40 files changed, 1268 insertions, 101 deletions
diff --git a/meta-gnome/recipes-gnome/libtimezonemap/files/0001-configure.ac-correct-the-version.patch b/meta-gnome/recipes-gnome/libtimezonemap/files/0001-configure.ac-correct-the-version.patch
new file mode 100644
index 0000000000..0538bc3e5c
--- /dev/null
+++ b/meta-gnome/recipes-gnome/libtimezonemap/files/0001-configure.ac-correct-the-version.patch
@@ -0,0 +1,29 @@
+From 915bc44d9f243075d084238c72089a346036388c Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 29 May 2025 10:08:21 +0800
+Subject: [PATCH] configure.ac: correct the version
+The source is here:
+https://salsa.debian.org/cinnamon-team/libtimezonemap
+Upstream-Status: Pending [ register account rejected ]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/configure.ac b/configure.ac
+index 3f74dae..24eb0e5 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1,5 +1,5 @@
+ AC_INIT([libtimezonemap],
+-        [0.4.4],
+        [0.4.6],
+         [http://bugs.launchpad.net/libtimezonemap],
+         [libtimezonemap],
+         [http://launchpad.net/libtimezonemap])
+-- 
+2.34.1
diff --git a/meta-gnome/recipes-gnome/libtimezonemap/libtimezonemap_0.4.6.bb b/meta-gnome/recipes-gnome/libtimezonemap/libtimezonemap_0.4.6.bb
index bafe7af040..3f37890e8d 100644
--- a/meta-gnome/recipes-gnome/libtimezonemap/libtimezonemap_0.4.6.bb
+++ b/meta-gnome/recipes-gnome/libtimezonemap/libtimezonemap_0.4.6.bb
@@ -4,7 +4,8 @@ SECTION = "devel/lib"
 LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-SRC_URI = "${DEBIAN_MIRROR}/main/libt/${BPN}/${BPN}_${PV}.orig.tar.gz;downloadfilename=${BP}.tar.gz"
+SRC_URI = "${DEBIAN_MIRROR}/main/libt/${BPN}/${BPN}_${PV}.orig.tar.gz;downloadfilename=${BP}.tar.gz \
+           file://0001-configure.ac-correct-the-version.patch"
 SRC_URI[sha256sum] = "0d634cc2476d8f57d1ee1864bd4f442180ae4bf040a9ae4bf73b66bbd85d7195"
 DEPENDS = "gtk+3 gdk-pixbuf libsoup-2.4 json-glib gnome-common-native"
diff --git a/meta-initramfs/recipes-devtools/dracut/dracut_106.bb b/meta-initramfs/recipes-devtools/dracut/dracut_106.bb
index b70ee4baeb..871119521f 100644
--- a/meta-initramfs/recipes-devtools/dracut/dracut_106.bb
+++ b/meta-initramfs/recipes-devtools/dracut/dracut_106.bb
@@ -35,7 +35,7 @@ EXTRA_OECONF = "--prefix=${prefix} \
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
 PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/,,,systemd"
-EXTRA_OEMAKE += 'libdir=${nonarch_libdir} LDLIBS="${LDLIBS}" enable_test=no'
+EXTRA_OEMAKE += 'libdir=${nonarch_libdir} LDLIBS="${LDLIBS}" enable_test=no DRACUT_FULL_VERSION=${PV}'
 CFLAGS:append = " -fPIC"
 LDLIBS:append:libc-musl = " -lfts"
diff --git a/meta-multimedia/recipes-multimedia/aom/aom_3.12.1.bb b/meta-multimedia/recipes-multimedia/aom/aom_3.12.1.bb
index 681ebb4d3d..94e3f4f14f 100644
--- a/meta-multimedia/recipes-multimedia/aom/aom_3.12.1.bb
+++ b/meta-multimedia/recipes-multimedia/aom/aom_3.12.1.bb
@@ -21,6 +21,7 @@ EXTRA_OECMAKE = "-DBUILD_SHARED_LIBS=1 -DENABLE_TESTS=0 \
 CMAKE_VERBOSE = "VERBOSE=1"
 CFLAGS:append:libc-musl = " -D_GNU_SOURCE"
 EXTRA_OECMAKE:append:arm = " -DENABLE_NEON=OFF"
+EXTRA_OECMAKE:append:riscv32 = " -DENABLE_RVV=OFF"
 do_generate_toolchain_file:append() {
    echo "set(AOM_AS_FLAGS --debug-prefix-map ${S}=${TARGET_DBGSRC_DIR})" >> ${WORKDIR}/toolchain.cmake
diff --git a/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.3.bb b/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.4.bb
index 5fe8a1c105..5eefb07532 100644
--- a/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.3.bb
+++ b/meta-multimedia/recipes-multimedia/pipewire/pipewire_1.4.4.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = " \
 DEPENDS = "dbus ncurses"
-SRCREV = "331d5e03516a99c56b3064dbbbd639a3ae848d36"
+SRCREV = "3f79bcae5d4415f82907b49221ca05241a7f263c"
 BRANCH = "${@oe.utils.trim_version('${PV}', 2)}"
 SRC_URI = "git://gitlab.freedesktop.org/pipewire/pipewire.git;branch=${BRANCH};protocol=https"
diff --git a/meta-networking/classes/waf-samba.bbclass b/meta-networking/classes/waf-samba.bbclass
index 49d64b096f..cb78ce6b0d 100644
--- a/meta-networking/classes/waf-samba.bbclass
+++ b/meta-networking/classes/waf-samba.bbclass
@@ -1,7 +1,7 @@
 # waf is a build system which is used by samba related project.
 # Obtain details from https://wiki.samba.org/index.php/Waf
 #
-inherit python3native
+inherit qemu python3native
 DEPENDS += "qemu-native libxslt-native docbook-xsl-stylesheets-native python3"
@@ -77,7 +77,7 @@ do_configure() {
    echo 'Checking uname release type: "${OLDEST_KERNEL}"' >> ${CROSS_ANSWERS}
    cat ${WAF_CROSS_ANSWERS_PATH}/cross-answers-${TARGET_ARCH}.txt >> ${CROSS_ANSWERS}
-    qemu_binary="${@oe.qemu.qemu_target_binary(d)}"
+    qemu_binary="${@qemu_target_binary(d)}"
    if [ "${qemu_binary}" = "qemu-allarch" ]; then
        qemu_binary="qemuwrapper"
    fi
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch b/meta-networking/recipes-connectivity/wolfssl/files/0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch
new file mode 100644
index 0000000000..f4f149c7e8
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch
@@ -0,0 +1,791 @@
+From 04975ac158e6d33875c2855f74792efb2258bb93 Mon Sep 17 00:00:00 2001
+From: Daniel Pouzzner <douzzer@wolfssl.com>
+Date: Tue, 13 May 2025 20:30:48 -0500
+Subject: [PATCH] wolfssl/wolfcrypt/logging.h and wolfcrypt/src/logging.c: add 
+  WOLFSSL_DEBUG_PRINTF() macro adapted from wolfssl_log(), refactor  
+ wolfssl_log() to use it, and move printf setup includes/prototypes from  
+ logging.c to logging.h;
+src/ssl_load.c: add source_name arg and WOLFSSL_DEBUG_CERTIFICATE_LOADS clauses
+  to ProcessBuffer() and ProcessChainBuffer(), and pass reasonable values from
+  callers;
+remove expired "Baltimore CyberTrust Root" from certs/external/ca_collection.pem
+  and certs/external/baltimore-cybertrust-root.pem.
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/55460a52619626f614e86d528b9a60445562eb34]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ certs/external/baltimore-cybertrust-root.pem |  21 ---
+ certs/external/ca_collection.pem             |  77 ----------
+ src/ssl_load.c                               | 111 +++++++++++----
+ wolfcrypt/src/error.c                        |   4 +-
+ wolfcrypt/src/logging.c                      | 142 ++-----------------
+ wolfssl/internal.h                           |   3 +-
+ wolfssl/wolfcrypt/logging.h                  |  93 +++++++++++-
+ 7 files changed, 190 insertions(+), 261 deletions(-)
+ delete mode 100644 certs/external/baltimore-cybertrust-root.pem
+diff --git a/certs/external/baltimore-cybertrust-root.pem b/certs/external/baltimore-cybertrust-root.pem
+deleted file mode 100644
+index 519028c63..000000000
+--- a/certs/external/baltimore-cybertrust-root.pem
+++ /dev/null
+@@ -1,21 +0,0 @@
+------BEGIN CERTIFICATE-----
+-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+------END CERTIFICATE-----
+diff --git a/certs/external/ca_collection.pem b/certs/external/ca_collection.pem
+index ddfdf9cee..c76d6c605 100644
+--- a/certs/external/ca_collection.pem
+++ b/certs/external/ca_collection.pem
+@@ -1,80 +1,3 @@
+-Certificate:
+-    Data:
+-        Version: 3 (0x2)
+-        Serial Number: 33554617 (0x20000b9)
+-        Signature Algorithm: sha1WithRSAEncryption
+-        Issuer: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
+-        Validity
+-            Not Before: May 12 18:46:00 2000 GMT
+-            Not After : May 12 23:59:00 2025 GMT
+-        Subject: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
+-        Subject Public Key Info:
+-            Public Key Algorithm: rsaEncryption
+-                RSA Public-Key: (2048 bit)
+-                Modulus:
+-                    00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
+-                    d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
+-                    64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
+-                    62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
+-                    52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
+-                    73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
+-                    50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
+-                    a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
+-                    70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
+-                    d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
+-                    5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
+-                    98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
+-                    ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
+-                    39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
+-                    c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
+-                    ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
+-                    78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
+-                    1a:39
+-                Exponent: 65537 (0x10001)
+-        X509v3 extensions:
+-            X509v3 Subject Key Identifier: 
+-                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
+-            X509v3 Basic Constraints: critical
+-                CA:TRUE, pathlen:3
+-            X509v3 Key Usage: critical
+-                Certificate Sign, CRL Sign
+-    Signature Algorithm: sha1WithRSAEncryption
+-         85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
+-         bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
+-         76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
+-         12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
+-         ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
+-         74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
+-         05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
+-         31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
+-         9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
+-         1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
+-         73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
+-         7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
+-         9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
+-         fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
+-         ea:63:39:a9
+------BEGIN CERTIFICATE-----
+-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+------END CERTIFICATE-----
+ Certificate:
+     Data:
+         Version: 3 (0x2)
+diff --git a/src/ssl_load.c b/src/ssl_load.c
+index 24c8af1be..d803b4093 100644
+--- a/src/ssl_load.c
+++ b/src/ssl_load.c
+@@ -2352,11 +2352,13 @@ static int ProcessBufferResetSuites(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int type)
+  * @param [out]     used       Number of bytes consumed.
+  * @param [in[      userChain  Whether this certificate is for user's chain.
+  * @param [in]      verify     How to verify certificate.
+ * @param [in]      source_name Associated filename or other source ID.
+  * @return  1 on success.
+  * @return  Less than 1 on failure.
+  */
+ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
+-    int format, int type, WOLFSSL* ssl, long* used, int userChain, int verify)
+    int format, int type, WOLFSSL* ssl, long* used, int userChain, int verify,
+    const char *source_name)
+ {
+     DerBuffer*    der = NULL;
+     int           ret = 0;
+@@ -2367,6 +2369,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
+     EncryptedInfo  info[1];
+ #endif
+     int           algId = 0;
+#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
+    long usedAtStart = used ? *used : 0L;
+#else
+    (void)source_name;
+#endif
+ 
+     WOLFSSL_ENTER("ProcessBuffer");
+ 
+@@ -2444,6 +2451,22 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
+                 CLEAR_ASN_NO_PEM_HEADER_ERROR(pemErr);
+                 ret = 0;
+             }
+#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
+            if (ret < 0) {
+#ifdef NO_ERROR_STRINGS
+                WOLFSSL_DEBUG_PRINTF(
+                    "ERROR: ProcessUserChain: certificate from %s at offset %ld"
+                    " rejected with code %d\n",
+                    source_name, usedAtStart, ret);
+#else
+                WOLFSSL_DEBUG_PRINTF(
+                    "ERROR: ProcessUserChain: certificate from %s at offset %ld"
+                    " rejected with code %d: %s\n",
+                    source_name, usedAtStart, ret,
+                    wolfSSL_ERR_reason_error_string(ret));
+#endif
+            }
+#endif /* WOLFSSL_DEBUG_CERTIFICATE_LOADS */
+         }
+ 
+     #ifdef WOLFSSL_SMALL_STACK
+@@ -2455,6 +2478,22 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
+             /* Process the different types of certificates. */
+             ret = ProcessBufferCertTypes(ctx, ssl, buff, sz, der, format, type,
+                 verify);
+#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
+            if (ret < 0) {
+#ifdef NO_ERROR_STRINGS
+                WOLFSSL_DEBUG_PRINTF(
+                    "ERROR: ProcessBufferCertTypes: certificate from %s at"
+                    " offset %ld rejected with code %d\n",
+                    source_name, usedAtStart, ret);
+#else
+                WOLFSSL_DEBUG_PRINTF(
+                    "ERROR: ProcessBufferCertTypes: certificate from %s at"
+                    " offset %ld rejected with code %d: %s\n",
+                    source_name, usedAtStart, ret,
+                    wolfSSL_ERR_reason_error_string(ret));
+#endif
+            }
+#endif /* WOLFSSL_DEBUG_CERTIFICATE_LOADS */
+         }
+         else {
+             FreeDer(&der);
+@@ -2515,12 +2554,14 @@ static int ProcessChainBufferCRL(WOLFSSL_CTX* ctx, const unsigned char* buff,
+  * @param [in]      sz      Size of data in buffer.
+  * @param [in]      type    Type of data.
+  * @param [in]      verify  How to verify certificate.
+ * @param [in]      source_name   Associated filename or other source ID.
+  * @return  1 on success.
+  * @return  0 on failure.
+  * @return  MEMORY_E when dynamic memory allocation fails.
+  */
+ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
+-    const unsigned char* buff, long sz, int type, int verify)
+    const unsigned char* buff, long sz, int type, int verify,
+    const char *source_name)
+ {
+     int  ret    = 0;
+     long used   = 0;
+@@ -2529,11 +2570,11 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
+     WOLFSSL_MSG("Processing CA PEM file");
+     /* Keep processing file while no errors and data to parse. */
+     while ((ret >= 0) && (used < sz)) {
+-        long consumed = 0;
+        long consumed = used;
+ 
+         /* Process the buffer. */
+         ret = ProcessBuffer(ctx, buff + used, sz - used, WOLFSSL_FILETYPE_PEM,
+-            type, ssl, &consumed, 0, verify);
+            type, ssl, &consumed, 0, verify, source_name);
+         /* Memory allocation failure is fatal. */
+         if (ret == WC_NO_ERR_TRACE(MEMORY_E)) {
+             gotOne = 0;
+@@ -2665,6 +2706,12 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
+         {
+             /* Not a header that we support. */
+             WOLFSSL_MSG("Failed to detect certificate type");
+#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS
+            WOLFSSL_DEBUG_PRINTF(
+                "ERROR: ProcessFile: Failed to detect certificate type"
+                " of \"%s\"\n",
+                fname);
+#endif
+             ret = WOLFSSL_BAD_CERTTYPE;
+         }
+     }
+@@ -2673,7 +2720,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
+         if (((type == CA_TYPE) || (type == TRUSTED_PEER_TYPE)) &&
+                 (format == WOLFSSL_FILETYPE_PEM)) {
+             ret = ProcessChainBuffer(ctx, ssl, content.buffer, sz, type,
+-                verify);
+                verify, fname);
+         }
+ #ifdef HAVE_CRL
+         else if (type == CRL_TYPE) {
+@@ -2690,18 +2737,18 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
+             long consumed = 0;
+ 
+             ret = ProcessBuffer(ctx, content.buffer, sz, format, type, ssl,
+-                &consumed, userChain, verify);
+                &consumed, userChain, verify, fname);
+             if ((ret == 1) && (consumed < sz)) {
+                 ret = ProcessBuffer(ctx, content.buffer + consumed,
+                     sz - consumed, format, ALT_PRIVATEKEY_TYPE, ssl, NULL, 0,
+-                    verify);
+                    verify, fname);
+             }
+         }
+ #endif
+         else {
+             /* Load all other certificate types. */
+             ret = ProcessBuffer(ctx, content.buffer, sz, format, type, ssl,
+-                NULL, userChain, verify);
+                NULL, userChain, verify, fname);
+         }
+     }
+ 
+@@ -3030,7 +3077,8 @@ static int LoadSystemCaCertsWindows(WOLFSSL_CTX* ctx, byte* loaded)
+                     if (ProcessBuffer(ctx, certCtx->pbCertEncoded,
+                           certCtx->cbCertEncoded, WOLFSSL_FILETYPE_ASN1,
+                           CA_TYPE, NULL, NULL, 0,
+-                          GET_VERIFY_SETTING_CTX(ctx)) == 1) {
+                          GET_VERIFY_SETTING_CTX(ctx),
+                          storeNames[i]) == 1) {
+                         /*
+                          * Set "loaded" as long as we've loaded one CA
+                          * cert.
+@@ -3105,7 +3153,8 @@ static int LoadSystemCaCertsMac(WOLFSSL_CTX* ctx, byte* loaded)
+                     if (ProcessBuffer(ctx, CFDataGetBytePtr(der),
+                           CFDataGetLength(der), WOLFSSL_FILETYPE_ASN1,
+                           CA_TYPE, NULL, NULL, 0,
+-                          GET_VERIFY_SETTING_CTX(ctx)) == 1) {
+                          GET_VERIFY_SETTING_CTX(ctx),
+                          "MacOSX trustDomains") == 1) {
+                         /*
+                          * Set "loaded" as long as we've loaded one CA
+                          * cert.
+@@ -3644,7 +3693,8 @@ int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509)
+         /* Get DER encoded certificate data from X509 object. */
+         ret = ProcessBuffer(NULL, x509->derCert->buffer, x509->derCert->length,
+             WOLFSSL_FILETYPE_ASN1, CERT_TYPE, ssl, &idx, 0,
+-            GET_VERIFY_SETTING_SSL(ssl));
+            GET_VERIFY_SETTING_SSL(ssl),
+            "x509 buffer");
+     }
+ 
+     /* Return 1 on success or 0 on failure. */
+@@ -3676,7 +3726,8 @@ int wolfSSL_use_certificate_ASN1(WOLFSSL* ssl, const unsigned char* der,
+         long idx = 0;
+ 
+         ret = ProcessBuffer(NULL, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE,
+-            ssl, &idx, 0, GET_VERIFY_SETTING_SSL(ssl));
+            ssl, &idx, 0, GET_VERIFY_SETTING_SSL(ssl),
+            "asn1 buffer");
+     }
+ 
+     /* Return 1 on success or 0 on failure. */
+@@ -3884,12 +3935,13 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
+ 
+     /* When PEM, treat as certificate chain of CA certificates. */
+     if (format == WOLFSSL_FILETYPE_PEM) {
+-        ret = ProcessChainBuffer(ctx, NULL, in, sz, CA_TYPE, verify);
+        ret = ProcessChainBuffer(ctx, NULL, in, sz, CA_TYPE, verify,
+                                 "PEM buffer");
+     }
+     /* When DER, load the CA certificate. */
+     else {
+         ret = ProcessBuffer(ctx, in, sz, format, CA_TYPE, NULL, NULL,
+-            userChain, verify);
+            userChain, verify, "buffer");
+     }
+ #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
+     if (ret == 1) {
+@@ -3973,12 +4025,12 @@ int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
+         /* When PEM, treat as certificate chain of trusted peer certificates. */
+         if (format == WOLFSSL_FILETYPE_PEM) {
+             ret = ProcessChainBuffer(ctx, NULL, in, sz, TRUSTED_PEER_TYPE,
+-                verify);
+                verify, "peer");
+         }
+         /* When DER, load the trusted peer certificate. */
+         else {
+             ret = ProcessBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE, NULL,
+-                NULL, 0, verify);
+                NULL, 0, verify, "peer");
+         }
+     }
+ 
+@@ -4004,7 +4056,7 @@ int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
+ 
+     WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_buffer");
+     ret = ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 0,
+-        GET_VERIFY_SETTING_CTX(ctx));
+        GET_VERIFY_SETTING_CTX(ctx), "buffer");
+     WOLFSSL_LEAVE("wolfSSL_CTX_use_certificate_buffer", ret);
+ 
+     return ret;
+@@ -4030,7 +4082,7 @@ int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
+     WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_buffer");
+ 
+     ret = ProcessBuffer(ctx, in, sz, format, PRIVATEKEY_TYPE, NULL, &consumed,
+-        0, GET_VERIFY_SETTING_CTX(ctx));
+        0, GET_VERIFY_SETTING_CTX(ctx), "key buffer");
+ #ifdef WOLFSSL_DUAL_ALG_CERTS
+     if ((ret == 1) && (consumed < sz)) {
+         /* When support for dual algorithm certificates is enabled, the
+@@ -4038,7 +4090,8 @@ int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
+          * private key. Hence, we have to parse both of them.
+          */
+         ret = ProcessBuffer(ctx, in + consumed, sz - consumed, format,
+-            ALT_PRIVATEKEY_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx));
+            ALT_PRIVATEKEY_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx),
+            "key buffer");
+     }
+ #endif
+ 
+@@ -4056,7 +4109,7 @@ int wolfSSL_CTX_use_AltPrivateKey_buffer(WOLFSSL_CTX* ctx,
+ 
+     WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_buffer");
+     ret = ProcessBuffer(ctx, in, sz, format, ALT_PRIVATEKEY_TYPE, NULL,
+-        NULL, 0, GET_VERIFY_SETTING_CTX(ctx));
+        NULL, 0, GET_VERIFY_SETTING_CTX(ctx), "alt key buffer");
+     WOLFSSL_LEAVE("wolfSSL_CTX_use_AltPrivateKey_buffer", ret);
+ 
+     return ret;
+@@ -4271,7 +4324,8 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx,
+     }
+ 
+     ret = ProcessBuffer(ctx, certData, certDataLen, certFormat,
+-        CERT_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx));
+        CERT_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx),
+        label ? label : "cert buffer");
+ 
+ exit:
+     XFREE(certData, ctx->heap, DYNAMIC_TYPE_CERT);
+@@ -4333,7 +4387,7 @@ int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
+ {
+     WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_buffer_format");
+     return ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 1,
+-        GET_VERIFY_SETTING_CTX(ctx));
+        GET_VERIFY_SETTING_CTX(ctx), "cert chain buffer");
+ }
+ 
+ /* Load a PEM encoded certificate chain in a buffer into SSL context.
+@@ -4376,7 +4430,7 @@ int wolfSSL_use_certificate_buffer(WOLFSSL* ssl, const unsigned char* in,
+     }
+     else {
+         ret = ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, ssl, NULL, 0,
+-            GET_VERIFY_SETTING_SSL(ssl));
+            GET_VERIFY_SETTING_SSL(ssl), "cert buffer");
+     }
+ 
+     return ret;
+@@ -4407,7 +4461,7 @@ int wolfSSL_use_PrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in,
+     }
+     else {
+         ret = ProcessBuffer(ssl->ctx, in, sz, format, PRIVATEKEY_TYPE, ssl,
+-            &consumed, 0, GET_VERIFY_SETTING_SSL(ssl));
+            &consumed, 0, GET_VERIFY_SETTING_SSL(ssl), "key buffer");
+     #ifdef WOLFSSL_DUAL_ALG_CERTS
+         if ((ret == 1) && (consumed < sz)) {
+             /* When support for dual algorithm certificates is enabled, the
+@@ -4415,7 +4469,8 @@ int wolfSSL_use_PrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in,
+              * private key. Hence, we have to parse both of them.
+              */
+             ret = ProcessBuffer(ssl->ctx, in + consumed, sz - consumed, format,
+-                ALT_PRIVATEKEY_TYPE, ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
+                ALT_PRIVATEKEY_TYPE, ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl),
+                "key buffer");
+         }
+     #endif
+     }
+@@ -4431,7 +4486,7 @@ int wolfSSL_use_AltPrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in,
+ 
+     WOLFSSL_ENTER("wolfSSL_use_AltPrivateKey_buffer");
+     ret = ProcessBuffer(ssl->ctx, in, sz, format, ALT_PRIVATEKEY_TYPE, ssl,
+-        NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
+        NULL, 0, GET_VERIFY_SETTING_SSL(ssl), "alt key buffer");
+     WOLFSSL_LEAVE("wolfSSL_use_AltPrivateKey_buffer", ret);
+ 
+     return ret;
+@@ -4669,7 +4724,7 @@ int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl,
+     }
+     else {
+         ret = ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, ssl, NULL, 1,
+-            GET_VERIFY_SETTING_SSL(ssl));
+            GET_VERIFY_SETTING_SSL(ssl), "cert chain buffer");
+     }
+ 
+     return ret;
+@@ -4826,7 +4881,7 @@ long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
+ 
+         /* Process buffer makes first certificate the leaf. */
+         ret = ProcessBuffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE,
+-            NULL, NULL, 1, GET_VERIFY_SETTING_CTX(ctx));
+            NULL, NULL, 1, GET_VERIFY_SETTING_CTX(ctx), "extra chain buffer");
+         if (ret != 1) {
+             ret = 0;
+         }
+diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c
+index af5ba36b4..9ec9484d4 100644
+--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
+@@ -182,10 +182,10 @@ const char* wc_GetErrorString(int error)
+         return "ASN date error, bad size";
+ 
+     case ASN_BEFORE_DATE_E :
+-        return "ASN date error, current date before";
+        return "ASN date error, current date is before start of validity";
+ 
+     case ASN_AFTER_DATE_E :
+-        return "ASN date error, current date after";
+        return "ASN date error, current date is after expiration";
+ 
+     case ASN_SIG_OID_E :
+         return "ASN signature error, mismatched oid";
+diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c
+index 29b9221df..b80fc3a56 100644
+--- a/wolfcrypt/src/logging.c
+++ b/wolfcrypt/src/logging.c
+@@ -230,42 +230,6 @@ void WOLFSSL_TIME(int count)
+ 
+ #ifdef DEBUG_WOLFSSL
+ 
+-#if defined(ARDUINO)
+-    /* see Arduino wolfssl.h for wolfSSL_Arduino_Serial_Print */
+-#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
+-    /* see wc_port.h for fio.h and nio.h includes */
+-#elif defined(WOLFSSL_SGX)
+-    /* Declare sprintf for ocall */
+-    int sprintf(char* buf, const char *fmt, ...);
+-#elif defined(WOLFSSL_DEOS)
+-#elif defined(MICRIUM)
+-    #if (BSP_SER_COMM_EN  == DEF_ENABLED)
+-        #include <bsp_ser.h>
+-    #endif
+-#elif defined(WOLFSSL_USER_LOG)
+-    /* user includes their own headers */
+-#elif defined(WOLFSSL_ESPIDF)
+-    #include "esp_types.h"
+-    #include "esp_log.h"
+-#elif defined(WOLFSSL_TELIT_M2MB)
+-    #include <stdio.h>
+-    #include "m2m_log.h"
+-#elif defined(WOLFSSL_ANDROID_DEBUG)
+-    #include <android/log.h>
+-#elif defined(WOLFSSL_XILINX)
+-    #include "xil_printf.h"
+-#elif defined(WOLFSSL_LINUXKM)
+-    /* the requisite linux/kernel.h is included in wc_port.h, with incompatible warnings masked out. */
+-#elif defined(FUSION_RTOS)
+-    #include <fclstdio.h>
+-    #define fprintf FCL_FPRINTF
+-#else
+-    #include <stdio.h>  /* for default printf stuff */
+-#endif
+-
+-#if defined(THREADX) && !defined(THREADX_NO_DC_PRINTF)
+-    int dc_log_printf(char*, ...);
+-#endif
+ 
+ #ifdef HAVE_STACK_SIZE_VERBOSE
+ #include <wolfssl/wolfcrypt/mem_track.h>
+@@ -281,106 +245,30 @@ static void wolfssl_log(const int logLevel, const char* const file_name,
+     else {
+ #if defined(WOLFSSL_USER_LOG)
+         WOLFSSL_USER_LOG(logMessage);
+-#elif defined(ARDUINO)
+-        wolfSSL_Arduino_Serial_Print(logMessage);
+-#elif defined(WOLFSSL_LOG_PRINTF)
+-        if (file_name != NULL)
+-            printf("[%s L %d] %s\n", file_name, line_number, logMessage);
+-        else
+-            printf("%s\n", logMessage);
+-#elif defined(THREADX) && !defined(THREADX_NO_DC_PRINTF)
+-        if (file_name != NULL)
+-            dc_log_printf("[%s L %d] %s\n", file_name, line_number, logMessage);
+-        else
+-            dc_log_printf("%s\n", logMessage);
+-#elif defined(WOLFSSL_DEOS)
+-        if (file_name != NULL)
+-            printf("[%s L %d] %s\r\n", file_name, line_number, logMessage);
+-        else
+-            printf("%s\r\n", logMessage);
+-#elif defined(MICRIUM)
+-        if (file_name != NULL)
+-            BSP_Ser_Printf("[%s L %d] %s\r\n",
+-                           file_name, line_number, logMessage);
+-        else
+-            BSP_Ser_Printf("%s\r\n", logMessage);
+-#elif defined(WOLFSSL_MDK_ARM)
+-        fflush(stdout) ;
+-        if (file_name != NULL)
+-            printf("[%s L %d] %s\n", file_name, line_number, logMessage);
+-        else
+-            printf("%s\n", logMessage);
+-        fflush(stdout) ;
+-#elif defined(WOLFSSL_UTASKER)
+-        fnDebugMsg((char*)logMessage);
+-        fnDebugMsg("\r\n");
+-#elif defined(MQX_USE_IO_OLD)
+-        if (file_name != NULL)
+-            fprintf(_mqxio_stderr, "[%s L %d] %s\n",
+-                    file_name, line_number, logMessage);
+-        else
+-            fprintf(_mqxio_stderr, "%s\n", logMessage);
+-#elif defined(WOLFSSL_APACHE_MYNEWT)
+-        if (file_name != NULL)
+-            LOG_DEBUG(&mynewt_log, LOG_MODULE_DEFAULT, "[%s L %d] %s\n",
+-                      file_name, line_number, logMessage);
+-        else
+-            LOG_DEBUG(&mynewt_log, LOG_MODULE_DEFAULT, "%s\n", logMessage);
+-#elif defined(WOLFSSL_ESPIDF)
+-        if (file_name != NULL)
+-            ESP_LOGI("wolfssl", "[%s L %d] %s",
+-                     file_name, line_number, logMessage);
+-        else
+-            ESP_LOGI("wolfssl", "%s", logMessage);
+-#elif defined(WOLFSSL_ZEPHYR)
+-        if (file_name != NULL)
+-            printk("[%s L %d] %s\n", file_name, line_number, logMessage);
+-        else
+-            printk("%s\n", logMessage);
+-#elif defined(WOLFSSL_TELIT_M2MB)
+-        if (file_name != NULL)
+-            M2M_LOG_INFO("[%s L %d] %s\n", file_name, line_number, logMessage);
+-        else
+-            M2M_LOG_INFO("%s\n", logMessage);
+-#elif defined(WOLFSSL_ANDROID_DEBUG)
+-        if (file_name != NULL)
+-            __android_log_print(ANDROID_LOG_VERBOSE, "[wolfSSL]", "[%s L %d] %s",
+-                                file_name, line_number, logMessage);
+-        else
+-            __android_log_print(ANDROID_LOG_VERBOSE, "[wolfSSL]", "%s",
+-                                logMessage);
+-#elif defined(WOLFSSL_XILINX)
+-        if (file_name != NULL)
+-            xil_printf("[%s L %d] %s\r\n", file_name, line_number, logMessage);
+-        else
+-            xil_printf("%s\r\n", logMessage);
+-#elif defined(WOLFSSL_LINUXKM)
+-        if (file_name != NULL)
+-            printk("[%s L %d] %s\n", file_name, line_number, logMessage);
+-        else
+-            printk("%s\n", logMessage);
+-#elif defined(WOLFSSL_RENESAS_RA6M4)
+-        if (file_name != NULL)
+-            myprintf("[%s L %d] %s\n", file_name, line_number, logMessage);
+-        else
+-            myprintf("%s\n", logMessage);
+-#elif defined(STACK_SIZE_CHECKPOINT_MSG) && \
+-      defined(HAVE_STACK_SIZE_VERBOSE) && defined(HAVE_STACK_SIZE_VERBOSE_LOG)
+-        STACK_SIZE_CHECKPOINT_MSG(logMessage);
+-#else
+#elif defined(WOLFSSL_DEBUG_PRINTF)
+         if (log_prefix != NULL) {
+             if (file_name != NULL)
+-                fprintf(stderr, "[%s]: [%s L %d] %s\n",
+                WOLFSSL_DEBUG_PRINTF("[%s]: [%s L %d] %s\n",
+                         log_prefix, file_name, line_number, logMessage);
+             else
+-                fprintf(stderr, "[%s]: %s\n", log_prefix, logMessage);
+                WOLFSSL_DEBUG_PRINTF("[%s]: %s\n", log_prefix, logMessage);
+         } else {
+             if (file_name != NULL)
+-                fprintf(stderr, "[%s L %d] %s\n",
+                WOLFSSL_DEBUG_PRINTF("[%s L %d] %s\n",
+                         file_name, line_number, logMessage);
+             else
+-                fprintf(stderr, "%s\n", logMessage);
+                WOLFSSL_DEBUG_PRINTF("%s\n", logMessage);
+         }
+#elif defined(ARDUINO)
+        wolfSSL_Arduino_Serial_Print(logMessage);
+#elif defined(WOLFSSL_UTASKER)
+        fnDebugMsg((char*)logMessage);
+        fnDebugMsg("\r\n");
+#elif defined(STACK_SIZE_CHECKPOINT_MSG) && \
+      defined(HAVE_STACK_SIZE_VERBOSE) && defined(HAVE_STACK_SIZE_VERBOSE_LOG)
+        STACK_SIZE_CHECKPOINT_MSG(logMessage);
+#else
+    #error No log method defined.
+ #endif
+     }
+ }
+diff --git a/wolfssl/internal.h b/wolfssl/internal.h
+index 9cdbdb697..dd191fb1a 100644
+--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
+@@ -6389,7 +6389,8 @@ WOLFSSL_TEST_VIS   void wolfSSL_ResourceFree(WOLFSSL* ssl);   /* Micrium uses */
+ 
+     WOLFSSL_LOCAL int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
+                                     long sz, int format, int type, WOLFSSL* ssl,
+-                                    long* used, int userChain, int verify);
+                                    long* used, int userChain, int verify,
+                                    const char *source_name);
+     WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format,
+                                  int type, WOLFSSL* ssl, int userChain,
+                                 WOLFSSL_CRL* crl, int verify);
+diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h
+index 49de70147..8b3cf0fd8 100644
+--- a/wolfssl/wolfcrypt/logging.h
+++ b/wolfssl/wolfcrypt/logging.h
+@@ -89,11 +89,6 @@ enum wc_FuncNum {
+ };
+ #endif
+ 
+-#if defined(ARDUINO)
+-/* implemented in Arduino wolfssl.h */
+-extern WOLFSSL_API int wolfSSL_Arduino_Serial_Print(const char* const s);
+-#endif /* ARDUINO */
+-
+ typedef void (*wolfSSL_Logging_cb)(const int logLevel,
+                                    const char *const logMessage);
+ 
+@@ -157,6 +152,10 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix);
+     #define WOLFSSL_TIME(n)  WC_DO_NOTHING
+ #endif
+ 
+#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_DEBUG_CERTIFICATE_LOADS)
+    #define WOLFSSL_DEBUG_CERTIFICATE_LOADS
+#endif
+
+ #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_DEBUG_ERRORS_ONLY)
+     #if defined(_WIN32)
+         #if defined(INTIME_RTOS)
+@@ -268,6 +267,90 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix);
+     extern WOLFSSL_API THREAD_LS_T void *StackSizeCheck_stackOffsetPointer;
+ #endif
+ 
+/* Port-specific includes and printf methods: */
+
+#if defined(ARDUINO)
+    /* implemented in Arduino wolfssl.h */
+    extern WOLFSSL_API int wolfSSL_Arduino_Serial_Print(const char* const s);
+#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
+    /* see wc_port.h for fio.h and nio.h includes */
+#elif defined(WOLFSSL_SGX)
+    /* Declare sprintf for ocall */
+    int sprintf(char* buf, const char *fmt, ...);
+#elif defined(WOLFSSL_DEOS)
+#elif defined(MICRIUM)
+    #if (BSP_SER_COMM_EN  == DEF_ENABLED)
+        #include <bsp_ser.h>
+    #endif
+#elif defined(WOLFSSL_USER_LOG)
+    /* user includes their own headers */
+#elif defined(WOLFSSL_ESPIDF)
+    #include "esp_types.h"
+    #include "esp_log.h"
+#elif defined(WOLFSSL_TELIT_M2MB)
+    #include <stdio.h>
+    #include "m2m_log.h"
+#elif defined(WOLFSSL_ANDROID_DEBUG)
+    #include <android/log.h>
+#elif defined(WOLFSSL_XILINX)
+    #include "xil_printf.h"
+#elif defined(WOLFSSL_LINUXKM)
+    /* the requisite linux/kernel.h is included in linuxkm_wc_port.h, with
+     * incompatible warnings masked out.
+     */
+#elif defined(FUSION_RTOS)
+    #include <fclstdio.h>
+    #define fprintf FCL_FPRINTF
+#else
+    #include <stdio.h>  /* for default printf stuff */
+#endif
+
+#if defined(THREADX) && !defined(THREADX_NO_DC_PRINTF)
+    int dc_log_printf(char*, ...);
+#endif
+
+#ifdef WOLFSSL_DEBUG_PRINTF
+    /* user-supplied definition */
+#elif defined(ARDUINO)
+    /* ARDUINO only has print and sprintf, no printf. */
+#elif defined(WOLFSSL_LOG_PRINTF) || defined(WOLFSSL_DEOS)
+    #define WOLFSSL_DEBUG_PRINTF(...) printf(__VA_ARGS__)
+#elif defined(THREADX) && !defined(THREADX_NO_DC_PRINTF)
+    #define WOLFSSL_DEBUG_PRINTF(...) dc_log_printf(__VA_ARGS__)
+#elif defined(MICRIUM)
+    #define WOLFSSL_DEBUG_PRINTF(...) BSP_Ser_Printf(__VA_ARGS__)
+#elif defined(WOLFSSL_MDK_ARM)
+    #define WOLFSSL_DEBUG_PRINTF(...) do { \
+            fflush(stdout);                \
+            printf(__VA_ARGS__);           \
+            fflush(stdout);                \
+        } while (0)
+#elif defined(WOLFSSL_UTASKER)
+    /* WOLFSSL_UTASKER only has fnDebugMsg and related primitives, no printf. */
+#elif defined(MQX_USE_IO_OLD)
+    #define WOLFSSL_DEBUG_PRINTF(...) fprintf(_mqxio_stderr, __VAR_ARGS)
+#elif defined(WOLFSSL_APACHE_MYNEWT)
+    #define WOLFSSL_DEBUG_PRINTF(...) LOG_DEBUG(&mynewt_log, \
+        LOG_MODULE_DEFAULT, __VA_ARGS__)
+#elif defined(WOLFSSL_ESPIDF)
+    #define WOLFSSL_DEBUG_PRINTF(...) ESP_LOGI("wolfssl", __VA_ARGS__)
+#elif defined(WOLFSSL_ZEPHYR)
+    #define WOLFSSL_DEBUG_PRINTF(...) printk(__VA_ARGS__)
+#elif defined(WOLFSSL_TELIT_M2MB)
+    #define WOLFSSL_DEBUG_PRINTF(...) M2M_LOG_INFO(__VA_ARGS__)
+#elif defined(WOLFSSL_ANDROID_DEBUG)
+    #define WOLFSSL_DEBUG_PRINTF(...) __android_log_print(ANDROID_LOG_VERBOSE, \
+                                                    "[wolfSSL]", __VA_ARGS__)
+#elif defined(WOLFSSL_XILINX)
+    #define WOLFSSL_DEBUG_PRINTF(...) xil_printf(__VA_ARGS__)
+#elif defined(WOLFSSL_LINUXKM)
+    #define WOLFSSL_DEBUG_PRINTF(...) printk(__VA_ARGS__)
+#elif defined(WOLFSSL_RENESAS_RA6M4)
+    #define WOLFSSL_DEBUG_PRINTF(...) myprintf(__VA_ARGS__)
+#else
+    #define WOLFSSL_DEBUG_PRINTF(...) fprintf(stderr, __VA_ARGS__)
+#endif
+
+ #ifdef __cplusplus
+ }
+ #endif
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/run-ptest b/meta-networking/recipes-connectivity/wolfssl/files/run-ptest
index ff66f4ef6c..fd260d441a 100644
--- a/meta-networking/recipes-connectivity/wolfssl/files/run-ptest
+++ b/meta-networking/recipes-connectivity/wolfssl/files/run-ptest
@@ -8,7 +8,9 @@ echo "Wolfssl ptest logs are stored in ${temp_dir}/${log_file}"
 ./test/unit.test > "$temp_dir/$log_file" 2>&1  
-echo "Test script returned: $?"
+ret=$?
+echo "Test script returned: $ret"
 MAGIC_SENTENCE=$(grep "unit_test: Success for all configured tests." $temp_dir/$log_file)
@@ -21,4 +23,4 @@ else
 fi
 NUM_FAILS=$(grep -c "Failed" $temp_dir/$log_file)
-exit $NUM_FAILS
+exit $ret
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index b7ff23e719..b420795cee 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -14,20 +14,25 @@ RPROVIDES:${PN} = "cyassl"
 SRC_URI = " \
    git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
+    file://0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch \
    file://run-ptest \
 "
-SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
+SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
 S = "${WORKDIR}/git"
 inherit autotools ptest
+EXTRA_OECONF += "--enable-certreq --enable-dtls --enable-opensslextra --enable-certext --enable-certgen"
 PACKAGECONFIG ?= "reproducible-build"
 PACKAGECONFIG[reproducible-build] = "--enable-reproducible-build,--disable-reproducible-build,"
 BBCLASSEXTEND += "native nativesdk"
+CFLAGS += '-fPIC -DCERT_REL_PREFIX=\\"./\\"'
 RDEPENDS:${PN}-ptest += " bash"
 do_install_ptest() {
diff --git a/meta-oe/classes/check-version-mismatch.bbclass b/meta-oe/classes/check-version-mismatch.bbclass
index e83cfec756..f735280d7a 100644
--- a/meta-oe/classes/check-version-mismatch.bbclass
+++ b/meta-oe/classes/check-version-mismatch.bbclass
@@ -1,3 +1,6 @@
+QEMU_OPTIONS = "-r ${OLDEST_KERNEL} ${@d.getVar("QEMU_EXTRAOPTIONS:tune-%s" % d.getVar('TUNE_PKGARCH')) or ""}"
+QEMU_OPTIONS[vardeps] += "QEMU_EXTRAOPTIONS:tune-${TUNE_PKGARCH}"
 ENABLE_VERSION_MISMATCH_CHECK ?= "${@'1' if bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', True, False, d) else '0'}"
 DEBUG_VERSION_MISMATCH_CHECK ?= "1"
 CHECK_VERSION_PV ?= ""
diff --git a/meta-oe/classes/discoverable-disk-image.bbclass b/meta-oe/classes/discoverable-disk-image.bbclass
new file mode 100644
index 0000000000..e601bf452f
--- /dev/null
+++ b/meta-oe/classes/discoverable-disk-image.bbclass
@@ -0,0 +1,132 @@
+##
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+#
+# Discoverable Disk Image (DDI)
+#
+# "DDIs (Discoverable Disk Images) are self-describing file system
+# images that follow the DPS ( Discoverable Partitions Specification),
+# wrapped in a GPT partition table, that may contain root (or /usr/)
+# filesystems for bootable OS images, system extensions, configuration
+# extensions, portable services, containers and more, and shall be
+# protected by signed dm-verity all combined into one. They are
+# designed to be composable and stackable, and provide security by
+# default."
+# https://uapi-group.org/specifications/specs/discoverable_disk_image/
+# https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+# https://www.freedesktop.org/software/systemd/man/latest/systemd.image-policy.html
+# To be able to use discoverable-disk-images with a
+# root-verity-sig or usr-verity-sig configuration:
+# - systemd needs to include the PACKAGECONFIG 'cryptsetup', and
+# - the kernel needs the following features enabled:
+#   CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
+#   CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING=y
+#   CONFIG_EROFS_FS=y
+#   CONFIG_EROFS_FS_XATTR=y
+#   CONFIG_EROFS_FS_ZIP=y
+#   CONFIG_EROFS_FS_ZIP_LZMA=y
+#   CONFIG_INTEGRITY_SIGNATURE=y
+#   CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#   CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+#   CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+#   CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+#   CONFIG_SIGNATURE=y
+# To sign DDIs, a key and certificate need to be provided by setting
+# the variables:
+#   REPART_PRIVATE_KEY
+#     private key so sign the verity-hash
+#   REPART_PRIVATE_KEY_SOURCE
+#     optional, can be "engine:pkcs11" when using a (soft)hsm
+#   REPART_CERTIFICATE
+#     corresponding public certificate, in .pem format
+#
+# For signature verification, systemd-sysext expects the matching
+# certificate to reside in /etc/verity.d as PEM formated .crt file.
+#
+# To enforce loading of only signed extension images, an appropriate
+# image policy has to be passed to systemd-sysext, e.g.:
+# systemd-sysext --image-policy='root=signed+absent:usr=signed+absent:=unused+absent' merge
+# 'systemd-dissect' can be used to inspect, manually mount, ... a DDI.
+inherit image
+IMAGE_FSTYPES = "ddi"
+DEPENDS += " \
+    systemd-repart-native \
+    erofs-utils-native \
+    openssl-native \
+"
+# systemd-repart --make-ddi takes one of "sysext", "confext" or "portable",
+# which it then takes and looks up definitions in the host os; which we need
+# to divert to the sysroot-native by setting '--definitions=' instead.
+#
+REPART_DDI_TYPE ?= "sysext"
+REPART_DDI_EXTENSION ?= "ddi"
+# systemd-repart creates temporary directoryies under /var/tmp/.#repartXXXXXXX/,
+# to estimate partition size etc. Since files are copied there from the image/rootfs
+# folder - which are owned by pseudo-root - this temporary location has to be
+# added to the directories handled by pseudo; otherwise calls to e.g.
+# fchown(0,0) inside systemd git/src/shared/copy.c end up failing.
+PSEUDO_INCLUDE_PATHS .= ",/var/tmp/"
+oe_image_systemd_repart_make_ddi() {
+    local additional_args=""
+    if [ -n "${REPART_PRIVATE_KEY}" ]
+    then
+        if [ -n "${REPART_PRIVATE_KEY_SOURCE}" ]
+        then
+            additional_args="$additional_args --private-key-source=${REPART_PRIVATE_KEY_SOURCE}"
+        fi
+        additional_args="$additional_args --private-key=${REPART_PRIVATE_KEY}"
+    fi
+    if [ -n "${REPART_CERTIFICATE}" ]
+    then
+        additional_args="$additional_args --certificate=${REPART_CERTIFICATE}"
+    fi
+    # map architectures to systemd's expected values
+    local systemd_arch="${TARGET_ARCH}"
+    case "${systemd_arch}" in
+        aarch64)
+        systemd_arch=arm64
+        ;;
+        x86_64)
+        systemd_arch=x86-64
+        ;;
+    esac
+    # prepare system-repart configuration
+    mkdir -p ${B}/definitions.repart.d
+    cp ${STAGING_LIBDIR_NATIVE}/systemd/repart/definitions/${REPART_DDI_TYPE}.repart.d/* ${B}/definitions.repart.d/
+    # enable erofs compression
+    sed -i "/^Compression/d" ${B}/definitions.repart.d/10-root.conf
+    echo "Compression=lzma\nCompressionLevel=3" >> ${B}/definitions.repart.d/10-root.conf
+    # disable verity signature partition creation, if no key is provided
+    if [ -z "${REPART_PRIVATE_KEY}" ]; then
+        rm ${B}/definitions.repart.d/30-root-verity-sig.conf
+    fi
+    systemd-repart \
+        --definitions="${B}/definitions.repart.d/" \
+        --copy-source="${IMAGE_ROOTFS}" \
+        --empty=create --size=auto --dry-run=no --offline=yes \
+        --architecture="${systemd_arch}" \
+        --json=pretty --no-pager $additional_args \
+        "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${REPART_DDI_EXTENSION}"
+}
+IMAGE_CMD:ddi = "oe_image_systemd_repart_make_ddi"
+do_image_ddi[deptask] += "do_unpack"
diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 8af7bbf8e0..c9759e9198 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -54,7 +54,7 @@
 SIGNING_PKCS11_URI ?= ""
 SIGNING_PKCS11_MODULE ?= ""
-DEPENDS += "softhsm-native libp11-native opensc-native openssl-native"
+DEPENDS += "softhsm-native libp11-native opensc-native openssl-native extract-cert-native"
 def signing_class_prepare(d):
    import os.path
@@ -123,58 +123,122 @@ signing_import_define_role() {
    echo "_SIGNING_PKCS11_MODULE_${role}_=\"softhsm\"" >> $_SIGNING_ENV_FILE_
 }
-# signing_import_cert_from_der <role> <der>
+# signing_import_cert_from_der <cert_name> <der>
 #
-# Import a certificate from DER file to a role. To be used
+# Import a certificate from DER file to a cert_name.
-# with SoftHSM.
+# Where the <cert_name> can either be a previously setup
+# signing_import_define_role linking the certificate to a signing key,
+# or a new identifier when dealing with a standalone certificate.
+#
+# To be used with SoftHSM.
 signing_import_cert_from_der() {
-    local role="${1}"
+    local cert_name="${1}"
    local der="${2}"
-    signing_pkcs11_tool --type cert --write-object "${der}" --label "${role}"
+    # check wether the cert_name/role needs to be defined first,
+    # or do so otherwise
+    local uri=$(siging_get_uri $cert_name)
+    if [ -z "$uri" ]; then
+        signing_import_define_role "$cert_name"
+    fi
+    signing_pkcs11_tool --type cert --write-object "${der}" --label "${cert_name}"
 }
-# signing_import_cert_chain_from_pem <role> <pem>
+# signing_import_set_ca <cert_name> <ca_cert_name>
 #
+# Link the certificate from <cert_name> to its issuer stored in
+# <ca_cert_name> By walking this linked list a CA-chain can later be
+# reconstructed from the involed roles.
+signing_import_set_ca() {
+    local cert_name="${1}"
+    local ca_cert_name="${2}"
+    echo "_SIGNING_CA_${cert_name}_=\"${ca_cert_name}\"" >> $_SIGNING_ENV_FILE_
+    echo "added link from ${cert_name} to ${ca_cert_name}"
+}
-# Import a certificate *chain* from a PEM file to a role.
+# signing_get_ca <cert_name>
-# (e.g. multiple ones concatenated in one file)
 #
-# Due to limitations in the toolchain:
+# returns the <ca_cert_name> that has been set previously through
-#   signing class -> softhsm -> 'extract-cert'
+# signing_import_set_ca; or the empty string if none was set
-# the input certificate is split into a sequentially numbered list of roles,
+signing_get_ca() {
-# starting at <role>_1
+    local cert_name="${1}"
+    eval local ca_cert_name="\$_SIGNING_CA_${cert_name}_"
+    echo "$ca_cert_name"
+}
+# signing_has_ca <cert_name>
 #
-# (The limitations are the conversion step from x509 to a plain .der, and
+# check if the cert_name links to another cert_name that is its
-# extract-cert expecting a x509 and then producing only plain .der again)
+# certificate authority/issuer.
-signing_import_cert_chain_from_pem() {
+signing_has_ca() {
-    local role="${1}"
+    local ca_cert_name="$(signing_get_ca ${1})"
-    local pem="${2}"
-    local i=1
+    test -n "$ca_cert_name"
+    return $?
-    cat "${pem}" | \
-        while openssl x509 -inform pem -outform der -out ${B}/temp_${i}.der; do
-            signing_import_define_role "${role}_${i}"
-            signing_pkcs11_tool --type cert \
-                                --write-object  ${B}/temp_${i}.der \
-                                --label "${role}_${i}"
-            rm ${B}/temp_${i}.der
-            echo "imported ${pem} under role: ${role}_${i}"
-            i=$(awk "BEGIN {print $i+1}")
-        done
 }
-# signing_import_cert_from_pem <role> <pem>
+# signing_get_intermediate_certs <cert_name>
 #
-# Import a certificate from PEM file to a role. To be used
+# return a list of role/name intermediary CA certificates for a given
-# with SoftHSM.
+# <cert_name> by walking the chain setup with signing_import_set_ca.
+#
+# The returned list will not include the the root CA, and can
+# potentially be empty.
+#
+# To be used with SoftHSM.
+signing_get_intermediate_certs() {
+    local cert_name="${1}"
+    local intermediary=""
+    while signing_has_ca "${cert_name}"; do
+        cert_name="$(signing_get_ca ${cert_name})"
+        if signing_has_ca "${cert_name}"; then
+            intermediary="${intermediary} ${cert_name}"
+        fi
+    done
+    echo "${intermediary}"
+}
+# signing_get_root_cert <cert_name>
+#
+# return the role/name of the CA root certificate for a given
+# <cert_name>, by walking the chain setup with signing_import_set_ca
+# all the way to the last in line that doesn't have a CA set - which
+# would be the root.
+#
+# To be used with SoftHSM.
+signing_get_root_cert() {
+    local cert_name="${1}"
+    while signing_has_ca "${cert_name}"; do
+        cert_name="$(signing_get_ca ${cert_name})"
+    done
+    echo "${cert_name}"
+}
+# signing_import_cert_from_pem <cert_name> <pem>
+#
+# Import a certificate from PEM file to a cert_name.
+# Where the <cert_name> can either be a previously setup
+# signing_import_define_role linking the certificate to a signing key,
+# or a new identifier when dealing with a standalone certificate.
+#
+# To be used with SoftHSM.
 signing_import_cert_from_pem() {
-    local role="${1}"
+    local cert_name="${1}"
    local pem="${2}"
+    # check wether the cert_name/role needs to be defined first,
+    # or do so otherwise
+    local uri=$(siging_get_uri $cert_name)
+    if [ -z "$uri" ]; then
+        signing_import_define_role "$cert_name"
+    fi
    openssl x509 \
        -in "${pem}" -inform pem -outform der |
-    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${role}"
+    signing_pkcs11_tool --type cert --write-object /proc/self/fd/0 --label "${cert_name}"
 }
 # signing_import_pubkey_from_der <role> <der>
@@ -346,6 +410,30 @@ signing_get_module() {
    fi
 }
+# signing_extract_cert_der <role> <der>
+#
+# Export a certificate attached to a role into a DER file.
+# To be used with SoftHSM.
+signing_extract_cert_der() {
+    local role="${1}"
+    local output="${2}"
+    extract-cert "$(signing_get_uri $role)" "${output}"
+}
+# signing_extract_cert_pem <role> <pem>
+#
+# Export a certificate attached to a role into a PEM file.
+# To be used with SoftHSM.
+signing_extract_cert_pem() {
+    local role="${1}"
+    local output="${2}"
+    extract-cert "$(signing_get_uri $role)" "${output}.tmp-der"
+    openssl x509 -inform der -in "${output}.tmp-der" -out "${output}"
+    rm "${output}.tmp-der"
+}
 python () {
    signing_class_prepare(d)
 }
diff --git a/meta-oe/classes/sysext-image.bbclass b/meta-oe/classes/sysext-image.bbclass
new file mode 100644
index 0000000000..4d97b59ce3
--- /dev/null
+++ b/meta-oe/classes/sysext-image.bbclass
@@ -0,0 +1,76 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+# System extension images may – dynamically at runtime — extend the
+# /usr/ and /opt/ directory hierarchies with additional files. This is
+# particularly useful on immutable system images where a /usr/ and/or
+# /opt/ hierarchy residing on a read-only file system shall be
+# extended temporarily at runtime without making any persistent
+# modifications.
+# Example usage:
+## place a symlink into the systemd-sysext image search path:
+# $> mkdir /run/extensions
+# $> ln -s /tmp/extension-example.sysext.ddi /run/extensions/example.raw
+## list all available extensions:
+# $> systemd-sysext list
+## and enable the found extensions:
+# $> SYSTEMD_LOG_LEVEL=debug systemd-sysext merge
+# Note: PACKAGECONFIG:pn-systemd needs to include 'sysext'
+# systemd-sysext [1] has a simple mechanism for version compatibility:
+# the extension to be loaded has to contain a file named
+# /usr/lib/extension-release.d/extension-release.NAME
+# with "NAME" part *exactly* matching the filename of the extensions
+# raw-device filename/
+#
+# From the extension-release file the "ID" and "VERSION_ID" fields are
+# matched against same fields present in `os-release` and the extension
+# is "merged" only if values in both fields from both files are an
+# exact match.
+#
+# Link: https://www.freedesktop.org/software/systemd/man/latest/systemd-sysext.html
+inherit image
+# Include '.sysext' in the deployed image filename and symlink
+IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}.sysext"
+IMAGE_LINK_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}.sysext"
+EXTENSION_NAME = "${IMAGE_LINK_NAME}.${IMAGE_FSTYPES}"
+# Base extension identification fields
+EXTENSION_ID_FIELD ?= "${DISTRO}"
+EXTENSION_VERSION_FIELD ?= "${DISTRO_VERSION}"
+sysext_image_add_version_identifier_file() {
+    # Use matching based on Distro name and version
+    echo 'ID=${EXTENSION_ID_FIELD}' > ${WORKDIR}/extension-release.base
+    # os-release.bb does "sanitise_value(ver)", which needs to be done here too
+    echo 'VERSION_ID=${EXTENSION_VERSION_FIELD}' \
+        | sed 's,+,-,g;s, ,_,g' \
+        >> ${WORKDIR}/extension-release.base
+    # Instruct `systemd-sysext` to perform re-load once extension image is verified
+    echo 'EXTENSION_RELOAD_MANAGER=1' >> ${WORKDIR}/extension-release.base
+    install -d ${IMAGE_ROOTFS}${nonarch_libdir}/extension-release.d
+    install -m 0644 ${WORKDIR}/extension-release.base \
+        ${IMAGE_ROOTFS}${nonarch_libdir}/extension-release.d/extension-release.${EXTENSION_NAME}
+    # systemd-sysext expects an extension-release file of the exact same name as the image;
+    # by setting a xattr we allow renaming of the extension image file.
+    # (Kernel: this requires xattr support in the used filesystem)
+    setfattr -n user.extension-release.strict -v false \
+        ${IMAGE_ROOTFS}${nonarch_libdir}/extension-release.d/extension-release.${EXTENSION_NAME}
+}
+ROOTFS_POSTPROCESS_COMMAND += "sysext_image_add_version_identifier_file"
+# remove 'os-release' from the packages to be installed into the image.
+# systemd-sysext otherwise raises the error:
+# Extension contains '/usr/lib/os-release', which is not allowed, refusing.
+PACKAGE_EXCLUDE += "os-release"
diff --git a/meta-oe/conf/version-check.conf b/meta-oe/conf/version-check.conf
index dee5fe40d5..b41c9e8d22 100644
--- a/meta-oe/conf/version-check.conf
+++ b/meta-oe/conf/version-check.conf
@@ -29,3 +29,9 @@ CHECK_VERSION_PV:pn-sg3-utils = "%"
 CHECK_VERSION_PV:pn-netperf = "2.7.%"
 CHECK_VERSION_PV:pn-bridge-utils = "1.7%"
 CHECK_VERSION_PV:pn-turbostat = "2024.07.26"
+CHECK_VERSION_PV:pn-bpftool = "%"
+CHECK_VERSION_PV:pn-libhugetlbfs = "%"
+CHECK_VERSION_PV:pn-pps-tools = '%'
+CHECK_VERSION_PV:pn-libusb-compat = "0.1.12"
+CHECK_VERSION_PV:pn-jemalloc = "${@d.getVar('PV').split('+')[0]}%"
+CHECK_VERSION_PV:pn-dialog = "${@d.getVar('PV').split('-')[0]}%"
diff --git a/meta-oe/recipes-core/systemd/systemd-repart-native_257.6.bb b/meta-oe/recipes-core/systemd/systemd-repart-native_257.6.bb
new file mode 100644
index 0000000000..15b60af02e
--- /dev/null
+++ b/meta-oe/recipes-core/systemd/systemd-repart-native_257.6.bb
@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: MIT
+#
+# Copyright Leica Geosystems AG
+#
+SUMMARY = "systemd-repart"
+DESCRIPTION = "systemd-repart grows and adds partitions to a partition table, based on the configuration files described in repart.d(5), or generates a Discoverable Disk Image (DDI) for a system extension (sysext, see systemd-sysext(8))."
+HOMEPAGE = "http://www.freedesktop.org/wiki/Software/systemd"
+LICENSE = "GPL-2.0-only & LGPL-2.1-or-later"
+LICENSE:libsystemd = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
+                    file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
+SRCREV = "00a12c234e2506f5cab683460199575f13c454db"
+SRCBRANCH = "v257-stable"
+SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH}"
+S = "${WORKDIR}/git"
+DEPENDS = " \
+    cryptsetup-native \
+    gperf-native \
+    libcap \
+    python3-jinja2-native \
+    util-linux \
+"
+inherit meson pkgconfig gettext native
+MESON_TARGET = "systemd-repart"
+# Helper variables to clarify locations. This mirrors the logic in systemd's
+# build system.
+rootprefix ?= "${root_prefix}"
+rootlibdir ?= "${base_libdir}"
+rootlibexecdir = "${rootprefix}/lib"
+EXTRA_OEMESON += "-Dnobody-user=nobody \
+    -Dnobody-group=nogroup \
+    -Drootlibdir=${rootlibdir} \
+    -Drootprefix=${rootprefix} \
+    -Ddefault-locale=C \
+    -Dmode=release \
+    -Dsystem-alloc-uid-min=101 \
+    -Dsystem-uid-max=999 \
+    -Dsystem-alloc-gid-min=101 \
+    -Dsystem-gid-max=999 \
+"
+do_install() {
+    install -d ${D}${bindir}/
+    install -m 0755 ${B}/systemd-repart ${D}${bindir}/systemd-repart
+    install -d ${D}${libdir}/
+    install -m 0644 ${B}/src/shared/libsystemd-shared-257.so ${D}${libdir}/libsystemd-shared-257.so
+    install -d ${D}${libdir}/systemd/repart/
+    cp -r ${S}/src/repart/definitions ${D}${libdir}/systemd/repart/
+}
diff --git a/meta-oe/recipes-devtools/mpich/mpich_4.3.0.bb b/meta-oe/recipes-devtools/mpich/mpich_4.3.0.bb
index af15ce61a3..6babba3de7 100644
--- a/meta-oe/recipes-devtools/mpich/mpich_4.3.0.bb
+++ b/meta-oe/recipes-devtools/mpich/mpich_4.3.0.bb
@@ -28,13 +28,13 @@ PACKAGECONFIG[fortran] = "--with-cross=${WORKDIR}/cross_values.txt --enable-fort
 LDFLAGS:append:x86-64 = " -lgcc"
 LDFLAGS:append:x86 = " -lgcc"
-inherit autotools gettext pkgconfig
+inherit autotools gettext pkgconfig qemu
 DEPENDS += "qemu-native"
 do_configure() {
    if [ "${@bb.utils.contains('PACKAGECONFIG', 'fortran', '1', '', d)}" = "1" ]; then
-        qemu_binary="${@oe.qemu.qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_DIR_HOST}${base_libdir}')])}"
+        qemu_binary="${@qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_DIR_HOST}${base_libdir}')])}"
        cat > ${WORKDIR}/qemuwrapper << EOF
 #!/bin/sh
 $qemu_binary "\$@"
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_22.16.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_22.16.0.bb
index c2bf3b6bd3..43d9b99fd8 100644
--- a/meta-oe/recipes-devtools/nodejs/nodejs_22.16.0.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_22.16.0.bb
@@ -9,7 +9,7 @@ DEPENDS = "openssl openssl-native file-replacement-native python3-packaging-nati
 DEPENDS:append:class-target = " qemu-native"
 DEPENDS:append:class-native = " c-ares-native"
-inherit pkgconfig python3native ptest siteinfo
+inherit pkgconfig python3native qemu ptest siteinfo
 COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*"
 COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*"
@@ -107,8 +107,8 @@ python do_create_v8_qemu_wrapper () {
    on the host."""
    qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'),
                    d.expand('${STAGING_DIR_HOST}${base_libdir}')]
-    qemu_cmd = oe.qemu.qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'),
+    qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'),
-                                            qemu_libdirs)
+                                    qemu_libdirs)
    if d.getVar("HOST_AND_TARGET_SAME_WIDTH") == "1":
        qemu_cmd = ""
diff --git a/meta-oe/recipes-extended/icewm/icewm_3.7.4.bb b/meta-oe/recipes-extended/icewm/icewm_3.7.4.bb
index 77160b5b51..fa76f2e34e 100644
--- a/meta-oe/recipes-extended/icewm/icewm_3.7.4.bb
+++ b/meta-oe/recipes-extended/icewm/icewm_3.7.4.bb
@@ -10,7 +10,7 @@ SRC_URI[sha256sum] = "e248e299616f417f5051423ea65a15668b71c1fdc9b5e477b47b1e80db
 UPSTREAM_CHECK_URI = "https://github.com/ice-wm/${BPN}/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)"
-inherit autotools pkgconfig gettext perlnative features_check update-alternatives
+inherit autotools pkgconfig gettext perlnative features_check qemu update-alternatives
 REQUIRED_DISTRO_FEATURES = "x11"
 EXTRA_OECONF += "--with-libdir=${datadir}/icewm \
@@ -31,7 +31,7 @@ do_compile:prepend:class-target() {
    cd ${B}
    oe_runmake -C src genpref
-    qemu_binary="${@oe.qemu.qemu_wrapper_cmdline(d, '${STAGING_DIR_TARGET}',['${B}/src/.libs','${STAGING_DIR_TARGET}/${libdir}','${STAGING_DIR_TARGET}/${base_libdir}'])}"
+    qemu_binary="${@qemu_wrapper_cmdline(d, '${STAGING_DIR_TARGET}',['${B}/src/.libs','${STAGING_DIR_TARGET}/${libdir}','${STAGING_DIR_TARGET}/${base_libdir}'])}"
    cat >qemuwrapper <<EOF
 #!/bin/sh
 ${qemu_binary} src/genpref "\$@"
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/0001-hiredis-use-default-CC-if-it-is-set.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-hiredis-use-default-CC-if-it-is-set.patch
index 63bf403412..63bf403412 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/0001-hiredis-use-default-CC-if-it-is-set.patch
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-hiredis-use-default-CC-if-it-is-set.patch
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/0002-lua-update-Makefile-to-use-environment-build-setting.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0002-lua-update-Makefile-to-use-environment-build-setting.patch
index 46330f5064..46330f5064 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/0002-lua-update-Makefile-to-use-environment-build-setting.patch
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0002-lua-update-Makefile-to-use-environment-build-setting.patch
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/0003-hack-to-force-use-of-libc-malloc.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0003-hack-to-force-use-of-libc-malloc.patch
index 1f97f9783d..1f97f9783d 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/0003-hack-to-force-use-of-libc-malloc.patch
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0003-hack-to-force-use-of-libc-malloc.patch
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/0004-src-Do-not-reset-FINAL_LIBS.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0004-src-Do-not-reset-FINAL_LIBS.patch
index 974cf5169f..974cf5169f 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/0004-src-Do-not-reset-FINAL_LIBS.patch
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0004-src-Do-not-reset-FINAL_LIBS.patch
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch
index 8e5f30993b..8e5f30993b 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/0006-Define-correct-gregs-for-RISCV32.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0006-Define-correct-gregs-for-RISCV32.patch
index 7009048171..7009048171 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/0006-Define-correct-gregs-for-RISCV32.patch
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0006-Define-correct-gregs-for-RISCV32.patch
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/init-redis-server b/meta-oe/recipes-extended/redis/redis-7.2.8/init-redis-server
index c5f335f57d..c5f335f57d 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/init-redis-server
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/init-redis-server
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/redis.conf b/meta-oe/recipes-extended/redis/redis-7.2.8/redis.conf
index 75037d6dc8..75037d6dc8 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/redis.conf
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/redis.conf
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.7/redis.service b/meta-oe/recipes-extended/redis/redis-7.2.8/redis.service
index b7791d0df4..b7791d0df4 100644
--- a/meta-oe/recipes-extended/redis/redis-7.2.7/redis.service
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/redis.service
diff --git a/meta-oe/recipes-extended/redis/redis_7.2.7.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
index c688e92cca..3c4d84085b 100644
--- a/meta-oe/recipes-extended/redis/redis_7.2.7.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
@@ -18,7 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
          "
-SRC_URI[sha256sum] = "72c081e3b8cfae7144273d26d76736f08319000af46c01515cad5d29765cead5"
+SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"
 RPROVIDES:${PN} = "virtual-redis"
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_12.2.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_12.2.1.bb
index cb04a1b24a..cccbbe75f7 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_12.2.1.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_12.2.1.bb
@@ -16,7 +16,7 @@ DEPENDS = " \
 DEPENDS:append:class-target = " ${BPN}-native"
 DEPENDS:append:class-nativesdk = " ${BPN}-native"
-inherit autotools-brokensep pkgconfig gettext
+inherit autotools-brokensep pkgconfig gettext qemu
 SRC_URI = "https://gitlab.com/api/v4/projects/4207231/packages/generic/${BPN}-releases/${PV}/${BP}.tar.xz \
           "
@@ -84,7 +84,7 @@ SYSROOT_PREPROCESS_FUNCS:append:class-native = " graphviz_sstate_postinst"
 pkg_postinst:${PN} () {
    if [ -n "$D" ]; then
        if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 'true', 'false', d)}; then
-            ${@oe.qemu.qemu_run_binary(d, '$D', '${bindir}/dot')} -c
+            ${@qemu_run_binary(d, '$D', '${bindir}/dot')} -c
        fi
    else
        dot -c
@@ -96,7 +96,7 @@ pkg_postrm:${PN} () {
    rmdir --ignore-fail-on-non-empty $D${libdir}/graphviz
 }
-PACKAGE_WRITE_DEPS += "qemuwrapper-cross"
+PACKAGE_WRITE_DEPS += "qemu-native"
 PACKAGES =+ "${PN}-python ${PN}-perl ${PN}-demo"
diff --git a/meta-oe/recipes-support/bvi/bvi_1.4.2.bb b/meta-oe/recipes-support/bvi/bvi_1.4.2.bb
index b0081794d0..fb136e16a6 100644
--- a/meta-oe/recipes-support/bvi/bvi_1.4.2.bb
+++ b/meta-oe/recipes-support/bvi/bvi_1.4.2.bb
@@ -2,10 +2,10 @@ SUMMARY = "Binary VI editor"
 DESCRIPTION = "bvi is a visual editor for binary files."
 HOMEPAGE = "https://sourceforge.net/projects/bvi"
 SECTION = "console/utils"
-LICENSE = "GPL-3.0-only"
+LICENSE = "GPL-3.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a36207309d382da27cd66fdaae922e3c"
-SRC_URI = "${SOURCEFORGE_MIRROR}/bvi/bvi-${PV}.src.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.src.tar.gz"
 SRC_URI[sha256sum] = "4bba16c2b496963a9b939336c0abcc8d488664492080ae43a86da18cf4ce94f2"
 DEPENDS += "ncurses"
diff --git a/meta-oe/recipes-support/espeak/espeak_1.48.04.bb b/meta-oe/recipes-support/espeak/espeak_1.48.04.bb
index 363fffbc05..b4812d59d6 100644
--- a/meta-oe/recipes-support/espeak/espeak_1.48.04.bb
+++ b/meta-oe/recipes-support/espeak/espeak_1.48.04.bb
@@ -13,7 +13,7 @@ SRC_URI[sha256sum] = "bf9a17673adffcc28ff7ea18764f06136547e97bbd9edf2ec612f09b20
 S = "${WORKDIR}/espeak-${PV}-source"
 DEPENDS = "portaudio-v19 qemu-helper-native"
-inherit siteinfo
+inherit siteinfo qemu
 CXXFLAGS += "-DUSE_PORTAUDIO"
@@ -31,7 +31,7 @@ do_compile() {
    oe_runmake
    cd "${S}/platforms/big_endian"
-    qemu_binary="${@oe.qemu.qemu_wrapper_cmdline(d, '${STAGING_DIR_TARGET}', ['${S}/platforms/big_endian', '${STAGING_DIR_TARGET}${base_libdir}'])}"
+    qemu_binary="${@qemu_wrapper_cmdline(d, '${STAGING_DIR_TARGET}', ['${S}/platforms/big_endian', '${STAGING_DIR_TARGET}${base_libdir}'])}"
    cat >qemuwrapper <<EOF
 #!/bin/sh
 $qemu_binary "\$@"
diff --git a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
index 4ffc875cec..f34e5f183d 100644
--- a/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
+++ b/meta-oe/recipes-support/hdf5/hdf5_1.14.4-3.bb
@@ -7,7 +7,7 @@ SECTION = "libs"
 LICENSE = "HDF5"
 LIC_FILES_CHKSUM = "file://COPYING;md5=adebb1ecf1b3b80c13359e18ef67301e"
-inherit cmake siteinfo multilib_header multilib_script
+inherit cmake siteinfo qemu multilib_header multilib_script
 DEPENDS += "qemu-native zlib"
@@ -30,7 +30,7 @@ EXTRA_OECMAKE:prepend:class-target = "-DCMAKE_CROSSCOMPILING_EMULATOR=${WORKDIR}
 gen_emu() {
        # Write out a qemu wrapper that will be used by cmake
        # so that it can run target helper binaries through that.
-        qemu_binary="${@oe.qemu.qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_DIR_HOST}${base_libdir}')])}"
+        qemu_binary="${@qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_DIR_HOST}${base_libdir}')])}"
        cat > ${WORKDIR}/qemuwrapper << EOF
 #!/bin/sh
 $qemu_binary "\$@"
diff --git a/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.7.bb b/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.8.bb
index ac5a3eaf09..7994907e13 100644
--- a/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.7.bb
+++ b/meta-oe/recipes-support/libserialmodule/libserialmodule_1.0.8.bb
@@ -6,7 +6,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=22cdd382a6275cb4c2e75c517952ac7c"
 DEPENDS = "libsimplelog"
 SRC_URI = "git://git@github.com/thuanalg/libserialmodule.git;branch=main;protocol=https;tag=v${PV}"
-SRCREV = "b5a5a436900d0bd69f990ca062de916c65f7e2e0"
+SRCREV = "f89f98ff0c9d0aaee2624d40addb0687a74c5d81"
 S = "${WORKDIR}/git"
 inherit cmake
 EXTRA_OECMAKE = "-DUNIX_LINUX=1 -DMETA_OPENEMBEDDED=1"
diff --git a/meta-oe/recipes-support/uim/uim_1.9.0.bb b/meta-oe/recipes-support/uim/uim_1.9.0.bb
index a7857b2487..cb3aee3f0d 100644
--- a/meta-oe/recipes-support/uim/uim_1.9.0.bb
+++ b/meta-oe/recipes-support/uim/uim_1.9.0.bb
@@ -25,7 +25,7 @@ LEAD_SONAME = "libuim.so.1"
 COMPATIBLE_HOST:riscv64 = "null"
 COMPATIBLE_HOST:riscv32 = "null"
-inherit features_check autotools pkgconfig gettext gtk-immodules-cache
+inherit features_check autotools pkgconfig gettext qemu gtk-immodules-cache
 REQUIRED_DISTRO_FEATURES = "x11"
@@ -120,10 +120,10 @@ FILES:uim-skk = "${libdir}/uim/plugin/libuim-skk.* \
    ${datadir}/uim/skk*.scm \
 "
-PACKAGE_WRITE_DEPS += "qemuwrapper-cross"
+PACKAGE_WRITE_DEPS += "qemu-native"
 pkg_postinst:uim-anthy() {
    if test -n "$D"; then
-        ${@oe.qemu.qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --register anthy --path $D${datadir}/uim
+        ${@qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --register anthy --path $D${datadir}/uim
    else
                uim-module-manager --register anthy --path ${datadir}/uim
    fi
@@ -131,7 +131,7 @@ pkg_postinst:uim-anthy() {
 pkg_prerm:uim-anthy() {
    if test -n "$D"; then
-        ${@oe.qemu.qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --path $D${datadir}/uim --unregister anthy
+        ${@qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --path $D${datadir}/uim --unregister anthy
    else
                uim-module-manager --path ${datadir}/uim --unregister anthy
    fi
@@ -139,7 +139,7 @@ pkg_prerm:uim-anthy() {
 pkg_postinst:uim-skk() {
    if test -n "$D"; then
-        ${@oe.qemu.qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --register skk --path $D${datadir}/uim
+        ${@qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --register skk --path $D${datadir}/uim
    else
                uim-module-manager --register skk --path ${datadir}/uim
    fi
@@ -147,7 +147,7 @@ pkg_postinst:uim-skk() {
 pkg_postrm:uim-skk() {
    if test -n "$D"; then
-        ${@oe.qemu.qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --path $D${datadir}/uim --unregister skk
+        ${@qemu_run_binary(d, '$D', '${bindir}/uim-module-manager')} --path $D${datadir}/uim --unregister skk
    else
                uim-module-manager --path ${datadir}/uim --unregister skk
    fi
diff --git a/meta-oe/recipes-support/unixodbc/unixodbc_2.3.12.bb b/meta-oe/recipes-support/unixodbc/unixodbc_2.3.12.bb
index ce02535c95..0927f5c904 100644
--- a/meta-oe/recipes-support/unixodbc/unixodbc_2.3.12.bb
+++ b/meta-oe/recipes-support/unixodbc/unixodbc_2.3.12.bb
@@ -18,14 +18,14 @@ SRC_URI[sha256sum] = "f210501445ce21bf607ba51ef8c125e10e22dffdffec377646462df5f0
 UPSTREAM_CHECK_URI = "https://www.unixodbc.org/download.html"
 UPSTREAM_CHECK_REGEX = "unixODBC-(?P<pver>\d+(\.\d+)+)\.tar"
-inherit autotools-brokensep multilib_header
+inherit autotools-brokensep multilib_header qemu
 S = "${WORKDIR}/unixODBC-${PV}"
 EXTRA_OEMAKE += "LIBS=-lltdl"
 EXTRA_OECONF += "--enable-utf8ini"
 DEPENDS:append:class-target = "${@' qemu-native' if bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', True, False, d) else ''}"
-QEMU_WRAPPER = "${@oe.qemu.qemu_wrapper_cmdline(d, '${STAGING_DIR_HOST}', ['${STAGING_DIR_HOST}/${libdir}','${STAGING_DIR_HOST}/${base_libdir}'])}"
+QEMU_WRAPPER = "${@qemu_wrapper_cmdline(d, '${STAGING_DIR_HOST}', ['${STAGING_DIR_HOST}/${libdir}','${STAGING_DIR_HOST}/${base_libdir}'])}"
 do_configure:prepend() {
    # old m4 files will cause libtool version don't match
diff --git a/meta-python/recipes-devtools/python/python3-charset-normalizer/0001-pyproject.toml-Relax-version-for-mypy.patch b/meta-python/recipes-devtools/python/python3-charset-normalizer/0001-pyproject.toml-Relax-version-for-mypy.patch
deleted file mode 100644
index d544caaa17..0000000000
--- a/meta-python/recipes-devtools/python/python3-charset-normalizer/0001-pyproject.toml-Relax-version-for-mypy.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 57b626d6d8c247c9203dde51a988b9401abe065c Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 9 Apr 2025 23:44:44 -0700
-Subject: [PATCH] pyproject.toml: Relax version for mypy
-It asks for mypy <= 1.14.0 but we have 1.15.x
-already in meta-python
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- pyproject.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/pyproject.toml b/pyproject.toml
-index bbb8227..ad42715 100644
--- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -1,5 +1,5 @@
- [build-system]
-requires = ["setuptools", "setuptools-scm", "mypy>=1.4.1,<=1.14.0"]
-+requires = ["setuptools", "setuptools-scm", "mypy>=1.4.1,<=1.16.0"]
- build-backend = "setuptools.build_meta"
- 
- [project]
diff --git a/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.1.bb b/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.2.bb
index 4f9b09ef93..e62306fff3 100644
--- a/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.1.bb
+++ b/meta-python/recipes-devtools/python/python3-charset-normalizer_3.4.2.bb
@@ -3,8 +3,7 @@ HOMEPAGE = "https://github.com/ousret/charset_normalizer"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=48178f3fc1374ad7e830412f812bde05"
-SRC_URI += "file://0001-pyproject.toml-Relax-version-for-mypy.patch"
+SRC_URI[sha256sum] = "5baececa9ecba31eff645232d59845c07aa030f0c81ee70184a90d35099a0e63"
-SRC_URI[sha256sum] = "44251f18cd68a75b56585dd00dae26183e102cd5e0f9f1466e6df5da2ed64ea3"
 DEPENDS += "python3-setuptools-scm-native python3-mypy-native"
diff --git a/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb b/meta-python/recipes-devtools/python/python3-libevdev_0.12.bb
index 8c05df38e3..cabcfd8df6 100644
--- a/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb
+++ b/meta-python/recipes-devtools/python/python3-libevdev_0.12.bb
@@ -5,7 +5,7 @@ SECTION = "devel/python"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d94c10c546b419eddc6296157ec40747"
-SRC_URI[sha256sum] = "e9ca006a4df2488a60bd9a740011ee948d81904be2364f017e560169508f560f"
+SRC_URI[sha256sum] = "02e952632ec6c249cbb9c66f6fa00012ea448b06606c77cd139133bc2fe46b08"
 inherit pypi setuptools3
diff --git a/meta-python/recipes-devtools/python/python3-portion_2.6.0.bb b/meta-python/recipes-devtools/python/python3-portion_2.6.1.bb
index 2c2e67579e..942d7d5d4d 100644
--- a/meta-python/recipes-devtools/python/python3-portion_2.6.0.bb
+++ b/meta-python/recipes-devtools/python/python3-portion_2.6.1.bb
@@ -5,9 +5,9 @@ SECTION = "devel/python"
 LICENSE = "LGPL-3.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3000208d539ec061b899bce1d9ce9404"
-inherit pypi python_setuptools_build_meta ptest-python-pytest
+inherit pypi python_hatchling ptest-python-pytest
-SRC_URI[sha256sum] = "6fb538b57a92058f0edd360667694448aa3fc028ab97e41e3091359d14ba4dd5"
+SRC_URI[sha256sum] = "44b1f7d57e052993c4157e519dc447e57b87a4e5e00a77c1c50e7044104e53c6"
 RDEPENDS:${PN} += "\
        python3-sortedcontainers \
diff --git a/meta-python/recipes-devtools/python/python3-typer_0.15.4.bb b/meta-python/recipes-devtools/python/python3-typer_0.16.0.bb
index 26b0c042be..87e258ae1f 100644
--- a/meta-python/recipes-devtools/python/python3-typer_0.15.4.bb
+++ b/meta-python/recipes-devtools/python/python3-typer_0.16.0.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "\
    Typer is a library for building CLI applications that users will love using and developers will love creating. Based on Python type hints. \
    It's also a command line tool to run scripts, automatically converting them to CLI applications. \
 "
-HOMEPAGE = "https://github.com/tiangolo/typer"
+HOMEPAGE = "https://github.com/fastapi/typer"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=173d405eb704b1499218013178722617"
-SRC_URI[sha256sum] = "89507b104f9b6a0730354f27c39fae5b63ccd0c95b1ce1f1a6ba0cfd329997c3"
+SRC_URI[sha256sum] = "af377ffaee1dbe37ae9440cb4e8f11686ea5ce4e9bae01b84ae7c63b87f1dd3b"
 inherit pypi python_setuptools_build_meta ptest