diff --git a/changelog/updates/2024-03-13-systemd-upgrade-from-252-to-255.md b/changelog/updates/2024-03-13-systemd-upgrade-from-252-to-255.md
new file mode 100644
index 00000000000..820ce0c7c7b
--- /dev/null
+++ b/changelog/updates/2024-03-13-systemd-upgrade-from-252-to-255.md
@@ -0,0 +1 @@
+- systemd ([255.3](https://github.com/systemd/systemd-stable/releases/tag/v255.3) (from 252.11))
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/packages b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/packages
index 4f3d036ee99..b90afca4b4f 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/packages
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/packages
@@ -1,5 +1,4 @@
 -*sys-apps/busybox
--*sys-apps/kbd
 *app-arch/lbzip2
 *sys-libs/nss-usrfiles
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md
deleted file mode 100644
index df01f3aea50..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/CHECKLIST.md
+++ /dev/null
@@ -1,2 +0,0 @@
-- Check that the `systemd-sysext.service`'s `ConditionDirectoryNotEmpty` entries are correctly reflected in `flatcar/init:systemd/system/ensure-sysext.service`
-- Check if our preset setup in `multilib_src_install_all` is in sync with `systemd/systemd:presets/90-systemd.preset`.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
index 43ddd12fcd4..867980ea7b5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/Manifest
@@ -1 +1,6 @@
-DIST systemd-stable-252.11.tar.gz 11845530 BLAKE2B 5c4492040640d09248d4ec775e8bfca5dbe81d42f4fbda6ecb120271624c19d84eeacd0e93dd018fbab714a29954d50898a93238179948927e466b345446bc9a SHA512 f64c452b028eb8c6342a7e3b943fc22adb04bcfe00790dd91827604bf8746b5cf87fbffd666f408b1a89ed999dec2629533b92d02bec560406ea03313fc41206
+DIST systemd-stable-254.5.tar.gz 14334696 BLAKE2B 2f63d79ae93add69ac0b56dda9f67019340f84692de4da200557b9f5f1f16bebbad42a9a7e2d6ef7420aa37746d2ede0481fd8e39f03a31576c7e4e48e259ce3 SHA512 cac713670216add9e5473e2c86f04da441015e7cc0ac1500b9e1489a435f9b80c4c6ee24e9b22e4c4213a495bc1a0a908925df2045e344a2170d5aea6aafa16c
+DIST systemd-stable-254.7.tar.gz 14411955 BLAKE2B 1213237a001fb0aef8912637f31d7d77888bc2505e1e8d8d295642a547bdebbc3a786eed095694e6a6fe2665d6e8e45e98cd883186eedeb1b4fd73daf2520dcf SHA512 2e859813f1f52fa693631ce43466875ac2ac42e09872011ee52fe4e44727663c3de9f128a47776899423188c1e99ce73a69059426a9356c930e275037d001685
+DIST systemd-stable-254.8.tar.gz 14418468 BLAKE2B e5a151ece86e57c7224fc95bda1b4ede1277fce4a2ba28d3605ab0431a2aafe1088f90c49a20e3b53a5b56aeef7c0f1f5da0601db740150f5efdf6eae7bbde80 SHA512 a3f35d9fcafcccd8d9c33ab1047241f226146017be95562a67c7dcc9eeb4b77bded92ad80e92f4767f2bf2009df0172a621d4c54a805e07ed5a5ed03940ec28e
+DIST systemd-stable-254.9.tar.gz 14423806 BLAKE2B ab39c0a00b8451b24b40e39f4bf7ecb912ff23d9cd6f8d30fd0545e895936baa635b1ff63c02a83761682b72f44244aac8338bf6506885c9b07cd0c5247b6693 SHA512 a0300693a044cfe4c76deb0e3e48a927125eb97c3952c07ba68936f1e093c93506d8044b249b534b8e778ade6143b43194f8d6b721a8cd520bc7bb4cb3d3e5c1
+DIST systemd-stable-255.2.tar.gz 14864388 BLAKE2B 101da82a5d63eaa48c2dc4bad5ab713b4e8b544134de8216f315a97736eb699eaf756aef2d9a4e2126f0d248b3a7e28bc986ccc2154d5d110db733d114072eec SHA512 0a9a43adc6d23f52349d298cdff3f3ae6accd7e43a33253608f7a9d241699c7cba3c9f6a0fa6da3ae3cba0e246e272076bfa2cdf5bade7bc019406f407be0bb9
+DIST systemd-stable-255.3.tar.gz 14873273 BLAKE2B 
e22ef391c691fcf1e765c5112e1a55096d3bba61a9dae3ea1a3958add4e355892a97d5214e63c516ba3b70e2a83bb5d21254812d870f06c16c74a58d4f957d75 SHA512 c2868a53df2176649b0d0c94e5d451c46ba783bcdbc89ce12434ed2d11dba44b4854ffe4c2430f3f64eef2e214cbb51d5f740170afbd9edd66761a8851157453 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch index f6e75517eb2..dfd6dbd492a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0004-core-use-max-for-DefaultTasksMax.patch @@ -1,7 +1,7 @@ -From 7f71d79cc1cac4dc509cecb2f5c00b6dcfd7732b Mon Sep 17 00:00:00 2001 -From: Sayan Chowdhury -Date: Thu, 22 Apr 2021 20:08:33 +0530 -Subject: [PATCH 4/7] core: use max for DefaultTasksMax +From 4cdbcf5df9a2fd165385465bd5be9b8cdb78f83a Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Fri, 16 Feb 2024 11:22:08 +0000 +Subject: [PATCH] [PATCH 4/7] core: use max for DefaultTasksMax Since systemd v228, systemd has a DefaultTasksMax which defaulted to 512, later 15% of the system's maximum number of PIDs. This @@ -13,18 +13,18 @@ accommodate stale values. This change is built on previous patch by David Michael(dm0-). -Signed-off-by: Sayan Chowdhury +Signed-off-by: Adrian Vladu --- man/systemd-system.conf.xml | 2 +- - src/core/main.c | 2 +- + src/core/manager.c | 2 +- src/core/system.conf.in | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml -index ac21c31d9a..39323f6a55 100644 +index 31b6421399..52819ae8b7 100644 --- a/man/systemd-system.conf.xml 
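Review bot: The rebased header line `+Subject: [PATCH] [PATCH 4/7] core: use max for DefaultTasksMax` carries a doubled subject prefix, apparently from re-exporting a commit whose subject already contained `[PATCH 4/7]`; the same happens in `0007-units-Keep-using-old-journal-file-format.patch` (`[PATCH] [PATCH 7/7] ...`). Either keep the original numbering in the commit subject or let `git format-patch --subject-prefix` add it, but not both, so the duplicate does not travel into the applied commit.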
+++ b/man/systemd-system.conf.xml -@@ -461,7 +461,7 @@ +@@ -515,7 +515,7 @@ Configure the default value for the per-unit TasksMax= setting. See systemd.resource-control5 for details. This setting applies to all unit types that support resource control settings, with the exception @@ -32,25 +32,25 @@ index ac21c31d9a..39323f6a55 100644 + of slice units. Defaults to 100% of the minimum of kernel.pid_max=, kernel.threads-max= and root cgroup pids.max. Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. - For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, -diff --git a/src/core/main.c b/src/core/main.c -index a3fdd1dfe1..9b79308397 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -100,7 +100,7 @@ - #include - #endif + For example, with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, +diff --git a/src/core/manager.c b/src/core/manager.c +index e8c747d96d..df9269aab8 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -114,7 +114,7 @@ + /* How many units and jobs to process of the bus queue before returning to the event loop. */ + #define MANAGER_BUS_MESSAGE_BUDGET 100U --#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */ -+#define DEFAULT_TASKS_MAX ((TasksMax) { 100U, 100U }) /* 100% */ +-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */ ++#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */ - static enum { - ACTION_RUN, + static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); + static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata); diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 71a5869ec0..92fe35b2d6 100644 +index 9b89a6aa77..5a7e92ab5a 100644 --- a/src/core/system.conf.in 
+++ b/src/core/system.conf.in -@@ -56,7 +56,7 @@ +@@ -59,7 +59,7 @@ #DefaultIPAccounting=no #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} #DefaultTasksAccounting=yes @@ -60,5 +60,5 @@ index 71a5869ec0..92fe35b2d6 100644 #DefaultLimitFSIZE= #DefaultLimitDATA= -- -2.25.1 +2.34.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch index 683cc5b0a49..a6734671fa2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0007-units-Keep-using-old-journal-file-format.patch @@ -1,40 +1,42 @@ -From ff9f1aa2ab7d707c57008f406186c45cd9858228 Mon Sep 17 00:00:00 2001 -From: Krzesimir Nowak -Date: Tue, 7 Feb 2023 11:33:44 +0100 -Subject: [PATCH 7/7] units: Keep using old journal file format +From 44374d98fb65ff5fdbc2a7d07a076b50b8f2b003 Mon Sep 17 00:00:00 2001 +From: Adrian Vladu +Date: Fri, 16 Feb 2024 11:29:04 +0000 +Subject: [PATCH] [PATCH 7/7] units: Keep using old journal file format Systemd 252 made an incompatible change in journal file format. Temporarily force journald to use the old journal format to give logging containers more time to adapt to the new format. + +Signed-off-by: Adrian Vladu --- units/systemd-journald.service.in | 1 + units/systemd-journald@.service.in | 1 + 2 files changed, 2 insertions(+) diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index 38ba3e2856..e7f671e070 100644 +index 37eeabc510..e5030a81bd 100644 --- a/units/systemd-journald.service.in 
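Review bot: The rebased define `++#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 15% */` keeps upstream's `/* 15% */` comment although the value is changed to 100%; the previous version of this patch had `/* 100% */`, so the rebase regressed the comment and it should read `++#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 100U, 100U }) /* 100% */`. The same hunk leaves the man-page sentence `DefaultTasksMax= defaults to 4915` as an untouched context line; that figure presumably reflects the 15% default and will no longer be true once this patch is applied, so consider extending the patch to adjust or drop that example. This is inherited from the old version of the patch, but the rebase is the natural moment to fix it.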
+++ b/units/systemd-journald.service.in -@@ -22,6 +22,7 @@ IgnoreOnIsolate=yes +@@ -27,6 +27,7 @@ IgnoreOnIsolate=yes [Service] DeviceAllow=char-* rw +Environment=SYSTEMD_JOURNAL_COMPACT=0 - ExecStart={{ROOTLIBEXECDIR}}/systemd-journald + ExecStart={{LIBEXECDIR}}/systemd-journald FileDescriptorStoreMax=4224 IPAddressDeny=any diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in -index 35c998285f..9f7c6a2b3f 100644 +index c3bcb08533..8780783cf6 100644 --- a/units/systemd-journald@.service.in +++ b/units/systemd-journald@.service.in -@@ -16,6 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket +@@ -21,6 +21,7 @@ Conflicts=soft-reboot.target [Service] CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE DevicePolicy=closed +Environment=SYSTEMD_JOURNAL_COMPACT=0 - ExecStart={{ROOTLIBEXECDIR}}/systemd-journald %i + ExecStart={{LIBEXECDIR}}/systemd-journald %i FileDescriptorStoreMax=4224 Group=systemd-journal -- -2.25.1 +2.34.1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/252-no-stack-protector-bpf.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/252-no-stack-protector-bpf.patch deleted file mode 100644 index 4e4d1a1bafa..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/252-no-stack-protector-bpf.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -https://github.com/systemd/systemd/pull/26050 - -From d6a0784a350fb27698ed04f7ada17137324b31bb Mon Sep 17 00:00:00 2001 -From: Sam James -Date: Fri, 13 Jan 2023 05:17:56 +0000 -Subject: [PATCH] bpf: disable -fstack-protector in meson - -In Gentoo, we recently started making Clang behave the same way as -our GCC, with -fstack-protector and some friends enabled by default. - -SSP doesn't make sense for BPF, so disable it explicitly. - -See also e.g. https://www.spinics.net/lists/netdev/msg556400.html. - -Bug: https://bugs.gentoo.org/890004 ---- a/src/core/bpf/meson.build -+++ b/src/core/bpf/meson.build -@@ -7,6 +7,7 @@ endif - bpf_clang_flags = [ - '-std=gnu11', - '-Wno-compare-distinct-pointer-types', -+ '-fno-stack-protector', - '-O2', - '-target', - 'bpf', - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/254-PrivateDevices-userdbd.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/254-PrivateDevices-userdbd.patch new file mode 100644 index 00000000000..115c831c275 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/254-PrivateDevices-userdbd.patch 
@@ -0,0 +1,242 @@ +https://bugs.gentoo.org/920331 +https://github.com/systemd/systemd/issues/30535 + +From 4a9e03aa6bb2cbd23dac00f2b2a7642cc79eaade Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 27 Sep 2023 11:55:59 +0200 +Subject: [PATCH 1/2] core: Make private /dev read-only after populating it + +--- + src/core/namespace.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index e2304f5d066da..d1153f7690140 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -995,6 +995,11 @@ static int mount_private_dev(MountEntry *m) { + if (r < 0) + log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount); + ++ /* Make the bind mount read-only. */ ++ r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL); ++ if (r < 0) ++ return r; ++ + /* Create the /dev directory if missing. It is more likely to be missing when the service is started + * with RootDirectory. This is consistent with mount units creating the mount points when missing. */ + (void) mkdir_p_label(mount_entry_path(m), 0755); + +From cd7f3702eb47c82a50bf74c2b7c15c2e4e1f5c79 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 27 Sep 2023 10:52:50 +0200 +Subject: [PATCH 2/2] core: Use a subdirectory of /run/ for PrivateDevices= + +When we're starting early boot services such as systemd-userdbd.service, +/tmp might not yet be mounted, so let's use a directory in /run instead +which is guaranteed to be available. 
+--- + src/core/execute.c | 1 + + src/core/namespace.c | 61 +++++++++++++++++++++++++++++---------- + src/core/namespace.h | 2 ++ + src/test/test-namespace.c | 1 + + src/test/test-ns.c | 1 + + 5 files changed, 50 insertions(+), 16 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index a52df64d01081..89c3868d55f6c 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -3307,6 +3307,7 @@ static int apply_mount_namespace( + extension_dir, + root_dir || root_image ? params->notify_socket : NULL, + host_os_release_stage, ++ params->runtime_scope, + error_path); + + /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports +diff --git a/src/core/namespace.c b/src/core/namespace.c +index d1153f7690140..a0471ac8884bf 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -909,7 +909,19 @@ static int clone_device_node( + return 0; + } + +-static int mount_private_dev(MountEntry *m) { ++static char *settle_runtime_dir(RuntimeScope scope) { ++ char *runtime_dir; ++ ++ if (scope != RUNTIME_SCOPE_USER) ++ return strdup("/run/"); ++ ++ if (asprintf(&runtime_dir, "/run/user/" UID_FMT, geteuid()) < 0) ++ return NULL; ++ ++ return runtime_dir; ++} ++ ++static int mount_private_dev(MountEntry *m, RuntimeScope scope) { + static const char devnodes[] = + "/dev/null\0" + "/dev/zero\0" +@@ -918,13 +930,21 @@ static int mount_private_dev(MountEntry *m) { + "/dev/urandom\0" + "/dev/tty\0"; + +- char temporary_mount[] = "/tmp/namespace-dev-XXXXXX"; ++ _cleanup_free_ char *runtime_dir = NULL, *temporary_mount = NULL; + const char *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL; + bool can_mknod = true; + int r; + + assert(m); + ++ runtime_dir = settle_runtime_dir(scope); ++ if (!runtime_dir) ++ return log_oom_debug(); ++ ++ temporary_mount = path_join(runtime_dir, "systemd/namespace-dev-XXXXXX"); ++ if (!temporary_mount) ++ 
return log_oom_debug(); ++ + if (!mkdtemp(temporary_mount)) + return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount); + +@@ -1364,7 +1384,8 @@ static int apply_one_mount( + MountEntry *m, + const ImagePolicy *mount_image_policy, + const ImagePolicy *extension_image_policy, +- const NamespaceInfo *ns_info) { ++ const NamespaceInfo *ns_info, ++ RuntimeScope scope) { + + _cleanup_free_ char *inaccessible = NULL; + bool rbind = true, make = false; +@@ -1379,8 +1400,7 @@ static int apply_one_mount( + switch (m->mode) { + + case INACCESSIBLE: { +- _cleanup_free_ char *tmp = NULL; +- const char *runtime_dir; ++ _cleanup_free_ char *runtime_dir = NULL; + struct stat target; + + /* First, get rid of everything that is below if there +@@ -1396,14 +1416,14 @@ static int apply_one_mount( + mount_entry_path(m)); + } + +- if (geteuid() == 0) +- runtime_dir = "/run"; +- else { +- if (asprintf(&tmp, "/run/user/" UID_FMT, geteuid()) < 0) +- return -ENOMEM; +- +- runtime_dir = tmp; +- } ++ /* We don't pass the literal runtime scope through here but one based purely on our UID. This ++ * means that the root user's --user services will use the host's inaccessible inodes rather ++ * then root's private ones. This is preferable since it means device nodes that are ++ * overmounted to make them inaccessible will be overmounted with a device node, rather than ++ * an AF_UNIX socket inode. */ ++ runtime_dir = settle_runtime_dir(geteuid() == 0 ? 
RUNTIME_SCOPE_SYSTEM : RUNTIME_SCOPE_USER); ++ if (!runtime_dir) ++ return log_oom_debug(); + + r = mode_to_inaccessible_node(runtime_dir, target.st_mode, &inaccessible); + if (r < 0) +@@ -1523,7 +1543,7 @@ static int apply_one_mount( + break; + + case PRIVATE_DEV: +- return mount_private_dev(m); ++ return mount_private_dev(m, scope); + + case BIND_DEV: + return mount_bind_dev(m); +@@ -1824,6 +1844,7 @@ static int apply_mounts( + const NamespaceInfo *ns_info, + MountEntry *mounts, + size_t *n_mounts, ++ RuntimeScope scope, + char **symlinks, + char **error_path) { + +@@ -1875,7 +1896,7 @@ static int apply_mounts( + break; + } + +- r = apply_one_mount(root, m, mount_image_policy, extension_image_policy, ns_info); ++ r = apply_one_mount(root, m, mount_image_policy, extension_image_policy, ns_info, scope); + if (r < 0) { + if (error_path && mount_entry_path(m)) + *error_path = strdup(mount_entry_path(m)); +@@ -2030,6 +2051,7 @@ int setup_namespace( + const char *extension_dir, + const char *notify_socket, + const char *host_os_release_stage, ++ RuntimeScope scope, + char **error_path) { + + _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL; +@@ -2490,7 +2512,14 @@ int setup_namespace( + (void) base_filesystem_create(root, UID_INVALID, GID_INVALID); + + /* Now make the magic happen */ +- r = apply_mounts(root, mount_image_policy, extension_image_policy, ns_info, mounts, &n_mounts, symlinks, error_path); ++ r = apply_mounts(root, ++ mount_image_policy, ++ extension_image_policy, ++ ns_info, ++ mounts, &n_mounts, ++ scope, ++ symlinks, ++ error_path); + if (r < 0) + goto finish; + +diff --git a/src/core/namespace.h b/src/core/namespace.h +index b6132154c5132..581403d89826d 100644 +--- a/src/core/namespace.h ++++ b/src/core/namespace.h +@@ -16,6 +16,7 @@ typedef struct MountImage MountImage; + #include "fs-util.h" + #include "macro.h" + #include "namespace-util.h" ++#include "runtime-scope.h" + #include "string-util.h" + + typedef enum ProtectHome { +@@ -134,6 
+135,7 @@ int setup_namespace(
+ const char *extension_dir,
+ const char *notify_socket,
+ const char *host_os_release_stage,
++ RuntimeScope scope,
+ char **error_path);
+
+ #define RUN_SYSTEMD_EMPTY "/run/systemd/empty"
+diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
+index 25aafc35ca837..42ac65d08c87a 100644
+--- a/src/test/test-namespace.c
++++ b/src/test/test-namespace.c
+@@ -206,6 +206,7 @@ TEST(protect_kernel_logs) {
+ NULL,
+ NULL,
+ NULL,
++ RUNTIME_SCOPE_SYSTEM,
+ NULL);
+ assert_se(r == 0);
+
+diff --git a/src/test/test-ns.c b/src/test/test-ns.c
+index 77afd2f6b9eb8..eb3afed9e1c66 100644
+--- a/src/test/test-ns.c
++++ b/src/test/test-ns.c
+@@ -108,6 +108,7 @@ int main(int argc, char *argv[]) {
+ NULL,
+ NULL,
+ NULL,
++ RUNTIME_SCOPE_SYSTEM,
+ NULL);
+ if (r < 0) {
+ log_error_errno(r, "Failed to set up namespace: %m");
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit-r1.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit-r1.patch
new file mode 100644
index 00000000000..b5c32df788e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit-r1.patch
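Review bot: `mount_private_dev()` now hands `mkdtemp()` the path `<runtime_dir>/systemd/namespace-dev-XXXXXX` built by `path_join()`, but nothing in the patch creates the `systemd/` parent, so `mkdtemp()` fails with ENOENT unless `/run/systemd/` (system scope) or `/run/user/<uid>/systemd/` (user scope) already exists; that is presumably guaranteed by the managers themselves, but it is an implicit precondition worth a comment on the `path_join()` line, e.g. `/* relies on <runtime_dir>/systemd/ already existing (created by the manager) */`. The INACCESSIBLE branch deliberately derives the scope from `geteuid()` and documents why, whereas the PRIVATE_DEV path passes the caller's literal scope, so a root `--user` manager would end up under `/run/user/0/systemd/`; if that asymmetry is intended, one sentence next to `mount_private_dev(m, scope)` would keep it from reading as an oversight. Both changes are verbatim upstream commits, so any behavioural fix should go upstream and the backport be refreshed rather than edited locally.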
@@ -0,0 +1,51 @@ +From 2de502ccff1cc780d9d29c4ff7e6c1e0f2d7a082 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Fri, 21 Aug 2020 13:16:17 -0400 +Subject: [PATCH] journald: do not change the kernel audit setting by default + +Bug: https://bugs.gentoo.org/736910 +--- + man/journald.conf.xml | 2 +- + src/journal/journald-server.c | 2 +- + src/journal/journald.conf | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/journald.conf.xml b/man/journald.conf.xml +index 50c33e4792..2e14674f42 100644 +--- a/man/journald.conf.xml ++++ b/man/journald.conf.xml +@@ -427,7 +427,7 @@ + kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor + disable it, leaving the previous state unchanged. This means if another tool turns on auditing even + if systemd-journald left it off, it will still collect the generated +- messages. Defaults to on. ++ messages. + + Note that this option does not control whether systemd-journald collects + generated audit records, it just controls whether it tells the kernel to generate them. If you need +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index 022e12d83d..6b3d261af6 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -2367,7 +2367,7 @@ int server_init(Server *s, const char *namespace) { + .compress.threshold_bytes = UINT64_MAX, + .seal = true, + +- .set_audit = true, ++ .set_audit = -1, + + .watchdog_usec = USEC_INFINITY, + +diff --git a/src/journal/journald.conf b/src/journal/journald.conf +index 5a60a9d39c..64156d5463 100644 +--- a/src/journal/journald.conf ++++ b/src/journal/journald.conf +@@ -44,4 +44,4 @@ + #MaxLevelWall=emerg + #LineMax=48K + #ReadKMsg=yes +-#Audit=yes ++#Audit= +-- +2.39.1 + 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch deleted file mode 100644 index 088bceb7696..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-journald-audit.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 593db1c78011ddce551051ce17eda6feac079b3d Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Fri, 21 Aug 2020 13:16:17 -0400 -Subject: [PATCH] journald: do not change the kernel audit setting by default - -Bug: https://bugs.gentoo.org/736910 ---- - man/journald.conf.xml | 2 +- - src/journal/journald-server.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/man/journald.conf.xml b/man/journald.conf.xml -index bfd359a903..7e93d4050e 100644 ---- a/man/journald.conf.xml -+++ b/man/journald.conf.xml -@@ -411,7 +411,7 @@ - systemd-journald collects generated audit records, it just controls whether it - tells the kernel to generate them. This means if another tool turns on auditing even if - systemd-journald left it off, it will still collect the generated -- messages. Defaults to on. -+ messages. - - - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index 5865bf9809..163be685a8 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -2208,7 +2208,7 @@ int server_init(Server *s, const char *namespace) { - .compress.threshold_bytes = (uint64_t) -1, - .seal = true, - -- .set_audit = true, -+ .set_audit = -1, - - .watchdog_usec = USEC_INFINITY, - --- -2.28.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch deleted file mode 100644 index a9d40be4ab7..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/gentoo-systemctl-disable-sysv-sync-r1.patch +++ /dev/null @@ -1,25 +0,0 @@ -From d9059d2ef1b0d6034267cc8ff44871d0f82f840f Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Sun, 8 Nov 2020 12:34:11 -0500 -Subject: [PATCH] systemctl: disable synchronizaion of sysv init scripts - ---- - src/systemctl/systemctl-sysv-compat.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/systemctl/systemctl-sysv-compat.c b/src/systemctl/systemctl-sysv-compat.c -index 2dca9e480f..5dcf13ba17 100644 ---- a/src/systemctl/systemctl-sysv-compat.c -+++ b/src/systemctl/systemctl-sysv-compat.c -@@ -111,7 +111,7 @@ int parse_shutdown_time_spec(const char *t, usec_t *ret) { - int enable_sysv_units(const char *verb, char **args) { - int r = 0; - --#if HAVE_SYSV_COMPAT -+#if 0 - _cleanup_(lookup_paths_free) LookupPaths paths = {}; - unsigned f = 0; - --- -2.29.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/legacy.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/legacy.conf new file mode 100644 index 00000000000..2d322e88696 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/legacy.conf @@ -0,0 +1,3 @@ +# Based on legacy.conf from systemd +d /run/lock +L /var/lock - - - - ../run/lock diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-253-initrd-generators.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-253-initrd-generators.patch new file mode 100644 index 00000000000..60e7b29d7a1 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-253-initrd-generators.patch 
@@ -0,0 +1,34 @@ +https://bugs.gentoo.org/896364 + +Workaround for bug in sys-kernel/dracut. + +From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 20 Feb 2023 12:00:30 +0900 +Subject: [PATCH] core/manager: run generators directly when we are in initrd + +Some initrd system write files at ourside of /run, /etc, or other +allowed places. This is a kind of workaround, but in most cases, such +sandboxing is not necessary as the filesystem is on ramfs when we are in +initrd. + +Fixes #26488. +--- + src/core/manager.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 7b394794b0d4..306477c6e6c2 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) { + /* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If + * we are the user manager, let's just execute the generators directly. We might not have the + * necessary privileges, and the system manager has already mounted /tmp/ and everything else for us. +- */ +- if (MANAGER_IS_USER(m)) { ++ * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */ ++ if (MANAGER_IS_USER(m) || in_initrd()) { + r = manager_execute_generators(m, paths, /* remount_ro= */ false); + goto finish; + } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf index c4f06a17f78..2b72383153a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/systemd-flatcar.conf 
@@ -2,15 +2,6 @@ # keepdir. The list isn't sorted, but tries to preserve the order of # keepdir lines from Gentoo ebuild for easier comparisons. We skip the # directories in /usr, though. -d /etc/binfmt.d - - - - - -d /etc/modules-load.d - - - - - -d /etc/tmpfiles.d - - - - - -d /etc/kernel/install.d - - - - - -d /etc/systemd/network - - - - - -d /etc/systemd/system - - - - - -d /etc/systemd/user - - - - - -d /etc/udev/rules.d - - - - - -d /etc/udev/hwdb.d - - - - - d /var/lib/systemd - - - - - d /var/log/journal - - - - - d /etc/sysctl.d - - - - - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml index 34a269d81d8..c9b8604a3c6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/metadata.xml @@ -10,11 +10,11 @@ Enable support for sys-process/audit + Enable EFI boot manager and stub loader Default to hybrid (legacy) cgroup hierarchy instead of unified (modern). Enable support for uploading journals Enable cryptsetup tools (includes unit generator for crypttab) Enable DNS-over-TLS support - Enable EFI boot manager and stub loader (built using sys-boot/gnu-efi) Enable coredump stacktraces in the journal Enable FIDO2 support Enable use of dev-libs/libgcrypt for various features @@ -22,6 +22,7 @@ Enable embedded HTTP server in journald Enable import daemon Use libiptc from net-firewall/iptables for NAT support in systemd-networkd; this is used only if the running kernel does not support nftables + Enable kernel-install Enable kernel module loading via sys-apps/kmod Enable lz4 compression for the journal Enable use of dev-libs/openssl for various features 
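Review bot: The header comment kept as context (`# keepdir lines from Gentoo ebuild for easier comparisons. We skip the` / `# directories in /usr, though.`) still describes this list as mirroring the ebuild's keepdir lines except for /usr, but nine `/etc/...` entries are now dropped without the comment saying why or where those directories are created instead; `d /etc/sysctl.d - - - - -` staying while the others go makes the intent harder to infer. A one-line addition such as `# The /etc/ directories are no longer listed here; they are created by <WHERE-THEY-ARE-CREATED-NOW>` would keep the comment truthful. I cannot tell from this hunk whether the ebuild's keepdir list changed correspondingly, so please confirm the two still match.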
@@ -31,6 +32,7 @@ Install resolvconf symlink for systemd-resolve Install sysvinit compatibility symlinks and manpages for init, telinit, halt, poweroff, reboot, runlevel, and shutdown Enable TPM support + Enable systemd-ukify Disable Gentoo-specific behavior and compatibility quirks Depend on x11-libs/libxkbcommon to allow logind to control the X11 keymap diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-252.11-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-255.3.ebuild similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-252.11-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-255.3.ebuild index 76ef14c3349..5ac6f2b40f8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-252.11-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-255.3.ebuild @@ -1,8 +1,8 @@ -# Copyright 2011-2023 Gentoo Authors +# Copyright 2011-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 -PYTHON_COMPAT=( python3_{9..11} ) +EAPI=8 +PYTHON_COMPAT=( python3_{10..12} ) # Avoid QA warnings TMPFILES_OPTIONAL=1 
@@ -23,14 +23,13 @@ else MY_P=${MY_PN}-${MY_PV} S=${WORKDIR}/${MY_P} SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz" - # Flatcar: Mark as stable. - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + + # Flatcar: mark as stable + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" fi -inherit bash-completion-r1 linux-info meson-multilib pam -# Flatcar: We don't use gen_usr_ldscript so dropping usr-ldscript. -# Adding tmpfiles, since we use it for installing some files. -inherit python-any-r1 systemd tmpfiles toolchain-funcs udev usr-ldscript +inherit bash-completion-r1 linux-info meson-multilib optfeature pam python-single-r1 +inherit secureboot systemd tmpfiles toolchain-funcs udev DESCRIPTION="System and service manager for Linux" HOMEPAGE="http://systemd.io/" 
@@ -38,30 +37,34 @@ HOMEPAGE="http://systemd.io/" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" IUSE=" - acl apparmor audit cgroup-hybrid cryptsetup curl +dns-over-tls elfutils - fido2 +gcrypt gnuefi gnutls homed http idn importd iptables +kmod + acl apparmor audit boot cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnutls homed http idn importd iptables +kernel-install +kmod +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode - +resolvconf +seccomp selinux split-usr +sysv-utils test tpm vanilla xkb +zstd + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd " REQUIRED_USE=" + ${PYTHON_REQUIRED_USE} dns-over-tls? ( || ( gnutls openssl ) ) + fido2? ( cryptsetup openssl ) homed? ( cryptsetup pam openssl ) importd? ( curl lzma || ( gcrypt openssl ) ) pwquality? ( homed ) + boot? ( kernel-install ) + ukify? ( boot ) " RESTRICT="!test? ( test )" MINKV="4.15" COMMON_DEPEND=" - >=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] + >=sys-apps/util-linux-2.32:0=[${MULTILIB_USEDEP}] sys-libs/libcap:0=[${MULTILIB_USEDEP}] virtual/libcrypt:=[${MULTILIB_USEDEP}] acl? ( sys-apps/acl:0= ) - apparmor? ( sys-libs/libapparmor:0= ) + apparmor? ( >=sys-libs/libapparmor-2.13:0= ) audit? ( >=sys-process/audit-2:0= ) cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) - curl? ( net-misc/curl:0= ) + curl? ( >=net-misc/curl-7.32.0:0= ) elfutils? ( >=dev-libs/elfutils-0.158:0= ) fido2? ( dev-libs/libfido2:0= ) gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) 
@@ -78,12 +81,12 @@ COMMON_DEPEND=" iptables? ( net-firewall/iptables:0= ) openssl? ( >=dev-libs/openssl-1.1.0:0= ) pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) - pkcs11? ( app-crypt/p11-kit:0= ) + pkcs11? ( >=app-crypt/p11-kit-0.23.3:0= ) pcre? ( dev-libs/libpcre2 ) - pwquality? ( dev-libs/libpwquality:0= ) - qrcode? ( media-gfx/qrencode:0= ) + pwquality? ( >=dev-libs/libpwquality-1.4.1:0= ) + qrcode? ( >=media-gfx/qrencode-3:0= ) seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) - selinux? ( sys-libs/libselinux:0= ) + selinux? ( >=sys-libs/libselinux-2.1.9:0= ) tpm? ( app-crypt/tpm2-tss:0= ) xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) @@ -92,9 +95,10 @@ COMMON_DEPEND=" # Newer linux-headers needed by ia64, bug #480218 DEPEND="${COMMON_DEPEND} >=sys-kernel/linux-headers-${MINKV} - gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) " +PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' + # baselayout-2.2 has /run # # Flatcar: Drop sec-policy/selinux-ntp from deps (under selinux use @@ -129,6 +133,11 @@ RDEPEND="${COMMON_DEPEND} >=acct-user/systemd-resolve-0-r1 >=acct-user/systemd-timesync-0-r1 >=sys-apps/baselayout-2.2 + sys-apps/kbd + ukify? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep "${PEFILE_DEPEND}") + ) selinux? ( sec-policy/selinux-base-policy[systemd] ) @@ -145,9 +154,8 @@ RDEPEND="${COMMON_DEPEND} " # sys-apps/dbus: the daemon only (+ build-time lib dep for tests) -# -# Flatcar: We don't have sys-fs/udev-init-scripts-34, so it's dropped. PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 policykit? ( sys-auth/polkit ) !vanilla? ( sys-apps/gentoo-systemd-integration )" 
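Review bot: The PDEPEND hunk (@@ -145) reinstates `>=sys-fs/udev-init-scripts-34` and deletes the Flatcar comment that explained why it had been dropped, but gives no new rationale for pulling a package described as "udev startup scripts for openrc" into a systemd-only image. Since this same diff adds a sys-fs/udev-init-scripts-35 ebuild to coreos-overlay, a one-line `# Flatcar: udev-init-scripts is now carried in coreos-overlay; needed for (state the reason)` above PDEPEND would keep the divergence from upstream traceable. The `sys-apps/kbd` RDEPEND added in @@ -129 is likewise unexplained and would benefit from the same kind of `# Flatcar:` note.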
@@ -167,15 +175,15 @@ BDEPEND=" app-text/docbook-xml-dtd:4.5 app-text/docbook-xsl-stylesheets dev-libs/libxslt:0 - $(python_gen_any_dep 'dev-python/jinja[${PYTHON_USEDEP}]') - $(python_gen_any_dep 'dev-python/lxml[${PYTHON_USEDEP}]') + ${PYTHON_DEPS} + $(python_gen_cond_dep " + dev-python/jinja[\${PYTHON_USEDEP}] + dev-python/lxml[\${PYTHON_USEDEP}] + boot? ( >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] ) + ukify? ( test? ( ${PEFILE_DEPEND} ) ) + ") " -python_check_deps() { - python_has_version "dev-python/jinja[${PYTHON_USEDEP}]" && - python_has_version "dev-python/lxml[${PYTHON_USEDEP}]" -} - QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" QA_EXECSTACK="usr/lib/systemd/boot/efi/*" @@ -186,7 +194,7 @@ pkg_pretend() { ewarn "See https://bugs.gentoo.org/674458." fi - local CONFIG_CHECK=" ~BINFMT_MISC ~BLK_DEV_BSG ~CGROUPS + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS @@ -229,7 +237,7 @@ pkg_pretend() { } pkg_setup() { - : + use boot && secureboot_pkg_setup } src_unpack() { @@ -239,7 +247,6 @@ src_unpack() { src_prepare() { local PATCHES=( - "${FILESDIR}/252-no-stack-protector-bpf.patch" # Flatcar: Adding our own patches here. "${FILESDIR}/0001-wait-online-set-any-by-default.patch" "${FILESDIR}/0002-networkd-default-to-kernel-IPForwarding-setting.patch" @@ -248,14 +255,12 @@ src_prepare() { "${FILESDIR}/0005-systemd-Disable-SELinux-permissions-checks.patch" "${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch" "${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch" - "${FILESDIR}/0008-Revert-core-service-when-resetting-PID-also-reset-known.patch" ) if ! use vanilla; then PATCHES+=( "${FILESDIR}/gentoo-generator-path-r2.patch" - "${FILESDIR}/gentoo-systemctl-disable-sysv-sync-r1.patch" - "${FILESDIR}/gentoo-journald-audit.patch" + "${FILESDIR}/gentoo-journald-audit-r1.patch" ) fi 
@@ -276,7 +281,6 @@ src_prepare() { # configure the kubelet resolvConf variable/--resolv-conf flag # to /run/systemd/resolve/resolv.conf). sed -i -e 's,/run/systemd/resolve/stub-resolv.conf,/run/systemd/resolve/resolv.conf,' tmpfiles.d/systemd-resolve.conf || die - default } @@ -293,7 +297,6 @@ src_configure() { get_rootprefix() { usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr" } - multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" @@ -311,6 +314,9 @@ multilib_src_configure() { # in some places. -Drootprefix="$(get_rootprefix)" -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= # Avoid infinite exec recursion, bug 642724 -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" # no deps @@ -320,25 +326,25 @@ multilib_src_configure() { $(meson_native_use_bool acl) $(meson_native_use_bool apparmor) $(meson_native_use_bool audit) + $(meson_native_use_bool boot bootloader) $(meson_native_use_bool cryptsetup libcryptsetup) $(meson_native_use_bool curl libcurl) $(meson_native_use_bool dns-over-tls dns-over-tls) $(meson_native_use_bool elfutils) $(meson_native_use_bool fido2 libfido2) $(meson_use gcrypt) - $(meson_native_use_bool gnuefi gnu-efi) $(meson_native_use_bool gnutls) - -Defi-includedir="${ESYSROOT}/usr/include/efi" - -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)" $(meson_native_use_bool homed) $(meson_native_use_bool http microhttpd) $(meson_native_use_bool idn) $(meson_native_use_bool importd) $(meson_native_use_bool importd bzip2) $(meson_native_use_bool importd zlib) + $(meson_native_use_bool kernel-install) $(meson_native_use_bool kmod) $(meson_use lz4) $(meson_use lzma xz) + $(meson_use test tests) $(meson_use zstd) $(meson_native_use_bool iptables libiptc) $(meson_native_use_bool openssl) 
@@ -352,6 +358,7 @@ multilib_src_configure() { $(meson_native_use_bool selinux) $(meson_native_use_bool tpm tpm2) $(meson_native_use_bool test dbus) + $(meson_native_use_bool ukify) $(meson_native_use_bool xkb xkbcommon) # Flatcar: Use our ntp servers. -Dntp-servers="0.flatcar.pool.ntp.org 1.flatcar.pool.ntp.org 2.flatcar.pool.ntp.org 3.flatcar.pool.ntp.org" @@ -380,7 +387,7 @@ multilib_src_configure() { $(meson_native_true timesyncd) $(meson_native_true tmpfiles) $(meson_native_true vconsole) - + $(meson_native_enabled vmspawn) # Flatcar: Specify this, or meson breaks due to no # /etc/login.defs. -Dsystem-gid-max=999 @@ -416,6 +423,7 @@ multilib_src_configure() { # Flatcar: Unported options, still needed? -Dquotaon-path=/usr/sbin/quotaon -Dquotacheck-path=/usr/sbin/quotacheck + -Ddefault-mdns=no ) meson_src_configure "${myconf[@]}" @@ -423,15 +431,14 @@ multilib_src_configure() { multilib_src_test() { unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + local -x COLUMNS=80 meson_src_test } multilib_src_install_all() { - local rootprefix=$(usex split-usr '' /usr) # Flatcar: We always have bin separate from sbin # local sbin=$(usex split-usr sbin bin) local sbin='sbin' - # meson doesn't know about docdir mv "${ED}"/usr/share/doc/{systemd,${PF}} || die 
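Review bot: `-Ddefault-mdns=no` in @@ -416 lands directly under the `# Flatcar: Unported options, still needed?` comment, so a reader cannot tell whether it is a deliberate Flatcar choice or another unported leftover. Keeping mDNS off by default in resolved removes a multicast listener from every link, which is worth stating explicitly: `# Flatcar: keep mDNS off by default in resolved; avoids an extra multicast listener on every link`. A smaller point: after @@ -440 rewrites every `${sbin}` path to /usr/bin, the `local sbin='sbin'` kept in @@ -423 looks unreferenced unless a use survives in the lines between the two hunks; if none does, drop it together with its "bin separate from sbin" comment.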
@@ -440,23 +447,17 @@ multilib_src_install_all() { # provide it. # dodoc "${FILESDIR}"/nsswitch.conf + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + if ! use resolvconf; then - rm -f "${ED}${rootprefix}/${sbin}"/resolvconf || die + rm -f "${ED}"/usr/bin/resolvconf || die fi - rm "${ED}"/etc/init.d/README || die - rm "${ED}${rootprefix}"/lib/systemd/system-generators/systemd-sysv-generator || die - if ! use sysv-utils; then - rm "${ED}${rootprefix}/${sbin}"/{halt,init,poweroff,reboot,runlevel,shutdown,telinit} || die + rm "${ED}"/usr/bin/{halt,init,poweroff,reboot,shutdown} || die rm "${ED}"/usr/share/man/man1/init.1 || die - rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,runlevel,shutdown,telinit}.8 || die - fi - - # Flatcar: We always have bin separate from sbin, so drop the - # "&& use split-usr" part. - if ! use resolvconf && ! use sysv-utils; then - rmdir "${ED}${rootprefix}"/sbin || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die fi # https://bugs.gentoo.org/761763 
@@ -464,39 +465,28 @@ multilib_src_install_all() { # Flatcar: Upstream uses keepdir commands to keep some empty # directories. We use tmpfiles. - # # Preserve empty dirs in /etc & /var, bug #437008 - # keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} - # keepdir /etc/kernel/install.d - # keepdir /etc/systemd/{network,system,user} - # keepdir /etc/udev/rules.d - # - # keepdir /etc/udev/hwdb.d - # - # keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + # keepdir /usr/lib/systemd/{system-sleep,system-shutdown} # keepdir /usr/lib/{binfmt.d,modules-load.d} # keepdir /usr/lib/systemd/user-generators # keepdir /var/lib/systemd # keepdir /var/log/journal - # Flatcar: No migrations happening here. - # # Symlink /etc/sysctl.conf for easy migration. - # dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf - - # Flatcar: Do not install a pam policy, we have our own. # if use pam; then - # newpamd "${FILESDIR}"/systemd-user.pam systemd-user + # newpamd "${FILESDIR}"/systemd-user.pam systemd-user # fi - if use split-usr; then - # Avoid breaking boot/reboot - dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd - dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown + if use kernel-install; then + # Dummy config, remove to make room for sys-kernel/installkernel + rm "${ED}/usr/lib/kernel/install.conf" || die fi - - # Flatcar: gen_usr_ldscript is likely for static libs, so we - # dropped it. - # gen_usr_ldscript -a systemd udev - # Flatcar: Ensure journal directory has correct ownership/mode # in inital image. This is fixed by systemd-tmpfiles *but* # journald starts before that and will create the journal if 
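Review bot: The `# Flatcar: Upstream uses keepdir commands to keep some empty directories. We use tmpfiles.` comment now sits above five live `keepdir` calls for /etc paths, so it contradicts the code it introduces. Suggest rewording it to match what the hunk actually does, e.g. `# Flatcar: /etc dirs are kept via keepdir; the /usr/lib and /var dirs below are created by tmpfiles instead.` and leaving the remaining commented-out keepdir lines under that. The `# Preserve empty dirs in /etc & /var, bug #437008` line is then also accurate only for the /etc half.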
@@ -560,7 +550,7 @@ multilib_src_install_all() { # Flatcar: enable systemd-pstore.service builddir_systemd_enable_service sysinit.target systemd-pstore.service # Flatcar: enable systemd-boot-update.service - if use gnuefi; then + if use boot; then builddir_systemd_enable_service sysinit.target systemd-boot-update.service fi # Flatcar: enable reboot.target (not enabled - has no WantedBy @@ -572,8 +562,8 @@ multilib_src_install_all() { # Flatcar: Use an empty preset file, because systemctl # preset-all puts symlinks in /etc, not in /usr. We don't use # /etc, because it is not autoupdated. We do the "preset" above. - rm "${ED}$(usex split-usr '' /usr)/lib/systemd/system-preset/90-systemd.preset" || die - insinto $(usex split-usr '' /usr)/lib/systemd/system-preset + rm "${ED}/usr/lib/systemd/system-preset/90-systemd.preset" || die + insinto /usr/lib/systemd/system-preset doins "${FILESDIR}"/99-default.preset # Flatcar: Do not ship distro-specific files (nsswitch.conf @@ -584,6 +574,9 @@ multilib_src_install_all() { -e '/^C!* \/etc\/nsswitch\.conf/d' \ -e '/^C!* \/etc\/pam\.d/d' \ -e '/^C!* \/etc\/issue/d' + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign } # Flatcar: Our own version of systemd_get_systemunitdir, that returns @@ -602,8 +595,12 @@ builddir_systemd_enable_service() { dodir "${ud}"/"${target}".wants && \ dosym ../"${service}" "${ud}"/"${target}".wants/"${destname}" -} + if use boot; then + python_fix_shebang "${ED}" + secureboot_auto_sign + fi +} migrate_locale() { local envd_locale_def="${EROOT}/etc/env.d/02locale" local envd_locale=( "${EROOT}"/etc/env.d/??locale ) @@ -649,6 +646,11 @@ migrate_locale() { } pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + if ! use split-usr; then local dir # Flatcar: We still use separate bin and sbin, so drop usr/sbin from the list. 
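Review bot: The `if use boot` block added at the end of builddir_systemd_enable_service (@@ -602) duplicates the `use ukify && python_fix_shebang "${ED}"` / `use boot && secureboot_auto_sign` lines that @@ -584 already appends to multilib_src_install_all, and it sits inside a helper that is invoked once per enabled service (for example for systemd-pstore.service and systemd-boot-update.service in @@ -560). With `boot` enabled the EFI binaries under ${ED} are therefore signed, and every shebang in ${ED} rewritten, repeatedly during install, and the shebang fix no longer depends on `ukify`; this reads like a merge leftover. Drop the four inserted lines and the re-added closing brace so the helper ends with the `dosym` as before; the install-phase copy from @@ -584 is the right place for both calls.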
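Review bot: pkg_preinst (@@ -649) reintroduces the `/usr/lib/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf` migration symlink that this same diff deletes, together with its `# Flatcar: No migrations happening here.` justification, from multilib_src_install_all (@@ -464). The guard tests `${EROOT}/etc/sysctl.conf`, i.e. the target root at merge time, so whether the symlink ends up in the image now depends on the build environment rather than on the ebuild. If Flatcar still does not want this migration, remove the block; if it does, a `# Flatcar:` comment explaining why the earlier stance changed would keep the divergence from upstream deliberate.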
@@ -664,6 +666,10 @@ pkg_preinst() { die "System layout with split directories still used" fi fi + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi } pkg_postinst() { @@ -693,12 +699,27 @@ pkg_postinst() { rm "${EROOT}/var/lib/systemd/timesync" fi + if [[ -z ${ROOT} && -d /run/systemd/system ]]; then + ebegin "Reexecuting system manager (systemd)" + systemctl daemon-reexec + eend $? || FAIL=1 + fi + if [[ ${FAIL} ]]; then eerror "One of the postinst commands failed. Please check the postinst output" eerror "for errors. You may need to clean up your system and/or try installing" eerror "systemd again." eerror fi + + if use boot; then + optfeature "automatically installing the kernels in systemd-boot's native layout and updating the bootloader configuration" \ + "sys-kernel/installkernel[systemd-boot]" + fi + if use ukify; then + optfeature "automatically generating an unified kernel image on each kernel installation" \ + "sys-kernel/installkernel[ukify]" + fi } pkg_prerm() { diff --git a/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/Manifest new file mode 100644 index 00000000000..037e60fce89 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/Manifest @@ -0,0 +1 @@ +DIST udev-init-scripts-35.tar.gz 3666 BLAKE2B fddae466428605ea930519e8a47e0ea91f89f9eacc1fd97c137d175142125b12c3d045aec68db35a463de444ac6d8c037cca55f9628f10576c968259d566a9e4 SHA512 da9d2093149967e2e1b9bc7190ddfd55a87c9ae2177e3216f7cb2694fc9b64037eb6f2599ad8a4b7594ef32ced88fbb319c92904bc72a81ea5404945f8a8378a 
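Review bot: The new `systemctl daemon-reexec` in pkg_postinst (@@ -693) is gated only on `-z ${ROOT}` and the existence of /run/systemd/system, so it reexecutes whatever manager is reachable through /run/systemd whenever the package is merged into the live root. For the SDK container that is harmless only as long as /run/systemd is never bind-mounted from the host; this is worth confirming, or making the intent explicit with `# Flatcar: only reached for ROOT=/ merges inside the SDK, never for board roots`. The `FAIL=1` set here feeds the error block below, which is unchanged.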
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/metadata.xml new file mode 100644 index 00000000000..31123d01cb4 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/metadata.xml @@ -0,0 +1,7 @@ + + + + + systemd@gentoo.org + + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/udev-init-scripts-35.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/udev-init-scripts-35.ebuild new file mode 100644 index 00000000000..866d0ce54c5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-fs/udev-init-scripts/udev-init-scripts-35.ebuild 
@@ -0,0 +1,50 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +OLD_PN=udev-gentoo-scripts +OLD_P=${OLD_PN}-${PV} + +if [ "${PV}" = "9999" ]; then + EGIT_REPO_URI="https://anongit.gentoo.org/proj/${OLD_PN}.git" + inherit git-r3 +else + SRC_URI="https://gitweb.gentoo.org/proj/${OLD_PN}.git/snapshot/${OLD_P}.tar.gz -> ${P}.tar.gz" + S="${WORKDIR}/${OLD_P}" + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" +fi + +DESCRIPTION="udev startup scripts for openrc" +HOMEPAGE="https://wiki.gentoo.org/wiki/No_homepage" + +LICENSE="GPL-2" +SLOT="0" + +RESTRICT="test" + +RDEPEND=">=virtual/udev-217 + ! +Date: Thu, 7 Mar 2024 11:17:54 +0000 +Subject: [PATCH] systemd: initrd: install only keymap required by + systemd-vconsole-setup + +Signed-off-by: Adrian Vladu +--- + modules.d/10i18n/module-setup.sh | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/modules.d/10i18n/module-setup.sh b/modules.d/10i18n/module-setup.sh +index d6688b47..516883be 100755 +--- a/modules.d/10i18n/module-setup.sh ++++ b/modules.d/10i18n/module-setup.sh +@@ -4,7 +4,7 @@ + check() { + [[ "$mount_needs" ]] && return 1 + +- require_binaries setfont loadkeys kbd_mode || return 1 ++ require_binaries loadkeys || return 1 + + return 0 + } +@@ -164,6 +164,10 @@ install() { + fi + shopt -q -u nocasematch + ++ # install only one keymap: us ++ KEYMAP=us ++ ++ + # Gentoo user may have KEYMAP set to something like "-u pl2", + KEYMAP=${KEYMAP#-* } + +@@ -267,10 +271,7 @@ install() { + inst_simple ${VCONFIG_CONF} + fi + +- if [[ ${hostonly} ]] && ! [[ ${i18n_install_all} == "yes" ]]; then +- install_local_i18n || install_all_kbd +- else +- install_all_kbd +- fi ++ # install only one keyboard map ++ install_local_i18n + fi + } +-- +2.43.0 + 
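Review bot: The dracut patch appended at the end of this hunk hard-codes `KEYMAP=us` right before `KEYMAP=${KEYMAP#-* }`, which silently overrides any keymap that install() read from vconsole.conf earlier, so the initrd only ever carries the US layout regardless of host configuration (the file header of this patch is not visible here, so its exact path is unknown). Any interactive prompt in the initrd, such as a LUKS passphrase or an emergency shell, then interprets keystrokes with a US layout even when the installed system uses another one, which is an easy way to lock a user out of an encrypted root. If "us only" is the intended policy, state it in the patch description, or keep the configured KEYMAP when it is set and fall back to `us` only when it is empty. The `check()` change also drops `setfont` and `kbd_mode` from require_binaries, so it is worth confirming that install_local_i18n no longer needs them.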
diff --git a/sdk_container/src/third_party/portage-stable/profiles/features/prefix/packages b/sdk_container/src/third_party/portage-stable/profiles/features/prefix/packages index e062efedeb7..85e0fc31b65 100644 --- a/sdk_container/src/third_party/portage-stable/profiles/features/prefix/packages +++ b/sdk_container/src/third_party/portage-stable/profiles/features/prefix/packages @@ -15,7 +15,6 @@ -*net-misc/iputils -*sys-apps/iproute2 --*sys-apps/kbd -*sys-fs/e2fsprogs -*virtual/dev-manager -*sys-apps/shadow