-64   (hex)		CMC Applied Technology institute
+5F2000-5F2FFF     (base 16)		CMC Applied Technology institute
+				CMC Tower, Duy Tan street, Cau Giay Ward, Hanoi Vietnam
+				Hanoi    151831
+				VN
+
+8C-1F-64   (hex)		PAL Inc.
+60C000-60CFFF     (base 16)		PAL Inc.
+				2217-2 Hayashicho
+				Takamatsu  Kagawa  7610301
+				JP
+
+8C-1F-64   (hex)		Watthour Engineering Co., Inc.
+B0E000-B0EFFF     (base 16)		Watthour Engineering Co., Inc.
+				333 Crosspark Dr
+				Pearl  MS  39208
+				US
+
+8C-1F-64   (hex)		LaserLinc, Inc.
+04D000-04DFFF     (base 16)		LaserLinc, Inc.
+				777 Zapata Drive
+				Fairborn  OH  45324
+				US
+
+8C-1F-64   (hex)		Xi'an Singularity Energy Co., Ltd.
+2AA000-2AAFFF     (base 16)		Xi'an Singularity Energy Co., Ltd.
+				Tianhong Park, No. 25 Biyuan 1st Road Chang'an District
+				Chang'an District  Xi'an  710100
+				CN
+
+8C-1F-64   (hex)		Suzhou Nihone Electronic Technology Co.,Ltd.
+01C000-01CFFF     (base 16)		Suzhou Nihone Electronic Technology Co.,Ltd.
+				No. 185 Xiaoxiang Road, Huqiu District, Suzhou City 
+				Suzhou City   Jiangsu  215000
+				CN
+
+8C-1F-64   (hex)		Meisol Co., Ltd.
+827000-827FFF     (base 16)		Meisol Co., Ltd.
+				Yamato Jisho Building 1006, 74-1 Yamashitacho, Naka-ku
+				Yokohama  Kanagawa Prefecture  2310023
+				JP
+
 8C-1F-64   (hex)		Jacobs Technology, Inc.
 A98000-A98FFF     (base 16)		Jacobs Technology, Inc.
 				7765 Old Telegraph Road
@ -16379,6 +16445,90 @@ F1E000-F1EFFF     (base 16)		Engage Technologies
 				Brooklyn Park  MN  55428
 				US

+8C-1F-64   (hex)		Wherible GPS, Inc.
+76B000-76BFFF     (base 16)		Wherible GPS, Inc.
+				1149 Canton Street, Roswell, GA, 30075
+				Roswell  GA  30075
+				US
+
+8C-1F-64   (hex)		INTERNATIONAL SECURITY SYSTEMS W.L.L.
+AD6000-AD6FFF     (base 16)		INTERNATIONAL SECURITY SYSTEMS W.L.L.
+				Office 4, First Floor, ABC 3,Abu Hamour, Doha
+				Doha    97400
+				QA
+
+8C-1F-64   (hex)		SDELcc
+13B000-13BFFF     (base 16)		SDELcc
+				AEROPOLE D2A
+				St Aignan de Grand Lieu    44860
+				FR
+
+8C-1F-64   (hex)		Sealink Technology B.V
+2F7000-2F7FFF     (base 16)		Sealink Technology B.V
+				Dalweg 3B
+				Rotterdam    3233 KK
+				NL
+
+8C-1F-64   (hex)		Ocarina
+6A1000-6A1FFF     (base 16)		Ocarina
+				29 Skelwith Road
+				London    W6 9EX
+				GB
+
+8C-1F-64   (hex)		SungjinDSP Co., LTD
+0BA000-0BAFFF     (base 16)		SungjinDSP Co., LTD
+				810, 25 Gasan Digital 1-ro, Geumcheon-gu, Seoul (Gasan-dong, Daeryung Techno Town 17th)
+				Geumcheon-gu  Seoul  08594
+				KR
+
+8C-1F-64   (hex)		CyberCube ApS
+65C000-65CFFF     (base 16)		CyberCube ApS
+				Munkehatten 1C
+				Odense    5220
+				DK
+
+8C-1F-64   (hex)		Federant LLC
+972000-972FFF     (base 16)		Federant LLC
+				3022 Watercrest Dr
+				Charlottesville  VA  22911
+				US
+
+8C-1F-64   (hex)		YUYAMA MFG Co.,Ltd
+EAF000-EAFFFF     (base 16)		YUYAMA MFG Co.,Ltd
+				1-4-30
+				MEISHINGUCHI,TOYONAKA  OSAKA  561-0841
+				JP
+
+8C-1F-64   (hex)		MB connect line GmbH
+075000-075FFF     (base 16)		MB connect line GmbH
+				Winnettener Strasse 6
+				Dinkelsbuehl  Bavaria  91550
+				DE
+
+8C-1F-64   (hex)		Bright Solutions PTE LTD
+6C3000-6C3FFF     (base 16)		Bright Solutions PTE LTD
+				51 Goldhill Plaza #07-10/11
+				Singapore    308900
+				SG
+
+8C-1F-64   (hex)		Sensus
+052000-052FFF     (base 16)		Sensus
+				Industriestr. 16
+				Ludwigshafen    67063
+				DE
+
+8C-1F-64   (hex)		AvanTimes
+030000-030FFF     (base 16)		AvanTimes
+				Kuipersweg 2
+				Woerden  Zuid-Holland  3449 JA
+				NL
+
+8C-1F-64   (hex)		Telica
+FBB000-FBBFFF     (base 16)		Telica
+				Tower A-411, 40 Imi-ro
+				Uiwang-si  Gyeonggi-do  16006
+				KR
+
 8C-1F-64   (hex)		Vision Systems Safety Tech
 E6F000-E6FFFF     (base 16)		Vision Systems Safety Tech
 				5 Chemin de Chiradie
@ -18545,12 +18695,6 @@ D19000-D19FFF     (base 16)		Senior Group LLC
 				Cincinnati  OH  45246
 				US

-70-B3-D5   (hex)		ICTK Holdings
-5C9000-5C9FFF     (base 16)		ICTK Holdings
-				3F Ventureforum B'd, Pangyodae-ro
-				Seung-nam Si  Gyeonggi-Do  13488
-				KR
-
 70-B3-D5   (hex)		LARIMART SPA
 536000-536FFF     (base 16)		LARIMART SPA
 				VIA DI TORREVECCHIA
@ -24623,6 +24767,96 @@ D22000-D22FFF     (base 16)		Nine Fives LLC
 				Hueffenhardt    74928
 				DE

+8C-1F-64   (hex)		Luxshare Electronic Technology (KunShan) Ltd
+528000-528FFF     (base 16)		Luxshare Electronic Technology (KunShan) Ltd
+				No. 699 Jinshang Road, Jinxi Town, Kunshan City, Jiangsu Province
+				Kunshan   Jiangsu  215300
+				CN
+
+8C-1F-64   (hex)		Luceor
+C84000-C84FFF     (base 16)		Luceor
+				3 Rue Michael Faraday
+				Montigny-le-Bretonneux    78180
+				FR
+
+8C-1F-64   (hex)		Currux Vision LLC
+66B000-66BFFF     (base 16)		Currux Vision LLC
+				520 Post Oak Boulevard, Suite 260
+				Houston  TX  77027
+				US
+
+8C-1F-64   (hex)		SHODEN Co., Ltd.
+259000-259FFF     (base 16)		SHODEN Co., Ltd.
+				365, Sannocho
+				Inage-ku Chiba  Chiba  2630002
+				JP
+
+8C-1F-64   (hex)		Power Electronics Espana, S.L.
+773000-773FFF     (base 16)		Power Electronics Espana, S.L.
+				C/ Leonardo Da Vinci, 24-26 
+				Paterna  Valencia  46980
+				ES
+
+8C-1F-64   (hex)		Vision Systems Safety Tech
+AD9000-AD9FFF     (base 16)		Vision Systems Safety Tech
+				5 Chemin de Chiradie
+				Brignais    69530
+				FR
+
+8C-1F-64   (hex)		Wesync
+190000-190FFF     (base 16)		Wesync
+				506Ho, Pyeongchondigitalempire, 16, Heungan-daero 427beon-gil, Dongan-gu
+				Anyang-si  Gyeonggi-do  14059
+				KR
+
+8C-1F-64   (hex)		ChamSys 
+143000-143FFF     (base 16)		ChamSys 
+				Unit 5Adanac Park
+				southampton  Hampshire   SO16 0BT
+				GB
+
+8C-1F-64   (hex)		LyconSys GmbH & Co.KG
+134000-134FFF     (base 16)		LyconSys GmbH & Co.KG
+				Hildegardstr. 12A
+				Bad Nauheim    61231
+				DE
+
+8C-1F-64   (hex)		Photon Counting Systems LLC
+036000-036FFF     (base 16)		Photon Counting Systems LLC
+				950 Danby Road
+				Ithaca  NY  14850
+				US
+
+70-B3-D5   (hex)		ICTK Co., Ltd.
+5C9000-5C9FFF     (base 16)		ICTK Co., Ltd.
+				3F Ventureforum B'd, Pangyodae-ro
+				Seung-nam Si  Gyeonggi-Do  13488
+				KR
+
+8C-1F-64   (hex)		PASO SPA
+CF8000-CF8FFF     (base 16)		PASO SPA
+				Via Settembrini 34
+				Lainate  Italy  20045
+				IT
+
+8C-1F-64   (hex)		ASI
+B53000-B53FFF     (base 16)		ASI
+				1001 Av. de la République
+				Marcq-en-Baroeul    59700
+				FR
+
+8C-1F-64   (hex)		Potter Electric Signal Co. LLC
+75D000-75DFFF     (base 16)		Potter Electric Signal Co. LLC
+				1609 Park 370 Place
+				Hazelwood  MO  63042
+				US
+
+8C-1F-64   (hex)		Hitachi Energy Australia Pty. Ltd.
+505000-505FFF     (base 16)		Hitachi Energy Australia Pty. Ltd.
+				88 Beresford Road
+				Lilydale     3140 
+				AU
+
 8C-1F-64   (hex)		Flow Power
 82B000-82BFFF     (base 16)		Flow Power
 				Suite 2, Level 3, 18 - 20 York St
@ -32756,6 +32990,96 @@ A09000-A09FFF     (base 16)		Raycon
 				New York  NY  10010
 				US

+8C-1F-64   (hex)		Zhuhai Lonl electric Co., Ltd.
+E9D000-E9DFFF     (base 16)		Zhuhai Lonl electric Co., Ltd.
+				2nd floor, building B3, nanfang software park, xiangzhou district
+				zhuhai  Guangdong  519000
+				CN
+
+8C-1F-64   (hex)		Shenzhen Konvison Technology Co.,Ltd.
+7FE000-7FEFFF     (base 16)		Shenzhen Konvison Technology Co.,Ltd.
+				5th Floor, Building No. 1,  Honghui Industrial Zone, Liuxian 3rd Road, Bao'an District
+				Shenzhen  Guangdong  518000
+				CN
+
+8C-1F-64   (hex)		1Finity Inc.
+EB4000-EB4FFF     (base 16)		1Finity Inc.
+				4-1-1 Kamikodanaka, Nakahara-ku
+				Kawasaki-shi  Kanagawa  211-8588
+				JP
+
+8C-1F-64   (hex)		Mesa Labs, Inc.
+BD0000-BD0FFF     (base 16)		Mesa Labs, Inc.
+				12100 West 6th Ave.
+				Lakewood  CO  80228
+				US
+
+8C-1F-64   (hex)		Anhui Wenxiang Technology Co.,Ltd.
+3CB000-3CBFFF     (base 16)		Anhui Wenxiang Technology Co.,Ltd.
+				 The intersection of Fengming Avenue and Hanjiang Road, Jiangnan Emerging Industry Concentration Zone
+				Chizhou  Anhui  247100
+				CN
+
+8C-1F-64   (hex)		Starview Asia Company
+83B000-83BFFF     (base 16)		Starview Asia Company
+				Level 40, 140 Williams Street
+				Melbourne  Victoria  3000
+				AU
+
+8C-1F-64   (hex)		INTERNET PROTOCOLO LOGICA SL
+06E000-06EFFF     (base 16)		INTERNET PROTOCOLO LOGICA SL
+				Avenida Somosierra 12. Portal A. Planta 1ª. Letra I
+				San Sebastián de los Reyes  Madrid  28703
+				ES
+
+8C-1F-64   (hex)		Eltvor Instruments
+B58000-B58FFF     (base 16)		Eltvor Instruments
+				Sobeslavska 878/10
+				Tabor    39002
+				CZ
+
+8C-1F-64   (hex)		Rudolf Riester GmbH
+27A000-27AFFF     (base 16)		Rudolf Riester GmbH
+				P.O. Box 35 Bruckstrasse 31
+				Jungingen    72417
+				DE
+
+8C-1F-64   (hex)		EA Elektro-Automatik GmbH
+531000-531FFF     (base 16)		EA Elektro-Automatik GmbH
+				Helmholtzstraße 31-37
+				Viersen  Nordrhein-Westfalen  41747
+				DE
+
+8C-1F-64   (hex)		Computer Express LLC
+93B000-93BFFF     (base 16)		Computer Express LLC
+				365 New Britain Road
+				Berlin  CT  06037
+				US
+
+8C-1F-64   (hex)		QM Technologies aps
+8ED000-8EDFFF     (base 16)		QM Technologies aps
+				Lautrupvang 2
+				Ballerup    2750
+				DK
+
+8C-1F-64   (hex)		TAIT Global LLC
+A78000-A78FFF     (base 16)		TAIT Global LLC
+				401 W Lincoln Ave
+				Lititz  PA  17543
+				US
+
+8C-1F-64   (hex)		OES Inc.
+578000-578FFF     (base 16)		OES Inc.
+				4056 Blakie Road
+				London  ON  N6L1P7
+				CA
+
+8C-1F-64   (hex)		netmon
+434000-434FFF     (base 16)		netmon
+				B-1023 TERA Tower#1, 167 SONGPA-DAERO, SONGPA-GU
+				Seoul    05855 
+				KR
+
 8C-1F-64   (hex)		Mobileye
 D63000-D63FFF     (base 16)		Mobileye
 				13 Hartom st.
@ -40810,3 +41134,90 @@ C26000-C26FFF     (base 16)		IRONWOOD ELECTRONICS
 				 1335 Eagandale Court
 				Eagan  MN  55121
 				US
+
+8C-1F-64   (hex)		First Design System Inc.
+A72000-A72FFF     (base 16)		First Design System Inc.
+				Tachibana Shinjuku Bldg. 3F, 3-2-26 Nishi-Shinjuku
+				Tokyo  Shinjuku-ku  160-0023
+				JP
+
+8C-1F-64   (hex)		Innovative Signal Analysis
+1BA000-1BAFFF     (base 16)		Innovative Signal Analysis
+				3301 E Renner Rd, Ste 200
+				Richardson  TX  75082
+				US
+
+8C-1F-64   (hex)		INVIXIUM ACCESS INC
+64F000-64FFFF     (base 16)		INVIXIUM ACCESS INC
+				111 Gordon Baker Road, Suite #300
+				Toronto  Ontario  M2H 3R1
+				CA
+
+8C-1F-64   (hex)		AEviso Video Solution Co., Ltd.
+1E4000-1E4FFF     (base 16)		AEviso Video Solution Co., Ltd.
+				15 F.-6, No. 716, Zhongzheng Rd., Zhonghe Dist., 
+				New Taipei City   n.a  235603
+				TW
+
+8C-1F-64   (hex)		Smart Dynamics SIA
+576000-576FFF     (base 16)		Smart Dynamics SIA
+				Ūdeles
+				Amatciems  Cēsu novads  LV-4101
+				LV
+
+8C-1F-64   (hex)		Expromo Europe A/S
+C39000-C39FFF     (base 16)		Expromo Europe A/S
+				Langdyssen 3
+				Aarhus N    8200
+				DK
+
+8C-1F-64   (hex)		NEBERO SYSTEMS PRIVATE LIMTED
+71C000-71CFFF     (base 16)		NEBERO SYSTEMS PRIVATE LIMTED
+				Plot 691, Sector 82, Industrial Area, SAS Nagar
+				Mohali  Punjab  140308
+				IN
+
+8C-1F-64   (hex)		Terratel Technology s.r.o.
+E6B000-E6BFFF     (base 16)		Terratel Technology s.r.o.
+				Dukelska 2192
+				Benesov  CZ  25601
+				CZ
+
+8C-1F-64   (hex)		SMITEC S.p.A.
+E82000-E82FFF     (base 16)		SMITEC S.p.A.
+				Via Carlo Ceresa, 10
+				San Giovanni Bianco  Bergamo  24015
+				IT
+
+8C-1F-64   (hex)		I2V Systems Pvt. Ltd. 
+1E0000-1E0FFF     (base 16)		I2V Systems Pvt. Ltd. 
+				CP-07, Sector 8, IMT Manesar
+				Gurugram    122050
+				IN
+
+8C-1F-64   (hex)		Dsan Corporation
+09C000-09CFFF     (base 16)		Dsan Corporation
+				142 Mineola Avenue
+				Roslyn Heights  NY  11577
+				US
+
+8C-1F-64   (hex)		SECUREAAi
+7FD000-7FDFFF     (base 16)		SECUREAAi
+				Tonge Street, Heywood, England,OL10 4HU,United Kingdom
+				England    OL10 4HU
+				GB
+
+8C-1F-64   (hex)		Mootek Technologies Private Limited
+CEA000-CEAFFF     (base 16)		Mootek Technologies Private Limited
+				No.20, First Floor, East Jones Road,SaidapetChennai
+				Chennai  Tamilnadu  600015
+				IN
+
+8C-1F-64   (hex)		Talius Services Pty Ltd
+5D2000-5D2FFF     (base 16)		Talius Services Pty Ltd
+				Unit 1,  212 Curtin Ave West, EAGLE FARM 
+				Brisbane  QLD  4009
+				AU
+
+8C-1F-64   (hex)		Private
+B94000-B94FFF     (base 16)		Private
--- a/hwdb.d/pci.ids
+++ b/hwdb.d/pci.ids
--- a/man/bootctl.xml
+++ b/man/bootctl.xml
@ -132,13 +132,17 @@

    <variablelist>
      <varlistentry>
+        <term><option>set-preferred</option> <replaceable>ID</replaceable></term>
        <term><option>set-default</option> <replaceable>ID</replaceable></term>
        <term><option>set-oneshot</option> <replaceable>ID</replaceable></term>
        <term><option>set-sysfail</option> <replaceable>ID</replaceable></term>

        <listitem><para>Sets the default boot loader entry. Takes a single boot loader entry ID string or a glob
        pattern as argument. The <option>set-oneshot</option> command will set the default entry only for the next boot,
-        the <option>set-default</option> will set it persistently for all future boots. The <option>set-sysfail</option> command
+        <option>set-default</option> will set it persistently for all future boots,
+        <option>set-preferred</option> is like <option>set-default</option>,
+        but is aware of boot assessment and will skip boot entries that have their tries-left counter set to zero.
+        The <option>set-sysfail</option> command
        will set the boot loader entry to be used in case of a system failure. System failure (SysFail) boot entries can
        optionally modify the automatic selection order in the event of a failure, such as a boot firmware update failure with
        the failure status recorded in the EFI system table.</para>
--- a/man/org.freedesktop.login1.xml
+++ b/man/org.freedesktop.login1.xml
@ -1246,7 +1246,7 @@ node /org/freedesktop/login1/session/1 {
      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
      readonly s RemoteUser = '...';
      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
-      readonly b ExtraDeviceAccess = ...;
+      readonly as ExtraDeviceAccess = ['...', ...];
      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
      readonly s Service = '...';
      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@ -1541,9 +1541,9 @@ node /org/freedesktop/login1/session/1 {
      <para><varname>RemoteHost</varname> and <varname>RemoteUser</varname> encode the remote host and user
      if this is a remote session, or an empty string otherwise.</para>

-      <para><varname>ExtraDeviceAccess</varname> encodes whether the session is granted access to additional
-      hardware devices, typically useful for for graphical, remote session. If true, the session is granted
-      access to all devices tagged with <literal>xaccess</literal> in udev.</para>
+      <para><varname>ExtraDeviceAccess</varname> encodes the set of additional hardware devices that the session
+      is granted access to. For every <literal><replaceable>ID</replaceable></literal> in the list, the session
+      is granted access to all devices tagged with <literal>xaccess-<replaceable>ID</replaceable></literal> in udev.</para>

      <para><varname>Service</varname> encodes the PAM service name that registered the session.</para>

--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@ -408,10 +408,9 @@
      <varlistentry>
        <term><varname>$XDG_SESSION_EXTRA_DEVICE_ACCESS</varname></term>

-        <listitem><para>Whether or not the session shall be granted additional hardware device access,
-        typically useful for graphical, remote session. If true, the session is granted access to all
-        devices tagged with <literal>xaccess</literal> in udev. Typically, rendering device nodes of
-        the GPU are tagged like this.</para>
+        <listitem><para>The set of additional hardware devices that the session shall be granted access to.
+        For every <literal><replaceable>ID</replaceable></literal> in the list, the session is granted
+        access to all devices tagged with <literal>xaccess-<replaceable>ID</replaceable></literal> in udev.</para>

        <xi:include href="version-info.xml" xpointer="v260"/></listitem>
      </varlistentry>
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@ -926,6 +926,7 @@ manpages = [
   'sd_session_get_uid',
   'sd_session_get_username',
   'sd_session_get_vt',
+   'sd_session_get_extra_device_access',
   'sd_session_is_remote'],
  'HAVE_PAM'],
 ['sd_uid_get_state',
--- a/man/sd-login.xml
+++ b/man/sd-login.xml
@ -191,12 +191,13 @@
      </varlistentry>

      <varlistentry>
-        <term>Tag <literal>xaccess</literal></term>
+        <term>Tag <literal>xaccess-*</literal></term>

-        <listitem><para>When set, access to this device is granted to sessions
-        created with <literal>ExtraDeviceAccess</literal>. This is typically useful
-        for graphical, remote sessions. As the <literal>ExtraDeviceAccess</literal>
-        sessions open and close, access to the device is updated accordingly.</para>
+        <listitem><para>When <literal>xaccess-<replaceable>ID</replaceable></literal>
+        is set, access to this device is granted to sessions created with
+        <literal><replaceable>ID</replaceable></literal> listed in <literal>ExtraDeviceAccess</literal>.
+        As the sessions with some <literal>ExtraDeviceAccess</literal> open and close,
+        access to the device is updated accordingly.</para>

        <xi:include href="version-info.xml" xpointer="v260"/></listitem>
      </varlistentry>
--- a/man/sd_event_add_memory_pressure.xml
+++ b/man/sd_event_add_memory_pressure.xml
@ -138,7 +138,7 @@

    <para>This event source typically fires on memory pressure stalls, i.e. when operational latency above a
    configured threshold already has been seen. This should be taken into consideration when discussing
-    whether later latency to re-aquire any released resources is acceptable: it is usually more important to
+    whether later latency to re-acquire any released resources is acceptable: it is usually more important to
    think of the latencies that already happened than those coming up in future.</para>

    <para>The <function>sd_event_source_set_memory_pressure_type()</function> and
--- a/man/sd_session_is_active.xml
+++ b/man/sd_session_is_active.xml
@ -34,7 +34,7 @@
    <refname>sd_session_get_remote_host</refname>
    <refname>sd_session_get_remote_user</refname>
    <refname>sd_session_get_leader</refname>
-    <refname>sd_session_has_extra_device_access</refname>
+    <refname>sd_session_get_extra_device_access</refname>
    <refpurpose>Determine state of a specific session</refpurpose>
  </refnamediv>

@ -143,8 +143,9 @@
      </funcprototype>

      <funcprototype>
-        <funcdef>int <function>sd_session_has_extra_device_access</function></funcdef>
+        <funcdef>int <function>sd_session_get_extra_device_access</function></funcdef>
        <paramdef>const char *<parameter>session</parameter></paramdef>
+        <paramdef>char ***<parameter>ret_ids</parameter></paramdef>
      </funcprototype>
    </funcsynopsis>
  </refsynopsisdiv>
@ -280,11 +281,11 @@
    session identifier. This function will return an error if the seat
    does not support VTs.</para>

-    <para><function>sd_session_has_extra_device_access()</function> may
-    be used to determine whether the session is granted access to
-    additional hardware devices, typically useful for for graphical,
-    remote session. If true, the session is granted access to all
-    devices tagged with <literal>xaccess</literal> in udev.</para>
+    <para><function>sd_session_get_extra_device_access()</function> may
+    be used to determine which additional hardware devices the session
+    is granted access to. For every <literal><replaceable>ID</replaceable></literal>
+    in the list, the session is granted access to all devices tagged with
+    <literal>xaccess-<replaceable>ID</replaceable></literal> in udev.</para>

    <para>If the <varname>session</varname> parameter of any of these
    functions is passed as <constant>NULL</constant>, the operation is
@ -296,9 +297,8 @@
    <title>Return Value</title>

    <para>If the test succeeds,
-    <function>sd_session_is_active()</function>,
-    <function>sd_session_is_remote()</function>, and
-    <function>sd_session_has_extra_device_access()</function>
+    <function>sd_session_is_active()</function> and
+    <function>sd_session_is_remote()</function>
    return a positive integer; if it fails, 0.  On success,
    <function>sd_session_get_state()</function>,
    <function>sd_session_get_uid()</function>,
@ -310,9 +310,10 @@
    <function>sd_session_get_display()</function>,
    <function>sd_session_get_leader()</function>,
    <function>sd_session_get_remote_user()</function>,
-    <function>sd_session_get_remote_host()</function> and
-    <function>sd_session_get_tty()</function> return 0 or
-    a positive integer. On failure, these calls return a
+    <function>sd_session_get_remote_host()</function>,
+    <function>sd_session_get_tty()</function>, and
+    <function>sd_session_get_extra_device_access()</function>
+    return 0 or a positive integer. On failure, these calls return a
    negative errno-style error code.</para>

    <refsect2>
@ -366,7 +367,7 @@
    <para><function>sd_session_get_username()</function>,
    <function>sd_session_get_start_time()</function>, and
    <function>sd_session_get_leader()</function> were added in version 254.</para>
-    <para><function>sd_session_has_extra_device_access()</function> was added in version 260.</para>
+    <para><function>sd_session_get_extra_device_access()</function> was added in version 260.</para>
  </refsect1>

  <refsect1>
--- a/man/systemd-boot.xml
+++ b/man/systemd-boot.xml
@ -147,11 +147,20 @@

      <varlistentry>
        <term><keycap>d</keycap></term>
-        <listitem><para>Make selected entry the default</para>
+        <listitem><para>Make selected entry the preferred boot entry</para>

        <para>An EFI variable is set to allow this setting to persist.</para>

-        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
+        <xi:include href="version-info.xml" xpointer="v260"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><keycap>D</keycap></term>
+        <listitem><para>Make selected entry the default boot entry</para>
+
+        <para>An EFI variable is set to allow this setting to persist.</para>
+
+        <xi:include href="version-info.xml" xpointer="v260"/></listitem>
      </varlistentry>

      <varlistentry>
@ -472,6 +481,7 @@
      </varlistentry>

      <varlistentry>
+        <term><varname>LoaderEntryPreferred</varname></term>
        <term><varname>LoaderEntryDefault</varname></term>
        <term><varname>LoaderEntrySysFail</varname></term>
        <term><varname>LoaderEntryOneShot</varname></term>
@ -479,6 +489,8 @@
        <listitem><para>The identifier of the default boot loader entry. Can be set in the OS and the boot
        loader. <varname>LoaderEntryOneShot</varname> sets the default entry for the next boot only, while
        <varname>LoaderEntryDefault</varname> sets it persistently for all future boots.
+        <varname>LoaderEntryPreferred</varname> is like <varname>LoaderEntryDefault</varname> but additionally
+        takes into account boot assessment and skips boot entries with a tries-left counter equal to zero.
        <citerefentry><refentrytitle>bootctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
        <option>set-default</option> and <option>set-oneshot</option> commands make use of these variables.
        The boot loader modifies <varname>LoaderEntryDefault</varname> on request, when the
--- a/man/systemd-report.xml
+++ b/man/systemd-report.xml
@ -30,6 +30,9 @@
  <refsect1>
    <title>Description</title>

+    <para><emphasis>Note: this command is experimental for now. While it is likely to become a regular
+    component of systemd, it might still change in behaviour and interface.</emphasis></para>
+
    <para><command>systemd-report</command> requests facts and metrics from the system and writes them to
    standard output.</para>
  </refsect1>
--- a/rules.d/70-uaccess.rules.in
+++ b/rules.d/70-uaccess.rules.in
@ -46,7 +46,7 @@ SUBSYSTEM=="firewire", TEST=="units", ENV{IEEE1394_UNIT_FUNCTION_VIDEO}=="1", TA
 SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
 {% if GROUP_RENDER_UACCESS %}
 # DRI render nodes
-SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess", TAG+="xaccess"
+SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess", TAG+="xaccess-render"
 {% endif %}
 {% if DEV_KVM_UACCESS %}
 # KVM
--- a/src/basic/memstream-util.c
+++ b/src/basic/memstream-util.c
@ -69,7 +69,7 @@ int memstream_dump_internal(

        r = memstream_finalize(m, &buf, NULL);
        if (r < 0)
-                return log_full_errno(level, r, "Failed to flush memstream: %m: %m");
+                return log_full_errno(level, r, "Failed to flush memstream: %m");

        return log_dump_internal(level, error, file, line, func, buf);
 }
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@ -68,6 +68,11 @@ static int pidref_namespace_open_by_type_internal(const PidRef *pidref, Namespac

        if (pidref->fd >= 0) {
                r = pidfd_get_namespace(pidref->fd, namespace_info[type].pidfd_get_ns_ioctl_cmd);
+                if (r == -ENOPKG)
+                        return log_debug_errno(
+                                        r,
+                                        "Cannot open %s namespace for PID "PID_FMT" as the namespace type is not supported by the kernel",
+                                        namespace_info[type].proc_name, pidref->pid);
                if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
                        return r;
        }
@ -83,10 +88,17 @@ static int pidref_namespace_open_by_type_internal(const PidRef *pidref, Namespac
        if (nsfd == -ENOENT) {
                r = proc_mounted();
                if (r == 0)
-                        return -ENOSYS;  /* /proc/ is not available or not set up properly, we're most likely
-                                            in some chroot environment. */
+                        /* /proc/ is not available or not set up properly, we're most likely in some chroot environment. */
+                        return log_debug_errno(
+                                        SYNTHETIC_ERRNO(ENOSYS),
+                                        "Cannot open %s namespace for PID "PID_FMT" as /proc is not mounted",
+                                        namespace_info[type].proc_name, pidref->pid);
                if (r > 0)
-                        return -ENOPKG;  /* If /proc/ is definitely around then this means the namespace type is not supported */
+                        /* If /proc/ is definitely around then this means the namespace type is not supported */
+                        return log_debug_errno(
+                                        SYNTHETIC_ERRNO(ENOPKG),
+                                        "Cannot open %s namespace for PID "PID_FMT" via /proc as the namespace type is not supported by the kernel",
+                                        namespace_info[type].proc_name, pidref->pid);

                /* can't determine? then propagate original error */
        }
@ -216,33 +228,39 @@ int namespace_open(
        return pidref_namespace_open(&pidref, ret_pidns_fd, ret_mntns_fd, ret_netns_fd, ret_userns_fd, ret_root_fd);
 }

-static int namespace_enter_one_idempotent(int nsfd, NamespaceType type) {
-        int r;
-
-        /* Join a namespace, but only if we're not part of it already. This is important if we don't necessarily
-         * own the namespace in question, as kernel would unconditionally return EPERM otherwise. */
-
-        assert(nsfd >= 0);
-        assert(type >= 0 && type < _NAMESPACE_TYPE_MAX);
-
-        r = is_our_namespace(nsfd, type);
-        if (r < 0)
-                return r;
-        if (r > 0)
-                return 0;
-
-        if (setns(nsfd, namespace_info[type].clone_flag) < 0)
-                return -errno;
-
-        return 1;
-}
-
 int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd) {
        int r;

        /* Block dlopen() now, to avoid us inadvertently loading shared library from another namespace */
        block_dlopen();

+         /* Join namespaces, but only if we're not part of them already. This is important if we don't
+          * necessarily own the namespace in question, as kernel would unconditionally return EPERM otherwise. */
+
+        if (pidns_fd >= 0) {
+                r = is_our_namespace(pidns_fd, NAMESPACE_PID);
+                if (r < 0)
+                        return r;
+                if (r > 0)
+                        pidns_fd = -EBADF;
+        }
+
+        if (mntns_fd >= 0) {
+                r = is_our_namespace(mntns_fd, NAMESPACE_MOUNT);
+                if (r < 0)
+                        return r;
+                if (r > 0)
+                        mntns_fd = -EBADF;
+        }
+
+        if (netns_fd >= 0) {
+                r = is_our_namespace(netns_fd, NAMESPACE_NET);
+                if (r < 0)
+                        return r;
+                if (r > 0)
+                        netns_fd = -EBADF;
+        }
+
        if (userns_fd >= 0) {
                /* Can't setns to your own userns, since then you could escalate from non-root to root in
                 * your own namespace, so check if namespaces are equal before attempting to enter. */
@ -275,23 +293,17 @@ int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int
                        return -errno;
        }

-        if (pidns_fd >= 0) {
-                r = namespace_enter_one_idempotent(pidns_fd, NAMESPACE_PID);
-                if (r < 0)
-                        return r;
-        }
+        if (pidns_fd >= 0)
+                if (setns(pidns_fd, CLONE_NEWPID) < 0)
+                        return -errno;

-        if (mntns_fd >= 0) {
-                r = namespace_enter_one_idempotent(mntns_fd, NAMESPACE_MOUNT);
-                if (r < 0)
-                        return r;
-        }
+        if (mntns_fd >= 0)
+                if (setns(mntns_fd, CLONE_NEWNS) < 0)
+                        return -errno;

-        if (netns_fd >= 0) {
-                r = namespace_enter_one_idempotent(netns_fd, NAMESPACE_NET);
-                if (r < 0)
-                        return r;
-        }
+        if (netns_fd >= 0)
+                if (setns(netns_fd, CLONE_NEWNET) < 0)
+                        return -errno;

        if (userns_fd >= 0 && have_cap_sys_admin)
                if (setns(userns_fd, CLONE_NEWUSER) < 0)
@ -361,6 +373,42 @@ int is_our_namespace(int fd, NamespaceType type) {
        return fd_inode_same(fd, our_ns);
 }

+int are_our_namespaces(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd) {
+        int r;
+
+        if (pidns_fd >= 0) {
+                r = is_our_namespace(pidns_fd, NAMESPACE_PID);
+                if (r <= 0)
+                        return r;
+        }
+
+        if (mntns_fd >= 0) {
+                r = is_our_namespace(mntns_fd, NAMESPACE_MOUNT);
+                if (r <= 0)
+                        return r;
+        }
+
+        if (netns_fd >= 0) {
+                r = is_our_namespace(netns_fd, NAMESPACE_NET);
+                if (r <= 0)
+                        return r;
+        }
+
+        if (userns_fd >= 0) {
+                r = is_our_namespace(userns_fd, NAMESPACE_USER);
+                if (r <= 0)
+                        return r;
+        }
+
+        if (root_fd >= 0) {
+                r = dir_fd_is_root(root_fd);
+                if (r <= 0)
+                        return r;
+        }
+
+        return true;
+}
+
 int namespace_is_init(NamespaceType type) {
        int r;

--- a/src/basic/namespace-util.h
+++ b/src/basic/namespace-util.h
@ -50,6 +50,7 @@ int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int

 int fd_is_namespace(int fd, NamespaceType type);
 int is_our_namespace(int fd, NamespaceType type);
+int are_our_namespaces(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd);

 int namespace_is_init(NamespaceType type);

--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@ -25,13 +25,11 @@
 #include "cgroup-util.h"
 #include "dirent-util.h"
 #include "dlfcn-util.h"
-#include "env-file.h"
 #include "errno-util.h"
 #include "escape.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
-#include "hostname-util.h"
 #include "io-util.h"
 #include "iovec-util.h"
 #include "locale-util.h"
@ -53,6 +51,7 @@
 #include "stdio-util.h"
 #include "string-table.h"
 #include "string-util.h"
+#include "strv.h"
 #include "time-util.h"
 #include "user-util.h"

@ -349,47 +348,6 @@ int pidref_get_cmdline_strv(const PidRef *pid, ProcessCmdlineFlags flags, char *
        return 0;
 }

-int container_get_leader(const char *machine, pid_t *pid) {
-        _cleanup_free_ char *s = NULL, *class = NULL;
-        const char *p;
-        pid_t leader;
-        int r;
-
-        assert(machine);
-        assert(pid);
-
-        if (streq(machine, ".host")) {
-                *pid = 1;
-                return 0;
-        }
-
-        if (!hostname_is_valid(machine, 0))
-                return -EINVAL;
-
-        p = strjoina("/run/systemd/machines/", machine);
-        r = parse_env_file(NULL, p,
-                           "LEADER", &s,
-                           "CLASS", &class);
-        if (r == -ENOENT)
-                return -EHOSTDOWN;
-        if (r < 0)
-                return r;
-        if (!s)
-                return -EIO;
-
-        if (!streq_ptr(class, "container"))
-                return -EIO;
-
-        r = parse_pid(s, &leader);
-        if (r < 0)
-                return r;
-        if (leader <= 1)
-                return -EIO;
-
-        *pid = leader;
-        return 0;
-}
-
 int pid_is_kernel_thread(pid_t pid) {
        int r;

--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@ -54,8 +54,6 @@ int pid_get_start_time(pid_t pid, usec_t *ret);
 int pidref_get_start_time(const PidRef *pid, usec_t *ret);
 int get_process_umask(pid_t pid, mode_t *ret);

-int container_get_leader(const char *machine, pid_t *pid);
-
 static inline bool SIGINFO_CODE_IS_DEAD(int code) {
        return IN_SET(code, CLD_EXITED, CLD_KILLED, CLD_DUMPED);
 }
--- a/src/boot/boot.c
+++ b/src/boot/boot.c
@ -133,7 +133,9 @@ typedef struct {
        uint64_t timeout_sec_config;
        uint64_t timeout_sec_efivar;
        char16_t *entry_default_config;
+        char16_t *entry_preferred_config;
        char16_t *entry_default_efivar;
+        char16_t *entry_preferred_efivar;
        char16_t *entry_oneshot;
        char16_t *entry_saved;
        char16_t *entry_sysfail;
@ -150,6 +152,8 @@ typedef struct {
        bool force_menu;
        bool use_saved_entry;
        bool use_saved_entry_efivar;
+        bool use_saved_entry_preferred;
+        bool use_saved_entry_preferred_efivar;
        bool beep;
        bool sysfail_occurred;
        int64_t console_mode;
@ -328,8 +332,12 @@ static void print_status(Config *config, char16_t *loaded_image_path) {

        if (config->entry_default_config)
                printf("              default (config): %ls\n", config->entry_default_config);
+        if (config->entry_preferred_config)
+                printf("            preferred (config): %ls\n", config->entry_preferred_config);
        if (config->entry_default_efivar)
                printf("             default (EFI var): %ls\n", config->entry_default_efivar);
+        if (config->entry_preferred_efivar)
+                printf("           preferred (EFI var): %ls\n", config->entry_preferred_efivar);
        if (config->entry_oneshot)
                printf("            default (one-shot): %ls\n", config->entry_oneshot);
        if (config->entry_sysfail)
@ -760,7 +768,25 @@ static bool menu_run(
                        action = ACTION_QUIT;
                        break;

+                /* Set/unset the preferred entry */
                case KEYPRESS(0, 0, 'd'):
+                        if (config->idx_default_efivar != idx_highlight) {
+                                free(config->entry_preferred_efivar);
+                                config->entry_preferred_efivar = xstrdup16(config->entries[idx_highlight]->id);
+                                config->idx_default_efivar = idx_highlight;
+                                status = xstrdup16(u"Preferred boot entry selected.");
+                        } else {
+                                config->entry_preferred_efivar = mfree(config->entry_preferred_efivar);
+                                config->idx_default_efivar = IDX_INVALID;
+                                status = xstrdup16(u"Preferred boot entry cleared.");
+                        }
+                        config->entry_default_efivar = mfree(config->entry_default_efivar);
+                        config->use_saved_entry_efivar = false;
+                        config->use_saved_entry_preferred_efivar = false;
+                        refresh = true;
+                        break;
+
+                /* Set/unset the default entry */
                case KEYPRESS(0, 0, 'D'):
                        if (config->idx_default_efivar != idx_highlight) {
                                free(config->entry_default_efivar);
@ -772,7 +798,9 @@ static bool menu_run(
                                config->idx_default_efivar = IDX_INVALID;
                                status = xstrdup16(u"Default boot entry cleared.");
                        }
+                        config->entry_preferred_efivar = mfree(config->entry_preferred_efivar);
                        config->use_saved_entry_efivar = false;
+                        config->use_saved_entry_preferred_efivar = false;
                        refresh = true;
                        break;

@ -919,8 +947,17 @@ static bool menu_run(

        /* Update EFI vars after we left the menu to reduce NVRAM writes. */

-        if (default_efivar_saved != config->idx_default_efivar)
+        if (default_efivar_saved != config->idx_default_efivar) {
+                if (config->entry_preferred_efivar)
+                        efivar_set_str16(MAKE_GUID_PTR(LOADER), u"LoaderEntryPreferred", config->entry_preferred_efivar, EFI_VARIABLE_NON_VOLATILE);
+                else
+                        efivar_unset(MAKE_GUID_PTR(LOADER), u"LoaderEntryPreferred", EFI_VARIABLE_NON_VOLATILE);
+
+                if (config->entry_default_efivar)
                        efivar_set_str16(MAKE_GUID_PTR(LOADER), u"LoaderEntryDefault", config->entry_default_efivar, EFI_VARIABLE_NON_VOLATILE);
+                else
+                        efivar_unset(MAKE_GUID_PTR(LOADER), u"LoaderEntryDefault", EFI_VARIABLE_NON_VOLATILE);
+        }

        if (console_mode_efivar_saved != config->console_mode_efivar) {
                if (config->console_mode_efivar == CONSOLE_MODE_KEEP)
@ -1071,6 +1108,14 @@ static void config_defaults_load_from_file(Config *config, char *content) {
                        free(config->entry_default_config);
                        config->entry_default_config = xstr8_to_16(value);

+                } else if (streq8(key, "preferred")) {
+                        if (value[0] == '@' && !strcaseeq8(value, "@saved")) {
+                                log_warning("Unsupported special entry identifier, ignoring: %s", value);
+                                continue;
+                        }
+                        free(config->entry_preferred_config);
+                        config->entry_preferred_config = xstr8_to_16(value);
+
                } else if (streq8(key, "editor")) {
                        if (!parse_boolean(value, &config->editor))
                                log_warning("Error parsing 'editor' config option, ignoring: %s", value);
@ -1571,18 +1616,24 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
                (void) efivar_unset(MAKE_GUID_PTR(LOADER), u"LoaderEntryOneShot", EFI_VARIABLE_NON_VOLATILE);

        (void) efivar_get_str16(MAKE_GUID_PTR(LOADER), u"LoaderEntryDefault", &config->entry_default_efivar);
+        (void) efivar_get_str16(MAKE_GUID_PTR(LOADER), u"LoaderEntryPreferred", &config->entry_preferred_efivar);
        (void) efivar_get_str16(MAKE_GUID_PTR(LOADER), u"LoaderEntrySysFail", &config->entry_sysfail);

        strtolower16(config->entry_default_config);
        strtolower16(config->entry_default_efivar);
+        strtolower16(config->entry_preferred_config);
+        strtolower16(config->entry_preferred_efivar);
        strtolower16(config->entry_oneshot);
        strtolower16(config->entry_saved);
        strtolower16(config->entry_sysfail);

        config->use_saved_entry = streq16(config->entry_default_config, u"@saved");
        config->use_saved_entry_efivar = streq16(config->entry_default_efivar, u"@saved");
-        if (config->use_saved_entry || config->use_saved_entry_efivar)
+        config->use_saved_entry_preferred = streq16(config->entry_preferred_config, u"@saved");
+        config->use_saved_entry_preferred_efivar = streq16(config->entry_preferred_efivar, u"@saved");
+        if (config->use_saved_entry || config->use_saved_entry_efivar || config->use_saved_entry_preferred || config->use_saved_entry_preferred_efivar)
                (void) efivar_get_str16(MAKE_GUID_PTR(LOADER), u"LoaderEntryLastBooted", &config->entry_saved);
+
 }

 static bool valid_type1_filename(const char16_t *fname) {
@ -1745,7 +1796,7 @@ static int boot_entry_compare(const BootEntry *a, const BootEntry *b) {
        return CMP(a->tries_done, b->tries_done);
 }

-static size_t config_find_entry(Config *config, const char16_t *pattern) {
+static size_t config_find_entry(Config *config, const char16_t *pattern, const bool check_assessment) {
        assert(config);

        /* We expect pattern and entry IDs to be already case folded. */
@ -1754,7 +1805,7 @@ static size_t config_find_entry(Config *config, const char16_t *pattern) {
                return IDX_INVALID;

        for (size_t i = 0; i < config->n_entries; i++)
-                if (efi_fnmatch(pattern, config->entries[i]->id))
+                if (efi_fnmatch(pattern, config->entries[i]->id) && (!check_assessment || config->entries[i]->tries_left != 0))
                        return i;

        return IDX_INVALID;
@ -1785,20 +1836,47 @@ static void config_select_default_entry(Config *config) {
        assert(config);

        if (config->sysfail_occurred) {
-                i = config_find_entry(config, config->entry_sysfail);
+                i = config_find_entry(config, config->entry_sysfail, /* check_assessment= */ false);
                if (i != IDX_INVALID) {
                        config->idx_default = i;
                        return;
                }
        }

-        i = config_find_entry(config, config->entry_oneshot);
+        i = config_find_entry(config, config->entry_oneshot, /* check_assessment= */ false);
        if (i != IDX_INVALID) {
                config->idx_default = i;
                return;
        }

-        i = config_find_entry(config, config->use_saved_entry_efivar ? config->entry_saved : config->entry_default_efivar);
+        /* Try to match the preferred entry pattern */
+
+        i = config_find_entry(config, config->use_saved_entry_preferred_efivar ? config->entry_saved : config->entry_preferred_efivar, /* check_assessment= */ true);
+        if (i != IDX_INVALID) {
+                config->idx_default = i;
+                config->idx_default_efivar = i;
+                return;
+        }
+
+        i = config_find_entry(config, config->entry_preferred_config, /* check_assessment= */ true);
+        if (i != IDX_INVALID) {
+                config->idx_default = i;
+                return;
+        }
+
+        if (config->use_saved_entry_preferred)
+                /* No need to do the same thing twice. */
+                i = config->use_saved_entry_preferred_efivar ? IDX_INVALID : config_find_entry(config, config->entry_saved, /* check_assessment= */ true);
+        else
+                i = config_find_entry(config, config->entry_preferred_config, /* check_assessment= */ true);
+        if (i != IDX_INVALID) {
+                config->idx_default = i;
+                return;
+        }
+
+        /* Try to match the default pattern */
+
+        i = config_find_entry(config, config->use_saved_entry_efivar ? config->entry_saved : config->entry_default_efivar, /* check_assessment= */ false);
        if (i != IDX_INVALID) {
                config->idx_default = i;
                config->idx_default_efivar = i;
@ -1807,9 +1885,9 @@ static void config_select_default_entry(Config *config) {

        if (config->use_saved_entry)
                /* No need to do the same thing twice. */
-                i = config->use_saved_entry_efivar ? IDX_INVALID : config_find_entry(config, config->entry_saved);
+                i = config->use_saved_entry_efivar ? IDX_INVALID : config_find_entry(config, config->entry_saved, /* check_assessment= */ false);
        else
-                i = config_find_entry(config, config->entry_default_config);
+                i = config_find_entry(config, config->entry_default_config, /* check_assessment= */ false);
        if (i != IDX_INVALID) {
                config->idx_default = i;
                return;
@ -2785,7 +2863,7 @@ static EFI_STATUS call_image_start(
                uint32_t compat_address;

                err = pe_kernel_info(loaded_image->ImageBase, /* ret_entry_point= */ NULL, &compat_address,
-                                     /* ret_image_base= */ NULL, /* ret_size_in_memory= */ NULL);
+                                     /* ret_size_in_memory= */ NULL);
                if (err != EFI_SUCCESS) {
                        if (err != EFI_UNSUPPORTED)
                                return log_error_status(err, "Error finding kernel compat entry address: %m");
@ -2811,6 +2889,8 @@ static void config_free(Config *config) {
        free(config->entries);
        free(config->entry_default_config);
        free(config->entry_default_efivar);
+        free(config->entry_preferred_config);
+        free(config->entry_preferred_efivar);
        free(config->entry_oneshot);
        free(config->entry_saved);
        free(config->entry_sysfail);
@ -2932,6 +3012,7 @@ static void export_loader_variables(
                EFI_LOADER_FEATURE_CONFIG_TIMEOUT |
                EFI_LOADER_FEATURE_CONFIG_TIMEOUT_ONE_SHOT |
                EFI_LOADER_FEATURE_ENTRY_DEFAULT |
+                EFI_LOADER_FEATURE_ENTRY_PREFERRED |
                EFI_LOADER_FEATURE_ENTRY_ONESHOT |
                EFI_LOADER_FEATURE_BOOT_COUNTING |
                EFI_LOADER_FEATURE_XBOOTLDR |
--- a/src/boot/linux.c
+++ b/src/boot/linux.c
@ -161,14 +161,13 @@ EFI_STATUS linux_exec(

        size_t kernel_size_in_memory = 0;
        uint32_t compat_entry_point, entry_point;
-        uint64_t image_base;
        EFI_STATUS err;

        assert(parent_image);
        assert(iovec_is_set(kernel));
        assert(iovec_is_valid(initrd));

-        err = pe_kernel_info(kernel->iov_base, &entry_point, &compat_entry_point, &image_base, &kernel_size_in_memory);
+        err = pe_kernel_info(kernel->iov_base, &entry_point, &compat_entry_point, &kernel_size_in_memory);
 #if defined(__i386__) || defined(__x86_64__)
        if (err == EFI_UNSUPPORTED)
                /* Kernel is too old to support LINUX_INITRD_MEDIA_GUID, try the deprecated EFI handover
@ -276,10 +275,9 @@ EFI_STATUS linux_exec(
                if (h->SizeOfRawData == 0)
                        continue;

-                if ((h->VirtualAddress < image_base)
-                    || (h->VirtualAddress - image_base + h->SizeOfRawData > kernel_size_in_memory))
+                if (h->VirtualAddress + h->SizeOfRawData > kernel_size_in_memory)
                        return log_error_status(EFI_LOAD_ERROR, "Section would write outside of memory");
-                memcpy(loaded_kernel + h->VirtualAddress - image_base,
+                memcpy(loaded_kernel + h->VirtualAddress,
                       (const uint8_t*)kernel->iov_base + h->PointerToRawData,
                       h->SizeOfRawData);
                memzero(loaded_kernel + h->VirtualAddress + h->SizeOfRawData,
@ -288,7 +286,7 @@ EFI_STATUS linux_exec(
                /* Not a code section? Nothing to do, leave as-is. */
                if (memory_proto && (h->Characteristics & (PE_CODE|PE_EXECUTE))) {
                        nx_sections = xrealloc(nx_sections, n_nx_sections * sizeof(struct iovec), (n_nx_sections + 1) * sizeof(struct iovec));
-                        nx_sections[n_nx_sections].iov_base = loaded_kernel + h->VirtualAddress - image_base;
+                        nx_sections[n_nx_sections].iov_base = loaded_kernel + h->VirtualAddress;
                        nx_sections[n_nx_sections].iov_len = h->VirtualSize;

                        err = memory_mark_ro_x(memory_proto, &nx_sections[n_nx_sections]);
--- a/src/boot/pe.c
+++ b/src/boot/pe.c
@ -459,7 +459,7 @@ static uint32_t get_compatibility_entry_address(const DosFileHeader *dos, const
        return 0;
 }

-EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t *ret_compat_entry_point, uint64_t *ret_image_base, size_t *ret_size_in_memory) {
+EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t *ret_compat_entry_point, size_t *ret_size_in_memory) {
        assert(base);

        const DosFileHeader *dos = (const DosFileHeader *) base;
@ -470,18 +470,6 @@ EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t
        if (!verify_pe(dos, pe, /* allow_compatibility= */ true))
                return EFI_LOAD_ERROR;

-        uint64_t image_base;
-        switch (pe->OptionalHeader.Magic) {
-        case OPTHDR32_MAGIC:
-                image_base = pe->OptionalHeader.ImageBase32;
-                break;
-        case OPTHDR64_MAGIC:
-                image_base = pe->OptionalHeader.ImageBase64;
-                break;
-        default:
-                assert_not_reached();
-        }
-
        /* When allocating we need to also consider the virtual/uninitialized data sections, so parse it out
         * of the SizeOfImage field in the PE header and return it */
        size_t size_in_memory = pe->OptionalHeader.SizeOfImage;
@ -495,8 +483,6 @@ EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t
                        *ret_entry_point = pe->OptionalHeader.AddressOfEntryPoint;
                if (ret_compat_entry_point)
                        *ret_compat_entry_point = 0;
-                if (ret_image_base)
-                        *ret_image_base = image_base;
                if (ret_size_in_memory)
                        *ret_size_in_memory = size_in_memory;
                return EFI_SUCCESS;
@ -511,8 +497,6 @@ EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t
                *ret_entry_point = 0;
        if (ret_compat_entry_point)
                *ret_compat_entry_point = compat_entry_point;
-        if (ret_image_base)
-                *ret_image_base = image_base;
        if (ret_size_in_memory)
                *ret_size_in_memory = size_in_memory;

--- a/src/boot/pe.h
+++ b/src/boot/pe.h
@ -57,7 +57,7 @@ EFI_STATUS pe_memory_locate_sections(
                const char *const section_names[],
                PeSectionVector sections[]);

-EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t *ret_compat_entry_point, uint64_t *ret_image_base, size_t *ret_size_in_memory);
+EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t *ret_compat_entry_point, size_t *ret_size_in_memory);

 EFI_STATUS pe_kernel_check_no_relocation(const void *base);

--- a/src/bootctl/bootctl-install.c
+++ b/src/bootctl/bootctl-install.c
@ -1861,6 +1861,7 @@ static int remove_loader_variables(void) {
                       EFI_LOADER_VARIABLE_STR("LoaderConfigConsoleMode"),
                       EFI_LOADER_VARIABLE_STR("LoaderConfigTimeout"),
                       EFI_LOADER_VARIABLE_STR("LoaderConfigTimeoutOneShot"),
+                       EFI_LOADER_VARIABLE_STR("LoaderEntryPreferred"),
                       EFI_LOADER_VARIABLE_STR("LoaderEntryDefault"),
                       EFI_LOADER_VARIABLE_STR("LoaderEntrySysFail"),
                       EFI_LOADER_VARIABLE_STR("LoaderEntryLastBooted"),
--- a/src/bootctl/bootctl-set-efivar.c
+++ b/src/bootctl/bootctl-set-efivar.c
@ -171,6 +171,9 @@ int verb_set_efivar(int argc, char *argv[], void *userdata) {
        if (streq(argv[0], "set-default")) {
                variable = EFI_LOADER_VARIABLE_STR("LoaderEntryDefault");
                arg_parser = parse_loader_entry_target_arg;
+        } else if (streq(argv[0], "set-preferred")) {
+                variable = EFI_LOADER_VARIABLE_STR("LoaderEntryPreferred");
+                arg_parser = parse_loader_entry_target_arg;
        } else if (streq(argv[0], "set-sysfail")) {
                variable = EFI_LOADER_VARIABLE_STR("LoaderEntrySysFail");
                arg_parser = parse_loader_entry_target_arg;
--- a/src/bootctl/bootctl-status.c
+++ b/src/bootctl/bootctl-status.c
@ -408,7 +408,8 @@ int verb_status(int argc, char *argv[], void *userdata) {
                        { EFI_STUB_FEATURE_MULTI_PROFILE_UKI,         "Stub understands profile selector"                           },
                };
                _cleanup_free_ char *fw_type = NULL, *fw_info = NULL, *loader = NULL, *loader_path = NULL, *stub = NULL, *stub_path = NULL,
-                        *current_entry = NULL, *oneshot_entry = NULL, *default_entry = NULL, *sysfail_entry = NULL, *sysfail_reason = NULL;
+                        *current_entry = NULL, *oneshot_entry = NULL, *preferred_entry = NULL, *default_entry = NULL, *sysfail_entry = NULL,
+                        *sysfail_reason = NULL;
                uint64_t loader_features = 0, stub_features = 0;
                int have;

@ -422,6 +423,7 @@ int verb_status(int argc, char *argv[], void *userdata) {
                (void) efi_stub_get_features(&stub_features);
                (void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE_STR("LoaderEntrySelected"), &current_entry);
                (void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE_STR("LoaderEntryOneShot"), &oneshot_entry);
+                (void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE_STR("LoaderEntryPreferred"), &preferred_entry);
                (void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE_STR("LoaderEntryDefault"), &default_entry);
                (void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE_STR("LoaderEntrySysFail"), &sysfail_entry);
                (void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE_STR("LoaderSysFailReason"), &sysfail_reason);
@ -509,6 +511,8 @@ int verb_status(int argc, char *argv[], void *userdata) {

                        if (current_entry)
                                printf(" Current Entry: %s\n", current_entry);
+                        if (preferred_entry)
+                                printf(" Preferred Entry: %s\n", preferred_entry);
                        if (default_entry)
                                printf(" Default Entry: %s\n", default_entry);
                        if (oneshot_entry && !streq_ptr(oneshot_entry, default_entry))
--- a/src/bootctl/bootctl.c
+++ b/src/bootctl/bootctl.c
@ -702,6 +702,7 @@ static int bootctl_main(int argc, char *argv[]) {
                { "unlink",              2,        2,        0,            verb_unlink              },
                { "cleanup",             VERB_ANY, 1,        0,            verb_cleanup             },
                { "set-default",         2,        2,        0,            verb_set_efivar          },
+                { "set-preferred",       2,        2,        0,            verb_set_efivar          },
                { "set-oneshot",         2,        2,        0,            verb_set_efivar          },
                { "set-timeout",         2,        2,        0,            verb_set_efivar          },
                { "set-timeout-oneshot", 2,        2,        0,            verb_set_efivar          },
--- a/src/coredump/coredump-send.c
+++ b/src/coredump/coredump-send.c
@ -241,7 +241,7 @@ int coredump_send_to_container(CoredumpContext *context) {
        _cleanup_(pidref_done) PidRef leader_pid = PIDREF_NULL;
        r = namespace_get_leader(&context->pidref, NAMESPACE_PID, &leader_pid);
        if (r < 0)
-                return log_debug_errno(r, "Failed to get namespace leader: %m");
+                return log_error_errno(r, "Failed to get namespace leader: %m");

        r = can_forward_coredump(&context->pidref, &leader_pid);
        if (r <= 0)
@ -258,33 +258,33 @@ int coredump_send_to_container(CoredumpContext *context) {

        r = RET_NERRNO(socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, pair));
        if (r < 0)
-                return log_debug_errno(r, "Failed to create socket pair: %m");
+                return log_error_errno(r, "Failed to create socket pair: %m");

        r = setsockopt_int(pair[1], SOL_SOCKET, SO_PASSCRED, true);
        if (r < 0)
-                return log_debug_errno(r, "Failed to set SO_PASSCRED: %m");
+                return log_error_errno(r, "Failed to set SO_PASSCRED: %m");

        r = pidref_namespace_open(&leader_pid, &pidnsfd, &mntnsfd, &netnsfd, &usernsfd, &rootfd);
        if (r < 0)
-                return log_debug_errno(r, "Failed to open namespaces of PID " PID_FMT ": %m", leader_pid.pid);
+                return log_error_errno(r, "Failed to open namespaces of PID " PID_FMT ": %m", leader_pid.pid);

        r = namespace_fork("(sd-coredumpns)", "(sd-coredump)",
                           FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM,
                           pidnsfd, mntnsfd, netnsfd, usernsfd, rootfd, &child);
        if (r < 0)
-                return log_debug_errno(r, "Failed to fork into namespaces of PID " PID_FMT ": %m", leader_pid.pid);
+                return log_error_errno(r, "Failed to fork into namespaces of PID " PID_FMT ": %m", leader_pid.pid);
        if (r == 0) {
                pair[0] = safe_close(pair[0]);

                r = access_nofollow("/run/systemd/coredump", W_OK);
                if (r < 0) {
-                        log_debug_errno(r, "Cannot find coredump socket, exiting: %m");
+                        log_error_errno(r, "Cannot find coredump socket, exiting: %m");
                        _exit(EXIT_FAILURE);
                }

                r = receive_ucred(pair[1], &ucred);
                if (r < 0) {
-                        log_debug_errno(r, "Failed to receive ucred and fd: %m");
+                        log_error_errno(r, "Failed to receive ucred and fd: %m");
                        _exit(EXIT_FAILURE);
                }

@ -309,7 +309,7 @@ int coredump_send_to_container(CoredumpContext *context) {

                r = coredump_send(context);
                if (r < 0) {
-                        log_debug_errno(r, "Failed to send iovec to coredump socket: %m");
+                        log_error_errno(r, "Failed to send iovec to coredump socket: %m");
                        _exit(EXIT_FAILURE);
                }

@ -324,13 +324,13 @@ int coredump_send_to_container(CoredumpContext *context) {
         * container. The kernel will perform the translation for us. */
        r = send_ucred(pair[0], &ucred);
        if (r < 0)
-                return log_debug_errno(r, "Failed to send metadata to container: %m");
+                return log_error_errno(r, "Failed to send metadata to container: %m");

-        r = pidref_wait_for_terminate_and_check("(sd-coredumpns)", &child, 0);
+        r = pidref_wait_for_terminate_and_check("(sd-coredumpns)", &child, WAIT_LOG);
        if (r < 0)
-                return log_debug_errno(r, "Failed to wait for child to terminate: %m");
+                return r;
        if (r != EXIT_SUCCESS)
-                return log_debug_errno(SYNTHETIC_ERRNO(EPROTO), "Failed to process coredump in container.");
+                return -EPROTO;

        return 1; /* sent */
 }
--- a/src/fundamental/efivars-fundamental.h
+++ b/src/fundamental/efivars-fundamental.h
@ -28,6 +28,7 @@
 #define EFI_LOADER_FEATURE_TYPE1_UKI               (UINT64_C(1) << 16)
 #define EFI_LOADER_FEATURE_TYPE1_UKI_URL           (UINT64_C(1) << 17)
 #define EFI_LOADER_FEATURE_TPM2_ACTIVE_PCR_BANKS   (UINT64_C(1) << 18)
+#define EFI_LOADER_FEATURE_ENTRY_PREFERRED         (UINT64_C(1) << 19)

 /* Features of the stub, i.e. systemd-stub */
 #define EFI_STUB_FEATURE_REPORT_BOOT_PARTITION     (UINT64_C(1) << 0)
--- a/src/home/homework-luks.c
+++ b/src/home/homework-luks.c
@ -66,16 +66,16 @@
 #include "user-record.h"
 #include "user-util.h"

-/* Round down to the nearest 4K size. Given that newer hardware generally prefers 4K sectors, let's align our
- * partitions to that too. In the worst case we'll waste 3.5K per partition that way, but I think I can live
+/* Round down to the nearest 1 MiB size. Given that most tools generally align partitions to 1 MiB boundaries, let's align our
+ * partitions to that too. In the worst case we'll waste 1 MiB per partition that way, but I think I can live
 * with that. */
-#define DISK_SIZE_ROUND_DOWN(x) ((x) & ~UINT64_C(4095))
+#define DISK_SIZE_ROUND_DOWN(x) ((x) & ~(U64_MB - 1))

-/* Rounds up to the nearest 4K boundary. Returns UINT64_MAX on overflow */
+/* Rounds up to the nearest 1 MiB boundary. Returns UINT64_MAX on overflow */
 #define DISK_SIZE_ROUND_UP(x)                                           \
        ({                                                              \
                uint64_t _x = (x);                                      \
-                _x > UINT64_MAX - 4095U ? UINT64_MAX : (_x + 4095U) & ~UINT64_C(4095); \
+                _x > UINT64_MAX - (U64_MB - 1) ? UINT64_MAX : (DISK_SIZE_ROUND_DOWN(_x + U64_MB - 1)); \
        })

 /* How much larger will the image on disk be than the fs inside it, i.e. the space we pay for the GPT and
@ -666,6 +666,7 @@ static int luks_validate(
                int fd,
                const char *label,
                sd_id128_t partition_uuid,
+                uint64_t sector_size,
                sd_id128_t *ret_partition_uuid,
                uint64_t *ret_offset,
                uint64_t *ret_size) {
@ -683,6 +684,7 @@ static int luks_validate(
        assert(label);
        assert(ret_offset);
        assert(ret_size);
+        assert(sector_size > 0);

        r = dlopen_libblkid();
        if (r < 0)
@ -697,6 +699,12 @@ static int luks_validate(
        if (r != 0)
                return errno_or_else(ENOMEM);

+        /* Set probing sector size if explicitly specified */
+        if (sector_size != UINT32_MAX) {
+                r = sym_blkid_probe_set_sectorsize(b, sector_size);
+                if (r != 0)
+                        return errno_or_else(EINVAL);
+        }
        (void) sym_blkid_probe_enable_superblocks(b, 1);
        (void) sym_blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
        (void) sym_blkid_probe_enable_partitions(b, 1);
@ -778,6 +786,7 @@ static int luks_validate(
        if ((uint64_t) size > UINT64_MAX / 512U)
                return -EINVAL;

+        /* libblkid returns partitions sizes in count of 512-sectors. This does not necessarily need to match the device sector size */
        *ret_offset = offset * 512U;
        *ret_size = size * 512U;
        *ret_partition_uuid = found_partition_uuid;
@ -1401,7 +1410,15 @@ int home_setup_luks(
                if (!subdir)
                        return log_oom();

-                r = luks_validate(setup->image_fd, user_record_user_name_and_realm(h), h->partition_uuid, &found_partition_uuid, &offset, &size);
+                r = luks_validate(
+                                setup->image_fd,
+                                user_record_user_name_and_realm(h),
+                                h->partition_uuid,
+                                /* if sector size is not specified, select UINT32_MAX, i.e. auto-probe */
+                                h->luks_sector_size == UINT64_MAX ? UINT32_MAX : user_record_luks_sector_size(h),
+                                &found_partition_uuid,
+                                &offset,
+                                &size);
                if (r < 0)
                        return log_error_errno(r, "Failed to validate disk label: %m");

@ -1416,6 +1433,11 @@ int home_setup_luks(
                                return r;
                }

+                /* Before we make the loop device, make sure offset is zero & we are using the full partition
+                 * If our offset is not zero, loop_device_make will create a loop device on top of the block device */
+                if (S_ISBLK(st.st_mode))
+                        assert(offset == 0 && size == UINT64_MAX);
+
                r = loop_device_make(
                                setup->image_fd,
                                O_RDWR,
@ -1755,6 +1777,7 @@ static int luks_format(
                const PasswordCache *cache,
                char **effective_passwords,
                bool discard,
+                uint64_t sector_size,
                UserRecord *hr,
                struct crypt_device **ret) {

@ -1809,7 +1832,7 @@ static int luks_format(
                        &(struct crypt_params_luks2) {
                                .label = label,
                                .subsystem = "systemd-home",
-                                .sector_size = user_record_luks_sector_size(hr),
+                                .sector_size = sector_size, /* sector-size of 0 is auto for libcryptsetup */
                                .pbkdf = &good_pbkdf,
                        });
        if (r < 0)
@ -1887,7 +1910,7 @@ static int make_partition_table(
        _cleanup_(fdisk_unref_parttypep) struct fdisk_parttype *t = NULL;
        _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL;
        _cleanup_free_ char *disk_uuid_as_string = NULL;
-        uint64_t offset, size, first_lba, start, last_lba, end;
+        uint64_t offset, size, first_lba, start, last_lba, end, fdisk_sector_size;
        sd_id128_t disk_uuid;
        int r;

@ -1924,9 +1947,13 @@ static int make_partition_table(
        if (r < 0)
                return log_error_errno(r, "Failed to place partition at first free partition index: %m");

+        /* Use same sector size as the fdisk context when converting to bytes */
+        fdisk_sector_size = fdisk_get_sector_size(c);
+        assert(fdisk_sector_size > 0);
+
        first_lba = fdisk_get_first_lba(c); /* Boundary where usable space starts */
-        assert(first_lba <= UINT64_MAX/512);
-        start = DISK_SIZE_ROUND_UP(first_lba * 512); /* Round up to multiple of 4K */
+        assert(first_lba <= UINT64_MAX / fdisk_sector_size);
+        start = DISK_SIZE_ROUND_UP(first_lba * fdisk_sector_size);

        log_debug("Starting partition at offset %" PRIu64, start);

@ -1934,17 +1961,17 @@ static int make_partition_table(
                return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Overflow while rounding up start LBA.");

        last_lba = fdisk_get_last_lba(c); /* One sector before boundary where usable space ends */
-        assert(last_lba < UINT64_MAX/512);
-        end = DISK_SIZE_ROUND_DOWN((last_lba + 1) * 512); /* Round down to multiple of 4K */
+        assert(last_lba < UINT64_MAX / fdisk_sector_size);
+        end = DISK_SIZE_ROUND_DOWN((last_lba + 1) * fdisk_sector_size);

        if (end <= start)
                return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Resulting partition size zero or negative.");

-        r = fdisk_partition_set_start(p, start / 512);
+        r = fdisk_partition_set_start(p, start / fdisk_sector_size);
        if (r < 0)
                return log_error_errno(r, "Failed to place partition at offset %" PRIu64 ": %m", start);

-        r = fdisk_partition_set_size(p, (end - start) / 512);
+        r = fdisk_partition_set_size(p, (end - start) / fdisk_sector_size);
        if (r < 0)
                return log_error_errno(r, "Failed to end partition at offset %" PRIu64 ": %m", end);

@ -1978,16 +2005,16 @@ static int make_partition_table(

        assert(fdisk_partition_has_start(q));
        offset = fdisk_partition_get_start(q);
-        if (offset > UINT64_MAX / 512U)
+        if (offset > UINT64_MAX / fdisk_sector_size)
                return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Partition offset too large.");

        assert(fdisk_partition_has_size(q));
        size = fdisk_partition_get_size(q);
-        if (size > UINT64_MAX / 512U)
+        if (size > UINT64_MAX / fdisk_sector_size)
                return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Partition size too large.");

-        *ret_offset = offset * 512U;
-        *ret_size = size * 512U;
+        *ret_offset = offset * fdisk_sector_size;
+        *ret_size = size * fdisk_sector_size;
        *ret_disk_uuid = disk_uuid;

        return 0;
@ -2162,13 +2189,14 @@ int home_create_luks(
                UserRecord **ret_home) {

        _cleanup_free_ char *subdir = NULL, *disk_uuid_path = NULL;
-        uint64_t encrypted_size,
+        uint64_t encrypted_size, image_sector_size, luks_sector_size,
                host_size = 0, partition_offset = 0, partition_size = 0; /* Unnecessary initialization to appease gcc */
        _cleanup_(user_record_unrefp) UserRecord *new_home = NULL;
        sd_id128_t partition_uuid, fs_uuid, luks_uuid, disk_uuid;
        _cleanup_close_ int mount_fd = -EBADF;
        const char *fstype, *ip;
        struct statfs sfs;
+        struct stat st;
        int r;
        _cleanup_strv_free_ char **extra_mkfs_options = NULL;

@ -2241,7 +2269,6 @@ int home_create_luks(
        if (path_startswith(ip, "/dev/")) {
                _cleanup_free_ char *sysfs = NULL;
                uint64_t block_device_size;
-                struct stat st;

                /* Let's place the home directory on a real device, i.e. a USB stick or such */

@ -2333,9 +2360,23 @@ int home_create_luks(
                log_info("Allocating image file completed.");
        }

+        if (h->luks_sector_size == UINT64_MAX) {
+                /* If sector size is not specified, select UINT32_MAX, i.e. auto-probe */
+                image_sector_size = UINT32_MAX;
+                /* Let cryptsetup decide if the sector size is not specified in home record */
+                luks_sector_size = 0;
+        } else {
+                if (S_ISBLK(st.st_mode)) {
+                        /* For physical block devices always use the actual device logical
+                         * sector size. Else the partition will not be discoverable by kernel. */
+                        image_sector_size = UINT32_MAX;
+                        luks_sector_size = user_record_luks_sector_size(h);
+                } else
+                        image_sector_size = luks_sector_size = user_record_luks_sector_size(h);
+        }
        r = make_partition_table(
                        setup->image_fd,
-                        user_record_luks_sector_size(h),
+                        image_sector_size,
                        user_record_user_name_and_realm(h),
                        partition_uuid,
                        &partition_offset,
@ -2346,12 +2387,38 @@ int home_create_luks(

        log_info("Writing of partition table completed.");

+        if (fstat(setup->image_fd, &st) < 0)
+                return log_error_errno(errno, "Failed to fstat home image: %m");
+
+        /* Ensure we don't create a loop device over block device as it leads to huge overhead for discard operations
+         * if the device does not support discard_zeroes_data */
+        if (S_ISBLK(st.st_mode)) {
+                _cleanup_free_ char *partition_path = NULL;
+                assert(!sd_id128_is_null(partition_uuid));
+                if (asprintf(&partition_path, "/dev/disk/by-partuuid/" SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(partition_uuid)) < 0)
+                        return log_oom();
+
+                /* Release the lock, so that udev can find the partition */
+                setup->image_fd = safe_close(setup->image_fd);
+                (void) wait_for_devlink(partition_path);
+                setup->image_fd = open_image_file(h, ip, &st);
+                if (setup->image_fd < 0)
+                        return setup->image_fd;
+
+                r = loop_device_open_from_path(
+                                partition_path,
+                                O_RDWR,
+                                LOCK_EX,
+                                &setup->loop);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to open newly written partition device: %s", partition_path);
+        } else {
                r = loop_device_make(
                                setup->image_fd,
                                O_RDWR,
                                partition_offset,
                                partition_size,
-                        user_record_luks_sector_size(h),
+                                image_sector_size,
                                0,
                                LOCK_EX,
                                &setup->loop);
@ -2361,6 +2428,7 @@ int home_create_luks(
                        return log_error_errno(SYNTHETIC_ERRNO(ENOLINK), "Loopback block device support is not available on this system.");
                if (r < 0)
                        return log_error_errno(r, "Failed to set up loopback device for %s: %m", setup->temporary_image_path);
+        }

        log_info("Setting up loopback device %s completed.", setup->loop->node ?: ip);

@ -2371,6 +2439,7 @@ int home_create_luks(
                        cache,
                        effective_passwords,
                        user_record_luks_discard(h) || user_record_luks_offline_discard(h),
+                        luks_sector_size,
                        h,
                        &setup->crypt_device);
        if (r < 0)
@ -2753,6 +2822,7 @@ static int prepare_resize_partition(
        n_partitions = fdisk_table_get_nents(t);
        for (size_t i = 0; i < n_partitions; i++)  {
                struct fdisk_partition *p;
+                uint64_t fdisk_sector_size;

                p = fdisk_table_get_partition(t, i);
                if (!p)
@ -2763,14 +2833,16 @@ static int prepare_resize_partition(
                if (fdisk_partition_has_start(p) <= 0 || fdisk_partition_has_size(p) <= 0 || fdisk_partition_has_end(p) <= 0)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Found partition without a size.");

-                if (fdisk_partition_get_start(p) == partition_offset / 512U &&
-                    fdisk_partition_get_size(p) == old_partition_size / 512U) {
+                fdisk_sector_size = fdisk_get_sector_size(c);
+                assert(fdisk_sector_size > 0);
+                if (fdisk_partition_get_start(p) == partition_offset / fdisk_sector_size &&
+                    fdisk_partition_get_size(p) == old_partition_size / fdisk_sector_size) {

                        if (found)
                                return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ), "Partition found twice, refusing.");

                        found = p;
-                } else if (fdisk_partition_get_end(p) > partition_offset / 512U)
+                } else if (fdisk_partition_get_end(p) > partition_offset / fdisk_sector_size)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Can't extend, not last partition in image.");
        }

@ -2790,7 +2862,7 @@ static int get_maximum_partition_size(
                uint64_t *ret_maximum_partition_size) {

        _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL;
-        uint64_t start_lba, start, last_lba, end;
+        uint64_t start_lba, start, last_lba, end, fdisk_sector_size;
        int r;

        assert(fd >= 0);
@ -2801,13 +2873,15 @@ static int get_maximum_partition_size(
        if (r < 0)
                return log_error_errno(r, "Failed to create fdisk context: %m");

+        /* Get the probed sector size by fdisk */
+        fdisk_sector_size = fdisk_get_sector_size(c);
        start_lba = fdisk_partition_get_start(p);
-        assert(start_lba <= UINT64_MAX/512);
-        start = start_lba * 512;
+        assert(start_lba <= UINT64_MAX / fdisk_sector_size);
+        start = start_lba * fdisk_sector_size;

        last_lba = fdisk_get_last_lba(c); /* One sector before boundary where usable space ends */
-        assert(last_lba < UINT64_MAX/512);
-        end = DISK_SIZE_ROUND_DOWN((last_lba + 1) * 512); /* Round down to multiple of 4K */
+        assert(last_lba < UINT64_MAX / fdisk_sector_size);
+        end = DISK_SIZE_ROUND_DOWN((last_lba + 1) * fdisk_sector_size);

        if (start > end)
                return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Last LBA is before partition start.");
@ -2847,9 +2921,7 @@ static int apply_resize_partition(
                size_t new_partition_size) {

        _cleanup_(fdisk_unref_contextp) struct fdisk_context *c = NULL;
-        _cleanup_free_ void *two_zero_lbas = NULL;
        uint32_t ssz;
-        ssize_t n;
        int r;

        assert(fd >= 0);
@ -2860,34 +2932,23 @@ static int apply_resize_partition(

        assert(p);

+        r = probe_sector_size(fd, &ssz);
+        if (r < 0)
+                return log_error_errno(r, "Failed to determine current sector size: %m");
+
+        r = fdisk_new_context_at(fd, /* path= */ NULL, /* read_only= */ false, ssz, &c);
+        if (r < 0)
+                return log_error_errno(r, "Failed to open device: %m");
+
        /* Before writing our partition patch the final size in */
        r = fdisk_partition_size_explicit(p, 1);
        if (r < 0)
                return log_error_errno(r, "Failed to enable explicit partition size: %m");

-        r = fdisk_partition_set_size(p, new_partition_size / 512U);
+        r = fdisk_partition_set_size(p, new_partition_size / ssz);
        if (r < 0)
                return log_error_errno(r, "Failed to change partition size: %m");

-        r = probe_sector_size(fd, &ssz);
-        if (r < 0)
-                return log_error_errno(r, "Failed to determine current sector size: %m");
-
-        two_zero_lbas = malloc0(ssz * 2);
-        if (!two_zero_lbas)
-                return log_oom();
-
-        /* libfdisk appears to get confused by the existing PMBR. Let's explicitly flush it out. */
-        n = pwrite(fd, two_zero_lbas, ssz * 2, 0);
-        if (n < 0)
-                return log_error_errno(errno, "Failed to wipe partition table: %m");
-        if ((size_t) n != ssz * 2)
-                return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short write while wiping partition table.");
-
-        r = fdisk_new_context_at(fd, /* path= */ NULL, /* read_only= */ false, ssz, &c);
-        if (r < 0)
-                return log_error_errno(r, "Failed to open device: %m");
-
        r = fdisk_create_disklabel(c, "gpt");
        if (r < 0)
                return log_error_errno(r, "Failed to create GPT disk label: %m");
@ -3472,6 +3533,7 @@ int home_resize_luks(
                        (void) reread_partition_table_fd(image_fd, /* flags= */ 0);

                /* Tell LUKS about the new bigger size too */
+                /* libcrypsetup uses units of 512B sectors for size */
                r = sym_crypt_resize(setup->crypt_device, setup->dm_name, new_fs_size / 512U);
                if (r < 0)
                        return log_error_errno(r, "Failed to grow LUKS device: %m");
@ -3536,7 +3598,8 @@ int home_resize_luks(
        if (new_fs_size < old_fs_size) { /* → Shrink */

                /* Shrink the LUKS device now, matching the new file system size */
-                r = sym_crypt_resize(setup->crypt_device, setup->dm_name, new_fs_size / 512);
+                /* libcrypsetup uses units of 512B sectors for size */
+                r = sym_crypt_resize(setup->crypt_device, setup->dm_name, new_fs_size / 512U);
                if (r < 0)
                        return log_error_errno(r, "Failed to shrink LUKS device: %m");

--- a/src/include/uapi/linux/nl80211.h
+++ b/src/include/uapi/linux/nl80211.h
@ -2880,8 +2880,9 @@ enum nl80211_commands {
 *	index. If the userspace includes more RNR elements than number of
 *	MBSSID elements then these will be added in every EMA beacon.
 *
- * @NL80211_ATTR_MLO_LINK_DISABLED: Flag attribute indicating that the link is
- *	disabled.
+ * @NL80211_ATTR_MLO_LINK_DISABLED: Unused. It was used to indicate that a link
+ *	is disabled during association. However, the AP will send the
+ *	information by including a TTLM in the association response.
 *
 * @NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA: Include BSS usage data, i.e.
 *	include BSSes that can only be used in restricted scenarios and/or
--- a/src/libsystemd/libsystemd.sym
+++ b/src/libsystemd/libsystemd.sym
@ -1088,5 +1088,5 @@ global:

 LIBSYSTEMD_260 {
 global:
-        sd_session_has_extra_device_access;
+        sd_session_get_extra_device_access;
 } LIBSYSTEMD_259;
--- a/src/libsystemd/sd-bus/bus-container.c
+++ b/src/libsystemd/sd-bus/bus-container.c
@ -5,20 +5,99 @@
 #include "bus-container.h"
 #include "bus-internal.h"
 #include "bus-socket.h"
+#include "env-file.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "format-util.h"
+#include "hostname-util.h"
 #include "log.h"
 #include "namespace-util.h"
-#include "pidref.h"
+#include "parse-util.h"
+#include "path-lookup.h"
+#include "path-util.h"
 #include "process-util.h"
 #include "string-util.h"

+int container_get_leader(RuntimeScope scope, const char *machine, pid_t *ret) {
+        _cleanup_free_ char *p = NULL, *s = NULL, *class = NULL;
+        pid_t leader;
+        int r;
+
+        assert(machine);
+        assert(ret);
+
+        if (streq(machine, ".host")) {
+                if (scope == RUNTIME_SCOPE_USER)
+                        return -EHOSTDOWN;
+
+                *ret = 1;
+                return 0;
+        }
+
+        if (!hostname_is_valid(machine, 0))
+                return -EINVAL;
+
+        r = runtime_directory_generic(scope, "systemd/machines", &p);
+        if (r < 0)
+                return r;
+
+        if (!path_extend(&p, machine))
+                return -ENOMEM;
+
+        r = parse_env_file(NULL, p,
+                           "LEADER", &s,
+                           "CLASS", &class);
+        if (r == -ENOENT)
+                return -EHOSTDOWN;
+        if (r < 0)
+                return r;
+        if (!s)
+                return -ESRCH;
+
+        if (!streq_ptr(class, "container"))
+                return -EMEDIUMTYPE;
+
+        r = parse_pid(s, &leader);
+        if (r < 0)
+                return r;
+        if (leader <= 1)
+                return -EBADMSG;
+
+        *ret = leader;
+        return 0;
+}
+
+static int bus_container_connect_namespace(sd_bus *b, int pidnsfd, int mntnsfd, int usernsfd, int rootfd) {
+        _cleanup_close_pair_ int errno_pipe_fd[2] = EBADF_PAIR;
+        int r;
+
+        if (pipe2(errno_pipe_fd, O_CLOEXEC) < 0)
+                return log_debug_errno(errno, "Failed to create pipe: %m");
+
+        r = namespace_fork("(sd-buscntrns)", "(sd-buscntr)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGKILL|FORK_WAIT,
+                           pidnsfd, mntnsfd, /* netns_fd= */ -EBADF, usernsfd, rootfd, /* ret= */ NULL);
+        if (r == -EPROTO) {
+                errno_pipe_fd[1] = safe_close(errno_pipe_fd[1]);
+
+                int k = read_errno(errno_pipe_fd[0]);
+                if (k < 0 && k != -EIO)
+                        return k;
+        }
+        if (r < 0)
+                return log_debug_errno(r, "Failed to create namespace for (sd-buscntr): %m");
+        if (r == 0) {
+                errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]);
+
+                r = RET_NERRNO(connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size));
+                report_errno_and_exit(errno_pipe_fd[1], r);
+        }
+
+        return 0;
+}
+
 int bus_container_connect_socket(sd_bus *b) {
        _cleanup_close_ int pidnsfd = -EBADF, mntnsfd = -EBADF, usernsfd = -EBADF, rootfd = -EBADF;
-        _cleanup_(pidref_done) PidRef child = PIDREF_NULL;
-        _cleanup_close_pair_ int pair[2] = EBADF_PAIR;
-        int r, error_buf = 0;
-        ssize_t n;
+        int r;

        assert(b);
        assert(b->input_fd < 0);
@ -29,7 +108,9 @@ int bus_container_connect_socket(sd_bus *b) {
                log_debug("sd-bus: connecting bus%s%s to machine %s...",
                          b->description ? " " : "", strempty(b->description), b->machine);

-                r = container_get_leader(b->machine, &b->nspid);
+                r = container_get_leader(RUNTIME_SCOPE_USER, b->machine, &b->nspid);
+                if (IN_SET(r, -EHOSTDOWN, -ENXIO))
+                        r = container_get_leader(RUNTIME_SCOPE_SYSTEM, b->machine, &b->nspid);
                if (r < 0)
                        return r;
        } else
@ -50,56 +131,17 @@ int bus_container_connect_socket(sd_bus *b) {

        bus_socket_setup(b);

-        if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
-                return log_debug_errno(errno, "Failed to create a socket pair: %m");
-
-        r = namespace_fork("(sd-buscntrns)", "(sd-buscntr)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGKILL,
-                           pidnsfd, mntnsfd, -1, usernsfd, rootfd, &child);
+        r = are_our_namespaces(pidnsfd, mntnsfd, /* netns_fd= */ -EBADF, usernsfd, rootfd);
        if (r < 0)
-                return log_debug_errno(r, "Failed to create namespace for (sd-buscntr): %m");
-        if (r == 0) {
-                pair[0] = safe_close(pair[0]);
-
-                r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
-                if (r < 0) {
-                        /* Try to send error up */
-                        error_buf = errno;
-                        (void) write(pair[1], &error_buf, sizeof(error_buf));
-                        _exit(EXIT_FAILURE);
-                }
-
-                _exit(EXIT_SUCCESS);
-        }
-
-        pair[1] = safe_close(pair[1]);
-
-        r = pidref_wait_for_terminate_and_check("(sd-buscntrns)", &child, 0);
-        if (r < 0)
-                return r;
-        bool nonzero_exit_status = r != EXIT_SUCCESS;
-
-        n = read(pair[0], &error_buf, sizeof(error_buf));
-        if (n < 0)
-                return log_debug_errno(errno, "Failed to read error status from (sd-buscntr): %m");
-
-        if (n > 0) {
-                if (n != sizeof(error_buf))
-                        return log_debug_errno(SYNTHETIC_ERRNO(EIO),
-                                               "Read error status of unexpected length %zd from (sd-buscntr).", n);
-
-                if (error_buf < 0)
-                        return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
-                                               "Got unexpected error status from (sd-buscntr).");
-
-                if (error_buf == EINPROGRESS)
+                return log_debug_errno(r, "Failed to check if already in PID "PID_FMT" namespaces: %m", b->nspid);
+        if (r > 0)
+                r = RET_NERRNO(connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size));
+        else
+                r = bus_container_connect_namespace(b, pidnsfd, mntnsfd, usernsfd, rootfd);
+        if (r == -EINPROGRESS)
                return 1;
-
-                if (error_buf > 0)
-                        return log_debug_errno(error_buf, "(sd-buscntr) failed to connect to D-Bus socket: %m");
-        }
-
-        if (nonzero_exit_status)
-                return -EPROTO;
+        if (r < 0)
+                return log_debug_errno(r, "Failed to connect to D-Bus socket in namespaces of PID "PID_FMT": %m", b->nspid);

        return bus_socket_start_auth(b);
 }
--- a/src/libsystemd/sd-bus/bus-container.h
+++ b/src/libsystemd/sd-bus/bus-container.h
@ -3,4 +3,6 @@

 #include "sd-forward.h"

+int container_get_leader(RuntimeScope scope, const char *machine, pid_t *ret);
+
 int bus_container_connect_socket(sd_bus *b);
--- a/src/libsystemd/sd-id128/id128-util.c
+++ b/src/libsystemd/sd-id128/id128-util.c
@ -5,6 +5,7 @@
 #include <sys/socket.h>
 #include <unistd.h>

+#include "bus-container.h"
 #include "fd-util.h"
 #include "fs-util.h"
 #include "hash-funcs.h"
@ -13,6 +14,7 @@
 #include "namespace-util.h"
 #include "pidref.h"
 #include "process-util.h"
+#include "runtime-scope.h"
 #include "sha256.h"
 #include "siphash24.h"
 #include "string-util.h"
@ -287,7 +289,7 @@ int id128_get_boot_for_machine(const char *machine, sd_id128_t *ret) {
        if (isempty(machine))
                return sd_id128_get_boot(ret);

-        r = container_get_leader(machine, &pid);
+        r = container_get_leader(RUNTIME_SCOPE_SYSTEM, machine, &pid);
        if (r < 0)
                return r;

--- a/src/libsystemd/sd-json/json-util.h
+++ b/src/libsystemd/sd-json/json-util.h
@ -264,6 +264,8 @@ enum {
        SD_JSON_BUILD_PAIR_CONDITION(condition, name, SD_JSON_BUILD_UNSIGNED(value))
 #define JSON_BUILD_PAIR_CONDITION_BOOLEAN(condition, name, value) \
        SD_JSON_BUILD_PAIR_CONDITION(condition, name, SD_JSON_BUILD_BOOLEAN(value))
+#define JSON_BUILD_PAIR_CONDITION_STRV(condition, name, value) \
+        SD_JSON_BUILD_PAIR_CONDITION(condition, name, SD_JSON_BUILD_STRV(value))

 int json_variant_new_pidref(sd_json_variant **ret, PidRef *pidref);
 int json_variant_new_devnum(sd_json_variant **ret, dev_t devnum);
--- a/src/libsystemd/sd-login/sd-login.c
+++ b/src/libsystemd/sd-login/sd-login.c
@ -677,7 +677,7 @@ _public_ int sd_session_is_remote(const char *session) {
        return parse_boolean(s);
 }

-_public_ int sd_session_has_extra_device_access(const char *session) {
+_public_ int sd_session_get_extra_device_access(const char *session, char ***ret_ids) {
        _cleanup_free_ char *p = NULL, *s = NULL;
        int r;

@ -690,10 +690,21 @@ _public_ int sd_session_has_extra_device_access(const char *session) {
                return -ENXIO;
        if (r < 0)
                return r;
-        if (isempty(s))
-                return -ENODATA;

-        return parse_boolean(s);
+        _cleanup_strv_free_ char **ids = NULL;
+        size_t n_ids = 0;
+        if (!isempty(s)) {
+                ids = strv_split(s, /* separators= */ NULL);
+                if (!ids)
+                        return -ENOMEM;
+
+                n_ids = strv_length(ids);
+        }
+
+        if (ret_ids)
+                *ret_ids = TAKE_PTR(ids);
+
+        return n_ids;
 }

 _public_ int sd_session_get_state(const char *session, char **ret_state) {
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@ -898,7 +898,7 @@ int manager_create_session(
                bool remote,
                const char *remote_user,
                const char *remote_host,
-                bool extra_device_access,
+                char * const *extra_device_access,
                Session **ret_session) {

        bool mangle_class = false;
@ -1005,7 +1005,6 @@ int manager_create_session(

        session->original_type = session->type = type;
        session->remote = remote;
-        session->extra_device_access = extra_device_access;
        session->vtnr = vtnr;
        session->class = class;

@ -1055,6 +1054,10 @@ int manager_create_session(
                        goto fail;
        }

+        r = strv_copy_unless_empty(extra_device_access, &session->extra_device_access);
+        if (r < 0)
+                goto fail;
+
        if (seat) {
                r = seat_attach_session(seat, session);
                if (r < 0)
@ -1229,7 +1232,7 @@ static int manager_create_session_by_bus(
                        remote,
                        remote_user,
                        remote_host,
-                        /* extra_device_access= */ false,
+                        /* extra_device_access= */ NULL,
                        &session);
        if (r == -EBUSY)
                return sd_bus_error_set(error, BUS_ERROR_SESSION_BUSY, "Already running in a session or user slice");
--- a/src/login/logind-dbus.h
+++ b/src/login/logind-dbus.h
@ -57,7 +57,7 @@ int manager_create_session(
                bool remote,
                const char *remote_user,
                const char *remote_host,
-                bool extra_device_access,
+                char * const *extra_device_access,
                Session **ret_session);

 extern const BusObjectImplementation manager_object;
--- a/src/login/logind-session-dbus.c
+++ b/src/login/logind-session-dbus.c
@ -985,7 +985,7 @@ static const sd_bus_vtable session_vtable[] = {
        SD_BUS_PROPERTY("Remote", "b", bus_property_get_bool, offsetof(Session, remote), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("RemoteHost", "s", NULL, offsetof(Session, remote_host), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("RemoteUser", "s", NULL, offsetof(Session, remote_user), SD_BUS_VTABLE_PROPERTY_CONST),
-        SD_BUS_PROPERTY("ExtraDeviceAccess", "b", bus_property_get_bool, offsetof(Session, extra_device_access), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("ExtraDeviceAccess", "as", NULL, offsetof(Session, extra_device_access), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("Service", "s", NULL, offsetof(Session, service), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("Desktop", "s", NULL, offsetof(Session, desktop), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("Scope", "s", NULL, offsetof(Session, scope), SD_BUS_VTABLE_PROPERTY_CONST),
--- a/src/login/logind-session.c
+++ b/src/login/logind-session.c
@ -45,6 +45,7 @@
 #include "process-util.h"
 #include "serialize.h"
 #include "string-table.h"
+#include "strv.h"
 #include "terminal-util.h"
 #include "tmpfile-util.h"
 #include "user-record.h"
@ -210,6 +211,7 @@ Session* session_free(Session *s) {
        free(s->remote_user);
        free(s->service);
        free(s->desktop);
+        strv_free(s->extra_device_access);

        hashmap_remove(s->manager->sessions, s->id);

@ -278,24 +280,37 @@ static void session_save_devices(Session *s, FILE *f) {
        }
 }

-static int trigger_xaccess(void) {
+static int trigger_xaccess(char * const *extra_devices) {
        int r;

+        if (strv_isempty(extra_devices))
+                return 0;
+
+        _cleanup_strv_free_ char **tags = NULL;
+        r = strv_extend_strv_biconcat(&tags, "xaccess-", (const char * const *)extra_devices, /* suffix= */ NULL);
+        if (r < 0)
+                return r;
+
        _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
        r = sd_device_enumerator_new(&e);
        if (r < 0)
                return r;

-        r = sd_device_enumerator_add_match_tag(e, "xaccess");
+        STRV_FOREACH(tag, tags) {
+                r = sd_device_enumerator_add_match_tag(e, *tag);
                if (r < 0)
                        return r;
+        }

        FOREACH_DEVICE(e, d) {
                /* Verify that the tag is still in place. */
-                r = sd_device_has_current_tag(d, "xaccess");
-                if (r < 0)
-                        return r;
-                if (r == 0)
+                bool has_xaccess = false;
+                STRV_FOREACH(tag, tags)
+                        if (sd_device_has_current_tag(d, *tag)) {
+                                has_xaccess = true;
+                                break;
+                        }
+                if (!has_xaccess)
                        continue;

                /* In case people mistag devices without nodes, we need to ignore this. */
@ -349,14 +364,12 @@ int session_save(Session *s) {
                "IS_DISPLAY=%s\n"
                "STATE=%s\n"
                "REMOTE=%s\n"
-                "EXTRA_DEVICE_ACCESS=%s\n"
                "LEADER_FD_SAVED=%s\n",
                s->user->user_record->uid,
                one_zero(session_is_active(s)),
                one_zero(s->user->display == s),
                session_state_to_string(session_get_state(s)),
                one_zero(s->remote),
-                one_zero(s->extra_device_access),
                one_zero(s->leader_fd_saved));

        env_file_fputs_assignment(f, "USER=", s->user->user_record->user_name);
@ -414,6 +427,13 @@ int session_save(Session *s) {
                session_save_devices(s, f);
        }

+        if (s->extra_device_access) {
+                _cleanup_free_ char *extra_devices = strv_join(s->extra_device_access, " ");
+                if (!extra_devices)
+                        return log_oom();
+                fprintf(f, "EXTRA_DEVICE_ACCESS=%s\n", extra_devices);
+        }
+
        r = flink_tmpfile(f, temp_path, s->state_file, LINK_TMPFILE_REPLACE);
        if (r < 0)
                return log_error_errno(r, "Failed to move '%s' into place: %m", s->state_file);
@ -586,9 +606,9 @@ int session_load(Session *s) {
        }

        if (extra_device_access) {
-                k = parse_boolean(extra_device_access);
-                if (k >= 0)
-                        s->extra_device_access = k;
+                s->extra_device_access = strv_split(extra_device_access, /* separators= */ NULL);
+                if (!s->extra_device_access)
+                        return log_oom();
        }

        if (vtnr)
@ -915,8 +935,7 @@ int session_start(Session *s, sd_bus_message *properties, sd_bus_error *error) {
        if (s->seat)
                (void) seat_save(s->seat);

-        if (s->extra_device_access)
-                (void) trigger_xaccess();
+        (void) trigger_xaccess(s->extra_device_access);

        /* Send signals */
        (void) session_send_signal(s, true);
@ -1008,8 +1027,7 @@ int session_stop(Session *s, bool force) {
        (void) session_save(s);
        (void) user_save(s->user);

-        if (s->extra_device_access)
-                (void) trigger_xaccess();
+        (void) trigger_xaccess(s->extra_device_access);

        return r;
 }
--- a/src/login/logind-session.h
+++ b/src/login/logind-session.h
@ -121,7 +121,7 @@ typedef struct Session {
        char *remote_host;
        char *service;
        char *desktop;
-        bool extra_device_access;
+        char **extra_device_access;

        char *scope;
        char *scope_job;
--- a/src/login/logind-varlink.c
+++ b/src/login/logind-varlink.c
@ -15,6 +15,7 @@
 #include "logind-seat.h"
 #include "logind-user.h"
 #include "logind-varlink.h"
+#include "strv.h"
 #include "terminal-util.h"
 #include "user-record.h"
 #include "user-util.h"
@ -145,11 +146,12 @@ typedef struct CreateSessionParameters {
        int remote;
        const char *remote_user;
        const char *remote_host;
-        bool extra_device_access;
+        char **extra_device_access;
 } CreateSessionParameters;

 static void create_session_parameters_done(CreateSessionParameters *p) {
        pidref_done(&p->pid);
+        strv_free(p->extra_device_access);
 }

 static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
@ -170,7 +172,7 @@ static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameter
                { "Remote",            SD_JSON_VARIANT_BOOLEAN,       sd_json_dispatch_tristate,     offsetof(CreateSessionParameters, remote),              0                 },
                { "RemoteUser",        SD_JSON_VARIANT_STRING,        sd_json_dispatch_const_string, offsetof(CreateSessionParameters, remote_user),         0                 },
                { "RemoteHost",        SD_JSON_VARIANT_STRING,        sd_json_dispatch_const_string, offsetof(CreateSessionParameters, remote_host),         0                 },
-                { "ExtraDeviceAccess", SD_JSON_VARIANT_BOOLEAN,       sd_json_dispatch_stdbool,      offsetof(CreateSessionParameters, extra_device_access), 0                 },
+                { "ExtraDeviceAccess", SD_JSON_VARIANT_ARRAY,         sd_json_dispatch_strv,         offsetof(CreateSessionParameters, extra_device_access), 0                 },
                {}
        };

@ -180,7 +182,6 @@ static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameter
                .class = _SESSION_CLASS_INVALID,
                .type = _SESSION_TYPE_INVALID,
                .remote = -1,
-                .extra_device_access = false,
        };

        r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@ -814,7 +814,7 @@ typedef struct SessionContext {
        uint32_t vtnr;
        const char *tty;
        const char *display;
-        bool extra_device_access;
+        char **extra_device_access;
        bool remote;
        const char *remote_user;
        const char *remote_host;
@ -827,6 +827,10 @@ typedef struct SessionContext {
        bool incomplete;
 } SessionContext;

+static void session_context_done(SessionContext *c) {
+        strv_free(c->extra_device_access);
+}
+
 static int create_session_message(
                sd_bus *bus,
                pam_handle_t *pamh,
@ -1150,7 +1154,7 @@ static int register_session(
                                        SD_JSON_BUILD_PAIR_BOOLEAN("Remote", c->remote),
                                        JSON_BUILD_PAIR_STRING_NON_EMPTY("RemoteUser", c->remote_user),
                                        JSON_BUILD_PAIR_STRING_NON_EMPTY("RemoteHost", c->remote_host),
-                                        JSON_BUILD_PAIR_CONDITION_BOOLEAN(c->extra_device_access, "ExtraDeviceAccess", c->extra_device_access));
+                                        JSON_BUILD_PAIR_CONDITION_STRV(!strv_isempty(c->extra_device_access), "ExtraDeviceAccess", c->extra_device_access));
                        if (r < 0)
                                return pam_syslog_errno(pamh, LOG_ERR, r,
                                                        "Failed to issue io.systemd.Login.CreateSession varlink call: %m");
@ -1317,7 +1321,11 @@ static int register_session(
        if (r != PAM_SUCCESS)
                return r;

-        r = update_environment(pamh, "XDG_SESSION_EXTRA_DEVICE_ACCESS", one_zero(c->extra_device_access));
+        _cleanup_free_ char *extra_devices = strv_join(c->extra_device_access, ":");
+        if (!extra_devices)
+                return pam_log_oom(pamh);
+
+        r = update_environment(pamh, "XDG_SESSION_EXTRA_DEVICE_ACCESS", extra_devices);
        if (r != PAM_SUCCESS)
                return r;

@ -1769,7 +1777,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
        if (r != PAM_SUCCESS)
                return r;

-        SessionContext c = {};
+        _cleanup_(session_context_done) SessionContext c = {};
        r = pam_get_item_many(
                        pamh,
                        PAM_SERVICE,  &c.service,
@ -1787,7 +1795,13 @@ _public_ PAM_EXTERN int pam_sm_open_session(
        c.desktop = getenv_harder(pamh, "XDG_SESSION_DESKTOP", desktop_pam);
        c.area = getenv_harder(pamh, "XDG_AREA", area_pam);
        c.incomplete = getenv_harder_bool(pamh, "XDG_SESSION_INCOMPLETE", false);
-        c.extra_device_access = getenv_harder_bool(pamh, "XDG_SESSION_EXTRA_DEVICE_ACCESS", false);
+
+        const char *extra_device_access = getenv_harder(pamh, "XDG_SESSION_EXTRA_DEVICE_ACCESS", NULL);
+        if (extra_device_access) {
+                c.extra_device_access = strv_split(extra_device_access, ":");
+                if (!c.extra_device_access)
+                        return pam_log_oom(pamh);
+        }

        r = pam_get_data_many(
                        pamh,
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -4368,15 +4368,8 @@ static int outer_child(
                /* The inner child has all namespaces that are requested, so that we all are owned by the
                 * user if user namespaces are turned on. */

-                if (arg_network_namespace_path) {
-                        r = namespace_enter(/* pidns_fd= */ -EBADF,
-                                            /* mntns_fd= */ -EBADF,
-                                            netns_fd,
-                                            /* userns_fd= */ -EBADF,
-                                            /* root_fd= */ -EBADF);
-                        if (r < 0)
-                                return log_error_errno(r, "Failed to join network namespace: %m");
-                }
+                if (arg_network_namespace_path && setns(netns_fd, CLONE_NEWNET) < 0)
+                        return log_error_errno(errno, "Failed to join network namespace: %m");

                if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
                        /* In managed usernamespace operation, sysfs + procfs are special, we'll have to
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@ -478,7 +478,7 @@ static int dns_scope_socket(
        if (s->delegate && s->delegate->fwmark > 0) {
                r = setsockopt_int(fd, SOL_SOCKET, SO_MARK, s->delegate->fwmark);
                if (r < 0)
-                        return log_debug_errno(r, "Failed to set firewall mark on DNS socket: %m)");
+                        return log_debug_errno(r, "Failed to set firewall mark on DNS socket: %m");
        }

        bool addr_is_nonlocal = s->link &&
--- a/src/shared/bootspec.c
+++ b/src/shared/bootspec.c
@ -462,9 +462,11 @@ int boot_config_load_type1(
 void boot_config_free(BootConfig *config) {
        assert(config);

+        free(config->preferred_pattern);
        free(config->default_pattern);

        free(config->entry_oneshot);
+        free(config->entry_preferred);
        free(config->entry_default);
        free(config->entry_selected);
        free(config->entry_sysfail);
@ -515,6 +517,8 @@ int boot_loader_read_conf(BootConfig *config, FILE *file, const char *path) {
                        continue;
                }

+                if (streq(field, "preferred"))
+                        r = free_and_strdup(&config->preferred_pattern, p);
                if (streq(field, "default"))
                        r = free_and_strdup(&config->default_pattern, p);
                else if (STR_IN_SET(field, "timeout", "editor", "auto-entries", "auto-firmware",
@ -1390,6 +1394,15 @@ static int boot_entries_select_default(const BootConfig *config) {
                }
        }

+        if (config->entry_preferred) {
+                i = boot_config_find(config, config->entry_preferred);
+                if (i >= 0) {
+                        log_debug("Found default: id \"%s\" is matched by LoaderEntryPreferred",
+                                  config->entries[i].id);
+                        return i;
+                }
+        }
+
        if (config->entry_default) {
                i = boot_config_find(config, config->entry_default);
                if (i >= 0) {
@ -1399,6 +1412,15 @@ static int boot_entries_select_default(const BootConfig *config) {
                }
        }

+        if (config->preferred_pattern) {
+                i = boot_config_find(config, config->preferred_pattern);
+                if (i >= 0) {
+                        log_debug("Found preferred: id \"%s\" is matched by pattern \"%s\"",
+                                  config->entries[i].id, config->preferred_pattern);
+                        return i;
+                }
+        }
+
        if (config->default_pattern) {
                i = boot_config_find(config, config->default_pattern);
                if (i >= 0) {
@ -1438,6 +1460,12 @@ static int boot_load_efi_entry_pointers(BootConfig *config, bool skip_efivars) {
        if (r < 0 && !IN_SET(r, -ENOENT, -ENODATA))
                log_warning_errno(r, "Failed to read EFI variable \"LoaderEntryOneShot\", ignoring: %m");

+        r = efi_get_variable_string(EFI_LOADER_VARIABLE_STR("LoaderEntryPreferred"), &config->entry_preferred);
+        if (r == -ENOMEM)
+                return log_oom();
+        if (r < 0 && !IN_SET(r, -ENOENT, -ENODATA))
+                log_warning_errno(r, "Failed to read EFI variable \"LoaderEntryPreferred\", ignoring: %m");
+
        r = efi_get_variable_string(EFI_LOADER_VARIABLE_STR("LoaderEntryDefault"), &config->entry_default);
        if (r == -ENOMEM)
                return log_oom();
--- a/src/shared/bootspec.h
+++ b/src/shared/bootspec.h
@ -73,8 +73,10 @@ typedef struct BootConfig {
        int loader_conf_status;  /* 0 → before loading, 1 → loaded, negative → error. */

        char *default_pattern;
+        char *preferred_pattern;

        char *entry_oneshot;
+        char *entry_preferred;
        char *entry_default;
        char *entry_selected;
        char *entry_sysfail;
--- a/src/shared/bus-polkit.c
+++ b/src/shared/bus-polkit.c
@ -571,18 +571,18 @@ int bus_verify_polkit_async_full(
                        return r;
                }
        }
-#endif

        if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) {
+#endif
                /* Don't query PK if client is privileged */
                r = sd_bus_query_sender_privilege(call, /* capability= */ -1);
                if (r < 0)
                        return r;
                if (r > 0)
                        return 1;
+#if ENABLE_POLKIT
        }

-#if ENABLE_POLKIT
        int c = sd_bus_message_get_allow_interactive_authorization(call);
        if (c < 0)
                return c;
@ -781,13 +781,15 @@ int varlink_verify_polkit_async_full(
        if (r != 0)
                return r;

+#if ENABLE_POLKIT
        if (!FLAGS_SET(flags, POLKIT_ALWAYS_QUERY)) {
+#endif
                r = varlink_check_peer_privilege(link);
                if (r != 0)
                        return r;
+#if ENABLE_POLKIT
        }

-#if ENABLE_POLKIT
        _cleanup_(async_polkit_query_unrefp) AsyncPolkitQuery *q = NULL;

        q = async_polkit_query_ref(hashmap_get(*registry, link));
--- a/src/shared/varlink-io.systemd.Login.c
+++ b/src/shared/varlink-io.systemd.Login.c
@ -65,10 +65,9 @@ static SD_VARLINK_DEFINE_METHOD(
                SD_VARLINK_DEFINE_INPUT(RemoteUser, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
                SD_VARLINK_FIELD_COMMENT("Host name of the remote host"),
                SD_VARLINK_DEFINE_INPUT(RemoteHost, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("If true this session is granted access to additional hardware devices, "
-                                         "typically useful for remote, graphical sessions. "
-                                         "This adds access for all devices tagged with \"xaccess\" in udev."),
-                SD_VARLINK_DEFINE_INPUT(ExtraDeviceAccess, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
+                SD_VARLINK_FIELD_COMMENT("List of additional hardware devices that this session is granted access to."
+                                         "For every $ID in the list, this adds access for all devices tagged with \"xaccess-$ID\" in udev."),
+                SD_VARLINK_DEFINE_INPUT(ExtraDeviceAccess, SD_VARLINK_STRING, SD_VARLINK_NULLABLE|SD_VARLINK_ARRAY),
                SD_VARLINK_FIELD_COMMENT("The identifier string of the session of the user."),
                SD_VARLINK_DEFINE_OUTPUT(Id, SD_VARLINK_STRING, 0),
                SD_VARLINK_FIELD_COMMENT("The runtime path ($XDG_RUNTIME_DIR) of the user."),
--- a/src/systemd/sd-login.h
+++ b/src/systemd/sd-login.h
@ -150,8 +150,10 @@ int sd_session_is_active(const char *session);
 /* Return 1 if the session is remote. */
 int sd_session_is_remote(const char *session);

-/* Return 1 if the session is granted extra device access. */
-int sd_session_has_extra_device_access(const char *session);
+/* Return extra hardware devices that the session is granted access to.
+ * For every $ID in the list, this adds access for all devices tagged with
+ * "xaccess-$ID" in udev. */
+int sd_session_get_extra_device_access(const char *session, char ***ret_ids);

 /* Get state from session. Possible states: online, active, closing.
 * This function is a more generic version of sd_session_is_active(). */
--- a/src/udev/udev-builtin-uaccess.c
+++ b/src/udev/udev-builtin-uaccess.c
@ -63,34 +63,58 @@ static int builtin_uaccess(UdevEvent *event, int argc, char *argv[]) {
                }
        }

-        r = sd_device_has_tag(dev, "xaccess");
-        if (r < 0)
-                return log_device_error_errno(dev, r, "Failed to query device xaccess tag: %m");
+        bool has_xaccess = false;
+        FOREACH_DEVICE_CURRENT_TAG(dev, tag)
+                if (startswith(tag, "xaccess-")) {
+                        has_xaccess = true;
+                        break;
+                }

-        if (r > 0) {
+        if (has_xaccess) {
                r = sd_get_sessions(&sessions);
                if (r < 0)
                        return log_device_error_errno(dev, r, "Failed to list sessions: %m");

                STRV_FOREACH(s, sessions) {
                        _cleanup_free_ char *state = NULL;
-                        if (sd_session_get_state(*s, &state) < 0) {
+                        r = sd_session_get_state(*s, &state);
+                        if (r < 0) {
                                log_device_debug_errno(dev, r, "Failed to query state for session %s, ignoring: %m", *s);
                                continue;
                        }
                        if (streq(state, "closing"))
                                continue;
-                        r = sd_session_has_extra_device_access(*s);
+
+                        r = sd_session_get_uid(*s, &uid);
+                        if (r < 0) {
+                                log_device_debug_errno(dev, r, "Failed to query uid for session %s, ignoring: %m", *s);
+                                continue;
+                        }
+
+                        _cleanup_strv_free_ char **extra_devices = NULL;
+                        r = sd_session_get_extra_device_access(*s, &extra_devices);
                        if (r < 0) {
                                log_device_debug_errno(dev, r, "Failed to query extra device access for session %s, ignoring: %m", *s);
                                continue;
                        }
-                        if (r == 0)
-                                continue;
-                        if (sd_session_get_uid(*s, &uid) < 0) {
-                                log_device_debug_errno(dev, r, "Failed to query uid for session %s, ignoring: %m", *s);
-                                continue;
+
+                        bool match = false;
+                        STRV_FOREACH(id, extra_devices) {
+                                _cleanup_free_ char *tag = strjoin("xaccess-", *id);
+                                if (!tag)
+                                        return log_oom();
+
+                                r = sd_device_has_current_tag(dev, tag);
+                                if (r < 0)
+                                        return log_device_error_errno(dev, r, "Failed to query %s tag: %m", tag);
+                                if (r > 0) {
+                                        match = true;
+                                        break;
                                }
+                        }
+                        if (!match)
+                                continue;
+
                        if (set_ensure_put(&uids, NULL, UID_TO_PTR(uid)) < 0)
                                return log_oom();
                }