From 1c18058334b7ae0da54ba7a2c4c977fce024e71f Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Wed, 2 Jul 2025 10:48:51 +0200 Subject: [PATCH 1/6] overlay profiles: Enable cryptsetup in SDK systemd The cryptsetup useflag is required for signing sysexts built with systemd-repart. Signed-off-by: Daniel Zatovic --- .../coreos-overlay/profiles/coreos/targets/sdk/package.use | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use index bed09a66e50..307c76dd7f8 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.use @@ -31,3 +31,6 @@ x11-libs/pixman static-libs # Get latest EDK2 firmware for Secure Boot on arm64. app-emulation/qemu -pin-upstream-blobs + +# Needed for signed sysexts using systemd-repart +sys-apps/systemd cryptsetup From 86e05b5dc6b00db321692ffb60d77fa711f6930d Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Wed, 5 Nov 2025 09:52:04 +0100 Subject: [PATCH 2/6] virtual/zlib: Add from Gentoo Gentoo is moving the zlib dependency from sys-libs/zlib to virtual/zlib to allow different zlib implementation (like zlib-ng). We need to pull this virtual dependency because erofs-utils depends on it. 
Signed-off-by: Daniel Zatovic --- .../workflows/portage-stable-packages-list | 1 + .../portage-stable/virtual/zlib/metadata.xml | 11 +++++++++ .../virtual/zlib/zlib-1.3.1-r1.ebuild | 18 +++++++++++++++ .../virtual/zlib/zlib-1.3.1.ebuild | 23 +++++++++++++++++++ 4 files changed, 53 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index be2dcf3ce96..46ac2e6323b 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -746,6 +746,7 @@ virtual/service-manager virtual/ssh virtual/tmpfiles virtual/udev +virtual/zlib x11-drivers/nvidia-drivers diff --git a/sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml b/sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml new file mode 100644 index 00000000000..e2171ff9839 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/virtual/zlib/metadata.xml @@ -0,0 +1,11 @@ + + + + + base-system@gentoo.org + Gentoo Base System + + + include the minizip library for quick and dirty zip extraction + + diff --git a/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild new file mode 100644 index 00000000000..1ca59a8c388 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1-r1.ebuild 
@@ -0,0 +1,18 @@ +# Copyright 2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit multilib-build + +DESCRIPTION="Virtual for libz.so providers" +SLOT="0/1" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="static-libs" + +RDEPEND=" + || ( + >=sys-libs/zlib-1.3.1[${MULTILIB_USEDEP},static-libs?] + sys-libs/zlib-ng[${MULTILIB_USEDEP},compat,static-libs(-)?] + ) +" diff --git a/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild new file mode 100644 index 00000000000..75bff121845 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/virtual/zlib/zlib-1.3.1.ebuild @@ -0,0 +1,23 @@ +# Copyright 2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit multilib-build + +DESCRIPTION="Virtual for libz.so providers" +SLOT="0/1" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="minizip static-libs" + +RDEPEND=" + || ( + >=sys-libs/zlib-1.3.1[${MULTILIB_USEDEP},minizip?,static-libs?] + ( + sys-libs/zlib-ng[${MULTILIB_USEDEP},compat,static-libs(-)?] + minizip? ( + sys-libs/minizip-ng[${MULTILIB_USEDEP},compat,static-libs(-)?] + ) + ) + ) +" From 5c13795d6a57de026c204f3a07f4331b4ba88c61 Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Tue, 4 Nov 2025 13:59:53 +0000 Subject: [PATCH 3/6] dev-libs/xxhash,sys-fs/erofs-utils: Add from Gentoo These packages are needed for building erofs sysexts using systemd-repart. Also add erofs-utils to SDK deps. 
Signed-off-by: Daniel Zatovic --- .../workflows/portage-stable-packages-list | 2 + .../sdk-depends/sdk-depends-0.0.1.ebuild | 1 + .../targets/sdk/package.accept_keywords | 4 ++ .../portage-stable/dev-libs/xxhash/Manifest | 2 + .../dev-libs/xxhash/metadata.xml | 12 ++++ .../dev-libs/xxhash/xxhash-0.8.2.ebuild | 43 +++++++++++++ .../dev-libs/xxhash/xxhash-0.8.3.ebuild | 57 +++++++++++++++++ .../sys-fs/erofs-utils/Manifest | 2 + .../erofs-utils/erofs-utils-1.8.10.ebuild | 63 +++++++++++++++++++ .../erofs-utils/erofs-utils-1.8.4.ebuild | 63 +++++++++++++++++++ .../sys-fs/erofs-utils/metadata.xml | 13 ++++ 11 files changed, 262 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/xxhash/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/xxhash/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.3.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.10.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.4.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/metadata.xml diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 46ac2e6323b..a0caa7e65f5 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -290,6 +290,7 @@ dev-libs/tree-sitter dev-libs/tree-sitter-bash dev-libs/userspace-rcu dev-libs/xmlsec +dev-libs/xxhash dev-libs/yajl dev-perl/Parse-Yapp 
@@ -668,6 +669,7 @@ sys-fs/btrfs-progs sys-fs/cryptsetup sys-fs/dosfstools sys-fs/e2fsprogs +sys-fs/erofs-utils sys-fs/fuse sys-fs/fuse-common sys-fs/fuse-overlayfs diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild index 0d8be10a149..f6812c1f75e 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild @@ -46,6 +46,7 @@ DEPEND=" sys-firmware/edk2-bin sys-fs/btrfs-progs sys-fs/cryptsetup + sys-fs/erofs-utils dev-perl/Parse-Yapp dev-util/pkgcheck " diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords index 5a492c6d652..7eb67dc0259 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/sdk/package.accept_keywords @@ -1 +1,5 @@ # Temporarily put the SDK version ahead for sd-json support in Dracut. + +# Needed for building signed sysexts with systemd-repart +dev-libs/xxhash +sys-fs/erofs-utils diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/Manifest new file mode 100644 index 00000000000..1ea2e70343b --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/Manifest 
@@ -0,0 +1,2 @@ +DIST xxhash-0.8.2.tar.gz 1141188 BLAKE2B 735408256240760778fa516e01bed428f04837eb4e059c512e924f13e4a96db6cacbbefb04dea65a37b0f25b52cf13c4927a6e7870dc8c0d45b1b955d4ba3da1 SHA512 3e3eef21432fe88bc4dd9940ccad0308fdea3537b06fa5ac0e74c1bde53413dff29c8b3fc617a8a42b9ce88fcf213311d338a31b1ce73b3729342c9e68f06c78 +DIST xxhash-0.8.3.tar.gz 1147630 BLAKE2B 75923c7c5df3490062791fa02ccddfb7281b3646e2b3e4b4a0c0d611c339e07c8d9cb656777fd0fcec9cda484f7b33edf080116bb011f70d6b8299cda63afa4e SHA512 8b5c8b9aad4e869f28310b12cc314037feda81d92f26c23eaecdb35dc65042ca2e65f2e9606033e62a31bcc737a9a950500ffcbdb8677d6ab20e820ea14f2b79 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/metadata.xml b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/metadata.xml new file mode 100644 index 00000000000..63e48a416a2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/metadata.xml @@ -0,0 +1,12 @@ + + + + + amadio@gentoo.org + Guilherme Amadio + + + Cyan4973/xxHash + https://github.com/Cyan4973/xxHash/issues + + diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.2.ebuild new file mode 100644 index 00000000000..1a4ff1b5707 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.2.ebuild 
@@ -0,0 +1,43 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit multilib-minimal toolchain-funcs + +DESCRIPTION="Extremely fast non-cryptographic hash algorithm" +HOMEPAGE="https://xxhash.com/" +SRC_URI="https://github.com/Cyan4973/xxHash/archive/v${PV}.tar.gz -> ${P}.tar.gz" +S=${WORKDIR}/xxHash-${PV} + +LICENSE="BSD-2 GPL-2+" +# https://abi-laboratory.pro/tracker/timeline/xxhash +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~x64-macos" + +src_prepare() { + default + + multilib_copy_sources +} + +multilib_src_compile() { + emake AR="$(tc-getAR)" CC="$(tc-getCC)" +} + +multilib_src_test() { + emake CC="$(tc-getCC)" check +} + +multilib_src_install() { + local emakeargs=( + DESTDIR="${D}" + PREFIX="${EPREFIX}"/usr + LIBDIR="${EPREFIX}"/usr/$(get_libdir) + ) + + emake "${emakeargs[@]}" install + einstalldocs + + rm "${ED}"/usr/$(get_libdir)/libxxhash.a || die +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.3.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.3.ebuild new file mode 100644 index 00000000000..ef8732bc66c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/xxhash/xxhash-0.8.3.ebuild 
@@ -0,0 +1,57 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit flag-o-matic multilib-minimal toolchain-funcs + +DESCRIPTION="Extremely fast non-cryptographic hash algorithm" +HOMEPAGE="https://xxhash.com/" +SRC_URI="https://github.com/Cyan4973/xxHash/archive/v${PV}.tar.gz -> ${P}.tar.gz" +S=${WORKDIR}/xxHash-${PV} + +LICENSE="BSD-2 GPL-2+" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~x64-macos" + +src_prepare() { + default + + multilib_copy_sources +} + +src_configure() { + # Needed for -Og to be buildable, otherwise fails a/ always_inline (bug #961093) + # https://github.com/Cyan4973/xxHash?tab=readme-ov-file#binary-size-control + is-flagq '-Og' && append-cppflags -DXXH_NO_INLINE_HINTS + multilib-minimal_src_configure +} + +myemake() { + emake \ + AR="$(tc-getAR)" \ + CC="$(tc-getCC)" \ + "${@}" +} + +multilib_src_compile() { + myemake +} + +multilib_src_test() { + # Injecting CPPFLAGS into CFLAGS is needed for test_sanity + myemake CFLAGS="${CPPFLAGS} ${CFLAGS}" check +} + +multilib_src_install() { + local emakeargs=( + DESTDIR="${D}" + PREFIX="${EPREFIX}"/usr + LIBDIR="${EPREFIX}"/usr/$(get_libdir) + ) + + myemake "${emakeargs[@]}" install + einstalldocs + + rm "${ED}"/usr/$(get_libdir)/libxxhash.a || die +} diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/Manifest b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/Manifest new file mode 100644 index 00000000000..07b48fc2002 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/Manifest 
@@ -0,0 +1,2 @@ +DIST erofs-utils-1.8.10.tar.gz 201240 BLAKE2B 9575258115192dc0ef7999dd1fa44f619f9f62c93cfe28e3e65fd5d9a601b09acdce293552c90f51c2f7b557d8830e856d6706af6ccd98fc157b05f819d136b4 SHA512 8c7afd3db55fd4c4f7aa9fbd7ed40fa40de0bfffcee601a3f5dce823d406a32b5e939e24cd6dc336e3033e940fb16ee93f8821f627f90b10e6137113949933dd +DIST erofs-utils-1.8.4.tar.gz 187276 BLAKE2B da0d80abbfd9b2d547c30bad7647165a3500f20e5de0b5db4c54efb27ec895fd069be983193b06d35728f5a8e1490e6cd255207c76135d8978d86e1512430755 SHA512 c941b0a2ab6c650a9aa4c9cadeb277ebc87007dc51354ff013c7cb763e6e8c9d44ed9e4791730ed05088faaba8c612198b924e70f5e52019382cfdf6d2e6b677 diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.10.ebuild b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.10.ebuild new file mode 100644 index 00000000000..a55ac845ea2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.10.ebuild 
@@ -0,0 +1,63 @@ +# Copyright 2021-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools + +DESCRIPTION="Userspace tools for EROFS" +HOMEPAGE="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git" + +SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/${PN}.git/snapshot/${P}.tar.gz" + +LICENSE="GPL-2+" +SLOT="0" +KEYWORDS="~amd64 ~arm64 ~loong" + +IUSE="fuse libdeflate +lz4 +lzma selinux static-libs +threads +uuid +zlib +zstd" + +RDEPEND=" + dev-libs/xxhash:0= + fuse? ( sys-fs/fuse:0 ) + lz4? ( app-arch/lz4:0= ) + lzma? ( >=app-arch/xz-utils-5.4.0:0= ) + selinux? ( sys-libs/libselinux:0= ) + uuid? ( sys-apps/util-linux ) + zlib? ( + libdeflate? ( app-arch/libdeflate:0= ) + !libdeflate? ( virtual/zlib:= ) + ) + zstd? ( app-arch/zstd:0= ) +" +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig" + +PATCHES=( +) + +src_prepare() { + default + eautoreconf +} + +src_configure() { + local myeconfargs=( + --disable-werror + $(use_enable fuse) + $(use_with libdeflate) + $(use_enable lz4) + $(use_enable lzma) + $(use_with selinux) + $(use_enable static-libs static-fuse) + $(use_enable threads multithreading) + $(use_with uuid) + $(use_with zlib) + $(use_with zstd libzstd) + --without-qpl # not packaged + # do not use bundled xxhash; also upstream says "expected to be + # faster than the internal one" + --with-xxhash + ) + + econf "${myeconfargs[@]}" +} diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.4.ebuild b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.4.ebuild new file mode 100644 index 00000000000..a55ac845ea2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/erofs-utils-1.8.4.ebuild 
@@ -0,0 +1,63 @@ +# Copyright 2021-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools + +DESCRIPTION="Userspace tools for EROFS" +HOMEPAGE="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git" + +SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/${PN}.git/snapshot/${P}.tar.gz" + +LICENSE="GPL-2+" +SLOT="0" +KEYWORDS="~amd64 ~arm64 ~loong" + +IUSE="fuse libdeflate +lz4 +lzma selinux static-libs +threads +uuid +zlib +zstd" + +RDEPEND=" + dev-libs/xxhash:0= + fuse? ( sys-fs/fuse:0 ) + lz4? ( app-arch/lz4:0= ) + lzma? ( >=app-arch/xz-utils-5.4.0:0= ) + selinux? ( sys-libs/libselinux:0= ) + uuid? ( sys-apps/util-linux ) + zlib? ( + libdeflate? ( app-arch/libdeflate:0= ) + !libdeflate? ( virtual/zlib:= ) + ) + zstd? ( app-arch/zstd:0= ) +" +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig" + +PATCHES=( +) + +src_prepare() { + default + eautoreconf +} + +src_configure() { + local myeconfargs=( + --disable-werror + $(use_enable fuse) + $(use_with libdeflate) + $(use_enable lz4) + $(use_enable lzma) + $(use_with selinux) + $(use_enable static-libs static-fuse) + $(use_enable threads multithreading) + $(use_with uuid) + $(use_with zlib) + $(use_with zstd libzstd) + --without-qpl # not packaged + # do not use bundled xxhash; also upstream says "expected to be + # faster than the internal one" + --with-xxhash + ) + + econf "${myeconfargs[@]}" +} diff --git a/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/metadata.xml new file mode 100644 index 00000000000..15abb558de6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-fs/erofs-utils/metadata.xml 
@@ -0,0 +1,13 @@ + + + + xen0n@gentoo.org + WANG Xuerui + + + Builds erofsfuse (requires sys-fs/fuse). + Use app-arch/libdeflate rather than virtual/zlib for handling deflate compression. + Enables UUID support via sys-apps/util-linux. + + From df660bfb328562937e97708895c5534d78ff192f Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Wed, 30 Jul 2025 10:24:18 +0200 Subject: [PATCH 4/6] sysext: Sign built-in sysexts Generate an ephemeral sysext signing key, that is injected into the image's sysext root of trust. All OS-dependent sysexts will be signed by this key and the private key (stored in /tmp) will be discarded on SDK container exit. Signed-off-by: Daniel Zatovic --- build_library/prod_image_util.sh | 4 ++++ build_library/sysext_prod_builder | 32 ++++++++++++++++++++++++------- build_library/vm_image_util.sh | 2 +- build_sysext | 19 ++++++++++++++---- sdk_lib/sdk_entry.sh | 21 ++++++++++++++++++++ 5 files changed, 66 insertions(+), 12 deletions(-)
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index 9beaf7f4331..e25ee2738ce 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -166,6 +166,10 @@ EOF
 # Remove source locale data, only need to ship the compiled archive.
 sudo rm -rf ${root_fs_dir}/usr/share/i18n/
+ # Inject ephemeral sysext signing certificate
+ sudo mkdir -p "${root_fs_dir}/usr/lib/verity.d"
+ sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" "${root_fs_dir}/usr/lib/verity.d"
+
 # Finish image will move files from /etc to /usr/share/flatcar/etc.
 # Note that image filesystem contents generated by finish_image will not
 # include sysext contents (only the sysext squashfs files themselves).
diff --git a/build_library/sysext_prod_builder b/build_library/sysext_prod_builder
index d90fb4a1da2..87599feb803 100755
--- a/build_library/sysext_prod_builder
+++ b/build_library/sysext_prod_builder
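Review bot: `sudo cp "${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" ...` runs with no check that the variable is set or the file exists, so a build started without the `sdk_entry.sh` setup (or after the temporary key directory has gone) either fails with a bare cp error or, with the variable empty, tries to copy `/sysexts.crt`; a guard such as `[[ -f "${SYSEXT_SIGNING_KEY_DIR:-}/sysexts.crt" ]] || die "sysext signing certificate not found (SYSEXT_SIGNING_KEY_DIR=${SYSEXT_SIGNING_KEY_DIR:-unset})"` (using whatever fatal-error helper this file has in scope) names the actual problem. This certificate becomes the image's only entry in `/usr/lib/verity.d`, and because the key is regenerated per SDK session it vouches only for sysexts signed in that same session, which is worth stating in the comment above the `mkdir` rather than only in the commit message. The context comment below, `# include sysext contents (only the sysext squashfs files themselves)`, also still describes the squashfs format this series replaces. The enclosing function starts and ends outside the hunk.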
@@ -63,7 +63,7 @@ create_prod_sysext() {
 # The --install_root_basename="${name}-base-sysext-rootfs" flag is
 # important - it sets the name of a rootfs directory, which is used
 # to determine the package target in coreos/base/profile.bashrc
- sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
+ sudo -E "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "${SCRIPTS_DIR}/build_sysext" \
 --board="${BOARD}" \
 --image_builddir="${workdir}/sysext-build" \
 --squashfs_base="${base_sysext}" \
@@ -99,6 +99,14 @@ sysext_mountdir="${BUILD_DIR}/prod-sysext-work/mounts"
 sysext_base="${sysext_workdir}/base-os.squashfs"
 function cleanup() {
+ IFS=':' read -r -a mounted_sysexts <<< "$sysext_lowerdirs"
+ # skip the rootfs
+ mounted_sysexts=("${mounted_sysexts[@]:1}")
+
+ for sysext in "${mounted_sysexts[@]}"; do
+ sudo systemd-dissect --umount --rmdir "$sysext"
+ done
+
 sudo umount "${sysext_mountdir}"/* || true
 rm -rf "${sysext_workdir}" || true
 }
@@ -116,6 +124,7 @@ sudo mksquashfs "${root_fs_dir}" "${sysext_base}" -noappend -xattrs-exclude '^bt
 # for combined overlay later.
 prev_pkginfo=""
 sysext_lowerdirs="${sysext_mountdir}/rootfs-lower"
+mkdir -p "${sysext_mountdir}"
 for sysext in ${sysexts_list//,/ }; do
 # format is ":/"
 name="${sysext%|*}"
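Review bot: `sudo -E` forwards the caller's whole environment into the root-privileged `build_sysext` run, where the only new requirement is `SYSEXT_SIGNING_KEY_DIR`; the line already shows the narrower pattern for `FLATCAR_BUILD_ID`, so `sudo "FLATCAR_BUILD_ID=$FLATCAR_BUILD_ID" "SYSEXT_SIGNING_KEY_DIR=$SYSEXT_SIGNING_KEY_DIR" "${SCRIPTS_DIR}/build_sysext" \` keeps what crosses the privilege boundary explicit and does not depend on the container's sudoers permitting `-E`. The same `sudo -E` change is made in `build_library/vm_image_util.sh` in this patch, where `SYSEXT_SIGNING_KEY_DIR=...` could be appended to `build_sysext_env` instead. create_prod_sysext() continues outside the hunk.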
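Review bot: The unmount loop added to cleanup() is not best-effort: `sudo systemd-dissect --umount --rmdir "$sysext"` has no `|| true`, unlike the `sudo umount ... || true` and `rm -rf ... || true` lines that follow it, so if cleanup runs after a partial failure (a mount that never succeeded, or one already removed) and the script's error handling or trap setup outside this hunk treats a failing command as fatal, the remaining mounts and `${sysext_workdir}` are left behind. `sudo systemd-dissect --umount --rmdir "$sysext" || true` matches the rest of the function. A one-line comment that the list is rebuilt from `sysext_lowerdirs` in mount order and deliberately includes the `_pkginfo` images would help whoever next changes the mount code.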
@@ -129,12 +138,21 @@ for sysext in ${sysexts_list//,/ }; do
 "${grp_pkg}" \
 "${prev_pkginfo}"
- mkdir -p "${sysext_mountdir}/${name}" \
- "${sysext_mountdir}/${name}_pkginfo"
- sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}.raw" \
- "${sysext_mountdir}/${name}"
- sudo mount -rt squashfs -o loop,nodev "${sysext_output_dir}/${name}_pkginfo.raw" \
- "${sysext_mountdir}/${name}_pkginfo"
+ sudo systemd-dissect \
+ --read-only \
+ --mount \
+ --mkdir \
+ --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+ "${sysext_output_dir}/${name}.raw" \
+ "${sysext_mountdir}/${name}"
+
+ sudo systemd-dissect \
+ --read-only \
+ --mount \
+ --mkdir \
+ --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+ "${sysext_output_dir}/${name}_pkginfo.raw" \
+ "${sysext_mountdir}/${name}_pkginfo"
 sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}"
 sysext_lowerdirs="${sysext_lowerdirs}:${sysext_mountdir}/${name}_pkginfo"
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index ac83929cfa6..159fede04e4 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -602,7 +602,7 @@ install_oem_sysext() {
 fi
 mkdir -p "${built_sysext_dir}"
- sudo "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
+ sudo -E "${build_sysext_env[@]}" "${SCRIPT_ROOT}/build_sysext" "${build_sysext_flags[@]}" "${oem_sysext}"
 local installed_sysext_oem_dir='/oem/sysext'
 local installed_sysext_file_prefix="${oem_sysext}-${version}"
diff --git a/build_sysext b/build_sysext
index 92d6abc4009..be7e5047746 100755
--- a/build_sysext
+++ b/build_sysext
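Review bot: The `--image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent'` on both mounts admits `unprotected`, so as I read it these build-time mounts succeed regardless of whether the verity signature that `build_sysext` just produced validates, and a key/certificate mismatch would surface only at boot; presumably that is deliberate because the build host's own `verity.d` does not hold the ephemeral certificate, and saying so in a comment above the first `sudo systemd-dissect` would spare the next reader the question. The two invocations differ only in image and mount point, and the same policy string appears again in `build_sysext`; a helper in this script, e.g. `mount_sysext_ddi() { sudo systemd-dissect --read-only --mount --mkdir --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' "$1" "$2"; }`, would keep the policy in one place so it can be tightened later without chasing copies. The enclosing `for sysext in ...` loop starts and ends outside the hunk.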
@@ -304,14 +304,25 @@ if [[ -n "${invalid_files}" ]]; then
 die "Invalid file ownership: ${invalid_files}"
 fi
-mksquashfs "${BUILD_DIR}/${FLAGS_install_root_basename}" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
- -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
+systemd-repart \
+ --private-key="${SYSEXT_SIGNING_KEY_DIR}/sysexts.key" \
+ --certificate="${SYSEXT_SIGNING_KEY_DIR}/sysexts.crt" \
+ --make-ddi=sysext \
+ --copy-source="${BUILD_DIR}/${FLAGS_install_root_basename}" \
+ "${BUILD_DIR}/${SYSEXTNAME}.raw"
+
 rm -rf "${BUILD_DIR}"/{fs-root,"${FLAGS_install_root_basename}",workdir}
 # Generate reports
 mkdir "${BUILD_DIR}/img-rootfs"
-mount -rt squashfs -o loop,nodev "${BUILD_DIR}/${SYSEXTNAME}.raw" "${BUILD_DIR}/img-rootfs"
+systemd-dissect --read-only \
+ --mount \
+ --mkdir \
+ --image-policy='root=encrypted+unprotected+absent:usr=encrypted+unprotected+absent' \
+ "${BUILD_DIR}/${SYSEXTNAME}.raw" \
+ "${BUILD_DIR}/img-rootfs"
+
 write_contents "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents.txt"
 write_contents_with_technical_details "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_contents_wtd.txt"
 write_disk_space_usage_in_paths "${BUILD_DIR}/img-rootfs" "${BUILD_DIR}/${SYSEXTNAME}_disk_usage.txt"
-umount "${BUILD_DIR}/img-rootfs"
+systemd-dissect --umount --rmdir "${BUILD_DIR}/img-rootfs"
diff --git a/sdk_lib/sdk_entry.sh b/sdk_lib/sdk_entry.sh
index 3c7aaeb356d..3336952dfde 100755
--- a/sdk_lib/sdk_entry.sh
+++ b/sdk_lib/sdk_entry.sh
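Review bot: `systemd-repart` is given `${SYSEXT_SIGNING_KEY_DIR}/sysexts.key` and `sysexts.crt` with no check that the variable is set or the files exist, so a run without the `sdk_entry.sh` setup (or after the `/tmp` key directory is gone) expands to `--private-key=/sysexts.key` and fails inside repart instead of with a clear message; `[[ -f "${SYSEXT_SIGNING_KEY_DIR:-}/sysexts.key" && -f "${SYSEXT_SIGNING_KEY_DIR:-}/sysexts.crt" ]] || die "sysext signing key/certificate not found (SYSEXT_SIGNING_KEY_DIR=${SYSEXT_SIGNING_KEY_DIR:-unset})"` before the call uses the `die` helper this script already uses a few lines up. The removed mksquashfs line consumed `${FLAGS_compression}` and `${FLAGS_mksquashfs_opts}`, and the replacement passes neither, so if those flags are still declared earlier in the script (outside this hunk) callers that set them are now silently ignored and the flags should be removed or mapped onto repart options. A comment on the `systemd-repart` call naming where the partition definitions behind `--make-ddi=sysext` and the filesystem/compression choice come from would also help, since they are not visible in this script.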
@@ -63,6 +63,27 @@ grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
 fi
 }
+grep -q 'export SYSEXT_SIGNING_KEY_DIR' /home/sdk/.bashrc || {
+ SYSEXT_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
+ if [[ ! "$SYSEXT_SIGNING_KEY_DIR" || ! -d "$SYSEXT_SIGNING_KEY_DIR" ]]; then
+ echo "Failed to create temporary directory for sysext signing keys."
+ else
+ echo "export SYSEXT_SIGNING_KEY_DIR='$SYSEXT_SIGNING_KEY_DIR'" >> /home/sdk/.bashrc
+ fi
+ pushd "$SYSEXT_SIGNING_KEY_DIR"
+ build_id=$(source "/mnt/host/source/.repo/manifests/version.txt"; echo "$FLATCAR_BUILD_ID")
+ openssl req -new -nodes -utf8 \
+ -x509 -batch -sha256 \
+ -days 36000 \
+ -outform PEM \
+ -out sysexts.crt \
+ -keyout sysexts.key \
+ -newkey 4096 \
+ -subj "/CN=Flatcar $build_id sysext signing key/" \
+ || echo "Generating module signing key failed"
+ popd
+}
+
 # This is ugly.
 # We need to sudo su - sdk -c so the SDK user gets a fresh login.
 # 'sdk' is member of multiple groups, and plain docker USER only
From c3f83ed84709a2143afade489e452df2e70c3d34 Mon Sep 17 00:00:00 2001 From: Daniel Zatovic Date: Tue, 4 Nov 2025 09:42:30 +0100 Subject: [PATCH 5/6] app-crypt/azure-keyvault-pkcs11: Bump snapshot to 20250905 Add support for WorkloadIdentityCredential. Signed-off-by: Daniel Zatovic --- .../coreos-overlay/app-crypt/azure-keyvault-pkcs11/Manifest | 2 +- ...20250526.ebuild => azure-keyvault-pkcs11-0_p20250905.ebuild} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/{azure-keyvault-pkcs11-0_p20250526.ebuild => azure-keyvault-pkcs11-0_p20250905.ebuild} (93%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/Manifest
index 357ca28f76f..d59d0c57403 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/Manifest
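Review bot: The fallback `|| echo "Generating module signing key failed"` was carried over from the module-signing block above and misreports which key failed; it should be `|| echo "Generating sysext signing key failed"`. The `if`/`else` around the mktemp result only decides whether the export is written: when the directory could not be created, execution still continues to `pushd "$SYSEXT_SIGNING_KEY_DIR"` and `openssl req`, so a key pair is generated in whatever directory the shell ends up in; moving the `pushd ... popd` part into the `else` branch keeps a failed setup from producing stray key material. Note too that `su sdk -c "mktemp -d"` creates the directory as `sdk` while `openssl` runs as the (presumably root) user executing sdk_entry.sh, so `sysexts.key` is owned by that user inside an sdk-owned directory; that is consistent with `build_sysext` being run through `sudo`, but a one-line comment stating the intended ownership would stop someone later trying to read the key as `sdk`. If `/home/sdk/.bashrc` outlives the container while the `/tmp` directory does not, the `grep -q` skip also leaves `SYSEXT_SIGNING_KEY_DIR` pointing at a missing directory on the next entry; whether that can happen is not visible here.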
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/Manifest @@ -1 +1 @@ -DIST azure-keyvault-pkcs11-0_p20250526.tar.gz 22829 BLAKE2B 59df337d32c1931577cd6538a53032fc9f5a43ce67192d114b23b84adfb36c234e091c9cbf2183efc080d093a6c17b7596abd3e7789ffbbd0634912d16d92693 SHA512 410f3f4e446aa1c1307769bc021f39ec9dd01cd08c2a3089889ad382f2b1948bd03eb065970901982a014a31f4bef4cd102a14a39286a7518736b59b4d0ee03f +DIST azure-keyvault-pkcs11-0_p20250905.tar.gz 22855 BLAKE2B e380d091ef486b988cc3720ae16f00082af69eb8f2dab4f1ee9729e3f18ea3ec06c39cf774aed6a887fba14190431592e7bfc5cb161f3b1a2cc82a050a1d4758 SHA512 902ec4a31e52f3d480dac485c12569813c108fed69b968b42a0262b3d94bcbe6b79ac54c801dec3f44141dcb387d04873ddccd99bf06ed46c93bc2fb919374f7 diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250526.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250905.ebuild similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250526.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250905.ebuild index c240e33a4ea..961fbed4778 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250526.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/azure-keyvault-pkcs11/azure-keyvault-pkcs11-0_p20250905.ebuild @@ -5,7 +5,7 @@ EAPI=8 inherit cmake -COMMIT="126ae2bc714f2867b6628b49962f388c4b314f5f" +COMMIT="c72d89bf0b17f8c21a93870efaaabb93c0dc9c63" DESCRIPTION="PKCS#11 module for Azure Key Vault" HOMEPAGE="https://github.com/jepio/azure_keyvault_pkcs11" SRC_URI="https://github.com/jepio/azure_keyvault_pkcs11/archive/${COMMIT}.tar.gz -> ${P}.tar.gz" From 177e87c4a0bbd0f1a80b5c509e216030a00f1270 Mon Sep 17 00:00:00 2001 
From: Daniel Zatovic Date: Wed, 5 Nov 2025 19:10:48 +0100 Subject: [PATCH 6/6] changelog: Add entry for signed built-in sysexts Signed-off-by: Daniel Zatovic --- changelog/changes/2025-11-05-signed-built-in-sysexts.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/changes/2025-11-05-signed-built-in-sysexts.md diff --git a/changelog/changes/2025-11-05-signed-built-in-sysexts.md b/changelog/changes/2025-11-05-signed-built-in-sysexts.md new file mode 100644 index 00000000000..4a800f712f5 --- /dev/null +++ b/changelog/changes/2025-11-05-signed-built-in-sysexts.md @@ -0,0 +1 @@ +- Built-in system extensions (e.g., docker-flatcar, containerd-flatcar) are now cryptographically signed using dm-verity roothash signatures. This enables stricter sysext policies via systemd-sysext and provides a foundation for verifying user-provided extensions in future releases. The format changed from squashfs to erofs-based Discoverable Disk Images (DDI). ([scripts#3162](https://github.com/flatcar/scripts/pull/3162))