.abignore

@@ -0,0 +1,3 @@
+[suppress_file]
+# Those shared objects are private to systemd
+file_name_regexp=libsystemd-(shared|core)-.*.so

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,9 @@
-SOURCES/systemd-239.tar.gz
+*~
+/.mail.list
+/systemd-*/
+/.build-*.log
+/x86_64/
+/systemd-*src.rpm
+/systemd-*.tar.xz
+/systemd-*.tar.gz
+/*.rpm

.systemd.metadata

@@ -1 +0,0 @@
-8803baa484cbe36680463c8c5e6febeff074b8e7 SOURCES/systemd-239.tar.gz

.zuul.yaml

@@ -0,0 +1,7 @@
+- project:
+    vars:
+      install_repo_exclude:
+        - systemd-standalone-repart
+        - systemd-standalone-shutdown
+        - systemd-standalone-sysusers
+        - systemd-standalone-tmpfiles

0001-Create-CNAME.patch

@@ -0,0 +1,18 @@
+From 1c27c902ad8316f490648a0e4415abd51b450b1a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Tue, 11 Jun 2024 23:04:12 +0100
+Subject: [PATCH] Create CNAME
+
+---
+ docs/CNAME | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 docs/CNAME
+
+diff --git a/docs/CNAME b/docs/CNAME
+new file mode 100644
+index 0000000000..cdcf4d9a52
+--- /dev/null
++++ b/docs/CNAME
+@@ -0,0 +1 @@
++systemd.io
+\ No newline at end of file

0002-man-systemd-reorder-content-a-bit.patch

@@ -0,0 +1,103 @@
+From d918804408801bf46a49018e374ebdfbeae08805 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 5 Jun 2024 11:28:21 +0200
+Subject: [PATCH] man/systemd: reorder content a bit
+
+Section "Description" didn't actually say what systemd does. And we had a giant
+"Concepts" section that actually described units types and other details about
+them. So let's move the basic description of functionality to "Description" and
+rename the following section to "Units".
+
+The link to the Original Design Document is moved to "See Also", it is of
+historical interest mostly at this point.
+
+The only actual change is that when talking about API filesystems, /dev is also
+mentioned. (I think /sys+/proc+/dev are the canonical set and should be always
+listed on one breath.)
+
+(cherry picked from commit f11aaf7dfb295de429b1567282b19caaba036bba)
+---
+ man/systemd.xml | 49 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 24 insertions(+), 25 deletions(-)
+
+diff --git a/man/systemd.xml b/man/systemd.xml
+index 66db5bbf25..f4aa7e06ca 100644
+--- a/man/systemd.xml
++++ b/man/systemd.xml
+@@ -62,10 +62,29 @@
+     <filename>user.conf.d</filename> directories. See
+     <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+     for more information.</para>
++
++    <para><command>systemd</command> contains native implementations of various tasks that need to be
++    executed as part of the boot process. For example, it sets the hostname or configures the loopback
++    network device. It also sets up and mounts various API file systems, such as <filename>/sys/</filename>,
++    <filename>/proc/</filename>, and <filename>/dev/</filename>.</para>
++
++    <para>Note that some but not all interfaces provided by systemd are covered by the
++    <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
++
++    <para>The D-Bus API of <command>systemd</command> is described in
++    <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
++    and
++    <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
++    </para>
++
++    <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
++    url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
++    <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
++    specifications, respectively.</para>
+   </refsect1>
+ 
+   <refsect1>
+-    <title>Concepts</title>
++    <title>Units</title>
+ 
+     <para>systemd provides a dependency system between various
+     entities called "units" of 11 different types. Units encapsulate
+@@ -261,34 +280,10 @@
+     example, start jobs for any of those inactive units getting queued as
+     well.</para>
+ 
+-    <para>systemd contains native implementations of various tasks
+-    that need to be executed as part of the boot process. For example,
+-    it sets the hostname or configures the loopback network device. It
+-    also sets up and mounts various API file systems, such as
+-    <filename>/sys/</filename> or <filename>/proc/</filename>.</para>
+-
+-    <para>For more information about the concepts and
+-    ideas behind systemd, please refer to the
+-    <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
+-
+-    <para>Note that some but not all interfaces provided by systemd are covered by the
+-    <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
+-
+     <para>Units may be generated dynamically at boot and system
+     manager reload time, for example based on other configuration
+     files or parameters passed on the kernel command line. For details, see
+     <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
+-
+-    <para>The D-Bus API of <command>systemd</command> is described in
+-    <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-    and
+-    <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+-    </para>
+-
+-    <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
+-    url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
+-    <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
+-    specifications, respectively.</para>
+   </refsect1>
+ 
+   <refsect1>
+@@ -1558,6 +1553,10 @@
+       <member><citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+       <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+     </simplelist></para>
++
++    <para>For more information about the concepts and
++    ideas behind systemd, please refer to the
++    <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
+   </refsect1>
+ 
+ </refentry>

0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch

@@ -0,0 +1,43 @@
+From f2b5c1ff51b7c7876036c6c722e2a47b696695d9 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 8 May 2024 10:38:11 +0200
+Subject: [PATCH] hostnamed: don't allow hostnamed to exit on idle if varlink
+ connections are still ongoing
+
+And while we are at it, ongoing PK authorizations are also a reason to
+block exit on idle.
+
+(cherry picked from commit ac908152b3b43a49f793d225c075423422cd3e33)
+---
+ src/hostname/hostnamed.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
+index 82d08803fa..fe1216fc1c 100644
+--- a/src/hostname/hostnamed.c
++++ b/src/hostname/hostnamed.c
+@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) {
+         return 0;
+ }
+ 
++static bool context_check_idle(void *userdata) {
++        Context *c = ASSERT_PTR(userdata);
++
++        return varlink_server_current_connections(c->varlink_server) == 0 &&
++                hashmap_isempty(c->polkit_registry);
++}
++
+ static int run(int argc, char *argv[]) {
+         _cleanup_(context_destroy) Context context = {
+                 .hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */
+@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) {
+                         context.bus,
+                         "org.freedesktop.hostname1",
+                         DEFAULT_EXIT_USEC,
+-                        /* check_idle= */ NULL,
+-                        /* userdata= */ NULL);
++                        context_check_idle,
++                        &context);
+         if (r < 0)
+                 return log_error_errno(r, "Failed to run event loop: %m");
+ 

0004-sd-dhcp-server-clear-buffer-before-receive.patch

@@ -0,0 +1,30 @@
+From 0d573787ea1610ba57a359cf437841f62b186e77 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Wed, 12 Jun 2024 00:48:56 +0900
+Subject: [PATCH] sd-dhcp-server: clear buffer before receive
+
+I do not think this is necessary, but all other places in
+libsystemd-network we clear buffer before receive. Without this,
+Coverity warns about use-of-uninitialized-values.
+Let's silence Coverity.
+
+Closes CID#1469721.
+
+(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62)
+---
+ src/libsystemd-network/sd-dhcp-server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
+index c3b0f82dc4..4967f066dc 100644
+--- a/src/libsystemd-network/sd-dhcp-server.c
++++ b/src/libsystemd-network/sd-dhcp-server.c
+@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd,
+                 /* Preallocate the additional size for DHCP Relay Agent Information Option if needed */
+                 buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
+ 
+-        message = malloc(buflen);
++        message = malloc0(buflen);
+         if (!message)
+                 return -ENOMEM;
+ 

0005-rules-Limit-the-number-of-device-units-generated-for.patch

@@ -0,0 +1,29 @@
+From a3d94332a2b5128697373d3093c1cfa56649ec61 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Mon, 10 Jun 2024 12:59:58 +0200
+Subject: [PATCH] rules: Limit the number of device units generated for serial
+ ttys
+
+As per the suggestion in https://github.com/systemd/systemd/issues/33242.
+
+This reduces the number of /dev/ttySXX device units generated in
+mkosi from 32 to 4.
+
+(cherry picked from commit dc38f9addd04c34d1fd743efc407bdebb3573d05)
+---
+ rules.d/99-systemd.rules.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
+index ad0c7e2fb5..8ba6f177f8 100644
+--- a/rules.d/99-systemd.rules.in
++++ b/rules.d/99-systemd.rules.in
+@@ -10,6 +10,8 @@
+ ACTION=="remove", GOTO="systemd_end"
+ 
+ SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
++# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked.
++SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0"
+ KERNEL=="vport*", TAG+="systemd"
+ 
+ SUBSYSTEM=="ptp", TAG+="systemd"

0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch

@@ -0,0 +1,81 @@
+From 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae Mon Sep 17 00:00:00 2001
+From: q66 <q66@chimera-linux.org>
+Date: Thu, 6 Jun 2024 13:45:48 +0200
+Subject: [PATCH] strbuf: use GREEDY_REALLOC to grow the buffer
+
+This allows us to reserve a bunch of capacity ahead of time,
+improving the performance of hwdb significantly thanks to not
+having to reallocate so many times.
+
+Before:
+```
+$ sudo time valgrind --leak-check=full ./systemd-hwdb update
+==113297== Memcheck, a memory error detector
+==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
+==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
+==113297== Command: ./systemd-hwdb update
+==113297==
+==113297==
+==113297== HEAP SUMMARY:
+==113297==     in use at exit: 0 bytes in 0 blocks
+==113297==   total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated
+==113297==
+==113297== All heap blocks were freed -- no leaks are possible
+==113297==
+==113297== For lists of detected and suppressed errors, rerun with: -s
+==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k
+0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps
+```
+
+After:
+```
+$ sudo time valgrind --leak-check=full ./systemd-hwdb update
+==112572== Memcheck, a memory error detector
+==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
+==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
+==112572== Command: ./systemd-hwdb update
+==112572==
+==112572==
+==112572== HEAP SUMMARY:
+==112572==     in use at exit: 0 bytes in 0 blocks
+==112572==   total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated
+==112572==
+==112572== All heap blocks were freed -- no leaks are possible
+==112572==
+==112572== For lists of detected and suppressed errors, rerun with: -s
+==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
+21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k
+0inputs+25264outputs (0major+57275minor)pagefaults 0swaps
+```
+
+Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
+(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93)
+---
+ src/basic/strbuf.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c
+index 0617acc8d2..6d43955bb1 100644
+--- a/src/basic/strbuf.c
++++ b/src/basic/strbuf.c
+@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node,
+ /* add string, return the index/offset into the buffer */
+ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
+         uint8_t c;
+-        char *buf_new;
+         struct strbuf_child_entry *child;
+         struct strbuf_node *node;
+         ssize_t off;
+@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
+         }
+ 
+         /* add new string */
+-        buf_new = realloc(str->buf, str->len + len+1);
+-        if (!buf_new)
++        if (!GREEDY_REALLOC(str->buf, str->len + len + 1))
+                 return -ENOMEM;
+-        str->buf = buf_new;
+         off = str->len;
+         memcpy(str->buf + off, s, len);
+         str->len += len;

0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch

@@ -0,0 +1,132 @@
+From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Fri, 17 May 2024 16:20:11 +0200
+Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to
+ authorization failure
+
+The TPM might be password/pin protected for various reasons even if
+there is no SRK yet. Let's handle those cases gracefully instead of
+failing the unit as it is enabled by default.
+
+(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199)
+---
+ catalog/systemd.catalog.in                | 13 +++++++++++++
+ src/shared/tpm2-util.c                    |  2 ++
+ src/systemd/sd-messages.h                 |  3 +++
+ src/tpm2-setup/tpm2-setup.c               | 13 ++++++++++++-
+ units/systemd-tpm2-setup-early.service.in |  3 +++
+ units/systemd-tpm2-setup.service.in       |  3 +++
+ 6 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
+index 3c9a6860da..2831152763 100644
+--- a/catalog/systemd.catalog.in
++++ b/catalog/systemd.catalog.in
+@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/
+ A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been
+ detached from the system and is no longer available for use. The list of attached
+ Portable Services can be queried with 'portablectl list'.
++
++-- ad7089f928ac4f7ea00c07457d47ba8a
++Subject: Authorization failure while attempting to enroll SRK into TPM
++Defined-By: systemd
++Support: %SUPPORT_URL%
++Documentation: man:systemd-tpm2-setup.service(8)
++
++An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
++Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
++the TPM.
++
++Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
++protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
+index 87ce53cf95..9603f1837e 100644
+--- a/src/shared/tpm2-util.c
++++ b/src/shared/tpm2-util.c
+@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
+                         /* creationData= */ NULL,
+                         /* creationHash= */ NULL,
+                         /* creationTicket= */ NULL);
++        if (rc == TPM2_RC_BAD_AUTH)
++                return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
+         if (rc != TSS2_RC_SUCCESS)
+                 return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+                                        "Failed to generate primary key in TPM: %s",
+diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
+index e3f68068a8..16e9986be3 100644
+--- a/src/systemd/sd-messages.h
++++ b/src/systemd/sd-messages.h
+@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
+ #define SD_MESSAGE_PORTABLE_DETACHED                  SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+ #define SD_MESSAGE_PORTABLE_DETACHED_STR              SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+ 
++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION     SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
++
+ _SD_END_DECLARATIONS;
+ 
+ #endif
+diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
+index 35628fc02a..b95c5e7a58 100644
+--- a/src/tpm2-setup/tpm2-setup.c
++++ b/src/tpm2-setup/tpm2-setup.c
+@@ -3,6 +3,8 @@
+ #include <getopt.h>
+ #include <unistd.h>
+ 
++#include "sd-messages.h"
++
+ #include "build.h"
+ #include "fd-util.h"
+ #include "fileio.h"
+@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
+                         /* ret_name= */ NULL,
+                         /* ret_qname= */ NULL,
+                         NULL);
++        if (r == -EDEADLK)
++                return r;
+         if (r < 0)
+                 return log_error_errno(r, "Failed to get or create SRK: %m");
+         if (r > 0)
+@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
+         }
+ 
+         r = load_public_key_tpm2(&tpm2_key);
++        if (r == -EDEADLK) {
++                log_struct_errno(LOG_INFO, r,
++                                 LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
++                                 "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
++                return 76; /* Special return value which means "Insufficient permissions to access TPM,
++                            * cannot generate SRK". This isn't really an error when called at boot. */;
++        }
+         if (r < 0)
+                 return r;
+ 
+@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
+         return 0;
+ }
+ 
+-DEFINE_MAIN_FUNCTION(run);
++DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
+diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
+index 9982c84aba..7fdb99b53f 100644
+--- a/units/systemd-tpm2-setup-early.service.in
++++ b/units/systemd-tpm2-setup-early.service.in
+@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
++
++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
++SuccessExitStatus=76
+diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
+index 0af7292528..ac29a76966 100644
+--- a/units/systemd-tpm2-setup.service.in
++++ b/units/systemd-tpm2-setup.service.in
+@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
++
++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
++SuccessExitStatus=76

0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch

@@ -0,0 +1,37 @@
+From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001
+From: Ronan Pigott <ronan@rjp.ie>
+Date: Fri, 8 Mar 2024 13:40:08 -0700
+Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't
+ validating
+
+This check introduced in 91adc4db33f6 is intended to spare us from
+encountering broken resolver behavior we don't want to deal with.
+However if we aren't validating we more than likely don't know the state
+of the upstream resolver's support for dnssec. Let's let clients try
+these queries if they want.
+
+This brings the behavior of sd-resolved in-line with previouly stated
+change in the meaning of DNSSEC=no, which now means "don't validate"
+rather than "don't validate, because the upstream resolver is declared to
+be dnssec-unaware".
+
+Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
+(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a)
+---
+ src/resolve/resolved-dns-server.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
+index 340f11f4f4..b37f541c7f 100644
+--- a/src/resolve/resolved-dns-server.c
++++ b/src/resolve/resolved-dns-server.c
+@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
+         if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
+                 return true;
+ 
+-        if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
+-                return false;
+-
+         if (server->packet_bad_opt)
+                 return false;
+ 

0009-repart-Use-crypt_reencrypt_run-if-available.patch

@@ -0,0 +1,123 @@
+From 70f5fb2f7ab585458008b1d3144e4ebaf98db42e Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Sun, 2 Jun 2024 16:24:52 +0200
+Subject: [PATCH] repart: Use crypt_reencrypt_run() if available
+
+crypt_reencrypt() is deprecated, so let's look for and prefer
+crypt_reencrypt_run() if it is available.
+
+(cherry picked from commit b99b2941276a74878a23470b36c75b0c21dbdd4a)
+---
+ meson.build                  |  1 +
+ src/partition/repart.c       |  6 +++++-
+ src/shared/cryptsetup-util.c | 19 ++++++++-----------
+ src/shared/cryptsetup-util.h |  6 +++---
+ 4 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index ea4e12aa1c..e42151998b 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size',
+                  'crypt_token_max',
+                  'crypt_reencrypt_init_by_passphrase',
+                  'crypt_reencrypt',
++                 'crypt_reencrypt_run',
+                  'crypt_set_data_offset',
+                  'crypt_set_keyring_to_link',
+                  'crypt_resume_by_volume_key']
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 6f67d46025..2ecae4ca03 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -3913,7 +3913,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
+ }
+ 
+ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
+-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT
++#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
+         const char *node = partition_target_path(target);
+         struct crypt_params_luks2 luks_params = {
+                 .label = strempty(ASSERT_PTR(p)->new_label),
+@@ -4220,7 +4220,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to load reencryption context: %m");
+ 
++#if HAVE_CRYPT_REENCRYPT_RUN
++                r = sym_crypt_reencrypt_run(cd, NULL, NULL);
++#else
+                 r = sym_crypt_reencrypt(cd, NULL);
++#endif
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to encrypt %s: %m", node);
+         } else {
+diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
+index 288e6e8942..d0dd434df8 100644
+--- a/src/shared/cryptsetup-util.c
++++ b/src/shared/cryptsetup-util.c
+@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get);
+ #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+ DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase);
+ #endif
+-#if HAVE_CRYPT_REENCRYPT
+-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
++#if HAVE_CRYPT_REENCRYPT_RUN
++DLSYM_FUNCTION(crypt_reencrypt_run);
++#elif HAVE_CRYPT_REENCRYPT
+ DLSYM_FUNCTION(crypt_reencrypt);
+-REENABLE_WARNING;
+ #endif
+ DLSYM_FUNCTION(crypt_metadata_locking);
+ #if HAVE_CRYPT_SET_DATA_OFFSET
+@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) {
+ 
+         /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
+          * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
+-         * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
+-         * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
+-         * warnings about this for now. */
+-
+-        DISABLE_WARNING_DEPRECATED_DECLARATIONS;
++         * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
++         * symbol if the new one is not available. */
+ 
+         ELF_NOTE_DLOPEN("cryptsetup",
+                         "Support for disk encryption, integrity, and authentication",
+@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) {
+ #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+                         DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
+ #endif
+-#if HAVE_CRYPT_REENCRYPT
++#if HAVE_CRYPT_REENCRYPT_RUN
++                        DLSYM_ARG(crypt_reencrypt_run),
++#elif HAVE_CRYPT_REENCRYPT
+                         DLSYM_ARG(crypt_reencrypt),
+ #endif
+                         DLSYM_ARG(crypt_metadata_locking),
+@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) {
+         if (r <= 0)
+                 return r;
+ 
+-        REENABLE_WARNING;
+-
+         /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
+          * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
+          * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
+diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
+index f00ac367b6..d255e59004 100644
+--- a/src/shared/cryptsetup-util.h
++++ b/src/shared/cryptsetup-util.h
+@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get);
+ #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
+ DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
+ #endif
+-#if HAVE_CRYPT_REENCRYPT
+-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
++#if HAVE_CRYPT_REENCRYPT_RUN
++DLSYM_PROTOTYPE(crypt_reencrypt_run);
++#elif HAVE_CRYPT_REENCRYPT
+ DLSYM_PROTOTYPE(crypt_reencrypt);
+-REENABLE_WARNING;
+ #endif
+ DLSYM_PROTOTYPE(crypt_metadata_locking);
+ #if HAVE_CRYPT_SET_DATA_OFFSET

0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch

@@ -0,0 +1,136 @@
+From 4a468387acbc8a2bd51bffaeca242e415e55b614 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Wed, 12 Jun 2024 12:09:25 +0200
+Subject: [PATCH] test: dump a simple summary at the end of TEST-02-UNITTEST
+
+Let's dump a list of skipped tests and logs from failed tests at the end
+of TEST-02-UNITTEST to make debugging fails in CI slightly less painful.
+
+(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3)
+---
+ test/TEST-02-UNITTESTS/test.sh  |  8 ----
+ test/test-functions             | 68 ---------------------------------
+ test/units/TEST-02-UNITTESTS.sh | 14 +++++++
+ 3 files changed, 14 insertions(+), 76 deletions(-)
+
+diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh
+index f165c99368..2cf9c31096 100755
+--- a/test/TEST-02-UNITTESTS/test.sh
++++ b/test/TEST-02-UNITTESTS/test.sh
+@@ -37,12 +37,4 @@ test_append_files() {
+     fi
+ }
+ 
+-check_result_nspawn() {
+-    check_result_nspawn_unittests "${1}"
+-}
+-
+-check_result_qemu() {
+-    check_result_qemu_unittests
+-}
+-
+ do_test "$@"
+diff --git a/test/test-functions b/test/test-functions
+index be6eb1d9b2..8b497b2e27 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1860,74 +1860,6 @@ check_result_qemu() {
+     return $ret
+ }
+ 
+-check_result_nspawn_unittests() {
+-    local workspace="${1:?}"
+-    local ret=1
+-
+-    [[ -e "$workspace/testok" ]] && ret=0
+-
+-    if [[ -s "$workspace/failed" ]]; then
+-        ret=$((ret + 1))
+-        echo "=== Failed test log ==="
+-        cat "$workspace/failed"
+-    else
+-        if [[ -s "$workspace/skipped" ]]; then
+-            echo "=== Skipped test log =="
+-            cat "$workspace/skipped"
+-            # We might have only skipped tests - that should not fail the job
+-            ret=0
+-        fi
+-        if [[ -s "$workspace/testok" ]]; then
+-            echo "=== Passed tests ==="
+-            cat "$workspace/testok"
+-        fi
+-    fi
+-
+-    get_bool "${TIMED_OUT:=}" && ret=1
+-    check_coverage_reports "$workspace" || ret=5
+-
+-    save_journal "$workspace/var/log/journal" $ret
+-    echo "${JOURNAL_LIST:-"No journals were saved"}"
+-
+-    _umount_dir "${initdir:?}"
+-
+-    return $ret
+-}
+-
+-check_result_qemu_unittests() {
+-    local ret=1
+-
+-    mount_initdir
+-    [[ -e "${initdir:?}/testok" ]] && ret=0
+-
+-    if [[ -s "$initdir/failed" ]]; then
+-        ret=$((ret + 1))
+-        echo "=== Failed test log ==="
+-        cat "$initdir/failed"
+-    else
+-        if [[ -s "$initdir/skipped" ]]; then
+-            echo "=== Skipped test log =="
+-            cat "$initdir/skipped"
+-            # We might have only skipped tests - that should not fail the job
+-            ret=0
+-        fi
+-        if [[ -s "$initdir/testok" ]]; then
+-            echo "=== Passed tests ==="
+-            cat "$initdir/testok"
+-        fi
+-    fi
+-
+-    get_bool "${TIMED_OUT:=}" && ret=1
+-    check_coverage_reports "$initdir" || ret=5
+-
+-    save_journal "$initdir/var/log/journal" $ret
+-    echo "${JOURNAL_LIST:-"No journals were saved"}"
+-
+-    _umount_dir "$initdir"
+-
+-    return $ret
+-}
+-
+ create_rc_local() {
+     dinfo "Create rc.local"
+     mkdir -p "${initdir:?}/etc/rc.d"
+diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh
+index 6392425130..4448643f9a 100755
+--- a/test/units/TEST-02-UNITTESTS.sh
++++ b/test/units/TEST-02-UNITTESTS.sh
+@@ -95,6 +95,20 @@ export -f run_test
+ find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 |
+     xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}"
+ 
++# Write all pending messages, so they don't get mixed with the summaries below
++journalctl --sync
++
++# No need for full test logs in this case
++if [[ -s /skipped-tests ]]; then
++    : "=== SKIPPED TESTS ==="
++    cat /skipped-tests
++fi
++
++if [[ -s /failed ]]; then
++    : "=== FAILED TESTS ==="
++    cat /failed
++fi
++
+ # Test logs are sometimes lost, as the system shuts down immediately after
+ journalctl --sync
+ 

0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch

@@ -0,0 +1,29 @@
+From d316aed5d8e15fb5b13b5618f1b2d1d020b1e7bf Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Mon, 3 Jun 2024 12:35:29 +0200
+Subject: [PATCH] repart: Use CRYPT_ACTIVATE_PRIVATE
+
+Let's skip udev device scanning when activating a LUKS volume in
+systemd-repart as we don't depend on any udev symlinks and don't
+expect anything except repart to access the volume.
+
+Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941.
+
+(cherry picked from commit 726fc7ae696510b04c24810f691d34f5d20529d6)
+---
+ src/partition/repart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 2ecae4ca03..78cf60f724 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -4236,7 +4236,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
+                                 dm_name,
+                                 NULL,
+                                 VOLUME_KEY_SIZE,
+-                                arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
++                                (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE);
+                 if (r < 0)
+                         return log_error_errno(r, "Failed to activate LUKS superblock: %m");
+ 

0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch

@@ -0,0 +1,26 @@
+From 4ebcdcb1360dbb10444f518bad7f04e10bcb6387 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Tue, 11 Jun 2024 23:09:30 +0100
+Subject: [PATCH] NEWS: note that new stable releases will be in the main repo
+
+(cherry picked from commit 40d637bace4041f081088673cb230669c1e34faf)
+---
+ NEWS | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 02ad8b2c79..bbee0852be 100644
+--- a/NEWS
++++ b/NEWS
+@@ -81,6 +81,11 @@ CHANGES WITH 256:
+         * systemd.crash_reboot and related settings are deprecated in favor of
+           systemd.crash_action=.
+ 
++        * Stable releases for version v256 and newer will now be pushed in the
++          main repository. The systemd-stable repository will be used for existing
++          stable branches (v255-stable and lower), and when they reach EOL it will
++          be archived.
++
+         General Changes and New Features:
+ 
+         * Various programs will now attempt to load the main configuration file

0013-shell-completion-only-offer-devices-for-completion.patch

@@ -0,0 +1,29 @@
+From 2034de6157cc0d3e60489cdc16c7a5651f38783c Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Wed, 12 Jun 2024 14:35:34 +0200
+Subject: [PATCH] shell-completion: only offer devices for completion
+
+This skips directories and other stuff like /dev/core, /dev/initctl or
+/dev/log.
+
+(cherry picked from commit bde35f4a91663ebb854330f582baeef0f9adcbfb)
+---
+ shell-completion/bash/udevadm | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm
+index 05f921cf49..3842d722e7 100644
+--- a/shell-completion/bash/udevadm
++++ b/shell-completion/bash/udevadm
+@@ -32,10 +32,7 @@ __get_all_sysdevs() {
+ }
+ 
+ __get_all_device_nodes() {
+-    local i
+-    for i in /dev/* /dev/*/* /dev/*/*/*; do
+-        echo $i
+-    done
++    find /dev -xtype b -o -xtype c
+ }
+ 
+ __get_all_device_units() {

0014-CODING_STYLE-document-reterr_-return-parameters.patch

@@ -0,0 +1,98 @@
+From a61a83a22b5f464463f9ab9e3ee3950f299c9f43 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 12 Jun 2024 18:31:56 +0200
+Subject: [PATCH] CODING_STYLE: document "reterr_" return parameters
+
+In some recent PRs (e.g. #32628) I started to systematically name return
+parameters that shall only be initialized on failure (because they carry
+additional error meta information, such as the line/column number of
+parse failures or so). Let's make this official in the coding style.
+
+(cherry picked from commit 7811864b08393eda5ff92145ea2776180d9b28ee)
+---
+ docs/CODING_STYLE.md | 62 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 48 insertions(+), 14 deletions(-)
+
+diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md
+index 8f687e6662..309436a397 100644
+--- a/docs/CODING_STYLE.md
++++ b/docs/CODING_STYLE.md
+@@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later
+   thread. Use `is_main_thread()` to detect whether the calling thread is the
+   main thread.
+ 
+-- Do not write functions that clobber call-by-reference variables on
+-  failure. Use temporary variables for these cases and change the passed in
+-  variables only on success. The rule is: never clobber return parameters on
+-  failure, always initialize return parameters on success.
+-
+-- Typically, function parameters fit into three categories: input parameters,
+-  mutable objects, and call-by-reference return parameters. Input parameters
+-  should always carry suitable "const" declarators if they are pointers, to
+-  indicate they are input-only and not changed by the function. Return
+-  parameters are best prefixed with "ret_", to clarify they are return
+-  parameters. (Conversely, please do not prefix parameters that aren't
+-  output-only with "ret_", in particular not mutable parameters that are both
+-  input as well as output). Example:
++- Typically, function parameters fit into four categories: input parameters,
++  mutable objects, call-by-reference return parameters that are initialized on
++  success, and call-by-reference return parameters that are initialized on
++  failure. Input parameters should always carry suitable `const` declarators if
++  they are pointers, to indicate they are input-only and not changed by the
++  function. The name of return parameters that are initialized on success
++  should be prefixed with `ret_`, to clarify they are return parameters. The
++  name of return parameters that are initialized on failure should be prefixed
++  with `reterr_`. (Examples of such parameters: those which carry additional
++  error information, such as the row/column of parse errors or so). –
++  Conversely, please do not prefix parameters that aren't output-only with
++  `ret_` or `reterr_`, in particular not mutable parameters that are both input
++  as well as output.
++
++  Example:
+ 
+   ```c
+   static int foobar_frobnicate(
+                   Foobar* object,            /* the associated mutable object */
+                   const char *input,         /* immutable input parameter */
+-                  char **ret_frobnicated) {  /* return parameter */
++                  char **ret_frobnicated,    /* return parameter on success */
++                  unsigned *reterr_line,     /* return parameter on failure */
++                  unsigned *reterr_column) { /* ditto */
+           …
+           return 0;
+   }
+   ```
+ 
++- Do not write functions that clobber call-by-reference success return
++  parameters on failure (i.e. `ret_xyz`, see above), or that clobber
++  call-by-reference failure return parameters on success
++  (i.e. `reterr_xyz`). Use temporary variables for these cases and change the
++  passed in variables only in the right condition. The rule is: never clobber
++  success return parameters on failure, always initialize success return
++  parameters on success (and the reverse for failure return parameters, of
++  course).
++
++- Please put `reterr_` return parameters in the function parameter list last,
++  and `ret_` return parameters immediately before that.
++
++  Good:
++
++  ```c
++  static int do_something(
++                  const char *input,
++                  const char *ret_on_success,
++                  const char *reterr_on_failure);
++  ```
++
++  Not good:
++
++  ```c
++  static int do_something(
++                  const char *reterr_on_failure,
++                  const char *ret_on_success,
++                  const char *input);
++  ```
++
+ - The order in which header files are included doesn't matter too
+   much. systemd-internal headers must not rely on an include order, so it is
+   safe to include them in any order possible.  However, to not clutter global

0015-analyze-show-pcrs-also-in-sha384-bank.patch

@@ -0,0 +1,27 @@
+From 51390a1f41a762ef96d3c496d8a5d890d722907d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 4 Jun 2024 11:02:34 +0200
+Subject: [PATCH] analyze: show pcrs also in sha384 bank
+
+SHA384 is pretty much the bank we actually *want* to use, since it's
+faster to calculate than SHA256, hence at the very least, start
+considering.
+
+(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa)
+---
+ src/analyze/analyze-pcrs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
+index 43e415fc6d..1c3da3fd84 100644
+--- a/src/analyze/analyze-pcrs.c
++++ b/src/analyze/analyze-pcrs.c
+@@ -11,7 +11,7 @@
+ static int get_pcr_alg(const char **ret) {
+         assert(ret);
+ 
+-        FOREACH_STRING(alg, "sha256", "sha1") {
++        FOREACH_STRING(alg, "sha256", "sha384", "sha1") {
+                 _cleanup_free_ char *p = NULL;
+ 
+                 if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)

0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch

@@ -0,0 +1,41 @@
+From 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <cristian@rodriguez.im>
+Date: Thu, 13 Jun 2024 11:59:28 -0400
+Subject: [PATCH] fundamental: declare flex array updated for gcc15 and clang
+ 19
+
+Silly workaround that:
+- allowed flexible arrays in unions
+- allowed flexible arrays in otherwise empty structs
+
+Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a
+(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9
+
+(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939)
+---
+ src/fundamental/macro-fundamental.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
+index 5ccbda5186..8aca5f784a 100644
+--- a/src/fundamental/macro-fundamental.h
++++ b/src/fundamental/macro-fundamental.h
+@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
+                 }                                                       \
+         }
+ 
++/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/
++#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
++#define DECLARE_FLEX_ARRAY(type, name) type name[];
++#else
+ /* Declare a flexible array usable in a union.
+  * This is essentially a work-around for a pointless constraint in C99
+  * and might go away in some future version of the standard.
+@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
+                 dummy_t __empty__ ## name;             \
+                 type name[];                           \
+         }
++#endif
+ 
+ /* Declares an ELF read-only string section that does not occupy memory at runtime. */
+ #define DECLARE_NOALLOC_SECTION(name, text)   \

0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch

@@ -0,0 +1,31 @@
+From aedeaf745028a463150fd6d2b1aca778797735ac Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook <enr0n@ubuntu.com>
+Date: Fri, 14 Jun 2024 17:31:22 -0400
+Subject: [PATCH] man: add a bit of a warning to systemd-tmpfiles --purge
+
+Mention that by default, /home is managed by tmpfiles.d/home.conf, and
+recommend that users run systemd-tmpfiles --dry-run --purge first to
+see exactly what will be removed.
+
+(cherry picked from commit 9ebcac3b5125a8b0b11f371731ea167cd4684adc)
+---
+ man/systemd-tmpfiles.xml | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
+index 008bff62da..6f3ec66611 100644
+--- a/man/systemd-tmpfiles.xml
++++ b/man/systemd-tmpfiles.xml
+@@ -150,7 +150,11 @@
+       <varlistentry>
+         <term><option>--purge</option></term>
+         <listitem><para>If this option is passed, all files and directories created by a
+-        <filename>tmpfiles.d/</filename> entry will be deleted.</para>
++        <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
++        <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
++        (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
++        to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
++        and directories will be deleted.</para>
+ 
+         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+       </varlistentry>

0018-man-units-drop-temporary-from-description-of-systemd.patch

@@ -0,0 +1,65 @@
+From 1a0e6961cfaed42bda542e111738c136f7b4d73f Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Sat, 15 Jun 2024 17:27:33 +0200
+Subject: [PATCH] man,units: drop "temporary" from description of
+ systemd-tmpfiles
+
+Historically, systemd-tmpfiles was designed to manager temporary
+files, but nowadays it has become a generic tool for managing
+all kinds of files. To avoid user confusion, let's remove "temporary"
+from the tool's description.
+
+As discussed in #33349
+
+(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735)
+---
+ man/systemd-tmpfiles.xml                  | 8 +++++---
+ units/systemd-tmpfiles-setup.service      | 2 +-
+ units/user/systemd-tmpfiles-setup.service | 2 +-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
+index 6f3ec66611..9767aead85 100644
+--- a/man/systemd-tmpfiles.xml
++++ b/man/systemd-tmpfiles.xml
+@@ -55,9 +55,11 @@
+   <refsect1>
+     <title>Description</title>
+ 
+-    <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up volatile and temporary files
+-    and directories, using the configuration file format and location specified in
+-    <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. It must
++    <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up files and directories, using
++    the configuration file format and location specified in
++    <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
++    Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides
++    generic file management functionality and can be used to manage any kind of files. It must
+     be invoked with one or more commands <option>--create</option>, <option>--remove</option>, and
+     <option>--clean</option>, to select the respective subset of operations.</para>
+ 
+diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service
+index 6cae32850f..b92beb7314 100644
+--- a/units/systemd-tmpfiles-setup.service
++++ b/units/systemd-tmpfiles-setup.service
+@@ -8,7 +8,7 @@
+ #  (at your option) any later version.
+ 
+ [Unit]
+-Description=Create Volatile Files and Directories
++Description=Create System Files and Directories
+ Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
+ 
+ DefaultDependencies=no
+diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service
+index 156689edcd..54e453c4fc 100644
+--- a/units/user/systemd-tmpfiles-setup.service
++++ b/units/user/systemd-tmpfiles-setup.service
+@@ -8,7 +8,7 @@
+ #  (at your option) any later version.
+ 
+ [Unit]
+-Description=Create User's Volatile Files and Directories
++Description=Create User Files and Directories
+ Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
+ DefaultDependencies=no
+ Conflicts=shutdown.target

0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch

@@ -0,0 +1,24 @@
+From 9f5f3c2f8bc2c3d82678672f3e700c1eb4e52d61 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 11:16:21 +0100
+Subject: [PATCH] mkosi: enable unprivileged user ns for integration tests
+
+Ubuntu disables them by default in Noble, ship a sysctl to turn them back on
+so that tests can use them
+
+(cherry picked from commit 4cfcde024f34b3e5f682364d4e0c6185ef07d467)
+---
+ .../usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf           | 4 ++++
+ 1 file changed, 4 insertions(+)
+ create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
+
+diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
+new file mode 100644
+index 0000000000..657ac72f8d
+--- /dev/null
++++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
+@@ -0,0 +1,4 @@
++# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed
++# for integration tests
++kernel.apparmor_restrict_unprivileged_unconfined = 0
++kernel.apparmor_restrict_unprivileged_userns = 0

0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch

@@ -0,0 +1,74 @@
+From 21feae324e812580062c36aa14cc5e68a37aa151 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 15:28:56 +0100
+Subject: [PATCH] mkosi: use ports.ubuntu.com for non-x86 backports
+
+Follow-up for 46368556afee7a1f3a1685609942438ef2d9d6c1
+
+(cherry picked from commit c01cb8cbff8512b65b7903b55f78c8d12661b8d7)
+---
+ mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf    | 3 ---
+ .../mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf     | 9 +++++++++
+ .../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf  | 9 +++++++++
+ .../mkosi.conf.d/10-ubuntu/noble-backports-ports.sources | 6 ++++++
+ 4 files changed, 24 insertions(+), 3 deletions(-)
+ create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+ create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+ create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
+
+diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
+index 25957b1e92..86f9736ed9 100644
+--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
+@@ -3,9 +3,6 @@
+ [Match]
+ Distribution=ubuntu
+ 
+-[Distribution]
+-PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
+-
+ [Content]
+ Packages=
+         linux-image-generic
+diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+new file mode 100644
+index 0000000000..0ec4807822
+--- /dev/null
++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+@@ -0,0 +1,9 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++# The ports Ubuntu archive is for non i386/amd64 repositories
++
++[Match]
++Architecture=!x86-64
++Architecture=!x86
++
++[Distribution]
++PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
+diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+new file mode 100644
+index 0000000000..c08eeac337
+--- /dev/null
++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+@@ -0,0 +1,9 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++# The main Ubuntu archive is only for i386/amd64 repositories
++
++[Match]
++Architecture=|x86-64
++Architecture=|x86
++
++[Distribution]
++PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
+diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
+new file mode 100644
+index 0000000000..5b96dc544d
+--- /dev/null
++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
+@@ -0,0 +1,6 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++Types: deb
++URIs: http://ports.ubuntu.com
++Suites: noble-backports
++Components: main universe
++Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch

@@ -0,0 +1,58 @@
+From 9802a28b367b3d403c41b570949e3c91f505ede5 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 20:42:12 +0100
+Subject: [PATCH] mkosi: install EFI packages only on EFI architectures
+
+sbsigntool, systemd-boot and systemd-boot-efi do not  exist on other
+architectures
+
+(cherry picked from commit 47fe3f29b4ba1b44ae71a7e67c579c4883731dd4)
+---
+ .../mkosi.conf.d/10-debian-ubuntu/mkosi.conf     |  3 ---
+ .../10-debian-ubuntu/mkosi.conf.d/efi.conf       | 16 ++++++++++++++++
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+ create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
+
+diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+index ae014fa966..ecac78049d 100644
+--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
++++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+@@ -20,8 +20,6 @@ VolatilePackages=
+         libsystemd-dev
+         libudev-dev
+         systemd
+-        systemd-boot
+-        systemd-boot-efi
+         systemd-container
+         systemd-coredump
+         systemd-dev
+@@ -74,7 +72,6 @@ Packages=
+         python3-pexpect
+         python3-psutil
+         quota
+-        sbsigntool
+         softhsm2
+         squashfs-tools
+         stress
+diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
+new file mode 100644
+index 0000000000..781670a775
+--- /dev/null
++++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
+@@ -0,0 +1,16 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++# sbsigntool exists only on UEFI architectures
++
++[Match]
++Architecture=|x86
++Architecture=|x86-64
++Architecture=|arm
++Architecture=|arm64
++Architecture=|riscv32
++Architecture=|riscv64
++
++[Content]
++Packages=
++        sbsigntool
++        systemd-boot
++        systemd-boot-efi

0022-test-check-the-skip-condition-before-installing-addi.patch

@@ -0,0 +1,31 @@
+From 50b53b8221aa9d5e8fa3269b73d13b8a304728a8 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 13:41:50 +0100
+Subject: [PATCH] test: check the skip condition before installing additional
+ files
+
+(cherry picked from commit e1daedb4be6d8180790e0b303872fb1c87ddc7fc)
+---
+ test/units/TEST-43-PRIVATEUSER-UNPRIV.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
+index 165af47f15..f8a2a62467 100755
+--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
++++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
+@@ -6,13 +6,13 @@ set -o pipefail
+ # shellcheck source=test/units/util.sh
+ . "$(dirname "$0")"/util.sh
+ 
+-install_extension_images
+-
+ if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
+     echo "Cannot create unprivileged user namespaces" >/skipped
+     exit 77
+ fi
+ 
++install_extension_images
++
+ systemd-analyze log-level debug
+ 
+ runas testuser systemd-run --wait --user --unit=test-private-users \

0023-test-drop-unneeded-firmware-uefi-setting.patch

@@ -0,0 +1,37 @@
+From 51a2e7be5ec1a28be11d309897671c8dd4511ae8 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 16:08:57 +0100
+Subject: [PATCH] test: drop unneeded firmware: uefi setting
+
+These tests no longer need this, as they are running in nspawn, drop it
+
+(cherry picked from commit f44fc531c95e37c83203375c411189009a01b482)
+---
+ test/TEST-09-REBOOT/meson.build        | 2 --
+ test/TEST-18-FAILUREACTION/meson.build | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build
+index c4b41bc97b..b7556189f5 100644
+--- a/test/TEST-09-REBOOT/meson.build
++++ b/test/TEST-09-REBOOT/meson.build
+@@ -4,7 +4,5 @@ integration_tests += [
+         integration_test_template + {
+                 'name' : fs.name(meson.current_source_dir()),
+                 'storage' : 'persistent',
+-                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
+-                'firmware' : 'uefi',
+         },
+ ]
+diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build
+index 5edfbcad1f..8dec5f37e7 100644
+--- a/test/TEST-18-FAILUREACTION/meson.build
++++ b/test/TEST-18-FAILUREACTION/meson.build
+@@ -3,7 +3,5 @@
+ integration_tests += [
+         integration_test_template + {
+                 'name' : fs.name(meson.current_source_dir()),
+-                # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
+-                'firmware' : 'uefi',
+         },
+ ]

0024-test-drop-obsolete-comment.patch

@@ -0,0 +1,28 @@
+From df1e7d9572fab94209989f341bb1e1a86d88223b Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 19:21:32 +0100
+Subject: [PATCH] test: drop obsolete comment
+
+We want to keep various logic here instead of mkosi, so drop the
+temporary comment
+
+(cherry picked from commit 626518ecd5e7b0c0c708ba53d7eb62934506ed54)
+---
+ test/integration-test-wrapper.py | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
+index 5b098a3e01..1e015e7d47 100755
+--- a/test/integration-test-wrapper.py
++++ b/test/integration-test-wrapper.py
+@@ -2,10 +2,6 @@
+ # SPDX-License-Identifier: LGPL-2.1-or-later
+ 
+ '''Test wrapper command for driving integration tests.
+-
+-Note: This is deliberately rough and only intended to drive existing tests
+-with the expectation that as part of formally defining the API it will be tidy.
+-
+ '''
+ 
+ import argparse

0025-test-support-TEST_NO_KVM.patch

@@ -0,0 +1,25 @@
+From a36cb5660e4d84c16242c1d70b99d9a2e389f191 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Sun, 16 Jun 2024 19:15:24 +0100
+Subject: [PATCH] test: support TEST_NO_KVM
+
+The shell integration suite allows to manually deselect KVM, so
+suppor the same env var for the same purpose in python.
+
+(cherry picked from commit 7d2701e7d1d0a7194026dd371071df6e63f59a82)
+---
+ test/integration-test-wrapper.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
+index 1e015e7d47..15b1ce1055 100755
+--- a/test/integration-test-wrapper.py
++++ b/test/integration-test-wrapper.py
+@@ -124,6 +124,7 @@ def main():
+         *args.mkosi_args,
+         '--append',
+         '--qemu-firmware', args.firmware,
++        '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
+         '--kernel-command-line-extra',
+         ' '.join([
+             'systemd.hostname=H',

0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch

@@ -0,0 +1,30 @@
+From 6178aa4bbcc6b0531314c1a2e9df61e45e6c9ad4 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Mon, 17 Jun 2024 14:09:40 +0100
+Subject: [PATCH] test: support TEST_NO_QEMU in mkosi integration wrapper
+
+Same as the old integration test suite, allow skipping tests that
+require qemu.
+ppc64el's vsock support doesn't appear to work, so we'll skip it,
+as it is already done in the legacy framework.
+
+(cherry picked from commit 464d182b3e470e4163ca376145539a537a6e43a2)
+---
+ test/integration-test-wrapper.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
+index 15b1ce1055..b6a16aa3ef 100755
+--- a/test/integration-test-wrapper.py
++++ b/test/integration-test-wrapper.py
+@@ -57,6 +57,10 @@ def main():
+         print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
+         exit(77)
+ 
++    if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
++        print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
++        exit(77)
++
+     name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")
+ 
+     dropin = textwrap.dedent(

0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch

@@ -0,0 +1,27 @@
+From 7d65709901cb3fc746639398776cfdb7cb750a03 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Mon, 17 Jun 2024 15:37:43 +0100
+Subject: [PATCH] test: use 'auto' instead of 'uefi' for automated fallback
+
+mkosi will prefer UEFI if the architecture supports it, but fallback
+to 'linux' if it doesn't.
+
+(cherry picked from commit 80468db8fa21ffd07dc2f28c656eeaf8f0292367)
+---
+ test/TEST-06-SELINUX/meson.build | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
+index 7a850beb81..9261a49c49 100644
+--- a/test/TEST-06-SELINUX/meson.build
++++ b/test/TEST-06-SELINUX/meson.build
+@@ -5,7 +5,8 @@ integration_tests += [
+                 'name' : fs.name(meson.current_source_dir()),
+                 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
+                 # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
+-                'firmware' : 'uefi',
++                # Use 'auto' to automatically fallback on non-uefi architectures.
++                'firmware' : 'auto',
+                 'vm' : true,
+         },
+ ]

0028-core-service-fix-accept-socket-deserialization.patch

@@ -0,0 +1,45 @@
+From f7d55cc801611781fbff2817f2fd4a16ec96ca85 Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Mon, 17 Jun 2024 07:47:20 +0200
+Subject: [PATCH] core/service: fix accept-socket deserialization
+
+Follow-up for 45b1017488cef2a5bacdf82028ce900a311c9a1c
+
+(cherry picked from commit 9f5d8c3da4f505346bd1edfae907a2abcdbdc578)
+---
+ src/core/service.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 8ec27c463a..6e81460ad0 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) {
+                 service_start_watchdog(s);
+ 
+         if (UNIT_ISSET(s->accept_socket)) {
+-                Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket));
++                Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket));
+ 
+                 if (socket->max_connections_per_source > 0) {
+                         SocketPeer *peer;
+@@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
+         } else if (streq(key, "accept-socket")) {
+                 Unit *socket;
+ 
+-                if (u->type != UNIT_SOCKET) {
+-                        log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket");
++                if (unit_name_to_type(value) != UNIT_SOCKET) {
++                        log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value);
+                         return 0;
+                 }
+ 
+@@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
+                         log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value);
+                 else {
+                         unit_ref_set(&s->accept_socket, u, socket);
+-                        SOCKET(socket)->n_connections++;
++                        ASSERT_PTR(SOCKET(socket))->n_connections++;
+                 }
+ 
+         } else if (streq(key, "socket-fd")) {

0029-test-network-mention-that-the-captive-portal-option-.patch

@@ -0,0 +1,26 @@
+From 4cc6da9a5dfb69f149404d5a784c57bca2a21237 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Tue, 18 Jun 2024 00:09:03 +0900
+Subject: [PATCH] test-network: mention that the captive portal option is
+ supported since v2.20
+
+The current latest release is v2.19, hence the test is typically skipped now.
+
+(cherry picked from commit 4f6d8ab0767e534553bfa130f39dbb07ebb804a4)
+---
+ test/test-network/systemd-networkd-tests.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
+index 92cb07f11c..0355c7aca1 100755
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -5824,6 +5824,8 @@ class NetworkdRATests(unittest.TestCase, Utilities):
+         self.assertIn('pref high', output)
+         self.assertNotIn('pref low', output)
+ 
++    # radvd supports captive portal since v2.20.
++    # https://github.com/radvd-project/radvd/commit/791179a7f730decbddb2290ef0e34aa85d71b1bc
+     @unittest.skipUnless(radvd_check_config('captive-portal.conf'), "Installed radvd doesn't support captive portals")
+     def test_captive_portal(self):
+         copy_network_unit('25-veth-client.netdev',

0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch

@@ -0,0 +1,27 @@
+From b455006ae189d4ceef4214d8d4ab2027781d37e0 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Mon, 17 Jun 2024 17:40:28 +0100
+Subject: [PATCH] CI: disable secure boot in mkosi GHA runs
+
+Booting a guest with secure boot is broken in Azure due to a hypervisor
+bug. Disable it for now. Given there's no option, need to edit
+the configuration on the fly.
+
+(cherry picked from commit bdd0b45bfd7190bb8eb50c71ff6f50a80d6e6e52)
+---
+ .github/workflows/mkosi.yml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
+index 425d737b62..62efd367cb 100644
+--- a/.github/workflows/mkosi.yml
++++ b/.github/workflows/mkosi.yml
+@@ -117,6 +117,8 @@ jobs:
+ 
+     - name: Configure
+       run: |
++        # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
++        sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
+         tee mkosi.local.conf <<EOF
+         [Distribution]
+         Distribution=${{ matrix.distro }}

0031-mkosi-bump-to-latest.patch

@@ -0,0 +1,23 @@
+From d89c99c7ad165fa2471e1c5c1a3bdedab0818da9 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Mon, 17 Jun 2024 15:40:10 +0100
+Subject: [PATCH] mkosi: bump to latest
+
+(cherry picked from commit 3001339dc5b3faf8f8edee4c07b14a4abdf3d66f)
+---
+ .github/workflows/mkosi.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
+index 62efd367cb..3a8dabd95c 100644
+--- a/.github/workflows/mkosi.yml
++++ b/.github/workflows/mkosi.yml
+@@ -92,7 +92,7 @@ jobs:
+ 
+     steps:
+     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+-    - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
++    - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e
+ 
+     # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
+     # immediately, we remove the files in the background. However, we first move them to a different location

0032-NEWS-fix-typo.patch

@@ -0,0 +1,23 @@
+From a776dcf7af3b189f4f9616d174dbfc53a9bd6db6 Mon Sep 17 00:00:00 2001
+From: Carlo Teubner <carlo@cteubner.net>
+Date: Tue, 18 Jun 2024 09:41:59 +0100
+Subject: [PATCH] NEWS: fix typo
+
+(cherry picked from commit f6d517f8478bdd83b7d149b242a47d7686235c7e)
+---
+ NEWS | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index bbee0852be..da81fe3c5d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -195,7 +195,7 @@ CHANGES WITH 256:
+           additional per-user service managers, whose users are transient and
+           are only defined as long as the service manager is running. (This is
+           implemented via DynamicUser=1), allowing a user manager to be used to
+-          manager a group of processes without needing to create an actual user
++          manage a group of processes without needing to create an actual user
+           account. These service managers run with home directories of
+           /var/lib/capsules/<capsule-name> and can contain regular services and
+           other units. A capsule is started via a simple "systemctl start

0033-install-allow-removing-symlinks-even-for-units-that-.patch

@@ -0,0 +1,69 @@
+From c26e56d08f30a2946dfa1d03781c63bfa9f56c1d Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Fri, 7 Jun 2024 21:39:45 +0100
+Subject: [PATCH] install: allow removing symlinks even for units that are gone
+
+If a symlink is leftover, still allow cleaning it up via 'disable'. This
+happens when a unit is stopped and removed, but not disabled, and a reload
+has already happened. At that point, cleaning up the old symlinks becomes
+impossible through the APIs, and needs to be done manually. Always allow
+cleaning up symlinks, if they exist, by only erroring out if there is an
+OOM.
+
+Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017
+
+(cherry picked from commit 5163c9b1e56293b1bb2803420613c5b374570892)
+---
+ src/shared/install.c            | 14 ++++++++++----
+ test/units/TEST-26-SYSTEMCTL.sh |  6 ++++++
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/src/shared/install.c b/src/shared/install.c
+index dd2bd5c948..c94b456c21 100644
+--- a/src/shared/install.c
++++ b/src/shared/install.c
+@@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal(
+                         else {
+                                 log_debug_errno(r, "Unit %s not found, removing name.", i->name);
+                                 r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL);
+-                                if (r < 0)
++                                /* In case there's no unit, we still want to remove any leftover symlink, even if
++                                 * the unit might have been removed already, hence treating ENOENT as non-fatal. */
++                                if (r != -ENOENT)
+                                         return r;
+                         }
+                 } else if (r < 0) {
+@@ -2874,9 +2876,13 @@ static int do_unit_file_disable(
+                 r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info);
+                 if (r >= 0)
+                         r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL);
+-
+-                if (r < 0)
+-                        return install_changes_add(changes, n_changes, r, *name, NULL);
++                if (r < 0) {
++                        r = install_changes_add(changes, n_changes, r, *name, NULL);
++                        /* In case there's no unit, we still want to remove any leftover symlink, even if
++                         * the unit might have been removed already, hence treating ENOENT as non-fatal. */
++                        if (r != -ENOENT)
++                                return r;
++                }
+ 
+                 /* If we enable multiple units, some with install info and others without,
+                  * the "empty [Install] section" warning is not shown. Let's make the behavior
+diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh
+index ae7a5d6eb6..1471f3fd9e 100755
+--- a/test/units/TEST-26-SYSTEMCTL.sh
++++ b/test/units/TEST-26-SYSTEMCTL.sh
+@@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME"
+ systemctl help "$UNIT_NAME"
+ systemctl service-watchdogs
+ systemctl service-watchdogs "$(systemctl service-watchdogs)"
++# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers
++systemctl enable "$UNIT_NAME"
++systemctl stop "$UNIT_NAME"
++rm -f "/usr/lib/systemd/system/$UNIT_NAME"
++systemctl daemon-reload
++systemctl disable "$UNIT_NAME"
+ 
+ # show/set-environment
+ # Make sure PATH is set

0034-tmpfiles-honour-dry-run-when-removing-directories.patch

@@ -0,0 +1,35 @@
+From 90ec0265707d381ed8cc77de475cd963686eaba3 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 18 Jun 2024 09:54:33 +0200
+Subject: [PATCH] tmpfiles: honour --dry-run when removing directories
+
+(cherry picked from commit edeceb80a91e8400e8c22f08a41045a2ba270fe6)
+---
+ src/tmpfiles/tmpfiles.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 807925f199..283be21d16 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -3024,10 +3024,16 @@ static int remove_recursive(
+                 return r;
+ 
+         if (remove_instance) {
+-                log_debug("Removing directory \"%s\".", instance);
+-                r = RET_NERRNO(rmdir(instance));
+-                if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY))
+-                        return log_error_errno(r, "Failed to remove %s: %m", instance);
++                log_action("Would remove", "Removing", "%s directory \"%s\".", instance);
++                if (!arg_dry_run) {
++                        r = RET_NERRNO(rmdir(instance));
++                        if (r < 0) {
++                                bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY);
++                                log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance);
++                                if (fatal)
++                                        return r;
++                        }
++                }
+         }
+         return 0;
+ }

0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch

@@ -0,0 +1,68 @@
+From e76015738942246db70f444b3567afd1b132f824 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 18 Jun 2024 09:55:20 +0200
+Subject: [PATCH] tmpfiles: insist on at least one configuration file being
+ specified on --purge
+
+Also, extend the man page explanation substantially, matching more
+closely what --create says.
+
+Fixes: #33349
+(cherry picked from commit 41064a3c97c9a53c97bbe8a1de799a82c4374a2d)
+---
+ man/systemd-tmpfiles.xml | 26 ++++++++++++++++++++------
+ src/tmpfiles/tmpfiles.c  |  4 ++++
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
+index 9767aead85..2a494b9c5c 100644
+--- a/man/systemd-tmpfiles.xml
++++ b/man/systemd-tmpfiles.xml
+@@ -151,12 +151,26 @@
+ 
+       <varlistentry>
+         <term><option>--purge</option></term>
+-        <listitem><para>If this option is passed, all files and directories created by a
+-        <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
+-        <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
+-        (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
+-        to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
+-        and directories will be deleted.</para>
++
++        <listitem><para>If this option is passed, all files and directories marked for
++        <emphasis>creation</emphasis> by the <filename>tmpfiles.d/</filename> files specified on the command
++        line will be <emphasis>deleted</emphasis>. Specifically, this acts on all files and directories
++        marked with <varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
++        <varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>,
++        <varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>,
++        <varname>w</varname>, <varname>e</varname>. If this switch is used at least one
++        <filename>tmpfiles.d/</filename> file (or <filename>-</filename> for standard input) must be
++        specified on the command line or the invocation will be refused, for safety reasons (as otherwise
++        much of the installed system files might be removed).</para>
++
++        <para>The primary usecase for this option is to automatically remove files and directories that
++        originally have been created on behalf of an installed packaged at package removal time.</para>
++
++        <para>It is recommended to first run this command in combination with <option>--dry-run</option>
++        (see below) to verify which files and directories will be deleted.</para>
++
++        <para><emphasis>Warning!</emphasis> This is is usually not the command you want! In most cases
++        <option>--remove</option> is what you are looking for.</para>
+ 
+         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+       </varlistentry>
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 283be21d16..1704197207 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -4344,6 +4344,10 @@ static int parse_argv(int argc, char *argv[]) {
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "You need to specify at least one of --clean, --create, --remove, or --purge.");
+ 
++        if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc)
++                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
++                                       "Refusing --purge without specification of a configuration file.");
++
+         if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Option --replace= is not supported with --cat-config/--tldr.");

0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch

@@ -0,0 +1,37 @@
+From 08b8237303efdf072a0f61615b7f1633eafc8e0a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 18 Jun 2024 09:56:15 +0200
+Subject: [PATCH] tmpfiles: move --purge to command section in --help text
+ where it belongs
+
+Also, make contrast between --remove and --purge clearer: one deletes
+files marked for deletion, the other deletes files marked for creation.
+
+(cherry picked from commit 69d76823ce6e9c307184946ed55b207eb728e625)
+---
+ src/tmpfiles/tmpfiles.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 1704197207..8cc8c1ccd6 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -4148,7 +4148,9 @@ static int help(void) {
+                "\n%3$sCommands:%4$s\n"
+                "     --create               Create files and directories\n"
+                "     --clean                Clean up files and directories\n"
+-               "     --remove               Remove files and directories\n"
++               "     --remove               Remove files and directories marked for removal\n"
++               "     --purge                Delete files and directories marked for creation in\n"
++               "                            specified configuration files (careful!)\n"
+                "  -h --help                 Show this help\n"
+                "     --version              Show package version\n"
+                "\n%3$sOptions:%4$s\n"
+@@ -4157,7 +4159,6 @@ static int help(void) {
+                "     --tldr                 Show non-comment parts of configuration\n"
+                "     --boot                 Execute actions only safe at boot\n"
+                "     --graceful             Quietly ignore unknown users or groups\n"
+-               "     --purge                Delete all files owned by the configuration files\n"
+                "     --prefix=PATH          Only apply rules with the specified prefix\n"
+                "     --exclude-prefix=PATH  Ignore rules with the specified prefix\n"
+                "  -E                        Ignore rules prefixed with /dev, /proc, /run, /sys\n"

0037-mkosi-restrict-noble-backports-to-noble-builds.patch

@@ -0,0 +1,37 @@
+From 7b18adadde58798a895366105c6c1517231029d9 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Tue, 18 Jun 2024 13:35:32 +0100
+Subject: [PATCH] mkosi: restrict noble-backports to noble builds
+
+Follow-up for c01cb8cbff8512b65b7903b55f78c8d12661b8d7
+
+(cherry picked from commit f97b243edfcae211aade6ceb2fd89ae9d9209fac)
+---
+ .../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf      | 1 +
+ mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+index 0ec4807822..582f038b5f 100644
+--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+@@ -4,6 +4,7 @@
+ [Match]
+ Architecture=!x86-64
+ Architecture=!x86
++Release=noble
+ 
+ [Distribution]
+ PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
+diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+index c08eeac337..7347be9069 100644
+--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+@@ -4,6 +4,7 @@
+ [Match]
+ Architecture=|x86-64
+ Architecture=|x86
++Release=noble
+ 
+ [Distribution]
+ PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources

0038-repart-fix-memory-leak.patch

@@ -0,0 +1,22 @@
+From f8f669fd69bf15f386308ef8f4cbbbd5a7ad69cd Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
+Date: Tue, 18 Jun 2024 14:07:50 +0200
+Subject: [PATCH] repart: fix memory leak
+
+(cherry picked from commit a81f5ffd40081441dafc678fe83d185436dde35a)
+---
+ src/partition/repart.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 78cf60f724..8f64520ee7 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep);
++STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep);

0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch

@@ -0,0 +1,42 @@
+From 34ba18b0124407403690738b46fbd6236fe65c92 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Tue, 18 Jun 2024 17:55:31 +0900
+Subject: [PATCH] logs-show: do not use _SOURCE_MONOTONIC_TIMESTAMP field
+
+The timestamp is not in CLOCK_MONOTONIC, but CLOCK_BOOTTIME,
+while header monotonic timestamp is in CLOCK_MONOTONIC. Hence, we cannot
+adjust timestamp by comparing with header monotonic timestamp and
+_SOURCE_MONOTONIC_TIMESTAMP field.
+
+Fixes a regression caused by affde1d7e79a634ee6053dbd4a57b3b51b74c170.
+Fixes #33293.
+
+(cherry picked from commit 144498e7e6efe2d90981cb14e3ed462a70a955c6)
+---
+ src/shared/logs-show.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
+index c71c868889..153a4110ce 100644
+--- a/src/shared/logs-show.c
++++ b/src/shared/logs-show.c
+@@ -450,6 +450,9 @@ static void parse_display_realtime(
+         assert(j);
+         assert(ret);
+ 
++        // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
++        source_monotonic = NULL;
++
+         /* First, try _SOURCE_REALTIME_TIMESTAMP. */
+         if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) {
+                 *ret = t;
+@@ -488,6 +491,9 @@ static void parse_display_timestamp(
+         assert(ret_display_ts);
+         assert(ret_boot_id);
+ 
++        // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
++        source_monotonic = NULL;
++
+         if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t))
+                 source_ts.realtime = t;
+ 

0040-ci-update-workflows-to-run-on-source-git-setup.patch

@@ -0,0 +1,98 @@
+From 67ff61b054e8d4d4d3923c3b81586b2d4e286d6b Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 16 May 2024 14:24:38 +0200
+Subject: [PATCH] ci: update workflows to run on source-git setup
+
+rhel-only: ci
+
+Related: RHEL-36636
+---
+ .github/workflows/cflite_pr.yml               | 3 ---
+ .github/workflows/codeql.yml                  | 6 ------
+ .github/workflows/differential-shellcheck.yml | 4 ----
+ .github/workflows/linter.yml                  | 3 ---
+ .github/workflows/unit_tests.yml              | 3 ---
+ 5 files changed, 19 deletions(-)
+
+diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
+index f0d321794a..87dcd3c478 100644
+--- a/.github/workflows/cflite_pr.yml
++++ b/.github/workflows/cflite_pr.yml
+@@ -5,9 +5,6 @@
+ name: ClusterFuzzLite PR fuzzing
+ on:
+   pull_request:
+-    branches:
+-      - main
+-      - v[0-9]+-stable
+ 
+ permissions: read-all
+ 
+diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
+index 0d284f75f1..daf34486d2 100644
+--- a/.github/workflows/codeql.yml
++++ b/.github/workflows/codeql.yml
+@@ -6,9 +6,6 @@ name: "CodeQL"
+ 
+ on:
+   pull_request:
+-    branches:
+-      - main
+-      - v[0-9]+-stable
+     paths:
+       - '**/meson.build'
+       - '.github/**/codeql*'
+@@ -16,9 +13,6 @@ on:
+       - 'test/**'
+       - 'tools/**'
+   push:
+-    branches:
+-      - main
+-      - v[0-9]+-stable
+ 
+ permissions:
+   contents: read
+diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
+index 244f5d503b..403b5cfc58 100644
+--- a/.github/workflows/differential-shellcheck.yml
++++ b/.github/workflows/differential-shellcheck.yml
+@@ -4,11 +4,7 @@
+ name: Differential ShellCheck
+ on:
+   push:
+-    branches:
+-      - main
+   pull_request:
+-    branches:
+-      - main
+ 
+ permissions:
+   contents: read
+diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
+index cf0bc09453..e7fb70f2f5 100644
+--- a/.github/workflows/linter.yml
++++ b/.github/workflows/linter.yml
+@@ -6,9 +6,6 @@ name: Lint Code Base
+ 
+ on:
+   pull_request:
+-    branches:
+-      - main
+-      - v[0-9]+-stable
+ 
+ permissions:
+   contents: read
+diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
+index 895068c2a2..bf6c820092 100644
+--- a/.github/workflows/unit_tests.yml
++++ b/.github/workflows/unit_tests.yml
+@@ -5,9 +5,6 @@
+ name: Unit tests
+ on:
+   pull_request:
+-    branches:
+-      - main
+-      - v[0-9]+-stable
+ 
+ permissions:
+   contents: read

0041-ci-setup-source-git-automation.patch

@@ -0,0 +1,282 @@
+From 67b16d23396d9837f878850e890f90228d59d49e Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 16 May 2024 14:36:04 +0200
+Subject: [PATCH] ci: setup source-git automation
+
+rhel-only: ci
+
+Related: RHEL-36636
+---
+ .github/advanced-commit-linter.yml            | 17 +++++
+ .github/auto-merge.yml                        |  4 ++
+ .github/pull-request-validator.yml            |  4 ++
+ .github/regression-sniffer.yml                |  1 +
+ .github/tracker-validator.yml                 | 31 ++++++++
+ .github/workflows/gather-pr-metadata.yml      | 12 ++--
+ .../source-git-automation-on-demand.yml       | 72 +++++++++++++++++++
+ .github/workflows/source-git-automation.yml   | 45 ++++++++++++
+ 8 files changed, 179 insertions(+), 7 deletions(-)
+ create mode 100644 .github/advanced-commit-linter.yml
+ create mode 100644 .github/auto-merge.yml
+ create mode 100644 .github/pull-request-validator.yml
+ create mode 100644 .github/regression-sniffer.yml
+ create mode 100644 .github/tracker-validator.yml
+ create mode 100644 .github/workflows/source-git-automation-on-demand.yml
+ create mode 100644 .github/workflows/source-git-automation.yml
+
+diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
+new file mode 100644
+index 0000000000..3609fe4612
+--- /dev/null
++++ b/.github/advanced-commit-linter.yml
+@@ -0,0 +1,17 @@
++policy:
++  cherry-pick:
++    upstream:
++      - github: systemd/systemd
++    exception:
++      note:
++        - rhel-only
++        - RHEL-only
++  tracker:
++    - keyword:
++        - 'Resolves: '
++        - 'Related: '
++        - 'Reverts: '
++      type: jira
++      issue-format:
++        - 'RHEL-\d+$'
++      url: 'https://issues.redhat.com/browse/'
+diff --git a/.github/auto-merge.yml b/.github/auto-merge.yml
+new file mode 100644
+index 0000000000..35c2539295
+--- /dev/null
++++ b/.github/auto-merge.yml
+@@ -0,0 +1,4 @@
++labels:
++  dont-merge: dont-merge
++  manual-merge: pr/needs-manual-merge
++target-branch': ['main']
+diff --git a/.github/pull-request-validator.yml b/.github/pull-request-validator.yml
+new file mode 100644
+index 0000000000..4bb5bbec12
+--- /dev/null
++++ b/.github/pull-request-validator.yml
+@@ -0,0 +1,4 @@
++labels:
++  missing-review: pr/needs-review
++  changes-requested: pr/changes-requested
++  missing-failing-ci: pr/needs-ci
+diff --git a/.github/regression-sniffer.yml b/.github/regression-sniffer.yml
+new file mode 100644
+index 0000000000..3824028e92
+--- /dev/null
++++ b/.github/regression-sniffer.yml
+@@ -0,0 +1 @@
++upstream: systemd/systemd
+diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
+new file mode 100644
+index 0000000000..2e858606ff
+--- /dev/null
++++ b/.github/tracker-validator.yml
+@@ -0,0 +1,31 @@
++labels:
++  missing-tracker: tracker/missing
++  invalid-product: tracker/invalid-product
++  invalid-component: tracker/invalid-component
++  unapproved: tracker/unapproved
++products:
++  - Red Hat Enterprise Linux 10
++  - CentOS Stream 10
++  - rhel-10.0.beta 
++  - rhel-10.0
++  - rhel-10.0.z
++  - rhel-10.1
++  - rhel-10.1.z
++  - rhel-10.2
++  - rhel-10.2.z
++  - rhel-10.3
++  - rhel-10.3.z
++  - rhel-10.4
++  - rhel-10.4.z
++  - rhel-10.5
++  - rhel-10.5.z
++  - rhel-10.6
++  - rhel-10.6.z
++  - rhel-10.7
++  - rhel-10.7.z
++  - rhel-10.8
++  - rhel-10.8.z
++  - rhel-10.9
++  - rhel-10.9.z
++  - rhel-10.10
++  - rhel-10.10.z
+diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
+index e4a0caff03..857689a37b 100644
+--- a/.github/workflows/gather-pr-metadata.yml
++++ b/.github/workflows/gather-pr-metadata.yml
+@@ -1,18 +1,17 @@
+ ---
+-
+ name: Gather Pull Request Metadata
+ 
+ on:
+   pull_request:
+-    branches: [ main ]
++    types: [ opened, reopened, synchronize ]
++    branches: [ main, rhel-10.0.beta, rhel-10.* ]
+ 
+ permissions:
+   contents: read
+ 
+ jobs:
+   gather-metadata:
+-    if: github.repository == 'systemd/systemd'
+-    runs-on: ubuntu-24.04
++    runs-on: ubuntu-latest
+ 
+     steps:
+       - name: Repository checkout
+@@ -20,11 +19,10 @@ jobs:
+ 
+       - id: metadata
+         name: Gather Pull Request Metadata
+-        uses: redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b
++        uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1
+ 
+       - name: Upload Pull Request Metadata artifact
+-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
++        uses: actions/upload-artifact@v4
+         with:
+           name: Pull Request Metadata
+           path: ${{ steps.metadata.outputs.metadata-file }}
+-          retention-days: 1
+diff --git a/.github/workflows/source-git-automation-on-demand.yml b/.github/workflows/source-git-automation-on-demand.yml
+new file mode 100644
+index 0000000000..af9ea781f6
+--- /dev/null
++++ b/.github/workflows/source-git-automation-on-demand.yml
+@@ -0,0 +1,72 @@
++name: Source git Automation Scheduled/On Demand
++on:
++  schedule:
++    # Workflow runs every 45 minutes
++    - cron: '*/45 * * * *'
++  workflow_dispatch:
++    inputs:
++      pr-number:
++        description: 'Pull Request number/s ; when not provided, the workflow will run for all open PRs'
++        required: true
++        default: '0'
++
++permissions:
++  contents: read
++
++jobs:
++  # Get all open PRs
++  gather-pull-requests:
++    if: github.repository == 'redhat-plumbers/systemd-rhel10'
++    runs-on: ubuntu-latest
++
++    outputs:
++      pr-numbers: ${{ steps.get-pr-numbers.outputs.result }}
++      pr-numbers-manual: ${{ steps.parse-manual-input.outputs.result }}
++
++    steps:
++      - id: get-pr-numbers
++        if: inputs.pr-number == '0'
++        name: Get all open PRs
++        uses: actions/github-script@v6
++        with:
++          # !FIXME: this is not working if there is more than 100 PRs opened
++          script: |
++            const { data: pullRequests } = await github.rest.pulls.list({
++              owner: context.repo.owner,
++              repo: context.repo.repo,
++              state: 'open',
++              per_page: 100
++            });
++            return pullRequests.map(pr => pr.number);
++
++      - id: parse-manual-input
++        if: inputs.pr-number != '0'
++        name: Parse manual input
++        run: |
++          # shellcheck disable=SC2086
++          echo "result="[ ${{ inputs.pr-number }} ]"" >> $GITHUB_OUTPUT
++        shell: bash
++
++  validate-pr:
++    name: 'Validation of Pull Request #${{ matrix.pr-number }}'
++    needs: [ gather-pull-requests ]
++    runs-on: ubuntu-latest
++
++    strategy:
++      fail-fast: false
++      matrix:
++        pr-number: ${{ inputs.pr-number == 0 && fromJSON(needs.gather-pull-requests.outputs.pr-numbers) || fromJSON(needs.gather-pull-requests.outputs.pr-numbers-manual) }}
++
++    permissions:
++      # required for merging PRs
++      contents: write
++      # required for PR comments and setting labels
++      pull-requests: write
++
++    steps:
++      - name: Source-git Automation
++        uses: redhat-plumbers-in-action/source-git-automation@v1
++        with:
++          pr-number: ${{ matrix.pr-number }}
++          jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
++          token: ${{ secrets.GITHUB_TOKEN }}
+diff --git a/.github/workflows/source-git-automation.yml b/.github/workflows/source-git-automation.yml
+new file mode 100644
+index 0000000000..d58242efa7
+--- /dev/null
++++ b/.github/workflows/source-git-automation.yml
+@@ -0,0 +1,45 @@
++name: Source git Automation
++on:
++  workflow_run:
++    workflows: [ Gather Pull Request Metadata ]
++    types:
++      - completed
++
++permissions:
++  contents: read
++
++jobs:
++  download-metadata:
++    if: >
++      github.event.workflow_run.event == 'pull_request' &&
++      github.event.workflow_run.conclusion == 'success' &&
++      github.repository == 'redhat-plumbers/systemd-rhel10'
++    runs-on: ubuntu-latest
++
++    outputs:
++      pr-metadata: ${{ steps.Artifact.outputs.pr-metadata-json }}
++
++    steps:
++      - id: Artifact
++        name: Download Artifact
++        uses: redhat-plumbers-in-action/download-artifact@v1
++        with:
++          name: Pull Request Metadata
++
++  source-git-automation:
++    needs: [ download-metadata ]
++    runs-on: ubuntu-latest
++
++    permissions:
++      # required for merging PRs
++      contents: write
++      # required for PR comments and setting labels
++      pull-requests: write
++
++    steps:
++      - name: Source-git Automation
++        uses: redhat-plumbers-in-action/source-git-automation@v1
++        with:
++          pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }}
++          jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
++          token: ${{ secrets.GITHUB_TOKEN }}

0042-ci-deploy-systemd-man-to-GitHub-Pages.patch

@@ -1,29 +1,27 @@
-From 045ba12c6337760f0a7f8b0ceb9f998b309e025f Mon Sep 17 00:00:00 2001
+From ecae988291383e13e5b23b5d7a4a1f8a7d6736dc Mon Sep 17 00:00:00 2001
 From: Jan Macku <jamacku@redhat.com>
-Date: Fri, 9 Feb 2024 14:48:02 +0100
+Date: Thu, 16 May 2024 15:14:17 +0200
 Subject: [PATCH] ci: deploy systemd man to GitHub Pages
 
-rhel-only
+rhel-only: ci
 
-Related: RHEL-32494
-
-Co-authored-by: Frantisek Sumsal <frantisek@sumsal.cz>
+Related: RHEL-36636
 ---
- .github/workflows/deploy-man-pages.yml | 60 ++++++++++++++++++++++++++
- 1 file changed, 60 insertions(+)
+ .github/workflows/deploy-man-pages.yml | 59 ++++++++++++++++++++++++++
+ 1 file changed, 59 insertions(+)
  create mode 100644 .github/workflows/deploy-man-pages.yml
 
 diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml
 new file mode 100644
-index 0000000000..9da38a1687
+index 0000000000..9739228a87
 --- /dev/null
 +++ b/.github/workflows/deploy-man-pages.yml
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,59 @@
 +name: Deploy systemd man to Pages
 +
 +on:
 +  push:
-+    branches: [ rhel-8.10.0 ]
++    branches: [ main ]
 +    paths:
 +      - man/*
 +      - .github/workflows/deploy-man-pages.yml
@@ -58,7 +56,6 @@ index 0000000000..9da38a1687
 +
 +      - name: Install dependencies
 +        run: |
-+          RELEASE="$(lsb_release -cs)"
 +          sudo add-apt-repository -y --no-update --enable-source
 +          sudo apt-get -y update
 +          sudo apt-get -y build-dep systemd

0043-ci-reconfigure-Packit-for-RHEL-10.patch

@@ -0,0 +1,61 @@
+From 970ac707323ce1b50c6f45184df4373d651e669c Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Fri, 17 May 2024 13:55:40 +0200
+Subject: [PATCH] ci: reconfigure Packit for RHEL 10
+
+rhel-only: ci
+
+Related: RHEL-36636
+---
+ .packit.yml | 28 +++++++++-------------------
+ 1 file changed, 9 insertions(+), 19 deletions(-)
+
+diff --git a/.packit.yml b/.packit.yml
+index 2dcc9e86ca..340c6992ec 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -24,14 +24,12 @@ actions:
+     - "bash -ec 'git describe --tags --abbrev=0 | cut -b 2-'"
+ 
+   post-upstream-clone:
+-    # Use the Fedora Rawhide specfile
+-    - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1"
++    # Use the CentOS Stream 10 specfile
++    - "git clone -b c10s https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1"
+     # Drop the "sources" file so rebase-helper doesn't think we're a dist-git
+     - "rm -fv .packit_rpm/sources"
+-    # Drop backported patches from the specfile, but keep the downstream-only ones
+-    # - Patch(0000-0499): backported patches from upstream
+-    # - Patch0500-9999: downstream-only patches
+-    - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec"
++    # Drop all patches, since they're already included in the tarball
++    - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec"
+     # Build the RPM with --werror. Even though --werror doesn't work in all
+     # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the
+     # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]).
+@@ -45,20 +43,12 @@ actions:
+     # until the change propagates to Rawhide's specfile
+     - "sed -ri '0,/^BuildRequires: .+$/s//&\\nBuildRequires: libarchive-devel\\nRequires: libarchive/' .packit_rpm/systemd.spec"
+ 
++# Available targets can be listed via `copr-cli list-chroots`
+ jobs:
+ - job: copr_build
+   trigger: pull_request
+   targets:
+-  - fedora-rawhide-aarch64
+-  - fedora-rawhide-i386
+-  - fedora-rawhide-ppc64le
+-  - fedora-rawhide-s390x
+-  - fedora-rawhide-x86_64
+-
+-- job: tests
+-  trigger: pull_request
+-  fmf_url: https://src.fedoraproject.org/tests/systemd
+-  fmf_ref: main
+-  tmt_plan: ci
+-  targets:
+-  - fedora-rawhide-x86_64
++  - centos-stream-10-aarch64
++  - centos-stream-10-ppc64le
++  - centos-stream-10-s390x
++  - centos-stream-10-x86_64

0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch

@@ -0,0 +1,37 @@
+From 517bf132e5508a2ac140dbea3650e89205dee052 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Fri, 21 Jun 2024 16:15:24 +0200
+Subject: [PATCH] ci: allow to pass parameters together with rhel-only note
+
+Supported parameters:
+
+* feature - for feature related commits (cross-version)
+* bugfix - for bugfix related commits (cross-version)
+* doc - for documentation related commits (usually version specific)
+* workaround - for workaround related commits (usually version specific)
+* ci - for CI related commits (version specific)
+* test - for test related commits (version specific)
+* other - for commits that do not fit into any of the above categories or use just `rhel-only`
+
+rhel-only: ci
+
+Related: RHEL-36636
+---
+ .github/advanced-commit-linter.yml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
+index 3609fe4612..3e3e3fe2bf 100644
+--- a/.github/advanced-commit-linter.yml
++++ b/.github/advanced-commit-linter.yml
+@@ -4,8 +4,8 @@ policy:
+       - github: systemd/systemd
+     exception:
+       note:
+-        - rhel-only
+-        - RHEL-only
++        - 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)'
++        - 'RHEL-only: (feature|bugfix|doc|workaround|ci|test|other)'
+   tracker:
+     - keyword:
+         - 'Resolves: '

0045-journal-again-create-user-journals-for-users-with-hi.patch

@@ -0,0 +1,59 @@
+From 8ca92aa84573b47bb6ee6a5853ecd08463b97af8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 9 Jan 2024 11:28:04 +0100
+Subject: [PATCH] journal: again create user journals for users with high uids
+
+This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
+'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
+in an additional check of uid_is_container(uid). The problem is that that change
+is not backwards-compatible at all and very hard for users to handle.
+There is no common agreement on mappings of high-range uids. Systemd declares
+ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
+but this is only a recent change and various sites allocated those ranges
+in a different way, in particular FreeIPA uses (used?) uids from this range
+for human users. On big sites with lots of users changing uids is obviously a
+hard problem. We generally assume that uids cannot be "freed" and/or changed
+and/or reused safely, so we shouldn't demand the same from others.
+
+This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
+SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
+huge problems for existing systems with were created with a different
+definition and couldn't be easily updated. For that case, we added a
+configuration time switch and we now parse /etc/login.defs to actually use the
+value that is appropriate for the local system.
+
+Unfortunately, login.defs doesn't have a concept of container allocation ranges
+(and we don't have code to parse and use those nonexistent names either), so we
+can't tell users to adjust logind.defs to work around the changed definition.
+
+login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
+because they are used to define where the add allocations for subuids, which is
+generally a much smaller range. Maybe we should talk with other folks about
+the appropriate allocation ranges and define some new settings in login.defs.
+But this would require discussion and coordination with other projects first.
+
+Actualy, it seems that this change was needed at all. The code in the container
+does not log to the outside journal. It talks to its own journald, which does
+journal splitting using its internal logic based on shifted uids. So let's
+revert the change to fix user systems.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
+
+rhel-only: bugfix
+
+Related: RHEL-40924
+---
+ src/basic/uid-classification.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
+index e2d2cebc6d..2c8b06c0d3 100644
+--- a/src/basic/uid-classification.c
++++ b/src/basic/uid-classification.c
+@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
+ 
+         /* Returns true if the specified UID shall get its data stored in the system journal. */
+ 
+-        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
++        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
+ }

0046-tmpfiles-make-purge-hard-to-mis-use.patch

@@ -0,0 +1,67 @@
+From 6ad266a125eabbf27dfbe64aae9a0d9060c2bd08 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 18 Jun 2024 20:32:10 +0200
+Subject: [PATCH] tmpfiles: make --purge hard to (mis-)use
+
+Follow-up for https://github.com/systemd/systemd/pull/33383.
+
+rhel-only: bugfix
+
+Related: RHEL-40924
+---
+ src/tmpfiles/tmpfiles.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 8cc8c1ccd6..14048545db 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -4197,6 +4197,7 @@ static int parse_argv(int argc, char *argv[]) {
+                 ARG_IMAGE_POLICY,
+                 ARG_REPLACE,
+                 ARG_DRY_RUN,
++                ARG_DESTROY_DATA,
+                 ARG_NO_PAGER,
+         };
+ 
+@@ -4220,10 +4221,18 @@ static int parse_argv(int argc, char *argv[]) {
+                 { "replace",        required_argument,   NULL, ARG_REPLACE        },
+                 { "dry-run",        no_argument,         NULL, ARG_DRY_RUN        },
+                 { "no-pager",       no_argument,         NULL, ARG_NO_PAGER       },
++
++                /* This is not documented on purpose.
++                 * If you think --purge should be allowed without jumping through hoops,
++                 * consider opening a bug report with the description of the use case.
++                 */
++                { "destroy-data",   no_argument,         NULL, ARG_DESTROY_DATA   },
++
+                 {}
+         };
+ 
+         int c, r;
++        bool destroy_data = false;
+ 
+         assert(argc >= 0);
+         assert(argv);
+@@ -4330,6 +4339,10 @@ static int parse_argv(int argc, char *argv[]) {
+                         arg_dry_run = true;
+                         break;
+ 
++                case ARG_DESTROY_DATA:
++                        destroy_data = true;
++                        break;
++
+                 case ARG_NO_PAGER:
+                         arg_pager_flags |= PAGER_DISABLE;
+                         break;
+@@ -4349,6 +4362,10 @@ static int parse_argv(int argc, char *argv[]) {
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Refusing --purge without specification of a configuration file.");
+ 
++        if (FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data)
++                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
++                                       "Refusing --purge without --destroy-data.");
++
+         if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
+                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Option --replace= is not supported with --cat-config/--tldr.");

0047-fedora-use-system-auth-in-pam-systemd-user.patch

@@ -0,0 +1,33 @@
+From 79519b922b59c2282223742327cc8d75c7b219d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 14 Dec 2022 22:24:53 +0100
+Subject: [PATCH] fedora: use system-auth in pam systemd-user
+
+Adjust upstream config to use our shared stack
+
+rhel-only: feature
+
+Related: RHEL-40924
+---
+ src/login/systemd-user.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 8a3c9e0165..74ef5f2552 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -7,7 +7,7 @@
+ -account sufficient pam_systemd_home.so
+ {% endif %}
+ account  sufficient pam_unix.so no_pass_expiry
+-account  required   pam_permit.so
++account  include    system-auth
+ 
+ {% if HAVE_SELINUX %}
+ session  required   pam_selinux.so close
+@@ -20,4 +20,4 @@ session  required   pam_namespace.so
+ -session optional   pam_systemd_home.so
+ {% endif %}
+ session  optional   pam_umask.so silent
+-session  optional   pam_systemd.so
++session  include    system-auth

0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch

@@ -0,0 +1,317 @@
+From b91be007c4172b50e5ca570c3c3cd64fecbf377b Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Tue, 25 Jun 2024 14:00:45 +0200
+Subject: [PATCH] net-naming-scheme: start rhel10 naming and include rhel8 and
+ rhel9 ones
+
+Also add RHEL8,9,10 versions to version-info.xml file
+
+rhel-only: feature
+
+Resolves: RHEL-22621
+---
+ man/systemd.net-naming-scheme.xml | 186 ++++++++++++++++++++++++++++++
+ man/version-info.xml              |  33 ++++++
+ src/shared/netif-naming-scheme.c  |  17 +++
+ src/shared/netif-naming-scheme.h  |  20 ++++
+ 4 files changed, 256 insertions(+)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index ff811c2bd7..690e3d2c27 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -525,7 +525,193 @@
+           </listitem>
+         </varlistentry>
+ 
++        <varlistentry>
++          <term><constant>rhel-10.0</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>v255</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-10.0"/>
++          </listitem>
++        </varlistentry>
++      </variablelist>
++      <para>By default <constant>rhel-10.0</constant> is used.</para>
++
++      <refsect2>
++      <title>RHEL-9 schemes</title>
++      <para>It is also possible to pick a scheme from RHEL-9</para>
++      <variablelist>
++        <varlistentry>
++          <term><constant>rhel-9.0</constant></term>
++
++          <listitem><para>Since version <constant>v247</constant> we no longer set
++          <varname>ID_NET_NAME_SLOT</varname> if we detect that a PCI device associated with a slot is a PCI
++          bridge as that would create naming conflict when there are more child devices on that bridge. Now,
++          this is relaxed and we will use slot information to generate the name based on it but only if
++          the PCI device has multiple functions. This is safe because distinct function number is a part of
++          the device name for multifunction devices.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-9.0"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-9.1</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-9.0</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-9.1"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-9.2</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-9.0</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-9.2"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-9.3</constant></term>
++
++          <listitem><para>Naming was changed for SR-IOV virtual device representors.</para>
++
++          <para>The <literal>r<replaceable>slot</replaceable></literal> suffix was added to differentiate SR-IOV
++          virtual device representors attached to a single physical device interface.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-9.3"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-9.4</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-9.3</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-9.4"/>
++          </listitem>
++        </varlistentry>
++      </variablelist>
++      </refsect2>
++
++      <refsect2>
++      <title>RHEL-8 schemes</title>
++      <para>It is also possible to pick a scheme from RHEL-8</para>
++      <variablelist>
++        <varlistentry>
++          <term><constant>rhel-8.0</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>v239</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.0"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.1</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.1"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.2</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.2"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.3</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.3"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.4</constant></term>
++
++          <listitem><para>If the PCI slot is assocated with PCI bridge and that has multiple child network
++          controllers then all of them might derive the same value of <varname>ID_NET_NAME_SLOT</varname>
++          property. That could cause naming conflict if the property is selected as a device name. Now, we detect the
++          situation, slot - bridge relation, and we don't produce the <varname>ID_NET_NAME_SLOT</varname> property to
++          avoid possible naming conflict.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.4"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.5</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.5"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.6</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.6"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++         <term><constant>rhel-8.7</constant></term>
++
++          <listitem><para>PCI hotplug slot names for the s390 PCI driver are a hexadecimal representation
++          of the <filename>function_id</filename> device attribute. This attribute is now used to build the
++          <varname>ID_NET_NAME_SLOT</varname>. Before that, all slot names were parsed as decimal
++          numbers, which could either result in an incorrect value of the <varname>ID_NET_NAME_SLOT</varname>
++          property or none at all.</para>
++
++          <para>Some firmware and hypervisor implementations report unreasonable high numbers for the onboard
++          index. To prevent the generation of bogus onbard interface names, index numbers greater than 16381
++          (2^14-1) were ignored. For s390 PCI devices index values up to 65535 (2^16-1) are valid. To account
++          for that, the limit is increased to now 65535.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.7"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.8</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.8"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.9</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.9"/>
++          </listitem>
++        </varlistentry>
++
++        <varlistentry>
++          <term><constant>rhel-8.10</constant></term>
++
++          <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-8.10"/>
++          </listitem>
++        </varlistentry>
+       </variablelist>
++      </refsect2>
+ 
+     <para>Note that <constant>latest</constant> may be used to denote the latest scheme known (to this
+     particular version of systemd).</para>
+diff --git a/man/version-info.xml b/man/version-info.xml
+index bd210b20d3..274450d408 100644
+--- a/man/version-info.xml
++++ b/man/version-info.xml
+@@ -81,4 +81,37 @@
+   <para id="v255">Added in version 255.</para>
+   <para id="v256">Added in version 256.</para>
+   <para id="v257">Added in version 257.</para>
++  <para id="rhel-8.0">Added in rhel-8.0.</para>
++  <para id="rhel-8.1">Added in rhel-8.1.</para>
++  <para id="rhel-8.2">Added in rhel-8.2.</para>
++  <para id="rhel-8.3">Added in rhel-8.3.</para>
++  <para id="rhel-8.4">Added in rhel-8.4.</para>
++  <para id="rhel-8.5">Added in rhel-8.5.</para>
++  <para id="rhel-8.6">Added in rhel-8.6.</para>
++  <para id="rhel-8.7">Added in rhel-8.7.</para>
++  <para id="rhel-8.8">Added in rhel-8.8.</para>
++  <para id="rhel-8.9">Added in rhel-8.9.</para>
++  <para id="rhel-8.10">Added in rhel-8.10.</para>
++  <para id="rhel-9.0">Added in rhel-9.0.</para>
++  <para id="rhel-9.1">Added in rhel-9.1.</para>
++  <para id="rhel-9.2">Added in rhel-9.2.</para>
++  <para id="rhel-9.3">Added in rhel-9.3.</para>
++  <para id="rhel-9.4">Added in rhel-9.4.</para>
++  <para id="rhel-9.5">Added in rhel-9.5.</para>
++  <para id="rhel-9.6">Added in rhel-9.6.</para>
++  <para id="rhel-9.7">Added in rhel-9.7.</para>
++  <para id="rhel-9.8">Added in rhel-9.8.</para>
++  <para id="rhel-9.9">Added in rhel-9.9.</para>
++  <para id="rhel-9.10">Added in rhel-9.10.</para>
++  <para id="rhel-10.0">Added in rhel-10.0.</para>
++  <para id="rhel-10.1">Added in rhel-10.1.</para>
++  <para id="rhel-10.2">Added in rhel-10.2.</para>
++  <para id="rhel-10.3">Added in rhel-10.3.</para>
++  <para id="rhel-10.4">Added in rhel-10.4.</para>
++  <para id="rhel-10.5">Added in rhel-10.5.</para>
++  <para id="rhel-10.6">Added in rhel-10.6.</para>
++  <para id="rhel-10.7">Added in rhel-10.7.</para>
++  <para id="rhel-10.8">Added in rhel-10.8.</para>
++  <para id="rhel-10.9">Added in rhel-10.9.</para>
++  <para id="rhel-10.10">Added in rhel-10.10.</para>
+ </refsect1>
+diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
+index 2955b6e8d5..e4d4c0ba88 100644
+--- a/src/shared/netif-naming-scheme.c
++++ b/src/shared/netif-naming-scheme.c
+@@ -24,6 +24,23 @@ static const NamingScheme naming_schemes[] = {
+         { "v253", NAMING_V253 },
+         { "v254", NAMING_V254 },
+         { "v255", NAMING_V255 },
++        { "rhel-8.0", NAMING_RHEL_8_0 },
++        { "rhel-8.1", NAMING_RHEL_8_1 },
++        { "rhel-8.2", NAMING_RHEL_8_2 },
++        { "rhel-8.3", NAMING_RHEL_8_3 },
++        { "rhel-8.4", NAMING_RHEL_8_4 },
++        { "rhel-8.5", NAMING_RHEL_8_5 },
++        { "rhel-8.6", NAMING_RHEL_8_6 },
++        { "rhel-8.7", NAMING_RHEL_8_7 },
++        { "rhel-8.8", NAMING_RHEL_8_8 },
++        { "rhel-8.9", NAMING_RHEL_8_9 },
++        { "rhel-8.10", NAMING_RHEL_8_10 },
++        { "rhel-9.0", NAMING_RHEL_9_0 },
++        { "rhel-9.1", NAMING_RHEL_9_1 },
++        { "rhel-9.2", NAMING_RHEL_9_2 },
++        { "rhel-9.3", NAMING_RHEL_9_3 },
++        { "rhel-9.4", NAMING_RHEL_9_4 },
++        { "rhel-10.0", NAMING_RHEL_10_0 },
+         /* … add more schemes here, as the logic to name devices is updated … */
+ 
+         EXTRA_NET_NAMING_MAP
+diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
+index 62afdc514a..b0697c141e 100644
+--- a/src/shared/netif-naming-scheme.h
++++ b/src/shared/netif-naming-scheme.h
+@@ -63,6 +63,26 @@ typedef enum NamingSchemeFlags {
+                                                        * systemd version 255, naming scheme "v255". */
+         NAMING_V255 = NAMING_V254 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ 
++        NAMING_RHEL_8_0 = NAMING_V239,
++        NAMING_RHEL_8_1 = NAMING_V239,
++        NAMING_RHEL_8_2 = NAMING_V239,
++        NAMING_RHEL_8_3 = NAMING_V239,
++        NAMING_RHEL_8_4 = NAMING_V239 | NAMING_BRIDGE_NO_SLOT,
++        NAMING_RHEL_8_5 = NAMING_RHEL_8_4,
++        NAMING_RHEL_8_6 = NAMING_RHEL_8_4,
++        NAMING_RHEL_8_7 = NAMING_RHEL_8_4 | NAMING_SLOT_FUNCTION_ID | NAMING_16BIT_INDEX,
++        NAMING_RHEL_8_8 = NAMING_RHEL_8_7,
++        NAMING_RHEL_8_9 = NAMING_RHEL_8_7,
++        NAMING_RHEL_8_10 = NAMING_RHEL_8_7,
++
++        NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT,
++        NAMING_RHEL_9_1 = NAMING_RHEL_9_0,
++        NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
++        NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
++        NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
++
++        NAMING_RHEL_10_0 = NAMING_V255,
++
+         EXTRA_NET_NAMING_SCHEMES
+ 
+         _NAMING_SCHEME_FLAGS_INVALID = -EINVAL,

0049-rules-copy-40-redhat.rules-from-RHEL-9.patch

@@ -0,0 +1,109 @@
+From ee9a767142ec66b1ca93af9401dc8f723ae59881 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Wed, 12 Jun 2024 14:23:30 +0200
+Subject: [PATCH] rules: copy 40-redhat.rules from RHEL 9
+
+Also split rules into 40-redhat-hotplug.rules, 40-redhat-s390.rules and 40-redhat.rules.
+
+rhel-only: feature
+
+Resolves: RHEL-40360
+---
+ rules.d/40-redhat-hotplug.rules | 23 +++++++++++++++++++++++
+ rules.d/40-redhat-s390.rules    | 24 ++++++++++++++++++++++++
+ rules.d/40-redhat.rules         |  8 ++++++++
+ rules.d/meson.build             |  5 ++++-
+ 4 files changed, 59 insertions(+), 1 deletion(-)
+ create mode 100644 rules.d/40-redhat-hotplug.rules
+ create mode 100644 rules.d/40-redhat-s390.rules
+ create mode 100644 rules.d/40-redhat.rules
+
+diff --git a/rules.d/40-redhat-hotplug.rules b/rules.d/40-redhat-hotplug.rules
+new file mode 100644
+index 0000000000..5555eeac75
+--- /dev/null
++++ b/rules.d/40-redhat-hotplug.rules
+@@ -0,0 +1,23 @@
++# do not edit this file, it will be overwritten on update
++
++# CPU hotadd request
++SUBSYSTEM!="cpu", GOTO="cpu_online_end"
++ACTION!="add", GOTO="cpu_online_end"
++CONST{arch}=="ppc64*", GOTO="cpu_online_end"
++CONST{arch}=="s390*", ATTR{configure}=="0", GOTO="cpu_online_end"
++
++TEST=="online", ATTR{online}=="0", ATTR{online}="1"
++
++LABEL="cpu_online_end"
++
++# Memory hotadd request
++SUBSYSTEM!="memory", GOTO="memory_hotplug_end"
++ACTION!="add", GOTO="memory_hotplug_end"
++CONST{arch}=="s390*", GOTO="memory_hotplug_end"
++CONST{arch}=="ppc64*", GOTO="memory_hotplug_end"
++
++ENV{.state}="online"
++CONST{virt}=="none", ENV{.state}="online_movable"
++ATTR{state}=="offline", ATTR{state}="$env{.state}"
++
++LABEL="memory_hotplug_end"
+diff --git a/rules.d/40-redhat-s390.rules b/rules.d/40-redhat-s390.rules
+new file mode 100644
+index 0000000000..64698b90e8
+--- /dev/null
++++ b/rules.d/40-redhat-s390.rules
+@@ -0,0 +1,24 @@
++# do not edit this file, it will be overwritten on update
++
++# Rule for prandom character device node permissions
++KERNEL=="prandom", MODE="0644"
++
++# Rules for creating the ID_PATH for SCSI devices based on the CCW bus
++# using the form: ccw-<BUS_ID>-zfcp-<WWPN>:<LUN>
++#
++ACTION=="remove", GOTO="zfcp_scsi_device_end"
++
++#
++# Set environment variable "ID_ZFCP_BUS" to "1" if the devices
++# (both disk and partition) are SCSI devices based on FCP devices
++#
++KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1"
++
++# For SCSI disks
++KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}"
++
++
++# For partitions on a SCSI disk
++KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
++
++LABEL="zfcp_scsi_device_end"
+diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules
+new file mode 100644
+index 0000000000..975d56fdfd
+--- /dev/null
++++ b/rules.d/40-redhat.rules
+@@ -0,0 +1,8 @@
++# do not edit this file, it will be overwritten on update
++
++# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
++ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
++
++# load SCSI generic (sg) driver
++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index 3040fae8a4..edf419f449 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -5,7 +5,10 @@ install_data(
+         install_dir : udevrulesdir)
+ 
+ rules = [
+-        [files('60-autosuspend.rules',
++        [files('40-redhat-hotplug.rules',
++               '40-redhat-s390.rules',
++               '40-redhat.rules',
++               '60-autosuspend.rules',
+                '60-block.rules',
+                '60-cdrom_id.rules',
+                '60-dmi-id.rules',

0050-logind-set-RemoveIPC-to-false-by-default.patch

@@ -1,9 +1,11 @@
-From 0b3833d6c3b751c6dfb40eeb2ef852984c58f546 Mon Sep 17 00:00:00 2001
+From 6e4f0c54b24080fb57261a54a4e26b64f806f40d Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Wed, 1 Aug 2018 10:58:28 +0200
 Subject: [PATCH] logind: set RemoveIPC to false by default
 
-Resolves: #1523233
+RHEL-only: bugfix
+
+Related: RHEL-40924
 ---
  man/logind.conf.xml      | 2 +-
  src/login/logind-core.c  | 2 +-
@@ -11,40 +13,41 @@ Resolves: #1523233
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/man/logind.conf.xml b/man/logind.conf.xml
-index 9e88764c6f..7d7e869a26 100644
+index c52431fd41..bb5e13bfd9 100644
 --- a/man/logind.conf.xml
 +++ b/man/logind.conf.xml
-@@ -319,7 +319,7 @@
+@@ -374,7 +374,7 @@
          user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the
          last of the user's sessions terminated. This covers System V semaphores, shared memory and message queues, as
          well as POSIX shared memory and message queues. Note that IPC objects of the root user and other system users
--        are excluded from the effect of this setting. Defaults to <literal>yes</literal>.</para></listitem>
-+        are excluded from the effect of this setting. Defaults to <literal>no</literal>.</para></listitem>
-       </varlistentry>
+-        are excluded from the effect of this setting. Defaults to <literal>yes</literal>.</para>
++        are excluded from the effect of this setting. Defaults to <literal>no</literal>.</para>
  
-     </variablelist>
+         <xi:include href="version-info.xml" xpointer="v212"/></listitem>
+       </varlistentry>
 diff --git a/src/login/logind-core.c b/src/login/logind-core.c
-index dbae4bf5af..511e3acf8f 100644
+index 71e4247a79..26250c5704 100644
 --- a/src/login/logind-core.c
 +++ b/src/login/logind-core.c
-@@ -25,7 +25,7 @@ void manager_reset_config(Manager *m) {
+@@ -36,7 +36,7 @@ void manager_reset_config(Manager *m) {
  
          m->n_autovts = 6;
          m->reserve_vt = 6;
 -        m->remove_ipc = true;
 +        m->remove_ipc = false;
          m->inhibit_delay_max = 5 * USEC_PER_SEC;
-         m->handle_power_key = HANDLE_POWEROFF;
-         m->handle_suspend_key = HANDLE_SUSPEND;
+         m->user_stop_delay = 10 * USEC_PER_SEC;
+ 
 diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in
-index 1029e29bc7..c7346f9819 100644
+index b62458ec3c..dc798bea2d 100644
 --- a/src/login/logind.conf.in
 +++ b/src/login/logind.conf.in
-@@ -32,6 +32,6 @@
- #IdleAction=ignore
+@@ -46,7 +46,7 @@
  #IdleActionSec=30min
  #RuntimeDirectorySize=10%
+ #RuntimeDirectoryInodesMax=
 -#RemoveIPC=yes
 +#RemoveIPC=no
  #InhibitorsMax=8192
  #SessionsMax=8192
+ #StopIdleSessionSec=infinity

0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch

@@ -0,0 +1,43 @@
+From ed416f79aac6c1136f5d20a19cfc20c2709ab314 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 5 Aug 2021 17:11:47 +0200
+Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf
+ symlink
+
+RHEL-only: bugfix
+
+Related: RHEL-40924
+---
+ tmpfiles.d/meson.build          |  1 -
+ tmpfiles.d/systemd-resolve.conf | 10 ----------
+ 2 files changed, 11 deletions(-)
+ delete mode 100644 tmpfiles.d/systemd-resolve.conf
+
+diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
+index bec24ac7b4..55ce48979d 100644
+--- a/tmpfiles.d/meson.build
++++ b/tmpfiles.d/meson.build
+@@ -10,7 +10,6 @@ files = [['README',               ''],
+          ['systemd-nologin.conf', 'HAVE_PAM'],
+          ['systemd-nspawn.conf',  'ENABLE_MACHINED'],
+          ['systemd-pstore.conf',  'ENABLE_PSTORE'],
+-         ['systemd-resolve.conf', 'ENABLE_RESOLVE'],
+          ['systemd-tmp.conf',     ''],
+          ['tmp.conf',             ''],
+          ['x11.conf',             ''],
+diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf
+deleted file mode 100644
+index cb1c56d6a6..0000000000
+--- a/tmpfiles.d/systemd-resolve.conf
++++ /dev/null
+@@ -1,10 +0,0 @@
+-#  This file is part of systemd.
+-#
+-#  systemd is free software; you can redistribute it and/or modify it
+-#  under the terms of the GNU Lesser General Public License as published by
+-#  the Free Software Foundation; either version 2.1 of the License, or
+-#  (at your option) any later version.
+-
+-# See tmpfiles.d(5) for details
+-
+-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf

0052-rc-local-order-after-network-online.target.patch

@@ -1,4 +1,4 @@
-From 8cd99937562cde7533519303a7a0ad1df749e075 Mon Sep 17 00:00:00 2001
+From 49241b42effa3684b485a8b90e5b4256a6223971 Mon Sep 17 00:00:00 2001
 From: David Tardon <dtardon@redhat.com>
 Date: Thu, 11 Mar 2021 15:48:23 +0100
 Subject: [PATCH] rc-local: order after network-online.target
@@ -6,21 +6,21 @@ Subject: [PATCH] rc-local: order after network-online.target
 I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf,
 just network-online.target didn't exist back then.
 
-RHEL-only
+RHEL-only: bugfix
 
-Resolves: #1934028
+Related: RHEL-40924
 ---
  units/rc-local.service.in | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/units/rc-local.service.in b/units/rc-local.service.in
-index 78ce69e0ae..74e83d8c07 100644
+index 6fb0838cdb..40ffc15c99 100644
 --- a/units/rc-local.service.in
 +++ b/units/rc-local.service.in
 @@ -13,7 +13,8 @@
- Description=@RC_LOCAL_SCRIPT_PATH_START@ Compatibility
+ Description={{RC_LOCAL_PATH}} Compatibility
  Documentation=man:systemd-rc-local-generator(8)
- ConditionFileIsExecutable=@RC_LOCAL_SCRIPT_PATH_START@
+ ConditionFileIsExecutable={{RC_LOCAL_PATH}}
 -After=network.target
 +After=network-online.target
 +Wants=network-online.target

0053-random-util-increase-random-seed-size-to-1024.patch

@@ -0,0 +1,25 @@
+From 9a6ef20bab1411570b3af6f6bbdb1a299ea8e73a Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Thu, 15 Jul 2021 11:15:17 +0200
+Subject: [PATCH] random-util: increase random seed size to 1024
+
+RHEL-only: feature
+
+Related: RHEL-40924
+---
+ src/basic/random-util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/random-util.h b/src/basic/random-util.h
+index b1a4d10971..08b1a3599a 100644
+--- a/src/basic/random-util.h
++++ b/src/basic/random-util.h
+@@ -21,7 +21,7 @@ static inline uint32_t random_u32(void) {
+ }
+ 
+ /* Some limits on the pool sizes when we deal with the kernel random pool */
+-#define RANDOM_POOL_SIZE_MIN 32U
++#define RANDOM_POOL_SIZE_MIN 1024U
+ #define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U)
+ #define RANDOM_EFI_SEED_SIZE 32U
+ 

0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch

@@ -0,0 +1,25 @@
+From 15465a4a302c4379746a21ef7b7fb9a9bfea9297 Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Thu, 2 May 2019 14:11:54 +0200
+Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by
+ default
+
+RHEL-only: feature
+
+Related: RHEL-40924
+---
+ presets/90-systemd.preset | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
+index da6b9805fd..004ea6fe14 100644
+--- a/presets/90-systemd.preset
++++ b/presets/90-systemd.preset
+@@ -21,7 +21,6 @@ enable systemd-boot-update.service
+ enable systemd-confext.service
+ enable systemd-homed.service
+ enable systemd-homed-activate.service
+-enable systemd-journald-audit.socket
+ enable systemd-mountfsd.socket
+ enable systemd-network-generator.service
+ enable systemd-networkd.service

0055-journald.conf-don-t-touch-current-audit-settings.patch

@@ -0,0 +1,22 @@
+From b340b4c797599aa444f9dbf07c6ef7ea29021604 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Thu, 5 Aug 2021 15:26:13 +0200
+Subject: [PATCH] journald.conf: don't touch current audit settings
+
+RHEL-only: policy
+
+Related: RHEL-40924
+---
+ src/journal/journald.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/journal/journald.conf b/src/journal/journald.conf
+index 13cdd6300f..fc307c53c2 100644
+--- a/src/journal/journald.conf
++++ b/src/journal/journald.conf
+@@ -47,4 +47,4 @@
+ #MaxLevelSocket=debug
+ #LineMax=48K
+ #ReadKMsg=yes
+-#Audit=yes
++Audit=

0056-rules-add-elevator-kernel-command-line-parameter.patch

@@ -1,4 +1,4 @@
-From 1255584bb0a595fb555af7e14230ab1b7aa6adcd Mon Sep 17 00:00:00 2001
+From 3847259c117fd511043a60400233ca9d1af1b5ce Mon Sep 17 00:00:00 2001
 From: Lukas Nykryn <lnykryn@redhat.com>
 Date: Tue, 12 Feb 2019 16:58:16 +0100
 Subject: [PATCH] rules: add elevator= kernel command line parameter
@@ -6,18 +6,20 @@ Subject: [PATCH] rules: add elevator= kernel command line parameter
 Kernel removed the elevator= option, so let's reintroduce
 it for rhel8 via udev rule.
 
-rhel-only
-Resolves: #1670126
----
- rules/40-elevator.rules | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
- create mode 100644 rules/40-elevator.rules
+RHEL-only: feature
 
-diff --git a/rules/40-elevator.rules b/rules/40-elevator.rules
+Related: RHEL-40924
+---
+ rules.d/40-elevator.rules | 20 ++++++++++++++++++++
+ rules.d/meson.build       |  1 +
+ 2 files changed, 21 insertions(+)
+ create mode 100644 rules.d/40-elevator.rules
+
+diff --git a/rules.d/40-elevator.rules b/rules.d/40-elevator.rules
 new file mode 100644
 index 0000000000..dbe8fc81a4
 --- /dev/null
-+++ b/rules/40-elevator.rules
++++ b/rules.d/40-elevator.rules
 @@ -0,0 +1,20 @@
 +# We aren't adding devices skip the elevator check
 +ACTION!="add", GOTO="sched_out"
@@ -40,3 +42,15 @@ index 0000000000..dbe8fc81a4
 +
 +LABEL="sched_out"
 \ No newline at end of file
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index edf419f449..2b57322a12 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -8,6 +8,7 @@ rules = [
+         [files('40-redhat-hotplug.rules',
+                '40-redhat-s390.rules',
+                '40-redhat.rules',
++               '40-elevator.rules',
+                '60-autosuspend.rules',
+                '60-block.rules',
+                '60-cdrom_id.rules',

0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch

@@ -0,0 +1,59 @@
+From 5725d315940804ba80468e6e3b6ea4653587f109 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 1 Aug 2018 13:19:39 +0200
+Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value
+
+This should be hopefully high enough even for the very big deployments.
+
+RHEL-only: feature
+
+Related: RHEL-40924
+---
+ man/systemd-system.conf.xml | 4 ++--
+ src/core/manager.c          | 2 +-
+ src/core/system.conf.in     | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
+index ae5b61b149..22919842f5 100644
+--- a/man/systemd-system.conf.xml
++++ b/man/systemd-system.conf.xml
+@@ -520,10 +520,10 @@
+         <listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
+         <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+         for details. This setting applies to all unit types that support resource control settings, with the exception
+-        of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
++        of slice units. Defaults to 80% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
+         and root cgroup <varname>pids.max</varname>.
+         Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
+-        For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
++        For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 26214,
+         but might be greater in other systems or smaller in OS containers.</para>
+ 
+         <xi:include href="version-info.xml" xpointer="v228"/></listitem>
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 90e72b0c02..8ddf37fdad 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -117,7 +117,7 @@
+ /* How many units and jobs to process of the bus queue before returning to the event loop. */
+ #define MANAGER_BUS_MESSAGE_BUDGET 100U
+ 
+-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */
++#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 80U, 100U }) /* 80% */
+ 
+ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
+ static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 1c08aa4d22..4fe420c344 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -59,7 +59,7 @@
+ #DefaultIPAccounting=no
+ #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
+ #DefaultTasksAccounting=yes
+-#DefaultTasksMax=15%
++#DefaultTasksMax=80%
+ #DefaultLimitCPU=
+ #DefaultLimitFSIZE=
+ #DefaultLimitDATA=

0058-udev-net-setup-link-change-the-default-MACAddressPol.patch

@@ -0,0 +1,53 @@
+From 2b9b38af0bd6f15d316869022ad296f5927f2d2b Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Tue, 21 Sep 2021 15:01:19 +0200
+Subject: [PATCH] udev/net-setup-link: change the default MACAddressPolicy to
+ "none"
+
+While stable MAC address for interface types that don't have the
+address provided by HW could be useful it also breaks LACP based bonds.
+Let's err on the side of caution and don't change the MAC address from
+udev.
+
+RHEL-only: policy
+
+Related: RHEL-40924
+---
+ man/systemd.link.xml                       | 2 +-
+ network/99-default.link                    | 2 +-
+ test/fuzz/fuzz-link-parser/99-default.link | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/systemd.link.xml b/man/systemd.link.xml
+index 3991d91881..0002eb3617 100644
+--- a/man/systemd.link.xml
++++ b/man/systemd.link.xml
+@@ -1386,7 +1386,7 @@ OriginalName=*
+ [Link]
+ NamePolicy=keep kernel database onboard slot path
+ AlternativeNamesPolicy=database onboard slot path
+-MACAddressPolicy=persistent</programlisting>
++MACAddressPolicy=none</programlisting>
+     </example>
+ 
+     <example>
+diff --git a/network/99-default.link b/network/99-default.link
+index 56030b62be..5628dcf845 100644
+--- a/network/99-default.link
++++ b/network/99-default.link
+@@ -12,4 +12,4 @@ OriginalName=*
+ [Link]
+ NamePolicy=keep kernel database onboard slot path
+ AlternativeNamesPolicy=database onboard slot path
+-MACAddressPolicy=persistent
++MACAddressPolicy=none
+diff --git a/test/fuzz/fuzz-link-parser/99-default.link b/test/fuzz/fuzz-link-parser/99-default.link
+index feb5b1fbb0..3d755898b4 100644
+--- a/test/fuzz/fuzz-link-parser/99-default.link
++++ b/test/fuzz/fuzz-link-parser/99-default.link
+@@ -9,4 +9,4 @@
+ 
+ [Link]
+ NamePolicy=keep kernel database onboard slot path
+-MACAddressPolicy=persistent
++MACAddressPolicy=none

0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch

@@ -0,0 +1,40 @@
+From 74151c1fd19cbd73f2a6d1c2f84eac9bb73eac7e Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Tue, 22 Feb 2022 13:24:11 +0100
+Subject: [PATCH] core: decrease log level of messages about use of
+ KillMode=none
+
+RHEL-only: bugfix
+
+Related: RHEL-40924
+---
+ src/core/load-fragment.c | 2 +-
+ src/core/unit.c          | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
+index 5ae68886af..d4c006eb87 100644
+--- a/src/core/load-fragment.c
++++ b/src/core/load-fragment.c
+@@ -868,7 +868,7 @@ int config_parse_kill_mode(
+         }
+ 
+         if (m == KILL_NONE)
+-                log_syntax(unit, LOG_WARNING, filename, line, 0,
++                log_syntax(unit, LOG_DEBUG, filename, line, 0,
+                            "Unit uses KillMode=none. "
+                            "This is unsafe, as it disables systemd's process lifecycle management for the service. "
+                            "Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. "
+diff --git a/src/core/unit.c b/src/core/unit.c
+index 2d40618fcb..0ec5dcaf75 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -5867,7 +5867,7 @@ int unit_log_leftover_process_start(const PidRef *pid, int sig, void *userdata)
+ 
+         /* During start we print a warning */
+ 
+-        log_unit_warning(userdata,
++        log_unit_debug(userdata,
+                          "Found left-over process " PID_FMT " (%s) in control group while starting unit. Ignoring.\n"
+                          "This usually indicates unclean termination of a previous run, or service implementation deficiencies.",
+                          pid->pid, strna(comm));

0060-meson-rename-libbasic-to-libbasic_static.patch

@@ -0,0 +1,180 @@
+From 40527d91d2fb1d987473bb4bcf1c929a85ffe9a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 3 Jul 2024 16:51:05 +0200
+Subject: [PATCH] meson: rename libbasic to libbasic_static
+
+Our variables for internal libraries are named 'libfoo' for the shared lib
+variant, and 'libfoo_static' for the static lib variant. The only exception was
+libbasic, because we didn't have a shared variant for it. But let's rename it
+for consitency. This makes the build config easier to understand.
+
+see currently unmerged https://github.com/systemd/systemd/pull/33599
+
+RHEL-only workaround
+
+Resolves: RHEL-46020
+---
+ meson.build                | 4 ++--
+ src/basic/meson.build      | 2 +-
+ src/libsystemd/meson.build | 2 +-
+ src/partition/meson.build  | 2 +-
+ src/shared/meson.build     | 2 +-
+ src/shutdown/meson.build   | 2 +-
+ src/sysusers/meson.build   | 2 +-
+ src/test/meson.build       | 8 ++++----
+ src/tmpfiles/meson.build   | 2 +-
+ 9 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index e42151998b..18115cad5e 100644
+--- a/meson.build
++++ b/meson.build
+@@ -2078,7 +2078,7 @@ libsystemd = shared_library(
+                      # Make sure our library is never deleted from memory, so that our open logging fds don't leak on dlopen/dlclose cycles.
+                      '-z', 'nodelete',
+                      '-Wl,--version-script=' + libsystemd_sym_path],
+-        link_with : [libbasic],
++        link_with : [libbasic_static],
+         link_whole : [libsystemd_static],
+         dependencies : [librt,
+                         threads,
+@@ -2243,7 +2243,7 @@ nss_template = {
+         'link_with' : [
+                 libsystemd_static,
+                 libshared_static,
+-                libbasic,
++                libbasic_static,
+         ],
+         'dependencies' : [
+                 librt,
+diff --git a/src/basic/meson.build b/src/basic/meson.build
+index 9a214575a5..b538775576 100644
+--- a/src/basic/meson.build
++++ b/src/basic/meson.build
+@@ -274,7 +274,7 @@ filesystem_switch_case_h = custom_target(
+ 
+ basic_sources += [filesystem_list_h, filesystem_switch_case_h, filesystems_gperf_h]
+ 
+-libbasic = static_library(
++libbasic_static = static_library(
+         'basic',
+         basic_sources,
+         fundamental_sources,
+diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build
+index 6d4337d1a7..243549299f 100644
+--- a/src/libsystemd/meson.build
++++ b/src/libsystemd/meson.build
+@@ -118,7 +118,7 @@ libsystemd_static = static_library(
+         libsystemd_sources,
+         include_directories : libsystemd_includes,
+         c_args : libsystemd_c_args,
+-        link_with : [libbasic],
++        link_with : [libbasic_static],
+         dependencies : [threads,
+                         librt,
+                         userspace],
+diff --git a/src/partition/meson.build b/src/partition/meson.build
+index 52e1368116..2cfe43e029 100644
+--- a/src/partition/meson.build
++++ b/src/partition/meson.build
+@@ -32,7 +32,7 @@ executables += [
+                 'sources' : files('repart.c'),
+                 'c_args' : '-DSTANDALONE',
+                 'link_with' : [
+-                        libbasic,
++                        libbasic_static,
+                         libshared_fdisk,
+                         libshared_static,
+                         libsystemd_static,
+diff --git a/src/shared/meson.build b/src/shared/meson.build
+index c5106d87d5..e513c0ec1c 100644
+--- a/src/shared/meson.build
++++ b/src/shared/meson.build
+@@ -358,7 +358,7 @@ libshared = shared_library(
+                      '-Wl,--version-script=' + libshared_sym_path],
+         link_depends : libshared_sym_path,
+         link_whole : [libshared_static,
+-                      libbasic,
++                      libbasic_static,
+                       libsystemd_static],
+         dependencies : [libshared_deps,
+                         userspace],
+diff --git a/src/shutdown/meson.build b/src/shutdown/meson.build
+index 219f9fd308..9bc60f83e5 100644
+--- a/src/shutdown/meson.build
++++ b/src/shutdown/meson.build
+@@ -20,7 +20,7 @@ executables += [
+                 'sources' : systemd_shutdown_sources,
+                 'c_args' : '-DSTANDALONE',
+                 'link_with' : [
+-                        libbasic,
++                        libbasic_static,
+                         libshared_static,
+                         libsystemd_static,
+                 ],
+diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build
+index 0f9c067d50..403d82a340 100644
+--- a/src/sysusers/meson.build
++++ b/src/sysusers/meson.build
+@@ -14,7 +14,7 @@ executables += [
+                 'sources' : files('sysusers.c'),
+                 'c_args' : '-DSTANDALONE',
+                 'link_with' : [
+-                        libbasic,
++                        libbasic_static,
+                         libshared_static,
+                         libsystemd_static,
+                 ],
+diff --git a/src/test/meson.build b/src/test/meson.build
+index 3abbb94d9f..9d3c7d675f 100644
+--- a/src/test/meson.build
++++ b/src/test/meson.build
+@@ -274,7 +274,7 @@ executables += [
+                 # only static linking apart from libdl, to make sure that the
+                 # module is linked to all libraries that it uses.
+                 'sources' : files('test-dlopen.c'),
+-                'link_with' : libbasic,
++                'link_with' : libbasic_static,
+                 'dependencies' : libdl,
+                 'install' : false,
+                 'type' : 'manual',
+@@ -410,7 +410,7 @@ executables += [
+         },
+         test_template + {
+                 'sources' : files('test-sizeof.c'),
+-                'link_with' : libbasic,
++                'link_with' : libbasic_static,
+         },
+         test_template + {
+                 'sources' : files('test-time-util.c'),
+@@ -590,7 +590,7 @@ executables += [
+         test_template + {
+                 'sources' : files('../libsystemd/sd-device/test-sd-device-thread.c'),
+                 'link_with' : [
+-                        libbasic,
++                        libbasic_static,
+                         libsystemd,
+                 ],
+                 'dependencies' : threads,
+@@ -598,7 +598,7 @@ executables += [
+         test_template + {
+                 'sources' : files('../libudev/test-udev-device-thread.c'),
+                 'link_with' : [
+-                        libbasic,
++                        libbasic_static,
+                         libudev,
+                 ],
+                 'dependencies' : threads,
+diff --git a/src/tmpfiles/meson.build b/src/tmpfiles/meson.build
+index 2e918509a7..09ad839586 100644
+--- a/src/tmpfiles/meson.build
++++ b/src/tmpfiles/meson.build
+@@ -20,7 +20,7 @@ executables += [
+                 'sources' : systemd_tmpfiles_sources,
+                 'c_args' : '-DSTANDALONE',
+                 'link_with' : [
+-                        libbasic,
++                        libbasic_static,
+                         libshared_static,
+                         libsystemd_static,
+                 ],

0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch

@@ -0,0 +1,63 @@
+From 9eccd6c09f06979003eb2ae1f159defc40213fe0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 3 Jul 2024 17:03:26 +0200
+Subject: [PATCH] meson: build libsystemd-core via an intermediate static
+ library
+
+By itself, this is not useful. I'm making this a separate commit to
+make debugging easier. It turns out that meson does static libraries
+using references, so the "static library" a tiny stub stub that refers
+to the object files on disk and this has negligible cost:
+$ ls -lhd build/src/core/libsystemd-core-257.{a,so}
+-rw-r--r-- 1 zbyszek zbyszek  36K Jul  3 16:54 build/src/core/libsystemd-core-257.a
+-rwxr-xr-x 1 zbyszek zbyszek 6.1M Jul  3 16:54 build/src/core/libsystemd-core-257.so
+
+see currently unmerged https://github.com/systemd/systemd/pull/33599
+
+RHEL-only workaround
+
+Resolves: RHEL-46020
+---
+ src/core/meson.build | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/core/meson.build b/src/core/meson.build
+index 7a2012a372..1ef31cc529 100644
+--- a/src/core/meson.build
++++ b/src/core/meson.build
+@@ -110,17 +110,13 @@ load_fragment_gperf_nulstr_c = custom_target(
+ 
+ libcore_name = 'systemd-core-@0@'.format(shared_lib_tag)
+ 
+-libcore = shared_library(
++libcore_static = static_library(
+         libcore_name,
+         libcore_sources,
+         load_fragment_gperf_c,
+         load_fragment_gperf_nulstr_c,
+         include_directories : includes,
+         c_args : ['-fvisibility=default'],
+-        link_args : ['-shared',
+-                     '-Wl,--version-script=' + libshared_sym_path],
+-        link_depends : libshared_sym_path,
+-        link_with : libshared,
+         dependencies : [libacl,
+                         libapparmor,
+                         libaudit,
+@@ -135,6 +131,16 @@ libcore = shared_library(
+                         libselinux,
+                         threads,
+                         userspace],
++        build_by_default : false)
++
++libcore = shared_library(
++        libcore_name,
++        c_args : ['-fvisibility=default'],
++        link_args : ['-shared',
++                     '-Wl,--version-script=' + libshared_sym_path],
++        link_depends : libshared_sym_path,
++        link_whole: libcore_static,
++        link_with : libshared,
+         install : true,
+         install_dir : pkglibdir)
+ 

0062-meson-add-option-to-build-systemd-executor-staticall.patch

@@ -0,0 +1,101 @@
+From f3b375da4cd070788b2b8a21fe678c15cb4babe8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 3 Jul 2024 17:05:31 +0200
+Subject: [PATCH] meson: add option to build systemd-executor "statically"
+
+The new link-executor-shared option is similar to the existing
+link-udev-shared: when set to false, we link to the static versions of our
+internal libraries.
+
+The resulting exuctor binary is fairly large, about as large as libsystemd-core
+(14 MB without lto, 8 with lto).
+
+This is intended as a workaround for the fuckup with the pinned executor
+binary:
+when an upgrade is performed, the package manager will install new version of
+the libraries and new version of the code, and some time later reexecute the
+managers. This creates a window when the pinned executor binary will fail to
+execute. There are two factors which make the issue easier to hit:
+
+- when the distribution uses a finely-grained shared-lib-tag. E.g. Fedora
+  uses version-release as the tag, which means that the issue occurs on
+  every package upgrade. This is the right thing to do, because the
+  ABI of our internal libraries is not stable at all, so replacing the
+  library from a different version in place creates a window where our
+  programs may crash or misbehave.
+
+- when the distribution doesn't immediately reexec all the managers after
+  upgrade. In early versions of systemd, we used to hammer the machine during
+  upgrade, doing daemon-reexecs repeatedly. This works, but is ugly and
+  wasteful. Doing the reexecs while the upgrade is in progres also creates a
+  window where a mix of old and new configs or both is loaded. Users are
+  particularly annoyed by those reloads if there is some issue in the
+  configuration causing us to emit warnings on every reexec. Doing the
+  reexecs once after the new configuration and libraries have been put
+  in place is nicer.
+
+The pinning of the executor binary breaks upgrades and in particular
+it penalizes the distributions which make use of the features which
+were previously added to avoid bugs and inefficiency during upgrades.
+
+When the executor is linked statically, there is a smaller chance that it'll
+fail to load libraries. The issue can still occur because other libraries, not
+our own, are linked dynamically.
+
+see currently unmerged https://github.com/systemd/systemd/pull/33599
+
+RHEL-only workaround
+
+Resolves: RHEL-46020
+---
+ meson_options.txt    |  2 ++
+ src/core/meson.build | 16 ++++++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/meson_options.txt b/meson_options.txt
+index d52ca4e4b5..3cce818392 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -21,6 +21,8 @@ option('rootprefix', type : 'string', deprecated: true,
+        description : '''This option is deprecated and will be removed in a future release''')
+ option('link-udev-shared', type : 'boolean',
+        description : 'link systemd-udevd and its helpers to libsystemd-shared.so')
++option('link-executor-shared', type : 'boolean',
++       description : 'link systemd-executor to libsystemd-shared.so and libsystemd-core.so')
+ option('link-systemctl-shared', type: 'boolean',
+        description : 'link systemctl against libsystemd-shared.so')
+ option('link-networkd-shared', type: 'boolean',
+diff --git a/src/core/meson.build b/src/core/meson.build
+index 1ef31cc529..dbeb752977 100644
+--- a/src/core/meson.build
++++ b/src/core/meson.build
+@@ -156,6 +156,17 @@ systemd_executor_sources = files(
+         'exec-invoke.c',
+ )
+ 
++executor_libs = get_option('link-executor-shared') ? \
++        [
++                libcore,
++                libshared,
++        ] : [
++                libcore_static,
++                libshared_static,
++                libbasic_static,
++                libsystemd_static,
++        ]
++
+ executables += [
+         libexec_template + {
+                 'name' : 'systemd',
+@@ -173,10 +184,7 @@ executables += [
+                 'public' : true,
+                 'sources' : systemd_executor_sources,
+                 'include_directories' : core_includes,
+-                'link_with' : [
+-                        libcore,
+-                        libshared,
+-                ],
++                'link_with' : executor_libs,
+                 'dependencies' : [
+                         libapparmor,
+                         libpam,

0063-taint-remove-unmerged-bin.patch

@@ -0,0 +1,86 @@
+From 13a07024f674e770844de29cd3d01cb7117f56d9 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Mon, 8 Jul 2024 14:44:45 +0200
+Subject: [PATCH] taint: remove unmerged-bin
+
+In rhel10 we will have separate bin and sbin
+
+RHEL-only: policy
+
+Resolves: RHEL-46277
+---
+ catalog/systemd.catalog.in       | 1 -
+ catalog/systemd.pl.catalog.in    | 1 -
+ man/org.freedesktop.systemd1.xml | 9 ---------
+ src/core/taint.c                 | 7 +------
+ 4 files changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
+index 2831152763..66ffefd1c8 100644
+--- a/catalog/systemd.catalog.in
++++ b/catalog/systemd.catalog.in
+@@ -560,7 +560,6 @@ Support: %SUPPORT_URL%
+ The following "tags" are possible:
+ - "unmerged-usr" - /bin, /sbin, /lib* are not symlinks to their counterparts
+   under /usr/
+-- "unmerged-bin" - /usr/sbin is not a symlink to /usr/bin/
+ - "var-run-bad" — /var/run is not a symlink to /run/
+ - "cgroupsv1" - the system is using the deprecated cgroup v1 hierarchy
+ - "local-hwclock" - the local hardware clock (RTC) is configured to be in
+diff --git a/catalog/systemd.pl.catalog.in b/catalog/systemd.pl.catalog.in
+index 75039e9fcd..fcba4b500a 100644
+--- a/catalog/systemd.pl.catalog.in
++++ b/catalog/systemd.pl.catalog.in
+@@ -566,7 +566,6 @@ Support: %SUPPORT_URL%
+ Możliwe są następujące „etykiety”:
+ • „unmerged-usr” — /bin, /sbin, /lib* nie są dowiązaniami symbolicznymi
+   do swoich odpowiedników pod /usr/,
+-• „unmerged-bin” — /usr/sbin nie jest dowiązaniem symbolicznym do /usr/bin/,
+ • „var-run-bad” — /var/run nie jest dowiązaniem symbolicznym do /run/,
+ • „cgroupsv1” — system używa przestarzałej hierarchii cgroup v1,
+ • „local-hwclock” — lokalny zegar sprzętowy (RTC) jest skonfigurowany
+diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
+index b0b45097e3..f2b5ca39e7 100644
+--- a/man/org.freedesktop.systemd1.xml
++++ b/man/org.freedesktop.systemd1.xml
+@@ -1666,15 +1666,6 @@ node /org/freedesktop/systemd1 {
+           <xi:include href="version-info.xml" xpointer="v252"/></listitem>
+         </varlistentry>
+ 
+-        <varlistentry>
+-          <term><literal>unmerged-bin</literal></term>
+-
+-          <listitem><para><filename>/usr/sbin</filename> is not a symlink to <filename>/usr/bin/</filename>.
+-          </para>
+-
+-          <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+-        </varlistentry>
+-
+         <varlistentry>
+           <term><literal>var-run-bad</literal></term>
+ 
+diff --git a/src/core/taint.c b/src/core/taint.c
+index 969b37f209..4c98312f54 100644
+--- a/src/core/taint.c
++++ b/src/core/taint.c
+@@ -32,7 +32,7 @@ static int short_uid_gid_range(UIDRangeUsernsMode mode) {
+ }
+ 
+ char* taint_string(void) {
+-        const char *stage[12] = {};
++        const char *stage[11] = {};
+         size_t n = 0;
+ 
+         /* Returns a "taint string", e.g. "local-hwclock:var-run-bad". Only things that are detected at
+@@ -44,11 +44,6 @@ char* taint_string(void) {
+         if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin"))
+                 stage[n++] = "unmerged-usr";
+ 
+-        /* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks
+-         * too. */
+-        if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin"))
+-                stage[n++] = "unmerged-bin";
+-
+         if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run"))
+                 stage[n++] = "var-run-bad";
+ 

0064-presets-remove-resolved.patch

@@ -0,0 +1,28 @@
+From c2f507732264038dbef44b7652c8f5dee148e1e2 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Mon, 8 Jul 2024 13:13:10 +0200
+Subject: [PATCH] presets: remove resolved
+
+We noticed that some people are installing systemd* and then
+have daemons they don't need running. So let's remove resolved
+from presets so its usage is a bit more deliberate
+
+RHEL-only: policy
+
+Resolves: RHEL-46576
+---
+ presets/90-systemd.preset | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
+index 004ea6fe14..676f14f0d3 100644
+--- a/presets/90-systemd.preset
++++ b/presets/90-systemd.preset
+@@ -27,7 +27,6 @@ enable systemd-networkd.service
+ enable systemd-networkd-wait-online.service
+ enable systemd-nsresourced.socket
+ enable systemd-pstore.service
+-enable systemd-resolved.service
+ enable systemd-sysext.service
+ enable systemd-timesyncd.service
+ enable systemd-userdbd.socket

0065-doc-add-downstream-CONTRIBUTING-document.patch

@@ -1,22 +1,23 @@
-From 322ef6cb5fe3c293c6b9a37fe2e58491e9a5100b Mon Sep 17 00:00:00 2001
+From f7c92899a77656a1bb7586f83c27b00cd5ea0707 Mon Sep 17 00:00:00 2001
 From: Jan Macku <jamacku@redhat.com>
-Date: Fri, 4 Aug 2023 13:09:46 +0200
+Date: Thu, 27 Jun 2024 10:17:06 +0200
 Subject: [PATCH] doc: add downstream CONTRIBUTING document
 
-rhel-only
+rhel-only: doc
 
-Related: #2179309
+Related: RHEL-40924
 ---
- CONTRIBUTING.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 67 insertions(+)
+ CONTRIBUTING.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
+ README.md       |  2 +-
+ 2 files changed, 76 insertions(+), 1 deletion(-)
  create mode 100644 CONTRIBUTING.md
 
 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
 new file mode 100644
-index 0000000000..361366d899
+index 0000000000..28466facac
 --- /dev/null
 +++ b/CONTRIBUTING.md
-@@ -0,0 +1,67 @@
+@@ -0,0 +1,75 @@
 +# Contributing
 +
 +Welcome to systemd source-git for CentOS Stream and RHEL. When contributing, please follow the guide below.
@@ -36,7 +37,7 @@ index 0000000000..361366d899
 +
 +## Filing issues
 +
-+When you find an issue with systemd used in CentOS Stream or RHEL, please file an issue in [Jira ticket system](https://issues.redhat.com/secure/CreateIssue!default.jspa) (set Project to **RHEL** and Component to **systemd**).
++When you find an issue with systemd used in **CentOS Stream** or **RHEL**, please file an issue in Red Hat [Jira ticket system](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12332745&issuetype=1&components=12380515).
 +
 +GitHub Issues are not supported tracking system. If your issue is reproducible using the latest upstream version of systemd, please consider creating [upstream issue](https://github.com/systemd/systemd/issues/new/choose).
 +
@@ -52,12 +53,20 @@ index 0000000000..361366d899
 +### Upstream reference
 +
 +When doing a back-port of an upstream commit, always use `cherry-pick -x <sha>`. Consider proposing a change upstream first when an upstream commit doesn't exist.
-+If the change isn't upstream relevant or accepted by upstream, mark the commit with the `rhel-only` string.
++If the change isn't upstream relevant or accepted by upstream, mark the commit with the `rhel-only: <parameter>` string, where a `<parameter>` is:
++
++- `feature` - for feature-related commits (cross-version)
++- `bugfix` - for bugfix-related commits (cross-version)
++- `doc` - for documentation-related commits (usually version-specific)
++- `workaround` - for workaround-related commits (usually version-specific)
++- `ci` - for CI-related commits (version-specific)
++- `test` - for test-related commits (version-specific)
++- `other` - for commits that do not fit into any of the above categories (version-specific)
 +
 +```md
 +doc: Fix TYPO
 +
-+rhel-only
++rhel-only: doc
 +
 +Resolves: RHEL-678
 +```
@@ -70,7 +79,7 @@ index 0000000000..361366d899
 +- **Related** for commits related to the referenced issue, but they don't fix it. Usually, tests and documentation.
 +- **Reverts** for commits that reverts previously merged commit
 +
-+When referencing issues, use following structure: `<keyword>: <issue ID>`. See the example below:
++When referencing issues, use the following structure: `<keyword>: <issue ID>`. See the example below:
 +
 +```md
 +doc: Fix TYPO
@@ -84,3 +93,16 @@ index 0000000000..361366d899
 +
 +Each Pull Request has to pass all enabled tests that are automatically run using GitHub Actions, CentOS Stream CI, and others.
 +If CI failure is unrelated to the change introduced in Pull Request, the downstream maintainer will set the `ci-waived` label and explain why CI was waived.
+diff --git a/README.md b/README.md
+index 12f1381f08..421a2e6572 100644
+--- a/README.md
++++ b/README.md
+@@ -30,7 +30,7 @@ Please see the [Code Map](docs/ARCHITECTURE.md) for information about this repos
+ 
+ Please see the [Hacking guide](docs/HACKING.md) for information on how to hack on systemd and test your modifications.
+ 
+-Please see our [Contribution Guidelines](docs/CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests.
++Please see our [Contribution Guidelines](CONTRIBUTING.md) for more information about filing GitHub Issues and posting GitHub Pull Requests.
+ 
+ When preparing patches for systemd, please follow our [Coding Style Guidelines](docs/CODING_STYLE.md).
+ 

0066-ci-allow-policy-as-rhel-only-keyword.patch

@@ -0,0 +1,40 @@
+From 5d244e25b994f1db5988cf6de14fff9058a75bc2 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Mon, 15 Jul 2024 14:13:14 +0200
+Subject: [PATCH] ci: allow `policy` as rhel-only keyword
+
+rhel-only: ci
+
+Related: RHEL-40924
+---
+ .github/advanced-commit-linter.yml | 4 ++--
+ CONTRIBUTING.md                    | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
+index 3e3e3fe2bf..4a7e6542b4 100644
+--- a/.github/advanced-commit-linter.yml
++++ b/.github/advanced-commit-linter.yml
+@@ -4,8 +4,8 @@ policy:
+       - github: systemd/systemd
+     exception:
+       note:
+-        - 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)'
+-        - 'RHEL-only: (feature|bugfix|doc|workaround|ci|test|other)'
++        - 'rhel-only: (feature|bugfix|policy|doc|workaround|ci|test|other)'
++        - 'RHEL-only: (feature|bugfix|policy|doc|workaround|ci|test|other)'
+   tracker:
+     - keyword:
+         - 'Resolves: '
+diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
+index 28466facac..c2e3a2d4d0 100644
+--- a/CONTRIBUTING.md
++++ b/CONTRIBUTING.md
+@@ -37,6 +37,7 @@ If the change isn't upstream relevant or accepted by upstream, mark the commit w
+ 
+ - `feature` - for feature-related commits (cross-version)
+ - `bugfix` - for bugfix-related commits (cross-version)
++- `policy` - for policy-related commits (cross-version)
+ - `doc` - for documentation-related commits (usually version-specific)
+ - `workaround` - for workaround-related commits (usually version-specific)
+ - `ci` - for CI-related commits (version-specific)

0067-ci-run-mkosi-test-only-for-Fedora-and-CentOS-Stream.patch

@@ -0,0 +1,68 @@
+From 1a643a20c5e772fc15a921ed81c7b010fa6bd4a7 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Tue, 16 Jul 2024 10:08:06 +0200
+Subject: [PATCH]  ci: run mkosi test only for Fedora and CentOS Stream
+
+rhel-only: ci
+
+Related: RHEL-40924
+---
+ .github/workflows/mkosi.yml | 24 ++----------------------
+ 1 file changed, 2 insertions(+), 22 deletions(-)
+
+diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
+index 3a8dabd95c..9add22c2ea 100644
+--- a/.github/workflows/mkosi.yml
++++ b/.github/workflows/mkosi.yml
+@@ -8,7 +8,7 @@ on:
+   push:
+     branches:
+       - main
+-      - v[0-9]+-stable
++      - rhel-10.*
+     paths:
+       - '**'
+       - '!README*'
+@@ -26,7 +26,7 @@ on:
+   pull_request:
+     branches:
+       - main
+-      - v[0-9]+-stable
++      - rhel-10.*
+     paths:
+       - '**'
+       - '!README*'
+@@ -54,21 +54,6 @@ jobs:
+       fail-fast: false
+       matrix:
+         include:
+-          - distro: arch
+-            release: rolling
+-            sanitizers: ""
+-            llvm: 0
+-            cflags: "-O2 -D_FORTIFY_SOURCE=3"
+-          - distro: debian
+-            release: testing
+-            sanitizers: ""
+-            llvm: 0
+-            cflags: "-Og"
+-          - distro: ubuntu
+-            release: noble
+-            sanitizers: ""
+-            llvm: 0
+-            cflags: "-Og"
+           - distro: fedora
+             release: "40"
+             sanitizers: ""
+@@ -79,11 +64,6 @@ jobs:
+             sanitizers: address,undefined
+             llvm: 1
+             cflags: "-Og"
+-          - distro: opensuse
+-            release: tumbleweed
+-            sanitizers: ""
+-            llvm: 0
+-            cflags: "-Og"
+           - distro: centos
+             release: "9"
+             sanitizers: ""

0068-taint-remove-unused-variable-usr_sbin.patch

@@ -0,0 +1,27 @@
+From 423af3467e66fd07a3a739b40af97b265bd4e45e Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Tue, 16 Jul 2024 10:09:23 +0200
+Subject: [PATCH] taint: remove unused variable `usr_sbin`
+
+follow-up to https://github.com/redhat-plumbers/systemd-rhel10/commit/13a07024f674e770844de29cd3d01cb7117f56d9
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ src/core/taint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/taint.c b/src/core/taint.c
+index 4c98312f54..370f0297e3 100644
+--- a/src/core/taint.c
++++ b/src/core/taint.c
+@@ -39,7 +39,7 @@ char* taint_string(void) {
+          * runtime should be tagged here. For stuff that is known during compilation, emit a warning in the
+          * configuration phase. */
+ 
+-        _cleanup_free_ char *bin = NULL, *usr_sbin = NULL, *var_run = NULL;
++        _cleanup_free_ char *bin = NULL, *var_run = NULL;
+ 
+         if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin"))
+                 stage[n++] = "unmerged-usr";

0069-packit-drop-the-libarchive-workaround.patch

@@ -0,0 +1,28 @@
+From fb422df08369fd10a4d3543697f09a7bd2f4c288 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Wed, 17 Jul 2024 12:19:03 +0200
+Subject: [PATCH] packit: drop the libarchive workaround
+
+As it's not needed anymore.
+
+rhel-only: ci
+
+Related: RHEL-40924
+---
+ .packit.yml | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/.packit.yml b/.packit.yml
+index 340c6992ec..03b3aae7d5 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -39,9 +39,6 @@ actions:
+     - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
+     # Ignore unpackaged standalone binaries
+     - "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py"
+-    # Temporarily add libarchive-devel build dep and libarchive runtime dep
+-    # until the change propagates to Rawhide's specfile
+-    - "sed -ri '0,/^BuildRequires: .+$/s//&\\nBuildRequires: libarchive-devel\\nRequires: libarchive/' .packit_rpm/systemd.spec"
+ 
+ # Available targets can be listed via `copr-cli list-chroots`
+ jobs:

0070-packit-drop-the-dependency-on-python3-zstd.patch

@@ -0,0 +1,28 @@
+From 43bf3e1a42e2c1a6ecd0ca6fd72c9bc6fe904703 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Wed, 17 Jul 2024 12:22:55 +0200
+Subject: [PATCH] packit: drop the dependency on python3-zstd
+
+Since it's only in the RHEL buildroot repo.
+
+rhel-only: ci
+
+Related: RHEL-40924
+---
+ .packit.yml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/.packit.yml b/.packit.yml
+index 03b3aae7d5..48ba210947 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -39,6 +39,9 @@ actions:
+     - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
+     # Ignore unpackaged standalone binaries
+     - "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py"
++    # Drop the python3dist(zstd) dependency, as it's only in the RHEL buildroot
++    # repo
++    - "sed -i '/python3dist(zstd)/d' .packit_rpm/systemd.spec"
+ 
+ # Available targets can be listed via `copr-cli list-chroots`
+ jobs:

0071-coredump-by-default-process-and-store-core-files-up-.patch

@@ -0,0 +1,30 @@
+From 612afd332a5e647faed3c3acba03ca653bace41b Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Fri, 5 Apr 2024 15:56:58 +0200
+Subject: [PATCH] coredump: by default process and store core files up to 1GiB
+
+This brings policy inline with RHEL-9.
+
+rhel-only: policy
+
+Related: RHEL-46778
+---
+ src/coredump/coredump.conf | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/coredump/coredump.conf b/src/coredump/coredump.conf
+index ae341e40d7..3603edb782 100644
+--- a/src/coredump/coredump.conf
++++ b/src/coredump/coredump.conf
+@@ -19,9 +19,8 @@
+ [Coredump]
+ #Storage=external
+ #Compress=yes
+-# On 32-bit, the default is 1G instead of 32G.
+-#ProcessSizeMax=32G
+-#ExternalSizeMax=32G
++ProcessSizeMax=1G
++ExternalSizeMax=1G
+ #JournalSizeMax=767M
+ #MaxUse=
+ #KeepFree=

0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch

@@ -0,0 +1,23 @@
+From 352f8ad0bfdd8a41f6aa34e3e43038ae75eedf73 Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Tue, 15 May 2018 09:24:20 +0200
+Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ units/basic.target | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/units/basic.target b/units/basic.target
+index d8cdd5ac14..9eae0782a2 100644
+--- a/units/basic.target
++++ b/units/basic.target
+@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount
+ # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as
+ # we support that unit being masked, and this should not be considered an error.
+ RequiresMountsFor=/var /var/tmp
+-Wants=tmp.mount
++# RHEL-only: Disable /tmp on tmpfs.
++#Wants=tmp.mount

0073-unit-don-t-add-Requires-for-tmp.mount.patch

@@ -0,0 +1,39 @@
+From e794e570a50392b503549befb65bc8cac0a29869 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Mon, 5 Sep 2016 12:47:09 +0200
+Subject: [PATCH] unit: don't add Requires for tmp.mount
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ src/core/mount.c | 2 +-
+ src/core/unit.c  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/mount.c b/src/core/mount.c
+index ebafcafa92..9edb2d47eb 100644
+--- a/src/core/mount.c
++++ b/src/core/mount.c
+@@ -313,7 +313,7 @@ static int mount_add_mount_dependencies(Mount *m) {
+                         if (r < 0)
+                                 return r;
+ 
+-                        if (UNIT(m)->fragment_path) {
++                        if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) {
+                                 /* If we have fragment configuration, then make this dependency required/wanted */
+                                 r = unit_add_dependency(
+                                                 other,
+diff --git a/src/core/unit.c b/src/core/unit.c
+index 0ec5dcaf75..a5556ba462 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -1544,7 +1544,7 @@ static int unit_add_mount_dependencies(Unit *u) {
+                                         return r;
+                                 changed = changed || r > 0;
+ 
+-                                if (m->fragment_path) {
++                                if (m->fragment_path && !streq(m->id, "tmp.mount")) {
+                                         r = unit_add_dependency(
+                                                         u,
+                                                         unit_mount_dependency_type_to_dependency_type(t),

0074-units-add-Install-section-to-tmp.mount.patch

@@ -1,23 +1,23 @@
-From bb3d205bea1c83cbd0e27b504f5f1faa884fb602 Mon Sep 17 00:00:00 2001
+From de0e2fde86a7eebbc5c11bb5e4d40d9ab6621ed1 Mon Sep 17 00:00:00 2001
 From: Jan Synacek <jsynacek@redhat.com>
 Date: Tue, 22 Jan 2019 10:28:42 +0100
 Subject: [PATCH] units: add [Install] section to tmp.mount
 
-rhel-only
+rhel-only: policy
 
-Resolves: #1667065
+Related: RHEL-40924
 ---
  units/tmp.mount | 4 ++++
  1 file changed, 4 insertions(+)
 
 diff --git a/units/tmp.mount b/units/tmp.mount
-index 742d86385c..b558047030 100644
+index 896040524a..d7beaa8d14 100644
 --- a/units/tmp.mount
 +++ b/units/tmp.mount
-@@ -22,3 +22,7 @@ What=tmpfs
+@@ -23,3 +23,7 @@ What=tmpfs
  Where=/tmp
  Type=tmpfs
- Options=mode=1777,strictatime,nosuid,nodev
+ Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m
 +
 +# Make 'systemctl enable tmp.mount' work:
 +[Install]

0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch

@@ -0,0 +1,28 @@
+From 571c902adb894bfff481de4591a56a16add2670b Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 22 Sep 2021 14:38:00 +0200
+Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ units/meson.build | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/units/meson.build b/units/meson.build
+index b231341a1f..39fa6f42c0 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -761,10 +761,7 @@ units = [
+         { 'file' : 'time-set.target' },
+         { 'file' : 'time-sync.target' },
+         { 'file' : 'timers.target' },
+-        {
+-          'file' : 'tmp.mount',
+-          'symlinks' : ['local-fs.target.wants/'],
+-        },
++        { 'file' : 'tmp.mount' },
+         { 'file' : 'tpm2.target' },
+         { 'file' : 'umount.target' },
+         { 'file' : 'usb-gadget.target' },

0076-netif-naming-scheme-add-rhel-9.5-scheme.patch

@@ -0,0 +1,64 @@
+From fefc4bc15fe28d8f7def8bd75ada13ede21663cb Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 8 Aug 2024 13:12:58 +0200
+Subject: [PATCH] netif-naming-scheme: add rhel-9.5 scheme
+
+rhel-only: policy
+
+Resolves: RHEL-44416
+---
+ man/systemd.net-naming-scheme.xml | 15 +++++++++++++++
+ src/shared/netif-naming-scheme.c  |  1 +
+ src/shared/netif-naming-scheme.h  |  1 +
+ 3 files changed, 17 insertions(+)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index 690e3d2c27..b2d78c95ab 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -592,6 +592,21 @@
+           <xi:include href="version-info.xml" xpointer="rhel-9.4"/>
+           </listitem>
+         </varlistentry>
++
++        <varlistentry>
++            <term><constant>rhel-9.5</constant></term>
++
++          <listitem><para>Never generate a slot name when a PCI bridge is detected.</para>
++
++          <para>Since version <constant>"rhel-9.0"</constant>, we have generated slot-based names
++          for PCI multifunction devices, because we assumed that it is enough to use function numbers
++          to distinguish between devices. However, name conflict can occur if these devices are not
++          children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
++          </para>
++
++          <xi:include href="version-info.xml" xpointer="rhel-9.5"/>
++          </listitem>
++        </varlistentry>
+       </variablelist>
+       </refsect2>
+ 
+diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
+index e4d4c0ba88..149794e926 100644
+--- a/src/shared/netif-naming-scheme.c
++++ b/src/shared/netif-naming-scheme.c
+@@ -40,6 +40,7 @@ static const NamingScheme naming_schemes[] = {
+         { "rhel-9.2", NAMING_RHEL_9_2 },
+         { "rhel-9.3", NAMING_RHEL_9_3 },
+         { "rhel-9.4", NAMING_RHEL_9_4 },
++        { "rhel-9.5", NAMING_RHEL_9_5 },
+         { "rhel-10.0", NAMING_RHEL_10_0 },
+         /* … add more schemes here, as the logic to name devices is updated … */
+ 
+diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
+index b0697c141e..a55bb0b1cb 100644
+--- a/src/shared/netif-naming-scheme.h
++++ b/src/shared/netif-naming-scheme.h
+@@ -80,6 +80,7 @@ typedef enum NamingSchemeFlags {
+         NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
+         NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
+         NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
++        NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ 
+         NAMING_RHEL_10_0 = NAMING_V255,
+ 

0077-udev-builtin-net_id-use-firmware_node-sun-for-ID_NET.patch

@@ -0,0 +1,197 @@
+From 45fe2e91e4f73c998ff4d29c316cc4fca9d25942 Mon Sep 17 00:00:00 2001
+From: Etienne Champetier <e.champetier@ateme.com>
+Date: Tue, 9 Jul 2024 11:53:50 -0400
+Subject: [PATCH] udev-builtin-net_id: use firmware_node/sun for
+ ID_NET_NAME_SLOT
+
+pci_get_hotplug_slot() has the following limitations:
+- if slots are not hotpluggable, they are not in /sys/bus/pci/slots.
+- the address at /sys/bus/pci/slots/X/addr doesn't contains the function part,
+  so on some system, 2 different slots with different _SUN end up with the same
+  hotplug_slot, leading to naming conflicts.
+- it tries all parent devices until it finds a slot number, which is incorrect,
+  and what led to NAMING_BRIDGE_MULTIFUNCTION_SLOT being disabled.
+
+The use of PCI hotplug to find the slot (ACPI _SUN) was introduced in
+https://github.com/systemd/systemd/commit/0035597a30d120f70df2dd7da3d6128fb8ba6051
+"udev: net_id - export PCI hotplug slot names" on 2012/11/26.
+At the same time on the kernel side we got
+https://github.com/torvalds/linux/commit/bb74ac23b10820d8722c3e1f4add9ef59e703f63
+"ACPI: create _SUN sysfs file" on 2012/11/16.
+
+Using PCI hotplug was the only way at the time, but now 12 years later we can use
+firmware_node/sun sysfs file.
+Looking at a small selection of server HW, for HPE (Gen10 DL325), the _SUN is attached
+to the NIC device, whereas for Dell (R640/R6515/R6615) and Cisco (UCSC-C220-M5SX),
+the _SUN is on the first parent pcieport.
+
+We still fallback to pci_get_hotplug_slot() to handle the s390 case and
+maybe some other coner cases (_SUN on grand parent device that is not a
+bridge ?).
+
+(cherry picked from commit 0a4ecc54cb9f2d3418b970c51bfadb69c34ae9eb)
+
+Related: RHEL-44416
+---
+ man/systemd.net-naming-scheme.xml |  6 ++-
+ src/shared/netif-naming-scheme.h  |  5 ++-
+ src/udev/udev-builtin-net_id.c    | 72 ++++++++++++++++++++++++++-----
+ 3 files changed, 69 insertions(+), 14 deletions(-)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index b2d78c95ab..ea9a9c8d3c 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -528,7 +528,7 @@
+         <varlistentry>
+           <term><constant>rhel-10.0</constant></term>
+ 
+-          <listitem><para>Same as naming scheme <constant>v255</constant>.</para>
++          <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
+ 
+           <xi:include href="version-info.xml" xpointer="rhel-10.0"/>
+           </listitem>
+@@ -604,6 +604,8 @@
+           children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
+           </para>
+ 
++          <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
++
+           <xi:include href="version-info.xml" xpointer="rhel-9.5"/>
+           </listitem>
+         </varlistentry>
+@@ -798,7 +800,7 @@ ID_NET_NAME_ONBOARD_LABEL=Ethernet Port 1
+     </example>
+ 
+     <example>
+-      <title>PCI Ethernet card in hotplug slot with firmware index number</title>
++      <title>PCI Ethernet card in slot with firmware index number</title>
+ 
+       <programlisting># /sys/devices/pci0000:00/0000:00:1c.3/0000:05:00.0/net/ens1
+ ID_NET_NAME_MAC=enx000000000466
+diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
+index a55bb0b1cb..229232d452 100644
+--- a/src/shared/netif-naming-scheme.h
++++ b/src/shared/netif-naming-scheme.h
+@@ -43,6 +43,7 @@ typedef enum NamingSchemeFlags {
+         NAMING_DEVICETREE_ALIASES        = 1 << 15, /* Generate names from devicetree aliases */
+         NAMING_USB_HOST                  = 1 << 16, /* Generate names for usb host */
+         NAMING_SR_IOV_R                  = 1 << 17, /* Use "r" suffix for SR-IOV VF representors */
++        NAMING_FIRMWARE_NODE_SUN         = 1 << 18, /* Use firmware_node/sun to get PCI slot number */
+ 
+         /* And now the masks that combine the features above */
+         NAMING_V238 = 0,
+@@ -80,9 +81,9 @@ typedef enum NamingSchemeFlags {
+         NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
+         NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
+         NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
+-        NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
++        NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
+ 
+-        NAMING_RHEL_10_0 = NAMING_V255,
++        NAMING_RHEL_10_0 = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
+ 
+         EXTRA_NET_NAMING_SCHEMES
+ 
+diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
+index 384a1f31cb..d34357fdb2 100644
+--- a/src/udev/udev-builtin-net_id.c
++++ b/src/udev/udev-builtin-net_id.c
+@@ -566,6 +566,51 @@ static int pci_get_hotplug_slot(sd_device *dev, uint32_t *ret) {
+         return -ENOENT;
+ }
+ 
++static int get_device_firmware_node_sun(sd_device *dev, uint32_t *ret) {
++        const char *attr;
++        int r;
++
++        assert(dev);
++        assert(ret);
++
++        r = device_get_sysattr_value_filtered(dev, "firmware_node/sun", &attr);
++        if (r < 0)
++                return log_device_debug_errno(dev, r, "Failed to read firmware_node/sun, ignoring: %m");
++
++        r = safe_atou32(attr, ret);
++        if (r < 0)
++                return log_device_warning_errno(dev, r, "Failed to parse firmware_node/sun '%s', ignoring: %m", attr);
++
++        return 0;
++}
++
++static int pci_get_slot_from_firmware_node_sun(sd_device *dev, uint32_t *ret) {
++        int r;
++        sd_device *slot_dev;
++
++        assert(dev);
++        assert(ret);
++
++        /* Try getting the ACPI _SUN for the device */
++        if (get_device_firmware_node_sun(dev, ret) >= 0)
++                return 0;
++
++        r = sd_device_get_parent_with_subsystem_devtype(dev, "pci", NULL, &slot_dev);
++        if (r < 0)
++                return log_device_debug_errno(dev, r, "Failed to find pci parent, ignoring: %m");
++
++        if (is_pci_bridge(slot_dev) && is_pci_multifunction(dev) <= 0)
++                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ESTALE),
++                                              "Not using slot information because the parent pcieport "
++                                              "is a bridge and the PCI device is not multifunction.");
++
++        /* Try getting the ACPI _SUN from the parent pcieport */
++        if (get_device_firmware_node_sun(slot_dev, ret) >= 0)
++                return 0;
++
++        return -ENOENT;
++}
++
+ static int get_pci_slot_specifiers(
+                 sd_device *dev,
+                 char **ret_domain,
+@@ -616,7 +661,7 @@ static int get_pci_slot_specifiers(
+ 
+ static int names_pci_slot(sd_device *dev, sd_device *pci_dev, const char *prefix, const char *suffix, EventMode mode) {
+         _cleanup_free_ char *domain = NULL, *bus_and_slot = NULL, *func = NULL, *port = NULL;
+-        uint32_t hotplug_slot = 0;  /* avoid false maybe-uninitialized warning */
++        uint32_t slot = 0;  /* avoid false maybe-uninitialized warning */
+         char str[ALTIFNAMSIZ];
+         int r;
+ 
+@@ -641,20 +686,27 @@ static int names_pci_slot(sd_device *dev, sd_device *pci_dev, const char *prefix
+                          strna(domain), bus_and_slot, strna(func), strna(port),
+                          special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(str));
+ 
+-        r = pci_get_hotplug_slot(pci_dev, &hotplug_slot);
+-        if (r < 0)
+-                return r;
+-        if (r > 0)
+-                /* If the hotplug slot is found through the function ID, then drop the domain from the name.
+-                 * See comments in parse_hotplug_slot_from_function_id(). */
+-                domain = mfree(domain);
++        if (naming_scheme_has(NAMING_FIRMWARE_NODE_SUN))
++                r = pci_get_slot_from_firmware_node_sun(pci_dev, &slot);
++        else
++                r = -1;
++        /* If we don't find a slot using firmware_node/sun, fallback to hotplug_slot */
++        if (r < 0) {
++                r = pci_get_hotplug_slot(pci_dev, &slot);
++                if (r < 0)
++                        return r;
++                if (r > 0)
++                        /* If the hotplug slot is found through the function ID, then drop the domain from the name.
++                        * See comments in parse_hotplug_slot_from_function_id(). */
++                        domain = mfree(domain);
++        }
+ 
+         if (snprintf_ok(str, sizeof str, "%s%ss%"PRIu32"%s%s%s",
+-                        prefix, strempty(domain), hotplug_slot, strempty(func), strempty(port), strempty(suffix)))
++                        prefix, strempty(domain), slot, strempty(func), strempty(port), strempty(suffix)))
+                 udev_builtin_add_property(dev, mode, "ID_NET_NAME_SLOT", str);
+ 
+         log_device_debug(dev, "Slot identifier: domain=%s slot=%"PRIu32" func=%s port=%s %s %s",
+-                         strna(domain), hotplug_slot, strna(func), strna(port),
++                         strna(domain), slot, strna(func), strna(port),
+                          special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(str));
+ 
+         return 0;

0078-man-net-naming-scheme-add-missing-period.patch

@@ -0,0 +1,36 @@
+From f5470e9076138ccf69fb6576e950a75da4b89717 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 2 Aug 2024 16:51:15 +0900
+Subject: [PATCH] man/net-naming-scheme: add missing period
+
+Follow-up for 0a4ecc54cb9f2d3418b970c51bfadb69c34ae9eb.
+
+(cherry picked from commit 2bb72aadb8169c9310c8ca0d586d277a4a71e2f8)
+
+Related: RHEL-44416
+---
+ man/systemd.net-naming-scheme.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index ea9a9c8d3c..e458b5dd6b 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -528,7 +528,7 @@
+         <varlistentry>
+           <term><constant>rhel-10.0</constant></term>
+ 
+-          <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
++          <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
+ 
+           <xi:include href="version-info.xml" xpointer="rhel-10.0"/>
+           </listitem>
+@@ -604,7 +604,7 @@
+           children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
+           </para>
+ 
+-          <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
++          <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
+ 
+           <xi:include href="version-info.xml" xpointer="rhel-9.5"/>
+           </listitem>

0079-Revert-packit-drop-the-dependency-on-python3-zstd.patch

@@ -0,0 +1,28 @@
+From 6bec94d825960a39bed6429531e722fd1571664b Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Wed, 14 Aug 2024 12:21:59 +0200
+Subject: [PATCH] Revert "packit: drop the dependency on python3-zstd"
+
+This reverts commit 43bf3e1a42e2c1a6ecd0ca6fd72c9bc6fe904703.
+
+rhel-only: ci
+
+Related: RHEL-36636
+---
+ .packit.yml | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/.packit.yml b/.packit.yml
+index 48ba210947..03b3aae7d5 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -39,9 +39,6 @@ actions:
+     - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
+     # Ignore unpackaged standalone binaries
+     - "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py"
+-    # Drop the python3dist(zstd) dependency, as it's only in the RHEL buildroot
+-    # repo
+-    - "sed -i '/python3dist(zstd)/d' .packit_rpm/systemd.spec"
+ 
+ # Available targets can be listed via `copr-cli list-chroots`
+ jobs:

0080-systemctl-do-not-try-to-acquire-triggering-units-for.patch

@@ -0,0 +1,48 @@
+From a81dc0cad9c24df7c005378fe2c438a98054a7d3 Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Sun, 30 Jun 2024 13:12:45 +0200
+Subject: [PATCH] systemctl: do not try to acquire triggering units for
+ template units
+
+(cherry picked from commit 09d6038d833468ba7c24c658597387ef699ca4fd)
+
+Resolves: RHEL-55132
+---
+ src/systemctl/systemctl-util.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/systemctl/systemctl-util.c b/src/systemctl/systemctl-util.c
+index 2482b7ccb2..08a3ebe128 100644
+--- a/src/systemctl/systemctl-util.c
++++ b/src/systemctl/systemctl-util.c
+@@ -327,14 +327,15 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske
+         if (r < 0)
+                 return r;
+ 
++        if (unit_name_is_valid(name, UNIT_NAME_TEMPLATE))
++                goto skip;
++
+         if (ignore_masked) {
+                 r = unit_is_masked(bus, name);
+                 if (r < 0)
+                         return r;
+-                if (r > 0) {
+-                        *ret = NULL;
+-                        return 0;
+-                }
++                if (r > 0)
++                        goto skip;
+         }
+ 
+         dbus_path = unit_dbus_path_from_name(name);
+@@ -370,6 +371,10 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske
+ 
+         *ret = TAKE_PTR(active);
+         return 0;
++
++skip:
++        *ret = NULL;
++        return 0;
+ }
+ 
+ void warn_triggering_units(sd_bus *bus, const char *unit, const char *operation, bool ignore_masked) {

0081-core-unit-add-one-assertion-for-u-manager.patch

@@ -0,0 +1,24 @@
+From dee8164e2d136efb7bac04775c8bef255f659766 Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Sat, 22 Jun 2024 12:08:39 +0200
+Subject: [PATCH] core/unit: add one assertion for u->manager
+
+(cherry picked from commit 8b17371b6185c9829bb21a813aadb2225ccfc4de)
+
+Resolves: RHEL-55734
+---
+ src/core/unit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/core/unit.c b/src/core/unit.c
+index a5556ba462..c668c45ee9 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -6103,6 +6103,7 @@ int unit_test_trigger_loaded(Unit *u) {
+ 
+ void unit_destroy_runtime_data(Unit *u, const ExecContext *context) {
+         assert(u);
++        assert(u->manager);
+         assert(context);
+ 
+         /* EXEC_PRESERVE_RESTART is handled via unit_release_resources()! */

0082-core-service-destroy-runtime-data-when-Type-oneshot-.patch

@@ -0,0 +1,88 @@
+From 45d326633b32f4dee739ca38a67347c828c1c136 Mon Sep 17 00:00:00 2001
+From: Mike Yuan <me@yhndnzj.com>
+Date: Sat, 22 Jun 2024 12:03:50 +0200
+Subject: [PATCH] core/service: destroy runtime data when Type=oneshot services
+ exit
+
+Currently, we have a bunch of Type=oneshot + RemainAfterExit=yes
+services that make use of credentials. When those exits, the cred mounts
+remain established, which is pointless and quite annoying. Let's
+instead destroy the runtime data on SERVICE_EXITED, if no process
+will be spawned for the unit again.
+
+(cherry picked from commit c26948c6dae1d2ca13499b36f193b13a0760834c)
+
+Resolves: RHEL-55734
+---
+ src/core/service.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 6e81460ad0..60cc902745 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -1206,13 +1206,12 @@ static void service_search_main_pid(Service *s) {
+ }
+ 
+ static void service_set_state(Service *s, ServiceState state) {
++        Unit *u = UNIT(ASSERT_PTR(s));
+         ServiceState old_state;
+         const UnitActiveState *table;
+ 
+-        assert(s);
+-
+         if (s->state != state)
+-                bus_unit_send_pending_change_signal(UNIT(s), false);
++                bus_unit_send_pending_change_signal(u, false);
+ 
+         table = s->type == SERVICE_IDLE ? state_translation_table_idle : state_translation_table;
+ 
+@@ -1246,8 +1245,8 @@ static void service_set_state(Service *s, ServiceState state) {
+                    SERVICE_DEAD, SERVICE_FAILED,
+                    SERVICE_DEAD_BEFORE_AUTO_RESTART, SERVICE_FAILED_BEFORE_AUTO_RESTART, SERVICE_AUTO_RESTART, SERVICE_AUTO_RESTART_QUEUED,
+                    SERVICE_DEAD_RESOURCES_PINNED)) {
+-                unit_unwatch_all_pids(UNIT(s));
+-                unit_dequeue_rewatch_pids(UNIT(s));
++                unit_unwatch_all_pids(u);
++                unit_dequeue_rewatch_pids(u);
+         }
+ 
+         if (state != SERVICE_START)
+@@ -1256,15 +1255,31 @@ static void service_set_state(Service *s, ServiceState state) {
+         if (!IN_SET(state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY))
+                 service_stop_watchdog(s);
+ 
+-        /* For the inactive states unit_notify() will trim the cgroup,
+-         * but for exit we have to do that ourselves... */
+-        if (state == SERVICE_EXITED && !MANAGER_IS_RELOADING(UNIT(s)->manager))
+-                unit_prune_cgroup(UNIT(s));
++        if (state == SERVICE_EXITED && !MANAGER_IS_RELOADING(u->manager)) {
++                /* For the inactive states unit_notify() will trim the cgroup. But for exit we have to
++                 * do that ourselves... */
++                unit_prune_cgroup(u);
++
++                /* If none of ExecReload= and ExecStop*= is used, we can safely destroy runtime data
++                 * as soon as the service enters SERVICE_EXITED. This saves us from keeping the credential mount
++                 * for the whole duration of the oneshot service while no processes are actually running,
++                 * among other things. */
++
++                bool start_only = true;
++                for (ServiceExecCommand c = SERVICE_EXEC_RELOAD; c < _SERVICE_EXEC_COMMAND_MAX; c++)
++                        if (s->exec_command[c]) {
++                                start_only = false;
++                                break;
++                        }
++
++                if (start_only)
++                        unit_destroy_runtime_data(u, &s->exec_context);
++        }
+ 
+         if (old_state != state)
+-                log_unit_debug(UNIT(s), "Changed %s -> %s", service_state_to_string(old_state), service_state_to_string(state));
++                log_unit_debug(u, "Changed %s -> %s", service_state_to_string(old_state), service_state_to_string(state));
+ 
+-        unit_notify(UNIT(s), table[old_state], table[state], s->reload_result == SERVICE_SUCCESS);
++        unit_notify(u, table[old_state], table[state], s->reload_result == SERVICE_SUCCESS);
+ }
+ 
+ static usec_t service_coldplug_timeout(Service *s) {

0083-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch

@@ -0,0 +1,34 @@
+From 05c29b1e58784c87ecb4ae7b56425af786e1cd05 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Tue, 30 Jul 2024 11:53:32 +0200
+Subject: [PATCH] cgroup-util: Ignore kernel threads in cg_kill_items()
+
+Similar to the implementation of cgroup.kill in the kernel, let's
+skip kernel threads in cg_kill_items() as trying to kill kernel
+threads as an unprivileged process will fail with EPERM and doesn't
+do anything when running privileged.
+
+(cherry picked from commit 0fbb569de1dcc06118dba006cf7a40caf6cd94d0)
+
+Resolves: RHEL-55746
+---
+ src/basic/cgroup-util.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
+index 553ee6075a..1fc83a656a 100644
+--- a/src/basic/cgroup-util.c
++++ b/src/basic/cgroup-util.c
+@@ -369,6 +369,12 @@ static int cg_kill_items(
+                         if (set_get(s, PID_TO_PTR(pidref.pid)) == PID_TO_PTR(pidref.pid))
+                                 continue;
+ 
++                        /* Ignore kernel threads to mimick the behavior of cgroup.kill. */
++                        if (pidref_is_kernel_thread(&pidref) > 0) {
++                                log_debug("Ignoring kernel thread with pid " PID_FMT " in cgroup '%s'", pidref.pid, path);
++                                continue;
++                        }
++
+                         if (log_kill)
+                                 ret_log_kill = log_kill(&pidref, sig, userdata);
+ 

0084-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch

@@ -0,0 +1,30 @@
+From 418d2192e0e2bcdc7fe10f4f331231a2ad5a5c00 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Wed, 31 Jul 2024 13:38:50 +0200
+Subject: [PATCH] cgroup-util: Don't try to open pidfd for kernel threads
+
+The kernel might start returning -EINVAL when trying to open pidfd's
+for kernel threads so let's not try to open pidfd's for kernel threads.
+
+(cherry picked from commit ead48ec35c863650944352a3455f26ce3b393058)
+
+Resolves: RHEL-55746
+---
+ src/basic/cgroup-util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
+index 1fc83a656a..b0fe0ecbe8 100644
+--- a/src/basic/cgroup-util.c
++++ b/src/basic/cgroup-util.c
+@@ -149,7 +149,9 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) {
+                 if (pid == 0)
+                         return -EREMOTE;
+ 
+-                if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) {
++                /* We might read kernel thread pids from cgroup.procs for which we cannot create a pidfd so
++                 * catch those and don't try to create a pidfd for them. */
++                if (FLAGS_SET(flags, CGROUP_NO_PIDFD) || pid_is_kernel_thread(pid) > 0) {
+                         *ret = PIDREF_MAKE_FROM_PID(pid);
+                         return 1;
+                 }

0085-cgroup-util-fix-typo.patch

@@ -0,0 +1,27 @@
+From d41b2bdf876e0d46486c1800d5ee12a6f641a9d4 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sat, 3 Aug 2024 05:48:51 +0900
+Subject: [PATCH] cgroup-util: fix typo
+
+Follow-up for 0fbb569de1dcc06118dba006cf7a40caf6cd94d0.
+
+(cherry picked from commit ec4964692ae0e080c596610adee2ddb83008c839)
+
+Resolves: RHEL-55746
+---
+ src/basic/cgroup-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
+index b0fe0ecbe8..2c64a54906 100644
+--- a/src/basic/cgroup-util.c
++++ b/src/basic/cgroup-util.c
+@@ -371,7 +371,7 @@ static int cg_kill_items(
+                         if (set_get(s, PID_TO_PTR(pidref.pid)) == PID_TO_PTR(pidref.pid))
+                                 continue;
+ 
+-                        /* Ignore kernel threads to mimick the behavior of cgroup.kill. */
++                        /* Ignore kernel threads to mimic the behavior of cgroup.kill. */
+                         if (pidref_is_kernel_thread(&pidref) > 0) {
+                                 log_debug("Ignoring kernel thread with pid " PID_FMT " in cgroup '%s'", pidref.pid, path);
+                                 continue;

0086-netif-naming-scheme-rename-rhel-10.0-to-rhel-10.0.be.patch

@@ -0,0 +1,75 @@
+From c3300ddbcdd138da8bd3fb31d0f35a20f5b6ca13 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Thu, 22 Aug 2024 13:42:11 +0200
+Subject: [PATCH] netif-naming-scheme: rename rhel-10.0 to rhel-10.0.beta
+
+rhel-only: policy
+Related: RHEL-55728
+---
+ man/systemd.net-naming-scheme.xml | 6 +++---
+ man/version-info.xml              | 1 +
+ src/shared/netif-naming-scheme.c  | 2 +-
+ src/shared/netif-naming-scheme.h  | 2 +-
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index e458b5dd6b..610a05485b 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -526,15 +526,15 @@
+         </varlistentry>
+ 
+         <varlistentry>
+-          <term><constant>rhel-10.0</constant></term>
++          <term><constant>rhel-10.0-beta</constant></term>
+ 
+           <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
+ 
+-          <xi:include href="version-info.xml" xpointer="rhel-10.0"/>
++          <xi:include href="version-info.xml" xpointer="rhel-10.0.beta"/>
+           </listitem>
+         </varlistentry>
+       </variablelist>
+-      <para>By default <constant>rhel-10.0</constant> is used.</para>
++      <para>By default <constant>rhel-10.0-beta</constant> is used.</para>
+ 
+       <refsect2>
+       <title>RHEL-9 schemes</title>
+diff --git a/man/version-info.xml b/man/version-info.xml
+index 274450d408..c05cebfbe2 100644
+--- a/man/version-info.xml
++++ b/man/version-info.xml
+@@ -103,6 +103,7 @@
+   <para id="rhel-9.8">Added in rhel-9.8.</para>
+   <para id="rhel-9.9">Added in rhel-9.9.</para>
+   <para id="rhel-9.10">Added in rhel-9.10.</para>
++  <para id="rhel-10.0.beta">Added in rhel-10.0-beta.</para>
+   <para id="rhel-10.0">Added in rhel-10.0.</para>
+   <para id="rhel-10.1">Added in rhel-10.1.</para>
+   <para id="rhel-10.2">Added in rhel-10.2.</para>
+diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
+index 149794e926..cb5f8c5d38 100644
+--- a/src/shared/netif-naming-scheme.c
++++ b/src/shared/netif-naming-scheme.c
+@@ -41,7 +41,7 @@ static const NamingScheme naming_schemes[] = {
+         { "rhel-9.3", NAMING_RHEL_9_3 },
+         { "rhel-9.4", NAMING_RHEL_9_4 },
+         { "rhel-9.5", NAMING_RHEL_9_5 },
+-        { "rhel-10.0", NAMING_RHEL_10_0 },
++        { "rhel-10.0-beta", NAMING_RHEL_10_0_BETA },
+         /* … add more schemes here, as the logic to name devices is updated … */
+ 
+         EXTRA_NET_NAMING_MAP
+diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
+index 229232d452..2e2023ba5b 100644
+--- a/src/shared/netif-naming-scheme.h
++++ b/src/shared/netif-naming-scheme.h
+@@ -83,7 +83,7 @@ typedef enum NamingSchemeFlags {
+         NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
+         NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
+ 
+-        NAMING_RHEL_10_0 = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
++        NAMING_RHEL_10_0_BETA = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
+ 
+         EXTRA_NET_NAMING_SCHEMES
+ 

0087-net-naming-scheme-disable-NAMING_FIRMWARE_NODE_SUN.patch

@@ -0,0 +1,43 @@
+From 8da695b27c2620e6410e0b1a4d8dda4747d89b5f Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Thu, 22 Aug 2024 13:47:56 +0200
+Subject: [PATCH] net-naming-scheme: disable NAMING_FIRMWARE_NODE_SUN
+
+It seems that virtio devices always have "0" in
+the firmware_node/sun. And because of that, udev will
+always name the device ens0, which leads to collisions.
+So let's disable it for now.
+
+rhel-only: policy
+Resolves: RHEL-55728
+---
+ man/systemd.net-naming-scheme.xml | 2 +-
+ src/shared/netif-naming-scheme.h  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index 610a05485b..8be24e4243 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -528,7 +528,7 @@
+         <varlistentry>
+           <term><constant>rhel-10.0-beta</constant></term>
+ 
+-          <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
++          <listitem><para>Same as naming scheme <constant>v255</constant>.</para>
+ 
+           <xi:include href="version-info.xml" xpointer="rhel-10.0.beta"/>
+           </listitem>
+diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
+index 2e2023ba5b..fb733ba768 100644
+--- a/src/shared/netif-naming-scheme.h
++++ b/src/shared/netif-naming-scheme.h
+@@ -83,7 +83,7 @@ typedef enum NamingSchemeFlags {
+         NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
+         NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
+ 
+-        NAMING_RHEL_10_0_BETA = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
++        NAMING_RHEL_10_0_BETA = NAMING_V255,
+ 
+         EXTRA_NET_NAMING_SCHEMES
+ 

0088-net-naming-scheme-remove-NAMING_FIRMWARE_NODE_SUN-fr.patch

@@ -0,0 +1,38 @@
+From 6a8e030c0a8481e42ee60a52e7a91f736537f5e3 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Thu, 22 Aug 2024 14:31:54 +0200
+Subject: [PATCH] net-naming-scheme: remove NAMING_FIRMWARE_NODE_SUN from 9.5
+
+rhel-only: policy
+Resolves: RHEL-55728
+---
+ man/systemd.net-naming-scheme.xml | 2 --
+ src/shared/netif-naming-scheme.h  | 2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index 8be24e4243..246c6509e3 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -604,8 +604,6 @@
+           children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
+           </para>
+ 
+-          <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
+-
+           <xi:include href="version-info.xml" xpointer="rhel-9.5"/>
+           </listitem>
+         </varlistentry>
+diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
+index fb733ba768..b2b2ee648f 100644
+--- a/src/shared/netif-naming-scheme.h
++++ b/src/shared/netif-naming-scheme.h
+@@ -81,7 +81,7 @@ typedef enum NamingSchemeFlags {
+         NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
+         NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
+         NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
+-        NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
++        NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ 
+         NAMING_RHEL_10_0_BETA = NAMING_V255,
+ 

0089-Revert-cgroup-util-Don-t-try-to-open-pidfd-for-kerne.patch

@@ -0,0 +1,33 @@
+From 38623336fb84eb0df1f72ef8d472a36bb5d60822 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Wed, 21 Aug 2024 11:25:46 +0200
+Subject: [PATCH] Revert "cgroup-util: Don't try to open pidfd for kernel
+ threads"
+
+The kernel patch was reverted so let's try again to open pidfds
+for kernel threads.
+
+This reverts commit ead48ec35c863650944352a3455f26ce3b393058.
+
+(cherry picked from commit 1ce69e06615e69692a6d02d447acfd77f5d44631)
+
+Related: RHEL-52634
+---
+ src/basic/cgroup-util.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
+index 2c64a54906..a6ad711ac0 100644
+--- a/src/basic/cgroup-util.c
++++ b/src/basic/cgroup-util.c
+@@ -149,9 +149,7 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) {
+                 if (pid == 0)
+                         return -EREMOTE;
+ 
+-                /* We might read kernel thread pids from cgroup.procs for which we cannot create a pidfd so
+-                 * catch those and don't try to create a pidfd for them. */
+-                if (FLAGS_SET(flags, CGROUP_NO_PIDFD) || pid_is_kernel_thread(pid) > 0) {
++                if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) {
+                         *ret = PIDREF_MAKE_FROM_PID(pid);
+                         return 1;
+                 }

0090-ukify-Skip-test-on-architectures-without-UEFI.patch

@@ -0,0 +1,30 @@
+From 65dbacdb67ae94f7481a413dfea651b2d8a74d13 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Wed, 28 Aug 2024 14:08:30 +0200
+Subject: [PATCH] ukify: Skip test on architectures without UEFI
+
+(cherry picked from commit 5121f7c45b37afca53c89f42123b1dd6a04fa80f)
+
+Related: RHEL-52634
+---
+ src/ukify/test/test_ukify.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
+index 0e3f932890..15d1578695 100755
+--- a/src/ukify/test/test_ukify.py
++++ b/src/ukify/test/test_ukify.py
+@@ -35,6 +35,13 @@ except ImportError as e:
+ sys.path.append(os.path.dirname(__file__) + '/..')
+ import ukify
+ 
++# Skip if we're running on an architecture that does not use UEFI.
++try:
++    ukify.guess_efi_arch()
++except ValueError as e:
++    print(str(e), file=sys.stderr)
++    sys.exit(77)
++
+ build_root = os.getenv('PROJECT_BUILD_ROOT')
+ try:
+     slow_tests = bool(int(os.getenv('SYSTEMD_SLOW_TESTS', '1')))

0091-ci-rename-beta-branch-to-match-dist-git-name.patch

@@ -0,0 +1,25 @@
+From d6ed92f6f6bffbf98700002eeed231af3336b40e Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Thu, 5 Sep 2024 12:36:01 +0200
+Subject: [PATCH] ci: rename beta branch to match dist-git name
+
+rhel-only: ci
+
+Related: RHEL-57603
+---
+ .github/tracker-validator.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
+index 2e858606ff..1226b8a92a 100644
+--- a/.github/tracker-validator.yml
++++ b/.github/tracker-validator.yml
+@@ -6,7 +6,7 @@ labels:
+ products:
+   - Red Hat Enterprise Linux 10
+   - CentOS Stream 10
+-  - rhel-10.0.beta 
++  - rhel-10.0-beta
+   - rhel-10.0
+   - rhel-10.0.z
+   - rhel-10.1

0092-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch

@@ -0,0 +1,41 @@
+From ab07d071227dd878a7376296ab4baaca4522e4fb Mon Sep 17 00:00:00 2001
+From: Chengen Du <chengen.du@canonical.com>
+Date: Mon, 12 Aug 2024 11:41:52 +0800
+Subject: [PATCH] udev: Handle PTP device symlink properly on udev action
+ 'change'
+
+PTP device symlink creation rules are currently executed only when the
+udev action is 'add'. If a user reloads the rules and runs the udevadm
+trigger command to reapply changes, the symlink may be deleted, which
+can prevent the chronyd service from restarting properly.
+
+Signed-off-by: Chengen Du <chengen.du@canonical.com>
+(cherry picked from commit 6bd12be3fa7761f190e17efdbdbff4440da7528b)
+
+Resolves: RHEL-59871
+---
+ rules.d/50-udev-default.rules.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
+index 9b00c7037e..6f80feeecf 100644
+--- a/rules.d/50-udev-default.rules.in
++++ b/rules.d/50-udev-default.rules.in
+@@ -30,6 +30,9 @@ SUBSYSTEM=="pci|usb|platform", IMPORT{builtin}="path_id"
+ 
+ SUBSYSTEM=="net", IMPORT{builtin}="net_driver"
+ 
++SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm"
++SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv"
++
+ ACTION!="add", GOTO="default_end"
+ 
+ SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666"
+@@ -116,7 +119,4 @@ KERNEL=="vhost-net", GROUP="kvm", MODE="{{DEV_KVM_MODE}}", OPTIONS+="static_node
+ 
+ KERNEL=="udmabuf", GROUP="kvm"
+ 
+-SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm"
+-SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv"
+-
+ LABEL="default_end"

0093-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch

@@ -0,0 +1,121 @@
+From 1fbfcb7d98c95e80e9332770b78613a803c15c20 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Jul 2024 10:51:21 +0100
+Subject: [PATCH] Fix detection of TDX confidential VM on Azure platform
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The original CVM detection logic for TDX assumes that the guest can see
+the standard TDX CPUID leaf. This was true in Azure when this code was
+originally written, however, current Azure now blocks that leaf in the
+paravisor. Instead it is required to use the same Azure specific CPUID
+leaf that is used for SEV-SNP detection, which reports the VM isolation
+type.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd)
+
+Related: RHEL-56144
+---
+ src/basic/confidential-virt.c                   | 11 ++++++++---
+ src/boot/efi/vmm.c                              |  9 ++++++---
+ src/fundamental/confidential-virt-fundamental.h |  1 +
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
+index b6521cf5bf..8a88a3eb83 100644
+--- a/src/basic/confidential-virt.c
++++ b/src/basic/confidential-virt.c
+@@ -76,7 +76,7 @@ static uint64_t msr(uint64_t index) {
+         return ret;
+ }
+ 
+-static bool detect_hyperv_sev(void) {
++static bool detect_hyperv_cvm(uint32_t isoltype) {
+         uint32_t eax, ebx, ecx, edx, feat;
+         char sig[13] = {};
+ 
+@@ -100,7 +100,7 @@ static bool detect_hyperv_sev(void) {
+                 ebx = ecx = edx = 0;
+                 cpuid(&eax, &ebx, &ecx, &edx);
+ 
+-                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
++                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
+                         return true;
+         }
+ 
+@@ -133,7 +133,7 @@ static ConfidentialVirtualization detect_sev(void) {
+         if (!(eax & EAX_SEV)) {
+                 log_debug("No sev in CPUID, trying hyperv CPUID");
+ 
+-                if (detect_hyperv_sev())
++                if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP))
+                         return CONFIDENTIAL_VIRTUALIZATION_SEV_SNP;
+ 
+                 log_debug("No hyperv CPUID");
+@@ -171,6 +171,11 @@ static ConfidentialVirtualization detect_tdx(void) {
+         if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
+                 return CONFIDENTIAL_VIRTUALIZATION_TDX;
+ 
++        log_debug("No tdx in CPUID, trying hyperv CPUID");
++
++        if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
++                return CONFIDENTIAL_VIRTUALIZATION_TDX;
++
+         return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
+ 
+diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c
+index 60e216d54c..3459461390 100644
+--- a/src/boot/efi/vmm.c
++++ b/src/boot/efi/vmm.c
+@@ -337,7 +337,7 @@ static uint64_t msr(uint32_t index) {
+         return val;
+ }
+ 
+-static bool detect_hyperv_sev(void) {
++static bool detect_hyperv_cvm(uint32_t isoltype) {
+         uint32_t eax, ebx, ecx, edx, feat;
+         char sig[13] = {};
+ 
+@@ -354,7 +354,7 @@ static bool detect_hyperv_sev(void) {
+         if (ebx & CPUID_HYPERV_ISOLATION && !(ebx & CPUID_HYPERV_CPU_MANAGEMENT)) {
+                 __cpuid(CPUID_HYPERV_ISOLATION_CONFIG, eax, ebx, ecx, edx);
+ 
+-                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
++                if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
+                         return true;
+         }
+ 
+@@ -379,7 +379,7 @@ static bool detect_sev(void) {
+          * specific CPUID checks.
+          */
+         if (!(eax & EAX_SEV))
+-                return detect_hyperv_sev();
++                return detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP);
+ 
+         msrval = msr(MSR_AMD64_SEV);
+ 
+@@ -403,6 +403,9 @@ static bool detect_tdx(void) {
+         if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
+                 return true;
+ 
++        if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
++                return true;
++
+         return false;
+ }
+ #endif /* ! __i386__ && ! __x86_64__ */
+diff --git a/src/fundamental/confidential-virt-fundamental.h b/src/fundamental/confidential-virt-fundamental.h
+index 986923e1c2..618b5800ea 100644
+--- a/src/fundamental/confidential-virt-fundamental.h
++++ b/src/fundamental/confidential-virt-fundamental.h
+@@ -65,6 +65,7 @@
+ 
+ #define CPUID_HYPERV_ISOLATION_TYPE_MASK UINT32_C(0xf)
+ #define CPUID_HYPERV_ISOLATION_TYPE_SNP 2
++#define CPUID_HYPERV_ISOLATION_TYPE_TDX 3
+ 
+ #define EAX_SEV     (UINT32_C(1) << 1)
+ #define MSR_SEV     (UINT64_C(1) << 0)

0094-confidential-virt-split-caching-of-CVM-detection-int.patch

@@ -0,0 +1,76 @@
+From d697ad145aa564aff3ac5cb9b6a63667ce2b391c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 2 Aug 2024 16:26:00 +0100
+Subject: [PATCH] confidential-virt: split caching of CVM detection into
+ separate method
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We have different impls of detect_confidential_virtualization per
+architecture. The detection is cached in the x86_64 impl, and as we
+add support for more targets, we want to use caching for all. It thus
+makes sense to split caching out into an architecture independent
+method.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 1c4bd7adcc281af2a2dd40867f64f2ac54a43c7a)
+
+Related: RHEL-56144
+---
+ src/basic/confidential-virt.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
+index 8a88a3eb83..0e05ecffbf 100644
+--- a/src/basic/confidential-virt.c
++++ b/src/basic/confidential-virt.c
+@@ -194,34 +194,37 @@ static bool detect_hypervisor(void) {
+         return is_hv;
+ }
+ 
+-ConfidentialVirtualization detect_confidential_virtualization(void) {
+-        static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+         char sig[13] = {};
+-        ConfidentialVirtualization cv = CONFIDENTIAL_VIRTUALIZATION_NONE;
+-
+-        if (cached_found >= 0)
+-                return cached_found;
+ 
+         /* Skip everything on bare metal */
+         if (detect_hypervisor()) {
+                 cpuid_leaf(0, sig, true);
+ 
+                 if (memcmp(sig, CPUID_SIG_AMD, sizeof(sig)) == 0)
+-                        cv = detect_sev();
++                        return detect_sev();
+                 else if (memcmp(sig, CPUID_SIG_INTEL, sizeof(sig)) == 0)
+-                        cv = detect_tdx();
++                        return detect_tdx();
+         }
+ 
+-        cached_found = cv;
+-        return cv;
++        return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
+ #else /* ! x86_64 */
+-ConfidentialVirtualization detect_confidential_virtualization(void) {
++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+         log_debug("No confidential virtualization detection on this architecture");
+         return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
+ #endif /* ! x86_64 */
+ 
++ConfidentialVirtualization detect_confidential_virtualization(void) {
++        static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
++
++        if (cached_found == _CONFIDENTIAL_VIRTUALIZATION_INVALID)
++                cached_found = detect_confidential_virtualization_impl();
++
++        return cached_found;
++}
++
+ static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
+         [CONFIDENTIAL_VIRTUALIZATION_NONE]    = "none",
+         [CONFIDENTIAL_VIRTUALIZATION_SEV]     = "sev",

0095-confidential-virt-add-detection-for-s390x-target.patch

@@ -0,0 +1,90 @@
+From a9da2854f199bb3729b29ea4175858067313659e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 2 Aug 2024 11:03:10 +0100
+Subject: [PATCH] confidential-virt: add detection for s390x target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The s390x platform provides confidential VMs using the "Secure Execution"
+technology, which is also referred to as "Protected Virtualization" or
+just "prot virt" in Linux / QEMU.
+
+This can be detected through a simple sysfs attribute.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 6c35e0a51cc6a852ce239ea46cd75c133212a68e)
+
+Resolves: RHEL-56144
+---
+ src/basic/confidential-virt.c | 30 +++++++++++++++++++++++++-----
+ src/basic/confidential-virt.h |  1 +
+ 2 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
+index 0e05ecffbf..c246636c7c 100644
+--- a/src/basic/confidential-virt.c
++++ b/src/basic/confidential-virt.c
+@@ -11,6 +11,7 @@
+ #include "confidential-virt-fundamental.h"
+ #include "confidential-virt.h"
+ #include "fd-util.h"
++#include "fileio.h"
+ #include "missing_threads.h"
+ #include "string-table.h"
+ #include "utf8.h"
+@@ -209,6 +210,24 @@ static ConfidentialVirtualization detect_confidential_virtualization_impl(void)
+ 
+         return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
++#elif defined(__s390x__)
++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
++        _cleanup_free_ char *s = NULL;
++        size_t readsize;
++        int r;
++
++        r = read_full_virtual_file("/sys/firmware/uv/prot_virt_guest", &s, &readsize);
++        if (r < 0) {
++                log_debug_errno(r, "Unable to read /sys/firmware/uv/prot_virt_guest: %m");
++                return CONFIDENTIAL_VIRTUALIZATION_NONE;
++        }
++
++        if (readsize >= 1 && s[0] == '1')
++                return CONFIDENTIAL_VIRTUALIZATION_PROTVIRT;
++
++        return CONFIDENTIAL_VIRTUALIZATION_NONE;
++}
++
+ #else /* ! x86_64 */
+ static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+         log_debug("No confidential virtualization detection on this architecture");
+@@ -226,11 +245,12 @@ ConfidentialVirtualization detect_confidential_virtualization(void) {
+ }
+ 
+ static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
+-        [CONFIDENTIAL_VIRTUALIZATION_NONE]    = "none",
+-        [CONFIDENTIAL_VIRTUALIZATION_SEV]     = "sev",
+-        [CONFIDENTIAL_VIRTUALIZATION_SEV_ES]  = "sev-es",
+-        [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
+-        [CONFIDENTIAL_VIRTUALIZATION_TDX]     = "tdx",
++        [CONFIDENTIAL_VIRTUALIZATION_NONE]     = "none",
++        [CONFIDENTIAL_VIRTUALIZATION_SEV]      = "sev",
++        [CONFIDENTIAL_VIRTUALIZATION_SEV_ES]   = "sev-es",
++        [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP]  = "sev-snp",
++        [CONFIDENTIAL_VIRTUALIZATION_TDX]      = "tdx",
++        [CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt",
+ };
+ 
+ DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization);
+diff --git a/src/basic/confidential-virt.h b/src/basic/confidential-virt.h
+index c02f3b2321..f92e3e883d 100644
+--- a/src/basic/confidential-virt.h
++++ b/src/basic/confidential-virt.h
+@@ -13,6 +13,7 @@ typedef enum ConfidentialVirtualization {
+         CONFIDENTIAL_VIRTUALIZATION_SEV_ES,
+         CONFIDENTIAL_VIRTUALIZATION_SEV_SNP,
+         CONFIDENTIAL_VIRTUALIZATION_TDX,
++        CONFIDENTIAL_VIRTUALIZATION_PROTVIRT,
+ 
+         _CONFIDENTIAL_VIRTUALIZATION_MAX,
+         _CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL,